From YouTube: Securing Critical Projects WG Bi-Weekly (June 29 2023)

D: That's meant to be... I pinged Jeff and Amir to have something added to the agenda, so I was assuming it's on.

D: That's not... I don't know if it's a make-a-decision-on-things, but let's have a look.

D: I don't know if Amir can make it, if he's going to make it. Let me see.
C: Yeah, no, no, no worries at all. I was just gonna say: yeah, I have to admit the different times have thrown me off a couple times, so I'm guessing other folks might be feeling that as well. So no worries, I mean it totally happened for some folks. It is, you know, time zones, so it is totally understandable, but I'm glad we have at least a couple folks here to have quorum for today's, the 29th of June.

C: So yeah, regrets from Jeff, who wasn't feeling well, so he couldn't make it today. I guess we could start like we normally do, with any new faces. If anyone would like to introduce themselves.
B: Yeah, so I'm Seth Larson. I was just recently hired by the Python Software Foundation to be the Security Developer in Residence, and I'll be representing the Python ecosystem as much as I can in these meetings, and so hopefully become a regular face here.
C: That's great, yeah, welcome. Welcome! Thank you so much for joining. Oh, that's wonderful! What time zone are you normally based in?
B: I'm US Central, but my previous employer was actually Elastic, and they are a globally distributed company, and so I'm extremely immersed in working at different hours of the day. Early in the morning needs to happen.
C: Awesome, well yeah, we're very happy to have you here. Would we want everyone to just give a quick introduction to Seth, just to give him some context as well?
D: The fool who didn't introduce themselves: I work at Google on the Google open source security team. We have Dustin Ingram, who's on the PSF as well. He works on our team, yeah, so I've been working particularly on a package analysis project, but also on the criticality score project for a while as well. So the criticality score, I don't know if you're familiar with either of those, but probably I might be talking a bit more about the former.
C: Awesome, awesome. Thank you, Caleb. Oh, and wonderful, so your summoning powers did end up working, yeah, David Wheeler as well.

C: We're giving a quick introduction of ourselves just to give us some context of who he is joining this meeting with, so.
A: Startup was just said that I am, everybody's coming late in the time zone and everything, and so there was like, you know, it was a big "Caleb shows up" and they killed. Oh well, I guess a beer is like, Amir shows up, and then I just said, well, who else should we, you know, call forth, like David Wheeler, and David Wheeler shows up.
A: You all right, so let's see here, so the 29th, and I see someone's already added my name. Thank you, yeah, so I'm David Edelsohn.

A: I work at IBM Research. I'm part of the GCC steering committee, which is a new toolchain working with the Linux Foundation and OpenSSF on the core toolchain project to create a robust infrastructure there, also with security, part of the okay Guru toolchain community, and also participating in a lot of helping with Jeff Borek and the IBM security team and Hospital team and their participation with the Linux Foundation and specifically with the OpenSSF.
C: Awesome, thank you, David. I can go next. I'm Amir Montazery of ostif.org, the Open Source Technology Improvement Fund. I'm the managing director. We specialize in helping open source projects improve their security posture, so we work with a ton of open source researchers, consultants, tool and fuzzing experts, all sorts of teams, and are able to mobilize resources to help projects, and we do a ton of work all over the space.

C: Some with Linux Foundation, some with Google, some with Amazon Web Services, a bunch of other folks, and I co-chair this working group with Jeff, who was not feeling well and can't be here today. But yeah, again, thanks for being here, Seth, and last but not least, we have David Wheeler. If you want to give a really quick intro, give us a.
C: Vest, I've been indeed, okay, I think. First on the agenda, we have updates from Caleb.
D: You heard all my, didn't hear all my stumblings, yeah. So a month or so ago we, I think, hopefully we emailed the document out that we had been considering for the package analysis project. So the package analysis project, we do a lot of.

D: Oh, we see a lot of packages, we see malicious packages, and part of the challenge is how do we, like, surface those, particularly for, like, improving the kind of value of the project and being able to communicate that, but also in a form that people can consume and make use of? So we propose this repository where we publish OSV, or Open Source Vulnerabilities, formatted reports that we generate from our infrastructure, and then, yeah.

D: So that's something we've been working on. If you have been looking at the repo or following its commits, you'll see that there's been a bunch of activity over the last few weeks, and it's now at a point where we are preparing internally to start pushing out OSV that we've been generating to the repo. But it's also ready for people who are interested in contributing to be able to do that as well.

D: So I have a PR with some documentation, but yeah, just wanted to kind of tell people that this has happened, that this is something we've been working on, and get any feedback that people have around this and this concept. Like, I'm kind of optimistic at this potentially being able to change the ecosystem in a way that's better, but I don't know, that's probably my optimism. But yeah, got some hands. David.
E: Yeah, so while having some results in some repo somewhere is probably a great start, I would like to plug this in to the various places that load in OSV. I'm really thinking of, like, the per-ecosystem things, where, you know, presumably they would want to know. You know, already we've got, there are a number of package managers and ecosystems which load in OSVs and then use that to do things like,

E: oh, you got a vulnerable version, update, or in this case, oh, you've got a vulnerable version, either, you know, stop using it or upgrade. I mean, it depends on whether or not it's a subverted version or the whole thing is an attack, and I don't know if you can, I'm not sure how you can determine that through automated means, to be honest.
D: So this is our stage two plan, is to, when we get some content in there, is to work with osv.dev, who, like, they literally sit across the office from me at work, so to get the data consumed by osv.dev. So that then means it rolls into their collection, and people can opt into using that themselves, and with that, without it, like, this is not perfect.
E: Have you talked with them, and maybe some of the repos? Because I wouldn't be surprised if, I mean, in general, I'm sure that they would want to do this, but there may be some concerns I would rather nip in the bud, so that, because, as soon as possible, I would like to get to the point where there's an alert, they die. You know, the whole package shows, it starts working where the pipeline starts getting through.
D: Do you mean, when you say repos, do you mean the open source package repositories?
E: Like, yeah, npm, PyPI, RubyGems, you know, those kinds of things: the repos and registries.
D: So I had a brief email with Dustin, and I mean Seth, whose hand's raised, probably has some thoughts on this as well.

D: It's one of these, like, we've got to build it for it to prove itself as valuable, so that's kind of partly why we're doing it, and also, like, to make package analysis interesting for people to contribute to. So that's kind of, like, on that motivation. In my mind, I would love for this to be integrated with the repos, and for that to be something that enables, like, a faster response to, right away, being detected, but it may not necessarily be.

D: It may be something that flags it and says, oh, we've noticed that this is potentially a problem, but doesn't restrict access. But this, like, really comes down to the quality of the data we have, how trusted it can be, and also how quickly we can have it consumed and build those pipelines. So I mean this is kind of evolving. I'd love for it to be accepted by repos, but we haven't really started those discussions.

D: Yet, I have a brief discussion, and Dustin basically said not yet, we're building our own thing, and it will depend on Seth and what he does. So, and maybe, I don't know if you or Seth, working for the IPA as well as just the PSF, like, I mean, you can tell us more. Your hand's raised.
B: The Python Package Index just received funding, and I'm posting something in the chat right now. This is an announcement for automated malware detection for external sources. This is something that's funded. It's not something that I personally am going to be implementing, because we're also hiring an engineer. The PSF is hiring an engineer to work specifically on PyPI and features, so this will likely go to this individual, yeah. That's one thing. The other side of it is the.
E: Seth, I can stall for you. So malware detection's hard, so I have no problems with multiple streams of efforts, each of them trying to do this sort of thing.

E: There is the challenge of false positives on a malware report, so I'm guessing that there's some sort of, the tool detects it, it then goes through some human to verify, and then it goes out. But yeah, I would very much like to see a pipeline, and, you know, if the Python Software Foundation's already doing this, some in detection itself, that's gonna make, "make" is the wrong word, but they're already going to have to have a way of taking that data and turning it into something actionable.
B: Having this isn't the, just because I want to make sure we're not going on the wrong path, this isn't the Python Package Index doing the malware detection. This is an endpoint that allows external malware detection people that are already doing this work to be able to automate it, in an automated fashion, be able to mark, like, a certain release or a certain point. Oh, oh.
D: Yeah, but this is cool, because then you can, we can plug that, build that into the repository as well, and that can become a way for it to end up in PyPI quickly. So it's like there are lots of opportunities in this space, and yeah, I agree with you, David, that, like, this is where I think competition is really good for security, and having lots of diversity in the ecosystem will improve the safety for people who are using open source, and I'm

D: okay with that, like, I think that's fine, but like part of, I hope as well from this, is that response times, exactly what you said, Seth, can go down, because often these packages eventually do get taken down, but there's this window where people are exposed before a security researcher is able to, like, get that report written, get it submitted to a package repository, someone at the package repository to triage and process it. So yeah.
B: So maybe just the thing that I remembered is that in this post here, Caleb, if you actually go all the way through to the blog post, not just the Discuss post, I think there is, like, a form, like a Google Form, that you can reach out, and then, because I think what they're trying to do is they're trying to solicit feedback from a lot of different people that would end up using this endpoint.

B: So definitely do that. And the other side of this, I think, is one of the goals, maybe, I'm not sure if it's explicitly listed out or not, but one of the goals that I would really like to see done is that if we have enough sources, and we have enough, like, historical data on how valid those sources have been historically, right, like we can kind of build something.

B: Maybe that is automated, that doesn't have a human intervention, if it comes back to it fast enough that, okay, our top five, you know, scanners have all said this is malware. Let's do a soft, like, delete of this file, and then let a human, like, flip the switch back the other way around. I think that's one of the goals of this project as well.
D: That's secretly my plan as well, is to be able to incentivize people to enter this space by, effectively, by becoming a clearinghouse for reports on malicious packages. You can then incentivize people to contribute that wouldn't necessarily do that, and they can compete on a level playing field with bigger players. So that's kind of my secret. I'd like that, it would be great, because then it incentivizes competition. Especially, I'm like, it'd be great to have a scoreboard, and you can see who's submitting stuff.

D: You can then see which sources are producing lots of false positives, and I mean this is good generally just for the health of the data set, but yeah, like, gamification.

D: So, yes, these are all great ideas. So, and the other part, the transparency, is really important too. I think part of the challenge has been that npm or, like, RubyGems, for example, will mark something as revoked, but other repositories, like PyPI and PyPI, you can go and query BigQuery and, like, you can compare what you can see publicly with what's in the database and go, oh, that's probably being pulled. But other things, like npm,

D: they may or may not publish an advisory saying something was malware. So often, as people who consume open source, you don't even know if the package that's not there anymore was pulled because of a security problem. So that's the other part of this. That's interesting.
E: And I should quickly add, unless they've changed their policies, the CVE process excludes malicious code, you know, so, which is completely, I think, not just wrong-headed but completely misses the point. You know, the whole point of the CVE process is to let people know you need to do something, and if you're not going to tell people about some of the most important things when they need to do something, you have no idea what you're doing, or at least you're not understanding the viewpoint of the users of vulnerability reporting processes.

E: Ask SolarWinds. Well, okay, I'm not, you know, many, many organizations. I mean, Microsoft has had distributed CDs with viruses in them way back when, you know, so it's, in the open source world it actually is pretty rare, too. Yeah, Sony. Well, certainly there's multiple issues there, but I mean Sony's a big org, to be fair, too, but I mean.
B: Do, yeah, there's also the problem of, like, name reuse, right? Like, if you have a, for example, on PyPI, you can, if a name gets pulled for being malicious, I mean, I think that the process, I'll end, don't quote me on this, I don't know for certain if this is the way it works, but I think that there is a process for you to be able to reclaim a name that's been taken down by PyPI.
D: I have seen packages, a package, get pulled from PyPI that eventually, that was malicious, and then a new package under that name got posted that was malicious as well. So I think, yeah, name reuse is definitely a thing. It's interesting as well, there are some, like, OSV itself doesn't account for dependency confusion, and it assumes that the resources are, the packages being pulled are from the public repositories, so there is kind of some challenge in consuming this for people who have internal registries.

D: So, but that said, like, it's also not necessarily a bad thing that you know that your internal package has been dependency-confusion attacked. So.
E: Caleb, let me clarify. I think what you said, strictly speaking, isn't correct, but I understand where you're coming from. If you go look at, at least the package URLs, back, if you say it came from Maven, then it came from Maven. That's what you're reporting it on now.

E: You can also include, it's using this protocol, but it's from somewhere else. You can include a URL and so on and say, okay, it's this format, but it's coming from over here, and that can handle both the multiple repositories. This is particularly common for system packages. You know, if you're Adobe, for example, you may distribute a Linux package that is from your own repo, it's not in Fedora's or Debian's or Ubuntu's, even better, yeah.

E: But, and you can even use that for internal repos. It, presuming an org has an internal repo and you give it a URL, shame on you if you're not, you could include that. Now, I'm giving you the technically correct answer, which is, solving, as we know, is always the best answer, right. The problem, of course, is that people are sometimes kind of sloppy. In other words, well, I'm loading it and it's supposed to be just a copy from Maven, so I'll identify it as the Maven version. Did you download it from Maven?

E: You know, the thing is, dependency confusion has become one of the most common, I mean, typosquatting has been the most common problem for a very long time, and then dependency confusion rose to the top. We don't know what's going to be coming up next year, but, you know, it's not going to go away. So yeah, in the long term, the solution is modify the package manager code so that this is not a thing. But until that happens, it's going to be a thing.
D: Yeah, anyway, that's it from me. All right, yeah, thank you for your feedback. I'm happy to hear there's positive kind of opinions generally. So thank you. Oh.
C: Thank you again for the update, Caleb. Next on the agenda, we have feedback on the Critical Open Source Software Projects 2023 documents.

C: We decided that we weren't going to move forward with kind of marketing the set and publishing the set, kind of, until we've kind of put more thought into it and get more, I guess we could say, more diversity in terms of the input that we get and how this is kind of vetted and generated.

C: I was honestly kind of relieved to see the significant amount of feedback. It was almost validating that, you know, this is not an easy undertaking, and the fact that there was a good amount of feedback, honestly, I was happy to see that, and it was good to see, because it really was a challenge, and it was.

C: I've thought about ways of, you know, potentially getting more, I guess, activity into getting more feedback and more insight into, you know, which projects to identify, but I do, yeah. I just want to acknowledge the good amount of feedback that we got, and it looks like, did we get some feedback from Youssef on that as well? So I'd love to hear from your, you know, from your angle, you know, your thoughts and your feedback.
B: Yeah, the first set of feedback that I kind of saw was there, there are some tools in that list, but a lot of the, there's like a specific topic for language ecosystems like Python, for example, right, but then the package manager is there for Ruby but not for Python, and I think that a lot of these, the metrics have a hard time with tools, because I was looking through, like, what are the other tools that are in the list, and almost all of them don't come through in the criticality score.

B: They all come through some other source, which is good because they're getting included, but then it means that they're getting missed by this automated source. That's something, not, I don't know how to solve that problem. It's just a hard problem, yeah. The other side of it was more on the transitive dependency side.

B: It mentioned transitive dependencies, but a lot of these, like, there are some projects in there where, yes, that is, like, just a base building block, like curl or something like that, where you know that that's just a building block and there's not really, like, this huge network of dependencies that's downstream. But then there's the complete other side, where, you know, Python, you know, has like maybe 30, 40 libraries that are very important to Python

B: existing, like OpenSSL is obviously in that list, but some of them aren't, and like, how does that fit into this story of saying that this more top-level, recognizable, more likely to get talked about project is in this list, but then all of these other downstream dependencies that, if they weren't there, this project wouldn't be able to do its thing. How do we reconcile that?
C: No, no, no worries at all. It's always good to hear a new take or a different take, and, you know, that's, I think, where the value comes from, right, is in the discussion and the collaboration, so yeah. So here I'm not entirely sure where we want to go from here. I suppose, I mean, I guess we are still getting feedback, but I don't know if the group has any thoughts on kind of where to go next or how to put more, I guess,

C: meat on this. I'm certainly open to thoughts and ideas and, of course, getting more activity, you know, between this group and the community at large.
E: Absolutely. Okay, all right, so I think, in the, sure, so I guess I'll try to write proposals. We go here, I, so what I'd propose is, in the, I don't know if you can see my little comments I wrote in these things, and, you know, I've talked separately with you, Amir, and, you know, with both the co-leads formally. We can, if you want to make this market, if you want to try to do a marketing campaign, the idea is you talk to the staff, prop.

E: You know, work with the, talk to make sure that they say okay, but on the quick initial look, I will say that staff, frankly, is really nervous about this.

E: The fundamentals, I mean, in, you know, if the attack wants to say yay, yay, but I think I would argue, by all means record what you've done. Okay, you know, post some, you know, post it as a link off the web of the working group. I mean, the previous version is already that way, but I want to be careful about not making a big deal of this.

E: Yet, the challenge that we've got right now is that this is so hard, and there's been so much painful work, that, I don't know if you've been following some of the numbers of participants, but we had more people earlier, and then, when every other week, okay, sit down, we're going to talk in gruesome, painful detail through a spreadsheet, we may get through 10 or 15 rows today for an hour, that took a toll on a lot of people. And the reality is, I want to commend everyone who put in effort, because that was amazing, but it's a little hard to argue that this is a sense of the entire open source software community

E: when you end up with a very small number of the willing, willing to take the slog. And so I think it's been valuable, and I think the results have been helpful. There are some known problems with it. David Edelsohn noted some problems, I think some other folks have. So here's what I would suggest. First of all, I want to try to convince you, I think Amir, Amir.

E: We lost your video. You okay? Yeah, I'm here. Okay, all right. So what I would say is, yes, let's, you know, post on the repo page: hey, here's the updated version. Let's not make a blog post or a big deal of it yet, because we know there's some challenges. And here's the problem we're basically anticipating: if we made a big deal of it, that a lot of people are basically going to have a big pushback about the, you know, wait a minute,

E: what's on the list, and, frankly, why is this very small group of people deciding for global, you know, for all of the world? And those are hard questions to answer. So, you know, but I do want to acknowledge all the hard work done, and, first of all, the results of this for sure, they're going to go straight to Alpha-Omega, because, you know, they care about this. They used the previous list.

E: I'm expecting a couple other groups to use the list, because this is one of the best lists we have. We know its problems, but when you have something versus nothing for a lot of organizations, having partial work that's the best available in the world, that's better than nothing, and hooray for that. So this is not going to get, the work is not going to get wasted.

E: Okay, but I would say: don't do the blog post. Do finish up, work through the comments and make a best list with the processes we've got. Then, either in parallel or whatever, let's talk about how can we get far more eyeballs on this problem. You know, how can we turn this into something where we're not scared to make a claim, because, yeah, okay, five people sat in the back room out of video calls and decided for everybody.

E: You know, that's obviously not what the intent was, but we need to find a way to get a broader consensus on work. That's frankly really hard, so we need to figure out a way to do that, and that's what I would propose. We talked through, Jacques had worked out some approaches.

E: He had a lot of good information. His approach, the one problem that he had was that he basically was thinking about, hey, you need to build a new tool, and then building a new tool is hard, so that kind of got stalled. I think that we could implement those processes without building specialized tools, and that might be helpful. So basically, I would like to finish what we did. We're, I mean, we're at the 90 level.
A: Yes, thanks very much, and doing in New York and got the smoke from Canada again. We can now officially claim that we're making these decisions in the smoke-filled room. So, and, you know, great suggestions, David, about how to approach this. I definitely agree that we should, you know, try to move this to a conclusion, that, you know, something is better than nothing. I think it's also important to communicate that, look, it's really impossible to do this as a democracy.

A: I mean, like, and it's still, you know, who do you choose, you know, as the Funko community who's going to vote on this? I mean, ultimately there has to be some, and it's like, okay, you know, why not the five of us or whoever, like, you know, it has to be somebody. I mean, and, you know, I agree that building another tool, but if we can try to figure out some data-driven process and it's more objective, I think that would help.

A: You know, the basically, the input and output of this, it's like, who exactly is the consumer of this? Who is going to accept these views? And so, you know, this existed before the OpenSSF really existed. It's a great project and great to work on this, but I think that it was sort of done in a vacuum, and that was part of it. So not only is it a matter of, you know, people are willing to slog through this, but it was also, you know, sort of this

A: you know, I mean, self-selected in multiple ways. I mean, it's almost this secret working group in a certain way. So I think that, and we'll see if on car and attack can help with this, of, you know, who exactly is the consumer of this? What are we actually going to do with this?

A: As you said, yes, we can put it out there and see. So there are various groups who would like something, but I think then we should be clear about it, of, you know, both explicitly who is going to be requesting this or use it, also implicitly, of what government agencies in the US, Europe, wherever, might use this, as we have a better framework for that mission and a better, you know, and figuring out what we're going to do with it, and also more clarity on, again, what is the input, I mean?

A: Who is presenting this, or from the suggestions, you know, the analysis of, you know, GitHub, I mean, now we got this list from whatever ten thousand projects from Alpha-Omega, I mean, there's this.

A: So, you know, what's the driver on the other side of how we're going to collect this information, or for whether we or whoever is making this decision? So I think that trying to get clarity about the pipeline is really critical to helping this. You know, and maybe, you know, again, as Seth was saying, maybe we need to have, or, I mean, based on his comments, you know, different lists. I mean, these

A: are, you know, one of the things that bothered me, I made the comments, and there was, we made this list? Oh well, we need to, you know, cut this down to a hundred. Well, like, where did that come from? And, you know, I mean, I know where it came from, but it's like, you know, okay, we create this list. Oh well, you know, it needs to be the set of 100, is not list.

A: You know, all these sorts of appearance, you know, decisions, but then also maybe we need to have, as you're saying, a list for tools, a list for this, and maybe we need, you know, different facets of this, not just the one, you know, list of, you know, critical projects or 100 critical projects, you know, or whatever, but we say that, okay, for these different, you know, 100 critical projects for the Linux ecosystem that are critical, projects for embedded, I mean not 100, but the critical projects for the BSD.

A: So, excuse me, you know, we try to provide some more clarity about what this is supposed, is, you know, again, as David said, this is the, you know, the committee of the willing or the self-selected set, but it was coming from a particular point of view, and we were, a lot of times, aren't, you know, trying to determine, you know, give it our own, and admitting our own limitations and knowledge of, okay, is this maybe important for this ecosystem? Is that ecosystem?

A: Maybe we need to have a little bit more detail and clarity about these different types of ecosystems and, you know, different sets of critical projects for different things, and again, maybe, as the same, if you want a list that's, you know, these top-level tentpole, you know, famous projects, whatever, and then you have another list: okay, here's the really low-level dependencies that aren't, you know, name brands, but these are the critical projects that really feed into everything

A: in this ecosystem. And again, things like, you know, glibc and GCC, and, you know, OpenSSL, and all these things feed into that. So I definitely think that, you know, some more clarity, but again, I really think that, you know, sorry to belabor this again and again, and, you know, but getting better communication, having a real, a better sort of mission statement from who's going to consume this, you know, what are they going to do with it?
A
E
Yeah,
so
let
me
make
a
quick
reply
and
add
to
your
list
so
in
inter
okay,
so
as
far
as
who's,
the
consumer
I
mean
I.
Think
in
general
you
know
we
kind
of
got
started.
I
had
some
overall
statements
on
off.
We
went,
maybe
so
you
know
increased
Clarity.
Maybe
that's
really
the
next
step.
We
have
done
this
and
in
the
process
we've
learned
some
things
now,
let's
you
know
you
know
really
put
down
and
make
clear
as
far
as
the
consumers
specifically
I
know
that
I
had
specific
ideas.
E
That
does
not
mean
they
were
clearly
written
down
or
that
anyone
shared
them.
But
at
least
from
my
vantage
point,
one
of
the
main
reasons
for
the
critical
project
list
was
to
help
Focus
organizations
who
want
to
we
want
to
improve
the
security
of
Open
Source.
We
cannot
do
everything,
so
we
are
going
to
focus
limited
resources
on
limited
places.
There
are
actually
a
number
of
organizations
which
want
to
do
that.
E
Alpha
Omega
within
open
ssf
itself
is
one
of
those
cisa
is
one
I
know
that
the
I
don't
know
if
they've
actually
gone
through
and
done
it,
but
I
believe
that
there's
been
a
lot
of
talk
about
the
US
Department
of
Defense,
believe
it
or
not,
trying
to
identify
the
ones
that
they
use
the
most
because
they
want
weapons
to
only
go
boom.
When
they're
supposed
to
you
know,
I
know
the
Europeans,
particularly
there's
a
there's,
a
group,
that's
funded
by
the
German
government.
E
The U.S. has something else called the Sovereign Tech Fund, which my brain is bending a little bit, because it's not, is this government or not? Well, it's, you know, that's complicated, but I know that they can give you the correct answer. I've forgotten what the correct answer is, but in any case there are groups which want, which know that society is depending on open source and want to do some investments, but they want to do smart investments.
E
So they were trying to figure out the important things, and so they would very much like a hand from, or at least top cover for, some of the things that they would like to focus on now.
E
Oh, okay. Yes, thank you, Seth. Yeah, yeah, Open Technology Fund, that's right! I'm sorry, I'm sorry. You know, the STF is German, yeah. You know, OTF is US, but there's the Open Technology Fund, but there's a number of these orgs, is my point, and I actually think some companies internally have had some of those. They're picking a few, and we want to help them do that.
E
Okay, as far as what to be clear on, I think not just the inputs and the outputs, but the criteria and the process. I mean, right now, frankly, there's been a very short description of what's the criteria, and there has been a process of, okay, you know, it's basically a democratic vote of whoever happens to be there.
E
I think we can do better than that. So, for example, I think that we could be persnickety about, you know, before you vote, people have to sit down ahead of time and start inferring information so that the voting decisions are based on full information.
E
I do know that in several cases a number of folks were not familiar with that particular software component, and so we had a few who were, and the one person who knew something, you know, ends up having the full vote, which is not really how the process is supposed to go. I mean, it's not crazy, there's certainly no malicious intent, but I think that we can do better, as well as just finding a way to get all that larger participation.
E
So it's a much larger group. I don't think this is a smoky room; for one thing, smoke doesn't work well through video calls, and we're getting recorded, so we're trying to be really transparent. So I don't think transparency is the problem, technically, but it is a problem of lack of, not enough, participation, not through exclusion, but simply because it's been really hard to get people to pull very heavy loads. And so I think going back and figuring out: how can we make it?
B
My point was more on the, like, if we are just talking about kind of like the, if this is an input to something else, like knowing what that input is, because if a lot of that is more about giving visibility, getting support from organizations, all of that, I really, it's tough for me to say, like, oh, you have to get it 100% right, like, in two years, rather than getting it 80% right today and then further refining. Like, it's hard for me to say, like, oh yeah, just have all of those organizations that are trying to support open source.
E
A
We haven't been getting back to what David said. I think I'll respond specifically. I mean, as I just put it up, I think part of the problem again, and why I say consuming, is I think that there was lack of participation because, I mean, it's difficult, working. It's logging in, a lot of things that David said, but people didn't see a specific benefit or outcome to be like, okay, if a project's not on the list, what's it going to matter, or if a project is on the list.
A
Oh, how is that going to help with the project? So you need to have a specific reward mechanism. You need to have some sort of feedback mechanism that encourages people to participate in this. Okay, if you're on this, that means that you're going to get, you know, not a guarantee, but this is how we're going to determine OpenSSF grants or Alpha-Omega grants for this. You have something where people see other than, oh, it's a bunch of self-selected, you know, nerds that just decided to, you know, list their favorite projects.
A
You know that, maybe that's, I mean, yeah, that's what it, but I'm not saying this is what it was, but from the outside it can look that way, and people don't see any reason. It's like, why am I going to sit for, you know, every other week for an hour and slog through this and to a list that's just gonna go in the, you know, in the circular file? And you're like, you know, that's where I think there was the lack of messaging and lacking.
A
E
All right, that makes complete sense to me, so it's, and I actually think, well, at least for that part, clarity on who the consumers are, we should be able to knock that out, or at least make considerable improvements quite quickly. Maybe this call or the next one, basically at least the inputs, at least some of the inputs.
E
Some of the outputs. I think that within the next few gatherings we should be able to, well, at least the inputs and the outputs, and maybe at least make decent progress on criteria and maybe even a process. Now, if we just are going to continue to use this existing process, that's one thing, but if we do, I think we've got to find a way to broaden the number of participants. I think clarifying the outputs and who is important.
A
A
You know, if it's something, you know, and that person you can't, but you know, at a certain level of, oh, you get to, you know, invited to, if you're in the Beltway, I've been to a Washington DC dinner party with the White House, you know, there's certain things that, I mean, I'm not joking. I'm joking, but I'm not joking. No.
A
A
What I'm saying is that, I mean, different people have different motivations, but there are levels of motivations that at a certain level that is worthwhile for people to participate, especially with people who are, you know, in these communities. If you say, okay, this election, this will help, you know, your community. This is, or, or k-loving, I mean, again, I don't know. If we could, you know, this could help, I mean, by mentioning Caleb is back to Google, you know, this could help.
A
With Google Summer of Code, I mean, if you're listed high in there, then you can get a boost for the number of people who, you know, slots you get in the Google Summer, those sorts of things, and sometimes I'm just spitballing. But it's just like those sorts of things where you see, okay, here's a real, definitive benefit from participating, making sure your project's on the list.
A
E
E
All right, that's a fair thing, and you know what, we can start by asking, you know, groups here what would motivate. I'm not sure, I don't think that any of these groups, like Alpha-Omega, are willing to say, hey, whatever list you come up with, they're immediately going to get a certain amount of money; they have their own processes, but they can certainly promise to say:
E
Oh yeah, we're absolutely going to look at this list, and we're considering the, the 100, by the way, is in part from Alpha-Omega, but the other folks we've talked to, nobody's really said it has to be exactly 100. Okay, that's not, but the feedback in general has been from some of these groups: we would love to know a list of what you think is the most important, especially when you have some rationale. It can't be millions.
E
You know, we don't expect it to be two. So if you're going to argue that 100 is an arbitrary number, let me help agree with you now, but the notion was a somewhat bounded number. And now one challenge is, for most of these orgs, many of these orgs, they don't want to know just what's important. They also want to know what needs most help.
E
That's even a harder analysis because, like the Python Software Foundation, I am sure that you can use any resources that anybody can send to you, but there are organizations who are far worse off. You know, there's the, you know, the maintainer who's doing it once a couple of months and takes a couple hours on the weekends, and, you know, that's it. And, you know, well, the Nebraska problem.
E
So yes, so we haven't tried to cross that bridge, and I understand why that may be a bridge too far. If we can bring it down to approximately a hundred, though, other orgs can then go and do that analysis and come up with different answers once they have a smaller set to analyze.
B
To what you just mentioned, the potentially harder problem of finding critical packages that also need help: is that, like a sec, like something that is on the roadmap for this working group, or is it...
E
I think it was originally intended, but I'm not sure that's, I mean, this group, what's on the roadmap for this group was whatever this group decides. Okay, I am sure that many people would like that information. I can tell Jim Zemlin, who's the president of the Linux Foundation, would like that information; he's been looking for that for a long time, but it's been a challenge. I mean, we've funded the Harvard work and they actually punted on this as well.
E
Just trying to figure out quantitatively what's important turns out to be incredibly painful and hard, and, you know, they had to scope it down to just what seems to be important among certain ecosystems that, you know, support package managers. And even that, quantitatively, I mean, we took an incredible amount of time to do that quantitative analysis, and it intentionally omitted, like, you know, any system packages, or any applications. So that's kind of a challenge.
D
I'll call out the Scorecard project as well, which attempts to do this to some degree. No, that doesn't, okay, no.
E
No, what they do, no, now, what Scorecard does is it attempts to measure whether or not you are performing certain, there are certain good behaviors. Okay.
E
B
E
D
I mean, it's the negative opposite. Like, it's, yeah, it's, you can't, it's measuring, like, whether you're doing the right things as opposed to are you at risk. There is a correlation between people who are doing the right things and risk, but it's not a direct relationship, and it's, yeah.
E
Exactly. Now, there is actually another relationship. I have already worked with the Scorecard folks with the draft report that we had earlier, and we checked and verified, and I made sure that every single one of those is now on their weekly scan. They do a weekly scan with Scorecard of about 1.2 million projects, and they include everything on the critical projects list, as well as every project
E
that's getting a Best Practices badge, and various other sources as well. So now, scan does not mean, of course, that they're doing well or not, it's just, but, you know, they're part of that weekly scan so that you can quickly get that data and do analysis of it, and that's a first step. So, you know, that's yet another group that's using whatever this critical projects working group does. Other people neatly take that out and do something with it. So people do care.
D
C
Wow, an hour certainly goes by quickly when these, when these discussions, I'll say, so I'll say by next time, let's definitely start to get some of this on paper and start formulating a plan to really kind of tackle this problem and break it down into smaller steps, things that we can do. Definitely would love to hear more on solutions and suggestions.
E
But before we go, if I can appeal for 60 more seconds, I would love to have two tracks. One is I would like to try to wrap up the version that we've got; we're at the 90 percent, but I think several people, David E being one of them, have noted some problems with the current list. I think, you know, so I think I'd like to make the list the best we can with the processes that we had, and then, and I don't think we can