From YouTube: S2C2F SIG (March 14, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
A: So howdy everybody, Glenn, Randall, I'm glad you guys are here. I've got to start admitting people. Yes.

A: All right, so.

A: Jay, so I just, you know, had these two agenda items. We can go through our course outline, and we can also just, throughout there... We now have an official folder on the Google Drive, so we're going to start storing all of our documents there, like these meeting notes. I think we're going to have to move over there, and maybe our strategy doc we'll have to move in there, and things like that.

A: The draft course outline, happy to, and let me throw this in the chat.

A: So there's the link for this doc, happy to receive feedback on it. I'm following the same kind of template that I have used before for other courses that I've developed, so I liked this kind of outline for putting this together and structuring what a training might look like. But you know, as I started breaking things down into session one, session two, session three, we can...

A: We can move things around and figure out a better structure, and that's kind of where I left off. But so I put "this course will be offered through the SKF and/or through the Linux Foundation Training." I don't think we've totally figured that out yet, and I'm guessing that this might be like four hours, but this could also change.

A: But like the course overview, if we were to provide a description: you know, over 90 percent of commercial software uses open source dependencies. Additionally, Sonatype has stated that there's been a 742 percent rise in attacks specifically targeting open source, and those two things together make open source arguably the most important aspect of any software supply chain.

A: So this target audience I'm imagining is going to be software developers and engineering managers, basically managers that manage software developers. There's probably going to be some GRC people that would be interested in understanding a program to help manage and mitigate risk. Security practitioners, such as those that care about vulnerability management: they would love to understand these additional requirements that help people patch their vulnerabilities faster. Cybersecurity incident responders.

A: This one I was a little bit hesitant about. I think they care about some of the requirements in the S2C2F, because it could be part... I mean, one of the requirements is "have an incident response plan."

A: Yeah, Randall, you have your hand up.
B: I know that, as far as OpenSSF CERT, I'm one of the co-leads. I know that education and trying to kind of... not like we're not gonna say it like... A big focus is to try to educate people how to avoid this incident happening again. So I would agree with number five, just wanted to say that.

A: Oh, awesome, okay, I love it. And then this last one, I think CISOs would want to understand, from a top-level perspective, how the S2C2F could be incorporated into their strategy.

A: Right, they're trying to think broadly over an entire organization and usually want to set some sort of direction or strategy, and I think that they would be interested in this as well.

A: Yeah, let's just... yeah, executive stakeholders.
C: I had one remark as well. I was already scrolling a bit down in the document. Is it also maybe an idea that we classify, for what type of audience, which type of sessions or areas are interesting for them? Because, like a CEO or executive dude, yeah, he doesn't want to go through the whole four-hour thing, right. You just want to have a very summarized version of it.

A: Oh yeah, let's throw this in. It would be...

C: You can split up the course in different levels, right, so maybe the levels could be the target audience, right. For other courses we have just the easy, you know, the junior developer, the medior, senior, whatever, but maybe here the split could be actually our audience.

A: Yeah, yeah, yeah, I like that. Okay, so this is something I could work in.

C: Okay, maybe you could do it like that, but technically we could also even do it on your sub-bullets, right, so maybe for an executive indeed only the first there is interesting.

C: So, basically, with all the topics you define in each session, we could also classify per topic for whom it might be interesting, and if you then click or start like, "hey, I'm a software developer," then you get all the topics from all the sessions that belong, I don't know, to that target audience. If you say, "hey, I want to have the CISO point of view," then you only get from all the sessions the very specific ones that are interesting for a CISO, or...
B: Yeah, another idea is, as far as following what we're planning on doing with the Linux Foundation: you could do an introductory course that's more theory-based, because the overhead of that is much lower, and we could do the labs, like a "build your own S2C2F lab" type situation, as an advanced course. Just an idea of how you could also do it.

A: Courses could be lab-based, so what you said.

B: Because you can make... I mean, well, when we talked to Tim, he said it's a possibility of developing it into a certification. So if we do go down that road, that's kind of what normally they do: they have a free introductory course, and then the bigger course that'll get into the real nuggets is an actual paid-for course.

B: No, David might be able to add more details here since he's on the call, but from my understanding it's really a matter of us being sustainable, and labs and stuff have an inherent cost, and I know that LF is concerned about those costs and whatnot. So they're not as much concerned about making bundles of money off of it as far as just at least being able to pay for what we're offering the student.

G: And other things... things don't work, and so we need to find a way to deal with the costs.

F: Yeah, I like the idea of the introductory course, though, theory-based in the introduction. I like that, I like that a great deal. You know, you get a whole bunch of questions there like, "well, how does this work in practice? How does this work in real-world scenarios?" and that's when you pitch, right.
B: Another thing that I'm gonna throw in there, another big one that we do beyond SKF, is that there is what they call instructor-led courses, so also be thinking about, possibly, if you wanted to make something like that, so that it could be brought in with all the other instructor-led courses. That could also be a possibility.

B: It's going to be a more recurring thing. Glenn does security champion, that sort of thing, pretty regularly, but I don't know, now that it's all going to be under the LF, how that's going to change or what the expectation there is. But I do know that instructor-led courses is a very big focus for them and for what we do at SKF.

A: Okay, so where did we stop, because we're kind of jumping around. So I just list out key features so that, like, I'm imagining... so again, I'm just following an outline that I've used before, and these could potentially become things that, if somebody was interested in paying for this course, they would probably want to understand what sort of value they're going to get out of it. That's what this list would be, right.

A: There's these eight high-level, solution-agnostic practices. It maps requirements to each practice area, and then those requirements are further organized into maturity levels...

A: ...to help you prioritize your investments, and provides a process to help you assess your team's existing maturity. So like "what you will learn": this needs to be well thought through, and this is by no means complete, we can keep expounding upon this, but you'll have a deep dive...

A: ...into real-world OSS threats, so that you'll also understand how this is just one piece of the larger puzzle. You will learn about the myriad of creative ways that developers consume open source, thus underscoring the value of establishing an official ingestion channel across all your development teams to control your supply chain; how to mitigate the real-world OSS threats.

A: So then you'll start to see the mapping of the S2C2F requirements against those threats, and this will dive deeper into understanding the need to improve the speed at which you patch known vulnerabilities.

A: This is leveraging the SaltStack example, where, for the disclosed vulnerability, attackers were able to research the vuln, craft an exploit, find systems that were still vulnerable, that hadn't patched, and were actively exploiting that vulnerability within three days after disclosure.

A: Thus the importance of improving your DevSecOps capabilities to patch faster, because you want to be able to patch faster than the adversary can operate. That's our North Star. Understanding the need to implement defensive capabilities to prevent accidental consumption of malicious components, and there's probably more that we can add here. A little blurb about the author, and then this is the real meat and potatoes.
F: I also added to the agenda as well. We got a couple of outstanding issues... a couple of them we probably got a better way, though I know that the crosswalk with SLSA we want to wait on, but I think we do need to take a look at the taxonomy paper, see what's going on there, and I believe the answer...

F: One of the issues... there's another one there as well that David threw out there that we might want to take a look at real quick too, just to tighten up, see more right there.

G: Yeah, I'll quickly note that the fundamentals course talks about evaluating open source software before you bring it in, and how to bring it in, and it very much basically walks through the Best Practices Working Group guide on evaluating open source software, so it might make sense to connect those two too.

F: No, no, Jonathan, good to go, man. Jonathan had an add in the best practices meeting earlier that I thought might be relevant to bring up in discussion here, at least a little bit in part, since we are talking about dependency management as well. This, of course, is after this, right. We don't need... this is one thing, this is another, but.

D: The topic at hand is not dealing with vendored dependencies. It's about how you should be... if you vendor your dependencies, you should be issuing your own disclosure when you update or fix those vulnerabilities, and communicating back to the parent CNA that you also patched this vulnerability.

G: Oh, Jonathan, I recently thought I was going to send you... I have another term that we could use instead: embedded dependencies.
A: Yeah, yeah, so it seems like, when coming up with an outline, I need to consider this approach: doing an introductory, theory-based one, followed by more in-depth hands-on or lab-guided trainings, and that might be a different way to organize the contents. So we'll have to shift some things around.

A: You know, one of the... so in my opinion, there should be increased emphasis on, where do I have it, this focusing on ingestion.

A: This is such a core part of a strategy to secure your software supply chain. You should first define, as a development team or as an entire organization, what is the approved ingestion method, or how to consume open source, that all developers should follow. When you look at secure supply chain solutions that exist today, such as...

A: What company is that? And anyways, it attaches on to JFrog Artifactory, and so, if you as a developer consume packages into a package caching solution like JFrog Artifactory, that should become the approved ingestion flow.

A: Then there are all these other methods that developers use, like git clone, curl | bash, and wget, and, you know, Invoke-WebRequest, and as a matter of fact, this is kind of what I have... a sneak peek of my RSA slides.

A: There's all these myriad ways that developers consume open source, right, and this is the recommended best practice, where you consume from the public internet, it gets cached locally into your JFrog Artifactory or what have you, and then it gets pulled in. Because if you continue to allow developers to pull in in all of these creative ways, then how can you control your supply chain?

A: How do you make sure that you have these defensive controls that protect the components that you are consuming, and evaluate them appropriately? And so I talk about package source files.

A: You know, depending on what language you're using, there's nuget.config or .npmrc or pip.conf, pom.xml, config.toml for Rust, and how do you identify what an insecure configuration is, right? And if their package source file is pulling direct from the public registry, then it's not following this model here, right. What happens if that package gets removed from the public package registry?

A: Your build will break because you can't pull that package anymore, and so that's why you need to have this sort of a setup. We could use this as a training to help people identify what an insecure configuration looks like and why it's insecure, and those sorts of things. So this is emphasizing the importance of that.

A: So this was definitely something I wanted to get into that was more hands-on, but you know, I was thinking of it from a certain angle. I'm not thinking about it from like, "oh, if this was a lab environment, what's the best way to get them to have hands-on," so I might need to expand how I'm thinking about this.
G: I mean, so, you know, the whole "hey, I'm gonna copy it in locally": like everything else, there's trade-offs. Obviously the big bonus is, "oh look, I have a local copy; if the main site goes down, I still have my copy," which is great for some kinds of availability requirements.

G: I will say that a lot of organizations that I've seen often pull very slowly, and you can easily get yourself in a situation where you're not keeping up to date. And the problem that originally they were thinking about, things like removing... I think it was left-pad... by policy, those organizations don't allow removal of packages under a normal case anymore.

G: So, you know, unless it's legally required. So I think some of the risks are reduced. That said, if you want to counter that risk, that's a reasonable way to do it. There is a new risk when you add that, and that's dependency confusion, which I think has already been covered elsewhere, which is: if you only have one repo, then obviously everything's from that one repo.

G: As soon as you bring in multiple repos, you need to make sure you're getting a particular package from the correct repo, and now that's one of the most common kinds of attacks: creating a package on one repo and you assume that you're getting it from the other one. So we just have to be... you know, I talk.

F: Yeah, I think a good idea, then, being to have a disclaimer at some point that talks about working within the guidelines of your organization's policies; that some organizations have different policies to put the different scenarios, and SLOs can impact... they have a great impact on where packages are being pulled from, absolutely. So I think that'll be... I do not think it's relevant for the training. I do think the training will require a disclaimer saying please operate within the constraints, or operate within...

F: You know, whatever your organization's current policies are, and if your current policies do not reflect this, you know, operate within those, and you're free inside of your organizations to recommend policy changes, but we are not telling you what to do in your organization against your current organizational policy. I think that's... oh, right. Yeah.
A: Was there anything else we wanted to talk about here, or can we pivot topics?

A: Okay, by the way, David, I wanted to bring your attention to this. So switching topics: okay, in the Security Tooling Working Group, I was interested in potentially updating the security tooling, or the guide to security tools, to include tools that improve the mean time to remediate, and I started this small thread with Sarah, and she had tagged you on here to see what your thoughts are about adding... We can take this offline; I just wanted to bring it to your attention.

A: This Security Tooling Working Group channel, there's this thread here. You can click "view thread" and you'll see. Okay.

A: Okay, great. We got... oh, I've got to add Jonathan.

F: Well, it's going to do one or two of them, probably explaining program. Let's have a look just to make sure that, I mean, they're there. Doesn't mean that we necessarily have to do something with them now, but just give them a quick look.

A: If you can see my screen that I'm sharing, I'm showing the Slack channel. It looks like you'll have to scroll up just a couple of messages to find one from me from January 25th. Okay.

A: And there's this thread that got started over here, and you can see the messages over here where I clarified that I'm interested in updating the guide to security tools to have a new section about tools that help address or improve...

A: Okay, cool. Shall we tackle issues first, or shall we go to the link that Jonathan provided?

A: Jonathan, is there any context or introduction you want to make about this doc?
D: So the topic was... it's part... so the proposal is for this to go into the best practices document, and at a high level, the best practices document is broken up into two things: the one-line, or concise, guide, which is a single-line version of the best practice, and the longer version, which is the description.

D: So, you know... and yeah, I presume everybody... do we want to read it out loud? Do we want to, you know... how do we want to do this?

F: I think for the purposes of... yeah, and for the purposes of S2C2F, I'd like to understand the dependency perspective. This paints a different picture that it's not often thought about. Me as a specialist around it, but it should, but it could be, and it could have relevance here. I'm trying to see where, and that's why.

F: I just thought it might be great for you to bring up, especially considering going into the best practices, but from a framework perspective, apps.

D: Kind of... this is kind of more VEX than SBOM. Okay.

D: That I guess this information gets included in any education that's presented. Otherwise, like, making sure that this becomes part of the best practices. It should also be presented as something that we recommend in other places, outside of just the best practices feed, or, yeah.

F: My thought on this was to bring the thought past just best practices. I think this is a thought worth bringing out; no feedback necessary, just mainly, "hey, this is the thought. Is there alignment here?"

F: Is there something... for nothing else, the framework is solid and everything else, but is there a piece of this that hasn't been thought of, and if it hasn't, or hasn't been fleshed out, can we flesh it out, right? Can we use this kind of thought and flesh it out if it hasn't been? We're saying that a lot of this can be covered...

F: You know, the VEX documents and all that kind of stuff, but it's mainly just: these are thoughts that are being had in other places. Let's make sure that, being one collective, the thoughts in other places are also brought up here.

F: Being that we're working on something that's going to help the masses in other places, so that all that is one hand washing the other.
A: Sounds good. So yeah, I think there's ways we can leverage this language. We could point to... is this the best practice we want to point to: Concise Guide for Developing More Secure Software?

G: Right now, if you think there's a problem, a limitation with it, feel free to propose changes and improvements, and that's why we version-control these things and such. I do think that it's entirely possible, as we develop things over time, that there'll be increasingly more hyperlinks between them, and that's awesome. That's a good thing!

A: Perfect, thank you. Okay, so we can come back up to our issues here.

A: So I've got that captured in the course outline, and absolutely we'll weave that in and leverage consistent language so that we're saying the same things across the board. Yeah, whatever. So, David, we have three issues from you, and we had this one from Reggie, which I went ahead and answered.

A: You know, SCA-5 is, you know, this requirement for proactive security reviews and communicating fixes confidentially to upstream maintainers, to suggest a fix. And FIX-1 is really the ability to perform a private fix.

A: This is used only in extreme circumstances as a temporary risk-reduction measure, as your team and organization plan to convert to the public fix once available, while you continue to partner with and suggest fixes to the upstream maintainer. So that was the answer; answered that five days ago, I think. We might be able to mark this resolved. Jay, were there any others you wanted to dive into, or anything?

F: No, I just wanted to make sure that we knew that they were there. I think this crosswalk was also... that one needs to happen at a SIG level. I think we need to sit down, drill down the front and figure out when we want to do that.

F: I do think that, you know, you mentioned before, speaking with the... once you... that's the taxonomy stuff there, and of course David had the third one down there that he mentioned as well, and I imagine we'll talk about that over time too.
G: Can I interrupt real quick? I don't know if it was made clear, but I didn't ask you to ask the question on SCA-5 and FIX-1. I did put some others, but not that one. I do think that maybe that suggests more clarifying language, just to clarify the difference. Wait! Sorry, Jasmine, realizing... oh wait, might have been confusing.

G: And by the way, although I think it's interesting, we just... a continuation of that, almost on cue, one of the... I think it was one of the Linux distros, and I want to say it was Fedora, has recently dropped their support for these binary patches, primarily because they weren't... it really seemed like an implementation problem.

G: They hadn't implemented them well, and basically, instead of trying to fix them all up, they just said, you know, the networks are a lot faster now and we're just not going to worry about it. But that really doesn't eliminate the issue. Okay, if you're not using it, then there's no problem, but if you are doing it, then some clarification probably needs to be said.

A: I want to make sure I'm understanding the scenario here and I'm not thinking something different than what you were thinking. So a binary patch here, in this example you said Fedora dropped it, so is that like an RPM patch, or is this like the...

G: The phrase "binary patch" is not very clear; maybe what we really should call them is binary diffs. In other words, let's say that you have version 1.0 today and you'd like to get version 1.1 instead. One way you can do that is: here is version 1.1, uninstall version 1.0, install this, and poof, you've got version 1.1 now. Okay, the problem when doing that...

G: Okay, so the big issue here is, imagine that someone says okay... so I didn't capture very much because I kind of assumed that the participants would be at that meeting two weeks ago, and probably that was a bad assumption, but I was in a hurry. So the risk that we're trying to deal with is: if you download package version 1.1 and install it, it should have the same effect as having version 1.0 installed and then updating with a binary patch.

G: Basically, the results should be the same if, one, you don't have package version 1.0 installed and you download and install version 1.1, or, two, you have package version 1.0 installed, you uninstall it and download and install version 1.1.

G: I think attackers have found other things to attack, but well, although SolarWinds was, in some sense... although that really wasn't the problem; it wasn't the binary patch. The problem was that the new versions were subverted straight up. So it's not really the same thing.

A: Gotcha, and thank you. So okay, so we can actually... let me assign this to myself.

A: That was easy, and I will work on finding a spot to address this within our guidance. Perfect.

A: Am I going to have to... here we go, download. Yes.
G: PDF, yeah, it is available. You don't have to sign in for anything. Perfect. Now, if you're going to do that, I think it's page three or four in there that is the actual little graphical taxonomy. So if you scroll down a little bit... now, I don't know what viewer you're using. Keep going, keep going. It's a full-page graphic; you'll note when you see it. Keep going. No, don't... keep going. I think one or two more pages. Nope.

G: Yay, okay, so this is the taxonomy that some academics have come up with. I mean, you can always complain about anything, but they've done an honest attempt at seriously looking at every supply chain vulnerability they could find in open source software and then categorizing them, which is, first of all, good for them, that's a lot of work, and then they try to categorize it in a certain way.

G: In a couple of cases they use different terms than I've used, whatever, but they've made a serious stab at creating a taxonomy, and some folks have even talked about maybe mooting this as something OpenSSF should more widely use. At the very least, I think it might be useful to try to do the mappings for this, because it helps us. You know, it's easy to create a list that is incomplete.

A: Yeah, I already see a lot of these... this is a good breakdown, and some of them are easy and obvious that we're already using, typosquatting, right. But...

G: This is great. Dependency confusion is in a different area. I would put it in your typosquatting, but they don't. They have a rationale; it's actually a different area, but that's fine, it's there, and there's a rationale for why they did it. So you can always complain about something because, "well, you did it differently than me," but I don't actually think that's the point.

G: You know, it's the best attempt I know of at trying to tackle open source software supply chain categories, where they do it much more methodically.

A: I'd love to see their taxonomy be adopted by, you know, the MITRE ATT&CK framework or something like that. That would kind of legitimize it, or make it mainstream, I should say. But, you know, having open source kind of lead the way and just make the decision, "this is going to be our taxonomy," that probably will send a message and others will follow.

G: So yeah, so I've actually been talking with the folks who did this taxonomy about their plans for maintaining this longer term. I mean, taxonomies obviously don't require the same kind of maintenance as, say, a software program, but they do require... you know, as new things just get discovered.
A: Yeah, no worries. You know, we are out of time, but I guess I'd want to just maybe close today with: here's our meeting notes, and if somebody is interested in us covering a topic that maybe we haven't covered yet, or would like to present at a future thing, you know, we'd love to be able to capture those. Now, if you have something, please shout it; we'll add it to our list here.

F: This was an extremely productive meeting, man. This was probably one of the most productive we had thus far. And... so we have the Town Hall this week. We're not going to be presenting this during it, but the Town Hall is great for all to attend as well.

F: OpenSSF Day is happening in May, May 10th. We have until Friday for submission if we choose to submit something for OpenSSF Day, so let's keep that in our thoughts as well, and if somebody says, "hey, let's present something that we're doing here during OpenSSF Day," throw that in the Slack and let's see if we can get a CFP together for that. We are going to be doing...

F: It's called "The Mustard and Relish of Supply Chain Security," and we'll be talking about S2C2F and SLSA and FRSCA during that panel discussion during the Open Source Summit. Adrian's got RSA coming up, so we have a few things on the radar here to pique our interests, increase our exposure and, first of all, get involved with, so keep it on your minds as well.

A: All right, fantastic. Yeah, we're now over time. Randall and Glenn, I'll follow up with you; maybe I'll play around with the course outline and that sort of stuff, and we'll keep communicating over email.