►
From YouTube: Supply Chain Integrity WG (March 28, 2023)
A
A
B
E
A
Okay,
so
please
do
sign
in
I.
Don't
know
why
this
looks
weird
here
for
folks
that
don't
know
I
think
Jay
knows
because
I
can't
ever
make
the
S2
c2f
meeting,
because
I
volunteer
during
that
time,
I
volunteer
for
it's
called
a
math
Penta
lot,
math
pentathlon
or
something
like
that.
It's
coaching
little
kids
on
like
strategic
math
games,
and
so
we
have
a
math
competition
this
weekend.
So
it
should
be,
should
be
pretty
fun.
So
I'm
kind
of
excited
about
that
yeah.
A
A
A
Is
but
there's
I
think
the
reason?
Why
is
because
they're
so
young
that
there's
a
lot
of
breaks
in
between
right,
so
each
like
in
15
minutes
to
just
like
play
one
game,
and
so
then
you
have
all
these
kids
and
they'll
snack
and
they'll
talk
and
you
know
they'll
wander
off
in
any
back
break
so
I
think
that's
why
I.
B
A
C
One
of
the
things
I'll
just
do
a
quick
shout
out
for
in
a
couple
of
weeks,
at
kubecon,
EU,
there's
going
to
be
a
security,
Village
area,
and
so
there's
gonna
be
open
like
a
open.
What
is
it
called
like
the
unconference
style
session
for
a
couple
hours,
and
so,
if
folks
are
interested
in
stopping
by
we'll
have
conversation
tables
out,
we'll
have
different
things
like
that.
C
B
D
Yeah,
thank
you
on
my
end
with
that
I'm
finalizing
some,
perhaps
a
bit
of
a
it's.
It
is
an
unconference.
So
it's
nothing
like
super
official.
As
in
like
it's
not
gonna,
be
you
know,
it's
gonna
be
very
laid
back,
but
the
idea
is
going
to
be
potentially
taking
also
some
cncf
projects
and
trying
to
salsify
them.
A
lot
of
them
are
already
using
GitHub
actions
and,
hey
just
add
this
GitHub
action
in
and
you're.
You
know
at
least
salsa
0.1,
we'll
get
you
to
1.0
in
a
few
weeks.
D
B
D
D
A
D
D
Looking
for
for
once
again,
you
know
feedback
on
it
because
you
know,
as
kind
of
we
said
hey
if
we
want
to
make
this
thing.
If
we
want
to
make
Fresca,
you
know
whether
it's
just
this
is
a
shiny
example
or
if
it's
hey.
This
is
a
project
that
people
should
be
able
to
deploy.
We
need
to
get
more
folks
and
more
eyes
on
it
and
so
wanted
to
get.
You
know
some
additional
thoughts,
especially
from
folks
who
are
like
Vaguely
Familiar
with
Fresca,
but
really
aren't
sure
on
it.
D
You
know
about
some
of
the
stuff
because,
as
I
had
sort
of
mentioned
before
is
I
see
Fresca
showing
up
in
a
lot
of
presentations,
but
but
when
it
comes
to
actually
getting
contributors
to
it,
it's
been
a
bit
difficult,
and
so,
if
it's
valuable
to
folks
hey,
let's,
let's
see
what
we
can
do
with
it.
If
it's
not
it's
not.
D
D
That
kind
of
goes
into
a
little
bit
of
the
build
versus
source,
and
that
was
something
that
was
brought
up
after
you
had
left
Melba
yesterday
from
the
specification
meeting
was
hey:
do
we
want
to
combine
these
things?
Yeah,
yeah,
I'm,
okay,
with
combining
them
or
or
or
whatever
I
I.
Only
really
I
don't
get
I.
Don't
go
deep
into
the
details
on
you
know
outside
of
just
the
high
level
like
the
build
is
about
the
build.
D
The
source
is
about
the
source
and
so
the
build
takes
in
source
code
and
does
stuff
with
it.
But
if
you
combine
the
two
things
it
becomes
more
complicated
to
say
the
build
takes
in
source
code
that
source
code
could
be
trusted.
If
it
follows,
let's
say
a
salsa
track
eventually
or
it
could
be
untrusted
but
salsa,
you
know,
but
the
salsa
build
piece
did
what
it
was
supposed
to
do
and
that's
kind
of
the
output
of
of
that
article.
D
Sure
yeah
yeah
yeah
this
was
also
like.
We
were
even
like
looking
at
this
just
more
from
hey.
Does
this
make
sense
to
folks
and
then,
let's
figure
out
what
the
Avenue
for
for
publishing
it
is
yeah.
It
would
be
great
if
it
was
up
on
the
open,
SF
blog
yeah.
This
is
kind
of
going
to
be
a
bit
of
a
call
to
action
for
folks
of
like
hey,
if
you
think
you
know,
if
you
care
about
you
know,
secure
builds
and
you
care
about
like
how
can
I
have
a
secure?
D
You
know
an
open
source,
secure,
build
that
does
stuff
like
S2,
c2f
salsa.
So,
on
here's
how
you
you,
you
know:
here's
here's,
a
build
system
that
can
do
that,
but
I
think
the
thing
that
we
wanted
to
start
doing
is
kind
of
saying,
like
hey
with,
given
that
a
lot
of
folks
who
were
originally
working
on
Fresca
had
gotten
moved
on
to
other
things.
D
We're
looking
for
you
know
additional
contributors
at
you
know
additional
maintainers
folks
who
are
who
are
interesting
and
interested
in
helping
shape
the
project
and
I
think
the
two
main
things
that
I
listed
in
that
article:
we're
looking
for
Hands-On
keyboard
contributors
like
folks
who
can
actually
write
some
of
the
code,
but
in
addition
to
that,
we're
also
looking
for
folks
who
they
have
the
need.
They're
like
I,
need
a
secure,
build
system.
E
D
Yeah
so
so
I
mean
I.
Think
the
thing
here
right
is
is
I.
Do
think,
like
I
want
additional
feedback
on
the.
What
is
Fresca
you
know,
particularly
like
yeah
I
mean
if
it's
just
like
simple
typo
fixes
that
that's
fine
but
I
I'm
kind
of
more
interested
in
some
of
the
high
level
like
I
read
this
and
I
still
don't
know
what
salsa
is.
You
know
I
I.
You
know
because,
given
that
I've
been
so
deep
in
the
in
in
it
with
Fresca,
you
know
I.
Can
you
know
I?
D
Might
not
you
know?
What's
the
word
it's
like
when
you've
been
staring
at
the
thing
too
long,
it's
it's
that
sort
of
thing
where
it's
like
somebody
else
comes
in
and
goes:
oh
that
doesn't
make
sense
and
you're
like
well
you're
right,
it
doesn't
make
sense.
I've
just
been
staring
at
it
so
long
that
it
you
know,
I,
don't
know
what
it's
like
to
be
an
outsider.
Looking
in
so
yeah,
definitely
looking
for
for
folks
to
to
come
in
and
help
out
there.
A
So
for
the
the
salsa
tracks,
one
I
remember:
we
also
brought
this
up
like
we
would
have
to
coordinate.
I
have
not
had
a
chance
to
look
at
that
pull
request.
The
reason
why
I'm
going
to
not
be
in
the
meeting
tomorrow
is
the
reason
why
I've
not
been
able
to
do
any
of
this
well
after
tomorrow.
I'll
have
more
free
time,
but
we
were
thinking
along
the
lines
of
it
is
more
high
level
than
build
versus
Source
right.
A
G
Yeah
I
don't
feel
strongly
about
whether
or
not
we
we
combine
the
two
but
I
I
did
notice
when
I
I
was
working
on
an
unrelated
PR
yesterday,
the
salsa
1.0
proposal
actually
has
a
breakdown
of
the
split
between
build
and
Source
levels
and
the
rationale
so
I
could,
it
might
make
sense
to
me
to
have
the
I
just
dropped
the
link
in
the
chat.
Okay,.
A
Yeah
this
is
yeah
I've
read
through
this
and
I
think
even
with
this
people
still
have
that
question.
At
least
what
I've
seen
not
sure
what
what
others
have
seen
in
terms
of
the
the
feedback
for
this
but
I
feel
like
people
don't
get
it
and,
and
maybe
it's
a
a
visual
thing,
I'm
a
visual
person.
So
if
I
don't
see
a
picture,
I
don't
understand
it.
D
D
D
A
A
A
E
E
E
Yeah
there's
a
link
to
it
in
this
document
where
it
started,
but
I
think
there
were
some
good
conversations
here
a
couple
weeks
ago
about
what
the
calls
to
action
should
be
and
kind
of
some
of
the
the
main
themes
so
I
think
fleshing
those
out
would
be
really
valuable
and
help
to
shape
that
messaging
to
meet
the
goals
right.
Yeah.
A
E
And
then
the
the
only
thing
I'll
add
there
is
was
hoping
that
we
could
get
a
a
good
working
drop
of
the
press
released
by
the
end
of
the
week.
So
by
the
end
of
March
around
the
31st
still
have
a
little
bit
of
time
to
collect
quotes
but
I
think
getting
us.
A
good
draft
and
moving
Us
in
the
right
direction
will
help
help
guide
to
the.
H
A
E
A
Yeah
and
I
know
for
for
myself
right,
I'm
kind
of
relying
on
Jeff
boric,
who
is
you
know
the
oldest
yeah
and
so
I
I've
told
him.
You
know
the
messaging
and
so
he's
dealing
with
the
legal
stuff
like
I.
Don't
want
to
have
to
deal
with
any
of
it
can
go.
Do
that
so
I'll
sync
with
him
today
for
for
the
IBM
quote,.
E
G
A
A
B
A
So
remember
the
last
time
when
I
was
taking
notes,
we
said
in
the
spec
today
there
was
build
system
package
manager,
ecosystem
and
then
consumers,
but
we
as
a
group
were
talking
about.
You
know
some
of
these
profiles
which
may
align
me
not
align
so
from
the
the
group
on
the
call
thoughts
on
what
should
stay.
What
should
go,
what
should
our
Focus
be
for
the
1.0
comms.
A
A
D
D
So
we
really
want
folks
who
could
you
know
so
we
want
like
it's,
and
it
is
a
bit
of
a
chicken
and
egg
thing,
at
least
from
my
perspective,
always
is
like
getting
that
initial
desire,
while
also
getting
you
know,
the
desire
only
lasts
as
long
as
you
can
have
folks
who
also
implement
it
and
folks
only
want
to
implement
it.
If
there's
a
desire
to
have
it
implemented,
so
I
think
those
are
probably
the
most
important
is
is
just
hey.
D
D
They
I
think
want
to
be
able
to
see
also
that
that
there
is
that
desire
that
people
are
saying
like
oh
I
would
love
if
ruby
gems
had
a
way
for
me
to
pull
down
salsa
attestations
related
to
those
ruby,
gems,
too,
and
so
I
think
you
know
when
it
comes
to
just
sort
of
the
general
what
we
want
to
get
out
there.
It's
it's
showing
that
there's
desire
on
both
ends
like
yeah
their
desire
to
implement
this
thing
and
there's
desire
to
actually
consume
it.
F
I
mean
I
I
mean
you
got
the
Seesaw
down
there,
you
got
devops
down
there,
you
got
compliance
done,
I,
don't
see,
is
I,
don't
see
product
security
down
there
and,
and
then-
and
you
know,
if
we're
thinking
about,
if
we're
thinking
anything
about
the
pipeline
who's
going
to
be
the
inventory
and
so
I
I
mean
God.
Having
been
on
one
end
of
this
who's
going
to
be,
you
know,
doing
the
proper
inventory
of
of
pipelines,
who's
going
to
be
making
sure
that
pipelines
are
scanned
and
pipelines.
F
A
F
Sometimes
it
falls
under
the
sea
Soul.
Definitely,
but
more
often
than
not.
At
least.
Let
me
put
like
this
I've
seen
it
I've
seen
it
both
ways,
but
more
often
than
not
I've
seen
that
fall
under
r
d,
then
I've
seen
them
follow.
I
I
see
a
dotted
line
right,
I,
see
I,
see
a
straight
line
under
r
d.
I
see
the
dotted
line
to
the
to
the
CSO,
meaning
they
might
have
a
a
reporting
on
operationally
to
the
Sea.
C
C
It's
really
hard,
though,
for
all
of
these
disparate
groups
to
talk
in
a
consistent
way
about
supply
chain
security,
about
even
like
how
to
define
it
or
how
to
approach
like
solving
it.
I
think
that
salsa,
in
my
mind,
like
helps
bridge
that
Gap
within
an
organ
organization,
by
giving
us
like
a
standard,
means
to
understand
and
talk
about
pieces
and
components
of
supply,
chain
security
and
and
gets
even
further
into
like
how
we
could
potentially
Implement
some
some
solutions
to
this
and
so
like,
rather
than
speaking
to
them
individually.
C
I've
been
thinking
more
of
salsa
of
like
how
to
bring
everybody
together
to
like
bring
everybody
to
the
table.
Have
everybody
a
part
of
the
conversation
and
have
everybody
understand
their
role
in
in
contributing
to
the
solution
rather
than
just
and
I
think
this?
This
also
goes
internally
and
externally,
so
like
when
you're
talking
to
a
vendor.
Hopefully
they
can
give
you
the
same
like
answer
about
supply
chain
security,
whether
you're
talking
to
vendor
X,
Y
or
Z,
and
the
same
thing
internally.
C
A
No,
no,
it
it's
okay,
I
can't
type
as
fast
as
you
talk
so
I
think.
That's
what
I
gathered
from
your
your
explanation
and
I
do
like
that.
I
think
there
was
one
of
the
missions.
The
core
missions
of
salsa
or
the
positioning
group
of
salsa
was
to
be
the
linga
Franca
of
supply
chain
security
right
so
that
that
is
very
much
the
the
intent
I
need
to
find
that.
B
B
H
We've
been
saying
a
lot
and
I
think
has
helped
some
of
our
customers
is
that
it's
also
a
way
to
actually
position
yourself
or
understand
where
you
fall
right
now
in
a
in
this
skate
in
the
landscape
of
security.
Right
like
are
you
doing
terribly,
not
so
bad,
pretty
good
great,
you
know
like
it
actually
gives
you
some
context
for
where
you
stand
and
a
way
to
continue
maturing.
A
A
If
that's
even
a
word,
you
know
things
like
compliance
right.
Product
security
is
going
to
want
to
know
if
they
are
being
compliant
and
compliance
is
going
to
need
that
for
their
evidence
for
Audits
and
blah
blah
blah
right,
and
so
maybe
we
can
have.
Some
sort
of
you
know
summarize
highlights
of
how
they
would
use
salsa
or
how
this
group
of
people
might
use.
Salsa
I,
don't
know
what
what
the
thoughts
are
on
that
or
if
I
made
any
sense.
A
I
think
we
can
there's
some
bullets
in
the
salsa
salsa.dev
right
for
the
benefits,
also
right
of
like
actually
using
salsa,
but
then
there's
also,
you
know
things
that
people
care
about
in
terms
of
like
the
White
House,
Executive,
Order
I
know
not.
Everybody
cares
about
that
because
not
everybody's
in
the
US
right,
but
that's
been
a
big
thing
lately,
which
is
driving
a
lot
of
adoption.
A
lot
of
these
things
right.
F
D
A
I
And
say:
I
have
that
consult
that
Consolidated
mapping
that
we're
working
on
cleaning
up,
because
we,
when
we
initially
did
it,
it
was
based
on,
like
the
their
very
first
like
0.1,
so
I,
don't
know
how
much
has
changed
but
I
when
our
analyst
Jennifer
she's,
taking
a
look
at
it
from
the
owoss
perspective
based
on
a
conversation.
I,
don't
know
if
it
was
in
this
meeting
or
another
meeting
that
that
sparked
a
discussion
around
whether
that
would
be
useful
as
well.
A
A
I
I
A
E
A
A
A
Okay,
so
Laura
to
confirm
ready
for
office
plan,
so
I'm
gonna
take
this
out
Laura.
You
have
access
to
this
doc,
but
I'll
put
it
in
here
in
the
in
the
notes,
but
I'll
take
it
out
of
the
comms,
because
I
don't
I,
don't
want
to
confuse
things.
If
it's
not
ready,
yeah
sounds
good
okay.
So
then
we
have
15
minutes
left
thinking
about
the
tool
makers,
tool
owner,
sis
admins
they
kind
of
fit
under
the
build
system
and
package
manager,
ecosystems
people
agree
with
that.
A
A
C
Once
again,
I'll,
eventually
like
a
week
or
two,
maybe
I'll,
stop
giving
my
naive
disclaimer,
but
currently
my
like
my
thoughts
on
this
would
be
that
developers
don't
care
about
salsa
and
or
like.
If
we
want
them
to
care.
We
need
to
make
it
really
easy
and
that's
an
opportunity
for
everyone
who
makes
tools
or
builds
builds.
A
F
That's
a
good
point
about
I
was
getting
ready
to
agree
with
you:
I
I
I
the
developers.
So
this
is
twofold
right
developers
if
they
can
get
away
with
you
know,
developers
want
to
meet
slos
simple,
but
they
have
no
problem,
especially
if
you
present
them
with
the
policy.
You
present
them
with
the
procedures.
You
present
them
with
the
right
direction.
F
They
have
no
problem
following
that
direction
and
it
might
hurt
a
little
bit,
but
if
everyone's
on
the
same
sheet
of
music
they're
more
than
welcome
to
it's
only
when
they're
than
when
there
are
exceptions-
and
they
know
that
there
are
exceptions
that
things
can
get
a
bit
confusing
yeah,
so
I
mean
I,
I,
think
I
I.
Think
developers
are.
You
know,
developers
care
when,
when
it's
a
top-down
situation,
if
you
could
provide
them
the
the
tools,
then
then
they're
solid
right.
F
I
I
would
agree
that,
and
it
varies
from
organ
from
organization
to
organization
to
if,
if
you
can
get
like
the
the
sea
level
and
the
senior
leadership
to
to
agree
and
there's
a
tie
to
revenue,
I
think
that's
a
motivating
factor
for
the
developers
as
well.
They
want
to
get
their
products
out
the
door.
G
F
F
You
know
a
lot
of
these
a
lot
of
these
controls
that
are
being
presented-
and
this
is
not
just
such
as
any
framework
right
A
lot
of
these
controls
being
presented,
can
provide
extra
time
constraints
on
meeting
respective
slos
and,
if
you're,
and
if
you
have
respect,
if
you
got
those
time
constraints,
then
you're
not
first
to
Market.
If
you're
not
first
to
Market,
that's
Revenue
loss,
ctOS
ain't
buying
it
right.
So
so
that
that's
a
that's
an
excellent
point.
F
We
may
need
to
provide
some
type
of
understanding
to
ctOS
that
this
needs
to
be
done
and
then
and
then
why
right
and
it
can't
just
be
because
if
you
don't
do
this,
then
this
no,
no,
no
you
you've
got
to
tie
in
some
type
of.
It's
got
to
be
reputation,
reputation,
impact
Revenue
impact,
something
else.
There's
got
to
be
a
rub
to
it.
F
If
we
don't
do
this,
then
you're,
not
in
compliance
of
this,
you
know,
which
means
that
you're
going
to
end
up
having
to
pay
more
money
later
on,
to
fix
this
right.
They
they
respond
to
that
very
well,
so
that
that's
something
else
too
I
I,
don't
know
how
you
how
you
do
that
with
this
this
early
on,
like
as
you
mentioned,
John
right
people
adopting
a
DOT
one
dot,
one
ain't
that
that's
that
there's
no
compliance
requirement
to
do
any
of
this
everybody's,
just
trying
to
jump
on
a
new
shiny
thing,
but
but
what?
F
What
is
the?
What
is
the
compliance
requirement
that
needs
that
that
can
be
met?
Should
you
adopt
this
until
this
becomes
in
itself
a
compliance
requirement?
That's
something
that
might
need
to
be
investigated
a
little
bit
further.
That's
not
our
scope
to
do
that
here,
but
that
might
be
something
that
gets
done:
spec
wise
right,
that
that's
that's!
That's
a
higher!
That's
a
different
conversation
because,
as
you
mentioned,
a
CTO
needs
to
buy
in
on
this.
I
F
I
mean
you're
going
to
have
those
that
that
will
build
something
right.
You
got
your
single,
your
single
maintainers
that
are
going
to
build
something,
and
so
this
is
great
to
use.
If
you
use
a
grade,
if
you
don't
that's
fine
too,
somebody
else
will
use
it,
but
those
that
actually
have
a
desire
to
be
used
in
in
those
larger
Enterprises
they're
going
to
want
to
meet
the
requirements
just
to
be
considered.
D
Yeah
I
think
we
just
need
to
be
careful
like
I.
Think.
The
the
thing
that
we're
trying
to
get
off
right
is
is
as
what
you
said.
Jay
is
like
we're
not
trying
to
like
you
know,
tell
people
who
are
just
like
hey
I
just
have
a
random
side
project.
You
must
use
salsa,
it's
like
no,
no
like
nobody's
telling
you
that.
D
But
what
we
are
saying,
though,
is
is
it's
the
other
way
around
right,
we're
saying,
if
you're
building
a
tool
that
you
plan
to
sell
to
Enterprises,
don't
use
the
random
side
project
from
some
random
person
right.
You
know,
unless
you're
planning,
to
secure
that
and
do
all
the
due
diligence
there
right,
I
think
that's
kind
of
the
thing
that
that
we're
trying
to
kind
of
get
off
you
know
get
like
the
the
idea
we're
trying
to
get
out
there.
A
A
D
D
You
know
you
might
see
like
like
if
we
look
at
something
like
jfrog,
artifactory,
J,
frog,
artifactory
did
not
start
off
as,
like,
let's
say
a
huge
security
company,
but
you
know
they
were
trying
to
kind
of
say
here's
how
a
place
to
store
your
artifacts
but
over
time.
Obviously,
that
sort
of
evolved
into
a
a
larger
thing
where
security
became
more
important,
so
I
think
it's
it's
folks
where
security
is
and
I
guess.
A
A
A
E
So
yeah
I
think
if
we
can
demonstrate
it
as
being
used.
That
would
be
important
to
include
in
here
in
terms
of
next
steps.
Do
you
think
it
would
be
possible
to
sit
down
with
with
some
of
you
and
kind
of
take
this
and
turn
it
into
parts
of
the
press?
Release
I'm
still
thinking
that
it
would
be
helpful
to
kind
of
see
that
see
see,
make
sure
that
what
we
have
there
is
reflective
of
the
the
messaging
fleshed
out
here.
A
B
A
A
A
In
the
spec
right,
these
are
consumers
of
attestations,
but
there's
also
consumers
as
they're
the
implementer,
so
they're
going
to
actually
be
using
so
I'm
curious.
As
to
your
thoughts
on
on
how
we
position
that,
if
we
keep
it
as
implementers
consumers
of
salt
of
salsa,
sorry-
because
that's
that's
not
in
a
spec
today,
it
just
says
consumers.