From YouTube: OpenSSF Identifying Security Threats WG (April 13, 2022)
Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: Cool, so we have... let me find... First of all, how's everybody doing?
A: Cool, we'll give... we have a couple more folks in. Hi, Vicki. Hey, man. Hoping David Wheeler can join us. I don't need to write... remember to record anymore, because it's automatic.
A: Wow, I like your backdrop.
E: I am performing work, and while I'm performing work, I'm performing it while I'm sitting on a chair that is sitting up on my deck. Have I been adequately clear?

E: I have taken my allergy pills and other things to attempt to deal with that. But if it's awful, I will rediscover the indoors.
A: Very cool. So welcome, everybody, officially. Let's kind of get started on the agenda. If anybody has things that they would like to talk about, please add them to the agenda. If you're not already on the attendance, please have yourself there. If there's anybody new who'd like to introduce yourself, the floor is yours. Come off, Newton.
A: I think that's what it means. I'm trying to find this in cash.
A: Oh, okay. So we have a lot of systems that are continuing to use... no, okay, right. So I think this was... I don't know who said it, but 42 percent of systems are still using a vulnerable version of log4j.

A: What we do to reduce that, we can... it would be helpful. We can come back to this one later if it just takes some time to get thoughts out.
E: Well, we can come back to that, but I'd be happy to at least have a brief discussion now. Why?
E: A brief discussion now, and then we can circle back if we have time. But I can tell you one of the main ways... so I'm gonna pitch it. The main issue here is that developers aren't checking, aren't updating, and I would argue that the reason they're not updating is because there is no pressure to update.

E: Therefore, the proposed solution is to encourage SBOMs getting out to users, who would then go double-check this. So basically the pitch is: SBOMs by themselves, by the way, don't fix anything. They just tell you what's there. But the argument for having them is so that some people will look and start providing pressure back on the developers, saying, why haven't you fixed this? Why would you fix this? It's, you know, it's been vulnerable for three years. Why not now? There's an argument to be had that...

E: That may be true, but I think currently the hope is that if enough people complain, and in particular start looking at making decisions on "I'm gonna use that one because they're up to date, I won't use this one because they aren't," you know, maybe that pressure won't work, but at least currently I think that is the... I mean, there's no one, you know, it's not like the industry has a single brain.

E: I think the other thing is making it easier to detect when dependencies are out of date within... and that's things like Dependabot and so on. And so I'm hoping that between the pressure of users complaining and the ease of noticing within the development organizations, this will make the widespread use of vulnerable components go down.

E: So there's the pitch. I actually believe it, with the acknowledgement that, you know, this is a proposed strategy. I think it makes sense. That does not mean it works in reality, but only reality tells you what reality will do.
G: Buddy, so I don't disagree, which is good. I think we're all in agreement that SBOMs, visibility, is a good thing. But you can't have... there's a difference between making SBOMs available to users and making SBOMs at all, and that is the actual hump you've got to get over here: making it easier for projects to create SBOMs and then have them shared by default, or what have you, within... as part of the release process, etc. Because I, as a user, that's fine, I can look at an SBOM.

G: We can even, because SBOMs are often, if you're using something like CycloneDX or SPDX, in particular these are machine-readable and things that you can automate, right? You can have things that automatically look for an SBOM and then, boom, notify you.

G: If things are out of date, the hard part is really getting the developers to do it, which means putting things in the hands of developers to make it easy, right? Lower that barrier to entry so they will actually create the SBOMs in the first place, and everything then can pull out from there. But right now I think we've got a lack of awareness from rank-and-file developers around SBOMs in general, and especially how to do it.

G: I think that's what we really need, because we spend a lot of time talking about, you know, fixing vulnerabilities, but not a lot about the beginning part of that supply chain, which is even identifying what that chain is. And almost every company I work with, you ask them and they're just like, oh, right: they just don't know. And so how? What can we do to make that easier?
A: It's, you know, between Dependabot and Dependency-Track, Dependency-Check and, like, a thousand other services in the space, if you're interested in knowing what you have, the bar is actually quite low. It doesn't mean to say that every organization does anything here, but if they wanted to try it, it's not actually a giant lift that they need an SBOM in order to do; there are other solutions there.

A: An SBOM provides the way that I can tell you in a structured way, so that you can make policy decisions on. I've never... so I'm gonna have a couple different points and I'll tie them all together. Services, like back-end services: I haven't heard any talk, and maybe I just haven't heard it, but any talk on SBOM for services being communicated out. I think that would be interesting, because that means that when I go to, whatever, Facebook, somehow I can see that Facebook is using...

A: You know, whatever log4j version, vulnerable, and I'm not sure what I could do in that case, but I could at least be upset. That might be interesting. But I think the other... sorry, that was point two, and then point three is when you have deep dependency graphs, it's a, you know... if log4j is the fifth level down, anybody using the final thing, or at the first, second or third level, has no real ability to do anything.

A: It's only that fourth-level dependency that can bring in a new version of log4j, and then the third level has to bring in a lot... that, you know. So I think there's a structural challenge in how complex dependency graphs get resolved, and whether or not, you know, things like semantic versioning can be trusted enough to, like, force-upgrade things deep in the chain. I think there's some research in moving the needle there.
G: I think an SBOM kind of represents a lot of what you said, I think, which is: do people want to look at these things? There are SCA tools, and that bar is relatively low. That's kind of the hearts-and-minds awareness of: yes, you do want to do this. But that's a two-part hearts and minds, right? That's not only on the maintainer side.

G: I think it also is, as David was pointing out, on the user's side, and it's something I was speaking with a bunch of game developers about, you know. Your game is built on these things.
H: I mean, I agree with Vicki's point of view. I mean, at least within my company, we view the SBOM as kind of like the master index of all the evidence of everything. That's what people are going to be asking for. It's your choice on granularity, what transitions you show in it, but you can also add things like service connectivity.

H: Like boundary-level stuff, you can actually add tooling stuff: what was used to build it, what platform, what prerequisites. There's any number of things, but that's the master index. It's just evidence; what you do with it is up to you. We're not saying that we're mandating you need to fix it because it's a fourth-level-down transitive dependency. We're not saying that; we're just saying it's there, and so people can make decisions, like with Apache Kafka.

H: The discussion in our company and with our customers is, you know, maybe we'll give you a copy of Apache Kafka that removes log4j and replaces it with another library, but at least they saw it there; they can choose. You know, we accept the fix that Apache Kafka put in, or their workaround they published, or we can choose to, you know, fork and replace. They have that choice. At least they see it's there.
A: Yep, makes sense. A bunch of other hands, so...
D: Sorry, yeah, I just want to add to what Matt said, right. So there are SBOM standards which also support services and other concepts like what Matt already mentioned, right, especially in CycloneDX. There are more options for how to define an SBOM. I do believe there is value with the dependency tree, irrespective of whether it is log4j at the 10th or 11th transitive dependency. It is important to identify how it is being derived; in some cases you may have to have a dirty patch.
E: Thanks. Okay, so a couple things. So I'm trying to type and talk at the same time; that's probably going to fail. Okay, so Mike asked some interesting questions. First of all, what about back-end services? I can say, first of all, I don't speak for the U.S. government, okay; I've just been in some of their meetings and discussions.

E: I can say with certainty that the U.S. government has specifically mooted this. I just copied and pasted their minimum elements for a software bill of materials, where they specifically talk about, hey, you know, for online services and so on, you just point to an SBOM that's stored online. So the docs that I've seen from the U.S. government, they're currently intending to focus on code that's used in-house first.

E: But not because that's the end, just that's where they're starting, and I think they very much intend to include back-end services. As far as forcing updates deep in the chain, I think there's an interesting question, which is: is this something that maybe we want to encourage package managers to force?

E: So, for example, A depends on B, B depends on C, and B says "I need to use the vulnerable version of C," but there's nothing that says that the package manager couldn't override that. You could say:

E: I don't care if you declare version X; load version Y. And I don't know of any package manager that lets you do that today with a simple option. I mean, you could always edit the input files, right, but I don't see any reason why that wouldn't be possible. And maybe this is something worth discussing here briefly and then forwarding on to what is almost certainly going to be a new working group for package managers.

E: There's going to be a risk if you force that, but there's a risk if you don't force it, and maybe now is the time to add that capability to... well, no, I wouldn't... you always use the latest stable. You know, basically, should we enable overrides of vulnerable... of versions?

E: Okay, the client, okay: if it has data that says, use version three, and you know version three is vulnerable, you could have an override that says, don't you ever use version three, use version four. Now, there's risks to this, because version three is probably what was tested. On the other hand, version three is known bad. Why are you using the known bad?

E: So I think that this is one of those tools in the toolbox that maybe you don't use normally, but maybe it would be worthwhile having it now. My apologies, somebody said, hey, it's often not true that the component is vulnerable.

E: Okay, okay! Well, whoever said it, I'm gonna say that that is absolutely true. Good luck being certain of it.
A: Oh, absolutely, oh yeah. So what I was going there is that, naturally, if the true vulnerable is here and the potentially vulnerable is here, then we waste like 95 percent; we spend 95 percent of our effort for no value. If the true value is here, or the true value is here and what we show is like there, where it's five percent, that's probably fine, but I don't know what that is, and anecdotally...
E: Yep, yep, especially in the presence of dynamic loads. Okay, nobody calls it... well, nobody calls it statically, but most languages have a way of calling things dynamically. Are you sure it didn't call it dynamically? I don't have any tools that do that, because it requires the ability to be a human. Great.
A: But then would things... so, and now we're right below the rabbit hole. Things like, I guess, tree shaking, but in the context of disconnected dependencies, or dependencies that, like, you know, if you could have your entire app and, like, shake it, shake all the things that are never called from it. Yeah.

A: Even at run time, I don't know how that would work at runtime, but, like, you could actually say, yeah, I build... I have a dependency on log4j, but it literally is not in the final thing, because it's not being called, and the machine has kind of exercised it. I mean, I think it's more of a research area. I don't know of anything that does that well today.
E: So I'm not saying it can't be useful, but is something missing?

E: ...be useful, but I think the point is valid. You know, it's absolutely true that just because you use the component doesn't mean the app is vulnerable.

E: It's so hard, and to be honest, and maybe this is an additional issue, if you have a lot of vulnerable components, I view that as a code smell, as it were. You know, so if you've got a lot of vulnerables, even if that one's not vulnerable, you probably have something else that is.
F: David said, I think we might want to even expand: there's always the tension between, like, stability and reliability, what makes people usually clean...

F: ...so that, you know, things won't break, and security, because if you've been a virgin and then you become vulnerable, you need to do something active in order to cooperate that person.

F: So I think the case they've made for doing something with the package manager, it can be even with less of a mess, operations like maybe even a warning message when you pull something like that, but I think we can even expand it. This is a topic that is particularly interesting for me.

F: I'm actively doing research on it, and I think we can expand it for Docker Hub as well, because people are... if you have a CI pipeline that pulls a specific Docker image with a specific tag, and that Docker image is, let's say, vulnerable to the log4j... if you don't pull the latest version, then you keep pulling vulnerable code into your environment, and there are a lot, a lot of containers on Docker Hub that are vulnerable.
A: There is a part of a package manager working group; it's not official. I think it's just some folks starting to talk right now. David, do you have any information about this?
E: I'm sorry about that. This working group, there's...

E: Yeah, you know, well, it's more than a birds-of-a-feather; it is an OpenSSF working group proposal. The way that this works in OpenSSF is, you have to meet five times and have more than one organization involved. They are meeting today, 6 p.m. Eastern; that will be meeting number five for them, which is the requirement. So I'm expecting by the end of today they're gonna send a request up to the TAC to become a formal OpenSSF working group.

E: Oh, I can't speak for the TAC, but I'll eat my hat if they don't say, yeah, absolutely, yes, absolutely. So excited, because I mean, I think a lot of people are very excited about it. So technically they're not an OpenSSF working group, but I think that's going to soon be a not-true statement. So I can't guarantee what the TAC wants to decide, but that would be my expectation.

E: Summarize it into a proposal off to that other working group, basically saying, hey, you know, we had this discussion. For example, I think the idea of an option that says, you know, if you've got a vulnerable version, update at least to the not-vulnerable version, as minimally as you can. That's a risk to do that. It's also a risk to leave things as they are, and so I think enabling people to do that is something a package manager could do.
H: Yeah, and maybe I'll jump in the queue before, but I actually oppose that point of view. I like determinism. If I pin to a version, just... the main thing I'm asking for, and I'm thrilled the package working group is getting started, is uniformity of metadata, uniformity of hashing, fingerprinting, and for... having package managers provide me a clear way to get the bill of materials for each package, and enforce bill of materials on package version release submission.

H: So then everything works out transitively. At least I just want the evidence to make my determination if I switch based upon a vulnerability or not. Don't make that decision for me; don't automatically switch me. That causes side effects. I don't want to be... if I'm using log4j, you know, whatever, maybe I've already looked at the vulnerability and figured and decided, I fixed my configuration file. Don't automatically force me to a newer version. Don't do that; that's not expected.
E: Well, you know, I actually am big on reproducibility. I think there's a way to do both, i.e., for example, maybe... so, a fair concern. Maybe what we want to do is something like: you generate... you know, please generate an override file and then use the override file. Yeah.
A: You know, I think this is absolutely worthy of hours more conversations about the pros and cons and defaults and trade-offs and whatnot. I think it's important to have that conversation, so, you know, yeah. All voices should be in there.
D: Did you have another comment? Yeah, just want to add to what Matt mentioned. I also think that, wherever it's possible, we should have more deterministic builds, but there are build tools that don't support deterministic builds by default. Right, like, I think good examples: Maven, and even in Maven you can override the transitive dependency. But as a software producer, you can also write tests against it, right? There can be scenarios where you may be forced to override a transitive dependency, because the direct dependency may not have a patched version available, right.
H: Yeah, I think the interesting solutions I saw in January on log4j were companies that actually used... you know, basically for dynamically pulling libraries, they use, like, for Java, they use JNDI, and basically they took that: when those pulls are made into a library name, they did an automatic replacement. So they didn't call out to the package managers; they basically didn't rename, and they pulled out to a fixed version.
E: Yeah, and by the way, I do believe in determinism, and you know, I've been long pushing for verified reproducible builds. So I don't want to screw that up, but I don't think we have to have... I don't think it's an either/or. I think there are ways we can have an "and": you know, basically you're creating the overrides, you store that, now you can deterministically override.
A: As we move this forward, I just had a comment: we should connect with the Dependabot folks at GitHub, since this is the product, and if the product is not full... like, the problem obviously is not solved. So it would be good to understand what the challenges there are on adoption. And you know, I know for some of my projects, like, they're in maintenance mode; I'm not going to, you know, accept Dependabot pull requests.

A: Maybe I should just turn it off, but for other cases, you know, if there's a reason, if there are technical challenges or just whatever, you kind of learn from that experience, I'm...
D: Not sure, Michael, if you noticed the recent tweets from Germanico, like there was a discussion about Dependabot, especially in the Maven ecosystem, how it is identifying transitive dependencies, right. So my understanding is that there is a compromise there on how in-depth Dependabot will go with the transitive dependencies and...
E: Cool, okay, so I would propose that, I mean, either we work or next meeting, we try to turn this into a proposal once there's a working group to propose to. And you know, that means that the ideas are not lost. I'm not sure this is the right group to do it, but I think we're a decent group to at least capture ideas, including, you know, Matt's concern about reproducibility. I actually agree with him.

E: We do not want to screw that up, and so, you know, I would say, let's create a proposal to send elsewhere.
H: I just don't want to be lost... if the note was pointing out, I was kind of alluding to, which is the SBOM. There are features in different formats, and SPDX, I think, is gonna align with CDX, but listing of tooling. So I think that we should, you know, be fighting for things like inclusion of services connectivity, where your Swagger APIs... you know, any detecting your connectivity to external things, identifying tooling. What tooling did you use to build?

H: What scanning tools did you run during your build process? These are things that are left out. We strictly look at the components, but in terms of security threats, telling people what we use to look for those threats, we should be advocating here for looking at those things and including those in the SBOMs as well. So...
A: So there's a separate parallel effort, and I don't know how these two are all going to align over time, but the effort is called SCITT, S-C-I-T-T.

A: My internalization of what SCITT provides is a collection of assertions about the activities that took place in order to build. So an SBOM would be a part of SCITT. It would be the assertion that this is what makes it up, but also would be the results or summary or an assertion that a static analysis tool was run, and what tool that was, and what rules and what version and all that stuff, as different names. I agree with you completely.

A: There should be a thing that has that information available so that you can say more than just "your product, your thing includes log4j," but like everything that went into it, including, yes, tooling, services, all stuff like that.
A: Yeah, I'll find it. Cool. Is there any other discussion on this topic?
A: Wonderful. Cool, next topic, just a quick update on metrics.openssf.org. Thank you to Vanad and Christine, who will be joined by Jay and Azeem to kind of drive this forward. And this is determining what the future of metrics.openssf.org should be, not at a technical level, not at a tactical level, but more at a strategic, like: should there be an aggregation layer of security metrics broadly? Should that be part of LFX Security?

A: Should it be part of scorecards.dev, deps.dev, something else? We can re-point domain names; that's the easy part. But where are the guts of this work actually gonna occur, and who's gonna drive it forward and be responsible for keeping it up to date and taking feature requests, and basically doing all of that?

A: So I think Vanad and I think we're gonna try to meet over the next couple days. Sorry, we had to reschedule from yesterday, but yeah, I'm looking forward to making that move forward.

A: Completely great, and once we have that, it opens up things like what should the package managers do, and, like, you know, once we have a stable, trustable thing that will be available long term and not a proof of concept, I think it opens up lots of doors and lots of arguments into: is this the right metric, and does this metric show the thing that I expected it to show, and all of that stuff, and some of it comes into the Security Insights stuff.
A: Wonderful. Alpha-Omega, I just have a couple quick updates. One is that we are starting to interview, so we have, I think...

A: Four, awesome. So hopefully we'll get those done in the next week-ish, two.
A: Cool, so looking forward to staffing up and being able to kind of show real value. We have another announcement which I can't announce officially yet, but next time we meet it'll be official, and it'll be our first Alpha engagement.

A: What else? That's it for Alpha-Omega; any questions there? We did have a public meeting last week, I think it was last Wednesday, and there was actually pretty good attendance. So for those of you who were there, thank you, and we're gonna be holding that monthly. So the invite for that is on the OpenSSF community calendar.
B: This is me just pointing out that we've done a little bit of a charter audit of all of the working groups, and a lot of the working groups have incomplete charters, and Identifying Security Threats is one such working group with an incomplete charter. So I just wondered if one or two of you would be so kind as to make a pull request and update your charter with scope and with other sorts of information in there?
E: Okay, but by the way, a quick addition here: one challenge with the existing charter text is the template. It talks about TSCs; no working group has a TSC. So Ava, who's on the TAC, said, hey, you know... and I'm gonna say that this is a TAC member saying what they... What Ava really wants is the scope and the leads, so at the very least, make it clear.

E: What's the scope of the working group, who is currently leading it (hi, Mike), and I think other things in that charter need to be worked, but I think that's the key that the TAC needs right now.
B: Exactly. We think that charter was sort of fine a year and a half ago, but we'll likely get a revamp by the TAC, and at that point we'll make those updates for everyone. But yeah, exactly, if you could focus on the scope and the purpose and the mission and that sort of thing, that would be great.
A: Cool, next thing: OpenSSF Day. So this is happening on June 20th in Austin, Texas. So there's a link to some information about it. I think we're coming up with the agenda and schedule and all that. This is the first... this is the day before Supply Chain Security Con starts, so if you're gonna be there for that, come to OpenSSF Day too.

A: I'm planning to attend and talk about Alpha-Omega, but I think, you know, do you have thoughts? Certainly now's a good time to chat.
G: So that day is the 20th, and it's the day before Supply Chain Security Con. Yes, okay. Jacques was asking about that in the channel, so I'll just let him know on Slack.
E: And I believe the plan is to also support virtual. I don't know more details, but I'm sure Jory knows all the details here. Let me set you up, Jory.
B: It says... the one thing I don't have details on. I was just saying actually to someone earlier, frustratingly light on details with regard to how that virtual experience is going to go. I really do hope to have more info for you, but this was a little bit of a... we got caught on our heels, so anyway.
A: Terrific. Is there anything else that anyone would like to talk about, any updates, anything?
D: I just want to give an update on the deps.dev tab. It seems like Go packages just started to use deps.dev links in the package page itself, so, you know, they started to hyperlink them, yeah. Technically, if you go to package... sorry, what was the Go package URL? Yeah, pkg.go.dev, and search for a package, and you can find on the right-hand side the deps.dev link.
E: Yeah, you know, I manage the OpenSSF Best Practices badge, and wouldn't it be nice to link to, you know, something that provided some more data. I mean, linking to deps.dev or Security Scorecards is not a crazy thing to start with, and if later on, you know, LFX is another way, then that's great too. I don't see any trauma in having multiple links.
E: Can you slip in the example, the link to the example of this? I think I can just do that, I guess.
C: I just have a generic question. I'm not sure it is related to our group, but I think when, you know, you've mentioned Facebook, when we talked about this, you know, improving, you know, lines of patches, how we can improve it as end user, not mostly, you know, not to developers: that's general consumers.
A: That's a hard problem. I mean, I think people have wrestled with, like, the web seal of happiness from, like, years ago, and you know, it's like consumer ratings, and like Smudge was talking about the UL-like certification sort of thing for different packages. It's...
C: Well, yeah, so let's say it was hitting me when this log4j issue was, you know, happening in December, and it was all over the news, and you know, someone who works in a technology company, even though she was not a developer, she was hearing it and was asking, is this something I have to worry about, right? And it's for developers, they may know, right, and we are trying to implement these tools and encouragements and processes, but the general end users, how do they know, right?
E: I don't... to be honest, I don't think we have an answer for the general user today, for a large variety of reasons, and it's not like nobody has tried. For many, many years people worked on something called the Common Criteria; maybe some of you may be familiar with that. I mean, hundreds of millions of dollars easily have been spent on the Common Criteria, which technically still exists today. I mean, there are orgs who work this.

E: It's not dead, at least from a technical standpoint, but it's not something you're going to immediately reach for in most circumstances. It turns out to be really, really hard to do this.

E: What we've been focusing on: can we provide enough information to at least the next step of people, who make decisions of incorporating it in? Because it's hard enough to get information for technical experts, never mind the general public.
C: So the reason I was asking is, I was wondering if that can be a nudge to encourage whoever develops, right, kind of people... if the general public recognizes this, you know, let's say one company's website is using vulnerable packages, right, they may be able to be encouraged to act faster, right.
E: They're focusing on the software that's directly delivered because that's hard. Well, yes, you say U.S. government, at least; I don't know about other governments. But I think once that starts happening, that will make it much easier to say, hey, services, do the same thing. And that will not solve all problems, of course, but at least it will reduce the use of the known vulnerable dependencies, which I think will help.
A: I wonder if it's inevitable that the kind of GDPR cookie banner approach, right, will just naturally extend to: you have to provide notice of all your vulnerable dependencies and let the consumer choose, in which case any sane organization is going to make sure that list is empty. You know, especially if it has to be prominent. It seems like a sledgehammer approach, but...
C: Thank you. Thank you for answering my question.
D: I just want to add: I don't think all the vendors are brave enough to do this, right, like yeah, yeah. But I think the ones who are confident with their quality and security maturity, they will do it, right. I think it's a positive advantage for them; like, you know, they can tell their customers, making it public. Even there are vendors who are saying that we won't even give you, even if you ask, with private, right. Like, so there is always a competitive advantage for publishing SBOMs here, yep.