From YouTube: OpenSSF TAC Meeting (August 24, 2021)
A: Hey, good morning, David. Hi there. I was not sure if anybody else was coming in as OpenSSF operations. So I...

A: After that, I don't know, but I... send me a Slack or an email and I will try to help. I'll try to remember to do this for you. Yeah, actually, email, weirdly enough, is sometimes better, because I keep forgetting to check my Slack, so.

A: It's still around. There was a, there's, there's a brouhaha about a takeover, and I guess a number of people have moved to different IRC hosting services, but it's still being used.

H: Maybe sometime you and I can look at it together. I, I always struggle, so I have to somehow get Teams, not Teams, what is this, but Zoom to log in.

I: Oh, it's Phil. Okay.

C: It's not just us. Yeah, I've tried all the password stuff, everything. It never works. I don't know what it is.

H: Everybody gets a little diss this morning except IRC. That's...

A: Want others to enter the meeting notes.

C: A ton for notes, but yeah, if people could please add yourself, I will do that as well.

C: We have a pretty decent amount of folks, let's say: okay, we gotta look, we've got Phil, we got Rao, okay, all right! I think it's, that's five minutes past, we can go ahead and get started. So, fairly short agenda today, though I think some of this might go on for, for a little bit for discussion, so a couple of things. First, the executive order and OpenSSF updates. So we've been talking about this in various other groups.
C: I had attempted before my honeymoon to go and schedule a meeting with leads and various other folks. I got like three responses to the, to the meeting request times, so I will attempt to do that again. And Raoul, I apologize. I did see your email, but as part of going through the eight million emails that I have over the past three weeks or so, I didn't get a chance to respond to it, but yes, we're still trying to schedule this.

C: I will attempt to do so again, and then once we get that, hopefully we can have a deeper conversation with the leads. But just to highlight, so some of the things have been happening with the planning committee. We've been talking about identifying critical projects and what that looks like. Okay, I'll give you a moment to talk about that in a second. And we have a proposal from Mike Scovetta regarding project Alpha-Omega.

C: So this is in regards to kind of securing critical projects. So it's all sort of related, and then we have, as part of the governing board updates, have been happening. It made me realize that we actually have the TAC election coming up this, in a few weeks. So we, months ago we decided on this entire procedure, and so now we actually have to go ahead and implement it. So we need to go through that.

C: So I want to just kind of bring it top of mind and also get people's feedback and comments, if there's any concerns regarding that coming up. And then I see that vulnerable disclosures, I'm assuming this is ukrobe, the working group's guide to coordinated vulnerability disclosure for open source software projects. And this is also somewhat related to the executive order, and so we kind of need to talk through how that's going to work and, and different aspects.

C: As far as the working groups and who's doing what, and yeah, we have a lot of things to try to coordinate. So with that. Okay, would you mind giving us a quick update as far as the executive order goes and some of the work streams that you've got going for that, and, and how we plan to tackle some of that?
H: Yeah, so there's two, two things I'm aware of going on that are related to OpenSSF. One is the work that Michael Scovetta is doing on Alpha-Omega. That's not, it's not limited to the EO, it's broader than the EO, but it, to getting that going, helps us to meet EO requirements.

H: So, so that's one thing. The other thing I'll let people know about is there is a meeting at the White House on Wednesday, upcoming on Wednesday this week, and it is, with my understanding, is there are about 35 CEOs from corporate, corporations across a number of sectors, including technology, critical infrastructure.

H: I think government sector, and I'm not sure what else, but I know technology is there. In that meeting, the first, there's a meeting at the White House and then there will be some announcements at that meeting, and then, following that, there's a kind of a panel discussion, I think, is what it is, where there'll be more opportunity. And I think those panel discussions might be by sector, and so there'll be more opportunity for tech sector discussions there.

H: The, one of the things that both NIST and the White House have been very interested in is having the tech sector come together and have a statement that we want to work together to create standards around cybersecurity, and that is likely to reference a couple of initiatives. One initiative that's in the OpenSSF currently, which is SLSA, and it will...

H: It will make reference to another initiative that's not in the OpenSSF now, but the aim is for it to get there, and that's called SCIM, and SCIM is S-C-I-M, that stands for Supply Chain Integrity Model. That is an initiative that Microsoft is spearheading, and we're just getting it ready. I've been talking with Ryan and a few others of you over the past few weeks; we're getting it ready to move it into OpenSSF. I think it will probably be September when that happens, but the intent is, even though we're spearheading it.

H: We're intending it to be a, an open source project, and the difference between SLSA and SCIM is that SLSA is more focused on the, for software, here, here's how you gather evidence about software, and here's how you create policy, and then here's how you do the verification. SCIM is more focused on the data layer. So it's intending to be a data store for supply chain information, so the two of those are compatible.

H: So that's, yeah, that's, those are my thoughts about EO right now. I think it would be interesting to still go ahead, Ryan, and have a meeting where we get the TAC and the leads together. Maybe we can, with that group, we can talk about both the Alpha-Omega, SCIM, SLSA, and then, you know, kind of look at EO all together and what, what and how the OpenSSF is contributing to that.
C: Thank you, yeah. I definitely try to get that meeting scheduled again and hopefully get a little bit more of a response. I think, David, I even saw your mail yesterday, I believe, regarding trying to get leads to give status updates at this meeting. Yeah, I've been, we've been trying to do that for a while now. I don't know if we have schedule conflicts or what, but I would love to have leads here.

C: That's kind of the, the crux of getting everybody coordinated would be to get the working groups together here, but so we'll keep trying on that and, and see what we can go.

C: But let's see what we can do, but I will send out yet another mail, and hopefully we can get a little bit better response at this time, and we'll try to get that set up. But I know there's a lot of interest from, from other members of OpenSSF, so hopefully we can get the leads to, to get together as well, so, and...

H: You know, if it's, if scheduling is an issue, it's, it wouldn't be the worst thing if we made it a, you know, kind of a fuller agenda item for the next, for the next TAC meeting, and then just we're more explicit in reaching out to the working group leads, letting them know what we were discussing and how we'd like to have them involved.

C: Yeah, if we can't get response, yeah, we can definitely leverage this meeting and try to get people to, to show up to it. So I will certainly make another attempt, and hopefully we get a better response this time. Okay. So the next thing is the Alpha-Omega proposal. Mike, do you want to, do you have something to share or just want to talk through it?
F: I can certainly share, although most of you have seen this now multiple times, so I'm going to apologize again. We can go through this. If everybody has seen it, I don't need to go through it, but I think for Matt and Phil, I don't know if you've seen it, and Luke, I think you've just read it. So I'm happy to give the 10 minute spiel. You're, not.

F: But I want to see it four times. Okay, the fourth time is free. So yeah, Alpha-Omega is a, there's a project. It's actually two projects, but the overall purpose is to identify and, it's to improve the security quality of open source components at large, kind of raising the tide of the, of the entire ecosystem.

F: The way we're thinking about this is projects really fall into one of two categories: there's the high risk and there's everything else. The graph here is shown from the criticality project. We've done other models, or at least I, I have, based on, you know, the, a risk algorithm of the day, and they all tend to look like this. So you take the top end of it, whatever you can kind of piece off based on your budget, and you do deep security work on that stuff.

F: So these are critical projects, things that everybody depends on, things that are very core to modern technology, let's say. So something like, you know, Kubernetes, Linux kernel, OpenLDAP, pick projects like that, OpenSSL, that critical vulnerabilities in can meaningfully impact the world. We want to make sure that, that those are covered. Now, at the same time, recognize that a lot of those projects have security teams and are doing just fine, and they don't need OpenSSF stepping in and telling them anything, really.

F: You know, advocate for better practices or hook people up or whatever, whatever the practices are to, to help at least some of these critical communities. Having, so, so the model here for, and this is the Alpha project, so the model of the Alpha project is you have someone who's kind of on point for that project. So, you know, we'd have a, should say, an OpenSSL person, and that person would be liaising between OpenSSF members and the OpenSSL project.

F: In theory, something like coordinated disclosure could come in, but I think that, that may be, that may just in practice just be a step too far for the, you know, for us, for us to get any kind of pre-disclosure information from these projects. So even without that, the project is still worth it. Yes, David.
A: Yeah, one thing I don't, didn't see in the list for Alpha, but I'm kind of assuming you had intended, it was the possibility of independent security reviews, yeah.

F: Oh no, no! No. I didn't mean that. Okay, yeah, I'll, I'll change that and make that clear, because obviously it didn't come across.

A: Or just add, as another bullet, you know, yeah, yeah, you're doing, doing, you know, ensuring you have a security threat, then evaluate, independent evaluation, and then additional security help. That makes sense, yeah. It's hard to know what to evaluate, to do independent value if you don't have an idea of what you're trying to do. The security, the threat model, then identify problems, and then other help, right.

F: Won't be very effective; instead, I would think the model would be, the person would come in and take a look at the project from a, from a kind of a, a process: artifacts, how's it going, where you're paying, like understanding the project and engaging like a partner there, and then saying: okay, what you guys need, you guys need a third-party audit. OpenSSF, can we, can we pay for an, a, and you know, an audit of, you know, OpenSSL? So, and...

J: So would you hire an OpenSSL expert? Is that the thinking? Yes, I, I think they're not easy to come by. I mean, this is, you're talking a very rare unicorn here. That's, that code base, I, I probably shouldn't have started with OpenSSL, because it's probably the hardest one. Most of the critical projects, to be honest, the ones you mentioned, the kernel, Kubernetes, they've got some very high expertise, security experts that work on this day in, day out and have done.

F: We will, we will learn how to do that. I, I, I don't, I don't presume that anything will be able to start day one. The way, the model that I'm, that I'm imagining is that this is a resource that is paid by the OpenSSF to do whatever need do, do whatever helps the, the project be more successful from a security perspective. So if they need somebody to triage issues, maybe.

F: Need help. That's the first part of the project is, is understand, for each of, like, we choose projects that we think are critical. We choose a little bit larger of a pool than we, then we'll be able to handle, and then we pare them down based off of learning about those projects. If it turns out that none of these projects actually need help, then we can high-five ourselves and say, you know, great, we don't need to do this.
H: No, we, I mean, but we want to approach this in a systematic way, so yeah, we'll kind of start with all and then we'll say things are good. These are good.

F: Yeah, yeah, so I would imagine like, okay, so, so, the, the, the cost of doing the learning and figuring out what, you know, if this is a problem that we actually need to tackle and how we would look, all that stuff is minuscule compared to the cost of hiring like 200 people to go after the top, or whatever, you know, lots of people to go after the top projects and be like dedicated. So one, you know, somebody could handle maybe two, but more likely one for the larger ones.

H: And we, you know, we don't necessarily need to hire or place new people on projects. Another way that we've thought about it inside of Microsoft, and I think we and Google have had some discussions about, is, and actually I'm sure Mike mentions it later in the document, I mean it could be that companies who already have security people who are working in those projects, if those end up being the, the contact people, and it just, they become a point that, that we can liaise with from OpenSSF.

F: And in addition, you know, obviously every community needs different things. So, if the community, it, you know, if a, if a, if the core maintainer that kind of, I don't say own security, but like is on point for security for the project, is, you know, split over kind of their day job, and this is their side thing, and OpenSSF can fund them to make this their full thing, like that works too. I think, I think any model works, or any model could work here, yeah.

F: So I think the big risk of, of this, you know, obviously, is that the projects kind of don't want our help. I guess if they don't need our help, it's not really a problem; we'll just move on to the next project. And if we move far enough down the line, then we realize that this isn't a problem that needs to be solved.

F: I think the, I think, where we may have kind of underestimated, as we were kind of formulating this idea, is what kind of investment this is in terms of time. So we're now thinking that this is a many months, two years investment. So we need to be ready, like if we commit to this, we need to commit to it for, you know, at least a few years, because it would do more damage to us from a reputation perspective to, you know, come in.

F: Have somebody like parachute in and say: hey, I'm going to help you with all things security, and then six months later, you know, they're out. It has to be on their terms. We have to be very thoughtful here: we're not trading zero days either. So we need to be careful about the perception of that; we're not paying for access, we're not paying, you know, it's not that kind of thing. I think that would, that would go over terribly in the community. And Luke, I totally hear your, your point about...

F: You know, not, not thinking that this gives us access to any pre-disclosure anything. I think we would, we would be on the same footing as anyone that would get embargoed vulnerabilities, depending on who we represent as an organization, but that wouldn't be through OpenSSF, or at least not anytime soon.
F: Do you mean that if they had access to privileged information that, that I don't think that they should share it with OpenSSF? I think that there should be a firewall of sorts in between there, where, when they, when they're working for the project and they have privileged information, they're wearing the project hat. On just because we're paying their paycheck doesn't mean that we get that privileged information.

J: Yeah, it's, I mean, there's, there's technical solutions, I'm thinking of, you can have people that need to run the site. Okay, and yeah, I don't think that's so much of an issue. The main thing that strikes me is that we haven't really, we're still trying to find a problem, presenting a solution for a problem that we don't really have a grasp on us yet. Yep. That's, that's! That's! There is one. That's fair enough!

F: Yeah, I, I think we, we all, so some of the background that this kind of came from that might, may make it, make it clear, or at least where the, directionally, where we started from was: we all depend on much of the same open source components, and it makes no sense for us all to do independent, in isolation, assessments of zlib and OpenSSL and, and all these others. It's just, it's just, it's neither practical nor efficient. So let's pool our resources and do security work.

F: You know, as a, as an, as an, as an industry group, so we can be more efficient. We get more done, all that stuff, and then it expanded out a little bit beyond that to what kind, what about, like, you know, security quality assurances, like just, just assurance in general, like do they have a, do they have a security response process? Is it any good? Are they, you know?

F: What's the vulnerability trend look like? And some of this is data that can just be collected, but I think the, the, the idea of having someone on point for it means that once the program is, is, if obviously we do the program and the program is up, then we'll know that for the most critical open source projects, there is someone actively looking at it that we know, that we have a relationship with.

H: I would add a very, another, very tangible, like here's, here's the prop, a problem we're trying to solve. So every, this is starting with the executive order, but there will be other, you know, other governments that, that require, and again this project Alpha-Omega is not, it's not specific to the executive order or other government requirements, but that, that's a piece of it.

H: And so, you know, we do need some kind of system that allows project maintainers to provide information demonstrating that they meet conformance and then, where they don't meet conformance.

H: Then there's, you know, some work to be done to get all of us up to that level, certainly for companies that are using open source, which is everyone, so that we can, that we can say for certain that both our products and all the open source we consume meet the bar for security, at least the bar that's meant by, you know, as a starting point, the bar that's specified by the US government, and maybe that bar gets higher over the future.
F: That fair, Mike, totally. So I think that, I think that was perfectly into, into Omega, which is the other half of this. So while Alpha was the top half of the very small number of most critical components, Omega is everything else, and I would say it probably includes the 100, your, the top as well.

F: But that's a rounding error. Purpose of Omega is to run high quality tools, collect critical vulnerabilities, auto-triage them in a programmatic way as best as possible, and then a little bit better, because we expect to advance the state of the art here, and then have dedicated security...

F: Analysts do, do that last leg: triage, validate that it is real, and then either create a patch and send it to, send it privately to the maintainers, engage the maintainers directly, or, or just report the issue in a, in a private way and then kind of move on.

F: So we expect that what this would actually look like is a system for doing the automated tooling that just kind of sucks in the universe and spits out a list of critical vulnerabilities found yesterday, and then the analysts would go in, say: yep, yep, yep, yep, no, maybe, you know. Hopefully it's like, well, we would have a target of like 90 to 95 percent true positive, and then, and then do the reporting, and then they get fixed, and that's kind of our main metric, is like: are we getting critical vulnerabilities fixed?

F: So we don't, while there would be some internal prioritization, you know, obviously, if there are, if they can do, I don't know, if they can do five a day and there are 500 a day coming in, they're going to target the highest risk of the 500 and do those. Then we can figure, we could figure out what that algorithm actually looks like. Private sharing.

F: I don't know what that would actually look like, whether it would be through VINCE, which is the NIST app there, or an existing program that kind of outsources that function entirely and say, you know, here's the package, someone else like deal with it, or if that's something that we should manage completely within this, within this program. If we manage it within the, within the program, we would need to resource some sort of a devrel function to approach maintainers in a consistent and good way.

F: We, we, we don't want to, you know, poison the community by approaching them the wrong way, especially not something like, you know, here's a copy-paste that I, that I, I grabbed from the output of this tool, please fix this and let me know when it's done. Like anything like that would be, would be terrible.
J: I mean, the thing is, with tools, automated scanning tools, linters, they're incredibly inaccurate. Okay, that, you know, the, you're gonna, a large volume of, they, they never find credible issues. Okay, I say this, I mean, I'm a maintainer on one of the most popular ones there is, okay. I've been in this, been working in this domain for, for a long time. You're really, yeah, I mean, a lot of this stuff is also freely available already. If you open a GitHub account, you get CodeQL; there's multiple different scanners that you can pull in.

F: I, I totally get the point. How, so, a couple different things. A lot of, so actually I'll approach it a couple different ways. One is there, there are like two million projects out there, other than mark, like mass marketing, which I think GitHub has tried to do, and I don't know what the, what the, the coverage rate for code scanning is on GitHub. I would be surprised if it were.

A: There we go, yeah, I don't think so. I mean, unless that's a, unless that's an extremely recent change. They do make some suggestions, but it's not as easy as you would think.

A: No, that, you only get automatic reports for dependencies. He's talking a lot more than that, so, you know: there's not going to be fuzzers automatically enabled, there's not.

L: Yeah, it's easy to enable, but by default you get the Dependabot, right, by default, though, but quickly you have to put a flag, but it's easy. So I think that's a valid point, Michael. Something is, the first step is make sure, actually, that it is enabled itself, is a start for the projects, right. I think that's the direction we're trying.

F: Oh, actually, yeah, and so, so we have the data for, for at least the projects that we're capturing in Scorecard. We can see how many of them have code scanning enabled, so we can just do that, and anything from, from a best practices perspective.

F: Yes, absolutely, we should be advocating for, you know, if it's, if it's a click to turn it on, turn it on, you know. So, and, and if that leads to there being nothing that would ever pop out of this, then, while I would feel kind of silly and a little bit sad for spending money on something that, that didn't have anything, I think that would be a, I'd be okay with that, if there were just no more vulnerabilities.
H: Another thing that Mark Cox mentioned yesterday that I thought was, was interesting, which is that, and he was talking about the Apache Foundation, and they've done work around security as well, and his point was that, you know, some of these tools raise lots and lots and lots of issues, and the vast majority of those might not even get looked at by the maintainers.

H: And that's because, you know, a lot of them are, could be an issue, might not be an issue, hard to tell. And so what we talked about is having there be kind of a central place for doing that triaging, that could then forward it to them, you know, once there's something for certain there. They could then forward a filtered list to maintainers. It could be seen as something very valuable by the maintainers.

A: I will say that for some projects, particularly at the super high secure, which is more the Alpha side, it may be better to modify the code so it doesn't have any of those warnings. There's been a long-standing work in the Linux kernel to do exactly that. Turns out that that's a lot of work; it's hard. On the other hand, once you do that, and you know, then all reports are things you look at, because you're no longer getting overwhelmed. But I also can see that.

A: That's, I, I think that's a good idea for all projects, but for many projects that already exist, that may not be time that they're going to be wanting to spend. That's going to be a long-term effort for some, some projects, if they even think that's a good idea.

F: Yeah, I, I don't have this in the paper, but I think it, an ancillary benefit of this is that this, a lot of the same tools that would, could be used to find critical vulnerabilities, well, I'll rephrase that: tooling in general that could be used to find critical vulnerabilities could also be used to find things like backdoors and custom malware, and yeah, I would say even things like typosquatting. So I, I don't want to dilute Omega by making it far beyond critical vulnerabilities.

F: But I think a backdoor is a critical vulnerability, so I think it actually does fit if you just kind of turn your head a little bit, and those would be the kinds of things that we cannot trust the project maintainer to install on their own, because they are exactly the wrong people that, you know, would not do that.

F: But that means that, that I actually, I don't know if it's, if it's enabled. If it's enabled, I don't know if it's just full of critical vulnerabilities that the maintainer doesn't care about, or maybe they do care about but they just haven't gotten to it yet, or kind of anything. So because I'm assuming the risk, I feel like I, as a proxy for the, you know, users of open source, I, I need to know this information, and I think that that's another thing that I don't think came through in the paper, but...
F: I'm, I'm on my first cup of coffee, so sorry. No! No! I, I think I, as a, okay. So as this program, this program is, provides a service to the world that says we will go looking for critical vulnerabilities and we will get them fixed for you. So if a, a, let's say a third party that wants to know, is the open source that they are using secure right now, they can like literally ask for the project.

F: What this project Omega would give them is a third option, which is, I haven't really thought, thought this through too much, like what would we say, that we've, that left, you know, npm left-pad, has gone through this and has that, and, and no critical vulnerabilities were found. Like do we maintain, like publish a list of like known good, or, I don't know, say good but known? No, not bad, but no.

F: I would not open up the entire data set publicly, because that's just a pile of zero days, but I think there's something that we could do to provide more broad assurance than just saying trust us, we're, we're mopping the floor, even though you can't get in the room.

H: I think what, you know, somehow we can, I think something we should stretch for is something like integrating this with the SLSA program, or maybe CII Best Practices badge, so some, so there is something tangible at the end that says, you know, this, there's, you know, the project meets this level of security quality. And, and we can, we don't have to show all the, the results of all the work we did, but we can describe here's, here's the work that happened to allow us to say this project meets the security level.

B: I think there are a large number of projects in CNCF, Linux Foundation, umbrella foundations, the, that would, you know, if we're going to score them, we need to map that scoring system and everything, we, how we configure it and how we weight it, to, to SLSA, and then we can determine, tell, you know, tell projects how they tighten up their build processes, their committer processes, all those things, so they can improve their Scorecard and get to the SLSA 3 level rating that we want.
B: I guess, so I mean, I apologize, Michael, but I mean I have some of the similar, you know, reservations I've heard here. It's like we can't get enough experts to dive in, and the attack vectors are not just the code. The attack vector is the entire build process and mutations that occur and everything like that. I think it's better for us to work on the meta infrastructure, the build infrastructure, making sure the critical projects that, you know, take the code out and teach people how to create these processes themselves that we score against.

B: Thing is, I think I, I see immediate action I can take it for, like, for example, my, the project that I, that I've enamored with and trying to do stuff around is Tekton, and I love what we're doing with Sigstore, and I love the fact that eventually Sigstore can play a role to SLSA. I love that if you look at SLSA, we talk about source code, build provenance, and, and, and things like that. 98 percent of the products out here: no attestation, no signing, no tag-level signing, no build tool level signing. There's...

B: No, I, they don't, but and, and me, and I know that there are, like Sigstore's providing plugins, packages for the, for the in-toto signing, package signing, but Tekton's working with the Chains project, trying to get the in-toto signing. I mean these are the noble things we need to embrace and try and bring to these communities to improve their scoring overall. You have them so, so they have a process set up. I mean, like I'm grateful.

B: I have my projects at Apache Foundation, because Apache gave me a process for security vulnerability reporting, for signing, how to add people to the, to the release management signing keys, how to do all those things: how to create attestation records, all those things. And most projects don't have that. If we create those frameworks and hand them out to people, I think that goes much, much further, and it doesn't require experts. It's very formulaic.

F: Okay, but I, I still come back to the, and I'm not saying that, you know, because it exists we should do it, but is that in some ways orthogonal to this? Because having better, I, I'm all for having better practices and advocate, like all this, the, all this Sigstore, it's great! Let's do it. Let's, let's move on it as fast as we can. Is...

B: It's not just Sigstore; it means, first of course, a plug-in model, that is, Sigstore represents the concept of end-to-end signing, attestation, transparency that, you know, you can bring, and even Sigstore itself, you know, and Chains recommends that you can bring in your own KMS keys, your own hardware root-of-trust keys, so, you know, people can bring in their own keying systems, their own processes, but they need a framework to plug it into.
F: We have to do lots of different things, but I think that, I think the question, what I'm trying to get out of this is: is this a net positive? So is, would Alpha and Omega be net positive for the industry, and, or, and is it so minusculely net positive that it doesn't matter, or is it good and other things are important as well, and we should not do this and not something else? Likewise, should, you know, it does, does it make sense? And if the answer, in the consensus, is no, we just double down and we do, you know, we, we, we embrace SLSA and Sigstore and developer best practices and just that stuff, and not do the...

B: Here, you know, here's, let me say, here's a real example. So my project got attacked last week and I caught it manually. I wrote a, I have a client tool in my Apache, my Apache OpenWhisk project, where someone tried to inject a, a, a script into my Travis CI system. That's never been detected by Alpha or, it, the, the process.

B: We didn't let the stuff in, because I raised it to the project management committee. We manually inspected this stuff and we rejected it and reported it. But, you know, there's some automation there; there's some things we could have done with Scorecard. There's some things you could have, you know, run to say this, this ID was only, you know, one day old, and even though he created, he signed it in his GitHub thing, you know, it was self-signed and it was not a recognized signature.

B: So it looks like a verified commit, but in that, that would have appeared in the attestation record, but that wouldn't have helped an end user customer say that's a bad actor. So those are things we could have done with Scorecard that would have helped that project, and if we fix that at one project we can translate many more products.

A: So let me try to wrap this up, Michael. So I, I think what Matt is saying is, hey, we also need to get best practices embedded in, and I certainly am not hearing you disagree with that. Certainly I would say getting best practices, I, I think what I would say is this: the proposal needs to make it clear either it's part of, or it assumes that there's also an effort to get projects to embed best practices into the project, because, in the end, that's really the long-term solution.

A: You've got to fix things or they're, or they're not going to get better, but we need to get people trained. We need to get best practices embedded into the projects, and so I think that your proposal is, looks weaker than it should be, because it doesn't clarify
that
it's
not
that
the
proposal
is
necessarily
wrong.
It's
just
that,
as
matt
has
pointed-
and
I
agree
with
him,
you
know
we
need
to
get
these
practices
really
embedded
into
the
pr
into
the
projects.
A
H
The
I
mean,
and
then
one
thought
that
I
would
have
tactically
on
that
michael-
is
that
if
we
can
wrap
it
into
this
proposal
it
would
be
better
and
the
reason
I
say
that
is
for
getting
funding
for
it.
If
we
come
forward
with
one
package
that
says
you
know,
here's
you
know
hear
the
set
of
things
that
we're.
You
know
that
we're
planning
to
do
you
know
instead
of
piecemealing
it
all
in
one,
will
make
it
easier
for
people
to
sign
up
and
say
yep.
I
support
you
yeah
yeah.
F
J
I
just
want
to,
I
think,
k
made
a
good
point
there,
which
is:
if
you
can
piecemeal
this
okay
and
and
then
you
can
look
to
socialize
those
ideas.
You
can
prototype
quickly
fail
fast
on
stuff
that
doesn't
work
yeah,
I
mean
that's
something.
L
J
And
it's
that
thing
of
yeah
just
having
that
the
ability
to
to
quickly
set
ideas,
socialize
them
write
some
code,
get
something
working
share.
It
get
some
feedback
yep
and.
J
For
yeah.
F
I
I
I
totally
got
it
the
presumption
here
is
that
we'll
be
wrong
on
eighty
percent
of
our
assumptions,
but
the
only
way
to
know
which
one
is
to
try.
F
J
Challenging
it's
just
you
know,
to
give
what
I'm
just
kind
of
the
sort
of
stuff
that
communities
will
start
greeting
you
over.
If
you
see
me.
G
Good
yeah
one
quick
comment:
I
know
we're
probably
trying
to
wrap
this
discussion
up,
but
you
know
per
your
xkcd,
which
is
an
awesome
cartoon.
I
I
I
guess
I
you
know
one
bit
of
very
high
level
feedback.
G
Is
I
kind
of
see
a
mismatch
between
that
and
then
talking
about
kubernetes
and
the
linux
kernel
like
those
are
projects
that
have
hefty
like
enterprise
involvement
from
engineers
who
have
training
on
you
know
from
their
large
entities
they
they
get
their
paycheck
from
unsecured
coding
practices
and
pipelines,
and
you
know
kubernetes
has
a
pretty
significant
security
organization
set
up.
So
I'm
always
wondering
is
you
know,
is
this?
Should
this
be
more
focused
at
the
projects
that
people
are
forgetting
about
that
we
do
all
rely
on.
G
F
So
yeah,
I
I
totally
get
your
point.
If,
and
I
know
I
know
your
comment-
isn't
about
the
image
specifically
if
the
image
takes
away
from
the
message,
because
it
like
makes
you
think
about
one
thing
and
then
we're
talking
about
something
yep
we
can,
we
can
fix
that
alpha
and
omega
really
are
two
separate
projects
that
just
happen
to
be
tackling
the
the
different
ends
of
the
of
the
spectrum.
You're
right,
the
the
top
end
of
the
spectrum
needs
very
different
things
than
the
bottom
end
of
the
spectrum.
F
G
C
Yeah,
thank
you,
michael.
That
was
definitely
helpful,
good
discussion,
so
we've
we've
only
got
five
minutes,
ish
left
here
so
crope.
I
know
you
have
an
agenda
item
as
well.
I
don't
know
if
five
minutes
is
enough
to
cover
it
all
good.
All
right
I'll
yield
the
floor
to
you
and
we
can.
E
We
are
done
with
the
first
draft
of
this
document,
we're
closing
comments
for
the
working
group
next
week.
I
would
like
the
tac
to
take
a
peek
at
it
and
we're
proposing
to
write
a
blog
that
the
foundation
potentially
could
publish
to
talk
about
it.
A
Yeah
pl,
please
look,
we
want,
we
want
a
blog
post
and
we
want
the
world
to
use
it.
A
A
D
A
But
in
fact,
if
it's
okay,
I
would
suggest-
and
it's
detect
say
hey
governing
board-
we're
gonna.
We
want
to
eventually
post
this
as
a
blog
post,
any
comments,
quick,
because
if
they,
because
the
governing
board
is
the
one
that's
to
prove
the
blog
post,
so
I
think
now
would
be
a
good
time
to
to
give
the
governing
board
heads
up.
Okay,.
H
Yes,
let's
do
it,
you
know
my
my
recommendation
for
any
of
those
is,
if
you
can
just
you
know
the
sooner
you
can.
Let
me
know
the
sooner
I
can.
You
know
share
it
with
the
rest
of
the
governing
board
as
a
heads
up
and
then,
as
we
get
closer
like
if
we
have
maybe
a
week
of
time
to
just
share
it
with
other
people
to
review,
and
then
it's
all
all
good.
A
Okay,
I
think
the
main
thing
I'd
be
worried
about
is
the
governing
board
says?
Oh,
let's,
let's
look
at
this
thing,
this
document
and
oh
wait
a
minute.
I
don't
want
some
changes.
Well,
it
would've
been
a
lot
easier
to
do
that
earlier.
So
that's
that's!
What
I'm
concerned
about
is
the
governing
board
doesn't
want
to
do
a
post
because
they
never
read
the
document.
It's
posting
about.
C
Any
other
questions
topics
in
the
next
two
minutes
that
we
have
here.
H
Do
you
want
to
talk
about
elections?
Just
briefly,
I
forget
whether
you
let
me
mention
to
you
that
some
of
you
know
this,
but
at
the
governing
board
level
we
are
looking
at
some
changes
to
to
the
governing
board
in
a
couple
of
ways.
H
The
main
one
is
that
we're
we've
we've
been
a
non-funded
entity
for
a
year
with
with
a
couple
of
donations,
and
but
next
year
we're
looking
to
request
member
dues,
and
so
that's
going
to
be
one
change
and
then
related
to
member
dues,
we're
going
to
change
the
governing
board
structure
so
that
the
the
entities
who
are
paying
the
the
dues,
the
premium
level
dues,
will
have
more
representation
on
the
governing
board.
So
those
two
things
are
coming
up.
H
The
governing
board
is
reviewing
those
changes
and
we'll
have
a
vote
on
that
in
the
next
two
weeks
and
so
depend,
and
this
all
I'm
saying
all
this
related
to
the
attack
elections.
I
know
there
was
a
the
test.
The
proposal
was
to
have
alternating
years,
three
represent
representatives
elected
by
the
governing
board
for
by
the
community.
H
If
you
wanted
the
first
ones
to
be
the
governing
board,
you
probably
we
should
really
wait
until
we
get
the
new
governing
board
set
up.
If
you
wanted
it
to
be
through
the
community,
I
think
you
could
you
know
it
could
happen
at
any
time,
so
consideration
for
you.
C
Yeah,
that's
definitely
something
I've
been
thinking
about.
I
was
hoping
we'd
have
a
little
bit
more
time
to
talk
about
it
today,
but
we
can
probably
kick
off
an
email
thread
about
it.
C
My
instinct
says
that
we
probably
want
to
start
with
the
community
based
elections
just
because
of
the
nature
of
kind
of
how
this
is
all
working
plus
governing
board
is
kind
of
influx.
It
sounds
like
so
just
for
stability
reasons.
It
probably
makes
more
sense
to
do
it.
That
way,
I
think
I
believe,
back
in
january,
we
did
come
up
with
a
proposal
around
like
how
we
would
decide.
You
know
who
who's
up
for
re-election
and
that
sort
of
thing,
and
it
was
a
little
bit
of
a
kind
of
ad
hoc
process.
C
So
I
think
we
just
need
to
go
kind
of
refresh
that
I
can
start
a
an
email
discussion
around
kind
of
what
we
decided.
C
I
don't
think
there's
any
open
issues
with
with
any
of
that,
but
we
can
kind
of
hash
that
out
over
email
and
then
we
can
kind
of
get
the
process
started
and
look
towards
september
for
actually
being
able
to
get.
This
kicked
off.
I
just
can't
believe
it
this
time
already
so
yeah
we'll
get
that
going
and
then
by
the
next
tax
meeting,
hopefully
we'll
be
able
to
just
kind
of
wrap
it
up.
C
All
right
well
with
that
we're
out
of
time.
Thank
you,
everybody
for
your
time
today
and,
like
I
said
I'll,
kick
off
those
email
discussions.
I
will
attempt
to
reschedule
this
leads
meeting
and
then
we
will
see
you
all
back
here
in
two
weeks.