►
From YouTube: Supply Chain Integrity WG (June 21, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
A
D
B
B
So,
just
as
a
reminder,
this
meeting
is
being
recorded,
it'll
be
uploaded
to
YouTube
shortly
after,
and
your
participation
in
this
meeting
is
an
agreement
to
abide
by
the
open,
ssf
code
of
conduct
before
getting
into
the
agenda
before
getting
into
the
agenda.
Is
there
anybody
new
to
the
group
who
would
like
to
introduce
themselves.
B
Only
one
item
on
the
agenda
today,
at
least
as
far
as
I,
can
see
on
the
meeting
notes,
if
folks
have
other
things
they
want
to
add
on.
You
know,
we
have
a
fairly
open
agenda
today,
but
the
one
thing
I
just
wanted
to
kind
of
bring
up,
so
the
this
is
from
for
guac.
This
is
from
the
attack,
so
the
maintainers
of
the
creators
and
maintainers
of
guac.
B
B
Just
about
a
year
now-
and
we
have
a
an
initial
beta
out-
and
we
based
on
discussion
from
the
maintainers,
we
decided
to
contribute-
or
we
decided
to
talk
about
contributing
guac
to
the
open,
ssf
and
largely
the
attack
was
very
receptive
of
of
accepting
guac.
There's
a
lot
more
details
about
some
of
the
things
in
there
like
a
potential
Public
Service
database
or
for
open
source
and
stuff
like
that,
as
well
as
what
exact
level
it
falls
under
the
open,
ssf
governance.
B
Sorry,
the
open,
ssf
maturity
project
maturity.
So
it's
a
little
unclear
if
we're
incubating
or
sandbox
that
sort
of
details
will
get
sorted
out,
but
one
of
the
things
that
we
were
looking
at
as
well
was
I
know.
We
had
discussed
this
previously
with
the
group
like
if
there
was
interest,
would
this
group
be
open
to
sponsoring
I
know
that
there
was
some
initial
sort
of
interest
in
that
and
so
I
don't
think
we
have
enough
folks
today
to
just
kind
of
make
that
official.
B
But
this
is
actually
let's
take
a
step
back.
This
is
actually
one
of
the
I'm
going
to
be
opening
up
a
GitHub
issue
about
the
open,
ssf
governance.
There
is
seems
to
be
some
confusion
on
exactly
also
one
second,
so
they
should
just
be
the
one
meeting
note
stock.
The
positioning
one
is
not
the
the
the
correct
one.
It
should
just
be
the
this
dock
here.
B
If
there
is
a
second
copy
or
if
there's
something
that
is
yeah
it
should
it
should
be
that
one,
but
anyway,
the
the
one
of
the
things
that's
a
little
confusing
is
the
tag
governance.
Oh
sorry,
the
sorry,
the
Pac
governance
says
that
you
should
go
to
the
attack
first
and
it
needs
to
be
accepted
to
the
attack
before
getting
sponsorship
from
other
groups,
but
tax
sponsor,
but
the
the
actual
application
process
asks
which
which
working
group
would
sponsor
your
project.
B
So
it
seems
like
a
catch-22:
it's
like
I,
I,
I,
can't
say
who's
going
to
sponsor
it.
If
it's
not
accepted
yet
and
I
can't
you
know
so
so
there's
some
confusion
there
largely
it
seems
like
the
idea
would
be
right
now
at
least
we
probably
get
accepted,
and
then
we
come
to
the
attack
just
to
cut
sorry.
We
come
to
this
group
to
say:
hey,
do
you
want
a
sponsor
and
we
kind
of
have
a
vote
there?
Andrew.
C
Yeah
I
had
a
question.
Well,
one
I
didn't
realize
that
guac
wasn't
already
part
of
open
ssf,
but,
as
part
of
this,
this
whole
process
to
get
guac
into
open,
ssf
and
looking
for
sponsorship.
What
does
the
entire?
What
does
this
process
look
like
for
for
tools,
projects?
What
not
to
become
part
of
openness?
What
does
it
mean?
You
said
that
levels
incubating
sandbox
I
mean
I'm
familiar
with
some
of
these
Concepts
from
cncf,
but
like
I
I,
don't
I,
don't
know
what
it
means
in
relation
to
open
ssf.
B
B
So
to
take
a
step
back
before
I
answered
that
question
I'm
going
to
go
into
a
slightly,
hopefully
short,
tangent
here,
so
open,
ssf's
Charter
is
very
different
than
cncfs,
so
cncf
has
a
ton
of
projects.
Often
these
projects
are
are
brought
like
they're
contributed
to
cncf,
but
they're
coming
from
vendors.
Who
are
you
know,
selling
Enterprise
versions
of
you
know
these
pieces
of
software?
B
So
if
you
look
at
you
know
a
lot
of
stuff,
there's
different
service
meshes
and
different
policy
engines
and
all
those
things
are
often
backed
by
companies
or
other
large
organizations
like
you
know,
universities.
So
it's
usually
you
know
incubated
and
then
kind
of
brought
in
open.
Ssf
kinda
has
been
a
little
bit
different,
mostly
focused
traditionally
on
stuff,
like
standards
or
you
know,
specifications
those
sorts
of
things
so
stalsa,
S2
c2f,
and
that's
not
to
say
that
there
aren't
tools
related
to
those
things.
B
So,
for
example,
you
know
scorecard
itself
is
actually
more
of
a
specification
and
then
it
just
happens.
We
also
have
the
implementation
of
scorecard,
but
you
can
Implement
scorecard
yourself,
so
that
kind
of
has
that's
starting
to
change
a
little
bit
as
we
try
to
do
a
little
bit
more
right.
So
if
you
look
at
something
like
six
store,
six
door
is
a
giant
project
with
a
lot
of
different
things
in
it,
and
it's
probably
one
of
the
things.
That's
most,
you
know
it
it.
B
B
Some
ambiguity
is
still
in
there,
that's
being
sorted
out,
but
largely
the
idea
is
if
you
want
to
go
and
contribute
something,
a
project,
the
way
that
it's,
the
the
the
the
rules,
as
as
they
are
written
the
law,
as
it
is
written
states
that
what
you
do
is
you
you
open
up
a
pull
request
into
the
attack
with
some
details
and
the
issues
I
have
in
here.
I.
B
So
this
whoops,
so
the
main
things
are
the
application,
looks
something
like
this
and
there
is
a
template
for
it.
But
the
basic
idea
is
list
of
project
maintainers.
There's
some
requirements
like
you
can't
just
be
a
single:
they
can't
just
be
a
single
company
or
a
single
organization,
that's
contributing
it
must
have
a
plurality
or
it
must
at
least
have
two
in.
In
our
case.
You
know
this
was
a
collaboration
between
kusari,
Google,
Purdue
and
City.
B
The
mission
of
it
needs
to
have
a
mission
of
the
project.
The
mission
of
the
project
should
think
up,
at
least
with
attack.
Sorry,
with
the
openness
of
Charter
in
the
least
and
then
should
also
fall
under
eventually
should
fall
under
a
working
group
as
long
as
it's
not
a
top
level
project
in
the
open,
ssf
and
exactly
what
would
fall
under
a
top
level
project
versus
what
should
always
fall
under
a
working
group
is
a
little
unclear
if
there
is
Project
adoption,
it
should
be
listed
here.
B
A
B
And
then
IP
policy
and
Licensing
due
diligence,
so
this
is
something
that
I
have
the
other
issue.
That's
in
there
179
is
essentially
a
an
open
issue
with
the
Linux
Foundation
to
have
them
do
due
diligence
on
us
to
make
sure
that
you
know
all
IP
is
being
released
in
the
right
way
and
that
this
you
know
our
project
guac
is
not
somehow
pulling
in
other
folks
IP
without
permission
and
all
that
good
stuff,
and
then
just
some
project
references
in
here.
B
B
We,
you
know,
talked
to
the
attack
in
an
attack
meeting.
They
had
some
debate
on
what
what
makes
sense
there
and
then
you
know,
based
on
the
conversation
largely
there
seemed
to
be
interest.
They're
gonna
go
vote
on
it
in
probably
the
coming
days
or
coming
weeks,
and
then
assuming
that
that
goes
well,
then
we
get
adopted.
Then
we
get
adopted
into
the
the
open
ssf
and
then
we
I
think
come
back
to
this
project
for
sponsorship.
All
right
so
coming
back
to
this
working
group
for
sponsorship.
C
C
Would
it
still
be
possible
to
bring
something
like
that
to
say
this
working
group
and
be
like
hey?
We
we
have
this,
it's
something
that
that
we,
we
think
is
really
interesting.
Here's
here's
the
benefits
and
and
see
if
there's
there's
engagement
before
being
able
to
bring
it
to
the
attack
for
The
Next
Step.
B
Yeah
I
I
believe
so
that's
actually
been.
You
know
that
was
one
of
the
things
we
did
with
guac
as
well.
Is
we
brought
it
here
first
and
we
brought
to
a
couple
other
working
groups
just
to
get
General
like
feedback
and
feeling
around
the
groups
like?
Does
this
seem
to
be
of
interest
to
people
and
then,
based
on
you
know,
largely
good
feedback?
B
You
know
we
cleaned
some
things
up
and
yeah
yeah,
and
then
we
you
we
brought
to
the
attack
and
I
think
that's
kind
of
where
so
I'm
not
gonna
name
any
names,
but
but
I
I
know
that
the
the
thing
that
I
I
I
believe
the
attack
is
really
trying
to
make.
Sure
of
is
that
when
folks
contribute
to
projects
that
is
not
a
single
maintainer
sort
of
project,
I
know
that
there
are
certain
projects
that
are
have
been
kind
of.
B
They
came
in
before
some
of
these
governance
rules
around
needing
to
have
multiple
maintainers
from
multiple
organizations
and
affiliations
that
they
do
some
projects
there,
but
I
believe
new
projects,
they're,
really
wanting
to
make
sure
that
it's
not
purely
like
a
vendor,
just
sort
of
throwing
something
in
there
and
saying
hey
now
we
have
an
open
ssf
project
and
they
also
want
to
make
sure
that
you
know
if
they
have.
You
know
they
want
to
make
sure
that
you
know
it's.
B
It's
not
just
a
particular
company
or
organization
trying
to
just
sort
of
throw
something
out
there.
They
can
say
hey.
We
have
something
under
the
open
ssf
and
then,
but
they
still
essentially
maintain
the
control
of
the
project.
It
should
be
something
that
is
open.
Source
falls
under
some
sort
of
open
governance,
and
it's
not
something
that,
like
you
know,
one
particular
company
organization
Etc,
can
can
sort
of
strong
arm
other
folks
and
I
believe
that
was
you
know
that
that
is
I.
B
Oh
yeah,
we
added
someone
from
another
company
just
to
kind
of
Hit
the
rule,
because
I
I
know
that
that
has
come
up
a
couple
of
times
was
you
know
a
particular
organization
has
done
the
majority
of
the
work.
They
then
added
a
new
maintainer
to
try
and
hit
the
rules
and
people
you
know
had
called
out
hey.
It
looks
like
you
just
you
just
added
a
new
paint
maintainer
yesterday
it
looks
like
that
new
maintainer
hasn't
made
any
commits
to
the
project.
B
It
seems
a
little
suspicious,
so
I
believe
that
the
idea
is
long
term.
At
least
you
know
you,
you
can
show
that,
yes,
you
bring
on
new
maintainers
you.
You
are
able
to
kind
of
show
that
this
is
actual
project,
that
is
more
than
one
organization
and
so
on
and
so
forth,
and
then
it
can
be
brought
into
the
openssf.
C
And,
and
so
all
these
these
rules,
guidelines
I
mean
they.
You
see
them
as
being
more
guidelines
with
a
where
the
intention
or
the
the
intent
is,
is
what
the
tech
takes
into
account,
and
so
it
really
comes
down
to
having
that
conversation
with
attack
and
and
seeing
where
that
tool
needs
to
go
and
the
the
reason
that
that
I
am
and
poking
on
a
little
bit
is
just
because
I
feel
like
with
the
Sterling
tool
chain,
that
there
is
opportunities
for
potential
interest,
I
guess
in
openssf.
B
More
yes,
yes,
so
on
that
front
for
folks
who
are
not
super
familiar,
the
Sterling
pool
it's
formerly
known
as
the
Starling
tool
chain,
but
it's
you
know
being
used
as
a
placeholder
name
until
we
figure
out
something
better,
we're
still
figuring
out
the
scope
and
everything
else,
but
largely
the
problem
has
been.
You
know
there
is
a
problem
generally
in
application
and
supply
chain
security
and
all
that
stuff.
B
B
That,
like
an
example
here
is,
it
could
be
very
unclear
whether
or
not
a
particular
issue
came
in
at
the
dev
level,
like
as
in
a
developers,
workstation
got
compromised
or
a
developer,
either
purposefully
or
inadvertently,
introduced
a
SQL
injection
or
whatever
folks
are
unaware
of
whether
or
not
a
dependency
caused.
An
issue
like
where,
where
is
this
vulnerability
coming
from?
Where
are
these
issues
we're
seeing
coming
from
and
then
also
when
we
go
to
deploy
to
production
like?
B
Are
we
actually
making
sure
that
we're
only
deploying
what
we
expect
to
deploy
and
making
sure
that
it
fits
all
the
various
rules
right?
And
so
the
problem
here
is
at
a
large
company,
a
large
company.
You
know
a
giant
Bank,
let's
say
right:
they
look
at
some
of
these
things.
They
say
great.
We
we
have
a
bunch
of
policies
in
place
to
make
sure
that
we're
doing
these
things,
whether
or
not
it's
efficient
is
another
story,
but
that's
largely
the
the
big
problem
and
they
also
say
hey
a
large
Bank
says.
B
Well,
we
can't
use
startup
tool
XYZ,
because
we
don't
have
confidence
that
startup
tool
XYZ
is
doing
their
sdlc
in
a
way
where
they're,
not
you
know,
are
they
allowing
devs
to
just
write
code
on
their
personal
laptops,
with
no
restrictions
and
hey
it
turns
out
the
developer.
You
know
wasn't
being
malicious,
but
they
had
downloaded
something
on
their
personal
laptop.
That
was
malware
and
now
the
source
code
got
injected
with
bad
stuff,
and
so,
even
though
it
wasn't
the
intent
bad
stuff's
out
there
right
are
folks
generating
s-bombs
that
they
can.
B
You
know
and
those
sorts
of
things
are
they
building
it
via
salsa
and
doing
the
right
things
from
a
build
security
standpoint.
So
there's
a
concern
here
of
like
this.
Is
this
there's
a
big
problem
here,
and
so
what
can
we
do
to
solve
it?
And
at
least
this
initial
I?
You
know
the
initial
things
that
have
been
thrown
out
there
are.
Perhaps
we
need
to
build
an
architecture
that
sort
of
describes
the
capabilities
that
need
to
be
there
from,
like.
B
You
know,
secure
development
as
a
capability,
secure
ingestion
as
a
capability
and
those
sorts
of
things,
and
then
once
that's
done,
we
need
to
look
at
also
how
those
things
communicate
with
each
other
like
so
how
does
secure
Dev
communicate
to
the
secure
build
that
yes,
secure?
Dev
was
done
correctly
so
that
the
secure
build
knows
like
yes,
this
was
done
with
commits
were
signed,
software
was
developed
in
appropriate
places
and
so
on,
and
then
finally
you
we
need
to
then
start
to
say,
okay
great.
B
B
So
if,
if
there
are
open
source
projects
out
there,
let's
just
say
an
open
source,
secure,
artifact
repository
if
there
is
an
open
source,
secure,
artifact
repository,
would
the
open
ssf
be
willing
to
take
that
in
as
a
project?
It's
a
little
unclear,
there's
debate
about
what
exactly
is
the
scope
of
the
openssf
charter,
or
is
it
more
along
the
lines
of
you
know?
Tool
choice
is
kind
of
something
that
comes
in
later
and
just
is
just
something
that
is
like.
B
We
can
throw
out
the
architecture
and
say
hey
as
long
as
you
hit
the
architecture.
You
hit
the
sort
of
interfaces
as
in
like
the
inputs
and
outputs,
and
you
know
you
have
a
set
of
conditions
for
what
you're
actually
doing,
maybe
that's
enough
and
then
whatever
fits
in
there
fits
in
there,
but
I
believe.
A
lot
of
the
details
on
that
are
still
up
for
for
debate.
Did
I
describe
that
correctly
to
folks
who
were
there.
C
B
They
they
the
same
inputs,
the
same
outputs.
They
follow
like
a
a
common
communication
language
from
an
API
perspective,
which
means
that
you
know
earlier
these
things
didn't
interoperate
correctly,
and
you
know
it.
It
led
to
a
lot
of
issues,
but
now
they
all
interoperate.
Now
lots
of
folks
can
can
buy
my
stuff
or
whatever
I
think.
B
There's
a
lot
there
that
will
help
out,
but
there's
also
debate
about,
for
example,
I
know,
the
biggest
debate
is
whether
or
not
from
a
tool
perspective
if
it's
up
to
the
open
ssf
to
build
the
tools
themselves.
A
lot
of
folks
who
have
you
know
a
large
background
in
open
source
have
fed
the
majority
of
Open
Source.
That's
out.
There
does
not
start
purely
in
open
source,
it
starts.
It
tends
to
be
an
organization,
a
person,
a
company
or
whatever
decides
to
do
something.
B
C
B
Yeah
and
and
I
agree
with
that
and
I
think
that
generally
also,
you
know,
if
you
look
at
the
majority
of
successful
open
source
projects,
the
large
ones
right.
It's
because
they're,
backed
by
companies
that
are
willing
to
to
put
the
the
time
money
and
resources,
even
if
it
does
fall
under
the
Linux,
Foundation
or
another
open
source
group.