B: Wednesday, yes, yes. Michael, you're in the U.S., right? Yeah.

B: Right, thinking of those, anyone going to, I think it was, messes up in Japan in December? Yeah.

C: Unfortunately not. I will try to join to China to attend an online conference, open security something something, because I have seen that, I mean, for sure there is a bit of wordness in some way involved within this event, and there are some good speakers, so I don't remember the name of the event. I can share, but.

C: Just because I am toward the user, so sometimes I monitor the website. Open Source Security Summit, very generic name.

B: Same here, I got to go to this Open Source Summit in the financial sector on December 8th. So it's my local event, New York City. So basically.
A: Cool, so welcome everybody. I think this might be all we get, all we have today. I'm expecting a bunch of folks in the U.S. to have started turning things into a five-day weekend. So that's all good. If you have anything you'd like to talk about, please add it to the agenda and we'll make sure we talk about it.

A: I have two things that I wanted to cover today, and then we have project updates and the usual go-around. I apologize, I'm like two octaves slower, my voice, my kids brought home the plague. No, it's all good.

A: So the two things I want to talk about. One: we need to get content over to Jennifer Bligh for the OpenSSF annual report. It is up to 500 words on basically the purpose of the working group, what we do, what our accomplishments were in 2022, and what we want to do going forward. So there is content in the meeting notes. What I'm hoping is that we can spend like 15 minutes and just knock this out together.

A: I started some things in there, but please, let's just maybe all collaborate and simultaneously edit, and we'll just do the group thing there. So the sections there are the ones that they asked for. I don't see any, like, photos or charts or graphs or even, like, quotes being super relevant for the stuff we've been doing, so we can just kind of go with that and not worry about formatting or anything like that.

A: And it should be anything that we've either done in 2022, which is, like, everything we can think of is probably stuff that we've done in 2022, and for the what's-next things that we, like, I really think we're gonna do, or give me a little forward thinking. So.
E: By the way, I don't know if you noticed, Michael, but I tried to add Russell's to the security reviews and got blocked on some check.

E: You know, maybe we should just first, you know, "metrics dashboard provides," okay, you know, explain what it is and then give the status. So, you know, start with security reviews collection and then say the, like, that.

C: I can add the description. What is that?

C: Feel free to correct my English grammar. I need to adapt this to help. Okay.

E: Oops. Yeah, yeah, you do a control, a shift-control-V or shift-command-V when you paste it in, because otherwise.
A: We can kill it, it's an order of magnitude less important than the others. So, gone. But it was the one where we do a security review interactively, like, and record it, and record the thought process and whatnot, but.

E: All right, and presumably Alpha-Omega is going to be reported separately. We're not going to talk about that here. Yeah, all right. What do we want to say about office hours? I'll have to, I mean, I think we tried and it frankly didn't get a lot of.

A: Yes, well, we did everything, but when no one signed up, there was nobody that could come. So, you know, yes, we canceled it, but.

E: You know, we are attempting, I don't know if we're going to say something, we ought to say something. We scheduled, you know, a forum, but in spite of press, all right, let me just be honest and we may decide to just kill it. But yes, in spite of significant publicity, no one.

E: And no, that's not true. I posted, other people posted, granted. The people that I post to are probably the least likely to show up at one of these things. Yeah. You know, we, our first, all right. So let's, our first effort at scheduling a forum.

E: Which suggests the need for significant publicity. I, just lead time, yeah, and publicity.

E: For potential success. All right, now that I've written it directly, let's try to write it nicely. How.

E: The first session didn't have, which suggests to us the need for.

E: Targeted at potential requesters.

A: No, I think for that I think I just linked to the Slack channel, because particularly for virtual maintainer summit, it's a closed, invite-only.

B: Yeah, yeah, I think we will probably, yeah, this was discussed before, right, because this is more like a POC trial.

B: We are working to create a, like, survey form as well, so maybe there's something we are sticking for, some action items, and you're welcome to join our next call.
E: Do you mean by that the little script that checks the security reviews proposals? I thought that was done in 2022, am I correct, or was that earlier?

A: I, no, it was probably before 2022, but either way, that's like a crude implementation detail.

A: Yeah, that's, we can. That should be easy enough to fill in.

E: All right, so I want to ask, get everything done in every file that was added in 2022 under security reviews, reviews.

B: We haven't officially, I think, because we want to have, we have a, you know, like a formal request letter at eight, and along with the survey, the nomination, excuse me, we worked with the Linux Foundation event team on the nomination request so that we don't expose their email, right. So.

C: I mean, and the list of the critical open source projects is crazy. I mean, I remembered at least, but when we prepared, I mean when Michael starts to prepare it, but from all that project I know just one maintainer. That is one of the Babel maintainers, that.

C: About, okay, I can, I mean, for sure, he is one of the three or four main maintainers of Babel. So if you check the repo you can see his commits, but I can write him if he wants to.

C: We have some meetings in person in Turin and we talk about security, so he is a nice person, yeah.

B: It will definitely help, you know, if we, you know, if you have someone who knows that I'm trying to have a relationship with. I'm gonna reach out to, you know, to mentioned, for the Ansible sign, you know, okay, so some other people have some context too. So, but definitely.
A: Okay, I'm feeling pretty good about where this is now, other than filling in n. Does anybody not feel good about this?

A: Can, you know, edit a little bit. Awesome. Thank you, folks. Next thing I want to talk about: I wanted to do, if it's all right with y'all, a more or less hand-wavy pitch for the assurance assertions.

A: Okay, so we're talking about, we, I really need a better name. "Assurance assertions," just the short name version of that, it's just terrible. So we have to figure something out.

E: By the way, just FYI, while you're up, I have just run a git command to give you the list of the, there are 104 new reviews. Awesome.
A: Okay, so assurance assertions. Motivating, I was trying to put together something that would be catchy.

A: It is usually hand-waves and stuff, and certain things like, you know, Sigstore for integrity and SLSA and things like that address certain parts of the equation, and I think what we're talking about here is a way to tie some of those things together, but also supplement with things that I'm not aware of anybody else working on. So this third cartoon thing, you know, so, you know, the organization has a set of policies that we use to check every piece of open source.

A: We use, we make sure it's maintained, that it doesn't have vulnerabilities, it doesn't do weird things like roll-your-own crypto, and I think those are three kind of interesting examples of, you know, some organizations do one, some do two, but I don't think anyone does all three of those types of things.

A: So our mission of assurance assertions is to provide stakeholders consumable data that describes the security quality of the open source software they use. Yeah, there's.

A: It just happens to be the target; it'll work on anything. The vision we have is that stakeholders, meaning consumers of open source, users, you know, developers, organizations, whatever, can do this efficiently and informed, and they can make decisions about which projects they use and understand what risk they carry when they're using it. So you want this to be objective and extensible and, like a lot of things, so, context: most open source has never gone through any kind of security validation.

A: What it does, in the best scenario, well, in the best realistic scenario, those validations take place privately. Things like the security reviews repo is, you know, one of the contraindicators of that, but for the most part it's private. It's not consumable. It's not in a readily accessible format or anything.

A: It means that consumers either, you know, rely on super coarse metrics like CVEs, or just wish, or, you know, I suppose sometimes you can outsource this to a vendor that provides some level of assurance.

A: The problem is that this stuff is very expensive. Having 12 organizations all doing the same work is a waste of 11 organizations' time and money. It's inefficient. It's rarely done in practice.

A: So, "you will reduce the likelihood," well, actually, this one I'm probably going to take out. I'm not really sure about the second one, but what I think we want to avoid is a place where regulations come into existence that say every organization needs to do a code review of every piece of open source they use. Laws are fickle. There's no reason why a law like that could not be created.

A: That would be terrible, but so having something like this, where you can say, I as a consumer organization, everything that I do, I have these policies, meaning these, like, technical policies, and every piece of open source I use is validated against those, means that, do you think, you can make the argument that that is a commercially reasonable action that you're taking to address this risk. OpenSSF seems like a reasonable organization to drive this. I can't think of any other organization that would make sense to do this publicly.
A: So what does this actually look like? Well, actually, no, the goals, and this is where we get more concrete: we're going to analyze a lot of open source projects using automated tools; we're going to create an assertion based on the results of that analysis, essentially describing in a consumable way what those results were. Sometimes those are the precise results: this thing was reproducible, or it was not reproducible; it has these CVEs.

A: Sometimes it's aggregate results: I ran CodeQL and I found three critical findings, not necessarily vulnerabilities, but at least findings. We will have a process for, you know, continuous scanning and rescanning; the stuff has to be kept up to date. We'll provide a reference implementation for generating those assertions, for storing them, for consuming them, basically the whole kind of end-to-end package.

A: We will run an instance of that and make it available for anyone, you know, using our reference consuming implementation, to set up a policy, or to run a policy that we provide them that says, like, all packages have to be actively maintained. So in a, you know, CLI, you just say, like, is Django actively maintained? Yes, cool, great, and move on, and all that. So the assertions themselves are just JSON; they're consumable by anything.

A: There's no, like, weird magic infrastructure you need to have. Anyone can generate their own assertions, they can store them privately, they can run their own policies, they can run their own policy engine. This is a spec and a reference implementation, and not, you know, the only system for this. Nothing about this is private.

A: We want to see how many projects we can generate at least this one assertion for. We want lots of assertions available, because every assertion is a piece of information that a decision could be made off of, and we want organizations to be using this. If we just generate this ourselves and nobody uses it, well, it can be great, but not impactful.

A: So we want, you know, a lot of, we want these assertions to be consumed, and we want folks from outside to be contributing to either the reference implementation or their own set of policies or their own registries of assertions.

A: You know, we can kind of map the assertions and the policies that we provide, at least, to things like SSDF and other requirements. So if SSDF says you have to do foo, if we can measure whether or not you did foo, and they have a policy that says you have to do foo, you combine that all together and you can say that, through this system, the open source that is evaluated complies with, in the best case, SSDF. And I'm going to hand-wave and say there are lots of things that won't be measurable, so that'll always be partial coverage. So, very high-level roadmap: between now and January I want to get buy-in on the concept, generate some initial assertion types, make sure that there's an end-to-end, you know, POC that works, scan about a thousand projects, and then start to engage OpenSSF more broadly, get some public feedback.

A: Iterate, talk about this, and then in the New Year expand it out to, you know, 10,000 projects, 100,000 projects; like, at some point it's just CPU. But then gather feedback and iterate. What I'd like to do is get this to, like, what we feel good about, like a 0.8 version release by, like, you know, the April-ish time frame, and then figure out, like, what does the full, like, V1 release look like, you know, in terms of
A: Sigstore had to think about, you know, as they, in prep for them going to 1.0. We won't have to do the same. So, sample assertions, you know: subject is vulnerable to these CVEs, if that could be maintained, aggregate tool findings, it implements crypto, it has Perl source code.

A: So this is an example of an assertion, and it's, you know, in two parts, which embeds the Scorecard data for one particular GitHub repo in it. So you could then have a policy that says, for a given subject package, whatever, I want, you know, I want that, I don't know, branch protection needs to be greater than a seven, because I know that that means something based off the Scorecards. So this project would fail that policy, because branch protection is zero. Or, you know, pinned dependencies has to be greater than or equal to seven, and it would pass because it's equal to seven.

A: So that's kind of what it looks like; it is just JSON. So we have a handful of policies that we've implemented. We can make these as complicated as you want. Workflow and the architecture: it's going to get a package, it goes into the black box, does some analysis, assertions get spit out.

A: The assertion may have the evidence embedded, maybe referenced, may not have it at all. It doesn't really matter. It goes to an assertion store and then you run a policy against it.

A: So we made some choices. The reference implementation is, like, vanilla Python, nothing special. Some tools are needed to generate the assertions, so, like, we have the Omega analyzer, which is a Docker container. We run Open Policy Agent.

A: You need that binary if you're gonna run those types of policies. We right now store things either in a local SQLite database, which is, like, not super helpful, or a local file directory, which in theory you can push to GitHub, but I ran into some challenges, so I think that's not going to be really the way forward. So we'd have to run some sort of a service with an API that, you know, gets and puts. So we have that; all that is right now sitting in a pull request in Alpha-Omega, and we're continuing to iterate on that. So, really, really important about this: trust is provided by the consumer, not the system. So while we, OpenSSF or Alpha-Omega or whoever, will generate some assertions, no one is required to trust them.

A: Any organization can generate assertions. You can make them publicly available, throw them in a repo, throw them in any of the kind of connectors that we'll have, or keep them private; it doesn't really matter. The only thing that's important is that the consumer of those assertions can get to them. While we'll also provide a reference set of policies, no one's required to use them. Any organization can create their own policies, evaluate any of the assertions that, you know, they physically have access to. You could, you don't, even, you can still, you can even have a commingled public assertion store, and through the magic of signing you can trust some assertions and not others. So there's nothing that would prevent us technically from having a public API endpoint that anybody can submit assertions to, and then you as a consumer can decide which organizations, which keys, which, like, waving hands, like, need to figure this out, which ones to trust and which ones not to trust. So, you know, what I would imagine is, for, you know, npm left-pad, after, you know, some time of using this, there will be hundreds of assertions that have made various claims about that project. You will trust some of those, and based off of the ones that you trust, your policies will either evaluate to, like, true, false, or, like, "I don't have an assertion for that, so I can't," no, I guess. So it's intended to be super flexible there, and simple.
A: The API surface is also, like, really simple. You generate an assertion against, you know, npm Express, you put it in this directory. You know, you can provide your own, and then you have a, you know, signing key, and then on the consumption, and then you can, you know, obviously, like, wrap that up and run lots of assertions on the same package instead, so, you know, we provide that as well. And then on the consumption part, it's basically the same thing: you consume, your subject is npm Express, this is your repository directory or connector or whatever, which policies do you want to run? And then, you know, obviously the trust, however you express trust, would be that last option, and then the results of that will be, you know: policy X fail, policy Y pass, policy Z not enough information, and then as an organization you can do whatever you want.

A: So, next steps. Let's see: is this useful? Is this something that would actually be used in practice? You know, what would it be used for? Are there key parts of this that are completely missing? You know, look, people try it out and all that, and contribute, and all that. So at this point, you know, we're still in the early incubation of this, but I'm optimistic that we can make it real in 2023. So, thoughts?
B: Oh, this is great. Can I ask one question: do you see the assertion parts that the consumers or users are going to survive? Do you see any possibility that a vendor or company kind of scrubs it or filters it and makes their own version of recommended, you know, those sets? Like, yep, yeah, like a CA managing certificates, right, blessing, yeah.

A: So what I would say is, we need to think a little bit about how to do, like, hierarchical, like, policy overlays, or I don't know how to kind of describe it. But, like, so imagine, like, we have a public assertion that says what we say. We would say we ran CodeQL and we found four command injection vulnerabilities. Now, because it's untriaged, like, it's, you know, it's a data point, but, like, I don't know if you want to make a decision based off that, and we're certainly not going to provide the raw results in the public data set. So we'll just have, like, "potentially critical," reform, you, for your organization, you may run a similar toolchain, running CodeQL or anything else against the project, and include the raw details, or filter out and say, you know what, I don't really care about that injection, but SQL injection I really care about. So that's the only one that I'm going to index on, so you'll have a separate assertion that kind of, like, deletes the public one, and then your policy can say either "I only trust things from your organization" or, you know, "I only care about things about SQL injection" or anything else like that. So I do absolutely see private organizations running their own repository that they could run whatever tools they want on, and you can even, like, provide a manual assertion, you know, with, like, arbitrary stuff, and then make decisions based off of that. I hope that more things are published centrally, because, again, it reduces the need for lots of organizations to be doing the same work, but I don't, I think it's inevitable that poor Position will do that. Luigi.
C: My question is: are you citing an example that you can run CodeQL to find vulnerabilities, and so that is great? But my question is, there is the risk that we can penalize, maybe indirectly, popular or big enough professional projects that are written in not so common languages or not so popular languages? I don't know it. I suspect, I have no data, but I'm pretty sure that for new popular languages like Rust, Clojure or similar, we have less tools. Sometimes they are just wrappers or improvements of old main bodies, for example. So Kotlin can be a good example: even if now we have more tools for Kotlin, but we used to create better results for old languages like Java and C.
A: So I think we need to target broadly. So if we only have npm packages in here, like, it'll be of limited use. I do think that there is a danger that, if the tooling, so the tooling is garbage, and, you know, we keep, like, saying, oh, you have all these vulnerabilities, and it turns out that they're in, like, example code or, you know, unit tests and things like that, that people will rightly no longer trust the assertions signed by OpenSSF, because our tooling is garbage.

A: So if you write a tool in Haskell, it's going to come back with zero, like, tool findings, you know, exactly, imagine. So does that mean that it's safer, or that it's not analyzable? And I think that we could very easily create a policy that accounts for that. So the policy would be something like, you know, if the language contains Haskell, then, well, so how about this as a policy: you shouldn't use anything in a language that's not analyzable, so anything written in Haskell should flag as something, and that could be your organization's policy, and maybe not, that would be a public one that I don't think we would use. But, you know, you could do that, or you could even combine the policies where you say, you know, the false positive rate on, like, memory corruption for C is, let's just say it's really high. So the fact that there are, you know, the density of memory corruption findings is lower than some amount, then it's considered safe, and if not, so you can absolutely go nuts in terms of the expressiveness of, like, what you consider, how you implement that policy. One of the things that we did was, so we use Rego as a first-cut policy engine, or policy evaluator.

A: So it's just a command line, and you run, you have a policy that's expressed in, like, you know, you say this JSON path equals this value, for example, and it says true or false. But we also have one where it's just an arbitrary command, so you can just say, like, run my own thing and it'll either, like, spit back true or false. There's some contract there, and then you'll get the whole set of assertions for the package and you can do whatever you want with it at that point. So.
C: I expect great results from this project for some, in particular some programming languages like C, Java, JavaScript and Python, probably also, where we have a scanner and also we have good partnering tools. So technically we can definitely run the automation. The concern is just for not so popular languages that are still used, but we don't have just two, but yeah, with the Open Policy Agent at least people can try to balance or to define what they want to see in a sort of way, and.

A: I think we'll probably be conservative in the types of policies that we have. I'm not sure, I mean, I can imagine organizations being more strict than in general. Christine.
D: Oh, okay, so I had a question that when you had a section where you wanted to socialize with all the OpenSSF, are you looking to go to other working groups like the End Users working group, because they.

D: I believe end users would be folks who potentially could be the consumers of it, like organizations who use open source.

A: Definitely think that they are a key stakeholder in this, because I think most of the, well, actually, no, it is kind of jointly. So it's both on the, I think having it, like, organizationally fit within Omega I think makes sense, because we're already analyzing a lot of packages anyway, and, you know, this is a way that we can distribute information about the results of that stuff, but then, yeah, yeah, it should absolutely be part. In fact, I would make a note of that.

A: So I think people will share their policies where they're relevant, you know, and the mental model that I have is the way that Semgrep has their, I forgot what they call it.

A: No, not a playground, but it's like a community registry where they have their own, like, official ones, and then people have uploaded their own, and you as a consumer can choose, like, whichever ones you want to do, or you can just point to them completely privately, if you want to do that too. But yeah, I'm optimistic that, like, for the most part, like, the assertion generation isn't, like, super secret intellectual property.

A: For the most part, the policies won't be either. Like, which policies an organization implements internally, that's private, and I wouldn't expect them to, you know, let us know which ones they are running, but.

A: Wonderful, yeah, I appreciate everybody's, yeah, I'm here. Thank you.

A: Cool, we just have a few minutes left. Was there anything else that anybody would like to give an update on?

C: We have a security engineer for Alpha-Omega, it's official. We.

A: Do, yes, do you see any, yes, sir, joined us last week, so she will be working on this project, among others. So, okay, cool.

A: Cool, awesome. Well, for everybody, thank you very much, appreciate everybody's time today. For those of you that are off for the rest of the week, enjoy it. Those of you who aren't, sorry, but you should still enjoy it, and I'll see everybody in two weeks.