From YouTube: Supply Chain Integrity WG (June 21, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
B
More minutes for some folks to join, and as...
B
Anything on the agenda? There's not much on the agenda right now.
A
I guess maybe give it another minute. Let me just also ping in the chat, and then we can get started.
D
B
Yeah, so I think it is now every other week, so this week will be the normal sort of full group, and then next week is the positioning group. Got it. Okay, thanks. Yep, all right, so we can get started.
A
And let me just copy the link into the chat there, just in case. All right.
B
So, just as a reminder, this meeting is being recorded, it'll be uploaded to YouTube shortly after, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct. Before getting into the agenda, is there anybody new to the group who would like to introduce themselves?
A
Okay, sounds good. If... okay, so.
B
Only one item on the agenda today, at least as far as I can see on the meeting notes. If folks have other things they want to add on, you know, we have a fairly open agenda today, but the one thing I just wanted to kind of bring up: so this is for GUAC. This is from the TAC, so the maintainers of, the creators and maintainers of GUAC.
B
So that's myself from Kusari, as well as a few other folks from Kusari, as well as a few folks from Google and some other people from Purdue University, have come together and sort of, we created, you know, GUAC, which, GUAC for folks who are not familiar with it yet.
B
It's sort of, it's a database where we're pulling in supply chain metadata, like SBOMs, SLSA attestations and all that great stuff, putting it into a giant graph, so that folks can better understand their supply chain and understand aspects of their supply chain for stuff like, you know, vulnerability management, for, you know, policy and all that good stuff. So we, you know, had been working on it for, yeah.
B
Just about a year now, and we have an initial beta out, and based on discussion from the maintainers, we decided to contribute, or we decided to talk about contributing GUAC to the OpenSSF, and largely the TAC was very receptive to accepting GUAC. There's a lot more details about some of the things in there, like a potential public service database for open source and stuff like that, as well as what exact level it falls under in the OpenSSF governance.
B
Sorry, the OpenSSF maturity, project maturity. So it's a little unclear if we're incubating or sandbox; that sort of detail will get sorted out. But one of the things that we were looking at as well was, I know we had discussed this previously with the group, like if there was interest, would this group be open to sponsoring? I know that there was some initial sort of interest in that, and so I don't think we have enough folks today to just kind of make that official.
B
But this is actually, let's take a step back. This is actually one of the, I'm going to be opening up a GitHub issue about the OpenSSF governance. There seems to be some confusion on exactly... also, one second, so there should just be the one meeting notes doc. The positioning one is not the correct one. It should just be this doc here.
B
If there is a second copy or if there's something that is, yeah, it should be that one. But anyway, one of the things that's a little confusing is the TAC governance. Oh sorry, the TAC governance says that you should go to the TAC first and it needs to be accepted to the TAC before getting sponsorship from other groups, but, TAC sponsor, but the actual application process asks which working group would sponsor your project.
B
So it seems like a catch-22: it's like I can't say who's going to sponsor it if it's not accepted yet, and I can't, you know... so there's some confusion there. Largely it seems like the idea would be, right now at least, we probably get accepted, and then we come to the TAC, just to, sorry, we come to this group to say: hey, do you want to sponsor? And we kind of have a vote there. Andrew.
C
Yeah, I had a question. Well, one, I didn't realize that GUAC wasn't already part of OpenSSF, but as part of this whole process to get GUAC into OpenSSF and looking for sponsorship, what does the entire, what does this process look like for tools, projects, whatnot to become part of OpenSSF? What does it mean? You said the levels, incubating, sandbox; I mean, I'm familiar with some of these concepts from CNCF, but, like, I don't know what it means in relation to OpenSSF.
B
Sure, so I'll put this also, I put it in chat and also put it in the meeting notes. So the governance stuff is inside of the, the governance is inside the TAC repo.
B
So to take a step back before I answer that question, I'm going to go into a slightly, hopefully short, tangent here. So OpenSSF's charter is very different than CNCF's. So CNCF has a ton of projects. Often these projects are brought, like they're contributed to CNCF, but they're coming from vendors who are, you know, selling enterprise versions of, you know, these pieces of software.
B
So if you look at, you know, a lot of stuff, there's different service meshes and different policy engines, and all those things are often backed by companies or other large organizations like, you know, universities. So it's usually, you know, incubated and then kind of brought in. OpenSSF kinda has been a little bit different, mostly focused traditionally on stuff like standards or, you know, specifications, those sorts of things, so SLSA, S2C2F, and that's not to say that there aren't tools related to those things.
B
So, for example, you know, Scorecard itself is actually more of a specification, and then it just happens we also have the implementation of Scorecard, but you can implement Scorecard yourself. So that kind of has, that's starting to change a little bit as we try to do a little bit more, right. So if you look at something like Sigstore, Sigstore is a giant project with a lot of different things in it, and it's probably one of the things that's most, you know, it...
B
It's pretty popular, it's pretty widely out there now, and it's also sort of a project that's very different than a lot of the other projects that have been more on the specification side, threat modeling side, diagrams and all that good stuff.
B
So with that said, you know, they started to try and say, hey, what can we do to be a bit more for stuff like these tools and projects? What can we do to kind of make that a bit more rigorous, add some governance? So that's where the TAC stuff comes in. There's, you know...
B
Some ambiguity is still in there, that's being sorted out, but largely the idea is, if you want to go and contribute something, a project, the way that it's, the rules as they are written, the law as it is written, states that what you do is you open up a pull request into the TAC with some details, and the issues I have in here, I...
B
Think it's TAC pull request 178, so this one here, and I can actually go in and share what that looks like in a second here, once...
B
So this, whoops, so the main things are: the application looks something like this and there is a template for it. But the basic idea is: list of project maintainers. There's some requirements, like you can't just be a single, they can't just be a single company or a single organization that's contributing; it must have a plurality, or it must at least have two. In our case, you know, this was a collaboration between Kusari, Google, Purdue and Citi.
B
The mission of it, it needs to have a mission of the project. The mission of the project should sync up, at least with the TAC, sorry, with the OpenSSF charter in the least, and then should also fall under, eventually should fall under a working group, as long as it's not a top-level project in the OpenSSF, and exactly what would fall under a top-level project versus what should always fall under a working group is a little unclear. If there is project adoption, it should be listed here.
B
So in our case, we actually have a bunch of folks who've been adopting GUAC. So this is stuff like, you know, different groups that have talked about adopting GUAC. It needs to have governance, and so we have our governance listed in our...
A
B
And then IP policy and licensing due diligence, so this is something that I have the other issue, that's in there, 179, is essentially an open issue with the Linux Foundation to have them do due diligence on us to make sure that, you know, all IP is being released in the right way and that this, you know, our project GUAC is not somehow pulling in other folks' IP without permission and all that good stuff, and then just some project references in here.
B
We, you know, talked to the TAC in a TAC meeting. They had some debate on what makes sense there, and then, you know, based on the conversation, largely there seemed to be interest. They're gonna go vote on it in probably the coming days or coming weeks, and then, assuming that goes well, then we get adopted. Then we get adopted into the OpenSSF, and then we, I think, come back to this project for sponsorship. All right, so coming back to this working group for sponsorship.
C
Yeah, I think that answers a lot of it. So if there is some project that, like, say, for example, doesn't have, does it meet that minimum criteria for maintainers across organizations? Is there still room, like?
C
Would it still be possible to bring something like that to, say, this working group and be like, hey, we have this, it's something that we think is really interesting, here's the benefits, and see if there's engagement before being able to bring it to the TAC for the next step?
B
Yeah, I believe so. That's actually been, you know, that was one of the things we did with GUAC as well. We brought it here first, and we brought it to a couple other working groups just to get general, like, feedback and feeling around the groups, like: does this seem to be of interest to people? And then, based on, you know, largely good feedback...
B
You know, we cleaned some things up and, yeah, and then we brought it to the TAC, and I think that's kind of where, so I'm not gonna name any names, but I know that the thing that I believe the TAC is really trying to make sure of is that when folks contribute projects, that it is not a single-maintainer sort of project. I know that there are certain projects that have been kind of...
B
They came in before some of these governance rules around needing to have multiple maintainers from multiple organizations and affiliations, that they do, some projects there, but I believe for new projects, they're really wanting to make sure that it's not purely, like, a vendor just sort of throwing something in there and saying, hey, now we have an OpenSSF project. And they also want to make sure that, you know, if they have, you know, they want to make sure that, you know, it's...
B
It's not just a particular company or organization trying to just sort of throw something out there so they can say, hey, we have something under the OpenSSF, but they still essentially maintain the control of the project. It should be something that is open source, falls under some sort of open governance, and it's not something that, like, you know, one particular company, organization, etc., can sort of strong-arm other folks, and I believe that was, you know, that is, I...
B
Just, I believe that's a worry, and they want to make sure, that's one of the reasons why they want to have multiple maintainers. And so, for example, if you have, let's say, a project that, you know, either is open source or you plan to open source, and let's say it doesn't have multiple maintainers from different organizations, then, you know, I believe they're looking to at least show that you can bring on new maintainers and that those new maintainers are not just, like, token maintainers, they're not just purely, like...
B
Oh yeah, we added someone from another company just to kind of hit the rule, because I know that has come up a couple of times, where, you know, a particular organization has done the majority of the work. They then added a new maintainer to try and hit the rules, and people, you know, had called out, hey, it looks like you just added a new maintainer yesterday; it looks like that new maintainer hasn't made any commits to the project.
B
It seems a little suspicious. So I believe that the idea is, long term at least, you know, you can show that, yes, you bring on new maintainers, you are able to kind of show that this is an actual project that is more than one organization, and so on and so forth, and then it can be brought into the OpenSSF.
C
And so all these rules, guidelines, I mean, you see them as being more guidelines, where the intention, or the intent, is what the TAC takes into account, and so it really comes down to having that conversation with the TAC and seeing where that tool needs to go. And the reason that I am poking on it a little bit is just because I feel like, with the Starling toolchain, that there are opportunities for potential interest, I guess, in OpenSSF.
C
If the Starling toolchain might just be working to understand what the opportunities are, if the Starling toolchain is going to do more than just identify the capabilities, but also potentially identify some other projects within its own organization which can help to make, or to fill in some of the gaps that might be present, there might be interest from various tools around, once they start hearing about this, to be...
B
More, yes, yes. So on that front, for folks who are not super familiar, the Starling tool, it's formerly known as the Starling toolchain, but it's, you know, being used as a placeholder name until we figure out something better. We're still figuring out the scope and everything else, but largely the problem has been, you know, there is a problem generally in application and supply chain security and all that stuff.
B
The problem, at least as far as, a lot of folks are debating about exactly the definition, but the basic problem that has been put out there is: it is hard to do the end-to-end SDLC security, or folks are not even aware of what they need to do. What do I mean by that?
B
That, like, an example here is, it could be very unclear whether or not a particular issue came in at the dev level, like, as in a developer's workstation got compromised, or a developer, either purposefully or inadvertently, introduced a SQL injection or whatever. Folks are unaware of whether or not a dependency caused an issue, like, where is this vulnerability coming from? Where are these issues we're seeing coming from? And then also, when we go to deploy to production, like...
B
Are we actually making sure that we're only deploying what we expect to deploy and making sure that it fits all the various rules, right? And so the problem here is, at a large company, a large company, you know, a giant bank, let's say, right: they look at some of these things. They say, great, we have a bunch of policies in place to make sure that we're doing these things; whether or not it's efficient is another story, but that's largely the big problem. And they also say, hey, a large bank says...
B
Well, we can't use startup tool XYZ, because we don't have confidence that startup tool XYZ is doing their SDLC in a way where they're not, you know, are they allowing devs to just write code on their personal laptops with no restrictions, and, hey, it turns out the developer, you know, wasn't being malicious, but they had downloaded something on their personal laptop that was malware, and now the source code got injected with bad stuff. And so, even though it wasn't the intent, bad stuff's out there, right? Are folks generating SBOMs that they can...
B
You know, and those sorts of things. Are they building it via SLSA and doing the right things from a build security standpoint? So there's a concern here of, like, there's a big problem here, and so what can we do to solve it? And at least this initial, you know, the initial things that have been thrown out there are: perhaps we need to build an architecture that sort of describes the capabilities that need to be there, from, like...
B
You know, secure development as a capability, secure ingestion as a capability, and those sorts of things. And then, once that's done, we need to look at also how those things communicate with each other, like, so how does secure dev communicate to the secure build that, yes, secure dev was done correctly, so that the secure build knows, like, yes, this was done with commits that were signed, software was developed in appropriate places, and so on. And then finally we need to then start to say, okay, great.
B
What are the tools that actually do those things, to hit those capabilities, to get to Andrew's point. And I think that sort of thing is where there's a lot of current conversation about whether or not the OpenSSF will take on that work, whether or not the OpenSSF will, let's say, take in that work.
B
So if there are open source projects out there, let's just say an open source secure artifact repository, if there is an open source secure artifact repository, would the OpenSSF be willing to take that in as a project? It's a little unclear. There's debate about what exactly is the scope of the OpenSSF charter, or is it more along the lines of, you know, tool choice is kind of something that comes in later and is just something that is, like...
B
We can throw out the architecture and say, hey, as long as you hit the architecture, you hit the sort of interfaces, as in, like, the inputs and outputs, and, you know, you have a set of conditions for what you're actually doing, maybe that's enough, and then whatever fits in there fits in there. But I believe a lot of the details on that are still up for debate. Did I describe that correctly to folks who were there?
C
B
Yeah, and, you know, there's current debate about, like, because there's folks within the group who work at, you know, vendors, who have very clearly made it a point to say, hey, we do not want to help the OpenSSF build something that competes with its own members per se, but I believe that there seems to be a lot of interest from the perspective of at least trying to build a specification or a set of standards or a set of guidelines around what good looks like in a secure supply chain and a secure SDLC. So that, and in my opinion, I think that actually helps out a lot of vendors, to say: hey, my scanning tool interacts with another vendor's build tool because they speak the same sort of language.
B
They, the same inputs, the same outputs. They follow, like, a common communication language from an API perspective, which means that, you know, earlier these things didn't interoperate correctly, and, you know, it led to a lot of issues, but now they all interoperate. Now lots of folks can buy my stuff or whatever, I think.
B
There's a lot there that will help out, but there's also debate about, for example, I know the biggest debate is whether or not, from a tool perspective, it's up to the OpenSSF to build the tools themselves. A lot of folks who have, you know, a large background in open source have said the majority of open source that's out there does not start purely in open source. It starts, it tends to be an organization, a person, a company or whatever decides to do something.
B
They then open source it, and then they contribute it to an organization, as opposed to an organization saying: hey, here's a need, and trying to do the product work on that side. So I think that there is some stuff there about exactly, there's some debate there.
C
B
Yeah, and I agree with that, and I think that generally also, you know, if you look at the majority of successful open source projects, the large ones, right, it's because they're backed by companies that are willing to put in the time, money and resources, even if it does fall under the Linux Foundation or another open source group.
A
B
Does anybody else have any other questions, comments, things that they want to add on the agenda? I know we still have a half hour. We can end it early if folks don't have anything else, but, you know, the floor is open.
B
Well, if there's nothing else, everybody can get back about a half hour, and see you all in a couple weeks.