►
Description
Meeting notes: https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit#heading=h.pujncb7gxv4f
B
A
C
C
Guess
from
the
callers,
what
university?
Also
the
context
of
where
Marina
is
a
student.
A
C
B
E
E
You
Zach
yes,.
B
E
F
Yeah,
so
I
was
scrolling
down
to
the
notes
to
remind
myself
of
what
happened
two
weeks
ago,
and
so
we
had.
F
We
had
a
little
bit
of
this
meta
discussion
about
like
what
is
the
purpose
of
the
spring
group
and
some
of
the
things
that
came
out
of
that
is
people
said
they
really
appreciate
the
Forum
just
to
hear
about
what
problems
folks
are
facing
and
how
they're
addressing
those
the
idea
of
of
writing
documentation,
particularly
around
I,
think
one
of
the
examples
was
like
accounts,
credential,
reset
criteria
or
other
ways
that
we
could
write
content.
F
That
sort
of
like
helps
other
people
who
might
be
maintaining
software
repositories,
and
then
there
were
some
excellent
points
that
you
know.
We
can't
assign
things
to
different
software
repositories,
and
everyone
is
short
on
time.
So
you
know
things
in
particular
that
are
high
impact
and
low
effort.
F
F
I
think
we're
still
talking
about
that
approach
and
where
it
might
or
might
not
work,
but
that
got
me
thinking
about
other
ways.
Those
sort
of
those
two
topics
coming
together,
ways
that
we
can
help
other
other
software
repositories,
deliver
meaningful
security
improvements,
and
this
wonderful
pattern
that
the
python
software
foundation
and
pipei
have
of
writing
up
sort
of
like
individual
chunks
of
improvements
that
could
then
be
funded
and
then
once
funded
delivered.
F
F
But
I
am
very
interested
in
continuing
to
talk
about
ways
that
we
can
turn
dollars,
maybe
from
the
open,
ssf,
maybe
from
other
entities
into
meaningful
security
improvements,
and
this
is
this
is
sort
of
one
example,
I
think
of
ways
to
do
that,
but
I'm
also
open
to
other
people
getting
feedback
about
why
that
approach
might
or
may
not
work
for
them.
Or
you
know
if
people
if
people
need
help
with
the
documentation
or
if
they
need
help
connecting
to
funding
resources,
trying
to
figure
out
how
to
facilitate
that.
E
So
we
did
this
a
while
back
when
we
were
looking
for
various
opportunities
to
get
funding
and
basically
just
came
up
with
a
list
of
all
the
kind
of
biggest
nice
to
have
projects
that
you
know,
volunteer.
Maintainers
are
probably
not
going
to
be
able
to
fix
because
they
need
some
dedicated
experienced
work
over
a
long
period
of
time.
E
I
think
it
worked
really
well,
I
think
it
for
the
community.
It
paints
a
good
story
of
here's.
Why
we
haven't
done
this
thing
yet
sort
of
sets
the
scope
a
little
bit
better
for
some
things
that
might
become
in
future
requests.
So
these
are
specifically
scope
to
you
know
packaging.
E
E
Where
funders
didn't
really
come
along
and
say,
Yes
I
want
to
do
exactly
this
thing
off.
This
list
is
more
of
a
way
to
start
a
conversation
around
how
they
might
want
to
support
the
ecosystem.
So
it
was
good
for
that.
E
But
I,
don't
think,
there's
been
a
lot
that
we've
been
able
to
actually
check
off
the
list
as
a
result
and
I
think
the
only
other
thing
I'd
note
is
that
you
know
overall,
it
was
very
useful
I
think
if
I
were
to
do
it
again,
we'd
probably
and
we've
talked
about
this-
also
turn
it
into
a
repository
of
issues
rather
than
a
giant
markdown
document,
because
that
sort
of
allows
for
some
communication
and
feedback
and
discussion
on
individual
fundables,
rather
than
just
the
giant
list.
E
So
from
based
on
sort
of
Zach
craziness
some
sort
of
sensing,
maybe
it
would
be
interesting
for
us
to
think
about
putting
together
fundable
security
improvements
for
ecosystems
and
and
then
we
did
the
the
packaging
landscape
a
while
back
and
that
sort
of
identified
some
some
gaps
where
we
ecosystems
might
be
missing
security
features
that
would
collectively
like
as
a
bunch
of
people
that
maintain
these
repositories
found
to
be
valuable.
E
I
think
it'd
be
important
to
make
sure
that
you
know
any
list.
That
is
a
list
of
fundable
improvements.
Has
buy-in
from
you
know
the
folks
that
maintain
that
ecosystem
right
so
I,
don't
think
you
know
I,
don't
think
me
making
a
list
of
things
that
rubygems
should
should
definitely
get
funded,
make
sense,
but
I
think
with
with
support
from
everyone
in
these
ecosystems.
That
probably
would
be
useful.
E
Yeah
I
mean
I,
think
there's
you
know,
I
think
I'm.
If
I
can
guess
at
the
sub
subtext
here,
npm
did
build
provenance
attestations
and
that's
something
that
I
think
a
lot
of
folks
are
really
interested
to
bring
in
other
ecosystems.
But
it's
also
a
big
chunk
of
work.
E
I
would
be
really
you
know
like
as
a
maintainer
of
another
ecosystem
that
is
kind
of
interested
in
this
I
would
like
to
hear
a
couple
things
I'd
like
to
hear
like
how
much
work
was
it?
How
long
did
it
take?
You
know
how
many,
how
many
of
all
how
many
engineer
hours
was
it
roughly
like
anything
that
you
would
do
differently
or
any
challenges
in
the
rollout?
That
kind
of
stuff
I
think
would
be
really
interesting
to
hear
from
any
ecosystem.
That's
already
implemented
it.
G
Yeah
I
think
that
another
interesting
and
I
don't
know
if
this
fits
it's
here
at
all,
so
feel
free
to
ignore
the
suggestion,
but
I
think
like
the
tough
project,
for
example,
I
think
we've
looked
into
Integrations
and
ecosystems,
I
think
we've
learned
from
that
some
things
that
would
could
improve
in
the
project
to
make
that
process
better
I
think
even
even
not
as
part
of
an
integration
because
as
like
to
like
you,
know,
improving
tooling,
improving
usability
things
which
doesn't
quite
fit
into
an
ecosystem.
C
Yeah
and
that's
and
that's
kind
of
the
point
I
was
I
was
getting
at
Dustin.
Is
that
I
think
there's
certainly
a
place
for
you
know
for
ecosystem
fundables
and
I
I
heartily
encourage
that.
I
also
think
that
there's
perhaps
some
issues
that
we
in
this
working
group
can
identify
that
are
cross-cutting,
and
so,
for
instance,
you
know
funding,
for
if
we
wanted
to
bring
tough
to
a
specific
ecosystem
would
be
you
know,
kind
of
scoped
to
that
ecosystem.
C
If
we
wanted
to,
you
know,
invest
in
documentation
or
process
or
tooling
or
whatever
it
is
for
all
tough
implementations,
and
then
that
could
be
cross-cutting
and
I'll
table
it
for
a
moment.
But
I
I
do
have
some
some
specific
fundables
in
in
mind.
I
I
assume
that
at
the
end
of
this
this
bullet
point
we
can
throw
out
a
couple
of
like
specifics,
not
necessarily
work
through
them,
but
but
you
know
just
kind
of
kick
the
ball
around
as.
E
C
A
It
just
sounds
to
me
well
I,
shouldn't
say
just
it
sounds
to
me
like
there's
a
sort
of
a
latent,
fundables,
Matrix
or
vulnerable's
table
lurking
in
the
wings.
For
this
with
you
know,
one
dimension
being
things
we
would
like
to
fund
and
the
other
dimension
being
ecosystems
that
have
or
have
not
been
able
to
achieve
that
thing
we
could
use
the
survey
as
a
as
a
jumping
off
point
in
that
regard.
A
F
The
feedback
that
I
gave
to
Jonathan
on
the
great
repository
audit,
which
I
would
be
remiss
to
not
repeat
here,
is
that
often
often
we
kind
of
have
these
Grand
plans,
but
it's
like
we,
we
sort
of
need
one
ecosystem
to
buy
in
and
say
like,
yes
we're
interested,
and
then
it
certainly
certainly
we
could
create
that
table.
But
you
know
in
in
order
in
order
for
any
of
those
pieces
to
be
delivered,
it's
it's
it's,
the
classic
sort
of
like
two-sided,
Marketplace
problem
right.
F
You
need
agreement
from
the
repository
that
this
is
yes,
they're
interested
in
aplenting
this
in
the
near
future
and
then
agreement
from
a
funder
that
they're
going
to
you
know,
cut
the
check
and
so
I
think.
F
Maybe
this
is
me
thinking
too,
like
tactically
and
pragmatically,
but
what
I
would
really
like
to
see
us
identify
a
particular
ecosystem
who
would
sort
of
be
interested
in
going
through
this
exercise
either
either?
For
you
know
just
one
or
two
things
that
are
sort
of
like
top
of
mind
for
them
or
or
something
like
what
the
pipi
did,
which
is
sort
of
like
a
more
comprehensive
like
almost
like
a
road
map
of
something
I
could
endure
for
a
couple
of
years.
E
I
think
the
other
thing
that's
been
really
nice
to
have
here
is
kind
of
prior
art
right,
I,
think
that
would
be
make
a
lot
of
these
more
attractive
to
funders.
If
they
see
oh,
like
python,
ecosystem
wants
to
do
build
an
stations,
and
it's
already
been
done
in
npm,
and
it
was
successful
to
some.
You
know,
based
on
some
Metric
or
you
know,
it
exists.
Right
is
already
somewhat
proven.
I.
B
C
Yeah,
so
so
Jacques
I
think
I
think
sounds
like
overall.
It's
it's
a
good
idea
to
try
to
reuse
as
much
as
we
can
right
and
to
be
able
to
point
to
past
experiences
and
to
honestly
just
let
people
cut
and
paste
where
they
can.
Instead
of
having
to
write
these
things
from
from
scratch,
but
I
I
think
all
Echoes
Zach's
point,
which
is
we
shouldn't,
you
know
and
I.
Don't
think
this
is
what
you
were
saying,
but
we
shouldn't
block
improvements
in
one
ecosystem
on
having
a.
A
That's
that's
not
possible.
I
would
caution
that
in
many
ways
the
biggest
obstacle
is
not
necessarily
knowing
what
to
do.
It's
convincing
somebody
to
give
you
money
at
all
for
anything
and
going
through
the
the
very
fuzzy
vague
back
and
forth
is
probably
where
it
can
help.
A
You
know
here
are
concrete
things
that
we've
identified
in
advance,
but
there's
still
a
lot
of
fuzzy
back
and
forth
speaking
about
an
ecosystem
that
I
have
some
familiarity
with
a
large
company
took
the
position
that
they
would
basically
hand
the
money
over
no
strings
attached,
but
with
sort
of
like
we
would
like
it
if
you
spent
this
mostly
on
security
things,
but
we're
also
not
going
to
dictate
what
it
gets
spent
on,
which
is
a
very
different
funding
model,
but
also
even
that
took
a
long
time
to
negotiate.
F
If,
if
there's
a
repository,
that's
interested
in
in
undertaking,
this
I
I
would
be
happy
to
boss
yourself,
my
time
to
help
them
navigate
the
process
of
of
either
talking
to
the
open,
ssf
or
other
bodies
about
funding
opportunities.
E
So
I
think
I'd
definitely
be
interested
in
maybe
teasing
out
security
stuff
from
that
fundables
list.
Keeping
that
purely
about
you
know,
packaging,
stuff
and
and
maintaining
something
separately
around
security
improvements.
C
Cool
should
I
give
anyone
an
action
item
or
you
two
are
just
gonna
kind
of
follow
up
on
that.
C
Awesome
cool
well,
then
not
to
get
not
to
get
too
into
the
weeds,
but
but
Zach
if
you're
interested
in
also
experimenting
with
process
around
more
cross-cutting
stuff.
I
I
have
a
proposal
in
mind.
Long
long
story,
short
and
I
can
I
can
give
more
context
of
this
later
and
in
in
any
kind
of
fundable
document.
C
But
the
Nyx
ecosystem
is
interested
in
in
sort
of
introducing
six
door
signing
for
build
provenance,
the
blocker
for
that
winds,
up
being
a
Haskell
implementation
of
of
Sig
store
and
actually
I've
identified,
an
organization,
that's
willing
to
write
Haskell
bindings
for
us,
but
that's
kind
of
blocked
on
a
six-store
like
C
library,
basically,
and
so
there's
already
been
a
proposal
to
do
this
to
take
the
six
door
rest
effort
and
exposed
a
Sig
store,
six-door
rust
Library
that
can
be
you
know,
can
be
linked
against
from
from
a
bunch
of
different
languages,
but
I,
don't
think
that
will
happen
without
without
sort
of
a
dedicated
effort,
and
so
that
that
could
be
another
possible
test
case
if
you're
interested
you
and
I
can
follow
up
on
on
that.
C
E
F
Speaking
of
build
provenance
like
we,
we
can't
talk
about
other
things
like
we
can
talk
about
two-factor
authentication.
We
can
talk
about
detecting
malware,
but
it
is
a
bit
of
a
Hot
Topic
these
days,
I.
So
the
there
we
go,
I,
I
guess:
I
have
the
next
agenda
item,
which
is
about
Dockers,
build
attestations.
I
was
delighted
and
surprised
to
see
this
announcement.
F
They
are
making
use
of
in
Toto
attestations
with
salsa
predicates,
which
I
think
is
a
great
idea
and
I
hadn't
I
hadn't
seen
people
talk
about
it.
Much
I
hadn't
encountered
anyone
from
Docker
who
was
working
on
this,
and
so
in
case.
Other
people
were
similarly
unaware
that
this
was
something
they
were
working
on.
I
wanted
to
share
it
with
this
group
as
I.
Think.
A
lot
of
us
on
this
call
are
are
fans
of
in
Toto
attestation
documents
with
salsa
predicates.
E
Is
there
any
attempted
standardization
here
is
there?
How
is
this
compared
to
provenance
attestations
for
npm.
F
Yes,
so
and
I'm
never
sure
how
much
background
to
give
and
these
sort
of
things,
but
just
to
make
sure
we're
on
the
same
page
in
the
in
the
process
of
publishing
an
npm
package
with
attestations.
There's,
there's
two
sets:
there's
the
build
attestations
which
are
sort
of
well-defined
in
total
document
with
salsa
predicates
and
then
there's
the
publish
attestation,
which
we
sort
of
took
cues
from
the
in
total
project,
but
sort
of
like
made
up
what
information
we
thought
should
be
contained
in
a
published
attestation.
F
I
I
did
not
I'm
not
like
steeped
in
in
the
in
the
work
and
the
thinking
behind
the
publish
at
that
station.
So
certainly
we
should
talk
about
this
more
when
Frederick
or
Philip
Harrison
are
here,
but
but
we
are
absolutely
interested
in
going
through
a
more
rigorous
process
of
talking
about
what
should
be
in
that
published
attestation
with
people
outside
of
npm
and
ensure
that
whatever
documents
and
standard
and
predicates
that
we
settle
on
are
something
that
is
widely
applicable.
F
I'm
just
not
prepared
to
have
that
discussion,
because
I
don't
have
enough
sort
of
like
background
as
to
as
to
what
the
objectives
are
and
and
what
alternatives
we
considered.
G
Yeah
and
I
think
that
tree
shock
might
know
more
here,
but
I
know
that
the
encoder
project
is
looking
at
creating
methods
to
like
propose
attestation
types
that
can
then
be
more
standard
and
centralized,
but
still
have
like
some
options.
G
G
Think
it's
89.
It's
the
the
one
about
different
attestation
types
for
in
Toto.
D
E
Cool,
that's
really
interesting,
so
yeah.
Maybe
we
can
have
a
larger
discussion
about
that
in
two
weeks.
Frederick.
F
Just
maybe,
but
one
more
on
this
topic
does
anyone
know
I,
so
I
think
that
the
docker
build
attestations
then
does
not
include
publish
attestations
but
I'm
sort
of
I
I
didn't
look
thoroughly
enough
to
know.
If
for
sure,
if
that's
the
case,
does
anyone
know.
D
E
Can
definitely
rope
someone
into
that.
The
other
thing
I
was
going
to
say
what
I
thought
you
were
going
to
say
is:
do
we
want
to
pull
someone
from
Docker
into
this,
because.
A
Yes,
we
we
haven't
had
anybody
from
DACA,
which
is
in
some
ways,
is
a
good
thing,
and
you
know
in
the
sense
that,
like
people
trust
these,
these
documents
and
standards
enough
to
act
independently.
That's
a
positive
sign.
A
Was
just
going
to
say,
I
I
have
a
thing
coming
out,
which
is
that
it
looks
like
notary
actually
delivered
something.
I
I
saw
a
picture
on
Twitter
of
a
big
announcement
at
AWS
re
invent
which
they
did
something
based
on
notary
and
I'm
like
oh,
is
that
still
going
so
I
I
wonder
how
much
internal
drama
there's
going
to
be
at
Docker
and
I?
Don't
know
if
that's
gonna
have
any
influence
I'm
so
glad
this
is
recorded.
That
I
put
that
out
there
in
the
world.
D
Yeah
I
just
wanted
to
add
the
the
the
docker
at
the
stations
right
now
seems
to
use
the
version
0.1
of
the
in
dodo
statement
on
an
envelope.
So
maybe
a
little
bit
of
thinking
to
do
that.
C
Yeah
I
think
I.
Think.
Another
important
point
to
note
is
that
my
understanding
is
that
there's
a
generic
mechanism
for
attaching
things
to
container
images
and
the
specific
formats
are
an
artifact
of
the
build
tooling
here,
and
so
it
would
be
I
think
pretty
straightforward
to
extend
the
build
to
only
to
produce
things
in
different
formats
or
like
the
the
attachment
mechanism,
seems
generic
enough
that
I,
don't
I,
wouldn't
view
the
specific
types
that
are
on
the
table
today
as
permanent
or
unique.
F
I
did
I
did
notice
that
the
that
it
appears
that
they're
using
their
own
sort
of
way
of
of
specifying
the
registry
how
these
artifacts
are
related
and
the
the
way
Docker
chose
to
do.
It
is
independent
of
the
way
of
the
of
the
oci11
draft
spec.
E
So
maybe
it'd
be
useful
to
have
someone
here
that
can
answer
questions
about
it
as
well.
I
saw
Zach
suggested
Justin
Chadwell
does.
E
Foreign
cool
all
right,
so
this
one
is
mine,
so
I
was
what
I'm
curious
about
is
if
folks
are
aware
of
cargo
vet
and
if,
if
there's
any
sort
of
Interest
or
has
been
any
interest
in
your
ecosystem
of
bringing
it
to
your
ecosystem,
so
the
background
for
anyone
that
is
not
familiar
with
cargo
vet.
This
is
some
project
out
of
Mozilla
to
essentially
audit
third-party
dependencies
sort
of
somewhat
standardized
way.
So
the
idea
is
your:
your
team
consumes
some
some
third-party
dependencies.
E
B
E
Somewhat
arbitrary
right,
so
there's
sort
of
different
categories
of
audits
that
is
sort
of
up
to
the
the
team
publishing
it
to
Define.
E
So
I
think
trishank
kind
of
actually
read
my
mind
here,
a
little
bit
so
a
I'm
curious.
You
know
with
your
ear
to
the
train
tracks.
Have
you
heard
any
kind
of
interest
in
this
or
does
anything
like
this
sort
of
already
exist
in
your
ecosystem
and
then
B?
Yes,
does
it
make
sense
to
think
about
standardizing
this
in
some
way.
E
The
other
thing
about
the
audits
right
now
is:
there's
no
sort
of
sense
of
identity
or
verification
or
Integrity
of
the
audit,
so
I
believe
they're
sort
of
published
in
GitHub
repositories
and
sort
of
just
trusted.
As
a
result
of
that.
A
A
long
time
ago
we
saw
that,
let
me
think
we
very
Loosely
and
vaguely
and
yeah
the
main.
The
main
concern
was
that
it
was
like
GitHub
based.
Ideally
it
would
go
through
a
transparency
log
and
the
other
question
that
was
raised.
I,
don't
think
I
ever
had
a
satisfactory
answer
is
how
do
I
put
this
politely?
A
A
lot
of
companies
will
be
a
little
trepid
about
attaching
their
name
to
a
public
statement,
but
something
is
good
or
not
so
would
need
some
ref
on
an
open
source
license
on
their
test
station
itself.
To
say
no
warranty,
you
know
don't
see
me
if
you
rely
on
my
statement,
then
something
bad
happens
because
otherwise
nobody's
going
to
contribute
these.
G
Yeah
I
think
that
brings
up
an
interesting
point
too,
because
I
think
one
of
the
ideas
is
that
you
have
this
accountability
system.
Where
folks,
like
we
mean
trusted
Bettors
if
their
betting
isn't
found
to
be
bad,
but
I
think
it's
hard
to
Define
what
that
means,
because,
like
we
discover
new
vulnerabilities
and
stuff
changes,
yeah.
A
It
also
argued
that
you
would
essentially
need
subjective
statements
right
like
in
the
sense
that
there
is
an
identity
that
is
asserting
or
attesting
something,
and
that
your
trust
as
a
query,
a
querying
agent
depends
in
part
on
who,
as
well
as
what
and
I
think
that's
going
to
be
true,
no
matter
what,
but
also
in
practice.
Probably
what
will
happen
is
we'll
wind
up
congregating
about
certain
common
like
there
will
be
some
shelling
points
right
in
in
this
universe,
where
people
sort
of
converge
from
a
policy
that
everyone
follows.
A
You
know
like
pretty
much
everybody's
going
to
be
like
I
trust,
GitHub
and
Google
100
to
not
up
good
luck
with
that
guys.
So
I
think
it's
a
good
idea.
I
think
I.
Think
it's
important
because
otherwise
we
have
to
replicate
that
labor
over
and
over
and
over
right
it.
It
turns
the
defensive
problem
into
it's
still
a
collective
action
problem,
but
it's
like
building
offense.
You
know
if
somebody
doesn't
build
their
segment
of
the
fence.
A
The
fence
is
not
effective,
whereas
what
we
want
is
I
can't
remember
the
analogy
it
doesn't
matter.
I'll
start
now.
E
I
was
just
gonna,
say:
I
I
totally
I
would
totally
agree
with
you
on
the
trepidation,
thing
about
open
sourcing
audits,
but
I
actually
I'm,
not
sure
if
folks
are
aware,
but
we
Google
just
recently
announced
that
our
Chrome.
E
Team
are
both
doing
cargo
vet
for
their
rust
dependencies
and
Publishing.
The
audits
yeah
be
going
okay.
A
Yeah
I
guess
my
only
like,
apart
from
the
legalities,
which
you
know
you
can,
if
you
talk,
if
you
sort
of
yell
at
lawyers
enough,
they
will
eventually
do
what
you
ask
them
to
do.
You
just
threaten
them
with
Fists
Full
of
cash
and
yeah
it
really
all
it
would
come
down
to
is
I.
E
Yeah
I'm
also
curious
about
discovery
of
attestations
in
this
way
too
right,
like
I,
think
having
them
be
available
alongside
the
artifacts.
Probably-
and
this
is
something
that's
been
discussed-
a
lot
for
salsa
but
I.
Think
generally,
it
makes
sense
to
have
them
at
least
nearby.
E
D
Oh
I,
don't
think
this
this,
but
thanks
yeah,
I,
think
I.
Think
it's
important
ever
since
I
saw
a
cargo
wet
I'm
like
this
is
a
brilliant
idea,
but
it'd
be
nice
if
we
could
standardize
it
so
that
we
could,
we
could
literally
wet
it
the
same
way
so
to
speak
across
ecosystems.
So,
just
like
with
the
publisher
station
I,
guess
that's
going
to
be
my
tune
for
the
next
few
meetings.
Let's
standardize
this
and
that.
E
C
I'll
answer
no,
but
I
I
think
maybe
there
that
points
to
a
useful
follow-up,
which
is
someone
should
read
it,
but
then,
but
then
also
we
we
could
reach
out
to
the
in
Toto
folks
and
see
if
they
have
any
thoughts
on
how
best
to
do
this.
Because
because
my
my
assumption
is
that
their
familiarity
with
the
ecosystem
will,
will
you
know
point
to
getting
the
format
more
right
than
I.
G
Would
I
can
see
if
someone
who
has
actually
like
maybe
written
this
I
can
come
to
the
next
meeting,
I've
skimmed
it
but
I'm
not
gonna,
claim
I.
Won't
summarize
it
here.
Based
on
that,
so.
A
E
Is
obvious,
but
I
also
kind
of
wanted
to
raise
how
this
might
relate
to
malware
because,
like
pipia,
is
undertaking
a
project
right
now
or
we
are
going
to
sort
of
standardize
the
way
that
third
parties
report
now
are
to
us
and
it
would
be
super
cool
if
these
were
a
standard
format
that
we
could
sort
of
ask
anyone
to
use,
and
that
makes
sense
across
the
ecosystems
and
also
we
could
make
public
right.
E
F
E
Guys
are
getting
the
little
backstage
preview,
it's
it
hasn't
been
announced
yet,
but
probably
within
the
month.
E
I'm
going
to
judge
by
the
lack
of
discussion
and
talking
about
it
probably
just
makes
sense
to
everyone
and
so
probably
something
we're
thinking
about
cool.
So
we
have
Marina's
going
to
reach
out
to
the
internal
folks
and
so
I
think,
let's
try
and
make
an
effort
to
read
item
nine
with
our
next
meeting
anything
else
about
cargo,
better
stations.
A
A
We
know
sort
of
main
problem
with
nature.
Is
that
it's
containers?
That's
all.
It
does
and
I
think
the
absence
of
a
transparency
log
makes
it
much
less
attractive
than
it
would
otherwise
be,
but
I
just
you
know.
As
I
said
this
flew
across
my
radar
very
briefly.
Today,
I
don't
have
much
context,
but
it's
kind
of
interesting
because
I'd
sort
of
forgotten
about
notary
because
it
it
had
sort
of
turned
into
you,
know
the
Quest
for
El
Dorado.
A
As
far
as
I
can
tell
you
know
to
get
to
version
two,
so
I
was
sort
of
surprised
to
see
that
something
had
happened
and
I
thought
people
who
might
be
interested,
who
had
also
forgotten
well,
yeah,
notaries,
a
thing
there.
You
go
something's
coming,
but.
F
We
it's
been:
it's
been
on
my
list
to
reach
out
to
AWS
on
a
number
of
fronts.
They
operate.
Two
services
with
building
its
name
and
I
can
never
keep
them
straight.
F
One
is
focused
on
CI
and
one
is
focused
on
CD
and
if
nothing
else
would
be
really
cool
to
see
the
well
actually,
both
the
CI
and
the
CD
system
support
a
concept
of
workload,
identity
via
oidc,
so
that
you
know,
if,
if
people
are
publishing
from
that
system
to
our
software
repositories,
they
can
use
workload
identity
instead
of
secrets,
so
that
was
one
point
I
was
going
to
make
and
then
I
guess.
F
The
other
point
is
just
that:
AWS
is
sort
of
notorious
for
being
a
platform
that
likes
to
adopt
lots
of
different
overlapping
options,
to
kind
of
let
their
customers
decide,
and
then,
in
that
platform
they
operate
several
like
secret
stores
or
other
sort
of,
like
HSM,
backed
options
for
managing
key
material
for
their
customers,
and
so
the
the
use
case
that
AWS
might
be
envisioning
for
their
customers
is
a
is
a
little
different
than
that.
F
It's
not
just
a
developer
on
a
laptop,
it's
someone
who
has
an
AWS
account
which
then
avails
them
of
thousands
of
different
Services,
including
at
least
two
different
HSM,
backed
ways
to
manage
key
material.
F
So
you
know
I
I,
think
it's
I
think
it's
interesting
to
see.
People
continue
to
explore
different
options
for
providing
integrity
and
provenance,
but
I'm
not
terribly
worried
about.
You
know
anyone
sort
of
like
stepping
at
each
other's
toes
here.
A
F
A
Not
worried
either
I
think
the
main
difference
is
that
Sig
Stone
has
actual
momentum
I
just
the
same
the
same
with
you
know
the
skit
folks,
it's
just
like.
Oh
we're,
throwing
an
ETF.
You
need
to
do
it
our
way
and
it's
just
like
no
one's
using
it.
There's
no
software.
You
know
bye.
A
A
We've
got
an
operator
schedule,
I,
don't
know
anyway.
That's
that's.
That's!
That's!
That's
me!
Being
a
human,
you
know
reacting
to
things
like
a
chimpanzee
in
a
troop
and
there's
been
a
status
move
amongst
the
the
males.
So,
whatever.
A
E
A
I
think
it's
it's
worth:
what's
the
one
I'm
looking
for
with
distinguishing
in
2fao
MFA,
between
using
tatp
and
using
tokens
or
pass
Keys,
a
lot
of
I
mean
there'll,
be
cases
where
people
have
already
implemented
totp.
A
E
E
E
Yes,
so
pipei
didn't
support,
I
might
be
wrong,
I,
don't
think
it
supported
2fa
at
all,
and
then
we
added
to
TP
and
web
offense
support
a
couple
years
ago,
and
that
was
actually
Trail
bits
that
did
that
work.
William.
F
A
E
Getting
back
to
2fa,
we
can
move
down
in
a
second
I,
wanted
to
add
support
for
2fa
mandate
rollout.
So
you
know
I,
don't
know
if
folks
have
seen,
but
pipei
is
going
to
do
this
by
the
end
of
2023
for
for
everyone,
and
so
there's
just
a
lot
of
work
that
has
to
go
into
you
know,
announcing
it
and
making
all
the
changes
to
support
it.
That
kind
of
thing
definitely
a
potentially
fundable
project
for
some
some
ecosystems,
we're.
E
Think
but
yeah.
F
I
was
I
was
going
to
blow
out
the
scope
by
suggesting
we,
we
like
even
have
like
a
higher
group
of
categories
which
is
like
well
and
then
inspired
by
the
not
comprehensive,
but
maybe
medium
thought
out,
threat
modeling
that
npm
did
there
were
lots
of
people
posting
what
they
thought
were
threats
to
npm
online
and
then
posting
what
they
thought.
Our
mitigations
were
to
those
things
and
then
posting
on
what
they
thought.
F
The
effectiveness
of
those
imagined
mitigations
were
so
we
decided
to
write
them
down
in
one
place,
and
so
this
may
or
may
not
be
a
helpful
framework,
but
you
know
kind
of
like
bucketing
and
thinking
like
okay.
Well,
how
are
we
preventing
account
takeover?
How
are
we
preventing
people
from
submitting
malicious
or
otherwise
like
confusing
content?
A
F
For
for
how
we
organize
these
things,.
A
Related
to
that
is
the
supply
chain
taxonomy,
which
was
originally
in
a
paper
by
the
folks
who
wrote
the
backstabbers
knife
kid
or
knife
collection.
I
can't
remember
the
exact
title
now,
which
had
a
very
elaborate
attack
tree
very
elaborate,
like
hundreds
of
hundreds
of
leaf
nodes
and
that's
been
adopted
by
the
end
users
working
group
and
it's
still
evolving,
still
being
worked
on
so
for
Source
material
in
terms
of
parts.
A
E
Oh
I
was
going
to
just
add
around
2fa
miles
and
I've
talked
quite
a
bit
about
defining
the
like.
E
Okay,
we
sort
of
moved
around
a
little
bit.
Do
we
want
to
keep
talking
about
2fa?
We
want
to
bump
up
to
account
takeover
stuff.
E
Stick
with
account
takeover,
so
one
thing
that
IPI
has
as
well
as
we
integrate
with
the
Habib
and
permanent
API,
so
that
you
know
if
a
password
doesn't
appear
in
a
breach
and
someone
tries
to
log
in
with
it.
For
that
account,
we
just
make
them
reset
their
password.
E
Not
a
huge
lift,
it
would
be
a
pretty
small,
fundable,
I
would
think,
but
maybe
a
part
of
a
larger.
You
know
account
recovery,
takeover
prevention,
kind
of
effort
that
could
be
included.
F
We
have,
we
have
definitely
seen
in
the
theme
of
account
takeover.
We
have
definitely
seen
expired
email
domain
takeover
as
a
as
a
common
attack
manager.
A
Yeah
Resurrection
attacks
rubygems
has
a
a
daily
job.
I
can't
remember
these
exact
details,
but
it
hits
an
API
that
provides
a
list
of
expired
domains
based
on
the
domains
that
exist
in
the
database.
It
says
these
ones
have
expired
and
it
locks
that
account.
Basically,
it
forces
them
to
reset
the
account.
E
E
E
E
And
some
improvements
of
tooling
around
making
it
really
easy
to
sort
of
identify
what
looks
like
malware
and
make
the
takedown
really
easy
to
do
to
handle
volume.
A
A
E
I
mean
that's
what
I
sort
of
Imagine
happening,
so
you
know
maybe
like
in
pipa's
case.
We
have
multiple
security
researchers
that
report
they
don't
share
notes,
but
there's
overlap
there.
So
there's
interesting
things
can
be
done
with
the
like,
consensus-based,
automation,
too.
If.
B
E
Even
need
intervention
by
a
human
but
yeah
I
think
the
workflow
is
sort
of
like
yeah
publishing.
This
I
think
there
was
some
interest
in
doing
this
with
osv,
but
I
think
the
the
scope
was
a
little
bit
different
there,
because
OC
is
really
primarily
concerned
with
the
vulnerabilities
and
malware
kind
of,
but
doesn't
exactly
fit
in
that
bucket,
and
also
the
volume
is
quite
different
right.
Over
vulnerability
is
somewhat
somewhat
rare
and
malware
definitely
isn't.
C
It
could
be
there's
only
two
categories
in
Zach
and
your
in
your
taxonomy
and
so
I'm
happy
to
pull
it
out
as
its
own
thing,
but
I
also
can
see
the
argument.
First.
G
B
E
F
We're
always
very
careful
in
the
npm
documentation
or
other
content
to
not
say
that
a
package
is
secure
just
because
it's
published
Providence
but,
of
course
having
those
verifiable
links
to
source
code
and
build
instructions,
enable
malware
detection
techniques
that
would
not
otherwise
be
possible.
Yeah.
A
That's
that's
what
I
always
thought
right
like
as
as
more
and
more
parts
of
the
overall
package
lifecycle
become
available
in
the
transparency
log
right,
it
becomes
easier
and
easier
to
detect
a
suspicious
pattern
and
to
to
investigate
further.
It's
really
just
about
prioritizing,
and
my
motto
that
I
keep
repeating
is
make
the
attacker
move
in
the
open,
because
they're
gonna
have
to
do
all
these
things
anyway.
C
E
Level
of
recommendations
of
things
that
software
repository
should
do,
and
then
maybe
the
next
step
after
that
is
working
with
individuals
in
those
ecosystems
to
make
a
list
of
fundables
I
mean
I
really
like
the
funnels
thing.
I
think
it
works
a
lot
better
if
it's
sort
of
owned
by
the
individuals
who
will
be
overseeing.
E
You
know
defining
the
standard
or
whatever
it
might
be,
but
yeah
I'm
curious.
What
folks
think.
F
Think
I
think
there's
huge
value
in
in
having
an
opinionated
like
if
you
want
to
call
it
a
maturity
model
or
like
security
capability
list
or
the
maybe
maybe
I'm,
putting
too
much
faith
in
in
white
papers.
But
you
know
the
I.
Just
to
me.
F
Salsa
has
had
such
a
Monumental
shift
in
the
way
that
people
think
about
supply
chain
security,
and
that's
because
it
was
a
framework
that
you
know
wasn't
too
complex
was
written
and
pretty
easy
to
understand
language,
at
least
in
my
opinion
and
and
I
was
able
to
kind
of
like
shape
and
frame
people's
thinking
and
I.
Think
there's
an
opportunity
for
this
group
to
do
the
same
for
software
repositories.
E
C
Yeah
I
will
say
early
in
the
history
of
this
working
group
I,
along
with
a
number
of
others,
produced
lots
and
lots
and
lots
of
pages
that
could
that
are
not
in
the
format
that
you're
proposing
Dustin
but
I
think
could
pretty
easily
be
adapted
to
that
and
I
think
that
would
be
an
extremely
useful
thing
for
for
this
group
to
produce.
C
So
then,
maybe
AI
on
that
is
I
can
take
it
and
just
file
an
issue
in
our
in
our
repository
and
link
to
a
bunch
of
source
material
that
that
could
possibly
be
useful,
including
probably
this
this
brainstorm.
We
just
had
a
bunch
of
stuff
throughout
the
I.
Think
this
note
stock
is
like
200
Pages
or
something
it's
82,
but
like
yeah
I,
think
I
think
that
yes,
let's
track
doing
that,
because
I
think
it's
a
great
idea.
C
E
And
with
that
we're
at
time
zone
I'll,
let
everyone
go,
but
thanks
is
this
is
a
really
great
discussion
and
see
y'all
there
thanks
bye,
thanks
for
taking
notes,
foreign.