From YouTube: OSS-SIRT SIG - Part of BEST WG (January 10, 2023)
B: I don't know if I ever told you that I used to be in the music business. I'm technically a retired talent agent.

A: Technically? Oh really?

B: Yeah! That's why I can spend all my time in open source. But yeah, I had a very interesting career in the entertainment business.

A: Wow, cool. So yeah, totally different thing now.

B: Yep.

A: While I've got you before the meeting starts: I had another working group ask about the office hours and, if I recall correctly, weren't you involved in helping get that set up and running?

B: Yeah.

A: Just curious to listen to your experiences and how it was going.

A: Yeah, Jonathan Meadows is the working group lead, and they'll meet next week; that will be your next call.
A: Art, you popped in just as I was saying it: no updates, except I'm going to remind the TAC in two hours. They need to give us comments and a direction on where to go next with the plan.

A: Right. Anything, Randall or Marta? Anything you'd like to discuss?

B: CRob, CRob, before we go, I actually got contacted by some really interested groups, like the Zero Day Malware Consortium Association, something of the sort, that would be interested in talking to us about the CERT.

A: Okay. And maybe, while we're waiting on the adjudication of the plan, if we started to organize ourselves around our data collection, you know, that's not going to be lost work, no matter what.

A: So perhaps we could send a note out to the list, and then through Slack, Randall, asking for volunteers, anyone who's interested to help participate in the interviews, so we can start to organize, kind of divide up the list and pair up, maybe go out and start to do some talks.

B: Yeah.
B: Absolutely. And then I've also been talking, on a side channel, with Jonathan, the other Jonathan, from Alpha-Omega.

B: The researcher, yes, because I kind of like what he was doing, and I know that at Gentoo we kind of have initiatives like that. So I've been trying to see how we can connect efforts there, about scanning the open source world as a whole. And I don't know how that... I mean, that could possibly have things to do with the CERT, but yeah.

B: But yeah, I thought that was interesting because I know that there's a lot of stuff happening. I've been reading a lot about use of Linux in the wild and how that's evolving. I know that we don't talk about that much here, but I'd like to start talking more about it. Things like initiatives like Flatpak, because apparently a lot of companies are investing a lot of money in Flatpak.

A: Well, I don't know if anybody saw, but it looks like we'll be having a call that's Australia-friendly. I know Marta probably won't participate, but Art, if you're available, we'd love to have you talk with our friends over in APAC as we talk about vuln disclosure.

D: There, I will likely participate, when, as I said, I could... probably, yeah. Pretty cool, happy to. Yep.

A: And I know that we'll get some folks from GPZ participating in that as well, so that'll be kind of interesting. I have some folks from Red Hat Product Security that are coming, and then hopefully we'll get some GPZ folks. So it should be a productive call once that gets rolling.
B: And let me say this, CRob: my intent in bringing this up is I actually did look into Flatpak quite a bit, and it's actually pretty interesting technology. However, they do a lot of things in the name of security, and it makes you ask, like, who told you to do this, and why are you saying that this is the way it needs to be done? Because...

B: I feel like they walk that line of "well, we're freedesktop, so we're just going to implement a bunch of stuff and y'all just have to kind of deal with it," and that's one of those attitudes that's always bothered me. But I feel like, with time... I mean, it's a good technology. I just think that, first of all, we've got to call cows cows, apples apples, oranges oranges, and second of all, I just don't think that they have...

D: They're securing it because Flatpaks are up to date.

B: Then they have this idea of a universal Linux, which is very, very interesting, because essentially Flatpaks run on what they call runtimes, which are shared across all of the Flatpaks. So it gets rid of a lot of problems, and if you were to secure something, if you were to talk about security, then the runtimes could be very useful in that regard. But how they get done, the build process in which they get produced...

B: There's really no security, in terms of supply chain security; they really don't do anything like that, but they still tout that it is the most secure option for running Linux. And now that Steam Deck runs Flatpaks and their entire ecosystem is Flatpaks, everyone's talking about how Flatpaks are the future, to the point where they're calling them next-gen packaging. The next generation of packaging.

D: I'm not familiar enough. I was just kind of curious with that one statement, but that explains it. Thanks. I'm just grumpy; I want to do things the old way, yep.
D: I have a small topic I wouldn't mind introducing. It won't take long; we don't have to spend a lot of time on it, if that's all right.

B: Sure.

D: It came up in a side thing I was typing while we were talking here. So, Linux kernel devs: I've heard this is a handful of people, and Greg Kroah-Hartman's the most vocal about this, I think.

D: They don't do CVEs. Greg recently said they do GSD, but the evidence suggests they do not do that either. I talked to them a while back, and my version of their story is:

D: "We're at a layer of abstraction in computer science, which is totally fine, right. You can see that these are bugs. We are maintaining the kernel. We have a good process that's working, everybody cares. It's an important piece of software." That sounds crazy. Yeah, bugs are bugs are bugs, shut the F up, basically, right? Bugs are bugs are...

D: No, it is, and he tells really very first-hand stories of, like, "hey, there's this thing, and I woke up one morning and realized that five years ago it was the most terrible Linux security bug ever on the planet, and some other thing we accidentally fixed, and it was like, there." So yeah, he's a kernel dev; I believe him.

A: Sure, no, no, they have a good process. It isn't necessarily compatible with enterprise downstream consumers.

D: Exactly. So yeah, they have a process that works for them. It works great, and there is truth in that perspective, and I see it and I don't deny it, and all good, yeah. So just about everybody downstream of them starts to care about, you know, security bug or non-security bug, very quickly, and then I think, basically, the current plan is hopefully one of the larger distros... SUSE was the last one who caught one.

D: And the distros will go to town and do stuff, and fixes will get distributed to all of the poor downstream folks who are not Linux kernel devs, who can't tell what's going on. So, right, that is sort of relying, as usual, on some random person who cares and understands the problem, or some distro who does a lot of support and it's their job, to notice and catch these things, right.
D: Yeah, so it occurs to me, and I don't know if anybody wants this or not: an organization where one of their full-time tasks was to tag vuln IDs to kernel things. Sounds like it could maybe be... I don't want to personally do it too much, but a person could be... an open source CERT type of thing, right. The Linux kernel CNA, and you know Greg would yell at us, but we would still assign, or G... and honestly, I don't... it could be.

B: I actually have something to add to this, because I am a frequent kernel contributor and I've been told on good authority that since 2008 there is really a lack of a security steward in the Linux kernel, because that security steward was grsecurity, and the guy that ran grsecurity retired and his kids didn't want to do anything with open source. They went full-on private now.

B: I have a lot of contacts in grsecurity because they're in Irvine, which is where I live, and I go there often, so I actually have access to all of the repositories, but they just physically don't want to do this. They don't want to do free work anymore, and according to a lot of people, not to Greg, there needs to be a security steward, because all security... and he told me I could quote him on this: all security in the Linux kernel is bolt-on.

C: I will add something to that: I've tried to sort out the CVEs in the kernel, because when I was doing a CVE analysis for a distribution, basically out of the 1500 packages, half of the CVEs were in the Linux kernel.

C: ...ever fixed, or if it has ever been posted to the mailing list, because the descriptions are so unclear and so on, and if you don't know which parts the patches actually could apply to, you do not have the contact information for the guys who have reported it.

C: So for quite many of them, you're just simply stuck, and you are looking at the comments on the... when you are lucky, you can identify the exact module where the problem was expected to be. You look at the commit list and you start wondering which one it could be, and you will never be sure, basically.
A: Yeah, and I agree that this definitely has merit and would be very useful; it's a very delicate situation.

A: So, but if the group is interested in trying to commit some time and effort on this, I would suggest we reach out to, you know, Red Hat, SUSE, Canonical first, kind of get some of their thoughts on what they feel is working, what isn't working, and then try to broker some conversation with the kernel security team to see if they would be...

A: ...private and secret, and if we are interested in trying to make adjustments or try to add some assistance, it'll take some time and energy to work through the communications of that, to not inadvertently offend anybody, because there are a lot of personalities and we want to add value. We don't want to get into a flame war.

D: Randall, the distinction that may apply here... I'm passingly familiar with all the patch stuff; I watched some of that go by, but I don't have details. But I was more sort of focused on the very simple-sounding, but I know it's not simple, CRob's point: hey, we're not going to argue with the kernel security people about what security should or shouldn't be in there. This was a security bug. It gets an ID, it gets managed, to Marta's point.

D: So it's just that first hop in the downstream vuln management ecosystem, and make sure that the paperwork is taken care of. That's it. Yeah.

A: And there are people that are Foundation members that are already doing some of this work, so I would suggest we start with them to see their perceptions and what their activities are, and then see what we can do to add value to that, to make it easier for downstream. We don't want to add the burden onto the developer, but I think this is possibly an area we could, with a couple...

D: And if it's of value, yeah. If it's being done, we don't need to do it a second time, and if no one wants us to do it, that's all fine, and if we don't want to do it, that's also fine. But there's a little spot there, and I feel like somebody paid to do it regularly would be efficient for everyone else, as opposed to "who's getting this one, who's getting that one." Anyway, yeah. Okay, that was my idea, thanks. Over.

A: And actually, one of the guys from that team I've invited to the APAC vuln disclosure call, so hopefully he'll show up. He's a good dude.

D: Cool.
A: Folks, in my time back at Red Hat, some of their patches were not compatible with enterprise deployments of Linux, correct? Could you throw that on a Wall Street trading floor?

B: You know, but what I was trying to get at is a lot of them, the ones that I have from grsecurity, are just simply that they were not submitted.

A: Yeah, yeah.

B: I don't know what bad blood there is there, but all I was told is that the guy wanted to hand off the torch to someone, and he's been sitting there with the torch since 2008.

A: It's... that space is very emotionally and mentally straining, just the pace and the importance of that package, that ecosystem. Really, it's not just a package. It's a...

A: Yeah, so again, if the group wants to apply some time to this, I think we definitely could add value to downstream by applying some people's time to help with the documentation. But let's see what exists today, what's working, what isn't working, and then start to talk to the players to ask if we can go ahead and do that.
A: Comments on this? And maybe, if you want to put your thoughts together a little more eloquently, Art, and send that to the mailing list. I think this is a worthy topic for us to talk about, and I think it makes sense that this is potentially something the CERT could work on.

B: On the flip side, CRob, could I... I know that these are really a CERT problem, but could I bring this to OpenSSF? Because here's kind of what happened, how I know about this: they were trying to get us to do it, and then we were trying to do it, but it turned out to be a lot of work for two people, so I kind of feel like someone should do it.

A: I'd have to put some thought to it. I don't know exactly where that would end up getting routed, you know, whose desk that would land on, but that's definitely something we... It is a free and open forum.

A: Anyone is welcome to bring up suggestions, but I just don't know where we'd start. With the TAC, and see if the TAC sees value in it and if it aligns with the direction the Foundation is moving, and then see about getting it appropriately routed to the people who can best participate.

A: Yeah, so again, Art, I would suggest you put your thoughts together in a mail to the group, and then Randall, if you're interested in moving that particular piece, the patches piece, forward, we'll need...

A: The distros will typically carry things for their older supported kernels that aren't necessarily part of upstream. So yeah, it's a thing.

B: Okay.

A: All right, any other thoughts?

A: Am I, like, firstly, out of my mind? Yeah, it may be at the top of this. Maybe it's at the top of my agenda party.

D: Oh nice, and there's a big public page for all this, dude.

A: All right, well, thank you, the three of you, for your participation and your ideas today, and I look forward to talking to you soon, and I'll get an update once I hear anything from the TAC.