►
From YouTube: End Users Working Group (May 25, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
C
D
E
E
C
D
D
E
F
D
D
D
A
A
We
also
had
from
the
Linux
Foundation
openssf
day
up
in
Vancouver
a
couple
weeks
ago
we
had
Morgan
Stanley,
commit
I,
don't
believe
they're
on
here,
they've
been
in
the
past,
but
yep,
but
he's
committed
to
have
someone
here.
Moving
forward
was
not
able
to
connect
with
Boeing.
They
had
expressed
an
interest.
I
still
think
they're
trying
to
find
the
right
person
to
participate.
I'll
continue
to
work
on
that
any
other
from
the
from
the
members
here,
any
other
folks
that
you've
talked
to
that
have
expressed
an
interest.
A
You,
okay,
all
right!
Well,
it's
it's
gonna,
be
a
collective
effort
to
make
sure
we
continue
to
grow
this
this
working
group-
so
please,
all
you
know
just
keep
thinking
about
who
you
can
reach
out
to
Jonathan
I
Jacques
are
are
happy
to
reach
out
to
anybody
that
that
make
may
come
up,
but
we
this
selective
effort
to
continue
to
drive
the
membership
here.
D
A
I
did
so
I
know.
A
number
of
us
were
up
there.
There
were
a
couple
of
panels
where
I
participated
in
where
we
talked
about
the
open
ssf.
We
talked
about
the
end
user
working
group
and
its
mission,
the
one
the
Jacques
and
I
and
and
John
presented
to
the
open
ssf,
the
open,
ssf,
attendees
I
think
it
is.
A
A
A
So
we
had
some
folks
who
clearly
understood
were
actively
contributing
and
participating
to
a
variety
of
different
efforts,
and
then
we
had
some
that
put
it
bluntly,
weren't
quite
sure
what
software
supply
chain
security
was
so
again
it
just.
It
just
reminded
us
of
that.
We
need
to
continue
to
raise
awareness.
We
need
to
continue
to
put
out
material
to
reach
out
to
an
audience
again
with
widely
varying
degrees
of
expertise.
We
can't
just
assume
that
people
have
the
same
level
of
knowledge
of
many
of
the
folks
on
this
audience.
A
B
Yeah
I
thought
all
in
all.
It
was
a
good
set
of
micro,
conferences
and
conferences.
I
think
the
open,
ssf
day
started
off
very
strong.
We
lost
some
folks
in
the
afternoon.
I,
don't
know
if
that
was
just
kind
of
competing
content,
or
if
people
didn't
want
to
see
about
the
mobilization
plan,
I
can't
tell,
but
a
lot
of
really
good
talks
and
I
absolutely
agree.
Andrew,
we
need
to
it
the
pan.
B
The
the
panel
that
you
and
jock
and
Jonathan
put
together
really
highlighted
the
need
to
get
a
broader
feedback
from
the
end
user,
constituency
and
I.
Think
there's
just
a
lot
of
opportunity
and
the
there's.
A
group
of
us
working
on
threat,
modeling
the
software
supply
chain,
with
henrik's
kind
of
helping
lead
that
and
an
idea
that
potentially
could
lead
into
luring
more
participation
is.
B
A
B
And
I'll
put
a
plug
in
they're
doing
the
OSS
EU
will
be
in
Spain
in
September
and
they'll
be
doing
an
open
ssf
day
there.
They
just
opened
up
a
call
for
papers
for
open
source,
Summit
Asia,
so
that
call
for
papers
is
open.
Now
and
depending
on
the
interest
we
might
be
able
to
do
another
open
ssf
day
and
I
would
encourage
this
group
to
figure
out.
E
I
just
wanted
to
put
my
two
cents
in
that
I
totally
agree.
I
was
not
the
event,
but
like
it
jibes
with
my
feeling
that
you
know,
we
really
need
to
work
on
getting
the
word
out
getting
the
raising
the
awareness
of
these
terms.
Software
supply
chain
security
is
very,
very
well
known
in
our
circles
but
like
when
I
talk
to
web
developers.
They,
you
know
they're,
like.
E
Like
I'm
a
martian
but
I
one
thing,
I
is
there
actually
I
know
that
there's
a
concise
guide
there
are
concise
guides,
but
is
there
actually
like
a
guide
or
a
single
document
somewhere?
That's
like
this
is
the
definition
of
software
supply
chain
security.
According
to
the
openness
set
because
I
know
there
are
like
blog
posts
and
there's
concise
guides
and
then
there's
like
more
detailed
learning
material,
but
maybe
crop
can
answer.
Is
there
something
that
we
can
point
to.
B
B
So
it's
a
cross
foundational
resource
for
both
dictionary
lexicon
type
things
personas
and
also
be
a
resource
where
we
could
have
an
introductory
deck
on
explaining
what
each
of
the
working
groups
do
just
some
resource
for
the
whole
Foundation
that
one
place
people
could
go
to
to
get
this
stuff.
So
I
agree
patches,
welcome.
B
E
F
So
probably
we
got
we
got
that
we
got
that
document
that
we
started
and
I
still
have
the
link
open
right
on
my
damn.
I
still
have
it
open
as
one
of
my
links
on
my
yeah
yeah
yeah
I.
Do,
although
I'm
not
on
my
computer
right
now.
What
I
can
do
is
when
I
get
there.
I
could
post
a
link
in
the
slack
but
but
I
started
with.
F
We
have
a
we
have
like
five
or
six
different
areas
and
I
wrote
some
in
each
one
of
them
for
for
the
objective,
the
Mission
Vision
scope,
one-liners
that
can
be
built
out,
probe
and
I
have
both
strapped
for
time.
So
whenever
we
can,
we
jump
back
into
it
and
do
something,
but
we
really
would
like
to
get
this
over
the
Finish
Line,
we're
strapped
we're
really
strapped
for
time,
but
the
the
idea
is
to
build
a
working
group.
F
That's
a
centralized
tentative
that
can
have
tentacles
out
to
the
other
working
groups
so
that
we
can
do
things
like
you
know,
on
one
sheet
of
music
with
personas
one
sheet
of
music
with
taxonomy
one
sheet
of
music,
with
d
e
and
I
one
sheet
of
music
that
spreads
out
across
the
and
then
can
act
as
a
liaison
across
the
LF,
even
on
behalf
of
the
open
ssf.
To
do
some
of
these
things
as
well.
Right,
that's!
That's!
That's
more!
That's
our!
That's
our
our
ultimate
Vision
I!
F
Guess
for
the
for
that
particular
working
group,
but
the.
But
we
have
a
document
that
that's
that
we
started
months
ago,
that
you
know
things
come
up
and
we
can't
you
know
we
need
help.
So
so,
when
I
get
back
to
my
computer
I'll
post
a
link
because
I
still
have
it
open
because
I
get
back
to
it
when
I
can
and
then
and
then
you
know
so
so
who
Crow
was
referring
to
it,
wasn't
just
him.
F
F
C
H
Yeah
so
I
thought
Dan
was
asking
about
more
of
a
not,
as
you
know,
like
the
glossary
type
of
thing,
but
more
around
the
the
guidance
or
or
the
the
main
requirements
or
countries
I
mean
I.
I
I'm
come
from
security
backgrounds
right
talk
in
terms
of
controls,
the
controls
that
need
to
be
in
place
in
our
supply
chain.
H
You
know
to
say
that
our
suppression,
we
meet
supply
chain
requirements
right.
So
I
thought
that's
what
Dan
was
referring
to
so
do
we
have
any
guidance
on
like
you
know.
These
are
the
controls
we
recommend
in
you
know
in
in
sem
or
these
are
in
in
the
build
pipelines
or
in
the
introduction,
or
you
know
so,
do
we
have
anything
that
you
know
runs
through
those
type
of
controls
so
that,
like
end
users
like
us,
we
could
like
take
it
and
say:
okay,
do
we
meet
those
requirements
in
our
environment.
E
I
was
just
gonna
say
yes,
I
mean
I.
I
might
I
think
that
the
thing
that
I'm
thinking
about
is
something
that
speaks
in
the
language
that
software
developers
would
understand,
but
not
necessarily
people
that
are
in
the
security
field,
right
to
explain
to
them
in
simple
terms
what
it
is
we're
talking
about
when
we
talk
about
software
supply
chain
security-
and
you
know
that
could
then
be
a
link
off
to
things
like
what
is
an
s-bomb?
What
is
a?
What
is
it
this?
E
What
is
it
that
right
and
I
think
that,
like
like
the
thing
that
was
going
through
my
head,
when
you're,
when
you
were
talking
about
glossary,
is
there?
Are
we
got
to
make
sure
that,
when
we're
building
that
we
build
it
from
that
mindset,
perspective
of
it's
not
for
us?
Actually,
it's
for
it's!
It's
for
the
wider
Community
yeah
right.
B
Agreed
and
then
specifically
to
gaja's
statement,
there
is
no
centralized
place
that
provides
that
kind
of
mapping
to
the
nist
search
cyber
security
framework
or
anything
like
that.
But
we
do
have
things
like
salsa
and
guac
and
S2
c2f
S2
c2f
is
probably
your
best
example
of
mapping
the
idea
of
information,
security
controls
to
different
compliance
and
legislative
guidelines
and
Frameworks,
but
there
is
no
centralized
resource
today.
It's
kind
of
spread
out
across
a
couple
different
projects
and
working
groups.
D
That
that
said,
I
did
see
someone
pop
up
in
the
salsa
channel
on
slack
Lori
Williams,
who
says
she
or
he
has
a
draft
of
framework.
There's
a
union
of
the
72
tasks
from
ssdf
salsa,
S2
c2f
and
some
sort
of
mapping
I
haven't
looked
at
it.
I'll
drop
a
link
to
slack
in
the
chat
here.
That's
in
the
salsa
channel,
so
I
I,
yeah.
F
Goodness
gracious
I
can't
remember
the
other
two,
but
but
it
was
actually
a
really
comprehensive.
There
were
a
couple
of
gaps,
so
I
think
it's
something
that
can
be
further
developed
I
actually
like,
like
what
I
saw
for
the
most
part,
but
she
did
take
everything
like
you
know,
not
just
the
the
outside
frames
but
s2c2
up
and
salsa
to
do
this
as
well.
I
think
she
missed
a
couple
of
points
that
salsa
provides,
but
it
was
it
was.
F
D
I
Yeah
I
think
a
couple
weeks
ago
at
the
summit,
I
know
Brian
and
and
Jonathan
were
there
I,
don't
know
who
else
so
I
think
they
had
some
some
conversation
because
we'd
pitch
the
the
manifesto
a
couple
times
I
think
before
in
the
past
at
least
two
months,
and
so
we
pushed
it
to
GitHub
sort
of
a
version.
Zero
I
think
we've
got
some
good
comments.
I
replied
to
those
today
I'd
like
to
see
what
we
need
to
get
that
to
like
a
V1.
I
You
know
just
so
we
can
get
it
out
there
and
then,
once
we
can
do
that,
hopefully,
relatively
quickly,
I
have
a
blog
post
that
we
can.
You
know,
put
to
the
openss
blog
to
sort
of
publish.
You
know,
give
it
a
little
get
some
more
notice
but
open
the
comments.
Still.
If
anyone
has
any
questions,
what
it
is,
the
Link's
there
in
the
dock
as
well.
D
I
know
this
is
bike
shedding,
but
I
feel
like.
There
was
a
discussion
about
the
word
manifesto
at
some
point
and
whether
there
was
a
a
word
because
it
means
different
things
in
different
places.
Unfortunately,
but
that
that
could
be
an
aside.
So
is
the
the
action,
the
caller
action
here
for
for
more
comments.
I
Yeah
I
think
I
think
you
know
the
you
know.
Maybe
we
give
another
week
because
there
haven't
there
haven't
been
a
lot
since
the
last
two
weeks
in
in
you
know,
there's
no
more
comments
in
a
week.
We
can.
We
can
think
about
the
wording.
I
know
there
were
comments
about
that
I'm
I'm
on
the
side
of
not
letting
people
take
words
sure
but
I
totally
understand.
D
I
I
Yeah
sounds
great,
I
won't
be
here
because
I'll
actually
be
out
of
town,
but
Brian
Fox
or
someone
else
from
from
some
type
can
probably
take
my
place
for
it,
but
also
in
the
email
and
can
do
all
that
and
I
can
send
out
the
draft
for
the
the
potential
blog
as
well.
Do
you
know
on
the
blog
side
who-
and
this
may
be
more
I-
see
rob
you
might
have
a
an
idea
on
this?
You
know
next
steps
for
that,
where
we
need
to
get
that
that
going.
D
E
Is
the
blog
post
something
that
you're
going
to
be
looking
for
or
it's
anything
related,
sometimes
in
a
Manifesto
you
have
signatories
to
the
manifesto.
Are
you
looking
for?
Are
we
looking
for
signatories,
or
is
it
kind
of
implied
that
it
has
the
imperator
of
this
group
and
the
members
of
this
group
by
simply
by
this
group
publishing
it.
I
Yeah
I
think
the
intent,
but
again
I
wasn't
at
the
meeting
at
the
summit,
but
I
think
that
was
the
intent
of
bringing
this
in.
You
know,
I
think
some
people
you
know
ran
into
how
they
would
be
a
signatory.
You
know,
with
representation
of
their
company
and
that
causing
issues
so
that
I
think
that
was
one
of
the
ideas
was
to
bring
it
into
the
end
user
group
and
that
sort
of
be
the
way
to
do
it
versus
you
know
someone
going
wait.
You
signed
this.
C
D
E
E
C
E
E
E
The
demos-
yes
exactly
all
right
here,
we
go
all
right,
we'll
just
click
on
the
first
one
I
shouldn't
have
gotten
fancy
all
right
and
then
that
links
through
to
a
Singleton
page,
that
that
shows
like
the
description.
How
severe
we
think
it
is.
You
know
the
description,
the
thread
example
and
a
remediation
steps,
and
that's
why
you
kind
of
need
this
to
be.
You
need
this
to
be
fluid,
because
sometimes
the
remediation
steps
are
going
to
change
if
the
UI
on
that
particular
platform
changes.
E
Basically,
that's
I,
just
I'm
I'm
trying
to
get
I
mean
part
of
the
point
of
presenting
it
here
is
to
get
feedback
really
and
to
see,
because
because
the
the
audience
part
of
the
audience
that
is
intended
here
are
you
know,
people
working
in
ospus
right.
So
we
want
to
make
sure
that
this
is
actually
useful
for
those
for
those
groups.
D
E
J
F
J
To
I've
copied
about
conversation,
there
is,
but
I
was
just
commenting.
First
of
all,
the
hospital
thing
I
I
just
came
out
of
the
the
osbo
Europe
thingamajig
that
that
is
sometimes
I.
I,
don't
know
every
week
or
something
like
that.
I
can
I
can
add
this
to
the
to
the
agenda
for
the
for
the
hospital
at
least
Hospital
Europe.
E
There's
some
operational
stuff
that
doesn't
really
have
legitify
generated
pages,
so
I
think
we're
as
we
as
we
continue
working
on
this.
We
will
be
building
out
from
the
core
information
that
comes
out
of
the
legitify
database
and
adding
more
editorial
that
comes
from
this
from
from
open,
ssf
right
and
that
could
include
as.
C
B
Yeah,
the
intention
was
always
to
make
this
a
multi-use
document.
The
team
that
assembled
has
a
lot
of
deep
expertise
in
GitHub
and
git
lab,
but
we
always
wanted
to
make
it
open
enough
that
we
would
have
other
source
code
Management
systems
and
forges
so
to
speak
in
there.
It's
just.
We
don't
currently
have
folks
that
have
the
background
or
time
to
do
that
so
again,
patches
are
always
welcome.
Robert,
we
would
love
you
to.
You,
know
add
if
you
had
other
areas,
you
wanted
to
contribute
to
that'd,
be
awesome.
D
Stuff
thing
yeah,
I
had
I
had
sort
of
two
questions.
The
first
question
was
around
the
relationship
to
other
open,
ssf
sort
of
work.
It
feels
like
there
might
be
overlap
or
or
intersection
with
one-off
or
both
salsa,
which
we
know
at
the
moment
doesn't
have
a
source
track
anymore,
but
did
did
previously
and
also
possibly
with
scorecard,
which
includes
a
lot
of
these
sort
of
controls,
as
as
things
that
they
recommend
and
I'm
sort
of
curious
about.
E
Well,
what
we've
talked
about
is
now
that
we
have
these
these
Singleton
pages
that
are
going
to
be
at
a
stable,
URL
and
I.
Don't
think
the
GitHub
URL
should
be
the
should
be
the
final
URL
for
these
by
the
way,
I
think
it
should
be
at
an
open,
ssf.org
URL.
You
know
published
through
get
a
page
type
mechanism
or
something
like
that,
but
the.
But
once
we
have
these
Singleton
Pages
at
a
specific
at
a
stable
URL,
then
then
scorecard
could
send
you
to
that
URL.
E
Basically,
like
here's,
the
remediation
steps
that
you
need
and
then,
if,
if
then
it's
up
to
it's
up
to
us
or
it's
up
to
the
best
practice
working
group
to
make
sure
that
that
information
is
up
to
date,
so
that
that
seems
like
it
could
be
a
good
way
to
work.
So
we've
had
those
those
discussions
already
I
haven't
had
any
discussions
with
salsa
but
I'm
happy
to
chat,
although
I
always
just
think
about
eating
salsa.
When
I
hear
salsa
so
never
mind,
it's.
H
Yeah
I
I'll
pass
it
on
to
the
Osco
in
internally
and
Morgan
Stanley,
but
some
of
the
members
of
our
ASCO
are
also
part
of
Finn
voice,
different
working
groups
and
Finos,
and
you
know
the
working
groups
that
deal
with
Supply
chains
like
that
talk
about
supply,
chain
security
and
a
few
other
relevant
topics.
Should
we
pass
it
on
to
them
or
I
mean?
Is
there
a
restriction
on
how
far
we
can
take
it.
E
No
it'd
be
great.
That
would
be
great
yeah
and
the
way
that
we're
managing
this
now
is
through
is
is
through
issues.
So,
if
there
are,
if
they,
if
there
are
issues,
they're
welcome
to
raise
an
issue
or
they're
welcome
to
raise
it
to
me
or
if
you
want
to
raise
it
to
me
on
slack
on
I'm
responsive
there,
and
we
can
work
it
that
way,
I'm
happy
to
to
to
be
able
to
funnel.
For
for
that
feedback.
D
K
E
B
Yeah
I
mentioned
this
to
Jonathan.
This
working
group
gets
the
opportunity
to
come
before
the
attack
next
Tuesday,
and
you
have
10
minutes
to
share
all
the
awesome
things
that
you're
working
on.
If
you
need
assistance
with
anything,
there
is
an
amazing
Google
slide
template
that
I
shared
with
Jonathan,
and
we
would
love
to
the
broader
Foundation,
would
love
to
hear
what
this
working
group
is
working
on
and
especially
where
you
all
want
feedback
like
on
the
manifesto,
and
things
like
that.
B
D
B
D
B
Everyone
universally
agreed.
The
title
is
terrible,
but
I
think
we
might
be
security
tool
belt,
but
we're
going
to
start
meeting.
There
is
an
issue
on
the
TAC
repo
I
would
invite
you
to
comment
on.
If
you
have
feedback
now,
and
then
there
is
a
doodle
poll,
if
you
want
to
participate
with
the
group
and
actually
help
architect
the
future
or
in
real
time
we're
going
to
meet
weekly
and
we're
going
to
kick
those
calls
off
probably
next
week.
So
end
users
are
welcome.
D
D
I
mean
we've
got
20
minutes.
We
could
talk
about
the
name,
no
I'm
joking,
please
don't
okay,
well,
that
that
sort
of
gets
us
through
to
the
end
of
the
traditional
sort
of
list
of
things
on
the
on
the
agenda.
Typically,
what
we
like
to
do
is
in
any
other
business
section
to
allow
for
impromptu
discussions.
Was
there
anything
else
that
folks
would
like
to
discuss.
D
F
F
F
Now
a
lot
of
people
are
are
actually
going
through
up
down,
left
right
and
center
of
the
of
the
spec
and
providing
their
perspectives
and
we're
adding
new
threats
and
we're
identifying
gaps
that
that
can
be
filled
when
we
need
the
end
users
Community,
especially
with
this,
to
make
this
exactly
what
it
needs
to
be
for
the
consumer
for
the
end
user,
so
Jump
On,
In,
the
water's
warm
every
other
Tuesday
at
12.
The
last
one
was
this
Tuesday,
so
look
for
it
in
in
a
couple
of
weeks.
F
I
can't
remember
what
day
of
the
week
that
is
and
I
want
to
say
it's
a
I
want
to
say
it's
a
not
the
the
fourth
or
the
fifth
I
I.
Can't
it's
on
the
calendar.
There
yeah
it's
on
the
calendar,
so
take
a
look
at
the
public
calendar.
You'll
see
it
there
like
I,
said
come
on
in
the
water.
Is
warm
love
to.