►
From YouTube: End Users (July 21, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
B
A
A
A
A
Okay,
so
thanks
Dan
for
agreeing
to
be
the
Scribe
just
drop
the
agenda
back
into
the
chat
there.
If
people
are
joining,
if
they
can
just
add
their
names
to
the
list
list
of
attendees
and
as
is
customary,
if
we
could
go
through
and
welcome
any
new
friends,
anyone
want
to
say
hi
who's
attending.
For
the
first
time.
B
A
few,
maybe
just
a
little
bit
of
on
the
on
the
work,
maybe
that
you
know
in
the
past,
like
two
or
three
years
back,
we
were
working
together
with
a
university
of
fun
on
this
backstabbers
knife
collection.
Maybe
some
of
you
have
read
that
paper
and
before
that,
with
the
Serena
Ponto
who's,
I
think
also
in
the
call
from
sap,
we
were
working
on
Eclipse
study,
which
is
basically
an
open
source,
vulnerability
scanner-
maybe
also
some
of
you
know.
G
Can
you
hear
me
now
it's
better
now:
okay,
thanks
so
I
was
saying
I'm.
My
name
is
Peter
juladiza
and
I'm.
A
PhD
student
at
sap
I
was
a
formerly
a
PhD
student
from
Henrik
and
now
I'm
below
the
supervision
of
Serena,
in
collaboration
with
the
University
of
France,
and
the
topic
of
my
PhD
is
open
source
software
supply
chain
attacks
and
yeah
and
I'm
a
co-author
of
the
paper
of
about
the
taxonomy
of
Open
Source
software
supply
chain
attacks
with
with
Henrik
and
the
University
of
Fran.
H
D
H
I
D
Yeah
and
Tom
over
trying
to
Independent
security
can
supply
chain
security
consultant
and
working
a
lot
with
s-bombs
now
and
with
the
ntia
and
now
Sissa.
Initiatives
and
I
was
quite
pleased
when
Jonathan
told
me
about
this
group,
because
those
ntia
and
since
I
have
been
both
very
lacking
on
focus
on
end
users,
and
you
know
so
I'm
really
glad
to
see
this
group
operating.
A
E
J
I'm
probe
I
have
the
opportunity
to
work
in
46,
000,
open,
ssf
working
groups,
and
one
of
those
working
groups
is
the
vulnerability
disclosures
team.
We
are
focused
on
educating
the
world
and
maintainers
and
the
ecosystem
around
good
coordination
and
vulnerability
sharing
practices
we've
historically.
J
In
the
past
we've
written
two
guides.
One
guide
focused
on
Open
Source
maintainers
on
good
practices
they
could
adopt
in
their
projects
on
how
to
intake
triage
and
then
communicate
vulnerabilities.
And
then,
most
recently,
we
published
a
guide
around
focused
on
security
researchers
on
how
they
can
best
engage
with
open
source
communities
and
projects
to
report.
C
A
Cool
thanks,
Rob
I
mean
just
looking
at
the
just
looking
at
the
deliverables
and
the
missions
and
goals.
We
did
actually
mention
this.
We'll
put
this
down
as
one
of
our
initial
deliverables.
Just
read
them
from
the
list.
It
was
develop,
guides
white
papers
and
materials
focused
on
strategies
and
solutions
for
better
software
supply
chain
and
open
source
software
targeting
end
users
in
the
phase
one
we
had
on
the
list
was
identify
which
guides
material
is
missing
from
the
existing
I
guess,
Corpus
of
materials
it
sounds
like
it
would
be.
A
F
In
the
options
yeah
I
just
wanted
to
clarify:
do
you
mean
specifically
in
the
area
of
vulnerability,
you're
talking
about
specifically
in
the
area
of
vulnerability?
Disclosures
have
vulnerability
disabilities
work
demystifying
that
space
from
or
those
who
are
consuming
open
software
that
end
users,
just
as
we
described
them.
J
F
Really
explains
the
forensic
nature
of
these
kinds
of
vulnerability.
Disclosures
to
people
that
are
not
used
to
working
in
that
way
would
really
be
valuable
for
this
kind
of
group
that
we're
talking
about
this.
This
target
audience
because
I
know
it
is
a
very
different
way
of
thinking
about
things
when
it
comes
to
disclosure
of
information
yeah,
but
it's
so
valuable,
so
yeah
yeah,
definitely
I.
Think
it's
a
good
idea.
A
Yeah
I,
second,
that
I'm
just
thinking
that
we,
you
know
as
part
of
that
deliverables,
one
of
our
mission
objectives.
This
sounds
like
one
one
Gap.
We
should
probably
get
together
and
identify
the
other
ones
so
that
we
can
start
to
distribute
it
and
for
people
who
have
interest,
because
I
think
this
is
one
and
even
just
things
such
as
policies
of
ingestion,
perhaps
other
ones
or
how
people
think
about
ingesting
software.
A
From
an
end
user
perspective,
I
often
talk
to
people
and
they
they're
looking
at
s-bombs,
but
they
don't
really
think
about
the
policy
they
need
to
put
in
place
to
think
about
what
they're
ingesting
of
my
Nest
form.
You
know.
Are
you
ingesting
software
with
high
vulnerabilities?
Do
you
have
a
policy,
or
do
you
have
any
capability
of
preventing
that
anyway?
A
A
J
The
consumption
Point
fun
fact
I
get
to
work
with
another
group
of
folks
that
put
together
a
concise
guide
for
evaluating
open
source
software.
This
was
primarily
focused
on
open
source
developers,
kind
of
looking
at
their
dependencies
and
as
they're
selecting
code
to
ingest
in
their
own
internal
projects
that
very
easily
could
be
augmented,
expanded.
Just
a
more
General
things
to
do
at
ingestion,
so
I
think
it
would
be
a
good
starting
point.
A
I
I'll
never
forget
that
facial
expression,
yeah
I,
see
we
have
Jay
White
and
I
would
say
that
there's
a
pretty
good
match
up
with
what
is
currently
called
SSC
for
the
role
of
helping
folks
think
through
policies
for
ingestion,
so
I
think.
Definitely
we
can
continue
to
weigh
in
on
that
topic.
There
I
will
add
my
voice
to
the
chorus
I
think
this
is
a
fantastic
idea.
A
A
Jay
I
see
you
there
on
the
call.
We
should
probably
get
together
as
a
group
to
think
about
feedback
on
the
SSC,
because
I've
got
like
10
pages
of
feedback
and
I've
been
starting
to
go
through
with
with
the
team,
but
I
know
that
others
have
got
a
lot
of
feedback.
I.
Think
there's
a
Sig
that's
been
set
up,
but
I
wonder
if
we
have
a
Consolidated
effort,
because
people
want
to
get
together
as
a
Consolidated
group.
C
Yeah
and
I'm
willing
to
meet
so
we
we've
been
we've
been
meeting
with
with
with
John
and
he's
his
points
are.
His
points
are
amazing.
I'm
willing
to
do
you
know.
I,
oh
well,
God
with
within
the
within
within
my
bandwidth.
I'm
willing
to
meet
with
and
Adrian
is
as
well
I
mean
we
can
meet
with
as
a
in
in
the
seek,
because
I
believe
in
the
Sig
we're
going
to
be
more
focused
on
there's
a
couple
of
items
here.
C
One
of
them
would
be
getting
it
in
the
proper
format,
proper
formatting
for
for
specification
purposes,
and
we'll
be
thinking
about
that.
I
I
like
to
think
what
we
come
out
of
the
working
sessions
will
be
stuff
that
gets
put
into
and
we'll
be
trying
to.
You
know
close
PRS
and
and
and
close
issues
and
all
those
kind
of
things.
So
a
lot
of
the
stuff
that
we
do
needs
to
get
put
in
to
issues
in
in
PR,
so
they
can
get
properly
addressed.
C
I
I
think
that
might
require
a
few
separate
meetings
so
that
that
the
sick
meetings
can
concentrate
on
you
know
ratifying
any
any
kind
of
and
anything
out
there
PR
or
issue
wise
and
then,
of
course,
governance,
governance,
their
rent,
so
so
I'm
willing
to
do.
You
know
I'm
willing
to
have
any
any
meetings
that
are
suggested.
A
Cool
thanks,
Jay,
maybe
I'll,
take
an
action
that
I'll
set
up
a
couple
of
different
times,
we'll
put
out
doodle
poll,
see
who's
interested
in
contributing
to
that
feedback.
We'll
get
together,
provide
that
feedback
in
whatever
film
that
you
see
appropriate,
again,
PRS
or
whatever
we'll
take
that
out
offline
cool
all
right
thanks,
Jay
and
thanks
Crow
for
that.
A
good
agenda
item
Moving
Straight
on
to
the
next
one.
E
E
No,
no,
this
is
well
kind
of
sort
of,
but
this
is
more
about.
If
anyone
has
any
educational
material,
we
don't
have
end
users
in
the
educational
like
priorities,
but
it
can
be
added.
I
think
it
depends
on
if
any
one
has
anything
to
add
so
yeah
I
know
that
you
were
working
on
a
guy,
John
and
I
know
that
Dan
might
have
guides
that
sink
sneak.
I
can
never
pronounce
your
company's
name.
I,
keep
forgetting
I'm.
Sorry
fake,
sneak,
yeah
yeah.
A
A
E
A
Is
there
a
whistle
on
the
line,
or
is
it
just
my
headphones
nope
just
my
headphones?
Okay,
keep
going
so
next
item
on
the
list
is
from
Pierre
and
Henrik
and
asked
them
to
come
and
present
the
taxonomy
that
they've
put
together
based
upon
the
backstabbers
knife
collection,
which
is
a
paper
that
I
think.
A
lot
of
us
have
read
a
lot
of
good
detail
in
there.
B
G
B
B
So
here,
if
you
remember,
for
those
who
have
read
it,
there
was
already
an
attack
tree
content
in
this
Specsavers
knife
paper,
but
it
was
relatively
small
and-
and
we
thought
it
is
worthwhile
to
extend
this-
have
a
more
comprehensive
attack
tree
than
what
we
have
presented
back
then,
and
also
to
make
it
to
make
sure
that
it
is
more
comprehensible
to
people
consuming
it.
And
so
we
came
up
with
this
with
this
work.
You
see
the
paper
here
and
it
eventually
became
a
taxonomy.
B
B
What
is
the
utility
and
cost
of
those
safeguards
and
which
of
the
safeguards
are
actually
in
use
by
developers?
And
to
this
end,
we
have
conducted
a
couple
of
well
basically
two
surveys:
online
surveys,
one
with
kind
of
17
experts
in
the
domain,
some
come
from
the
open
ssf
if
I'm
not
wrong,
and
then
another
100
something
developers
in
regards
to
the
cost
utility
of
different
safeguards
and
whether
they
use
them.
B
Overall.
The
result
is
this:
Tech
Tree
taxonomy,
run
with
around
about
100
attack,
vectors
that
are
linked
to
in
the
meantime,
I
think
more
than
different
real
world
incidents,
either
a
text
or
vulnerabilities
which
could
have
led
to
an
attack
as
well
as
plenty
of
scientific
literature
and
and
gray
literature.
B
I'm
going
to
quickly
show
you
this,
but
you
will
have
a
much
nicer
representation
in
just
kind
of
two
minutes,
but
what
I
wanted
to
so
here?
This
is
basically
the
this
taxonomy.
What
I
wanted
to
raise
your
attention
to
is
that
what
we
have
used,
the
different
criteria
we
have
used
for
structural,
giving
structure
to
this
attacker.
So,
on
the
very
left
hand,
side
and
I
tried
to
zoom
a
little
bit
inside.
B
What
I
was
mentioning
before
injecting
something
in
the
source
code
repository
at
the
top
in
the
middle,
injecting
something
during
the
period
of
a
legitimate
package
or
at
the
very
bottom
here,
injecting
something
in
the
distribution
process
of
how
it
gets
from
package
repositories
to
the
computers
to
the
build
systems
of
developers
and
then,
on
the
right
hand,
side
number.
The
third
Criterion
is
basically.
B
Whenever
it
comes
Whenever
there
are
systems
involved,
source
code
repositories,
build
systems
and
so
on.
We
basically
have
this
pattern
of
you
can
either
compromise
that
system
exploit
a
read.
Configuration
exploit
a
vulnerability
or
you
can
tamper
or
compromise
the
users
of
that
system,
and
so
that
is
kind
of
the
the
structure
or
the
criteria
used
for
for
doing
this
for
structuring
the
tree
right.
B
But
you
will
see
this
in
a
second
here:
Georgia
will
walk
you
through
this
beautiful
web
application
and
then
I
wanted
to
just
very
quickly
raise
your
attention
to
to
this
table,
which
is
a
summary
of
the
the
feedback
of
experts
and
developers
on
the
costs
and
the
utilities
of
the
different
safeguards.
And
so
what
you
see
in
the
table
are
yeah
the
the
30-something
safeguards
we
have
come
up
with
like
product
protect
production,
branches
and
source
code
versioning,
and
for
each
of
those
safeguards
you
see
how
useful
is
it?
B
You
have
the
one
that
are
less
costly
and
more
useful
and
at
the
very
bottom
you
have
the
ones
that
are
considered
more
costly
and
less
useful
and
on
the
right
hand,
side
you
have
the
feedback
on
developers
again
according
the
cost
and
the
usage
right,
I
leave
it
with
this.
You
have
the
link
in
the
minutes
to
to
read
through
the
whole
paper
and
with
that
I
would
like
to
hand
over
to
Pierre
Georgia.
So
you
can
show
you
the
tool
in
action.
G
Thank
you,
Eric.
Let
me
try
to
see.
Can
you
see
my
screen?
Can
you
confirm
yeah
yeah
so
right?
So
this
is
how
it
looks
like
the
web
application.
Let's
say
that
it
started
a
bit
like
a
a
tool
that
we
needed
for
our
discussion
to,
to
show
and
to
reason
about
the
tree
to
categorize
the
the
the
attack
vectors
that
we
that
we
used,
and
then
we
categorize
there
and
so
here.
G
Basically,
you
can
then
explore
the
the
detox
right
in
an
interactive
way,
and
when
you
click
here
you
can,
you
can
see
the
description
here.
You
have
also
a
share
button
to
share
whether
you
need
to
reference
the
specific
attack
vectors
here
and
here
you
have
all
the
list
of
references
attached
to
a
specific
node
and
the
list
of
safeguards
map
to
to
that
nodes
right.
G
You
can
inspect
all
the
information
here.
You
have
also
such
Parts,
whether
you
need
to
to
locate
a
specific
attack
within
the
tree,
so
you
can
search
and
is
highlighted
in
the
tree
and
it's
the
same
for
the
safeguards.
Basically,
you
can
you
can
see
where
Safeguard
is
mapped
within
within
the
tree.
With
this
highlight
right,
and
if
you
need
to
access
the
legend,
you
can
yeah
about
the
tree.
What
I
wanted
to
show.
You
also
is
that
you
have
also
tabular
view
for
both
attack,
vectors
and
and
safeguards.
G
So
all
these
information
are
also
available
in
a
tabular
view
and
probably
what
is
also
interesting
for
you.
It's
the
the
entire
list
of
references
attached
here
right
and
so,
as
I
told
you
at
the
beginning,
it
started
really
as
a
as
a
tool
that
we
needed
for
our
discussion,
but
then
it
turns
out
to
be
handy
for
threat,
modeling
use
cases.
G
For
example,
we
we
did
a
threat,
modeling
Workshop
internally,
to
try
to
reason
about
our
internal
infrastructure,
how
yeah
things
can
go
wrong
and-
and
we
thought
that
this
this
context-
view
about
every
part
of
the
system
or
every
part
of
a
possible
threats
and
the
information
available
here
where
yeah
helpful,
at
least
in
this
kind
of
use
cases.
But
another
point
about
the
releasing
it
open
source
is
that
we
we
we
are
trying
our
best
to
maintain
all
the
resources
updated
as
soon
as
a
new
attack
is
going
on.
G
But
this
is
why
we
thought
to
to
discuss
with
you
about
about
the
tool
itself,
because
we
thought
that
having
it,
we
have
below
the
the
open
ssf
umbrella
and
having
a
community
really
that
can
can
can
maintain
the
tool
or
maintain
at
least
the
references
or
all
the
information
there.
We
think
it's
really
important
to
yeah.
B
Yeah,
maybe
one
one
quick
additional
note
on
the
possible
use
cases
and
I
think
this
is
why
it
fits
to
this
work
group
so
clearly,
I
think
this
is
very
a
very
helpful
resource
for
training
and
awareness
and
education
purposes.
Right.
Pierre
Georgia
also
mentioned
that
we
have
used
it
in
the
past
for
threat
modeling,
but
I
think
there
are
maybe
other
use
cases.
One
would
be
to
in
fact
scope
penetration
tests
because
it's
very
easy
to
say
to
the
penetration
test
as
well.
B
If
you
look
at
our
development
infrastructure
at
our
company,
please,
these
are
the
things
that
are
in
the
scope
and
these
other
things.
Please
do
not
do
this.
This
would
be
another
use
case
and
so
I
think
there
are
maybe
more
use
cases
and
yeah.
We
would
be
happy
to
explore
this
with
you
and
coming
back
to
the
second
Point
raised
by
Pierre,
Giorgio
I,
think,
and
we
we
knew
this
from
the
beginning
when
developing
this,
that
such
a
tool
under
Sap's
GitHub
organization
doesn't
make
so
much
sense.
A
A
So
I
started
with
a
threat
model,
and
then
it
quickly
got
to
the
point
where
I
needed
to
have
some
way
of
classifying
the
different
threats
to
figure
out
where
on
the
threat
model
it
was
actually
going
to
go
and
that
Drew
me
straight
to
the
taxonomy,
which
I
figured
was
actually
quite
useful
to
then
map
to
the
threat
model.
Just
I
wasn't
aware
that
you
were
doing
this.
G
G
This
is
my
my
fear.
I
mean
I
I,
and
this
is
why
I
didn't
want
to
give
an
impression
with
the
visualization
tool,
to
pass
a
message
that
may
be
wrong,
because
we
we
may
not
have
enough
resources
or
capabilities
to
track
a
specific
attacks
or
or
not,
but
definitely
is,
is
interesting
to
your
your
point
of
view
and
your
your
use
case,
I
agree
check.
I
Yes,
I
have
a
few
quick
things.
First,
one
I
said
I
was
a
huge
fan
of
backstabbers
knife
collection.
Together
with
towards
measuring
supply,
chain
attacks
and
package
Managers
from
interpreted
languages
paper.
It's
had
a
huge
impact
on
how
we
think
about
things
at
Shopify
and
it's
why
I'm
here
today.
I
So
thank
you
for
that.
A
very
small
note
about
the
visualization
I
would
be
cautious
about
using
red
and
green
as
colors
that
indicate
something.
That's
not
any
good
for
people
who
are
colorblind
Unfortunately.
They
won't
be
able
to
distinguish
between
them.
So
that's
that's
something
to
look
into
I
guess.
One
question
I
have
is
in
terms
of
production.
One
thing
we
struggle
with
in
the
end
user
group
is
like
how
do
all
these
different
things
fit
together
that
the
open,
ssf,
sponsors
and
I
suspect
one
of
the
questions
will
be
like?
I
B
Yes,
maybe
two
two
quick
answers
for
the
colorblind.
In
fact,
there
are
also
different
field
patterns,
so
that
should
be
should
be
done
already.
The
we
had
that
feedback
already
in
the
past.
That's
why
we
did
that
and
for
what
concerns
linking
the
different
initiatives.
I
I
agree
that
it's
difficult
there
are
so
many
things
going
on
in
parallel,
and
sometimes
you
wonder
how
they
fit
together.
B
One
idea
is
that
if
you
select
the
Safeguard,
you
would
highlight
all
the
attack,
vectors
that
are
covered
and
so
giving
you
a
feeling
for
if
you
implement
this
thing,
this
is
what
you
would
you
would
be
partially,
hopefully
completely
mitigating
and
and
from
learn
from
that.
These
are
paths
still
open
that
you
need
to
cover
in
different
ways.
A
I
Yes
and
what
I
would
what
I
would
say
very
quickly,
Jonathan
sorry
to
interrupt
you
I
think
the
question
from
folks
is
going
to
be.
I
have
two
things
now:
the
taxonomy
and
salsa,
which
give
me
guidance
on
which
countermeasures
to
use
and
in
in
the
situation
that
one
covers
something
that
the
other
doesn't
or
where
they
both
cover,
something
that
they
give
different
answers
about.
What's
going
on
or
what
could
be
done,
it
could
cause
a
lot
of
Acts.
G
G
So
for
for
what
concerns
the
work
of
the
taxonomy.
Our
first
goal
was
to
systematize
the
knowledge
about
the
threats
right,
you
can,
you
can
I,
think
I
I
mean
an
analogy
could
be
to
see
it
like,
for
example,
the
Mitra
attack
in
the
sense
that
it's
a
way
to
explain
how
compromises
happen
in
the
open
source
space
right
while
for
for
salsa,
they
are,
let's
say,
providing
a
level
of
maturity.
G
We
can
say
that
for
what
concerns
the
Integrity,
how
to
preserve
the
Integrity
in
the
supply
chain,
right
so
and
and
of
course,
I
I
agree
with
you,
then,
on
the
fact
that
there
could
be
some
confusion
for
what
concerns
the
the
safeguards.
So
we
could
think
about,
for
example,
how
to
better
handle
or
integrate
salsa
with
giving
it
more
visibility
within
the
tool
or
the
risk
Explorer
tool.
G
But
I
I
think
the
scope
is
a
bit
different
right
because
again
the
the
taxonomy
is
trying
to
describe
how
attacks
happened
and
which
are
the
threats
there
and
and
salsa
is
providing
you
guidance
or
level
of
maturity
depending
on
what
and
where
you
put
some
safeguards
right.
I,
don't
know
if
you
please
answer
your
question
or.
A
A
Once
we've
agreed
as
a
a
wider
group,
what
that
mitigation
would
be
so
we
kind
of
tie
the
thing
together
and
we
have
an
architecture
to
figure
out
what
the
landscape
looks
like.
We
need
a
taxonomy
to
reason
about
those
require
attacks,
and
then
we
have
the
mitigations
at
the
back
and
then
I
think
the
bit
that's
missing
there
is
that
prevalence
bit
where,
given
that
taxonomy,
we
start
to
add
the
prevalence
of
the
attacks.
A
It's
like
well,
we
can't
just
decide
hey.
We've
got
a
new
version
of
these
medications.
Let's
go
no.
We
need
to
work
together
with
different
peoples
and
figure
out.
Look
the
standards
just
this
that
and
the
other
provide
the
appropriate
feedback
and
that's
canonical
mitigation,
but
I
think
if
we've
got
a
taxonomy
and
things
underneath
I
think
that
starts
to
help
just
my
thoughts
on
that
one.
In
any
feedback
on
that
one
then
I'll
defer
to
Jay
sounds
like
Chrome.
You
thumbs
up
and
heart
untouched.
A
C
Yeah,
you
know
we're
doing.
I
I
mean
I
I
I
I'd
like
to
add
to
that,
but
I
don't
think
I
have
anything.
To
add
to
that
you,
you
kind
of
took
the
words
right
out
of
my
mouth.
You
know
at
the
time
of
your
writing,
and
and
and
and
guys
I
do
have
to
say,
having
you
know
about
with
you.
Is
this
2022
about
about
a
good
seven
or
eight
years
ago,
I
had
the
pleasure
of
writing
a
dissertation.
C
C
Echoing
what
John
said
all
the
this,
this
piece,
especially
the
taxonomy,
these
things
can
all
be
joined
together.
I
I,
you
know,
having
a
keeping
things
separate
is
is
a
is
a
past
situation.
We
could
bring
that
stuff
together
and
clearly
find
bridges
that
links
each
of
these
things
to
make
a
more
complete.
How
I
would
even
I
I
I
would
even
say
something
a
little
bit
more
provocative
and
say
looking
at
we
could.
C
This
taxonomy
could
be
something
that
could
be
built
out,
such
that
it
does
what
miter
does,
but
specifically
for
supply
chain
security
and
understanding
us
a
true,
especially
with
what
probe
is
doing
understanding.
What
that
supply
chain
attack,
surface
and
attack
landscape
actually
looks
like
and
how
it
will
evolve
over
time
right
so
that
that's
that's
the
that's
the
other
thing
that
I
think
about
that's
top
of
mind
for
me
all
the
time
not
just
today,
but
but
how
does
that
scale?
And
how
does
that
evolve
over
time?
B
So
I
mean
maybe
to
to
reiterate
what
I
think
was
said
before
so
I
think
the
taxonomy
is
really
taking
this
perspective
of
the
attacker,
which
is
maybe
different
from
some
of
the
other
works
and
but
again,
I
totally
agree
that
the
safeguards
need
to
be
well
aligned
with
with
all
the
other
initiatives.
Otherwise
this
doesn't
make
sense
and
only
and
will
only
cause
confusion.
So
in
general,
I
have
the
feeling
there's
more
positive,
confirming
feedback
on
the
possibilities
to
discuss
this
further
and
and
maybe
work
on
this
together.
A
I
I
was
going
to
sort
of
raise
that
or
question
that
myself
and
we've
got
Probe
on
the
on
the
line.
Who
are
verbal
veritable
member
of
the
the
attack.
I
was
wondering
you
know,
I
I,
wonder
if
we
put
a
proposal
together
to
the
attack
that
look
there's
a
way
of
connecting
these
different
projects
together
and
I.
Think
it's
not
like
taxonomy
is
the
glue
necessarily,
but
it's
an
additional
one.
A
Grub
we're
working
on
the
in
the
the
architecture
underneath
taxonomy
needs
to
go
on
top
and
then
connect
in
SSC
and
salsa.
Is
that
an
appropriate
approach
architecture?
And
then,
if
that
is
the
case,
let's
set
that
maybe
up
as
some
form
of
a
I
don't
want
to
use
the
word
working
group
or
project
there.
You
go
I,
don't
know
what
to
call
it
now,
but
the
initiative.
A
J
And
we're
more
and
more
grappling
with
these
ideas
or
efforts
that
bridge
many
groups,
so
I
think
this
would
be
very
good
to
bring
to
the
tech,
and
maybe
we
also
kind
of
help,
standardize
kind
of
what
proceduralize,
how
these
types
of
cross,
Foundation
things
get
put
in
great
yeah
I.
Think
it's
great
I
think
we
should
propose
it
up.
A
So
I
think,
if,
if
we
can
take,
you
know,
maybe
I'll
propose
we'll
do
two
things
to
attack.
One
is
that
joined
up
initiative
and
propose
that
number
one
and
and
second
is
the
basic
suggest
adoption
of
the
taxonomy
to
the
tech.
Also
I,
don't
know
if
it's
the
same
thing
or
is
it
two
separate
things,
but
it's
yep
a
thumbs
up
for
Jack
yep,
any
yep.
Okay,
any
feedback
on
that.
C
Yeah
I
think
I
think
what
we
may.
What
we
may
want
to
do
as
well
because
of
the
Joint
part
of
it,
because
I
I
I'm
I'm
in
but
I
Salsa
Salsa,
should
care
this
too
right
and
having
sat
in
the
room
with
them.
I
think
I
think
this
would
be
beneficial
as
well,
so
that
maybe
when
it
gets
proposed
to
the
tech
we're
all
in
the
room
for
that.
C
A
K
A
A
A
A
K
J
K
K
A
A
A
Think
it's
creating
the
Matrix
or
initial
Matrix
of
the
different
working
groups.
We
would
like
to
attend
as
a
group
and
then
putting
a
kind
of
a
bonus.
I
mean
what
I
could
just
ask
right
now
is:
is
there
any
particular
working
group
we
feel
we
need
to
have
direct
input
in
I'd,
suggest
the
education
working
group,
vulnerability
management
and
integrity
group?
Let's
start
best.
E
A
A
G
K
So
I
just
want
to
mention
if
some
of
these
members
I'm
not
sure
if
anyone
here
is
going
to
be
in
Tahoe
for
that
event.
Hopefully,
if
we,
if
we
have
a
few
folks
from
the
undies
working
group,
it'd
be
great
I'm,
I'm,
happy
to
put
together
and
host
a
birds
of
a
feather
session
that
the
the
local
pub
in
the
hotel.
K
Is
this
whole
software
supply
chain
security
elements
to
the
to
the
conversation
there,
which
they've
said
they're
really
really
interested
and
want
to
want
to
make
sure
that
that
we
are
getting
across
in
some
way
shape
or
formed?
So
now
that's
December,
8th
in
New
York.
So
if
anybody's
happens
to
be
based
there
or
can
make
it,
it's
actually
a
really
good
event.
A
No
okay,
well,
look
we'll
close
a
few
minutes
early,
but
thank
you
very
much
for
everyone's
everyone's
input.
I
think
it's
been
really
useful.
Thank
you,
Henrik
and
Pierre
for
the
presentation
and
good
welcome,
backstabbers
knife
and
quite
a
lot
of
actions,
more
progress.
So
thanks
very
much.
Everyone
appreciate
your
time.