C
A
C
All right, yeah, so I suppose I'm sharing. Today I'm gonna follow the same rule I make when I'm making popcorn, which is you wait until the length between people joining the call... it's a certain time, slows down to more than, you know, several seconds.
C
So we'll wait for that trickle to slow and then we can go ahead and get started. In the meantime, I'll drop the notes link in the chat one more time and I invite folks to add to the agenda. I apologize, I am supposed to solicit topics for the agenda ahead of the meeting this week. I was a little bit under the weather, so I neglected to do that.
C
So sorry, but I trust that you all will be able to improvise, and if not, we'll have a short meeting, which no one will complain to me about.
C
All right, it's starting to feel like we have a pretty stable group of folks here. So the first item on the agenda is new faces, so I invite anyone who is new. You don't have to, certainly, but yeah, you're more than welcome to introduce yourself, say what brings you here and what you're excited to talk about.
E
And I work in software supply chain, especially ecosystem studies, so I wanted to... I met with three weeks back and I wanted to know what is happening in this group and maybe try to discuss some of the research opportunities that we can do in software supply chain, ecosystem-wise.
C
Great, then, if it's not putting you on the spot too much, I'm gonna go ahead and add to the end of the agenda just a quick moment to summarize kind of the previous discussions we've had on this topic and then maybe brainstorm for a second kind of where we...
F
C
Because I think many of the folks in this call would be excited to facilitate, kind of especially, cross-ecosystem research, so I'll go ahead and add that to the end of the agenda, okay.
G
Have been out for several months because of travel and conferences, so I'll reintroduce myself. Jonathan Leitschuh, I'm an open source security researcher and formerly worked at Gradle, so I was the primary security person there.
H
I can go quick. I joined sporadically, maybe a couple of these, so I haven't been to many of these, but my name is Philip, I'm at GitHub on the package security team. So we are currently working on a project to bring SLSA provenance to npm packages and we're currently starting to ship this internally. So we're looking at a...
I
J
Sorry, okay, I was cut rapid there. Sorry, it's also my second-last day before maternity, so I'm going to try to get someone else from Cloudsmith to come to this. I was wondering if, I know you guys are talking about doing support for Python and Ruby, and because we support loads of packages, we might have some insight of how that works with supporting more than one. If you ever... I can ask some of the guys to come on and talk about that.
K
I know, I've tried to take it off topic for a second. I have been putting off working on that proposal, because it's a lot of work to be done on it, and sort of like, I know I'll just do these small things first, so yes, any additional input would be useful in helping shape the next round.
J
Cool, so I'll try to get someone else on and then hopefully they'll also know stuff. They have to support loads of packages for us.
C
Great, yeah, thanks a lot. Any final introductions or reintroductions before we get going?
A
F
That, so, yeah, I'm chadania from GitHub again, primarily work on packages and npm. So...
G
C
Great, yeah, fun crowd. Things I know: for some folks it's a little bit early for you, so I appreciate you joining, and then for some folks it's late. That's the exciting thing about working on something that everyone around the world works on. So...
C
Super happy to have all of you, yeah, and then I think we can get moving on the kind of business section of the agenda, so I'm gonna go ahead and turn it over to Jacques to start off. Feel free again to keep adding stuff to the end of the agenda, because I forgot to solicit that ahead of time. Yeah, while Jacques is talking, but also pay attention. Yeah.
K
I wasn't... sorry, maybe I can turn it over to Joseph, because I wasn't sure who was going to be here today, but very briefly, WebAuthn support for the user interface, like the GUI, the website rubygems.org, has landed in production. So for MFA you can now use, you know, your hardware token, your phone Touch ID, your computer Touch ID, that sort of thing, to authenticate yourself as your second factor.
K
Next on the agenda, as it says, there will be CLI support. We're still sort of figuring out what that will look like. One approach is that you copy and paste a one-time code, like an OTP, that we generate, and play it back to us so that we can validate you that way. The other one... sorry, sorry, to explain it a little better: you go to the command line, you say I want to log in, it says you need to do WebAuthn and takes you to the website.
K
You do the authentication through the browser. The browser sends you back, it gives you back a code that you're meant to give to the CLI. The CLI plays that to the server and then you're logged in. That's one approach.
K
The other one that we're thinking about is instead having the CLI listen on a socket for web requests, and the rubygems.org server actually does a redirect to localhost on that port and squirts a bunch of information to it. That has the nice advantage that there's no copying and pasting, it just magically happens, but it has the downside that it's somewhat more complex to implement if you want to stay within the bounds of the Ruby standard library, because we have to use raw sockets to do it.
C
Cool, that's super exciting, Jacques. I'd like to explore a couple things there. One is sort of like, it would be cool to be concrete about the security improvements that we're going to see from this.
C
You know, the sort of shorthand that I hear people talk about WebAuthn is, you know, quote unquote "unphishable 2FA", so I was wondering if you could expound for a second on the security benefits that you're hoping to see here, like the specific attack scenarios you're most excited about. And then also I think this general problem of package managers often having constraints in terms of how many external libraries they're able to take a dependency on is also quite interesting, and I was wondering if we wanted to tug on that a little as well.
K
Okay, so I'll start with WebAuthn. There are two reasons that we were keen on WebAuthn. One is that there are people who just don't like OTPs. They don't like the business of loading up an app, getting a number, typing it in; they find that tedious and they find devices or Touch ID much easier, because it's just a tap and it works.
K
That's one reason. Secondly, in terms of the unphishability, for those who are thinking that sounds impossible: the difficulty with OTP is it's still phishable. Someone can still fool you and say, oh, you know, go to this website. You know, basically put up a phishing website, harvest the OTP code from you, turn around and play it to rubygems.org immediately.
K
You know, it's obviously better in the sense that you're no longer vulnerable to password leaks and so on, but you still have phishing as a vector for account takeover. WebAuthn, you're using a hardware device and the hardware device itself stores certificate information from the target website.
K
So it will only authenticate with that key to that website. So if somebody sets up a phishing website, fake rubygems.org, the key that's stored in the hardware device will not be revealed to that site because it's a different certificate. This is my hand-wavy explanation, but broadly, the reason that that's said to be unphishable is because they can't set up the fake website and harvest the key, because it will just not send that information. It will not authenticate to that different address.
C
C
Yeah, exactly. The second point was broadly around sort of this general theme I've noticed, where package managers are often really hesitant to take dependencies on, you know, third-party libraries or so on, in the interests of keeping the implementation self-contained.
C
You know, and not having this sort of bootstrap and say, okay, I need to install this package in my language using the package manager before the package manager even exists. Yeah.
K
So at least in RubyGems (and Joseph, please pull me up if I make any mistakes), the gem client is included and Bundler is included in the Ruby standard installation now, so you get them installed. RubyGems does bundle some gems... pardon, Ruby does bundle some gems by default, and of course it has its own standard library, but yeah, the argument is, you know, how do you use gem to install gems?
K
The gem relies on... that's the first part of it, and the second part of it is it adds to code sprawl, you know, the number of things that have to be kept up to date. This is already a problem because there are a number of gems that actually get vended into Ruby, RubyGems and Bundler. There's a small collection and it's a very carefully curated set, and it has a sort of a parallel mechanism for, you know, keeping those up to date, and it's kind of hairy.
K
So, as much as possible, the code has to stay within the standard library or the standard gems, and unfortunately there's no standard library or standard gem that provides an HTTP server. So, in the scenario we're talking about, we actually open a raw socket. We, you know, read the lines, you look for HTTP verbs by hand, that sort of thing, which makes me nervous.
C
C
A little bit less reviewed than maybe a standard library implementation, or even a popular, you know, package. So I don't know that there's anything actionable to do there, but I was wondering if folks from other ecosystems have hit the same problem and if there's a way that they're thinking about it.
K
No, you need a server, so what's happening is you've got the client that you can talk to the rubygems.org API with, and that's one thing, but the way you are doing this is that you are basically going to a URL that is provided by the server to the client.
K
So the question is: how does the OTP get into the memory space of the client? And one way to do that is you copy and paste it manually. The other one is that the rubygems.org server sends a redirect to localhost, and on localhost the client is listening and gets the OTP code that way. So it's a little roundabout, like it's one thing that's interesting.
K
It's difficult to work on the code and keep in your mind that you have two different things that listen for HTTP, and that, like, the client fills two roles and that there's sort of three parties to it, including the browser. So it's in a way simple to give the one-sentence explanation, but it gets fiddly as soon as you explain the details, and that's the sort of cause of our nervousness: it's more complicated to implement that, but in exchange you get a much nicer user experience.
K
There's also the fact that we envisaged in our prototype for sigstore gem signing, we did it that way. So, you know, in terms of the conversation, the OAuth flow, we have to listen on a local port to do that. So it's just like, well, we're going to be doing that anyway at some point, so why not now? So we haven't made a final decision on what we want to do. We do want to get to the socket.
B
Okay, so these are details I wasn't aware of, so thank you. I'm trying to... there may be a way to simplify this. I gotta think this through a little carefully, yeah. Actually, maybe this is just an appeal to everybody here. You know, maybe there's a way we can simplify it so that the problem doesn't... because I love the idea of the CLI. I understand the "oh my, putting a lot of code here, that's a problem."
K
Yeah, it should have us, you know, like writing a little one-trick HTTP server, which is kind of what we're doing at the moment. I mean, what we have is prototype code. It's deliberately, like, not factored, messy, yeah.
K
Well, I mean, that's the thing, is that that's fine when we're redirecting back to the localhost, right? That's fine, because it's within localhost that the browser is sending that token. So we're not worried about interception. So we can just serve HTTP. We don't have to worry about TLS, thank God.
K
B
K
C
You know, sort of the failure mode, so like I think a lot of the risk of implementing an entire HTTP server comes in some of the complexity, and if truly all you're trying to do is, you know, pull out the WebAuthn encoded token and, you know, parse that, and all the parsing is happening using libraries that you're okay with, and the language itself is memory safe, then a lot of the scary parts have gone away.
C
K
F
K
Those links, yeah, thank you for adding those. The two sort of prototypes that we have, again emphasizing they're prototypes, they're not... you know, we made the deliberate decision not to make them pretty, but they give you the idea of the implementation, how we've gone about it, and we're basically deciding between those two.
B
K
If they're simple... due credit is owed to npm, from whom we took inspiration. So npm at least initially had the copy and paste, but I think now have a socket-based arrangement, but if someone from GitHub wants to correct me... but yeah, so basically we were like, yeah, we need to do something on CLI. Oh, npm is doing something with CLI. What are they doing? So we use that as inspiration for this functionality.
B
K
F
F
G
I
G
Pen tested, have they had an audit of their... and no one besides, I filled out the one for Gradle, because I used to work there.
K
I
K
C
Right, if you checked the notes, I don't know that it made it into the takeaways doc, which is just because there's some sensitive information there that's shared on request by Brandon, and I'm sad that actually Brandon, I think, only makes the APAC-friendly meeting times, because he's the one to ask about this.
F
C
If you want to go ahead, Jonathan, and follow up, maybe in Slack, and ask and tag Brandon, I bet he'd be able to answer that if you aren't able to find the Google form that actually went out.
C
Yeah, yeah, so the results, I believe, we're a little bit hesitant to share them too widely, the sort of raw data, because there's some stuff that's semi-sensitive in there, but that takeaways doc that got linked is what we're sharing on a sort of as-needed basis, but I bet, you know, you're part of the target group for that if you're curious. So if you ask for access to that, I bet Brandon will give it to you. Yeah, I mean.
G
My original understanding of that document was to understand the state of the world and then also leverage it as a way to figure out what organizations needed some encouragement and/or resources allocated from the LF, maybe, to help fill in those gaps. And so, if we don't have that information in a place that we can view, we can't help, like, know where those resources need to get targeted, or, you know, that encouragement needs to get targeted.
C
Yeah, again I believe... and David, actually, maybe I can pick on you here: is there sort of like a... it almost sounds over the top to say "the classification system" for, like, you know, within security in the OpenSSF we've got "open" in the name, we want to be as open as possible. At the same time, you know, advertising, blasting out to the world to attackers...
C
B
I mean, OpenSSF hasn't declared any formal way to do that. You might consider using the good old traffic light protocol, yeah. You know that too.
G
B
Oh, there's nothing wrong with having an open group here that talks about, hey, what are the questions? Ask a survey, yeah, and then a smaller group that actually gets some of the data, and, you know, we want to be as wide open as possible, but we aren't trying to... the goal is not to be a service to adversaries.
B
I would like to see some version of this as a public report. It's, well, I know, in there it does not have to say everything, you know, "oh look, right here, attack." However, I do kind of... ripping on this, you know, why create a more private version? It seems to be the next step would be working out how to fix that.
B
You know, obviously Shopify cares a whole lot about RubyGems and that's a great thing; as someone who also uses RubyGems, I appreciate it. So, but, you know, basically having a way to share with some folks so that we can maybe, you know, get people who are employees of certain companies to go work on it once they know of a problem, or maybe, if we can't find anybody, maybe we fund something or something like that. But, you know, finding, identifying problems is step one, but then we need to try to fix it.
C
Cool, so then I'm going to, in his absence, sorry Brandon, give Brandon the AI to follow up there, and yeah, I think I would love to see some public version of that data, you know, just turned into something, you know, quick, and, you know, I think a good advertisement for the work that we're doing and also just a little bit of what's the state of the art here. So I'll go ahead and give that to Brandon.
K
Because it'll also be nice to come back in a year or two and do it again, yep, and see what progress has been made.
G
Repository hosts are not commercial products, and commercial products, when they are purchased, most often have organizations that have security requirements requiring that when they purchase software, they're buying a piece of software that has been tested, right? Like there are certain sort of constraints that get applied when the security team gets involved with buying a piece of software. When there are repositories like npm, Maven ecosystem, Gradle, RubyGems, those just get integrated into the organization without any financial money transfer; they just get used, and so there is never an incentive forced upon the repository hosts to actually get a security audit done of the repository. And so I would posit that these critical tools that are being used across the entire industry as a supply chain for these massive organizations have never been...
G
...given how critical these things are, and so I see that as a pretty glaring thing to be addressed in the industry writ large, that just kind of needs some money thrown at it mostly, and then engineering resources to fix the end result of the vulnerabilities that get identified.
K
G
That doesn't work when the repository host is owned by a company, which there are several in this call, and they like... you, Shopify, can come in and be like, we think this is important, and step in and be like, we're going to do this, right? But when the host is a company and not a non-profit organization, then you, as Shopify, can't just show up to Sonatype or Gradle or GitHub and say, hey, we're gonna pen test you. Like, thanks.
K
These random people like showing up all of a sudden and asking for this and that, so there's that. I'd also say that, like, in terms of things that take money, again, to brag, we've donated a million dollars to the Ruby Shield initiative, and what I've been sort of hoping in the back of my head is that in other ecosystems, other people who rely on those ecosystems would take the hint that they should do the same thing.
K
I don't expect, you know, Globocon Five, you know, member of the Fortune 500, to do it, but I do expect that people where they feel kinship with the ecosystem to be involved. So, you know, I won't call out names, but, you know, for ecosystem X, I would hope that large technology... I mean I already know that large technology company was interested in contributing, but I think they should step up their game, and so on.
K
G
C
G
Anybody's willing to out themselves for not having gotten a pen test done of their repository, or if they don't want to out themselves, what do you think the barrier is for you? Or, you know, if you want to just speak in the general sense, what would be the barrier you think that exists for your organization getting a pen test done of your repository host, the thing that you're hosting? Like, what is in the org structure above you?
C
Can I suggest that we revisit this question once we have access to the actual data, because it's... I...
A
C
I hope... I don't think it is... I hope everything you're saying is moot because a lot of these organizations have, but sort of knowing whether it's, you know, zero of them have had this done versus 99 of them have had this done versus 50, I think is going to change the approach that we're going to have to take here, but I do think your point, Jonathan, is well taken that this is...
C
C
J
C
Once we kind of have this data actually available, so I'm...
C
Gonna propose that you go ahead, Jonathan, and ask Brandon specifically this question, and then hopefully we can get the two of you in the same meeting at some point, and at that point let's talk strategy about going ahead and trying to use the OpenSSF to push on this.
L
I can also contribute quickly, sorry. RubyGems itself, speaking of rubygems.org, there's no barrier to it: it's open source. You can even run it locally, so anyone can do anything. We also see a lot from the hacker space and, since we're on HackerOne, we see a lot of... so it's actually, in theory, constantly being tested by volunteers who try to follow it for prize money.
L
But what concerns me actually is something different: there's a lot of small open source private hosting services, which are really run by small teams having no visibility, so I think nobody's really pen tested this in this way, and it's actually more critical since it's mostly used for hosting private gems in a private way. Right, so I think those should take some care as well from the community.
L
They are open source, but not really getting attention, right, and it can be a critical part of some private infrastructure. They're just mimicking the RubyGems API, right, but doing it on its own under some password and stuff to keep its things private. So we could consider including those projects as well, if we would like to do some next steps on this in general.
B
If I may quickly comment back, I think that if the code itself is open source, that helps a lot, but obviously you can configure something, you can deploy something and configure it in a way that was insecure, even if the code itself wasn't. So there's still value in doing pen testing, even if somebody reviewed the code, from the point of view of how is it working in operations. Of course, just because the code is open source doesn't mean anybody actually did a pen test of the code either. So...
L
Yeah, that's clear about RubyGems: given it's open source, it's not meant to run a local instance for any, like, company, and there are different projects to host the private gems, as I mentioned. So those should be considered, probably, as well for some audits, if we decide to do something in general.
L
The organization itself is providing, like, an example gem server implementation, which is called Gemstash. So this can also be the object of some pen testing if possible.
C
And if I can zoom, sorry, even further out for a second: I know there's some new faces on the call, and sorry, we should have showed this earlier, but just for quick context, one of the things that's come out of this group...
C
...that I think a lot of us have been really excited about is: there is not, like, one spreadsheet that says, okay, npm has implemented 2FA and it's optional, and, you know, RubyGems is enforcing 2FA and it supports these methods, and so, like, there's not one at-a-glance "this is the state of various open source package repositories and their ownership" and, like, all that information which feels relatively standard, you know, and like something that I would love to know.
C
Oh, X percent of the top open source package repositories, you know, support some form of 2FA, or whatever the axis is, and I see some nods, I think, from the academic folks on the call who especially can see how this is interesting, but also from a sort of industry perspective, and trying to, like, put our resources to the best use, we just wanted to, like, have an at-a-glance, like, what does this all look like, and, you know, I think it's useful for making really informed decisions, like exactly what Jonathan was getting at, where if...
J
C
Zero of these have had pen tests done, that feels like maybe a good place for the OpenSSF to step in and have a broad push for all that sort of stuff. So to that end, we sort of sent out to a number of different open source repositories, basically, a survey that asks a bunch of questions about various security controls and practices and so on.
C
We decided we would... I think where we've landed with that, we talked for a moment about sort of the sensitivity of that data. Where we've landed is roughly, you know, it's not public, right. We don't want a link to go around that literally anyone can access, but it should be pretty easy, if you can, you know, authenticate yourself as a researcher, to get access, and we're picking a bunch on Brandon, who's not here, but Brandon Lum over at Google was someone who put together that survey, has been kind of instrumental.
C
Had a lot of help, but he's been kind of the main driver there, so yeah, so that information, I think we're starting to see why it's useful, but yeah, I think getting access directly to that will help a whole bunch in terms of answering a lot of these questions that we're...
G
...having. I have a... I think that some part of this will work. I'd like carrot and stick, and if it's not public, stick is harder, or, you know, but it's also hard to get the information out of these organizations and for them to be willing to share that. You...
G
Yeah, yeah, right, exactly, so no, I agree. So yeah, management of companies have priorities. Most of those priorities are targeted at getting more sales. This is not necessarily directly related to that, and so this is... that's, yeah, so I think I'm looping and I'm...
G
Sorry for that, but yeah, so I sent a message to Brandon and hopefully I'll get access to that data, but I don't know how we can make that cut. That I'm struggling with, how to actually turn it into something actionable, and we continue to talk about that a little bit more, whatever, so that was the primary...
G
The primary reason for switching from the spreadsheet to the form was to get the package ecosystem maintainers to be more willing to share more details more publicly, or sorry, more privately. Like that was the general concept there.
K
So I just want to give a time check as well. Yeah, I want to make sure we have time to get to Zach talking about other data gathering that we want to do. Yeah.
C
A lot of relationship... so this survey is, I think, one example of one of the really great potential uses of this working group and getting all these folks in a room, which is to say we can sort of collect broad cross-ecosystem data, and there's a couple of purposes for that. The sort of most abstract purpose is just understanding what the world looks like today and what people have planned, and that has a couple of downstream... This is one, again from the perspective of the OpenSSF.
C
Can we use this group to coordinate and to possibly provide funding for security initiatives? Can we share and, you know, peer pressure folks? In the same, you know, again, we can't do this if the data is all public, but we can selectively make data public and say, hey, you know, seven out of the eight biggest repositories all have 2FA and one out of the eight does not, and, you know, nudge nudge.
C
Perhaps you should too. But then also just from a sort of abstract understanding, and, you know, I know we have at least one PhD student on this call, so you can certainly appreciate this, but just, like, this could be a really cool, I think, data set in terms of, like, understanding the security of the open source ecosystem at large, and so the survey is one example of that.
C
There's a number of other things that are very similar in that, like, they are slightly sensitive in that we don't necessarily want to hand them out to, like, people who are attackers, but they're not super sensitive, in that, you know, we are willing to have tens or hundreds of people know them, and so one of them is, for instance, data on yanked packages.
C
Well, and that's due to either copyright or, mostly of interest to this group, suspicion of being malware. A lot of that information is not available publicly, but kind of is available publicly. So, for instance, if you scrape npm every day, you're going to be able to notice, oh, this package was here today and it's gone tomorrow, like, I have a hunch about why that might be, and so that information right now is not made available in any easy...
C
...to consume format, but it is quite interesting, I think, to researchers interested in malware, and so we've talked about the OpenSSF as being a mechanism by which to distribute that. Similarly, PyPI does a really, really great job, and RubyGems does too via a different platform, of distributing information about package downloads and package uploads.
C
But the formats are different, so then it's kind of a pain to make a cross-ecosystem comparison. So we've talked also about the OpenSSF as a sort of common platform via which to distribute that data. Where are we with that? Yeah, and David in the notes suggests that maybe we write a status report. I don't know that we're even there. Where we're at, largely, is we've talked about how it would be a good idea and how everyone is interested.
C
But we haven't had anyone sort of in a position to drive this, and so there's a bunch of good ideas, and I believe at this point there's a couple of other working groups that have also had roughly the same idea independently, and is my understanding correct that it's kind of the same situation, where someone in one of these working groups said, oh, wouldn't it be nice, but I am not personally ready to volunteer a bunch of my time yet.
K
From what I've seen, yes. I mean, I'm also involved in the End Users working group, and definitely the End Users working group had the idea to collect malware samples, and there were even more ambitious ideas of getting to the point of having analysts and possibly providing a threat intelligence service for package repositories, which is, you know, an expensive capability, but would be super nice, yeah, if someone could tell you that, like, we're seeing this pattern on npm, PyPI, RubyGems, can I go get ready.
F
C
And so maybe, Nusrat, if I could make an ask of you, I don't know if I want... yeah, if you have to do this per se, but can you talk to folks in your lab and see if there's anyone, like, this to me could be a cool paper and/or, you know, a good chunk of a PhD?
C
So if someone wants to coordinate this, like, there are a bunch of folks from repositories in this group who are willing to help. They're all, you know, overworked, but they're very helpful and have the right attitude. And so, if you want to kind of drive that, I'd bet you could get a really cool data repository out of this, and again, to play up the academic angle a little bit, one thing that's really great about papers that make good useful data sets is they're very citable, yeah.
C
E
Okay,
so
I
so
far,
I
have
done
two
studies
in
NVM
ecosystem
and
by
ecosystem.
So
the
one
of
the
study
that
I
had
advised
what
are
the
weak
links
in
npm
ecosystem,
where
we
collected
all
the
metadata
back,
then
it
was
1.6
million
packages.
Metadata
of
comment,
VM
registry
and
I
was
working
with
npm,
GitHub
and
Microsoft
back
then.
So
we
had
access
to
some
of
the
malicious
package.
E
So
we
did
not
have
the
original
metadata
I
mean
not
all
the
original
method
to
identify
the
pattern
of
malicious
package,
especially
the
one
of
the
pattern
of
attacker
or
maybe
what
type
of
what
are
the
patterns
that
attacker
get
exist
in
that
npm
ecosystem,
so
what
we
have
been
doing
for
last
one
year,
like
Jack
mentioned,
we
have
been
collecting
npm
metadata
from
npm
register
for
one
year.
So
even
if
npm
remove
a
malicious
package,
we
may
have
the
original
metadata.
E
If
we
look
back,
it's
been
one
year
that
we
have
been
collecting
now
you
will
start
the
project,
probably
from
next
semester.
That's
something
I
did
in
our
lab
and
another
project
that
I
just
completed.
It
was
with
scorecard
and
I,
wanted
to
add
this
project
as
well,
because
on
that
project,
what
we
did
we
study
scorecard
compatibility
with
npm
and
552
system.
The
first
goal
was:
what
is
the
security
practice
of
npm
and
Pi
Pi
using
scorecard
security
Matrix,
and
the
second
goal
was
whether
all
the
scorecard
security
batteries
are.
E
You
know
Deployable
for
those
ecosystems,
mainly
so
we
published
the
preprint
of
that
paper
and
we
had
some
media
coverage
and
one
of
the
most
common
thing
we
found
from
that
study
that
Pi
Pi,
some
of
the
practitioners
from
Piper
ecosystem
were
not
happy
with
us
because
they
think
they
don't
use
GitHub
repositories,
and
this
is
not
the
way
we
should
measure
security
for
Pi,
Pi
ecosystems.
Maybe-
and
we
haven't
heard
back
from
npm,
so
we
don't
know
how
they
feel
about
it.
E
So
one
of
the
goals
that
we
can
do
here
reach
out
to
those
ecosystem
practitioners
and
ask
what
are
the
specific
security
practice
or
pattern
they
have
and
scorecard
can
probably
implement,
or
one
thing
that
I
think
one.
This
group
was
also
discussing
like
two
systems:
Pacific
security
practice.
If
scorecard
can
implement
it,
that's
good.
If
not,
then
maybe
we
can
do
the
similar
study
that
I
did
with
npm
ecosystem
identify
with
link
signals
in
Pi
Pi.
E
So
right
now
my
focus
is
all
ntml5,
but
if
definitely
if
I
can
get
data
from,
but
we
want
to
access
some
malicious
package
from
these
ecosystems
and
we
want
to
get
access
also
where
we
can
get
all
the
metadata
for
pipe
practices.
That's
another
struggle
for
us
because
for
npm
it
is
little
bit
easy,
so
and
I
haven't
started
study
ecosystem,
so
I
might
be
wrong
and
I
don't
have
enough
knowledge
there.
So
any
suggestion
or
anything
that
it
would
be
great
from
this
group.
E
Apart
from
that,
our
lab
actually
already
collaborating
with
this
podcast
team
for
different
project
and
one
of
the
project
is:
how
can
we
use
scorecard
to
select
good
component
and
I?
Think
I
saw
it
in
the
survey
good
component,
especially
in
the
dependency
graph.
How
can
we
use
scorecard
and
Dev
step?
Probably-
and
this
is
something
we
are
planning
to
do
in
next
semester
as
well,
so
that
was
another
project
that
we
are
doing
in
our
lab.
C
C
That's
all
very
cool
and,
and
so
I
think
I
think
there
is
definitely
potential
alignment
here.
I
think
if
you
know
kind
of
this,
this
sort
of
common
data
repository
that
we
were
talking
about,
became
you
know
easily
available.
I.
C
Think
several
of
those
research
projects
that
you
have
talked
about
would
turn
into
like
SQL
statements,
which
is
not
not
to
be
dismissively
right,
like
they're
they're,
hard
work
right
now,
but
it
would
be
awesome
if
some
of
those
things
which
were
difficult
projects
turned
into
basically
one
line
of
SQL
and
the
other
Advantage
here
too
is
I,
see
a
lot
of
academic
research
in
this
area.
C
That
does
kind
of
a
case
study
on
one
ecosystem
and
I
think
there
are
very
legitimate
reasons
why
you
would
do
that
right
now,
but
it
would
be
really
really
cool
to
see
to
sort
of
test,
cross,
ecosystem
validity
and
again,
I,
think
sort
of
taking
all
of
this
data,
and
you
know
putting
it
in
common
data
formats,
would
be
really
quite
excellent
in
terms
of
you.
K
So,
which
is
yeah
to
add
to
add
my
voice
to
that
you
know
my
focus
is
on
ruby,
gems
and
part
of
my
mission
is
ensuring
or
encouraging
Ruby
James
to
be
included
in
research
because
findings,
don't
always
generalize
between
ecosystems,
I
I
need
to
know.
What's
going
on
and
I
need
to
know
whether
we're
in
the
same
boat
as
other
ecosystems,
and
so
I
can
learn
from
them
if
we're
in
a
different
boat
and
we
need
to
row
in
a
different
direction.
K
I
can't
do
all
of
that
myself.
I
rely
on
Academia
to
do
a
lot
of
the
heavy
lifting,
so
anything
I
can
do
to
make
sure
that
rubygems
is
accessible
and
easy
to
get
data
for.
C
Oh
so
I
was
just
going
to
propose
so
news
right.
I,
don't
want
to
on
your
very
first
attendance.
Please.
C
Huge
project,
but
maybe
a
little
thing
that
you
that
I
could
give
you
as
an
action
item
and
I'll,
follow
up
with
you,
and
maybe
we
can
work
on
this
together,
would
would
just
be
to
write
a
quick
doc
like
a
one-page,
two-page
shock
that
says
what
would
you
a
researcher
want
from
a
common
data
repository?
C
Can
you
just
brainstorm
a
bunch
of
ideas
and
I
think
that
will
dry
that,
like
that's
enough
to
sort
of
Drive,
come
back
to
this
meeting
and
whenever
we
come
back
to
it
because
of
the
holidays
and
and
but
I
think
that
would
be
enough
to
sort
of
motivate
and
sort
of
say.
Okay,
any
effort
to
do
this
is
going
to
require
laying
out
some
schemas
for
data
to
prioritize
what
data
we
want
to
talk
to
various
repositories
about
the
data
ingestion.
Where
should
it
be
hosted?
C
We
have
some
bunches
about
where,
where
that
might
be,
but
but
to
just
sort
of
outline
at
a
high
level
answer
these
kinds
of
questions
and
I
think
with
those
goals
outlined
that
will
make
discussion
between
this
and
other
groups
easier,
especially
also
there
is
a
group
I.
Don't
know
that
block
is
its
own
group,
but
there's
a
there's
another
project
within
the
open
ssf.
C
That's
also
interested
in
a
bunch
of
this
data,
they're
interested
in
consuming
this
data,
but
they're
finding
that
they
have
to
create
a
lot
of
it
and
that's
where
a
lot
of
their
efforts
are
going
and
so
like
it's.
It
seems
like
a
lot
of
folks
within
the
open
ssf.
This
working
group
in
particular,
but
but
other
working
groups
as
well
are
finding
that.
C
The
absence
of
this
kind
of
shared
data
in
common
formats
is
a
really
limiting
factor
for
so
I'm
going
to
take
the
Liberty
I'll,
assign
it
to
myself
as
the
action
item,
but
to
follow
up
with
you
and
then
maybe
you
and
I
can
work
on
this.
C
Yeah
all
right
and
then
I
think
we're
pretty
close
to
time.
So,
thanks
for
the
discussion,
everyone
else
solicit
last
minute.
I
had
one
of
the
thought.
G
I'm
actually
working
on
a
document
for
this
right
now,
the
the
one
of
the
thought
process
that
I
had
is
okay.
Well,
you
know,
even
if
we
can't
get
these
organizations
to
agree
to
announce
whether
or
not
they've
been
pan
tested
before,
if
we
can
go
through
and
like
I'm
actually
going
through
and
looking
at
all
the
different
package
ecosystems
and
coming
up
with
a
list
of
their
disclosure
policies
and
like
if
they
it
barring
anything
else.
G
You
know
the
open,
ssf
could
allocate
x
amount
of
money
and
just
hire
a
pen
testing
firm
and
because
all
these
companies
hopefully
have
their
own
disclosure
policies.
That
you
know
would
facilitate
the
ability
for
these.
You
know
an
external
organization
to
come
in
and
audit
them.
G
We
could,
you
know,
theoretically,
leverage
that
now
I'm,
seeing
that
some
of
these
organizations
don't
have
that,
like
you
know
in
particular,
Safe
Harbor
policy
that
would
allow
them
to,
like
you
know,
not
be
taking
on
legal
Risk.
By
doing
this,
public
audit,
for
example,
sonar
type
and
Ruby
as
far
as
I
can
tell
don't,
have
a
safe,
harbor
policy
explicitly
yet
so
yeah.
G
This
may
be
easier
said
than
done
in
certain
aspects,
but
I'm
curious
to
do
is
I'm,
doing
a
quick
scrape
and
looking
and
seeing
what
disclosure
policies
are
already
out
there
that
that
we
could
use
so.
C
Yeah
well,
it
sounds
like
Jonathan
you're
quite
interested
in
this,
so
perhaps
it
makes
sense
for
you
to
if
you
have
the
availability
to
kind
of
Drive
generally,
the
pen,
testing,
effort
and
I
think
that's
going
to
include
getting
access
via
Brandon
to
some
of
the
data
directly
sort
of
you
compile
your
own
spreadsheet.
That
says,
you
know
this
repository
has
had
a
pen
test
done,
has
not
had
a
pen
test
done.
C
Would
we
be
able
to
just
do
it
without
talking
to
them
or,
like
you
know,
and
like
I
think
you
could
probably
push
to
get
some
of
these
policies
in
place?
Yeah
and
I
I
have
a
hunch.
Most
of
them
would
be
willing
to
work
with
you
on
that.
It's
just
that,
like
suggested
chat
that
it's
in
progress,
you
know
yeah.
G
Yeah
yeah
David,
well,
I,
guess
this
is
a
long.
You
know
you
know.
Well
money
comes
later:
let's,
let's
have
the
data
first
yeah
yeah,
perfect,
okay,.
G
C
All
right
thanks
everyone
and
then
the
last
point
before
we
leave,
is
just
happy
holidays
to
folks
who
have
holidays
coming
up
and
to
those
who
don't
enjoy
the
empty
room.
I
think
what's
gonna
happen
is
our
next
scheduled
meeting
would
be
on
Thursday
December
29th.
When
everyone
in
the
world
is
out
of
office,
so
I
think
then
we
just
have
the
emea.
C
So
this
meeting
is
scheduled
on
January
12th,
so
hopefully
see
you
all
then,
and
in
the
meantime
say
hi
in
slack
and
and
we
can
coordinate
there.
B
Yeah
and
and
Zach,
can
you
or
somebody
else
send
operations
to
kill
to
remove
the
meeting
so
that
people
don't
show
up?
Yes,.