►
From YouTube: Securing Critical Projects WG (March 9, 2023)
A
A
B
C
B
The
alpha
omega
project
has
a
top
10
000
projects
list
that
we're
using
to
identify
and
use
as
a
as
a
basis
for
reporting
vulnerabilities
to
and
I'm
working
on,
a
specification
under
the
open
source
security
foundation
for
a
policy
called
the
specification.
It's
the
open
source
security
Foundation
compliant
automated
vulnerabilities
fix
campaign
Define.
What
is
a
what
is
considered
a
an
automated
security
vulnerability,
fixed
campaign
that
is
compliant
to
a
specific
standard
that
has
the
open
source
security,
Foundation
seal
of
approval.
One.
A
B
The
lines
in
that
is
mandatory
private
disclosure
that
the
top
10
vulnerable
projects
within
the
10
000
critical,
open
source
projects
of
some
list,
which
I
was
discussing
using
the
AO
list,
but
I
thought
that
you
guys
have
the
10
000
list.
But
apparently
the
10
000
list
is
an
AO
list,
not
a
not
a
you
guys
list
would
be
required
to
disclose
to
those
private
to
those
products
privately
as
part
of
the
specification
and
apparently
I
found
out.
That
list
is
not
owned
by
this
group.
B
B
A
B
C
B
C
C
B
C
B
D
B
C
Before
we
dive
in
I
just
wanted
to
do
a
quick
update
that
this
is
the
last
Apec
friendly
meeting
at
this
time,
because
daylight
savings
is
changing.
So
in
four
weeks
when
we
get
to
the
new
the
next
Apec
friendly
meeting
time,
it'll
be
the
the
old
time
that
we
had
before
daylight
savings
or
back
to
Daylight
Savings
yeah.
So,
let's
dive
in
Amir
did
you
have
anything
you
wanted
to
say.
F
C
C
F
E
F
E
E
I
would
I
would
vote
to
not
call
this
one
top
hundred,
because
I
feel
like
the
likelihood-
and
this
is
just
I-
have
data
to
support
this,
but
I
feel
like
the
likelihood
that
governments,
large
organizations,
critical
infrastructure
Etc
would
be
using.
This
is
really
small
but
smaller
than
a
lot
of
the
other
ones.
On
the
list.
D
C
A
B
C
A
D
E
E
F
C
So
I'm
gonna
throw
out
a
no
here,
I
think
that
Amazon
Linux,
like
you
know,
we
have
the
Linux
kernel
all
the
important
packages
in
Linux.
We
would
we
would
consider,
but
what?
What
I
think?
What
listing
the
the
distribution
here
would
really
be
describing
like
the
I,
don't
know
what
Amazon
Linux
is
based
like
if
it
but
like,
is
essentially
describing
like
the
RPM
spec
files
and
build
systems
for
creating
the
distribution
and
I.
F
C
E
B
And
so,
if
you
do
that,
that,
like
you,
know,
immediately
knocks
out
if
you're,
if
you're
going
on
the
basis
of
it's
got
corporate
backing
that
knocks
out
Android
Gradle
curl,
because
that's
curls
being
maintained
by
you,
know
a
maintainer
who
is
being
paid
by
a
company
to
maintain
curl,
like
you
know
like
that.
I!
Don't
think
that
that's
a
good
reason
to
disqualify
a
project.
E
Dot
net
is
while
it
is
an
open
source
project.
It
is
primarily
well
I'm
going
to
get
in
trouble
by
the
lawyers.
If
I
say
this,
it
is
obvious
to
everyone
which
large
corporation
manages.net
in
in,
like
layman's
terms,
should.net
be
on
this
list.
I
would
also
argue
no
for
first,
for
the
same
reason
that,
like
it's
a
it's
a.
C
I
would
argue
that
both
Android
and
net
are
critical
and
I.
Think
that
Jonathan
you're
right,
like
I,
don't
think
that
being
primarily
developed
by
one
company
should
disqualify
it.
But
I
think
this
Amazon
Linux
is
a
different
case
here,
like
the
the
the
the
files
and
projects,
and
you
know
the
the
code
that
makes
up
a
distribution
I
think
that's
not
what
somebody
had
in
mind
when
they
added
this
here.
E
C
E
A
A
A
A
F
F
E
A
I
I
I,
don't
have
any
different
information
and
that
answers
we've
just
answered
the
two
key
questions.
Is
it
OSS?
Yes,
is
it
widely
used,
at
least
according
to
this?
Yes
and
frankly,
I
mean
our
I
know
that
there
are
non-arm
based
Android
devices,
but
the
vast
majority
of
Android,
just
by
itself.
That
tells
me
billions
of
devices.
We
we
care.
I
I
I
I
C
So
I'm
taking
a
look
at
the
original
issue
and
like
bootloaders,
is
listed
as
a
category
like
these
things
are
important
and
the
first
two
are
you
boot
and
Grub,
and
then
it's
this
one.
Third,
so
I
would
say:
let's
go
I
mean
so
I
would
just
say.
Let's
vote
I
mean
my
vote
is
no
I
guess
and
then,
if
we
get
any
more
evidence
that
this
is
also
like,
that's
why
it
uses
the
other
two.
Then
we
can
reconsider.
E
I
I
F
G
A
F
I
Is
where
are
the
oh
here
we
go
yeah
I
proposed
yes,
but
the
question
is
for
why
and
basically
I
think.
The
primary
thing
I
would
worry
about
is
both
subversion
of
the
project
and
ensuring
that
oh
I
can't
easily
see
the
text
let's
see
here
and
making
sure
that,
if
it
handled
when
it
handles
malicious
data,
it
won't
cause
problems.
I
So
there's
some
weird
you
know,
so
there
are
some
things
that
you
can
easily
misuse
and
shell,
but
they're
required
by
the
standards
and
really
not
changeable.
Now,
like
you
have
to
double
quote,
you
know,
if
you
say
Dollar
Food
for
a
variable
reference,
you
have
to
put
double
quotes
around
it
or
it
might
just
suddenly
start
executing
that's
bad,
but
required
by
the
language.
I
On
the
other
hand,
if
you
put
the
double
quotes
around
it
and
it
ran
some
code
anyway,
just
because
it
referenced
it.
That
would
be
really
really
bad,
so
I
think
the
answer
is
yes
because
of
wide
use,
but
the
focus
should
be
on
those
aspects,
because
if
somebody
just
hands
an
arbitrary
bash
shell
to
somebody,
you
know
the
fashion.
The
fact
that
bash
can
run
code
isn't
a
problem.
That's
the
whole
point.
G
I
A
I
B
B
I
What
you're
paying
for
is
a
service
if
you
run
the
service
which
is
optional
so
but
I
think
it's
it's
fair
to
say
you
know
now
I
I
think
right
now
what
we're
arguing
is.
Are
they
critical,
I
think
there's
going
to
be
a
separate
pass
for
you
know
if
there's
existing
commercial
support,
if
you
know,
there's
we'll
probably
expect
them
to
do
the
say,
pay
for
an
audit,
but
we
can
still
contact
them,
for
example,
and
say
Hey,
you
know
here's
some
things
you
can
do.
You
know
you
know
we.
I
I
I
I
I
I
C
I
I
F
I
J
E
E
E
I
D
C
I
I,
don't
think
we
have
that
right
now,
but
I
mean
we.
We
do
have
our
column
F
here
that
we're
recording,
which
is
our
our
reasoning,
I,
wouldn't
assume
automatically
I,
don't
think
we
should
just
say
no
reconsider
unless
it's
something
that
is
essentially
resubmitted
by
in
in
a
future
round
with
somebody
that
submits
for
with
with
more
evidence
so
for
here
on,
you
know,
boring
SSL,
I,
don't
think
we
should
say
no,
let's
reconsider
I
think
we
should
say
no,
unless
it's
resubmitted
with
by
a
future.
D
I
I
J
C
J
I
F
I
A
J
I
I
E
I
Oh
I,
don't
have
like
okay
I,
think
gnu
make
is
used
by
far
far
more
often
than
Mason
is.
If
there's
no
other
reason,
then
make
has
been
around
for
decades
longer.
Okay,
but
I,
but
informally
I've
encountered
enough
uses
of
both
ninja
and
Mason.
To
believe
that
there
is
significant
use.
I
don't
have
a
full-on
study
of
it,
so
this
is
purely
what
is
it?
The
the
plural
of
anecdote
is,
is
knowledge
or
something
like
that
so
I
mean
it's
anecdotal.
I
I
I
I
C
C
I
I
I
E
J
I
mean,
but
this
isn't
a
guarantee
that
it's
going
to
be.
You
know
that
we're
going
to
fund
the
openness
so
I
just
want
to
make
right.
Yeah
I'm,
not
just
saying
that
you
know
put
in
everything
but
I'm,
saying
that
you
know
saying
that
it's
critical
doesn't
mean
that
that
you
know
that
if
there's
any
commitment
from
the
open,
ssf
or
anybody
in
this
group
that
this
is
something
worth
funding
right,
so
funding
supporting
any
other
way.
Then
you.
I
A
I
G
I
J
But
but
that's
what
I'm
saying
is
I:
don't
think
that
Mesa
is
the
only
build
system.
I
mean
I.
Don't
I
think
that
it's
one
of
build
systems
of
postgres
supports
and
that
organ,
so
I
don't
want
to
I.
Don't
think
we
should
look
at
this
is
that?
Okay,
if
Mason
didn't
exist,
that
you
couldn't
build
the
project,
I
think
I
think
you're,
it's
it's
a
it's
a
a
union,
not
an
internet
I
think
that
they're
it's
a
more
white
Weyland,
can
build
without
I.
J
J
J
J
I
As
someone
who
has
written
many
many
make
files
I
try
to
write
portable
make
files
I
rarely
succeed
pretty
soon,
okay,
if
you've
ever
I've,
actually
interacted
with
the
posix
folks.
So
if
you've
ever,
you
know,
talk
to
me
later
about
the
agonies
of
trying
to
stick
within
posix
mate,
so
yeah,
that's
interesting,
all
right!
That
makes
it
more
complicated
and
now
I,
you
know,
I
was
looking
at
that
listens
going
oh
yeah
I've
heard
about
it.
Look
at
that
long
list,
and
that
makes
us
more
complicated
decision.
J
J
C
I
think
the
consideration
here
is
not
you
know,
is
it
a
strict
dependency,
but
is
it
the
default
build
or
is
it
the
most
used
builds
for
that
for
that
maybe
critical
like
postgres
critical
database
or
software
project?
So
you
know
if
Mason
were
subverted.
Would
that
mean
that
you
know
the
attackers
would
then
be
able
to
subvert
postgres
builds.
E
You
know
I
I
was
leaning
against
this,
but
I
think
he
just
convinced
me,
because,
because
of
the
the
place
in
the
pipeline,
the
build
is
the
last
opportunity
to
well.
Maybe
this
one,
the
build
would
be
a
great
place
to
insert
malware.
So
if
Mason
was
compromised
to
insert
malware
into
everything
that
it
bills,
then
it
just
goes.
Downstream
I
think
in
general,
build
technology
should
get
kind
of
a
bump
up
in
criticality
over,
like
the
world
usage
numbers.
C
J
I
mean,
for
example,
you
go
to
the
you
know:
postgres
GitHub
and
there's
build
and
there's
a
new
make.
File.In
I
mean
also,
yes,
you
you
know
it's
and
it's
you
know
the
Nissan
build
system
was
updated
yesterday
and
the
new
make
file
is
I
mean
so,
like
you
know,
they
both
are
actively
maintained
for
postgres,
but
it's
not
the
only
way
to
build
postgres
meeting
Mason.
B
F
B
B
I
used
to
work
for
grade,
also
I'm,
partially
biased,
but
Gradle
used
is
used
as
the
primary
build
tool
for
the
or
for
50
of
the
Java
ecosystem.
99
of
the
of
all
Android
apps
use
Gradle
to
build
build
them.
It's
the
the
tool
of
choice
to
build
Android
apps
in
Java,
yeah,
build
tools,
and
then
Maven
is
used
to
build
the
other
50
of
the
Java
ecosystem.
That's
not
being
used
to
build
maven,
yes,
or
it's
not
being
used
by
Gradle.
F
D
I
A
I
Adding
Gradle
makes
sense:
okay,
I'm
going
back
I'm
I'm,
basically
doing
my
quick
Google
Foo
for
I
agree
with
you.
Anecdotes
are
not
the
same
as
real
data,
so
I
found
an
interesting
post
of
analysis
from
2021,
saying
that,
specifically
for
Fedora,
look,
comparing
it
to
cmake,
escorts
or
Mason.
Mason
is
now
required
by
30
of
their
packages,
but
I'm
trying
to
figure
out
this
30
of
all
packages
are
30
percent
of
yeah.
It's
only
30
of
those
require
C
make
s-cons
or
Mason
a
Maison.
G
E
I'm,
sorry,
one
less
data
point:
if
on
GitHub,
if
you
search
for
the
count
of
files
called
Mason
dot,
build
which
I'm
assuming
is
the
most
obvious
indicator
that
using
Mason
it's
about
70
000.
If
you
look
for
make
file,
it's
3.7
million
right
and
was
a
cmake
list,
dot
text
is
that
is
that
the
cmake.
I
I
C
I
F
F
I
F
A
F
C
J
Yeah,
the
last
thing
is
I
mean:
do
we
do
we
want
to
guess
the
next
meeting
do
a
quick
run
through
of
things
that
we
think
are
just.
Do
it
like
a
straw
poll
of,
what's
not
contentious,
to
just
sort
of
get
that
out
of
the
way
and
then
focus
on
the
ones
that
actually
have
some
disagreement,
or
do
we
want
to
sort
of
randomly
hit
those
when.