►
From YouTube: Security Tooling Working Group (July 19, 2022)
A
A
Excuse
me,
I
am
was
washing
my
windows
early
this
morning.
I
live
in
a
condo
and
about
once
a
year
I
try
to
wash
the
windows,
so
I
I
don't
do
a
very
good
job
of
it,
but
I
got
the
ladder
and
the
hose
and
my
cleaner
and
early
this
morning
I
went
out
and
sprayed
the
windows
and
used
the
hose
and
looked
at
my
job
and
yeah.
B
A
B
C
C
A
Hi
there
I'm
matt
miller,
and
I
just
wanted
to
let
you
know
I
manage
the
component
registry
effort
within
within
product
security
within
red
hat,
and
I
work
with
kathy.
I
know
kathy
is
your
your
rep
here
on
the
working
group
we
just
wanted
to.
Let
you
all
know
that
the
component
registry
is
now
open
sourced.
A
We
we
kicked
off
the
component
registry
project
within
red
hat
in
and
although
we
had
been
doing
manifesting
of
our
products
and
services
up
until
that
point,
we
realized
that
we
needed
a
better
solution
for
our
manifesting,
given
u.s
executive
order
on
cyber
security
requirements
and
all
other
the
other
things
that
have
been
going
on
with
regard
to
s-bombs
and
that
kind
of
thing.
So
we've
been
working
on
our
component
registry
effort
as
a
better
way
to
do
manifesting.
A
A
We
are
testing
right
now,
some
of
our
manifest
data
to
see
how
it
will
look
under
the
component
registry
compared
to
our
manifesting
up
until
this
point,
and
the
other
thing
is
what
we've
noticed
with
different
companies.
Organizations
that
have
come
out
with
you
know:
they're
manifesting
solutions
to
try
to
generate
s-bombs
that
there's
really
no
magical,
s-bomb
generator.
For
example,
for
us,
it's
still
an
internally
focused
application
for
a
manifest.
A
It's,
I
think
at
this
point
it
can
be
used
as
a
recipe
for
how
you
want
to
potentially
build
your
own
registry
or
your
own
manifesting
solution,
your
own
company,
but
really
it's
fundamentally
a
shell
that
is
such
that
you
have
to
really
put
in
your
own
data,
your
manifest
data
from
your
own
products
and
services
to
make
it
work
and
generate
the
s-bomb.
We've
noticed
that
with
other
companies
like,
I
think,
microsoft
came
out
with
an
s-bom
tool
not
too
long
ago
and
made
that
open
source.
E
Sorry
this
is
pratik
mishra!
Sorry,
I
didn't
mean
to
interrupt
you,
but
just
just
so
I
sort
of
understand
the
logical
flow.
So
so
there
there's
sort
of
a
process
of
extracting
s-bombs
right
from
repositories
or
artifacts
or
whatever.
So
that's
one
piece
of
it
right
and
then-
and
this
sounds
like
a
second
piece
kind
of
a
place
where,
where
they
can
be
published
and
managed,
is
that
am
I
on
the
right
track
or
so
so
this.
A
Would
be
both
yeah,
so
what
we
have
here
is
a
method
by
which
manifests
can
be
extracted
right
and
for
red
hat.
It's
a
rather
complicated
endeavor,
given
the
number
of
products
and
services
that
we
have
and
we
use
collectors
to
grab
that
data.
So
that's
the
first
thing
that
would
come
under
this
component
registry
project.
A
The
second
thing
would
be
the
component
and
it's
not
in
there
yet
and
that's
the
work
that
still
needs
to
be
done
is
that
our
component
component
registry
will
be
used
to
generate
s-bombs
and
it
will
become
our
default
manifesting
tool
for
red
hat
across
the
whole
company
once
we
are
farther
along
and
we
know
that
we've
tested
it,
we
know
it
works
and
that
it
can
be
used
to
replace
our
existing
way
of
manifesting.
Does
that
answer
your
question.
A
Given
the
interest
in
this
so
again
we're
I
just
want
to
emphasize
we're
pretty
much
at
the
early
stages,
but
you
can
go
in.
You
can
take
a
look
if
you
have
any
relevant
inputs,
you
know
feel
free
to
give
us
some
inputs,
but
that's
really
kind
of
where
we
are
with
the
component
registry.
So
I
don't
know
if
folks
have
any
other
questions
or
I
see
a
hands
up,
I
guess
perhaps.
A
D
A
Yeah
so
point
noted
on
the
demo
to
be
realistic.
We're
probably
not
gonna
be
ready
for
a
demo
to
give
you
all
until
sometime
in
the
fallish
time
frame,
or
you
know,
depending
upon
how
things
go,
it
could
be
even
sort
of
like
the
winter
time
frame,
but
we
can
come
back
and
certainly
do
that.
It
may
be
also
too
that
we
can
perhaps
earlier
record
a
demo,
because
we
we
we've
started
experimenting
with
that.
A
A
It
does
not
include
various
layer,
product
relationships
and
things
that
we
have
at
red
hat
like
you
know
how
sort
of
our
you
know,
enterprise.
You
know
the
relationships
between
you
know
sort
of
like
components
that
are
used
by,
let's
say,
enterprise
linux,
as
well
as
like,
let's
say,
openshift,
or
something
and
and
right
now
it's
a
very
manual
process
to
to
tie
security
vulnerabilities
to
these
components.
A
A
Our
legal
team
is
also
very
involved,
with
at
red
hat
with
what
we're
producing,
because
we
want
to
make
these
manifest
reports
available
to
customers
and
we
have
based
upon
our
legacy
tooling.
A
couple
of
customers
have
already
asked
for
some
preliminary
reports,
so
you
know
it's
it's
it's
a
work
in
progress,
but
but
yes,
we
are
trying
to
tie
in
what
the
community
is
doing
in
terms
of
the
different
formats
and
basically,
what
we're
doing
now
is.
C
A
C
A
It
up
sure,
so
what
we're
doing
now
is
really
just
testing
the
manifesting
for
our
top
products,
so
rel
and
a
few
others
to
see
how
the
manifesting
looks
right
now
in
the
component
registry
right
we're
testing
the
data.
So
that's
where
we
are,
that's
it.
If
there
any
other
questions
happen
to
answer
them
or
just
you
know,
chat
more
offline
with
folks.
So.
C
F
F
Effort
under
this
working
group
would
be
the
logical
and
kind
of
next
step
to
continue
that
forward.
The
point
of
that
sig
would
be
to
steward
that
that
that
plan
forward,
you
know
to
update
it
to
basically
take
ownership
of
it
and
and
set
new
targets
if
new
targets
make
sense,
but
also
to
do
the
groundwork
of
figuring
out.
F
We
we
know
that
there's
lots
of
people
releasing
s-bomb
generation
tools
and
the
like,
so
the
plan
should
should
build
on
top
of
all
that
and
and
figure
out
how
to
how
to
move
the
ball
forward
on
the
goals,
specifically
in
the
in
the
in
that
in
that
overall
plan,
the
idea
is,
those
proposals
would
be
submitted
to
actually
one
of
two
different
places.
The
first
would
be
you
know.
We've
got
a
bunch
of
pledges
from
companies
against
the
plan.
F
We
haven't
yet
figured
out
the
pipeline
of
turning
that
money
into
into
work,
but
the
idea
is
that
proposals
would
go
in
front
of
the
organization
that
made
those
pledges
and,
and
then
hopefully,
we'd
raise
funds
from
them.
You
know
100k
from
here
100k
from
there
pretty
soon
would
add
up
to
a
300k
kind
of
chunk
of
work.
So
so
this
the
sig
that
would
be
under
a
work
group
like
security
tools,
which
I
think
makes
sense
to
to
house
the
s
bomb
everywhere.
F
Sig
we
create
these
proposals,
put
them
in
front
of
those
folks.
We
as
staff
would
help
facilitate
that,
but
but
this
is
not
brian
as
a
domain
expert
or
any
of
the
open
other
open,
ssf
staff
kind
of
you
know,
projecting
a
certain
view
of
how
things
should
work
other
than
to
say
the
collective
intelligence
pulled
together
under
the
sig
in
this
working
group
should
really
shepherd
that
forward.
The
other
place
it
could
go
would
be
in
front
of
the
attack.
C
Josh
is
that
what
you
were
looking
for?
Yes,
before
I
go
to
kathy,
she
has
a
question.
I
apologize
kathy,
it's
one
of
the
benefits
of
being
in
charge.
So
brian
you,
you
said
about
creating
a
sig
in
this
group,
but
we
can't
technically
do
that
until
the
tack
approves
your
plan
right,
or
am
I
mistaken
in
that.
F
Well,
there
have
been
a
couple
of
things
informally
that
have
begun
focusing
on
this,
so
crow,
for
example,
has
been
hosting
calls,
including
one
this
morning
for
the
emergency
response
team
component,
the
the
working
group.
I
forget
the
working
that
created
it,
but
but
there's
the
vulnerability,
disclosures
working
group.
Let's
move
forward
on
that,
there's
been
another
one.
F
That's
been
meeting
on
moving
stream,
one,
the
education
stuff
forward
a
bit,
so
I
think
I
think
whether
we
create
that
funding
structure
under
the
governing
board
as
anticipated
or
not
it's
you
know.
Working
groups
are
free
to
create
special
interest
groups
underneath
them
and
and
and
move
forward
with
that
and
and
if
we
find
have
to
go,
look
for
funding
other
places
we
can.
B
B
F
Even
the
targets
and
and
time
frames
and
the
like
might
might
adjust,
and
it's
really
up
to
the
sig
to
to
to
own
that
overarching
picture,
but
then
also
figure
out.
What
are
the
next
concrete
steps
to
take
to
get
funded?
But,
yes,
it
would
be
specific
to
s
bombs
rather
than
other
types
of
tooling.
I
think
that
was
yours.
C
D
D
I
am
not
necessarily
questioning
whether
that
is
the
case,
but
I'm
wondering
is
that
the
case,
or
does
this
make
more
sense
under,
for
instance,
the
supply
chain
integrity
working
group?
I
just
want
to
make
sure
that
the
sig
and
the
s
bomb
everywhere
initiative
ends
up
in
the
right
place,
where
the
most
people
who
are
most
interested
in
it
will
see
it
and
there's
no
saying
that,
obviously,
there's
not
going
to
be
there's
going
to
be
tooling
involved
right.
F
F
So
much
that
it
was
easy
to
ask
open
source
projects
to
start
to,
do
that,
to
start
to
check
the
s-bombs
of
upstream
components,
if
that,
to
whatever
degree
that
makes
sense
and
and
that
it
was,
it
was
built
into
the
tools
so
that
the
lift
was
very
minor.
And
so
we
got
bombs
up
as
far
upstream
in
the
supply
chain,
as
we
could,
rather
than
s
bomb
generation.
Being
something
left
to
the
last
mile,
where,
if
it
happens,
it'll
be
proprietarized
or
be
seen
as
a
competitive
differentiation.
F
If
that
was,
if
it
was
the
right
home,
I
I
and
you
could
you
could
decide
to
take
it
on
or
or
not,
but
I
I
I
and
my
hope
is
that
there
is
a
home
and
they
have
open
ssf
somewhere
for
it.
If
not,
then
we'll
probably
remove
it
from
the
plan.
You
know
our
on
the
on
the
basis
of
I
guess
s,
bomb
tooling
doesn't
have
a
helmet
of
an
ssf.
E
Yeah
hi
hi
brian
yeah,
quick,
quick
question
in
terms
of
scope
right,
so
one
of
the
challenges
is
sort
of
adequacy
of
s-bomb
generation
right,
there's,
so
many
artifacts,
there's
repositories.
There's
images
there
are
libraries
there's
right,
so
would
some
guidance,
I'm
not
saying
right
that
we
magically
sort
of
imagine
this
tool.
That
quote,
does
it
all,
but
would
some
would
this
would
would
it
be
in
scope
to
provide
some
guidance,
how
to
go
about
doing
this
and
perhaps
even
push
some
requirements
to
the
different
communities
python
java?
G
One
of
the
things
that
josh
and
I
were
chatting
about
the
other
day-
was
on-ramps
and
making
it
clear
and
how
to
make
it
easy
for
people
to
put
this
into
their
tooling.
I
think
that
is
in
scope
that
we
can,
you
know,
say:
you're
gonna
start
generating
a
minimum.
This
is
what
it
needs
to
have
yeah
and
how
do
you?
G
G
It
seems
like
a
reasonable
approach
to
me
anyhow,
but
feel
free
to
contradict
me,
but
yeah.
The
challenge
is
getting
it
into
the
tooling
and
making
it
easy
for
the
tools
to
do
it.
So
it's
behind
the
scenes.
It's
not
front
and
center
is
an
extra
huge
lift
for
the
developers
in
any
way,
shape
or
form.
E
Right
right
not
not
to
rattle
too
much
on
this
right,
but
having
people
having
to
pull
together.
You
know
a
bit
of
this
tool
and
that
tool
and
the
third
tool-
and
no
this
doesn't
work
against.
You
know,
pie
pie
and
this
this
only
works
on
jars.
But
not
not
you
know
it's
just
any
any
guidance
or
any
helpful
scoping
there.
I,
I
think,
would
be
a
contribution
to
the
community
yeah.
B
Yeah
I
I've
attended
quite
a
few
supply
chain
integrity
group
meetings.
It
seems
to
be
more
of
a
framework
tool
agnostic
so
and
coming
up
with
recommendations
for
the
supply
chain
and
how
to
secure
it
and
and
and
addressing
it
that
way,
the
tools
that
they
do
have
that
they
are
creating
are
usually
automations
to
validate
that
things
are
actually
being
accomplished.
B
D
I'm
just
you
know,
the
assumption
is
that
I
have
anything
specific,
I'm
looking
for
right
aside
from
just
verifying
with
the
community
that
this
is
something
that
they
think
makes
sense
for
them.
I
was
coming
to
these
calls
for
a
while,
and
then
I
dropped
off
due
to
time,
but
if
s-bomb
everywhere
is
going
to
land
here,
then
I
will
be
here
all
the
time.
D
D
Yeah,
I
mean,
I
guess
if
it
fits
anywhere,
that
it
would
probably
be
there
or
you
know.
Spdx
has
been
doing
a
great
deal
of
work
on
this.
I'm
you
know
just
in
general,
as
palms,
that's
kind
of
their
bread
and
butter
what
they
do,
but
it
is
a
different
group.
It's
not
openness
as
a
south,
so
I
don't
know
I
I
know
obviously
there's
going
to
be
collaboration
there,
which
is
part
of
why
we
have
the
fabulous
kate
stewart
here,
but
I
I
really
don't
have
any
other
recommendations.
D
I
just
want
to
make
sure
it
does
make
sense
and,
as
brian
said,
the
option
is
on
the
table
to
drop
this
completely
if
it
doesn't
make
sense
to
fit
anywhere
within
open
ssf.
If
no
one
has
these
cycles
to
pick
it
up,
that's
great.
I
personally
think
it
would
be
a
shame
to
drop
that,
in
which
case
someone
else
should
pick
up
the
ball,
perhaps
in
another
linux
foundation,
sub
foundation
or
or
what.
But
I'm
pretty
keen
on
this
being
done.
D
C
F
You
know
again,
I
I
and
I
didn't
come
here
specifically
to
make
the
proposal
for
the
creation
of
the
sick,
yet
I
I
kind
of
wanted
the
tack
to
bless
the
approach
of
using
sigs
to
carry
forward
the
work
of
the
mobilization
plan.
First,
although,
as
noted
some
other
groups
have
started
to
me,
if
there
are
people
willing
to
to
take
that
ball
forward
here,
I
I
want
to
encourage
them
and
and
will
support
them
in
any
way,
but
you're
it
does
take
somebody
you
know
saying
this
is
important
enough.
F
We've
got
to
move
forward.
There
is
a
slack
channel
that
we
created
for
each
of
the
different
streams
as
we
were
developing
the
plan
and
then
kind
of
as
a
follow-up.
That's
been
quiet
for
a
couple
of
weeks
specific
to
this
one
called
the
the
stream
dash
nine
dash
s
bomb
dash
everywhere
channel,
which
has
64
people
in
it
assuming
tac.
The
attack
was
good
with
the
overall
proposal
using
sigs.
I
was
going
to
go
to
each
of
those
slag
channels
and
say
all
right.
F
I
I,
the
next
step
here
is
to
take
these
informal
activities.
We've
been
doing
here
in
the
slack
channel
and
formalize
them
as
sigs
of
different
working
groups,
and
we
suggest,
starting
you
know
s
mom
everywhere
here
at
security
tools
and
seeing
if
it's
a
good
fit.
I
I'm
hearing
uncertainty
about
whether
security
tools
is
the
right
fit
by
folks.
C
C
C
C
F
I
mean
using
this
this
meeting
to
move
move
the
ball
forward,
make
some
sense,
but
I
also
think
having
a
small
team
able
to
to
work
on
the
document
work
on
these
interop
issues
and
come
up
with
concrete
kind
of
next
steps
for
investment
to
move
the
tooling
forward.
I
think
that's
kind
of
important
and-
and
I
think
that
that
sig
should
have
some
named
participants
so
that
they
can
vote
on
on
how
to
move
forward.
G
C
That's
that's
the
trick
with
the
sing
say
guessing
we
have
too
many
afternoons.
That's
the
challenge.
Right
is
how
do
we
and
brian
you
might
have
ideas
on
this
and
kate
you
might
as
well,
but
let's,
let's
find
a
way
to
make
sure
the
sig
is
people
doing
work
and
not
a
thousand
people
who
think
it's
neat
to
put
their
name
on
esmo.
F
Well,
let's
also
use
this
as
an
opportunity
to
bring
in
some
folks
who
aren't
otherwise
very
committed
across
a
very
wide
range
of
other
open
ssf
activities
or
others
too.
I
mean
I
know,
josh
you're
active
in
a
lot
of
things.
Kate,
obviously
has
a
very
full
full
load
as
well.
Let's
I
mean,
if
there's
others
here
on
this
call,
who
aren't
as
active
in
other
parts
of
open
ssf,
who
are
looking
for
an
opportunity
to
really
get
roll
up
their
sleeves
and
have
a
huge
impact.
F
G
Let's
just
reach
out:
okay,
okay,
basically
putting
a
great
big
twitter
storm
out.
There
will
basically
bring
people
in
from
the
whole
to
watch
as
opposed
to
do
that's
what
I'm
afraid
of
okay.
I've
been
in
this
area
in
the
s
palm
space.
I've
been
seeing
a
lot
of
that,
and
so,
let's
find
the
people
who
are
willing
to
volunteer
to
put
some
time
in
on
helping
to
draft
this
stuff
and
see
if
we
can
get
it
moving
forward.
G
This
time,
I'm
willing
to
say
I
told
I'll,
there's
some
things
I
can
do
quickly
and
I'll
try
to
help
out
there
and
then
trevor
has
already
volunteered
and
he
seems
to
be
trying
to
work
on
doing
something.
So
maybe
we
might
get
some
of
the
use
cases
that
we
asked
for
from
the
dc
meeting,
starting
to
get
documented
in
use
cases
as
part
of
the
sig
as
well.
That
was
one
of
the
here.
G
C
G
F
I
do
suggest
either
joshua
kate.
The
next
step
is
on
that
slack
channel.
Just
let
people
know
things
are
starting
to
converge
here
and
you're
looking
for
people
to
step
up
to
put
an
hour
a
week
or
more
into
into
the
sig
going
forward.
A
lot
of
those
64
people
are
likewise
over
committed
interested
parties.
Let's
find
the
the
other
five
for
10
on
that
who
could
also
step
up
to
be
named
parts
of
the
sig.
I
E
C
I
C
I've
been
part
of
lots
of
groups
that
have
tried
to
do
this
in
the
past,
and
and
it's
always
a
struggle
to
put
kind
of
put
on
health,
wanted
and
then
connect
people
who
are
looking
to
help
for
a
variety
of
reasons.
I
I
feel
like
the
answer
to
this
is
someone
just
needs
to
do
it
and
if,
if
you
know
people
willing
to,
I
guess,
seek
out
projects
looking
for
help
and
then
connect
them
to
people
willing
to
help.
C
That
would
be
very
valuable.
I
think-
and
I
mean
I
think
this
is
just
kind
of
one
of
those
topics
where,
like
the
open
ssf
doesn't
have
magic,
it
just
needs
people
to
do
it
and
and
like
I'm,
I'm.
I
would
be
totally
supportive
of
this.
If
someone's
willing
to
put
together
a
list
which
is
probably
become.
I
G
So
there's
lists
of
tools
for
both
cyclone
and
spdx
that
work
with
the
formats
for
s-bombs,
including
oss,
review
toolkit.
Of
course.
The
challenge
right
now
is:
how
do
we
start
storing
them
up
in
a
way?
That's
explorable,
and
this
is
something
that
so
the
question
I
guess
is
the
scope
of
tools
for
one
thing
and
then
how
much
do
we
want
to
pull
off
the
others
and
actually
come
up
with
some
sort
of
landscape?
C
G
You
know
like
there's
a
crying
need
for
it.
Everyone
wants
it,
no
one's
sort
of
agreeing
on
how
to
actually
form
it,
and
you
know
we've
been
talking
about
it
in
the
outreach
team
on
spdx,
for
instance,
and
trying
to
you
know
catch
that,
but
you
know:
do
we
have
a
taxonomy
we're
all
comfortable
with
for
classifying
these
things
under
so,
like
you
know,
tools
have
different
purposes
right
and
generate
different
outputs.
D
D
I
think
it's
it's
fairly
academic
and
dense
and
not
over
user
friendly
as
a
document,
but
it
is
dense
and
full
of
information,
and
it's
something
that
I
was
going
to
recommend
that
we
in
spx
outreach
kind
of
use
within
the
landscape
project
and
the
the
need
for
this
tool
is
why
I
have
enlisted
help
within
wipro
on
that
landscape
project.
We
need
this
list
and
spx
landscape
is
already
making
a
start
on
that.
So
it'd
be
nice
to
maybe
leverage
that
in
there
I'll
defer
to
y'all
house.
E
E
G
Also,
security
tool,
which
is
which
is
you
know,
I
think,
to
daniel's
point,
and
so
the
question
is:
what
classifications
of
tools
do
we
want
to
be?
You
know,
tools
are
used
for
purposes
at
the
end
of
the
day.
What
purposes
are
we
encompassing
in
this
type
of
text?
I
mean
that's,
why
I
was
wondering
if
I'm
extending
some
of
the
landscape
work.
That's
out,
there
might
suffice.
G
Like
we've
got
the
you
know
the
ntia
tooling
for
s-bonds,
but
there's
other
tooling,
like
you
know
what
tools
should
be
used
for
fuzzing.
What
tooling
should
be
used
for?
You
know,
validation.
You
know
how
about
requirements
tracking
is
that
things
that
we
might
want
to
be
looking
at
for,
like
you
know,
the
whole
threat
modeling
and
things
like
that
and
tracking
in
that
section.
So
I
guess
it's
a
question
of
maybe
daniel.
I
I
can
bring
the
yeah
sure
I
can
create
an
initial
version
of
the
of
the
list.
Indeed,
for
example,
we
are
contributing
to
not
only
some
generators
like
also
oss
toolkit,
but
we
are
also
contributing
to
radon.
We
contribute
to
docker
related
security
tools
as
well,
since
I
have
this
people
use
usually
coming
to
me
asking
where
I
can
contribute
to,
because
I
want
to
have
experience.
I
want
to
have
some
exposure
to
the
free
software
community
and
it's
a
lot
of
energy.
I
I
want
to
address
yeah
exactly
yeah,
especially
from
students
very
capable
students,
not
only
from
companies
that
want
to
participate,
so
I
think
I
I
don't
want
to
to
to
this
opportunity
of
contributors,
so
I
I
will
come
up
with
a
a
an
initial
list
with
a
categorization.
We
can
review
this
next
time.
H
So
I
just
wanted
to
make
a
quick
comment.
I
think
there
are
other
communities
that
have
already
started
on
on
landscapes.
My
concern
is:
if
we
do
this
on
our
own,
we
could
end
up
isolating
s-bombs,
which
is
what
we've
had
as
a
problem
with
security
and
and
just
development
and
stuff.
So
cncf
has
done
some
work
on
landscapes.
I
think
digital
ai
has
done
some
stuff
on
landscapes.
Could
we
just
not
pull
them
in
and
say
please,
let's
work
together
to
integrate
s-bombs
into
all
these
various
other
pipelines.
G
G
H
I'm
very
interested
in
that
I'm
just
run
into
this
issue
all
the
time
right
and,
and
so
let's
not
let's
not
create
another
island
of
of
you
know
our
own
taxonomy
or
things
like
that.
So
yeah,
any
you
know
if
we've
got
connections
with
some
of
these
other
groups,
let's
pull
them
in.
You
know
we're
all
working
towards
the
same
goal
here.
I
think
that
would
be
great
thanks.
So.
G
The
cncf
guys
basically
helped
the
spx
community
set
up
the
framework
for
the
landscape.
So
it's
sort
of
a
metaphor
and
I'd
say
the
one
we're
doing
on
spdics
is
not
necessarily
the
n1
for
you,
but
if
we
can
basically
take
that
and
sort
of
evolve
it,
maybe
we
can
make
these
communities
feed
into
a
master
landscape.
First.
C
And
your
comment
amuses
me
because
this
group
has
probably
had
no
less
than
10
discussions
about
creating
a
landscape
list
and
every
time
it's
been
a
hand,
slap
of
no
they're
already
there
don't
do
this,
but
absolutely
yeah
yeah
yeah
we'll
find
now
now
we
could
create
a
list
of
the
lists
right,
that's
like
as
much
as
you
can
get.
I
think,
cool
all
right.
Let
me
I've
lost
the
agenda
again
critique.
Are
you
happy
with
how
these
conversations
kind
of
melded,
together
or
yeah.
E
No,
I
I
think
the
truth
is
that
right.
Many
of
my
questions
were
answered
previous
to
your
coming
to
my
agenda
items,
so
I'm
happy
to
volunteer
and
and
and
help
with
with
on
the
s1
side
of
things,
but
I
understand
that
the
scope
is
too
long
and
that's
obviously
the
the
you
know
the
bigger
picture,
yeah
yeah.
C
Totally
so
I
before
we
leave
and-
and
I
need
to,
I
need
to
fix
a
meeting,
invite
it's
supposed
to
end
at
5-0,
but
before
we
go,
is
someone
willing
to
take
ownership
of
just
kind
of
starting
to
collate
some
of
this
data
in
a
place?
That's
trackable
and
discoverable,
like
vicky,
just
put
a
couple
of
links
in
the
chat.
C
I
I
D
D
It
doesn't
list
specific
tools,
but
it
does
list
types
of
tools
and
I
think
it's
a
good
place
to
start
to
under
each
type
of
tool.
Perhaps
we
can
link
out
to
documents
listing
the
tools
or
whatever,
but
we've
got
something
already
that
we
can
start
to
work
with
and
iterate
on.
So
perhaps
for
the
next
call.
We
can
start
to
kind
of
flesh
this
out
a
bit.