►
From YouTube: Securing Critical Projects WG Bi-Weekly (April 20, 2023)
A
D
C
D
My
my
wife
has
an
app
I've
forgotten
what
his
real
name
is,
but
she
calls
it
Shazam
for
birds,
so
she'll
just
put
her
phone
up
and
it'll
tell
us.
You
know
which
bird
is
which
and
you
know
that's
a
cardinal.
That's
a
robin!
That's
you
know,
you
know
all
the
all
that
sort
of
stuff
and
specific
one
species,
and
so
on.
D
E
D
Yeah
I
think
if
I
recall
the
the
issue
there
was,
it
wasn't
I
think
there
were
people
asking.
How
did
this
list
get
created
and
and
Jonathan
I,
you
know,
I,
don't
know
if
that's
already
been
answered
and
if
not
maybe
link
off.
You
know
if
there's
anything
else,
if
there
is
a
rationale,
maybe
linked
to
it,
if
not
maybe
write
it
and
link
to
it.
C
C
C
D
D
Yeah,
but
that's
that's
just
okay,
like
250
most
common
GitHub
URLs
in
the
cve
database,
got
that
but
like
criticality
score,
I
mean
lots
of
things
are
on
criticality
score.
There
must
have
been
a
cut
off
or
something
and
lots
of
things
are
mentioned
in
the
census.
Harvard
census
too
I
think
just
just
that
you
have
two
or
three
words
isn't
really
enough.
You
know
if,
if
there
could
be
like
a
key,
you
know
if
you
say
this
in
the
source.
What's
that
mean.
C
D
D
C
D
E
E
G
G
D
D
G
G
Get
caught
in
one
of
the
other
ones
I'm
also
so
so
just
to
be
clear.
I
am
super
happy
not
for
this
not
to
be
the
alpha
omega
10
000
list,
but
this
to
be
the
security
projects
10
000
list,
in
which
case
like
evolve
it
at
you,
know
the
whims
of
of
this
working
group,
and
we
will
just
take
it
and
say
yup,
that's
that
that's
I'd
rather
I'd
rather
point
to
something
that's
up
kept
rather
than
you
know,
try
to
upkeep
it
right.
D
B
D
B
B
It's
not
really
clear
and
I
think
this
is
sort
of
good
with
the
10
000
projects
from
Alpha
Omega
is
that
there
is
sort
of
a
recipient
for
this
like
okay,
we
create
these
critical
projects.
How
what
exactly
is
the
pipeline
or
the
flow
in
the
open
ssf
after
you
do
this?
It
sort
of
doesn't
make
I
mean
I,
don't
think
it's
it's
interesting!
It's
nice,
but
I'm,
hoping
that
it's
not
just
a
matter
of.
Oh.
G
Fair
enough,
yeah
I
mean
I.
I
also
think
that
having
the
list
other
folks
are
going
to
have
the
question
of
like
I
have
a
thing
I
can
do
at
scale,
but
not
at
the
Scale
of
the
Universe.
What's
the
most
important
stuff
that
I
should
be
thinking
about
and
just
having
a
list
available
which
is
like.
Yes,
it's
not
perfect,
but
it's
a
list
and
it's
probably
approximately
correct
and
I
I
I
think
you
know
if
you
build
it,
they
will
come.
G
B
Of
the
list
yeah
exactly
I'm,
not
saying
you
know
again,
you
know
you
know,
stop
what
we're
doing
you
know,
but
it's
simply
a
matter
of
okay.
I
mean
this
is
a
great
list
things
for
me.
It
it's
it's
very
comprehensive.
He
said
you
made
all
these
ways
that
we
produce
it.
You
know,
there's
some
duplication,
but
long
run
again
not
to
to
belabor
this,
but
you
know
for
for
us
to
discuss
after
we
get
through
our
current.
You
know,
scoring
mechanism
is
to
figure
out.
You
know
how.
B
How
are
we
want
to
integrate
this
together?
Is
this
sort
of
a
new
starting
point
of
just
sort
of
you
know
have
once
we
get
through
this
and
this
our
current
sort
of
you
know
race
or
or
whatever
we
want
to
call.
This
is
to
then
sort
of
step
back
and
say
what
really
is
the
purpose
of
this?
This
group
open
this
list
and
how
do
we
want
to
balance
between
this
ten
thousand
and
the
his?
B
You
know
the
the
the
list
that
we've
inherited
or
the
group
has
been
worked
on
so
far
and
then-
and
you
know,
potentially
in
contact
with
the
attack
of
the
next
time
saying.
Okay,
we've
got
these
different
resolutions
or
types
of
information.
You
know,
let's
start
sort
of
socializing
this
amongst
the
open,
ssf
What's.
The
best
way
you
know
or
are
these
sort
of
different
purposes?
A
E
E
H
E
E
Everybody
for
joining
so
yeah
I
wanted
to
call
out,
and
what
we
were
discussing
right
now
is
there's
a
proposal
for
a
new
project
or
Sig,
not
sure
which
one
it
would
be
to
join
this
working
group.
So
please
take
a
look
at
the
issue
or
the
email
mailing
list
post
and
leave
your
comments
or
questions
there.
We
want
to
have
a
formal.
You
know
discussion
in
the
meeting
once
we
finish
our
our
current
iteration
of
the
critical
projects
set
I.
C
C
E
C
D
E
Yeah
something
that's
on
the
list
of
our
things
that
we
we
can
produce
anyways,
so
yeah!
Look
at
that,
but
let's
get
busy
with
our
working
meeting
and
and
start
looking
at
our
list
voting
discussion,
consensus
building
on
the
set,
so
we
had
a
small
meeting
last
time
the
Apec
time
isn't
as
popular.
So
there
were
some
that
we
passed
on,
but
we
left
comments
and
then
some
that
we
didn't
get
to
so
let's
go
ahead
and
I
guess
just
go
down
the
list
all
right
up.
F
E
D
F
E
C
D
D
D
G
E
G
F
D
Whoops,
sorry,
can
everybody
hear
me
I
can't
remember
if
I
turned
off
my
mic,
okay,
yeah
I
mean
if
you
look
at
elastics,
Cabana
they've
only
got
you
know
approximately
half
the
poll
count
now
they're
not
open
source,
so
they're,
not
that's,
not
an
open
source.
So
that's
not
within
our
scope,
but
that
is
I
do
know.
That's
widely
used,
so
just
from
the
from
the
poll
count,
that
is
a
new
I
believe
that
is
unusually
high,
yeah,
so
I
I
think
this
is.
D
This
is
definitely
I
would
put
on
the
kind
of
that
margin
of
you
know.
It's
how's
this,
no
matter
what
it's
important.
The
question
is:
is
it
important
enough
to
put
on
that
list
on
this
list?
That's
I,
think
that's
the
the
question
here
and
I
can
see
an
argument
either
way.
Yeah
a
super
question
is
open
source
right.
Let's
I
I
hate
to
do
a
lot
of
a
lot
of
more.
B
D
E
B
D
G
G
E
E
Api
Gateway
is
typically
just
on
the
external
layer
where
something
like
istio
would
be.
This
API
gateways
and
service
Industries
are
very
similar
but
service,
not
just
more
for
all
your
services
versus
the
the
kind
of
a
layer
where
external
requests
come
into
your
your
system
got
it.
Yeah
I
mean
I,
think
we
just
either
have
to
say
like
yeah,
like
all
the
stats
put
it
really
high.
It's
not
just
one
stat.
So,
let's
just
say
yes
or
you
know,
it
seems
like
it's
a
critical
piece.
E
D
A
D
D
E
F
E
C
D
B
I
mean
we,
we
spent
like
10
minutes
on
this
I
I,
don't
think
we're
sort
of
getting
anywhere
I
mean
other
than
you
know.
We're
not
getting
any
more.
Clarity
shall
I,
say
right.
I'd,
say
that
you
know
we
say
yes
and
we
say
that
that
we're
you
know
have
qualms
or
where
you
know
we
we
don't
you
know
are-
are
uncertain
about
the
about
this,
but
that,
based
on
exactly
what
David
said,
we
it
seems
to
be
the
critical
use
of
Open
Source
software
yeah.
It
sounds
good.
B
D
D
B
F
D
D
A
D
E
B
A
B
D
D
F
B
A
little
while
it's
definitely
bigger
I
mean
but
I
think
the
issue
is
more
that
if
we're
talking
about
critical
projects
or
again,
the
criticality
that
openbsd
targets
itself
as
being
a
high
security
solution,
so
it
may
be
so
it
often
is
used
for
the
people
who
care
about
BSD
or
in
in
more
security,
critical
deployments
and
and
situations.
So,
even
though
it's
a
it's
a
low
number,
the
multiplication
factor
for
the
places
it
is
deployed
is
is
rather
High.
D
B
But
also
there
have
been
some
issues
with
open,
BSD
security
where
they've
had
to
make
changes
to
software,
especially
with
whatever
they
call
it,
whatever
Theo's
latest
announcement
at
cansec
West.
So
this
this
may
also
be
a
a
place.
I
mean
because
live
SSL
is
is
is
is,
is
is
known
for
its
maintenance
complexity.
Shall
we
say
this
may
have
been
a
a
place
to
to
maintain
their
additional
memory.
Layout
changes
necessary
for
the
library
that
that
were
too
slow
for
adoption,
with
SSL.
F
D
B
F
D
H
B
D
D
D
B
H
D
G
D
D
A
I
was
trying
to
remember
from
the
Octo
project.
It
seems
like
it
sort
of
rings,
a
bell
that
I,
you
know,
probably
probably
Richard
Purdy-
would
have
a
better.
You
know
idea
whether
that's
you
know,
because
they
cook
various
packages
into
different
different
recipe
profiles.
So
right
anyway,
I
can
I
can
ping
Richard.
If.
D
D
E
D
D
A
B
D
Mean
yeah
I
I,
you
know,
I
will
I
will
gladly
note.
Yes,
Bitcoin
the
primary
implementation
people
run
billions
of
dollars
on
it
same
for
ethereum.
This
is
not
either
of
those
things.
This
is
we're
now
down
to
a
much
lower
use
compared
to
say
the
main,
Bitcoin
or
ethereum
I'd
say
we.
We
shouldn't
accept
this
unless
we
first
accept
the
main
Bitcoin
and
ethereum
implementations,
which
we
have
not.
B
D
D
Right
but
and
and
this
is
yeah
but
I
I-
think
just
it's
Lots
that's
commonly
used,
we
don't
I
mean
that's.
Is
it
we're
not
saying
it's
not
important
to
somebody?
It's
just
we're
trying
to
identify
what's
most
common
across
a
very,
very
wide
spectrum,
and
this
doesn't
seem
to
make
it
at
least
that
would
be
my
opinion.
D
D
H
D
D
Yeah,
here's
a
weirdness,
it
doesn't
Implement
all
the
algorithms.
It's
a
reference
implementation
weird!
So
you
it's
kind
of
you
get
most
of
the
parts,
but
then
you
have
to
self-assemble
I!
Guess
that's
more
common
in
the
embedded
World
anyway.
Okay,
I'm
good
with
it
saying.
Yes,
it's
it's
different,
but
that
doesn't
make
it
bad.
This
just
makes
it
different.
E
E
E
D
I'm
actually
typing
on
the
previous
one,
to
try
to
capture
what
we
just
said.
I
was
saying
for
the
previous
one,
not
clarified
as
wide
enough
use,
we'll
need
to
re-evaluate
if
its
usage
significantly
increases.
Is
that
fair,
yeah
all
right
all
right
now,
which
one
we
on
next
clown?
Next
Cloud?
Oh,
my
goodness,
yeah
I
mean
this
one
I'm,
actually
yeah
I
I
put
on
popular
and
on
the
fence.
The
thing
is
this:
you
know
if
you
want
to
have
something
you
controlled
yourself.
This
is
a
pretty
common
thing
to
pull
out.