From YouTube: Memory Safety SIG (March 2, 2023)

B: Yeah, good morning. Jake, one of the values... Jay, your mic is unmuted.

B: We don't have an official doc. I've mainly been taking notes off to the side and then posting them in Slack, but I'm happy to do it a different way too. Yeah.

C: But, you know, if you want to record anything, it's exactly the worst thing, because it'll disappear in a few weeks.

C: There is, although, you know, I'm in a rush, so how's this: it looks like there is actually a little notes thing that's already set up. Oh, I...

C: So, let's... I don't know the full story behind it, but we can start from there and see.

C: It is. So tell you what, why would I do this? I don't know the full story. Okay, we can fix it later, but let's use that. That works for me, and I'm gonna have to share it. Let's see. Okay, you know what, for the moment, here's what I'm gonna do: I'm going to share with everybody the link to at least comment, all right, and I'll tell you, here's what we usually do.

C: It's not like anybody takes away your birthday, but we usually do take notes in Google Docs, and then everybody else can chime in and, you know, fix notes as we go. Cool, less work for everybody. And what we usually do is write down the attendees, right, and then we usually have a preset agenda and then walk through, and people make notes and changes.

B: I'll paste the agenda in, all right. If I can.

C: Here. So, and usually at the top there's, you know, Memory Safety SIG, all right, and I will do some formatty things later. There's usually, we have, like, the legal and code of conduct stuff up here. So if everybody could just kind of do what you're doing, which is slip in your name. And the reason we take attendance is not because we're going to take your birthdays away, but we want to make sure over time that we have multiple different organizations involved.

B: And do... thank you, David. All right, everyone, well, you've got a link in the chat there, so please go ahead and, looks like everyone's doing it, put in your name and your org and pronouns, if you'd like. I'll go ahead and put mine in. Let me just mute, so you don't hear my mechanical keyboard.
C: Okay, I am immediately adding some permissions for folks that I happen to have offhand.

B: Started. All right, cool. Well, let's go ahead and get started, and let's start with some introductions, because I know we've got some new people, which is fantastic to see. So, briefly: Nell Shamrell-Harrington, pronouns are she/they. I work at Microsoft as a principal engineer, and I am leading this SIG on memory... I'm also on the Rust Foundation board of directors, leading the SIG on memory safety. And let's go ahead and go to Daniel next.

D: Hi, I'm Daniel Frampton. I work at Microsoft. I lead the Rust team in the Developer Division, and so I'm really interested in all things to do with memory safety, from that perspective.

B: Awesome. Next, let's go to Josh.

E: Hi, I'm Josh Aas. I'm ED over at Internet Security Research Group, from the Prossimo project, where we're doing a bunch of Rust stuff.

F: My contract is with CISA, but I'm here with a, I don't know, individual hat on, I will say, to some extent, so I can't, of course, represent CISA. I did spend 20 years at the CERT Coordination Center worrying about software security bugs, and I just can't let some of this stuff go. So that's why I'm here. Thanks.

B: Glad to have you here. Jay, are you able to introduce yourself? I know you're in two meetings at once. Oh.

G: Yeah, that one just... okay, cool. Yeah, from Microsoft. Do a lot of work here and in the OpenSSF and stuff as well. I'm here because I want to learn. You know, I'm not a dev, although in a previous life I had breaking-devs'-hard-work tendencies, and...

G: For that, I'm definitely here to learn about memory safe languages and plus up some skills to take forward our initiatives across the OpenSSF.

H: Yeah, I'm Victor. I'm not independent... I'm just curious about the difference between memory safety versus confidential computing, such as, you know, trying to understand that.

B: Cool. I mean, there are some differences. There is also a tiny bit of overlap. Cool, Randall, over to you.

C: I am Randall. I lead the SKF project, and I'm also now...

A: Hey, everyone, I'm Walter. I'm the new security engineer hired under the Rust Foundation. So, you know, my purview is kind of everything security that's involved for us. So I am here because all of you talked about writing Rust stuff, and since that's my job, that's why I'm here.

C: All right, I am David A. Wheeler. I'm also trying to type and talk at the same time. So, Linux Foundation. My title tells me I'm the Director of Open Source Supply Chain Security. So basically, I've been somebody who's been interested in developing secure software for literally decades.

C: You know, I don't think it's a big secret that the majority of vulnerabilities, when you total them all up, are memory safety problems. So we would like to eliminate those. So let's find ways to do that.

C: I will quickly note that I like Rust, I write code in Rust, but my broader interest is frankly just eliminating security vulnerabilities. If it's another language, that's great, but, you know, the goal is to improve security, and then everything else is secondary, right?
B: In fact, I was going to mention real quickly: obviously, a lot of us here have a Rust background, Rust interest, but this is not just a Rust group. There's a focus on memory safety in general. That includes memory safe languages, not just Rust but others out there as well. And also, something I've had people from within Microsoft and other places express to me is, you know, there's still billions of lines of existing...

B: ...you know, C, C++ code. It's not possible to rewrite every part of it in a memory safe language. So how do we make it better, and how do we define what areas do need to potentially be rewritten, or have different tools applied to them? So, yeah, memory safety is a huge issue, and one that I think needs to be tackled in a variety of ways. All right.

B: Well, so a little bit of recap. So we are still a very early SIG within the OpenSSF. I don't even know if we can consider ourselves official yet, but how we become official is we find a working group to nest ourselves under and present our goals to them, and if they take us under their wing, then we are a... they had to do the wing. Then we are a full, sorry, then we are an official SIG.

B: So one of the things we do need to do before we approach a... oh, hi, Avishay. Before we approach a working group (we've discussed the Developer Best Practices as possibly being a very, very good fit) is we need to define our goals as a SIG, and there were two that were proposed when the SIG was initially forming.

B: One is updating the language in the Open Source Security Mobilization Plan, Stream Four, to reflect a broader context and have more broad inputs in it. And then the second was, based on that updated language, to recommend specific projects, specific initiatives, for funding from the OpenSSF or OpenSSF members. Now my question to the group is: does that, you know, still sound good, at least as a place to start, or are there other things we should consider as a SIG putting within our scope?

C: Yeah, when you say tasks to start, those could be programs, those could be documents, right? Is that okay?

B: I guess... oh, go ahead, David.

C: I can try to drag the text from the mobilization plan, although if somebody else has that quickly at hand, please just go. But I think step one is, you know, making sure we agree on what we're doing, and writing it in a way that others can clarify that. Oh, quick, a procedural note! I can't do it for everybody, but for several of you, I've turned you into editors.

C: A weird quirk of Google Docs is that you have to click on reload to get your new amazing privileges. So my apologies, I haven't been able to do it for everybody, but if you could reload, you know, for at least some of you, you will get the privileges that you should have. We're starting with the airplane in flight.

B: Understood. All right, well, I guess then what I'll propose is we do define as a goal updating the language within the mobilization plan. First, that language, what I... Josh and I and some others were involved in that very early.

B: That was put together very, very fast, with limited input, and I believe there's places we can take it: number one, making it more crisply defined, and also having the broader input on it, and then turning those into specific initiatives to fund. So I guess I want to propose to the group: does that sound like a good first goal, updating the language within the mobilization plan?

C: I think it's a longer term goal. That's great. I would suggest, though, that we try briefly to see if we can't come up with at least a first cut now, because if you're going to present to a working group, they're going to want to know, what's your goal? I think you should be able to make something, even if it's drafty, now, and then improve it later. Or do you think that's too drafty?

C: No, well, I'm just thinking of one sentence: what is the purpose of this group?

G: What David is saying, you know, kind of lay out what should be going into that README on the GitHub site. You get ahead of that, then, you know, when you become an official SIG, you already have that established. So charter and everything else can be established after that, but purpose and scope and everything like that is very important to get out in front of in the beginning. Okay.
C: All right, oh, okay, and somebody has, you know, here's the causes.

B: All right, so let's start with... all right. So let's discuss what our purpose as a SIG is, which I believe it's to pro... I mean, starting big, to improve memory safety within open source code.

B: Your transition to memory safe program link, let's see here. I don't think it's quite that yet. Purpose of the Memory Safety SIG... I don't know if it's... I think that's all encased in there. I'm trying to figure out how to crisply define this, which I believe is, you know, to improve memory safety within open source code. I think that's the big general one. Art, go right ahead. You have your hand. Oh, you...

F: There's a... so I've been sort of following, maybe not this exact thread, but the Consumer Reports and the post-White House, you know, guidance a bit. There's an element here, and I don't know if it needs to go in, you know, the single sentence mission statement or wherever or else, but I also want to slow things down. But I, you know, kind of reviewing the problems, I think, is an important step.

F: You know, the dumb version of this is, well, you know, we're not going to rewrite certain things right off the bat. But, you know, so something like understanding and then proposing ways to improve memory safety for open source. I feel, with some of the current push, there's been a bit of a... those who are not well experienced and subtly well informed are reading: here, Jen Easterly said this. I was there in person on Monday. She said two-thirds of software vulnerabilities are caused by memory safety issues.

F: She left out the words "in C and C++ programs" from that sentence, and, you know, the message is clear, great speech, great message overall. And the Consumer Reports, if you read the whole paper, or the Consumer Reports papers, well, you know, it covers all the angles very nicely, but, like, the first, you know, two sentences are this two-thirds number. So I'm a little cautious of that. I don't want to, again, don't want to gatekeep, they want to slow things down. I think investigating memory...

F: ...safety in open source, and in fact in all software, is an important security thing to consider. But I want to be cautious that we're set... you know, we get to, we understand where things currently are: here, here and here are places to push on memory safety; these places are, you know, maybe today not a good place to push. There's something there I'd like to try to fit in: understanding the problem space well. That's my high level comment. I'm not sure how to put it in your words very easily. So thank you all.

B: Right, thank you. I appreciate that. Yeah, and yeah, I was chatting with the authors of the Consumer Reports thing recently, and what I... part of what I've experienced within Microsoft and other areas, and this is not confidential information, is I...

B: But so that is where my caution is, is I don't think anyone who's credible is saying that specifically, but we do need to move toward more memory safe languages, and we do need to move toward more memory safe programming practices. And I do think you're correct in that understanding the problem space is key to that.

F: Yeah, thank you, and I suspect the folks here do understand the problem space. That was not directed at folks here. A lot of people do. Just, you know, it comes out at the high level for some policy makers as "rewrite everything", yeah, as you said. So that's it. Thank you. Sure.
C: I was gonna say, now, that said, I think that you can do work to eliminate roadblocks. So, for example, things like, gee, I can't, you know, the CPU is not supported by a language I'd prefer to use that's memory safe. How...

C: ...that this language is too slow for my purposes, so I'm going to use it... well, but we can... you...

B: All right, so I saw Randall proposed: purpose of the Memory Safety SIG is to develop and promote standards and guidelines for memory safe programming practices. I personally like that, but I want to get additional group feedback on it.

C: I also like the use of "safe practices", and better than stating "memory safe languages", because it suggests that even with using safe-by-nature languages, you can still have the right practice to make it safe, and that's an education best practice. That's...

C: The problem with this is that I actually don't think that standards and guidelines is adequate for purpose.

C: The Linux kernel folks, by the way, they're having to write a lot of code in order to enable a transition, just to enable support for memory safe, sorry, device drivers in Linux, and they have no intention of using a memory safe language for the core, for a variety of, forever, of understandable reasons. And even that is challenging, but their challenges aren't standards and guidelines. Their challenges: they need to write additional code to make it happen. Okay.

B: Let's go over... that's a good point. Daniel, let's go to you next, and then Josh, you look like you have something to say, so we'll go to you after.

D: I was gonna basically echo the same point, and that's, you know, where the tools fit into this.

D: Where do, you know, example projects that we would help drive fit into this? And I think when we think about example projects, one of the things which may not shape the mission but may shape how we set our goals is how much we want to be broad, in terms of making memory safe programming practices available in more places and for more important code bases, and how much we want to be deep, in terms of showing an example or having the thing connect end to end, to be able to actually push something forward. Because I think we've got a very clear definition of the problem, and maybe it's not always well communicated, and we have, you know, a solution to that problem, at least for new code, but how we connect that in the existing open source landscape that we have and make a real difference to, you know, mitigating or resolving that problem.

B: Question... I'm overall hearing broad agreement, I think. Let's go over to Josh.

E: Point... I don't think I'm saying much that's new. I think I'm mostly echoing David, and my concern about this is that it, like, sounds purely educational as it is, and I'm curious about what kind of scope there is for a SIG to pursue actually writing tools or actually just straight up fixing software. I don't know what the norm is for things in general.

C: ...ahead and jump in here. Yeah, because, okay, you know, it's a nomenclature thing in the OpenSSF. We have SIGs and projects. Projects primarily write code. SIGs primarily do something other than writing code. There's nothing that says that we can't be a SIG and a project or whatever, you know, but that's just the typical nomenclature. But the real point is: there is no restriction in the OpenSSF from writing code, and if code writing is what's necessary to solve the problem, by God...

C: ...let's do that. If it's something other than writing code is the way to solve the problem, great, let's do that. But I certainly don't want to be captive to a nomenclature, right?
B: All right, so overall hearing broad agreement. We're also bringing in lots of ideas and such, and that's great. I still want to get to that crisp definition of what this SIG does, so that we can present it to Developer Best Practices. So I think, you know, we could expand...

C: Shaking the head, nope, still not enough. You're not... rewrite. You know, you haven't covered all those bullets underneath roadblocks and selectively rewrite. So...

D: Yeah, I guess we could look at it as, like, a road building exercise. So do what we need to do to... damage, like, to actually connect that, like, to solve that problem. And then a lot of these other... I mean, it is very broad, and so I think then it really forces us to go to that next level of detail, to make sure that we have the clearer goals sort of sitting under that, right?

F: I like the short... I've been writing some things down, and I think someone else just wrote the same thing, but academically I like "reduce", but "eliminate" is much more aspirational. No problem there. I think, high level, this is very succinct, right: we're going to reduce or eliminate memory safety vulnerabilities.

F: What I've got highlighted on the screen are a couple of ways I rewrote it as everyone was talking. Honestly, that's my contribution. I don't have a... I'm not going to fight hard for a particular mission statement, but that's...

B: Thank you. And briefly, my... and then we'll go to Jay. My worry is that we'll come to the Developer Best Practices working group with this "eliminate memory safety vulnerabilities in OSS", and their response will be, this is way too broad. And we can put specifics under it, but let's go to Jay next.

G: Yeah, my... it might help if we actually wrote the words mission, vision and purpose down and then wrote these things next to them, because a lot of what I hear is a combination of the two, one sounding like a mission when it's really a vision. You know, being clear about, you know, what is the crux of what the SIG is going to do? What, based on what the mission of the SIG is?

G: What does that outlook, vision, look like? So what's the vision, what does success mean, right? And then you drill down into purpose and all that kind of stuff like that. So I think, you know, high level, you know, understand what that mission is, and then what does success look like against that mission? Okay.

G: Oh, and I was going to say, vision, the great thing about the vision, and this is to what Art said before. He's right to say, academically, you want to say "reduce", right? I mean, because you... but vision-wise, right, the great thing about a vision is you can get aspirational as hell. You can get wild with a vision, right? The vision is to eliminate them completely, right?

G: That's aspirationally what we want to do. Now that goes right up into, you know, against the broader mission. The mission of this, put this, to do this, but the vision, the outcome of it, is to have this. So now that we grow the vision, that mission should become a little clearer. Got...

B: ...it. And I see David adding in, you know, we could: vision, eliminate; mission is reduce memory safety vulnerabilities by... and we can add in, where I just lost my train of thought, but add in "by developing and promoting standards and guidelines" and something along the lines of "develop and promote tools and projects".

G: Even so, what David wrote there, I even think some of that goes into the purpose. So I think once you start getting into the nitty-gritty of tools and guides, I think that drills down into the purpose. The purpose of this organization is to develop tools and guides and all that towards, you know, eliminating vulnerabilities, which coheres, which references our reducing this and this and this by etc. I think, you know, the tools, the guides and all that stuff, that goes into the purpose of the organization, is to create these things that achieve the vision by, you know...
D: Yeah, I think if our purpose is to kind of provide some proof points and to provide tooling and to provide guidance, like, I don't know, again, it kind of crosses a bit into goals, but I think rather than the activities we might do, like rewriting software, building guidance or whatever else, what our purpose is, is to basically take this lofty goal of "fix giant problem" into "here is the path that you go down", right, to meaningfully improve this. And to build that path, we need to improve the tools.

B: All right, all right, so see your vision and purpose. All right, so vision I think we've got down. A mission, purpose...

B: All right, we still get... there's rapid edits going on, which is good. All right.

C: Somewhere, I think the word pragmatism or pragmatic may help deal with this. You know, something like, you know, "in a pragmatic or risk-focused way". You know, basically dealing with the, no, we're not going to be able to rewrite the universe all at once. Right.

B: Okay, and then I guess the question is, you know, if we have that as the draft of the mission for right now, at least, we can obviously continue to iterate. What... how is the purpose different? Jay, I'd love your advice on this, because I know you're in all the meetings.

G: The mission includes some of the purpose. So, if you ask me what the difference is, I'm going to say that there's very little. "Understand and reduce memory safety vulnerabilities": mission is understand and reduce memory safety vulnerabilities; the "developing pragmatic guidance and software, including tools", that's the purpose.

G: You can have a one sentence vision and a one sentence mission. The mission is, this is what we want to do. The vision is, this is what you want to do aspirationally. We want to accomplish this based on what we want to do. So what we want to do is this; the vision is what it looks like once we accomplish what we want to do; the purpose is to develop these things, to accomplish the mission, to achieve the vision.

D: I want it to include improving the memory safety, or having memory safe dialects or subsets, or static analysis that proves memory safety in other languages, but we want to pragmatically work out how we can use that technology and then get, you know, meaningful positive results there. So I am, like, right, so I think the pragmatic side of it and the analysis side of it are important, but I don't want it to look like we're, oh, is it a good idea to use memory safe languages? Because I feel like that's been litigated.

B: Yeah, Walter and Victor, I'd like to see if you two have any input on this.

H: Yeah, for me, it will be more for education purposes. For example, it was memory safety versus confidential computing. I just looked it up, so I sort of know the difference. So, yeah, know what's the difference for the general public, I think that will help.

A: Yeah, from my side, it's also the same. I think a lot of it's going to be the visibility of, like, what tools, practices, etc. are available for the transition for memory safety. You know, moving through, like, Rust or another language, that is one of the, like, sort of, you know, guiding directions they can go, but that's just the way everyone is kind of going right now, and I want to make sure that we include, like, the visibility of alternatives to that.

A: Where, you know, here it is, you know, if you were interested in how do you handle your legacy safety standards? You know, that could still be a cult... that kind of makes sense for... I want to make sure we include those other transitional factors. Of course, you know, you could rewrite your code base XYZ, it doesn't have to be Rust, just so we don't put it all on that. And I want to make sure that we include, like, all of those transitional recommendations. So it's, you know, more...

H: It makes sense, yeah. Yeah, one thing I want to add is I'm a database consultant, so I'm not a developer. So, like, the information here is quite useful for a lot of security reasons. So is there anything, that information, available with us not only for developers but also for users? So, you know, for example, database consultant, topper...

B: It's something we could consider. I don't know if that's something we need to capture in the vision, mission and purpose, but it's something we can consider in the artifacts that we produce, certainly.
A: A side question as well, sorry. Some of this may also be sort of the, well, I'm wondering, for the purpose, you know, how much is it because, like, within this group we understand, like, you know, it kind of harkens back to the very beginning of this discussion, where we were talking about, you know, we all know the case of, like, 70% of C++ bugs are memory safety issues, but it should also be, you know...

A: Should some of this group be, you know, bringing to, like, here, or here is why memory safety is an issue, and at least still having that within the purpose of the group, to, you know, help define that more granularly, besides just the Consumer Reports numbers or exciting numbers like that? You know, having this group also, if you don't kind of provide that: where you are using technology and language X, it has memory safety issues, and you should move to Y?

B: I do think there's a lot of existing research, not just Consumer Reports but Microsoft, Google, others, around why memory safety is an issue. I mean, that's certainly stuff we could draw on. I don't know if we would necessarily need to produce something on that, but I'm certainly open to feedback on that, and...

C: We stated earlier, as well as this discussion about the 70%. I will quickly note, my memory may be a little fuzzy here, but I recall the 70% for Microsoft was about all Microsoft products, which are not just C and C++.

B: That's CVE... does... that number is based on bugs that CVEs were assigned to, by...

C: I don't know that either. That's why I'm saying I don't remember, but I vaguely remember it was across all CVEs across all of Microsoft, and I know they develop in more than C and C++, I mean, C#, for example, and .NET in general. So it may... we've been saying 70%, but we might want to go back, as part of this "informed by real world data", might want to find out more about the actual numbers for different situations. Go.

F: I've been a little bit, perhaps personal bias, cranky about that 70% number ever since it came out. I don't argue with it, but again, I'm trying to very objectively look at, hey, 60, 70% of security bugs in memory unsafe languages are caused by, no surprise, right, memory unsafety. I did an analysis of the NVD, which is already not great data. The NVD does try, since about 2008, and I spoke to them, they try pretty hard to use CWE as a cause of the vulnerability.

F: CWE has issues, so no, I'm not going to defend that the data is great quality here. I did an almost back-of-the-napkin look at: here are CWEs that are obviously memory safety issues, here are CWEs that are probably but not always memory safety issues, and here are CWEs that are definitely not, and I came up with about 25 percent of the last five years of all things in the NVD.

F: Now, again, I want to be very clear here. There are a lot of biases and issues with this, and you can't go deep with that analysis, because it's fraught with bias and data problems. Nonetheless, if you look at, you know, if you make the denominator bigger, the number goes down, is all I'm saying.

C: Right, right, well, yeah, I think that's because, you know, you are unlikely to write, for example, web application code, you know...

C: ...web server in C, you're not going to be able... well, putting this with WebAssembly, you could, but you're often not going to write client-side code in C. So, for example, the OWASP Top 10 doesn't list memory safety; it never happens. It's the top one, last I checked, on the CWE Top 25. Again, which languages are in... you know, Microsoft writes a whole lot of C and C++, that's... the number goes up.
B: All right, all right, I'm gonna put a time box on this, because I want to make sure we complete our goal here for this meeting, which is to, yeah, develop that mission, vision and purpose. I think maybe we can wordsmith the purpose just a little bit. I don't think we necessarily need to do that synchronously, but are there any objections to the mission, vision and purpose as they are right now?

B: So are there... I just can... are there any concerns with the language for vision, mission and purpose, as they are right now?

C: Tweak on purpose, and that's after the word "guidance" I would add the word "standards": "pragmatic guidance, comma, standards and software". I...

B: No problem on that from my end. Okay, all right, cool. All right, I think we've got that, that we can go to the Developer Best Practices working group with. Obviously, I think you said their next meeting is... is it next week or the week after?

C: You could even, ahead of time, say, hey, we're proposing this, and copy them on what we've just discussed today, and then, you know, basically give them a pre-read, and if they don't read the pre-read, you at least gave them the opportunity of...

B: Thank you, thank you, thank you. Cool, and we can continue to talk asynchronously prior to that meeting on the 14th. I think our next meeting as a SIG, it's two weeks from today, and that would be, because I cannot do the math... I think that, by the way, collides with the... check, maybe it collides with the town hall.

B: Our next meeting... okay, well, we might cancel that, then. And if it sounds like that's a big conflict, we might cancel that. I don't want to try and reschedule the meeting, because it's been so difficult to get this time in general. But let's talk asynchronously, and we can continue to address that. If we need to cancel, we can continue to talk in the Slack channel and in other places as well.

C: The next one is March 30. Keep talking on.

B: And I really appreciate you doing these notes, David. It's impossible for me to talk and take notes at the same time, so I so appreciate this. Thank you.

B: That's hard, too. All right, anything else for this group that we should discuss?

C: I guess two minor things, and these are just more procedural things, but I want to make sure that things actually happen. So there's a... I quickly commented earlier about, you know, the OpenSSF has, you know, some little terminology they define on their website about SIGs and projects. Projects have code. SIGs are something other than necessarily code, but please don't shy away. If, you know, a SIG can, you know, say, fire off a project. So, hey, you know, we look, we need to do this.

C: We can create a project. I think formally it would be underneath the Best Practices working group, presuming they take this on, which I suspect they will. But, you know, please don't shy away from developing software or standards or guidance, if that's a solution. Second up, money. I don't... I...

C: ...think a number of you are very familiar with the OpenSSF, but I'm not sure everybody is. We always, you know, a whole lot can be done without funding, with people who are interested, excited, and we don't want to stop any of that. If funding is needed, formally, the governing board of the OpenSSF decides where its funding gets spent. Now, if somebody finds some funding elsewhere, your company is paying you to do X, carry on, don't let us stop...

C: ...you. In the end, the governing board immediately looks over to the TAC for a technical review. So in practice, what happens is you talk among the working group: does that make sense? Then it gets raised up to the TAC: does that make sense? There are a couple pockets for small amounts of funding that's pre-approved. Otherwise it goes to the governing board. I can't guarantee funding, but that's how it works. Okay.

B: Right, and I know when I approached this idea with Brian Behlendorf a while ago, he had mentioned one of the things this group could produce is recommendations for specific projects and initiatives for funding, either from the OpenSSF or from OpenSSF members, right.

C: ...actively trying to get more funding, evidence, stuff, so work on that angle too, but, you know, for now, that's where we are. Understood.

B: All right, anything else for this group, as we're approaching the end of our time?