From YouTube: S2C2F SIG (December 13, 2022)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group, formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. The paper is split into two parts: a solution-agnostic set of practices and a maturity-model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
A: No one. I'm getting ready to wind down for the holidays, as a matter of fact. I'm looking forward to the time off.

A: Well, well, yeah, no, I mean I'm here. I mean, that's a good indicator, yeah. I don't think... I don't believe we can. No. We canceled the last one because we didn't have an agenda.

B: All right, cool. I've been active somewhat over in the Education SIG in Best Practices, and then I've been working with Brian Fox here at Sonatype, and then Jonathan Meadows at Citi, and they recommended I come join us as well. So this is the first one of this group's sessions that I've been on.

A: You know, we're trying to get all the SIGs involved that, you know... we're trying to get everyone involved, but especially the other working groups and SIGs that, you know, we feel like have a dog in this fight, right? And really it's all of them, from Best Practices to End Users.

A: I just put the notes doc up in the chat.

E: All right, thanks for doing that, Jay. I'm also sharing my screen with the notes doc up. So, we really only had one kind of large topic today, and then kind of a fun one. You know, I'd love to submit a request for a goose icon.

E: You know, being in the OpenSSF, and, you know, S2C2 kind of sounds like R2-D2, so kind of thinking of a goose that might somewhat resemble R2-D2 would be pretty funny. But yeah, do we want to go ahead and get started, or...

A: Yeah, we're almost at five minutes past. Let's go ahead and do it all.

E: Right, so, switching over to this doc, and maybe I will...

E: ...and drop this into the meeting chat.

E: So I just got started writing a strategy doc, because, you know, S2C2F is new and there's a lot going on in OpenSSF, and so it would be great to start to plan out all the ways that S2C2F can integrate across the OpenSSF, to make sure that we are, you know, partnering with and becoming a part of the broader...

E: ...you know, OpenSSF story. And so, you know, this is, I want to say, a rough draft. As soon as we start getting here into the opportunities, it starts getting really weak, and I was hoping that participants on this call might even be able to suggest other ideas, and then we can start to kind of codify how and where the S2C2F can fit across certain things. There were a few ideas that were brought up previously, such as, you know, obviously, partnership with SLSA.

E: You know, that's the whole reason why we're in the Supply Chain Integrity Working Group. And then additionally, other folks have mentioned, you know, how do we bring this in as part of the Security Knowledge Framework and the documentation that they have around, like, the guide to evaluating OSS. And so I think there's lots of opportunities, and I wanted to...

E: ...you know, use this as a working meeting to discuss other areas for collaboration. But so up at the top we have, you know, this was contributed in October, and we're a specification that provides guidance on secure consumption of OSS, and it's within the Supply Chain Integrity Working Group but also has relevance across other working groups. The purpose of this document is to outline a strategy for where and how we should plan to collaborate and integrate with various other pieces. If I were to describe the goals of S2C2F...

E: ...this is what I had kind of come up with off the top of my head, also open for, you know, ideas to iterate and elaborate here. But I think, like, awareness: awareness that there are these supply chain threats that are specific to open source, and understanding that a guide like S2C2F is here to directly help mitigate those issues. And I think that collaboration across the OpenSSF is necessary in order to help spread that awareness. Community engagement, that's incredibly important, because this is a must.

E: You know, this is a threat-based risk reduction approach. So as threats change, we need to make sure we're keeping the framework up to date. Isaac, you have your hand up. Oh, and Jay has a hand up too, I don't know who...

A: Yeah, I didn't want to just jump in, and thank you for that, Isaac. So I wanted to... Along with what Adrian said earlier, I wanted to bring to the front a lot of the conversations that are happening across the OpenSSF at large, right? So in the TAC meetings now, for the last few weeks, maybe a couple of months, it's been talked about streamlining working groups, streamlining SIGs and streamlining the efforts at large across the OpenSSF. So it's so...

A: This is actually timely, and our approach here is to make sure that we are reaching across the other working groups and reaching across the other SIGs to find ways to collaborate and find those points that actually bridge, and those points that are actually in synergy with one another, because the OpenSSF at large is looking across the working groups. We have a thing called the diagram of society, and we're actually proposed to be a new SIG underneath the TAC, where we're actually looking at the whole of the OpenSSF.

A: What are the areas that we should be working together on? So I wanted to know, while Adrian is doing this... I might toss it back off, but I wanted to make it clear that this is actually quite timely in its approach, and the effort here is to make sure that we're branching and reaching out and bridging where we should be, so that it's one continuous flow across the supply chain security spectrum. So I'll stop there. Go ahead, Isaac.

F: Yeah, I know, I think you're absolutely right. I couldn't agree more with you, and respect the timeliness. The question I had was around awareness. I was wondering if you see this as different, or having a different flavor, from OpenSSF's goal.

F: If I think about OpenSSF as a whole, like, part of the goal of OpenSSF is to, you know, talk about... or, you know, even the Supply Chain Integrity Working Group is talking about supply chain threats, specifically open source. And so I was wondering if this awareness goal... I don't know, I guess as I think about the... Let me back up. As I think about the Supply Chain Integrity Working Group and what that's for and what its goals are.

E: I mean, yeah, and so partly for me this was an exercise for me to learn more about the OpenSSF. I think I'm relatively new to the OpenSSF, so I'm not aware of everything across the board myself, and so this kind of forced me to start looking. If I could better align this document with the OpenSSF's goals, I'm all for that.

F: That makes sense. And then the opportunities for collaboration, I mean, it sounds like... as I remember, when S2C2F was coming into OpenSSF, it was the Supply Chain Integrity Working Group, with End Users, and then the Best Practices Working Group, I think, were the three candidate landing spots.

F: Is that right? And it feels to me like S2C2F has landed ultimately in the Supply Chain Integrity Working Group, but certainly, you know, Jonathan over in End Users, and then, you know, Best Practices, it seems like their interest in S2C2F probably continues, and so those would be threads to pull on with respect to collaboration there. But you've not gotten to that section yet, so I'll shut up for now.

A: Isaac, to just answer you briefly: I've made it a point... I've had, you know, competing priorities and travel and everything else preventing me from attending those working group meetings for the last couple of weeks, but I've been making it a point to go to each one of those working group meetings as well, and I know I've seen you there too, in...

A: ...them. But yeah, absolutely, you know, we can't just let the buck stop, and we do need to say, hey, we're here. You know, come aboard. So it's something that's going to be at the top of my list in the coming year: to make it a point in each one of these working group meetings, if there's any questions left in the meeting, to say, hey guys, by the way, S2C2F is... we're meeting, we'd love for you to join, and keep that going. Every single one of those meetings. Great.

G: Speaking of joining us, I suppose I'd pick up. So, Bill... Bill, or William, if you look at it. IBM would be the company I'm affiliated with. Folks from my group have popped up in OSS, so it was my... Jeff Borek, for those who know that name, who works a lot with Brian Behlendorf. Jamie Thomas, the chair of the Governing Board, is my boss. Melba Lopez is somebody...

G: ...that's been pretty involved in SLSA. So it's the folks in my group that are sort of scattered about. This new initiative sort of caught my eye. It's one that I sort of got embedded in because the consumption side of it is kind of a unique element. I would ask one question on it. You know, kind of the goal and awareness. Maybe it's... Do we think there really is an awareness problem?

A: So I mean, I'll take this, and Adrian, you jump in. I do want to preface my comment by saying awareness of threats specific to open source versus awareness of threats across the entire supply chain. You do have the whole supply chain threat landscape, and then of course, you know, look at all those that are related to that. But we talk about what's specific to open source. There have been a...

A: ...and more recent attacks that are more social, what I consider to be social engineering in nature, right? And those can't be overlooked as well.

A: So we talk about awareness of supply chain threats, Log4j included as well, but really digging in on open source itself, both upstream contributions and the threats that emerge when you're contributing upstream and, of course, downstream and into product development, and then what does that actually look like across the spectrum of different organizations who have different risk appetites and, of course, accept those kinds of risks. So I mean, William, your question...

A: What... your question is sound. I do want to make sure that we tease out both of those concepts and then bring them back to center.

G: Good. And I will have that one particular thing. I know you haven't gotten to it since I spoke up, but the tooling innovation, I think, is a key part of it, right? There's a lot of concepts in S2C2F that there is no tooling to support today. You know, a simple one, I think it's level two of maturity or something, it's about scanning for end of life, right? There's no scanner that looks for end of life. The reason there's no scanning...

G: ...for that is there's no database of end-of-life software, and so we've talked to pretty much every standard vendor out there, and none of them are excited about it. Like, hey guys, you realize you'd be the first. If you just went out and did the research and built an end-of-life database, everybody would come to you, you'd make billions of dollars. Nobody's tackling that problem. So there's some big nuts like that that would be awesome to...

A: And so I'll make this last comment, because I want to stay on the path that Adrian's on, but I'll say this: over in the CDF there's a team working on the supply chain maturity model, and it's another... either Google that's working on that, but they focus on what happens afterwards, with artifacts and with archiving and everything else. They're doing so much.

A: But the one thing that's not mentioned there, and I said this in that meeting, is: hey guys, what about end of life? So you're hitting on something that I have actually said many times before. One thing that I don't see, which is just as much a part of the entire spectrum, is end of life and what happens there. How do things get archived there? You know, all that kind of stuff. So, you know, something very good.

E: Got it. Okay, okay, William, thank you so much for introducing yourself! Apologies, I didn't give space for...

E: And you, so you asked, you know, is awareness a problem, and I think that's a great question to ask. We have Jeff from Sonatype here, and Sonatype publishes an annual report, the State of the Software Supply Chain, and it largely focuses on open source supply chain security, and I...

E: ...think that report is a testament to the fact that we need to educate the masses that there are threats here and the threat is growing. And so I think there's something to be said there, and I continue to see, you know...

E: ...startup companies, you know, focused on supply chain, they're doing, like, webinars to educate the public about these open source threats. And so, like, education about the threats is, like, just a... So not only is it awareness that the threats are there, but then also awareness that there is a guide that exists that's backed by the OpenSSF, you know, as best practices. Moving to the drive toward tooling innovation, you're 100% spot on. There are some gaps.

E: Yeah, yeah, yeah, and so, you know, those are things that we want to continue to work on, and I think it just kind of highlights, like, hey, these are useful ways to mitigate against these threats and we need more tools to start offering this to really protect the industry at large.

B: And I think I put a little blurb in there, and I was just working on some papers in the last two weeks on this. So the data is pretty recent, just checked in the last week, and so, like, 30% of the Log4j downloads from Maven Central, which Sonatype is custodian of, are still vulnerable versions, like, I mean, a year after. And that's like your consumer. That's dead scary. I think most people don't know that. They think, oh, there's a problem, someone announced it.

B: The fix went in. I worked at another company before coming back to Sonatype this year, Sourcegraph, which is mostly code search, similar to GitHub's code search, and the predominant focus of development teams, we're just trying to get SBOMs right, which I think is the wrong way to look at it. I feel like it's important to see what's in there, but just a list of this stuff... but that's really, they've overcorrected, I think, on that, because of the executive order, when you have problems like this still existing. That's tool agnostic.

G: We actually see most of our vendors, I'll share that, they're focusing on SBOM because of the executive order, and they're using SBOM as a get-out-of-jail-free card. So a vendor will give us an SBOM, we'll say, hey, you know, you've got some Log4j in here, and they'll say: oh yeah, yeah, we haven't had a chance to fix it yet, but do we...

G: ...by making you be aware, so they're seeing it as they get a get-out-of-jail-free card. So I guess where I'm going is, in some cases it may not be awareness of the supply chain threats. Maybe the key is awareness of how to address the supply chain threats, which is a slight twist to the awareness. I think everybody gets it. I think everybody has different opinions of how to address it.

E: Obviously, adoption by the industry to reduce open source supply chain risk. You know, there's many ways to achieve this, but just some initial thoughts. You know, if we could get this recognized across the industry as a best practice.

E: Adoption of, you know, the S2C2F into the OpenSSF was kind of like the first step on this journey of helping others, and then pursuing, you know, international standardization is another, to kind of lend credibility to it. And then drive tooling innovation. Yes, this is a huge one, because I think there are capabilities that developers need to protect them from, you know...

E: ...accidental consumption, scanning for end of life. I believe the OpenSSF Scorecard has some end-of-life data, maybe not all, but we do have a system, you know, like at Microsoft, that kind of tracks that internally, and we advise users to move off of end-of-life stuff and onto something else. But, like, again, these are...

E: These are all opportunities for us to, like, make everyone better, and so, you know, I think we're here to help kind of discuss those things. And, you know, I also just want to make sure that we're not working in a silo. You know, there needs to be conscious efforts to leverage other initiatives where it makes sense for the S2C2F to be involved. So, you know, we want to get plugged in and help where we can be...

E: ...like, you know, a good collaborative, working-across-the-board kind of member of OpenSSF. Isaac.

F: Yeah, I'm... so one of the things I was just going to add on adoption, and one thing is, I've been working on a similar doc for SLSA. You're about a month ahead of me. I think that's also going into 2023. And one of the things that occurred to me about adoption is there's two sides to this, which I think are equally important. One is, hey...

F: You could increase security of the ecosystem by encouraging people to adopt your practices, and that's part one. Part two is: if people adopting the practices make attestations about their adoption, then downstream consumers of their artifacts can then start to implement policy based on, you know, does this upstream artifact meet, you know, this S2C2F level or whatever. And so there's kind of like two parts to the adoption effect.

F: That's kind of the inherent value of a software-producing organization adopting these best practices, and then there's also, you know, the potential for downstream to implement policy based on the practices of upstream. And so the example for SLSA is, you know, people putting, you know, admission policy on, you know, their runtime, saying we're not going to deploy anything that has dependencies at SLSA level two or below, for example.

F: And so, you know, that's it. I guess what I'm saying is that there's a flip side to the adoption of practices, which is, yes, adopt them, but then produce an attestation to say what you've adopted, to allow downstream consumers of your artifacts to implement policy and secure themselves yet further. And so I think, you know, SLSA has, you know, the provenance format and the in-toto attestation, which is part of the framework.

E: Yeah, oh yeah, I'm definitely with you on that vision. I love it. I think that's a great... yeah, so I put a bullet here, so we can elaborate on this later, but right, yeah, part of adoption is developing attestations, and part of tooling innovation will also be generating those attestations of policy conformance.

F: Totally awesome. And then ultimately, decisioning that, you know, based on: do I want to put this into my runtime, based on what I know about how it was produced, and so on. 100%.

E: You know, I just want to capture, like, main points of contact, and, you know, S2C2F is advertised as a consumption-focused framework that pairs well with production-focused frameworks such as SLSA, so finding opportunities to create a bridge with SLSA is, like, vital and is, like, the main reason why we joined the Supply Chain Integrity Working Group. So this is, you know, obviously first in the list. We...

E: Jumping on down: Best Practices Working Group, they have the Security Knowledge Framework, and Randall was the one that had originally offered up the idea of, you know, getting the S2C2F in with the rest of the education materials. And if memory serves, I'm blanking on the name, but we also got this link to the guide to evaluating OSS, so I just need to spin up a thread and start working with Randall and others on: how do we...

E: How do we get this added? Additionally, like, right alongside the SKF there's the Education SIG, which was also brought up by Randall, I believe. And, you know, how do we make... you know, to serve our awareness goals, how do we get this into the Education SIG, if that's appropriate, right? Like, all of these things need to be evaluated and assessed.

E: The Scorecards project is interesting because, you know, we just talked about, like, end of life, for example. So maybe that's something we want to, like, double-click on with the Scorecards project and see: how can we make that data more robust or comprehensive, so that others can start to trust it for making decisions about, you know, getting off of end-of-life products? And there's probably other opportunities to collaborate as well. Let me...

C: Just actually capture that idea: expand on end-of-life detection.

G: Assuming everybody is... this Scorecard is probably, like, us with Eric's Scorecard, to do an end-of-life detection, and so, if you have a given repo or open source component, you can run Scorecard and it'll tell you, you know, end of life or not, or nearing end of life, based on activity. But that is different than having a big old database of the, you know, 190,000 things that are end of life, and then the one thing that went into end of life yesterday. It's more of an ongoing crawler challenge.

E: Okay, the Best Practices Badge. So, you know, when you think about, you know, adoption, there's the carrot and the stick, right? And so the Best Practices Badge is kind of like the carrot approach to, you know, encouraging folks to adopt best practices. And, you know, so there's, you know, some questions there about how S2C2F can be involved with this, if appropriate, again. But I at least want to start the discussion. There's also some package manager best practices, again.

E: This is all part of the Supply Chain Integrity Working Group. So all these links came off of their landing page in their repo. So I've just got to go dig some more here: existing guidelines for developing and distributing secure software, there's probably opportunities for us to include references to the S2C2F within these guidelines. And if anybody else has any other ideas...

E: I think, you know, we want to build out this kind of, like, network of, you know, here's all the touch points that we need to have across that working group. And, as Isaac pointed out earlier, the End Users Working Group definitely has expressed interest in the S2C2F, so we need to start some sort of a v-team here to start working with them on...

E: ...you know, how does the S2C2F fit within their charter? How can they leverage it or reuse it, so on and so forth? The Security Tooling Working Group has the SBOM Everywhere... before.

E: Yeah, so I think... there's, yeah, yeah. We know there's something there. We just gotta get it on paper and build a plan around it, and then we can make it happen. Thank you for letting me know that, though, that's exciting.

B: Sort of a stupid question, yeah, for, like, this, for the awareness and the education pieces and working with these other groups: what's the target audience for this group? Like, who do you see consuming it? Is it developers that are coding today, or is it higher in the chain, like decision makers, you know, leadership within engineering?

E: So when we wrote the S2C2F, and maybe I should just jump to here's...

E: Just to give you a super high level: we talk about the threats and we talk about these practices, and then we go a level deeper, down to the requirements. So I just wanna jump to... we have these high-level practices that are solution agnostic and they can be applied to any scenario. So the target audience, see, for just looking at the high-level practices, is more of, like, the CSOs and engineering managers that really just want to understand...

E: ...like, the methodology. When you want to get into the nitty-gritty, then you start looking at, like... so, see, we have the eight practices and we broke it down into a maturity model, and what each level, you know, the theme for each level, and then here's how to assess where your organization is within the maturity model, like a set of questions you can go interview developers with, because the developer, at the end of the day...

E: ...you know, manages their use of open source and then also secures their use of open source. And so now you can see that we've organized each requirement into each practice, so we've, like, further broken it down, and this has a specific audience of, like, well, these are the people that are implementing it. So these are going to be, like, the individual developers or engineers that need to go.

B: Yeah, so that was really helpful. I appreciate it, and I'll hold it in there deeper as well. In working on the Education and Best Practices SIG, it seems like there is a... I could be wrong.

B: I've only been there for maybe a month or two. It seems like there is sort of a focus to the left, on the developer, which makes sense, but it doesn't have, you know, courses or sort of learning pathways for, like, that leadership level as well, and some of the things we're talking about here. So is...

E: Yeah, so I would love the goals to kind of, you know, where you have similar goals to us, I would love for us to kind of, like, you know, leverage each other to both accomplish those goals. So if your goal is to spread awareness of the threats, we've already created an enumerated, holistic list of threats that are specifically targeting OSS, with links to real-world articles of, like, how it's affected somebody.

A: I think, for the purposes of education, right, let the framework meet the curriculum, right? So depending upon what kind of training or what kind of mechanism or whatever's being taught, right, if it has relevance to S2C2F, then reference that; if it has relevance to SLSA, okay, then reference that; relevance to FRSCA, okay, then reference that; help relevance across all three, right.

A: If there's, like, scenario-based training of some sort, right (I'm spitballing this one, right), but let's say there's some type of advanced audit teaching, right, or how to self-audit, how to self-attest to whether or not you're following these respective, you know, pieces of guidance, and you're saying, well, do we follow things over here from a consumer standpoint? Do we follow things over here from a producer's standpoint?

A: Are we archiving things correctly? Are we using tools to secure build pipelines right now? And so now I'm referencing S2C2F, I'm referencing SLSA and I'm referencing FRSCA, right, just as a means of going across what we're doing in the Supply Chain Integrity Working Group and how those things could be lent to the Education SIG, with the Education SIG lining out, you know, items to be taught across. I...

A: ...don't know whether it's... I only know this because I've seen a few pieces of some of the stuff that come out of the Education SIG, but stuff that's taught in high school, stuff that's taught in colleges, stuff at the university level, stuff that, you know, all these different initiatives that are taking place.

D: Yes to all the things you said, and the opportunity that we see is that the Education SIG is very much focused on the producers of open source and the individual developers, and the gap that we're trying to solve is the consumers of open source, which are really the organizations, the companies. And I think S2C2F, from... it's been a while, I read it when you first launched it and I was like, yeah.

D: Yeah, it's unclear how easy that will be, and there's been conversations back and forth. Even the board meeting we had in Tahoe, there wasn't a consensus on that. There's a lot of people that really want to lean hard into that education thing, and it's like, that's great. It might be too disruptive to expand that context, and when a bunch of us kind of got together, we were like, well, End...

A: ...perfect fit. That's kind of where we're at at the moment, trying to figure out what is the right thing to do. The End Users to be the easiest place to pick up the shovel and make that happen, but...

A: That could be a broader conversation with the Best Practices Working Group at the umbrella, right, between the Education... Supply Chain Integrity, Education... no: Best Practices, Supply Chain Integrity, End Users. We all three talk together to see, you know, what the best way to come about that is, because what you're touching on is very important, too. And what's funny about that is I made a similar comment with respect to taking out even part of what the Education... and this is...

A: It's owned, you know, a SIG offshoot of the Education SIG, because it's that large of an animal to tackle outside of the regular, just the stuff that's discussed in the Education SIG. So to your point, right, that might be something that needs to come out, come up, and then be its main point of focus.

E: And I know that this topic of, you know, security tools has kind of come up once before, you know, within our guide. There's a section... oh wait, wrong one, there's a section for... right here. This is the implementation guide, and we have, you know, links to tools from around the industry, and we've gotten feedback from somebody else within the OpenSSF that this is a tough thing to manage, and you...

D: ...guess somebody has a very big taxonomy. I don't remember which working group it is, but I think that's what you're talking about. Yeah, yeah.

E: And again, I just need to find that and find who the right person to talk to is, and then, you know, these are... this is a lot of just areas of collaboration that haven't gotten started yet. And so, you know, hopefully in the new year we can have a lot of good conversations about this, and then obviously, you know, we can build a plan...

E: ...according to, you know, the opportunities that are readily in front of us, and then we can also plop in some longer-term roadmap stuff. So this is very much an incomplete document.

E: That was it for today's agenda. We can move to other, I guess, open topics.

F: I mean, don't you just go to, like, Stable Diffusion or something these days and just type that in, and the outcome's a goose that looks like R2-D2.