►
From YouTube: OpenSSF Identifying Security Threats WG (April 12 2023)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
A
D
C
It's
a
it's
a
lot.
It's
a
lot.
If
I
could
tell
you
that
by
the
time
Friday
comes
like
I,
I
have
to
I
have
to
front
load
all
my
meetings
and
I
and
I'm,
not
even
joking,
like
Wednesday
at
about
two
o'clock
I
have
that
two
o'clock
I
I'm
telling
you
cameras
off
because
nine
times
out
of
ten
I
am
dozing
off
in
that
meeting
I'm
my
eyes
are
closing
I'm
I'm
slumped
over
Thursday
comes
I'm,
like
oh,
my
God.
How
many
meetings
do
I
have
today?
What
is
this?
Friday
comes.
C
E
When,
when
Michael
is
not
here,
I,
usually
I
just
opened
the
document
I
start
to
try
to
well
to
organize
I
call
a
meeting,
and
usually
they
would
write
the
meeting
notes,
because
it
is
definitely
better
the
meter
right
meeting
now.
So
thank
you
so
well.
I
think
that
we
can
wait
just
two
minutes
to
see
if
someone
has
a
join
in
time
for
the
meeting.
Otherwise
we
can
start
from
the
meeting
notes.
I
can
share
the
link
in
one
second.
F
D
E
E
Okay,
I,
don't
know
if
you
have
just
choose
this
working
group
randomly
or
if
you
have
already
a
background
about
Tower
previous
project
anyways.
The
this
working
group
started,
the
the
identify
security
threats
started
now,
I
guess
two
years
ago.
Writing
a
document
where
we
have
tried
to
identify
all
the
security
risk
and
the
threat
that
you
can
have.
E
If
you
have
an
open
source
project
and
you
try
to
deploy
it
in
production,
where
production
means
a
packet
manager
or
just
to
distribute
it
in
another
form,
and
then
we
started
to
to
work
on
other
projects
like
the
metric
dashboard.
That
now
is
deprecated,
but
it
was
a
first
attempt
to
aggregate
metrics
from
scorecard,
but
not
only
in
in
an
online
dashboard
based
on
grafana
that
you
can
use
to
evaluate
or
compare
different
open
source
projects
using
the
same
metrics.
E
Then
from
this
working
group
with
the
project,
Alpha,
Omega,
Alpha
and
Omega
started.
It
is
a
very
big
project.
Now
have
a
total
different.
Well
now
they
have
more
people
that
work
focus
on
it.
So
we
receive
updates
in
this
working
group.
We
talk
about
Alpha
Omega,
but
there
are
better
channel
in
slack
that
you
can
use
to
monitor
that
project
the
initially
it
was
a.
E
A
Yes,
absolutely
thank
you.
Luigi
Security
reviews
is
a
GitHub
repo
meant
to
collect
data
on
relevant
research
or
Security
reviews
done
on
open
source
projects,
and
the
intention
for
that
also
is
to
feed
into
other
things
like
the
metrics
dashboard
and,
if
I'm,
no,
that's
not
in
the
in
the
security
scorecards,
yes
in
the
metrics
dashboard,
namely
so
folks
can
you
know
who
are
doing
any
kind
of
due
diligence
or
research
or
looking
into
a
project,
can
see.
A
You
know
whether
it
has
undergone
a
third-party
Security
review
or
security
audit,
namely
audits
that
have
you
know,
public
reports
that
can
be
viewed
so
we're
working
on
curating.
That
kind
of
collection
of
security,
reviews
and
audits
done,
I
guess,
while
I
have
the
mic,
I
will
quickly
update
the
group
that
I
have
not
been
able
to
make
those
updates
just
yet
that
I
had
planned
on
doing
to
the
repo
to
kind
of
clean
it
up
a
little
bit.
A
E
And
then
there
is
the
security
size.
That
is
another
project
where
we
are
trying
to
define
a
specification
that
can
add
maintainers,
user
and
scanner
to
collect
information,
and
probably
I
am
forgotten.
Other
project
people
feel
free
to
share
more
information,
because
if
I
don't
know
if
I
forgot
something,
but
that
is
these
are
a
couple
of
the
last
few
years
and
cool
I
think
that
we
can
start.
E
E
Okay,
no
objection.
We
can
start
okay
about
the
security
insights
I
have
some
updates.
Jonathan
is
helping
me
with
a
lot
of
questions
and
good
comment
and
feedback
to
try
to
improve
the
security
insights.
In
particular,
he
seems
to
be
interested
in
the
in
the
keys
that
can
Define
how
a
scanner
or
researcher
can
open
pull
requests
in
an
automatic
way,
because
it's
very
good
to
automate
security
issue
or
security
request
to
mitigate
vulnerabilities
to
a
large
scale,
but
not
all
the
maintainers
are
happy.
E
So
probably
this
file,
this
specification
can
help
to
connect
maintainer
to
Define
how
they
want
to
receive
help
by
the
the
community,
not
just
with
the
policy,
so
the
security,
but
also
adding
more
granularity
to
to
the
request.
In
particular,
we
have
a
true
wait.
A
second
I
can
find
the
link.
We
have
two
PR
that
are
in
review.
E
One
is
to
support
the
package
URL
and
one
is
to
add
more
morganularity
on
how
we
how
the
maintenance
get
defined
if
they
want
to
have
or
not
the
Bots
in
a
has
helper
or
something
similar.
There
is
an
interesting
point
in
that
in
a
discussion
in
issue.
Discussion,
I
think
this
one
yeah
about
this
bomb
sbm,
because
at
the
moment,
apparently
there
is
no
or
I
am
pasting.
The
link
in
the
Google
Doc
in
the
meeting
notes.
But
this
is
the
issue.
E
Every
different,
Community
or
project
use
a
a
different
way
to
store
or
to
publish
and
share
the
spam
files,
and
maybe
this
is
something
that
in
the
future,
we
want
to
be
sure
that
open
ssf
can
handle
have
to
handle
it
yeah,
because
otherwise
we
are
asking
to
maintainers
to
create
bomber.
We
see
the
value
was
bomb,
but
it's
not
so
easy.
It's
a
manual
task
to
find
them
that
is
annoying,
and
that
is
for
the
security
insights
for
the
availability
disclosure
policy.
E
There
are
just
few
comments,
happen.
I
guess
three
three
thread
open
and
one
is
about
the
name
because
it's
I
mean.
That
is
a
question
also
for
you,
because
there
is
a
my
my
comment
to
your
own
suggestion.
Is
we
want
to
name
it
vulnerability,
disclosure
policy
or
not?
For
me,
it's
okay!
The
point
is
that
we
have
another
vulnerability
disclosure
policy,
but
with
a
different
intent
and
scope.
E
D
E
E
So
if
there
are
any
opinion
about
the
name,
because
in
the
in
the
issue,
I
named
it
the
security
policy,
just
because
it's
it
is
similar
to
the
security.md,
but
it
is
also
famous
in
other
I
mean,
especially
in
the
website,
has
coordinated
the
vulnerability
disclosure
policy.
But
we
have
also
another
issue
where
we
are
trying
to
introduce
disclosure
policy.
That
is,
the
name
is
very
similar,
but
the
scope
is
quite
different.
E
One
is
on
how
open,
ssf
researcher
communicate
with
the
maintenance
about
vulnerability
and
share
than
in
a
public
way
and
the
other
one
the
the
possible
that
time
trying
to
write
is
on
how
the
researcher
can
communicate
to
us.
The
vulnerability
that
we
have
so
I
have
no
strong
opinion
about
the
nomenclature,
but
it's
very
easy
to
confuse
them.
E
Don't
worry,
we
were
talking
about
the
nomenclature
for
vulnerability
disclosure
policy,
because
we
have
now
two
policies
with
the
same
name
and
it's
not
I
mean
initially
I
suggested
security
policy
for
the
unability
disclosure
policy,
where
the
receptors
and
has
the
report
David
suggests
just
vulnerability.
Describe
her
policy.
I
have
no
strong
opinion,
but
maybe
we
want
to
avoid
confusion
so.
D
C
B
B
E
B
G
B
E
A
B
All
right,
so,
basically
all
right.
So
let
me
add
this
to
the
notes
inbound
since
there's
an
outbound
policy
and
make
it
clear:
that's
the
scope
in
title:
that's
the
scope!
Sorry
I
I,
just
I
can't
do
two
things
at
one.
Well,
sometimes
I
can
but
I'm
having
trouble
right
now,
all
right
yeah
so
for
Security
reviews,
I
have
a
quick,
quick
note
and
a
and
a
a
and
a
bank.
Okay,
so
I
have
a
grad
student
who's.
B
Doing
a
brief
review
of
a
particular
open
source
program,
a
bit
Warden.
It
doesn't
matter
specifically,
but
you
know
he,
you
know
he
he's
newer.
So
he's
not
going
to
be
able
to
do
the
in-depth
that
some.
You
know
somebody
who
does
this
professionally,
but
you
know
what
more
review
more
review.
The
more
folks
look
at
these
things
with
different
and
share
exactly
what
they
did,
the
more
that
other
people
can
build
on
that.
B
So
I
would
encourage
anybody
else
if
you're
in
an
academic
setting
where,
particularly
for
whatever
reason
a
grad
student
is
going
to
be
reviewing
soft
open
source
software
for
security
anyway,
you
know
and
gonna
be
writing
up
something
about
it.
Please
ask
them
to
note
it
and
Security
reviews,
so
that's
just
a
a
bag
to
others.
B
I
I
I
get
to
beg,
I
get
to
I'm
jokingly,
saying
I
get
to
abuse
my
students
I.
Don't
hopefully
don't
really
do
that,
but
you
know
I
I
get
to
oversee
the
awesome
work
that
they
do
and
if
they're
going
to
do,
the
work
I
want
others
to
be
able
to
take
advantage
of
the
awesome
work
that
the
academic
Community
is
generating.
A
Awesome
yeah
absolutely
and
say
that
sounds
great
and
then
yeah
just
to
to
reiterate
my
update
I'm
now
getting
into
making
some
those
updates
that
I
talked
about
on
the
previous
meeting.
I'm
just
cleaning
up
the
repo
a
little
bit
and
updating
some
of
those
those
blanket
reviews
that
had
a
lot
of
sub
reviews
in
them,
so
we'll
just
break
those
down
and
so
I'm
actually
going
to
be
working
on
that
now
for
the
rest
of
the
meeting.
But
that's
my
main
update
there.
E
C
You
know,
code
wise
and
getting
getting
a
getting
the
actual
look
and
feel
and
and
how
we're
actually
ingesting
the
data
getting
that
together.
So
he
he's
he's
been
phenomenal,
thus
far,
a
couple
of
other
things
that
have
occurred
as
of
late
and
that-
and
this
is
after
the
fact
this
is
as
of
yesterday
bitterjia
and
miter.
C
So
in
that
effort
we
reached
out
and
got
a
couple
of
good
contacts
from
venturjia
and
and
miter
so
that
we
could
better
understand
some
of
the
things
that
they
do
in
terms
of
getting
more
information,
and
maybe
we
can
use
those
efforts
or
find
a
way
that
we
can
kind
of
do
something
similar.
So
we
can
get
more
data
from
just
than
just
from
from
GitHub
and
then,
of
course,
we'll
bring
that
back
into
the
Sig
and
discuss
that
at
LinkedIn
and
all
of
that.
C
But
the
exciting
part
about
this
is
I've
committed,
our
our
sake
to
produce
something
that
we
can
actually
put
in
front
of
open
ssf
day,
even
right
and-
and
you
know
not
a
full
demo,
but
but
perhaps
some
mock-ups-
that
we
can
put
and
open
that
stuff.
They
say
hey.
This
is
where
we're
at
this
far
and
then,
of
course,
by
the
middle
of
next
month,
going
into
the
end
of
next
month.
C
We
may
be
able
I
mean
say:
may
no,
we
we
should
be
able
to
bring
before
this
working
group
a
workable
demo
of
of
of
what
we
have
with
with
every
everything
you
know
you
know
enter
into
the
search
of
package.
This
is
the
content
that
comes
out
of
it
all
that
kind
of
stuff,
and
so
so
we're
really
excited
about
that.
We're
moving
full
steam
ahead,
I'm
really
excited
about
about
what
we're
producing
and
and
iteratively
I
I.
C
My
my
one
comment
was:
don't
let
Perfection
be
the
enemy
of
of
putting
something
out,
so
so
we're
gonna.
You
know
we'll
put
something
out.
It
won't
be
perfect,
but
it'll
be
something
that's
something
that
we
can
do
further
releases
and
everything
else,
but
we're
like
I,
said
we're
moving
full
steam
ahead
in
it
and
it's
an
exciting
effort,
exciting
efforts
at
this
point.
G
B
C
That's
the
other
thing
so
so
Raul
was
able
to.
Finally,
he
got
he
got
access
to
the
to
the
back
end.
So
here
shortly
we'll
be
moving
the
metrics
to
open
ssf.org
to
a
legacy
metrics.
The
openness
of
organ
will
be
having
a
preview,
a
preview,
dot,
metrics
dot
open.
So
you
can
preview
the
live
thing
and
I
think
that'll
be
in
time
for
the
demo
right.
C
I
will
add
one
of
the
things
that
we're
teasing
apart
is
the
single
maintainer
of
the
single
maintainer
that
that
that
that
bubble,
that
because
it,
what
that
does
to
scores
how
we
think
about
scoring
around
single
maintainers,
that's
still
being
teased
apart
and
that'll,
take
a
little
bit
of
time
to
perfect
as
well.
So
so
we
we
so
I'm
saying
not
to
say
we
understand
we're
we're
looking
at
it
and
and
and
we'll
make
sure
that
we
do
right,
buy
single
maintainers
as
well.
C
G
A
G
We'll
be
in
this
kind
of
proof
of
concept,
Dev
environment
for
the
next
month
or
two,
but
then
we
can.
We
can
talk
about
what
it
means
to
make
this
thing
a
real
thing
and
getting
more
contributors
to
it
and
all
that
stuff,
you
guys
haven't
seen
Assurance
assertions.
It's
it's
bitly,
slash,
Assurance
instructions.
One
word.
G
So,
let's
just
script
it
and
do
the
best
we
can
so
I've
got
a
script
that
I'll
put
on
I'll
upload
somewhere
in
the
next
couple
days.
But
the
idea
is,
you
know
you
give
it
a
you,
go
to
package
URL,
it
comes
out
and
looks
at
it
looks
for
signals.
So
if,
if
they
have
GitHub
private
vulnerable
disclosure,
disclosures
enabled
that
should
be
the
top
Mech
that
you
know,
that's
the
preferred
mechanism.
G
If
they
have
a
tide,
lift
contract
should
be
tidelift
otherwise,
and
then
we
fall
back
to
like
scraping
security,
ND
files
and
every
other
like
variation
of
a
security
MD
file.
I
have
security
insights,
it's
aware
of
the
security
insights
files
and
then
just
email
addresses
in
readme's
and
npm
and
pie
pie
and
everybody
else.
So
the
idea
is,
you
know,
just
come
out
with
a
preferred
ordering.
G
You
know
like
most
likely
to
least
likely
and
then
it'd
be
up
for
some
other
tool
to
consume
that
to
do
something
with
it
and
say
you
know
either
send
out
emails
or
open
up
issues
or
whatever
so
I.
Think
it's
just
something
small
and
Tiny
But
I'm
I
was
surprised
that
I
couldn't
find
anything
else
out
there.
That
did
this.
G
G
G
It
doesn't
really
matter,
I
mean
I,
guess
it
probably
should
be
published
as
a
published
on
Pi,
Pi
I,
guess
so
that
others
could
consume
it
pretty
easily,
but
yeah
I
did
it'll,
be
open
sourced.
It's
just
like
the
the
the
hoods
up
right
now
and
there's,
like
you,
know,
stuff
all
over
the
floor,
so
sure
I'm
gonna
have
a
slightly
better
condition
but
like
by
the
end
of
the
week,
it'll
be
up.
Okay
thanks.
H
G
C
G
E
E
A
A
This
is
kind
of
a
Half
Baked
thought,
slash
idea,
but
I
just
wonder,
or
even
if
something
like
that
exists,
because
I
feel
like
lots
of
times,
we
say
like
oh
like.
Wouldn't
this
thing
be
great,
and
then
you
know
someone
responds
oh,
like
that
already
exists,
and
so
like
I,
wonder
if,
like
there's
any
way
to
map
just
all
of
the
both
the
great
work
being
done,
all
the
efforts
being
done
and
all
the
resources
out
there
so
that
they
could
be
almost
grouped
or
used
in
in
parallel
or
yeah.
G
G
I
could
totally
I
mean
it
it
the
way,
I'm
the
way
I
I
heard
it
is
like
it
could
just
be
a
list
of,
like
you
know,
vulnerability
disclosure
policies
like
open,
ssf
GPZ,
like
you
know,
there's
come
up
with
good
ones,
let's
just
add
them
and
then
just
kind
of
you
know
risk
dashboards.
Well,
we've
got,
we've
got
everything,
we've
got,
you
know
open,
open,
Hub
or,
and
you
know.
G
A
A
So
yeah
I
wonder,
maybe
that's
something
that
can
then
be
incorporated
into
that
architecture
like
what
are
the
list
of
you
know
things
that
are
being
worked
on
in
this
working
and
then,
if
that
could
feed
into
like
a
larger
list
or
something
but
yeah
again,
just
just
brainstorming.
Some
thoughts
I
didn't
mean
to
to
to
take
over
the
discussion,
but
because.
A
F
G
G
G
So
so,
let's,
let's
do
this
I
I
for
fear
of
like
jumping
right
into
into
implementation?
Let's
do
we
want
to
just
start
a
doc
and
see
if
there's
enough
meat
in
the
idea
that
the
doc
looks
interesting
and
then,
if
the
doc
looks
interesting,
then
we'll
we'll
find
the
right
place,
the
right
repo
or
get
it
to
the
diagram
of
society
and
things
like
that
with
a
little
bit
of
meat
on
it
or
do
we
want
to
go
to
them
and
say
hey?
A
D
D
A
F
F
C
That
also
has
a
lot
of
room
to
with
some
of
the
stuff
that
we
do
here,
especially
from
an
end
user's
perspective,
if
you're
thinking
about
the
taxonomies
and
the
taxonomy
of
attacks
and
threat
vectors,
not
a
threat
to
threat
models
and
everything
else,
this
is
actually
you
know,
but
this
is
this
from
an
academic
standpoint
gives
us
a
foundation
to
talk
about
taxonomies
across
the
board,
so
I
mean
look,
give
it
a
read.
I'll
put
the
link
here.
H
C
Just
like
all,
just
like
all
academic
academic
papers,
I
mean
sometimes
it's
mostly
written
from
a
theoretical
perspective,
and
not
necessarily
all
heavy
heavy
practical
I
mean
you,
you
have
a
you,
have
a
you,
you
have
your.
You
have
a
methodology
that
you're
going
to
use
right
at
your
either
quantitative
or
qualitative
methodology,
but
I
believe
here
they
use
the
pretty
they
use
the
they
used
a
blend
between
the
qualitative
and
the
quantitative
methodology
to
write
this.
C
H
C
C
For
me
to
read
and
I,
you
know
it's
been
a
look
since
since
the
days
when
I
was
gung-ho
right
in
my
dissertation
when
I,
when,
when
I,
when
I
I
sucked
down
articles
and
scholarly
stuff-
and
it
was
towards
that
finish
line
after
that
I
kind
of
brain
dumped,
anything
related
to
trying
to
read
something
so
I
needed
a
couple
of
tall
boys
of
coffee
to
get
through
it.
But
but.
C
A
C
Just
I
just
want
a
donut,
not
you
know:
I
I,
don't
I,
don't
eat
that
kind
of
stuff,
but
a
donut
just
to
say:
I
had
one
so,
preferably
if
it
has
like
the
the
Oreo
cookies
on
top
I
saw
this
one.
This
place
called
Voodoo,
Donuts,
I
I
was
I
happen
to
be
at
Universal,
Studios,
I,
don't
get
on
rides
or
anything.
We
don't
do
any
of
that,
but
but
I
walked
around
I
saw
this
place
called
Voodoo
Donuts.
C
B
H
So
let
me
feel
the
space
a
little
bit
so
there's
one
thing
that
I
that
we
did
was
the
the
maintainer
summit
and
the
report
is
due.
It's
actually
passed
you
but
I
mean
there's
been
a
dramatic
drop
of
enthusiasm
after
the
event.
So
right
now,
it's
like
myself
and
Emily,
who
are
I
I,
would
say
like
actively
working
on
it,
but
yeah
we're
making
some
progress
on
it.
H
We
expect
we
promised
some
people
that
we
should
be
doing
by
April,
15
I
think
we
might
be
off
by
a
few
days
but
yeah.
It
should
be
around
that
time.
So
it's
it's
basically
a
summary
of
what
we
understood
from
from
that
particular
event
and
some
recommendations
that,
from
our
perspective,
we
initially
plan
to
be
a
collaborative
perspective,
but
it's
probably
going
to
be
just
a
couple
of
people's
perspective,
but
then
yeah.
We
would
like
to
have
feedback
on
that.
H
So
that's
something
that
we
are
doing
right
now
and
should
be
coming
soon.
There's
one
other
thing
that
Yesenia
and
myself
we
are
we
planned.
So
we
did
a
pre-event
survey
before
that
particular
event,
and
there
were
some
really
a
question
that
appeared
to
be
pretty
relevant
and
should
be
asked
in
a
broader
audience.
So
we
planned
a
broader
survey
of
practices
that
that
are
followed
by
open
source
security,
maintainers,
so
I
created
that
service
sometime
ago,
foreign
was
finding
out
the
the
logistics
like
as
in
whom
to
call.
H
Initially
we
thought
that
we
could
probably
have
I
think
she
can
tell
better.
But
initially
we
thought
that
we
could
probably
have
like
the
Linux
Foundation
members.
They
can
be
reached
and
stuff,
but
there
probably
was
some
issue
regarding
that,
so
it
would
have
to
be
dialed
down
to
a
scale
that
we
can
manage.
So
it's
not
going
to
be
like
a
really
big
scale,
but
we'll
we'll
send
it
out
and
that's
something
that's
upcoming,
I
I
think
we
discussed
it
earlier
at
some
point
in
this
group
and
not
in
the
alpha
omega
group.
H
So
that's
that's.
Why
I'm
bringing
it
here,
but
that's
like
we,
we
just
so
you
see
me
just
published
the
survey
and
in
on
Google
or
created
that
server
on
Google
Docs,
so
we
should
be
sending
that
out
soon
and
and
so
so
that's
that's
something
that
yeah.
We
are
also
really
excited
about,
and
hopefully
we'll
get.
Some
interesting
results
on
this
that
we
can
share
in
a
couple
of
months.
Also
awesome.
E
G
A
G
C
G
H
G
You
can
trick
it
into.
You
know
parsing
it
one
way
and
the
Java
Java
equivalents.
Do
it
slightly
different
and
no
does
it
slightly
different?
So
if
you
are
unaware
of
the
gotchas
and
the
the
foot
guns
in
there,
you
could
be
validating
things
like
you
know:
oauth
return,
URLs
incorrectly
and
make
security
decisions
based
off
of
that.
So
the
the
thought,
if
I
recall,
was
to
come
out
with
a
a
pretty
simple.
You
know
website
app.
E
E
I
started
with
the
npm,
so
probably
I
can
at
least
finish
10
pm
and
then
I
can
move
to
order
ecosystem,
probably
python,
because
I
know
it's
better
than
other,
and
then
we
can
see
and
also
Java
I
I,
also
written
to
Oracle,
just
to
know
yeah
I
sent
a
there
is
this
Behavior
because
they
have
two
standard,
Library,
URL
and
URI
and
I
mean
my
expectation
is
that
the
URL
is
a
subset
of
Uris.
So
technically,
if
you
are
working
a
way,
the
same
should
do
the
URI
and
X
exactly
but
they're
different.
G
H
G
And
then
people
just
add
more
Docker
files,
so
we
have
you
know
whatever
we
have
500
of
them.
It
doesn't
matter
and
then,
as
part
of
the
script,
it
just
goes
through
each
one
and
they
all
have
like
a
well-defined
interface.
So
you
just
like
pass
the
URL
to
it
and
you
get
back
a
a
dictionary
of
of
like
you
know.
The
host
name
was
found
to
be
this
and
the
fragmented,
and
that
way
you
can
run
the
mole
and
then
see
all
the
see.
H
G
I
I,
don't
I,
don't
think
you
know
what
it
could
it
could
work
if
you
have
a
kind
of
a
complex
system
where
one
system
over
here
is
Java
and
it's
validating
something
and
then
sending
it
over
here
and
this
one's
doing
it
different
and
like
like
it
should
usually
fail
closed,
but
maybe
they
fail
open
and
they're.
You
know
I
think.
G
The
bigger
issue,
though,
is
that
if
we
go
to,
let's
say
we
find
out
that
Java
and
python:
do
it
differently
for
whatever
reason
and
we
go
to
job
and
we're
like
you
guys,
do
it
different
from
Python
and
they're
like
yep,
and
we
go
to
python,
so
you
guys
are
doing
it
different
than
Java
and
they're
like
yep,
like
that's
great,
but
like
only.
We
know
that
having
having
the
you
know
this
kind
of
website
dashboard
app
whatever
showing
that
like
everybody's
the
same
except
for
you
know
a
pick
on.
G
You
know
one
one
Library
that
probably
means
a
lot.
The
library
is
Doing
It,
Wrong
versus
everybody's,
doing
something
slightly
differently
with,
like
you
know,
double
slashes
or
something
in
which
case
it's
not
really
clear
that
that
there
and
maybe
there's
a
gap
for
the
standard.
So
so
really
it's
more
I
think
to
flesh
out
to
understand
the
problem
better.