►
From YouTube: Supply Chain Integrity WG (March 14, 2023)
A
A
C
D
E
F
E
E
F
E
E
B
B
E
One
and
then
there's
this
okay,
so
I'm
gonna
get
rid
of
those
two
from
up
here
and
then
before
we
start.
Those
I
would
like
a
quick
update
from
my
J
Bruno
from
last
week,
but
I
do
want
to
say
congrats
to
the
team
that
we
got
two
accepted
talks
for
ossna
Vancouver.
We
got
two
wait
listed
and
one
declined
so
I
still
consider
that
it's
a
success.
E
Yeah
I
think
the
deadlines
is
Friday,
so
we'll
we'll
have
to
talk
about
that
at
towards
the
end,
because
I
know
we
have
a
lot
going
on
with
the
the
blogs
and
stuff
update
and
then
I'll
put
that
at
the
end
and
then
open
ssfd,
cfp,
okay,
so
Jay
like
Bruno.
Can
you
give
a
brief
update
from
last
week
again.
H
H
H
Okay,
yeah,
so
beyond
that
so
I
I
there
was
there
didn't,
seem
to
be
a
lot
of
folks
who
who
had
progress
on
on
some
of
the
other
blogs.
I
know
that
there
were
some
folks
who
are
still
doing
research
and
and
doing
some
of
that
sort
of
stuff.
So
I
have
a
a
graph
that
I'm
still
working
on
which
I
still
have
a
a
Blog
here,
for
which
hopefully
folks
can
see
it.
It's
it's
once
again.
It's
still
very
very
early
on.
E
E
H
And
depth
also
so
yeah,
so
you
know
I'm
still
working
on
it.
I
think
I'm
taking
it's
it's
hard,
because
I
I
also
need
to
help
out
with
the
salsa
specifications
and
some
of
the
other
things
there
seems
to
be
I.
Think
one
of
the
things-
that's
that's
that's
growing
a
little
concerning
for
for
the
the
release
is,
there
still
seems
to
be
a
lot
of
pretty
pretty
serious
confusion
around
some
of
the
definitions
around
salsa
around.
H
Why
we
for
some
folks
either
we
made
it
too
restrictive
and
for
other
folks,
we've
opened
it
up
where
salsa
is
not
particularly
effective
and
I.
Think
both
of
those
are
misconceptions.
I
just
think
we
need
to
do
a
better
job
at
really
making
sure
that
the
definitions
are
crisp
and
clear
and
that
the
intentions
are
are
crisp
and
clear,
and
so
things
we
need
to
do
a
lot
more
to
to
do
that.
You
know
so.
For
example,
some
of
the
definitions
around
isolated
and
ephemeral
are
causing
confusion.
H
H
Have
we
made
salsa
too
easy
specifically
so
that
certain
companies
can
look
like
they're?
They
fully
adopted
salsa
and
they're
good
and
you're,
not
actually
hitting
some
of
the
the
the
not
actually
hitting
like
not
actually
stopping
supply
chain
attacks,
I
think
and
to
be
clear,
I,
don't
think
that's
actually
the
case
I
think
it's
it's
a
misconception
and
I.
Think
with
that
said,
though,
that
that
misconception
can
lead
to
folks
saying
yeah,
I'm
salsa
compliant,
because
my
interpretation
of
isolated
and
ephemeral
is
this
thing.
H
Is
mostly
just
around
stuff
like?
Why
are
we
splitting
up
salsa
or
you
know,
why
is
salsa
split
up
into
those
different
tracks
and
more
or
less
just
sort
of
saying
you
know?
Oh,
the
reason
why
the
build
is
super
important
and
we
believe
that
source
is
just
a
separate
set
of
things
that
you
want
to
make
sure
is
clear
and
consistent,
whereas
the
build
you
just
carry.
That
is
what
I
pulled
in
what
I
said.
I
was
going
to
pull
in
right.
H
Even
if
that
thing
is
nefarious
right,
you
had
the
whole
point
of
salsa
provenance
is
you
are
establishing
provenance?
You
know
where
that
thing
came
from.
So
if
it
didn't
do
the
right
things,
then
you
could
always
go
back
and
you're
not
running
into
a
situation.
Like
the
you
know,
solar
wind
Sunburst,
where
they
thought
they
were
building
the
right
source
code,
but
it
turned
out
they
were
linking
to
something
that
was
malicious
and
they
had
no
way
of
actually
seeing
that.
E
C
C
Right,
I
I
also
consider
myself
sort
of
a
newcomer,
although
I've
been
in
near
orbit
or
in
the
periphery
of
things.
For
some
time,
hello,
all
I
wanted
to
chime
in
to
what
Michael
was
saying:
I
wonder
if
Mike
some
of
it
is
a
function
of
what
we
discussed
during
the
spec
call
yesterday
of
there's
the
perception
from
people
seeing
wano
that
oh,
this
is
done,
and
it's
ratified
and
they're
gonna
they're
putting
a
lot
of
energy
on.
We
need
to
form
a
solid
understanding
of
this
definitions
and
live
by
them.
C
I
wonder
if
it's
a
function
of
well,
this
is
this
is
evolving,
and
this
is
subject
to
get
more
refined
over
time,
and
that
could
be
what
you're
writing
here
or
that
could
be
a
roadmap,
a
public
roadmap
with
midterm
long-term
Horizon.
Even
going
back
to
the
discussion
around
well,
how
do
we
convey
big
changes
of
definitions?
Is
it?
Do
we
bump
a
major
version
of
salsa?
Do
we
do
minor
versions
and
people
are
going
to
scramble
and
be
scum,
so
in
order
to
front
load
or
pre-load?
C
What
is
expected
to
change?
I
wonder
if
a
like
an
artifact,
not
quite
a
vision,
not
quite
a
road
map
but
in
between
obviously
with
the
Proviso.
These
are
forward-looking
statements
and
what
gets
caught
within
a
quarter
might
change
but
yeah,
just
from
the
end
user
perspective.
So
there's
like
less
cognitive
overhead
around
or
attaching
to
close
to
what
things
are
called
today.
B
I
J
E
I
So
so,
to
add
to
that
right,
so
I
think
a
large
part
of
that
is
to
make
sure
that,
with
respect
to
to
salsa
build
that
we
we
differentiate,
what's
considered
what
the
evolution
of
of
those
specs
right,
1.0
versus,
2.0
and
I
think
we
were
talking
about
something
like
that
yesterday.
But
then,
when
we
come
out
to
source
source
is
a
whole
new
1.0,
it's
it
does
not
it
because
I
think
what
happens
is
it
you
know,
especially
with
what
I'm
hearing
is
people
are
assuming.
I
I
That
said
well,
if
I'm,
if
I'm
a
consumer
of
this
and
you're,
telling
me
that
you
split
up
between
source
and
build,
and
you
got
the
1.0,
what
happens
if
when
we
come
out
with
source
of
we
come
out
with
something
else,
it's
going
to
change
dramatically.
What
now
constitutes
meeting
level
one
or
level
two
or
level
three
right?
How
do
I
trust
the
spec
now
to
do
what
it
says?
It's
going
to
do
if,
by
me,
saying
I'm
by
me
saying
I've
met
level
if
I
use
version
one
and
I'm
at
level.
I
I
There's
another
salsa
track.
You
can
have
version
one
or
version
two
build.
You
can
have
version
one
source
that
it's
it
can
be
very
confusing,
but
I
think
if
they
think
we
do
the
work
to
make
sure
we
parse
these
things
out,
so
that
they're
understood
that
hey
just
because
you
meet
one
does
not
mean
you
meet
the
other.
You
still
need
to
do
work
and
due
diligence
to
meet
the
other,
or
maybe
the
other
doesn't
apply
to
you
at
all.
I
Maybe,
while
past
you
is
just
the
build
right
and-
and
we
we
do
our
our
our
best
effort
to
organize
our
thoughts
and
deliver
that
kind
of
message
or
communicate
that
appropriately,
so
that
those
that
are
consuming
this
are
consuming
the
right
ones
when
they
need
to
consume
it.
Yeah
that
that's
my
that's
my
two
cents
and
anyway,
and
please,
if
I'm,
not
understand
I'm
sure
somebody
else
will
chime
in
and
add
a
little
bit
more
color
yeah.
C
And
in
a
way
you
have
expressed
this
before
with
transitive
identities,
transitive
dependencies
and
leaving
those
out
of
scope
at
one
point
like
Mike,
you
remember
saying:
well,
we
can't
solve
all
the
things
right
off
the
bat,
so
we
we
have
to
start
off
with
what
is
feasible
but
again
from
from
a
consumer
perspective.
People
are
going
to
be
tell
me
what
I
need
to
know
up
front
that
is
expected
to
change.
H
Your
hand
yeah
yeah,
so
actually
one
of
the
things
you
know,
I
think
that
that
it
would
be
worthwhile
yeah
is
to
kind
of
we
need
to
clar.
You
know
a
meta
issue
for
salsa
that
we
need
to
kind
of
clarify.
Is
you
know
stuff
like
what
do
what
to
expect
between
versions,
so
that
folks
understand
like
if
I'm
on
version,
one-
and
you
know
a
minor
release-
will
update
these
sorts
of
things.
H
It
doesn't
prevent
folks
from
ingesting
bad
source
code
or
bad
dependencies,
but
what
it
does
do
is
if
you're,
a
high
salsa
level
like
salsa
level.
Three,
you
have,
you
should
have
increased
confidence
that,
yes,
your
build,
builds
something
malicious,
because
we
can
go
back
and
look
at
those
dependencies
or
look
at
that
code
and
know
that
yeah
it
pulled
in
the
wrong
source
code,
whereas
it,
if
you're
only
on
salsa
level
one.
H
Then
you
can't
really
be
sure
that
you
know
what's
being
reported,
is
actually
accurate
and
wasn't
tampered
with
similar
to
something
like
a
Sunburst
style
attack
where
you
know
it
pulled
in
the
right
source
code.
But
then
the
build
was
actually
compromised,
and
so
it
thought
you
were.
You
thought
you
were
linking
against
this
Library.
You
ended
up
linking
against
a
different
one.
E
F
Yeah
so
I
mean
I
I
think
you
know,
I
I
think
this
is
I
agree
with
everything
that's
been
said
and
Mike
certainly
like
I
think
having
providing
some
clarity
around
where
this
thing
is
going.
I
think
is,
is
the
theme
of
what
I'm
hearing
and
where
we
are
today
what
you
can
expect
to
get
from
where
we
are
today
and
then
what
you
can
expect
over
the
next
six
to
12
months
say,
and
so
you
know
at
the
top
of
the
year,
I
shared
this.
F
This
document
about
you
know,
hey
here's
a
you
know
a
proposed
vision
for
for
this
working
group
for
the
SEO
working
group,
and
you
know
that
that
laid
out
exactly
this
kind
of
you
know
what
I
was
hoping
to
get
alignment
on
with
respect
to
kind
of
where
are
we
going
and
if
we
can
get
agreement
in
in
the
sci
working
group
around
the
vision
in
the
document?
We
can
start
communicating
about
this
externally
and
you
know
the
one
of
the
things
the
document
was
proposing
was
hey.
F
F
I
would
like
us
to
get
agreement
on,
hey
dependencies
will
be
coming
over
time
and
what
we'll
do
there
is
we'll
say:
there's
all
this
great
work
on
s2c2f
well,
Let's
Fold,
that
into
salsa
too,
and
let's
have
that
become
the
salsa
dependencies
track
and,
let's
start
unifying
on
a
Consolidated
roadmag
roadmap
for
supply
chain,
Integrity
in
the
open,
ssf
and
our
you
know
our
Vanguard.
Our
Marquee
framework
here
is
salsa.
We
have
a
great
base
to
build
on
1.0
we've
got
building
Providence
covered
Source.
F
F
But
if
I
would
love
to
start
to
get
a
consensus
in
this
group
around,
you
know,
broadly,
we
consider
directionally
that
enriching
salsa
over
time
with
additional
tracks
or
additional
sets
of
concerns.
You
know
and
going
down
that
list
in
priority
order
is
where
we're
going
as
a
team,
and
you
know
we
will
layer
in
Source,
we
will
layer
in
dependencies.
We
will
layer
in
vulnerability
management
whatever
that
may
be.
If
we
can
get
agreement
on
that,
then
definitely
we
can
start
articulating
to
Consumers.
E
C
C
Still
there
are
a
lot
of
things
that
are
NP
problems,
just
like
things
that
computer
science
hasn't
tackled
so
being
very
clear
on
like
these
things
are
not
at
all
in
scope,
because
we
just
don't
know
how
to
solve
them
as
an
industry,
it's
probably
important
to
tackle
those
misconceptions
and
yeah,
no
matter
how
things
are
going
to
evolved,
like
just
from
a
like
unless
you
constrain
the
problem,
you're
not
gonna,
ever
get
to
like
solving
the
provenance
of
your
like
Silicon
and
like
the
sand.
That's
making
up
your
silicon.
F
C
F
I
I
I
love
that
too
and
again
I
would
come
back
to
the
dock
and
I
think
the
doc
covers
that
with
respect
to
like
outlining
what
is
the
jar
to
admission
and
where
are
the
boundaries
of
that,
because
to
your
point
like
the
last
thing
you
want
to
do
is
have
something
that's
so
expensive.
You
know
everything
is,
is
conceivably
in
scope,
I'm,
sorry,
Melba
go
ahead,
yeah.
E
E
E
I
Is
sound
there
I
think
that
the
collaborative
efforts
and
the
nature
around
all
the
things
we're
doing,
especially
at
a
higher
at
the
larger
working
group
level.
Man,
these
things
are
all
things
that
we
do
need
as
a
team
to
drill
down
on
you
know
so
that
so
that
this
group,
this
see,
has
has
even
more
of
a
tight
foothold
on
how
we're
presenting
to
the
community
at
large.
These
efforts,
so
I'm
right,
I'm
right
there
with
Isaac
I,
will
say
that
how
what
this?
What
shape
that
takes?
I
E
F
Yeah
so
I
mean
in
terms
of
the
the
next
item.
I
mean
there
was
a
an
active
and
an
encouraging
thread
on
the
mailing
list
last
week
and
Jennifer
Bligh.
What
I
think
has
joined
us
this
week
as
well?
It's
gonna,
you
know,
run
point
on
kind
of
you
know:
hey,
let's
establish
a
center
of
gravity
around
communicating
ourselves,
one
at
zero,
that's
an
open,
ssf
announcement
and
then
there's
a
constellation
of
you
know.
F
Companies
around
that
who
want
to
you
know,
Echo
the
the
core
message
on
their
own
and
operated
properties,
and
so
I've
kind
of
sketched
out
this.
This
comms
plan
shared
in
in
the
mailing
list
and
I'm,
anticipating
Jennifer
kind
of
running
with
with
much
of
this,
but
what
I'd
proposed
in
terms
of
responsibilities
is
I,
I
think
it's
probably
this
group's
responsibility
to
you
know
establish
what
are
the
core
talking
points
like
if
there
are
three
key
messages
we
want
to
deliver
alongside
the
salsa
wanted
our
mailing
list?
F
F
Don't
want
to
do
that
and
I
think
that
you
know
I,
don't
know
whether
we
want
to
do
it
live
in
this
group
today
or
whether
we
want
to
take
it
offline
and
try
and
get
it
done,
async
and
slack
and
docs
by
the
end
of
the
week
or
something
but
time's
pressing
as
we
come
to
1.0
and
I
think
that
we
really
need
to
delay
that
groundwork
of
what
are
the
you
know.
What's
the
core
set
of
messages
that
we
want
to
want
to
communicate
alongside
1.0.
E
So
I'm
wondering
if
this
is
kind
of
what
this
this
table
is
a
couple
weeks
ago
we
said:
okay,
we
want
to
communicate
things
like.
Why
are
we
breaking
up
build
versus
Source
right?
We
want
to
talk
about
the
tracks,
the
what's
new,
there's
something
out
there,
but
we
need
to
edit
it
based
off
of
anything
we
change,
but
then,
additionally,
there
is
some
SDI
blogs
right.
What's
the
difference
between
you
know,
salsa
provenance
versus
you
know,
mbomb
spdx,
blah
blah
right.
There's
a
lot
of
questions
usually
around
that.
F
I
think
it's
to
to
me:
I'll
go
just
quickly.
Jennifer
and
I
I.
Think
to
me
it's
more
about
acknowledging
that
this.
This
also
1.0
com
may
be
the
first
time
someone
has
heard
about
salsa.
They
may
come
to
this
blog.
Having
never
heard
about
salsa
before
when
salsa
was
initially
launched
two
years
ago,
supply
chain
was
not
as
current
a
cons.
F
I
mean
it
was
a
concurrent
concern
amongst
caucus
set
of
folks
in
a
no,
but
now
it
is
everywhere
and
everywhere
has
thoughts
and
concerns
and
ideas
versus
pledge,
insecurity,
but
I
think
that
there's
so
there's
an
element
in
which,
yes,
we
should
talk
about
what
happens,
to
build
and
and
what
happens
to
the
tracks.
And
why
do
we
do
scope?
And
it
feels
to
me
like
more
fundamentally
than
that,
there's
like
bullet
number,
one
of
our
core
message
could
be
open.
Ssf
is
launch
salsa
1.0.
F
This
is
an
important
Milestone
towards
X,
Y
and
Z
and
his
ways
you
care
about
it,
and
it's
it's
really,
starting
from
from
that
groundwork
like
for
someone,
who's
never
heard
about
salsa
before
I've
heard
about
it.
Now
because
there's
the
1.0
launch
and
there's
a
lot
of
noise
about
it,
and
they
just
want
to
understand
how
it
fits
in
sorry,
Jennifer.
K
Yeah
thanks
Tracy
yeah.
Thank
you
so
much
Isaac
for
getting
us
going
with
this
document.
The
the
comms
planning
I
think
it's
really
helpful
and
I
think
it'd
be
really
great
to
get
from
this
group,
in
addition
to
sort
of
those
overarching
key
messages
and
main
goals,
kind
of.
What's
the
call
to
action
like
what?
What
do
you
want?
People
who
are
learning
about
this?
F
K
B
F
E
So
I'm
wondering
about
the
this,
it's
gonna
depend
on
the
persona,
and
so
that's
why
we
started
a
developer
Persona
to
coincide
with
the
1.0
launch.
It's
like
as
a
developer.
Why
do
you
care
about
salsa
all
right?
What's
in
it,
for
you
I'm,
not
sure
if
you
can
have
a
call
to
action
for
an
all-inclusive
audience,
because
it
depends
on
what
it
is
that
you
are
doing.
Are
you
trying
to
check
off
a
box?
Are
you
trying
to
incorporate
it
into
your
build?
F
Yeah
no
I,
I,
agree
and
so
I
think
I
mean
in
the
in
the
comms
plan
like
step
number
one
which
I
have
there
in
terms
of
goals
is
literally
like
which
audiences
are
we
trying
to
reach
and
with
what
result
like
I
have
not
seen
that
written
down
anywhere.
We
probably
have
our
own
answers
to
that
question,
but
I
think
that
we
need
to
get
agreement
on
on
exactly
that
and
from
there
we
go
to
okay.
F
What
are
the
core
messages,
given
that
we
want
to
reach
these
three
audiences
I
mean
I,
think
developers
is
is
one
part,
but,
to
be
honest
with
you,
I
think
that
actually,
at
this
stage,
getting
to
a
1.0
and
Tool
makers
is
a
massive
constituent.
That's
super
important,
like
salsa,
is
going
to
live
or
die
based
on
the
support
it
has
in
the
tooling
ecosystem,
and
so
there
should
be
a
call
to
action
for
hey.
You
make
a
build
system.
F
You
make
a
cicd
system,
you
make
an
admission
control
policy
controller
like
there's,
there's
a
whole
schooling
ecosystem
in
supply
chain
that
we
need
to
be
speaking
to
too,
because
adoption
is
is
going
to
rely
on
on
those
people,
essentially
implementing
support
for
sales
up
and
down
the
supply
chain,
and
so
I
think.
Yes,
there's
a
message
for
individual
developers.
Why?
What
is
salsa?
Why
should
I
care
about
it?
F
There's
a
message
of
a
tool
owners,
there's
a
message
for
csos
there's
a
message
for
devops
people,
and
so
I
think
you
know
within
the
Commerce
plan,
like
it's
being
crisp
on,
who
are
the
audiences
trying
to
reach,
and
what
are
we
trying
to
get
each
to
do
from
there?
We
can
go
okay.
How
do
we
best
affect
that
result,
and
so
I
I
don't
know?
I
was
trying
to
lay
this
out
in
the
in
the
comments,
but
I
guess
where
I'm
at
right
now
is.
F
If
we
all
agree
that
this
is
a
reasonable
framework
to
to
approach
this
1.0
comms,
the
question
becomes,
how
do
we
put
you
know,
flesh
on
these
bones,
like
who's
response,
literally
who's
responsible
for
writing?
The
list
of
who
are
the
audiences
we
care
about
is
that
Jennifer
is
that
Melbourne
is
that
Jay?
Is
that
me
is
that
this
group,
because
with
two
or
three
weeks
to
go,
we
don't
we
don't
have
much
time
on
it.
L
I,
first
of
all,
totally
want
to
agree
with
that's
what
Isaac
was
saying
about,
including
very
specifically
targeting
tool
makers
to
owners,
sys
admins
people
who
will
actually
be
implementing
salsa
developer
in
a
salsa
level.
Three
builds
right,
which
is
mostly
automated
developers,
shouldn't
really
be
interacting
with
salsa
very
much
right,
and
so
maybe
even
laying
out
the
different
how
different
people
interact
with
but
salsa
or
you
salsa
on
the
different
levels
might
be
a
good
way
to
try
to
clarify
some
things.
E
D
Yes,
hi
so
I
just
wanted
to
follow
up
on
this
person
to
and
and
point
out
that
the
specification
actually
kind
of
defines
a
few
of
those
right.
It
talks
indeed
about
build
systems,
and
so
that's
the
primary
target
is
and
I
think
developer
is
too
generic
a
term
because,
if
you're
a
developer
of
a
build
system,
then
you
know.
That
definitely
is
something
you
shouldn't
worry
about,
but
there
is
also
the
consumer
people
right
so
in
the
cell,
suspect
I
think
we
I
can
identify
at
least
three
three
audiences.
F
You
mentioned
it,
but
like,
ultimately,
we
might
expect
and
aim
for
salsa
to
just
disappear
and
it
just
Fades
into
it,
becomes
part
of
the
accepted
and
taken
for
granted
infrastructure
in
the
same
way
that
I
use
npm
install
today
I,
don't
wonder
whether
it's
using
SSL
to
do
his
Network
ons
I,
just
assume
that
it
is
that
it's
taken
care
of
npm
install
in
three
months
time
will
also
be
doing
salsa,
provenance,
verification
and
I
won't
have
to
think
about
that
either.
I
won't
have
to
implement
the
verification
itself.
F
It's
my
tool
set
will
just
kind
of
understand
this
natively
in
the
same
way
that
I
expect
my
tool
set
today
to
do
the
right
thing
when
it
comes
to
network
layer,
comms
and
so
I.
Think
that,
like
looking
at
that
as
the
ultimate
outcome
like
in
in
the
short
term,
we
might
expect
individual
developers
to
think
and
care
about
salsa,
but
in
the
long
term,
salsa
should
just
kind
of
meld
into
the
infrastructure
and
disappear
in
the
same
way
that
you
know
for
most
people.
F
J
Yeah
I
was
just
gonna,
throw
out
there
if
there's
anything
that
we
can
use
for
context
or
a
specific
scenario
that
usually
helps
too
right.
So
I
don't
know
if
something
like
the
executive
order,
mandate
for
cyber
security
or
anything
that's
coming
down,
that's
real
that
we
can
say
hey.
This
is
how
salsa
would
apply
in
a
specific
scenario
if
you
are
a
developer,
if
you
are
a
CSO,
if
you
are
a
you
know,
devops
manager.
J
E
Yeah
we
have
a
an
existing
blog,
it's
an
older
one
that
would
have
to
get
updated
I'm
looking
for
it.
For
some
reason,
I
don't
see
it
on
here
where
we
do
call
out
the
executive
update
and
we
do
call
out
nist,
ssdf
and
Etc,
and
we
would
just
need
to
update
it
based
off
the
current
spec
and
so
that
might
might
help
with
that
go
ahead.
H
Oh
sorry,
yeah.
We
might
want
to
also
coordinate
with
some
of
the
folks
from
sisa
on
that,
because
sisa
actually
cites
scvs
as
well
as
salsa
as
things
to
take
a
look
at
when
when
securing
the
supply
chain,
and
so
they
have
they've
already
done
some
of
that.
On
the
other
end
of
saying,
hey,
because
there's
this
executive
order
and
and
then
yayada,
you
should
look
at
things
like
salsa,
and
we
should
you
know,
cite
some
of
their
stuff
as
well.
H
E
E
F
Yeah
I
was
so
I
was
just
gonna
and
we've
we
had
10
minutes
on
this.
We've
got
other
things
on
the
agenda
like
I.
Just
wanted
to
come
back
to
and
I
guess
Jennifer
can
can
probably
guide
us
to
Jennifer
What
specifically,
do
you
need
from
this
group
in
order
to
make
progress
on
on
salsa
1.0
comms?
Is
it
talking
points?
Do
you
have
talking
points?
Is
it
suggested
audiences?
F
Is
it
like
I
guess,
like
my
interest,
is
in
making
sure
that
we
have
great
1.0
commas
to
go
alongside
the
release
and
it
feels
to
me
like
there's
a
bunch
of
stuff.
We
need
to
get
done
and
I'm
just
not
clear
on
exactly
how
to
actuate
that
work
like
who's
going
to
be
doing
it
and
on
what
schedule,
and
so
maybe
Jennifer
you
can
guide
us
with
respect
to
what
are
you
blocked
on
and
what
can
the
SEI
positioning
working
group
help
with
in
order
to
unblock
you,
yeah.
F
F
B
B
So
I
wanted
to
present
the
results
of
a
software
supply
chain
security
survey
that
focused
mostly
on
salsa
related
security
requirements,
not
all
of
salsa
but
a
portion
and
some
other
things.
Other
software
supply
chain,
security,
related
security
items
that
a
number
of
organizations
myself
and
chain
guard
Tracy,
the
eclipse,
Foundation
the
Russ
foundation
and
open
ssf,
big
shout
out
to
Jennifer
Bligh,
but
others
too
conducted
last
summer
and
fall
of
2022
and
I.
B
So
Jennifer
asked
myself
and
Tracy
to
come
and
present
it
because
she
thought
rightfully
so
that
it
would
be
of
interest
and
potentially
useful
too,
for
especially
for
deliberations
over
the
release
candidate
for
salsa.
So
I'm
gonna
tell
you
a
little
bit
about
this
survey,
and
hopefully
it's
very
least
interesting.
Glad
to
answer
questions
and
I
know
we're
a
little
short
on
time.
B
I'll
I'll
try
to
finish
by
eastern
time
something
like
12
53,
take
a
few
questions
and
I
can
always
talk
and
slack
with
other
interested
parties
or
over
Google
meet
or
whatever
you
would
like.
So
I'm
John,
speed,
I,
think
I
mentioned
this,
but
I
work
as
a
as
a
researcher
at
chain
guard
in
their
r
d
lab
and
if
Isaac
already
has
a
question
I'm
glad
to
answer
it.
B
B
I
think
another
Partners
did
about
a
year
ago,
which
is
when
they
started
April
and
May
of
2022,
which
is
how
widely
practices
practiced
are
different
software
supply
chain
security
practices?
It's
a
pretty
simple
question:
it's
actually
surprisingly
difficult
to
answer.
It's
gotten
a
little
easier
over
the
past
year.
B
So
that's
what
we
did.
So
we
asked
a
number
of
questions.
I'll
I'll
show
you
not
all
of
them,
but
a
few
of
them
on
the
prevalence,
helpfulness
and
difficulty
of
10
software
supply
chain
security
practices.
Seven
seven
of
them
come
from
salsa.
Three
of
them
are
not
in
salsa
at
least
not
right.
Now
and
I'll
be
very
clear.
Since
this
was
done
last
summer
in
Fall
we
were
focused
on
version
0.1.
So
of
course
we
had
no
magic
ball.
We
weren't
trying
to
predict
what
salsa
1.0
would
be.
B
We
just
went
with
what
was
a
what
is
available,
so
we
got
167
respondents.
We
gathered
them
largely
through
the
professional
networks
of
the
organizations
I
mentioned,
and
it's
certainly
not
representative.
In
the
statistical
sense,
there
is
no
list
of
software
professionals
that
one
can
simply
sample
from
In.
Traditional
survey
sampling,
but
I'll
show
you
one
more
slide
and
I'll
say
a
little
bit
more.
B
L
B
B
There
are
persons
from
all
over
the
world,
a
number
of
major
regions,
Europe
actually
had
the
most
respondents
and
a
wide
range
of
security
postures.
Some
organizations
that,
where
the
person
submitted
to
having
very
little
security,
Consciousness
and
some
on
the
opposite,
Spectrum
and
all
these
details
will
be
in
the
report-
that's
published.
It's
actually
supposed
to
come
out
tomorrow,
I
believe
fingers
crossed,
and
so
you
can
see
see
all
the
details.
B
There
there's
a
lot
more
about
who
took
this
survey
so
I'm
going
to
show
you
three
slides
that
I
consider
the
meat
of
this
survey
and
they're
data,
Rich
and
but
I'm
gonna
point
out
at
least
my
broad
observations
on
them,
and
then
we
can
open
up
back
up
the
questions
and
comments.
So
one
is
what
is
the
prevalence
of
these
different
practices
and
you'll
see
a
number
of
salsa
related
practices
and
then
some
non
salsa
related
ones
I'll
just
point
out
a
couple
things:
one
there's
a
lot
of
variation.
B
B
Let
me
show
you
I'm
glad
to
come
back
to
this
slide
too.
Second,
is
perceived
helpfulness,
the
funny
thing
or
surprising
thing
really
is
there's
actually
relatively
surprisingly
little
variants
among
these
answers,
I'm
not
really
quite
sure.
Why
but
I
think
it's
mostly
a
good
story.
You'll
see
that
all
the
different
practices,
50
of
respondents
at
least,
said
that
these
practices
are
extremely
helpful
or
very
helpful
in
their
opinion.
So
I'd
say
it's
an
open
door
for
most
of
these
practices.
B
E
B
That's
a
good
question,
so
there
is
the
there's
a
there
is
a
strong
relationship
for
any
given
practice
between
whether
you
view
it
as
helpful
or
not,
and
whether
you
adopt
it
or
is
not
David
wheeler
has
rightfully
pointed
out
it's
hard
to
know
which
direction
this
goes.
Is
it
that
people
adopt
it
and
therefore
they
kind
of
think
themselves
from
thinking
it's
useful.
B
Between
the
level
of
perceived
difficulty
and
adoption,
which
is
also
surprising
to
me,
so
it
does
seem
like
if
you
think
it's
more
helpful
on
average
you're
more
likely
to
adopt
it.
So
it
definitely
points
to
the
usefulness
of
messaging
and
Communications
related
to
explaining
the
the
usefulness
of
any
particular
practice.
If
you
want
to
encourage
it,
so
I
think
it's
kind
of
a
good
news
story.
B
Is
that
does
that
answer
your
question?
Melba,
okay,
cool,
so
I'll
do
one
more
I,
it's
12,
52.
perceived
difficulty!
There's
a
lot
of
variation
here
again,
I'll
just
point
out.
The
key
thing
that
stands
out
to
me
is
that
hermetic
builds
and
reproducible
bills
are
perceived
as
much
harder.
I
think
this
is
consistent
with
the
consensus
that
I
at
least
I've
observed
among
salsa,
community
members
and
but
that's
not
to
say
that
is
objective
reality.
Once
again,
it's
only
perceived
difficulty
Melba
again.
B
B
B
So,
for
me,
the
big
takeaway
is
I
think
that
it's
actually
mostly
good
news
if
some
of
these
have
zero
percent
adoption
and
were
widely
considered
difficult,
I
would
think
that
we
should
be.
This
group
should
be
a
little
nervous
about
that.
You
know
these
things
were
perceived
as
foreign
exotic
obscure
esoteric,
but
that's
just
not
the
case.
A
lot
of
these
have
moderate
adoption
already
or
even
strong
adoption,
the
broadly
perceived
as
useful.
B
B
I
will
say
that
the
one
thing
that
sticks
out-
and
this
is
based
a
little
bit
on
some
of
the
free
text-
responses
too,
which
are
hard
to
summarize,
but
a
little
on
the
data
is
that
I
think
provenance
as
an
idea
has
a
ways
to
go.
Not
in
that
it's
underdeveloped
I
mean
there's
lots
of
active
development
about
discussion
about
what
should
be
in
provenance,
but
I
think
at
in
terms
of
the
pr
messaging
campaign
about
provenance.
B
You
know
it
certainly
points
here
in
the
survey
results
that
Providence
was
actually
considered
the
third
hardest
to
implement,
which
might
surprise
some
people
in
the
salsa,
Community
I.
Think
that's
partially
my
messaging
issue
and
also
it
was
relatively
less
common
as
practiced
in
the
prevalence.
So
you
know
I
joke
here.
Could
there
be
a
provenance
everywhere
campaign
but
and
that's
all
I've
got
I'm
glad
to
take
questions
thanks
so
much
Melba
for
hosting
us.
B
E
Yeah,
thank
you.
I
know.
I
talked
to
Tracy
about
getting
a
preview
of
the
results
just
to
see
if
we
need
to
put
out
some
blogs-
and
there
is
a
lot
of
good
news
and
I
think
maybe
what
we
need
to
ask
a
community
is
it's
been
a
year
almost
since
the
survey,
those
1.0
help
with
the
with
the
difficulty
with
the
awareness
or
has
the
awareness
increased?
E
I
For
instance,
there
was
still
a
level
four
when
this
survey
was
conducted
a
level
four
of
of
of
the
framework
before
the
the
split
right
before
the
the
break-off
of
the
different
different
tracks.
So
I
mean,
like
I,
said
I
think
as
a
foundational
item,
just
to
get
a
gauge,
wonderful,
I,
think
the
date.
E
B
Sorry
go
ahead.
Sorry,
yeah
I
think
it's
certainly
true.
I
mean
the
spec
is
changing
imminently
and
I.
I
guess
I
would
point
out
that
the
survey
didn't
specifically
ask
about
levels.
It
didn't
so
it
broke
it
down
by
the
different
requirements
or
security
practices.
So
I
was
my.
My
intention
was
that
to
make
it
more
broadly
useful
than
asking
about
difficulties
and
usefulness,
there's
also
one
two
three
and
four,
but
everything
you
said
is
fair.
B
E
E
E
B
B
One
is
it
probably
is
possible
to
have
quick
pull
surveys
that
openssf
could
run
on
a
wide
variety
of
software
supply
chain
security
topics
to
include
salsa
I
mean
I
would
take
this
up
with
Jennifer
and
other
members
of
openss
of
team,
but
that
seems
like
it
could
be
a
broadly
useful
thing
and
not
just
to
this
group,
and
you
could
imagine
working
with
partner
organizations
a
number
of
the
companies
here
and
others
to
reach
a
ride.
Network,
you
know
get
a
few
hundred
responses
every
three
months
or
something
like
that.
B
That
seems
like
a
cool
idea.
Second,
there's
another
approach,
but
I
think
it's
a
little
too
technically
difficult
now,
but
I'd
love
to
be
told,
I'm
wrong
it
of
actually
looking
at
software
artifacts
Associated,
especially
with
open
source
software
repositories
and
as
salsa
becomes
more
widespread
and
mature
checking
things
like
for
salsa
badges
or
even
having
a
tool
that
checks
for
salsa
practices
on
open
source
projects
could
give
another
way
of
doing,
engage
without
doing
a
survey.
But
it
there
are
technical
complications.
There.
E
E
I
for
the
for
the
group,
I
think
the
the
ketchup
mustard
relish
of
supply
chain
security
I
feel
like
we
need
to
submit
that.
Maybe
it's
not
so
much
of
a
panel
but
I
think
that
is
an
important
story
to
tell
right.
We
have
a
new
Mission
scope
that
we're
trying
to
do
across
the
board.
We
have
you
know
S2
c2f,
since
the
last
osfna,
and
now
we
have
this
positioning
group,
so
I
think
we
should
submit
that
and
we
would
just
kind
of
not
do
it
as
a
panel
form.
I
E
Thumbs
up
thumbs
down
our
nose
is
good
I'm,
not
seeing
anything
so
I'm,
I'm
and
I
think.
Actually,
there
are
some
people
that
have
probably
dropped
that
probably
need
to
thanks
Jennifer
that
need
to
vote.
So
I'll
put
it
up
on
the
on
the
slack
channel
for
people
with
a
thumbs
up
thumbs
down,
but
I
think
that
would
have
a
good
chance
of
of
getting
in.
That
was
one
of
the
first
ones
that
were
accepted.