From YouTube: OpenSSF Identifying Security Threats WG (April 12 2023)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
C: It's a lot. It's a lot. If I could tell you that by the time Friday comes, like, I have to front-load all my meetings, and I'm not even joking, like, Wednesday at about two o'clock, I have that two o'clock, I'm telling you, cameras off, because nine times out of ten I am dozing off in that meeting. My eyes are closing, I'm slumped over. Thursday comes, I'm like, oh my God, how many meetings do I have today? What is this? Friday comes.

C: I don't see it well. My cousin joined. Luigi, he's taking over for Mike when he's not here.
E: When Michael is not here, I usually just open the document and I start to try to organize. I call a meeting, and usually they would write the meeting notes, because it is definitely better that they write the meeting notes. So thank you. Well, I think that we can wait just two minutes to see if someone joins in time for the meeting. Otherwise we can start from the meeting notes. I can share the link in one second.
F: Hi, ciao, nice to meet you guys. Yeah, so I'm Andreas, I'm actually a senior at NJIT and I'm looking to contribute in any capacity.
E: Okay, I don't know if you have just chosen this working group randomly or if you already have a background about our previous projects anyway. This working group, the Identifying Security Threats working group, started, I guess, two years ago, writing a document where we have tried to identify all the security risks and the threats that you can have if you have an open source project and you try to deploy it in production, where production means a package manager or just distributing it in another form. And then we started to work on other projects like the metrics dashboard, that now is deprecated, but it was a first attempt to aggregate metrics from Scorecard, but not only, in an online dashboard based on Grafana that you can use to evaluate or compare different open source projects using the same metrics.

E: Then from this working group, with the project Alpha-Omega, Alpha and Omega started. It is a very big project. Well, now they have more people that work focused on it. So we receive updates in this working group, we talk about Alpha-Omega, but there are better channels in Slack that you can use to monitor that project. Initially it was a... They have a project, Alpha, which is the top 100 open source security projects that we have defined talking in the working group and the OpenSSF condition, and the Omega project is the minor, but not less important, just minor because less popular or just new open source projects that have maybe fewer people that can contribute to them or that maintain them, but they need to have some security insights, maybe more automated, but still something that can help the maintainers to have a better security posture.

E: And now this working group is still, again, working on a new metrics dashboard, and there is another historic project, the security reviews, that is, well, I think that Amir, you are online. If you can talk, you can explain yourself about the project.
A: Yes, absolutely, thank you, Luigi. Security reviews is a GitHub repo meant to collect data on relevant research or security reviews done on open source projects, and the intention for that also is to feed into other things like the metrics dashboard and, if I'm... no, that's not in the security scorecards, yes, in the metrics dashboard, namely so folks, you know, who are doing any kind of due diligence or research or looking into a project, can see, you know, whether it has undergone a third-party security review or security audit, namely audits that have, you know, public reports that can be viewed. So we're working on curating that kind of collection of security reviews and audits done. I guess, while I have the mic, I will quickly update the group that I have not been able to make those updates just yet that I had planned on doing to the repo to kind of clean it up a little bit, but I'll actually do some of that here during our meeting today, while we are discussing other things. But that's my main update for the repo. But yes, the address, just also for your reference, it's the OSSF... it's a GitHub repo, ossf slash security-reviews. I'll link it in our chat imminently.
E: And then there is Security Insights. That is another project where we are trying to define a specification that can help maintainers, users and scanners to collect information. And probably I have forgotten other projects; people, feel free to share more information, because I don't know if I forgot something, but these are a couple of the last few years. And cool, I think that we can start.

E: Okay, no objection. We can start. Okay, about Security Insights, I have some updates. Jonathan is helping me with a lot of questions and good comments and feedback to try to improve Security Insights. In particular, he seems to be interested in the keys that can define how a scanner or researcher can open pull requests in an automatic way, because it's very good to automate security issues or security requests to mitigate vulnerabilities at a large scale, but not all the maintainers are happy. So probably this file, this specification, can help to connect maintainers, to define how they want to receive help from the community, not just with the policy, so the security policy, but also adding more granularity to the request. In particular, we have two... wait a second, I can find the link. We have two PRs that are in review. One is to support the package URL and one is to add more granularity on how the maintainers get to define if they want to have or not the bots as helpers or something similar. There is an interesting point in a discussion in an issue. Discussion, I think this one, yeah, about SBOM, because at the moment apparently there is no... I am pasting the link in the Google Doc in the meeting notes. But this is the issue.

E: Every different community or project uses a different way to store or to publish and share the SBOM files, and maybe this is something that in the future we want to be sure that OpenSSF can handle, has to handle, yeah, because otherwise we are asking maintainers to create SBOMs. We see the value of SBOMs, but it's not so easy. It's a manual task to find them that is annoying. And that is for Security Insights. For the vulnerability disclosure policy, there are just a few comments, I guess three threads open, and one is about the name, because, I mean, that is a question also for you, because there is my comment to your own suggestion. Do we want to name it vulnerability disclosure policy or not? For me, it's okay. The point is that we have another vulnerability disclosure policy, but with a different intent and scope.

E: So if there is any opinion about the name, because in the issue I named it the security policy, just because it is similar to the SECURITY.md, but it is also famous in other... I mean, especially in the website, as coordinated vulnerability disclosure policy. But we have also another issue where we are trying to introduce a disclosure policy. That is, the name is very similar, but the scope is quite different. One is on how OpenSSF researchers communicate with the maintainers about vulnerabilities and share them in a public way, and the other one, the policy that I'm trying to write, is on how researchers can communicate to us the vulnerabilities that we have. So I have no strong opinion about the nomenclature, but it's very easy to confuse them.

E: Don't worry, we were talking about the nomenclature for the vulnerability disclosure policy, because we have now two policies with the same name and it's not... I mean, initially I suggested security policy for the vulnerability disclosure policy where the researchers send us the report; David suggests just vulnerability disclosure policy. I have no strong opinion, but maybe we want to avoid confusion, so...
B: If that's a confusion, use a different title, but yeah, I think there is another problem. We do have two disclosure policies, one for inbound and one for outbound.
E: Perfect, so I can close another point, and that's the end of my updates.
B: All right, so, basically, all right. So let me add this to the notes: inbound, since there's an outbound policy, and make it clear that's the scope in the title. That's the scope! Sorry, I just can't do two things at once. Well, sometimes I can, but I'm having trouble right now. All right, yeah, so for security reviews, I have a quick note and a beg. Okay, so I have a grad student who's doing a brief review of a particular open source program, Bitwarden. It doesn't matter specifically, but, you know, he's newer, so he's not going to be able to do the in-depth review that somebody who does this professionally would, but, you know, more review, more review. The more folks look at these things differently and share exactly what they did, the more that other people can build on that.

B: So I would encourage anybody else, if you're in an academic setting where, particularly, for whatever reason, a grad student is going to be reviewing open source software for security anyway, you know, and is going to be writing up something about it, please ask them to note it in security reviews. So that's just a beg to others. I get to beg, I... I'm jokingly saying I get to abuse my students. I hopefully don't really do that, but, you know, I get to oversee the awesome work that they do, and if they're going to do the work, I want others to be able to take advantage of the awesome work that the academic community is generating.
A: Awesome, yeah, absolutely, and that sounds great. And then, yeah, just to reiterate my update, I'm now getting into making some of those updates that I talked about in the previous meeting. I'm just cleaning up the repo a little bit and updating some of those blanket reviews that had a lot of sub-reviews in them, so we'll just break those down. And so I'm actually going to be working on that now for the rest of the meeting, but that's my main update there.
C: That means that I'm up. All right, so we had, once again, great effort, great progress on the risk dashboard. Michael Harvest joined our band, as did Sarah Evans, and, you know, a lot of good conversation came out of that. Michael will be looking at how we get... and I'm teasing this apart in my mind, so I have notes in front of me, but the next stage of how we bring in data and what that data looks like into the risk dashboard. Raul continues to plug away, you know, code-wise, and getting the actual look and feel and how we're actually ingesting the data, getting that together. So he's been phenomenal thus far. A couple of other things that have occurred as of late, and this is after the fact, this is as of yesterday: Bitergia and MITRE.

C: We got a couple of good contacts in both of those orgs, because I think what we were talking about in the meeting, too, was, is GitHub going to be the only place where we get our data from? And that's not... we wanted to be able to expand past that. So in that effort we reached out and got a couple of good contacts from Bitergia and MITRE so that we could better understand some of the things that they do in terms of getting more information, and maybe we can use those efforts or find a way that we can kind of do something similar, so we can get more data than just from GitHub. And then, of course, we'll bring that back into the SIG and discuss that at length and all of that.

C: But the exciting part about this is I've committed our SIG to produce something that we can actually put in front of OpenSSF Day, even, right? And, you know, not a full demo, but perhaps some mock-ups that we can put in front of OpenSSF Day and say, hey, this is where we're at thus far. And then, of course, by the middle of next month, going into the end of next month, we may be able... I mean, say may? No, we should be able to bring before this working group a workable demo of what we have, with everything, you know, enter a package into the search, this is the content that comes out of it, all that kind of stuff. And so we're really excited about that. We're moving full steam ahead. I'm really excited about what we're producing, and iteratively. My one comment was: don't let perfection be the enemy of putting something out. So we'll put something out. It won't be perfect, but it'll be something that we can do further releases on and everything else. But, like I said, we're moving full steam ahead on it, and it's an exciting effort at this point. If there are any questions, please, let's have them.
G: It's just really exciting to see this stuff moving forward. I'm looking forward to turning off the metrics infrastructure.
C: That's the other thing, so Raul was finally able to... he got access to the back end. So here shortly we'll be moving the metrics on openssf.org to a legacy metrics site, and openssf.org will be having a preview, preview dot metrics dot openssf, so you can preview the live thing, and I think that'll be in time for the demo, right. So once that happens, that'll be up, and, you know, that'll start the process of merging from the old into the new, and that, once again, is exciting, because of what we have coming.

C: What we have coming is... and, you know, we had a few questions on what kind of content will be present in it, and David happily answered that question, saying, hey, we're not going to be able to please all of the people all the time, some of the people some of the time. Absolutely, and iteratively, as we continue to improve upon it and do future releases. I will add, one of the things that we're teasing apart is the single maintainer, that bubble, because what that does to scores, how we think about scoring around single maintainers, that's still being teased apart, and that'll take a little bit of time to perfect as well. So I'm saying, not to say we understand, we're looking at it and we'll make sure that we do right by single maintainers as well.
G: So, you know, we've had just, you know, key pair signing, you know, for a while, but I think Sigstore's probably the better way to go. I really like the idea of keyless signing, so that you can just kind of trust the author by, essentially, email address. So that's kind of what we're experimenting with right now. I'm hoping to have something done early next week showing that, and then getting more assertions built out and talking about it more, and kind of... I still... We'll be in this kind of proof-of-concept dev environment for the next month or two, but then we can talk about what it means to make this thing a real thing and getting more contributors to it and all that stuff. If you guys haven't seen Assurance Assertions, it's bitly slash AssuranceAssertions, one word.

G: How should you report something privately to the maintainer, without, like, a human looking through different things and trying to find a signal somewhere? But the way that a human would do it isn't exactly, like, magical. So let's just script it and do the best we can. So I've got a script that I'll put... I'll upload somewhere in the next couple of days. But the idea is, you know, you give it a package URL, it goes out and looks at it, looks for signals. So if they have GitHub private vulnerability disclosures enabled, that should be the top... you know, that's the preferred mechanism. If they have a Tidelift contract, it should be Tidelift; otherwise, then we fall back to, like, scraping SECURITY.md files and every other, like, variation of a SECURITY.md file. I have Security Insights; it's aware of the Security Insights files. And then just email addresses in READMEs and npm and PyPI and everybody else. So the idea is, you know, just come out with a preferred ordering, you know, like most likely to least likely, and then it'd be up to some other tool to consume that to do something with it and say, you know, either send out emails or open up issues or whatever. So I think it's just something small and tiny, but I was surprised that I couldn't find anything else out there that did this.

G: Like, I mean, I could make it an OpenSSF repo. If somebody else thinks that would be useful, I could throw it someplace. I could throw it under, you know, Alpha-Omega or this working group or someplace. It doesn't really matter. I mean, I guess it probably should be published on PyPI, I guess, so that others could consume it pretty easily. But yeah, it'll be open sourced. It's just, like, the hood's up right now and there's, like, you know, stuff all over the floor. So sure, I'm gonna have it in a slightly better condition, but, like, by the end of the week it'll be up. Okay, thanks.

G: If we had a thousand other people, you know, to kind of help us, are there things that we should be doing?
A: I have kind of a half-baked idea, so apologies if it just sounds like a ramble, but one thing I've noticed or observed: it seems like there's a lot of really great efforts, and a lot of them seem to be kind of parallel or very similar. Like, even, for example, I'm just talking about, you know, a vulnerability disclosure policy, I start to think of the Google Project Zero vulnerability disclosure policy, which is, you know, a pretty well established and followed policy for this kind of thing, and I wonder if it would be possible to almost, like, map all of the great work being done, because I feel like lots of times some of the parallel efforts can almost build off of each other, or similar efforts can build off of each other. So again, yeah, sorry, this is kind of a half-baked thought slash idea, but I just wonder, or even if something like that exists, because I feel like lots of times we say, like, oh, wouldn't this thing be great, and then, you know, someone responds, oh, like, that already exists. And so, like, I wonder if, like, there's any way to map just all of the... both the great work being done, all the efforts being done and all the resources out there, so that they could be almost grouped or used in parallel, or, yeah. Just a thought. End of rant.
G: I could totally... I mean, the way I heard it is, like, it could just be a list of, like, you know, vulnerability disclosure policies, like OpenSSF, GPZ, like, you know, there's... come up with good ones, let's just add them. And then just kind of, you know, risk dashboards. Well, we've got everything, we've got, you know, Open Hub or... and, you know.

G: Yeah, I like it. It also sounds a little bit like who's doing what, like the reference architecture of, like, everything that we're doing, like, yes.
A: I was just thinking that I remember there being conversations of, yeah, basically mapping out all the different stuff, so that, you know, folks can understand, like, how working groups work together, for example, and kind of architecting, having, like, architecture reference documents for that. So, yeah, I wonder, maybe that's something that can then be incorporated into that architecture, like, what is the list of, you know, things that are being worked on in this working group, and then, if that could feed into, like, a larger list or something. But yeah, again, just brainstorming some thoughts. I didn't mean to take over the discussion, but, because...
B: You can blame me and the Diagrammer Society. I'm the one who created the first version of this, and then it went into the hopper of the Diagrammer Society, who beat it up and improved it, cleaned it up, put in things that I hadn't put in there, and, you know, in a pure open source way, all the hands in there made it better than any one of us, yeah.
G: I think it's, like, I know, orthogonal or, like, adjacent to it, but, like, for example, like, Sigstore. You know, what are the other things that are like Sigstore that are not Sigstore? And, you know, supply chain attack taxonomies, like, I'm sure... a taxonomy, and that way we put ourselves in contact with things that are way outside of OpenSSF.

G: So let's do this. For fear of, like, jumping right into implementation, let's... do we want to just start a doc and see if there's enough meat in the idea that the doc looks interesting, and then, if the doc looks interesting, then we'll find the right place, the right repo, or get it to the Diagrammer Society and things like that with a little bit of meat on it? Or do we want to go to them and say, hey, do you think this is a good idea first, or do we want to do anything with it?
A: Quick question, Jay, when you were referring to the academic paper, were you referring to the threats, mitigations and risks in the open source ecosystem paper?
C: Yeah, I mean, very well written, you know, albeit at the time of its publishing. That also has a lot of room to... with some of the stuff that we do here, especially from an end user's perspective, if you're thinking about the taxonomies, the taxonomy of attacks and threat vectors, not to threat models and everything else. This is actually, you know... but this, from an academic standpoint, gives us a foundation to talk about taxonomies across the board. So, I mean, look, give it a read. I'll put the link here.
H: So I looked into the paper. This was submitted to IEEE S&P, but it was not accepted, so I don't know what the reason is or anything, but we just wanted to... take it with a grain of salt. It's not published.
C: Just like all academic papers, I mean, sometimes it's mostly written from a theoretical perspective, and not necessarily all heavy practical. I mean, you have your methodology that you're going to use, right, either a quantitative or qualitative methodology, but I believe here they used a blend between the qualitative and the quantitative methodology to write this. But when you consider, you know, the tool you use, I mean, you know, it's not... you're not surveying a bunch of practitioners who are then providing, you know... Your taxonomies are always hard, because everybody has their own, yeah.

C: Do you have a link there? I was going to read it. I needed, of course, for me, I needed to have a couple of these tall boys of coffee for me to read it, and I, you know, it's been a while since the days when I was gung-ho, right, in my dissertation, when I sucked down articles and scholarly stuff, and it was towards that finish line; after that I kind of brain-dumped anything related to trying to read something. So I needed a couple of tall boys of coffee to get through it. But... And what's the name of that donut shop? There's a donut chain in Canada that I can't ever remember the name of. Tim.

C: I just want a donut, not, you know... I don't eat that kind of stuff, but a donut just to say I had one. So, preferably if it has, like, the Oreo cookies on top. I saw this one, this place called Voodoo Donuts. I happened to be at Universal Studios. I don't get on rides or anything, we don't do any of that, but I walked around, I saw this place called Voodoo Donuts.
H: So let me fill the space a little bit. So there's one thing that we did, which was the maintainer summit, and the report is due. It's actually past due, but, I mean, there's been a dramatic drop of enthusiasm after the event. So right now it's, like, myself and Emily who are, I would say, actively working on it, but yeah, we're making some progress on it. We expect... we promised some people that we should be done by April 15. I think we might be off by a few days, but yeah, it should be around that time. So it's basically a summary of what we understood from that particular event and some recommendations that, from our perspective... we initially planned it to be a collaborative perspective, but it's probably going to be just a couple of people's perspective. But then, yeah, we would like to have feedback on that.

H: So that's something that we are doing right now and should be coming soon. There's one other thing that Yesenia and myself planned. So we did a pre-event survey before that particular event, and there were some really... questions that appeared to be pretty relevant and should be asked of a broader audience. So we planned a broader survey of practices that are followed by open source security maintainers. So I created that survey some time ago and was finding out the logistics, like, as in whom to call. Initially we thought that we could probably have... I think she can tell better, but initially we thought that we could probably have, like, the Linux Foundation members, they can be reached and stuff, but there probably was some issue regarding that, so it would have to be dialed down to a scale that we can manage. So it's not going to be, like, a really big scale, but we'll send it out, and that's something that's upcoming. I think we discussed it earlier at some point in this group and not in the Alpha-Omega group. So that's why I'm bringing it here. But that's, like, we just... so Yesenia just published the survey on Google, or created that survey on Google Docs, so we should be sending that out soon. And so that's something that, yeah, we are also really excited about, and hopefully we'll get some interesting results on this that we can share in a couple of months. Also awesome.
G: Let's see, okay, so sorry for the doc, we've been adding links to it. Does it... do we feel like there's... do we feel like we have an opinion on it yet, on what to do, like... tilt the scale? But, I mean, it looks like this could grow into a pretty neat list.
A: My immediate thought is, is there something else like this also? Because I think that's, if that's the inspiration for this, right? So, but I do think it would be just so helpful for folks to just be like, you know, what are all the resources on this topic, for example, and then, or what are all the efforts being done in this space?
G: Blah blah blah blah, here's a link to the actual GPZ, you know, thing. And that way each of these are... maybe it can just be a list.

G: Okay, let's do that. Let's feel free to just add stuff to this list over the next two weeks, and in two weeks we'll decide whether or not it's in good enough shape to get to the Diagrammer Society with a, you know, recommendation to, like, publish it or maintain it or something, and if they don't want to, we could too. Like, it doesn't seem like a huge lift. Cool. And the last thing, I was just looking through... a couple weeks ago we talked about URL parsing ambiguities, where, you know, urllib3, you can trick it into, you know, parsing it one way, and the Java equivalents do it slightly different, and Node does it slightly different. So if you are unaware of the gotchas and the footguns in there, you could be validating things like, you know, OAuth return URLs incorrectly and make security decisions based off of that. So the thought, if I recall, was to come out with a pretty simple, you know, website, app, whatever thing that essentially ran... you know, you gave it a URL and it would run, you know, 20 different URL parsers and show you the differences, and then kind of use that as a playground and as a teaching moment for, you know, that these things are different and are worthy of paying closer attention to.
E: I started with npm, so probably I can at least finish npm and then I can move to other ecosystems, probably Python, because I know it better than others, and then we can see, and also Java. I also wrote to Oracle just to know, yeah, I sent... there is this behavior because they have two standard library classes, URL and URI, and I mean my expectation is that URL is a subset of URI. So technically, if the URL works one way, the URI should do exactly the same, but they're different.
G: Yeah, kind of the way I was thinking about this was, you know, we have a repo with a bunch of different Dockerfiles, each Dockerfile containing, like, either... this is going to be a Node version X. And then people just add more Dockerfiles, so we have, you know, whatever, we have 500 of them, it doesn't matter. And then, as part of the script, it just goes through each one, and they all have, like, a well-defined interface, so you just, like, pass the URL to it and you get back a dictionary of, like, you know, the hostname was found to be this, and the fragment, and that way you can run them all and then see all the... see.

G: I don't think... you know what, it could work if you have kind of a complex system where one system over here is Java and it's validating something and then sending it over here, and this one's doing it different, and, like, it should usually fail closed, but maybe they fail open and they're... you know, I think the bigger issue, though, is that if we go to, let's say we find out that Java and Python do it differently for whatever reason, and we go to Java and we're like, you guys do it different from Python, and they're like, yep, and we go to Python, so you guys are doing it different than Java, and they're like, yep. Like, that's great, but, like, only... we know that having, you know, this kind of website, dashboard, app, whatever, showing that, like, everybody's the same except for, you know, pick on, you know, one library, that probably means a lot: the library is doing it wrong, versus everybody's doing something slightly differently with, like, you know, double slashes or something, in which case it's not really clear that there... and maybe there's a gap for the standard. So really it's more, I think, to flesh out, to understand the problem better.

G: Cool, we're at time. Thank you all very much. Again, sorry for being late. Thank you for carrying on, and have a great rest of your week, and I'll see you guys in two weeks, and I hope to see many of you in Vancouver.

G: Here, the link is in chat. Thank you, just do that and use that one, ever, just to, like, nail me down to a specific time. Okay, thank you. Awesome. Thanks all.