►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
C
B
B
All
right,
I
just
dropped
the
a
new
template
in
there
for
today's
meeting.
You
guys
can
put
yourselves
or
ourselves
as
presence
if
you
wish
I
so
does
that
seem
we
have
an
agenda
already.
So
while
people
are
doing
that,
if
anyone
would
like
to
put
some
updates
in
or
bring
up
some
topics
I'd
like
to
discuss,
we
can
certainly
do
that.
D
B
A
D
B
A
A
B
E
A
quick
update
on
the
sales
Control
Management
project,
so
we
met
last
week
and
what
we're
going
to
be
working
on
next
today
is
going
to
be
presenting
I.
Think
an
update
to
the
class
on
May
30th
for
the
best
practices
working
group,
and
we
are
trying
to
see
what
we
can
do
to
kind
of
get
that
into
like
a
good
update.
E
So
what
we're
working
on
is
that
known
with
legitify,
had
actually
gone
ahead
and
put
together,
like
a
nice
CR,
to
talk
about
GitHub
and
GitHub,
and
we
want
to
round
up
round
out
that
documentation
with
adding
more
context
so
working
on
a
PR
to
get
that
done.
We're
also
thinking
about
what
we
want
to
do
in
terms
of
the
roadmap
in
the
future,
anything
related
to
editorial
work
or
things
related
to
operations,
and
we
also
want
to
get
this
in
the
hands
of
Open
Source
program
offices.
E
E
This
week
are
in
front
of
say,
like
the
to-do
Group,
which
is
another
Linux
Asian
community
of
practice
prospers
so
we're
meeting
kind
of
like
off
cycle
this
week
to
view
a
PR
for
some
of
the
editorial
content
together,
ready
for
those
other
review
folks,
as
well
as
to
get
it
in
a
good
shape
maker
and
to
talk
about
it.
So
that
cool
thing
to
talk
about
it.
B
E
G
So,
just
a
minor
one
on
the
best
practices
we're
currently
working
to
replace
a
couple
of
the
encryption
libraries
that
we've
used.
We
did
an
update
on
our
on
our
framework,
which
now
includes
some
encryption
mechanisms,
and
basically
we
want
to
switch
over
to
that,
because
that
way
we
will.
It
should
be
much
easier
to
update
going
forward.
We've
had
some
updating
problems
in
the
past,
so
it's
one
of
those
when
we're
done.
No
one
will
know,
but
it'll
be
easier
to
maintain
it
in
the
future.
B
So,
as
you
can
tell
we're
kind
of
in
ad
hoc
mode
here
since
Crow
is
on
PTO,
we
do
not
have
an
agenda
so
again.
I
will
invite
anyone
who
has
any
topics
they
would
like
to
discuss
with
the
working
group
to
please
raise
those.
Now.
We've
got
a
fair
number
of
folks
online.
That
I'm
sure
we'll
be
happy
to
talk
about
anything.
That's
interesting
to
anyone.
H
H
Okay,
I
got
one
person
with
a
thumb
up,
that's
about
it
all
right.
So
this
is
something
that
I'm
pitching
to
the
the
it's
a
cig.
Now
under
the
or
well,
it
will
be
a
Sig
under
the
securing
artifact
repositories
working
group
and
maybe,
if
funded
by
Alpha,
Mega
I'm,
not
entirely
certain.
So,
okay,
it's
taking
a
step
back.
My
fundamental
proposition
postulate
for
this
whole
thing
is
Major
artifact
servers
right,
Pi,
Pi,
ruby,
gems,
Maven
Central.
H
You
know
all
those
major
artifact
servers
and
all
these
different
Industries
have
likely
never
had
a
pen
test
performed
against
them
and
the
reason
that
I
posit.
That
is
because,
when
what
what
does
the
kind
of
the
forcing
function
that
forces
you
to
get
a
pen
test
right,
either
you've
got
regulations
in
some
respect
or
your
your
software's
being
purchased
right.
H
You
have
a
piece
of
software,
that's
being
bought
and
you
have
a
customer
that
says
we're
not
going
to
buy
your
software
unless
you
have
a
pen
test
right
and-
and
you
can
show
us
that
pen
test,
because
the
security
team
is
like
part
of
the
acquisition
process
of
your
of
your
customer,
because
artifact
servers,
major
artifact
servers
in
the
industry,
Maven
Central,
you
know
Gradle
plugin
portal,
Pi,
Pi,
ruby,
gems,
like
all
these
artifact
servers,
nougat
npm.
All
these
things
are
available
for
free
right.
H
We
may
be
building
all
this
infrastructure
in
the
industry
and
pushing
for
these
security
measures
without
having
kind
of
ensured
that
the
the
Bedrock
we're
standing
on
is
secure,
and
so
the
idea
behind
the
great
repository
audit
is
that
the
open,
SF
and
Alpha
Omega-
and
you
know,
potentially
a
bunch
of
places,
come
together
and
actually
fund
pen
tests
of
major
artifact
servers.
So
let
me
switch
to
my
other.
H
Let
me
switch
off
my
phone
and
I'll
send
the
link
to
this
proposal
in
the
chat,
unless
somebody
wants
to
beat
me
to
it.
It's
linked
in
the
securing
software
repositories
working
group.
So
if
somebody
wants
to
grab
that
link,
I
will
be
right.
There
just
give
me
a
half
second
I'm,
just
going
to
switch
to
my.
H
G
H
Group
right,
yeah
yeah,
that's
that
that's
the
that's
the
high
level
right.
It's
it's
tied
to
best
practices,
because
it's
the
best
practice
running
an
artifact
server,
but
this
is
also
got
best
practices
for
open
source.
So
you
know
but
I
I.
Just
you
know
different
crew,
different
group
people.
You
know
there
was
an
opening
at
the
end
of
the
call.
It
seemed
like
nobody
had
anything
to
talk
about,
so
I
figured
I'd,
throw
it
in
there
sure
absolutely.
G
I
If
I
mean
to
reject
here
just
one
thing
Jonathan
you,
you
started
with
the
premise
that,
because
open
source
is
free,
there's
not
been
any
forcing
function
to
have
been
testing.
I
mean
this
is
clearly
not
always
the
case
right
I
mean
there
are
I,
think
it's
evolved
in
the
Linux
Foundation,
especially
you
know
it's
fairly
common
for
projects
that
will
run
to
do.
I
First
major
release,
we
do
security
testing
and
it
does
cost
quite
a
bit
of
money,
but
is
supported
by
the
membership
and
so
I
I
think
you're,
probably
right
anyway,
that
there
are
many
of
those
packages
available
in
those
you
know,
Registries
do
not
or
have
not
been
tested,
so
I'm
not
arguing
with
the
the
you
know
the
need
they
may
still
be
in
it.
I
just
wanted
to
question
a
little
bit
the
premise
you
started
from.
H
I
mean
one
result
of
this
thing.
Maybe
oh
hey.
Actually
everybody
has
a
hint
fantastic
wow.
Okay,
great,
you
know,
that's
like
awesome
right.
We
we
didn't
realize
it,
but
it
has
happened
I.
So
the
projects
that
you've
been
engaged
in
have
been
funded
through
non-profits,
primarily
or
where's.
The
funding
come
from
for.
I
G
Yeah
I,
certainly
don't
know
of
all
I
mean
we've
actually
got
a
repository
called
Security
reviews
of
every
security
audit
report
that
we
can
find
for
open
source
software
projects,
which
won't
claim
is
a
full
list.
So
lots
of
people
do
pen
test
security
audits,
related
things
for
a
variety
of
reasons.
G
I
mean
it
really
just
comes
down
to
somebody
decide
it
was
important
and
find
a
way
to
fund
it,
but
but
you
know
what
so
so,
I
I'm,
not
sure
I'm,
you
know
I'm
not
sure
I
always
buy
the
premise,
but
just
because
whether
or
not
a
premises
is
true,
the
conclusion
can
still
be
true
and
I
absolutely
do
agree
with
the
conclusion
which
you
know,
yeah,
P
may
or
may
not
imply
q,
but
Q
is
still
true.
So.
I
H
No
I
yeah
yeah,
so
I
have
so
like
I
I
originally
posed
this.
You
know
during
the
open,
open
source
Summit
in
in
Vancouver
and
was
talking
to
like
Brian
Fox
and
Brian
Fox
like
did
some
digging
through
his
company
and
came
back
with
oh
hey.
Actually,
we
have
had
a
pen
test
for
Maven,
Central
right
so
and
and
I
presume
that
npm
probably
had
an
audit
done
at
some
point
during
the
acquisition
right,
because
that
was
they
were
bought
by
Microsoft
right,
whether
that
happens
regularly.
H
I
also
come
at
this
from
a
personal
point
of
view
of
pers,
like
personal
experience,
just
having
worked
with
package
of
managers
in
the
past,
they
tend-
or
at
least
in
my
experience,
they're
like
these
critical
bit
of
infrastructure
for
the
ecosystem,
but
they're
not
making
the
company
running
it
any
money.
It's
usually
cost
sync,
and
so
it's
kind
of
like
as
long
as
it
keeps
working
we're
happy
as
long
as
it
keeps
running.
H
We're
happy
right
and
that
may
not
be
true
for
you
know,
and
then
there's
other
organizations
like
Pi
Pi
right,
which
is,
is
community,
run
and
there's
a
bit
of
a
difference
there.
So
but
at
least
for
the
from
the
corporate
side.
In
my
experience,
it's
it's
a
cost
sync
and
it's
not
really
often
the
priority,
because
it's
not
making
the
company
any
money.
H
D
G
Right
so
it
I
think
it's
a
there's,
a
much
broader,
simpler
statement.
Most
software
has
not
been
reviewed
for
security.
You
can
just
put
the
period
right
there
and
most
Services
side
effect
either
and,
let's,
let's
go
make
sure,
since
these
are
important,
let's
make
sure
that
they
have
I've
gotten
a
serious
look.
So.
H
This
time,
let's
go,
the
scope
of
this
test
also
includes
a
proposal
for
also
trying
to
pay
for
red
team
engagements
too,
against
these
artifacts
server.
The
organizations
running
these
artifact
servers,
which
may
be
a
harder
sell
and
also
involves
much
more
heavily
collaborating
with
those
organizations,
because
those
have
Scopes
that
are
when
you
started
in
dealing
with
social
engineering,
potential
employees
or
employers
or
organizations.
You
have
even
more
careful
Scopes
you
need
to
deal
with,
but
it
is,
it
is
included
as
a
potential
like
hey.
H
We
should
make
sure
that,
like
the
people
who
own
the
keys
to
these
major
artifact
servers
that
are
supplying
the
industry's
open
source,
software
have
a
certain.
You
know
that
they
they
understand.
You
know
social
engineering
attacks
as
well
are
a
valid
Target
against
them,
given
given
their
place
in
the
supply
chain.
H
G
The
Sterling
tool
chain
no
I
was
at
at
the
open
source,
Summit
I
guess
it
was
a
week
a
week
a
week
a
week
ago
and
then
I
decided
to
get
ill.
So
so
I
need
to
get
I'm,
not
sure
I
actually
have
the
pen
on
that.
But
I
know
that
there's
some
been
some
efforts
to
try
to
take
the
governing
board
idea
and
the
various
in
the
mobilization
plan
and
Tech
I
tried
to
circle.
The
square
and
other
people
have
made
comments
too.
G
G
G
G
In
fact,
the
the
esper
everywhere
Group,
which
I
believe
is
meeting
next
one
of
the
things
that
there's
is
on
their
list
of
to
Do's,
is
to
try
to
do
that.
Evaluation,
I,
don't
think
that's
moving
as
quickly
as
I'd
like,
but
it's
that
seems
to
me.
The
first
step
is
before
proposing
anything
knowing
which
ones
make
any
sense,
and
my
understanding
is,
you
know
all
have
strengths
and
weaknesses
how's.
That
said,.
G
F
This
is
probably
just
to
make
people
aware
I'm
going
through
some
of
our
GitHub
repos
and
trying
to
condense
things
into
a
single
source
of
truth
type
of
thing,
because
we
have
a
few
community
members
that
were
eager
to
start
helping
and
they
weren't
sure
where
to
start.
You
know
what
are
certain
groups
working
on?
What
are
the
certain
groups
goals
times
places
where
the
notes
things
like
that,
because
we
have
a
lot
of
different
repos
on
GitHub
and
so
I'm,
starting
to
condense
them
into
this
one
Community
repo.
F
So
the
community
has
a
place
to
to
go
and
start
rather
than
having
to
look
through
the
61
different
repos
plus
external
ones
and
things.
So
if
you
feel
what
feel
free
to
contribute
to
that
repo
pull
request,
welcome
and
everything
else
just
trying
to
get
it.
So
it's
easier
for
people
to
kind
of
onboard
into
helping.
B
H
The
vulnerability
disclosure
working
group
has
proposed
and
has
been
accepted
by
the
attack,
a
open,
SF,
outbound
vulnerability,
disclosure
policy
which
describes
how
we
as
the
open
SF.
If
anybody
wants
to
speak
for
and
represent
the
open
SF
has
a
vulnerability
they
want
to
disclose
to
an
organization
or
a
repository
or
project
the
policy
that
that
we
will
use
for
those
disclosures.
H
So
if
you
find
any
vulnerabilities
and
you
want
to
disclose
them
under
the
open,
SF
Banner
or
you
want
to
there's
also
a
model-
outbound
vulnerability-
disclosure
policy-
that,
if
you
don't
want
to
use
the
open
ssf
name-
but
you
want
to
just
adopt
that-
that
is
also
present-
send
a
link
to
that
in
the
chat
and
it
will
we're
trying
to
find
a
home
for
it.
What
repository
it
will
live
in
so
yeah?
That's
just
the
attack
ratified
this
policy,
so
it
is
policy
for
the
open,
SF.
H
H
Well,
yeah
I
think
the
attack
has
proposed
that
we
put
it
in
there's
a
repository
called
Foundation
open,
SF
Foundation,
which
has
policies
in
it.
That's
the
one
that
Bob
Callaway
supposedly
put
it
in,
but
I've
emailed
the
TAC
twice
now
saying:
where
should
I
put
this
document
and
I've
gotten?
No
responses,
other
one
other
than
Bob
Calloway.
So
no.
I
H
I
G
Yeah
yeah
I
I
will
say
if
it's,
if
it's
going
to
be
a
part,
I
mean
I,
don't
think
those
two
statements
are
in
Conflict
by
the
way,
there's
nothing
wrong
with
it:
open,
ssf,
webs
the
webinar
stuff
website,
you
click
and
jumps
over
to
the
repo
for
the
actual
contents.
But
you
know
if
it's
going
to
be
a
policy
we're
going
to
need
to
make
it
actually
visible.
Yeah.
H
Definitely
is
there
so
if,
if
there
are
there
ways
that
we
can
like
have
a
document
or
a
policy
that
is
written
in
a
GitHub
repo
under
the
openxf
somewhere
and
have
it
mirrored
to
the
website
in
such
a
way
that
any
updates
to
the
GitHub
repository
where
that
file
is,
will
get
reflected
to
the
website
or
is
that
a
manual
process?
So.
F
G
I
will
note
that
the
current
solution,
which
you
may
hate,
but
is
what
this
working
group
has
been
doing,
is
creating
the
documents
on
GitHub
and
then
creating
a
link
on
the
website,
creating
a
link
to
the
GitHub
page
to
the
page
generated
by
GitHub
itself.
It's
not
GitHub
Pages,
it's
a
page
on
GitHub.
If
the
distinction
makes
any
sense,
yeah.
F
G
Doesn't
matter
because
it's
a
link
on
the
main,
open,
ssf
website,
it's
a
it's
a
link
to
and
by
the
way
the
the
trick
on
a
markdown
file
on
GitHub
is,
if
you
add
hash,
read
me
it
will
it.
When
you
open
up
the
page,
it
will
skip
the
header,
that's
normally
generated
for
a
markdown
file
and
you
immediately
see
the
start.
Seeing
the
actual
contents,
it's
a
it's
a
hack,
but
it's
a
working
hack,
yeah.
H
F
H
Does
it
just
doesn't
rank
it
highly
yeah
I
mean
you?
Can
you
can
definitely
search
for
like
if
you
put
GitHub
at
the
beginning
of
a
search?
It'll
definitely
come
up
for
you,
but
it
just
it
just
like
if
you
want
like,
if
you
don't
want,
if
we
want
I
presume
right,
if
we
were
to
look
for
the
vulnerability
disclosure
working
group,
finders
guide
or
the
report
or
the
the
either
the
finders
guide
or
the
maintainer
guide,
we
would
not
be
the
top
of
the
list
on
Google.
H
G
D
G
H
This
conversation
with
attack,
one
of
the
oh
just
another
Amanda,
just
aside
to
you
there
before
most
of
the
most
of
the
working
groups,
were
using
a
a
GitHub,
plugin
called
security.yaml,
or
something
like
that.
That
was
giving
it
was
configuring
like
permissions
and
how
the
repository
is
configured
from
a
file
in
the
Repository.
H
H
H
D
F
I'm
learning
how
to
manage
permissions
later
today,
actually
now
that
that
project
is
complete
and
so
I'll
bring
it
up
Jonathan.
Thank
you.
You've
just
emailed
operations,
congratulations!
Yeah!
Great
thanks!
Arno
is
back.
If
you
wanted
to
ask
the
question
again
about
if
the
attack
heard
about
it,
Arno.
H
F
H
Where's
honor
come
here:
oh
there
you
are
yeah,
yeah
did
did
the
attack
ever
get
communicated
about
so
when
the
open
SF
was
originally
set
up
there
were
these
security,
dot
or
repositoryconfig.yaml
files,
the
ones
that,
like
let
anybody
configure
their
permissions
on
their
working
group
from
a
file
it
was
in.
Let's
see
it
was
settings.yaml,
but
is
that
ringing
any
bells.
H
Went
through
and
configured
these
across,
so
all
the
working
groups
like
you,
know,
settings.yaml
right
and
it
gives
you
know
users
whose
collaborators
like
what
labels
are
set
up
right.
So
it
lets
you
configure
the
the
Repository
from
a
yaml
file.
So
if
you
wanted
to
change
the
repository,
you
didn't
need
to
be
an
admin
on
the
repository
you
could
just
push
things
to
this
file.
I
H
H
So
these
were
so
these
were
this.
This
plugin
was
applied
across
the
entire
organization,
and
I
was
digging
into
this.
This
plugin,
because
I
was
curious
about
it
and
how
it
worked,
and
because
of
how
this
thing
works,
you
can
configure
who's
an
admin
on
the
repository
from
this
config
file,
and
that
meant
that
anybody
who
had
push
access
to
this
file
could
make
themselves
an
admin
for
the
repository
and
then
privilege
escalate
into
controlling
the
repository.
So.
E
H
I
H
D
H
C
H
Does
yeah
as
of
a
month
and
a
half
ago,
maybe
two
months
ago,
it
doesn't
do
anything
currently
I,
don't
think
that
the
file
does
anything
because
it
got
yank.
Oh,
is
this:
is
this
you
know
what
probably
happening
that
file's,
probably
getting
added
everywhere
yeah.
This
is
where
it's
coming
from
people
or
people.
Oh,
that's,
weird
from.
H
H
Okay,
so
I
will
we
should
have
a
conversation
with
the
tag,
slash
somebody
about
how
you
know
what
problem
are
we
trying
to
solve
and
do
we
do?
We
want
to
yank
this
from
the
template,
given
that
it's
not
usable
anymore,
so,
okay,
we've
deviated
heavily
from
the
topic
of
this
intended
meeting
working
group,
but
this
has
been
a
helpful
call.
So
thank
you
for
for
humoring
me
on
this
one.
B
Otherwise,
we
can
probably
wrap
up
today's
meeting
and
hopefully
next
time,
we'll
have
a
better
agenda
in
place
at
the
beginning
and
a
little
bit
more
structure
to
the
conversation.
But
I
think
this
is
good.
We
talked
about
some
good
stuff
and
we
helped
Jonathan
figure
out
his
problem,
which
is
always
a
good
thing.