►
A
B
B
A
B
B
D
B
Yeah
I,
I,
definitely
heal
and
I
thought
I
thought
that
would
be
appropriate
for
be
open
after
that
black
to
suggest
that
when
people
are
creating
their
accounts,
they
use
their
personal
emails
instead
of
their
work,
email,
which
is
currently
recommend
using
the
working
mode
and
the
Google
layoffs
really
put
put
a
point
on
the.
Maybe
that's
a
bad
idea
of
doing
what
people
want
to
print
for
their
identities,
between
companies
mentally
or
if
they
want
to
stay
involved.
A
B
B
F
There
is
I
I
posited
this
thing
that
I've
been
positing
to
this
group
for
quite
a
while,
which
is
that
any
sufficiently
large
enough
artifact
server
in
the
job
in
the
industry
that
has
been
provided
for
free
and
is
not
ever
been.
A
part
of
a
purchasing
agreement
from
a
company
has
probably
never
been
audited
like
there's,
never
been
a
pen
test
performed
against
it,
and
my
proposal
to
Alpha
Mega
was
hey.
Would
we
consider
like
currently
the
audits
that
Alpha
Omega
are
performing
right?
F
Would
it
be
a
valid
Alpha
engagement
to
consider
performing
audits
of
major
artifact
servers
that
have
never
had
a
pen
test
performed
against
them,
and
it
was
not
like
an
immediate
yes,
but
it
was
more
like
I
mean
that
seems
like
it's
in
scope,
so
we
would
be
happy
to
review
a
proposal
for
such
a
a
request
for
money
or
Grant
or
whatever,
whatever
the
album
I
got.
You
know,
you'd
think
that,
because
I
work
for
them,
I
should
know
how
what
what
the
full
process
I
I
truly
do.
F
Audit
that
are
like
you
know,
maybe
like
pip,
are
you
know
any
any
industry,
artifact
server
that
is
used
to
supply
the
the
industry
Supply
chains
and
then
maybe
include
in
that
scope
the
build
tools,
maybe
I'm,
not
certain,
but,
like
you
know
how
do
these?
All
these
systems
interplay
and
then
trying
to
hire
a
company
to
perform.
You
know
audit
to
these
tools
and
and
and
and
infrastructure,
and
then
you
know,
disclose
the
vulnerabilities
to
the
maintainers
and
try
to
get
them
fixed.
You.
A
F
All
that
all
that
full
that
whole
sphere
of
now
this
is
further
complicated
because
your
base,
you
know,
most
of
the
time
when
you're
engaging
in
a
pen
test
right,
you're
you're,
our
company,
coming
to
a
security,
firm
and
you're,
saying
hey.
We
would
like
you
to
pen
test
us
and
then
there's
a
bunch
of
legal
documents
that
get
drafted
up
that
basically
like
State.
What
a
scope
is
and,
like
you
know
what
is
allowed
to
be
audited.
F
What
is
not
allowed
to
be
audited,
and
you
know
it's
going
to
be
very
hard
for
us
to
try
to
do
this
with
an
organization
that,
like
doesn't
have
a
public
vulnerability
disclosure
policy
with
a
scope
document
predefined
right.
If
you're
you,
because
you
can't
authorize
hacking
against
a
system
or
an
infrastructure
that
you
don't
own
and,
like
you
know
the
openness
of
can't
do
that
so
so
we've
had
there
would
have
to
be
some
for
a
level
of
Engagement.
A
C
Yeah
they
do
all
of
the
cncf
security
assessments
and
Audits
and
things,
and
they
basically
have
a
network
of
security
companies
that
they
work
with
and
have
like
pre-selected
because
of
familiarity
with
open
source
and
the
like
differences
in
doing
security.
Work
in
this
environment,
as
opposed
to
like
a
traditional
commercial
environment.
F
Cool,
that's
that's!
That's!
That's
really
good!
Okay,
so
I
will
I
will
ping
Amir
I
guess.
Does
anybody
else,
I'm
I'm?
My
schedule
is
packed
with
currently
with
mentee
I'm.
Currently
Alpha
May
is
currently
trying
to
hire
me
or
not
higher,
find
mentees,
and
my
schedule
is
currently
packed
with
interviews,
but
I
can
spend
some
time
working
with
someone
to
like
start
this
document.
B
F
G
F
A
A
Yeah
absolutely
I
think
it's
a
great
idea
and
another
suggestion
from
Joshua
is
that
we
could
do
it
start
with
the
GitHub
issue
and
link
to
that
from
slack
and
email.
Yeah
I
think
that'd
be
a
great
way
to
establish
a
paper.
Trail
I
think
it's
a
great
idea.
I
think
we'll
probably
find
things
I
think
everybody's
done
their
best,
but
it's
always
good
to
have
an
external
set
of
eyes.
F
Right-
and
it's
like
you
know,
and
and
I
presume
that,
because
you
know,
because
these
systems
are
built
by
people
that
are
just
you
know,
trying
to
get
something
together.
Sometimes-
and
you
know
they
will
handle
reports
that
come
in
they're
still,
you
know
they're
still
only
as
good
as
the
people
that
have
actually
looked
at
them
can
can
report
them
to
be.
A
E
G
A
E
A
E
A
H
G
H
So
there's
no
needs
for
any
OTP
since
that's
mostly
manual
workload,
but
also
at
the
same
time,
there's
no
need
to
lower
your
security
on
the
account
by
Design
disabling
this.
So
it's
working
totally
with
IDC
things
and
I.
Think
if
I
remember
well,
it's
written.
Currently,
the
implementation
is
not
a
GitHub
related
GitHub
actions
related.
A
H
G
C
A
Really
cool
yeah
I'm
really
excited
about
that
one.
Like
the
the
work
we
do
on
MFA
made
a
big
difference,
I
think
in
terms
of
folks
working
at
the
CLI
and
working
in
the
GUI.
So
it
was
nice
that
we've
also
done
big
work
on
making
automation
a
first-class
Citizen
and
it's
been
exciting,
seeing
that
happening
with
npm
and
Pipi
as
well.
I
think
that's
going
to
make
a
big
difference
in
the
long
run.
Having
these
capabilities.
D
So
I
was
actually
interested
in
hearing
from
one
of
the
implementers
of
like
how
is
the
how
are
changes
in
these
trusted
publishing
States
handled
is
this
like
if
you
say
that
this
oidc
identity
is,
is
now
like
a
trusted
publisher?
How
do
you
change
that?
Is
it
just
logging
into
a
web
UI
or
something
else.
A
I
might
have
done
it
differently,
but
it's
a
very
flexible
system
which
leads
to
the
user
a
lot
of
discretion
about
how
they,
how
they
configure
it.
So
they
can
configure
that
the
the
issuer
is
GitHub
and
presumably
you
know
in
as
as
support
comes
online
for
forget
lab
and
the
like,
you
know
you
you
would
get.
Gitlab
is
an
issue
or
example.com
is
an
issuer
and
that
would
be
left
to
the
user.
H
I
think
for
now,
in
the
current
state
there
is
a
no
UI
around.
So
it's
just
some
manual
manual
run
with
configuring
all
the
entities
needed
on
the
rubygems
outside
manually,
but
definitely
there
will
be
UI
and
API
around
this
to
make
users
able
to
control
and
add
delete
providers
how
they
would
like
to.
A
But
it,
but
it
has
in
a
sense
so
yeah
most
most
of
the
implementation
in
terms
of
user
interface
is
focused
on
the
admin
user
interface.
At
the
moment,
the
UI
that
that
folks,
like
Joseph
use,
but
it
has
it-
has
at
least
been
reached
a
proof
of
concept
stage
where
Samuel
giddens
who's
doing
doing
the
work
is
able
to
do
this
in
an
environment,
basically
have
a
build
on
GitHub
issued
a
token
and
make
a
push
to
this
environment,
so
it
always
together.
A
E
F
F
F
Not
what
I'm
doing
yeah,
also
email
kaheel,
that's
our
operations.
They
may
be
able
to
assist
you
I,
don't
know
if
they
can,
but
you
know
yeah
and
then
what
was
the
other
question
so
I
know
that
npm
implemented
the
2f
pay
requirement.
Has
anybody
else
done
that
or
is
it
just
npm?
That's
the
big
one.
Yeah.
F
A
J
A
For
Pipi,
it
was
based
on
I
think,
essentially
a
sort
of
like
a
criticality
score
type
thing
where
they
base
it
on
the
number
of
dependents,
and
your
package
would
be
marked
as
being
critical
and
I
I
think
might
be.
I
had
the
hardest
time
because
they
swept
up
about
three
thousand
three
thousand
packages.
A
F
F
A
A
F
Yeah
I
I
wouldn't
make
the
assumption
that
all
the
the
login
has
been
moved
over
I
I,
don't
know
if
you
all
I
mean
game
Gamers,
Among
Us.
There
has
been
a
lot
of
people
being
not
through
not
thrilled
with
Microsoft,
requiring
that
you
have
a
Microsoft
login
account
for
your
Minecraft
account,
because.
F
H
G
H
G
A
There's
the
infrastructure
set
up
for
it
right
like
we,
we
had
the
mailers
in
the
source
code
that
can
be
repurposed
to
to
send
another
another
round.
The
thing
the
thing
that
sort
of
I
think
made
us
hesitant
in
the
past
and
I
think
this
is
true
of
Pi
Pi
as
well,
is
the
support,
first
of
all,
the
the
blowback
from
the
usual
tinfoil
hat
Brigade
and
the
other
part
being
the
support
burden
of
dealing
with
folks.
F
All
right,
yeah
I,
in
my
experience,
right
the
more
to
the
more
2fa
solutions
you
offer
right
that
are
crossed
compatible
the
less
likelihood
of
lockout
you
have.
You
just
have
to
encourage
people
to
hear
you
know
give
us
your.
You
know,
give
us
multiple
ways
to
2fa
verify
you
and
I'm
like
I'm
thinking,
like
you
know,
my
immediate.
G
F
F
Right
I
would
like
to
propose
for
the
talent
of
this
meeting.
If
we
don't
have
any
of
the
topics,
which
is
fine,
that
I
co-opt
this
meeting
to
turn
it
into
a
slight
small,
like
group
of
us
chewing
on
creating
a
potential
initial
template
for
the
AO
proposal.
I,
don't
know
if
people
want
to
do
that
or
not
but
I.
You
know,
I've
got
the
rest
of
this
meeting
set
aside
so
I
can
I
can
I
can
chew
on
it.
If
I
can
I'm
trying
to
get
my
computer
booted
up.
A
F
A
A
A
F
F
F
I
F
F
F
A
F
F
Foundations
that
cover
many
elements
is
published
core
ecosystem
Services.
The
selection
is
informed
by
the
work
of
the
open,
SF
critical
security
day-
okay
Grand
proposal.
First,
it
should
describe
the
product's
current
state
assume
we
know
very
little
about
the
project,
how
the
project
critical
and
what
okay?
This
is.
Some.
This
is
somewhat
targeted
at
going
after
or
performing
an
audit
of
an
open
source
project,
so
I'll
need
to
drag
we'll
need
to
add
some
stuff
that
clarifies
this
for
this
use
case.
F
F
F
F
So
I
I
thought
so
three
three
things
that
I
was
thinking
about
doing
in
this
sort
of
work.
Having
someone
having
someone
pen
test
the
infrastructure
right
like
the
repository
host,
Sony
pen,
testing,
the
build
artifact
build
and
upload
tooling
right
like
or
cradle,
it's
Gradle
for
npm,
it's
the
npm
CLI.
You
know
all
those
things
and
then
the
third
one
was
definitely
going
to
be
contentious
and
definitely
be
harder
to
pull
off.
Is
red
team
engagements
against
the
infrastructure
and
maintainers?
F
I
As
a
community
man
or
as
a
community
member
I
can
tell
you
and
so
someone
that's
gathered
feedback
in
the
past.
I
wonder
if
set
using
the
word
pen
test
is
the
best
word,
because
some
people
might
have
direct
objections
to
that
and
I
wonder
if
you've
considered,
maybe
just
saying
that
we're
auditing
or
maybe
a
in-depth
audit
might
be
a
little
bit
more
or
easier
pillow
to
swallow.
Just
saying.
F
B
F
F
Make
the
source
code
of
the
artifact
server
public,
but
they
do
they
don't
like
the
public,
the
artifact
server
code
public,
but
they
they
do
have
a
they
do,
have
a
vulnerable
disclosure
policy
that
allows
you
to
perform
an
audit
right.
So
you
can't
get
access
source
code,
but
they
say
here
go
ahead
and
hack
us
and
tell
us
about
it
right,
right
and
in
either
of
those
cases
right
in.
F
F
In
my
experience
right,
the
in
my
experience,
having
worked
for
a
repository
host
because
this,
the
repository
infrastructure
is
not
being
paid
for,
there's
never
a
requirement
to
do
these
audits
right.
So
even
the
effort
involved,
like
that
you
know,
I
have
worked
for
having
worked
for
a
potential
company
that
is
hosting
some
of
this
stuff.
F
They
don't
it's
not
a
a
priority
for
them
to
invest
the
energy
or
time
in
trying
to
get
an
audit
done,
even
if
it
was
given
to
them
for
free
and
they
didn't
have
to
pay
for
it
right,
like
that's
just
not
on
the
radar,
something
that's
important,
but
necessarily
so
even
trying
to
engage
with
them.
Saying
hey:
were
you
willing
to
give
you
this
for
free?
F
They
still
have
to
dedicate
engineering
hours
to
one
guaranteeing
that
they're
going
to
get
and
handle
the
reports
and
receive
and
actually
do
something
with
them
versus.
If
taking
this
hypothetical
artifact
server
organization
that
may
or
may
not
have
a
vulnerability
disclosure
policy
that
was
published.
F
You
can
because
that
that
that
organization
has
a
VDP
that
explicitly
spells
out
that,
like
Safe
Harbor
is
offered.
If
you're
performing
an
audit
within
this
scope,
you
could
potentially
engage
a
company
to
to
perform
an
audit
against
that
scope
without
the
organization
necessarily
needing
to
be
involved
with
the
approval
process.
G
F
H
F
G
F
E
F
F
I
I
So
that's
where
I'm
coming
from
with
a
lot
of
this,
because
a
lot
of
people
like,
for
example,
the
kernel
guy,
went
on
to
explain
to
me
that
openssf
doesn't
understand
that
there
have
been
multiple
generations
of
security
and
security
has
been
addressed
in
different
ways
at
different
points
in
time
when
certain
things
are
recommended-
and
we
are
tone
deaf
to
that-
that
was
one
of
the
opinions
that
came
up.
So
that's
why
I
think
that
a
lot
of
what
we
should
do
is
not
be
like
hey.
F
I
F
I
But
I
think
I
I
just
think
the
state,
the
way
that
we
should
approach
it
is
so
you
know
I
think
at
this
point
everyone
can
agree
that
Safe
Harbor
is
kind
of
a
a
best
practice
that
is
pretty
much
industry
standard.
So
why
don't
you
have
one?
Is
it
because
you
don't
want
one?
You
don't
want
to
have
the
liability?
Are
there
legal
reasons,
or
is
it
a
matter
that
you
actually
need
help
writing
one?
If
you
get
what
I'm
coming
from.
F
Right
and
that's
that's
a
conversation.
That's
currently
going
on
I
mean
the
one
of
the
things
that
David
wheeler
is
working
on
is
hopefully
a
safe
harbor
policy
that
LF
legal
will
sign
off.
On
that
I
mean
David
Wheeler's
perspective
goal
is
to
write
one.
That
is
a
model
one
that
anybody
else
could
apply
and.
I
I
G
F
You
know
10-year
I-
think
that
I
think
the
other
problem
is
that,
like
having
safe,
harbor
language,
also
somewhat
predicates
you
on
needing
to
have
legal
like
provide
you
advice
and
most
of
these
organizations
that
are
smaller,
don't
have
Elite,
don't
have
lawyers
on
staff
or
in
in
their
circles
that
they
could
tap
into
to
provide
those
insights.
Well,.
F
A
F
All
of
that
stuff,
so
that
you're,
not
in
violation
in
terms
of
service
you're,
not
in
violations
of
all
that
stuff
and
then
that,
because
you
waived
all
that
stuff,
there's
no
risk
or
there's
significantly
reduced
risk
of
the
federal
government
coming
after
you
for
a
violation
of
cfaa
or
whatever
the
equivalent
government
laws.
Are
you
your
country,.
F
F
G
F
I
H
F
F
Fair
I,
don't
know
what
the
current
state
of
the
Season
Cesar
published
a
like
here.
You
work
for
the
or
you're
a
government
entity,
use
this
disclosure
policy
copy
and
paste
it.
If
you
don't
want
to
spend
the
time
doing
your
own,
but
that's
that's.
That
document
was
intended
for
the
use
by
government
agencies,
Fair
yeah,
but
I
think
Caesar
also
mandated
that
all
of
these
any
like
government
agencies
had
to
have
a
disclosure
Channel
like
had
they
had
to
announce
one.
I
F
F
Okay,
so
this
is
like,
so
this
is
the
disclose.io
one
right.
So
when
conducting
vulnerability
research
according
to
this
policy,
we
consider
the
research
we
can
talk
to
onto
this
policy
to
be
authorized
concerning
any
applicable
anti-hacking
laws
that
and
we
will
not
initiate
our
support
legal
action
against
you
for
act
for
accidental
good
faith
violations
as
policy.
A
G
F
Is
also
used
to
go
after
hackers
and
security
researchers,
because
often
when
you're
doing
research
you
it
requires
reverse
engineering
and
reverse.
It
may
also
involve
de-obfiscation
and
de-offification
has
also
been
tried
and
found
to
be
led
to
violate
potential
violations
of
dmca
exempt
from
restrictions
in
our
terms
of
service
and
our
acceptable
leaders,
policy
or
interfere
with
conducting
research,
and
we
waive
those
restrictions
on
a
limited
basis
and
lawful
helpful
to
the
overall
Security
Internet
and
conducted
in
good
faith.
J
F
For
is
required
by
law.
We
shall
not
share
your
information,
identifying
information
with
any
affected
third
party
without
notifying
you.
This
is
to
prevent
you
disclosing
to
us,
and
then
we
have
to
tell
someone
else
and
that
resulting
in
you
getting
legal
blowback,
because
we
had
to
share
the
details
with
someone
else
and
your
name
getting
associated
with
it
and.
I
F
Really
it's
more
like
you,
you
hack
me,
but
that
system
you
went
after
actually
I
don't
know,
but
you
didn't
know
that
and
I
need
to
tell
the
downstream
vendor
that
you
that
there's
a
vulnerability
in
the
downstream
thing.
You
won't
include
identifying
information
of
the
original
reporter
in
that,
so
that
the
downstream
vendor
can't
go
after
legally
the
Upstream
one,
because
they
don't
know
who
it
is
fair.
F
F
They're
they're
trying
they're
trying
to
limit
their
liability
by
saying
we're
only
going
to
do
we're
only
going
to
tell
the
person
they're
we're
gonna
only
give
them
their
name
if
we
are
compelled
to
by
law
which
may
happen
in
in,
like
you
know,
judges
can
force
and
compel
Microsoft
to
do
anything
right,
so
they
might
have
to.
They
might
have
to
cough
up
this
information
tragically
and
then
right
into
the
public
record
right
right,
fair.
F
Also
standing
out
here,
please
note:
we
cannot
authorize
out
of
scope
testing
in
the
name
of
third
parties
and
such
testing
is
beyond
the
scope
of
this
policy,
so
they're,
basically
saying
like
we
may
have
to
disclose
on
your
behalf
to
a
downstream,
but
this
is
not
considered
like.
We
are
not
authorizing
you
to
go
after
third
parties
and
using
our
policy
as
something
that
that
you
said.
Oh
well,
Microsoft.
Let
me
do
it.
G
F
On
that
right,
I
authorize
you
to
test
it,
but
you
accidentally
find
a
vulnerability
in
Amazon's
infrastructure.
Correct
right,
I
have
authorized
you
to
find
something
in
my
infrastructure,
but
you
have
gone
outside
the
scope
of
that
and
so
I
think
that
Microsoft
and
Google
and
Amazon
have
all
released
and
said.
You
know
you
can
provide
scope,
permissions
up
the
chain
of
your
supply
chain
and
you
don't
need
to
engage.
You
don't
need
to
engage
with
us
in
that
work.
I
Applies
more
to
people
that
are
like
tinkering
like
those
people
that
are
trying
to
find
like
where
they
messed
up
setting
up
the
cloud
like
the
one
guy
that
found
that,
if
you
change
one
number
in
the
Google
Cloud
panel,
you
could
pull
up
other
people's
accounts
and
do
whatever
you
want
with
it.
Kinda.
F
I
F
F
J
F
F
F
F
Actually
might
find
this
useful
for
some
of
the
work
that
you're
doing
I
don't
know.
You've
got
a
larger
team
of
people
around
you
than
not
so.
The
tax
voted
on
Tuesday
to
ratify
a
proposed
disclosure
policy
that
I
authored
in
with
the
open
source
security,
vulnerability,
disclosure
working
group.
That
is.
F
One
so
this
one
is
the
model
out
on
vulnerability
disclosure
policy,
and
this
now
because
it's
been
ratified
by
the
attack
is
the
if
any.
If
any
working
group
wants
to
use
this
as
their
disclosure
policy
for
outgoing
reports,
I
mean
it
applies
to
any
work
coming
out
of
the
open
source
security
Foundation.
Ultimately,
the
person
who's
doing
the
work
to
find
the
vulnerability
can
choose
if
they're,
like
I'm.
G
I
I
F
F
Edit
to
get
us
a
starting
point
right
to
State
hey,
we
want
to
engage
in
this.
This
we
want
to
engage
in
in.
We
want
to
engage
in
in
potentially
auditing
your
security,
but
we
need
you
to
have
a
safe,
harbor
policy
for
us
to
do
that,
and
so,
if
we
can
come
up
with
an
email
that
communicates
that
it
might
be,
it
might
be
a
good
starting
point.
G
I
By
a
company,
but
you
want,
but
you
want
to
know
something,
so
this
is
what
I
get
from
the
community.
A
lot
of
people
have
security
teams
and,
like
there's
a
difference
between
hey,
let
us
help
you
do
this
and
hey.
Let
us
help
your
security
team
get
the
ability
so
that
they
can
do
more
things,
which
is
I.
Think
what
you
got
to
walk
all
I'm,
saying
John,
is
that
you
got
to
walk
that
line.
I
Because,
like
at
gentu,
for
example,
you'll
run
into
people
that
are
very
security,
opinionated
and
I'm,
not
going
to
say
they're
wrong,
but
they
come
from
different
generations
of
security
and
yeah
like
realize
that
Gen
2
does
not
have
an
installer.
So
these
are
the
people
you
talk
to
in
that
community
and
and
there's
other
communities,
because
I.
I
Imagine
that,
like
npm,
has
a
security
team
I'm
sure
that
cargo
has
a
security
team
and
I
think
that
we
need
to
make
sure
that
we're
not
saying
hey
your
security
team
isn't
doing
their
job
or
or
anything
that
implies
like
that.
So
let
us
do
their
job,
because
some
people
will
take
that
the
wrong
way
is
all
I'm
saying.
F
F
Servers
that
do
have
do
have
that
do
have
socks
that
come
like
the
company
has
a
sock
of
some
kind
and
those
that
do
not
right.
Github
is
owned
by
Microsoft.
Github
probably
has
a
sock.
Microsoft
is
a
sock
right
if
they
have
a
security
incident
that
impacts
their
support,
their
their
npm.
They
can
respond
with
their
sock
right,
perform.
F
G
I
The
expectations
of
the
users
are
drastically
different,
like
in
Homebrew,
people
will
download
stuff
and
then
when
they
they
like
have
adverse
effect
for
whatever
reason,
because
somebody
packaged
something
they
shouldn't
have
packaged
in
their
software,
then
they'll
come
back
to
Homebrew
and
be
like,
but
why
do
you
guys
host
it?
So
that's
why
Homebrew
does
not
take
any
editorial
approach
to
like
what
they
upload
or
they
try
not
to.
However,
if
a
package
is
unsafe,
they
will
delete
it,
but
it's
more
of
a
community
decision.
I
It's
not
like,
but
yeah
like
long
story
short
Homebrew.
Has
this
thing
where,
like
because
the
end
user
expectation
is
that
everything
works
and
everything
is
relatively
safe,
Homebrew
defends
itself
with
their
ideology
of
Homebrew
is
the
last
line
of
defense
and
should
not
be
relied
on
for
security,
and,
if
you
rely
on
it
for
security,
then
you're
just
doing
it
wrong.
Yeah.
A
F
F
If
you
could
so
I
found
the
nougat
contact
page
yeah,
if
you
can
try
to
convince
the
nougat
pm
to
add
the
security
contact
to
that
contact
page,
that
would
be
valuable
as
well
sure
or
and
if
even
if
it's
like
Microsoft's
policy
applies
that
actually
really
helps,
because
it
means
that
I
can
just
use.
Microsoft
is
the
is
the
disclosure
perspective
for
that
right,
yeah,
all
right
cool?