From YouTube: Supply Chain Integrity WG (December 14, 2022)
A: All right, let me quickly pull up the agenda, though.

A: Everyone having a link to the agenda doc, I think we've got a fairly short agenda today. Melba, it looks like it is basically you here.

A: This call is being recorded; your time to drop, if you don't like that, is now. And then also I'd like to invite anyone who's new on the call and who feels like introducing themselves: now is your chance to do that. Do we have anyone new today?

A: Sweet, good to meet you.

E: So I've been on a couple calls but I didn't introduce myself. I'm William, I'm a professor at NC State. I do research broadly across system security and recently focusing on software supply chain.

A: Melba, I think you're the only one with agenda items today. Do you want to kick us off with the first one and we can...

D: Yeah, and thanks Isaac, and apologies for the raspy voice, I've been hit by the tripledemic, so bear with me. So yesterday, during the SLSA positioning meeting, we were trying to figure out, you know: how do we improve for 2023, right? How do we make sure that we're doing what we're supposed to be doing, that we're coordinating with the other teams? And so really, because SLSA is underneath the Supply Chain Integrity working group, FRSCA is underneath, and now S2C2F.

D: It would be good to have some level of priority slash roadmap from the broader team of what we should be doing collectively together, because we're off on our own doing our own thing, and I feel like we could be more effective if we start putting our heads together and collaborating more, and I know...

D: Jay has been a big proponent of that during several meetings, and the reason why we bring that up is because whenever we try to do any positioning blog, a lot of times we don't have insights into what some of the other groups are doing, and so then we're kind of stuck. And so this is a recurring theme not only within SLSA, but then, you know, for the peer teams of SLSA as an example.

D: So do we have a list of what we want to accomplish from a supply chain integrity perspective for 2023 collectively? If yes, you know, does that mean that we can potentially... I know this meeting's monthly, but maybe on the bye week, maybe the leads get together and have a discussion, right? Because I think once a month is not enough for the leads. So just trying to get thoughts on this particular topic.

A: I agree with everything you said. I mean, I think that, I mean, my observation, and I'm relatively new to OpenSSF.

A: I think then we have individual working groups here: SLSA, we have S2C2F, we have FRSCA, we're various groups doing various things at ground level. What we're missing, I think, at the level of this working group, Supply Chain Integrity, is: what is the overall vision for supply chain integrity, and how and in what way are we substantively moving towards realizing that vision? And I think that's what you're describing, that the individual groups are progressing, that things are happening in SLSA land.

A: Things are happening in S2C2F land, but to what extent are they enabling something at a higher altitude? To what extent are they contributing towards an overall supply chain integrity vision? That is something which we're lacking, I think, in the OpenSSF: a really crisp articulation of what is the vision for this working group, supply chain integrity overall? How do these pieces fit together and contribute towards that vision? And is that a fair restatement of what you said, Melba?

D: Yes, correct, right. And then, you know, once we do have that vision, the coordination, right. Again, this meeting once a month with the leads is not enough, right. I'm sure there has to be at least another checkpoint in the month to say: okay, this is what we are having issues with, or whatnot. Could it be offline? Sure. But we all know we have day jobs and it's hard to coordinate schedules.

D: So this used to be a bi-weekly. Maybe we do keep it as a bi-weekly, but the middle one is really meant for the leads to catch up versus the broader community. I don't know, but it was just a thought. So those two topics were really combined instead of separate, to try to further the cause, right: be more productive, have more tangible outcomes, because I know I'm struggling with that from a positioning standpoint in SLSA, and so I'm going to have the same conversation with the SLSA group tomorrow.

A: I mean, again, my motivation, having seen this meeting go from bi-weekly to monthly: I think that it's because we didn't have enough of a framework at this middle altitude here, that we didn't really have much direction for this group. It didn't seem like there was much to talk about; no one really quite knew what we were doing here, and so the meetings became ineffective, lower in value, and so, you know, we slipped it down to once a month, because we weren't getting much value from it.

A: I think if we had, you know, a vision which we all agree with and we're all bought in on and we're all working towards, I could imagine a bi-weekly cadence making sense, because hey, we're all in alignment, we all agree where we need to be in 12 months' time, we're all chewing through a list of items to get there, and we can make progress on that at a bi-weekly cadence.

A: So I almost think that the fact that this is a monthly meeting was almost, you know, an outcome of this, of not having the necessary structure at this level to make the meeting useful. Jay, you are uncharacteristically quiet. What are your thoughts on this?

F: Well, you know, I echo that, and you know, Isaac, you and I have had many conversations about this, and on the other hand, Melba and I have as well. I came in many, many months ago now, I came into the OpenSSF, and then of course, when we were originally pitching what was the OSS SSC Framework, and of course we changed the name when it got adopted.

F: The whole idea was collaboration, partnership, and then that 360 degree view around supply chain security. And, you know, I'll say the same thing once again in terms of visioning for the working group itself. I think the working group's vision, I mean, aside from mapping to the overall mission and vision of the OpenSSF and of course where we fit in that, I...

F: Let's get things together on paper as sort of our general roadmap that'll map with our mission and our vision. And also you and I have talked about this in terms of... and we really didn't know what that looks like, so I'm glad Melba articulated it. But even you and I talked about this: this should be something in the middle somewhere, and we don't know, like...

F: But you know, we have the SIG meetings and we have the subcommittee meetings, but there's got to be something that happens in the middle there, where we build that connective tissue between what each respective SIG is doing, and then how that maps to the overall vision and mission of the working group, and then maybe even how that maps to other working groups like the End Users working group, the Best Practices working group. You know, I mean it does, because, and of course, attending some of the tech meetings,

F: some of the planning meetings and everything else, and the diagram of society meetings, there is a big push to figure out: we have so much going on across the breadth of the OpenSSF itself. What we're losing traction of is how we all work together and collab together towards our outreach, to whether it be the U.S. government, you know, the EU, and how everything that we're doing affects policy, procedure and guidance across the globe.

F: So I think there's now a requirement for us to get a little tighter with some of the things that we're doing, so that we can meet those thoughts and those ideas a little bit easier collectively, right. I said a lot just now.

A: I think that makes a lot of sense to me, and I think, I mean, at this level, I think it would be difficult for us to, hey, you know, establish the nature of how we work with all the other groups in the OpenSSF until we have something in place for how we think about supply chain integrity. It feels like we should start with: what is the vision for this group, the Supply Chain Integrity working group? And once we had decided,

A: okay, here's our scope, here's our charter, here's what we think matters, here are the outcomes which we're driving towards, at that point we can then go, okay, well, how does End Users fit into that? How does, you know, tooling fit into that? How do we represent this work best in the diagram of society, and so on? And I mean, thinking about this Supply Chain Integrity working group, actually I'll pause, Melba, you have your hand up.

D: I was just curious if somebody knows where the charter is for this group. I don't know where the repo is, if there even is one, or if there's a website.

E: So I had just sort of a quick thought here, and I'm not on many working groups, so feel free to ignore this. But from what I'm hearing, there's a lot going on, because there are now three different efforts going in here, you know. One of the purposes that this working group could serve is really as a sync point going towards that larger vision, and you could have a little bit of structure in terms of the three sort of sub-projects coming in.

A: I think that's fair, and so I think, but I come back to, like, we should... it seems like the mechanism for achieving our vision, and like the meetings that support it and the agendas for those meetings and how we structure them, the types of issues we bring up, are all ultimately subservient to the vision itself. Like, without having that vision agreed, and we're aligned, and we're agreeing this is the direction we're headed,

A: we can then talk about how many wheels we need on the car and who's holding the steering wheel and who's going to change gears and so on. I'm going to throw something out there. It seems to me, looking at S2C2F, looking at SLSA, looking at what we have in common with supply chain integrity,

A: it seems to me that one, a straw-dog vision for the Supply Chain Integrity working group could be: this working group is about scalable, standardized practices for supply chain security. And today we have SLSA, and SLSA has specified a set of scalable, standardized practices for build and provenance, and we have S2C2F, that is a standardized, scalable set of practices for dependency management, another important part of supply chain security, and so they fit together into this vision and contribute to scalable, standardized practices for supply chain security. And what?

A: If I was put on the spot, and if I was in charge of the world, and someone said to me, what should the vision for supply chain integrity be? I would say we should come up with a single framework, a pragmatic supply chain security framework covering the key functional areas, and it's a single framework, and so we'll take the best of SLSA for build and provenance. It would take the best of S2C2F for dependency management.

A: Let's build something up for vulnerability management, let's build up a set of best practices for source code management and how fuzzing is done, and then we have an overall framework covering the key functional areas, or the key functional concerns, of supply chain security, as a single framework, and people don't have to worry about whether it's called S2C2F or SLSA or FRSCA, or what acronym it has. There is a framework. The OpenSSF has a framework, a single one, for scalable, standardized practices for supply chain security.

A: That would be my vision for this group: that we come up with a framework, and S2C2F concentrates on where its center of gravity is today, around best practices for dependencies. We have SLSA concentrate where it is today, on build and provenance. Let's stand up another group thinking about source management or vulnerability management or fuzzing or other key functional areas, but let's assemble these into a single unified framework to address this problem space as a whole. I'm going to pause there. Adali, you have your hand up, yeah.

B: Just kind of like to make sure, on the framework that you're mentioning, right, from the sounds of it, and that's the question I was going to have, is we want to make sure that that framework covers the enterprise level effectively, right, not only the pipelines per se, right. You jumped into vulnerability management, teams and other areas that comprise an enterprise. So I guess, yeah.

A: And I think absolutely, and I think some of these practices, I mean, the interesting thing looking at these is that build and provenance, these practices, they can be encoded by a trusted builder, and we can say I'll put my trust in the builder. If the builder has built an artifact, it can tell me it's hermetic, it's isolated.

A: They produce attestations related to those practices which flow downstream in the supply chain. Consuming organizations can then implement policy based on, you know, I'm not going to deploy anything that's below SLSA level 3, or I'm not going to be interested in any artifacts which, you know, aren't conformant to S2C2F level 4, or whatever it may be, and then consuming organizations can realize a security benefit too, and so you get both sides of the equation in here.

A: You get better practices upstream and you get better assurances and policy downstream. So it seems to me, and I guess my difficulty is: what do we need in terms of establishing a vision? Like, I've thrown out a straw-dog vision. I'm happy if people want to tear it apart or suggest any alternative, or say why this isn't appropriate, or why, you know, six frameworks would be better than one.

A: It feels to me like having an OpenSSF framework which decomposes the problem space into key functional areas and then standardizes scalable practices in each area, if we deliver that, bang, that's kick-ass, it seems to me, and I think we've got some great raw materials in SLSA and S2C2F. Melba, Jay, anyone else on the call, any opinions on that, and what would be the next step if we think that, okay, this is within a standard deviation of the right vision? How do we iterate and get to the right one?

F: Yeah, you know what, I love that. I'll be absolutely honest, I love that, not just for this working group, but I love that for the OpenSSF itself. You know, if we think about that concept, and then the overall, you know, think about it in the context of the OpenSSF and what the OpenSSF represents currently, and then what it's aspiring to be across the globe, and being the de facto, hey,

F: if you want to understand open source security, you come here to understand it. For us to develop a universal framework that can be accepted globally, and then have, as the foundation of that framework, SLSA, S2C2F, the tooling with FRSCA, and we come up with any other things, those gaps, that's phenomenal! That's good!

A: Yeah, I dig it, and actually you brought FRSCA in really easy, because it feels to me like FRSCA is almost a reference implementation. This is demonstrating how to make it real. This is demonstrating how it works in practice, and it's a valuable proof point that this is not just an academic exercise, because hey, yes, we've got these frameworks, but we also have a real-world illustration of how this works, with, you know, tooling and automation around it.

D: Yeah, I definitely like the vision. It's just making it a reality, right. We need to get the leads together to make sure that we all agree, right. I know it's very light today, probably because people are on vacation, but I love the simplicity of the vision, and now it's just a matter of, okay, how do we go execute so that we're talking to one another, we're not stepping on each other, but we are marching towards the same, you know, beat of the drum kind of thing.

A: I love it. So let me, I mean, there's a practical next step. Why don't I just write up something quick, and I mean I can share it in this Slack channel. Like you say, it's quiet right now. The next two weeks is going to be very, very dead indeed, and maybe if I throw a Google Doc into the channel, we can all pile into that and work on it. I'll make it open for editing.

A: People can comment, refine, help tweak between now and the next meeting in a month, and then at the next meeting in a month, maybe we have a bigger attendance, and we could even kind of try to rally people to come and say: hey, we're going to kick off 2023 by reviewing this draft vision that we have, and you know, hey, we've had Jay give us a rough thumbs up, Melba, there's a rough thumbs up. We've had the seven people in this call today

A: look at this, and kind of like, it's just me riffing on it, but nodding along with it so far. And if we get it into a Google Doc, refine it in time for the next meeting, maybe we can get a bigger attendance to actually kind of begin to rally around it. I would love to see that. Got to start kicking off 2023 with, yeah, we're all nodding along, we're all singing along with this thing, and it gets us, and then I think we, yeah.

A: We move this meeting to a bi-weekly cadence and we're tracking, okay, we have a vision. Now, you know, do we have SLSA that contributes towards that vision? Do we have S2C2F contributing towards that vision? What's the next functional area that we want to go conquer? How do we standardize that? I think the enterprise use cases, the enterprise relevancy of this, is super interesting, but I think that, I mean, part of the value that OpenSSF brings for enterprise is really establishing...

A: Today, it's establishing a common vocabulary, a common reasoning framework, a common conceptualization of the space, and it feels almost to me like if we can produce and deliver against this vision for open source, every enterprise, every substantive software enterprise in the world, is a consumer of open source, and so these practices, these frameworks, these manifestations, this metadata will flow transitively into enterprise anyway, because enterprise consumes open source, and maybe that's the vector into enterprise.

A: Adoption here is that every enterprise on Earth today, you know, within a tenth of a standard deviation, is a consumer of open source, and so as we produce SLSA attestations, S2C2F attestations, you know, other metadata, these will flow into enterprise, and enterprise will begin to build policy engines around them, and once they have policy engines around them, there will be an incentive to adopt these practices internally and fit into the same policy framework.

A: Again, I'm riffing here, but Melba, I appreciate you bringing this into the agenda, because this is something which has definitely been lurking, and I think it's hindering this group as a whole that we do have this missing middle that you and Jay are pointing to. We don't have a strong vision at this altitude to pull all this stuff together in service of what it is supply chain integrity means to OpenSSF, and if we can fill in that gap, we're going to have a much better '23.

E: Agreed. So this was, forgive me if this is entirely obvious, but I think that the thing that I really honed in on, Isaac, in your message, is this scalable aspect, because if it's just standardized practices for supply chain, like, that's just too generic and too vague, and the standardized aspect, I think, kind of really takes it to something that there's a goal, something that can be measured.

A: Totally, and actually, I mean, we might as well, yes, and to that, we might as well say: okay, in service of this vision, what each of these words means, and when we say scalable we mean, yes, a uniform approach across languages and ecosystems. Yes, we need, I mean, automatable, and automation wherever possible.

A: Perhaps we also mean, like, implementable at key points of leverage in the ecosystem. For instance, like, hey, package managers, you know, they're a point of leverage for package distribution and they're a very natural trust boundary, which is useful for thinking about what does SLSA look like end to end. And so, yeah, we can start looking at what scalable means to us and then define some principles for how we prioritize and make decisions based on how we approach this vision as a whole. But I think, yeah.

A: You raise a key point, that it's not just about, hey, we'll throw some best practices into the world. It's like, how do we make these, you know, automatable, implementable at scale, uniform across languages and ecosystems? What are the key points of leverage for establishing, you know, the right trust roots, and, you know, how attestations flow throughout the supply chain?

A: Thank you. I'm sorry, I'm super terrible at taking notes while I'm rambling. Maybe I should take more notes and ramble less. That's...

A: So I think, so I'm happy to take the action of kind of sketching this out. I mean, I can have something and put a doc in the channel that we can all look at and work on and ruminate over the holidays on, in the next day or two, and we can maybe use that to start to drive initial consensus, and then once we have that kind of, almost, nucleation site of consensus, we can start to build outwards upon it, get consensus across,

A: you know, the Supply Chain Integrity working group, you know, when we have, you know, a broader set of attendees, and then from there we can start. We can then formalize by saying, hey, OpenSSF, we've, you know, we've reimagined our charter and vision. Here it is, this is what we're pursuing as a working group. Here's how SLSA, S2C2F, FRSCA and everything fits into it. Here are the gaps we're going to fill in '23, and here's how we see other key partnerships in OpenSSF.

D: I'm excited. Again, I had selfish reasons. I felt like the positioning working group, we had a lot of energy, we had a lot of ideas, and again the left hand's not talking to the right hand, and it made us pivot too many times to the point where we could not deliver effectively, so I'm trying to avoid that mistake again in 2023.

A: The other thing that occurs to me, and Melba, Jay, you maybe have thoughts on this too, is that if we did have, you know, a crisp articulation of what we think this group is about and what collectively we want to get done and where we're headed at the supply chain integrity level, I think we could even start to look at what organizations and people and other things do we need to pull into this group to make it happen, right. I mean, we have representation from Microsoft, from Google,

A: you know, from IBM. Are there other organizations that we would want to pull in and actively solicit contributions from? Like, it would be great to have, I don't know, someone from npm come into this group, and from a packet or something from PyPI, or, you know, if we think the package managers are a key point of leverage for us for achieving this vision, we could decide, okay, let's go to npm and say: hey, we've got this idea, can you provide an npm rep?

A: Can we pull in a PyPI rep? Can we pull in a Rust crates rep? You know, what other key points of leverage are there in the ecosystem that we don't have access to, that we can actually go and establish access to from this working group? Again, I'm just kind of thinking out loud here, but it feels to me like once we have this kind of vision that we all agree on, we can even look at, you know...

G
So
hi
this
is
Ono
I've
been
listening
and
I
I
want
to
interject
on
this
I
completely
agree
with
you
and
I
mean
earlier
we're
talking
about.
You
know:
revising
a
charter
and
basically
telling
openness,
stuff
hey.
This
is
what
we
want
to
do.
I
mean
practically
speaking.
This
is
going
to
the
tag
with
your
Charter
and
say:
hey.
We
are
revising
your
Charter
in
such
a
way.
Is
it
really?
Okay?
Are
you
we
want
everybody
to
be
aware
and
the
next
step.
F: Yeah, I was going to add to that. You know, we go down the road that we're talking about, right, and we let what we're doing at a foundational level drive the umbrella, right. We come up with that framework, and while we're coming up with that framework, why we're coming up with it and what the role of the framework will be.

F: Reach out to them and bring them in, yeah. They may not necessarily know the breadth of what we're doing across the OpenSSF. It might even be an avenue for us not only to bring someone into what we're doing here at this working group, but maybe open them up to the OpenSSF, period, and then they'll be able to bring other people into other working groups, right. Yeah.

F: Across the board. So, like I said, I think this is fantastic, I think what we're talking about here is fantastic. We got it down in the notes. You know, you, I, Melba, we're all over the place, so I mean, I can't wait for 2023 with this. This is going to be our thing.

A: I feel like, so I'll have something in the Slack channel by the end of the week, and it may be a little bit rough around the edges, but it'll at least be a doc articulating some of, you know, what we've talked about here. Maybe I'll put some placeholders in that we can fill in with the kind of, you know, operating principles, and then how we'll, you know, to William's point about,

A: you know, how we operate and how we make things scalable, and then we can work on that ahead of a meeting in a month's time, and then at the meeting in a month's time I will actively ask people to come and attend, because we want to, you know, do a 2023 kickoff around, you know, this draft vision that we have.

A: And Trevor, awesome. Okay, I think that we have a plan here. Melba, thank you again for bringing this and putting this on the agenda and bringing the perspective and giving us all the kick that we needed, and also for taking notes behind my rambling. I really appreciate it.

A: With that, I'm going to call this to a close. Thank you again. I hope everyone has a great holiday season, whatever that looks like for you all, and I will see you all in January, and let's get us into a great position to have a kick-ass '23.