A: I'll just give it a few more minutes before we kick off. If you haven't added yourself to the notes, just go ahead and do that; the link is in the chat.

A: Okay, I think we're far enough into the hour that we can kick off. I guess I am sharing today. Lucky me. So, usually in these meetings we like to start off with new faces, so is there anybody who feels like a new face, or a returning face, and would like to introduce themselves?
C: Hello, my name is... I'm working at VMware, on the open source supply chain team. I'm a maintainer of goldoff, and yeah, that's it.

D: Hello, I'm Jack. I joined quite a while ago, so this is my first meeting in a while. Yeah, I'm mostly here to catch up on things. I know that the attestations are moving along; I just want to catch up on that. The kind of ecosystem I'm most familiar with is Nix packages, and then, as an extension of that, that reaches up to a lot of the other ecosystems, like, you know, Go, JavaScript, all that. But yeah, that's me.
A: Oh, welcome. All right, so the first item on the agenda is to note that our next report to the TAC is going to be on April 18th, so in roughly two weeks. Last time I was there I got caught unawares that that was coming, so I'm a little scarred by the experience. Not necessarily the last time, maybe the time before that, but anyway, at some point we got caught off guard, so I'm definitely keen for folks to share anything they think that the TAC should know about. So, for those who don't know, or don't sort of pay attention to the TAC, it's the Technical Advisory Committee, sort of the community, partially community-elected group who oversee the working groups, and they ask working groups to report to them every few months as to what they're up to, where they're headed and what they need help with.

A: No burning needs? Cool. Well, if you think of anything, let us know in the Slack channel. The next one is pretty much gonna be the joke show, I'm afraid: the next one on the agenda is npm publish attestation.
A: So let me open that and share the tab. I guess I can't really do that with Zoom. I'll share screen, the one that's in bright green.

A: There we go. Okay, so what's interesting to me is that some npm folks have gone ahead with the thing we've talked about in the past, which is producing attestations of a publication event. You know, in RubyGems we think of this as a push, and I think in some other ecosystems it's called push, but in npm it's called publish. As you can see, it's very simple, and there's nothing sort of like specifically npm, sort of hard-coded to it.

A: They're using package URLs to identify the packages, which is nice, and I had a chance to talk to some npm folks, coincidentally, in another call about Sigstore, and they were open to the idea that at some point, if we adopted some format or attestation for this kind of event, they'd be fine with migrating.

A: The reason I bring that up is that in the past we have talked about coming up with a common schema for events such as pushing, yanking, change of owners, you know, owner added, owner removed, change of owner email address. Yeah, basically things that a log monitor would be interested in, to give them some sense that something security-critical or sensitive has occurred and that they should update their risk model for that package.
A: Any thoughts on this, or anybody who feels they can give more context? Oh.

A: That's a good question. My answer is that they're publishing them to Rekor, so into Sigstore's transparency log. That's one thing, but they're also providing essentially extracts on npm itself.

A: They're going to a file that npm distributes as the first resort rather than going to Rekor directly, although I think they provide an option to go to Rekor if you're sufficiently paranoid, which is something we've mooted in RubyGems as well when we talked about Sigstore signing: that we would want to have stuff that's side by side with the actual gem file itself, the .gem file. I should be clear, just because going to Rekor all the time will be bad for Rekor, and also because doing it as a file that sits next to the original .gem plays very nicely with CDN support.

A: Yeah, my understanding is that it's been produced by the npm backend, or registry, which sort of makes sense. Like, this is not the same as what we usually talk about when we say signature. When we say signature, what I like to, sort of, the thing I'm trying to make happen is authorial attestation, right? An attestation of authorship is really what we mean when we say signature: that I proclaim that I am the author of this package, or an author of this package.

A: Whereas this one is the registry itself saying I received a package under these conditions. The only thing I guess I would change about it is, well, I was about to say I would add a timestamp, but that's actually not necessary in Rekor, because it's already a timestamping authority, so you have a pretty good idea of when things happened. But there might be something to be said for a timestamp from the registry's point of view, what the registry interpreted the time to be, so you can, you know, check for drift or things like that. And I haven't really looked at this repo very much. It looks like publish is the first one they've done, and I guess the README is a little bit terse, but, you know, I think it's a work in progress.
E: There was a mention, can you open the example one again? Yeah, yeah. Justin mentioned it's like, conforms to in-toto attestations. Who's behind this?

A: Yeah, so in-toto is a project that originally came out of New York University.

A: It's a number of things, actually. The original sort of gist for in-toto was that you would describe your supply, like your build process, which was the main focus of it, in a sort of generic format, and then provide signatures for each step of that chain to establish, you know, all the things that you did and all the inputs you took and all the outputs you produced, and the idea was that somebody could use that to trust that you actually performed the builds that you promised. And as part of that there is a more generic concept of a statement, which is like a relatively open-ended format, or envelope, which people are using; they're sort of building on top of that to define attestations such as publish. But it's a little hard to get your head around at first, like it's fairly generic in its design, or it's been made more generic as time has gone on with the introduction of this attestation spec concept. Let's see, chat lighting up. Yes, thank you. Thank you. Those are the links; it's worth looking at. I haven't sort of prioritized it in my own work, in the sense that I was sort of in a wait-and-see position to see how it expanded. I think the use of the, like, the statement concept is probably going to be pretty widespread, but it's early days. I don't know if that really answers your question.
E: Just wondering who's behind this, or, I'm feeling a better question is who is maintaining this today. But looking at the homepage, it's also related to the Linux Foundation and all this stuff.

A: Yeah, in-toto's good. I see it as part of, like, you might think of it as the overall long-term solution. I'm pretty sure that SLSA attestations are also in-toto attestations. So.

A: They are, yeah. Okay, so it's sort of like being used as a base format, which I understand happens. People do it to me too. Either Yusuf, or, you see?

F: Yeah, it's Yusuf. Yeah, I was about to pretty much mention the same things you said there in the end, that I think quite a few people are using some parts of the in-toto spec, like the attestations. So this is kind of typical, what npm is doing, taking the attestation and just starting with that, because it does, I haven't done it myself, but it does look like a fairly complicated setup if you want to actually do the whole in-toto process.
D: ...get too into the weeds, but typically, like, proper in-toto support will be more for tooling, so any kind of tooling that you're using during the build process can integrate with in-toto. In this case, we're just talking about the statements, which were just a good format that others have adopted.

A: Yeah, like, it's pretty simple to extend, right? Like, you have this part, which is sort of the prelude that you have to include, but the extension point is being able to do this, and then, you know, so I have a predicate type, and then, once you define the predicate type, you can sort of set your fields. And, broadly speaking, like, these three would be enough, right? Like, you would interpret name locally within the context of the software repo and registry repo.

G: ...know what's up. Anyway, the question that I'm asking is: why is this npm-specific? It looks like it could be used generically for any, yeah, I'm wondering, like, this looks like it could be generically applied to any package that publishes a project that is purl-spec compliant, right? Not just npm, so Maven, Gradle, well, Maven, Gradle is done, the Maven ecosystem.

G: You know, any of those other spaces. So why is this npm-specific, out of curiosity?
A: The simple reason is that they wanted to go ahead with it without having to wait to agree to a standard. Fair, yeah, very fair. Like, but the other thing too is that, you know, at least in casual conversation, and not sort of, like, having firmly agreed to anything, they were open to the idea, when I spoke to npm folks in the Sigstore call, to the idea that, like, if we adopted this, or, you know, adopted some evolution of this, then they would be fine with migrating to it, to a shared schema.

G: Right, okay, interesting. Because, I'm, you know, I'm thinking, like, and also trying to understand: is this something that is published by npm to the central repository, or is it something that you run a GitHub Action to say, hey, I did a publish from this action? My...

A: ...is the important thing, right? Like, it's different from an attestation that a builder could, which is sort of what SLSA focuses on. Yeah, it's different from an attestation that I am the author, which is what we usually mean, anecdotally, sort of casually, when we say sign. This is the registry saying I received the package with these characteristics, and recording that event.

G: Okay, interesting. Okay, so then this is something that other packaging ecosystems, like, you know, Maven or Ruby or whatever, could go and implement themselves. Okay, I understand. Okay, but this is not on the publisher side. It's not on the publisher side; this is on the publish receiver side, yeah.

A: It's on the registry or repository side, which is something we talked about earlier on in this group, as I said, sort of like registries or repositories publishing events to the transparency log that were security-sensitive, that they had privileged access to. And the idea is that you sort of, my slogan that I try to use is making the attacker move in the open.

A: So, as these events occur, they're put into a public log that is separate from the repository, so there's no easy way for an attacker to go back and delete the evidence that they performed those actions.
D: I think what I would want to see in here to make it a lot more useful is, I would want to know kind of who was publishing, or have some kind of signature saying this is the person or bot or whatever that did the publish for that event, and I would also want to know kind of where the source is, like, what's the purl for where the code came from, if it's, like, an open source project. Because one of the things I've been really questioning a lot, looking at purls and vulnerability scanning, like this, is it OSV?

D: What's really bugging me is how do I map these to, like, a common location? So I guess we've got, in this case, npm scope package foo, but maybe that has an origin of, you know, GitHub, some organization, some repo name, and that can have a purl of that location.

A: Handy, so I can actually talk about this. The idea is that this one just talks about the push event, the publish event. There are other attestations that capture the authorship, right, which is, like, code signing, and that would also be in the transparency log. And then there's another event which npm intend to emit, which is the SLSA build provenance, so that if you were using a service that has the OIDC token flow, that would be able to tie it to the commit, right?

A: So if you were running on GitHub Actions or Buildkite or, I think, GitLab now as well, the idea is that the build that's happening inside one of those systems is given a token by the build service that can be exchanged for a push token in the registry or repository service, and when it does so, it includes information about the commit and the person who triggered the build, so that information gets captured in the build provenance.

D: I'm just thinking, so I've got a handful of attestations. I guess that the build is saying it's at this commit and then the resulting artifact is package npm scope blah blah blah, but I wouldn't necessarily be able to work my way back the other direction, is what I was thinking.

D: So I can go from the build attestation to then find the publish attestation, but I can't take the publish attestation and work out where that build attestation was quite as easily.
A: Yes, but also, like, I believe npm's intention, and I believe most ecosystems would do something similar, is to have extracts from the log as files that are predictably named, so that you can have the file of the .gem, or, you know, the package object, whatever it is in your ecosystem, and you would have gem.att, for attestations, so that you would have one or several files, depending on the exact scheme, to download, that would include all the relevant information for that particular package.

A: So if you had the package name, you could derive everything else pretty easily. Okay, Jonathan, did you have a follow-up question, or is that an old hand?

A: It's a mystery. Okay. Were there any more sort of, like, questions? This is a good conversation, I think.

D: ...but in the case of these predicate formats, we mostly just refer to the version. I guess that's probably fine. These things aren't going to change particularly often, but I...

A: Yeah, the association issue, like, the attestation repository, there's the word I was looking for, on GitHub has issues enabled, so it would be possible to raise it there, I think. Okay.

A: Cool, cool. Any more questions about attestations and publish and npm and so on?
A: No? Okay, so the next one, also me, a question that was asked by Madison Oliver in the Slack channel on behalf of folks from Erlang, was: what organization, or who, are people going to for CVE numbers? You know, the CVE Numbering Authority, or CNA. That one, I know, is sometimes a storied question, but I was curious if we could gather any sort of answers or suggestions that we could feed back.

E: There is Openwall, some sort of software security list, which I used to request CVEs on before. I think it's managed by some Red Hat folks, or at least it was at the time I was requesting those for some Ruby libraries. So, just about to send out the report, and they just replied with the CVE and the number for this one, rather a simple process. But it was, like, eight years ago I used it for the last time, but I checked recently before I applied and it's still working well.

A: Oh, if you get a chance, Joseph, can you drop a link into the notes?
G: Yeah, so you can have a very convenient system participating, like, if you're using GitHub and have a security advisory, you can very easily just hit a button and say, hey, please give me a CVE number, and they will issue one for you. The one that I use, I use them when I can; they're only willing to issue a CVE number if the maintainer has requested the CVE number, and a lot of maintainers don't understand the CVE process, so I also tend to fall back on using Snyk, because they're really convenient to work with. I can pull them into an existing GHSA and say, hey, this is the vulnerability, and they will be pretty proactive about, you know, giving me a CVE number for that. So, but I prefer to publish my disclosures using GHSA, because Snyk's data is private, or, sorry.

A: Okay, I didn't know about Snyk doing that, but yeah, that makes sense that you would prefer GitHub when you could. Yusuf?

A: All right, I think we've tapped that one out, unless anyone else has been concealing a CNA that they know about. And then we move to any other business, which is pretty much what it sounds like: if folks have some issue that they're burning to discuss, we leave this spot open towards the end of the meeting.
G: Thrilled to have seen that start, seeing that there is now some beat underneath some work that I did prior to my departing Gradle, which is involving a dependency extractor plug-in that will sit underneath a Gradle build. Okay. So, so.

G: You know, you can look at a requirements file or setup.py. That's not too complicated, and kind of discern what versions a project depends upon, and that's not possible for Gradle, because it's a fully Turing-complete build, and so as a result GitHub never tried to create a dependency graph for Gradle. And so it is finally being worked on by the Gradle team to add support that, when you're running a Gradle build within a GitHub Action, the build will automatically have a set of dependencies that are resolved, or will be resolved within the build, get extracted and sent up to GitHub's dependency API, which will mean that, the other thing is that that API will be something that anybody can pull from a repository.

G: I think, hope, it's not just maintainers. So basically it'll be something that you can say, hey, what are the set of dependencies this repository is depending upon, and you can get that list. So that work is proceeding again. It was stopped for about a year and changed, and so I'm glad to see that moving again. Okay.
H: No, I think it's, hey again, I haven't talked to you in a while.

H: Nice to hear your voice. Yeah, I think what I was going to mention is, I think next week there's gonna be a conference, and we have somebody presenting there giving an update on Sigstore support for Java, for Gradle.

H: So right now we have the Sigstore Gradle plug-in, which is able to publish Sigstore metadata, but currently Gradle doesn't do anything with it. There's a verification part, but yeah, at least I'm gonna talk next week about that.

A: That's really cool. If you get a chance, can you drop a link into the notes? Sure. Findings, yeah, that's exciting, to see the progress. It's all sort of coming together. Any other business that folks had?
G: One of the things that I have been pretty concerned about is that, in my experience, I think I will repeat ad nauseam something, a line that I've said before: repository artifact servers are not usually something that a company is selling. It is usually something that a company is hosting out of the goodwill of their heart. As such, because it is not a sold product, there is never a requirement by a company that is purchasing that product to require a security audit of that product before consuming it.

G: Has there been any more discussion about trying to encourage or push forward an initiative, or even get visibility into how prevalent actually getting pen testing done against artifact servers that are used to supply the industry's software has actually been?

A: Yeah, I'm gonna jump in front of Jack because I'm rude, I hope that's okay, Jack, and do an Uno reverse card, which is: do you know any organizations with millions of dollars and a mission to spend money on improving security that might be...

A: Yeah, yeah, not quite as much, narrowly, at least in Shopify, we donated a million dollars over four years to really jump-start, well, Ruby Central, really, who are the people behind rubygems.org, and they've also managed to raise funding from the German government.

A: We don't set their agenda, how they spend that money. We did ask them to focus on security. Yeah, there's a lot of work being done, but I haven't seen an audit being commissioned at this time.
E: ...much being raised on this topic, right, but I think also one of the answers at the time was the public programs on HackerOne and all the stuff, which, in theory, anyone can do, however they try, the code is...

G: ...laws that prevent researchers from performing audits against software and services that are hosted, without permission. So unless the company has put forward a policy that says we allow audits from external researchers, it is hacking and it is unauthorized access. The United States has a federal law called the CFAA, which is the Computer Fraud and Abuse Act, and if you access a system without permission, you are violating federal law within the United States.

E: A custom one for testing, but clearly that's what a real audit is, right. But there...

G: Jack, what would the process be under which we, I, part of me is tempted to start, like, beating this drum within the OpenSSF to say, okay, like, clearly I've been beating this drum for, you know, over a year now. Can we get, maybe I can talk to Alpha-Omega and say, like, hey, Alpha-Omega, we're looking at software, but, like, do we also consider repositories in scope? Can we commission audits, restriction in infrastructure audits, of major artifact servers that can't come up with an attestation...

G: ...that they, you know, have had a pen test within the past two years? Like, I presume, I would guess, given GitHub's security stance in the past, they've probably done an audit, but, you know, especially because npm was acquired, right, they were bought by GitHub, I presume there was an audit done at that point.
A: Yeah, as I said, with RubyGems the place to go would be Ruby Central, which is the sort of governing organization that oversees development and manages the funding, to suggest it. The thing is that in the agreement that Shopify made, we basically promised not to interfere with decisions, right?

D: Nice, but so what you're talking about is more central registries, like, yeah, npm and RubyGems, rather than, like, donated CDN stuff, like, okay, I'm hosting my Arch Linux ISOs and there's, you know, 30 universities and, firstly, etc. that are all, well...

G: I am talking about an audit of the entire infrastructure involved in the dependency resolution supply chain for an artifact server, from publishing to serving the content, right? Is it possible to cache-poison the CDN because of the configuration of the company or customer or supplier that is hosting, like, because, yeah?

G: So it's not just about the software, it's about the entire interplay between the CDN and the artifact server software, right? Because cache poisoning between those two places, or HTTP request splitting between these two places, can maybe only be possible against the running instance, given the configuration that's present. That may not be possible if you're just looking at the software running locally on your machine.
G: I, yes, the, are there any artifact servers from the industry here currently that are able, willing to discuss, like, current initiatives that are going on in this space? Like, is there anybody in this space that is currently going through the process of getting an organization to get a pen test of their... or, yeah, I mean, I don't want to call anybody out specifically, but I want to open the floor to see if anybody wants to speak up.

A: Might be tricky; we're lightly attended today. You might also ask in the Slack channel.

D: I'm not sure about, like, public registries, but I wonder if JFrog have had anyone kind of audit their product, I...

A: Yeah, we do see a lot of representation from folks at Sonatype, usually speaking with their Maven Central hat on, and, you know, a lot of customers also require audits as well. At a previous job I worked for an enterprise vendor and we actually had two series of audits: we had audits where we kept the results to ourselves and audits where we gave the results to customers.
G: I mean, yeah, I think that there's a struggle where, first off, if we were to commission external audits, we would still need to get permission from the organizations hosting these things, because, again, anti-hacking laws, and also no company is going to accept a contract to pen test a firm that is not accepting of that, right?

G: They're not, let you know, that's a legal, that's a vertical legal hurdle, but that may not be the case if we can get a list of artifact servers that have, for example, you know, vulnerability disclosure policies. I think I created a list of that, I started creating a list of artifact servers that had set forth permission, like, you are allowed to hack us and we will not sue, we will not chase you with legal, with lawyers. Created a while...

D: Google have, for some servers and domains. I wonder if the Golang cache is in that list.

G: Yeah, let me go talk to Alpha-Omega and see if there's, I mean, I don't need a budget for Alpha-Omega set, and so we could maybe consider that in scope for an audit.

G: And I think that, like, it's easy enough to go to an organization and say, hey, can you attest that you've had a pen test within the past year? Okay, we don't need to focus on you, right, like, in terms of throwing money at the problem. Yeah, yeah. Okay, all right! This gives me something to go chew on. Yeah, thanks, happy to.
A: I haven't heard anything about it lately. I haven't looked at the page for a little bit, but I don't think CFPs are open yet. I'm gonna just cheat and look at it and pretend I knew all along what this was, or...

A: There is, we'll drop a link in for PackagingCon, which is a conference for software repository folks. Okay, and to my knowledge, any news?

G: I do know that the CFP for Open Source Summit EU is open, so I submitted a paper yesterday. What is PackagingCon? Who's hosting it, and where is it run out of? Because this is a new one. It's...

A: ...up, so I plan to attend, and, you know, I'll lobby you for other things as well, which I won't commit to in a recorded session, but yeah, I think it would be a good place for us, the Securing Software Repositories group, to show up and give a presentation to basically say this is the work we do and here's what we hope will be useful to you, and can you participate, so we can share knowledge.
G: Sterling, do you know if this is a spin-off of, all of the, so GitHub, back in 2018, 2019, no, 2019, maybe 2020, had a packaging summit where they brought together a bunch of the major artifact servers at a Microsoft office, and that was the first incarnation of, I think, this working group actually, before, yeah.

H: No, I don't know; I haven't heard any more about it. I haven't beaten any bushes for it.

A: Well, there's sponsorship opportunities. It says it's run by NumFOCUS, which is sort of a scientific Python community. Okay.

A: No matter what they do, so I imagine there's folks involved there from maybe PyPI and Anaconda, that sort of... Yep.

G: ...to accept that it's not just the Python ecosystem packaging, but the whole industry's packaging.

A: As I said, they had a great turnout in '21 and I expect they will have a nice, broader turnout. What?

A: Well, I didn't know. I didn't go to the 2021 one; it conflicted with RubyConf for that year. Okay.
A: Yeah, yeah, especially when you're a little bit taller than average, that tends to work against you.

G: I did a month of non-stop travel from Italy to Japan to home in Boston to San Francisco, like, three days later, to Florida, to home, to San Francisco, to home, within a month, and I slept for a week. Like, I called my doctor and I'm like, I'm sleeping a lot, is this normal? And they're like, give it another week, if you're still sleeping a lot, let us know. And then I was good, but, like, I was concerned. I'm like, I don't sleep this much normally.

A: Anyway, let's not go into the rabbit weeds of the travails of travel, because we could be here all day. I'm gonna let you all go with eight minutes to spare. Thanks, everybody, for coming today, and I look forward to seeing you all. The next meeting will be at the APAC-friendly time, which, for those of you in the US, is 6 p.m. Eastern time, yes, so we'll see who is able to attend then. Thanks to everyone, and we'll see you later.