►
Description
Meeting minutes: https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit#heading=h.pujncb7gxv4f
B
B
A
A
A
A
A
C
Help
maintainers
of
those
systems
reach
certain
levels
of
maturity.
That
sort
of
thing
it's
very
early
days,
but
if,
if
these
are
the
questions
that
interest
you,
which
they
probably
otherwise,
you
wouldn't
be
here,
you
might
consider
either
reaching
out
to
him
or
also
encroaching
him
to
enjoy
these
conversations.
A
C
Okay,
so
Providence
I'm
always
saying
this
word
wrong,
promulgating,
I!
Think,
that's
how
you
say
it
anyway.
We
now
are
a
little
over
a
month
out
from
the
public
beta
of
provenance
in
npm.
So
this
is
the
capability
that
ties
a
built
package
back
to
its
source
code
and
build
instructions
using
the
public
good
six
store
instances,
and
we
are
very
close
to
announcing
an
additional
cicd
vendor
who's
supporting
building
with
Providence,
but
aren't
quite
ready
to
do
that
yet.
C
But
I
thought
I
would
come
to
this
group
and
mention
that
we're
very
interested
in
other
open
source
package
managers
adopting
this
capability
I
know
that
there's
a
few
barriers
to
that
principally
funding,
but
also
it's
it's
kind
of
a
it's
kind
of
a
complicated
system
with
a
lot
of
different
living
pieces.
It
might
require
implementing
a
six-door
library
in
a
language
of
your
choosing.
C
So
again,
this
is
another
one
where
I
don't
I,
don't
really
have
a
specific
request
for
this
group
I,
just
sort
of
an
FYI
that
we're
interested
in
spreading
the
idea
of
Providence
around
to
more
package
major
ecosystems,
and
if
this
is
something
that's
interesting
to
you
or
if
there
are
specific
roadblocks
that
you're
encountering
that
you
need
help
with
do.
Let
us
know.
A
That
sounds
fair
before
two
weeks
ago,
roughly
I
was
looking
at
the
rust
Library,
the
six
door
RS
as
a
as
a
candidate
for
like
a
shared
Library
that
rubygems
could
hook
into
and
I
got
something
to
work.
I'll
put
it
that
way
at
a
very
limited
level.
It
was
mostly
like
you
know,
baby's
first
rust
binding,
something
else.
I
was
going
to
say,
but
it's
still
sort
of
like
the
open
question
was
exactly
how
will
that
be
distributed.
A
Although
building
rust
modules
is
now
part
of
the
base,
Ruby
distribution
building
modules
has
never
been
part
of
rubygems,
so
it
opens
the
question
of
like.
Do
we
binaries?
How
do
we
build
all
the
binaries?
You
know
we
have
to
spot
all
these
different
platforms,
etc,
etc.
So,
still
still
I
hadn't
sort
of
like
come
to
a
firm
opinion
at
the
time
that
I
left
off.
D
C
So
the
main
things
that
we've
published
right
now
are
the
the
npmrfc,
of
course,
there's
the
implementation
in
the
npm
CLI,
which
is
open
source.
The
npm
registry,
unfortunately,
is
not
open
source
and
then
We've
documented.
What
properties
they
build
system
should
have
in
order
to
have
non-falsifiable
Providence
in
the
full
seal
certificate.
C
So
we
haven't,
we
haven't
been
focused
as
much
on
the
package
manager
side,
maybe
a
little
bit
more
focused
on
the
CSU
provider
side,
and
so,
if
there's,
if
there's
something,
if
there's
something
more
specific
or
more
concrete
you're.
Looking
for
on
that
side,
that
I
mean
that's.
That's
helpful
feedback.
D
C
Oh
yeah
and
yes,
so
the
specification
is
useful
and
then
also
the
way
the
in
Toto
document
is
being
constructed
in
the
npm
CLI.
So,
in
addition
to
this
specification,
there's
also
at
least
one
implementation-
that's
open,
source
and
available
to
look
at.
Maybe
we
should.
Maybe
we
should
link
that
from
here
this.
This
appears
to
mostly
be
just
the
readme
yeah.
D
C
A
A
It
would
be
really
cool
to
see
that
on
pipei
rubygems.org,
you
know
cargo
Etc
Maven,
the
usual
suspect's
Gradle,
of
course,
so
yeah
I'm,
hoping
that
spreads
the
last
I
left
off.
The
main
thing
that
was
coming
down
the
pipe
in
rupajam's
land
was
an
oidc
to
token
flow,
so
taking
taking
that
build
oidc
token
and
can
make
exchanging
it
for
a
posh
token.
C
C
That
yeah,
you
know
if,
if
often
a
a
good
place
to
start,
if
your
ecosystem
doesn't
already
support,
it
is
some
concept
of
scoped
API
tokens
or
being
able
to
assume
in
with
a
workload
identity
from
an
oidc
token.
Otherwise
you
know
people
are
like.
Oh
I'll,
just
put
my
personal
account
password
as
a
secret
advice.
If
I
see
ICD
flow,
which
is
okay,
wrong,
yeah
yeah.
A
C
B
Spoke
to
Adam
earlier
today.
Oh
sorry,
sorry
so
I
have
this
proposal.
I.
Have
this
idea
it's
currently
in
the
works.
I'm
not
I.
Have
another
meeting
I
need
to
you
know.
Another
thing:
I
need
to
jump
to
quickly
so
I'm
not
going
to
work
on
the
document,
but
I'd
like
to
increase
the.
How
often
this
working
group
is
meaning
to
try
to
push
this
idea
forward.
B
So
the
the
proposed
idea
that
I'm
pushing
forward
is
this
thing
called
the
Great
repository
audit
and
the
concept
behind
it
is
I
pause
it
that,
because
so,
whenever,
whenever
you
accompany
buys
software
right,
they
buy
software,
they
it
goes
through.
Security
goes
through
legal
right,
there's
a
whole
vetting
process
that
goes
on
when
artifact
servers
like
Maven,
Central,
Gradle,
plug-in
portal,
pip,
ruby,
gems,
all
those
things
get
incorporated
into
corporate
software
supply
chain.
That
audit
never
occurs.
There's
never
an
ask
from
security
of
like
hey.
Has
this
thing
ever
had
a
pen
test?
B
Most
artifact
servers
in
the
industry
have
never
had
a
pen
test
done,
have
never
been
secure,
haven't
ever
had
a
security
audit
and
so
I
think
that
as
an
industry
and
especially
within
the
open
source
security,
Foundation,
we've
kind
of
started
focusing
on
like
these
bigger
security
topics
like
Sig
store
and
artifact
verification,
but
we
haven't
focused
on
the
basics.
Right
is
the
artifact
server.
B
That's
hosting
these
artifacts
that
are
part
of
the
entire
industry
supply
chain
actually
secure
like
have
like.
Could
you
compromise
those
artifacts
right?
Could
an
attacker
get
in
like
get
on
the
box
and,
and
or
you
know,
is
the
AWS
bucket
World,
readable,
World
writable
right
World
readable
is
fine,
World
writable
right
so
I.
The
The
Proposal
that
I
have
is
that
the
open,
Star,
Security
Foundation,
funded
by
the
alpha
omega
project,
reach
out
to
the
vendors,
the
industry
writ
large
and
go
to
each
of
these
artifact
servers
and
say:
hey?
B
Have
you
had
a
pen
test
done
and,
if
not
we'll
say?
Okay,
if
you've
not
had
a
pen
test
done,
we
if
you,
if
you,
can
get
your
own
pen
test
done
and
you
can
give
us
the
results
within
like
you
know,
180
days,
you
know
200
days,
300
days,
right,
probably
not
300
days
like
180
days,
if
you
can
get
back
to
us
in
180
days
with
a
pen
test
report
and
a
a
a
confirmation
of
like
a
retest
where
the
vulnerabilities
have
been
fixed
great.
Thank
you.
B
Otherwise,
if
you
can't
do
that,
it's
fine
we'll!
We
will
hire
a
firm
to
audit
you.
We
will
hire
a
firm
to
come
and
do
a
pen
test
of
your
of
your
infrastructure
and
your
organization
and
of
the
of
the
hosting
publishing
infrastructure,
and
so
I
spoke
to
Amir.
Who
has
done
this
a
lot
through
the
ostiff,
and
he
said
that
that
he's
done
a
bunch
of
these
audits.
B
B
C
C
C
Yes,
the
results
could
be
considered
sensitive,
yes
and
so
there's
sort
of
a
spectrum
here
where
we
might
say
like
can
The
Operators
of
these
Registries
confirm
that
a
internal
red
team
or
an
external
pen
test
has
taken
place.
You
know
at
over
the
past
year,
two
years,
you
know
when
was
the
date
of
the
last
one,
then
from
there.
Okay,
here's
how
many
like
critical,
high
medium
low
findings.
There
were
and
figuring
out
how
to
like
iterate
our
way
into
into
revealing
a
lot
of
information.
B
So
two
aspects
of
that
that
I
you
know.
One
thing
is
that
in
my
experience,
I've
worked
with
we've.
In
my
experience,
we've
interact
with
some
I've
interact
with
the
pen
test
firms
and
a
lot
of
them.
If
you
pay
lower
amounts
of
money,
they
will
only
do
web,
UI
audits,
right,
burp,
Suite
scans
and
then
some
stuff.
B
The
other
thing
that
I
I
want
to
say
about
that
is
I
I
agree
that
there's
going
to
be
a
certain
amount
of
hesitation
that
we'll
have
to
work
through
here,
but
these
artifact
servers
are
critical
parts
of
the
entire
supply
chain
for
the
entire
industry
right,
and
so
we
could
theoretically
publish
the
you
know.
I
mean
I
think
that
one
of
the
things
we
could
do
is
like
hey.
We
have
these
organizations
that
have
given
us
reports
and
like
look.
B
This
is
the
one
organization
that
didn't
like
that
doesn't
look
great
from
an
or
from
like
we
can.
We
can
use
that
leverage
like
hey.
Look
at
all
these
other
organizations
that
have
been
willing
to
give
us
their
reports
and
you're
not
like
what
is
that,
like
that,
doesn't
look
great
for
you
that
sort
of
thing
right,
so
we
can
give
a
social
pressure
there,
but
yeah
I,
I
I
also
think
that
there's
a
certain
amount
of
like.
B
So
that
is
a
conversation
that
happened
when
the
vulnerability
disclosure
working
group
earlier
today,
The
Proposal
on
that
one
was
for
this
audit.
The
open
source
security,
Foundation
vulnerability,
disclosure
policy,
outgoing
policy
that
was
ratified
by
the
attack
two
weeks
ago,
which
is
basically
at
a
high
level.
90-Day
disclosure
policy
plus
14
days,
applies
to
vendors
that
we
engage
with
that
are
backed
by
corporations,
so
Gradle
Maven,
Central
npm,
you
know
Newgate
would
be
Microsoft
right.
B
The
standard
90
day
disclosure
policy
applies
to
them
if
the
repositories
hosted
by
and
run
by
the
by
the
community,
rubygems
Pi
Pi.
At
that
point,
those
ones
would
have
more
flexibility
around
their
disclosure
timelines
that
that's
the
rationale
that
we
were,
we
were
kind
of
aiming
for
was
it
we
break
it
down
by
this
is
clearly
run
by
a
company.
This
is
community
run
around
around
the
enforcement
level
of
the
disclosure
policy
we
will
operate
with.
C
Yeah
there
was
a
Jonathan.
There
was
a
category
of
security
risk
you
mentioned
initially,
but
not
the
second
time
so.
I
wanted
to
emphasize
that,
like
in
audit
of
cloud
infrastructure,
is
a
really
good
idea.
It
is
awesome.
Fruit,
I
keep
I,
keep
sending
this
link
to
everyone
who
will
listen
or
any
captive
audience,
but,
for
example,
the
the
psf
and
Pipi
have
a
list
of
like
fundable
improvements
and
the
reason
that
they
did.
D
C
Know
there's
one
and
a
half
of
us
and
every
time
we
ask
for
150
000,
it's
a
it's
a
two
month
or
it's
a
two-year
Grant
cycle,
and
so
sometimes
the
problem
with
improving
the
security
in
package
managers
isn't
exposing
more
risk,
but
it's
finding
the
resources
to
fix
the
risks
that
are
already
known.
That's
not
to
say
there
isn't
value
in
in
this
approach.
C
B
D
B
B
Right
for
for
the
ones
that
are
open
source
right,
the
ones
that
are
fully
open
source
like
Alpha
Omega,
because
it's
open
source
right,
we
will
both
fund
the
vulnerability
finding
and
the
fixing
right.
I
mean
I,
know
that
you're
kind
of
dropping
someone
into
it
but,
like
contractors,
are
used
to
being
dropped
into.
You
know
here
deal
with
this
sort
of
situations.
At
least
the
good
ones
are,
but
yeah
I
hear
that
that's
a
that's
a
good
thought.
I
hadn't,
I
hadn't
quite
thought
that
through
fully
so
but
yes,
I,
think
that
makes
sense.
C
There's
there's
another
aspect
of
your
pitch:
I
wanted
to
give
you
feedback
on,
and
that's
that's
what
you're
saying
like.
Oh,
if
we
get
some
ecosystems
to
agree
to
this
and
other
ecosystems
say
we're
not
going
to
do
it,
they
they
would
look
bad
I.
Don't
find
that
argument
compelling
I'm,
not
I'm,
not
sure
I
can
speak
for
all
of
npm
but
like
as
as
someone
who
is
partially
responsible
for
that
ecosystem.
B
A
B
That
methodology
only
works
where
you're,
maybe
not
wanting
to
necessarily
be
involved,
would
only
work
if
the
organization
has
a
safe
hour
policy
in
place
which,
as
far
as
I
know,
Microsoft,
GitHub
and
Gradle
of
the
three
I
think
I
actually
have
a
I
have
a
CSV
file.
That
is
a
pull
request
that
I
open
that
lists
all
of
the
different
repositories
and
their
disclosure
policies
in
a
CSV
file.
That
I
wanted
to
have
someone
review
and
merge.
Potentially,
if
you
guys,
are
really
uncomfortable
to
do
so,.
B
So
jfrog
has
a
partial,
Safe
Harbor,
which
is
dependent
upon
some
clauses.
So
jfrog
would
be
you
know,
but
for
the
for
you
know
anybody,
that's
Microsoft,
any
any
artifact
service,
Microsoft
or
GitHub
driven.
We
could
still
do
those
audits
without
without
needing
I
mean
I.
Ideally
right,
that's
like
the
fallback.
That's
the
like.
We
don't
want
to
go
there,
but
we
we
could.
We
want
to
work
with
you.
We
want
to
collaborate
with
you,
but
if
we
can't
do
that,
we
have
this
fallback
methodology
that
we
can
we
can.
We
can
move
back
on.
C
I'm
still
I'm
still
having
trouble
understanding
the
the
value
proposition
here
so
that
there's
there's,
maybe
two
paths.
One
one
is
well
it's
hard.
It's
hard
to
say
that
you're
gonna
help
me
fix
something
before
we
know
what
things
need
fixing
but
but
like
maybe
maybe
we
could
come
to
an
agreement
where
it's
like.
Okay,
we're
going
to
do
the
audit
we're
going
to
get
the
findings,
and
then
we
can
figure
out
how
expensive
it
might
be
to
fix
them
and
then
you're
going
to
work
with
us
to
to
fix
them
and.
B
So
for
the
for
the
Community
Driven,
so
the
community
runs
ones,
yes,
gotcha
the
community
one
run
ones
would
be
fine
with
it.
Maybe
maybe
the
community
run
ones
would
have
a
contractor
assigned
to
help
fix
them,
but
the
ones
that
are
backed
by
a
company.
If
we're
doing
the
audit,
the
90-day
disclosure
policy
would
apply
for
those
for
those
vulnerabilities
that
are
reported
via
this
channel.
B
A
C
A
B
All
that's
and
from
my
experience,
even
if
you
were
given
something
like,
for
example,
I
work
for
an
organization
where
we
received
an
offer
for
a
bunch
of
security
keys
for
free
from
Gradle
or
from
from
the
from
the
from
from
the
open,
SF
right
and
that
never
got
followed
up
on,
even
though
it
was
something
given
for
free
to
help
secure
your
organization
right,
like
I,
have
seen
these
sorts
of
things
where
they
have
you
you
get.
You
are
offering
these
because
that's
it's
work
for
them
right,
it's
not
it's!
A
B
A
Sure
I
I
don't
disagree,
there's
there's
a
cost
to
accept
the
help,
hence
hence
the
Strategic
use
of
quote
unquote.
That
being
said,
it's
still
going
to
be
attractive
to
a
lot
of
ecosystems.
I
would
hold
the
stick
back
for
a
while
until
I
saw
what
the
layer
of
the
land
was
or
until
someone
else
comes
with
a
stick
like
the
EU,
for
example,
then
I
would
offer
to
help
with
you
know:
stick
armor.
B
We
won't
that
90
day
disclosure
policy
doesn't
apply
to
you
right
because
you
you
own
the
you
own,
you
own.
The
reports
that
have
come
in.
We
just
want
your
pen
test
and
retest
report
at
180
days
or
whatever
time
frame
we
want
like.
We
just
just
make
sure
that
you
get
that
to
us,
but
as
long
as
you
deal
with
it,
you've
paid
for
it.
Like
that's
fine.
A
B
No
I
agree,
no
I,
you
know,
and
that's
I
mean
if
that's
why
you
can
more
easily
work
with
the
organizations
that
have
established
not
like
you
know,
Safe
Harbor
policies,
because
the
lawyers
have
already
had
those
debate
like
you've
already
had
those
like
I
had
to
when
I
was
a
Gradle
I'd
have
those
fights
with
our
lawyer
to
say
no,
no.
We
can't
put
that
in
there
because,
like
disclosure
is
going
to
happen,
anyways,
but
yeah
no
I
get
I
get
what
you're
saying
yeah.
C
C
Well,
essentially,
yeah
right,
because
the
the
audit
is
thought
it
was
only
the
first
step
in
that
process.
Right
and
and
the
audit
is
going
to
be
more
successful
if
it's
done
in
collaboration.
You
know,
for
example,
with
npm.
The
registry
is
not
open
source.
You
know
the
the
cloud
infrastructure
I
think
would
be.
B
B
D
A
A
I
I
would
want
to
wait
until
the
emea
meeting
take
our
pass
before
we.
We
said
whether
we
do
a
sick
or
stay
in
a
group,
but
my
instinct
would
be
to
stay
in
the
group
for
now
unless
it
starts
to
consume
too
much
time.
So
we
we
tend
to
find
that
we
either
hit
our
hour
or
we
come
in
under
so
I
think
we've
got
space
to
to
carry
it
as
a
regular
pattern.
Right.
B
And
yeah:
that's
my.
My
intention
is
yeah.
I
I
think
that
one
of
the
things
that
I,
if
I,
want
one
of
the
things
that
I'm
struggling
with
is
I,
don't
want
to
write
this
document.
Solo
and
I'd
rather
do
this
with
the
working
group
collaboratively
during
meetings
and
so
part.
One
of
the
things
that
I
would
like
to
do
is
increase
the
the
rate
at
which
these
meetings
occur.
B
B
B
B
B
But
yes,
so
if
you
know
if
we
could
find
another
organization,
so
I've
already
got
two
that
are
like
okay,
they're
aware
of
it
like
you
know,
but
yes,
if
we
could,
if
we
could
find
another
artifact
server
in
you
know
vendor
that's
willing
to
be
part
of
the
conversation
for
collaborating
on
on
this.
That
would
be
really
helpful.
I
don't
have
as
many
though
I
have
the
connections
in
the
Java
ecosystem,
and
you
know
Maven
sent
Maven
Central
Gradle.
B
D
B
Don't
know,
if
did
I
say
that
I
was
going
to
work
with
Amir
from
Austin
to
do
these
audits
because
he's
already
done
them
for
a
bunch
of
cloud
stuff.
So
that's
that's
where
the
mostly
that
not
money,
but
that's
like
where
the
like
you've
gone
here
before
you
have
firms
you've
worked
with.
Will
you
know
maybe
work
with
those
firms?
Maybe
not,
but
like
at
least
you
have
a
model
for
doing
this.
C
B
B
B
Somebody
mentioned
a
Larry
for
Ada
I,
don't
know
if
Ada's
used
widely
enough
that
we
want
to
care
about
that
and
then
PHP
packages
and
I
know
the
PHP
is
everywhere,
even
though
it's
not
represented.
Often
like
you
know,
people
don't
think
Here's.
My
thought
about.
Php
people
don't
invest
in
securing
PHP
because
it's
always
run
by
not
the
engineers
always
run
by
marketing
and
marketing
is
just
like
make
it
work
and
Engineers
are
like
you
know,
so,.
A
B
So
you
were
proposing
that
we
meet,
we
do
a
meeting
with
an
a
package
maintainer
that
is
willing
to
engage.
What
would
the
time
frame
on
that
look?
Was
that,
like
a
regular
meeting
to
work
on
it
individually
with
that
individual,
instead
of
in
this,
these
working
groups
on
those
documents?
Is
that
what
you're
proposing
in.
B
I'm
working
on
a
dock
as
yes,
I
it
I,
I,
think
I,
don't
even
know,
I
think
that
the
doc
is
currently
living
under
the
Linux,
Foundation
GitHub
or
a
Google
workspace.
But
that's
just
because
you
know
that's
where
I
created
it
I,
don't
control
the
funding
of
Alpha
Omega
I
have
to
go
through
the
proposal
process
like
everybody
else
does,
so
the
idea
would
be
I
am
just
the
messenger
I'm,
the
idea
guy
and
the
messenger
of
the
idea,
but
I
want
this
to
come
from
the
working
group
right.
B
B
C
B
B
B
No
And
So
to
that
end,
is
it
if,
if
we
want
to
work
on
this
within
the
working
group,
is
it
okay
if
I
work
with
operations
to
increase
the
frequency
of
these
meetings,
so
that
we
can
have
those
some
of
those
meetings
involve
discuss
like
we
can
have?
We
can
have
a
more
regular
Cadence
of
just
of
discussing
the
work
on
this
document.
I've
started
a
document,
but
it's
like
yeah.
B
A
B
A
A
Of
seeds,
there's
there's
a
whole
Parker
Northcote
quote
about
committees,
but
yeah,
so
those
those
sort
of
two
options
being
laid
on
the
floor
and
get
a
get
a
Vibe
and
definitely
probably
will
need
to
touch
this
again.
In
two
weeks
when
we
get
to
the
mer
session
that
when
a
lot
more
people
show
up
yep
but
definitely
worth
setting
up
an
email
to
start
all.