►
From YouTube: OpenSSF Day at OSS NA - Finding LibRaska: The Open Source Library that Props up our Infrastructure
Description
OpenSSF Day at Open Source Summit North America - Finding LibRaska: The Open Source Library that Props up our Infrastructure - Julia Ferraioli; Caleb Brown, Google; Amir Montazery, OSTIF
A
A
So
up
next,
we
have
oh
dear,
don't
do
that
we
have
a
pretty
exciting
treat
for
us
all.
Stop
that
we
have
a
panel
panel
yeah.
A
This
next
session
features
some
top
talent
here
and
we
are
here
to
chat
about
finding
and
and
securing
stuff.
Oh,
I
edit
all
that
to
the
document.
That's
pretty
cool,
so
it's
about
finding
and
supporting
critical
open
source
projects
so
for
our
first
panelist
is
amir
montezeri
he's
the
managing
director
of
ostif,
the
open
source
technology
improvement
fund.
It's
a
non-profit
organization
that
provides
tools,
services
and
audits
and
support
for
open
source
projects.
So
amir,
please
find
this
stool
of
your
liking.
A
Next,
to
amir
is
going
to
be
caleb
brown,
he's
a
software
engineer,
working
in
google's
open
source
security
team
on
finding
critical
projects
and
analyzing
behavior
of
open
source
packages,
so
caleb,
please
come
find
a
stool
and
finally,
we
have
julie
faroli.
She
is
a
developer
researcher,
an
open
source,
maintainer
and
podcaster
yay.
A
One
of
my
favorite
hobbies.
She
is
active
in
the
open,
ssf
community,
helping
with
the
securing
critical
projects
working
group
and
researching
project
criticality,
while
advocating
for
solutions
that
work
with
open
source
maintainers.
So
this
is
our
last
presentation
before
lunch,
no
pressure
panel
to
stay
on.
B
A
C
B
B
So
I'm
super
excited
to
be
here
with
my
fellow
panelists,
and
I
guess
we
didn't
really
talk
about
how
we
would
like
formally
start
but
really
excited
to
be
here.
Julia
yeah.
D
So
I'm
I'm
julia,
I
am
technically.
I
am
officially
an
open
source,
technical
leader
at
cisco.
That's
my
pretty
pretty
awesome
title
and
I'm
also
the
co-maintainer
or
co-founder
of
open
source
stories,
a
community
driven
project
to
capture
untold
narratives
in
open
source
and
my
pronouns.
Are
she
her
and
I'll
pass
it
off
to
caleb.
E
G'day,
I'm
caleb
and
you
can
tell,
by
the
accent
I'm
not
from
this
country,
I'm
with
google
on
the
google
open
source
security
team,
a
few
of
us
here
and
yeah,
as
mentioned
before.
I
work
on
the
criticality
scoring
project
and
the
package
analysis
project,
which
is
lots
of
fun,
so
very
interested
in
today's
topic.
Yeah,
my
pronouns.
Are
he
and
yeah.
C
B
And
I'm
amir
from
ostifostiff
we
as
a
as
crow
mentioned.
We
focus
on
solving
the
problem
of
securing
critical
projects
that
has
been
manifested
through
coordinated,
managed,
audits,
security
audits,
which
I
guess
will
be
a
good
segue
into
kind
of
why
we're
interested
in
the
topic.
So
I
can
kind
of
veer
into
that
and
then
I'd
love
to
hear
your
perspectives,
but
I'm
involved.
The
reason
I
care
about
this
problem
is
because,
as
mentioned
earlier,
our
organization
is
working
really
hard
to
try
and
solve
this
problem.
B
Taking
from
some
leading
research
and
vulnerabilities
shows
that
lots
of
times
to
find
those
really
deep-seated
problems
and
those
vulnerabilities
and
software
projects,
you
really
need
to
dig
deep
and
and
go
in
to
find
to
find
the
juicy
bugs
so
to
speak,
so
by
doing
that
for
the
last
seven
years-
and
you
know,
thankfully,
with
openssf
and
a
lot
of
the
foundations
and
larger
organizations
starting
to
care
about
this
problem
more
and
be
much
more
actively
involved
in
it.
B
We're
doing
a
lot
of
audits
and
of
open
source
projects
and
in
doing
that,
trying
to
find
better
ways
to
identify
those
projects
that
are
just
so
important
that
everyone
depends
on
but
might
be
overlooked
by,
maybe
some
tooling,
or
we
were
actually
just
having
a
good
conversation
outside
about
community
size
as
a
metric,
how
that
can
be
a
little
bit
misleading
and
so
so
yeah.
I
I'd
like
to
think
I'm
very
close
to
the
problem
and
happy
to
share
experiences.
Doing
that
with
everyone
today
and
yeah
should
be.
E
Good
okay,
I
I'm
interested
in
this
project
because
I'd
like
to
avoid
another
log
for
shell,
I
don't
know
how
many
people
were
involved
in
rolling
incident
management
on
this
in
the
room,
but
I
fortunately
I
wasn't.
There
were
people
on
our
team
who
were
so
getting
ahead
of
that
the
next
one
of
those
would
be
really
good,
and
hopefully
it's
not
a
zero
day.
So
that's
one
interest,
I'm
also
interested
in
this.
E
In
helping
people
who
consume
open
source
to
understand,
I
guess
their
exposure
and
their
risk
and
hopefully
motivate
them
towards
investing
in
improving
that
particularly
the
ones
that
are
like
log4j,
where
there's
a
small
handful
of
developers
working
really
hard
and
being
able
to
invest
their
resources
that
they've
got
into
that
into
those
places
that
really
need
it
to
improve
the
security
for
the
entire
ecosystem.
D
Well
said
thanks,
so
I
I
work,
I
have
worked
in
open
source
programs,
offices
and
in
different
companies,
and
I
think
my
interest
boils
down
to
pain
management,
because
I
am
not
the
person
fixing
the
bugs
I'm
the
person
managing
like
the
efforts
to
figure
out
who's
using
all
of
these
open
source
packages
and
worse
who's
responsible
for
fixing
them,
and
so
I
I
really
want
to
help
people
avoid
the
pain
of
having
to
drop
their
entire
work,
their
entire
life
to
go
and
fix
their
open
source
dependencies,
and
I
started
doing
research
in
this,
and
maybe
it
was
like
20
2018.
D
I
was
actually
at
google
at
the
time
looking
into
where
investment
should
be
where
like.
If
something
fell
over
like
happened
in
2014.
D
If
you
remember
2014
2015
a
couple
of
times
actually
like
how
can
we
respond
faster?
How
can
we
figure
out
that
some
of
these
projects
need
extra
help,
and
so
I
developed
a
framework
to
help
identify
those
projects
that
I
think
are
released
at
somewhere.
So.
B
Very
cool
and
as
a
work
group,
the
securing
critical
projects
working
group-
this
has
been
one
of
our
main
objectives-
is
coming
up
with
a
well
well
fleshed
out
list
of
you
know
the
most
critical
projects
out
there
and
that
the
idea
or
the
the
intention
for
that
is
to
kind
of
help.
As
julia
mentioned,
guide
resources
to
put
attention
on
projects
that
probably
could
use
the
help,
because
I've
never
come
across
an
open
source
project.
That
said,
no,
we
don't
need
any
help
at
all,
please!
No,
so
so.
B
Finding
those
projects
and
and
being
able
to
support
them
proactively
is
has
been
a
big
part
of
what
we've
been
doing
as
a
work
group,
but
it
has
not
come
without
its
challenges
because,
as
you
know,
lists
are
hard
just
inherently
you're,
never
gonna
have
a
perfect
list
that
will
appeal
to
everybody
and
and
and
based
on
how
they
consume
open
source,
but
being
able
to
at
least
come
up
with
something
again.
It
does
we're
under
the
impression
that
it
doesn't
have
to
necessarily
be
perfect.
B
It
never
is
going
to
be
perfect,
but
I
invite
my
fellow
panelists
to
talk
about
kind
of
what
have
been
some
of
the
challenges,
with
kind
of
getting
consensus
on
that
even
measuring
that,
and
maybe
from
from
your
previous
experience
too.
If
you
want
to
talk
about,
you
know
how
lessons
learned
from
there
yeah.
Let's
do
that.
D
Yeah,
so
one
of
the
big
challenges
that
that
we
identified
early
on
is
the
the
trouble
of
comparison
right.
We've
got
a
lot
of
different
types
of
open
source
projects
out
there
and
I'm
I'm
pretty
sure
that
by
the
time
I
finish
speaking
this
sentence,
there
would
be
like
five
or
ten
more
started,
so
that
might
be
a
floor
actually,
but
they're
shaped
very
very
differently.
D
They
serve
different
functions
and
one
of
the
starting
points
that
I
took
was
from
nadia
egball's
rhodes
and
bridges
publication
from
the
ford
foundation,
where
she
categorized
a
bunch
of
diff,
a
bunch
of
different
types
of
open
source
projects
and
it
included
like
databases,
libraries
frameworks,
etc,
and
until
you
slice
and
dice
open
source
projects
you're
going
to
wind
up
with
one
list.
That
is
not
representative
right
and
we
found
this
with
languages
as
well.
Do
you
want
to
talk
about
the
the
problem
with
with
languages?
Sure.
B
Yeah,
I
think
it's
a
fantastic
point
that
again
there
really
is
no
absolute
here,
but
the
fact
one
being
that
and
and
I
like
how
ann
retucio
had
this
on
the
first
line
open
source
just
inherently-
is
critical.
So
I
think
one
of
the
challenges
is
really
kind
of
just
drawing
the
line
in
the
sand
and
starting
from
somewhere,
because
you
know
in
the
time
it
takes
to,
let's
say,
gain
consensus
on
a
project.
B
There
could
very
well
be
plenty
of
new
projects
being
introduced
vulnerabilities
and
in
these
projects
being
exploited,
that
aren't
being
found
proactively
so
really
just
having
something
and
then
having
something
actionable
to
start
moving
forward
in
terms
of
going
from
identifying
projects
to
actually
taking
steps
towards
securing
them,
and
I
personally
am
much
more
in
the
you
know:
don't
let
perfect
be
the
enemy
of
good
and
you
know
sure.
If
you
survey,
let's
say
a
thousand
people,
whether
project,
x
or
y,
is
critical.
B
You'll,
probably
get
you
know
a
relatively
high
percentage
of
those
saying
yes,
so
really
just
trying
to
move
the
needle
forward
and,
as
you
said,
yes,
languages
play
a
part
platforms.
B
Even
the
functionalities
of
of
the
projects
you
know
is
a
you
know,
a
project
that
runs
that
may
not
be
used
by
a
lot
of
people,
but
is
a
critical
part
of
the
large
hadron
collider
project
I
mean.
Is
that
critical
I
mean.
E
Yeah,
this
is
one
of
the
challenges.
Is
you
don't
know
where
the
software
is
being
used?
You
don't
know
the
data
that
it
is
using
to
secure.
What
is
the
value
of
the
system
that
this
software
is
being
used
within
is
really
hard
to
quantify,
and
so,
if
you
actually
want
to
measure
the
real
impact
of
what?
What
really
is
critical
you'd,
be
able
to
like
be
a
god
omniscient
and
be
able
to
see
all
the
applications
of
a
piece
of
software
and
know?
But
unfortunately
we
don't
have
that.
D
I
think
that's
that's
a
good
segue
to
one
of
the
points
that
was
made
earlier
in
the
day
is
that
we
don't
have
the
telemetry
that
we
used
to.
We
don't
have
the
trust
and
when
it
comes
to
securing
infrastructure
and
identifying
the
projects
most
critical
for
infrastructure.
However,
you
define
that.
E
Yeah,
I
think,
there's
there's
I'm
I'm
hoping
in
the
future.
Things
like
s-bombs
and
git
bombs
and
other
ways
of
cataloging
software
and
dependencies
helps
in
this
process,
but
I
think
it's
going
to
be
an
evolutionary
process
where,
over
time,
as
things
like
s-bombs
are
adopted
and
the
companies
are
more,
I
guess
happy
to
be
revealing
this
sort
of
information
that
you'll
over
time
be
able
to
get
a
better
sense
of
how
critical
software
is
being
used
across
the
ecosystem.
E
So
one
day,
hopefully
we
have
that
ability
to
see
what's
how
things
are
being
used,
but
I
think
there's
a
there's
a
process
and
a
time
when
that
will
be
the
case.
D
And
a
wish
list
like
dependencies
and
dependency
count
and
software
composition.
Analysis
is
great,
but
also
I
want
to
see
how
much
time
is
being
spent
on
in
processes
in
functions
when
they're
being
run,
because
you
know
my
my
favorite
example
for
critical
software
is
is
a
a
fortran
package.
D
Yes
blast.
Thank
you.
Thank
you
mark,
so
that
a
lot
of
time,
a
lot
of
processing
time
is
spent
in
blast,
and
it's
probably
not
on
a
lot
of
people's
radar.
B
Yeah,
but
the
good
thing
is
is
at
least
the
move.
The
needle
is
moving
forward,
despite
it
being
a
constantly
moving
target,
which
makes
it
even
more
challenging,
but
you
have
like
research
like
like
the
census,
2
research
that
did
a
lot
of
work
on
finding.
You
know
what
are
the
most
used
repositories
and
other
research
going
on
in
the
space
is
helping
moving
the
needle,
but
it
is.
It
is
definitely
a
challenge.
Absolutely.
E
Like
how
do
you
do
that
at
scale
and
like
keep
it
up
to
date
as
well
like
the
harvard
census,
is
like
takes
time
to
produce
it's
a
point
in
time
view
of
things
but
like
like
the
more
more
open
source
projects
being
created
every
second,
like
it's,
a
changing
landscape
and
my
problem
with
that?
The
picture
up
there
is
that
it's
that's
a
point
in
time
picture
and
someone
can.
The
nebraska
guy
can
like
add
another
dependency
to
that
tiny
little
thing
there
and
like
suddenly,
your
whole
picture
changes.
B
Yes,
what
type
of
metrics
are
we
looking
at
when
we're
talking
about
or
measuring
criticality
caleb?
Do
you
want
to
talk
about
that.
E
A
little
so
I
I'm
still
getting
up
to
speed
on
all
the
the
research
and
papers
that
are
available
some
of
the
ones
I've
seen
are
based
on
dependencies
and
and
looking
at
how
they
work
that
works
in
languages
that
have
clear
dependent
data.
E
So
like
python
or
node,
you
can
see
that
it
doesn't
easily
track
across
transitive
dependencies
that
sort
of
research,
I've
seen
other
research
in
the
space
around
truck
factor
and
like
trying
to
understand
like
how
many
people
have
a
cognitive
understanding
of
a
piece
of
code
and
using
what
the
get
the
data
and
get
or
in
your
software
repository
to
answer
that
question.
Other
researchers
looked
at
like
how
do
what's
the
time
around
the
issue
resolution
and
those
sorts
of
questions
as
well.
E
You
can
also,
if
you
want
to
take
in
other,
inter
data
as
well,
maybe
the
number
of
source
lines
of
code.
Maybe
who
are
the
organizations
contributing?
Is
there
a
diversity
there
in
that
space?
So
there's
lots
of
metrics
and
when
we
start
to
formulate
some
automation
and
scoring
around
this,
we
really
want
to
look
towards
academic
research
in
this
space.
To
be
able
to
like
have
some
sensible
reason
for
actually
using
something
or
including
a
metric
or
a
signal
in
trying
to
calculate
those
scores.
Does
that
help
answer
the
question?
D
Anything
I
have
so
many
opinions,
oh
my
goodness,
so
academic
research.
Yes,
I
think
we
need
to
be
more
involved
in
in
participating
in
guiding
academic
research.
We
are
seeing
more
and
more
ins
research
institutions
having
an
an
ospo
and
open
source
programs
office
that
can
help
them
understand
open
source
software
better,
but
they're.
They
still
need
some
guidance,
because
open
source
isn't
necessarily
built
into
their
dna.
The
way
that
it
is
for
many
of
us
here.
D
The
problem
that
I
see
with
academic
research
is
that
they
keep
falling
into
the
same
pit
of
assuming
that
github
is
your
source
of
truth,
and
that
is
very
problematic
from
for
a
bunch
of
different
reasons
and
there's
also
the
the
idea
that
metrics
all
metrics
are
good
metrics,
no
they're,
not
all
data
is
good
data.
No,
it's
not.
I
need
to
finish
a
paper
actually
that
a
position
paper
on
this
on
this
subject,
that's
sitting
in
my
open
drafts
folder,
but.
D
B
Qualitative
data
is
important
too,
which
is
why
one
thing
that
I've
been
trying
to
incorporate
into
our
process
is
some
type
of
like
a
community
curation
kind
of
a
thing
where
we
can.
We
can
source
that
kind
of
those
qualitative
data
metrics
that
might
not
be
apparent
on
on
a
tool
or
by
looking
at
a
github
or
something
like
that.
B
So
as
important
as
the
the
quantitative
metrics
and
the
the
research
is,
I
I
think
the
the
sourcing
from
the
the
folks
actually
maintaining
projects
working
on
these
projects
is
going
to
be
an
important
data.
Point
too.
C
So
really,
sorry
is
this
one:
oh
great,
okay,
totally
load
all
the
different
perspectives
on
the
panel.
One
thing
that
we're
pretty
concerned
about
is
a
lot
of
the
attention
has
been
on
the
modern
application,
development
side
of
things,
and
so
we
use
the
term
critical
infrastructure,
meaning
I.t,
but
in
fact
right,
the
things.
C
Lives
and
safety
tend
to
be
the
most
under-measured,
whether
it's
embedded
systems
or
medical
devices,
or
you
know
the
things
that
go
boom
or
fizzle
and
at
last
that's
one
of
the
weaknesses
in
frank's
study.
You
guys
have
some
thoughts
about
how
we
can
engage
in
those
software
communities
and
get
better
visibility.
D
So
I
I
I
noped
out
of
getting
a
a
medical
device
implanted
because
they
couldn't
tell
me
about
the
the
security
and
I'm
like
I
do
not
want
some
random
person
administering
shocks
to
my
spinal
cord.
Thank
you
very
much.
So
yes,
that's.
I
think
we
are
overly
focused
on
our
our
pro
representative
companies
interests
right.
F
E
D
Yes,
yeah
and
I
think
that.
C
D
We
need
help
figuring
out
who
to
talk
to,
because
a
lot
of
the
people
aren't
here
right.
G
Hi,
so
I'm
not
from
the
alisa
group,
I'm
from
open
uk
hi
we've
been
working
quite
a
lot
and
trying
to
find
better
data
and
better
metrics,
and
I
personally
don't
like
the
way
we
measure
the
economic
value.
I
think
we
look
at
total
cost
of
ownership,
which
is
very
out
of
date.
We
look
at
lines
of
code
in
we
look
at
number
of
developers.
G
We
also
are
looking
beyond
economic
value
and
we
think
one
of
the
biggest
things
that
we
have
as
an
open
source
community
is
all
the
additional
value
we
add
to
society.
It's
it's
not
something
that
can
be
measured
in
money
and
we
will
launch
our
sustainability
day
in
november.
What
we're
calling
societal
value,
metrics
there'll,
be
a
v1
and
we
need
lots
of
help
to
make
them
better
and
better.
But
we've
started
with
the
sustainable
development
goals.
G
E
I
think
there's
a
in
terms
of
signal
quality.
I
think
there's
a
combination
of
keep
looking
for
better
signals
and
keep
finding
them
and-
and
it's
great
to
know
that
people
are
doing
that
and
that
there
is
investment
in
that
space.
E
But
I
think
yeah
we
at
the
same
time
keep
working
on
like
using
the
ones
that
we've
got
to
to
try
and
like
calculate
or
determine
what
we
know
so
far
is
the
critical
stuff
so
that
we
can
invest
in
that
area.
But
let's
improve
the
signal
collection
so
that
we
can
make
sure
that
we're
not
missing
something
that
is
actually
really
critical,
that
we
haven't
seen.
That's
yeah,
hiding
down
the
pile
of
things
and.
D
D
B
H
So
this
resonates
a
lot
with
the
work
that
I
criticized
from
academia
to
other
academics
to
follow
up
with
some
some
questions
around
what
we've
been
finding
on
on
my
lab,
we're
trying
to
understand
the
cross
ecosystem
analysis
rather
than
just
looking
at
say,
npm
and
docker
or
blah,
and
we
find
that
it's
really
highly
interconnected,
and
most
of
it
really
just
does
boil
down
to
the
linux
distros
right
if
you're
going
embedded,
you're
going
to
find
a
bunch
of
yukto
around
if
you're
going
embedded,
you're,
probably
going
to
find
some
free,
rtos
and
things
of
this
nature.
H
So
my
question
is:
why
don't
we
approach
say
those
communities
that
I
find
surprising,
sometimes
they're
not
very
engaged
with
a
linux
foundation
and
as
a
follow-up
which
may
be
a
little
tangential
another.
Finding
that
worried
me
a
lot
was
that
these
social
systems
are
actually
unstable.
H
If
you
sample
the
graph
of
dependencies
on
a
monday,
you
will
get
different
critical
packages
than
if
you
sample
the
graph
on
friday.
This
means
that
it
is
not
that
easy
to
just
say:
hey
this
10
packages
are
the
ones
that
we
really
need
to
to
take
care
of,
but
rather
when
do
we
need
to
incentivize,
or
how
can
we
stabilize
this
graph
so
so
that
we
can
actually
start
working
on
it?.
D
So
I'll
take
a
stab
at
the
the
first
part
of
the
question.
I
think
and
and
correct
me.
If
I'm
getting
off
topic,
please
I
tend
to
do
that.
So
I
think
that
there
are
there.
There
is
research
around
the
cross
ecosystem
analysis
right,
there's
the
the
the
project
ocean,
which
is
open
source,
complex
ecosystems
and
networks
coming
out
of
the
uvm
complex
system
center.
D
That
is
digging
into
this
and
it's
a
cross-disciplinary
approach.
So
that's
there
there
are
initiatives
out
there
you
you
do
have
to
kind
of
work
to
find
them.
So
that's
the
at
least
the
first
part
of
the
question.
I
think,
if
you
want
to.
E
E
It's
part
of
why
we
we
use
dependence
as
a
kind
of
proxy
for
the
impact
I
think
in
some
in
terms
of
my
thinking
about
it
has
been
to
kind
of
ignore
that
the
graph
is
changing,
because
the
things
that
are
really
critical,
the
number
of
people
depending
on
it
will
be
high
enough
that,
hopefully,
those
things
elevate
that
that
doesn't
work
so
well,
where
those
relationships
are
not
explicit.
E
But
at
least
that's
what
I'm
thinking
at
the
moment
in
terms
of
like
the
future
and
how
to
make
that
better
yeah.
I
think
we
like
I'm
just
being
able
to
measure
the
dependent
relationships
will
be
really
important,
but
I
don't
think
we're
ever
gonna
get
away
from
having
to
live
with,
like
the
graph
changing
all
the
time.
C
B
I
think
you
make
a
great
point
as
well.
It
definitely
seems
like
lots
of
times
when
we're
trying
to
answer
these
questions,
that
there
are
common
denominators
or
projects
that
typically
do
come
up
time
and
time
again,
which
I
think
at
that
point,
it's
safe
to
say
that
this
is
probably
a
pretty
critical
project.
I
mean
if
it
comes
up
in
all
the
no
matter,
how
you
think
about
the
question.
It
comes
up
that
you
keep
getting
those
projects
and
that
could
be
a
great
place
to
start.
B
B
When
you
have
again
different
needs,
different
uses
for
open
source,
and
there
really
is
no
absolute
there's,
not
a
lot
of
absolutes
in
open
source,
so
I
guess
in
life
in
general,
but
but
especially
in
open
source,
because
I
mean
even
I
mean
we
spent
a
good
amount
of
time
just
talking
about
what
critical
meant
you
know,
and
so.
B
I
think
we
have
yeah,
I
know,
but
no
we
certainly
have-
and
it
just
goes
to
show
that
I
think
it's
obviously
it's
very
important
to
think
about
the
problem
and
that's
something
we're
doing
a
lot
and
it's
nice
to
see
that
happening
on
such
a
broader
scale.
B
B
So
I
think
there
needs
to
be
a
little
bit
of
both
in
terms
of
you
know,
doing
the
research,
but
also
it's
a
little
bit
of
experimentation
or
or
trying
things
to
actually
move
the
needle
here
and-
and
I
think,
lots
of
times
those
types
of
experiences
produce
those
kind
of
results
where,
like
hey,
you
know
we
audited
project
a
and
saw
that
project
b
seems
very
important.
So
you
know
that
could
be
something
to
look
into
or
so
yeah.
So
I'm
not
sure
where
I
was
going
with
that,
but.
E
It's
like
criticality
is
like
one
person's
critical
project.
Is
someone
might
not
care
at
all,
and
so
there's
a,
I
think,
part
of
the
the
discussion
around.
What
is
critical
is
that
everybody
has
kind
of
a
slightly
different
opinion
about
it.
Like
is
something
that's
been
receiving.
Investment
in
the
security
space
actually
critical
is,
or
is
this
thing
that's
got
a
corporate
backer.
Is
that
a
critical
project?
So
there's
lots
of
questions
around
lots
of
questions
yeah
and.
D
I
I
just
advocate
for
when
we're
thinking
about
this
problem,
a
lot
of
nuance
right,
because
there's
in
capturing
like
dependency,
graphs
and
metrics
and
qualitative
data
as
well
like
we're
going
to
grab
a
lot
of
nuance,
that
shouldn't
shouldn't
necessarily
be
lost,
and
so
the
way
that
that
I
think
about
criticality
is
by
allowing
a
lot
of
freedom
for
people
to
decide
what
what
factors
signal
criticality
to
to
them
and
leaving
an
open
framework
is
very
difficult.
D
D
B
All
right,
so
we
could
take
a
couple
of
questions
and
then
maybe
we
can
adjourn
just
a
little
early.
Let
folks
get
to
lunch.
So
this.
D
Side
has
been
remarkably
quiet
so
and
I'm
not
sure
if
that's
just
because
I
can't
turn
that
way.
But
if
there
are
any
questions
from
from
that
side
of
the
audience
or
not
not
limited
to.
E
E
F
Hey,
I
just
really
wanted
to
return
to
this
idea
of
like
criticality
in
terms
of
ecosystems
right,
because
I
think
something
that
we
missed
in
this
discussion
so
far
is
how
different
that
looks
when
you
slice
it
by
language
right.
That's
really
the
differentiating
factor
here
right.
Is
it
a
chaos
model
or
is
it
a
top
down?
We've
decided
that
we're
incubating
these
projects
as
an
ecosystem
right.
F
Those
are
two
very
different
approaches
to
deciding
what
we
prioritize
for
security
and
what
we
grow
with
as
a
global
community.
So
it's
it's
something
that
I'm
reflecting
on
right
now
in
my
own
role,
because
I
have
to
look
at
this
across
different
ecosystems
and
I'm
seeing
it
probably
the
differentiator
between
what
languages
are
still
going
to
be
used
in
10
years
and
what
aren't
right,
because
if
your
idea
of
criticality
is
changing
on
a
week-to-week
basis,
that's
not
what
I
would
consider
a
stable
ecosystem.
B
That's
a
fine
question
I
can.
I
can
one
thing
that
has
helped
for
us
and
when
I
say
us,
I
mean
on
the
on
the
audit
side
with
ostif
is
having
an
an
advisory
council
or
people.
Basically,
who
are
in
the
space
to
talk
about
these
things
right,
because
you
do
have
a
lot
of
edge
cases.
B
You
have
a
lot
of
emerging
technologies
projects
that
could
very
well
become
the
de
facto
standard
in
five
ten
years
and
recognizing
that
as
soon
as
possible
and
taking
steps
towards
securing
those
projects
is
a
great
approach
because
you're
able
to
be
proactive
and
even
help
increased
adoption
of
those
projects
by
recognizing
them,
as
as
kind
of
maybe
edge
cases
or
emerging
projects.
That
could
be
new
standards
lots
of
times
it
just
goes
back
to,
I
think,
the
curation
piece.
B
E
Yeah,
I
think
ecosys
like
looking
at
each
looking
at
ecosystems
and
trying
to
kind
of
invest
in
understanding
each
one
is
really
valuable.
I
think
we
focus
a
lot
on
the
ones
that
have
easy
data
to
get
at
so
and
and
ones
that
have
high
profile
incidents,
but
like,
for
example,
python
and
node
very
easy
to
to
measure
their
dependence.
They're
used
a
lot
in
web
spaces,
and
so
the
attacks
are
frequent.
E
They
may
not
have
the
highest
impact,
though
it's
harder
in
the
iot
space
or
in
medical
devices
than
those
things
a
lot
of
that's
embedded
code,
and
we
don't
have
a
heap
of
visibility
in
that
space
and
those
languages
that
they
use.
There
are
ones
that
may
not
have
as
much
memory
safety
or
those
sorts
of
things,
so
there's
greater
exposure
there.
E
So,
yes,
I
like,
I
think
that
there
is
a
challenge
in
being
able
to
do
that
yeah
and
over
time,
we'll
have
to
like
invest
more
in
understanding
how
to
get
into
that
into
those
spaces
to
be
able
to
provide
good
answers
and
understand
criticality
of
the
dependencies
in
that
space.
D
The
way
that,
like
it,
it
goes
in
my
head,
is,
I
think,
in
matrices.
So
I
think
in
like
okay.
Well,
we've
got,
we've
got
a
a
python
project
that
does
this
there's
this
type
of
this
shape
of
project,
and
we
can
add
on
dimensions
as
we
see
fit,
right
and
being
able
to
compare
like
to
like
or
like
ish
to
like
ish
is
is
hard,
but
I
think
worth
it
so.
B
So
we
could
probably
take
one
more
question
if
there,
if
someone
has
a
burning
question,
otherwise
we
will
be
around
most
of
the
week.
So
if
you'd
like
to
talk
about
this,
please
you
know,
let
us
know
highly
recommend
joining
the
or
participating
in
the
securing
critical
projects
working
group
to
talk
about
this,
and
I
just
want
to
thank
everybody.
I.
E
B
Friday,
yeah
right
so
we
do
currently
meet
every
other
week.
At
11
am
central
time.
We
are
working
on
potentially
doing
maybe
in
every
other,
where
one
session
I've
seen
other
working
groups.
Do
this
to
be
more.
E
B
B
For
different
time
zones,
but
also
a
great
point,
we
have
the
slack
as
well.
You
know
for
folks
who
might
not
be
able
to
join
the
meetings,
so
participation
via
slack
is
more
than
welcome.
We're.
D
Also,
I
think,
there's
I
think,
there's
a
github
repo.
Yes,.
B
Awesome,
I
think
that
is
a
great
way
to
end
our
panel
seriously.
Thank
you
all
so
much
for
having
me
thank.