►
From YouTube: Supply Chain Integrity WG (January 18, 2023)
C
D
B
E
B
E
B
B
B
My
screen
yep,
wonderful,
okay,
cool,
so
what
I
hoped
we
do
today
so
I
put
in
the
agenda?
We've
got
three
items
and
we'll
see
how
far
we
get
down
the
agenda.
This
document
we
talked
last
time
about
you
know
having
you
know.
We
have
something
about.
You
know
open,
ssf,
top
level,
Vision
Direction
scope.
What's
the
openness
is
f
about
and
then
I
think
you
know
we
have
individual
projects
like
salsa
and
Fresca
and
sgc2f
and
and
so
on.
B
Joshua
don't
tell
everyone,
but
we
so
we
have
we.
What
we
don't
have
is
a
really
crisp
and
clear
kind
of
north
star
or
direction
for
the
the
supply
chain.
Integrity
working
group,
which
kind
of
sits
between
the
two.
You
know
it's
a
pleasure,
Integrity
working
group
containing
the
salsa
and
Fresca
and
s2c2f,
and
who
knows
what
else
in
the
future
but
itself
doesn't
have
really
much
of
you
know
a
an
actionable
or
or
helpful
North
Star
I
mean
I
read
the
charter.
B
You
can
all
read
the
charter
too.
It's
linked
from
the
top
of
the
the
node
stock.
It's
broad!
It's
generic!
It
doesn't
seem
that
it
would
be
particularly
helpful
in
guiding
day-to-day
decisions
and
directions
and
that's
kind
of
what
I,
what
I'm
hoping
we
can
jointly
produce
I
a
document
which
and
I
think
Melbourne
made
the
comment
that
hopefully
we
don't
touch
very
much.
Hopefully
we
don't
have
to
continue
editing
and
refining
it.
B
Hopefully
we
set
this
and
say
you
know
what
this
is
probably
gonna,
Orient
and
guide
us
for
the
next
year
or
even
two
and
then
there'll
be
lots
of
activities
at
the
day-to-day
level
in
the
individual
projects
and
and
and
sigs,
but
this
will
continue
to
be
our
North
Star.
So,
with
that
in
mind,
I,
you
know
I've
done
several
things
in
slack
about
this
doc.
I
know
a
lot
of
you
reviewed
it
provided
comments
for
which
many
thanks.
B
My
proposal
is,
first
of
all,
just
to
kind
of
open
the
floor,
see
if
anyone's
got
any
general
comments,
like
does.
Does
this
with
the
problem
I've
identified
about
having
a
missing
middle,
not
having
something
which
guides
an
audience
and
and
helps
the
day-to-day
decision
making?
Does
anyone
have
opinions
about
whether
this
doc
gets
us
towards
that?
And
it
feels
to
me,
I
mean
I,
I,
say
it
with
my
author's
bias.
B
B
Got
a
thumbs
up
from
Joshua,
okay.
Well,
in
that
case,
we
can
dive
into
individual
comments
and
what
I
want
to
do?
You
know
I,
don't
proposally
read
through
the
top
to
bottom
I
promise.
We
do
a
quick
view
at
each
comment
and
then
for
each
one
decide.
What
do
we
want
to
do?
Do
we
want
to
assign
an
action,
I
kind
of
figured,
that
some
of
these
will
be
action
with
me
to
clarify
or
work
the
comment
into
the
dark?
B
So
this
first
comment
here
about
the
shared
vocabulary
and
problem
model
for
the
industry
or
he's
got
a
good
point
here
about
hey.
You
know
what
we're
going
to
be
talking
about.
My
intention
really
was
was
not
in
terms
of
you
know,
formalizing
or
coming
up
with
a
prescriptive
or
normative
standard.
It
was
more
of
the
observation
that
you
know
today.
B
I
think
that
salsa
itself
and
salsa.dev
has
provided
already
provided
a
useful
set
of
vocab
for
the
industry
like
when
people
say
you
know
provenance
now,
you
know
salsa
provides
a
useful
definition,
a
useful
anchor
for
that
term
when
people
think
think
about
Providence
and
I've
heard
people.
You
know
talk
about,
oh,
wouldn't
it
be
great
to
have
an
s-bomb
that
you
know,
links
a
binary
to
individual
source
files
and
I'm
like
wow.
That's
not
quite
an
s-bomb
I
think
you're
more
talking
about
binary
provenance.
B
But
again
my
thought
is
that
we
don't
need
to
get
super
formal
with
this
vocabulary,
but
more
recognize
that
part
of
the
value
that
we're
providing
in
the
supply
chain.
Integrity
group
is,
you
know
just
normalizing
some
of
these
Concepts
at
a
high
level
and
and
start
to
encourage
people
to
use
the
same
words
for
the
same
things.
Does
anyone
disagree
or
have
any
additional
thoughts
on
that.
D
Oh
yeah,
so
you
know
whenever
we
talk
about
any
type
of
standardization,
with
respect
to
Concepts
or
terms
or
or
vocabulary
like
that.
My
first
question
is
always
how,
in
sync,
are
we
with
best
practices
right
with
the
best
practices,
working
group
and
and
the
initiatives
that
they
have
around
building
guides
and
also
their
their
glossary
they're,
building
a
glossary
of
terms,
Etc,
right
and
I?
Think
always
while
I
I
mean
the
argument
comes
back?
D
Well,
you
don't
want
to
have
this
dictate
that
or
that
dictate
this,
which
is
all
true,
but
I
do
think.
As
far
as
the
openness
and
stuff
is
concerned,
we
should
be
speaking
with
one
voice
across
the
entirety
of
the
openness
and
stuff
and
I.
Think
that's
the
idea
behind
the
diagram
of
society
and
trying
to
build
that
that
trying
to
build
those,
those
schemas
and
trying
to
build
that
nomenclature
across
the
board.
Like
hey,
what
is
everyone
doing?
D
So
so
I
I,
so
I
go
back
to
it
and
say:
are
we
making
sure
that
we're
that
we're
aligning
one
way
or
the
other,
whether
it's
our
terms
or
the
best
ones
that
they
should
use
right
so
take
from
us
and
then
put
into
your
glossary,
or
should
we
take
from
that
glossary
and
bring
it
back?
Bring
those
some
of
those
terms
back
to
what
we're
doing
here.
G
B
F
I
just
wanted
to
like
I
completely
agree
that
we
need
a
shared
vocabulary.
Problem
model
I
think
we
need
to
like
I
I
see
this
as
being
a
phase
thing
like
we
need
to
get
our
own
house
in
in
order
like
the
SEI
WG
and
the
projects
that
form
part
of
that,
then
we
can
try
and
get
like,
of
course,
open
ssf
agreement
or
normalization
of
terms.
The
industry
is
going
to
be
a
long
battle
like
provenance.
F
Salsa's
definition
of
provenance
does
not
agree
with
how
half
of
the
people
I
talk
to
interpret
Providence.
It's
an
ongoing
ongoing
battle,
so,
like
I,
think
I
fully
agree
with
the
goal.
Let's
just
be
aware
that
this
is
a
long-term
thing,
but
having
a
set
of
definitions,
we
all
agree
on
that.
We
can
start.
Socializing
is
like
super
valuable.
B
Love
it
I'm
going
to
follow
up
with
you
about
those
those
conflicting
definitions
of
provenance.
I'm
super
interested
I've,
seen
some
of
that
emerging
here
internally
at
Google
as
well,
and
then
I'm
trying
to
get
a
handle
on
it.
So
I'd
love
to
hear
what
you're
seeing
too
okay
I'm
I'm
going
to
close
out
on
that.
B
One
and
I've
got
some
some
follow-ups
tagged
in
the
comment
here,
so
that
we
don't
forget
that
what
we're
up
to
this
point
about
interoperability
here
or
erased
I
think
you
know,
there's
much
that's
easy
to
say
and
how
to
define
a
more
concrete
definition.
I
actually
I
mean
I
I
struggle.
With
this
a
little
bit
I
mean
I.
I
wrote
ready
interoperability,
meaning
that
hey
you
know
we
have
you
know.
F
Yeah
I
think
we
are
looking
for
like
a
coherence,
interoperability,
interoperable
set
of
projects
within
the
working
group
like
how,
when
I
was
thinking
about
this
a
bit
earlier
and
adding
comments
to
the
doc.
It's
not
entirely
clear
to
me,
because
I
haven't
had
a
chance
to
dig
into
them
like
how
scorecards
and
I
think
you
refer
to
it
as
S2,
but
the
acronym
that
I
cannot
remember.
F
The
context
of
this
working
group
have
a
consistent
narrative
and
can
be
coherently
plugged
together
into
a
into
a
sort
of
cure
software
supply
chain.
That's
the
first
step
for
interoperability,
I
think
and
then
yeah
part
of
that
is
just
being
super
creative
about
what
the
what
the
interfaces
are
between
them
and
and
therefore
like
what
the
apis
or
data
formats
or
whatever,
that
they
Expose
and
therefore
can
be
adopted
more
broadly
yeah.
That's
how
I
would
interpret
that.
B
That
makes
sense,
I
couldn't
I'll,
add
a
little
bit
more
detail.
I
don't
want
to
get
this
I,
don't
this
document
to
kind
of
Veer
too
far
into
into
problem
solving
but
more
describing
the
problem.
But
I
will
your
comments
there
on
point
Joshua
and
I'll
I'll
work,
those
in
and
thank
you
let's
see.
Do
we
have
a
daughter
on
the
call
here.
C
B
C
D
A
B
Okay,
Melba
I
think
I
I
unilaterally
gave
you
an
action
here
to
to
reword
this
one
to
your
preference.
I.
Don't
think
I
think
we're
talking
about
the
same
thing
and
just
word
smithing
here.
So
unless
anyone
has
additional
comments
on
this
one
I
suppose
we
move
on
to
the
next,
and
maybe
you
can
take
that
one
up
offline,
the
the
point
about
Fresca
here:
do
we
have
Mr
Lieberman
with
us
today,
I,
don't
think
we
do
Melvin.
E
B
B
No,
but
it's
important
like
I
mean
this
is
we're
hoping
this
document
lasts
a
while
we're
gonna
have
lots
of
people
look
at
it.
Some
with
you
know
where
everyone's
varying
degrees
of
context,
so
I
I
appreciate
the
value
of
wordsmithing
and
I.
Think
it's
important
that
we
get
this
right,
so
I
will
I'll
make
that
change
of
clarify
ooh
interesting
one.
Here
we
had
do
we
have
William.
Oh,
we
do
have
William
here
today.
I
I
would
love
to
hear
your
additional
thoughts
on
this
and
and
Melba.
B
You
too,
I'll
give
you
what
what
my
intent
was
with
with
this,
that
this
this
framework
shouldn't
require
you
to
get
value
from
this
framework.
It
shouldn't
require
that
you
trust
GitHub
or
you
trust
Google,
or
you
trust
Microsoft,
or
you
trust
this
entity
or
that
entity
or
ideally
it
should
be.
You
know
that
who
you
trust
should
be
up
to
you
and
me,
as
a
consumer.
B
I
can
say
well,
I,
trust,
Pipi
and
I
trust
GitHub,
and
that
is
going
to
you
know
give
me
the
anchors
from
which
my
policy
decisions
would
be
based.
It's
not
up
to
the
framework
to
tell
me
who
is
trustworthy
in
this
ecosystem.
That
was
my
intent
with
this,
but
but
William
melber
give
me
your
thoughts
so
so.
G
You
just
described
I
think
that
that
is
I
agree.
What
we
should
be,
we
should
be
saying
here:
I
was
responding
to
ori's
comment
of
of
consumer
selected
versus
he
was
suggesting
regulator,
selected
and
I.
Think
what
Melvin
and
I
were
kind
of
saying
there
was
well
I,
was
first
saying,
like
I,
think
consumers
can
select
if
they
want
to
have
a
regulator
selected.
So
it
assumes
that
and.
A
G
Melba's
comment
was:
have
we
really
defined,
what
we
meant
by
a
consumer
in
this
and
I
could
see
a
consumer
being?
What
you
described
would
be
someone
with
a
different
context,
could
view
consumer
being
an
end
consumer
or
a
company
using
software
from
a
provider,
so
I
think
we're
clear.
The
consumer
is
really
a
consumer
of
like
the
supply
chain
right,
because
that's
really
the
focus
here
and
that's
not
what
we
need
and
clarified
I,
don't
think
we're
fine.
B
Great,
that's
so
I'll
note
that
I
think
there
was
that
Echoes.
Some
other
comments,
also
in
the
talk
about
consumer
and
Josh,
had
a
a
different
preferred
term.
I.
Think
consumers
are
it's
it's
great
because
hey
it's
a
very
consuming
software,
it's
terrible
because
some
some
people
think
consumer
means
and
consumer,
or
you
know
someone
who
goes
and
buys
software
retail
Off,
the
Shelf
at
Best
Buy.
B
D
B
That's
a
good
point
so
I'm
just
writing.
The
consumer
main
include
anchor
suitable
clone
regulatory
context.
Given
that
you
know
every
consumer
is
going
to
exist
in
a
different.
You
know
regulatory
domain
and
hey
you
know
in
the
EU.
Maybe
there
will
be
a
requirement
to
trust
this
entity
or
that
entity
who
knows,
but
it's
a
good
point
and
I
will
note
that.
B
Okay,
scrolling
down
I
think
there's.
This
is
a
totally
fine
point.
I
mean
I
noticed
that
lots
more
needed
I
already
made
a
specific
suggestion
about
what
could
be
included
in
that
lot.
I
agree
with
it
and
I
thought
it
looks
like
you
do
too,
and
so
I
will
I'll
upload
some
additional
thought
and
work
into
that
and
I
invite
you
all
to
do
the
same.
B
E
B
B
I
really
agree
with
with
your
point
here
that
I
think
that
you
know
we
should
be
cautious
about
trying
to
boil
the
ocean
and
trying
to
immediately
go
from
from
zero
to
100
and,
like
kind
of
you
know,
for
going
from
an
insular
Community
to
one
that
includes
the
entire
world
and
its
collaborative
universe
and
I
think
we
have
a
natural
set
of
concentric
Rings
here
and
with
you
know,
salsa.
You
know
next
scope,
workers,
SCI
and
xcopark.
B
It's
open,
ssf
next
goes
up
with
LF
and
and
so
on,
and
we
can
work
on
collaboration
in
that
order
and
I
think
that
you
know
I
mean
I,
think
I,
don't
know
whether
you
wrote
it
but
getting
our
own
house
in
order.
First,
like
let's
go
to
get,
let's
get
good
at
collaboration
with
that
in
our
own
group
and
then
the
group
surrounding
us
and
then
work
out
from
there
rather
than
trying
to
solve
everything
at
once
and
I
I.
Very
much
agree
with
that.
B
Specific
Outreach
plan
Melba,
you
got
me
and
Joshua
both
ganging
up
on
you
now
that
about
this,
the
SEI
positioning
idea,
I
I
mean
it
feels
to
me
I
mean
certainly
looking
actually
at
the
the
notes
that
you
shared
from
the
positioning
meeting
yesterday.
It
feels
to
me,
like
you're,
already
doing
the
work
of
SEI
positioning
and
at
this
stage,
actually
it's
probably
more
just
about
renaming
the
thing.
E
Yeah
I
think
we
would
need
and
make
sure
that
there
are
co-leads
from
the
other
groups
right
because
I
don't
know
everything
about
Fresca
I,
don't
know
everything
about
s2c2fs.
As
long
as
we
have
co-leads
from
each
of
the
different
subgroups
than
I
think
we
would
be
fine,
but
that
would
be
the
biggest
challenge.
E
D
There
are
other
things
that
happen
out
there
too,
and
the
point
about
getting
a
house
in
order
is
just
that
I
know
in
the
CDF
and
their
supply
chain.
Integrity
working
group
they're
working
on
something
over
there
maturity
model
over
there,
that's
supposed
to
be
something
bolted
onto
the
back
end
of
salsa,
and
they
actually
say
this
inside
of
their
repo
inside
of
their
working
group.
D
D
But
that
can
only
happen
if
we
do
what
we,
what
we're
talking
about
here
and
then,
of
course,
maybe
race
positioning
up
to
the
point
where,
once
we
have
our
house
in
order,
we
can
properly
position
some
of
the
things
we're
doing
and
creating
those
conversations
so
that
when
we
take
those
tentacles
and
reach
out,
we're
reach
reaching
out
with
that
one
voice.
Right
I
mean
that
all
that
all
makes
perfect
sense.
B
It's
a
good
point
Jay
that
we
should
make
sure
that
we
we
have.
You
know
in
the
first
instance
a
situational
awareness
of
the
you
know
the
adjacencies
around
us.
You
know
what,
like
you
say,
I
mean:
there's
the
supply
chain,
maturity,
working
group
in
the
CDF
and
that's
chaired
by
actually
a
colleague
of
mine
at
Google,
and
perhaps
we
could
have
him
come
and
talk
to
her
sometime
about
his
intent
of
what
he's
doing,
but
Step
One
is
like
kind
of
becoming
aware
of
these
adjacency
step.
B
Two
is,
is
kind
of
figuring
out
how
we
fit
alongside
them
or
where
we
don't
fit
or
where
we
need
more
active
collaboration
and
then
step
three
is
providing
a
map
of
the
entire
universe.
I'm
open
to
success,
of
just
being
one
Galaxy
quickly
on
companies.
I
can
clarify
this
in
in
the
dark
now,
but
my
intent
was-
and
you
know
if,
if
we
decide
here,
this
is
what
we
want
to
do.
We
want
to
think
about.
B
You
know
supply
chain
Integrity
in
in
the
macro,
and
we
want
to
think
about
this.
This
Uber
framework.
We
may
decide
that
we
don't
have
sufficient
representation
in
the
open
ssf
to
succeed.
We
may
decide
that
gosh,
wouldn't
it
be
great
to
have
a
couple
of
folks
from
Amazon
who
are
really
leaning
in
or
maybe
two
from
GitHub
or
an
encore
or
I
mean
I,
don't
know
I'm
just
suggesting
that
we
should
we
can.
B
We
can
open
our
doors
and
see
who
walks
in
and
we've
got
a
great
set
of
people
here
already
and
then
great
representation
from
IBM
and
Microsoft
and
VMware
and
and
AMD
and
Intel
and
the
rest.
It
could
be
that
if
we
take
this
more
deliberate
approach,
we
may
decide
gosh.
We
need
to
go,
find
some
people
from
company
X
or
company,
or
welcome
new
Z
and
encourage
strong
on
them
to
participate,
and
that
was
the
intent.
Does
that
make
sense.
C
E
If
it's
about,
like
you,
said
ecosystems
right,
perhaps
we
say
you
know
Partners
in
the
industry,
that
you
know
that
manage
ecosystems
or
something
making
sure
that
we're
not
making
it
seem
like
I
said
that
it's
favoritism
or
it's
about
funding
right.
If
it
is
okay,
then
we
should
state
that.
But
if
it's
not
I
think
we
need
to
be
a
little
clear
about
what
why
companies
and
what
the
intent
is
behind
that
I.
B
H
Oh
yeah,
yeah
and
I
think
yeah
I
agree
with
Melba
on
that
one
and
another
thing
just
to
be
cognizant
of
is
I
believe
late.
Last
year
the
governing
board
did
vote
on
the
sort
of
new
direction
for
2023,
which
includes
sort
of
that.
Like
they're
calling,
you
know,
hey
a
I,
don't
know
if
it's
an
open
source
tool
chain
or
but
like
pretty
much
trying
to
kind
of
really
push
the
the
open
bit
of
of
open,
ssf
and
so
I
think
the
idea
should
be
also.
B
Open
in
it
for
a
reason,
Let's
see,
we
have
a
comment
here
about
Fresca
again
and
I.
Think
I
mean
again:
Michael
I'm,
not
sure
whether
you're
here
when
I
you
know
declared
my
biases
Fresca
is
an
area
that
I'm
out
of
everything
that
we
have
in
the
inscope
for
SEI
working
group
rescue
is
the
one
I'm
least
familiar
with,
and
so
please
forgive
me
and
and
then
it
also
educate.
H
Me
sure
yeah
yeah
I,
could
definitely
help
out
here.
So
I
mean
the
the
quick
sort
of
elevator
pitch
right
was,
was
Fresca
started
off
as
hey.
We
tie
together
a
bunch
of
Linux
Foundation
tools
like
tecton
and
and
spire
and
and
a
bunch
of
other,
also
open
source
tools
into
a
secure,
build
system.
So
something
like
you
know
you
could
imagine
something
like
GitHub
actions
or
whatever,
but
but
it's
it's
it's
like
tecton,
but
with
opinions
on
top
of
it.
H
There
were
some
discussions
between
a
few
other
folks
at
open,
ssf
like
Brian,
and
there
was
some
cure
there.
There
is
some
interest
in
potentially
making
open
SF
a
bit
opinionated
about
like
hey.
If
here's
a
bunch
of
Linux
Foundation
tools
that
could
be
a
demonstrative
architecture
that
could-
or
you
know,
be
tied
together
in
a
demonstrative
architecture
once
again,
not
the
only
architecture,
not
a
reference
architecture,
but
something
that
is
like
hey.
H
If
you
use
these
tools
configured
in
these
ways,
we
think
you
can,
you
know,
secure
your
supply
chain
secure
your
applications,
Etc.
That
seems
to
be
one
of
the
things
that's
kind
of
coming
out
there,
and
so
one
of
the
things
that
was
brought
up
was
like
Hey.
Fresca
is
doing
part
of
that
already
a
little
bit
for
the
build
right.
It's
not
you
know.
Fresco
was
not
some
new
build
system
built
from
scratch.
H
It
was
tying
together
existing
sort
of
open
source
tools,
so
that's
kind
of
where
Fresca
is
today,
but
there
was
you
know
there
was
some
interest
as
to
whether
or
not
you
know
how
do
we
sort
of
expand
that
into
what
the
open
ssf
wants
to
do
with
this
in
2023?
And
how
can
we
make
Fresca
a
part
of
that
and
separately?
What?
What
else
can
we
do
from
the
Fresca
side
of
things
to
make
it
more
of
that
demonstrative
example?
H
H
B
Yeah,
no,
that's
that's
a
that's
super
helpful
and
so
I
mean
what
I
I
characterize
it
here
and
please,
let
me
know
if
I
can
close.
This
rescue
is
not
just
a
reference
architecture,
but
an
actual
instantiation
of
it.
It's
an
actual
implementation.
It's
not
just
you
know,
boxes
and
arrows
in
theory.
This
is
how
it
fit
together,
but,
like
hey
here,
are
the
actual
binaries
and
tools
that
you
use
to
create
something
that
works.
H
Yes,
yeah
exactly
yeah,
it's
intended
to
be
opinionated.
It's
intended
to
be
the
sort
of
thing
where
you
can
imagine
it
hits
that,
like
70
or
80
use
case
box,
where,
like
yeah,
if
you
just
have
something
simple,
you
have
another
Go
app
or
you
have
another
Java
app.
You
know
this
is
just
a
way
to
build
it.
That
is
salsa
compliant
and
it's
all
kind
of
tied
together
in
a
nice
way.
Where
you're
getting
you
know,
you
get
your
spiffy
Spire.
You
get
your.
H
B
A
H
Yeah,
so
there
was
this
idea
of
a
sterling
tool
chain,
and
one
of
the
things
that
was
brought
up
was
not
necessarily
that
you
know
Fresca
is
the
the
Sterling
pool
between
by
any
means,
but
sort
of
what
Fresca
is
doing
where
it's
like
hey.
We
took
some
tools,
we
combined
them.
Together
we
configured
them.
We
wrote
scripts
to
sort
of
tie
everything
together.
H
That
could
be
something
that
the
open,
ssf
is
sort
of
interested
in
is
sort
of
taking
more
of
these
open
source
tools
like
that
are
part
of
openssf
or
LF,
and
figure
out
how
to
tie
them
all
together
to
help
secure
applications,
and
then
you
know
the
for
us.
You
know
how
do
you
sort
of?
Could
you
use
some
of
these
tools
together
to
help
secure
your
supply
chain.
B
B
I
would
see
Melba
you're
so
on
on
this
one,
it
sounds
like
you
were
saying:
hey
before
we
go
after
you
know,
let's
get
kubernetes,
you
know
shipping
salsa
Providence.
We
should
make
sure
that
you
know
our
own
open,
ssf
tools
which
we
produce
and
maintain
ourselves
should
conform
with
our
own
best
practices.
Is
that
right.
E
A
A
C
B
B
If
we're
not
doing
it
ourselves,
and
we
should,
like
you
say
it's
at
the
standard
and
walk
the
walk
as
well
as
talk
or
talk,
so
I
I
know,
there's,
there's
a
there's,
a
team
that
I
work
with
here
at
Google
who've,
begun
to
kind
of
at
least
take
inventory
of
open
ssf
projects
and
and
start
to
engage
with
them
to
look
at
you
know
best
practices
and
but
I'll
make
sure.
That's
in
the
document
as
well
I
think
it's
yeah
I
mean
I,
wrote
it
as
inexcusable
I.
B
E
D
E
Don't
know
if
this
is
going
too
far,
but
I
I
almost
want
to
even
say,
like
I,
think
about
the
salsa
tooling.
Why
isn't
this
also
tooling
handled
by
Fresca
again,
I,
don't
know
anything
about
the
two
I
know
Mike
does
right,
but
why
have
multiple
tooling
right?
Why
not
have
one
tooling
for
a
supply
chain
integrity
go.
H
H
B
That's
super
helpful
for
for
me
to
understand
better
this
universe.
I'm
I'm
kind
of
I
still
have
what
Melba
said
ringing
around
my
head.
That
should
we
should
Fresca,
say:
okay,
you
know
what
we're
the
implementation
side
of
the
SEI
working
group
where
the
implementation
wing
of
this
working
group-
and
you
know
what
we
have
a
reference
architecture
instantiated
in
a
playful
magnetic
way.
We
have
a
suite
of
salsa
tools
on
the
generation
verification
policy
side.
We
also
are
incubating
tools
to
and
produce
s2c2f
attestations,
and
we
just
say
Fresca
you'll.
B
H
Our
tool
can
also
like
we're
looking
to
sort
of
support
stuff
like
scorecards
from
openssf
and
some
of
the
other
stuff's
in
there
in
Fresca,
but
I
think
it's
worth
a
sort
of
a
broader
conversation
with
just
sort
of
the
open,
ssf
Direction,
just
to
kind
of
say,
hey.
We
think
you
know
if
folks
think
it
could
be
this
thing.
It
could
be
this
thing.
I,
don't
know
like
right
now,
I
will
say
with
the
the
existing
set
of
maintainers.
H
A
H
It's
definitely
something
that
I
think
you
know
we
would.
We
would
be
happy
to
have
that
discussion
about.
You
know
supporting
some
of
these
other
things.
We
just
want
to
make
sure
that
a
it's
done
in
coordination
with
the
rest
of
the
open
ssf,
so
that
you
know
there's
a
lot
of
work
that
overlaps
with
some
of
these
other
things,
and
we
want
to
make
sure
that
we
can
kind
of
tie
tie
together
in
yeah.
B
That
makes
a
ton
of
sense,
I
mean
I.
Think
with
respect
to
resourcing.
I.
Could
imagine
like
approaching
that
in
parallel,
where
we
we
could
decide
hey,
you
know
what
Fresca
is
is
responsible
as
a
working
group
for
the
entire
tools
Universe
in
supply
chain,
Integrity
right
now.
It's
only
staff
to
support
this
part
of
the
scope.
So
this
subset
of
the
scope
is
resourced.
We
have
a
roadmap
for
this
subset,
maybe
in
24
or
25,
we'll
have
Staffing
enrollments
or
other
areas,
but
at
least
nominally
conceptually.
F
A
lot
of
folks
were
interested
and
we
tried
to
like
describe
what
salsa
means
to
different
audiences
and,
as
we've
refined
the
specification
over
time,
we
were
increasingly
realizing
that
this
is
mostly
you
know,
useful
document
for
people
creating
build
systems
and
package
ecosystems,
and
that
made
me
wonder
whether
the
kind
of
the
SEI
working
group
good
luck
at
personas
and
try
to
think
of
like
what
the
strategy
is
across.
Those
personas,
which
I
think
we've
probably
kind
of
gotten
to
already
in
the
discussion
during
this
meeting.
B
B
Without
talking.
First
about
the
problem
space,
we
can't
assess
whether
these
are
good,
Solutions
or
not,
and
so
I
think
what
we
first
needed
to
say.
What
is
the
problem?
Space
What
problems
are
we
solving
and
for
whom?
What
challenges
do
they
have
today?
Why
are
they
the
important
and
the
right
ones
to
solve?
Now
we
can
look
at
what
do
we
have
in
our
hands
and
what
do
we
need
to
go
build?
How
do
we
apply
what
we
have
to
these
problems?
Where
do
we
have
gaps?
Where
do
we
have
overlaps?
B
B
Actually,
when
we
look
closer
at
the
problem
and
the
personas,
the
people
who
care
about
the
problem
best,
you
see
to
fight
themselves
from
Fresco,
don't
really
directly
address
them
or
we
have
bigger
gaps
than
that,
but
I
think
that
what
you're
speaking
to
Joshua
is:
let's
figure
out.
You
know
what
what
like,
who
who
is
it
who's?
E
E
B
Statement
and
from
there
we
can
start
to
talk
about
Solutions
and
how
well
or
they
address
the
problems
or
not
I'm
edited
together
and
so
on.
So
I'll
I'll
take
that
up
as
something
I
can
add
to
the
document
and
again
we
can
continue
to
iterate
on
it.
Offline
I
have
I
think
just
met
a
comment
quickly.
I
have
been
super
encouraged
by
the
amount
of
review,
comments
and
people
reading
the
doc
and
throwing
in
comments
and
ideas
and
thoughts
and
asking
for
clarification.
B
It's
awesome
to
see
this
level
of
collaboration
and
I
want
to
say
thanks
to
everyone
who
did
that
and
just
encourage
you
all
to
to
jump
in
and
if
stuff
isn't
clear
and
comment.
If
you
things
could
be
worded
better,
go
and
make
the
suggestion.
I
am
we're
going
to
end
up
with
a
much
better
document
for
the
fact
we
have
a
dozen
people
working
on
it
than
just
one
or
two.
So
thank
you.
B
With
that
said,
we've
gone
to
talk
to
the
bottom
through
the
doc.
Looking
at
comments,
I've
obviously
got
a
bunch
of
follow-up
work
to
do
to
address
and
much
of
this
stuff.
Unless
there's
anything
else,
we
want
to
cover
on
this
topic.
We
can
move
to
the
next
one
and
I
think
Melba
you
how
you'd
have
added
2023
future
robot
priorities
is
that
right.
E
Yeah,
so
that's
where,
for
folks
that
weren't
here
in
the
last
the
last
meeting
for
last
year,
I
had
brought
up
this
this
topic,
which
resulted
in
this
document
that
Isaac
created,
and
so
it
sounds
like
you
know,
we're,
and
it
looks
like
we're
very
much
coming
to
an
alignment
on
the
vision
and
the
next
step
would
be
okay.
Once
we
have
alignment
on
the
vision,
what
do
we
think
we
can
accomplish
in
2023?
E
E
E
F
E
F
I
mean
that's,
it's
not
a
criticism.
It's
a
challenge
right
because
a
lot
of
the
co-located
well
a
lot
of
the
Limerick
foundation.
Events
are
larger
in
North
America.
They
have
more
kind
of
participants
in
North
America.
More
of
the
folks
doing
this
kind
of
work,
as
evidenced
by
this
call,
are
based
in
North
America.
And
how
do
we
there's
a
challenge
ahead
of
us
as
a
lonely
European
that
how
do
we
pull
it
over
and
have
discussion
here
too?
F
H
Oh
yeah,
so
yeah
there's
a
couple
things
I
and
I
Echo
Joshua's
comment
there,
and,
and
also
there
was
actually
a
surprising
amount
of
folks
over
in
Japan
who,
who
I've
been
poking
around
with
with
salsa
as
well
I.
Don't
I
I
know
that
one
of
the
things
that
should
also
be
a
goal
for
us,
as
well
as
I,
think
to
see
how
we
can
help
Foster
some
of
those
folks
who
are
not
on
a
time
zone.
That
is
makes
this
sort
of
time
work
for
them.
H
You
know
the
whether
it's
salsa
or
just
you
know
the
supply
chain,
Integrity
working
group,
so
that
could
be
potentially
gold.
The
other
thing
I
was
just
going
to
say,
is
I.
Think
I
think
we
should
push
on
the
Open
ssf
Leadership
a
little
bit
to
do
something
similar
to
what
the
cncf
does
where
they
have
like
a
maintainer
track.
H
So
as
opposed
to
us
needing
to
pitch
talks,
you
know
if
the
idea
here
is
like
hey,
you
know
a
couple
of
members
from
salsa
the
supply
chain,
Integrity
working
group-
you
know
you
like
the
supply
chain.
Integrity
working
group
will
have
something
like
x
amount
of
talks
assigned
to
them
and
then
they
can
figure
out
like
okay,
we're
gonna
have
one
talk
on
salsa
one
talk
on
S2
c2f,
another
talk
on
implementations
or
whatever.
A
B
Makes
sense
to
me
and
I
think
Melba
to
your
point
about
actual
kind
of
you
know
what
what
work
can
we
align
to
this
stuff?
I?
Think
potentially
I
mean
not
wanting
to
get
too
horribly
corporate
about
it,
but
you
know,
potentially
we
could
we
could
turn
you
know
we
got
2023
priorities
or
proposed
ones
in
this
SEO
working,
Group
doc.
We
could
reformulate
those
priorities
in
terms
of
things
like
objectives
and
then
we
could
look
at
mapping.
A
B
Results
on
those
objectives-
forgive
me,
but
something
along
those
lines.
I'm
not
worried
about
okr
is
but
actually
getting
specific
about.
Okay.
If
we
think
that
these
are
our
priorities,
what
specific
work
are
we
going
to
do
and
what
specific
outcomes
are
we
going
to
look
to
enable
and
how
will
we
measure.
B
And
how
will
we
talk
about
progress
towards
them
and
so
on
and
so
I
think
what
you're
speaking
to
is
well
yeah,
it's
great
to
have
the
vision,
dark
and
some
of
the
orients
and
guides
us.
But
then
we
need
to
say:
okay,
there
is
actual
work
to
be
done
and
and
things
that
need
to
be
typed
and
conversations
that
need.
C
B
B
Okay
with
that
too,
but
I
I
would
like
this
working
group
to
get
into
a
mode
of
you
know,
default
collaboration
happens
in
between
meetings.
Meetings
can
provide
a
sync
point
and
a
roll
up
and
a
you
know
just
a
checkpoint
to
look
at
course,
Corrections.
Obviously,
a
lot
aligned,
but
a
majority
of
the
work
should
happen
in
the
30
days
between
meetings
rather
than
the
60
minutes
we
have
together
each
month
Michael.
We
have
one
more
gender
item,
which
was
the
road
map
for
Fresca.
We've
only
got
four
minutes
left.
H
Yeah,
so
so
we're
actually
the
the
thing
was
going
to
be.
So
our
meeting
is
every
other
Wednesday
at
10
a.m.
So
actually
it's
you
know
not.
Today,
it'll
be
next
week,
and
next
week
we
are
looking
to
maybe
work
on
the
2023
roadmap.
Most
likely,
one
of
the
big
things
we're
working
on
is
we're
building
out
using
q,
a
pretty
much
a
framework
for
configuring
and
tying
everything
together
inside
a
queue
where
the
big
idea
here
is.
H
You
know
we
would
make
it
very,
very
simple,
almost
trivial,
for
you
know
an
end
user
to
just
sort
of
plop
in
their
go
code,
their
Java
code-
and
it
would
automatically
sort
of
you
know,
apply
salsa
and
S2
c2f
and
Etc
all
in
there,
and
so
we're
looking
for
sort
of
a
collab
operators
on
some
of
that
stuff
that
that's
the
yeah.
That
I
think
is
the
big
one.
We're
also
looking
to
maybe
even
have
an
initial
sort
of
like
pre-v.
H
B
Cool.
Thank
you
awesome.
This
has
been
great
super
productive
and
again
really
appreciate
all
your
collaboration,
leaning
into
the
document.
The
discussion
I
welcome
any
feedback
you
want
to
provide
offline
or
continue
edits
and
comments
in
the
doc.
I
got
a
whole
bunch
of
work
to
do
to
incorporate
some
revisions
from
audio's
feedback
and
then
I'll
continue
to
Ping
in
slack
and
poker
people
and
and
nag
you
all
to
to
help
make
this
awesome
in
time
for
next
month.
Thank
you.
Thank
you,
Mike.