From YouTube: S2C2F SIG (November 15, 2022)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
B
Great, excited for this blog post to go out tomorrow and for the upcoming holidays.
A
B
A
You, me too, although as soon as Jay comes on I'm gonna go nag him, okay, and I've added it. Basically, we think it's all ready, but the blog post tomorrow, and I think we're going to get more activity.
A
A
A
Welcome, Brian. You can begin your effort to show up at as many meetings and groups as I have, no.
A
A
You know, there are some competitions it's best not to play, you're, to put it another way, this is not a competition you actually want to win.
A
And I say that in all, in somewhat of jest, because in fact we've got a lot of really awesome groups here. I can't cover them all and there's some really awesome stuff happening. So, you know, it's just, in some sense, I don't need more meetings, but on the other hand each one is, for the most part, each one's a joy. Alrighty.
E
A
E
A
Totally get you. So, okay. Actually, I think the time has started. Do we want to, Jay, it's your, I think it's your show, and Adrian, you too. So you want to just go ahead and get started?
E
Absolutely, absolutely, and thanks, David. All right guys, so we're here. This will be, I want to say, this is the last meeting before the Thanksgiving break, and then we'll come back. We'll come back after that, and then we'll probably have maybe a meeting or two before the end of the year.
E
Maybe one. People will be ready to break fast for Christmas. We don't suspect that this will be a long meeting. We just have a couple of things to share, the first being our blog posts, right? So we got those done and they look good. We still have a couple of, go ahead, David, yeah.
A
I was gonna say, Jay, I'm already gonna make you lose the meeting, because I'm going to give you an assignment, and that is, I think that the blog, final draft blog post is ready to go. But it's got your name on it and we want to make sure that, I mean, there were some very small tweaks. We wanted to make sure you were okay with that before it gets published.
A
E
E
Absolutely, and I did want to get with you on a couple of the comments too. Abby chuck had some really good comments, and some more comments I wanted to ask about. But yeah, I'll take a look at that. I've got to get on the plane at about three o'clock, so I'll take a look at it while I'm on the plane and we'll get those straightened out. Okay, yeah.
E
Yeah, so we got those for the group. We got those and we're happy to share them, right? You know, we're really happy about them. And then, of course, we'll pop open the repo. We made a couple of changes per a couple of the issues. We made some governance changes, so had some admin changes to support our movements towards, you know, the project, a specification, a project towards specifications.
E
So we made some governance changes, some admin changes in the repos, so we want to share those as well. And outside of that, I mean, I think this would be a short meeting, because we do want to make sure that time is given back to finish up things you gotta finish up for the week before next week. So without further ado, I'll pass off to Adrian for anything he's got to share and, of course, we can continue with the agenda.
B
Here we go. Okay, came off mute. Yeah, hello, everybody. So the blog is going out tomorrow. Is it all right if I share a sneak peek at the OpenSSF blog?
A
B
A
Yeah, so let me see. You know what, I mean, it's gonna go out tomorrow, so I don't know actually how we're supposed to handle this sort of thing. All right, you know what, how's this cat. Let me just ask, I'm making up a process as we go, but tell me if it was a process file. Do we have any reporters in attendance? There you go, all right.
A
The video won't be able to be, nobody's gonna post the video before tomorrow, and then it'll all go off embargo anyway, so I'm gonna declare it's okay to talk about it anyway, Adrian, and.
F
A
As long as you're okay with it. I just want to make sure, you know, the report, we promised reporters that, you know, basically, here it is, and drafts and that sort of stuff, so I want to make sure that we don't send it out to reporters before other reporters when promises have been made. That sort of stuff.
B
Yeah, that makes a lot of sense. Good thing to double check. Okay, so switching back over.
B
B
And yeah, so we've got Jay White and David A. Wheeler as the authors here, and, you know, just talking about it's a consumption-focused, consumer-focused framework and, you know, when coupled with a producer-focused, artifact-oriented framework such as SLSA, give software producers and consumers a complete guide for how to approach building and consuming software securely.
A
F
B
A
Let's see, and if I'm really clever I can find the tab. This is in, because I think I have suggestion rights, okay, but anyway, yeah, well, we're turning it down, because we want to make sure that changes are tracked at this point, all right. So.
A
Whoop, oh, I have editing rights. I didn't want to actually use them because, all right, so consumer focused, producer focused, nice, okay. And you can see basically what we've got here, which is, you know, you send a doc out to several people and comments ensue, and that's not a bad thing. It's a good thing.
B
Yes, and so then, you know, what is it? It describes the eight practice areas and how these eight practice areas are organized into four different levels of maturity.
B
It explains the four levels. We have a quote from Mark Russinovich, and it includes a guide to assess your organization's maturity and implementation guide that recommends tools from across industry to help meet the framework requirements for any company.
B
And then, like, in closing, we've got OpenSSF's committed to providing pragmatic, accessible frameworks. Maybe I should try zooming in a little bit here.
E
A
So it's okay to, yeah, it's okay to disagree! You know, I think in this case consumption's better because Queen a consumer, while, you know, I think the opposite of producer is consumer, sometimes the word consumer's implied like end users, and that's not what we necessarily mean. So I would say consumption and producer, they're just trying to be consistent here, and sometimes we've got to say consumers can, because those consumpters, I don't think, is a word.
B
Yep, and so at the end, you know, we're.
B
You know, highlighting the importance of this, because there are industry reports like Sonatype's State of the Software Supply Chain report that are highlighting how many attacks are specifically targeting open source, and, you know, open source represents a large portion of anybody's software supply chain. And so the calls to action at the end are you can view or download the guide, to get involved with the community discussion, and, like, a last sentence of, like, we're excited for your feedback and contributions.
C
By the way, there's another stat in there that might be even more relevant. Oh, that, you know, David, you saw the 96-4, right, 96. So in the report, and part of what I presented last week, we.
C
The downloads from Central, and of the things that were vulnerable, 96 of them were of things that already had a fix, was.
C
A
A
C
Let's see, what do we want to say? We might even be able to steal the words already from the report. Real quick, it's because I know.
F
C
Had this same conversation before, like, how do you describe that? Well, okay, let me see, what did we say? It's of the vulnerable, of the things, yeah, sorry, I'm.
C
A
I'm also looking, but being the author, you'll probably get there first.
C
Here's the link. Yeah, I can throw the link in the chat for sure. This is the chapter, and if you scroll down until you see the big scary pie chart I'm looking for.
A
Yeah, I saw it. I thought it was really interesting. I mean, the whole report's very interesting. So yeah, 95.5 percent of vulnerability things had a fix.
C
There's no one single pair sentence that I'm seeing here, and that's what I was hoping to just slurp out. So, let's see, you know, at the end of that section, there's.
A
This, okay, yeah, you know, but how common are fixed vulnerabilities, I think, is the, I mean, let me start, use that as a starting. In addition, 95.5 percent, okay, of no more, have a non-vulnerable.
C
C
Yeah, what he wrote exactly.
C
But yes, that's basically right, so protected.
A
A
F
A
A
Yeah, and you know what, but now that we've talked about the unintentional ones, I think the following sentence needs just a minor tweak to flow better.
A
And then I think, with that new digital sentence, I think it's even better now, because you're right, that's an.
A
F
D
Can I just ask a question about that? 95.5, is that for, have I asked the question, direct dependencies or transitive? So it's.
D
C
At the downloads, from the raw downloads, so we don't know, we don't easily know why they're downloading it. So we said, of all the things that are vulnerable, the total is 14, so 14 of the consumption happens to be of things known vulnerable. When we looked at that 14 and zoomed in, we said, of the things being consumed, when they were being consumed, were they known to be vulnerable? 95.8, 95.5, whatever it is, of the time they were of things that already had a fix available.
D
D
Well, mate, but so that's second part of the sentence, so developers are simply not updating the fixed versions. That's true! So imagine, you know, A depends on B, B depends on C, C is vulnerable, now fixed. B still references the older version. Right, consumer of A, I do not have a fix available for me.
F
A
D
C
Or not, usually, if it was just a vulnerability fix, it would be, right, so that's an excuse I hear, and it's technically not accurate. I know people don't like to do it, but, you know, I wouldn't be sitting there in January going, I'm not updating Log4j because my direct dependency hasn't done it. Like, I think that's a poor excuse.
A
Right, because, how's this, I don't think the stuff after the semicolon was really necessary, that the stat speaks for itself, right? You know, 95.5, there's a note and non-vulnerable option available, yeah, that hits you so far between the eyes that I don't think we need the rest of.
A
Okay, so if you don't mind, is it okay if we just spend a couple more minutes kind of talking through what's left? Because I know that Jay has to go on travel, and if we could resolve these last few items, that would be awesome. Everybody's okay with saying consumption focused instead of consumer focused?
A
I mean, that's what the document, the doc itself is, so got a.
A
E
A
A
C
A
You should mention that because, well, the last sentence, just before the bold one, talks about its connection with SLSA, which tends to focus more on producer, or, you know, what do the producers have to do, right.
C
That, isn't that, like, you can't, you shouldn't be able to get, like, SLSA level one, if that's the lowest level, I forget, I think it is, without at least being somewhat secure in your consumption. It feels like a prerequisite to me, but I don't know.
A
E
And I think per SLSA, so going into version one, the focus will be squarely on build and not necessarily source, and since the focus is squarely on build, what SLSA will be doing at level one would put in this, and please correct me if I'm wrong, I might be, whoops.
E
Okay, yeah, you lied to me. Artifacts and dependencies. The artifact that the, the artifacts of the dependencies gained two.
E
Good goodness Grace, I'm going to get tongue-tied on this one. It's the provenance generated through SLSA could potentially be used, or the provenance generated through S2C2F can be used to validate the level one in SLSA.
A
A
That, exactly what's going to be in 1-0 is still in discussion, that they wanted to just pick on a bigger one, and there were so many. But what do you mean by this is that they're intentionally scoped down a little bit so that it's clear and strong in what it focuses on instead. So Jay, I think you can let yourself off the hook. I would try to not say with exact detail exactly what SLSA is, and that way you're safe, no matter what they do.
A
A
All right, and let's see here, there's the 95 percent. We already agreed to that. I made a little tweak, adding the vulnerable packages, including the malicious and compromised, so that, because the first one talks about just the unintentional as well. Yep, all right, and we're excited to get feedback and contributions, Jay, and see, you know, see, or we are excited to get feedback and contributions, see organizations benefit and deliver on our vision for supply chain security, end, and Jay.
A
A
F
E
Yeah, I'll be leaving here in about, let's see, 35 minutes, 35, 40 minutes, all.
F
A
E
B
No, that was fantastic. So, you know, blog post agenda topic done. Gonna bring up these reference implementations. So when you come to our repo, you now see this new folder called reference implementation, and this is something that we were working on in the open prior to joining the OpenSSF, and we received feedback like, hey, rather than keep these in random Google Docs, let's just make them markdown files and have them.
B
So when you come to, you know, GitHub, you get just the giant table that explains the requirement and how we are implementing each thing. I define this as saying the goal is to show how far a GitHub project can get using as much native tooling as possible.
B
So I always look through the existing capabilities of whatever that platform may be and recommend those things, and in the case when they don't have native tooling, you know, we recommend, like, OpenSSF tools. And then we did the same thing with the GitLab one, and so this will be, like, a thing that will continue to develop and work on building these out for all the different platforms, and absolutely welcome contributions here.
B
B
That is a good idea. That's been brought up before. I think we just need to configure that and make that happen. We had, sorry, if we come here to the maintaining the specification, and we can update this as well, but so what we have written down here is: it's expected that many minor updates will occur, corrections to grammar, spelling, clarification and language. When these occur and are considered minor changes to overall content, will not warrant the regeneration of a PDF.
G
In some other, with some other groups that I've been working with, what they do is every time they're gonna, like, make a PDF, they'll upload it to releases, like, oau, suppose that occasionally, so therefore it's like the official versions are in releases, should you want to download them. And by the way, if you want to learn how to automate it, I do know how to make a PDF out of markdown and GitHub access, so recently learned, actually.
E
A
B
To screw up, anybody go for it, because I think we're done early with the agenda topics. Okay.
A
So anyway, hopefully this is okay. So it's not a requirement, oh, a requirement by OpenSSF that OpenSSF projects have protected branches, but it is something encouraged by scorecards, and so basically protected branches mean that you can't just edit the main branch. You have to create a proposal on another branch and then merge it in. That gives everybody a chance to review something before it's merged in. I.
A
A
Push the button, all right, all right. If you've seen the Monsters Inc, pre, Sully's car, you know, push the buttons.
A
All righty, and it has already, oh, it's not already done because I have to put in my security key. I haven't done it for, all right, but anyway, it's gonna happen today, so that just will give everybody an opportunity to review changes before they happen, which I think is what everyone wants anyway. Fantastic. Thank you so much for permission. Yes.
B
F
Hey friends, it was super quick one, and I dropped this in the Slack a little while ago, but I can't subscribe to the mailing list. There's some error on that, and then I'm not sure if you set up, or Jay or David, if it's not necessary thing, but who will I go bug about that permission, sir, on the S2C2F mailing list?
A
Okay, the correct answer for any kind of admin questions like that is operations at openssf.org.
A
The email, I mean, you can summon them via Slack also. I don't know if there's a separate operation, good question. I usually do email, but I'll.
E
Yeah, I don't believe there's an operation Slack, although you can reach Khalil through Slack, I mean, but I don't believe there's just a straight operations too. So I think it's just done through email, yeah.
A
A
Yeah, in some cases, I can actually do it, but yeah, I know some things and not other things. So if you send it to there, then it ends up in the right person's lap and they can't escape.
G
I just wanted to make a quick comment. It's a little premature, but I know that we've had discussions in the past about potentially, like, distributing this framework with the rest of our education materials, and if we were to do that, I just wanted to point out that very large markdown files are a little bit difficult to ingest. So I just wanted to point that out. I thought something that we have to do anything about now, but down the line.
G
A
Yeah, although, I mean, like, the fundamentals course is one big honking large markdown file, so I don't think it's exactly true that large markdown files are the problem. I think what you're concerned about is you want section headers and subheaders so that it's easy to find just a little piece with their clear name? Is that really what you mean?
G
That is, that is part of it, but in general, like, having very large markdown sections, we've noticed that there is a performance degradation on the SKF. So if we can make things that are more, shall we say, digestible, so, in other words, like, what we're thinking about now is making, like, sections entire, like, nodes. So therefore they're more easily searchable, and the information as a whole is more malleable. But yes, like.
A
G
So it is an SKF-specific problem. However, I do know that in the plan there is that API that we're trying to use to distribute content to other people, and I know that there's not something that we could do year one, which is why I'm saying it's a bit premature, but I just wanted to point that out.
A
A
So, even if SKF didn't exist, it would still be helpful. You know, I prefer to have at least one section heading a page, and maybe more than one, just because, you know, man, I got this wall of text I'm reading through, and sometimes it can be helpful to give, oh, I'm in this part, I'm in that part, another.
G
A
Yeah, there are disadvantages to breaking it up also, I agree, but I think I would say, let's start by just breaking it, you know, trying to put sections in if it's more than a page, and be primarily, if for no other reason, that's for signposts.
A
G
A
At least, I can't speak for all the education's sake, but at least for the fundamentals course we actually do update based on the OpenSSF materials. But usually we wait until it's a little more solid, like, for example, the record, the concise guidelines for evaluating open source software.
A
Will write down what I heard, not necessarily what was said. I sadly also make mistakes. Being human is a real problem, all right. So, let's see.
A
Hopefully that gets the gist. So I think there is very much, though, an interest and appetite even for creating educational materials based on this once we've got a solid agreement. And then I think, and maybe I can stick this, Adrian, into your ear, and, Jay, your ear, probably operate the group, you know, basically, do you think it should be integrated into some existing materials or might it be better separate?
A
Or, you know, we don't have to answer that question today, but I think we want to make sure that not only, most important is we say the right things, that everything's clear and accurate and all that good stuff. But then we need to make sure we get the word spread, and the most effective way isn't always the same. So, you know, think through how you would want to get the educational materials out there too.
B
Yeah, Randall, would love to learn more about where this might fit. If you could kind of give us a few pointers, happy to review it and take a look, yeah.
G
Absolutely, that's no problem. I'm just gonna throw this out there, that I think that the end user group and John, they were talking about, they've talked to me. We were going to integrate this into SKF, because I know John has a use case at his job for using SKF and putting security training together with that, and I know John's very interested in this proposal as well, or this framework as well. Yeah.
A
And I'm certainly interested in, you know, I lead the fundamentals course, which then gets sucked into SKF, but SKF also has all the labs and some of the other materials, so I'm also interested in at least trying to get the highlights. The fundamentals course is just kind of the most key points, typically, and then pointing off to more details. So it certainly would be interested in that as well.
A
There's already some material about consumption, of course. So, you know, okay, we haven't, yeah, so we don't have to make that decision today, but I think it's worthy of thinking through and starting that discussion.
B
This could be a topic to follow up on in a future sync.
A
A
You know, so, you know, SKF and fundamentals are obviously two places for it to go, and then there's also, here's the link there. What about connection to guide to evaluating.