From YouTube: OpenSSF Identifying Security Threats WG (April 26 2023)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
D
A
A
But
I'm
here,
but
maybe
I
shouldn't,
take
notes
right
now.
C
C
C
All
right
welcome
everybody
to
the
April
26th
downtown
security
working
group.
I
will
be
your
host.
Do
we
have
any
new
members
who
would
like
to
introduce
themselves
I?
Think
I
think
everyone
has
been
here
before,
but.
C
All
right,
so,
let's
see
project
updates.
Do
we
have
anybody
who
would
like
to
update
us
on
some
of
the
work
that
they
are
working
on.
E
E
Lucci,
okay
about
the
security
insights
in
the
last
week.
Slowly
for
my
fault,
it's
my
math,
but
I
have
collected
a
lot
of
feedback
by
Jonathan
good
feedback.
Honestly
I
mean
a
very
good
argumented
and
opinions
and
the
comments,
and
so
there
are
two
up
and
pull
requests
ready
to
be
merged.
E
One
is
to
improve
the
granularity
and
the
information
that
Montana
can
share
about
automated
tool
and
Bot.
So
what
bot
or
automated
tool
can
do
on
that
repo,
for
example,
open
issue
or
open
full
request
to
fix
something
or
something
similar.
This
was
a
real
use
case,
because
Jonathan
is
a
very
a
massive
open
source
researcher.
So
you
need
to
optimize
how
he
submits
the
order
fix
of
the
he
should
report
something,
and
there
is
also
an
improvement
that
is
can
be.
E
That
is
definitely
something
that
we
need
to
prove
so
in
the
in
the
section
to
to
link
the
security
inside
so
the
repo
to
the
different
ecosystem.
Where
the
package
is
deployed,
there
was
a
regex
that
permit
just
HTTP
or
https
URL,
but
it
is
better
if
we
support
package
URLs.
E
That
is
now
a
standard,
something
similar,
so
I
am
just
changing
that
and
then
there
is
a
probably
the
most,
not
critical
but
most
important
or
with
the
and
high
impact
on
the
specification
and
another
purpose
to
remove
all
the
dependencies
key
with
the
information
about
the
third
party
packages.
So
the
link
to
the
dependency
file
like
requirement.txt
or
package.json
similar,
and
also
this
bomber,
where
that
was
a
key
or
a
value,
to
add
a
link
to
this
bomb
file.
E
There
are
two
reasons
two
main
reasons
I
tries
to
summarize,
but
do
not
at
least
correct
me
if
I
summarize
in
the
wrong
way,
but
the
reason
to
remove
the
packages
link
I
mean
the
file
like
requirement.txt.json.
Is
that
it's
not
clear
about
this
a
package
file,
because
if
you
have
a
docket
file,
you
need
to
link
what
everything
that
you
upload
in
the
docker
file
or
or
what
or
what
does
and,
in
addition,
scanner
are
quite
good
to
find
to
find
this
file.
E
So
it's
something
that
is
not
so
important
to
have,
because
yeah
there
are
sometimes
misalignment
between
scanner
and
specification
like
python.
Now
is
try
to
change,
but
it's
not
so
critical
in
Scandal
are
quite
I
mean
maintainer
of
scanner
like
quite
fast
and
quick
to
to
align
the
scanner
to
this
kind
of
requirements
and
files,
and
about
this
bomb
there
is
no
standard
or
there
is
no
a
unique
way
or
a
standard
way
to
deploy
or
to
share
this
this
file.
E
At
the
moment,
it's
not
clear
where
project
or
company
should
share,
despite
there
is
not
a
sort
of
centralized
service
to
collect
all
this
bomb.
There
is
no
standard
for
the
nomenclature
of
the
file,
so
Jonathan
suggests
to
not
have
these
this
voice
in
the
specification
honestly
I,
don't
know,
I
have
no
strong
opinion
about
this.
I
can
understand
this
point.
E
At
the
same
time,
maybe
it
can
be
interesting
to
know
if
where
people
share
this
file,
but
this
can
add
the
friction,
because
if
you
change
the
spam,
this
bomb
or
you
just
automate
this
bomb
generation,
the
deployment
of
this
bomb
file
for
every
release
that
you
you
made.
This
means
that
you
need
to
update
the
security
insights
to
for
every
release.
That
is
quite
annoying
because
it
is
a
human
file
that
can
be
read
by
scanner,
but
it
is
a
human
file.
E
The
Yemen
file
so
I
agree
that
maybe
we
can
deprecate
this
bomb
value,
but
at
the
same
time,
in
this
bomb
project
that
now
it's
quite
important,
I
say
I
see
that
companion
projects
are
trying
to
implement
it.
Maybe
we
need
them,
I
mean
a
sort
of
standardization
on
how
we
want
to
share
and
name
this
file.
That
is
a
good
point.
It
is
a
good
discussion,
not
just
what
the
security
in
size.
It's
a
good
discussion
for
this
bonfire.
E
In
my
opinion,
I,
if
you
got
on
the
report,
there
is
the
entire
thread,
and-
and
that
is
why
Jonathan
suggests
to
remove
the
dependency
honestly.
They
are
good
arguments.
I
can
agree,
especially
because,
if
in
the
future
we
want
to
implement
or
react,
then
we
can.
We
can
change
the
version
of
the
specification,
so
there
are
no
particular
conflict,
but
if
we
want
to
release
a
version
one
and
try
to
test
it
in
our
repo,
maybe
we
need
to
have
something
that
is
easy
to
use.
A
E
Is
that
but
yeah
at
the
moment,
it's
not
easy
to
find
this
bomb
file,
because
there
is
no
standard
there,
yeah,
okay
added
to
the
security
insights.
It
is
better
than
nothing
and
at
least
the
scanner
can
find
it,
but
without
having
a
standard
at
the
moment
you
need
to
release
s-bomb
for
every
project
release
because
every
version
you
have
maybe
change
and
you
need
to
have
a
new
spawn
file.
So
you
need
to
update
the
security
site
for
every
list
that
you
do.
E
Okay,
you
can
automate
it
it's
the
yaml,
so
it's
very
easy
to
automate
this
kind
of.
But
the
point
is
that
there
is
not
an
easy
way
for
now
for
scanner
for
human
and
also
for
specification
to
create
a
place
where
people
can
easily
communicate.
I
mean
or
you
put
in
the
repo
in
the
main
folder
and
now
in
the
maintainer
at
the
user-
can
easily
find
it.
But
there
is
no
stand.
E
I
have
tried
to
rejects
Google
to
understand
if
people
use
all
the
same
folder
or
the
same
URL
path
or
something
similar
or
if
the
package
stream
systems
start
to
support
this
bomb
file.
If
I
remember
correctly,
there
are
some
attempts
from
some
packages
system
I'm,
not
totally
sure,
but
at
the
moment
there
is
no
standard
and
this
make
hard
to
maintain
the
security
inside.
So
if
we
don't
have
a
standard.
A
Yeah
I
I
agree
that
there's
a
need
for
such
a
thing
and
I've
talked
to
some
other
folks
about
this
I
I'm,
not
sure
I
can
give
you
answers,
but
I
may
be
able
to
give
you
some
insights
upon
not
intended
I.
Think
one
of
the
challenges
is
that
security
insights
yaml
is
at
least
as
my
understanding
is
fundamentally
mapped
to
a
particular
source
code
Repository
and
while
and
yet
there
are
many
ways
that
s-bombs
can
get
generated.
A
A
You
know
so
you
know
I
I.
You
know
if
this
is
becomes
especially
obvious
when
you
do
look
at
system
packages
where
typically
every
Linux
distro
has
its
a
separate
package
for
Mac
OS,
there's
going
to
be
at
least
one
for
brew,
there's
going
to
be
one
or
more
for
the
Microsoft
Windows
ecosystems,
often
recompiled
in
every
use,
and
so
the
reality
is
that
an
s-bomb.
A
You
know
if
you're
gonna,
you
know
you
can
generate
an
s-bomb
of
sorts
from
the
source
code.
They
have
that.
Has
this
weaknesses
the
you're
going
to
get
more
accurate
information
at
the
build
time,
but
now
a
you
have
to
probably
modify
the
build
process
to
capture
it
and
B.
You
have
to
figure
out
how
to
find
how
to
make
it
so
that
recipients
can
figure
out
where
it
is
and
and
then
it
maps
to
that
package,
and
not
this
one,
so
I
think
it's
more
complicated.
I
mean
yeah
I!
A
Think
it's
more
complicated
than
hey
I've
got
a
source
repo
where's
my
bomb.
Well,
unless
they're
doing
a
source
code
bomb,
probably
the
wrong
place
to
even
ask
now
that
doesn't
unfortunately
tell
you
what
to
do.
A
Can
just
tell
you,
the
I
could
tell
you
some
of
the
challenges
with
doing
it,
the
at
the
source
code,
repo
level
I,
do
think
this
needs
to
get
solved.
I
don't
have
a
simple
solution
for
it
and
if
somebody
does
I
would
be
delighted
to
hear
it.
E
C
I
I
think
that's
that's
a
good
point.
I
I
started
out
thinking.
No,
of
course,
we
should
put
s-bomb
in
there
and
now
I'm
like
right
along
the
line.
I.
Think,
like
you
know,
the
security
spec
isn't
repository
Centric.
It's
it's
just
a
file
that
list
that
lives
with
a
bunch
of
other
files,
so
you
could
distribute
it
along
with
your
package
to
point.
So
if
it's
in
your
package,
your
sbomb
is
called
food,
not
an
s-bomb.
C
C
B
And
this
spot,
this
file,
as
it's
described,
is
there's
a
quote
from
the
readme.
This
file
is
then
put
under
Version
Control,
provided
to
potential
users
and
updated
as
needed.
It's
intended
to
be
checked
into
Source
control
as
a
yeah
right
like.
If
that's
the
intended
discovery
of
this
file,
then
it
shouldn't
be.
B
A
So
so
you
could,
for
example,
like
GitHub
can
generate
spdx
s-bombs
from
The
Source.
The
problem
is
that
that
is
only
accounting
for
the
source
code,
not
for
the
software
is
built
and
since,
in
many
cases
the
Builder
is
a
separate
org
source
code
may
or
may
the
the
source
code
distributor
may
not
have
any
knowledge
of.
B
A
From
from
from
The
Source
repo,
yes
there's
different
kinds
of
s-bombs,
and
this
is
there's
a
paper
that
I'm
hoping
someday
it
might
before.
I
die.
A
Because
it's
been
it's
been
finished
for
several
months:
I'm,
not
sure
why
it's
not
been
released
yet,
but
it's
been
observed
that
a
lot
of
folks
have
been
studying.
Yes,
bombs
that
there's
fundamentally
different
kinds
of
vest
problems,
very
much
influenced
by
the
inputs
that
they
use.
So
what
people
are
calling
Source
s?
Bombs
are
s-bombs
generated
purely
from
the
source
code.
You
absolutely
can
do
that
from
a
repo.
A
C
I
can
reject
it
package,
log
files
are
generated
and
best
practices
generally
to
check
those
into
the
repo.
Does
that
change
things
yeah.
A
No
because
yeah
they're
they're
generated,
but
the
assumption
is
that
in
fact
you
could
generate
others,
but
this
is
the
one
we
care
about
and
we
are
forcing
we
we
are
specifically
forcing
lock.
Files
are
actually
an
interesting
case
because
you're
right,
they
are
generated,
but
they're
generated
with
other
data.
A
No
and
here's
why
and
it's
a
great
question,
and
you
know,
and
if
obviously
there's
in
reality,
of
course
there's
gradations
here,
okay,
so
so
let
me
attempt
to
create
an
intellectually
honest
answer,
even
though
we
all
know
that
there's
nuance
and
complications-
okay,
I
always
try
to
be
as
honest
as
I
humanly
can
be.
But
the
rationale
here
is,
you
know
a
a
typically
when
people
talk
about
an
s-bomb
they're,
referring
to
a
particular
package.
A
Basically
I
took
source
code,
I
compiled
it
somehow,
that's
the
software
I'm
actually
using
I'm
generally,
not
using
the
original
sources
I'm
using
something
that
was
built
in
practice
in
many,
though
not
all
ecosystems.
That
process
brings
in
other
stuff
that
isn't
in
the
repo,
and
you
cannot
just
guess
from
the
repo
itself.
Whatever
else
is
going
on,
I'll
give
you
a
I
mean
it's.
A
This
becomes
painfully
obvious
for
the
systems
level
languages
where
you
start
yanking
in
Library,
System,
libraries,
other
kinds
of
components,
there's
configuration
options
that
are
specific
to
a
system,
and
the
result
is
that
there's
software
in
there
that
you
wouldn't
have
that.
You
can't
be
sure
of
looking
only
at
the
source
code,
whereas
the
lock
file
is
just
saying
you
know
of
the
options.
Here's
you
know
of
the
version
options,
here's
the
ones
that
we
are
going
to
lock
that
we
recommend
locking
into-
and
we
know,
work.
E
To
say
just
one
thing
about
how
and
why
of
what
was
in
my
mind
when
I
have
added
this
bomb
in
spam
in
security
insights,
when
I
added
it
I
knew
that
there
was
not
a
standard
or
a
standard
place.
To
put
it
and,
in
my
mind,
I,
remember
my
product,
because
I
found
it
on
Google
I
have
seen
that
some
projects
are
not
not
open.
So
just
some
projects
released
this
bomb
in
a
part
of
the
URL
of
the
main
page.
E
Like
you
have
a
psy.com
download
to
download
the
the
the
the
program
or
the
app
you
have
a
site.com
slash
bomb
and
the
list
of
bomb
technically
just
one
for
the
last
version,
but
it's
not
important
at
the
moment.
So
the
idea
was
that
people
at
the
Indus
by
my
URL,
with
a
sort
of
folder
or
path
where
they
put
the
all
these
bumps
up
more
for
the
human,
then
for
the
scanner
for
now,
but
I
agree
with
Jonathan.
E
Also
why
there
are
good
reason
to
not
have
this,
but
instead
to
not
had,
if
we
add
it,
but
in
a
sort
of
optional.
So
you
don't
need
to
add
it
to
the
security
insights
and
we
add
the
comment.
That
is
an
experimental
feature,
just
to
say:
hey.
If
you
have
a
Spam,
please
share
a
sort
of
generic
link
where
people
can
find
it,
so
we
can
start
to
map
how
people
share
this
bomb
file.
B
You're,
if
you're
putting
this
information
right
in
a
file,
that's
intended
to
be
read
by
machines.
It
should
not
be
generic
where
how
to
interpret
a
value.
It
should
be
right
like
if,
if
you
want
it
to
be
something
that
we
understand,
we
can
encourage
people
to
put
it
in.
C
D
C
B
E
B
Soon
as
you
as
soon
as
you
start
publishing
things
with
version
paths,
then,
if
there's
no
standardized
way
of
saying
okay
for
this
s,
bomb
I
want
to
access
this
version.
At
this
subpath
right,
you
can't
link
to
the
actual
s-bomb
you're
linking
to
a
sub
path
of
the
the
folder
that
contains
those
s-bombs
and
you're,
not
linking
to
the
s-bomb.
E
Yeah
I
understand
all
your
points,
but
there
are
two
things:
the
Security
Site
initially
born
to
aggregate
information
that
have
no
standard.
For
example,
a
lot
of
projects
have
a
security
policy,
but
not
in
the
same
place,
so
scanners.
Sometimes,
for
example,
the
scorecard
evaluate
a
project
in
a
bad
way
or
just
don't
give
points,
because
the
tool
was
not
able
to
find
the
security
policy,
but
the
patch
Foundation
had
the
security
policies
just
in
a
different
in
a
different
place.
E
So
the
idea
is
that
we
can
use
the
security
inside
to
start
to
map
how
people
share
this
bomb
and
we
can
write
in
the
comment
on
the
specification
comment
that
it
is
an
experimental
label
or
value,
and
you
don't
need
to
change
for
every
version,
just
try
to
give
a
point
appointed
people,
human
initially
and
then
in
the
future
scanner.
E
E
Does
for
the
security
doctor
name
that
had
the
link
if
there
is
a
security.md,
but
you
the
scanner,
can
decide
also
to
ignore
this
bomb
in
the
security
insights,
because
at
the
moment,
it's
just
experimental
because
they
have
seen
that
don't
can
cannot
trust
the
information
for
a
lot
of
reasons,
but
at
the
same
time,
scanner
can
start
us
to
aggregate
information
and
say:
oh,
the
50
percent
of
project
puts
bomb
in
this
folder
or
using
this
nomenclature.
Maybe
we
can
standardize
this
nomenclature
or
suggest
this
nomenclature.
E
So
there
is
also
this
approach
or
goal
in
the
security
insights.
Try
to
understand
how
people
use
a
specification
or
standard
or
just
the
new
file
and
something
similar.
Even
if
I
totally
agree
with
you
and
probably
we
can
add
the
disclaimer,
you
don't
need
to
update
the
security
in
size,
whatever
just
bomb
has
I,
don't
know
the
version
or
the
commit
or
something
similar.
We
cannot
just
say,
share
an
example
link
and
explain
in
the
comment
section
how
to
reelaborate
it,
and
that
is,
we
have
a
comment
section
for
this
reason.
E
Also
for
the
security
for
the
security
report,
I
mean
for
the
penetration
test
report
that
some
projects
have.
There
is
no
standard,
but
a
lot
of
Open
Source
projects
have
a
yearly
penetration
test.
You
you
don't
know
where
they
are
stored
or
shared.
You
want
just
to
have
a
link
and
it's
better
than
nothing.
Then
we
can
start
also
to
type
so
I.
B
Think
the
biggest
problem
here
is
that
there's
no
clearly
defined
user
story
for
what,
like
what
I
think
that
it
would
be
useful
to
start
from
a
point
of
what
are
the
user
stories
we
are
trying
to
achieve
here
right
like
it.
If,
if,
if,
if
we
don't
have
user
stories,
then
all
of
these
are
well,
maybe
you
want
to
do
this?
Well,
maybe
we
want
to
do
that.
Well,
maybe
like
it's
like
it's,
it's
not
a
clearly
defined.
These
are
the
set
of
constraints
and
the
use
cases
that
we
are
trying
to
satisfy
the.
E
B
E
A
I
I
I
I.
Actually,
let
me
cut
to
the
chase,
which
is
I,
think
the
assumption
is
that
it
must
be
machine
processable,
because
if
it
only
has
to
be
processed
by
a
human,
we
don't
need
it
within
this
file.
Correct
readme's
already
exist
so
since
readme's
exist.
The
only
reason
to
put
something
in
security
insights
is
because
you
want
to
be
able
to
understand
it
in
some
other
way
as
well.
E
Properly
it's,
for
example.
Again
the
security
policy
is
a
good
example.
Not
all
the
projects
have
the
same
URL
for
the
security
policy.
You
add
the
URL
in
the
security
inside,
so
the
scanner
report
report
you
directly
in
your
dashboard,
together
with
other
information.
For
example,
you
can
aggregate
information
about
the
penetration
testing,
the
security
MD,
so
you
can
know
if
a
project
have
all
this
thing
and
at
the
same
time
you
have
a
URL
that
a
human
can
read,
because
the
security
policy
is
a
sort
of
revenue
for
security.
E
So
a
scanner
cannot
read
it
for
you,
but
you
can
aggregate
a
lot
of
information
that
maybe
are
in
the
security
team
policy
that
are
written
just
in
human
way,
but
you
add
it
in
the
security
inside.
So
a
machine
can
read
it
for
you,
according
to
the
purpose
or
the
goal,
that
you
have
just
compare,
multiple
projects
for
compliance
or
just
to
find
find
easier.
Some
information,
for
example.
If
you
are
a
human,
you
can
find
easy,
the
security
policy,
but
you
need
to
read
it
to
find
the
security
contact
in
the
security
side.
E
You
can
easily
find
a
scanner,
can
easily
read
the
file
to
find
the
security
contact
or
to
know
if
you
have
a
back
Bounty
or
to
know
if
you
have
a
penetration
test.
But
if
you
want
to
read
the
penetration
test
wrapper,
that
is
a
PDF
file.
You
need
to
be
a
human
same
first
bum.
E
B
A
It
is
also
a
readable
human
readable,
but
you
know
it's
there's
a
this
is
semantics
and
so
on
same
for
cycling,
DX,
yeah,
so
I
I,
guess
you
know,
as
I
I
talked
earlier,
about
build
s-bombs
but
as
I
thought
more
about,
like
you
know,
lock
files
lock,
files
I
think
are
a
great
example
by
the
way
Michael.
So
if
you've
got
a
source,
s-bomb
I
can
certainly
see
that
getting
checked
in
and
and
and
s-bombs
of
packages
that
are
getting
embedded.
A
If
you
do
I
mean
I'm,
not
sure
it's
a
great
idea,
but
certainly
some
people
do
embed
that
stuff.
So
if
you're
embedding
that
sort
of
stuff
now
I
can
see
it
where
it's
not
just
s-bombs
in
general,
it's
Source
s
bombs
and
then
you're
pointing
off
to
you
know:
hey
the
name
of
the
file
of
the
source:
s
bomb
is
foo.you,
know.spnax,
dot,
Json
or
whatever
you
know,
whatever
the
the
s-bomb
format
and
the
file
of
that
s-bomb
is
what.
A
This
one
I
was
mentioning
earlier
as
and
as
as
this
is
the
document
that
has
has
been
written
for
months
ago,
but
still
not
released.
There
are
different
kinds
of
s-bombs
and
when
you
got
get
into
this
stuff,
all
of
a
sudden,
you
realize
Oh
wait
we're
talking
past
each
other.
A
source
best
bomb
is
an
s-bomb
generated
from
just
the
source
code.
A
A
Is
probably
not
right
is
probably
not
fair,
I
would
say,
and
a
sources
bomb
is
the
best
information
you
have
when
all
you
have
is
source
code.
A
Without
knowingly
build
without
knowing
about
the
build
environment,
what
can
I?
What
can
you
tell
me
turns
out?
You
can
tell
a
lot
actually
just
from
a
source
s-bomb.
You
know,
particularly
if
there's
a
lock
file,
hi
Michael
you
can.
You
actually
can
know
a
whole
lot
about
the
dependencies.
Not
everything
I
mean
trivial
example
might
be.
You
know
if
you're
using
well
numpy
may
not
be
the
best
example,
but
you
know
I'm
gonna
go
with
it
for
now.
A
Numpy
is
a
widely
used
package
on
python.
If
you
say:
hey
I
bring
in
numpy
it'll,
say:
okay
I
bring
in
numpy
what
does
numpy
bring
in?
Oh
well,
now
that's
a
different
issue.
You
start
tracking
down
and
you
find
out.
Well,
it
depends
on
how
it's
built
you
may
suddenly
Define
you're,
depending
on
many
many
lines
of
Fortran
code,
because
it
depends
on
Matrix
multiplications
and
all
that
code
is
heavily
heavily
owned
over
decades
in
Fortran.
A
But
you
wouldn't
know
that,
if
all
you
see
is
the
source,
because
that
depends
on
build
and
system
and
so
on,
I'm
overstating
it.
But
my
point,
though,
is
that
there's
some
things
you
can
tell
and
some
things
you
can't
with
this
ursus
bomb.
You
can
get
a
lot
of
information,
but
you
have
necessarily
don't
have
some.
F
I,
don't
know
it's
perfect.
I
just
wanted
to
mention
that,
for
example,
the
dependency
resolution
in
different
programming
languages
present
a
lot
of
problems
and,
for
example,
my
my
my
tool
of
choice
is
Java.
So,
for
example,
we
have
tons
of
blog
sessions
about
the
dependency
resolution
hell
and
how
complicated
is
to
build
the
graphs
so
analyzing
the
dependencies
by
what
actually,
at
the
end
of
the
process
of
resolving
dependencies.
F
It's
it's
totally
different
from
the
one
that
you
get,
for
example
in
the
Palm
XML
or
your
packages,
and
if
you're,
using
JavaScript
and
yes
mentioning
just
expanding
on
what
you
were
mentioning
about
the
build
because
I
also
sit
down
in
the
s-bomb
everywhere
working
group.
Yes,
it's
also
about
like
the
the
CI
CD
agents
that
we
want
to
know
what
specific
versions
and
actually
trust
the
agents
that
are
actually
building
from
source
and
generating
the
different
artifacts.
F
So
every
single
part
of
this
process-
it's
really
interesting
and-
and
there
are
there-
is
in
a
specific
format
that
we're
not
using
it.
So
much
is
the
swid
tax.
That
is
also
telling
us
about
not
only
the
build
but
who
build
it,
who
built
it
in
terms
of
what
actual
agent
version
and
information
about
the
environment
that
it
was
built.
F
E
It
is
a
good
question
because
I
mean
it
was
bomb,
but
it
is
very
generic
and
yeah.
It
is
a
standard,
but
I
mean
standard
is
a
very
elastic
term.
So,
honestly,
I,
don't
know
how
to
answer
to
your
question
and
honestly,
initially
I
would
like
just
to
see
how
people
use
this
section.
E
B
Would
say
here
here,
like
I,
think
that
the
thing
that
I'm
struggling
with
here
is
like
there's
you
there
we're
building
a
specification
without
defining
like
there
is
no
users
that
we
have
for
this
thing
and
like
there's
not
even
like
a
python
script
to
pull
this
stuff
down
and,
like
visually
present,
the
information
in
a
way
that,
like
might
be
something
or
like
it's
not
being
pulled
by
any
of
the
various
different
dashboards,
the
open
source
security
Foundation
has
right
so
like,
even
if
we
wanted
to
just
take
this
data
and
pull
it
down
and
like
make
it
into
a
user
interface.
B
That,
like
shows
this
information,
that's
like
that
use
case
of
like
hey.
Are
we
providing
enough
information?
Are
we
not
providing
it
like?
Are
we
providing
too
much
information
like
how
div
and
then
also
having
one
of
these
things?
Actually
like
I,
don't
know
if
anybody
else
has
actually
implemented
these
things
for
any
other
projects
like
how
hard
is
this
thing
to
actually
Implement,
as
it
is
right
without
those
three
sort
of
things
using
it
and
actually
trying
to
implement
it
for
a
real
project?
A
Yeah
we
we
do
you
Luigi
and
I
did
talk
about
maybe
using
this
as
an
input
to
the
best
practices
scorecard.
Sorry,
scorecards
and
best
practices
score
cards
at
least
last
I
checked
is
not
interested.
They
only
want
to
do
automated
analysis
and
if
it's
asserted
by
the
project,
they
don't
want
to
use
the
data
best
practices
badge.
We
are
absolutely
willing
to
use
it,
but
we
also
generally
require
rationales
and
I'm
mapping
to
the
specific
criteria.
I
don't
lose
you.
E
For
the
metric
dashboard
that
now
we
have
a
new
project,
but,
for
example,
there
are
a
lot
of
good
information
that
are
not
maped
in
our
business
project.
But
Bunty
is
one
of
these
information
about
Security
contact
that
sometimes
it's
not
easy.
We
have
at
the
moment
a
scanner
that
try
to
find
contact,
but
that
is
the
best
solution
that
we
have.
E
We
sometimes
also
the
security
policy
was
not
in
a
standard
place.
The
penetration
test
report
and
generic
information
about
the
poster,
for
example,
cambot
or
not,
opening
for
request.
Can
you
open,
pull
request
or
not
I
mean
sometimes
you
can
find
easily
eat,
especially
if
you're
human?
You
can
check
on
Gita,
but
you
see
that
the
issues
are
closed,
for
example,
something
similar
or
the
poor
request.
Sometimes
you
see
that
in
GitHub
you
have
just
a
mirror
and
the
original.
E
And
this
means
that
the
scorecard
cannot
really
check
this
security
standard
on
the
security
posture.
You
are
just
checking
probably
a
mirror,
and
you
don't
know
how
it
is
updated
or
not,
and
the
security
Insight
is
something
that
is
independent
by
the
platform.
You
just
need
to
follow
the
specification,
and
at
least
we
can
have
something
that
you
can
wrap
in
every
moment.
So
this
was-
and
there
are
some
user
case
in
the
redmi.
There
is
a
section
that
Michaels
are
already
Linked
In,
the
chapter
for
which
kind
of
user
can
be
user.
E
That
can
use
the
project
user
that
can
want
to
contribute
to
the
project,
the
security
researcher,
the
maintainer,
so
people
that
won't
create
scanner,
and
this
is
the
reason
why
we
would
like
to
have
seen
a
similar
file.
So
technically
we
have
use
case.
The
point
is
that
you
cannot
land
the
specification
without
to
be
sure
that
we
test
the
minimum
information
that
can
be
helpful
and
if
we
are
not
able
to
find
to
agree
in
our
Organization
for
sure
the
standard
cannot
be
adopted
by
the
community.
E
I
mean
it's
very
hard
to
convince
people
to
use
something,
even
if
you
have
an
RFC,
even
if
you
have
all
the
documentation
that
you
want
to
have,
it
needs
to
be
easy
to
use.
You
need
to
have
a
good
information,
and
probably
it
need
to
be
easy
to
maintain
and
you
need
to
be
read
by
human
and
machine
because,
yes,
maybe
we
are
able
to
to
create
script
and
automate
or
create
a
custom
flow,
especially
big
company.
But
again
the
open
source
is
made
by
people,
a
single
person
that
maintain
a
project.
E
Usually
you
have
no
team,
you
are
just
a
single
person
and
you
will
not
create
a
pipeline.
You
want
just
to
read
the
file
and
find
the
information.
So
you
are
a
human,
and
this
price
should
help
the
community,
not
just
the
big
big
teams
or
corporate
for
sure
it
can
be
good
also
for
corporate,
because
it
is
a
yaml
and
yeah.
E
B
This
topic
ties
into
the
other
one,
which
is
like
the
topic
of
third-party
packages
and
like
the
dependency
lists
so
like
there.
That
was
another
field
that
I
just
proposed
that
get
t-gank
out
because
dependencies
right,
you're
listing
you're,
giving
a
dependency
list,
but
that
dependency
list
is
also
variable
and
it's
something
the
bill
generates
and
it's
not
static
right.
It's
like
you're
asking
for
a
field,
that's
non!
That's
that's
that,
like
going
to
fluctuate,
as
you
actually
are
developing
the
project.
A
Redefine
it
is
just
the
statically
declared
dependencies,
which
is
what
source
code
files
typically
do
anyway.
I
don't
have
any
trouble
with
that,
although
I'm
not
sure
why
we
need
to
restate
it.
To
my
knowledge,
there.
B
Is
I
I?
Don't
again,
I
don't
get
what
the
value
is
especially
like,
for
example,
you
have
Gradle
build
files
right
Gradle.
You
can
have
your
your
dependencies
in
multiple
different
gradle.build
files.
You
may
have
them
in
build
up
build.graded
like
ATS
files.
You
may
have
them
in
a
dependencies.tommel
file.
You
may
have
them
in
like
a
bunch
of
and
like
also,
you
can
do
multiple
of
those
things
right
and
then
also
at
the
end
of
the
day.
B
E
I
can
explain
also
why
I
have
the
the
dependency.
It
is
quite
easy.
The
main
reason
is
that
a
lot
of
scanner,
especially
security
scanner,
check,
just
the
major
languages
at
the
measure
dependencies
file,
if
you
use
a
language
is
that
is
not
so
popular
or
not
popular
enough
for
a
company
that
provider
dependency
scanner,
probably
you
and
you
launch
the
scanner
you
and
read
the
output
you
just
ignore,
because
there
is.
There
is
no
information
in
the
output
that
there
are
maybe
other
languages
or
other
dependency
you
finding
the
dependency.
E
You
can
understand
the
languages,
for
example,
or
for
scripting,
for
a
lot
of
reasons
that
are
in
the
repo,
especially
for
big
repo
that
have
no
single
language.
Now.
Github
do
a
very
good
good
overview
of
the
language
that
are
used
in
a
repo,
but
it
is
again
it
is
GitHub
and
the
idea
is
to
not
be
too
much
dependent
by
the
platform,
especially
because
there
are
a
lot
of
projects
that
are
not
in
GitHub
and
just
for
example,
PDF,
fume,
chromium
and
a
lot
of
Google
projects
are
not
initable.
E
So
if
we
want
to
have
something
that
can
really
scan
the
code
base,
we
need
something
that
and
can
help.
We
need
something
that.
A
Directly
from
API
I
guess
I'm
confused,
though
I
mean
yeah
I
totally
agree
with
the
hey.
The
world
does
not
begin
the
under
GitHub
or
any
Forge
or
any
of
these
others,
but
for
the
most
part,
there's
already
existing
tools
that
do
a
lot
of
this
kind
of
analysis,
presumably
we're
not
replacing
them.
Example.
C
C
A
We
go
okay,
all
right
now
now
now
you're
starting
to
sell
me
on
this.
Yes,
because
what
I
was
afraid
of
is
the
Luigi
I
was
afraid.
This
was
re-implementing.
Oh
python
has
its
own
system.
Ruby
has
its
own
system.
If
we're
trying
to
re-implement
everybody
else's
systems,
I'm
scared,
it's
not
important.
If
the.
D
E
D
A
G
A
But
but
you
know,
but
let's
ignore
that
for
the
moment,
if
the
point
is
additional
dependencies,
I
would
encourage
the
field
name
to
be
named
additional
dependencies
and
then
make
it
really
clear
that
this
is
for
marking
dependencies
that
aren't
otherwise
marked
using
the
typical
ecosystem
or
something
like
that,
because
otherwise
I
just
don't
want
to
reinvent
the
wheel
here.
Wow.
B
Okay,
again
Ask
the
maintainer
to
like,
are
we
it's
a
it's
an
s-bomb
right
like
at
that
point,
you
should
should
the
maintainers
be
publishing
an
s-bomb,
and
is
this
something
that
should
be
statically
listed
inside
of
a
repository
file?
Or
is
this
something
that's
like
a
living
like
again?
This
document
is
intended
to
be
okay.
You'll.
Have
this
document
someone's
going
to
write
it
and
then
they're
going
to
leave
it
alone
and
they're
going
to
forget
about
it
for
years?
Right,
probably
yeah.
Do
you
like?
E
Some
information
in
the
security
inside
can
lose
the
value
over
time
for
sure
it
is
designed
to
be
to
be
so.
The
point
is,
if,
in
the
future,
every
project
or
we
and
find
a
good
way
to
share
the
plot,
write
and
deploy
as
bomb
file.
Probably
you
don't
need
to
have
a
dependency
file
or
something
similar
if
there
is
a
sort
of
a
big
spawn
with
all
transversal
to
every
package
system,
something
similar.
This
means
that
we
can,
in
the
future,
remove
the
dependency
just
in
favor
of
this
Bond
file.
B
If,
in
my
like
in
it,
it
says
you
know,
the
description
is
defined
if
the
project
uses
third-party
packages
and
that
the
argument
that
I
had
to
Luigi
was
that
will
always
be
true.
You're
writing
a
python
project.
You
depend
upon
the
python
standard,
Library
you're,
writing
a
Java
project.
You
depend
upon
the
Java
standard
library
right.
B
C
The
the
point
of
this
so
I
I
think
I
remember
when
this
came
up
like
a
long
time
ago,
and
it
was
really
about
like
do.
You
have
to
worry
about
other
things
and
I.
Think
I
agree
that
in
the
vast
majority
of
cases
the
answer
is
yes,
but
I'm,
not
sure
if
it's
is
even
one
of
those
depends
on
another
package,
the
other
one
does
not
now.
C
Maybe
we
need
to
just
Define
it
better
to
scope
out
standard
library
and
platform
and
Os
and
bios
and
junk.
But
like.
C
Like
I
mean,
it
may
also
be
uninteresting
because
that
information
is
available
in
the
lock
files
and
the
dependent
requirements.txt
and
the
additional
dependencies.
So
if,
if
like
none
of
those
exist,
then
you
then
the
uses
third-party
dependencies
as
like
by
definition
false.
Yes,
otherwise
it's
by
definition,
true.
So
it's
really
a
calculated
field,
which.
E
In
addition,
again,
scanner
can
find
some
dependency
file
for
popular
languages,
but
not
all
dependencified
for
all
the
languages.
E
Okay, you can aggregate a lot of scanners, but no one does this. Scanners are GitHub scanner, are Snyk, some other tool. Bio was Java and mad, but that is for a lot of popular enough, but not, I mean, popular enough to be used by enough users. For my constitution, from my perspective, a good example is Metabase. Metabase is an open source project that gives you dashboards to aggregate data, usually business data, and you can self-host it.
E
So if there is a critical security vulnerability in Metabase, all these hosted instances are exposed, but at the same time scanners are not so good at finding the Clojure dependency file. So if you have at least a link, you know that there is something that is not usual, and if you're a human, you start to understand why there is this file that is not found by the scanner, or, I mean, you are a human.
E
If the scanner fails, you start to investigate the log. So there is, even if Security Insights can be scanned by a scanner, you cannot have something that doesn't require human action. I mean, Security Insights can help you to reduce the human action, and this is the automation, but at the same time connect the human to find information that can be missed, and this is why we need it. Yep.
C
Cool. I want to give a quick update on Disclosure Check. I'm gonna try to get this on PyPI, actually, this week. Right now there's a wheel file and a tar file on the GitHub repo that you can just pip install filename, and it'll bring down the dependencies and do the thing. The output's in the doc, so I changed it up a little bit.
C
It's substantively kind of the same. So it looks for... it starts out at a package URL, looks for authors, maintainers, email addresses linked from README, from SECURITY.md and similar files.
C
It traces down to GitHub, does what it can there, looks for Tidelift, private vulnerability disclosures. I think next on my list was to add deps.dev because they have a nice API now, and all this is available in JSON too. So it's pretty, if you want pretty, or JSON, if you want JSON.
C
GitHub would resolve, yes. I don't know that I respect the precedence of it, but I do look at the .github in the root, in the org level, for a SECURITY.md, but I'm not using the API. I am looking for magic file names in the infinity. I think, does the GitHub API include, like, what your security policy file is named, or does it just assume that it's, you know...
C
The private vulnerability reporting, I literally, like, scrape the page and look for the new vulnerability report button, because that was the only way I could think of getting it without an API saying this is enabled or not. Oh, that's...
C
What's up, that's it. If this is useful, that's great! If not, please let me know. If it's missing things, please let me know. Next couple weeks we'll get this... I'll formally ask to move this over to OpenSSF.
C
What I got there. Anything else anyone would like to talk about?
G
Yeah, Adrian did that this morning. He said, do you hear that? He had about a half full room, but the room was kind of large, so that's a win for him. He said it went pretty well, a lot of questions at the end of it too, which was good.
G
S2C2F was talked about a lot during KubeCon, apparently, so we got some cleaning up of our repos and our stuff to do, because they mentioned a few things that we kind of dropped the ball on a little bit in our efforts to move quick, right?
G
So it's like, slow down a little bit and clean some stuff up. Outside of that, though, the word's getting out, people are talking about it, and here shortly we should get a lot more people coming into the meetings and contributing, and maybe getting that maintainers list to grow a little bit, which is what we want to do. Yeah, things are moving right along with that as well.
C
Very cool. Is anybody planning to be at OpenSSF Day in Vancouver in two weeks? I'll...
C
I'm gonna cancel it, in which case we'll be back in a month.
B
If you want to come talk about automated fixing vulnerabilities at scale, and one of the use cases for this file that we've all been discussing in this call for the past hour is, I actually want to parse... I want to encourage people to put this file in their repositories if they want to opt out of automated vulnerability fixing, and so I want to have this file done so that I can tell people.