►
From YouTube: Supply Chain Integrity WG (June 28, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
B
A
A
B
B
A
D
Hi
so
I
guess
that's
me:
I
am
Kathy
Crossley
and
at
Schneider,
Electric
I
have
been
working
on
the
software
transparency
and
the
s-bomb
initiative
at
our
company
for
the
last
several
years.
I'm
vice
president
for
supply
chain
security
and
I
wanted
to
get
more
aligned
to
what's
happening
in
the
open,
ssf
forums.
So
I
have
added
this.
D
A
A
Basically,
we
are
focused
on
all
of
supply,
chain,
integrity
and
the
subgroups,
so
that
includes
Fresca,
S2,
c2f
and
potentially
guac,
once
it's
official
that
it
gets
donated
and
just
trying
to
get
the
word
out
and
education
to
people
about.
You
know
what
we're
trying
to
do
and
how
to
use
the
tools
Etc.
D
One
of
the
reasons
why
I'm
joining
is
to
really
represent
the
OT
space
on
a
lot
of
these
pieces,
I'm
on
the
jcdc
OSS
group
for
OT,
and
even
just
like
the
S2
c2f,
it
doesn't
account
for
you
cannot
update
open
source
libraries
in
an
OT
world
without
going
through
a
full
regression
safety,
reliability
testing.
So
it's
rare
that
we
will
do
updates
sometimes
we'll
back
Port,
the
patches,
but
generally
from
an
OT
environment.
D
We
there's
already
enough
non-encrypted
protocols,
things
like
that,
so
you're
not
supposed
to
be
putting
them
on
the
Internet
for
certain
reasons
anyway.
So
the
the
likelihood
of
exposure.
So
in
fact
I
was
just
on
a
Adrian
and
I
were
on
the
RSA
webs
cast
along
with
Jeff
shut
from
Cisco
yesterday
on
supply
chain
software,
transparency,
okay,.
D
A
F
Oh
right,
so
one
of
the
things
was
with
saucer
V1
out,
starting
to
still
see
some
folks
who
are
giving
presentations
on
salsa
still
using
old,
salsa
V
0.10.2
tables
diagrams
Etc.
So
one
of
the
things
that
and
then
this
in
addition
to
that
recently
had
a
discussion
with
some
of
the
other
folks
from
LF
Asia,
who
seem
to
be
interested
in
in
pushing
some
salsa
stuff
but
they're
like
hey.
F
You
know
whether
it's
inside
the
same,
you
know
just
inside
of
our
normal
salsa
repo
with
just
like
diagrams
or
whatever,
just
like
some
some
content
that
folks
can
just
sort
of
pull
from,
and
we
kind
of
Point
people
to
might
be
useful
yeah.
That's
that's
pretty
much
it
just
a
little
suggestion
there
of
like
hey,
I,
think
as
we're
looking
to-
and
this
is
kind
of
also
goes
beyond
that,
but
also
I,
think
one
of
the
things
that
might
be
really
useful
to
come
out
of
the
supply
chain.
F
Integrity
group
is
some
more
just
sort
of
basic
materials
for
like
what
the
mission
is
and
how
do
we
just
sort
of
describe
it
because
you
know
one
of
the
biggest
pieces
of
feedback
we've
gotten
was
wait,
I'm
still
confused,
because
somebody
else
just
showed
me
something
that
had
a
different
thing
or
somebody
had
a
diagram
that
said
salsa,
5
or
whatever
and
you're
like
yeah.
That's
not
true,
there's
confusion
still,
so
what
we
can
do
to
clarify.
That
would
be
great.
B
A
B
F
F
So
the
the
idea
here
is
a
lot
of
folks
are
like
they
look
at
salsa.dev
and
they're
like
okay,
which
of
these
diagrams
is
the
most
important
whatever
like
just
something
like:
hey
here's,
the
images,
here's
all
of
them
in
a
single
spot,
even
it
might
even
just
be
a
one-pager
that
points
people
to
oh.
If
you're
looking
for
diagrams
they're
under
salsa
dot,
you
know
they're
under
the
salsa
framework
under
slash
diagrams
or
whatever,
if
you're
looking
for
the
tables.
F
They're
good
like
this
is
what
the
table
looks
like,
so
that
folks,
who
are
pulling
out
of
it,
you
know,
can
just
say,
hey,
make
sure
that
you're
just
you
know
looking
here
for
for
salsa.
You
know
the
salsa
logo
yeah
yeah
a
lot
of
folks
right
now.
Are
you
know
just
you
know
right
clicking
the
image
on
the
website
pulling
off.
F
Integrity
group
for
presentation
purposes,
so
that
folks,
who
are
developing
presentations
or
whatever
we
can
just
say,
hey,
make
sure
you're
always
keeping
track
of
this
repo,
because
it's
always
going
to
have
the
latest
stuff
on
there,
because
you
know
I,
think
I
I
have
a
link
in
there.
You
know
somebody
give
another
talk
on
salsa
and
it
still
has
salsa
level
one
through
four.
It
still
talks
about
some
of
the
old
wording
we
were
using
and
and
so
on.
A
G
Yeah
hi,
can
you
hear
me
I'm
not
using
the
same
headset
today?
Oh
yeah
I
can
hear
you
great
so
to
Mike's
point,
though
about
the
level
four
being
included.
Sometimes
at
least
internally
for
us
I
think,
there's
still
a
bit
of
an
assumption
that
a
level
four
will
exist
in
the
future,
and
so
how
can
we
sort
of
I
mean
we?
We
essentially
want
to
be
prepared
for
when
a
level,
four
or
other
tracks
do
you
come
in,
and
so
how
do
we
yeah?
A
G
C
G
F
Yeah
so
I
think
I
think
that
also
ties
into
some
of
what
what
I
think
that's
worthwhile
and
I
know.
This
is
like
we're
not
in
Oregon.
You
know
we're
not
a
company
per
se,
but
it's
there
is
that
thing
around,
like
you
know
the
way
that
different
organizations
set
up
sort
of
like
a
a
a
branding
guide
of
like
hey
here's,
how
you
sort
of
talk
about
these
things.
I
think
you
know,
writing
up
a
couple
of
small
things
around.
F
Set
up
webinars
do
a
lot
of
that
leg.
Work
in
setting
it
up
because
I
know
we
all
have
way
too
much
stuff
on
our
plate,
but
yeah
I
think
on
on
that
end.
You
know
it
would
be
really
useful,
because
I
think
the
thing
here
is
like
there's
a
big
difference
between
saying
hey.
It
sounds
like
the
community's
probably
gearing
towards
pushing
towards
L4,
and
that
will
probably
look
something
like
this
versus.
F
This
is
what
it
is,
because
it's
gonna
be
very
different
for
folks
who
are
like
yeah
I'm,
familiar
with
salsa
V1,
V,
0.1
or
V
0.2
and
the
other
stuff
that
we
were
doing
and
then
salsa
V1
and
they
can
go
and
say:
okay,
I
see
you
took
out
L4
now
and
I
see
that,
but
for
folks
who
are
just
learning
they're,
seeing
the
stuff
and
going
I,
don't
understand,
I
see
over
here.
It
says:
L4
I
see
over
here.
F
It
says
all
three
I
see
somebody
wrote
an
article
in
you
know
blah
blah
that
says
L5.
What's
going
on
and
I
think
as
as,
at
least
from
the
perspective
of
of
the
LF,
it's
going
to
be
very
like
they're,
going
to
want
to
make
sure
that
we
are.
You
know
very
consistent
with
that
messaging
and
so
anything
that
we
could
do
to
help
out.
There
would
be
useful.
A
A
It's
it's
about,
I,
don't
understand,
what's
happening
right
and
so
for
new
folks
that
don't
no
salsa,
they
haven't
been
around
they're,
just
trying
to
make
sense
of
it
and
what's
required,
and
it's
not
easy
for
them
to
even
figure
out,
what's
required
of
them
to
show
that
they
are
salsa
level
two
or
it's
also
level
three.
They
know
that.
There's
this
you
know
provenance.
They
know
that
there's
this
VSA,
but
they
still
don't
quite
get
it.
A
So,
potentially
you
know
once
you
start
getting
going
with
this.
We
can
definitely
help
that
confusion,
but
I
think
we
need
to
do
micro,
micro,
videos.
We
can't
wait.
You
know
months,
because
things
will
change
in
months,
so
I'm
I
mean
I
can
do
a
video
but
I'm
not
good
at
editing
or
anything
like
that.
A
So
how
can
we
quickly
put
out
like
a
two
minute?
This
is
salsa
101
for
new
people
like
this
is
what
it's
all
about.
How
can
we
get
to
that
point
where
we
start
talking
about?
Okay?
Yes,
there's
these
different
levels,
but
we're
just
going
to
focus
on
version
1.0,
which
is
the
latest
right,
and
this
is
what
it
means
so
I,
don't
know
what
folks
thoughts
are
on
on
that.
F
So
Julian
from
LF
who
he's
the
VP
of
Linux
Foundation
openss
out
there
Asia
APAC
stuff,
which
I
had
just
learned
apparently
based
on
how
everything's
organized
it's
different
than
Japan,
so
there's
Japan
and
then
there
is
aipac,
which
you
know
so
so
just
so
so,
for
example,
stuff,
like
Singapore,
India
and
I,
think
even
Australia
or
all
kind
of
considered
part
of
that
section.
But
Japan
is
kind
of
its
own
thing.
F
But
anyway
he
was
talking
about
setting
up
some
webinars,
some
introductory
webinars,
probably
in
August
I
sort
of
said,
yep,
definitely
willing
to
kind
of
help
out.
There
I
think
one
of
the
things
that's
kind
of
related
here
and
it's
kind
of
also
related
to
some
of
the
issues
we're
running
into
from
the
tooling
perspective,
and
it's
something
that
bringing
up
to
the
open
ssf,
which
is
when
it
comes
to
the
spec.
F
So
so
they
can
help
pay
for
this
as
well.
But
in
addition
to
that,
there's
also
things
like
you
know:
publicity
from
the
person
who
is
let's
say
giving
that
you
know
it's
like
they
can
sort
of
say.
Oh,
the
LF
is
bringing
this
on
brought
to
you
in
collaboration
with
the
vendor
that
that
developed,
the
the
training
or
or
that
marketing,
which
is
is
I,
think
super
helpful
because
we're
seeing
the
same
thing
right
now
with
from
the
tooling
perspective
like
at
some
level.
C
F
A
million
you
know,
there's
a
million
things
kind
of
going
on
there
and
so
yeah
I
think,
like
that's
kind
of
where
there's
been
some
push
right.
Like
there's
certain
things,
we
can
definitely
do
you.
You
know,
I
have
no
problem
like
attending
a
meeting
or
giving
a
presentation.
But
if
there's
going
to
be
something
like
hey
look,
we're
gonna
need
to
actually
generate
some
content.
F
A
A
I
know
for
the
salsa
one
that
oh
announcement
I
know
that's
bigger
because
they
have
to
come
up
with.
You
know
a
line
of
it's
not
speakers.
It's
people
that
they
that
interview
right
or
salsa
like,
like
you,
know,
tech
radar
or
something
like
that.
They
line
those
people
up
for
the
announcement,
but
it
was
a
little
over
a
month
just
to
get
that
announcement
out
that
door
and
it
was
not
just
one
person
that
was
many
people,
and
so
that's
my
concern.
A
G
B
A
Okay,
the
the
other
thing
I
think
I
mentioned
it
in
on
Monday
Mike.
For
you
know
the
Apex
stuff,
there
was
a
Google
person
in
APAC
that
did
a
salsa
presentation,
and
so
there
is
someone
over
there.
That
knows
right
outside
of
just
dlf,
that
knows
about
salsa
and
is
willing
to
talk
about
salsa.
So
potentially
we
can.
F
A
F
This
is
Julian
and,
and
those
folks
who
are
doing
that
sort
of
thing
and
I
know
somebody
from
Google,
but
it's
I
think
the
thing
is
that
person
is
not
really
a
huge
member
of
the
community
and
so
I
think.
The
thing
is:
how
do
we?
How
do
we
also,
then
one
of
the
big
questions
has
been
which
I
had
sort
of
said.
You
know
I
have
no
problem.
F
For
example,
you
know
once
once
or
twice
right
like
staying
up
till
2
A.M
and
giving
a
presentation
to
to
APAC
to
help
seed
that
and
then
from
there
the
community
can
kind
of
drive
it
Forward,
because
I
think
there
are
folks
also
from
Oracle
and
and
Samsung
and
other
places
that
are
somewhat
involved,
but,
like
it's
been
kind
of
difficult,
so
there's
there's
two
separate
things.
One
was
an
end
user
side
of
things.
Right
like
this
is
the.
F
How
are
we
helping
Drive
end
user
engagement
to
make
sure
that
folks
recognize
like
hey,
there's,
there's
stuff,
like
you
know,
Europe
folks,
who
are
focused
on
salsa,
you
know
separately.
There
is
that
discussion
of
how
do
we
get
those
same
folks?
Who
might
have
feedback
and
say
I
want
to
contribute
back
to
the
spec?
F
Is
there
ways
to
have
that
feedback
come
in
where
it's
not
like?
You
know,
because
for
a
lot
of
those
people,
I
believe
the
meeting
is
you
know
around
midnight,
but
somewhere
between,
like
11
p.m
and
1
a.m.
Their
time
whenever
we
have
a
lot
of
the
salsa
meetings,
and
so
are
there
ways
that
we
can
kind
of
synchronously
or
asynchronously
set
something
up
so
that
that
feedback
can
come
to
us
once
in
a
while.
F
F
If
folks
have
like
a
really
specific,
larger
question
that
they
want
to
kind
of
get
addressed,
but
something
like
an
introductory
webinar,
something
like
hey
here-
is
US
showing
off
like
the
tools,
the
how
everything
works,
how
everything
is
structured
and
they
really
introductory
sort
of
training
of
this
is
what
salsa
is.
This
is
why
you
should
care,
and
then
this
is
a
basic
implementation
and
how
it
all
works,
and
what
are
your
the
expectations
against
a
lot
of
it
right
because,
like
you
know,
I
think
to
your
point
Melba.
F
It
depends
on
who
you're
talking
to,
because
you
read
the
requirements
and
like,
for
example,
it
makes
total
sense
to
me.
It
makes
total
sense
to
certain
folks,
but
other
folks
in
different
audiences
are
going
to
say
actually
I'm,
not
100,
sure
what
that
that
means
and
and
I
don't
know
where
to
get
started,
and-
and
you
know
that
sort
of
stuff.
A
Yeah
so
in
terms
of
the
the
I
know,
there's
the
webinars
and
we
talked
about
well
shouldn't.
We
use
the
salsa
community
right
meetings,
I
think
it's
is
it
bi-weekly
or
monthly?
Now,
no,
the
overall
one
to
do
some
of
this
stuff,
but
then
I
feel
like
the
people
that
show
up
don't
want
to
have
a
101.
They
want
to
have
more
advanced
things,
so
yeah.
F
Yeah
I
mean
talking
to
the
community.
The
thing
I
I
keep
hearing
time
and
again
is
the
the
community
meetings
are
very
useful
for
understanding
what
is
the
status
of
things?
What
is
the,
where
are
we
with
certain
bodies
of
work
or
hey?
I,
have
a
very
specific
question
about
like
I'm,
seeing
you
work
on
this,
but
why
are
you
working
on
this?
F
Not
that,
whereas
a
lot
of
folks
are
just
like,
where
do
I
get
started
with
salsa
and
the
that
sort
of
level
of
stuff
I
think
is,
is
confusing
to
folks
and
then
even
something
like
the
thing
I've
heard
is
even
something
like
in
office.
Hours
is
not
always
the
greatest
way
of
doing
that,
because
you
know
a
lot
of
folks
are
just
like.
No
no
I
want
to
just
I.
F
Don't
want
to
ask
questions,
I
want
to
just
be
told
here's
the
basics
and
then
afterwards,
oh
now,
I
have
a
question
that
seemed
that
thing
seemed
to
be,
which
is
why
I
think
a
lot
of
folks
are
pushing
for
this,
like
these
webinars,
these,
these
trainings
and
and
those
sorts
of
things
and
I
think
it
kind
of
goes
into.
You
know
some
of
the
stuff
that
Jay
was
talking
about
with
s2c2f
of
like
hey,
we've
recorded
a
bunch
of
training
content
and
that
sort
of
stuff
is
super
successful.
F
So
if
we
can
kind
of
create
some,
it's
also
training
content.
It
might
be.
You
know
super
valuable
and
I
think
as
we've
kind
of
talked
about
before,
as
well
as
like
not
everybody
wants
to
read
a
million
things,
so
even
something
like
a
micro
video,
a
a
you
know
something
like
a
five
minute
like
hey,
so
you
you
don't
know
what
salsa
is:
okay,
here's
the
basics.
Oh
great,
now,
I
have
that
idea
now
I
know
like
now:
I
can
dive
into
you
know
the
other
pieces.
A
C
Work
yeah,
no,
we
were
going
with
LF
the
SKF
and
then
and
the
LF
training,
and
that's
who
we
were.
You
know
we,
we
started
the
the
process
with
them
and
then
all
we
had
to
do
was
follow
up
and
create
these
training
modules
and
it
take.
It
takes
a
little
bit
of
time,
but
we
even
inquired
not
just
about
s2c2f
in
the
training
model
and
the
training
modules
there.
C
But
we
even
asked
that
for
for
salsa
too,
because
we
figured
if
we
can
get
S2
c2f
in
those
training
modules
off
the
ground
that
we
might
think
about
getting
those
training
modules
set
up
for
salsa
as
well.
The
thing
about
sauce
is
that
it
once
again
we're
dealing
with
the
with
the
tracks,
so
the
training
modules
for
each
track,
how
the
hell
do
we
negotiate
that?
C
But
but
the
idea
was
to
utilize
the
systems
that
we
utilize
the
resources
we
already
have:
LF,
training
and
and
SKF.
That
is
already
right
in
training
for
LF.
Why
not
utilize
those
resources
for
all
of
these
Frameworks
and
everything
else
we
got
going
on
as
well,
so
so
that
that
was?
That
was
the
idea
behind
that,
but
it
wasn't.
C
It
wasn't,
definitely
wasn't
a
Microsoft
thing,
it
was
purely
an
openness
and
and-
and
it
was
purely
just-
you
know
so-
that
for
s2c12
for
salsa,
hell,
I
think
I
even
mentioned
this
to
Mike
before
about
Fresca.
Even
we
should
really
be
thinking
about
and
I
guess.
This
is
at
the
working
group
level.
I,
don't
know
that
that
week,
that
I
mean
do.
C
Side
but
I
think
that
the
working
group
level,
we
should
definitely
be
thinking
about
how
do
we,
especially
when
it
comes
to
adoption?
How
do
we,
you
know,
get
people
to
to
adopt,
and
the
best
way
to
do
that
is
through
providing
training
and
training
modules
to
get
a
better
understand
of
use
cases
and
everything
else.
C
So
we
talked
we
talked
with
Randall,
but
then,
but
then
we
ended
up
speaking
with
God
I
got
that
this
is.
This
is
going
back
months
like
I'm,
going
to
say
at
least
six
or
seven
months,
but
there
was
a
Tom
and
I
know.
Randall
Randall,
okay
entered
gave
us
the
introduction,
I
think
Randall,
actually
I,
think
Randall
is
still
doing
that
work
with
LF
and
SKF,
but
then
there
was
Tom
and
then
I
wanted
to
say.
Michael
and
I
can't
remember
their
names
they're
in
the
notes.
A
C
H
If
it's
helpful,
we
recently
released
a
pretty
thorough,
currently
ebook,
soon
to
be
real
book,
real,
real
printed
book
that
covers
a
lot
of
salsa
and
how
to
actually
start
incorporating
it,
and
we
do
like
we,
we
put
out
a
ton
of
salsa
content
on
the
active
State
Side.
One
of
the
things
that
we
get
asked
for
a
lot
is
just
like
examples
like
what
does
provenance
actually
look
like
or
what
is
an
s-bomb
or
an
attestation?
H
H
A
B
A
B
A
B
A
B
A
B
G
Yeah,
so
sorry,
just
to
close
out
on
the
video
script,
oh
sure
so
are
we
should
I
write
it
like
some
kind
of
script.
I
I
haven't
really
done
this
much,
but
I
can
sort
of
just
put
together
like
a
one-page
thing
and
I.
Guess
someone
just
reads
it
and
it
becomes
a
voiceover
I'm,
not
sure
I'm.
Not
sure
people
want
to
see
my
face
so
and
it's
really
not
the
important
part
right
so,
but
I
guess
timeline
wise,
like
should
we
aim
for
like
a.
A
This
one
or
any
yeah
I
would
say
this.
Also
ones
will
probably
want
to
plan
on
multiple,
like
what
the
logic
is,
not
logic,
what
the
content
is
and
and
think
of,
multiple
ones
like
you
know:
here's
intro
101
right
in
five
minutes
right
and
then
here
is
this
in
in
five
minutes
right,
because
if
we
just
do
one
and
then
take
another
month
or
two
to
release
the
next,
it
might
be
a
bit
much
or
too
long.
A
D
A
I'm
fine,
with
whatever
you're
comfortable
with
and
I,
definitely
would,
if
you're
writing
a
script
right,
you
should
get
full
credit
for
it
and
I
know
you
don't
you
may
not
want
your
face
out
there.
I
can
understand
that,
but
if
we
can
figure
out
a
way
of
of
of
somehow
linking
you
to
it,
so
that
you
can
get
credit
for
it,
that
that
would
be
my
my
personal
option
or
my
preference
I
should
say
sure.
G
G
I'm
sure
there's
some
other
sort
of,
because
this
institutional
trust
question
versus
like
metadata
and
Providence,
is
I
think
there
there
might
be
some
other
sort
of
more
core
background
topics
that
would
help
people
understand
salsa,
so
maybe
that's
something
to
queue
up
for
a
future
meeting
is
just
figure
out.
What
some
of
these
other
topics
are.
That
would
provide
enough
background
for
people
to
help
to,
for
people
to
understand
salsa
right,
yeah.
F
F
F
You
know
maybe
five
to
ten
percent
have
heard
of
at
s-bomb
and
in
fact
some
folks
had
heard
of
salsa
from
a
build
security
perspective,
but
they
had
never
heard
like
they
didn't
know
that
that
was
tied
it
back
into
supply
chain.
There
was
like
oh
I
was
just
reading
it.
You
know,
reading
it
up
on
it
from
the
perspective
of,
like
you
know,
just
build
security.
B
A
Okay,
yeah
yeah
I'm
definitely
giving
a
lot
of
internal
talks
about
supply
chain
security.
If
you
have
to
be
like
hey,
you
know
we're
not
trying
to
be.
You
know
peta's
in
CSO
right
and
we
very
much
are
trying
to
protect
ourselves
and
and
our
customers
right,
so
we're
not
trying
to
make
your
lives
miserable.