►
From YouTube: Securing Critical Projects WG Bi-Weekly (July 14, 2022)
B
A
C
A
A
C
C
C
F
C
C
G
C
A
Sure
this
is
actually
pretty
straightforward.
This
is
more
of
a
heads
up,
the
tac
agreed
at
their
meeting
earlier
this
week.
They
want
to
start
enforcing
dcos
they're
actually
in
the
charter,
but
because
we're
not
enforcing
them,
they
don't
always
happen.
How's,
I'm
trying
to
be
gracious,
so
it
turns
out
it's
not
that
hard
to
turn
on
a
requirement
and
whine
at
you.
A
So
it's
basically
a
super
inexpensive
way
to
provide
some
extra
legal
protections
that
a
lot
of
projects
use
so
just
want
to
give
give
a
heads
up
the
the
plan
is
to
enforce.
If
there's
a
problem
that
we
don't
know
of
you
know,
let
us
know
we're
we're
trying
to
give
a
little
time.
Just
in
case
we
there's
a
problem.
What
do
you
mean
basically,
okay,.
A
Right
right
I
mean
you
know
the
the
point
of
the
dco
is
to
make
it
relatively
easy.
Just
it's
a
reminder
that
before
you
commit
oh
wait,
do
I
have
the
legal
right
to
do
this
for
most
of
this,
this
is
not
a
problem
I
mean
you
know,
hopefully
most
folks
work
with
your
employer
and
making
sure
that
you're
not
doing
something
illegal
or
you
know,
in
violation
of
your
your
employment
or
con
contractual.
A
B
A
A
Right,
that's
right,
right
and-
and
my
experience
has
been,
if
you've
never
done
it
before
and
say:
oh
wait,
new
step
and
then
after
you
do
a
little
bit.
You
start
just
doing
it
everywhere,
because
it's
I
mean
it's,
it's
a
lowercase
s
option.
If
you
use
git
commit
it's
not
hard
and
please
do
read
the
dco
it's
what
a
third
of
a
page
and
basically
just
says
before
of
this
commit
I'm
asserting.
I
have
a
legal
right
to
do
so.
I
mean
that
that's
all.
It
is.
A
E
A
A
A
C
Yeah
this,
what
this
makes
me
think
of
is
I
I
do
think
it
makes
sense
to
maybe
at
some
point
in
the
near
future.
I
know
we
had
talked
about
this.
I
think
a
couple
months
ago
about
really
kind
of
dotting
our
eyes
and
crossing
our
tees
in
terms
of
like
everything
we
need
to
do
with
governance,
like
with
our
charter
and
and
kind
of
kind
of
formalizing.
C
All
of
that,
so
I,
if
it
sounds
good
to
jeff
and
and
everyone
else
in
the
work
group,
I
think
it
makes
sense
to
maybe
take
one
work
group
meeting
in
the
near
future.
To
once
we
have,
I
would
say,
good
guidance
of
what
we
need
to
actually
deliver,
really
just
kind
of
all
put
our
heads
together
and
and
kind
of
get
all
of
that
taken
care
of
with
with
kind
of
our
governance
and
some
of
our
administrative
tasks
that
we
need
to
do.
C
Awesome:
okay,
next
on
the
agenda
is
oss
europe,
so
that
is
going
to
be,
if
I'm
not
mistaken
in
dublin
ireland
in
from
september,
I
believe
it's
13th
through
the
15th
should
be
a
good
event.
I
know
oss
oss.
What
am
I
trying
to
say?
North
america,
I
almost
said
native
america,
sorry
oss,
north
america
was
a
fantastic
event
and
I'm
anticipating
oss
europe
to
to
be
very
similar,
so
do
check
it
out.
Let's,
like
looks
like
they're.
C
G
Oh
sorry,
what
was
that
you
said
jeff
yeah,
I
didn't
see
it
open
yet,
but
I
I
remember
the
initial
communication
to
the
working
groups
was,
you
know
tell
the
working
group
that
there
will
be
a
formal
cfp
and
and
to
prepare
proposals
for
when
it's
when
it
happens
it
might,
it
might
be
fast.
It
seems
like
it's
coming
up,
yeah
yeah.
I
have
a
feeling
it
is
and
that's.
C
Okay,
that's
correct,
okay,
awesome!
Thank
you!
Thank
you.
Everyone
for
the
confirmation,
okay,
yeah,
so
yeah
definitely
check
out
the
event.
If
you
can
make
it,
I
would.
I
would
recommend
it.
Lf
events
are
great
and
they're
a
good
way
to
see
people
in
person
and
and
catch
up
and
learn
about
all
the
the
great
initiatives
going
on.
C
C
G
Had
discussed
this
in
a
previous
meeting
and
the
idea
was
just
to
get
some
names
down
before
we
get
to
the
point
of
the
whole.
Was
it
charter
and
things
like
that
of
the
more
strict
definition,
but
at
least
get
something
down
so
that
we
can
kind
of
have
more
focus
around
each
effort
that
this
group
is
doing
so
and
good
comment
there,
david
yeah,
I
should
add
caleb.
C
C
C
And
then
the
next
thing
we
I
I
threw
something
up
on
the
agenda
from
as
a
continuation
of
the
conversation
from
two
weeks
ago
about
this
this
process
dock
for
identifying
critical
projects.
I
thought
before
we
dive
into
that
if
there
were
any
other
kind
of
open
agenda
items
or
topics
that
anyone
would
like
to
bring
forward
first
before
we
kind
of
dive
into
that,
I'd
be
happy
to
hear
from
from
the
work
group.
A
A
C
Yeah
I'll
share
it
now
so
just
to
be
easier
and
if
you're
in
the
in
the
google
group
for
this
working
group,
you
should
have
full
access
to
the
document,
but
in
case
you're
having
issues
with
access.
Please
let
me
know,
and
I'm
aware
we
still
need
to
to
kind
of
get
that
fully
figured
out
to
the
google
docs
and
and
the
permissions
and
what
have
have
we.
But
if,
if
we
have
the,
if
we
have
the
document
up,
I
could
even
just
for
ease.
C
Let
me
see:
oh,
I
can't
share
my
screen:
okay,
yeah.
So
the
first
thing
that
I
added
that
I
would
love
to
have
some
discussion
on
and
maybe
come
to
consensus
on.
Is
we
talked
a
little
bit
about
you
know
what
is
the
really
the
purpose
or
the
objective
of
this
list,
and
so
underneath
underneath
objective,
which
I
put
you
know
a
process
for
nominating,
identifying
and
prioritizing
critical
projects,
critical,
open
source
projects.
C
The
reasoning
for
the
list
I
put
to
provide
a
best
effort,
analysis
of
quantitative
and
qualitative
research
in
the
open
source
ecosystem
and
generate
a
curated
living
list
of
projects
deemed
critical
to
organizations
and
individuals
open
the
floor
for
discussion.
If
that
sounds
kind
of
like
what
we're
looking
to
to
accomplish
here,
more
than
happy
to
include
thoughts
and
feedback
to
improve
this.
A
That's
okay
is
the
we
probably
ought
to
make
it
clear
that
this
is
our
an
initial
process,
except
it
may
be
a
process,
an
initial
process,
because
I
I
really
liked
jacques
presentation,
I'm
sorry
that
everybody
didn't
get
to
hear
it,
I'm
hoping
that
video
is
going
to
be
out
soon.
It
was
a
great
pitch
on
a
I
think,
a
better
long-term
process.
A
C
Yeah,
so
the
under
deliverables-
I
I
thought
the
first
phase
could
be
just
kind
of
a
list
of
projects
deemed
critical,
not
necessarily
prioritized
or
chopped
up
in
any
given
way
kind
of,
like
vicky's
example
of
like
100
greatest
hits
to
use
kind
of
a
music
reference.
So
I
think
at
least
to
my
understanding
that
is
the
kind
of
phase
one
or
step
one
is
to
just
get
a
list
of
projects
that
we
kind
of
ran
through
some.
C
You
know
some
analysis,
some
some
some
feedback
and
came
up
with
this
list
for
people
to
ingest
and
use
how
they
seem
fit,
because
I
think
it's
important
that
we
don't
be
too
prescriptive
and
say
like
this
is
something
for
you
to
consume,
but
again
that's
kind
of
what
we're
discussing
here
to
figure
out
and
make
sure
we
we
are
in
agreement.
So
david.
You
have
your
hand
up.
A
Yeah,
first
of
all,
I
do
want
to
support
a
you
know:
a
co
not
ordering
within,
mainly
because
I
I
think
it's
we're
going
to
struggle
trying
to
come
up
with
that
order.
We're
not
jacques
more
sophisticated
approach,
I
think,
would
would
be
better
if
we
were
trying
to
have
a
more
differentiated
ordering,
but
given
that
we're
right
now,
just
trying
to
come
up
with
that
rough
order,
I
think
I'm
differentiated
is
better
just
because
we're
not
going
to
have
that
sophistication.
C
Yes,
so
does
the
and-
and
I
guess
to
conceptually
yeah
so
the
goal
is
to
just
kind
of
come
up
with
100
greatest
hits.
You
know
of
all
time
more
or
less,
as
kind
of
like
a
phase
one
and
the
reasoning
for
that
is
again.
We
want
to
have
something
that
people
can
use.
You
know
as
a
data
point
and
you
know
to
to
for
their
own
use.
C
Okay
and
again,
and-
and
thank
you
david-
I
actually
like-
if,
if
you
want
to
either
do
suggested
mode
to
include
suggestions,
they
are
more
than
welcome.
So
let
me
look
at
the
notes,
so
I'm
actually
going
to
put
this
in
the
notes
for
people
to
comment,
and
then
yes
and
then
we
started
talking
about
kind
of
the
first
step
of
that
at
least
how
I
kind
of
visualize.
It
is
what
I'm
calling
an
ingestion
engine
like
something
that
we
take.
C
D
C
D
D
You
like
to
see
the
light
at
the
end
of
the
tunnel
instead
of
more
tunnel.
I
know
that
feeling
yeah,
so
I
think
that's
fine.
That
would
to
me
meditate
and
favor
a
very
simple
solution,
something
like
google
forms,
plus
you
know
backing
into
a
spread
spreadsheet
a
google
sheet
yeah,
just
something
really.
C
Simple:
okay,
yeah!
That's
that's!
That
is
what
I
was
leaning
towards
too.
I
don't
want
to
be
too
my
too
myopic
and
just
think
about
what
we
did
in
our
first
iteration,
but
when
I
think
of
what
can
be
done
relatively
quickly
and
easily,
I
I
even
have
that
here
too,
a
google
form
and
that
feeds
into
like
a
sheet
of
of
of
identified
projects
being
kind
of
like
the
first
phase.
C
So
do
we
have
any
thoughts
on
that?
I
I
think
github
could
potentially
work
in
some
ways
because
there's
strong
kind
of
change
controls
and
you
can
kind
of
see
what
other
people
are
doing
and
and
contributions
they're
making.
But
but
again
it's
we're
walking.
The
fine
line
of
you
know
actually
having
something
a
deliverable
to
show
people
and
but
wanting
to
do
it
in
a
way,
that's
effective
and
can
be
built
on
so
do
we
have
any
thoughts
on
that.
A
H
C
Yeah
yeah,
that
was
yeah,
and
that
was
exactly
my
intention
too.
I
I,
like
the
idea
of
you,
know
a
small
project
maintainer
being
able
to
to
make
their
case
and
say
you
know,
have
the
opportunity
to
be
like
hey.
I
think
my
project,
for
example,
could
be
considered
critical
due
to
these
reasoning
and
just
really
give
folks
the
opportunity
to
to
to
do
that.
David
david,
you
have
your
hand
up.
B
Yeah,
I
mean
one
all
through
that
sort
of
related
to
this
is
actually
talking
with
a
colleague
of
mine
july
4th
former
colleague,
who
works
on
a
couple
small
projects
and
what
I
actually
suggested
him
is.
Why
don't
you
go
over
to
the
lf,
the
was
the
critical
infrastructure
initiative
or
whatever
this
dispatches
and
fill
it
out
and
fail.
B
Just
to
say
another
alternative
to
how
to
end
this.
It's,
like
you
know
it's
already
publicized.
Sorry,
we've
been
saying:
okay,
you
know,
we've
got
whatever
this
lf,
the
whatever
the
badge
is
called
now.
Whatever's
inside
go
go
to
the
business
like
this
entire
forum.
You
fill
out
of
okay,
I've
got
this
characteristic
and
I've
got.
You
know
this
committee
and
I
get
said:
go
to
the
forum.
Add
your
project
and
fail.
B
So
that
was
you
know
it's
like
easy.
You
know
the
lf
is
already
even
for
years
I
mean
the
previous
core
infrastructure
initiative,
project
equipment,
sort
of
critical
infrastruc,
whatever
the
heck
that
acronym
stands
for.
You
know,
let's
just
you
know
publicizing
this,
so
you
know
we.
You
know
people
at
least
there's
some
awareness
with
those
two.
You
know.
Studies
and
reports
of
you
know
here
is
a
a
funnel.
D
D
B
D
B
But
I'm
just
thinking
we're
looking
for
other
I
mean
I
thought
part
of
this
was
how
to
get
other.
You
know
other
data
points
I
mean
how
to
get
you
know
other
places
for
for
things
that
are
missing
off.
I
mean
sort
of
this
alpha
omega.
I
mean
like
what
what
we've
got.
You
know
what
the
the
the
the
big
high
you
know,
publicity
you
know
top
of
the
line
projects
are,
but
how
to
be
aware
of
these
other.
You
know,
in
addition
to
you,
know
all
the
great
work
that
you're
doing.
B
B
H
H
Please
pay
attention
to
me,
but
we
need
to
give
them
tools,
and
you
know
if
we
we
might
have
tools
to
determine
a
blast
radius
or
you
know
severity.
You
know
even
for
a
small
blast
radius
or
some
things
like
that
that
that
fit
into
our
criteria,
but
we've
acknowledged
we
still
want
to
make
it
flexible,
so
we
can
give
them.
You
know,
give
teams,
proof
say:
pay
attention
to
my
project.
H
We
use
the
same
tools
you
did
and
I
can
prove
from
my
ecosystem
or
from
my
language
or
whatever
it
is,
but
I
have
a
similar
blast
radius
within
this
this
domain
or
this
ecosystem.
So
I
you
know,
I
don't
want
to
encourage
build
a
game
system
by
saying
fail
something
to
get
on
the
radar.
You
know
this
team.
This
group
has
proven
through
our
conversations,
that
we
want
to
be
considerate
of
a
larger
community
and
that
we
acknowledge
that
we
can
never
get
a
perfect
set
of
tools
or
readouts.
H
C
It
would
just
be
so
there's
a
google
form
where
you
can
basically
nominate
projects
and
then
that
feeds
to
this
sheet
of
identified
projects
that
we're
calling
does
it
make
sense
to
just
kind
of
have
it
singular,
meaning
the
only
way
to
basically
get
a
project
nominated
onto
this
sheet
of
identified
projects
is
through
the
google
form
as
a
process,
or
are
there
better
ways
to
potentially
to
do
that
or
offer
multiple
ways
to
get
projects
basically
nominated
or
on
to
this
kind
of
this
identified
list?
Thank
you.
Jeff
take
care.
H
Well
again,
it
comes
you
know
if,
as
long
as
they
have
a
way
to
you
know
if
they
show
up
to
the
work
group
meeting,
you
know,
I
think
the
former
is
the
best
approach.
Having
a
single.
You
know
point
of
entry,
a
single
path
for
everybody.
You
know
they
can.
They
can
come
to
this
meeting
and
plea
their
case
and
bring
other
evidence
or
whatever,
but
in
the
end
they
can
attach
it
to
a
form.
H
C
C
And
I
feel
like
maybe
we
shouldn't
constrict
ourselves
to
where
you
can
only
nominate,
like
one
project
perform
correct
like
if
you
are
familiar
with
a
large
list
of
projects
that
you
think
are
critical,
being
able
to
nominate
all
of
them
via
one
form
might
be
easier
than
you
know.
If
you
have
to
go
one
by
one
and
nominate,
you
know
only
one
project
at
a
time.
C
G
C
G
F
G
G
C
H
H
Yeah
so
I
mean
so
it
got
me
thinking.
You
were
talking
about
granularity
of
project
relative
to
number
of
repos,
but
I
think
it's
also
relative
to
packages
so
well.
We
have
a
way
to
say:
give
us
an
s
bomb
for
for
argo
for
tekton
or
something
you
know
things
that
we
even
reference
here
and
open
ssf,
saying
here's
my
s-bomb
and
you
can
use
the
the
composite
components
for
that
software
to
help
weight.
You
know
lower
level
building
blocks
there's
their
severity.
H
C
D
Yeah,
I
was
just
gonna,
say,
probably
a
good
source,
for
that
would
be
the
harvard
census
rankings,
because
they've
already
sort
of
done
that
that
heavy
lifting
defined
dependencies
of
dependencies
of
dependencies.
That
sort
of
thing
and
the
really
nice
thing
about
the
harvard
data
is
that
it's
based
on
basically
telemetry
from
software
composition,
analysis
on
sort
of
private
code
basis.
So
basically
what
what?
D
H
Yeah
yeah,
I
agree.
The
harvest
comes
to
mind
heavily
in
every
every
time
we
meet
in
my
back
of
my
mind,
but
it
goes
back
to
additive
waiting.
So
you
know
we.
We
acknowledge
that
you
know
there
there
has
to
be
willingness
and
in
in
you
know,
by
submission
of
form,
you're
willing
to
participate,
you're
asking
for
help
you,
you
know
those
type
of
things.
So,
in
addition
to
any
base
waitings,
we
have
that
kind
of
indirectly
adds
to
awaiting
to
this
to
the
set
of
these
dependencies.
H
You
know
an
indicator
that
there
also
is
a
willing
set
of
you
know
contributors
either
knowingly
at
a
top
level
saying
I
know
this
package
is
important.
I
submit
that
package
again
or
I'm
spending
techton
and
indirectly
we
can
say
oh
you're.
We
we
see
that
techcon
is
highly
dependent
on
the
signing
library
and
that
adds
to
the
weight
again
type
of
thing.
So.
D
G
C
B
C
I
I
D
D
C
G
G
I
mean,
I
think,
there'll
be
a
step,
so
I
think
on
the
form,
we're
not
going
to
ask
people
to
type
that
in,
but
I
think
there's
going
to
be
a
step
between
a
and
b
here,
the
ingestion
engine
and
the
identify
projects
where
there
are
columns
that
we
need
to
fill
out
based
on
data
like
the
harvard
ranking
and
things
like
that.
So
the
the
list
there
under
b
poll
count
data
harvard
census.
Data
et
cetera,
should
probably
include
that
as
well
and
hopefully
there's
a
way.
We
can
automate
that
through
the.
C
C
What
projects
and
recommended
some
of
those
and
a
lot
of
those
cross-referenced
with
stuff
on
you
know
the
harvard
study
criticality
score,
for
example,
so
that
we
definitely
do
want
to
capture
selection
criteria,
or
you
know
why
a
why,
basically
and
lots
of
times,
I
think,
a
pretty,
probably
an
easy
way
that
we
could
at
least
do
some
automated
analysis
of
this
is
seeing
what
projects
come
up
on
multiple
on
multiple
selection
criteria.
So
something
comes
up
in
the
harvard
study,
as
well
as
the
criticality
score
as
well.
C
C
C
D
C
Yep,
that's
a
good
point.
I
mean
we
do
want
to
make
this
less
as
as
less
manually
intensive
as
possible,
but
I
think
if
we,
if
we're
able
to
to
get
help
from
you,
know
the
community,
for
example,
people
who
are
nominating
projects
to
to
do
some
of
this
stuff
as
they
as
they
get
involved
to
to
nominate
a
project.
Hopefully
that'll
ease
some
of
that
that
manually
intensive
work
that
needs
to
be
done,
yeah
and
hopefully,
as
we
iterate
more.
You
know,
maybe
we'll
find
you
know
clever
ways.
C
C
It's
a
that's
a
good
point.
I
I
I
mentioned
github
earlier
in
the
meeting
of
a
potential.
Basically,
I
can't
think
either
but
yeah
using
github,
but
I
don't
know
I
I
don't
know
github
very
well,
but
it
could
be
something
we
could
migrate
to
or
even
do
from.
You
know,
as
we
start
to
do
this.
I
do
a
lot.
I
C
C
C
C
G
I
was
gonna
say
to
jacques
point:
you
know
if
we
get
a
lot,
if
if
our
list
is
really
long-
and
we
want
to
maybe
like
take
a
pass
first
of
whittling
it
down
and
then
when
we
did
this
the
last
time
it
wasn't
that
it.
It
wasn't
that
hard
to
like
kind
of
look
up
these
some
of
these
stats
in
real
time
going
through.
But
if,
if
the
list
isn't
that
long,
so
we
might
have
to
do
a
staged
approach
or
something
like
that,
but
yeah.
G
C
C
C
Thank
you,
randall,
okay,
so
we've
got
about
five
minutes
left
I
like
to
keep
the
end
of
meetings
open
for
just
general
discussion.
If
there
was
something
that
maybe
someone
didn't
get
to
or
didn't
get
a
chance
to
to
voice
their
opinion
and
we'd
love
to
hear
from
you
as
well
as
I
guess,
any
general
project
updates
that
either
are
directly
or
indirectly
related
to
the
work
group.
We'd
love
to
hear
from
you.
So
the
floor
is
open
to
anyone
who
would
like
to
to
bring
up
a
topic.
C
C
Yes,
absolutely
send
my
email
in
the
chat,
yes
yeah
and
I'll
forward
it
to
jori
who
has
been
doing
helping
us
with
a
lot
of
that.
I
know
she's
on
vacation
for
until
I
think
the
very
beginning
of
august.
So
but
there
there's
other
people
that
I
think
can
help
with
this.
So
but
yeah
we'll
get
you
on
the
on
that
on
that
working
group
list.
C
C
C
We
just
I
think
it
was
monday,
monday
or
tuesday-
oh
stiff,
open
source
technology
improvement
fund.
We
released
another
audit
report.
This
one
was
of
the
cncf
project
cube
edge
and
it
I
thought
it
went
really
well.
We
found
some
some
some
issues
fixed,
some
of
them
actually
most
of
them
and
then
incorporated
some
new
fuzzers
and
wrote
some
new
fuzzers
for
the
project
so
that
they
can,
you
know,
continue
to
to
monitor
and
find
vulnerabilities
in
their
project.