►
A
A
A
C
D
Hello,
I'm,
Jack,
I
joined
quite
a
while
ago,
so
this
is
my
my
first
meeting
in
a
while
yeah
I'm,
mostly
here,
to
to
catch
up
on
things.
I
know
that
the
attestations
are
moving
along
I
just
want
to
catch
up
on
that
the
kind
of
ecosystem
I'm
most
familiar
with
is
Nick's
packages
and
then,
as
a
as
an
ex
kind
of
extension
of
that
that
reaches
up
to
a
lot
of
the
other
ecosystems
like
you
know,
for
us
to
go
JavaScript
all
that
but
yeah.
That's
me.
A
Oh
welcome
all
right
so
the
first
item,
the
agenda
is
to
note
that
our
next
report
to
tack
is
going
to
be
on
April
18th.
So
in
roughly
two
weeks
last
time,
I
was
there.
I
got
caught
unawares
that
that
was
coming
so
I'm
a
little
a
little
scarred
by
The
Experience
I'm,
not
necessarily
the
last
time,
maybe
the
time
before
that.
But
anyway,
at
some
point
we
got
caught
off
guard,
so
I'm
definitely
Keen
for
folks
to
share
anything.
A
A
There
we
go
okay,
so
what's
interesting
to
me
is
that
some
npm
folks
have
gone
ahead
with
the
thing
we've
talked
about
in
the
past,
which
is
producing
attestations
of
a
publication
event.
You
know
Ruby
Jones,
we
think
of
this
as
a
push
and
I
think
in
some
other
ecosystems
it's
called
push,
but
in
npn
it's
called
publish,
as
you
can
see,
it's
very
simple
and
there's
there's
nothing
sort
of
like
specifically
npm
sort
of
hard-coded
to
it.
A
The
reason
I
bring.
That
up
is
that
in
the
past
we
have
talked
about
coming
up
with
a
common
schema
for
events
such
as
pushing
yanking
change
of
owners.
You
know
owner
added
owner,
removed
change
of
owner
email
address,
yeah,
basically
things
that
a
log
monitor
would
be
interested
in
to
give
them
some
sense
that
something
security,
critical
or
sensitive,
has
occurred,
and
that
they
should
update
their
risk
model
for
that
package.
E
A
A
They're
going
to
a
file
that
npm
distributes
is
the
first
Resort
rather
than
going
to
recall
directly,
although
I
think
they
provide
an
option
to
go
to
recore
if
you're
sufficiently
paranoid,
which
is,
which
is
something
we've
muted
in
rubygems
as
well,
when
we,
when
we
talked
about
six
store
signing,
is
that
we
would
want
to
have
stuff
that's
side
by
side
with
the
actual
gem
file
itself.
The
dot
gen
file.
B
D
A
My
online
machine
got
it
my
yeah.
My
understanding
is
that
is
that
it's
it's
been
produced
by
the
npm
backend
or
registry,
which
sort
of
makes
sense
like
this
is
not
the
same
as
what
we
usually
talk
about
when
we
say
signature
when
we
say
signature,
what
I
like
to
sort
of
the
the
thing
I'm
trying
to
make
happen
is
authorial
attestation
right.
An
attestation
of
authorship
is
really
what
we
mean
when
we
say
signature
that
that
I
I
Proclaim,
that
I
am
the
author
of
this
package
or
an
author
of
this
package.
A
Whereas
this
one
is
the
registry
itself
saying
I
received
a
package
under
these
conditions,
the
only
the
only
thing
I
guess
I
would
change
about.
It
is
well
I
was
about
to
say
I
would
add
a
timestamp,
but
that's
actually
not
necessary
in
recall,
because
it's
already
a
Time
stamping
Authority.
So
you
have
a
pretty
good
idea
of
when
things
happened,
but
there
might
be
something
said
for
a
time
stamp
of
like
from
the
registry's
point
of
view
whether
registry
interpreted
the
time
to
be
so.
E
A
A
Spec
concept,
let's
see
chat
lighting
up.
Yes,
thank
you.
Thank
you.
That's
those
are
the
links
it's
worth.
Looking
at
I
haven't
sort
of
prioritized
it
in
my
own
work
in
the
sense
that
I
was
sort
of
on
a
wait
and
see
position
to
see
how
it
how
it
expanded,
I
think
the
use
of
the
prep,
like
the
the
statement
concept,
is
probably
going
to
be
pretty
wide
spread,
but
it's
early
days
I,
don't
know
if
that
really
answers
your
question.
I'm.
A
A
A
F
Yeah
it's
Yusuf,
yeah
I
was
about
to
pretty
much
mention
the
same
things.
You
said
there
in
the
end
that
I
think
quite
a
few
people
are
using
some
parts
of
the
inside
of
spec
like
this
annotations.
So
this
is
kind
of
typical
that
what
npm
is
doing
the
taking
the
at
the
station
and
just
starting
with
that,
because
it
does
I,
haven't
done
it
myself,
but
it
does
look
like
fairly
complicated
setup
if
you
want
to
to
actually
do
the
whole
in
total
process
and.
C
F
A
D
Get
too
into
the
weeds,
but
typically
like
proper
in
total
support
will
be
more
for
for
tooling,
so
any
kind
of
tooling
that
you're
using
during
the
build
process,
can
integrate
with
in
Toto.
In
this
case,
we're
just
talking
about
the
statements
which
were
just
a
good
format
that
others
have
adopted.
A
Yeah,
like
it's
pretty,
it's
pretty
simple,
to
extend
right,
like
you
have
this
part,
which
is
sort
of
the
the
Prelude
that
you
have
to
include.
But
the
extension
point
is
is
being
able
to
do
this
and
then
you
know
so:
I
have
a
predicate
type
and
then,
once
you
define
the
predicate
type,
you
can
sort
of
set
your
fields
and,
oddly
speaking
like
these,
these
three
would
be
enough
right,
like
you
would
interpret
name
locally
within
the
context
of
the
the
software
repo
and
registry
repo.
C
G
Know
what's
up
anyways
the
question
that
I'm
asking
is:
why
is
this
npm
specific?
It
looks
like
it
could
be
used
generically
for
any
yay
I'm
wondering
like
this
looks
like
it
could
be
generically
applied
to
any
package
that
publishes
a
project
that
is
Pearl
spec
compliant
right,
not
just
MTM,
so
Maven
Gradle
well,
Maven
Gradle
is
done
the
maven
ecosystem.
A
The
the
simple
reason
is
that
they
wanted
to
go
ahead
with
it
without
having
to
to
wait
to
agree
to
a
standard,
Fair
yeah
very
fair
like
like,
but
the
other
thing
too,
is
that
you
know
at
least
in
casual
conversation
and
not
sort
of
like
having
firmly
agreed
to
anything
they.
They
were
open
to
the
idea
when
I
spoke
to
npm
folks
in
the
six
door.
G
B
A
Is
the
important
thing
right
like
it?
It's
it's
different
from
an
attestation
that
a
builder
could
which
is
sort
of
what
salsa
focuses
on
yeah,
it's
different
from
an
echo
station.
That
I
am
the
author,
which
is
what
we
usually
mean
anecdotally
sort
of
casually
when
we
say
sign
this.
Is
the
registry
saying
I
received
the
package
with
these
characteristics
and
recording
that
event.
G
Okay,
interesting,
okay,
so
then
this
is
something
that's
that
other
packaging
ecosystems,
like
you
know,
Maven
or
Ruby,
or
whatever
could
could
go
and
Implement
themselves.
Okay,
I
I
understand
okay,
but
this
is.
This
is
not
on
the
on
the
publisher
side.
It's
not
on
the
publisher
side.
This
is
on
the
publish
receiver
side,
yeah.
A
D
A
Handy
so
I
can
I
can
actually
talk
about
this.
The
the
idea
is
that
this
this
one
just
talks
about
the
push
event,
the
publish
event.
There
are
other
attestations
that
talk
about
that
capture,
the
the
authorship
right,
which
is
like
code
signing,
and
that
would
also
be
in
the
transparency
log
and
then
there's
another
event
which
npm
intend
to
Omit,
which
is
the
salsa
build
provenance,
so
that
if
you
were
using
a
service
that
has
the
oadc
token
flow,
that
would
be
able
to
tie
it
to
the
commit
right.
A
So
if
you
were
running
on
GitHub
actions
or
build
kite
or
I,
think
it
let
over
now
as
well.
The
idea
is
that
the
build
that's
happening
inside
one
of
those
systems
is
given
a
token
by
the
build
service
that
can
be
exchanged
for
a
push
token
in
the
registry
or
repository
service,
and
when
it
does
so,
it
includes
information
about
the
commit
and
the
person
who
triggered
the
build
so
that
information
gets
captured
in
in
the
build
provenance.
A
A
D
D
A
Yes,
but
also
like
I,
believe,
npm's
intention
and
I
believe
most
ecosystems
would
do.
Something
similar
is
is
to
have
extracts
from
the
logos
files
that
are
predictably
named,
so
that
you
can
have
the
the
file
of
the
the
dot
gem
or
the
you
know.
The
package
object
whatever
it
is
in
your
ecosystem
and
you
would
have
gem
dot
ATT
for
attestations
so
that
you
would
have
one
or
several
files,
depending
on
the
exact
scheme
to
download
that
would
include
all
the
relevant
information
for
that
particular
package.
A
B
A
D
A
A
A
No
okay,
so
the
next
one
also
me
a
question
that
was
asked
by
Madison
Oliver
in
the
slack
Channel
on
behalf
of
folks
from
erlang
was
what
organization
or
who
are
people
going
to
for
CBE
numbers?
You
know
this:
the
CBE
numbering
Authority
or
CNA,
not
that
one
I
know
is
sometimes
a
storied
question,
but
I
was
curious
if
we
could
gather
any
sort
of
answers
or
suggestions
that
we
could
feed
back.
B
G
If
the
maintainer
has
requested
the
cve
number
and
a
lot
of
maintainers
don't
understand
the
CBE
process,
so
I
also
tend
to
fall
back
on
using
Snick,
because
they're
really
convenient
to
work
with
I
can
pull
them
into
an
existing
GHSA
and
say
hey.
This
is
the
vulnerability
and
they
will
be
pretty
proactive
about.
You
know
giving
me
a
CV
number
for
that,
so,
but
I
prefer
to
publish
my
disclosures
using
two
to
save,
because
snicks
data
is
private
or
sorry.
G
A
F
A
All
right,
I
think
we've
tapped
that
one
out,
unless
anyone
else
has
has
been
concealing
a
CNA
that
they
know
about
and
like,
and
then
we
move
to
any
other
business
which
is
pretty
much
what
it
sounds
like.
If
folks
have
some
issue
that
they're
burning
to
discuss,
we
leave
this
spot
open
towards
the
end
of
the
meeting.
G
G
G
G
I
think
hope.
It's
not
just
maintainers.
So
basically
it'll
be
something
that
you
can
say
hey.
What
are
the
set
of
dependencies
this
this?
This
repository
is
depending
upon
and
you
can
get
that
list
so
that
work
is
proceeding
again.
It's
been,
it
was
stopped
for
about
a
year
and
changed
and
so
I'm
glad
to
see
that
that
moving
again,
okay.
G
H
A
C
G
One
of
the
things
that
I
have
been
pretty
concerned
about
is
that,
in
my
experience,
I
think
I
will
I
will
repeat
ad
nauseam
something
that
a
line
that
I've
said
before
repository
artifact
servers
are
not
usually
something
that
a
company
is
selling.
It
is
usually
something
that
a
company
is
hosting
out
of
the
Goodwill
of
their
art
as
such,
because
it
is
not
a
sold
product.
There
is
never
a
requirement
by
a
company
that
is
purchasing
that
product
to
require
a
security
audit
of
that
that
product
before
consuming
it.
G
G
A
A
E
G
Laws
that
prevent
researchers
from
performing
audits
against
software
and
and
services
that
are
hosted
without
permission.
So
unless
the
company
is
put
forward
a
policy
that
says
we
allow
audits
from
external
researchers,
it
is
hacking
and
it
is
unauthorized
access
under
the
United
States
has
a
has
a
federal
law
called
cfaa,
which
is
this
Computer
Fraud
and
Abuse
Act,
and
if
you
access
a
system
without
permission,
you
are
violating
federal
law
within
the
United
States.
E
E
G
Jack,
what
would
the
process
be
under
which
week
I
part
of
me
is
tempted
to
start
like
beating
this
drum
within
the
open,
SF
to
say:
okay,
like
clearly
I've
been
beating
this
drum.
For
you
know,
over
a
year
now
can
we
get
maybe
I
can
talk
to
Alpha
Omega
and
say,
like
hey,
Alpha
Omega
like
we're
looking
at
software,
but
like
do
we
also
consider
repositories
and
scope?
Can
we
commission
audits,
restriction
in
infrastructure
audits
of
major
artifact
servers
that
can't
come
up
with
an
attestation?
G
They,
you
know,
have
had
a
pen
test
within
the
past
two
years,
like
I
presume
that
I
would
guess,
given
github's
security
stance
in
the
past,
they've
probably
done
an
audit,
but
you
know,
especially
because
npm
was
required
right.
They
were,
they
were
bought
by
GitHub
I
presume
there
was
an
audit
done
at
that
point.
G
A
Yeah,
as
I
said,
with
with
rubygems
the
place
to
go,
would
be
Ruby
Central,
which
is
the
the
sort
of
the
governing
organization
that
oversees
development
and
manages
the
funding
to
suggest
it.
The
the
thing
is
that
in
in
the
agreement
that
Shopify
made,
we
basically
promised
not
to
interfere
with
decisions
right.
A
D
G
D
G
I
am
talking
about
an
audit
of
the
entire
infrastructure
involved
in
the
dependency
resolution
supply
chain
for
an
artifact
server
from
publishing
to
serving
the
content
right.
Is
it
possible
to
cash
poison,
the
CDN
because
of
the
configuration
of
the
company
or
customer
or
or
supplier,
that
is
that
is
hosting
like
because
yeah?
G
So
it's
not
just
about
the
software,
it's
about
the
entire
interplay
between
the
CDN
and
the
artifact
server
software
right,
because
cash
poisoning
between
those
two
places
or
HTTP
request
splitting
between
these
two
places
can
maybe
only
be
possible
against
the
running
instance.
Given
the
configuration
that's
present
that
may
not
be
possible
if
you're,
just
looking
at
the
software
running
locally
on
your
machine.
D
G
D
G
I,
yes,
the
the
are
there
any
artifact
servers
from
the
industry
here
currently
that
are
able
willing
to
discuss
like
current
initiatives
that
are
going
on
in
this
space
around
like
is
there
anybody
in
this
space
that
is
currently
going
through
the
process
of
getting
an
organization
to
get
a
pen
test
of
their
or
is
yeah
I
mean
I?
Don't
want
to
call
anybody
out
specifically,
but
I
want
to
open
the
floor
to
see
if
anybody
wants
to
speak
up.
B
G
A
A
Yeah,
we
do
see
a
lot
of
representation
from
Folks
at
sonotype,
usually
speaking
speaking
with
them
even
Central
hat
on,
and
you
know,
a
lot
of
a
lot
of
customers
also
require
audits
as
well.
At
a
previous
job,
I
worked
for
a
Enterprise
vendor
and
we
actually
had
two
series
of
audits.
We
had
audits
where
we
kept
the
results
to
ourselves
and
audits
where
we
gave
the
results
to
customers.
H
B
G
Mean
yeah,
I'm,
I'm
I
think
that
there's
there's
a
struggle
where
first
off,
if
we
were
to
commission
external
audits,
we
would
still
need
to
get
permission
from
the
organizations
hosting
these
things,
because
again,
anti-hacking
laws
and
also
no
company,
is
going
to
accept
a
contract
to
pen
test
a
firm.
That
is
not
accepting
of
that
right.
G
They're,
not
let
you
know,
that's
a
legal,
that's
a
vertical
legal
hurt,
but
that
may
not
be
a
case
if
we
can,
if
we
can
get
a
list
of
artifact
servers
that
have,
for
example,
you
know
vulnerability
disclosure
policies,
I
think
I
created
a
list
of
that
I
started,
creating
a
list
of
artifact
servers
that
had
set
forth
permission
for
like
you
are
allowed
to
hack
us
and
we
will
not
suit.
We
will
not
chase
you
with
legal,
with
lawyers
created
a
while.
G
A
G
And
and
and
I
think
that,
like
it's
easy
enough
to
go
to
an
organization,
say
hey,
can
you
you
know
a
test
that
you've
had
a
pen
test
within
the
past
year?
Okay,
we
don't
need
to
focus
on
you
right,
like
in
terms
of
throwing
money
at
the
problem.
Yeah
yeah.
Okay,
all
right!
This
gives
me
something
to
go
chew.
On
yeah,
thanks,
happy
to.
A
A
G
A
Up
so
I
I
plan
to
attend,
and
you
know
I'll
I'll
love
you
for
other
things
as
well,
which
I
won't
commit
to
in
a
recorded
session,
but
yeah
the
I
think
it
would
be
a
good
place
for
us.
The
securing
software
request
group
to
show
up
and
give
give
a
presentation
to
basically
say
this
is
the
work
we
do
and
here's
what
we
we
hope
that
will
be
useful
to
you
and
can
you
participate
so
we
can
share,
share
knowledge.
G
Sterling,
do
you
know
if
this
is
a
spin-off
of
it?
All
of
the
the
so
GitHub
back
in
2018
2019,
no
2019,
maybe
2020.
had
a
packaging
Summit
where
they
brought
together
a
bunch
of
the
major
artifact
servers
at
a
Microsoft
Office,
and
that
was
that
was
the
first
incarnation
of
I.
Think
this
meet
this
working
group
actually
before
yeah.
G
A
G
G
A
A
G
Did
a
month
of
non-stop
travel
from
Italy
to
Japan
to
home
in
Boston
to
San
Francisco,
like
three
days
later
to
Florida
to
home,
to
San
Francisco
to
home
within
a
month
and
I
slept
for
a
week
like
I,
like
called
my
doctor
and
I'm
like
I'm
sleeping
a
lot.
Is
this
normal
and
they're
like
give
us
give
it
another
week
if
you're
still
sleeping
a
lot,
let
us
know,
and
then
I
I
was
good
but
like
I
was
like
I
was
concerned:
I'm
like
I'm,
not
I,
don't
sleep
this
much
normally
I'm.
B
A
Anyway,
let's,
let's
not
go
into
the
the
rabbit
weeds
of
the
travails
of
travel,
because
we
could
be
here
all
day,
I'm
gonna!
Let
you
all
go
with
eight
minutes
to
spare
thanks
everybody
for
coming
today
and
I
look
forward
to
seeing
you
all.
The
next
meeting
will
be
at
the
aipac
friendly
time,
which,
for
those
of
you
in
the
US,
is
6
p.m.
Eastern
time,
yes,
so
we'll
see
who
is
able
to
attend
then,
and
thanks
to
everyone
and
we'll
see
you
later.