From YouTube: Security Tooling Working Group (February 28, 2023)
B
Yeah, no, I've had it done before too. It is, it's so weird, like, a sensation, and then, yeah.

B
No, yeah, oh well, yeah, wow, man, I didn't realize. It's because it's starting to warm up a little bit here in the DC area. So that's crazy. Well, I hope it, hope it gets better for you, and quickly, that'll be all good.

C
And it was written at too low a level from Brian's perspective, and so he was volunteering, you, I think, to write the blog post. Have you been given access to the document that they've got right now? Oh, fine, I will connect right now and then, if you want to draw the, if you want to sit and work on the blog post today, I will happily chime in from the sidelines to help try to push this through, so we can get this up there. Yesterday.

C
And the more people that can bang on it right now and help us find any issues, this already will get. The other thing that is happening in the code base is they are working on prototyping the 3.0 model right now, and so we're getting the J, we're getting the JSON prototyping going on in parallel, and they're looking for people to participate on that too.

C
Oh, we'll be looking for other languages too. If there's someone who's got, you know, skills, to try out the model and try out the modeling and the serializations for the modeling in the other languages, yes, please. But we wanted to at least have one place where we could make it solid and put things in front of people, yeah. That's.

C
Zephyr's been doing it for about two years now. Okay, and in fact they generate three SBOMs out on every build. So just a second here, let me, I guess, let me open up a window and I'll start to give you guys a bit of a tour, there's a, if there's nothing else, while we're waiting for other people to join.

C
Okay, but including, you know, some things in RISC-V as well, most of them being ARM boards and things like that, but as you go to some of them, you'll see that they're either fast built or generated, and anything that's built in past for certain.

C
It's free SP, so it's got its binary. It's got the ELF image. It's got a lot of the other, some of the data around it, and then it also has three SBOMs in there. It has two source SBOMs: one is for the application, one SBOM for the Zephyr sources that were used in the build, and then one SBOM that's a build SBOM that links the .o's back to the sources. So you can refer into these other directories. It's very modular!

C
That's really cool, and so it was, it was some instrumentation that happened in CMake as part of the west build for Zephyr, and so that's there and is in use. The other place that's doing this is, and Yocto will also build the.

C
Yeah, this is all there and, you know, people can go and explore this, and then there's a variety of, anyone who's sort of working with Yocto and both, they're both this and Yocto. This is one, running one command to sort of tell it to record some stuff before you do your build, so it's eminently scriptable, and in Yocto it's changing some, some parameters in a conf file for the build infrastructure. So it's not a big overhead and you get it out automatically.

C
It's, the build system for Zephyr is west, and it basically is a shell around CMake to make it easy for people to pull all the pieces in for an embedded module, nice, and so here, let me just sort of, let me show you the two. So there's this app one, and it was, I think we did dining philosophers first, and so it's a pretty small little SBOM here where it just says.

C
Okay, it's got, gives it a namespace, and the combination of the namespace and the SPDX ID within that namespace, and what's, what makes it globally unique?

C
So you can refer from one document to the next. Okay, we're using the namespace linkage, and these are the app sources, and there's just a main file, so pretty small for the C files for the, you know, for this. But this is the source one, and then, if you looked at your Zephyr one again, this is another source one, we've got a lot more stuff. Again, it's got its own unique namespace, and it also has all the licensing clarified and the files, specifically from the .c's, which are all hashed.

C
You'll see that there is an external document ref to the app one and to the Zephyr sources, and so you'll see things are generated from the files in these types of sources. So that's how the linkage happens between these documents, and so you can be very modular about keeping information local to its own scope, which makes it much more understandable, and you have a prerequisite. So you have the prerequisites and then you basically are, you know, this has been generated from this .c.

C
So your libapp.a was generated from the C, and this is how it was created, and then you have, you know, the handles and various things from the Zephyr sources, etc., on what the prerequisites were and so forth, and so you're basically, you know, looking at the core .a has been generated from exactly these files out of Zephyr, and you see it's DocumentRef-zephyr and then it's a reference into the Z file, so that document ref you saw in the other thing.

C
You eventually get your, your pre-zero, which has your prerequisites, and then you have your ELF image, which is dedicating all these things together.

A
All right, let's get this, let's get this show on the road. If everyone hasn't already, if you can sign in, the sign-ins and the agenda, I will paste that. We'll, we sign it into the tools agenda, even though we mostly talk about SBOMs here, but there is one more link to the agenda. Sign in if you haven't, and then the first item on the to-do is introducing yourself. I will paste my intro.

A
That is not my intro, and then we'll get cracking. We're gonna, Dan's the star of the show today, yeah, oh, all right, and then I'm happy to share my screen. As I'm slow today, I apologize to everyone, I had my eyes dilated a couple hours ago, and so seeing is hard. I'm sitting in the dark, also, which reminds me of when I was much younger and sat in the dark all the time, but not anymore, so, okay, cool. So here's the, the tool agenda before we go right into SBOM Everywhere.

C
We're trying to have a tooling mini summit type of deal, that's from, between summit at Open Source Summit North America in Vancouver in May. So if you're interested in working on things together to compare notes on tool imports and things like that, by all means reach out, there'll be more details. We're trying for the Monday afternoon before the conference starts.

E
Said, yeah, she, she said she's, she said she's running late. She has another commitment that is kind of like, but she might be able to join halfway through. The first half of this document is kind of notes. So if you scroll down a little bit, like, and then make it here, then yeah, then you can find, right. I think where we started with problem statement is where we actually are, so again.

E
This is trying to echo the approach that the best, best practices took to their kind of mobilization plan statement, you know about, and, and kind of restate a little bit what the work stream is going to work on.

E
So we, we, Sarah and I, worked on a problem statement document, or a problem statement, you know, paragraph here talking about the uncertainty, you know. There's uncertainty in the ecosystem regarding the role that SBOMs play, the specific use cases they fill and the way that they fit into the software development life cycle. So this is all about seeking to clear up confusion, articulate consensus on a tech-neutral view through member contributions and OpenSSF-funded activities, right. So that's just basically bread and butter.

E
Rather than any particular thing. So if we go down a little bit further to action plan, right, so the first thing was mapping the, you know, this is, this maps to other ways that we've also talked about this work, but mapping the SBOM landscape.

E
All things SBOM, develop an SBOM landscape document. This is one of the things that I think you, as you indicated, we should be seeking funding on, yeah, and linked to standards, tooling and SBOM user needs.

E
So this is a key point that, that also links to the, the other agenda item that I put into today, that are, I suggested for today, which was putting a real emphasis on documenting user needs from different, from the perspective of different users of the SBOMs, right, because I think this is a conversation that we keep coming in again.

E
When we, yeah, so like having it and some, and, you know, I think some communities have, are already articulations of personas and user needs for SBOMs, but I think we really could do with bubbling that up and having this kind of higher-level view of what those personas are and how the SBOMs are helping those people in each, in each, each case. So that is what that bullet point three there is all about, then.

E
So yeah, a user needs matrix and talking about tooling, right, so I'm gonna skip down to bullet point two, which is establish an OpenSSF tool chain for SBOMs, right, and this is about, you know, coming back to the sterling tool chain vision for OpenSSF, and, you know, what does the tool chain mean? It means, it could mean things that OpenSSF curates. It could mean things that we, that are donated to OpenSSF.

E
It could mean stuff that's out there in the community that we're just, we, we're just pointing to, and then so. Let me see here, and I didn't yet look at your suggestions, Josh, I have to say, I'm sorry, but if you want to speak to them, feel free.

A
Oh, no worries, nothing. I've said, I don't.

A
Don't even remember now more at the moment, oh, identify, wait, which one did I put this on, and if I, oh, contribute, yeah.

A
Now that, the way you just described this, I think I misread that, because you're talking about existing tools airlifted into the OpenSSF here, right, yes, versus creation of new tools, so I.

E
Well, I'm talking about things, yeah, I'm not talking about creation of new tools, in fact I don't think, yeah, I am talking about, you know, like, what's the word I'm looking for, maybe if one of the member companies that is involved in this work stream already has an internal tool that they're using, then this work stream could be a way to encourage that member company to, to open source that tool and donate it to OpenSSF.

G
Yeah, just to note, I, I've spoken to too many companies about our tools. I, there will be very few tool company tools, opening their tools, because the problem is a lot of the tools are very company specific, and so what we have done is basically, we have taken their ideas and incorporated them in open source tools. The limit is that I, I know I have to talk into Cardinals, probably 40 to 50 companies over the last couple of years about SBOM tools.

E
Yeah, I mean, point taken. I think that's, I think that it may, I, I was just pointing out a possibility under which it might look like we're creating a tool, but actually it's not, we're not creating a tool. We would be encouraging the contribution of some other person's tool, but only if it, well, some other organization's tool, but only if it's appropriate and, and, yeah, not specific to that organization, but, but applies across the industry.

E
Okay, establishing SBOM best practices, writing down best practices around use of SBOMs. This is very much aligned with the work that the best practices working group is already doing. So I would see this as being kind of a joint piece of work, or, and then SBOM education, so I think we need an SBOM primer.

C
Would say that the, I think there's two personas that are very different here.

C
I think it's the same person, but nonetheless I think there's two pieces of evidence that you're aiming at here. The persona for developer, developers just cares about how do I do it? What do I do? The decision maker is, how does this fit into a strategic view, and how is this going to save me money in the long run? And I think those are two different types of documents in education.

F
Before we go down this path, can I push back a little bit and ask the, because obviously I'm, heart, I'm the last person opposed to, to, to education, but, but has this already been done? Yeah, I guess that's it too, I mean, well. There, we've.

E
Don't know, I mean, I, I've read a lot of that material, you know, that's per that, and then I sat down and I, and I saw this presentation, or a number of the presentations from that, that were given at FOSDEM around SBOMs, including the one from Siemens, which, you know, sticks out of my head, and, you know, they were saying stuff that I hadn't heard before, because it was about their specific use of SBOMs.

E
Talking about, like, use cases, right, like the fact that, like, for instance, Siemens were talking a lot about how they're using SBOMs for, for license compliance issues, because they have, they have huge legal compliance issues around licenses, and so that's something that, that is a different take on SBOMs that I, if you read some of the other material that's available, you wouldn't see. So I think there's still a need to kind of bring together.

E
Some of these use cases and user needs that are, that are across different parts of the industry, and, and, and have them in a neutral space that is not a US Government space or a, or a, you know, yeah, anyway, a neutral, more, more neutral.

G
What is missing from the educational material, and is like where I get so many questions about Europe, is actual practical processes, actually applied knowledge of SBOMs, generating SBOMs, yeah. That has been known. Why we need SBOMs, yeah, you can find it, but actually how to apply it in your organization's processes and food you need to align with, that's the biggest gap. How.

G
It's, it's generate, pretty much everybody figures out. It's the whole process around it. How do you produce high quality SBOMs? How do you make a process that includes your vendors and your, and your developers? How do you align this with the various stakeholders within your organization so that everything works together? Okay.

F
I mean, that, that's a different, that's not just a, hey. You know, that, that's not.

A
I just added that, Thomas, to the best practices section, because I think best practices and edu, I, I would assume, and this is, someone smarter than me can answer this, I would assume that best practices we create feeds the education, yeah.

A
But so the one other thing, this is for probably you, David, because you're the OpenSSF assistant, well, maybe Kate, you might know too. So, when I read Dan, what, what Dan and Sarah wrote on education, the first thing that popped into my mind was funding. Education is hard, right, because, I mean, it's just one of those things, but like the Linux Foundation has training and certification, where there's, you know, people pay, and then I assume that money helps fund new content. Is that, like.

F
We have, in fact, a whole department, training and certification. They can.

F
Actually, that's not true: they, they have and do plan. They do occasionally contract it out. We've, actually, we've actually had a number of courses where it's contracted now, but, but the, but your overall point still stands: there's a department that does training and certification in, in the LF, and what they're focused in on is given content.

F
They do sometimes hire it out, but you, the usual process, which is what Kate's hinting at, is the expectation is that somebody else is going to create the content, and then, that's good, there's going to be a coordination process to get that deployed, and I would encourage, if you're trying to create some education content, work with LF T&C or whoever you're going to be working with to find out.

F
You know, how to get deployed, because you can build your own deployment platforms for the stuff, but it turns out, like anything else in operations, making something run in operations and keep it, keeping the lights on, is a big pain in the butt, and you much, it is much better to let somebody else who actually does that as their real job deal with that. So, you know, the, the course on how to develop secure software, I was the primary author with lots of help and review.

F
Yeah, and in fact, if I may, because I, I, I've dealt with this process, so I am intimately familiar with it. Let me link off for those who aren't familiar with the Secure Software Development Fundamentals courses, typically just called the Developing Secure Software course. But basically, if you go to that link I showed and you push the big button, you'll end up at the LF, the Linux Foundation's training and certification platform, where you can just go start.

F
However, the content is posted on GitHub using a CC BY license, so anybody can grow, in markdown format, so anybody can take that and tailor it, extract it. You know, they can copy it out and do whatever they want. They just have to give us credit is all, and that's, and if they want to propose changes, they go to GitHub and make a pull request and say: hey.

F
You should change the content this way, add or change or whatever. So the, the one exception, and it's because there are cheaters, is we can't release the, you know, if there's like a test for a digital badge, we can't publicly post the, the test, because there are bad people and they make everybody's life more miserable, but other than that we can post it.

E
That your intention, yeah, yeah, yeah, yeah, absolutely, that's the, that's the, that, and, you know, just to be completely transparent, you know, Snyk have an education work stream, right, so we would be keen to make use of any of this material around SBOMs in our own education materials, and, and so that, that, I just want to make sure that we're, I'm sure every, or many other companies that are, and other, others outside the OpenSSF as well.

E
So, you know, we would like to make sure, we want to make sure that that's available as widely as possible. I think, yeah.

D
Okay, I can go first. So for the education, I feel that there are already actually a lot of materials out there, like, for example, if we go for CycloneDX, then there's all kinds of documentation you can find for CycloneDX, then the same goes for SPDX, and I think what's the question here is actually the vast quantity of the materials, and it's hard for one to navigate its way across this vast ocean of dotted messages here and there, that, so I feel the education here.

D
It should be in the form of kind of providing a guidance for a person based on the certain user needs modeling. So, for example, if I'm like a company, I have this application and I need to care about, like, the compliance side of the product.

D
I need to care about what kind of, what kind of SBOM document is the most suitable for my own use case, and it would be great if we can have, like, an education in the form that it provides, or the, the, the, the pointers to the information when we want to have more details regarding that aspect of the SBOM, and then it can also give us at the same time a kind of guideline based on what I, or why do.

D
I need SBOM, and if I need the SBOM, then what that helps me with, what, with, with best choice for me for this one, and what be the practice, this I should, in general, follow when I deal with SBOM.

D
So instead of, like, providing just information, it's more like organizing these already existing information into more meaningful chunks and categories, and then navigate one through this information based on what one needs out of SBOMs.

F
Yeah, so, first of all, I completely agree. Please don't reinvent the wheel, you know, start, man, I always start with education first, show to me. You know, first look and make sure that it doesn't, or, exist. That said, if there is something, if something doesn't exist, and I mean in the broad sense, you know, maybe the materials exist, but there's a problem with it in some way, in general, how the OpenSSF works, for those who aren't familiar with it, is, although we can develop from scratch.

F
If somebody has a starting point that can help us, we are always delighted to just, I'll pick on specifically for education. We developed a course. However, we know that Intel has some interesting related courses, and so we're negotiating with them, for they're, they're planning to, you know, basically remove some of the Intel-specific stuff and talking about specific areas like, you know, hardware software co-design, so in developing secure software.

F
That way, you know, in that situation, so, so we're always delighted to, if somebody has something that's a, there's some issues, but the starting point, we can go from there.

A
All right, Dan, why don't we keep going, we're running out of time? I think that's it! Oh, and then we have a proposal summary, right, of summary, difficult election.

E
Yeah, yeah, I mean, that's, that's really, that's where we've got to, so yeah. This is all, this feedback is great. Sarah and I have a meeting scheduled next week. So what we'll do is we'll try and chomp through this and, and come back with a more fleshed out document. Okay.

A
I, I guess my ask, then, for everyone is, if you haven't looked at it, take a look, it's in the agenda with that kind of thing. You turn that somewhat normal. It is this one, cool, all right, I want to jump down to Dan's other thing, you added the documenting SBOM user needs, and we talked about this a little bit just a minute ago. But do you want to kind of discuss more what you were thinking?

E
Yeah, it's something that, this came out of a discussion that we were having in, internally, and Max and Chuchu were also, were also involved in it, and we basically, yeah, we, we were really feeling that we needed to write that a, a valuable output of this work stream could be a high-level documentation of user needs against personas, so that we are clear about, when people are using SBOMs, why they're using them, and the other thing that really, that.

E
Is related is that we started this discussion thinking about SBOMs in Scorecard, right. So there are these different, these GitHub issues that I pointed to here, which are talking about SBOMs in Scorecard, and it sounds great.

E
Okay, we'll add SBOMs into Scorecard and that'll make Scorecard even better, but it really occurred to us in, while we were talking about this internally, that the user needs seemed to be a little bit unclear, not that it didn't exist, but just that we wanted to make sure that we were all on the same page with regard to what the user need is when it comes to SBOMs and Scorecard, and I guess you could say the same thing about, at, you know, tools in general, you know, what, what some of the user needs are, what, what is excluded, what, what?

E
What SBOMs don't do, right, and I think that's particular, particularly becoming an issue as the concept of SBOMs proliferates, and like many tech buzzwords, people start to pick it up and think that they can apply it to their situation, it doesn't really apply. So what is it? What are they good for? What are they not good for? I think is, is kind of the, the two cent, the two, the, whatever, the summary.

E
So if, yeah, I mean, if people agree, then I think it could kind of be part of the landscape agenda that we've been talking about, you know, documenting the SBOM landscape, and again, we do see SBOM user needs that are articulated with specific SBOM implementations or specific tools, but what we, but, but we don't really have a document which talks about SBOM user needs from a general perspective.

E
I, I guess it would be the, the best practices need to map on to what those are, right. You know, but it's not like the best practices, here's how to use an SBOM to do this, a user need is, you know, user wants to do this, and, right, so, you know, it starts with the user. It starts, it starts with the user, right, and the user being, in this case.

E
Maybe it's a developer who, or maybe it's a, an ops person, or maybe it's a, a CSO, right, and, you know, they want to achieve this goal. What's the goal the user is trying to achieve? So I see Sarah is here and in the queue.

H
Yeah, so I just wanted to ask a clarifying question, because when you and I were building this, we talked, if we originally had the word use case in there, and you had recommended swapping out the term use case for user needs, and it, one of the things that I want to do, and I, I am working with my CTO office and our security customer office, is to kind of build on an SBOM document that the Linux Foundation had done on how SBOMs are used, and start to do some customer surveys to get information about how they're using or not using SBOMs, and I wanted to bring those use cases to the conversation, because I think we've, you know, been talking about documenting a variety of use cases.

H
But now, if I think about those from user needs, that might help drive a set of questions that we would, you know, we could even put together a, in a side document in this working group, how would we go to various customers, and, you know, Dell supply chain, for example, and, and target questions about user needs versus use cases, and bring those back to, to the org, and I'm happy to do that, and I just wanted to, to say that I'm, I'm leaning into your definition of user needs versus use cases.

E
And, and to clarify, I think my, my definition of use case versus user needs is, is to some degree, it's, it's just using the, it's, it's, it's vocabulary, right. You know, but I do think user need has an implication of being a little bit more high level, whereas use case is like, I, you know, I, I want this specific feature, I want, you know, it's, use cases tend to be very, a very low, very, very kind of detail-oriented.

E
The user need is more like looking at it from the perspective of the user. Use case can, can often just talk about what the system does; a user need talks about why a user needs something, and, you know, and so that's some, that's a kind of ideology that was a bit driven into me when I was working for UK government, actually, so I'm sorry that I'm not, that I'm kind of dredging it out here.

H
No, I think it's great. So I have, like, a user need might be: as an incident response, vulnerability incident response, you know, security operations team member, I need to be able to identify, you know, use a tool where I can identify residual risk after a vulnerability is identified and closed, and then we would be able to then kind of hone in on what would the tooling need to be able to do to help address that use case or that user need. So I think it's, there's a lot of value there, and.

E
And what underlying role does the SBOM play in, in, in providing that tool with the information that it needs to provide you with, right? Because, you know, as, even as we were looking through some of the SBOMs that, that were being presented about the Zephyr OS?

E
You know, that's not like user-readable information, right, so like, so anyway, just kind of, it highlighted to me the fact that what we're talking about is something that's consumed by and, and, and, you know, used by tools in order to provide a certain functionality, and, and looking at it from that perspective, we need to think about these, the user needs. Sorry, I'll shut up about user needs now, no.

A
This is really good, Dan. I've never thought of it in this manner, but I think best practices, or use cases, and user needs are very different, and the thing, I need to think about this more. But my initial thought is that laying down user needs like what Sarah just described, where she said, vulnerability incident response team member, use a tool to identify.

A
You know, risk after vulnerabilities disclosed, like we don't really have that ability today, but if we just focus on use cases, we're going to say something like, you know, finding packages in your stuff using an SBOM, versus here's a persona, here's their actual problem they need to solve, yes, and like, in this case, we can't do exactly this. We can do some of it, but this also helps us then identify, here's a gap we have today, and so this is, I think this is powerful. I, I feel like this is cool.

E
I think it's more detail, I think it's more part of the, yeah, I don't think it's part of this thing, this document that we presented earlier that Sarah and I working, are working on. I think it's part of a landscape document. That is one of the things it's pointed to, that's by that, so I think it's, and I do think it should blow in and get up eventually, but I think it's about documenting the landscape. Maybe.

F
Don't know, okay, so I'm gonna, I'm gonna pop over to the spdx.dev website as well, just to look what they have, I mean. Obviously, they've got a lot of information there.

A
Okay, so we're almost out of time, and I wanna, I wanna tie this up before, before we are. So we've got the mobilization plan that Sarah and Dan are working on, and I guess the ask for everyone else here, and I will, you know what, I'm going to write down the actions and then send an email out to the list, because I think that'll be easier to review it, right?

A
I mean, one of the, one of the challenges we've had, like this, this SBOM Everywhere goals and purpose document, this has just been dragging on, and we just, we never cut off conversation. So, let's, Dan and Sarah, end of March. Does that seem reasonable? Or do you want more time?

F
All right, cool. I, I would go for, in the end, what we need is, here are things to be done and an estimate of cost, to bring it up to, to, for the governing board for funding, because I think there isn't, you know, there's limited funding, but there is an appetite to actually invest, in particular in tools in this area, but we need to have an idea, which is also why we have, we're running out of time, but we really need to move forward on the evaluation of the OSS SBOM generators.

A
Yes, and that was my question for you, David, when we get to the next one, so I'm gonna, okay, so hold on. Let me, let me be right there. Let's not worry, the landscape funding proposal is for, we need to finish this up. I'll give it to me, Josh and Kate, we'll, we'll get that sorted in the next, before the next meeting.

F
Well, we, we need to actually, well, go a little further, take a look, and then we need to actually go sit, to have some folks sit down and actually grab the generators, grab some sample code and see, you know, an evaluation. You have to sit down and actually try the tools on real-world things and see how they're doing, because that's, I think, the part that's missing, and there's very, relatively little out there. You know, lots of people talk about this at a high level. I mean, it's one of the things I was wondering about, the.

F
Why do we need another high-level review of SBOMs? That's not the problem. The problem is, oh, sitting down and actually evaluating the real tools, so we can know what, you know. I mean, if there's a tool that, you know, and I'm looking specifically at open source, I realize there's proprietary tools as well, and they're all, I, I bet some are trying to do that also, that is a bridge further than I'm willing to, to tackle, but once we review the open source ones, the proprietary folks can use that, hopefully, and do that as well.

E
I wanted to have this conversation, and it sounds like there is an appetite to document SBOM user needs, and so the question then becomes where do we do that, and David suggested a user needs document, which maybe is a separate document that we need to start working on. I'm happy to do, to start that off, and, and then we can, I don't know, we can noodle, we can work on it. Sure.

F
And really, step one is do that literature search first, because people have already done that, and I can actually quickly rattle off, even off the top of my head, the main use cases. I mean, I'll tell you right off, it's the, you know, I'm worried about bringing in software, or I have software, what's my risk of, no, of known vulnerabilities? I have learned about a disaster, Log4Shell just happened, where is it? And there's the two main security ones, and for the licensing, you know, tell me about incompatibilities, I'm.

H
There's a document that, Dan, I'll help you with that, because then I want to take what we put in the user needs document and start figuring out how to talk to Dell supply chain and get some, some data to validate: are we missing anything, how, how many people, you know, say that, and, and maybe put together some surveys that I could bring back to the team and share. So I'd like to help, awesome.

A
Okay, and then I guess the one ask I have as well, and I'll do my best to do this, is I think if we can try to put some effort into, like, just saying what's going on, and on Slack, that could be helpful, to try to move some of our efforts away from this meeting into GitHub and Slack and other things, because I feel like we are far too focused on this meeting, and it, that is not helpful to anyone who doesn't live in, probably, North America or Western Europe.