From YouTube: Securing Critical Projects WG Bi-Weekly (May 4 2023)
B: Figured we could filter, let's see, just not decided yet. Okay.
C: Well, I guess, while we have some time, just the two of us, I wonder if we'll have a light meeting today because of the timing, but yeah, I...
C: I don't know, just maybe a way that is less labor intensive. I wonder if, if you know, if they're, if it makes sense to think about, you know, maybe what we could do, you know, potentially something that's more sustainable or maybe that requires less maintenance.
A: Yeah, I think it is. I mean, I like the way that we're doing it right now.
A: So we'll go look at, like, if it's a Python package we'll look at the downloads on Python. If it's an npm, we'll look at the download count on npm. We'll go look at the, I guess, the GitHub page and see, like, how busy it is. I guess criticality score incorporates that, so like we need to... We should have criticality score here to look at, so I think the work that Randall started would be good at doing that.
A: You know, helpful to do this faster, where essentially everything that gets suggested gets some automation run that pulls all this data that we can then use to do this in the future.
A: Caleb did message me. He said he's gonna join, but 10 minutes late.
F: Do we have any more information about this list from Alpha-Omega, whatever, the 10,000 projects, and how we want to...
A: ...had for, like, Jonathan is, if you know, we like, I think for all the kind of initiatives that this working group has, we want to have somebody just kind of say, like, they're the leader of it and they're kind of on the hook for, you know, pushing it forward and trying to get, you know, the new version or the new iteration. And so you can sign up for that, or is he looking for other people to do it? That's...
C: You know, if we're looking for justification, and, you know, we have them as a reference. You know, that list as a reference. I don't know if we should necessarily just move forward simply because it's on the Alpha 10,000 list, but I think it should definitely be considered if it's on there. You know.
F: Oh, I agree, but I thought that, I mean, I guess, like I said, I mean, they were trying to automate how we were going to approach the next iteration of our list, and so, I mean, I agree. It's not practical to use that as an input and actually still do this manual process, but I'm not certain that it's really practical to...
C: Yeah, that's a great point, and it's actually what Jeff and I were talking about as we joined. We were talking about, you know, what can we explore to automate this process a little more, or make it a little bit less labor intensive, but still, you know, impactful, and, you know, have that level of scrutiny. But yeah, I would agree that it does seem a bit labor intensive now.
F: What's that, I mean, again, that we could use this Alpha-Omega list as sort of a new starting point for the input, and then develop some automated analysis around that, where it sort of kicks out for manual reviews the things that are on the edge, but use it as a starting point. And the other is, again, sort of like, okay, we're creating this list, but I don't really have a sense of where this list fits into the overall OpenSSF pipeline in terms of, okay...
F: You know, we have it, so it feels to me very arbitrary, like we have this arbitrary, you know, list, I mean, of, you know, people have nominated things, whatever. We got this other with, you know, GitHub stars, whatever. They think we got this arbitrary list and we are honestly subjectively analyzing that and just sort of voting. I mean, not that we don't have, you know, rationale behind it, but it's sort of this arbitrary, okay, we picked these critical projects and then it gets sent off into the ether. It's like, so I...
F: ...think part of the problem we have, again, from the beginning, is that there isn't a clear, and I don't know whether it's the TAC that should be helping with this or the executive director, I mean, like, but somewhere, like, who exactly is going to consume this and what they want, because then that would sort of drive back as a forcing function. What are we trying to, you know? How many do we need? Ten thousand? Is 100 it? You know, right now we're creating this.
C: I mean, I could think of two immediate ways, and then it's kind of what I would say has driven, I guess, my research or my contributions, I guess, as to, you know, which projects are critical, but, you know, as part of this working group, kind of when it first started.
C: I pitched, you know, doing like a managed audit program where, you know, we would go out and do security audits of, you know, these important, critical open source projects, because, you know, statistics show most of them have never received any kind of, you know, like, independent third-party review, and pitched, I think it was something like 25 projects, where, you know, we took a bunch of input, including things like the Census II data, some of the other research that was presented here in this work group.
C: You know, and kind of recommended those projects, and those did feed a lot of the kind of the original list that we had here. And then you have, you know, project Alpha, which is, you know, looking to seek out, you know, what are the really important open source projects that, you know, they could potentially put money towards.
C: You know, to produce security outcomes, one of them being, you know, stuff like what we do, where, you know, we could get input as to which projects to go out and do security audits for, for example, and that does tie in, I guess, with, you know, Stream 7 and the Mobilization Plan. But I don't think that's necessarily the only use for this data. I think, you know, a lot of people are interested in knowing what are the open source projects...
C: You know, that are being consumed, like, at a very, very widely, and this can be, I guess, another data point, but it is a very good point. You know, I would love to get your thoughts, both David and Jeff, as to, you know, what does a North Star look like in terms of, you know, if we could determine, let's say, you know, what the output of this is, or what the purpose of this is.
A: I mean, just to wrap around, like, I think, you know, I don't have concrete examples. I don't remember the formation, but it was about awareness too, like the xkcd is the kind of guiding, you know, what the, the one in our home guard GitHub page, Nebraska.
A: You know, help the whole ecosystem, and we're not, are we're not judging, like, how much attention each project's getting, but we are trying to find, like, all the critical ones, so that somebody that, you know, is trying to do that can see that. And I think this question came up in different working groups and different efforts in OpenSSF previously, which is like, oh, I wanna, like, go check the top 10 projects and see if they're doing X, right, like if they're using...
A: Are they using linting or whatever static analysis? Are they doing fuzzing? Are they doing X, Y and Z? You know, I want to run these analyses on them. So the questions came up, you know, from multiple places, like, what are the top projects, and, you know, because I want to take a look at all of them for one reason or another. But, you know, I don't have all that today, like that was in the past, so like maybe something we should do is my idea...
A: ...I had when you were talking, David, was like, do a little bit of a road show, like, we've been doing this for a while, and a lot of people have joined the OpenSSF and started different efforts in the different working groups. So maybe we need to go and, like, publicize our effort, what we're trying to build and what people might want to use it for, or what they're already using it for, because, you know, people can be using our list and not be telling us about it. Well...
A: I mean, go around to, like, each other working group in the next few months and just do a little presentation on our working group and gather that information, because I agree. That would be helpful for us if we have today, like, what people are using it for and why. Yeah.
F: You know, help them introduce us to this, or the executive director, and, you know, try to, you know, maybe write a blog post or something for the OpenSSF web page. I mean, you know, trying to publicize it that way. But yeah, I mean, as far as what I'd like to be a North Star, I was assuming that this would actually feed into, for example, Alpha-Omega, that this would be sort of like the list of, you know, here are these, you know, large and small. Here...
F: ...is these important projects that Alpha-Omega should consider funding. So, but then Alpha-Omega seems to have its own list of ten thousand, which comes back to that. So that's why I'm saying that we're sort of, you know, and again, get some hints or recommendations or advice or mentoring from, you know, the leadership of the OpenSSF of, okay, how can we actually engage in more of a pipeline here? Figuring out...
F: You know, not just publicizing to have this, but, you know, is this useful to anybody? Or because, again, I'm sort of, it seems that Alpha-Omega may have created its own, with this list, ten thousand, alternative version of this, or at least something with a similar purpose, and so that's where it's a question of, okay, now we're beginning for mixed messaging, or these multiple lists inside.
A: So Omega is like ten thousand, automated, inner automated help, and Alpha's small amount of projects and hands-on help.
C: Yeah, I'm reading over the issue now. Yeah, they refer to it every time as Alpha-Omega. It doesn't specifically say what it is for. It just says they've collected a list of top 10K OSS projects which we are using as a target for security scanning, vulnerability reporting, and in the future as a list of projects that any automated bulk PR generation campaign is required to report vulnerabilities.
C: Both to avoid confusion between the lists, okay, yeah. So yes, Jeff, I think you are spot on in the point you just made. So, but it looks like, at the end of the day too, also to go back to your point, is that I feel like at the end of the day everyone is going to take this information and process it differently, and that, you know, no, there...
C: It's just something that Alpha-Omega generates and has been using for, you know, some of their bulk scanning efforts, which fall under...
F: Even when we were doing our analysis of the last couple of projects for our set, I mean, we were comparing stuff on Alpha, I mean, it's around that 10,000 list as well. It has, you know, another signal for decisions, right? It's not just Omega. But the other thing is, I mean, I'll just say that, based on what I've seen in the OpenSSF TAC and some of the other working groups, that many other people are there with a...
F: ...very specific point of view and a very specific action and a very specific outcome, honestly, possibly for their own company, in addition to OpenSSF. So I'm just saying that, you know, to be honest, that, you know, if that, I think that we, the SIG, I mean, not that it has to, but it could be more assertive and take a, and if it wants to have more of an impact, that we should try to, not that we have to, but we should decide amongst ourselves, or so.
F: For their own purposes, like, if we don't have a strong purpose, somebody can step in and, because it's already an established SIG within the OpenSSF, and drive it for their purpose. So, like, either we do, either we take control of this or somebody else, but they will, I mean, it provides an opening that may not be healthy.
A: Yeah, yeah, I agree. I think we do need to do more publicizing our work. I fully expect for us to, once we have this list finished, to do a round of media, or, you know, like, outreach, like the, yeah, blog and whatever, kind of, you know, get on the newsletter, all that kind of stuff, because we want to tell everybody, like, the OpenSSF has a new set of critical projects, and that's it, like, we're worth making the set for the foundation.
A: I don't think there's another group that could claim that they have a different, better set, at least in the realm of about 100 to 200. You know, the 10,000 is a different category, right? So, yeah, I definitely want to do a lot of publicizing of our list now. Once it's done, I don't think we're going to be able to say what it's for, like, because we just don't know that right now, but in that, like, publicizing and getting people to look at it, I think, yeah.
A: What you're saying makes sense, that we can get more input on what people do want to use it for, to help us for the next round in the future.
G: I'm late to this conversation, but I'll also mention Google internal, or Google had a blog post about our open source security upstream team recently, and they use the output from criticality score as well to inform their work and where they focus their efforts. So, I mean, that's just an example of somebody externally using this. There are enough people also on the criticality score project in GitHub who appear to be lurking around, logging bugs and stuff.
G: So people are kicking the tires. I'm not sure exactly how they may be using that part of this work, but yeah, certainly there is interest in it. It would be nice to know who, if people are looking at this data and using it internally for themselves.
C: Yes, yes, go ahead, David, go ahead, please. I was just going to say that I did, in the notes, I started a one sentence, you know, if we can get it in one sentence...
E: What the purpose of this, what the purpose of this effort is, and what the purpose of the output of this is.
C: So I invite everyone to look at that, or collaborate on that, but I think that would be a good place to start. And I think you're absolutely right, though, David, that if certain things aren't driven, then they will find themselves having drivers. So I'm in agreement with you on that, so I'd say the sooner...
C: ...we can get agreement on this, and then maybe even run that by the TAC, just to maybe get some awareness around it as well, probably wouldn't hurt. But in general, to put in a sentence, I've always considered this as basically, you know, these are projects that are important...
C: ...that could probably benefit from additional resources. But one thing that I don't want to necessarily detract from the conversation, but I wonder if, because, Jeff, you did bring up a very good point about the, you know, kind of the, but in some ways the graphic, the xkcd graphic, kind of being our mantra and a lot, or kind of guiding, guideposts in a lot of ways. So I wonder if that's kind of a natural progression in this work, is maybe identifying projects that are under-resourced.
C: Yeah, I mean, you bring up a good point, even though projects that are well funded, but I think the reason I kept that so vague, you know, can benefit from additional resources. I'd love to bring up the example of Git, for example.
C: You know, we did the security audit for Git last year. I'll be talking about it next week in Vancouver, but, you know, we actually got some pushback initially saying, you know, oh, Git's like such a long established project, you know, probably gets a lot of scrutiny, and, you know, and that is in fact the case, but I'm still, you know, third-party audit, you know, getting that different perspective from an expert, you know, we were able to help them a bunch. So I think I...
A: No, yeah, because we, it's just like we want to simplify each step of our decision making, right? So right now we want to think only critical, you know, is it critical or not, and not consider, is it, you know, what the frequency or possibility of that bug or attack is, or how funded the project is.
A: And I think we as humans take that into account when we look at the score and consider that as a reason to be critical or not. So, yeah, I agree there, and I think those are well known. Just...
G: We're trying to, the score itself ideally would improve over time so that it is less biased and better reflects, like, the output of a manually curated list. So that's, like, ideally that would be the case, that we can trust more and more the score itself, the output from the automated tool, over time, but definitely you'd still want someone to, like, sanity check it and go, that's ridiculous, get rid of it.
F: Yeah, I mean, part of the, I think part of the challenge, I mean, again, I've, you know, I work on GCC, which is not a part of GitHub, and, I mean, there's all sorts of, so there's, you know, when you start it, you know, many of the older projects don't necessarily have the signals, the automated or the mechanical signals that, yeah.
A: The automation part's hard, like, yeah, you got to take all these signals. You gotta, if you come up with an algorithm, it's going to be flawed, or, you know, that's why we have to do this as humans. You know, but the more we can automate, the more we can combine scores and metrics, the better, etc. It just helps our steward, our job, faster, and I think we still need to always have that kind of...
F: Right, but then there's also this issue with criticality score. You know, let's say, you know, now this large push from Google and Microsoft and others about memory safe languages, like, all of a sudden, is that, you know, is that now a requirement that, if you aren't using these, obviously get a black mark or a red mark or whatever for that? I...
G: Yeah, the largest, and this is something that I'd like to change soon, but it probably depends on more sources of this data, which is like the graph and how projects relate to each other. So the biggest signal we have, or the strongest signal we have, is the dependency relationships, and, as you mentioned, projects like GCC and other C and C++ based projects particularly have very poor automated ways to, like, collect that graph data.
G: So we have thought about other approaches to that, such as, like, can we look at the Linux distros and how they relate projects together as a way that helps us understand that?
G: But there are other things like SBOMs, where, as SBOMs become more popular, able to answer that question as well in a different way. So yeah, over time, hopefully we can get better.
F: So it's actually, you know, working very closely with my colleague at Red Hat, Carlos O'Donell, who leads glibc, and, I mean, just about the general oversight, leadership of the GNU toolchain, and looking at, you know, trying to do our own analysis for other things and looking at, for example, Red Hat or Fedora, and how many of the packages in there actually depend on GCC or on glibc. And it's actually, you know, it's not a lot, because it's sort of, it's pervasive, so they don't actually explicitly list it as a requirement. They'll list, for example, clang or claim, because that's actually, you know, a deviation from the norm. So there's actually really lacking data...
F: Even there, like the entire, like, you know, 99 or, you know, 90 of the distro should depend upon these packages, you know, libstdc++ or libgcc, and, you know, glibc, but it doesn't actually explicitly list it because it's just a given base level. So, yeah, you can't even use that as a dependency tree, just...
G: Yeah, yeah, GCC is a lot trickier, yeah, yeah. So it is a tough problem to crack. Yeah, I don't have good answers for how to solve that in the short term, which is why I think having a manual process, yeah, it isn't like really important at the moment to make sure that those ones are not overlooked. Right.
C: Yes, so I did my best at writing the purpose of our set, so I invite you all to tear it up and include comments, but I really tried to keep it as high level as possible, and I actually really like that I use the word highly important, because we've used critical too much, too many times.
G: Criticality Score has a weird, different, like, tries to define it, not in a circular way, as its influence and importance, which is very, very loaded terms. Influence is interesting, more so than importance. Importance is often like a lot, like, either directly, it's we depend on it, or indirectly, it's a part of our, like, infrastructure, or something like that.
G: But yeah, that's a, yeah. It's definitely hard to actually, what is critical.
C: Yeah, and my intention from the beginning was always to not get too caught up in the details of it, because it's one of those that, you know, and sadly here we are two years later, but we're definitely making progress. And I think you bring up good points, though, about, you know, maybe taking a step back and, you know, really defining what is the purpose of this and, you know, who's meant to consume this, and, you know, go from there, really.
C: I do agree that maybe getting some guidance from the TAC, especially if we feel like maybe we're at a point where we could use some direction. I feel like they would be a good place to start.
A: So I kind of argue against these kind of things that are monitoring stuff, because it's not like, okay, so it says here, single pane of glass, easily view the performance of your MySQL, Postgres databases, database monitoring solution. So, like, by default these are, like, reading...
A: Maybe it's not like a user flow of data. It's monitoring, like, if your monitoring software went down...
A: Okay, that's commercially tax, one of the things that we've been doing is looking at if it's, like, if it's open core and not really usable without a proprietary piece, and that kind of detracts from the criticality of the open source.
A: But if it's funded, it's fine.
G: That's also, like, the rate of change on Perl code is probably very low as well, so unless it's pulling from infrastructure that, like CPAN or something like that, where someone could compromise CPAN and, like, get into someone's software supply chain via that, I'd be surprised if it was easy to attack Perl itself, like, if people are writing new code frequently, it's in, I'm not, Perl. So it's like, yeah, I don't know, what are we hoping to protect, like, achieve, if we were to include Perl.
A: Yeah, I think Puppet is quite popular and widely used, yeah, but it's, you know, and if it was subverted, like, you could take over whole IT, or whole companies. Their whole IT system is, you know, you'd, in fact, like, every computer.
A: The question here was, is it, is the open source core a critical path, or is it mostly the, you know, the enterprise version that's used?
A: Registry, I think last time we talked about this we didn't actually know, like, the Docker container, the Dockerfile it was pointing to was, like, not the code, but I updated the link here to the source repo, that GitHub distribution/distribution. That's like the new location of the GitHub, I mean, the Docker, or the container registry code, so everybody that deploys their own registry, it probably uses this code.
G: Sentry's interesting, but it's a monitoring project, isn't it?
C: That would cause serious, serious disruption.
G: The only thing that it could be subverted by, oh sorry, the, like, is that you're injecting code from the clients, yeah, the agents, into your application, into your websites, so that is the... So it's not the same as, like, you've given it read access to your... So in terms of the host itself, it's read access into the proprietary system, but the open source components...
A: Yeah, so they have here the SDKs. They, like, list out 20 SDKs for every language that you're supposed to put in your application.
G: Oh, it's like, it's a layer of tools, like Lucene is the, like, a tokenizer. Oh, look.
G: Is the difference between them, Solr, iska and Lucene? Is its engine? Okay, that's the Stack Overflow there with it, yeah. So Solr is like an application you can use out of the box. Lucene is like the library underneath that makes it work.
G: Solr is a web-based search engine that is built on top of Lucene. It's easier to use than Lucene and does not require any programming knowledge. However, it is not as customizable as Lucene. Okay, okay. Lucene is a library that can be used to build a search engine. It is highly customizable, used to create powerful search engines.
G: There have been RCEs via SQLite as well, like code execution by injection.
C: Wonderful, well, thank you all for the great discussion today. Definitely gave us a lot to think about, and I look forward to seeing everyone who will be in Vancouver next week, and otherwise we'll see you in two weeks. Yeah, thanks again for making it this, this later in the day for the North American folks.