From YouTube: Security Tooling Working Group (September 13, 2022)

B: Yeah, me too. They're kind of in this mode where they want to hang out down in the basements, which is really irritating, but, I mean, yesterday they were up here again. So I think, like...

B: Them, yeah, yeah, and one of them's new, so they're just trying to get to know each other and really, you know, kind of bond, so I want to go down and grab them and bring them up here. But it's like, no, let them take everything at their own pace, which is a shame, because one of them I like showing off because he's polydactyl. Oh cool. He's super cute. I mean, they're both super duper cute, but the polydactyl one is kind of ridiculous.

A: Yeah, they said they don't specifically, because I guess what they do now: they're a zoo, which is really funny. That's the only reason they can have all those cats. But they said, like, every year when there's a new litter of kittens, they pick like the four healthiest or something like that, and then they spay and neuter the rest to control population, and so they don't specifically pick out the polydactyl cats, but just through the nature of everything, they've ended up with a lot of them.

B: I learned after I got Osgood that sailors thought polydactyl cats were good luck, and so they preferred to try and get a polydactyl cat on their ships, which means polydactyl cats are more common around port areas. And we, I mean Portland, despite, you know, we're slightly inland, but we are a legitimate working port. So nice, yeah. So yeah, that's kind of cool. I had no idea.

A: Then there's an agenda for the SIG, which is the second link, where we don't sign in, to make it confusing, I guess. And so what I was thinking we should do today, because there's so many people missing from, well, in fact, I don't think any of the people who currently have any of the GitHub issues assigned to them are here. Wait: Cameron and Bunny, I...

B: Are you doing that? Can I give, while you're doing that, can I give some background for how this has been managed in the two other existing SIGs on this? Please do so. Let me lower my hand before I forget. Now, so the other two SIGs for, working for, sorry, still early for me, mobilization plan streams.

B: The other two that exist so far are Education and Incident Response Team, SIRT, the firefighters, so to speak. Now, coincidentally, those both ended up under CRob.

B: So what each of them did is exactly the same, because they're run by the same person, and what we did is took the text from the existing work stream stuff from that big document, the mobilization plan, slapped it down and said: okay, let's look at this critically now that we're not racing to get something out the door for Washington. Let's see, can we actually do what we promised? In what order should we do it? What are the potential budget numbers?

B: You know, like what's first year, what's second year, what's beyond, and is there anything we missed?

B: Do we have to scope this better or define things better or throw things out completely? And what we've ended up with in each case is a much tighter, more focused view of what we're going to do, with more of a roadmap that is now being broken into smaller groups and committees that are going off and adding additional details before it all gets put back together and handed to the TAC or the board or whoever does the financing thing for the mobilization plan, which is a TAC question that I'm just going to totally dodge right now.

B: So that's essentially what we did. We took the mobilization plan text, critically looked at it, did a Six Million Dollar Man on the thing, and now it is stronger, faster, better, and now we're going to start to, hopefully, execute on that. So that's what they did, and it seems to work really well, but full disclosure: what they did took a couple of months of weekly calls.

B: It really took a lot of work to look at these things, and it's totally valuable, because it's really great stuff that we ended up with, but I just want to set expectations for everyone. While we'd be starting that process today, it sounds like, and Josh, you'll clarify, I'm sure, if I'm wrong, but if we start that process today, I don't expect we'll finish it today, but I think we can at least start to set a good trajectory for it. Yeah, totally.

A: No, that was super valuable. I mean, thank you, Vicky, I truly appreciate it. Okay, yeah, I put a link in the document to the... can we enable GitHub Pages? I don't even know what GitHub Pages are, Cameron.

C: Yeah, it's just like to compile the documentation into a fully qualified domain, that, yeah, it's just like a GitHub-ism for generating a static site out of the documentation in the repo.

C: No, totally fair, totally fair. I didn't know, like, if one of the messaging items is like an easier-to-ingest form of consumption around the actual technical documentation process. So that's TBD, I'm just... a suggestion. So.

A: Yeah, I'm gonna ignore that for now. Well, we can. We can talk about that.

A: It's actually really funny too, because, like, my wife has taken an enormous amount of, like, Excel training and Office training and stuff, and so she's really good at all this, and she mocks me because, like, if I have to do something with data, I export an Excel spreadsheet to CSV, I write a Python script to modify it, and then I re-import it. But that's how I do things, but anyway, all...

A: Done, and that's what matters? That's right, not pretty. All right. So if we look at page 44, this is the mobilization plan which, if you go to, in the issue, 12, I just updated the link. We had a link to a PDF that no longer exists, apparently, but hopefully this URL will stay. This issue currently has no owner. Brandon Lum mentioned he might be willing to pick up and help out, but I'll track him down later. But anyway, right.

A: If you click the link you get here, and then they have a "read the plan" which brings you to whatever this is, and page 44 is kind of where we'll start, and this is where, I don't know how many pages, it's not a lot, the SBOM Everywhere. Yeah, it's only four pages. This one was definitely not as lengthy as some of the others, which...

A: I see this in the doc, the numbering, that, all right, okay, I blame Google. Okay, and then I think this is a nice chunk which I will also paste down at the bottom. Of course, none of this will be formatted, which is great, and then what is this initial implementation? This makes sense, I think, and then obviously we'll move all this to GitHub at some point in the near future, and then there's the levels, which I think are worth defining.

A: And badging and advocacy I'm going to skip for the moment, because I think those will just be part of the rest, and then there's costs and goals. Vicky, how much have the other groups focused on, like, costs? Have they done any of that?

B: Yeah, they were very, very rough numbers around each of them, like, we're going to... This is something we need to staff, right. Here's a function. We will need to staff the function, we're going to assume staffing a function is three hundred thousand dollars, right. They just made some wild-ass guess and used that number for every single thing like that.

A: I think he's going to do the second. Someone is down here, great. Thank you. What about the initial implementation section? Can I get a volunteer for that? Yeah, I can take that. Thanks, Cameron. This one's going good, we've got this thing here then.

A: Yeah, I mean, sure, we want to make it readable and look nice, so we can work on it. So, and of course, if you do the work you get to do it your way, which is the best part. Awesome. Thank you, and I will grab this one here.

A: Right, cool, all right, all right, let's start at the top then and work our way down. The sun... pushing wrong buttons. All right, so I'm just gonna read aloud, and if anyone has comments, jump in, add comments to the doc, we can edit the doc in real time. Like, I'm pretty flexible here, I'm a pretty big proponent of: if you do the work, you get to do it your way. So, all...

A: "Enabling SBOMs everywhere improves the security posture of the entire open source ecosystem. Producers, consumers, maintainers: just publishing SBOMs is insufficient. They need to be proactively used. Removing substantial barriers to further SBOM adoption lies in ensuring that..." Does anyone have any issues with this, like, preamble clause?

C: Well, yeah. So what, very unqualified, like, to me, "substantial barriers", and then I don't know: do you think that SBOM, just in general, from a procedural and tight perspective, is maintained, or we've arrived at some level of consensus at that? Or do we just kind of take the position of, hey, go implement this broad thing and bring it back and, you know, we can discuss.

B: I think so. As far as glossary, the Education and Best Practices Working Group SIG is going to be taking on creating a glossary for all things OpenSSF. That work is only just kind of started, but it's something that will be happening, because every single venue that I'm in somebody says, holy... why don't we have a glossary? And everyone's like, oh, it's like...

B: Don't remember, it's one of CRob's, I believe it's the Education or, and/or, Best Practices, probably Best Practices, because that's the working group, so. But that work has only just sort of started as a what-if, wouldn't-it-be-nice, but they're going to be picking it up in future weeks, after all of this Dublin stuff settles down.

C: Yeah, I guess, like, "removing the substantial barriers to further SBOM adoption", to be fair, I did not read through to see if that's broached, to define what substantial barriers exist.

A: ...to kind of discuss some of that and, as you can imagine, there's no consensus on any of this. Yeah, which, I mean, Steve's already disagreeing with me about bias, which is fine, but, and yeah, we need... We don't have data, right. It's just all made up at this point, so this word "substantial", that's a marketing term! At this point in this document, I'm comfortable removing it. Does anyone have any complaints?

D: ...couch my comments and thoughts, so, you know, I see this as, you know, because I see certain things already, you know: is this a security-focused group? We're trying to get SBOMs adopted everywhere and architect the ways to get that done, or what we can do to support that for the purpose of improving security, is...

C: Is that, oh yeah, have you read the mobilization plan that kind of defines what that...

D: Because, you know, because I don't know, if that... I think I would argue that premise. I know we're all talking to security, but I think it's easily possible that economics, you know, will really drive up even the first wave. Yeah, I get the caveat in there. Maybe the first wave really is driven by security, but anyways, I'm just trying to... I don't want to take up all the cycles. You guys are being very efficient here, but I'm just trying to figure out, get my head around.

B: So it says security right in the very first paragraph, I mean first sentence, right. "By enabling SBOMs everywhere we can improve the security posture of the entire ecosystem." So I think that's... you've got an excellent point there, Chris. It would be kind of nice to have some sort of mission statement, right: here's our elevator pitch for SBOMs Everywhere, boom. And maybe we stub out a section where we can fill that in after we have got the entire...

B: The big picture kind of hammered back into shape, which is what kind of this process is starting, and once we have done that, then we can swing back around and go, okay, now let's summarize that into one or two lines, and this is our mission statement.

D: What are we trying to achieve? And if it's, you know, to promote security, you know, and follow that thread, you know, that's very likely a worthy goal, but as we get down, you know, and I see Stephen here, you know, if anybody has heard me, yeah, much, you know, knows I think right now one of the big barriers, you know, in all this, and maybe the SIG isn't really the place to tackle it.

D: But I see some signs that, you know, that it's influenced by it as well, is where the hell we're actually going, right. And I think as we get into a lot of the atomic issues we deal with one at a time, right now we spend a lot of time working on individual, you know, things, because none of us have really looked at where this all goes. So I like that, you know. That's what keeps me in the SBOMs Everywhere title in this, you know.

D: Is this the forum to try to figure that out? And, you know, while I'm on the soapbox, you know, as I scan through the docs, you know, some of the things about tools, you know, developing tools and so forth, I think that speaks to: somebody needs to define what is the tool space, which has a lot to do with, you know, yeah, in three years and five years and seven years, you know, specifically in that sort of range. What do we, you know, what are we going to be doing?

D: The whole day... I gotta say, you know, the whole VEX thing, from the moment I heard that, you know, I think it's an artifact of that. Yeah, I mean, VEX documents need to be great for things, maybe, you know. Did the industry benefit by defending these resources over this time? Scrolling on that, no, and I think the answer is really in how you combine all this crap, which is, you know, that three, five, seven year out stuff, for sure.

B: Yeah, and that's being worked on in the various different SBOM formats as well. So that's not simply with us. Tracy has had her hand up, so you go, girl.

E: Hey, thanks. First of all, I don't have the link to this doc that we're looking at. I looked everywhere and I couldn't find it. So if you could put it in the agenda doc, so it can be referenced. Secondly, I think that there are some good little chunks of text in that that we can bring up and just create a common scope, and I don't feel like we have a clear scope, and that's what we're talking about. Adoption should be in the scope.

E: How do we, you know, I think that the scope should really be focused on, or this team should be coming up with ways to make the adoption of SBOMs and the consumption of SBOMs easy.

E: And while we do not have good data, there is one big barrier that we should list, and that is the nature of CD pipelines that requires everything to be manually updated. Every single workload has to be manually updated if a company suddenly decides that they want to generate an SBOM. That is one of the biggest barriers. I hear it every day from people. So, let's take a Jenkins pipeline: you might have 400, 500 workflows, every single workflow is going to have to be updated, so there are barriers that we can start listing.

E: ...that we know are not just marketing but are real. So I feel like that, in up here, the "that we could improve the security posture", I think that is the... I don't know if we have to say that, because this is the whole point, but what we have to say way up front is that there is a lack of leveraging SBOM data and the adoption of SBOM generation that we need to address.

A: And part of this as well that we should keep in mind is, so, like, everything Tracy just said is captured in number two, I'll say badly, because number two is so vaguely written, and these were all things discussed in the initial setup of this document, which was done, I guess, very cloak and dagger, which frustrated me greatly. But that's another story, and the decision was made to not explicitly list...

B: Exactly, yeah, and that's really what we did in the other two SIGs is: make sure that we have no assumptions. We are spelling things out because we have the space to do so. We're not constrained by, like, one or two pages for this big wheelie idea.

C: I started a list, I'm just, like, basically tooling that I saw as more or less prevalent and kind of like my day-to-day. So I don't know if that's something we want to be mindful of from a tooling perspective, or if we want to nullify all prior understandings to start fresh from a tooling discovery endeavor.

B: Oh God, no, I...

B: ...us to do this at all. I want us to contribute to existing efforts for this, because they are out there already, as SPDX and CycloneDX both are working on their own separate lists of tools, and we should get these kids to play nicely in a sandbox and all work together on a single set of tools. My one comment on this is, this tool... this is about generating SBOMs, yeah, that's great. Whatever, there's lots of tools that can help you generate an SBOM to varying degrees of specificity.

B: There aren't a lot of tools, and people aren't really talking enough about consumption of SBOMs, and then what do you do with the SBOM after you get it, and that is the major problem. I don't care if you hand me an SBOM if what I'm doing is sticking it in a share drive somewhere and saying, yeah, I've got this SBOM, and tick that box on my compliance form, whatever. It's not going to help me find any sort of compliance or security issues.

C: Way, yeah, and actually to that point right there, right, I think that it's TBD on what even minimally needs to be represented, I think, and also I believe that every tool listed has an output format capability, and so, if you kind of take an iterative approach to trying to understand the generation process and visualize that in a meaningful way, I think that might help on the back end on consumption.

B: I think there's value in that, but I also think that's worth... that we, rather than doing this, I also am pretty concerned that we might rat-hole on the front end and then never get to the end, right. It's like, oh, let me pick up this really cool new hobby and then never get to the end, and...

B: Yeah, so, you know, everything people are saying here is valuable, but I would rather we let other people work on that and we look at the areas where no one else is addressing as much. I mean, acknowledge and point people to other things that are already happening, but yeah. So, Vicky, are you saying that we...

E: ...should focus more on the adoption and consumption, or we should focus more on the tooling that generates SBOMs? I wasn't quite sure.

B: I definitely think the adoption and consumption is going to be the bigger problem. There are things that are already working on the generation. I want to help support those, definitely, and, you know, if Steve were here, he would be...

B: He would be asking that we ensure we're not getting too focused on, for instance, only SPDX tools, only Linux Foundation tools, only... but, you know, certainly support all the free and open source software tools that generate SBOMs, okay, but the place where I think we can make the biggest difference, and to your point earlier, is that adoption and consumption and making that easy, because there's gonna be a lot of really big companies that are already going to be creating SBOMs and, if they're sending it as a vendor to their smaller companies...

D: ...is, you know, explaining how any of this goes together. Now what, I have an SBOM? Now what, right, you know. So, and to be clear on my background of motivation, so I work for an SBOM tooling company, Cybeats, and so managing SBOMs and so forth, you know, is sort of a day job thing, but even that, you know, what's going on today is pedantic and boring, right. You know, what needs... you know, what every group I'm part of has a hard time...

D: ...you know, raising their eyes up enough to look forward, is how I got into this. You know, the DBoM, the attestation ecosystem open source thing, right. You know, that is still a little bit too far ahead of the curve, but it speaks to all these issues. You know, what I see is, what I was trying to achieve that got me into all this, and what I still see coming, is I want to say that I'm Chris and I want to know on...

D: ...you know, what I should know about this mouse, which may be who shoveled the sand into the furnace to make the chips or not, right. And that's policy, and it's connecting all the supply chain players together, and I think contract language has more to do with all of this than any of the tools and tech, now, when we look back, you know, five and ten and more years from now. So again, maybe this, you know, there's a lot of... every group is doing great stuff.

D: Tom Alrich's SBOM Forum is sort of spun out, informally, I think it's done good work with naming, but what I see is the yawning gap: is anyone standing back and saying, all right, here's the world you're moving into and SBOMs fit here, right.

A: ...for use, and you can all say if I'm right or wrong, or maybe I'm missing something, so I feel like there's a consensus that we don't want to dwell on specific tooling, because there's already a lot of, well, specific tools for creating SBOMs, which there is a lot of, and there are going to be countless places to find that information, right. Go to SPDX, go to CycloneDX, go to whatever, there's a ton of projects. There's a ton of generators.

C: This I personally think in scope, because it furthers the ability to adopt SBOMs, because it's offloading the initial logic to generate them, and using something like GitHub and reusable actions, making, like, codified examples would only be helpful, I'd imagine.

B: I think it's a good... I agree. Yeah, I agree that it's certainly in scope, but I think it's in scope inasmuch as it's something we want to help to facilitate and make sure is happening, and not necessarily that we are the ones doing it, right. And so perhaps a committee of this group would be to look at these tools, to advise, consult Jenkins, GitHub, GitLab.

B: You know, choose your poison, and work with them to make sure that this is actually happening on their side and that it's happening in a relatively consistent way, and that's going to be a bigger problem. Go ahead, Chris, yeah.

D: I think the question was well stated, because I think, you know, yeah, I think both the last speakers have said, you know, it's not really hand-waving, but hand-waving is a good way to say it, because I think we should all recognize the La Brea Tar Pits of a lot of this, right. And, you know, I think it's safe to say, you know, that you are going to be... you know, exactly what I think it just said.

D: You know, your system is going to be automatically creating these things in the future, regardless, you know, but there's a lot of detail, and to my last rant, I think what we can do on that side is help frame how that gets done, you know, if we are capable to look a little bit farther forward.

D: Look at, you know, how the larger-scale integrated system is going to be working. We're going to say, and that's why right now you're going through this process, but Jenkins, because we're just going through this phase where the automation is going to be built into Jake's next version, I mean, and here's how to walk through that.

E: Okay, so I'm making an attempt here to give us a one-paragraph, like a two-line scope. You're a hero, I love it. I've written, I've tried to incorporate what you guys are talking about. I'm just going to read it and see if, I mean, we're even close: "Securing the open source ecosystem will require making the adoption and consumption of SBOM data easy at all levels: source, build and OS." The goal of the SBOMs Everywhere...

B: My one question is that "OS". I mean, that's really it, there's too many things in our world that go "OS". Is that open source? Is that operating system?

A: ...system, let's call it deploy, maybe, because if we look at the current, I think NTIA created it, they... I'm not starting this conversation right now, so dear God, no one comment on this, but they're grouping SBOMs into source, build and deploy, and I know you can argue there's way more stages, but...

A: Let's say another 10 minutes-ish to kind of chair through this, so, I mean, this is good, though. I think defining a scope, that's a big one. So I'm really happy if this is our output for the day, this is great. So.

B: Yeah, I think that makes sense, or we can kind of make a really brief something like this, but we're going to iterate on it, sort of mission, to give us some sort of target. Sure, so long as we all know it's carved in jello.

A: ...buttons anymore, but okay, so we kind of have this description. This came from... it's got some steps. The second section is kind of more missiony, I think, than the first, but I think these three bullet points capture the... what, I guess, would... the first section is maybe the "why" a little bit. So I think something for us to keep in mind, and I don't expect us to do all this right now.

A: I just want us to, like, look at this as a whole, and we can work on it during the week, but this group isn't going to do any of the work, right. That's the understanding: we're going to create plans and suggestions and bring them to the OpenSSF and say, we think this is what should be done, and they can say, you're dumb, go away, or they could potentially fund it, and that's kind of the intent.

B: I think it... you know, at first when you said it, I was like, oh, I don't know, that kind of feels like splitting hairs, but as I look at this document it does make sense that we should, you know, what does done look like for this group? Essentially, right, is this group's purpose to set up the plan, set up the subgroups that will go out and do the actual work, and then, you know, disappear, right. We... our work is...

B: ...here, peace out, we're gone. Individuals can then move into the implementation of the plan if they wish. But this group, as we know it, would then dissolve, and so really defining what done looks like for this group. What is our raison d'être, right? Why are we here?

B: The number 42 sort of crap, but I think that might be kind of a good thing for us to figure out, because if the answer is, if you're here, you're also going to be... once we finish this we're going to have a next stage of things. And my vet is calling, I need to go. Sorry, sorry.

E: Okay, so I took a stab at the mission. "The mission of the work stream will be to encourage collaboration between SBOM producers, consumers and maintainers, identify common barriers to the adoption of SBOM generation, and make recommendations for creating friction-free open source tools that make SBOMs everywhere easy."

D: Yeah, I think it's... it may just be right, it's certainly a solid start. You know, it doesn't give me the epiphany the first one does, but it's logical. It makes sense and, to what Vicky was talking about, you know, yeah, I think it's just thinking out loud. You know, so I... you know, but what I am trying to achieve for myself, and this group maybe, the thing is a vision of the architecture of how this stuff all fits together. You know, SBOMs are, you know, a part of it.

D: And I think once we figure out what that is, it needs to be maintained over time, right. I think this is a sort of long-term issue that, you know, again, some definition of "we" has to, you know, keep an eye on.

C: Oh, it was a... now I'm gonna lower it because I forgot what.

A: I love it, so I think that's a really good point Chris made about the architecture, because to date this document and this group has had an obsession with tools, specifically tools, and I think it's bigger than that, especially if we start incorporating consumption, which we've not talked about in the past. Cameron, you had your hand up for real?

C: Yeah, now I remember, I remember what I was going to say. So one kind of element for us at least, and why this is a point of importance, I guess, from this, like, viewing the working group as something that should be producing very valuable context to inform downstream processes is, from my perspective, I guess, like a worthy pursuit. One, like, we are actually going to enter into a funded effort to do research that I'd like to kick into the open source.

C: So I guess that, yeah, Bunny, any ideas around that?

C: Yeah, so are you saying... are you asking whether those elements are fitting into, like, the cultural component that Tracy put in the scope, or the interoperability component? Yeah, interoperability, because, as we start looking at, a lot like the full life cycle of software, especially when you talk about air gaps being the end kind of state, really defining what elements have to make it all the way through and starting at the source. And that actually is going to be a research effort.

C: So, you know, I don't have any answers to that, but what I would like to do is to be able to bring findings from that effort to this forum.

A: ...these steps, but I think trying to bucket all of this into existing efforts and creating new efforts for each of the items, and we want to rework some of this because, like, for example, we talk about, you know, clients and SDKs, and again this is extremely tool-focused, and I feel like there is a consensus that we want to step away from the tooling a little bit, maybe, and go more towards, I'm going to steal Chris's term, architecture, to describe this, which I like a lot.

D: Yeah, I'll just agree, I think the last comment, yeah. When you start looking at the network architecture, the differences are stark, right, you know, there's not a lot of flow, things are created and then stay in the same place, and until we start thinking in that way, it just... anyways, I think it helps a lot.

A: I agree, and I think to date most of the tooling and even advice has been very, I don't know what to call it, componentized. You know, just very singular: I'm going to focus on this one place. So what I'm going to do now is write kind of a brief explanation of what happened. I want to send it to the mailing list, and I am opposed to having lots of meetings like this one, because I think we should be able to function in an asynchronous manner and work through GitHub and things like Google Docs.

A: So that's what I'm going to encourage. I'm not going to schedule another meeting like this, because I don't want to. So I'm going to write this up. I will try to lay out some of the work that needs to be done moving forward, and then I guess we can kind of go from there, but I really want to make sure we can keep this going, because I feel like this makes sense to me and I like it. So I want to thank you all for the help.