►
A
Nothing
better
than
than
recorded
small
talk
broadcast,
hey
trey
good
good
to
see
you
here,
hey
bud,
sorry
to
be
off
camera
yeah!
No,
no
worries!
Trey!
Jacques!
Have
you
met.
B
A
C
A
Very
interested
in
supply
chain
security,
broadly
especially
from
a
policy
angle.
So
it's
here,
I
guess,
to
check
it
out.
Jacques
works
at
spotify
works
a
lot
in
the
ruby
ecosystem.
B
Which
is
often
confused
because
they
they
start
with
s
and
then,
if
I
it's
a
pleasure
to
meet
you
trey,
I
read
the
atlantic
council
paper
on
supply
chain
issues
a
while
back
yeah.
I
was
really
impressed.
It
was
very
helpful.
A
C
B
B
Oh
thank
you
for
posting
that
zach
I'll
give.
A
B
Welcome
everyone
who's
joining
the
last
few
minutes,
I'm
going
to
give
it
a
few
more
minutes
before
we
kick
off,
there's
a
link
to
the
notes
and
if
you
can
mark
yourselves
as
attending
that
would
be
super
helpful.
B
Okay,
folks,
it's
five
minutes
past
and
I
think
we
can
get
started
relatively
thinly
attended
today.
Normally
we
have
more,
there
must
be
some
sports
game
going
on
somewhere
that
I
don't
know
about,
and
indeed
care
about.
B
So
the
first
thing
we're
going
to
start
with,
as
we
do
in
most
meetings,
is
a
welcome
to
our
new
friends.
So
if
you're
new
to
the
group
or
if
you've
been
here
before-
and
you
haven't
introduced
yourself
before
now-
it's
a
great
time
to
let
us
know
about
yourself
and
why
you're
here.
C
C
Welcome:
hey
yeah.
I
can
maybe
go
next
midair
nice
to
meet
you.
I
work
on
the
google
open
source
security
team
and
you
know
the
this
sort
of
package.
Software
package
distribution
is
a
very
important
problem,
so
very
very
interested
in
the
space.
B
All
right
we're
all
friends
here
so,
first
of
all,
let's
have
a
look
at
the
action
items.
I
don't
see
most
of
the
folks
listed
in
this,
although
I
do
see
zach
that
you
were
tagged
in
an
action
item
to
talk
about
yeah,
widespread
domain
resurrection
is.
A
I
I
misleadingly
made
the
first
word
of
this
action
item
someone
else's
name,
but
we've
been
spending
a
bunch
of
time
in
the
past
couple
of
weeks.
Couple
months.
Talking
about
this,
this
threat
of
domain
resurrection,
attacks
quote
unquote
and
so
that
the
sort
of
classic
example
is
I
sign
up
for
my
rubygems
account
with
a
vanity
email
domain,
and
then
I
go.
I
don't
know,
stop
programming,
stop
renewing
my
domain.
A
My
registration
lapses.
Someone
else
snaps
up
that
domain.
They
run
the
password
reset
flow
on
rubygems
and
the
password
recovery.
Email
gets
sent
to
a
new
person
who
is
not
me
and
should
not
be
publishing
packages
under
under
my
name,
and
so
we've
been
discussing
a
lot
of
potential
mitigations
potential
ways
to
detect
this,
but
we
were
realizing.
We
don't
really
understand
very
well
how
widespread
this
problem
is.
A
You
know
it's
flashy,
you
hear
about
it,
but
maybe
it's
you
know
like
a
couple
of
packages
that
don't
have
any
downloads,
so
we're
interested
in
quantifying
that-
and
I
had
hoped
to
have
a
proposal
by
tonight,
but
I
I
I
don't
so
so
expect
that
in
the
next
few
days,
but
a
proposal
basically
for
if
you
have
access
to
a
database
of
users
for
a
package
repository
some
templates
for
for
queries,
you
could
run
over
over
that
over
those
sort
of
users.
A
That
would
give
us
some
some
insight
into
this,
and
and
so
that
that
I
suppose,
is
yeah.
So
that'll
that'll
come
in
the
next
couple
of
days
and
it'll
be
done
in
a
way
where
you
can
run
it
yourself.
You
don't
have
to
you
know,
share
any
any
information
which
might
might
be
sensitive,
but
we
can
get
some
interesting
act
or
get
statistics
to
really
within
this
group
understand
the
problem
so
expect
that,
in
the
in
the
slack
and
and
maybe
in
in
the
email
group.
B
Yeah,
that
was
one
of
the
questions
I
remember
when
we
discussed
this
last
time
was
how
prevalent
is
it
actually
very
high
profile
when
it
happens,
but
next
one
I
see
is
jason
has
a
java
specific
doc.
I
don't
see
jason
here
today,
so
I
think
we'll
have
to
skip
over
that
one.
It
might
be
the
same
with
alex
and
patrick
and
brandon.
So
I
think,
unfortunately,
we've
burned
through
the
action
items
unless
anyone
could
speak
up
for
one
of
those
folks.
E
Sorry,
I'm
having
some
internet
issues
right
now.
I
don't
really
know
what
the
json
doc
is,
so
we
so
we
just
as
an
update.
We
did
sort
of
come
to
resolution
on
the
multi-artifact
thing
we're
going
forward
with
with
signing
like
every
artifact,
because
we've
sort
of
established
that
that's
not
really
a
problem
on
the
recourse
side
and
simpler
for
us
to
to
go
that
way.
Right
now.
E
What
we're
looking
at
is
trying
to
come
up
with
a
kind
of
something
that
makes
sense
for
java
as
like
a
format
for
making
sure
that
we
store
all
the
bits
that
we
need
to
do
offline
verification,
because
that
might
be
a
concern
in
the
long
run,
and
we
also
want
to
share
that
doc
with
the
other
package
manager
so
that
we
can
might
like.
We
might
consider
sort
of
doing
the
same
thing
across
the
different
languages.
B
Yeah,
I'm
a
big
I'm,
a
big
fan
of
where
possible,
having
having
shared
schemata,
to
avoid
having
to
write
different
monitors
over
and
over,
although
we'll
probably
do
it
just
because
it's
fun
all
right,
so
the
first
one
of
the
generations.
Oh.
C
A
Yeah,
I
I
can
speak
to
jason's
document
it
it's
very
complementary
to
the
existing
domain
resurrection,
doc
that
I
wrote
just
with
some
java
specific
flavor.
So
I
I
think
we
can
just
go
ahead
and
give
jason
swank
is
the
one
responsible
for
that.
So
I'll
give
him
another
ping,
and
hopefully
he'll
share
it
out
with
the
group.
F
Actually,
I'm
here
from
sonotype
jason
is
out
on
pto
for
the
next
couple
of
weeks.
Yeah.
F
But
I
I
do
recall
when
he
you
know
reported
to
me
that
he
had
chatted
with
you
zach
and
I
can't
remember
where
the
ball
is
on
on
our
part.
But
I
actually
I
I
don't.
I
haven't
seen
the
late,
the
latest
dog,
but
he's
out
until
yeah
the
first
week
of
july.
Sorry.
A
Gotcha
that
thanks
thanks
for
sharing
that
joel
the
document
itself
is
in,
I
think,
pretty
good
shape
and
ready
for
for
folks.
This
comment
I
just
didn't-
want
to
be
the
one
to
hit
the
button
I'd
rather.
F
A
B
Cool
before
I
announce
again
that
the
first
item
is
mine,
is
there
anything
else
that
folks
had
from
the
action
items
that
they
could
bring
up
or
cover
or
wanted
to
ask
a
question
about
that?
Maybe
we
could
answer
I'll.
Take
that
as
a
no
all
right,
so
the
first
one
here
it
says
asking
for
help
with
domain
monitoring.
I
wish
jacques
had
had
left
more
detail
than
detailed
notes
about
what
he
meant,
but
if
I
had
to
take
a
guess,
this
is
probably
a
question
about
domain
experiences
with
domain
monitoring
services.
B
So
I
have
no
of
at
least
one
package
service
that
uses
a
service
called
demayna,
which
requires
bulk
uploading
domains
to
be
checked,
and
we
are
curious
whether
people
are
aware
of
more
dynamic
or
you
know,
callback
style
domain
monitoring,
because
that
reduces
the
window
of
opportunity
for
attackers.
B
Okay,
it
sounds
like
we'll
have
to
revisit
that
one
one
here
is
mark
for
miles.
I
don't
think
miles
is
here
by
the
look
of
it
this.
This
is
a
I
think,
going
to
be
a
returning
topic
of
discussion,
which
is
that
some
of
the
security
measures
that
we're
introducing
introdu
also
introduce
support
load.
B
So
the
classic
example
is
multi-factor
authentication.
I
love
it,
you
love
it,
everyone
loves
it
and
then
they
lose
their
phone
and
they
don't
love
it
anymore
and
they
want
their
stuff
to
be
reset
and
so
there's
a
support
burden
to
fix
it,
but
also
to
ensure
that
you're
not
being
so
like.
What's
it
called
socially
engineered
as
a
support
person,
because
bad
people
can
be
very
persuasive,
I
think
miles
was
looking
for
other
experiences.
I
don't
see
I
mean
apart
from
joel
and
patrick.
B
A
Okay,
well,
I
I
know
one
of
the
reasons
miles
wanted
to
bring
this
up.
Is
that
so
npm,
for
instance,
and
maven
central
of
course,
have
you
know,
organizations
behind
them
with
with
you
know
reasonable
staffing?
A
A
lot
of
the
other
repositories
are
volunteer,
run
for
the
most
part,
and
so
we
just
wanted
to
float
the
idea
of
perhaps
the
open,
ssf
being
the
vehicle
through
which
these
volunteer
run
repositories
get
you
know,
perhaps
support
staff
and
common
practices
there
and
and
sort
of
perhaps
some
economies
of
scale
when
it
comes
to
when
it
comes
to.
You
know,
identity,
verification
and
so
on.
A
D
Yeah-
and
the
only
thing
I
was
going
to
say
is
like
our
our
little
corner
of
the
world
is
very
small
and
we
have
like
a
person
a
week
who
spends
not
even
half
time
dealing
with
with
requests
that
come
in
and
and
but
we
also
also
offload
like
a
lot
of
stuff
onto
like
github,
logins
and
stuff.
So
we
don't
even
have
2fa
really
stuff
to
worry
about
right
now,
even
though
we
should
but
yeah
another
problem.
B
B
Yeah,
I
think
we're
going
to
have
to
discuss
this
topic
again
when
we
have
a
larger
contingent
of
folks.
B
This
time
is,
is
pretty
rough
for
folks
in
europe,
although
obviously
that's
why
we
do
it,
so
we
can
have
overlap
with
the
asia
pacific
region,
and
the
next
thing
is
me
again:
this
one
is
interesting,
so
six
store
is
planning
for
its
ga
release.
B
One
question
they
had
for
the
group
was:
what,
if
anything,
do
you
expect
has
to
be
done,
like
from
the
perspective
of
a
repo
maintainer
who's
relying
on
sex
store
like
what?
What
do
you
feel
is
like
a
non-negotiable
minimum
that
folks
need
to
achieve,
and
there
was
there
was
some
discussion
around
like
what
slos
should
be
targeted
for
these.
For
these
services,
like
what
slos
are
required
to
be
effective,
I
think
that
we're
targeting
maybe
zach.
You
remember
this.
I
think
I'm
targeting
like
three
nines
or
four
nines.
A
I
don't
want
to
be
quoted
on
that,
but
I
will
get
at
you.
Oh
simon,
might
know
as
well,
but
I
can.
I
can
link
the
doc.
B
Okay,
yeah,
that's
not
too
bad.
I
mean
it'll
it'll
break
a
few
builds
from
time
to
time,
but
you
know
we
can
aspire
to
higher
nines
as
time
goes
on,
but
also
I
guess
the
question
was
like:
was
there
anything
else
people
can
think
of
off
the
top
of
their
head?
Where
they've
been
saying,
oh
we've
been
waiting
for
x
or
you
know
I'd
be
surprised.
B
If
y
happens
again,
I
feel
like
we're
going
to
have
to
revisit
this
topic
again,
although
maybe
get
more
difficult,
because
I
think
ga
is
probably
going
to
be
announced
next
week
at
the
open
source
summit.
I
think
there's
a
an
appetite
for
making
a
splash.
G
G
I
think
some
some
of
the
questions
we
also
had
for
the
of
this
group.
You
know
in
in
the
period
up
to
ga
where
the
slo
is
aspirational
and
and
maybe
not
achievable,
given
you
know,
lack
of
a
rotation,
for
you
know
on-call
rotation,
those
kinds
of
things.
G
What
what
should
we
be
sort
of
communicating
around
just
expectations?
Physique
store
flows
with
package
managers?
G
Do
we
are
we
comfortable,
saying
yeah
like
take
this
on
use
it
in
you
know,
there's
a
foul
closed
dependency
in
in
critical
flows,
or
you
know
some
bar
in
between,
because
we
have.
You
know
it's
possible
that
things
go
wrong
leading
up
to
ga,
and
you
know
we
have
significant
outages
in
in
the
meantime.
C
Do
we
have
a
strategy
for
sort
of
like
dark
rollouts
for
six
door,
support
and
package
managers,
or
something
along
those
lines
where
it's
sort
of
soft
and
not
it's,
it
fails
open.
First,
will
the
dead
bake
for
a
quarter
see
how
that
goes
and
then
sort
of
and
make
it
fail
close
after
that,
once
we
sort
of
ironed
out
all
the
issues?
B
For
for
ruby,
at
least
when
we
wrote
the
rfc,
that's
that's
still
open.
The
plan
we
had
was
to
roll
it
out.
First
of
all,
as
an
optional
thing,
you
could
do
you
didn't
you
weren't,
forced
to
sign
you
weren't
first
forced
to
verify
you
could
choose
to
do
either
of
those
things,
and
probably
I
would
have
used
my
super
secret
handshake
powers
to
get
the
folks
who
work
on
rails
to
exercise
it,
because
that's
a
nice
high
profile,
high
traffic
sort
of
thing
to
to
try
it
out
on.
B
I
mean
high
traffic
by
ruby
stands.
So
I
think,
but
I
can't
sort
of
give
a
timeline
at
the
moment
for
when,
when
that
would
become
the
case
like
it,
it's
very
unlikely
that
it's
going
to
happen
like
in
weeks
or
even
months.
Depending
on
what
kind
of
staffing
I
can
get.
B
A
Can
I
ask
a
related
question
so
for
the
folks
who
are
running
repositories
here?
Do
you
offer
any
kind
of
slo
or
and
whether
or
not
you
are
do
you
have
an
understanding
of
what
kind
of
uptime
your
repository
has?
Because
you
know,
for
instance,
if
there's
no
slo-
and
you
know
I
don't
want
to
pick
on
anyone,
but
you
know,
programming
language
x,
repository
is
down,
for
you
know
four
hours
a
day
like
like
six
store,
isn't
really
the
blocker
there.
A
So
I
I'd
like
to
understand
you
know
kind
of
what
the
expectations
users
have
around
both
both
for
download
and
for
for
publication
of
packages.
F
But
the
download
side's
always
up
thanks
to
facts,
we've
gotten
a
lot
better
on
the
published
side.
Now
we've
got
more
scale,
but
you
know
we
also
have
people
right.
You
know
the
advantage
of
having
staff
that
we
dedicate
to
keeping
the
lights
on,
but
certainly
a
number
communicating
to
people.
I
mean
if
you
look
at
status.name.org
you'll
see
some
of
the
numbers
we
track,
but
there's
non-macroeconomic
number
associated
with
that,
but
we
at
least
share
the
graph.
G
Just
what
what
do
those
numbers
look
like
out
of
interest.
F
Let
me
just
log
in
right
now,
so
we
the
numbers.
Well,
let
me
just
share
what
what
the
numbers
are,
and
so
we
have
a
roll-up
across
to
the
two
main
publishing
hosts
of
uptime
for
the
hosts
themselves,
and
then
we
put
this,
you
know
line
for
the
cdn,
so
fastly
and
then
searches,
uptime
and
so
everything's
been
been
green.
F
So,
let's
see
it
looks
like
I
can
share,
can
folks
see
sabotageman.org,
and
so
you
know
fastly
everybody
remembers
when
they
went
down,
but
this
thing
should
always
be
at
100
and
I'm
amazed
at
oss.
It's
99.99,
that's
been
a
long
time
since
we've
been
that
green
and
then
we
we
share
this,
which
is
actually
some
stuff
that
drives
our
own
internal
monitors.
F
So
the
team
has
slos
that
you
use
amongst
ourselves
that
are,
in
fact
driven
by
published
latency
how
much
time
between
when
it's
released
and
when
it
shows
up
on
repo
one
and
then
staging
operation
duration,
which
is
essentially
from
when
you
trigger
a
staging
release
to
you
know
when
it
completes,
which
there's
a
hard
time
out
by
default
in
the
nexus
station
they
didn't
plug
in
over
300
seconds.
So
anytime,
we
are
in
the
double
digit.
F
Second,
we
are
in
great
shape,
and
then
we
calculate
that
independently
for
this
humane
publishing
code.
F
The
time
which
means
that
we've
got
a
little
bit
of
pestilence
practice
that
we
got
to
get
into,
but
this
is
status
on
maven.org,
so
they're
actually
welcome.
Please
to
have
a
look,
and
you
know,
provide
feedback.
You
know
this.
We
drive
this
by
sad
page.io
account
that
insights
actually
has
for
our
other
products,
and
we
use
carve
out
a
piece
of
it
for
nathan,
central
and
the
supporting
services.
B
The
slo
for
ruby
is:
we
hope
that
the
one
of
two
people
is
awake
and
at
their
computer,
it's
it's.
It's
volunteer
driven,
so
it's
it's
really
what
we
can
get
when
we
can
get
it
and
like
like
maven
central
we're
relying
on
fastly,
so
that
takes
off
a
lot
of
the
burden
and
the
risk.
B
One
of
the
things
I
joked
about
recently
was
that
it's
sort
of
like
easy
to
get
a
large
technology
or
technology
using
firm
to
assign
developers
to
work
on
these
things,
but
it's
hard
to
get
them
to
assign
operational
or
devops
folks,
I'm
I'm
hoping
to
spread
that
thought
so
that
it
creates
a
vibe,
or
you
know,
a
wave
of
thinking
across
the
industry
that
oh
yeah.
We
also
need
operational
help
for
these
organizations.
I
know
I've
been
looking
at
that
at
my
end
as
well.
C
But,
but
to
come
back
to
original
sort
of
question
about
six
toys,
so
I
I
do.
We
really
want
to
sort
of
measure
it
against
sort
of
package
managers
and
and
instead
sort
of
have
our
own
slo
for
six
stores,
so
that
we
can,
you
know.
So
we
give
less
sort
of
reasons
for
folks
to
sort
of
drop,
using
six
toy
and
other
things,
because
it's
not
available.
For
example,
right.
G
Yeah,
I
mean,
I
think
we
I
think
sigstor
needs
to
have
target
slos
just
because
it's
critical
security
infrastructure
and
an
outage
is
really
blocking.
It
might
be
interesting
for
package
managers
to
separate
the
concerns
around
publishing
from
and
download
publishing.
You
know
the
the
I
imagine
qps
is
considerably
lower
than
than
download
and
the
impact
of
an
outage.
There
is
okay.
Well,
we
can't
publish
a
package
for
a
bit.
G
That's
that's
not
great
verse
on
download.
If
we
have
an
outage
and
you
can't
verify
that's
a
lot
more
people
affected.
E
G
If
you
you
you're
doing
full
offline
verification,
then
sure,
but
if
you
have
recall
you
know
you're
actually
using
the
recall
transparency
log
as
part
of
the
verification
step,
then
yeah,
it's
a
critical
dependency.
So
it's,
I
think
it's
implementation,
specific.
E
Right
and
I
think
that's
one
of
the
questions
that
we've
had
on
the
on
that
sort
of
java
side
and
it
was
sort
of
at
first,
we
just
just
assumed
that
we
would
be
checking
recore
for
every
verification
and
sort
of
as
we
sort
of
dug
into
it
seems
like,
for
instance,
like
I
think,
cosine
verify
of
the
container
image
doesn't
right
by
default.
E
It
just
uses
the
it
just
looks
at
the
at
the
bundle
in
the
signature
in
the
container
registry
and
does
a
verification
using
that
bundle,
and
I
think
we've
come
to
a
conclusion.
That's
what
we
should
be
doing
by
default
and
for
all
the
languages,
because
otherwise
you'd
be
sending
quite
a
lot
of
load
to
to
recore.
E
G
Right,
so
maybe
that's
the
way
to
slice
it
it's
just
we.
If
we
talking
about
six
store,
ga
or
even
pre
ga
integration
for
package
managers,
we
just
focus
on
the
the
critical
user
journeys
around
publishing.
G
Where
you
know
that's.
If
the
infrastructure
is
down,
then
yes,
we're
blocked,
but
that
makes
the
impact
of
a
six
door
outage.
You
know
considerably
less
on
the
repair.
B
It
has
it
has
a
nice
property
now
that
you
don't
have
a
you
know,
a
fault
tree
with
two
with
an
old
node
in
between
them.
So
it's
got
a
higher
probability
of
failure.
It's
just
a
single
node
with
with
a
single
probability.
B
So
in
that
respect
you
know,
assuming,
of
course
you
know,
you
trust
your
your
cdn
to
not
mark
it
up.
You
know
it's
sort
of
interesting
I
feel
like.
We
should
all
send
a
bouquet
to
fastly,
given
that
maven's
using
it
ruby
gems,
is
using
it.
I
know
pipeyi
uses
parsley
as
well
and
I
send
them
a
cake
or
something
like
I
think,
they're
in
new
york.
B
B
Yeah
okay
package
as
well,
that
makes
sense.
Okay,
so
is
there
more
that
we
want
to
talk
about
in
terms
of
like?
What's
coming
up
for
six
star
or
requests
that
we
might
have
questions
about
slos?
I
think
this
has
actually
been
a
productive
topic
of
conversation,
especially
the
spin-off
about
slos,
for
package
managers
themselves.
C
B
So
we've
got
a
request
here
from
brandon
who's,
not
here
today.
He
wants
us
to
have
a
look
at
a
survey
form,
so
you
may
recall
a
spreadsheet
that
was
circulated
earlier,
which
had
a
series
of
question
and
answer
sections
about
features
of
the
package
manager.
You
know
particular
experiences,
I
think
at
some
point.
We
also
added
some
some
questions
about.
B
B
So
I
think
he
wants
folks
to
have
a
look.
I
don't
think
there's
much
else
here
to
do.
I
think
we'll
probably
visit
that
one
again
unless
people
had
a
blazing
concern
that
they
wanted
to
raise
here.
B
Cool
sterling
you're
up
it
says
here
you
want
to
talk
about
common
terminology,
yeah.
D
Yeah,
so
it's
been
a
while,
since
I've
been
here,
but
I've
been
on
a
vacation
and
then
I
got
covered
so
yeah
early.
D
May
I
I
started
this
document
where
there
was
a
few
conversations
we
had
about
like
what
does
package
even
mean
for
the
different
ecosystems
or
what
are
some
common
words
that
we're
using
and
make
sure
we're
using
them
all
the
same
same
way,
not
necessarily
like
in
imposing
on
each
of
the
ecosystems
but
like
just
having
a
common
understanding
of
what
what
we
mean
when
we
say
something
so
I've
I've
filled
up
this
document
partially
for
java,
and
maybe
if
we
had
more
people
here,
it
would
make
more
sense,
but
it'd
be
nice
to
get
other
input
from
other
ecosystems
just
to
fill
out
some
of
the
same
terms
and
and
all
that,
so
the
permissions
on
that
file
might
be
screwed
up.
D
So
if
you
need
access,
just
let
me
know
and
I'll
click
the
button.
What
I
can
do
is
maybe
send
this
out
to
the
mailing
list,
so
the
people
who
are
here
can
weigh
in
on
it
so
yeah.
I
I
see
that
there's
a
there
was
an
email
earlier
earlier
from
brandon
lum.
Is
that,
like
the
good
list
to
send
it,
send
it
to.
F
B
Lists
so
it's
it's
kind
of
like
the
lf
style
of
synchronous
pulses
with
asynchronous
document
work,
yeah.
D
Yeah
so
yeah,
that's
what
I'll
do
I'll
send
it
out
to
the
mailing
list
and
see
if
we
can
get
other
ecosystems
to
fill
in
fill
in
some
terms
and
yeah?
My
idea
was
that
once
we
had
kind
of
a
few
different
ecosystems,
we
could
sort
of
distill
that
into
this
is
what
we
mean
when
we
we
talk
about
that.
If
there
is
a
common
common
definition
for
anything.
D
Yeah
the
way
the
document
is
set
up
right
now
is
just
like
each
word
has
a
section
for,
or
I
was
envisioning
having
a
section
for
each
ecosystem,
and
so
that's
like,
if,
like
your
ecosystem,
didn't
use
that
word,
you
would
just
say
this
is
what
we
call
the
same
thing
assuming
you
could
figure
out
what
that
is
from
looking
at
the
other,
the
other
ecosystem
definitions,
or
you
would
just
say
we
don't
have
that
you
know
in
in
our
ecosystem.
As
this
I
was
I
was
thinking,
it
was
going
to
work.
B
You
know
modulo.
Of
course
the
hardest
thing
to
do
is
fill
out
stuff.
When
you
have
everything
going
on
at
once,.
B
C
B
I'm
not
sure
I
think
the
main
difference
is
just
the
the
ergonomics,
but
I
would
defer
to
brent
to
brandon
about
whether
that's
the
case,
but
I
believe
it's
mostly
that
it's
it's
easier
to
fill
out
a
form
than
a
spreadsheet.
B
B
So
some
of
the
data
can
be
shared
publicly,
so
some
of
that
some
of
the
questions
are
not
sensitive.
Some
of
the
some
of
the
questions
are
very
sensitive
or
could
be
seen
as
sensitive.
So,
for
example,
asking
has
your
main
application
server
been
penetration
tested
with
most
like
a
lot
of
cases.
I
think
people
will
say
no
and
they
would
rather
not
publish
that
fact
right,
they'd,
rather
not
advertise
their
current
security
posture.
B
So
some
of
those
questions,
I
think,
will
not
be
published
or
will
only
be
shared
with.
You
know,
presumably
something
like
academics
or
other
trusted
individuals
and
groups,
but
then
there's
stuff,
like
you
know,
do
you
have
signing
implemented
and
most
or
many
package
ecosystems
have
some
sort
of
signing,
even
if
it's
not
widely
used
at
the
moment,
and
so
I
don't
think
that's
seen
as
a
sensitive
question.
A
Yeah
and
and
to
follow
up
on
how
the
data
will
be
used.
I
think
a
lot
of
it
is
just
for
our
understanding
in
this
group
of
of
what
what
sort
of
the
state
of
the
art
is
to
to
see.
You
know.
Are
there
particularly
popular
package
managers
that
don't
do
a
whole
lot
in
this
space
that
maybe
we
should
get
coming
to
these
meetings
or
yeah
and
just
again
more
to
like
monitor?
A
You
know
this
this
universe
than
anything
else
and
as
as
jacques
mentions,
I
think,
there's
also
potentially
some
interesting
stuff
that
we
could
be
could
be
published
and
shared
with
the
wider
world
to
raise.
You
know,
sort
of
awareness
of
efforts
in
the
space
and
so
on,
but,
but
mostly
just
I
find
at
least
when
I'm
thinking
about
problems
cutting
across
ecosystems.
A
It
would
be
really
really
nice
for
me
to
know
you
know:
hey
like
this
rep,
you
know,
x,
percent
of
these
top
repositories
have
this
thing
implemented,
so
maybe
it
is
worth
adding
at
you
know
an
effort
to
harden
that
up
or
whatever
yeah.
So
I
think
largely
in
this
group,
it's
very
useful
to
to
have
a
lot
of
those
answers.
A
Very
specific
purposes,
but
keeping
an
eye
on
things.
Sorry,
jack.
B
Sorry,
I
didn't
mean
to
cut
you
off
yeah,
the
other.
The
other
use
you
can
see
being
a
possibility.
Is
that
as
we
develop,
that
that
sort
of
insight
into
the
ecosystem
of
ecosystems
that
provides
data
that
we
can
use
to
talk
to
the
tank
or
the
governing
board
to
claw
out
funding
for
like
one-off
projects,
to
implement
certain
capabilities.
B
So
while,
for
example,
you
know
many
ecosystems
have
a
mix
of
mostly
volunteers,
or
sometimes
they
have
like
a
patron
organization,
it's
going
to
be
all
over
the
place.
Sometimes,
you've
you've
got
a
an
uncle,
a
daddy
warbucks
sort
of
situation,
sometimes
there's
an
obscure
cut,
and
sometimes
sometimes
you
don't.