►
From YouTube: OpenSSF Identifying Security Threats WG (May 24 2023)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
A
B
C
B
C
B
B
B
B
B
A
B
B
B
E
B
B
B
Yeah
Mike
Nolan's
good
Mike,
Dolan's
good
he's,
like
he's
he's
with
it
he's
he's
like
he
knows
what
a
CNA
is
for
the
CV
numbering
Authority,
like
he's
he's
very
he's
very
like
in
the
know.
So
yes,
I,
like
Mike
Nolan
Louisa,
was
asking
what
the
what
the,
what
my
experience
was
like
going
through
trying
to
get
the
outbound
disclosure
policy
signed
off
by
LF
legal.
E
Him
I
would
hold
that
against
him,
really
the
the
big
challenge
with
Mike
and
and
is
that
he
is
oh
insanely
busy
I
do
my
best
to
not
Badger
him
when
he's
when
I
don't
need
his
time,
because
he
has
precious
little
of
it,
but
it's
always
a
joy
to
chat
with
him.
So
yeah
excuse
me.
So
what
are
we?
What
are
we
up
to
here?
I'm,
we're.
A
Just
getting
started,
it's
we're
getting
started
a
little
late,
it's
all
good
okay,
so
it
probably
will
just
be
us
so
well,
I!
Think
Jonathan!
You
said
you
need
to
drop
it.
Half
past
I
could
certainly
use
time
back
so
yeah
we
can.
We
can
make
this
one
on
the
short
side.
I
know
Luigi.
If
you
got
any
updates
on
on
security,
insights.
D
Start
updates
I
mean
about
the
security
inside
honestly.
In
the
last
week,
I
was
a
bit
busy,
I'm
blocked
and
so
I
haven't
had
time
to
dedicate
enough
time
to
review
the
jonatella
pull
requests,
but
I
need
just
to
match
them
more
or
less
all
and
just
Claus
issue
now
I
hope
to
do
this
week
and
I'm
sorry
for
the
delay,
my
fault
and
about
the
security
policy.
D
Well,
technically,
security
policies,
reading
I,
guess
I'm
quite
sure
that
we
don't
want
to
go
public
with
the
security
policy
that
don't
have
the
Safe
Harbor
and
for
this
reason
I
was
asking
about
Linux
Foundation
lawyer.
We
need
to
have
an
approval
by
the
legal
team.
The
policy
is
ready.
Honestly,
I
use
the
template
by
the
disclosure.io.
That
is
the
same
template
used
by
at
least
one
Unity
State
governative
website.
D
So
we
need
just
to
have
an
approval,
a
formal
approved
by
the
legal
team,
but
yeah
I.
Don't
think
that
we
need
to
add
so
much
the
template
we
just
we
need
just
to
agree
if
we
want
to
have
this
safe,
fiber
or
not,
but
I
think
it
is
a
requirement
for
us,
and
I
have
been
to
the
message
in
the
vulnerability
disclosure
Channel
to
try
to
move
this.
This
topic
yeah,
because
now
we
need
just
to
have
a
formal
approval.
D
The
policies
was
has
been
reviewed,
I
guess
from
a
lot
of
people
from
for
sure
that
this
vulnerability
disclosure
group,
but
also
from
the
tag
group
I
shared
it
at
least
two
times,
and
so
now
it
is.
We
need
to
wait
for
the
Linux
Foundation
David
if
you
have
any
contact
that
can
help
us
to
move
on
to
go
going
public
with
this.
Please.
E
Yeah
and
Jonathan
and
I
have
talked
about
this
and
then
I
decided
to
get
pretty
sick
at
the
conference.
I'm
still
recovering
so
I've
I
have
not
done
anything
on
that
Jonathan.
Have
you
done
anything
along
the
Safe
Harbor
stuff?
We
talked
once
and
then
I
disappeared
off
the
face
of
the
planet.
So,
okay,
we
talked
about
Michael
Mike,
Dolan
Mike,
and
you
know
by
the
way,
as
this
as
we
said
no,
like
Mike,
he
had
a
lot
of
concerns
about
that.
E
Safe
Harbor
I
have
to
be
careful
here
because
I
think
some
of
that
was
under
a
you
know:
ECP
well
no
illegal
privilege
here,
but
basically
the
the
problem
is
that
there
are.
There
are
attackers
who
exploit
safe
harbors
who
are
not
working
with
the
best
interests
of
anybody
except
evildoers.
Frankly,
and
and
while
the
intent
is
clear,
we
unfortunately
have
had
some
pretty
awful
experiences.
E
Can
decide?
No?
No,
no!
No,
because
if
you
say
something
and
they
do
something
depending
on
it,
you
can't
just
pull
the
rug
out
from
under
them.
So
you've
got
to
say
what
you
actually
mean
and
really
you
don't
want
to
say
anything
else.
That's
that
you
don't
mean
anyway,
but
I've
forgotten.
There's
a
weird
legal
term,
I
think
it's
a
stoppel
that
may
not
be
the
right
legal
term,
not
a
lawyer,
but
you
know.
E
E
I
I
I
I
do
not
try
to
pretend
to
be
a
lawyer
and
there's
good
reasons
for
that.
But
but
I
do
know
that
you
can't
just
make
a
promise
and
then
just
nah,
never
mind
yeah
right
right,
so
I
I
think
the
problem
is
I.
Think
I
think
he
I
think
it
was
Mike.
It
was
a
lawyer,
I
think
it
was
Mike
looked
at
and
they
said
no,
no,
no,
no!
No!
No!
No!
No.
We've
actually
had
some
terrible
experiences
with
people
who
exploit
those
kinds
of
statements.
E
I
think
they
would
rather
just
not
have
a
safe
harbor
statement
period,
because
then
that,
then
that's
not
a
problem
for
that.
For
for
us,
if
you
want
a
a
safe
harbor,
if
you
think
it's
critical
and
vital
to
have
a
safe
harbor
statement,
then
it's
going
to
have
to
be
my
much
more
fine-tuned
than
what
was
their
originally
because
their
their
suggestion
was
actually
quite
simple.
Great,
let's
delete
all
that
stuff
go
on
so.
B
E
E
E
B
E
That's
fine
all
right,
so
we
have
a
disagreement
here.
The
the
LF
legal
fake
folks
say
basically
we're
not
going
to
sign
off
on
the
Safe
Harbor
statement.
You
originally
stated
as
far
as
legal
is
concerned.
If
you
don't
have
a
safe,
harbor
statement,
you're
fine,
the
attack
has
to
approve
if
attack
members
of
the
tax,
say,
You
Gotta
Have,
a
safe,
harbor
statement.
Then
what
needs
to
be
created
that
both
sides
can
agree
on
I,
I,
I'm.
D
E
B
E
So
yeah
I
I
I,
don't
think
that
I
don't
think
the
objection
is.
Oh,
we
can't
have
a
safe
harbor
policy.
I
think
the
objection
was
as
written
to
Lucy
goosey.
We
there's
been
some
some
pretty
bad
experiences
from
people
who
claim
to
be
security,
researchers,
but
their
goal
is,
is
to
harm
others
not
to
be
helpful,
so
I
mean.
B
E
Right
exactly
yeah,
let's
yeah
how's
this
so
so
let
me
shift
this
a
little
bit
and
really
this
is
outside
this
working
group
thing
anyway.
This
is
a
vulnerability
disclosures
working
group
thing,
so
here's
what
I
would
say:
Jonathan
I,
you
know
you,
you
have
both
the
background
background
and
passion
once
you
talk
with
Mike
I
would
be
happy
to
be
there
too.
Although
it
seems
to
me
that
the
issue
is
one
of
legal
crafting
and
I'm,
not
a
lawyer
can.
B
E
B
D
E
D
No,
it's
not
approved
the
inbound,
but
we
need
to
solve
the
Safe
Harbor.
So
the
question
is
for
me:
the
next
action
item
for
me
is
in
the
tag
group.
We
have
seen
that
people
want
to
have
the
Safe
Harbor
for
the
Linux
Foundation
legal
team.
The
SI
fiber
is
a
problem,
so
I
want
to
find
or
a
different
cells
algorithm
write
it
to
have
a
better
Safe
Harbor
for
the
inbound
security
policy
or
we
need
to
remove
it.
I,
don't
see
all
the
solution.
You.
E
We
want
okay,
but
let's
do
two
stages:
let's
Jonathan
and
I
talk
with
Mike
work
step,
that's
step,
one
step
two
once
we've
further
understood
the
issues
and
started
crafting
something,
then
do
it
more
widely,
but
yeah
I
I,
think
some
of
the
concerns
that
they're
con
raised
about
are
involving
past
events
that
were
unpleasant
and
are
not
desirable
to
go
public.
So
we
want
to
get
the
Lessons
Learned,
but
we
I'm
not
sure
that
they
can
share
everything
publicly.
E
A
A
Cool
okay
disclosure
track,
Jonathan
I,
know
you
what
we
were
trading
things
back
and
forth.
We're
gonna
chat
with
vulnerability.
Disclosures
tomorrow
or
I
am
at
least
I'd
like
that
working
group
to
adopt
the
project
officially
and
and
all
that
we
already
have
a
repo
in
openssf.
We
just
need
to
move
the
content
over
so
Jonathan.
C
B
A
A
A
B
A
I,
it's
all
open
up
like
whatever
how
about
this.
Let's
ask
Will
there
be
the
disclosures
if
someone
would
like
to
own
it
because
it
clearly
is
in
their
Charter.
If
they
say
yes,
well,
you
don't
have
anybody
and
you
say
well
I'm
a
part
of
this
working
group.
You'd
like
to
own
you
know
drunk,
would
like
to
own
it
whatever
that's
great.
Let's
do
it.
A
C
A
B
A
Security
reviews,
I,
know
Amir,
isn't
here,
but
I
noticed
yesterday
that
maybe
it
was
today
that
Google
open
sourced
their
rust
crates
audit,
which
it
looks
like
they
just
they.
They
dumped
a
big
file
worth
of
cargo
crev
audit
things
for
a
whole
bunch
of
projects
that,
at
least
from
a
first
glance,
looks
like
they
had
someone
like
actually
go
through
and
are
thumbs
upping.
A
You
know
a
whole
bunch
of
cargo
projects
would
have
been
awesome
to
have
that
be
part
of
Security
reviews,
because
that's
kind
of
the
exact
same
purpose,
but
whatever
I
think
it's
good
to
have
that
out
there.
That
may
be
an
interesting
place
for
the
dashboard.
The
I'm
sorry
risk
dashboard
to
pull
and
pulling
data
from
I
would
love
a
resource
like
this,
where
lots
of
organizations
contribute
to.
A
Last
two:
two
less
things:
the
the
threats
paper,
so
threats
paper
is
now
like
two
years
old,
two
and
a
half
years
old.
Something
like
that.
It's
missing
some
emerging
things,
I
I
think
it
came
out
shortly
before
dependency,
confusion.
So
all
of
those
types
of
attacks-
I,
don't
believe
ever
mentioned.
D
D
The
document
is
quite
good:
I
am
trying
to
understand
where
I
should
add
the
new
thing
or
if
I
would
want
to
adjust
an
additional
page,
I,
don't
know,
but
I.
We
have
a
GitHub
issue
where
there
are
two
or
three
good
comments
with
missing
topic.
One
is
dependency
confusion
and
one
is
maybe
multi-factor
fatigue,
attack
and
similar,
and
so
the
document
is
already
still
good,
though
we
need
just
to
a
smaller
bump.
We
don't
need
the
probably
air
back
from
2.0
I
should
just
to
share
the
updates.
D
A
A
A
D
I
haven't
downloaded
honestly
a
document
in
I
mean
I
downloaded
that
word
version
and
uploaded
on
my
my
Google
Drive
I
would
prefer
to
use
GitHub,
maybe
but
so
weeks
ago
you
suggested,
if
I
remember,
corrected
to
use
the
word
document.
So
I
just
moved
to
drive
because
you
can
add
comment
easily
and
so
and
so,
but
no
no
strong
opinion
I
can
move
on
Google
on
GitHub,
honestly
I
think
it
is
I.
A
C
D
So
I'll
probably
have
a
version.
Inward
that
we
can
expect
in
PDF
is
a
good
idea.
The
only
reason
why
I
like
GitHub
is
that
it's
public,
so
everyone
can
see
everything
yeah,
but
we
came
writing
it
up
and
then
we
can
just
add
it
to
the
word
the
documents
or
we
can
create
the
word
document
and
we
and
then
we
can
move
to
to
GitHub.
D
A
A
D
I
sent
you
an
invitation
by
email,
but
I
need
to
ask
the
email
to
everyone
is
in
in
this
lock
or
I
need
to
put
it
public
with
editor
privilege
or
comment,
privilege,
I,
don't
remember
now
and
yeah.
This
is
the
reason
why
I
would
like
to
have
a
sort
of
open
ssf
space
and
why
I
prefer
Gita,
because
in
Gita,
but
we
have
an
organization.
D
C
A
Yeah
I
would
really
prefer
is
just
to
have
a
if
I
I'll
David.
Do
you
know
if
conversations
have
ever
happened
with
with
Brian
or
around
car
about
like?
Should
we
just
have
like
a
Google
workspace
or
or
something
where,
like,
because
I
think
that
the
preference
has
always
been
like?
Let's
just
do
this
in
in
GitHub,
but
like.
A
E
A
E
A
A
E
E
A
Well,
that
would
actually
solve
lots
of
issues
because
things
like
the
meeting
notes.
The
past
three
years
of
meeting
notes
for
this
are
dependent
upon
like
me,
retaining
my
Gmail
account
personal
Gmail
account,
which,
which
ain't
great
so
if
we
can
throw
that
into
something
openssf
owned
and
I'm,
just
a
collaborator
contributor,
then
that
that's
better
for
that
that
solves
one
set
of
reasons.
E
E
If
you're
editing
completely
different
parts
of
a
document,
it
can
work
sort
of
I
think
if,
if
your
goal
is
collaborative
editing
of
a
document
how's
this
I'm
gonna
say
try
to
save
this
in
the
nicest
way,
because
we
have
Microsoft
people
here
and
we
love
our
Microsoft
folks.
But
there
is
a
challenge:
that's
trying
to
support
multiple
tools.
I,
don't
see
a
big
advantage
of
supporting
both
SharePoint
and
Google.
E
E
Public
it's
getting
recorded,
hopefully
I
have
covered
all
the
secrets,
all
right,
all
right.
So
basically,
let's,
let's
try
to
figure
out
quick
group
discussion.
What
are
we
looking
for?
Okay,
currently
mini
many
open,
ssf,
Google
doc,
Google
Docs,
oops
docs,
including
working
group
meeting
notes,
are
owned,
are
owned
by
individuals
with
either
their
individual
accounts,
personal
accounts
yep
or
their
work
accounts
if
they
leave
their
job
or
stop
being
involved
in
openssf
right.
E
B
So
two
couple
of
problems:
permissions
are
wacky
right
who,
how
do
you
like
add
a
new
document
as
an
outside
collaborator?
That's
you
know
how
do
you
you
know
that
that
means
that,
like
for
Google
like,
if
we
want
to
have
outside
collaborators,
then
we've
got
to
pay
for
workspaces
accounts
for
them
is
also
already
I.
B
Can
I've
I've
heard
people
pitch
fits
to
Brian
bellendorf
about
hey,
like
you
know,
because
the
other
stuff
is
so
Google
Docs
heavy
that
people
who
are
in
regular,
highly
regulated
Industries
can't
access
Google
Docs
such
they
can't
collaborate
in
the
open,
SF
again
regularly
or
easily,
because
they
their
companies
block
access
to
these
things.
The.
E
C
E
A
country,
the
challenge
is
it's
not
clear
that
alternatives
are
going
to
be
any
better.
I
can
I
can't
speak
for
all
regulated
Industries,
but
at
least
the
company
I
used
to
work
for
Google
Document
access
required
a
special
exception,
exactly
the
same,
applied
to
SharePoint
or
GitHub,
or
anything
else
where
there
was
shared
access.
So
switching
to
a
different
tool
helps
you
zero
percent,
because
what
they
want
to
do
is
scan
every
email
and,
if
you're
sending
data
out
in
a
way
that
doesn't
involve
an
email,
then
they
don't
like
it
so
I.
C
E
Same
is,
and
and
I
and
and
for
for
China
I
think
the
challenge
there
is
they're
blocking
those
services
but
I
think
I
think
they
allow
other
services
but
I
think
other
countries
block
those
services.
So
again
we
there's
a
in
that
case.
There
is
an
alternative,
but
then
we
lose
a
lot
of
other
folks,
so
I
I
think
we've
I
think
we
lose
I'm,
not
an
expert
in
this.
A
So
great,
let's
do
this
I
think
this
also
solves
a
problem
where,
let's
just
convert
the
word
doc
to
a
Google,
doc,
I
think
Google
Docs
is
practically
the
same
level
of
expressivity
as
as
word,
and
then
we
get
it's
in
it's
in
Google
Docs.
You
can
get
moved
over
to
the
open,
ssf
thing
you
can
do
collaborative
editing,
it
looks
nice
and
what,
if
you
want
to
publish
it
as
a
PDF
at
the
end,
we
just
hit
PDF
and
then
we're
done.
C
E
C
C
E
The
way
when
I
say
you
know
certain
kinds
of
you
know,
although
Jonathan
I,
you
know
you
described,
you
know,
saying
different
or
different
regulated
organizations
have
different
regulations,
which
makes
things
even
harder
to
say
generalizations
about,
like
I,
think
I
think
my
company
wouldn't
be
considered.
My
previous
company
wouldn't
have
been
considered
a
regulated
industry,
but
for
various
reasons
they
were
very
very
concerned
about
a
lot
of
stuff
in
part
because
they
always
they
were
always
getting
attacked
by
by
sophisticated
State
actors.
So
they
were
they.
E
A
It's
just
like
all
the
all.
The
pictures
have
white
text
on
white
background.
Now,
I'll
figure
it
out.
Is
there
anything
else
that
folks
want
to
talk
about
David
we
talked
about
reproducibility,
so
we
can
have
that
conversation
real
quick.
If
you
want
not,
if
anybody
else
has
things
I
want
to
talk
about,
that
can
take
precedence.
C
A
E
I
would
love
for
you
to
write
down
your
experiences,
so
I
can
share
them
because
that's
I,
I
I
thought
your
experiences
were
better
than
I'd
hoped,
but
you
know
the
only
way
you
know
the
result
of
something
is
to
run.
The
experiment
and
I
was
delighted
to
hear
the
result
of
the
experiment.
It
was
even
better
than
expected.
A
So
so
here's
what
I'm
actually
thinking
about
doing,
because
I'd
rather
not
like
like
if
I,
can
kill
two
birds
with
one
stone
like
let's.
Let's
do
that
as
we
ramp
up
assurance
assertions,
one
of
the
things
that
I
want
to
be
able
to
provide
is
a
snapshot
report.
Whatever
you
want
to
call
dashboard
thing
of.
A
And
I'm
not
sure
what
but
like
some
something
like
like
you
should
be
able
to
go
somewhere
and
say
either.
Show
me
all
the
packages
that
are
show
me:
a
breakdown
of
reproducibility
for
packages
like
pass
or
fail
and
there'll
be
some
pie.
Chart
and
it'll.
Look
like
that,
and
you
click
on
it
and
you
get
the
list
of
packages
that
are
reproducible
in
the
list
of
packages
that
are
not
reproducible.
And
you
do
that
for
like
each
policy
type,
because
we
have
all
the
data,
so
that's
kind
of
trivial
to
generate.
A
E
E
E
In
some
additional
way,
right
right,
but
I
mean
indeed
the
and
I
think
that
was
the
challenge
with
it
is
that
it
could
tell
you
in
certain
cases
when
things
were
okay,
but
if
it
didn't,
if
it
wasn't,
reproducible
that
wasn't
necessarily
a
strong
indicator
of
maliciousness
of
a
malicious
build.
It
was
just
well
I,
can't
reproduce
it,
which
is
a.
B
E
A
E
A
E
A
A
E
Yeah
I,
just
I
I,
think
I
think
the
problem
is,
the
reproducible
builds
folks
have
been
around
for
a
long
time
have
kind
of
owned.
This
word
I've
tried
to
convince
them
to
be
more
flexible,
but
but
they
don't
I
understand
why,
frankly,
so,
let's
just
pick
a
different
term
and
that
way,
there's
no
confusion
that
works
I
will
create
a
an
issue
on
it.
Right
now,.