►
From YouTube: Securing Software Repositories (July 13, 2022)
C
A
C
C
C
All
right,
let's
kick
it
off!
Dustin
is
out
this
week,
so
I'm
filling
in
to
chair
the
first
thing
we'd
like
to
do
in
these
meetings
is
to
welcome
new
faces.
So
if
there's
anybody,
who's
new
or
who's
been
here
before
but
hasn't
had
a
chance
to
introduce
themselves,
please
raise
your
hand
and
introduce
yourself.
A
I'll
introduce
myself,
you
know
hall,
I
work
for
lockheed
martin
and
there's
a
little
devsecops
organization
and
we're
doing
a
lot
of
work
with
secure
supply,
chain
management
and
doing
a
lot
of
work
with
cyclone
dx
right
now
and
I
figured
we
should
be
a
little
more
involved
here.
So
just
listening
in
for
the
first
time.
A
D
F
C
C
Speaking
for
myself,
I'm
hopeful
that
this
will
start
something
of
a
wave
for
other
ecosystems
as
well.
You
know
we
we
all
sort
of
struggle
with
having
bandwidth
to
work
on
the
many
many
many
many
many
things
that
need
to
be
done.
So
this
was
our
photo
shopify
and
I'm
hoping
that
other
folks
will
step
up
in
in
other
communities
as
well
to
to
match
that
kind
of
a
commitment.
C
C
I
don't
know
controversy
about
the
announcement
that
ipr
made,
that
they
are
introducing
a
policy
of
required
mfa
for
anyone
in
anyone
who
is
the.
I
think
the
term
is
maintainer
in
pipi
of
a
package
in
the
one
percent
of
most
downloaded
packages.
This
is
comparable
to
policies
that
are
being
rolled
out
by
npm,
where
it's
the
top
500
packages
and
rubygems,
where
it's
the
top
100
packages
that
are
being
required.
Pipi
went
with
a
percentage-based
approach,
which
is
interesting.
C
There
were
some
some
folks
who
didn't
like
that,
and
it
got
a
little
heated
in
places.
I
think
the
point
that
that
david
has
added
to
the
agenda
is
is
something
I
wanted
to
point
out,
which
is
that
the
open,
ssf
technical
advisory
council
committee
it
changes
depending
on
who
you
ask
has
you
know,
noticed
this
and
is
preparing
sort
of
like
a
statement
of
support,
basically
saying
we
think
that
the
mfa
rollout
is
great.
E
Just
as
a
clarifying
question,
I
don't,
I
don't
want
to
necessarily
rehash
the
whole
conversation
on
the
comments
of
y
combinator
or
anything
like
that,
but
was
part
of
the
is
part
of
the
objection
it
sounds
like
one
of
the
objections
is
sort
of
some
form
of
a
slippery
slope.
Argument
about
increasing
requirements
is,
is
any
of
it
just
related
to
access
to
mfa
devices
right?
Is
it
the
kind
of
thing
where
organizations
like
yubikey
or
similar
could
be
engaged
with
to
be
like
hey?
E
C
It's
interesting,
you
should
say
that
so
I'm
just
going
to
steal
david's
thunder.
I
reckon
there's
there's
two
things
here:
one
is
piperi.
Did
supply
vouchers
for
for
mfa,
keys
supplied
by
google,
the
titan
keys,
so
they've
they've
got
a
few
thousand
of
those
available.
In
fact,
they
supply
two
keys
at
a
time
to
ensure
you
have
a
backup
key,
which
is
very
sensible.
C
B
C
C
Yeah
yeah,
so
I
think
I
think
I
think
to
your
point,
the
the
I'm
sorry
time
zones
are
fun.
I
think
it's
a
great
idea
and
I
think
we
should
encourage
more
of
those
distributions,
especially
amongst
other
ecosystems,
to
to
ensure
that
folks
have
that.
So
at
the
moment
I
can
speak
for
rubygems.
We
don't
have
web
authent
support,
it's
something
that
we're
working
on.
C
D
Hi
thanks
yeah.
This
is
controversy,
maybe
surprising
in
some
some
aspects.
No,
but
at
the
risk
of
politicizing
it
a
little
bit.
I
feel
it's
a
little
bit
like
kind
of
like
vaccines.
People
don't
like
to
be
told
what
to
do.
Maybe
this
a
little
bit.
I
don't
want
to
speak
for
people
who
objections
to
this
requirement.
Generally,
I'm
in
favor
of
mfa.
Personally,
I
don't
think
it's
difficult
to
use.
D
I
have
one
key
for
work,
one
key
for
my
personal
use,
but
I
feel
people
feel
like
they're
being
told
what
to
do,
especially
when
they're
volunteers,
what
they
see
what
they
perceive
I'm
guessing
here.
It's
pure
speculation
on
my
part.
They
are
doing
this
in
their
own
personal
time
and
they,
I
guess
don't
appreciate
you
know
being
told.
Oh,
hey,
you're,
suddenly
a
critical
open
source
project.
We
need
you
to
do
this
this
and
this
so
I
can.
I
can
see
both
sides.
Sorry
go
ahead.
D
Okay,
so
yeah,
I
can
see
both
sides
of
the
argument.
Generally,
I
think
I'm
I'm
in
favor
of
this,
and
you
know
we
even
wrote
a
paper
that
I
think
I
mentioned
about
before-
investigating
the
impact
of
policies
like
this,
but
one
comment
I
want
to
make
here
is
that
well
two.
Actually
one
is
that
you
know
if
we
have
things
like
canary
rollouts,
even
for
our
software,
maybe
we
should
have
canary
rollout
for
things
as
big
and
impactful
as
mfa.
D
Even
if
it's
a
few
hundred
people,
I
don't
think
we
should
underestimate
the
impact
of
you
know
turning
it
on
at
once,
and
I
don't
think
that
was
the
plan
here.
I
don't
think
so,
but
you
know
maybe
better
communications
there.
Perhaps
the
other
thing
is.
This
is
a
bit
of
a
crazy
idea,
but
I've
been
thinking
about
this
recently
over
the
weekend.
D
Maybe
at
some
point-
and
I
think
yeah,
just
maybe
a
thing
for
the
open
ssf-
is
that
it
might
be
at
some
point
worth
thinking
about
adopting
some
of
this
critical
but
small
and
underfunded
open
source
projects
if
the
requirements
become
too
much.
For
example,
again,
that's
a
crazy
while
the
field
thought
out
there,
but
something
I
just
wanted
to
mention
anyway.
Go
ahead.
C
B
Yeah,
my
brain
can
only
handle
so
many
comments
at
one
time,
but
let
me
I'll
quickly
come
on
the
last.
The
underfunded
projects
I
mean
absolutely
that's
I
mean
alpha
megan
in
particular-
is
specifically
focused
on
these.
That
sort
of
things
and
other
things
are
folks,
are
too,
I
think
you're
actually
right.
I
mean
the
original
poster
actually
said
that
you
know
that
who
got
all
this
going.
You
know
actually
said
that
hey
2fa
is
actually
perfectly
reasonable
requirement
there.
B
That
person's
worry
was
very
much
the
hey.
What
else
you're
going
to
make
me
do
not
the
not
the
2fa
itself,
and
I
will
note
I
I
put
in
this
list,
because
I
I
think
a
lot
of
these
things
are
being
seen
in
isolation.
Well,
the
pi
pi.
They
really
are
trying
to
start
small,
because
their
goal
is
to
do
this
across
all
of
pipe.
I,
the
one
percent
means
they're
skipping
the
99
they
intend
to
get
to.
B
If
you
look
at
the
notes,
I
included
here,
I
think
most
folks
are
not
aware.
They
only
see
one
ecosystem.
I
mean
this
is,
I
think,
there's
a
problem.
The
problem
of
the
highly
split
up
nature
of
most
open
source
software
communities-
you
know
the
pi
pi
folks-
probably
never
hear
about
ruby,
gems
and
in
many
ways
vice
versa,
and
so
I
think
a
lot
of
folks
aren't
aware
that
ipi
is
doing
something
like
this
ruby,
gems,
npm.
B
C
So
it's
it's
interesting.
If,
if
I
sort
of
follow
those
comments,
I
can't
project
the
argument
that
it's
an
imposition
on
maintainers
out
of
hand
in
the
sense
that
it's
like
some
sort
of
categorical
or
epistemically
incorrect
argument.
If
I'm
fancy
the
way
I've
been
looking
at,
this
is
as
a
utilitarian
calculus.
C
So
if
you,
if
you
take
a
very
unromantic
utilitarian
calculus
view
of
the
ethics
of
the
situation,
then
unfortunately
we
have
to
on
the
balance
of
rights
and
interests.
I
think
I
come
down
on
the
side
of
the
users,
which
means
enforcing
mfa,
there's
also
a
the
related
argument,
which
I
think
is
technically
separate,
which
is
what
obligations
do
maintainers
have
often
missing
from
that
conversation
is
also
like
what
obligations
do
the
repositories
have
and
what
is
the
contractual
agreement
between
them?
You
know
from
the
maintainers
view
it's
like.
C
C
C
B
I
was
going
to
try
to
respond.
Remember
my
my
brain
is
limited,
so
I
can't
remember
all
the
comments
backwards,
but
I
I
do
think
actually
the
the
the
you
know,
people
don't
want
to
be
told.
What
to
do,
I
think
is
absolutely
at
least
it's
hard
to
summarize.
You
know
a
massive
discussion,
because
different
people
have
different
motivations,
but
I
think
that
is
at
least
one
of
the
issues,
and
so
I
and
jack
I
agree
with
you.
B
A
So
I
admittedly
have
missed
a
lot
of
this
discussion,
but
reading
armin's,
a
post
that
was
linked.
His
point
isn't
that
mfa
is
a
problem,
in
fact,
and
I
wonder
if
he
would
have
been
less
upset
if
we
had
made
it
clear
we're
starting
with
the
one
percent,
but
we
will
eventually
be
requiring
this
for
everyone
breaking
up
jacob
sorry.
I
wish
I
could
do
anything
about
that.
Yeah
and
the
other
thought
is
his
objection.
A
Is
your
argument
that
there
are
more
customers
they're
more
users
than
there
are
maintainers
and
the
consequences
to
users
are
much
higher,
also
applies
to
slas
and
required
maintenance
and
globally
burning
out.
Our
maintainers
is
the
correct
thing
to
do
for
world
health,
but
it's
not
a
good
policy
for
us
to
be
pushing,
and
so,
when
you
say,
you're
so
important
that
that
you
no
longer
decide
how
you
participate.
That
is
a
if
that
is
a
problematic
line
according
to
arm
and
logic.
B
A
I
don't
know
how
clear
the
original
post
was,
but
armin
is
responding
to
the
fact
that
he
was
declared
a
critical
dependency
yeah
he's
pretty
clear
in
his
post
that
he's
not
responding
to
mfa
as
a
particular
demand.
He
agrees
with
that
he's,
responding
to
being
declared
critical
and
therefore
having
different
rules.
G
There
is
no
process
of
tooling
to
sort
of
actually
sort
of
do
it
intentionally
and
review
with
how
practical
that
is
et
cetera,
et
cetera.
We
can
sort
of
argue
about
that,
but
there's
sort
of
an
interesting
argument
of
sort
of
shared
load
in
this
specific
case
where
whether
the
burden
of
that
is
disrepaired
by
the
developers,
as
opposed
to
being
shared
by
also
consumers
right
and.
C
C
C
Thinking
that
you
can
only
have
one
like
it
feels
as
though
people
feel
that
there's
a
limited
number
that
you
know
that
you
can
use.
I
don't
agree.
I
think
cargo
vet
is
a
great
idea,
I'm
looking
forward
to
seeing
how
it
goes
in
the
cargo
ecosystem
and
like
what
dynamics
arise
and
what
works
well
and
what
doesn't
because
off
the
top
of
my
head.
It
looks
great-
and
I
want
to
you-
know.
F
C
Form,
that's
somewhat
compatible,
so
it's
easy
to
do
cross
ecosystem
comparisons.
I
had
a
second
point
which
has
now
escaped
me.
I'm
sure
it
was
great
but
yeah.
I
I
think
it's
an
interesting
place.
I
guess
what
I
was
I
was
hoping
to
do
today,
except
for
myself
with
my
original
cryptic
comment
of
you
know:
love
for
pi,
pi
maintainers
was
just
to
sort
of
say
like.
C
We're
with
you,
like,
we
think
you're
on
the
right
track.
There's
there's
reasons
to
discuss
it
and
there
are
fair
debates
to
be
had,
but,
generally
speaking,
we're
with
you.
Certainly
those
of
us
who
are
in
ruby
james
land
obviously
agree,
and
I
know
that
folks
in
npm
obviously
agree
because
we're
all
rolling
out
those
similar
policies.
C
I
was
surprised
at
first
that
pipi
seemed
to
cop
so
so
much
when
everyone
else
has
sort
of
been
allowed
to
slip
past
without
too
much
controversy.
Then
I
crunch
the
numbers-
and
I
realize
it's
a
it's-
an
orders
of
magnitude
thing
like
for
ruby.
It's
a
about
100
100
dependencies
for
npm
is
500
and
for
pi
pi
they're
talking
about
4
000
people.
So
it's
it's
a
different
order
of
magnitude.
B
C
C
C
B
What
I
hear
is
what
I
suggested
said:
if
you
are
interested
in
particular,
you
have
some
points
you'd
like
to
make.
Why
don't
you
email,
joshua
locked?
I
think
that's
who
it
is
right,
unlocked
directly
if
you
need
I'll,
be
happy
to
share
offline
the
email
and
if
you
don't
already
have
that
and
I'll
just
go
go
that
way,
because
then
we
don't
have
to
try
to
do
the
back
and
forth
stuff,
because
I
think
there's
a
goal
getting
that
something
out
sooner.
C
Yeah,
I
would,
I
would
like
us
to
get
that
out
sooner
mostly,
it
would
just
be
nice
if
we
also
said
you
know
technical
advisory
council
and
securing
software
repo's
working
group,
okay,
so
I'll.
Basically,
I
think
once
we
have
a
draft
we'll
send
it
to
the
mailing
list
and
if
there's
no
particularly
strong
objection,
we
can,
we
can
add
a
name
to
that.
B
F
But
this
is
something
I
think
that
is
worth
addressing
if
we're
gonna
have
productive
conversations
in
this
group,
especially
productive,
technical
conversations
in
this
group-
and
I
think,
a
good
first
step
at
this
as
proposed
by
sterling-
is
to
basically
yeah.
That's
is
to
basically
allow
people
to
comment
from
various
repositories
send
information
to
sterling
on
on.
Basically,
what
do
we
call?
These
things
in
your
ecosystem
and
then
hopefully
we
can
at
least
have
a
table
for
translation.
If
not
agree
on
some
some
ecosystem
neutral
terminology.
F
G
I
think
the
only
comment
there
would
be
that
salsa
is
sort
of
actually
sort
of
going
through
the
same
thing,
also
trying
to
figure
out
the
correct
terminology
to
use
for
the
artifacts
and
other
things
so
be
sort
of
interesting.
If
there
is
a
bit
of
alignment
there
between
the
two
and
reuse
to
make
sure
that
so
cause
also
sort
of
an
interesting
part
of
all
of
that
right
and
I'll
link.
Here,
the
at
least
the
current
version
of
that.
C
E
Yeah,
so
I
know
in
general,
the
kind
of
scope
and
purpose
of
this
sort
of
working
group
is
less
about
specific
tools
and
more
about
kind
of
policies,
procedures
and
sort
of
sharing
common
problems,
but
I
did
want
to
just
pass
along
as
something
that
folks
might
want
to
investigate.
A
new
implementation.
We've
been
funding
for
sort
of
the
server
side
of
our
kind
of
tough
signing
process
in
the
drupal
ecosystem.
E
C
C
C
E
C
A
C
E
C
C
Yeah,
absolutely
okay.
Well,
thank
you
for
that
update.
That
was.
That
was
good.
That
was
a
great
topic.
I
don't
see
any
more
topics
on
the
agenda
at
this
point.
We
have
sort
of
three
options
here.
One
is
someone
else
has
something:
that's
you
know
burning
a
hole
in
their
head
and
that
they
need
to
share
urgently.