A: Let's get started. Welcome, everybody, to the August 17th Identifying Security Threats Working Group meeting. I will be your host. If there's anybody, Dan, I'm sure, if you attended one of these before. If so, you're welcome to introduce yourself. I think everybody else.
B: Yeah, I haven't attended before. I'm new. I mean, I've been aware of the organization for a while. I'm new, a new person at Snyk, leading open source and open standards strategy.
B: So you're gonna see me, I think, a bit on these work streams, and right now I'm just kind of attending as many as I can. I don't know if I'm going to be a regular participant in everything; I'm probably not, because I only have so many hours in the day, but I'm just kind of trying to absorb enough about what's going on across the OpenSSF. Yeah, terrific.
A: Okay, awesome. So I guess the first thing I wanted to do is just, there's a Doodle poll. If you haven't filled out the Doodle poll, please try to do that today. It'll take you two minutes, maybe three. This is to find a Europe/APAC friendly time to do one of these. So I'm thinking it will probably be late evening Pacific time or late, late evening Pacific time; either way we'll switch on and off. So we'll continue
A: this meeting slot once a month, and the other slot would be this other time. So if you won't be able... it's not a popularity contest, the voting for the time. It's like what you could actually attend. So if you can't attend any of them, just don't mark any of them, and I'll just try to find the best time that the most folks would be able to attend and do it there.
A: If it turns out that, you know, there's only one or two people that could do those, we'll reevaluate and think, because we don't want to lose momentum on the stuff that we do by only being able to effectively meet once a month.
A: So that is that. So I have one new topic. I want to make sure there's a bunch of time for project updates, but if there's anything else that you folks would like to talk about, feel free to add that to the agenda, and we can make sure we get to everything. We'll just talk fast.
A: Nice, okay. So this is a proposal; this is not set in stone. This is basically the first time that anybody's seeing this, so I'd love to get your open thoughts and critiques. Tell me this is terrible, tell me this is great, whatever you feel. The purpose of what I'm going to describe is basically: I want to pitch putting together an open source, essentially a monitoring and alerting system for the open source ecosystem, outside of any particular ecosystem.
A: So this isn't just Python or just npm or just anything else; it would be monitoring the system as a whole, and it would allow us to get an early signal when, let's say, malware, backdoors, other kinds of just bad things are starting to happen. Now,
A: I'm sure that these things exist already out there by, you know, Sonatype and Snyk, and we have one that my team uses, which is actually the implementation that I'm proposing we just donate, but I'm not aware of anything that's kind of out in the open or owned by OpenSSF or a similar org. I could be wrong there, in which case I'd like to learn from the... So
A: you know, the results of this thing once it's built is, you know, an alert saying: hey, we see a malicious package has been detected. It's in this package. Do you want to investigate it? Do you want to report it? Do you want to ask the ecosystem to just block it or delete it or whatever? And it would allow a team of, let's say, incident responders to get access to this data and do interesting things with it. But feel free to stop me anytime
A: if you have questions. So I called it Assimilation because it seems like a fun name. It is essentially a SIEM. I'm not even sure that "incident and event management" is right, that those are actually the words the SIEM acronym stands for, but we'll fix that if it's wrong. But it's aimed at identifying anomalies, backdoors, anything bad within the open source ecosystem, and it turns it into alerts. So this is an example of one. This was already deleted, but the npm package "hey there".
A: The description clearly says that it's a security research thing, like, don't install it. So the way that this would actually work, at a super high level, is: you've got the whole open source ecosystem out there. You've got event processors that listen for things, so, like, a new package is published, or, I mean, in theory you could go down to the repo level and a commit is made.
A: Those things are dumped and minimally processed into some sort of a structured log. Queries are run against that log, potential incidents are created, and depending on their confidence and other, you know, quality, I guess, of that result, we'd either automate a response, meaning, you know, send a note right back to npm or PyPI or RubyGems or whoever, or have a human in the loop, and the human would be this kind of incident responder persona.
A: The implementation is not super interesting, but right now it's just serverless stuff. So we use the libraries.io API. When a new package is published, we pull out some metadata, do a couple of queries, and then dump the stuff into this log.
A: We watch things like, you know... so it's not just open source packages. So imagine, like, when you install Rust, the official way to install Rust is to do, like, curl rustup pipe sh. That's interesting! That's kind of a... not a naughty, not an awesome pattern, but it's prevalent.
A: So we had the idea of, let's just watch these URLs to see when they change, particularly after the Codecov incident from, was it last year or the year before, sometime in the past, like, two years, the Codecov incident where the popular curl-bash script got compromised.
A: You know, that was where this idea kind of came from, of just watching them, and there aren't too many; there's, like, a couple hundred and they don't change super often. And then we could do other things like actually install the package in a detonation chamber and watch system calls and dump those. They're intended to be lightweight. Most of the logic should be within the query, so we can change it after the fact.
A: The structured logs are really just a log, and there's a property bag with, like, other things. So it's something! It's not awesome, but it's something. We use Azure Sentinel to do the monitoring. Other things are possible, but it does have some nice integrations. So we can kick off whatever may be the response from there.
A: You know, folks that are incident responders in their day job for their organizations who are part of OpenSSF take on a role to respond to these things. What we don't want to do, and I don't think we can do, is make the whole thing public, because these are almost by definition zero-days. So these folks would be responsible for receiving the alerts that aren't automated, taking appropriate action, and kind of an engineer to make the automation more magical over time.
A: A second scenario, which might actually just be simpler, is just to hire folks. I think we could probably do this with contractor work for the first six months, to be that incident responder, be the engineer to do this. In that case there's no question of, like, sharing zero-days and things like that, and we just kind of try it for six months and see. So, kind of minimal cost, see if this thing happens, and maybe there's something that I'm not thinking about.
A: So the next steps, what I was planning, is actually talking to this working group, talking to the OSS CERT work stream, because this does feel like an incident response thing, and getting this in front of the TAC.
A: We have a hackathon at Microsoft on September 19th, so I'm planning on putting some cycles into this either way for that. We also have OpenSSF Day the week before, so I don't know if that timeline... that timeline might just be too aggressive to do anything with, but I want to get this out and see what.
C: I thought it was a great presentation, Michael. One concern that I do have is that you do seem very Azure-based, which I know is not a problem for me, but I know that certain people in OpenSSF have, you know, there's that whole vendor-agnostic part to it. So I think that might be something that might have to be thought of down the line, if it's going to be an OpenSSF project, so yep.
A: Totally agree. The actual logic to do this stuff is, I mean, the functions themselves are .NET, so you could run them, you could do them anywhere. The queries are, like, just readable, so to port those over to something else is super uninteresting. Like, there's nothing so tied to Azure that I would feel like, if someone said "hey, you need to make this work on AWS too," I'd say, okay, I mean, we'd have to, but yeah, no, totally.
A: The only other reason why Azure is probably the easier path is because OpenSSF already has Azure cred. I think we have 50 grand in Azure credits. So it's slightly easier.
A: It's just code; it should work anywhere. There's no... it's not a big service-bound thing.
A: I get it. Well, so I just heard .NET, that .NET 6 is in 22.04.
D: Feedback: I like the idea as well. I know that there are some very similar efforts that I think are currently being developed. I think one is potentially... I can't remember which organization it was; it was either Google or AWS that I think they were talking about, kind of basically setting up a red team, basically to go out and make some of these fixes and stuff.
D: So if there's any parallels there. And then it seems like hiring is really difficult, especially in the security space. You know, it's very in-demand skills and there aren't a ton of people who have them. So I would maybe bake in a little bit of time for, you know, if there is going to be hiring, just to go through that process and to find the right person, yeah.
A: I mean, if we can get agreement to just, you know, put, I don't know, a tenth of a person from, you know, pick three or four organizations that already have incident responders, and have all that, that can just be that triage... that might be the easiest path to getting something.
E: I have a question. First-time caller, long-time... favorite. Daisy Hertz from Ion Channel, and we do a lot of software supply chain assurance in the federal space and critical infrastructure. And so I guess I'm trying to wrap my head around the concept of operations.

E: Is it that there's kind of an enhanced skillful...

E: You know, sort of tooling plus people to identify threats, and then these are remediated kind of on the package manager level or wherever they live, kind of quietly. Is that the idea?
A: Yeah, so the vast majority... So maybe I should draw a distinction. We're not looking for Log4j-style vulnerabilities. We would be looking for, and there were a bunch from PyPI in the news, I think it was last week, you know, either a compromised package or a new package that started out malicious and that's all it ever was, but it's got a tricky name, or it has this, or it's linked, or somehow it's doing bad things.
A: So a lot of those can just be kind of evaporated out of the ecosystem, because no one was using them anyway to begin with, and there's no... it's not like you have to reset the author's account; like, the author themselves was the threat. So the ecosystems are pretty good at kind of making those go away; they just have to know about them. Obviously the ones where it's a normal maintainer whose account gets compromised and then a new package gets published with bad stuff in it,
A: that's probably a slightly different workflow, where it's a combination of the ecosystem. You know.
A: Yes, so that's a good question. I don't have a great answer, because I don't think the ecosystem does that today, to be frank. Like, when we report these types of things to ecosystems, the packages disappear and I've almost never seen a report out. Sometimes npm will do, like, a security holding package, but a lot of times these things are done scripted at scale, so there'll be a thousand packages, each with, you know, kind of words from the dictionary chosen.
A: They all get... they're all gone, and then there's really no notification out. That could be a problem if you're mirroring, or if, you know.
E: And so you don't necessarily want people stuck in this position where they have malicious packages that have fallen down the memory hole with no notification.
B: Sorry, possibly an uninformed question. I know there is no such thing as stupid questions, but there might be uninformed questions still. You mentioned in your description of this system that it's periodically going through and evaluating projects based on some rules, which, I guess, are part of the queries, part of your box here. Where are those rules defined? Are they defined in a common format? Is that something that could be, like, a common resource? So yeah, what are the criteria?
B: I'm just trying to think, like, when I compare that to the criticality score, for instance, which I know is a totally different thing, like, that's a published metric: what are the kind of things that we're looking for here, and, you know, can that be public? Can that be a common resource that we're all inputting into or that we all have visibility on?
A: In some ways it's an AV game. So while part of me says it's better for it all to be public so that we can all build off it and make it better, another part says: if you specify the exact rules of what we're looking for, it'll be easier for folks to avoid that, and then it's just cat and mouse from then on out.
A: I mean, having a closer circle of more trusted entities that those rules are shared with is also interesting, but it doesn't fit super well with the openness that OpenSSF is behind, so I don't know if that would work either. We should think about how to share those rules. A lot of them are going to be a lot less interesting than you might think, but they do tend to find stuff.
E: I have a question as well. Some of what we are looking at has to do with multi-library malware.

E: So, you know, you have one package which is a dropper. You have something else that does something else. You have configuration of malware between four and seven libraries, kind of in real time.
A: I'm cleaning the pool, you know, yeah, like a filter. But I think for things like that, at some point you get sophisticated enough that whatever tools we build are not going to find it, yeah.
A: You know, but for the ones that are, I guess, more complicated than just the very basic stuff that we see, but not yet, you know, like actually exploiting, you know, next-gen kind of stuff: running this, like installing and trying to use the package in some sort of a detonation chamber and watching to see what happens. So, oh, you know, you've installed, ooh, and it downloads a thing and all of a sudden you have new processes running, like, that's weird. Without ascribing that to malware, you can just say it's weird.
C: Just to let you know, OpenSSF is organizing their own incident response team; we met yesterday. I think you can talk to Vicki if you want to talk to them about it. Going to JC's first question: if this were to be used by OpenSSF and our response team, I think you could almost say that we've already established guidelines on how it would be reported and what procedure that would take, so yeah. Just, oh.
A: Yeah, I missed it. I thought it was six. I think it was 6 a.m. I thought it was nine. It was, whatever, time zones are hard. Yeah, I'll join next time, and.
C: And also, Michael, because this also ties into our incident response over there: if you do want to try to present to the Gentoo security team, you can. They're kind of a storage security team that has a lot of important people, important Linux developers.
C: But I think it would be a good perspective, because they are very resilient, and a lot of times they do a lot of great things. Like, you have a lot of really famous people, like the guy that I kind of mentor around is Jason Donenfeld from WireGuard, the guy that created WireGuard, yeah. You know, so.
A: That would be awesome. I'd be very happy to do that, and really, actually, just to learn from the Gentoo perspective, you know, kind of representing, like, a big slice of the Linux-ish, like non-npm, NuGet, RubyGems, PyPIs of the world, how something like this correlates over there. Like, are they... because we hear about compromised packages in npm and PyPI all the time.
C: What actually normally happens, at least from a Gentoo...? It really depends on how you look at it, right, because, for example, there's a large group of people that think that Debian is the worst, because Debian will go out and modify packages if they feel like there are security issues or it doesn't agree with their Debian-ness.
C: Go ahead and, you know, modify things, so definitely it's one of those things. But yeah, like, I would definitely say that it really depends on who you look at, you know, because then you have, like, Arch that'll just upstream everything, including the security issues, because that's your problem, not theirs, you know, and then you have Gentoo.
C: That kind of really walks this fine line. The real cool thing about Gentoo, and why we use it for a lot of security stuff, and kind of the security distro, is because we can patch things, because we build all the packages from source. We're the only distro that does that. So you can patch things on the fly, like:
C: If you go to any PR on GitHub and you just add .patch, you can get the patch version, and then just drop it in your patches folder and then recompile your package and it's patched. So yeah, like, Portage is a very powerful tool in this regard, and we also have pkgcore, because, obviously, we couldn't ever agree on one package manager. So we have three. Good, well, at least it's only...
C: Yeah, but it really depends. And, you know, like, Red Hat also does a very good job of taking care of a lot of stuff upstream with their security team. We work with them a lot. But it really depends on, like, where you are in the argument, really, right, which is, I guess, one of the things that you should be aware of also, because I think a lot of people do depend on their package managers to keep them safe, even though we tell them not to, like.
A: Yeah, but the thing is, between Homebrew and, oh, the other one that I've mentioned, or, I don't know, on Windows, Chocolatey, winget, like all these ones that, you know, it's just a really easy way of installing a package that you know nothing about.
A: Yeah, yeah, cool, okay. I didn't want to take up the whole meeting with this. Any last comments? I think what I'll probably do is... so I will definitely reach out to Vicki, take a look at the doc that you sent, Randall, and we'll kind of keep socializing it. Certainly, if we can just be the front end and leverage an existing response process, that's even better, and all that, and we'll make it all happen. So, more to come.
A: It is linked in the meeting notes. Please don't share broadly, you know, I mean, obviously this meeting is being recorded, so if you're seeing it, you're welcome to look at it, but don't treat it as, like, officially signed off or like a plan or anything. It's just thoughts in a slide deck form.
A: Cool, terrific. Let's see, where are we now? So do we want to talk about... Oh, I had one other thing that I wanted to chat about in this. This isn't a demo or anything, but I had the thought of, like, so part of what I and some others on my team do
A: is we do security reviews of open source. So we'll crack open a package, we'll look through it, we'll see what we think, and we'll either find vulnerabilities or not. Sometimes we'll write up a formal review, sometimes we'll make that review public, but the actual process that we use to do that review, you know, we kind of realize is this kind of magical thing that we've each built up independently over time. It's not super structured.
A: It's not super methodical, but we do tend to, you know, focus on different things, and perhaps recording, doing, like, a video recording, kind of a narration, stream of consciousness,
A: of someone looking through, you know, a project and being like, what are you looking for? Oh, this is a magic string. This looks weird; why do they have this here? Like, that kind of thing, and then running tools and triaging results and stuff, might be just interesting in an educational, instructive kind of knowledge sharing among the community.
A: So we're going to think about just doing a couple of these, just to try it out and get feedback and stuff, but I wanted to just throw that out there in case anyone else would be interested in doing one of these, I mean.
A: We could totally do that. You know, I think it came up on... there's a Twitter thread on it and, you know, the question of, like, oh, could you just livestream it, do it on Twitch and livestream it? I don't really feel comfortable livestreaming it, because if we find something, and now it's too late. So we'll record it, and then if we find issues, then we will get them resolved and then we will publish it. If we don't find anything, then we can just publish immediately, but.
A: Thank you, and we could try it. You know, do it a couple times, and if it flops, then it plops, and, you know, no harm, no foul. Okay, so, project updates. We have about 20 minutes left. So, Marta, are you still...
A: No, okay. So Marta gave, let's see: first session postponed to September. Only three people confirmed as experts, so a new planning questionnaire really soon. So please fill out the questionnaire. This is just to level-set everybody: this is to run office hours, I think once a month or twice a month, to invite open source maintainers to come and ask questions and get help, get, like, you know, actual help with anything related to security that they have.
A: So in order to do that, we need folks to be able to be at those office hours to help. So once that questionnaire for timing goes out from Marta, we'll, you know, amplify that in the general Slack channel and whatnot and try to get some folks signed up. It'll probably be, you know, I think what you'd be signing up for is, like, two or three hour-long sessions over the next couple months.
D: No, nothing new. I do have a quick session with Dylan planned after our meeting to take care of that thing we spoke about at the last work group meeting, the select 2, and just kind of cleaning up the repo a little bit. But besides that, no significant updates.
A: I did have something on Security Insights, actually. So a question came up about... this is OneFuzz or OSS-Fuzz, but there was a request to add support into Scorecard to detect that fuzzing occurs when you have this kind of, you know, a dot file that, I think it's .onefuzz or .oss-fuzz, in the root of a repo, and the comment that I had was, like, hey, can we just include this in the Security Insights YAML spec?
A: So that way you don't have more dot files floating all around, which got me to: has Scorecard agreed to pick up, to read, Security Insights YAML files, or... kind of a chicken-and-egg problem on who goes first. So I'll pick it up with Luigi next time, but that was the only update I had for Security Insights.
A: Cool, and Metrics. A bunch of folks from Metrics, or any update you'd like to give?
B: Yeah, I know from the last meeting we had sort of tabled it, and we wanted to discuss in this meeting what sort of would be the next steps for that, and I know we're not on the line; I don't know if Jay was able to join.
B: His question was basically to kind of talk through a decision, and what the direction of the project... if the direction the project originally started with is still the one to go, or is there a different decision being made, for example, LFX tools? That's what we wanted to discuss during this.
F: Yeah, sorry, I was late and I missed the last couple of meetings also. Yeah, so, yeah, Michael, this is the situation, right, like we are a bit confused with the mobilization plans and all the things, and we feel like we don't know what exactly we need to do; has everything suddenly changed? Yeah, we need clarity on that one, right, yeah.
A: Okay, so the one thing that I don't think I can help with is the question: is OpenSSF strategically behind LFX being the metrics dashboard of the future, and is any work that we do outside of that, like, by definition, throwaway work, because strategically we're all going to be, you know, LFX is the way forward? And I would say,
A: like, without getting clarity on that, like, we have to take a risk of, like, a re..., you know. And I honestly don't think that question has been answered. So I don't think it's an answer that someone has, just to ask... you know, ask them about it. I would say there's probably more value in getting something useful sooner rather than later.
A: If LFX were chosen as the platform now, it would probably be a year before, you know, that dashboard would be publicly available and whatnot, because it's such an architectural, yeah, from my understanding, as opposed to something like just use deps.dev, or just get the current metrics dashboard refreshing daily, or something else that's much, much lower lift.
F: Yeah, I think that's a fair point, what you mentioned, right. The current form of LFX metrics is not a suitable replacement for the metrics dashboard we have. I mean, this is something we evaluated before; we didn't just evaluate LFX. We looked at deps.dev and other platforms available, similar platforms. So yeah, that's why we have this confusion, like, you know, what we need to do, maybe, like, as you mentioned here, irrespective of what is the strategic thing?
F: Maybe we just make, you know... we were thinking of different personas or use cases, or what a consumer of metrics.dev, sorry, metrics.openssf.org, will be expecting. So we were thinking from a consumer or end user's perspective, not necessarily from an org perspective. Like, you know, how we need to transfer this from one to another, but not considering who is the actual end user of this data and how they are going to benefit from it, right, like, if it is restricted data for limited maintenance.
A: Yeah, I did ping some folks to try to get connected with the deps.dev team at Google to see if we could, you know, think about everything from co-developing to just kind of partnering on making that platform, extending the deps.dev platform to include, you know, additional ecosystems. Right now it does not do GitHub or NuGet.
A: GitHub is probably the bigger one, but it also doesn't include things like the raw details of the Best Practices badge and things like that. So, you know, maybe there's an opportunity there, just to, yeah, add incrementally into that platform, and then that platform is the platform. And then, you know.
F: Yeah, we were discussing along the same line, right, like, we may not have a perfect platform at this point, but at least we can check with their plans and/or influence them to have similar capabilities, so that the consumers of metrics won't be unhappy, right. But I think one of those major data sources is Scorecard, and, you know, one of the additional ones that is available is vulnerability in the metrics, sorry, deps.dev, right, like.
F: So there is interesting data, and we were also considering what other potential data will be useful for different personas, right, like maybe a developer, a security person, you know, different kinds of use cases and scenarios. But yeah, I think it's good to hear that you already contacted them and made some progress. Maybe we can reach that, then, like, as you mentioned. Maybe we can continue with that approach, yeah. And, yeah, if something changes in future, maybe we will change the banner or redirection or whatever it is, like.
F: I think, in my opinion, it may be a redirection from the current one, or showing a banner, or, you know, but one of my main concerns was that deps.dev is also not offering a REST API at this point in time. I heard they were planning for a first API, but I don't know when; something says.
A: So they have an unofficial REST API. So the actual page is just a shell of a page, and then it does AJAX-y stuff behind to grab it. You can call those AJAX endpoints yourself, and it comes back; it's structured. It has all the Scorecard data in it. So I think the other idea that we were thinking about was actually to take the current metrics.openssf.org, Grafana and all that, and basically blow that all up and just have a page that you have,
A: you know, pick a library, and you're like "npm left-pad," and then it goes out, and it's stateless, and it goes out to deps.dev and the badge, and I think you could probably do criticality score as well, just by querying Bigtable, and all that together, and showing you a similar page. But now it's all dynamic; there's no back end.
E: I would also hasten to add, because we've been doing the same sorts of things for six years, that you have to be very careful about what you claim.
E: So I think that part of the scoring, I guess, the legend to the map, right, has to really be a very clear accounting of what this is and isn't, and what you can know and not know, because I think people tend to... We have seen people who are not using longitudinal, stateful data look at things and feel like it's really safe, when the data in the snapshot is misleading, not intentionally, but there's a huge amount of senescence and degradation of support.
F: Yeah, I think it's also important to give more transparent information, especially when the score was calculated, all the details. I mean, yeah, I think a version of the score, the tool itself, like, when the score was calculated. There is so much information which needs to be there, which can impact the score itself, right. Like, even in many current systems, like, yeah, the scores are primarily checked based on the master branch or main branch.
F: It's not clearly mapping with the tagging, with which version, which branch, and those kinds of things, like, you know, it can be a bit complicated, right. I think it's important to provide that information to the user, or in the API at least, so that, you know, consumers can take that and make appropriate decisions, right, but I don't think it is.
A: But then there is the trending and, you know, more complex analysis, where you combine multiple signals and you come up with your own opinions on what constitutes, you know, the bar that you expect or hope for, and I think when we started this project, originally we were thinking the full version, and that's kind of why we started building it out in terms of a, you know, real data repository. That's a product and needs a product team to drive, and.
E
Yes,
that's
what
that's?
What
we
keep
on
pointing
out
to
people
when
they
hold
up
open,
ssf,
we're
like
okay,
so
who's
being
paying
the
cloud
bill
for
all
that,
compute
and-
and
you
know,
yeah
you're
right,
it's
a
product
and
I
think
it's
very
important
to
make
that
differentiation.
But
there
is
a
lot
of
good
that
you
can
do
right
on
a
very
light
basic
level.
A
Yep
yep
so
and
and
perhaps
going
down
the
path
of
a
stateless.
Just
it's
just
some
magic,
ajax
stuff
paints
us
into
the
corner
where
there's
no
way
to
get
from
that
to
a
full
version,
but
we
can
provide
value
sooner
with
that,
and
maybe
it's
both
does.
That
say
you
know.
F
E
One
thing
that
would
be
amazingly
useful
for
something
like
that
to
do
is
actually
to
start
to
get
to
some
of
that
criticality,
because
the
the
dynamic
information
about
all
of
those
risk
factors
you
know
it.
It's
very
gets
very
productive,
but
being
able
to
understand,
especially
in
the
context
of
threat
right,
which
is
the
beginning
of
this
conversation.
E
The
the
criticality
of
any
given
package
as
a
lookup
would
be
very
useful.
Yep.
A
Yep
and
there's
another
project
that
I
forgot:
who's
who's
driving
it.
Someone
at
openstaff,
is
driving
a
project
to
basically
do
expert
opinions
on
what
criticality
means
to
you
as
a
as
another
as
a
qualitative
data
point.
In
addition
to
the
criticality
score,
the
more
objective
metrics-
and
maybe
you
know,
as
this
project
moves
forward
in
whatever
way
it
does
combining
those
things
in
a
way
that
makes
sense
where
you
can
say
you
know
for
this.
A
You
know
if
logging
frameworks
for
java
it'd
be
like
here,
your
top
three
most
critical
things
by
by
score
and
by
like
expert,
you
know,
checks
or
you
know,
hot
tamales
or
something
that's.
E
Where
experts
can
really
play
a
role
right,
so
every
one
of
us
could
probably
turn
you
know
our
hat
around
and
say.
Well,
if
I
were
an
attacker
and
looking
for
something
juicy,
I
would
want
to
get
to
something
like
fill
in
the
blank
and
we
can
all
probably
pull
together
a
list
of
what
that
is,
and
I
think
those
would
probably
be
the
top
things.
We'd
want
to
look
at
yep.
F
B
A
Cool
we
have
about
three
minutes
left
for
this
meeting.
Is
there
anything
else
anyone
would
like
to
talk
about.
F
So
just
want
to
summarize,
michael,
what
you
are
saying
is
like:
let's
continue
with
the
you
know,
what
let's
resume,
what
we
were
doing
and
make
decision
from
the
not
sure
are
we
formally
sick
at
christine?
Do
we.
B
Were
waiting,
we
were
moving
in
that
direction
until
you
know
like
decided
to
pause.
F
A
I'm
sorry,
I
actually
don't
know
what
the
why
you
need
would
need
to
be
a
si.
I
I'm
just
ignorant
on
this,
like
what
does
being
a
sig
open
up
for
you
that
you
don't
have
well.
F
A
No,
no
so
okay
yeah,
so
so
no,
so
I
my
understanding
is
that
you
would
need
to
be
a
sig
when
you
are
soliciting
like
funds
independently
and
outside
of
open
ssf.
You
can
just
be
a
project
and
you
can
get
funded
just
by
asking
tac
for
funds
to
do
x
and
they
say
yup
and
then
you've
got
funds
available.
You
can
have
jory
or
other
folks
from
openssf
set
up
meetings
on
the
open,
ssf
zoom
same
as
any
other
project.
I
don't
think
there's
any!
I
don't
I
don't.
F
B
Okay
sounds
good.
One
last
question
alex
I'm
sorry
I
was
late.
Is
there
any
participation
on
kubecon
coming
to
phone.
B
A
I
would
say,
probably
some
of
the
other
working
groups,
I'm
sure,
are
closer
aligned
to
six
store.
I
would
imagine
that
you
know
they
would
they'll
be
all
over.
That.
A
Cool
awesome.
Well,
thank
you
all
very
much
for
your
your
time
and
attention
and
thoughts
and
opinions
and
everything
else.
I
really
appreciate
it
and
we
will
please
fill
out
the
the
doodle
and
then
we
will.
I
will
see
some
of
you
hopefully
most
of
you
in
two
weeks
at
the
at
the
next
the
next
session.
So
thanks,
everybody
have
a
great
rest
your
day.
Thank
you.
Thanks.