From YouTube: Memory Safety Sig (April 27, 2023)

D: Hello, sorry, it's...

F: Sorry, now was it on me to update? Was it on me to update the repo? I can't remember.

C: Go ahead and check out the doc. Thank you. Whoever is copying and pasting from... oh, thank you, Abhishek, from last time; I'm going to go ahead and accept that suggestion. Please go ahead and add yourself to the list of attendees.

C: All right, for those who just joined, because Zoom does weird stuff with chat, I am going to share our meeting agenda doc again. Come on in and add yourself to the attendees, and we will go ahead and get started.

E: Oh, okay, there we go.

C: All righty, well, let's go ahead and get started. It is five after. Hello, everyone, and welcome to another of our every-other-week meetings of the OpenSSF Memory Safe Languages Special Interest Group. I know we have at least one, possibly two, new people here today.

C: So let's just do a very brief round of introductions: who you are, who you work with, and just one sentence about your interest in this stream. I'll go ahead and start off. I'm Nell Shamrell-Harrington. I'm a principal engineer here at Microsoft and I...
B: Hey everybody, I'm CRob. I work with stuff on the internet. I officially work for Intel as the Director of Security Communications, but I spend a lot of time here upstream at the OpenSSF and other industry groups. I lead the Developer Best Practices Working Group, of which this SIG is a new and vital member.

C: Go to Gabby next. Okay.

C: Awesome, let's go to Jay.

F: Hi, I'm Jay. I work in the Open Source Strategy and Ecosystem team at Microsoft. I do not write code, although I have written some shellcode back in the day for the purposes of breaking people's code. You guys are welcome. Aside from that, I work heavily here in the OpenSSF. I also sit in CISA VEX working group meetings and any other meeting I'm told to sit in, you know, and I do my best to do work in these meetings too. I shrug.

A: Good afternoon. I'm a long-time, a believer in... got my little stuffy here, so.

A: IBM Research since forever. I started ethical hacking there in the mid-90s. I had a good old time with that, got bored real fast, started doing more advisory stuff after I was director for a while; that's boring, you don't get to touch code. So now I do mostly fooling around with government, trying to advise them.

A: You know, "yeah, that's a good idea, but it won't work," that sort of thing. And I also am a long-time professor at Dartmouth, since the mid... I guess 2008, teaching software design, stuff like that. And I am an avid Rustacean wannabe; I'm after it and working hard, and I've got Dartmouth convinced that we need to shoot C and go with Rust.

A: But it's an evolution, so we're getting there. And I'm here because I spent a lot of time with the ESF, the Enduring Security Framework, which is a joint industry, academia (mostly industry) and government effort trying to look around the corner. We're, you know, working on SBOMs and all these... everything else everybody is working on, and I'm trying to push them towards memory safe as well. So that's...
H: I work in the Open Technologies Group in IBM. I do a lot around open source clearance and cybersecurity, and I'm wherever I can be in the OpenSSF. You heard my comments the previous call: basically, I want to make sure that the conversation is not binary, you're memory safe or not, understood, and that with all the legacy languages companies have that we know, and I see...

H: You know, some things done with C and C++ and things like that, that we have a better story than, like in the metrics dashboard, saying you failed or you passed based upon just language usage.

C: Of course, last but not least, Randall.

I: Hi, I'm Randall. I work at LF. I am manager of educational content and certifications, specifically pretty much everything that has to do with cybersecurity at this point. So, and that is my new title as of yesterday. Awesome, I'll tell you.

J: Hi, I'm Jeff Borek and I work in open source at IBM. I have been involved in open source for over a decade and have been responsible for the open source license clearance, or the security risk management, or rather the intellectual property risk management, at IBM for the last eight years. But I've been concerned about the overall security of the open source ecosystem, so I got involved early with the various players to help establish the 1.0 version of the OpenSSF, and I'm happy to see it making continued progress.

C: Cool, well, very glad to have everyone here. We've got a good meeting of the minds. Let's go ahead and move on to the next item on the agenda, which is: I am incapable of talking and taking notes at the same time, so I'm wondering, if it's true... I'm wondering if someone might be willing to be the scribe for this meeting. It's something we will rotate through from meeting to meeting.

C: Obviously, thank you. Thank you, appreciate it very much, and we'll rotate it to someone else next time. All right. So, first, my only agenda item was: I put together some revised wording based on comments on the original wording of the memory safe stream of the Open Source Security Mobilization Plan. That is a lot of words, and I'd love...
C: After doing some research, I largely agree with this comment. I think that would be more precise language, yeah.

D: Yeah, part of it is also that, you know, I think from my perspective we want to set the bar higher than "oh, we're only fixing things we know today," supposedly. We want to fix large classes of problems that, you know... we...

C: Makes sense. Any other thoughts on this?

C: Right, next up: "introduce known memory safety vulnerabilities," that might imply purposeful action. Could you say just a little bit more about that, Charles?

C: Right, that makes sense to me. Next comment from Charles regarding memory leaks. Should we discern... I understand that there's certainly a technical difference between memory safety vulnerabilities and memory leaks. I'm thinking of the audience for this doc, which is a little challenging, because I know the original audience for the original plan was high-level government executives and other things, so I...

D: Yeah, I think originally I thought, all right... no, not actually. We... it would make sense to include that, and I thought more about it, like, if we take garbage-collected languages like Java or C#, they do memory leak, but not in the way you do it in C. But they're still, like, the garbage collector is sitting on some memory that hasn't been released for a while; that's leaking memory. But I don't think we want to include those languages as the ones we call unsafe by default.

D: So after that I'm like, I see the point, but I don't think it will clarify the thing that we want to aim at here.

A: Yeah, if it's too much in the weeds, that's fine. It's just, again, I play with, you know, some government folks, and they have put things in place like that: their system has to be rebooted every 24 hours, no questions, understood. And it's not because they like the startup sound. So either way, I just wanted to make that point.

C: Yep, that's all good; we're still figuring it out ourselves. Next comment from Gabby: yeah, that was copy and paste from the original language, so I do think you're right. It rolled all these vulnerabilities and exploitations... That is an example of more precise language which I think, regardless of the audience this paper is intended for, would be beneficial.

C: Charles added "should refer to..." Oh, cool. That sounds like a wise idea, even.
C: I'm gonna use that phrase from now on. Cool, okay. Yeah, I think this would be an excellent thing to include, and one of the things... this will become more relevant, which I believe was in the doc, would become more relevant as we discuss comments later in the doc, is they emphasize switching to a memory safe by default language when possible and practical, which I've found is, again, the example of really good precision language, which I think helps many audiences understand.

C: Cool, and I'll ask people to raise the digital hand if you want to say something, or go ahead and unmute and say something, or raise your digital hand. Zoom is not letting me see all the portraits of people while I'm in screen sharing mode. All right, let's take a look at this "known." It's talking about...

C: Yeah, I agree with this comment, Gabby. One of the reactions to the original reports...

C: What some people interpreted it as saying was, well, the OpenSSF is saying you should just rewrite everything in Rust, which was not the intent, at least not the original intent. But when people react to things via Twitter hot takes, that is something that emerged as part of it. So, yeah, I largely agree with...

D: That, yeah. And it is that aspect, and then there was also the aspect of people felt like the name and shame, so it would be like they were welcome to contribute. So, and you know, later on I had someone comment it will, instead of emphasizing the level more, you know, emphasize what the language brings, like: does your technology help us do this thing by default? Yes or no? If it doesn't, then, well, I'm sorry, as opposed to "here, technology is bad," yeah.

C: All right, "rephrases existing large code," yes, I 100% agree with that one. That's better ordering, two or five; you're right on this, and fix that, my numbering was off.

A: Too, yeah, but again, aiming at... since you've mentioned you're aiming at a particular experience level, are they going to have any idea what you're talking about? Yeah.

C: When we say "tools to use," "tools to reduce memory safety vulnerabilities," or whatever the phrasing is that we land on, would a specification fit the label of "tool" in that? Would it make sense for tools to include a specification?
C: Never surrender. And it is useful, because I've written Rust crates where I created an API interface in it, or C code, or any code that uses C by needs could use that Rust code, but I need to use unsafe Rust code for that precise part in order to do that. And it is still... someone thankfully pointed me, because I felt like I was juggling with knives; someone thankfully pointed me to some of the standards that exist.

H: So one... so I was thinking about tools in an expansive sense, like CRob is mentioning. I applaud CRob for providing that, but I also see this as being a building block when we talk about best practices: that instead of wholesale saying you have a tool that can vet a whole application, I think an important part of this is memory safe libraries or incremental, reasonable packages.

H: So if you... I know that when I worked on operating systems and device drivers, we actually had memory safe libraries we used that made sure you didn't, you know, go out of bounds or overreach your memory buffers. So that's...

A: Oh well, this is the... yeah, you've written it and you've got the new product, completely new source, using a memory safe language, regardless of what it is. Do you reach out and use API libraries that may themselves have issues? I get beat up on this all the time, saying, "oh yeah, well, but I still gotta have whatever.a," and, you know, okay, fixed. So it's not really improving things again.

D: I know we talked about this terminology earlier, tools and process that allow us to vet something. So the question for Charles is: do you think this is one of those cases where, yes, we have a dependency, we have a reasonable thing we have, but we still have a dependency on this other legacy... about the used stuff.

D: But do you think this is the case where we can make the case that, because of the process and the tools that we're additionally applying, we're confident that we're eliminating the issue that would exist if we were just, like, using the legacy code uncontrolled? Well...
C: Cool, all right. And on that note, the other thing I could really use some help with, for those of you who are more in the C++ community, is recommendations on initiatives that could potentially use funding from within the OpenSSF. We'll be coming up with a larger list of that, but I mean there are some that I have some awareness of, such as Prossimo. There are also some other efforts, but the ones that are C++ specific I'm much less familiar with, yeah.

D: So at the beginning, when we were doing introductions, I think I heard Matt, or maybe I'm confusing who, express the idea that, well, we all have legacy code and so forth, and safety is not a binary thing, zero or one, but more of a scale. Is that something we want to somehow reflect in the doc?

C: I appreciate that. Let's put it under a list of proposals now. Do you mind adding a comment to the doc along those lines, just to capture it?

C: Yeah, I was, on that note... some language that I took out when I was redrafting from the original language was the original language that we know how to completely eliminate memory safety vulnerabilities, which is misleading. And it's not just a, you know, precision term; the last thing I want to do is create something that will provide a false sense of security.

C: I like to use the phrase... I used to have an old apartment; I had a sliding glass door in the back, which had a rod to prevent someone from forcing it open. Someone smashed through the back door when I wasn't there, so it did not prevent someone from breaking into my apartment, even though I thought it would. But anyway, that's a weird example, but yeah, largely saying I definitely agree with that.

G: However, I would say that we couldn't really think at that point in time how that would actually look in Scorecard. So what are we actually looking for?

C: Right, any other thoughts, besides what we've discussed, on this draft of the document? There will probably be multiple other drafts coming forth.
B: And I would suggest to the group: there's going to be an effort across the foundation to do a refresh of the plan, so this group is at liberty to either, you know, copy and paste what was there and just do minor edits, we could wholesale rewrite the whole thing, or some kind of combination between those two spectrums. And I would encourage us, especially since some of us have had a year or so to think about this problem...

B: Let's try to add some more precision and some more tasks to the kind of project plan: what we are saying we would like to do, what we're proposing, what types of resources we need for the first year, and then the beyond-the-first-year goals. Let's try to fill that out with more of a project plan, saying we think if we do these 6, 12, 100 actions we're going to increase the memory security of all things in the long run.

C: Contrast to it... it doesn't contrast to it. I don't... I believe Josh, whatever his last name is, Aas, head of ISRG, which is what Prossimo is under, is a member of the SIG, just not at this meeting, and has been... I don't see it contrasted. I see Prossimo as being part of an implementation of what this SIG is trying to do. Yeah.

H: I guess I wonder, like, Minneapolis, like Sigstore, for example, being a major one, you know: is there a way for them to bring their work here? Especially, it looks like they already have a lot of thought around specific tooling they're going to attack, and things like that. So I don't know if that's possible, if we bring that, if the person does attend, if we can make that liaison type of approach to them all.

C: Engaging with Prossimo, we do, yep, is...

B: If it's an option, it's open source; we could... if we can dream it, we could make it happen. So if it's something the group feels strongly about, if there's value in getting that, you know, hosted underneath the OpenSSF, we certainly can reach out to the project and see, and there is a process for kind of intellectual property transfer that we could go through. So if the group would like that, if there's value in it, it helps the whole community, we certainly can pursue that.
C: I think that sounds logical. Apparently I'm a Vulcan; it's not the first time I've been referred to as that, yeah. Thank you, everyone. Cool, I think so. I'd be happy to reach out to Josh and talk about creating an official liaison within this group between the two of them. How...

B: And it is a very common practice for us to kind of federate and partner with other foundations or other external projects, so there's precedent there. So I think that's a good idea, to liaise with them, especially...

J: In terms of positioning it properly, right? I mean, if it's an initial outreach with the idea of exploring mutual, you know, best interests, as well as, honestly, kind of kicking the tires to see, you know, what is that community like really under the covers, beyond what you experience when you just show up on their website. Because we want to both expand and, at the same time, protect the OpenSSF.

H: I think it would be great to have a formal relationship and blog it out, and then have an agreement on periods when we share outputs from different things, right? And they have a set of tools that we could reference, and maybe that leads us the path to get the granularity we need to do better things with Scorecards and such.

C: Yeah, I'm happy to reach out to Josh and liaise, particularly just specifically between the SIG and them, of which Josh is a member, but is very busy and is not able to come to as many meetings. As for a formal relationship between Prossimo and the OpenSSF, that I'd rather leave to people a little higher up than I am.

B: I would say: let's engage with them. Let's talk; maybe there's some synergy. Maybe we get some more contributors here to rewriting the plan; they potentially might get some contributors to their software. I think it's a good collaboration opportunity and there's nothing stopping us. And again, the more allies that we draft, you know, the more successful we're going to be in implementing our goals of getting things converted to more memory safe methods and languages.
C: Popcorn, but anyway, okay, cool. All right, is there anything else anyone would like...

J: I vote that we use just the image of the Jiffy Pop stovetop thing, and that way people will have to sort of extrapolate a bit to get the connection. It's just a little too obvious. Oh.

C: Cool, anything else? No.

C: I'm glad. All right, so anything else memory safety related that we'd like to talk about in this meeting? Otherwise, I have no problem with meetings closing early when the agenda is completed, but we still have time if anyone has anything else they'd like to discuss.

C: Yeah, next up is: I will put together another draft based on the comments, and I will get it out earlier than the day before the next meeting next time, and we will continue the revision process. After we finish revising the language, I'd like us to identify specific initiatives that we could potentially recommend funding for from the OpenSSF. CRob...

C: I guess we are two weeks out from that. I will not be there, but I know we certainly will have people who are. I'd recommend we potentially do not do a synchronous meeting that week, because there's going to be so much going on, so I'll make sure to reach out to staff to cancel that meeting on the calendar. But we can continue asynchronous work.

A: Just a twitch to say goodbye. Okay, cool! No, this is great. This is much more interesting than I expected. This is great.

A: Well, I mean, think about it: with standards it's usually a snooze, but this is much more interesting.

J: Island and quite.