From YouTube: SLSA Positioning Meeting (September 20, 2022)
A
Yeah, you usually people will buy that by their nickname and put it down, but I see it as Joshua. On the, on the.
A
A
Yeah, I've been a little under the weather lately, yeah.
C
C
A
A
A
No, recuperating, but yeah, a bit better. Let's see, what time is it? Okay, it is 101. I'm sure people will hop on, and Josh, I think you found the, the link to the meet, to the notes. So, okay, let me see. So Josh, you closed on the house, I.
B
C
A
Nice, yeah. And did you sign in, Jeff? No, I don't think you signed in. Let me put.
C
A
No, I don't know. Yeah, it's okay, I'll just put it in. Since Jason's joining too, just remind folks to sign in. Let's see, hey Jason, welcome. Yeah, my, my little tidbit of the day is: don't, don't eat too much peanut butter. Apparently it's horrible for your stomach. I had no idea. I love peanut butter, and apparently I ate just a tad bit too much and I was in an extreme amount of pain. Oh no, for hours, hours, yeah. And like no Tums, no Mylanta, no, nothing would fix it, and I googled it, I'm.
A
Like, does peanut butter give you stomachache, and it says it does for some reason. I think it's something about the fats in it, that if you eat too much of it. But I love peanut butter, I eat peanut butter all the time. Then, just yesterday, I was just a little bit too indulgent and yep, there goes my stomach. Anywho, okay, so newcomers. I think, Josh, you're the only newcomer, but I feel.
B
B
Around some of the SLSA, SLSA meetings, and, but I have not been able to be as regular as I wish I could be, and I have not attended this positioning meeting before. So let me give a little brief introduction to myself.
B
I'm a, I am a security architect at Red Hat, and so I work with our products to, you know, improve their, improve their security on a variety of different levels, but one of the ones that we're focused pretty heavily on, especially recently, is, is supply chains. So I'm definitely excited to, to be involved, and I want to help wherever I can, and I do have a topic that I'd like to talk about a little bit later.
B
That I brought up in one of the other meetings, but it was not the correct forum. So I am here at the correct forum for that.
A
No worries. I mean, these, these breakouts are kind of new, so you never know where, where to bring something up, and sometimes it overlaps too. So, oh, Bruno.
E
A
A
A
C
Know, like, no, no way to move on, and then I have to walk and then take some coke and think like that. Coca-Cola, yeah.
A
Okay, okay, so let's go ahead and get started, and let me share the agenda, if I can find my Chrome. You can see it, right? Yes, okay, awesome. Okay, so welcome Josh. We're gonna do a quick update. I don't see Jay on, so we'll probably have to delay that. Has anyone worked with Jay on the development blog, I think it was, from last time we met?
A
A
Okay, so what can we do to help? Do we need to set up some, some meetings, or just tell, tell me what you need.
C
D
C
Just, I just need to, to prioritize and get it done. I will, and, and Roy already, already offered assistance, so I figure I'll kind of get started with a skeleton and then, and then touch base with Roy to kind of start putting meat on it.
A
Okay, yeah, and if you need help, right, from, from the group, feel free to, you know, post. Whenever you do get that outline, post it to this also positioning channel and people can just chime in, right? Okay, I'm sure other folks would be more than happy to partake. And then Isaac is, oh, go ahead.
B
All kind of in that stage, right, everyone in life, I.
A
Yeah, no, yeah, we, we had talked about, it was kind of once I'm on the agenda. We were just talking about different things and Jeff mentioned, why don't we do a blog series in terms of like the different phases, and then we agreed on a development one and then a build one, and maybe give it like a month and a half for each to be completed.
A
I can't think of a word right now. Any progress, are you, any progress made, but that's fine, yeah. And let me know if you want me to set up meetings now that I'm not sick anymore, being more, more active. And then Isaac was also going to be doing one on attestation. He did, he did acknowledge that he, he still owes me a blog post and it's on his list, so he's at least still aware of, of it. And then Jay was going to look at the tools.
B
A
A
A
Okay, it's like, I don't know how to get this thing to, to show me everybody. It's not showing me everybody. It's just showing me a couple of people and, yeah, I can't get it to like expand. Hi, Jay, and then I also see you, Chris.
A
So if you haven't signed in, I'm gonna put this in the chat, if I can find the chat. I can, there it is, there it is. Okay, feel free to sign in. So Jay, since you're on, any progress on the development outline or blog?
F
Well, well, yeah. What I wanted to do is, I wanted to see if I can't get a good, a couple of means on the calendar just to do, just to do a deeper dive to organize a few points, also with respect to the, to OSCAL tools. There's been a couple of, a couple of conversations circulated about those tools, and I think, I think OSCAL was mentioned during the NIST Center of Excellence WebEx yesterday, that I thought was, I thought was pretty interesting too.
F
So I want to double back on that to see what, to see what that tool did, did for, for, I want to say, was 800-2.
F
C
F
C
F
F
F
Just so I can level set on a couple of points for the outline of the blog and then get that way. So, so yeah, that's, that's where I'm at now.
A
Yeah, feel free to, to set up the meetings. I forget who it was that said that they would help you. I know I said, you know, feel free to sign me up too. I can help where I can, and if you have a place that you're documenting these things, just drop it in the SLSA positioning channel, and right, a lot of people I'm sure will be happy to help. But if you want to have a, a dedicated meeting, just feel free to send one out with this, with the Zoom link.
F
A
Okay, so set up a 30-minute meeting and then maybe set up a draft area, and I know, Jeff, you said that you were gonna do that, to the setup of a draft area.
C
A
F
A
A
Okay, okay, the other update. I created it, that was like about two weeks ago. I did create some JSON files or the requirements.
A
You know, for the different, like, mapping the summary, rather, like high level versus the actual in detail, you know, build versus provenance. So Mike, I don't know if this is what you need, or what we need, I should say, for the OSCAL implementation, but I think I remember hearing that this was a good start, to, to just create that JSON file. So I did it for all of the, the different levels in the website.
D
Sure, yeah, I'll have to take a look. Yeah, I'm not super, it's been a, it's been several years since I've, I've dived into the sort of, the OSCAL JSON format. So I'll go take a look there.
A
Okay, yeah, and then I did attach the, the files. I didn't attach to JSON, but obviously you can copy the JSON, but at least the CSV that created it when I converted it, that. So, if you need to alter it for some reason, you can use that. Let's see, and like, I don't have access to changing labels, so I don't know.
A
I was trying to put it as a positioning label, but I can't, I can't do that. I don't know if you have access, yeah.
D
I have access to that. Give me a second. Okay, change.
C
A
Yeah, I saw this, maybe 1.0, and I'm like, oh, I think Mark thinks it's for the, the spec, the 1.0 specification. It would be nice to have, but not initially, right? Initially, it's just trying to do it for the version.
A
What is it, 0.1, that it's on right now? Yep, yeah, okay. And is there anybody from Micro, oh Jay, you're here for Microsoft. So Isaac in the positioning channel suggested to kind of go over this and figure out, you know, can we maybe have some sort of blog or communication on how this new framework by Microsoft is going to work alongside SLSA?
F
Well, as a mat, as a matter of fact, matter of fact, I do, because I'm the one that's been pushing it into the open on behalf of Microsoft. That's because me and Adrian did Leo, yeah. So, so the, the long and short is this framework is very consumer based and consumer focused, right.
F
A lot of the conversations had, and the specification, meaning a lot of conversations had, even in this meeting, in the tooling meeting. Sometimes the scope of SLSA gets fudged a little bit. It's a lot of scope creep, because there are a lot of, of gaps that are identified that are actually filled on the consumer side of, of supply chain security.
F
So this framework deals primarily consumer focused and consumer-based, versus SLSA, which is very producer focused, producer based. My argument, and, and not necessarily argument, but my pitch is two frameworks can be developed side by side in parallel, bridged, they could be bridges built between the two of them, and then I always end with this, saying how beautiful would it be to have some type of an ISO standard dash one, dash 2 and dash three. I include.
F
That's three later on, saying dash one for producer focused, dash two for consumer focus, or you can flip and bounce those, I don't care which one comes, but then a dash three for the tooling around each of these, right. Within the OpenSSF, within the Linux Foundation generally, there is a feeder. We have a feeder, and David Willard can expand upon this, but there is a feeder into publishing ISO standards. There's a precedent already that this can actually be done through the Linux Foundation, and we have both of these frameworks.
F
The, the secure supply chain framework right now is going into incubation, but we have both of these frameworks currently within the OpenSSF, currently being worked on in the open, improved on in the open, and with everyone collectively working on these together, we can make them, we can put the rigor in. They could become so robust. Everyone's trying to start working in unison to take these two great frameworks that are being worked on and march them forward to, to spend the ISO specification, if we so choose.
F
That's my, that's my, my look at them. That's for me being involved in all the meetings, all the conversations, understanding what the gaps are and saying both of these documents complement each other very well, and then the tooling around them can be developed. And yet when you're developing the tooling, hell, even in the tooling conversations a lot of those things are like, well, this tool works for this, but it may not address that, or it may address this, but it may not address that. Well, does, shouldn't address that?
F
Well, I don't know, but in this particular case now we could begin to answer those questions a little bit more fluidly if we're working these two frameworks in parallel, and that, and that's my, and that's my, that's my one and two. So when it comes to positioning, especially in this meeting, I'm saying we can position SLSA and, and the, the secure supply chain framework, bridging between the two, make comments on one, they can begin to march together, because they should, right, so.
F
A
He's not, he had to, he had to skip today. So curious, Jayden, is there someone? Obviously I don't want to overload you because you already have that development blog, but is there someone that maybe you can work with, or another Microsoft person, that can try to write a blog about this to say, hey, you know, this is how the two can work together, or this is how they're different.
F
We actually, we have something like that already, and, and to make it a little bit more, put, to put a little bit more rigor on it, I don't mind taking on that task, because I think we already have something like that.
F
Already, all I'll do is reach out to Adrian, who, who is, who I'm partnered with, try the home partner with, bringing it into the open and bringing it and making the part OpenSSF. All I gotta do is grab some of the stuff that we've already written and, and put that out there as well.
A
Okay, I need to work with Adrian. Okay, awesome. Any questions from folks today? I don't see hands up, so a.
F
Lot, a lot of people, I think a lot of people leave it on. This call have heard, have heard this in two or three places already, because I've, I've been all over, I've been all over the different working groups with this. So, so I mean, they, they've, they've heard this pitch, they've.
A
A
E
Hi, I, so I guess a few comments. I totally really like the positioning of consumer versus producer information, because I think that, yeah, can help us to start create this taxonomy.
E
F
So we talk about capturing, I think, I think what, what will step back, we'll take a step back and we'll talk about ingestion of open source, which is something that the SLSA framework doesn't cover, right. Yeah, we'll talk about those specific threats that are experienced at the consumer level, and now I.
F
Don't have the framework, framework up in front of me, but there's a whole, there's a whole table of con, of threats, risks and then controls that can be put in place at the consumer level, at that, at that base level, which is different than when it comes to SLSA and you're in, your attesting to certain things, right. So, so the, the SSC as it stands right now, and, and like I said before, being improved in the open.
F
This is something that's going to happen in the open, whether there becomes a compliance requirement, compliance basis for where there are attestations. SLSA already has that in place with, you know, we're talking about in total attestations, everything that you're testing, something that, that's compliance, very compliance heavy. This is very security heaven.
F
So when you look at, when you look at the SSC, look at it as a security framework, a maturity model, if you will, rather than a compliance requirement. When I talk about the one-two punch, I talk about the security framework, the maturity model, that is the SSC, paired with the producer focused compliance basis of SLSA. You have the one that deals with taken controls, putting them in place, respective tooling at the consumer level, the other one that says, okay, producer, now you happen to me these compliers requirements.
F
F
Now you have, now you have standards that third parties now can take to say, hey, are these requirements met, and then you can have further certification based on that. Now all these things can be worked on like we're doing now in the open, like this, like this. The whole point of this is, is continuous improvement, continuous development, continuous massaging to the point where they're all ready and can be published as, as standards later on. So, so I, I, and I, and I, I hope that, hope that answers the question there, but when it comes to capturing, I think it's, I think, I think you take it a step back and say what ends of the spectrum and supply chain security of both of these frameworks targeting, and I say the secure supply chain comes from the ingestion standpoint, where you're, you're at, your SLSA comes from the build standpoint.
E
Yeah, yeah, I know, I, I, I, I do get what you're saying. I think that makes a lot, a lot of sense. So thanks for explaining that. I guess my question was also more, when I, when I said capture, I mean, and maybe I just misunderstand what the SSC is really meant to do, but is it actually a data, a metadata format of some sort, or a policy specification, not policy specification, because that sort of is a whole separate can of worms.
F
So I want, once again, I, I would, so if we're thinking about deliverables, let me say, I'm gonna say, what's a deliverable, what's the output. I want to say that, could you, could you build a report from this? Sure, right. I referenced it being almost like a mature model. You have levels one through four saying you're, if you're, if you're a level one, if you reach level one maturity, you've incorporated these things. If you're level two maturity, you incorporate, the incorporated.
F
These things, of course, level four being something that's kind of aspirational in terms of how, how strict you are, no, with your security posture at that point. I think as a deliverable would be the level that you've reached per the artifacts that have been developed based on the set of controls you have in places you can actually, and then, and I'm going to say this word, attest to, right. So I, so I think that, I think that that's what, that's what gets, gets delivered from it, but once again, where the takeaway is here is.
F
This is strictly at that consumer level, on how you bring in open source, how you utilize open source, right. So how you, how it, how you, how it comes into the organization, how, what, whatever mechanism that is, and then, of course, you know, as a scan properly, have the vulnerabilities been identified? Have they been remediated?
F
F
Don't, I, I'm trying, I'm trying to keep this as, as high level as possible, because I don't want to do a, do a deep dive. I'm willing to do that, of course, but I think I want to have a bit more preparation to do that, and I also want to bring Adrian in, because he's, of course, the one that, that actually wrote the document.
F
So, so I read it, I understand it, but, but a lot of the, a lot of the nuances might come best from him, and then I'll always conclude with, this is why we brought it into the open, so that we can identify guts. We can identify areas where things need to be improved, need to be scaled and thought about towards scaling them for the future of secure supply chain. And then how can we, how can we drive that forward towards specification?
F
The same thing that we're doing here with, with, with SLSA.
E
Awesome, yeah, thanks for that. That actually, if I may, brings them a question, Melba, because I'm starting to think that there's actually a lot more connection here with the SLSA source requirements that we sort of started to brainstorm with Sean and Gilbert, I think was his name, so I'm wondering if we should sort of circle back to probably.
A
So I'll try to put that meeting together for later this week and then we can bring this into, and sorry to put you on the spot, Jay. Oh, not nice.
F
Look, I, I love, I love the work that we're doing. I, I love, I love this stuff in general, so I'm, I'm okay with, with being put on the spot, because I think there's a, a wonderful opportunity here for the work that we're doing with SLSA and the work that we're doing with, with the SSC. I think there is a wonderful opportunity here that could bear some real fruit over the next year or so.
F
A
F
A
A
Yeah, I think, you know, put it on there on the Slack channel and I'm like, oh yeah, if somebody from Microsoft is willing to talk to it, then sure, why not? Okay, so before I let Josh start speaking.
A
In this meeting, I can't quite see everyone, but I'm not seeing anyone, but I also am not, okay. Well, if, if you are a newcomer and you want to speak up, feel free to interrupt and just kind of introduce yourself. Let's see, so next on the agenda, I will give it away to Josh. Just did come up in the positioning meeting, or rather the specification meeting, that this week but previous week, and it was recommended that it be brought here, so take it away.
A
B
I, I can just talk through it. Okay, so basically my, my thought is, I know that there was kind of a discussion previously about, you know, corroborating security claims. You know, organizations come out and say, hey, I'm SLSA level four, I'm SLSA level five, I'm level seven. You know, how do we kind of prevent dilution of the brand and allow it to be a useful thing for consumers who utilize build systems?
B
So my idea was, could we potentially trademark SLSA and produce a set of badges that are available for use for companies that sign a, an agreement, or under the terms of the license?
B
They comply with the terms of license by meeting a set of requirements, and so, if they, if it ever, you know, at least get legal at their company involved in the process of them saying anything regarding their SLSA level, so that we can kind of at least put some sort of, some sort of barrier in between people outright lying about whether it's also level and in good faith incorporating SLSA to the best of their ability and in good faith.
B
You know, executing up with us having to go and, and audit every single organization that might want to say that they are a certain SLSA level. So my, my thought process would be, as we standardize and develop requirements around each level, like what type of evidence would be required in order to show that you are SLSA level one, we could produce.
B
B
B
D
So great minds think alike. So that's actually already being done by the Linux Foundation at this point, so we, we do have that thing getting done, and just to kind of give you an idea, we do have this idea of the SLSA badges. Actually, Kim from Chainguard was supposed to give a demo on it.
D
This past Thursday, but she got pulled away into something, so it'll probably be next Thursday, where she'll give a little bit of a demo on some of the conversation between the Linux Foundation and, and SLSA about that. But yeah, it hits all those things. I believe SLSA, technically it might already be trademarked.
D
I think the thing is, we're just trying to make sure that, yeah, so there's a couple of things that are kind of coming out. We're building out what is being called a conformance program. So the idea would be, yeah, you're allowed to self-claim SLSA, but if you do so, you know, if you do assert SLSA, you need to at least state these things, and then that would be potentially used as, like, if it turned out you were lying about that, that could be used against you, which is, hey.
B
D
Yeah, so that's very much more on the Linux Foundation than, than I think us, because we already have the lawyers who are doing that sort of thing, and I believe they might have already done that in a couple of situations where folks are just sort of saying, you know, we've seen people say stuff like, we're SLSA level five. There is no SLSA level five. Stuff like that.
D
B
But there is, for us to have something about that on the SLSA page to state, you know, to kind of talk about, hey, we're not ready for anyone to begin claiming this, but we're working on building badges and conformance requirements so that you can use SLSA in marketing material. It would be good to have a page, I think, that kind of states out that stuff.
D
Yep, oh yeah, I know, to be clear, I, I agree. The Linux Foundation lawyers have been doing a lot of interesting stuff on that. That is beyond me, so I, I think maybe it might be worthwhile to reach out to a couple of the lawyers to have them.
D
Maybe give a, a, like a presentation in one of the upcoming meetings here to kind of explain their reasoning, because they've said a couple of things that, once again, I'm not a lawyer, so I don't totally grok it. But just to kind of give a high level overview, though, there's two things that we were pushing. One was a self-conformance sort of program of, you can state these things, and then there was also sort of an idea of a third-party audit accreditation where you can imagine, you know.
D
Potentially, something like a third party in conjunction with, you know, can get certified by the Linux Foundation itself, and anybody could apply for it based on some training, and then they could go out to other organizations and say, hey, I've audited you, I'm taking on additional liability myself, because if it turns out I audited you and I lied about the audit, you know, people can come after me, but I can audit you and say that you're this level of SLSA. And there's a couple of different levels of it too.
D
One is SLSA build services. So these are things like GitHub Actions and, and different, you know, services could claim, based on the way that the service is set up, we can do SLSA level this by default and up to SLSA level this if your project meets these requirements. And so there, and then separately, there would be, each individual project can go in and say, great, I built this way on a SLSA this-level builder, and then in addition to that, I applied these extra set of rules which allow me to be.
D
B
C
A
Okay, and then I think, I, I, I think it was you, Josh, that mentioned, you know, maybe we should post something on the SLSA website to say, hey, you can't say that yourself, a level four, because we're not ready, blah blah blah. So trying to understand, you know, where do we envision that being? You know, who could potentially do that? Is that part of this group's responsibilities, or do we have to bring it to the steering committee for them to do it? Just trying to figure out logistics.
B
Clearly, then, I think probably anyone from this also, you know, organization could, like any of us could, could write up a, a blog post that kind of takes legal language and maybe makes it a little bit more security, security professional focus, so that our security professionals know what they can or cannot say, can and cannot do right now, and what might be coming in the future for them to be able to use. That would be great, but probably the lawyers would need to be, at least give us an overview, right.
C
Yeah, I apologize for not chiming in earlier. I, I am working with Kim on the conformance program, and so, yeah, as, as it was described, we were going to present. Just wanted to make sure we had some more eyes on what we're proposing. But yes, so I could answer any questions around that.
A
D
Yeah, so do you know what the, the current sort of status is? I know Kim and I had sort of talked a few weeks ago, but I know things have been sort of really busy, and then also I haven't seen any GitHub issues regarding the conformance thing. I, I could be missing it, but I think we probably want to make sure that it's tracked in a, in a SLSA issue.
C
Absolutely, yeah, some of the statuses on there. Actually, we wanted to run this by you as well, and I think part of the problem is, is I'm not too savvy with the GitHub process. So I think we do want to put it out there. We just want to run it internally, a couple eyes, and then run it by you as well, so that the whole process doesn't really come as a surprise. But to both of your questions, yes, we do plan on presenting relatively soon.
C
In fact, like you had mentioned, we missed the opportunity last, last session, so we're hoping to get this out as soon as possible.
B
Hey Jason, I'd love to help with a review or anything. If you have a document, okay, I'd love to participate in that. I used to work at Deloitte, so I know kind of the compliance side of things, in the audit side. So that might be a valuable eye to have on there.
C
Okay, absolutely. Let me figure out what, how I should go about that, but Michael, if you have, like you mentioned, putting it on GitHub might be the appropriate way to do that. Yeah.
D
Yeah, I think the main thing is, we want to make sure that it's, it's out in the open, even if it's just knowing that folks are looking at the SLSA conformance thing. We just don't want, like, there's a bunch of different things, like we don't want, like, three or four different groups to start, like, working on the thing, and it turns out they've all been, you know, doing different things with different groups.
D
You know, and we just want to make sure that, also, like, making sure that it's out in the open. We, we, like, the last thing we want is for folks to think that, like, any one company is the conformance company for SLSA, that kind of thing, and so we just want to really, really make sure that it's out in the open.
D
I mean, Jason, if you've been working with, it might still be worthwhile to just, if any of those lawyers can, like, give a short, you know, probably like 15 minute presentation of, like, I'm sure there's probably, the Linux Foundation probably, and I know I've seen this with some of the other stuff they've done, they probably just have a generically, this is how we do brands and trademarks, especially when it comes to sort of standards and frameworks and those sorts of things within the Linux Foundation, and most likely SLSA probably already falls under it.
D
D
D
D
You know, it's not on purpose, but they're like, oh, based on my understanding of SLSA I'm SLSA three, and it's like, actually you're hitting some of it, but you're more SLSA two. And so I think we just need to make sure that, that that's clear, because once again, we, you know, the worst thing that could happen to us, right, is a bunch of folks claim that there are all sorts of different levels of SLSA, there's no ruling behind it, there's no enforcement behind it, and then SLSA just gets diluted and no one, you know, yeah.
C
Yeah, and to add on that, I think the, the lawyers discussion would be great because of the talk about the trademarks. Of what I've kind of been focusing on with Kim has really nothing on enforcing the trademark. It's more just about a transparent way to attest to SLSA conformance levels. And yeah, we do want to make this completely open. We just wanted to set some eyes on it, so put it out there, but I guess I should have did that, that way. Again, I'm not, just not GitHub savvy on that.
A
Okay, anything else on this topic?
A
Oh, as you all were talking about this, it made me remember, I actually was reached out to by someone in the TAC that knows about the work that we're doing. I think they read the notes and they said, oh, are you going to be publishing the blog for review from the TAC? Apparently there's some new procedures that.
D
D
So that is true for, if we are talking about like a big announcement that would be on the OpenSSF, then yes. If it is a smaller, and, and if it's like just a smaller blog, there's two different ways. Like, if it's on the SLSA blog, right, because once again, it, SLSA has a steering committee. I don't know if you're talking about the TAC for the OpenSSF or you're talking about the steering committee for SLSA.
A
Okay, and I can also, you know, double clarify with that person, but, you know, they're like, oh, you know, are you gonna get this reviewed by the TAC, and I'm like.
D
So the SLSA steering committee would approve it for, for all the other stuff, but it's also the way that we've been doing it is, if it's also an official SLSA thing, then it requires multiple members of the steering committee to vote and be like, yeah, this is an official announcement, versus the other thing that we've done, which is more of a, hey, like a community contributor wants to contribute, like, their viewpoint on SLSA, which.
D
Separated, and we've made it clear in those blog articles that this is the viewpoint of the contributor, not the viewpoint of SLSA, whereas when it comes to some of the bigger SLSA blogs, we do get the, you know, you know, we do try to go do a vote among the actual steering committee members so that it becomes a, like.
D
Yes, this is the viewpoint of SLSA as voted. But we also didn't want to make it so that, like, every single blog had to be litigated to the ends of the Earth. You know, if somebody's like, hey, this is how I've been doing SLSA. Well, there's lots of different ways to do SLSA, and with the conformance program and stuff like that, we'll be able to kind of define, you know, ground rules, but largely there's going to be a broad way of doing.
D
SLSA. Different people are going to have slightly different opinions on things, and we don't want to hold up every blog on, you know, the minutia of, well, when you said, like, for example, when you said comply instead of conformance. Like, it's, it's fine when we're talking about just a generic blog, that kind of thing.
A
Got it. The other thing was about the Google group slash list. We need to migrate by the end of the year, so I'm not sure if anyone's done this for any other group that have Google Groups or Google lists, distribution lists. Does anybody have experience with this?
D
With regards to what now? The, so, so my understanding is, yeah, we're moving over to some different thing end of year.
D
A
I'm trying to find it. I know I put it in the specification. No, I put it in tooling, I know, and I also put it in the other one, but I can't remember where it is. I'm looking for it.
C
D
A
A
A
A
So, okay, any other questions, comments, thoughts?
C
A
Going once, going twice, and it sounds like, wait, was it you, Josh? It was you, Josh. You can go enjoy your new house now.