From YouTube: Supply Chain Integrity WG (March 7, 2023)
B: Can we get started?

A: All right, we can probably get started here. There might be some other folks I know who are going to trickle in a little later.
A: All right, so yeah, we can get started. Just a reminder: this meeting is being recorded, it'll be uploaded to YouTube shortly after, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct.
A: All right, let me share. Folks, feel free to put anything you want to talk about in the agenda, as well as your attendance in the... oops. So yeah, feel free to add yourself to the attendees list and anything you might want to add onto the agenda. I know that Melba last night said she couldn't make it, so I don't know if we had much in the way of the agenda outside of stuff like blog updates and so on. Before kind of getting into any of that, though, is there anybody who's new to the meeting who wants to introduce themselves?
D: I can. This is Jennifer Bligh here, hello. I have been around some of the other meetings, so maybe you've seen me there. I lead marketing and communications for the OpenSSF, and so I think it's going to be a great collaboration here on how we can get the word out about each of these projects.
A: Now we can go into some of the... Why don't we actually hold off on the blog updates until... oops, until after. But I see something here about S2C2F. Is that UJ?
E: Yes, it is. Yes, it is. I'm popping that in. There's a couple of things, it's not just that. So there's, at RSA... also there's some training being developed as well. Adrian will be presenting S2C2F at RSA. You know, it's work being done here in the open, that's the stuff, and it's bridging with SLSA and everything else. So there's a lot of good talk around that. There's also a bit of training that's on the horizon too. So for the purpose of positioning, as we get closer to developing that kind of stuff, they want to look at how we want to market it. It's a good thing, and Jennifer being here is great for this, but how we want to sit there and promote these things that are coming up, and how we want to do that as a foundation, you know, as we go out and start talking about all of these different frameworks together.
A: Yeah, I don't know if those RSA talks end up getting uploaded to YouTube or something else. If they do, wherever it goes, we can definitely link it.
A: Okay, so we can move on to the blog updates. So one thing I know is there is the SLSA 1.0... what's it called, the sort of call for feedback? Hold on, where is this... The request for comments. So I'm just gonna link that there, and I'll also share it in a second.
A: So it's pretty simple and straightforward, just a quick thing talking about what SLSA was. We were at 0.1, we're releasing 1.0, we're looking for feedback, we're looking for folks to provide input on stuff like, you know, is it hitting the various requirements, and so on and so forth. Before it goes out, they're looking for comments from us in the positioning group and other folks, just to see, like, hey, does this hit what we wanted to hit? So yeah, that's that. Any comments on this? I know this just went out earlier today.
D: The only thing I'd say for this one is we should probably get it up this week, given that folks only have until March 24th to leave comments, so the sooner the better.
C: Right, one second, let me actually add that into the notes.
A: Okay, now going down the list. So I know Melba is working on developer persona stuff. I know Melba's not on. I don't know if there's anybody else who's been working on that who has any updates on that.
A: All right, the "what's new" blog. Chris, I think you're the only person on who might be working on that... I don't know if it's... yeah, sorry. Oh, Chris, at the 1.0 "what's new" comparison. Let me actually move this over here so that it's also being shared.
A: Oh okay, so Chris says he can't be on voice, hasn't done any work on the blog post. It isn't clear what needs to be done compared to the post on slsa.dev. Yeah, I'm not sure myself.
A: Yeah, this actually looks fine, so actually this might already be the thing that's done. Yeah, I think this is actually the thing that's done. Okay, so never mind. We can probably list this status. I'll just double-check with Melba to make sure that we didn't want to cross-post this somewhere else as well. Cool, yeah, so I believe that's done. Then this one says "not needed," so we're not gonna go over that. SLSA tracks, so that one is on me.
A: So I am not done with it yet, but I will... I have a link somewhere and I will also post this over here so you can share. I only have a couple of paragraphs thus far. I'm going to be writing up a bunch more. Once again, it's not going to be something super long. It's mostly just going to be, hey, why are there different tracks in SLSA, and the high-level sort of overview, right, is:
A: The SDLC is quite large. SLSA is very much focused on the build piece, because the build piece is one of the more critical pieces that takes all that untrusted stuff like source code and dependencies, does a bunch of compilation, building, whatever, and then transforms that into an artifact that should then be used in, you know, other folks' dependency chains, supply chains, and/or being deployed to production or whatever. And so that sort of thing is kind of a critical piece in making sure it is secure.
A: So that's kind of what we focused on, and we also didn't want to throw everything and the kitchen sink at the problem to begin with, because that's kind of a recipe for nothing getting done. And so we wanted to make sure that we kept... we did one thing and we did one thing right. And then, as it's kind of going on, we're now kind of focusing on the things that kind of go into and out of the SLSA build. So this is stuff like source, and ensuring that source can be...
A: We can start to trace the source into the SLSA build piece, and that's why there's going to be some different tracks, but while we're still sort of focused in that sort of build space. So that's going to be the focus of this blog. Feel free to sort of add comments. I'll be writing up a bunch of stuff on it over the next couple of days, and hopefully by next week have something ready for that.
A: And this is kind of somewhat why there's the breakup between build versus source. I don't know if we wanted to kind of highlight exactly why that is, but yeah, I mean this, I think, is kind of also... I think it explains why there is the breakup, right. The breakup was, hey, by including everything it meant that we had to make the trade-offs, right, where there wasn't SLSA tooling for the build, but there was SLSA... There wasn't great SLSA tooling for the build, and we need to have SLSA tooling for the build in order to make some of the other pieces easier, kind of, when we start to think about ingestion and that sort of thing. So I apologize, I don't know how to pronounce your name. It's...
F: It's actually Laura. I guess I named myself by my first initial; my last name is on there, sorry about that. I had a question about the source integrity and the dependency section of the kind of diagram that is typically seen when you're looking at the very first version of SLSA. To understand, when we present at the OpenSSF North America Summit, like, should we remove mentions of source integrity and dependencies and just focus on the build integrity? But as we're presenting, it was supposed to be "SLSA for Beginners," but I think it's been renamed "SLSA: the AppSec Condiment," but I'll be presenting... if the call for proposals is accepted, I'll be presenting that section.
F: So I had a really good footing on SLSA before all the new changes, and so I just want to make sure that what we're presenting at the Summit is just version one, or should we talk about SLSA as a whole?
A: Yeah, so my two cents on it is SLSA 1.0 is very much focused around sort of like the CDF area of, you know, or, I guess, E as well a little bit. So 1.0 does not cover the full scope, but I think you do want to, you know... Chris just mentioned there, and I agree, I think we do want to just sort of say, hey, look, this diagram sort of explains what the problem generally is.
A: That's also one of the big open questions still, a little bit, with the push versus pull, right. Like, is source code being pushed into the build versus being pulled in? I've been, mostly when talking about it, since most of the systems that I'm aware of are mostly the pull-based systems where you have the build pulling the source code in and pulling dependencies in... and so the idea would be, at least from my perspective, is, yeah, I think almost... I would almost add one more thing here for clarity, where the build can say it pulls from a... yeah, it pulls dependencies from these locations or whatever, right, and that it accurately pulls those things down, not necessarily that any of those things have not been tampered with before you pulled it down, if that makes sense.
F: So the Securing Software Repositories group is... I know I just kind of found out about that working group existing. Is that something that they're going to be working on, the source piece of that, and/or is that gonna eventually be folded back into SLSA as a separate track? And do we have, like, a roadmap or, like, a timeline of when we're gonna do that, if we're gonna do that?
A: So my understanding, and Chris might have a bit more details about it, because I know Mark is the one who's really pushing a lot of this... so my understanding was always we try to keep it simple for now, because we didn't want to overwhelm folks, especially given one of the big challenges is the Securing Repositories group is going to be building a bunch of practices and building tools to help secure repositories. It's hard for us to sort of say, hey...
A: There are questions among the OpenSSF groups that, even actually, my meeting literally after this one is going to be about, hey, there's another group that is building out a whole bunch of supply chain threat models, and does that flow back into SLSA? I don't know, you know. So I think that there's a lot of also confusion within the OpenSSF about where these things go and how they get split up. I think that sort of thing needs to be brought back up to the TAC, because I think that there is a lot of confusion about, like, is the Securing Software Repositories group in charge of those practices and standards, and that actually SLSA should focus on the build and they can come up with something else.
A: I think that there's legitimate arguments that folks have been making on that front, but currently the way we've been moving forward is like the tools and a lot of the other pieces might fall under different groups, but we might pull those practices into SLSA for the standard. At least that's the way that we've been operating thus far, but I think that might change if, you know, the OpenSSF TAC or others kind of say, hey, it would be great if we split it up a little bit better this way or that way.
F: Thanks, yeah, I'm just trying to piece it all together, so I appreciate that, actually.
A: Yeah, sorry, oh yeah, no, I do agree that it is, or I would posit that it is, kind of a mess right now, with lots of overlap between some of the groups.
A: So it's something that I think we need to do a bit better cross-pollination on, so maybe even have us go to the Securing Software Repositories group with, maybe, like, here's what we're doing with SLSA. We don't want to reinvent the wheel; if you're already doing this, we might just want to be consumers of what they're building.
A: So that is technically currently not under any given group. It flowed out of the in-toto project a little bit, and there's some debate about: does that fall under, as a subgroup, under in-toto? Is that something that they want to donate or contribute to OpenSSF? Yeah, a lot of different folks working on a lot of different things, and obviously some of those things... it's okay to have two or three groups reinvent the wheel and realize, like, oh...
A: But generally, I think the way that I, at least I've been, when I've been talking about 1.0 to folks on my end, it's mostly like showing this big diagram of the set of threats and then kind of saying what Chris has mentioned. I tend to also include C in there, right, because I think anything that's under the build integrity, right, where I think the... I mean.
A: Maybe that's something we should bring up. I always viewed, from what Chris has just said, I always viewed B being the source and C being that I downloaded it into the build and the build changed the source files before it actually ran a compilation or packaging step, or something like that. But that's something that can be, I think, brought up anyway. I'll add my thoughts into that personally, anyway.
F: Yeah, it definitely seems like a gray area, like that "build from modified source" being the threat, and then the, well, I call them events of interest, I don't know if that... but they're like C1 through C5 in their original version, where we talk about the different ways, the different events that may trigger that particular threat. So it's, yeah, it would definitely be worth it, or definitely interesting, to understand how that fits into SLSA version one.
A: Yeah, and so actually that's one of the reasons why we've been so focused on the build system: it's just how many things are involved here, and trying to keep it simple for the folks who are adopting it. And I recognize that there's still, even with that, there's still some confusion.
F: And I didn't mean to hijack the agenda today, I just... thanks for your time.
A: I don't know, and there's not also a lot on here, and I think it also still ties back into some of the stuff that we're trying to convey to folks. Like, for example, I was assuming in my blog article that I'm writing for this, right, I was going to assume that, you know, the way I've sort of been viewing it, and this is the thing I'll bring up with Melba, we'll try and maybe sort it out, where it's like we'll try and figure out where that... Yeah, that's something that I think I'll write something up and try and post that out there anyway. Okay, next up... oh, I guess I thought I saw Emmy on, but so Emmy's not on, right. I don't see her. Okay, so yeah, so then we'll... so I'll just...
A: Then there's a couple other ones which, you know, don't have owners. I don't know if anybody's taken up on this, but the supply chain integrity positioning blog, the SLSA, VEX, OpenVEX, etc., like just all these different things that are going on, and the sort of comparison between various different standards like SLSA, S2C2F, OpenVEX, and what use cases they're trying to hit, and so on.
E: I think for that one we're keeping our ears to the ground. There's still a lot of volatility in a lot of that stuff, especially on the VEX front, on the back side. There's a lot, so ears to the ground. I think we'd be able to come up with something shortly, as a lot of the specs and all the other stuff that's happening in all these different communities start getting developed and start getting published. I think we'll be able to have a better chance at doing a blog that makes sense. Right now there's way too much up in the air.
A: I agree with that. I know tomorrow, if folks are interested, tomorrow at the Vulnerability Disclosures working group, I believe there's supposed to be a demo from some folks on OpenVEX and that sort of thing, and I know that that's contentious among some folks, so it should be interesting.
E: Yeah, I mean, I saw a... I saw a peek, I guess, if you can say that, of what'll be presented, because they did that presentation at the CISA VEX working group on Monday, so I expect to see pretty much the same. It wasn't a bad presentation, it wasn't a bad demo either. I'm just interested to see what all comes of that, because we have an idea in that working group where we'd like that to go, but like I said, a lot of volatility.
A: Yeah, I mean, I think this is also somewhat... there is, I think we should wait till after. So I know that there's some conversations about, like, whether or not, you know... there's some folks out there who think SLSA as a provenance spec shouldn't exist and we should just be using SBOMs. Other folks believe that there should be just better mappings between them, and there's others who think that they should be completely separate. And so I think some of that needs to be sorted out, especially given that it seems like you can't go a week without a new... yeah, yeah.
A: Yeah, I mean, I think that's the thing that, at least, I think SLSA has done well, regardless of the various other things that are going on. I think the thing of SLSA trying to keep the scope limited and then expanding out, and compare that to some other folks who are sort of keeping the scope very, very, very large and trying to support lots of different things. I think they all have their different trade-offs, and I think that's...
A: Yeah, and I know... oh, so yeah, regarding... I just saw the comment about the PBOM. I don't know if anything has happened with this yet. It does say it's an open framework. The, like, OSC&R and PBOMs are supposed to be open, but all these links always just... they don't lead anywhere. And I know some of the folks from, I think it's called OX Security, is that right? Some folks have reached out to them to kind of get more details, figure out, like, are there community meetings? If there are community meetings, then, you know, are there folks to attend, and so on. Cool, so opening blog on all three sub-projects. So just a reminder, so this is...
A: Take ownership of the FRSCA one. Marcelo, you have your hand up.
C: Yeah, I wanted to add potentially to this list. I know some folks in the in-toto community have been also working on a blog post about how in-toto enables SLSA and other supply chain attestation types. I was wondering if that should also be added to this. Sure, would that be hosted under OpenSSF, or... we're not sure, actually.
A: Yeah, I mean, one of the things I know that always works well is, like, you have the companion blogs of, like, yeah, you know, a CNCF-related blog can focus on, like, hey, how in-toto is being used to... you know, like how in-toto helps projects like SLSA to do X, Y and Z, and then SLSA can be like, hey, how using in-toto enables, you know... like, there's areas for collaboration.
C: Okay, yeah, I know Aditya is working on... he's leading that blog post, so...
D: And then to add on another blog post that I'm aware of, without sharing too many details ahead of time for next week: there's a survey that was put out and a report that was generated. Chainguard took the lead; OpenSSF, Rust Foundation, Eclipse Foundation also participated. So I believe that's coming out next week and the blog is being drafted currently, and it's on SLSA. The report is a survey of software supply chain security practices and beliefs.
A: All right, is there anything else as far as the blogs or anything like that? If not, does anybody else have any agenda items they wanted to bring up? If not, we can give folks back 19 minutes and see you all next week.