►
From YouTube: OSS-SIRT SIG - Part of BEST WG (April 4, 2023)
B
A
A
A
However,
you
know
that
I
never
shut
up
about
open
ssf
and
even
though,
even
though
LF
has,
let's
just
say,
not
been
as
excited
about
my
commitment
to
open
ssf,
basically
I
got
Tim
so
just
to
kind
of
let
you
know
so.
Tim
told
me
that,
because
of
all
of
this,
LF
is
willing
to
put
money
into
the
education
Sig.
B
A
Okay,
well
just
to
let
you
know,
because
I
know:
initially,
we
were
kind
of
sitting
on
well,
let's
just
donate
SKF
to
open
ssf,
and
then
they
can
put
whatever
money
they
want
in
it
and
whatnot.
That
was
one
option,
but
basically
one
of
the
things
we
were
talking
about
is
keeping
the
SKF
brand
as
a
whole.
So
now
the
new
option
is,
let's
keep
SKF,
but
let's
figure
out
what
openssf
wants
to
be
done
with
it,
and
then,
let's
figure
out
what
like
aligns
with
what
they're
trying
to
do,
which
is
obviously
their
certifications.
A
So
basically
Tim
wants
to
have
a
sit
down.
I
think
it
would
be
wise
to
have
a
sit
down
with
you
and
Glenn
as
well
and
go
over
that
so
that
I
don't
know
if
it
needs
to
be
done
right
now,
but
Tim
would
like
to
get
that
clarified.
As
far
as
how
much
time
commitment
does
open
ssf
need
from
the
SKF
team
that
will
be
paid
for
by
LF
yeah.
B
A
Also,
just
so
you
know,
the
new
platform
Glenn
is
of
the
opinion
that
if
Linux
Foundation
wants
to
integrate
that
all
into
their
new
onto
their
existing
platform,
that
will
just
donate
SKF
the
new
platform
to
open
ssf,
and
then
you
guys
can
pretty
much
do
whatever
you
want
with
it.
We
still
want
to
be
involved,
but
it's
been
made
clear
to
us
that,
like
yeah,
like
we're
part
of
LF,
we're
part
of
core
LF
and
we
have
a
bunch
of
responsibilities
and
yeah
man.
A
A
A
B
A
B
A
Actually,
really
like
the
security
and
happy
hour
and
if
there's
anything
that
I
could
do
to
help
I.
The
next
thing
I'm
going
to
be
working
on
is
the
rust
a
lot
of
rust
courses
for
LF,
cool
I,
just
finished
the
security
kubernetes
security
course
and
I
handed
that
off
yesterday.
So
now,
I'm
probably
going
to
be
on
Rust
y.
B
B
B
C
C
Luigi's
been
kind
of
chatting
with
about
this
and
I've
been.
This
is
some
research
area
that
I've
been
curious
about
for
yeah,
but
it's
basically
like
hey.
There
are
multiple
URL
parsers
and
if
you
use
one
to
parse
the
URL
and
like
break,
allow
list
or
deny
list,
and
then
you
process
that
URL
to
make
a
request
with
a
different
parser.
You
can
have
bypasses
and
it's
about.
C
C
C
I
mean
so
the
problem
that
exists
is
that
the
URL
parser
right,
there's
an
old
spec
which
the
RFC
spec
and
then
there's
the
what
wig
spec
and
the
what
wig
spec
is
supposed
to
be
a
living
document,
but
they're
the
model
that
what
wig
is
kind
of
taking
on
is
like
they
don't
necessarily
want
to
thrust
up
an
initiative
upon
people.
It's
more
like.
C
This
is
a
specification
that
defines
the
current
way
the
world
works,
not
the
way
we
want
to
be
because
either
their
perspective
is
like
a
spec
that
it's
not
actually
implemented
is
meaningless,
which
I
respect
it's
more.
You
know
it's,
this
is
it.
The
spec
is
designed
to
be
more
reactive
than
proactive,
but
I
think
that
I
articulating
and
visualizing.
The
problem
at
least,
is
a
good
starting
point.
To
give
us
a
a
representative
representation
of
like
you
know
how
how
how
varied
are
these
parsers
across
the
industry?
C
You
know
pick
a
bunch
of
different
languages.
You
know
get
crumbs
parser
in
there
Firefox
parser
in
there
see
you
know,
Java
JavaScript
python.
You
know
get
a
bunch
of
different
parsers
in
there
and
then
just
visualize
the
problem
and
then
like
that,
can
help
drive
a
discussion
about
hey,
like
we've
got
this
problem
in
the
industry
and
like
this
fundamental
I,
would
call
a
URL
a
pretty
fundamental
building
block
of
Internet
understanding
is
actually
an
in
and
of
itself
deeply
flawed.
B
B
This
might
be
an
interesting
topic
if
you
can
get
things
together
for
that
Workshop.
It's
called.
It's
focused
on
we're
trying
to
bring
secure
supply
chain
practices
to
web
developers
because
there
seems
to
be
kind
of
a
big
disconnect
with
that
community
and
cyber
security
in
general.
So
we're
trying
to
have
a
little
workshop
around
that
and
this
particular
topic
could
be
of
interest
to
because
we're
going
to
have
practitioners,
you
know
actual
developers,
not
just
security
walks
there,
so
it
might
be
an
interesting
Workshop
topic
to
kind
of
walk
through.
C
A
Apparently
this
is
a
known
issue
and
apparently
what
wig
there's
a
member
in
what
wig
that
I
don't
want
to
publicly
name,
but
there
is
a
very
specific
person
that
we
need
to
get
in
touch
with,
because
basically
in
the
past,
so
someone
already
did
a
bunch
of
work
to
try
to
fix
this
problem
and
long
story
short.
Basically,
what
wig's
response
was
I,
don't
see,
the
problem
go,
take
a
hike
and
basically
that's
that's
a
big
part
of
the
problem.
A
A
C
B
A
A
Say
this
because
I
already
have
something:
if
you
guys
look
at
this
link,
this
was
the
URL
parser
that
was
recently
implemented
in
Rust
like
two
weeks
ago
and
what
we
did
is
we
took
this
Jonathan,
we
kind
of
tweaked
it
so
that
it
basically
works
and
wasn't,
and
we
were
doing
it
that
way.
That's
the
first,
that's
the
POC
that
we
did
this
weekend
and
we
also
tried
your
URL
and
it
actually
spits
out
the
same
problem.
A
A
I
agree
what
we're
doing
what
we're
doing,
because
okiki
works
at
Rousseau
we
okiji
is
trying
to
figure
out
if
Rachelle
would
be
willing
to
sponsor
this.
So
we
can
use
Versa
Edge
functions
for
this
all
right
cool,
if
not
I,
know
that
our
friends
at
Microsoft
have
our
backs
sure
pretty
well
with
Azure.
So
just
so
you
got
I,
don't
know
if
that
qualifies
as
a
paper
crew,
but
like
we
are
working
on
a
POC
that
actually
illustrates
the
problem.
C
A
And
for
the
records
on
it
and
I
think
we
can
compile
just
about
anything
to
wasm,
but
I
do
know.
There's
a
couple
of
languages
in
there
that
don't
like
it
and
I
know
that
we
really
basically
had
to
re-implement
the
parser
and
Lawson
to
make
it
work.
But
it
did
it
does
work
and
I
mean
it
is
browser-based.
So
there's
no
Edge
function,
but
you
know
it
would
be
nicer
as
an
edge
function.
I
think
personally,
not
to
mention
that
you're
not
going
to
get
into
well.
C
Thing
so
there's
also
that's
the
biggest
thing
that
I'm
concerned
about.
Also,
if
you
have
an
API
behind
it
like
you
have
so
you
have.
If
you
have
an
API,
you
have
a
website
that
you
can
like
give.
You
know
normal
people,
but
people
that
want
to
like
run
their
own
tests
and
maybe
automate
those
things
if
you
have
a
solid
API
that
they
can
use.
Just
like
give
me
this
and
then
hear
all
the
languages
that
get
you
know,
then
then
independent
research
can
go
on
around
that
topic.
A
Right
but
now
going
back
to
cert
Chrome
the
reason
I'm
bringing
it
up
is
I,
don't
know
if
maybe
the
cert
can
help
us
report
this
or
how
we
could
go
about
getting
more
eyeballs,
because
that's
one
thing
that
John
said
is
that
if
we're
going
to
try
to
fix
this
problem,
we
got
to
prove
to
w3c
that
it
is
a
problem
or
not
w3c.
But
what
wig
that
it
isn't
actually
the
problem
that
they
need
to
correct.
B
Yeah
I
think
it's
definitely
something
that
eventually
the
team
could
help
out
with
you
know,
right
now.
It's
just
a
handful
of
us
showing
up
to
a
couple
calls
so
no
one's
doing
anything
yet,
but
I
think
it's
definitely
something
worthy
that
the
you
know
within
the
ideal
mission
of
the
team
was
to
try
to
help
coordinate
this
type
of
stuff,
so
I
think
it
would
probably
fall
in
scope,
Fair,
cool.
B
A
B
But
yeah
yeah,
let
me
know
how
it
goes,
how
we
might
be
able
to
help
out,
and
then
you
know,
I
would
again
consider
submitting
something
to
that.
Workshop
I
think
that's
a
good
topic.
We
should
have
I.
That
sounds
like
exactly
the
target
audience
of
people
we
want
to
talk
to.
Is
the
web
developers?
What
is
the
workshop
virtual
or
where
is
it
it
is
going
to
be
in
London?
Okay,
don't
I
know
that
they
are
thinking
about.
There
will
be
allowing
remote
viewing
I,
don't
know
about
remote,
presenting.
B
B
The
initial
questionnaire
you
were
using
Randall,
as
you
were
walking
around
talking
to
folks
yep.
Could
you
potentially
drop
that
into
the
agenda
at
some
point
and
maybe
next
time
we'll
actually
work
to
refine
it
and
then
maybe
take
some
actions
to
start
to
divide
up
our
list
of
people?
We
wanted
to
talk
to
and
start
to
approach
folks.
Once
we
get
a
a
good
set
of
questions
together,
yeah.