►
From YouTube: Supply Chain Integrity WG (March 29, 2023)
C
C
A
C
D
C
E
C
E
C
D
C
Also
there's
a
couple
of
a
conference,
a
couple
of
speaking
engagements
for
S2
c2f,
especially
in
the
RSA,
which
Adrian
will
be
doing
here
at
the
end
of
so
it's
the
end
of
April
and
then,
of
course,
we'll
be
having
the
ketchup
mustard
and
relish
the
open
Summit,
which
we'll
talk
about
s2c2f,
salsa
and
Fresca,
and
then
a
panel
just
discussion.
So
we
have
those
coming
up.
C
We
also
have
a
few
documents,
a
few
blogs
that
are
being
created
that
need
to
be
reviewed
out
of
the
the
supply
chain,
Integrity
positioning
meeting.
We
have
that
that
coming
up
as
well
I
think
what
we
can
do
is
drop
down
into
the
sigs
and
just
get
a
good
round.
A
good
round
of
discussion.
Sig
related
I'm,
not
if
but
who
I
want
to
say
John.
C
A
A
A
There's
one
on
Distributing,
Providence
and
there's
a
bunch
of
other
ones,
but
I'll
just
post
this
one
in
the
the
meeting
notes:
Here
I'll
post
it
here
in
the
chat
as
well.
So
there's
there's
a
bunch
of
comments
on
that.
There's
a
few
other
things
that
that
have
already
been
resolved
around
making
some
of
the
language
a
little
bit
clearer.
So
we
switched
back
from
isolated
ephemeral
to
just
using
the
word
isolated.
A
For,
for
how
builds
should
be,
and
then
ephemeral
is
just
a
property
of
isolated,
as
opposed
to
it
being
its
own
separate
thing,
there's
a
bunch
of
stuff
on
on
that
end
and
a
lot
of
other
little
changes
like
that.
That
that
have
been
happening,
and
so
there's
a
lot
of
stuff
to
kind
of
that,
based
on
the
feedback
that
people
are
prepping
for
for
the
release
candidate
too.
So
that's
just
sort
of
the
generic
salsa
stuff
in
the
salsa
specification
stuff.
A
A
A
One
is
just
you
could
have
a
secure
build
without
having
secure
source
and
you
could
have
secure
Source
without
having
a
secure
build,
and
so
we
want
to
make
sure
that
that
was
separate
and
clear
so
that
folks
knew
where
to
start
looking.
If
something
were
to
go
wrong.
Oh
okay,
if
something
went
wrong.
A
That's
so
that's
that
there's
also
another
blog
more
generally
about
why
split
up
salsa
build
from
salsa
from
salsa
Source
those
tracks
that
Melba
and
Chris
are
writing,
and
let
me
see
if
I
can
find
that
one,
this
one's
still
a
a
working
just
a
Google,
doc
and
I'll
post,
that
there
I
believe
they're
looking
potentially
for
some
feedback
on
that.
One.
D
A
So
there's
a
bunch
of
discussions
happening
on
that
front.
Trying
to
keep
folks
in
the
loop
make
sure
that
we
have
sort
of
from
an
open,
ssf
perspective.
We
have
sort
of
that
unified
vision
and
then
for
a
lot
of
the
various
community
members
who
are
very
involved
in
so
also
who
are
interested
in
also
being
part
of
that.
A
You
know
that
communication
blast
there's
some
discussions
happening
on
that
front
as
well,
and
then
salsa
tooling,
is
looking
to
change
the
meeting
time,
because
a
lot
of
the
folks
who
have
been
working
traditionally
I
guess
working
on
a
lot
of
the
the
it's
also
tooling
have
worked
at
different.
They
tend
to
be
West
Coast
and
the
9
A.M
East,
Coast,
Media
or
no
sorry
10
a.m.
East
Coast
meeting
is
a
little
early
for
them.
A
So
you
know
not
to
you
know
discount
any
of
the
work
that
other
folks
doing,
but
we
kind
of
wanted
to
to
make
sure
that
we
could
get
some
of
the
people
who
are
actually
actively
doing
the
software
engineering
to
start
to
collaborate
a
bit
more
because
there's
a
lot
of
tools
that
are,
we
could
probably
have
like
stuff
like
shared
libraries
and
some
of
these
other
things
kind
of
come
out
of
what
is
happening
in
in
the
tooling
space.
So
that's
that's
another
thing
that's
being
worked
on
from
from
the
tooling
side.
A
Oh
and
one
other
thing
from
the
tooling
side
is
potentially
having
a
shared
developing,
something
like
a
standards
or
best
practices
around
Distributing
salsa
right,
there's,
there's
some
high
level
guidance
coming
from
the
specification
itself,
but
we
probably
want
to
say
hey.
If
everybody
can
you
know
if
there's
something
like
a
a
if
everybody
sort
of
named
their
files
like
this,
then
any
tool
that
you
know
in
injected
from
ingested
from
ingested,
salsa
stuff
would
be
able
to
do
that.
A
A
So
we
are
looking
to
kind
of
get
more
contributors
again
or
you
know
call
you
know
if
it
turns
out
hey,
why
don't
we
just
sort
of
use
Fresca
as
a
teaching
example?
Let's
not
really
focus
too
much
on
the
features.
You
know.
There's
lots
of
different
options.
We
have
there
from
a
use
case
perspective.
So
just
let
me
just
share
this.
So
I
shared
it
in
the
chat.
C
We
had
a
great
a
great
meeting.
We
also
had
another
issue
up
in
the
middle
of
the
issue:
number
16.,
where
there
was
a
question
about
one
of
the
controls
and
I
believe
Adrian
had
answered
that
one
also
we
got
a
chance
to
talk
about
Adrian,
finalizing
his
slides
for
the
RSA
and
then
the
upcoming
panel
discussion
at
at
the
open
Summit.
C
Oh
as
I
said
before,
we
were
also
working
on
their
training
with
SKF
and
that
that
part
today,
that's
that's,
going
really
really
well
we're
almost
done
with
the
with
the
first
outline
and
drafting
the
different
training
modules,
which
would
go
before
the
SKF
and
then
they'll
help
us
format
and
tease
out
the
rest
of
that
to
rest
of
that.
So
we
can
at
least
get
some
training
modules
up,
so
people
can
start
getting
trained
on
implementation
of
S2
c2l.
C
So
so
good
times
are
ahead
for
for,
for
all
of
these
different,
all
these
different
different
Frameworks
and,
of
course,
and
Fresca
as
well.
I'm
really
excited
about
the
trajectory
that
we're
going
I
believe
we're
also
doing
a
bit
of
work
on
the
supply
chain.
Security
framework
that
we're
that
we're
building
here
in
this
working
group,
too
and
I
think
that
we
are
due
for
they
take
them.
Take
a
look
back
at
the
notes.
C
Here
I
believe
we're
due
for
some
sort
for
some
kind
of
a
meeting
on
that
here
shortly,
where
we're
actually
what
we're
actually
going
ahead
and
and
and
teasing
that
out.
I
know
that
that's
been
something
that's
near
and
dear
to
Isaac
to
Isaac's
heart,
because
we
talked
about
been
talking
about
that
for
so
long,
So,
eventually,
I
think
we
need
to
be
trailing
back
down
on
that
any
break
that
break
that
document,
I'm
trying
to
find
the
link
the
link
to
that
document.
F
E
C
You
know
we're
looking
at
1.0
right
now,
and
you
know,
as
Michael
is
just
talking
about
when
it
comes
to
tooling-
and
you
know
these
two
bullets
right
here
are
increasingly
important
as
we
begin
to
think
about
rc2
off
window
So.
Eventually,
we
want
to
get
back
into
this
document
kind
of
tease
out
a
few
more
things
here
amongst
all
of
up
to
including
Fresca
as
well,
I
think
Michael's
blog
or
his
the
post.
C
That
he's
writing
right
now
will
help
out
in
this
area
a
great
deal,
because,
as
we
begin
people
interested
in
Fresca
again
and
and
get
them,
you
know
diving
back
into
putting
hands
on
it.
You
know
adopting
you
know
getting
you
know
getting
the
community
behind.
It
again
will
actually
add
and
season
this
part
out.
So
this
part
could
be
a
little
bit
more,
have
a
little
bit
more
meat,
a
little
bit
more
meat
to
it.
C
B
C
A
Yeah
so
I
know
that
there's
some
discussion
on
and
I
hope
not
to
trigger
anybody,
because
I
know
there's
a
lot
of
back
and
forth
on
this,
but
there's
a
discussion
on
a
thing
called.
You
know
the
Sterling
tool
chain,
you
know
and
and
I
know
that
there's
some
back
and
forth
about
what
is
what
exactly
is
that
and
is
that
actually
going
to
get
off
the
ground?
A
Some
of
the
discussions
is
folks
are
like
asking
for
hey
and
how
do
I
actually
Implement?
That
framework,
you
know
nobody's
saying
like
there
needs
to
be
one
only
one
way
to
implement
it,
but
but
you
know
how
could
I
actually
go
about
doing
some
of
those
things
you
know
like,
for
example,
you
know
if,
if
here's
our
our
our
rules
for
something
like
vulnerability
management
great,
how
would
somebody
Implement
that
from
a
policy
perspective
How?
Could
somebody
actually,
you
know,
configure
their
tools
to
to
help
out
with
it.
B
F
C
C
D
D
And
does
this
group
have
the
right,
Charter
and
purview
to
to
take
that
on,
and
that's
also
like
I
get
more
wrapped
up
around
this
stuff
than
needs
to
happen,
sometimes
just
into
like.
So
you
know:
I
like
the
idea
of
the
intent
of
open
source
governance
to
be
more
lightweight
when
possible,
as
opposed
to
like
getting
burrowed
down
in
these
things,
so
I'm.
Also,
okay,
just
saying
like
hey,
it's
fine,
I'll
I'll
defer
to
you
all
as
experts.
C
C
A
Oh
yeah
I
was
just
gonna,
say
yeah,
so
so
guac
as
well
as
omnibor
and
some
of
the
other
ones
like
s
bomb.
It
don't
currently
fall
under
the
open,
ssf
but
I
believe
I'm,
not
sure
omnibora
I'm,
not
deep
with
that
group,
but
I,
know
guac.
Actually,
one
of
the
things
that
we
plan
to
do
is
in
two
weeks
from
now.
In
this
meeting
we
plan
to
demo
guac
to
the
group.
A
To
sort
of
you
know
the
the
intention
is
probably
to
contribute
it
to
the
open
ssf,
whether
it's
this
group
or
another
group
we're
going
to
be
demoing
guac
to
multiple
groups.
To
kind
of
you
know
see
if
there's
any
interest
there,
but
yeah
I
think
you
know.
One
of
the
other
problems
is
a
lot
of
those
a
lot
of
those
projects.
C
Yeah,
absolutely
not
I
mean
I
I
think
once
we
get
into
this
discuss
the
beauty
of
this.
This
specific
discussion
is
that
it's
something
that
is
going
to
span
across
the
entirety
of
the
openness
and
stuff
and
can
include
outside
tools,
and-
and
you
know
it
doesn't
have
to
be
something.
That's
specific
I
mean
what
we
love
all
of
those
tools
to
be
in-house
short,
but
that
doesn't
have
to
be
the
case
right
and
and
then
and
I.
C
Think
that
and
I
think
that
that's
the
beauty
of
this
this
particular
initiative
I,
don't
want
to
take
a
vote
on
creating
a
Sig
for
without
Isaac,
though
so
I
won't
so
I
won't
I
won't
put
that
I
won't
put
that
here.
I
do
wanted
to
show
up
in
the
notes
of
them
when
we
have
when
we
have
Isaac
back
and-
and
you
know
he-
you
know
he's
able
to
put
his
eyes
on
it,
then
we
can.
C
They
have
going
on
guides
that
are
being
published
best
practices
that
are
being
talked
about,
especially
no
hardening,
guides
being
developed.
All
that
stuff
has
relevance
here,
so
I
wanted
to
make
sure
that
we
that
we
keep
that
nice
and
tight
on
the
radar
all
right.
As
far
as
agenda
like
I
said
there
wasn't
anything
there
for
the
agenda,
but
as
far
as
the
working
group
goes,
I
believe
we
covered
down
cigs
we
covered
down
our
23.
G
C
C
That's
all
right,
though,
that's
all
right!
It's
all
right!
Yeah,
all
right
well,
as
I
said
we're
at
26
minutes
now,
so
you
guys
have
some
time
back.
I
do
have
a
nice
tight,
10
a.m.
Meeting
for
myself,
I
got
the
identifying
security
threats.
Meeting
group
up
next
I'll
be
attending
that
if
anybody
else
is
attending
that
I'll
see
you
there,
if
not
I'll,
see
you
in
a
couple
of
weeks.
Thank
you
all
very
much.
Thank.