From YouTube: Supply Chain Integrity WG (March 14, 2023)

B: Fun and interesting, yeah, cool, cool, cool. I don't know if I've talked to you since you actually officially started. I don't know if you're... are you Alpha-Omega, something else? I'm not sure how to categorize you, but.

A: I work for the Linux Foundation. I am a part of the Open Source Security Foundation staff, I work for, but yes, I'm part of Alpha-Omega, predominantly a security researcher for Omega, okay.

A: Three, technically, now that Amazon has funded the project, so yeah, yeah. Hello, Michael.
E: Folks, hey folks, sorry I'm late, still trying to get situated from travel last week.

E: Let's see, trying to get things on here. So we have Bruno. I don't see Mike or Jay, but I'm sure that they will soon give me a sub-project.

E: And then I don't see an agenda for today, but I remember Isaac saying that he added something to the agenda.

F: Yeah, I put them in the... I put some items in the agenda, Chorale, at the top of the kind of the next-time section. I didn't want.

E: But I was in New York for some training and then mingling with executives all.

E: Yeah, so it was quite the event, very much enjoyed it, but let me... I definitely am still recuperating from all that mingling. I'm not a mingling kind of person. It takes a lot out of me, so to be on all the time was just.

E: Let's see, virtual I'm okay, actually; in person is a different story. Okay, so agenda. It sounds like Isaac, you had one. Well, where is yours? I see it now. And then Tracy, you had one. Where's yours, Tracy? I can't. Did you write it on.

B: Name, that's the SLSA plus plus one, Tracy, like that: okay, okay.

E: One, and then there's this. Okay, so I'm gonna get rid of those two from up here, and then before we start those I would like a quick update from Jay Bruno from last week, but I do want to say congrats to the team that we got two accepted talks for OSSNA Vancouver. We got two waitlisted and one declined, so I still consider that a success.

E: Yeah, so now it's just hoping that, you know, someone drops out so that our waitlisted stuff makes it, so we'll see.

E: Yeah, I think the deadline is Friday, so we'll have to talk about that towards the end, because I know we have a lot going on with the blogs and stuff update, and then I'll put that at the end, and then OpenSSF Day CFP. Okay, so Jay, like Bruno, can you give a brief update from last week again?
H: Sure, so there was a bunch of... one second here. So there was a bunch of updates regarding some of the blogs. Some of them had actually, I believe, gone out already. I...

H: Okay, yeah, so beyond that, there didn't seem to be a lot of folks who had progress on some of the other blogs. I know that there were some folks who are still doing research and doing some of that sort of stuff. So I have a graph that I'm still working on, which I still have a blog here for, which hopefully folks can see. It's, once again, still very, very early on.

E: I'm gonna copy this table back up. Okay, so that way people can see it. Oh sorry, I'm not sharing my screen. No.

E: So out of touch right now. It's not... like I said, I'm all over the place. I think you can see. Yeah, I don't know, we're seeing too much, but now you can see less. Okay.

H: And depth also. So yeah, so you know I'm still working on it. I think I'm taking... it's hard, because I also need to help out with the SLSA specification and some of the other things. There seems to be... I think one of the things that's growing a little concerning for the release is there still seems to be a lot of pretty serious confusion around some of the definitions around SLSA, around...

H: Why we... for some folks, either we made it too restrictive, and for other folks we've opened it up where SLSA is not particularly effective, and I think both of those are misconceptions. I just think we need to do a better job at really making sure that the definitions are crisp and clear and that the intentions are crisp and clear, and so we need to do a lot more to do that. You know, so for example, some of the definitions around isolated and ephemeral are causing confusion.

H: A lot of folks who sort of think that, you know, and I think it's a misconception, but they're thinking that, you know, there's whispers of like, hey, have we made...

H: Have we made SLSA too easy, specifically so that certain companies can look like they fully adopted SLSA and they're good, and you're not actually hitting some of the... not actually stopping supply chain attacks? I think, and to be clear, I don't think that's actually the case. I think it's a misconception, and I think, with that said though, that misconception can lead to folks saying, yeah, I'm SLSA compliant, because my interpretation of isolated and ephemeral is this thing.

H: Is mostly just around stuff like: why are we splitting up SLSA, or, you know, why is SLSA split up into those different tracks, and more or less just sort of saying, you know: oh, the reason why the build is super important and we believe that source is just a separate set of things that you want to make sure is clear and consistent, whereas the build, you just carry that what I pulled in is what I said I was going to pull in, right?

H: Even if that thing is nefarious, right? The whole point of SLSA provenance is you are establishing provenance: you know where that thing came from. So if it didn't do the right things, then you could always go back, and you're not running into a situation like the, you know, SolarWinds Sunburst, where they thought they were building the right source code, but it turned out they were linking to something that was malicious and they had no way of actually seeing that.
E: Okay, so I know these two are very... they're talking about similar things, and I've not started anything since I was on work travel last week. I don't know if Chris K is on, but I know that this is something on my to-do list, and Chris K, so we'll have to coordinate to make sure that this was specifically about diving deeper into build and source.

C: Right, I also consider myself sort of a newcomer, although I've been in near orbit or in the periphery of things for some time. Hello, all. I wanted to chime in to what Michael was saying: I wonder, Mike, if some of it is a function of what we discussed during the spec call yesterday, of there's the perception from people seeing 1.0 that, oh, this is done and it's ratified, and they're putting a lot of energy on "we need to form a solid understanding of these definitions and live by them."

C: I wonder if it's a function of, well, this is evolving, and this is subject to get more refined over time, and that could be what you're writing here, or that could be a roadmap, a public roadmap with a midterm, long-term horizon. Even going back to the discussion around, well, how do we convey big changes of definitions? Is it... do we bump a major version of SLSA? Do we do minor versions, and people are going to scramble and be scum? So in order to front-load or pre-load...

C: What is expected to change? I wonder if a, like, an artifact, not quite a vision, not quite a roadmap, but in between, obviously with the proviso that these are forward-looking statements and what gets caught within a quarter might change, but yeah, just from the end-user perspective, so there's, like, less cognitive overhead around, or attaching too close to, what things are called today.

B: Something pseudo-newcomer around OpenSSF a little, but my name is John Speed Meyers and I work at Chainguard, and I've never been to this particular group before, so nice to meet you all.

J: Yep, I'm also new to the group. I just joined ActiveState, and so ActiveState has been hovering around the secure supply chain and compliance space for 20 years. So I thought it was time that we jumped in to work with you guys. Great to meet you.
I: So, to add to that, right, so I think a large part of that is to make sure that, with respect to SLSA build, that we differentiate what's considered... what the evolution of those specs is, right, 1.0 versus 2.0, and I think we were talking about something like that yesterday. But then, when we come out to source, source is a whole new 1.0. It does not... because I think what happens is, you know, especially with what I'm hearing, is people are assuming.

I: That said, well, if I'm a consumer of this and you're telling me that you split up between source and build, and you got the 1.0, what happens when we come out with source, or we come out with something else? It's going to change dramatically what now constitutes meeting level one or level two or level three, right? How do I trust the spec now to do what it says it's going to do, if, by me saying I've met level... if I use version one and I'm at level.

I: There's another SLSA track. You can have version one or version two build. You can have version one source, that it can be very confusing, but I think if we do the work to make sure we parse these things out so that they're understood, that, hey, just because you meet one does not mean you meet the other. You still need to do work and due diligence to meet the other, or maybe the other doesn't apply to you at all.

I: Maybe what applies to you is just the build, right, and we do our best effort to organize our thoughts and deliver that kind of message, or communicate that appropriately, so that those that are consuming this are consuming the right ones when they need to consume it. Yeah, that's my two cents anyway, and please, if I'm not understood, I'm sure somebody else will chime in and add a little bit more color, yeah.

C: And in a way you have expressed this before with transitive identities, transitive dependencies, and leaving those out of scope at one point. Like, Mike, you remember saying: well, we can't solve all the things right off the bat, so we have to start off with what is feasible, but again, from a consumer perspective, people are going to be: tell me what I need to know up front that is expected to change.

H: Your hand, yeah, yeah. So actually one of the things, you know, I think that it would be worthwhile is to kind of... we need to clar... you know, a meta issue for SLSA that we need to kind of clarify is, you know, stuff like what to expect between versions, so that folks understand, like, if I'm on version one, and, you know, a minor release will update these sorts of things.

H: A major release will update these sorts of things, and this is what folks should expect. And then, at the same time, also I think we really need to make sure that we're crystal clear with, hey, 1.0 is designed right now, I think, to... like, once again, this is an actual example here, based on a lot of our conversations, 1.0 is designed to hit certain attacks against the build, right?

H: It doesn't prevent folks from ingesting bad source code or bad dependencies, but what it does do is, if you're at a high SLSA level, like SLSA level three, you should have increased confidence that, yes, your build builds something malicious because we can go back and look at those dependencies or look at that code and know that, yeah, it pulled in the wrong source code. Whereas if you're only on SLSA level one...

H: Then you can't really be sure that, you know, what's being reported is actually accurate and wasn't tampered with, similar to something like a Sunburst-style attack where, you know, it pulled in the right source code, but then the build was actually compromised, and so you thought you were linking against this library, and you ended up linking against a different one.
F: Yeah, so I mean, I think, you know, I agree with everything that's been said, and Mike, certainly, like, I think providing some clarity around where this thing is going, I think, is the theme of what I'm hearing: where we are today, what you can expect to get from where we are today, and then what you can expect over the next six to 12 months, say. And so, you know, at the top of the year I shared this.

F: This document about, you know, hey, here's a proposed vision for this working group, for the SCI working group, and that laid out exactly this kind of, you know, what I was hoping to get alignment on with respect to kind of where are we going, and if we can get agreement in the SCI working group around the vision in the document, we can start communicating about this externally. And, you know, one of the things the document was proposing was, hey.

F: I would like us to get agreement on: hey, dependencies will be coming over time, and what we'll do there is we'll say there's all this great work on S2C2F, well, let's fold that into SLSA too, and let's have that become the SLSA dependencies track, and let's start unifying on a consolidated roadmap for supply chain integrity in the OpenSSF, and our, you know, our vanguard, our marquee framework here is SLSA. We have a great base to build on: 1.0, we've got build and provenance covered, source.

F: Let's start talking about vulnerability management in a subsequent version, but I think that a precursor to being able to articulate the future is broad agreement in this group about what the future looks like, and that's what I was trying to get at with the vision doc, which I shared at the end of December. And so, like, I realize there's a whole bunch of open comments in that doc, which, you know, is on me to kind of go and start processing and resolving.

F: But I would love to start to get a consensus in this group around, you know, broadly, we consider directionally that enriching SLSA over time with additional tracks or additional sets of concerns, you know, and going down that list in priority order, is where we're going as a team, and, you know, we will layer in source, we will layer in dependencies, we will layer in vulnerability management, whatever that may be. If we can get agreement on that, then definitely we can start articulating to consumers.

F: Here's where we are today, here's what you can expect in six to 12 months, and here's what you can expect in 24 to 36 months. And I think, you know, if people are nodding along with the document and where this is at, like, we can begin to communicate that today.

C: Still, there are a lot of things that are NP problems, just like things that computer science hasn't tackled, so being very clear on, like, these things are not at all in scope because we just don't know how to solve them as an industry. It's probably important to tackle those misconceptions, and yeah, no matter how things are going to evolve, like, just from a... like, unless you constrain the problem, you're not gonna ever get to, like, solving the provenance of your, like, silicon and, like, the sand that's making up your silicon.

F: I love that too, and again I would come back to the doc, and I think the doc covers that with respect to, like, outlining what is the job to be done and where are the boundaries of that, because, to your point, like, the last thing you want to do is have something that's so expansive, you know, everything is conceivably in scope. I'm sorry, Melba, go ahead, yeah.
E: I can't raise my hand when I'm sharing, so I did put the link to the doc that Isaac is talking about. I also put a link to the roadmap that we had started.

E: We didn't quite... we got feedback on it, we haven't finished it, but I think the comments about communicating out to the community, this is where we're going, that vision, I think is going to be important for that 1.0 release.

I: Is sound there... I think that the collaborative efforts and the nature around all the things we're doing, especially at a higher, at the larger working group level, man, these things are all things that we do need as a team to drill down on, you know, so that this group, this SCI, has even more of a tight foothold on how we're presenting these efforts to the community at large. So I'm right there with Isaac. I will say that how... what shape that takes?

E: Okay, so I'll try to write down some action items and then we'll go back to see if people agree, but Isaac, I don't want to take up time. If you wanted to share your screen or share something, feel free.

F: Yeah, so I mean, in terms of the next item, I mean, there was an active and encouraging thread on the mailing list last week, and Jennifer Bly, who I think has joined us this week as well, is gonna, you know, run point on kind of, you know: hey, let's establish a center of gravity around communicating SLSA 1.0. That's an OpenSSF announcement, and then there's a constellation of, you know...

F: Companies around that who want to, you know, echo the core message on their own and operated properties. And so I've kind of sketched out this comms plan, shared in the mailing list, and I'm anticipating Jennifer kind of running with much of this, but what I'd proposed in terms of responsibilities is, I think it's probably this group's responsibility to, you know, establish what are the core talking points, like, if there are three key messages we want to deliver alongside the SLSA 1.0 mailing list?

F: You know, with audience X or audience Y, in long form, and that's where, you know, we expand to have, and, you know, the OpenSSF blog post and the surrounding constellation of columns and press briefings and so on. But I have not seen anywhere yet, you know, a bullet list of what are the key messages that, you know, we want to land alongside 1.0, and so I thought I'd bring it to this group.

F: I don't have anything more than that empty placeholder right now. I've just kind of, you know... I can propose what I think they are, but that would be awfully presumptuous of me. I!

F: Don't want to do that, and I think that, you know, I don't know whether we want to do it live in this group today or whether we want to take it offline and try and get it done async in Slack and docs by the end of the week or something, but time's pressing as we come to 1.0, and I think that we really need to lay that groundwork of what are the, you know, what's the core set of messages that we want to communicate alongside 1.0.
E: So I'm wondering if this is kind of what this table is. A couple weeks ago we said: okay, we want to communicate things like, why are we breaking up build versus source, right? We want to talk about the tracks, the what's new, there's something out there, but we need to edit it based off of anything we change. But then, additionally, there are some SCI blogs, right: what's the difference between, you know, SLSA provenance versus, you know, SBOM, SPDX, blah blah, right. There's a lot of questions usually around that.

E: So I don't know if this is what you're referring to, or if you're thinking something different.

F: I think it's, to me... I'll go just quickly, Jennifer, and I think, to me, it's more about acknowledging that this 1.0 comms may be the first time someone has heard about SLSA. They may come to this blog having never heard about SLSA before. When SLSA was initially launched two years ago, supply chain was not as current a concern.

F: I mean, it was a concurrent concern amongst a caucus set of folks in the know, but now it is everywhere and everyone has thoughts and concerns and ideas versus pledge, insecurity, but I think that there's an element in which, yes, we should talk about what happens to build and what happens to the tracks and why do we do scope. And it feels to me like, more fundamentally than that, there's, like, bullet number one of our core message could be: OpenSSF has launched SLSA 1.0.

F: This is an important milestone towards X, Y and Z, and here's why you care about it, and it's really starting from that groundwork, like, for someone who's never heard about SLSA before: I've heard about it now because there's the 1.0 launch and there's a lot of noise about it, and they just want to understand how it fits in. Sorry, Jennifer.

G: Sorry, this is Tracy. Yeah, I'm just going to say something quick and then I have to jump to another meeting, but yeah, totally agree. I think you're speaking to the world who've never heard of SLSA before, and just being crystal clear on: it's a framework for supply chain security and integrity, and just hitting why people should use it, and the fact it includes provenance, which I don't think comes across when you first come across it.

G: But just the qualities, like it's practical, it's actionable, I think all that's good stuff, but keep it very high level, and with that, this is awesome, but I.

E: Gotta jump. Okay, thank you for joining, Jennifer.

K: Yeah, thanks, Tracy, yeah. Thank you so much, Isaac, for getting us going with this document, the comms planning. I think it's really helpful, and I think it'd be really great to get from this group, in addition to sort of those overarching key messages and main goals, kind of, what's the call to action, like, what do you want people who are learning about this...

K: Maybe for the first time, to do, and kind of thinking about that and how we can incorporate that into all of our messaging around this.

F: I mean, I'll just... emphatic agreement with Jennifer there in terms of, like, crafting a call to action. What do we want people to do? They've read about the SLSA 1.0 launch. What now?
E: So I'm wondering about this, it's gonna depend on the persona, and so that's why we started a developer persona to coincide with the 1.0 launch. It's like, as a developer, why do you care about SLSA, all right? What's in it for you? I'm not sure if you can have a call to action for an all-inclusive audience, because it depends on what it is that you are doing. Are you trying to check off a box? Are you trying to incorporate it into your build?

F: Yeah, no, I agree, and so I think, I mean, in the comms plan, like, step number one, which I have there in terms of goals, is literally, like, which audiences are we trying to reach and with what result. Like, I have not seen that written down anywhere. We probably have our own answers to that question, but I think that we need to get agreement on exactly that, and from there we go to okay.

F: What are the core messages, given that we want to reach these three audiences? I mean, I think developers is one part, but, to be honest with you, I think that actually, at this stage, getting to a 1.0, tool makers is a massive constituent that's super important. Like, SLSA is going to live or die based on the support it has in the tooling ecosystem, and so there should be a call to action for, hey, you make a build system...

F: You make a CI/CD system, you make an admission control policy controller, like, there's a whole tooling ecosystem in supply chain that we need to be speaking to too, because adoption is going to rely on those people essentially implementing support for SLSA up and down the supply chain. And so I think, yes, there's a message for individual developers: what is SLSA, why should I care about it?

F: There's a message for tool owners, there's a message for CSOs, there's a message for DevOps people, and so I think, you know, within the comms plan, like, it's being crisp on who are the audiences we're trying to reach and what are we trying to get each to do. From there, we can go, okay, how do we best effect that result? And so I don't know, I was trying to lay this out in the comments, but I guess where I'm at right now is.

F: If we all agree that this is a reasonable framework to approach this 1.0 comms, the question becomes, how do we put, you know, flesh on these bones? Like, who's responsible, literally, who's responsible for writing the list of who are the audiences we care about? Is that Jennifer? Is that Melba? Is that Jay? Is that me? Is that this group? Because with two or three weeks to go, we don't have much time on it.

E: So Marcela, you have your hand up, yeah.

L: First of all, totally want to agree with what Isaac was saying about including very specifically targeting tool makers, tool owners, sysadmins, people who will actually be implementing SLSA. Developers in a SLSA level three build, right, which is mostly automated, developers shouldn't really be interacting with SLSA very much, right, and so maybe even laying out the different... how different people interact with SLSA, or use SLSA on the different levels, might be a good way to try to clarify some things.

L: But the reason I raised my hand originally was actually to sort of push back a little bit on labeling SLSA sort of just generically for software supply chain integrity, because it's also targeting build right now with the 1.0 release, right, and so I think that's going to cause more confusion.

L: If we're not specific about what it is that we're targeting, so that was kind of just my comment, because I think that's exactly what people have been struggling with as well: isn't SBOM also for supply chain security? And they're both for supply chain security, but in very different ways, right, and so, if we can articulate that, I think that might help people. So.
D: Yes, hi, so I just wanted to follow up on this persona too and point out that the specification actually kind of defines a few of those, right. It talks indeed about build systems, and so that's the primary target, and I think developer is too generic a term, because if you're a developer of a build system, then, you know, that definitely is something you shouldn't worry about, but there is also the consumer people, right, so in the SLSA spec I think we can identify at least three audiences.

D: Yeah, and so these are clearly talked about in the spec. You know, maybe others can tell me if I'm missing any others, but those three are clearly identified in the spec today.

F: Yeah, I like that, and particularly... let me know, I'll just put my hand up in the middle, because I was going to throw in package managers and then you did. I think package managers is a critical audience that we've got to speak to, and I think it was to Claudia's point, or I forgot.

F: You mentioned it, but, like, ultimately, we might expect and aim for SLSA to just disappear, and it just fades into... it becomes part of the accepted and taken-for-granted infrastructure, in the same way that I use npm install today. I don't wonder whether it's using SSL to do its network operations, I just assume that it is, that it's taken care of. npm install in three months' time will also be doing SLSA provenance verification, and I won't have to think about that either. I won't have to implement the verification itself.

F: My toolset will just kind of understand this natively, in the same way that I expect my toolset today to do the right thing when it comes to network-layer comms. And so I think that, like, looking at that as the ultimate outcome, like, in the short term we might expect individual developers to think and care about SLSA, but in the long term SLSA should just kind of meld into the infrastructure and disappear, in the same way that, you know, for most people...

F: Thinking about SSL is not something they'll do every day. It's just an important, it's a vital part of what they rely on every single day, but they never really think about it too hard. I think a personal... the same way.

J: Yeah, I was just gonna throw out there, if there's anything that we can use for context or a specific scenario, that usually helps too, right. So I don't know if something like the executive order mandate for cybersecurity, or anything that's coming down that's real, that we can say, hey, this is how SLSA would apply in a specific scenario if you are a developer, if you are a CSO, if you are a, you know, DevOps manager.

J: This also could help you with something like the executive order mandate and actually put it into more of a real life: you know, this is happening right now, and this is how far I can get you with something like a national compliance issue.

E: Yeah, we have an existing blog, it's an older one that would have to get updated. I'm looking for it. For some reason I don't see it on here, where we do call out the executive order and we do call out NIST SSDF, etc., and we would just need to update it based off the current spec, and so that might help with that. Go ahead.
H: Oh sorry, yeah. We might want to also coordinate with some of the folks from CISA on that, because CISA actually cites SCVS as well as SLSA as things to take a look at when securing the supply chain, and so they've already done some of that on the other end of saying, hey, because there's this executive order and yada yada, you should look at things like SLSA, and we should, you know, cite some of their stuff as well.

E: Are they... yes, I see a... what is this Google doc, I'm sorry, that you have up here at 11:07? That must have been the meeting notes. I'm just looking at the notes now. Sorry, I see it now, yeah, the developer ones.

E: Yeah, I know the NIST SSDF has a reference to SLSA in the examples, so I do know that it's being referenced right now in different places. Let me do this: okay, Isaac.

F: Yeah, so I was just gonna... and we've had 10 minutes on this. We've got other things on the agenda, like, I just wanted to come back to, and I guess Jennifer can probably guide us: Jennifer, what specifically do you need from this group in order to make progress on SLSA 1.0 comms? Is it talking points? Do you have talking points? Is it suggested audiences?

F: Is it, like, I guess, like, my interest is in making sure that we have great 1.0 comms to go alongside the release, and it feels to me like there's a bunch of stuff we need to get done, and I'm just not clear on exactly how to actuate that work, like, who's going to be doing it and on what schedule. And so maybe, Jennifer, you can guide us with respect to what are you blocked on and what can the SCI working group help with in order to unblock you, yeah.

K: I think all of the above. I think the best people, people who write and really describe what it is and what's happening and why it's important and why you should care, is really the folks in this group, so I'd love...

K: If we could work together on coming up with those key themes, the messaging, even the goals, like, what is it for each key audience that we're trying to achieve, and I think that kind of clarity, then I am happy to take it from there and work on the distribution plans.

K: I'd like to set up a meeting with some of the organizations involved to help get quotes and, you know, if there's any testimonials, that kind of thing, so I think kind of just working on those basics would be really helpful.

F: There's an action for us all to dive into the SLSA 1.0 comms plan doc, and I see, Melba, you've been adding some stuff as we go there, and just, like, throw stuff in there. Like, there's literally placeholders for goals and audience and key message, and what results do we want and what next action do we want people to take, and I think that we just need to kind of gather people from this team over the next few days to literally throw stuff in that doc. Jennifer and I can help.

F: You know, synthesize, distill it down, accept comments in the doc and so on as we go, but it feels like that's probably the right venue to centralize this work. Jennifer, does that sound right to you?

F: You know what, in the interest of time, this isn't an urgent item, and so let's... we can put this back in the holding item and come back to it, because I do want to make sure that we get to John and Tracy. Actually, Tracy's gone. Maybe it's just John.
E
B
So I wanted to present the results of a software supply chain security survey that focused mostly on SLSA-related security requirements, not all of SLSA but a portion, and some other things: other software supply chain security-related security items. A number of organizations, myself and Chainguard, Tracy, the Eclipse Foundation, the Rust Foundation and OpenSSF, big shout out to Jennifer Bligh, but others too, conducted it last summer and fall of 2022, and I...
B
So Jennifer asked myself and Tracy to come and present it because she thought, rightfully so, that it would be of interest and potentially useful too, especially for deliberations over the release candidate for SLSA. So I'm gonna tell you a little bit about this survey, and hopefully it's at the very least interesting. Glad to answer questions, and I know we're a little short on time.
B
I'll try to finish by, Eastern time, something like 12:53, take a few questions, and I can always talk on Slack with other interested parties, or over Google Meet or whatever you would like. So I'm John Speed, I think I mentioned this, but I work as a researcher at Chainguard in their R&D lab, and if Isaac already has a question I'm glad to answer it.
B
Okay, well, I'm glad to insert later too, Isaac. So the first question you might have is: why do a survey on SLSA and these practices, what's to gain? And I really had a very simple motivation.
B
I think another partner did, about a year ago, which is when they started, April and May of 2022, which is: how widely practiced are different software supply chain security practices? It's a pretty simple question; it's actually surprisingly difficult to answer. It's gotten a little easier over the past year.
B
In tandem with this survey, there have been some others that I'll mention that have helped shed light on this, and there are a couple of other questions that I thought were of interest, and the SLSA community has been wrestling with them, which is: how useful, how much do participants, software professionals, think these different practices are useful or not, and how easy or hard are they perceived to be? So it seemed like a nice step; there are so many other questions to answer too, but a nice step would be answering those questions at a minimum.
B
So that's what we did. So we asked a number of questions. I'll show you not all of them, but a few of them, on the prevalence, helpfulness and difficulty of 10 software supply chain security practices. Seven of them come from SLSA. Three of them are not in SLSA, at least not right now. And I'll be very clear: since this was done last summer and fall, we were focused on version 0.1. So of course we had no magic ball. We weren't trying to predict what SLSA 1.0 would be.
B
We just went with what was available, so we got 167 respondents. We gathered them largely through the professional networks of the organizations I mentioned, and it's certainly not representative in the statistical sense; there is no list of software professionals that one can simply sample from, as in traditional survey sampling. But I'll show you one more slide and I'll say a little bit more.
B
L
B
There are persons from all over the world, a number of major regions; Europe actually had the most respondents. And a wide range of security postures: some organizations where the person admitted to having very little security consciousness, and some on the opposite end of the spectrum. And all these details will be in the report that's published. It's actually supposed to come out tomorrow, I believe, fingers crossed, and so you can see all the details.
B
There's a lot more about who took this survey, so I'm going to show you three slides that I consider the meat of this survey. They're data-rich, but I'm gonna point out at least my broad observations on them, and then we can open back up the questions and comments. So one is: what is the prevalence of these different practices? And you'll see a number of SLSA-related practices and then some non-SLSA-related ones. I'll just point out a couple of things: one, there's a lot of variation.
B
Some of them are common. You know, for instance, centralized build service is over 50%; other respondents say they always do that. Some of them are less common, hermetic builds for instance, and so lots of variation. That's really the main takeaway here.
B
Let me show you; I'm glad to come back to this slide too. Second is perceived helpfulness. The funny thing, or surprising thing really, is there's actually relatively, surprisingly little variance among these answers. I'm not really quite sure why, but I think it's mostly a good story. You'll see that for all the different practices, 50% of respondents at least said that these practices are extremely helpful or very helpful in their opinion. So I'd say it's an open door for most of these practices.
B
You don't see a lot of pushback. Sure, there are some people who are on the more skeptical end, but they're a minority. Melba has a question, has her hand up, I think.
E
B
That's a good question. So there is a strong relationship, for any given practice, between whether you view it as helpful or not and whether you adopt it or not. David Wheeler has rightfully pointed out it's hard to know which direction this goes. Is it that people adopt it and therefore they kind of talk themselves into thinking it's useful...
B
...between the level of perceived difficulty and adoption, which is also surprising to me. So it does seem like if you think it's more helpful, on average you're more likely to adopt it. So it definitely points to the usefulness of messaging and communications related to explaining the usefulness of any particular practice, if you want to encourage it. So I think it's kind of a good news story.
B
Does that answer your question, Melba? Okay, cool. So I'll do one more; it's 12:52. Perceived difficulty: there's a lot of variation here again. I'll just point out the key thing that stands out to me, which is that hermetic builds and reproducible builds are perceived as much harder. I think this is consistent with the consensus that I, at least, have observed among SLSA community members, but that's not to say that is objective reality. Once again, it's only perceived difficulty. Melba again.
B
We weren't able to ask that, or we didn't ask that; we could have. We did not, so I can't untangle that for you, unfortunately.
B
So, for me, the big takeaway is, I think, that it's actually mostly good news. If some of these had zero percent adoption and were widely considered difficult, I would think that this group should be a little nervous about that; you know, these things were perceived as foreign, exotic, obscure, esoteric. But that's just not the case. A lot of these have moderate adoption already, or even strong adoption, and they're broadly perceived as useful.
B
There is variation in how difficult they are perceived to be, and there is certainly lots of room to make these more widespread, don't get me wrong, but I think the picture could be worse.
B
I will say that the one thing that sticks out, and this is based a little bit on some of the free-text responses too, which are hard to summarize, but a little on the data, is that I think provenance as an idea has a ways to go. Not in that it's underdeveloped; I mean, there's lots of active development, discussion about what should be in provenance, but I think in terms of the PR messaging campaign about provenance...
B
You know, it certainly points here in the survey results that provenance was actually considered the third hardest to implement, which might surprise some people in the SLSA community. I think that's partially my messaging issue, and also it was relatively less common as practiced in the prevalence. So, you know, I joke here: could there be a provenance everywhere campaign? But that's all I've got. I'm glad to take questions. Thanks so much, Melba, for hosting us.
E
Yeah, thank you. I know I talked to Tracy about getting a preview of the results just to see if we need to put out some blogs, and there is a lot of good news. And I think maybe what we need to ask as a community is, it's been a year almost since the survey: does 1.0 help with the difficulty, with the awareness, or has the awareness increased?
E
What else can we do to make it less difficult? So I think that this is good to see. I don't know if others on the team have any comments on what we shared.
I
Yeah, I mean, I think, I think the survey purposes, I think all the changes that have occurred since this survey, kind of, and now you're dealing with a whole different sample, but I mean, dare I say that the population, I guess, felt that the population might even be different, let alone the sample of the population that completed the survey already. And then, of course, with all the changes, like...
I
For instance, there was still a level four when this survey was conducted, a level four of the framework, before the split, right, before the break-off of the different tracks. So I mean, like I said, I think as a foundational item, just to get a gauge, wonderful. I think the data...
I
...bit have been updated.
E
B
Sorry, go ahead. Sorry, yeah, I think it's certainly true. I mean, the spec is changing imminently. And I guess I would point out that the survey didn't specifically ask about levels. It didn't, so it broke it down by the different requirements or security practices. My intention was to make it more broadly useful than asking about difficulties and usefulness; there's also one, two, three and four. But everything you said is fair.
B
E
...months later, right. And then I guess a second question I have is: is there something we can do in terms of, can we have a, you know, pulse, like a pulse right now, all those same metrics, those same questions?
E
Can we do that to get that latest data and not have to wait, you know, months and months for data? Because technology changes quickly; we don't have time, unfortunately, to wait six months, and it also will be at level two or something, right?
B
One is, it probably is possible to have quick pulse surveys that OpenSSF could run on a wide variety of software supply chain security topics, to include SLSA. I mean, I would take this up with Jennifer and other members of the OpenSSF team, but that seems like it could be a broadly useful thing, and not just to this group, and you could imagine working with partner organizations, a number of the companies here and others, to reach a wide network, you know, get a few hundred responses every three months or something like that.
B
That seems like a cool idea. Second, there's another approach, but I think it's a little too technically difficult now, but I'd love to be told I'm wrong: it's actually looking at software artifacts associated especially with open source software repositories, and as SLSA becomes more widespread and mature, checking things like for SLSA badges, or even having a tool that checks for SLSA practices on open source projects, could give another way of doing a gauge without doing a survey. But there are technical complications there.
E
Well, I know we are pretty much at time, so we didn't get to two of the things. I know the OpenSSF Day CFP, does it close Friday? Is that right?
E
For the group, I think the ketchup, mustard, relish of supply chain security, I feel like we need to submit that. Maybe it's not so much of a panel, but I think that is an important story to tell, right. We have a new mission scope that we're trying to do across the board. We have, you know, S2C2F since the last OSSNA, and now we have this positioning group, so I think we should submit that, and we would just kind of not do it as a panel form.
I
E
Thumbs up, thumbs down, or no is good. I'm not seeing anything, so I'm, I'm, and I think, actually, there are some people that have probably dropped that probably need to, thanks Jennifer, that need to vote. So I'll put it up on the Slack channel for people with a thumbs up, thumbs down, but I think that would have a good chance of getting in. That was one of the first ones that were accepted.
E
So, okay, thanks everyone for joining. Lots of to-dos; we'll Slack offline to try to get some of this stuff taken care of. Okay, thanks everyone, have a good day, bye. Thank you.