From YouTube: Supply Chain Integrity WG (March 28, 2023)
A: You're like, "I gotta go, I gotta go." Let me bring up the meeting notes.

A: And apologies for not doing the agenda this morning. It's been quite the day. Okay, if you haven't signed in, please feel free to sign in. I was starting to put the beat.

A: Okay, so please do sign in. I don't know why this looks weird here. For folks that don't know, I think Jay knows, because I can't ever make the S2C2F meeting, because I volunteer during that time. I volunteer for, it's called a Math Pentathlon or something like that. It's coaching little kids on strategic math games, and so we have a math competition this weekend. So it should be pretty fun. I'm kind of excited about that, yeah.

A: You think there's math; there's not really any math, it's more strategy games, and they're a lot of fun to play with. Let's see, but it's probably going to be chaos. Crazy thing is they make the kids sign in at 7:30 in the morning. These are kindergartners.

A: It's like, come on, they're kindergartners, and it lasts till like one or something like that, playing five different games. It's pretty... that's.

A: But I think the reason why is because they're so young that there's a lot of breaks in between, right? So each takes like 15 minutes to just play one game, and so then you have all these kids and they'll snack and they'll talk and, you know, they'll wander off in any break. So I think that's why.

A: Yeah, I hear you, Laura. Okay, so for today's agenda, I wanted to go back over some things from last week. So did anyone have anything new to... well, first, newcomers. Are there any newcomers? I always forget. Any newcomers wanting to introduce themselves? No? Going once, going twice.

A: Okay, are there any agenda items that people want to bring up first, before we go through some of the items from last week?

A: No? Okay, so.
C: One thing I'll just do a quick shout-out for: in a couple of weeks, at KubeCon EU, there's going to be a Security Village area, and so there's going to be an open, what is it called, an unconference-style session for a couple hours. And so, if folks are interested in stopping by, we'll have conversation tables out, we'll have different things like that.

C: Definitely, I'm hoping to bring up different things like SLSA and FRSCA and other things like that, on top of the other cloud native security things that we're all interested in. So if anybody is around or knows folks who are attending, please send them that way.

D: Yeah, thank you. On my end with that, I'm finalizing some, perhaps a bit of a... It is an unconference, so it's nothing super official. As in, it's not gonna be, you know, it's gonna be very laid back, but the idea is going to be potentially taking also some CNCF projects and trying to SLSA-ify them. A lot of them are already using GitHub Actions, and, hey, just add this GitHub Action in and you're, you know, at least SLSA 0.1; we'll get you to 1.0 in a few weeks.

D: But the idea is, I think, to show folks how easy it is to get started there. So there's gonna be some stuff on that. It should be really fun.

D: Yeah, we're calling it the Security Village or the unconference, because the idea there being that everything else is going to be lots of talks; there's going to be a section of the KubeCon hallway that's just going to be booths and tables and stuff like that.
D: So, a couple things. One is the FRSCA stuff. Based on some general feedback from last week's FRSCA meeting, I rewrote a good deal of it. It's back up.

D: Looking once again for feedback on it, because, as we said, hey, if we want to make this thing, if we want to make FRSCA, whether it's just "this is a shiny example" or "hey, this is a project that people should be able to deploy," we need to get more folks and more eyes on it, and so I wanted to get some additional thoughts, especially from folks who are vaguely familiar with FRSCA but really aren't sure on it.

D: ...about some of the stuff, because, as I had sort of mentioned before, I see FRSCA showing up in a lot of presentations, but when it comes to actually getting contributors to it, it's been a bit difficult. And so, if it's valuable to folks, hey, let's see what we can do with it. If it's not, it's not.

D: We can kind of go and say, okay, not every project is successful. But I know that with some of the stuff we had discussed, hey, there's a lot of stuff we're going to be talking about FRSCA, but it's going to be hard to talk about FRSCA if, not naming names, some folks have moved on to other projects and other things, and right now it's mostly just Mike who's holding, you know, and a few other folks who in their spare time are holding the line on it, but a lot of folks aren't doing the nine-to-five.

D: So that's FRSCA. The other blog article is the sort of split, the breadth and depth of SLSA.

D: That kind of goes into a little bit of the build versus source, and that was something that was brought up after you had left, Melba, yesterday from the specification meeting, was, hey, do we want to combine these things? Yeah, I'm okay with combining them or whatever. I only really, I don't go deep into the details outside of just the high level, like the build is about the build.

D: The source is about the source, and so the build takes in source code and does stuff with it. But if you combine the two things it becomes more complicated to say the build takes in source code; that source code could be trusted if it follows, let's say, a SLSA track eventually, or it could be untrusted, but the SLSA build piece did what it was supposed to do. And that's kind of the output of that article.

D: I wrote it, it's up, so there's actually, I have a PR up for it. That's...

D: Let me go in. Let me go and link that here.
E: Traffic comes in... Is this one that we... I think for the FRSCA, I don't believe, that I'm aware of, I can go back and check, but I don't believe we've posted anything about it on the OpenSSF blog more generally. So I think this would be a great one of those that it would make sense to coordinate and post both places.

D: Sure, yeah, this was also like, we were even looking at this just more from, hey, does this make sense to folks, and then let's figure out what the avenue for publishing it is. Yeah, it would be great if it was up on the OpenSSF blog. This is kind of going to be a bit of a call to action for folks of, hey, if you care about secure builds and you care about, like, how can I have a secure...

D: ...you know, an open source, secure build that does stuff like S2C2F, SLSA. So here's a build system that can do that. But I think the thing that we wanted to start doing is kind of saying, hey, given that a lot of folks who were originally working on FRSCA had moved on to other things...

D: We're looking for additional contributors, additional maintainers, folks who are interested in helping shape the project, and I think the two main things that I listed in that article: we're looking for hands-on-keyboard contributors, folks who can actually write some of the code, but in addition to that we're also looking for folks who have the need. They're like, "I need a secure build system."

A: Yeah, so thanks for bringing that up, Jennifer. So should we submit this in some special form for the OpenSSF to review?

E: The best way to do it is to just email it to myself. I'll drop my email here once it's ready, and then we'll want to make sure the working group leads or, I don't know, is there a point person for FRSCA? Is it Mike? Okay. Well, then I guess you've reviewed it.

D: Yeah, so I mean, I think the thing here, right, is I do think, like, I want additional feedback on the "What is FRSCA," you know, particularly, like, yeah, I mean if it's just simple typo fixes, that's fine, but I'm kind of more interested in some of the high-level, like, "I read this and I still don't know what SLSA is." You know, because, given that I've been so deep in it with FRSCA, you know, I...

D: ...might not, you know, what's the word, it's like when you've been staring at the thing too long. It's that sort of thing where somebody else comes in and goes, "oh, that doesn't make sense," and you're like, "well, you're right, it doesn't make sense, I've just been staring at it so long." I don't know what it's like to be an outsider looking in, so yeah, definitely looking for folks to come in and help out there.
A: So for the SLSA tracks one, I remember we also brought this up, like we would have to coordinate. I have not had a chance to look at that pull request. The reason why I'm going to not be in the meeting tomorrow is the reason why I've not been able to do any of this. Well, after tomorrow I'll have more free time. But we were thinking along the lines of, it is more high level than build versus source, right?

A: We really do want people to understand, when you look at different scenarios, how it actually makes sense to separate these, or why it makes sense, because if you just say, you know, "builds versus... builders just build, sources are source," sometimes people just don't get that. So, Chris, go ahead.

G: Yeah, I don't feel strongly about whether or not we combine the two, but I did notice when I was working on an unrelated PR yesterday, the SLSA 1.0 proposal actually has a breakdown of the split between build and source levels and the rationale, so it might make sense to me to have the... I just dropped the link in the chat. Okay.

A: Yeah, I've read through this, and I think even with this people still have that question. At least what I've seen, not sure what others have seen in terms of the feedback for this, but I feel like people don't get it, and maybe it's a visual thing. I'm a visual person, so if I don't see a picture, I don't understand it.

A: It takes me a long time to understand it. So maybe that's why. So, Mike, Chris, thoughts?

D: Yeah, I mean, my general thought is, I agree with you there on the pictures. I would add pictures to mine if I had the time to draw the pictures.

D: I think the thing that, yeah, I know, based on a lot of the conversations, I do find that, like, I think the proposal is good. I think, as everybody knows, we want also some of that, like, it doesn't have enough of the, like, the...

D: ...why, or like the history, and just sort of the general flow of what folks are looking for in there. And I think the thing that, when I've spoken to some folks, the thing that people have brought up has been they're looking for just sort of the general, like...

A: Okay, and with that said, I know Chris and I have been working on that build versus source. I'm not going to talk about that right now; we might be able to talk about it later. My copy and paste is just not working for me today for some reason. Every time I'm sharing on Zoom...

A: This system is messing with my copy-paste. There it goes. Okay, anything else on this topic before we go on to this? Also, one, that'll be the comms plan, which was definitely in my brain, I just didn't write it down. Jennifer, great.
E: Yeah, sure. So I think I'd really like to get help from this group kind of determining the overall messaging that we will use in the press release. I don't know if... is there a link?

E: Yeah, there's a link to it in this document where it started, but I think there were some good conversations here a couple weeks ago about what the calls to action should be and some of the main themes, so I think fleshing those out would be really valuable and help to shape that messaging to meet the goals, right? Yeah.

A: Yeah, I think that would be good. I know we've had this on the agenda for a while, and we did add some stuff, so it makes sense to go through it together as a group to just kind of hash it out.

E: And then the only thing I'll add there is I was hoping that we could get a good working draft of the press release by the end of the week, so by the end of March, around the 31st. Still have a little bit of time to collect quotes, but I think getting us a good draft and moving us in the right direction will help guide to the...

A: Finish line. So for folks that kind of raised their hands last time for quotes.

A: Yeah, and I know for myself, right, I'm kind of relying on Jeff Borek, who is, you know, the oldest, yeah, and so I've told him the messaging and so he's dealing with the legal stuff. Like, I don't want to have to deal with any of it, he can go do that. So I'll sync with him today for the IBM quote.

E: Wonderful. And then, if there's any other end-user types that folks think would be good to include in here... Currently the only confirmed sort of quote of this type is GitHub, so if we can find a few more companies that might want to provide those, I think that'd be great. I thought...

E: To do it without digging into the details, it seems like they're not planning on it for this one. Okay, got it. Okay.

A: Okay, got it. And then Red Hat, Laura, do you know?

A: Okay, or... Okay, is that what you want, Jennifer, for us to just put the quotes directly in here? Yep.

E: I think that'll... unless there's a question, or, you know, happy to answer any questions, but yeah, when it's ready just drop it right in. Okay.

A: Okay, awesome. Anything else, Jennifer, on this? And we can technically make this a working session to just finish this out in terms of the goals and the message.

A: So remember the last time when I was taking notes, we said in the spec today there was build system, package manager, ecosystem, and then consumers, but we as a group were talking about some of these profiles which may align, may not align. So from the group on the call, thoughts on what should stay, what should go, what should our focus be for the 1.0 comms?

A: And this is what we proposed, I think it was like a meeting or two ago. I can't remember.
D: We want folks to both want SLSA, right, because without the desire for consuming SLSA, you might have a few initial folks who will implement it, but then that'll be it.

D: So we really want folks who could, you know, so we want, like, it's, and it is a bit of a chicken-and-egg thing, at least from my perspective. It always is, like getting that initial desire while also getting, you know, the desire only lasts as long as you can have folks who also implement it, and folks only want to implement it if there's a desire to have it implemented. So I think those are probably the most important, is just, hey...

D: We want folks to want SLSA because we believe having that provenance metadata is really, really useful for supply chain security, and then we want package manager folks, you know, within, obviously, organizations as well as open source, and this is a thing that I've been working with.

D: They, I think, want to be able to see also that there is that desire, that people are saying, like, "oh, I would love if RubyGems had a way for me to pull down SLSA attestations related to those Ruby gems too." And so I think, when it comes to just sort of the general what we want to get out there, it's showing that there's desire on both ends, like, yeah, there's desire to implement this thing and there's desire to actually consume it.

A: I'm taking notes here. It's not necessarily a talking point and I'll just move it, but since I'm in here...
F: I mean, you got the CISO down there, you got DevOps down there, you got compliance down there. I don't see product security down there, and then, you know, if we're thinking anything about the pipeline, who's going to be the inventory? And so, I mean, God, having been on one end of this, who's going to be doing the proper inventory of pipelines, who's going to be making sure that pipelines are scanned, and pipelines...

F: You know, the standardization of pipelines and all that, right? I mean, I think all that should be considered here as well.

F: You know, at a, dare I say, at least at a macro level, because these people could hold gate checks, respective gate checks. So definitely security analysts, definitely product security, whoever's doing the threat modeling, right? That's usually on the product security side.

F: They might do some kind of threat modeling of some sort, or they may fish threat modeling out underneath the CISO's org. Product security folks don't necessarily need to fall under the CISO, so they may fall into R&D in some instances, depending upon how you have your security teams broken up, right? You may have the security engineering for the enterprise under the CISO, and you may have product security people underneath some type of security, privacy and compliance arm underneath R&D, or something like that. I mean, I've seen organizations do that. It looks funky on paper, but it seems to work in some instances. So they may fish threat modeling out, though, to the security engineering folks, just for centralization of those efforts to identify at an enterprise level where your gaps are, right? So I have them in there as well.

F: Sometimes it falls under the CISO, definitely, but more often than not... At least, let me put it like this: I've seen it both ways, but more often than not I've seen that fall under R&D than I've seen them fall... I see a dotted line, right? I see a straight line under R&D. I see the dotted line to the CISO, meaning they might have a reporting operationally to the CISO.

F: So they report vulnerabilities or report what they discover here and there, but authoritatively they report underneath R&D.
C: That little tail, fine by it. So maybe, first of all, full disclosure: coming into this with a naive understanding of SLSA and what we're trying to accomplish, but the first thing I think when I see this long list of implementers and consumers of SLSA is, how long is this post going to be, that we succinctly address each of these categories of people? And it sounds like that could be a lot.

C: But what I'd like to do is take a step back and think about my own understanding of SLSA. One of the things that comes across is enabling, like, all of these people can agree on a very small set of things. One of those is, hopefully, supply chain security is important.

C: It's really hard, though, for all of these disparate groups to talk in a consistent way about supply chain security, about even how to define it or how to approach solving it. I think that SLSA, in my mind, helps bridge that gap within an organization by giving us a standard means to understand and talk about pieces and components of supply chain security, and gets even further into how we could potentially implement some solutions to this. And so, rather than speaking to them individually...

C: I've been thinking more of SLSA as how to bring everybody together, to bring everybody to the table, have everybody a part of the conversation, and have everybody understand their role in contributing to the solution, rather than just... And I think this also goes internally and externally, so when you're talking to a vendor, hopefully they can give you the same answer about supply chain security whether you're talking to vendor X, Y or Z, and the same thing internally.

C: When you have different stakeholders, they can talk in a consistent manner. I don't know if that makes any sense or if that's helpful for this content, but that's how I'm thinking about it, at least.

A: No, no, it's okay. I can't type as fast as you talk, so I think that's what I gathered from your explanation, and I do like that. I think one of the missions, the core missions of SLSA, or the positioning group of SLSA, was to be the lingua franca of supply chain security, right? So that is very much the intent. I need to find that.
H: What we've been saying a lot, and I think has helped some of our customers, is that it's also a way to actually position yourself or understand where you fall right now in the landscape of security. Right, like, are you doing terribly, not so bad, pretty good, great? You know, it actually gives you some context for where you stand and a way to continue maturing.

A: Did I capture that right, like "understand maturity levels for supply chain security at an organization slash product level or component level, any product"? One of the things, as I think, I think it was John that you mentioned the different personas and it being a very long blog post, is that we could summarize, right? Because I see these people, depending on the organization, either they're creating something that would need to implement SLSA, or they're working with a third party or consuming third-party software...

A: ...that they would then also want to look at these SLSA attestations. So potentially that's the narrative around the implementer slash consumers, and we can say, for example, at the CISO and, you know, DevOps. So maybe it's more of a summarization and we can maybe bulletize.

A: If that's even a word. You know, things like compliance, right. Product security is going to want to know if they are being compliant, and compliance is going to need that for their evidence for audits and blah blah blah, right? And so maybe we can have some sort of summarized highlights of how they would use SLSA, or how this group of people might use SLSA. I don't know what the thoughts are on that, or if I made any sense.

E: I like that idea. I like showing the relevance and the value for multiple stakeholders, yeah, in groups.
A: I think we can... there's some bullets in slsa.dev, right, for the benefits also, of actually using SLSA, but then there's also, you know, things that people care about in terms of, like, the White House Executive Order. I know not everybody cares about that because not everybody's in the US, right, but that's been a big thing lately which is driving a lot of adoption of a lot of these things, right.

F: Have a look at the CRA they're working on right now, the Cyber Resiliency Act, yeah.

I: And say, I have that consolidated mapping that we're working on cleaning up, because when we initially did it, it was based on, like, their very first, like 0.1, so I don't know how much has changed, but when our analyst Jennifer, she's taking a look at it from the OWASP perspective based on a conversation, I don't know if it was in this meeting or another meeting, that sparked a discussion around whether that would be useful as well.

A: It could have been part of the SLSA positioning. I know we were doing that at the beginning, but then we went down the rabbit hole of something that shall not be named, because I don't want to get Jay's wrath again on that one thing. Yeah.

I: Yes, I actually have the draft. It's a public copy. Okay, it doesn't have OWASP yet, but it has... I believe it's... I'll put it here, make sure you guys can access it. Okay, cool.

I: That's, and I'm meeting with Jennifer to see; she was gonna update it. I just don't know how far she's gotten, and while she was updating, she was also going to add OWASP to it, to the columns. Got it.

E: Yeah, the actual press release is going to be issued on the 19th, hoping to have a good draft of our press release ready by the end of this week. So yeah. That's...

A: Gotcha, and for folks that are wondering, in the comms plan right here there is a timeline that Jennifer provided of when things are expected to be complete. So I don't know that you'll be able to have that ready by end of week, Laura.

I: Me, in my... Jennifer, I meant our Jennifer on my team. Sorry, it's...

A: Okay, so Laura to confirm ready for the comms plan. So I'm gonna take this out. Laura, you have access to this doc, but I'll put it in here in the notes, but I'll take it out of the comms, because I don't want to confuse things if it's not ready. Yeah, sounds good. Okay. So then we have 15 minutes left. Thinking about the tool makers, tool owners, sysadmins, they kind of fit under the build system and package manager ecosystems. People agree with that?
A: Not a summary, thinking.

C: Once again, I'll eventually, like in a week or two, maybe I'll stop giving my naive disclaimer, but currently my thoughts on this would be that developers don't care about SLSA, and/or, like, if we want them to care, we need to make it really easy, and that's an opportunity for everyone who makes tools or builds...

C: ...you know, build systems. And we've seen, I think it's worth calling out the momentum that people have already moved towards adopting SLSA. Like, I've never seen a 0.1 version of a specification adopted in hardly any tooling that wasn't the person making the tooling, and at the same time I've seen the GitHub SLSA generator, I've seen Tekton change to supporting it early, for, like, weeks. I don't know if we can call out all the different types of tooling that have already introduced support for it.

C: But it's surprised me and been really encouraging to see how quickly folks are looking to adopt this.

A: Yeah, version two, that one. And I wrote something to you in the chat that I challenge that developers don't care. I'll give you the link. We were working on that, like, why should developers care, and they would want to care, but that's a separate conversation, so.
F: That's a good point. I was getting ready to agree with you. The developers, so this is twofold, right? Developers, if they can get away with, you know, developers want to meet SLOs, simple, but they have no problem, especially if you present them with the policy, you present them with the procedures, you present them with the right direction.

F: They have no problem following that direction, and it might hurt a little bit, but if everyone's on the same sheet of music they're more than welcome to. It's only when there are exceptions, and they know that there are exceptions, that things can get a bit confusing, yeah. So I mean, I think developers are, you know, developers care when it's a top-down situation. If you could provide them the tools, then they're solid, right?

F: I would agree with that, and it varies from organization to organization too. If you can get the C-level and the senior leadership to agree, and there's a tie to revenue, I think that's a motivating factor for the developers as well. They want to get their products out the door.

F: You know, a lot of these controls that are being presented, and this is not just SLSA, it's any framework, right? A lot of these controls being presented can provide extra time constraints on meeting respective SLOs, and if you've got those time constraints, then you're not first to market. If you're not first to market, that's revenue loss. CTOs ain't buying it, right? So that's an excellent point.

F: We may need to provide some type of understanding to CTOs that this needs to be done, and then why, right? And it can't just be "because if you don't do this, then this." No, no, no, you've got to tie in some type of... It's got to be reputation impact, revenue impact, something else. There's got to be a rub to it.

F: "If we don't do this, then you're not in compliance with this," you know, which means that you're going to end up having to pay more money later on to fix this, right? They respond to that very well. So that's something else too. I don't know how you do that with this, this early on. Like, as you mentioned, John, right, people adopting a 0.1... 0.1 ain't... there's no compliance requirement to do any of this. Everybody's just trying to jump on a new shiny thing, but what...

F: What is the compliance requirement that can be met should you adopt this, until this becomes in itself a compliance requirement? That's something that might need to be investigated a little bit further. That's not our scope to do that here, but that might be something that gets done spec-wise, right? That's a different conversation, because, as you mentioned, a CTO needs to buy in on this.

F: I mean, you're going to have those that will build something, right? You got your single maintainers that are going to build something, and so this is great to use. If you use it, great; if you don't, that's fine too, somebody else will use it. But those that actually have a desire to be used in those larger enterprises, they're going to want to meet the requirements just to be considered.
D: Yeah, I think we just need to be careful. Like, I think the thing that we're trying to get off, right, is, as what you said, Jay, we're not trying to tell people who are just like "hey, I just have a random side project," you must use SLSA. It's like, no, no, nobody's telling you that.

D: But what we are saying, though, is it's the other way around, right? We're saying, if you're building a tool that you plan to sell to enterprises, don't use the random side project from some random person, right? Unless you're planning to secure that and do all the due diligence there, right? I think that's kind of the idea we're trying to get out there.

A: Because the developers could potentially, like FRSCA as an example, right, they would be enabling it. Also, or if they're a part of the package manager ecosystems and their developers are trying to implement it, they're a developer, right? So the tool makers might also be under that developer persona.

D: ...you know, a logging library for something, and there's gonna be folks who are, like, for example, Kusari, which is writing software for security purposes, and for folks who are writing software for security purposes, they're going to be the folks who are kind of in that area, and then also folks who are connected there, right?

D: You know, you might see, like, if we look at something like JFrog Artifactory, JFrog Artifactory did not start off as, let's say, a huge security company, but they were trying to kind of say, here's a place to store your artifacts, but over time, obviously, that sort of evolved into a larger thing where security became more important. So I think it's folks where security is... and I guess...

D: In most software, some level of security is important, but I guess, yeah, what John said: platform, yeah, platform-level security, software producers.

A: That would be including the package managers ecosystem.
A: So, Jennifer, I was gonna say something here and I don't remember what it was. Oh, oh, before I forget, a comment about the... I think I put that in even in the blog that we were writing about source versus track.

A: Jennifer, remember that survey that came out about SLSA and the adoption and the value? We might want to add something along those lines in here, that, hey, you know, this is getting adopted.

A: It is being seen as valuable, so I don't know if there's a way of putting that in there, but I think for this build versus source I tried to say, okay, we need to put something in here along those lines because NIST has SLSA referenced in the SSDF, right?

E: So yeah, I think if we can demonstrate it as being used, that would be important to include in here. In terms of next steps, do you think it would be possible to sit down with some of you and kind of take this and turn it into parts of the press release? I'm still thinking that it would be helpful to make sure that what we have there is reflective of the messaging fleshed out here.

A: I think after Wednesday I can start. I can certainly help. I think Wednesday, tomorrow, is going to be my headache day, unfortunately. Mike, Chris, Claudia, Laura, John?

D: So I'm free most afternoons this week, except maybe this afternoon, but...

G: I'm pretty tied up cleaning up the spec for RC2, but I could do small tasks in the latter half of the week.

A: It looks like Claudia and Mike and John; John said he can help too. So we have two minutes left, so the ask is, it's in the notes, I need to actually put it better. Here's the SLSA draft announcement.

A: To do async with Jennifer: try to add some comments in here, not comments, but, you know, language, verbiage around this stuff. I think we have what we need. I think we've made a decision that these are the right things. The only thing, I don't know, it doesn't say "implementers of SLSA."

A: In the spec, right, these are consumers of attestations, but there's also consumers as they're the implementer, so they're going to actually be using... So I'm curious as to your thoughts on how we position that, if we keep it as implementers/consumers of SLSA, sorry, because that's not in the spec today, it just says consumers.

A: Okay, if you can add verbiage on that, because we're out of time, put some verbiage around the different personas here for each, and to make sure that we're aligned, that we're not missing anybody. That would be keywording.
E: Folks can, as you have time, take a look at the draft press release and start getting some ideas in there, and I'll also be... I'm sorry, my alerts are going on. I'll also be in the document as well, so we can kind of work on it. And Chris, I think you had your hand up, but...

G: Yeah, so if you look at the 1.0 working draft of the website, the personas we're using for "how to SLSA" right now, it says developers, organizations and implementers, but I believe that's changing to infrastructure providers, producers and consumers.

G: No, 1.0 without the RC1, the draft. Okay, that's on the left-hand bar. I believe there's an open issue to change those. I will... let me pull that up now, but we have talked about personas that we're using on the website.

A: Okay, that's fine. Thanks, Jennifer, thanks everyone. I'll try to send out a summary later tonight of the action items, but I think we're coming along. Thanks, folks, for all your help, thanks for participating and joining. Decent.