►
From YouTube: Security Tooling Working Group (December 6, 2022)
A
A
Okay,
so
neither
of
us
really
knows
what
the
current
state
is.
I
think
I'm
I'm
part
of
the
chaos
project
and
we
have
a
risk.
We
have
a
risk
working
group
that
focuses
on
some
of
the
things
that
are
related
to
security.
Some
of
the
things
that
are
really
more
related
to
licensing
and
dependency
age
and
I
mean
I'm
a
maintainer
for
a
tool
called
auger.
B
A
A
B
A
I
can
I,
I
can
certainly
represent
the
chaos
Community
and
what
we've
done
another
great
resource
I,
don't
know
if
you've
met
her
is
Sophia
Vargas,
yeah,
she's
she's
at
Google.
She
probably
doesn't
come
to
the
tooling
meetings,
but
I
think
she's
active
on
a
couple.
Other
OS,
open,
ssf
groups
and
she's
she's
been
real
active
in
our
risk
working
group
as
have
I
and
David
wheeler
and
Kate
Stewart,
so
yeah.
A
A
A
D
E
D
E
D
E
E
E
E
Yeah
there's
stuff
out
there
we
haven't
been,
you
know,
terribly
though
Allen
knows
about,
because
he's
Alan
and
I
bam
Facebook
a
whole
lot,
a
little
bit
on
on
on
LinkedIn
there's
a
website
all
got
Tara
I'm,
putting
the
chat.
It's
mostly
just
one
page
right
now,
but
there's
stuff
behind
it.
We're
gonna
turn
on.
E
Well,
it's
a
practical
application
of
all
the
stuff
we're
about
it
started
in
2019
when
I
was
with
Unisys,
you
know,
got
a
bit
of
budget
started
the
Marine
living
Research
Center.
You
know,
Airbnb
on
the
water,
makes
huge
money
in
a
marina
or
on
anchor,
but
it's
just
crazy
people
doing
it,
but
making
good
money
so
I
instigated
someone
making
a
solar
powered
smart
boat
on
anchor
down
in
the
keys
that
makes
400
more
money
because
it's
an
upscale
instead
of
a
budget
hospitality.
E
D
D
D
C
I
wanted
to
basically
bring
the
question
really
just
as
a
question
interest
check
to
this
group
wondering
if
there
is
interest
in
expanding
a
little
bit
again
the
scope
of
the
tooling
working
group
in
terms
of
talking
a
bit
about
security
tooling
as
such
and
again
s-bomb
is
one
part
of
that,
and
that
was
basically
it
it's
an
interest
check
from.
From
my
end,
not
a
fully
flushed
out
proposal.
C
C
Maybe
there
is
a
way
to
connect
this
more
to
the
alpha
omega
project
which
by
itself
again
releases
an
Omega
tool
chain
and
so
on,
so
nothing
new
that
you
guys
are
probably
not
yet
aware
of
anyway.
So
but
again,
I
just
wanted
to
get
a
feel
for
that.
But
again
I'm
wondering
if,
as
you
said,
Josh
the
the
attendance
is
a
little
bit
low,
it's.
It
might
be
better
to
send
out
an
email
to
the
mailing
list
or
to
the
slack
Channel,
to
get
let's
say
a
broader
feedback
on
that.
D
That
that's
great
I
mean
I,
can
I'll
fill
everyone
else
in
on
kind
of
what
I
know
and
where
I
stand
is.
So
this
group
has
struggled
to
get
any
traction
doing
just
something
more
broad,
because
that
was
originally
the
intent
and
when
I
took
it
over
to
turn
it
into
the
s-bahn
group
it
they
were
talking
about
like
just
dissolving
it
completely
because
there
just
wasn't.
D
A
A
D
E
You
know
I,
think
I've
said
this
on
the
in
this
working
group.
I
know,
I've
said
it
in
the
in
yours,
Islands,
yeah,
I
think
this
is
one
of
the
big
issues
you
know
we
need
to.
You
know.
I
was
just
sitting
here
thinking.
I
should
actually
just
sit
down
and
write
a
list
I'm
in
most
of
the
bloody
working
groups,
but
I
don't
know
if
anybody's
actually
written
down
the
working
groups
much
less
trying
to
correlate
them
to
each
other.
You
know
we
need.
We
need
a
map
so.
D
E
E
E
D
F
E
F
C
What
right,
that's
the
one
I've
been
using
internally
a
lot
and
then
people
ask
me:
oh
this
security,
tooling
thing
that
sounds
interesting.
What
are
they
doing
but
yeah?
Maybe
let's
have
some
conversations
with
with
other
folks
to
see
if
we
can
do
something
around
it.
Okay,
but
I
think
that
that
kind
of
covers
it,
I
don't
want
to
hijack
this
and
I
guess
I
wanted.
You
guys
wanted
to
talk
about
the
the
s-bomb
topic
so
good,
let's
see
if
we
can
have
more
conversations
around
this
going
forward.
Yeah.
E
E
D
E
I
was
going
to
say
you
know
so
I,
you
know
I'm
and
I'm
I'm
coming
up
to
speed
on
it,
but
it's
like
this
sort
of
page
I'm
looking
at
here.
You
know
all
sorts
of
stuff
going
on
all
sorts
of
communities
and
threads
and
whatnot
and
John's
John
Johnson
is
a
long
timer
there
yeah.
So
how
do
we
navigate
the
influence
to
connect
those
dots
there,
similar
to
here
similar
to
what
Ellen's
doing
in
the
federal
government
all
across
the
various
touch
points
of
the
supply
chain
top
and
going
on?
So.
D
B
Will
try
to
do
that
as
briefly
and
succinctly
as
possible?
Two
broad
buckets
inside
U.S
government
that
we
try
to
firewall
between
one?
Is
the
government
regulation
side
of
things?
So
this
is
the
executive
order
which
is
ultimately
going
to
require
everything.
The
US
government
purchases
having
an
s-bomb
as
well
as
coordinating
across
the
US
government,
DOD
things
like
that
and
trying
to
make
sure
that
right,
a
random
Army
lab
doesn't
reinvent
this
stuff.
B
B
We
have
five
work
streams
that
support
that.
So
very
briefly,
Vex
everyone
familiar
with
the
idea
of
the
vulnerability
exploitability
exchange,
one
of
the
worst
named
projects
in
infosec,
but
probably
one
of
the
more
useful
ones
right.
This
is
the
ability
to
share
a
machine,
readable
advisory
that
says
that
your
product
is
not
affected
or
a
project
is
not
affected
by
a
vulnerability.
B
Two
Andre
sharing
and
exchanging
s-bombs
Chris
is
involved
in
this
is
heavy
on
the
commercial
side,
but
essentially
there
really
isn't
a
way
to
move
software
metadata
around
at
scale
and
so
right.
How
do
you
sort
of
say,
and
especially
for
s-bombs
right
if
you've
got
a
commercial
proprietary
provider,
they
want
to
share
with
their
customers?
What
does
that?
Look
like
three
and
I'm
going
in
the
order
of
the
calendar?
Not
in
the
priority
three
is
on-ramps
and
adoption.
B
B
Four
is
cloud
much
of
the
discussion
around
how
we're
going
to
use
s-bombs
deals
with
on-prem
software
and
users
of
on-prem
software.
Very
few
people
have
said
you
know
Alan.
The
future
of
software
is
on
premise,
and
so
what
does
this
mean
for
a
cloud
environment?
What
do
customers
want?
How
do
we
deal
with
not
impossible
problems
such
as
right,
Cloud,
Services
change
quickly?
B
D
Cool
and
and
just
to
clarify,
if
you
you,
can
email
them
and
ask
to
be
added
to
the
calendar,
invite
and
then
you
get
to
attend
the
meetings
and
complain
about
Microsoft
teams,
which
is
my
favorite
part,
so
all
right
cool
that
was
great.
Does
anyone
have
anything
else
before
we
get
back
to
the
document
in
question?
We've
been
working
on.
G
G
G
D
I
think
our
answers
are
going
to
be
the
same,
and
it's
that
there's.
We
have
no
intention
of
trying
to
pick
a
format
or
a
winner,
and
rather
it's
an
ecosystem
and
we're
all
going
to
do
our
best
to
cooperate
and
Empower
everybody
like
the
The
View
we
have
in
s-bomb
everywhere.
Is
we
expect
tools
to
take
in
Cyclone,
DX
and
spdx
and
to
Output
Cyclone,
DX
and
spdx,
and
that
is
the
and.
H
D
D
D
G
This
is
useful
for
me,
because
I
was
actually
trying
to
do
something
similar
this
past
couple
of
weeks
and
our
organization
is
more
focused
on
the
security
findings
which
relate
to
Vex
and
I
did
find
that
Cyclone
DX,
for
instance,
has
some
of
these
attractions.
You
can
make
them
part
of
s-bomb
and
I
wasn't
able
to
to
do
this
with
spdx,
but
it's
it
sounds
like
you're
saying.
The
goal
of
the
group
is
really
to
enable
the
standard
and
just
make
this
happen.
So,
let's.
B
Go
ahead
so
so,
unfortunately,
the
true
data
formats,
the
leads
of
some
of
the
data
formats,
don't
necessarily
play
well
together
and
there's
perhaps
a
little
too
much
strategic
competition
between
them.
I
think
one
of
the
things
that
we
as
the
community
can
do
is
say,
do
what
you
want,
innovate
what
you
want
we're
interested
in
a
core
interoperability
model
and
if
you
want
to
add
more
features
as
a
competitive
thing,
that's
great,
but
we're
going
to
focus
on
the
basics
to
scale
it
for
the
entire
ecosystem.
G
That
that
makes
a
lot
of
sense
and
then
I
guess
then
I
that
answers
my
my
question.
I
do
have
a
quick
follow-up
where,
as
far
as
scope,
so
Vex,
for
instance,
is
usually
used
for
or
csap
or
something
like
that.
It's
usually
used
for
incidence
response.
While
a
lot
of
the
s-bomb
things
that
you
see
in
the
industry
are
you
know,
pre-production
pre-shipping,
you
know
gather
the
bill
of
materials.
Put
it
in
one
place.
Are
we
trying
to
get
a
format
that
captures
everything
like
the
entire?
As
they'll
say?
G
B
So
the
fun
part
of
s-bomb
is
right.
It
really
does
affect
the
entire
life
cycle
of
software.
No
one
should
be
making
software
without
knowing
what
they
have.
Once
you
have
an
s-bomb,
you
can
implement
it
into
a
lot
of
great
use
cases,
compliance
vulnerability,
management,
all
sorts
of
fun
things.
What
we
want
to
do
is
sort
of
foster
that
the
current
state
of
play
is
that
s-bomb
generation
is
necessarily
well
ahead
of
s-bond
consumption,
because
until
recently
no
one
had
piles
of
s
bombs
sitting
around.
B
So
why
would
anyone
pay
for
a
tool?
Why
would
anyone
spend
time
working
on
an
open
source
project?
That's
starting
to
change,
as
people
are
sort
of
realizing
this
and
so
I
think
again,
what
we
want
to
do
is
emphasize
the
interoperability
across
the
supply
chain.
At
least
that's
that's
my
take
on
how
we
can
do
this
and
then
tying
it
back
to
s-bomb
everywhere.
I
Just
to
say,
in
addition,
that
I've
been
working
on
a
research
and
Tooling
in
that
area
and
what
we
try
to
achieve
is,
at
the
end,
to
have
an
s-bomb
that
that
has
as
much
data
as
possible,
combining
the
analyze
build
time
and
other
types
of
face
bombs.
So
I
think
this
is
the
long-term
goal
and
there
are
gaps
in
producing
every
s-bomb
type
on
the
path
and
how
we
are
working
on
some
tooling.
That
can
generate
build
time
and
package
time,
which
is
missing.
I
I
I
D
All
right,
I'm
going
to
open
this
document,
then
I'll
paste
it
in
the
chat
for
anyone
who
can't
find
it
because
there's
too
many
links
and
all
this
stuff.
So
this
is
the
thing
we've
been
working
on
for
a
couple.
It's
been
like
a
month
now
or
more
I
think,
but
basically
the
structure
we
have
is
to
define
the
the
s-bomb
everywhere
like.
Why
are
we
here?
Why
are
we
doing
this?
D
And
the
group
has
gone
through
a
handful
of
changes
since
its
Inception
and
it
was
announced
as
part
of
a
larger
I
forget
what
they
called
it.
The
the
Linux
Foundation
had
their
work
streams,
but
basically,
if
you
look
towards
the
bottom
here,
some
of
these
requirements,
that's
the
I,
think
the
approach
and
requirements
are
still
the
old.
D
And
basically
the
group
has
come
to
the
consensus
that
we
don't
expect
the
s-bomb
everywhere
group
to
actually
do
any
work.
We
want
this
group
to
you
laugh.
It's
I
mean
it
you'll.
It
makes
sense.
Our
intent
is
to
spend
money
like
the
open.
Ssf
has
money
to
spend
on
some
of
this
stuff.
So
we
want
to
connect
some
of
the
projects
with
funding
that
might
need
them.
D
Like
an
example,
is
we
the
the
spdx
python
Library
needed
help
and
the
open,
ssf
paid
I
think
it
was
like
250
Grand
or
something
to
fund
bringing
the
python
spdx
Library
up
to
Snuff.
So
it's
like
a
proper
good
library.
Now
that
people
can
use-
and
there
are
other
libraries-
obviously
that
that
have
these
concerns-
so
that's
one
example
and
then
also
we
have
an
interest
in
a
landscape.
D
D
It's
just
a
nice
way
to
categorize
various
companies
and
tooling
into
what
they're
doing
and
how
they
work,
and
we
think
having
something
like
that
for
s-bomb,
not
just
open
source
F-bomb,
like
literally
the
entire
s-bomb
ecosystem,
could
have
value
and
part
of
that
as
well
is
cataloging
some
of
these
groups
and
how
they
might
fit
together.
And
this
kind
of
goes
back
to
what
you
know.
D
D
We
put
some
effort
into
this
last
week,
two
weeks
ago,
to
kind
of
Define
everything
we're
going
to
ignore
the
kind
of
Overview
at
the
moment,
which
is
really
just
describing
what
an
s-bomb
is
for
the
most
part
here,
but
then
we
get
to
the
the
scope
and
now
I
guess
one
other
thing.
If
anyone
wants
to
just
feel
free
to
throw
comments
or
suggestions
into
the
document,
you
don't
like
need
to
ask
or
anything
it's
it's
pretty
pretty
easy
going
here
so
anyway.
D
This
is
the
scope
we
we
hammered
on
this
a
bit
and
we
settled
on
production,
distribution
and
consumption
of
s-bomb
right.
We
and
we
specifically
called
it
ecosystem
because
we
don't
want
to
do
it
and
I
think
this,
like
ties
into
some
of
Alan's
working
groups,
that's
cesa!
Where
there's
people
doing
this,
so
we
want
to
make
sure
we
connect
the
right
people
to
the
right
places.
G
D
D
D
Yeah
I
mean
that's
a
fair
question:
we
we've
been
yeah,
yeah
I
mean
so
kind
of
the
some
of
the
background
there
Alan
is
there's
been
a
push
by
the
group
in
the
last
couple
of
meetings
to
focus
more
to
to
put
effort
into
consumption
and
So
that
obviously
consumption
is
a
problem
for
many,
but
obviously
everywhere
denotes
creation
as
part
of
Open
Source
projects
and
so
I
think
that's
a
fair
point.
I'm
going
to
add
a
note.
B
B
B
J
Yeah
this
is
Tracy,
I,
don't
want
to
be
self-serving,
but
I
think
everybody
should
be
aware
that
artillius
who's
incubating
at
the
continuous
delivery
Foundation
is
focused
on
centralizing
s-bombs
and
we
did
get
a
small
Grant
from
Ripple
to
create
an
immutable
s-bomb
blockchain
that
we're
working
on.
That
would
be
a
public
public
chain.
But
we
have
don't
have
the
funding
to
create
a
centralized
location
to
support
that
SAS
version
at
this
point-
and
we
haven't
gotten
that
far,
but
we
are
working
on
that.
B
J
Sure
yeah
and
it
is
a
very
inefficient
just
there's
a
lot
of
data,
which
is
why
we
decided
to
look
at
the
blockchain
solution
and
we
yeah
blockchain,
believe
it
or
not.
There's
ways
you
can
make
that
depart
more
efficient
than
a
than
a
database
and
I'd
be
happy
to
walk
through
what
the
architecture
looks
like
in
order
to
consolidate
data
like
licenses
and
information,
that's
repeated
over
and
over
and
over
and
create
that
blockchain.
E
I'd
love
to
get
ready
on
all
that
as
well
right
and
you
know
which,
which,
as
you
say,
I
would
probably
take
a
you
know-
be
a
lively
conversation
right
now,
but
maybe
that's
not
the
not
the
exact
best
time
for
it.
So
but
the
but
Tracy
I
have
to
ask
you
at
the
same
time.
This
topic
comes
up.
You
know,
I,
find
them
I.
Think
it's
fundamentally
impossible
that
there
will
be
a
centralized
database
now.
Will
the
US
federal
government
will
other
people
other
governments
you
know
create?
E
J
Let's
put
it
this
way,
the
way
we're
approaching
it
is,
let's
say,
for
example,
if
the
Linux
Foundation
had
a
high
level
domain
and
we
could
and
kubernetes
had
a
domain
under
that
your
every
release
of
kubernetes.
You
would
see
a
what
the
cves
and
the
s-bombs
were
for
for
kubernetes
and
you
could
see
the
history
of
it
over
time,
so
you
would
know
if
you
ever
had
a
vulnerability
in
the
past.
J
D
J
J
J
Trying
to
make
it
easy
for
people
to
see
if
they
have
an
environment-
let's
say
they're,
their
entire
environment
has
kubernetes
at
the
bottom
level.
They
may
be
using
some
other
tools
in
between
there
and
then
they
have
all
of
their
application
Level
at
their
their
their
container
s-bombs.
How
do
they
create
a
full
view
of
s-bombs
across
their
organization?
Do
they?
Are
we
expecting
them
to
go?
Collect
them?
J
Go
to
the
kubernetes
team,
find
the
s-bomb
from
there
go
to
these
other
tools
find
their
Spawn
from
there,
or
can
we
do
something
that
allows
them
to
aggregate
that
information
up
easily
to
say
to
the
US
government?
Here
is
what
we
are
using
and
here's
what
we're
dependent
upon
and
here's
a
complete
picture
of
what
the
the
dependencies
are.
This
is
what
it
looks
like
go.
J
I
say
that
considering
a
person
who's
been
in
the
build
space
forever,
that
being
able
to
aggregate
it
up
in
one
big
report
is
going
to
make
the
use
of
s-bombs
a
lot
easier
than
asking
people
to
go
out
and
collect
it
themselves
and
to
collect
it
for
every
release
when
releases
happen
all
day,
long,
we're
not
in
a
monolith
world
anymore,
we're
in
a
microservices
world.
So
things
change
on
a
very,
very
high
frequency
basis.
J
Now
kubernetes
might
not
change,
but
your
application
level
does
and
we
want
to
be
able
to
pull
all
of
that
information
up
into
one
one
full
report
that
everybody
can
see
where
the
vulnerabilities
are
and
what
the
s-bomb
looks
like
not
just
for
kubernetes
but
for
the
entire
stack.
That
of
application
runs
on.
E
Well,
it
was
Sarah
Evans
from
Dell
just
popped
in
and
reminds
me
into
the
in
the
chat
right.
So
there's
so
many
layers
of
this
right
and
I
think
at
the
highest
level.
As
I
said
earlier,
I
I
don't
think
it's
even
conceivable.
There
is
going
to
be
a
repository.
You
know
for
the
entire
universe,
for
the
entire
planet,
every
every
piece
of
everything
but
I,
think
actors
like
the
US.
E
You
know
the
US
government,
you
know
this
ecosystem
and
so
forth
will
do
things
like
Tracy
you're
talking
about
now,
which
is
probably
a
good
thing
and
I
think
for
the
working
group
perspective,
whether
it's
this
one
or
you
know
it's
sisa
or
whatnot.
Our
real
goal
is
to
figure
out
the
architecture
where
people
can
do
those
things,
and
you
know
so,
Tracy
a
d-bomb
I,
don't
know
if
you
know
about
that.
I'd
love
to
have
a
side
conversation
about
that.
E
You
know
how
we
share
all
this
and
so
forth
is
a
fascinating
topic,
but
I
think
from
working
group
perspective.
We
want
to
say
you
know
the
traces
of
the
world
will
do
these
things
yeah.
This
is
fairly
inevitable.
You
know,
is
that
good
or
bad
I
don't
know
right,
you
know
work
through
this
and
how
do
we,
you
know?
Not?
Should
you
you're
going
to?
How
does
that
work
and.
D
I
want
to
reel
this
back
in
because
I
think
this
is
a
really
interesting
conversation,
but
I.
Don't
think
this
is
the
right
place
for
it
thanks
Adam.
Thank
you,
I
appreciate
you
showing
up
and
and
Alan
that's
a
point
about
for
anyone.
Just
read
the
chat
about
s-bombs
and
Vol
data
living
near
each
other,
but
I
want
I
want
to
reel
this
back
into
the
document
here
versus
ortelius,
which
I
I
think
I
Tracy.
Do
you
have
like
Community
meetings
or
something
people
can
attend
just
on
the
website?
Oh.
J
Absolutely
yep
and
I
want
to
point
out
too
in
the
in
the
conversation
you
had
before,
I
think
that
what
you
said
was
was
spot
on
that
we
don't
do
anything
right.
I
know
it
sounds
weird,
but
I
believe
if
we
were
to
take
a
look
at
this
all
of
the
open
source
projects
that
are
currently
under
the
Linux
Foundation
that
have
been
born
since
be
prior
to
the
open
ssf.
J
There
may
be
a
good
set
of
open
source
tools,
that's
already
incubating
at
the
Linux
Foundation
that
we
should
be
looking
at
and
determining.
If
it's
you
know,
making
potentially
making
recommendations
or
helping
them
go
through
the
process
of
of
solving
some
of
these
problems,
because
I
I
haven't
looked
at
all
of
these
tools,
but
I
do
know
that
they're
out
there,
because
the
open
ssf
was
sort
of
late
to
the
party,
a
lot
of
tools
went
into
the
cncf
and
then
when
we
came
along,
we
wanted
to
do
security
stuff.
A
A
J
So
there
may
be
some
tools
out
there
that
you
know
this
group
could
already
begin
to
look
at
as
in
as
a
2023
goal
and
I
think
it's
spot
on
to
say
that
we
shouldn't
do
anything
ourselves,
but
we
should
be
bringing
in
these
tools
and
categorizing
them
in
that
landscape,
which
is
going
to
be
a
tough
task,
but
there's
going
to
be
a
whole
new
category
of
you
know,
tools
that
are
addressing
security
and
I.
Think
that's
a
great
idea.
Yeah.
D
D
Central
data
storm,
but
man
it
is
going
to
be
a
hard
sell,
I
think,
but
all
right
all
right,
I
want
to
I
want
to
jump
back
over
here.
So
we've
got
like
five
more
minutes
before
a
little
more
before
we're
out
of
time.
For
this
this
call
and
every
meeting
I
ask
people
to
look
at
the
document
between
the
meetings
and
and
they
never
do,
which
is
fine,
we're
busy,
but
I.
D
A
D
All
right,
all
right,
so
we've
got
our
approach.
I
I
think
Alan
brought
up
and
I
really
like
this-
that
the
the
s-bomb
everywhere
aspect
of
this
is
not
being
addressed
today.
I
think
we
got
a
little
derailed,
maybe
into
the
the
consumption
side,
which
is
fine
but
I,
don't
know
if
this
group
is
going
to
solve
consumption
either
I
think
I
think
there's
value
in
seeing
open
source
producing
good
s-bombs,
which
there
are
not
very
many
projects
doing
that
today.
D
E
I
F
I
A
Yeah
I
have
one
of
them
that
I'm
a
maintainer
for,
but
I
wouldn't
put
it
forth
as
a
solution
to
the
s-bomb
problem,
because
what
the
I'm
hearing
a
little
bit
of
this
lack
of
coalescence
around
A
single
standard
for
drug
generating
s-bombs,
so
I
I,
heard
earlier.
That
SPX
is
not
generally
accepted
as
the
only
standard
for
expressing
the
s-bomb
as
an
outsider.
One
of
my
Curiosities
would
be
is:
do
you
have
a
list
of
the
other
proposals
that
are
out
there.
A
A
D
F
D
D
D
D
We
will
talk
about
what
to
do
with
them.
I
guess
later,
and
this
is
something
so
you
know
what
this
reminds
me
of
is
I.
Had
a
friend
at
the
Apache
software
Foundation
come
to
me
some
time
ago
and
basically
said
we
want
to
make
us
moms.
How
should
we
do
it?
There's
no
guidance
telling
people
like
you
should
make
spdx
and
Cyclone
DX
and
do
a
thing
with
them
and
I
think.
Well,
that's
not
true,
because.
D
The
maven
folks
were
here
a
couple
weeks
ago,
and
they
pointed
out
like
Maven
has
a
way
they
do
it
and
npm
now
I
think
has
a
way
they
do
it
and
every
ecosystem
is
doing
it
different
and
so
I,
don't
I,
don't
know.
If
we
have
that's
going
to
be
the
challenge.
I
guess
and
that's
probably
something
for
us
to
think
about
is
every
open
source
ecosystem
is
going
to
want
to
do
it
their
own
way
and
it's
very
open
source
like
if
we
say
you
should
do
it
our
way.
D
We
know
how
that
story
ends
right
like
they
don't
we
they
give
us
a
finger
and
then
they
go.
Do
it
their
own
way,
which
is
cool,
I
mean
it's
open
source,
but
that's
probably
something
we
need
to
think
about
too.
Is
how
do
we
Define
the
goal
right?
Because
the
goal
is
an
s-bomb?
The
goal
isn't
to
tell
people
how
to
do
this.
D
H
I
think
this
is
Sarah
Evans
from
Dell
I.
Think
one
of
the
things
we've
been
talking
about
is
understanding
the
consumption
in
parallel
because,
as
the
adoption
and
the
consumption
of
s-bombs
evolves,
that's
going
to
be
very
helpful
information
for
us
to
understand
across
our
technology
stack
and
then
also
to
be
able
to
influence
some
of
those.
You
know,
while
we're
not
building
anything
if
we're
defining.
If
this
group
is
defining,
you
know
the
goals
of
an
s-bomb
being
able
to
have
that
evolve
over
time.
This
is
how
customers
are
using
it.
H
D
H
H
It
might
be
that
they
are
more
suited
to
it
and
we
just
have
awareness
and
visibility
to
how
that
evolves
in
this
group
and
the
spirit
of
not
creating
anything
new,
so
I'm
totally
flexible
to
that.
I.
Just
know
that,
whichever
group
it
ends
up,
Landing
in
we'd
want
to
maintain
visibility
that
we
we're
trying
to
contribute
that
to
understanding
in
general,
yeah.
D
Yeah,
100
percent,
okay,
all
right
we're
out
of
time,
but
this
has
been
immensely
valuable
I'm
going
to
clean
this
document
up
a
little
bit
I'm
going
to
see
about
getting
my
my
acid
gear
for
that
that
landscape
funding,
because
I
think
having
a
landscape
would
be
very
valuable
to
help
untangle
some
of
this
and
then
I
guess
if
I
would
truly
appreciate
anyone
taking
a
look
at
any
of
this
and
asking
questions
or
adding
comments
or
anything.
If
and
if
not
I
guess
are
we
do
we
have
a
meeting
in
two
weeks.