►
From YouTube: End Users (September 15, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
A
B
B
C
B
E
E
C
C
C
F
E
C
C
G
Also,
you
know
heavily
or
becoming
more
heavily
active
in
the
open
ssf,
as
is
my
charge
of
what
I
do
with
Microsoft
I'm
here,
because
I
I
am
also
an
evangelist
of
of
the
consumption
of
Open
Source
and
trying
to
bridge
the
gap
between
a
lot
of
the
Direction
or
or
a
lot
of
a
lot
of
the
the
direction
that's
being
given
through
the
the
very
smart
people
and
and
open
source,
and
then
how
it's
being
a
produced
production
side.
But
then
how
is
being
consumed?
G
How
that
translates
and
what
kind
of
guidance
is
being
given
towards
the
consumption
of
that
direction?
I'm
going
to
say
a
lot
of
the
words
here
towards
how
open
source
is
ingested
and
consumed
by
the
consumers,
so
so
this
this
work
group
is
especially
exciting
for
me
because,
as
I
as
I
as
I
came
from
a
sideways
where
you
consume,
it,
I
get
to
see
both
ends
now
and
how
relevant
it
is
for
this
kind
of
voice
to
be
had
in
the
open,
ssf.
I
Go
for
it
yeah
sorry,
I'm
I'm
new
here
my
name
is
Adrian
diglio,
I'm
I'm,
also
from
Microsoft
joining
here
with
Jay
and
I'll
and
I'll,
be
talking
about
the
open
source,
secure
supply
chain
framework
and
in
Microsoft
I
lead
our
secure
software
supply
chain
team,
so
pleasure
to
be
here
thanks.
Excellent
welcome.
B
C
Excellent
excellent.
Thank
you
very
much
always
welcome
and
it's
good
to
finally,
a
minute
to
this
one
too.
That's
good,
all
right
great!
So
actually,
if
I
may,
just
before,
we,
we
move
up
to
the
the
first
item
in
general.
I
do
want
to
give
a
little
bit
of
an
update
to
people
about
reaching
out
to
additional
members.
So,
as
Andrew
sort
of
highlighted,
we
are
reaching
out
to
additional
members
to
to
highlight.
We
are
starting
now
and
we've
reached
out
to
Andrew.
C
You
suggested
a
couple
of
people
in
the
automated
sector.
I
just
come
from
the
ossf
Dublin
meeting
and
met
a
lot
of
people
at
Dublin
and
reached
out
to
a
number
of
the
different
LF
working
groups
as
well,
so
we've
got
Healthcare
automotive
and
energy,
all
of
them
doing
Communications
and
looking
at
bringing
in
additional
members
or
reaching
out
to
their
members
as
well
as
fsisac,
so
yeah,
I,
I
think
there's
a
lot
of
communication
going
on
at
the
moment.
C
Quite
a
lot
of
people
still
stuck
at
not
stuck
at
dumpling
in
Dublin,
enjoying
Dublin
and
trying
to
get
on
planes
or
or
enjoying
the
rest
of
the
conference
there.
So
you
know
I
I,
think
there's
a
lot
underway,
so
I
think
I'll
continue
and-
and
please
help
so
without
further
Ado,
then,
if
by
popular
demand,
if
I
can
hand
over
to
yourself
Jay
and
perhaps
Adrian
to
give
a
bit
of
a
Insight
or
deeper
insight
into
the
SSC,
it's
the
first
time.
G
Now,
that's
for
me.
That's
for
me,
because
I
feel
like
oh
and
and
John
and
I
spoke
about
this
before,
but
I
feel,
like
you
know,
you're
on
the
spectrum
of
what
is
supply
chain
security.
We
tend
to
focus
a
bit
more
on
one
end,
not
enough
on
the
other
and
then
when
we
do
focus
on
the
other.
We
focus
on
the
other
kind
of
being
a
little
bit
angry
about
the
focus
on
the
other
end.
G
So
if
we
can
build
something
that
does
end
to
end
Works
into
the
middle,
we
fill
those
individual
gaps.
We
have
something
so
robust
in
supply
chain
security
that
just
increases
the
excitement
increases.
What
we're
able
to
do
as
an
industry,
and
so
we're
here
today
to
present
this
framework
that
we
hope
fills
a
lot
of
those
gaps
and
and
I'll
and
I'll
say
it
Loosely.
You
know,
I've
been
in
all
the
salsa
meetings.
G
I
I've
been
I'm
an
active
contributor
in
those
meetings
and
the
one
place
that
seems
to
get
lost
is
what
is
is
when
we
try
to
expand
the
scope
and
expand
the
scope
for
not
being
able
to
meet
a
lot
of
the
questions
that
are
being
asked.
We'll
just
expanded,
I,
don't
expand
the
scope,
keep
the
scope
we're
exactly.
This
is
great
scope.
We
can
bring
in
something
like
this.
That
does
fill
those
gaps
right
so
you're
not
so
so,
you're,
not
there's
no
stop
creep
right.
G
That
being
said,
exciting
framework
focused
on
now
you're
talking
about
the
ingestion
of
Open
Source
software
Adrian,
just
posted
the
just
posted
the
the
the
GitHub
repo
there
we
already
have
brought
it
in.
We
have
GitHub
repo
for
it.
We
brought
it
into
the
open.
We
have
Community
meetings.
We
have
technical
means,
we'll
talk
about
that
later
on
as
well.
G
It's
in
markdown
it's
in
PDF.
You
can
pull
it
up.
You
can
look
at
it,
you
can
print
it
out.
You
can
scribble
on
it.
Do
all
kinds
of
things
you
can
send.
Your
suggestions
in
this
is
done
in
Earnest
and
in
the
open
and
we're
bringing
ahead
to
this
working
group,
because
it's
a
fantastic
working
group
to
bring
it
to
and
to
pick
it
up
and
run
with
it.
G
Like
I
said,
our
desire
is
to
bring
this
into
the
openness
and
stuff
and
to
have
the
community
improve
upon
it
and
then
have
the
bridge
being
built
with
something
like
salsa
that
that
Train's
already
moving
have
that
bridge
being
built
so
that
we
can
forage
audience
into
the
future
and
create
some
pretty
pretty
magical
and
a
secure
supply
chain.
So
without
further
Ado
I'll
hand
it
over
to
to
Adrian
to
get
into
the
nitty-gritty
of
of
the
framework
and
to
further
discuss
how
we
got
here.
I
Thanks
Jay
I'm
also
really
excited
to
be
here
today.
So
so
thank
you
for
your
time
and
attention
I'll
briefly
give
an
an
overview
of
the
framework
and
feel
free
to
raise
your
hand
and
stop
me
or
whatever
the
way
that
the
framework's
organizes
it's.
It
starts
pretty
pretty
high
level,
and
then
it
gets
a
little
bit
more
and
more
and
more
focused
as
it
goes
down.
So
we
start
with
a
high
level
set
of
solution,
agnostic
practices.
I
These
practices
can
be
applied
to
many
many
different
scenarios,
because
there
are
nuances
with
different
ecosystems
example.
You
know
language
packages
versus
containers
and
then
we
get
into
oh
in
the
the
high
level
set
of
practices.
There's
eight
of
them,
you
know
ingest
it
scan
it
inventory
it
update
it,
audit
it
enforce
it,
rebuild
it
and
fix
it,
and-
and
we
explain
what
all
of
those
things
are,
then
we
we
go
to
the
next
level
down
where
we
create
here's.
I
We
then
organize
that
list
of
requirements
across
a
maturity
model
maturity
model
is
always
helpful
because
it
it
helps
organizations
prioritize
some
requirements
over
another,
but
we've
also
ascribed
themes
to
each
level
level.
One
I
would
say
has
been
the
the
general
guidance
that
we've
had
for
years
with
open
source
which
has
simply
been
inventory.
It
scan
it
for
known,
vulnerabilities
and
update
it.
I
Level
two
is
helping
organizations
patch
faster
so
that
you
can
operate
faster
than
the
attacker.
Can
the
Sona
type
2021
report
state
of
the
supply
chain
gave
an
example
use
case
of
the
salt
stack
incident
where
they
confidentially
fixed
a
vulnerability.
They
did
everything
right
and
then
they
they
published
the
the
vulnerability
in
the
open
along
with
a
patch,
and
as
you
can
imagine,
there's
many
organizations
out
there
that
take
a
while
to
deploy
their
patches
well
upon
disclosure
of
this
vulnerability.
I
It
only
took
attackers
three
days
to
craft
an
exploit
and
then
find
you
know,
running
applications
in
production
that
were
using
this
and
we're
able
to
start
exploiting
at
scale,
and
there
were.
There
were
multiple
compromises.
This
is
why
we
are
recommending
requirements
for
adopting
Technologies
such
as
Auto
patching
where
it
submits
you
a
PR
to
to
auto
update,
and
then
you
as
a
developer.
You
just
have
to
evaluate
if
you
want
to
accept
that
PR
and
putting
vulnerabilities
in
comments
at
pull
request
time.
I
The
Third
level
is
is
has
a
theme
of
protecting
you
from
consuming
compromised
OSS,
so
it
it,
you
know,
gets
into
the
concept
of
malware
scanning,
protecting
yourself
from
dependency,
confusion,
blocking
packages
and
even
doing
proactive
security
analysis
on
the
the
open
source
that
you
depend
on
the
most,
and
that
way
you
yourself
might
be
able
to
find
those
those
zero
day
vulnerabilities
and
then
you
yourself
can
then
go
report
it
up
to
the
Upstream
maintainer
level.
Four
is
mostly
aspirational
in
nature.
I
It
is
not
meant
to
be
done
at
scale
for
all
open
source.
I
I
think
it's
meant
to
be
more
targeted
than
that.
If
you
have
open
source
udem
critical
or
perhaps
you
have
a
critical
application
and
you
want
additional
assurances
level,
four
is
all
about
mitigating
against
the
most
sophisticated
type
of
threats
which
are
you
know
the
the
like
solarwinds
types
threats
where
they
are
have
a
presence
on
the
build
machine
and
they're,
silently
contributing
back
doors
from
malware
to
a
build.
I
I
C
I,
don't
think
that
went
in
actually
okay
here
we
go.
If
I
may
just
ask
a
question
that
you
you
mentioned
that
you
prioritize
the
the
different
requirements
there.
How
did
you
prioritize
them?
Is
there
a
specific
sort
of
rubric
used
SME
you,
you
decided
that
was
the
best
one
to
go
for
sort
of
impact,
or
is
there
any
sort
of
methodology
used
there.
I
Exploiting
vulnerabilities
is
still
one
of
those
practices
that
that
it's
it's
fundamentals
and
and
organizations
can
do
better
and
so
I
I
thought
it
best
that
for
level
two
teams
focus
on
like
remediating
themselves,
with
with
quicker
speed
using
today's
technologies
that
help
you
shift
left.
So
that's.
I
It
was
kind
of
like
building
on
the
systems
that
I
expect
most
teams
and
organizations
to
already
be
using,
and
that's
that's
why
I
went
with
with
that
for
level
two
and
then
level.
Three,
you
know
protecting
yourself
from
consuming
compromised,
open
source
is
largely
new
ground.
That
I
don't
think
a
whole
lot
of
teams
and
organizations
have
done
before
and
so
I
felt
that
that
like,
when
you
think
about
it
in
levels
of
maturity,
I
felt
like
that
was
the
natural
progression.
F
F
The
document
itself
says:
Microsoft
OSS,
OS
SSC
framework
all
over
it
so
is.
Is
the
intention
here
to
kind
of
bring
this
document
to
the
openssf
and
have
it
go
into
the
incubation
process?
Is
the
intention
to
bring
it
to
the
incubation
process
within
this
working
group
I'm
just
trying
to
think
about
it
from
the
process
from
a
process
standpoint?
If
so,
is
this
something
that
you're
looking
for
further
contributions
on?
F
What's
the
trajectory
of
this
document,
I,
guess
and
and
this
and
this
standard
and-
and
you
mentioned
ISO
like-
is
that
what
what's
the
intention
there
from
like
in
you
know
who
who
like
when,
in
order
to
get
something
into
ISO,
somebody
needs
to
submit
it
to
ISO
and
certain
things
have
ISO
submitter
status
like
who
does
that?
Where?
Where
is
the?
Where
do
you
see
the
work
going
in
order
for
it
to
become
ready
to
become
submitted
to
ISO
and
who
submits
it
to
ISO
and
all
that
kind
of
stuff?
G
No,
your
questions
are
great
and
I
and
I,
and
so
David
popped
into
chat
and
actually
David.
What
I
was
getting
ready
to
say
is
so
I'll
address
all
of
your
questions
and
then,
as
far
as
the
iso
part
is
concerned,
I'll
point
to
David
wheeler
on
that,
because
that
that
is
the
nature
of
so
I
can
answer
your
question
and
then
talk
and
then
David
can
talk
about
the
isoprop.
That's
the
nature
of
what
we're
doing
so.
Yes,
right
now
developed
in
Microsoft.
G
G
Hopefully,
we've
pitched
to
the
best
practices
working
group,
we've
pitched
to
the
security,
the
supply
chain,
Integrity
working
group
and
we're
here
with
the
end
users
working
group.
The
most
excitement
we've
had
across
all
all
three
working
groups
are
excited
about
this.
The
most
excitement
we've
had
has
been
here,
especially
with
with
John
because
of
the
nature
of
this
working
group.
If
this
working
group
votes
and
says
we
want
to
bring
it
into
this
working
group
outstanding,
the
objective
here
is
to
bring
this
into
the
open
ssf.
G
The
objective
here
is
to
bring
it
into
one
of
these
working
groups,
whichever
working
group
would
be
best
suited
for
it.
The
objective
is
to
get
all
three
of
these
working
groups
to
put
their
hands
on
it,
put
their
hands
into
it
more
than
just
contributing
to
it.
We
want
this
to
go
into
incubation.
We
want
this
to
be
further
developed.
G
We
want
this
to
be
done
in
the
open
we
if
it
ends
up
with
a
different
name,
as
I
said
before
the
end
state
for
me
aspirationally
and
isos,
whatever
ISO
number
is
given
to
us,
my
ISO
dash
one
iso-2
consumer
Focus
producer
Focus,
well-rounded
secure
supply
chain
framework-
that's
consumable
by
by
everyone
in
the
industry.
That
is
the
that
is
the
the
the
Apex
for
me,
but
right
now,
in
short
term,
get
it
into
the
openness
sub.
G
Let's,
let's,
let's
improve
upon
it
like
we're,
improving
upon
salsa
today,
just
like
we're
doing
with
salsa.
We
do
this
with
this
framework
and
understanding
that
both
need
vast
improvements
both
need
gaps
to
be
filled,
because
and
because,
because
both
actually
complement
one
another
right,
they
could
be
done
in
parallel.
Bridges
can
be
built
between
the
two.
This
framework
can
have
a
line
remnants
with
you
know
which
says
this
so
This
security
requirement
is
out
of
scope
of
this
framework.
G
To
address
this,
please
consult
the
producer
Focus
framework,
which
is
salsa
and
salsa,
can
do
the
same
for
this
framework
right
who
knows,
as
it
develops
over
time
and
as
we
get
closer
and
closer
and
closer
to
to
publishing
or
to
requesting
for
publishing
or
requesting
that
stuff
with
ISO
and
David
will
talk
about
that
in
a
second.
The
names
will
probably
change
the
the
the
the
the
format
will
probably
change,
but
guess
what
the
hard
work
that
we've
done
collectively
together
here
in
the
openness
and
step
towards
getting
it
to
that
state.
B
B
Yes,
okay,
okay,
so
short
answer
is
wait.
I
mean
somebody
has
to
decide
that
it's
worth
doing
but
and
I'll
note
that
we
we've
actually
Jane
I
have
tried
it
before
they've
already
switched
over
to
the
community.
License.
That's
well
recommended
required
by
the
open,
ssf
Charter
for
things
which
might
go
on
to
become
formal
specifications,
because
how
should
I
put
this
I
have
opinions
about
the
ways
that
certain
organizations
who
are
often
referred
to
as
patent
trolls
deal
with
the
world.
B
It's
it's
an
unfortunate
fact
of
life
that
there's
some
folks
who
who
make
life
harder
for
everybody
else.
So
so
we've
got
some
that
communication.
Community
specification
stuff
is
part
of
the
process
to
try
to
keep
out
the
trolls
think
everything,
but
we
we
are
prepared
to
deal
with
some
things
and
counter
some
problems
ahead
of
time.
B
D
D
Couldn't
come
up
with
something
for
tngo,
unfortunately,
but
the
other
thing
that
occurred
to
me
as
as
I
guess,
a
comment
or
looking
again
at
today
and
it
sort
of
struck
me
during
your
description,
Adrian,
but
there's
kind
of
a
demarcation
point
between
levels,
two
and
three
levels.
One
and
two
get
you
to
the
point
where
you're
prepared
to
deal
with
the
consequences
of
vulnerabilities
accidentally
being
introduced,
Upstream
and
levels.
D
Three
and
four
are
where
you're
dealing
with
attackers
who
consciously
look
for
ways
into
your
Upstream
rather
than
exploiting
something
that
was
put
there
accidentally
and
I.
Don't
know
if
that's
something
you
would
call
out
or
whether
you'd
be
like
phase
one
and
two
or
just
just
because
otherwise,
like
sometimes
people
blow
those
things
together
in
their
head,
when
they
talk
about
supply
chain.
I
Yeah,
that's
interesting.
We
internally
here,
we've
we've
had
lots
of
discussions
about
this,
and
and
we've
we've
kind
of
come
at
least
where
my
perspective
is
at
is
is
vulnerabilities,
are
an
entirely
different
class
of
what
we're
talking
about
than
than
like,
malicious
or
compromised
components,
and
even
compromised
components
isn't
entirely
true,
because
if
it's
just
typo
squatting,
all
they
did
is
just
change
the
name
of
the
package
to
look
similar
and
help
you
type
it
wrong.
I
F
E
So
I
want
to
go
through
and
and
look
for
that
and
then
the
other
I'd
like
to
understand
a
little
bit
more
about
the
tooling,
because
you
start
off
by
the
presentation
by
saying
it's
solution:
agnostic.
But
the
specification
does
say
that
it
is
a
combination
of
paid
and
free,
tooling,
from
Microsoft
and
other
providers.
I
Yeah:
apologies
for
the
confusion
there.
So
when
you
read
the
the
eight
practices
and
the
description
of
the
eight
practices,
there's
no
mention
of
tooling.
It's
really
just
process
based
thought
as
we
get
deeper
and
deeper
down.
You
know
because
it
starts
at
like
it's
like
a
funnel
and
gets
more
and
more
specific.
I
We
we
have
our
requirements,
and
then
we
have
an
implementation
guide
is
what
we
called
it
in
in
the
document,
and
the
implementation
guide
shows
the
requirements
across
the
four
different
levels
and
has
the
the
free
or
paid
tools
that
help
you
meet,
those
that
was
our
our
first
stab
at
making
a
list
of
of
tools.
It
is
not
a
comprehensive
list
of
tools
that
exist
out
there.
I
C
C
B
I
think
so,
just
this
is
actually
a
response
to
the
previous
comment
about
hey.
What
about
the
intentional
vulnerabilities
being
inserted,
and
the
good
news
is
that
with
this
SSC,
you
can
actually
track
it
through
so
right
from
front.
They
list
the
threats.
The
second
one
they
list
is
intentional
vulnerability,
slash
back
doors,
they
list
the
examples,
PHP
mitemin
and
the
mitigation
which
in
their
case
is
sca-5.
B
So
the
good
news
is
that
it's
not
hard
to
find
out
hey
what
are
they
trying
to
cover
and
how
do
they
think
they've
covered
it?
Obviously,
you
know
I'm
sure
things
can
be
beefed,
got
them
and
and
tweaked,
but
you
you.
Can
it's
not
hard
to
track
down
hey?
Are
they
at
least
trying
to
cover
that
case?
So
I
would
suggest,
walk
you
through
that
table
thanks.
A
After
a
certain
point
and
we're
across
all
of
the
organizations
we
are
going
to
start
to
contribute
to
one
project
rather
than
Reinventing
the
wheel
and
right
now
one
of
the
leaders
in
that
space
when
the
one
that's
making
the
most
progress
is
the
spdx
landscape.
While
it
is
around
spdx,
it
also
encompasses
other,
like
SCA
type
tools,
so
I
would
encourage
you
to
instead
find
other
projects
and
then
refer
to
them
in
the
documentation.
A
G
C
Can
I
sort
of
add
to
the
conversations
for
a
sec,
so
one
of
the
things
that
I
interested
me
about
the
the
SSC
was
that
the
focus
on
the
ingestion
and
sort
of
the
left
of
build
and
that's
certainly
an
area
I've
been
heavily
focused
on,
was
that
you
know
when
you,
when
you
look
at
the
scope
of
SSC,
where
were
you
where's,
the
intent
I
mean?
Is
it
all-encompassing,
except
from
we
have
salsa
as
well
or
or
you
know,
where
does
where
does
it
end?
C
I
I
I
I
feel,
like
I,
can't
answer
your
question
without
like
telling
a
story.
This
is
quite
frankly
how
Microsoft
got
started
on
our
secure
supply
chain.
Journey,
we
we
didn't
securing
the
software
supply
chain
is
so
broad
that
we
knew
we'd
be
boiling
the
ocean.
So
we
picked
one
category
and
we
said
let's
nail
it
here
first,
so
this
is
how
we've
been
securing
ourselves
since
2019.
H
E
So
quick
comment
here:
one
of
the
things
I
noticed
about
this
and
I
I
like
a
lot
a
lot
of
it.
That's
here
is
it's
I'm
guessing
the
origination
is
more
on
compliance
and
rather
than
supply
chain
security,
because
I
don't
see
much
about
third
parties
and
maybe
I'm
I
haven't
gone
through
the
document
line
for
line
and
I'm
missing
that
so
securing
your
software
supply
chain
really
is
also
about
third
parties
and
s-bombs,
and
so
on
and
I
see
from
a
maturity
model
perspective
and
some
of
the
questions.
E
I
I
I
E
About
what
about
their
parties
right,
one
of
the
most
interesting
presentations
I've
seen
recently
was
at
the
open
SSundee
in
in
Austin,
in
which
I
attended
one
by
I
think
it
was
New,
York
Presbyterian
hospital,
and
they
said
that
they
have
1800
different
device
manufacturers
that
they
need
to
manage
and
are
trying
to
figure
out
how
to
do
that
from
with
using
you
know,
an
s-bomb
first
type
of
approach.
So
again
it's
it's
for
an
end
user
consumer
managing
third-party
software
is
as
important
or
even
more
so
than
than
managing
their
their
own.
I
I
You
know
we're
we're
building
brand
new
systems
in
place
today
with
how
we
bring
in
drivers
and
firmware,
and
things
like
that
that
get
ingested
into
our
other
tools
that
that
are
are
way
different
than
just
consuming
open
source
from
a
public
registry,
so
I
mean
I
feel
like
we
should
have
a
conversation
offline
about
that,
because
I
feel
like
it's
it's
a
separate
topic
than
than
what
this
is.
Its
purpose
is.
G
Yeah
I
want
I
also
want
to
make
sure
we
we
do
put
the
line
in
between
compliance
versus
versus
security.
As
far
as
the
the
framework
is
concerned
start
the
conversation
talking
about
you
know
having
maturity
levels
that
doesn't
necessarily
lend
itself
towards
a
compliance
requirement
where
you're
receiving
some
type
of
certification,
you're
completely
type
of
attestation.
G
You
know
Salsa
Salsa,
deals
more
on
the
end
of
of
that
compliance
and
when
you're
receiving
the
testations,
not
saying
that
this
framework
couldn't
evolve
into
that,
but
that's
not
the
true
nature
of
what's
of
what
this
framework,
how
this
framework
has
been
built
here,
so
so
that
I
do
want
to
make
sure
that
that
those
lines
are
drawn
but
but
Andrew,
you
know
your
points
and
your
questions
are
are
extremely
valid.
I,
as
Adrian
said
you
might
want
to
take.
G
C
So
Jay
and
Adrian
we
are,
we
are
coming
up
in
time
a
little
bit
there,
we've
got
other
items,
but
one
one
thing
I'd
like
to
sort
of
add
just
from
our
experience
is
that
you
know
as
you're
looking
at
open
source
software,
particularly
around
ingestion
you're.
Looking
at
certain
controls,
you
need
to
implement
for
the
project
things
like
the
OSS
scorecard
and
you're
looking
at
things,
you
need
to
look
at
for
the
product
or
the
actual
open
source
Library,
and
it's
kind
of
the
same
approach
for
third-party
software
as
well.
C
Instead
of
the
project,
you'd
look
at
the
vendor
and
instead
of
you
know
the
the
open
source
Library,
it
would
be
a
vendor
product.
So
maybe
it's
something
to
extend
or
to
to
look
at
to
add
on,
but
you
know
it's
it's
a
very
similar
approach,
although
clearly
very
different
implementation,
but
more
conversations
to
come,
I'm
sure.
But
thank
you
very
very
much
for
for
presenting
here
today.
It's
been
really
easy.
Thank
you.
Thank
you,
our
pleasure
right.
So
moving
on
and
looking
at
the
agenda
we've
got
next.
C
The
the
group
is
looking
to
to
move
away
from
that
as
an
approach
and
look
at
perhaps
looking
at
getting
a
Vex
data
and
other
metrics
from
the
SAS
providers,
rather
than
the
full
Suite
of
S1
data.
I,
don't
think
any
decisions
have
been
made
as
yet
they're
still
working
through
things,
but
I
thought.
That
was
an
interesting
one
to
bring
to
the
team.
C
From
my
conversations
with
them,
that's
the
one
I've
seen
from
the
the
cloud
cloud
group
Vicky.
You
did
highlight
that
there
are
many
and
they
all
blend
in
into
one
certain
extent.
But
the
next
item,
the
agenda
is
sorry,
the
one
below
that
is
any
other
working
groups
see
Sarah,
otherwise
that
we
want
to
apprise
the
members
of
I
think
you
know
we're
all
in
lots
of
them
at
this
point.
Anything
of
note.
E
H
A
A
Oh,
not
the
extended
one
this
afternoon,
I
don't
have
an
invite
for
that,
but
but
I
do
want
to
mention
briefly
might
be
relevant
here
and
I.
Think
that
this
group
should
participate
in
it
is
that
the
best
practices
working
group
at
some
point
in
the
not
too
distant
future
will
be
taking
on
a
a
glossary
of
all
things.
A
D
Yes,
slightly
out
of
out
of
the
way,
but
one
thing
I'm
working
on
at
the
moment
in
securing
software
repos
is
the
idea
of
a
shared
help
desk
facility
for
those
organizations
where
it's
a
volunteer-led
thing
mostly.
So
we
can
scale
up
MFA
rollouts,
because
the
limiting
factor
is
the
amount
of
support
burden
that
comes
from
people
losing
their
mobile
phones
or
their
Hardware
tokens.
D
One
thing
that
would
be
very
helpful
and
has
been
so
far
impossible
to
retain
from
anybody,
because
it's
sensitive
data
is
what
is
the
cost
of
a
person
who
works
support
in
order
to
make
a
proposal
to
the
governing
board
by
the
tech.
I
need
to
be
able
to
come
up
with
a
vaguely,
realistic
figure.
Anyone
who
feels
comfortable
showing
that
confidentially
would
be
all
ears.
D
D
A
I
in
both
the
education
and
the
the
cert
Sig,
so
those
two
six
that
Crow
is
running
under
vulnerability
disclosure
and
best
practices.
Both
of
them
are
revamping
their
whole
foreign
mobilization
plan
plan,
The
Meta
plan,
they're
they're,
fixing
that
right
and
coming
up
with
budgets
and
time
frames
and
things
like
that
and
they
land
we've
landed
on
300K
we're
just
going
to
use
that
that's
our
our
number
for
a
a
person
whatever
that
is.
Is
it
wrong
heck?
Yes,
it's
wrong,
but.
F
A
E
C
A
C
D
H
I
I
was
trying
to
get
some
clarity,
I
think
I
just
got
it
on
what
the
what
the
purpose
was
for
the
the
costs
and
piece
but
yeah
the
very
to
the
point.
I
think
where
Andrew
was
going,
the
the
costs
of
variable,
hugely
depending
on
where
in
the
world
you
wish
to
resource
said,
but
one
of
the
other
things
that
we
found
when
we
were
looking
at
similar
sort
of
data
and
costs
per
things
is
a
lot
of
our
help.
C
C
Okay
right
next
on
the
agenda
is
the
the
goals
document
so
rather
than
reviewing
it
at
the
meeting
right
now.
What
I'd
ask
is
that
people
take
a
look
at
the
goals
document.
We've
got
a
number
of
comments
in
there
at
the
moment
has
been
a
bit
of
progress
there
there's
some
particular
elements
of
progress
within
that
are
highlighted
in
yellow
people
can
take
a
look
at
that.
What
I
might
suggest
is
if
people
are
interested.
C
E
So
we've
only
got
five
minutes:
I
don't
want
to
try
and
go
through
it.
I
can
do
it.
The
next
session,
so
anyway,
I've
been
working
on
a
presentation
that
we
all
can
use
and
share
with
other
people
that
we're
trying
to
other
organizations
we're
trying
to
bring
into
the
working
group
and
again
I
took
the
the
open,
ssf
town
hall
meeting
as
a
presentation
as
a
framework
I
hacked
it
up
a
bit
added.
More
obviously
working
group
content
sent
it
to
Jennifer
for
some
review.
She
just
got
it
back
to
me.
E
Last
night,
she's
been
a
little
busy,
obviously
with
the
Dublin
meeting,
so
she
added
some
things.
I
had
some
questions
on
so
I'm
going
to
go,
do
another
Rev
on
it
and
I
will
share
it
before
our
next
meeting
for
everyone
to
take
a
look
at
and
I'd
like
to
like
to
request.
You
know
15
minutes,
20
minutes
on
the
next
working
group
agenda.
C
Sounds
good
sounds
very
good.
All
right,
I
think
we've
gone
through
the
agenda,
any
other
business.
One
item
I
think
I
would
be
reasonable
to
suggest.
Is
you
know
follow-ups
to
SSC
if
people
want
to
perhaps
discuss
that
on
slack
next
steps
or
interest
in
in
joining
up
I
think
that'd
be
useful,
but
any
other
business.
F
Question
just
to
expand
on
the
question
that
I
was
asking
earlier:
Do
You
See
so
from
a
group
chair
perspective.
Right
like
this
is
a
new
group,
but
as
I
read
the
recently
merged
process,
update
for
the
for
the
openness
stuff
in
general,
there's
a
kind
of
there's
a
kind
of
steps
towards
incubation
thing,
and
one
of
the
steps
towards
incubation
is
acceptance
into
a
working
group
and
another
is
like.
Then
it
goes
to
the
attack
for
a
certain
level
of
approval,
and
then
it
becomes
a
formal
incubation.
F
F
I
get
I,
guess
I'm
coming
off,
as
rather
a
process
nerd,
but
I
guess
I'm,
just
trying
to
understand
really
kind
of
like
what
things
are
are
happening,
and
this
seems
like
a
a
very
important
potential
one.
But
yeah
I'd
really
like
to
see
some
stuff
move
through
this
incubation
process
so
that
we
have
kind
of
visibility
and
transparency
of
all
the
stuff.
That's
happening
across
open
ssf.
D
I
I'm
surprised
to
learn
that
in
this
industry
we
attract
people
who
are
interested
in
manipulating
rules
and
symbols,
but
more
generally,
very
quickly.
I.
There
was
a
discussion
about
this
in
the
supply
chain.
Integrity
group
yesterday
Abhishek
made
the
argument
that
it
belongs
there,
because
then
it
will
be
a
stablemate
with
salsa
and
that
helps
them
to
ensure
that
they
don't
like
step
on
each
other's
Toes
or
have
overlapping
Scopes.
Then
it
stays
nice
and
tidy
and
neat
and
there's
some
some
coordination.
D
B
Quick
comment:
procedurally,
you
know
we
we,
like
all
things
to
be
in
open,
ssf,
to
have
a
home
within
a
working
group
so
that
somebody's
watching
the
stories
that
were
and
the
tech
can't
watch
everything.
So
you
know
working
group
needs
to
say:
hey
I
I
will
say
that
I
think
in
general,
I've
heard
this
SSC
presentation
several
times,
I
think
in
general,
people
have
had
some
specific
nits,
but
overall
I've
heard
a
lot.
Nothing
but
positive
comments
overall.
So
a
working
group
needs
to
decide.
Yes,
we'll
accept
it.
B
B
One
of
the
reasons
to
bring
it
to
the
tech
is
so
that
they
can
figure
out
things
like
oh
wait.
It
could
go
in
these
three
different
working
groups.
Where
does
it
make
more
sense
and
just
try
to
help?
You
know
help
deconflict,
so
we're
not
trying
to
do
things
three
times.
Yeah
and
but
I
do
actually
agree
very
much
with
Jay.
White's
original
thing
got
comment
that,
regardless
of
whatever
the
home
is
for
the
work
and
I
think
that's
quite
likely
extremely
likely.
B
C
And
I
think
the
realities
from
the
end
user
working
group
is
as
we've
set
ourselves
up
right.
One
of
our
initial
statements
was
that
we'd
actually
be
in
multiple
different
working
groups,
and
that's
why
part
of
it
is
often.
You
know
how
we're
getting
on
interfacing
with
the
other
working
groups,
the
bit
we're
putting
it
in
the
end
user
working
group
from
just
reading
through
the
SSC.
B
So
yeah
to
answer
Dan's
our
question
process,
wise
I,
think
we
want
each
of
these
different
working
groups
to
decide
if
they
want
to
accept
it,
bring
it
forward
to
the
pack
if
more
than
one
working
group
says
yay,
which
is
entirely
plausible,
that
the
attack
will
have
to
say-
and
one
working
group
says
Hey
we'd
like
to
take
it
on.
But
there's
a
reason
for
this.
Other
working
group
I
mean
that's
great
too,
but
we
just
need
to.
B
C
That
makes
sense
to
me
yeah,
absolutely
all
right.
So
thank
you
very
much
for
for
joining
I,
think
good
to
see
a
number
of
additional
members
and
I
think
there's
quite
a
few
will
be
joining
after
we
after
they
leave
Dublin.
So
thanks
very
much
indeed
for
everyone's
time,
thanks
bye,
everyone.
Thank
you.
Bye.