Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: Awesome. Welcome, everybody, to the November 10th Identifying Security Threats group meeting. Because you have access to the meeting notes, feel free to add any topics that you'd like to discuss. Gosh, it's transcripting me live. I don't like that. Is there anybody new here that hasn't attended previously or would like to introduce themselves?
B: Yep, hi everyone. Arlen Baker, principal security architect from Wind River. We just recently joined OpenSSF and are looking forward to coming up to speed and getting engaged here.
A: Awesome. I'm sorry, Wind River, as one word? No, two words: Wind River. Yeah.
C: Welcome. Thank you, yeah. I will say that I didn't make much progress in some of these things, because I was completely overwhelmed with the efforts to get ready for the OpenSSF governing board, as well as a keynote presentation. But as we'll talk about, I imagine in a moment, I think it went really well.
C: Now, the member summit and, possibly more importantly, the OpenSSF governing board. I was there, so I can answer some questions.
D: In the agenda, I don't know if we have space or time, so don't worry, but I have added some comments and edits in the OpenSSF security.yaml. Of course I prefer to have the approval by David for many reasons, but maybe we want to define some requirements for the first version.
D: For example, I am quite sure that we want to have the Scorecards, the CII page, the vulnerability disclosure involved, and so on. If we define some requirements for the first version, I can work with a better template, because at the moment there is a sort of draft template, but maybe we can work on the first version of the template for the YAML. But I need some requirements, and I want everyone to be involved. So if we have time, or otherwise we can skip to the other topics. Don't worry.
A: Okay, cool. So yeah, we'll definitely make sure we get to at least some discussion of that. So Monday the 15th is the OpenSSF town hall. I hope everybody can make it and has registered. You should have gotten an email about it. Actually, while someone else is talking I'll find a link to that and post a link to register for it.

A: So we're gonna have some nice announcements, including information about the new governing board, just kind of the re-kickoff, I don't know what we want to call it, but a new beginning of a new era in OpenSSF. We're going to announce Alpha-Omega formally, at least that's the plan, and we'll have a bunch of other updates on other new initiatives, things that are coming in, I think, November, and then updates to existing things.

A: So super excited for that to happen on Monday. David, did you want to give kind of an update on the member summit and the governing board recap, anything that you think would be...
C: Happy to, and somebody else can try to take the notes, because it's always hard to type and... yep.
C: All right, look at that. All right, so I think both the member summit and, more specifically, the OpenSSF governing board went very well. We had a huge governing... We have a much larger governing board. There were some concerns that switching from zero dollars to actual dollars was going to cause a lot of loss in formal participation. That didn't happen at all. We've got quite a large board where, frankly, we may have the opposite problem of wow.

C: This is a lot of folks who have to work together. That's okay, though. And then, frankly, we raised quite a bit of money, and my understanding is that there are a couple more people who are about to get "papered", the verb a lot of folks are using for signatures. And so I think it's pretty clear that there's tremendous interest, tremendous involvement.

C: Alpha-Omega's approved. The big challenge that they have right now is there's a very early draft idea of a budget, and the plan is to get that approved within the next month. So that's kind of their major task right now, budgetary, and I will say the budget is going to include things like outreach and going out.

C: Awesome, so questions for me. I gave their brief recap and I copied some of the slides into the town hall, so you know what the current OpenSSF looks like. So if you look at the town hall, if you cover the town hall, you'll see some of that. Yep.

C: Yes, yeah, cool. Yes, and I'll note that in general you'll see that the governing board is a lot of, I guess, moving up the hierarchies of some of... I mean Eric Brewer, for example, is pretty... I've forgotten his title offhand.

C: If you scroll up, you can look there, but I mean VP of Infrastructure. He's also a Google Fellow, yeah. So we've got a number of folks who can speak and cause things to happen relatively quickly within their organizations.
A: If you think of any, just raise your hand or start talking. Cool, so speaking...
A: For me, okay, so speaking of getting on and doing it: Alpha-Omega, as Dave mentioned, was approved on the fifth. We have a blog that should be released on Monday, right before the town hall, on the governing board approval. We've got a couple open tasks there. We actually need to put together some content, and I promised to set up an information session. I want to do it on the 19th before we get full.
A: I think the 19th is probably the last day before the holiday season kind of starts and availability becomes more difficult than usual. So we'll do that, and that session will really just be kind of Q&A: what is Alpha-Omega? What are the plans? Kind of talk details. I do want to share a finalized version of the proposal doc, slightly... you know, with some things like budgets and numbers removed.

A: Something that we wouldn't feel uncomfortable making public. So yeah, we have five million dollars available. We have an operating plan. I don't say it's finalized, but it's getting there. The breakdown is close to half and half: half for Alpha, half for Omega. The Alpha part is that most of the money will go to service providers.

A: Doing these engagements. On Omega, it's about half toward building the system and half toward paying people to triage the results and action them and all stuff like that. So our first two hires are going to be the most important: it's a technical PM role, one for Alpha and one for Omega. If you know anyone that is interested in this role, this would be a...

A: We haven't decided for sure whether this would be contract for six months or full time. I think we're leaning towards contract for six months just for expediency, but for the right person I think we'll try to do the right thing. It's much more important to me to have the right person.

A: So a lot more to come here over the next, well, few weeks really, because we do want to keep progress going here despite the holidays.

A: Any questions on this work?

A: Let's say, I don't know what they're called, I don't call them vendors, I guess they're vendors. So I met with Sourcegraph yesterday and have a meeting with Snyk, I think today or tomorrow, just to kind of start a conversation. So I don't know exactly what our strategy is going to be for Alpha-Omega on kind of third parties providing data.

A: Because I think that it's probably naive to think that we can do everything soup to nuts that existing organizations that have built this out over years could not do better. So we want to leverage that where we can. Thoughts, questions, anything on Alpha-Omega?

A: It'll probably make sense to split out Alpha-Omega into a separate, and I don't know if it'll be a separate working group or just a project, like a core project team, and have a separate meeting, probably weekly, with that core team. Number one, because it'll span different working groups, and number two, because it's, well, mostly because it'll span different working groups and it's not a project that's contained within our working group exclusively, right?
C: General expectation is that Alpha-Omega will be a project immediately under the TAC, just like the working groups currently are. I mean, the charter actually anticipated that, and it's a big enough thing. I do have a comment about you're looking for people. Yeah, my experience has been that two of the biggest challenges for a lot of work are, you know...

C: Well, if you need data, getting the data, but the other is getting the right people. If you have any idea about who the right people are, anybody here, please just raise them as ideas. I imagine that eventually they'll put out a general call, but it's often hard to get the right people without direct contact. So please, please, please, if you've got an idea, even if they're busy now, they might be... If they're the right person, let's at least give them the opportunity. Yeah.
A: And so, in addition to these kind of salaried or hourly kind of engagements, other folks from outside of the OpenSSF that you think would be able to contribute in some way, either just ideas or whatever, to this. Let's keep the funnel really wide here. I'd rather have more voices, even if they are dissenting voices.

A: "I think this is a terrible idea, but I can explain why." I kind of want to hear everything. We do have, so... sorry, period.

A: We also have integrations that we want to do with different working groups. Specifically, we already spoke to the Securing Critical Projects working group for them to own the selection process of what are the critical projects, kind of owning that list that Alpha would pick from the top of and go after. I think that totally makes sense for them to kind of drive that process and essentially deliver that list, and then I sent a note out to Best Practices.

A: I think I spoke with them before, but I don't recall. The Best Practices working group on kind of the leave-behind packet for Omega engagements.

A: So this would be, you know, we find a vulnerability in a thing, we report it, we give each other a high five, but before we release the high five we slip them...

A: A note that says, hey, here are some things that you can do in, what, 10 minutes or a half an hour to improve the security of your project. Like, hey, just click here to set up code scanning, make sure you use two-factor auth for both GitHub and whatever package manager you deploy to, things like that. Not a "here is an enormous amount of content".

A: More like a checklist of, here's three, four or five things that you can do just to kind of up-level it. And the reason that we have to be crisp there is because we're gonna be doing a lot of these. We're not gonna have time to engage in back and forth, and we really want this to be just something we leave on their desk.

A: So that's for Omega. I think the final thing I wanted to say here: in some discussions, another point came up that I hadn't really considered, and this is probably somewhere in the middle between Alpha and Omega: the idea of collecting signals from organizations.

A: So one of you works for an organization and either your spidey senses are tingling or you have reason to believe that a particular open source project has a security problem.

A: Well, right now, unless you have the local infrastructure to tease that apart and validate it and then reach out and do all that, a lot of organizations just don't have that. And would it be interesting for Alpha-Omega to have kind of like an ombudsman role where we will collect, and we'll collect it anonymously, it doesn't really matter, kind of signals from different organizations saying, hey!

A: You should really look at this thing. And we can use that: if it's a critical project, we could use that to inform that list, and if it's a lower-tier project, bubble that up and make sure that we do it.

A: You know, take a better look at those projects. So I'm not really sure where that will land, but it was just a conversation that I had that got me thinking about what the interface of both of these is to the world, and how would teams engage?

A: How would outside parties, so either organizations that use open source or even open source maintainers themselves, come to us and engage in some way? So there's a lot more thinking that needs to be done there.
A: They're not in the GitHub. They are these two links right here, operating...
C: We need at the very least... now in this particular case, it's not, I expect it's not going to be part of this working group, so it won't matter. But when you get to a working group, you should be able to see a link to everything the working group is up to. Not something that all working groups are achieving, but that's the goal, since Alpha-Omega isn't officially stood up yet.
A: Absolutely. So I've already created, and we can change this later, but...

A: I can spell. So there's a private repo. I'll obviously publish some stuff here before making it public, but this is where I would imagine I'll either link to or get a copy of the proposal, et cetera, et cetera. And then we would have working groups point to this page as kind of the informational project page.

A: But yeah, so right now the proposal and the operating plan are like, although there are links that are floating around that are public, we haven't formally posted it in a very public forum for the masses to consume. We'll do that for Monday.
A: Okay, so moving on, security reviews. Amir's not here today, no new updates. Looks like there are refinements to the table. Dylan, I know you were helping with that. That looked awesome. So let's give a...

A: Give a look, and it's this one, right?
F: No, that was the original. What, wait, is it? I'm pretty sure that's the original one. I left it there.

F: While people are taking a look, yeah, so overview.md, that's just the one I generated with Python, so maybe not quite as phenomenal yet, but it was just like... I think someone wanted me to just kind of write up a draft, and I don't know, I got... Basically, I got all of the easily automatable things, like the things I could grab from the YAML, directly from the metadata, that are very consistently there, and I put them on top in the other markdown file.

F: Would you mind scrolling up to the top real quick, Mike, just to... let's see the product? I have there... they're a result. I do not have this like a security review or like policy review, like we don't have anything like that linked to the report. I have that... I just, like, the project name I just made a hyperlink. Great. Funded, oh yeah, so funded by, facilitated by and reviewed by. We don't distinguish any, like, in our YAML header.

F: It's just like a list of people, like you can't tell if they're people or organizations. I think you can tell if they're people or organizations, but it doesn't say. Yeah, we just have this, yeah, so.

F: Well, I'm just saying that's like how it was written in the other markdown file, yeah, so I tried to mimic it as closely as I could. So for this, I just had to like bundle these up, but yeah. I don't know, it depends how much work you want, the like...
A: Well, yeah, I mean some of that was because we wanted to differentiate. Like, you know, I did my own security review of my own thing, as like, I'm biased, obviously, but this would be like facilitated or something. I don't know what the title is, but this would be like "facilitated by" or kind of like to differentiate those other headers. Yeah, yeah.
F: Yeah, no, that's fair. Yeah, so reviewed by, facilitated by, and there's one more, oh, funded by, I think was the last one.

F: Cool, all right, so I'll tweak it to include that. And then actually, now that I think about it, I need to tweak the quick start page.
C: You're gonna do this, Mike? It's "facilitators", and you speed spellings anyway. Facilitators. There's a mistake.

C: Yes, it wouldn't be the first time somebody made a spelling error in their field, but they're annoying to fix later.

C: See, I don't think it was a spelling; it was a character limit. All right, anyway, nice. But anyway, I think the goal here, though, is... I love this. We need to tweak, while we have a relatively smaller database, we need to tweak this so that it's just push the button and go, and frankly not just for ourselves but for anybody else who's trying to look at this stuff, if we can.
F: Yeah, I think more data and, in my opinion, like more data, kind of hedging on that side, is probably a little better right now, because worst case scenario later on we could write some script to parse through all of them and remove something in the header that we don't want. But I can't later on go in and fill out missing data, right?
A: Cool, moving on. We have some time to chat, so Luigi, if you want to chat about security.yaml, you're welcome to take as much time as you want.
D: No, I mean, I can talk. Oh okay, now, yes, I have added some comments to the OpenSSF security.yaml, but we don't need to check them now. Then, I mean, they are for them, especially because I have some comments to ask more information about some... yeah, sorry David, but just to be sure.

D: No, I mean, I know that at the moment Alpha-Omega is the priority. It is very important, so happy. Thank you, Michael and everyone, but I mean I want to continue with the YAML file, because I think it is important and probably, I mean, the document is already advanced, but at the same time, if we want to have a sort of first version, we need to define some requirements, and I want to be sure that we are aligning our requirements.
C: My understanding is the Scorecard and the Best Practices badge are reading this data, not a human directly. In most cases, that's okay.
D: I suppose that it can be helpful to read the Scorecard result, because it is an automated tool, so the maintainers just need to launch the linter or directly the Scorecard to have the results. Same for the CII page, and the same for... I want to talk with the vulnerability disclosure team, but I want to have some information about the CVD policy in the YAML files, or the link to the CVD, the security contact.

D: Then I think that it is really helpful for everyone to have the contact with the maintainer of the project, and the evidence. And Scorecard is good evidence, because everyone can replicate the Scorecard results. So to create a sort of template for the YAML, a first template for the YAML, I have thought of Scorecard, CII page, vulnerability disclosure, maintainer contact and other similar information related to the project.

D: For example, what are the main third-party packages that you use, or what are the languages of the project, can be useful information that is both human-readable and machine-readable. In this way, we can have a first version of the YAML file and I can prepare a sort of standard template.
C: We already know what YAML is; don't worry about making that argument. Yeah, I think the question here is what's in and what's out, because I think that is important. I've been assuming this would be an input to the Scorecard process and the Best Practices badge. I mean, I guess it could be an output too, but then you have the concern about looping and which one is the correct result.

C: So, for example, if Scorecard produces a different answer, what's the correct answer? I don't know. I would assume that the, for example, the... well, anyway, go ahead.
D: But I suppose that, I mean, I don't think it's a big problem for open source projects, because in the YAML file we can add the version of the YAML file, of course, but also the commit, or the version of the product, where the maintainers have launched the Scorecard. In this way, if you want to test the YAML file, you just need to launch it on the same commit, and if you have the same result, you say: okay, the YAML file is correct.

D: I can trust this project. If the result is different, you can ask them to demonstrate it in an issue. Similar for other topics, because I suppose that there are some tests that maybe we cannot totally replicate in the future, because I suppose that big projects can have some CI or some workflow that they don't want to totally share, maybe for security reasons.

D: At the same time, this means that maybe the user cannot replicate the same test, but they want to have evidence about the tests, and we can find a way to convince people that the tests are correct. I'm quite sure that Google and Microsoft have high standards in the back end, or standards that they don't want to share, workloads they want to share, but sometimes I trust a CI or a workflow made by Microsoft or Google, and that is...
C: Yeah, I see a lot of complications with this. You're suddenly combining inputs and outputs in the same file, which creates a whole lot of challenges. So, for example, if the Scorecard or the CII Best Practices are run against projects, they will report about the current project, whereas a commit, of course, is going to be from a point in time. Typically, almost immediately, it goes into the past.

C: Yeah, yeah, I'm going to tilt a little bit, because your expected use case is exactly not what I was expecting.

C: So thinking of this as an input to these tools means that really the only thing that needs to change is a couple of tools that load these as inputs, and then they can use them as additional information. If all of a sudden they're outputs, now we have to figure out how to synchronize and how to make changes, what's canonical, how do you merge stuff? Because the Scorecard and Best Practices badge are going to output different things.
A: Could I... can I make a suggestion? I think that the benefit of Scorecard is that it runs automatically, right? The downside...
A: Is that it runs automatically, and yep, it doesn't find everything. So there are going to be some things that are important that are not discoverable, either because Scorecard doesn't know how to find it, or it takes place offline, or it's something that is not present in code. Like, do you accept vulnerability reports? Like, how, from a GitHub project?

A: Reporting process is probably very important to Scorecard, and the fact that you run a SAST tool that is not discoverable by Scorecard is also very important to Scorecard. So, but at the same time, I think I agree with David that feeding in, like going backwards, because I think what you want is, well...

A: Perhaps what you want is an open source maintainer will look at this file once a year and be like, oh yeah, I don't do that anymore, and change it. But it wouldn't be updated frequently, so these would generally be things that would be kind of sticky and stay around, and they're really there to augment what could be found automatically. So if it can be found automatically, it kind of doesn't need to be here.

A: The way that I see both of these, both Scorecard and YAML, kind of feeding into is the idea of this kind of SBOM, scheme store, set of claims thing about: did this work actually take place, and do they have a vulnerability reporting framework?

A: As of this point in time? Yes, it is, because it was defined in this YAML, and then that flows through as something that consumers of the open source can make policy evaluations by. So "I only want to include open source projects that have a vulnerability reporting process." But I think that's downstream of security.yaml. security.yaml is kind of one of the primary inputs to lots of other things. At least that's the way I was thinking about it.
F: Oh, so yeah, I just wanted to kind of add in, I kind of agree that the easiest way to do this would be to kind of have it as like...

F: A stickier input source, kind of like Mike was saying, because I think the way we can maybe handle this potential staleness issue is by maybe, say, someone reviews it periodically, like once a year, nothing crazy, right? Like once every year or something. Maybe we can have some kind of timer or something programmatic that goes off for anything that's manually inputted, that's manually accepted into any of these projects, for any of the manual sources, that, you know, after a year or something it'll alert us, or whoever, send some notification that says, you know, requires some OSS maintainer's review, right? And they're...

F: You know, their score won't change, so they won't be unhappy at the time. But maybe it'll leave like another six-month window for someone to actually come review it, and then at that point it'll go back to like a question mark or an X or a lower score. So I think that might be the easiest and most achievable in my eyes personally, but that's just my opinion.
D: But this means that we see it like an output in the repo for humans; for us it can be also an input because we can test it, we can replicate it. So it can be also an input, for example, for the metric dashboard, because if small projects start to use the YAML file, we don't need to scan every project. We can just say, hey, for this project we haven't scanned the project, but we have the YAML file.

D: We can trust it and we can replicate it. So technically it is an output, the first version; in the future...

D: An input or an output, and an output for people that read it. So the maintainers launch a linter or a script to automate the YAML generator. We can also create a web page if we need that generates the first version of the YAML file, and then for other people this is just an output that they can read to take a decision and say: okay, I trust this project, or I don't trust it, but maybe I have...
C: Yeah, careful that you're using the word "output". I can tell you're using the word "output" in the opposite of its meaning in some cases. You don't read inputs... or at least, you know, the output of a program, of something, is the input to somebody else, if that makes...

C: Okay, so yes, it's confusing. So I was thinking of this file, and I assumed, and I thought that we had agreed originally, we can change this, but originally this was an output of the project that was going to be used as an input for badging, for the Best Practices badge and Scorecard.

C: Okay, now already, okay, they do have... those two suites already have outputs. I mean the CII Best Practices badge has a... it's not YAML, it's in JSON. It'll take me two minutes to find a tool to convert JSON to YAML, and technically any JSON is also valid YAML. So if we're really going to be technical about it, anybody that generates JSON files also generates YAML files.
D: So we are using a workflow and everyone can test this workflow, because you can technically launch the Scorecard on the same commit and say: okay, this YAML file is a trusted one, because I have the same results using the same tool on the same commit. And for this reason I see this like an output of the Scorecard, and it is easy to automate for the maintainers. But if you have another approach, so you want to create a file that the Scorecard can read easily, it is a different approach.
C: Right, okay. If nothing else, first we need to clearly agree which direction it's going, and two, we need to much more clearly document it, because if you misunderstood that from the text that was written, it's clearly not clear enough. Now, okay, now let me make an argument for the current... Michael's just sitting back, and Michael, all right. So let me make a pitch for the current approach that was originally documented, that this was going to be input to the CII Best Practices badge.

C: That doesn't make me right, but let me make a pitch for it, and I want to hear the counter, because I can be wrong. Okay, my pitch would be: we already have ways to output information from the badges and the CII Best Practices badge. I just sent a link, for example. If you want to get information from the CII Best Practices badge, if you click on that link, you will find the JSON output for that particular project.

C: It's actually for the badging project itself, because I often use the badging project as its own guinea pig. But if you click on that, you will get, yeah, a JSON file. There you go. Now if you open that up with Firefox, Firefox actually has a built-in JSON pretty-printer, or just save it and use jq or something else, but it will immediately generate a JSON output and you can immediately start working with it.

C: The same is true for the Scorecard, so I'm going to argue that if you need machine-processable results from at least those two tools, we've already got that. We don't need any additional work. Maybe we should merge it. Oh hey, look at this, you found a pretty-printer, good for you. All right.

C: Oh, I see, you're gonna show the Scorecard output. Sure, okay. So basically we already have ways to output from those tools. Now you could make an argument: okay, yeah, and they have more, and they have various and sundry things.

C: Yeah, so basically for both Scorecard and CII Best Practices you can already get machine-processable data. Now, maybe you could argue, wouldn't it be great to merge them somehow? I'm not sure that's all that vital, but sure. But I think the bigger problem right now is that there is no way to present data to Scorecard and the badge app to assert information.

C: That's a particular problem for Scorecard because it's only automated, but it's actually a challenge for the CII Best Practices badge also, because we do do some automation. By the way, eventually I think we're going to switch "CII" to "OpenSSF", since technically CII isn't around anymore. We were always a little hesitant to redo the rename, but I think people have decided there's no reason to hesitate anymore, but that's a nit.

C: Amen, I don't think I'm thinking... man, however, and here's the thing I notice: our clock is unfortunately beating up on us. So here's what I would suggest. Okay, you've... So we have discovered in this meeting a really fundamental disconnect and difference of understanding of what this is about. At the very least, I think we can all agree we need to clarify its purpose.

C: Okay, now, if indeed we want to switch the direction of the arrow, in spite of my argument that I just made here, I would ask that somebody here post the "I don't agree, and why" on the mailing list. Or hey, if they're listening to all this and you think about it and you agree... Because I don't want to wait weeks for us to find out that in fact we're developing for the wrong direction.

C: So at the very least, though, it's very clear we've got to clarify which direction it is. I'm gonna actually just put triple question marks in the doc right now: clarify that this is an output from a project and an input to Scorecard, Best Practices badge, et cetera, because that's what the current doc was.
C: Okay, let's resolve that. I...
D: To justify my vision, or my opinion: it is because, if we have a YAML file that contains, a trusted YAML file that contains the Scorecard results, the CII-based information and similar, the metric dashboard can just take this information from the YAML file without launching, for every project, the Scorecard and similar. Or we can just launch the Scorecard one time per month, just to check if we are aligned, and in this way we have a good way to keep updating the metric dashboard.

D: That is another important project that I hope we could continue to maintain, and for that reason I see it like an output that we can use like an input. So, but maybe I have totally misunderstood that.
C: The thing is, they actually are already doing this. In fact, I'll say between the Scorecards and the CII Best Practices badge we're having an interesting conversation, because the Scorecards folks are scanning about a million projects every week, which is totally beating up the Best Practices badge, because Google is actually pretty impressive at the number of queries it can generate per second. If you want to do a DoS attack, doing it from Microsoft or Google is an excellent approach.

C: Even if it's unintentional, you know, it's fun. It's the standard growing pains as you scale up projects. It's not a real problem, it's just the hilarity of reality. But my point, though, is that they already intend to rerun this. I'm not sure we want to make projects try to rerun the Scorecard individually.

C: I mean, that means that each project, every open source project, would have to download, install a tool, run it. If they're going to do that, I want them to install a security tool. I don't think I want everybody to try to do Scorecard.

C: We want to minimize the amount of work that they... Now, what they might do is create a YAML file to provide some data to those tools. I can totally see that, which is what this was, but I don't think we want to ask every project to install Scorecard and try to run it.

C: That just seems, you know, we're struggling. It's work to get people to do the CII Best Practices badge: hey, click on a web link and fill in a form. Never mind "hey, download a program and learn how to run it."

C: You know, using a website's a ton easier than asking people to install and run tools and learn how to use them.

C: Can we continue this via mailing list and circle back? But we've got to resolve this, and it could even, in theory, be both, but I think that's a problem. I would not like to see this trying to do both, because then you have to worry about cycles and how do you update things. And I won't tell you it can't be done, of course it can be done, but it's so much more work. I don't...

C: You could use Slack, you can use mailing lists. I actually don't... I'm not a big Slack user, and part of the reason is after 10,000 messages they go away, so...
A: I need to drop. Okay, thank you all very much. I appreciate all your time. See you guys on Monday. Thank...