From YouTube: Supply Chain Integrity WG (October 26, 2022)
B: Oh, and I'm glad you're here, Jay, because I think the status of it is a good thing to talk about.

C: Okay, I was just saying that the status-of-SLSA agenda item is going to be covered in identical form tomorrow in the SLSA meeting. Do we want to do it here as well? Do we want to do it in both? That's normally one that we roll up to sub-workgroups in the SLSA overall.

C: It is. I'm just saying that the specification, positioning and tooling roundup rolls up to the SLSA working group, which is tomorrow morning. SLSA overall rounds up to the supply chain, which is today. Do we want to duplicate this SLSA roundup here, because we're going to be talking through specification, positioning and tooling this time tomorrow?

B: We don't have to. A brief summary here would be appropriate, and in particular there's some changes that are in its march to 1.0: SLSA is intentionally narrowing the scope.

D: Correct, right, so I suspect that whoever's... I don't know if Josh is here or Mark. Ledato is here, but from a specification perspective, right, the 1.0 project is underway; positioning, we're working on a blog; and tooling, I can't talk to tooling. But, you know, this is just a quick update of what we've been doing over the past couple of weeks.

D: Yeah, so I was out for two weeks because I was sick and Bruno was on vacation, so we hadn't done anything until this past week, when we started continuing the dev blog for, you know, SLSA and what that means for developers. So there hasn't been a lot of progress since the last one.

E: Yeah, if I recall, I think we... There was some discussion on the implications of FRSCA and GUAC, and a couple of the other, Franklin said, the implications of those on the tooling that gets developed and all that kind of stuff, but I'm not sure about the exact... how far we got into specifics.

A: Oh no, prospective tools, etc.

C: So I mean I would suggest on that one: let's have, I'll... an update pending from Michael, and we'll have him produce that day. I think, given KubeCon, I'm not even sure how well attended tomorrow's overall SLSA meeting is going to be and whether we'll get an update from Mike there.

C: So the next item has my name on it, but really I wanted to kind of solicit thoughts from people in the group. One thing that has occurred to me is that we have ourselves a positioning working group. I think that the bigger problem, or the more pressing issue that we have at the moment, is overall positioning in the Supply Chain Integrity scope, which is kind of one click up altitude-wise, because we now have SLSA and S2C2F.

C: You know, both, as you know, frameworks for supply chain security in the same spot, and I don't think that we have a great story explaining to external folks, who may have five minutes to spend thinking about this, how these things fit together, how they're different, how they're similar, what our intent is, how we expect them to evolve over time, how the two map into an overall problem space.

C: How we think about that problem space. And I think there's an opportunity to take the SLSA positioning work at the SLSA positioning subgroup and pull that up to the Supply Chain Integrity working group level, and so have that group, rather than focusing narrowly on how SLSA is positioned, be talking about how OpenSSF solutions are positioned in the problem space around supply chain integrity, which is work that I've not seen happening at the moment: like, for supply chain integrity overall, how should folks conceptualize this space?

C: How should they understand SLSA and S2C2F and FRSCA and GUAC and other things? How do these things map into the problem space? And I think that we've got a... I think that this is made more pressing by the welcome addition of S2C2F into the Supply Chain Integrity working group. You know, one thing I don't want folks, and we can't afford folks, to have the impression of is that, oh, OpenSSF, yeah, they've got two supply chain frameworks, one's from Microsoft, one's from Google, I'm not sure how they fit together. They seem to be competing or whatever. And I think I know that we all have a sense of what S2C2F does, what SLSA does, where one begins, where the other ends. I don't think that we're telling a good story about that externally at the moment, particularly for folks who don't have a lot of time to spend thinking about this, and so I just wanted to get this group's thoughts on: do we need to pull positioning up one click and think about positioning a little more broadly in scope? And I'll stop there. Melba, you've got something to say.

D: Yes, I think this was brought up in the last positioning, or the last Integrity working group meeting before I got sick. Somebody mentioned it and I remember thinking, you're setting me up for more work, but Jay had mentioned, and I think this might be a better approach right now, that maybe each of the ones have their own little mini positioning and then they work together until it's big enough that we pull it up. If I remember, that's how the conversation went. I mean, I don't mind, but it's hard enough trying to get one blog out with the little group we have just from SLSA, let alone all this other content. Obviously we can make it work, but Jay, is that how you remembered the conversation?

E: Yeah, absolutely, and I said as much during the... and not to take away from this agenda item going into the next one, but I think there's a bridge between the two here. During our first SIG meeting we said as much.

E: You know, the two should be, dare I say, separate but equal, but I also agreed with Isaac when he brought it up there about having the positioning meetings together. I think they both have their lanes and I think the lanes should be talked, but I also said, and I said this in our meeting, Melba, that either should not speak in a silo of the other. So there should be a bridge conversation as we do blog posts, as we evangelize, as we talk.

E: I think that there's a lane now for us to talk about: when we talk about what these respective frameworks don't do, we talk about what we're working on that does do it, right, as a caveat item, and then when we talk about the other one we do the same thing. And then, if we do it correctly, we could bring these specifications out as a dash one and a dash two together, as a total and complete supply chain security suite of frameworks, one dealing with being an actual security framework, the other one dealing with being actual compliance requirements that need to be met, that can be met through meeting specific controls on either end, right.

C: I know, Jay, I think, I mean, that describes exactly what I'm talking about. I'm not suggesting that, hey, these things should be the same thing or we should merge them. I think it'd be awesome if we can paint that picture of how they become parts of a greater thing over time, but I think that right now, if you took 10 people from the Supply Chain Integrity working group meeting and said, describe to me how SLSA and S2C2F share this space, I don't think you'd have 10 consistent answers.

C: I think you'd probably have 15 answers across 10 people, and I think that that's a problem. That's new to the Supply Chain Integrity working group in the last month, given that now we have SLSA and we have S2C2F, and I think it's incumbent on us to come up with that story and say, yes, they're separate, they're two different things, they speak to different concerns, but paint that picture for people. What do they look like? Like, I want to see a map of the problem space and then have these two different solutions kind of, you know, lie on that map in, hopefully, a non-overlapping, non-gap-leaving way and have great coverage of the problem space, or, if they leave gaps today, we should paint a picture of how they evolve over time to cover the problem space.

B: Yeah, so if I can just kind of pile on further, you know, these are good problems to have. First of all, we've got a whole bunch of people working related issues. We just need to make these things more coordinated. Although I think, you know, positioning has been looking at a lot of different things, I think we should prioritize, first of all, making it clear how SLSA and, I'm sorry, I'm still working on the new name, S2C2F work together.

B: Here's what I would propose: trying to come up with one slide, multiple people working together. If it takes you more than one slide, it's too hard. It's...

B: ...them we wanted to say, and, you know, I'm sure we need the words and backups, you know, if we can come up with a one slide, and I'm sure we'll argue and go back and forth, and that's good, that's good. We'll try to figure things out, but if we could make that a somewhat short-term objective, yeah, and maybe different people will come up with multiple slides as should I go, but I would like the end result to be at least one of those one slides here.

C: ...sense, but it's a sense of bringing all the best ideas and producing a synthesis of them, and so I'm less... yeah, I think, David, I agree with what you said. I think we need a slide. I see a gap in terms of work being done; I don't think anyone has it on their list right now, and so my idea was, hey, we could pull SLSA positioning up a click. I hear Melba saying, gosh, you just gave me a whole ton of new scope and we're grappling with this code.

C: Maybe we can just share diagrams in Slack and work on it that way, and come back in a month in this forum and look at where we got to, but I do think it's important that we have a common conception and articulation internally about how these two things, you know, are adjacent and work together great and, you know, don't overlap and don't leave gaps and all this kind of stuff, and have that internal picture that we can then begin to...

E: Yeah, I think so. So Melba has this and we can either use one or the other; there's two of them out there. There's one from John Meadows, but I think Melba created a nice end-to-end lifecycle diagram too that we could potentially, with a few alterations and a few different things added to it...

E: We could overlay where SLSA sits on that diagram, where S2C2F sits on that diagram, and then the... so, David, one slide, yes, I'm just going to say two. I'm gonna say we paint the picture with the first one, and then we tell them what the picture is saying on the second, right. So if we overlay where S2C2F is on it and then put where SLSA is on it, on the next slide we speak to what everyone is looking at. Perfect.

D: I'm sorry, yeah, quick thing. So I know I talked to Jay about this because Jay had this vision of, you know, these two are perfect together, synergy, and I think we have it written down in the positioning to-do a blog around this, and he was, if I remember correctly, Jay...

D: He had content already that we could potentially alter. So that was one thing, but the other thing I had was around, you know, if we do see an SCI positioning, would that be additional or would it truly be lifting up positioning? Like, I don't really care about that. You know, that was me joking around because somebody else was signing me up for extra work, right, but, you know, I don't care where it sits.

C: I mean, I'll give my take on that first, since I proposed the agenda item. I mean, I was imagining pulling it up and substituting it in the first instance, because I think that the working group level conversation is more pressing and, given that we have limited bandwidth, limited, you know, resources to commit to it, I would say between the two I think that we have more of a gap right now around SCI positioning.

C: Now that we have S2C2F in the fold, and so I think that, you know, we've got blog posts coming from OpenSSF, from Microsoft, about S2C2F, and I want to get ahead of, you know, as S2C2F becomes more prominent as part of the OpenSSF portfolio, as it becomes more of a conversation, we have more people interested and more people showing up for the working group meetings.

C: I wanted to get ahead of all the inevitable questions about how should I think about these two together, or how should I think about them separately, and so I think my idea was to pull it up a click rather than create another one, not because there isn't a need at the SLSA level, but more because, given our constrained resources and time and hours in the day and so on, I think the more pressing gap at the moment is at the SCI level.

E: Yeah, you know what, dare I say, I was thinking more of an iterative approach to bringing them together in conversation, but nothing says that we can't start talking to them, positioning them.

E: You know, to get, like I said, that dash one and dash two, dash... there's dash three and dash four. You gotta understand I'm considering these other ones that are out here in the wild too, the GUACs, the one over in the CDF, the FRSCA, like they...

E: There's nothing that says they can't head in that direction together, be developed right alongside one another to provide that complete supply chain security framework and compliance requirements that everyone can use. The positioning of these two together is a lot, in my opinion, a lot easier and a better story than trying to continue to position them apart. Although positioning them apart towards positioning them together is an iterative approach that alleviates a lot of the confusion.

E: If we just sit there and hit people upside the head now, after all of the posts and story that's being told around SLSA, because SLSA's ahead of the game in this area, right, so now if we just all of a sudden throw S2C2F up in there, it's like, you know, you don't give people the chance to breathe. But this way everyone gets a chance to breathe.

C: So I think, I mean, I totally hear you, Jay, and I definitely, like, I hear that, you know, in terms of, like, do we want to just smush these things together and make them one thing: I don't think we do. I think that'll create... it'll stall the work and it'll create more confusion than it was all for right now.

C: I do think, like, this idea of having a diagram where we all stare at the thing and go, yeah, that totally matches my understanding of how they fit together, or how they, you know, are adjacent in the same space, and then we can start telling that story as we blog about them, as we evangelize, as we advocate for them externally. And I think, you know, to your point about creating a dash one and dash two...

C: Do you want these things to fit well enough together that someone says, but there's kind of a gap in between, then we need a dash 1.5, whatever, you know what I mean? You want to make sure that these are MECE, these cover the space without gaps and without overlap, and that's the work that we could begin to converge on with these diagrams. Yes, I'm gonna... I don't wanna, like, again, I don't want to monopolize the meeting today with this item.

C: I think that we've reached a really great, immediate, reachable, viable next step in terms of these diagrams, Isaac.

C: It's super easy to create a diagram and share it in the Slack.

B: So what I heard was at least Isaac, Melba and Jane, or Jay, will do this. Well, yeah, we're...

B: Okay, Isaac, Melba, Jay, by when?

C: So I think it would be great to have something that we share in the Slack in the next two weeks, and then we can all talk. We can discuss that and then gather in this forum in a month to close, or, you know, figure out where we are, what are the still open questions or discussion. I don't know, Jay, Melba, does that... how does that sit with you? Good.

E: Good to go with it. I mean, it actually works out. I mean, I'll be on vacation for half of November; I'll be at the Member Summit the second week of November. So two weeks sounds right, because after that my cycles get real small.

C: To be clear, the diagram slide is going to be a diagram of the problem space, and we show where SLSA, where S2C2F fits. I think bonus points if you can work GUAC and FRSCA and the other things in the supply chain thing into that thing as well. Like, I think it would be great to have a picture of the problem space overall, rather than just narrowing to just SLSA, FRSCA, S2C2F, yeah.

E: Yeah, we could do that, as a matter of fact. I'd enjoy doing that, because I do want to visualize what all that looks like, because I think there's room for all of these things in the same microcosm, so I thought I'd...

C: Be willing. Totally awesome, sweet, thanks all, I appreciate it. David, you bringing this to some convergence and clarity.

B: My thanks to everybody. Okay, S2C2F, Jay, I don't know if everybody has the URL for that, so maybe we can... but before we let you off the hook on that, if we can pitch for you for a link. Oh.

E: Yeah, yeah, give me one second.

E: So we've had our first SIG meeting that happened. That was great. We finally got, thanks to David for this, we finally got the calendar straightened out with subsequent meetings, so the meeting should be updated and in proper... I'm still working on getting some admin rights for it so that it has meetings.

E: So, especially over the coming next couple of months, where people will be going on vacations and holidays, we may have to move a few meetings or cancel a few meetings, and we'll be able to work that out, but where we're at right now, which was stood up, we're looking at how we're being positioned as well. So, like I said, Isaac brought this conversation up during that meeting as well, so we're working on what subsequent meetings actually look like there.

E: We have made a few changes to the framework, you know, per a couple of the issues that we had before on the old repo, so we brought those over to the new one. We made some changes there.

E: We've had conversations about whether or not, not even whether or not, but having this positioned correctly as a project underneath the LF for specification, which is why I brought that up earlier. So that's good stuff that's happening there, also making sure that the other working groups who did want to be involved... so there was some confusion on meeting times. I fixed that.

E: So we should have an almost bum-rushed turnout at the next meeting, which I can't wait for, because there are a lot of interested parties in this, as Isaac was alluding to before. But what that means is that, especially as we move this in parallel with SLSA, you know, the bridging of the two...

E: That should mean a lot more traction, a lot more people involved in our respective SLSA meetings as well. My first positioning meeting gets a good four or five of us that attend those meetings.

E: Every single time. That should jump up like crazy, right along with the specification meetings. I know Melba doesn't like that much; too many people in the room does not create a situation where a lot of the good work that we're attempting to get done gets done, but nonetheless, done in the open, and, you know, if we can create environments where things are evangelized amongst most of us, that's all the better, but S2C2F is moving in that regard.

E: So all I can say is come and be in those meetings and help us build it out the way it's supposed to be filled out, like Isaac said, alleviating the gaps, and yeah, that's it. Let's see what you guys...

C: I was just gonna ask if you had specific, and no, thoughts or goals around adoption and what that looks like for S2C2F, like who you think is... I don't know, who are the right segments to target with respect to adoption? What does that look like? How do you make it real in terms of getting it out there and having folks actually pick it up and use it?

E: You know, so consumers of open source, consumers of packages towards their own respective builds, which speaks once again to its bridging with SLSA, because they're using the framework towards making more secure choices on how they consume packages towards their respective builds, but they're also interested in using SLSA to understand what kind of compliance requirements they need to have to meet the different SLSA levels per their respective builds, right.

E: So that's the one-two punch; that's actually the kind of stuff that we talk about, right, and one of the things that came out of our positioning meeting yesterday, when we were working on the blog, was what are some examples that we can use to identify what kind of issues, and what kind of attack, did me Kyle? What can we catch using SLSA? And I said...

E: Well, we need... what kind of examples do we have, right, but so we have organizations that are using one to consume and then using SLSA on their respective builds, and we can talk to that picture, that's all the better. So to answer your question, Isaac, it really is about identifying those organizations that are consuming open source, making sure we get this in front of them.

E: They should be in the room helping to develop this too, right, so that when they bring it back to their organizations it meets their respective business requirements, which this is more closely tied to than SLSA is. SLSA is really a composite primarily around build, not so much identifying the nature of their business according to the build, but the builds in general, where, when you're consuming open source towards building a package, you really are closer to the business need or what your business requirements are, and those people being in the room, helping to develop this or understand this in terms of the different industries that are going to consume, what their respective businesses know, what their respective business posture is, what their business requirements are, and, of course, their security posture is, as it relates to that. I think David has his hand up next.

B: Yeah, and Isaac after me, too, so just a real quick note. Once SLSA gets a little more, you know, review and looking over and comparing it with... I'm sorry, I said the wrong thing. Once S2C2F has had a little more review and look, and the same for SLSA, and we work out a little more about how these work together, one thing that I intend to do is rework the course, the Fundamentals course. We literally now have thousands of people taking that course.

B: We expect to have more, modifying the section on basically supply chain and so on to specifically cite these, show that they work together, show the top levels, cite the more detailed specs, so that people will be... yeah, and I think this will help adoption, both in terms of people at least having the big picture of what they're doing and being aware of those specific specs, and then they can go and get those for more details.

B: So I think, you know, maybe that's not the same as a particular organization adopting, but I think we can take multiple tacks to help people adopt these things as they mature. And Isaac, oops, your hand went down.

C: No, no, it's okay. I mean, I guess it's super early days in terms of the organizations interested in adopting it. Are those ones that are coming to the meeting, and do we... I guess my question comes down to, what does this look like in practice? I agree with everything you've said about getting it adopted and helping solve real problems in the real world.

C: I think S2C2F has that potential. I guess my question is: what does it look like in practice to start advocating? If they start marketing it, and, you know, are we gonna stand up an s2c2f.dev website explaining it? Like, kind of, how do these pieces come together as we start to think about driving... I mean, first of all is awareness, and then following awareness, there's going to be people having feedback and opinions and thoughts about why they can't adopt it or why it doesn't quite meet their needs.

E: So that's... best desired. I think that also is what should get decided inside of the SIG, and then, of course, once we get that umbrella positioning meeting, I don't know why we don't have a .dev that's just an sci.dev where...

E: ...we talk about, where we have tabs for SLSA and for S2C2F, and then there's one tab that goes to slsa.dev, the other tab goes to s2c2f.dev, and then there's a tab that says how do these work together, right. So while I say yes to that, and that's desired by the SIG...

E: I also say, if we're talking in the same vein of building that total supply chain integrity, a supply chain security landscape that we're talking about, I don't see why we don't have one governing .dev and then have tabs for each one of these and then the tab that speaks to how they work together, so that when it comes to adoption, like I said, I don't see one being adopted over the other. What I see is both adopted for two different reasons.

E: Right, like, they have two different reasons, but the reasoning behind them is a complete, secure supply chain. So that's just my general thought, and, of course, if an organization doesn't need one or the other, then they can adopt one or the other. But when we pitch them to organizations it should be: how complete of an infrastructure do you want, right? So yeah.

C: I think that's a great idea. I mean, in terms of the sci.dev, I think that the top-level organization of that thing should be problem-oriented rather than solution-oriented, because people are going to come to that site with an idea of what their problems are, and we should talk to them in that language rather than talk to them in the language of SLSA and S2C2F, with which they're not familiar. But I think that having an sci.dev, and again this comes back to the previously generated notes...

C: To starting to articulate what we're doing in the language of problems rather than solutions is step one of that, and then having sci.dev be an explainer of, here's what the OpenSSF has to offer in this problem space. But I love that idea and I'd love to explore that, and again I guess this meeting is the right forum for that, being the overall umbrella meeting at SCI level, and what would an sci.dev look like, and maybe that'll come out of the diagrams that we're building.

B: So I don't want this discussion to end without noting the next meeting is November 1. Obviously check your time zone, but 3 P.M. Eastern Time, U.S. Eastern Time.

B: If I got that wrong, let me know. I think we got rid of the other SCI meetings, unless you haven't updated your calendars; they're updated on the OpenSSF side. Obviously, if you've reloaded it in, you'll need to resync or update.

B: Yes, let me know if you've heard this song before. So my understanding is that the LF actually has been developing its own, basically some tooling, to help with this, and they're starting to deploy it out, and, you know, so I have not actually used it myself. The theory between Brian and I was we were going to let other orgs be the guinea pigs first, but my understanding is that some oinking has already occurred. So the plan now is to just start slowly.

B: Moving this, as I said, I actually haven't personally used it seriously yet. I will. My understanding is, I guess they have a concept between public and private meetings, so for the public ones we would encourage people to use their LFIDs, and that way we know who shows up, because, you know, writing down your attendance on a doc is all nice, but it's really nice to be able to click and be able to show, you know, which organizations are showing up.

B: That's particularly of importance because we need to be able to show later on that multiple organizations are participating. We don't want a single organization; I mean, you know, we want multiple organizations to be involved. If they're not involved in things, then we need to figure out what's going on.

B: That said, you can just show up without putting in your LFID if that's important to you, or if you don't even have one. So beyond that, I haven't used it in anger yet, but I think that is one of its capabilities, but I guess we're all gonna find out together, but it can't be worse than what we got now.

C: My meeting... yes, that is, we are out of agenda, and I see Melba's kicked off a thread in the Slack to gather and do diagramming and so on, and we can continue the conversation there, but this was great. David, thank you so much for your help guiding us and the note-taking and everything; this was awesome. I think we've got some great next steps around the overall positioning for SCI, which I'm excited about.

C: Me too. I think we've got a great story to tell, that's the thing. I honestly think we've got a great story to tell, and that's what I want to see coming together, because, yeah, we've got some great stuff in the portfolio and we just gotta tell an equally compelling story around it.