From YouTube: SLSA Positioning Meeting (September 6, 2022)
A
B
B
A
So many things at home, let me find the meeting notes. I had them open earlier, but I...
A
Let me see. Oh yeah, that's right, I keep forgetting that Zoom allows me to share a portion of the screen. We use WebEx and it doesn't have that feature, interestingly enough, and if I share Chrome it shares every single Chrome browser I have open; it doesn't matter if it's in a different screen or not.
A
Okay, okay, so it might just be the three of us, so it could be a short meeting or it might turn into a working session, we'll see where it goes. So let me make you guys put them in the chat, if I can find the chat.
A
There you go, I added the meeting template, Mike, for your recommendations, so that way I don't have to copy and paste it all the time and, you know, undo stuff. Okay, so sign in. Hey Jay, thanks for joining, and I will post this just in case you didn't get the link before I, before you joined. Oh, there's more people. Okay, I guess we can wait.
A
A
Okay, so I'm posting the link again, please sign in, and thanks for joining. And I think I'll start now, since we're two after. So I see a newcomer.
A
So would you like to introduce yourself? I've seen you present before and I'm an advocate of your presentation. So how do you pronounce your name? What is it, white, whites?
B
A
Oh boy, Pizza.
A
You for joining, and I don't think I see anyone else that's new. I think other folks... oh, Ava's new. Hey Ava! Thank you for joining, appreciate the time.
B
I don't know, yeah, just gonna listen in today.
A
Okay, awesome. Okay, so thank you.
A
I am butchering your name, aren't I?
A
A
E, I knew there was an E in there somewhere.
A
Oh, I'm looking, just wait, who just joined? Say it again, I'm sorry, oh.
A
Oh hi Jeff, hey, thanks for joining. Okay, so quick updates from last time. I don't see Isaac on. I know he was working on one to two blogs about positioning with regards to... let me go back. He has a presentation on attestation that he presented last time, and actually the entire group really, really, really enjoyed it, so much so that we recommended he make a blog out of it.
A
So I'll have to follow up with him offline to see, you know, how that's going, if he needs any help. The other update is on the charter. We do have, if I bring up the charter real quick, the positioning charter. I know Kim had asked the question, well, you know, why do we have this?
A
Why not the broader SLSA charter? And I tried to express, and please feel free, if you disagree with me and agree with Kim, please speak up, but essentially the SLSA charter, it's much broader and more ambiguous, versus SLSA positioning SIG's, as well as the tooling and the specification, they're outcome focused.
A
So they are driving towards specific outcomes, and in order to do that they're going to operate in different ways, and obviously whatever they accomplish are also going to be different.
A
So that's, I think, from my point of view, why we have the positioning SIG charter, to make sure that we are, I guess, standardized, so to speak, of how we're going to operate going forward, to make sure that we meet our objectives. Does anybody agree or disagree with that?
A
Oh crap, okay, maybe it's still waking up from the three-day weekend. Okay, so for this charter, several people have reviewed. Thank you. I think what will happen is, if there is, like, this particular section, there's only two, I would like at least three. So there's a couple of sections at the end that haven't been reviewed.
A
If you can review it by end of day today and give a thumbs up or thumbs down, I will post it here. That way, we can open up a PR for the SLSA broader community to push it to their, I guess, guideline or their governance, I'm not sure where they're going to put it, but that way we can get their blessing and publish it.
A
Nope, okay, OSCAL. So Mike, not everybody was there, and maybe this warrants a new review, Mike.
A
But during our working session last week, Mike presented OSCAL, which is kind of like a framework to automate policy, is how I understand it, and so we decided as a group that we would use OSCAL to do the mapping of SLSA to the different frameworks or regulations. So that way, if something does change in the future, it's just a pointer. Like, do you want to add to that?
B
Yes, I mean, I think the... so OSCAL is the, I remember exactly what it stands for, but it's a control assessment language, and so the idea, right, just, it's a way of codifying the controls so that we can store them, as opposed to just purely in something like a spreadsheet, they're stored in a structured language like XML, YAML, JSON, that sort of thing, and it lets us just sort of be able to have all the data in one place in that sort of structured way.
B
And then everything else just becomes sort of a view in that, and then there's multiple different things, from, like, control catalogs, which contain the definitions of the controls and so on, to, sort of, you know, individual projects and those sorts of things. And then the idea would be, potentially, if we can kind of structure it in this or a similar standard, we could easily say: okay, well, here's the mapping of SLSA to SSDF, to the CNCF stuff, to OWASP and so on, and make it super easy to kind of...
B
A
Really tough crowd today. Okay, so that kind of is all the agenda items for today, is just a quick update. Do we want to repurpose the remaining time for an active working session?
A
No? See no, no, no. Okay, I vote for repurposing the remaining time for a working session. Anybody else agree? No?
A
Okay, okay, obviously, everybody's welcome to participate. For Mike, I really would like to try to get a better sense of how to implement OSCAL with our mapping. And for those that don't know, this is the mapping document that several of us that are on the call, and off the call, we're trying to map SLSA levels to, you know, different frameworks. We focus first on the SSDF and then we were trying to branch out.
A
But obviously, if you can see, this is very much manual effort, and if something changes, a definition changes, then it would be a lot of work to update. So this is where OSCAL would come in, to try to make it so that it's more flexible and easily populated, changeable, etc. So Mike, thoughts on how we can start with merging from this to OSCAL, or changing from this to OSCAL?
B
That's where I'll have to do a little bit of research myself. It's been like two-ish, three-ish years since I've really been in the OSCAL sort of thing. I don't know if anybody else on the call is super familiar with OSCAL at all, or if they have any thoughts about, you know, anything that is similar.
B
B
No, there's no tool, it's, it's all like... there is tooling, it's... So OSCAL is similar to, like, SLSA at that level of, like, it's a standard, or, sorry, it's some standardized formats, and then there's tooling to sort of implement it.
B
A
A
SLSA JSON XML definition file, so that way we can map it. I think you said CNCF had, has one, not in the last meeting, if I'm not mistaken.
B
B
Not sure, let me... I believe there is an issue, an open issue. Let me go in, okay, find that. Thank
A
You, and then I'm gonna open up the... okay, so this is Trestle, which I've not heard of until you mentioned it to me. Ensemble tools. Oh, it leverages OSCAL.
B
Yeah, yeah, so yeah, Trestle is, well, we'll, you know, so as a reminder, yeah. So OSCAL itself is just the assessment line, you know, it's just the language, and so it's just some standardized formats around, you know, as opposed to having a control catalog that's just purely a spreadsheet, here's an XML format that allows you to just kind of, you know, put the definitions in there, of JSON format, whatever, they'll
B
Let you put the definitions in there, and then the idea would be to use additional tooling to then make the manipulation and conversion and views into those documents really, really easy.
A
Okay, it seems like it's kind of helping to make it more user friendly, at least Trestle, the way I'm reading it. Anybody on the team have experience with Trestle that's on the call? And just because I'm IBM doesn't mean I can do it. I didn't even know this existed, so.
A
May 23rd is the latest. Okay, that was a while ago. So let me go back.
A
Let's go deep dust. Okay, so how about we put this on here? Maybe let's create an action item to review the tools and see which ones we think will work best.
A
A
B
A
Just try to see, you know, obviously nothing that we have to pay for, but which one of these tools do we think will, you know, fit the requirements of what we're trying... jelly sandwich. That's funny. Fit the requirements of what we're trying to accomplish, right, which is basically changing this mapping into OSCAL format in an easy way.
A
C
A
B
Well, so just as an FYI, so the SLSA JSON XML would be the OSCAL control catalog or whatever.
A
B
I mean, but potentially, I think so. So like, at its start, you would need to create an OSCAL document, and either you could do that via some tooling or you could just create it yourself. But I think also, with creating that XML definition file, I would be a little reluctant to go a little too far until the specification for 1.0 is fully defined.
A
A
Maybe we can use a version 0.1 as an example, right, because that's what we've been doing the mapping against, at least thus far. So where is it? Specification, requirements... I forget where that table is, might be in requirements. There it is. So can we take this, right, and make it into... I can't imagine why we can't put this into an XML format or JSON format easily, if we were to just do this. If we were to do above and beyond this, then I could see it being complicated.
A
A
Okay, okay, what else?
A
B
Sure, what.
B
Yeah, no, yes, we, yeah, we would go in and you would have, you probably have the OSCAL one for, if they have one for SSDF. I know that they have them for 853 and I think some of the other ones, but yeah.
A
Baselines, but I don't see SSDF, so there may not be one for SSDF.
A
A
B
Yeah, I mean, we can definitely reach out to the OSCAL folks, but I do think that they've, you know, I mean, obviously a lot of this stuff has been very focused purely on, as I kind of mentioned last time, I don't say purely, but it has been traditionally very focused on stuff like, you know, US Government interoperability kind of stuff, so different between different agencies, and making sure that those agencies can share.
B
You know, information and share, you know, control implementations and those sorts of things.
A
A
A
Nope, okay, so for the new folks on the call, something brought you here today, so I'm kind of curious as to what you were looking to hear or contribute to, or, you know, find out about in terms of this positioning, in terms of this SIG. So if people are willing to speak up, I would love to hear why you joined.
A
Okay! Well, for those that aren't aware, right, we're basically trying to position SLSA with respect to other frameworks, other regulations, trying to differentiate SLSA, show where the gaps are potentially in SLSA versus some other regulation or framework, maybe sometimes complementary. I think somebody mentioned, what was it last time? Was it CNCF? I can't remember. A skip.
A
SLSA and skit are complementary, right, so when we can identify things that are complementary or, you know, you're not talking apples to apples, that we're able to communicate that to the broader community so that they know the use cases for SLSA. And so that's really our goal, and that can be through various means, whether it be, you know, doing these mappings and hopefully having that as an OpenSSF document at some point, so that we can kind of advertise to the masses.
A
Additionally... I just lost my train of thought. Sorry, there goes Slack. Bruno, Bruno distracted me. Sorry, folks, I don't remember where I was.
A
So I don't know if that piques your interest or not, but this is what we've done so far, just trying to figure out where we're gonna focus on. What about blogs, outside of the ones that Isaac mentioned because of his presentation? What else do you think we should focus on in terms of blogs or the broader audience?
A
B
You know, it may seem a little bit basic, but Mel, I keep going back to a couple of meetings ago when you were showing your, you know, essentially like the SDLC, and we talked a little bit about where, kind of, the use cases for, essentially the use cases for SLSA.
B
A
Me bring that up for people that don't know. I know I have a picture of it, a PDF of it, but I know I also put it on our channel, the positioning channel. I can find it.
A
A
So let me download it so that way I can open it up much bigger than what it is. So for folks that don't know it, this is something that I came up with internal to IBM, but I wanted to share it externally. So I did share that the Open Source Summit, and this group went and, you know, critiqued the visual, which I'm now starting to call supply chain security life cycle instead of visual or framework, and so we have to think of these... These are corrections.
A
Obviously, that I have not implemented. Unfortunately, I've not had time. So are you seeing, Jeff, to talk about, let's say, development as one blog and then build as another?
A
B
A
A
A
Okay, we could also talk about the continuous compliance part, because that's just more than just a DevSecOps, right, it's also potentially the CSO office or so. Okay, so continuous compliance to build. What about... somebody wrote, oh, publish, publish artifacts, or published artifacts.
C
Story kind of gets into the intersection between get it and Skip. So you, you know, you put it out to an e-notary system to notarize it as to when it happened and give you some public way to get at it. You know, somebody's marked this up. It's at six door. There, that's, they're also coming into the space as well, right. So as to where storage, do you use OCI, or some of the other conversations, which is the document we just started with a couple weeks ago.
A
When you say we, you're referring to skit?
C
Well, the SLSA team created a document as to where the heck we put SLSA claims and so forth, and invited people to fill it out. I've asked a few people to put some content in there, but that truly gets at the intersection of where the public artifacts, and how do you get them, and how do you do discovery, and things like that. Got
C
I'll find it, yeah, I'll find it for you, I'll post it back again. Yeah.
C
Signing is the big box down there, is this saying could say, and that's a commodity that Stig stores currently sitting, but there's, oh yeah, but whether you produce SLSA claims or a VEX or an SBOM or whatever, they'll all go through the signing service and have to be, you know, to make sure they're immutable.
A
A
What is it, I forget what group it is, I think it's in OpenSSF, there's like a machine learning SBOM group somewhere, and I thought it was an OpenSSF. Thanks, Mike, for joining, if you dropped off. Yeah, he dropped off already, I didn't see his note.
C
A
Yeah, okay, so then that project may not be what I'm thinking of. This is more around, you know, what kind of relationships can you gather from, you know, your package, you know, your dependencies. Do you see anomalies, do you see patterns, you see, can you predict, right, something. And I
A
Don't think that there's a project like that today in OpenSSF, so I'm not sure if we can talk about continuous compliance, now that I think about it, because SLSA doesn't have anything like that, right, also just kind of upon build. They don't talk about anything.
B
A
A
B
I think it would be good. I mean, whenever it comes, personally for me, whenever it comes to any security, it should always go back to the source, because, let's say, even when we're looking at, like, PyPI last week, it's like there's stuff that, it may have been cleaned at one point, now it's not, and if there's no look back, we don't know it. If we don't go back and continue to check it, then it gets put in development. It gets put into build. Now
B
It's a public artifact, so I just don't, I don't know if that's a part that SLSA specifically needs to play, or if it's one of the other, in one of the other security components.
C
There is an aspect here, you know, in the future you could say: hey, the trust in a product requires an anti-malware scan every two weeks or so, and therefore that, potentially, SLSA claim, it needs to be public in a continuous produced thing, so you can make the decision whether to trust it or not.
A
B
B
Saying trust is not a one and done, trust is, we're continuing, yeah, I totally agree with that. We have to continuously be checking the code. We need to be checking that source to make sure that, if we're going back to PyPI, we're going back to, you know, whatever repository we're using, that it's, that that is continuously validated and trusted.
A
A
Oh, I see what you're saying. I think what we do internally, not internally, but for our products, I'm gonna use log4j as an example.
A
If there was log4j present in a product but wasn't called on, wasn't used, maybe it was like in some, like, you know, commented out code or something like that, then it's addressed as such. Right, like, we don't use this, we're not vulnerable because of XYZ. So we do address that factor, because not everybody is going to be vulnerable. Just depends on how you use something, right, or if you even use it. It just happened to be in your repo, as an example, and maybe it's never deployed in the product.
A
It might just be in your test environment or something like that. So is that what you're getting at, Roy?
C
Basically that, though that still is problematic on a continuous basis. How do you deal with, you know, the subset of that is, like, I have a bunch of libraries that use OpenSSL, and the area that is affected by the VEX isn't actually linked in against my product. There is no way to declare your derived product is not susceptible, and I don't know whether that's a claim independently.
A
No, yeah, I'm just curious, because we've been working on this hybrid model for open source and proprietary, and I'm wondering if this is something, this should be taken into account there.
A
A
So this, this almost seems like a hybrid, a scenario that we can address in the specification.
C
C
A
Got it, got it. Thank you. Let me put that in here. Trying to remember. Oh, see, yes, I'm gonna put that link here, because this is where you commented. Hi. Okay, let's see, okay, so I think we've somewhat addressed the continuous compliance and the publish artifact. Build.
C
Well, the SSDF required, you know, references stack analysis and fuzzing requirements, and it also then binds the output of that. So the question then becomes design considerations, so you can actually test it and fuzz it, but that's just indirect, not
A
Yeah, yeah, a design considerations.
C
I would rather go ahead, this sounds, you know, when you start getting into this bent of SLSA, it kind of gets into, do we go more towards the in-toto model of declaring and signing the recipes going forward, and that, to me, SLSA is more the reverse side, which is, here's claims, putting into evidence that was collected in the process of building something. There's, you know, one's a push model, one's a pull now, and I think we're basically on the pull side of it, right.
C
A
C
The tooling is slightly different question, which is: do you have tools that produce evidence that SLSA claims can be bound against? And there's multiple ways to do that. I don't think we're going to dictate there is only one. We can use examples of tools that comply and generate this binding or generate this data, but I don't think we're going to limit ourselves here.
A
Yeah, I'm trying to think of, there was something, I'm trying to go to the SLSA GitHub page. SLSA GitHub, minor, provenance generation.
A
C
C
The fact that you use CodeQL or PREfast or anything else to generate static analysis data, or you use Go's fuzzing library versus the C plus fuzzing library, there's two different specific tools that produce evidence that SLSA claims can be bound to. I don't think we want a tool that says, hey, we do both at the same time.
A
Too many cocktails too much farting currently available, so I wonder, and we could probably reference, I know we could reference some of the tooling of the positioning, but I'd rather leave that to the tooling group, so I'm trying to... should we leave to the tooling group to promote this aspect? I'm not sure.
A
A
A
A
B
Question might, you might have to give an over again, but then the other two actually hash some stuff out.
A
And then the following, I know there's vacation coming up because of those, two, three, four, five, six, I'm gonna say November 29th. I'm probably gonna change that as we get closer, and then this will be, you know, 2023 for publish artifacts, so we'll get there when we get there. Thoughts, folks? I know we only have nine minutes left.
A
I didn't see any other ones, let's see. Okay, so does anybody want to volunteer on starting these? Obviously we can work on them during the working sessions, but if we can have like a lead for each of them, and then in the working sessions we can always add to them, that way there's at least one point first, and then it's not the same person, because if they get hit by a bus or Sol, so, if we can have some volunteers, that'd be fantastic.
A
A
Don't make me name call or do roulette name calling, come on now.
A
Okay, thank you. Obviously, I will help as well, right, during the working sessions. So build. Anybody want to volunteer for build? I know it's a couple months out, but we could technically always get started on it early, maybe do an outline. Actually don't mind starting some of these, maybe outline.
A
Okay, okay, we have, you have seven minutes left. Anything else? We can end a little early. I think this has been quite productive. I appreciate you all joining. I don't appreciate the teeth pulling though, teeth pulling is not pleasant. So, hopefully, next time... sorry.
A
A
B
No opinion, just here to listen and learn. Okay.
A
B
A
Awesome, okay! Well, thanks everyone for joining. We'll end here today, five minutes early, and we will meet each other next week. Thanks folks, thank you.