From YouTube: S2C2F SIG (January 31, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group, formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
B: Hey, yep, I can. Yeah. I cannot hear. Yeah, I can hear it.

A: You can hear me? Yep, yep, yep. I can hear you. I can hear you now. All right, good deal. Let's get this meeting link hosted in the media, the meeting doc.

B: Take the time to introduce myself: Castro from Brazil. Most people just call me Alex, because it's easier. I've been involved in open source communities for a while now and I've been participating a lot in the tech contributor strategy from the Cloud Native Computing Foundation and other working groups from the Linux Foundation, and I'm...

B: Looking for other working groups where I can provide some insights and get some insights on how to help communities grow and whatnot, so I'll be following along and learning.

B: It's nikkas, it's... I'm not from CNCF, okay, participating like in the TAGs and working groups, but not as, like, the CNCF.

D: And I see we have... I'm not sure how to pronounce it right, recipe.

E: My name is Jose and I'm from Indonesia, or as a software engineer, and it's my first time to join, and yeah, I hope I can learn a lot.

A: Okay, so Alexander's just on the call with me on the SLSA positioning meeting call, so you get a chance to see another framework that's being worked on under the Supply Chain Integrity working group.

A: Now you get to see this one as well. The more of these meetings that you attend, the more the same faces that you'll tend to see throughout all of this stuff, because we're doing a whole bunch of work and we've got a whole bunch of work going on and we're extremely passionate about it. So, thank you. Thank you for joining and thank you for any contributions you make, in advance.

A: Fantastic, we'll start with asking for a scribe: who's going... somewhere somebody's typing in there... who's willing to scribe for us?

A: Okay, we're at about 11 past. So we'll dive right in. We just have a few agenda items on this call today and usually we have a lot more people, but we understand this is the first meeting of the year. So once this meeting kicks off and these notes get out, then of course more people will attend and come back, and then we'll be able to keep marching forward.

A: You see the agenda items there. We'll talk about the submission to RSA and, of course, Adrian getting ready to go ahead and kick that off. We did some spec reformatting, what we have... well, going down the line: we have the S2C2F strategy that we want to review, the spec reformatting for the people, as format reformatting to a modern spec, right, so that when it comes time to do any submittals or anything like that, the spec is in the proper format for those submissions.

A: We have a presentation that we're going to be giving to CISA at some point over the next couple of months before RSA, which is really good, and then we'll open up for any topics.

A: So before we begin, are there any questions? And then questions mainly from Alexander or oracity, because Adrian, Jasmine and I go at this pretty much all week long. So do we have any questions from you both before we continue?

D: So, you know, let me start with this one first. So I'm really excited that RSA accepted my... you know, they did a call for presentations and I submitted to introduce S2C2F, and I wrote like a really long write-up and everything, and I just found out, you know, just at the end of last week, that they accepted it.

D: So I already got plane tickets and hotel booked, and the funny news is I had to submit to RSA so long ago that the S2C2F wasn't called the S2C2F back then; it was our previous name, which was the OSS Secure Supply Chain Framework. And so now I got assigned like a manager, and so I'm emailing with that person to check with RSA if I could respectfully change the name of the title of the session, so that it represents the new name of this framework.

D: And so, you know, that'll be great. It'll be great representation for OpenSSF there, and it'll be great to spread awareness about this framework that any team, any organization can adopt to improve how they securely consume dependencies into the development workflow.

D: So other than that, I think the RSA session is going to be on the 26th of April, which is a Wednesday. That's going to be at 8:30 a.m. It's going to be a 50-minute session!

D: So let me... now I've got to be my own scribe here and write all that down.

A: Well, I was writing that down. I'll skip ahead to the SLSA... to the CISA, to CISA primer. So, you know, while Adrian's working on that 50-minute presentation, we have the opportunity to give a 10-minute presentation to CISA before RSA, so that'll be an excellent opportunity to give them a high level overview of what we'll be talking about at RSA, right.

A: So it's actually perfect timing, and they're wanting this presentation to look at potential areas to adopt, which is always a great thing, because that's what we need. We need adopters and people who are going to sign on to contribute, but then also to bring it internally and adopt, and let's see if it works and let's work out the kinks and the bugs and all that kind of stuff. So this is...

A: This is a great time for this spec and a great time for all the stuff that we're working on, really, because it's getting noticed in the government and we have the opportunity to be impactful that way. We also have stuff that we're working on that's not in the notes. I know Adrian's working on stuff with the NSA as well. I didn't even know if we...

A: If we wanted to put that out now, or if we want to wait a little bit before we put that down.

D: Yeah, we'll just put a placeholder here that we are engaged and working with NSA and the Enduring Security Framework to have it be referenced in their upcoming publication.

D: It's already been added into the draft docs, so, you know, I'm very confident that when the final thing has been published it'll be included in there, which is very similar to what the NSA did with some of their other frameworks. Here's... let me see if I can share. Where's the...

D: All the different things that they've published, you can see the publication date, and so they're going to be publishing one.

D: That's dedicated to securing how you consume open source dependencies, and that's exactly where S2C2F is going to be, and it also has like SBOM guidance in there as well. So that's going to be one of the new upcoming things that they're going to publish, and it'll be here for download eventually. I'll drop this link into the meeting notes.

D: Jasmine, would you like to walk us through some of the updates that we're making to our S2C2F strategy? It's kind of like a living document, and, you know, we could just kind of share what we've been doing.

F: Yeah, sure. Do you mind, or do you want to share that page?

D: So let me just start from the top, since we have some new audience here. We kind of got like the high level about, you know, hey, this was contributed on October 4th, and, you know, this is what we're here to do: you know, protect how developers consume open source. And there's so much going on across the OpenSSF that we need to outline a strategy, like where and how do we collaborate and integrate with all the other parts of OpenSSF?

D: So it's important to note that, like, our goals are awareness, community engagement, adoption, and drive tooling innovation.

D: So, you know, we're actually really happy to see you both here as newcomers too, because, like, that's like proof in the pudding that we're growing the community engagement already. Please tell your friends and family to dial in next time.

D: Okay, and with that, Jasmine, you want to tell me where I should scroll to?

F: This section Adrian had started, these opportunities for collaboration, but for the past few days I've kind of been taking these working groups and other kinds of groups that he had linked and kind of combing through their strategies and, like, what direction they're going in. That's usually all listed in their GitHub repos.

F: So if you scroll down a little bit, I think, yeah, most of the stuff for, like, suggestions by me. But a lot of it is more so about the awareness aspect of the above, where we have opportunities to integrate either the S2C2F itself or, like, pieces of the S2C2F into other people's initiatives. And just, you know, getting the word out there that we are a resource that should be leveraged and we have valuable information and...

F: Scroll down more, this plan section. As you can see again, a lot of it falls under awareness, but basically kind of mentioning the opportunities I have listed up above and then just making that into a list of who we should be reaching out to and why.

A: Yeah, just provides an excellent opportunity for us to go into each working group and really, you know, nail down: hey guys, this is what we've identified, where we can actually be helpful or where we need help from this particular working group to fill gaps and solve some problems, and this document does it all in one. That's why this is so exciting. This document is exciting itself; provides us an area where we can just pull from, ask to... I have information for that. Fresca Parts, who content.

D: Yeah, just an update. So, like, while this document is us kind of, like, outlining, here's the whole landscape of OpenSSF, specifically the pieces where we feel that there's, like, synergy for, an opportunity for us to, like, work together and partner on something, we've already started to reach out.

D: So getting S2C2F embedded into the Security Knowledge Framework: I've reached out to Randall over here, and he indicated that he is the person to help us get integrated with this, and so I'm waiting to hear back from him, and he's, you know, excited to partner with us here.

D: I've also reached out to the End Users working group as well as the Security Tooling working group. I don't have direct contacts yet and...

D: And so, you know, the S2C2F itself, when you look at our implementation guide in our repo, we recommend security tools that help people implement the requirements.

D: But the OpenSSF has this whole Guide to Security Tools section, and so, you know, I think there's some opportunity for us to contribute to their guide to kind of beef it up a little bit for some of the areas that we care about, like tools that improve how fast you can patch your open source vulnerabilities, right. These are tools like Dependabot, which is like automated PR generation, and I think it's called on...

D: GitHub, I think it's called like Dependency Insights. Regardless, there's a couple different tools out there that show you an open source vulnerability as a comment in a pull request, so that you can actually address the vulnerability before everything gets checked in and merged to main. In its... technologies like those that help developers stay patched faster, which reduces the window of opportunity for attackers.

D: It allows us to patch faster than the adversary can operate, and that's the goal. And so I want to start implementing some of our tools in here, in this guide, so we've reached out and we're getting the ball rolling. But Alexander or recipe, are you involved in any other working group or SIG that might be on this list?

B: So I'm taking a look here. There might be some that can probably add some value or collaborate to reach to other groups, if not directly. So yeah, I'll be... I'm taking a look here now and, you know, follow up if I find it, when, you know, those that my participation can help.

B: So this is only for the OpenSSF stuff or...

D: At this time, we're looking for ways that we can, you know, get plugged into the other parts of the OpenSSF so that we're not just working in a silo. I'm sure there's definitely opportunities outside of the OpenSSF. If... please let me know, because that would help, you know, drive adoption and increase awareness. So if there's, like... like the awareness section, let's see here.

D: Oh, that's already here. Thank you. This would be inclusion within the NSA Enduring Security Framework, right. So these are all ways that we can raise awareness; by raising awareness we could drive adoption.

B: Yeah, so I'll have to take some time to think, but there are some opportunities for collaborating with other organizations, other open source organizations that work on centralized and distributed technologies and systems and best practices, and all that. Maybe a good thing to get to check with some of those organizations to see if they have anything. That said, it's interesting, so I...

B: And I'll contact you, or just come back within the next meeting to...

D: Oh yeah, that sounds fantastic, yeah. And if you're, you know, involved in the CNCF, there might be... so the S2C2F is advertised as a consumption-focused framework that pairs well with any producer-focused framework, and I know that the CNCF has their own secure supply chain guidebook, and so, like, I wonder how much this might pair well with that, or if there's, like, opportunities for us to, you know, improve how this is represented in, you know, the cloud native world.

D: You know, those are all topics that are worth exploring.

A: Yeah, nothing to add, just look for the reformat of the spec to show up on the issue and pull requests and all that prior to it being merged, and everything else. We'll do that here in the next week or so, as we... It was a lot easier to do a lot of this... to try to do it in markdown.

A: We had one hell of a time trying to do this in markdown, so we pulled it and did it in Word, so it'll be updated as soon as we finish fixing and everything else; we'll get it switched back over to markdown. This is just incredibly... it was incredibly time consuming to try to work it out in markdown.

D: Yeah, and, like, to collaborate with one another, that was really difficult. Like, Word just has, like, track changes, you can add comments, all that stuff. So it's a lot easier. I agree.

D: Well, hey, I wanted to follow up, because, you know, you and I had chatted not too long ago, and, you know, this is our strategy doc for how the S2C2F can kind of plug in with all the different parts of the OpenSSF, and I've got you listed here for the Security Knowledge Framework, yep, so.

G: And I also have a little bit of gossip and drama, if you guys want to hear about it, because you guys are kind of indirectly mentioned. Okay, so.

G: Homebrew is one of these groups that is of the strong opinion that certain things are being said about security that, like, are very tone deaf, and I'm trying to resolve the problem. However, it's got to the point where my write privileges to Homebrew are currently restricted. Wow.

G: Because the word "strong arm" has been used, and yeah, it's gotten like... crow calls it like... It's really a shame when people start using open source as a religion, but in reality that's kind of what's happened, and specifically this framework was called, like, was one of the things that was mentioned as to why OpenSSF just doesn't get it. So yeah, I just thought that would be an interesting piece of gossip, but yeah, when...

G: No, I'm saying about because, you know, Security Knowledge Framework is not really... it's a lot...

G: Smaller. I mean, basically SLSA, FRSCA, your framework, I keep forgetting the acronyms, but those things, according to the way Homebrew feels about it, is it feels like it's not necessary and we've done it for years without it, and it's just a lot of cruft, and a lot of things like this have already been tried, and we know why they fail, and it's kind of like for Microsoft to go out and, like, donate this framework and start saying things like this needs to happen in the supply chain.

A: You know, that's the whole reputation we're trying to fix, every single day, and it's... man, I gotta say it... I don't want to use the word sickening, but in...

A: Well, I mean, when you consider that other frameworks and other things get readily accepted, but the minute they hear about something like this and Microsoft, now all of a sudden it's like a cross symbol gets put up. Yep. I mean, it's really... it's getting to be really, really weird, but.

G: This is a terrible idea. It's: how dare you propose this idea, and you guys don't even, like, have money to, like, fund it, and it's like: so you want to go out and just, like, fix every packaging ecosystem? Is that what, like, with money? Because that would be very expensive and probably not feasible, but yeah.

A: Yeah, yeah, well, you know what, we have the power to change that and we're going to do it, you know, one person at a time. That's why we brought it to the OpenSSF itself. That's why, you know, we're positioning it in such a way, we're like, hey.

A: We can do all of these things together, and as long as people like you, Randall, and then, you know, as long as we beat the drum and continue to beat the drum, we'll be all right.

G: And you gotta fight those fires with, like, absolutely nothing, because, you know, like, the more you feed into it, the worse it gets. So I was like, you know, exactly what you said, like, I'm pretty sure no one's trying to strong-arm anyone. It's really a matter of: if you're interested in the security of your users, maybe you participate, because it is an open forum, yeah. So stuff like that. That's...

A: Exactly, that's exactly the argument. It's simple. It's like: hey, well, we meet Tuesday at 12, you're welcome, come and join the meeting. No: read the spec, join the meeting, find the gap, submit an issue. Let's talk about it, you know.

G: What I mean, yeah? Just so you guys could laugh: I actually had to go to Emily and ask Emily to, like, invite the project leader of Homebrew and some of the other people to, like, the virtual maintainer summit, yeah, and that's when it was like, no more, like, wow, Randall, you really waste your time to, like, maybe we're gonna have to show up.

G: But yeah, but it was actually... I just thought it was good feedback, Adrian. Now let me say this: I've actually done a little bit of talking and I do think there's an opportunity here, because there are also groups working on something that they're calling next-gen packaging, which is Flatpak and Snaps, and I...

G: It's actually very, very interesting because, like, so basically Flatpak is the ideology of, like, what happens if everyone puts their differences aside and we create an app store, like a community app store where you can download things and it's properly sandboxed in its own little sandbox environment, kind of like Deno versus JS, kind of that sort of ideology, and I mean, it's actually a decent idea. Now, can it be implemented? That remains to be seen, because you see a lot of people would have to cooperate to make that happen.

G: But I do feel like to some degree it's worth talking about, because security is one of those things these groups, or at least Flatpak, likes to talk about, is something like they're solving, and I think they're solving it, but from a different perspective, because then you have package managers like Homebrew, they're like, we're no security. And by the way, here's another funny one, just also for your information: so Homebrew feels confident that their licensing would essentially exclude them from having to worry about security.

G: Wait, what? That I... I thought! I don't know the legalities on that. But, you know, Homebrew's underneath GitHub's and GitHub's underneath Microsoft, so I don't know. I just thought I'd put that out there, because I thought that just doesn't seem like the right perspective, but I could be wrong, but yeah.

A: Basically, so that's because they're not paying attention to new law written; they're not paying attention to the Cyber Resilience Act; they're not paying attention to anything going on in the government. Whether...

A: Not reading the tea leaves. They're starting to now write legislation in random places about who's liable for what when it comes to packages, builds and everything else, and it's getting crazy too, because now you're trying to figure out, well, if you build something and let's say you build it for somebody else, and then they go ahead and repackage it and sell it. You know how it goes.

A: Some companies are just taking open source components and open source packages, they're taking them into their organizations, turning around, repackaging them and then sending them back out under different names. Who's liable for that? Yep.

G: Yeah, and I just thought this group might be interested in all that information, because I actually thought, like, I'm not a very conflictive guy, but I'll be honest, like, you know, Homebrew and the project leader, someone that I've always kind of looked up to, because I've known him for a very long time. So I just thought, like, this point of view was, like, settled, like, a few years ago, like, I thought we were past it.

G: Was the gossip for Homebrew, because I was pretty shocked when, like, one day out of the blue they're trying to pick a fight with me, because I'm involved in OpenSSF and they felt that OpenSSF is strong-arming people into worrying about security? And that's not the way to do it? And this, that and the other thing, and I was like, yeah.

G: Should be an actual clarification, though, because I do think there is something as far as developers and what is acceptable to developers, and I don't disagree with Homebrew's point that most people that use Homebrew are not developers, they're end users. So it's a difficult crux because, like, in Homebrew, like, it does exist, because I've been in long enough where I can tell you the end users just think that everything you carry is secure, and if it's not secure, then why you carry it.

D: That's a very subtle difference here, that when we wrote the S2C2F, it was entirely focused on the developer workflow, so, like, Linux package managers, that whole ecosystem, it doesn't... well.

D: Things don't always, like, work well when you think about it for Linux, because we were primarily thinking about things like NuGet packages, npm packages, PyPI.

D: Yeah, I'm sure there's, you know, a couple things that you could maybe reuse for that scenario, but definitely not the whole thing.

G: But that is one of the things I said in my conversation, that maybe there is an opportunity there to clarify, because... just for the clarification, Homebrew is Mac, but Mac is not that different from Linux. Basically, they share ancestors, so, like, but yeah, you are correct, and it is a big thing too, because, like, Debian will go to outstanding lengths because they feel like they need to modify packages for their users.

G: And this actually creates something called the Debian problem, because Debian actually has a very bad reputation, so, like, Apache httpd is different on Debian than any other operating system because they modify it. And that's the whole thing because, like, at Gentoo, we carry both versions: we carry the Debian version, or we carry the non-Debianized version. However, it really depends on kind of what arguments, because Debian does a lot of things by default for the security of their users, because they feel like there's certain sane defaults...

G: They believe in, so that sometimes gets to be important, because everyone uses Debian, like, most containers use Ubuntu, which is a derivative of Debian. So I'm just saying there is a section there that maybe at some point, I don't know if necessarily in the framework, but at some point I do think you should clarify, or we should clarify as OpenSSF. No.

D: Yeah, that this is for developers specifically, not for end users, and so maybe have, like, an out-of-scope section, right.

G: But, like, for example, like a very well known issue on the Microsoft Store, that happens also on Flatpak, in any ecosystem, is name squatting. What do you do with name squatting? Like, how... you know? How do you deal with that? You know, because Flatpak says anyone can make a Flatpak, but then you've got developers on the other side that say no.

D: Yeah, those are the... so there are risk reduction requirements that we have in our framework that reduce the risk of accidental consumption of a typosquatted package.

D: You know, some of the malware scanning, and it depends on what type of malware scanning you do, but the type of malware scanning that looks for, like, hey, why is this package, you know, gathering, you know, system profile information like OS type and...

D: And sending that to a remote address, like, that is sus and should not be allowed. That's usually typical behavior of, like, a typosquatting package, and so.

G: And a lot of packages also do a lot of really strange things, like we found that Discord basically has a key logger just...

G: Correct me if I'm wrong, like an ecosystem like Flatpak would essentially, like, wouldn't... if you're trying to distribute software at that level, wouldn't you want to implement something like this framework? I mean, you'd have to, like, because you're distributing software at, like, massive levels, like, millions of devices at that point, because it is crazy to think about. I'm just saying, like, I've gone over this. This is something that I made it a point this year to start... stop ignoring them. So that's what I'm saying, it's a good idea.

D: Yeah, so what you're bringing up is a very interesting point, because I think we're looking at the big picture here. The S2C2F is all about, like, what can you do as a consumer to try to protect yourself, but there's also things that package managers can do to try to protect their entire community, their entire customer base. If people are pulling software from them, there's an inherent level of trust that they place with that package manager, like, what is that package manager doing to kind of validate that they're not serving up malware?

G: Let me... while we're here, let me just add a note. It is of the opinion of some very high up Linux developers that the whole reason that there is a security industry to begin with was because that circle of trust between package managers and users was violated by the JavaScript people, like npm. Basically, like, what happened in the npm ecosystem was, like, the straw that broke the camel's back, and that proved that you can't trust anybody anymore and that, like, yeah, oh.

G: Specifically at that one incident where the guy, like, replaced all of his code with, like, you know, "I'm not gonna do this anymore because, like, corporate overlords are evil", that guy. Yeah, it was that incident that they specifically point to, because they said that that was when, like, the circle of trust was broken by that guy, and we can never go back to things because of that guy.

G: You know, ecosystems, so yeah, no BS. That is, like, if you were to ask the packaging ecosystems, like, where did we, like, make that left turn? They'd point you right here. It was right here. This was the day and time when this guy did this. The circle of trust was broken, yeah. It will never be repaired. Yeah.

D: So for what it's worth, Microsoft owns both NuGet and npm, and we are making active investments to secure and validate the packages that get served up on both of those things, right. So, you know, we're doing what we can to try to improve the security of that whole ecosystem.

D: But then there's still, like, the consumer. That, yeah, look.

G: Using WSL at large, because everyone uses WSL, nice, and the people that use, like, Macs, because everyone has a Mac now too, and you have Homebrew, you see it, and ideologies like the ones that I'm sharing with you start to get a little sketchy, because everyone installs everything on Homebrew. You have a Mac, so yeah.

G: Yes, ex... according to them, they don't have to worry about anything about security, like, basically they are excluded because, long story short, it is declared several times in our readme, and I'm sure it's in our licensing as well, that Homebrew cannot be taken as a security tool at all. The specific wording they use is that Homebrew should be your last line of defense and it should not be relied on. So they feel pretty confident in that, that they don't have to worry about anything security related.

D: Okay, that sounds like a similar... I think it's called like tide shift or something, yeah. He.

G: In all honesty, that's kind of like my gig now, so, like, I can, yeah. When we have a team as well, just so you know, so it's not like it's just me and Anthony, but yeah, yeah. So we're fully functional there. It was just, as I said, it was shocking, and Homebrew is important. I won't say... I won't lie, like, I do think that... three... I should bring them around and reparations should be made.

G: And also, let me share this from you guys, you guys being Microsoft: I don't think anyone has a problem with Microsoft; like, even Linus has publicly stated that he doesn't have a problem if Microsoft takes over Linux, so I actually don't think Microsoft is an issue, except, yeah. Did you guys hear what happened yesterday with GitHub and git, the hash changing?

G: Yesterday, at like two o'clock, we got this message that GitHub was changing the compression of their git, like, because git now has an internal implementation of gzip, and all the hashes on the git archives are gonna change, and they had to back... they had to backtrack this like two hours later, because it was good... it blew up.

D: That's too funny, yeah.

D: Had my fair share of fun stories with GitHub in this repo. Okay, we're viewing this in markdown right now, but you can also view it in PDF, yep, and I remember we went live, and on the day we went live it rendered the PDF, like, all over the place, like, pages were swapped in wrong orders, and I had to, like, get a hold of them and tell them that, like, it's messed up, and then they're like...

D: Know what I mean, so full on... when you say full-on, what comes to my mind, and by the way we're over on time, what comes to my mind is being able to clone the source to an internal location. So.

D: That's really concerned about business continuity and disaster recovery. If you have some really important projects that are dependent on these third-party dependencies, you might want to just clone their code locally so that you could take ownership of it in the event that you needed to, correct, yeah. And then, if you did have a local copy, you could run your own security tools on it and start looking for back doors and zero days, and that sort of thing.

G: Like most pack... that's how, like, the Linuxy way of doing it is, but yeah, I mean, you can get fancy with it, but as I was asking, like, cool, on, like, should we ever explain, like, if you had a small business, and you just wanted to do this small, I mean, you could do it big too, because Red Hat supports this in huge infrastructures, but obviously, like, you know, maybe you don't trust the cloud or something, you can do it. There are ways of doing it manually, is what I'm trying to say.

G: If you don't need it, it doesn't get merged, and we have a tool that does it. Then we don't need, like, Docker, for example, so yeah, it's stuff like that, and I just think that that should be also thought about, because I would say that they're the counterweight of all this, because they do have a very good ideology which still keeps them relevant even 20 years after, so you see what I'm saying, yeah.

G: It's very, like, old manny, like, yeah. We're not, like... you don't need Docker, because Docker's just a chroot, so, like, Docker is just for people that, like, don't want to learn chroot, so solution: learn chroot, we're not merging Docker. Which, as I said, from, like, a security perspective, it's very like: the less you have, the smaller your attack vector, so I mean, it makes sense. But yeah, I just wanted to point that out, because a lot of people, especially in the Linux community, kind of treat BSD like royalty.

B: You cannot, like, you're confined to his mother grew when I do that, because then you, like, don't have the user experience and the developer experience that most users are comfortable with, so you're correct. That's the hard part, like, how do you get that adopted by, like, more people, and yeah, I guess that's the main...