From YouTube: What is the OpenSSF? - Brian Behlendorf, OpenSSF
We have done a couple of other OpenSSF Day events, one in Europe, in Dublin, as well as in Austin, Texas, and it's really a chance for us to come together a bit as a community of people interested in security in the open source landscape, and really thus the entire software ecosystem, but also a chance to help recruit more people to our projects.
More people to the different initiatives going on, and I think you'll find what we're doing incredibly fascinating, I hope, perhaps even daunting, but I hope what you find are lots of opportunities to get involved and jump in and find things that you can use in your work, in your daily life, but also really invest yourself into. Just a few housekeeping notes.
In addition to the fact that this meeting, like all Linux Foundation events, is governed by the Linux Foundation code of conduct, I also wanted to mention that we are recording this on YouTube. We are recording these sessions and we'll be putting them up on YouTube, so if any of you feel like you need to take a break and come back, don't worry, you won't miss a thing.
The OpenSSF is a cross-industry collaboration that brings together leaders in software, open source software, and leaders in security to improve the security of open source software by building an expert community focused on the topic, by running some targeted initiatives, software and others, and by pulling together a set of best practices that can uplift all developers in how they write code.
We're really trying to focus in particular on software technologies that we can build that push the envelope on this, on pulling together resources to go and help other open source projects with what they're doing, and really develop cross-industry expertise in how open source software works and how the supply chain can really be improved.
There are six kind of different ways that we operate. I won't go into too much detail on these things, but if you think about what we do, it is very different than, say, what the CNCF does or Automotive Grade Linux, where they have a particular category of software that they're interested in. We are one step more meta, if that's... I don't know how that word translates, but we kind of sit above a lot of these different efforts. We're trying to help figure out what the priorities are.
How do we find the next Log4j and keep it from happening, or the next 100 projects that might each have a tiny little risk of being the next Log4j and suffer from a big breach? How might we automate the tools that we're using across the software ecosystem to have security baked in as a more core default? How do we educate the world's software developers, open source and otherwise, to just get better at what they do? How do we help incentivize fixes to open source code?
We're pretty good, let me say, at finding vulnerabilities, but how do we go and get those fixes into the upstream code and then adopted throughout the industry? How do we help the world be much more informed about the differences between open source software that is secure and those that don't tend to have the same priorities, the same processes that can lead to more secure code?
So how do we paint a picture of risk across the open source landscape? And then, finally, how do we help standardize what everybody is doing in slightly different ways when it comes to securing the software supply chain? Lots of companies have home-built tools and scripts that do different things; there are lots of different taxonomies and terminologies out there. How do we really, across the industry, get to a converged sense of how we work together?
This slide is very busy. There's a whole lot of information on here. This slide shows you, at the OpenSSF, what the different working groups are working on, and our top-level project, which we now have, called Project Sigstore, which you'll be hearing more about today, and a couple of associated projects.
I'm not going to go into depth on this slide right now, but I'll mention that right after I speak, you will hear David Wheeler talk quite a bit about the work of the Best Practices working group and probably touch on some other things going on in other projects. After he does that, you'll hear Bob Callaway talk about Sigstore, which is really our key top-level project at this point, and you'll hear bits and pieces from some other projects as well.
The OpenSSF is governed like many Linux Foundation projects, with kind of a two-part top-level governance. It's the governing board, who manage the budget and figure out what the strategic priorities are for us, and the Technical Advisory Council, which really tries to bring technical clarity and vetting to all the activities underneath, all the different working groups and the associated and top-level projects. This kind of bicameral...
This really closely combined governance, we think, is the right balancing act to make sure what we're building is not only technically the right thing, but will actually be adopted by the industry. And we've received this year a whole lot of different news; I won't go into the different aspects of it, but about this time last year many of you, I'm sure, were scrambling to fix a vulnerability in the Log4j logging framework called Log4Shell.
That was disrupting everybody's December, disrupted a lot of people's holidays, and it helped crystallize, I think, for much of the world and certainly for us, why we're here and what we're trying to do. Six months after that incident, seven months after, the U.S. government issued a report; they pulled all these experts together and said what led to this vulnerability and what made it so complicated and expensive and disruptive for us to fix, and this report is really great to read.
I highly encourage all of you to read it, but it cited the OpenSSF 13 times as having potential pieces of a solution to the many deep problems that it cited. In fact, we pulled together the insights that that report generated, and many others that we knew internally we had to go and focus on, and developed, also around the middle of this year, a mobilization plan focusing on 10 different streams of work.
I won't go into depth on what those 10 are; there's a whole lot behind it, and what you'll hear during today's presentations are bits and pieces and hints, but certainly watch this space as we continue to develop this plan to go and tackle the challenges that we now see one year later. I do want to thank, of course, the members of the OpenSSF who make this possible. There are many companies here on this chart who represent the cloud and infrastructure and software developer tool landscape.
Basically, everybody who's relevant in this community is now a part, but you'll also see financial services firms there, such as Morgan Stanley and Citi and others, and so I really want to thank them all. In particular, today, I want to thank IBM for their involvement in today's agenda.
We also have now, between our premier members and our general members, over 100 different members of the OpenSSF helping us do what we do and financially support the organization, but also operationally, and this includes a couple of you in the audience who are based here in Japan: Cybozu, Cybertrust and Renesas in particular. I want to thank you for your involvement and participation, and we're certainly very eager to grow the representation from the Japanese industry in the OpenSSF.
So today's agenda is really focused on giving you kind of an overview, a sweep of a couple of the activities going on here, as well as some voices from Japan, from companies based here, who are working on different aspects of OpenSSF technologies. You'll hear, just after me, David Wheeler, who's also with the Linux Foundation, talking about the work of the Best Practices working group. You'll hear Bob Callaway from Google talk about Sigstore, give an overview of that and really the sense of momentum that has been generated.
Then you'll hear Fumiko Sato from IBM talking about how IBM is incorporating these tools and developing some new ones to bring security to the software supply chain.
You'll hear Yuji Watanabe from IBM as well talk about his work in building a plug-in for Kubernetes to use Sigstore signatures to really bring an end-to-end secure software development life cycle. You'll hear Mu Ikeda from Cybertrust talking about his company's activities in the open source security mobilization plan, and finally Takuya Yoshikawa from Cybozu talking about what's going on here in Japan regarding software bills of materials, SBOMs. It's very exciting stuff. So this is our two and a half hours together.