Description
Meeting minutes: https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit#heading=h.pujncb7gxv4f
A: All right, I think it's been awkward enough for long enough. Let's, let's get the row on the show, as they say in the classics, I think. First, the Zach thing, you had an item for us, yeah.

C: And he is quite interested in this question of how can we help increase the security of open source package managers, which is kind of the theme of this working group?

C: So I pointed him at these meetings and at the Slack channel. I wasn't sure, I don't think he was going to be joining today, but you know he's, he's sort of, he's doing a survey of all of the security capabilities of various package managers and he's, you know, starting to ask the questions about like what things the US government could do to help set up a maturity model.

C: Help maintainers of those systems reach certain levels of maturity. That sort of thing. It's very early days, but if, if these are the questions that interest you, which they probably are, otherwise you wouldn't be here, you might consider either reaching out to him or also encouraging him to join these conversations.

A: I feel like the difficulty might be that this is after government hours and they, they're more strict about overtime than a lot of organizations. It's very rigid.

A: Not be able to attend at this time. That would be my hypothesis. But 6 PM is a rotten time, at least Eastern time. I'm sure it's fine up in the Pacific.

C: Okay, so provenance, I'm always saying this word wrong, promulgating, I think, that's how you say it anyway. We now are a little over a month out from the public beta of provenance in npm. So this is the capability that ties a built package back to its source code and build instructions using the public good Sigstore instances, and we are very close to announcing an additional CI/CD vendor who's supporting building with provenance, but aren't quite ready to do that yet.

C: But I thought I would come to this group and mention that we're very interested in other open source package managers adopting this capability. I know that there's a few barriers to that, principally funding, but also it's, it's kind of a, it's kind of a complicated system with a lot of different living pieces. It might require implementing a Sigstore library in a language of your choosing.

C: So again, this is another one where I don't, I don't really have a specific request for this group. I, just sort of an FYI that we're interested in spreading the idea of provenance around to more package manager ecosystems, and if this is something that's interesting to you, or if there are specific roadblocks that you're encountering that you need help with, do let us know.

A: That sounds fair. Before, two weeks ago roughly, I was looking at the Rust library, the sigstore-rs, as a, as a candidate for like a shared library that RubyGems could hook into, and I got something to work, I'll put it that way, at a very limited level. It was mostly like, you know, baby's first Rust binding, something else I was going to say, but it's still sort of like the open question was exactly how will that be distributed.

A: Although building Rust modules is now part of the base Ruby distribution, building modules has never been part of RubyGems, so it opens the question of like, do we ship binaries? How do we build all the binaries? You know, we have to support all these different platforms, etc, etc. So, still, still I hadn't sort of like come to a firm opinion at the time that I left off.

A: But I was enticed by the possibility that, like, a lot of the heavy lifting could be delegated to someone else, especially if it came to pass that other ecosystems joined us in relying on that library, then there would be a combination of effort that would make it very attractive.

D: It's a question for Zach. If we wanted to look up more information about what you were talking about with promulgation, like what, what's, what could we go look at? Is there any, anything public yet that we could look at?

C: So the main things that we've published right now are the, the npm RFC, of course, there's the implementation in the npm CLI, which is open source. The npm registry, unfortunately, is not open source, and then we've documented what properties the build system should have in order to have non-falsifiable provenance in the Fulcio certificate.

C: So we haven't, we haven't been focused as much on the package manager side, maybe a little bit more focused on the CI/CD provider side, and so, if there's, if there's something, if there's something more specific or more concrete you're looking for on that side, that, I mean, that's, that's helpful feedback.

D: And is, is this related to the attestation work that I think there's some links in these notes about that from maybe a couple weeks ago? Is that, is that related, or is that, is a separate, a separate, separate thing? Yeah, I'll.

C: Oh yeah, and yes, so the specification is useful, and then also the way the in-toto document is being constructed in the npm CLI. So, in addition to this specification, there's also at least one implementation that's open source and available to look at. Maybe we should, maybe we should link that from here. This, this appears to mostly be just the readme, yeah.

D: Yeah, if you have any extra information, I, I'm interested in, in seeing, because we, we have on the, so I work on Gradle, you know, in Java land, so we're interested in what other people are doing, so we can figure out how much we want to do as well.

C: Totally, yeah, and having, having any, having some sort of like CLI tooling available to people to, you know, construct these things, similar to SBOMs, right, it's like if, if you're telling people build SBOMs, like okay, if you're...

A: It would be really cool to see that on PyPI, rubygems.org, you know, cargo, etc, Maven, the usual suspects, Gradle, of course, so yeah, I'm hoping that spreads. The last I left off, the main thing that was coming down the pipe in RubyGems land was an OIDC-to-token flow, so taking, taking that build OIDC token and exchanging it for a push token.

C: That, yeah, you know, if, if, often a, a good place to start, if your ecosystem doesn't already support it, is some concept of scoped API tokens, or being able to assume, in with a workload identity from an OIDC token. Otherwise, you know, people are like, oh, I'll just put my personal account password as a secret in my CI/CD flow, which is, okay, wrong, yeah, yeah.

A: Yeah, the things people would like to discuss, unless we haven't tapped that out.

A: It's the speedrun. Excellent. I got bad news for Jonathan, who's just joining, which is that we were very quick and we're about to wrap up. Can...

B: Spoke to Adam earlier today. Oh sorry, sorry, so I have this proposal. I, have this idea, it's currently in the works. I'm not, I, have another meeting I need to, you know, another thing I need to jump to quickly, so I'm not going to work on the document, but I'd like to increase the, how often this working group is meeting, to try to push this idea forward.

B: So the, the proposed idea that I'm pushing forward is this thing called the Great Repository Audit, and the concept behind it is, I posit that, because, so, whenever, whenever a company buys software, right, they buy software, they, it goes through security, goes through legal, right, there's a whole vetting process that goes on. When artifact servers like Maven Central, Gradle Plugin Portal, pip, RubyGems, all those things get incorporated into the corporate software supply chain, that audit never occurs. There's never an ask from security of like, hey, has this thing ever had a pen test?

B: Has this thing ever been secured? Because it's something that's given away for free, right, and I posit that because there's never been a security team or security request from a vendor saying, hey, you need a pen test before we're going to buy your software.

B: Most artifact servers in the industry have never had a pen test done, have never been secured, haven't ever had a security audit, and so I think that as an industry, and especially within the Open Source Security Foundation, we've kind of started focusing on like these bigger security topics like Sigstore and artifact verification, but we haven't focused on the basics. Right, is the artifact server...

B: That's hosting these artifacts that are part of the entire industry supply chain actually secure? Like, have, like, could you compromise those artifacts, right? Could an attacker get in, like get on the box, and, and, or, you know, is the AWS bucket world readable, world writable, right? World readable is fine, world writable, right? So I, the, the proposal that I have is that the Open Source Security Foundation, funded by the Alpha-Omega project, reach out to the vendors, the industry writ large, and go to each of these artifact servers and say, hey?

B: Have you had a pen test done? And, if not, we'll say, okay, if you've not had a pen test done, we, if you, if you can get your own pen test done and you can give us the results within like, you know, 180 days, you know, 200 days, 300 days, right, probably not 300 days, like 180 days. If you can get back to us in 180 days with a pen test report and a, a, a confirmation of like a retest where the vulnerabilities have been fixed, great, thank you.

B: Otherwise, if you can't do that, it's fine, we'll, we will hire a firm to audit you. We will hire a firm to come and do a pen test of your, of your infrastructure and your organization and of the, of the hosting, publishing infrastructure. And so I spoke to Amir, who has done this a lot through OSTIF, and he said that, that he's done a bunch of these audits.

B: On source code, usually the audits run in the range of about 150,000 for four to eight human weeks of, you know, engineering weeks of time focused on these projects, and I think that as Alpha-Omega and as this working group, we could be a driving force behind...

C: Yeah, I mean certainly, well, as we, as we, as we talked about in Vancouver, I think there are instances of audits happening in these platforms.

C: Yes, the results could be considered sensitive, yes, and so there's sort of a spectrum here where we might say like, can the operators of these registries confirm that an internal red team or an external pen test has taken place, you know, over the past year, two years, you know, when was the date of the last one, then from there, okay, here's how many like critical, high, medium, low findings there were, and figuring out how to like iterate our way into, into revealing a lot of information.

B: So two aspects of that that I, you know. One thing is that in my experience, I've worked with, we've, in my experience, we've interacted with some, I've interacted with the pen test firms, and a lot of them, if you pay lower amounts of money, they will only do web UI audits, right, Burp Suite scans and then some stuff.

B: The other thing that I, I want to say about that is I, I agree that there's going to be a certain amount of hesitation that we'll have to work through here, but these artifact servers are critical parts of the entire supply chain for the entire industry, right, and so we could theoretically publish the, you know. I mean, I think that one of the things we could do is like, hey, we have these organizations that have given us reports, and like, look.

B: This is the one organization that didn't, like, that doesn't look great from an, or from like, we can, we can use that leverage, like, hey, look at all these other organizations that have been willing to give us their reports and you're not, like what is that, like that, doesn't look great for you, that sort of thing, right, so we can give a social pressure there, but yeah, I, I, I also think that there's a certain amount of like.

A: Jacques, I think one consideration to bear in mind is that a lot of the repos are volunteer operated, yes, which, which means that you would probably want to offer that until vulnerabilities are fixed, they weren't disclosed.

B: So that is a conversation that happened in the vulnerability disclosure working group earlier today. The proposal on that one was for this audit, the Open Source Security Foundation vulnerability disclosure policy, outgoing policy, that was ratified by the TAC two weeks ago, which is basically, at a high level, 90-day disclosure policy plus 14 days, applies to vendors that we engage with that are backed by corporations, so Gradle, Maven Central, npm, you know, NuGet would be Microsoft, right.

B: The standard 90 day disclosure policy applies to them. If the repositories are hosted by and run by the, by the community, RubyGems, PyPI, at that point, those ones would have more flexibility around their disclosure timelines. That, that's the rationale that we were, we were kind of aiming for, was it we break it down by: this is clearly run by a company, this is community run, around, around the enforcement level of the disclosure policy we will operate with.

C: Yeah, there was a, Jonathan, there was a category of security risk you mentioned initially but not the second time, so I wanted to emphasize that, like, an audit of cloud infrastructure is a really good idea. It is awesome fruit. I keep, I keep sending this link to everyone who will listen or any captive audience, but, for example, the, the PSF and PyPI have a list of like fundable improvements, and the reason that they did...

C: ...know there's one and a half of us, and every time we ask for 150,000, it's a, it's a two month, or it's a two-year grant cycle, and so sometimes the problem with improving the security in package managers isn't exposing more risk, but it's finding the resources to fix the risks that are already known. That's not to say there isn't value in, in this approach.

B: For, no, I don't think this is applicable for corporations, but for, for community driven ones, right, there's maybe a provision that we say we will both do the audit and then we will also hire a contractor to come in and fix those things, right, like.

B: Right, for, for the ones that are open source, right, the ones that are fully open source, like Alpha-Omega, because it's open source, right, we will both fund the vulnerability finding and the fixing, right. I mean, I know that you're kind of dropping someone into it, but, like, contractors are used to being dropped into, you know, here, deal with this sort of situations. At least the good ones are, but yeah, I hear that, that's a, that's a good thought. I hadn't, I hadn't quite thought that through fully, so, but yes, I think that makes sense.

C: There's, there's another aspect of your pitch I wanted to give you feedback on, and that's, that's what you're saying, like, oh, if we get some ecosystems to agree to this and other ecosystems say we're not going to do it, they, they would look bad. I don't find that argument compelling. I'm, not, I'm, not sure I can speak for all of npm, but like, as, as someone who is partially responsible for that ecosystem.

C: My primary objective is to, like, keep it available and secure, and so, if I, if I think undertaking a course of action might result in handing attackers a road map or, like, you know, a list of prioritized weaknesses, I am absolutely going to not participate in that, as opposed to, like, throwing a hand grenade at myself, right.

B: Audit, because, you know, for example, npm has a, has a, npm has a safe harbor policy that, a lot, would allow an external entity to go and do that audit themselves and not be legally risked, legally at risk of repercussions for doing such an audit, right, so, and that only works for that.

B: That methodology only works where you're, maybe, not wanting to necessarily be involved. Would only work if the organization has a safe harbor policy in place, which, as far as I know, Microsoft, GitHub and Gradle, of the three, I think, I actually have a, I have a CSV file that is a pull request that I opened that lists all of the different repositories and their disclosure policies in a CSV file, that I wanted to have someone review and merge, potentially, if you guys are really uncomfortable to do so.

B: So JFrog has a partial safe harbor, which is dependent upon some clauses. So JFrog would be, you know, but for the, for, you know, anybody that's Microsoft, any, any artifact service, Microsoft or GitHub driven, we could still do those audits without, without needing, I mean, I. Ideally, right, that's like the fallback. That's the, like, we don't want to go there, but we, we could. We want to work with you. We want to collaborate with you, but if we can't do that, we have this fallback methodology that we can, we can, we can move back on.

C: I'm still, I'm still having trouble understanding the, the value proposition here, so that there's, there's maybe two paths. One, one is, well, it's hard. It's hard to say that you're gonna help me fix something before we know what things need fixing, but, but like, maybe, maybe we could come to an agreement where it's like, okay, we're going to do the audit, we're going to get the findings, and then we can figure out how expensive it might be to fix them, and then you're going to work with us to, to fix them and.

B: So for the, for the community driven, so the community run ones, yes, gotcha, the community run ones would be fine with it. Maybe, maybe the community run ones would have a contractor assigned to help fix them, but the ones that are backed by a company, if we're doing the audit, the 90-day disclosure policy would apply for those, for those vulnerabilities that are reported via this channel.

C: But I guess I'm trying to, I'm trying to figure out how we can build a collaborative, supportive, non-adversarial relationship between Alpha-Omega and I'd...

A: ...thing, but I think also the carrot of somebody will come and audit you, quote unquote, for free. That's...

B: All that's, and from my experience, even if you were given something like, for example, I work for an organization where we received an offer for a bunch of security keys for free from Gradle or from, from the, from the, from, from the OpenSSF, right, and that never got followed up on, even though it was something given for free to help secure your organization, right. Like, I have seen these sorts of things where they have, you, you get, you are offering these because that's, it's work for them, right, it's not, it's!

A: Sure, I, I don't disagree, there's, there's a cost to accept the help, hence, hence the strategic use of quote unquote. That being said, it's still going to be attractive to a lot of ecosystems. I would hold the stick back for a while until I saw what the lay of the land was, or until someone else comes with a stick, like the EU, for example, then I would offer to help with, you know, stick armor.

B: There you go, yeah, I've gotten, that's the big one that I've gotten a lot of pushback on, is that just the, the, the enforced disclosure policy. I think that I, the, the rationale, also, the other rationale to it, is like we would love to do this work with you, and also Alpha-Omega, like if we can avoid spending the money on you, that's even better, right, because, like, you can do the audit yourself, and so, if we give them the grace period of like, hey, if you do the audit yourself, we won't...

B: We won't, that 90 day disclosure policy doesn't apply to you, right, because you, you own the, you own, you own the reports that have come in. We just want your pen test and retest report at 180 days, or whatever time frame we want, like, we just, just make sure that you get that to us, but as long as you deal with it, you've paid for it, like, that's fine.

A: Tough. I think a lot of folks, when they commission a private audit, won't be keen to share it.

A: How do I put this? Lawyers.

B: No, I agree, no, I, you know, and that's, I mean, if, that's why you can more easily work with the organizations that have established, not like, you know, safe harbor policies, because the lawyers have already had those debates, like you've already had those, like I had to, when I was at Gradle, I'd have those fights with our lawyer to say no, no, we can't put that in there, because, like, disclosure is going to happen anyways, but yeah, no, I get, I get what you're saying, yeah.

C: So I, I love the vision. I think the vision is 100% aligned with this working group, which is we're looking for ways to make package managers more secure. In terms, in terms of, like, how we get there, though, I mean there's, there's certainly no harm in you continuing to talk to individuals who can say yes, we'll do this, or, or no, we won't, but I'm, but I'm not, I'm not quite, I'm not quite seeing how we get from the existing proposal to that destination.

C: Of like, the package registries are materially more secure. It's, I haven't, I haven't quite followed that, so.

C: Well, essentially, yeah, right, because the, the audit is, thought it was only the first step in that process, right, and, and the audit is going to be more successful if it's done in collaboration. You know, for example, with npm, the registry is not open source. You know, the, the cloud infrastructure, I think, would be...

A: I, I would want to wait until the EMEA meeting takes our pass before we, we said whether we do a SIG or stay in a group, but my instinct would be to stay in the group for now unless it starts to consume too much time. So we, we tend to find that we either hit our hour or we come in under, so I think we've got space to, to carry it as a regular pattern, right.

B: And yeah, that's my, my intention is, yeah. I, I think that one of the things that I, if I, want, one of the things that I'm struggling with is I don't want to write this document solo, and I'd rather do this with the working group collaboratively during meetings, and so part, one of the things that I would like to do is increase the, the rate at which these meetings occur.

B: The, these meetings occur for this working group, to give us more opportunities to discuss this document as it's being worked on, the proposal for Alpha-Omega to fund it, mostly to start out with.

C: Is there, is there, if there isn't already, could we find a single package manager who's willing to go on this journey with you, and then include them in the conversation of iterating as to what the scope and the, the procedure and the engagement looks like? You're gonna need them to agree eventually, yeah.

B: No, no, I have, so, for example, I spoke, Sterling, help me out, his name, Adam. Adam, thank you. I spoke to Adam. Adam said that Gradle was working on moving to a new identity management system for Gradle Plugin Portal, and they were probably going to get a pen test done.

B: So, you know, Adam's on board. Brian Fox from Maven Central, but that's, you know, they'd be doing their own audit, great, perfect, they don't need to spend money. Brian Fox is from Maven Central. He said that there, they had a pen test done a while ago that he looked for, and he's like.

B: This seems like boilerplate BS that probably didn't go in depth, so it probably should get redone. We're gonna do that, they said, probably within the next couple of months. He's less willing to share those results, similar to what you have said, so I, I also respect that.

B: But yes, so if, you know, if we could find another organization, so I've already got two that are, like, okay, they're aware of it, like, you know, but yes, if we could, if we could find another artifact server, you know, vendor, that's willing to be part of the conversation for collaborating on, on this, that would be really helpful. I don't have as many, though I have the connections in the Java ecosystem, and, you know, Maven Cen-, Maven Central, Gradle.

B: Don't know if, did I say that I was going to work with Amir from OSTIF to do these audits, because he's already done them for a bunch of cloud stuff. So that's, that's where the, mostly that, not money, but that's like where the, like, you've gone here before, you have firms you've worked with, will you, you know, maybe work with those firms, maybe not, but like at least you have a model for doing this.

C: We, oh sorry, there is my hand, but we could, there's a number of folks we've talked to about provenance, so I, we, I might be able to help you connect with folks in the Python...

B: All right, that's really helpful. I've also been messaging with...

B: Avishay Balter regarding NuGet and, and Microsoft stuff, because, you know, NuGet's...

B: So Microsoft has a couple: the, Microsoft has npm, NuGet, access, it. That's it, I mean, but GitHub's npm. So.

B: Somebody mentioned Alire for Ada. I don't know if Ada's used widely enough that we want to care about that, and then PHP packages, and I know the PHP is everywhere, even though it's not represented often, like, you know, people don't think. Here's my thought about PHP: people don't invest in securing PHP because it's always run by, not the engineers, always run by marketing, and marketing is just like, make it work, and engineers are like, you know, so.

B: So you were proposing that we meet, we do a meeting with a, a package maintainer that is willing to engage. What would the time frame on that look like? Was that, like, a regular meeting to work on it individually with that individual, instead of in this, these working groups, on those documents? Is that what you're proposing, in.

B: I'm working on a doc, as, yes, I, it, I, I, think, I, don't even know, I think that the doc is currently living under the Linux Foundation GitHub or a Google Workspace. But that's just because, you know, that's where I created it. I don't control the funding of Alpha-Omega. I have to go through the proposal process like everybody else does, so the idea would be, I am just the messenger, I'm the idea guy and the messenger of the idea, but I want this to come from the working group, right.

C: Source, it's certainly something we could discuss more, more in this working group meeting. Do you know that this working group also doesn't have funding? That would have to come, I don't.

A: Yeah, I think, I think for now the working group makes sense, but it, there might come a time when it gets, when it heats up, that we spin out a SIG with, with members from Securing Software Repos and Alpha-Omega.

B: No. And so, to that end, is it, if, if we want to work on this within the working group, is it okay if I work with operations to increase the frequency of these meetings, so that we can have those, some of those meetings involve discuss, like, we can have, we can have a more regular cadence of just, of discussing the work on this document. I've started a document, but it's like, yeah.

A: Of seeds, there's, there's a whole Northcote Parkinson quote about committees, but yeah, so those, those sort of two options being laid on the floor, and get a, get a vibe, and definitely, probably will need to touch this again in two weeks when we get to the EMEA session, that, when a lot more people show up, yep, but definitely worth setting up an email to start all.

A: All right, folks, any other business that folks wanted to discuss today? And being none, I'm going to wrap it up and let everybody have 15 minutes of the evening back, or afternoon, as the case may be.