From YouTube: Supply Chain Integrity WG (April 25, 2023)
C: Oh yeah, it is. When I think I got like the last one, or one of the last ones, and I was like, hell. Yeah.
C: So Melba, I know, is sick, so I'll be running the meeting today. Give me a few minutes to sort out my billions of tabs to kind of bring up the docs here.
C: We can get started here. Just as a reminder, this meeting is being recorded; it'll be uploaded to YouTube shortly after, usually within a few weeks, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct.
C: We can get started. I don't see anybody new here, so we can sort of skip that. Next up.
C: First off, for the SLSA 1.0 stuff, I just wanted to extend my deepest thanks to Jennifer and the rest of the OpenSSF team for the great announcement and how well that worked. That was great, it was awesome.
D: Yeah, I thought it went really well. Nice work, everyone, especially all of you here, a true team effort. I think we saw a lot of great press coverage as well, a lot of coverage on social media and a lot of positive feedback.
C: You know, we're never going to be able to get folks who are not involved directly with SLSA to always report 100% accurately, but I believe I remember seeing a couple of the articles that sort of got a couple of the key details wrong on SLSA. For example, I think they still were looking at SLSA v0.1 and reporting on the four levels of SLSA.
C: When it's three. And I think one of the things we would love to do in the future is, at least if any of these folks have questions or whatever, to be able to help answer those questions for them, so that there's a little bit less of that inconsistency, because I know one of the pieces of feedback from a few folks at KubeCon was like, hey, I saw one thing say there's three levels and another thing say there's four levels. And if we can do stuff to help prevent that.
C: That would be good moving forward, but I don't have a great answer outside of: we don't want to do their work for them, but if we can help clarify anything for them in the future, I think that would be useful.
D: Yeah, and I will note that we did ask for a correction for places where there were inaccuracies, and they were corrected to the.
C: Poco, so next. Actually, does anybody else have any things regarding the SLSA 1.0 announcement generally?
A: I think one of the things that came up a few times, and I put this as like the last bullet point under here, is who can say what about SLSA compliance. I saw some people immediately wanted to claim they were SLSA level three, and there were questions about whether or not they really were, but also I think more questions along the lines of like, how do I know
A: what SLSA level I am. And I'm assuming there is... I know there's a conformance program coming up, but also maybe just a more procedural thing. Like, I assume SLSA is a trademark held by OpenSSF; people can't just go and claim, free of any sort of consequences, whatever they want to about SLSA. Now, I don't think we want to step in and be heavy-handed about any of that, but at the same time, there's like...
C: Yeah, so there's actually some interesting stuff that kind of came out of some conversations, also at KubeCon. So one of the things was, yeah, I know that there's still work being done on the conformance program. I know, based on some earlier conversations about that conformance program, there is like, yes, OpenSSF owns the trademark. The lawyer said that generally the way that they sort of do it is like:
C: If somebody is very egregiously lying, then yes, we definitely enforce those rules, especially when it comes to usage of certain, let's say, trademarks. Like, you know, hey, you could have the SLSA goose on your thing.
C: If you use, you know, SLSA blah blah, as long as you make sure that it's clear that you're not associated with it, you're just using SLSA or whatever. But the thing is that, as part of the conformance program, there most likely will be some sort of badge or something like that, and that logo will require going through the conformance program, and there'll most likely be two things. One is like a self-assessment that folks will be able to go to, and then there will also be, through...
C: You know, SLSA through OpenSSF, I should say, there'll be a program around certifying auditors or something like that, and those auditors can come in and say: hey, I inspected this person's internal build system and I believe it to be SLSA level three or whatever, based on this criteria, and I'm asserting, you know, I'm making some sort of attestation on that. So that's definitely something that's being talked through along those lines.
C: I believe a lot of folks are worried that the conformance program still hasn't really come together yet, and yes, I believe that's still the latest version of the conformance program, and there's some background information regarding the CNCF conformance program. And in fact, I spoke to Chris Aniszczyk from the CNCF, and he had expressed some concerns about us
C: basing our conformance program on the Kubernetes conformance program, because actually a lot of folks have a lot of issues with that conformance program. But I think there's not really a great answer we have right now, and I'm sure the lawyers will help us sort some of this out, so I definitely think we...
C: We want to make sure that we sort some of the SLSA conformance stuff out as soon as possible, because I know a lot of folks are looking to either get involved in the SLSA auditing process or, you know: hey, I want to release a build and I want to claim it's SLSA whatever. How do I do that while making sure that the community recognizes, you know, while following the rules, that I'm actually doing what I'm claiming to be doing?
C: I don't know if anybody else has any information on that? That's kind of the last I'd heard.
E: I'm not sure there's any other topics. I've just been attending the meeting for several months, and because I'm not a security person I try not to bother the experts, but one thing that I've been reading is this one, the next security white paper, which is kind of an introduction to security overall in this area.
E: So one thing I find interesting, at least to me, is this: now SLSA 1.0 is formally released. I know there's previously some overlap between SLSA and S2C2F, so it probably is good to be based on the standards.
E: It's also standard to understand what S2C2F does and where's the overlap, and what's the difference between a developer-focused framework versus the consumer-based framework, and where's the overlap, what's the difference, and how all this contributes and maps back to the original white paper. Because in the white paper, if you see, there's a couple of diagrams, several pictures. The diagram is pretty useful about build, and those things, how to understand that.
E: You know, that paper from the SLSA perspective. Yeah, I guess using pictures, I guess that's probably easier for newbies like me to understand the whole process.
C: Yeah, definitely hear you on that one. I know we have some stuff, but it might be useful, and I wonder, Jay, if folks like Adrian or yourself would be willing to sort of write up a blog for OpenSSF, either on the S2C2F site or the SLSA site, to kind of chat through the differences between something like SLSA and S2C2F.
C: Okay, yeah, that's definitely something we can kind of... because I know, yeah, even among a lot of folks there's some confusion exactly as to that. I agree that there probably should be a blog, or also something like a paper that comes out of the SCI group, so that we can kind of explain the larger supply chain security picture.
E: So let's say if we add the source of content back to the original executive white paper. I know it's a different organization, but if that's something that can be done, how do you map to the pictures, the workflows in that picture, in that architecture paper for CNCF? Yeah.
C: So that's actually something else that is happening. So I spoke to Chris, also at KubeCon. So I'm also a TAG Security lead for CNCF, and one of the things we had discussed, because something actually that also came out... This is for SLSA v0.1, but there were some... Let me actually put this over here. There are some updates, so for SLSA v0.1.
C: v0.1 audits were done on CNCF projects; I believe one was Argo and there was some other one, hold on.
C: And CNCF is ramping up a SLSA audit process, which also is something that I said, hey, we need to make sure that kind of comes back into how that is going to work with the conformance process. And so once the conformance process is done, the idea would be to have folks be able to assess that. That's a big thing, to Victor, what you were saying, yeah.
C: So one of the things right now is that the CNCF doesn't really have a "you should be doing SLSA" or whatever as part of its thing. But one of the things that has been brought up is potentially to include SLSA as a framework for some of the projects within the CNCF to start using, and then how would that map to the larger sort of supply chain picture?
C: That's definitely something that we're thinking about, but I think one of the things is that, if there's something unclear, I definitely recommend, if you can, to open up an issue under the SLSA GitHub to kind of say: hey, here's some things that are not super clear, and it'd be great if you had something like this diagram in this CNCF security white paper for, you know, where SLSA fits in, or something like that, and where it maps in.
C: Cool, so yeah, what else, looking through here? Oh, so some other KubeCon updates. So I opened up a GitHub issue for this. We got some good feedback.
C: Regarding... I was gonna say generally regarding SLSA, I posted this also in the document. The general things were: folks are very excited for SLSA. There's no examples, or not enough examples, for 1.0 compliance. I know that a lot of the build tools, as far as I know right now, don't support it quite yet, but they will very, very soon. There's still confusion around the change to tracks: why did we remove the two-person code review?
C: There may be some things we can be a little bit louder about, to say: hey, we have the source track and the source track includes the two-person code review and yada yada. I think the sooner we can kind of get something like that out, even just to say this is what we're working on right this second, the easier it will be for folks to recognize: oh, we just sort of separated it out and we were focused on the build track.
C: But that's a big piece of feedback: a lot of folks confused about what is required for a 1.0 SLSA build system, and what does that conformance look like, how do I make sure I do it without doing something wrong, yada yada. There is general worry, given that pretty much all the examples today are using GitHub Actions and hosted SaaS providers, and people are saying, hey, is SLSA only a SaaS thing?
C: Can you only be SLSA compliant with SaaS? And that's obviously not the intention by any means, but I think that's kind of the perception, and so I think there's some worry there. And then, yeah, there's just some general worry, or at least some general confusion, about what is the conformance program? How is it supposed to work? How do folks get involved? How do folks provide feedback? All that good stuff.
C: With all that said, though, overall people seem to be very keen on the laser focus that SLSA provides compared to a lot of the other frameworks. They like the fact that, hey, you are super focused on the build; you're not talking about how you need to do these 12 million things before you're secure. It's like: here are some specific things you can do, and then we can broaden the scope over time. And you can be...
C: "You must do these million things in order to even get started." So overall, great feedback there. And a lot of folks also seemed very interested, especially from the Europe side, in whether we could have some more Europe-friendly meetings that would be convenient for them, because they want to get a lot of folks from Europe, especially Eastern Europe, more involved. But I believe that, like a lot of our meetings, this happens around this time, which is a little inconvenient for them.
C: Any questions, feedback... questions, I'm sorry, any questions or feedback on that?
C: Okie dokie, so the only other thing I had on the agenda here, before us maybe going back to the list of blogs and seeing what other things we can do, and what other things from the general day-to-day SCI work, was upcoming announcements regarding SLSA. And I don't know if anybody... because I know we had, Jennifer, correct me if I'm wrong, pretty much tomorrow at 9:00 a.m.
C: You know, as part of SLSA 1.0, or here's our blog sort of talking through the details of SLSA 1.0. Is that correct? Correct.
C: Okay, all right, so just a reminder: 9 a.m. Eastern on.
C: So any other sort of business regarding updates on some of the SLSA blogs or S2C2F updates? I know that, I believe, Jay, correct me if I'm wrong, Adrian is at RSA to talk about S2C2F.
F: So I'm doing double time here. I have, I got one, one meeting, and then one meeting in this meeting here. What was the question again?
C: I was just curious, is there any updates on any of the S2C2F things that I know.
F: That panel discussion there at Open Summit. We're currently working on the explanatory report, stuff like that, for S2C2F, and of course we'll be meeting again. So because of RSA and all the upcoming stuff, the meetings have taken a break until we come back, so we'll be meeting again once we get through this conference cycle; that's when our meetings will start up again.
F: We do need to keep getting the word out as our focus shifts. It's also... 1.0 is out, I'm gonna let that breathe a little bit, but as our focus shifts, dive on into S2C2F and get that ramped up as well.
C: Well, yeah, no, and I know definitely from our end we're very interested in seeing something like a presentation or a demo of the current state of it, because I know one of the pieces of feedback also from KubeCon was, at least from a few folks who were there who had seen some of the stuff from S2C2F, they had assumed it was just a white paper, and I was like, no.
C: No, it's a framework; it's a whole bunch of stuff in there. But I think they were kind of confused by some of those, maybe the layout of the repo or something like that.
F: Yep, so what we'll definitely do, and of course, like I said, we have to get back and then ramp up, but we definitely want to bring it before the working group again. I know that we talked about that at the last working group meeting, as a matter of fact, but definitely bring it before the working group again, yep.
F: You know, just to do a good presentation on it and bring that before. So yeah, we'll definitely put that on the agenda once the dust clears on all these conferences.
F: Yeah, it'll probably be sometime right after Open Summit. The meeting we have after Open Summit, we'll be able to dive right back into that, and what's great about that is we'll have a bit more content to use from the talks in the conferences at that time. So the presentations are pretty much already written and already done; we just need to polish them up and shape them up and trim them down a little bit for the working group. But we'll definitely do that.
C: Oh yeah, no, yeah, definitely interested there. Hoping to start being able to attend, or at least have somebody from my side be able to start attending the S2C2F meetings once they're back. Cool.
C: All right, on the FRSCA side, there was also some feedback from KubeCon. Largely some folks seemed... you know, they liked the general idea of, hey, here's a thing that can do SLSA 3, it's something that you can run yourself, yada yada yada.
C: The problem still is, hey, without folks maintaining FRSCA, it's just gonna sit there and not do anything. And I know, from my end, I keep seeing FRSCA show up in other people's presentations and they say, hey Mike, we really want this thing to be maintained. But given that there's been really not a lot of interest as far as actually contributing to FRSCA.
C: I think, at least from my end, I'm probably gonna be pushing stuff in a slightly different direction and we'll kind of see from there. But I reached out once again to a few folks at OpenSSF who had reached out to me, and Rich generally, asking, hey, what can they do to help out with FRSCA, and so far none of them have responded.
C: So after I sort of replied... so I'm gonna keep trying to poke here and there, but it doesn't look like there's a lot of interest, so probably gonna go in a different direction with that.
C: Sorry, GitHub handmade as well. So GitHub has this provenance thing; it's also part of that picture, and so there is an npm builder. The idea is to also contribute it, it looks like, to GitHub itself, so you'd have an official builder that is supported by npm itself, and that would be a GitHub Action that could then be used for SLSA 1.0 provenance and all that good stuff, and so I posted that in the chat here.
C: It's not chat, it's inside of the notes, with information about that PR, so feel free to add feedback there.
C: Cool, any other updates or anything else? I know that there is a lot of... I see still that there's a lot of potential blogs, but I don't know kind of what has come out of there.
C: So I know that there's the build versus source blog. I know Melba is out and I don't see Chris on. I know that there was kind of a broader supply chain integrity positioning blog that some folks had brought up. Yeah, I don't know if there's anything else folks have on the blog side, or things that folks are planning to contribute to, you know, some of the stuff that we're working on with SCI.
C: You know, whether it's FRSCA, whether it's S2C2F or SLSA related, or anything just generally about supply chain integrity.