From YouTube: Supply Chain Integrity WG (September 14, 2022)

E
But it's a beautiful day in Northern Virginia, so please vicariously enjoy the day, I guess.

E
Not so much here yet; that comes later. It's probably already starting in New England, but it's still what I call thermostat weather for those on Fahrenheit: around 68 degrees Fahrenheit, basically where you set your room temperature if you want to be comfy.

D
All righty, so we've got just the one item on the agenda today. Just before we get started, anyone new want to say hello, introduce yourself?
C
Yeah, I've been to a few of the other OpenSSF groups, but yeah, I'm excited to see the demo today.

D
Yeah, just historically this working group has been full of really good presentations and fostering a lot of good discussions around software supply chain integrity. So if you do have a presentation or a topic you want to discuss, yeah, please feel free to add it to a future agenda, and then we will definitely let you take the stage and present and talk and teach us all things. And yeah, just a reminder for new folks too.

D
This working group is part of the OpenSSF, and these meetings are recorded and uploaded to YouTube at some point in the future, when we remember. I think it happens automatically now; we got someone helping us out, so yeah. So with that, today, how are you doing, Adrian? Do you want to take the stage?
B
Thank you very much, Kim. Yes, so here we are, and I didn't introduce myself earlier. This is not the first time I've attended this working group meeting, and sometimes I have to sit back and listen and other times I might chime in, so I'm not necessarily new. As a matter of fact, I weave in and out of all the working group meetings across the OpenSSF, up to and including the TAC. I mean, I'm trying to get as involved as possible.

B
All that being said, I do work for Microsoft and I do evangelize bringing a lot of the good work that's happening in Microsoft into the open, where I think a lot of this work belongs, up to and including what Adrian and I are here to present today. And I'm waiting on Adrian to go ahead; I think he's here, I'm not sure. Anyway.

B
What we're presenting today is what's been developed by Adrian and his team, now in One Engineering Services here in Microsoft, and it's the open source software supply chain security framework. This framework is consumer-focused and really does drill down into a lot of the issues around supply chain, focusing on ingestion, and that's really a huge item.

B
That's not really focused on in a lot of the other frameworks that you see today, and what we do plan on discussing, along with the framework itself, is how it balances and bridges over to the other frameworks we're discussing here in the OpenSSF, such as SLSA and other frameworks like that. So look, as we're talking,

B
please look at this not as competition but as a bridge, and as something that, if we do this correctly, we can have both of these documents built and improved such that they can both go hand in hand to help both the producers of builds and then, of course, the consumers of those builds and organizations. So I'll pause there. David has a question. What you got, David? Yeah.
E
So I'm looking forward to the presentation, of course; I've heard your previous one. So I guess it is my thinking, but maybe I'm misunderstanding things: is Microsoft considering contributing this to be part of the OpenSSF, and if so, then the OpenSSF has to decide whether or not they want to take that on, and if so, which working group.

E
So if that's part of the discussion, then it's probably helpful to know that in advance before the presentation goes. Jay, you're probably the best person to answer that question. Absolutely.
B
That is the desired approach, so I'll start with what the aspirational end is and then we'll do what I like to refer to as Tarantinoing it, right, with Tarantino, all right. The aspirational end is to have maybe some type of ISO, some type of NIST, and then maybe some type of ISO standard.

B
When you consider ISO, a dash-one and a dash-two, let's think about it, right: that's one being a producer-focused framework or consumer reporting. Yeah, you could do one or the other; good swinging edge, whichever way you want. But that's one being producer focused, that's two being consumer focused, but ultimately being something

B
that's industry recognized as secure supply chain frameworks, that's complete in its construction, complete in its build, and then the way that it's continuously improved through organizations such as the one we're in right now, OpenSSF, right, because this is the place where there's a place to do that. Now, Tarantinoing it:

B
how do we get there? First by having this brought into the open, into the OpenSSF itself, being worked inside of the OpenSSF itself, and we're proposing it not only here in the secure supply chain working group, but we're proposing it to the end users working group tomorrow, and we proposed it already to the best practices working group. The idea is for all three of these working groups together, and this is me talking now, I, you know, far beer.

B
Today, SLSA has been off into SIGs, and then there's a positioning SIG, a specification SIG, a tooling SIG, and that's no different in what can happen with this, with the exception that we're bringing it in and we're saying: hey, okay, Mark, when these working groups take it, a couple other working groups get in and dig in.

B
Let's build SIGs, and then let's build both of these out together side by side, because you can't talk about one successfully if you're not talking about the other. And then, my honest opinion, this is me talking: a lot of the conversations that we're having, both within SLSA, because I'm in all those meetings too, and then a lot of the stuff that we're talking about when it comes to this consumer-focused framework and secure supply chain framework.

B
A lot of the difficulty that we're having is because we know the missing pieces and we're talking about them actively, but we're not bringing together the information that we already have in place to fill those gaps. We can fill those gaps with this, because now we can talk about these together in parallel, bridging the two together, one and another. Go ahead, David. Okay.
E
And a quick response: actually, I'm pretty sure you already know this, but for those of you who don't, the Linux Foundation is actually an ISO PAS submitter. So if there's a specification and there's a desire to submit it to ISO and make it an ISO standard, there are actually mechanisms in place to do that. We can talk about that, but step one is to have the conversation here, you know: is this something they want to contribute to OpenSSF? Is this something OpenSSF wants to pick up?

B
Yeah, what we got, Disney World for that, and of course, if it ends up happening, David, Disney World's on me, all right. We got Adrian just popped in, and that's excellent and perfect timing. Adrian, I warmed them up for us. Please go ahead and take it away. Yeah.
G
I also just wanted to double down on that comment about making it an ISO standard. My understanding is that the license that we chose that's in the GitHub repo, the Community Specification License, was actually designed with that in mind, so that these can be more easily contributed up to ISO to be made into a standard.

G
So I just wanted to point that out, but yes, I'm here with Jay. I can help provide an overview of the OSS secure supply chain framework.

G
The way that we've organized it is, we start at a very high level and then we get further and further down into specifics. So at the high level we have a solution-agnostic set of practices, eight different practices.

G
These are things that can be applied to numerous different scenarios, because different open source ecosystems have different consumption nuances. From there, we also then describe the set of requirements, and these requirements map to those eight high-level practices.

G
Then we've developed this list of requirements based on real-world open source supply chain threats.

G
I think we've all seen the industry report from Sonatype in 2021 citing that there's been a 650 percent year-over-year increase in attacks that are specifically targeting open source, so making sure that we are configuring ourselves to securely consume them is paramount, because I think there's another report out there that says 90 percent of all software today consumes open source, and so open source is a critical piece of every software development team's and organization's supply chain.

G
So we've analyzed this set of real-world threats. We have links to the articles that describe these threats, and then we map and say these are our requirements that mitigate against these threats.

G
Those, in simple terms, are: inventory your OSS, scan it for vulnerabilities, and keep it up to date to patch the vulnerabilities. That's basically our maturity level one, right; that's kind of like the bare minimum. That's where I would say a large majority of organizations and teams across the world are, because they haven't had any guidance to improve their governance programs. So, level two.

G
The theme for level two is all about helping you patch faster, improve your mean time to remediation, so we've implemented requirements such as, you know...

G
By adopting those types of capabilities you are helping your developers patch faster than the adversary can act, because we've seen, also mentioned in one of the Sonatype State of the Supply Chain reports, that the Assault stack had publicly disclosed a vulnerability the same day that they made a patch available, and it only took adversaries three days to craft an exploit and start actively exploiting against the vulnerability, and because organizations and teams take a long time to patch their systems,

G
even though a patch was available, they were getting actively exploited. And so we need to start adopting tools and technologies to patch faster than the adversary can operate. Level three starts moving us into malicious protection. There have been lots of compromised open source, there have been lots of new threat vectors such as dependency confusion, and organizations and teams need to start to develop technologies that can start to evaluate and protect themselves from consuming open source that may be malicious or compromised. And level four is largely aspirational.

G
This is, I would say, reserved for open source that you deem like a critical dependency inside one of your critical applications, and it has to deal with, you know, cloning a local copy of the repo so that you could potentially even rebuild it yourself if you needed to, proactively scanning it for unknown vulnerabilities that aren't disclosed today, and having the capabilities in place to contribute those fixes back upstream if you so needed.

G
If the vulnerability you discovered was so severe, you could, you know, fix it yourself temporarily to mitigate against the risk

G
while you confidentially coordinate with the upstream maintainer on implementing a public fix for everybody. And then the guide also has a questionnaire for organizations to interview their developers to understand where they are on their journey through the maturity model. And we also have mapped our set of requirements to six other secure supply chain specifications, just to show the traceability across.
E
You are open to adjustments. I think several people have complained about your definition of open source software; I know you've heard them before. Yeah, I don't actually mean to beat on you with that. It's just, but I mean, I don't think that that subverts the document at all. It's just, hey, there's some things that I know people here would like to comment on, but you're willing to make some adjustments based on community feedback. Is that fair?
B
That is the intention, yeah. I want to reiterate we're bringing this into the open. Adrian posted the GitHub repo here. Submit your, no, we have it both in PDF and in markdown.

B
You know, read it, submit your improvements to it, submit your thoughts around it. We actively want to improve this for the better, for the community, for the industry at large, as I said before. So this is something that everyone can get their hands on, sink their teeth into, and really build up. Isaac, you got a question?
H
Yeah, I got a couple of questions. Actually, my first observation is thank you for bringing this. I think it's a really solid set of practices. I mean, you know, I looked at this and others looked at it internally at Google, and we're kind of nodding along with it as a set of best practices for ingesting open source dependencies.

H
I think it's articulated very well in those terms. One question I have is about the overall intent and scope. Actually, let me start with one simple question at the top of the tree there: do you imagine this framework as being applicable to organizations or to artifacts? I mean, should I conceptualize this as, hey,

H
my organization is at level three of SSC with respect to how we manage open source, or should I conceptualize this as: this artifact which I produced, its dependencies were managed in conformance with OSS SSC? And so should I think of this as organization oriented or artifact oriented, or is it both?
G
If I were to share a little bit of my vision, I absolutely imagine a future where organizations claim, you know, level three conformance to the framework, and I think there are certain requirements that can't really be done on a per-repo level. It kind of needs to be done on a larger team or organization level, for, like, proper disaster recovery planning, like, yeah.

G
So yeah, there are, I would say, a couple, a small...
H
And so it sounds with that that I can think of it kind of like a maturity model for an organization, or a transformation framework for an organization who's getting started on this journey, and they're going to progress as an organization through these levels, and it's not necessarily the case that, you know, an individual artifact, if I have an attestation about OSS SSC conformance, that that makes sense. The other question I had was just about the name.

H
The way I mean, I think the way the document describes this and the way you've described it, you know, is around your open source dependency ingestion or dependency management.
B
Well, so, well, Adrian, because I mentioned this earlier, right, so aspirationally, right, thinking about what we have currently, most secure supply chain frameworks are very producer-focused; we're taking the consumer-focused angle to this. All represent a secure supply chain when brought together. You have one element that focuses on one end of the spectrum around the supply chain; we're bringing this all the way back to the point of, hey, this is how a company would ingest.

B
So when you combine these together, right, when you bridge them together and you march them forward, producer focus and consumer focus, you have a complete secure supply chain framework, both representing secure supply chain from one end or the other. The desired and aspirational goal would be to have these work in parallel. So to change the name, we could, right, by itself.
H
Yeah, no, I agree with that, and I think, I mean, that speaks to where I was going to go next, which is, you know, overall I think the OpenSSF needs to have clarity with the way it presents, you know, supply chain security frameworks, and we kind of thought to have two of them, right. We can't afford to have people go...

H
My question was really about, you know, the name of this thing suggests supply chain broadly; the text of the specification suggests dependency management more narrowly, and so I was just trying to understand how those two fit together. I mean, what you said makes complete sense in terms of, hey, look, we need to think about a supply chain holistically; you can't just address one part. I definitely agree with that, and so I think, you know,

H
if the OpenSSF would, you know, adopt this or begin to incubate this further, I think figuring out, you know, how do we position ourselves alongside it so it's not confusing, so people don't come away with the impression that, hey, there are two competing or two separate supply chain frameworks within the OpenSSF. We really want to explain that, you know, no, no, no, there's just one; there's different elements of supply chain security and these sub-frameworks speak to those different aspects. If that makes sense.
B
So that makes perfect sense, and the one caveat to this is to bring it into the OpenSSF so that we can further those kinds of discussions, right, and as we throw them along and as it evolves, it could evolve to whatever it's going to be. What I also want to bring in is the difference between a security framework and a compliance requirement, right, and understanding that there's some elements of this that could become compliance driven, where you do have attestations, you do have artifacts.

B
You do have third parties that are coming in providing certification, and then you just have something that's designed to create a secure, that reinforces secure architecture and secure infrastructure, secure architecture around secure supply chain, and I think we have the possibility, with the work that we could do together,

B
we could really provide that one-two punch. SLSA itself is being poised and positioned; the ongoing conversations, I think, right now, one of the biggest ones, and this is just my opinion and what I hear, is the ebb and flow between: is this a compliance requirement versus a security framework, right? We're talking about attestations, we're talking about artifacts, but then we're also talking about tools that are being used to put controls in place to provide that kind of information.

B
We actually have a set of controls that could be put in place to secure your supply chain environment on the ingestion side, and then going into, you know, as you collapse them both into the middle, right, so one could be security and architecture driven, the other one can be a compliance requirement that attests to those controls being in place. Once both of these items, let's just say SLSA and the SSC together, are further developed openly, like where we want to do here, they could be developed and improved such that those gaps can be filled as you continue to bridge on into the middle.

B
If that makes sense. Like I said, a lot of the stuff is aspirational. I get excited about it and so does Adrian, right, and then so the excitement is there to see if we can't bring this in. But these conversations are the ones that need to be had once it's in, you know, as we're doing now, to reinforce these ideas and bring them both up.
H
No, I think you're right, and I share your excitement, honestly, I do, and I think that there's a lot that we could do here working together in this space. I guess, you know, at a high level, and potentially precisely in this working group, I think it would be great to form a collective

H
consensus around the map of the problem domain and how these various things that we have today map into that in a non-overlapping way, because, you know, already we've got SLSA, we've got FRSCA, we've got GUAC, we've got, you know, Sigstore, and someone showing up at the OpenSSF today could be forgiven for being very confused on day

H
one, and I think if we add another we risk adding to that. And that's not to say, no, no, we shouldn't add another; it's more to say, yeah, let's bring in these new capabilities, but let's also make sure that they're all positioned correctly and we can tell a great story about how they fit together, because it is a confusing space today already, and at the OpenSSF, having these various frameworks with various acronyms. There's also the CNCF, there's also a bunch of government bodies, coming out of those things.

H
There's this coming out, the SSDF, and it's a confusing acronym soup, so I think it's incumbent upon the OpenSSF to, you know, frame, you know, describe the problem domain and how our solutions map into that problem domain in a natural way, and I would, you know, personally I'd love to see, you know, joint work on that, and I see SSC and SLSA solving separate problems in this that we can work together on.
A
Monopolizing the conversation is my job, so, you know, watch out. I'll be saying, if you're into competitive practice, yeah. So I would say, if I put on my end user hat, the thing I really like about SLSA is that the scope is limited. I really like your frame, Isaac, that it's about artifacts and information that attends and attaches to artifacts. I think there is definitely room for complementary practices,

A
you know, methods, controls if you like, and it would be useful to have something, particularly because that will prevent the sprawl of SLSA. There is an ongoing tension between what SLSA sort of started out as and what folks are worried about, you know, like, oh, it doesn't cover this and it doesn't cover that. So I would be happy with, you know, an allied framework that takes that pressure off and allows SLSA to stick to its knitting.

A
So yeah, we've all had a good time discussing alternative names. I think it basically comes down to: do you want your puns to be about Latin dance or do you want them to be about food, because salsa leaves either way.
B
So he and I are both in those meetings, and that's kind of what I was alluding to earlier: that the scope of SLSA is getting kind of lost around what gaps are not being covered per its current scope, and I think the current scope is sound. I think the SLSA scope is phenomenal; if we do not go beyond that and just basically say, hey, that's out of scope for this, good, we have something that we could provide that's in scope for that. Let's bridge them together and improve them together.
D
Jay and Adrian, thanks for the presentation. Any other questions, comments? I was gonna chime in a little bit. Okay, go
F
ahead, Mark. Yeah, I just have a quick question on the leveling system that's in the proposal right now. Are you anticipating that each level, I know you're just a little bit at the beginning, but that each level provides a particular kind of guarantee, like level one provides this, level two provides that, level three provides that? Or is it more of a guidance of: we think most organizations are going to want to go in this order, and level one is like the low-hanging fruit, and level...
G
...how to help people claim compliance to just one so that they can, you know, be able to make that claim. We want that claim to be, you know, there's, I'd love to see this being adopted and find a way to be able to measure that people are claiming compliance to these things.

G
Maybe there's some sort of, like, a best practice badge that people can earn once they've proven that they've met certain controls, or something to that effect, but I think I'm slightly getting off the course of your question, which is, like, does it provide a particular guarantee?
F
No, I think maybe, well, I guess I'm happy, but actually you got to the root of my question, which is that it sounds like you're intending this as not just, like I said, the best practice that an organization could do, but rather this is something that they would claim externally.

G
Okay, thanks. That's my personal vision, yes.
I
So that was actually going to be, I think, related to my question, which was: I don't know if you have this yet, but I know one of the things I would love to see is just, like, maybe a demo, even if it's, you know, a contrived example, of what those claims could actually look like, so that, hey, as an end user, if I want to tell folks, yeah, no, you can trust my org because we're doing the right things.
G
Yeah, you bring up a great point. I know that that's the type of thing that SLSA is working on, is, you know, using in-toto attestations to claim conformance to a particular requirement, and we can start to explore that going forward, how to write up example attestations in that format. I think that would be good, you know, now that we've got these community meetings.

G
Those are things we can add to our backlog to try to work down and talk about in upcoming syncs.
B
I want to say I don't have it in front of me right now either, so please, they're held on Monday and Tuesday, I believe at the third, so the third Monday of the month and the last Tuesday of the month. It's some combination that I'll have in front of me, but all are welcome; they're on the OpenSSF calendar, right, so that they can all be attended.

B
Then, of course, if one of the working groups decides to pick it up as an incubation and we work on it, then a SIG for this can get opened up as well, and then, you know, those meetings would be on the calendar and all can attend those, and we can all work on it together that way as well. So yeah.
B
No, no, we have, as a matter of fact, if I pull up the notes, who do we have? The last meeting we had, we...

G
believe CRob owes us one; he says he's, you know, done the old school, you know, redlining of a printout of our guide and he needs to convert that into a PR. If I come down to our attendance, yeah, we had Wipro, Gen 2, Intel, Linux Foundation, Astrotech and Google attend. I think we had a total of eight different organizations attend our inaugural kickoff.
D
Cool, yeah, thanks for the presentation and the overview. I think from my side, as one of the working group chairs here, I think a couple of next steps that I kind of came up with is maybe present this to the SLSA group as well, and we can sort of talk about what that could

D
look like. I mean, I'm mostly concerned about the comments that other people brought up about how we position this against SLSA and make sure we're not confusing the world, but I do think, to Jacques' point, I think it would be great to have, like, a complementary framework that fills in the gaps that, like, SLSA, you know, are a bit out of scope for SLSA right now, and I think that could be a really great story. So yeah, I think for next steps,

D
maybe if we can dig a little bit deeper on that and cover sort of how they can complement each other. It might be in the repo; I haven't looked at it. It would be good next steps, at least for this working group. I mean, I know, you know, even the whole process of, like, the foundation and the stuff at the TAC level is still kind of getting shaken out.

D
You know, as complementary would be a good place to start, so that's just kind of my two cents quickly based on what I learned today. Does anyone else have any kind of opinions on next steps or, like, that idea, including yourself?
G
Kim, would it help, like, let's just assume for a moment OpenSSF did take this on, would it help if we made references to the SLSA framework and said, like, this is where the SLSA framework comes in, and we could kind of have references from one to the other, kind of a thing? I don't know.
D
An open conversation with the folks that are more active, I mean we have some of them on the call now, active in the SLSA thing, just to help kind of land this well, because, like Jacques was saying, there is an active discussion there around scope, and at the end of the day, for me, like, any framework that's improving supply chain security is great with me.

D
I just want to see frameworks that actually can be used, so I think, to Mike's point, having, like, some demos of what this could actually look like end to end could be super helpful as we're kind of looking at this. It doesn't have to be complete or anything, but just so folks can sort of wrap their heads around how this would work in practice and how people are supposed to use it. I think that would be super helpful.
B
Yeah, I can actually see a great conversation stemming from first hitting a presentation in the bi-weekly, and Mike, this is something that, because I know you're active in that as well, the bi-weekly meeting, and then maybe heading off into the positioning meeting right after that to kind of position both frameworks together, or figure out

B
what that looks like, and then off to the specification meeting to see where there are parallels that can be bridged from one to the other. I mean, if that ends up being the desired state, I can absolutely see the fruit of that labor. Absolutely.
I
So yeah, I think I agree with a lot of the comments there. I think one of the things that's kind of coming to mind, which is slightly orthogonal to this, but, and this is maybe a question for folks like David Wheeler and other folks who are kind of looking at a lot of the stuff on the OpenSSF

I
more broadly, is, like, do we have, in any of the stuff from the OpenSSF, like a higher-level view on what are all the components of open source security and supply chain security and all that sort of stuff, so that when we look at all the different pieces we can better, and I know this was kind of a question we had early on on SLSA last year, and I don't know if things have shifted, but I know it was like a big open question of, like, hey,

I
you know, if we had something like a landscape, right, where, you know, we have like this arrow, you know, these sorts of tools feed into these sorts of frameworks, these sorts of frameworks lead into these other sorts of processes, whatever,

I
you know, where, for example, you know, SLSA starts and ends, where SSC starts and ends, and so on, so that we can kind of go and look and see, like, okay, yeah, SSC is the framework, and do we have tools that, like, easily integrate in there, and then it would help us kind of build that story out. And to be clear, I don't think that's necessarily something on the SSC folks to figure out.

I
You know, this is a fairly common problem that we're seeing, as somebody does show off something really good like this and we're like, actually, we're not exactly sure how this fits in, and we just need to have a better idea of, like, that big picture so that we go, we know, oh, it fits in right here.
B
You know what, John Meadows has a fantastic diagram of end-to-end supply chain. I'm talking about all the way from, you know, on one end, where you're, you know, your ingestion, you have the other end where you're on the build side. It's fantastic. It's huge, and I think that, with a little bit of polish, we could kind of take the frameworks and overlay them and go from one end of that

B
spectrum, start on one end of that spectrum with SLSA, start on the other end of that spectrum with the SSC, and kind of find our way into the middle. It was that fantastic when he showed it to me. So I think, if we have something like that and we can overlay them, and then with a little bit of polish from the people on this team, the best practices team, and the end users team, we can come together and kind of build that mapping.
B
E
Ahead, David. Yeah, just quickly: I actually, a while back, did create... I took the SLSA diagram and then tried to place where different projects fit in. Some of you may have seen that. I did that with both the OpenSSF projects and the projects not within the OpenSSF. I mean, you know, by no means perfect, but at least it is an early attempt to try to figure out, hey, where do things fit? Chrome has been doing some of that work, and Jay, I did not catch the name of that person that...
A
He's the, yeah.
E
So I actually, I don't want us to go before... okay, so first of all, I do want to thank, I'm sure everybody's gonna thank, Microsoft for developing this and sharing. I mean, I guess I'm gonna appeal to... I don't think we need to take a vote today, but I think we at some point need to figure out, hey, is this something we want to bring into the OpenSSF? I think there's been a lot of interest in doing that, and then where. And I don't... I think the problem of how do you scope out different things, I don't think we have to resolve it all to get started. In fact, I would say that that would be part of the process, is working out how... it's much easier to work out things together when we're all talking to each other. And, okay.
H
I was just going to agree as well. I'm inclined to agree with that. I think, you know, bringing it in and then figuring out how we do this kind of mapping into the problem domain, and then kind of this relative position of the OpenSSF framework offerings, and that could, you know, that could be work that we do once we bring this in.
D
No, we don't care, you know, how it relates, and this is fine and we'll just figure it out as we go. Like, that's another option, but I would just like to have, like, a story that we could be using, like, all in alignment there, in terms of SLSA and Fresca and how these play nicely together. So that's just my thoughts on that.
B
I do want to say we are meeting with the end users working group tomorrow, and I know John is, he's super healthy, he's super excited about this framework as well. I'm not sure if there's, like, some type of a bidding war or something like that. Is there? There might be. So I'd be remiss if I didn't say he's interested as well.

Trying to show this, like I said, it doesn't matter where it comes in, as long as all the three working groups I've mentioned, best practices, this working group and then the end users working group... I do see enough meat on this bone, and not just on this framework, on SLSA as well. I see enough meat on both of those bones for all three of these working groups to jump in on and have a hand in, to help improve it and bring it out to the industry at large. I think Jacques had a hand up; he's been waiting for a minute.
C
Yeah, I'm strongly in favor of actually keeping it in this working group, because that keeps us aligned with SLSA very nicely. Like, as Isaac was saying, we want these two parts to work together. For that kind of alignment it's very important to be in one working group where there are the members who can discuss that alignment, and there are similar supply chain things like walk coming too, so it will be very nice to have these all aligned together and get the story right. So we are very excited about the collaboration.
G
I hope I'm not stepping out of my swim lane here. I'm new, and you all have been at this for a while. I just wanted to share how Microsoft has internally organized ourselves when we think about supply chain.

I lead the supply chain team, and it's our job to be scenario owners and think about the end to end. And then we partner with all the different pieces that make up the supply chain, and so, because we think about the end to end, we can see how different things need to connect and interact. And I don't know if you've thought about, like, how you scope out your different working groups and how it all fits together, but I just wanted to share that for comparison purposes.
I
Yeah, that's actually been an open question in a lot of the OpenSSF stuff. Like, you know, for example, where does end user start and end, versus, like... but end user stuff is also interested in supply chain. So it's almost like we need, I don't know, a self-interoperability, an OpenSSF interoperability working group or something. But yeah.

No, I think that what you brought up there is kind of like a huge concern for us as well. Yeah, Jacques pointed out matrix management. Yeah, there's a lot of stuff there that I think we're trying to kind of figure out, because, like, as you can probably imagine, right, there's different groups that are making tools that also integrate with SLSA but they're not part of the SLSA working group itself or the supply chain working group, and then there are tools that are part of some of these other working groups that are not really... you know, rather, yeah, there's a lot of overlap here, and I think it's... I don't know if we have an answer on how to make that a little bit more organized, because I do agree that it is a bit of a mess.
D
Well, let's have some of the conversations, at least in terms of this working group, like have a couple of these conversations with more of the SLSA folks and maybe a more pointed discussion on just how we can talk about these things together.

If that's of interest to you, Jay and Adrian, you mentioned some of the meetings that I think would be good places for that, the positioning one and the specification one, if you're open to that. And yeah, I would love to see this kind of come together, and even under this working group, if we're a contender in the bidding race, yeah.
B
Well, well, you know, I will say, I mean, I can't stop... I won't say I can't stop. I'll say it this way: I'm with David on this, selfish reasons or not, I'm with David on this. The sooner we get it in, the faster we can begin, and/or the more impactful.

That being said, if any working group wants to take a vote and say, yeah, let's bring it in here, and it gets ingested, it gets brought in and now it's actively being worked on in this working group, and a SIG could be spun off with it, that's just all for the better, as we begin to have these more impactful conversations.

Otherwise it's still flapping in the wind, and we're still going to have community meetings, we're still going to have technical meetings, we're still going to do this in the open, but having it in the OpenSSF and being worked on in the OpenSSF towards the objective is the desired state. So, you know, whatever gets us there, excellent, but, you know, I just wanted to level set with that.
D
Cool, yeah. I mean, there's TAC stuff too, so I think there's a bunch of different avenues we can look at. Or you can look at, like, the incubating... I don't even know where the TAC is, so I'm not even gonna try to make stuff up here, but there is a process for even just new projects. I don't know if it needs a home, a working group home, right off the bat, if there's other ways, other things we can do here. So.
B
Obviously, we'll have a good... and David too will have a...