From YouTube: Securing Critical Projects WG Bi-Weekly (June 15, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit#heading=h.ylcmpchqsywz
B:

A: Yeah, I mean, I think it's good for us to have, like, somewhat of a definition of what we're trying to accomplish, which what you wrote is good, like, like you know, when we're making it we should say this is what it is. We should be able to describe what it is, but as far as, like, what it's for, I don't think we can just come up with that on our own. We need to go, go to the other groups and ask them, okay, how's it going?

C:

D: So, very very soon it's going to be roasting hot and I will be back inside, but I'll take advantage of what I can get in the weather.

D: All right, 12 of... I have four. After, are we expecting more?

A:

E:

A:

C:

A: Yeah, let's discuss that in your... I typed that as the first thing: what is the list for, or who are the users? Yes.

B: Yeah, so I've, I, I've been putting this. Oh absolutely, yeah, that's a good point. David is thinking of specific, like, groups. I think that's great. I was also, oh okay.

B: I was also considering, like, when we were talking about, like, essentially having some language on, you know, what this is and who it's for, so, but this is. This is going to help us a lot because, because that can help us walk backwards. Sorry.

D: You just lost what we were typing. Oh.

B:

D:

E:

B: So yeah, I just put this, I don't know if it's too circular, but you know, the purpose of the set of critical projects curated by Securing Critical Projects Working Group is to help guide the open source community in determining highly important open source projects that have been identified through research and discussion with the work group.

D: Yeah, what's the, what's the, the Tech, German Tech Fund, and there's another American one.

B: Yes, good point, Sovereign.

B:

D:

B:

D: But it helps us, like: oh okay, all right. Okay, I will put you in a different category, but okay, because you're not funding the work, but you are.

D:

B:

D: Okay, and this is a weirdness for me, I'm going to put the U.S. later and I'm going to do that in simple, because we love our US friends, but I want to, I, I think some people have, have missed, been misinformed that we're somehow only US. Yes.

C:

D: A lot of U.S. folks, there's nothing wrong with U.S. folks, but this is international, and you know, and so by putting a German government thing first, I think that'll help clarify that the internet... This is something that's an international issue that we're working on international solutions for, yeah, or OSTIF, I mean, what, what I bet, that there's, you know, organizations who need, I mean you're basically trying to guide other organizations, right?
B: Like the impact report, the Google and OpenSSF impact report. We used, like, the Harvard Census II study and, like the preliminary, some of the preliminary, our preliminary recommendations, our meaning OSTIF's preliminary recommendations, which fed into the, you know, the, the predecessor to this set to determine which projects we would go ahead and audit. So that's why I wonder, I...

D: You know what, how they're, if we eliminate the, how we're, they're using it.

C:

D: You know, I'm gonna put that in as another, you know, I think MFA distributions and other organizations, or, whoops, what happened. That's what's weird.

E: Okay, all.

D: So Alpha-Omega and, okay, SOS.dev, you know it. That funds, provides small funds for OSS projects, but would like to prioritize the more critical ones. Now, splitting that up is probably a little weird, because that's also now part of OpenSSF. So.

D: Yeah, but, but I think there's a, there's an organization that's kind of popping up here. Alpha-Omega is an example of: we're looking for the critical ones, and to fund those. There are other organizations who do the same thing, and then there's small funds where they do fund a number of different things, but they, again, you know, they're not going out and looking, but they'd like to prioritize when they get a request.

D: Future MFA distributions, all right. Maybe we can probably argue about the order here, but you know, you just, you know, that's, I think that's a, that's a nice list.

E:

D: Of, of users and potential users, I mean Alpha-Omega certainly, I know for sure uses it, is, is using it. The older version, the MFA one has already done. So you know.

B:

D: Right, we actually have a couple tokens left, so it was a lot of work to get them out. So we haven't tried very hard, but.

B: Awesome, and then so we talked about preparing it and publishing. I'm looking at that.

A: Yeah, so David, you put that here. We have this process document. Is this up to date? Do you know, Amir, with what essentially, what we do? It's.

D: I don't know what you call this, I mean some of this is aspirational and, no, no, I, I need a, I, I don't need some ideas of what the plan is. I... here is the list. Here's how it was made.

C:

D: And, and also here's something: that, that document was really future-looking. We need to, we need to include, you know, a ready answer for how did you make this list, and acknowledge, you know, weaknesses in the current set. I mean it's all over, you know, varying size.

C:

D:

C:

D: A paragraph, or maybe two, you know, maybe like, here's how we did, you know, and acknowledged weaknesses, because there's always weaknesses, but I mean I think that's now publication. All right, we need it. Do we need something nice looking?

A:

D: I mean we can make a PDF, we can make a Markdown, we can make an HTML page now. One thing that we could do is turn it into something that looks legit.
D: Let me, you, I don't think either of you have been involved in the fund, on the publication of the best practices folks, have you? Yeah, all righty? Okay? So let me share with you a link.

D: Okay, what you will see is something that looks fairly decent, and this was generated through a process that I am now, I have now given a name. It is called this, the SSP something, the simplest possible, but SPP, simplest possible process.

D: Okay, and creating subdomains is incredibly trivial. Used to be, you didn't want to create a new domain for this stuff because of the fundamental problem when you do that is now you've got to manage the TLS certs. Thanks to Let's Encrypt, that is just not a concern, so you know, and so right now there's a separate TAC issue about whether or not, basically, we were originally just pointing the GitHub Pages. It's ugly, it's awful. It's ugly, it's awful, I mean it looks like, it looks terrible.

D: Yeah, it's a sans serif font for the body text. I'm actually, I actually prefer serifs, but this is the most serif-y non-serif... This is the most serif-y sans serif font I've ever seen for body text, so we can live with it.

D: I don't care about fonts nearly as much as readability. That's my concern. You know, there's people who are really excited about fonts that are cool looking as long as you don't need to read it. Boo, hiss to that. So anyway. So this is not an... This is not a statement that we have to do things this way. In fact, you know, there's something right now that's been raised at TAC as a, hey, is this? You know, I think Brian, Brian Behlendorf in particular is, I don't know if we want all those different domains.

D: That's fine! If that's a problem, then let's do something else. In fact, this is part of the problem. There's so many different ways to do publication workflows that we almost get, we get paralyzed by choice. There are too many ways to do this, so.

D: Way, but what I would like to see, though, is a simple link where you click on it and you see the document. I'm not excited about PDFs, but I guess there is the advantage of that. They, you know, declare a sort of complete product.

D: In the best practices working group's repo, so if you go, yeah, give me, let's see here. Is there an obvious?

D:

E:

D:

A:

B: And I believe, and it was mentioned that OpenSSF would do a blog post.

D: Okay, process, all right, so let's go back. The process options, okay, they include, you know, generated PDF.

D: Okay, you know, well I guess link to Google Docs is the easiest possible. Right, link to Google Docs, and, and if we generate a PDF, there's actually two options: to generate straight from Google Doc.

D: But that's kind of ugly, doesn't have intro. And then there's the create a nicer doc, and you know what, it's almost its own thing, generous, and then they create a nicer doc, and then there's, and you know, and at that point it's the intro plus the list, right, and then we, intro plus list, and then there's endless ways to do that, which is PDF.
D:

E:

D: I don't know that that's a big issue, because we're not trying to hand edit it, I don't think. I think we're just taking the Google Doc and translating it.

D: Be honest: the first thing I'll do is grab for pandoc, p-a-n-d-o-c. If you've not heard of pandoc, please hear of pandoc; your life will be better.

D: Tool, it's some, depending on what you're doing. If, if you want to deal with TeX, you, to, if you want to generate TeX, then you also need to install a whole bunch of TeX stuff, but in general it can do cool things, and so, while I haven't tried tables from Google Docs specifically with pandoc, it would be unsurprising to me if that wasn't too bad.

D: There's a couple other generators, specifically from Google Docs to Markdown, that I've used also for the, for, for the course, because we actually originally wrote the course in Google Docs and then translated it to Markdown, and the Markdown is actually now the canonical version in that one, and yeah, translated tables and stuff like that. I don't know, I think our, this one's pretty simple, so I don't know that that's going to be a problem.

D: By the, yeah, I may as well slip that in here. All right, right, it's probably in the top, isn't it? Yeah.

B:

D:

E:

C:

D: In fact, if anything, you could probably argue that everything should have some comment, but that's a lot more additional work.

D:

A:

D:

A: Yeah, okay, so we've got some ideas for getting the set ready to go. We need the intro, the process paragraph, something that looks nice, right.

D:

A: I wrote a, I just jotted some notes here right now for the points we want to make in the blog, kind of the stuff that we're going over right now, like what is it, how do we make it, who's using it? So we just discussed that, right, and then typically, like, a blog would be like: how should you use, or, you know, how might this be useful to you, and then how can you get involved.

D: Right, and really all, and there's always an audience question. I think we've got two different audiences here. One is just kind of the general, hey, if you're curious about open source and you're wondering if anybody cares about it, the answer is yes, and some people are working to identify a critical one, really important one, so that we can go do some funding of it.

D: Frankly, there's another audience, it's way smaller, and that's the folks we just listed earlier, you know, who are saying: hey, I want to fund stuff.
D: Now I will say that some of those, a lot of those have very specific angles, like a good part of CISA, they're actually interested in improving the security of open source software that's used by critical infrastructure, so they're thinking about dams, electrical power grids, that kind of stuff, and that is not necessarily this list. In fact, I, I think that there would be quite a different list. So, but for some, like the German government one, I'm sure that they would be very interested, and that for them, I think the goal is just, hey.

D: Please look at our list now. We can just tell our friends: hey, go look on our list, but if we do a blog post, then that gives them cover for looking at the list. So, oh wow, look at that. They announced it and it's a big announcement. So we should look at that list. Mm-hmm. I suspect they would look at it anyway, but you know, I think that would be helpful to them.

A: Are you curious, like, you want to get involved in open source? You, oh, you're a company, and you, you want to know if your stuff that you use is critical, like, I don't, if.

D: A great idea: yeah: are you looking for an area where you might contribute? If you're, if you're looking to re-, say, review open source software and you want to, you know, look up for, you know, do security reviews of the most critical ones, these would be good ones to look at, not implying that you can't look at others, because that's ridiculous, but if you're looking to evaluate something. Now, I think we do have to be careful, not implying that these are the problem children.

C:

D: But both contribute to, in the sense of code. Well, actually, I don't know, some of the major, may, you know, most of them are open to, although you know some of the smaller ones, especially the ones that think they're more or less feature complete, they're going to have a higher bar, but all of them will be very, very interested if you found a vulnerability and it was a real vulnerability. I would hope that every single one of these projects would say, oh yeah.

A: Okay, all right, they do something like, something like that: okay, get involved in the working groups, I guess projects, that's pretty much it. Okay, okay, do.

D: Let's see here, I, you know, now to be honest, I should know, see, if I was smart, I would go look for the drives for OpenSSF.

E:

D: All right, OpenSSF has a drive. I'm having a little trouble. This is, problem is between keyboard and chair here. All right, you know, one, this is gonna be a short doc anyway, that, not lasting long, I suspect. So why don't we quickly draft up something and we will.

D:

E:

D: All right, let me see here, I am going to.

D:

A:

D: So I think we need two things: you're right: okay, we need two things. So what I just did was create the actual, yeah, intro to list, list, yeah.
D:

A: Yeah, because we're essentially, I'm saying we want to reuse the, what is it, how is it made, in the blog post, so we.

D: That needs to be done first, right, and, and this is a report from the, the Open Source Security Foundation.

D: Put triple question marks everywhere, and then what I'm gonna say, and when I, when, when I start breaking it down, then I start, each of those subsections get triple marks, and when I run out of triple question marks the document's done. You don't have to do it that way. Just, if you interact with me a lot on my documents, you'll start to see that nonsense.

D: By, from the, okay, what is this? This is what this is: okay, the purple.

C:

D: These have been determined to be highly important, whoop.

A:

D: Okay, my access to Google Docs suddenly disappeared.

D: And now we're back. The, the, the risks of, of this kind of, of, okay, the, okay. This set identifies.

D: To be highly, out to be highly important, I mean it's just important, I don't know, a highly important, bye.

E:

D:

E:

D: It in, yeah, yeah, you know what, actually I think that just having the selection reasoning slash justification does help, especially presuming that we're going to explain what the heck those are.

D: Yeah, so that this implies the process, need to note, need to explain selection reasoning slash justification.

B:

D:

E:

C:

D: Done, okay, you, but you know what, you know what's great about source repo? I, I've, I've been telling several folks this. I understand the problem when you're talking about proprietary software, but when you're talking about, for open source software, you know which X did you mean, I mean this repo.

C:

D:

C:

B:

C:

D:

B: Yeah, we've just gotten good within the work group to keep calling it a set now, because, to make that distinguish.

A:

D: Okay, this identifies a set of, okay, so let's head in between the eyes, if that's a key problem: please note that this is not a list. It is a set.

D: There is no implied order in the list. Well, actually, no, there is an order, right. It's alphabetic.

D:

B:

D:

B: I got it, all right, and then I'll, I'll re-alphabetize it.

D: Fabulous, all right, all right, very good, very good, all right so.

D: Right, this document presents the set, at that. Please note that this is not a list, not a list. It is a set. There's, the, this set is listed in, in alphabetical order by project name.

C:

D: Right, quick, well, I'll tell you what we said we needed. We, we've, we basically have agreed that we need to have something that looks good. I will say from here on, we can either generate Markdown and then generate HTML, or we can just turn this into a PDF. Either works. If you want to create a PDF, of course, that's super easy, and then, so, so it sounds like the homework now.

D: Maybe we can post. The Slack is working on this report and the blog post, yeah, and you know, if we, none of us get to us, then this, here's what I would propose: if we don't get to it between now and next, being the next meeting, is we finish this off, yeah.