= PyPI Project Kickoff - 2019 Q4 RFP Milestone 2 - Automated Detection of Malicious Uploads =

== Attendees ==

 * Ernest W. Durbin III - PSF
 * Cristina Muñoz - Independent Contractor
 * William Woodruff - Trail of Bits
 * Mike Myers - Trail of Bits

== Introductions ==

 * Ernest: PSF Director of Infrastructure. Overseeing the project; available for review, design discussions, and project onboarding.
 * Cristina: Contractor, proposed for Milestone 2. Will be working on the implementation of Milestone 2.
 * Trail of Bits: William - Security Engineer at ToB, will be working on the design and review of Milestone 2 work. Mike - Engineering Practice Manager, point of contact for administrative concerns.

== Logistics and Communications ==

 * GitHub: https://github.com/pypa/warehouse - code review, design discussion, and project tracking.
 * Slack: https://thepsf.slack.com for synchronous comms related to onboarding/development and higher-throughput conversations.
   * William and Mike from ToB are already present as single-channel guests; an invitation email is needed for Cristina.
 * Meetings: scheduled as needed, or monthly.

== Project Timeline and Availability ==

Known unavailability:

 * Ernest: Firm: December 24-25, January 1. Tentative: December 23, 26-27.
 * Mike: Dec 24 - Jan 1
 * William: Dec 16 - 20
 * Cristina: Generally around :)

== Next Steps ==

 * Project onboarding: Will should be up to speed; Cristina can work with Ernest as needed.
 * Cristina: Share the design proposal; after discussion, create a GitHub Issue to capture and discuss the design from the proposal.
 * Ernest: Reference related issues to the above and create a Milestone: https://github.com/pypa/warehouse/milestones.
 * Trail of Bits: Interview point of contact: Ernest, https://python-security.readthedocs.io/packages.html#pypi-typo-squatting.
   * Initial Qs:
     * Survey of the history of packages removed from PyPI
     * Expected/desired incident response workflow
     * Tolerance for false positives/false negatives