►
A
A
B
B
B
B
B
There
is
at
least
one
meeting
on
November,
16th
and
also
actually
the
next
meeting
where
we
could
use
a
backup
chair
or
a
regular
chair.
If
someone
is
available
would
like
to
chair,
we'd
really
appreciate
it.
Just
stick
your
name
in
the
doc.
Otherwise
these
meetings
may
or
may
not
be
canceled
based
on
my
and
Jacques
availability,
so
Zach.
Thank
you.
I
see
you
doing
that
already
cool
yeah
thanks
for
that
sharing
the
meeting
is
very
easy.
B
B
B
D
But
let's
say
nothing
that
would
be
that
could
be
exploited,
Beyond,
a
security
research
right.
That's
how
how
we
see
that
and
just
to
be
clear
that
Ruby
jumps
policy.
I,
disagree
with
that,
but
yourself
set
to
to
open
the
discussion
here.
Npm
removes
packages
like
that
when
we
report
them,
we
report
admit
more
or
less
400
packages
like
that
in
two
weeks:
Prince,
so
yeah,
200,
Weekly
right
so
I
just
wanted
to
ask
on
behalf
of
ruby
gems.
D
What
do
you
guys
do
with
that
in
other
registries
right?
Should
we
reshape
our
policy?
That
is,
as
of
now,
really
generous
like
if
it's
not
harming
anyone,
if
it's
described
at
least
decently,
we
allow
it
to
stay,
or
should
we
remove
it
right
on
one
side,
security,
research,
good
security
research
is
needed.
On
the
other
hand,
then
we
get
some
complaints
like.
Why
is
it
in
registry?
D
Why
didn't
you
stop
Alex's
binham
dependency,
confusion
when
you
knew
about
that,
but
you
allowed
the
packages
to
stay
right,
so
we
we
actually
don't
know
what
to
do
with
it.
So
we're
asking
other
people
from
other
registries
how?
How
do
you
deal
with
this
type
of
of
non-malicious
but
still
kind
of
exploitable
content.
D
Okay,
oh
many
opinions.
So
let
me
rephrase
the
question:
would
you
expect
us
to
remove
packages
like
this
right?
If
you
would
encounter
a
package
like
this
in
any
registry
that
is
sending
something
from
from
your
systems
whether
it
is
or
it
is
when
it
is
not
any
sensitive
information,
non-keys,
let's
say
a
IP
host
name
again,
we
can
argue
if
host
name
is
something
sensitive,
I
believe
it
is
booby
gems
as
a
collective
does
not.
B
So
I
I
can
answer
this
on
behalf
of
the
behalf
of
a
registry,
I
guess
so
for
Pi
Pi,
like
we,
our
policy
is
the
same
as
npm
like
anything
that
is
essentially
not
legitimately
useful.
Software
is
grounds
for
removal
and
is
considered
an
invalid
project.
So
like
Alex
Pearson's
packages,
it
was
a
specific
sort
of
turning
point
where
we
were
like
yeah.
B
If
IPA
is
not
a
security
research
Tool,
and
so
we
removed
all
those-
and
we
do
remove
essentially
anything
that
checks
the
box
of
malware,
including
abusication
or
exfiltration,
because
essentially
our
policy
is
that
there's
no
legitimate
need
for
acoustication
and
there's
no
way
for
us
to
determine
the
legitimate
use
of
exfiltration.
Essentially,
it
all
just
looks
like
someone
trying
to
compromise
some
some
users.
So
even
if
the
package
says
I'm,
only
a
security
project
do
not
install
me.
I
am
malicious.
B
E
D
I
agree:
if
you
could
invite
at
least
me
and
yourself,
whoever
is
also
interested
to
see
the
draft.
I
may
maybe
reuse
it
or
put
our
comments.
That
would
be
really
good,
because
I
have
a
plan
to
open
a
request
for
changing
ruby
gems,
to
exactly
provide
a
policy
like
that
and
then
basically
do
a
bigger
cleanup.
A
Yes,
so
wearing
my
end
user
hat
working
at
Shopify
and
worrying
about
their
people,
I
see
any
exfiltration
of
data
is
hostile,
no
matter,
no
matter
what
the
stated
intention
of
the
researcher
is.
Anyone
can
say
that
they're,
a
researcher
anyone
can
say
that
they're
doing
it
for
good
purposes
and
that
that
seems
to
be
currently
the
excuse
for
obviously
hostile
people
where
they're
like
oops,
you
caught
me,
but
it
was
legit.
I
promise
right.
It's
just
like
somebody
being
caught
robbing
a
bank.
A
D
A
That
is
a
good
question.
We
did
that
as
as
a
secondary,
like
initially
as
the
first
line
of
defense
against
dependency,
confusion
right
back
when
it
was
the
hot
fresh
thing
mostly
it
has.
They
haven't
been
removed
out
of
an
abundance
of
caution.
If
the
policy
was
that
they
should
be
removed,
then
we'd
go
with
that
and
there's
a
case
to
be
made
that
that
they
should
be
because
they
don't
like
serve
and
peppers.
But
that's
like
a
step
further
than
you
exhibit
any
behavior
that
could
potentially
be
malicious
because
they
don't
do.
D
Because
there
are
many
companies
that
and
that's
actually
justifiable
right-
that
version
their
their
packages
with
v,
something
right,
Google
likes
to
do
that
they
release
different
packages
for
different
versions,
maybe
probably
also
because
there's
a
they're
different
in
what
they
do
are
different
apis
so,
like
the
maintenance
may
be
distributed
across
bigger
teams,
but
they
also
do
placeholders
right.
They
have,
let's
say:
V1
and
V2
should
be,
should
be
removed
at
V3
until
it
is
not
being
used.
D
And
how
should
we
deal
with
this
non-security
part
where,
let's
say
I
like
to
do
data
mining,
so
I
just
pick
a
lot
of
names
that
I
know
that
are
going
to
be
taken
not
for
typo
scoring,
but
just
because
then
I
can
claim
hey.
You
know,
but
I
created
a
V3
version
for
this
API
I'm
I'm,
not
Google,
I'm,
not
I'm,
at
Shopify
or
whoever.
But
this
is
a
legit
API,
and
this
is
a
legit
package.
D
A
I
don't
know,
I
I
would
want
to
start
with
the
current
scope
of
the
discussion,
which
is
when
a
security
researcher
uploads
something,
and
it
does
something
that
vaguely
resembles
my
way
like
dials
home
in
some
way
to
prove
that
they
did
it
I,
don't
care
I,
don't
give
a
if
they
can
publish
a
paper
or
not
or
whether
they
get
a
cool
blog
post
or
a
conference
talk.
That's
not
my
problem.
My
problem
is
that
they're,
actually
cheating
data
from
my
systems,
I
hadn't,
thought
about
the
place.
F
D
D
G
G
If
you
went
to
an
IRB
and
you
propose
doing
something
that
just
like
deemed
data
from
people's
computers
up
to
a
server
that
you
controlled
you
would
you
would
not
get
that
study,
approved
and
so
I
I
think
that
I
am
in
favor
of
the
repositories
being
really
harsh,
especially
about
non-opted,
Telemetry
and
exfiltration
of
data
and
and
I
think
that
no
reasonable
researcher
would
object
to
that.
I
think
you
know
you
should
allow
your
users
and
study
participants
to
have
you
know
some
notion
of
informed
consent.
G
That's
like
a
real
requirement
of
even
like
really
low-key
Anonymous
survey
data,
and
so
yeah
I
I
I'm
in
favor
of
made
like
I,
am
against
anything
where
unwitting
users
are
part
of
your
survey.
Now,
that's
like
there's
some
Nuance
here
right
because
data
that,
for
instance,
you
pipe
guy
might
be
able
to
to
pick
on,
you
know,
might
be
collecting
already,
like
you
know,
download
counts
or
whatever
can
be
and
has
been
used
in
academic
research
and
so
I
think
there's
some
Nuance
there,
but
I
think
that's
different.
G
F
What
you
said
there
Zach
also
reminded
me
of
a
case
where
a
user
of
a
package
that
I
helped
maintain
said
that
it
was
sending
data
off
to
Google
and
their
corporate
policy
prevented
that.
And
that
was
a
bit
strange.
But
it
turned
out
that
there
were
so
many
dependencies
of
our
project
that
it
was
very
hard
to
find
out
which
of
the
libraries
was
sending
that
information
and
so
having
a
opt-in
would
make
it
much
better.
G
Yeah,
absolutely
and
putting
on
a
different
hat.
My
the
Hat
of
a
software
developer
I
would
be
extremely
surprised
to
find
that
Library
dependencies
were
performing
Telemetry
and
surprised
in
a
bad
way
and
I
think
that
I
am
a
fan
of
opt-in.
In
every
case
when,
in
a
past
life
I
was
shipping
command
line
tools,
that's
how
we
did
it
and
our
metrics
were
worse
and
you
live
with
that
because
you
have
to
respect
people's
privacy.
H
Yeah
I
have
the
story
of
what
happened
when
we
turned
Telemetry
on
at
Homebrew,
because
it
turned
into
like
a
real
incident
like
massive,
and
we
ended
up
having
to
do
a
bunch
of
stuff
to
it,
and
the
Google
thing
actually
came
up
because
we
were
using
Google
analytics
so
I
remember.
There
was
a
post
on
Reddit
about
how
we
were
sharing
information
with
Google
but
yeah.
It's
a
it's
very
tricky.
H
H
H
Of
around
it's
not
them
it's
it's,
the
one
Jeff
leads
it
I
think
Jeff
Meadows
and
they
both
they
made
the
mpm
best
practices.
They.
They
were.
The
group
that
published
that
I'm
a
part
of
a
lot
of
groups-
I,
don't
remember
all
the
names
of
all
the
groups
I'm
a
part
of,
but
there
is
one
that's
supposed
to
like
be
for
the
pat,
like
software
repositories
to
like
publish
a
set
of
like
this
is
what
we
consider
best
practices.
I'll,
find
it
on
GitHub
and
I
will
send
the
link
on
chat.
B
I
guess
this
is
kind
of
the
inverse
right.
This
is
worse
practices.
This
is
like
the
stuff.
We
definitely
don't
want
you
to
do
that
group
or
not.
Maybe
we
can
collaborate
with
them
right
and
so
one
action
that
I'm
going
to
take
out
of
this
I
shared
there's
a
link
here
on
what
IPI
already
considers
to
be
in
developed
projects.
It
doesn't
go
into
a
lot
of
detail
about
malware.
Specifically,
it
just
says
malware,
so
I
will
share
like
updated
draft
and
what
so?
B
What
we're
actually
working
on
is
an
acceptable
use
policy
which
we
don't
really
have
right
now,
but
if
you're
interested
in
seeing
a
really
good
one,
githubs
is
really
good
in
describing
like
what
represents
acceptable
use.
What
can
be
published
on
GitHub
that
kind
of
thing,
but
I'll
share
that
so
is
there
anything
else
that
you
know
we,
as
a
group
should
probably
do
here.
I
People
doesn't
do
it
I
think
it's
important
to
recognize
here
that
every
region,
every
set
of
customer
types
right-
that,
for
example,
is
going
to
have
a
different
set
of
rules
and
regs
in
this
area,
and
it
is
the
cloud
providers
requirement
to
make
sure
you
know
for
these
repositories
that
it's
right
and
and
for
its
private
customers,
Etc
that
it
is
the
security
policies
of
the
policies
of
that
region.
Legal.
I
You
know,
Federal,
that
sort
of
thing
Mia
has
their
own
rules,
for
example,
especially
with
regard
to
the
types
of
data
you
can
expose.
So
I
think
what
this
group
should
be
focused
on.
Then,
in
that
view,
is
the
plugability
of
these
kinds
of
security
profiles.
These
you
know
ways
that
various
companies
Define
how
they're
going
to
react
to
certain.
You
know
such
instances
right
more
so
than
trying
to
create
a
one-size-fits-all
for
all
countries,
all
regions,
all
companies,
all
corporate
types.
B
B
G
B
A
A
B
D
A
Yes,
this
is
a
quick
update
on
the
proposal
to
have
a
shared
help
desk.
You
may
recall
that
we
talked
about
this
at
the
last
meeting,
or
maybe
you
don't
because
it's
at
a
different
time,
but
to
summarize
briefly,
several
repositories
or
most
most
repositories
are
volunteer,
operated
and
have
limited
sort
of
bandwidth
for
dealing
with
support
issues.
A
Many
of
us
would
like
to
expand
the
coverage
of
NFA
requirement
policies
to
larger
cohorts,
but,
of
course,
the
more
people
you
have.
The
more
people
need
MFA
resets
to
be
performed
because
they
lose
their
phone
or
something
else
happens
that
goes
wrong,
and
that,
of
course,
is
an
intensive
process
and
a
tricky
process
and
and
miles
will
recall.
A
So
we
can
hire
someone
a
to
be
that
support
person
shared
amongst
multiple
ecosystems,
because
you
know,
there's
probably
not
enough
for
just
one
ecosystem
and,
second
of
all,
to
fund
a
series
of
contracts
to
be
rfped
to
basically
construct
the
tooling.
That
will
be
necessary
because
of
course
nobody
in
their
right
mind
is
going
to
say,
like
hello
person
who
is
paid.
But
we
don't
know
here-
is
production
access
to
the
database?
A
A
So
I've
assumed
it's
not
fully
loaded
for
conservatism,
and
the
next
step
is
going
to
be
that
I
will
put
that
report
in
front.
Put
that
proposal
in
front
of
the
TAC
I
wasn't
mentioning
it
to
them
yesterday,
because
we
were
supposed
to
give
a
report
on
what
we've
been
up
to
and
what
we're
going
to
be
doing
to
tax,
so
I
sort
of
had
to
extemporize
a
little,
because
we
we
missed
the
calendar
on
that
one.
A
A
B
A
J
J
I
would
speak
to
directly
like
how
how
access
is
going
to
be
managed
and
I
know
that
we
talked
about
it
briefly.
In
apologies,
I
haven't
had
a
chance
to
to
review
it,
but
like
top
and
Center
one
of
the
most
important
bits-
and
this
is
what
I
would
imagine
like-
the
various
Registries
need
to
agree
to
is
like
who
will
eventually
be
making
the
decisions?
How
will
they
get
access
to
these
details?
J
How
will
we
integrate
into
it,
because
I
would
personally
find
it
hard
to
fund
something
without
like
a
clear
commitment
to
executing
on
it
or
like
knowledge
that
you
know
it's
set
up
for
Success
to
be
clear.
I
think
that
this
is
really
important
and
as
possible,
but
those
are
kind
of
the
holes
that
I
would
look
at
first.
A
Of
yeah
in
terms
of
integration,
I,
I
included
in
in
the
proposed
budget,
a
series
of
contracts
to
basically
pay
for
the
development,
because
the
the
whole
point
of
it
is
that
it's
volunteer
organizations
that
have
limited
bandwidth
and
saying
surprise
we're
gonna
dump
something
on.
You
probably
doesn't
go
very
well.
I'm
gonna
turn
off
my
screen
in
monitor
for
a
second
I've
got
someone
at
the
door,
but
I'll
still
be
listening.
H
That's
the
because,
basically
originally,
the
ideology
of
the
Sig
cert
was
to
create
like
a
First,
Response
Unit,
but
now
that
things
are
starting
to
move
and
like
there
are
groups
that
are
starting
to
like
gather
information,
we're
starting
to
realize
that
might
not
be
entirely
possible.
So
now
it's
kind
of
sitting
at
this
50
50,
split
of
education
and
like
incident
response.
So
that's
why
it
might
be
worth
having
a
conversation
with
him.
A
A
A
F
A
Thank
you.
Yes,
integration
is
definitely
one
of
the
reasons
that
that
the
the
budget
includes
a
substantial
amount.
The
proposed
budget
includes
a
substantial
amount
of
money,
basically
for
letting
contracts
to
deal
with
integration
problems,
because
it's
it's
not
possible
to
let
like
I
mean
it's
very
unlikely
that
we
could.
We
could
let
the
project
to
one
vendor
and
get
everything
done,
because
we'd
need
them
to
be
experts
in
Python,
Ruby,
potentially
rust
chat
like
all
these.
F
B
A
Well,
I,
what
I
would
basically
like
I
guess
to
Master's
Point
at
least
a
in
principle,
yes
from
from
folks
from
say
two
ecosystem,
so
I
would
say
normally
pipeline,
which
answers
the
obvious
candidates.
Other
ecosystems,
of
course,
welcome,
so
I'll
send
an
email
to
the
mailing
list.
To
that
end,
I
would
like
at
least
a
Voice
vote.
Probably
next
time,
all
the
time
after
I've
got
to
look
at
the
coming
calendar
and
the
tricky
part
is
that
I
will
not
be
at
the
next
meeting.
B
A
B
C
And
people
have
answered
there,
so
I
was
really
I'm
asking
for
a
friend,
literally
Jason,
so
I
couldn't
make
it
today.
He's
like
hey
Go
pass
this
along
the
working
group,
so
it
looks
like
there
will
be
folks
there,
I
I
I,
don't
know
if
I'm
going
yet
and
but
I
feel
like
Jason's
sort
of
plotting
out
his
his
show
visit
schedule.
So
this
is
helpful
and
I'll
make
sure
to
pass
this
along
to
him.