Description
Meeting minutes: https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit#heading=h.pujncb7gxv4f
B: And Joseph, good to see you. Thank all of you have already found the minutes doc, but it's in the chat too.
E: Good, well, this is my first time doing this, great to meet you all. I'm Aaron, I'm the CEO and co-founder of a company called Phylum that is kind of working in the software supply chain security space.
F: Aaron, do you know Alan Clements? I do, yeah. Yeah, he stopped by Houston, he's a former Sonatyper and we had a lovely dinner, and he was on his way to San Antonio for your big meetup.
D: That... sorry Aaron, in your intro, but welcome, glad to have you here. Thank you, great to be, and also, yeah, thanks for all the work that Phylum has done in the Python ecosystem lately, it's been awesome.
D: Okay, I'm streaming on Jacques. Are you ready to talk about this?
C: Okay, that seems to be working, yes, sweet to change from. Can you see my screen? Yeah, so in there I basically linked to a PR which has been opened on rubygems.org, and the gist of this PR... I believe I can load it up here and you should still be able to see it. Do you see the piano in Korea? Cool. Is that Tommy's proposing to do something very much like what Maven Central does, which is to sort of surface vulnerability information, but so they have...
C: You know, there's a prototype working. What we're mostly curious about, and job apps, you'd be the best person to ask about this, is like what issues or hiccups, or things were surprising about doing that. Like we just want to sort of know more about it, to get some context on what to expect.
F: ...formal relationship with Sonatype or anything that we do. I kind of know how they source their information. Their data lags by like a week, I think there's an index that they download and scrape. But then they decorate it on their own. I really have no idea like how they line up to the CVEs or anything. It's interesting. All right, yeah, that's good! So that's the surprise for me.
F: I will say that, you know, I don't know if we publicized this to this group, but you know we're looking at sort of really modernizing a lot of the formal search interfaces that we build. So there's central.sonatype.dev, which has links to vulnerability information from another Sonatype property, OSS Index, and I thought that that's what people had stumbled upon, and I can talk more about that, but that one, you know, there's no surprises there either. It's essentially another group of someone.
C: Okay, well, I mean, nothing sort of struck me as a possibility. I see that the synthetics are throwing some notes in though, so maybe they could speak to that. Let me see, for me to see who's doing well when I've got the shared screen going.
D: ...audit every single time an install happens on PyPI. We actually have all the vulnerability information via OSV for everything that, you know, has a CVE or exists in an advisory database on GitHub or elsewhere, but we don't surface it in the UI, like the website UI, which, if I understand correctly, that's what the PR for RubyGems is about, right? Yeah.
C: That's what the proposal is, it's this episode and I'm sort of like, I'm not sure how I feel about it, like at this episode. Well, it seems obviously good, but something in my mind is just sort of nagging at me. I can't quite put my finger on it.
D: I had recently considered thinking about adding, like what it would take to add this to the UI, whether it would be useful, and I think a lot of users probably aren't coming to the web presence for these indices to interact with them, and so, like, even if you flag it there, like the chances of someone seeing it before they install is not very high, right? So yeah, yeah, so.
C: There's other things that rely on the RubySec data set, which, you know, is curated by volunteers. I think actually that's the source data for OSV as well when it comes to Ruby. But don't quote me on that. Which is a useful data set, but, you know, it relies on folks taking time out of their day. So.
G: The only thing to add is the idea of, like, yeah, what is the sort of goal? deps.dev is an interesting example because, and I'm not actually sure how Ruby does that and how it expresses its dependencies, so the deps.dev example of Link actually is interesting because it talks about, like, actual vulnerabilities in the thing itself, but also its dependencies, right, and so.
G: So that's sort of an interesting detail there, right, and it would be cool to chat if Ruby is actually using OSV for this, because OSV tends to provide sort of slightly more actionable vulnerability reports to people, right, saying what you can actually say: which version is not vulnerable, which commit, assuming the data set is there. So, you know, like people can actually click through it and say, like, oh okay, maybe I need to upgrade.
G: The reason I say that is what OSV does do is it also ingests GitHub advisories, I think, and so I've just searched for... like, I'll paste a link for what you see here in the chat, which has actually some of the examples from GitHub advisories which may actually come from RubySec. I'm not sure, I need to click through that, but yeah.
C: Also, Joseph notes that it's in the PR, neighbors Ruby advisory DB, so that is, if I'm getting the name correctly, the RubySec is the sort of the organization on GitHub. I've used that data set before in some exploratory work. It's interesting what you can cross-correlate. Yeah, that's basically all I needed, so I'm all done. Thanks, everyone.
D: Maybe not as part of this PR but, you know, a separate feature or something, something that should be maybe higher priority is actually exposing this via an API rather than just the repository, so it can be like directly correlated, but I don't actually know what APIs exist for RubyGems. Maybe that doesn't make sense. Cool, yeah. Joseph, do you want to talk about the friendly readme problem?
J: Hello, everyone. I would like to show a quick demo to explain that. "Friendly readme" is just like my personal name for this problem. There are two parts actually, so I would like to share some tries to take over some packages we faced recently on RubyGems and also some countermeasures we are trying to deploy, and ask for some suggestions or recommendations if any other package maintainers were facing similar stuff, so I would like to see also any recommendation how to tackle those problems. So let me share my screen first.
J: Also, the readme generated with it actually already points, in the readme, to the gem name specified to install for the client. So then, usually you do some work-in-progress stuff and push this to GitHub, usually, which then has this kind of readme.
J: And they try to take a look if this gem was already pushed; if not, you can push and, like, win the race of the naming corner, reserving the name on a public resource. So this is relatively simple to fix on our side, so our plan currently is to stop generating this part. Just make it a little more generic, right, so like "thank you" and put like a big TODO in here, like "update".
J: These two will begins.org, which is something we can do easily on our side, so once we make a release this would be somehow fixed. But the second problem is what we faced. So usually we go, we report this to the author on GitHub, so in this case...
J: ...of something we could report by some automated checks. We reach the author of the GitHub repo, the author just updated the readme, so it's just not mentioning or suggesting anything anymore. We block the user on the RubyGems side and also remove the gem from the index, so nobody can just install it, and we see this button being used more often than often in recent weeks.
J: So the second part of the problem is: we are trying to block the users, but the users are trying to be creative in creating new accounts, and they are used since you need to have a unique email on RubyGems. So once you get blocked, that email is blocked, right, so you don't need to bring your new account with new emails, and that's what I mentioned in the list as well. We would like to prevent registering, I don't know, those emails, and we found out some patterns.
J: Some of those, let's say, researchers, to be nice to those who are trying to use... so, for example, HackerOne is providing email, Gmail is doing the same, which is having, called on the Gmail side, email address variations. So you can just get your email, put a plus sign, anything after the plus sign can be random, but on our side it's a unique email, right, so you can, like, create an infinite amount of accounts on one Gmail inbox.
J: Thanks to this other service, you can use something called disposable emails, and thanks, that's it for this link. And also, clearly, manually you can buy a domain and provide some kind of domain basket, so everything sent to some domain on email we learned somewhere. So personally, I'm aware we can't win this fight like in 100%, but we can also try to make it as hard as possible for those not friendly users. So.
J: Currently we just validate uniqueness of an email as it is, so I would like to ask for some suggestion on this. If any other package maintainers are aware of this and are doing something more complex, so, for example, try to block these disposable emails, there's some nice list on GitHub we can use to say this is not a real email service, right, so at least provide some proper email.
J: Also, we can try to stop, block, those services using those alien things, so we can just read the email, also not unique on Gmail. Since, you know, Gmail works this way, also workspace email, or sorry, HackerOne email works the same, so we can provide some additional rules to prevent those malicious users from being able to provide an infinite amount of accounts manually. So those are my questions. Aware of this? Yeah.
D: I can definitely speak to all this, but yeah, I'm curious if anyone else wants to chime in.
B: I guess, first, sorry, I don't know if I totally understand the problem here. So I get why, like, these disposable addresses, where someone can re-register with the same address 10 minutes later or an hour later, is bad, but like I use disposable emails all the time. I have a wildcard email at my vanity domain and I use that for every sign up I do, like. So what's the issue? Yeah.
J: So the issue is, we are seeing malicious users using those, right. So we are not rushing for this to just, do not block everything using this kind of email, or at least it seems like this one, but we are trying to find out some balanced way of not really annoying proper users and also try to stop those managers who want to make it this easy for them to create an infinite amount of accounts because we are blocking an old account.
J: Oh so, in the last two weeks or maybe one month, one like, let's again call it a researcher, created like an alias, is using Gmail and, like everyone, email the same, just having the plus sign and some suffix on that side, and we just block them, right. So we just remove the malicious gem and block the email. So the blocking of the email is doing like nothing for them, right, since they can simply create a new account using the same one. That's providing different topics.
D: So we have... PyPI has the exact same problem, happens a lot, maybe even more frequently, and so one thing we did a while back: I helped maintain this disposable email list which, to be clear, like exactly what you were describing I wouldn't call a disposable email. The disposable emails are the ones that sort of don't require any registration or anything like that, aren't like personally owned, right. So a lot of them are like open inboxes also, so the accounts are kind of just like...
D: One thing that we do, which is maybe kind of counterintuitive, is that when we find this, we don't block or shut down the account, because what we've found is that most often they will just keep using the same account. And so we just sort of, like, put a little flag on the account and keep an eye on it. And that allows us to sort of just maintain this sort of list of, like, known bad things that we can cull pretty quickly.
D: So that's one thing, and then the other is like IP address based filtering and monitoring, because in my experience also, like, they just use the same IP address, so they'll create the same account or 10 different accounts from the same IP and it's pretty easy to correlate those, and that has pretty good signals. Usually, although lately I've been seeing a lot using Tor exit nodes, which has a lot of overlap with legitimate user traffic too, so you know, kind of...
J: ...have to be careful. One more, Zach, just to make it clear for those variations on the email, so I mean those plus signs in the middle of the email. I was thinking about, like, treat without plus sign and with plus sign the email the same, right. So you can use the plus sign in the email, but only once for your domain and the prefix, right. So you can continue using it, but only once because it will be considered...
J: ...it's the same inbox if you use the plus sign in the middle, as we don't, right. Only, I can post some example to the chat, but definitely it's not about blocking using the plus sign in the email, but just use it once per context.
B: Yeah, I can imagine legitimate use cases, if I have like an organization that I'm a part of and I want to maintain two accounts, but I don't know that these outweigh, like, I think they'd be rare enough that it's acceptable collateral damage for sort of, yeah. So this is not about stopping anyone, right, because it's pretty easy for me to just make a new Gmail account, but it's sort of inconveniencing people who are repeat offenders.
G: Yeah, I was going to ask him to just think, to Zach. Basically it's not about stopping this, but slowing it down, right? Is that the correct sort of categorization, that you just want to make sure that as they do this, they can't do it at scale effectively, right? And if so, like things and other things, would they actually have a good role to play here?
C: So it makes me wonder whether we can use something like shadow banning as a trick. So if they're logged in they can see it, they can see their own hostile packages, but nobody else can download it.
J: I mean, what kind of rules are, for example, applied, if any, currently?
J: Oh, that's the list of the like domains used for this one-time email, but I mean, for example, for Python packages, is there any public, like, policy or something you can just take a look and go through? Yeah, or...
D: I don't know, it's not... I'm happy to write it down and share it, but it's not a thing that we really say publicly because, A, it's sort of adaptive depending on what's going on, but also, B, I don't think we really want to fully expose our full strategy to combat this. Yeah. It doesn't hurt that need for it, I guess, so, yeah, happy to share it with all the folks here.
J: Also, our other question, but it was answered by that link, was about keeping some shared list of those disposable email domains, but it's already present, right. So there's the various, I found out various lists, but this one seems to be like an aggregator of all other ones, so I see this is the best one to follow, if I understand it well.
D: Yeah, this one's been maintained for a while, I think it's a fair amount of contribution and folks are pretty good about keeping it clean, and there's a lot of rules around what can and can't be in there. So it's not just like... they're pretty, we're careful not to add false positives and things.
J: It's super friendly, right, and like during you are doing a new account, if we, like, filter out, then...
G: ...limited to a single package manager, or there is an opportunity for sort of, like, maybe through this group, for a bit of cross package manager collaboration in sort of battling their abuse.
J: It was actually the original intention, which I missed to explain, to not reinvent it on either side again from scratch, but try to reuse as much as possible if anything is implemented on your side; how you can implement, like, technically on our side, but share the same approaches. So thanks for this note, that was the original idea, actually.
D: ...GitHub was here, because I feel like they probably have fairly good abuse protections in place, and, you know, we can maybe lean on that a little bit as well.
D: Yeah, I was just looking out, so the one thing I wanted to also add, so PyPI, we just recently added an acceptable use policy. This is largely based on GitHub's acceptable use policy. This is because we wanted to take some kind of specific actions, take down things that included hate speech, and we didn't really have a public policy to point to for that.
D: Okay, let's move on to the next thing. Brandon, are you on the call?
H: Me? Yes. Awesome, yeah, so I think two weeks ago I shared the package manager survey takeaways to for open notification. It seems like a couple comments, but nothing, kind of, I guess no requested modification. So I'm wondering what would be the best way forward to kind of deliver, kind of like, the results, maybe like create a PR in a repo.
H: Like, what would be the best way to kind of encode the group's work? Yeah, so.
D: Yeah, I think that makes sense. I think, yeah, there's probably also, you know, we want to use this to make a list of recommendations for things, gaps, that are worth funding, so some, like, short lists there to summarize would probably be really helpful to share with the TAC and elsewhere. Yeah.
D: We're just quickly, you know, padding out the agenda as we go. All right. So one thing I quickly want to mention:
D: I had OpenSSF, like, or the organizing team or whatever, had reached out to us about their annual report. They wanted a short thing on the work group, so it says, threw together some of our accomplishments for the year, and so this is the doc that we shared with him that just sort of, like, in 250 words describes what the group does and some of the things the...
D: ...included in there is one of the things that we did, but yeah, I just want to share that with everybody.
D: I don't know if it's finalized; if there's any comments, feel free to add comments or edits, if you want, if anything seems weird, but it's pretty... it should be straightforward, I think.
C: Yeah, yeah, this is something I just realized I hadn't put on the agenda, so we have, in the past, discussed the idea of having a clearinghouse repository of data where we sort of drain a bunch of different repos into the same location, and we sort of put the data into a common format that sort of just makes it easy for researchers, better for researchers, to look at stuff, but also we've talked about collecting malware samples for the same reason, for better researchers.
C: So that's one thing I wanted to raise, and I've raised with the End Users working group that this is something we've discussed in the past as well, and when I just saw yesterday or the day before, which is from Identifying Security Threats or Security Tooling, I don't recall which of the two, called assimilation or C emulation, and I'll show you how to pronounce it. It's sort of a pun.
C: On CMS and acceleration and OSS. I'll try to spell it in a minute, but essentially that one is just, like, you know, security...
C: Something that the End Users group have thought about as well is having a threat assessment capability, and to the point where Jonathan Meadows from End Users even would like to see the OpenSSF having staff whose job it is to provide that threat intelligence to ecosystems.
C: So that's the thing I wanted to bring to people's attention. I don't know what's actionable just at the second, but I have made sure to let both groups know that Securing Software Repos has thought about this in the past. So if they start to make movements up, I hope that we're involved, now we can share wishes and thoughts.
B: Can I pick on Brandon for a second and ask also about GUAC and the relationship between, because GUAC seems to be doing overlapping, though not identical, things. Yeah.
C: It's difficult for me to say exactly what it was doing, because I tend to look at it through the frame of that article I wrote about the idea of a universe, elastic graph and what all the things I thought it had to do, but in my understanding it is essentially, you know, a sort of a smaller version of what I had in mind. So it is a graph that describes, you know, assets or artifacts, and, you know, information about them.
B: Roughly looks like, you know, pulling in data using the package analysis pipeline and, and it seems like basically every, as you're pointing out, every group in the OpenSSF has a need for this data, and so less, I'm saying less, I guess, that GUAC should be the party that fills this role and more that solving these problems will be beneficial to that project as well.
C: Yeah, as I said, I hadn't thought of that connection, so I'm going to need to digest it. I can see that definitely working for stuff like metadata about packages and so forth.
C: There were things, though, that like we would want to collect which shouldn't be in a public graph, so I don't know to what degree GUAC should be federateable, so there's obviously the malware samples. We don't want the baddies to teach each other throughout our offices.
C: But also things like, for example, if a package gets yanked, one thing might be, you know, I don't know who's tracking the reasons for it at the moment, I know in RubyGems we don't, but yeah. It's like on my mental checklist somewhere, about back here on the list, is like it would be cool if we could say why we yanked a gem. Was it because of a copyright claim? Was it because it was reported malicious and we agreed? Or was it...
C: ...you know, some other reason, and that information would be sensitive. We wouldn't necessarily want to advertise that particular packages had a copyright claim against them or that they were found to be malicious at certain points and that sort of thing. So I guess what I'm saying is yes, but I also have to think through...
B: Sort of, yeah, so sorry, my vision is, I suppose, all-encompassing, right, like I want, and if it helps, and this is something that we're gonna devote serious chunks of this meeting time to do, I can try to make sure that we rope in a bunch of academics and other researchers to one of these meetings.
B: One time I'm coming, just yesterday, I was chatting with a group at NC State, which just got a huge NSF grant to work on software supply chain security and they're very interested in a lot of empirical questions. They've done a bunch of work with the Open Source Insights data set. That's, I think, referenced... that's the same! That's the deps.dev website that shows up in our meeting minutes a little bit above, and so I think...
B: My vision from a sort of research perspective is have a one-stop shop across ecosystems where you can get a bunch of data, and I think we're slowly working towards it, and the Python ecosystem in particular, I want to call out, is having done an incredible job making sort of download and upload available using Google BigQuery, which means that it's pretty easy to join against the Open Source Insights data set. So we're getting there.
B: But I think it's worth doing some amount of coordination to make sure that schemas look similar enough that, like, the end goal is I'm a researcher, I'm trying to do some metadata analyses of various package ecosystems, I shouldn't have to write one query for the Python ecosystem and one query for the JavaScript ecosystem. And so I'm relatively indifferent to how we get there.
B: I like a push-based model like what Python's doing, but I understand that's a little bit more work and requires a little bit more cooperation to get into the repositories, and in practice we're going to have to have a hybrid of push and pull. But I think trying to, like, you know, settle on schemas for these things and then having some subset of the tables that are especially for... any, we're probably going to push for anything that's deemed sensitive, right, like, or I guess we could expose...
B: ...you know, an API that's like what's been yanked, and put it behind some access control. So that was a little bit rambly, but I think I'm relatively indifferent to how this gets done. But I think the vision for the end product is basically the OpenSSF, maybe using BigQuery or something like that as a repository, that's sort of ground truth for metadata in formats that are relatively consistent across ecosystems, and that as a starting point for a bunch of, because I think...
D: I was just gonna quickly say, like, BigQuery has a public datasets program too that can help do all this, and, like, host the data so you don't have to pay for the hosting either, and I can put whoever in touch with that, if anyone wants to take on that project.
G: If you identify some sort of maliciousness you'll be able to maybe go and jump, like, you come back to the early discussion by email or other sort of property, or based on package analysis results, for example, that get ingested, right, but it will always be sort of the interesting private component, right, because otherwise, if all the threat intel data is publicly available, then it sort of defeats the purpose, in that people, the minute it becomes actually meaningfully useful and effective...
C: ...I think we can safely vet the data or vet who gets access to it. I think there's a road to go in terms of getting all the way to the gold-plated one that End Users envisage, like a full threat, and a lot, you know, full threat intelligence capability, which would be amazing if we could...
C: ...you know, come to this and have, like, an unrecorded section where we get briefed on what's happening, but I also think that there's going to be a road before we get to the point where there's a proposal that the governing board can vote on, that we can spin up people and all that kind of stuff.
C: Okay, so I don't have sort of, like, immediate actions beyond the ones I've already taken, which was to let other folks know. I don't know if anyone else wanted to propose something or if we want to sort of put this down as a, you know, "the more you know" situation.
B: Yeah, I'm definitely glad you brought it up. I don't earnestly want to propose spinning up a new working group for this, but it almost seems like that's what we should do, really. I think what's missing is someone with the cycles to drive it.
B: If that were to happen, I think most of the folks in this room would be willing to help out, and there's a bunch of ways that could happen, by sort of enumerating use cases and so on. So like, I don't know, I've brought it up in the past and it's something I would be excited about, but it's a little bit back burner for me. I wonder if, actually, speaking about sort of the academic end of things, if we could sucker some poor grad student into a project.
B: I'll poke around, because there's enough, there's a number of researchers, and I know more of the ones at academic institutions who are doing a lot of cool empirical work trying to analyze software dependencies and software supply chain.
B: Who might be in a position to kind of drive this, so I'll drop a line. Yeah, that can be an action item, and you don't need to give it to me in the doc necessarily, but I'll drop a line to some of the folks I know and see if there's any bright-eyed and bushy-tailed PhD candidates that we can get taking on this job, I mean.
C: I gotta say I can't dedicate cycles too; if anything, I'm having to reclaim cycles from other working groups at the moment, but I am heartily in favor of such a repository because of seeing in the past that empirical results do not always generalize from one repository to another.
B: Yeah, I think this would enable a lot of cool analyses that are currently done in a really ad hoc way. So like there has been research, I know there's been a lot of discussion in this group in the past on what have been termed domain resurrection attacks, so I have a vanity domain...
B: ...sorry David Wheeler, that I used to sign up for my PyPI account, and then I don't think about it for a year and that lapses, and someone notices there's a package with that email, and then they re-register that domain and now they're able to impersonate my email and recover my account. And so, like, the extent to which that happens across ecosystems, I think, like, those analyses have been done, but they're very ad hoc and they're limited to one ecosystem at a time.
B: There's nothing like having a SQL database you can just throw a query at, and like I've noticed in a lot of these meetings, and this is the best we got right now, but are someone from one repo saying, like, hey, I'm noticing this, are other folks affected? And...
D: I guess he's getting an action.