From YouTube: OpenSSF Identifying Security Threats WG (August 3, 2022)
D: Cool, let's get started. Welcome everybody to the August 3rd Identifying Security Threats working group meeting. If you don't have the meeting notes, I posted them in chat. If you still need them, let me know and I'll post them again, but if you don't mind adding yourself, just so we have attendance. Is there anybody new that would like to introduce themselves? Now's a good time.

D: It works too, okay, awesome. So, following up on last time, I was supposed to send out a Doodle poll, which obviously I did not. I can do that right after this meeting, or we can just kind of look at it really. What I want to make sure is that the time zones that folks are in, that either are participating or would participate if this were a different time, would work. I'd rather not do something that... I'd rather not.

D: I mean, if I can avoid having, like, subgroup A attend the Pacific-time-friendly slot and, like, group B, which is completely different people, attend the other one, I think that would be preferable. I'd like to keep as many people as possible. So I think what I'm thinking is, if you don't mind, add yourself and what time zone you're in, and then I'll try to find the least painful for everybody, and I'll do two. I'll still do it.

D: Where there's, like, you know, two meetings a month, one meeting will be friendlier for one subset and one will be friendlier for the other one, but I'd rather not make it absolutely horrible for anybody, if I can avoid it.

D: Perfect, okay, so we can do project updates and then other topics. I think it probably would make sense, and in fact maybe I'll just add that in if other folks have topics that preempt mine, but as a backup, kind of like other strategic initiatives, like basically open brainstorming.
D: If there are things that we think we should do, let's get a list out and see if anything sticks. So with that, Christine, would you like to give an update on office hours?

D: Oh, I'm sorry, I'm sorry! Security metrics.

E: We need a decision on... because the original goal of the project, when it spun off, was to see what we wanted to do with the future of metrics, and it's a bit confusing with what's going on with Stream 2. So we kind of need a decision on whether that's still the way we want to go or what we want to do with it, because it's sort of in a weird kind of stance, so there's still a lot of confusion out there.

E: Off and said that this is what I'm looking for, because the site is sort of a place where it's not being properly maintained, and we need to do something about it. But now, knowing that there's this going on with Stream 2 and potentially using LFX tools, the question is: your original thought of the vision, is that still the way you want to go?

D: Okay, yeah, I mean, we have time now when we have folks on the call. Like, I certainly don't want to, you know, pretend that I own the decision or anything, so, okay.
D: Yeah, well, yeah, you know, I'd rather not. Maybe it would make sense to wait for them to be able to join. How about this? Do you want to say in two weeks we'll make sure that this is kind of the top item to talk about, and we'll see if we can get Jay and Bernard? Okay.

D: And in the meantime, I'll try to connect with Brian to see if there's anybody else. That's... David, unless you know anybody else kind of moving on anything with Stream 2.

C: I've been a little out of things, so yeah, maybe, yeah, so there may be other things. I don't know. Okay.

F: Yeah, sorry if I missed the last meeting. Anyway, I have the script that can generate and verify the Security Insights YAML. I have written it in Python, but probably not the best choice, because there is a lack of a good library to handle YAML in Python, but it works for now. I'm working on improvements and I'm writing a README so people know how to use it.

F: I've written a comment in the draft PR that explains why I took some decisions, and of course, if anyone wants to rewrite the script or just wants to add another tool that is written in other languages, it's welcome, especially because I think that JavaScript can be a good idea for this kind of tool. I have seen that the JavaScript and npm ecosystem offer a lot of packages to handle it very well.

C: Quick interruption. I'm very confused. I'm shocked that Python doesn't have... I mean, I just did a quick Google and immediately found PyYAML. What's the problem with Python and YAML?

F: That doesn't support YAML 1.2.

F: In the PyYAML library there is a problem that is called the Norway problem. It is how the dump function works in PyYAML, and so it converts, for example, "NO", like Norway. I have added the link, but for some reason... I mean, a short explanation is that some values are converted in the wrong way. So, for example, if you have a float, it's converted to an integer or something similar, and without an easy way around it.

C: Okay, do we need the 1.2 capabilities, or can we just back off to 1.1 if they only support 1.1?

C: Yes, okay, but thank you so much for raising it. That's a new and interesting one, and there are solutions, like... I mean, we've already just noted two, so... but raising the issue is the first step.
F: A good reason to use the latest version of YAML is that it supports more regexes and more formats for matching the value directly using the schema. So if we use the schema as sort of a source of trust or something similar, probably the latest version is better than 1.1, from my perspective. And I agree that npm offers a better solution, but I mean, I am just slower to write JavaScript code or TypeScript code, but I think that we can definitely do it with another language then.

F: Yeah, I mean, it was a surprise also for me. I had seen bits on Twitter, but we can talk if we need to create a new library or just update PyYAML, that is technically the standard in Python, and...

F: So the script is ready. I'm writing the README so I can explain how to use it. It is a command line tool. You can just write the input. It works. I've tested the sample. There are some improvements that I can do for sure, also in the code, definitely, but in a second.

F: And I need to fix some typos that I have in the schema for errors, and that is... I have prepared the slide that you asked for, Michael. I think that for this project we need more people for sure, for a lot of reasons, but because maybe there are people that have strong knowledge in specs, so... how to create a spec is not so easy. I have studied other examples, like SARIF and similar, and having more people involved in this project can help for sure.
A: Yes, hello, so a couple quick updates. So I added about four more in the last week or two. So that puts us at over 90 in terms of the collection. I need help with a couple of things. It might be something that we could maybe knock out really quickly right now as a group, just because I'm not super well versed with kind of the intricacies of GitHub and how things like Dependabot and how some of those automatic checks work.

A: So if you go to the repo right now, it does say... maybe the main thing we can knock out as a group together right now is it says we found potential security vulnerabilities in your dependencies. I think it's like an automatic Dependabot check, so maybe if we could address that. I just really wouldn't know exactly where to start or how to best handle that. Let's do it. Okay, awesome! So let me put in... here's the link to the repo. Save you a couple searches, and yeah, you'll see right away.

A: Hi again, welcome back. This works. I have a feeling it is okay. I believe it is working now. Okay, can y'all see that? Okay, so yeah. This is the main thing I'm talking about: these Dependabot alerts. So I'll just click here, see Dependabot alerts, and let me hide this. Okay.

D: So, basically, you know, check it out, grab the latest Select2, probably just 4.0.6, and then just drop it in there and commit, and that should resolve the alert. Alternatively, you could do this with...

D: You know, an npm package file or Yarn or whatever, to kind of reference Select2 and then bring it in during build. But you know, it's not like... there are a lot of them here, so you could also, if you wanted to, yeah, you know, hit edit and, like, go to a CDN and grab Select2 4.0.6 and then copy-paste? I guess that should work too. You know, so literally.

D: And then find that, yeah, Dependabot alerts, and click on that. So "improper neutralization of web page", so it's cross-site scripting through HTML templates when used to display list box data. So if you give it, you know, script alert(1), then it will run the alert, yeah.

D: Oh, totally right, but the question of "are we..." I mean, it's so interesting. Like, are we, you know... so this is used in the quick start, which is a statically defined select box. There's nothing dynamic about it. It's not vulnerable, right? Do we have to upgrade? No. Should we? Of course, probably, yeah.
C: Okay, so you're just going to update the URL. You can't just update the version number and have it updated. Okay.

C: Okay, how's this: can we do this out of band, because I see the... oh.

C: Yeah, I mean, you know what, just show what you're about to do, and then I think we can... okay, so.

C: Yeah, okay, and do it, awesome, all right? So I have a quick question. I don't really want to volunteer to do them all, but there's a very... there's an old way for evaluating software called the Common Criteria. Some of you may already know these evaluations. It can certainly be used for evaluating open source software.

C: So I'm wondering if, at least as a sampler, we should include a couple of the reviews of their security targets, if they have something that's either all or mostly open source. I'm thinking particularly of, for example, there are final reviews of Red Hat Enterprise Linux 8.2 and SUSE, and you know, basically at least a couple Linux distros, because they include a ton of open source software, and you know, you can then point to at least somebody has done certain kinds of reviews.

C: You know, fully acknowledging that there's problems with that. Well, in fact, all reviews have limitations, so including Common Criteria evaluations. Thoughts? I mean, what I think one challenge is, is that traditionally we've been doing security reviews of very specific packages, whereas these are, like, for entire distros.

C: I mean, if we're gonna talk about, at least under U.S. law, all open source software is commercial products, because as soon as you license it to the general public, it's a commercial item.

C: I think it's more complicated. Yeah, I believe the source code is open source, but there's... well, yeah. I think basically they generate the binaries and there's a support contract. So you know, I don't think we need to delve into... and you know, SUSE has a somewhat different one, and you've also got... You know, that's if you wanted to answer the question "hey, has anybody looked at this open source?", which I think is the question most folks are going to ask.

C: You know, the Red Hat one really bases itself on a couple key open source components, like SSL, some modules within the Linux kernel, like the lightweight auditing framework, and stuff like that. So if you were interested in that, I mean, I think it would make sense, even though there are caveats, but I'll also argue there are caveats for all reviews. There have to be. You know, there's no review, you know, unless you're doing formal proofs, and even with formal proofs, you have to look at what the assertions are.

C: So you know, for most folks, there's always gonna be a caveat. So I think that there's caveats, but there's always caveats.
C: Okay, just weirdness for those who aren't familiar with the weird Common Criteria terminology: the process of evaluating an actual product and reporting, basically, here's what it does. The document that they evaluate against is something called a security target, and the security target is the target for security purposes for that particular product, and the goal of their process is to show that whatever the security target says is actually met by the product.

C: Yeah, yeah, I feel like... let me... here, I'll pop in. I mean, there's actually a whole bunch of different docs you can point to. I'm going to point to NIAP. NIAP is technically the U.S. scheme, but they also track what evaluations are done in other countries.

A: And then yeah, just to finish out the update, I might need to sync with Dylan on this one, but I'm just kind of going over the automatic checks that happen when you try and upload a new review. I still get occasional errors with that, as well as maybe working with him on seeing how we could augment the overview.

D: That'd be great, yeah, if he has cycles, go for it. Okay.

A: Yeah, I know he's busy during our regular meeting time, but maybe I could get, like, 30 minutes with him and work out some of this. I'm...

A: Awesome, well, that's everything I had for security reviews. Thank you.

D: Marta's not here, so we will hold off on office hours till next time, although I believe there's some posts in the office hours Slack channel. So there is a proposal that was... I think we talked about that last time, a Doodle for expert availability, so I think things are moving. Just stay tuned. I think we're gonna have the first office hours, I think, later this month, if I remember the dates correctly.

C: Cool, and although it's not the same, well, quick heads up: the Education SIG under the Best Practices working group, they're talking about trying to create something a little like office hours to support people going through courses.

C: Basically, if they have a question... I think, frankly, there's a lot similar between that and office hours. It's not the same, yeah, but I think there's some similarities. So I don't know if there's any lessons learned that one can learn from the other, but I just want to raise it as a, you know, other people are interested in doing similar things.

C: Really at the crow right now, and there's a lady from... who works at CNCF. Oh my gosh, I just talked to her earlier today. I'm so pathetic! So is...

C: Okay, apparently I will learn to think eventually. So my friend Sal, if you're listening to this, please forgive me. So yeah, so I think Sal is very interested in that. Nothing, no details determined yet. This is just a discussion we've started today, but I think that there's probably lessons learned along the way as we do each of these, but helping people out.

D: Awesome, any other topics that folks would like to talk about?

D: I don't wanna put you on the spot, but if you'd like to talk about OpenRefactory and the Python work, you know, you're welcome to have the floor for a few minutes and kind of chat about that if you'd like. Otherwise, anybody else, welcome to throw ideas in the...
G: ...you in a while. I know you have a... Is that a haircut I see? No, I have a non-haircut. I really need a haircut. Okay, it's been... okay, so, sneak preview of my Black Hat / DEF CON talk prior to it.

G: On Friday of last week, we generated 170 pull requests to fix temp directory hijacking, partial path traversal, Zip Slip. Very cool, so.

C: Well, hopefully they already have unit tests to make sure the functionality keeps working, right, because it seems to me that's the key point: is, you know, it was working functionally before, it's working functionally now. You don't necessarily have to test for the vulnerability if it's clear that it was vulnerable and now it's fixed. I mean, you know, they...

G: They're not, but they don't get... I mean, a lot of people... so this is automatically generated at scale. It's, like, subtle in the message that I send out, because I don't want people to say "automated pull requests, like, go away". Like, I want it to be clear it's actually from a person, because there's a person behind it, right? Like, when they respond, because I have gotten comments. It's like, "bah, this is like a bot", and I'm like, "actually, hi, I'm a person."

G: I just use the bot to generate the thing, but, like, I am seeing your comments, right. That helps, but then there's a dialogue with other people that are, like... they just see the pull requests and, like, "can you add tests? You fixed the code," and I'm like, "no." Like, I did this at scale. There's, like, 170 other requests, and I can't do this at scale. So yeah, so our presentations are submitted to Black Hat and DEF CON.

G: They have them in hand, so yeah, and we've run it enough times that we're pretty solid on them. So yeah, very.

C: I was thinking about it earlier, but I'm still recovering, and I just... if I really, really need to be there, I'll... I'm off, but otherwise I'm going to try to recover my emails, my email inbox.

G: Your talk, at least? Yes, I will send that into the Slack channel. Awesome, thank you. So I've given three talks. There's BSides Las Vegas, Black Hat, DEF CON. DEF CON is the longest of the three because we get 45 minutes, and, well, BSides Las Vegas too, they're 45 minutes, and then Black Hat has 40 minutes.

G: There's, like, one extra example that I throw in there, which is mostly a joke, like, to make it extra humorous in the middle, that I had to drop because there's not enough time for Black Hat. If you guys saw my Amazon incident, vulnerability, where they said, hey, they'd like to give me a bug bounty, and then I said, oh, great, and they said, but in order to receive a bug bounty from Amazon, you must sign an NDA.

G: That's amazing, yeah, so they've since reached out to me and said this is not our policy, we won't do this in the future. I'm like, but you did, and repeat that even so.

G: Exactly, yeah, so yeah, apparently, yeah, so they are not willing... they offered to pay for, like... they offered me a thousand dollars, but, like, I...
C: Someone who used to work with the U.S. federal government, I will neither confirm nor deny your claims, yeah.

G: Well, so they did end up offering me a thousand dollars bounty, but okay, the provision was they can't offer it to me in cash, because I didn't sign the NDA, so they were offering me... I said, can you give me, I have, like, a thousand dollar Amazon gift card? And they said...

G: I know, they virtually offered me a thousand dollars of AWS credit, and I'm like, I don't use AWS that much, and so then I said this, and now I'm just like, okay. Can you just, like... my final answer is: can you double it and give two thousand dollars to events? Nice. All right, like, I don't really wanna play this game. You just, like, donate the money and double it, so.

G: If not, maybe I'm getting a thousand dollars in new apartment stuff, because we're moving. All right, I'm sending the... I'll send the link into the chat. Okay, and Sean, my intern, has been, you know, a good part of this whole project. He and I worked on data flow analysis and control flow analysis together, and it wouldn't have been as successful as it was without him being present in this project. So thank you to him as well.

D: Thanks to you both. Yeah, Amir, your hand's up.

A: Yeah, I'd love to bring something up, but you did mention Munawar giving an update, and I think he dropped when you mentioned that, but he has since rejoined, so I'd love to, you know, not jump ahead of someone else. Munawar, if you want to give an update first and then I can jump in next, if you like.

H: Hey, yeah, so I just joined this meeting for the first time, so I'm slowly trying to find my footing in, like, the different working groups. So this is the first time I'm joining this particular group. I typically frequent the Alpha-Omega meeting. "Frequent" doesn't... like, I've been there for the last couple of meetings, but yeah, I mean, so my interest has been, so...

H: We are building a bug detection tool that detects bugs with a very low false positive rate and also finds bugs that other tools miss, and so I've been working with Michael to basically create a PoC for an ambitious project where I want to scan the entire PyPI repository automatically, all three and a half million artifacts in that, and basically generate automated pull requests if the bugs are valid. So right now we're doing a PoC with 100-something projects, finding bugs.

H: These are all the top Python projects. It's available at pypi.openrefactory.com, and so right now we're reviewing the results and seeing that, if the results have a high concentration of true positives, we can actually generate automated pull requests for that. But I was interested in what Jonathan was saying, as in, like, what are the consequences of a bot-generated pull request, like whether they will be ignored or not, even if they're serious or not. So I'm just learning, but at the same time, yeah, hi.

H: Everybody, I'd like to be frequent in these meetings in future.
G: I will absolutely chat with you more about this. I do recommend watching the talk, but I had one vulnerability that I tackled, which was the HTTP-downloaded dependencies in Maven build files. That was the first project that I developed generation for, and I generated 1,596 pull requests for that, and as of... it says 2019, no, 2020 when I did it, and as of now we have about a 40% merge rate.

H: Why I want to align it with Alpha-Omega folks, and specifically, like, OpenSSF in particular, is that perhaps that also creates some weight, like when these pull requests are being sent, as in, like, this is approved or sent by OpenSSF as well, so that stamp of approval would probably nudge people more towards that. Again, like, I'm trying to find this thing in real time now to see, like, what is the ideal approach to go to.

H: I will, like, connect with Michael about a specific update, like... he was also reviewing the results, so I would appreciate some update from him at some point.

D: And for everybody else, I posted the link to the OpenRefactory thing in the meeting notes. Feel free to take a look. It's a list of projects, and you click in and then you see the diff, so you can see what the issue is and drill in and whatnot, so feedback useful there. Cool, let's see, other topics, which I didn't have. Did anybody else have other topics? Otherwise we can just kind of do strategic, kind of open brainstorming.

A: I had one, so I don't know if this would be the best group, or maybe if I should just join one of the next Alpha-Omega public meetings, but a couple cool things. So one, we have some impact reports coming out real soon, kind of just basically summarizing and aggregating some of our work, especially for the first half of the year, to give us kind of a sneak preview like Jonathan did, kind of build off of that. Some of our recent audits...

A: You know, we have resulted in over 130 security fixes and improvements and 45 CVEs reported and fixed, and a little over 50 fuzzers, so new tools built for these different projects that we've worked with. So going along with that...

A: We're thinking now into, especially next year, into 2023, and to start kind of putting some things together in terms of getting more audits done, and I wonder if it would make sense to approach y'all on the Alpha side especially and maybe work with y'all on coming up with... maybe even if we want to start with a couple. I don't know the best way to do that in terms of kind of separation of duties.

A: But I'd love to maybe explore that with the Alpha team to see if we want to start putting, like, a work package together of some projects and just start auditing them and continuing this good thing we've got going in terms of finding all these security issues and making the fixes. So is that something you think maybe I should get on, maybe in the next Alpha-Omega public meeting?
D: We can either do the public meeting or we could... we have a less public meeting where we talk every week on more internal stuff, but kind of... I think the question is aligning on, like, so right now, we've sponsored or granted or whatever you want to call it, we've given money to Node, Eclipse and Python. We have one more in the hopper that we're hoping to announce soon.

D: That'll put us at close to two of the five million that we have available, allocated, plus hiring. That'll get us to, like, three and change. So we do have a PM resource that's becoming available, and perhaps a product manager resource that's becoming available, so that'll round out the... let's get us unbottlenecked on Michael Windsor's and my kind of available time to do this stuff, and I think at that point it's good to say, okay, so we've done a handful of these larger ecosystem, systemic projects.

D: What about the, you know, we'll say that with the OpenSSLs and zlibs of the world, ubiquitous single library projects, and does it make sense to do audits of those, and how do we coordinate, and how do we make sure that what we're doing is, you know, effecting longer-term improvements to the project, and things like that? So I think that totally makes sense.

D: I wouldn't want you to put a lot of work into, like, coming up with that list before we have that discussion of, like, is that the next... like, you know, would it make sense to just put a pile of money that we have into... and pick 10 projects and kind of do those? So I think that's a great conversation. I will make sure that we sync with you. Feel free to reach out and, you know, ping us and stuff, but...

A: Okay, wonderful, yeah. Now I'm thinking, especially once we have at least this first impact report published, you know, I think we'll have a really strong case study, basically showing that, you know, hey, we've partnered with this organization, we've done some audits and we've, you know, had some good results, and would like to do it on more of a scale. So definitely, so I'll keep in touch with you over the coming weeks, and yeah, maybe I'll get in on one of your meetings and...

D: Further, folks, are there things that we should be doing that we're not? Are there things that we're doing that we should stop? Should we change, should we do more or less of things? Are there emerging threats that we're not really thinking about? It doesn't have to be structured. It doesn't have to be well thought out.

D: But I would suppose that, you know, if somebody had a great idea right now that said, you know, and we all agree like, wow, this is the most important thing that we should be doing, then we should be doing that and, you know, dropping something else, but, you know, want to make sure that we're not so hyper-focused on project status and kind of incremental improvements to those things that we're not looking at, like...

D: You know, this giant other thing that we should be thinking about. So there was the report, there was a tweet or something, it was just yesterday. It was in the general channel, about 35,000 GitHub repositories getting pull requests accepted that had...
G: It was 35,000 repositories, the examples of potential mischief, but it looks like... I saw that thing. It was, like, mostly about, like, the main... like, it was typosquatting or name squatting or, like, a lot of that stuff around, like, you know, "are you looking for the surprise story? Oh, this is the one you're probably looking for," and then not having malicious code in it, not like, right.

D: Right, right, so, but I think, you know, keeping an eye on those types of threats. So, to give a little bit of insight: my internal team, with my Microsoft hat, you know, we do kind of at-scale analysis of projects as they are published.

D: We do, you know, as a new package is published in npm, we do some checks. Depending on the output of that, we will report them to npm and get them taken down, and things like that, and I'm starting to wonder whether or not that work would be better situated within OpenSSF, because it benefits the ecosystem. There's... I don't think there's anything proprietary in there that we wouldn't feel comfortable, you know, making public. There is an operational overhead, like there's a cost to it, but OpenSSF has budget for that.

D: There's a people cost, because it takes time to go through these things, and, you know, we want to automate them, but for now it's a little painful, but I want to get thoughts on whether or not essentially an open source ecosystem...

G: Whatever happened to office hours, the, like, maintainer office hours, security people? Was that somewhere else?

D: No, it isn't. This group, Marta, runs that. She's not here today, but I think we're having the first one, I think, later this month. There was an office hours Slack channel with a link to the proposal and the Doodle poll to participate, and things like that.

A: Nice. One last thing I'll say, it's a little unrelated, but I did really think that we were on a good track with metrics.openssf.org. I know where that's going to continue and be augmented, but I just think it just makes so much sense to have a relatively simple way to, you know, access some of these different data points that normally are maybe a little harder to access, kind of on an individual level.

A: But if I could just type in, you know, open source project X, and, you know, get a good overview of the Security Scorecard and the Criticality Score, and integrating all these great tools that are out there, and integrating in different ways, I just think that it would just be so helpful. It'd be such a value add to the ecosystem. So I definitely don't think... and I know this wasn't the plan, but I don't think we should axe metrics.openssf.org.

A: And, you know, just augment it however we can, and I know folks are working hard on that, but I just think it's such a useful tool, and I just want to advocate for it again, that I think it's something that could be really useful for a lot of folks.

D: Yep, makes sense. I mean, I think... I don't think... I think, well, Christine, feel free to jump in, but...
D: Are there... so we had... actually, this goes back to last year. I don't know how budgets work in LF, but we did have a 40,000 budget to hire...

D: You know, a basic contractor for a little bit to build metrics.openssf.org, and it turned out that at the time it was just... the overhead to manage that was more than the value, so we just did it. But maybe that equation is different, and maybe that money's still available. Even if it's not, I think that, you know, perhaps as part of Stream 2, getting... pushing this forward might be...

D: You know, might be something that we could actually fund. It's also, like, realistically, it's probably maybe 20 or 30 hours' worth of work to, like, you know, fix the refresh and kind of do minor updates. It's not super complicated. It's just... I think.

C: Yeah, I think step one is either create the proposal, or I mean, you could just dust off the old one, but I suspect things have changed, so... but I think, write a proposal, send it up the flagpole. You won't get what you don't ask for, so.

C: Oh well, that's a different challenge, but in all seriousness, I think step one is to try to... it doesn't have to be... you know, you don't have to give the blow-by-blow, hour-by-hour. It's: what's the end state, some approximate idea of how to get there, ask, you know, a rough estimate on costs, you know, but some reasonable proposal.

D: ...wants to actually work on this from an engineering perspective. It's Linux, a little bit of Python. It's Grafana! It's some Docker! That's it! I'm happy to, like, hand over the keys, so to speak.

C: LFX Security, they've always been very concerned about expanding the scope to all open source software. That is a plausible outcome, but if that's not reasonable, then, you know, growing what's there is plausible too, but we just need to figure out... we need to figure out a reasonable story that makes sense.

C: Yeah, and I will say, you know, the CHAOSS folks, for example, have worked very, very hard on identifying metrics, and there's an Augur tool where, if you really want to delve into the metrics for a particular project, oh my gosh, they've got all sorts of cool stuff you can learn, but I think what most people want is: I go click and I get the key information and off I go.

C: You know, Open Hub used to be at least in that ballpark, but I don't think it's really been maintained for a while. I don't... the, you know, deps.dev could be that, LFX Security could be that, but we just need to figure out that story. I do think that LFX Security probably should be at least part of that story, but I don't know that that's... what we need to work out.

B: Makes sense. Roger, yeah. Hi, I would be interested in contributing to that. I don't know Python, so I... but this is.

D: Literally, like, 200 lines. It's super... it's not interesting at all, but no, that would be awesome. Let me... do I have your... I don't have your last... Are you on Slack?

D: It is awesome. I see you in Slack. I will reach out to you and we'll sync up, and then, Christine, we'll sync back. I think this might just be a "let's keep the lights on" on metrics, so that, you know, the certs don't expire and we can refresh it more than once in an eon.

D: We are at time. Thank you all very much for contributions and chat and everything. This was a really good meeting. We will sync up again in two weeks, and in the meantime, expect the Doodle poll from me later today. Thanks, everybody. Thank you. Thank you.