►
From YouTube: Supply Chain Integrity WG (March 7, 2023)
A
A
A
So
yeah
feel
free
to
add
your
your
self
to
the
attendees
list
and
anything
you
might
want
to
add
onto
the
agenda.
I
I
know
that
Melba
last
night
said
she
couldn't
make
it
so
I,
don't
know
if
we
had
much
on
the
way
of
the
agenda
outside
of
stuff,
like
blog
updates
and
and
so
on,
before
kind
of
getting
into
any
of
that,
though,
is
there
anybody
who's
new
to
the
meeting
who
wants
to
introduce
themselves.
A
E
E
You
know
it's
work
being
done
here
in
the
open,
that's
the
stuff
and
it's
bridging
with
with
with
with
salsa
and
everything
else.
So
there's
a
lot
of
good
talk
around
that
there's
also
a
bit
of
training,
that's
on
the
horizon,
2,
so
for
the
purpose
of
positioning
as
we
get
closer
to
developing
that
kind
of
stuff,
and
they
want
to
look
at
how
we
want
to
Market
or
in
a
good
thing
and
Jennifer.
E
A
B
A
B
C
B
A
So
it's
pretty
simple
and
straightforward,
just
a
a
quick
thing,
just
talking
about
what
salsa
was,
we
were
at
one
point,
zero
point:
one
we're
releasing
1.0
we're
looking
for
feedback,
we're
looking
for
folks
to
provide
input
on
stuff,
like
you
know,
is
it
hitting
the
various
requirements
so
on
and
so
forth.
They're
looking
before
it
goes
out,
they're
looking
for
comments
from
us
in
the
positioning
group
and
other
folks
just
to
see
like
hey,
does
this?
Does
this
hit
what
we
wanted
to
hit
so
yeah?
That's!
B
B
A
A
A
A
A
A
A
A
So
I
am
not
done
with
it
yet,
but
I
will
I
have
a
link
somewhere
and
I
will
also
post
this
over
here.
So
you
can
share.
I
only
have
a
couple
of
paragraphs,
thus
far
I'm
going
to
be
writing
up
a
bunch
more
once
again,
it's
not
going
to
be
something
super
long.
It's
mostly
just
going
to
be
hey.
We.
Why
are
there
different
tracks
in
salsa
and
the
high
level
sort
of
overview
right
is?
A
The
sdlc
is
quite
large.
Salsa
is
very
much
focused
on
the
build
piece,
because
the
build
piece
is
one
of
the
more
critical
pieces
that
takes
all
that
untrusted
stuff
like
source
code
independencies,
does
a
bunch
of
compilation,
building
whatever
and
then
transforms
that
into
an
artifact
that
should
then
be
used
in
you
know
other
folks's
dependency
chains,
Supply
chains
and
or
being
deployed
to
production
or
whatever,
and
so
that
sort
of
thing
is
is
kind
of
a
critical
piece
in
making
sure
it
is
secure.
A
So
that's
kind
of
we
focused
on
that,
and
we
also
didn't
want
to
throw
everything
in
the
kitchen
sink
at
the
problem
to
begin
with,
because
that's
kind
of
a
recipe
for
nothing
getting
done,
and
so
we
wanted
to
make
sure
that
we
kept.
We
did
one
thing
and
we
did
one
thing
right
and
then,
as
it's
kind
of
going
on,
we're
now
kind
of
focusing
on
the
things
that
kind
of
go
into
and
out
of
the
salsa
build.
So
this
is
stuff
like
source
and
ensuring
that
Source
can
be.
A
We
can
start
to
trace
the
source
into
the
salsa,
build
piece
and
that's
why
there's
going
to
be
some
different
tracks
and
but
while
we're
still
sort
of
focused
in
that
sort
of
build
space,
so
that's
going
to
be
the
focus
of
this
on
on
this
blog
feel
free
to
sort
of
add
comments.
I'll
be
writing
up
a
bunch
of
stuff
on
it
over
the
next
couple
of
days
and
hopefully,
by
next
week,
have
something
ready
for
that
foreign.
C
A
And
this
is
kind
of
somewhat
why
there's
the
breakup
between
build
versus
Source
I,
don't
know
if
we
wanted
to
kind
of
highlight
exactly
why
that
is
but
yeah
I
mean
this
I
think
is
is
kind
of
also
I.
Think
explains
why
there's
there's
why
there
is
the
breakup
right.
The
breakup
was
Hey
by
including
everything
it
meant
that
we
had
to
make
the
trade-offs
right
where
there
wasn't
salsa
tooling,
for
the
build,
but
there
was
salsa.
A
F
It's
actually
Laura
I'm,
I,
guess
I
named
my
first
initial.
My
last
name
is
on
there
sorry
about
that.
I
had
a
question
about
the
like
the
source,
integrity
and
the
dependency
section
of
the
the
kind
of
diagram
that
that
is
typically
seen
when
you're
looking
at
the
ver.
The
very
first
version
of
salsa.
C
F
Understand
when
we
present
at
the
open,
ssf
North
America
Summit
like
should
we
remove,
mentions
of
source
integrity
and
dependencies
and
just
focus
on
the
the
build
Integrity
for,
but
as
we're
presenting,
it
was
supposed
to
be
salsa
for
beginners,
but
I
think
it's
been
renamed
salsa
the
app
set
condiment
but
I'll
be
pers.
If
it,
if
it,
the
call
for
proposals
is
accepted,
I'll
be
presenting
that
section.
A
Yeah,
so
my
two
cents
on
it
is
salsa.
1.0
is
very
much
focused
around
sort
of
like
the
CDF
area
of
you
know,
or
in
I
guess
e
as
well
a
little
bit
so
1.0
does
not
cover
the
full
scope,
but
I
think
you
do
want
to
you
know.
Chris
just
mentioned
there
and
I
agree.
I
think
we
do
want
to
just
sort
of
say:
hey,
look,
this
diagram
sort
of
explains
what
the
problem
generally
is.
A
A
That's
one
of
the
big,
also
open
questions
still
a
little
bit
with
the
push
versus
poll
right.
Like
is,
is
source
code
being
pushed
into
the
build
versus
being
pulled
in
I've,
been
mostly
when
talking
about
it
since
most
of
the
systems
that
I'm
aware
of
are
mostly
the
poll
based
systems
where
you
have
the
build
pulling
the
source
code
in
and
pulling
dependencies
in,
and
so
the
idea
would
be,
at
least
from
my
perspective,
is
yeah
I.
A
Think
almost
I
would
almost
add
one
more
thing
here
for
Clarity,
where
I,
where
the
build
can
say
it
pulls
from
a
yeah,
it
pulls
dependencies
from
these
locations
or
whatever
right
and
that
it
accurately
pulls
those
things
down,
not
necessarily
that
any
of
those
things
have
not
been
tampered
with
before
you
pulled
it
down.
If
that
makes
sense,.
F
So
the
secure
software
repositories
group
is
I,
I
know
I,
just
kind
of
found
out
about
that
working
group
existing.
Is
that
something
that
they're
going
to
be
working
on
the
source
piece
of
that
or
and
or
is
that
gonna
eventually
be
folded
back
into
salsa
as
a
separate
track,
and
do
we
have
like
a
road
map
for
or
like
a
timeline
of
when
that
we're
gonna?
Do
that?
If
we're
gonna
do
that.
A
So
my
understanding
and
and
I
Chris
might
have
a
bit
more
details
about,
because
I
know
Mark
is
the
one
who's
really
pushing
a
lot
of
this
is
so
my
understanding
was
always
we
try
to
keep
it
simple
for
now,
because
we
didn't
want
to
overwhelm
folks,
especially
given
one
of
the
big
challenges
is
the
securing
repositories
group
is
going
to
be
building
a
bunch
of
practices
and
building
tools
to
help
secure
repositories.
It's
hard
for
us
to
sort
of,
say:
hey.
A
A
There
are
questions
among
the
open,
ssf
groups
that
even
actually
my
meeting
literally
after
this
one
is
going
to
be
about
hey,
there's
another
group
that
is
building
out
a
whole
bunch
of
supply
chain
threat
models
and
does
that
flow
back
into
salsa
I,
don't
know
you
know
so.
There's
I
think
that
there's
a
lot
of
also
confusion
within
the
open.
A
Ssf
about
where
these
things
and
how
they
get
split
up,
I
I
think
that
sort
of
thing
needs
to
be
brought
back
up
to
the
the
attack,
because
I
think
that
there
is
a
lot
of
confusion
about
like
does.
Is
the
securing
software
repositories
group
in
charge
of
those
practices
and
standards,
and
that
actually
salsa
should
focus
on
the
build
and
they
can
come
up
with
something
else.
A
I
think
that
there's
legitimate
arguments
that
folks
have
been
making
on
that
front,
but
currently
the
way
we've
been
moving
forward
is
like
the
tools
and
a
lot
of
the
other
pieces
might
fall
under
different
groups,
but,
and
we
might
pull
those
practices
into
salsa
for
the
standard,
at
least
that's
the
way
that
that
we've
been
operating
thus
far,
but
I
think
that
might
change.
If
you
know
the
openss
attack
or
others
kind
of
say
hey,
it
would
be
great
if
we
split
it
up
a
little
bit
better
this
way
or
that
way.
A
So
it's
something
that
I
think
we
need
to
do
a
bit
better
cross-pollination,
so
maybe
even
have
us
go
to
the
securing
software
repositories
group
with
maybe
like
here's,
what
we're
doing
with
salsa.
We
don't
want
to
reinvent
the
wheel
if
you're
already
doing
this,
we
might
just
want
to
be
consumers
of
what
they're
building.
A
So
so
that
is
technically
currently
not
under
any
given
group.
It
was
that
flowed
out
of
the
in
Toto
project
a
little
bit
and
there's
some
debate
about.
Does
that
fall
under
as
a
subgroup
under
in
Toto?
Is
that
something
that
they
want
to
donate
or
contribute
to
open,
ssf
yeah
a
lot
of
different
folks
working
on
a
lot
of
different
things?
And
obviously
some
of
those
things
are
it's
okay
to
have
two
or
three
groups
reinvent
the
wheel
and
realize
like
oh?
A
A
But
generally
I
think
the
way
that
I
at
least
I've
been
when
I've
been
talking
about
1.0
to
to
folks.
On
my
end,
it's
mostly
like
showing
this
big
diagram
of
the
set
of
threats
and
then
kind
of
saying
what
Chris
has
mentioned.
I
tend
to
also
include
c
in
there
right
because
I
think
anything.
That's
under
the
the
build
integrity
right
where
I
think
the
I
mean.
A
A
Maybe
that's
something
we
should
bring
up
I,
always
viewed
from
what
Chris
has
just
said:
I
I
always
viewed
be
being
the
source
and
C
being
that
I
downloaded
it
into
the
build
and
the
build
changed
the
source
files
before
it
actually
ran
a
compilation
or
packaging
step,
or
something
like
that,
but
that's
something
that
can
be
I
think
brought
up
anyway.
I'll
I'll
add
my
thoughts
into
that
personally,
anyway.
F
Yeah,
it
definitely
seems
like
a
gray
area
like
that,
build
from
modified
Source
being
the
threat
and
then
the
well
I
call
them
events
of
Interest
I.
Don't
know
if
that,
but
they're
like
C1
through
C5,
in
their
original
version,
where
we
talk
about
the
different
ways
to
different
events
that
made
trigger
that
particular
threat.
So
it's
yeah.
It
would
definitely
be
worth
it
or
definitely
interesting
to
understand
how
that
fits
into
salsa
version.
One.
C
A
Don't
know,
and
there's
not
also
a
lot
on
here
and
I-
think
it
also
still
ties
back
into
some
of
the
stuff
that
we're
trying
to
convey
to
folks
is
like,
for
example,
like
I
was
assuming
in
in
my
blog
article,
that
I'm
writing
for
this
right
is
I
was
going
to
assume
that
you
know
the
way
I've
sort
of
been
viewing,
and
this
is
the
thing
I'll
bring
up
with
Melba,
we'll
try
and
maybe
sort
it
out
where
it's
like
we'll,
try
and
figure
out.
Where
that
let.
A
B
E
E
I
think
I
think
we'd
be
able
to
come
up
with
something
shortly
as
a
lot
of
the
the
specs
and
and
all
that
all
the
other
stuff
that's
happening
in
all
these
different
communities
start
start
getting
developed
and
start
getting
published.
I
think
we'll
be
able
to
have
a
better
chance
at
a
doing
a
Blog.
That
makes
sense
right
now.
There's
way
too
much
way
too
much
up
in
the
air.
A
D
E
Peek
I
guess
if
you
can
say
that
of
what
it'll
be
presented,
because
they
did
that
presentation
that
the
sisa
Vex
working
group
on
on
Monday,
so
I
expect
to
see
pretty
much
the
same.
It
wasn't
a
bad
presentation.
It
wasn't
a
bad
demo,
either
I'm
just
interested
to
see
what
all
comes
of
that,
because
we
have
an
idea
in
that
working
group
where,
where
we'd
like
that
to
go
but
like
I,
said
a
lot
of
volatility.
A
A
A
So
I
know
that
there's
some
conversations
about
like
whether
or
not
you
know
there's
some
folks
out
there,
who
think
salsa
as
a
proven,
inspect
shouldn't
exist
and
we
should
just
be
using
s-bombs.
Other
folks
are
like
believe
that
there
should
be
just
better
mappings
between
them
and
there's
others
who
think
that
they
should
be
completely
separate
and
so
I
think
some
of
that
needs
to
be
sorted
out,
especially
given
that
it
seems
like
you
can't
go
a
week
without
a
new
yeah
yeah.
E
A
Yeah
I
mean
I,
think
that's
the
thing
that
at
least
I
think
salsa
has
done
well,
regardless
of
of
the
various
other
things
that
are
going
on.
I.
Think
the
thing
of
salsa
trying
to
keep
this
the
keep
the
scope,
Limited
and
then
expanding
out
and
compare
that
to
some
other
folks
who
are
sort
of
keeping
the
scope
very,
very,
very
large
and
trying
to
support
lots
of
different
things.
I
think
they
all
have
their
different
trade-offs
and
and
I
think
that's.
A
Yeah
and
I
know:
oh
so
yeah
regarding
I
just
saw
the
comment
from
about
the
p-bomb
I.
Don't
know
if
anything
has
happened
with
this,
yet
it
does
say
it's
an
open
framework.
The
like
Oscar
and
P
bombs
are
supposed
to
be
open,
but
all
these
links,
always
just
they
don't
lead
anywhere
and
I-
know
some
of
the
folks
from
I.
A
Think
it's
called
Ox
security
is
that
right,
they've,
been
sort
of
some
folks
have
reached
out
to
them
to
kind
of
get
more
details
figure
out
like
are
there
Community
meetings?
If
there
are
Community
meetings,
then
you
know:
are
there
folks
to
attend
and
and
so
on,
cool,
so
opening
blog
on
all
three
sub
projects?
So
just
a
reminder,
so
this
is.
B
C
Yeah
I
wanted
to
add
potentially
to
this
list.
I
know
some
folks
in
the
in
Twitter
Community
have
been
also
working
on
a
blog
post
about
how
in
Toto
enables
salsa
and
other
supply
chain
attestation
types
I
was
wondering
if
that
should
also
be
added
to
this
sure,
would
that
be
hosted
under
openness,
stuff
or
we're
not
sure
actually,.
A
Yeah
I
mean
one
of
the
things.
I
know
that
always
works
well
is
like
you
have
the
companion
blogs
of
like
yeah,
you
know,
cncf
related
blog
can
focus
on
like
hey.
How
in
Toto
is
being
used
to.
You
know
like
how
in
Toto
helps
projects
like
salsa
to
do
X,
Y
and
Z,
and
then
salsa
can
be
like
hey
how
how
using
in
Toto
enable
you
know
like
there's.
There's
areas
for
collaboration.