►
A
Okay
can
y'all
see
my
screen.
This
is
weird
Okay
I
think
it's
working
cool
hi,
welcome
everyone,
so
I
forgot
to
copy
and
paste
in
our
usual
thing.
But
yes,
please
add
your
name
to
the
attendees
list.
If
you
are
here
and
I
want
to
welcome
anyone,
that's
new
or
hasn't
been
here
before
I.
Just
don't
want.
A
C
Yes,
so
I
just
adjust
my
microphone.
We
have
discussed
this
in
the
past.
The
idea
of
having
a
shared
help
desk
a
couple
of
times,
I
learned
to
my
surprise
that
support
Personnel
not
free,
and
then
we
need
to
pay
them.
They
they
demand
a
currency
in
exchange
for
services.
So
the
proposal
here
is
to
ask
our
friends
higher
up
in
the
chain
of
the
open
ssf
whether
they
can
fund
such
a
position.
The
Proposal.
C
There
basically
lays
out
some
basic
Arguments
for
why
I
have
an
incredibly
scientific
guess
at
numbers,
which
purely
coincidentally,
are
chosen
because
they're
easy
to
calculate
by
hand.
Anybody
who
wants
to
correct
them.
Please
do
one
thing:
that's
sort
of
an
open
question
is
what
the
exact
process
is
going
to
be.
C
This
is
still
somewhat
been
debated,
whether
Tech
is
on
the
hot
path
to
money
or
whether
they
you
know
hear
about
it
from
the
governing
board
or
what
goes
on
so
I'm,
going
to
say,
we'll,
probably
go
through
attack
as
a
courtesy
but
I
believe.
Ultimately,
a
subcommittee
of
the
governing
board
is
the
one
that
will
be
making
the
decision
to
fund
if
they
find
this
proposal.
Satisfactory
I
would
definitely
love
feedback.
D
Yeah
I,
just
I
guess
like
two
things
right
off
the
top
of
my
head
and
I'd
love
to
hear
how
how
we
solve
it.
So
I'm,
assuming
you
know,
we're
talking
about
help
desk
for
the
Registries
that
are
run
by
like
volunteers
and
Foundations.
Obviously,
as
opposed
to
you
know
something
like
npm
that
has
a
corporate
Steward
for
our
like.
So
we
have
a
support
squad
for
npm.
D
It's
a
number
of
you
know
full-time
support
folks,
but
we
have
different
support
staff
for
different
kinds
of
tickets
that
come
in
and
I
think
being
laser
focused
on
on
what
this
desk
would
take
in,
because
even
with
the
staff
that
we
have,
we
have
massive
capacity
issues
and
I
could
get
some
numbers
on
projections
here.
But,
like
you
know,
you
get
basic
support.
Tickets.
We
get
tickets
that
we
just
kind
of
like
have
to
throw
out
because
they're
like
programming,
help
questions
and
we
send
people
to
stack
Overflow.
D
But
then
we
get
into
the
tickets
that
I
think
are
getting
closer
to
what
you're
talking
about
primarily
around
account
recovery
being
one
of
the
biggest
ones,
malware
reports
and
vulnerable
packages
and
is
another
one
and
then
another
big
one
that
we
get
a
lot
at
npm,
which
is
very
unsustainable,
is
packaged.
Naming
disputes,
someone
saying
hey
package,
a
is
not
maintained
or
it's
dormant.
Please
give
me
the
name.
D
We
have
like
three
agents
that
are
just
on
malware
and
disputes
and
cannot
keep
up
on
the
naming
disputes
simply
because
we
have
so
much
malware.
That
needs
to
be
dealt
with
separately
with
the
number
of
agents
that
we
have
for
the
account
recovery,
it's
very
hard
to
keep
up
and
you
need
to
make
sure
that
people
are
relatively
well
trained,
which
I
believe
you
point
out
in
your
talk.
D
Yes,
but
you
know
our
security.
The
accounts
that
are
protected
with
MFA
are
only
as
strong
as
the
account
recovery,
because
if
you
can
go
and
do
a
recovery
with
a
password
reset,
then
you
may
as
well
not
have
2fa,
and
you
know
this
I'm
just
repeating
things
you
know,
but
these
agents
are
ones
that
are
going
to
to
be
really
susceptible
to
social
engineering
and
so
part
of
the
thing
that
would
concern
me
here
and
to
be
clear.
D
It's
concerned
in
that
I
would
want
to
see
the
proposal
speak
to
it
directly,
not
that
I
don't
think
it's
doable
for
us
at
mpm.
We
have
to
give
those
support.
Staff
chat,
Ops
is
how
we
handle
it,
but
like
they
have
kind
of
semi-admin
operation
like
they
need
to
be
able
to
do
the
things
that
they're
saying
to
do
like
if
we're
doing
an
account
recovery.
D
D
What
commands
and
ways
in
which
people
can
do
it
so
I
think
I
think
one
of
the
things
that
I
would
like
to
see
or
two
of
the
things
I'd
like
to
see
is
like
one
and
I
know
that
python
has
some
public
data
and
I
can
get
some
data
around.
This
is
like
how
many
tickets
are
you
expecting
to
come
in?
How
much
velocity
do
you
think
people
could
take?
D
How
are
we
actually
going
to
allow
these
agents
to
operate
and
handle
the
tickets
and
act
on
them
at
the
time
that
they
need
to
do
the
reset
and
do
the
Registries
have
the
engineering
capacity
to
build
out
the
infrastructure?
That's
necessary
to
do
it?
One
thing
we're
investing
in
right
now
at
npm
and
I
won't
get
too
much
into
the
specifics
until
later.
If
you
want
me
to
but
we're
trying
to
automate
a
whole
bunch
of
the
identity,
verification
steps,
so
we
launched
oauth
application
links
between
npm
and
GitHub
and
npm
and
Twitter.
D
So
people
can
look
those
accounts
and
we're
actually
creating
a
like
automated
flow.
So
you
go
through
and
like
when
you're
going
to
do
recovery,
you
go
through
those
all
that
flows
ago
and
we
can
match
them
and
verify
we're
doing
verification
of
email
via
OTP
so
that
by
the
time
the
ticket
actually
gets
in
front
of
the
agent.
The
majority
of
the
identity,
verification
has
actually
been
automated
and
we're
hoping
that
that
will
significantly
lower
the
amount
of
work.
D
But
I
do
want
to
point
out
that,
like
without
that
kind
of
investment,
the
identity
verification
portion
of
this
is
going
to
be
unique
for
every
single
provider
that
we're
talking
about
and
it's
extremely
bespoke
and
it's
Error
prone
and
it's
time
intensive,
so
I
would
I
would
like
to
see
maybe,
as
part
of
this
and
I'd
be
happy
to
contribute.
There's
like
a
proposal
about
like
hey.
D
How
are
all
of
these
other
registries
like
going
to
tackle
this
problem,
and
is
it
going
to
be
in
a
consistent
way
because
yeah,
it's
a
hard
problem
to
solve,
and
if
we
only
have
one
agent,
for
example,
and
now
they
have
to
worry
about
four
different
ways
of
doing
everything
and
verifying
identity
across
four
different
platforms
using
different
vectors
and
factors.
That's,
in
my
opinion,
a
recipe
for
social
engineering,
because
it's
really
hard
to
keep
track
of.
All
of
that.
C
I
I,
don't
disagree
with
any
of
the
specifics.
Definitely
definitely
I'm
thirsty
for
data.
If
you,
if
you
can
share
it,
I,
don't
know
how
much
you
can
the
number
one.
The
reason
I
chose
one
Personnel
one.
One
person
is
simply
that
it's
the
smallest
budgetable
unit
that
can
get
the
ball
rolling,
not
because
I
have
a
particular
set
of
data
or
a
simulation,
or
anything
like
that.
That
can
show
me
what
you
know.
The
final
number
will
be.
C
C
Volunteering,
but
it
sounds
as
though,
maybe
what
you're
suggesting
is
having
a
consistent
tool
that
instead
turns
to
some
apis
that
are
published
with,
probably
it's.
You
know,
heterogeneity
around
the
actual
API
endpoints,
but
as
much
as
possible.
The
uniform
interface
for
the
agent
to
use
to
you
know
because
I,
one
of
the
reasons
for
doing
this
is
to
centralize
the
investment
and
therefore
centralize
the
protection
where
you
get
economies
of
scale
in
the
kind
of
effort
you
invest
in,
protecting
it,
because
we're
already
going
to
be
facing
social
engineering
attacks
anyway,.
D
D
C
A
A
I
think
that
at
least
for
the
ecosystem
that
I'm
focused
on
that
might
be
a
non-starter
just
because
the
the
amount,
the
amount
of
work
that
we
need
to
go
into,
providing
that,
but
also
like
the
amount
of
access
that
that
would
actually
provide
like
the
support
person,
would
have
a
lot
of
control
over
a
some
pretty
destructive
actions.
That
said,
I
mean
sorry
yeah.
C
C
A
A
Would
it
might
be
a
little
bit
more
of
a
a
larger
proposal,
but
seeing
this
paired
with
like
providing
funding
for
these
organizations
to
hire
support
staff
and
then
have
a
centralized
open,
ssf
person
that
sort
of
acts
as
a
direct
line
or
a
mediator
or
works
with
all
these
together?
I
think
that
would
be
interesting
to
me
as
well,
because
I
think
a
non-profit
organization
is
going
to
look
at
this
and
be
like
well.
Why
don't
you
just
give
us
money
and
we'll
hire
support
staff
ourselves,
because
we
really
want
that
as
well.
C
C
You
know
I
know
you
know,
Pipi
is
looking
at
thousands.
Npm
has
hundreds
I
think
for
ruby
gems.
At
the
moment,
it's
several
dozen
under
the
current
policy,
but
we'd
like
to
grow
that
but
we'd
also,
you
know,
face
the
same
choke
point
as
everybody,
which
is
the
more
people
you
have
under
MFA.
The
more
requests
you
get.
D
One
thing
in
particular
when
it
comes
to
like
account
recovery
at
mpm,
is
you
know
it's
it's
more
than
just
one
story,
but
that
requires
someone
to
have
an
account
like
the
most
obvious
one
that
I
think
is
maybe
worth
focusing
on
in
the
light
of
MFA.
Is
I've
lost
my
second
Factor
right
in
the
case
of
no
second
Factor,
you
know
and
you
lose
your
password,
you
can
go
through
a
password
reset,
but
then
there's
also
like
I've
lost
access
to
my
email
address.
D
There's
a
lot
of
like
subtlety
and
I
think
there
was
another
agenda
item
maybe
to
get
into
a
bit
of
like
this
specific
account,
recovery
and
I.
I
can
talk
about
that
later,
but
I
think
if
we
got
laser
focused
on
exactly
what
these
folks
would
be
responsible
for
and
I
think,
like
the
other
thing
that
could
be
really
interesting
because
maybe
just
not
like
to
take
a
totally
different
approach
to
it.
D
A
A
B
B
But
still
we
are
providing
this
kind
of
manual
service,
so
I
was
about
to
ask
around
what
are
the
best
practices.
I
think
might
have
already
shared
some
at
least
concept
of
done
on
their
side,
so
I
can
kick
off
with
our
classic
procedure
and
it's
actually
related
since
with
the
package,
you
also
for
probably
some
metadata,
which
includes
Source
URL,
which
is
mostly
GitHub
link
to
the
public
repo.
B
B
They
all
the
classic
actions
are
disabled
for
them
before
they
in
re-enable
MFA.
So
this
is
our
really
basic
basic
way
of
doing
some
verification.
All
it's
done
manually,
so
there's
no
automation.
So
my
question
is:
if
there's
any
better
way
to
do
this
and
all
smiles
started
this
explaining
there
are
some
way
to
automate,
but
also
there
are
some
cons
on
this
right
since
then
you
can
get
them
things
out
of
control,
and
for
now
we
have
no
UI
to
actually
reset
the
MFA.
B
So
we
are
just
reaching
the
application
by
the
console
and
resetting
by
some
script
in
there.
Our
plan
for
now
to
add
this
basic
functionality
just
to
click
reset
MFA
to
to
the
web
UI
for
the
admins,
but
there's
even
for
now,
there's
no
concept
of
any
like
power,
user
or
admin
on
ruby
gems.
So
this
will
need
some
time
to
like
revisit
all
the
idea
and
how
to
implement
properly
so
those
this
is
how
we,
how
we
do
it
for
now.
D
D
We'd
verify
that
identity
as
part
of
like
the
overall
improvements
for
account
security
that
was
identified
as
a
security
Risk
by
our
security
teams
and
from
like
a
philosophy.
A
philosophical
standpoint
that
was
generally
thought
about
was
different
factors
of
identity
that
you
use
for
authentication.
D
So
if
you
have
an
account
and
you've
lost
your
email
address,
we
want
to
find
about
six
points
of
identity
from
other
sources.
In
order
to
like
give
you
back
access
to
your
account
and
change,
the
email
address
in
the
case
of
GitHub
account.
That's
only
actually
three
points
of
identity
in
in
our
current
workflow,
and
it's
also
worth
mentioning
that
knowledge
of
your
password
is
something
that's
even
required,
like
we're
working
on
making
a
requirement
to
even
get
into
the
recovery
flow
altogether.
D
So
you
need
to
log
into
your
account
with
your
email
address
and
password.
That
brings
you
to
the
screen
where,
if
you
don't
have
2fa,
you
have
to
put
in
your
OTP
from
login
verification
or
if
you
are
using
OTP
like
or
2fa
you're
prompted
for
2fa,
and
we
have
a
button
at
the
bottom
to
recover
your
account
and
the
form
that
you
can
go
through
the
recover.
Your
account
you
can
actually
only
get
to
from
there.
D
So
our
agents
already
know
by
the
time
the
ticket
has
been
opened,
that
the
person
opening
the
ticket
has
knowledge
of
password.
This
protects
against
kind
of
like
drive
by
social
engineering,
where
someone
doesn't
even
know
the
password,
but
we
need
to
verify
the
identity
to
protect
against
password
stuffing
and
so
email
there,
like
we
verified
the
email.
That's
six
points,
we
verify.
You
know
the
the
Twitter.
That's
three
points
we
can
look
for.
I
think
we
use
nine
points
right
now
to
recover,
for
2fa.
D
D
A
A
Okay,
so
the
other
thing
I
wanted
to
ask
is
for
for
all
folks
here.
Is
there
any
point
at
which,
during
MSA
being
a
reset
for
a
user?
This
is
made
public
like
either
in
the
timeline
for
the
project
that
that
user
owns
or
to
co-maintainers
of
the
projects
that
they
user
owns,
or
you
know
either
public
broadly
to
the
entire
ecosystem
or
public
to
other
folks.
That
might
be
interested
to
know
that
that
user
as
I
reset
yeah,
is
that
something
that's
worthwhile.
C
I
would
say
yes,
I'm,
jumping
in
ahead
of
any
queue
that
might
have
formed.
I
would
say
yes
that
MFA
reset
is
something
that's
worthy
of
publishing,
an
attestation
about
in
the
transparency
log.
It's
a
very
security,
sensitive
event,
the
only
sort
of
asterisk
that
comes
with
that
is
that
generally,
we've
all
shied
away
from
publishing
MFA
status
on
the
theory
that
it
provides
a
useful
phone
book
of
people
to
go
and
attack,
because
they
don't
have
NFA
so
by
process
of
elimination.
C
A
C
C
There's
a
dog
I
published
a
list
of
events,
event
that
I
thought
would
be
of
interest
to
a
future
sort
of
log
of
things
that
go
into
say,
recall
so
that
people
can
track
that
kind
of
thing.
So
yeah
change
of
you
know
MFA
reset,
but
also
things
like
added
owner
removed
owner.
You
know
transferred
ownership
from
one
person
to
another.
That
sort
of
thing
is
is
all
sort
of
sensitive
information
like
information.
That
has
a
strong
signal
that
you
should
take
a
closer
look
for
other
information.
D
This
becomes
an
interesting
challenge,
though,
about
like
the
balance
between
security
and
transparency,
because
on
npm,
for
example,
you
could
add
any
number
of
maintainers
to
a
package
with
published
permissions.
But
as
far
as
like
our
public
Ledger
is
concerned,
only
the
maintainers,
who
have
actually
published
a
package
show
up
in
the
authors
list.
D
If
someone
wanted
to
take
over
the
package
now,
like
security
through
obscurity,
is
not
necessarily
great,
and
we
obviously
want
to
know
if
there's
like
a
hundred
people
who
can
all
push
the
button
to
publish
a
package
but
I,
just
yeah,
I
I,
don't
know
what
the
right
solution
is
there,
but
it's
like
I
get
uncomfortable,
no
matter
what
we
do.
You.
B
A
One
last
quick
thing
so
Brandon's
not
here
everybody
asked
me
to
share
that.
We
we've
published
a
package
manager
survey,
so
you
might
remember
the
song
spreadsheet
that
some
folks
filled
out
in
the
past
that
was
sort
of
about
like
the
current
status
of
a
lot
of
the
package
managers
and
indices.
This
survey
is
sort
of
a
more
forward-looking
questionnaire,
and
so
you
can,
you
know,
roll
through
this
and
answer
this
for
your
ecosystem.
A
I
think
Brandon's
hoping
to
get
some
comprehensive
responses
here
in
the
next
couple
weeks.
So
if
we
don't
hear
from
folks
we'll
probably
start
asking
more
specifically
but
feel
free
to
fill
it
out
and
also
like
don't
worry
about
filling
it
out
choice
because
I
think
getting
like
a
sense
of
where
multiple
people
think
it's
at
that'd
be
really
helpful
as
well.
So
any
questions
about
that
it
should
take
about
15
minutes.
It
is
a
little
bit
long
but
worthwhile.