From YouTube: SLSA Positioning Meeting (August 22, 2022)
Description
No description was provided for this meeting.
B: Here, thunderstorms and torrential rain, like there were just basically no flights into JFK, LaGuardia or Newark, either yesterday afternoon or this morning. It was just a disaster.
C: Okay. Well, let's go ahead and get started. I know people will probably trickle in. Please, if you can, put your name up top, and if you want to share something about yourself, feel free. I think there are some new faces. Oh, I should put that: always newcomers.

D: Everyone, I'm new: Dave Lester. I recently joined Google on the open source team. Happy to meet you and glad to be part of the community.

C: Okay, thanks for joining. Okay, you haven't missed much. This is our third meeting, so good timing.
C: Yes, yes, yeah, and let's see, build to reach the, oh, that's why you know about that. I was wondering how you knew there were no flights in or out of the east coast.

C: Okay, so Isaac, last time we met, which was the first meeting, you said you wanted to present on attestation. I know you were on vacation last time.
B: Yeah, perfect. So this is actually where the content is. This is an appendix to a different deck, but I'll give you, and I'm just going to take a few minutes here to go through this. This is one of the, well, the exercises that I did. I know a few months ago I was getting a lot of questions about, hey, how does SLSA relate to SSDF? How does SLSA relate to SCITT? How does SCITT really relate to Sigstore?

B: How do all these pieces fit together? And so I took a little bit of time to go back to first principles and assembled some thoughts, which seemed sufficiently compelling that I put them into a deck and shared them around here at Google, and folks here found them useful, and so I thought it might be a useful framing for this meeting as well.

B: There's no action that comes from this, rather than just kind of sharing the contents of my head and how I've begun to at least create a mental model of this space. So I started off with this. You know, the notion of software attestation: it has some key elements, and these aren't all the elements, and there's one that's missing here, which I'll come to at the end, and I'll come back to you.

B: But I started off, there's a neat thing coming out of Trillian called the claimant model, and there's a link here, and I'll share these slides afterwards so folks have the links, but it's about, you know, entities making claims about artifacts, and arbiters of those entities, and so on. And so that was a useful framing here, but thinking about software attestation in general, I'll go through each of these individually. And so there's a set of possible claims.

B: You might want to make claims about a software artifact, and so, you know, SLSA enables you to make claims like, hey, it was built from these materials, it was built hermetically.

B: Right here you could imagine, you know, if we extend SLSA into other areas of concern, we might want to enable attestations like: this artifact was scanned for vulnerabilities on this date, or the source management practices upstream of this artifact are XYZ, or this artifact...

B: You know, this artifact has this SBOM, or whatever it is. And so you can think about a set of possible claims you might want to make, and then how these claims get grouped. And so there are functional groupings of claims and there are tiered groupings; that's kind of what I came up with, and SLSA offers both. And so SLSA has, you know...

B: Four functional groupings of claims: common, source management, build and provenance. But then it also offers tiers: SLSA one, two, three and four. So you can group software attestations, or claims about artifacts, in a variety of different ways. And then you go on to which entities will want to make claims, and so, you know, the author or maintainer of a project may want to say, hey, I claim that the following practices were in use around...

B: A third-party assessor could also be a package manager, and so for a given open source package that's built over here and then uploaded to PyPI, it could be that PyPI wants to then do some assessment around the integrity or security of that package and then put its own stamp of, you know, PyPI...

B: I believe that this artifact conforms to X, Y or Z standard. So there's a variety of different entities in the supply chain that may want to make claims about an artifact. Having gotten these claims, you're then going to need a way of formatting them and signing them, and this is where we get into a little bit of detail, and, you know, we have in-toto, DSSE, we have CBOR, COSE.

B: These are familiar to many folks here. And some of these claims have explicit or implicit semantics, and so, you know, software signatures like Authenticode back in the day: simply the act of signing. You know, there isn't an explicit claim there, but there's an implicit claim that, hey, the publisher signed this artifact, therefore they are attesting about its provenance and its integrity.

B: I, Microsoft, signed this artifact; therefore you can trust that it came from me and it hasn't been tampered with since. But those claims are implicit in just the presence of the signature. With these claims, then, in order to make them useful, we need a way of registering, discovering and authenticating them, and there are a variety of ways of doing this. And again, you know, in the swirling landscape around SLSA and SCITT and SSDF and so on, and Authenticode, I would come to that.
B: I'm busy, concepts like transparency logs, sidecars for artifacts, naming conventions, being able to link an artifact to a signed provenance statement that's distributed alongside of it, and so on, or even embedded signatures. And then where the rubber meets the road here, and the reason why we're doing this ultimately, is the ability to actually specify policy based on claims, but not just on the claims.

B: It's trust in those making them as well. And so you can think of a claim here as having, yes, there's the entity making the claim, there's the claim itself, there's the artifact to which the claim pertains, and there's a dimension again, which is a part of the policy assessment, which is: to what extent do I trust the entity making the claim, and what types of claims do...

B: I trust that entity to make. And so, you know, SLSA has right now an implicit trust around some of the tooling we've built around GitHub Actions, that we trust together when they say, you know, the GitHub Actions pipeline is designed such that the environment's isolated and hermetic, and you can reproduce builds securely using this environment. And so we allow the GitHub Actions builder to say this artifact was built in conformance with SLSA level three. Why do we do that?

B: And we do that because we have some implicit trust in GitHub. But, you know, as SLSA becomes more prevalent, and as frameworks like SLSA expand their reach, I think we're going to need to get a little bit more explicit about how that trust is formulated and how it's anchored. And it could be that organization X trusts GitHub to certify an artifact at SLSA level...

B: Three; organization Y may not. Organization Y may trust a smaller or different set of builders. And so I think SLSA has very little in this realm today around how trust is established around SLSA, and claims around SLSA provenance, and then the anchors of that trust. Anyway, where this ends up is, you're looking at this table here, actually making this explicit with a number of different frameworks. And so SLSA here, this first column: the set of possible claims, SLSA calls requirements.

B: It groups them into both functional groupings and tiered groupings, forming a matrix. And the entities making the claims: today we allow the builder to make a claim. I built this artifact. I am a builder that provides the right environment to conform to SLSA principles; therefore you should believe my claims about this artifact. The formatting and signing, again, getting into the details, but these are shoulds in the SLSA specification: you should, you know, encode your statement as an in-toto statement...

B: Formatted as JSON, signed with DSSE. But this isn't the only way; this also can be done... these are shoulds rather than musts. And then, as we go further down the column here, how we get to registration, discovery, authentication gets a little bit more blurry. Sigstore has a role to play there, I believe. And then policy, as you probably all know, is a work in progress: how we actually express and define policy around SLSA. What's interesting, looking at the next two columns?

B: Actually, let's skip forward to SCITT. I think, you know, my understanding of SCITT, I mean, the SCITT working groups, and then having talked to folks about SCITT, it seems to me that actually SCITT and SLSA seem rather complementary, in the sense that SCITT is silent on essentially the top three rows of this table. SCITT doesn't say, you know, we're only supporting this set of claims, or this set of claims is out of scope for SCITT.

B: You can essentially make an arbitrary claim about an arbitrary artifact, whereas SCITT becomes very detailed around how those claims are signed. You know, the draft specification of the moment has musts around CBOR and COSE and so on. Around registration, discovery, authentication, it gets very specific about the transparency service, and all the policy is out of scope.

B: But looking at this, the elements where SLSA is less prescriptive, around formatting and signing, around registration and discovery, are precisely the areas where SCITT is highly prescriptive, and vice versa. And so you could imagine, I think, a world in which SLSA attestations and SLSA provenance are expressed and distributed and stored and registered in a SCITT-like framework. SSDF here is an interesting middle ground. SSDF...

B: Has, you know, a functional grouping called practices, around a set of tasks. The entity making the claim is essentially the supplier, who at this stage is looking to self-attest around SSDF conformance. And then the policy is kind of implicit, in that there isn't a policy engine there, but the implicit policy is that, hey, at some point the federal government will not have to buy or deploy your stuff if you're not SSDF compliant, and so it conforms to this executive order.

B: There's the implicit policy that, in order to ship your stuff into the federal government, you're going to need to be SSDF conformant. And then, just kind of on the right-hand side here, is a slightly different way of doing software attestations, but one which is more ancient and familiar, around Authenticode, where we're in the world of implicit attestations: just by signing an artifact you're saying certain things about it. You're talking about the publisher identity and the integrity of the artifact.
B: The CA is always hosted, and so on. And so Authenticode is a different mechanism, a very, very different mechanism for doing this stuff, but essentially it performs a similar set of functions, in that it is essentially a mechanism for non-forgeable statements about a digital artifact.

B: There's one row on this table which I think keeps coming up, with people saying, oh, what about this? And that is identity. And I do think that there's an identity row on this table which is missing: that, you know, when we're looking at, who is the entity?

B: How do we identify the entity making the claim? You know, SLSA, to the extent that we're reliant on Sigstore for signing provenance attestations, we're essentially leveraging OIDC, and Sigstore exchanging OIDC tokens for short-lived certificates. Whereas in SCITT land, I think the leading proposal in SCITT land is to use DIDs for identity. And so I think there is an important identity row on this table which isn't here today.

B: So I wanted to kind of lay that out, and that's, as I said, this isn't maybe particularly actionable, but I found it useful to think through in this way and see how, you know, Sigstore can be seen to support SLSA around particular functions of software attestation.

B: It's also interesting to see how SSDF and SCITT are actually highly complementary: in the precise parts of this framework which are out of scope for SSDF, SCITT comes in with a highly prescriptive framework. So I'm going to pause there anyway, and, as I say, I'll share these slides, but I thought, as we think to position SLSA, as we think about how SLSA may evolve, as we think about the missing pieces of SLSA, like policy and like discovery, for example, we have a fairly weak story today.
D: So this, a couple of comments and a couple of questions. So I think this lines up with some of our research on the same sort of thing. You know, SCITT is sort of this broader framework for how to distribute claims, how to actually make claims in general. SLSA is sort of a set of specific claims, and there's some work being done, even in conjunction with some of us, in conjunction with Google, on a thing called GUAC, which is also trying to do some of that registration and discovery piece as well. Right now, it does seem like the majority... There's the policy stuff. There is existing work out in the community around enforcing SLSA-based policies, or policies based around SLSA, but it's mostly from an admission control perspective into Kubernetes.

D: There is some discussion on how do we make that more generic, so that we're not just talking specifically about, oh, here's an admission controller, here's policy that makes sure that, you know, whatever; but I know folks are saying, hey, how do we do the same sort of thing, but more generically, like, hey, if I want to ingest a thing, you want to make sure it's SLSA, and whether that ingestion is running it in production or downloading it to a dev machine.

D: That should be something that is kind of considered at that level. I guess the other, the only question I have, or this is, some folks are also starting to ask if there are ways to describe the categories that these things fit in, so that, as more of this comes out, we have a unified vocabulary.

B: They acclaim discovery network, and so they're completely that kind of way.

D: Yeah, because a lot of folks are asking, like, oh, cool, I have these things made in SLSA, great, but then how does that relate to SCITT? And building up that vocabulary, I think, would be interesting. I know, actually, there was somebody, just real quickly, in OpenSSF chat yesterday.

D: I believe it was Zach Newman who posted in general chat, saying, like, hey, is there a terminology to use consistently between working groups, for instance, instances of shared glossary terms like attestation, artifact, etc.? I think that sort of thing might be useful, and I know there's a million working groups already, or, sorry, not just a working group, you know what I mean, but just wanted to throw that out there.
B: Definitely, I mean, this stuff, this turned into a five-page document, basically. But I agree, I mean, I think that something like the positioning working group actually getting crisp on the terms we use is probably a big part of making it successful. Melville, sorry, you have your hand up.

C: Yeah, this, before I ask my question, Mike: I'm definitely in sync with you in terms of that taxonomy. Even just for simple things, in the spec meeting I said, you know, a runner, but IBM calls it a worker. You know, GitLab, GitHub calls it a runner.

C: Microsoft Azure calls it a pipeline agent, right. So I think that mapping of just a simple term that everybody's talking about, but then nobody understands, I think, yeah, I think you're spot on. But my question was, two questions, and I put it on the meeting notes.

C: I love the framework comparison you have, right: instead of it being detailed, it's very much simple, to the point. Do you have a blog on this, or can we publish a blog on this? I think it would be very helpful to the community to have something like this. Just.
B: I'm happy to take the action of drafting this into a post and making a start that other folks can contribute to. This has been sitting with me for, yeah, for a little bit, and it's been helpful enough for me. I think that I didn't want to turn it into something, and so the deck was the start of me kind of just sharing the ideas, but yeah, you're right. I think a write-up of this would be useful, and I can take that action.

C: Okay, and then, you know, you mentioned SLSA and SCITT are complementary. One of the things, one of the frameworks, which was SCITT, if you can call it a framework, we said that we would compare it to SLSA, you know, in detail, right.

C: Given that you are familiar with SCITT and SLSA, I was also thinking, well, what if we had a blog about a super supply chain, right, with SLSA and SCITT, right.
B: You're right. I mean, this literally started from, you know, folks internally here at Google kind of hitting me up and saying, I need to understand the difference between SLSA and SCITT, and then kind of tearing them apart. It turns out they're different things, and, to Mike's point, actually...

B: They exist in different categories. To try and compare them is a category error, because they're different things fundamentally, and that was kind of the epiphany that I came out of putting this deck together with. But yeah, I could certainly include that in the blog post too.

C: Okay, it could be a separate one too, but we can, I guess, brainstorm offline on that. But I do have it as an action item, because I think that would be a good start, right. You already have something in place. It would be a good first objective or first deliverable, so to speak, for the group. Happy to take that.
A: I do. So, first of all, plus one on turning this into a blog post or multiple blog posts. Love it, because that would be, me, I found this interesting, but I think other people would who aren't at this particular meeting, and I think that would be great. As far as glossaries go, let's see, I think it's certainly important to define your terms, at least within a document.

A: If you say a word and people might misunderstand, highly important. There's definitely value in trying to create a, say, a cross glossary, but I will just quickly observe that, having been involved in similar efforts in the past, those take a whole lot longer than you might expect.

A: So I would suggest: start small, maybe starting with any document with a few terms, trying to make those crisp, and then saying, hey, let's pull out this part and then grow it. Just because otherwise... it's okay, if you think that's the important thing, go for it. It's just, it takes real time. That's all. I just want to warn before starting: the road is long.
C: Agreed, yeah. I'm doing one for the diagrams I made for the specification. Like I said, different people call the thing that does the same function different; they name it different things, and it drives me nuts, because I say one thing and nobody understands what I'm saying on the other side.

C: So, but I agree with you, start small. Now, Mike, did you have something that's already a taxonomy? I thought you said that somebody brought this up, but I don't...

D: Know. This was in general chat in OpenSSF. I don't have a taxonomy. I do think that there should be a taxonomy. In the past, Ava from Microsoft, they had created at least a start, and this is their GitHub, with some of that work in there.

C: Okay, let me see. Okay, I'll put it in the meeting notes, and then I guess we can take a look at it. Okay, any other questions for Isaac? Or Isaac, do you have any other comments?

B: I don't. Thank you for having time for me on the agenda. I'm glad this was at least a little bit useful, and, yes, I will start on a write-up.
C: Yeah, awesome, and let's see, sure, let's go back. Okay, so next on the agenda I have the charter template, which I thought would just be one paragraph, and leave it to me to make it a whole page, maybe two. I found this outline on what a charter means and what the components of a charter are, and so, based off of the feedback that we had at the last meeting, which was split up between two issues: it was a scope/charter issue and then, you know, comparing those different frameworks.

C: I kind of put it in this document and tried to make sense of some of the discussions so that it fits these areas. There's the mission, right, and this is the definition of what a mission is: why do we exist? What activities will we pursue? Etc. Right, and so I started writing, you know, educate, evangelize, and I was like, okay, let me keep going with the E's, so educate, evangelize, evaluate and encourage. So that was kind of the mission.

C: I think this one is a new one that we didn't talk about. Basically, you know, try to get the more people the better, right, especially when you're talking about different industries, you know, open source communities or government, you know, different geographies.

C: Their perspectives are very unique and we need to take that into consideration when it comes to SLSA. And then the vision, I didn't really change it much. I just kind of reworded it a little from what Josh's document stated. And then the values is just a copy and paste of our code of conduct at the beginning.

C: So there's no change there. And then the strategy is where I start kind of going into, like, what are we doing when we evaluate, and these were the things that came up out of the last meeting, right, like: how does it overlap? Does it increase scope?

C: Are there, you know, deficiencies with relation to other frameworks, etc.? You know, educating: when we're educating people, what are we trying to do, right? How SLSA compares to other frameworks, how to apply it, what is out of scope for SLSA. You know, just like you mentioned, Isaac, you're comparing SCITT to SLSA.

C: Somebody says, oh, I want to do what SCITT's doing. Well, that's not quite what SLSA is doing, right. Trying to educate the industry or organizations: you know, this is not what SLSA is for. And educating standards and regulatory bodies. So, if you think of NIST as an example, I know Brandon Lum had mentioned he had connections at NIST to potentially help them understand how SLSA fits in, right, and then potentially have, you know, our material, or reference SLSA in their material, so that others can also reference it.

C: So I think that's a good way of thinking of educating the regulatory bodies, and then just educating the general open source community, right. We can either do it, you know, with the work or the communities we're involved in already, or via an initiative. Like, I know there's a working group for critical software; I know there's another one for, I think, best practices, that goes out and tries to help people from a security perspective.

C: So anything we can do there in trying to help SLSA and getting people to leverage SLSA, I think, is advantageous to the entire industry, not just us. And I don't know if we need this, but I figured this is just giving people ideas how they would do this, right: blogs, Slack channels. That's where my social media account question came from, Mike.

C: I didn't see one, and so I don't know if that's in our charter going forward, but, you know, if we do have one, obviously we would add it here.
C: Yeah, so yeah, I'm going to highlight this, because I don't have a link to that contribution guideline. If I can zoom out and find my little highlighter here, okay, it goes up here, evaluate, there. I see contribution guidelines, there we go. I didn't finish the evangelize; I did finish encourage, but not the evangelize, because evangelize is very similar to educate, but evangelize is obviously a different mission, right. It's literally going out and saying how great SLSA is and it's going to solve XYZ of your problems.

C: It's not necessarily the same thing as educating, so I would like some help on this part, if it makes sense to keep evangelize. Otherwise we can just keep it as, you know, educate, and get rid of the evangelize.

C: And then encourage: this is just, you know, getting those different perspectives, and, you know, by encouraging new participation, right, what are we gaining, right? We get new use cases, new personas, right, opportunities for, I should say, SLSA expansion, for shifting the SLSA strategy scope, right. If something doesn't make sense to do any more in SLSA, then we will get that perspective as more people join and more people use SLSA, and then indirectly we're enabling additional OpenSSF participation and potentially improving security of our open source communities. And operating goals.

C: This is similar to what Josh put in his document. He originally put, you know, SSDF and SBOM, but I kind of put EO and CNCF. I know a lot of people are very much keen on those two things as well. So if the group agrees on these as short-term goals, then great; if not, feel free to comment on what should be the short-term goals. And then longer term is, you know, look at other NIST documents.

C: Oh, this one has EO, but I'll figure out if I'm going to keep EO in here or not.

C: This is Common Criteria, and one thing I forgot to put was the CIS benchmark for supply chain security. I know that was a big one that just got released. And then, you know, as we go through these exercises, we're going to provide feedback to the SLSA specification.
D: Oh yeah, no, this is great, and I think also some of this might even be useful to, as we kind of push SLSA to 1.0, maybe even make this potentially integrated just into the general SLSA charter.

D: Two things, or a couple things. One is, I think, also there's another, so there's some additional work that's spinning up from the CD Foundation there, and once again, another Linux Foundation group. Actually, so for a while there it was a little unclear where they're going to be focused, and they're going to actually be really focused on the problem from the business challenge side, as opposed to so much the technical challenge side.

D: So this is the stuff around things like, hey, imagine, you know, there's a supply chain security risk: what does that mean from a legal, like, what does that mean from a licensing standpoint? What does that mean from, you know, a time-to-market standpoint? And yada yada. So that's just something just to be in there, because they seem to be interested to see how they could...

D: Yeah, like a product manager attests to a thing, saying, yep, this should be good to go to production, right, like, I think the features look good for us to make a release. And, you know, it's the sort of thing that you might imagine would be part of a holistic decision for, you know, a large organization, often like a commercial enterprise, making a decision based on ingesting of software or whatever, as opposed to just purely the security focus, which is what we're focused on. Okay.

D: Yeah, that's definitely a longer-term goal, because they've just started spinning that up. They're still looking for, like, use cases and personas and that kind of thing.

D: Yeah, oh, the only other thing was also, you can sign me up for whatever the CNCF one is, because I've been leading a lot of that for the CNCF. So if you need anybody to link up with.
C: Yeah, the CNCF. I think, really, it's starting to fill out this column here on this spreadsheet that we have, right, where we started with Brandon and some other SLSA members: okay, what controls, which I know are somewhat changing in SLSA, but what controls in SLSA, or requirements in SLSA, meet some of these controls in these frameworks.

C: So I think that's the biggest help that we need right now for CNCF, is just trying to do that comparison.

D: Yeah, so let me actually, Marina Moore has essentially done that. Okay, so let me go and see if I can find what she made, which should be clear. Marina Moore, like, on behalf of the CNCF, had made that already, or at least had started some of that mapping already. So I'm sure we could just sort of merge all of these into one.
C: Yeah, I just put the link in the meeting notes, and I'm trying to find the chat in Webex, because it always disappears whenever the presentation stops.

C: So there's the spreadsheet, but yeah, any contributions to this or any other framework that's either listed on here or not listed, please. You know, this is kind of what we're going to be doing, is comparing, right, how does it match up, and then we'll probably have some sort of blog or summary of some sort to educate the community on what our findings are. If I go back... nope, nope, nope, nope, nope, there it goes. Okay, any other comments or questions on this?

C: I honestly thought it would just be one paragraph, and I made the mistake of looking up "charter", and then I came across this LinkedIn article. I'm like, oh, that's really good. So I think what I'll do is I'll put in a PR to adopt some of this, given that people give each section a thumbs up. Go ahead.

A: I do have a reminder: Knit, you copied and pasted the code of conduct. Can you just link to it, because otherwise I...
A: So, specifically on the code of conduct, I mean, there's always a risk of stuff changing, and so, you know, I would suggest just link to the other, and, you know, most people... Right, exactly, just link to it. You're done if there's an...

C: Yes, that works for me. Okay, any other comments or questions about the charter?

C: So if we can get maybe a week for people.

C: Okay, and if anybody wants to help with this leadership, accountability, or what was the other one, I think it was evangelize, whether or not we should keep it or get rid of it, please feel free to comment or jump in and try to fill in the gaps. Okay, and then the other thing I have on the agenda is...
C: Because I'm not seeing a lot of activity outside of this with regards to this, like, for example, the comparison we said we would start comparing, and even myself, I'm guilty of that, I haven't started the comparison. So I'm wondering if we should have a bi-weekly working session, so that if we have to get something done like this, right, we have the bye week and we have the time set aside to just hash it out.

C: Let's finish it, or let's write a blog, or let's do a comparison. That way we're not waiting two weeks and then finding out no one's done anything. So not sure what people's thoughts are on that.

B: I like it. I mean, I think, you know, part of the original intent of setting up these SIGs, you know, the specification and positioning and tooling, was precisely there to actually kind of try and converge on specific outcomes. You know, the community meeting provided a great venue for discussion, but not a lot of action, and so I think having these SIGs biased towards action, and having specific working sessions where we're actually creating stuff, I think sounds like a great idea to me.
A: This is Jason. So, kind of like comparing this to another working group on a completely different framework, yeah, the way I've seen it done is, typically, if they're engaging on a mapping from one framework to another, the different domains...

A: Compares the two frameworks, and then a second reviewer, and then, if there are any ties or disagreements, a third reviewer. But on blogs, yeah, it seems like we could team up and divvy those out based on who wants to contribute to which blogs, and so on.

C: Okay, and then, so you said the blog is really more of a working session.

C: No, okay! Well, I think I can do the same time. I know I did it on a bye week, so it wouldn't conflict with any other, you know, OpenSSF meetings. I don't know if there's another OpenSSF meeting at the same time next week. Looking for the calendar... if somebody gets to it before me, by all means, let me know.

C: Yeah, okay, okay. So then, action item: get on the OpenSSF meeting calendar. Okay, any other topics people want to discuss? And I am losing my... there. Is it this one? Yes, any other topics.
D: So just as an FYI, I added Marina's spreadsheet there, as well as the CNCF control catalog.

D: Yeah, so the CNCF control catalog, there's the subset, that's the supply chain security best practices, is what's relevant to us. But yet there's actually not a ton of, like, a lot of the stuff under the CNCF's things fall more under that sort of holistic, like, here is what you should be doing from a build, deploy, etc. Like, you know, yes, you should be doing SCA.

D: You should be doing all these other things, whereas SLSA, at least right now, and I know there's a bunch of discussions up on increasing the scope, has really been focused on the provenance piece, whereas the securing the supply chain security from the CNCF is significantly more focused on stuff like actual actions. You know, it's very prescriptive, like, you should be doing these three specific things.
C: Okay, yeah, sorry, I'm trying to, like, expand the column and it's not letting me, so it's driving me a little crazy, because...

D: I'm just going to post, whoops. It's all the way at the bottom of that PDF, are all this, or wait, it used to be under here. They might have swapped it out. Okay, yeah, they changed the, I think, the formatting a little bit. So there it is, it's in one of these things. I'll update the...

D: The mapping where Marina tried to look at what tools and things kind of address these things that we describe in there. But if you, in the actual document, like the second link I posted, is the controls catalog from the CNCF.

D: I'm muted. So, for the most part, it's under, anything, if you scroll down, SCP is kind of the stuff that's mostly focused around supply chain security.
C: I saw that, yeah, yeah. So I'm going to assume that this is public, because it's from the CNCF.

C: Yeah, I see the 1.0 on there. Okay, I just wanted to double check that this wasn't a work-related item that shouldn't be in the public. No, no, no.

C: Awesome. Well, both of those are in the meeting notes. Anything else, folks?

C: No? Okay! Well, if there's nothing else, feel free to drop. You have nine minutes back to your day. I'm probably going to stick around and try to wrap up some of the action items on my side, for, like, the OpenSSF meeting calendar invite and things like that.