►
From YouTube: End Users Working Group (April 13, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
C
D
Is
and
forgive
me
for
taking
some
of
the
air
time,
but
it
is
kind
of
relevant
so
for
anyone
who's
not
aware,
there's
been
an
ongoing
collaboration
between
medical
device
manufacturers
and
large
American
hospitals
about
generating
and
sharing
s-bombs,
and
they
are
now
that
the
FDA
rule
is
coming
into
full
force.
They're
busy
trying
to
figure
out.
Should
we
take
a
Victory
lap
and
shut
down,
always
nice
when
ad
hoc
government
things
say
we're
done
or
should
we
continue?
E
G
H
F
A
F
I
So
my
name
is
Joshua
luck,
I'm,
not
new
to
the
open
SF,
but
I
am
new
to
the
end
user.
Working
group
I've
been
working
in
open
source
software
supply
chain
for
a
long
time
and
recently
joined
Verizon,
so
I'm
looking
to
get
more
equating
with
this
group
and
understand,
and
hopefully
collaborate
too
and
contribute
with
folks
in
this
group
with
end
user
Focus.
J
F
D
F
F
M
Yeah
good
morning,
good
evening,
everyone
we
I'm
glad
to
see
a
couple
new
members
who
who
joined
today
and
for
all
of
those
of
you
who
have
access
to
slack
I,
put
a
spreadsheet
in
the
bar
at
the
top.
It
lists
some
of
the
targets
where
we
have
actually
actions
going
on
so,
for
example,
Mercedes
is
going
to
join
us.
M
Okay,
so
we
we
should.
These
are
clearly
some
good
end
users
we
need
to
reach
out
to
so.
If
we
can
get
some
some
contact
names
from
them,
then
I'm
happy
to
pursue
it
and
if
any
of
you
have
contacts
or
suggestions
for
other
end
users
that
we
should
be
reaching
out
to
Jim.
Thank
you
for
providing
the
contact
and
information
to
the
New,
York
Presbyterian,
Hospital
they're,
doing
some
really
really
cool
stuff
around
open
source
and
I
think
they
said
that
they
would
also
join
next
week.
M
So,
thanks
for
making
that
contact
and
connection,
that's
really
helpful,
but
we
we
want
to
continue
to
get
some
more
folks
in
in
other
highly
regulated
Industries.
Another
healthcare
provider
would
would
be
good.
So
again,
if
any
of
you
have
suggestions,
please
add
them
to
the
spreadsheet
or
Reach
Out
directly
yourselves,
whatever
you,
you
prefer,
but
we're
getting
a
a
good
group
here
and
a
good,
a
good
pipeline.
M
C
Yeah
real
quick
I
just
wanted
to
add
on
the
significance
of
New
York
Presbyterian.
Some
of
you
may
have
seen,
or
are
familiar
with
the
fact
that
they
contributed
daggerboard
as
an
open
source,
Spa
management
tool
which
they're
playing
around
with
within
New
York
Presbyterian
and
has
benefits
both
within
the
healthcare
sector
and
and
outside
as
well
so
it'd
be.
It
would
be
interesting
to
see
where
they're
going
I've
been
kind
of
trying
to
press
J
into
actually
establishing
real
life
first
time,
Healthcare
Osco.
F
Are
a
couple
of
people
and
a
couple
of
groups
on
the
edge
where
we're
talking
to
in
the
have
they're
talking
about
joining
I?
Think
there's
Noah
from
Spotify
who
is
coming
back
from
maternity
and
a
couple
of
others
from
ADP
and
other
groups?
So
we
will
see
more
people
joining
in
shortly
so
Andrew.
Thanks
for
your
work
on
that,
I
think
it's
starting
to
pay
off
great
stuff.
M
F
O
O
And
so
let
me
just
first
talk
about
the
problem
and
go
through
that
really
quick
right.
So
here
you
know
our
supply
software
Supply
chains
are
complicated
and
even
just
a
very
simple
software
supply
chain
that
loads
in
a
few
hundred
packages
that
you're
using
you're,
actually
obviously
using
tens
of
thousands
of
packages
and
in
this
image
you
see
here,
there's
literally
tens
of
thousands
of
packages
in
there
that
you're,
actually,
including
your
you
know,
via
transitive
or
somehow
impacted
by
right
and
each
one
of
those
packages
is
potential.
O
You
know
it's
an
asteroid
right
like
most
of
these
packages
will
are
benign
you'll.
They
they
do
what
they
say
out
there.
They
do
on
their
tin
and
that's
it
right,
some
of
them.
You
know
they
have
vulnerabilities,
you
know,
and
and
even
though
they
are,
you
know,
some
of
them
will
will
pass
by
you
know
close
by,
but
but
miss
you.
Some
of
them
might
hit
you
but
mostly
burn
up
in
the
atmosphere
and
cause
very
little
damage.
O
But
where
are
the
ones
that
are
you're
super
worried
about
right,
like
which
ones
should
you
be
super
worried
about?
Which
ones
are
huge,
will
have
huge
impact
and
Beyond
crash
course
with
you,
and
so
that's
what
we're
trying
to
figure
out
right,
and
so
why
is
this
so
complicated?
Why
is
this
such
a
big
problem?
Well,
we
have
both
too
much
data
and
too
little
data
right.
O
We
have
s-bombs
Vex
salsa
various
other
pieces
of
metadata
cves,
all
this
sort
of
stuff,
also
overall,
the
data
quality
on
a
lot
of
these.
A
lot
of
this
is
quite
bad
right,
like
you
know,
as
you've
seen
folks
from
like
s-bomb,
Benchmark
or
or
s-bomb
scorecard
we're,
seeing
that,
like
largely
right
now
at
least
a
lot
of
the
s-bomb
quality
isn't
very
good,
and
so
we
don't
know
what's
actually
out
there
and
we
don't
know
where
those
gaps
are
right.
O
Let's
talk
about
what
what
what
like
what's
actually
needed
here
right
so
as
end
users,
right
and
and
as
somebody
who
is
up
until
recently,
mostly
in
in
the
end
user
space
right.
We
need
tools
that
stay
out
of
the
developer's
way,
but
provide
them
feedback
when
they
need
it
right.
We
don't
want
a
developer
to
look
at
that
big
set
of
packages
and
say
you
need
to
worry
about
that
right.
We
want
to
just
tell
them
hey.
O
O
We
need
also
consistent
enforcement
of
policy
against
the
stlc
right.
We
don't
want
to
have
tools
that
you
know,
apply
completely
different
rules
and
a
completely
different
rule
engine
for
your
sort
of
inject.
You
know
your
open
source
ingestion
as
you
do
for
managing
that
same
sort
of
Open
Source
risk
when
you
start
to
go
into
the
build
right-
and
we
believe
this
isn't
possible
without
a
data
store
for
your
supply
chain,
security,
metadata.
O
All
right-
and
so
this
is
what
the
picture
looks
like
right,
so
you
want
to
start
to
be
able
to
put
the
pieces
together,
and
you
know
over
here
on
the
right
hand,
side
you
have
some
packages,
you
have
a
various
dependencies
and
eventually
that
sort
of
dependencies
sort
of
blows
up
into
this
thing
of
here's
all
the
files
that
are
used
in
a
build.
In
this
case
we
pulled
this
information
from
salsa
and
this
is
actually
kubernetes,
and
so
you
think
you
know
you
might
think
hey
I'm.
O
Actually
this
is
what
I'm
worried
about,
and
these
are
the
things
you
know,
but
then
actually
there's
all
this
other
information
that's
out
there,
and
so
now
let
me
go
and
just
show
you
what
the
goal
here
is
and
and
and
like
what
this
should
look
like
to
the
actual
developer.
Who
is
looking
at
this
with
Hands-On
keyboard?
B
O
O
You
know
we
queried
your
data
engine,
we
applied
it
to
policy,
and
we
said
this.
You
know
there's
something
wrong
here
right
in
this
case,
it's
a
little
bit
canned,
but
you
know
the
the
idea
here
is.
This
query
is
information
in
guac?
It's
found
to
be,
you
know
not
in
policy,
and
so
you
know
it
provides
some
information
there
for
for
folks
to
sort
of
operate
on
right,
and
so
this
is
what
you
know
the
developer
wants.
The
developer
doesn't
want.
O
You
know
to
say:
okay
well,
I'm
told
that
some
package
in
somewhere
in
my
project
is
bad
and
I
need
to
figure
it
out
right.
They
want
to
be
just
told,
hey
this
package.
Doesn't
you
know
meet
policy,
whether
it's
Regulatory
Compliance,
whether
it's
hey,
there's
a
vulnerability
and
we
are
pretty
sure
you
are
impacted
by
that
vulnerability
or
some
other
mechanism
right,
and
so
how
does
then,
like
the
organization,
the
security
engineers
get
to
that
right?
O
How
do
they
kind
of
figure
out
what
that
thing
should
be,
and
then
how
do
they
explore
that
that's
kind
of
a
bit
more
where,
where
some
of
this
other
stuff
comes
in,
and
let
me
show
you
something
that
you
know
is
still
being
worked
on
from
the
UI
perspective,
but
in
this
image
or
not
image,
it's
it's
interactive
here
in
this
supply
chain
graph.
This
is
information,
that's
coming
from
guac
and
so
just
a
reminder.
O
Guac
is
a
a
supply
chain
graph
and
inside
of
here
right
we
have
a
bunch
of
different
packages,
and
this
is
just
the
python
packages.
If
I
included
everything,
it
would
be
hundreds
of
thousands,
but
I
can
go
and
look
at
stuff
like
actually
let
me
go
and
look
at
celery
right
and
I
can
zoom
in
specifically
here
and
obviously
there'd
be
a
lot
more
knobs
and
and
things
for
folks
once
we
get
once
we
get
there,
but
you
can
start
to
see
here.
I
can
click
on
this
and
right.
O
So
that's
the
information
you
might
have
from
an
s-bomb,
but,
as
you
start
to
pull
out-
and
you
start
to
look
at
information
coming
from
depths.dev
from
cve
streams
from
osv
and
so
on,
I
can
start
to
Bubble
this
up.
You
know
blow
this
up
a
little
bit
and
you
start
to
see
hey,
there's
a
pi
SEC
vulnerability
associated
with
this
version
of
a
thing
there
is
this
GH
there's
this
GHSA
alert
and
we
could
start
to
you
know
continue
to
like
look
at.
Are
there
ones
that
hey
this?
O
This
version
of
this
thing
also
has
that
same
vulnerability
and
and
so
on,
and
you
can,
you
know,
begin
to
also
look
at
stuff
like
I.
Don't
think
this
one
is
included
in
any
of
our
images,
but
you
could
start
to
look
at
stuff.
Like
hey
is,
is
this
particular,
oh?
Actually,
I
guess?
Maybe
there
is
so
we
can
see
here
that
actually,
if
I
pulled
this
up
a
little
bit
more
I'm
sorry
you
can
see
here
there
is
like
a.
This
is
used
inside
of
a
a
container
one
right.
O
How
do
you
know
what
what
sorts
of
things
would
a
security
engineer
and
developers
do
well?
This
is
all
a
graphql
API
and
we
have
a
bunch
of
tools
that
can
interact
with
it.
You
know
to
to
help
out
with
actually
running
the
queries
and
running
automation
to
kind
of
hit
some
of
the
the
key
things
like
hey
from
from
this
package.
Can
you
find
me
all
vulnerabilities
whether
they
are
direct
or
transitive
from
this
package
that
are
in
the
dependency
chain?
O
A
O
O
If
I
want
to
fetch
information
about,
for
example,
salsa
right,
hey
find
me,
you
know
here,
you
know
find
me
this
Builder
right
is
in
this
case
it's
the
kubernetes,
salsa
Builder,
and
if
I
wanted
to
go
in
and
go
in
and
say,
hey
find
me
all
things
that
are
connected
to
that
salsa
Builder.
We
can
do
that
as
well,
and
you
can
see
here's
all
that
various
salsa
attestations
associated
with
that
Builder.
So,
for
example,
if
you
come
in
and
say,
hey
that
Builder
is
was
turned
out
to
be
malicious
right.
O
Okay,
so
so
just
kind
of
going
back
to
the
architecture
here
quickly,
right,
ideally,
what
you
want
is
you
want
to
have
all
of
that
information
loaded
into
a
Knowledge
Graph
right,
your
cves,
your
response,
Etc
that
can
then
feed
back
into
the
rest
of
your
sdlc,
whether
it's
a
sterling
tool
chain
or
or
whatever
else
right.
Where
you
you
have.
You
know
you
want
to
make
sure
like
I'm,
basing
my
ingestion
off
of
the
same
information
that
I'm
basing
my
secure
Dev
on
that
I'm.
O
Basing
my
secure
build
on
that
I'm,
basing
when
I
go
to
actually
do
binary
authorization
right,
you
don't
want
to
say
well,
I'm,
looking
at
this
s-bomb
in
this
case,
I'm
looking
at
this
CBE
and
you
know
stream
in
this
case
you
want
to
have
all
of
that
data
in
one
place
that
can
then
use
be
used
by
policy
to
then
sort
of
figure.
All
of
that
out
right
and
then
quickly.
O
You
know
really,
when
you
start
to
look
at
the
depth,
then
you
have
stuff,
like
the
trust.
Foundation
right,
Sig
store
right
is
at
the
base
and
stuff
like
six
store.
Where
you're
doing
your
signing
your
your
establishing
identities,
then
you
want
to
have
signed
identities.
This
is
stuff
like
signing,
s-bombs,
salsa,
attestations
and
those
sorts
of
things.
Then
you
want
to
make
sure
that
okay,
well
now
that
I
have
all
this
data
I
want
to
perform
analysis
on
this
I
want
to
find.
F
D
D
So,
very
briefly,
some
things
that
this
group
might
be
interested
in
the
sister
s
bomb
work
has
been
banging
its
head
for
a
while
on
what
does
s-bomb
mean
for
cloud
and
obviously
for
developers.
There
shouldn't
be
a
difference
right.
You
write
software.
You
should
know
what
the
heck's
in
your
software,
but
from
a
customer
perspective.
What
does
that
mean?
D
There's
some
work
happening.
That's
trying
to
sort
of
say
from
a
customer
perspective,
why
is
SAS
different
from
on-prem
would
love
some
thoughts
on
that
I'll
paste,
a
link,
there's
a
sort
of
after
a
lot
of
spinning,
they're
sort
of
focusing
on
that.
So
I
will
share
a
link
to
that
rough
document
and
the
other
thing
that
I
want
to
flag.
That
also
might
be
relevant
from
the
folks
who
use
data
and
use
s-bomb
data
is
we're
now
starting
to
acknowledge
that
an
s-bomb
is
not
an
s
bomb.
D
F
C
F
F
O
Sure
yeah,
I
think
and
I
shared
in
the
slack.
The
the
and
I'll
share
it
here
as
well.
The
the
guac,
the
GitHub
page,
but
yeah
if
folks
are,
are
interested
yeah,
we're
definitely
interested
in
more
Community
sort
of
Engagement.
So
from
you
know
the
end
user
space
hey,
you
know
what
feedback
do
folks
have
what
sorts
of
I
think
the
big
things
are,
what
sorts
of
use
cases
do
folks
have
and
and
generally
like?
What
do
folks
want
to
see?
O
As
that
end
state
right,
you
know,
as
I
showed
originally
right,
like
I,
think
you
know
as
being
a
developer
and
whatnot
as
a
developer.
I
just
want
to
be
able
to
say:
oh
I
get
the
red
squiggly.
The
red
squiggly
tells
me
to
update
to
this
Library
I.
Do
that
and
I
move
on
with
my
day,
as
opposed
to
dealing
with
spreadsheets
filled
with
tons
and
tons
of
of
things
I'm
supposed
to
to
sort
through
and
figure
out
myself
and
so,
and
the
same
thing
also
goes
with
stuff
like
ingestion
right.
O
O
This
data
regarding
you,
know,
cve
streams
and
those
sorts
of
things
and
then,
as
well
as
like
anything
else
from
like
you
know,
thesos
or
whomever
who
are
stakeholders
who
are
you
know
what
they're
probably
concerned
about
is
more
around
you
know
am
I
is:
is
my
software
compliant
with
with
regulations
and
are
am
I?
You
know?
Is
the
company
going
to
get
pwned
anytime
soon,
right,
I
think
what
sorts
of
things
do
folks
want
to
see
there
and
we
want
to
see
where
we
can
help
out.
F
J
Oh
yeah
I'd
like
to
add
also
that
you
know
I,
think
a
lot
of
the
the
utilities
that
we
saw
kind
of
just
building
on
top
of
that,
and
those
are
the
things
that,
like
we,
it's
all
based
on
the
graphql
API.
So
it's
not.
You
know
everything's
available
by
the
API.
It's
really
easy
to
spin
up
new
things,
so
it's
nothing's
like
tied
to
the
particular
representation
or
the
UI
that
we
have.
H
F
N
N
It
was
also
suggesting
to
check,
with
the
best
practices,
working
group
and
integrity
working
group
yeah,
because
he
sees
that
probably
could
be
of
interest
of
of
different
working
groups.
So
I
wanted
to
discuss
with
you.
What
would
you
think
will
be
the
following
steps:
how
we
can
push
forward
this
this
item?
How
can
I
be
helpful
for
that?
We
also
discussed
the
topic
of
Licensing.
N
Everything
should
be
fine
because
we
should
have
both
for
the
repository
a
license
that
should
be
easily
transferable
below
before
below
the
openness
itself
and
also
I
think
with
the
paper
we
could
think
about
extracting
extracting
only
the
part
of
the
taxonomy
and
realizance
below
the
opponents
itself.
But
maybe
this
could
be
a
further
item
for
discussion.
F
N
G
F
H
F
P
F
J
F
J
P
Yeah
yeah,
so
I've
been
I've,
been
walking.
Pierre
Giorgio
I've
been
walking
your
paper
around
to
different
working
groups
and
in
different
Sig
meetings
all
over
the
place
because
I've
been
you
know,
taking
the
efforts
that
started
here
and
pitching
you
know,
taxonomy
work
across
the
board,
so
I
mean
I
mean
you
know
it's
good,
that
that
we're
doing
this
conversation
to
being
had
and
I'm
working
on
a
bit
of
a
proposal
as
well
I'm
just
trying
to
make
sure
we're
one.
We
need
a.
P
We
need
a
fully
formed
attack
and
then
two
making
sure
that
they're
we're
helping
and
not
hurting
efforts
by
trying
to
propose
something
without
finishing
or
or
starting
in
other
places.
I
know
that
the
end
users
work
I,
know
here
we're
working
on
a
a
taxonomy,
a
proposal
getting
that
pushed
through
as
well.
So
I
wanted
to
make
sure
that
the
efforts
are
not
available
any
chance.
I
get
when
I
talk
about
taxonomy
I
bring
up
I
bring
up
that
work.
P
You
know
bring
up
the
work
being
done
here,
so
I
mean
other
other
communities
as
well.
Getting
involved
is
a
great
thing.
It
just
just
things
that
we,
you
know,
let's
make
sure
that
we're
settling
on
a
place
to
do
the
work,
do
the
work
and
then
pitch
the
work
being
done
out
rather
than
you
know,
continuing
to
just
I,
don't
know
I
I,
think
I.
Think
our
initiative
here
is
good.
I!
Think
what
we
have
thinking
about
on
a
grander
scale
across
open.
F
So
I
I
think
we
had
a
proposal
that
was
sent
to
the
attack
and
we
have
the
taxonomy
itself
that
people
have
been
adding
to
I,
think
Jay
and
I
think
the
sort
of
more
to
go
there
as
well
right,
I,
think
in
terms
of
moving
things
forward.
I
don't
know
if
there's
any
other
thoughts,
Chrome
I
know
you're
on
the
line.
Any.
Q
Yeah
I
would
be
glad
to
have
Pierre
Giorgio
come
talk
to
the
best
practices,
working
group
and
also
I
think
the
vulnerability
disclosures
working
group
I
think
that
would
be
interesting
for
them,
as
Jay
alluded
to
I
think
this
is
important.
Work
and
I
think
it
deserves
to
live
in
a
a
dedicated
place
within
the
foundation,
something
around
a
general
kind
of
architecture,
kind
of
a
centralized
facility
that
deals
with
not
only
this
taxonomy
but
other
terms
and
lexicons.
We
use
across
the
foundation
personas
any
kind
of
these
Universal
things
across
the
foundation.
Q
I
think
should
live
in
some
centralized
place,
and
a
couple
of
us
are
suggesting
that
the
foundation
create
that
we'll
see
if
a
new
tech
agrees,
but
yeah
I
would
welcome
you
to
come
talk
to
both
of
the
working
groups.
I'm
interact
with
I
think
it
would
be
useful
and
interesting
for
us
to
discuss
more
and
I
I
have
done
personal
presentations
where
I've
used
the
taxonomy
to
illustrate
supply
chain
attacks.
It's
been
pretty
very
illustrative.
F
Q
Q
F
F
F
K
All
right
so
I
mean
we
have
concluded
basically
the
work
on
this
large-scale
architect
or
this
architecture
of
this
large-scale
in-house
development
organization
of
a
non-regulated
company
right.
We
said
it
is
good
enough
to
progress
and
proceed
with
threat
modeling
together
with
Jonathan
and
Abdullah.
We
came
up
with
a
couple
of
high-level
assets,
and
so
the
next
two
steps
will
be
really
thread.
K
Modeling,
those
the
three
of
us
have
kind
of
a
goal
to
present
some
have
something
presentable
at
the
future,
app
as
I
said
conference
in
a
couple
of
weeks,
other
than
that
Abdullah
was
so
kind
to
reach
out
to
see
Rob
and
ask
for
a
open,
ssf
calendar
item,
I'm,
not
sure
whether
there
has
been
any
anything
sent
around
already.
It's
done,
yay.
Q
F
We've
been
really
still
struggling
to
find
other
small
end
users
to
add
to
those
architectures
or
the
threat
models.
So
we
just
as
Henrik
says
forging
ahead
with
the
the
major
one,
a
couple
of
bits
of
feedback
that
have
been
coming
in
about
the
level
of
granularity
and
the
reality
is
whilst
I
think
this
is
a
high
level
threat
model.
There
are
other
threat
models.
We
can
bring
to
bear
around
some
more
of
the
details,
but
we're
trying
to
keep
it
fairly.
F
Generic
and
I
think
what
we're
really
looking
for
is
just
additional
contributors
to
to
join
us
to
go
through
internet
modeling
to
get
other
people's
viewpoints
on
it,
and
you
know:
we've
got
JPMorgan,
Citibank
and
and
all
Labs
looking
at
it,
but
there's
other
end.
Users
that'd
be
good
to
get
people's
view
to
make
sure
that,
when
we're
building
up
these
threats
it
makes
sense.
F
I
think
we've
also
had
a
couple
of
conversations
about
where
to
use
the
threat
model
and
architecture,
and
this
goes
back
to
when
we
presented
it
to
the
tech
a
couple
of
months
ago.
Now,
with
the
view
that
as
we
build
out
a
sterling
tool
chain,
or
as
we
look
at
the
different
standards
for
supply
chain,
if
we
had
an
architecture
up
front
and
then
we
applied
the
threat
model
to
it,
we'd
understand
where
the
different
emerging
standards
would
fit
and
also
where
any
gaps
would
exist.
F
Q
F
Absolutely
totally
totally
agree,
so,
as
we
figure
out
where
that
is,
we
will,
we
will
appropriately
contribute
it.
So
really
just
looking
for
additional
assistance
to
help
with
that
work.
We've
got
the
those
meetings
coming
up
and
we've
done
a
number
of
ad
hoc
meetings.
Adding
into
that
correct
model,
more
people
are
better.
So
all
PR
is
welcome
at
this
point.
F
F
O
Yeah
yeah
I
can
provide
a
little
bit
of
an
update
on
both
the
supply
chain-
Integrity
group
here,
as
well
as
the
supply
chain
group
over
in
in
in
cncf.
So
the
group
here
in
in
we're
working.
So
if
you
might
have
seen
salsa
1.0
release
candidate
2
is
out,
we
are
I,
believe
it's
the
18th
or
19th
1.0
is
planned
to
be
released
unless
somebody
comes
in
and
says,
stop
the
presses,
but
so
1.0
should
be
going
out
soon,
with
that
kind
of
coming
out.
O
You
know
largely.
You
know
the
folks
who
are
building
these
tools
as
well
as
the
folks
who
are
consuming
this
data.
Don't
want
to
have
a
million
different
ways
to
ingest
the
data,
because
you
know
ruby
gems
decided
to
do
it
completely
different
than
npm.
That
decided
to
do
it
completely
different
from
Pi,
Pi
and
so
on.
If
there's
like
a
handful
of
things-
and
you
know
a
couple
of
outliers-
that's
that's
probably
fine.
O
P
P
He
put
out
where
he
spoke
about
the
different
tracks,
the
different
subsequent
tracks
that
are
coming
up
with
salsa,
one
of
them
being
a
potential
dependency
track,
which
is
exciting
because
if
we
take
s2c2f
and
we
do
the
right
thing
with
it,
that
could
be
a
catalyst
for
what
become,
but
for
what
the
dependency
track
is
to
become
and
those
things
can
work
hand
in
hand
furthering
bridging
scc-12
and
salsa.
Now,
what
does
that
mean?
That
means
that
there's
a
lot
more
work
that
can
be
done
right
today.
P
Right
now,
we're
working
on
explaining
to
a
report
which
is
which
is
great
but
also
there's
a
new
threat
and
and
I
was
trying
to
do
it
real,
quick
to
find
the
issue.
But
if
you
go
to
the
s2c2f,
GitHub
repo
and
you
go
to
issues,
you'll
see
an
issue
in
there
where
we've
actually
identified
an
additional
threat
that
we're
working
on
right
now
trying
to
get
the
proper
wording,
for
it
might
actually
become
two
different,
two
different
threats
that
get
put
in
to
s2c12.
P
O
O
O
Maybe
it
needs
some
maintenance
as
that
representative
example,
so,
I'll
post
a
a
document
that
I've
written
up
just
sort
of
describing
what
Fresca
is
and
and
and
that
sort
of
thing
before
I
continue
prob,
oh
okay,
the
other
thing
regarding
the
supply
chain
working
group
within
the
cncf,
so
we're
working
on.
Originally,
it
was
supposed
to
be
sort
of
a
real
world
policy
white
paper
on
supply
chain
policy
in
the
cloud
native
space
But
as
time
kind
of
went
on.
O
Q
Yeah,
so
some
quick
updates
from
other
working
groups,
the
end
user
I'm.
Sorry,
the
the
best
working
group
has
officially
adopted
the
memory
safety
Sig
you'll
recall
that
memory
safety
was
one
the
one
of
the
elements
of
the
mobilization
plan,
so
that
is
now
officially
a
Sig
underneath
the
best
working
group,
and
they
have
a
call
later
today
so
anyone's
interested
in
talking
about
converting
older
software
into
memory,
safe
languages
or
using
more
memory.
Safe
techniques
join
the
fun
the
vulnerability
disclosures
working
group.
Q
Q
If
anyone
wants
to
use
it,
but
the
main
reason
we
adopted
this
is
to
try
to
give
the
foundation
and
the
community
a
voice
in
these
large
industry
spanning
issues,
and
this
gives
us
a
bridge
into
talking
more
efficiently
with
groups
like
cve
csaf
s-bomb.
So
it's
I'm
very
excited
about
the
the
ongoing
Vex
work
and
then
we
also
have
re-energized
our
engagement
with
osv,
which
is
a
vulnerability
documentation.
Standard
used
by
like
GitHub
advisories,
for
example,
so
you'll
see
much
more
energy
and
forward
velocity
around
osv
out
of
the
foundation.
Q
F
F
F
Okay,
so
we'll
ask
the
gender
item
is
any
other
business
and
if
I
can
raise
one
just
as
a
bit
of
a
reminder,
we
are
closing
in
on
Vancouver
right
we're
only
a
couple
of
weeks
away
and
I
think
people
are
getting
together
and
ready
to
participate
in
that.
So
just
a
bit
of
a
reminder:
if
you
haven't
booked
your
travel
go
and
book
it
I
haven't
either,
but
hopefully
people
are
meeting
up
for
a
couple
of
beers
when
we're
in
Vancouver.
E
M
Q
One
quick
thing
not
Foundation,
related
I'm,
jumping
over
to
a
call
at
the
first
P
cert
seg,
the
CVSs
V4
standard
is
very
close
to
implementation
and
release.
So
look
forward
to
all
of
your
favorite
vendors
and
security
researchers
using
a
new
and
better
version
of
CVSs
very
soon
and
I
can
bring
back
details
in
a
future
call
once
I
hop
over
there.
That'd
be
good
actually.