►
From YouTube: OpenSSF Day at OSS NA - Finding LibRaska: The Open Source Library that Props up our Infrastructure
Description
OpenSSF Day at Open Source Summit North America - Finding LibRaska: The Open Source Library that Props up our Infrastructure - Julia Ferraioli; Caleb Brown, Google; Amir Montazery, OSTIF
A
A
A
This
next
session
features
some
top
talent
here
and
we
are
here
to
chat
about
finding
and
and
securing
stuff.
Oh,
I
edit
all
that
to
the
document.
That's
pretty
cool,
so
it's
about
finding
and
supporting
critical
open
source
projects
so
for
our
first
panelist
is
amir
montezeri
he's
the
managing
director
of
ostif,
the
open
source
technology
improvement
fund.
It's
a
non-profit
organization
that
provides
tools,
services
and
audits
and
support
for
open
source
projects.
So
amir,
please
find
this
stool
of
your
liking.
A
Next,
to
amir
is
going
to
be
caleb
brown,
he's
a
software
engineer,
working
in
google's
open
source
security
team
on
finding
critical
projects
and
analyzing
behavior
of
open
source
packages,
so
caleb,
please
come
find
a
stool
and
finally,
we
have
julie
faroli.
She
is
a
developer
researcher,
an
open
source,
maintainer
and
podcaster
yay.
A
One
of
my
favorite
hobbies.
She
is
active
in
the
open,
ssf
community,
helping
with
the
securing
critical
projects
working
group
and
researching
project
criticality,
while
advocating
for
solutions
that
work
with
open
source
maintainers.
So
this
is
our
last
presentation
before
lunch,
no
pressure
panel
to
stay
on.
B
A
C
B
B
D
So
I'm
I'm
julia,
I
am
technically.
I
am
officially
an
open
source,
technical
leader
at
cisco.
That's
my
pretty
pretty
awesome
title
and
I'm
also
the
co-maintainer
or
co-founder
of
open
source
stories,
a
community
driven
project
to
capture
untold
narratives
in
open
source
and
my
pronouns.
Are
she
her
and
I'll
pass
it
off
to
caleb.
E
G'day,
I'm
caleb
and
you
can
tell,
by
the
accent
I'm
not
from
this
country,
I'm
with
google
on
the
google
open
source
security
team,
a
few
of
us
here
and
yeah,
as
mentioned
before.
I
work
on
the
criticality
scoring
project
and
the
package
analysis
project,
which
is
lots
of
fun,
so
very
interested
in
today's
topic.
Yeah,
my
pronouns.
Are
he
and
yeah.
C
B
And
I'm
amir
from
ostifostiff
we
as
a
as
crow
mentioned.
We
focus
on
solving
the
problem
of
securing
critical
projects
that
has
been
manifested
through
coordinated,
managed,
audits,
security
audits,
which
I
guess
will
be
a
good
segue
into
kind
of
why
we're
interested
in
the
topic.
So
I
can
kind
of
veer
into
that
and
then
I'd
love
to
hear
your
perspectives,
but
I'm
involved.
The
reason
I
care
about
this
problem
is
because,
as
mentioned
earlier,
our
organization
is
working
really
hard
to
try
and
solve
this
problem.
B
We're
doing
a
lot
of
audits
and
of
open
source
projects
and
in
doing
that,
trying
to
find
better
ways
to
identify
those
projects
that
are
just
so
important
that
everyone
depends
on
but
might
be
overlooked
by,
maybe
some
tooling,
or
we
were
actually
just
having
a
good
conversation
outside
about
community
size
as
a
metric,
how
that
can
be
a
little
bit
misleading
and
so
so
yeah.
I
I'd
like
to
think
I'm
very
close
to
the
problem
and
happy
to
share
experiences.
Doing
that
with
everyone
today
and
yeah
should
be.
E
Good
okay,
I
I'm
interested
in
this
project
because
I'd
like
to
avoid
another
log
for
shell,
I
don't
know
how
many
people
were
involved
in
rolling
incident
management
on
this
in
the
room,
but
I
fortunately
I
wasn't.
There
were
people
on
our
team
who
were
so
getting
ahead
of
that
the
next
one
of
those
would
be
really
good,
and
hopefully
it's
not
a
zero
day.
So
that's
one
interest,
I'm
also
interested
in
this.
D
D
B
Very
cool
and
as
a
work
group,
the
securing
critical
projects
working
group-
this
has
been
one
of
our
main
objectives-
is
coming
up
with
a
well
well
fleshed
out
list
of
you
know
the
most
critical
projects
out
there
and
that
the
idea
or
the
the
intention
for
that
is
to
kind
of
help.
As
julia
mentioned,
guide
resources
to
put
attention
on
projects
that
probably
could
use
the
help,
because
I've
never
come
across
an
open
source
project.
That
said,
no,
we
don't
need
any
help
at
all,
please!
No,
so
so.
B
Finding
those
projects
and
and
being
able
to
support
them
proactively
is
has
been
a
big
part
of
what
we've
been
doing
as
a
work
group,
but
it
has
not
come
without
its
challenges
because,
as
you
know,
lists
are
hard
just
inherently
you're,
never
gonna
have
a
perfect
list
that
will
appeal
to
everybody
and
and
and
based
on
how
they
consume
open
source,
but
being
able
to
at
least
come
up
with
something
again.
It
does
we're
under
the
impression
that
it
doesn't
have
to
necessarily
be
perfect.
B
It
never
is
going
to
be
perfect,
but
I
invite
my
fellow
panelists
to
talk
about
kind
of
what
have
been
some
of
the
challenges,
with
kind
of
getting
consensus
on
that
even
measuring
that,
and
maybe
from
from
your
previous
experience
too.
If
you
want
to
talk
about,
you
know
how
lessons
learned
from
there
yeah.
Let's
do
that.
D
Yeah,
so
one
of
the
big
challenges
that
that
we
identified
early
on
is
the
the
trouble
of
comparison
right.
We've
got
a
lot
of
different
types
of
open
source
projects
out
there
and
I'm
I'm
pretty
sure
that
by
the
time
I
finish
speaking
this
sentence,
there
would
be
like
five
or
ten
more
started,
so
that
might
be
a
floor
actually,
but
they're
shaped
very
very
differently.
D
They
serve
different
functions
and
one
of
the
starting
points
that
I
took
was
from
nadia
egball's
rhodes
and
bridges
publication
from
the
ford
foundation,
where
she
categorized
a
bunch
of
diff,
a
bunch
of
different
types
of
open
source
projects
and
it
included
like
databases,
libraries
frameworks,
etc,
and
until
you
slice
and
dice
open
source
projects
you're
going
to
wind
up
with
one
list.
That
is
not
representative
right
and
we
found
this
with
languages
as
well.
Do
you
want
to
talk
about
the
the
problem
with
with
languages?
Sure.
B
Yeah,
I
think
it's
a
fantastic
point
that
again
there
really
is
no
absolute
here,
but
the
fact
one
being
that
and
and
I
like
how
ann
retucio
had
this
on
the
first
line
open
source
just
inherently-
is
critical.
So
I
think
one
of
the
challenges
is
really
kind
of
just
drawing
the
line
in
the
sand
and
starting
from
somewhere,
because
you
know
in
the
time
it
takes
to,
let's
say,
gain
consensus
on
a
project.
B
There
could
very
well
be
plenty
of
new
projects
being
introduced
vulnerabilities
and
in
these
projects
being
exploited,
that
aren't
being
found
proactively
so
really
just
having
something
and
then
having
something
actionable
to
start
moving
forward
in
terms
of
going
from
identifying
projects
to
actually
taking
steps
towards
securing
them,
and
I
personally
am
much
more
in
the
you
know:
don't
let
perfect
be
the
enemy
of
good
and
you
know
sure.
If
you
survey,
let's
say
a
thousand
people,
whether
project,
x
or
y,
is
critical.
B
E
Yeah,
this
is
one
of
the
challenges.
Is
you
don't
know
where
the
software
is
being
used?
You
don't
know
the
data
that
it
is
using
to
secure.
What
is
the
value
of
the
system
that
this
software
is
being
used
within
is
really
hard
to
quantify,
and
so,
if
you
actually
want
to
measure
the
real
impact
of
what?
What
really
is
critical
you'd,
be
able
to
like
be
a
god
omniscient
and
be
able
to
see
all
the
applications
of
a
piece
of
software
and
know?
But
unfortunately
we
don't
have
that.
D
E
Yeah,
I
think,
there's
there's
I'm
I'm
hoping
in
the
future.
Things
like
s-bombs
and
git
bombs
and
other
ways
of
cataloging
software
and
dependencies
helps
in
this
process,
but
I
think
it's
going
to
be
an
evolutionary
process
where,
over
time,
as
things
like
s-bombs
are
adopted
and
the
companies
are
more,
I
guess
happy
to
be
revealing
this
sort
of
information
that
you'll
over
time
be
able
to
get
a
better
sense
of
how
critical
software
is
being
used
across
the
ecosystem.
D
D
B
Yeah,
but
the
good
thing
is
is
at
least
the
move.
The
needle
is
moving
forward,
despite
it
being
a
constantly
moving
target,
which
makes
it
even
more
challenging,
but
you
have
like
research
like
like
the
census,
2
research
that
did
a
lot
of
work
on
finding.
You
know
what
are
the
most
used
repositories
and
other
research
going
on
in
the
space
is
helping
moving
the
needle,
but
it
is.
It
is
definitely
a
challenge.
Absolutely.
E
Like
how
do
you
do
that
at
scale
and
like
keep
it
up
to
date
as
well
like
the
harvard
census,
is
like
takes
time
to
produce
it's
a
point
in
time
view
of
things
but
like
like
the
more
more
open
source
projects
being
created
every
second,
like
it's,
a
changing
landscape
and
my
problem
with
that?
The
picture
up
there
is
that
it's
that's
a
point
in
time
picture
and
someone
can.
The
nebraska
guy
can
like
add
another
dependency
to
that
tiny
little
thing
there
and
like
suddenly,
your
whole
picture
changes.
B
E
So
like
python
or
node,
you
can
see
that
it
doesn't
easily
track
across
transitive
dependencies
that
sort
of
research,
I've
seen
other
research
in
the
space
around
truck
factor
and
like
trying
to
understand
like
how
many
people
have
a
cognitive
understanding
of
a
piece
of
code
and
using
what
the
get
the
data
and
get
or
in
your
software
repository
to
answer
that
question.
Other
researchers
looked
at
like
how
do
what's
the
time
around
the
issue
resolution
and
those
sorts
of
questions
as
well.
E
You
can
also,
if
you
want
to
take
in
other,
inter
data
as
well,
maybe
the
number
of
source
lines
of
code.
Maybe
who
are
the
organizations
contributing?
Is
there
a
diversity
there
in
that
space?
So
there's
lots
of
metrics
and
when
we
start
to
formulate
some
automation
and
scoring
around
this,
we
really
want
to
look
towards
academic
research
in
this
space.
To
be
able
to
like
have
some
sensible
reason
for
actually
using
something
or
including
a
metric
or
a
signal
in
trying
to
calculate
those
scores.
Does
that
help
answer
the
question?
D
Anything
I
have
so
many
opinions,
oh
my
goodness,
so
academic
research.
Yes,
I
think
we
need
to
be
more
involved
in
in
participating
in
guiding
academic
research.
We
are
seeing
more
and
more
ins
research
institutions
having
an
an
ospo
and
open
source
programs
office
that
can
help
them
understand
open
source
software
better,
but
they're.
They
still
need
some
guidance,
because
open
source
isn't
necessarily
built
into
their
dna.
The
way
that
it
is
for
many
of
us
here.
D
The
problem
that
I
see
with
academic
research
is
that
they
keep
falling
into
the
same
pit
of
assuming
that
github
is
your
source
of
truth,
and
that
is
very
problematic
from
for
a
bunch
of
different
reasons
and
there's
also
the
the
idea
that
metrics
all
metrics
are
good
metrics,
no
they're,
not
all
data
is
good
data.
No,
it's
not.
I
need
to
finish
a
paper
actually
that
a
position
paper
on
this
on
this
subject,
that's
sitting
in
my
open
drafts
folder,
but.
D
B
Qualitative
data
is
important
too,
which
is
why
one
thing
that
I've
been
trying
to
incorporate
into
our
process
is
some
type
of
like
a
community
curation
kind
of
a
thing
where
we
can.
We
can
source
that
kind
of
those
qualitative
data
metrics
that
might
not
be
apparent
on
on
a
tool
or
by
looking
at
a
github
or
something
like
that.
B
C
So
really,
sorry
is
this
one:
oh
great,
okay,
totally
load
all
the
different
perspectives
on
the
panel.
One
thing
that
we're
pretty
concerned
about
is
a
lot
of
the
attention
has
been
on
the
modern
application,
development
side
of
things,
and
so
we
use
the
term
critical
infrastructure,
meaning
I.t,
but
in
fact
right,
the
things.
C
Lives
and
safety
tend
to
be
the
most
under-measured,
whether
it's
embedded
systems
or
medical
devices,
or
you
know
the
things
that
go
boom
or
fizzle
and
at
last
that's
one
of
the
weaknesses
in
frank's
study.
You
guys
have
some
thoughts
about
how
we
can
engage
in
those
software
communities
and
get
better
visibility.
D
So
I
I
I
noped
out
of
getting
a
a
medical
device
implanted
because
they
couldn't
tell
me
about
the
the
security
and
I'm
like
I
do
not
want
some
random
person
administering
shocks
to
my
spinal
cord.
Thank
you
very
much.
So
yes,
that's.
I
think
we
are
overly
focused
on
our
our
pro
representative
companies
interests
right.
F
E
C
G
Hi,
so
I'm
not
from
the
alisa
group,
I'm
from
open
uk
hi
we've
been
working
quite
a
lot
and
trying
to
find
better
data
and
better
metrics,
and
I
personally
don't
like
the
way
we
measure
the
economic
value.
I
think
we
look
at
total
cost
of
ownership,
which
is
very
out
of
date.
We
look
at
lines
of
code
in
we
look
at
number
of
developers.
G
We
also
are
looking
beyond
economic
value
and
we
think
one
of
the
biggest
things
that
we
have
as
an
open
source
community
is
all
the
additional
value
we
add
to
society.
It's
it's
not
something
that
can
be
measured
in
money
and
we
will
launch
our
sustainability
day
in
november.
What
we're
calling
societal
value,
metrics
there'll,
be
a
v1
and
we
need
lots
of
help
to
make
them
better
and
better.
But
we've
started
with
the
sustainable
development
goals.
G
E
E
But
I
think
yeah
we
at
the
same
time
keep
working
on
like
using
the
ones
that
we've
got
to
to
try
and
like
calculate
or
determine
what
we
know
so
far
is
the
critical
stuff
so
that
we
can
invest
in
that
area.
But
let's
improve
the
signal
collection
so
that
we
can
make
sure
that
we're
not
missing
something
that
is
actually
really
critical,
that
we
haven't
seen.
That's
yeah,
hiding
down
the
pile
of
things
and.
D
D
B
H
H
If
you
sample
the
graph
of
dependencies
on
a
monday,
you
will
get
different
critical
packages
than
if
you
sample
the
graph
on
friday.
This
means
that
it
is
not
that
easy
to
just
say:
hey
this
10
packages
are
the
ones
that
we
really
need
to
to
take
care
of,
but
rather
when
do
we
need
to
incentivize,
or
how
can
we
stabilize
this
graph
so
so
that
we
can
actually
start
working
on
it?.
D
So
I'll
take
a
stab
at
the
the
first
part
of
the
question.
I
think
and
and
correct
me.
If
I'm
getting
off
topic,
please
I
tend
to
do
that.
So
I
think
that
there
are
there.
There
is
research
around
the
cross
ecosystem
analysis
right,
there's
the
the
the
project
ocean,
which
is
open
source,
complex
ecosystems
and
networks
coming
out
of
the
uvm
complex
system
center.
D
E
E
But
at
least
that's
what
I'm
thinking
at
the
moment
in
terms
of
like
the
future
and
how
to
make
that
better
yeah.
I
think
we
like
I'm
just
being
able
to
measure
the
dependent
relationships
will
be
really
important,
but
I
don't
think
we're
ever
gonna
get
away
from
having
to
live
with,
like
the
graph
changing
all
the
time.
C
B
I
think
you
make
a
great
point
as
well.
It
definitely
seems
like
lots
of
times
when
we're
trying
to
answer
these
questions,
that
there
are
common
denominators
or
projects
that
typically
do
come
up
time
and
time
again,
which
I
think
at
that
point,
it's
safe
to
say
that
this
is
probably
a
pretty
critical
project.
I
mean
if
it
comes
up
in
all
the
no
matter,
how
you
think
about
the
question.
It
comes
up
that
you
keep
getting
those
projects
and
that
could
be
a
great
place
to
start.
B
B
B
So
I
think
there
needs
to
be
a
little
bit
of
both
in
terms
of
you
know,
doing
the
research,
but
also
it's
a
little
bit
of
experimentation
or
or
trying
things
to
actually
move
the
needle
here
and-
and
I
think,
lots
of
times
those
types
of
experiences
produce
those
kind
of
results
where,
like
hey,
you
know
we
audited
project
a
and
saw
that
project
b
seems
very
important.
So
you
know
that
could
be
something
to
look
into
or
so
yeah.
So
I'm
not
sure
where
I
was
going
with
that,
but.
E
It's
like
criticality
is
like
one
person's
critical
project.
Is
someone
might
not
care
at
all,
and
so
there's
a,
I
think,
part
of
the
the
discussion
around.
What
is
critical
is
that
everybody
has
kind
of
a
slightly
different
opinion
about
it.
Like
is
something
that's
been
receiving.
Investment
in
the
security
space
actually
critical
is,
or
is
this
thing
that's
got
a
corporate
backer.
Is
that
a
critical
project?
So
there's
lots
of
questions
around
lots
of
questions
yeah
and.
D
B
D
E
E
F
Hey,
I
just
really
wanted
to
return
to
this
idea
of
like
criticality
in
terms
of
ecosystems
right,
because
I
think
something
that
we
missed
in
this
discussion
so
far
is
how
different
that
looks
when
you
slice
it
by
language
right.
That's
really
the
differentiating
factor
here
right.
Is
it
a
chaos
model
or
is
it
a
top
down?
We've
decided
that
we're
incubating
these
projects
as
an
ecosystem
right.
F
Those
are
two
very
different
approaches
to
deciding
what
we
prioritize
for
security
and
what
we
grow
with
as
a
global
community.
So
it's
it's
something
that
I'm
reflecting
on
right
now
in
my
own
role,
because
I
have
to
look
at
this
across
different
ecosystems
and
I'm
seeing
it
probably
the
differentiator
between
what
languages
are
still
going
to
be
used
in
10
years
and
what
aren't
right,
because
if
your
idea
of
criticality
is
changing
on
a
week-to-week
basis,
that's
not
what
I
would
consider
a
stable
ecosystem.
B
B
You
have
a
lot
of
emerging
technologies
projects
that
could
very
well
become
the
de
facto
standard
in
five
ten
years
and
recognizing
that
as
soon
as
possible
and
taking
steps
towards
securing
those
projects
is
a
great
approach
because
you're
able
to
be
proactive
and
even
help
increased
adoption
of
those
projects
by
recognizing
them,
as
as
kind
of
maybe
edge
cases
or
emerging
projects.
That
could
be
new
standards
lots
of
times
it
just
goes
back
to,
I
think,
the
curation
piece.
B
E
Yeah,
I
think
ecosys
like
looking
at
each
looking
at
ecosystems
and
trying
to
kind
of
invest
in
understanding
each
one
is
really
valuable.
I
think
we
focus
a
lot
on
the
ones
that
have
easy
data
to
get
at
so
and
and
ones
that
have
high
profile
incidents,
but
like,
for
example,
python
and
node
very
easy
to
to
measure
their
dependence.
They're
used
a
lot
in
web
spaces,
and
so
the
attacks
are
frequent.
E
They
may
not
have
the
highest
impact,
though
it's
harder
in
the
iot
space
or
in
medical
devices
than
those
things
a
lot
of
that's
embedded
code,
and
we
don't
have
a
heap
of
visibility
in
that
space
and
those
languages
that
they
use.
There
are
ones
that
may
not
have
as
much
memory
safety
or
those
sorts
of
things,
so
there's
greater
exposure
there.
D
The
way
that,
like
it,
it
goes
in
my
head,
is,
I
think,
in
matrices.
So
I
think
in
like
okay.
Well,
we've
got,
we've
got
a
a
python
project
that
does
this
there's
this
type
of
this
shape
of
project,
and
we
can
add
on
dimensions
as
we
see
fit,
right
and
being
able
to
compare
like
to
like
or
like
ish
to
like
ish
is
is
hard,
but
I
think
worth
it
so.
B
So
we
could
probably
take
one
more
question
if
there,
if
someone
has
a
burning
question,
otherwise
we
will
be
around
most
of
the
week.
So
if
you'd
like
to
talk
about
this,
please
you
know,
let
us
know
highly
recommend
joining
the
or
participating
in
the
securing
critical
projects
working
group
to
talk
about
this,
and
I
just
want
to
thank
everybody.
I.