From YouTube: SLSA Positioning Meeting (January 10, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A
I'm relatively okay. My allergies are acting up today, so I am going to sound a little raspy, as you can see over here, I should say. Hopefully you enjoyed your break.
B
No, it was the first week. Yeah, I mean, I, I mean, in truth, I'm like running to get back because I, I don't handle the Devil's Playground. With me, I mean, I, I don't, I tend to get pretty bored.
A
He's in a pod, if I don't keep my mind occupied with something challenging, I get bored.
A
That's probably, my resume reflects that. I'm always trying something new because I just, you know, once I'm like, okay, yeah, this is nothing, like, okay, give, give me something else that's more challenging or something I've never done before. No, no.
A
I'm hoping other folks join. We did have a good discussion last week about the conference and several folks, it wasn't, it was like two or three people were, were on the call. I think one joined late, I forget his name.
A
A
So that's, that's what happened, and I've since fixed that, and so I apologized in the Slack channel. I'm like, hey, sorry, it wasn't on the calendar. I didn't realize, but it was on my internal calendar, which is why I, I started it up, and there was a couple of other people that had the same thing, where they had it on their internal calendar or they figured it was probably happening and just not on the calendar. Hi Kathy. Thank you for joining.
A
Happy New Year. Okay, let's, let me, let me get you all, hopefully other folks kind of trickle in, because there's, there's lots to, to talk about. If you can.
C
Sign. We normally don't attend the positioning meetings, but I'm trying to ramp back up with SLSA on the other side and all those things are conflicting. So I'm like, I gotta jump in something, yeah.
A
Yeah, we, we may change the, the time of this meeting, because the group that has inconsistently coming, yeah, is not the same as those that said that they would come. So, and we also would like to be a little bit more.
C
C
Yeah, that's tough. I think one of the meetings, the tooling meeting or the specification meeting, is at a really bad time for me, but that's the meeting I need to attend, so I'll get there, yeah. Actually it's.
A
Pretty funny, because this past Monday I had this, but I had put stuff on the agenda for the specification meeting to talk about that, yeah, and then my manager put something over that time slot for like the priorities for 2023 and things like that, and I'm like, that's the worst slot. I'm like, I'm sorry, I can't attend, you're gonna have to record. So I missed that meeting for first awesome meeting, because I was like, I can't, I'm on the agenda.
C
A
C
A
Okay, so I know, I think, hi Bruno, thanks for joining, and I'm trying to get my windows organized here so I don't have to like look all the way over there to see everybody and get my, my chat. If you can sign in, that would be nice, folks that just joined. Cedar fever season here, so my allergies are acting up. So if you see me disappear, I'm probably, you know, dealing with my nose, because it, this is the time of year that sucks to.
A
Okay, so I know Jay and Kathy, you were not here last week. Again, it's okay, because it wasn't on the calendar, and it was just an accident, right, that it wasn't on a calendar.
A
But what we did was we said, okay, we know 2023, we have buy-in from many different people that we're going to start aligning, prioritizing, same vision together, right, and one of the things that came up was conferences, right. How do we make sure that we are, as a group, presenting or have representation in these conferences? And so what we did the last session is we kind of did a high-level brainstorming of what could we do, not only as a positioning group but potentially even with the other group, saying,
A
Okay, you as a SLSA specification SIG, you should talk about the 1.0 update in detail, right. So that's not something we would do, but that's something that Josh and Mark potentially do. So we were thinking of more than just our group, but across SLSA, to figure out what could we submit, and we came up with this timeline to say, okay, will have a first draft of all of these talks by the 24th, we'll all review by the 31st, or, first draft 24th.
A
We need to review that, that drop by the 31st, because submission will be on Friday the 3rd, because I think it's due the 5th. So the timeline is coming up real quick for those submissions. It's a lot shorter this time around than last year, and so what I've done here is I've started to break out some of the ones. I didn't do the roadmap update, because, obviously, we don't have the right people on this call. Thank you for joining, Michelle, feel free to sign in. I know. Let me, where's the chat.
A
I don't know where the chat is. I've lost the chat. If someone can, oh wait, I found it. Yes, there you go. So my goal for today is to try to say, okay, what do we think we would talk about in terms of like a, an abstract at a high level? We did some of that brainstorming last week, but I think if we can start writing down some words for each of these, I think it would go a long way. So that's the focus on the call.
B
C
Think it's, I think it's a great idea. You know, for us also for beginners, and of course, you know, talk about the, the levels, you know. What is it? What are the levels?
A
B
What conferences are we, are we, are we eyeing for the year?
A
So we don't have a, a roadmap for all conferences, because we haven't had that alignment or the supply chain integrity, right, and then across SLSA, just in general. But this one is the Open Source Summit North America, which.
D
A
In Vancouver. So that time we're like, okay, we know this is a big one. Typically OpenSSF is there, there's a supply chain security con there, so this one I suspect we would want to participate in, and for the other ones, I'm not sure, right. We would have to have that discussion with the Supply Chain Integrity working group to say, okay, what do you think we should prioritize, right?
A
We can't do everything necessarily, but, you know, what do you think as a group we can do? People can submit their own talks if they want, but as a group, as leads, as particulars or participants, what could we provide for, for this year? So yeah, so for, for this one, we talked about this last time. We talked about the business problem, like, you know, why. Why would someone care, right?
A
Because if you don't tell them the why, you're pretty much gonna lose them. The 1.0 launch, right now, it's 10, the, the RFC is going to be beginning of February, and then they're thinking of wrapping up by March 1st. That's the goal right now, so it should be well out there if we stick to this timeline for 1.0 launching. So, and then, you know, having potentially a roadmap, if we, if we coordinate with the Supply Chain Integrity working group, with SLSA, obviously the, the SIG leads as well as attack.
A
B
A
Yeah, it's supposed to be build level one, two, and they want to target for three as well. So that's what they're trying to go for by March first. Okay, there is a PR currently for, let me see, I think it's pool or high five five, I can't remember, there's a, like, 525 maybe, PR request that talks specifically about provenance. I have not had a chance to read that PR.
B
B
They pull provenance out completely and made its own thing now. I don't know if that was intentional. I don't know if that was just a work on it and then maybe put it back in, but I do know that privacy, prominence version 1.0 initial job, they pulled provenance out, and I'm, and I, and I, and I, and I think that had something to do with what we brought to them a couple of months ago.
A
A
What are the packages that make up the build environment, and not the application or the package that which you are building? But I've not gotten a response, because that was this morning, so I need to go through it, but I'm not 100% sure, like, what, what in 1.0 is officially launching. There is that proposal, and yesterday they said what they wanted to do was meet that proposal, at least the majority of what they set out to do.
A
But there's going to be a review, so I don't know if everything is going to be on that check box or not. So this is provenance, okay. So what do we think? Oh, I think for me.
A
E
Year it's in April and we may have already missed the CFP. I, I'm, but I mean, I, it, that would have been a great place to actually talk about SLSA, because the audience, I, here's the problem that I perceive that's happened with the direction SLSA is going, which is great, I mean, it's focused very heavily on developers and implementers, but not on CISOs, really, and CISOs hear supply chain security and they go and they run around and they go,
E
Let's buy us some of that. And like, that, that's not what this is. This is process, right, and with some tooling that maybe understands it, and there's a captive audience at RSA, right, of CISOs and security directors and things like that, and this, the opportunity is there to help them talk to and learn how to talk to developers, right.
E
There are other conferences like this, so we probably want to try to target them. If you have a, if there are BSides events local to you, those community backyard events are great. I have, just FYI, recommended, I've been working internally with the event coordinator for, in Google Cloud for RSA security conference and explained, I said, look,
E
We need to not just talk about Chronicle and, you know, and Mandy, that's great, but we also need to talk about SLSA, MVSP and DORA, and SLSA's right at the top of the list, right. So any content that we have that could be on a, you know, like talking points or associated blog post, I mean, that we can help push there, I'm willing to make that happen in our booth, yeah.
A
A
That's actually another reason why we said we think a month worth of time will give the tooling group and our group enough time to create blogs, to create the tooling required for 1.0, and if we can't meet the March 1st, we would just extend the RFC deadline so that we can get up to speed for the 1.0 launch. So we want to be in lockstep for all the, the different SLSA to groups, us and the tooling, to make sure everything is in order.
A
So we should, in theory, have it by RSA, even published, maybe a blog. It's definitely going to be on the website, etc. So.
E
By the way, there's more than one RSA, there's RSA also in Europe, and there's AppSec US, but there's also other AppSec events that we could target. I mean, they're all over the world, BSides all over the place. So that's what I would recommend, that was what I had on my content plan, is RSA, BSides and any OWASP event.
A
Oh yeah, I forgot about OWASP. Sorry. Okay, so yeah, we'll, we'll have to talk about that. That was a, an item that got brought up at the end of last year, like, which conferences do we want to target, but unless we know our vision as supply chain integrity, we can't even begin to plan that.
A
A
That's not to say that people can't submit their own talks, but, as you know, like I said, leads or maintainers, etc., trying to submit something for us, not as a IBM person. As an example, I'm an IBM, I'm not going to talk about the IBM story, I'm going to talk about my contributions and collaboration with the open source that has nothing to do with IBM, right.
A
Okay, any other questions? And thank you for that, Michelle.
A
Okay, so what do we think a good title or abstract for SLSA for beginners would be?
D
I'm gonna have something simple, like SLSA overviews, and think more funny, like the, the good and bad and ugly, whatever.
A
How do we make sure, other than, because I know they'll identify beginner? Also, it goes with all your apps. It's also the AppSec condiment. Oh nice, okay, and, and feel free to, to type in here. I don't have to be the only one typing by.
D
A
So if you have an idea, feel free to, to add them. How do we, other than the level, usually every talk has a level designated, like beginner, intermediate, advanced, how do we express that in the title? Because sometimes that's your first impression and the people aren't going to read the description.
A
A
D
A
Does everybody else agree? Yeah, okay, so I'm gonna take it out of the beginner's one. It's also the AppSec condiment, and it goes with all your apps. I'm trying to think, if SLSA is the AppSec condiment, what would FRSCA and S2C2F be?
A
This is like a sandwich of some sort, right, so I feel like a sandwich joke would be appropriate in the title, but I'm not, I'm not sure. Sorry.
A
Sandwich-ish channel, or maybe like a, H. We can't do guac because GUAC is something else, like guacamole. No.
D
A
Okay, it's salsa, not salsa.
A
E
A
Okay, let's see what else. It goes with all your apps. I'm trying to think, panel, and then the hands-on demo.
A
A
No, no, no, but by all means, because it says Anonymous so I don't know who's typing, but clearly you have an accident, so I'm gonna let you do your thing. I think for the content, the only thing about the content that we care about for the abstract is making sure that we cover high enough level statement that we could add extra things in there if we need to. As an example, right, so right now we're just talking about the business problem and why do I care?
A
Oh, and roadmap, right? We can talk about compliance and how it fits in, right. We can talk about the EO if we wanted to.
A
A
Yeah, no, I, I'm, I'm just, like, I'm making fun, because actually it should be S2C2F and then SLSA and then FRSCA, right.
B
A
A
A
We, we can, we can mention it in the description. I mean, we could say SLSA for beginners, right, and maybe it's.
E
So when you're doing CFPs, I think you gotta grab them at the beginning, and you could have a subtitle. So if you have the catchy one, like, you know, chips and salsa for beg, you know, beginner supply chain security or something, like, you have the catchy thing at the beginning, hook them, and then have the description, like the subtitle.
A
E
Can't hear you, Michelle. It's an introduction to protecting your supply chain, something like that, or supply chain security, like a model for supply chain security. Something like that, right, like interesting. Get them hooked, boring description, got it.
A
Got it, so definitely in the abstract we can talk about.
A
You know, SLSA for beginners, right, like it's intended for beginners or folks that want to get reacquainted, acquainted with SLSA, right, because what we don't want to, like, the more advanced people joining and then giving really bad readings for the talk, because they were expecting something more, right.
A
So you said something, can you repeat what, you know what, I'm not even gonna make you repeat, I'm just going to go over the recording later, because you said something, Michelle, that I thought when.
A
E
Remember, nobody's gonna know what the hell SLSA is, right, and that's the point. Like, so you want to say, like, you have the ab, the, the, the model name, right, you have SLSA, and you say, pick one of those, and then you say something about, it's about, you know, the basics of supply chain security, right, and then they're going to be intrigued, right. So you're saying, oh, what's, it's not spelled like salsa? What does that mean?
E
That sounds interesting, right. So you, you want to tell them what SLSA is, right, kind of in the title, which is, oh, it's about supply chain, because they're not going to remember, they're not, they've never heard of, like, a lot of people haven't heard of SLSA, right, and especially if you focus on, like I put here, so say, let's say you do, you go to BSides or you go to, you do it at RSA security conference. Okay, not, those aren't developer conferences, right, but you want crossover.
E
A
E
So the second FYI, so having been, worked on security teams and been a security architect, I will tell you, when they see NIST, that's like, you almost want to put that very close to the top, because that answers the regulatory question and the, the, you know. Like, any time you, a CISO sees that, oh, there's a NIST standard.
A
A
We planned on having other blogs about other references, but we never figured out the OSCAL thing, so we kind of put a stop to that. It was too much manual work.
E
I, I can tell you, some of those, like, assessment language formats, like, vendors might end up using it, but I, I don't know, like, I've never had the, an OSCAL conversation in an enterprise, I can tell you that. I have never, I actually had to look it up, and I remembered what you were, like, the, for the, the format and everything, like, but yeah, I've never had that conversation in an enterprise, I can tell you.
A
Yeah, I think, I think the, it's possible in an enterprise. This is just my theory here. The reason why OSCAL hasn't been talked to enough, because they're, I think NIST does use OSCAL, if I'm not mistaken, but I think in enterprise they're doing things so manually, and they're used to doing things so manually, that they're not thinking about, how do we scale this so that we don't have to waste time cross-checking all of these, you know, controls, this, that control. That's what OSCAL is intended to do.
A
Is you map the controls, and you can map that control to some other reference framework or whatnot.
E
I don't think that's it. I mean, every place I've worked over the last five years, they are trying to automate. Like, Capital One, for example, tries to correlate and automate a lot of this. I, that, we didn't, we never talked about OSCAL. I mean, maybe somebody brought it up, but I think you're more likely, in my experience, like, it's sort of like the SARIF format, you're more likely to have that conversation with a vendor. I'm just, just my, my impression, having worked on the enterprise side. Yeah, well.
B
F
B
One area will input, will have, will have inputs that are in one format. Another area will have inputs, another format, and it's supposed to produce something when you're, for the purposes of auditing, so that you don't have to, so that one person doesn't have to go to all these different places. All these different places can feed into one tool with their different format, and it's supposed to regurgitate some, or it's supposed to spit out something that's readable that says, hey, based on all of these inputs from all of these different formats.
E
I mean, IRM is like, I was having this conversation earlier internally, and IRM is like, everybody, you know, the single pane of glass, IRM, centralized dashboard, automating all these. It's just so, most places are so far away, because most of it is just a jumble of trying to get these tools to plug into each other. I mean, I, I mean, maybe I, I don't mean to sound like a negative Nelly, but having lived it in banking, I just, I.
B
I just think the tool hasn't been built yet that can produce the, the report or whatever it is that needs to be produced that uses all the information. I, I think that, I, I don't, I'm not saying that it's not good, I'm just saying that everyone I've spoken to, everyone I've reached out to about it, they all, it's like, there's no, there's no ending to the story. This, this is just additional questions. There's no, yeah.
E
A
Okay, I'm gonna reset. We went on an OSCAL tangent. I'm sorry about that, because I, I said we haven't been able to do that.
A
Okay, so I think we'll have to do some work on the beginners. I think it'd be good to try to come up with some other ones for the, you know, the, the three that are left. So the good, bad and ugly about SLSA, I think, is a really good one.
A
I don't know if you have any other ideas on this catchy title. Right now we know Red Hat can be a panelist. They have a claim for version dot one of SLSA. I think it's, is it level three, Laura, is that right?
A
For Red Hat, I thought pushed out an announcement for level three, it's also compliance, but that was for draft version .1.
F
A
Happened in like October-ish, November, around there somewhere. I remember, I mean, mentioning it. So Aaron from Verizon, I know he's done, he's done several about his journey in SLSA.
A
I have not yet asked anybody internally. For folks on this call, would there be anybody from your organizations, or organizations that you know, have done kind of that, we've done SLSA, demo to the broader community, that maybe we could reach out to? Because it'd be good to have different perspectives, right. Verizon's a telecom, right, Red Hat is pure open source software, so it'd be good to have different industry slash sectors participating so that there is a diverse point of view.
A
A
Yeah, and I forget what Aaron got to. I want to say he got to level three, but I'm not 100% sure. What level did you get to?
A
Was it level three? So yeah, we should probably record that. So Jay, do you know, as an example, Microsoft, right? I know at IBM we're doing something, but I think it's mostly internal. I don't think we have an official product that's been announced. I'd have to go double check. So my, does Microsoft have anything? I know, Bruno, you were going to check for, on your end, okay.
B
Yeah, that, this is still touch and go as far as SLSA is concerned. Inside of Microsoft, I know that, that there's been talk about a few, that's been talked, actually SLSA, FRSCA, GUAC, there's been a lot of talk about, about all of these internally, but I think, I think there are still, it's still touch and go with SLSA, mainly because there hasn't been a nail down yet of what, of where SLSA is going to land, version one.
F
F
B
A
F
B
Hang stuff on, on a, on a, on a maybe. I mean, I'd really like that. It helped, I, I, and I'm following, I'm following the GitHub site, I'm following all the conversations, because I'd really like to know too, for the purposes of what we're attempting to do, where we're gonna fall at a version one, because a large part of how we're trying to help position relies on that. You know, so, so yeah, that, that's where it's, from a Microsoft standpoint, we're trying to figure that part out.
A
Okay, Michelle, Bruno.
A
I, I, I, I know that Google has plenty of videos that say that they are level three, even, potentially even level.
E
Two. I'm looking at the slide, I actually looked it up while you were talking. So Google Cloud Build says level two. GitHub action, like, general, yeah, Google Cloud Build level two, there's a SLSA verifier and go.
E
D
B
Three, but that was like more towards the, more towards the internal, and then, like, there was nothing after the change, after the change over and, and decisions, and not to, to not have the level four, and then the breakup between build and source, and it.
B
A
A
No, no, no, I just know that I've seen plenty of demos or.
A
Claim level three, and so we, we could certainly, who, if, if there is a person, I think this is valuable perspective. If there is a person that can talk to, we used to, version dot one, if you see level three, but because of version 1.0 now we are, you know, level, you know, two for build, etc., right. That is an interesting story, because there are plenty of people that have gone down.
A
This version point one journey, and so they need to be aware that just because you were level three or level four before doesn't mean you're gonna be that come time when you revisit version 1.0. So I think that's a really, really valuable perspective, if we could find a person that could speak to that at Google.
E
Big deal. I mean, if you want, I mean, they talk a lot about SLSA internally, like a lot, so it's very, yeah, I. We probably did talk about it at Next, because we have products that we link to SLSA, you know, to say, hey, we're, so like, so we have that, but we, we also have discussions, like, about our product side where we're implementing SLSA ourselves, right, you see. So you do, which comp, I mean, I can have both, I can get both conversations.
C
D
A
D
A
Aaron, I think, Red Hat is product, Aaron is internal, right. So Google, it doesn't matter if it's product or internal, it'd be good to have a fourth panelist splog about SLSA working, comparing.
A
And I did get confirmation from Aaron. It was level two because of a constraint, GitLab side. If I, if I understand, GL is GitLab. So that, that's something that's good to talk about, right. It's like, well, I can't get past this because we're using x y z, and that thing, that tool, can't do, you know, this requirement of SLSA.
A
Okay. How much time do we? Okay, we have less than 15 minutes left, so I think this would be easy one. It's just more about the, right, the abstract will have something about, you know, experiences from.
A
E
We can't repeat that, sorry. There's something called Innovation Sandbox and Launch Pad at RSA security conference, and that's, that environment is ex, explicitly for the purpose. Like, I remember once I saw a bunch of TPM presentations at Innovation Sandbox, and that might be, I don't know if they do open source things, but it, it's worth maybe taking a look at, but.
A
Yeah, I've not heard of it. I think when we talked about this last week, right, we were hoping that would be more interactive, that it's not necessarily a website that you go to to do this, but that could be an option for those that don't have a laptop. So that's a good point. You know, maybe, for those without laptops slash dev tools, right, because there's going to be a bunch of different people. So we talked about, you know, a lot of people, especially, you know, people that want to implement SLSA.
A
A
A
A
No, and then I think for this, may need tooling group's help slash tools, right. I suspect that they, they have something up their sleeves, right, and I'm not sure if it's them that would be doing this, right, but this is kind of like a beginner way of looking at it. Maybe there's also an advanced version of the, the demo.
A
Yes, now I will say that Mike Lieberman had, was the one that recommended OSCAL, so he's the reason why we were going down that rabbit hole, and he is part of tooling. So if he does integrate it, fantastic, he is familiar with it and he's the one that recommended it at the beginning.
A
A
F
And go ahead. I said I like Michelle's dance reference to the, oh yeah.
E
What do you call, what do you call a salsa, like, you know, in tango you have some milonga, which is a group dance event. You show up and you can dance with anybody. Do they have that in salsa? Oh.
A
F
A
Yeah, I'll put a comment on it, it called weather.
A
But yeah, maybe the, the dancing, where'd it go? I think it was in your, in the chat.
D
A
Yeah, this one's.
E
No, there's a salt, there's a really bad movie, and like, it has like a really stupid title that you could riff off of, because it's, and some AppSec.
A
A
And I think, Laura, you just shared some slides. I don't think we'll have time to cover them. If you can put a link and we can cover it next time, I think that would be helpful. I think I saw a notice on, on my, on my phone that it.
F
Came in, yeah. It's just as Prime, as promised, but I, I had a overview, a SLSA overview that I did in May for internal to Red Hat, and I scrubbed it of the branding and, and left kind of just the basics, so that you didn't have to start from school, we wouldn't have to start from scratch, and then added, I just added a roadmap, a blank roadmap slide to the end.
F
I, I'll continue to working on, working on it, but I wanted to at least provide it. Okay.
A
It's also, yeah, we'll have to think about this SLSA hands-on demo, and obviously we can do this offline as well, right. If you come up with something, put it here, if you think of a really good abstract, put it here. There's no reason, again, that one person has to do it or that we even have to meet. I think now that everybody gets the gist of what we're doing, it's, it's easy to, to collaborate and do it offline.
A
So I think we do have to work on, on the hands-on demo title. The S2C2F, SLSA, FRSCA, that's part of the Supply Chain Integrity working group conversation, Jay, that we've been having, right, with Isaac. So I like the ketchup, mustard and relish, but I don't know if that's truly synonymous, or we don't really care, we'll just call it that, yeah.
B
B
A
Yeah, so I, I do like the, the, the title, so it really sounds like we need to vote on the beginner's one and then talk about this one. I think I like salsa with us, you know, the dance of abstract. Oh, what if it's salsa with us, oh, I see what you did. Is this the, the sub cap, caption or subtitle? Is that what this is, Michelle?
A
E
E
I just put in the document that BSides San Francisco, which is traditionally either the weekend before, the weekend after RSA, the CFP is still open. So anybody who, that's like, that's an amazing opportunity right there. I just put, I threw in the link to the event. Oh.
A
F
E
A
E
No, the San Francisco one. If you can't, it's too late for the main conference, you know, for RSA, but you get, there's, you know, cross pollination between, like, the same with, you know, when you go to, typically when you go to Black Hat, that's why they call it security summer camp, because.
A
So two things that we haven't talked about, but I need to go figure out who to talk to, and I don't know if anybody on this call knows. I need to, or somebody needs to, talk to whoever is managing the conference, if there's going to be an expert lounge, and if yes, how do we sign up, and two,
A
Is there going to be an OpenSSF day? Because if there's an expert lounge, that's, you know, come talk to us ad hoc, and we can have volunteers to be there to talk about SLSA throughout the day.
B
Update, I don't even know that that's been decided. Yeah, I asked about that last week, or the week, or the week before that. Well, there's going to be an OpenSSF day, and I guess they're still trying to figure that part out, but I can ask David Willow a crow, you know, okay, what that's gonna, where they're landing on any of, any of that stuff. Okay.
A
Yeah, that would be fantastic, because I was like, I don't even know where to begin with this, because the expert lounge is great for, you know, whiteboarding or just ad hoc conversations and questions that people can't ask during the sessions or after the session, and then the OpenSSF day, if we had a presentation about SLSA, then we would want to be included in the OpenSSF day, but I. Thank you, Laura, and I actually have to run too.