From YouTube: Securing Critical Projects WG Bi Weekly (May 19, 2022)
A
...SSF is doing, so I'm basically here. I cannot do everything, but I'm trying to be supportive and help where I can, and it's not the only thing I do, but one of the things I do is try to be supportive of each of the working groups, to help them pull stuff over the transom, as it were, and also connect up, because I'm aware not everybody can show up at everything. I can't either, so where I can, I point out, "Oh look, that group is doing this."
A
Speaking of which, I just saw a link, I think it's the 0mq... yeah, I'll repost, because I think some people have not slipped in their names, and we want to know who shows up.
A
Excellent, all right, I will add you, although I will admit the spelling of your last name may defeat me, but I will do my best.
C
It's German. My mother used to joke that it's German for "keep your maiden name."
B
Wonderful. Well, we're at five past the hour, so on that note, yes, please add yourself to the attendees, and if you have anything that you'd like to talk about today, feel free to throw something on the agenda. Notes are always welcome, as well as contributions to taking notes.

B
We typically like to start off with any new faces, or anyone who might be new, whether this is your first or maybe one of your first meetings. You know we always love to have introductions and say hello to the new faces, because thankfully we do seem to be growing and have more people joining meetings, so we'd love to hear from you.

B
Okay! Next on the agenda, we have Caleb, who is going to give us an update on the criticality score and package analysis projects. Quickly, before I hand it off to Caleb, this is a good time to mention that, yeah, one thing that we'll definitely get in the habit of doing is providing regular updates on all the different projects and the different efforts associated with the work group, so we can all stay abreast of the latest developments and updates there.

B
So with that, Caleb, the floor is yours.
D
I'll hit the right button. Hello, how's everyone going? It's been a while. Unfortunately, the time zone in winter in particular is not great for attending these meetings, which actually is one of the first things I'll mention, and maybe this is for discussion later: I think it's the Securing Software Repos group, or one of the others, that kind of alternates between AMER-friendly and APAC-friendly, and maybe that's something to consider in this group, so that I can have a shorter lead time on delivering some of these updates, yeah.

D
So anyway, that's just a question, maybe for the end. Yeah, so I'll dive in on the criticality score side of things. I posted to Slack recently a milestone one doc, up on GitHub. I haven't had any comments on that yet, except I think Arnold (I know I can't pronounce his name) from IBM has given me some comments, and yeah, I was wondering, first of all, had anybody looked at that and got any thoughts and feedback? I'm looking for feedback, just making...

D
I want to make sure that we're heading in the right direction. So I've built... in the doc, it talks about an enumerator that generates a whole bunch of repos from GitHub. I've implemented that and it works well. I've got a prototype signal collector working as well, but yeah, I just want to make sure that I'm heading on the right track and that there isn't anything that I've missed, or any use cases in particular that I need to take into account.

D
I can, yes. So prior to this doc, I also wrote, kind of a... it was logged as an issue, but I was talking about signal collection, some of the issues with the existing criticality score project and how it collects, and some of the metrics.

D
At the end, it proposed an approach to improving the score overall, where we basically make it scale to the point where we can run this automatically in the cloud, generating signals that people can look at, and there seems to be an interest in kind of experimenting and seeing how it works, rather than just spitting out a number. So yeah.

D
So this is kind of moving towards a stage where we can have this score being updated continuously, and the data that it produces is all publicly available for people to look at. So the milestone...

D
...one document talks about, like, a first step in that, where I'm rebuilding the project around this idea of enumeration, like an enumerator that's separate from a thing that collects the signals. So the enumeration is where we just list all the GitHub projects or GitLab projects, or we might have something that in the future goes around and Googles for random Git hosts of repositories on the internet.

D
And then it passes that list of enumerated projects into a signal collection phase, which then goes and generates all the raw signals used to generate the criticality score, and then, at the end, after that, the output is fed into something like a BigQuery table for querying and the scoring itself. So milestone one talks about... so yes, it's got an enumerator, talks about the implementation of that and the algorithm for how to extract the GitHub repos and some other sources of data.

D
We may look at the raw signal collection; it just talks about the data format and how that approach will generally work, just a rough algorithm, a data format, and then a rough mention of BigQuery ingestion, and the final thing is it talks about our switching to Go.

D
There has always been some alignment between the Scorecard project and criticality score. With the White House summit last week, that alignment is stronger. If you've read the document, there's a stream two where it talks about these projects merging. I'm not sure what that will look like in the future, but I'd already been thinking about trying to leverage a lot of what they've done for the criticality score side of things.

D
So at the end, we talk about rewriting it in Go to make that transition easier in the future. So yeah, that is the briefest of overviews.

D
Yes, I would love to get some feedback, particularly around use cases, in terms of how are people using this tool, how are people interested in using this tool, what questions are people trying to answer, yeah, because that will help set the direction for where it goes in the future, and it also encourages people to get involved and collaborate if the tool is actually solving their needs, rather than what we imagine they might be.
C
Sure, so I'm a security researcher. I leverage code... I'm sorry, I'm cooking, so my camera's off, but I'm leveraging CodeQL. CodeQL is being used by security researchers to find widespread, common security vulnerabilities in open source. One of the things you kind of want to do is, you know, you have a bunch of open source projects, you want to write a CodeQL query that finds those projects that are vulnerable. Great.

C
This project is vulnerable, but is it even worth reporting to, right? And criticality score can help be that: you know, yes, this is worth reporting to; no, this is somebody's one-off project they developed, like a college project, it's not worth your time, or nobody's using it, that sort of thing. So that's the use case that I have, and I believe other researchers may have that same use case too.
D
Yeah, thanks for sharing, I hadn't considered that one, that's really good. Just for publicness' sake, Arnold from IBM had said that they are using it to measure the criticality of open source components that they consume, and I think that's interesting, certainly to other big companies as well.
B
Yeah, and to piggyback a little bit off of Jonathan's point too, as you know, in this work group and beyond we'll hear more about the White House DC updates as well, but it's very important to have some kind of quantitative measurement of something that we can point to when we are looking at prioritizing projects to audit or to review from a security perspective.

B
So having a tool like criticality score, I would say, is extremely helpful in that case, because it can give us one more kind of layer of essentially validating that these projects that we are interested in auditing, for example, are indeed, you know, critical to some measurable degree.
D
Yeah, I think that's kind of the core use case that's been kind of had in mind the whole time, is certainly being able to address those, like, where do we focus our attention, in terms of the most important.

D
Interesting, yeah. Oh, Jonathan, you might... I did have a comment, which is that there was another research student in the Slack channel asking about the project as well, and I think at the very least it needs to be runnable by research students and researchers to be able to actually get the data. I think it's very hard to use the existing Python tools, so, but yeah, I think there's a lot more we can do in that sort of collaboration around research, yeah.
B
Yes, and I believe when the results were being presented, a lot of inquiries did come about. You know, is the data going to be accessible in a way that it can be kind of manipulated and analyzed?

B
And so I don't know if anything came out of that, David, if you have anything there, but being able to have the data in a format where it can be analyzed or cross-referenced with criticality score, or something, I think is something that is certainly doable.
C
So you said scraping the internet for, like... are you looking at, like, for example, if a package or project name ends up in the news a ton, right, like left-pad, and it's an indication that a project that may have not come up as critical just broke the internet or something like that? Like, "oh hey, this might actually be more critical than we thought it was."
D
A narrator, and I like it. Certainly these data points are interesting, because you can look at the output of the score and go, all right, this is what it's saying, but without actual... it's going to take occasional incidents like that to help you go, well, is our score correct? I think this is where things like the Harvard census can also be useful, where you get somebody else's research and compare it to what you're producing and say, well, why is it different?

D
And so I think that is something that certainly needs to happen, and part of the orientation, the reason why the project is oriented towards this BigQuery data set, is so these questions can be more easily asked and addressed and investigated. So yeah, by being able to publicly mess around with how the algorithm works and the weighting and things like that, I think we can hopefully get to a point where these are easier to detect and fix, and...
A
Yeah, so, having done this criticality analysis before myself, for Census One, and involved in the Harvard work on Census Two, I have opinions, having gone through and received arrows. So, first of all, I mean, it's important to understand, I mean, you know, all systems have strengths and weaknesses. The criticality score, fundamentally, is mostly about how active the project is.

A
I know there are other metrics, but really, if it's super active, it's going to get a high score. If it's not active, it's going to get a low score. I know there's more metrics, Caleb, so, you know, it's more complex than that, but it's heavily weighted towards that. It's not completely insane, because if something is very, very active with lots of users, it must be important to a lot of folks. But of course the problem is, if it's inactive, that doesn't mean it's unimportant.

A
It may be widely used, just not changed often, and I mean, if indeed there's ways to improve and add metrics and weight it, that's great, but we tried to do something similar on Census One, and I think at the end of the day, you have to take multiple data inputs and also add some human intelligence.

A
So, for example, Census Two takes a different tack, where you look at what's dependent. That does raise out, actually, log4j right away. I mean, log4j shows up really high on the list, because so many projects depend on it, and so my view right now is that what we need to do, and really, in my mind, this is the primary purpose of this group...
A
So we need to move eventually from discussing it to making a decision on the new process and executing it. We need to take multiple data sources, so I actually do think that a lot of activity does suggest that it's important, you know, an unusually large amount of activity, but that can't be the only signal. High dependency, that seems like a pretty important signal.

A
Other signals, which Census Two doesn't work with, although Census One did, is what's the risk level of it. So it may be widely used, but by golly, they really do try hard. Put the Linux kernel, by the way, in this camp. It's not that it has no vulnerabilities.

A
It's, you know, it's not hard to beat a pro, but you know, they at least make some real attempts. They have various processes that make a try, whereas a lot of dead projects that lots and lots of people depend on, I worry about a lot. You know, it's about a hundred thousand lines, no one has edited in three years, which would mean it has a low criticality score, and, you know, everybody depends on it. I'm getting worried.

A
So, basically, what we need to do, and we've already talked about this before, is combine the signals, then use humans to make adjustments. I'll give you a cop before I get out. Chris, I will definitely give you your turn, but Census One...
A
One of the things that showed up really high in our scoring regime were the mail transfer agents, and the reason was we were weighting things like direct access to internet, check. They were all written in C, no memory safety, doesn't mean it's necessarily bad. Some of them were not maintained as well as you would like them to be, and so, you know, they met all the criteria, but here's the challenge: how many people install their own MTAs? Forty years ago, quite a number; now, not so much, it's pretty unusual. I...

A
A fair retort. You actually... that's a fair reply, but we were trying to emphasize the wide use, and so we just basically, the numbers told us what, so maybe this is a bad example, because you've got a good retort.

A
But my broader point, though, is that the numbers can tell us one thing, but we know other things that can make some adjustments, and so what I think we should do is use multiple measures, try to identify that list of things that are likely to be important in some semi-mechanical form, and then use humans to kind of filter it out and create our updated criticality list. We have a draft list; it was created quickly. We all agreed that we needed to do a better job.

A
I'm sorry, I know there's at least one person who complained, and rightly so, about the speed, but we really needed those answers in a hurry. I'm grateful for that. We can do better, you know, but we need to actually decide on how we're gonna do that. Thanks.
D
Okay, I'll just... sorry, I was gonna mention that Jacques is suggesting voting as a source of criticality, and Julia is talking about engaging experts in communities. So.
A
Jacques has done a lot of work trying to figure out a better way of voting. I don't know if we'll get there, but yeah, I'm aware that there is work in progress. I just want to move on from thinking about the process to writing it down and starting executing it sooner rather than later, just because I'm afraid we'll keep drawing forever.
G
Sorry, Chris, that's fine. Sorry, sorry, Caleb! So, and thanks, David, I agree with almost everything you said. I did want to sort of highlight, though, I think, well, number one, log4j didn't show up that high, actually; it was like 40, and that's, you know, right, it's not like, you know, as critical. And I think that the problem, and it was hinted at with the Exchange comment, I think, is that there's an awful lot of dark matter, if you will, in terms of dependencies, where things are consumed into products.

G
...that then are widely used, and I think there's a transitive property to, you know, the dependency that we're probably not factoring in appropriately, and that is where something is a tertiary dependency, or where something doesn't have a whole lot of open source dependencies but is used everywhere, right, and log4j is an example of something like that. If you, you know, if you have a lot of Java applications, you probably had an awful lot of log4j, and that doesn't show up in the study, right, because it...
A
It does, actually. No, it does. They used information on proprietary software's dependencies to develop Census Two, yeah? It's in the report, yeah. What they did is the SCA vendors analyzed software, most of which was proprietary, and used that as their top level and then tracked the dependencies down.

A
Your point is correct that dark matter is a problem. I think the log4j, you're right, it... I don't remember the number before, I believe you, it's 40. I think what that showed is there's another logging system that, if it had been subverted, it would have been even more disastrous. There's a competitor to log4j that, if that had been subverted, it would have been even worse.
G
Yeah, and so I did want to sort of highlight that aspect of the transitive property of dependencies, and then I think the other thing to factor in here, at least from my own perspective, and I think that of IBM's, is that I'd like to be able to use a tool like criticality score in the context of my own set of use cases. In other words, I'd like to be able to influence either the weighting of what things we consider to be more or less...

G
...you know, critical, to be worried about, or, I should say, and we probably would also like to factor in, when we talk about, again, dependencies: I think it's great to understand where it's used in the external world, you know, of other open source, but I would like to understand where it falls in terms of usage in my own enterprise, and if I can get a census through an SBOM, you know, curation of our own either consumed or, you know, produced software.

G
I'd like to be able to run criticality score against that set of dependencies to understand where my risk profile is and where maybe I should be investing my own resources. So again, I understand, you know, it is somewhat competing with what we have from an OpenSSF perspective, where we're looking sort of more broadly and sort of trying to rally the entire open source community, but there's also, if you will, a selfish interest that I would like to understand.

G
You know, how critical is log4j in my own circumstance? Not so much, yeah, maybe everybody's using it, but, you know, maybe I don't use it at all, or vice versa, right, maybe it's something that very few people use but IBM uses very heavily, and I'd like to be able to understand that. So being able to either give it different data sources for something like dependencies and so forth, I think, would be valuable. That's really my point.
D
Yeah, I think that's a really good idea, and I like it. The internal, private corporations using this tool is certainly a very interesting use case that was just brought up, like IBM. I think your counterpart, Arnold, brought it up to me, Chris. So I think that's a really interesting use case.

D
I think, in terms of the general, broader sense, like understanding how end products, both publicly open source or internal to organizations, are used would be a fantastic signal to be using, like it gives you a better sense of the true criticality of a particular project.

D
I don't think the xpdf people really understood that there was a JBIG, whatever algorithm it was, that was going to get exploited by an Israeli security firm the way it did, yeah, and no one understood the breadth of that issue, because it's in every iPhone, like, and it's hidden under the surface.

D
So I think being able to, like, I think the move towards having SBOMs, I think even thinking about having machine-parsable license files, because they are required to be open source, may help in these spaces, where we can start to collect more data from corporations.

D
There may even be a way we can have, like, a zero-knowledge or some way that allows companies to submit, like, SBOM-ish type data to the project as a signal source without kind of disclosing that they're the organizations that use those dependencies, as a way to further incorporate into their public algorithm as well. So those are ideas that I've had; they're kind of long down the track, but I think there's opportunities there as well.
A
One is I'm the US government, what's internal, and I am looking at the critical infrastructure of the nation I govern and what's important, and I, nice by the way, I think those are going to be different answers, and so I don't think "I want to redo the analysis, but with a slightly different scope" is at all irrelevant.
B
We could definitely create a template to put at the top of our work group's notes so that it's something we can easily refer to, and I think we should definitely start getting stuff done on paper and working on it, maybe even having, like, a more intensive working group session on that in particular, but I'm in agreement here. What do you think, Jeff?
H
Yeah, I think I agree with you, Mira. I think, you know, right now we're talking about the criticality tool, which is separate from the identifying critical projects process, which is another project in our working group. I think we need to have an advertised meeting for any kind of proposal on that topic, but yeah, I agree.

H
I agree. One of the things I was thinking about, and I'm sorry, Caleb...

H
Maybe we should talk about this in another section, but I got a lot of feeling with vocabulary from the TAC that if it's something that's like a project with an output, it needs to be... we, and I think we'll get a little more support if we call our identifying a project, with identified leads and status, and maybe we do the project in the working group meetings, yeah. But let's get this project a little bit more formal.

H
It's the first bullet on our README for the projects in this working group, and I think, you know, we can have, we can...
B
Yeah, I'll take lead on kind of the high-level stuff, but if I need help, I'll gladly take volunteers, and I definitely agree with you on that, Jeff, that it certainly makes sense to. I always go back to the same example, sorry if it's annoying by now, but where the buck stops, essentially, is knowing, you know, where that decision point is, and who's responsible for making that decision or moving things forward. It's really important to establish that.
A
Yeah, I'm not so sure. I'm pretty sure it's not all code, but if it has code in it, it's a project. So, okay, all...
D
Right, I'm happy to be involved as well in this process, and I think, yeah, anyway, I think maybe it's worth talking about this in a separate meeting, but yeah, we are... you're waving your hand.
A
Yeah, I know, gladly, I'll gladly be involved too.
D
Yeah, and it'd be great, like I'd love to have someone from IBM too, because you guys are using this, so either Chris or, I know, Arnold.

D
And it's probably worth pinging Jacques and Julia as well, because they've had a lot of investment in the...

D
...space. Worth moving on, because I really want to get to the Washington stuff at the bottom.

D
No, I'm hap... like, so there's a blog post published on the OpenSSF. We basically, in giving it an announcement, it's running, like it's running reliably at the moment, generating signals, which is great, and the post was, like, to drive attention and try and get some more public interest and contributors.

D
We've had some people trying to run the projects, which is great, so yeah, hoping that it will get some public contributions, and I think having some people trying and running it has shown us that we probably need to make the ergonomics for new users a bit better, but yeah. It's basically the start, like if you're using stars as a metric, it's gone from like 40 to over 400, which is, like, nice to have that improvement in attention.

D
We recently added DNS data to what it captures, which is good, and yeah, still trying to... haven't quite decided what's next. We can improve dynamic analysis, which is probably what we'll do some more work on, but yeah, and also I'd love to integrate more with some of the stuff the MalOSS and Georgia Tech guys are doing, and yeah, but yeah, reach out if you have any more to talk about. Naveen.
I
Yes, is that data available in BigQuery? I didn't see anything in that, but I did see code for that, but I didn't see, at least in the README section, anything on that question.
D
Yeah, what I'll do is I'll add the link, if it's not in the README, to it, and I'll ping you outside the meeting. Yes.
I
You... a general README is the best. Yes, I know it's saved so many questions, at least for four days, like every time somebody asks questions. Caleb, I also have another question, totally low... I remember you mentioning taking the criticality score, moving to Go and using some of the Scorecard. So are you planning to use the Scorecard code, like what is the, like?
D
Yeah, so we're leveraging some of their logic around GitHub token usage at the moment, yeah, which, like, I didn't want to write that myself. There is a lot in common between the projects, that's like they're both basically scanning public repos, although you could argue that the Scorecard project depends on, like, knowing what the critical projects are to kind of prioritize those, whereas the criticality score is about finding them. But I mean, that's...

D
You could argue about that, but yeah, there's a lot in common in terms of what they're trying to do, and so it makes sense to try and leverage, like, as much as we can between the two.

D
Initially, they're kind of separate, but I think the reason I've tried to write it more like in Go and more modular is so that bits can be moved into Scorecards, or there can be more alignment between the two, and we can generalize things that are in common between both, at the very least, yeah.
I
That's, yeah, I think that's an important step, yeah. Right now, Scorecards is not being used as a library anywhere else other than Allstar. I just wanted to understand that; it's something, another critical point that's coming to Scorecard. That's another reason. Thanks.
D
No worries, yeah, and we do meet with Azeem and Laurent on the Scorecard side, and I'll try and make it to the working groups as well for that, as time permits.
C
Just for me, so for the criticality score, if that was offered as a REST API, like, I know that it's in big data, I know that the Bigtable data is there, but if there's an easy way to just, like, be able to pull the latest version of that stuff, just like via, even if just CSV off of a REST endpoint, that'd be really helpful, I think, for some people that want to build apps off of that, if it was, you know, you didn't need to download it with Bigtable first.
B
Wonderful, so moving along, I'll do my update really quickly because, yes, I'm sure everyone is very excited to hear about some of the updates from the security summit in DC, David. For the managed audit program...

B
Thanks to funding from Google and OpenSSF, we are expecting to publish results coming up pretty soon, looking at around Q2, so hopefully by the end of next month. Thinking ahead, what we did was to kind of iterate that list of 25 projects. We updated that, taking into account the full Harvard Census Two study and any other data points that we were able to get, and have an updated list of projects that's currently at about 50.

B
So it's a larger pool of projects to go through, and ideally can serve as a data point for aggregation, and in terms of the next steps, so, as I mentioned, we've got some results coming through the pipeline. Really excited to get those results out for everyone to see, and see some of this work that we're doing, as well as kind of validating this new list of projects and putting proposals together, so that list of 50 projects.

B
I did add it to our existing list as a new tab, so I'm just going to link that here, and if anyone would like to discuss or have comments, feel free to; I would love to hear your feedback. So that's just a quick, brief update on the managed audit program and the work that we're doing, and then we can go over to David and the Open Source Software Security Summit from DC.
A
Okay, let's see, all right. Hey, I unmuted myself this time, always a good sign. All right, so last week there was the, I'm going to read it in a funny way, Open Source Software Security Summit, Second, in DC, Thursday and Friday. The primary purpose was to discuss this thing called the Open Source Software Security Mobilization Plan.

A
I know a number of you had a hand in this, but it's basically an attempt to try to distill some ideas so that at least they can be discussed. Brian likes, and I would like, to talk about this as version 0.9.1; hopefully it makes sense, but this is not set in stone. This is just, hopefully, much better than a blank piece of paper, trying to put ideas that people have put around before it.

A
It was primarily a meeting between folks in the U.S. government, executive branch, and some folks within the open source software, well, in the OpenSSF, but in industry, to participate with the OpenSSF, and it goes into three... It was basically starting with three goals, wow, that were actually from an earlier meeting, and then divided into ten streams.

A
Stream seven is especially relevant to this group, but I think there are three streams that are relevant to this group. Stream two is about a public, vendor-neutral, objective, metrics-based risk assessment dashboard. Stream five is establish the OpenSSF security incident response team; maybe that's a different group, not sure where that goes. And stream seven is about conducting third-party reviews of up to 200 of the most critical open source software components once a year, and there's more to it than that.
A
It was a meeting between the U.S. government, executive branch, and industry, but I do want to clarify that the expectation is that this is not unique to the US government or any specific government. We do very much want to float this around other governments, other public organizations, other private sector organizations, you know, but basically it's an excuse to get started.

A
Who pays? Now, funny as it may seem, we intentionally didn't answer that question. In fact, we didn't even say who does it. It's actually kind of hard to get a large number of people to agree on anything; I'm sure this is news to you.

A
The streams were in many ways based on other recommendations that already exist. We didn't just create everything whole cloth, and then the idea was to drill down just enough to answer the question: what, at a high level, needs to be done? And that was the goal of that plan, to create a draft idea of what needs to be done. Without... now, we did have to answer the question of approximately how much effort, how much resources. We estimated in dollars, but I mean, you can estimate number of people for the most part.

A
It's number of people, really, but, you know, it's what's the level of effort, we estimated with dollars, and what needs to be done, who does it, and who pays? That is the discussion as of that day forward. I think from here on, the idea is, first of all, maybe there's tweaks to this plan that need to be made. I mean, it could be that everybody doesn't agree. I think there was general consensus overall. Most of the changes or suggestions were based on extensions or minor improvements, not wholesale rejection.
A: We're not going to get this by having any one company or any one government paying for it. On the other hand, if you look at the dollars, I mean, if you look at my bank account, that's a lot more money than I have. If you're the U.S. government, this is pocket change. Okay, all of the U.S. is just, looking at the U.S., from all of us: society depends on computers.

A: This is a lot less than a lot of other things the U.S. government pays for, especially if we notice, oh wait, I hear the EU uses computers, at least that's what I hear. Okay, and the UK, I hear they also use computers, and so we'll never get kind of the consensus in terms of how much you should pay versus me, but I think what the goal right now is, is to get people to contribute and help. Now, to wrap it up.
A: We were just, here's a plan, and people basically standing around saying, my gosh, we needed a plan that a number of people said makes sense, and it makes sense to us, and dollars started showing up. So I don't think it's unreasonable to think that we can make more dollars show up now. Of course, we actually have to execute the plan. I mean, that's the downside of all this, right?
A:

B:

A: You know what, I probably should have been clear about that. Not only do we not care who pays, we also don't care who gets the money. If somebody else other than the OpenSSF is the right organization to do some part of the plan, that's fantastic! In fact, a couple of the points, really, are not OpenSSF's or even industry's tasks; there are some things that are really government kinds of stuff, and you'll be... I know I'm the first to tell you, but we're not a government.
A: So you know, and for example, one of the points that was raised several times on the education track was, hey, although not everybody goes to universities, we should get the universities' accreditation changed, accreditation requirements changed. I have beat my head against that wall for years. You know, after 10 years I managed to get them to add the word "security". No content, just the word security. Great, okay.

A: So I'm kind of frustrated, and I gave up for a while, but maybe now is the time to try again; maybe they'll actually care about security this time. But that's ACM and IEEE, okay? We're not ACM, we're not IEEE. Okay, we can write emails and letters, but you know, so it isn't just the OpenSSF receiving it; it isn't just the folks who were in that room that were, hopefully, contributing funding. So it is a global plan for global execution.
A: I expect the OpenSSF will implement a lot of it, because this is a place where industry has basically decided to collaborate, but you know what, if somebody needs to go to, say, the Eclipse Foundation, great, let's do it. Okay! Does that solve a problem? Good, let's do that. Okay, you know, we're happy to work with all sorts of folks.
B: I mean, that's great. I mean, there needs to be strong collaboration, and I think this was a good step in that direction. So yeah, there was a full report released on that, so feel free to look it over, and if anyone would like to discuss any points of it in an upcoming meeting, that would be awesome. Looks like we have a couple minutes left.

B: So I did want to get to the last agenda item about the meeting time, and I guess with that point I'll run it by the... I'll see what the working group says. I think it makes sense to kind of alternate, to do, you know, every other session, do an APAC-friendly time. Thankfully it's still, for the most part, within the day for everyone in North America, so I'm totally for it.

B: If there are no objections, I think we can come to a consensus right now on whether we should do that or not. Does anyone have any thoughts or feedback? Is it...
D: It might be worth touching base with Dustin or someone in the other working group that was doing this. I think that they ask each meeting whether it's okay, but I certainly would appreciate being able to attend more of these. So...
G: It would, I think, be preferable from my perspective if we had a fixed alternate time, you know, in other words, every other week or whatever the schedule, rather than ad hoc and asking each time. And then the other request I would have is that if he actually put in the minutes, you know, because I actually have two invites: one...

A:

G: Five, and one for noon, or you know. And so again, I would just sort of prefer if we... and I'm very supportive of the alternating; I've done that in a number of working groups that I've run. So I think that's the fairest thing, and again, if we do it consistently, then I think we'll have the broadest participation as a...

H: Result. Yeah, Jeff or David, should our early time be earlier?
A:

G:

H:

I: Yeah, the Scorecard also. I'm gonna suggest this. Let's go... that also, obviously, would like people like Caleb showing up for that. So I believe we don't want to be on the same day, so we all step on each other. So we just have to work across the groups to make sure that it is so that we can have every other week.

I: Please, like, this was great, because prior to this there was a school coming, then after this meeting was there, so easy for me to go, so we should probably plan like this.
A: Please don't schedule on top of another OpenSSF meeting. That just, you know, let's at least not shoot our own feet. And I will actually quickly add, there is actually some work ongoing within the OpenSSF: we've actually contracted with some folks that are used to doing some APAC-related outreach, because, you know, folks in APAC actually have some other challenges.

A: Obviously language is an issue and so on. So we are trying to do some other outreachy things to reach out, but this would certainly... alternating times, lots of folks do it, it makes sense. We just got to find that other time and make it consistent.
B: Yes, and just for any lack of confusion, next meeting time we'll just... we'll have it at our regular time that we have been meeting until we finalize the new schedule. With that, thank you so much, everybody. Thank you, Caleb, for the updates, and everybody who participated today, and I will see you in two weeks.