From YouTube: Security Tooling Working Group (August 2, 2022)

I: I love that part of the "fill out the attendee list" when everyone's clobbering over each other's edits, continuous, read, continuance, right, still be doubles us. It's even better when your Google Docs doesn't actually show you that other people are on the line.

D: Yeah, it's like, and it's really, it's like just enough behind the ball to be impactful, and then, as far as I know, like everyone can be anonymous in the commentary. So that's.

A: It's fine, after, let's get cracking. I put it in the notes. A couple in the chat, a couple times: sign in. If you haven't already, we're gonna sign in in the tools working group. This agenda, I don't know what to call this, but most of today will happen in the SBOM Everywhere notes document, which is linked in the agenda. Unless someone has a pressing topic for the tools working group, let's deal with that business first and then we'll move on to SBOM Everywhere.

A: I will assume not. All right, that's what I'm, everywhere, it is cool. I'll put the link to the other doc in the chat, just in case anyone missed it. So this is where we'll work from. I see Kate is here, so Kate, the Python library funding is the first item on the list. Do you want to take us through what that means and what we want to do?

F: Oh, the Python library is a pain point. I've got, we've got Gary O'Neil here who can also talk to this in more detail, but the code base in there is fairly stale. We've gotten an estimate from a contracting organization to help us do the cleanup and revitalize it a bit.

F: The hump has been there now for about a year as a pain point for the project, and so we're looking probably at, I think, 180k roughly at this point in time. We've got an estimate in Euros from them, and then that would take care of moving, getting the code base cleaned up, putting a test suite in place, and moving it from 2.1 to 2.2 properly, as well as putting in 2.3, and so that will give us a better foundation for working forward for the transition to 3.0.

G: No, I mean, just, I think everybody here already knows the popularity of Python. The libraries, the real goal of the libraries is to enable, you know, other tools to very effectively, efficiently utilize, build SBOMs, read SBOMs, write SBOMs, and there are people that are using the Python libraries today. But what I've learned is a lot of people have forked them and used their own version, and they're not necessarily a popular, publicly shared library.

B: I'm sorry, this is critique, I should know this, but which repositories are being referenced here? Oh.

D: In a model it's the standardized library, yeah, is pipeline, I mean Python obviously is a one-way. Did we want multi-support for other languages as well?

F: Yeah, we definitely want support. We have some of it already supported in a very well maintained set of libraries from the community already with Java and Gary and others. We also have some Go initiatives where there's some community people participating in that. There's other libraries we'd like to add in over time and make things a little bit more robust, but the biggest pain point we've seen right now is the Python libraries, so the idea was to put in an ask and see how this process worked, and then, as other things are prioritized, see if there's other ways we can make it happen through the community or come here and see if we can get some people to help.

G: And I would just add to that, I think very top of the list would be JavaScript. Libraries would be the next on the list. The Java and Go libraries already have, I think, good community support, so they're valuable, but they're covered as of now anyway. So JavaScript is the one that needs a little bit more help, perhaps. Thanks.

D: And are that, like, I don't know if anyone else was tracking, but I would imagine in JavaScript we have a lot of disparate and, like, either under-maintained or kind of like rogue libraries that people kind of pop up this application.

G: We do have a kind of an unmaintained library right now that was written by a Google Summer of Code student, and then we do, I think what people have been doing with JavaScript is just kind of writing their own and not necessarily publishing them as libraries. There are some subsets of SPDX out there that are quite popular, like license expression parsers that, you know, solve very small segments of the SPDX spec, but I'm not aware of any libraries other than the unmaintained one. That's, and I can post a link to that as well, but there's not much activity on it right now.

A: And just for everyone's information, I didn't make this clear at the beginning. This is specifically for SPDX libraries in this. In the context of this, the intent of this group is not to focus solely on SPDX, but at this moment we are aware of need for SPDX library specifically. There's no reason we couldn't put similar funding proposals through for something CycloneDX related, for example. Crazy.

A: Thank you, and okay. So here's kind of what we wanted to do next: we found out recently that the OpenSSF TAC has some funding available to it for discretionary projects, and so I've added the particular ask for the Python library, specifically just the Python library. Kate has the proposal, and I want it to go to the next TAC meeting and ask them to pay for this, and that's kind of where we sit at. Hang.

B: Technically, it's not in the TAC's position to entirely approve, full stop, but it is. There is a budget allocation. The TAC can recommend proposals to that right now. That's something that we as staff in the TAC could agree to move forward with, within the current bounds. There are conversations about future approaches to funding that, but there is an existing allocation here. I don't mean to refute you.

B: There are some better ways that we'll do this in a more systematic way, but today I think there'd be a relatively fast path, if the TAC believes in it, to be able to get these things funded. So I think focusing on a well-justified, lean proposal for work to do would be incredibly useful here.

C: I continue to not have any clear framework from the governing board on what the TAC should or shouldn't be approving, what exactly our budget is. I've heard a variety of numbers and proposals for possible ways forward. I'm waiting for the governing board to be more clear.

B: And for those who know, it is a TAC member, so it's an important consideration to, yeah.

C: And not saying we stopped this. Just please don't put it on the agenda for the next TAC meeting. We have a few more things to resolve before I think we could entertain and vote on a proposal like this. Again, I think it's a good one, just give us a little more time to sort things out.

A: All right, we'll figure out what that means. That was in the TAC channel on Slack, and it came up like last week, I think, but whatever, we'll figure it out. I'm not that worried about it. All right. So let's move on then. So the next item I have is just next steps, and this is where Kate has started to kind of construct.

A: But fundamentally this group has the, like: there's, I don't have a good answer for where we go next, and I think that's up to the people willing to do the work. The only thing I do know is I want to define this as kind of a, for anyone who's ever been in the agile world, there's like a pig and chicken model, where there's kind of, if you think of breakfast, you know, the chicken is involved, but the pig is committed, and I think one of the things that has held up some progress in other working groups and SIGs I've seen is what I'll call chicken bombing, where people come in with grand ideas or suggestions and then they disappear. And then nothing gets done, and so I'd like to make sure that the people, like, working on the SIG are working on the SIG.

H: So I, oh whoops, raise hands. Thanks.

I: Okay, so yay, plus one to not chicken bombing. You know, great phrase there, but I also would like to make sure that we've just kind of got a scope around this in general and have a plan, and it kind of feels like we're diving into this and only a select few have some sort of context for what has happened before, what's going forward, rather than having this be a collective effort. So could we just sort of, you know, step back and set that scope and make sure everyone is on board with it, and we know what exactly we're doing, what we're looking to deliver, all that sort of stuff, for instance this Python stuff. This is the first I've heard of it, and I participate not only here but also in SPDX, and so this all kind of came out of left field, and so I would love it if we could just sort of come up with some sort of at least rough plan that we can then follow through on and then use that as sort of a chicken bombing barrier, so to speak. Yeah.

A: Well, that's completely reasonable. The Python talk came out of a meeting in Austin during the Open Source Summit we had, and so it's, yeah, I'll take the blame for that. We should have documented it somewhere more clearly. I mean, this is also just part of growing pains, I think, for a group like this. We don't, we. I'll put a link to a document, it's linked from somewhere else. We have a lot of documents. This has kind of, you look towards the bottom, it says "our proposed approach," and that came out of Brian's write-up after the White House meeting, and so I think that's kind of where we want to start, and then it's just a matter of putting some structure around all this, but I think your complaint is completely valid, and thank you. David, do you have something to add?

H: Yeah, completely, well, a very, very specific ask, I guess, which is a number of people starting to ask me, hey, you know, I hear about this SBOM thing, and I've been telling people it's really best that they be generated during build, during development. Great, okay, where's my open source software SBOM generator that I can stick in? And I don't know that I have a good list of those. I mean, I know that Anchore has one, I know.

F: Right, this is something where I think Alan, I want Alan to sort of speak on, in the sense that we were talking about doing this underneath his working group, but that really hasn't started yet, and I don't know if we want to be having duplicate efforts simultaneously in many places or not, is what I'm concerned. I'd like to deconflict this early, let's put it that way. Excellent.

E: I can share some preliminary thoughts. We're trying to sort of get some summaries put out. Some low-hanging fruits include: hey, let's have collections of SBOMs to support tooling, let's support the tool marketplace, let's set up plugfests, and then the longer term is going to be identifying what are some known obstacles to interoperability and tackling those head-on, and then the last piece that also might be an early low-hanging fruit is to sort of say, let's come up with a couple of definitions that can then be adopted by both SBOM specs that define the difference between build and source and post-build binary analysis and things like that, and have that set potentially be extensible so that as we move into SaaS BOMs and APIs and things like that, we can have some more information.

E: So that's a pretty broad agenda. It'll take us a while to get through all of those. So there are a couple of things: one, you can say, okay, based on that agenda, we will take that and we'll move quickly on it, and another approach is to say, hey, this is a good, you guys move forward based on the broader landscape, because we have, you know, tool providers and commercial staff in, blah blah. I'm quite open to whatever you think is best.

D: That, in one of the documents, security use cases, we did break out types of response, but to your kind of the broader point here, they are not defined, really, and I think even just in some very superficial attempts to put some parameters around some of those types illuminated the fact that they need to be fully defined and put into their own sort of like railway.

F: I'm willing to take the action item to move forward on this, to put a straw man one-pager together, with the definitions of the types of SBOMs that I think are being used right now, and if people want to go in and comment, we can at least start this off and then maybe that feeds into the efforts that Alan's doing down the road as things move forward. But they still that way.

A: Yes, absolutely. I'm going to put a link in the chat also, so this is a bug that, I forget who even started the discussion, but basically the Apache Software Foundation wants to generate SBOMs for their stuff, but they are looking for guidance, and specifically Mark Cox, who's down on the bottom, he and I go way back. He reached out and said, hey, can the OpenSSF provide guidance for, like, what are the expectations? What should we do? And so I think, Kate, if we can frame that kind of in that context, invaluable I think, especially from the perspective of, like, this is what an open source project should do, and then I think we can tie that to David's ask of a list. We could even provide, like, here is how you can accomplish this with these tools, and then, you know, give some good examples, because I think it's one thing to list some of these tools.

C: We're jumping back into the conversation on the question of taxonomy, isn't it, common terminology. I actually started a project to try and do that, I guess a year and a half ago, almost two years ago now. It's on my GitHub repo called supply chain synthesis. It's a bunch of work there on common taxonomy and links to other projects. If that is a useful starting point for this group, I'm also happy to move that repo into the OpenSSF, into this SIG, if folks are interested in it.

C: Yeah, it was my first official foray into open source supply chain work, was to build a taxonomy. Oh.

C: A couple pictures in there that also might be useful, where I tried to map out what are the functional roles necessary in this domain, and how can we create a sort of a common taxonomy for the relationships between different types of tools and standards? I boiled it down to five different sort of categories or lexical groupings of things: specification formats, objects and their artifact formats, tools and processes for manipulating artifacts, metadata storage and distribution mechanisms, and identity systems. We need, like any system needs, all five of those to be fulfilled in some way, and there are multiple ways to fulfill each of those requirements.

E: So Ava, as you've described it, it sounds like something that I should read, digest, and will probably need you to hand-hold me to understand some of it as you describe it. One of the things that I want to make sure that we're not sailing directly into is a proposal to solve Everything with a capital E, and so how can we use the framework that you've laid out to say, let's focus on this problem and then make sure that we've sort of left room to interface with the other stuff that's coming?

C: Yes, absolutely. That was, avoiding that was part of my goal when I started work on this, but by sort of building a map I thought I'd be able to navigate the complex space of everyone's different terminology a little bit more easily, and it's helped me. I'd be happy to give folks a walkthrough of it. Not today, I haven't prepared for that. Maybe next meeting, or, you know, set up some time outside the series to do that.

H: This Google doc, is this your work here, tooling ecosystem working with SPDX? No.

F: No, but happy to, like I say, the part I like to have, like say this is part of the agreeing how we actually commonly specify the tools. Let me just go and look at one of them right now. With the swed is as part of the entire efforts. We did a tool classification taxonomy, that's missing a type I think in my mind, but then we had a standard template that was filled in that could then be parsable, and so the idea was eventually to take it up to GitHub and have something that was a landscape type of deal. So people could start to search on things and find things, and if people are comfortable with this, I propose this as a starting point for classifying, and then we add in, after we get the definitions of the SBOM types standardized, any sort of further tooling change we want to see in terms of types, but you know there's a lot of discussion that happened in that community to come down with, you know, produce after creation. You know, produce and consume and transform as the different types that were being used, and then there's, like, say there's one here for Cyclone, and so.

H: Yeah, so, but I think that's my point. That's absolutely not an attempt to beat on either of you. It's a, we need to find a way to get these, you know, up-to-date, maintained, because I think a lot of people find these, so.

F: If people are comfortable with this basic type of structure here, which is, you know, we might want to make it more general to have not a specific format, but basically let people say the formats and then the actions, effectively. So if there's a lot of tools that are in CycloneDX and SPDX, for instance, you want to probably be able to look at both of them from that context, and then, you know, here's the installation instructions, but if people come up with the functionality, a location and installation, how to use, we can leverage what's there, cross check it with what is there today and is it still accurate, and then as people have gaps?

C: I love this idea. I think moving it out of both, you know, out of Google Doc, out of my repo, into a standard location in this working group, fantastic. That'll help solve the problem you brought up, David, like it's stale because it's fragmented right now in different Google Docs. Put it in one place, we can bring attention to it, but also propose we put this in a machine-readable format like markdown, fine, or YAML, so that it can be turned into different sorts of web pages. Different resources can read it.

E: And as you go about doing that, may want to think about what are some of the things in the description of these tools that need to be a little more formalized or better defined, because again, I think one of our goals, or at least one of Kate's goals that, kind of at the federal level, resonates with a lot of people, is to sort of say, hey.

A: We've got Vicky asking about clear goals, so I wanna give a to-do off that we need to kind of clean up this document we have that defines, what's it called, it's called the SBOM use cases for security. It has a smattering of kind of goals and ideas, and I think we should tighten those up quite a bit. I'm happy to do that, unless someone else wants to.

C: The CNCF landscape is an interactive web portal for browsing through projects and companies in the CNCF ecosystem. So there's a defined format on the back end, sort of how, sort of in GitHub, yeah, so landscape.cncf.io is the web portal to access it.

F: The only thing, like I say, the thing I'm just wondering is: if we can just start putting the information machine-readable in a format that makes it easier to import into landscapes going down the road, we don't have to do the work twice. I'm willing to work with someone on that and to, you know, integrate with what we've got from the NTIA stuff to date and some of the other sort of gaps to come up with a basic template. Is there anyone else that wants to work on the template with me?

F: Okay, then let's see if we can make that template actually start to play together and put the template now. So I think maybe the goal then is to bring about the template we're proposing to this group to make sure everyone's roughly comfortable with it, and then we will start to populate it, and then we can look at tooling on top of it later.

H: Yeah, and this is Dave Wheeler, happy to give a hand as well. I guess, FYI, of the whole, the landscaping stuff was actually originally developed by Dan Kohn. So you know it really, my experience, the key thing, I think, is to figure out what's the main layers and information you care about, because there's a million ways you can divide it up, but what matters, well.

F: Then it sounds like Vicky, Vicky has to drop, but, or not, other service only drop. Sorry, my bad, chat too fast. Yep, so I'll call a meeting then with Vicky and David, and anyone else want to be part of that discussion? Okay, buddy, sure, and we can put a straw man together and work it between now and the next meeting and then bring it all back. Oh, York wants to help as well, yeah, George. Can you basically make sure I have your email ID then?

H: Yeah, I think, I do think that one complication for the landscape is, I think that several tools probably cover multiple different kinds of capabilities. So it may be a little more complicated, not sure how to deal with that, but that's something we can discuss later. Yeah.

F: I think we just want to discuss which capabilities we want to be able to systematize and standardize on, and then just have the YAML, just, you know, format described such that people can build things on top of it later, filtering and so forth.

A: Then the only other, well, I guess the other two to-dos will say, Ava, if you're willing to present on your git repo in the next meeting, that would be lovely.

I: Okay, I think, Josh, you'll have to ask the OpenSSF Ops Team to get that spun up for you.

F: Well, I think there was a variety of use cases that people think are important for the tools to adhere to. Some of this stuff will obviously impact what sorts of tools we want to see, where we want to see gaps, and so forth. This came out of the discussions in DC, and one of the things that people seem to mostly all agree on in the room is starting to have the discussions about what are the use cases we all agree on that are relevant for security here, and getting them documented in a place such that we can assess whether the tools against them are doing it or not, and are able to satisfy the work, these use cases.

H: Here, okay, do you wanna, all right, so if I want to brainstorm our use cases, I think one of the most obvious ones is, you know.

H: Okay, sorry, I'm looking at the notes doc, yeah.

F: You know, these various pieces of evidence in other places too, so maybe starting to pull that all together and document the perspective of, you know, this is what I would like to do with the various personas, would be a useful thing to have at hand and for us to consolidate. Like I know on the SPDX side, we've worked through a variety of them over time too, some of which were documented on wikis and so forth. Having a set from the security perspective of exactly which use cases we want to be able to handle, I think, will give us a common ground, a framework to talk about things from.

H: The Amazon use cases, sure, yeah, there's several I know that I'm surprised aren't there, but we can fix that, yeah.

F: I suspect there's a few I want to add to over time, but I'm focusing on the other one right now, and then as soon as you guys get the first pass going, I'll take a pass there too after that, as well, I think, this group as well. So maybe in three meetings' time, maybe we can sort of go through the use cases as a group or something like that.

D: I'm just, out of curiosity, would this be the appropriate place to introduce, like, I mean, because the way that I had started approaching this particular document was just thinking about use cases independent of any pre-existing use cases. So, while pre-existing use cases are established, would this be the appropriate document to propose new ones? Cool.