From YouTube: Securing Critical Projects (March 10, 2022)
Description
No description was provided for this meeting.
C
Jonathan Meadows, are you going full stealth mode? There.
C
My partner's thinking behind me, with my green screen effect, is completely blocking her from being displayed, but she was stealthing across the screen behind me just now.
A
Oh, thank you. Does anyone have a good link to the Census II study that was just released last week?
A
Okay, awesome. Looks like we're already recording, so just a heads up on that. We can go ahead and get started. Hi everyone, welcome, thanks so much for joining today. One thing that we did not do directly last time were new member introductions. I think I see a couple of folks here, so we would love for you to introduce yourself and talk about what brought you to this work group, and yeah, we'd love to hear from you. So we'll start with introductions.
C
In a while. I don't know if I remember inviting myself or introduced myself; I think I've seen some of your faces before, but hi. My name is Jonathan Leitschuh. I was here a few months ago, took a bit of a break, and I'm now back. So I'm working for HUMAN Security and I'm doing the Dan Kaminsky Fellowship, so open source security research for the next year.
A
Awesome, hey Jonathan, nice to see you again. Do we have anyone else who'd like to introduce themselves?
F
Happy to jump in. Hey everyone, my name is Liran Tal. This is my first call with the team, so I've just joined in. I'm a developer advocate at Snyk. I'm taking part in other working groups. I guess I've got some background with working on the Node, what used to be the Node Foundation, today the OpenJS Foundation, ecosystem security working group, and some awesome stuff. So happy to chat and work through all of this with this one, a bunch of great humans on making open source security really awesome.
A
Okay, okay, so with that, we do have just a quick announcement regarding the next session. That's going to be in two weeks' time, on the 24th. With that, I will hand it off to Jeff.
G
Thanks Amir. Yeah, just a bit of an announcement: Caleb from the Criticality Score project has a proposal and wants to do a real deep dive presentation to this team.
G
The only thing is that he is in Australia, and this time is when he's sleeping. So what we thought would be good is to have a one-off, later meeting for the next meeting in two weeks. So the proposal time is, oops, put here in the notes, it would be, depending on your time zone, 8 am Australia, 2 pm West Coast, 5 pm East Coast, 9 pm GMT.
G
Again, that's a one-off for next time, and I have the link to the presentation. If anybody wants to look at it ahead of time, I put it there. But yeah, Caleb's going to go over a lot of the kind of criticisms that he's collected of the project.
A
Awesome, awesome, thank you so much Jeff. Yep, so just a heads up then: for the next meeting, 3/24, the 24th of March, that's going to be a little bit later than we normally have it. But I also do want to just say thanks to Jacques and everyone else who joins from the different time zones. I know that can be tough sometimes, so we really do appreciate that, and yeah, hopefully we'll accommodate with this next meeting and have a deep dive into Criticality Score.
A
So, since we're going to be doing that in the next meeting, I thought for this session, given the release of that Census II report, finally, with all the full data from that report, before we really dive deeply into the... oh, hi Jonathan, hello from London. That's awesome! I love that we have an international group as well.
A
I think that's really cool. But yes, so before we dive into the 100 greatest hits and the whole process of developing our list of projects to help the other projects, I thought we can have kind of an open discussion talking about this report.
A
You know, a lot of data came out of it. I think around 4,000 open source projects were identified as a part of the release of that data, so I thought it would be cool, if we don't have any objections, to kind of talk about the report and what we thought of some of the data that came out of that, anything.
A
That was, you know, not a surprise at all, things that might have been more surprising, or maybe things that weren't surprising at all, and yeah, any insights that we can just draw from that, just from kind of having a bit of an open discussion on that.
A
I'm sure you'll have a lot of thoughts, so yeah, with that I'll open the floor to discuss the Harvard census release. And, as always, the notes sheet is communal, so feel free, if something sounded important to note and hasn't been jotted down in the doc, feel free to participate in the note taking as well. Okay, awesome. And I believe it is... I'm not entirely sure who has access. Jeff, do you know who handles that? Like, if someone...
A
Good, document. Yeah, the easiest way is to try the group. Yeah, that's what I did. Okay, yeah. So if you'll join the Google Group, I believe it is, for this working group, that'll grant you access to the document and the emails that come through as a result.
A
Okay, yeah, I think at some point we'll probably want to fix that, just to make the access controls much easier and allow everybody to collaborate and contribute. But yeah, so with that, any thoughts on the Harvard census, which has been linked in the document? If you want to take a look at the report, I'm pulling it up now.
E
I guess one of the ones that stood out to me was the critical dependency on such a few number of developers. Actually, I think when it was presented last week, I don't recall the actual number of developers that suggested, but it seemed to be very few developers doing the majority of the code for the top X projects. That was quite eye-opening.
E
Actually, you know, there's always a quite tight-knit open source community, and certainly a tight-knit group that are focusing on security, but finding out that actually there's something like, you know, a hundred people almost, I don't recall the exact number, are actually writing the top 200 libraries. That's a critical personal dependency right there, right. That was a bit more acute than I'd imagined. And I guess the other point, which is a known one, is the lack of standardized naming being a critical issue.
A
Yeah, I completely agree with you, Jonathan. I thought that was surprising. I thought the number was something like 130, but I think, you know, if we're talking about securing critical projects, it might make sense to maybe reach out to these 130 people and see how we can help them. So that was, I thought, yeah, a very good bit of insight from that. Thank you. Anyone else?
D
Yeah, I can sort of add some color to that from Ruby land. We're pursuing a policy whereby the owners of the top 100 most downloaded gems would be required to enable MFA, and when the maintainers of rubygems.org went and crunched the numbers, they found that out of the 100-and-something-odd people, 11 people would have to do it.
D
Who haven't already enabled MFA. So there's a great deal of concentration in at least the Ruby ecosystem as well.
A
Yeah, it reminds me of the old 80/20 rule. It seems to certainly apply in this field as well, yeah. It's definitely a...
I
As we all do, just the report sections, and with an Apache hat on, it was shocking to see Avalon even appear on the list. So I'm looking at the last one, right. This is the non-JavaScript direct and indirect, so the full tree, what's the most common thing to show up. Avalon died in the early 2000s as a project; that jar file that's been referenced was built in 2005. Pretty sure there's some weird stuff in Maven Central where it seems to have been copied around in 2015. I'm not sure why, but that's old stuff. That one's worth working out as to why that's appearing there. One of the bits that I think would be very useful to do for a future census, like in these things, is put the date that the artifact was built. I don't know if we can always do that for npm and things, but I know in Maven land...
I
One of the things I always do is, you know, check the timestamp of the zip that the jar effectively is, because sometimes you're finding jar files from 2001, and it's easy to tell. So that was just an obscure project that jumped way high on that list. That should not be that high on that list, or, if it is that high on that list, someone needs to figure that out. Yeah. Absolutely, that's a great question.
A
Yeah, yeah, and that's a good point, and that might be something of value that we could provide: you know, identifying projects that are probably deprecated, or, you know, there are probably better alternatives, more current or more secure alternatives. You know, if we can identify these projects that are probably out of support but still, you know, very critical, then, you know, maybe there's something we can do about it as a working group. But yeah, that's a very good point, and I'm sure that's not the only one.
J
Well, it suggests also tying in some of the CHAOSS metrics to some... this might be a value, you know. When was the last time the team was active? Not sure, but it feels like there's these non-functional kind of criteria that matter, and it was worth throwing up red flags in a dashboard somewhere.
E
Yeah, great, sorry, I agree. I think, you know, there was one comment I heard from someone suggesting that their library was code complete and therefore they weren't updating it anymore. However, once the security issue was raised with them, they responded really rapidly to it. I guess that's like a little nuance we need to take into account, but I do like the idea of raising a CVE as soon as someone steps away, you know, as long as we take account of when people are effectively finished in some way.
I
If you had a single metric you could use to determine what software you should choose or not choose, "has released in the last small number of years", I think, is the only single metric you pay attention to, because it doesn't just mean that software is new and modern or something, but also that that team has been able to react to an issue, and how they're showing life within Apache.
I
So almost the reverse thing is: anyone could start a vote that says this should go to the Apache Attic, and as long as you've got three people saying no, you have successfully beaten that vote. With packages like this, it's effectively: if you've managed to do a release, then great, you are above-the-bar software, and you can handle the CVE, you can handle the security issue.
I
So, even if your code is sort of locked down and, you know, is solid and done and nothing to add, you probably still have the need to release once every two or three years, something.
B
So as we discuss this, you know, I can't help but think of some of the problems that Jonathan has been having just getting CVEs from certain CNAs that I shan't mention, but I'm sure he's willing to. And so, if we're going to go that direction, and I do think it's interesting to, if not a CVE, at least find some other way to mark these as potential risks, right.
B
But if we were to go the CVE route, for which there is already a lot of infrastructure, right, and that we could very quickly and easily leverage, how could we convince the CNAs to actually participate, right, when we can't even get some of them to open CVEs for legitimate security bugs, and they might not see an old package or an old release as being legitimate?
B
So maybe this is jumping a bit too far into implementation rather than just insights into the report. But I think it might be a larger problem that we need to look at, you know, getting cooperation from CNAs.
C
I can follow up there. So I finally have a contact at MITRE, so I'm able to go through the... I had two appeals that I had kicked off, and then, you know, now that I have a contact at MITRE, I can just say: hey, can you help expedite this? And so that's, you know, yeah, so getting a CVE to begin with can be really difficult.
C
There are certain companies, that's, you know, one of the things that's kind of kicking around the ecosystem that I've heard mentioned a couple times is like getting a CVE number issued if a package is no longer being maintained, right, or if a piece of software is no longer... like it's end of life by a company, they should release a CVE for that as well to say like, hey.
C
This is no longer safe. And, like, just blanket statements: no longer safe, you know, you shouldn't trust it. There's differing opinions on that, yeah. The other thing: I've had to figure out how to collaborate with a bunch of different CNAs.
C
Like, you know, I use GitHub for some of the stuff I use, but GitHub's not willing to issue CVEs for vulnerabilities that are not opened by the maintainer. MITRE is, Snyk is. So yeah, so you kind of have to be like, you know, just poke everybody, which takes a lot of time, and it turns into... it can, for somebody... this is a side project. It's a lot of time, more than you can actually spend, versus somebody...
H
I'm just wondering, do we, maybe we do have a need for an open source centric CNA?
C
That was done by, oh god, what's his name.
C
Yeah, so that existed for a while. That was run by Kurt Seifried and Josh Bressers. They had that for a while. They have stepped away from CVE for a variety of reasons; they're working on an article about that. They have had a lot of experiences there trying to shift the CVE mindset, and they've had a lot of struggles there. But yeah, so the current difficulty that I have is the easiest one that I've found to get CVE numbers with is Snyk.
C
I love using Snyk. However, Snyk's database is... when you get a vulnerability disclosed to Snyk, they take the data that you provide as a security researcher and they put it into their database, but their database is locked behind a paywall, so you have to pay. You have to pay for their data in a structured format. Their data is free on their website, but if you want an unstructured format that a tool can use, you need to, like, basically transpose that into your own tool.
C
So I try to disclose my stuff via GitHub, using the GitHub Security Advisories, GHSA, system, and I will also potentially, if GitHub won't give me a CVE, I'll get the CVE from Snyk. But because I publish via GitHub Security Advisories, it ends up in the GitHub Security Advisories database, and that is a structure: I've already written in the structured data that says this is the package impacted.
C
This is the, you know, whatever. So, and because GitHub's database is under Creative Commons, then that data can be used by tools, and so I'm not just providing the data about the vulnerability to a CNA that's going to make money off of it and not provide it back to the community in a structured format that can be used by tools. So, you know, but I'm me, and I've been doing this for a long time and I figured out all these things. For somebody, you know, especially a new security researcher...
K
Is that people often take open source software and create a business model where they fork the code, and then they produce bug fixes on top of it, and they sell that as a value add to customers, and they intentionally do not report bugs and/or CVEs back to the open source, so that they can have that as leverage to sell their customized version of that open source software. So I don't know how that can be factored in, how we disincentivize those types of activities.
K
I'm not gonna say on this call, that's totally fair, but these are actual conversations I've had with major customers who are trying to get us to force these third-party companies to submit their bugs and potentially CVEs to the open source communities, but the open source committees do not have that type of leverage. If you broke the code, you've worked the code, as long as they're operating within the license.
C
So the question that I have is: what is the... how does this group relate to the Alpha-Omega project? Like, I know that that's something that the Alpha... this is a kind of problem the Alpha-Omega project is somewhat aiming to fix, or try to dive in on, and, like, throw researchers at and start working on. Is this kind of a discussion about how Alpha-Omega should do their disclosures, or what?
A
Well, today's session is generally more open discussion just on the Census II. But to answer your question, the general thought process is, we are going to help identify and categorize the projects, because there's a lot, and so we're essentially going to help them on their focus, on which projects to focus on and to put resources into. So it's going to be helping them and other working groups like the MFA project.
A
Who is looking for projects to give out MFA tokens to. So it's, I think, to help guide decision making and just to provide some insight. Really, it's like a consensus-based insight on, you know, what are the most critical projects?
A
That's what we're working towards, and I thought with today, you know, we'd keep it a little bit more just discussion based, you know, all that data came out with the Census II, and then we would start essentially working together on a good process for identifying, curating and categorizing those projects further.
A
So that's actually a great segue into a question, a discussion point I had for the work group based off of the report, which is the thoughts on how it was categorized, because, you know, we are thinking, you know, we are talking about different types of categories, and I see it's already come up in some discussions quite a bit in the chat and otherwise. So I did note all the different categories in the sheet, in our notes sheet.
A
So I would love to hear any thoughts that the work group has on how the projects were categorized and how that helps with essentially solving the problem of identifying critical projects.
D
I'm not sure what feedback you might be hoping for or looking for. There's eight groups of five hundred, so what's that, four thousand.
D
Dependencies to sort of eyeball. It's difficult to do in a one-hour slot. Yeah, yeah, I'll...
K
That's still from earlier, but I do have to go, but I'd love to say that I was trying to scan through the report live on this call, and I appreciate the table outcomes and their methodology described. I would just love to, as I said earlier, two things: I would like to understand the trend, which, like, I know talking to a lot of major cloud providers where they might be using a certain...
K
You know, libraries today or packages today, but have plans to adopt Rust or other newer languages tomorrow, to see like a time-based trend, as well as to get at least a sense of what the higher... how they netted it out to the low level packages. But I'd love to see what higher level projects these things hit, when they think what package, what projects they're factored into, basically as dependencies. I'd love to see that.
A
Yeah, that's a great point, because I think, you know, identifying emerging technologies, or a way to determine edge cases, you know, those things that don't always come to mind right away but are, you know, equally as important. It would be good to have some insight on that and trends. So absolutely.
A
Okay, cool! Well, I guess, if there's not... I know it's a very expansive topic, I'm just curious, yeah, if anyone had any thoughts on how these projects were categorized. Is there any way that potentially could work better, or, not worse, but that could work better, in terms of, you know, how would you categorize?
I
I do, I find myself fairly quickly gravitating towards the last reports that get version specific. The earlier reports do feel more TL;DR, and, you know, you're like, great, this one's top, but is it a really old version of it? Is it one version? Is it a big span? You start getting interested in the details there. I also quickly find myself wanting to sit in Excel and filter by language, so I can get that here's the Maven picture, here's the Go picture, because it is just separate ecosystems, they're separate worlds, and seeing them side by side is useful when it's a case of deciding I've got one project I can help, what's the top. But to get that feel, I'm immediately wanting to look at them.
I
Also, I know more Maven history, so I feel like I can immediately apply more thought by looking at the Maven list and trying to think about what looks odd here, what looks terrifying, what's a project I've never heard of, and is that something new that I haven't heard of or something that's just hiding out there in the depths of open source. So that's my immediate instincts here, and with my Apache hat, I also want to filter through for the Apache projects and be like...
A
So that's a good point, and I wonder if we can potentially get a filtered list from the folks who developed the report, if they have any insight on that. Would you happen to know, Brian, not to put you on the spot here, but if anything like that was done or is being done?
A
Or potentially chopped or filtered by programming language.
J
Don't know what his underlying data set looked like, so send me an email with, like, some kind of a specific ask. I can relay it to Frank, or if anyone knows... I mean, I'm sure people here have been in touch with Frank Nagle at one point or another. So, but yeah, send me a note. I'm happy to chase it down. Okay.
B
So yeah, there should be a way to have this be a consumable list, so it's more actionable by whomever, be it slicing and dicing or what have you. And as we're having these conversations and coming up with this feedback and just general thoughts around, you know, categorization, and, you know, information that would be handy to have, à la Hen's recommendation to have version, which, yes, absolutely, I would love to see that. Do we know whether there's going to be a Census III? Because then they can actually accept our feedback.
B
We can hand it to Frank and see whether we can keep this going, and I do think it's important to keep an eye on this ecosystem long term, and be that, you know, Frank and his team, or whomever, this group, or, you know, can we pick up that ball of the census and keep moving it down the field, or, if we do football, I guess, you know, kicking it down the field, to just sort of keep things moving, because as valuable as this information is now...
J
I think it's a big... in retrospect, but we should have Frank come here and have a conversation at one of the next calls. Yes, let me actually do that, yeah, because, yes, we're definitely interested in continuing the work and continuing to fund Frank to do more reports like this. I don't know what he's thinking or what some others of the LF might be thinking for a Census III.
A
That's wonderful, thanks Brian, yeah, absolutely. Another thing that comes to mind, in the scope of kind of what we're looking to do with, you know, developing a curated list of critical projects, is, and we don't need to necessarily get into it too much just yet, because I know it's going to require a lot of dedicated time, but making it curated and iterable, meaning that it is, you know, constantly being updated.
A
You know, as the landscape changes and as things change. Does that seem like a good kind of general idea in terms of how to design something like this, to be, you know, kind of a living, breathing thing that is changing with the times?
B
I suspect that's going to be a pretty heavy lift. I will have to wait and hear from Frank as far as what was involved in just creating this one, but the negotiations required, I suspect, to get the different data sets from the different vendors and the different providers, and then to crunch that data after coordinating and rationalizing that data and normalizing it from different data providers. You know: does this field mean this in all providers, or do we have to...?
J
Yeah, I appreciate they keep setting expectations modestly on this. You know, I think we would all love a weekly or daily, you know, leaderboard for what's been consumed today, what's critical today or not, what are the trend lines, that kind of thing. I just don't, you know... I know that we had to deal with a lot of sensitive data sets. You know, there's commercial interest in keeping that data up.
J
You know, to folks themselves, so I don't know what we're able to do here, but maybe we've created some demand for a step function improvement in this. So let me talk to Frank, first, to invite him to this call.
J
Second, to ask him if there's interesting data sets that, you know, if we can provide this in more machine consumable form, just what was published in the report, let alone the backing data. And then third, you know, maybe to start thinking about what would it mean to create a continuous, stream-oriented view of this data, because it no doubt changes over time fairly quickly.
A
Okay, yeah, and, you know, it's good that we're having these conversations now. You know, we'll discuss, and I think in general I lean towards, you know, minimum viable products and something that we can get out and iterate on and build on, but I also see the value of, you know, really taking the time to think about things before launching them. So I'm sure we'll have to find a happy medium through our discussions and through what we're trying to accomplish, so yeah.
A
But I totally agree that getting Frank in here to maybe give us a little bit of insight onto the data and what could possibly be done with the data, I think, would be really helpful.
I
Just one thing to add in here, thinking about the data: something I think we'll end up having to figure out how to dig into is the indirect list. So the direct list is easy, right. You're like, people have chosen this for some reason, but the indirect list leads you into figuring out why, like, what path got to this? Was it many paths? Is it...
I
Is this appearing only because it's depended on by one project? And that's, I think, a bit where we end up asking Frank a whole bunch of deeper questions, of like: are we barking down the wrong alley?
I
If we're looking at this one thing, because the voice in the back of my head is reminding me that I think that Avalon thing I pointed out, I think, is a dependency on the logging frameworks, and so possibly the only reason it shows is because it hasn't changed in 20 years, and therefore this optional dependency might mean it just really shows up a lot. So we have to figure out how to go backwards.
A
Okay, wonderful. So what I think we can do now, we've got about 20 minutes, just under 20 minutes, left in our session today. There have been a couple of future topic ideas that we haven't gotten to in the last couple of meetings.
A
So I thought, if the work group is cool with it, we can just leave this, have this time open to discuss either any future topic ideas or maybe topics that we haven't gotten into in the last couple of meetings, just to make sure that we're hearing from everyone and giving everyone a chance to talk about what's important to them. So with that, I will open up the floor to anyone who would like to bring any topics up.
B
Just a quick one on behalf of Julia from Twitter, for those of you who haven't looked at the Slack channel: she's working on the outreach document and would love it if people could have a look at the outreach document. Amir, do you have a link to that handy?
B
I do, drop it in the chat. Brilliant. And if people could have a look at that, and if you are willing to take ownership on a section or two, just add a comment and say so, so we can start to move that document forward.
B
So that's the end of my thing as your Julia proxy for today.
A
Awesome, thank you, Vicky, and, by proxy, Julia. Yes, I was taking a look at her document, and I think, especially as we talk about the insight piece, you know, how are we gonna take, you know, a list of projects and draw some insight out of it, I think her expertise, outreach program, I think, fits in perfectly with that. So yeah, that'll be fun to dive into further, and yeah. So thank you for that update. Anyone else?
B
How would you suggest we approach that? Would you like to... I mean, we could set aside a call to have a working session where we just walk through issues or assign them up to people, or people dive in and take ownership? What do you think would be best?
C
GitHub, you know, either getting into the user interface for GitHub or getting refined... GitHub, to add that, it's like a component that you could see when you're looking at a repository. It'd be like, I'd want to refine... I'm sorry, I thought you were finished, go ahead. Go ahead! Sorry, no, yeah! I was rambling.
D
Hey, that's my line. I was thinking I would like to refine Criticality Score more first. One of my concerns has been that it feels as though it mixes together considerations of event frequency with event magnitude, like some of the indicators are kind of covering both, or not fully orthogonal.
D
That's just been a personal interest. This is something I talked about, you weren't here, a couple of weeks ago, Jonathan, when I did a presentation about ranking software projects, and I talked about that briefly. So if you go back to the notes for, I think, January 27th, that might be where it was, or the 13th, one of those, a couple of meetings ago, when Julia and I presented on different aspects of that identification problem.
B
Yes, but okay, go ahead. Now, there's a recent paper showing that a surprising percentage of important projects are not on GitHub, and yet all these assumptions are being made that they are, and so that's something that we really need to be aware of and to protect against, as we should not be making that assumption.
B
As we are looking at these critical projects, while we can certainly make a difference by working with GitHub to surface this information, I love your idea, by the way, Jonathan, to surface this information as much as possible.
B
We can't limit ourselves purely to GitHub for that, and we have to make sure we are reaching out to other places like Apache and Eclipse, and there's other organizations.
B
But I think we've got enough people with contacts that we can certainly do that, but we can't make the assumption.
C
As so, I'm mostly working Maven and Java ecosystems for my security research. It's my impression that all of the Apache Maven stuff, although not actively necessarily being developed on GitHub, is at least mirrored on GitHub. Is that accurate, or is that still not accurate for some Apache projects?
I
Pretty accurate, I think. So I think Apache and Eclipse, I think you can find anything in the last 15 years, probably, on GitHub. Like, the issues aren't being used, pull requests might not be used for a project, right. There are other ways to get code in. So a lot of the problems come when you're trying to do anything other than find the thing, but also like the path to finding that component.
L
So right, right, but some of the tools like Scorecard and so forth assume that GitHub is there and that the GitHub settings are set, and otherwise you get a bad score. So, you know, we're going to be dealing with an awful lot of false positives for a number of Apache projects, for instance, that aren't really being managed through GitHub. They're just out there for, you know, ease of finding them, you know, from a GitHub perspective, but that's not where the controls are in place, right.
C
I
D
This,
this
sort
of
goes
back
to
one
of
that
that
pet
peeve
of
mine,
which
you
said,
there's
some
sort
of
orthogonal
mixes
of
of
signals,
so
the
dependency
count
versus
you
know,
issue
activity
or
the
age
of
the
project.
D
Some
of
those
metrics
are
talking
about
predicting
sort
of
there
to
kind
of
like
predict
how
likely
it
is
to
have
some
vulnerability
in
a
given
span
of
time.
You
know
the
frequency
and
something
like
dependency
is
a
proxy
for
what
is
the
magnitude
of
an
event
if
something
goes
sour
and
they
they
smush
together
linearly,
even
though
they're
different
dimensions.
M
A
M
I
just
want
to
add
so
there
is
already
a
backlog
items
for
scorecard
team
to
support
in
other
source
code
repositories
as
well
right
like
a
and
the
same
discussion
come
up
in
another
call,
I
believe,
with
alpha
make
I
don't
recollect
so
currently
we
have
multiple
places
where
we
can
find
scorecard.
One
is
a
depth:
dot
dab
right,
like
that's
currently
being
handled
by
google,
but
irrespective
of
github
or
gitlab.
They
have
all
the
packages
right,
but
it's
a
programming
language
ecosystem
packages,
mainly
right.
M
So
there
is
that,
and
I
think
we
also
have
a
another
metrics
graph,
for
instance,
where
you
know
openness
of
itself
hosts
the
scorecard
score
for
a
critical
projects.
I
believe
I
think
there
is
a
discussion
about
migrating
that
we
should
migrate.
Like
you
know,
a
discussion
around
that
also,
you
know
if
there
is
any
progress
with
that
discussion.
C
Additional
context
for
why
I'm
asking
is
so,
I
do
security
research,
but
I'm
looking
more
for
I'm
looking
at
more
security
vulnerabilities
in
breadth
instead
of
depth,
so
I
write
code
called
queries
and
find
you
know
how
many
thousands
of
projects
are
vulnerable
to
this
thing.
And
then
I
look
through
the
list
and
try
to
figure
out.
C
Okay,
like
from
these
thousands
of
you
know
hundreds
of
projects
which
are
the
ones
that
are
most
worthy
of
of
having
an
individual
kind
of
catered
report
to
them
and
which
one's
the
one
you
know
I
so
what
my
goal
is.
Is
I
try
to
report
to
the
ones
that
are
important
and
then
then
for
the
rest
of
them?
I
I'm
working
with
a
company
to
do
bulk
floor.
C
Press
generation
generate
thousands
of
pull
requests
to
just
fix
the
security
vulnerability
out
from
under
the
maintainer,
so
they
don't
have
to
really
like
you
know,
and
that
scales
a
lot
better
than
me,
reporting
individually,
but
that
whole
question
of
like
okay.
Is
this
project
worth
my
time
to
report?
To
or
not
is
a
question
that
I
continue
to
have,
and
so
you
know
currently
I
because
I
you
know
the
criticality
score
is
not
there
in
front
of
me.
C
I
go
off
of
like
okay,
how
like
how
long
has
it
been
since
this
project
has
last
had
commits
to
it?
How
many
issues
that
have
opened
any
pull
requests,
like
you
know
a
little
bit
of
activity
and
like
the
major
thing
that
I
look
at
is
the
star
count
on
github?
Is
you
know
that's
one
of
the
biggest
things
like
higher
star
count
and
that's
you
know
not
perfect,
but
if
I
had
something
that
was
a
little
bit
better
thought
out
than
that,
it
would
make
my
life
easier
in
terms
of
making
those
discernments.
D
The
the
discussion
we
had
a
month
ago
and
continued
at
the
last
session
was
in
part
about
that
is
that
we
have
two
related
problems,
one
with
which
is
a
ranking
problem,
so
that
you
could,
for
example,
see
the
rank
of
something
and
say
that's
high
enough
that
I
care
to
do
it
by
hand.
D
I
posted
a
link
to
the
presentation
I
gave
back
there
and
the
related
problem
was:
if
we're
ranking
things,
then
that
implies
a
human
or
at
least
some
human
expert
input
has
been
taking
for
that
ranking
and
we
need
experts
to
do
that.
We
need
to
actually
find
those
experts,
and
that
was
the
outreach
problem
which
julia
has
been
working
on.
D
That
becky
pointed
out.
Oh
she's
finished
that
that
vicky
asked
people
to
participate
in.
A
Awesome,
wonderful,
so
yeah
we
got
two
weeks.
We
got
caleb's
presentation
and
then
at
the
session
after
that,
we'll
be
back
to
our
regular
time,
yeah,
and
so
with
that
we've
got
a
couple
minutes
left.
If
anyone
has
any
final
thoughts,
any
good
conferences
coming
up
or
any
interesting
any.
You
know
last
bits
of
tidbits
for
the
rest
of
the
work
group
and
then
we
can
adjourn.
D
I
bought
three
books
on
expo
judgment
because
I
didn't
exercise
the
judgment
to
just
pick.
One.
A
Yes,
easy
to
say
hard
to
do.
Indeed:
yes,
okay,
wonderful!
Well!
Thank
you.
Everyone
really
appreciate
everybody
joining
today.
Great
discussions
can
refer
back
to
this
recording
or
the
notes
and
feel
free
to
add
anything
to
the
notes
that
might
have
been
missed
and
we'll
see
you
in
two
weeks
for
the
one-off
session,
that'll
be
a
little
bit
later
and
that'll
be
on
the
24th
and
again
thanks
everybody
and
have
a
great
weekend
and
we'll
see
you
all
soon.