From YouTube: OpenSSF Diagrammers Society (March 23, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/14i9v7WuQcLzWpvLe9B0sl-kf90JLwxNwrZkRXLWmEdQ/edit#heading=h.9m0zi4b0wnne
B
Now, I'm Victor. I'm not really new to the community, but first time joining this call. The reason is: I've been watching this, the video on YouTube. One thing I liked, if possible, I know that this diagram is not finalized yet, I think it'd be great to still go over it. You know, just like a short presentation, just a couple minutes. This way, when I watch the video online, I know what's going on, latest, you know, information about that, but the diagram.

C
Hey, it's Sanket. I'm new to the community, so I'm just listening and attending various meetings and just thinking, observing, trying to learn.

A
Does anyone have any topics to discuss today? If not, David gave me some homework that we can take a look at.

A
All right, so this is an update we did based off of the CI/CD version two graphic that is in our git repo, and what we did is we took a CI/CD workflow and overlaid the assorted projects of the foundation across the different pieces, and we've shared this with a couple different communities, and so far this has gotten us very good response. I see I gotta tidy up a couple things like space, basic alignment; oops, that's not what I wanted to do.

A
It's got to tidy up some alignment, but, aside from that, this is what our most recent collaboration looked like. So does anyone have any thoughts or comments on this particular style of illustrating the foundation?

B
Yeah, I think this is very good. Just, if I need to take this slide and explain to someone else in one or two minutes, how should I go through the content, either getting that flow?

A
Well, that is something we have not strategized on yet, the actual execution of delivering it. You might have seen we did a town hall last week and David Wheeler shared this and kind of briefly walked through it, but we have not yet had a chance to regroup to talk about what next steps might be, you know, potentially writing a script or speaker notes, but the idea is that we would have this slide available as a resource that anybody could utilize and drop into a presentation.

A
Any other thoughts? Do we want to maybe think about writing that script, kind of giving some outline of how somebody might take this and describe the interesting story of the Foundation?

A
All right, as always, you are able to make comments or have a conversation in our Slack channel or on our mailing list. We also can open up issues and PRs if there's things we need more involved conversation on; we want to make sure we get documented.

B
Yeah, I think he gave the presentation about this slide in the town hall. So do you mind maybe going through now, and probably just by doing that over and over again probably can automatically get a script ready, just how to talk about this slide.

A
Certainly. Before we do that, Matt, did you have a question?

E
Oh no, I was making it earlier on. I was going to make an observation, so very happy that this turned out. You know, always been supportive of the CI/CD view. I just want to let you know that I did create my own view of this. Basically, what I did was I superimposed some SLSA considerations and I basically divided into source and build, their left side and the right side. Just interesting. It was just an interesting exercise in terms of communicating attack.

E
Well, yeah, I actually presented it. I'm doing this education internally in my company. Let me see if I can do a quick share to see what shape that should. I did, hold on, sure, yeah, I'll stop sharing here, desktop one, all right. So this is what I did for SLSA.

E
Basically, so anyways, I just thought it was useful. I don't have the actual feedback loop of the SBOM, as presumably the SBOM going back, but yeah, or evidence, general evidence going back, so helpful, yeah.

A
Very much so, and I know that the end user working group is looking at actually doing a formal reference architecture based off of a couple different personas, like a small software development firm and then, all right now, a large software development firm, and I think they were thinking about taking this CI/CD or potentially documentation from SLSA to start their assessment there, and then they wanted to threat model it, which I thought was interesting, kind of see how we can break it.

A
Cool, cool, and Jay says he still has an outstanding AI and we'll hopefully get some folks. So if anyone participates in any of these working groups, it'd be wonderful to try to get this particular thing on the docket there to start that discussion, so we can refine and make sure we have things accurately placed, as opposed to just kind of David and I giving a semi-expert guess.

A
But how this would be shared.

A
So, from a high level, talking about creation and curation of software, starting, it's a never-ending circle, but starting with a developer, we have many different projects, special interest groups and initiatives within the foundation that are directly useful to developers. Things like our Secure Coding Fundamentals class, tools, hands-on lab tools like the Security Knowledge Framework, but we also have things around developers being able to get machine-readable common requirements through tools like CRE.

A
Then, after the developer starts their journey and creates some software and moves over to the source box, and that's where things like the Great MFA Distribution, where we went through and gave away multi-factor tokens to developers to help try to prevent account and identity takeover attacks. That's where things like that come into effect, but then also, as we have source code, we can use tools like the developer Best Practices Badge to actually demonstrate.

A
We have relevant work with a project called Allstar, which again provides some more prescriptive, automated scoring of code as it's going through a build pipeline, and then we have frameworks like something like SLSA where that, during the build phase, helps you understand how software is built and managed, and ultimately, as you move into the packaging phase, things like FRSCA apply, just different frameworks and standards that are relevant to these different phases of the pipeline.

A
We also have, as you get to the packaging phase and you're ready to sign, digitally sign your artifacts, we have a project called Sigstore that allows for a statement on, on this day, this developer signed this code and it has been untampered with, and it's in a kind of blockchain-style repository that anyone can view publicly and kind of understand a little bit more pedigree and provenance information of that package.

A
Then, thinking about the consumer end, we have frameworks like S2C2F, which is a supply chain framework for consumers of open source, but we also have things like a taxonomy so consumers can understand how supply chains can be attacked, and also we're developing a reference architecture around that. So again, consumers can understand how they can apply some of this tooling across the foundation. Hopping back to the build phase quickly, under dependencies.

A
We have projects, things like SBOM Everywhere, where we're looking to help understand and inventory all the different open source tools that help provide SBOM manifest information. We also have tools like OSS-Fuzz, the OSS fuzzing project.

A
We have a different assortment of scanning tools that can be run on these dependencies, so you understand you're bringing in quality packages into your build environment, and then we also have projects like the Securing Critical Projects working group, where they have a list of, you know, the top 200-ish open source projects and providing some assertions around how those projects are being maintained and developed, and so we can help focus resources on it.

A
We also have assorted projects within the foundation where we can help developers choose packages, you know, providing them information around different insights around that particular project. We also have, we're developing a risk dashboard; again, as the developers are evaluating those dependencies, they'll have the ability to have kind of a risk assessment on, you know, how frequently this package is updated and kind of what the security aspects are, and what's, give you an assessment of risk potentially of using those packages.

A
We also have a couple tools around package feeds and analysis, and all this information provided to the developer so that, as they are writing and composing their application and building it, they'll have all this information available to them, and then kind of the tail end. The maintenance aspect of this is typically kind of vulnerability management, vulnerability information, and we have many different initiatives within the foundation that are focused on providing that information, getting that fed into tools so that again, as developers are working through their pipeline, they'll have access to this.

A
So we have guides on how vulnerabilities are disclosed. We have a prototype project around creating an open source security incident response team that can help provide this information and help evaluate and hopefully correct maybe some of these dependencies in the pipe, and we also have tools like the Open Source Vulnerability schema, which is a kind of similar system to CVE or GSD. So it's another way that a lot of projects publish vulnerability information, and also leverages those other ecosystems like CVE and GSD.

A
We also have, oh, David's got a typo, there's a group of folks working on squashing false positives within open source scanning tools, so they have a specification and they work on that to try to help make, as scanners find problems, the results are ideally more actionable and meaningful to the developer, and we also have the CVE Benchmarking SIG, which is working on evaluating CVE data, and in a nutshell, that summarizes all the different projects that are going on across the foundation. So does that kind of help your understanding, Victor?

B
Yeah, definitely, that's great. I'm gonna go back and watch the recording again, so one thing I think probably will help, maybe, may not be even to be recorded, as each individual work group might come with a one or two person to give a presentation using this slide, and they'll probably figure out whether the group is part of a particular stage, for example, with the best practices, right, just looking at the blue squares, they're not, they're only at the beginning.

B
So that probably means it's all related to developers, open source developers. So best practices is now for a consumer, which is the, like, why S2C2F is probably, it's especially best practice for consumer, right, users, so yeah, I think probably because I still don't know a lot of details, so I cannot really talk, but for the group, the lead, they probably can, when talking through the slide, they can probably see whether their group is missing out some squares or maybe in the wrong location.

A
Yeah, and then there's a wide diversity of things going on across the foundation, and so, for example, there actually is a concise guide for consumers for selecting and evaluating open source software, and it's just, ideally that stuff will get sussed out as we continue to refine this, and the ultimate goal is, both in the kind of table below and also the boxes above, is that everything would be hyperlinked so that somebody could jump right into a project or working group's body of knowledge and be able to see kind of activities.

B
Yeah, yeah, this is really good, so for most people who don't really kind of contribute to the code or the in-depth knowledge, this is actually good enough, and then just need to be, yeah, I guess go over it again until, yeah, just get familiar with the landscape.

A
Yeah, and I think ultimately we're looking to have, my dear friend Gunner used to call it a walking-around deck, but our dream is we would have a presentation deck that we could very quickly bring out and share this information, that way it can be consistently shared by any member or kind of anyone within the foundation, to be able to kind of articulate what's going on.

A
So that's another kind of objective that eventually we'll get into, but this is like kind of David's alpha draft of what this could look like.

E
Matt, yeah, yeah, so I mean I enjoyed the layout so much over the past couple weeks or whatever that I never really, as you were talking and walking through from left to right all the things, I just noted how expansive this creator group was in terms of number of SIGs, yeah, but unless I was in a coma, besides the fuzzing and the SBOM Everywhere SIG, I haven't seen all the other SIGs on, and actually all the three years I've been there.

A
Right, these are all represented in each of the working groups' GitHub repositories. I have added in the notation of SIG or Project based on if something is code related or kind of documentation related, and, like we had talked about when you first shared the mind map with us, we have a lot of inconsistencies and we need to do a significant amount of cleanup. So a further step when we go to these working groups would be validating, you know, is there any activity on, like, the CVE Benchmark, I...

A
Well, and again, the designate... There are three things within the foundation that something can be. You can be a project if you have code, you can be a SIG if you work on kind of process or documentation, and then they have kind of a special product, associated projects, which is kind of something outside of the general working group model.

A
The software repos is, again, I can't edit the document to move the box to make it more visible, but the repos are, the Securing Software Repos is there. They only have right now one kind of thing that they list doing. Again, this is a starting step, that there's a lot of work that needs to go through to verify the accuracy of this and get things cleaned up, and I welcome everybody on the call to help us with that.

B
Okay, what I mean is like, for, you know, yeah. Sometimes it sounds like it's, the best way to understand which is an expert in that area is kind of in shooting, not helping, so I feel that this helps me as a newcomer to just watch this diagram to see what's going on and know where things fall, and then I can just base down this.

B
This understanding of this diagram, go watch the corresponding YouTube videos, cool, yeah, so that this will help a lot, good.

A
Like, to Matt's comment, like Security Tooling, that has essentially been transformed into the SBOM Everywhere SIG. That is almost exclusively the work that they're doing today, and if there's value in, you know, kind of keeping those artifacts, those historic artifacts there, or do we need to retire them. Yes, future conversations, make sure that this is as accurate and useful as possible.

A
Any other questions, comments or feedback on the slide here?

A
All right, do we have any other topics we'd like to discuss today?

A
All right, friends, with that I will give some time back. I appreciate your time and attendance and comments today. We will meet again in two weeks and hopefully we'll have some updates to the diagram to get it more accurate. So thank you all and enjoy the rest of your day. All right. Thank you.