►
From YouTube: Supply Chain Integrity WG (April 26, 2023)
A
B
Yep
yep
got
back
Saturday
afternoon
nice.
How
was
it
it
was
good?
It
was.
It
was
really
good,
but
when
we
get
to
the
agenda
there's
there
was
some
interesting
feedback
on
some
of
the
projects
like
see.
You
know
like
salsa
and
some
of
the
other
stuff
that
we've
been
doing
and
definitely
areas
we
can
improve
on
there
I
I
know.
A
lot
of
folks
have
been
asking
for
some
interesting
stuff
out
of
the
open,
sff.
A
Awesome
I
think
maybe
we'll
we'll
start
then,
because
the
other
in
the
other
topic
we
could
I
mean
it's
going
to
take
all
of
the
available
times.
So
I'm
gonna
put
that
at
the
last
and
we'll
basically
soak
up
whatever's
left
with
that
one.
Let's
give
folks
a
couple
of
extra
minutes
to
filter
in.
Let
me
get
started
I'm
very
interested
in
Specter
by
the
way
Mike.
We
need
to
chat
about
that
at
some
point
too.
A
A
A
That's
Linked
In
the
meeting
invite
and
where
you
put
your
names
that
you're
here
on
April
26th
and
then
also
I
I'm,
going
to
ask
see
if
we
have
any
anyone
who's
new
to
this
meeting,
you'd
like
to
introduce
themselves
and
if
you're
new,
to
the
meeting
and
don't
want
to
introduce
yourself.
That
is
also
totally
fine.
But
if
you're
here
for
the
first
time
and
want
to
say
hi
now
is
your
chance.
C
Hi,
it's
not
my
my
first
time
attending
but
I'm
about
to
start
diving
in
a
bit
deeper
in
salsa
and
elsewhere.
My
name
is
Matt
Wood
I'm
from
Intel
and
one
of
the
main
parts
of
my
day.
Job
these
days
is
evaluating
how
to
implement
salsa
within
as
a
common
framework
within
our
software
infrastructure.
So
so
yeah
I
plan
on
engaging
deeper
in
those
forums.
A
C
The
part
part
of
it
is
to
help
us
comply
with
some
of
the
government
mandates
that
are
coming
out.
You
know,
generation
of
evidence
and
and
so
on,
but
you
know
in
in
general,
there's
you
know
the
goodness
and
light
to
making
sure
that
what
we
expect
to
be
built
actually
gets
built
so
and
being
able
to
to
show
that
to
our
customers.
A
Nope,
okay,
so
we
can
progress.
So
we've
got
two
top
level
items
on
the
agenda
today.
One
Mike
brings
us
news
from
from
Amsterdam.
He
comes
with
some
insights
and
some
feedback
and
some
things
which
I
think
collectively
would
be
useful
for
us
to
look
at
second
item
is
the
overall
strategy
or
Direction
I,
guess
or
North
staff
for
this
group
in
2023,
but
we'll
come
to
that
second
Mike.
Let's
start
with
you
and
I'll
take
notes
as
we
go.
B
Cool
yeah,
so
a
couple
things
one
was
hey.
The
salsa
1.0
announcement
went
over
very
well.
A
lot
of
folks
were
were
super
Keen
to
hear
that
that
that
that
kind
of
came
out,
a
lot
of
folks
were
like
asking
questions
you
know
among
because
we
were
also
doing
a
thing
called
the
security
Village
out
there,
and
you
know
among
a
lot
of
the
projects.
A
lot
of
folks
were
like
hey.
Have
you
heard
of
the
salsa
thing
because
they
heard
like
hey
I
do
stuff
with
supply
chain
security.
B
I
said
yes,
I
very
much
heard
about
this
salsa
thing.
In
fact,
we
just
went
1.0
and-
and
so
folks
are
very,
very
keen
on
on
seeing
that
and
see
what
what
kind
of
comes
out
of
that
there's
some
additional
stuff
which
I
added
into
a
GitHub
issue
under
the
salsa
thing.
One
is
just
that
a
lot
of
folks
are
a
little
confused
about
salsa,
1.0
examples
and
like
where
that
might
come
in
and
some
stuff
on
that
front
that
that
I
think
we
should
take
a
closer
look
at.
B
B
Right,
you
know,
and,
and
they
I
mean
they
do
see-
tools
like
Fresca,
but
then
they
say,
hey
I,
think
there's
like
some
sort
of
Middle
Ground
between
like
this
big
thing
like
Fresca
and
something
that
is
just
like
a
sas-like
GitHub,
and
so
some
chat
around
to
chat
around
that
which
also
this
is
something
that
I'm
personally
working
on
on
as
an
open
source
project
for
for
the
future,
but
so
that
was
some
stuff.
Another
thing
that
came
out
was
cncf
announced
salsa
audits.
B
This
was
for
the
V
0.1,
they
did
say
1.0
when
they
had
announced
the
audit.
1.0
hadn't
gone
live
yet
it
was
I
guess
on
the
Wednesday
morning,
a
little
bit
before
one
point.
A
little
bit
before
1.0
went
live
right
so,
but
they
did
a
v
0.1
audit
of
Prometheus
and
Argo
through
the
cntf
they're,
looking
to
do
more
of
those
Audits
and,
in
fact,
want
to
partner,
with
both
tag,
security
to
help
Define
like
that
policy
of
like
yeah.
All
projects
should
be
built
through
salsa.
B
Let's
say
all
cncf
projects
should
be
built
through
salsa
or
something
like
that:
they're
they're.
Looking
for
for
that
sort
of
information
and
and
how
to
include
a
lot
of
the
stuff,
that's
coming
out
of
openssf
like
s2c2f
salsa,
some
of
the
other,
like
best
practices
scorecard
yayada,
and
make
those
as
suggestions
for
cncf
projects.
B
Since
we
know
that
cncf
projects
tend
to
be
more
tooling
focused
projects
and
openssf
is
a
little
bit
more
geared
towards
like
Frameworks
white
papers,
best
practices,
and
they
are
also
looking
to
partner
with
ostiff,
which
is
also
under
the
Linux
Foundation,
as
the
conduit
for
how
audits
get
paid
for
which
I
think
ostev
is
like
the
open
source
technology,
Improvement
fund
or
innovation
fund.
Something
like
that.
B
Another
thing
that
came
up-
and
this
is
sort
of
feedback
for
some
of
the
S2
c2f
folks.
There
seem
to
you
know
folks,
folks
have
heard
of
s2c2f
but
they're
unsure
a
little
bit
of
where
it
fits
in,
and
then
some
folks
had
also
started
to
point
out
that
some
of
the
documentation
I'm
sure
it's
just
a
typo
is
not
on
purpose,
still
refers
to
like
S2
c2f
as
like
Microsoft
S2
c2f,
as
opposed
to
open,
ssf,
s2c2f
and
there's
some
concern.
B
One
of
the
things
that
was
brought
up
was
some
folks
aren't
ready
for
cloud
native
adoption
yet
and
want
to
better
understand
and
how
to
secure
supply
chain
outside
of
cloud
native
tools.
So
that's
why
you
know
a
lot
of
folks
are
saying:
hey,
there's
a
tool
like
kieverno,
which
is
policy,
but
that
only
works
inside
of
kubernetes
oppa
can
work
outside
equipment
but
like
they
want
to
see
more
of
that
and
that's
I
had
brought
up
hey,
there's
some
work
happening
on
the
Sterling
tool
chain.
Side.
B
I
know
that's
still
being
built
out.
There's
a
couple
of
documents
that
are
that
are
out
there
they're,
also
asking
for
more
diagrams
and
where
sort
of
supply
chain
Integrity
fits
in
I
know
that
the
diagrammer's
working
group
is
working
on
some
stuff,
but
I
think
folks
are
like
looking
for
a
little
bit
more
of
like
a
white
paper
that
kind
of
thing
and
then
there's
also
it's
unclear
if
slash
when
SCI
will
focus
more
on
tooling.
You
know
some
folks
are
like
hey:
are
there?
A
D
A
And
I
could,
of
course,
I
I
like
this.
This
question
has
kept
coming
up
and
I.
Think
it's
worthwhile
at
least
I
mean
maybe
it's
worthwhile,
making
it
visible
to
the
tags
that
we
could
use
some
overall
guidance
or
or
kind
of
help
with
the
overall
alignment
as
to
how
we
think
about
tooling
open
ssf
wide.
There
are
various
points
efforts
you
know
in
various
other
working
groups,
and
so
I
know
it's.
A
You
know
we
had
this
also
tooling
working
group,
and
there
was
this
question
of
should
especially
be
SCI
tooling
and
should
Fresca
be
a
part
of
tooling
and
so
on.
I
think
that
we
should
we
should
try
and
run
this
down
and
perhaps
engage
the
second
in
helping
with
this,
because
yeah
I
I
don't
see
this
converging
at
the
moment.
I
see
it
just
continuing
to
Roll
Along
without
much
convergence.
A
That's
super
interesting
about
s2c2fj.
Are
you?
Do
you
I
mean
it
sounds
like
we've
got
some
thick
Subs
to
do
with
it
with
links,
but
in
terms
of
maintainers
and
Microsoft
involvement
and
kind
of
making.
This
you
know
more
clearly
an
open,
SSS
thing
and
less
of
a
Microsoft
thing
is.
Is
that
something
that
the
S2
cctf
working
group
is
is
looking
at.
D
Absolutely
reason
why
I
keep
bringing
it
up,
we
need
a
more
participation,
more
people,
diving
in
more
people,
get
getting
getting
involved.
The
meetings
are
are
open
about
these
links.
Etc
I've
been
going
I've
been
so
I'm
happy
about
that
Discovery,
my
goodness,
because
I've
been
systematically
going
through
and
finding
places
where
we
have
a
little
bit
of
debt
right.
D
We
we
got
a
lot
of
stuff
that
that's
lagging
from
back
in
October
and
back
in
September,
and
everything
like
that
when
we,
when
we
were
trying
to
merge
stuff
over
so
so
highlighting
that
stuff
is,
is
important.
You
know
making
sure
that
we
that
we're
articulating
everywhere
that
this
is
part
of
the
openness
and
stuff
and
I.
Don't
have
any
visibility
on
the
team
that
actually
puts
this
stuff
in
the
in
the
in
the
public
sphere,
but
when,
but
when
I
see
it
and
I
catch
it,
I
can
reach.
D
Excuse
me
reach
out
to
those
that
do
and
exactly
right
people
are
reading
people
people
are
are,
this
is
catching
notice,
but
we
need
to
do
the
right
thing
on
making
sure
it's
it's
it's
situated
correctly
and
it's
not
just
a
Microsoft
thing,
as
I
said
before,
get
getting
all
these
all
of
the
links
and
all
of
the
what's
out
there
in
the
sphere
corrected.
That's
a
that.
That's
an
easy
fix
right.
D
We
found
a
clear
path
and
clear
parallel.
We
could
identify
gaps
and
we
can
identify
how
one
works
with
the
other,
how
s2ct
will
work
with
salsa
and
vice
versa?
Right
so
there
is
a
clear
there
is
a
clear
marriage
between
the
two,
so
I
feel.
Like
you
know,
more
people
join
the
meetings.
More
people
get
involved.
More
people
contribute
more
people
on
that
maintainers
list,
which
is
absolutely
where,
where
we'd
like
for
this
to
go.
A
A
D
Everyone's
excited
about
it,
I
think,
especially
those
that
saw
it's
also
back
in
my
back
no
about
this
time
last
year,
back
in
in
June
and
July
last
year,
and
then
seeing
what
1.0
became
as
a
result
of
all
the
hard
work
that
was
done,
separating
the
tracks
and
really
drilling
down
to
something.
That's
not
only
that
people
can
take
in
and
read,
but
something
that's
actually
usable
and
and
that
they
can
apply
to
their
builds
and
they
can
apply
to
to
how
they
practice
and
what
they
do.
D
D
Going
to
get
developed
in
there
there's
a
bit
of
concern
with
that
whether
or
not
the
the
the
tracks
themselves
are
going
to
take
away
from
the
current
track.
Are
they
going
to
add
two
rights?
And
so
so
both
positive
and
negative
risks
are
articulated
risks.
Nonetheless,
you
know
so
so
that
so
you
know
over
time.
A
E
Hi
there,
let's
try
this
again
awesome
update
on
salsa
1.0
I
gotta
make
my
usual
disclaimer.
Sorry,
everybody
anything
I
discuss
here
my
opinions,
not
those
is
my
employer.
Yet
with
that
said,
I
was
curious
when
we're
gonna
see
some
of
the
stuff
from
salsa
4
come
back,
namely
the
network
isolation,
1.0.
A
B
B
You
know
bad
code,
that's
that's
still
something
that's
there,
but
keeping
it
separate
so
that
folks,
who
are
focused
on
one
piece,
can
focus
on
that
one
piece
but
yeah.
So
the
source
track
is
one
of
the
big
ones.
Two-Person
code
review
sign
commits
that
kind
of
thing,
and
then
the
second
piece
is
is
a
secure,
build
system
itself.
So
a
lot
of
folks
are
really
asking
like
hey
I'm,
not
using
GitHub
actions.
What
are
the
things?
B
I
should
be
doing
to
secure
my
build
infrastructure
right
because
salsa,
it's
all
does
talk
about
like
a
trusted,
build
system
and
right
now,
we've
been
very
broad
about
that.
We're
just
sort
of
saying:
hey
run
that
trusted
build.
You
know
run
a
build
system
securely,
and
you
know
following
these:
sorts
of
parameters,
like
you
know,
builds
need
to
be
isolated
and
those
sorts
of
things
right
as
long
as
it
has
those
characteristics
that
is
good
enough
to
be
salsa
Providence,
but
folks
are
asking
okay
great.
B
Can
you
point
me
in
the
direction
of
how
I
would
do
that,
like
what
sorts
of
things
you
know
do
you
recommend
doing
in
order
to
meet
those
requirements
that
are
required
for
salsa
Providence?
So
those
are
the
two
big
tracks
that
people
have
been
asking
for
recently
and
that
will
that
work
will
probably
start
within
the
next
few
days
as
well.
E
When
I
think
of
like
Network
channeling
as
we
were
discussing,
actually
the
slack
getting
like
all
your
dependencies
into
one
place
like
I,
think
we
called
it
vendoring
I
think
that's
a
term
from
the
rust
ecosystem.
It's
vendoring,
we
pre-compute
all
your
dependencies
and
you
put
them
into
place,
and
then
you
only
read
from
that
place.
E
I
I
would
like
to
see
us
look
at
something
like
Network
isolation
doesn't
mean
you
can't
reach
out
to
the
network.
It
means
you
can
reach
out
to
the
network,
but
when
you
do
so,
it
has
to
be
metered
audited.
That
type
of
thing
so
I'd
like
to
see
that
Nuance
get
in
there
I'm
happy
to
help
contribute,
because
my
second
one
was
how
do
I
help
contribute
to
that
draft.
B
Sure
so
feel
free
to
every
Monday.
We
have
a
salsa
specification
meeting,
that's
kind
of
where
a
lot
of
that
work
starts
so
I
think
usually
like
something
like
this
will
get
brought
up
either
as
open
up
a
GitHub
issue
and
say:
hey
here's
this
thing
or
just
on
the
Monday
meeting
chat
through
some
of
those
like
hey
here's
something
I
noticed
I'd
like
to
sort
of
contribute
to
this,
and
somebody
might
say:
okay,
great
yeah,
let's
that's
on
the
list
or
you
know
we
have
that
prioritized
or
no.
B
No,
we
hadn't
thought
about
that,
but
if
you're
willing
to
write
something
up
so
so
on
Monday,
that's
kind
of
the
the
meeting
to
to
bring
that
up
in
and
just
to
be
clear.
These
are
all
like
reasons
why
those
things
that
you
brought
up
are
reasons
why
we
had
removed
the
hermeticity
requirement.
Originally,
is
because
we
wanted
to
make
sure
that
that
definition
was
like
super
crystal
clear,
so
that
we
included
all
those
things
you
talked
about,
because
these
are
all
things
that
we
also
truly.
B
You
know
we
believe
as
well
of
like
hey.
The
hermeticity
thing
is
more
like
it's
more
about
the
dependencies
you
think
you're
pulling
in
are
the
dependencies
you
did
pull
in
and
that's
it
right.
You
didn't
pull
something
in
without
actually
recording
it.
You
didn't
pull
something
in
without
knowing
what
it
was.
You
actually
pulled
in
exactly
what
you
said
you
were
pulling
in
and
that
sort
of
thing
is
like
in
certain
cases
it's
just
hey,
I
downloaded
everything
beforehand
and
then
I
give
it
to
the
build.
Sometimes
that
might
be.
B
You
know
what
you
described
of
like
I'm,
calling
out
to
the
network,
but
it's
all
audited,
like
I,
don't
have
direct
access
to
the
internet.
I
only
have
access
to
the
things
that
are
already
you
know
allowed
and
that
sort
of
thing
whether
it's
like
through
a
you
know,
artifactory
or
Nexus,
proxy
or
whatever
I-
think
those
sorts
of
things
are
things
that
we're
looking
to
kind
of
yeah
make
a
lot
more
crystal
clear
to
folks
so
that
they
understand
when
they
look
at
the
hermeticity
requirement.
What
if
that
actually
means.
E
B
A
You
yeah
I,
think
I
think
that
Mike
and
I
mean
that's.
It's
a
really
good
point
that
I
think
the
hermiticity
requirement
was
was
kind
of
thought
of
as
a
solution
to
a
set
of
problems
without
the
problems
being
particularly
well
articulated
or
investigated
and
I.
Think.
Actually,
if
you
take
a
closer
look
at
like
what
are
you
actually
solving
for
you
begin
to
go
well,
actually
we
can
solve
for
those
things
without
having
a
completely.
A
A
Yes,
awesome?
Okay,
so
I've
been
through,
so
this
document
has
been
kind
of
circulating
for
the
last
few
months
there
was
when
I
first
shared
it
in
in
December.
There
was
a
whole
bunch
of
comments
coming
in
December
and
January
and
I've,
been
through
in
the
last
couple
of
weeks
and
and
kind
of
gone
through.
All
of
that
feedback
Incorporated
it.
A
One
thing
that
I
added
yesterday,
which
we
didn't
have
was
trying
to
articulate
exactly
what
problem
we're
solving,
and
this
is
again
like
the
context
of
this-
is
the
open,
ssf
supply
chain,
Integrity
working
group,
and
so
this
is
independent
of
you
know
what
products
we
happen
to
have
on
our
shelves
today
and
the
way
of
salsa
or
sqc,
tof
or
Fresca
or
whatever.
This
is
thinking
about
what
should
the
open,
ssf
Supply
generity
working
group
be
focused
on
when
we
think
about
what
problem
are
we
trying
to
solve?
A
And
you
know,
there's
a
lot
of
problems.
We
could
go
solve
right,
I
mean
the
organizations
had
problems
and
the
industry
has
problems,
and
the
government
has
problems,
and
software
producers
have
compliance
problems
and
software
consumers
have
risk
problems,
and
so
I
think
part
of
the
challenge
that
we
have
is
is
narrowing.
A
You
know,
help
add
you
know
more
requirements
on
my
plays
and
practices
that
need
to
be
followed.
So
I
I
think
that
salsa
is
solving
so
and
again
like
I
own.
This
alter
is
kind
of
an
Exemplar
here,
rather
than
playing
Integrity,
but
I
I
feel
like
the
pain
today
of
supply
chain
Integrity.
The
challenge
is,
is
really
borne
by
the
consumers
and
software,
not
the
producers
and
that's
partly
structural
and
I.
Think
that
you
know
the
US
government
would
like
to
shift
that.
A
They've
been
moved
towards
software
liability
and
maybe
when
software
producing
organizations
are
liable
for
security
defects,
maybe
they'll
have
a
set
of
problems
which
are
more
acute
and
Urgent
which
we
might
want
to
solve.
But
right
now,
I
think
that
the
the
more
pressing
problem
and
the
more
readily
articulable
one
and
the
one
that
is
felt
more
urgently
is
on
those
consuming
software,
and
so
the
supply
chain.
A
Integrity
problem
tends
to
be
borne
by
those
who
are
consuming
from
something
upstream
and
are
in
a
position
of
not
being
able
to
reason
about
or
measure
or
manage
or
mitigate
or
reduce
the
risk
that
they're
ingesting
as
they
rely
on
externally
supplied
components
and
so
I.
Think.
If
we
want
to
solve
this
problem,
we
will
be
led
to
Solutions
which
have
implications
for
other
actors,
and
so
you
know
sulfur
as
a
partial
solution
to
this
problem
has
implications
for
software
producers
and
hopefully
recognizing
the
software.
A
You
know
it
leads
to
principles
like
targeting
the
technical
infrastructure
as
a
point
of
Leverage.
You
know
anchoring
trusted
tools
and
systems,
not
processes
and
people,
and
so
on.
So
I've
added
a
little
bit
to
this.
This
document
and
I,
don't
think
I,
don't
think
it's
going
to
be
productive
to
try
and
review
the
whole
thing
top
to
bottom,
live
but
I'd
love
to
get
feedback,
or
at
least
kind
of
initial
reactions.
B
B
If
I
go
back
to
some
of
the
stuff
that
that
myself,
you
know
I've
done
and
some
of
the
other
folks
I've
been
working
with,
have
done
on
sort
of
trying
to
figure
out
who
is
who
are
the
folks?
We
want
to
most
help
to
begin
with,
because
it
turns
out,
everybody
has
slightly
different,
slightly
different
needs
or
different
prioritization
around
the
needs.
I
should
say
like
everybody
has.
These
needs
is
just
around.
B
How
important
is
it
for
them,
and
this
is
something
that's
been
brought
up
as
part
of
also
the
Sterling
tool
chain,
and
some
of
the
other
work
is
you're.
You
know
if
we
take
a
step
back
and
look
at
the
problem
and
how
it
gets
solved
a
little
bit
right,
you're
going
to
have
a
lot
of
these
larger
Enterprises
that
are
going
to
say,
hey,
I,
I'm,
going
to
hire
a
large
consult
like
a
larger
Bank,
let's
say
is
going
to
hire
a
large
consultancy,
a
large
consultancy
to
help
fix
this.
B
They
might
say
please
Implement
salsa,
please
Implement!
You
know
s2c2f
and
these
other
things,
but
one
of
the
things
that
was
brought
up,
which
I
found
very
interesting,
is
that
same
large
Enterprise
that
wants
to
this:
that's
how
they
secure
their
own
supply
chain.
They
want
to
use
software
by
smaller
manufacturers
as
well,
but
it's
hard
for
them
to
do
that
when
those
menu
those
smaller.
B
You
know,
producers
of
software
are
unable,
to,
let's
say
hit
the
high
level
of
requirement
that
they
might
have,
like
the
you
know,
hey
in
order
for
us
to
hit
salsa
and
get
a
salsa
on
and
do
all
this
stuff.
That's
the
majority
of
of
our
budget
right
before
we
even
start
writing
the
features,
and
so
that's
kind
of
one
of
the
things
that
was
brought
up
by
a
few
folks
was
hey
anything.
B
That
was
something
that
was
kind
of
brought
up
in
a
couple
of
the
meetings
was
just
like:
how
do
you
get?
How
do
you
bring
those
folks
along
who
are
like
hey
I?
Have
a
million
things
on
my
plate?
Quantifying
you
know,
risk
and
and
reasoning
about
it
and
yayada
is,
is
not
on
my
on
my
list
of
things
to
do.
B
A
A
Think
there's
there
are
sort
of
organizations
to
produce
great
products
who
would
provide
Great
Value,
but
like
to
your
point,
it's
an
enormous
burden
trying
to
meet
the
requirements
of
a
mega
Corp
like
a
Google
or
a
finance
organization,
and
we
have
these
incredibly
strict
requirements
they
can
be.
It
can
just
be
prohibitively
expensive
to
meet
those
requirements
in
order
to
get
your
first
sale
to
the
company
that
decides
and
I
think
I'm
going
to
make
a
note
of
that
in
in
the
notes.
I
think
that's
a
definitely
a
good
point.
A
E
So
it's
just
reflecting
on
the
what
you
said
about
the
open
source,
maintainer
and
open
source
maintainer
wants
to
wake
up
and
be
like
oh
great,
something
else.
I
have
to
do
one
of
the
challenges
that
I've
personally
found
with
open
source.
It
should
go
clone
the
repo
and
you
say,
Maven
build
or
make
or
whatever,
whatever.
D
E
Build
command
is
and
the
build
immediately
fails
and
there's
no
like
you
go
to
the
contributing
Dock
and
it
just
says,
run
this.
It
doesn't
say:
okay,
you
need
this
jdk
on
this
distro
and
here's
how
you
build
this
thing,
I'm
wondering
if
another
Avenue
is
hey
open
source
maintainers,
if
you
don't
want
to
if
you
are
unable
to
or
for
whatever
reason
you
can't
comply
with
this,
give
the
consumers
the
ability
to
take
the
software
and
build
it
in
their
own
yeah,
defined
environment.
C
A
But
you
know:
Google
has
this
this
product,
a
short
open
source
where
you
know
forgiven
open
source
packages,
you
may
find
that
Google
has
rebuilt
it
on
Google's
own
infrastructure,
and
you
know,
has
provided
salsa
Providence
for
this
package,
and
so
it
could
be
that
you
know
we
can
meet
the
the
goals
of
supply
chain
Integrity
without
requiring
the
software
originator
to
do
the
work
of
the
attestation.
It
could
be
that
there's
an
intermediary
or
third
party
or
trusted
Rebuilder.
A
It
could
even
be
that
you
know
we
want
to
stand
up
a
an
open
source
rebuilding
as
a
service
to
you
to
your
point,
but
maybe
there's
an
opportunity,
for
you
know
an
open
source.
Maintainer
just
say:
go:
go
build
it
over
there
and
you'll.
Get
your
soul
to
Providence
directly
would
be
a
a
neat
way
to
get
around
this
or
deliver
against
the
problem
without
requiring
the
maintainer
to
invest
a
lot.
E
There
may
be
something
a
little
more
specific,
rather
than
saying
you
know
what
hey
come.
Just
let
this
think
about
Google
trusted.
Source
I
mean
the
Google
trusted.
Source
thing
is
cool,
I'll,
try
and
knock
it,
but
rather
than
saying
you
know
what
I'm
gonna
ingest,
hey
open
source
container,
so
I'm
going
to
just
your
stuff
and
I'm
going
to
supply
it.
I'm
gonna
vent
it
for
you.
C
F
C
C
B
I
think
the
thing
is
is
that
sort
of
thing
is
just
that
should
already
be
table
Stakes
for
for
for
an
open
source
project
like
if
you're,
if
you
are
running,
builds-
and
you
are
not
also
providing
the
ability
to
run
those
builds
in
some
way
right,
like
you
know,
a
make
file
a
build
script
or
whatever
right.
You
know
some
way
to
pull
down
dependencies,
then
you
know
you're,
not
really
not
really
complete
right
and
in
fact,
for
a
lot
of
folks
that
should
raise
red
flags.
B
If
hey
I
looked
at
your
Source
I
tried
to
run
the
build
script
and
it
didn't
work,
because
it's
missing
all
these
things.
That
should
be.
You
know,
generally
suspicious
to
begin
with.
I.
Just
think
that,
like
you
know,
I
think
the
thing
there
is
is
is
generally
yeah.
I
think
that's
a
good
best
practice
that
should
be
sort
of,
maybe
even
something
like
a
salsa
practice
right
of
saying,
hey
the.
B
E
E
A
It's
a
good
question:
I'm
I,
don't
I,
don't
have
the
answer
to
that,
and
but
I
would
also
be
super
curious
and
I
can
I
can
try
and
find
out
and
I.
Think
I
mean
the
other
interesting
thing,
and
you
know
speaking
generally
about
this.
This
space
I
think
part
of
the
problem
that
assured
open
source
and
others
like
it
are
trying
to
solve,
is
there's
an
accountability
Gap
in
in
the
ecosystem.
A
You
know
open
source
sustainability
incentives,
economics
problem
to
be
solved
here
as
well.
I
think
assured,
open
source
is,
is
Google,
saying.
Well,
you
know,
hey
we'll
step
in
and
we'll
we'll
be
a
supplier
of
records
for
these
packages,
and
you
know
hey.
If
you've
got
a
problem
with
them,
you
can
come
and
scream
it
as
potentially
there
are.
A
There
are
other
solutions
to
this
problem
too,
but
I
I've
heard
that
this
General
notion
that
there
is
an
accountability
gap
between
what
Enterprises
want
to
consume
and
how
far
up
the
stack
of
Open
Source
can
reach
in
general.
If
that
makes
sense,
I
mean
you
know,
and
you
know,
Red
Hat
has
obviously
made
an
entire
business
out
of
out
of
you
know.
Stepping
into
this
Gap
too
Jonathan
you've
got
your
hand
up.
F
C
F
B
B
The
fact
that
you
know
yeah
I
can't
go
in
and
and
even
though
a
lot
of
these
things
are
open
source,
but
they
require
me
to
own
random
Hardware
or
whatever,
all
of
a
sudden
that
becomes
much
more
difficult.
It
also
I
think
it
sort
of
begins
to
raise
flag.
You
know
red
flags
around
like
hey.
How
would
I
know
whether
or
not
something
is
potentially
malicious
or
dangerous
if
I
can't
even
really
run
the
build
myself
right,
yeah.
A
I
was
I
was
just
going
to
make
the
observation.
Actually
that
I
think
it's
a
salsa,
Level
One
requirement
is
a
scripted,
build
itself
right,
I
mean,
and
that
itself
is
a
nod
to
the
fact
that
not
all
open
source
builds
are.
You
know
readily
scripted
and
automated
already,
and
some
of
them
require
you
poking
around
in
your
IDE
to
get
them
done.
F
What
what
defines
a
scripted
build
right
like
is
that,
like
you,
must
be
able
to
run
a
single
script
to
build
the
whole
thing
which
includes
installing
all
dependencies
in
the
jdk
and
like
all
that
stuff
or
is
it
like?
Can
can
that
scripted
build
assume
certain
dependencies
to
be
present
on
the
system
prior
to
running
that.
A
A
A
Any
other
thoughts
on
this
and
in
general
around
this,
the
supply
chain,
Integrity
Vision
document
in
terms
of
what
I
hope
to
do
next
I
mean
it
sounds
like
nobody's,
looked
at
the
problem
and
gone.
Oh,
my
God.
That's
completely
off
base
and
you're
forgetting
X,
Y
and
Z
important
thing,
which
is
good
I,
recognize
that
there
could
yet
be
some
refinement
to
do.
A
There
may
be
some
some
things
and
perspectives
that
others
may
have
or
more
thought.
May
reveal
and
problems
with
it,
but
my
intent
with
this
document
now
it's
kind
of
cleaner
is
to
go
through
I'll
highlight
you
know
some
of
the
new
sections
of
people
who've
seen
it
before
can
kind
of
just
review.
What's
new
circulate
it
in
the
community?
A
I
think
we've
talked
about
passing
this
up
to
the
tech
to
review
as
well
and
say:
Hey.
You
know
the
SEI
working
group
we're
trying
to
you
know
reboot
it.
You
know,
since
we
left
at
its
Charter
with
visited,
we've
had
salsa
V1
launch,
we've
had
sdc2f
join
the
thing:
we've
had
movement
on
Fresca
and
we
need
to
kind
of
reconceptualize
or
reframe.
B
A
A
I
appreciate
that,
thank
you
very
much
all
right
cool.
Well.
That
in
fact,
is
actually
probably
a
great
place
to
end
at
the
bottom
of
the
agenda.
We've
got
a
great,
encouraging
and
positive
comment.
I
will
post
assembly
this
meeting
in
slack.
I'll
also
circulate
this
doc,
as
discussed
with
me
to
get
in
two
weeks
and
maybe
we'll
have
something
which
we
can
all
agree
as
Tech
already
and
get
this
formalized
as
part
of
the
new
challenges
working
group.