A: G'day, everyone. Just asking you to add yourselves to the notes as an attendee. It'll probably be a few minutes before we get started. I think Dustin's going to be chairing this meeting, so hopefully he should be here before too long.

C: Oh yeah, I've joined many meetings, the OpenSSF meetings, but this is probably the first time here. I just have a question, actually, about the repository security maturity level, like, for example, with sigstore. Is there such a security level?

A: Oh, I'm frozen. Check, check. There I go. We could put that in this.
D: Hello, I'm Noah. Am I audible? Yes, I can hear you, perfect. I'm a researcher with the Open University and I'm researching maintenance and security vulnerabilities in open source software. Very excited to be here.

E: Sure I will. Can you hear me?

E: I can't get my camera going right now for some reason, but my name is Ryan Ware, I'm from Intel. Mr Wheeler should recognize that name, and I wonder how a bad penny like me can show back up. But it's good to see you all. I recently started back at Intel after having left for a year, and I am focusing on OpenSSF. So.

A: Nice, nice to hear you. I'm not sure... nice to meet you in any case. I think that's all the new faces, and the rest of us are just the usual crowd.
A: So the first item on the agenda is from Grand Alum, who's unable to attend today. He has opened a pull request on our working group repository. The pull request includes data from the survey that's been somewhat anonymized. It includes a summary of those results. For those who don't know what I'm talking about: last year we did a survey of package ecosystems, asking questions about what practices they have, what practices they would like to have, and the same again with tooling and a few other sort of topic areas.

A: So it's worth a read, I can heartily recommend it. Also, of course, looking...

A: I've frozen again. Here we go, check, check. Yeah, there we go. I'm having just one of those days. So yes, feedback definitely welcome, and this is stuff that we've talked about in the past as well. I had a pass through this morning, this afternoon. It all seems like a long time ago.

A: Blissful silence. All right, let's move on. Next is Dustin.
F: Howdy folks, I just wanted to share. I haven't been directly working on this too much myself, but on behalf of the GitHub folks and npm folks: they have a private beta running for their provenance feature, so you can build an npm package with SLSA provenance and publish that to the npm registry, and it shows up there and everything. Looks like maybe Zach has added...

F: Public beta will be on the roadmap to be published by the end of March, and they want to make this generally available by June, but this is currently the private beta that you can get access to by emailing Zach. And if you're interested in sort of seeing what they're talking about with SLSA, I think that's probably a good place to sort of peek at what's going on, and yeah, any feedback for them would be good as well. That's the first ecosystem to adopt it, to also ingest provenance into the registry.

A: Any sort of questions or thoughts that folks might have? I was sort of curious, sir, do you know how this might be published, like... sorry, let me rephrase that: the SLSA provenance would be in-toto JSON files that live somewhere, is that right?

F: Yeah, they're essentially in-toto attestations that live in the repository. Maybe I'll just quickly skip to my next item because it sort of rolls into it. Oh.
F: The SLSA spec is also moving to a 1.0 release of the specification. It sort of describes what the provenance style and everything looks like. So npm has sort of integrated against an early version of the spec, so they have some changes to make to align with 1.0, because it hasn't actually been released yet.

F: One thing that I'm planning to include in the 1.0 release for SLSA is sort of a guide for how repositories should think about adopting SLSA, so like what the file looks like, its relationship to artifacts, how it should be generated, that kind of thing, how it should be validated. So stay tuned for that; that will be in the 1.0 release. The SLSA spec is going to be launching a release candidate fairly soon for the 1.0 spec.

A: That is exciting, that it is at last coming to 1.0, and I look forward to, I know, probably a couple of days, you know, marinating in the release candidate to really give good feedback, but I'm sure I'll find some typos and some grammos that I can claim credit for fixing.
G: Hello, everyone. Yeah, I was about again to use this meeting to get some insight into other package managers, since we are introducing some new stuff in RubyGems which seems to already be built in and widely used in other ones. So I was about to ask for some recommendations, suggestions on two topics in here. The first of them is:

G: Adding a new command to execute files from the packages, from the inside. I think there was an npx command on the npm side, which was somehow recently removed, I think somehow kind of self-deprecated and moved to npm itself.

G: So we are looking for some experience, even if there's any other package manager doing something similar, mostly for security reasons, right? And it's just like blindly executing some code, not coming from the internet, but to keep it super user friendly. It works in...

D: So I saw just in the notes, as I flip back and forth, this is, they say, specific for Ruby. Yes, what you're initially looking at. Do you guys look into Go projects at all?
A: Sorry, when you say "you", do you mean you, Joseph, or you, the whole group? The whole group? Well, we haven't had much contact with Go folks yet. I think there have been attempts to reach out in the past that haven't really gone anywhere. Go folks are very confident in their implementations, in my experience. Uh-huh.

D: Point okay! Thank you. That's a good one. I've seen a lot of OpenSSF projects are very Go-centric in the packages that they make and the tooling that they do, and I thought this group struck me as, like, Ruby-centric.

A: Oh, I hope it doesn't, well.

A: Oh, it's just, it's, you know, today we have a lot of Ruby, but you know, sometimes we get a lot of npm on the agenda. Sometimes, yeah, we're hearing from PyPI, we've got folks here from Cargo, Maven Central. Today is quieter than usual, but it's usually pretty diverse.
G: The reason for this, Noah, is actually a total accident for you. There was some funding actually happening at Ruby recently, which really super boosted the development. There's a lot of stuff we are trying to keep in sync with other repositories, so we are building new features that are already built around, so I'm usually trying to ask it here, also to share some experience these days in here. So maybe that seems a little Ruby specific, but it's not really, in the end.

A: Good. Returning to the question that you had, Joseph, because we have a relatively low attendance, can I suggest perhaps also bringing this up on the mailing list for the wider distribution?

A: Yeah, I think the mailing list is a good place to bring it up, and we can sort of hope, Trevor or Miles, if we get stuck. So the next one is also you, Joseph. You were talking about the package content ingestion. Can you say, first of all, what that is, or what that...
G: Let me explain a little. It's also, I think, a feature you would like to introduce that is already built in different package managers. Currently the package, the gem format these days, is just a few files tarred together and zipped and just called a gem. This is not really a custom format, and when somebody is going to publish this gem, we just blindly store it to S3 these days, and you don't really look inside.

G: We just store it, and currently we are looking for a way to actually ingest the content of the package somehow and to be able to build some tools around the content of the package. And one of those tools we would like to build is also some kind of security analysis of what's happening in there, since this is currently provided by third parties, and we would like, thanks to all the funding that's happening around, to start understanding the content of packages on our own. And the initial part is super simple: to somehow read the content of the package, store it somehow, and then build some simple UI where you can, on the web, browse the package content and also, for example, when it's interesting, do a quick diff on the web between two versions, right?

G: So you can decide on your own easily if this diff is something I would like to put into my local gem bundle. And we've seen as well this is already built in various package managers, so we are also interested. For now we are interested in a way how to index this code, store it. So share some knowledge on this side, and in the future...

G: Maybe we can do some, I think there was the data projects last time, which is capable of scanning multiple kinds of code, right? So maybe we can just contribute to that one and use it internally to scan our gems, right? So maybe, I saw some, built-time, sure, I've heard on those topics which, once we know the content of the packages, we can start reading it, evaluating, taking a look, exposing to users in various ways.

G: If there's anything for anyone to share as well, to take a look and be inspired by it, or again, mostly we are looking for the pain points, right? So we don't need to repeat and go the blind way as well.
A: I was a skeptic on this one, Joseph knows, just because I sort of see it needing potentially a lot of resources, but Andre, one of the RubyGems folks, pointed out that there's a sort of on-the-scale-of-decades risk in relying on third parties to do this, and that it really needs to be something that the platform itself is responsible for or capable of.

G: I think that's one of the motivations to stay super independent and isolated, right, so we can do anything in Ruby and on our side. Andre was reasoning: RubyGems has been here for more than 20 years already, so it would be nice to do our best to keep it moving forward and not really rely on third-party software as much as possible, or at least keep it open still, since all we do in RubyGems is super open; there's only a tiny part being currently privileged.

G: So that's how we are looking in here, and I've seen again npm already is doing this somehow; I think they are having, like, an online browser of the packages. We can also ask again anything for some hint. I think CPAN is doing the same as well; you can read the package of CPAN online, so yeah. Definitely we can get inspired somewhere and...
G: In the future, maybe we can provide something like a CodeQL public repository, right, so anyone can just take a look, which can be super useful. We already do this in RubyGems, but it's super private, since the resources needed we host somehow, or someone from the Ruby team, from the core team, is hosting the whole gems mirror locally. It's our machine, and they are able to run some greps and stuff around the code base. So if there's some discussion...

G: Deprecating some stuff, for example: we can grep all the public packages at once and see if some API call is widely adopted in all the packages published ever, and thanks to some modern technologies like CodeQL and proper indexing, we will maybe later be able to provide this kind of open query repository to anyone, so any maintainer can take a look at how those API calls and methods are used across the packages and then decide on their own. So we are looking forward to this.

G: Okay, I will ask again, as mentioned, in async somehow on the email list, and let's hope we will get some inspiration and some shared knowledge in them.

A: That's good to me. Anyone else have any thoughts they wanted to put on that before we move on? Going once, twice. So Dustin, you're up.
F: Yeah, I just wanted to quickly share, I think that we talked about before, PyPI is moving forward with an OIDC-based credential-less publishing authentication method, and so in the initial release this will be the ability to publish a package from GitHub Actions via OIDC, OpenID Connect. It's super cool. This is something that, like, any repository probably could support, so we're going to do a private beta for this pretty soon and open this up to folks, probably within the next month.

F: Publicly. And I just want to say, I'd be happy, and the GitHub folks have been really helpful in getting this working. We're totally anxious to talk to any other repositories that are thinking about implementing this. I know that npm is kind of moving to implement this as well, so yeah, any questions or anything, I'm happy to share, and if you want to join the beta there's a sign-up form; feel free to share that.

F: Yeah, so each individual run of every workflow has a unique identity, and so on PyPI you'd configure which repository, which workflow you trust for publishing, and then at publish time you exchange, you know, the OIDC identity for an API token that's short-lived, and then you use that for upload. So no secrets to store, no passwords, nothing like that.
F: The thing about OIDC is that, you know, it's a list of claims, and some of them are standardized, but most of them are not. So things like the GitHub repository are specific to GitHub's OIDC identity, so that would need to be configured per provider, but I think there's sort of some consensus around what these should look like for software repositories. At least I know GitLab is working on something similar; Google Cloud, like, every service account has an OIDC identity. But yeah, you need to...

A: We had in mind, and "we" as in me and the team at Shopify who help out with RubyGems, that we want to revisit this subject, and we know, having talked to Andre from RubyGems, that he's also interested in solving this sort of problem of making it easy for a build to automatically acquire a token. And we saw this workflow being done for, I think it was like AWS and GCP were the first ones where you could exchange the GitHub token for an API token. And yeah, I had the same idea, right, that you would take the OIDC token and exchange it for a short-lived or single-use API token with, you know, like only permission to push, and then that would make a lot of things... I suppose you're probably still going to keep the existing mechanism for a long time, though.
G: Okay, and so for now, just for automated builds. You can't contain manual pushes.

F: It would be for anyone that's publishing from GitHub Actions currently, so I think in the beta you'd sort of have to manually request and get the API token. The plan is to integrate this into the canonical publishing GitHub Action workflow and publishing tool, so that if they didn't have credentials they could figure out if they were on GitHub Actions and request the credentials, which is interesting.

G: And is this then, Dustin, currently on the RubyGems side? Just from my experience, there are no numbers behind this statement: I think the majority of publishes of the packages is done manually. Just somebody manually runs some command and does it from the console, usually. Not sure about the situation on PyPI.

F: Yes, yeah, I mean, I think the general push is for more automated releasing and less running around your machine kind of stuff, so yeah. This is like a nice thing that would motivate people to move off of that, or not, for something, I mean, but yeah, I mean obviously all workflows are still supported.
A: I know, for example, that Rails is released manually or semi-automatically, I guess. They, you know, they run a rake task that does all the tedious bits.

A: They've got logic that works out how far into the release it's gone. Very quickly, this is because Rails has a whole bunch of gems that roll up into Rails, so you have the main rails gem that depends on active-this, active-that, and so the release is not complete until all of those depended-upon gems have also been released.

A: So their script has logic that notices that it's crashed halfway through, like that the OTP token has expired halfway through the pushes, and then it needs to get a new one. Your reaction is kind of like a beautiful mirror of how they feel about this process.

A: Aaron Patterson is not a huge fan of having to pull out his phone and keep it open while he's releasing Rails. So it's something that's, like, on our list of things that we think would be nice to make easier. Making it automated would be really pleasant if they could do that.
F: Not only can we say we know exactly the GitHub repository this came from, and so we can sort of verify that link this way, but for individual releases we can tie those back to individual commits on GitHub as well, and workflows that published from those commits. So it's like a nice opportunity to connect back to where things were created, provide a little more information there as well that we can't do right now.

B: Yeah, I think it's critical to be able to say: I got this, where's the source that that came from, and be able to verify it. I'm sure, I see that Chris Lamb is on, so he'll appreciate this.
B: You know, within the, for the OpenSSF dashboard stuff that's currently in an early stage of discussion, they're trying to create a little dashboard where you can see what's the state of some particular open source software package, you know, be it, you know, Maven or wherever else, and I am hoping to convince them...

B: You know, at least as a stretch goal, is an attempt to reproduce the package and be able to say either yes, I could, or no, I couldn't. And Scoville has done some things where, at least in some cases...

B: You can eventually guess and figure out what the build command must have been, and at least in some cases actually produce something. In some cases, if you back off and say, well, okay, everything's fine except for the dates (I'm sure Chris Lamb will have comments about that), but it's still lesser risk than, you know, "hey, look, everything's fine except for the crypto mining code that was added after the source was released", which has happened many times, yeah.

B: I have a crazy thought, and I've raised it before, I think in this group, but it was a long time ago. It would be awesome if at least some of the repos modified their workflows and basically said: sure, upload the package, that's our test case, we'll rebuild it and see if they match. In the short term, just rebuild and tell you if they don't match, and in the long term I'd like to see big warning flashes that say they don't match, and maybe even, in the further future?
A: The tricky part is, for, I know this is true for Ruby and Gradle and I'm not sure who else, that the definition, the manifest, the spec, whatever you want to call it (gemspec is what we call it in RubyGems), is executable. It's Ruby code. It's a DSL. I'm...

A: What I'm driving at is that's one aspect, right, is like the analyzability of it. You know, nightmares.

A: That's true, it's something to think about. I think it'll be difficult to prioritize it over competing things like SLSA provenance, sigstore integration, OIDC exchanges, like if I think about the three things that interest me, as well as stuff that's being done on RubyGems, like, you know, gem exec and ingestion and the new admin console and a bunch of stuff that's happening. Yeah, I just want to brag, by the way, that, like, the progress in RubyGems lately has been just amazing.
B: I will say that the press towards MFA, the crypto mining stuff in many cases is because a developer's account got popped. So, you know, the press towards MFA on GitHub and RubyGems and lots of other folks I think is making progress towards that. I still want to see reproducible builds longer term, but it is having an effect right now.

A: Yeah, I'm pretty excited about that rollout with GitHub. I think that's going to raise the water level so much in terms of people will have to get used to two-factor authentication and be set up for it. It'll become much easier to expand the number of people we cover in our different ecosystems.

A: Yes, all right, is there any other business that people would like to discuss or bring up, as much as I'm enjoying this sort of wandering conversation?
C: So for the repository, GitHub is used everywhere, so all the stuff that OpenSSF is doing is very cutting edge, so I really enjoy listening and learning.

C: However, a lot of it is very complicated for, you know, a lot of users. So is there any, like, for example, in the CIS Benchmark there's a concept called implementation group where, based on the complexity and the effectiveness of the change, the security controls are put into different groups, so group one is easier to implement but has much, you know, a good effect. So in the OpenSSF landscape, is there such a thing as well?

C: Like, you know, what can be done right away, like this, without waiting for the latest software, and is most effective in securing repositories.
A: I think there's two answers that I can give. One is that SLSA is focused on that from a build-centric sort of point of view. There's also S2C2F, which should have been called Sandra, I'm still salty about that, which is the Secure Supply Chain Consumption Framework that was created and donated by Microsoft into the OpenSSF. So that focuses it more from an "I'm a consumer of dependencies" kind of focus, and both of those have, like, levels in them, levels as a concept, leveling up, where controls are sort of grouped together and they are broadly organized in sort of like order of complexity or difficulty.

A: So, for example, in SLSA, by the time you reach level four you need to have hermetic and reproducible builds, right, which is not a simple thing. Am I misunderstanding that?
A: So, yeah, I mean, I've been a past party to that controversy, in the sense that I'm like, but what about pairing, I'm a parent with an attic, where does that fit? Okay. So the second half of the answer, Victor, is that there is an End Users Working Group, which is also part of the OpenSSF. I attend that group also, and one of the things that the End Users Working Group was inspired by was this exact question.

A: What do I do? Where do I start? You know, there's just a sea of documentation and ideas, and where do I begin? So that's something that the End Users group has been working on, particularly around some reference architectures that you can look at and get guidance on where to go for more information and guidance, and also there's been some cooperation with the diagram of society, which is an effort to basically lay out in some diagrams...

A: No worries, okay, were there any other things that people would like to discuss today?

A: Going once, going twice, okay, so it sounds to me like we can knock off early, give ourselves back another 21 minutes by my account. Thank you, everybody, for coming today. I think it was very productive and I look forward to seeing you all at the next meeting, which is in two weeks at the EMEA-friendly time, which is in the morning for folks on the east coast of the United States and at various other times around the world, and we will see you there or not as time zones permit.