From YouTube: S2C2F SIG (February 28, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group, formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
B: I'm good, you know, Adrian's out, my skip is also out, so it's kind of quiet, but it also feels like I'm in charge of more things. A lot of more people have been started asking me for things because they're like, Adrian's out, and I'm like, oh I don't know if I got the answer, but I try to help. You know, it's good.

A: Well, hopefully we have a decent turnout today. I mean, I know the last few minutes has been pretty shy on the turnout, but hopefully it's a little bit. Otherwise we have to go back into reaching out to people again.

A: Yeah, I mean it's usually like, I mean, well, the SLSA meetings, the main one's pretty large, and then a couple of the SIGs get a little smaller, but it's usually decent turnout around the majority of them, and there are a few that's on like a few people, but you know, all important work is done.

A: You know, just this one is hit or miss, and that's because we missed a few weeks into this year, and of course, you know, you do that, you pretty much got to start all over again with the outreach, right. But maybe that's what we have to do, is start over again with the outreach.

A: Maybe I can do that now. Let me see, you know, we got some people in the...

A: As an answer to a couple of our... so we're talking.

A: Getting somebody to help us edit the doc for ISO, that price tag. It seems that we can get that. We can request funding from the TAC, from the top of that, a little three to five thousand dollar clip to do the editing. Oh yeah, I didn't even know that, but once I learned that I was like, oh, that's something I need to bring before the SIG, and if we can get a yeah on that, go ahead and vote that to the TAC.

A: I imagine that we need to do like a quick write-up or something like that. But it really is, you know, putting up an issue on the site, putting an issue on the TAC, saying: hey, we'd like to, you know, formally request, or put up an issue, you know, request funding for ISO format edits for S2C2F, and then your proposal from there, because we are already at 1.1, right.

A: Yeah, we got, we're gonna be doing... I don't know if Adrian mentioned this to you, because we had a meeting last week. I don't think you were in with us, but we're going to put together like a nice little eight hour training block for S2C2F. What he doesn't know, that I'll tell them, is that we're going to try to get it...

A: We're gonna try to get a day on the calendar at Open Summit for this one day, eight hour block of training. We're gonna, I'll see if we can either get a room at the hotel or get a room at a nearby location. But that's going to be something that I want to bring before the SIG here. That's something that we're gonna actually do.

A: So all things that accomplish that effort should be within the constraints of budgeting, right. We should be able to accommodate that.

A: I mean, it's like, you know, they don't play up there, like if you come up on their, you know, where they look, that they run you through the computer. You come up with anything, but it gets really hard if you have a prior, whatever, traffic infractions, even. It's a little sketchy, but mm-hmm.

A: I mean, you're driving from one place to the other, like I actually have Global Entry.

A: Well, we're looking at, we're into like almost 15 minutes. I'm assuming that no one else is joining. You're welcome to drop off, hit Teams and start talking to me about that show that would not go mentioned here.

A: I'll stay here, stick around for another few minutes, see if anybody else joins. Okay.

A: Andrew, hey Jay, I was about to adjourn the meeting, we're already 20 minutes in, and so far it's just me. I was hanging on a while to see if anyone would join, but I think for the purposes of what I wanted to tackle for today, you know, probably requires a few more people. There goes David, oh goodness, this is the... so David, I was just saying, I was getting ready to adjourn the meeting.

A: Well, I mean, you both are here now. I mean, the agenda is pretty, I want to say pretty lofty, but I want to make sure that we have enough time to go through it. Let me make sure I post the agenda and notes here in the chat.

D: Okay, this is the new spec format, format edits and so on. Is that what we're talking about?

D: One, two, get that new template by the way.

A: Well, we got, so, the template that we have is the one that's inside of the license. The community spec license.

A: Yeah, you know, I mean, the things that that license is, is, you know, how often is that updated, right? We should probably make sure either way. One of the things I wanted to talk about with respect to the formatting is that I learned that we could potentially request funding from the TAC, so I know that in the JDF I was talking with Seth and Jory, and to get Rex, who's...

A: Who does the ISO format editing or whatever it is, out of the JDF. He's a contractor, and he usually charges anywhere from three to five thousand dollars, to my understanding, to help with those edits, and I believe, I learned that we can request that funding from the TAC. So if that's the case, I wanted to bring it before the SIG to discuss.

D: Just so you know, this is a technicality, but I feel like I've got an obligation to do it. Technically, what the TAC just reviews a proposal for, you know, merit; the governing board in the end is always that.

D: So I feel like I'm duty bound to say that. That said, the governing board has actually approved certain funding ahead of time for certain areas, and, you know, although the governing board has the final say on how funds are spent, as a reality they always ask the TAC: hey, give us your cut. The governing board doesn't have to do what the TAC says, but they always want to know.

D: The real life process is bring it to the TAC, and then, well, if the TAC says no, you can actually still bring it to the governing board, but your odds just went down, whereas if they say yay, the odds go up. Usually the TAC is more interested in yes-buts, and then they'll have some suggestion for you. Yeah.

A: So great that you say that, because that's actually how it was told to me. It was said that the governing board has already said: look, for certain dollar amounts, don't even approach us with that. If it's not egregious, right, you can, you know, approve it down there, let us know and we'll cut the check, but don't bring before the governing board like small denominations of money, right.

D: Right, right, well, I would word it differently, but the result's the same. Basically, the governing board has pre... In the end, the governing board is the decider, but the governing board has pre-approved certain things. Yeah, but while I would word it differently, the result's the same.

A: Well, cool, and so to that end, you know, like I said, I wish we had more people on the call so we can get to the gays, but yeah, I guess we have another three of us here. I think, you know, however that wording goes, help me out with it, but I think if that's the direction, went ahead and we could put up with. Is it as an issue that we create on the TAC?

D: Yeah, post it as an issue on the TAC. I mean, you can raise it multiple ways, but I would raise an issue to the TAC, just in case it might be missed. You could also post it to their mailing list, but yeah, I would put it to the issue.

D: The reason for a GitHub issue is the TAC will see it, but others can see it and chime in. Now, this is not... usually the debates are on technical matters, right, I mean, this is a "hey, want to reformat", I don't know what the technical issue is here, but that's the, you know, we want to be open and transparent. So, you know, follow the process.

D: You know, in the end it has to be raised to the TAC, and while there's multiple mechanisms, GitHub issues is the easy way to do it, absolutely.

A: Okay, good, so, you know, make sure that we get that done. Adrian and I had a good call with Glenn over in SKF, and I want to say his name is Tom Serewicz.

A: Glenn, not Glenn, is it Glenn?

A: Right, from the SKF stuff, you know, he's in the best practices working group with us, yes, and then S-E-R-E-W-I-C-Z is his last name. Tom? Is it Tom? I can't remember.

A: He works for the LF. The... oh okay, yeah, I can't, I have his email address, just can't remember.

A: In the SKF and creating LF training modules, so creating training modules that are both on SKF and on the LF, and I think we were looking at doing something like an eight-hour training course, actually modeled after something you did, David, with some of the training uses, like a nice eight hour training course. But we talked about that on Friday and we were exchanging a few emails back and forth about that as well.

A: To get that kind of off the ground. One of the, Tim, Tim is his name, one of the other things that we were thinking about doing with that was seeing if we can't get a day on the calendar at the Open Summit or, you know, if it's either at the Open Summit, if we can do it at the hotel there in Vancouver, or if we have to find another room somewhere else, but to get a day, good as.

A: We're talking about a day for the training, to do like an eight hour training. Oh, a day of eight hour training during that time period, that's a bit heavier of a, yeah.

D: That's a heavy lift, and especially earlier on when we still, I mean, S2C2F is still, I mean, obviously they've made great progress, but I think there's a number of things to be fixed up before I would, you know, make sure the i's are more dotted before we do a lot of training modules.

D: You know, doing the crosswalk between that and SLSA and FRSCA, but I mean, it's the right thing to do. It's just I would do them in a different order, but, you know, now as far as the eight hour track. So let's talk, you want to talk about training and then we can come back, because it is a good thing to look ahead towards, so I can speak a whole lot about this because, I mean, you know.

D: We've got that online course. I've talked to them extensively. I mean, there's alternatives. Andrew, by the way, are you familiar with Linux Foundation's training stuff? I'm...

D: We want to make sure that people know stuff. There's no obligation that we specifically go through LF training, but the Linux Foundation actually has a training and certification department, where basically they make sure that the courses, you know, basically, if you want to sign up for an online course or for an in-person course, there's a lot of, I don't know how else you call it, scutwork, you know, keep the site running. You know, people have a problem with their particular system and, hey, it's not working.

D: How do I fix that? Okay, they handle all that stuff. Okay, for course content they can and sometimes do contract out to develop course content, in some cases even in-house, but usually we depend on someone else to create the course content. So, for example, I developed the course content for the Developing Secure Software course and then worked with them to get that deployed on their site, and they manage the whole registration and making the tests and keeping the site running and giving people digital badges.

D: So what they need from us only is create the course content. They're pretty flexible about how you get the course content, but the approach that I took and I would suggest is create it in something simple. I mean, you could use Google Docs; we used markdown. We actually did the first version in Google Docs and then converted it to markdown, and that way, every time we make a change, we can share with them, hey, here's the change, and they can go make sure that it implements in their system.

D: There is an annoyance that there tends to be kind of two stages, where you create the content and then you tweak, but the systems generally want to do it that way. It's kind of a pain to do it either way, and since you don't have to deal with it, it works out just fine. They can support video and audio and all sorts of goodness.

D: However, they have an interesting recommendation. I mean, if your material is very short-lived and then it goes away, videos are awesome. The problem that they have with videos is that they're really hard to update, and SAFECode is probably a fabulous example of this. SAFECode created some really awesome content, but it's so expensive to update that it's basically frozen in the past, and, you know, they've...

D: They have all these awesome videos about Java, and what they mean is running Java on your client as part of your browser. Nobody does that, okay, but it's really, really hard to update materials, and so it doesn't happen, and so, while they can support videos and do, they typically suggest: try to do a lot of simple text, simple quiz things as you go along. By all means, you do video introductions, maybe some video snippets, but while they can support it, there's a lesson learned about updateability, which is really important.

A: No, no, no, no! No! No! No! No, none of that, so yeah. We, so the call that have explained as much but very easy, say, I say easy process. The thing about S2C2F is that there's already eight practices. That's right! That's right! There already, now I agree with you, David, i's dotted, t's crossed, but with those eight practices that are there, I don't see those changing, I think, contextually.

A: Those are already in place and we can actually build modules. We talk about those eight practices, save for adjusting the entirety of the spec, you know, to make sure that those i's are dotted and t's are crossed. I think those eight practices can be okay.

D: I think you're probably right, but, you know, we keep coming back to the... we really need to do the crosswalk with at least SLSA. I know it's been on the to-do list, but I would like to, I would strongly, look, I mean, I can't tell you to do anything, but yeah, I would strongly recommend: do the crosswalk first. I don't think it'll be that hard, and if there is an issue, I think we'd rather know sooner.

D: Fair to argue that there's always going to be changes and improvements; heck, that's true for the development course as well. There's actually a meeting earlier today, we talked about one particular area that, you know, used to be really important.

D: Maybe we can drop it now, but, you know, we need some security folks to verify that it's obsolete, but presuming it's obsolete, we'll drop it and that's okay. But that said, I just would like to eliminate any conflicts, just because I'm afraid, that's something I want to avoid. I'm not expecting any, but I think it would be wise to know.

D: One step ahead, so if you don't mind I'm going to write that down. You know, David, oops! Aren't you, that's not here. All right, so I've been putting count notes in the wrong place. So let's see here. So this is really kind of its own point.

A: But so, yeah, we should probably see if we can't get that on the book sooner than later, too.

D: Here, let's do, let's cross-compare with SLSA first. I mean, they've already, they just, they're putting up a draft for V1, so they think they're nearly done with at least the build. Now they've decided to break out the source code control separately, but for at least the build part.

A: Yeah, I mean, you know, we had a meeting this morning in the positioning thing, you know, talking about it. I feel like, you know, there needs to be some scoping done on that source part, what exactly does that entail. I think as far as the dependency management piece of it, I think that we're pretty solid there, but I do agree that there might be some, it doesn't...

D: Now there is one other thing that comes to mind. I'm not sure, you know, the early part of S2C2F, which is really an awesome part, was basically a list of threats and how they map to the rest of the doc. Yeah, there are. There is a proposal up to the TAC of maybe using this document, as for at least the supply chain attacks, as the official taxonomy. Now I don't actually think it'd be hard to map what S2C2F currently does, but yeah.

D: Right, so I'm being recorded, so I'm gonna be a little careful here, but I am in conversations, I have had some brief conversations with the PhD student who's been doing the primary work on this thing. Okay, first of all, I want to be careful, no promises, okay, but the student is, say, first of all, this is really great work. I mean, you know, I would organize things a little differently; in particular, I would have put the dependency confusion in a slightly different place, but it's there.

D: That broader picture, that's very impressive, so it turns out that this particular person has done some awesome work and has two problems. One of them is sustainability and the other is, well, actually I guess it's all the same thing, which is sustain over time, keeping it up to date. Yeah, so I have briefly started discussions, no promises, that I know of an organization that's very interested in supply chain of open source software, and, you know, it might be a very good place for it to live, yeah.

D: So, if that, you know, so you know that, and we are never interested in taking over somebody's project without, you know, what do you call it, a hostile fork? Okay, even if it's legal, we have zero interest in that stuff. But if the people involved, you know, they're academics, they want it sustained, but they can't really justify it over time, and we want it sustained because we maybe want to use it, that might be an interesting road. As I said, there's no...

A: I'll tell you, when I went to a few different SIGs and a couple of different working groups with this, uh-huh, and I got head nods, that same individual that you're talking about emailed me directly and said that he wants to be in on the SIG and in on helping me write the proposal to create that taxonomy, so it can live and breathe and be a working document. That's con!

D: Okay, all right, you.

D: I think, you know, I think what we have, I don't want to mention this person's name more because they haven't allowed me to talk or say that publicly, but, you know, I think I've been a little coy. I think I'm gonna just ask them directly if they're interested, and, you know, obviously I view this as, I don't know of a better analogy for this, I view this as dating towards a potential marriage. So, you know, both sides, both parties, have to agree to the union.

D: If it will, you know, OpenSSF, you know, has to agree. These other folks have to agree. Otherwise, you know, carry on and we're all glad for you, but yeah, but I think I'm just going to raise it direct, and if they're interested, start raising it further, because I don't, by the way, for that, I don't see a conflict between S2C2F, I would be interested, again, another quick crosswalk.

A: Is that if we go down that road and we create that SIG that does nothing but builds this one common language across all of the OpenSSF itself? Then ultimately we're going to have to change some things in S2C2F and SLSA and whatever, and anything else underneath the Supply Chain Integrity working group, because we're going to have to work off of that one taxonomy that we're building in this one area.

A: That's supposed to govern the conversation that we're having everywhere else, so that's definitely worth the effort, but also puts out more work for us in terms of the crosswalk later on.

D: Yeah, yeah, all right, so I'm going to ask, basically, you know, if they're interested in having the OpenSSF sustain this, and, you know, and then note that everybody, all sides, have to agree, but, you know, nevertheless, I think I've been very cautious and indirect, and I think maybe that's no longer time for that. I can't promise the OpenSSF or either side, but I can say, you know, how it would work and then see if there's interest.

A: We're looking at about 15 minutes left in this hour. I know that we could just sit here and bat that around, but I think we have a good game plan with that. I do want to make sure we talked about the positioning meeting, at least the podcast.

A: As far as this, this one's real quick, we had the first Supply Chain Integrity working group positioning meeting today. So what that meeting is? We have the SLSA positioning meeting first.

A: But what, as a working group, we said, you know, we're just focused on positioning one of these frameworks that we're working on. We got a few other things we're working on here. We should really be talking about how these things are bridged together, working together, and then we should be positioning them in such a way that the conversation is a bit more...

A: You know, broader, a bit more unified across all these different efforts, so we had the first positioning meeting for all three of them today, which is important, because if you, you know, I'm there, yep, a few others of us should be there as well to make sure that we're speaking in earnest. I'll tell you.

A: We just had the RC1, RC version one, blog of SLSA that was released this week, and then, of course, there were a lot of... first of all, the blog was great. I mean, you know, it had a lot of good information and it talked about the build track and talked about where they're going. Of course, one of the things I had with that was: why didn't we mention anything about the OpenSSF and stuff in that blog?

A: That was my concern, because, you know, the blog didn't originate within the positioning sync like it should have been, so wondering why there was no mention of it. Of course, I had my feedback to it, and I mentioned as much in the feedback that I was giving during the creation of the blog, but one of the other things was that it did not originate within the OpenSSF itself, and that was the other concern, so we're trying to prevent that from happening again. Okay.

D: I mean, I have no interest in stopping people from posting blog posts outside. So, but that said, hey, connecting things together, awesome.

A: Yeah, so yeah. So that's the effort that we've definitely undertaken, so I wanted to make sure that was mentioned here.

A: Let's see what else we got. We have the, oh, there was, was discussed on the Open Source Security Podcast, and, you know, the podcast is there? So please go into the podcast, hear about that. It was mentioned by Joylin Kurui. She's out of Kenya.

A: So that, when we're asked certain questions, we can provide certain answers that are in line with the work that we're doing and all that kind of stuff. Great that it was mentioned, and I've had the pleasure of speaking with Joylin directly, great individual. She just wasn't armed with the meat that she needed in order to provide a lot, the bright insight, so we want to make sure that we get that right for next time.

A: Okay, let's see, then of course it's the inclusion of patching tools in the Security Tooling guide. I'm all about that, any time that we can find branches into other working groups, into other SIGs, and vice versa, right, any time that we can combine efforts and have that collaborative and cooperative effort across OpenSSF. So that's always warranted, so yeah, I'm all for that.

D: Now I should warn you that right now, because so many organizations are kind of pressing to respond to both the US and EU presses for SBOM, the Security Tooling working group has been kind of, I would say, a hostile takeover, except it's from the inside. I don't know what you call that.

D: Not a coup d'état, because, I mean, when the lead does it, it's not... you know, I guess a temporary change of direction. They have decided that they are going to, for the moment, focus on SBOMs, SBOM generation, because, while all tools good, you know, more tooling is good, automation good, the SBOM area is the one where that's just not, you know, that's not what we've been doing in the past.

D: I mean, it's hard to describe it. It's a discussion primarily of the main fuzzing implementation and users, implementations and users, but if you want them to do something else, like focus on patching tools, I mean, in one sense it's pretty connected to SBOMs, obviously, because once you get an SBOM, you want to cross-compare to the problems and then start fixing.

D: But if you want to start something, get it started up, you may have to form another group, you know, within the tooling or somewhere else, because they have expressly decided they've got to focus for now on SBOMs, yeah.

A: This was a mention from Sarah Evans, okay, and I'm assuming Sarah Evans is part of that Security Tooling working group. I don't have a, well, say, I don't have a dog in the fight, but I agree.

A: Okay, sure, Security Tooling working group is SBOM everywhere at this point, so that's, I mean, both stated. David, I feel like if there's room, excellent. You know, maybe after we've solved, maybe after we've cured the cancer that is SBOM. Oh.

A: We cured that cancer. You know, I mean, in the positioning meeting we're talking about, there was a blog mentioned about SBOM, MBOM, DBOM, EBOM, all these BOMs versus SLSA provenance, and please, for the love of God, I chime in on that every single time. I had to bite my tongue on this one. I don't even understand why these are topics of conversation, that that is the purpose of conversation.

A: Anyway, once we get SBOM solved and we get VEX started, perhaps we can begin to think about other tooling as well, so I agree. You know, you gotta focus on one scope, focus on one for us, finish that and then get to the others, yeah, just because of the importance of it at this point, yeah.

E: So do you know, like at Gentoo and most distros keep like a patch, like we have ways of patching software, but besides the distros, are there, do you know of anyone, like, because I know like there is kind of that old recommendation that you should review every patch before you apply it and whatnot. But do you know of anyone that still follows that, or not really?

D: And he dropped off again. Randall, whatever tech you're using is not your friend today.

D: You now, yes, but it is touch and go, I'm sorry. So when I was, Randall, you might want to type it in, yeah.

D: All right, and the other question is: can you hear us? So how's this, I'm going to riff and then we'll see where Angel said, but my experience is that there are both binary and source patches, but almost all patches are source. Sure, there are binary also, but nowadays they're typically generated from the source patches. So, you know, you make a cake, and in my vernacular patch just means change.

D: Sure, I mean, lots of organizations do that, but I'd put a whole bunch of caveats on this. I actually know of some organizations, and this is bad behavior and hopefully it's mostly gone, where they would directly patch the binaries, not change the source code. You would actually open up the binaries and here's the change to it.

D: You know, if you were running on, you know, an old mainframe, you know, and all you had was the executable code and you didn't have the source and you had to fix it, that's what you do, right. You know, but I think modern software is so large.

D: Now, and, you know, one thing, basically the source code, if you don't have it, you already know it's a disaster. Sooner or later you're going to have to figure out the source code, so you grab a decompiler and create a source code and then generate things again. So I think the use case for someone who is patching binaries directly without editing source code is almost nil.

D: That's a pretty weird, rare condition today. If you're patching binaries because you've modified the source code, and then you just want to update just a binary that's already out there, there are a lot of tools that do that, and yeah, a lot of organizations do that. It's an optimization for distribution. I know Microsoft does that and I know a lot of organizations do that. It's a lot! You know.

A: You're not wrong at all. I think for the purpose of what we're talking about here is just, you know, including a tool, including the tool or the further development of the tool that we can include from this framework in the Security Tooling working group. I mean, you know, finish what we're doing in SBOM first and then bring that over, but in terms of patches, you know, I did, you know?

D: No, that is terrible business, yeah, so I agree with you. I guess here's what I've been assuming, and I'm gonna put this, since this is the S2C2F SIG meeting, it seems like we should talk about S2C2F, yeah. So let me connect it back from an S2C2F perspective, and Jay, you can tell me if this is wrong, maybe that's not adequately clear.

D: You know, typically when a group, an organization, sends out a binary patch, it's an optimization to say: I assume you already have version X, here is the patch to change this to version X.1, and it's just a way so that I don't have to send the whole thing, because you already have the previous version right now.

D: If you don't have the previous version, you then have to download X plus one, but in either case I've been assuming that, whether you download the patch or you download the whole thing, it will end up as exactly the same file that has a hash and hopefully a signature, and that's what you're checking. And so let's say that somebody distributes a binary patch to a file and your tools screw up either the sending or receiving. Well.

D: Obviously that's terrible, but the good news is that on the receiving end, the first thing they do is reconstitute the new version, check the hash, check the signature. If it's wrong, nothing else happens. I mean, it's not good, obviously, if your tools have that kind of pretty substantive error, and most of these tools have been tested over decades, so it's pretty unusual today to have that kind of mistake. They're relatively small programs, but, you know, it's certainly not that software can't make a mistake. It's not that someone can't write a mistake, but.

A: I think the only thing to be careful on is whether or not, and it depends on what we're talking about, whether it's the third party binaries or just the open source components themselves, but if you're mirroring repositories internally, you're gonna have to know, or learn, or get notifications that there have been patches or there have been updates to versions of the components that you're using, to re-mirror those repositories. Unless there's a sync.

A: You know, some type of a sync happens where, if there's changes or things every week or something like that, right, because what you don't want to do is mirror bad components, right. So, you know, there's got to be some type of a notification. Then I think the only issue is what you see in most organizations today is they're using components that are not the right versions, because the repository itself has the wrong version still, or have not been patched properly. So, okay.

D: Know what, basically the difference between, you know, the assumption I've been making generally is that when you receive a patch, step one is you reconstitute it to a binary, that you reconstitute it back to a full new version, which is then, you know, installed and updated, because otherwise it's plausible that someone who downloads version X plus one and someone who gets a patch to create X plus one will get different things. That's.
D
A
You
know
what
I
I
I'll
go
out
here
and
I'll,
say:
I,
don't
think
so
and
that's
okay,
I
say
it
might
make
a
mention,
but
I
don't
think
it
I,
don't
think
it
does
and
I
think
that's
something
that
we
can
actually
write
in
here
to
make
yeah
s2c2f,
so
I
think
I.
Think
I
think
that's
important.
That
part
isn't
this
whole
conversation
is
important
to
make
sure
it's
in
it's
in
the
spec
yeah.
D
So
if
you
don't
mind,
I'm,
gonna,
I'm,
gonna
create
a
new
issue
within
sdc2f
binary
patches
in
ensuring
that
binary
patches,
when
reconstituted
constituted,
are
the
same
as
the
original.
D
Okay,
what
is
today,
by
the
way
this
is
February
28th,
ooh
last
day
per
discussion,
2023.
all
right,
so
I'm
gonna.
We
need
to.
E
Does
it
because
they
don't
have
they
don't
really
bump
their
version?
Numbers
there's
like
I,
could
tell
you
right
now,
there's
like
three
or
four
hundred
commits
over
the
last
version,
so
it's
unavoidable.
You
have
to
patch
it
manually
in
order
in
order,
if
you
want
like
it
to
work
like
normal.
If
you
want
it
to
work
like
it's
really
old,
then
yeah.
But
if
you
want
it
to
work
like
normal,
then
you
have
to
patch
it
manually.
D
D
D
You're,
seeing
is
some
really
really
old
software
following
in
some
cases,
some
really
bad
practices,
I
would
argue
because
I
was
around
then
they
were
bad
practices,
then,
okay,
so
so
so
the
failure
to
learn
has
continued
and
and
for
my
ex-org
friends,
I
love
you
guys,
but
some
of
the
things
you
do
are
insane.
D
You
know
I
appreciate
the
results,
because
I
use
them
all
all
the
time
and
I
do
but
yeah
so
I
mean
really
the
the
fundamental
problem
here.
Is
you
know,
sharing
a
patch
a
patch
in
the
old
terminology
is
just
a
difference.
It
could
be
the
source
or
binary
and
really
every
time
you
create
a
get
commit.
The
difference
between
that
and
the
previous
commit
it's
based
on
is
the
patch
and.
A
D
Right,
okay,
so
how's
this
for
one
thing,
I'm
gonna,
add
I've
already
added
the
issue.
It's
issue
13.
C
D
Because
I,
don't
you
know
at
first
I
was
going
where
the
heck
is
Randall
going
with
this
nonsense,
but
I'll
go:
oh
okay,
yeah
you're
right!
You
know
when,
when
you
download
a
binary
patch,
you
should
make
sure
it's
the
same
as
original.
Otherwise
we
have
the
problem
that
somebody
downloading
a
patch
might
not
get
the
same
thing
as
a
straight
download,
which
is
clearly
not
desired
and
I
also
think
it's
there's
a
trivial
fix,
not.
B
D
E
D
Is
okay?
It
is
okay,
all
right.
If
you
download
the
software
from
the
Apache
software
foundation
and
by
the
way
the
Apache
software
Edition
has
a
policy,
they
only
provide
source
code,
they
never
produce
a
a
compiled
code,
but
that's
just
a
specific
policy
of
them
which,
by
the
way,
they
sometimes
sort
of
Break
but
yeah
Debbie,
the
HTTP,
and
even
if
they
called
it
Apache
web
server.
That
is
not
the
same
Source.
B
D
And
so
yeah,
if
I
download
software
from
Debian,
that's
not
the
same
as
downloading
it
from
Apache.
Now,
both
Debian
and
Fedora
and
red
hat
in
general.
They
practice
I
forgotten
what
they
call
it,
but
they've
very
carefully
isolate
the
changes
they
make.
C
D
The
original
and
I
you
know
I
salute
that,
but
even
if
they
didn't
it
doesn't
matter,
I
think
that's
a
good
practice,
but
it
doesn't
matter
from
a
user's
perspective.
They
got
it
from
Debian
or
they
got
it
from
Apache
and
that's
your
source
and
then
that
then
a
lot
of
these.
How
does
this
work
they
go
away?
If
I
got
you
know
some
software
from
Microsoft
I?
Would
you
know
there's
my
source?
D
D
And
I'm,
gonna
and
and
Jay
you
have
convinced
me,
I'm
gonna,
follow
up
and
for
the
taxonomy
thing,
maybe
maybe
that's
actually
something
I
should
else
raise
is.
Maybe
we
should
make
this
the
s2c2f
and
really
I.
Think
it's
a
naming
thing
because
you
cover
the
issues
mostly,
although
it'd
be
interesting
to
do
the
crosswalk.
For
that
too,
you
know
because
being
able
to
say
hey,
not
just
these
are
names,
but
hey,
look!
Here's
a
taxonomy
and
we've
covered
it.
That's
pretty
compelling.
A
I
mean
look,
you
know
what
something
that
we
can
do
across
the
entirety
of
the
openness
itself.
I
mean
we,
we
I'll,
show
you
so
krobe
and
I
have
been
working
on
some
and
I'll.
Show
it
to
you
later
too.
I
think
it's
something
that
could
that
could
really
help
everyone
out
a
great
deal.
So.