From YouTube: Security Tooling Working Group (July 19, 2022)

A: Excuse me, I was washing my windows early this morning. I live in a condo, and about once a year I try to wash the windows, so I don't do a very good job of it, but I got the ladder and the hose and my cleaner, and early this morning I went out and sprayed the windows and used the hose and looked at my job, and yeah.

C: All right, it's five after. I'm waiting for Kate Stewart and Brian Behlendorf to show up, but we can probably get moving with the first agenda item. I don't know who added this one; there's no name on it. I assume it's one of the Red Hat folks.

B: Yes, that's us, yeah. So Matt is going to talk about our component registry going open source.

A: Hi there, I'm Matt Miller, and I just wanted to let you know I manage the component registry effort within product security within Red Hat, and I work with Kathy. I know Kathy is your rep here on the working group. We just wanted to let you all know that the component registry is now open sourced.

A: So what that means is, you know, we've initially made it available for, you know, the community to look at, with a couple of caveats.

A: We kicked off the component registry project within Red Hat, and although we had been doing manifesting of our products and services up until that point, we realized that we needed a better solution for our manifesting, given the U.S. executive order on cybersecurity requirements and all the other things that have been going on with regard to SBOMs and that kind of thing. So we've been working on our component registry effort as a better way to do manifesting.

A: We just open sourced this project a couple of days ago, so you'll see here in the meeting notes the link to GitHub for our project. A couple of caveats, which I wrote here in the agenda: we still need to do quite a bit of work for this project.

A: We are testing right now some of our manifest data to see how it will look under the component registry compared to our manifesting up until this point. And the other thing is what we've noticed with different companies, organizations that have come out with, you know, their manifesting solutions to try to generate SBOMs: there's really no magical SBOM generator. For example, for us, it's still an internally focused application for a manifest.

A: I think at this point it can be used as a recipe for how you want to potentially build your own registry or your own manifesting solution at your own company, but really it's fundamentally a shell, such that you have to really put in your own data, your manifest data from your own products and services, to make it work and generate the SBOM. We've noticed that with other companies; like, I think, Microsoft came out with an SBOM tool not too long ago and made that open source.
E: Sorry, this is Pratik Mishra. Sorry, I didn't mean to interrupt you, but just so I sort of understand the logical flow. So there's sort of a process of extracting SBOMs, right, from repositories or artifacts or whatever. So that's one piece of it, right, and then this sounds like a second piece, kind of a place where they can be published and managed. Am I on the right track, or so this...

A: Would be both, yeah. So what we have here is a method by which manifests can be extracted, right, and for Red Hat it's a rather complicated endeavor, given the number of products and services that we have, and we use collectors to grab that data. So that's the first thing that would come under this component registry project.

A: The second thing would be the component, and it's not in there yet, and that's the work that still needs to be done: our component registry will be used to generate SBOMs, and it will become our default manifesting tool for Red Hat across the whole company once we are farther along and we know that we've tested it, we know it works, and that it can be used to replace our existing way of manifesting. Does that answer your question?

A: So, you know, I guess the last thing I would say is, you know, we will let you know as we are further along with development. I'll either come on this call, or I'll give Kathy some updates and she'll come on and, you know, tell you all what's new.

A: This is going to be a long-term endeavor for Red Hat, and so even when we think we're going to be able to GA our component registry internally, we're still going to be, obviously, testing the quality of the manifesting, and at some point we will make more of the component registry available for the community.

A: Given the interest in this, so again, I just want to emphasize we're pretty much at the early stages, but you can go in. You can take a look; if you have any relevant inputs, you know, feel free to give us some inputs, but that's really kind of where we are with the component registry. So I don't know if folks have any other questions, or I see a hand up, I guess, perhaps.

D: Well, hi Matthew, so will we be able to get a demo of this once you feel it's ready to do that? It sounds like it's still very, very much in the early stages, and so that's question one, and you can roll an answer to that.

D: Is this related to all of the SBOM SPDX work that Jilayne and Fontana have been doing? There's been a few discussions around it in the SPDX legal list lately, and so I was just wondering whether I can tie those together in my mind in some way, but mostly.

A: Yeah, so point noted on the demo. To be realistic, we're probably not gonna be ready for a demo to give you all until sometime in the fall-ish time frame, or, you know, depending upon how things go, it could be even sort of like the winter time frame, but we can come back and certainly do that. It may be also, too, that we can perhaps earlier record a demo, because we've started experimenting with that.

A: So initially our plans are that we are looking at the SPDX format as well as the CycloneDX format, both for manifesting. In fact, with our legacy tool that we use now, which is called Deptopia, which is our interim solution that we cooked up last year as a volunteer effort before we started the component registry project officially in January, we can generate now SPDX formats for manifesting, but I caveat that by saying the manifesting that we can generate now does not include license information.

A: It does not include various layer and product relationships and things that we have at Red Hat, like, you know, how sort of our, you know, the relationships between, you know, sort of like components that are used by, let's say, Enterprise Linux as well as, let's say, OpenShift or something, and right now it's a very manual process to tie security vulnerabilities to these components.

A: So, you know, we are working on improving our manifesting based on what we were able to do in the interim. But yes, to answer your question in a long-winded way: we are looking at the legal side of things, SPDX format, CycloneDX; we'll probably try to produce both initially.

A: Our legal team is also very involved at Red Hat with what we're producing, because we want to make these manifest reports available to customers, and we have, based upon our legacy tooling, a couple of customers that have already asked for some preliminary reports. So, you know, it's a work in progress, but yes, we are trying to tie in what the community is doing in terms of the different formats, and basically what we're doing now is...

A: Sure, so what we're doing now is really just testing the manifesting for our top products, so RHEL and a few others, to see how the manifesting looks right now in the component registry; we're testing the data. So that's where we are, that's it. If there are any other questions, happy to answer them, or just, you know, chat more offline with folks.

C: Good. Next topic is work streams affecting this group. I asked Brian to come here to tell us all about that, so Brian, take it away.
F: Hi, sorry Josh, I was expecting a little bit more context, but happy to talk about kind of just what we talked about the other day. So, as you all know, we've got this mobilization plan. It called for SBOMs Everywhere as stream number nine, and we are very eager to see that work progress.

F: I think it was that a subset of the folks in this room and a few others worked on that plan and turned that into a series of fundable work, right, and so I've got a proposal in front of the TAC that I'm still waiting for their kind of thumbs up on, and then something to set up with the governing board as a consequence of that, which basically calls for the creation of a SIG under different working groups, one per stream. So setting up a SIG for the SBOM Everywhere effort under this working group would be the logical and kind of next step to continue that forward. The point of that SIG would be to steward that plan forward, you know, to update it, to basically take ownership of it and set new targets if new targets make sense, but also to do the groundwork of figuring out...

F: We know that there's lots of people releasing SBOM generation tools and the like, so the plan should build on top of all that and figure out how to move the ball forward on the goals, specifically in that overall plan. The idea is those proposals would be submitted to actually one of two different places. The first would be, you know, we've got a bunch of pledges from companies against the plan.

F: We haven't yet figured out the pipeline of turning that money into work, but the idea is that proposals would go in front of the organizations that made those pledges, and then hopefully we'd raise funds from them. You know, 100k from here, 100k from there, pretty soon would add up to a 300k kind of chunk of work. So this SIG that would be under a work group like Security Tools, which I think makes sense to house the SBOM Everywhere SIG: we create these proposals, put them in front of those folks. We as staff would help facilitate that, but this is not Brian as a domain expert or any of the other OpenSSF staff kind of, you know, projecting a certain view of how things should work, other than to say the collective intelligence pulled together under the SIG in this working group should really shepherd that forward. The other place it could go would be in front of the TAC.

F: I'm working with the TAC now to get some of the budget that the TAC has available to it to spend on technical work, which isn't a huge amount of money compared to what I think is needed to move the SBOM Everywhere project forward, but is enough to get started on some things, setting up the processes for them to be able to evaluate these proposals as well.

F: So that's kind of the update on why, you know, there hasn't yet been any funding from OpenSSF for SBOM-related work. We'd like to get started on that, though, and so I'm not here to make a formal proposal for the SIG, but instead looking for folks in this working group who feel this is a good idea and may want to volunteer to step up to create that SIG under this working group and get started on that work.

F: Josh, is that what you were looking for?

C: Yes. Before I go to Kathy, she has a question. I apologize, Kathy; it's one of the benefits of being in charge. So Brian, you said about creating a SIG in this group, but we can't technically do that until the TAC approves your plan, right, or am I mistaken in that?

F: Well, there have been a couple of things informally that have begun focusing on this. So CRob, for example, has been hosting calls, including one this morning, for the emergency response team component; the working group, I forget the working group that created it, but there's the Vulnerability Disclosures working group. Let's move forward on that; there's been another one.

F: That's been meeting on moving stream one, the education stuff, forward a bit. So I think whether we create that funding structure under the governing board as anticipated or not, it's, you know, working groups are free to create special interest groups underneath them and move forward with that, and if we find we have to go look for funding other places, we can.

F: We can do that, but my proposal to the TAC was just to try to, like, systematize this and get their kind of consent with that idea, not to create a roadblock.
B: No, in this subset, in this tooling working group, right, so secure tooling, there's a lot of different tools. There's SAST, SCA, you know, SBOM tools. So this proposal is just for creating just the one group, or?

F: If the working group chose to create a SIG that, as I described here, would be focused on the stream in the mobilization plan, stream nine, SBOM Everywhere, as currently framed, although it would own evolving that frame as new software emerges, as discussions about interoperability emerge, you know, the kind of work that it proposes.

F: Even the targets and time frames and the like might adjust, and it's really up to the SIG to own that overarching picture, but then also figure out: what are the next concrete steps to take to get funded? But yes, it would be specific to SBOMs rather than other types of tooling. I think that was yours.

D: Yeah, a big member of the Kate Stewart fan club, yeah, card carrying. I was wondering whether the placement of this SIG underneath the tooling working group implies that the SIG is primarily around tooling, right, which I don't...

D: I am not necessarily questioning whether that is the case, but I'm wondering: is that the case, or does this make more sense under, for instance, the Supply Chain Integrity working group? I just want to make sure that the SIG and the SBOM Everywhere initiative end up in the right place, where the most people who are most interested in it will see it, and there's no saying that, obviously, there's not going to be, there's going to be tooling involved, right.

F: I'll take a stab, although I do want to note I'm your humble mod facilitator. It's really up to the community, and where the folks who want to do the hard work want to live within, to make that call.

F: My suggestion is that it's here; that was part of my initial proposal to the TAC, where I kind of sprinkled these SIGs across the different working groups, probably because the goal for SBOM Everywhere is to get SBOM generation and consumption to be built into the tooling of modern development infrastructure.

F: So much that it was easy to ask open source projects to start to do that, to start to check the SBOMs of upstream components, to whatever degree that makes sense, and that it was built into the tools so that the lift was very minor. And so we got SBOMs up as far upstream in the supply chain as we could, rather than SBOM generation being something left to the last mile, where, if it happens, it'll be proprietarized or be seen as a competitive differentiation.

F: That kind of thing, so that was kind of the goal of the stream, which is what led me to think, and that was kind of an arbitrary decision on my part, to suggest it here. I'd kind of leave it all up to you as the Security Tools working group to decide.

F: If it was the right home, you could decide to take it on or not, but my hope is that there is a home in OpenSSF somewhere for it. If not, then we'll probably remove it from the plan, you know, on the basis of, I guess, SBOM tooling doesn't have a home at OpenSSF.

E: Yeah, hi Brian, yeah, quick question in terms of scope, right. So one of the challenges is sort of adequacy of SBOM generation, right; there's so many artifacts, there's repositories, there's images, there are libraries, right. So would some guidance... I'm not saying, right, that we magically sort of imagine this tool that, quote, does it all, but would it be in scope to provide some guidance on how to go about doing this, and perhaps even push some requirements to the different communities, Python, Java?

G: One of the things that Josh and I were chatting about the other day was on-ramps, and making it clear and how to make it easy for people to put this into their tooling. I think that is in scope, that we can, you know, say: you're gonna start generating, a minimum, this is what it needs to have, yeah, and how do you...

G: You know, we don't have a green field; there's a lot of messiness out there and a lot of, you know, evolution we're going to have to pick up, and so sort of saying here's how to get started, then here's how to continue to refine and enrich.

G: It seems like a reasonable approach to me anyhow, but feel free to contradict me, but yeah. The challenge is getting it into the tooling and making it easy for the tools to do it, so it's behind the scenes. It's not front and center; it's not an extra huge lift for the developers in any way, shape or form.

E: Right, right, not to rattle too much on this, right, but having people having to pull together, you know, a bit of this tool and that tool and the third tool, and no, this doesn't work against, you know, PyPI, and this only works on JARs, but not... you know, it's just any guidance or any helpful scoping there, I think, would be a contribution to the community, yeah.
B: Yeah, I've attended quite a few Supply Chain Integrity group meetings. It seems to be more of a framework, tool agnostic, and coming up with recommendations for the supply chain and how to secure it and addressing it that way. The tools that they do have, that they are creating, are usually automations to validate that things are actually being accomplished.

D: I'm just, you know, the assumption is that I have anything specific I'm looking for, right, aside from just verifying with the community that this is something that they think makes sense for them. I was coming to these calls for a while, and then I dropped off due to time, but if SBOM Everywhere is going to land here, then I will be here all the time.

D: I just want to make sure that, since I did drop off, I know that Josh and the others have been working on other things in the meantime, and I want to see, is it for tooling, or would it make better sense to go elsewhere, right? So I'm looking for someone else to make a decision on; just being the gadfly. Sorry.

D: Yeah, I mean, I guess if it fits anywhere, it would probably be there, or, you know, SPDX has been doing a great deal of work on this. I'm, you know, just in general, SBOMs, that's kind of their bread and butter, what they do, but it is a different group. It's not OpenSSF, so I don't know. I know obviously there's going to be collaboration there, which is part of why we have the fabulous Kate Stewart here, but I really don't have any other recommendations.

D: I just want to make sure it does make sense, and, as Brian said, the option is on the table to drop this completely if it doesn't make sense to fit anywhere within OpenSSF. If no one has the cycles to pick it up, that's great. I personally think it would be a shame to drop that, in which case someone else should pick up the ball, perhaps in another Linux Foundation sub-foundation or what. But I'm pretty keen on this being done.

F: You know, again, I didn't come here specifically to make the proposal for the creation of the SIG yet. I kind of wanted the TAC to bless the approach of using SIGs to carry forward the work of the mobilization plan first, although, as noted, some other groups have started. To me, if there are people willing to take that ball forward here, I want to encourage them and will support them in any way, but it does take somebody, you know, saying this is important enough.

F: We've got to move forward. There is a Slack channel that we created for each of the different streams as we were developing the plan, and then kind of as a follow-up. That's been quiet for a couple of weeks, specific to this one, called the stream-nine-sbom-everywhere channel, which has 64 people in it. Assuming the TAC was good with the overall proposal using SIGs, I was going to go to each of those Slack channels and say, all right.

F: The next step here is to take these informal activities we've been doing here in the Slack channel and formalize them as SIGs of different working groups, and we suggest starting, you know, SBOM Everywhere here at Security Tools and seeing if it's a good fit. I'm hearing uncertainty about whether Security Tools is the right fit by folks.

F: Here, I'm not ready to call a vote or anything like that, because again I'm not making a formal proposal, but if there's a general sense that this is something that fits within the mission of the Security Tools working group, then that helps me, because then it's easier for me to suggest this as a starting point to that group of 60 or 64 people.

D: I like the idea of having every other week in this time slot.

F: And we know this is one of the streams that has a lot of hard work to do early on, because of the very divergent opinions out there about the right technical platforms, the right places to invest in tooling and the like, and Kate...

F: You did an admirable job, you and Gary and others, at this small group conversation we had in Austin; Josh was there as well, with some of the folks from the CycloneDX side of the house as well, talking about ways that we could move forward further on interop and that sort of thing, and I think I'd love to see this SIG that's created.

F: I mean, using this meeting to move the ball forward makes some sense, but I also think having a small team able to work on the document, work on these interop issues, and come up with concrete kind of next steps for investment to move the tooling forward, I think that's kind of important, and I think that SIG should have some named participants so that they can vote on how to move forward.

F: And I think the loose way to get started with this is to suggest that Kate and Josh work on kind of recruiting for that SIG.

F: Maybe some of the folks who are in other places in the SBOM community, including in that Slack channel and others, and come up with a set of individuals who are kind of named by this working group as that SIG, so that they can then not only draft proposals but understand when they have consensus to advance that proposal off to potential funding sources.

C: That's the trick with the SIG, I'm guessing: we have too many afternoons. That's the challenge, right, is how do we... and Brian, you might have ideas on this, and Kate, you might as well, but let's find a way to make sure the SIG is people doing work and not a thousand people who think it's neat to put their name on SBOM.

F: Well, let's also use this as an opportunity to bring in some folks who aren't otherwise very committed across a very wide range of other OpenSSF activities or others too. I mean, I know, Josh, you're active in a lot of things. Kate obviously has a very full load as well. I mean, if there's others here on this call who aren't as active in other parts of OpenSSF, who are looking for an opportunity to really roll up their sleeves and have a huge impact...

F: I mean, I think this SIG could really benefit from your time and focus. I'm hesitant to go back to the same folks who are volunteering on 20 different things in parallel to move this forward, myself included, right.

G: Let's just reach out, okay. Basically putting a great big Twitter storm out there will basically bring people in from the whole to watch as opposed to do; that's what I'm afraid of, okay. I've been in this area, in the SBOM space, I've been seeing a lot of that, and so let's find the people who are willing to volunteer to put some time in on helping to draft this stuff and see if we can get it moving forward.

G: This time, I'm willing to say, there's some things I can do quickly and I'll try to help out there, and then Trevor has already volunteered and he seems to be trying to work on doing something. So maybe we might get some of the use cases that we asked for from the DC meeting starting to get documented in use cases as part of the SIG as well. That was one of the... here.

F: I do suggest, either Josh or Kate, the next step is on that Slack channel. Just let people know things are starting to converge here and you're looking for people to step up to put an hour a week or more into the SIG going forward. A lot of those 64 people are likewise over-committed interested parties. Let's find the other five or 10 on that who could also step up to be named parts of the SIG.

C: I have too many tabs open. I found it, all right, so I'll fill the next steps in the notes, but next is prioritization of contributions from Daniel, with Daniel here.
I: Hi everyone. In the light of all this discussion, I'm not sure about this question. Actually, we are contributing to a number of tools, for example the OSS Review Toolkit, the Scorecard and other code, and regularly I have students or other volunteers to contribute to security-related tools, linters, SBOM generators. So I wanted to ask maybe if it is within the scope of this group to have a prioritization of projects, and eventually some issues in these projects, so we can invite people to contribute to.

I: In order to support the goal of this group, I usually bring up these sorts of tools, for example the OSS Review Toolkit or the Scorecard, but I wanted to ask if having a list of suggested tools would be something that this group could recommend in a web page somewhere, or maybe this is completely tools-agnostic.

I: So that's a question, because I regularly have people volunteering to contribute to free software projects.

C: I've been part of lots of groups that have tried to do this in the past, and it's always a struggle to put kind of a "help wanted" on and then connect people who are looking to help, for a variety of reasons. I feel like the answer to this is someone just needs to do it, and if, you know, people are willing to, I guess, seek out projects looking for help and then connect them to people willing to help.

C: That would be very valuable, I think, and I mean, I think this is just kind of one of those topics where, like, the OpenSSF doesn't have magic; it just needs people to do it, and I would be totally supportive of this. If someone's willing to put together a list, which is probably become...

I: I can bring a list, maybe in the next meeting we can discuss, or offline, the list, but I was looking for tools that are highly aligned with this group, with this mission.

G: So there's lists of tools for both CycloneDX and SPDX that work with the formats for SBOMs, including OSS Review Toolkit, of course. The challenge right now is: how do we start storing them up in a way that's explorable? And this is something that... so the question, I guess, is the scope of tools, for one thing, and then how much do we want to pull off the others and actually come up with some sort of landscape?

G: We sort of have started a landscape, but we're lacking people to help fill it in on the SPDX side, for instance, to Josh's point, but I'm just trying to figure out...

G: You know, like there's a crying need for it. Everyone wants it; no one's sort of agreeing on how to actually form it, and, you know, we've been talking about it in the outreach team on SPDX, for instance, and trying to, you know, catch that, but, you know: do we have a taxonomy we're all comfortable with for classifying these things under? So, like, you know, tools have different purposes, right, and generate different outputs.

D: Didn't Aeva do a lot of work on taxonomy, and they have some documents? It's, yeah, it's under the GitBOM project. They have a document somewhere; I believe it's since moved into the GitBOM repository.

D: I think it's fairly academic and dense and not overly user friendly as a document, but it is dense and full of information, and it's something that I was going to recommend that we in SPDX outreach kind of use within the landscape project, and the need for this tool is why I have enlisted help within Wipro on that landscape project. We need this list, and the SPDX landscape is already making a start on that. So it'd be nice to maybe leverage that in there; I'll defer to y'all, though.

G: Also, security tool, which is, you know, I think, to Daniel's point, and so the question is: what classifications of tools do we want to be? You know, tools are used for purposes at the end of the day. What purposes are we encompassing in this type of text? I mean, that's why I was wondering if extending some of the landscape work that's out there might suffice.

G: Like we've got the, you know, the NTIA tooling for SBOMs, but there's other tooling, like, you know, what tools should be used for fuzzing. What tooling should be used for, you know, validation. You know, how about requirements tracking; is that something that we might want to be looking at, for, like, you know, the whole threat modeling and things like that, and tracking in that section? So I guess it's a question of, maybe, Daniel...

I: Yeah, sure, I can create an initial version of the list. Indeed, for example, we are contributing to not only some generators, like also OSS toolkit, but we are also contributing to Radon. We contribute to Docker-related security tools as well, since I have these people usually coming to me asking where I can contribute to, because I want to have experience, I want to have some exposure to the free software community, and it's a lot of energy I want to address, yeah, exactly, yeah, especially from students, very capable students, not only from companies that want to participate. So I think I don't want to miss this opportunity of contributors, so I will come up with an initial list with a categorization. We can review this next time.

C: Okay, all right, Altezz.

H: So I just wanted to make a quick comment. I think there are other communities that have already started on landscapes. My concern is: if we do this on our own, we could end up isolating SBOMs, which is what we've had as a problem with security and just development and stuff. So CNCF has done some work on landscapes. I think Digital.ai has done some stuff on landscapes. Could we just not pull them in and say, please, let's work together to integrate SBOMs into all these various other pipelines?

H: I'm very interested in that; I just run into this issue all the time, right, and so let's not create another island of, you know, our own taxonomy or things like that. So yeah, if we've got connections with some of these other groups, let's pull them in. You know, we're all working towards the same goal here. I think that would be great, thanks.

G: The CNCF guys basically helped the SPDX community set up the framework for the landscape. So it's sort of a metaphor, and I'd say the one we're doing on SPDX is not necessarily the one for you, but if we can basically take that and sort of evolve it, maybe we can make these communities feed into a master landscape first.

C: And your comment amuses me, because this group has probably had no less than 10 discussions about creating a landscape list, and every time it's been a hand slap of "no, they're already there, don't do this," but absolutely, yeah, we'll find... now we could create a list of the lists, right; that's like as much as you can get, I think. Cool, all right. Let me... I've lost the agenda again. Pratik, are you happy with how these conversations kind of melded together, or, yeah?

E: No, I think the truth is that, right, many of my questions were answered previous to your coming to my agenda items, so I'm happy to volunteer and help on the SBOM side of things, but I understand that the scope is too long, and that's obviously the, you know, the bigger picture, yeah, yeah.

C: Totally. So before we leave, and I need to fix a meeting invite; it's supposed to end at :50, but before we go, is someone willing to take ownership of just kind of starting to collate some of this data in a place that's trackable and discoverable? Like Vicky just put a couple of links in the chat.

I: And the list of tools grouped by category, a list of groups, sorry, a list of tools where we could propose people to contribute to.

I: Okay, thank you. So this would be, like, I wouldn't say blessed, but proposes a list of tools, so people can decide where they can contribute to; it's not only for users but for contributors. Okay, okay.

D: So I was looking for a place to put this sort of thing, and naturally the tooling working group repository was the first place I looked, and would you just look at this link right here? We have a start to some sort of document.

D: It doesn't list specific tools, but it does list types of tools, and I think it's a good place to start. Under each type of tool, perhaps we can link out to documents listing the tools or whatever, but we've got something already that we can start to work with and iterate on. So perhaps for the next call we can start to kind of flesh this out a bit.

C: Also says a comment: action item: can we get someone from the CNCF tooling landscape to share thoughts on this? We will... does anyone know anyone on that group?

F: A lot of folks in the cloud native community are active in this stuff; I'd say probably more like the folks at Chainguard or something, maybe Kim or Dan Lorenc or something, okay.