From YouTube: S2C2F SIG (February 14, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group, formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
C: Know when I got caught up on, yeah, caught up on the SLSA positioning call, but we're here now, people have more time to join. I'm not sure about Adrian; I think Adrian may or may not be here today. I believe he may have a conflict today, believe it or not.

B: Nope, nope. Yeah, getting ready to post up the notes link now.

F: Okay, yeah, I got the link, if you want me to drop it, or you already did.

C: So there's five of us on here. That means that we need to go out there and recruit more people to the call. I know that we have the Supply Chain Integrity meeting tomorrow; there's the End Users meeting at the end of the week. Reach out, let them know that we are once again meeting so that we get more people here, all things considered. We do have a few things to talk about today, one of those things being the new spec format.

C: We have that to talk about, the upcoming Open Summit. We have the CFP that's in, in which we have a chance to talk about SLSA, S2C2F and FRSCA together in a panel discussion. Thank you, I know, for putting that up.

C: I believe you submitted that; that was actually a submission from the other working group, right? And then it just so happens that, well, it provides an opportunity for us to speak on that. Now, there is the OpenSSF Day that's coming up, and that CFP will drop here shortly for us to submit for OpenSSF Day.

C: That might also present an opportunity for us to talk about something, and I think that it'll only be a couple of minutes on OpenSSF Day. It's just one day, so I think they'll give us maybe 15 minutes, if you get approved or whatever it is, just to talk about what we're doing here. I think that may also be an excellent opportunity to highlight what we're doing across the whole Supply Chain Integrity working group, not just in one area but in all areas, right.

C: So maybe five minutes for us, five minutes for SLSA, five minutes for FRSCA, just to detail where we're going with supply chain security in general, right. That might be a great opportunity there, and then, after that, figuring out more work on the spec in general. So, like I said, we'll talk about reformatting to something that resembles a spec that could get put through a process for approval and made into a real boy.

C: You know, I mean we could get that done, but that's got to be in the right format, so we're going to go through looking at that and, that being the case, taking a look at it and making it better, right. So we've got to do so. We gotta put our hands in there and do some work there as well. So those are the things that I wanted to cover today.
F: Yeah, I've been typing away as the scribe in the agenda section, and I think the biggest thing that we are looking for at this very moment is adopters.

F: If you want to be, you know, if I have your approval to include you in the list... but you know, we've been working and enhancing our strategy doc for this SIG, and you know, getting organizations and software teams out there actually adopting these practices and trying to follow them is like a key goal of ours.

F: So I guess out of the folks on here we have Eric, Arno and Avishay.

G: Yeah, so I'll answer the question first. So Wipro is a GSI, so you know, as a consulting company, we typically would leverage these more toward our clients' needs.

G: So, as per client, we would look to find the best-of-breed tools, frameworks and others to help alleviate their security risks, as well as we do build internal products and accelerators. So on those teams we would be looking to do that, but that's, you know, we're 240,000 employees. We have a fairly large scope of groups that work on these.

C: Eric, man, so when I worked at PwC, one of the caveats of having a book of business like that was being able to take customer needs and wants back to an organization like Microsoft or like Google, or, you know, one of the organizations that have services that are being offered, products that are being offered, or frameworks that are being offered, or something like that, and in this particular case you can bring it back here to the OpenSSF, where we're producing a lot of these frameworks and stuff.

C: Like that, and then say: hey, my customers are... This is what the industry is talking about, but this is what my customers are talking about, and sometimes those things can be slightly different, right. The industry can be saying one thing; customers can be saying: yeah, yeah, that sounds nice, but from a business standpoint these are our pain points, and it would be wonderful if you could get some of those pain points.

C: Take a look at the spec and, you know, as a collective we can cover down on industry stuff, but for customers' sakes and customers' purposes they may be experiencing pain in one area or another that, you know, if we can fix it, we can fix it in the spec. But if it's something that, you know, we can't fix, of course that's what it is, but maybe there's something that we can target in there.

G: Yeah, yeah, so I, you know, I don't want to take up all the time here on this topic, I'll let others speak too, but I already do a lot of that. So DevSecOps is one of my areas of expertise. It has been for a long time, and the security aspect is something that I push with all of our customers to try and help them fill gaps, because it's often an afterthought, right: you know, the network is secure, we think we've got the right authentication mechanisms.

G: You know, we can do the other things; we'll run our testing once a year or twice a year, as compliance requires.

G: But you know, more and more over the last two, three years, and, you know, Wipro is, we're Platinum members, we're on the board of OpenSSF and we're big evangelists of, you know, the SLSA framework, of the best practices, all the other components and most definitely these components as well. As more and more tooling and frameworks continue to come out of this, we'll continue to push that, and we're partners with Microsoft and a number of other tech companies, but I think one of the most important groups to come out recently is the End User Group, because in this discussion point a lot of, you know, in my experience, and David is in almost every one of these meetings...

G: But it's my experience with most of these that they tend to be driven a lot by technology companies. You know, client companies and end users oftentimes are not the focus, and I think that's been recognized and I think that's improving, but I think that's one of the things that we need to be laser focused on. I think you're absolutely right, it's: what is the client?

G: What does the customer need? And a lot of the people in these meetings are people that we would consider clients outside of a technical product company, right, so the FSI people that are in these meetings, all of those, you know, those are potential customers and their need is much different than Microsoft's, I know. So yeah, and Microsoft in and of itself is something of a GSI as well as a product company. You have a complete consulting arm that does, you know, similar work also, so we're on the same page.
C: Oh, all right, let's see, where are we at in our agenda?

C: Our agenda, the new spec format. God, Jasmine.

C: What I did want to do here with the group is present it so that we can then do the proper thing, creating a pull request and then doing the proper merge and all that kind of stuff like that. But what we didn't want to do is work too much out of band on this, right. We did want to bring it to the group, let the group see what's happening and then go through the processes of doing the proper or requested merges.

H: Let's try to generate ISO standard format from a markdown file. Oh.

C: Well, so what we did was we pulled it out and we did it in like a Word doc. What we're going to do is push it back into markdown in its current format. That way, I mean, it's a lot easier to work on once you have it in the template, I guess, like...

C: It's a lot harder to do, you know, from one to the other, I guess, and the longer version, now it's easier to work on in markdown, maybe, but the hell, the hell if we didn't have a hard time, you know, with that, looking at it in the beginning, so.

C: So the current plan right now: we want to present and we want to do a merge inside of the GitHub repo. We want to make sure this is as open as possible. We'll attempt to do any, you know, create any issues and do any pull requests in markdown. If we're unable to maintain the format as is, and it gets too hard, then we'll just have to do issues and then we'll have to make the corrections and then present the corrections made.

C: Maybe we could do it in a Google Doc or something like that, I don't know, something that everyone can get to, something that's universal, and then we'll go about it that way. I mean that, ultimately, we want to make sure that this is done, that we don't want to do a lot of out-of-band work on this. We really do want to make sure that everyone who's a part of this SIG has a look, has a say and has a feel on it.

F: What I've imagined in my head is that we, because the ISO spec needs to not include names of specific tools and things like that, I almost think, just thinking out loud, that we need the ISO version of the spec to live side by side or, you know, be separate from the way the spec is today.

F: I think the way the spec is today is more, like, easier to consume, and, you know, ISO just asks for things in a very specific way, and so therefore it might make sense to just have two, because the ISO one, once it gets approved, I think that's like, it's written in stone at that point in time, and...
C: So you do have different... you can update it and have different releases. I think formatting-wise it has to be the same, but you can do updates and all that kind of stuff, but I'd be interested, I know, and David, I'd be interested to see how you guys feel about that.

H: It's obviously possible, and for some situations I actually do maintain parallel docs. It's a pain in the butt, but basically I would say, when you can't avoid it, try to do that; if you have to do it, make it clear.

H: If you want to remove names of specific products and so on, I would suggest pulling that out, maybe to an appendix or a different document, and then that's a different document, or different appendix, and you just don't include it in the spec or whatever. But, you know, if you can avoid it entirely... oops, oh, my video's not showing. If you can't avoid it entirely, if you can't, try to make it just formatting changes; you can do the cross check.

D: That's why, I mean, if you look at 33c, for instance, when they have different translations of a spec, there's a, you know, a stipulation in the spec that says: if there's any discrepancy, the English version is the master, and yeah, I would think in that you probably need something like this here, too. I mean, practically speaking, as David said.

F: Sense, and I hope I'm not mistaken again, there's a learning curve, at least for me, going through the official standardization process, but I believe ISO sells their specs. That is correct. I don't think we can keep a free version.

H: But there are catches, okay, okay! This is another reason to do... Okay. So, having done this nonsense for a number of years, this is another reason why you do not want to have a document that's differing with any content.

H: ISO loves to sell their documents for large sums of money, which really hurts standardization, because if there's only three standards, sure, I can buy a couple documents. If there's a modern society with millions of standards, no one can afford it. Okay, so since we're living in a modern society, the simple approach is: you have your own. You can have your own doc, you can have your own format, and here's the ISO copy.

H: It might be exactly identical, it might be formatted differently, but as soon as you make differences, now you're in all sorts of trouble. By the way, this is not a new trick. The Common Criteria folks did it, the Ada programming language standard folks have done it, SPDX has done it, OpenChain has done it. This is a pretty, you know... Oh, if you want the official ISO piece of paper, that's fine! Most people, what they want is the content of the spec. Here it is, okay; if you have extra money, awesome. Okay, oh.

H: Go spend it, right, but this is another reason why, you know, there's a well-known way to play this game once you understand the game. Got it. So, and by the way, my comments may sound like I'm opposed to ISO. That's not the meaning here.

H: I'm a big believer in international standards. It's just I think this particular policy of ISO is from the Dark Ages, that needed to have gone away decades earlier, and they just still haven't fixed that. Further, there's...

H: Not many. There are a few; ISO is the main holdout. IEEE will do it, but a couple others, ITC.

D: But so, back to your point, though, Andrew, I mean, yes, the actual ISO standards won't be freely available directly. There are other contexts, ways around it to get content out. You can even get the latest draft of the ISO standard out. Some working groups actually play that game because for review purposes you can publish the working draft, and so people say: okay, we are basically ready, hey world, you want to see? You don't have the official latest one, but it's very close. Yeah.

H: Trying to close that particular door, but you know, here's where, you know, if you want the one with the ISO name on it... If you want the contents of the spec, here it is, and I think for most people what they want is the content.

D: What we're talking about, right, right, so exactly! Ideally, you would have some kind of mechanism to, you know, one version that's kind of your master, and then from there you produce the other, right.

H: I've never tried to create an ISO format from markdown. I'm not saying it can't be done, just never tried. Yeah.
C: I just sent it, and let me know if you got it or not, Jasmine, but so the doc that we have in it right now can't be shared outside of internal, so I gave her a Google Doc that can be shared, so the Google Doc is shareable and right now we're moving everything over to that for everybody else's consumption.

H: Okay, so very soon, what are we going to be editing to make sure that we are on one version? The Google Doc version is...

C: The Google Doc version, and by the way, I did want to ask this, so I've done this before, created the Google Doc and then shared it out, but is this something that we should be creating internally or should we be asking Khalil to give us a Google Doc or something like that for this?

H: Well, at least we try to do that. We have not always been that... at all.

C: Right here, how's this, and also I will ask that, because what some of us working groups and SIGs are experiencing, for some reason this week, is all of our permissions as editors have been scrubbed and we're all now just able to make suggestions in these docs. So we're not able to, you know, make edits that stick.

H: So, all right, so Jay, you are now, oh, and Jasmine just requested access, uh-oh, I'm gonna have to read my emails. I'm a terrible idea.

H: Look at that, all right, so let's get going here. I'm giving the people who are in this meeting and requesting it immediate edit access. We can make changes as the document gets further along, but I think right now the goal is to ensure that we have the best available collaboratively written document and then go.

H: It's been a pain, but we have found some better tools for that. I used some tools before; it wasn't bad, I understand. I've learned of better ones that many people told me are better, so I haven't used them in anger yet, but I've been told they're pretty decent. We'll see, and...

H: One thing we might want to do, and Jay, I mean it's up to you, but we might want to attempt to format the Google Doc like the ISO docs, and then at least it's closer to what the final one will look like. Oh, look at this, magic occurs. Yeah.

H: Right now, I will say: I am persnickety about some things when you're writing a doc, and it's okay right now, but as soon as possible you want to set all the paragraph types to be the type, and that way, oh, I want headings to be heading ones, to be a slightly different format. Boom, done. So we have to, I mean, you know, I wasn't expecting that to happen.

H: The next two seconds, but I think that's important, because the tools like the markdown generator or really any of these other tools, they're going to work off the paragraph types, yeah, you know. Google Docs doesn't have many paragraph types, but it does have some, so, and you can't, I don't think you can make your own, but at least you can use those, and that's a step.

C: Yeah, so Jasmine has pasted that there. Awesome. You need to separate some of these paragraph watches and then format and all the stuff you just said, David, absolutely, yeah.
F: So David, I wanted to make sure you were aware of this, but I'll be speaking at RSA and introducing S2C2F, and so yeah, you know, I'm gonna be beholden to the RSA, you know, slide template, but as much as I can, I want to put OpenSSF branding in there and everything, so.

H: You do, it's an RSA rule. I've given a presentation at RSA also, so yep. But that said, they do understand that people like to put in logos and things, and they're not going to forbid it from being in the main body. So.

H: Great, yeah, I think you can just grab it from the openssf.org page, either the front or there's a direct link from it. If you're having trouble finding it, let me know. Actually, you know what, the person who can give you all the goodness is Jennifer Bligh. I'm gonna put her email address in the chat. All...

H: I mean, if nothing else, if you're ever in a hurry, I think a lot of that's already on the public OpenSSF site anyway, but she may have some other formats that may be helpful for you. Okay.

F: Okay, Jay, was there any... sorry, I diverged a little bit, Jay. Is there anything else we want to discuss about the new spec format, or are we...

C: Ready? Nope, just wanted to make sure that everybody first of all sees what was worked on, sees what changed. This version is a trimmed version; there's a longer version, but these are all things I think that we can discuss. A lot of, you know, ISO specs are really generalized, but, you know, we really do want to make sure that everything that's supposed to be in the spec is in the spec.

C: So this is where a lot of the questions are asked and a lot of the help is needed to make sure this is as complete and robust as possible.

C: You know, within OpenSSF also, for language purposes, I harp on this in other SIGs; I will do no different here. I want to make sure that the terms and definitions that we're working on, and the Best Practices group, that, you know, when we have terms and definitions that we're working on here in this spec, that those terms and definitions are uniform across all of the other respective areas.

C: So that's some of the things that we're going to need help with as well, right, so collectively as we're reading, if we can, you know, get somebody from Best Practices over there working on that terms and definitions, and I think Avishay had some hand in that as well. So, you know, while you're reading the spec, obviously, if you see a term in there that now we're saying one way, but in definition it's written differently in the terms and definitions doc in the Best Practices...

C: So these are the things, when it comes to the spec, that I want to make sure that we're talking about, you know, that's uniform across the working group, across the OpenSSF and stuff, and then also making sure that we're successfully bridging over to the other frameworks and the other things that we're working on as well, so that it's one voice, one language, one continuous spectrum of supply chain security and compliance and conformance and whatever else.

C: We like to say across all the different SIGs and different things in working groups. Ultimately, what it comes down to is when this is done, it's going to be something that's the same voice, same organization, everyone had a hand in it, and that's what it is. I'm done talking about that right now, okay.
H: I will raise my hand. First of all, I love it. You know, even if we can't get universal agreement on something, step one is at least find where the problems are. But let me add another point about this doc: if something needs to be removed because it's not general enough or whatever, for...

H: Thank you. I propose that we create an appendix within this document. I mean, you remove it if it's not appropriate to be there, and not be appropriate at all. But if it's, man, it's a little too specific, it really can't go in an ISO document, but it's important to say somewhere, for now I propose putting it... gracious, I'm allergic to you, Jay.

H: Yeah, but in all seriousness, I think for now moving it into a separate appendix, and the reason is, if it's within the same doc, somebody else can say: oh no, we can have it, it's all right there; the movement's easy, and then near the end we can talk about, say, hey, maybe we take this out, right, as a different document, whatever. I wouldn't be surprised if, by the way, in the end, you end up with a short, formal spec and then kind of a guidance document, or something else like that.

H: That's, you know, the: okay, there's many ways you can do this, here's a common way, but because there's so many variations, it doesn't really belong in a formal spec, but, you know, whatever. Yeah, but if we put it in an appendix, then at least it won't get lost. That's really what I'm worried about right now, okay.

C: All right, yeah, that's why, I mean, as far as the spec is concerned, we have it up. We have a doc. Now we can begin working on it, commenting and doing all that kind of stuff. So please, by all means, work in it, comment on it.

C: When we have our next meeting we'll talk about it some more, right. We'll make it a point to put in at least a good 15 minutes just to talk about the spec on each call. That way we're actively touching it, and if we need more time, then let's take more time. If we need to have a complete working session...

C: Let's do that too, but all those things can be discussed as we move along. Next topic for discussion is the OpenSSF Day and the town hall. I'm still waiting to get more understanding about this town hall.

C: I don't know about that, but OpenSSF Day is something that we probably should be thinking about and talking about. I'll leave that on the floor: how do we feel about OpenSSF Day?

H: So I've done a number of these town halls. I mean, really, they're just an opportunity for both inside and outside, you know, OpenSSF, since there's this huge number of groups here, to hear about what everybody else is doing, and for folks outside to hear what some things that we're doing, excuse me. So really they're looking for things that are worth, you know, that you think other people would want to hear who are not already involved in whatever the operations, and it doesn't have to be long.

H: It can be just a really quick, you know: here's where we are, here's where we're going. They love to have, you know, some kind of success story, so, you know, something that's being worked or something released, or something like that. So, I mean, that's what it's about.

C: Well, hopefully, at the working group level they want to. If there is an opportunity or something like that, I know I'll be attending the town hall. I believe, Adrian, if you're able to attend the town hall, that would be great too, but if not, that's fine. I'll gladly, if it comes up, I'll gladly speak to S2C2F.

C: You know, we can do it together. You can do it when...

C: I believe on that one, and I think it's one where they're also outside the company's organizations that attend that sometimes too, as well, I mean. Maybe we can, you know, get more contributors, if that's not on the calendar, by the way.

C: It's at 10, actually 10 a.m. Pacific on the 16th, yeah.
C: Cool, all right, so now on that, and then of course OpenSSF Day. That may also present another great opportunity to take about 10, 15 minutes to discuss S2C2F.

C: And then, actually, that's probably a great time to discuss it individually, because there'll be that group discussion. Hopefully, I think March 10th the notifications go out as to whether or not your CFP got accepted, I think that's March 10, but for OpenSSF Day it might be a great opportunity to get that good five, ten minutes: hey, this is what we're working on, a few slides up.

C: You know, all that kind of stuff, and then, when Open Summit happens, then they can talk about them all together in that panel discussion, right. So that's like, you know, you tell them what you want to tell them, tell them, and then tell them what you told them at the end. Yeah, David's very familiar with that. Yes, because I did bring that out. I did bring that out.

C: Absolutely, absolutely, I expect that to be really cool. I do not expect a whole bunch of people to attend it, though, I mean, I think, you know, travel budgets are a little light these days, but I think it'll be real cool and hopefully, if they have virtual stuff, that'll be real cool and we'll get enough people to look at that as well. So yeah, I've never been to Vancouver before, so I'm looking forward to it.

C: That is... where are we at now in our agenda? Yeah, adopters, and I think Adrian talked about adopters earlier as well. That's it for the agenda. Do we have any openings?

H: Yeah, I added one to you, Jay, so don't blink! Now, you don't have to accept my proposed agenda change, but it's not really a change. It's just really a note, a note to the larger group, yeah. Is it okay if I talk about this real quick?

H: Yeah, so basically, I mentioned earlier, I think it's important to do a cross-compare between SLSA and S2C2F. I keep meaning to go do that and I keep handling other fires.

H: So since the fires keep not getting put out, I've asked somebody else, Jordan Harband, if he can try to take a quick cross-compare, and just to make clear, the goal isn't to make them be the same document. Okay, the goal is to make sure that there's no conflict between them, so.

H: That's where, and you know what, we want to know anyway, because if there's a conflict like that, you know, there's something going on.

C: Yeah, well, you know what, that's kind of what I was talking about earlier when I was talking about bridging, right, so right, we're talking about one thing in one document and then kind of what we're talking about here segues a bit over into what the other document's talking about. Let's make sure we give that honorable mention back and forth, right; that honorable mention should go both ways because we're developing both of them in the same organization and, you know, they should complement one another.

F: 100% aligned all the way, and I almost started, you know, brainstorming. What are some ways that OpenSSF could message the partnership and how they fit together, with SLSA and S2C2F and FRSCA, yeah.

C: So we just got a meeting where someone wants to put up, or not someone, I mean they want to put up a site for SLSA, right, a landing page for SLSA, and I said, well, why don't we do a landing page for supply chain security under the OpenSSF, and then we have SLSA, S2C2F and FRSCA, and maybe they...

C: A drop-down page for SLSA, you could click on it. It's a drop-down page, a drop-down page for S2C2F. You click it, it's a drop-down page, but then on the opening page for supply chain security there's an end-to-end, something like David's diagram that he created for the diagram of society. There's an end-to-end that talks about SLSA, S2C2F, in the middle is FRSCA, with the secure build, you know, pipeline, right. There, bam.

C: You know, you have all of that and then you're able to talk about each one of them and what each one of them does and how it contributes to supply chain security under the auspice of what we're trying to develop, you know, across the whole working group, which is a complete supply chain security framework across the whole... I mean, it pretty much creates itself.

C: We were just talking about it, so to your point, Adrian, yes, that would be something to see if we could get the powers that be to align on our thinking of partnership and collaboration. I...

F: Think that would be an amazing way to tell the whole story, so it doesn't appear like these things are being developed in silos, and people can see how they fit together and complement each other.
C: The weekend, considering how many soapboxes I stand on, and I said, you know, I'm gonna, I gotta find a way to limit this soapbox time. I gotta find a way to stop that. But then here, you know, there I go again, I just get on them, and, oh, you know, I have to continuously tell myself, like I tell other people: look, you're not wrong, but you're not all the way right.

C: Left? We covered a lot today. This is really, really good. Thank you very much. For the next meeting, I know I'll do it, please, if you all will, I'll jump inside the Slack, inside of, you know, the meetings and tell people: hey, S2C2F is meeting again, come aboard. You guys are here once, come on.

H: From OpenSSF straight to ISO. Now there are some prereqs, but the kind of prereqs you'd want anyway. Basically, it's got to have multiple organizations and review, and just the things you'd want anyway. Okay.

D: Okay, now I'm familiar with the path, the fast path process, but I didn't know if it was a Linux Foundation level or the...

H: There's more, and if you want, their jury can tell you more than you want.

C: We're crossing teams and understand it's not just to get to go through the fast-path submission process, but it's to become an ISO doc. It's towards this becoming something that's usable, something that's relevant, right, and that's the most important: it's not set-and-forget. We want to make sure that this is something that's also scalable, right, and that moves with the ebb and flow of the industry and the ebb and flow of supply chain security, because we know all too well.

C: You blink your eyes and something changes. So we want to make sure that this can roll with the punches as well.

H: For you specifically, but I'm gonna talk to Kate Stewart, who's been through this process. I think that, you know, we need to get the templates and stuff to help things out, and I think we'll give you a hand there. Oh.