Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
B
Hey David, does, does Brian usually come to these?
C
So I, I, I'm not running this crops. Okay.
B
Rob, you're here, so, Crow, here's the deal. I was talking to bro... I'm a research guy for Linux Foundation and did work last year for OpenSSF on security issues, and managed to go out and get 72 completes in my survey to maintainers, from maintainers rather, on 53 different best practices. And so I was talking to Brian about a week ago about, you know, what his plans are for research this year, and he said, well, you know, why don't you stop by one of these best practices meetings and kind of show them what you've got so far and ask questions?
F
Okay, can everyone hear me? Yep, all right. I installed some new equipment and my audio is a little flaky. So let's add Stephen a little bit further down the agenda.
G
I do, I proposed the other day to add the, the C++, my brain.
G
The guide... oh, words, sorry. I wanted to, yes, I propose to put this on the, on the agenda, because one of my colleagues, Thomas, who's on the call, could and would like to quickly maybe present, let's say, or is interested in contributing, let's say, first, and then he has some material that could be the foundation, or could be used as a foundation, to extend the current draft that exists already.
F
See it there, so let us get started. Everyone, welcome to the last day of the first month of 2023.
F
11 more to go before 2024, everybody. Do we have any new friends that wanted to introduce themselves and say hello to the group as we get started?
H
Okay, I'll chime in. Hi everyone, Bradford Bartlett here. I work at Sonos, the speaker company, and I work in... I see somebody clapping, hopefully a happy customer. I work on product security, so I've been interested in OpenSSF. I'm getting to learn more about that and SLSA and some of the other, you know, frameworks and tools out there that might help us in our journey here. So nice, nice to meet everyone. Excellent.
I
Sure, I'll jump in. Hi, I'm Sheila Saibi, and I am located in Silver Spring, Maryland. I work at Comcast in the open source program office, and I am here to lurk a little bit and learn how to get involved in this community, so that I can help our technologists also get involved in this community. Excellent.
J
Hi, my name is Caroline Cameron. I work in supply chain security with IBM, so I am a DevSecOps developer. So I'm just, I'm very interested in encouraging more widespread adoption of secure development, so I'm happy to be here and help in any way I can. Excellent.
K
Yes, hello, I'm Thomas Newman. So I'm from Ericsson, where I work in the product security organization as part of a security technologies team. So I'm joining today to present this material on C and C++ hardening that they mentioned. Nice to meet everyone. Nice.
L
Maybe, maybe not. I'll introduce myself. My name is Robert. I come from Norway and I'm, I work in a company called mr42, and we're a platform engineering slash security slash everything-as-code company. We're making platforms to create platforms.
L
So we need a little bit of those security there. So I'm just here to try to help us as much as possible, and I have, I have a long CV. I'm not going to go into it, I'll just skip for that, so feel free to reach out. All.
F
Could I please ask someone to be our scribe for today to help us take notes? I.
F
So if you are interested in submitting a talk, please do so by Sunday. If anyone is interested in assistance in helping massage their abstract, or they're looking for co-presenters, please raise your hand. Let us know, we're glad to help out. Several members of the group have already submitted some things, so we were always welcome to see some strong representation from the OpenSSF at this summit.
F
And there will be, I imagine, the call for papers for the European version of the summit will open up, probably in another month or two. Do you have any idea where that might be this year, David? I don't. I had heard rumors of maybe Amsterdam, but we'll see.
F
We started a source code management best practices guide. We met last week and we will continue meetings every other week, continuing next week. If anyone's curious what we talked about and what we're up to, there's Issue 102 in our repo. We have created a folder for the doc repository and we're already starting to check in some materials, so that'll be kind of our next group project, will be a source code management best practices guide. Pretty exciting.
C
Or, minor thing, and maybe this is just me, but, you know, source code management is a really broad topic. You know, it seems to me you're really talking about configuration guides for forges like GitHub and GitLab, right? Yes, yeah. So I'm wondering if you might want to title it to be more specific, because there are people who use git locally. They'll, people use completely different kinds of tools and systems.
C
It might be useful to title it. That's.
F
An excellent suggestion, David. I would welcome that comment on the issue. Initially it was titled GitHub best practices, right? So we're kind of directionally correcting things, so we're not endorsing any single vendor, but yeah, I think that's good feedback. So why don't you post a comment and we'll get the group to potentially course correct again.
K
Yes, thank you very much. Is it, is it all right if I, if I share my screen? So I'd like to show... Absolutely. ...like the material that we have.
K
Yeah, let's see. So I hope, let's see, I seem to have like a permission issue. Let's see if this will.
K
I think I, unfortunately, might have to drop out and rejoin for these two, for this to work. Is it all right if we take this a little bit, a little bit later and... Absolutely. ...try to sort it out on my day, my apologies? No.
B
All right, I'm going to leave the panel up on the side, because it may be useful to jump around a bit. So what you need to know to be.
B
To be, since the LF has only recently, back in middle of 2021, started up a, a research group that I'm part of, my first opportunity to work with Brian was here in the middle of 2022, actually beginning in 2022. And so we put together a survey on open source software supply chain security issues, and as part of that particular survey we went out and tried to talk to maintainers slash core contributors.
B
Our sample for the survey was, we had a lot of people start this survey, but we had about between 400 and 500 who actually completed most of the questions. But we did have 72 that self-identified as a maintainer or core contributor who went through and answered a specific section designed only for maintainers and core contributors, and that was a section on best practices.
B
What I did was, I spent time with David Wheeler, went through all of his secure software development best practices, and, you know, the SLSA framework and others that are similar to that, and went through and tried to winnow down.
B
You know, out of David's 100-plus, I think it is, best practices, a subset that I could actually put in the survey and ask questions about. And so I ended up with 53 of David's best practices, and I managed to torture the maintainers pretty well, because there was a space for feedback at the end of the survey, which I think ran, like, for them about 80 questions in total, and then some said: fabulous, I love the fact that you're actually, you know, somebody is looking at this particular space.
B
Others said way, way too long. So, and I think probably all of those statements in a whole prove realistically.
B
Well, I, I still want to thank David for helping, helping me kind of navigate those, the complex waters of those best practices.
B
So anyway, what I want to do is, I don't want to show you all of the data, because it's not time for that. It's really not a need for that.
B
This was a summary of the best practices that I asked about. So there were one, two, three, four, five.
B
Seven different areas or different topics, and on the left side you see the number of questions we had about each best practice that I aligned with that particular topical area. So.
C
Sure, the, is it, do you have a URL for this? Because I want to make sure this is.
B
Okay, so here's an example, for instance. This was best, basic activities, and there were nine questions here. These best practices that are identified on the left side of the text, those I, I did my best to shorten the description as much as I could, so, but only enough to be able to fit.
B
Are they using that best practice? Now, if they're not using it, are they planning to use it later in 2022? Because we did the survey back in Q2 of 2022, so it is getting a little bit long in the tooth, and I have to take responsibility for that. But nevertheless, we asked: are they going to implement this best practice later in 2022 or sometime in 2023?
B
I didn't have enough room to say beyond 2023, but then I skipped then to: do, or do you have no plans to use this best practice? Does it not apply to the particular way in which you are doing maintenance? Or do you not know, or are not sure, about either how to answer the questions or kind of what the state is of this particular best practice as it applies to your use? So those were the, let's see, five different types of responses.
B
They had to pick one, and this was repeated for all 53 of these best practices. So these are the ones on basic activities.
B
I've got two pages here; there are a total of, I think, nine on source code management and change control, and you can, you can see that in general there's a pattern that, that becomes clear very quickly as to, you know, how many, you know, a lot of, a lot of best practice use is happening. If it's not happening, there's some planned, and the not applicable is pretty small. The no plans to use varies significantly, and what I need to ultimately do is follow up with some maintainers to try to find.
B
You know, why is it that people would have no plans to use some of these? Not sure. Maybe it has to do with the ones I selected from soft, secure software development best, in a list, who knows. So this one, there's a panel here on software builds, sorry about that, software quality testing, and then we had, I've got several on security from slightly different foci. This is sort of overall security-focused best practices. This is specific to testing, and then we had secure software development. So what I'm?
B
So here's, you know, one of the obvious ways from a reporting standpoint: would be able to show the data much like you just saw it, talk about the percentages that are using it now and the plans for, for future use and what the growth is looking like, perhaps have a story that I have to obviously develop on, you know, why some people have no plans to use.
B
Think one of the things I would, I would need to do to report on this, and probably add some value, is to be able to look at the different topics, the best practices within those topics, and gain a better understanding for, you know, how difficult maybe is it to actually implement this kind of a best practice, or, and what is the value proposition that goes along with it, so that there's a story that tell, that tell for those best practices that don't have a lot of people using them.
B
What maintainers using them right now, I mean, as you saw, for the basic activities, those are kind of like the entry point for doing secure software development, so they were, you know, widely subscribed to. But for some of the later ones, when it came to security, for instance like this, the last one on the list: dynamic application security system, so DAST and web app scanning.
B
Surprisingly, you know, not a lot of use right now, kind of surprising, and then no plans to use. I think there's a lot of, a lot of developers who probably do things in a very manual way and with a lot of introspect, and introspection, into the code, and may not necessarily either feel the tools are needed or tools don't accomplish quite what they're looking for. I'm not sure. I'm.
B
You know, I'm just speculating at this point anyway, but, as you can see, there's a lot to think about and talk about here. So before I stop and sort of see what people might have to offer and what people think, let me just talk about one possible way to leverage this information I thought was potentially useful. So, you know, we do have 72 maintainers that answered every single one of these questions.
B
Do you have to complete other best practices before you can then move on to this next best practice? So other prerequisites that exist, and where do they exist, and do they commonly exist across the set of best practices that we have here? Because if there was sort of a network model that I could put together, which said, you know, you hear, this best practice has to be completed before you can move on into these other best practices, then one thing we could do is, we could, based on this model of prerequisites.
B
We could actually build something akin to a recommendation engine that would say, you know, here are some of the things that come to mind based on your particular set of best practices in use, the challenges and the benefits that exist from doing, you know, all of these best practices. And that would have to be probably qualitative information, but nevertheless, then we could build recommendations about here's where you might want to look next, from the standpoint of improving your secure software development and getting sort of biggest bang for the buck, potentially, or other potential scenarios, depending upon what's of interest to them, or different ways that we can recommend to help them improve what they're doing, depending upon perhaps what, what topical areas are most important to them. From, so, anyway.
B
From the standpoint of usage, what we're seeing out there in the industry, and so the model can continually be updating based on people that essentially take the, take the survey and are looking for results back, and we can continue to update, you know, and then become better informed over time as we try to report back results to people. So I'm going to stop there and see whether or not, you know, there are, anybody out there has some either other ideas for what I can do or some sort of assessment on the, you know.
F
Michelle asked: do you have any idea what industries are represented as part of your survey? I.
B
Do, if that, I haven't put it together for just the 72 maintainers, but yes, we, we have demographics that are part of every survey. So we know what industry they're coming from, we Fairmont about their, you know, their level of experience and.
B
I could do that if I, if I do share the slides. The one request I would make was, you know, you put, have them for your internal use only. You know, I need to be reporting on this and put a report together on this subject and get it out for, you know, the use inside of, you know, posting on the OpenSSF. So, you know, I don't want to.
B
So let's see, we're getting some additional resources to help with the development of this, which is really cool. I would think probably about three to four months from now it'll surface. It takes about a month in production, and, you know, and it's going to have to go through a pretty, pretty, a serious review process where we build a storyboard, you know, we get that reviewed, we build a draft and get that reviewed.
B
So it's going to, that, those review cycles take a while, so I would say, when we say, you know, safely, with four months from now. Okay.
B
Of the things I can say, well, well, people are trying to unmute, is there's a lot of commentary here on SAST, DAST and IAST. You know, I don't have any dogs in this hunt, but the reality is, is that all of, all of these are really, really useful tools. You know, both static analysis and dynamic analysis and the integrated, which is, I think, really.
B
The combination of the two. So, so I'm a big fan of using tools to help address security issues, and one thing I do want to look closely at, as you can tell, is the fact that this is not the first survey where, in some cases, we've seen tool use not as strong as we want, in the actual general, the rest of the survey that already has been published for OpenSSF, and I, I really strongly recommend you go to the, go to the LF website and pull it down.
B
I mean, all this research is free. There is, I think, tools, tools for, you know, either number one or number two way in which significant improvements could be made to, you know, software, from it, from addressing a software security need, that and best practices both show, shown through as being very important activities that developers should take. So, and so, you know, it's the typical software tools, it's the fuzz testing, and, you know, it's also.
B
Software composition analysis, where you can look at licensing and vulnerability issues, and it's a whole raft of tools, and, you know, the, the platforms for creating platforms. There's all sorts of, there's tooling there that's really fascinating as a way to potentially build more bulletproof, you know, platforms, essentially. So there's a lot of different ways to do this.
B
I'm a big fan of tools, but I will have to look closely at what the data is saying here in terms of tool uptake, because I have seen in other questions, approaches where maintainers are more apt to say, look, you know, I do a lot of manual inspection of the code, and that is, you know, sort of the best way in which I know to go through and, you know, either check, check work or be able to, you know, validate that the work has been done well. So.
B
Haven't done any scoring at all so far. I'm just sort of picking obvious places where we might want to start, which is, you know, challenges and benefits. But, you know, I don't have any.
M
Yeah, okay, so I think my, I'm just gonna be direct, if that's okay, and let me turn on my camera, because that's probably not, if I'm gonna talk. I, I think that before, when you do, you know, when you do a case study or, or a review like this, I think it's important to confirm what the criteria is ahead of time, because then it's less fuzzy. I, I think we don't know what we're talking about.
M
I, I think that's really critical for me when I review studies. So, and I would like to see, make sure, because when you talk best practices, that can mean many different things. So either whether you use the NIST framework or OWASP or CMMI or whatever, right? It just, I think that needs to be confirmed, and then it needs to be agreed upon and published in advance.
M
I would like to see industry representation, even though it's small. I'd also like to see a larger sample size. I think 72 is, is really small for me, and I think that I would break down the security testing into agreed-upon domains. Like I saw you left IAST out, and sure, there's overlap between DAST and IAST, but it, I mean, people are still trying to adopt it, right? When it'd be helpful to see where they are with that. I think those are my main points with it.
B
It's fine, it's fine, yeah. I wish the sample size was larger, too. I guess the real question becomes.
B
The, the challenge that I had in doing this was that I caught a lot of flak inside of Linux Foundation, because, you know, like, you know, the sort of the philosophy is: don't bother the maintainers. They have a hard enough, you know, role as it is, and so it's very difficult. Yeah, it's very difficult.
M
Okay, it's a study. Studies usually help people. I, maybe you can get the certification for working with human volunteers, you know, have you heard of that, PHRP or whatever? I, maybe that would make people feel better? No, but I, because I don't even, it's not even clear to me, like one of the things that additionally isn't clear that just popped in my head, I don't know the, the sizes, like it's not broken down by here's, you know, under 50, you know, 50 to 500.
B
We, I have work size that they're a part of, so yeah.
M
Okay, okay, so just, I'm, I'm hoping this is helpful, and I'm happy to talk to you offline if you wanna, if it helps to get this feedback. I mean, we, because, you know, at Google we, we do the DORA stuff, and maybe we can use, I'm not saying we should do it like that, and I'm not trying to boss you or sass you, but I'm just saying that there's some methodologies that maybe might be useful. I just thought I'd throw it out there.
B
My question is whether or not I've got enough to actually add some value in some capacity, and if there are, and primarily what I was thinking was that, based on usage patterns and the nature of the activities that were described, you know, is there less usage in some areas simply because these are difficult practices to implement, or, you know, is there what?
B
What insights can we draw, if any, from what we already know? And I think that was, that was probably pretty much as far as I thought we could go. I like the idea of a recommendation engine, but I'm not so sure that we have enough information to be able.
M
To make, no, I, I would agree with that, and I wonder if you could, it's possible for you to take this initial exploration and call it that. Like you could call it, we did, we performed an initial exploration, we'd like to dive into this further, but we will need the following assistance. That might be an opportunity, I think, if you catch it that way, as opposed to not good enough or something like that, right? Yeah. Okay, that's good! A great recommend.
C
Great idea, thanks, yeah, because I, I think there are interesting questions, but, you know, the, the numbers, I agree with Michelle, the samples, for, compared to the millions of developers, 72 is a little rough to make a lot of.
F
So I have a couple things, and then again, if, as anyone else has additional thoughts, please raise your hand to queue up. I think this is very interesting. I think we all agree that the sample size is an opportunity for future improvement, but I think the data is interesting. So if you are looking for additional, you know, more collaborative feedback, don't hesitate. I, I would be very glad to work with, you know, you and David and anyone else in this team.
F
That's interested in kind of diving a little bit more into that information. And then, secondly, we also lead, we have a SIG around education, and I think just spotting a couple things, despite the small sample size, we know that multi-factor authentication is a point of contention in the community, so that potentially could be something interesting we feed over to the education SIG. How can we provide more information to explain the benefits of multi-factor? The same thing with tooling.
F
And, you know, as we do, you know, dive more deeply into what you already have, and as we get more participants, maybe there's some trends or recommendations we can make around open source tooling that might help. Maybe developers are unaware that there are open source options, or even, you know, low-cost commercial options in this space. So I, again, I'm really excited. I think there's a lot of opportunity to feed this into some of our other initiatives. So please, let's set something up to continue to collaborate. Yeah.
F
As we mentioned, please, for internal use, certainly no sharing, please. We want to wait, don't want to steal the thunder once the report gets out in roughly a quarter. Okay.
F
Thank you, Stephen. This is excellent. Where, I think it's a great start, very excited about it, and it is a very unique opportunity to actually talk to people identifying as core maintainers and developers. That's, we don't get that chance terribly often. Yeah.
F
All right, Thomas, have you reset, and are you ready to try to talk about C and C++? Yeah.
K
Let's give this another try, so there you go. I hope my Firefox window is visible now to everyone. Yes, okay, excellent! Thank you very much for the opportunity to, to come here and talk about this. So I'll try to be brief, but I'll maybe sort of say as much for the background on this is that this is sort of, this is sort of a document on what we call toolchain hardening for C and C++, that started out as a kind of like an internal, initially like an internal PowerPoint.
K
We would present to our product development units, and later it got turned into this sort of a part of our internal, internal security recommendations. And sort of the motivation for this work was that we had, we got this feedback from developers that, you know, they, they know that they need to apply these mechanisms, such as stack protectors and things of that nature, to C and C++ code, but actually getting to the situation where they had a grasp of how exactly these work and what threats they protect against.
K
They were sort of like this gap, and, and one of the reasons for this was that, while these options are widely available in compilers, sometimes the documentation was not necessarily that accessible to your average developer, right? So you needed to have someone with some security background to understand what was going on.
K
So we, we sort of try to address this gap by, by starting to collecting this material on, until, toolchain hardening. I know that this is also something that you hear a lot of different terms for, right? So binary hardening, runtime protection. We, we sort of picked this name because this is the name that OWASP uses, as well as it sort of goes nicely together with product hardening, which is, you know, internally, what we used to call, like, hardening the configuration.
K
So this sort of goes nicely hand in hand, right? And, and, and this is sort of now a version of the document. I've been turning the markdown to make it a little bit online-friendly. This is still work in progress, so excuse the rough edges, but, but sort of, if I sort of go up briefly through, like, the content. So we have some sort of motivating text. We have a section on recommended compiler options, which is kind of like the meat of the document at the moment.
K
And, and something that I, I'll sort of, you know, should address, like, ahead of time, that, that this is not in any way sort of complete, right? So, so we have sort of prioritized covering the kind of options that are supported both by GCC and Clang, and as well as are cross-platform, right?
K
So one of the things that we hope to do, possibly with the help of the committee, if this is something that, that you would be willing to, to sort of adopt, would be to also extend this to platform-specific options, so for the support for things like Intel CET or Arm pointer authentication. So, so, currently this is sort of limited to the stuff that is, is, is sort of a little bit more easier to deploy, in the sense of that it's a software, software specific.
K
But so we have, like, these tables, and then for each of these options we have a sort of a short section that tries to provide, like, a synopsis of what is happening. That's the extent for the warning flags, and then, when we go to the actual runtime protection, we provide a little bit more information. So some of, some of the, like, commonly asked questions is that, what are the performance implications, right?
K
This is what developers care about, right? Always, what, what's the impact on performance. And so we've, we've taken the stance that, that, you know, we try to explain that if there is a performance impact, where does the performance impact come from? Because, obviously, you know, the actual effects will vary depending on what kind of software you apply it to, but, but we have sort of tried to do our best to somehow characterize that. Are there, like, any corner cases that might hurt you very badly in performance?
K
You should be aware of them, and, and just this notion that what are the, what other aspects of this feature that will actually contribute the performance overhead. And then we have a sort of, like, a general warning section, like when not to use. So some of these options can be, you know, problematic, so you cannot come with a sort of general recommendation, like always use it. So we try to cover possible corner cases which might be problematic, and, and we've sort of, original format for this.
K
So, so this, this sort of comes from, like, a Word document, where each of these should sort of feature on a single page to be, like, accessible. That doesn't necessarily come across here from the, like, the markdown format, but, but sort of, you, you see that we have sort of tried to be fairly brief on this, so that it would be easy to, easy to sort of get at a glance.
K
An idea of what this feature does without having to, you know, spend potentially hours going through compiler documentation, go read a mailing list or a blog post. And so we've kind of, like, done all that effort and, and try to condense the sort of, this into something that's, that's accessible, and yeah. So, so, basically, this, this sort of mostly follow the, the same structure.
K
We have some started work on something that's, so, discouraged compiler options, so options that can have a security impact sometimes. And then we have a work-in-progress section on sanitizers as well. So obviously there are more sanitizers than this, but again, these are the ones that are, I think, the common ones that at least our developers usually want to, want to use. And then, lastly, there is a section on handling debug information. So this is another sort of pain point that we felt was sort of necessarily to, necessary to address, that.
K
How do you, actually, you know, deploy binaries with, that are stripped, but then, if you've run into issues, you still need to be able to, to debug them, yeah. So, so this is, this is sort of what, what we have, and as part of this process, you know, we identified this, you know, interest to, to open source these, and we thought that bringing it to OpenSSF would be a, a natural option, especially now that Ericsson has formerly, formally joined, and I.
K
I know that there is a kind of, like, a partial overlap with the, with the excellent work that Mr Wheeler has been, has been doing, but, but sort of, again, we sort of tried to do, like, a little bit of a deeper, deeper delving on partially these options, and, and we are of course very happy to continue developing this, you know, and our hope is that we can do that through a community effort, because we also see a benefit in this.
K
Getting, like, more pairs of eyes on this. So I think that, that's, that sort of the brief, in brief, sort of summary from, from my side, and I think I'll sort of cross, scroll through this, this document so you kind of see the extent of it. Are there any questions that I could, I could answer, you folks, at this point?
C
Yeah, so we, those of you who don't know, we do have an incubating project which has C/C++ options, which, it looks to me like, this is fundamentally the same scope. You've got a lot of information.
C
We don't have, I've put in the notes the link to our current draft, the C/C++ compiler options guide, but this is, has lots of information that we don't. I love the note of which ver, of which compiler version. When, I know that some folks have also asked to add, and this will be an interesting discussion point, of Windows compiler, because it uses completely different options.
C
Yet we've got a lot of folks using that, but yeah.
K
That's an excellent point, so that's also something that's been brought up internally, and not just the Windows compiler but other, let's say, proprietary compilers. So, so that, that's something that we are currently limited ourselves to GCC and Clang, because, as you can imagine, like, actually going to find this information is quite time consuming. So right, yeah, I.
C
Mean, as a larger group, we can say we added, or we just limit the scope. I mean, that's another possibility too. There, I did find at least one document that did actually do a separate one for the Windows ones, but because the options are all so different, it's almost a different document at.
C
I mean, I like, I, I don't know if you've looked, how I have, people here have looked at the draft, but I mean, we've got just, like, two pages. It has some discussion. I think, just like you, other folks have noted the same problem of just saying, hey, here's an option, isn't complete. You need to explain why one would care.
C
I would love to see this, and a merging of some of the other materials that we've got, into some sort of, you know, basically a large version of "here are the flags you recommend and why". You've got a lot of details, so what I would suggest is a brief summary at the top and then hyperlink down to all the details, so that people can get there if all you want to know is "what do I do".
C
For those who don't know, documents in general are CC BY, the Creative Commons BY license, which means that even if you contribute, I mean, you can obviously keep using it, doing whatever you do, and then we can all work together to, you know, add maybe missing information or whatever as you go along. But I love this idea. Others?
F
I love, love, love this. This is something we've been trying to get going for quite some time, and I know we have a couple of members. Marta has expressed interest in participating. I'm trying to get the internal Intel team and the Clear Linux folks to get their documents together to share and contribute to something like this. So I think there is, at least initially, a lot of energy from this group around this idea, and I love the details and how you've laid this out, Thomas.
K
So my own background into this: I did my PhD at Aalto University, where I wrote my dissertation on using hardware-assisted mechanisms for runtime protection. So this is sort of a topic close to my heart. But for this we sort of started from the software side, and I'm looking forward to extending this into the hardware-assisted mechanisms now that they are becoming more and more relevant and available.
C
Just one of the reasons I ask is I've had some informal conversations in the past with Fedora about extending this. I know some others have talked to Gentoo too, because they've got some others. But, you know, it seems to me that taking this, and if we can get some others to contribute, I think we can very soon come up with material that's better than any one organization's, and this looks like a fantastic start.
D
Yeah, Thomas, if you wanted to talk to the Gentoo and GCC people, I could get you in touch with those people.
K
Yeah, exactly. So, as I said, there's definitely room for additions here, right? So our sort of motivation for why we have picked these is that we have somehow felt that these are sort of the low-hanging fruit, so to say, and most relevant for our product development units. But obviously, working together, we can extend this further to try to be as comprehensive as possible.
C
Yeah, I think that would be a good idea. I would propose scoping it down a little bit. I think you've already kind of implicitly done so, but I assume that this is for C and C++, GCC and Clang primarily. I mean, I think there was a brief attempt to try to broaden it, but the reality was, I think, that those are the only two that a lot of the documents really focus on, because the others are so different. But with that scope, yes, as long as we clarify what the scope is, so people aren't surprised.
F
Okay, are there any contrary opinions?
F
What I'll do is I will get a Doodle set up. I'll work with David on the wording, so I don't put my giant foot in my giant mouth, and we'll get that sent out. So, Thomas, make sure we have your email. I'll add you to that Doodle and we'll shoot it out through the mailing list and the Slack for anyone that's interested in participating, so we can pick up Marta and everyone.
C
Let me jump in real quick. Sorry to be the licensing nerd here, but, you know, Thomas, of course you're always welcome to interact. We would love for you to contribute this, or at least, you know, just release this as CC BY, so we can use it as a starting point, but that's obviously up to you and your organization to make that decision. But we can beg.
K
We already have internal clearance for the CC BY licensing, so we are waiting for the final red tape on this particular version. So once we can clear that internally, I would be happy to make this available on GitHub, in whatever way is easiest to work with. Happy to get feedback on that.
K
That's what would be the easiest way, but the licensing is already sort of cleared from our side. Yeah.
F
I'll get a folder staged for where we can start to have future collaboration ready.
F
We really appreciate you all putting this together. Very excited about the energy around this particular little project. Thank you also to Stephen for coming to share your research. Hopefully, I look forward to future collaboration with you on the best practices, helping get maintainers a little more secure, or focusing on areas where they have some opportunities for improvement.