►
From YouTube: Securing Critical Projects WG Bi-Weekly (May 4 2023)
A
B
B
A
A
So
we'll
go
look
at
like
if
it's
python
package
we'll
look
at
the
downloads
on
python.
If
it's
an
npm,
we'll
look
at
the
download
count,
npm
we'll
go!
Look
at
the
I!
Guess
the
GitHub
page
and
see
like
how
busy
it
is
I
guess,
criticality
score
incorporates
that
so
like
we
need
to.
We
should
have
criticality
score
here
to
look
at
so
I
I.
Think
they'll
work
that
Randall
started
would
be
good
at
doing
that.
A
D
A
Had
for
like
Jonathan
is,
if
you
know,
we
like
I,
think
for
all
the
kind
of
initiatives
that
this
working
group
has.
We
want
to
have
somebody
just
kind
of
say,
like
they're,
the
leader
of
it
and
they're
kind
of
on
the
hook
for
making
you
know
pushing
it
forward
and
trying
to
get.
You
know
the
new
version
or
the
the
new
iteration,
and
so
you
can
sign
up
for
that
or
or
is
he
looking
for
people
other
people
to
do
it?
That's.
F
C
You
know
if
we're
looking
for
justification,
and
you
know
we
have
them
as
a
reference.
You
know
that
list
as
a
reference
as
a
reference.
I
don't
know
if
we
should
necessarily
just
move
forward,
simply
because
it's
on
the
alpha,
10
000
list,
but
I
think
it
should
definitely
be
considered
if
it's
on
there.
You
know.
F
Oh
I
agree,
but
I
thought
that
I
mean
I.
Guess,
like
I
said,
I
mean
they
were
trying
to
automate
how
we
were
going
to
approach
the
next
iteration
of
our
list
and
so
I
mean
I
agree.
It's
not
practical
to
use
that
as
an
input
and
actually
still
do
this
manual
process,
but
I'm,
not
certain
that
it's
really
practical
to.
C
Yeah,
that's
a
great
Point
and
it's
actually
what
Jeff
and
I
were
talking
about
as
we
joined
we
were
talking
about.
You
know
what?
What
can
we
explore
to
automate
this
process
a
little
more
or
make
it
a
little
bit
less
labor
intensive,
but
still
you
know
impactful
and
you
know
have
that
level
of
scrutiny
and
but
yeah
I
I
would
agree
that
it
does
seem
a
bit
labor
intensive.
Now.
F
F
You
know
we
have
it,
so
it
feels
to
me
very
arbitrary,
like
we
have
this
arbitrary,
you
know
list
I
mean
of
you
know:
people
have
nominated
things
whatever
we
got
this
other
with.
You
know
GitHub
star
whatever
they
think
we
got
this
arbitrary
list
and
we
are
honestly
subjectively
analyzing
that
and
just
sort
of
voting
I
mean
not
not
that
we
don't
have.
You
know,
rationale
behind
it,
but
it's
sort
of
this
arbitrary
okay.
We
picked
these
critical
projects
and
then
it
gets
sent
off
into
the
ether.
It's
like
so
I.
F
Think
part
of
the
problem
we
have
again
from
the
beginning
is
that
there
isn't
a
clear
and
I
don't
know
whether
it's
the
the
attack
should
be
helping
with
this
or
the
executive
director
I
mean
like
but
somewhere
like
if
he
who
exactly
is
going
to
consume
this
and
what
that
they
want,
because
then
that
would
sort
of
drive
back
as
a
forcing
function.
What
are
we
trying
to
you
know?
How
do
we
need?
Ten
thousand
is
100
it.
You
know
right
now,
there's
we're
creating
this.
B
C
I
pitched,
you
know
doing
like
a
managed
audit
program
where
you
know
we
would
go
out
and
do
security
audits
of
you
know
these
important,
critical,
open
source
projects,
because
you
know
statistics
show
most
of
them
have
never
received
any
kind
of
you
know
like
independent
third-party
review
and
pitched
I
think
it
was
something
like
25
projects
where
you
know
we.
We
took
a
bunch
of
input,
including
things
like
the
census2
data,
some
of
the
other
research
that
was
presented
here
in
this
work
group.
C
You
know
and
kind
of
recommended
those
projects
and
those
did
feed
a
lot
of
the
kind
of
the
original
list
that
we
had
here
and
then
you
have,
you
know,
project
Alpha,
which
is
you
know
looking
to
seek
out.
You
know
what
are
the
really
important
open
source
projects
that
you
know
they
could
potentially
put
money
towards.
C
You
know
to
produce
security
outcomes,
one
of
them
being.
You
know
stuff
like
what
we
do
where
you
know
we
could
get
input
as
to
which
projects
to
go
out
and
do
security
audits
for,
for
example,
and
that
does
tie
in
I
guess
with
you
know,
stream,
seven
and
the
mobilization
plan,
but
I
don't
think.
That's
necessarily
the
only
use
for
this
data.
I
think
you
know
a
lot
of
people
are
interested
in
knowing
what
are
the
open
source
projects.
C
You
know
that
are
being
consumed
like
at
a
at
a
very,
very
widely,
and
this
can
be
a
I
guess.
Another
data
point,
but
it
is
a
very
good
point.
You
know,
I
would
love
to
get
your
thoughts,
both
David
and
Jeff.
As
to
you
know,
what
does
a
North
star
look
like
in
terms
of
you
know
if
we
could
determine?
Let's
say
you
know
what
the
output
of
this
is
or
what
the
the
the
the
purpose
of
this
is.
C
A
A
C
A
Are
they
using
linting
or
whatever
static
analysis?
Are
they
doing
fuzzing?
Are
they
doing
X,
Y
and
Z?
You
know
I
want
to
run
these
analysis
on
them,
so
the
questions
came
up.
You
know
in
from
multiple
places
like
what
are
the
top
projects
and-
and
you
know,
because
I
want
to
I-
want
to
take,
take
a
look
at
all
of
them
for
for
one
reason
or
another,
but
you
know
I,
don't
have
all
that
today,
like
that
was
in
the
past,
so
like
maybe
something
we
should
do
is
my
idea.
A
I
had
when
you're
talking
David
was
like
do
a
little
bit
of
a
road
show
like
we've
been
doing
this
for
a
while,
and
a
lot
of
people
have
joined
the
open,
ssf
and
and
started
different
efforts
in
the
different
working
groups.
So
maybe
we
need
to
go
and
like
publicize
our
effort,
what
we're
trying
to
build
and
what
people
might
want
to
use
it
for
or
what
they're
already
using
it
for,
because
you
know
people
can
be
using
our
list
and
not
be
telling
us
about
it.
Well,.
A
F
F
You
know,
help
them
introduce
us
to
this
or
the
executive
director,
and
you
know,
try
to
you
know,
maybe
write
a
blog
post
or
something
for
the
openssf
web
page
I
mean
you
know,
trying
to
publicize
it
that
way,
but
yeah
I
mean,
as
far
as
what
I'd
like
to
be
a
North
star
and
I
was
assuming
that
this
would
actually
feed
into,
for
example,
Alpha
Omega
that
this
would
be
sort
of
like
the
list
of
you
know
here
are
these.
You
know
large
and
small.
Here.
F
Is
these
important
projects
that
helpful
make
it
should
consider
funding
so,
but
then
Alpha
make
it
seems
to
have
its
own
list
of
ten
thousand,
which
comes
back
to
that.
So
that's
why
I'm
saying
that
we're
sort
of
you
know
and
again
get
some
hints
or
recommendations
or
advice
or
mentoring
from
you
know
the
leadership
of
the
open
ssf
of
okay.
How
can
we
actually
engage
in
more
of
a
pipeline
here?
Figuring
out?
F
You
know
not
just
publicizing
to
have
this,
but
you
know:
is
this
useful
to
anybody
or
because
again,
I'm
I'm
sort
of
it
seems
that
Alpha
Omega
may
have
created
its
own
with
this
list?
Ten
thousand
alternative
version
of
this,
or
at
least
something
with
a
similar
purpose,
and
so
that's
where
it's
a
question
of
okay,
now
we're
beginning
for
mixed
messaging,
or
these
multiple
lists
inside.
A
A
C
Yeah
I'm
reading
over
the
issue
now
yeah
they
refer
to
it
every
time
as
Alpha
Omega.
It
doesn't
specifically
say
if
it's
what
it
is
for.
It
just
says
it's
they've
collected
a
list
of
top
10K
OSS
projects
which
we
are
using
as
a
target
for
security
scanning
vulnerability,
reporting
and
in
the
future
as
a
list
of
projects
that
any
automated
bulk,
PR
generation
campaign
is
required
to
report
vulnerabilities.
C
Both
to
avoid
confusion
between
the
lists,
okay,
yeah,
so
yes,
Jeff
I,
think
you
are
spot
on
in
what
your
in
the
point
you
just
made
so,
but
it
looks
like
at
the
end
of
the
day
too,
also
to
go
back
to
your
point.
Is
that
I
feel
like
at
the
end
of
the
day,
everyone
is
going
to
take
this
information
and
and
and
and
process
it
differently,
and
that
you
know
no
there.
C
F
Even
when
we
were
doing
our
analysis
of
the
the
last
couple
of
projects
for
our
set
I
mean
we
were
comparing
stuff
on
Alpha
I
mean
it's
around
that
10
000
list
as
well.
It
has
a
you
know,
an
another
signal
for
decisions
right,
it's
not
just
Omega,
but
the
other
thing
is
I
mean
I'll.
Just
say
that,
based
on
what
I've
seen
in
the
openxsf
tab
and
some
of
the
other
working
groups
that
many
other
people
are
there
with
a
with.
G
F
A
very
specific
point
of
view
and
a
very
specific
action
and
a
very
specific
outcome,
honestly,
possibly
for
their
own
company,
in
addition
to
open,
ssf.
So
I'm,
just
saying
that
that
you
know
to
be
honest,
that
you
know
if
that
I
think
that
we,
the
Sig
I,
mean
not
that
it
has
to,
but
it
could
be
more
assertive
and
take
a
and
if
it
wants
to
have
more
of
an
impact
that
we
should
try
to
not
that
we
have
to,
but
we
should
decide
amongst
ourselves
or
so.
F
F
For
their
own
purposes
like
if
we
don't
have
a
strong
purpose,
somebody
can
step
in
and
because
it's
already
an
established
Sig
within
the
open,
ssf
and
drive
it
for
their
purpose
so
like
either
either
we
do
either.
We
take
control
of
this
or
somebody
else,
but
they
will
I
mean
it.
It
provides
a
an
opening
that
may
not
be
healthy.
A
Yeah
yeah
I,
agree:
I
think
we
do
need
to
do
more
publicist
publicizing
our
work.
I
I
fully
expect
for
us
to
once
we
have
this.
This
list
finished
to
do
a
round
of
Media,
or
you
know
like
Outreach,
like
the
yeah
blog
and
whatever
kind
of
you
know
get
on
the
newsletter
all
that
kind
of
stuff,
because
we
want
to
tell
everybody
like
the
open
ssf
has
a
new
set
of
critical
projects,
and
that's
that's
it
like
we're
worth
making
the
set
for
the
for
the
foundation.
A
I,
don't
think,
there's
another
group
that
could
claim
that
they
have
a
different
better
set,
at
least
in
the
realm
of
about
100
to
200.
You
know
the
10
000
is
a
different
category
right,
so
yeah
I
I
definitely
want
to
do
a
lot
of
now
publicizing
of
our
list.
Once
it's
done,
I,
don't
think
we're
going
to
be
able
to
say
what's
it
for
like,
because
we
just
don't
know
that
right
now,
but
in
that,
like
publicizing
and
getting
people
to
look
at
it,
I
think
it
yeah.
G
I'm
late
to
this
conversation,
but
I'll
also
mention
Google,
internal
or
Google
had
a
blog
post
about
our
open
source
security,
Upstream
theme
recently,
and
they
use
the
output
from
crew
quality
score
as
well
to
inform
their
work
and
where
they
focus
their
efforts.
So
I
mean
that's
just
an
example
of
somebody
externally.
Using
this,
there
are
enough
people
also
on
the
critically
school
project
in
GitHub,
who
are
appear
to
be
lurking
around
logging
bugs
and
stuff.
G
C
E
C
So
I
invite
everyone
to
look
at
that,
or
collaborate
on
that,
but
I
think
that
would
be
a
good,
a
good
place
to
start
and
I.
Think
you're.
Absolutely
right,
though,
David
that
if,
if
certain
things
aren't
driven,
then
they
will
find
themselves
having
drivers
so
I'm
in
agreement
with
you
on
that
so
I'd
say
the
sooner.
C
C
That
could
probably
benefit
from
additional
resources,
but
one
thing
that
I
I
don't
want
to
necessarily
detract
from
the
conversation,
but
I
wonder
if,
because
Jeff
you
did
bring
up
a
very
good
point
about
the
you
know,
kind
of
the
but
in
in
some
ways
the
the
the
graphic,
the
xkcd
graphic
kind
of
being
our
Mantra
and
a
lot
or
kind
of
guiding
guideposts
in
a
lot
of
ways.
So
I
wonder
if
that's
kind
of
a
natural
progression
in
this
work
is
maybe
identifying
projects
that
are
under
resources.
C
A
C
C
You
know
we
did
the
the
security
audit
for
git
last
year,
I'll
be
talking
about
it
next
week
in
Vancouver,
but
you
know
we
actually
got
some
pushback
initially
saying
you
know.
Oh
it
gets
like
such
a
long
established
project.
You
know,
probably
gets
a
lot
of
scrutiny
and
you
know-
and
that
is
in
fact
the
case,
but
I'm
still,
you
know
third-party
audit.
You
know
getting
that
different
perspective
from
an
expert.
You
know
we
were
able
to
help
them
a
bunch,
so
I
think
I.
C
A
No
yeah
because
we
it's
just
like
we
want
to,
we
want
to
simplify
each
step
of
our
decision,
making
right
so
each
so
right
now
we
want
to
think
only
critical,
you
know,
is
it
critical
or
not
and
not
consider
is
it.
You
know
what
the
frequency
or
possibility
of
that
bug
or
attack
is
or
how
how
funded
the
project
is.
B
C
A
F
A
A
G
We're
trying
to
the
score
itself
ideally
would
improve
over
time
so
that
it
is
less
biased
and
better
reflects
like
the
output
of
a
manual
lead
curated
list.
So
that's
like.
Ideally
that
would
be
the
case
that
we
can
trust
more
and
more
the
score
itself.
The
output
from
the
automated
tool
over
time,
but
definitely
you'd,
still
want
someone
to
like
sanity,
check
it
and
go
that's
ridiculous,
get
rid
of
it.
F
Yeah
I
mean
part
of
the
I.
Think
part
of
the
challenge,
I
mean
again
I've.
You
know
I
work
on
GCC,
which
is
not
a
part
of
GitHub
and
I
mean
there's
all
sorts
of
so
there's
you
know
when
you
start
it.
You
know
many
of
the
older
projects.
Don't
necessarily
have
the
the
signals.
The
automated
or
the
mechanical
signals
that
yeah.
F
A
The
automation
part's
hard,
like
yeah,
you
got
to
take
all
these
signals.
You
gotta.
If
you
come
up
with
an
algorithm,
it's
going
to
be
flawed
or
you
know
you
that's
why
we
have
to
do
this
as
humans.
You
know,
but
the
more
the
more
we
can
automate
the
more
we
can
combined
scores
and
metrics.
The
better
Etc
just
helps
our
Steward.
Our
job
faster
and
I.
Think
we
still
need
to
always
have
that
kind
of.
F
Right
but
then
there's
also
this
issue
with
criticality
score.
You
know,
let's
say
you
know
now
this
this
large
push
from
Google
and
Microsoft
and
others
about
memory
saved
languages
like
all
of
a
sudden
is
that
you
know.
Is
that
now
a
requirement
that,
if
you
aren't
using
these,
obviously
get
a
black
mark
for
a
red
mark
or
whatever
for
that
I.
A
G
Yeah,
the
the
largest-
and
this
is
something
that
I'd
like
to
change
soon,
but
it
probably
depends
on
more
sources
of
this
data
which
is
like
the
the
graph
and
and
how
projects
relate
to
each
other.
So
the
biggest
signal
we
have-
or
the
strongest
signal
we
have-
is
the
dependency
relationships
and,
as
you
mentioned,
projects
like
GCC
and
other
C
and
C,
plus
plus
particularly
based
projects,
have
very
poor,
automated
ways
to
like
collect
that
graph
data.
G
F
Even
there
like
the
entire.
Like
you
know,
99
or
you
know,
90
of
the
distro
should
depend
upon
these
packages.
You
know
lib
standard,
C,
plus,
plus
or
lib
GCC,
and
you
know
G
libsy,
but
it
doesn't
actually
explicitly
list
it
because
it's
just
a
given
based
level
so
yeah.
You
can't
even
use
that
as
a
dependency
tree
just
just.
D
F
G
G
Yeah
yeah
GCC
is
a
lot
trickier,
yeah
yeah,
so
it's
it
is
a
tough
problem
to
crack
yeah
I.
Don't
have
good
answers
for
how
to
solve
that
in
the
short
term,
which
is
why
I
think
having
a
manual
process
yeah.
It
isn't
like
really
important
at
the
moment
to
make
sure
that
those
ones
are
not
overlooked.
Right.
C
F
E
G
Criticality
School
Pro
has
a
weird
different
like
tries
to
Define
it,
not
in
a
circular
way
as
its
influence
and
importance,
which
is
very
a
very
loaded
terms.
Influence
is
interesting.
More
so
than
importance.
Importance
is
often
like
a
lot
like
either
directly.
It's
we
depend
on
it
or
indirectly,
it's
a
part
of
our
like
infrastructure,
or
something
like
that.
C
Yeah
and-
and
my
intention
from
the
beginning
was
always
to
not
get
too
caught
up
in
the
details
of
it,
because
it's
one
of
those
that
you
know
and
sadly
here
we
are
two
years
later
but
I,
but
we're
definitely
making
progress
and
I
I.
Think
you
bring
up
good
points,
though
about
you
know,
maybe
taking
a
step
back
and
you
know
really
defining
what
is
the
purpose
of
this
and
you
know
who's
meant
to
consume
this,
and
you
know
and
go
from
there
really.
C
B
C
B
D
A
B
A
B
B
A
A
G
B
F
D
B
A
G
That's
also
like
the
rate
of
change
on
Pearl
code
is
probably
very
low
as
well,
so
unless
it's
pulling
from
infrastructure
that,
like
cpan
or
something
like
that,
where
someone
could
compromise,
cpan
and
like
get
in
to
someone's
software
supply
chain
via
that
I'd
like
I'd,
be
surprised
if
it
was
easy
to
attack
Pearl
itself
like
if
people
are
writing
new
code.
Frequently
it's
in
I'm,
not
Pearl,
so
it's
like
yeah
I,
don't
know
what
what
are
we
hoping
to
protect
like
achieve
if
we
were
to
include
Pearl.
A
C
F
A
A
A
C
D
A
Registry
I
think
last
time
we
talked
about
this.
We
didn't
actually
know
like
the
docker
container,
the
docker
file.
It
was
pointing
to
was
like
not
the
code
but
I
updated
the
link
here
to
Source
repo
that
GitHub
distribution
distribution.
That's
like
the
new
location
of
the
GitHub
I
mean
the
docker
or
the
container
registry
code,
so
everybody
that
deploys
their
own
registry.
It
probably
uses
this
code.
A
G
G
C
D
G
The
only
the
only
thing
that
it
could
be
subverted
by
oh
sorry,
the
the
like
is
that
you're
injecting
code
from
the
clients,
clients,
yeah
the
the
agents
into
your
application
into
your
websites,
so
that
that
is
the.
So
it's
not
the
same
as
like
you've.
Given
it
read
access
to
your.
So
in
terms
of
the
host
itself,
it's
red
read
access
into
the
proprietary
system,
but
the
open
source
components.
A
G
A
G
B
G
C
C
B
B
G
B
D
B
G
Solar
is
a
web-based
search
engine
that
is
built
on
top
of
Lucine,
it's
easier
to
use
than
leucine
and
does
not
require
any
programming
knowledge.
However,
it
is
not
as
customizable
as
Lucy.
Okay,
okay
Lucine
is
a
library
that
can
be
used
to
build
a
search
engine.
It
is
highly
customizable
used
to
create
powerful
search
engines.
C
G
C
C
F
G
F
G
C
Wonderful
well,
thank
you
all
for
the
great
discussion
today
definitely
gave
us
a
lot
to
think
about
and
I
look
forward
to
seeing
everyone
who
will
be
in
Vancouver
next
week
and
otherwise
we'll
see
you
in
two
weeks,
yeah
thanks
again
for
making
it
this.
This
later
in
the
day
for
the
North
American
folks,.