From YouTube: Securing Critical Projects WG Bi-Weekly (April 20, 2023)
D
My wife has an app, I've forgotten what its real name is, but she calls it Shazam for birds, so she'll just put her phone up and it'll tell us which bird is which, you know, that's a cardinal, that's a robin, all that sort of stuff, and the specific species, and so on.

D
I mean, if everybody's nearby you can come on over and visit. My deck, I have power and Wi-Fi.
E
All right, well, I'm going to get through as much as we can. Maybe we should get started, people can trickle in. Do we have any volunteers to do the screen share?

E
All right, can you see my screen?
D
I can now. Were we going to be talking about this proposal to consider soon?

D
Yeah, I think if I recall, the issue there was, it wasn't... I think there were people asking how did this list get created, and Jonathan, I don't know if that's already been answered, and if not, maybe link off. You know, if there's anything else, if there is a rationale, maybe link to it, and if not, maybe write it and link to it.
C
It's in the document, for every single line there is an explanation of where that line is coming from.

D
Yeah, okay, yeah, like Debian popularity or, yeah.

D
Yeah, but that's just, okay, like "250 most common GitHub URLs in the CVE database", got that, but like "criticality score", I mean lots of things are on criticality score. There must have been a cutoff or something. And lots of things are mentioned in the census, the Harvard census too. I think just that you have two or three words isn't really enough. You know, if there could be like a key, you know, if you say this in the source, what's that mean?
C
Is there a question that has been posed to Michael Scovetta, either in the issue or in the email thread?

D
Let's see here. You know what, I think it probably belongs in issue 66, okay. So why don't I respond to that and I'll put Michael Scovetta as an @, and hopefully that'll at least notify him that somebody mentioned his name and whined about it. Yes.
E
Yeah, so, I haven't put my comments in there. I was going to wait until other people commented before, you know, as the chairs, I don't want to set the tone before anybody else comments, but yeah, I want to discuss this in a future meeting.

D
Yeah, yeah, in fact, you know what, I just posted it in the issue, so I'm gonna open up chat, click, and wow.

G
Yeah, that is a reasonable request. We're gonna actually find the data, yeah. That's fine, yeah.
D
What does that mean? And I think that would clarify things, and in some cases maybe some comments about what it doesn't... but at least, you know, where'd you get that? For example, criticality score, I know that really emphasizes activity.

D
So in that case, I already know the risk of that particular measure is, hey, if you're not active, that doesn't mean you're not important, but it won't show up high on the criticality score, but...

G
...get caught in one of the other ones. I'm also, so just to be clear, I am super happy for this not to be the Alpha-Omega 10,000 list, but for this to be the security projects 10,000 list, in which case, like, evolve it at, you know, the whims of this working group, and we will just take it and say yup, that's... I'd rather point to something that's upkept rather than, you know, try to upkeep it, right.
B
It's not really clear, and I think this is sort of good with the 10,000 projects from Alpha-Omega, is that there is sort of a recipient for this, like okay, we create these critical projects. What exactly is the pipeline or the flow in the OpenSSF after you do this? It sort of doesn't make... I mean, I don't think it's... it's interesting, it's nice, but I'm hoping that it's not just a matter of, oh.

G
Fair enough, yeah, I mean, I also think that having the list, other folks are going to have the question of, like, I have a thing I can do at scale, but not at the scale of the universe. What's the most important stuff that I should be thinking about? And just having a list available which is like, yes, it's not perfect, but it's a list and it's probably approximately correct, and I think, you know, if you build it, they will come.
B
...of the list, yeah, exactly. I'm not saying, you know, again, stop what we're doing, but it's simply a matter of, okay, I mean this is a great list of things for me. It's very comprehensive. You said you made all these ways that we produce it. You know, there's some duplication, but long run, again, not to belabor this, but for us to discuss after we get through our current scoring mechanism is to figure out how.

B
How are we wanting to integrate this together? Is this sort of a new starting point? Once we get through this, our current sort of, you know, race or whatever we want to call this, is to then sort of step back and say what really is the purpose of this group, of this list, and how do we want to balance between this ten thousand and the list that we've inherited, or the group has been working on so far, and then potentially, in contact with [unclear], next time saying, okay, we've got these different resolutions or types of information. You know, let's start sort of socializing this amongst the OpenSSF. What's the best way, you know, or are these sort of different purposes?
E
Let's add some of that stuff, it's a future topic idea. Can you add one or two there? Okay, I'd like to hit some of that stuff after we're done.

H
So, yeah, attendees, do we have any... welcome, everybody. Yeah, go ahead and look at the notes linked

E
in the meeting invite. Do we have any new faces that are new or, you know, returning after a long absence, who'd like to introduce themselves?

E
Thanks everybody for joining, so yeah, I wanted to call out, and what we were discussing right now is, there's a proposal for a new project or SIG, not sure which one it would be, to join this working group. So please take a look at the issue or the mailing list post and leave your comments or questions there. We want to have a formal discussion in the meeting once we finish our current iteration of the critical projects set.
E
I think projects are supposed to be code, so...

C
An item that would be owned and, you know, deliverable from this working group, that's not a SIG or a project. Maybe it is a project, I mean maybe it's code, maybe it's...

D
There's a terminology weirdness here. We call stuff that isn't mostly code SIGs, but at least in the OpenSSF we have other SIGs that don't have separate meetings either, so I first thought you meant a SIG with a separate meeting, but you don't have that, so okay, yeah.
E
Yeah, something that's on the list of our things that we can produce anyway, so yeah, look at that. But let's get busy with our working meeting and start looking at our list voting, discussion, consensus building on the set. So we had a small meeting last time, the APAC time isn't as popular, so there were some that we passed on but we left comments, and then some that we didn't get to, so let's go ahead and, I guess, just go down the list. All right, up.
E
All right, I think if it's just Docker pull count and nobody knows it, and it wasn't a particular suggestion with considerations, we should just go ahead and vote no, since we don't have any reason to say yes.

C
I mean, it's used by the websites of GSK, Wayfair, NASDAQ, Verifone, Moderna, AppDynamics, which is part of Cisco.

D
It's on the 10,000 list four times, interestingly enough, which is a little unusual, yeah.

D
I realize you're being silly, but in all honesty, making it very clear that there are non-trivial companies who are using it is clearly a plus. I'm not familiar with it, but the Docker count is high, the criticality score is high.
G
I'm trying to look to see what... I don't know how high. Okay, so if I look at, like, Alpine, it's, you know, eight million in the past week, nginx is 32 million in the past week. I'm trying to sort the whole thing by, like, is 200 million total, like, is that, like, everybody?

G
200 million, just because of how, you know, you pull it, you know.
D
Whoops, sorry, can everybody hear me? I can't remember if I turned off my mic, okay. Yeah, I mean, if you look at Elastic's Kibana, they've only got approximately half the pull count. Now they're not open source, so that's not an open source... so that's not within our scope, but that is, I do know that's widely used. So just from the pull count, that is, I believe that is unusually high, yeah, so I think this is...

D
This is definitely, I would put on the kind of that margin of, you know, it's... no matter what, it's important. The question is, is it important enough to put on this list? That's, I think, the question here, and I can see an argument either way. Yeah, a super question is "open source", right. Let's, I hate to do a lot more...
B
I propose that we say that this is critical with a rationalization, or, you know, a question of that it...

D
If you look at their little design description, you know, basically it's the thing that then calls all the other APIs, and it basically is an orchestrator of API functionality as opposed to containers, right.

D
Not this kind, I mean, obviously there is an API to access Kubernetes services, but Kubernetes is an orchestrator of containers. This is an orchestrator of incoming requests, which is different. Got it.
E
An API gateway is typically just on the external layer, where something like Istio would be... API gateways and service meshes are very similar, but a service mesh is more for all your services, versus the kind of layer where external requests come into your system. Got it. Yeah, I mean, I think we just either have to say, like, yeah, all the stats put it really high, it's not just one stat, so let's just say yes, or, you know, it seems like it's a critical piece.

E
It's in the main request flow, it handles stuff like authentication, authorization. Or we can just say no, because we don't have any actual, you know, anecdotal experience. I...
D
Call, yeah, yeah, I'm not very satisfied with that. I think, you know, I do know about a whole lot of projects. I am sadly not omniscient.

D
I'll tell you if I don't know about something, but I think that we would have to poll a lot of people to truly represent all the different uses of open source, so yeah, I...
D
It takes three years, yeah, yeah, yeah. I would say, let's, you know, even though I'm not personally familiar with this, the data that we have, that we're presenting, suggests to me that this should be a yes, simply because of the massive pull count, the criticality, the massively high security score, and the clear centrality of its use by its users, and there are many of them. Agreed.
B
I mean, we spent like 10 minutes on this, I don't think we're sort of getting anywhere, I mean, other than, you know, we're not getting any more clarity, shall I say, right. I'd say that we say yes and we say that we have qualms, or, you know, we are uncertain about this, but that, based on exactly what David said, it seems to be a critical use of open source software, yeah. It sounds good.

G
I need to drop for another meeting, thanks everybody.
D
All righty, and I just dropped the summary of the analysis discussion on [unclear], okay, so LibreSSL.

D
So the question really here, I would say, comes down to usage, you know, do they have... when they just released something a few days ago, so there's at least some activity here.

D
All right, I mean, whether or not, I mean, clearly it's been... they have enough activity to make a release, so I would say that's a good thing.
D
OpenBSD is certainly nowhere near as widely deployed as Linux is, but certainly OpenBSD itself does have a non-trivial number of deployments. Yeah.

A
I think FreeBSD is actually bigger, I'm trying to remember.
B
...a little while, it's definitely bigger, I mean, but I think the issue is more that if we're talking about critical projects, or again, the criticality, that OpenBSD targets itself as being a high-security solution, so it may be... so it often is used by the people who care about BSD, or in more security-critical deployments and situations. So, even though it's a low number, the multiplication factor for the places it is deployed is rather high.

D
I would look the other direction, where who is deploying LibreSSL but not, you know, but not in OpenBSD, because...
B
But also there have been some issues with OpenBSD security where they've had to make changes to software, especially with whatever they call it, whatever Theo's latest announcement at CanSecWest. So this may also be a place... I mean, because LibreSSL is known for its maintenance complexity, shall we say, this may have been a place to maintain their additional memory layout changes necessary for the library that were too slow for adoption with OpenSSL.
D
So in fact, I just found another article which I remember reading earlier now.

D
You know, a lot of people got very, very worried about it after Heartbleed, but they cleaned up their act a lot. There's still some issues in OpenSSL, but a lot of folks have just decided not to pick up these... at least that alternative.

E
Yeah, I'm good with that. Any concerns?
D
Thanks, okay, so let's see here. "Frequently used in embedded products", all right. That's really the question: how widespread is this use in embedded products?

D
Okay, interestingly enough, now you have to be careful, this is them using themselves as a source, but they are claiming tens of millions of devices and thousands of developers.
D
You know, and that's fine. Frankly, that single-person project increases my risk meter, frankly, yeah.

A
I was trying to remember from the Yocto Project. It seems like it sort of rings a bell that, you know, probably Richard Purdie would have a better idea whether that's, you know, because they cook various packages into different recipe profiles. So, right, anyway, I can ping Richard, if...
D
Yeah, if you wouldn't mind pinging Richard, and I was thinking about asking Kate Stewart for Zephyr. Do you know Kate? Yeah.

A
Okay, I also know the engineering manager for that one. I haven't talked to her lately, but I could check with her.

D
Okay, yeah, let's ask Zephyr and Yocto.

D
You know what, why don't we come back to this one? We have a plan for getting more data about it. The higher criticality score does suggest it, but, you know, criticality score says busyness, yeah. Except for the Docker folks might have a better sense of widespread use.
D
I mean, yeah, you know, I will gladly note, yes, Bitcoin, the primary implementation, people run billions of dollars on it, same for Ethereum. This is not either of those things. This is, we're now down to a much lower use compared to, say, the main Bitcoin or Ethereum. I'd say we shouldn't accept this unless we first accept the main Bitcoin and Ethereum implementations, which we have not.
D
Right, but, and this is, yeah, but I think it's just, it's... lots that's commonly used, we don't, I mean, that's... we're not saying it's not important to somebody, it's just we're trying to identify what's most common across a very, very wide spectrum, and this doesn't seem to make it, at least that would be my opinion.

D
Okay, all right, I'm not sure that's disqualifying, I mean, not...
D
Yeah, here's a weirdness: it doesn't implement all the algorithms. It's a reference implementation, weird! So you kind of get most of the parts, but then you have to self-assemble. I guess that's more common in the embedded world anyway. Okay, I'm good with it, saying yes. It's different, but that doesn't make it bad, this just makes it different.
E
Okay, NATS, another one we discussed. It looks like an important, you know, message passing for, you know, cloud-native greenfield applications, but the current usage doesn't show that it's, you know, as ubiquitous as a lot of the other things that we're saying yes to. It is a CNCF project.

E
I mean, it's a high Docker pull count, but not one of the highest, and yeah, Docker pull count, that skews towards, you know, containers, like I think this is used in, like, greenfield Kubernetes cloud-native space, okay, but that's not solely, like, gonna make it critical, I think, right.

E
I think an argument I had against this one is it's more like for individual user, home user type usage, not running critical systems. Anybody have any...?
D
I'm actually typing on the previous one, to try to capture what we just said. I was saying for the previous one: not clarified as wide enough use, we'll need to re-evaluate if its usage significantly increases. Is that fair? Yeah, all right. All right, now, which one are we on next? Nextcloud? Oh, my goodness, yeah, I mean, this one, I'm actually, yeah, I put "popular" and "on the fence". The thing is this: you know, if you want to have something you control yourself, this is a pretty common thing to pull out.
D
Because if an organization, you know, uses it, for example, for all of their data and editing and everything else, it suddenly does become pretty critical.

E
Yeah, I was looking towards no, and just say, like, enterprise may be used by critical systems, but it's also not clear how much the open-core part of it is.
D
Right now we have not used that as a criterion one way or the other, yeah, but yes, that would be the next step, is, you know, which ones need investment, and probably not.

E
Thanks everybody for joining, yeah, see you next time. Next time will be APAC-friendly time again.