From YouTube: S2C2F SIG (June 20, 2023)
Description
Meeting notes: https://docs.google.com/document/d/10Q_VOvKsGaYJoK-5yJY4868mTkYZjEo-6xV6ghYS84k
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group, formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
A: Well, technically, not North Carolina, but Virginia, more or less. Yes, yes, but it's a long drive, for if you showed up in North Carolina you'd be sad because it's...

B: The Transportation division there in Virginia, one says Fort Lee. I won't say it's Fort Lee.

B: You know, well, Belvoir was one of, was supposed to be one of my stomping grounds when I switched over to intel, and in cyber they do a lot of training and education there in Fort Belvoir.
A: All right, so let's see here, somewhere I should click and open the notes.

A: Yeah, maybe I should, you know, while we're waiting, I'll do the boring task, which is, we're trying to switch over towards tables because they convert to other formats like markdown much better.

A: Yeah, you've probably been seeing that out, sir, because the whole unshade/shade stuff, I mean it can be done, but it doesn't mean you want to.

A: I'm trying to do the basics here, so I'm gonna list you first, Jay. You are the man of honor here or whatever.

A: Sure, we can make things better, but I was trying to do the minimum viable, if that makes any sense.

A: While we wait for everybody to come in, I, you know, I'm just noticing, and going and look at that, and now I don't have to say or include org anymore, because it's right there.

A: And I'm gonna, yeah, and we keep track of this stuff. I mean we'll listen to anybody, but we try to make sure there's multiple organizations involved.

A: So, you know, in particular get worried when there's just, you know, nobody seems to be, it's only one org ever, so.
B: Well, hopefully the usual people usually join. Victor usually joins, and then we had a yard last meeting that Joe had used here. I fear, do the all. These are like two or three additional meetings on the calendar. Everybody joins that, fear that, you know, those meetings may interfere, or people may say, well, you have only so much time we can devote to the OpenSSF stuff, yeah.

A: I understand. We definitely want to try to make... We don't want to overwhelm people. I think there are ways that we can work that, and to be fair, this meeting date is kind of unfortunate, because this is right following Juneteenth, which I and many other people had off, so we may have fewer today just because of that. Adrian, welcome, yeah.
B: I wonder, I mean you got that one holiday, and then you have, and then it's piggybacked, and you had the two weeks and then you got another holiday weekend. So a week and a half, we'll be on another holiday weekend, Fourth of July weekend, another week and a half. I mean the people that used to pay, opportune time. People take vacation too, if they winner.

B: 15th of December, see you all next year. Just, there we go, all right, cool. So I guess we'll, for the purposes of the recording and the meeting in general, we'll go ahead and get started. I'll put in the Slack that hey, we're meeting now. So if you feel so inclined, join the meeting, but there are a couple of things we want to talk about today.

B: I know Adrian's been hard at work getting clear on some issues, and there's a couple other things you put down here as well. Also, we found out today that in a book that was just written by Chris Hughes and Tony, I can't remember his last name, but the foreword was written by Allan Friedman, Software Transparency. They gave us a good seven pages about S2C2F in that book.

B: Oh, hey Tom! So that's amazing stuff that we can talk about today as well. I mean I love that, and I bought the book as well. It's due to get here tomorrow, because, you know, I just put books like that on the bookshelf.

A: I just put the link in the chat. Oh, fantastic, okay, I'm gonna copy that right into the notes now.

A: ...it up, no, you didn't mess it up, I messed it up, so I can't be part of a link, and that turns out not to work so well, so, but through the power of selection and copy paste, I got it right.

A: That's great, that sounds, it... Has anybody read this book? Is this something that we should be, wow, 336 pages? Is that something that we should put on our beat zip list?
B: Supply chain security, so I imagine most of the chapters will interest me, but I'll dive in on the ones that don't involve writing code. So there you go, yeah.

E: So, and you know, inside Microsoft we have a special service where we can access digital books for free if we're an employee, so I started taking a look at it. We get, the S2C2F was mentioned in chapter seven, and chapter seven is called Existing and Emerging Commercial Guidance, and so they, I guess, analyzed a couple of different frameworks and guides. So they have SLSA in there, Google's Graph for Understanding Artifact Composition. They have this Center for Internet Security software supply chain guide.

E: They have the CNCF in there, they added the S2C2F. They have OWASP, OpenSSF Scorecard, and that's pretty much the whole chapter. So just kind of giving you insight into, you know, what they talked about in that chapter, so yeah, it might be a cool thing to recommend to others. I personally haven't read it yet, I just found out about it this morning.

B: We only got like a page or something, or a page or two in, I don't know how far we got, but there was some more nuggets there that we could chew on, that we need to chew on, so I wanted to make sure we have some time for that, yeah. Let's jump right on it, sure.
E: Okay, I'll share my screen.

E: And share, there we go.

E: Okay, so I don't think we're gonna spend too long discussing these other agenda items, but jumping into issue number fourteen.

E: Issue number 14, okay, so crosswalk with SLSA. So when we first published the S2C2F, it was before SLSA achieved 1.0, and we identified two requirements that we thought were mapped to SLSA requirements, so, you know, verify the provenance of your OSS. SLSA...

E: ...had this provenance for dependencies requirement, and under our Rebuild It section, you know, our Rebuild It section is specifically about rebuilding OSS that you consume, and SLSA had a, you know, make your build reproducible, that was like their aspirational level four guidance, and of course they're talking about the code that you're producing. I don't think that they were specifically talking about the OSS that you consume, but nonetheless I mapped the two.

E: And now when we look at SLSA, thank you, this is the 1.0, we've got, you know, choose an appropriate build platform, follow consistent build process, distribute provenance, then they have like generate provenance, with three different levels of maturity there, and your isolation strength. So I don't think the things that we mapped to previously are even here anymore.
A: I know the reproducible builds went off, and I can talk about that. There's been some, I guess, some early talks about creating a new track for that, although that's by no means a certain thing. The other one I'm, can we go back here? What was the mapping in, map from, map to? Because it sounds like you're saying that hey, there's no overlap, which is to me a little surprising at this point.

E: Well, you know, the S2C2F is hyper focused on requirements for securely consuming OSS, right, and SLSA was largely requirements on how to securely build software. So, like, producer focus versus consumer focus, right.

A: Right, I mean that's been the mantra all along. I'm just shocked that, just in the natural process of things, we've managed to eliminate overlaps, which is not what I was expecting. I'm the one who said hey, we can, you do it, you know, but I was expecting a little overlap, but I hadn't thought through, you know, as opposed to sitting down and doing the crosswalk, because, you know, I can remember that. I remember there's a little overlap, which your earlier analysis is.

A: That's correct, yeah. Now, I mean there is information about providing the provenance. I mean, maybe on the S2C2F side the answer is review that provider, or consume and use that provenance information when available, or something along that line. Oh.

A: In fact, I think that's the trick, is when we've got, no, I just realized your hand is raised, I'm sorry, okay, yeah, because I think it would make more sense for it, and by the way, appreciate the crosswalk, where SLSA produces something that is useful for consumption, that we point out, in order to do this, here's some data you could use to bring in to do that. If that actually makes sense, that's a big gift, of course, yeah, and I can give some background on the whole reproducible builds stuff.

E: Yeah, and so I think, like, if open source maintainers are following SLSA and they are producing provenance of their open source components, then this makes a lot of sense. Then we are consuming and verifying the provenance of the OSS that's provided by people that follow SLSA, right.
D: Okay, yeah, so in the last meeting we briefly touched on some of this, where there is a small overlap with the current specification, but there's also a gap between the two, and there's an opportunity to enhance that, and it is in the PDF and we can go over it again.

D: But there's very small overlap, and then Jay made a good point about the creator of a piece of software. Let's say it has no dependencies, right, it's brand new and it's dependent on nothing, right.

D: That's where SLSA comes in, and then S2C2F is where, okay, you're going to consume that package and other packages, and you need a framework to make sure that you are doing the right thing before you consume those packages, right. But there's kind of almost like an origin, right, like you have to like start from scratch, or assume you start from scratch, because SLSA right now, there's dependencies, right. So it just keeps going. It's like never ending, right, if you keep going down the transitive dependencies.

B: You know that back at this time last year, when we were talking about SLSA, and this was right before, you know, this is when David and kroven and Adrian and I, we were talking about trying to bring S2C2F into the OpenSSF and stuff at that time.

B: The conversations around SLSA, if you remember some of the stuff, was, well, we can attest to it, because, you know, what work we, the individual, is saying it's good, right, and that was respective of some of the instances where, like you said, you know, you're building it from scratch. We said we did this, we're signing it using our email address, right. That's when, you know, Sigstore was just coming out, we're signing it and we're saying it's good, and then I'm saying I'm...

B: ...anything, what are you guys talking about, but I think that's where, you know, the S2C2F community, S2C2F, you're not taking anybody's word for it at that point, and I think that's where the gaps can be filled, where you would have a truck, where trust is an issue. Now you trust the process.

B: There's a process now, right, at the consumer level, right, there's a process at the consumer level, where that process doesn't exist necessarily on the producer side, yeah, especially when you're dealing with, you know, a fresh, just a fresh build, there's nothing to depend on. Now you're talking about the processes on the other end, on the consumer side, so you don't have to trust a person. You can trust the process, right, so.

B: I mean that's my train of thought there, especially respective of trying to crosswalk, because I think we can crosswalk. I think there'll be some similarities, but I think when you bust down into what exactly we're talking about from one framework to the other...

B: They look similar, but in context they're different, right. You can build an argument both ways.
E: So Melba, I'm glad you have visuals. I'm very much a visual person, I'd love to see those later. So maybe we can come back to this when you share your visual with us.

D: Yeah, well, the visual I have for today is that PDF. I don't have a visual of the connections, not as of yet.

E: Okay, okay, and okay, I think we'll just, oops, I think...

B: We'll just crosswalk. I think the crosswalk, for what needs to occur, should be at the, I think that crosswalk should be at the working group level, not the SIG level. Think at the working group level we need to do, we need to figure out a tiger team to do this crosswalk and then present it at the working group level, just because it encompasses, yeah, two or three different SIGs underneath that working group, right, yeah.

E: But I do love this touch point where we have this requirement to verify the provenance of the OSS you're consuming, and SLSA is telling everybody you better produce your provenance and share it, right. They've got distribute your provenance, and we know that, like, the npm registry is also supporting this notion as well, because they started adopting Sigstore and they, you know, for certain builds...

E: They can attach the provenance of the build when they publish packages up to npm, and so it's like when systems start supporting the nature of provenance like that, that makes it a whole lot easier for, like, a consumption and validation story, which is great.

E: Okay, so moving on to the next, whoops, moving on to the next agenda item, creation of an FAQ. Wanted to get everybody's thoughts, because, what just happened? Oh my goodness, okay! So coming back to the issues, we had this one submitted by Reggie Chen a while ago, and we answered him, and just so that this knowledge isn't lost, I started thinking like maybe we should create an FAQ, not inside the guidebook.

E: But could we just create a new section in our repo somewhere, somewhere here, where we have like an FAQ, and we could have?
A: Okay, so all right, in the past, up until recently, most of the documents have been just dumped, markdown into GitHub, and sometimes in a couple cases Google Docs, particularly if they're expecting, you know, lots of simultaneous edits. Okay, there are pros and cons, okay, and so the Best Practices Working Group basically has a little short and some guides, and the complaint was oh my gosh, we're linking directly to the markdown in GitHub. These look terrible.

A: So the problem is that there is literally a billion, there's at least a billion ways to start with some source files and generate some pretty looking pages on a website. Okay, the problem isn't that it can't be done. The problem is there are so many ways it can be done that we could spend a lifetime just analyzing the options.

A: Okay, especially when you've got a whole bunch of people in another program. This is the, it's the bike shedding problem with multiple bike sheds, so, got it, so sorry, okay. So basically what I proposed is a process that I have defined as a simplest possible process, okay, the SPP. GitHub supports taking markdowns and generating them into pretty looking HTML. We can go configure it. Okay, the only problem with it, just the default way, is that each repo basically ends up with its own domain, but wait.

A: I will, very, now I think it's a helpful process, but I have already raised to the TAC the, I think, legitimate question of, is this really the way we want to continue or not?

A: So the TAC has not made a decision on that, but I think it's useful to at least be aware of this, and you know what, if this doesn't work for somebody, that's great! That's not a problem. You know, do something else. There's no requirement that everybody has to do everything exactly the same way, particularly if it doesn't work for them. Okay, I want to emphasize that point.

A: If it doesn't work, please, let's do something else, but if simply creating a markdown page and editing it and creating a little simple page will do the job, I like simple. So there is a link to the TAC document here, and I'm going to click on an example of what these look like. Oh wait. No, that's the ugly version! We don't want the ugly version, who wants that, so let me copy the link address to a pretty version.

A: So, you know, I think now is a perfectly reasonable time. I mean, you know, and all this is, is it's literally taking the GitHub defaults, doing some tweaks where they're, approach where we want them, for example, there's been a recommendation for a different font, so this one just switches to a different font.

A: Okay, and if it had heading numbers, it would have heading numbers, obviously, you know, but these are all controllable per repo. We don't have to do things this way. The TAC has not ruled on anything, but if you like it or hate it, now would be a good time to talk about this. As I said, the expectation isn't that everybody has to do this, but if all you need to do is serve some simple static pages, like an FAQ, yeah, edit the repo, merge it into the main line.

A: So we, as I said, we don't have to do that that way. One alternative has been, why don't we merge it into the top level openssf.org domain? The challenge with that is that it's a WordPress site, so there's extra work in working out a workflow to make that happen. There's no question that could be done: zero percent problem in doing it. The problem is now we got to work out the workflow and maintain the workflow. If we can avoid doing that, that's awesome!
E: Perfect, oh sorry.

A: So my guess, let's see here, what is the repo name that we're on right now, by the way, is it s2c2f, something like that? Yeah, yeah, so my guess would be, if we did that, and by the way, Brian basically said, and I agree, let's not create domains that aren't being used. Okay, you know, at the very least, let's not do that, so my guess is that there'd be an s2c2f.openssf.org if we did this approach. Now, I will note the Best Practices Working Group...

A: They put all their documents in a docs subdomain, a docs folder. We might choose to do the same. It keeps things a little cleaner from, you know, say, the stuff that you don't intend to publish on a site, but that's up to you, there's a million ways. This is the general problem, is, you know, a whole lot of us know how to write software. There are so many ways to do this, it's embarrassing, and it makes it actually harder to make a decision, because there's so many ways to do this. Perfect.
E: My next question was very, very relevant, and it's my last topic, and then we can hand this over to Melba. I would love to maybe write some addendums or supplemental materials, such as, like, how does the S2C2F apply to C and C++ scenarios.

E: Oh, that's great feedback. Yeah, we'd love to talk about it specifically, and like the things that I could talk about are how we did it inside Microsoft, but we'd love, you know, that's the beauty of working in this group, is that others probably have other best practices or what have you that they could contribute to it.

F: But, like, I think S2C2F kind of shows you can, like, read between some lines and figure out a golden path for how you ingest, how you introduce this code to your enterprise, how you describe it, what you do in terms of sort of governance, compliance in terms of the vulnerabilities, associating licenses, and, you know, the license clearing processes, all the way through to the inventory of what you've actually consumed and deployed or released.

F: Much useful, what you do for stuff you're bringing from PyPI you can pretty much translate to what you do for npm and Maven and so forth. The C and C++, most of it is obviously vendored in from, you know, as source and not from a package manager, and even just tools like PURLs and things like that, which are ways of achieving a lot of this framework, aren't an option or necessarily evident as an immediate option.

A: Now the PURLs actually should be able to work with that. The problem is you're going to have to use some of the lesser known mechanisms in PURLs, because the PURLs that most people point to are like Maven PURLs or PyPI PURLs, but PURLs also let you specify a straight up, here's the URL for downloads, and you can use that even if you would need special permission to download something, because all it is really is a string to use to identify something.

F: Are other sources describing it in that same way? An example being, we're blessed now with so many vulnerability databases, but some pretty good open source or open platforms, where things like RSB, where you can provide a PURL and find out vulnerabilities and things like that. I don't know if that's necessarily supported when looking to an external source for information about a dependency. It seems like something that's a little bit more nuanced, that needs kind of more things related to hashing and stuff like that to figure out what it is, and so, if you could, yeah, I'll describe it as...

A: Yeah, I mean obviously one approach is you share the cryptographic hashes and use that as the identifiers. I think those can be helpful, at least sometimes, but you lose a lot of information with that. I mean, literally all you get is this mysterious sequence of digits. You have no idea of the version or name or anything else.
E: Yeah, so inside Microsoft, so an example of what I can share is that, you know, where we use vcpkg as our method for consuming C and C++ OSS, and that tool, the way that tool works...

E: ...is they just maintain this giant list of recipes on how to build all the different OSS components, and every time you use that tool, it would go out to the public internet and grab the code that it needs and pull that into your build. Part of securing your supply chain is reducing your reliance on the public internet, also making sure that you cache your open source locally to prevent you from left-pad incidents, and so with vcpkg...

E: We didn't have like a repository manager, but we instead were mirroring a copy of the OSS source code, and then we could point vcpkg at our internal clone instead of direct to the public internet, and this in effect accomplishes the same thing as making sure we have a local copy. So we can always continue to build if, for some reason, the upstream has an outage or an availability issue.

A: Yeah, I will note that for left-pad it was more just, it wasn't just hey, the repo went down temporarily. They actually literally deleted the package, and I will point out that one of their solutions, which I think is quite reasonable, is, after a short period of time, I think it's three days, they just simply will not remove the package.

A: Presumably they would if it was legally required, but other than that they will not remove it, and I encourage all the repos to do that, because, while obviously large organizations can manage their own copies and caches, I think it's also good to make sure the upstream is more reliable.

E: Very true, very true, there's benefits to both. Okay, great, so like telling that kind of a story about, you know, how this is more, yeah, applicable to the C and C++ world rather than this, and kind of adding that clarity for people that fall in that scenario, that's something that I want to try to accomplish in the, you know, months ahead, and that was kind of the last agenda item I had, and we can absolutely hand this over to Melba.

E: Would you like to share your screen?
D: Sorry, which one we got? Oh, I'm sorry, I'm sorry, this one right here: integrity of an OSS package is tampered after build but before...

D: If you look at the attack, unfortunately I'm only sharing the PDF, I'm not sharing the rest of my screen, I have way too many things open. Okay, if you look at the attack diagram that SLSA has on their website, right, there's a part that talks about preventing tampering right after the build, right, and so there, with that diagram, it looks like there's a little bit of an overlap. After talking with Jay, right, he was explaining...

D: You know, like origin versus consumption, right, and worse also, would play versus S2F, and we realized that there is a small gap between SLSA and S2C2F where there could be a handshake between the two, in order to ensure that not only what you built is okay, but then right before you consume it that it's okay, and before I get to published, yeah. So before it gets published.

D: It's also, would have to ensure that there's build integrity and no tampering, and then once it's published, S2C2F would validate integrity, and there should be some sort of handshake, so that, I wanted to re-bring that up, because that part I thought was a small overlap, but there's also an opportunity to expand how the two interact.

D: After build, but before consumption, yeah, and again, I don't have my whole screen, but let me find the link for that attack. SLSA, I think it's like a threat, back, threat, threats or something like that. It's what it's called, threats and mitigations, maybe, yeah, here it goes. This is version one. Let me look for version 1.0.

D: Supply chain threats, found it. Oh okay, I'm gonna put in the chat right here for folks to see, but if you see, right, there's the, right after build, there's the S, G and H part.

D: So that's where my understanding of S2C2F and what I've read, right, I'm obviously not an expert, you all are. It seems like the frameworks start to talk to each other slash overlap right about there, and so we would have to make it clear as to how we do cooperate with each other, given that we're under the same working group. I know we went over these three stars last time. I think that's kind of where we stopped, and I kind of quickly zipped by.

D: There are some examples where we'll have to clean up, because it mentions Microsoft's technology, right. Given that now it's an OpenSSF, we need to make sure that maybe it says, you know, cloud itself is unavailable, right, or, you know, just make it agnostic. I forgot what this meant right here. Oh.

D: I think this was around the point of, we consider anything that's end of life, unmanaged or outdated a vulnerability, right, because there are risks associated to that, and so when you scan it, we want to also check for this, but it's not mentioned here. I think it's mentioned elsewhere, so I don't know what the group thinks about putting this in the Scan It, right. You would want to understand that way ahead of time. You don't want to find that out later, so thoughts on that.
E: Yeah, Scan It, SCA-3 is our requirement to scan it to see if it's end of life, so we just didn't put it in the practices section. We can, okay, we're gonna make that, bring that up. Okay.

D: Let me, let me, okay, so you said it's, you just didn't have it in here, yeah.

D: Requirement does have this, it's just not section, okay, so yeah, so that's minor, right. That should be a quick fix, and I think we mentioned this one a little bit, about contradicting the earlier statement about, you know, if you don't have resources and blah blah blah, then you can do S2C2F and you don't want to necessarily do repo, and I can't remember what you said last time about this, or is it this right here.

E: Yeah, so the guidance that we're trying to describe is that development teams should have a, okay, a package repository solution, a package caching solution. I guess I was, you know, when I chose that I was trying to look up, like, what is the industry term for what Artifactory is, right, and so I thought package repository solution described things like JFrog Artifactory and, you know, other equivalent things like GitHub Packages, Azure Artifacts, those, yeah.

E: They try to implement some sort of central feed that all developers in their company pull from, and that requires a lot of central overhead and other centralized expenses to manage it that way. Yeah. So when I talk about scale, I think there are ways that we can build in these security protections into, like, every local developer's...

E: You know, package cache, like each team has their own package cache feed for what their team uses.
A: ...is going to be right. I would worry more about making sure that at least they have some, you know, decrease the likelihood that their upstream are available, but for a larger company, absolutely caching the results so that they don't go away makes sense. I've actually seen two different approaches. Some of the organizations I've worked for, or hope to work with I should say, the whole point is to centralize it, because it's not that they want to just cache.

A: Yeah, yeah, but I think my point, though, is we have to somehow use our words to not suggest either of those two extremes, I mean. If you want to have that centralized, managed and approval process, you can, that's not the point. You can download from, you know, a package from its official source, but that's not the point either. The point is you're trying to prevent loss when it's not available or it was deleted from the repo or whatever.
D: Okay? So how do you know if it's approved or not? Who is going to approve that? What's the process, right? And so, if there is an expectation that we have to vet these packages ahead of time, because then we can say, okay, then teams can cache it themselves if they want, or we can centralize it, or we can do some sort of, okay.

D: If you can use this one and go to the internet and download it in your own cache, whatever it may be, right, there's still a process to vet that open source package, and even from a licensing perspective. I know not everybody has this problem, right, but from a licensing perspective we also have to vet the open source package. So no matter what, at least for a large enterprise, you have to vet those packages.

D: Worry that stating the scale part at the beginning and then expecting later on that you have to use trusted sources, it's really a conflicting message, right. You can't have trusted sources at a large scale, right, without having some level of processes in place, so there's overhead to vet those packages ahead of time. Not sure if I made sense there.

E: So trusted sources, we can maybe use better words, but, you know, it was things like: thou shall use or consume packages from nuget.org and not myget.com.

E: Those are decisions that should be made, to say, like, hey, your development team or your organization should make these kind of, like, upfront decisions, and then they need to be enforced.

D: Contradicting the original message at the beginning of the paper. Thank you, because you can't do some of this stuff without overhead, right, and...

C: All right, the...

D: Yeah, yeah, so some organizations may attempt to secure their OSS ingestion process through a central internal registry that all developers are supposed to pull from, right, but it has a problem of requiring a team to manage a process and workflow, right. So whether it's centralized or decentralized, the later part of the paper, you're literally saying do this.
B: Melba, the way this reads, just reading it, I can see how you got there. When I read this, I don't read, and that's maybe because it's the way that I'm reading it, I don't read where it says do this. I read where it says some organizations attempt to do this. However, what happens if this person does this? Is there anything preventing them from doing it?

B: And then it says a centralized registry has a problem of X, Y and Z, and then it talks about, there are some tools that help organizations do this, and then down at the bottom, I don't think it even, I don't think it suggests to do this down at the bottom. I think it says "such", I think down at the bottom...

B: It even says, you know, this could be a way, and if you do this way, you, so down here it says, you know, have the ability within your organization to audit consumption, and that's regardless of whether you do it that way or not, yeah, without the ability to audit it, and then it says, through some type of a standardized consumption tool, that just says "such as", so you could do whatever you want to do there.

B: That's due to whatever processes or procedures you use to determine that trusted source, but that still doesn't mean that you have to create a centralized registry, although that might be a preferred method, but I guess what the thought process is, some organizations may not financially have that capability. Regardless...

B: You must be able to audit how you consume, and I think that's the crux of that part right there. Up above, I'm reading it saying organizations can do this, but there's a problem with doing it, and then, in order to solve that problem, you must be able to have access to certain tools, such as, right.

B: How I'm reading all of that, I could see how you got to where you got to. When I, wait, I'm reading it, I'm saying "such as", I only see one "must", the ability to audit. I don't see that happen anywhere else, and consumed from a trusted, right, and I agree with you here, define what trusted is. If it's not defined anywhere, definitely define what that means, but I think that there's one "must" and that's all, because everything else is like, you can do this, but you need this.
A: Yeah, okay, that's also my reading, but I totally see how Melba's getting, I also think this needs to be modified to make that much clearer, because I've worked with some works which actually do do the "you must use this", go through, and what I, again, I've not actually worked in that situation, but my understanding from those folks who are in that situation is, wow, is this hard? You know, the central org is always hideously behind, because it's always hard to fund the central org, they always get...

B: Yeah, I was going to say, the hard part about that, I don't even know if the money's the hard part. I think it's the SLOs are the hard part, especially if you can't guarantee like a 12-hour turnaround and now you're into 24 or 48, and guess what, you've only got 40 hours to turn over whatever you need to turn over so that you can beat the clock into GA. So I'd say the time limits are your biggest photos.

D: Yeah, you all have this, so I can always do an asynchronous session if you need me to, but I do have to drop. Cool.