From YouTube: Securing Critical Projects WG (March 9, 2023)
B: This is the March 9th meeting. Yes, yes, can we do... do you guys do opens?
C: So we normally do, but right now we're on our, like, schedule for doing the list, so we wanted to spend the whole meeting on voting and consensus. Okay.
B: The Alpha-Omega project has a top 10,000 projects list that we're using to identify and use as a, as a basis for reporting vulnerabilities to, and I'm working on a specification under the Open Source Security Foundation for a policy called the specification. It's the Open Source Security Foundation compliant automated vulnerabilities fix campaign: define what is a, what is considered an automated security vulnerability fix campaign that is compliant to a specific standard that has the Open Source Security Foundation seal of approval. One.
B: The lines in that is mandatory private disclosure: that the top 10 vulnerable projects within the 10,000 critical open source projects of some list, which I was discussing using the AO list, but I thought that you guys have the 10,000 list. But apparently the 10,000 list is an AO list, not a, not a you-guys list. Would be required to disclose to those private... to those projects privately as part of the specification, and apparently I found out that list is not owned by this group.
C: Yeah, so you can... I was talking to Caleb. Caleb had a question too about the, the schedule. So, if you want, put it, you know, send an email on the mailing list. We don't have much there, and otherwise we can just add it to the next, the next meeting.
C: And I wouldn't say top either, because we're not... something not being on the list is not saying that it's not critical. It just hasn't been proposed and considered yet, so interesting.
C: Yeah, thanks for joining. So yeah, we'll... the meeting notes are, the link to the meeting notes are in the calendar invite. We'll go through some new faces and then get to today's meeting, which is all about working on our v1.1 list for the set of, or list or set of, critical projects, and we have a set of proposals and we're going to go through those one by one and reach consensus. Thanks everyone for joining, but yeah, new faces other than how to pronoun...
C: Before we dive in, I just wanted to do a quick update that this is the last APAC-friendly meeting at this time, because daylight savings is changing. So in four weeks, when we get to the new, the next APAC-friendly meeting time, it'll be the, the old time that we had before daylight savings, or back to daylight savings, yeah. So, let's dive in. Amir, did you have anything you wanted to say?
C: And so I guess the first question is: we've got two lists. We've got our 1.0 list that we're going to consider for removals, and then we've got our candidates list to consider for additions. Any thoughts on which one we want to do first?
F: All right, do you want to just dive in from, from row two?
C: Yeah, and so the way it works here is we want to just have anybody speak up with a yes or no, and maybe we can argue against or for it.
F: Adminer. So this was from Docker pull count data originally when it was recommended. I don't know a ton about the project personally, but I don't know if anyone else has thoughts.
F: That might be in favor of maybe wanting to put some spotlight on it with the, putting it on the set.
E: Yeah, I mean, it's also a single-developer project. The other thing I... are we sure that, that Docker pull count is correct?
E: I would, I would vote to not call this one top hundred, because I feel like the likelihood... and this is just, I... have data to support this, but I feel like the likelihood that governments, large organizations, critical infrastructure, etc. would be using this is really small, but smaller than a lot of the other ones on the list.
E: I mean, I'm also seeing just from the bugs and the pull requests, like, there just doesn't seem to be... I don't say any activity, but...
C: All right, feel free to use emojis or whatever as well. All right, I don't see any disagreement, so move on.
E: I'll vote yes. Alpine is a core base package for countless other Docker containers. If that, if that goes, goes sideways, lots of things are on fire.
C: So I'm gonna throw out a no here. I think that Amazon Linux, like, you know, we have the Linux kernel, all the important packages in Linux, we would, we would consider. But what, what I think, what listing the, the distribution here would really be describing, like, the... I don't know what Amazon Linux is based, like, if it, but, like, is essentially describing, like, the RPM spec files and build systems for creating the distribution, and I...
C: Yeah, so that's just my thoughts. Does that make sense?
E: I would put Amazon Linux in the same kind of, in the same category as WSL. Like, these are, while they, they may have here open source, these are corporate projects, yeah.
B: And so, if you do that, that, like, you know, immediately knocks out... if you're, if you're going on the basis of it's got corporate backing, that knocks out Android, Gradle, curl, because that's... curl's being maintained by, you know, a maintainer who is being paid by a company to maintain curl. Like, you know, like that, I don't think that that's a good reason to disqualify a project.
E: .NET is, while it is an open source project, it is primarily... well, I'm going to get in trouble by the lawyers if I say this. It is obvious to everyone which large corporation manages .NET. In, in, like, layman's terms, should .NET be on this list? I would also argue no for, first, for the same reason that, like, it's a, it's a...
C: I would argue that both Android and .NET are critical, and I think that, Jonathan, you're right. Like, I don't think that being primarily developed by one company should disqualify it. But I think this Amazon Linux is a different case here, like the, the, the, the files and projects and, you know, the, the code that makes up a distribution. I think that's not what somebody had in mind when they added this here.
C: I think that the distribution is, like, the packaging and the scripts and the build, the decision of, like, which, which to include, and I don't, I don't know that that's an actual open source project.
F: Okay, so then what was the consensus on Android?
F: Ope, I'm pretty sure it is, yeah, yeah. Next we have Arm Trusted Firmware. This was from a GitHub issue that someone recommended.
I: Meetings at once, go to one then go to the other. I have no better assistant. All right, okay, the description actually answers my question: it runs on every Arm-based Android device. Wow.
C: I mean, I think if we're gonna trust the submitter, which I think we should, I would vote yes. I, I don't have any different information, and that answers... we've just answered the two key questions. Is it OSS? Yes. Is it widely used, at least according to this? Yes. And frankly, I mean, our... I know that there are non-Arm-based Android devices, but the vast majority of Android, just by itself, that tells me billions of devices. We, we care.
F: Another one from, suggested from GitHub, okay.
I: Yeah, I would say I would want U-Boot first, just with the... I mean, granted, this is a positive information. You know, I probably should be in the spreadsheet. Everybody else is looking out... shouldn't I?
C: So I'm taking a look at the original issue, and, like, bootloaders is listed as a category, like, these things are important, and the first two are U-Boot and GRUB, and then it's this one third. So I would say let's go... I mean, so I would just say let's vote. I mean, my vote is no, I guess, and then, if we get any more evidence that this is also, like, that's as widely used as the other two, then we can reconsider.
I: I realized we're recording this, but those are rather painful to hunt through.
I: Is... where are the... oh, here we go. Yeah, I proposed yes, but the question is for why, and basically I think the primary thing I would worry about is both subversion of the project and ensuring that... oh, I can't easily see the text, let's see here... and making sure that, if it handled, when it handles malicious data, it won't cause problems.
I: So there's some weird, you know, so there are some things that you can easily misuse in shell, but they're required by the standards and really not changeable now. Like, you have to double quote, you know, if you say $foo for a variable reference, you have to put double quotes around it or it might just suddenly start executing. That's bad, but required by the language.
I: On the other hand, if you put the double quotes around it and it ran some code anyway, just because it referenced it, that would be really, really bad. So I think the answer is yes because of wide use, but the focus should be on those aspects, because if somebody just hands an arbitrary Bash shell to somebody, you know, the fa... the fact that Bash can run code isn't a problem. That's the whole point.
I: I pretty much always use my middle initial in anything written, because there's too many David Wheelers, and it gets even worse with initials. So that is my attempt of being clear a bit.
H: I'd also add that I get the feeling that a lot of people moved off LastPass; a bunch moved to Bitwarden as well.
I: Yeah, yeah, I think, I think a lot of people moved to either Bitwarden or LastPass, I think so. The short answer is yes, I think you're correct.
I: What you're paying for is a service, if you run the service, which is optional. So, but I think it's, it's fair to say, you know, now I, I think right now what we're arguing is: are they critical? I think there's going to be a separate pass for, you know, if there's existing commercial support, if, you know, there's... we'll probably expect them to do the, say, pay for an audit, but we can still contact them, for example, and say, hey, you know, here's some things you can do. You know, you know, we...
I: I think we need more information about it. How widely it's used, or do we not... it doesn't matter, it's an SDK. It's not the thing itself.
C: Yes, I propose that we get, come up with the yes or no here, and some nos, you know, are going to be things that can be reconsidered in a future version with more evidence, or if we have more automation for pulling evidence.
I: It's unclear, widely used it is... it's okay.
I: All right, I do know something about BoringSSL.
I: But okay, I, I mean, how's this... you may be right, but I don't think so. I mean, this is a Rust ring, BoringSSL, yeah, I...
C: I, I don't think we have that right now, but I mean, we, we do have our column F here that we're recording, which is our, our reasoning. I wouldn't assume automatically... I don't think we should just say no, reconsider, unless it's something that is essentially resubmitted by, in, in a future round, with somebody that submits for, with, with more evidence. So for here on, you know, BoringSSL, I don't think we should say no, let's reconsider. I think we should say no, unless it's resubmitted with, by a future...
I: And, you know what, I... it's a little bit of a struggle. I didn't do this research ahead of time, but it does look like, darn it, Mike's, Michael's right. You know, I'll, I'll let you be right once, Michael. I, I am teasing, of course. But in all seriousness, I wasn't aware of this. I knew of ring, but I didn't know that it... you know, you know, I know of ring because of other tools that use ring, not that I've really looked at ring myself.
J: But that's why I'm saying, is Google... this discourages it. Then it seems like they're actively saying this should not be critical. It may be used, it may be a dependency, but...
I: Okay, I'm gonna say similar things about... can you make that... I would about Bash.
I: And I think it's fair to say that if someone subverts it, or it can't handle malicious data when it's, when you give it the correct... now, the malicious data argument probably doesn't really apply, but I do think the subversion does.
I: I mean, I think in the end we decide what we decide. I, I, I'm not going to recuse myself, but I will note that many years ago I did write a couple lines of code to tweak GNU make, and so I, and I actually know some of the GNU folks, not person..., not very personally, just by email. But I mean, it's a couple years back, I think, and I use it occasionally, but I don't think that's a reason to recuse.
B: Does anybody read Trusting Trust? I think that it, I think that, that, you know, in summary, I mean, I know the Trusting Trust is a little bit exaggerated in terms of its capabilities, and... but I think that, given that it is the underlying infrastructure for compiling all, and all operating systems, or most of Linux operating systems, it's probably a...
I: Right, right, and that, that's why I mentioned I would worry about malicious subversion of it. By the way, just, I, I know some people already know, but my PhD dissertation is specifically about countering the Trusting Trust attack. So if you...
C: Right, so David, you made a comment here on this one that... can you explain the reasoning here? Like, do you have any evidence that it's as widely used, or just saying that it's also a build system for a make tool?
I: Oh, I don't have, like... okay, I think GNU make is used by far, far more often than Meson is. If there's no other reason, then make has been around for decades longer. Okay, but I, but informally I've encountered enough uses of both Ninja and Meson to believe that there is significant use. I don't have a full-on study of it, so this is purely, what is it, the, the plural of anecdote is, is knowledge, or something like that. So I mean, it's anecdotal.
I: It's not a serious study, but I've encountered it often enough to think there are people who use this thing. I don't know how to do a quick survey of that, says...
I: You know, Nautilus certainly, I mean, if you're running GNOME, you're running Nautilus. You got Mesa, so if you're running any 3D you're running that. ksh, pretty widely used shell. So here's what I'm going to do: I'm going to post in ours, you know, their list of users.
I: Yeah, I don't think that's, that's really the right measure there, because, me, if you do, if only if you download it, but they're the one, I mean, this... the, the challenge here is: it ends up being used to build a lot of other things, if that makes any sense, yeah.
I: That's, I mean, G screen, you know, things like GStreamer and GTK. If you use a GNOME system, which is the default on almost all the Linux distros, that means you're using this software, and you're using that builder.
J: I mean, but this isn't a guarantee that it's going to be, you know, that we're going to fund the openness, so I just want to make, right... Yeah, I'm not just saying that, you know, put in everything, but I'm saying that, you know, saying that it's critical doesn't mean that, that, you know, that if there's any commitment from the OpenSSF or anybody in this group that this is something worth funding, right, so funding, supporting any other way, then you...
J: But, but that's what I'm saying is, I don't think that Meson is the only build system. I mean, I don't, I think that it's one of build systems of... Postgres supports, and that organ, so I don't want to... I don't think we should look at this as that, okay, if Meson didn't exist, that you couldn't build the project. I think, I think you're, it's, it's a, it's a, a union, not an intersection. I think that they're... it's a more... Wayland can build without, I...
I: Let me add that to the little notes here, because... but that said, it's not necessarily required in many cases.
I: As someone who has written many, many makefiles, I try to write portable makefiles. I rarely succeed. Pretty soon, okay, if you've ever... I've actually interacted with the POSIX folks, so if you've ever, you know, talk to me later about the agonies of trying to stick within POSIX make. So yeah, that's interesting. All right, that makes it more complicated, and now I, you know, I was looking at that list and going, oh yeah, I've heard about it. Look at that long list, and that makes this a more complicated decision.
C: I think the consideration here is not, you know, is it a strict dependency, but is it the default build, or is it the most used build, for that, for that maybe critical, like, Postgres, critical database or software project? So, you know, if Meson were subverted, would that mean that, you know, the attackers would then be able to subvert Postgres builds?
E: You know, I, I was leaning against this, but I think he just convinced me, because, because of the, the place in the pipeline, the build is the last opportunity to, well, maybe this one... the build would be a great place to insert malware. So if Meson was compromised to insert malware into everything that it builds, then it just goes downstream. I think in general, build technology should get kind of a bump up in criticality over, like, the world usage numbers.
J: I mean, for example, you go to the, you know, Postgres GitHub, and there's build and there's a GNUmakefile.in. I mean, also, yes, you, you know, it's, and it's, you know, the Meson build system was updated yesterday and the GNU makefile is... I mean, so, like, you know, they both are actively maintained for Postgres, but it's not the only way to build Postgres, meaning Meson.
B: Two that I can speak authoritatively on are Gradle and Maven. Both are build tools, both are used about... 30% of the Java ecosystem is the build infrastructure.
B: I used to work for Gradle, also, I'm partially biased, but Gradle is used, is used as the primary build tool for the, or for 50% of the Java ecosystem. 99% of the, of all Android apps use Gradle to build, build them. It's the, the tool of choice to build Android apps in Java, yeah, build tools. And then Maven is used to build the other 50% of the Java ecosystem that's not being used to build... Maven, yes, or it's not being used by Gradle.
F: Disagree with Jonathan.
I: Adding Gradle makes sense. Okay, I'm going back, I'm, I'm basically doing my quick Google-fu for... I agree with you, anecdotes are not the same as real data. So I found an interesting post of analysis from 2021 saying that, specifically for Fedora, look, comparing it to CMake, SCons, or Meson, Meson is now required by 30% of their packages. But I'm trying to figure out, this 30% of all packages, or 30 percent of... yeah. It's only, 30% of those require CMake, SCons, or Meson... Meson. In other words, among those three it's 30%, but I know CMake is a huge use.
E: I'm sorry, one last data point: if on GitHub, if you search for the count of files called meson.build, which I'm assuming is the most obvious indicator that using Meson, it's about 70,000. If you look for Makefile, it's 3.7 million, right. And was a CMakeLists.txt, is that, is that the CMake...?
I: Yeah, I think no matter what, GNU make and CMake are far, far more common, yeah. Basically, you know, the article that I have there says that 600 packages of Fedora depend on it.
I: I think there's something of an upward trajectory, but it's, it's not, like, dominant. It's not like, say, either CMake or, or makefiles, which, granted, once you create a make..., once you create a build system, it's a pain in the butt to change.
J: Yeah, the last thing is, I mean: do we, do we want to, I guess, the next meeting, do a quick run-through of things that we think are just... do it like a straw poll of what's not contentious, to just sort of get that out of the way and then focus on the ones that actually have some disagreement, or do we want to sort of randomly hit those when...
F: Yeah, but I'd say if any are just kind of absolute yeses, they can be noted ahead of time, and, you know, unless there's something we didn't consider, you know, those can pretty much automatically go through, and then, like David said, we can focus on the ones that might be a little more contentious.