►
A
A
All
right,
I
guess
we
can
get
started,
I'm
joking,
I'm
your
host
for
today,
as
dustin,
is
unable
to
make
it
this
time.
The
first
thing
we'd
like
to
do
in
this
call
is
to
welcome
any
new
faces.
Anybody
who
feels
like
they
would
like
to
introduce
themselves
so
now's
two
chance,
try
to
use
the
hand
up
gesture
in
the
reactions
and
then
that
way
we
get
an
ordered
list
of
people.
B
I
am
let's
say:
I've
been
interested
in
security
for
a
long
time
from
a
sort
of
I
used
to
be
a
software
engineer,
and
so
obviously
I
should
be
interested
in
it
from
that
perspective,
but
I
was
also
before
that.
I
worked
for
lynx
journal
for
a
long
time,
so
I
was
you
know
we
covered
open
source
security,
but
this
is
the
first
time
I've
ever
attempted
to
get
involved
in
anything
and
now
that
I'm
in
intel
it
makes
more
sense.
A
C
B
D
Hello,
I
I'm
a
maintainer
for
the
oci
standards
as
well
as
container
d.
I
work
in
signo
around
google.
It
do
you
know
a
lot
of
work
in
this
area.
I
did
the
oci
implementation
and
you
know,
distribution
distribution
in
the
registries
so
been
around
them
been
around,
and
I
heard
I
need
to
come
here
so
here
I
am.
A
A
There'd,
be
no
people
rushing
to
the
front
I'll
move
on
to
the
next
agenda
item,
which
is
for
those
of
you
who
haven't
heard
our
friends
in
pipe.
I
have
had
a
bad
day.
There
is
currently
a
phishing
attack
being
made
on
pipeli.
Where
folks
are
being
told,
you
know
the
standard.
Your
account
is
in
trouble.
We
need
you
to
log
in
give
us
your
details
and,
as
we
all
know,
this
is
much
harder
to
do
with
at
least
hardware
token
based
mfa
at
this
time.
A
I
believe
it's
unclear
whether
they're
also
harvesting
totp
codes,
but
something
to
bear
in
mind.
It
could
be
anybody's
turn
next,
unfortunately,
so
I
wanted
to
bring
that
to
people's
attention
if
they
haven't
seen
it
already.
Next
on
the
agenda,
brandon
wants
to
talk
to
us
about
the
package
manager
survey
brandon.
E
Awesome
take
check,
so
this
is
kind
of
works
out
quite
a
while
back.
I
think
we've
been
iterating
on
this.
Initially
we
started.
I,
the
whole
point
of
this
was
to
kind
of
like
pull
different
package
managers,
see
what
are
the
different
features
that
people
are
implementing
and
kind
of
get
an
idea
in
like
what
are
areas
that
people
are
focusing
on
from
the
package
manager
ecosystem.
E
So
initially
we
had
the
doc
out
that
we
got
a
lot
of
feedback
about
about
adding
additional
questions
and
and
all
the
stuff,
and
so
we've
put
all
the
good
feedback
into
a
google
docs
survey,
and
so
this
this
questionnaire
will
contain
a
lot
of
the
new
information.
We've
also
added
collecting
information
about
intent
of
the
package
ecosystems
to
to
say
like
to
certain
areas
whether
this
is
currently
planned.
This
is
currently
implemented.
It's
a
roadmap
or
you
know
that
it's
kind
of
like
considered
out
of
scope.
So
we
are.
E
We
are
collecting
additional
information
on
top
of
what
we've
asked
about
before
and
this
will
I've
checked.
I've
talked
to
dustin
about
this.
We've
been
working
on
this
together
and
the
plan
is
to
get
the
survey
results
and
do
a
little
bit
run-through
kind
of
analytics
on
it
and
publish
a
blog
post
on
the
openness
blog
to
say,
like
you
know,
this
is
what
we
found
out
here
like
focus
areas
that
we
can
work
on
from
the
secure
and
repositories
working
perspective.
E
A
E
I
think
that
really
we,
what
we
are
one
of
that
question
is
like,
oh,
you
know,
are
you
kind
of
a
someone
that
that
is
in
the
know
of
you
know,
what's
happening
with
the
ecosystem
with
the
road
map?
Are
you
just
like
coming?
Is
this
from
outside
observer
to
saying
that
this
is
what
I'm
observing
from
the
ecosystem?
I
think
that's
kind
of
the
the
mean
what
we
want
to
get
out
of
the
question.
C
F
Great
so
I
floated
a
document
a
while
ago
that
is
now
out
of
date.
You're
welcome
to
look
at
it,
but
it's
gonna
undergo,
hopefully
some
pretty
heavy
revisions
in
the
next
couple
weeks,
basically
proposing
the
open
ssf
as
a
natural
home
to
data
that
could
help
researchers
who
are
trying
to
study
supply
chain
attacks,
especially
in
the
context
of
software
repositories.
F
This
was
very
selfishly
motivated,
marina
and
I
had
a
had
a
project
that
we
were
working
on.
That
data
would
have
been
very
helpful
for,
but
wasn't
available
all
in
one
place
and
so
maureen
and
I
had
just
been
thinking
hey,
you
know,
like
the
open
ssf
seems
like
maybe
maybe
a
good
place
to
collect
this
to
store
this
to.
F
If
we
decide
to
that
certain
things
are
sensitive
and
need
access
to
be
gated
to
do
that,
gating
and
so
on
and
recently
we've
had
a
couple
of
a
very
concrete
use.
Cases
come
up
that
I
think,
would
be
useful.
I
spoke
with
some
folks
who
do
work
on
typo
squatting
and
they
said
it's
a
big
pain
to
sort
of
even
get
packaged
metadata.
F
Relatedly
in
the
context
of
you
know,
malware
of
a
a
perpetual
struggle
of
people
trying
to
study
malware
in
the
wild
is
that
when
people
find
it,
they
kill
it,
which
is
good
right
like
we
don't
want.
You
know,
users
downloading
it,
but
it's
it's
bad
for
trying
to
characterize
and
understand,
malware
and
so
forth
in
other
potential
use
cases
to
sort
of
have
the
linux
foundation.
When
you
know
a
repository
responds
to
a
you
know,
report
of
malicious
software
and
takes
down
a
package.
F
It
would
be
great
if,
in
addition
to
taking
it,
you
know
delisting
it
from
your
repository.
It
also
gets
fired
off
over
into
some
some
silo
that
the
the
open
ssf
operates
and
and
gets
sucked
up
there,
and
we
can
grant
access
to
researchers
as
well.
So
at
this
point
I
I
guess
my
primary
question
is-
is
the
and
I
I
I
want
to
be
really
really
conscious
of.
I
know
most
of
the
maintainers
here
have
more
than
enough
on
their
plates
already,
but
in
in
broad
strokes
terms.
F
B
I
don't
think
so.
I
think
you
basically
covered
it.
I
think
that
in
the
future
we
could
expand
this
kind
of
data
outside
of
the
two
specific
categories
here,
but
I
think
they're
a
great
place
to
start
with
the
types
of
data
that
be
especially
useful
for
researchers
and
especially
hard
to
find,
because,
obviously
you
don't
want
to
keep
malware
on
the
public
repositories.
D
Yeah,
so
is
the
intent
to
make
this
available
only
to
researchers,
or
would
it
be
available
to
other
repositories
so
for
context?
I
work
with
the
conduct
community,
I'm
here
representing
the
conda
community
and
because
we
we
aren't
necessarily
sort
of
the
repository
of
record,
but
we
would
definitely
be
very
interested
in.
For
example,
if
there
were
type
of
squatting
in
pi
pi,
we
want
to
make
sure
those
don't
get
carried
over
into
the
conda
ecosystem.
F
Yeah,
that's
a
that's
a
great
question
and
I'm
going
to
make
a
note
to
myself
to
try
to
address
that
in
any
proposal
we
come
up
with
again
I
mean
the
short
answer.
Is
we
want
anyone
supplying
data
to
be
comfortable
with
who's?
Gonna
see
it,
and
so
the
important
thing
is
to
make
it
clear
to
people
who
are
shipping
their
data
up.
What
what
the
bounds
are?
F
I'm
of
the
opinion
that
broadly
the
more
things
that
can
be
made
public
the
better
and
we
want
to
you-
know,
sort
of
limit
what
we
gain
access
to,
for
instance,
a
really
popular
thing
that
people
don't
even
in
open
science
communities
publish,
is
samples
of
malware
because
the
theory
goes,
you
know.
Oh,
you
know,
script
kitties
can
just
download
it
and
spray
and
pray
across
the
internet,
and
that's
that's
something
we
want
to
avoid.
F
So
the
short
answer
is,
I
don't
know,
that'll
get
fleshed
out
as
as
the
details
come
together,
but
my
inclination
is
to
try
to
push
for
access
being
as
as
broad
as
possible,
and
I
think
you
know
we
have
three
scopes.
There's
totally
public,
there's
sort
of
you
know
gated
behind
some
assurance
that
you're
not
a
script
kitty
and
then
there's
actually
sensitive
stuff.
So
anything
that
involves
you
know,
user
data
or
or
even
you
know,
anonymized
user
data
might
might
fall
into
that
bucket.
A
A
The
main
thing
I
would
say
in
support
is
that
the
studies
I've
seen
in
the
past
of
various
ecosystems
when
there's
a
comparative
study
findings
from
one
ecosystem
do
not
always
generalize
to
a
different
one
and
that's
why
it's
so
important
to
have
multiple
ecosystems
represented,
because
you
know
a
finding
that
applies
to
npm
might
not
apply
to
ruby
gems
and
vice
versa,
and
obviously
my
my
day
job
is
worrying
about
ruby
gems.
So
I'm
interested
in
that
problem,
and
I
want
it
to
go
away
as
much
as
possible.
C
Thank
you.
I
also
wanted
to
speak
in
support
of
this,
and
I
I
would
really
like
it
if
this
data
was
public,
but
for
the
data
which
you
can
make
public.
I
think
it's
really
important
that
standard
software
well
standard
data
licenses
are
used
as
well
as
standard
formats
for
the
data.
It's
often
the
biggest
inhibiting
factor
for
data
sharing
is
those
those
things
which
should
be
insignificant
that
take
up
a
disproportionate
amount
of
time.
F
Yeah,
I
think
thanks
for
that
sebastian.
I
agree
with
with
all
of
that,
and
I
think
that's
one
of
the
things
we're
trying
to
accomplish
here
is
to
make
it
so
that
one
person
one
time
has
to
do
the
work
of
figuring
out
what
license
we
can
share
this
data
under
and
converting
from
one
format
into
a
slightly
different
format
and
and
making
things
all
uniform
and
then
thereafter
that
doesn't
have
to
get
done
forever
by
every
researcher
on
every
study
so
yeah.
F
Great
yeah,
and
we
will
we
will
certainly
before
we
make
moves
towards
actually
collecting
any
of
this.
This
group
will
see
a
proposal
that
will
include
things
like
proposed
formats,
so
I
appreciate
that
offer
and
I
will
I
will
keep
it
in
mind,
but
if
you
note
a
place
where
a
format
like
that
is
more
appropriate
than
what
we're
proposing
you'll
have
an
opportunity
to
suggest
it.
A
A
It
was
a
plane
that
was
published
by
the
open
ssf
a
couple
of
months
ago
in
concert
with
the
second
white
house
conference
of
like
leaders
from
industry
and
government
and
and
open
source,
and
it
proposed
ten
different
streams
of
work
and
that
these
would
cost
a
hell
of
a
lot
of
money
and
a
fraction
like
a
substantial
percentage
of
the
hell
of
a
lot
of
money,
has
been
raised
or
has
been
what's
the
word.
I'm
saying
promised
I
guess
pledged.
Thank
you.
That's
exactly
the
word.
A
I
was
struggling
to
find
pledged
by
a
number
of
a
number
of
companies.
Two
streams
jumped
out
at
me,
one
of
which
was
stream
10,
enhanced
the
10,
most
critical
oss,
build
systems,
package,
managers
and
distribution
systems
with
better
supply
chain,
security
tools
and
practices,
and
the
other
one
is
stream,
a
coordinate
industry
where
data
sharing
to
improve
the
research
that
helps
determine
the
most
critical
oss
components.
So
I
was
thinking
I
would
like
to.
I
would
like
for
us
to
go
to
the
governing
board
and
propose
two
spending
items.
A
A
Ruby
gems
is
like
many
repos,
a
volunteer
organization.
You
know
it
takes
time.
People
have
to
wait
till
they
get
home
or
the
weekend,
and
it
would
be
nice
to
have
a
shared
help
desk.
If
possible.
I
was
wondering
if
there
were
any
sort
of
like
things
that
you
felt.
I
should
consider
or
objections
to
the
idea
of
me
sort
of
trying
to
put
a
draft
together
for
the
governing
board
for
funding.
A
F
A
I
don't
have
one
in
mind,
so
one
of
the
one
of
the
reasons
I'm
doing
this
is
because
so
far
as
I
know,
nobody
has
actually
done
this
yet,
like
these
streams
are
out
there
and
there's
money
pledged,
but
nobody's
actually
showed
up
and
said
what
they
want
to
spend
it
on.
So
I
don't
have
a
particular
timeline,
but
I
am
cognizant
of
the
fact
that
it
will
be
an
unknown
timeline
because
we're
we're
blazing
the
path
which
everyone
comes
in
first.
A
The
other
thing
to
bear
in
mind
is
that,
with
data
we
can
more
or
less
do
it
right
away
like
it's.
It's
closer
to
shovel,
ready
with
shared
help
desk.
We'll
have
to
talk
about
the
mechanics
of
like
how
do
we
hire
this
person?
What
should
we
pay
them?
Because
I
assume
it
would
be
one
person
to
start
and
also
each
ecosystem
then
has
to
come
up
with
tooling
to
enable
them
to
you
know,
perform
basic
actions
without
having
to
have
production
access.
A
F
I
have
a
question
related
to
what
you
just
described.
Do
you
think
that
one
possible
use
of
of
these
resources
could
be
getting
for
each
ecosystem?
Something
implemented,
and
this
is
this-
is
addresses
both
your.
What
your
point
and
the
data
collection
as
well,
you
know,
would
it
be
possible
to
have
a
contractor,
for
you
know,
go.
F
Of
the
repositories
and
integrate-
and
if
so,
is
that
easier
to
delegate
to
the
repositories
themselves
or
is
it
it?
You
know
it
feels
a
little
tough,
because
one
person
isn't
going
to
have
expertise
in
every
ecosystem,
but
at
the
same
time
you
know
the
coordination
of
asking
every
ecosystem
to
do.
A
moderate
amount
of
work
feels
awesome.
A
A
D
C
Thank
you,
it
strikes
me
is
it,
but
one
of
the
key
skills
that
someone
in
that
role
would
need
to
be
able
to
do
is
to
investigate
the
context
of
a
package
to
find
whether
the
person
who
is
making
that
appeal
is
actually
the
same
person.
Who
is
the
maintainer
of
the
package,
and
that
might
be
an
understanding
of
how
ssh
keys
and
gpg
keys
work
and
looking
through
email,
logs
or
github
signed
commits.
C
A
A
A
G
Hey
everybody.
Can
you
hear
me
great
yeah?
I
just
want
to
give
you
an
update,
because
we
had
been
talking
in
previous
meetings
about
this
effort
to
produce
a
single
artifact
for
us
blob
signing
from
cosign
and
from
the
various
clients,
since
relative
that's
very
relevant
to
the
package
managers
and
just
wanted
to
let
you
know
where
that
is.
A
G
Everything
that
we
need
to
support
all
the
sort
of
use,
verification
use
cases
and
including
offline
verification,
so
yeah,
it
would
include,
like
the
require
recall,
entry
information
like
the
log
id
et
cetera,
as
well
as
a
certificate.
It's
also
going
to
the
plan
is
to
support
out
of
stations
as
well.
G
A
D
Yeah,
just
a
quick
question
for
patrick
I'm
working
on
the
like
c
store,
js
stuff,
so
definitely
interested
in
the
bundle
format,
and
I
work
alongside
frederick.
So
I
could
ask
him
this,
but
does
the
like
the
current
thinking
around
like
the
format
in
the
fields?
Is
that
reflected
in
the
google
doc?
That's
linked
in
that
issue,
or
is
that
work
happening
somewhere
else
right
now?
It's.
G
It's
it
is
reflected
at
sort
of
in
terms
of
the
data
that
we
want
to
include,
but
it's
it's
a
little
sort
of
it's
not
very
specific.
In
terms
of
you
know,
it's
not
using
it's
just
a
table
with
like
the
kind
of
data
we
want,
so
we're
now
putting
together
a
proto
that
we
want
to
be
as
like
the
basis
for
the
definition,
and
I
think
that'll
be
a
much
more
like
concrete
and
useful
specification.
A
A
There
is
a
lively
discussion
which
I
invite
people
to
read
with
some
differences
of
opinion
about
the
details,
but
I
think
most
of
the
feedback
was
positive
and
certainly
I'm
really
excited
by
it.
You
know
npm
is
such
a
high
leverage,
part
of
the
ecosystem
of
ecosystems,
so
it's
really
exciting
to
see
that
six
door
work
coming
forward
and
I'm
looking
forward
to
seeing
it
roll
out
quite
a
lot.
So
bravo
npm
folks.
C
A
G
A
C
A
A
No,
that
sounds
pretty
good.
Well,
this
has
been
a
great
meeting.
It's
been
great,
seeing
everybody
and
talking
through
these
issues,
I'm
looking
forward
to
the
next
one,
of
course,
the
next
meeting.
As
you
know,
we
alternate
between
emir
friendly
times
and
apac
friendly
time.
So
the
next
meeting
is
apac
friendly,
which
means
it's
going
to
be
five
hours
later
or
six
hours,
I'm
I'm
not
sure
off
the
top
of
my
head,
but
make
sure
to
check
your
calendars
and
make
your
plans
around
that.