From YouTube: OpenSSF Day at OSS NA - Mobilizing the Open Source Industry in Fight For Better Security By Default
Description
OpenSSF Day at Open Source Summit North America - Mobilizing the Open Source Industry in the Fight For Better Security By Default by Brian Behlendorf, General Manager, OpenSSF
My display's... but okay, I'll read it. So thank you, Anithia, for the really nice scene setting for why we're here today. I wanted to add also a little bit of historical context that I think is really germane to how the open source community actually got into a very favorable position when it comes to security. I might even use the term "irrational exuberance," which, if anyone is familiar with where that term first came into the popular mindset, it was at the time of the 2008 financial crisis.

Who was it who gave testimony about irrational exuberance in the stock market? Anyways, I think what we actually need to do is think about how we substantiate what is already actually a really great reputation for open source software when it comes to security, but really try to understand also where some of that came from. So I also tried to look deep in the past. I went to the Internet Archive, and the oldest screen grab I could get of the Netcraft web server survey was from '99, but they actually started in '95 with a survey of the entire web once a month, where they would ask every web server, "What software are you running?" And again, the internet...

The internet was a high-trust environment at that time, where telemetry of what people were running was considered a public good. I think it's kind of crazy in retrospect that people would advertise the specific patch level of the server software they were running, to make it easier for you to figure out which compromise would come in.

But the great thing about this was, this is really the first moment where we had substantiated evidence that open source software was being used out there in the wild and in quantity, right, and not just being used for research purposes or, you know, early-days-of-the-web kinds of things, but actually being used in production.

Because not only could you see quantitatively, then, if I'd scroll down to the bottom you'd see more, that the Apache web server was being used something like five times as much... well, two and a half times as much as the Microsoft web server was being used. Apologies to Microsoft. It was being used about, what, almost ten times as much as the Netscape server was being used. Apologies to anyone who worked for Netscape. But also you could ask, through this website (you didn't have to type HTTP commands), you could ask through this website, "What is that site running?" And it made it really easy for those of us who were working on the Apache web server back then to make the case to our own pointy-haired bosses (which is what PHB is), but also to others, that not only, you know, are people using this in production, you could also point people to cia.gov or to, I believe it was, vatican.va.

It might have been something else, but it was dot-va, and people could see, "Oh, Apache is running behind those, and if it's good enough for the CIA and for the Vatican simultaneously, that probably is good enough for your company, right?" Which was great, and it allowed us to make the case that you could trust this. That's what garnered interest from some of the first companies; IBM was really one of the first to say, "Can we bundle Apache into our web-based products?"

That kind of thing. Lots of others followed suit, but it also led us down, I think, a path that started to say popularity was a rough proxy for, perhaps even equivalent to, security: that the more people use this stuff... I mean, there's certainly a case that we made, right, the more eyeballs, just naturally, almost by the, you know, law of large numbers, and therefore you could trust it, and that seemed to be true.

You know, we would get notices of security holes, we'd respond quickly, and that started to also be mirrored by the Linux community, that also developed a great reputation for being able to respond very quickly. And, I don't know, by the way, there were very few analysts looking at this data. In fact, even IBM sent a poll out to their top 100 customers in '97 asking their CIOs, "How many of you are using Linux or Apache or any open source in your organization?"

Only one out of those hundred said that they were. They repeated that by asking systems administrators in those hundred companies and got back something like 93 of them saying, "Oh, yes, we're using it." It's just that the CIOs never saw a purchase order for anything labeled open source software until Red Hat came along, and others of course. But anyways, it was really nice to have those numbers. But it led us to some interesting place.

The second thing that I think really helped the world come to trust open source software was this: that a lot of the early communities were really rigorous about setting up processes and setting up a culture that said we need to avoid heroics. Like, we might still have... what was the term for, like, one individual kind of at the top? I'm struggling, sorry. BDFL, sorry, benevolent dictator for life, BDFL. Thank you. I was blanking on that.

Even if we have Linus Torvalds or Larry Wall or others, they are surrounded by people who can help catch the falling, you know, hot knives, you know, or help review patches, who can help enforce some process. And even at Apache, one of the founding kind of principles was community over code. We wouldn't start a project... We wouldn't even take one in as an incubator project without some evidence that there was more than one person interested in working on this code, and really, ideally, it should be from more than one company. And that premise is just that then, if somebody burns out, if a company changes tack, whatever happens, there's some resiliency built into that. And somehow we got away from that.

Somehow, in the last 20 years, we kind of got more to the swap meet model of open source code, where, rather than looking at... and not that those projects went away; certainly Apache and the Linux kernel and other projects do have this kind of culture of "let's pull communities together, right, to write code." But we're all also very proud of the millions and millions of repos up on GitHub, of the millions and millions of packages published at npm, and any one package is always very proud of, boasting of, the hundreds of thousands or hundreds of millions of downloads they get per week. Again, as a sign of the law of large numbers: it means you should be able to trust us. And that just kind of seems wrong, just at an intuitive level, and to me feels like a place where perhaps we've gone a little bit in a different direction, and I'd like to see us return to this idea of open source communities and open source projects as being a little bit more like barn raisings, where, you know, people work together to build a thing.

It's not just about pulling 10 or 100 people together to do in one day what would otherwise take one person 10 or 100 days. There's no way for one person to build a barn, at least in the old Amish, you know, barn-raising kind of stereotype, right. One person cannot pull the timber up, the timber frames up, to mount them in the right way. They cannot, you know, do all the things that are required to build a barn.

It's that there are people with complementary skills, people who might specialize in that one function that no one else really wants to look at, but at least one person is keeping an eye on, and hopefully more than one, for every given line of code. And it's not perfect, and it fails, and it means a whole lot of overhead in managing a community, managing clashing priorities, managing overhead, but it pays off, and it pays off in more resilient code. And, with respect to turtles, with apologies to them...

Actually, as we think about building critical infrastructure, and we think about it from the bottom up, you know, from the hardware layer up, you know, which should be barn raisings all the way down, to really help build the kind of secure critical infrastructure that we know that we need. And I would love somebody to do a better graphic than this. This was me last night, doing cut and paste eight times, but it seemed to work. And so, for me, the open source community really was one of the first places on the internet... Oh, I'm sorry, an important angle on this:

I feel that the process, by having these things be barn raisings rather than kind of one-person projects, made it possible to bring in anonymous and pseudonymous contributors. And this is really key. And I remember in the early days of the Apache web server, there was a contributor named Alexei Kosut, who was very productive, wrote great code, but didn't write as much as the others, which was fine, but he did a lot of tending to the Usenet newsgroup, answering new user questions, writing documentation, like a model open source contributor. And three years into his contribution history at Apache he wrote a note to the other maintainers going, "I'm really sorry, guys, but I probably will have to pull back a little bit on my contributions, because I'm starting as a freshman in the fall at Stanford University." So, like, that was... the fact that we have very low barriers to entry in open source is actually key, in my opinion. I mean, I don't have numbers to back this up.

I would love to see the econometrics, but I would assume a lot of you share this gut feeling that it is key to the scalability of the open source process and getting to what, you know, Eric Raymond called Linus's Law, which was "with enough eyeballs, all bugs are shallow," which intuitively we know is not quite a mathematical equation, of course. But no matter what tooling, what processes we come up with, they all fall down, in my opinion, if you have too few developers per line of code. And I want to note this: this idea of being able to have our projects be open to both lightly authenticated people or even totally anonymous contributors doesn't mean that reputation doesn't matter. We know it matters.

There were a lot of vendors at RSA two weeks ago selling tools to do "know your developer" behind open source projects and other collaborative software projects, where factors such as national identity or IP address of where the contribution came from are considered a viable basis for trusting a contribution or not, and I think that would be very dangerous.

All major open source projects have healthy amounts of IP from contributors from countries that aren't necessarily places you and I would be able to travel to, or want to travel to, right now. And, you know, geopolitical relationships come and go, but I think it's important that the open source community remain a global community, and in a way that we have found challenging in other parts of the internet.

We truly are one of the last remaining places on the net where you can productively work and even come to trust people who are lightly authenticated into the community, and I think that's core to what we're trying to build. And at the same time we can do that because we have processes. How many people remember the University of Minnesota hack from last year?

I think it was where a team of researchers at the University of Minnesota thought it would be cute to prove how valuable our processes were by slipping intentionally broken code, not a back door so much as an intentional vulnerability, into the Linux kernel. It was noticed, it was stopped, but not before it consumed a whole lot of time on the part of Greg Kroah-Hartman and Linus and some others, and in response the University of Minnesota has now been banned. I think by IP address, I don't know if it's by email address, but has now been banned permanently from contributing to the Linux kernel, which kills Jim Zemlin's heart because he's a graduate of the University of Minnesota, good old, you know, Minnesota kid. But yeah. We have these processes. We have these mechanisms, but they're not perfect. Are they perfectable? That's worth asking, but we need to fight what might otherwise be a tendency to slip into a dark place.

Certainly we can be better at turning users into contributors, turning contributors into maintainers, that sort of thing. But a lot of what's going on in the OpenSSF matches that first kind of thing. You'll hear about a lot of that today: the Best Practices Badge work, the Scorecard work, things that we're looking at in the mobilization plan. All of that speaks to this need to better understand, through processes, through measurements, through tools, how do we get an objective sense of the trustworthiness of code? Not because we want to stop using certain open source packages, but so that the better ones can know where to invest to increase that. We are far past the point of Dunbar's number, right, 150, which is about the number of social relationships.

We also need processes that simply encourage better security practices by developers, and that also is a theme for many of the projects you'll hear about today and are a key part of the OpenSSF. Speaking to this third part, though, about teamwork: this is a place where I challenge us a little bit to think about where perhaps some existing efforts in the OpenSSF, perhaps new efforts that we might take on, might encourage a little bit more teamwork and shared responsibility amongst open source projects, and shared responsibility for security.

I encourage folks to... if you're working on one bit of open source code, you've thrown it out, you might have hundreds of thousands of downloads a week, that's great, but what happens when you burn out? What happens when you slip in a bug that you didn't realize and notice? And wouldn't it be great to have other people help you find those? This is why I loved open source: because I'm not a good coder. The world is much better off without my code in the world. It wasn't just me being humble. It was me being completely honest. "This is broken. This is something I know there's something broken about. Please help me find the bugs in it." And for me, without that sounding board, there is no point.

And most important for us is to think about how to add the words "by default" to every one of those, right. How do we make the lift as zero-cost as we can to adopt better tooling, to adopt better practices, to get this into the default workflows, the default build tools, the systems that we use as open source developers and contributors to make this all work? And so, as I mentioned, you'll hear a lot today; you won't get everything going on in the OpenSSF. We are kind of a circus. I say that lovingly, and somebody likes going to the circus. Like, there's lots of things going on at OpenSSF, lots of different teams, and that is a part of our strength. We're roughly divided out by working groups in certain thematic areas.

We also have a set of initiatives, Alpha-Omega, sigstore and the new toolchain infrastructure, that are additive to a lot of those different efforts, and certainly lots of people are on multiple working groups and efforts. At the same time, there's a lot more we can do, and one of the things we in the OpenSSF community are actively trying to figure out is how much to be big tent versus best-of-breed and small and focused, right. And this is something you'll perhaps hear more about today: how do we tread that line and make sure we're tapping into really the best of what's going on in the open source world, and the best thinkers, the best developers, the best people?

Thinking about how this maps to the real world now, in the remaining kind of 17 minutes, I want to pivot a little bit. Oh, and thank you, of course, to all the organizations. Here's a few of them; there's actually a longer list of the full membership you can see on the website. It's organizations like these that are really helping make those efforts work, both through their individual developers contributing and participating on the working groups and the projects, but also by putting some money in to allow us to spend money on some of the work that is necessary to do.

Now I want to pivot and talk a little bit about this effort that we put together since the beginning of this year to take this circus, so to speak, on the road and to think creatively about: if we were to not just say, "Here's a bunch of things that might help the world," but to get activist about it and invest in it and say, could we actually close some of the known issues we have in the world around how open source is built, in some reasonable time frame, in the next few years? How would we do it, and, frankly, how much would it cost? And a lot of this was spurred by the Log4Shell vulnerability.

I try to avoid saying Log4j, because the developers behind Log4j and other Apache projects are professionals. They are doing a great job. I want to give them due credit. They are, by and large, for a component that's used as pervasively as it is... again, the law of large numbers does say occasionally we will stumble over vulnerabilities here or there, and it should not reflect upon them. So I do try to say Log4Shell when I can, just to be reflective of that. But Log4Shell broke the internet.

It caused a whole bunch of organizations, particularly in government, to go, "This is an earthquake. We've got to scramble. We don't even know where we're running it." You know, the number of organizations that said, "Oh, no problem, the bugs in the CVE are in Log4j version two, but we're on Log4j version one, so we're not vulnerable," which had been out of maintenance for five years.

To reasonably ask the question: if this is an example of doing it right, if this is an example of the process working well... we would be frustrated if we woke up one day and every highway bridge crossing every river had to be shut down for a month while it got re-architected and re-cemented so that we can then cross that bridge again and drive over it. Or we would be frustrated if the electrical grid had to go down for three days while we updated it, which is dauntingly similar to some of what we've heard about; you know, the electrical grid is much more of a software-driven piece of infrastructure these days than anything else.

Is this really how it's supposed to work? And so the White House convened this meeting in January, invited a bunch of us there: David Nalley, if he's in the room, I don't know if he is, from Apache, and a few others from Apache, a few of us from the Linux Foundation, about 10 other companies. And they kind of posed this question, and for about six hours we came out with basically the question: what would it take to actually solve many of these issues that we were coming up with, which could roughly be categorized in three kind of different buckets? How do we secure how the code is written? How do we get better at finding the vulnerabilities that are out there and fixing them? And then, apologies, how do we get better at pushing those fixes out to the world?

And so we went back as the OpenSSF and started, a little bit more privately, kind of, you know, talking about this, talking about it in the governing board, talking about this, you know, kind of one-on-one between us and staff and a lot of others, and said, "Well, maybe what we should do is think about how to frame and organize all those different efforts in the circus, with this idea of what would it take to push those to the point where they can actually address a set of issues that are responsive to those goals? What are things that are working now that we could double down on and put some more resources behind, in a somewhat inorganic manner?"

I mean, I'll be honest, most of the time at the Linux Foundation, when we open projects, we as Linux Foundation staff and the funding kind of go into air traffic control, right. It goes into convening the space, hosting the calls, hosting, you know, whatever is required, even the build systems, that kind of thing. It doesn't really go into top-down driving this stuff to be everywhere. It does sometimes, in the Automotive Grade Linux project.

Other projects, like Let's Encrypt, actually run a service, which requires an ops team, which requires, you know, some actual staff to go and run this, even though the code is open source, even though it's built on open protocols, and they work very, very publicly. So with us, it was a little bit like, well, even given all of the folks showing up to our circus making contributions, how might we best organize our efforts to go and accomplish some of these things? And we're not gonna solve them tomorrow.

And so what are some ambitious but pragmatic targets that we could set to make that happen? And in 10 minutes I'm not going to be able to go into depth on the next 10 different slides, but we put together a plan, a mobilization plan, that laid out 10 different streams that identified some reasonably interesting places that we felt would make a big difference in the trustworthiness and reliability of open source code and, frankly, to bring the reality up to that set of expectations, that irrational exuberance around the security of open source code.

We published this in May and had a convening in DC with friends of ours in government. It was not a government plan; it was not intended to be, you know, "Here's what we want government to pay for." But it was intended to say, look, those of us organizing this would like to collaborate with our peers in government. There's a few, in fact, from the government here at OpenSSF Day and at the conference this week, and we'd like to make sure whatever you're doing inside of government around pushing further on SBOMs, or evolving the cybersecurity infrastructure framework driven by NIST, or other places, that that's complementary. By the way, I'm sorry, they're showing Top Gun: Maverick next door.

So I can't compete with that, but I will try. And so what we identified, to our surprise, was actually what we thought was kind of a low number: 150 million dollars' worth of well-vetted spending that would go and pay for itself tremendously. So we had this convening in DC. I tried to pull in more companies, more open source community members, more organizations. It was never going to be enough, of course, but for as public as we'd normally like to be about how we work, it was enough to try to get across to the government that we're serious about this. And this was something that we'd like to repeat with other governments around the world as well, and we've got some conversations starting in a few places to have a similar type of rollout and conversation with them. In that event, we identified 30 million dollars in pledges to that project. Thank you to many of the companies who are here today who helped make that work. These are pledges.

These are moments where this is basically an investment fund, if you think of it that way, towards the 150, so we're going to be raising more from different sources to go and hopefully start work on each of those different streams independently.

I won't be able to go in depth; you'll be able to find it, but very briefly, just to give you the highlights. One of them is about trying to reach everybody with many of the security education documents and processes that we've developed here. Thank you particularly to David Wheeler for that work; he'll be talking about it later today. One of those is about trying to do that risk assessment kind of thing that I talked about: how do we better understand the riskiness of code? Well, pulling together all the data that the tooling we're coming up with can give us, as well as additional data sets, into one place to go to say, "I'm interested in this code. What is its risk profile, right, and can I compare that to similar code?"

Another is to further the work of the sigstore community on digital signatures, that you'll hear more about today as well. To invest in memory safety and the conversion of some core internet utilities like ntpd, or further invest in Rustls, for example, the Rust library for TLS, to try to eliminate whole categories of vulnerabilities in really critical software. To establish a security and incident response team to focus specifically on open source projects who don't have the funding or have a big community around them, who can help manage a vulnerability disclosure process. Another, to really double down on the work going on in Alpha-Omega, to do more pervasive scanning of open source code on a regular basis to try to find new vulnerabilities; you could think of it as an open source version of Project Zero at Google. Another one to invest in code audits.

Amir here from OSTIF knows this process well. Not for a large number of projects, but starting with 50 and maybe, hopefully, to 200 projects a year in the kind of third-party audits that really start to ask, you know, "Did you mean to put that chainsaw in the middle of that dinner cutlery set?" Right, so not just the potential memory corruption issues, but also really starting to ask at a feature level or an architectural level, you know, "Have you really built this defensively and thoughtfully?" To encourage more data sharing to understand what are really the most critical open source projects, not based on download numbers from npm, but based on data that might actually be hard to get in public data sets. So working with distribution points and vendors to try to collaborate around that data and help make, like, the Harvard study that we published recently even more thoughtful and perhaps more frequently updated. To really invest in SBOMs.

So far we haven't done much in the OpenSSF with software bill of materials. We've talked about it; there's been some work in the Security Tooling community, thank you to Josh Bressers if you're here, but this is a place we know there's a need to invest more. This particularly was a big message from our partners in government. We need to also, finally, just look at especially the last few stages of the software supply chain: the distribution points, the software repositories, and ask, is there more that we can do to bring SLSA, for example, to those, to bring a kind of native consumption of SBOMs to those, other things that can help make it easier for people consuming software through what are essentially the Apple app stores of the open source community, to be more thoughtful about how they get that data? And this is work that I'd say has already begun through collaboration with the Securing Software Repositories working group that is really just getting underway.

All this work together, you know, there were teams that formed around each of those ten. I want to thank everybody here who did participate in those work streams. It was very short time frames, partly intentionally, so that we could get to really just a first kind of size-of-the-breadbox kind of notion. These numbers will change. This is a draft.

The process from here is that we will continue working with interested parties on those streams to refine the proposals, to get to the point where we can start to match them up against pledges or other sources of funding. Frankly, 150 million dollars was cheap in my book. I talked about that a bit. 150 million might sound like a lot, certainly for any one open source project. It's a lot; there's very few with budgets that are larger than that. But I want to give you one other number against which it sounds fairly affordable: 700 million. Does anyone know what number I might be referring to when I say 700 million? It's a little obscure.

I apologize, but it was just a few years ago that the FTC levied a fine on Equifax for its data breach, and fined them 700 million dollars, due to a vulnerability in Apache Struts. Again, not to blame Apache Struts, not to blame Apache or anything like that. In fact, I believe they were only, like, a few months out of date in their patching, but that provided enough of a window for somebody to come in and take a ton of data. And the FTC has already started to say they will issue a notice (they've already issued a notice) saying that if they find that future data breaches or other major, you know, compromises occur because somebody did not update their Log4j frequently enough... David's plotting here, because these are the kinds of nudges that we're going to see more of, both from the public sector, I think, even from folks like insurance companies who insure against cybersecurity breaches. They're going to start to raise the floor when it comes to what's the minimum that they expect organizations to do to be more secure. And this is serious. This is the government getting serious. These are the sticks, and I am much more about carrots, frankly, much more about incentives and, like, helping people.

In fact, a big theme through the mobilization plan has not been "How do we make open source developers get more serious?", you know, but has been about how do we show up with help? How do we add to their existing processes, with better tooling, with people and other things like that?

At the end of the day, the mobilization plan is just one element of what we do at the OpenSSF. It's about sprinkling some accelerant on top of existing efforts. At the core of OpenSSF, though, we are an open source project like any other you'd find, where anybody can contribute, where anybody can use the tools and benefit from the standards and all the goodness coming out, and the docs and the guides. I mean, there's too much to mention. This is about just trying to sprinkle, you know, douse a little bit of fuel on these different efforts and make that work. So come in and check out the plan, but do check out the rest of what's going on inside OpenSSF, and, apologies to James Brown for stealing his riff, but get involved. And with that, I think I'd like to pass the baton back to Krobe. Thank you all.