►
From YouTube: Securing Critical Projects WG Bi Weekly (May 19, 2022)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
C
C
C
A
A
Ssf
is
doing
so
I'm
I'm
basically
here
I
cannot
do
everything,
but
I'm
trying
to
be
supportive
and
help
where
I
can
and
it's
not
the
only
thing
I
do,
but
it's
one
of
the
things
I
do
is
try
to
be
supportive
of
each
of
the
working
groups
to
help
them
pull
stuff
over
the
transom
as
it
were,
and
also
connect
up,
because
I'm
aware
not
everybody
can
show
up
at
everything
I
can't
either
so
where
I
can
point
out.
Oh
look.
That
group
is
doing
this.
B
B
We
like
to
typically
start
off
with
any
new
faces,
or
anyone
who
might
be
new.
Whether
this
is
your
first
or
maybe
one
of
your
first
meetings.
You
know
we
always
love
to
have
introductions
and
say
hello
to
the
new
faces,
because
thankfully
we
do
seem
to
be
growing
and
have
more
people
joining
meetings.
So
we'd
love
to
hear
from
you.
B
Okay!
Next
on
the
agenda,
we
have
caleb
who
is
going
to
give
us
an
update
on
the
criticality
score
and
package
analysis
projects
quickly
before
I
hand
it
off
to
caleb.
This
is
a
good
time
to
mention
that
yeah.
One
thing
that
we'll
we'll
definitely
get
in
the
habit
of
doing
is
providing
updates,
regular
updates
on
all
the
different
projects
and
kind
of
different
efforts
associated
with
the
work
group
regularly.
So
we
can
all
stay.
We
can
all
stay
abreast
on
latest
developments
and
and
updates
there.
D
So
anyway,
that's
just
a
question,
maybe
for
the
end,
yeah,
so
I'll
dive
in
on
the
criticality
score
side
of
things,
I
posted
to
slack
recently
a
milestone
one
doc
app
on
github.
I
haven't
had
any
comments
on
that
yet,
except
I
think
an
arnold
I
know-
and
I
can't
pronounce
his
name
annoyed
from
ibm-
has
given
me
some
comments
and
yeah.
I
was
wondering
first
of
all,
had
anybody
looked
at
that
and
got
any
thoughts
and
feedbacks
feedback,
I'm
looking
for
just
making.
D
I
want
to
make
sure
that
we're
heading
in
the
right
direction,
so
I've
built
in
the
dock.
It
talks
about
an
enumerator
that
generates
a
whole
bunch
of
repos
from
github.
I've
implemented
that
and
it
works.
Well,
I'm
I've
got
a
prototype
signal,
collector
working
as
well,
but
yeah.
I
just
want
to
make
sure
that
I'm
heading
on
the
right
track
and
that
there
aren't
anything
there
isn't
anything
that
I've
missed
or
any
use
cases
in
particular
that
I
need
to
take
into
account,
particularly.
D
D
So
and
then
it
passes
that
list
of
enumerated
projects
into
a
signal
collection
phase,
which
then
goes
and
generates
all
the
raw
signals
used
to
generate
the
criticality
score
and
then,
at
the
end,
after
that,
the
output
is
then
fed
into
something
like
a
bigquery
table
for
querying
and
the
scoring
itself.
So
the
milestone
one
talks
about
so
yes,
so
it's
got
a
numerator
talks
about
the
implementation
of
that
and
the
algorithm
for
how
to
extract
the
github
repos
and
some
other
sources
of
data.
D
There
has
always
been
some
alignment
between
the
scorecard
project
and
critical
score
with
the
white
house
summit
last
week.
That
alignment
is
stronger
if
you've
read
the
the
document.
There's
a
stream
two
where
talks
about
these
projects
merging
I'm
not
sure
what
that
will
look
like
in
the
future,
but
I'd
already
been
thinking
about
trying
to
leverage
a
lot
of
what
they've
done
for
the
criticality
school
side
of
things.
D
Yes,
I'm
would
love
to
get
some
feedback,
particularly
around
use
cases
in
terms
of
how
are
people
using
this
tool.
How
are
people
interested
in
using
this
tool?
What
questions
are
people
trying
to
answer
yeah,
because
that
will
help
set
the
direction
for
where
we
where
it
goes
in
the
future,
and
it
also
like
encourages
people
to
get
involved
and
collaborate
if
the
tool
is
actually
solving
their
needs
rather
than
what
we
imagine
they
might
be.
C
Sure
so
I'm
gonna
security
researcher.
I
leverage
code,
I'm
sorry,
I'm
cooking,
so
my
camera's
off,
but
I'm
leveraging
it
codeql,
is
being
used
to
you
know
find
by
security
reasons,
to
find
widespread
common
security,
vulnerabilities
and
open
source.
One
of
the
things
you
kind
of
want
to
do
is
you
know
you
have
a
bunch
of
open
source
projects.
You
want
to
write
a
code,
query
that
finds
those
projects
that
are
vulnerable
great.
C
This
project
is
vulnerable,
but
it's
even
worth
reporting
to
right
and
criticality
score
can
help
be
that
you
know
yes,
this
is
worth
reporting
to.
No,
this
is
somebody's
one-off
project.
They
developed
is
like
a
college
project.
We
don't
you
know
it's
not
worth
your
time
or
nobody's
using
it.
That
sort
of
thing.
So
that's
the
that's.
The
use
case
that
I
have
that
is,
I
believe,
other
researchers
may
have
that
same
use.
Case
too.
D
Yeah,
thanks
for
sharing,
I
hadn't
considered
that
one,
that's
really
good,
just
for
pub
publicness
sake.
Arnold
from
ibm
had
said
that
they
are
using
it
to
measure
the
the
criticality
of
open
source
components
that
they
consume
and
I
think
that's
interesting,
certainly
to
other
big
companies
as
well.
D
D
F
B
D
Interesting
yeah,
oh
jonathan,
you
might,
I
did
have
a
comment
which
is
that
there
was
some
another
research
student
in
the
slack
channel
asking
about
the
project
as
well
and-
and
I
think
at
the
very
least,
it
needs
to
be
runnable
by
the
by
research,
students
and
and
researchers
to
be
able
to
actually
get
the
data.
I
think
it's
very
hard
to
use
the
existing
python
tools
so
but
yeah,
I
think,
there's
a
lot
more.
We
can
do
in
that
sort
of
collaboration
around
research,
yeah.
B
C
So
you
said
scraping
the
internet
for
like.
Are
you
looking
at
like,
for
example,
if
a
package
or
project
name
ends
up
in
the
news,
a
ton
right
like
left
pad
and
it's
an
indication
that
a
project
that
may
have
not
come
up
as
critical?
It
just
broke
the
internet
or
something
like
that
like,
oh
hey,
this
might
actually
be
more
critical
than
we
thought
it
is.
It
was.
C
D
A
narrator-
and
I
like
it's-
certainly
these
data
points
are
interesting,
because
they
you
can
look
at
the
output
of
the
score
and
go
all
right.
This
is
what
it's
saying,
but
without
actual
it's
going
to
take
occasional
incidents
like
that
to
like
help
you
go
well
was,
is
our
school
correct?
I
think
this
is
where
things
like
harvard
census
can
also
be
useful,
where
you
get
somebody
else's
research
and
compare
it
to
what
you're
producing
and
say
well,
why
why?
Why
is
it
different?
D
And
so
I
think
that
that
that
is
something
that
certainly
needs
to
happen
and
part
of
the
again
part
of
the
orientation
the
why
the
project
is
oriented
towards
this
big
query
data
set
is
so.
These
questions
can
be
more
easily
asked
and
addressed
and
investigated
so
yeah
by
being
able
to
like
publicly
mess
around
with
how
how
the
algorithm
works
and
the
waiting
and
things
like
that.
I
think
we
can
hopefully
get
to
a
point
where
these
are
easier
to
to
detect
and
and
fix,
and.
D
A
Yeah,
so
I
having
done
this
criticality
analysis
before
myself
and
for
census,
one
and
involved
in
the
harvard
work
on
census
too.
I
I
have
opinions
having
gone
through
and
received
arrows.
So,
first
of
all
I
mean
it's
important
to
understand.
I
mean
you
know:
all
systems
have
have
strengths
and
weaknesses.
The
criticality
score
fundamentally,
is
mostly
about
how
active
the
project
is.
A
I
know
there
are
other
metrics,
but
really
if
it's
super
active,
it's
going
to
get
a
high
score.
If
it's
not
active,
it's
going
to
get
a
low
score.
I
know
there's
more
metrics
caleb,
so
you
you
know
it's
more
complex
than
that,
but
that's
I
mean,
but
that's,
but
it's
heavily
weighted
towards
that.
It's
not
completely
insane,
because
if
something
is
very,
very
active
with
lots
of
users,
it
must
be
important
to
a
lot
of
folks.
But
of
course
the
problem
is,
if
it's
inactive,
that
doesn't
mean
it's
unimportant.
A
It
may
be
widely
used
just
not
changed
often,
and
I
don't
I
mean
if
indeed
there's
ways
to
improve
and
add
metrics
and
weight
it
that's
great,
but
we
tried
to
do
something
similar
on
census.
One
and
I
think
at
the
at
the
end
of
the
day,
you
have
to
take
multiple
data
inputs
and
also
add
some
human
intelligence.
A
That's
so,
for
example,
census
2
takes
a
different
attack
where
you
looks
at
what's
dependent
that
does
raise
out
actually
the
I'll
log
for
j
right
away.
I
mean
long
for
j
shows
up
really
high
on
the
list,
because
so
many
projects
depend
on
it,
and
so
my
my
view
right
now
is
that
what
we
need
to
do-
and
really
this
is
in
my
mind
this
is
the
primary
purpose
of
this
group.
A
So
we
need
to
move
eventually
from
discussing
it
to
making
decision
on
the
new
process
and
executing
it.
We
need
to
take
multiple
data
sources,
so
I
actually
do
think
that
a
lot
of
activity
does
suggest
that
it's
important,
you
know
unusually
large
amount
of
activity,
but
that
can't
be
the
only
signal
high
dependency.
That
seems
like
a
pretty
important
signal.
A
A
It's
you
know
it's
not
hard
to
beat
a
pro,
but
you
know
they
at
least
make
some
real
attempts.
They
have.
They
have
various
processes
that
make
a
try,
whereas
a
lot
of
dead
projects
that
lots
and
lots
of
people
depend
on.
I
worry
about
a
lot.
You
know
it's
about.
It's
a
hundred
thousand
lines.
No
one
has
edited
in
three
years,
which
would
mean
I
have
a
low
criticality
score
and
you
know
everybody
depends
on
it,
I'm
getting
worried.
A
A
One
of
the
things
that
showed
up
really
high
in
our
scoring
regime
were
the
mail
transfer
agents
and
the
reason
was
we
were
awaiting
things
like
direct
access
to
internet
check.
They
were
all
written
in
c
no
memory,
safety
doesn't
mean
it's
necessarily
bad.
Some
of
them
were
not
maintained
as
well
as
you
would
like
them
to
be,
and
so
you
know
they
met
all
the
criteria,
but
here's
the
challenge,
how
many
people
install
their
own
mtas
40
years
ago.
Quite
a
number
now,
not
so
much
it's
pretty
unusual.
I.
A
But
my
broader
point,
though,
is
that
the
members
can
tell
us
one
thing,
but
we
know
other
things
that
can
make
some
adjustments,
and
so
what
I
think
we
should
do
is
use
multiple
measures,
try
to
identify
that
list
of
things
that
are
likely
to
be
important
in
some
semi-mechanical
form,
and
then
humans
use
humans
to
kind
of
filter
it
out
and
create
our
updated
criticality
list.
We
have
a
draft
list,
it
was
created
quickly.
We
all
agreed
that
we
needed
to
do
a
better
job.
A
D
D
A
Jacques
has
done
a
lot
of
work,
trying
to
figure
out
a
better
way
of
voting.
I
don't
know
if
we'll
get
there
but
yeah,
I'm
aware
that
we
there
is
work
in
progress.
I
just
want
to
move
on
from
thinking
about
the
process
to
writing
it
down
and
starting
executing
it
sooner
rather
than
later,
just
because,
I'm
afraid
we'll
keep
drawing
forever.
G
Sorry,
chris,
that's
that's
fine,
sorry,
sorry,
kale!
So
so,
and
thanks
david,
I
I
agree
with
almost
everything
you
said
I
did
want
to
sort
of
highlight,
though
I
think
well,
number
one
log4j
didn't
show
up
that
high
actually
was
like
40.
and
that's
you
know
right.
It's
not
like
you
know
as
critical,
and
I
think
that
the
problem-
and
it
was
hinted
at
with
the
exchange
comment.
I
think,
is
that
there's
an
awful
lot
of
dark
matter.
If
you
will
in
terms
of
dependencies
where
things
are
consumed
into
products.
G
That
then
are
widely
used,
and
I
think
there's
a
transitive
property
to
you
know
the
dependency
that
we're
probably
not
factoring
in
appropriately,
and
that
is
where
something
is
a
tertiary
dependency
or
where
something
is
doesn't
have
a
whole
lot
of
open
source
dependencies,
but
is
used
everywhere.
Right
and
log4j
is.
Is
an
example
of
something
like
that?
If
you're,
you
know,
if
you,
if
you
have
a
a
lot
of
java
applications-
and
you
probably
had
an
awful
lot
of
log4j
and
that
doesn't
show
up
in
the
study
right
because
it.
A
Does
it
does
actually?
No
it
does
they
use
information
on
proprietary
software's
dependencies
to
develop
census
too
yeah?
It's
it's
in
the
report
yeah
the
s.
What
they
did
is
the
sca
vendors
analyzed
software,
most
of
which
was
proprietary
and
used
that
as
their
top
level
and
then
tracked
the
dependencies
down.
A
Your
point
is
correct
that
it's
awful
dark
matter
is
a
problem.
I
think
the
log
for
j
you're
right,
it's
it.
I
don't
remember
the
number
before
I
I
believe
you
it's
40..
I
think
what
that
showed
is
there's
another
logging
system
that,
if
it
had
been
subverted,
it
would
have
been
even
more
disastrous.
There's
a
there's,
a
competitor
to
log4j
that
if
you
use
that,
if
that
had
been
subverted,
it
would
have
been
even
worse.
G
Yeah
and-
and
so
so
I
I
did
want
to
sort
of
highlight
that
aspect
of
the
sort
of
the
transitive
property
of
dependencies,
and
then
I
think
the
other
thing
to
factor
in
here,
at
least
from
from
my
own
perspective
here,
and
I
think
that
of
ibm's
is
that
I'd
like
to
be
able
to
use
a
tool
like
criticality
score
in
the
context
of
my
own
set
of
use
cases.
In
other
words,
I'd
like
to
be
able
to
influence
either
the
weighting
of
what
things
we
consider
to
be
more
or
less.
G
You
know
critical
to
be
worried
about,
or
or
I
should
say-
and
we
probably
would
also
like
to
factor
in
when
we
talk
about
again
dependencies.
I
think
it's
great
to
understand
where
it's
used
in
the
external
world.
You
know
of
other
open
source,
but
I
would
like
to
understand
where
it
falls
in
terms
of
usage
in
my
own
enterprise,
and
if
I
can
get
a
census
through
an
s
bomb,
you
know
curation
of
of
our
own
either
consumed,
or
you
know,
produced
software.
G
I'd
like
to
be
able
to
run
criticality
score
against
that
set
of
dependencies
to
understand
where
my
risk
profile
is
and
where
maybe
I
should
be
investing
my
own
resources.
So
again,
I
understand
you
know
there.
It
is
somewhat
competing
with
what
we
have
from
an
open,
ssf
perspective
where
we're
looking
sort
of
more
broadly
and
where
is
sort
of
like
trying
to
rally
the
entire
open
source
community,
but
there's
also,
if
you
will,
I
s
a
selfish
interest
that
I
would
like
to
understand.
G
You
know
where
what
is
how
critical
is
is
is
log4j
in
my
own
circumstance,
not
so
much
yeah,
maybe
everybody's
using
it,
but
you
know-
maybe
I
don't
use
it
at
all,
or
vice
versa,
right,
maybe
it's
something
that
very
few
people
use
but
ibm
uses
very
heavily,
and
I'd
like
to
be
able
to
understand
that
so
so
being
able
to
either
give
it
different
data
sources
for
something
like
dependencies
and
so
forth.
I
think,
would
be
valuable.
That's
that's
really
my
point.
D
Yeah,
I
think
that's
a
really
good
idea,
and
I,
like
it's,
the
internal
private
corporations
using
this
pro
tool
is
certainly
a
very
interesting
use
case
that
was
just
brought
up
to
like
ibm.
I
think
that
your
counterpart
in
your
arnold
brought
up
to
me
chris.
So
I
think
it's
a
that's
a
really
interesting
use
case.
D
There
may
even
be
a
way
we
can
have
like
a
zero
knowledge
or
some
way
that
first
books
companies
to
submit
like
s-bomish
type
data
to
the
project
as
a
signal
source
without
kind
of
disclosing
that
they're
the
organizations
that
use
those
dependencies
as
a
way
to
further
like
incorporate
into
their
public
algorithm
as
well,
so
their
ideas
that
I've
had
they're
kind
of
long
down
the
track.
But
I
think
there's
opportunities
there
as
well.
D
A
B
A
A
A
B
We
could
definitely
create
a
template
to
put
at
the
top
of
our
our
work
groups
notes
so
that
it's
something
we
can
easily
refer
to-
and
I
think
is-
we
should
definitely
start
getting
stuff
done
on
paper
and
and
working
working
on
it,
maybe
even
having
like
a
more
intensive
working
group
session
on
that
in
particular,
but
I'm
in
agreement
here.
What
do
you
think
jeff.
H
Yeah,
I
think
I
agree
with
you
mira.
I
think
we,
you
know
we're
right
now
we're
talking
about
the
criticality
tool,
which
is
a
separate
from
the
the
identifying
critical
projects
process,
which
is
another
project
in
our
group
working
group.
I
think
we
need
to
have
a
advertised
meeting
for
the
any
any
kind
of
proposal
on
that
topic,
but
yeah.
I
agree.
A
H
H
Maybe
we
should
talk
about
this
in
another
section,
but
I
I
got
a
lot
of
feeling
with
vocabulary
from
the
tac
that
if
it's
something
that's
like
a
project
with
an
output,
it
needs
to
be
we
and
I
think,
we'll
get
a
little
more
support
if
we
call
our
identifying
a
project
with
identified,
leads
and
status,
and
maybe
we
do
the
project
in
the
working
group
meetings
yeah.
But
let's
get
it.
Let's
get
this
project
a
little
bit
more
formal.
A
H
H
B
Yeah
I'll
I'll
I'll
take
lead
on
kind
of
on
kind
of
the
high
level
stuff,
but
if
I
need
help,
I
would
I'll
gladly
take
volunteers
and
I
definitely
agree
with
you
on
that
jeff
that
it
certainly
makes
sense
to.
I
always
go
back
to
the
same
example.
Sorry,
if
it's
annoying
by
now,
but
where
the
buck
stops
essentially
is
knowing
you
know
where
that
decision
point
is,
and
who's
responsible
for
making
that
decision
or
moving
things
forward.
It's
really
important
to
establish
that.
A
A
D
D
D
No
I'm
hap,
like
so
there's
a
blog
post
published
on
the
open
ssf.
We
basically
in
giving
it
an
announcement.
It's
running
like
it's
running,
reliably
at
the
moment,
generating
signals
which
is
great
and
the
post
was
like
to
drive
attention
and
try
and
get
some
more
public
interest
and
contributors.
D
We've
had
some
people
trying
to
run
the
projects,
which
is
great,
so
yeah,
hoping
hoping
that
it
will
get
some
public
contributions
and
I
think,
having
some
people
trying
and
running
it
has
shown
us
that
probably
need
to
make
the
ergonomics
for
new
users
a
bit
better
but
yeah.
It's
basically
the
start
like
if
you're
using
stars
as
a
metric.
It's
gone
from
like
40
to
over
400,
which
is
like
a
nice
to
have
that
improvement
in
tension.
D
We
recently
added
dns
data
to
the
what
it
captures,
which
is
good
and
yeah
still
trying
to
haven't
quite
decided.
What's
next,
we
can
improve
dynamic
analysis,
which
is
probably
what
we'll
do
some
more
work
on,
but
yeah
and
also
love
to
integrate
more
with
some
of
the
stuff,
the
male
oss
and
georgia.
Tech
guys
are
doing
and
yeah
but
yeah
reach
out.
If
you
have
any
more
to
talk
about
naveen.
D
I
D
D
I
I
D
Yeah,
so
we're
leveraging
their
some
of
their
logic
around
github
token
usage.
At
the
moment,
yeah,
which,
like
I
didn't
want
to
write
that
myself,
there
is
a
lot
in
common
between
the
projects.
That's
like
they're,
both
basically
scanning
public
repos.
Although
you
could
argue
that
the
scorecard
project
depends
on
like
knowing
what
the
critical
projects
are
to
kind
of
prioritize
those,
whereas
the
criticality
score
is
about
finding
them.
But
I
mean
that's.
I
D
B
C
Just
for
me
so
for
the
the
criticality
store,
if
that
was
offered
as
a
rest,
api
like,
I
know
that
it's
in
big
data,
I
know
that
the
big
table
data
is
there,
but
if
there's
an
easy
way
to
just
like
be
able
to
pull
the
latest
version
of
that
stuff,
just
like
via
even
if
just
csv
off
of
a
rest,
endpoint
that'd
be
really
helpful.
I
think
for
some
people
that
want
to
build
apps
off
of
that,
if
it
was,
you
know,
you
didn't
need
to
download
it
with
bigtable.
First.
B
Thanks
to
funding
from
google
and
openssf,
we
are
expecting
to
publish
results
coming
up
pretty
soon,
looking
at
around
q2,
so
hopefully
in
by
the
end
of
next
month.
Thinking
ahead,
what
we
did
was
to
to
kind
of
iterate
that
list
of
25
projects.
We
updated
that
taking
into
account
the
the
full
harvard
census,
2,
study
and
and
and
any
other
data
points
that
we
were
able
to
get
and
have
an
updated
list
of
projects.
That's
currently
at
about
50..
B
So
it's
a
larger
pool
of
projects
to
go
through
and
ideally
can
serve
as
a
data
point
for
aggregation
and
in
terms
of
the
next
steps.
So,
as
I
mentioned,
we've
got
some
results
coming
through.
The
pipeline
really
excited
to
get
those
results
out
to
for
everyone
to
see
and
see
some
of
this
work
that
we're
doing
as
well
as
kind
of
validating
this
new
list
of
projects
and
putting
proposals
together
so
that
list
of
50
projects.
B
I
did
add
it
to
our
existing
list
as
a
new
tab.
So
I'm
just
going
to
link
that
here
and
if
anyone
would
like
to
discuss
or
have
comments,
feel
free
to
would
love
to
hear
your
feedback.
So
that's
just
a
quick
brief
update
on
the
managed
audit
program
and
the
work
that
we're
doing
and
that
we
can
go
over
to
david
and
the
open
source
software
security
summit
to
from
dc.
A
Okay,
let's
see
all
right
hey,
I
unmuted
myself
this
time,
always
a
good
sign
all
right
so
last
week
there
is
the
I'm
going
to
read
it
in
a
funny
way:
open
source
software
security
summit.
Second,
in
dc
thursday
and
friday,
the
primary
purpose
was
to
discuss
this
thing
called
the
open
source
software
security
mobilization
plan.
A
I
know
a
number
of
you
had
a
hand
in
this,
but
it's
basically
an
attempt
to
try
to
distill
some
ideas
so
that
at
least
they
can
be
discussed
brian
like-
and
I
would
like
to
talk
about
this
as
version
0.9.1-
hopefully
it
makes
sense,
but
this
is
not
set
in
stone.
This
is
just
hopefully
much
better
than
a
blank
piece
of
paper
trying
to
put
ideas
that
people
have
put
around
before
it.
A
It
was
primarily
a
meeting
between
folks
in
the
u.s
government,
executive
branch
and
some
folks
with
the
within
the
open
source
software
off
in
the
open
ssf,
but
in
industry
to
participate
with
the
open
ssf
and
it
goes
into
three
three.
It
was
basically
starting
with
three
goals:
wow
that
were
actually
from
an
earlier
meeting
and
then
divided
into
ten
streams.
A
Stream.
Seven
is
especially
relevant
to
this
group,
but
I
think
there
are
three
streams
that
are
relevant
to
this
group
stream.
Two
is
about
a
public
vendor
neutral,
objective
metrics,
based
risk
assessment,
dashboard
screen
five
is
established.
The
open,
ssf
security
incident
response
team-
maybe
that's
a
different
group,
not
sure
where
that
goes,
and
stream
seven
is
about
conducting
third-party
reviews
of
up
to
200
the
most
critical
open
source
software
components
once
a
year
and
there's
more
to
it
than
that.
A
A
It
was
a
meeting
between
the
u.s
government,
executive
branch
and
industry,
but
I
do
want
to
clarify
that
the
expectation
is
that
this
is
not
unique
to
the
us
government
or
any
specific
government.
We
do
very
much
want
to
float
this
around
other
governments,
other
public
organizations,
other
private
sector
organizations-
you
know,
but
basically
it's
an
excuse
to
get
started.
A
A
A
A
The
streams
were
in
many
ways,
based
on
other
recommendations
that
already
exist.
We
didn't
just
create
everything,
whole
cloth
and
then
the
idea
was
to
drill
down
just
enough
to
ask
the
quest
answer
the
question:
what
at
a
high
level
needs
to
be
done,
and
that
was
the
goal
of
that
plan-
is
to
create
a
draft
idea
of
what
needs
to
be
done
without
now,
we
did
have
to
answer
the
question
approximately
how
much
effort,
how
much
resources
we
estimated
in
dollars,
but
I
mean
you
can
estimate
number
of
people
for
the
most
part.
A
It's
number
of
people
really,
but
you
know
it's
what's
the
level
of
effort
we
estimated
with
dollars
and
what
needs
to
be
done,
who
does
it
and
who
pays?
That
is
the
discussion.
As
of
that
day
forward,
I
I
think
from
here
on
the
idea
is
first
of
all,
maybe
there's
tweaks
to
this
plan
that
needs
to
be
made.
I
mean
it
could
be
that
everybody
doesn't
agree.
I
think
there
was
general
consensus
overall.
Most
of
the
changes
or
suggestions
were
based
on
extensions
or
improve
minor
improvements,
not
wholesale
rejection.
A
A
We're
not
going
to
get
this
by
having
any
one
company
or
any
one
government
paying
for
it.
On
the
other
hand,
if
you
look
at
the
dollars,
I
mean,
if
you
look
at
my
bank,
account,
that's
a
lot
more
money
than
I
have
if
you're
the
us
government,
this
is
pocket
change.
Okay,
all
of
the
us
is
just
looking
at
the
u.s
from
all
of
us.
Society
depends
on
computers.
A
This
is
a
lot
less
than
a
lot
of
other
things
the
us
government
pays
for,
especially
if
we
notice
oh
wait.
I
hear
the
eu
uses
computers,
at
least
that's
what
I
hear.
Okay
and
and
the
uk,
I
hear
they
also
use
computers
and,
and
so
we'll
never
get
kind
of
the
consensus
on
terms
of
how
much
you
should
pay
versus
me,
but
I
think
what
the
goal
rate
now
is
to
get
people
to
to
contribute
and
help
now
to
to
wrap
it
up.
A
We
were
just
here's
a
plan
and
people
basically
standing
around
saying
my
gosh.
We
needed
a
plan
that
a
number
of
people
said
makes
sense
and
it
makes
sense
to
us
and
dollars
started
showing
up.
So
I
don't
think
it's
unreasonable
think
that
we
can
make
more
dollars
show
up
now.
Of
course,
we
actually
have
to
execute
the
plan.
I
mean,
that's
the
that's
the
downside
of
all
this
right.
A
B
A
A
You
know
what
I
I
probably
should
have
been
clear
about
that.
Not
only
do
we
not
care
who
pays,
we
also
don't
care
who
gets
the
money
if
somebody
else
other
than
the
open
ssf
is
the
right
organization
to
do
some
part
of
the
plan.
That's
fantastic!
In
fact.
A
couple
of
the
points.
Really:
it's
not
open,
ssf
or
even
industries
tasks,
there's
some
things
that
are
really
government
kinds
of
stuff
and
you'll,
be
I
I
know
I'm
the
first
to
tell
you
but
we're
not
a
government.
A
So
you
know,
and
and
for
example,
there's
been
one
of
the
points
that
was
raised
several
times
on
the
education
track
was
hey.
Although
not
everybody
goes
to
universities,
we
should
get
the
university's
accreditation
changes.
Accreditation
requirements
changed.
I
have
beat
my
head
against
that
wall
for
years.
You
know
after
10
years
I
managed
to
get
them
to
add
the
word.
Security,
no
content,
just
the
word
security,
great
okay.
A
So
I'm
I'm
kind
of
frustrated
and
have
I
gave
up
for
a
while,
but
maybe
now
is
the
time
to
try
again,
maybe
they'll
actually
care
about
security
this
time.
So,
but
that's
acm
and
ieee,
okay,
we're
not
acm
we're
not
ieee.
Okay,
we
can
we.
We
can
write
emails
and
letters,
but
you
know
so
it
isn't
just
the
openness
of
receiving
it
isn't
just
the
folks
who
were
in
that
room
that
were
hope,
contributing
funding.
So
it
is
a
global
plan
for
global
execution.
A
I
expect
the
open
ssf
will
implement
a
lot
of
it,
because
this
is
a
place
where
a
lot
where
industry
is
basically
decided
to
collaborate,
but
you
know
what
if
we
want,
if
somebody
needs
to
go
to
say
the
eclipse
foundation
great,
let's
do
it.
Okay!
Does
that
solve
a
problem?
Good?
Let's
do
that?
Okay,
you
know
we're
happy
to
work
with
all
sorts
of
folks.
B
So
I
did
want
to
get
to
the
last
agenda
item
about
the
meeting
time,
and
I
guess
with
that
point
I'll
I'll
run
it
by
the
I'll,
see
what
the
work
group
says.
I
think
it
makes
sense
to
kind
of
alternate
to
do.
You
know
every
other
session
do
a
apac
friendly
time.
Thankfully
it's
still
for
the
most
part
within
within
the
day
for
for
everyone.
In
in
north
america,
so
I'm
totally
for
it.
B
D
G
It
would,
I
think,
be
preferable
from
my
perspective.
If
we
had
a
fixed
alternate
time,
you
know,
in
other
words
every
other
week
or
whatever
you
know
the
schedule,
rather
than
ad
hoc
and
asking
each
time
and
then
the
other
request
I
would
have
is
that
if
he
actually
put
in
the
the
the
minutes,
you
know
because
I
actually
have
two
invites
one.
A
G
Five
and
one
for
noon
or
you
know,
and
so
again
I
would
just
sort
of
prefer
if
we
and
I'm
very
supportive
of
the
the
alternating
I've
done
that
number
of
working
groups
that
I've
run.
So
I
think
that's
the
fairest
thing
and
it's
gonna
again.
If
we
do
it
consistently,
then
I
think
we'll
have
the
broadest
participation
as
a.
A
G
H
I
Yeah,
the
scorecard
also
I'm
gonna-
I'm
gonna
suggest
this.
Let's
go
that
also,
obviously,
would
like
people
like
caleb
showing
him
for
that.
So
I
believe
we
don't
want
to
beat
on
the
same
day,
so
we
all
step
on
each
other.
So
so
we
just
have
to
work
with
across
the
groups
to
make
sure
that
it
is
so
that
we
can
have
every
other
week.
A
B
Yes,
and
just
for
any
lack
of
confusion
next
meeting
time,
we'll
just
move
we'll,
have
it
at
our
regular
time
that
we
have
been
meeting
until
we
finalize
the
new
schedule
with
that.
Thank
you
so
much
everybody.
Thank
you,
caleb
for
the
updates
and
everybody
who
participated
today,
and
I
will
see
you
in
two
weeks.