From YouTube: OpenSSF Identifying Security Threats WG (July 20, 2022)
A
Hi folks, welcome. We'll just wait a few minutes to get started. If you are not already in the work group meeting notes, meeting minutes, feel free to add yourself in, and if you have anything that you'd like to talk about, feel free to add them in the response.
B
Hi, Michael, I have one note. I would like to cover the office hours in the first 30 minutes of, okay.
B
C
A
All right, terrific. Everybody, welcome to the July 20th Identifying Security Threats working group meeting. I will be your host. If you, as I said, if you haven't already put your name in the minutes, feel free to do so.
A
D
Hi, this is Manjunat from Vpro. I work in India, Bangalore. I work on artificial intelligence technologies and a little bit of homomorphic encryption security. I'm looking for the opportunities how we can contribute for securities in terms of artificial intelligence. That's why I'm participating in this meeting.
A
Awesome, awesome, welcome, and I'm sorry about the time zone, one of the things we're going to chat about.
A
E
Yeah, I'm John. I was here probably about a year ago and I'm with Intel, so I do some like supply chain security stuff there and various open source work. On the front of the AI involvement, it's funny that somebody said that, but we're working on sort of this developer assistant, developer helper called Alice, so that, you know, the Alice and Bob sort of thing, and the goal will be to go around and try to like proactively deliver best practices to people.
E
E
I don't know if anybody has heard of the InnerSource patterns, but it's a community of folks who are trying to apply open source practices to internal development, and so we sort of have an open source community and we're trying to do the inner stuff internally and the open source stuff externally, and a lot of this work revolves around analyzing Git repos and stuff, and so we had talked last time.
E
I was here about the metrics, and so, you know, I'm here again. It was unfortunately out of scope for me, so I had to get out of the working group, but now I'm back, and so I'm hoping we can work together, and I'm really excited about some of the stuff that I saw with, you know, the stuff that's happening here and the way that we could bridge that with the Omega Alpha stuff that I saw you had recently done, Mike, and then maybe look at things like SCITT,
E
that architecture for secure supply chain that I believe there's a working group out of that I saw that was related to that, and I wanted to bring that up today, talk a little bit about that and, you know, ways that we could kind of connect a few of these initiatives.
A
Terrific, awesome, welcome back, thanks. Anybody else?
A
Cool, okay, so we'll start with project updates. Office hours: Marta, floor is yours.
B
Thanks. So what is office hours is the project we are starting right now to provide the opportunity for open source maintainers to have a place they can come and ask the security-related questions to experts and hopefully get some answers and have them happy and improving security of their projects, right?
B
So there have been already some discussions in this group, in the best practices group, and I wrote down a link to the discussions in document. I've posted into the meeting notes and I worked on the logistics, so dates, times, how we do it. So I was looking at the calendars, at the time zone conversion, of how we can set up meetings so that it works for different audiences, so put the proposal with the, of course, there's no time zone that works for everyone.
B
You know that, so what I propose, in short, to summarize what they propose right now, is that we run first two sessions at the end of August.
B
Then we do a short break because the celebrity holiday in the U.S., then we have the Open Source Summit Europe, so people will be busy during those two weeks, and then do two other sessions in the second part of September. So we have four sessions. After four sessions, we can look at what we have done, how it worked and how we can adjust and how we go forward.
B
Then, on the planning side, also timing, I looked at the possible time zones between how to cover Asia and how, and I'm proposing two different time slots, so like we have two calls and two calls we can use. You can do one in one time zone and the other in the other time zone. My big open question here will be: will we be good, well staffed in both of those, because it won't be convenient for everyone? So to feel, I already collected feedback right now.
B
If you can note that within minutes, chat me on Slack or whatever, what will be the possibilities for those dates, and I will be also, I'm also pinging all people who have shown interest in the past to make sure I have clear answers from them, and then the other.
B
The other important topic that came up in the discussions is which format do we do. So there was a discussion between allowing everyone to come in and ask their questions or doing the registrations, allowing them to ask which subject they want to talk about, and the second one has more support right now. It has some advantages. It allows us to prepare on the time, we can limit the number of people within host.
B
We can prepare on the experts, we can grab the right people, and we can also think a little bit on how we can answer. Maybe you can group the questions, as we do not know how that's going to happen. We can prepare in our case. So I think that's what would be the, at least, the best choice for the first two sessions to see this way, and maybe then we can experiment a little solution.
B
So I'm looking for feedback for that too, what opinions are, and I'm reaching out to the Linux Foundation team for the actual logistics, so the organization of Zoom rooms or the registration and how we can communicate, all those things that need to be done. So what I would like to do is to have the registration and first communication somewhat at the beginning of August, so the people have like two, three weeks to register, and then we do those sessions, and yeah.
A
That all sounds great, yes to all of it. What might be helpful, just recommendation: just do it like a Doodle poll to OpenSSF members, like give these slots and say, can you make any of these, and that way you just.
A
B
Just got that after sending to Jory and got that email. That's the amazing all the people to come back to him.
A
F
A
We may want to do a blog, in addition to kind of Twitter, for the outreach. They're gonna blog out on, like, the fourth or fifth saying, hey, this is coming, click here to register and stuff, and then have the Twitter point back to the blog, and that way we kind of capture that.
A
Cool, there's nothing else on that topic, we'll kind of move on.
A
Okay, so, let's see, so next up I had on the agenda was meeting time update. So we've been doing this at 10 a.m. Pacific every other week for, I don't know, a year or so, maybe a little bit longer, and we used to, sorry, let me close my videos like, oh, I don't know.
A
We used to have it, I think we had, before that we had more like two time slots and we alternated to try to make it less bad for our folks in Europe and Asia. What's everybody's thoughts? I mean, if practically everyone, if this time slot is great for almost everyone and moving it would make it terrible for most people, like I want to like minimize the badness, but if folks have thoughts. I think most of the other working groups are morning.
A
A
Is, I'm happy to find a time slot that works better, or we could do the flip alternate again and do once a month this time, and once a month at, like, you know, six hours from now.
A
How about this. I will, if you have thoughts, obviously you can say them now, throw them in the doc under the meeting time update, or I'll send out a Doodle poll with options and then just choose whichever option is the most taken, whatever that is.
F
Yeah, one thought, Michael, that we're floating around in Securing Critical Projects is potentially alternating. So doing, you know, one of the sessions in the month during our normal time that we've been having it and then the next one being like an APAC-friendly time zone. I think we're aiming for, I think, four p.m. my time, so that would be, I think, 2 p.m. Central.
F
A
A
Cool, all right, so.
A
See, next topic, TAC update? Okay, so for those of you who, some of you may know, probably most of you don't, the Technical Advisory Committee is responsible for kind of the overall technical direction of OpenSSF and kind of understanding left to right kind of what we're working on and making sure that we are delivering the promise that we've, you know, kind of made.
A
Part of that is visibility and transparency into the work that we do, which I think all the working groups, you know, they provide some information to the TAC, but not complete information, and we don't have like a formal reporting process. Well, we do now, and that formal reporting process is a periodic.
A
We are invited, I'm invited, and you folks are invited to come too if you'd like, to the TAC meeting to just kind of, I'm just gonna do a deck and it'll be probably one slide per project, and it'll be: this is what we're doing, this is why we're doing it, and this is the status, and it gives them the, it's mostly an inform, to be clear.
A
It's not really asking permission. There's some negotiation, like if they think what we're doing is really awful, like they will push back and we will iron that out. But this is not, this isn't, you know, we're not explicitly asking for approval for anything, and then that's also good, because we're probably due for an OpenSSF public town hall, which we would want to use that opportunity to kind of articulate the things that we've done.
A
So what I think I'm going to ask for is everyone who is driving a project or a process or, if you're driving a thing, I would very much appreciate a single slide. You could do two if you want, but I think we'll be kind of time constrained on what it is, so I'll send out like a template, just so they kind of look the same, but it'll basically be like: what is it?
A
Why we're doing it, what the status is, and if you need anything, basically, or like what's coming next or something like that. So I'm imagining, you know, Amir for security reviews, Christine for metrics, Marta for office hours, I'll do one on Alpha Omega, even though that's kind of separate, and we're just going to go from there, and oh, and Luigi, up, upping, is Luigi on the call? No. Upping Luigi for Security Insights.
A
I'll send out a template and post it in Slack and whatnot, so you guys can get to it. Any questions there?
A
Okay, project updates. Luigi's not here, so we'll say Christine, any updates on metrics?
C
Yes, I need to catch up with the folks from last week, because I missed the meeting, but I know from one of the previous meetings there's a couple of action items. One was to just get it on the, link up with Jory to get it on the calendar so that it would be on OpenSSF, and the other question was more to bring this to this group. I've.
C
Some of the other working groups, that there have been like those working groups adopted a particular stream from the mobilization plan, and the thing that I was curious about is for the metrics project, is it, or is this group like adopting, or like the stream, one of the streams, specifically the one related to, I would say it would be like the stream two, or is it like, what is kind of the thoughts around that?
A
That's a good one. I don't know. The way I've internalized this is like the mobilization breakdown is like one list, and the working groups is a completely different list, like generated completely independently. So there's like weird overlaps between the two. I don't feel any like need for the metrics work to like live under this working group. I think it does, it should live under a working group. So if best practices is the better one, great.
A
If it's this one, great, so I don't know if there have been other conversations where, I guess Crow has an opinion here. I like whatever works. I've just kind of, as long as the work gets done, I guess is.
A
It's all good. I also think that we, as an organization, OpenSSF, would benefit by being less siloed, so having more projects that consume expertise from different working groups, that's better, that just creates more connective tissue. So.
C
A
True, I mean, it probably is effectively the other thing, which is a little awkward. I guess the way that the metric stuff was described in the mobilization paper was very much LFX specific and we.
G
A
Not moved in any meaningful way toward LFX, it's excepting like with you and Jay and Venad kind of exploring that. So it's not like we've done a lot of work and it's just like pent up, like work to get out. We've talked about it and thought about it a little bit, but that's about it, so short answer: whatever you want.
A
E
Yeah, I had also looked at those stream docs and I had talked to CRob about which ones I thought were aligned. I unfortunately, Outlook deletes my emails after three months, so he might still have the email, but I was thinking as well it would probably make sense for us to try to understand what streams this is aligned with, right?
A
Yeah, yeah, I think any alignment is good. When we talk to TAC next week, we can actually raise that with them, since they'll have that, and we can ask their opinion, say: hey, TAC.
A
C
C
So since I missed the last metrics project. I
C
A
Terrific. Anything else from your end, Christine? No, nothing, nothing for me. Okay, perfect! Moving on: Alpha Omega. So I think a few of you were on the Alpha Omega public meeting call earlier today. If not, the recording of that will be on YouTube.
A
Okay, so, well converted to the public meeting, welcome, updates, and we had probably a good 40 minutes of discussion, or maybe half hour of discussion point. So we are still hiring, the links to the job descriptions are out there, we're exploring other ways of funding the position, or not funding, of finding somebody other than direct hiring, just because the market is quite tough to fill these roles. Either way, though, we're still looking.
A
For Alpha, you guys know, we announced Node a couple months ago, we announced Python and Eclipse in Austin last month. We have not signed the paperwork there, but we are rapidly approaching that, so we'll start getting updates from them probably in September. All those progress reports will just get PR'ed into the Alpha Omega repo.
A
For Omega, the tool chain is still pending, and I'm feeling increasingly bad about this, but it is waiting for kind of legal approval due to the way that the license for CodeQL works. That said, we've had a little bit of success so far. So we had a CVE in Node that got fixed earlier this month. We had an RCE in a build script for JSHint that was deleted. The build script wasn't actively used, so they just removed it.
A
We've got two, and it's actually, well, two CVEs that we're just kind of waiting publication, and actually it's two more that we disclosed yesterday to the maintainers. So you should know back in a couple weeks on what those look like.
A
We also put together, the way that we found the Node.js vulnerability was system call tracing, and we noticed that when Node started up, it tried to read from a file in the home io.js directory, an OpenSSL config file, and it didn't find it because I don't have that user in the environment that I was testing on, but we thought that perhaps that pattern exists someplace else, so we're now running every Ubuntu package.
A
Sorry, every binary from every Ubuntu package through effectively a scaled-down version of the tool chain and dumping the strace logs to a repo. So now you have kind of a one-stop shop of: show me every Linux package that, when a binary starts, it does a DNS query or things like that.
A
So it's kind of interesting, or at least we think it's interesting, so if it doesn't actually provide value in the end, no harm no foul, but I have a feeling that we'll find some interesting things with that.
A
We also absorbed sos.dev into Alpha Omega. I don't say absorbed, but we are partnering closely with them and they will be under the Alpha Omega umbrella. This allows us to directly reward individual developers for fixing security bugs and improving security for the long tail of open source, so forth.
A
This was funded by Google, but I think it's administered technically through the Linux Foundation, and we're looking to see how we can advance this and move this forward and expand it and make it as useful as it can be. So if you have thoughts on this, we are all ears.
A
And then there's a call for like how to participate, which is, as an individual, sos.dev is a good way. Improving security tools is a good way, and then just generally being on the Slack channel and then chiming in and joining the working groups.
D
A
A
No, it is opt, so, if you go to sos.dev, there is an FAQ and it describes, and it could be a little bit clearer, but effectively, if you think that, I know, pick your favorite project. If you see that that project is like, it doesn't have branch protection enabled, maybe that's a good one, because only a maintainer could enable that. It's, you run a tool, you find a couple security issues, you report it, they fix it.
A
A
F
All right, yeah, the repo is looking good. I'm updating all of the ones that we at OSTIF just published this week and last. We published four new audits in the last two weeks, so going through and just updating that into the repo, and yeah.
F
I'm excited to give this update to the TAC, because I think one great metric that we can use is, you know, we started with zero and now I think we're, I think, almost at 100 reviews in there, just both from us and from you, Michael, from the work you did with Omega, and just the community in general uploading stuff in there.
F
So we'll be able to highlight that, you know, the repo's gaining traction, we're getting new stuff in there all the time, and yeah, again, any other contributions are more than welcome.
F
I might need some help again with some of that kind of automated testing that gets done when we try to upload reviews. I know Dylan helped a lot with that last time, but for all, the repo is looking good. It's constantly being updated, and yeah, any feedback is always welcome, but yeah, we're just uploading as new stuff comes out.
E
Yeah, you know, if nobody has anything else I'd like to. I know it sounds like the metrics have split off into a separate thing, so sorry if this is the wrong forum, but it sounds like the Omega Alpha stuff also relates to some of this data capturing, and, you know, like that's why I mentioned that.
E
You know, this is where I kind of wanted to try to see if we could connect some thoughts here, but, you know, yeah, last time I was here we talked about, you know, how do we insert data into the shared metric DB, and I've been, you know, watching the space while I didn't have official scope to get involved, and it looks like, you know, there's several things that have been evolving in the area, including this.
E
This SCITT architecture, which looks to be something along the lines of, you know, a standardized way that we can go about viewing the provenance information involved with our software supply chain, and so, you know, as a part of, you know, this collection of metrics and stuff, you know, the source side of things, you know, becomes part of that provenance information as we want to get more, the deeper you get, right? We need to, we're starting to know what that source code.
E
That's part of the problem, so I'd like to see if maybe we could, you know, all come to an agreement on, you know, how are we gonna collaboratively, you know, how do we contribute to this database, right, you know, whatever that is, and, you know, is something like this. I noticed Azure has this Confidential Ledger, which has this public/private option, and with stream eight there's this, you know, there's this concern about vulnerability sharing and keeping some of that stuff embargoed, and so this looked like.
E
A
SCITT is basically a schema and rules on how one would assert facts.
A
Whether it's confidential compute or just traditional, like, permissions, like, I think that's kind of implementation details. I think the, but, where we're, so, you've got metrics, which is like, you know, a tool ran against GitHub and saw that you had like 30 different contributors and opinion and says 30 different contributors is a good amount. So you get a gold star for that, and then there's the I, as a consumer.
A
A
You know all that, so I think you could imagine a world where things like Scorecard or any other tool, static analysis tools, any kind of tool that analyzes a thing and then states something, that statement is expressed as a SCITT assertion and uploaded to some either distributed or centralized, exactly, and then you go and you query that store and say, tell me everything you know about, you know, exactly who, and you get that back. Exactly.
E
I just ask, what is SCITT? Sorry for interrupting, just understand the link in there in the chat, but Michael.
A
Yeah, so SCITT is supply chain and I think it was.
A
E
I mean, this is probably like a future, you know, probably like a, you know, in the future thing, because I think they haven't landed all the components and they're still in draft phase, but, you know, I just wanted to raise this now because, as this evolves, it's only going to get more complex and we're going to have to deal with this data provenance thing, and so, you know, maybe just like we do whatever we're doing now, but maybe we just sort of start thinking about it.
A
I mean, so Christine, Vernad, you know, I'll certainly defer to you if you guys have thought about this or have intentionally not thought about it. My own take on this is that until we have an implementation that's like downloadable and usable and cross-cloud, because if it's Azure only, I think it's a non-starter for.
A
You know, so once it's at least beta, let's kind of explore what that would look like, and it may be as simple as taking the facts that are created by whatever tool is.
E
Dumping that in, because I was like, yeah, because right now, you know, everything is, we're all looking at, you know, recording the transparency logs and stuff like that, and, you know, that's great stuff, and I think that that's probably like, you know, what we'll do for provenance right now, at least with Intel, right, and the open source side of it.
E
But, you know, this is really looking at like, okay, you know, okay, so data insertion, arbitrary place, wherever, right, provenance, probably record right now, and then, you know, in the future, probably bridge over to this new space. If that, it sounds like this is something that you all are, you know, it seems like it fits in the umbrella of this area, right, so at least from my perspective, that's my project, my trajectory now, and I'll try to, you know, stay in touch with you all on that.
G
H
E
I just found it. I just found it like yesterday when I saw this whole, the DID recommendation became official, and, you know, I was just trying to make sure that, I always try to look out there what other people are doing, because, you know, everybody's doing great work, and I don't want to duplicate anything. So if they've got that down, then, you know, I want to run with that. If we all agree, that's going to trade, so yep.
C
A
Looks like you guys might get some time back, there's nothing else.
A
Everybody have a great rest of your week. Thank you for joining. I appreciate you being here, and we'll sync back again in about two weeks, and sorry, and for those who have a project, expect an email from me with the request for a slide. By Monday would be terrific. So thank you. Bye. Everybody, thanks.