Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: Awesome, welcome, everybody.

A: Good, cool. Welcome, everybody, to the October 27th Identifying Security Threats Working Group. We've been chatting about a bunch of different things, but before we do that: number one, we are recording, and number two, would anybody... and I'm sorry, please forgive me in advance if you were here last time and I'm forgetting, but Krishna, did you want to introduce yourself, or tell me that you were here last time and I'll apologize?

B: Yeah, I know, it's the first time I've joined, okay. My name is Krishna Kumar. I'm from... thanks, Mike, for sending the invite. I'm from Mexico. First time I'm joining. So I was going through the security foundation's different work groups, so I saw the tooling work group and this work group. So I thought, hey, let me check out this work group, which I think

B: is probably going to talk about vulnerabilities and how to resolve all those things, right? Currently, I am doing cloud consulting, mainly Google Cloud, but I do work in some part with Azure and AWS, okay, kind of multi-cloud. I'm dealing with, you know, Google Kubernetes Engine, you know, Anthos and AKS and EKS, that world.

B: I am also a CNCF ambassador, so I have been with CNCF for the last four or five years. Prior to this company, I was working for another company where we contributed something to CNCF, like KubeEdge, an edge platform, so my team was working on Volcano. That was a big data framework for containers that was also contributed; both are in the incubation stage, I believe, in CNCF.

B: At this point, yeah, I have...

B: I have CKAD certification, some Google certifications, things like that, so my main purpose in joining this group was to see, you know, what container vulnerabilities or tooling you guys are working on, how remediation is happening. I'm also involved with one group called Cloud Computing Innovation Council of India. It's a group in India where they are trying to build a test framework for multi-cloud.

B: So there is a security work group which I am a member of, so we were looking into all the container-level security and seeing what frameworks are coming into the market and what new things are happening. So I thought I will join here and see what I can learn and, if possible, what I can contribute. Also, thanks for the invite. Awesome.
A: Awesome. Since... well, you know what, let's do a super quick round of interest for everybody else, so Krishna can meet everybody else, and we have one more. So, hi everybody, I'm Mike Scovetta. I run the open source security team at Microsoft. I've been leading this work group since the beginning of time and pushing for, advocating, this Alpha-Omega project, for which there are links here, and we can talk more about that later.

D: David, okay, so David A. Wheeler. I work at the Linux Foundation. My official title is Director of Open Source Supply Chain Security, but that doesn't mean I can solve all problems all by myself. It really means that I show up in groups like this and try to help various folks work on this challenge.

F: I am a software engineer at Microsoft, focused obviously in the security space. I've been in this group for, I don't know, COVID just made me lose track of time, but for a while, not nearly as long as Mike, maybe like a year or so. And yeah, I'm really kind of excited and involved in the open source space and like a lot of the potential that there is to expand upon things, and yeah, very happy to be here.

F: I'm sorry, Matt, do you want to go next?

G: I work in the open source team for the cloud platform, and I'm leading a cross-team effort between our CIO office and our CSO team to work on a security compliance pipeline that incorporates a lot of the things from OSSF.

C: Well, I'm Sergio, and currently I'm an independent, but I'm planning to be an ambassador for the Academy Software Foundation. And previously I was a software engineer at Arena World and I contributed to the Brave browser.

A: Awesome, if that's pronouncing your name right, and if not, I'm sorry.

A: Awesome, okay, so we have an agenda. So we did the first part, second part. So as most of you know, but some of you don't, there's a project... Mike, there is. I can...

A: Really, I don't have that, it hasn't come up for me. Is it showing for anybody else? I mean, feel free to admit, if you see an admit thing, just hit yes. Yeah, I just tried.

A: Oh, it didn't show up for me. I see. Okay, if I see it again, or... I mean, okay. Thank you. Cool, so Alpha-Omega is a project that, where it is in its infancy and kind of... it's been pitched a bunch of times. Oh, here we go.

A: All good, no worries. I'll add security ammo at the end, if you want to give an update. But so, Alpha-Omega, there's a proposal here. If you haven't seen the link, I encourage you to kind of peruse that. Over there's an operating plan, which is the, like, what specifically do we plan to do in the year 2022?

A: This is all pre-announced. We were gonna... I think we're into a blog article, I think, maybe on either November 8th, as part of the town hall, or shortly thereafter, something like that. It's not super secret. It's just we haven't talked about it in kind of a public forum yet. I am so...
D: The money is there, so, al... although I don't have...

A: Yes, yep, yeah. Sorry, I shouldn't be flippant about where it's actually... but so, yeah. No, so we're gonna present for formal approval to the governing board on the fifth, and, assuming that goes well... and what we're gonna be presenting is basically a version of this operating plan.

A: So I don't wanna... because we could spend the rest of the time just talking, like deep diving on this. I can give a quick overview, or, David, if you wanted to go right to questions that you had. So I want to make sure that we integrate that.

D: I think we have a limited time for a meeting, so I would propose that, you know, if you haven't read it, take a look, and let's focus particularly on issues. I have a couple, yeah. I was intending to write you an email; that didn't happen, so here we are. It's probably a lot better anyway to have a group discussion.

D: So I'm going to declare that that was the plan all along. And I would propose other folks, if they have either just issues or concerns about it, raise that as well, because I mean, if it's good, then it'll just stay and off we go. So.

D: Okay, all right, yeah, all right, all right. So when we discuss, if we can, any issues, and then we can make at least comments on the doc and then you can, you know, try... all right, so number one thing is: whenever I see somebody trying to serve multiple bosses, I worry. I've just, you know, I'm not saying it can't be done, but it's almost always a problem. I think really the Alpha-Omega, I mean, in a sense, you know, they do a technical reporting to the TAC.

D: They ultimately are responsible to the governing board for the funding, and, you know, for the third part of your... it's the Identifying Security... It seems to me that they report to the TAC and the Identifying Security Threats working group, but they're... ultimately, that lead is ultimately under control of the governing board, or maybe it's the TAC, but yeah.

A: I agree, yep, yep. So the way that... so I'll just open that and keep in mind... so this draft should be, like, much larger font than it actually is, but the way that I was... now, this is one way.

A: I think that we do it where each of the projects kind of... all the resources from a reporting and time management and, like, "hey, my thing broke, I need help," has a dedicated project manager, program manager, I don't know, but it's some flavor of PM, those pieces, but there's one person.

A: I think that needs to be responsible for the entire project, and that person is the one that essentially presents back to the TAC and the working group and the governing board, and they kind of manage it as a liaison from the project team to the OpenSSF. Now, this isn't the only way of doing it. The other way of doing it would be to actually have Alpha report to, like, the Critical Projects working group lead and Omega report to a different lead.

A: We could do that too. There's no reason why Alpha and Omega need to be tightly bound to having one person looking over both of them.
A: So the concrete proposal at this point is a technical PM lead thing for, as this PM function, for six months, for each of them, so dedicated to it. After that, as we go through that, we'll realize if we were way off, but I don't think that... number one, it has to be a paid position. It can't be a volunteer thing. Sorry, for these two on the bottom. This Alpha-Omega lead, I'm imagining...

A: That's me or someone like me that would kind of oversee the project at a strategic level but delegate the day-to-day stuff, because, as things come up, they need to be dealt with in a, you know, 40-hours-a-week kind of effort. So that's why I think these are important, and if we realize in three months that, you know what, this only takes 12 hours a week, then we combine them after six months and we're good. That's at least my take on that.

A: I would rather over-resource this than under-resource this, because if we under-resource it, it's going to fail and we're going to look silly.

A: Yes, and that's why I think that this chart is important. This is the one for Alpha, and, you know, granted that some of the numbers here were a little hand-wavy, but what I was, we're trying to keep it to a reasonable overhead.

D: One of the other things is, I don't know if those dollars are going to be enough for both doing an audit of the software and then actually going and rolling up the sleeves and fixing things. I guess we'll find out some of that as we go along, but yeah, I'm a little skeptical.

D: Basically, I think you're over on the management and under on the performance. That...

A: That's very possible. What... so yeah, I think.

A: I think that, because that will be a sizable chunk of whatever the investment is per project, that maybe we borrow from Peter to pay Paul, or whatever the phrase there is, so... and I also have an additional buffer here to be used. If we are wrong about any particular project, we can just...

A: Are you mostly getting that from the diagram? Because the diagram is giving that impression, okay? So maybe the diagram is just garbage, let's say. Maybe.

D: Like, reports to the governing board and then, like, dashed lines showing off, you know, report technology, and then they also report to the GB. But I think the TAC, and I don't... and this working group role, or whatever working group this is under. I mean, and by the way, we've actually talked about just having Alpha-Omega as its own thing. It doesn't have to be under this working group, yeah. But if it is, I think that more of a report back: "hey, how are things going?"

A: I... maybe, yeah, I mean, I think part of this... In order for this to be effective, you do need one boss. You need one person on the line that's accountable to deliver the results. One.

D: Right, I mean, I'm okay with an executive reporting to a board. I mean, lots of companies work that way. But what I'm afraid of is I report to a board and this other group and this...

A: So, okay, I think that the problem is that I've poorly described the intent. The intent has been for the, let's just call them the director of the Alpha-Omega project, to own all decisions, subject to the available budget and, you know, in line with the spirit of the project.

D: But that person who owns it still needs to report to somebody. Yeah. I think that is actually the governing board, and they also report out for technical to the TAC and the working group, so that they can raise... and, you know, they can disagree, they can discuss; if they truly hate it, they can raise it to the governing board, but in the end, it's the governing board that makes the final call. Oh, it doesn't have to be that way.

A: So we'll probably have A-O report to the governing board. I think that makes more sense, particularly with the new governing board makeup that's going to be happening soon.
D: My other main comment is frankly another decisional thing. Yeah. You can see my comment there. You know, for Alpha, I'm really... actually for Omega also, you can't handle everything; you have to decide who determines what the projects are.

D: I guess, although I'm expecting the lead to have a significant voice, and particularly in how it gets executed, I'm expecting the lead to take the lead, but as far as who decides which projects are, I think that should be a small group, not a single individual, and that small group should be informed by quantitative data. And I think we should list some examples of that data, but I think in the end it needs to be a small group; call it a cabal, call it whatever, but we have to have a way of deciding that doesn't just put that burden on a single individual, because if it's a single individual, no matter what, people are going to complain about that. People complain.

A: Yep, I agree completely. The intent was never to have one person create the list, right.

D: Right, but that's not clearly... in my mind, what's critical for your plan is figuring out who makes the decisions, because you'll never put it all in the plan. The plan will have to change anyway. The plan, no matter what you do, is wrong. Making the plan is helpful; actually executing the plan is unlikely. It will change, so we just really need to focus on who makes the decisions, and then, as things change, we know who's going to make the decisions, right.

A: That would be great, yeah. I mean, I think that having the... I would probably be the lead, director, whatever you want to call it, own the process and delegate out the actual prioritization to either OpenSSF members writ large, or a representative from each working group, or the governing board, or the TAC, or, like, whoever wants to contribute into that. I think the problem will actually be too few people wanting to actively contribute into that rather than too many.

A: It doesn't matter, though. Like, we'll come up with a list that we all feel equally bad about, and that'll be the best list that we'll be able to do, and then we'll just start at the top and go from there. I don't wanna over-engineer the perfect list, but yeah, just definitely not one person.

E: I think you brought up some great points, David. We always talked about, back in the IT audit days, establishing where the buck stops. So, you know, knowing who eventually makes that final decision, and yeah, I definitely like the idea of some kind of ongoing curation as well.

A: Cool, any more content? Because I do have some, well, I can come right after this, but it's still related to the operating plan.

E: Last thing I was going to say, Michael, I'm happy to share with you just some of our experiences with security engagements when it comes to costs and kind of budgeting and things like that. You know, we've been doing it for a number of years now, so we've got some data points that can hopefully help and maybe kind of get a better estimate of what some of these things might cost. Yep.

E: Yeah, yeah, we can just have a question.

A: Given this a lot of thought, so for Alpha, I feel really comfortable... well, I may feel less comfortable with Amir after we talk, and, like, budget-wise, in terms of, like, how much we can get done with how much money, but I feel that the overall approach of basically... that there's a layer of overhead at the top that makes sure the right things are happening, and then it's basically a money-funneling thing to organizations that do the work, and then checking to make sure that the right work was done and all that stuff. For Omega...
A: I don't know, but I don't want to minimize and say this the wrong way, but it's doing the technical analysis and it's building the tools and it's doing the triage, and it's not an outsourced service provider setup, and one of the challenges that I have is how to keep a similarly low overhead.

A: On this, and at the same time, know that we don't actually know what we're building, but we need to start building. So we don't know what it'll look like at the end, so there's a section here which is, like, the absolute minimum requirements for Omega for 2022, and it's still for the three pieces that we talked about in the proposal. So there's automated analysis, there's a triage portal of some sort, and there's a response process.

A: The response process isn't really a technical thing. It's just, like, how do you... you know, it's a document, really, of how do you engage and how do you manage that? Maybe a little bit of, like, a CRM-light thing, so you can track, like, you know, "hey, I reached out to this person. They never got back," or "they did, and the fix is in place and should be ready next month."

A: Things like that, you know, and kind of a website to, like, show the aggregate, like, high-level results, but the real, I think, kicker... I'm not a kicker.

A: The real guts of this is the automated analysis infrastructure and the triage portal, and both of these things are things that are going to need to be built and iterated on significantly over time. So where I think I've landed in my head is that these should be minimum viable, like literally minimum viable products, projects, whatever, where it has to be functional, but it's not for mass consumption. It doesn't need to be pretty. It doesn't need to be, like, everything that you want.

A: The final thing to be: we want an experimental playground that we can iterate on quickly and come up with something that functionally works, and then, as we get closer to solidifying something, we look at it through another lens of how do we make this thing... you know, what does this thing want to be when it grows up? How do we, you know, build this into LFX?

A: How do we, you know, make this visible, and, you know, for more usage and more data sources and kind of everything else?

A: The advantage here is that both of these can be put together for an MVP quickly and cheaply, at least relative to the full thing. Since we don't know what we're building, I think that's also fiscally responsible, but I want to get thoughts, because I don't want to steer this too much based off of just what I'm thinking.

D: I mean, almost all the tools have some way of doing some kind of triage, because you have to, you know; most of them have at least a way to estimate how important the vulnerability is and then sort them by that. That's absolutely a triaging technique.

A: The aggregation one, that's...

D: When there are tools that aggregate, particularly aggregation between multiple tools, that is absolutely a thing. There are multiple tools that do this.

E: This came up before in some discussions. I think it's in beta, but I think Snyk is working on something like that.

A: You know, or something functionally like this, you know, where you're seeing the finding, which could come from multiple tools, and you can see the code and you can navigate around and you can say "this one is garbage" and "nope, this one is good," like, you know, kind of the single pane of glass for "I'm a security triager that needs to take action on these across multiple projects."

D: I think that's honestly the answer. I think the problem is, for a lot of folks, that many of these tools are pretty expensive, yeah, and so, you know, so...

D: There's a study done by NSA; I'm sure some people don't want to hear from them, but okay. But, you know, they did some serious studies, and what they found was that the different static analysis tools, at least at the time, had remarkably little overlap.

D: In other words, if you ran two tools, it wasn't that they found the same things; it's that they found... there was a significant amount of things where there was no overlap. And so their recommendation was, if you really care, use multiple tools, and a lot of people took that to heart until they looked at the budget, and then, "oh wait, if I buy two tools, that's more expensive than one." Yeah. How about that?

D: And so I think there is general agreement that using multiple tools is better, and then you can eliminate the overlap. The problem is, for a lot of organizations, if you're not developing open source, they're not... a lot of tools are pretty expensive. Yeah.
D: So the number of folks who use them... I'm trying to remember. I know one of the aggregators ended in DX, but it was only part of the... were, so I'm still trying to find...

A: I'll figure it out from there. Yeah, I mean, ideally, like, if there was something off the shelf that we could use, that would be even better. I have a feeling that it's going to be like, "well, this doesn't really do what we want," but we'll take it from there. At least we'll have kind of, I think, articulated, as, you know, minimum requirements, and then how do we just make it happen?

D: DHS funded development of one of them. Okay, but again, that's not quite enough to find it. Wait a minute, was it Code...

D: All right, looks like they got bought up by Synopsys. Oh, okay, so I mean, this is actually not unusual. It's somebody does something and it gets bought up by somebody else. I hear that's happened before.

A: Shocking. Okay, we have 15 minutes left. I want to make sure that we get to the other topics. Is there anything else that we wanted to close on for Alpha-Omega?

A: Okay, please get any comments you have into the doc as soon as possible. We're gonna need to solidify this, I think, by the end of... oh gosh, by next Friday. We need to present, so we have a couple of days, but please get any comments in. I will do my best to faithfully... well, I will respond and I will try to faithfully take to heart everything that you guys say, yeah. Okay, next part, security reviews, Amir.

E: Awesome. Shout out to Dylan for updating the table and making it not static anymore. So it's definitely looking nice. I incorporated it into the main branch of the repo. There's a couple of things I've considered... either it's in overview.md... is the Python table? Nice, yeah. So, Dylan, do you want to quickly talk about what you did? Just because I don't want to mess it up. I want a link... coming right up, I'll give you a link.

E: Standing meeting, but yeah, so it looks like essentially what he did was generate a table that can be essentially generated automatically, not statically.

E: I think it's definitely a great start for kind of giving an overview of all the work that's in the repo. There are some things that I would like to run by the work group to potentially augment this, just to make it a little bit more descriptive. There's a couple of fields that I think might... you know, someone coming from, you know, just the outside who doesn't know anything about the work group or this repo might get confused.

E: So I think what I'm gonna do for that is just put it all together in a list of recommendations, and, of course, if the work group has any thoughts about this table or just generally making this information more discoverable...

E: Please comment on both the notes, or you can contact me directly, but yeah, it's definitely looking like a fantastic start. The only other big update was: it looks like someone from Trail of Bits added a couple of new security assessments that they did, and it keeps getting the Python application build error, and I'm not entirely sure how to debug that. So I thought, I mean, if we have a couple of minutes, if we could just figure out what's going on there, and just...

A: Yep, so right here, the validation, so I mean, we can look at validate 109. Sorry, what did it say? It said "'str' object has no..." So reviewer should be a dictionary. It is not. It is a string. That's why that's upset. So, let's look at that.

A: So, okay, so reviewers should be a dictionary, a YAML-ified dictionary, and so that's telling me that one of these, at least one of these... look at the files.

A: This is a dictionary, I guess, so the solution is add a dash next to the first one. And I don't know if that is a problem with... if they used the quick start to do that, it's possible that the quick start generated broken YAML.

D: Yeah, okay, but we've got the idea. Okay, yeah, it's just being interpreted as a string, and it's not supposed to be. It's supposed to be either a... well, something. It's supposed to be an iter... well, it's not just iterable. What did it say? Items.

A: I mean, it needs to be a Python dictionary at some point. Yeah.

A: Cool, that's awesome. Anything else in here from your side?

E: That's about it for the repo itself. Hopefully we're going to have some results of a new project real soon, so I'll have...

A: Perfect. Luigi, any update on security ammo?

J: I have written to David that the next suggestion... probably for the next suggestion, I will ask his approval, just to be aligned, because I think it is a good idea. And that is, I will continue to update the document. Cool.
A: I guess the only other thing... I forgot to add this, but have you guys seen the ua-parser-js malware? This was the one that came out over the weekend. Backstory was the author of the npm package... the npm package gets like seven million downloads a week. He didn't have 2FA enabled, so his account got popped. The attacker published a new version, three new versions, of ua-parser-js with a crypto miner.

D: That's actually a very common problem, although it's not the focus, right; it's instant. In the previous group I was on, the digital identity folks, a working group may get renamed to the Supply Chain Integrity working group.

D: And because people are talking about projects that are a lot related but not quite the same, and there was a discussion about spending at least a little money on doing reproducible builds on some of these packages, specifically because it would catch this kind of nonsense.

D: So if you check that the GitHub and the npm library matched, that would... you know, this wouldn't happen, but...

A: If I could give a shameless plug, because I think we're better at creating tools than we are at marketing tools, unfortunately, but...

A: This, oh, I think we talked about this just maybe six months ago or something, but OSS Reproducible does do pretty good for npm packages in particular. So you give it an npm... you give it ua-parser-js, and it will go back and find the GitHub repo and then try to build it, right? If they don't match, it'll show you why they don't match.

D: Right, those results aren't showing up in OpenSSF, in metrics.openssf.org, are they?

A: This needs to be run at scale. This is an expensive thing, but it's available. We could actually do that as part of Omega. That would be an interesting data point.

D: Yes, but I think more broadly... I mean, it would be good to run it more as Omega, but I think more broadly, and we probably ought to talk about this in another forum, we ought to make that just a, you know... whenever you are thinking about updating, you can do a quick check, and "oh, look, it's reproducible," or not.

D: I'm not sure that I hear that. I think that's a distinction without a difference, because where the heck are you getting those source packages? If you're not getting it from the correct source, then what does it matter that we can reproduce it? You know, it's... the here is the... we agree that this is the correct source code, and we can agree that we can produce exactly the same package. Okay, yeah. If...

D: If you can reproduce something, but it's not the authentic source, why do we care?

A: No, no, no, sorry, it's actually saying, can I look backward? So reproducibility is about... I'm sorry, I'm talking as I'm thinking. Reproducibility is about looking forward, like, given a piece of source code, can I generate a binary that is from it? The binary that came from it, is this thing safe to use?

A: Well, just knowing that X was reproducible doesn't mean that the bits that I have in my hand over here are the ones that came from this, and I guess you could do hash matching, and now you've got ledgers and things like that for it. I think it's an interesting space. We don't have enough time to go into it, but yeah.

D: I would... if I am a rece... let me... I'm probably the wrong "I" anyway. If I'm a potential receiver of a package, I want to verify that the package I'm about to install is reproducible; either I will do it myself or somebody else has reproduced it, but basically I want to have confidence that the binary data that I've downloaded and am thinking about using is reproducible from the source that it is purported to have been developed from.

A: Yes, yes, so I think we're saying the same thing. A lot of reproducibility projects tend to start, though, with source and just say, "hey, did I produce the same bits every time I compile?" and, like...
D: In the CII Best Practices, we actually have a different name for that. We call that repeatability, so it's possible to repeat the build, yeah, but that, you know, if one organization can repeatedly build it and they produce the same answer, that's repeatable. Reproducible means that someone else, totally outside the project, can reproduce the build. And I think repeatability is a useful step.

D: So, for example, repeatability is required for silver and reproducible is required for gold, because repeatability is necessary to get reproducibility, but repeatability is a little easier, because you don't have to figure out how to tell everybody else your tools; it's just run it twice, did I get the same answer? Easy peasy to do. But from a security point of view, that is not really what you want. It's a step towards what you want, which is independent, verified reproducibility, because now somebody else has checked, right.

A: Awesome. Well then, I appreciate everybody's time. Thank you, have a great rest of your week, and we'll meet again in two weeks. Oh, sorry, last thing: if you guys haven't gotten the email, there's an OpenSSF town hall on the eighth. I don't know, they're...

D: They should have actually... well, you know, I think that's fair to say that it's okay for them not to do that, but it would have been better for them to give more warning. So they didn't give a lot of warning, and I think a lot of people are going to want to do that. So we're probably going to reschedule that a week out; that hasn't been actually officially confirmed yet, so, okay.

D: Watch your emails. We may get that rescheduled because of conflicts that were not of our making.