►
From YouTube: Supply Chain Integrity WG (April 25, 2023)
A
B
C
A
B
C
C
C
D
B
C
E
C
B
D
A
I
think
one
of
the
things
that
that
came
up
a
few
times
and
I
put
this
as
like.
The
last
bullet
point
under
here
is
like
who
can
say
what
about
salsa
compliance
like
there's,
I
I
saw
some
people
immediately
wanted
to
to
claim.
There
was
also
level
three,
and
there
were
questions
about
like
whether
or
not
they
really
were,
but
also
there's
I,
think
more
questions
along
the
lines
of
like
how
do
I
know.
A
C
Yeah,
so
so,
there's
actually
some
interesting
stuff.
That
kind
of
came
out
of
some
conversations,
also
at
kubecon,
so
one
of
the
things
was
yeah,
so
I
know
that
there's
still
work
being
done
on
the
conformance
program.
I
know
based
on
some
earlier
conversations
about
that
conformance
program.
There
is
like
yes,
openssf
owns
the
trademark.
The
lawyer
said
that
generally
the
way
that
they
sort
of
do
it
is
like.
C
If
you
use
you
know,
salsa
blah
blah
as
long
as
you
make
it
sure
that
it's
clear
that
you
are
not
you
know,
you're
not
associated
with
it
you're
just
like
using
salsa
or
whatever,
but
the
thing
is
that
there,
as
part
of
the
conformance
program,
they're
most
likely
will
be
some
sort
of
badge
or
something
like
that,
and
that
logo
will
require
going
through
the
conformance
program
and
they'll
be
most
likely
two
things.
One
is
like
a
self-assessment
that
folks
will
be
able
to
go
to
and
then
there
will
also
be
through.
C
You
know:
salsa
through
open,
ssf,
I
should
say,
there'll
be
a
program
around
like
certifying
Auditors
or
something
like
that,
and
those
Auditors
can
come
in
and
say:
hey,
I
inspected
this
person's.
You
know
internal
build
system
and
I
believe
it
to
be
salsa
level
three
or
whatever,
based
on
this
criteria
and
I'm
assert,
you
know
I'm
making
some
sort
of
attestation
on
that.
So
that's
definitely
something
that's
being
talked
through
along
those
lines.
C
Basing
our
conformance
program
on
the
kubernetes
conformance
program,
because
actually
a
lot
of
folks
have
a
lot
of
issues
with
that
conformance
program,
but
I
think
there's
not
really
a
great
answer.
We
have
right
now
and
I'm
sure
the
lawyers
will
help
us
sort.
Some
of
this
out
so
I
definitely
think
we.
C
We
want
to
make
sure
that
that
we
sort
some
of
the
the
salsa
conformance
stuff
out,
especially
as
as
soon
as
possible,
because
I
know
a
lot
of
folks
are
looking
to
either
get
involved
in
the
salsa
auditing
process
or
the
you
know:
hey
I
want
to
release
a
build
and
I
want
to
claim
it's
salsa
whatever.
How
do
I
do
that
without
like,
while
making
sure
that
the
community
recognizes
you
know,
while
following
the
rules
that
say,
you
know
I'm
actually
doing
what
what
I'm
claiming
to
be
doing?
C
C
E
E
It's
also
standard
to
understand
what
S2
CTF
do
and
what
where's
overlap,
and
you
know
what
what's
the
difference
between
for
a
a
developer,
focused
source
of
framework
versus
the
consumer
based
framework-
and
you
know
where's
all
lap-
was
a
difference
and
how
all
this
contribute
and
map
back
to
the
original
white
paper,
because
in
a
white
paper,
if
you
see
that
there
there's
a
couple
diagrams
that
were
several
pictures.
Diagram
is
pretty
useful
about
build,
and
you
know
those
things
how
to
understand
that.
C
Yeah
definitely
hear
you
on
that.
One
I
know
we
have
some
stuff,
but
it
might
be
useful
for
and
I
wonder
if
Jay,
if,
if
folks,
like
Adrian
or
yourself,
would
be
willing
to
sort
of
write
up
a
Blog
for
like
openssf,
either
on
like
the
S2
c2f
site
or
or
the
salsa
site,
to
kind
of
chat
through
sort
of
like
the
the
differences
between
something
like
salsa
and
S2
c2f.
B
C
Okay,
yeah,
that's
definitely
something
we
can
kind
of,
because
I
know
yeah,
even
among
a
lot
of
folks
there's
some
confusion
exactly
as
to
that.
I
I
agree
that
there
probably
should
be
a
blog
or
or
also
something
like
a
paper
that
comes
out
of
the
SEI
group,
so
that
we
can
kind
of
explain
the
larger
supply
chain
security
picture.
E
C
So
that's
actually
something
else
that
that
is
happening
so
I
spoke
to
Chris,
also
at
kubecon,
so
I'm
also
a
tag
security
lead
for
for
cncf
and
well
one
of
the
things
we
had
discussed
because
something
actually
that
also
came
out.
This
is
for
salsa
V
0.1,
but
there
were
some.
Let
me
actually
put
this
over
here.
There
are
some
updates
so
for
salsa,
V
0.1.
C
And
cncf
is
ramping
up
a
salsa
audit
process,
which
also
is
something
that
I
I
said
hey.
We
need
to
make
sure
that
kind
of
comes
back
into
how
that
is
going
to
work
with
the
conformance
process,
and
so
once
the
conformance
process
is
done,
the
idea
would
be
you
know
to
have
folks
be
able
to
assess
that.
That's
a
big
thing
to
Victor
what
you
were
saying
yeah.
C
So
one
of
the
things
right
now
is
that,
like
the
cncf
doesn't
really
have
like
a
you
should
be
doing
salsa
or
whatever
as
part
of
its
thing.
But
one
of
the
things
that
has
been
brought
up
is
is
potentially
to
include
salsa
as
like
a
framework
for
some
of
the
projects
within
the
cncf
to
start
using
and
then
how
would
that
map
to
the
larger
sort
of
supply
chain
picture?
C
That's
definitely
something
that
that
that
we're
thinking
about
but
I
think
one
of
the
things
that
that,
if
there's
something
unclear,
I,
definitely
recommend
if
you
can
to
like
open
up
like
the
issue
under
the
salsa
GitHub
to
kind
of
say:
hey,
like
here's,
some
things
that
that
are
not
super,
clear
and
it'll
be
great.
If,
like
you
had
something
like
this
diagram
in
this
cncf
security
white
paper,
for
you
know
where
salsa
fits
in
or
something
like
that
and
where
it
maps
in.
C
C
Regarding
generally,
regarding
was
gonna,
say
generally
regarding
salsa
I
posted
this
also
in
the
in
the
document.
The
general
things
were
folks
are
very
excited
for
salsa.
There's,
no
examples
or
not
enough
examples
for
1.0
compliance.
I
know
that
a
lot
of
the
build
tools
as
far
as
I
know
right
now,
don't
support
it
quite
yet,
but
they
will
very
very
soon,
there's
still
confusion
around
the
change
to
tracks.
Why
did
we
remove
the
two-person
code
review?
C
There
may
be
some
things.
We
can
be
a
little
bit
louder
about
to
say:
hey,
we
have
the
source
track
and
the
source
track
includes
the
two-person
code,
review
and
yayada
like
I,
think
the
sooner
we
can
kind
of
get
something
like
that
out,
even
just
to
say
this
is
what
we're
working
on
right,
the
second
the
easier
it
will
be
for
folks
to
recognize
like.
Oh,
we,
we
just
sort
of
separated
it
out
and
we
were
focused
on
the
build
track.
C
But
that's
that's
a
big
thing,
a
big
piece
of
feedback,
a
lot
of
folks
confused
about
what
is
required
for
a
1.0
salsa
build
system,
and
how
does
that
conformance?
Look
like
how
do
I
make
sure
I
do
it
without
you
know
doing
something
wrong:
yeah
yada,
there
is
General
worry,
given
that
pretty
much
all
the
examples
today
are
using
GitHub
actions
and
hosted
SAS
providers
and
that
people
are
saying
hey
is
salsa
only
a
SAS
like.
C
Can
you
only
be
salsa
compliant
with
SAS
and
that's
obviously
not
the
intention
by
any
means,
but
I
think
that's
kind
of
the
perception
and
so
I
think
that
there's
some
worry
there
and
then
yeah
and
there's
just
some
general
worry
about
at
least
some
general
confusion
about
what
is
the
conformance
program?
How
is
it
supposed
to
work?
How
do
folks
get
involved?
How
do
folks
provide
feedback
all
that
good
stuff?
C
With
all
that
said,
though,
overall
though
people
seem
to
be
very
keen
on,
like
the
laser
focus
that
that
open
that
salsa
provides
like
compared
to
a
lot
of
the
other
Frameworks,
they
like
the
fact
that
hey
you
are
super
focused
on
the
build
you're,
not
talking
about
how
you
know
here,
you
need
to
do
these
12
million
things
before
you're
secure.
It's
like
here
are
some
specific
things.
You
can
do
and
then
we
can
broaden
the
scope
over
time
and
you
can
be.
C
Okie
dokie,
so
the
only
other
thing
I
had
on
the
agenda
here
before
us,
maybe
going
back
to
the
list
of
blogs
and
seeing
what
other
things
we
can
do
and
what
other
things
from
the
general
day-to-day
SCI
work
was
upcoming
announcements
regarding
salsa
and
I.
Don't
know
if
anybody,
because
I
know
we
had
Jennifer
correct
me
if
I'm
wrong
pretty
much
tomorrow
at
9
00
a.m.
C
C
C
B
C
B
B
C
F
F
C
Well,
yeah,
no
I
and
I
know
definitely
from
from
our
end,
we're
very
interested
in
seeing
you
know
something
like
a
presentation
or
a
demo
of
a
current
state
of
it,
because
I
know
one
of
the
pieces
of
feedback
also
from
kubecon
was
at
least
from
a
few
folks
who
were
there,
who
had
seen
some
of
the
stuff
from
S2
ctuf
they
had
assumed.
It
was
just
a
white
paper
and
I
was
like
no.
F
Yep,
so
what
what's?
What
we'll
definitely
do?
And,
of
course,
like
I,
said
we
have
to
get
back
and
then
ramp
up,
but
we
definitely
want
to
bring
it
before
the
the
working
group
again.
I
know
that
we
talked
about
that
at
the
last
working
group
meeting
as
a
matter
of
fact,
but
definitely
bring
it
before
the
working
group
again
yep.
F
F
Yeah
it'll
probably
be
sometime
in
the
next
sometime
right
after
open
Summit.
The
meeting
we
have
after
open
Summit,
we'll
be
able
to
dive
right
back
in
and
to
that,
and
what's
great
about
that
is
we'll-
have
a
a
bit
more
content
to
use
from
the
talks
in
the
conferences
at
that
time.
So
the
presentation
is
pretty
much
are
already
written
and
already
done
just
need
to
polish
them
up
and
shape
them
up
and
trim
them
down
a
little
bit
just
for
the
for
the
working
group.
But
we'll
definitely
do
that.
C
C
The
problem
still
is
hey
without
folks
maintaining
Fresca,
it's
just
gonna
sit
there
and
not
do
anything
and
I
know.
From
my
end,
you
know:
I
keep
seeing
Fresca
show
up
in
other
people's
presentations
and
they
say:
hey
Mike.
We
we
really
want.
You
know
this
thing
to
be
maintained,
but
given
that
you
know,
there's
been
really
not
a
lot
of
interest
in
as
far
as
actually
contributing
to
Fresca.
C
You
know
I
think
at
least
from
my
end,
I'm,
probably
gonna,
be
pushing
stuff
in
in
a
slightly
different
direction
and
we'll
kind
of
go
see
from
there,
but
I
reached
out
also
once
again
to
a
few
Folks
at
open
ssf
who
had
reached
out
to
me
a
rich
generally
asking
like
hey.
What
can
they
do
to
help
out
with
Fresca
and
so
far
none
of
them
have
responded.
C
B
C
B
C
Sorry
GitHub
handmade
as
well,
so
that
so
GitHub
has
this
provenance
thing.
It's
also
as
part
of
that
part
of
that
picture,
and
so
there
is
an
npm
Builder.
The
idea
is
to
also
contribute
it.
It
looks
like
to
GitHub
itself,
so
you'd
have
an
official
Builder
that
is
supported
by
npm
itself,
and
that
would
be
a
GitHub
action
that
could
then
be
used
to
for
for
salsa,
1.0,
Providence
and
and
all
that
good
stuff,
and
so
that
I
posted
in
the
chat.
Here.
C
C
So
I
know
that
there's
the
build
versus
Source
blog
I
know
Melba,
is
out
and
I
don't
see.
Chris
on
I
know
that
there
was
a
kind
of
a
broader
supply
chain,
Integrity
positioning
blog
stuff
that
that
some
folks
had
had
brought
up
yeah
I,
don't
know
if
there's
anything
else
folks
have
on
any
of
the
blog
side
or
things
that
folks
are
planning
to
contribute
to.
You
know
some
of
the
stuff
that
we're
working
with
SEI.