A: Okay, can y'all see my screen? This is weird. Okay, I think it's working. Cool. Hi, welcome everyone. So I forgot to copy and paste in our usual thing, but yes, please add your name to the attendees list if you are here, and I want to welcome anyone that's new or hasn't been here before. I just don't want...

A: Okay, cool, well, welcome back everyone. Then we have a couple small things on the agenda. Jacques, do you want to start with a talk on a shared help desk person?
C: Yes, so I'll just adjust my microphone. We have discussed this in the past, the idea of having a shared help desk, a couple of times. I learned to my surprise that support personnel are not free, and that we need to pay them. They demand a currency in exchange for services. So the proposal here is to ask our friends higher up in the chain of the OpenSSF whether they can fund such a position. The proposal...

C: There, it basically lays out some basic arguments for why. I have an incredibly scientific guess at numbers, which purely coincidentally are chosen because they're easy to calculate by hand. Anybody who wants to correct them, please do. One thing that's sort of an open question is what the exact process is going to be.

C: This is still somewhat being debated, whether the TAC is on the hot path to money or whether they, you know, hear about it from the governing board or what goes on. So I'm going to say we'll probably go through the TAC as a courtesy, but I believe ultimately a subcommittee of the governing board is the one that will be making the decision to fund, if they find this proposal satisfactory. I would definitely love feedback.

C: I didn't come up with anything that was obviously missing to me, but, you know, it's like two pages, which I suppose I should be celebrating, but it makes me nervous that I've missed something else.
D: Yeah, I just... I guess, like, two things right off the top of my head, and I'd love to hear how we solve it. So I'm assuming, you know, we're talking about a help desk for the registries that are run by, like, volunteers and foundations, obviously, as opposed to, you know, something like npm that has a corporate steward. For ours, like, so we have a support squad for npm.

D: It's a number of, you know, full-time support folks, but we have different support staff for different kinds of tickets that come in, and I think being laser focused on what this desk would take in, because even with the staff that we have, we have massive capacity issues, and I could get some numbers on projections here. But, like, you know, you get basic support tickets. We get tickets that we just kind of, like, have to throw out because they're, like, programming help questions, and we send people to Stack Overflow.

D: But then we get into the tickets that I think are getting closer to what you're talking about, primarily around account recovery being one of the biggest ones, malware reports and vulnerable packages is another one, and then another big one that we get a lot at npm, which is very unsustainable, is package naming disputes: someone saying, hey, package A is not maintained or it's dormant, please give me the name.

D: We have, like, three agents that are just on malware and disputes and cannot keep up on the naming disputes simply because we have so much malware that needs to be dealt with. Separately, with the number of agents that we have for the account recovery, it's very hard to keep up, and you need to make sure that people are relatively well trained, which I believe you point out in your talk.

D: Yes, but, you know, our security: the accounts that are protected with MFA are only as strong as the account recovery, because if you can go and do a recovery with a password reset, then you may as well not have 2FA, and you know this, I'm just repeating things you know, but these agents are ones that are going to be really susceptible to social engineering, and so part of the thing that would concern me here, and to be clear...

D: It's concern in that I would want to see the proposal speak to it directly, not that I don't think it's doable. For us at npm, we have to give those support staff... ChatOps is how we handle it, but, like, they have kind of semi-admin operation, like they need to be able to do the things that they're saying to do, like if we're doing an account recovery.

D: What does that look like? So that may be resetting 2FA, and I'll... This is the kind of thing where I could speak for hours about all the edge cases, but let's say we have an account that has 2FA enforced. Can you remove the 2FA? If you do remove the 2FA, then what does that do for them?

D: What commands and ways in which people can do it? So I think one of the things that I would like to see, or two of the things I'd like to see, is, like, one, and I know that Python has some public data and I can get some data around this, is, like, how many tickets are you expecting to come in? How much velocity do you think people could take?

D: How are we actually going to allow these agents to operate and handle the tickets and act on them at the time that they need to do the reset, and do the registries have the engineering capacity to build out the infrastructure that's necessary to do it? One thing we're investing in right now at npm, and I won't get too much into the specifics until later if you want me to, but we're trying to automate a whole bunch of the identity verification steps, so we launched OAuth application links between npm and GitHub and npm and Twitter.

D: So people can link those accounts, and we're actually creating a, like, automated flow. So you go through, and, like, when you're going to do recovery, you go through all those flows, and we can match them and verify. We're doing verification of email via OTP, so that by the time the ticket actually gets in front of the agent, the majority of the identity verification has actually been automated, and we're hoping that that will significantly lower the amount of work.

D: But I do want to point out that, like, without that kind of investment, the identity verification portion of this is going to be unique for every single provider that we're talking about, and it's extremely bespoke and it's error prone and it's time intensive, so I would like to see maybe, as part of this, and I'd be happy to contribute, there's like a proposal about, like, hey...

D: How are all of these other registries, like, going to tackle this problem, and is it going to be in a consistent way? Because, yeah, it's a hard problem to solve, and if we only have one agent, for example, and now they have to worry about four different ways of doing everything and verifying identity across four different platforms using different vectors and factors, that's, in my opinion, a recipe for social engineering, because it's really hard to keep track of all of that.
C: I don't disagree with any of the specifics. Definitely, definitely I'm thirsty for data, if you can share it; I don't know how much you can. The number one... The reason I chose one personnel, one person, is simply that it's the smallest budgetable unit that can get the ball rolling, not because I have a particular set of data or a simulation or anything like that that can show me what, you know, the final number will be.

C: Your point about the heterogeneity is well taken. In the original way I was thinking, you know, each repository would, you know, get contracts to basically do the engineering, because, you know, everybody's flat-out strapped at all times. That's the nature of volunteering, but it sounds as though maybe what you're suggesting is having a consistent tool that instead turns to some APIs that are published with, probably, you know, heterogeneity around the actual API endpoints, but, as much as possible, a uniform interface for the agent to use, because one of the reasons for doing this is to centralize the investment and therefore centralize the protection, where you get economies of scale in the kind of effort you invest in protecting it, because we're already going to be facing social engineering attacks anyway.

D: Yeah, I would say it's not just the consistency in the tools that the people are using, but the consistency in the identity factors that...
C: To the degree that folks agree on that, yes. There may still be local reasons for having slightly different procedures. Dustin, I see you've had your hand up for a while, so let's go to Dustin.
A: Yeah, so I think... So, first of all, I really like this proposal, and I'm excited to iterate on it with you. I think I agree with Miles that, like, my least favorite thing about this is the idea of giving this potential person or group of people, like, kind of direct access.

A: I think that, at least for the ecosystem that I'm focused on, that might be a non-starter, just because of the amount of work that we would need to put into providing that, but also, like, the amount of access that that would actually provide; like, the support person would have a lot of control over some pretty destructive actions. That said, I mean, sorry, yeah.
C: To be clear, I'm not proposing any kind of production access of the kind that maintainers would need to carry out their duties today, but rather one limited in scope, and also, as part of the proposal, letting out contracts to develop that technology, so that, you know, we're not putting an additional burden onto maintainers if they want to get this advantage.
A: Yeah, but that's it, like, I really like one kind of thing about this, which is that, like, I think what would actually be really powerful here is being able to have a direct line in between the support organizations of all these different places. And, like, I think, like, one thing, when we respond to malware on PyPI, for example, a lot of times, like, that stuff is also hosted on GitHub, and it's just unfeasible for us to also file a support ticket against GitHub support and have them also take down the repository of where it came from, or that kind of thing. Being able to have, like, a tighter communication...

A: It might be a little bit more of a larger proposal, but seeing this paired with, like, providing funding for these organizations to hire support staff, and then having a centralized OpenSSF person that sort of acts as a direct line or a mediator or works with all these together, I think that would be interesting to me as well, because I think a non-profit organization is going to look at this and be like, well, why don't you just give us money and we'll hire support staff ourselves, because we really want that as well.
C: I think, yeah, I'd be happy with that too. Part of the difficulty is that the scales vary according to ecosystem, because we have different numbers of packages, different numbers of users, but also different numbers of people, in particular, who are now under an MFA requirement.

C: You know, I know, you know, PyPI is looking at thousands. npm has hundreds, I think. For RubyGems, at the moment, it's several dozen under the current policy, but we'd like to grow that, but we'd also, you know, face the same choke point as everybody, which is: the more people you have under MFA, the more requests you get.
D: One thing in particular when it comes to, like, account recovery at npm is, you know, it's more than just one story, but that requires someone to have an account. Like, the most obvious one that I think is maybe worth focusing on in the light of MFA is: I've lost my second factor, right? In the case of no second factor, you know, and you lose your password, you can go through a password reset, but then there's also, like, I've lost access to my email address.

D: There's a lot of, like, subtlety, and I think there was another agenda item, maybe, to get into a bit of, like, this specific account recovery, and I can talk about that later, but I think if we got laser focused on exactly what these folks would be responsible for... And I think, like, the other thing that could be really interesting, because maybe, just, not like to take a totally different approach to it...

D: But if we are super focused just on MFA-based recovery, in light of trying to enroll folks, because that will see an increase of recovery, maybe a focus on identity verification, a platform that can be used to automate identity verification, to give registries, like, something that they can integrate with, like that may actually be a really great tool, which may not even require, like, permanent staff beyond maintaining a service. Because I would say, like, from our end, when building things out, like, you know, the scripts and the agents are definitely, like, an important bit, but the thing that we've spent months working on, with, like, tens of engineers, is building up the infrastructure for identity verification, and even to, like, see this plan that you have right now be successful would kind of require every single one of the registries to do a similar engineering effort.

D: So it's almost like a requirement before we could even think about agents. So there may be something there as far as, like, you know, a generic service that could be offered around recovery, and I think consistency there would be really great.
C: Anyone else have a question or some comments? Because I encourage all of you to add comments as well to the document, so that it's there for future reference.

C: Definitely the big one I would like to get is data, and also, Miles, if you can somewhere basically make the... either you can think of it as a counter-proposal or a pre-proposal, that there needs to be some sort of generic solution to identity linking or identity verification, so that we have that, and I can try to rework the proposal with that in mind, and I'll come back in a couple of weeks and we'll look at it again.
B: Hello, everyone. On plan, a follow-up of the previous topic in the agenda. So, as was mentioned by Miles, we are also facing... for now we are handling this manually, so facing MFA recovery requests on the support side with the scale of the RubyGems team.

B: Even, as I mentioned, we have, like, five per week for now with almost optional MFA; it's required only for pretty top authors for now, so we are afraid of an increase of this number, and even with the current size of the support team, which is totally voluntary based, it's hard for us to keep track of this within some reasonable time.

B: But still, we are providing this kind of manual service, so I was about to ask around what are the best practices. I think some might have already shared at least the concept of what's done on their side, so I can kick off with our classic procedure, and it's actually related, since with the package you also have, probably, some metadata, which includes the source URL, which is mostly a GitHub link to the public repo.

B: All the classic actions are disabled for them before they re-enable MFA. So this is our really basic way of doing some verification. All of it's done manually, so there's no automation. So my question is if there's any better way to do this, and also Miles started explaining there are some ways to automate, but also there are some cons on this, right, since then you can get things out of control, and for now we have no UI to actually reset the MFA.

B: So we are just reaching the application by the console and resetting by some script in there. Our plan for now is to add this basic functionality, just to click "reset MFA", to the web UI for the admins, but there's... even for now, there's no concept of any, like, power user or admin on RubyGems. So this will need some time to, like, revisit all the idea and how to implement it properly. So this is how we do it for now.
D: Yeah, I'll try to not talk for the rest of this meeting, because I could talk for hours about this.

D: This is all I've thought about, like, the last couple months, so I will just start by saying that where we started at with npm was not too different from where you're at, Joseph. We had text fields on the profile of the npm account where you could put in a Twitter account or a GitHub account, and our support team would utilize that information to basically do, like, you know, verification: we'd ask them to tweet something, or we'd ask them to make a secret gist.

D: We'd verify that identity. As part of, like, the overall improvements for account security, that was identified as a security risk by our security teams, and from, like, a philosophical standpoint, what was generally thought about was different factors of identity that you use for authentication.

D: We're using a point system; they are worth so many points, and if you want to do something, for example, like recover MFA, like if 2FA is on my account and I want to do it, you need to collect enough points of identity from other factors that are an equivalent in order to recover; otherwise you're actually lowering the, like, security of the overall thing. So, like, for example, in this case, for us, we consider email to be six points of identity, and we consider 2FA to be 10.

D: So if you have an account and you've lost your email address, we want to find about six points of identity from other sources in order to, like, give you back access to your account and change the email address. In the case of a GitHub account, that's only actually three points of identity in our current workflow, and it's also worth mentioning that knowledge of your password is something that's even required, like, we're working on making it a requirement to even get into the recovery flow altogether.

D: So you need to log into your account with your email address and password. That brings you to the screen where, if you don't have 2FA, you have to put in your OTP from login verification, or if you are using OTP, like, or 2FA, you're prompted for 2FA, and we have a button at the bottom to recover your account, and the form that you can go through to recover your account you can actually only get to from there.

D: So our agents already know, by the time the ticket has been opened, that the person opening the ticket has knowledge of the password. This protects against kind of, like, drive-by social engineering, where someone doesn't even know the password, but we need to verify the identity to protect against password stuffing. And so email there, like, we verified the email, that's six points; we verify, you know, the Twitter, that's three points; we can look for... I think we use nine points right now to recover for 2FA.

D: I'd have to go in and check the chart. Access tokens: confirming an access token, which we immediately invalidate after confirming that it's accurate, is worth eight points, and so we have this kind of, like, whole chart of all the different kinds of identity that we can verify, and utilize that. So with what you've described right now, in our methodology, your security for removing MFA would actually be a little bit lower than the actual protection that MFA itself offers.

D: Verification... I'd have to talk to folks internally about sharing some more of these details more explicitly, but we do have, like, a full script with various scenarios of why people could need to recover accounts, each of the different kinds of identity factors, and then a chart for referencing, like, which factors add up to enough identity to recover in particular scenarios, and I'll see if I can maybe get some of that documentation.

D: And I see Jason's comment here. What else are you talking... Yeah? Oh, just one last thing I was going to say really quickly: we were inspired by the DMV point system for the identity verification, so it is kind of similar there.
A: Jason, you're pretty choppy, I don't think we caught that. I'm gonna go ahead and call on myself real quick. So one thing I would say is, like, the PyPI process sounds very similar to RubyGems, including the fact that we have to go into the database because we don't have production controls or an interface for doing these kinds of things.
B: For RubyGems, we have a support email which is maintained by Zendesk, so they should send an email. It's a basic free form, so they just write down their problem and they just request an MFA reset, which is then stored in Zendesk, and we need to log into Zendesk and answer and continue from that point in there.
A: Okay, so the other thing I wanted to ask, for all folks here: is there any point at which, during MFA being reset for a user, this is made public, like either in the timeline for the project that that user owns, or to co-maintainers of the projects that the user owns, or, you know, either public broadly to the entire ecosystem or public to other folks that might be interested to know that that user has had a reset? Yeah, is that something that's worthwhile?
C: I would say yes. I'm jumping in ahead of any queue that might have formed. I would say yes, that an MFA reset is something that's worthy of publishing an attestation about in the transparency log. It's a very security-sensitive event. The only sort of asterisk that comes with that is that, generally, we've all shied away from publishing MFA status, on the theory that it provides a useful phone book of people to go and attack because they don't have MFA, so, by process of elimination...
D: There are various kinds of resets, so just knowing that someone did a reset, whether it's a password reset or an MFA reset, may be sufficient. Just to be clear, I'm not advocating for this, but it doesn't need to be explicitly MFA.
B: But to also continue checking your idea: the problem with hiding MFA setup, or when it's enabled or disabled, will be eliminated when it will be required for everyone, right? Then this info maybe can be done in public, since everyone will have MFA enabled.
A: So I guess, like, I've sort of seen similar requests for publishing change of status for things like, like if the source repository changes for a given project, things like that, but I haven't seen that quite extended into the, like, things like a contributor was added or removed, or, like, something changed with one of these contributors, but I don't know, I think it's kind of interesting to think about, and I think probably in the future...

A: Those would be interesting signals for people that want to sort of have a deeper understanding of the security of their dependencies.
C: On the npm Sigstore proposal, in one of the... I don't know, there were a few comments on it, in one of the few... several dozen comments.

C: There's a doc; I published a list of events, events that I thought would be of interest to a future sort of log of things that go into, say, Rekor, so that people can track that kind of thing. So, yeah, change of, you know, MFA reset, but also things like added owner, removed owner, you know, transferred ownership from one person to another. That sort of thing is all sort of sensitive information, like information that has a strong signal that you should take a closer look for other information.
D: This becomes an interesting challenge, though, about, like, the balance between security and transparency, because on npm, for example, you could add any number of maintainers to a package with publish permissions. But as far as, like, our public ledger is concerned, only the maintainers who have actually published a package show up in the authors list.

D: If someone wanted to take over the package now... like, security through obscurity is not necessarily great, and we obviously want to know if there's, like, a hundred people who can all push the button to publish a package, but I just, yeah, I don't know what the right solution is there, but it's like, I get uncomfortable no matter what we do.
A: Okay, well, also thanks for sharing that, and I guess, yeah, any action items or takeaways from that that we should focus on? Like, I think there might be a kind of a proposal, at least something to think about here, in terms of, like, what can be shared, what level of transparency is worthwhile for sharing things like this. Yeah, it seems like also funding for some of these organizations to, like, build better controls in, so they don't have to go into the database and make these changes, would be really great.
A: One last quick thing. So Brandon's not here, but he asked me to share that we've published a package manager survey, so you might remember the spreadsheet that some folks filled out in the past that was sort of about, like, the current status of a lot of the package managers and indices. This survey is sort of a more forward-looking questionnaire, and so you can, you know, roll through this and answer this for your ecosystem.

A: I think Brandon's hoping to get some comprehensive responses here in the next couple weeks, so if we don't hear from folks, we'll probably start asking more specifically, but feel free to fill it out, and also, like, don't worry about filling it out twice, because I think getting, like, a sense of where multiple people think it's at, that'd be really helpful as well. So, any questions about that? It should take about 15 minutes. It is a little bit long, but worthwhile.

A: Okay, I'm gonna call it quits. Thanks, everyone, for your time, and see you next time.