►
B
D
B
C
C
Hey
yeah,
I'm
here,
oh
hi,
yeah
great
glad
you're
here
you're
going
to
be
the
bulk
of
the
meeting
today.
I
think
so.
I'm
glad
that
you're
here
we'll
get
started
in
like
a
minute.
C
C
C
Okay,
cool;
no
one
knew
this
room
or
this
this
this
time.
Okay,
cool,
let's
go
hand
it
over
to
bobby
so
bobby's
here
to
talk
to
us
about
cargo
vet.
He
is
from
mozilla.
I
guess
bobby
hasn't
been
to
one
doing
these
before
cycle
I'll.
Let
you
introduce
yourself
by
the
end
and
you
can
take
it
away.
E
Yeah
is
it
alright?
If
I
share
my
screen,
I
got
some
slides.
B
F
B
Okay,
oops
now.
E
Okay,
cool
yeah.
I
think
I
think
I
have
this
working,
but
if,
like
the
slides,
don't
move
or
something
somebody
please
like
shout,
okay,
so
yeah,
I
guess
I
also.
I
should
raise
my
hand
as
a
new
person
here.
I've
not
been
to
this
meeting
before
and
I
very
much
appreciate
being
invited
to
talk
to
y'all.
Today,
I'm
bobby
holly,
I'm
a
distinguished
engineer
at
mozilla,
and
I
guess
something
about
me.
E
E
So
this
tool
is
running
in
production
for
firefox.
Today,
however,
we
haven't
really
done
like
a
general
release
yet,
and
I
would
say,
strictly
speaking,
we
haven't
even
really
announced
it,
but
nevertheless,
like
people
lurk
on
our
email
lists
and
word
spreads.
We've
already
got
a
fair
amount
of
inbound
interest,
which
I
generally
take
is
a
good
sign
that
we're
on
the
right
track.
E
Our
near-term
objective
with
this
is
to
secure
firefox,
but
our
long-term
objective
is
to
secure
the
ecosystem,
and
so
it's
very
important
to
us
that
we
build
the
tool
that
people
actually
like
and
want
to
use,
and
it's
especially
important
given
the
design
of
cargo
vets,
because
the
dual
has
very
strong
has
network
effects
so
the
more
people
that
use
it,
the
less
work
that
anybody
has
to
do
so
did
the
slide
transition
there,
yeah,
okay,
so
yeah.
So
why
are
we
doing
this?
E
Firefox
has,
of
course
you
know
been
around
since
long
before.
Rust
was
the
thing
and
has
always
had
its
share
of
third-party
c
plus
plus
code,
but
it
was
never
really
all
that
much
because
there
was
just
like
a
ton
of
friction
involved
in
pulling
something
in
like
you
had
to
have
lots
of
discussions,
and
maybe
you
had
to
talk
to
a
lawyer
and
then
maybe
had
to
figure
out
the
build
system,
integration
and,
like
all
that
kind
of
stuff,
and
so
as
a
consequence.
E
It
just
was
not
something
that
we
did
all
that
often
it
was
usually
easier
just
to
go
and
like
write.
E
The
damn
thing
yourself,
but
then
russ
came
along
and
had
a
modern
package
manager
and
suddenly
everything
on
crates.io
was
just
a
one-line,
manifest
change
away,
and
this
was
like
a
huge
productivity
boost,
and
so
I
would
say
we
were
reluctant
to
just
outlaw
third-party
crates
in
the
build,
and
so
we
didn't
and
we
quickly
ended
up
with
something
like
400
of
them
and
in
theory,
people
were
supposed
to
audit
the
code
that
they
were
pulling
in.
E
E
You
know
used
all
over
the
place
by
major
companies
and
unfortunately,
though,
there
was
no
way
for
us
to
know
whether
anybody
else
had
actually
gone
and
looked
at
them
or,
if,
like
all,
the
players
in
the
system
were
just
jointly
hurting
around
these
mystery
boxes
and
hoping
for
the
best.
E
And
the
truth
is,
there
is
a
limit
to
how
much
energy
everyone
can
devote
to
securing
their
supply
chains,
and
so
the
harder
it
is,
the
less
likely
it
is
to
happen,
and
I
assume
that
I
don't
need
to
convince
people
in
this
meeting
that
it
is
important
to
secure
supply
chains.
E
So
it's
something
that
we
definitely
want
to
get
done,
and
so
therefore,
the
driving
principle
behind
cargo
vet
is
to
minimize
the
friction
and
make
it
as
easy
as
possible
for
everybody
in
the
system
to
do
the
right
thing,
and
so,
in
that
spirit,
we've
done
a
number
of
things.
E
E
So
next,
I
guess
I
want
to
give
like
a
high
level
overview
of
how
the
system
works.
E
So
you've
got
a
repository
with
your
code,
but
it's
unfortunately
not
really
all
your
code,
because
you've
got
a
bunch
of
these
third-party
mystery
boxes,
and
so,
naturally,
you
are
concerned
about
this
and
you
decide
to
enable
cargo
vet
enabling
cargo
vet
just
involves
adding
the
tool
as
a
linter
and
creating
some
metadata
in
your
repository-
and
this
takes-
I
don't
know
like
five
minutes
and
crucially,
it
does
not
require
you
to
go
and
audit
all
of
your
existing
dependencies.
E
So
then,
suppose,
sometimes
later,
a
developer
comes
along
and
tries
to
pull
in
new
third-party
code,
and
this
new
third-party
code
might
be
a
brand
new
dependency
or
it
might
just
be
an
update
to
an
existing
dependency
that
you
know
happens
to
release
very
often,
and
so
this
new
code
is
not
exempted,
and
so
cargo
vet
will
reject
the
push
and,
of
course,
the
goal
of
cargo
vet
is
not
just
to
be
stop
energy,
but
to
be
user
friendly
and
sort
of
help.
E
You
accomplish
your
goals,
and
so
it
also
helps
the
developer
figure
out
how
to
resolve
the
situation,
and
the
first
thing
it
does
is
to
scan
the
registry
to
see
if
there
are
any
well-known
organizations
like
you
know,
for
example,
mozilla
or
google
that
have
already
audited
the
package
before
and
if
there's
a
match
cargo
vet
tells
you
who
it
is
and
offers
you
the
option
to
add
that
organization
to
your
trusted
imports,
and
so
what
this
system
does
is
it
allows
you
to
sort
of
lazily
at
your
convenience,
build
up
an
increasingly
wide
set
of
approved
crates
that
you
can
trust.
E
But
of
course,
it
may
be
the
case
that
the
developer
needs
to
audit
the
code
themselves
and
that
can
take
some
work.
But
cargo
vet
streamlines
the
process
of
auditing
to
make
it
as
easy
as
possible.
So
often,
somebody
will
have
already
audited
a
different
version
of
the
same
crate,
in
which
case
cargo
vet
computes
the
relevant
diffs
and
identifies
the
smallest
one
for
you
to
review
and
then,
regardless
of
whether
you're
auditing,
a
diff
or
the
full
crate.
It
helps
you
pull
up
the
goods
for
inspection
and
record
the
results.
E
But
I'm
excited
to
announce
that
we've
also
partnered
with
sourcegraph
to
offer
a
rich
audit
experience
in
the
browser
and
source
graph
has
some
very
impressive
technology
here,
for
example,
like
the
indexing
works
correctly
across
both
removed
and
added
lines
in
a
review
of
a
diff
which
is
very
nice
and
it
sort
of
works
exactly
like
you'd
expect,
and
so
I'm
pretty
excited
about
this,
because
it's
a
much
friendlier
audit
experience
than
reading
the
diff
in
your
terminal
and
it
allows
people
to
be
sort
of
more
excited
and
more
enthusiastic
about
doing
audits
and
also
do
these
audits
with
higher
fidelity.
E
So
another
thing
that
cargo
vet
does
to
minimize
friction
is
to
store
the
audit's
entry,
and
this
means
the
developers
don't
have
to
navigate
or
even
authenticate
with
any
sort
of
external
system
like
they
already
have
a
change
set.
That's
adding
the
new
third-party
code,
and
with
this
they
can
just
submit
the
relevant
audits
directly
as
part
of
that
change
set
and,
of
course,
as
mentioned
before,
cargo
vet
has
these
sharing
and
discovery
features.
E
But
these
affordances
are
built
on
top
of
that
system
and
they
do
that
by
pointing
to
the
audit
files
in
the
repositories
of
the
other
organizations.
So
this
also
means
that
there's
no
central
infrastructure
for
any
kind
of
attacker
to
compromise.
The
only
way
that
you
can
spoof
an
audit
from
mozilla
is
to
compromise
the
firefox
repository
itself,
and
I
can
assure
you
that
you
know
we
have
lots
of
people
who
make
sure
that
that
doesn't
happen.
E
E
In
your
build
graph,
you
can
filter
out
platform-specific
code
that
you
don't
care
about,
but
these
and
these
are
obviously
very
useful
for
large
projects,
but
they're
also
all
completely
optional,
and
the
baseline
experience
is
designed
to
be
very
simple
and
hard
to
screw
up
and
that's
because
we
really
want
this
to
be
something
that
everybody
sort
of
both
large
and
small
projects
alike
can
use
without
devoting
a
whole
lot
of
headspace
to
it.
E
You
know
just
sort
of
does
what
you
expect
so
yeah,
I
would
say:
that's
the
high
level.
I
was
told
that
I
only
had
maybe
like
15
minutes
total
for
the
presentation.
Q
a
so
I
didn't
go
into
too
much
more
detail
than
that.
But
obviously,
questions
are
welcome,
happy
to
elaborate
on
any
of
the
aspects
of
motivation
or
the
design.
You
know
you
know
at
this
point
and
of
course,
we'd
love.
E
Any
feedback
of
you
know
how
this
might
work
better
for
you
or
your
organizations
and
so
definitely
well
yeah.
Let's,
let's
take
questions.
A
Yeah,
I
want
to
steal
everything
as
usual,
I
did
have
hey
man
great
out
of
steel.
I
have
some
questions,
just
some
small
ones.
One
was
it
seems
to
me
as
though,
because
you
want
the
audit
to
go
with
the
change
it
more
or
less
has
to
be
done
by
hand
at
the
moment.
A
So,
for
example,
if
I'm
updating
you
know
lib
foo
and
you
know,
I
inspect
lib
food
changes
to
see
that
I'm
satisfied
that
nothing
naughty
has
happened
and
then
I
include
the
audit.
Oh
yeah,
I'm
not
exactly
sure
if
the
details,
because
it's
it's
a
tamil
chess,
obviously.
B
A
E
I
mean,
generally
speaking,
you
probably
want
it.
The
audit
needs
if
you're
using
cargo
vet
as
like
a
linter,
and
that
lender
is
getting
check-in.
Then
the
audit
needs
to
be
part
of
the
store
before
the
commit
lands.
So
it
could
be
a
follow-up
commit
you.
Could
you
could
certainly
record
the
audit
ahead
of
time?
You
know
even
in
its
own
push,
there's
no
there's
no
restriction
on.
E
You
know:
recording
audits
that
aren't
strictly
necessary
yet,
but
the
basic
workflow
of
how
it
works
is
you
know
the
developers
there
they're
trying
to
do
the
push,
and
that
says
like
oh,
like
as
when
you're
running
your
linters,
either
locally
or
you
know,
on
ci,
it
will
say:
cargo
vet
failed
and
you
type
like
okay
cargo
vet,
and
then
it
tells
you
well.
This
is
you
know
this
dependency
is
missing
an
audit
and
then
right
there.
It
provides
you
like
a
command.
E
You
just
copy
paste
in
your
terminal,
depending
on
whether
it's
like
an
absolute
inspection
or
just
a
diff,
so
you
might
save
like
cargo
vet
diff
like
lib,
foo,
1.1,
1.2,
and
then
it
will
sort
of
it
will
pull
up
by
default,
either
the
local
view
or
the
web
view
for
doing
the
inspection.
E
And
then,
when
you're
done
with
that,
you
type
cargo
vet
certify.
And
then
it
will
remember
what
you
had
just
inspected
and
provide
you
sort
of.
You
know
the
a
textual
description
of
the
you
know
the
stuff
you're
supposed
to
be
auditing
for-
and
this
is
kind
of
like
in
a
it's
kind
of
like
a
git,
commit
thing
where
it
opens
up
an
editor.
E
And
you
know
you
sign
your
name
at
the
bottom
and
then
that
will
automatically
go
and
put
the
change
in
the
entry
audits.tamil
file,
and
so
whether
you
want
to
then
take
that
and
add
it
to
your
existing
change
set
or
when
you
make
a
new
change
set
or,
however,
you
want
to
do
that.
It's
up
to
you.
A
I
don't
want
to
monopolize
question
time,
but
I
will
ask
or
make
one
more
before
I
get
off
the
queue
and
wait
to
come
back
in
later.
One
thing
we've
talked
about
in
this
group
before
is
the
idea
that
six
store
should
record
for
sig
store,
should
record
far
more
than
just
signatures
right,
where
signatures
are
really
an
attestation
of
authorship
or
committership,
but
we
also
want
to
see
events
committed
to
the
transparency
log
like
this
dependency
was
pushed,
but
also
this
dependency
was
inspected
by
person
x
and
they
said
opinion
y.
A
Do
you
see
something
like
that
being
something
that
could
be
evolved,
or
would
you
see
it
as
like
a
monitor,
watches
the
yaml
and
sorry
the
tunnel
and
then
replace
that
into
the
transparency
log?
Does
this
make
sense
to
you,
or
did
it
just
yeah.
E
On
top
of
you
know,
you
know
whatever
is
in
the
firefox
repository
or
the
wasm
repository
right,
yeah
yeah,
I
mean,
I
think
I
think,
there's
potentially
a
fair
amount
of
value
in
that
like
it's,
I
would
say,
the
fundamental
model
for
for
cargo
vet,
like
I
said,
is
to
is
to
just
lean
on
the
existing
repository
security
models
that
these
sort
of
large
well-known
projects
have
right
because,
obviously
like,
if
you
can,
you
know
if
you
figure
out
how
to
compromise
the
firefox
repository
like
you've
got.
E
There
are
much
more
interesting
things
that
you
can
do
than
than
spoofing
audience
right,
and
so
you
know
that's.
That
would
say
that
that
is
the
baseline,
but
I
think
that
you
know
potentially
like
as
an
additional
layer
of
transparency.
E
You
know
you
know,
there's
potentially
other
things
that
could
be
done,
but
I
haven't
yeah.
I
don't
think
we've.
It's
not
part
of
the
of
the
core
operational
mechanism.
E
A
E
Oh
goodness,
I
probably
should
drop
something
like
that
in
the
slack.
Let
me
read
the
chat
or
whatever
yeah.
Let
me
see
here.
F
I
I
see
b
helinet
that
slash
cargo
dash
vet.
E
That
that
now
re
redirects
to
mozilla.github.comcargo.vet,
so
let
me
go
ahead
and
drop
that
into
the
channel
here.
Okay,.
F
E
Right
and
there's
also
there's
also
a
github
repository,
which
I
think
is
linked
to
somewhere
in
the
book,
but
it's
the
mozilla
github
repositories,
slash
cargo,
vets
and
so
that's
sort
of
where
the
the
code
is
happening.
Right
now,
I
will
say
that
we
have
intentionally
there's
a
there's:
a
dummy
hello
world
crate
under
cargo
vet
right
now,
that's
published
to
crates.io
and
we
specifically
have
like
avoided
publishing
one
just
because
you
know
we're.
E
We've
got
a
couple:
people
that
are
just
kind
of
like
iterating
on
the
features
and
making
sure
like
you
know
it
handles
all
the
edge
cases
and
that
sort
of
stuff
anybody
that's
using
it
right.
Now
we
kind
of
want
to
be
like
really
in
the
loop
and
filing
issues,
but
probably
like
in
maybe
two
weeks
or
something
we'll
do
a
general
release.
F
F
Yeah
second
question:
have
you
had
any
communication
with
the
open,
ssf
security
reviews,
folks,
security
dash
reviews,
project.
E
Yeah-
and
I
would
also
say
that
you
know
the
thing
about
the
cargo
vet
system-
is
that
the
basic
flywheel
is
you
know
designed
to
be.
You
know,
projects
that
are
trying
to
sort
of
manage
their
own
dependencies
and
you
know
in
the
process
of
managing
their
dependencies,
they're,
auditing
them
and
then
they're
sort
of
sharing
that
work.
That
they've
already
done,
however,
there's
totally
space
in
the
system
for
an
entity,
that's
simply
like
whose
job
it
is
to
like
just
audit
stuff
right
so
like.
E
Even
if
you
didn't
you
know,
if
you
wanted
to
go
and
audit,
you
know
the
top
100
crates
on
crates.io,
and
then
you
were
a
well-known
entity
that
people
trusted
and
you
published
an
audits.tamil
for
that.
Then
everybody
could
go
and
pull
that
in.
Even
if
you
weren't,
strictly
speaking,
using
those
dependencies
yourself.
F
G
No,
no!
No!
No!
No,
I
I
see
sort
of
decentralized
dimension
in
terms
of
like
the
individual
organizational
repositories
would
have
audits
of
adventures
that
they've
done,
but
there's
a
registry
area.
I
I
was
a
little
unclear
about
how
that
registry
works.
How
could
I
find
an
audit
that
organization
has
done.
E
Yeah
exactly
yeah
so,
and
you
know
you're
totally
right
that
it
was.
You
know
it's
like
a
bit
of
a
hand
wave
at
this
point
in
the
slides,
like
I
didn't
go
into
it
in
too
much
detail,
but
the
basic
model
of
what
the
registry
does
is
that
people
it's
just
like
a
list
like
for
now.
E
I
think
we're
just
gonna,
restoring
it
in
the
cargo
that,
like
source
repository
itself,
but
it's
a
list
that
cargo
that
fetches,
that
just
maps
like
entity
names
to
the
url
of
their
audit
files
right
so
there's
it
doesn't
actually
contain
any
audits
themselves.
It's
just
a
directory
service.
But
what
that
means
is
that
when
cargo
vet
is
like
trying
to
run
it's
like.
Oh,
like
I
don't
have
an
audit
for
version
1.3
of
foo.
E
It
can
just
check
the
registry
and
it
can
go
just
fetch
all
of
those
audits
from
the
organizations
whether
you
trust
them
or
not,
because
it's
not
you
know
pulling
them
in
as
part
of
your
trusted
set
it's
just
sort
of
looking
around
and
then,
if
it
finds
one,
then
it
can
say.
Oh,
hey,
look
like.
Google
has
already
audited
foo
version,
1.3.
or
point
three.
E
G
G
Organization,
I
would
basically
put
in
a
pr
against
cargo
vet
to
add
my
entry
to
the
tamil
file
right
listing
the
version
these
it's
versions
it's
so
it's
a
name
version
sort
of
look
up
or
is
it
check
somebody
no.
E
Sorry
I
mean
it
would
just
be
a
name
and
then
the
ur,
like
you
know
you
know
your
organization
and
the
url
of
your
auditing
of
your
audits
file
and
then
cargo
vet.
Would
then
you
know
when
somebody's
cargo
event
failed,
it
would
go
and
just
fetch
everything
from
the
directory
and
then
if
it
noticed
that
your
organization
has
actually
audited
the
thing
that
was
needed
or
something
that
was
perhaps
very
close
to
what
was
needed.
E
And
then
you
could
just
like
audit
a
little
diff
on
top
of
that,
then
it
would,
you
know,
inform
you
and
then,
depending
on
like
the
organ,
you
know
how
big
the
organization
is
like,
I
would
say
in
mozilla's
case,
you
know
if
some
developer
ran
into
this
issue
and
then
it
was
like.
Oh
like
I
want
to
go,
pull
in
like
open
ssfs,
like
audits,
individual
developers
wouldn't
have
the
authority
to
you
know
add
an
entity
to
the
trusted
list,
or
rather
they
could
add
it.
E
But
then
it
would
get
reviewed
by
our
security
like
supply
chain
module
right
because
we
watch
we
watch
that
tumble
file
and
then
we
would
say
oh
somebody's,
trying
to
solve
this
problem
by
pulling
this
in,
do
we
you
know,
do
we
think
that's
a
good
idea
or
not
thanks.
E
I'm
not
sure
how
to
yeah.
C
I
think
it
might
be
me,
I
think
the
question
kind
of
was
addressed
by
jason's
question
before
and
I
apologize
because
my
laptop
decided
it
needed
to
restart
immediately
after
you
started
talking.
So
you
might
have
said
this,
but
I
guess
maybe
you
could
just
sort
of
summarize
what
you're
imagining
the
like.
C
You
know
it
seems
like
this
is
mostly
team
focused
for
now,
but
the
like
the
upstream
model
for
like
how
there'll
be
a
shared
vet
amongst
a
community
of
of
resources
there,
and
I
think
you
kind
of
described
it
like
if
you
have
trust
in
some
organization's
project
you
adopt
their
their
vet.
Is
that
sort
of
the
idea.
E
Yeah,
the
basic
idea
is,
you
know,
different
organizations
like
wellness
organizations,
you
know
like
mozilla
is
you
know,
we've
got
our
audits
file
up
there
already.
You
know
the
bytecode
alliance
is
going
to
be
doing
one
with
wasm
time
shortly.
I've
had
a
number
of
back
general
organizational
conversations
with
wellness
organizations
that
are
potentially
interested
in
doing
this
as
well,
and
so
the
idea
is
that
you
know
organizations
are
producing
their
own
audits
and
they
can
choose
or
not
choose
to.
E
You
know
import
them
from
other
organizations
like
as,
as
fits
with
their
you
know,
threat
model
and
security
decisions,
but
that
these
audits
are
published
and
then
people
can
people
can
choose
to
say,
like
you
know,
like
I
think,
if
mozilla
has
audited
this
thing,
then
that's
good
enough
for
me
and
then
they
can
just
automatically
import
all
of
the
audits
from
mozilla
and
then,
if
they
try
to
import
some
package
that
they
haven't
audited
but
mozilla
has
audited,
then
you
know,
cargo
vet
will
pass
and
the
original
model
that
we
had
there
was
that,
like
kind
of
upfront
in
configuring
cargobat,
you
would
kind
of
look
at
the
list
of
organizations
that
were
doing
this
and
choose
which
ones
you
wanted.
E
That
required
you
to
make
sort
of
a
bunch
of
like
upfront
decisions,
and
then
we
switch
to
this
lazy
model
where
you
don't
have
to
add
anybody
up
front
and
then,
when
you
run
into
this
problem
of
like
well
now
I
have
to
audit
this
thing
and
then
you
start
wondering
well
gosh,
there's
like
anybody
else
out
there
like
already
looked
at
it
and
that's
the
moment
when
you
sort
of
you
know
when
there's
potential
value
there
from
importing
one
of
these
other
organization's
audit
sets
and
you
can
make
that
decision.
C
Sure,
okay,
cool
so
kind
of
a
follow-up
question
there,
since
this
group
is
sort
of
like
broadly
focused
across
lots
of
different
ecosystems,
the
the
model
of
then
mechanics
and
maybe
like
this
format
for
the
policy
file
and
the
audit
or
whatever
it
might
be
like
how
tied
to
the
rust
ecosystem
is
that
or
how?
How
much
could
it
extend
into
other
ecosystems?
Do
you
think.
E
Yeah,
that's
a
great
question,
so
I
would
say
currently,
like
the
I
would
say.
The
idea
is
not
particularly
russ
specific.
You
know
the
the
specific
implementation
and
exactly
like
how
you
know
it's
integrated
into
you
know.
Traversing
your
build
graph
like
those
parts
are,
of
course
rust
specific.
E
I
would
obviously
love
to
see
this
succeed
in
other
ecosystems,
like
obviously
like
javascript
and
python,
are
ones
that
come
to
mind,
but
I
think
that
you
know
several
people
have
come
to
me
and
said,
like
hey
like
I
want
to
like
extend
this
to
like
node.js
right
now,
and
I've
suggested
like
hey
like
what,
let's,
let's
wait
a
little
bit,
because
I
think
that
you
know
right
now
we're
you
know
we're
kind
of
getting
this
thing
off
the
ground
and
rust
and
we're
iterating
on
the
design
and
that
sort
of
thing,
and
I
fully
expect
that
there
to
be
potential
like
small
changes
that
we
make.
E
You
know
just
to
make
the
ergonomics
better
for
people
and,
as
we
figure
out
how
it
scales
and
then
I
think,
if
we
can
get
this
thing
working
in
rust
and
we
can
really
demonstrate
yeah
like
a
very
wide
community
of
stakeholders.
Like
is
interested
in
using
this
and
getting
value
out
of
it,
then
I
think
that
would
be
a
useful
proof
point
to
then
go
and
look
at
one
of
these
other
language,
ecosystems
and
then
say
based
on
what
we
learned
and
how
cargo
vet
worked.
C
Okay,
we'll
stay
tuned,
then
I
think
maybe
apu
or
jacques
is
next.
I'm
not
sure.
B
C
B
I
was
just
kind
of
curious,
like
what
granularity
can
you
write
policy?
Can
you
trust
certain
actors
at
google
and
and
maybe
not
others,
and
then,
if,
like
the
google,
orgs
kind
of
pool
of
auditors
changes?
Is
that
something
you
should
be
aware
of.
E
So
the
basic
trust
model
is,
I
mean
fundamentally
I
mean
it's
the
it's.
The
domain
trust
model
right
of
of,
like
you
know,
who
controls
the
files
on
the
domain,
but
the
you
know
the
the
thing
that
you
import
is
a
is
a
url,
and
so
it
would
depend
a
little
bit
of
like
whether
google
decided
to
publish
you
know
separate
audit
files,
for
you
know,
team,
x
and
team
y
or
whether
they
wanted
to
publish
a
consolidated
google
audit
file.
E
E
So,
like
you
know,
if
somebody's
you
know,
if,
if
there's
you
agree
with
99
of
what
this
organization
has
audited,
but
they
like
actually
approved
like
one
thing
that
you
sort
of
you
know,
have
some
philosophical
objection
with,
then
you
can
kind
of
specifically
strike
that
one
out,
but,
generally
speaking,
it's
a
little
bit
up
to
the
organizations
of
what
they
you
know
of
what
granularity
they
publish
with.
E
I
think,
generally
speaking,
I
think
people's
instinct
within
the
organization
is
to
think
that,
like
they're,
very
different,
you
know
that
the
different
teams
are
quite
different,
but
that
the
you
know
perception
from
outside
the
organization
is
just
like
well,
this
is
like
this
is
that
organization
and
that's
the
brand,
and
so
I
do
think
that
teams
are
gonna,
have
to
figure
out
a
little
bit
like
you
know
within
mozilla,
right
like
we
have,
you
know
we
have
firefox,
and
then
we
have
like
a
number
of
other.
E
You
know
smaller
projects
like
including
cargo
vet
itself.
You
know
in
the
mozilla
github
repository
and
the
question
of,
like
you
know,
how
much
do
we
combine
these
or
you
know,
do
people
you
know
have
separate
imports,
for
these,
you
know
is
something
we
have
to
figure
out,
but
I
would
lean
towards
you
know
the
the
high
level
like
you
know
this.
This
carries
mozilla's
stamp
of
approval.
I
think
that's
kind
of
the
the
most
understandable
granularity.
E
There's
a
directive
for
the
audit,
where
you
know
the
normal
thing
you
do
when
you
audit
is,
you
say
like
this
looks
good,
but
you
can
also
say
like
no,
this
is
a
violation.
Audits
are
defined
in
terms
of
criteria
right,
so
this,
like
you,
know,
you're
auditing,
for
a
given
set
of
criteria
and
there's
there's
some
built-in
criteria
and
if
you
say
like
no,
this
crate
actually
violates
those
criteria.
E
You
can
mark
that
and
then
that
will
just
like
prevent
the
thing
from
from
being
allowed
on
anything
that's
pulling
in
those
imports
and
the
reason
we
have
this
like
exclusion
thing
that
I
mentioned
just
a
minute
ago.
Is
you
know
in
case,
like
two
organizations
get
into
some
like
fundamental
disagreement
of
like
well,
this
is
unsound
but
like
well.
It's
like.
We
think
it's
like
totally
fine.
You
know
or
something
like
that.
E
B
Okay,
cool,
I
think
matt
was
next.
G
Yeah,
it's
kind
of
it's
kind
of
a
follow-on.
Maybe
you've
answered
this
partly,
but
when
you
introduce
the
term
audit,
that's
usually
very
loaded,
it
implies
that
there's
a
standard
with
a
framework,
a
set
of
controls
with
checklists
certifications
for
people
followed
up.
You
know
certain
steps
they
have
to
follow,
control,
lists
and
things
like
that
ways
of
recording
your
audit
results
and-
and
things
like
that,
I
mean
it.
G
You
see,
it
seems
like
this
trust
change,
trusting
an
org
that
at
that
level,
granularity
is
not
enough
that
there
has
to
be
some
rigor
behind
it
and
such
frameworks
and
controls
to
ensure
that
audits
are
performed
uniformly
across
different
orbs
or
at
least
an
attempt
to
do
those
things.
Have
these
things
been
discussed
at
all.
E
Yeah,
so
I
will
say
you
know,
as
part
of
the
system
like
I
mentioned
before,
like
audits
are
defined
relative
to
criteria
I
didn't
get
into
into
the
talk,
because
it's
you
know
it's,
it's
perhaps
a
level
of
detail
more
than
I
could
fit
in
10
minutes.
But
yes,
there
are.
There
are
some
built-in
audit
criteria,
which
you
know
have
specific
text
of
like
what
is
what
you
should
look
for
and
what
is
allowed.
E
These
are,
and
I
think
they're
specified
in
the
book
and
also
showed
to
you
on
the
command
line
when
you're
doing
this,
but
the
built-in
ones
are
safe
to
run
and
safe
to
deploy.
The
main
difference
is
that
safe
to
run
is
that
this
thing
is
not
actively
going
to.
You
know:
compromise
you
on
its
own
and
safe
to
deploy.
Is
this
thing
is
hardened
against
untrusted
inputs
and
therefore
like,
even
if
it's
exposed
inputs
in
the
wild,
it
will
also
not
compromise.
You
is.
E
Not
at
that
level
granularity,
no,
so
the
way
it
basically
works
is
that,
like
you
know,
I
can
say
you
know
in
firefox,
you
know
we
have.
The
audits
are
well
all
of
cargobed's
metadata
is
stored
in
a
directory.
The
default
directory
is
the
top-level
supply
chain
directory,
and-
and
so
we
have
a
specific
governance
module
that
governs
that
and
whenever
somebody
submits
something
to
that,
we
look
at
it
and
we
perhaps
go
and
talk
to
the
person
like
depending
on
you
know.
E
Our
level
of
you
know
like
whether
this
is
a
very
senior
engineer
that
we
have
a
huge
amount
of
confidence
in
versus
like
a
relatively
junior
person.
Certainly
if
it's
an
external
contributor,
you
know
that
that
might
be
something
we
just
wouldn't
accept,
but
so
we
have
some
degree
of
governance
processes
like
around
what
audits
go
in
and
get
the
mozilla
seal
of
approval,
but
there
is
not
an
attempt
to
standardize
what
the
seal
of
approval
means
across
organizations.
I
don't
think
that
that
is
particularly
tractable,
but.
G
You're
implying
that
that
there
are
people
involved,
so
it
would
still
require
some
level
of
recording
of
signatures
and
things
like
that
right
signatures,
signatures
of
the
people
you
approved
to
perform
the
audits.
You
know
I
perform
this
audit
and
I'm
and
I'm
submitting
this
audit
or
these
people
contributed
to
the
audit
right.
So
it's
like
the
trust
chain.
You
know
it
goes
back
to
org
level
back
to
you.
Basically,
you
rely
back
to
individuals
to
go
back
to
individuals.
G
E
Yeah,
but
the
way
that
the
identities
are
managed
is,
by
the
same
way
that
identities
are
managed
in
our
existing
code
development
processes.
Right,
like
people
have
you
know,
people
have
authenticated
with
our
code
repository
that
allows
them
to.
You
know,
submit
code
to
it,
and
certainly
that
also
allows
them
to
do
reviews.
So
when
people,
when
somebody
submits
an
audit
or
you
know,
submits
a
patch
that
you
know
adds
an
audit
to
the
tamil
file,
we
know
who
they
are,
and
so
it
goes.
E
I
don't
know
exactly
what
you
mean
by
sign
commits
in
this
case,
but,
like
you
know,
we
have
a
code
development
process
where
somebody
comes
along
and
they
submit
a
patch
under
their
identity
and
that
shows
up
in
our
fabricator
and
then
we
have
different
policies
around
reviews
in
different
directories
and
then
those
have
to
get
reviews
by
the
appropriate
authenticated
people
using
sort
of
mozilla's
processes.
E
And
then,
when
that
all
gets
approved
it
gets
landed.
I
I
feel
like
I'm,
not,
I'm
not
sure,
I'm
really
understanding
the
question.
A
A
Yeah,
so
I
think
matt
is
thinking
in
terms
of
like
what
we
talk
about.
A
lot
is
attestations,
which
is
some
statement
of
fact
with
an
attached
signature
that
has
an
identity
like
some
proof,
something
can
be
proved
that
the
attestation
was
created
by
person
x
or
by
identified
workload
x
in
some
cases.
A
So,
for
example,
at
the
moment
the
identification
is
relying
on
the
git
commit
is
what
I'm
hearing
so
like.
Who
is
the
author
or
the
committer
of
the
commit?
I
think.
E
Well,
I
mean
mozilla,
we
don't.
We
don't
use
github
for
our
development.
We
use
something
called
fabricator,
but
it's
yes,
it
would
be
similar
yeah,
but
the
whatever.
C
A
E
Yes,
I
or
well,
I
think
that
the
the
baseline
design
of
cargo
vets
is
to
rely
on
the
repository
right
that
this
repository
is
the
thing
that
the
organization
is
putting
forward
as
something
that
it
is
standing
behind.
You
know
that
this
is
you
know,
whatever
the
the
the
by
code
alliance,
github
organization,
there's
the
wasm
time
repository.
That
is
the
thing
that
people
are
pulling
releases
from
and
sort
of,
implicitly
trusting
whenever
anybody's
using
code
from
them,
and
so
that
that
is
sort
of
that
is
the
attestation
point.
E
Okay
and
and
the
organizations
use
their
existing
processes
for
accepting
code
to
in
whatever
governance
model,
they
set
up
to
figure
out
what
audits
get
included
in
that
source.
Repository.
A
Okay,
so
I
think
there's
a
there's
a
further
conversation
we
can
have.
I
don't
know
whether,
today
or
or
it's
on
on
the
slack
about
what
kinds
of
method
of
attestation
people
want.
So,
for
example,
you
know
at
the
moment
we
have
a
tool
called
git
sign
which
creates
a
digital
signature
that
is
written
also
to
a
transparency
log.
So
there's
a
very
strong
public
record
that
person
x
was
responsible
for
commit
y
that
doesn't
rely
on
the
commit
itself,
but
I
won't
go
into
that
too
much.
E
And
I'll
just
say:
oh
on
that,
specifically
about
like
individual
developers,
doing
some
sort
of
signature.
That
is
an
explicit
design,
choice
of
cargo
vet
to
not
require
any
sort
of
additional
identity
or
authentication
beyond
whatever
they
use
to
interface
with
the
project
repository
itself.
E
Okay,
specifically
because
it
is
a
concern
about
like
friction
and
then
making
it
much
more
difficult
for
developers
to
participate
in
the
system,
because
you
know
if
I'm
a
mozilla
developer
and
I'm
just
like
you
know,
working
on
firefox
code,
I'm
landing
firefox
code,
all
the
time.
I
have
my
little
workflow
on
that
and
if
suddenly,
I'm
in
the
thing
where
I
have
to
you
know
create
like
a
new
public
identity
or
get
a
you
know,
figure
out
a
public
key
or
all
that
kind
of
stuff.
A
Okay,
so
I
had
some
questions
which
are
which
are
unrelated.
Oh
I've
got
three
sorry
joseph
and
it'll
take
a
little
while
to
get
through
these.
The
first
one
is:
is
there
some
notion
of
saying
that
I
trust
like
n
out
of
k,
audits,
or
I
trust
any
two
in
this
group
of
five-
something
like
that.
E
It
does
not
exist
yet,
but
that
is
something
that
I
think
would
be
very
it's
something
we've
thought
about
and
would
be
very
easy
to
do.
On
top
of
this.
A
Yeah
like,
for
example,
for
you
know,
speaking
with
my
shopify
hat
on,
there's
a
number
of
other
companies.
We
would
trust
to
audit.
So
if
we
saw
two
out
of
github
airbnb
square
and
stripe
we'd
probably
be
like
this
is
sweet.
This
is
fine
with
us,
so
that
would
be
very
useful
as
a
capability.
E
Yeah
and
that's
that's
something,
yes
again,
something
we've
we're
very
excited
about
as
a
possibility.
I
think
you
know
the
first
mvp
of
this
I
mean
is
getting
to
the
point
where
you
can
import
most
popular
crates
on
crates.I
o
and
at
least
one
entity
will
have.
You
know
signed
off
on
that
which
is
a
strict
improvement
over
what
we
have
today
and
then
once
we
do
that,
then
we
can
start
adding
the
redundancy
in
of
having
multiple
entities.
E
A
Because
I
imagine
I
I
mean
extending
on
this-
I
imagine
there'll
be
like
a
lot
of
out
of
band
arrangements.
This
is
this
is
also
slightly
touching
on
what
matt's
asking
about
auditing,
I
think,
like
the
definition
of
voting
in
some
sense
is
not
technologically
described
it's
it's
out
of
band
agreements
between
different
parties
that
they
will
recognize
each
other's
audits,
because
they've
agreed
to
some
some
approach.
So
I
had
a
question
is
there's
a
terminology?
We
use
a
lot
when
we're
talking
about
attestations,
which
is
predicate.
A
I
hope
I'm
not
using
this
wrong
trishank
if
you're
still
on
the
call,
which
is
something
that
comes
out
of
in
total,
which
is
basically
like
your
verb
or
action
for
the
thing
you
did
and
there's
an
example.
E
Yes,
so
the
there
is
only
one
verb
which
is
audited
in
accordance
with
the
associated
criteria
here,
but
audit
records
specify
what
the
criteria
are,
and
so,
if
you,
you
know,
I
would
say,
I
would
say,
probably
like
the
the
default
here-
is
security
audit
and,
like
I
sort
of
described
before,
there's
those
two
levels
of
security.
Audit
of
you
know
like
actively
malicious
versus
hardened
against
interested
input,
and
but
you
can
certainly
there's
affordances
for
specifying
your
own
criteria
and
for
mapping
those
custom
criteria
across
different
projects.
E
So
if
you
want
to
introduce
sort
of
other
concepts
of
of
of
what
people
might
be
doing,
that
would
be
done
by
specifying
criteria.
So
I
guess
so
it's
it's
there's
one
verb,
but
but
a
number
of
nouns
or.
B
E
A
Yeah
you're
taking
me
back
yeah,
I
I
guess
in
the
long
run,
I'd
hope
that
this
group
can
help
to
suss
out
some
common
terminology
or
common
taxonomy,
because
one
of
my
goals
in
participating
in
this
group
is
that
my
peers
in
abstech
and
infrasec
should
not
need
to
run
multiple
monitors
to
deal
with
different
ecosystems.
They
should
run
one
monitor
that
has
a
common,
a
common
language
to
the
degree
it's
possible.
The
last
one
question
I
had
was
about
private
auditability.
Like
can.
E
Absolutely
yeah,
so
there
is
the
the
model
that
I
described
is
a
little
bit
of
a
simplified
model,
and
that
assumes
that,
like
everybody's
repositories,
source
repositories
are
open
source
right
and
when
the
source
depositor
is
open
source,
you
don't
have
to
do
anything
fancy
because
you
just
like
point
to
somebody
else's.
E
You
know
you
point
to
github
slash,
buy
code
alliance,
you
point
to
ht.mozilla.org
mozilla
central
and
you
you
that's
where
you
find
the
audit
file,
it's
just
you're,
pulling
it
out
of
the
source
tree
and
nobody
has
to
do
any
extra
work
to
publish
it.
Obviously,
if
you
have
some
sort
of
private
project
that
doesn't
work,
and
so
what
you
would
do,
then
is
you
would
have
a
mechanism
by
which
you,
you
know,
pull
the
audit
file.
E
You
know
you
pull
out
you
sync,
the
audit
file
out
of
that
private
repository
into
some
known
public
location
that
you
then
add
to
the
registry.
There
is
there's
an
additional
affordance
which
again
was
a
detail.
I
didn't
get
into
of
handling
multi-repository
organizations
that
want
to
consolidate
them.
E
There's
a
there's,
an
affordance
called
cargo
vet
aggregate
that
allows
you
to
sort
of
aggregate
audits
from
like
a
bunch
of
different
things
and
create
sort
of
one
unified
one
that
sort
of
points
to
the
thing
that
it
originally
came
from,
so
that,
for
example,
if
you
have
an
organization
like
you
know,
I
would
like
to
be
able
to
pull
in.
E
You
know,
microsoft
or
meta,
or
something
like
that,
and
I
know
that
these
organizations
have
a
whole
bunch
of
different,
like
repos,
a
whole
bunch
of
different
software
repositories
under
the
roof,
and
it
is
not
a
particular
you
know
it
may
not
be
a
detail
that
I'm
interested
in
of
you
know
exactly
which
one
it
is,
and
so
that's
what
that
aggregation
affordance
is
but
yeah,
generally
speaking,
oh
go
ahead.
Sorry.
A
I
I
I
don't
know
if
I
heard
what
I
was
trying
to
try
to
do
for
and
joseph
I
promise
this
is
the
last
interruption
I'll
have
which,
which
was,
if
I'm,
if
I'm
meta,
I
might
want
to
reveal
some
of
my
audits,
but
I
might
not
want
to
be
revealing
all
of
my
audits
because
I
don't
want
to
signal
to
potential
attackers
what
dependencies
I
have
you
know.
Different
different
companies
have
different
levels
of
paranoia
around
this.
A
You
know
we've
had
informal
discussions
with
other
companies
about
doing
like
this
general
idea
for
ruby
and
it
has
come.
One
of
the
sticking
points
has
been
some
of
our
peers
are
like.
We
don't
want
to
publish,
we
don't
want
to
publish
what
dependencies
we
have.
We
do
want
to
do
audits
and
we
want
a
recording
mechanism
for
it,
but
we
don't
have
to
share
that
publicly.
E
Right,
and
so
I
guess
what
I'm
saying
is
that,
assuming,
if
you're
in
a
world,
if
you
have
some
project
as
a
company,
that
you
don't
want
people
to
know
what
the
dependencies
are,
I
would
assume
that
that
project
is
not
open
source
right,
because
if
it
was
open
source,
then
somebody
could
just
look
at
this
or
you
know
if
it
was
public.
Somebody
could
just
go.
Look.
E
You
know,
regardless
of
your
audits,
and
see
what
you're
using,
and
so,
in
that
case,
it's
in
some
private
location
and
the
default
would
be
that
you
didn't
share
your
audits
with
anybody
at
all.
And
if
you
wanted
to
share
your
audits
with
somebody
you
would
you
know
build
some.
E
You
know
the
simplest
thing
would
be
something
that,
like
you
know,
rsyncs
to
file
to
some
public
server
and
then,
if
you
wanted
to
have
do
something
a
little
bit
more
complicated
where
you
wanted
to
have
a
policy
of
stripping
some
of
those
audits
out
like
you
wanted
to
share
some
of
them,
but
not
all
of
them.
E
Whatever
that
synchronization
tool
would
you
would
then
have
to
grow
some
some
stripping
capability,
and
I
would
be
totally
open
to
building
that
into
cargo
vet
if
we
had
a
clear
sense
of
what
the
use
cases
were
and,
like
you
know
some,
you
know
common
mechanism
that
would
be
applicable
to
other
multiple
organizations,
but
I
do
suspect
that
in
the
sort
of
in
the
early
days
it
will
not
be
that
difficult
for
people
to
kind
of
just
hand
roll
whatever
they
need
for
that.
B
Sorry,
I
think
actually,
meanwhile,
all
my
questions
were
answered,
but
actually
maybe
let
me
summarize-
if
I
understand
this
too
well
so
currently,
it's
just
a
tumblr
file
with
audits,
right
and
there's
cli
tool
around
this
file,
which
you
can
manipulate
with
the
predefined
structure
and
also
the
cli
tool,
is
capable
of
helping
you
doing
the
audit.
So
it
can
actually
show
you
the
differentiations
between
two
cargo
versions
of
crates
right.
B
So
in
the
end,
it's
totally
non-invasive
right,
because
how
do
you
version
that
file?
How
people
are
changing?
That
file
depends
on
your
approach,
just
nothing
actually
around.
It
really
depends
it's
the
same
as
your
oh,
it
can
follow
the
rest
of
the
project
and
how
do
you?
How
do
you
version
your
code
right.
E
Exactly
yeah
yeah,
that's
that's
really.
The
idea
is
that
we
want
this
to
not
take
headspace
from
people
right,
because
it's
going
to
be
something
you
know
mozilla,
we
have
hundreds
of
developers
that
work
on
firefox,
and
you
know
to
make
this
a
not
very
to
make
this
a
very
a
sort
of
cheap
investment
for
us
to
make
we
the
easiest
way
to
do.
That
is
to
avoid
adding
like
two
hours
of
friction,
the
first
time
like
each
of
those
developers
like
bumps
into
this
thing
and
has
to
figure
it
out
right.
E
So
if
the
answer
is
it's
just,
this
fits
in
your
workflow
you're,
just
modifying
the
the
code,
as
you
were
just
stick
it
in
your
patch
that
the
theory
is
that
that
goes
a
long
way
to
making
it
a
lower
cost
to
deploy.
B
E
Yeah,
I
will
also
just
say
that
there's
the
audits
file
and
then
there's
also
a
separate
config
file
that
allows
you
to
do
things
like
specifying
different
policies
for
parts
of
your
subtree
and
that's
also
where
your
list
of
exemptions
is
stored.
But
the
basic
idea
is:
there's
conceptually.
There's
sort
of
two
files,
like
the
audits
file,
is
the
thing
that's
shared
with
the
ecosystem,
and
then
the
config
file
is
the
thing.
E
That's
kind
of
like
private
to
your
to
your
project
and
that's
sort
of
what
that
is,
the
design
criterion
of
what
information
goes
into
each
of
those
files.
G
E
Oh
yeah
are
there
any
other
questions?
I'm
glad,
I'm
glad
that
we
ended
up
with
a
relatively
light
agenda,
because
I
definitely
took
more
than
my
a
lot
of
15
minutes.
C
Cool
bobby,
thank
you
so
much
for
coming
and
talking
to
us.
I
think
everyone
is
super
interested
in
the
topic
and
we'll
be
excited
to
see
where
cargo
that
goes
and
maybe
how
we
can
sort
of
generalize
it
across
some
other
ecosystems,
because
I
think,
there's
definitely
a
demand
there.
So
yeah
thanks
again
super
cool
project.
Please,
please
keep
in
touch
with
us.
I
see
you're
in
the
slack
but
like
let
us
know
as
things
progress
or
has
things
changed,
definitely
clue
us
in.
E
Yeah
definitely
and
yeah,
thanks
again
for
everybody
for
having
me
thanks
for
all
the
questions
and
feedback,
I'm
happy
to
talk
sort
of
more
about
any
of
these
topics,
and
you
know,
most
importantly,
you
know:
we've
got
sort
of
ad
hoc
inquiries
from
various
companies
that
are
interested
in
using
this.
E
You
know
who
are
using
rust
and
would
be
interested
in
using
this
sort
of
concretely
to
secure
the
rest
supply
chain,
but
if
you
all
are
familiar
with
any
other
companies,
your
companies
or
ones
that
you
work
with,
or
organizations
or
projects
for
which
this
might
be
a
good
fit,
definitely
reach
out.
And
let's
talk
about
the
use
case,
because
you
know
the
more
organizations
that
use
it,
the
more
successful
it'll
be.
C
Sweet
thanks
again
moving
on,
I
just
stuck
a
quick
fyi
in
the
docs
here.
Let
me
show
you
my
screen
back
again.
C
C
F
Yeah,
I
I
slipped
in
a
quick
additional
agenda
item
request,
if
you
don't
mind
yeah,
so
it's
in
the
notes
here,
but
basically
I
think
many
of
you
know
that
the
open,
ssf
mobilization
plan
was
put
out
as
10
streams.
The
question
obviously
is
what
to
do
next.
At
the
time
we
were
just
focused
on
the
what
to
do
and
not
how
and
who,
but
that
doesn't
need
to
get
answered.
One
thing,
that's
being
looted.
F
No
decision
made
anything
like
that,
but
basically
trying
to
come
up
with
a
bunch
of
of
groups
calling
them
sigs
and
stream
10,
which
involves
supply,
improved
supply
chains,
looks
like
something
that
maybe
could
be
created
in
support
to
this
report.
Up
to
this
working
group,
as
I
said,
nothing,
nothing
set
in
stone
or
anything
like
that,
but
just
to
want
to
give
folks
a
heads
up
that
that's
a
topic
of
discussion.
C
D
What
we're
currently
in
the
middle
of
talking,
with
both
the
governing
board,
as
well
as
the
the
foundation
staff
from
what
is
the
correct
execution
model,
and
if
you
look
across
all
of
the
ten
work
streams,
there's
quite
a
bit
of
variability
that
exists
so
we're,
as
david
noted,
like
we're
still
in
the
middle
of
trying
to
codify
approaches
that
work
across
the
diverse
set
of
activities
across
the
work
streams,
but
certainly
in
the
open
spirit
of
open
source.
D
If
folks
see
short-term
shovel-ready
projects
that
you
know
out
of
this
discussion
are
out
of
the
broader
work
out
of
this
working
group
that
align
really
well
with
something
was
identified
in
that
mobilization
plan
we're
looking
to
as
we
pull
that.
F
D
Together,
we're
looking
for
things
to
kind
of
sanity
check
it
again.
So
if
folks
do
have
ideas
of
of
things
that,
if
you'd
like
to
kind
of
request,
funding
or
resources
or
or
map
up
to
some
of
the
evangelization
and
the
the
recruiting
that
has
been
done
to
get
more
people
interested
in
funding.
This
we're
trying
to
figure
out
the
exact
logistics
there.
D
So,
if
folks
have
any
other
questions
or
or
ideas
like,
I
said,
feel
free
to
reach
out
to
david,
or
I
will
put
that
together,
but
we're
still
early
days
of
of
sketching
that
out.
F
C
You
know
that's
great
and
I
know
we
had
talked
a
little
bit
about
that
when
the
for
the
folks
that
were
in
person
in
dc
back
when
we
were
talking
about
the
streams
we
so
we're
like
yeah,
there's
a
lot
of
overlap
here.
So
I
think
that
makes
sense
cool
anything
else
for
the
agenda.
Otherwise,
a
couple
minutes
back.