From YouTube: OpenSSF Identifying Security Threats WG (June 7, 2023)
Description
Meeting notes: https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E
The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
B
A
Mean if we can get to 11 after I will be I only had one crash last time. So.
A
Maybe this will be an early meeting grab some more coffee, welcome everybody. We do not have any new members.
B
I I have to drop a little early, so I would love to go first and just give a quick update that I did spend some time on the security reviews repo and have a list of action items to make some updates to it. I captured them in the notes here.
B
I did run into an error again. I'm going to try doing some debugging, but in case I can't figure it out, maybe at one of our next meetings we could just go over it as a group really quickly and but progress is finally being made. Thank you, everyone, for your patience on that and yeah I'll have more updates for the group, probably in the next meeting or two.
A
A
Let's see disclosure check update, there is repo has been moved over to ossf next disclosure.
A
Big thing I want to just get done in the next week or two is just more testing. I want to feel I want to feel good that what it says is the same thing that a human would find out by manually looking. I do need to repoint the pipe high. So, let's see.
C
C
A
C
Was gonna put you on the spot because I you've, actually things are going so.
D
Yeah, so we we I mean another great call here last week and we got Michael Hart that that's you know, he's he's jumped in he's done a great survey to figure out, you know, what all users actually want to see and and all that kind of stuff. Raul has been wonderful on the back end and Mike has talked about hiring a contractor, so a contract is set to start this week, they'll be working on some front end type stuff.
D
There was a promise that was made that by the by a couple of weeks, I want to say I I think we I think we said, give them another another month on it. I I'd like to under promise and over deliver on this, so I'm going to say maybe another month, but we should have something to show from Raul's back end work and then, of course, this new contract is front and work and then utilizing the data that came out of Mike's survey.
D
We should be able to show you something that that's that that's pretty exciting in in the form of the dashboard right, but we've so we've been we've been we've been part of that work. Things have been a little slow, but not slow, because the you know we're working, slow, slow because we're taking the time that's needed to be taken in order to make sure that we that we get this right.
C
C
So Jay I hope you don't mind me putting you on the spot there, but this is the kind of spot that I think people are excited to hear about. Oh.
D
No not not at all, not at all. We got some good work going on and you know what I'll forget. You know I'll pat my own self on the back, not that my back needs to be patted for any particular reason. But you know the work gets done as long as the work gets done, I don't, I don't, I'm not a light shiner on that awesome.
C
A
I don't have too much else. Obviously we had OpenSSF Day earlier this month. Oh wait, no, I'm sorry, I do have something important next Tuesday. Let me let me find the date, I think it's next Tuesday. We have attack, update.
A
Yes, okay Tuesday, the 13th pack update for this working group. There's a template is there anybody that would like to well how about this? I will take a stab at the content. I will leave placeholders for each of the projects, and I will send that out today.
A
Thank you, and if you could just put in any kind of updates that you have, that would be awesome. You're, of course, welcome to join at the top on Tuesday, if you'd like otherwise I can I can represent and I will go from there.
B
Yeah so I I wanted to add a new review that we just published last week and I thought it would be a good case study. So I did it exactly how the repo tells you to do it. I did the markdown generator and you know, created a new fork and created the branch and then did the pull request. So I did it all, what I thought was you know five as by the book, as I possibly could and I still got a I still failed.
B
One of the automated checks so I'm so I want to debug and see if maybe it was something you know something wonky happened in the process of me following the the process but or if it might be, you know might be something that can be done to to make it, you know, easier to to upload new reviews and stuff like that, so how's.
A
I'm I'm looking at it right now, let me since we're here I think we can do this kind of real time.
C
Okay, okay, you know what I was you know if if Jay and Jeff Barrack don't want to stick around for that part, I'd say we I would propose. While we close up the meeting and those who want to stick around for the debugging session yep, you can do so that.
A
Works, yeah, you're just you're just missing a dash, and so here's what I'd suggest don't I'm assuming that you generated the the markdown here by hand.
B
Me, the it didn't pre-load it with the dash in front of for reviewer in the reviewers field.
C
C
A
C
A
B
Yes and I did create the issue again just to keep track of it. Where.
C
Where can you put the link in the chat in the notes or the chat and I'll copy it into the notes.
B
A
Awesome all right is there anything else that anyone would like to talk about if not you'll get 45 minutes back a short meeting this week. Excellent awesome. Thank you all very much, see you in two weeks.