►
From YouTube: Security Tooling Working Group (August 2, 2022)
A
B
D
B
C
E
A
A
It's
fine
after
let's
get
cracking
I
put
it
in
the
notes.
A
couple
in
the
chat
a
couple
times
sign
in.
If
you
haven't
already
we're
gonna
sign
in
in
the
tools
working
group,
this
agenda
I,
don't
know
what
to
call
this,
but
most
of
today
will
happen
in
the
s-bomb
everywhere
notes
document
which
is
linked
in
the
agenda.
Unless
someone
has
a
pressing
topic
for
the
tools
working
group,
let's
deal
with
that
business
first
and
then
we'll
move
on
to
as
Mom
everywhere.
A
I
will
assume
not
all
right.
That's
what
I'm
everywhere
it
is
cool
I'll
put
the
link
to
the
other
Doc
in
the
chat,
just
in
case
anyone
missed
it.
So
this
is
where
we'll
work
from
I
see
Kate
is
here
so
Kate.
The
python
Library
funding
is
the
first
item
on
the
list.
Do
you
want
to
take
us
through
what
that
means
and
what
we
want
to
do.
F
F
The
hump
has
been
there
now
for
about
a
year
as
a
pain
point
for
the
project
and
so
we're
looking
probably
at
I,
think
180k
roughly
at
this
point
in
time.
We've
got
an
estimate
in
Euros
from
them
and
then
that
would
take
care
of
moving
getting
the
code
base,
cleaned
up,
putting
a
test
Suite
in
place
and
moving
it
from
two
one
to
two
two
properly
as
well
as
putting
in
two
three,
and
so
that
will
give
us
a
better
foundation
for
working
forward
for
the
transition
to
3-0.
F
G
No
I
I
mean
just
I,
think
everybody
here
already
knows
the
popularity
of
python,
the
libraries,
the
the
real
goal
of
the
libraries
is
to
enable
you
know
other
tools
to
very
effectively
efficiently
utilize
build
us
bombs.
Redesque
bombs,
write
s-bombs,
and
there
are
people
that
are
using
the
python
libraries
today.
But
what
I've
learned
is
a
lot
of
people
have
forked
them
and
used
their
own
version
and
they're,
not
necessarily
popular
publicly
shared
Library.
G
B
D
A
D
F
F
Other
libraries
we'd
like
to
add
in
over
time
and
make
things
a
little
bit
more
robust,
but
the
biggest
pain
Point
we've
seen
right
now
is
the
python
libraries,
so
it
the
idea
was
to
put
in
and
ask
and
see
how
this
process
worked
and
then,
as
other
things
are
prioritized
see.
If
there's
other
ways
we
can
make
it
happen
through
the
community
or
come
here
and
see
if
we
can
get
some
people
to
help.
G
And
I
I
would
just
add
to
that
I
think
very
top
of
the
list
would
be
JavaScript.
Libraries
would
be
the
next
on
the
list.
The
Java
and
go
libraries
already
have
I,
think
good
Community
Support,
so
they're
valuable,
but
they're
they're
covered
as
of
now
anyway.
So
JavaScript
is
the
one
that
needs
a
little
bit
more
help.
Perhaps
thanks.
G
We
do
have
a
kind
of
an
unmaintained
library
right
now
that
was
written
by
a
Google
summer
code
student
and
then
we
do
I
think
what
people
have
been
doing
with
JavaScript
is
just
kind
of
writing
their
own
and
not
necessarily
publishing
them
as
libraries.
There
are
some
subsets
of
spdx
out
there
that
are
are
quite
popular,
like
a
license.
Expression
parsers
that
that
you
know
solve
very
small
segments
of
the
spdx
back
but
I'm
not
aware
of
any
libraries
other
than
the
the
unmaintained
one.
G
A
And,
and
just
for
everyone's
information
I
didn't
make
this
clear
at
the
beginning.
This
is
specifically
for
spdx
libraries
in
this.
In
the
context
of
this,
the
intent
of
this
group
is
not
to
focus
solely
on
spdx,
but
at
this
moment
we
are
aware
of
Need
for
spdx
Library,
specifically,
there's
no
reason
we
couldn't
put
similar
funding
proposals
through
for
something
with
Cyclone
DX
related,
for
example,
crazy.
G
A
Thank
you
and
okay.
So
here's
kind
of
what
we
wanted
to
do
next
is
we
found
out
recently
that
the
openssf
tack
has
some
funding
available
to
it
for
discretionary
projects
and
so
I've
added
the
particular
ask
for
the
the
python
Library,
specifically
just
the
python
Library
Kate
has
the
proposal
and
I
I
want
it
to
go
to
the
next
hack
meeting
and
ask
them
to
pay
for
this,
and
that's
kind
of
where
we
sit
at
hang.
C
C
B
Technically,
it's
not
in
the
text
position
to
entirely
approve
full
stop,
but
it
is.
There
is
a
budget
allocation.
The
tech
can
recommend
proposals
to
that
right
now
that
that's
something
that
we
as
staff
in
the
tech
could
agree
to
move
forward
with
within
the
current
bounds.
There
are
conversations
about
future
approaches
to
funding
that,
but
there
is
an
existing
allocation
here.
I
don't
mean
to
refute
you.
B
There
are
some
better
ways
that
we'll
do
this
in
a
more
systematic
way,
but
today,
I
think
there'd
be
a
relatively
fast
path
if
the
tech
believes
in
it
to
be
able
to
to
get
these
things
funded.
So
I
think
I,
think
focusing
on
a
well-justified
lean
proposal
from
for
for
for
work
to
do
would
be
would
be
incredibly
useful
here.
C
C
C
A
All
right,
we'll
figure
out
what
that
means,
that
was
in
the
tech
channel
on
Slack,
and
it
came
up
like
last
week,
I
think,
but
whatever
we'll
figure
it
out,
I'm,
not
that
worried
about
it
all
right.
So,
let's
move
on
then
so
the
next
item
I
have
is
just
next
steps,
and
this
is
where
Kate
has
started
to
kind
of
construct.
A
But
fundamentally
this
group
has
the
like:
there's
I,
don't
have
a
good
answer
for
where
we
go
next
and
I
think
that's
up
to
the
people
willing
to
do
the
work.
The
only
thing
I
do
know
is
I
want
to
Define
this
as
kind
of
a
for
anyone
who's
ever
been
in
the
agile
world.
There's
like
a
pig
and
chicken
model,
where
there's
kind
of,
if
you
think
of
breakfast,
you
know
the
chicken
is
involved,
but
the
pig
is
committed
and
I.
A
Think
one
of
the
things
that
has
held
up
some
progress
and
in
other
working
groups
and
sigs
I've
seen
is
what
I'll
call
Chicken
bombing
where
people
come
in
with
grand
ideas
or
suggestions
and
then
they
disappear.
And
then
nothing
gets
done,
and
so
I'd
like
to
make
sure
that
the
people
like
working
on
the
Sig
are
working
on
the
Sig.
A
I
I
This
is
the
first
I've
heard
of
it,
and
I
participate
not
only
here
but
also
in
spdx,
and
so
this
all
kind
of
came
out
of
left
field,
and
so
I
would
love
it.
If
we
could
just
sort
of
come
up
with
some
sort
of
at
least
rough
plan
that
we
can
then
follow
through
on
and
then
use
that
as
sort
of
a
chicken
bombing
barrier
so
to
speak.
Yeah.
A
Well,
that's
completely
reasonable.
The
the
python
talk
came
out
of
a
meeting
in
in
Austin
during
the
the
open
source
Summit
we
had,
and
so
it's
yeah
I'll
I'll
take
the
blame
for
that.
We
should
have
documented
it
somewhere.
More
clearly,
I
mean
this
is
also
just
part
of
growing
pains,
I.
Think
for
a
group
like
this.
We
don't
we.
A
I'll
put
a
link
to
a
document,
it's
linked
from
somewhere
else.
We
have
a
lot
of
documents.
This
has
kind
of
you
look
towards
the
bottom.
It
says
our
proposed
approach
and
that
came
out
of
Brian's
write-up
after
the
White
House
meeting
and
so
I
think
that's
kind
of
where
we
want
to
start
and
then
it's
just
a
matter
of
putting
some
structure
around
all
this,
but
I
I,
I
I,
think
your
complaint
is
completely
valid
and
thank
you
David.
Do
you
have
something
to
add.
H
Yeah
completely
well
a
very,
very
specific,
ask
I
guess
which
is
a
number
of
people
starting
to
ask
me
hey.
You
know,
I
hear
about
this
s-bomb
thing
and
I've
been
telling
people
it's
really
best
that
be
generated
during
build
during
during
development.
Great
okay,
where's,
my
open
source
software,
s-bomb
generator
that
I
can
stick
in
and
I
don't
I,
don't
know
that
I
have
a
good
list
of
those
I
mean
I
know
that
Angkor
has
one
I
know.
F
Right,
this
is
something
where
I
think
Alan
I
want
Alan
to
sort
of
speak
on,
in
the
sense
that
we
were
talking
about
doing
this
underneath
his
working
group,
but
that
really
hasn't
started
yet
and
I
don't
know
if
we
want
to
be
having
duplicate
efforts
simultaneously
in
many
places
or
not
is
what
I'm
concerned
I'd
like
to
deconflict
this
early?
Let's
put
it
that
way.
Excellent.
E
E
I
can
share
some
preliminary
thoughts,
we're
trying
to
sort
of
get
some
summaries
put
out.
Some
low-hanging
fruits
include
hey,
let's
have
collections
of
s-bombs
to
sport,
tooling,
let's
supporting
the
Thule
Marketplace,
let's
set
up
plug
fests
and
then
the
longer
term
is
going
to
be
identifying
what
are
some
known:
obstacles
to
interoperability
and
tackling
those
head-on,
and
then
the
last
piece
that
also
might
be
an
early
low
hanging.
E
Is
that
is
that
so
so
that's
a
pretty
broad
agenda
it'll
take
us
a
while
to
get
through
all
of
those.
So
there
are
a
couple
of
things
one
you
can
say
Okay
based
on
that
agenda.
We
will
take
that
and
we'll
move
quickly
on
it
and
another
approach
is
to
say
hey.
This
is
a
good
you
guys
move
forward
based
on
the
broader
landscape,
because
it's
we
have.
You
know,
tool
providers
and
Commercial
staff
in
blah
blah
I'm
quite
open
to
whatever
you
think
is
best.
D
That,
in
our
in
one
of
the
documents,
security
use
cases,
we
did
break
out
types
of
response,
but
to
you're
kind
of
the
broader
Point.
Here
they
are
not
defined,
really
and
I.
Think,
even
just
in
some
very
superficial
attempts
to
put
some
parameters
around
some
of
those
types
illuminated
the
fact
that
they
need
to
be
fully
defined
and
put
into
their
own
sort
of
like
Railway.
F
I'm
willing
to
take
the
action
item
to
move
forward
on
this
to
put
a
straw
man,
one
pager
talk
together,
which,
with
the
definitions
of
the
types
of
s-bombs
that
I
think,
are
being
used
right
now
and
if
people
want
to
go
in
and
comment,
we
can
at
least
start
this
off
and
then
maybe
that
compete
into
the
efforts
that
Alan's
doing
down
the
road
as
things
are
move
forward.
But
they
still
that
way.
A
Yes,
absolutely
I'm
going
to
put
a
link
in
the
in
the
chat
also,
so
the
this
is
a
bug
that
I
forget
who
even
started
the
discussion,
but
basically
Apache
the
the
Apache
software
Foundation
wants
to
generate
s-bombs
for
their
stuff,
but
they
are
looking
for
guidance
and
they
specifically
Mark
Cox
Who's
down
on
the
bottom.
He
and
I
go
way
back.
He
reached
out
and
said
hey.
Can
the
openssf
provide
guidance
for
like
what
are
the
expectations?
A
What
should
we
do,
and
so
I
think
Kate
if
we
can
frame
that
kind
of
in
that
context,
invaluable
I
think
especially
like
in
from
the
perspective
of
like
this
is
what
an
open
source
project
should
do
and
then
I
think
we
can
tie
that
to
David.
To
ask
of
a
list
we
could
even
provide
like
here
is
how
you
can
accomplish
this
with
these
tools,
and
then
you
know,
give
some
good
examples,
because
I
think
it's
one
thing
to
list
some
of
these
tools.
F
C
You
we're
jumping
back
into
the
conversation
on
the
question
of
taxonomy.
Isn't
common
terminology
I
actually
started
that
started
a
project
to
try
and
do
that
I
guess
a
year
and
a
half
ago,
almost
two
years
ago
now
it's
on
my
repo
getaway
called
supply
chain
synthesis.
It's
a
bunch
of
work
there
on
common
taxonomy
as
links
to
other
projects.
If
that
is
a
useful
starting
point
for
this
group,
I'm
also
happy
to
move
that
repo
into
the
open
ssf
into
this
sig.
If,
if
folks
are
interested
in
it,.
C
F
C
E
So
Ava
as
you've
described
it,
it
sounds
like
something
that
I
should
read
digest
and
will
probably
need
you
to
hand
hold
me
to
understand
some
of
it
as
you
describe
it.
One
of
the
things
that
I
want
to
make
sure
that
we're
not
sailing
directly
into
is
a
proposal
to
solve
everything
with
a
capital
e,
and
so
how
can
we
use
the
framework
that
you've
laid
out
to
say
let's
focus
on
this
problem
and
then
make
sure
that
we've
sort
of
left
room
to
interface
with
the
other
stuff?
That's
coming.
C
Yes,
absolutely
that
was
avoiding.
That
was
part
of
my
goal
when
I
started
work
on
this,
but
by
sort
of
building
a
map,
I
thought
I'd
be
able
to
navigate
the
complex
space
of
everyone's
different
terminology
a
little
bit
more
easily,
and
it's
helped
me
I'd
be
happy
to
give
folks
a
walkthrough
of
it.
Not
today,
I
haven't
prepared
for
that.
Maybe
maybe
next
meeting-
or
you
know,
set
up
some
time
outside
the
series
to
do
that.
Foreign.
F
H
F
F
We
want
to
see
in
terms
of
types,
but
you
know
there's
a
lot
of
discussion
that
happened
in
that
Community
to
come
down
with,
you
know,
produce
after
creation.
You
know,
produce
and
consume
and
transform
as
the
different
types
that
were
being
used
and
then
there's
like
say:
there's
one
here
for
cyclone
and
so.
F
B
H
H
F
So
if
there's
a
lot
of
tools
that
are
inside
phone,
DX
and
spdx,
for
instance,
you
want
to
probably
be
able
to
look
at
both
of
them
from
that
context,
and
then
you
know
here's
the
installation
instructions,
but
if
people
come
up
with
the
functionality,
a
location
and
installation
how
to
use,
we
can
leverage.
What's
there
cross
check
it
with
what
is
there
today
and
is
it
still
accurate
and
then
and
as
people
have
gaps?
C
Would
I
I
love
this
idea,
I
think
moving
it
out
of
both.
You
know,
out
of
Google
doc,
out
of
my
repo
into
a
standard
location
in
this
working
group,
fantastic
that'll
help
solve
the
problem.
You
brought
up
David
like
it's
stale,
because
it's
fragmented
right
now
in
different
Google,
Docs
put
it
in
one
place.
We
can
bring
attention
to
it,
but
also
propose
we
put
this
in
a
machine,
readable
format
like
markdown,
fine
or
yaml,
so
that
it
can
be
turned
into
different
sorts
of
web
pages.
Different
resources
can
read
it.
B
H
H
B
A
A
A
A
F
B
F
C
C
F
C
F
F
Okay,
then,
let's
see
if
we
can
make
that
template
actually
start
to
play
together
and
put
the
template
now
so
I
think.
Maybe
the
goal
then
is
to
bring
about
the
template,
we're
proposing
to
this
group
to
make
sure
everyone's
roughly
comfortable
with
it,
and
then
we
will
start
to
populate
it,
and
then
we
can
look
at
tooling.
On
top
of
it
later.
H
Yeah-
and
this
is
Dave
wheeler
happy
to
to
give
a
hand
as
well
I
guess,
FYI
of
the
whole,
the
Landscaping
stuff
was
actually
originally
developed
by
Dan
Khan.
So
you
know
it
really.
My
experience,
the
key
thing
I
think,
is
to
figure
out
what's
the
main
layers
and
information
you
care
about,
because
there's
a
million
ways
you
can
divide
it
up,
but
what
matters
well.
F
H
F
B
A
C
C
F
B
A
C
H
F
B
F
A
F
What
sorts
of
tools
we
want
to
see
where
we
want
to
see
gaps
and
so
forth?
This
came
out
of
the
discussions
in
DC
and
one
of
the
things
that
people
seem
to
both
mostly
all
agree
on
in
the
room
is
starting
to
have
the
discussions
about
what
are
the
use
cases.
We
all
agree
on
that
are
relevant
for
security
here
and
getting
them
documented
as
a
place
such
that
we
can
assess
whether
the
tools
against
them
are
doing
it
or
not,
and
are
able
to
satisfy
the
work.
These
use
cases.
H
H
A
F
F
On
the
spdx
side,
we've
worked
through
a
variety
of
them
over
time,
too,
some
of
which
were
documented
on
wikis
and
so
forth
that
having
a
set
from
the
security
perspective
of
exactly
which
use
cases
we
want
to
be
able
to
handle
I.
Think
we'll
scare
give
us
a
common
ground
of
framework
to
talk
about
things
from.
F
I
F
F
I
suspect,
there's
a
few
I
want
to
add
to
over
time,
but
I'm,
focusing
on
the
other
one
right
now
and
then
I'll
as
soon
as
you
guys
get
the
first
pass
going.
I'll
take
a
pass
there
too
after
that,
as
well
I.
Think
this
group,
as
well
so
maybe
in
three
in
three
meetings
time.
Maybe
we
can
sort
of
go
through
the
use
cases
as
a
group
or
something
like
that.
F
F
F
B
D
I'm,
just
out
of
curiosity,
would
this
be
the
appropriate
place
to
introduce
like
I
mean,
because
the
way
that
I
had
started
approaching
this
particular
document
was
just
thinking
about
use
cases
independent
of
any
pre-existing
use
cases.
So,
while
pre-existing
use
cases
are
established,
would
this
be
the
appropriate
document
to
propose
new
ones,
cool.