►
From YouTube: Security Tooling Working Group (December 20, 2022)
C
B
B
C
B
Yeah
yeah
I
mean
that's
exactly
what
it's
been
like
for
the
last
two
weeks
for
me,
I've
got
like
so
much
work
to
do
and
none
of
it's
getting
done
because
I
think
the
problem
is
Christmas
lands
on
the
weekend,
so
all
of
the
people
are
like
they've
got
like
that.
Last
put,
you
know
they
get
the
whole
week
like.
Let's
use
it
and
it's
like,
oh,
my
goodness,
no
stop.
C
B
C
A
C
C
C
B
C
B
C
B
Like
Minnesota,
but
the
weather
is,
is
Right,
their
weather
is
even
worse
than
my
weather,
because
I
live
in
Green
Bay,
which
we
get
the
the
lake
kind
of
tempers.
The
climate,
a
bit
and
I
have
some
family
that
lives
in
Minneapolis
and
they
just
get
like
feet
and
feet
of
snow
and
horrible
cold.
And
just
it's
terrible.
C
B
Up
I
know,
I
know,
I've
got
a
co-worker,
that's
there
and
they
just
can't
what
was
it
like?
40,
some
inches
of
snow
I'm,
just
I,
don't
even
know
what
to
do
with
I
can't
imagine
that
I
mean
and
I
live
in
freaking,
Green,
Bay,
I,
think
I
think
we
got
24
inches
once
and
it
nearly
ended
me
because
it
was
just
like
what
do
you
even
do
with
it?
At
that
point,
there's
it's
awful
and
man.
D
B
All
right,
let's,
let's
get
this
this
show
on
the
road
I,
don't
expect
a
lot
of
people
which
is
good,
so
I
guess
thank
you,
everyone
who,
who
made
it
you're
the
dedicated
few.
So
let
me
share
my
screen.
I'm
very
slow.
Today,
I
apologize,
it's
been
in
a
week
all
right,
so
I
will
paste
this
in
the
chat
which
I
find
so
sign
in.
Do
me,
a
favor
people
who
are
here
there's
the
introduce
yourself
in
the
chat.
Do
that
quick.
B
E
F
B
That
sounds
silly,
but
one
of
the
challenges
the
openssf
has
is
getting
working
groups
to
actually
do
work
and
they
they
don't
because
we're
busy
people,
and
so
what
we
really
want
to
do
is
use
the
purse
of
the
openssf
to
accomplish
tasks
not
try
to
acquire
help
from
people
who
are
too
busy
to
do
it.
So
so,
anyway,
let's
just
go
through
this
and
and
see
what
we're
missing
and
we
have
all
right.
We
got
the
overview.
I'm
gonna
ignore
that
for
now,
because
I
think
this
is
easy
enough.
B
So
we
have
scope,
secure
the
software
and
also
I
want
to
add,
if
any
of
you,
oh
hi,
Kate.
If
any
of
you
have
anything
to
say,
just
jump
in
and
talk,
don't
worry
about,
raising
hands
or
anything
like
that.
I'm,
not
watching
the
chat.
So
if
someone
could
speak
up,
if
anyone
makes
a
comment,
that's
relevant,
otherwise
we'll
just
kind
of
keep
going
all
right.
So
secure
software
ecosystem
require
making
production
distribution.
That's
one
easy
in
consumption,
so
this
part
is.
B
We
talk
about
consumption,
a
lot
in
this
group
and
when
we
started
the
group
there
was
going
to
be
a
focus
on
creation
and
then
the
group
basically
said
all
we
care
about
is
consumption,
and
so
I
think
this
one
is
important
and
we
need
to
do
more
with
it.
But
I
don't
know
what
yet.
So
if
anyone
has
thoughts
or
comments,
I
would
value
those,
because
just
saying
consumption
I
think
is
meaningless
in
many
instances.
But.
F
A
B
F
B
F
We
want
to
make
sure
that
the
blockers
are
removed
so
that
people
have
Solutions
out
there
that
they
can
use
themselves
to
do
so.
Like
you
know,
there's
some
open
source
projects
out
there.
There's
some
commercial
offerings
out
there,
making
that
visible,
that
these
options
are
there
I
think
it's
something
that
I
thought
we
had
agreed
was
in
scope
for
this
group
already.
Hence
the
landscape
approach,
yeah.
B
F
B
F
F
F
Specifically,
daggerboard
is
out
there
in
open
source
yeah
and
it
consumes
it,
and
then
it
basically
does
a
match
up
to
you
know
the
vulnerabilities.
It
gives
you
a
dashboard,
so
you
can
track
them
for
yourself
and
so
getting
more
of
these
things
which
are
taking
the
s-bomb
and
ingesting
the
s-bombs,
and
then
you
know,
transforming
or
communicating
them
like
I
think
you
know,
the
d-bomb
project
will
be
ingesting
them
in
the
sense
of
bringing
them
in
and
encapsulating
them
and
passing
them
on.
What.
C
Policies
and
that's
what
I
was
going
to
bring
up
so
the
consumption
I
think
it
needs
to
be
agreed.
Consumption
rules,
because
something
that
also
came
came
up
yesterday
during
the
season
call
was
as
an
integrator
I
might
consume
an
s-bomb
produced
by
the
producer,
and
then
what
can
I
consumption?
Does
it
mean
that
now
I
can
share
it
with
my
Downstream
customer,
which
might
the
producer
may
not
want
me
to
share?
So
it's
a
little
bit
grayish
area
about
this
consumption
and
the
rules
around
it.
B
F
C
B
F
B
F
F
A
F
F
D
But
I
think
the
I
I
do
think
that's
important
because
we
are
going
to
have
a
problem
with
really
inaccurate
s-bombs.
A
lot
of
folks
are
doing
analysis
they're,
you
know
throwing
bits
in
and
you
know
flipping
the
random
the
digital
coins
to
see
what
they
can
figure
out,
which
is
I
mean
if
that's
what
you
got
to
do,
that's
what
you
got
to
do,
but
I
I
fear
that
people
are
going
to
look
at
that
and
say:
oh,
that's,
all
a
sponsor
could
be
so
I
I
think
we.
F
B
F
Like
verifying
at
this
point,
I'd
say:
don't
fall
off
the
floor
is
something
that
someone
is
a
little
imprecise,
a
thing.
I'd
say
it's
in
that
you
know
some
syntactic
at
least
gate
yeah
make
sure
the
syntax
is
correct
and
you're
following
the
actual
written
down.
Syntax,
yep,
okay,
the
so
I'd
be
explicit
here
that
it's
a
syntactic
check.
F
E
B
All
right,
I'm,
gonna
I'll,
just
bold,
that
as
the
quality
gate
for
the
moment
and
then
I'm
gonna
rewrite
all
this.
So
don't
worry,
I'm
just
taking
notes,
basically
in
the
document.
Okay,
so
I
think
the
other
piece
and
I
don't
know
I,
don't
know
how
much
we
want
to
focus
on
this,
but
there's
the
angle
of
how
do
we
get
open
source
or
not?
Even
how
do
we
get?
We
know
one
of
the
goals
is
we
want
to
see
all
of
Open
Source
producing
s-bombs
for
everything
they
do
right.
B
So
what
does
that
mean
like?
Do?
We
want
to
provide
some
level
of
guidance?
I
mean
like
the
example
is
the
Apache
Foundation
asked
us
for
guidance
and
we
haven't
really
given
them
any
because
we
don't
have
any
like
do
we
do
we
want
to
create
that
kind
of
guidance?
Do
we
just
want
to
tell
open
source
projects
you
should
do
this?
Do
we
want
to
like
give
them
the
tool?
I
I,
don't
know,
I,
don't
know
where
to
draw
this
line.
F
F
Everyone
thinks
they
know
everything
in
their
own
space,
so
I
think
figuring
out
what
Min
we
already
have,
a
definition
of
what
minimum
is
and
helping
them
figure
out
how
they
can
achieve
minimum
in
one
of
the
recognized
formats
as
opposed
to
creating
their
own,
because
they're
all
seeming
to
want
to
create
their
own
is
I.
Think
what
we
need
to
help
do
and
make
it
easy
for
them.
So
reference
tooling
examples-
and
you
know.
F
F
E
F
E
F
B
B
F
Well,
I
think
finding
people
who
are
have
connections
into
these
communities
who
also
understand
this
space.
In
effect,
if
you
create
you,
know,
get
a
set
of
ambassadors
who
actually
understand
the
format
and
who
can
you
know
talk
to
these
people
and
help
put
pull
requests
in
and
discuss
things
in
their
own
spaces
is
probably
what's
going
to
be
needed.
F
C
I'm
going
to
go
back
to
reference
tooling
yeah,
so
that's
isn't
that
like
a
live
reference
tooling
or
something
that
can
continuously
be
updated
because
otherwise
it's
a
snapshot
and
this
whole
area
is
growing
so
fast.
You
know
every
morning
you
get
up
there,
there's
a
new
tool,
there's
a
new
way
to
this,
or
should
it
be.
F
F
F
F
D
F
B
Now
now
David
I,
I'm
gonna,
ask
you
on
this.
One
is,
is
I,
think
Brian
said
at
some
point
long
ago
that
the
open
ssf
is
comfortable
being
a
king
maker
when
it
comes
to
like
these
tools,
because,
obviously,
if
we
create
a
reference
architecture,
that's
it
right.
That's
that
those
are
the
tools
that
win
are.
Is
that
still
true
I.
D
I
think
that
is
still
true,
I
I
would
say,
with
a
caveat
that
King
maker,
but
wise
King
maker.
In
other
words,
we
shouldn't
just
roll
the
dice
I'm,
hoping
that
we
like
and
you
actually
Josh.
You
actually
started
down
this
road
and
I.
Think
you
had
the
right
Road,
you
know
sit
down
what's
close
and
even
if
something,
even
if
nothing
is
perfect
today,
what's
a
good
basis.
D
Right
I
mean
there's,
there
are
advantages
to
doing
100
different
things,
but
if
we
want
to
focus
resources
on
one
thing,
it's
helpful
to
know
what
the
one
thing
is
by
the
way.
I,
don't
think
we'll
actually
have
one
thing,
I
think
there'll
be
a
thing
for
a
particular
ecosystem
and
it
might
not
be
the
same
thing
for
every
ecosystem.
I.
B
F
A
F
F
We've
got,
you
know,
I
think
the
build
one
is
the
one
that
you
know
everyone's
sort
of
focusing
on
the
industry
in
the
in
the
industry
right
now,
but
certainly
the
deployed
one
is
ones
I
think
will
be
moving
to
next
but
I.
Maybe
we
should
sort
of
choose
an
order
of
what
we
think
is
most
important
from.
B
F
E
F
D
B
Bit
exactly
100,
and-
and
this
is
the
other
reason-
I
want
to
start
better,
just
documenting
and
tracking
a
lot
of
this,
because
it
feels
like
there's
so
many
projects
and
it's
so
fragmented
and
no
one
knows
what
anyone
else
is
doing,
and
it's
just
no
one
wins
in
an
environment
like
that.
We
all
just
suffer
well.
F
B
100
all
right
so
I
I
feel
like
there's
enough
notes
in
this
scope
that
I
can
take
this
and
and
spin
it
into
spin
the
straw
into
gold
and
put
together
something
passable,
probably
let's
jump
to
the
mission,
because
we're
also
running
ourselves
out
of
time.
Mission
of
this
work
stream
encourage
collaboration
between
esperan
producers,
Distributors
between
all
the
s-bomb
people,
identify
barriers,
usage
of
s-bomb.
F
B
B
B
F
B
F
B
F
Maybe
shareable,
what
I'm
trying
to
do
is
you
know
if
someone's
creating
something
someone
else
has
to
be
able
to
ingest
it,
which
is
why
the
support
software
supply
chain
is
I'm,
going
to
be
looking
for
that
right
and
I
guess
we
established.
That
means
it
happens.
Okay,
fine,
yeah,
okay,
I'm,
not
gonna,
word
Smith
any
further
there.
Let
other
people
Wordsmith
a
bit
better.
D
Yeah,
the
one
thing
that's
worrying
me
a
little
bit
and
maybe
maybe
it
doesn't
belong
here,
but
in
the
end
we've
got
to
have
you
know-
and
this
is
American
thing-
the
king
maker
comment
earlier
from
Josh.
We
need
to
get
good
high
quality,
s-bomb
generators
for
the
various
ecosystems.
Ideally,
there
be
at
least
an
obvious
OS
open
source
software
tool
for
it
and
I
would
be
more
specific
for
at
least
the
bill
dust
bombs
for
an
ecosystem
in.
D
F
D
B
F
E
B
F
B
B
E
D
Nice
I
also
don't
want
to
get
too
bogged
down
into
the
words,
but
it's
just
in
the
end.
What
I
want
to
make
sure
is
that
we
are,
we
are
ensuring
we
have
generator
tools
that
are
you
push
the
button
off?
It
goes
super
easy,
I
think
we're
all
in
agreement.
We
just
got
to
put
that
down
because
when
people
join
I
want
them
to
come
in
and
oh
that's
what
you're
doing
and
not
have
to
re-explain
it.
F
E
B
100.
and
even
then
oh
man,
it's
gonna,
be
it's
gonna,
be
a
treat,
but
that's
right.
Okay,
so
the
requirements
is
old,
so
I
don't
want
to
put
too
much
focus
on
that.
But
the
approach
is
not
so
to
to
reiterate
what
I've
said
at
the
beginning.
We
don't
want
to
do
any
work
right.
We
want
to
fund
work
and
encourage
others
to
maybe
do
work,
and
we
could
potentially
create
like
a
special
group
or
a
project
beneath
this
group
to
do
the
work.
A
A
B
D
D
E
B
B
F
B
So
one
of
the
oh,
let
me
let
me
write
this
down
first
and
then
I
have
a
I
have
something
to
ask
you
Kate
sure,
whatever
that's
gonna,
so
you
talk
about
the
gaps
and
there's
I
think
there's
two
important
gaps,
but
we
don't
talk
about
them
correctly.
So
there's
the
angle
of
there's
just
tooling
missing,
be
it.
You
know
some
sort
of
blind
spot
like
we
can't
generate
s-bombs
for
like
Cobalt
or
something
we'll
say,
but
then
there's
also
I
think
the
angle
of
like.
B
If
we
look
at
the
Go
python
library,
that
was
a
gap
in
maintainership
right
like
the
the
tooling
existed,
but
we
didn't
have
anyone
actually
taking
care
of
it
and
I
feel
like
we.
A
landscape
can
help
identify
gaps
of
like
a
tool,
not
existing
or
a
feature
not
existing,
but
a
landscape
isn't
going
to
tell
us
which
projects
have
funding
or
you
know.
D
You
know
what
I'll,
although
Landscapes,
typically
don't.
If
that's
one
of
our
primary
concerns,
there's
no
reason
we
can't
the
landscape
tool.
We
could
add
data
about,
you
know
number
of
contribute.
Has
it
been
contributed
to
or
released
in
the
last
we
can
grab
the
data
straight
from
scorecards
and
just
extract
that
out.
If
we
think
that's
a
high
enough
risk
for
these
kinds
of
projects
and
I
think
that's
plausible,
we
can
do.
F
B
F
F
D
Yeah
so
Josh
I
know
that
you
had
already
started
down
that
path.
I
I
think
that
basically
some
acceleration
and
you
know
people
to
work
alongside
you
know.
Here's
here,
here's
some
sample
code
I
mean
we
can
just
there's
a
whole
lot
of
Open
Source
projects
we
can
use,
you
know,
go
grab,
you
know,
grab
some
tools.
D
B
That's
another
interesting
problem,
I
think
so
there
is
tooling
right.
There's
cooling
that
needs
help
and
I.
Think
again,
like
your
comment:
scorecard's
fine,
but
then
there's
also
the
I
guess
architecting.
Is
that
the
right
term,
maybe
of
like
all
this
tooling
exists,
there's
a
need
to
use
it
and
someone
needs
to
glue
it
all
together,
and
that
is
not
really
so
we
we
say
that
we
want
this
group
to
do
that
right
up
in
the
we're
up
in
the
scope.
We
talk
about
tooling.
B
How
do
we
do
that
and
I
think
that's
part
of
the
approach
here
is
like
here.
This
is
actually
a
number
three
you
know
start
with
tool
sets
that
will
be
fastest
to
release
economically
efficient
to
build.
But
who
is
going
to
do
that
right,
like
we
can't
pay
an
upstream
project
to
do
this?
Necessarily
we
can't
pay
I,
don't
know
we.
D
B
You
didn't
say
we
could
do
it,
but
we
need
like
some
sort
of
structure
to
say,
like
this
person
is
going
to
architect
this
and
then
the
their
work
will
live
in
this
project
and
I.
Also,
the
most
important
thing
I
do
not
want
to
see
us
like
fund
something
get
it
done,
and
then
it
rots
because
no
one
is
responsible
for
it.
Absolutely.
F
F
So
they
can't
just
sort
of
Define
it
as
a
fight
for
themselves
and
continue
yeah,
and
you
know
that
was
one
of
the
conditions
that
we've
tried
to
set
up,
and
you
know
we're
going
to
be
continuing
to
work
on
it
for
the
python
side.
I
think.
But
you
know
we're
seeing
people
start
to
help
us
out
the
ghost
libraries
and
things
like
that.
So.
D
Yeah
and
the
good
news
is
that
you
know.
Certainly
the
US
government
is
really
interested
in
this
I
think
there's
some
other
folks.
Europe
is
also
the
European
commissioned
is
floating
requiring
us
bombs
in
certain
cases
as
well.
So
I
I
think
that
there's
a
even
though
this
is
a
huge
kind
of
radical
change
on
the
industry.
There
is
some
stomach
in
trying
to
make
it
happen
and
therefore,
at
least
some
folks
willing
to
put
some
money
in
there
if
there's
a
plausible
path
for
it.
Well,.
F
F
I
was
getting
all
excited
when
you
know
the
s-bomb
initiatives
were,
and
there
was
the
small
small.
Was
it
Silicon
Valley
program,
and
you
know,
but
when
you
start
going
into
the
details
of
that
program,
there's
no
way
that
sort
of
an
open
source
project
could
easily
take
advantage
of
that
funding.
You
had
to
be
a
commercial
entity
right.
F
D
D
B
F
F
D
D
I
also
think
that
there's
a
there
there
is
a
stage
where
I
have
you
know
it
works
sort
of,
but
not
quite
quite
enough
for
a
large
enough
Community
to
be
willing
to
use
it.
And
there
is
always
the
challenge
of
getting
the
software
for
enough
use
cases
so
that
people
will
just
grab
it
and
use
it.
And
then,
and
then
you
you
pick
up
the
rest
as
it
gets
better
and
better.
F
F
B
C
B
Has
some
of
that
so
I
I
want
to
jump
to
four
here
it
says
incentivize
and
educate
blah
blah
blah
maintainers.
It
includes
helping
open
source
maintainers
implement
this,
which
I
think
is
the
obvious
second
step
after
the
first
step.
So
if
we
have
the
tool
sets,
if
we
have
the
guidance,
if
we
have
money
to
give
people
to
implement
this
stuff
like
how
do
we,
how
do
we
actually
start
turning
that
crank
and
is
there
something
we
can
do
to
incentivize?
That.
F
So
I
think
part
of
it
is
sponsoring
meetups
at
the
some
of
the
shoulder
events,
so
maybe
having
a
hackathon
type
of
deal
where
all
the
tool
vendors
can
come.
You
know
people
are
doing
tooling,
can
come
and
collaborate
together,
and
you
know
so
those
who
are
sort
of,
like
maybe
using
sort
of
the
open
source
events.
F
F
E
F
D
B
F
B
F
Okay,
I'm
calling
that
meetups
for
whatever
reason,
but
you
know
in-person
get-togethers
whatever.
However,
what
we
might
want
to
do
is
have
sponsor
a
seminar
series
of
you
know:
people
have
a
tool
and
they
can
talk
about
how
to
use
their
tool
in
a
lightweight
fashion
and
have
a
q
a
session.
So,
as
you
know,
projects
have
tools
visible
and
available
and
they
want
to
show
people
how
to
use
them.
F
B
Let
me
I
I
do
like
that.
That's
a
cool
idea,
I
think
we
should
definitely
have
some
sort
of
forum,
but
actually
I,
think
the
CNC
app
does
stuff
like
this,
where
they
have
regular
show
me
webinars
and
stuff
yeah,
where
people
like
to
show
off
their
cool
stuff,
I'm,
seeing
even
even
higher
level
than
this.
So
let's
say
I'm
gonna
pick.
B
Just
because
I
was
running
their
tools
this
morning
and
I
was
getting
grumpy
about
it,
but
so
open
office
right,
let's
say
open
office
needs
an
s-bomb.
How
do
we
incentivize
a
project
like
that?
That
is
already
running
thin
to
dedicate
resources
or
something
into
making
and
maintaining
esperan
content
are.
C
B
D
I
think
we
should
identify
a
few
and
literally
work
with
hand
and
Glo
I
would
call
what
we
call
White
Glove
work
with
a
few
projects
to
help
them
over
the
starting
line,
because
when
nobody,
how
else
does
it
everybody's
gonna
say
nobody
else?
Does
it
and
you
get
keep
repeating
that
and
Kate's
going
to
point
out
that
some
projects
already
do,
which
is
true
but
I,
think
there's
some
other
kinds
of
products
that
are
widely
used.
D
That
don't
LibreOffice
might
make
a
very
good
case
because
there's
a
wide
variety
of
folks
who
bring
that
in
as
a
desktop
application,
I,
don't
know
what
the
right
list
is.
Doesn't
matter
right,
you
pick
a
few
help
them
get
going
once
you've
got
a
few
as
examples
now
you
can
point
to
them
and
say:
look
do
X
and
they're
doing
it
already,
and
you
can
do
it
too,
following
exactly
what
they
did
and
so.
D
F
F
F
F
F
You
know
there
are
people
wanting
to
talk
about
what
they've
got
or
explore
or
say
what,
like
you
know,
we
had
to
turn
about
a
third
of
the
proposals
away:
okay
because
of
space
wow,
so
like
I,
say
so:
sponsoring
in-person,
get-togethers
of
some
form
and,
quite
frankly,
collaboration
forums
where
people
can
talk
to
each
other,
and
you
know
explore
these
things.
I
think
is
a
way
to
advance
this
and
get
adoption
in
a
lot
of
these
other
projects.
F
What
we
might
also
want
to
do
is
in
the
notion
of
celebrate.
You
know
celebrate
when
people
achieve
things
is.
You
know
as
projects
make
things
visible
or
have
done
things
you
know
it
should
we
have
some
sort
of
way
of
badging
equivalent
I
don't
want
to
use
the
term
I
didn't
want
to
use
such
a
badging,
but
nonetheless,
badging
is
kind
of
what
I'm
talking
about
as
hey.
We
speak
s-bomb.
D
E
E
Sorry
haven't
been
in
one
of
these
in
a
while,
so
you
know
it's
got
me
thinking
about
something
along
the
lines
of
the
blackhead
Arsenal.
So
having
something
you
know,
if
you
already
have
a
conference
around
these
issues,
whether
it's
sisa
or
the
Linux,
Foundation
or
whatever,
and
then
simply
opening
up
a
track
for
tools
for
guys
to
be
able
to
show
presents
and
people
can
ask
questions
similar
to
what
they
do
in
the
bracket.
F
B
F
Yeah
I
mean
you've,
been,
you
know
like
I
say
this
is
why
we've
been
working
with
the
Octo
so
see
earlier
point
about
the
white
glove
treatment.
Like
you
know,
we've
been
working
with
the
Octo
and
that's
a
good
inflection
point.
I'd
say
like
any
of
build
chain,
like
you
know,
compiler
tool
chain
with
a
Linker
step
as
the
information
necessary
here.
Yeah.
D
F
B
B
So
what
I'm
going
to
do
now
is
take
everything
we
have
and
I'm
going
to
turn
this
into
like
a
a
proper
draft
document
that
we
can
then
like,
like
nitpick
words
and
Wordsmith
and
do
whatever
we
need
to
do
and
kind
of
get
this
under
sort
it
out
and
and
and
like
get
moving
after
that,
like
I,
think
I
think
we
have
all
the
pieces
we
need
now.
We
just
need
to
put
it
together
and
then
like
get
moving
so
awesome.