From YouTube: OpenSSF Vulnerability Disclosures WG (October 19, 2022)
B: Yeah, hi everybody. It looks like CRob will not be joining us today either, but we are free to continue without him.

A: Today, you wanna, you wanna, you wanna crank on that? I, we could, I could spend the rest of my day working on that with you after this meeting, if you so desire.

B: So please feel free to mark yourself as here; change the color on your entry if you are attending today. As I said earlier, CRob can't join us. He has a conflict. But do we have any new friends here who want to introduce themselves?

B: Okay, great, everyone here knows each other. That makes that super easy. Does anybody feel inclined to scribe for us? If not, I'll happily do it. I don't imagine we have too, too many things to cover today.

B: Yeah, Friday. I haven't taken a look at this yet. I don't know if other folks in here have, or if anybody has any questions about it, but yeah. It seems like everything we need here, everything we need to review, is here. So if you have questions or anything, feel free to use this issue. It looks like it's already made for this. And give any feedback by Friday.

B: We talked a little bit in our last meeting about future projects for the group. So there were three that were up for consideration: creating plugins and/or other tooling to enable the CVD guides that we've already created, creating a guide for maintainers on how to actually handle an incident, and creating a CVD guide for open source software consumers.

B: So it seems like we have some activity at least on this one, though I'm biased because some of the activity is my own, for handling incidents. But it doesn't seem like many folks have weighed in elsewhere, so it seems like, for now, this is at least the front runner for what our next project will be. So I would encourage everyone to go on these issues.

C: So sorry, sorry, Madison. So do we have to just put a comment there, or is there any vote button? I'm not that familiar with GitHub, to be honest.

B: Or voting, which, if we wanted to do, we could do that in a discussion, but unfortunately I...

B: Yeah, so I didn't get any negative feedback for doing it this way, so I'd encourage everyone else to basically do the same. So whichever, whichever one you feel strongly about is our next idea. Whatever one we pick from this doesn't immediately nullify the other two ideas; I'm personally hoping we do all three, so it's really just choosing whatever order we want to do them in.

A: This... I can't remember her name off the top of my head. She works at Apple. The one I was interested in doing, me being involved in, the incident response. Emily.

A: My brain just totally shut down and I don't remember what the question that I had about her was. So yeah, I guess is, is there any progress on that? I guess the question is, like, the actual implementation of that incident response that the... or I guess it's not completely related to what this working group is doing, or am I incorrect?

B: I don't, I don't think I know anything about that project. Does anyone... I feel like, I feel like I'm missing it.

A: Context, so sorry, context. Context would be that there was an idea to create an incident response team that the OpenSSF has had standing. Wait, no, wait. This was about... sorry, I'm conflating two things. There was, there was, there was an idea, I could hear on me osis, about an incident response team so that, if, you know, some maintainer has some chaos involved, they could reach out to someone and get help.

A: But then there was also a group that was focused on, or an idea kicking around of, like, giving open source maintainers a group of people to ask questions of about security topics, like, hey, like office hours sort of thing. And I think that was the thing that Emily was involved in. I think I conflated those two things, and yeah, my bad.

B: Okay, so at least the former, I think, is the work that the OSS SIRT SIG is now doing, which is a group that sort of spun off of this one. So I think, I think they're covering the former of what you said. I don't know anything about office hours, though, if anybody else knows more information about that.

E: Yeah, there's a separate group, but I thought it was one of the other working groups that was trying to do kind of a general purpose security office hours. But I was having trouble finding a way to... there's kind of a chicken and egg thing, like, how do you make it useful enough that you attract people to it, but then enough people that you attract the experts to it? So I think that's still trying to get off the ground.

B: Art, hey. I'm Madison, hey John. Okay, there. Unfortunately, I think you joined us at the end, Art, unless there's anything else that we need to talk about.

B: Yeah, I mean, so we just had a question actually, or maybe you're perfect for this, about what's going on in the OSS SIRT SIG. It's currently under RFC. I know you're involved in that. If you want to give us any updates about where they are.

F: Yeah, I can do that briefly. So CRob, Christopher Robinson, is the point on that. There's been a bunch of work going on. There were three sort of subgroups, three parts to the open source SIRT planning document development.

F: Those have all been completed, and I think CRob has wrapped it up into a more or less master plan, which he has a request out... yes, request for comment. I think you have the... that's probably the link there.

F: So if folks have, folks have input, you know, now is one of several good times. But my understanding is this is going from the OSS SIG to, whether it's the... Brian might know better... the TAC, or some, you know, more management level, decision-making level, possibly at some point funding-level decisions within OpenSSF and/or LF.

F: So we're expecting, you know, it's possible there'll be substantial feedback from someone and there might be revisions to the plan. But, you know, check: plan, plan drafted and submitted for further review, approval, etc. I'll comment briefly with the more, more personal hat on, as, I mean, I think this is appropriate. It's a plan. It's not necessarily the, you know, here's what the SIRT will look like and do, that directly, which I think is appropriate and fine. I personally had some... struggled a bit with:

F: Are we actually writing down the whole thing, or are we writing down the plan part? And it's a little more plan oriented. Again, totally fine, just a comment. If you're expecting the SIRT'll do the following things, A through Z, I think we're not quite at that step exactly yet. But yeah, that's all. I'll stop there, I think. Thanks.

F: Hey, sorry, can I ask just for a minute too? There was... I, I joined in and there was chat about office hours, and I think the question was... we're not... somebody had mentioned maybe having these, and nope, we couldn't find where it, where that had been offered. Yeah. Oh yeah, please, yeah, okay, yeah.

F: That's not... but that, that is not the... the disclosures working group did not offer that ourselves, I guess.

B: Yeah, the state of the world, for at least this working group in particular, is we are trying to pick our next project idea. So next steps for us is weigh in on these issues about which one you would like to work on next, and we'll go from there, basically.

B: Okay, great. Then yeah, for those, for those that don't want to stay, no offense taken at all, feel free to take your time back. John and I are going to talk about possibilities of presenting the finder guide at conferences. So that was something that CRob has brought up before. Basically, if anybody wants to, you know, evangelize the guide or the good work that this working group is doing, please feel free to do that. So that's something that at least John and I have been talking about doing ourselves.

B: Okay, great. Well, yeah! Well, thank you, everybody that is here. I appreciate you coming, yeah.

A: Yeah, so all right, ShmooCon CFP. Let me double check and make sure that I've, sandedly, like we, I haven't already missed it. I think it's still open. Sorry, I'm gonna transition to getting on my computer, give me a second. But yeah, it closes today. Yeah, okay, perfect. And they have a couple of tracks. I remember that there was a track that SBOM was originally, like...

A: I remember, like, one of the early talks on SBOM was done at ShmooCon, and so there's probably a track where this would be very relevant in. I gotta use my smart home automation to turn on all my monitors if I turned them off last night, right. Yeah, I have, I'm gonna be completely honest, not read the guide. I should probably do that.

B: Lord, you know what, that is actually a good point. So I read through the guide the other day and found a couple of, oops, let's see, I found a couple of issues in it, just typos and other things, just from, like, formatting issues from moving it around as much as we did. So I made a PR fixing a bunch.

B: Which also, I was hoping CRob might be here today. We need to determine how to, how to handle that, or who, who accepts those PRs.

B: You'll see my multiple commits on it, because it failed the first check because it wasn't signed, which is not great.

A: Art, are you going? Are you going?

F: Unlikely. Okay, it's all... it's always a weekend, right.

F: No, I'm, I'm near enough, but it's still a trip, and weekend and family don't... haven't traditionally worked out, worked out well, I...

A: Can respect that, yeah? It's the 20th to the 22nd.

F: Yeah, so yeah, again, I'm, I'm unlikely. I'm happy to hang out and hear what's going on. I, I'm probably unlikely, and I, you know, probably don't need to count me in as involved in any CFPs or presenting. I mean, if you desperately want me for a panelist or something, you know, I can handle that. But that's fair, that's fair. But yeah, just to be clear, yeah, yeah, I'm interested but not gonna, yeah.

A: Yeah, so "Fast and Furious": meant to entertain, educate and allow you to drive your point home quickly. Probably not that. "One Track Mind": plenty of presentation, broad technical interest. "Build It", probably. "Bring It On", right, which is the open mind to technology and security related topics.

A: So this "Build It": 50-minute presentations about creating inventive software and hardware solutions. "Belay It": 50-minute presentation about cutting-edge defensive solutions to current problems. I mean, it could also be "Belay" or "Bring It On", and then "Bring It On" is 50-minute presen... 20 to 50 minute, 20 or 15 minute presentation with an open mind to technology and security related topics.

B: Yeah, I, I recorded something for the CVE podcast yesterday, actually, about the finder guide, which I was gonna wait to share once it was actually public. But I presented the whole guide to them and it probably took me maybe about a half an hour. I could probably do it in about 20 minutes, but yeah, I think I agree that 10 is maybe not enough.

A: There, go ahead. Like, what are the hot... I mean, I just, like, I think starting with, like, what are the points we want to make, or is that like, is there a story we want to tell, or are there points we want to make, or both? Probably both.

A: Let's... I mean, you just started with a story, though, right? Like, hey, like, like: let's start with the story, or the press... the premise of: I have found a vulnerability. It's really bad, right, like, and I need to make sure the maintainers are aware of it, right. Like, because the most compelling talks are gonna have to tell a story, right, yeah, so.

B: Well, so I guess maybe going back a step too, aside from... are there other, other places that we think something like this would make, make sense to present? Yes, I know, I don't think we presented this guide at any OpenSSF summits this year.

A: Right, I think that, that's like, you know, that seems like a very relevant location to toss it to first, or not first, but like in a general sense, like also throwing it at those talks. Brian, what's the... I'm hoping, Brian, you're the right person to ask: what is the relationship with the OpenSSF working groups and getting talks accepted to the Linux Foundation Advantage conferences?

E: No formal connection. Being a contributing working group member doesn't guarantee you any position; it still has to go through the CFP. But we have, at a couple of events, put together an OpenSSF Day, which is a more hand-curated collection of content, and for that we tend to be more proactive in going out to the community and asking who wants to talk, and, like, trying to program it a little bit more top-down rather than through a bottoms-up CFP. So.

E: If we do that, then there might be a chance to get something more directly in, you know, it's part of the OpenSSF story. But, but that's, that's if we do an OpenSSF Day at a given event. Otherwise, it's just everyone goes to the same front door.

B: Oh, so is there anything else, maybe more at a high level, that we want to talk about, like presenting the work that we're doing on this more, before, like, while we have a bit of a group here? I don't know if it's... I don't know, maybe it is. I don't know if it'd be very valuable for everybody on the call to sit here and go through, like, making the actual presentation itself. But I would also expect whatever presentation that we could create from this we'd share with the rest of the group, and in...

A: Right, I mean, the idea is, like, this is a resource. The CFP sort of text is something like, you know, for my talk that I've been giving around the world I just have a basic, like, you know, abstract that I just, like, you know, oh, this abstract needs to be only 140 characters, all right, well now I gotta cram it into, like, you know, less, sort of thing. But, like, you know, having a basic template of, like, this is a bunch of the words that we've written already, you can craft it.

A: If you want to tell the story somewhere else. Yeah, I think that's...

A: Turning into a resource is a good thing.

A: I mean, all else fails, we can always... we can always take a document and throw it into Google or GitHub eventually, but, like, that's not really good for active development.

B: Brian, yeah, it's... I mean, it's more so just, like, holidays and traveling. I'm happy to work on something like this async throughout the day, and we can maybe sync up at, like, the end of the day. It might work. All...

F: No, I'm, I'm out, but a quick, quick, high-level question. I have not been attending this working group for a while, but do we consider the guide and/or guides as sort of finished, or finished enough to point people to? I think, I think, Jonathan, you said you've been speaking perhaps about or to them.

A: Yeah, I'm just speaking about it. I mean, no. My talk has been very different. I've been... the talk that I've been giving is titled "Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All", which is the one I've been giving all over the world. This is not my host guide. Okay, got it.

G: I added the linter that we've been using across all of our repos on there, so that cleans up a lot. Just so you know, which is 42, which is the one before yours, which is 43.

G: And that will also review any new contributions to the guide so that it all follows the default markdown lint rules. They can be configured if you want to; you could just hit me up and I can help you configure them. But yeah, okay, great, every group kind of has their own thing. So.

B: Okay, perfect. I appreciate that, that's very good to know. I think, I think, do we have a process for, for PRs and feedback? I, I assume not, which is why, when I made mine, I didn't know. Is there somebody that we should add as a reviewer? How do we decide what actually gets approved? Does CRob just unanimously do this?

A: I'm gonna drop a link into... wait. Okay, here we go.

A: Okay, so I pasted the link to the document in the working group notes.

B: Okay, great, thank you for sharing that. So yeah, anybody welcome to contribute to it. I will be on and off of it throughout the day and we'll see if we can get something done today, and if not, obviously we can still continue in the previews, as for other, other conferences where we might want to evangelize the same thing, and, and just because we want our... want to and are talking about the finder report, because it happens to be the most recent work that we've done.

A: What... I guess the only thing that I would love feedback on is, because titles are hard, I, I, you know, I'm just, at, like, you know, I'm trying to be clickbaity, because that's what every good title is, and I came up with "So You Found a Security Vulnerability, Now What?" Does anybody else have any suggestions? Is that a good title, a bad title, a horrendous title, doesn't make any sense, or do we, like, do we want something that's more specific to the vulnerability guide, or I...

A: So if anybody has a better name, I'm all ears and welcome, welcome to, welcome to feedback or suggestions.

B: I don't have any offhand, but again, I mean, that sounds fine. I'll think of it more throughout the day and hopefully be able to give you more actual feedback. But I don't have anything offhand.

A: My presenter name, and then you're, like, putting title on your presenter name. It's like, my title, who I'm working for, is gonna shift very radically between now and ShmooCon, so which one do I put? Who I am now or who I'm going to be then? Which is... why, who I'm going to be then is not yet public, yeah, so I...

A: Oh, I hate this too. Bios are limited to 100 words, which means 50 words each. Do you, do you have a, a... I presume you've spoken at conferences, so you have a bio. I just sharpened mine so much. Actually, I do already have a 50-word bio for ShmooCon, because I already submitted a CFP earlier for a different talk. We...

A: Anybody on the call... that's very fair, that's very, very fair, because anybody who's read the guide... because I will, my... as soon as I get off the call, my plan is to read the guide. Is there anything in particular that, for the people that have read the guide, that we want to make sure we highlight specifically? I will write down some bullet points on that.

B: I think we want to highlight that there are a number of options available, right, which is, like, part of the problem, is that you don't know what to do, but you could also do a lot of different things, right, once you think you found this information. So I think one of the benefits of the guide is that it does highlight all of the different options. I mean, obviously we give our preference, right, our, our opinion of: here's the way that we think that you should do this. But there are a lot of options.

B: And, and so, for, like, for me personally too, when I, when I was recording this podcast yesterday about this guide, one of, one of the things that I like to say, and that I like to really, really reiterate, is that vulnerability disclosure is a human process. There are humans involved. There are different motivations, there are emotions, right, there. There are a lot of, a lot of human parts of this process that can cause it to go well or degrade.

G: I also can't remember if it's in this guide or one of the other guides that we have, or I read a lot of guides, but there's also a level of setting expectations. So, like, if you don't get a response, that doesn't necessarily mean that you're being ignored.

G: On that same token, this is based off of some of the discovery that I did for the SIRT: like, a lot of projects in the general, like, Linux ecosystem use this as an excuse to fix things in isolation, which can get really aggravating for certain projects as well.

G: So there's, there's kind of a level there where, like, you don't want to, like, go all the way, or "don't make assumptions" is another one. Like, just don't assume that, like, you're going to be ignored either, just because you're not getting a response, or, like, it's not important, and then you do something that causes or aggravates the problem that much more.

G: That trying to solve the problem in isolation, that too many people solving the same problem in isolation, trying to push different results forward, can become a huge problem in the packaging ecosystem, and I'm assuming in just about any ecosystem.

G: Here's, here's why, why, like, from my understanding, and this is from my historical perspective, from my understanding, them doing that historically caused problems, and that's where some of these things come from, because what happened was people went to complain to httpd and they were like, but we didn't make these changes.

E: Faster... I can share this, the pain right now, trying to use Firefox and some other stuff that's been put in sandboxes on, on Ubuntu, where, you know, things that I needed for, like, opening local HTML pages become very cumbersome then, and, and so I have to use the Firefox team's version of Firefox that installs it locally, you know, unsandboxed, or on... I forget what the sandboxing term for Ubuntu is, but outside of that.

E: Oh, the, the snap system, sorry, snaps. So, so debates between, you know, people at the end of the supply chain and the, and further up are perennial and have existed for decades. There's no, no hard and fast solution to that, except just more conversation, and, and, and... but any, any, any system is gonna have to accommodate the fact that stuff does change as it moves through the chain, and it's not always the same httpd, right.

G: Some of them come from other sources, but, like, in the sake of, like, supply chain security, yeah, but from what I've seen, and the argument is, like, Arch does it too, so, like, are we really that wrong? Because... and then you go to, like, Debian, and Debian does their own thing too. So then you, then, yeah, and Arch has, like, five different installations of Firefox.

A: Is there anything else that we want to make sure we include in the detailed description of the CFP? So this is, this is what they say. This is the most important part, part of the description. You're... not... you do not need to provide detailed information that demonstrate... oh, you need to provide. You do not need to... you. Do you need to provide detailed information that demonstrates your knowledge of the topic and how you will present it to...

A: Rely on your abstract to be enough for the review committee; it isn't. Yes.

G: Much... pretty much, because pretty much everyone kind of told us the same. We did an initial discovery to kind of... because the ideology is that we're going to be surveying people and groups to actually get, like, the full core set of services. However, kind of what I just described was one of the things that came up a lot, so we know that a big part of the SIRT is going to be facilitating communication between groups, and that's right now, that's going to be like...

G: In other words, we're going... we're moving away from patching and really taking on additional responsibilities like that, and what we're trying to do is, we're trying to, like, not, like... I think one of the things we wanted to do was talk to some of the people involved with some of the bigger incidents and figure out how we could either create a buffer or facilitate communications. A lot of it is in facilitating communications, currently.

B: That makes sense. Yeah, I was involved in the SIRT early on, but then I got... hopefully somebody else from GitHub is there, and...

A: The... so this, this is basically a... my understanding is this is a coordinate... coordination tooling group, or is it a... is it a coordination, like, on...

G: Rebuilding VINCE. So it is a coordination tool, because the ideology is that if you found something, and you didn't want to report it directly to, like, the group, for whatever reason, you could report it to us, and then what would happen, if I, if I get the whole perspective correctly, is we would, we would create a vulnerability report. Madison, you were in the, the... what's VINCE.

G: To be completely blunt with you, it was, it's basically me, CRob, Art and Francis from Google, but we kind of had a large shift in membership lately. So it kind of has come down to myself, CRob and Art. Okay.

G: Status: we have the plan. I mean, pretty much, the plan is at this point pretty much finalized, because I spent most of yesterday, like, rewriting it and, and touching it up. CRob just needs to go in there and put it all together to present it to the TAC, but, but yeah, and there is still room for improvement on the plan.

G: However, I think that a big portion of it, like, it's really hard to establish services without doing, like, the first part of, like, actually doing a survey and actually, like, figuring out, like, how it's gonna all work, and that's one of the things, like, one of the things we've discussed is it's going to be really hard to have a SIRT for, like, groups that we don't have any contact with, or that we just don't have... not, like, signed up for the SIRT, or something along those lines.

G: And we definitely don't want to create a, another situation where we're going to add another party that's just reporting something else. So I think right now, where the plan stands, is that section one is the majority of the plan, and section two, which is, like, creating the actual services and whatnot, that will come after, or...

G: It's because of the fact that, like, we were... I set it up, I did a demo, and we... I got called out, like, three times on, like, but it's AWS, what about if you want to self-deploy? And it was like, well, yeah. So what we did is, I'm... I know a lot of JavaScript people, so I know the people in Supabase; they're, like, a Firebase open source alternative. So basically we made, like, a proof of concept, because it's not that difficult to rebuild, but I...

B: Yeah, yeah, no, that, that makes sense. Yeah, I'm, I, I was previously involved in the SIRT SIG and then thought others at GitHub might be more suitable to be involved, but I have kind of missed being involved, so I'm happy to help, yeah.

G: And I would also say that part of the SIRT is actually, we have something on the plan called the Security Buddy training, which is kind of, like, in essence, build your own SIRT, or, like, why you should have a SIRT. So I'm kind of hoping that that'll be, like, a course that we can even use SKF on, maybe. So, therefore, like, you know, there's, like, a centralized place where you can go to learn about, like, setting up your own SIRT. But yeah.

G: We follow a lot the FIRST framework, the FIRST SIRT framework, if you will. And there's two types of SIRT: there's a CSIRT and a PSIRT. A CSIRT, from my understanding, is more of, like, a corporation thing, because you're going to attract the whole corporation's, like, network and all their usage. A PSIRT is a product SIRT that can be set up by pretty much anyone, and even as an open source project.

B: Yeah, if you want to look up more about the differences between PSIRTs and CSIRTs, you can look at some of the stuff that FIRST has, if that's helpful. There's tons of information about this. The Security Buddy program is particularly interesting, so I, I'm definitely going to read the RFC and we'll definitely be giving feedback. Art and I used to actually teach a course together about how to set up your own, how to set up your own PSIRT. So that's great, I love this.

G: Yeah, absolutely, and we did, we do have a PR with, like, all the tooling we've considered. But as I said, I think VINCE is what we wanted to use. But the problem is the AWS.

G: But I just think in your presentation, like, the SIRT should definitely be something that's promoted, because I think that, that could be a very big deal. Like, I actually think it might unify some people, because I'll say one of the things that Mike said is that they specifically avoid reporting things to certain projects, just because certain projects are extremely hostile and they, like, just want to fight. So that's one of the things that we're going to try to alleviate with the SIRT, so I think the more vision or focus we have on it.

G: And then we've also had the conversation of what happens when the maintainer speaks a different language, because that was actually one that we kind of used an example of, because somebody didn't get a response to, because the maintainer only spoke Mandarin, and he, like, got real, like, abrasive, like, started just cussing and being like, you don't care about your effing project, and a bunch of stuff, and yeah. So I get it.

A: You're in Pennsylvania, right? Yeah, okay, perfect. Yeah, let's... I'll slap... I will toss... well, here, I'll send you my calendly and then you can...