►
From YouTube: Supply Chain Integrity WG (September 14, 2022)
B
C
E
D
C
G
G
D
Yeah,
just
historically
this,
this
working
group
has
been
full
of
really
good
presentations
and
fostering
a
lot
of
good
discussions
around
software
supply
chain
Integrity.
So
if
you
do
have
a
presentation
or
a
topic,
you
want
to
discuss
yeah,
please
feel
free
to
add
it
to
a
future
agenda,
and
then
we
will
definitely
let
you
take
the
stays
and
present
and
talk
and
teach
us
all
things
and
yeah.
Just
a
reminder
for
new
folks
too.
D
This
is
part
of
this
working
group
is
part
of
the
open
ssf,
and
these
meetings
are
recorded
and
uploaded
to
YouTube
at
some
point
in
the
future,
when
we
remember
I,
think
I
think
it
happens
automatically.
Now
we
got
someone
helping
us
out
so
yeah.
So
with
that
today,
do
you
doing
in
Adrian?
Do
you
want
to
take
the
stage
foreign.
B
Thank
you
very
much,
Kim,
yes,
so
so
here
we
are,
and
I
and
I
didn't
ask
myself
earlier.
This
is
not
the
first
time
I've
attended
this.
This
working
group
meeting
and
sometimes
I,
have
to
sit
back
and
listen
and
other
times
I
might
I,
might
chime
in
so
I'm,
not
necessarily
new
and
as
a
matter
of
fact
that
way
in
and
out
of
all
the
working
group
meetings
across
the
openness
and
stuff
up
to
and
including
the
tag
mean
I'm
trying
to
get
as
involved
as
possible.
B
All
that
being
said,
I
do
work
for
Microsoft
and
I
do
evangelize
bringing
a
lot
of
the
good
work,
that's
happening
in
Microsoft
into
the
open,
where
I
think
a
lot
of
this
work
belongs
up
to
and
including
what
Adrian
and
I
are
are
here
to
present
today
and
I'm,
waiting
on
Adrian
to
go
ahead
and
I.
Think
he's
here,
I'm,
not
sure
anyway.
B
What
we're
presenting
today
is
is
what's
been
developed
by
Adrian
and
his
team,
and
now
one
in
a
one
Engineering
Services
here
in
Microsoft,
and
it's
the
open
source
software
supply
chain
security
framework.
This
framework
is
consumer,
focused
and
really
does
drill
down
and
a
lot
of
the
issues
around
supply
chain
focusing
on
ingestion
which
which
and
that's
really
a
huge
item.
B
That's
not
really
focused
in
a
lot
of
the
other
Frameworks
that
that
you
see
today
and
what
we
do
plan
on
discussing
along
with
the
framework
itself,
is
how
how
it
balances
and
bridges
over
to
the
other
Frameworks
we're
discussing
here
in
the
openness
and
stuff
such
as
salsa
and
and
other
Frameworks
like
that.
So
look
so
as
we're
talking.
B
Please
look
at
this
as
not
as
competition,
but
as
a
bridge
and
as
something
that,
if,
if
we
do
this
correctly,
we
can
have
both
of
these
documents
built
and
and
improved
such
that
they
can
both
be
hand
in
hand
to
help
both
the
producer,
the
producers
of
bills
and
then,
of
course,
the
consumers
of
those
bills
and
organizations
so
I'll
pause.
There
David
has
a
question
what
you
got:
David
yeah.
E
So
I
I
I'm,
looking
forward
to
the
presentation,
of
course,
I've
heard
your
previous
one.
So
I
guess
it
is
my
thinking,
but
maybe
I'm
misunderstanding
things
is
Microsoft,
considering
contributing
this
to
be
part
of
the
open
ssf
and
if
so,
then
the
opennesses
have
to
have
to
S
decide
whether
or
not
they
want
to
take
that
on
and
if
so,
which
working
group.
E
B
That
is
the
desired
approach,
so
so
I'll
I'll
start
I'll
start
with
what
the
what
the
aspirational
end
is
and
then
we'll
and
then
we'll
do
what
I
like
to
refer
to
as
tarantinoing
it
right
with
Tarantino
all
right.
The
aspirational
end
is
to
have
maybe
some
type
of
iso,
some
type
of
mist
and
then
maybe
some
type
of
iso
standard.
B
How
do
we
get
there
first
by
having
this
brought
into
the
open
into
the
openness
itself
being
worked
inside
of
the
openness
itself
and
we're
proposing
to
not
only
here
and
and
secure
supply
chain
working
group,
but
we're
proposing
to
the
end
users
working
group
tomorrow,
and
we
proposed
already
to
the
best
practices
working
group?
The
idea
is
for
all
three
of
these
working
groups
together
and
if
this
is
this
is
me
talking
now
I,
you
know
far
beer.
B
Let's
build
six
and
then,
and
then
let's,
let's
build
both
of
these
out
together
side
by
side,
because
you
can't
talk
about
one
successfully
if
you're
not
talking
about
the
other
and
then
and
then
my
honest
opinion.
This
is
me
talking
a
lot
of
the
the
the
conversations
that
we're
having
both
on
the
you
know
within
the
salsa,
because
I'm
in
all
those
meetings
too,
but
and
then
a
lot
of
the
stuff
that
we're
talking
about
when
it
comes
to
this
consumer-focused
fragrance
and
secure
supply
chain
framework.
B
A
lot
of
the
difficulty
that
we're
having
is
because
we
know
the
missing
pieces
and
we're
talking
about
them
actively,
but
we're
not
bringing
together
the
information
that
we
already
have
in
place
to
fill
those
gaps.
We
can
fill
those
gaps
with
this,
because
now
we
can
talk
about
these
together
in
parallel
Bridging,
the
two
together
one
another
go
ahead:
David,
okay,.
E
And
a
quick
response
actually
I'm,
pretty
sure
you
already
know
this,
but
for
those
of
you
who
don't
the
Linux
Foundation
is
actually
an
ISO
pass.
So
if
there's
a
specification
and
there's
a
desire
to
submit
it
to
ISO
and
make
it
an
ISO
standard,
there's
actually
you
know
there
are
mechanisms
in
place
to
do
that.
We
can
talk
about
that,
but
but
step
one
is
to
have
the
conversation
here
you
know.
Is
this
something
they
want
to
contribute
to
openness
is
that
is
this?
Something
openness
and
stuff
wants
to
pick
up.
B
G
I
I
also
just
wanted
to
to
double
down
on
that
comment
about
about
making
it
an
ISO
standard.
My
understanding
is
that
the
license
that
we
chose
that's
in
the
GitHub
repo,
the
community
specification
license,
was
actually
designed
with
that
in
mind,
so
that
these
can
be
more
easily
contributed
up
to
to
ISO
to
be
making
a
standard.
G
G
These
are
these
are
things
that
can
be
applied
to
numerous
different
scenarios
because
different,
you
know,
open
source
ecosystems
have
have
different
consumption
nuances
from
there.
We
also
then
describe
the
set
of
requirements,
and
these
set
of
requirements
mapped
to
those
eight
high-level
practices.
G
G
Those
those
in
simple
terms
are
inventory
or
OSS,
scan
it
for
vulnerabilities
and
and
keep
it
up
to
date
to
patch
the
vulnerabilities.
That's
basically
our
maturity
level,
one
right,
that's
that's
kind
of
like
the
bare
minimum.
That's
where
I
would
say,
a
large
majority
of
organizations
and
teams
across
the
world
are
because
they
haven't
had
any
guidance
to
improve
their
their
governance
programs
so
level.
Two.
G
By
adopting
those
types
of
capabilities
you
are
helping.
Your
developers,
patch
faster
than
the
adversary,
can
act
because
we've
seen
also
mentioned
in
one
of
the
sonotype
state
of
the
supply
chain
reports
that
The
Assault
stack
had
they,
they
publicly
disclosed
a
vulnerability
same
day
that
they
made
a
patch
available,
and
it
only
took
adversaries
three
days
to
craft
and
exploit
and
start
actively
exploiting
against
the
vulnerability
and
because
organizations
and
teams
take
a
long
time
to
patch
their
systems.
G
Even
though
a
patch
was
available,
they
were
getting
actively
exploited,
and
so
we
need
to
start
adopting
tools
and
Technologies
to
patch
faster
than
the
adversary
can
operate
level.
Three
starts
moving
us
into
malicious
protection.
There
have
been
lots
of
compromised
open
source,
there's
been
lots
of
new
threat.
Vectors
such
as
dependency,
confusion
and
and
organizations
and
teams
need
to
start
to
develop
technologies
that
can
start
to
evaluate
the
and
protect
themselves
from
consuming
open
source
that
that
may
be
malicious
or
compromised
and
level.
Four
is
largely
aspirational.
G
While
you
confidentially,
coordinate
with
the
Upstream
maintainer
on
implementing
a
public
fix
for
everybody,
so
there's
and
then
the
the
the
guide
also
has
a
questionnaire
for
organizations
to
to
interview
their
developers
to
understand
where
they
are
on
their
journey
of
the
the
maturity
models.
And
we
also
have
mapped
our
set
of
requirements
to
six
other
secure
supply
chain
specifications.
Just
to
show
the
the
traceability
there
across.
G
C
E
You
are,
you
are
open
to
adjustments.
I
think
several
people
have
complained
about
your
definition
of
Open
Source
software
I
know,
you've
heard
him
before
yeah
I,
I,
I,
I,
I,
I
I,
don't
actually
mean
to
beat
on
you
with
that.
It's
just
the
but
I
mean
I.
Don't
think
that
that
subverts
the
document
at
all.
It's
just
hey,
there's
some
things
that
I
know.
People
here
would
like
to
comment
on
and
but
you're
willing
to
make
some
adjustments
based
on
community
feedback.
Is
that
fair.
B
B
You
know,
read
it
submit
your
submit
your
your
improvements
to
it,
submit
your
thoughts
around
it
get
you
know
we're
we're
actively.
We
actively
want
to
improve
this
for
the
better
for
the
community,
for
the
industry
at
at
large,
as
I
said
before,
so
so.
This
is
something
that
everyone
can
get
their
hands
on
sink
their
teeth
into
and
and
really
build
up.
Isaac.
You
got
a
question.
H
Yeah
I
got
a
couple
of
questions,
I
mean
the
first
one
I
mean
well.
Actually.
My
first
observation
is
thank
you
for
bringing
this
I
think
it's
a
it's
a
really
solid
set
of
of
practices.
I
mean
you
know,
I
looked
at
this
and
others
looked
at
the
internet
Google
and
we're
kind
of
nodding,
along
with
it,
as
instead
of
best
practices
for
ingesting
open
source
dependencies.
H
I
think
it's
articulated
very
well
in
those
times
one
one
question
I
have,
is
you
know
about
the
overall
intent
and
scope
I
mean?
Actually
let
me
let
me
start
with
one
simple
question
at
the
top
of
the
tree
there,
and
do
you
imagine
this
this
framework,
as
as
being
applicable
to
organizations
as
to
order
artifacts
I
mean,
should
I
conceptualize
this
as
hey.
H
My
organization
is
at
level
three
of
SSC
with
respect
to
how
we
managed
open
source
or
should
I
conceptualize
this
as
this
artifact,
which
I
produced
its
dependencies,
were
managed
in
conformance
with
OSS
SSC,
and
so
should
I.
Think
of
this
as
organization
oriented
or
artifact
oriented,
or
is
it
both.
G
If
I
were
to
share
a
little
bit
of
my
vision,
I
I,
absolutely
imagine
a
future
where
organizations
claim
you
know
level
three
conformance
to
to
the
framework
and
I
I
think
there's
there's
certain
requirements
that
that
can't
really
be
done
on
a
on
a
per
repo
level.
It
kind
of
needs
to
be
done
on
like
a
larger
team
or
or
organization
level
for
like
proper
Disaster
Recovery
planning,
like
yeah.
F
H
H
B
Well
so
I
I
well
Adrian,
because
I
mentioned
this
earlier
right,
so
aspirationally
right
thinking
about
what
we
have
currently
and
most
secure
supply
chain
Frameworks
with
their
very
producer,
focused
we're
taking
the
consumer.
Focused
angle
to
this
all
represent
a
secure
supply
chain
when
brought
together.
There's
you
have
one
element
that
focuses
on
one
end
of
the
spectrum
around
the
supply
chain:
we're
bringing
this
all
the
way
back
to
the
point
of
hey.
This
is
how
a
company
would
ingest.
B
So
when
you
combine
these
together
right
when
you,
when
you
bridge
them
together
and
you
march
them
forward,
produce
a
focus
and
consumer
Focus,
you
have
a
complete
secure
supply
chain
framework,
both
representing
secure
supply
chain
from
one
and
or
the
other.
The
desired
and
aspirational
goal
would
be
to
have
these
work
in
parallel,
so
so
to
change
the
name
we
could
right
by
itself.
H
Yeah
no
I,
I,
agree,
I,
agree
with
that,
and
I
think
I
mean
that's.
That
speaks
to
where
I
was
going
to
go
next,
which
is
you
know
overall
I
I
think
the
open
ssf
you
know
needs
to
have
you
know
Clarity
with
the
way
it
it
presents
it.
You
know
supply
chain,
security
Frameworks
and
we
we
kind
of
thought
to
have
two
of
them
right.
We
can't
afford
to
have
people
to
go.
H
My
question
was
was
really
about
you
know.
The
name
of
this
thing
suggests
supply
chain.
Broadly,
the
text
of
the
specification
suggests
dependency
management
more
narrowly,
and
so
I
was
just
trying
to
understand
how
those
two
fit
together.
I
mean
what
what
you
said
makes
complete
sense
in
terms
of
hey.
Look,
we
need
to
think
about
a
supply
chain
holistically.
You
can't
just
address
one
part.
It
I
definitely
agree
with
that,
and
so
I
think
you
know.
H
If,
if
the
open
ssf
would
you
know,
adopt
this
or
begin
to
incubate
this
further
I
think
figuring
out,
you
know
how
do
we
position
ourselves
alongside
it?
So
it's
not
confusing
so
people
don't
Don't
Come
Away,
with
the
impression
that
hey
there
are
two
competing
or
two
separate
supply
chain
Frameworks
within
the
open
ssf.
We
really
want
to
explain
that.
You
know
no,
no,
no
there's
just
one
there's
different
elements
of
supply
chain
security
and
the
these
sub
Frameworks
speak
to
those
different
aspects.
If
that
makes
sense,.
B
So
that
makes
perfect
sense
and,
and
the
one
and
the
one
the
one
caveat
to
this
and
bring
it
into
the
openness
so
that
we
can
further
those
kind
of
discussions
right
and
and
as
we
throw
them
along
and
as
it
evolves
it
could
evolve
to
whatever
it's
going
to
be.
What
I
also
want
to
bring
in
is
the
difference
between
a
security
framework
and
that's
compliance,
requirement
right
and
and
understanding
that
there's
some
elements
of
this
that
could
become
compliance
driven
where
you
do
have
attestations.
You
do
have
artifacts.
B
You
do
have
third
parties
that
are
coming
in
providing
certification,
and
then
you
just
have
something.
That's
that's
designed
to
create
a
secure
that
reinforces
secure
architecture
and
secure
infrastructure,
secure
architecture
around
secure
supply
chain
and
I
think
we
have
the
POS
with
the
work
that
we
could
do
together.
B
We
could
really
provide
that
one-two
punch,
salsa
itself
is
being
poised
and
positioned
is
the
ongoing
conversations
I
think
right
now,
one
of
the
one
of
the
biggest
ones-
and
this
is
just
my
opinion
and
what
I
hear
is
the
the
ebb
and
flow
between?
Is
this
a
compliance
requirement
versus
a
secure
framework
right,
we're
talking
about
attestations,
we're
talking
about
artifacts,
but
then
we're
also
talking
about
tools
that
are
being
used
to
to
put
controls
in
place
to
provide
that
kind
of
information.
B
If
that,
if
that
makes
sense,
like
I
said,
a
lot
of
the
stuff
is
aspirational.
I
get
excited
about
it
and
so
does
Adrian
right
and
and
then
so.
The
excitement
is
there
to
see
if
we
can't
bring
this
in.
But
these
conversations
are
the
ones
that
need
to
be
had
once
it's
in
the
no
as
we're
doing
now,
to
reinforce
these
ideas
and
and
bring
them
both
up.
H
No
I
think
you're
right
and
I
I
share
your
excitement,
honestly,
I
do
and
I
I
think
that
there's
there's
a
lot
that
we
could
do
here.
Work
working
together
in
this
space.
I
guess
you
know
at
a
high
level
and
potentially
precisely
in
this
working
group,
I
think
it
would
be
great
to
form
a
collective.
H
You
know
consensus
around
the
map
of
the
problem
domain
and
how
these
various
things
that
we
have
today
map
into
that
in
a
non-overlapping
way,
because
you
know
already:
we've
got
sales,
so
we've
got
Fresca,
we've
got
guac,
we've
got
you
know,
sing
store
and
someone's
showing
up
at
the
open.
Ssf
today
could
be
forgiven
for
being
very
confused
on
day.
H
One
and
I
think
if
we
add
another,
we
risk
adding
to
that
and
that's
not
to
say
no,
no,
we
shouldn't
add
another,
it's
more
to
say,
yeah,
let's
bring
in
these
new
capabilities,
but
let's
also
make
sure
that
they're
all
positioned
correctly
and
we
can
tell
a
great
story
about
how
they
fit
together,
because
it
is
it's
a
confusing
space
today
already
and
at
the
open
SSS
having
these
various
Frameworks
of
various
acronyms
there's.
Also,
the
cncf
there's
also
a
bunch
of
government
bodies
coming
out
of
those
things.
H
There's
this
coming
out
the
ssdf
and
it's
a
confusing
acronym
super,
so
I
think
it's
incumbent
upon
the
open
ssf
to
you
know,
frame
you
know,
describe
the
problem
domain
and
how
our
Solutions
map
into
that
problem
domain
in
a
natural
way
and
I.
Would
you
know
personally
I'd
love
to
see
you
know,
joint
work
on
on
that
and
I
I
see
SSC
and
salsa
solving
separate
problems
in
this
that
we
can
work
together
on.
B
A
Monopolizing
the
conversation
is
my
job,
so
you
know,
watch
out,
I'll
be
I'll,
be
saying
if
you're
into
competitive
practice,
yeah
so
I
would
say
if
I
put
on
my
end
use
a
hat.
The
thing
I
really
like
about
salsa
is
that
the
scope
is
limited.
I,
really
like
your
frame,
Isaac,
that
it's
about
artifacts
and
information
that
attends
and
attaches
to
artifacts
I
think
there
is
definitely
room
for
complementary
practices.
A
You
know
methods
controls
if
you
like,
and
it
would
be
useful
to
have
something,
particularly
because
that
will
prevent
the
sprawl
of
salsa.
There
is
an
ongoing
tension
between
what
salsa
sort
of
started
out
as
and
what
what
folks
are
worried
about.
You
know
like.
Oh,
it
doesn't
cover
this
and
it
doesn't
cover
that
so
I
would
be
happy
with
you
know,
an
Allied
framework
that
takes
that
pressure
off
and
allows
salsa
to
stick
to
its
knitting.
A
B
So
he
and
I
are
both
in
those
meetings
and
that's
kind
of
what
I
was
alluding
to
earlier,
that
the
scope
of
salsa
is
getting
kind
of
lost
around
what
gaps
are
not
being
covered
and
it
per
its
current
scope
and
I.
Think
the
current
scope
is
sound.
I
I
think
this.
The
social
scope
is,
is
phenomenal.
If
to
not
go
beyond
that,
and
just
basically
say
hey,
that's
out
of
scope
for
this
good.
We
have
something
that
we
could
provide,
that's
in
scope
for
that,
let's
Bridge
them
together
and
improve
them
together.
B
C
D
F
Ahead,
Mark
yeah
I
just
have
a
quick
question
on
the
like
the
leveling
system.
That's
in
the
proposal
right
now
are
you
anticipating
that
each
level
I
know
you're
just
a
little
bit
at
the
beginning,
but
that
each
level
provides
a
particular
kind
of
guarantee
of
like
level
one
provides
this
level
two
provides
that
level
three
provides
that
or
is
it
more
of
a
guidance
of
we
think
most
organizations
are
going
to
want
to
go
in
this
order
and
level.
One
is
like
the
low
hanging
fruit
and
level.
F
G
G
I
So
that
that
was
actually
going
to
be
I.
Think
related
to
my
to
my
question,
which
was
I.
Don't
know
if
you
have
this
yet
but
I
know
one
of
the
things
I
would
love
to
see
is
just
like,
maybe
some
like
a
demo,
even
if
it's
you
know
a
contrived
example
of
like
what
this
sort
of
those
claims
could
actually
look
like,
so
that
hey
as
an
end
user,
if
I
want
to
tell
folks
yeah
no,
my
like
you
can
trust
my
org
because
we're
doing
the
right
things.
I
G
Yeah
yeah,
you
bring
up
a
great
point.
I
know
that
that's
like
the
type
of
thing
that
that
salsa
is
working
on
is,
is
you
know,
using
in
Toto
attestations
to
claim
conformance
to
a
particular
requirement,
and
we
can
start
to
explore
that
going
forward
how
to
how
to
write
up
example,
attestations
in
that
format,
I
think
that
would
be
good.
You
know
now
that
we've
got
these
these
Community
meetings.
B
G
B
I
want
to
say
I
I,
don't
have
it
in
front
of
you
right
now
either
so
please
they're
held
on
Monday
and
a
Tuesday
ones,
I
believe
at
the
third,
so
the
third
Monday
of
the
month
and
the
or
the
last
Tuesday
of
the
month.
It's
one
it's
it's
that
some
combination
that
I'll
have
it
in
front
of
me,
but
all
are
welcome,
they're
on
the
open,
ssf
calendar
right
and
and
so
that
they
can
all
be
attended.
B
Then,
and
of
course,
if
one
of
the
working
groups
decides
to
pick
it
up
and
an
incubation,
we
work
on
it,
then
then
a
Sig
for
this
can
get
can
get,
can
get
opened
up
as
well
and
and
then
you
know
those
means
to
be
on
the
calendar
and
all
can
attend
those,
and
we
can
all
work
on
that
work
on
it
together.
That
way
as
well.
So
yeah.
B
H
G
Believe
krobe
owes
us
one,
he
says
he's
you
know
done
the
old
school.
You
know
redlining
of
a
printout
of
our
guide
and
he
needs
to
convert
that
into
a
PR.
If
I
come
down
to
our
attendance
yeah,
we
had
Wipro
Gen,
2,
intel,
Linux,
Foundation,
astrotech
and
Google
attend
I.
Think
we
had
a
total
of
eight
different
organizations
attend
our
our
inaugural
kickoff.
D
D
Look
like
I
mean
I'm,
mostly
concerned
about
the
comments
that
other
people
brought
up
about,
how
we
position
this
against
salsa
and
make
sure
they're
we're
not
confusing
the
world,
but
I
do
think
to
Jacques
point.
I
think
it
would
be
great
to
have
like
a
complimentary
framework
that
fills
in
the
gaps
that,
like
salsa,
you
know,
is
a
bit
out
of
scope
for
salsa
right
now
and
I
think
that
could
be
a
a
really
great
story,
so
yeah
I
think
for
next
steps.
D
Maybe
if
we
can
dig
a
little
bit
deeper
on
that
and
cover
sort
of
how
they
can
complement
each
other,
it
might
be
in
the
repo
I
haven't
looked
at.
It
would
be
good
next
steps,
at
least
for
this
working
group.
I
mean
I,
know
the
you
know.
Even
the
whole
process
of
like
the
the
foundation
and
the
stuff
at
the
attack
level
is
still
kind
of
getting
shaken
out.
G
D
D
An
open
conversation
with
the
folks
that
are
more
active
I
mean
we
have
some
of
them
on
the
call
now
active
in
the
salsa
thing
just
to
help
kind
of
land.
This
well
because
I
like
jock
was
saying,
is
an
active
discussion
there
around
scope
and
the
end
of
the
day.
For
me,
like
any
framework,
that's
improving
supply
chain
security
is
great
with
me.
D
I
just
want
to
see
you
want
to
see
Frameworks
that
actually
can
be
used,
so
I
think
to
Mike's
Point,
having
like
some
demos
of
like
how
what
this
could
actually
look
like
end
to
end
could
be
super
helpful
as
we're
kind
of
looking
at
this.
It
does
I
mean
it
doesn't
have
to
be
complete
or
anything,
but
just
so
folks
can
sort
of
wrap
around
wrap
their
heads
around
how
this
would
work
in
practice
and
how
people
are
supposed
to
use
it.
I
think,
would
be
super
helpful.
B
Yeah
I
can
actually
see.
I
can
actually
see
a
a
great
conversation
stemming
from
first
hitting
hitting
a
presentation
in
the
bi-weekly
and
and
and
Mike
that
this
is
something
that,
because
I
know,
you're
you're
active
in
that
as
well
the
Dubai
weekly
meeting
and
then
maybe
Hitting
off
into
the
positioning
meeting
after
right
after
that
to
to
kind
of
position,
both
both
Frameworks,
together
or
or
figure
out.
B
I
More
broadly
is
like
do
we
have
in
any
of
the
stuff
from
the
open
ssf
that,
like
a
higher
level
view
on
what
are
all
the
components
of
open
source
security
and
supply
chain
security
and
all
that
sort
of
stuff,
so
that
when
we
look
at
all
the
different
pieces,
we
can
better
and
I
know
this?
Is
this
was
kind
of
a
question
we
had
early
on
on
salsa
last
year
and
I?
Don't
know
if
things
have
shifted
but
I
know
it
was
like
a
big
open
question
of
like
hey.
I
I
You
know
where,
for
example,
you
know
salsa
starts
and
ends
where
SSC
starts
and
ends,
and
and
so
on,
so
that
we
can
kind
of
go
and
look
and
see
like
okay,
yeah
SSC
is
the
framework,
and
do
we
have
tools
that
like
easily
integrate
in
there
and
then
it
would
help
us
kind
of
build
that
story
out
and
to
be
clear,
I,
don't
think.
That's
necessarily
something
on
on
the
SSC
folks
to
figure
out
I.
I
B
You
know
what
John
Meadows
has
a
fantastic
diagram
of
of
end-to-end
supply
chain
I'm
talking
about
all
the
way
from
you
know,
on
one
end,
where
you're,
you
know
your
ingestion,
you
have
a
other
end
where
you're
on
the
build
side,
it's
fantastic.
It's
huge
and
I
think
that
that,
with
a
little
bit
of
Polish,
we
could
kind
of
take
the
Frameworks
and
overlay
them
and
go
from
one
end
of
that.
B
Spectrum
start
on
one
end
of
that
Spectrum
with
salsa
start
on
the
other
end
of
that
Spectrum,
with
the
SSC
and
kind
of
find
our
way
into
the
middle
I
I.
It
was
that
it
was
that
fantastic
when
he
showed
it
to
me.
So
so,
I
I
think.
If
we
have
something
like
that
and
we
can
overlay
them
and
then
with
a
little
bit
of
polish
from
the
people
and
on
this
team,
the
best
practices
team
and
the
end
users
team,
we
can
sit,
we
can
come
together
and
kind
of
build
that
mapping.
B
E
Ahead,
David
yeah
just
quickly
I,
actually
a
while
back
I,
did
create
I,
took
the
salsa
diagram
and
then
tried
to
place
where
different
projects
fit
in.
Some
of
you
may
have
seen
that
I
did
that
with
both
the
open
ssf
projects
and
the
projects
not
within
the
Open
Access
app
I
mean
you
know
by
no
means
perfect,
but
at
least
is
an
early
attempt
to
try
to
figure
out
hey.
Where
do
things
fit?
E
E
D
E
E
Is
this
something
we
want
to
bring
into
the
open,
ssf
I
think
there's
been
a
lot
of
interest
in
doing
that
and
then,
where
and
I,
don't
I
I
think
the
problem
of
how
do
you
scope
out
different
things?
I,
don't
think
we
have
to
resolve
it
all
to
get
started.
In
fact,
I
would
say
that
that
would
be
part
of
the
process
is
working
out,
how
it's
much
easier
to
work
out
things
together
when
we're
all
talking
to
each
other
and
okay.
E
H
D
H
I
was
just
going
to
agree
as
well
I'm
inclined
to
agree
with
that.
I
think
you
know,
bring
bringing
it
in
and
then
figuring
out
how
we
do
this
kind
of
mapping
into
the
problem
domain
and
then
kind
of
this
relative
position
of
the
openness
is
have
framework
offerings
and
that
could
you
know
that
could
be
work
that
we
do
once
once
we
bring
this
in.
D
D
No,
we
don't
care,
you
know
how
it
relates,
and
this
is
fine
and
we'll
just
figure
it
out
as
we
go
like
that's
another
option,
but
I
would
just
like
to
have
like
a
story
that
I
could
that
we
could
be
using
like
all
in
alignment
there
is
in
terms
of
salsa
and
Fresca
and
how
these
play
nicely
together.
So
that's
just
my
my
thoughts
on
that.
C
B
Do
want
to
say
we
are
meeting
with
the
end
users
end
users,
working
group
tomorrow
and
I,
know
and
I
know.
John
is
he's
super
healthy.
He's
super
excited
about
this
framework
as
well.
I,
I'm,
I'm,
not
I'm,
not
sure.
If
there's
like
a
some
type
of
a
bidding
war,
or
something
like
that
is
there
might
be
so
so
I'd
be
remiss
if
I
didn't
say
he's
interested
as
well.
C
Minute
yeah
I'm
strongly
in
favor
of
actually
keeping
it
in
this
working
group,
because
that
keeps
us
aligned
with
salsa
very
nicely
like
as
Isaac
was
saying.
We
want
these
two
parts
to
work
together
for
that
kind
of
alignment.
It's
very
important
to
be
in
one
working
group
where
there
are
the
members
who
can
discuss
that
alignment
and
there
are
similar
supply
chain.
Things
like
walk
is
coming
too,
so
it
will
be
very
nice
to
have
these
all
aligned
together
and
get
the
story
right.
So
we
are
very
excited
about
the
collaboration.
G
I,
lead
the
supply
chain
team
and
it's
our
job
to
be
scenario,
owners
and
think
about
the
end
to
end.
And
then
we
partner
with
all
the
different
pieces
that
make
up
the
supply
chain
and
so
because
we
think
about
the
end
to
end.
We
can
see
how
different
things
need
to
connect
and
interact
and
I.
Don't
know
if
you've
thought
about
like
how
you
scope
out
your
your
different
working
groups
and
how
it
all
fits
together.
But
I
just
wanted
to
share
that
for
comparison
purposes.
I
Yeah,
that's
actually
been
an
open
question
in
a
lot
of
the
open,
ssf
stuff.
Like
you
know,
for
example,
where
does
end
user
start
and
end
versus
like
but
end
user
stuff
is
also
interested
in
supply
chain.
So
it's
it's
almost
like.
We
need
I,
don't
know
a
inter
a
a
self-interoperability,
an
open,
ssf,
interoperability,
working
group
or
something
but
yeah.
I
That
I
think
we're
we're
we're
trying
to
kind
of
figure
out
because,
like
as
you
can
probably
imagine
right,
there
there's
different
groups
that
are
making
tools
that
also
integrate
with
salsa
but
they're,
not
part
of
salsa
working
group
itself
or
the
supply
chain
working
group,
and
then
there
are
tools
that
are
part
of
some
of
these
other
working
groups.
That
are
not
really.
I
B
B
That
being
said,
if
any
working
group
wants
to
take
a
vote
and
say
yeah,
let's
bring
it
in
here
and
it
gets
ingested
and
now
and
it
gets
brought
in
and
now
it's
actively
being
worked
on
in
this
working
group
and
in
a
sync
could
be
spilled
off
with
it.
That's
just
all
for
the
better,
as
as
we
begin
to
have
these
more
impactful
conversations.
B
Otherwise
it's
still
it's
still
flapping
in
the
winds
and
we're
still
going
to
have
Community
meetings.
We're
still
going
to
have
technical
means.
We're
still
going
to
do
this
open
but
having
it
in
the
openness
and
stuff
and
being
worked
on
in
the
open
ssf
towards
the
the
objective
is
the
desired
state.
So
you
know
whatever
gets
us
there
excellent,
but
you
know
just
just
one
that
want
to
level
set
with
that.
D
Cool
yeah
I
mean
there's
attack
stuff
too
so
I
think
there's
a
bunch
of
different
Avenues.
We
can
look
at
or
you
can.
You
can
look
at
like
the
incubating
I
I,
don't
even
know
where
the
tech
is
so
I'm.
Not
even
gonna
try
to
try
to
make
stuff
up
here,
but
there
is
a
process
for
even
just
new
projects.
I
don't
know
if
it
needs
a
home,
a
working
group
home
right
off
the
bat.
If
there's
other
ways
other
things
we
can
do
here
so.