From YouTube: OpenSSF Identifying Security Threats WG (May 24 2023)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
B: So yeah, I spent two days trying to track down a lawyer. I mean, yeah, and it's, it's, yeah. The LF has an insurance plan for legal support and it's not, not. It was not.

A: Oh, it's like parking tickets and, well, yeah, but it's supposed to have all leases and stuff like that and it's, yeah.

B: But at this point I'm good, but I am going to make their lives a little more difficult because they made my life difficult. There you go, yeah, I'm spiteful like that. Just a little bit.

B: Good. I have to drop off at half past for our meeting with another lawyer. This is the plaintiff's lawyer; I'm trying to get them to extend the deadline by 20 days.

B: Oh, for the outbound one I worked with Mike Dolan directly, who is a PM at Linux Foundation but also a lawyer. He's very nice, he's very, I... Actually he's, he's not your average lawyer. He's fairly well informed about technology topics, and you know, he's an advocate for open source.

B: Yeah, Mike Nolan's good. Mike Dolan's good. He's, like, he's with it. He's, like, he knows what a CNA is, for the CVE Numbering Authority. Like, he's very, he's very, like, in the know. So yes, I like Mike Nolan. Louisa was asking what the, what my experience was like going through trying to get the outbound disclosure policy signed off by LF legal.

E: Him, I would hold that against him. Really, the big challenge with Mike is that he is, oh, insanely busy. I do my best to not badger him when I don't need his time, because he has precious little of it, but it's always a joy to chat with him. So yeah, excuse me. So what are we, what are we up to here? I'm, we're.

A: Just getting started. We're getting started a little late, it's all good. Okay, so it probably will just be us. So, well, I think Jonathan, you said you need to drop at half past. I could certainly use time back, so yeah, we can make this one on the short side. I know Luigi, if you got any updates on Security Insights.

D: Start updates, I mean about the Security Insights, honestly. In the last week I was a bit busy, I'm blocked, and so I haven't had time to dedicate enough time to review the jonatella pull requests, but I need just to match them more or less all and just close issues now. I hope to do this week, and I'm sorry for the delay, my fault. And about the security policy.

D: Well, technically, security policies. Reading, I guess, I'm quite sure that we don't want to go public with the security policy that doesn't have the Safe Harbor, and for this reason I was asking about the Linux Foundation lawyer. We need to have an approval by the legal team. The policy is ready. Honestly, I used the template by disclosure.io. That is the same template used by at least one United States government website.

D: So we need just to have an approval, a formal approval by the legal team, but yeah, I don't think that we need to add so much to the template. We just need to agree if we want to have this Safe Harbor or not, but I think it is a requirement for us, and I have put the message in the vulnerability disclosure channel to try to move this topic, yeah, because now we need just to have a formal approval.

D: The policy was, has been reviewed, I guess, from a lot of people, for sure from this vulnerability disclosure group but also from the TAC group. I shared it at least two times, and so now it is, we need to wait for the Linux Foundation. David, if you have any contact that can help us to move on to going public with this, please.

E: Okay, are we talking about a safe harbor for those who are reporting vulnerabilities to, say, OpenSSF?

E: Yeah, and Jonathan and I have talked about this, and then I decided to get pretty sick at the conference. I'm still recovering, so I have not done anything on that. Jonathan, have you done anything along the Safe Harbor stuff? We talked once and then I disappeared off the face of the planet. So, okay, we talked about Michael, Mike Dolan, Mike, and, you know, by the way, as we said, no, like, Mike had a lot of concerns about that.

E: Safe Harbor. I have to be careful here because I think some of that was under a, you know, ECP, well, no, legal privilege here, but basically the problem is that there are attackers who exploit safe harbors who are not working with the best interests of anybody except evildoers, frankly. And while the intent is clear, we unfortunately have had some pretty awful experiences.

E: Can decide? No? No, no! No, because if you say something and they do something depending on it, you can't just pull the rug out from under them. So you've got to say what you actually mean, and really you don't want to say anything else that you don't mean anyway. But I've forgotten, there's a weird legal term, I think it's estoppel, that may not be the right legal term, not a lawyer, but you know.

E: Basically, if you make a decision based on what someone else says, there are certain protections to you because you trusted what someone else said. And my apologies to me, if a lawyer ever sees this they'll go, what do you mean? It's obviously, I'm.

E: I do not try to pretend to be a lawyer, and there's good reasons for that. But I do know that you can't just make a promise and then just, nah, never mind. Yeah, right, right. So I think the problem is, I think it was Mike, it was a lawyer, I think it was Mike, looked at it and they said no, no, no, no! No! No! No! No. We've actually had some terrible experiences with people who exploit those kinds of statements.

E: I think they would rather just not have a safe harbor statement, period, because then that's not a problem for them. For us, if you want a safe harbor, if you think it's critical and vital to have a safe harbor statement, then it's going to have to be much more fine-tuned than what was there originally, because their suggestion was actually quite simple: great, let's delete all that stuff, go on, so.

E: Not gonna, they're absolutely not going to sign off on the Safe Harbor statement as originally stated. If it's critically important, then it needs to be written in such a way that those with malicious intent can't just write it through.

E: You have a draft security policy. If you don't have a safe harbor statement, you can post it today. No.

B: Ava was pretty staunch when we chatted about this that, you know, they wanted to see Safe Harbor policy put into that. Okay.

E: That's fine. All right, so we have a disagreement here. The LF legal folks say basically we're not going to sign off on the Safe Harbor statement you originally stated. As far as legal is concerned, if you don't have a safe harbor statement, you're fine. The TAC has to approve; if TAC members say you gotta have a safe harbor statement, then what needs to be created is something that both sides can agree on. I, I, I'm.

E: Sorry, yeah, I was gonna say I'm not sure it needs one, but I certainly see the value of it. The problem here is that one needs to be crafted, because as soon as the lawyers started looking they went, oh, we.

E: So yeah, I don't think the objection is, oh, we can't have a safe harbor policy. I think the objection was, as written, too loosey-goosey. There's been some pretty bad experiences from people who claim to be security researchers, but their goal is to harm others, not to be helpful. So, I mean.

E: Right, exactly, yeah. Let's, yeah, how's this: so let me shift this a little bit, and really this is outside this working group thing anyway. This is a Vulnerability Disclosures working group thing, so here's what I would say: Jonathan, you know, you have both the background and passion. Once you talk with Mike I would be happy to be there too, although it seems to me that the issue is one of legal crafting and I'm not a lawyer. Can.

B: You arrange that meeting? Because, like, I already owe Mike some things, so can you drive that? Can you drive that meeting to occur, and I'm more than happy to attend.

E: I mean, I'm fully capable of using calendars. Yes, so, okay, all right, so, excuse me, all right. I will try. I will then pick up the ball to create a meeting, and you and I and Mike discuss and go, but this is, yeah, this is the wrong meeting for that, because.

E: They're concerned about, got it, got it, got it, got it. Okay, let's not waste everybody else's time, so Jonathan, Michael, Mike and I will, we'll try to work with Mike Dolan and we can move on to another topic.

D: Okay, so action item. This means that Jonathan, David, you are following now the Safe Harbor for the inbound security policies. So we can find us.

E: There isn't, there's, which went to the TAC, approved, it was the outbound. The outbound, yeah, okay, TAC has approved outbound. Neither the TAC nor LF legal have approved the inbound. So nothing is approved yet on that. Nothing.

D: No, it's not approved, the inbound, but we need to solve the Safe Harbor. So the question is for me, the next action item for me is: in the TAC group we have seen that people want to have the Safe Harbor; for the Linux Foundation legal team the Safe Harbor is a problem. So I want to find a different solution, rewrite it to have a better Safe Harbor for the inbound security policy, or we need to remove it. I don't see all the solution. You.

E: We want, okay, but let's do two stages. Let's, Jonathan and I talk with Mike, work, step, that's step one. Step two, once we've further understood the issues and started crafting something, then do it more widely. But yeah, I think some of the concerns that they raised are involving past events that were unpleasant and are not desirable to go public. So we want to get the lessons learned, but I'm not sure that they can share everything publicly.

A: Don't know. This is all good, okay, so that was on that. Luigi, do you have anything else? Okay, cool. By the way, I thought that was a pizza icon thing on, and why does, like that? That's party.

A: Cool, okay, disclosure track. Jonathan, I know we were trading things back and forth. We're gonna chat with Vulnerability Disclosures tomorrow, or I am at least. I'd like that working group to adopt the project officially and all that. We already have a repo in openssf; we just need to move the content over, so Jonathan.

A: That's what we need. No, I don't want to own it going forward. I would like someone in Vulnerability Disclosures to step up and say, sweet, this is a good opportunity, I want to do this, put my name down, I will own it.

A: Then the question is, well, what does adopting mean if it doesn't mean doing anything with it? I, like, I think we need to push on, like, just as in this working group, like Luigi clearly owns Security Insights and, like, at this point Amir clearly owned Security Reviews.

A: I, it's all open up, like whatever. How about this: let's ask Vulnerability Disclosures if someone would like to own it, because it clearly is in their charter. If they say yes, well, you don't have anybody, and you say, well, I'm a part of this working group, you'd like to own it, you know, drunk would like to own it, whatever, that's great. Let's do it.

A: Okay, and if they say nope, not our thing, then maybe you own it as part of AO, and if, like, we'll just kind of go down the line of options and it'll.

A: It's dangerous, you know. I just popped it in the thread back to you and I'll post it here.

A: No, because I gotta build a doctorate, Mission stuff.

A: And actually do the Python build thing, and sure, not all of my days are terrible.

A: Security Reviews. I know Amir isn't here, but I noticed yesterday, maybe it was today, that Google open sourced their Rust crates audit, which it looks like they just dumped a big file worth of cargo crev audit things for a whole bunch of projects that, at least from a first glance, looks like they had someone actually go through and are thumbs-upping.

A: You know, a whole bunch of cargo projects. Would have been awesome to have that be part of Security Reviews, because that's kind of the exact same purpose, but whatever, I think it's good to have that out there. That may be an interesting place for the dashboard, the, I'm sorry, risk dashboard to pull data from. I would love a resource like this where lots of organizations contribute to.

A: Last two things: the threats paper. So the threats paper is now like two years old, two and a half years old, something like that. It's missing some emerging things. I think it came out shortly before dependency confusion, so all of those types of attacks I don't believe are ever mentioned.

A: Is that something that we want to do, that we think has enough value?

D: The document is quite good. I am trying to understand where I should add the new thing, or if I would want to adjust an additional page, I don't know. We have a GitHub issue where there are two or three good comments with missing topics. One is dependency confusion and one is maybe multi-factor fatigue attack and similar, and so the document is still good, though we need just a smaller bump. We don't need, probably, a 2.0; I should just share the updates.

A: Yeah, that's right! Yeah! We do have some good docs here. We probably also want to include.

A: I don't really know what exactly that means, but I'm off time. I had, like, you know, attackers, if AI systems are used to make decisions, and then things like prompt injection and whatnot can be used to undermine the integrity of those decisions, that, if there's.

D: Know, and probably we can have a new section for AI, because the document, yeah, we didn't write anything about AI in the first version.

A: Cool, so.

D: I haven't downloaded, honestly, a document, I mean I downloaded the Word version and uploaded it on my Google Drive. I would prefer to use GitHub maybe, but some weeks ago you suggested, if I remember correctly, to use the Word document. So I just moved it to Drive because you can add comments easily, and so, but no strong opinion. I can move on Google, on GitHub, honestly I think it is, I.

A: I don't have a strong opinion either. Like, I think the PDF looks nicer than a printed markdown file, and I know that, like, in theory there's a way to make a markdown file look pretty as a published document.

D: So I'll probably have a version in Word that we can export in PDF, is a good idea. The only reason why I like GitHub is that it's public, so everyone can see everything. Yeah, but we can keep writing it up and then we can just add it to the Word documents, or we can create the Word document and then we can move to GitHub.

D: Going to do this. I have only one concern about the Word document, and it is related also to all the other documents that I have, like the security policy. Now I am the owner on my Google Drive. I would like to move to an OpenSSF something, a drive, that I don't know if we have. Oh.

A: I gotcha. Here's where OpenSSF does not have a Google Workspace, so each of the, like, the meeting notes for this are on my personal Drive, and the silly thing is, like, you can't even tell from the URL where this thing is hosted or things like that. The Word doc.

A: The official, like, final, like the one Word doc is physically uploaded, but you can't collaboratively edit that in GitHub. You can download the docx file and do whatever you want locally, but there's no collaboration. So how about this? Oh, I see what you mean.

D: I sent you an invitation by email, but I need to ask the email of everyone that is in this call, or I need to put it public with editor privilege or comment privilege, I don't remember now, and yeah. This is the reason why I would like to have a sort of OpenSSF space and why I prefer GitHub, because in GitHub we have an organization.

D: The only reason why, I mean, it's not because we are working on the security policy and we see that no one edited it, but we have no spam or similar, but yeah. It is on my Google Drive. Even if something happened to my Google Drive we will lose all the work that we have made. So, let's.

C: Do that. Sorry, sister here, just hello everybody! It's my first time joining. Sorry, I joined eight minutes late, but as I feel like in this topic, what I have seen in other, you know, community-driven, effective foundations, for example, something that we used.

C: That we currently do is that, you know, the meeting notes from each call are approved at the next meeting and that is converted into a PDF and is uploaded in the official foundation website with whatever tool they have, and so in that case it never gets lost and it's officially approved every next meeting. And in the meantime the live meeting is just running as we currently have, and in that case, you know, the best scenario, as I agree with Luigi, is to have, you know, the foundation drive, but if that is not possible, at least having the flow of approving meeting notes from the previous call and uploading that to an official website makes things more, yeah.

A: Yeah, what I would really prefer is just to have a, if I, I'll, David, do you know if conversations have ever happened with Brian or around, car, about, like, should we just have, like, a Google Workspace or something where, like, because I think that the preference has always been, like, let's just do this in GitHub, but, like.

E: Well, we have not been insistent about putting all documents underneath the OpenSSF scope of Google Docs. Now, I mean, probably maybe that's something that should be done, but yeah, there's an OpenSSF drive and so on, I believe it's separate. Could you, could you.

E: Storage, that's okay. I think there is, I have not fussed with trying to keep track of what is what, but that sounds like a quick email to operations, and okay. So would a shared drive area or something that's Google Docs but specific to OpenSSF, would that resolve the issue?

A: Well, that would actually solve lots of issues, because things like the meeting notes, the past three years of meeting notes for this are dependent upon, like, me retaining my personal Gmail account, which ain't great. So if we can throw that into something OpenSSF-owned and I'm just a collaborator, contributor, then that's better. That solves one set of reasons.

A: The other thing that Luigi was talking about is collaborative editing of a Word doc, which, as I, if I recall correctly, like, that's great if you're on SharePoint. There's no, it doesn't, like, I don't think Google Drive is, maybe it is, I'm not sure, I doubt that it's aware enough to support collaborative editing in a, in a.

E: Good way. No, yeah, I've used Word on SharePoint before many times. You know, government lives on that stuff. Yeah.

E: If you're editing completely different parts of a document it can work, sort of, I think. If your goal is collaborative editing of a document, how's this, I'm gonna try to say this in the nicest way, because we have Microsoft people here and we love our Microsoft folks, but there is a challenge that's trying to support multiple tools. I don't see a big advantage of supporting both SharePoint and Google.

E: I'm gonna go further. I'm going to create an email and say, you know, moving Google Docs related to OpenSSF into an OpenSSF-controlled space.

E: Okay, let's see, Google Docs space, all right, so how's this. I'm gonna, I have a crazy idea. This is actually, I know exactly, share my screen, go for it, all right. Here's.

E: Public, it's getting recorded, hopefully I have covered all the secrets, all right, all right. So basically, let's try to figure out, quick group discussion, what are we looking for? Okay, currently many OpenSSF Google Docs, including working group meeting notes, are owned by individuals with either their individual accounts, personal accounts, yep, or their work accounts. If they leave their job or stop being involved in OpenSSF, right.

B: So a couple of problems: permissions are wacky, right? How do you, like, add a new document as an outside collaborator? That means that, like, for Google, if we want to have outside collaborators, then we've got to pay for Workspace accounts for them, is also already, I.

B: I've heard people pitch fits to Brian Behlendorf about, hey, like, you know, because the other stuff is so Google Docs heavy that people who are in highly regulated industries can't access Google Docs, so they can't collaborate in the OpenSSF regularly or easily, because their companies block access to these things. The.

E: The problem, that's a fair point, but I think there's multiple different issues. There's the companies limited, and I believe China actually just straight up forbids a lot of these.

E: A country, the challenge is it's not clear that alternatives are going to be any better. I can't speak for all regulated industries, but at least the company I used to work for, Google Document access required a special exception; exactly the same applied to SharePoint or GitHub or anything else where there was shared access. So switching to a different tool helps you zero percent, because what they want to do is scan every email, and if you're sending data out in a way that doesn't involve an email, then they don't like it. So I.

E: Same is, and for China I think the challenge there is they're blocking those services, but I think they allow other services, but I think other countries block those services. So again, in that case there is an alternative, but then we lose a lot of other folks. So I think we lose, I'm not an expert in this.

E: There may be a better solution, I'd be delighted to hear that better solution, but at least my personal experience was that there wasn't necessarily a better one. And the challenge with, I think the other one is using GitHub. More people allow access to GitHub, but then the challenge is that GitHub is great when you want to do small changes to a document, but simultaneous editing is not something that it supports well.

A: So great, let's do this. I think this also solves a problem where, let's just convert the Word doc to a Google Doc. I think Google Docs is practically the same level of expressivity as Word, and then it's in Google Docs, you can get it moved over to the OpenSSF thing, you can do collaborative editing, it looks nice, and if you want to publish it as a PDF at the end we just hit PDF and then we're done.

E: All right, biggie, all right, everybody good with this email that I'm proposing here?

E: Okay, what, what, what.

E: Right, so it turns out I have the infinite cosmic power of writing emails.

E: The way, when I say, you know, certain kinds of, you know, although Jonathan, you described, you know, saying different regulated organizations have different regulations, which makes things even harder to say generalizations about. Like, I think my previous company wouldn't have been considered a regulated industry, but for various reasons they were very, very concerned about a lot of stuff, in part because they were always getting attacked by sophisticated state actors. So they were, they.

A: Okay, it looks like the conversion messed up all the pictures, but yeah, yeah.

A: It's just like all the pictures have white text on a white background now. I'll figure it out. Is there anything else that folks want to talk about? David, we talked about reproducibility, so we can have that conversation real quick if you want. If not, if anybody else has things they want to talk about, that can take precedence.

A: So what do you want to talk about? This was the hallway conversation we had in Vancouver about how reliably could we rebuild a package and how, oh right, right, we do that in an automated fashion, yeah.

E: I would love for you to write down your experiences so I can share them, because I thought your experiences were better than I'd hoped, but you know, the only way you know the result of something is to run the experiment, and I was delighted to hear the result of the experiment. It was even better than expected.

A: So here's what I'm actually thinking about doing, because I'd rather not, like, if I can kill two birds with one stone, let's do that. As we ramp up assurance assertions, one of the things that I want to be able to provide is a snapshot report, whatever you want to call it, dashboard thing of.

A: And I'm not sure what, but, like, something like, you should be able to go somewhere and say either, show me all the packages that are, show me a breakdown of reproducibility for packages, like pass or fail, and there'll be some pie chart and it'll look like that, and you click on it and you get the list of packages that are reproducible and the list of packages that are not reproducible. And you do that for, like, each policy type, because we have all the data, so that's kind of trivial to generate.

E: But I would be delighted to see that, so I guess maybe the first step might be to do the random sample. You know, pick a hundred out of, say, grab the Scorecard list of whatever it is, a million.

E: Then just run it against that particular ecosystem and, you know, pick a hundred and see how many reproduced to certain levels. We probably need a name like quasi-reproducibility, because you're not requiring bit for bit.

E: But frankly, if you get bit for bit, I'm sure we, you know, fully reproducible; you know, if not, hey, quasi-reproducible with a little effort. We got everything except eight times or whatever the measure is, right.

A: Right, exactly, and then actually as the tool, and so as we do that and we find bugs we improve the tool, and then future runs will be more accurate, will be less likely to false positive or false negative. Well, it'll never false positive on "is it reproducible"; it'll false negative and call something not reproducible when it actually is.

E: In some additional way, right, right. But I mean, indeed, I think that was the challenge with it, is that it could tell you in certain cases when things were okay, but if it wasn't reproducible, that wasn't necessarily a strong indicator of a malicious build. It was just, well, I can't reproduce it, which is a.

A: That's how you get things done. So for this one, so left-pad 1.2 is.

A: See your shared screen, nice. So I get a thing, Zoom quit unexpectedly, but apparently it didn't, so wow, okay, we're just gonna go with it. So you know, you'll have this, and if you click on it, like, we can have better text here. That.

A: I mean, so already in the output here, like, oh, you're already doing this, oh yeah, yeah. This is already, I mean it's, and this will be more readable, yeah.

A: That, like left-pad 1.2, there's a file added which is .gitignore, so there's a, I forgot which way it goes, but, like, there's probably a .gitignore in the repo that doesn't appear in the package.

A: Have, these are our strategies. I'll push that in there and I'll post that in the meeting notes for, like, how we actually implement the, are these thing like the, can you get there from here? You know, the most basic one is like, are they exactly the same text, and then.

E: Yeah, I just, I think the problem is the reproducible builds folks have been around for a long time and have kind of owned this word. I've tried to convince them to be more flexible, but they don't. I understand why, frankly, so let's just pick a different term and that way there's no confusion. That works. I will create an issue on it right now.

A: Awesome. Thank you all very much for the conversation. See you all again in two weeks, and if you haven't seen the OpenSSF Day videos, they just got posted to the YouTube channel. Enjoy, bye.

All: Thank you. Bye.