From YouTube: Supply Chain Integrity WG (June 28, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
B
A
A
B
B
Along the way, let me get.
A
Today is June, oh okay, June 28th, and I will put this in the chat, so if people can sign in.
B
A
That's the only reason why I'm in the office, is because I'm donating blood today, just having a, a blood drive, but other than that I hardly ever come in. Okay, and let me, so I'm like, I'm gonna bump you down.
A
So that we can welcome you folks. Okay, so I know there is at least one new person. If you don't mind introducing yourself and telling us a little bit about why you came today.
D
Hi, so I guess that's me. I am Cassie Crossley, and at Schneider Electric I have been working on the software transparency and the SBOM initiative at our company for the last several years. I'm vice president for supply chain security and I wanted to get more aligned to what's happening in the OpenSSF forums. So I have added this.
D
One, I've already been on SCITT meetings for the IETF, but I added this one and I think one or two others achieve my calendar so that I can start attending. I think it was the, now I can't recall which one it was. Oh, the end users working group, okay, so.
A
Think that one has the SBOM Everywhere, right, Mike? Right, yeah, yeah, so that one's a good one to attend, yeah, SBOMs everywhere. So, okay, well, welcome Cassie. So this meeting, it's been shifted a couple times. We used to be focused mainly on SLSA, but we've been up-leveled earlier this year.
A
Basically, we are focused on all of supply chain integrity and the subgroups, so that includes FRSCA, S2C2F and potentially GUAC, once it's official that it gets donated, and just trying to get the word out and education to people about, you know, what we're trying to do and how to use the tools, etc.
A
So that's really what we're all about here, is just trying to evangelize and, and make sure that, you know, we have coverage across all of the different work subgroups, and if there is a gap anywhere, whether it be in our tooling, in, you know, maybe our assumptions, that we try to course correct when, when possible, so that's, yeah, that's pretty much it, and, and that's.
D
One of the reasons why I'm joining is to really represent the OT space on a lot of these pieces. I'm on the JCDC OSS group for OT, and even just like the S2C2F, it doesn't account for, you cannot update open source libraries in an OT world without going through a full regression, safety, reliability testing. So it's rare that we will do updates. Sometimes we'll backport the patches, but generally from an OT environment.
D
We, there's already enough non-encrypted protocols, things like that, so you're not supposed to be putting them on the Internet for certain reasons anyway. So the, the likelihood of exposure. So in fact I was just on a, Adrian and I were on the RSA webcast along with Jeff shut from Cisco yesterday on supply chain software transparency, okay.
D
A
Okay, well, welcome, yeah, you're definitely in, in good company, right. We all want to make sure that we, we cover as much use cases that we possibly can. We definitely haven't talked about OT, I don't recall, in any of these meetings over the last year, so it'd be good to have a different perspective.
E
Sure, so there's two things, the two things I put on there again.
F
Oh right, so one of the things was, with SLSA v1 out, starting to still see some folks who are giving presentations on SLSA still using old SLSA v0.10.2 tables, diagrams, etc. So one of the things that, and then this, in addition to that, recently had a discussion with some of the other folks from LF Asia, who seem to be interested in, in pushing some SLSA stuff, but they're like, hey.
F
You know, whether it's inside the same, you know, just inside of our normal SLSA repo with just like diagrams or whatever, just like some, some content that folks can just sort of pull from, and we kind of point people to, might be useful, yeah. That's, that's pretty much it, just a little suggestion there of like, hey, I think as we're looking to, and this is kind of also goes beyond that, but also I think one of the things that might be really useful to come out of the supply chain.
F
Integrity group is some more just sort of basic materials for like what the mission is and how do we just sort of describe it, because, you know, one of the biggest pieces of feedback we've gotten was, wait, I'm still confused, because somebody else just showed me something that had a different thing, or somebody had a diagram that said SLSA 5 or whatever, and you're like, yeah, that's not true. There's confusion still, so what we can do to clarify that would be great.
B
A
A
B
F
F
So the, the idea here is a lot of folks are like, they look at slsa.dev and they're like, okay, which of these diagrams is the most important, whatever, like just something like: hey, here's the images, here's all of them in a single spot. Even, it might even just be a one-pager that points people to, oh, if you're looking for diagrams they're under slsa dot, you know, they're under the SLSA framework under slash diagrams or whatever, if you're looking for the tables.
F
They're good, like this is what the table looks like, so that folks who are pulling out of it, you know, can just say, hey, make sure that you're just, you know, looking here for, for SLSA. You know, the SLSA logo, yeah, yeah, a lot of folks right now are, you know, just, you know, right-clicking the image on the website, pulling off.
F
You know, pulling it down, which, which makes sense, but I think the thing that would be useful is if we have it all sort of centralized and, and once again, not just purely SLSA, but some of the other stuff that, that we've been building in the supply chain.
F
Integrity group for presentation purposes, so that folks who are developing presentations or whatever, we can just say, hey, make sure you're always keeping track of this repo, because it's always going to have the latest stuff on there, because, you know, I think I, I have a link in there. You know, somebody give another talk on SLSA and it still has SLSA level one through four. It still talks about some of the old wording we were using and, and so on.
A
Okay, got it, and I saw Marcella give a thumbs up. Anybody have any thoughts or comments on this approach?
G
Yeah, hi, can you hear me? I'm not using the same headset today. Oh yeah, I can hear you, great. So to Mike's point, though, about the level four being included. Sometimes, at least internally for us, I think there's still a bit of an assumption that a level four will exist in the future, and so how can we sort of, I mean, we, we essentially want to be prepared for when a level four or other tracks do you come in, and so how do we, yeah.
G
How do we resolve this, I guess, is a question that probably arises.
A
G
Yeah, so essentially, right, like I think a lot of us who have been looking at SLSA v0.2, for example, and people who maybe saw 0.2, but then weren't super involved with version one, but now are saying: okay, well, there will be a level four at some point.
C
G
Will be a source track or verified builds or all these different aspects we've been talking about, and so I guess the question I'm sort of putting out there to have a good answer is: how can we sort of communicate, how can we separate the two better in communications and sort of help?
F
Yeah, so I think, I think that also ties into some of what, what I think that's worthwhile, and I know, this is like, we're not in Oregon. You know, we're not a company per se, but it's, there is that thing around, like, you know, the way that different organizations set up sort of like a, a, a branding guide of like, hey, here's how you sort of talk about these things. I think, you know, writing up a couple of small things around.
F
You know, like maybe an FAQ and, and some other things, so that folks can sort of read that up. Like, the thing I'm worried about is, like, so we removed L4 and people are still super confused, and, like, I think we did a lot of great work on the actual spec, but we're not doing a very good job on the actual marketing, on the, the education, on a lot of the other pieces, and for what it's worth, the, the LF has very clearly expressed that they will be more than happy to help out here.
F
Set up webinars, do a lot of that leg work in setting it up, because I know we all have way too much stuff on our plate, but yeah, I think on, on that end, you know, it would be really useful, because I think the thing here is, like, there's a big difference between saying, hey, it sounds like the community's probably gearing towards pushing towards L4, and that will probably look something like this, versus.
F
This is what it is, because it's gonna be very different for folks who are like, yeah, I'm familiar with SLSA v1, v0.1 or v0.2 and the other stuff that we were doing and then SLSA v1, and they can go and say: okay, I see you took out L4 now and I see that, but for folks who are just learning, they're seeing the stuff and going, I don't understand, I see over here it says L4, I see over here.
F
It says L3, I see somebody wrote an article in, you know, blah blah that says L5. What's going on? And I think as, as, at least from the perspective of, of the LF, it's going to be very, like, they're going to want to make sure that we are, you know, very consistent with that messaging, and so anything that we could do to help out there would be useful.
A
So it is, I may, I want to piggyback on the, for new folks that can be confusing. That's not even a statement just about L4. There are people that come to me asking, how do I do this? Like, it's not about the coding.
A
It's, it's about, I don't understand what's happening, right, and so for new folks that don't know SLSA, they haven't been around, they're just trying to make sense of it and what's required, and it's not easy for them to even figure out what's required of them to show that they are SLSA level two or SLSA level three. They know that there's this, you know, provenance. They know that there's this VSA, but they still don't quite get it.
A
Even though there is the slsa.dev, and so maybe that goes back to some of the issues that we, that we talked about and I created, where maybe we need to start doing these things, right, because I know we talked about these, like a deep dive on SLSA, right, training modules, and that would be with the LF, right, if I'm not mistaken.
A
So, potentially, you know, once you start getting going with this, we can definitely help that confusion, but I think we need to do micro, micro videos. We can't wait, you know, months, because things will change in months, so I'm, I mean, I can do a video but I'm not good at editing or anything like that.
A
So how can we quickly put out like a two-minute, this is SLSA 101 for new people, like this is what it's all about? How can we get to that point where we start talking about, okay, yes, there's these different levels, but we're just going to focus on version 1.0, which is the latest, right, and this is what it means? So I don't know what folks' thoughts are on, on that.
F
So from my end, definitely here on that one, and in fact, actually it's some of the, one of the things that, as part of the next thing I wanted to talk about, which I think actually at this point is full of related.
F
So Julian from LF, who, he's the VP of Linux Foundation OpenSSF out there, Asia, APAC stuff, which I had just learned, apparently based on how everything's organized, it's different than Japan, so there's Japan and then there is APAC, which, you know, so, so just so, so, for example, stuff like Singapore, India and I think even Australia are all kind of considered part of that section. But Japan is kind of its own thing.
F
But anyway, he was talking about setting up some webinars, some introductory webinars, probably in August. I sort of said, yep, definitely willing to kind of help out there. I think one of the things that's kind of related here, and it's kind of also related to some of the issues we're running into from the tooling perspective, and it's something that bringing up to the OpenSSF, which is when it comes to the spec.
F
Obviously it's a huge community movement, it's, it's a very open, yada yada, but when it comes to developing content outside of some basic stuff, right, when it comes to developing training and content and yada yada, it's hard for a lot of groups to say: hey, I just don't have the time, and this is volunteer effort.
F
So there's discussion about, you know, what could, from a, you know, compensation standpoint or, or some sort of other way of kind of doing that, and one of the things that was discussed was like, hey, whether it's, you know, because this is the same sort of thing that, if you'll notice, LF does already today, is like the such and such training module built in collaboration with a certain vendor, and in certain cases it's money exchanges hands, and, you know, the LF has a lot of money from all of our member dues.
F
So, so they can help pay for this as well. But in addition to that, there's also things like, you know, publicity from the person who is, let's say, giving that, you know, it's like they can sort of say, oh, the LF is bringing this on, brought to you in collaboration with the vendor that, that developed the, the training or, or that marketing, which is, is, I think, super helpful, because we're seeing the same thing right now with, from the tooling perspective, like at some level.
F
It's like the thing I've heard, for example, reaching out to some of the folks about the Maven thing you were talking about, that was it yesterday, was a lot of people are like, great, who's paying for the Maven tool to, to, to build SLSA, like who's paying for it, and, or, you know, like how is that all working in, like, you know.
C
F
A million, you know, there's a million things kind of going on there, and so yeah, I think, like, that's kind of where there's been some push, right. Like, there's certain things we can definitely do. You, you know, I have no problem like attending a meeting or giving a presentation. But if there's going to be something like, hey look, we're gonna need to actually generate some content.
F
We all have way too many things on our plate. So there'll have to be some way of saying, like, yeah, the, the cost of doing this is offset, so we can kind of actually provide it.
A
Yeah, yeah, no, that, that's a good point. So Marshall, I see you, you wrote micro video sounds good, right. It's just, just like me, right. It's not like, I'm happy to help, but we also don't want to wait months, right.
A
I know for the SLSA 1.0 announcement, I know that's bigger because they have to come up with, you know, a line of, it's not speakers, it's people that they, that interview, right, or SLSA, like, like, you know, tech radar or something like that. They line those people up for the announcement, but it was a little over a month just to get that announcement out that door, and it was not just one person, that was many people, and so that's my concern.
A
G
B
A
Okay, the, the other thing, I think I mentioned it in, on Monday, Mike. For, you know, the APAC stuff, there was a Google person in APAC that did a SLSA presentation, and so there is someone over there that knows, right, outside of just the LF, that knows about SLSA and is willing to talk about SLSA. So potentially we can.
F
A
F
This is Julian and, and those folks who are doing that sort of thing, and I know somebody from Google, but it's, I think the thing is that person is not really a huge member of the community, and so I think the thing is: how do we, how do we also, then one of the big questions has been, which I had sort of said, you know, I have no problem.
F
For example, you know, once, once or twice, right, like staying up till 2 a.m. and giving a presentation to, to APAC to help seed that, and then from there the community can kind of drive it forward, because I think there are folks also from Oracle and, and Samsung and other places that are somewhat involved, but, like, it's been kind of difficult, so there's, there's two separate things. One was an end user side of things. Right, like this is the.
F
How are we helping drive end user engagement to make sure that folks recognize, like, hey, there's, there's stuff, like, you know, Europe folks who are focused on SLSA. You know, separately, there is that discussion of how do we get those same folks who might have feedback and say, I want to contribute back to the spec?
F
Is there ways to have that feedback come in where it's not like, you know, because for a lot of those people, I believe the meeting is, you know, around midnight, but somewhere between, like, 11 p.m. and 1 a.m. their time whenever we have a lot of the SLSA meetings, and so are there ways that we can kind of synchronously or asynchronously set something up so that that feedback can come to us once in a while?
F
That would be valuable as well, but yeah, as far as the webinar goes, you know, they have, I was asked to kind of give a webinar, no problem doing that, at least initially, right, they'll, you know, but I think in addition, that some folks were also even asking, like, hey.
F
Could we create a webinar even just for the US stuff, because a lot of folks have a lot of questions about SLSA and the community meetings are not necessarily the right path, and I even heard from a few folks, like, office hours are great.
F
If folks have like a really specific, larger question that they want to kind of get addressed, but something like an introductory webinar, something like, hey, here is us showing off, like, the tools, the, how everything works, how everything is structured, and the really introductory sort of training of, this is what SLSA is, this is why you should care, and then this is a basic implementation and how it all works, and what are your, the expectations against a lot of it, right, because, like, you know, I think to your point, Melba.
F
It depends on who you're talking to, because you read the requirements and, like, for example, it makes total sense to me. It makes total sense to certain folks, but other folks in different audiences are going to say, actually I'm not 100% sure what that, that means, and, and I don't know where to get started, and, and, you know, that sort of stuff.
A
Yeah, so in terms of the, the, I know there's the webinars, and we talked about, well, shouldn't we use the SLSA community, right, meetings, I think it's, is it bi-weekly or monthly now, no, the overall one, to do some of this stuff, but then I feel like the people that show up don't want to have a 101. They want to have more advanced things, so yeah.
F
Yeah, I mean, talking to the community, the thing I, I keep hearing time and again is the, the community meetings are very useful for understanding what is the status of things, what is the, where are we with certain bodies of work, or, hey, I have a very specific question about, like, I'm seeing you work on this, but why are you working on this?
F
Not that, whereas a lot of folks are just like, where do I get started with SLSA, and the, that sort of level of stuff I think is, is confusing to folks, and then even something like, the thing I've heard is even something like in office hours is not always the greatest way of doing that, because, you know, a lot of folks are just like, no, no, I want to just, I.
F
Don't want to ask questions, I want to just be told here's the basics, and then afterwards, oh, now I have a question. That seemed, that thing seemed to be, which is why I think a lot of folks are pushing for this, like these webinars, these, these trainings and, and those sorts of things, and I think it kind of goes into, you know, some of the stuff that Jay was talking about with S2C2F, of like, hey, we've recorded a bunch of training content, and that sort of stuff is super successful.
F
So if we can kind of create some SLSA training content, it might be, you know, super valuable, and I think, as we've kind of talked about before, as well as like, not everybody wants to read a million things, so even something like a micro video, a, a, you know, something like a five-minute, like, hey, so you, you don't know what SLSA is: okay, here's the basics. Oh great, now I have that idea, now I know, like, now I can dive into, you know, the other pieces.
A
You created training content. Was that because Microsoft created it, or how did you go about doing that, actually?
C
Work, yeah, no, we were going with LF, the SKF and then, and the LF training, and that's who we were, you know, we, we started the, the process with them, and then all we had to do was follow up and create these training modules, and it take, it takes a little bit of time, but we even inquired not just about S2C2F in the training model and the training modules there.
C
But we even asked that for, for SLSA too, because we figured if we can get S2C2F in those training modules off the ground, that we might think about getting those training modules set up for SLSA as well. The thing about SLSA is that it, once again, we're dealing with the, with the tracks, so the training modules for each track, how the hell do we negotiate that?
C
But, but the idea was to utilize the systems that we, utilize the resources we already have: LF training and, and SKF, that is already right in training for LF. Why not utilize those resources for all of these frameworks and everything else we got going on as well, so, so that, that was, that was the idea behind that, but it wasn't.
C
It wasn't, definitely wasn't a Microsoft thing, it was purely an openness and, and, and it was purely just, you know, so, that for S2C2F, for SLSA, hell, I think I even mentioned this to Mike before about FRSCA. Even, we should really be thinking about, and I guess this is at the working group level, I don't know that, that week, that, I mean do.
C
Side, but I think that the working group level, we should definitely be thinking about how do we, especially when it comes to adoption, how do we, you know, get people to, to adopt, and the best way to do that is through providing training and training modules to get a better understand of use cases and everything else.
C
So we talked, we talked with Randall, but then, but then we ended up speaking with, God, I got that, this is, this is going back months, like I'm going to say at least six or seven months, but there was a Tom and, I know, Randall, Randall, okay, entered, gave us the introduction. I think Randall, actually I think Randall is still doing that work with LF and SKF, but then there was Tom and then I wanted to say Michael, and I can't remember their names, they're in the notes.
A
Yeah, if you, if you're able to, oh, I did not mean to do that, if you're able to find the names, and if you want you can tag it in here, because we have a task in the working group to start doing that. So, potentially we can just start piggybacking off that, yeah.
C
B
Okay, other questions, comments?
H
If it's helpful, we recently released a pretty thorough, currently ebook, soon to be real book, real, real printed book that covers a lot of SLSA and how to actually start incorporating it, and we do, like, we, we put out a ton of SLSA content on the ActiveState side. One of the things that we get asked for a lot is just like examples, like what does provenance actually look like, or what is an SBOM or an attestation
H
Actually look like, you know, I think people are confused about what the actual print output should be and then also what they should do with it. So we get a lot of questions about, like, hey, once I have this thing, like, what, what do I do next, right?
H
So that's where a lot of our resources are built around, is like practical, how to use these things, like how they apply to the exec order mandate and what is SLSA level three actually mean, because I do agree with whoever made this comment earlier, that people are confused between the levels now and what the highest level of attainment actually is, but I'm happy to share.
H
All the stuff that we've written too, if it's helpful, and volunteer myself in the ActiveState group to help script things or write things or contribute things as needed there, yeah.
A
B
A
B
A
Did this, I just want to do a regular smile without having to click on stuff. Anywho, any other thoughts, comments?
B
A
Okay, so I, I heard a couple volunteers for videos, and Marcella, I, I tried to tag you, but it's not, fine, now it finds you. It wasn't, it wasn't letting me last time. Okay, it just, I had to like copy and paste it, but it wasn't linking it to you for some reason. You don't.
B
A
Why, and I am not logged in, but I don't know when you wanted to try to do this one, because you said that could be a quick, a quick video.
G
Yeah, yeah, and I think some of it I might at least start with, just pull some content out of the talks I've given around why things like SBOM, SLSA and other metadata are needed, right, and so, like, yeah, I.
G
I see this, knowing that probably it will take me longer than I think it will, but yeah, I can, I can definitely give this a shot.
A
Okay, yeah, yeah, feel free to update the issue, right, and then in parallel, I'm gonna try to reach out to Jennifer Bligh.
A
Just to see, you know, what our options are for some of these things, so that maybe you can make it faster for us, right, good. Oh yes, I can! Here you go. Oh yeah.
A
Yeah, let me know if you can't access it, Claudia, you should be able to, yeah, okay, and I forgot to mention, folks, that, I mentioned it earlier, that I'm donating blood today, which is why I'm in the office, so I actually have to like bolt in like nine minutes.
A
B
G
Yeah, so sorry, just to close out on the video script, oh sure, so are we, should I write it like some kind of script? I, I haven't really done this much, but I can sort of just put together like a one-page thing and, I guess, someone just reads it and it becomes a voiceover. I'm not sure, I'm not sure people want to see my face, so, and it's really not the important part, right, so, but I guess timeline-wise, like, should we aim for like a.
A
This one or any, yeah, I would say this. Also, ones will probably want to plan on multiple, like what the logic is, not logic, what the content is, and, and think of multiple ones, like, you know: here's intro 101, right, in five minutes, right, and then here is this in, in five minutes, right, because if we just do one and then take another month or two to release the next, it might be a bit much or too long.
A
Rather, so, I think this one might take a little bit more thought process behind. So, if you want to do this one, I think you said you had content for this, so it might be the easiest one to just check off our list. Keep doing that. Sorry, yeah, so I can, yeah. So.
D
A
I'm fine with whatever you're comfortable with, and I definitely would, if you're writing a script, right, you should get full credit for it, and I know you don't, you may not want your face out there. I can understand that, but if we can figure out a way of, of, of somehow linking you to it, so that you can get credit for it, that, that would be my, my personal option, or my preference, I should say, sure.
G
G
I'm sure there's some other sort of, because this institutional trust question versus like metadata and provenance is, I think there, there might be some other sort of more core background topics that would help people understand SLSA, so maybe that's something to queue up for a future meeting, is just figure out what some of these other topics are that would provide enough background for people to help, to, for people to understand SLSA, right, yeah.
F
Yeah, I think that actually ties into some of the supply chain integrity stuff, because I think one of the interesting things I found recently, going to a couple of, like, more developer-focused conferences or DevOps-focused conferences, is everybody knows of SolarWinds, everybody knows of Log4j.
F
F
You know, maybe five to ten percent have heard of an SBOM, and in fact some folks had heard of SLSA from a build security perspective, but they had never heard, like, they didn't know that that was tied back into supply chain. There was like, oh, I was just reading it, you know, reading it up on it from the perspective of, like, you know, just build security.
F
Yeah, yeah, so this was actually recently at DevOpsDays in New York City, and there was a very few people who had heard of supply chain security before that, and yeah.
B
A
Okay, yeah, yeah, I'm definitely giving a lot of internal talks about supply chain security. If you have to be like, hey, you know, we're not trying to be, you know, peta's in CSO, right, and we very much are trying to protect ourselves and, and our customers, right, so we're not trying to make your lives miserable.
A
There's a real need to do some of this stuff. So I can understand people not knowing, and then once you kind of open their eyes, or like, okay, I get it, I get it now.
A
Okay, does somebody want to take over? Do you want to continue the meeting, because I do have to drop.
B
C
I mean, we got, it was like with 15 minutes, like 18 minutes left, I mean then, unless there's anything else anyone wants to cover in these 18 minutes. That's good in case. We can stop here.
F
A
Okay, well, thanks folks for joining in. Cassie, thank you for joining your first time. Hopefully we can talk about, you know, OT next time, just put on the agenda.
D
No, no, no, yeah, next week, but no, I just wanted to, to participate and, and give that perspective. So we don't, yeah, yeah, yeah.
A
Definitely put on the agenda for next time, but yeah, we're, we're grateful to have you, thanks. Everyone, see.