From YouTube: Supply Chain Integrity WG (April 26, 2023)
A: Yep.

B: Yep, got back Saturday afternoon.

A: Nice. How was it? It was good?

B: It was. It was really good, but when we get to the agenda, there was some interesting feedback on some of the projects like SCI, you know, like SLSA and some of the other stuff that we've been doing, and definitely areas we can improve on there, I know. A lot of folks have been asking for some interesting stuff out of the OpenSSF.
A: Awesome. I think maybe we'll start then, because the other topic we could, I mean, it's going to take all of the available time. So I'm gonna put that at the last and we'll basically soak up whatever's left with that one. Let's give folks a couple of extra minutes to filter in. Let me get started. I'm very interested in Specter, by the way, Mike. We need to chat about that at some point too.
A: All right, 10:04, there we go. Let's begin. So I'm gonna invite a couple of things. First of all, if you're here and you haven't yet added your name to the agenda, please do so and just kind of note that you were here today. There's a little section in the doc that's linked in the meeting invite where you put your names that you're here on April 26th. And then also I'm going to ask, see if we have anyone who's new to this meeting who'd like to introduce themselves. And if you're new to the meeting and don't want to introduce yourself, that is also totally fine. But if you're here for the first time and want to say hi, now is your chance.
C: Hi, it's not my first time attending, but I'm about to start diving in a bit deeper in SLSA and elsewhere. My name is Matt Wood, I'm from Intel, and one of the main parts of my day job these days is evaluating how to implement SLSA as a common framework within our software infrastructure. So yeah, I plan on engaging deeper in those forums.
A: Can I ask you a quick question about that? Just out of curiosity, are you looking at that primarily driven by, like, insider risk, or are you looking at adoption of SLSA for better assessment of upstream risk, or what was the overall motivation, I guess?
C: Part of it is to help us comply with some of the government mandates that are coming out, you know, generation of evidence and so on. But, you know, in general, there's, you know, the goodness and light to making sure that what we expect to be built actually gets built, and being able to show that to our customers.
A: Sweet. Anyone else want to say hi, if it's the first time or new-ish to these meetings?
A: Nope, okay, so we can progress. So we've got two top-level items on the agenda today. One, Mike brings us news from Amsterdam. He comes with some insights and some feedback and some things which I think collectively would be useful for us to look at. Second item is the overall strategy or direction, I guess, or North Star for this group in 2023, but we'll come to that second. Mike, let's start with you and I'll take notes as we go.
B: Cool, yeah, so a couple things. One was, hey, the SLSA 1.0 announcement went over very well. A lot of folks were super keen to hear that that kind of came out. A lot of folks were asking questions, because we were also doing a thing called the Security Village out there, and, you know, among a lot of the projects, a lot of folks were like, hey, have you heard of the SLSA thing? Because they heard, like, hey, I do stuff with supply chain security.

B: I said yes, I very much heard about this SLSA thing. In fact, we just went 1.0. And so folks are very, very keen on seeing that and seeing what kind of comes out of that. There's some additional stuff which I added into a GitHub issue under the SLSA thing. One is just that a lot of folks are a little confused about SLSA 1.0 examples and, like, where that might come in, and some stuff on that front that I think we should take a closer look at.

B: You know, like one of the things that was brought up was like, hey, are there any SLSA 1.0 compliant tools? Some of that's still being built out.

B: There was also some questions around, which I think we just need to do a better job on, which is, like, a lot of folks are worried that, like, SLSA only supports SaaS builds, which it doesn't, but I think they're looking at, like, hey, why is everything on GitHub right now?

B: Right, you know, and they do see tools like FRSCA, but then they say, hey, I think there's like some sort of middle ground between, like, this big thing like FRSCA and something that is just like a SaaS like GitHub, and so some chat around that, which also, this is something that I'm personally working on as an open source project for the future. But so that was some stuff. Another thing that came out was CNCF announced SLSA audits.

B: This was for the v0.1. They did say 1.0 when they had announced the audit; 1.0 hadn't gone live yet, it was, I guess, on the Wednesday morning, a little bit before 1.0 went live, right. So, but they did a v0.1 audit of Prometheus and Argo through the CNCF. They're looking to do more of those audits and, in fact, want to partner with both TAG Security to help define, like, that policy of, like, yeah, all projects should be built through SLSA.

B: Let's say all CNCF projects should be built through SLSA or something like that. They're looking for that sort of information and how to include a lot of the stuff that's coming out of OpenSSF, like S2C2F, SLSA, some of the other, like, Best Practices, Scorecard, yada yada, and make those as suggestions for CNCF projects.

B: Since we know that CNCF projects tend to be more tooling-focused projects and OpenSSF is a little bit more geared towards, like, frameworks, white papers, best practices. And they are also looking to partner with OSTIF, which is also under the Linux Foundation, as the conduit for how audits get paid for, which I think OSTIF is like the Open Source Technology Improvement Fund or Innovation Fund, something like that.
B: Another thing that came up, and this is sort of feedback for some of the S2C2F folks. There seem to, you know, folks have heard of S2C2F, but they're unsure a little bit of where it fits in, and then some folks had also started to point out that some of the documentation, I'm sure it's just a typo, it's not on purpose, still refers to, like, S2C2F as, like, Microsoft S2C2F, as opposed to OpenSSF S2C2F, and there's some concern.

B: You know, there's some confusion also about how much of it is an OpenSSF project versus a Microsoft project, given that, like, the maintainers are all Microsoft folks, and also some of the links seem to incorrectly point to microsoft/oss-ssc-framework. So there's some stuff there. I'm sure that can kind of be sorted out, but that's some feedback I had gotten on that from a few folks. And then separately, there's also a desire for the OpenSSF to take a larger part in helping to define end-to-end supply chain security.

B: One of the things that was brought up was some folks aren't ready for cloud native adoption yet and want to better understand how to secure supply chain outside of cloud native tools. So that's why, you know, a lot of folks are saying, hey, there's a tool like Kyverno, which is policy, but that only works inside of Kubernetes. OPA can work outside Kubernetes, but, like, they want to see more of that, and that's, I had brought up, hey, there's some work happening on the Sterling Toolchain side.

B: I know that's still being built out. There's a couple of documents that are out there. They're also asking for more diagrams and where sort of supply chain integrity fits in. I know that the Diagrammers working group is working on some stuff, but I think folks are, like, looking for a little bit more of, like, a white paper, that kind of thing. And then there's also, it's unclear if/when SCI will focus more on tooling. You know, some folks are like, hey, are there gonna be any tools that come out of the Supply Chain Integrity working group, or at least suggestions of tools, or something like that? Because I think it really does sound like folks are a little bit lost when it comes to actually implementing the practices that are coming out of this group.
B: I think that there is, this is where, like, I think some of that cross-group pollination should happen a bit more, because I know that there is, I think that there is, like, for example, there's, like, you know, OpenSSF Scorecard, right? You know, and people are saying, hey, OpenSSF Scorecard is great, but a lot of folks are like, what other tools are out there, and especially, like, command line tools and kind of more dev-focused things? Because, yeah, there's the Security Tooling working group, but I believe the Security Tooling working group isn't really working on, I guess, I...

B: I guess it's probably worthwhile for me at this point to maybe do a little bit of a dive into the Security Tooling working group and see where we can cross-pollinate more on that end, because I think they're mostly, like, linking back to a bunch of tools that are working on this stuff.

B: Yes, yeah, but that's a good point. I'll definitely reach out to those folks.
A
Got
it
yes
and
you're,
you
could
use
some
of
your
abundant
free
time
to
to
follow,
but
yet
another
thread
I
mean
I
I.
A: And I could, of course, I like this. This question has kept coming up and I think it's worthwhile, at least, I mean, maybe it's worthwhile making it visible to the TAC that we could use some overall guidance or kind of help with the overall alignment as to how we think about tooling OpenSSF-wide. There are various point efforts, you know, in various other working groups, and so I know it's...

A: You know, we had this also Tooling working group, and there was this question of should SCI, especially, be SCI tooling, and should FRSCA be a part of Tooling, and so on. I think that we should try and run this down and perhaps engage the TAC in helping with this, because, yeah, I don't see this converging at the moment. I see it just continuing to roll along without much convergence.
A: That's super interesting about S2C2F. Are you, do you, I mean, it sounds like we've got some fix-ups to do with links, but in terms of maintainers and Microsoft involvement and kind of making this, you know, more clearly an OpenSSF thing and less of a Microsoft thing, is that something that the S2C2F working group is looking at?
D: Absolutely. Reason why I keep bringing it up: we need more participation, more people diving in, more people getting involved. The meetings are open. About these links, etc., I've been going, so I'm happy about that discovery, my goodness, because I've been systematically going through and finding places where we have a little bit of debt, right?

D: We got a lot of stuff that's lagging from back in October and back in September and everything like that, when we were trying to merge stuff over. So highlighting that stuff is important. You know, making sure that we're articulating everywhere that this is part of the OpenSSF and stuff, and I don't have any visibility on the team that actually puts this stuff in the public sphere, but when I see it and I catch it, I can reach...

D: Excuse me, reach out to those that do. And exactly right, people are reading, people are, this is catching notice, but we need to do the right thing on making sure it's situated correctly and it's not just a Microsoft thing, as I said before. Getting all of the links and all of what's out there in the sphere corrected, that's an easy fix, right?

D: You only see what you, but you can only catch what you can see, right? Unless you're fishing, then you just toss the line up, which is the other line, Mike. But with respect to community involvement, you have heard me say, and it'll be almost a year now, be a year and a couple of months: hey, we're here, get involved, let's do it. And hopefully everybody jumps on. Now that we're full steam ahead with 1.0 and because we can, we find, you know, hell...

D: We found a clear path and clear parallel. We could identify gaps and we can identify how one works with the other, how S2C2F will work with SLSA and vice versa, right? So there is a clear marriage between the two. So I feel like, you know, more people join the meetings, more people get involved, more people contribute, more people on that maintainers list, which is absolutely where we'd like for this to go.
A: That makes sense, thanks, Jay. And I think, I mean, whoever said, I think it is worthwhile to note that, hey, people finding nits to pick out in the docs is encouraging and indicative people are looking at the docs.

A: I mean, that's progress in itself, so it's something to celebrate there, even though we've got a little bit of fix-up to do here and there. Mm-hmm. Any other thought on anything that Mike brought back from Amsterdam, or any other thoughts generally on how SLSA 1.0 has landed in your communities and places around you?

A: No, just generally for anyone here, has anyone else got feedback from the community or from their companies, or, you know, any of the other, you know, chatter we've heard around 1.0 that they want to bring up?
D: Everyone's excited about it, I think, especially those that saw it also back in, no, about this time last year, back in June and July last year, and then seeing what 1.0 became as a result of all the hard work that was done, separating the tracks and really drilling down to something that's not only that people can take in and read, but something that's actually usable and that they can apply to their builds and they can apply to how they practice and what they do.

D: Going to get developed in there, there's a bit of concern with that, whether or not the tracks themselves are going to take away from the current track. Are they going to add to it, right? And so both positive and negative risks are articulated, risks nonetheless, you know, so, you know, over time.

D: I guess we can do a good job of explaining changes iteratively as they come up, but so far, I mean, the review and so far, it's just nothing but positivity around 1.0.
A: That's great to hear, great. I see a couple of hands up. I'm not sure who had the hand up first. Mike, maybe we'll start with you. You're both Mike. Mike Thompson, maybe we'll start with you.
E: Hi there, let's try this again. Awesome update on SLSA 1.0. I gotta make my usual disclaimer, sorry, everybody: anything I discuss here, my opinions, not those of my employer. With that said, I was curious when we're gonna see some of the stuff from SLSA 4 come back, namely the network isolation in 1.0.
A
Was
the
the
big
one
they
got
removed?
I
mean
it's
also
level
four
I
think
I
think
it
was
sacrificed
to
pragmatism.
B: Yeah, yeah, so I believe the main things were, so the reason why a lot of it was removed was what exactly hermeticity meant to different folks kind of was wildly...

B: They have a lot of issues with some of those requirements and a lot of confusion on, like, how that might get done. And so, even if we did sort of put the requirement out there, there was worry that it would just kind of, like, get lost in the mix, or that folks would keep sort of doing that.

B: So the thing there is, like, I think very, very soon you'll probably see something like a SLSA 4 draft come up, very, very soon, I anticipate, probably on the order of, like, weeks, not months. And, you know, it'll be in draft form for a while as folks kind of sort that out and sort out what hermeticity means and some of those other things.

B: Some of the other tracks are also being sorted out, and I think the two ones that have been brought up time and again, and this actually came from some of the conversations at KubeCon as well, the two main ones were source track, like two-person code review, bringing that back in but as a separate track, so that folks recognize that you can have a secure build that just builds...

B: ...you know, bad code. That's still something that's there, but keeping it separate so that folks who are focused on one piece can focus on that one piece. But yeah, so the source track is one of the big ones: two-person code review, signed commits, that kind of thing. And then the second piece is a secure build system itself. So a lot of folks are really asking, like, hey, I'm not using GitHub Actions, what are the things...

B: ...I should be doing to secure my build infrastructure, right? Because SLSA does talk about, like, a trusted build system, and right now we've been very broad about that. We're just sort of saying, hey, run that trusted build, you know, run a build system securely, and, you know, following these sorts of parameters, like, you know, builds need to be isolated and those sorts of things, right? As long as it has those characteristics, that is good enough to be SLSA provenance. But folks are asking, okay, great...

B: ...can you point me in the direction of how I would do that? Like, what sorts of things, you know, do you recommend doing in order to meet those requirements that are required for SLSA provenance? So those are the two big tracks that people have been asking for recently, and that work will probably start within the next few days as well.
E: When I think of, like, network channeling as we were discussing, actually in the Slack, getting, like, all your dependencies into one place, like, I think we called it vendoring. I think that's a term from the Rust ecosystem. It's vendoring: we pre-compute all your dependencies and you put them into place, and then you only read from that place.

E: I would like to see us look at something like: network isolation doesn't mean you can't reach out to the network. It means you can reach out to the network, but when you do so, it has to be metered, audited, that type of thing. So I'd like to see that nuance get in there. I'm happy to help contribute, because my second one was: how do I help contribute to that draft?
B: Sure, so feel free to. Every Monday we have a SLSA specification meeting. That's kind of where a lot of that work starts. So I think usually, like, something like this will get brought up either as open up a GitHub issue and say, hey, here's this thing, or just on the Monday meeting, chat through some of those, like, hey, here's something I noticed, I'd like to sort of contribute to this. And somebody might say, okay, great, yeah, that's on the list, or, you know, we have that prioritized, or no...

B: No, we hadn't thought about that, but if you're willing to write something up. So on Monday, that's kind of the meeting to bring that up in. And just to be clear, these are all, like, reasons why, those things that you brought up are reasons why we had removed the hermeticity requirement originally, is because we wanted to make sure that that definition was, like, super crystal clear, so that we included all those things you talked about, because these are all things that we also truly...

B: You know, we believe as well, of, like, hey, the hermeticity thing is more, like, it's more about the dependencies you think you're pulling in are the dependencies you did pull in, and that's it, right? You didn't pull something in without actually recording it. You didn't pull something in without knowing what it was. You actually pulled in exactly what you said you were pulling in. And that sort of thing is, like, in certain cases, it's just, hey, I downloaded everything beforehand and then I give it to the build. Sometimes that might be...

B: ...you know, what you described, of, like, I'm calling out to the network, but it's all audited, like, I don't have direct access to the internet, I only have access to the things that are already, you know, allowed, and that sort of thing, whether it's, like, through a, you know, Artifactory or Nexus proxy or whatever. I think those sorts of things are things that we're looking to, yeah, make a lot more crystal clear to folks, so that they understand, when they look at the hermeticity requirement, what that actually means.
A: Yeah, I think, I think that, Mike, and I mean, that's a really good point, that I think the hermeticity requirement was kind of thought of as a solution to a set of problems without the problems being particularly well articulated or investigated. And I think, actually, if you take a closer look at, like, what are you actually solving for, you begin to go, well, actually, we can solve for those things without having a completely...

A: ...you know, isolated, no-network-access environment, but, you know, perhaps metering or whitelisting or logging, or, you know, at least we have observability into what is going on. And then the idea that, you know, in the process of this build, the build can decide to reach out to the internet...

A: ...for, you know, arbitrary artifacts ad hoc, that's certainly something which we don't want to allow, but there's plenty of network access which is non-threatening in nature and perhaps needs to be within the boundaries here. And, you know, with the idea of hermetic to your environment, like hermetic to your organization and your company, or hermetic to your build system and your artifact registry, whatever that looks like. To Mr. Lieberman's point, there's some nuance there which needs to be better articulated in the spec.

A: That's super good feedback, though, Mike. Thank you.
A: Anyone else with comments on SLSA before we move on to the SCI vision?
A: Okay, with that, let's move on, and let's see if I can actually, I'm kind of, I'm juggling various devices here, so I'm trying to figure out if I can project this thing while I'm on my boat. Yeah, I think I can, so let me try and share my screen here.
A: Yes, awesome? Okay, so I've been through, so this document has been kind of circulating for the last few months. There was, when I first shared it in December, there was a whole bunch of comments coming in December and January, and I've been through in the last couple of weeks and kind of gone through all of that feedback and incorporated it.

A: One thing that I added yesterday, which we didn't have, was trying to articulate exactly what problem we're solving. And this is, again, like, the context of this is the OpenSSF Supply Chain Integrity working group, and so this is independent of, you know, what products we happen to have on our shelves today, in the way of SLSA or S2C2F or FRSCA or whatever. This is thinking about what should the OpenSSF Supply Chain Integrity working group be focused on when we think about what problem are we trying to solve?

A: And, you know, there's a lot of problems we could go solve, right? I mean, organizations have problems and the industry has problems, and the government has problems, and software producers have compliance problems and software consumers have risk problems. And so I think part of the challenge that we have is narrowing.

A: You know, help add, you know, more requirements on my plate and practices that need to be followed. So I think that SLSA is solving, so, and again, like, I own, SLSA here is kind of an exemplar here, rather than supply chain integrity, but I feel like the pain today of supply chain integrity, the challenge, is really borne by the consumers of software, not the producers, and that's partly structural. And I think that, you know, the US government would like to shift that.

A: They've been moving towards software liability, and maybe when software-producing organizations are liable for security defects, maybe they'll have a set of problems which are more acute and urgent, which we might want to solve. But right now, I think that the more pressing problem, and the more readily articulable one, and the one that is felt more urgently, is on those consuming software, and so the supply chain...

A: ...integrity problem tends to be borne by those who are consuming from something upstream and are in a position of not being able to reason about or measure or manage or mitigate or reduce the risk that they're ingesting as they rely on externally supplied components. And so I think, if we want to solve this problem, we will be led to solutions which have implications for other actors. And so, you know, SLSA as a partial solution to this problem has implications for software producers, and hopefully recognizing that software...

A: ...producers are not particularly incentivized to solve this problem, because they're not feeling the pain. And I think that leads to principles like, if we scroll down to principles, principles where we aim to disappear into the infrastructure layer. And if software producers have to invest or commit to a lot to adopt SLSA or S2C2F, we're probably not going to get much adoption. But if we make it so that all, you know, common tools, CI/CD systems, build systems, policy systems out there already have support for the frameworks we're building, and it becomes next to free to adopt for many software producers, again...

A: You know, it leads to principles like targeting the technical infrastructure as a point of leverage, you know, anchoring trust in tools and systems, not processes and people, and so on. So I've added a little bit to this document, and I don't think it's going to be productive to try and review the whole thing top to bottom live, but I'd love to get feedback, or at least kind of initial reactions...

A: ...on this problem statement here, because I think that if we can agree on, again, like, an SCI working group level, and kind of, you know, putting what we have, what we happen to have on the truck today, as in SLSA, FRSCA and S2C2F, putting that aside and just thinking about if we had nothing and we're starting the SCI working group today, what problem would we begin to try to solve? I think it would be this one, and I'd love to hear if there are other opinions.
B: Yeah, this is, this is great. I think, to take a step back, I think that, and I don't know how we want to prioritize it, I think generally you hit the nail on the head on a lot of it.

B: If I go back to some of the stuff that myself, you know, I've done, and some of the other folks I've been working with have done, on sort of trying to figure out who are the folks we want to most help to begin with, because it turns out everybody has slightly different needs, or different prioritization around the needs, I should say. Like, everybody has these needs, it's just around...

B: ...how important is it for them. And this is something that's been brought up as part of also the Sterling Toolchain and some of the other work. You know, if we take a step back and look at the problem and how it gets solved a little bit, right, you're going to have a lot of these larger enterprises that are going to say, hey, I'm going to hire a large consult-, like a larger bank, let's say, is going to hire a large consultancy to help fix this.

B: They might say, please implement SLSA, please implement, you know, S2C2F and these other things. But one of the things that was brought up, which I found very interesting, is that same large enterprise that wants to, this, that's how they secure their own supply chain, they want to use software by smaller manufacturers as well, but it's hard for them to do that when those smaller...

B: ...you know, producers of software are unable to, let's say, hit the high level of requirement that they might have. Like the, you know, hey, in order for us to hit SLSA and get a SLSA on and do all this stuff, that's the majority of our budget, right, before we even start writing the features. And so that's kind of one of the things that was brought up by a few folks was, hey, anything...

B: SLSA, I should say SLSA, the various things like Scorecard and all the other best practices that are coming out of this, the better it is for everyone at large, because then those smaller, you know, producers of software can then be used by larger ones, and then, you know, it all sort of flows down.

B: That was something that was kind of brought up in a couple of the meetings, was just, like, how do you get, how do you bring those folks along who are, like, hey, I have a million things on my plate? Quantifying, you know, risk and reasoning about it and yada yada is not on my list of things to do.
A: No, it's a really good point, and I mean, I actually just literally, only responding, had a conversation with folks here at Google who, you know, are in the business of, you know, vendor security assessments and looking at, you know, how we bring in third-party software. And yeah, I think there are sort of organizations that produce great products, who would provide great value, but, like, to your point, it's an enormous burden trying to meet the requirements of a mega corp like a Google or a finance organization. And we have these incredibly strict requirements; it can just be prohibitively expensive to meet those requirements in order to get your first sale to the company that decides. And I think I'm going to make a note of that in the notes. I think that's definitely a good point.
A
Tim
you
mentioned
you
were
you
were
scanning
down
and
this?
Oh
sorry,
Mike
I
just
saw
you
got
your
hands
up.
E: So it's just reflecting on what you said about the open source maintainer, and the open source maintainer wants to wake up and be like, oh great, something else I have to do. One of the challenges that I've personally found with open source: you should go clone the repo and you say, Maven build, or make, or whatever, whatever...

E: ...build command is, and the build immediately fails, and there's no, like, you go to the contributing doc and it just says, run this. It doesn't say, okay, you need this JDK on this distro, and here's how you build this thing. I'm wondering if another avenue is, hey, open source maintainers, if you don't want to, if you are unable to, or for whatever reason you can't comply with this, give the consumers the ability to take the software and build it in their own, yeah, defined environment.
A: I think, I think yes, and I think, and I was thinking about you yesterday as I was working on this doc, that I think in some cases, like, being able to say, you know, this open source has a sort of provenance, if we can get there without even involving the maintainer, then you can still solve the problem. And so, you know, again, like, not wanting to expose my bias too much.

A: But, you know, Google has this product, Assured Open Source, where, you know, for given open source packages, you may find that Google has rebuilt it on Google's own infrastructure and, you know, has provided SLSA provenance for this package. And so it could be that, you know, we can meet the goals of supply chain integrity without requiring the software originator to do the work of the attestation. It could be that there's an intermediary or third party or trusted rebuilder.

A: It could even be that, you know, we want to stand up an open source rebuilding-as-a-service, to your point. But maybe there's an opportunity for, you know, an open source maintainer to just say, go build it over there and you'll get your SLSA provenance directly. It would be a neat way to get around this or deliver against the problem without requiring the maintainer to invest a lot.
E: There may be something a little more specific, rather than saying, you know what, hey, come, just let this, think about Google Trusted Source. I mean, the Google Trusted Source thing is cool, I'll try and knock it, but rather than saying, you know what, I'm gonna ingest, hey, open source container, so I'm going to ingest your stuff and I'm going to supply it, I'm gonna vend it for you.
C
F
C
C
B
Sorry
I
was
just
going
to
say:
yeah
I,
think
I
mean
that's,
definitely
something
that
I
can't
remember
if
it's
the
it's
one
of
the
like
groups
under
Ethiopia,
but
as
Seth
has
been
talking
about
this
sort
of
thing
as
well.
B
I
think
the
thing
is
is
that
sort
of
thing
is
just
that
should
already
be
table
Stakes
for
for
for
an
open
source
project
like
if
you're,
if
you
are
running,
builds-
and
you
are
not
also
providing
the
ability
to
run
those
builds
in
some
way
right,
like
you
know,
a
make
file
a
build
script
or
whatever
right.
You
know
some
way
to
pull
down
dependencies,
then
you
know
you're,
not
really
not
really
complete
right
and
in
fact,
for
a
lot
of
folks
that
should
raise
red
flags.
B
If
hey
I
looked
at
your
Source
I
tried
to
run
the
build
script
and
it
didn't
work,
because
it's
missing
all
these
things.
That
should
be.
You
know,
generally
suspicious
to
begin
with.
I.
Just
think
that,
like
you
know,
I
think
the
thing
there
is
is
is
generally
yeah.
I
think
that's
a
good
best
practice
that
should
be
sort
of,
maybe
even
something
like
a
salsa
practice
right
of
saying,
hey
the.
B
E
I
think
that's
a
great
idea
that
it
should
be
definable
which
also
like
yeah
I.
Imagine
Google
when
y'all
were
building
your
sorry
I
forget
the
name
of
the
product.
Now.
E
A
It's
a
good
question:
I'm
I,
don't
I,
don't
have
the
answer
to
that,
and
but
I
would
also
be
super
curious
and
I
can
I
can
try
and
find
out
and
I.
Think
I
mean
the
other
interesting
thing,
and
you
know
speaking
generally
about
this.
This
space
I
think
part
of
the
problem
that
assured
open
source
and
others
like
it
are
trying
to
solve,
is
there's
an
accountability
Gap
in
in
the
ecosystem.
A
You
know
open
source
sustainability
incentives,
economics
problem
to
be
solved
here
as
well.
I
think
assured,
open
source
is,
is
Google,
saying.
Well,
you
know,
hey
we'll
step
in
and
we'll
we'll
be
a
supplier
of
records
for
these
packages,
and
you
know
hey.
If
you've
got
a
problem
with
them,
you
can
come
and
scream
it
as
potentially
there
are.
A
There
are
other
solutions
to
this
problem
too,
but
I
I've
heard
that
this
General
notion
that
there
is
an
accountability
gap
between
what
Enterprises
want
to
consume
and
how
far
up
the
stack
of
Open
Source
can
reach
in
general.
If
that
makes
sense,
I
mean
you
know,
and
you
know,
Red
Hat
has
obviously
made
an
entire
business
out
of
out
of
you
know.
Stepping
into
this
Gap
too
Jonathan
you've
got
your
hand
up.
F
F
C
F
B
No
I
yeah,
no
I
totally
also
sorry
I
was
just
gonna,
say
yeah
I
totally
agree
with
that.
I
think
the
idea
is,
it
should
be
table
Stakes,
I,
Know,
It,
Like
It.
By
no
means
is
it
but
I
think
that
you
know
for
a
lot
of
folks
who
are
who
are
looking
at
this
sort
of
stuff?
B
The
fact
that
you
know
yeah
I
can't
go
in
and
and
even
though
a
lot
of
these
things
are
open
source,
but
they
require
me
to
own
random
Hardware
or
whatever,
all
of
a
sudden
that
becomes
much
more
difficult.
It
also
I
think
it
sort
of
begins
to
raise
flag.
You
know
red
flags
around
like
hey.
How
would
I
know
whether
or
not
something
is
potentially
malicious
or
dangerous
if
I
can't
even
really
run
the
build
myself
right,
yeah.
A
I
was
I
was
just
going
to
make
the
observation.
Actually
that
I
think
it's
a
salsa,
Level
One
requirement
is
a
scripted,
build
itself
right,
I
mean,
and
that
itself
is
a
nod
to
the
fact
that
not
all
open
source
builds
are.
You
know
readily
scripted
and
automated
already,
and
some
of
them
require
you
poking
around
in
your
IDE
to
get
them
done.
F
What
what
defines
a
scripted
build
right
like
is
that,
like
you,
must
be
able
to
run
a
single
script
to
build
the
whole
thing
which
includes
installing
all
dependencies
in
the
jdk
and
like
all
that
stuff
or
is
it
like?
Can
can
that
scripted
build
assume
certain
dependencies
to
be
present
on
the
system
prior
to
running
that.
A
That
is
a
great
question:
I'm
literally
looking
up
to
cells
about
Dev,
slash
requirements
right
now
to
answer
that
all
build
steps
are
fully
defined
in
some
sort
of
build
script.
The
only
manual
command,
if
any,
is
to
invoke
the
build
script
example
being
make
all.
F
A
The
right
version
of
python-
it's
an
implicit
assumption
around
prerequisites
here,
which
is
kind
of
hands,
are
waived.
Yeah
I
think
that's
fair
reservation.
A
Any
other
thoughts
on
this
and
in
general
around
this,
the
supply
chain,
Integrity
Vision
document
in
terms
of
what
I
hope
to
do
next
I
mean
it
sounds
like
nobody's,
looked
at
the
problem
and
gone.
Oh,
my
God.
That's
completely
off
base
and
you're
forgetting
X,
Y
and
Z
important
thing,
which
is
good
I,
recognize
that
there
could
yet
be
some
refinement
to
do.
A
There
may
be
some
some
things
and
perspectives
that
others
may
have
or
more
thought.
May
reveal
and
problems
with
it,
but
my
intent
with
this
document
now
it's
kind
of
cleaner
is
to
go
through
I'll
highlight
you
know
some
of
the
new
sections
of
people
who've
seen
it
before
can
kind
of
just
review.
What's
new
circulate
it
in
the
community?
A
I
think
we've
talked
about
passing
this
up
to
the
tech
to
review
as
well
and
say:
Hey.
You
know
the
SEI
working
group
we're
trying
to
you
know
reboot
it.
You
know,
since
we
left
at
its
Charter
with
visited,
we've
had
salsa
V1
launch,
we've
had
sdc2f
join
the
thing:
we've
had
movement
on
Fresca
and
we
need
to
kind
of
reconceptualize
or
reframe.
A
What
SCI
working
group
is
about
in
open
ssf,
and
this
document
is
our
our
current
best
articulation
of
that,
and
so
what
I'll
probably
do
is
post
on
the
mailing
list
and
in
slack
a
call
to
review
this
thing,
another
round
of
comments
and
feedback
Incorporated,
and
then
you
know,
with
one
more
nod
from
this
group
in
the
meeting
and
probably
pass
it
up
the
tank
to
review
any
thoughts
on
that
as
proposed
next
steps.
A
Okay,
I'm
going
to
take
that
as
there's
no
I.
B
A
A
I
appreciate
that,
thank
you
very
much
all
right
cool.
Well.
That
in
fact,
is
actually
probably
a
great
place
to
end
at
the
bottom
of
the
agenda.
We've
got
a
great,
encouraging
and
positive
comment.
I
will
post
assembly
this
meeting
in
slack.
I'll
also
circulate
this
doc,
as
discussed
with
me
to
get
in
two
weeks
and
maybe
we'll
have
something
which
we
can
all
agree
as
Tech
already
and
get
this
formalized
as
part
of
the
new
challenges
working
group.
A
Thanks
all
great
to
see
you
all
Mike
great
to
have
you
here,
I
hope
to
see
you
again
in
this
meeting
and
continued
presence
and
now
really
definitely
look
forward
to
your
help
with
the
spec
around
Hermitage
City,
and
if
you
need
ping
me
on
slack
or
on
email,
if
you
need
pointers
to
the
the
spec
working
group
for
that
and
yeah
great
to
have
you
involved
thanks
chisel.