A: So a Software Bill of Materials is like the ingredients list on a package of food that you purchase, literally, except we're not in the state where all software is required to have that yet. So today, most food in most countries is required to say: flour, eggs, sugar, milk, whatever, and if you ask a restaurant, they have to tell you what's in it. Many in regulated industries are starting to get to the point where they will not purchase from certain vendors.
A: If they can't get, or ask them for, an SBOM, Software Bill of Materials. I guess you could call it "S-bomb" or whatever, but yeah, Software Bill of Materials. And so we are starting to get asked more and more often by our users: "How can I provide a Software Bill of Materials to my users?" And essentially there are two competing standards out there right now. One of the common ones, that I hear slightly more often, but there is no clear winner yet, is the Software Package Data Exchange, or SPDX.
B: That it traces all the dependencies from within your project's own dependencies. So if there's a vulnerability in something that's six degrees away from your project, the SBOM would be able to identify that. As it stands today, you have a list of what you use, but the chain of trust beyond that is kind of nebulous. So.
A: Files analyzed: we just analyze the files we find. We don't actually, as far as I know, record which file we analyzed to pull our information. And we've got the license, yeah, well, we've got the declared license, but we don't have the concluded license, which I think is an interesting difference.
A: If there's any copyright text, we do not have that. Package comments, external references, the file names, and then you have to put the included license, and again, I don't understand most formats because they make you say things like ten times in four different ways. And we definitely don't have things like the file contributors, like you're supposed to say who owns the package set, you know, who contributes into the package set.
B: That would be, could be, provided to us by the package. I think there are two use cases here, where one, GitLab is generating an SBOM for you, and then a use case where GitLab is consuming provided SBOMs of your various packages. The license ones, I think, is a really interesting use case. That's close to what we do today.
A: We don't have the licenses and dependencies in one list, which Kyle and I have been chatting about, brainstorming and testing out on users anyway, which is kind of where this conversation came from. And then there isn't a nice little export button, because obviously you need to have this list in a format. I am in no way under the sun doing the SPDX format this year, that's not happening, but CSV would probably get people pretty close. And actually, I like that idea of...
A: If maybe we included an extra couple pieces of information, like "this is the file we got it from" or "this is the location we got it from", people could pull some of that additional information themselves for the missing pieces. If we point them at "we got it from this file location" or "we got it from this package manager location", which is, I think, actually a really interesting, like, "we get you partially there" idea.
A: Here's where I agree and disagree. When we introduce standards, I would love to say, check one of your... there's actually like four competing standards. These two are just the ones that are currently getting popularity. It changes year by year who's the hotness, but I would love, eventually, for somebody to say "this is my format" and we give them as much of that format as we can, with blanks where we don't know. But to start, I'm not sure I want to get into any formats.
A: I just want to maybe say, like, "here is your combined tip". Like, I want to start getting closer to SBOM without saying the word, necessarily, and say, "here's your combined dependency and license information list", and literally just give them a puke-out list of what's on the combined license/dependency page, and then allow people to start telling me. We're in the background, maybe gonna look and see what, but could we add, like you were saying?
A: Maybe we could just add a piece of information like "this is where we fetched this from", and then start allowing users to be like, "oh well, could you add X to that export, or could you add Y to that export?" And if it's something we're already looking at, if I go to update the way we do a dependency scan or a license scan and I can easily add that really cheaply, then be like, "yeah sure, let's add it," and we'll keep getting incrementally closer.
C: Over there, it's actually a good one to have an inquiry with an analyst on, and see what their opinion is about which of the standards are the most important, what they get asked for the most. Because it could make the difference on an RFP if we say that, you know, we adhere to one standard or another, and they would know what people are asking.
A: We can ask, but just for full transparency, I'm friends with, like, the three people who are actually pressing the government the most on this standard, and I know that there is no consensus, even within government. So, like I said, each year there tends to be about two, and my hope is VHS versus Betamax, etc.
A: That as this is getting more and more attention, like, there's honestly probably like fourteen standards out there. I think at any given time two are the most popular. SPDX has stayed pretty popular because it does have a pretty solid advisory board. So I'm hoping as we go, more of those standards start dropping off, or any of them associated with OWASP.
B: I guess one thing to also think about: whatever GitLab chooses to do will likely move the industry to a large extent, because of all the open source influence we have. If we're able to offer capabilities that support a given standard, a lot of our hosted projects will move to that standard, and, you know, that'll kind of push that to become the industry leader, I guess. My main thing is I want it to be a standard of those fourteen, rather than invent the fifteenth. We've all seen the xkcd comic, yeah.
A: You know, nine or ten different areas of information, and within those areas of information, each one needs these four or five particular fields. No matter which standard, we can work towards having that data, and then we know that whatever are the top three popular ones that we're hearing from analysts, let's see what commonalities there are between these, and we could hone in and be like, "okay, the first one we're going to support is this one, because it seems to be asked for the most."
A: It makes the most sense. You know, I know that SPDX and SWID both have advisory boards and take community contribution, and so I believe that GitLab would align with either one of them. The other ones I'm honestly not sure about, because they are not mentioned as often, and I'd have to dig into that.
A: I guess, does anyone have any other concerns or things we should be watching out for? Because, like I said, I don't actually want to have a firm plan, because I feel like it's gonna change, but I just want to, like the analyst cause, have some things that we can put some feelers out on, and not get surprise-attacked by any customers or analysts or other lab stations.
A: Let's say, let's fast-forward four months out from now, and Kyle and I have come up with a masterful plan to combine the dependency page and the license page, because that's sort of on the radar. Would it be fair, do you think, to say that we could start telling the sales team, like, there is an export button? It's not in an SBOM format, but it will help customers get close. And, you know, at least internally tell them that, and also warn them.
C: I mean, anything we can do around that would help. In fact, I've been talking with sales ops, Dara, a little bit to try to figure out a way to simplify the way we respond to RFPs. Right now everyone is unique and we reinvent the wheel. I'd like to be able to have a set of answers that people just draw from for the most common questions, and then you just have to worry about the exceptions. And so having something around bill of materials would be really helpful.
B: I think our messaging on SBOM will need to be really crisp before talking to prospects about it. If we go to market potentially saying, "yes, we support SBOM, we're close today with our exports," we end up on the compliance person's desk who's expecting to see full SWID and SPDX tags, and then that's not what we have, and they'll say, "well..."
A: There's also been some discussion about moving some of our license-finding capabilities into proprietary from open source, which I think would honestly help us with this, because instead of trying to figure out what License Finder, or so on and so forth, fetches, we can fetch it ourselves. But that one, we're gonna start, I think, looking at doing a proof-of-concept just to see how terrible this is in, you know, the next couple releases. But depending on how terrible it is, the answer will depend on when that gets slated or not. Nicole?
A: I mean, most of the license-finder stuff, dependency stuff, pulls your list, but I haven't seen any today that says that it'll cough it up. And then most of the open source that will build an SBOM for your packages, I've seen, kind of like Sam was saying, invent the 15th, 16th or 18th different standard, and that is the last game I'd be playing. What?
B: But we've also not really brought it up as a topic, so there might be opportunities that we haven't talked about. I think, you know, to the question about specific companies, we can actually abstract it into two different pieces: the value of providing an SBOM, and that's software supply chain. That's more of a technology thing that we can do with anyone, whether we build it or a partner builds it.
B: I think we really need to flesh out kind of what is that experience, what value we want to provide, and then see where those partners might fit into that at different points. I think Black Duck probably would be a great place to start a conversation, because all the stuff they're doing around open source scanning for licenses seems very close to SBOM. But that said, they are by no means the only people that we could talk to about doing this now.
A: I had a conversation last week, I think, Sam, I had sent you a screenshot asking, like, "why were they talking to me?" with some of the partner alliances team people. I feel like I should circle back with them, because the ask they had for me is: what should we be looking for to prioritize when requests come in for partnerships? Okay, we get a bunch of partnership requests in, what should come to the top of the pile faster?
A: And I think, like, a couple things I was mentioning is, if anyone specifically fills in gaps of languages that we don't have yet, or mobile, please pull them to the top of the pile. But I think we could possibly also say, if they're willing to do SBOM, maybe that could also help pull them to the top.
E: When it comes to just, and to help me understand too, with SBOM, like, when it comes to GitLab, what are some things that we could help with, like, internally? Like, one example that I know of that our legal team uses: is this what we're looking at now for licenses? So let's say that one of our customers asks us for, sort of, what we're using in our versions in terms of licenses. Like, SaaS customers have the right to do that.
A: It does contain the major information, but kind of like we were referencing earlier, where sometimes it wants to know the exact file location that you fetched it from. And the reason why that matters, and people can make faces at me right now, is because of the, I'm gonna forget the name for it, it's not man-in-the-middling, when somebody poisons, like, the npm package manager, and, like, takes over a directory and poisons the latest version of an update. Is there an official name for that yet?
A: But, like, so if I was grabbing from a particular package manager, and I grabbed a particular version of a particular package, I could have pulled a poisoned package. And so that's why some of these, like, not only do you have to say "I grabbed this in this version," but "I grabbed it from here." And so that's additional information that I think we could easily provide.
A: Maybe it wouldn't be as pretty as that website, but we can certainly have it in a CSV, and I mean, if it's not that hard to render a little website, we could. If people asked for a website, which is actually a backlog item, you know, we can eventually look at that as well. But the real thing that people want is usually some kind of XML/JSON-formatted thingy that their compliance person will use.
B: I wonder, even if I don't know what the hash was, right, I wonder if there's a way we could say, you know, "this has an SBOM score of 70% based on this missing info," which, you know, puts kind of a ceiling on what you could guarantee, and anything consuming it upstream. Could be something to explore. I don't know if they do, you know, what the standards say there, but...
B: I think that would also help us to iterate more quickly, because if we try and make every single dependency provide everything, we're not gonna make any progress. But I think it would be very useful for end users if we could say, you know, "this is the provenance information we do have, these are key pieces that are missing, you can make your own judgements based on your policies and whatever you're willing to tolerate or not." So.
A: Here's an example one. And like I was saying earlier, I'd love to have a CSV export, even if most of our fields are blank. But, like, this one is like: I'm this version of whatever, and this is my, you know, ugly name versus my pretty name, here's my version number, this is where I came from, this is the website I came from, this is the URL exactly, this is my edition, this is my service pack, this is my hash, you know.
A: So it's got all these nitty-gritties in there, and I know we don't record, like I was saying, a bunch of the nitty-gritties today, but I look at them, so we certainly could start adding them. And we can certainly put all this in the CSV and just have a column and leave it blank, and, like you were saying, maybe judge "half our columns are blank due to your package manager, sorry."
B: Well, and I see a lot of value we could also do around SBOM is, if you put an SBOM.txt in your project, GitLab will only import dependencies from specific sets of repos that have an SBOM attached to them. Then, if we're ever able to identify a downstream vulnerability, you know, in the dependency of the dependency of the dependency you have, we could proactively either alert users, push a fix, create an issue.
A: We're sort of going to get there, not in that way, and this is kind of one of those things where I said we're dancing around this whole topic for the next year. We do want to get to the point where, like today with licenses, I can say, "I would like to prohibit licenses X, Y, Z from coming into my project." People have asked, "could I prohibit dependencies X, Y, Z? Could I prohibit things with vulnerabilities X, Y, Z?" And so I think we will be getting closer and closer to something similar to that.
C: In one of the analyst things, the Wave or MQ or somewhere, customers want to have a pre-approved bill of materials that they can draw from, and that kind of crosses the line into the Create, you know, SCM group, I guess. But it would be great if we could figure out a way to do that, where the customer can decide, this comes up a lot in regulated industries, "these are the approved dependencies that we can use," and, you know, they shouldn't be able to pull anything else.
B: I thought we could also look at users and customers that have trusted Docker registries, to look at what their workflows look like. To your point about, you know, you have trusted dependencies that you can only pull from here, they have that for container images, right. If we could do a similar workflow for code dependencies as for containers, I bet we could probably get better adoption out of the gate.
A: I think I actually want to, not, I don't want to limit people to a topic, but I have wanted to figure out a good way, and I don't know how to phrase this, to have the people in sales, because right now, occasionally, people will bubble things up to me, but I've started almost, like, having office hours, like, "I am gonna be available..."
A: "...you know, this week at this early hour, and this week at this late hour, or whatever, and if you want to drop in, I will just be chillin' in my Zoom and you can come yell at me about things that you've had trouble selling customers on, or whatever, or that you've heard repeatedly," you know, and we can just spitball stuff or whatever.
A: If you have any ideas on better ways to do that, just because I would love to have them engage more. And I know they're busy, and they don't seem to populate a lot up in issues; occasionally we'll get quick Slacks and whatever, but I'd love to just be like, "I'm here, you can complain to me all you want, I won't take it personally," you know, I might feel a little...
A: You know, sometimes it's a lot easier to be like, "well, I'm constantly having a problem selling X because we don't have SBOM," whatever, and it's easier to just say that in the meeting because I'm there, than for it to have gotten to an annoyance point where you actually create an issue. So there's a different threshold, so I'd love to lower the threshold where people could just throw things at me. So.
A: Have controlling or bracing, we, it will not be productive for you to discuss that with fence. Right, cool. This is good, thanks. Thank you all for spitballing this. I definitely loved some of the ideas, especially hitting up the analysts, or possibly, Sam, like you're saying, the percent complete. I think there's some good evil plots in here that could be quick wins when we're in other areas.
A: Nicole, do you want me to open it for you for an inquiry, or, if you know how to word it, 'cause my wording would be like, "what analyst has heard of SBOM requests from customers?" So if you have a better way to phrase that, go for it; otherwise I'll just open one for Joyce with that and she'll look at me funny at that.