From YouTube: Security Tooling Working Group (May 23, 2023)
A: I'm gonna paste my intro before I forget. All right, so let me share my screen and then move all the crap Zoom put in the way. All right. So here is the attendance. Let me open the chat. If everyone could sign in, that would be lovely, and this is the Tools Working Group attendance, because this is a weird meeting where we're technically hijacking the Tools Working Group meeting for SBOM Everywhere, so paste your intro in the chat, everybody, not just new people, and then I will switch over to the SBOM Everywhere agenda, which is very light today, and I forgot to send out an email, I realized, which is why I don't expect a lot of people today, but that's all right, because I don't feel good, so the less I have to do, the better.

A: Quick recap: I mean, I was there. Kate, was there? I think I see George here; he was there, and there were probably some other people, who I apologize to. Feel free to just jump in, but I can give you kind of the overall feel of what was there. It was...

A: Thank you. And there was an SBOM Everywhere panel, an SBOM panel that obviously discussed SBOM Everywhere as part of that, and it was a good panel. My favorite question was which SBOM format do you think will win, which I refused to answer, but we definitely weren't touching that one. But it was...

A: It was good. I think the audience asked some interesting questions about SBOMs. I feel like we are approaching a place where people are using, or rather getting ready to actually use, these things for purposes where they want to do vulnerability scanning or regulation or whatever, and that's exciting, and I think that's also where the use case we're doing can help. But then there was obviously the Open Source Summit.

A: The larger conference around that, and the people I've talked to, I said there were kind of two themes I took away from it. One was the whole supply chain everything, where people are talking about, just, you know, who's writing your software type stuff, and that's not surprising to anybody. I also think there's a long way we have to go there, because there's still a lot of fear. That's the underlying message: it's not "you're using open source, let's figure out what that means." It's "oh, holy cow, do you know who's writing your open source?" Like...

A: Are they criminals? It's like, oh my God, just no! Don't do that. And so I think from that perspective there's work to do, but that's a different topic. And then AI came up, like, constantly, where half the people think AI is going to kill us all and half the people think it's going to save us, and they're probably both right. I don't know the same thing, but it was good. I enjoyed the conference. I really liked it, and I will say, with all the attention SBOMs are getting, okay...

A: Maybe you can kind of chime in here. I know there are some AI, I don't even know what to call them, but SBOMs for the AI large language models, and I don't totally understand what that means, but I have a suspicion we're going to see that collide with reality sooner than we think. So I'll stop talking now. Thank you.
C: We actually, in the 3.0 SPDX spec, we actually have a section for AI models as well as data sets. That was very clearly separating those two out, because both of them are part of the transparency we're going to need to put into the system, and so figuring out how we can start to summarize it and capture the relevant information and move it, I mean, is something that a lot of people are interested in. There's a lot of good hallway discussions on the topic.
C: All these things are all just files, okay? A training data set is a set of files. A trained model, having had the training data applied to the model, gets shaped into a slightly different format, and being able to capture parameters. Most of this is things that are either files, groups of files, or, you know, mostly positive files, which are effectively the equivalent of packages, and, you know, basically groups of things, effectively, and what we have in SBOM can actually extend a good portion.
C: Four years ago, five years ago, there were, about model cards, data sheets and fact sheets all came out within about a six-month period, one from IBM, one from Google and one from Microsoft, on what types of things one should capture here on this, and when you actually do a compare and contrast across all of those...
C: Obviously, it's going to be new stuff in the tooling and in the spaces where we haven't been capturing SBOM stuff before, like the data set creation and curation, and so as people are creating data sets, being able to record what has led to what: what portions of one data set, what portions of another data set, are being used to train models?
C: But, you know, these are all reasons. These are all concepts we've seen before, so we've been working with folks from the IEEE AI ethics side, as well as other places, to try to articulate what makes sense to capture, and so, if you're interested in what's in an AI BOM, there, you know, there's work going on on the SPDX side anyhow. And I think the CycloneDX folks love model cards; the big difference between the two approaches is that SPDX has separated out...
C: ...the data sets, and having special expectations of lineage of data sets, from being just with a model, and I think the CycloneDX folks are just looking at the model card approach and following that pretty closely, and so we've got two different approaches going on here. I think, I have a bias, let you guys know, but I think we're going to be a little bit more flexible, being able to catch data set provenance more effectively and efficiently, and that's the feedback...
C: ...I was hearing from the actual Leaf folk too, and then I was talking to them. So those are things that are there in progress, and we've been starting to articulate out and use the information in fields for mapping all data sets and models, and making sure that the use cases can be handled with what we've got, and when we start to look at more and more about automation...
C: ...being able to capture that in a standard format, i.e. in a field, so that you can sort of say this. We don't at this point in time, a lot of the, there's not a lot of standard vocabularies out there to pull off of, okay? There's a lot of initiatives, but things haven't quite gelled, so for the most part we'll be just capturing some of these things as strings.
C: Is, or is there, or are you just taking in data sets, you know, are you doing adaptive work over time with the stream, adapting, as well as, or you're just training it once and going from there? And then there's things like, you know, will this data set expire, and will this model expire? Does it need to have further training at a certain point in time, right? So these are things that are...
C: ...you know, considerations on the AI side that we've managed to pull in as P fields, and, you know, I think we'll be learning more as we start populating this more and more, but I think we've got a reasonable starting point. Go ahead, Sarah.
F: Kate, I was looking at my calendar. Can you hear me? I said I was muted, but I think I'm off. Is that the AI profile for SBOMs meeting on Wednesday that you're referring to? Yeah, that's...
C: But, you know, we're certainly interested in spaces that we're talking about here.
C: There was one talk that I did with someone from UL, Pete print, and it was very well attended. It was the first time I've, I'm back to seeing people literally standing around a room during the talk. I had not had that experience before for the last several years, and so basically the room was filled, and then people were standing around the outside of the room along the walls, and then it's back to the room.
H: Yeah, okay, try pushing the buttons. Yeah, I mean, obviously we had a lot of folks interested in SBOMs. I'm not sure I have much more to add. I'm not, I am concerned about, hey, just because you can capture data doesn't mean there's a use case for it. So that's, you know, I think, that's...
H: We've had that discussion elsewhere, but I'm much more concerned about how do we get SBOMs actually generated by real projects and such right now, which is, you know, I think we need to move far forward on the evaluation of the tools that exist and that sort of stuff, but obviously lots of interest in AI models and such.
A: I'll assume not; we'll move on. So, David, we should add your comment to an agenda. I don't know if this is the right one about... oh my goodness, what the hell is wrong with Google today? But add your comment about getting projects to produce SBOMs, because I think there's some hard truths we have to talk about in that space, because it's easy to say open source projects should create SBOMs, but they're really busy, and I talked to Jonathan Leitschuh about this at one point, and, yeah, he basically pointed out...
H: But, well, he's not saying anything different that I haven't said. I've been repeatedly saying the challenge is the users want SBOMs; the developers have no use for them. That's...
C: ...challenge here, but right now I'm going to skip, I'm going to challenge you back with the fact that, okay, we've got automatic SBOM generation sitting in Zephyr for the last two years. We've had automatic SBOM generation sitting in Yocto for about as long, and they're being used.
C: Remember, both of these are embedded projects with limited sets of dependencies, so I think part of your argumentation here, which I will not disagree with from that perspective. However, what I will say is one of our, one of, at micro, is a Zephyr member, and they basically put out a dashboard for all of the upper boards on their simulators today, along with the six applications that they compile onto those boards, and every time they're generating out an image to run on the simulators, they're generating an SBOM.
H: Perhaps a differentiator will make what I mean clear, because I may not be communicating as clearly as I wish. You know, why do people choose to use compilers in a compiled language? Because trying to do it by hand would be completely ridiculous and too hard and too much effort, okay? You know why? Don't they just, you know...
F: Yep, David, this reminds me of the conversation that we were having in the risk-based metrics dashboard meetings. So one of the developers that was attending that call said it's got to be, you know, one click to generate an SBOM, one click to run the Scorecard, and then we've been talking about tying those things into an end user's evaluation of upstream open source. Does it have an SBOM? What's the Scorecard rating? And so we're looking to tie the ease of creating one to end use...
F: ...you know, user adoption, and then how might the developer, as they watch their project become adopted, want to potentially, or be incentivized to, improve the security Scorecard? There's a whole lot of nuance to that, but at the end of the day it sounded like one click, and it actually, that information goes somewhere so someone can use it, and then there's a feedback loop.
C: ...are working right now is that it is a one-line command prior to invoking a build on Zephyr and you get it automatically, and it is also a config file change, one line. You know, changing one option with the config file and you get it automatically, and that's kind of how I think it needs to be for people using the open source projects. Let...
A: It's useful if you make the often simple changes to get an SBOM generated, then dedicate the time to look at it. You often have surprises that you want to go remediate, and I'm seeing developers on open source projects that are open to and actively doing that. Two in particular: Kubernetes and the LF Edge EVE-OS, which is primarily driven by a company called Zededa.
I: The other way that I'm trying to think about this, and encourage folks at my company to think about, is, yeah, if I think in terms of SLSA, and my goal then is to wait for every open source project that I depend on to reach SLSA level three, I'm going to be waiting a long time. But if I look at it from the other side, S2C2F is about the consumption set of expectations that are present.
A: I agree with that. I like that, and I know we talked about that. It's on our charter, or whatever we call the document for this group, that one of the things we want to do is go and help open source projects do this, but we're just, we're not, I mean, I don't think we've done...
A: We'll get there, it's coming. I think it's getting better, and I think there are people, there are many people optimistic about all this, but I'm still running into a lot of people who are, I won't say anti-SBOM, but they're like, there's no reason I should care about this, and I think that's, I mean, that's like what Tim just said: if you generate an SBOM as a project and then there's a tool that says, oh, you just picked up a new open source license in your dependencies...
E: Yeah, hi, I hope you can hear me. Yep, all right. And I see you talking about it, so, to send the people that do something like that to go into teams. What I'm thinking about is...
E: How far would we go to generate SBOMs? Because there are a lot of different aspects of quality an SBOM can have. We can enrich it. We can only generate minimum requirements. We can generate an SBOM that's literally not really an SBOM, because there's no data in it. Would it be maybe an idea to say, if we do something like that, that we have some kind of level that we say, okay, we go to a project and bring you on a level that we integrate and use the CI/CD pipeline.
E: Some other generation tools like this that just generate one without knowing, okay, is it really a great response? Because you can always enhance it then, up to the point that we'll shoot it, everything is in there that should be in there. But that's the question I think about when I would go to some project and do that for them. How far should I go at that point? I hope you understand what I mean.
A: Yeah, no, it's a good question. I mean, I would answer that as, like, take a very MVP approach, right? Like, minimum viable product, minimum viable SBOM. But if we make it too big, you fail, right? But if step one is just run a tool that generates an SBOM file magically, like, that's a big first step, and once you have that, then you can go to the next step, and I...
A: ...think things like this, having, like, a playbook that helpers can use to go to a project and say here are the steps we're going to take. Like, step one is just generate an SBOM; it's machine generated. We aren't going to do a ton of verification to make sure it's correct. We're just going to start here, and then once you have that step, then you can go farther and farther, and so I think a playbook would make sense. So...
C: Exactly, and I think there's different playbooks associated with each. For the source SBOM today, if your project's up on GitHub, you can click a button and get it, and that's easy, okay? Now the question is what are we doing with it, where the processors, a lot more processes? But, you know, I think GitHub's made it pretty easy for people to see the source SBOMs for us now. For the build SBOMs...
A: Holy cow, this conversation took quite the turn. That's good, though. Okay, so we're at the bottom of the hour. We have a little bit of time left, and I guess I can see two paths we can take, and I'll leave it up to the audience, or the crowd, I don't know, the attendees, whatever, all of you. We can look at the use cases for security, or we could discuss what we want...
A: ...this particular proposal to look like, of how do we, because we've never really written down how to go to a project and work with them to create SBOMs, and I think, like, for example, Kate mentioned that GitHub will give you a source SBOM for free. How many people know that? Probably not many. And so, yeah.
H: I agree with you that just a static document doesn't do anything, but it does. You know, trying to do, hey, we're going to show up at a million projects individually, one by one, right? It doesn't scale. We...
A: ...know, but we also don't know where to start, and making a document, I don't think it's helpful without experience. Eric, do you have your hand up?
J: To respond to the prior discussion about GitHub's generation and the quality aspects, just, not all SBOMs are created equal, so something to keep in mind. I think it's a great first step. I think there's other people also allowing you to generate an SBOM.
J: That's why I'm on this call. So if it's not the correct time to bring that up, I will take a break, but I just think there's other aspects: can you do attestations? Does that tie back to that public SBOM? Stuff like that.
A: Oh, you have to sign your SBOM, so you have attestation, and then you have provenance and all this, and at the end of the conversation they're like, I don't care anymore, like, I'm not going to do any of this. And so I think we need to be mindful of how we approach this and how we want to talk about it. Like, I don't know, I assume the GitHub SBOMs don't provide any provenance data today. They're...
A: But that's okay. I mean, SBOMs shouldn't contain vulnerabilities, right? Vulnerabilities are something different. You use the SBOM to get the vulnerability; it's not contained in the SBOM. That's fine, and we can deal with that. Although I guess they do have Dependabot, though, but whatever, it doesn't matter. I think step one is SBOM, right? That's it. It doesn't matter if it sucks, just SBOM as step one, I think, is the key.
F: I think that makes a lot of sense, to prioritize the projects. So there's that talk about a refresh of the mobilization plan, and basically the mobilization plan is going to show where funding could be channeled in order to accelerate these three areas. So we've got a proposal out, but we haven't identified the specific activities.
F: So if you look at Probe's proposals, he has kind of this overarching set of goals that the special interest group wants to accomplish, and then he outlines very specific actions that you could go fund, and so I really like the direction of where the conversation is headed today, that we could prioritize a list of projects that are highly used, maybe straight from Alpha-Omega, and say we want to make it a one-click easy button to do SBOMs in these top projects. What effort do we think that will take? How many?
A: I don't know if funding is the answer to this one, because we just don't know what we don't know. I think what we need is, we need some people to go and do the work, and that's a very different ask, I think, than funding, because obviously the GB can't allocate people. We need companies like Dell and Microsoft and whoever to step up and say, like, we're going to dedicate a resource to helping with this project.
F: Yeah, and when I say think of funding, I think of perhaps paying a contractor to go do something, or, hey, we are going to commit a resource from a company to go do that. To me, time is money. So how do we get someone's time? Either a company donates that, or maybe through just general funding you could purchase contract time.
F: I love the education one. That's the one I was inspired by, and so I've got to go dig up the link, but basically Probe put out a list of goals, and then he had three areas that would need funded or resourced to action the goal, and so what we've done is Dan and I have created our list of goals. We've kind of noodled on it, but now kind of that next step is then, okay, what do we think it will take to action that goal?
F: Is it people? How many people? How long? If we were to get contractors instead of donated resources, what would that number be? And then that gives something for business people to hold on to and go, oh, okay, I can chew on this. Now I know I've got an action, a suggested action plan. I'll see if I can find the link to Probe's education one, because I thought it was really well done.
F: So it's been, it's, the movement from the GB, in my perspective, has been slow because it's been a timing thing, right? When they were putting these two proposals in, one for the Education special interest group and one for kind of like a risk-based vulnerability response team, Omkhar and Brian kind of have done a handoff. Then we had the Open Source Summit, and now, you know, the governing board has sent those two proposals to a subcommittee called the budget and finance subcommittee.
F: I don't know how that's evolved, but I can try to find out how.
F: And then, where did it go? Off into, you know, the unknown. So, no, I think it's moving, and I think if we were to propose one around SBOM Everywhere, we'll get a lot of traction, because there's this talk about the, you know, ever elusive, you know, what does it mean, quote-unquote, "sterling toolchain." Well, if you look at specific components of making SBOMs easier, I think that would be table stakes as being part of a toolchain that would help evolve this.
A: Okay, okay, so we've got 15 minutes. What I hear, and everyone can jump in here, we need to write down a proposal that kind of explains our intent of acquiring, I'll just say people, and people can be contractors or folks from a company or whatever, but we need people to go into, let's say, some of the projects from Alpha and, Alpha and Omega. That's like a dangerous way to describe the Alpha project.
A: That sounds horrifying, but go into these projects from the Alpha project and just kind of figure out what to do. Does that, I mean, that sounds so squishy, but I don't know how else to describe it. I feel like, David, you're good at explaining things like this. Like, do we? How can we even describe this other than, like, go fishing?
G: This is my first meeting, so I apologize if I'm on a different topic in my head versus what is being discussed. But what I'm hearing is we are just looking for where to basically start to solve the general issue of having an SBOM for everyone from the open source community, right? Is that the right understanding?
G: So I was thinking, we have so many companies on this call right now, how about a survey? What are their problem areas, and then, you know, go from there. Because, for example, the other day someone came to me asking, hey, there are some components from open source which we just pick up from GitHub, but we don't know exactly where it belongs. Should we just say GitHub, or whose original source is this, you know, the supplier information, that minimum NTIA element that we need?
G: That is like one of the problem areas, right? And my response was, hey, if you're pulling from GitHub, let's just say that's a supplier, but is it the original supplier? So if we could just do a survey with all the, you know, folks in the industry, asking, hey, what are the exact problem areas? That could help you kind of define the goal and take actions. That's just my two cents.
A: Okay, Sarah put links in the chat to the Education SIG and some of what they're doing, and so we can look at that. Here's what I want to do. We have a use case document that we haven't looked at at all. I think this is a good document and we need to keep working on this, and I'll try to put a little time into that next week, hopefully when I'm not ill, but I also would like to start writing this down, like this stuff here.
A: What does that look like? Base it off of the Education SIG work, so they've got three things to do. We really only have one, but these also have, like, concrete milestones, and so I think that's going to be one of our challenges: we don't have milestones, because we don't know what we're even asking for right now, which is also...
A: We know what we want; we don't know how to get it. And I feel like, how do we go to a group like the governing board and say we want to send a person to, I don't even know, I don't know a project, even a name, but let's just say this project, and we want them to figure out what it would mean for that project to generate an SBOM.
H: Well, yeah, thank you. I mean, I actually agree with Josh that trying to apply the tools to specific projects as a way to get started is a helpful way to get rid of the "hey, there's lots of complications" we do need to still, but that will still quickly move us on to evaluating, you know, specific tools for specific cases. I'm not sure if that completely answered the question, but, you know, that maybe sounds like a step forward here.
H: We have a better understanding of the current challenge.
D: Would that have to be new projects? Because, as Kate mentioned, Zephyr and others have done this. I actually know that Istio has been doing this, because one of our people basically did exactly that, going to, or joining, the Istio project and helping them build this for the SBOMs. So there are use cases or case studies out there that we can look at already. Kind of, I'm wondering all the time, when we say we go out to projects and help them adopt this, devil's advocate question: would they really like this?
A: For sure. Sarah, I don't know if you were laughing or crying with that emoji, so I'll let you talk.
F: And I was like, yes, may I share my screen real quick?
A: Yeah, let me stop that. There you go.
F: I really want to hide the floating meeting controls. Okay, so this is an example of what Probe did for the Education SIG. He said: here's the problem, here's the proposed plan to touch on each one of those problems, and so, if you go into those, because, like, here's exactly what we need to do, here's what we need people to do, here's how much those people will cost for X amount of time.
F: So it's very, you know, business oriented if we look at it, and he also made this as a TAC issue, so the TAC will see this, approve this, and then it will go, the idea is that it would go to the governing board. We've started, just within, not as a TAC issue, but just as part of our SBOM Everywhere special interest group, we've started the same thing: what's the problem, what are the things that we need to do to accomplish it?
F: We haven't yet gone to that next step where we say what specifically, what actions, by whom, for how long, do we feel like we need to take, and we've been talking about establishing an OpenSSF toolchain for SBOMs. It'd be interesting to say, you know, to further this out with a set of tactical activities that X amount of people or resources from companies or contractors should go to these top three projects in Alpha and perform a process to generate a build SBOM in one click and document...
F: ...what that process was, so that it can be repeatable across other projects that wouldn't consume, potentially, the methodology, and then, you know, maybe a tail for maintaining that infrastructure. And then also there's this section on documenting user needs, and I forget where we put that. Dan, you might be able to help.
A: Me? In the top section, the landscape section.
F: Yes, and so what I think, this document goes to a blank document on my Google Drive. What I feel like would be cool to do as it evolves is change this to the user needs document, or the personas document that Kate has, so that as we're accomplishing this "map the landscape" part, we have people or resources, or, like, a sub-team, that's going in and continuing to push that forward and pulse on that, and we can document what it will take to continue to map the SBOM landscape. So I feel like we're getting close.
F: She has a great document. I wanted to build on it. I don't have it in front of me, so I'll stop sharing.
A: One is to start scribbling down some of what we just talked about around how can we create a plan to go and do an SBOM, and I don't mean, like, a plan we can bring everywhere. I just mean, like, we need to go figure this the hell out for one project, like one project, and then we can start documenting it and building it from there, because I think there's so much...
A: ...we don't know, we don't know, and it scares the bejesus out of me on a regular basis, and if we can get, I mean, I don't, funding would be great, but if we can just send a person or two, that's really what we need, or even find someone doing this, like from Zephyr, and just, like, talk to them. That might be also acceptable.
A: So you're thinking focus on, like, npm, or, well, npm's weird, but, like, the packaging ecosystems, you're saying, or something else? Yeah.
C: Just here to bring, see if you could get Avi to just volunteer to find, if she could, you could get the SEO, okay.
A: So here's what I want, though. Yes, Sarah, I'm gonna put you on the hook for this.
A: Also, that's what, four people: Tim, George, Sarah and Dan, to acquire someone who can speak to us about their experiences in having their project create SBOMs. I'm going to ask that, I'll create, right after this meeting, I'll create the next meeting's agenda, and as soon as you know, can you write some names down? That way I also, if four people show up, that's a very different conversation than if one or two people show up, right, because now you have a much more limited time versus an hour, so the sooner you know, the better; it would be very valuable.
A: Okay, we need to bail, but holy cow, this meeting was drinking from the fire hose. I expected a slow, boring meeting.