From YouTube: Securing Critical Projects WG Bi-Weekly (July 28, 2022)

A: Okay, so we are at five minutes past the hour and we are recording, so hello and welcome everyone to the, gotta check the date, Thursday 28th of July Securing Critical Projects working group meeting. Looks like we'll have a pretty light, a light crowd today, which is totally okay.

A: Jeff sends his best, and I know David wanted to join as well but is not feeling well, so we can just dive right in since we'll have maybe a little extra time. I'd love to see if this is either anyone's first time, or, kind of as we get started, anyone would like to let us know how you're doing and share any updates with us. Anyone want to volunteer for that?

B: Yeah, hi everybody. I think it's my first time in this particular group, so my name is Alvaro Figueroa, I'm from Costa Rica and I'm currently working for Microsoft, so hi everybody.

A: Hello Christine, yes, I've seen you in other working group meetings. Thank you so much for joining this one.

C: Glad to be here, thanks. Cool, so.

A: Yeah, so we'll do as much as we can today, and if we need to conclude a little early, that's okay. So the first thing we do have on the agenda is Jeff did take the time to create a poll. I believe it's, yes, it's a Google form to help us determine the best time for the APAC-friendly meeting time that we are trying to incorporate into our regular meetings.

A: Switching to an alternating type of meeting, where we'll do one meeting at kind of the regular time that we have been doing, and then the alternating one will be an APAC-friendly time.

A: So yes, please fill that out and let us know what you think. Okay. Next we have, and thank you so much for joining today, Randall. Just to provide some context, in the last meeting we had talked about...

A: You know, this ingestion engine and this process for capturing and identifying projects that are deemed critical, and talking about what the best kind of platform for that would be. And we had discussed the possibility of using GitHub, just because, you know, it is being used for other types of processes like that and could be a good way to track changes and to basically see how it evolves.

A: Over time we had talked about moving that over to GitHub, of which Randall volunteered to do a little bit of research and kind of explore that as an option. So with that, if it's okay with you, Randall, I will hand off the mic and we'd love to hear what came out of that. Thanks, Amir.

D: Yeah, actually quite a bit. There's quite a bit of interest, and I actually got Homebrew quite involved, because they actually have analytics already kind of pre-deployed. So I've started kind of containerizing everything, and I talked to Allison, I think it was yesterday, from the Home... or, I'm sorry, GitHub Labs, their security lab, and we're kind of collaborating and putting that repository together.

D: We're still containerizing all the tools to make them run on GitHub Actions, and then basically the way that we have it kind of envisioned is you should be able to make a PR and just add a name to the list, and it should automatically trigger the checks and put those with the PR. So whoever is going to come in to merge that into the list will have all the output of the tools already put together and attached to the PR.

D: As far as notability goes, we can add more checks to those if we wanted to. It kind of depends on what we want to do from the security angle, but right now we're really just focused on measuring popularity, downloads from different package managers, things of that nature, and it's a lot. We've already contacted the criticality score team and we're kind of working with them too, putting that container together and adding some other features and whatnot.

A: Wow. Awesome, wonderful. Could you give us a really kind of, if you've thought about it yet, and this is certainly open to discussion with the work group too, kind of how that looks from a process standpoint, or how that would look, or how we'd like it?

D: It would literally be something where you could even write on GitHub. You would be able to just add a name to the list, so in other words there will be lists kind of for every ecosystem that we want to cover, and you would be able to just add a name to that list, even directly on GitHub.

D: We think that's probably the easiest way to do it, because if you do it on GitHub it doesn't even require you pulling down the repo or doing anything like that. And we're kind of basing it a lot on the changeset tool from JS, and yeah, that's basically what it does. You just add a changelog and it detects it and it executes from there.

A: I see. And can I ask, because we've talked about this a lot in both OpenSSF meetings and just in general: I'm certainly okay with using GitHub as a tool for this. Would it, however, exclude, let's say, projects that aren't on GitHub or, let's say, are not as active on GitHub? Because a lot of the concerns we've got in the past is being too GitHub-centric.

A: So as long as... and I see both sides, right. I mean, if GitHub has these tools and these things that we can use that will make the process more effective, then great, of course we want that. But at the same time we want to be inclusive and not necessarily exclude projects that, let's say, don't use GitHub or aren't on GitHub. And oh yeah, Eric brought up a good point too, that some companies could even block GitHub access.

A: So is it possible to still be inclusive of, let's say, the private sector?

D: I think that's something I would probably have to bring up with the criticality team, because I think that most of our current tooling does kind of play off GitHub a whole lot. I do know that it is supported; however, not all the checks are supported, but I don't know as far as what the roadmap is.

D: I know that GitLab is pretty well supported as well, and I know a lot of open source projects prefer GitLab for whatever reason, you know. But I could definitely bring that up with the criticality score team, because I think that is more on their side, because I don't really know even what we could necessarily do, like if you wanted to host on SourceHut, which is run, by the way, by one of the Wayland maintainers, or the weightlift maintainer.

D: Like, you know, SourceHut is a very... it's a nice tool, but it's extremely primitive. So, you know, I don't know how they would necessarily handle that, not to mention what APIs are available for us to get that information from. I know GitLab has done a lot to try to have a lot of one-to-one APIs with GitHub, but I can bring that up next time I talk to them on Slack or whatever, you know. I can definitely bring it up.

D: Could be that checks could really be more of a suggestion. So, in other words, if you do add a project that the checks might not be able to pick up, then I think at that point maybe we could add it somewhere where that doesn't necessarily disqualify you. It just makes it harder for us to verify how critical this project is.

A: Yeah, because if kind of the high-level intention is, you know, just to have a method or a process to capture the community's thoughts and research on, you know, what are these projects, then I don't see why we can't use GitHub as just the tool for it. But I think we should really make sure that we're not being exclusive, or maybe excluding, you know, smaller projects or projects that are not on GitHub.

A: If the mechanism is really just to use GitHub as, again, the tool to generate these lists and to help make that more efficient, then, you know, I'm certainly all for it, but yeah, I would just really want to make...

D: You know, you could use it as a container registry, and I think with GitLab it shouldn't be a problem, because they kind of have the same thing going on. But I think when you start getting into, like, Gitea, or I think that's how it is pronounced, and those open source projects like Phabricator, for example, that doesn't have that. I think there's still ways of making that work, but I think from a tooling perspective and priorities perspective, because I know that a lot of the tooling projects are running low on people...

D: I don't know how much of a priority those are going to be. So I would probably just stick with: our checks do not disqualify anything or anyone, they're just there to assist, because even if it is a smaller project, I'm assuming that we would need some sort of framework to do our due diligence from a manual perspective.

A: Yeah, one thing I will maybe caution a little on is, you know, the objective is to capture information, right? We're trying to identify projects, and I'm certainly all for, you know, like you said, using tools and certain things to help support that, or to provide reasoning or justification. Darn, I lost my train of thought there.

D: Let me ask this. So, like, at Homebrew we have what we call a notability requirement. I don't know if you also know this, but Homebrew, in other words, is run by GitHub, because the project lead is employed by GitHub. But we have like a notability type of thing that we check, because we can't carry everything; it's really hard to carry everything.

A: Correct, yes, and yeah, so I think, yeah. So if someone can nominate, let's say, nominate a project, if, you know, it can automatically, let's say, pull their criticality score as a selection criterion, or a reason why that should be on that list. So kind of going along with that, in the notes sheet...

A: Underneath some of the notes I've been taking, I recopied and pasted kind of some of our discussions from last week, of kind of how that would look and kind of what the structure would be like, and I have started on this kind of template to help showcase some of that. But I think something that's really important from this is going to be, you know, that you have space to, let's say, nominate a project. You know, I nominate Homebrew.

A: For example, we talked about like an optional, you know, way to categorize said project, so whether it's like a framework or a language or what have you. And then I think the really important piece, which I think is going to be critical for kind of how we set up this process, is basically the rationale or selection criteria. So, like, how you would justify, let's say, Homebrew, for example, being on this list of projects, and why that should be justified.

A: So I'm certainly open, I'd love to get the rest of the group's thoughts on this, of, you know, what is kind of the key information to both capture as well as to showcase as part of kind of curating this list of projects. Does anyone have any immediate thoughts, Randall or anyone else in the group?

D: Well, I mean, immediately what I would like to just point out real quick: I deal with a lot of JS because I currently have a job at Astro. But that being said, in all honesty, I think OpenSSF, from what we're implementing, is a lot easier to implement when it's not JS, but as soon as you hit JS...

D: I think it's a problem, because there's a lot of young developers that don't necessarily understand why you need security; they're more about productivity than security.

D: So the reason I'm saying this is because I'm bringing this to the attention of a lot of people, like Ryan at Solid and Fred at Astro, and a lot of these big names, Rich Harris also, over at Vercel, and I can't pronounce his framework's name. But the reason I'm saying that is because I think that if we can align with the criticality score tool, or at least communicate with them, so that at least from an OpenSSF perspective the word "critical" or "criticality" is somewhat unified.

A: Yeah, yeah, and I think that's relatively easy to do, right, where if someone, let's say, puts in a GitHub package link, that can automatically be cross-referenced to its criticality score, and then that can be basically auto-generated. So as soon as I...

D: I haven't seen this type of hostility in any other group I've worked with, but with JS specifically you get a lot of opinions, to not say something else. So I would caution, because the criticality score, in reality, we're going to call a spade a spade, is somewhat very opinionated on how they actually generate that criticality score. So yeah, you get my point.

A: I do, yes, exactly. And again, I think this all goes back to really what our objective is, which I think we did a pretty good job at our last meeting kind of putting into words in a pretty succinct way. Let me see if I can find it. Yeah, so we said our reasoning was to provide a best-effort analysis of quantitative and qualitative research in the open source ecosystem and generate a curated, living set (list) of projects deemed critical to organizations and individuals.

A: So going along with that, I think we're providing something that, you know, we did some work on, and then the key is really how the receiver of that understands that and builds on that. You know what I mean? I think we're trying not to be too prescriptive, and not like, you know, these are absolutely, without a doubt, the most critical projects in the open source ecosystem.

D: The pushback that I got from JS is that there's a lot of things that we're scoring right now, and this also is part of the best practices thing as well, I brought it up in that working group, there's a lot of things that just don't really apply to JS, because JS is its own animal. Like, they have some, like, a dynamic analysis tool, kind of, but they really don't...

D: They had one, it's just nobody used it. And, for example, I know that in best practices that's something they get scored on, and I know that in criticality there's also some certain scoring criteria that don't apply to every ecosystem, and I've gotten pushback like, "but we can't fit these guidelines because we just don't even have the tooling for it."

A: Well, again, I think we're not trying to do... I don't think really any, I mean, sure, there is some analysis involved, but the objective of this is to essentially capture a list of projects. So I don't think we're necessarily... I think every identified project should have to have a justification or selection criteria, and that could be the criticality score. Ideally, you would want more than one selection criterion, maybe two or three, to justify...

A: ...you know, why a project should be on that list. But I want to shy away from maybe doing too much of our own analysis or our own scoring, so to speak, in terms of, you know, this isn't necessarily a ranking. I think we're really clear to use the term "set" instead of "list", and I'm trying to make that more of a habit, that, you know, this is just a set.

A: It's not a prioritized list of things, it's just things that have been identified through this process. So with that, I'd really love to hear if any thoughts have come up or if there's any feedback from anyone else in the work group.

A: Alvaro, I'm sorry to call on you, but given you're fresh, I'd love to hear maybe some of your initial thoughts or perspectives.

B: Yeah, no problem. I do agree that the criticalization score is a bit opinionated, but I've seen the source of the tool. I actually plan to speak a little bit about it in the next security tooling meeting, and yeah, the tool is designed to try to be as objective as possible, and when it's not, it can be modified, as any tool. So if there's anything missing from the JS perspective, it can certainly be added to it.

B: One thing that I would like to see in that particular tool is, for example, if a certain software has a presence on distributions, so maybe I could add some code to that tool to add a little bit to the score based on that. But yeah, for the type of work that this work group is doing, yeah, thinking of videos and sets, it's quite important versus a list. So yeah.

C: Great on defining more or less objective criteria on what actually is defined as being critical, and the aim of those projects was exactly to make this less subject to opinions, and what happened to all the jobs?

C: Well, I'll make it quick. Last year we did a big job on defining a set of objective criteria, just to make this process of selecting critical projects less opinionated, and I wonder what happened to the job and why we are all over again discussing how it's all subject to opinions.

A: Do you have a link to that? What...

A: Yeah, absolutely, so that does still exist. So we do still have, based on our first iteration, the Google sheet of, you know, the projects that we were able to identify. I think we have something like 100 projects, yeah. We have 100 projects on there.

A: I think, because, and again, I think we did a fine job with that, in that, you know, we were able to come together, do some discussion, do some type of curation and come up with a list. And I think that general idea is still the same, like that's what we want, and we want to have a living set, meaning that, you know, these things could be changing all the time. So a way to iterate, I think, is very important, and some great lessons from that exercise...

A: ...I think, were, you know, being really clear on what the selection criteria are. So I think we did a fine job of naming some of the most common selection criteria that we had, such as, you know, criticality score, Census Program II, if it was identified as part of that research, survey responses. You know, we want to curate this information, right, and get feedback from the community.

A: So we did that, as well as other types of research, like Docker pull count data and what have you. And again, I do think overall we did a fine job, and I think what we're trying to do now is similar to that. I think the goal is really just to do it in a slightly more, I guess, structured way, or maybe a more well-defined way, so that we can do it on a larger scale too.

C: Okay, but actually, in my opinion, the set of criteria we developed, along with the concrete list of projects, was the most important thing of that process. So it's not about the concrete project, it's about the criteria, and I guess we have this list at least half-baked, so we can reuse it in a pretty big part.

A: Yes, yes, yeah, absolutely. And selection criteria, I think we can certainly have, you know, a couple of really common ones, but the point, I think, is that we should be considering as much data and as much insight as we can. So if someone comes in and recommends a project, let's say, that's an edge case or, you know, wouldn't come up on a tool or anything like that...

A: We want to be able to hear from them, and we want them to be able to, you know, nominate a project and say, you know, this might not come up on a criticality score, but because of X, Y and Z we think this project should be considered, and to be able to do that in a way where anyone can do it.

A: Ideally, you know, anyone in the community or anyone in the OpenSSF, I think, will be really important, and that's really what we're trying to hammer out. But, you know, it's a really hard thing to do, especially because, as you said, there are a lot of different opinions, and so I think we just have to do our best effort. And one thing I try and bring to the table is really trying to focus on, you know, what can we have as a deliverable?

A: So, you know, as we're talking about this, start, even if it's an MVP, you know, a very loose thing, something that we can build on and improve. So that's why we were talking about, you know, if we were able to move some of this, instead of a Google sheet, over to GitHub, which is, you know, I think, a little more accessible, in terms of, like, with the Google sheet it was just...

A: I think it was just shared with the work group and people who requested access to it, and, you know, if they weren't actively involved in what we've been doing, they would have no idea that we even did this. So I think being on GitHub could potentially be a good way to have a platform, like a place people can go to, like a repo or what have you, and be able to participate and do this process. No?

C: No, I agree with the proposal. I was just talking that we could use the list of criteria and maybe compose at least something where you can put it on GitHub and go: this criterion, check this one, check, and that's how we assess the criticality of a project, just to make it less opinionated and more objective.

A: Absolutely, yeah. And so then, if we have, let's say, so I asked this to the whole group and specifically to Randall, because he did all the research on this: if we have, let's say, on our GitHub repository that, you know, things go in, recommendations, what have you, and then we have this set, you know, that's also viewable and accessible...

A: How would that look in terms of really kind of curating it? Meaning, you know, is it just going to be, like, maybe one table that's constantly being updated that the other parts of the repo feed into? I'm also wondering if we could just maybe try making, like, a really basic MVP repo on GitHub. But yes, again, open question. Randall, you were saying something and I interrupted, so yeah.

D: No, no, it's all good, yeah. That was the idea, because basically, for someone that doesn't want to contribute and just wants to see the list, we can format the list in markdown and they can actually really kind of see it in all its glory. So yeah, we can make tables. That's actually one of the nicer things about this.

D: Is that, like, if you did want to go into, let's say, the Golang folder and then into a framework, then you could see all the... or maybe frameworks itself would be the markdown. It would just be a matter of structuring, but there's definitely a smart way of structuring where, yeah, it could definitely be very well presented and very open for contributions. So now, as far as curation, I'm pretty sure that what's gonna have to happen...

D: Is that there's going to be a set of people that will have merge privileges, pretty much like any repo, and it would just be a matter of those people making sure that they stick to it. Like, you know, whatever we say, like, hey, we're saying don't pay attention to criticality, which is not what I'm saying, but I'm just throwing it out there, then we just have to make sure they follow that, you know, and they use those as suggestions, not as guiding principles.

A: Correct, yeah. For the time being, step one is really just to kind of get the information, and then step two would ideally be, maybe if there's a way to chop it or prioritize it, yeah. I think first things first, we want to just have an output of projects identified as critical with some, you know, reasoning, and I think that's really it, you know.

D: They think that, like, the criticality score actually has some significant meaning, where it really doesn't, so yeah, just because of the fact that nobody wants to be the guy, the lowest guy on the totem pole. Like a lot of the JS developers I work with, they don't understand, like, the actual principle, they just see a low score and "I need to improve this." So yeah, I think avoiding that.

A: Then I'll take an action item, because I am still working on this template, which may or may not end up being used, but I think what's important is really the data, the data points. So I'm gonna draft up a couple of templates for us to go over and finalize, hopefully in our next meeting. And what I mean by templates is just, yeah, some of that really basic stuff.

A: So, you know, what are kind of the main data points that we want to capture, and a kind of basic idea of what that would look like. I definitely love the markdown table idea, at least as one thing, just to kind of be able to see everything in one place, you know, nicely. And then, yeah, going back to your question...

A: I think, since it's a set, maybe 100 could be just like a general guiding, you know, number, but if it's a little more or a little less, I don't think that'll necessarily be a problem. So I think...

D: I think that we should stay away from setting a number, because, they said, that's gonna just further drive competition. If somebody gets knocked off the list, then there's going to be that whole, you know, thing going on, because there's always going to be people: "Oh, I should be on the list, and then I got knocked off the list." It's just... I think that not having a set number is a safer route for us to avoid that.

D: You know, I agree with you, and maybe there could be criteria in what you're putting together, you know, there hasn't been an update in a year or a year and a half; you know, that could be subject for you to get removed off the list. You know, even if the project was really critical when we put it on there, you know, somewhere down the line you lost interest, or someone lost interest, and that's what happened.

D: So maybe we could have a retired list, or, I don't know, we could figure it out. But I think that, and also, Amir, with the templates that are coming up, we can put those in the PR. So in other words, like, if people wanted to just say, hey, I don't host on GitHub or GitLab, but I want to manually provide, like, links that show how critical of a project I am for this, you know, ecosystem.

A: Okay, cool, yeah. So I think I'll create a Google form as just the... oh man, my brain isn't working. I'll create a Google form, basically, that'll help guide that, and if we use specifically that form, great; if we just take the elements of it and put it into GitHub, that's great too. So I'm curious, not to call people out, but because I know I've been in the Identifying Security Threats working group and I've...

A: I've been in many meetings with Christine, and I know that Christine's working on the metrics dashboard, and you have some insight into, you know, how this output, one of the ways this output is meant to be used, in terms of, you know, informing other initiatives like Alpha, Project Alpha.

A: Do you have any kind of initial thoughts based on kind of what we've been talking about today and what our goals are, and maybe some tips or things that could help us with accomplishing what we're trying to do?

C: Just kind of like jumping in, I've basically been in listening mode, trying to, like, figure out how this kind of fits in with the other working groups. So I don't know if I have, like, anything more to add. I definitely like the part where you're talking about making it a set versus a list, not to have as much competition.

C: So it's like, I guess it's going to be just a question from what I've been doing, and Identifying Security Threats has been focusing more on the metrics in the dashboard. So it's just like, it could be just extra data points that could be used in this system. But beyond that, probably not that much more to add. Okay, yeah.

A: Thank you, Christine. Do we have any other thoughts from the group?

B: Yeah, I do have a quick question. So, and kind of naming you as well, so from the OSTIF... you guys need at least a set to actually know where to put the money, and the people from Alpha-Omega, in a similar way, they also need a set, let's call it, to actually know where to start working and where to put their time. Are those two organizations going to use this same list, or do they have their own separate list, or what's the idea behind that?

A: Yeah, that's a great question. So typically with us, and when I say us I mean OSTIF, we typically will go and do the projects that we get funding to do, basically. So we don't have enough funds yet to really go out and just do projects on our own. For example, you know, Google said, hey, do a couple of projects, and, you know, we're auditing these projects.

A: That being said, I did create a short list, really to be another data point. I created a short list that's really OSTIF's 50 projects that we think should be audited, basically, so it's like our list of recommendations. I'd like that to be another data point, basically, because, you know, we've done some analysis on our end and came up with this list of projects, and I know Project Alpha, I don't think they're really...

A: And I do actually intend on presenting that to more folks in the OpenSSF, in particular the TAC and governing board, just to get, you know, feedback and to see if we're on the right track, and seeing if, by offering like a menu or like a list of projects, you know, if that's something that would help, you know, organizations who might have more interest in certain projects than others.

A: You know, to help them prioritize those projects, or maybe even fund work for those projects. But yeah, to answer your question, I'd say yes, you know, at OSTIF we're trying to also be, you know, a data point too, in that, you know, we do audits all the time, that's kind of what we specialize in, so we could be at least an opinion in the space where we could say, you know, these are important projects that should be audited.

A: Okay, yeah, we still need to figure out a little bit of, and this is in response to Christine's comment, yeah. I think we're still fine-tuning kind of how the Google group and the access and stuff works. I think right now, Jory, actually, if I'm remembering correctly, you can auto-join the Google group for this working group, which will give you access to the document.

A: Does that ring a bell to anybody? I think we talked about this last week and I'm not remembering, but I believe you can request access.

B: Yeah, I had to add myself just before the meeting to get access to that, so yeah. Okay, did you do that in... I...

A: Yeah, maybe that's it. Yes, okay.

A: Excellent, excellent. So, okay, so some things that I'm going to take back and have for the group by next meeting is some basic templates that we could build on to kind of help structure this. With that I'd love to open... we have 10 minutes left, if we want to do five minutes for any updates or folks we haven't heard from in a while.

C: One of the things that I wanted to... I was thinking is the other, criticality score, the other project. I'm going blank.

C: Scorecards. Not the score, I'm talking about the one Caleb works on. I'm going blank. Oh.

C: Analysis, the analysis, the analysis. That information is there in the Google bucket; somebody already asked for it. The Google bucket is great because it dumps everything as JSON. One of the things is, actually, Scorecards right now is going to do an HTTP REST endpoint, especially with the Google bucket. The best part is, just attaching a domain name would give a REST endpoint that should be able to give everyone the data. That'll be a great option.

C: I was going to write that up as an issue, but I also thought this would be a good forum to come and talk if Caleb was going to be here today. I know he's not going to be here today.

A: Yeah, that definitely sounds like a great point to bring up. Hopefully once we have our APAC-friendly meeting finalized, where we're gonna try and alternate to be more inclusive of folks in other time zones, I'm fairly certain, because Caleb is in Australia, he'll probably start joining that one. Yeah, okay, but yeah. I think that's a great point, and if anyone else has thoughts, we'd love to hear from you, but yeah, I think Caleb would be the best person to talk to about that.

C: I'll go ahead and write that up as an issue, and I'll also note it in the notes, so that we can track that. So essentially it's going to give... this is coming back to this phenomenal data in that bucket, but if there's a static HTTP endpoint where people can be like, oh, I can go to package analysis, OSSF package analysis, and all of a sudden they can get the data, that will be great for others to consume this.

A: Awesome, yeah, that would be great. Yeah, yeah. That.

A: Okay, so yeah, well, so hopefully, yeah, I would say even if it's an extremely simple demo, like screenshots, that would be really helpful, and then we can collaborate on that. And hopefully then, I would say, yeah, by the next meeting I'll have some, like, really basic templates and stuff that can help with kind of structuring also.

A: I want to thank everybody. Randall, thank you for taking the time to do some of that intro research on using GitHub, and I look forward to seeing how that develops. And yes, we're certainly looking forward to working together as a group on this effort, and hopefully, you know, I'd love to, by the end of August, maybe have, like, something that we can present to the TAC or further wide.

A: So thank you all again. I'll see you all in two weeks. If you'd like to take the conversation to Slack, feel free to do that, or if email's preferred, you could just email the group. But yeah, again, thank you all so much for participating today, and I look forward to talking to you in two weeks.