From YouTube: Security Tooling Working Group (December 20, 2022)

B: I'll admit that sometimes I will tentatively accept a meeting invite just so it stays on my calendar, and maybe to discourage anybody out there. Yeah, that's right. It's so filled up that you hardly get any of the stuff done that you actually need to get done, because you're in meetings all the time.

C: The group was working on... I gotta find the document now, the SBOM Everywhere goals and purpose, which is lost in my tabs.

C: Here we are. I've got kind of two agenda items, but this is the big one. So I want to turn this into a working session, and we actually have a really good group of people for this, which makes me happy. But this document is what we're trying to explain: the purpose of this group, which is always one of those things that feels easy but isn't, and it amuses me every time I go through this exercise. I'll just share my screen so we can go through it.

C: It's the same document I just pasted in the chat. So the idea is to use this to guide everything this group does into the future, and I spent some time over the break kind of turning it into a mostly readable document. But I would value feedback from everyone here, so we can kind of start at the top. There's the overview. The overview is the weak section, because I feel like the rest of it will define it, so we're not going to focus on that today.

C: So let's start at Mission, and what we came up with, and this is me turning an enormous amount... Also, I can't see the chat very well if someone puts something in there. So, okay, so we spent the last couple weeks, probably a month or more, just jotting down ideas and notes, and then I tried to craft those into English text, which is what we're looking at here, and so I...

C: That's a really good question. The intent of the group is forked to a degree, where I think we want to focus on empowering open source to create SBOMs, like have every project make it, so on the production side there's a very heavy open source focus, but on the consumption side we have an interest in furthering kind of all endeavors. In that space there are open source consumption tools and there are commercial consumption tools. We don't want to necessarily say this is the right one.

C: On open source and commercial consumption tools, that also ties into... there's a second document, this landscape funding proposal, which... did not... or what have I done there? There we go. Which we may not get to today. But this is meant to be... I know I've talked about the third link, so I won't, but I won't, like, torture anyone today. Turn creating, like, a CNCF-landscape-style thing for SBOMs, and that will encompass closed source as well as open source solutions we want to.

C: Okay, that's a good question, though. So "work with the existing SBOM community", and in the mission we try not to specifically call it open source, but I think we should specifically do it, because if we don't, people might assume open source. So I'm going to add another note for myself: open and commercial, to avoid anyone making assumptions. And that's one of the things that makes this hard too, is like I've been looking at this stuff for months at this point, and so there's lots of things.

A: As someone who has been trying to foster it for many years now, yeah, defining it is tricky. Defining the community is tricky. I'll let Josh define the open source community, right.

F: Exactly, good one. No, but seriously, though, I mean the problem is, especially, you know, if you take just that mission statement, to me it's going to raise a lot of questions, because "the SBOM community" can be interpreted as, you know, people who are already using SBOMs, who are potentially interested in SBOMs, people who are working on SBOM formats, SBOM tools. I don't know.

A: And I'd say yes. At least as someone who's tried to build a community, if you do it without both the production side and the consumption side at the table, you're going to fail. If you do it with just one of the two data formats, you're going to fail.

A: If you do it with just the vendors that are focused on Java and modern web apps, you're going to fail. So I think having a broad definition is good, and we can even, you know, have a line in scope about the importance of diversity of perspectives or something.

C: Yeah, yeah, I'm comfortable leaving this one squishy for the moment. We can tighten it up later. I mean, as these things always go, the devil's in the details, right, and it's easy to spend, you know, months on defining "community" when it really... I don't think it matters in this case. So, okay, okay.

C: ...SBOMs, which was an important point, because at first when this group was created, the focus was on open source projects creating SBOMs, but nearly everyone who has come to meetings wants focus on consumption as well, which I think is fair, because it's very chicken and egg, which I'm sure Alan has much to say in that regard. So then "use OpenSSF resources to be able to encourage others to cooperate." So the cooperation part, I don't know if... so this is a little more clear in the approach.

C: We've had... I learned about a new group doing something, and we would like to make it easier to discover these groups and encourage the groups to work together rather than trying to reinvent something ourselves. And that's, I think, the foundation of this group. I always joke, I say we don't want to do any work, and fundamentally we just want to empower others to be doing the work and make ourselves a place people can come to understand what's happening in the universe. If that makes sense, does that?

D: One question regarding the first sentence: so "the SBOM community"... "enable the SBOM community to connect and empower that community to create and consume SBOMs." So it does make sense. It gives it kind of a reasonable scope, in the sense that those people who are interested in SBOMs will be empowered to create and consume SBOMs. But by reading through it the first two times, I was missing the bigger picture.

D: Are we not aiming for enabling, let's say, the very broadest vision, the open source community, like the projects, to create and consume SBOMs? Or is that, let's say, anyway an unrealistic goal, and we would like to focus on the SBOM community, whatever that is, but at least it kind of encodes that it's the people who have an interest in working with SBOMs? So does that make sense? What's the scope of the user, so to say? Or is it just a good point.

G: And I feel like maybe that's where you're trying to get to, the part where we don't want to create something new. We want to leverage, you know, the ideas of the community. So I kind of get both sides. The word "existing" is... I think there might be another way to kind of keep honing in on the root of the word "existing", why you put that in there.

C: Indeed, indeed, I love it. Okay, all right, all right. So I guess what we might ask of the group then is just think about this one. I don't want to spend too much time on it, but if you have comments, throw them in the document or Slack or whatever, and we'll work on it. I really want to try to get this finished up like in the next meeting.

C: Just because we've been working on this for what feels like forever. And then the scope is kind of trying to hone the mission a little bit. This focuses on production, distribution and consumption of SBOM data for the adoption... "the information ingest"... "want to remove blockers that make using SBOMs hard." I mean, this sentence doesn't really make sense in its own context, which it kind of touches on in the approach.

C: Okay, so I'm going to read this out loud, and just yell if anything comes to mind. "Securing the software ecosystem will require making the production, distribution and consumption of SBOM data easy to enable wide adoption... using the information, ingesting it into their own internal risk management systems or other systems... blockers that make using the SBOMs hard." Is that... yes, Alan, since you're here, how do we talk about SBOMs in plural? Is the plural of SBOM "SBOM" or is it "SBOMs"? Do we know?

C: All right, all right. And I think this is the sentence that I want to focus on, and I think is important, especially in the context of open source, is a lot of open source projects, they're just going to be creating an SBOM and giving it to someone else. They're not going to be really doing anything with it per se, and I think that's the piece that isn't necessarily well understood in the universe, because I feel like in many instances the person creating the SBOM is the person consuming the SBOM today, and that's something we want to see change, I guess, especially in open source. So that needs to be expanded. I'm just going to add a note for myself.

G: And I think this kind of gets to, I think it was George's point, that the community is creating it, but if they don't understand how it's going to be used, that might impact how rigorous they are about creating it or the completeness with which they create it. And so it's in part, yes, maybe a software development company or hardware company is using it, creating it and passing it on further.

G: But how can we be very inclusive of the open source community and those maintainers to be diligent about it, because they may never consume it and see how it's done? Coming from a security operations background, we get these "oh, if only the developer would have made XYZ in the logs available." Well, the developer never in a million years knew that was going to be a use case.

C: Let me... I never thought of it in this way, because I feel like if we have well-defined standards for SBOMs, which, like SPDX and CycloneDX, have, there's the NTIA minimum elements, and so if you're generating correct outputs for whatever it is you're doing, wouldn't that suffice for someone using it, or is there a piece of that we're missing?

G: I think it would suffice today, but it may evolve, and so how do you get the left hand and the right hand in ongoing cooperation? I guess maybe that's the standards development, but then if you have some very, you know, free-spirited open source developers that, you know, maybe they have an enterprise day job and this is something that they're doing on the side for fun... How do we encourage the use of following a standard when the upstream community can potentially be very...?

C: I'm inclined to punt on that, because you're not wrong, but I feel like as long as we have standards, excuse me, that are well supported and have active communities around them, I think this problem will solve itself, because you'll have good tooling, and I would hope we won't see a situation where, for example, someone, say, starts publishing, like, SPDX 2.3 and now we're on SPDX 6 and they're like, "whatever, it's good enough," right. I would hope we have some level of just community pressure and involvement that keeps all this flowing forward.

C: ...it out there. So we kind of have some of this in the approach, where we have... where was it? Yeah, like starting with existing known projects, creating kind of a white-glove service to learn what does it mean to help an open source project create SBOMs and distribute them, and then obviously, as we learn more, then we can work on guidance like that, and hopefully it turns into, you know, kind of a self-licking ice cream cone, to steal a term from the DC folks, once we have this all in place.

C: All right, all right, okay, all right. So then kind of the next paragraph: "expect the minimum elements and validation will..." there. So the purpose of this particular paragraph is, right now, the NTIA guidance. And actually, Alan, is CISA going to take ownership of that guidance? Or is the NTIA minimum elements staying with NTIA?

A: No. So under the somewhat flawed OMB circular 22-18, CISA has authority to refine the minimum elements, so that will be around for a little while, but ultimately CISA is going to enhance it. Perfect.

C: Okay, so for the moment, obviously we're going to defer to NTIA guidance. We put a line in here: "in the future..." Sorry, what?

A: I do also want to say, feel free to go beyond that minimum elements guidance, because it was written to the... the slight background was, right, it was defined at a point in time, which is 2021, and the authors sort of had to do a balance between how do we make sure that we're not making something that's useless, but at the same time make sure that folks can actually achieve it at that point in time when it was defined. So I just wanna... that's right.

C: Totally, and that's kind of the purpose of the second paragraph here is, in the future we may find it necessary to append this guidance, published project, blah blah blah blah, and that is the intent. Ideally the knob will turn one way, right, and as we meet the current minimum guidance, we can add to the minimum guidance and add to the minimum guidance and just keep ratcheting that up as we go. And then there's also this bit here about validation tools, and this is something I know the SPDX folks have started working on, is kind of measuring the output of SPDX tools and being able to say, like, this is valid, this is invalid, this is good, this is bad. And I think this is part of that work, and I don't know off the top of my head what the CycloneDX folks are doing here, but I suspect they have similar projects. And ideally we leverage the validation tools to kind of just control what is considered minimum and good. And I think we have some notes about that somewhere down here in approach, but okay, but the point being that, for the beginning, we're going to leverage the guidance that exists; we don't want to publish something new.

C: So anyway, "funding creation of tools and guidance." This group should not be focused on creating new content. Yes, there it is. But rather lifting up the existing efforts, and that obviously means when someone wants to work on something and there's a group already doing it, go help the group; don't reinvent the wheel again.

C: Again, if you have thoughts or comments, feel free to just add them later. We don't have to do this all right now, but I do want to have this done in, like, a week or two. Not two, well, two or four weeks from now, right. That's the goal, next meeting or the meeting after, to clean this up, so speak up or you don't get a say. And then the approach is where we get a little more tactical and we kind of lay down some of the things we want to do.

C: Specifically, it is not exactly in an order, but it kind of is. I would say the more important things are near the top, and the things that need other things in place first... I won't say they're less important, they're just harder to do tactically without doing some of this other stuff first. So the first one is the landscape. I have a document for this.

C: It was here, it's in the notes, if you want to look at it. I would gladly accept comments on the landscape proposal. The landscape proposal: we want to go to the OpenSSF governing board and basically just hold up the hat and say, can we fund this and can we get someone to do it, and ideally it again becomes a self... what did we call it? Alan's fancy word.

C: Self-perpetuating, thank you. I've already lost it. Where was it anyway? Self-perpetuating. We want the landscape... ideally, if we have a landscape that becomes a place people are looking for things, new projects will be encouraged to add their stuff to it, right, because they know if they're not in the landscape, they don't exist. And so hopefully we get that. So anyway, current landscape: identify existing tools, projects, companies, whatever, all of it, right, we want.

H: There needs to be some element of quality for this to be useful. Otherwise it's just... we could cause more confusion than it'll sort out.

A: I like the quality stuff, and it is a fun philosophical question of is partial or incomplete data better than no data. I may respectfully disagree with Kate about the immediacy of putting quality on the radar, but I don't disagree with her about the long-term goal of putting quality on the radar.

H: I just think that, you know, having at least someone say that, yes, this is there and I've used it, would get rid of a lot of the problems. Good, okay, which is part of a review process.

C: We view the landscape kind of as the foundation of a lot of this stuff, and so we're keen to get that proposal in front of the governing board at some point in the near future. So again, then, what else do we have? Use... okay, so we have "use OpenSSF resources to encourage SBOM adoption, for the focus on creating, consumption."

C: So here's where we want to find a way to get some of the existing OpenSSF members to basically bring some talent to the table, because there's a lot of talk about SBOMs, there's a lot of people working on SBOMs, and so I think... I'm hopeful we can do something with this. I don't know for sure, because, like, I think the OpenSSF... it has been wildly successful in acquiring funding and publishing content.

C: I don't think it's been wildly successful in connecting talent with projects, necessarily. So this one I think will be tough, and we're going to need governing board and TAC involvement, I think, to try to get existing members involved, and this will probably require another proposal written. Any thoughts or comments on this?

G: I agree, and I think that piece, where we get a lot of value out of the OpenSSF bringing together a lot of the different tech companies in the community, that if they're using an open source tool and they want to see it grow, then we can funnel them to that. There's a huge interest at my company, at Dell, in connecting with some of the efforts around SBOM, and it's been challenging to figure out exactly where to go, to send people, and so I think evolving...

C: That's fantastic. No work has been done. If you want to take a crack at it, Sarah, and just, like, put out a rough draft or something if you have ideas, I'm game, because it'll be at least probably two weeks before I'm gonna touch it, because I want to get the landscape proposal sorted first, so I'm not going to put effort into it. But yeah, this is awesome. I'll...

C: That way I know who to bug later. Okay, so the next one. This one actually is something Kate and I were talking about last week: near-term wins, but with the end goals in mind. So things like SBOM example references. I know the SPDX crew is working on some quality tools for basically, like, measuring does your SBOM meet the minimum NTIA standards, and a lot don't. And I'm also keen on having good examples where we have artifacts and we have expected outputs, and then being able to obviously run tools that scan the artifacts and then output whatever it is they output, and then they can say, like, are you finding all the right things? And I'm actually in a discussion right now, because the question becomes what is more important: measuring quality, or examples?

C: But this one, I don't know where this will go yet. I think it has to live in this group because, like, SPDX has some examples, but I'm sure CycloneDX won't want to touch their examples, and CycloneDX has examples; I'm sure SPDX won't want to use their examples. So I think having a neutral place for the examples and for the expected output is probably what we're going to do, and this again turns into another one of those things.

C: Yet... but I think this one comes after these other two, because I think, like, for example, if we can leverage resources, hopefully we have people in a position to start helping with something like this, and then they can obviously take the examples and go to the tools and go to SPDX and CycloneDX and wherever they need to go to help kind of push the ideas and help with whatever anyone needs help with, because this is new territory for many of us. So anyway, gosh.

D: It could make sense to also include use cases or success stories not coming out of the SBOM community itself, like the SPDX community kind of trying to show off the tooling, but also, like, success stories from projects that have already successfully adopted that. Like we had one person who relatively successfully included SPDX SBOM generation in Istio, and that was well accepted or well welcomed, and so on and so forth. It might just add to... so it's just a complementary thing.

D: But if you're going to kind of write down maybe guides or something like this, it can add to the adoption or the authenticity of what we're trying to do by pointing to projects who have already successfully done this, also showing that it's feasible and so on, and not just something coming out of the specific tooling community trying to sell their tools. So, let's...

C: I agree 100%, and in fact, funny enough, we put it at the very bottom, which it probably shouldn't be at the very bottom, but we have "celebrate wins", right, where, as there is success, we need to talk about the success. And I think the OpenSSF has a lovely pulpit for that, because when the OpenSSF speaks, people listen. And everything from, you know, things that went well, things that maybe didn't go well, ways to encourage, you know, any sort of carrots we can throw out, absolutely, and I love success stories.

C: I think that's a really good one. We didn't have that written down, so I wrote it down. Alan, you were going to say something?

A: I was on the sort of badging side, which could be under number two and is a number four, five, and that actually could be, right, the informal standards model of saying, hey, to get the badge, here's what we're looking for, as a way of moving the ball forward on something that's a little more ambitious than the 2021 minimum elements, but still something that's feasible. And so that will be work, but could also be a very good way to leverage our efforts.

G: I think that the SBOM badges create a data point that consumers can key off of, potentially even programmatically. We want to consume from open source that has an SBOM badge. I know people are talking about... you know, internally we're talking about tying what we select to scorecards and metrics and ways to, you know, connect data points into your CI/CD pipeline and automation.

G: So this creates something that is a badge for the developer of the open source package, but that also creates some pipeline and some workflows of, hey, we want to consume from open source that has these badges. I think that also does the... what was the word you used? Self-verification... like it continues to develop and evolve on its own. It starts to build momentum.

C: ...our time. Okay, so then we have, under the near-term wins, the... we put in, and this one isn't well defined, I should actually... I need to write this out better, but we wrote down "start with toolsets, will be facets to release an economically efficient, acknowledging there will be some developer friction." So the intent behind this statement was kind of saying:

C: Let's pick a few things out of the gate and suggest, like, this is the fastest way, open source project, you can produce SBOMs with the minimal amount of pain for the moment, and basically create, like, some concrete guidance that specifically calls out tools, that says, like, if you're using Java, this tool does a nice job.

C: If you're using npm, this tool does a nice job. And this one is going to be dicey, because this puts us in a position of being a kingmaker, essentially, because anything we pick is going to win, at least in the short term, and probably in the long term, and that terrifies me, and it's going to piss off a lot of people. And so I don't know a good way to do this, but I also think it's the fastest way to kind of roll this ball down the hill.

G: Could you tie this idea to the SBOM badges, where it's not being a kingmaker, necessarily? It's just creating a set of standards, and here's a best practice and you'll get a badge if you do this, here's some good examples of people who have done this, and then the badges democratize it: you can go out and get the badge yourself if you want to.

C: This one is so hard. I don't know what the best way to do this is, and it scares me every time I read it, because we need to give concrete advice to projects, because projects do not want to be SBOM experts, but we also... how do we pick one?

C: And then, so following up on this one, we have kind of part B being: we acknowledge that any project creating SBOMs today, it's not going to be a zero-effort thing. They're going to have problems, there are going to be bugs, there are going to be weird little things that happen that they're going to have to address, and obviously open source projects have finite resources long term.

C: How do we define what these toolsets look like? And that was why, I guess, that ties into B, because, like, an example being, if we spend a week putting together an example toolchain today, in a month it's probably out of date, because these tools and this stuff all move really fast right now. And so it would be ideal, and this kind of... this architect part of this...

C: We wrote this before the governing board was talking about bringing on board, like, an architect for the Sterling toolchain work, and so I think that's very related. So I'm going to ignore this for the moment, and we can maybe tie it into that, but this one is big, and I don't know. I would love input if someone has it, because I'm terrified of this particular kind of goal, like how do we do this in a way that doesn't make everyone mad at us except the project we pick?

E: I was going to say that if we just have an objective description of every project and what it does, what it covers, then people should be capable of choosing for themselves based on the criteria that are described, that are objective and matching the project documentation.

C: I think you've just inspired me. I found it, it's brilliant, because if we make the projects give the guidance necessary, like if we had, say, a central repository that says, here are SBOM scanners, here's how to use them in certain instances, projects fill it out. That also turns into a self-selecting cycle: projects that aren't active don't update their content, right; projects that are active have an incentive to participate in this ecosystem and to keep their content relevant, which then solves the problem we have of... as things age.

G: Could that tie into, like, LFX, where they're just trying to put data points about how current projects are, how frequently they're updated? If, you know, the SBOM components are evolving, I think it could potentially tie in there too.

C: I think it's more than just a landscape, though, Kate. I think it would be in the landscape, but I think this goes even a step farther, of saying, like, let's say you're a Java application... Oh, I see what you're saying, how to sort this out. Yes, yes.

D: There's a constant competition between projects, and people tend to find out relatively quickly which ones are active and work better, and as soon as we start publishing examples showing off that it's relatively easy to use and the result has a relatively high quality, as I said before, like these quick wins or so can add to that, and maybe this would be the middle ground to try to approach this.

F: Also agree, this is a reasonable approach. We'll just need a proper disclaimer so that people understand we're not actually endorsing this. We are not, like, guaranteeing any level of quality or anything, and this is, like, a self... you know, people, you know, self-registration of their tools that people should consider for those use cases. Yeah.

F: And I think each entry should probably have some kind of date associated, you know, when it was submitted, because keeping track of, you know, those things getting stale is a huge hassle, so we should make it kind of self-explanatory. You know, if you see an entry that's really old, well, maybe you need to look a bit more closely into it, and we can just provide the right information to the reader so they can do their own homework. 100%.

C: All right, so we're almost out of time, so I want to jump to four. I think five is pretty self-explanatory. And then so four was where we start talking about incentives, and I think this is always the challenge, and I don't know. These were just some ideas we threw out. This is more brainstorming than anything, but obviously the issue being, if we say, open source, we would love it if you would make SBOMs, and open source says, we don't care what you think, like that's it, we're done. And so this is one of the challenges: how do we create incentives and encouragement for these projects, because we also don't want to show up and say, do what we're telling you to do, because that doesn't work, you know.

A: And so, for me, I'm gonna have to jump in a moment, but right, because looking for those middle grounds, which is, like, hey, here's some tools, or hey, can we go in and put some SBOM data at the top of... and so one thing that we can do is say, hey, is there any recommendations we can come together for saying, where does SBOM data go in a general project or in a specific type of project? And that also loops back to the package manager stuff, which is, hey...

C: If anyone has ideas or comments, just, like, look through this one and give your feedback, because I think incentives are going to be the hardest part. It's like we're asking an open source project to do something that they will receive minimal to no benefit from, is what I think some of this is, and so how do we either show value... how do they extract value from this?

C: Like, I don't know, I don't have good answers, but I think that's part of the challenge here, because today I think asking open source projects to do this stuff isn't going to end well. I think they're grumpy, as they should be, because they have a lot of people pushing back on them for a lot of stuff. So, all right, all right. It's time. This was super valuable. I want to thank everyone for all their feedback. I've really enjoyed this today. I love these working sessions like this. So, all right, and Sarah...