From YouTube: OpenSSF Vulnerability Disclosures WG (December 14, 2022)
A
A
B
C
A
C
Because they were, it was part of their corporate account, so I no longer work there. So the new one is affiliate. It's my personal affiliation.
C
I moved about, coming up on two years: I'm at Intel now.
C
You know, the deprovisioning is not enterprise strong suits.
B
Been with you guys for a while now, so that, that other, I guess I have, yeah, I have seen that migration. Then it's really been two years.
B
Years, yeah, you beat, yeah, you beat me by a while to join this whole party. Yeah, I heard about, to see, where did I, so the reason that I joined the OpenSSF was because I heard about it from Security Now. It was something that Steve Gibson talked about as a project, and I was like, oh, this sounds really interesting, and so I decided to hop on the bandwagon on this one, and I have been happily surprised by this particular endeavor in its entirety.
C
Yeah, my old boss, Mark Cox, got roped in around the founding of the foundation and he immediately delegated everything to me.
B
Mark Cox, the Apache Software Foundation security person, yeah, yeah, he's.
B
Yeah, he and I have had an interesting set of interactions, mostly because all of my, just all of my interactions with him have been as a security researcher, so it's naturally slightly contentious, but yeah. So that's, in general, I think we have, I don't know, I'd be fascinated how he, what he thinks, I mean, if we were to meet in person.
C
B
I have pissed off a bit of the ASF with my automated vulnerability pull request issuance stuff. I ended up, so I have an opt-out mechanism for maintainers to say, like, okay, if you don't want more of these pull requests, here's how to opt out. And the people behind the Apache Commons project opted out across all of their repositories, and I'm, I don't know, it means that I can't, you know, I, if I want to report to them.
A
Yeah, everybody.
C
Does things a little different, which is an interesting opportunity for us all.
B
C
Double, we'll make that a topic for next year to see if we need to change our meeting time at all. We'll give folks one more minute and get rolling. Yeah, Mark just retired from Red Hat about a month or so back.
B
B
Doing, is he doing ASF stuff still, or is.
B
Yeah, well, you mean, I mean, the problem is, right, there's only so many people that are committed to this stuff. So, you know, it's hard to find, you gotta find, either gotta find or hire new people to come in to take on the roles that are, having, like, traditionally filled by people for a long time.
C
C
Next time we meet, in January, we will have a different set of meeting notes. I have a link there, and part of my jobs before January rolls around is changing links in all the Slack channels to the appropriate set of meeting notes, so in January don't sign in on this sheet. Please sign in on my other sheet.
C
I am still asking for comments on issue 118 to see what kind of participation we can get from this crew on APAC-friendly meetings. We'll probably schedule a call, you know, sometime in North America evening hours.
C
The initial request is for some folks from Australia, but we want to cast as wide a net as possible. APAC is a very big region, so I need to circle back with the folks in Australia that I asked, requested for it, and get a list of them, and we'll probably get an alternate call. So anyone that's interested is invited to participate in the evening call. We'll probably do that maybe once a month or so going forward, but please provide any comments or suggestions, feedback, into issue 118.
B
But two things: hi, I'm here. Second thing: the Shmoo, ShmooCon, if it's not in the opens. And I'm getting a phone call, so I will be right back, yeah.
C
I'll add that to opens. Thank you. So everyone is aware, yesterday we unveiled the OSS-SIRT SIG plan to the TAC, and unfortunately there was no time to talk about it, but at least the TAC knows that the plan exists. They are requested to comment on the plan.
C
So if anyone is interested from this group providing feedback to the SIG on the plan, please comment on issue 32 in the SIG repo. That'd be delightful, and I expect we'll have further conversations with the TAC in January and probably move towards the governing board for discussion about funding, probably towards the end of January.
C
There was an interesting blog that came out a week or so back. Anyone is interested, we can discuss that here in the call, or we can even turn this into a GitHub discussion if we wanted to have kind of more of an asynchronous conversation around the topic. Has anyone had a chance to read the Crash Override article yet?
C
The premise is how CVE and NVD don't work for the open source supply chain. Very provocative title, so I would request this group, and I'll send it out to the mailing list, if we have any strong opinions, if there's any learnings that we might be able to adopt and react to, please provide us that feedback. I'll shoot a note out to the mailing list after this call, so we can have a dialogue there.
C
It is not in the Slack channel, it's in the meeting invite, but I will put it in a Slack channel. You.
B
C
C
Just dropped it into the Slack channel, so we'll, I'll shoot a note out to the mailing list so that we can kind of carry that conversation on through that medium and maybe bring it back as a future meeting topic.
C
All right, let us talk about ShmooCon.
B
Okay, hi, so Madison and I got accepted to ShmooCon to speak. Yes, we have the, if you have not seen the abstract, let me dig up the abstract because it was fun. Oh.
A
B
Mouse, my mouse is not working properly. Okay, Shmoo CFP. So the abstract that we submitted and was accepted, also, funny thing: I got accepted and rejected from ShmooCon in one, because Madison submitted our talk, and so I get the email that says, hey, you've been rejected, and then immediately Madison sent me a message saying, hey everybody, and I'm like, wow, I've been accepted and rejected in like 30 seconds. It's like an emotional whirlwind from Shmoo.
B
So all right, so this is the abstract that we submitted: After hours of puzzling over your debugger, like, decompiler or pen testing toolkit, you finally cracked it. The security vulnerability you strongly believed was present almost, almost, almost evaded you, but now you've got proof. You've achieved the thrill of finding a vulnerability that, hopefully, no one else on the planet knows exists. Now the process of vulnerability disclosure began, can begin. Where.
B
Do you? How does the process work? How do you report a vulnerability, to whom? How do you actually get these things called CVE numbers you've heard so much about? What do you do with the process here? What, if you do, if the process falters? In this talk, we'll demystify the vulnerability disclosure process by presenting the, really, a recently published Open Source Software Security Foundation.
B
OSSF guide for open source vulnerability finders, and then in quotes the name of the guide fully, from, and the link. From tracking down the correct place to disclose to, to publishing your findings to the wider world can defend themselves adequately, we'll even discuss that pesky human element that permeates the entire process along the way too.
B
I had fun writing that abstract, and it seems that the Shmoo people snagged it, so Madison and I have every intention of meming this up as much as, we have a 20 minute slot, and we will, we will be telling the story of this guide and trying to tell a story that keeps people engaged and helps, makes them laugh, and then also keeps the, you know, tells a compelling story. The idea at a high level, I think, is.
B
We would love the recording to be a semi-good stand-in for the guide in terms of a knowledge dump. But, like, you know, you could read the guide to get more information, but we don't want it all to be like, go read the guide, go read it, go read the guide, go read the guide. It's like, you actually gain valuable knowledge out of just watching our talk, because some people consume stuff visually more than they would reading.
B
One bit of feedback that I had on the guide is that the guide is very forward dense and describes a bunch of terminology instead of getting into the meat of the thing first, and so Madison and I both regret it in the process of writing this up, and I don't know, I don't know how we wanna, well, I don't know, I think it might be a different issue that we want to deal with, but on those notes that we had from having read the guide recently.
B
So if there's anybody that has any interest in being involved in the creation of the slide deck, we will be posting the link to that in the Slack channel whenever we create that, unless there is a place that someone from the OSSF can create for Google Drive documents under the Linux Foundation IP. Currently this ShmooCon CFP is in my drive because I didn't have permission to create a drive anything for the OSSF. So my computer, my lap, my keyboard is attached to the other.
B
PC. ShmooCon is on, what date is it? It is January 20th to the 22nd, so we have a.
B
Month to get our talk together, but knowing the two of us, Madison and I having ADHD, we will probably leave it to last minute unless there is some, actually, it would be good to give us an opportunity to give this talk as a demo to you all, so that give us an earlier deadline and also give us an opportunity to run it early. What.
B
To the 22nd, and it would be wonderful if anybody here could make it there. I know Shmoo tickets are really hard to get, but if you ring your phone tree, I presume that someone will have it, or just come play. The Shmoo is also a good conference to just come, do, just show up, and then, well.
B
I've asked Katie, I'm like, I talked to Katie Moussouris, I'm like, how do you get tickets? She's like, I usually show up, and then hopefully someone hands me a ticket at some point. So I'm like, so you, I mean, Katie also knows a lot of people, but if you are interested in coming, I highly recommend it. So it's a good, it's a good conference, a lot of fun, a lot of religious people, a lot of government types, if you want to.
B
If you want to get the opportunity to walk into those people, yeah.
C
C
C
Think it's a great idea, and it's something I would like to, next year, maybe be a little bit more strategic and thinking through conferences like ShmooCon, where it would be vital for us to go engage with the community and present things like this. Maybe we can actually put out a little schedule and be kind of focused in our efforts to try to hit some of these major constituencies and get this message out.
B
Yes, I, two things: I've spoken to Xavier and apparently the get.
D
B
Security Lab has a, like, master list of, like, security conferences that they keep track of and submit CFPs to. So if I can track that down and have him willing to share that widely, that would help, that'd be great. That would, yeah, that would be really nice. Also, one of the things that I want to try to do is, if there are any good candidates for developer conferences, that would be good to get it into the hands of people that.
D
A
B
Okay, yes, everybody else has been very quiet in this call. Anybody else?
A
C
A
C
B
See the recording, usually yes, but I don't know if the, a, it's, Art, Art, are you making additional, I think, for, you said last week whether or not you were making it, I didn't forget. Oh hey, most likely no. Yeah, I don't know if you saw this, but we got accepted to Shmoo with the, oh, the title of the talk is "Congratulations, You Found a Security Vulnerability in an Open Source Project. Now What?"
B
C
Okay, that actually is almost identical to the DerbyCon presentation I did a couple years ago with Lisa Bradley at the time. Oh.
B
C
So, given the limited turnout today, I will defer talking about our next working group project for next year. So in the interim between now and January, if you're thinking about some projects we might want to work on next, like, there will be a group of us that'll work with the end user working group on a consumer CVD guide, we've talked about a playbook for maintainers, so that when they're in the middle of a vulnerability response, how they might best be able to react. But if anyone has any other ideas for future work, kind of germinate that, feel free to drop an issue in our repo, and we'll have hopefully more folks involved in the conversation next year.
C
B
Hey Jeff, I got another one. This is more a story time of Jonathan, slightly, but also, like, I don't know how to solve this problem, and, like, another sort of, like, finder.
B
So there's a popular YAML parser in the Java ecosystem called SnakeYAML, and six years ago someone wrote up a paper and included a project, to get, a project called marshalsec, which is a project and a paper about deserialization vulnerabilities in the Java ecosystem, and in particular, calling out a bunch of parser libraries that are vulnerable to arbitrary deserialization of objects leading to remote code execution, and how, because of, like, YAML parsers are basically allowing for arbitrary deserialization of objects.
B
Attackers can load arbitrary class files and then lead to RCE. One of the projects, SnakeYAML, had this vulnerability re-reported to them by Google maintainer, like, earlier this month with a payload. The SnakeYAML team said, we're not going to fix it, it's a feature, not a bug. A CVE was issued by Google. Now there's a discussion in their issue tracker about it. The primary maintainer is very, it's, stubborn.
B
About stating that this is a feature, not a bug. I've been trying to do my own part to communicate, hey, you're exposing a bunch of your users to risk here, here's a bunch of CVEs that have been issued for downstream customer, consumers of your library because of this vulnerable behavior. Like, you know, this should be secure by default, yada yada. I am having limited success in terms of convincing this maintainer to actually change the default behavior to be secure, and this is all happening out in public.
B
He is, a good question. I've posted a link to the chat, or to the thread, and my attempts to convince the maintainer, but it seems like it's, he's an Eastern European, maybe Russian maintainer, yeah. So it seems like it's kind of owned by a single maintainer, or there is a primary maintainer that makes a lot of the decisions, and he's very unwilling to make a change here to secure his downstream custom, users, and so I don't know, like, my.
B
My long-term plan is, if he continues to refuse to make changes, I will go out and do my thing, which is, there's a way to fix it. The way to fix it is to use, there's a parameter called SafeConstructor that you can pass when you're creating the YAML parser, and it basically forbids arbitrary class loading, and I can go generate a few hundred or a few thousand pull requests to go fix that across the open source ecosystem, but I'd rather fix it at the source than try to do that, right.
B
So that's a bit of vulnerability disclosure drama and a use case, and it's like, even now that it's, because it's in the public, the maintainer is adamant that this remote code execution vulnerability is a feature, not a bug. And that's, it's, his argument is nobody parses untrusted YAML as an API, or they shouldn't be parsing untrusted YAML, and if they are, they should be odd.
A
D
He worried about his installed base community, or is it more his pride?
B
That is a good question. If you can determine that from reading through the thread, I've had a hard time discerning that, and I don't know how to speak to that. I've had to be very gentle in this, and it's hard because you get frustrated and you're like, okay, I can't be frustrated, I need to be calm and collected, and also, you know, fact-based, or, well, yeah, also I know that I'm a little blunt, even when I'm fact-based, so.
B
It could be a legit concern to break, yeah, and the breaking API changes, sure, and I'm, you know, general argument for that is, you know, go and, you know, rev the main, major version. I'm also the king of breaking the Java ecosystem. I.
B
You know, push for initiative that just decommissioned the support of HTTP across the geology ecosystem in favor of HTTPS only and broke 25 of the build infrastructure in the Java ecosystem in one day, so I'm not necessarily the right person to, you know, I see security is, you know, we should break things in order to fix security, even if it's a little painful.
D
B
The other issue that I'm running into in the same vein is, I found a project that is using SnakeYAML in its endpoint, in one of its endpoints, and is vulnerable, and the GitHub Security Advice, Security Lab has reported a vulnerability to them. They didn't handle it, so they ended up dropping an 0-day on them, and I found a similar vulnerability that is also RCE in that project. The project has 5,000 stars on GitHub, 5,000 plus stars on GitHub. It's a Chinese-based project, and the maintainers seem completely unresponsive to vulnerability reports.
B
So that's another fun one too. On top of that, yeah, so, okay, you start digging and you just start finding cases of the real vulnerability actually occurring, so.
C
It is an unfortunate issue that a lot of times security's at odds with, you know, their desired maintenance or their, how that community wants to, you know, leverage that tool, and.
C
Yeah, yeah, and then some maintainers will be responsive because they, you know, have the time, resources and ability to react to these things, and some won't, and it's up to kind of the consumers to be able to.
C
Hopefully they have that information at hand that they can make a choice: do I want to continue to use this potentially exploitable piece of software, or do I want to make other choices?
B
Yes, yeah, I mean, the disconnect is that the, you know, the consumers don't always get, like, that, that information is always, like, you know, like I.
A
C
There are methodologies: if the CVD process breaks down, there's other routes we can go, there's other tools. You know, if the maintainer isn't going to issue a CVE, and there are other reporting mechanisms. OSV.
C
Bressers and Kurt's project was a GSD, but there are other mechanisms to get the information out there so that consumers can get that information and make choices, be aware of that, and if there are alternate mitigations that they might be able to deploy as a configuration option after the fact, sharing that with them. So if they continue to choose to use the vulnerable software that isn't going to be fixed, maybe they should move off, or giving them an opportunity to have an alternate mitigation, to provide that, pass that parameter themselves, right.
B
Right, one of the things that I'm, useful for the Snake, the SnakeYAML case, right, this vulnerability has been widely, you know, known, there's a couple of CVEs for SnakeYAML, and then you still see a bunch of projects that are still using it in a way that's vulnerable, in a way that leaves them vulnerable, so that information doesn't make the full, like, loop back to the maintainer.
C
Yeah, and most open source is made to be used under a multitude of different scenarios, so you will see the trend that a lot of times things go out insecure by default because they don't know how their end consumer is going to deploy it, and they provide instructions or guidance saying, you know, don't do this, but they don't necessarily lock that off by default.
C
That's again a very common pattern, just because developers don't know how that software is going to be used, and there are scenarios that, if you're a researcher or you're, like, an academic education scenario, you might not want to be as restrictive, versus if you're a bank or a government, you want to have that secure by default. It's.
A
C
It's a, it's about, I see both sides. I wish it was, or I wish the developer was more receptive, but I am also sensitive to, they might not have the resources or interest to continue to change this. It sounds like they have a, they very clearly have stated, we like this, and it's unfortunate that consumers aren't going to be able to.
C
C
That's part of our efforts next year, is to figure out, do we have any tools in our toolkit to provide education for this type of pattern, to, you know, make developers aware of kind of the consequences of these choices to their downstreams.
C
And you're going to venues like ShmooCon, might be an opportunity for us to get directly in front of those folks and help show them that their choices are, potentially they have some negative consequences.
B
Well, that's the, that's the longest word of those two stories. You know, any, the issues in the Slack channel, anybody who wants to figure that, and feel free to do so. Yeah.
C
All right, well, thank you all for your time and attention and your attendance throughout the year. Looking forward to collaborating with you in the new year, and have a quiet and restful end of year holidays, and we'll see you in 2023. Cheers all, Happy New Year.