From YouTube: End Users Working Group (April 13, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
Is... all right, we'll have to go and explore who's.

C
Has been, and if I may take 30 seconds of indulgence: I changed jobs from the Linux Foundation and in doing so lost track of my healthcare SBOM POC working group calendar invites and stuff. Is that still ongoing? It...

D
Is, and forgive me for taking some of the air time, but it is kind of relevant. So for anyone who's not aware, there's been an ongoing collaboration between medical device manufacturers and large American hospitals about generating and sharing SBOMs, and they are, now that the FDA rule is coming into full force, they're busy trying to figure out: should we take a victory lap and shut down (always nice when ad hoc government things say we're done), or should we continue?

C
Kind, thank you, sir, appreciate that, taking the moment. And to add to Alan's comments, we've been at it since, what, 2018, I think.
F
Right, look forward to it, very cool. Right, we've got a lot of people on the call already, very good, so a little packed agenda.

F
If people can update the meeting notes, I would appreciate it, and if we jump down to the agenda, first things first, as always, we look for any new friends on the group that want to say hello.

F
And I saw quite a few people coming in, but I think also a chunk of people are on holiday at the moment. So, any new friends that want to say hello?

I
So my name is Joshua Lock. I'm not new to the OpenSSF, but I am new to the End User Working Group. I've been working in open source software supply chain for a long time and recently joined Verizon, so I'm looking to get more acquainted with this group and understand, and hopefully collaborate too and contribute with folks in this group with end user focus.

F
Josh, next up.

F
Hello, welcome. And Brandon, do you want to go next, Brandon?

J
Yeah, hi, says me: hi, I'm part of the Google Open Source Security Team, not new to OpenSSF and stuff as well, but I'm new to this group. So hi, everyone.

F
Excellent, welcome. Thank you very much. And Dr Amanda Martin.

F
Sure we will, thank you. Sunny.

C
Hi everyone, Sunny AP, I'm part of the Kusari team working.

L
Hey everybody. This is Parth, also part of the Kusari team, working on GUAC, glad to be here.

F
Very cool, okay! Thank you, so good to see a lot of new faces. Welcome to the group. First thing, or the next thing, one or another, is to see if we can nominate a scribe. Anyone available to take up scribe duties today?

F
All right, so first thing on the agenda is the membership update. So Andrew, do you want to give a quick update?
M
Yeah, good morning, good evening, everyone. I'm glad to see a couple new members who joined today, and for all of those of you who have access to Slack, I put a spreadsheet in the bar at the top. It lists some of the targets where we actually have actions going on, so, for example, Mercedes is going to join us.

M
Okay, so we should... These are clearly some good end users we need to reach out to, so if we can get some contact names from them, then I'm happy to pursue it, and if any of you have contacts or suggestions for other end users that we should be reaching out to... Jim, thank you for providing the contact and information to the New York Presbyterian Hospital; they're doing some really cool stuff around open source, and I think they said that they would also join next week.

M
So, thanks for making that contact and connection, that's really helpful, but we want to continue to get some more folks in other highly regulated industries. Another healthcare provider would be good. So again, if any of you have suggestions, please add them to the spreadsheet or reach out directly yourselves, whatever you prefer, but we're getting a good group here and a good pipeline.

C
Yeah, real quick, I just wanted to add on the significance of New York Presbyterian. Some of you may have seen, or are familiar with, the fact that they contributed DaggerBoard as an open source SBOM management tool, which they're playing around with within New York Presbyterian, and it has benefits both within the healthcare sector and outside as well. So it would be interesting to see where they're going. I've been kind of trying to press J into actually establishing a real life, first time healthcare OSPO.

F
There are a couple of people and a couple of groups on the edge that we're talking to, in the... have they're talking about joining. I think there's Noah from Spotify, who is coming back from maternity, and a couple of others from ADP and other groups. So we will see more people joining in shortly. So Andrew, thanks for your work on that, I think it's starting to pay off, great stuff.

M
And now again, to George's point, I'll add another tab. I'll send out a notice to this on the Slack channel, and if you can add yourself: your name, title, contact, role and so on, just the basics.

F
Pretty cool! Thank you, all right. Next item on the list is Mike and team to give us a bit of an update on GUAC. Sure.
F
I think probably sort of 15 minutes, to see how it goes. Sure. Yeah.

A
Yep, give me one second.

O
Crush for me one second, let me refresh the page. There we go, okay. So GUAC, it's a pro... it's an open source project that's a collaboration between Google, Kusari and Purdue University, and we got a lot of our sort of use cases in collaboration from Citi.

O
And so let me just first talk about the problem and go through that really quick, right. So here, you know, our software supply chains are complicated, and even just a very simple software supply chain that loads in a few hundred packages that you're using, you're actually obviously using tens of thousands of packages, and in this image you see here, there's literally tens of thousands of packages in there that you're actually including, you know, via transitive, or somehow impacted by, right, and each one of those packages is potential...

O
You know, it's an asteroid, right. Like most of these packages are benign. They do what they say on their tin and that's it, right. Some of them, you know, they have vulnerabilities, you know, and even though they are, you know, some of them will pass by, you know, close by, but miss you. Some of them might hit you but mostly burn up in the atmosphere and cause very little damage.

O
But where are the ones that you're super worried about, right? Like which ones should you be super worried about? Which ones will have huge impact and be on a crash course with you? And so that's what we're trying to figure out, right. And so why is this so complicated? Why is this such a big problem? Well, we have both too much data and too little data, right.

O
We have SBOMs, VEX, SLSA, various other pieces of metadata, CVEs, all this sort of stuff. Also, overall, the data quality on a lot of these, a lot of this is quite bad, right. Like, you know, as you've seen, folks from like SBOM Benchmark or SBOM Scorecard, we're seeing that, like, largely right now at least, a lot of the SBOM quality isn't very good, and so we don't know what's actually out there and we don't know where those gaps are, right.

O
You know, so we want to kind of point the telescope at our supply chain, start to look out there and see: what are the things that we should be worried about, what are the things we actually have information on and that we can kind of build relationships to better understand whether or not we are about to be impacted, and then, you know, we're also looking at, you know, what are the areas we don't have enough information to actually make a call, and that's worrying.

O
Let's talk about what's actually needed here, right. So as end users, right, and as somebody who was up until recently mostly in the end user space, right, we need tools that stay out of the developer's way but provide them feedback when they need it, right. We don't want a developer to look at that big set of packages and say you need to worry about that, right. We want to just tell them, hey...
O
We need also consistent enforcement of policy against the SDLC, right. We don't want to have tools that, you know, apply completely different rules and a completely different rule engine for your, sort of, you know, your open source ingestion as you do for managing that same sort of open source risk when you start to go into the build, right. And we believe this isn't possible without a data store for your supply chain security metadata.

O
All right, and so this is what the picture looks like, right. So you want to start to be able to put the pieces together, and, you know, over here on the right hand side you have some packages, you have various dependencies, and eventually that sort of dependencies sort of blows up into this thing of: here's all the files that are used in a build. In this case we pulled this information from SLSA, and this is actually Kubernetes, and so you might think, hey, I'm...

O
Actually, this is what I'm worried about, and these are the things, you know, but then actually there's all this other information that's out there. And so now let me go and just show you what the goal here is and what this should look like to the actual developer who is looking at this with hands on keyboard.

O
All right, now you should see... oh, whoops, here. Let me just do that, all right, close that for a second. So, you know, you have a Dockerfile, and really what a developer wants is, a developer just wants to have...

O
You know, we queried your data engine, we applied it to policy, and we said this, you know, there's something wrong here, right. In this case it's a little bit canned, but, you know, the idea here is: this query is information in GUAC, it's found to be, you know, not in policy, and so, you know, it provides some information there for folks to sort of operate on, right. And so this is what, you know, the developer wants. The developer doesn't want...

O
You know, to say: okay, well, I'm told that some package somewhere in my project is bad and I need to figure it out, right. They want to be just told, hey, this package doesn't, you know, meet policy, whether it's regulatory compliance, whether it's, hey, there's a vulnerability and we are pretty sure you are impacted by that vulnerability, or some other mechanism, right. And so how does then the organization, the security engineers, get to that, right?

O
How do they kind of figure out what that thing should be, and then how do they explore that? That's kind of a bit more where some of this other stuff comes in, and let me show you something that, you know, is still being worked on from the UI perspective, but in this image, or not image, it's interactive, here in this supply chain graph. This is information that's coming from GUAC, and so just a reminder.

O
GUAC is a supply chain graph, and inside of here, right, we have a bunch of different packages, and this is just the Python packages. If I included everything, it would be hundreds of thousands, but I can go and look at stuff like... actually, let me go and look at celery, right, and I can zoom in specifically here, and obviously there'd be a lot more knobs and things for folks once we get there, but you can start to see here. I can click on this and, right.
O
So that's the information you might have from an SBOM, but as you start to pull out, and you start to look at information coming from deps.dev, from CVE streams, from OSV and so on, I can start to bubble this up, you know, blow this up a little bit, and you start to see, hey, there's a PYSEC vulnerability associated with this version of a thing, there is this GHSA alert, and we could start to, you know, continue to look at: are there ones that, hey, this...

O
This version of this thing also has that same vulnerability, and so on, and you can, you know, begin to also look at stuff like... I don't think this one is included in any of our images, but you could start to look at stuff like, hey, is this particular... oh, actually, I guess maybe there is, so we can see here that actually, if I pulled this up a little bit more, I'm sorry, you can see here there is, like, a... this is used inside of a container, one, right.

O
So if I click on that and, well, yeah, so you can see here.

O
This is included in the index.docker.io library image, right, and so once again, this is not what an end user would see, largely, you know, and whatnot, but this is sort of what security engineers are trying to sort out. And okay, cool, so like this is what's out there, and they think, you know, when you first look at the problem, you only see this small little set of things, but this is really what's out there. And so then, how do we kind of get there?

O
How do you know what sorts of things a security engineer and developers would do? Well, this is all a GraphQL API, and we have a bunch of tools that can interact with it, you know, to help out with actually running the queries and running automation to kind of hit some of the key things, like: hey, from this package, can you find me all vulnerabilities, whether they are direct or transitive from this package, that are in the dependency chain?

O
Let's kind of just sort of look here, right. If I wanted to, you know, just say, hey, fetch me all packages, I can run... This takes a few seconds because there's hundreds of thousands of packages in there, but, while that's running, let me...

O
Have just... sorry, this is running on my laptop, so it might be a bit intense here. Let me just...

O
If I want to fetch information about, for example, SLSA, right: hey, find me, you know, here, you know, find me this builder, right. In this case it's the Kubernetes SLSA builder, and if I wanted to go in and say, hey, find me all things that are connected to that SLSA builder, we can do that as well, and you can see here's all the various SLSA attestations associated with that builder. So, for example, if you come in and say, hey, that builder turned out to be malicious, right.

F
Michael, would you mind if we pause at sort of 25? Sure, yeah, yeah, a second, just so I can get... because I appreciate Alan mentioned that you're going to drop at half past, and then we continue after doing a... yeah.

O
Yeah, that's fine.

O
Yep, okay, so let me just quickly here.
O
Okay, so just kind of going back to the architecture here quickly, right. Ideally, what you want is you want to have all of that information loaded into a knowledge graph, right: your CVEs, your response, etc., that can then feed back into the rest of your SDLC, whether it's a Sterling Toolchain or whatever else, right, where you have... You know, you want to make sure, like, I'm basing my ingestion off of the same information that I'm basing my secure dev on, that I'm...

O
Basing my secure build on, that I'm basing, when I go to actually do binary authorization, right. You don't want to say, well, I'm looking at this SBOM in this case, I'm looking at this CVE, you know, stream in this case. You want to have all of that data in one place that can then be used by policy to then sort of figure all of that out, right. And then quickly...

O
You know, really, when you start to look at the depth, then you have stuff like the trust foundation, right. Sigstore, right, is at the base, and stuff like Sigstore, where you're doing your signing, you're establishing identities. Then you want to have signed identities; this is stuff like signing SBOMs, SLSA attestations and those sorts of things. Then you want to make sure that, okay, well, now that I have all this data, I want to perform analysis on this, I want to find...

F
Cool, thanks Michael, so we can come back for maybe Q&A, if that's okay! Just after, we get an update from Alan, and sorry to put this thing in a different order, but I think it needs most of the minute. Alan, you've... sorry.
D
And then, thank you, Jonathan. This is interesting. I want to learn more about GUAC, especially happy to see multiple different organizations involved in it.

D
So, very briefly, some things that this group might be interested in: the sister SBOM work has been banging its head for a while on what does SBOM mean for cloud, and obviously for developers there shouldn't be a difference, right. You write software; you should know what the heck's in your software. But from a customer perspective, what does that mean?

D
There's some work happening that's trying to sort of say, from a customer perspective, why is SaaS different from on-prem; would love some thoughts on that. I'll paste a link; there's a sort of... after a lot of spinning, they're sort of focusing on that. So I will share a link to that rough document, and the other thing that I want to flag, that also might be relevant for the folks who use data and use SBOM data, is we're now starting to acknowledge that an SBOM is not an SBOM.

D
It's not an SBOM, and tools that generate data at different parts of the life cycle are important for different... and so one of the next steps is to be able to describe the SBOM data in a scalable, vendor neutral, tool neutral way, so that people can understand what they're getting, what they're asking for, etc. We have, in both groups...

D
We have the vendors, we have the people who want to sell you things, and we have the tool providers in the tooling group, for folks who say: I want to use SBOM data.

F
Excellent, that sounds particularly interesting, the SBOM quality stuff. Looking forward to that, thanks, Alan. So yeah, if you can drop the links in the chat, we'll add them back into the transcript. Thank you.
C
And Alan, I don't know if you've been, or you were, you or someone else from CISA, has been involved in the OSCAL effort. But my thought for some time is how to marry up the SBOM outputs into OSCAL related control activities.

D
Yes, so for those of you who are not familiar, OSCAL, very big sort of national security oriented, right, heavy on the gov side of things for tooling, and there's definitely been some overlap on that side of things, but essentially trying to build very large frameworks that allow you to integrate your different security tools from an organization's perspective.

F
All right, thank you very much. So if we can just segue back to the GUAC conversation for a second, so Michael, thanks for the demonstration. Are there any...

F
Are there any questions from the group, but also, Michael, is there any sort of feedback or contributions you'd like from us?
O
Sure, yeah, I think, and I shared in the Slack, and I'll share it here as well, the GUAC GitHub page. But yeah, if folks are interested, yeah, we're definitely interested in more community sort of engagement. So from, you know, the end user space: hey, you know, what feedback do folks have, what sorts of... I think the big things are, what sorts of use cases do folks have, and generally, like, what do folks want to see?

O
As that end state, right, you know, as I showed originally, right, like I think, you know, as being a developer and whatnot, as a developer I just want to be able to say: oh, I get the red squiggly. The red squiggly tells me to update to this library, I do that and I move on with my day, as opposed to dealing with spreadsheets filled with tons and tons of things I'm supposed to sort through and figure out myself. And so, and the same thing also goes with stuff like ingestion, right.

O
You know, what are folks doing when it comes to... we'd love to hear more about, like, what are folks using to deal with sort of open source ingestion. And how are you saying, like, hey, yep, this matches my company policy for ingestion, because it has this data from the SBOM?

O
This data regarding, you know, CVE streams and those sorts of things, and then, as well as, like, anything else from, like, you know, the CISOs or whomever, who are stakeholders who are, you know... what they're probably concerned about is more around, you know: is my software compliant with regulations, and am I, you know, is the company going to get pwned anytime soon, right. I think, what sorts of things do folks want to see there, and we want to see where we can help out.

F
Right, excellent, thank you very much. Any questions from anyone in the group? Jim, you've got your hand up, but I think that might be from before.

J
Oh yeah, I'd like to add also that, you know, I think a lot of the utilities that we saw are kind of just building on top of that, and those are the things that, like, we... it's all based on the GraphQL API. So it's not... you know, everything's available by the API. It's really easy to spin up new things, so nothing's, like, tied to the particular representation or the UI that we have.

F
Cool. Thank you very much, certainly interesting work going on, and I've seen it a little bit earlier on, so good stuff. Thank you, and thanks for presenting. Okay, next item on the agenda, Piergiorgio, around taxonomy, yeah.
N
He said that he really appreciated, you really liked the work, and I really thought that it's a good idea to push in the OpenSSF the adoption for this, and to discuss, of course, this in different working groups, and then, of course, I already told him that we already discussed this item in the End User Working Group, and we proposed it to the TAC.

N
It was also suggested to check with the Best Practices Working Group and the Integrity Working Group, yeah, because he sees that it probably could be of interest of different working groups. So I wanted to discuss with you: what would you think will be the following steps, how we can push forward this item? How can I be helpful for that? We also discussed the topic of licensing.

N
Everything should be fine, because we should have both for the repository a license that should be easily transferable below the OpenSSF itself, and also, I think, with the paper, we could think about extracting only the part of the taxonomy and release it below the OpenSSF itself. But maybe this could be a further item for discussion.

F
One was reaching out to others in other groups such as the CNCF, and then we'd reached out to Andy Martin in the TAG Security and Justin Cappos as well, right. So there's connections over into the CNCF as well to get additional input.

F
Yeah, we reached out to Andy and Justin Cappos and the TAG Security side. I don't think it's actually been presented in the TAG Security Working Group itself, though.

J
Okay, so we have to meet. We have two meetings that will be rather vermilized, that we need languages, a general attack and then this one's a supply chain specific, which you think is about a target audience.
P
Yeah, yeah, so I've been walking, Piergiorgio, I've been walking your paper around to different working groups and in different SIG meetings all over the place, because I've been, you know, taking the efforts that started here and pitching, you know, taxonomy work across the board. So I mean, you know, it's good that we're doing this, this conversation is being had, and I'm working on a bit of a proposal as well. I'm just trying to make sure we're, one, we need a...

P
We need a fully formed attack, and then two, making sure that we're helping and not hurting efforts by trying to propose something without finishing or starting in other places. I know that the end users work... I know here we're working on a taxonomy, a proposal, getting that pushed through as well. So I wanted to make sure that the efforts are not available. Any chance I get, when I talk about taxonomy, I bring up that work.

P
You know, bring up the work being done here, so I mean other communities as well getting involved is a great thing. It's just things that we, you know, let's make sure that we're settling on a place to do the work, do the work, and then pitch the work being done out, rather than, you know, continuing to just... I don't know, I think our initiative here is good. I think what we have, thinking about on a grander scale across OpenSSF.

F
So I think we had a proposal that was sent to the TAC, and we have the taxonomy itself that people have been adding to, I think, Jay, and I think there's sort of more to go there as well, right. I think in terms of moving things forward, I don't know if there's any other thoughts. CRob, I know you're on the line. Any...
Q
Yeah, I would be glad to have Piergiorgio come talk to the Best Practices Working Group and also, I think, the Vulnerability Disclosures Working Group; I think that would be interesting for them. As Jay alluded to, I think this is important work, and I think it deserves to live in a dedicated place within the foundation, something around a general kind of architecture, kind of a centralized facility that deals with not only this taxonomy but other terms and lexicons we use across the foundation, personas, any kind of these universal things across the foundation.

Q
I think should live in some centralized place, and a couple of us are suggesting that the foundation create that. We'll see if the TAC agrees, but yeah, I would welcome you to come talk to both of the working groups I'm interacting with. I think it would be useful and interesting for us to discuss more, and I have done personal presentations where I've used the taxonomy to illustrate supply chain attacks. It's been pretty, very illustrative.

F
So I'm writing a list of different places to present it to, and I think it's really super beneficial. CRob, you're mentioning about different places to host these materials; is this something that's being discussed at the TAC, or...

Q
It has gone nowhere. I've suggested it to a couple people in the TAC. We are trying to put together a business case to suggest kind of a centralized facility.

Q
The living compass, personas, taxonomies, lexicons, diagrams, that type of stuff, so we kind of... I would suggest we mush that into one working group, and that way it would be kind of across the whole foundation, as opposed to kind of living here in the End Users Working Group, which... this is a very important working group, but it's very focused and doesn't necessarily have the reach across the whole foundation. So I think elevating it to a part of a working group of its own, I think, would get more traction and attention, so yeah, I'd be glad to work with anyone.

F
Sounds good to me, so I guess how to help is just give you a call and see if we can get together to agree on that place to put this data, yeah.

F
Very cool, so if I just double check that: so we have the TAG Security group, the CNCF Security Working Group, the Vulnerability Working Group and the Best Practices Working Group as well, yeah. And then in...

F
To that, come together to look at the sort of universal hosting OpenSSF repository. Sounds good, all right, very good. Any other comments and questions about the taxonomy? Or I think those are a couple of areas we can move that forward.
F
All right, next step is the architecture and threat model with Henrik, myself and Abdullah. Abdullah is actually on vacation today, unfortunately, so Henrik, it's just you and I.

K
All right, so I mean we have concluded basically the work on this large-scale architecture, this architecture of this large-scale in-house development organization of a non-regulated company, right. We said it is good enough to progress and proceed with threat modeling. Together with Jonathan and Abdullah, we came up with a couple of high-level assets, and so the next two steps will be really threat...

K
Modeling those. The three of us have kind of a goal to have something presentable at the future app, as I said, conference in a couple of weeks. Other than that, Abdullah was so kind to reach out to CRob and ask for an OpenSSF calendar item. I'm not sure whether there has been anything sent around already. It's done, yay.

Q
Right, look on the... the community calendar. The meeting is set up weekly, Tuesdays at 9:00 a.m. Eastern, 2 p.m. UK.

K
Perfect, I didn't see this one, right. That's about it from my...
F
We've been really still struggling to find other small end users to add to those architectures or the threat models. So we're just, as Henrik says, forging ahead with the major one. A couple of bits of feedback have been coming in about the level of granularity, and the reality is, whilst I think this is a high level threat model, there are other threat models we can bring to bear around some more of the details, but we're trying to keep it fairly...

F
Generic, and I think what we're really looking for is just additional contributors to join us to go through threat modeling to get other people's viewpoints on it, and, you know, we've got JPMorgan, Citibank and all Labs looking at it, but there's other end users that it'd be good to get people's view from, to make sure that, when we're building up these threats, it makes sense.

F
I think we've also had a couple of conversations about where to use the threat model and architecture, and this goes back to when we presented it to the TAC a couple of months ago now, with the view that as we build out a Sterling Toolchain, or as we look at the different standards for supply chain, if we had an architecture up front and then we applied the threat model to it, we'd understand where the different emerging standards would fit and also where any gaps would exist.

F
I think the place of hosting it would be, CRob, your universal artifact repository.

Q
Agreed, again, this is important to all elements of the foundation, although, you know, it drastically affects end users and consumers.

F
Absolutely, totally agree, so as we figure out where that is, we will appropriately contribute it. So really just looking for additional assistance to help with that work. We've got those meetings coming up and we've done a number of ad hoc meetings, adding into that correct model; more people are better. So all PRs are welcome at this point.
F
All right, next step of the meeting is updates from other working groups. We've heard from Cesar on some of the good working groups, as always going on there. Anyone else want to bring any other working groups that they've attended, any updates from them?

F
Repeat the question: it's really any updates from any other working groups. Oh, the user group. There's so many different great working groups that are around. We can't go to all of them, but it's useful we sort of bring it back to the group.

O
Yeah, I can provide a little bit of an update on both the Supply Chain Integrity group here, as well as the supply chain group over in CNCF. So the group here, we're working... so, if you might have seen, SLSA 1.0 release candidate 2 is out. We are, I believe it's the 18th or 19th, 1.0 is planned to be released, unless somebody comes in and says stop the presses, but so 1.0 should be going out soon. With that kind of coming out...

O
I think we're looking to especially get some more input from end users on the tooling, right.

O
You know, because we have a couple of tools out there, but as we kind of push to SLSA 1.0 we're looking for folks who, like, when it comes to end users, like, what are they looking to kind of get out of the tools when they sort of produce and consume SLSA, as well as anybody who might be building tools for that that plan to interact with us. Also, we'd love to hear more about what folks are building, and associated with that is there's starting to be some whisperings of maybe spinning up a bit of a project that could provide guidelines for distributing supply chain metadata, right, because folks don't want that...

O
You know, largely, you know, the folks who are building these tools as well as the folks who are consuming this data don't want to have a million different ways to ingest the data, because, you know, RubyGems decided to do it completely different than npm, that decided to do it completely different from PyPI, and so on. If there's, like, a handful of things and, you know, a couple of outliers, that's probably fine.

O
Otherwise, the tools in the space are going to be quite complicated, so that's one of the big things from the Supply Chain Integrity stuff, and I know Jay, I think, has some updates regarding the S2C2F and some of the training stuff.
P
Nope, so S2C2F, you know, as we approach SLSA 1.0, which is a wonderful accomplishment, I mean, so much work went into that, right. S2C2F things are still pushing along with that, but because of the way we structured SLSA 1.0, and Mike had a really great blog he put out where he spoke about the different tracks, the different subsequent tracks that are coming up with SLSA, one of them being a potential dependency track, which is exciting because if we take S2C2F and we do the right thing with it, that could be a catalyst for what the dependency track is to become, and those things can work hand in hand, furthering bridging S2C2F and SLSA. Now, what does that mean? That means that there's a lot more work that can be done right today.

Right now, we're working on explaining to a report, which is great, but also there's a new threat, and I was trying to do it real quick to find the issue. But if you go to the S2C2F GitHub repo and you go to issues, you'll see an issue in there where we've actually identified an additional threat that we're working on right now, trying to get the proper wording for it. It might actually become two different threats that get put into S2C2F.

But these are things that this group specifically can come in and help with, building wording around, help with, you know, making sure that how it's addressed in the document is sound.

Ultimately, what this means is our efforts across the board, with both SLSA and S2C2F, can only complement one another as they increase and continuously improve, intensify and evolve.

So a lot of great work out of the Supply Chain Integrity working group. In addition to that, coming up, we're going to start meetings here to do a complete end-to-end supply chain integrity, secure supply chain framework, right, just from the working group perspective across the OpenSSF, entirely, the OpenSSF itself, and this is going to include all the stuff that we're working on and additionally identifying gaps in all those works to create this one framework, this one governing framework. So, exciting stuff. I'm excited about it. I know Mike is too, so come jump in, the water's warm.
O
Oh, I was just gonna provide an update, sorry, on the other supply chain group as well. Oh, one other quick update, actually, so FRSCA, which is, you know, part of the Supply Chain Integrity group.

Maybe it needs some maintenance as that representative example, so I'll post a document that I've written up just sort of describing what FRSCA is and that sort of thing before I continue. Oh okay, the other thing regarding the supply chain working group within the CNCF, so we're working on... Originally, it was supposed to be sort of a real world policy white paper on supply chain policy in the cloud native space, but as time kind of went on, we recognized that one of the biggest challenges is not necessarily the real world policy. It's more of the executive summary that can then eventually lead to the real world policy, and so there's a bunch of work happening in that group.

In fact, actually, right after this meeting is the weekly meeting that works on that, but there's some work that we're hoping, you know, like maybe five pages, that just sort of describes at the executive level what are the things that executive stakeholders need to care about when it comes to cloud native supply chain security, and where to start looking and what to start doing, and then that should hopefully lead into some of the other things that we're planning to release.
Q
Yeah, so some quick updates from other working groups. The end user... I'm sorry, the BEST working group has officially adopted the Memory Safety SIG. You'll recall that memory safety was one of the elements of the mobilization plan, so that is now officially a SIG underneath the BEST working group, and they have a call later today, so anyone who's interested in talking about converting older software into memory safe languages or using more memory safe techniques, join the fun. The Vulnerability Disclosures working group, we voted and officially adopted the OpenVEX spec and the software, so we're working with legal on that IP transfer, and many of us have been very active with the CISA SBOM working group. So we will continue to help forward the VEX standard, and OpenVEX is a simple implementation of that, if anyone wants to use it. But the main reason we adopted this is to try to give the foundation and the community a voice in these large industry-spanning issues, and this gives us a bridge into talking more efficiently with groups like CVE, CSAF, SBOM. So I'm very excited about the ongoing VEX work, and then we also have re-energized our engagement with OSV, which is a vulnerability documentation standard used by, like, GitHub advisories, for example, so you'll see much more energy and forward velocity around OSV out of the foundation.
F
Very good, thank you very much. Anything else, any other updates from other working groups? It's a good list today.
F
Okay, so the last agenda item is any other business, and if I can raise one, just as a bit of a reminder, we are closing in on Vancouver, right? We're only a couple of weeks away, and I think people are getting together and ready to participate in that. So just a bit of a reminder: if you haven't booked your travel, go and book it. I haven't either, but hopefully people are meeting up for a couple of beers when we're in Vancouver.
M
On that note, this group does have two presentations. Jeff Bork, I think you're on today, you're leading one of the panels, a panel presentation, and then Jonathan and I are presenting. I think let's get a little bit of a teaser out, and I'll make sure I put it in the Slack channel here.

If the folks here could put it on their social media channels, get some publicity, raise the attendance and visibility, that'd be really helpful. And also, I know for Jonathan, Jeffrey and I, and the others on the panel, we have done it a couple of times, so I think we're okay from a content perspective, but Jonathan, you and I should start putting something together for that.
E
Yeah, thanks Andrew. I did throw it out on Twitter just in the last 48 hours, with you and my other esteemed colleagues on Twitter copied, not that Twitter's the most popular platform these days.
Q
One quick thing, not foundation related: I'm jumping over to a call at the FIRST PSIRT SIG. The CVSS v4 standard is very close to implementation and release, so look forward to all of your favorite vendors and security researchers using a new and better version of CVSS very soon, and I can bring back details in a future call once I hop over there. That'd be good, actually.
F
Interesting stuff. All right, thank you very much. So a lot going on as usual, and we've got Vancouver coming up too. So thank you to all the presenters today, and we will close it out. Have a great weekend, and thanks for joining.