From YouTube: Security Tooling Working Group (January 31, 2023)

A: It's five after, let's get cracking. Oh okay, so for everyone new here, this is technically the Security Tooling Working Group meeting, but we've hijacked it for SBOM Everywhere, and so it's actually the SBOM Everywhere meeting. Unless someone has tooling topics, and then we could talk about those for a few minutes, but fundamentally it's SBOM Everywhere. Which is why, if you look at the agenda, which I'll paste again, it asks you to sign.
E: I'm looking forward to that. Yeah, so we just wanted to quickly debut OpenVEX. So this is a new specification that we're launching today, actually, and probably most of you have heard of VEX: the idea that you can comment on vulnerability findings and have a machine-readable format for deciding a status for the match between a vulnerability and a package.

E: What are the minimum requirements for the VEX concept, and to try to bring some alignment and consensus around how VEX is going to be used in the industry. And so we're hoping that we can really leverage the agreements from those meetings and discussions to create something that folks really enjoy in terms of VEX workflow. And so we've launched something called OpenVEX, and what is that? It's a specification.

E: So it's literally like, what should the JSON look like? But it's also more than that. We feel that a really big factor in the success or failure of a spec like this is: is there tooling to go along with it? Can you get your hands on something? Can you begin to try it out? And so we also have... you can go to the... actually, let me just show you this. There's an OpenVEX GitHub org now, and that's probably a better thing to speak to at this point.

E: That's perfect, okay, cool. So yeah, you can go to github.com/openvex if you're not already there, and this kind of breaks down what we are talking about. So there is a specification that has its own repo; there's a Go library so far to parse and then write out and do some transformations on VEX documents using Go. Hopefully there'll be more languages supported soon, and there are also tools that are meant to kind of demonstrate what VEX can be used for: things like creating documents, and benefiting from prior VEX analyses to filter scan results. Those are the sorts of things you can do right now. We have one kind of flagship tool called vexctl, but we're hoping to add more tools soon.

E: I think the other thing that's really important to us is that we're working with the community, so we already have buy-in from other companies that we're really excited about. So we have Chainguard, Google, Anchore, VMware, hopefully more soon, but we've already talked with folks like the Grype team about adding native support for OpenVEX into Grype, I think, which is a super compelling use case.

E: And so I think one of the things that we're hoping happens soon is that, as this community starts to grow, we're getting a lot of iterations on this concept and we're seeing really early on if the ideas kind of encoded in the OpenVEX spec are going to work for folks or not, and what adjustments we can make. But I think our big hope is that this really becomes something that adds a lot of value and addresses one of the problems we've seen, which is, as we talk to folks about VEX, what we tend to hear is that they've heard about it and it sounds cool, but they're not aware of a lot of adoption for it yet. And I think that's the big thing we're trying to change with OpenVEX.

E: This is the specification itself, if you're interested. Let me just scroll down to one thing, just to make it kind of visual here. This is an example of an OpenVEX document, just so you have a picture. And I think I'm going to hand it over to Puerco, who's on the call too, to make it a little bit more concrete, but that's the overall idea of OpenVEX: a way to do VEX that's minimal and tries to get a lot of feedback loops with the community going to make it more successful.
G: I hope that terminal really is big enough. I don't know, I cannot see it. Your video screens... but it's a bit smaller. Let me know. All right. So, as I mentioned, we have this tool already created to work with VEX documents. It's called vexctl and it allows you to do a couple of things.

G: So the first one is it lets you create new documents, which, more than create, is more of a way to let you scaffold a new one, so you can start moving quickly with it. So if we demo this document here and then I run it, it's gonna produce this document for me, using this product, which is the subject of the VEX statement, then a vulnerability and then a status. So I just produced a document that says, okay, this package is fixed for this vulnerability. The status could also be not affected. As a reminder, VEX is going to be the companion: so if you want to know more about the software artifact itself, you can go and refer to the SBOM.

G: Then the other thing it lets you do is it lets you merge documents, and the purpose of merging documents is because VEX is supposed to be generating documents constantly, all of the time. So you get a new one as new impact knowledge evolves about the vulnerability and a software product. So if I pass it the two documents, what it'll do is it will combine them into one document that captures all of that knowledge. So just going to one of them, it lets you see that it's a single document issuing one single statement, and then, when I run it through the tool, it combines them into two. And then finally, well, not finally, but the other thing that it lets you do is start creating attestations out of the documents.

G: So once you have that document ready and you need to sign it and also attach it to an image, vexctl lets you attach the document. So I have this document already prepared talking about a bunch of container images. So if I just pass it through vexctl, it'll create this in-toto attestation. It is smart enough to understand that I'm talking about images, and it transforms all of the references, in purls or image references, into attestations expressed in container image references, and then it embeds the OpenVEX document in the predicate of the attestation. And this is already also integrated with Sigstore. So if I pass the sign argument like that, you cannot see it, but my browser just opened the standard Sigstore flow and I'm authenticated with my Google credentials.

G: It produces a signed attestation, and it also has the attach flag, like this. So if I pass it attach, it's gonna go and attach the attestation to all of the attested images. And finally, the one I'm not gonna demo, because I don't have something to show it for, I don't have documents to work with right now, is filter. What filter lets you do is the final piece of the VEX workflow. Once you have a scan report, and a vulnerability list in a VEX document, it lets you filter the scan report through vexctl and switch off and remove any false positives found in the report. Currently we have this working with SARIF. So if you have a tool that supports SARIF, it should be able to be piped through vexctl, and we are working to support each of the major security scanners' proprietary formats so that we can turn off the false positives using VEX statements.
A: Awesome, thank you all so much. And I know we have Justin here from CISA, and CISA is kind of the driving force behind this. Justin, when does the VEX doc come out from CISA? Do you know off the top of your head, by chance?
B: At the earliest it'll be about two weeks from now, we're hoping. We had our weekly VEX meeting yesterday in an attempt to just work out some last-minute edits, but the process, the internal process at CISA once we turn it over, because we will be posting on our website, it has to just go through a few different policy reviews through our external affairs team and things like that, and then get the 508 process; that usually takes about a 14-day process. So hopefully two, three weeks at the most.
A: Awesome. And then Dan, you have a question.
H: Yeah, sorry if it's a dumb question. The spec, the OpenVEX spec, I just noticed it's under a CC0 license. I don't see any other information about its license or provenance or IP regime under which it was developed, other than the note to say it was developed by Chainguard and Google and some other folks. So what's the situation? Is this planned to be contributed into OpenSSF? Will it be reissued under the open specification license, or what's the deal with the spec, I suppose, is my question.
G: Yeah, we had the same comment from the Linux Foundation about the licensing of the spec and we already started working with them. If you see in the governance document, we already have the documents of the proper license that we're going to be applying, probably today, because this just merged yesterday. And yeah, definitely we would like to pursue donation at some point. Let me tell you that.
A: Awesome, awesome, all right, good deal. Well, thank you all, that was fun. Next up we've got Sarah, who has, I think, a pretty generous-sized topic today. So just to remind everyone, at the end of the last meeting Sarah generously volunteered to start putting together kind of, I don't know, a proposal, I don't know what we'd call it, but a document kind of requesting from the OpenSSF members resources to help with SBOM Everywhere, where we talk about going out to projects and working with projects to create SBOMs.
C: Here we go, all right. So I thought about this idea of how we could send up a proposal to the TAC and to the governing board to help activate the companies who are interested in this work stream of the mobilization plan and want to financially, or with resources, support this initiative. And before I could get started on the proposal, while I was ideating how to put together that request, I saw what Probe had done with the Education Special Interest Group, and he had put together a GitHub where he gave an overview of, and I can share this with you, but he gave the overview of what the Education Special Interest Group was doing, and he, you know, talked about how it aligned with the mobilization plan, had links to the mobilization plan, and then he put together a proposal of how they thought they would accomplish that.

C: So let me pull that up and I'll share my screen. And what I wanted to do was get feedback from the group on whether we feel like this is a good idea, to frame our proposal up in a similar way, so that when working groups are taking on something from the mobilization plan, it's coming up to the TAC and to the governing board in a consistent way.

C: All right, so this first one, this is a lot like the document that Josh and team have been working on the last, you know, couple weeks: what motivates us? What's our objective? What's our scope? So we could take all that work that Josh and team have been doing and actually put it in here: how to get involved, prior work, when do we meet, that sort of thing. They have a link to the mobilization plan. They also have a thread on how they are pursuing accomplishing the problem space around that plan, and then he goes into the proposed plan. So in this situation, they want to collect and create content, they want to expand training, they want to reward and incentivize developers and maintainers. And then this proposal summary is something that I really like, and I don't know if I have it... I'm going to open it up and see. The proposal summary I thought was really impactful because it kind of goes into each one. Okay, for collecting and curating content, you can go there for more information, but then here's how they put together time and resource estimates; same thing for what's involved in expanding training, and then what's involved in incentivizing and rewarding developers and maintainers.
C: I wholeheartedly agree and I do not want to reinvent the wheel. I just want to reuse what he's done and then just put in content that's specific to our work stream, yeah.
C: Yeah, and as an observer to the governing board, you know, I've attended the meetings and I've listened to how they're talking about operationalizing things. They have the TAC attending, and so there's a lot of things being fleshed out operationally in the OpenSSF, and so one of the things I think, organically, that we can do as a community is, where possible, approach this challenge in a consistent way. That way it's bubbling up through the TAC and the governing board in a consistent way. And then, you know, as we need to change or modify things we can, but no need to be a special snowflake without a good reason to be.
C: To my knowledge, so that actually came from... it's all the link posted for review: "hey, I want the TAC to review this." So I don't know if it has gone through the TAC's review process. I think it would then probably need to go up through the governing board and there'd need to be some sort of decision made. You know, and then, as the OpenSSF is looking to help, you know, fund or provide oversight, product managers and all these things that they've been talking about doing, reporting, to kind of help with that infrastructure for operations, I think that this is going to kind of force some of those... continue to have some of those conversations about how we do that. So my guess is no, nothing's actually dropped yet.
H: You have a question? Yeah, I was just wondering if you could provide a tiny bit more context on: is this part of the overall goal of the work stream, to get the word out to, you know, education of developers? Are there other activities that the work stream is involved in that don't fall underneath the funding request umbrella, which are also part of that area? You know, I was just wondering if you could put this in context for me, sorry, yeah.
C: All right, so kind of going to the source: there's this document called the mobilization plan that went out. It has each one of these work streams, and, well, let's see if I can go to the education one. Okay: "deliver". This is what Probe was trying to do: deliver baseline secure software development education and certification to all. And so it just was a paragraph and a cost, and that's it. This was published back in May, and so how do we... how would then a working group take that paragraph and go execute on it, based on the expertise and the community that's showing up to a working group that's aligned with education? And so we're kind of doing the same thing around, I think SBOM Everywhere is stream nine, yeah: two paragraphs, a cost, and a TBD amount per year beyond. So one of the things we've been talking about is, how do we take this and put together a framework that we can use within the Security Tooling Working Group to execute on this work stream in the plan, and then how can we get the word out so that if there are people at companies like Dell, for example, because that's one of my jobs, to make sure that we are internally organizing ourselves in such a way that we can support the mobilization plan: where can I send committed resources or funding to? And right now those connections aren't really clear, how we can really activate different companies and their resources that are participating in the OpenSSF to really come and get some traction and have some movement on these different work streams. You know, kind of what's our scope, what's our mission, how do we want to accomplish this within the working group, and then what do we think that we'll need, and then bubble that up through the TAC, through the governing board, and then that word can get out to each of the companies who are participating, or even individual contributors who want to participate, to say, yeah, I want to participate as an individual or representing my company, and I know exactly how to do that and where to go.
A: There has never been like a formal way for OpenSSF members to connect resources to projects, and there's just a bunch of structural things around that, I think. And then the other piece of it I think that we need to do is we need to actually have a list of stuff, because there's nothing more depressing, when you want to help, when you show up and say "let me help" and they're like, "oh, come to the meetings." It's like, that's not helping, I want to do something. And so I think that's the second piece of this, and the thing I think... well, Sarah's kind of putting the meat on, or I guess the bones together. Initially we'll start, the rest of us can start building like things we want to see done, like what are projects, and we cover this in the... let me find the goals and purpose document. Oh, for crying out loud.

A: My Google Docs is just not happy with me today, but this, okay, it's got... is this right? Yeah, it's got, I don't know what, like instant change. It doesn't matter, but we have in the approach, we talk about some ideas of doing things like sending people to projects to do the work, not asking nicely, which never works, but there's a bunch of ideas. And so this is kind of the piece I think we can all work together on, is just some... what do we need to do?
A: No, I don't think so. That document actually is in pretty good shape and we've been hemming and hawing over that for over a month now, and so I'm comfortable saying, unless someone has like egregious edits, that that's good to go. And so I think you can take that content and incorporate it into what you're doing with a high degree of confidence.

A: So I'm good with that, and that's linked to from the notes under "current documents in flight", which I'm going to skip over, since the SBOM Everywhere goals and purpose, everyone here has read it, I think it's in good shape, like we've gone back and forth. The landscape funding proposal needs eyes, but we'll do that next time, probably. I need to go through it.
A: I haven't looked at it in probably two weeks, but I think the thing I want to do now, with the time we have and the people we have, is the resources we want to work on. I think that would be an interesting conversation to just start getting some ideas. Like, for example, I put something in here called SBOM examples, and a little bit of background to that: there is an effort going on in SPDX right now which is around quality of SBOMs, and their focus is they want to make sure that the actual content in the SBOM is well structured and good, and they're looking at how to measure that and what defines that. But I think from this group's perspective, what I want to see, and no one has done this, and I talked to them and they're not interested in this in SPDX right now, but like, I want to see: I'm an artifact, this is what I expect to get out of it, right? Rather than "I expect a well-formed SPDX." I think that's for SPDX to deal with, but I would love to see golden examples. Then we can point scanners at that. We think, if you look at the goals and purpose document, we talk about going out to like some open source projects and offering to help them create SBOMs, not saying "here's some tools," but literally doing the work. And again, this is where we connect the people to the work, but I'm curious if anyone has thoughts or ideas on that.
I: Well, there's the NTIA checker, and it only works for SPDX, but okay, it's not difficult to run that again for CycloneDX as well. But there must be a minimum set of attributes of a package that you need, and then there are other things. Now, there's lots of issues, but actually just start with a very low-hanging fruit and then get that and then move forward, because you can already see on SPDX the difference. People are generating SBOMs and they've all got different strengths and different weaknesses, and they're all compliant.
G: Yeah, well, the NTIA minimum elements set like a base quality, trying to address the most common uses of SBOMs, but yeah, there are other factors which are not covered by that, such as, for example, structure, and also ensuring that we are capturing parts of the software required to do operations on the edge. So, and I deal with container images a lot, and then we had this big discussion on whether the SBOM should capture, inside of its structure, not only the components but also the layers and the images themselves, which a lot of tools are missing currently. And so, yeah, I think we are seeing this discussion about quality more and more. I was going to present about that at CloudNative SecurityCon tomorrow, but I couldn't go, but we have a lot of presentations about those things happening. If you pay attention to FOSDEM, there's going to be a couple of them, and I think I saw something at CloudNative SecurityCon from others presenting on the same subject as well.
A: The perspective we have in this group, Anthony, is: we don't want to do the work if SPDX is doing this, if CycloneDX is working on something similar, which I suspect they are somewhere, I don't know about it. We don't want to get involved, like let them do their job, let them do their work, and then we can help spread messages and help. For example, let's say SPDX says, like, this is the new minimum expected standard.
I: Yeah, but I still think we need to look at the consumers rather than the generators, because, yes, and that, I think... I totally agree with what you're saying, just in terms of it's not the purpose of the group to actually create the tools, but actually it is to canvass the community of SBOM users, which is what SBOM Everywhere should be looking at. So actually, well, what do they need? And, yes, you can use it for vulnerabilities, you can use it for license management.
A: We definitely are, a hundred percent. Now I will say, if you look at the goals and purpose document for SBOM Everywhere, that is described in several places, where there is an obvious focus on creation and consumption, and I think capturing consumption is going to be slightly harder. One of the goals, one of the things we want to do as part of that, is just create a landscape of like SBOM everything: who are the consumers? What are the tools consuming it? What are the tools generating it? What are the formats? There's so much going on that we can't all keep track of. I mean, almost every meeting I learn about something new I didn't know about, somewhere in the SBOM universe; it's just so big right now. And so you are correct, but I think, given the talent we have at the moment in the OpenSSF, we can probably accomplish the most in terms of generation today, and so I think that's where we'll probably focus on.
I: You know, two quite big sectors which clearly would need SBOMs, to see what they would actually use them for. And the discussion about VEX as well would be interesting, not to mention the difference between the US and Europe as well, because there's obviously going to be different perspectives as well.
G: Can I do like a quick commercial, Josh, if it's okay? So yeah, I'm part of the organizers of the FOSDEM SBOM devroom, so Anthony, I'm happy to hear all of your concerns; we're gonna have an open discussion to hear about questions and answers, and yeah. So if anybody is interested in this subject, then, since it's going to be around for some time, please show up, check out the agenda. We got assigned a full day's worth of slots for our presentations, so please be there.
A: Awesome. Dan just asked in the chat, do you know, is there any remote anything for that?
J: There's a live stream normally; I'm not sure if it will go to our room. So normally there is a live stream on video that follows them; that was basically live broadcasted. It depends highly on the room where we're gonna be in, whether the audio is good or bad. It really depends on the room and which person we get to technically support our audio, but it has become better. They actually improved their open source setup; they have now three mics in most rooms. So, but there's no chat or anything.
A: Perfect, I'm very excited now. Cool, and whenever that happens, I will figure it out from somebody, or anyone here who can just put a note in the agenda doc, and we can just let everyone know, because I'm sure there are many people hanging out in the Slack and on the mailing list that would love to watch the videos. Okay, okay, so we're kind of running ourselves out of time, and so, in the agenda...
C: Yeah, I'm always up for help, so we would just need to, if anyone's interested in collaborating on that, you know, we can divide and conquer pages, and, you know, it'll go twice as fast or three times as fast, but I'm going to do it either way.
A: This is great, awesome, good, okay. So as part of that then, I guess, let's consider the SBOM Everywhere goals and purpose at least a 0.01, right? We're done nitpicking it. Like, any content in that you're welcome to take. There is a note at some point, "yes, old content below this," obviously don't use that, but everything above is fair game. Okay, so Sarah's going to do that. There's the landscape funding; it needs a review, that'll be me. Ivan, I don't even know what state that's in. Kate and I worked on it a long time ago, and we need to get back on it. And then just for anyone who's new and hasn't heard: there is a thing in the CNCF called the landscape, which is where they list like tons of cloud native everything: companies, tooling, pick a topic, and we want to do that for us, but we need money because we're gonna have to pay someone to do it, because just getting it stood up is difficult. Once it's stood up, it'll hopefully be easy to keep alive, and so we're going to ask the OpenSSF to pay for it, and I'm hopeful they won't.
C: I was going to start with trying to collect the projects that we know exist. So there's a lot of parallel efforts going on, in one place. And I think two weeks ago you said we don't want to do new work; we just want to make sure that we communicate what work is going on and how you can participate, and then we may discover that there are gaps, that there are opportunities that we do want to do some work in, like talking to downstream consumers of SBOMs or something like that. But I was going to start with what we know about and then go from there. Okay.
A: All right, that's fair! So let's just put that on hold for the moment, so let's not brainstorm anything yet. I am probably going to put some effort into the idea I have of turning artifacts into content, because I view that as separate from the goodness discussions going on in SPDX right now, because from my perspective, I want an artifact that I want to get exactly these findings out of.
A: Awesome. I want to thank everyone for coming. This has been a lovely chat and I will see you all in two weeks. And Sarah, reach out on Slack; well, Sarah and Dan, I should say, reach out on Slack if there's anything, any questions, any help, whatever. Let us know. All right, awesome, thanks everybody.