From YouTube: Supply Chain Integrity WG (March 29, 2023)
A: Aj, did you want to take the running of this meeting, based on what you sort of said in the Slack, or...

C: I believe Michael is... you can do the meeting notes, an agenda and attendance doc for us all to fill in there? So please, by all means, fill your name in there.

C: I'm updating the doc with the new chair and co-chairs at the top of the doc, attendance down at the bottom.

C: Boom. And I'm not sure if you know, Melba...

A: I think she also has, for this week, because of something or other, an overlap.

C: Oh good, okay, so then let's jump right in. If we have any new... well, first of all, thank you all for attending, and then, if anyone is available to take notes, that'll be a great help. That would be a great help.

D: Hi, I'm John, new to this meeting. I've been popping into a bunch of the different working group meetings, side, positioning and FRSCA and other things like that. So just coming up to speed on all the awesome work everyone is doing, and super interested in supply chain security. So.

C: I've seen you in a few other meetings too. We've got to stop meeting like this. All right, do we have anyone else new? As I look at the list here, I think, yes, I've seen everyone.

C: All right, well, good, welcome. Welcome. So I didn't see any agenda items that were new for this week. I would drop down into the past week to see if there is anything that was outstanding that we need to rotate on a little bit.

C: Shortly, S2C2F I know is working on some training modules with SKF.

C: Also there's a couple of conference... a couple of speaking engagements for S2C2F, especially at the RSA, which Adrian will be doing here at the end of April, and then, of course, we'll be having the ketchup, mustard and relish at the Open Summit, where we'll talk about S2C2F, SLSA and FRSCA, and then a panel discussion. So we have those coming up.

C: We also have a few documents, a few blogs that are being created that need to be reviewed out of the Supply Chain Integrity positioning meeting. We have that coming up as well. I think what we can do is drop down into the SIGs and just get a good round of discussion. SIG related... I'm not sure if, but who... I want to say John.

C: Are you able to give a quick update about SLSA, just from the bi-weekly meetings? I believe I've seen you in there. If not, I think I can give a one and two just from memory, but I could definitely give something about S2C2F, and Mike about FRSCA.

D: I have not yet been able to get into the specification meetings for SLSA, but it's on my list of things. I had to move other meetings blocking it.

A: Yeah, sure. So there's a bunch of issues up. I apologize, I'm switching from writing the notes for a second to bring up some of these. So there's a bunch of issues up for some of this. There's actually a bunch of PRs that folks are looking for reviews and comments on.

A: There's one on Distributing Provenance and there's a bunch of other ones, but I'll just post this one in the meeting notes. Here, I'll post it here in the chat as well. So there's a bunch of comments on that. There's a few other things that have already been resolved around making some of the language a little bit clearer. So we switched back from "isolated ephemeral" to just using the word "isolated".

A: For how builds should be, and then ephemeral is just a property of isolated, as opposed to it being its own separate thing. There's a bunch of stuff on that end and a lot of other little changes like that that have been happening, and so there's a lot of stuff, based on the feedback, that people are prepping for the release candidate 2. So that's just sort of the generic SLSA stuff in the SLSA specification.

A: As far as some of the SLSA positioning stuff, there is a SLSA tracks blog that's looking for feedback. This one is... hold on one second. For some reason GitHub... oh no, well, GitHub is giving me 500 errors, but I believe this is the PR on that, and so this is.

A: One is just, you could have a secure build without having secure source, and you could have secure source without having a secure build, and so we want to make sure that that was separate and clear so that folks knew where to start looking if something were to go wrong. Oh okay, if something went wrong.

A: So that's that. There's also another blog more generally about why split up SLSA Build from SLSA Source, those tracks, that Melba and Chris are writing, and let me see if I can find that one. This one's still a working... just a Google Doc, and I'll post that there. I believe they're looking potentially for some feedback on that one.

A: So there's a bunch of discussions happening on that front, trying to keep folks in the loop, make sure that we have, from an OpenSSF perspective, that unified vision, and then for a lot of the various community members who are very involved in SLSA, who are interested in also being part of that.

A: You know that communication blast, there's some discussions happening on that front as well, and then SLSA tooling is looking to change the meeting time, because a lot of the folks who have been working traditionally, I guess, working on a lot of the SLSA tooling have worked at different... they tend to be West Coast, and the 9 a.m. East Coast meeting, or no, sorry, 10 a.m. East Coast meeting is a little early for them.

A: So we're looking to change that up, and we're probably deferring a little bit to folks who are actually hands-on-keyboard engineers a little bit.

A: So not to discount any of the work that other folks are doing, but we kind of wanted to make sure that we could get some of the people who are actually actively doing the software engineering to start to collaborate a bit more, because there's a lot of tools that are... we could probably have stuff like shared libraries and some of these other things come out of what is happening in the tooling space. So that's another thing that's being worked on from the tooling side.

A: Oh, and one other thing from the tooling side is potentially having a shared... developing something like a standard or best practices around distributing SLSA, right. There's some high level guidance coming from the specification itself, but we probably want to say, hey, if everybody sort of named their files like this, then any tool that ingested SLSA stuff would be able to do that.

A: So anyway, that's SLSA tools. Oh, and yeah.

B: All right, well, might as well hang out there, Mike, and give a quick rundown on FRSCA.

A: Sure, yeah, so FRSCA. I have a "what is FRSCA". So as a reminder, FRSCA, due to a couple of different things that folks have... let me just put this here. So, take a step back.

A: And FRSCA is not a priority for them, so we kind of went from about three or four core maintainers along with another four or so pretty common contributors down to mostly just me and a few other folks just keeping the lights on.

A: So we are looking to get more contributors again, or, if it turns out, hey, why don't we just use FRSCA as a teaching example? Let's not really focus too much on the features. There's lots of different options we have there from a use case perspective. So let me just share this. So I shared it in the chat.

A: I think that telling the story of how FRSCA came about is kind of important for folks to understand why it looks the way it does, and so for folks who are not super familiar, as a reminder, FRSCA kind of came out of a lot of the frustration and confusion around all the different security tools out there with regard to build and that sort of thing, and how could people create something like a SLSA builder themselves. And so this is using tools like Tekton, Tekton Chains, Kyverno as policy management, SPIRE for stuff like workload attestations, and those things combined create a secure build system that can be SLSA compliant, can ingest stuff from, let's say, S2C2F and so on. And so that's kind of why FRSCA, and so right now it's kind of in a state of...

A: It's an example, it's a POC, but it's not necessarily something that could just be deployed by somebody as just a tool today, and so there's some questions here of...

A: What are folks' use cases? Do folks want to see this turn into more of just a pure teaching example, so that people can almost build their own FRSCA, based on, hey, we swap out Kyverno with OPA, and these are the things you should be considering, and so on? Or do folks want to see this be an actual thing that could be a deployable build tool? I think those are the things that we're looking to get from folks from a use case perspective, and then secondarily we're also looking for folks who are actual...

C: We had a great meeting. We also had another issue up in the middle of the issue, number 16, where there was a question about one of the controls, and I believe Adrian had answered that one. Also we got a chance to talk about Adrian finalizing his slides for the RSA and then the upcoming panel discussion at the Open Summit.

C: Oh, as I said before, we were also working on the training with SKF, and that part today, that's going really well. We're almost done with the first outline and drafting the different training modules, which would go before the SKF, and then they'll help us format and tease out the rest of that, so we can at least get some training modules up so people can start getting trained on implementation of S2C2F.

C: Also we're currently working on the explanatory report towards entering the path submitter process for S2C2F as well, and I believe that SLSA will be ready to do the same thing once we get 1.0 off the ground and it's actually being adopted. So we'll use one as a guinea pig to make the other going through the same process towards a specification smoother.

C: So good times are ahead for all of these different frameworks and, of course, FRSCA as well. I'm really excited about the trajectory that we're on. I believe we're also doing a bit of work on the supply chain security framework that we're building here in this working group too, and I think that we are due for... take a look back at the notes.

C: Here, I believe we're due for some kind of a meeting on that here shortly, where we're actually going ahead and teasing that out. I know that's been something that's near and dear to Isaac's heart, because we've been talking about that for so long. So, eventually, I think we need to be trailing back down on that... break that document. I'm trying to find the link to that document.

C: Oh, here it is, yeah.

C: And I think, oh, let's see, look here, I'm trying to remember what Isaac's net-net with this was, whether or not we were going ahead, and this is a document that I'm looking at right here.

C: So this is something that we have been rotating on for a while now.

C: We're looking at 1.0 right now, and, as Michael was just talking about when it comes to tooling, these two bullets right here are increasingly important as we begin to think about the RC2 window. So eventually we want to get back into this document, kind of tease out a few more things here amongst all of... up to and including FRSCA as well. I think Michael's blog, or his post...

C: That he's writing right now will help out in this area a great deal, because as we begin to get people interested in FRSCA again and get them diving back into putting hands on it, adopting, getting the community behind it again, that will actually add and season this part out. So this part could have a little bit more meat to it.

C: This last one right here, though, this is the one right here I was referring to. So, eventually I'd like for us... that little Isobel lights is like this too... for us to think about forming or reforming...

C: Sort of a topic team or a SIG that specifically talks about this umbrella framework that we can begin developing, and tease out design, and then begin to develop underneath the working group. So I'll pause there. Do we have any thoughts on how best to tackle this part? I'm very interested in this as well, because I think this will be good, not just for this working group, but this will be good for the whole of the OpenSSF as we begin to conceptualize...

C: What an umbrella framework looks like that is the voice, right, the one voice across the OpenSSF itself for how we conduct ourselves in supply chain security. Go ahead, Mike.

A: Yeah, so I know that there's some discussion on... and I hope not to trigger anybody, because I know there's a lot of back and forth on this, but there's a discussion on a thing called the Sterling toolchain, and I know that there's some back and forth about what exactly is that, and is that actually going to get off the ground?

A: I know that was something that the governing board sort of voted on in December, but I know that the OpenSSF is trying to hire a Chief Architect and some other folks to kind of help out with that sort of thing, but I know that's kind of where I think this sort of umbrella framework would also fit in somewhere there, and I know one of the things that has also come out of...

A: Some of the discussions is folks are asking, hey, and how do I actually implement that framework? Nobody's saying there needs to be only one way to implement it, but how could I actually go about doing some of those things? Like, for example, if here's our rules for something like vulnerability management, great, how would somebody implement that from a policy perspective? How could somebody actually configure their tools to help out with it?

C: Well, and to that point, right, so there's a lot of stuff being developed. The security tools... the Security Tooling working group has spun back up and they're conceptualizing a lot of the great things that have to do with SLSA and S2C2F, and the...

C: So I'm pretty sure that, as that gets spun up, it will have relevance into this framework as well. Right, I mean there's... go ahead, John.

D: Yeah, I was just going to ask about some of the other efforts within OpenSSF. I'm trying to learn where they all fall. The ones that I think could be related would be things like...

D: GUAC, I don't know if that's under a working group, and the SBOM stuff and OmniBOR. Like there's a lot of really interesting projects that relate to supply chain security and could tie into this larger umbrella framework. I'm just thinking of the best way to solicit either feedback from those groups or pulling the right people from other working groups, like what's the right hierarchy of where this should fall.

D: And does this group have the right charter and purview to take that on? And that's also... like, I get more wrapped up around this stuff than needs to happen sometimes. So, you know, I like the idea of the intent of open source governance to be more lightweight when possible, as opposed to getting burrowed down in these things, so I'm also okay just saying, hey, it's fine, I'll defer to you all as experts.

C: Why not bring all those people into the room and discuss where all of that stuff fits, if it fits, right? If it fits, if it doesn't fit, okay, but there's no harm in having that discussion, because, like I said, there's stuff going on all across the OpenSSF, and I'm not sure if the conversation around GUAC is involved. I know there's conversations about GUAC. I'm not sure if it's inside of the OpenSSF like FRSCA is, but I know that there's conversations outside, there's conversations around, right, but all that can be talked about, and we know that there is relevance there for all those conversations. Go ahead.

A: Oh yeah, I was just gonna say, yeah, so GUAC as well as OmniBOR and some of the other ones like SBOM don't currently fall under the OpenSSF, but I believe... I'm not sure, OmniBOR, I'm not deep with that group, but I know GUAC. Actually, one of the things that we plan to do is, two weeks from now, in this meeting, we plan to demo GUAC to the group.

A: The intention is probably to contribute it to the OpenSSF, whether it's this group or another group. We're going to be demoing GUAC to multiple groups to kind of see if there's any interest there, but yeah, I think one of the other problems is a lot of those projects...

A: Don't quite currently fall under OpenSSF, but there might be... but also I know that with some of the stuff that we've been talking about is they don't necessarily have to fall under the OpenSSF to still be involved.

C: Yeah, absolutely not. I mean, I think once we get into this discussion, the beauty of this specific discussion is that it's something that is going to span across the entirety of the OpenSSF and can include outside tools, and it doesn't have to be something that's specific. I mean, we'd love all of those tools to be in-house, sure, but that doesn't have to be the case, right, and then, and I...

C: I think that's the beauty of this particular initiative. I don't want to take a vote on creating a SIG for it without Isaac, though, so I won't put that here. I do want it to show up in the notes, though, so when we have Isaac back and he's able to put his eyes on it, then we can...

C: Then we can talk about it and get there, but I did want to make sure it was mentioned in this meeting and on this recording and in these notes that we did in fact bring it up and that we are putting some thought to it, especially considering a lot of the great discussions we're having across the other working groups with a lot of initiatives.

C: They have going on: guides that are being published, best practices that are being talked about, especially hardening guides being developed. All that stuff has relevance here, so I wanted to make sure that we keep that nice and tight on the radar. All right. As far as the agenda, like I said, there wasn't anything there for the agenda, but as far as the working group goes, I believe we covered down SIGs, we covered down our 23.

C: Not hearing any comments, I'll say that that is literally all we have, so I can give everybody 30... 28 minutes back, or we can sit here and have a casual conversation amongst ourselves about the OpenSSF and how much we enjoy...

C: That's all right, though, that's all right! It's all right! Yeah, all right, well, as I said, we're at 26 minutes now, so you guys have some time back. I do have a nice, tight 10 a.m. meeting for myself. I've got the Identifying Security Threats meeting group up next. I'll be attending that. If anybody else is attending that, I'll see you there. If not, I'll see you in a couple of weeks. Thank you all very much.