From YouTube: Security Tooling Working Group (September 27, 2022)
A: All right, thank you everyone for attending. I will apologize in advance: I am super out of the loop and have not even looked at any of this stuff in two weeks. I caught covid immediately after the last meeting, and so I've been not well, we'll say, for a while. But if you look at the notes document, there's a sign-in over on the tools one for anyone kind of new, or just as a refresher. This is a weird group because there's the Tools Working Group, and then this is the SBOM Everywhere SIG that happens kind of at the same time, just because the Tools Working Group has very little happening right now outside of this. So we're hijacking the meeting for the moment, which is why I have this very confusing setup of signing in on the Tools Working Group but then taking notes in SBOM Everywhere. And so, if anyone is here for the Tools Working Group, I'm sorry to disappoint you, but.

B: All right, let.

A: Oh, I guess one other thing. We did, last time, two weeks ago... it was during the Dublin summit, or I forget what the name of the event was, but many, many people were gone, and so we worked our way through this document here, which is kind of starting to lay out in more detail some of the goals and purpose, which is from the mobilization plan. This is also kind of covered in issue 12 here, but we'll get to that later. So Kate, you're at the top of the list.

B: Saw her sign into the text, did you know she's here? She's muted.

C: That's a problem, as I started signing things in and then lost where... what the show with everything's displaying. Side note, I also picked up covid and I'm recovering from it as well. So again, please apply appropriate caveats for brain issues. Now, that being said, there has actually been progress. So the Python library funding has been approved. It has been started, and the contract's been started with the TNG group.

C: So anyone who is specifically interested: as soon as the meetings start I will post the information on our Slack channel, and people who want to attend can join in there. But they've been working pretty much to the plan that was articulated when we, you know, set things up. So they've been doing the survey and everyone looking at, okay, starting to get the test infrastructure in place, as well as the cleanup.

C: 3.0, so I... the model... I have not been on the last two meetings, courtesy of travel and covid. I'm hoping to be there today. The model is looking pretty much... The core model is pretty close at this point in time. I think most of the grumbles have all been... so we've, I think, to a certain degree, harmonization has been achieved.

C: There are two profiles that are must-haves, which is the security and the licensing, so we don't go back in capability, and then which other profiles are ready at that time will also be included.

C: Yeah, it's a guess. The underlying data model is changing. This should not impact a lot of the serializations, which is what is being implemented. Like I say, we're trying to keep the field changes down to a minimum. There's people who keep on wanting to rename things on us, but for the most part there's enough push back to give us a really, really good reason, and "just because you like a name better" is not a good reason, right? Okay, because there is a migration cost and change associated with it.

C: So a lot of the fields we've got today will be persisting. The deprecated ones will go away, finally, but they haven't been used for, hopefully, a release now, or a couple of releases now. So, and then the new stuff that's been added will probably be... will be persisting. So I think it should be incremental, but what the implications are of the underlying data model is what I can't judge yet.

A: Kate, let me... let me know, for one second: Dan has his hand up. So here's how we're doing this. The last two meetings ago was just completely off the rails, so I'm happy to accept clarifying questions, but I don't want us to be, like, suggesting a bunch of new work or something. Please do that on the mailing list. So Dan, what is it? Absolutely.

B: It was a clarifying question. I just wanted to know: is there a link where I can... a dumb question possibly, but is there a link where I can read more about the SPDX 3.0 harmonization effort? Sorry, can you, like, send that to me or stick it into the minutes somehow?

C: The best way to understand what's happening with SPDX 3.0 is join their meetings at this point in time. Okay.

C: It's too much of a moving target. It's better to... if you really care about the details, firsthand is to go... is to be in the meetings, I think, in the meetings.

A: The next step is the SBOM one-page overview which you put together, Kate. Yeah, I forget where that was. You have a document? It's not in the GitHub issue, though, is it?

C: There is a Google document where people are starting to comment on it. I need to basically call anyone who wants to weigh in on it into a meeting together, to have a smaller meeting, but with the covid and travel I was not able to do it between now and then.

C: Yeah, so anyone who wants to be invited into that, make sure I've got your email. Send me email or put your email in the document, say "Please include me in this discussion." There's starting points that were there that came from the NTIA efforts from before, and so it was an extension of that. So there's been a lot of thought behind some of these things too.

B: I feel like I... yeah, I.

A: Understand, right, and that's fine. Look, if the status is like "there is no status", I'm fine with that; that's just how it goes sometimes. Dan, your hand is still up. Do you have a new question, or is that the old hand? Awesome, thank you. It's my only complaint about Zoom: it doesn't put your hand down when you start talking. That's like... I hate Teams, but that's the one thing it does right.

A: Okay, cool, all right, very good.

A: Page overview, SBOM use cases, all right. Okay, you have another one, Kate; you have too much stuff. We need to... let me give this to other people. So that we also had this. This one's actually quite full of comments, and the idea was to take these NTIA kind of crowdsourced documents and maybe turn them into something more palatable. We.

C: So at this point the material's sort of there, and we want to try to get the landscape... some sort of landscape infrastructure going, but need help on that is.

C: I think that's... everyone wants... everyone wants to look at the... from their specific perspective and having different filter criteria. Effectively, it seems to be the best way of dealing with it. Landscapes will give us that and.

A: For anyone who hasn't seen, there's this one... isn't... is this new? Did we just create this SP.

C: For the SPDX community has been trying to sort of look at trying to put something like this together, but it was also a question of let's not do this work five times, not standardize what information we want to capture for filtering. Yeah, then the work the SPDX community does can then be reused in a wider filter set. Well, would.

A: They, okay, let me... so, first of all, for anyone who doesn't know, this is what the landscape is. This is something the CNCF did in, like... all of this data is driven out of GitHub, so it's one of those things that once you put kind of some of this into a machine-readable format, it's magic, and then you can obviously, you know, organize things and sort things and find things, and that's the intent right behind this issue here now.

A: Right, okay, so here's what I think might be the better way to think about this one, Kate, is rather than trying to do it with this group, because I think the intent isn't necessarily to make this group do things, but rather to create proposals and then see about funding it in some meaningful way, because, like, part of it too is if we have a landscape, it needs to be cared for and fed, right. It's not like I.

B: Okay, man, I love the idea of paying someone to do the landscape, because I know over in SPDX we've just had the darndest time carving out moments of people's time to do that. So that would be an amazing task. It doesn't help that the landscapes are... they're not well documented, how to set them up, and unfortunately the person who created them has passed, so they're not around to ask, and it does make things a little more difficult, but heck, and yes, love that idea.

A: Yep, that's fine, I'm okay with that. Okay, you're just gonna have to put up with me repeating myself over and over again, which is a treat. All right, cool, good, that's nice. And I guess, for what it's worth, just on that note, I... really! Oh, Justin has a comment. This is an agenda item.

A: You prefer to send the mailing list. Yes, that is the mailing list address, openssf, say yes, button.

A: So if we can... we're going to get someone else to do it. Okay, scope and purpose: this one is huge, and did we put a link? Yes, Vicky put a link in for the Google Doc. So Brandon, you volunteered to maybe help with this one. I think Brandon's here, right? Yeah! Okay, are you still willing to do that?

A: So I'm going to... can I assign you? Oh, I can't. I don't know how; GitHub is like magic to me. I can't figure out how it adds people or not. You.

A: Sense, interesting. All right, everyone make sure you're part of the organization so we can assign your work. So I'll kind of... I'll explain this one a little bit, maybe, then, and for your purposes, and we don't... obviously nothing will come up. We created this issue, you know, to more clearly define goals and purpose, and then Vicky links to this document, which we worked on a couple weeks ago here.

A: But there is, okay, a link to the issue, and then there's the mobilization plan which, if anyone here hasn't read it, like, you should look it over. It's very cool and it covers all of the work streams, not just this one; we're obviously just one small one. And then the mission and scope were put together in the last meeting. None of this is written in stone; it's all, like, squishy.

A: So if anyone has comments or ideas, feel free to kind of edit and go with it. And then the requirements here is where we started taking the mobilization text and putting it in here, and then we need to tease out one of these things we really... because we want to do what makes sense, what don't make sense, because you got to remember too, this mobilization document was written six months ago. So I guess, kind of on that note, Brandon, I will just... let's not worry about this today. Read it over.

B: The question, yep, I think one of the focuses of the issue was to make it more consumable.

A: Was... so I think my... so from what I understand, and anyone who might disagree or have better ideas, come... you know, correct me, but the mobilization plan text, if you look at it, it's not exactly obvious necessarily what... I mean, some of it makes sense, and some of it, we've just been doing SBOM for a long time, so we know what it means.

A: The goals and purpose document is, yes, I will put a link in the chat. That is the one I'm looking at, and that links back to the issue at the top and the mobilization plan, but, like, if someone who isn't part of SBOM, I'd say Brandon, reads this, I don't think they're necessarily going to understand what it means, and there's also certain text that doesn't always make sense, right, like where we talk about, you know, "SBOMs are ubiquitous in software distributions", like what does that even mean, like what?

D: Yeah, sorry for jumping on late, but so I work on the... see, one of the items in the list that I work on: security profile in SPDX 3. That's what I work on; I lead the security profile. Just on the consumption side, the problem is that consuming SBOMs, apart from basically basic package information, is still highly problematic. So generating is generally, well, not a solved problem; there are tons of gaps in there. Consuming SBOMs is still very tricky, so you lose a lot of information.

D: Yes, so I'm working on, basically in SPDX, on a project to compare the various open source SBOM tools, and probably maybe some of the proprietary ones, with the aim to basically simply set... if you, for instance, have a Maven project with a couple of dependencies, make sure that eventually all of the open source tools, and also the... are required to render those exactly the same in SPDX. So we need kind of a validation suite.

D: It's partially work on... again, I'm using it for multiple things. So I'm using it for the security stuff, to test all of that stuff, and also how the inventory works and all the other stuff. So again, I'm trying to solve multiple problems basically with the same test. So we have one test that we look at, and I also basically built our own tooling as well. So I.

A: Can... is... so Thomas, my request for you: can you add a GitHub issue about this, and we can track it and figure out how it should integrate with this group eventually? But I know, like, Brandon put a comment in the chat, and I know, like, I've got a colleague Alex on the call that's been doing some thinking in this space. I think this one's really interesting to people, and so, because the comparison.

A: Well, right, this is important, and I think this is... I mean, this is something we talked about in the Tooling Working Group a long time ago, and it was something I wanted to do initially: start creating, like, test suites for this stuff, not to say, like, "this is the best tool", but rather just to say these are the gaps, because every tool is good at something, but none of them are good at everything. Yep. So.

D: Yeah, so the other... in a nutshell, basically I have a test repo. I have a GitHub Action. Basically every tool gets its own GitHub Action and is executed basically every day. That's the idea, basically, and I'm talking to some other people in Germany. The next step is, they're like, oh, can we not make a website that automatically compares, so you can say "I care about this, which tool do I pick?" Yeah, but.

C: It's almost that "I care about this, which tool do I pick" is part of what we want to try to do with the landscape. So let's try to harmonize those threads and create there.

A: Sorry, I also, before we move on and this scrolls up my screen, I want to... John Luke Baker has a question, the first-timer for the group. So I mean, welcome to the group, John Luke, but you have the question about the guide to security tools.

A: Cool, good, all right. All right, I want to keep going because we're running ourselves out of time here. Okay, so we got scope and purpose; Brandon is going to take that over.

A: Tracy, are you here? Maybe Tracy left. All right, that's fine! I'm talking to Tracy later in the week anyway; I'll bug her about it then. So this one, I wanna bring a couple of things up, and this, I don't... again, I don't want to do this ourselves. I think we should pay someone, but one of the things that came up in this at one point was, like, there are some examples of data that exists, like CycloneDX. Yeah, CycloneDX tracks some things through.

A: They track some of this, and I think this is one of those places, again, I would like to find a way to collect data and do something with it. And, like, I know the Linux Foundation has a data wing; I don't know what the answer is to this. I think we need to hash it out. You know, there's some comments in the issue.

A: I would love to again have a proposal put together and have research done, like proper, real research, not like stuff we make up. So it is... I think this is again one of those places where, when we started this project, we thought that the tooling needed updating, but as we discussed it, everyone keeps talking about the consumption tooling being the barrier. Like, is it? I don't know. So.

A: That's right, I like that. All right, cool, okay, so that was our list. I don't... we have, if we want, we could go look at this, the document we started on, but I don't... like, does anyone have anything else they'd like to bring up? In the meantime, do you want to work on this document? I'm happy for us to all just escape because, like, goodness knows, I don't feel amazing. It's kind of up to this group, but we'd like to do.

B: If... I'm sorry, hi, this is Dennis. This is my first time in this group as well. I believe with Jeff Williams and Michael Fanning, we're from the OASIS, sorry, TC group, where we have a different effort to formalize some of the findings for defects and so on, and we're effectively a liaison, and when we joined this group, to see.

B: If there is any fruitful, you know, cross-collaboration that we can have, and maybe there are items that we can contribute to, right. So we should expect, like, one of us to join regularly.

A: That's fantastic, welcome in. OASIS, you're... what is the name of your data format again? I apologize. It's.

B: Oh, it's, sorry, SARIF. Thank.

A: Which is a really cool format. If you've not heard of it or seen it, go take a look; it's really cool. Can you drop a link to OASIS, your... I guess whatever your getting-started places are, maybe? Cool, that's exciting, good, good. And actually this reminds me as well: Vicky put a comment somewhere, oh here, for future meeting folks get, like, an intro. I.

A: Don't want to do a ton of intros in the meetings, and I also don't like putting people on the spot, because I know a lot of people don't like that. But I would love to see us start doing intros on the mailing list or in Slack when folks join. So I will make a point to do this myself in the Slack channel later today, but if everyone else would like to do that, I think it'd be very cool.

A: All right, okay, what do we have, like 15 minutes?

A: Okay, all right, good deal. Thank you, Jeff! Thank you, Dennis, sorry. Does anyone have anything else? If not, I would very much like to just end this meeting early versus trying to go through this document, because Brandon is going to look at it and then we can figure out how to maybe wrangle this together in the future.

A: Oh, it didn't open, but you can join, and then there's the stream nine SBOM Everywhere channel, which is where many of us hang out and then talk about stuff when there's stuff to talk about, and the mailing list. I really like mailing lists, because obviously those are easier to search. All right, anything else? Anyone can think of any questions? Any comments?

A: All right, thank you all for tolerating me for the last 40 minutes. I'd really appreciate it. I should be better in two weeks; I think I'll be all right. So, all right, if nothing else, then I guess my only ask is in the next two weeks, look over the, excuse me, the issues we have, you know, identify anything that might stand out as questions we need to deal with or answer, and we'll kind of go from there, and I guess.

A: Kate will make sure we put a note about when Kate and I chat about putting together a proposal for the landscape into the Slack. So if anyone's around you can hop on and join, but yeah. Otherwise, thank you everyone. This is... it's getting there. It's a lot of work, but I appreciate it, right. Okay.