From YouTube: Securing Critical Projects WG (March 25, 2021)
Description
No description was provided for this meeting.
A: All right, cool. So welcome everyone today. Sorry for any confusion on the meeting times; we moved this one as a one-off for my co-worker, my colleague Oliver, who's in Sydney, so the 9 am meeting time does not work well for them. So I appreciate those of you coming and making this time work. So right now we have two agenda items.

A: So with that, Oliver, do you want to kick it off and maybe give a brief intro for yourself?

B: Sure. Hey all, I work with Kim on a lot of open source security work. I think she already mentioned I'm from Sydney, Australia. So I apologize if my speech is a bit slurred; it's a bit early here, I'm still trying to wake up. Hopefully I can still give a presentation on something we're working on called OSV.

A: If you prefer me to present the slides, I could do that too. If you want to shoot me the link quick, if you want to keep your version open.

B: Cool, all right, I think it's working. Thanks everyone for coming. So I wanted to give a quick demo on something I'm working on called OSV. So this is short for Open Source Vulnerabilities, and it's a vulnerability database and automation infrastructure that we're building for open source.

B: Traditionally, it's been pretty difficult to build automated tools for them; they have been difficult to parse, and the key issue is with the lack of precise versioning for CVEs. In particular, it's really difficult to take a CVE and match that to an exact version and package of a vulnerability, also the exact version of the package that we're using as a dependency. And on the flip side, generating the precise information that we want to see and requesting CVEs is also quite difficult.

B: So we've also seen a lot of open source maintainers not take the steps to generate the required information and request CVEs in the first place. So we end up with a lot of missed vulnerabilities.

B: So to address this, we launched something called OSV a few months back, I think one or two months ago. And so again, this is an open source vulnerability database and automation infrastructure for vulnerabilities in open source, and the key difference with CVEs is that we promote precise versioning for each vulnerability. So for each vulnerability we automatically perform bisections and look at the upstream repository to determine the precise ranges of both commits and also just version numbers that might be affected for each vulnerability. And currently we have a pipeline set up to automatically import a few thousand vulnerabilities from something called OSS-Fuzz, which is a free continuous fuzzing infrastructure that we run for over 400 now critical open source projects.

B: Okay, how is "introduced" determined? So for OSS-Fuzz bugs we do bisections. So OSS-Fuzz is a fuzzing infrastructure, so we're lucky there in that we have a reliable way of reproducing bugs for every vulnerability we find, and that means we can perform bisections to reliably determine the commit which introduces a bug.

B: Right, yeah, yeah. You can think of it as if we are running every single version and we can figure out the exact commit which started crashing.

D: Bisect's a capability built into tools like git, so you can, you know, if it was introduced, when was it introduced? Well, I'll check out the version two years ago; if it wasn't in there, that must be between two years ago and now. I'll check out the one that was done last year and go, I'm gonna do a binary search. There are problems with that, though. I mean, if the API changes, the vulnerability may have been there earlier, but bisect won't be able to tell.

E: Yeah, I was going to mention it later, but I just put it in the chat. I mean, another project that, you know, looks for the introducing commits on vulnerabilities, and the goal is a research database.

E: It's vulnerabilityhistory.org, and there's a lot of challenges with figuring out when a vulnerability is actually introduced. We call them the VCC, the vulnerability contributing commit, and we have some automation called archeogit to automate that, and we just did a manual validation of the algorithms in there. And you know, there's a lot of challenges in terms of picking up sort of spurious changes, and I didn't know if you had any workarounds on that, or if you knew that you can get a lot of false positives.

B: We see that this works for the majority of cases, but in the cases where this does not work, we do provide a way for users to kind of fix up any incorrect information, and I'll demonstrate that as well as part of this demo.

B: Cool, yeah. So I think I was talking about the API. Yeah, so we provide the API as well that people query for vulnerabilities. So one way to do this is by providing just a commit hash. You don't have to provide anything else. You just pass it to the API and the API will return any vulnerability in any package that we know about, and return this result in this JSON format that we defined.

B: So that was kind of how a user of an open source package might use our service. But, as Chris mentioned before, there might be issues or inaccuracies with using automation to determine all of our data. So we do want to provide a way for people to manually fix up any inaccuracies as well.

B: So this is a repo that isn't actually public yet, so this is a bit of a preview. We are probably going to make this public in a matter of days. So this is the automated repository of OSS-Fuzz vulnerabilities from OSV, so all the files here are automatically imported, and these are the same data that we expose via our API. And the interesting thing about this repo is that this is interactive and there's a lot of automation involved. So, as a user, I have a test command here.

B: I might come in and fix up the fixed commit range, and I want the infrastructure to recompute all the versions that are affected. So I make this commit, and then the infrastructure comes in very quickly after and says, okay, this affects version 3.9.0, and it'll update the modified field.

B: So that's just an example of some automation that we can do here. There's a bit more under the hood that we're doing, so stuff like bisection, and we really want to generalize this to help other ecosystems with managing vulnerabilities. So, for example, generalizing our bisection infrastructure so that we can provide a mechanism for people to bisect any vulnerability, even if they don't come from a fuzzing source, and in general just trying to reduce the amount of work it takes to maintain a vulnerability database and have quality, precise version information.

F: Thanks, Oliver, great presentation, thanks for presenting it. I think there is a similar effort from the other open source community, right, like the problem with the CPEs and everything. So there is a spec called Package URL. So it also addresses the same thing, right, like not having someone manually describe a version of a software or something like that. So, you know, having Package URL support would be great. Package URL is already used in SPDX standards and many open source tools and even commercial tools; they are moving away from CVE/CPE to Package URL.

F: So, you know, if you guys can support a Package URL query, right, so similar to your existing queries. I don't think it's that complicated; it should be straightforward, right? So it can add great value for other ecosystems to search in your database.

B: Sure, yeah, I think it's definitely something we can easily add. So all the necessary data is already there in our database. I think we can easily add a new API endpoint where you provide a Package URL instead of the individual ecosystem and package name.

B: It's just that at this point we are more focused on getting more sources of data into our database, so all of our work is focused on that for now, and then perhaps once we get to a good state there, we can look at making more improvements to our API.

B: So just an example: if you do a pip install, there is no mechanism today which checks for vulnerabilities in your pip packages. There are commercial tools out there, but we really want the open source world to kind of land on a common set of tooling that works on a common format to deal with vulnerabilities.

B: So our main use case, I guess, is people who use open source packages in any open source package ecosystem, like npm, PyPI, crates, Go modules, anything.

B: Sure. So definitely we are working on some tools to help look at the existing NVD database, for example, and try to automate as much of the process as possible in providing this. We think there'll always need to be some human element involved. Automation is not enough to scrape CVEs; otherwise CVEs would be sufficient as a source of vulnerabilities. So we're definitely building tools to automatically look at these feeds and provide a list of things for a human to look at and perhaps add to a database of vulnerabilities.

B: Yeah, for sure. I understand that the Ruby one is literally a single person working on it in their spare time. So, if they're away for a weekend, it just doesn't get updated.

A: All right, I'll get a copy of his slides too and post them in the notes. Amir, you want to take it away?

C: Sure, so I'm going to present my screen and show a document. I didn't really do too much in terms of a presentation, but I have a document, and Derek's going to kind of go through the document with us.

H: Okay, so what I wanted to share with you guys today is something we've been working on for a few months now. For those of you who know what we do, this is a continuation of what we've been doing for the last five years. For those of you who have never heard of us, what we do is open source auditing. We raise money, usually from corporate backers. We audit projects based on whether we think they're critical infrastructure or not.

H: I'm not going to show that list today, because we have 23 people in this room and I guarantee we're going to have 23 different answers on what should be on that list. We used a very data-driven approach. There were some projects that fell off of this list that I personally want on there, but we are going to show this to the TAC and they're going to decide whether these projects are actually important or not, or whether we should tweak this list, etc.

H: What we have been spending most of our time on is scoping these projects appropriately, so that we can come up with an actual budget, because one of the things that we have heard when we've gone to groups for money is, we need to know exactly how much money you're asking for, and that's a question we can never ever answer, because this stuff is very vague.

H: And then, as we move forward from there, we can begin the work as soon as we have money. Frankly, we are prepared with many, many security teams who can work on this in parallel.

H: I really don't want to get into the nitty-gritty of the entire process. I will let questions handle that, because we're going to be all over the place with that stuff. So do you want to scroll down past the objectives here?

H: Absolutely. We're using the Google criticality score project, we're using the LISH survey. We are using the recent underproduction paper that we just went over in this group, and then we also look at the dependency trees from the top projects, and we have an extensive advisory council of experts who advise us on narrowing down the list, because we initially came up with like 38 or 39 projects, which we whittled down to 25 for various reasons.

H: I just want to make sure that that's abundantly clear, because I think that everybody's going to have the urge to get all of their pet projects on this list, and that is fine if we're adding to the list. But if we're taking things away, we're kind of killing some work, and also we tried to take the best data-driven approach.

H: So hopefully everybody will be at least somewhat happy with the list. And then I wanted to talk a little bit about the critical advantages. We are designed from the ground up to solve a lot of the problems, monetarily, that projects run into when it comes to getting security work done. This can be everything from projects that have no central authority, no business entity, no bank account, so they need somebody to hold things in escrow or pay for things.

H: Oh, and then we talk about what to expect. So what we do is we facilitate security fixes and we try to help projects make long-term fixes to close classes of bugs. So we advise them on how we found the bugs, what tooling we used to do it, and how this problem surfaced, so that it can be remediated over the long term.

H: We have many of them. I think we've closed 370 bugs to date, something like that, and then additionally...

H: We've been operating a pilot program for five years on a shoestring budget. Yeah, to be completely honest, 95% of my work is currently fundraising. Sure, so if we actually secured backing and hit the ground running for an entire year, we would have probably five-fold that number in under a year.

G: Is there a... and I know, is now a good time to ask questions? Are you in the...

G: Well, I'm trying to see if I can understand better about what you're doing. So if, for example, there's a project on the list that you say, golly, it would be great if... this is a project that has a lot of dependencies. It's not very, maybe, fixing bugs very quickly or looking at security issues. Would you describe some of what you'd do? You'd say: hey, we found some bugs, here's some fixes, and here's maybe some architectural things to help.

G: And the money is... I'm trying to connect the dots here, so the money goes to hire more people who are developers who can do this work? Is that the idea?

H: Actually, I think if we scroll down, Amir has two examples in our supporting evidence section here where we can talk about two of our things. Yeah, here. So we did OpenSSL version 1.1.1, which is the version that implemented TLS 1.3, and that's important, because one of the things that we learned is not to reinvent the wheel.

H: When it comes to security audits, we wait for a major release where a lot of code is changed or green, because it's adding new features or making significant changes to the software, and then we do an audit. And because this had a lot of green code, we looked at the new PRNG and all of the TLS 1.3 code, and they made, let me look, 15 potential security fixes. Now that was alpha code, so we don't call them CVEs or anything like that.

H: But there were 15 fixes that were applied because of that research. And then additionally, Unbound DNS, which is the next project, made 48 fixes as a result of our audits, and of those six, I think, were severe, so high or critical CVSS.

G: And the other question I had was: research that we've heard about from Harvard has, you know, suggested that it's not always easy to connect money as a motivator for open source. Yes, right, absolutely. And so it sounds like what you're doing here is a little bit of a, hey, let's hire some security people with money who can go into the projects and help them understand what their security vulnerabilities are, etc. I'm trying to play the movie forward here.

G: Let's say, you know, someone comes up with a big hunk of money, right, and you go, great, we can go address all these things, right, and then people sort of say, okay, good, problem solved, and then your, you know, hired security experts go off to do other things, right. Are we going to be...

H: Yes, absolutely. So that is why we focus on closing classes of bugs and educating the developers on specifically how issues came to be, so that the problems don't resurface as development continues on that project.

G: Or probably the better way of doing it: once you've picked off the lowest-hanging fruit, you can keep working up the tree, you know, and not have to go back and, you know, revisit.

G: Love it if they were, you know, for example, OpenSSL. I don't have clarity as to whether they've... they will no longer need sort of, you know, the extra help to, you know, fix their stuff.

H: Yeah, we do have to be careful, because it is a well of infinite depth where we could just go through. I could probably personally name three or four hundred projects that would be interesting, and you know we're never gonna find the money for everything, but we could prioritize at least this important stuff and start, right, and get the ball rolling.

A: One question I have... I've been thinking about this a little bit, is, you know, before Google would help, you know, fund something like this, is making sure that, you know, every single project on the list sort of has buy-in from the maintainers, a thing that we discussed as well here. Like, we don't want to go in and piss off a whole bunch of people. Have you thought about that at all, as you went through your project list, like making sure you can get buy-in from the project maintainers?

H: Yes, so far we haven't encountered a project that has said, we don't want security review or security help. If we did encounter that, I would hope there would be some type of negotiation or meeting that we could have that would change their minds.

H: I'm an infinite optimist when it comes to that sort of thing, but we would have to cross that bridge when we come to it. I can't imagine it's gonna be a pervasive problem. If it did happen, it would be a one-off thing.

G: I suspect probably in many of these cases it's like, you know, I know one really important open source package, I could name it, where the maintainer is literally a rocket scientist that works for NASA, and you know there may be a bunch of things which is like, we've sent them changes and they're not bringing them in, because they're off on the launch, and I don't know, Texas or something like that, right. So this is the reality that we have in the open source world.

H: Yeah, and there's definitely that piece of negotiation that goes on every time we talk about doing a project. Sometimes they just want to clean up their code before we do an audit; that actually happened with Unbound. They did a bunch of patching before we came in and did the security review, so yeah.

H: It is a negotiation process, but usually because we come in and say, hey, you know, free security consulting, we're going to help you guys out, most people are very supportive of that.

D: Derek, are you ready to share your list? You're still working on that list through the process you just described?

H: The list is complete as far as we're concerned, but we're going to share it with the TAC rather than the working group. My biggest concerns right now are, one, that everybody's gonna be unhappy with the list, because that's the nature of lists, and two, that there is approximately 300 hours of my own work in this, and somebody could just take it.

A: Yeah, but before you even do that, though, this is something that I was chatting about, like that the OpenSSF doesn't have a way of funding anything through the OpenSSF right now. It's something that it needs to do, and I unfortunately don't have an update on when that's gonna land. So that's just the situation we're in.

H: I understand we're not showing the list and that's not transparent, but we're going to show the list very soon. I just want to be in a position where we can say, here's the list, give us the money, let's go. And because the grant process hasn't been set up yet at OpenSSF, I don't want to get in a situation where the list goes out there and then somebody else tries to steal the work, more or less.

H: To be candid, there are some security companies that are operating in these channels and they have secured funding for specific projects that we've identified in the past, and they...

E: Channel, or you don't want to say? Yeah, I don't want to give specific examples, but...

G: You know, at least as far as my company's concerned, we've done a bit of analysis of the open source projects that our products depend on the most, and we are... I've got a data scientist working on this.

G: Unfortunately, he's on spring break, so we haven't gotten the answer back, but I wanted to do a cross-correlation between what he's done in this, or what intel that list, and a list that came out of this University of Washington research project that we heard about a couple weeks ago, which were the underproduced projects that they found in Debian. So what I asked one of my data scientists to tell me is, where's the cross-correlation, and is there one, as a way to kind of help motivate?

G: Having at least... I try not to let the perfect be the enemy of good enough, and it may be that, you know, we may come up with slightly different lists, but in any case, if there's... I, you know, am hoping that, you know, Kim and others, that we could think in terms of not boiling the ocean. But seeing, you know, are there a collection... my intuition?

G: Is that there's probably seven to nine projects that are, you know, if we could make a big difference on, you know, this year, it would help the community to a very large extent, right. That would be one contention that I've been arguing with my folks here about. Not arguing, discussing. We don't argue here. And the other...

G: I'm guessing the preference would be to funnel some contributions through Linux Foundation, as opposed to, you know... So if we can work out that, I don't know that for a fact, I'm trying to get the people with the purse strings to tell me the answer on this question, but I'm guessing that might be at least having the Linux Foundation on the hook to make sure this stuff, you know, functions a way. That's... I mean, we're very familiar with Linux Foundation, right.

G: Yeah, the one thing that disappoints me, which I don't think you're necessarily charged with being able to fix, is I wish we could figure out how to make durable changes to these projects. I have a fear that, in spite of your best efforts, they're just going to continue to, you know, putter along without the right sort of support, and part of, honestly, part of what the open source community may want to do is advocate for projects that are supported.

G: I mean, to be honest, you mentioned OpenSSL; it is the perfect example. I mean, you know, maybe Rustls or, you know, other options like that, or BoringSSL, which is, I think, a Google fork of OpenSSL. I mean, there's some... you know, that may be a better, you know, path. Well, I don't want to... I mean, nobody has any control on any of this, but that's one of those advocacies that might be a good option.

E: Is the only way to forget that... sorry, okay, riffing on David's idea? I mean, if there's infrastructure you can set up on projects, or, so you know, patterns and guardrails and other things you can do within the project, right, that prevent the repetition of mistakes, right, so is it introducing static analysis to projects, or doing other, you know, architectural-level things in the projects that make them more safe?

H: ...is to give them the ability to do their own security review from that point forward and evaluate whether any new changes are creating problems. So static analysis, dynamic analysis. One of the things that we also do is look at, if they are fuzzing their code, the coverage is often incomplete, so we will have engineers do the work to fuzz all of the code and then provide that to them so that they can fuzz all of their components.

H: Wider coverage is really important when it comes to that, and when you fix one problem with fuzzing, when you fix an issue with fuzzing, often the fuzzer can go deeper and find issues in other layers of code, because the first issue was causing a crash, so the second issue was undiscovered. So things like that are what we tend to focus on.

G: I had a question, but I didn't want to... I already asked one, so I didn't want to be jumping in too fast here. I'm trying to understand the audit methodology. You said it was more manual review than pen testing. So it's more of a, like...

H: Okay, yes, that's accurate! I'm reading, I'm...

H: A two-parter. So we had JP Aumasson, who is a PhD-level cryptographer, review just the PRNG, because that is a critical, critical piece of software, and they completely re-engineered it. So he did a review first, and then we had Quarkslab come in and do a review of all the TLS 1.3 code, and then they also looked at the PRNG after all of the fixes were applied from JP's review.

H: So in aggregate we had, I can't remember what the total is, but from the presentation...

F: Currently, with the Google's Project Zero team, or are you planning to do that in future? Like, I think they are also focusing similar, right, Project Zero.

H: Oh, Google Project Zero. Yes, it's literally Google Project Zero, only more targeted and more of it. The Project Zero guys do amazing work, and I actually got the idea for OSTIF from Project Zero, the difference being the Project Zero guys just work on whatever they want and we work on something that's very, very targeted, and we try to solve all of the little issues that come up with individual projects that are barriers to them getting security review.

H: Yeah, definitely. I would actually one thousand percent support some help from Project Zero. We've approached them a couple times before, but the response was something like they're concerned about conflicts of interest arising. I'm not sure exactly how that works with open source software, but that was the response that we got, so.

A: One idea that I've been working on a little bit, and trying to get LF to help flesh this through, is sometimes a lot of these projects, what they need is help not with code. So I'm hoping that I will be able to stand something up soon that basically says, like, hey, if you're, you know, a popular open source project but need help with things like your logo, documentation, code reviews, like, let's get you the help that you need, so you can actually go focus on...

H: Yeah, that's what I find interesting about the LFX system, is that we can set up a project for an entity that has no bank account, no business entity, nothing like that, can't even handle money in a legal fashion. That's not going to cause an IRS nightmare for whoever's donating, and we can basically escrow all of that for them, and they don't have to handle any funds. They don't have to, you know, worry about selecting the right people; it's just all done for them. It makes the whole process easier.

E: No, yeah, not them. They traditionally did like license enforcement for Microsoft and things like that, okay, and Oracle, but they have all the major... all of the major software organizations are a member of that trade group.

A: Yeah, send over details when you're ready.

H: Yeah, we will have them for you very quickly. I'm glad that everybody seems excited about this.

A: Cool, all right. Only about five minutes left. Should we call it a day? Any other last-minute questions?