►
From YouTube: Supply Chain Integrity WG (October 26, 2022)
C
D
B
B
E
C
C
It
is
I'm
just
saying
that
the
specification
positioning
and
tooling
round
rolls
up
to
the
salsa
working
group,
which
is
tomorrow
morning
salsa
overall
rounds
up
to
the
supply
chain,
which
is
today.
Do
we
want
to
duplicate
this
salsa
around
up
here,
because
we're
going
to
be
talking
through
specification,
positioning
and
tooling
this
time
tomorrow.
D
D
Correct
right
so
I
I
suspect
that
whoever's
I
don't
know
if
Josh
is
here
or
Mark.
Ledato
is
here,
but
from
a
specification
perspective
right
project
1.0
is
underway,
right,
positioning,
we're
working
on
a
Blog
and
tooling
I
can't
talk
to
tooling.
But
you
know
this
is
just
a
quick
update
of
what
we've
been
doing
over
the
past
couple
weeks.
D
B
B
C
D
B
C
E
Yeah,
if
I
recall,
I,
think
I
think
we.
There
was
some
discussion
on
how,
on
the
implications
of
Fresca
and
and
guac,
and
a
couple
of
the
other
Franklin
said
the
implications
of
those
on
the
tooling
that
that
that
gets,
developed
and
and
all
that
kind
of
stuff,
but
I'm
not
sure
about
the
the
exact.
How
far
we
got
into
specifics.
C
A
C
So
the
next
item
has
my
name
on
it,
but
really
I
wanted
to
kind
of
solicit
thoughts
from
people
in
the
group.
One
thing
that
has
occurred
to
me
is
that
we
have
ourselves
a
positioning
working
group,
I
think
that
the
bigger
problem
or
the
more
pressing
issue
that
we
have
at
the
moment
is
overall
positioning
in
the
supply
chain.
Integrity
scope,
which
is
what
kind
of
one
click
up
altitude
wise,
because
we
now
have
salsa
and
s2c2f.
C
You
know
both,
as
you
know,
Frameworks
for
supply
chain,
Security
in
the
same
spot
and
I.
Don't
think
that
we
have
a
great
story
explaining
to
external
folks
who
may
have
five
minutes
to
spend
thinking
about
this,
how
these
things
fit
together,
how
they're
different,
how
they're
similar
what
our
intent
is,
how
we
expect
them
to
evolve
over
time,
how
the
two
map
into
an
overall
problem
space?
C
C
Integrity
working
group
that
you
know
one
thing:
I
don't
want
folks
and
we
can't
afford
folks
to
have
the
impression
of
is
that
oh
open,
ssf,
yeah
they've
got
they've,
got
two
supply
chain:
Frameworks
one's
from
Microsoft
one's
from
Google
I'm,
not
kind
of
sure
how
they
fit
together.
They
seem
to
be
competing
or
whatever
and
I
think
I
know
that
we
all
have
a
sense
of
what
does
s2c2f
do
what
it's
also
do.
Where
does
one
begin?
Where
does
the
other
end?
I?
C
Don't
think
that
we're
telling
a
good
story
about
that
externally
at
the
moment,
particularly
for
folks
who
don't
have
a
lot
of
time
to
spend
thinking
about
this,
and
so
I
I
just
wanted
to
get
this
group's
thoughts
on.
Do
we
need
to
pull
positioning
up
one
click
and
think
about
positioning
a
little
more
broadly
in
scope
and
I'll.
Stop
there
Mel,
but
you've
got
something
to
say.
D
D
Right
now
is
that
maybe
each
of
the
ones
have
their
own
little
mini
positioning
and
then
they
work
together
until
it's
big
enough
that
we
pull
it
up
if
I
remember,
that's
how
the
conversation
went,
I
mean
I,
don't
mind,
but
it's
hard
enough
trying
to
get
one
blog
out
with
the
little
group
we
have
just
from
Tulsa,
let
alone
all
this
other
content.
Obviously
we
can
make
it
work,
but
Jay
is
that
how
you
remembered
the
conversation.
E
You
know
the
the
two
should
be,
dare
I
say,
say
separate,
but
equal,
but
I
also
agreed
with
Isaac
when
he
brought
it
up
there
about
having
the
positioning
meetings
together.
I
think
they
should
both
they
both
have
their
lanes
and
I.
Think
the
lane
should
be
talked
but
I
also
said,
and
I
said
this
in
our
meaning
Melba
that
either
should
not
speak
in
silo
of
the
other.
So
there
should
be
a
bridge
conversation
as
we
do
blog
posts,
as
we
evangelize
as
we
talk
I.
E
E
C
I
know
Jay
I
I,
think
I
mean
that
that
describes
exactly
what
I'm
talking
about
I'm,
not
suggesting
that
hey
these
things
should
be
the
same
thing
or
we
should
merge
them.
I
think
it'd
be
awesome
if
we
can
paint
that
picture
of
how
they
become
parts
of
a
greater
thing
over
time,
but
I
think
that
right
now,
I,
don't
think
that
we,
if
you
took
10
people
from
working
group,
Integrity
meeting
and
said,
describe
to
me
how
salsa
and
s2ctf
c2f
shared
this
space.
I,
don't
think
you'd
have
10
consistent
answers.
C
I
think
you'd
probably
have
15
answers
across
10
people
and
I.
Think
that
that's
it's
a
problem.
That's
new
to
the
supply
chain,
Integrity
working
group
in
the
last
month,
given
that
now
we
have
salsa
and
we
have
s2c2f
and
I-
think
it's
incumbent
honors
to
like
come
up
with
that
story
and
say
yes,
they're
separate
they're,
two
different
things:
they
speak
to
different
concerns,
but
paint
that
picture
for
people.
What
do
they
look
like
like
I,
want
to
see
like
a
map
of
the
problem
space
and
then
have
these
two
different
solutions.
C
C
A
B
Yeah,
so
so,
if
I
can
just
kind
of
pile
on
further,
you
know
these
are
good
problems
to
have.
First
of
all,
we're
you
know,
we've
got
a
whole
bunch
of
people
working
related
issues.
You
know
we
just
need
to
make
these
things
more
coordinated
I,
although
I
think
you
know,
positioning
has
been
looking
at
a
lot
of
different
things.
I
think
we
should
prioritize
first
of
all,
making
it
clear
how
salsa
and
I'm
sorry
I'm
still
working
on
the
new
name,
s2c2f
work
together.
B
C
B
Them
we
wanted
to
say
and-
and
you
know
I'm
sure
we
need
the
words
and
backups
you
know
if
we
can
come
up
with
a
one
slide
and
I'm
sure
we'll
argue
and
going
back
and
that's
good,
that's
good.
You
know
we'll
we'll
try
to
figure
things
out,
but
if,
if
we
could
make
that
a
somewhat
short-term
objective,
yeah
and
maybe
maybe
different,
people
will
come
up
with
multiple
slides
as
as
should
I
go,
but
it
I
would
like
the
end
result
to
be
at
least
one
of
those
one
slide
here.
C
C
Sense,
but
it's
a
sense
of
bringing
all
the
best
ideas
and
producing
a
synthesis
of
them,
and
so
I'm
I'm,
less
yeah,
I.
Think
David
I
agree
with
what
you
said:
I
think
we
need.
We
need
a
slide.
I
see
a
gap
in
terms
of
work
being
done,
I,
don't
think
anyone
has
it
on
their
list
right
now
and
so
I.
My
idea
was
hey:
we
could
pull
salsa
positioning
up
a
click,
I
hear
Melba,
saying
gosh.
You
just
give
me
a
whole
ton
of
new
scope
and
we're
grappling
with
this
code.
C
Maybe
we
can
just
share
diagrams
in
slack
and
and
work
on
it
that
way
and
come
back
in
a
month
in
this
forum
and
look
at
where
we
got
to,
but
I
do
think
it's
important
that
we
have
a
common
conception
and
articulation
internally
about
how
these
two
things
you
know
are
adjacent
and
work
together.
Great
and
you
know,
don't
overlap
and
don't
leave
gaps
and
all
this
kind
of
stuff
and
have
that
internal
picture
that
we
can
then
begin
to.
E
Yeah
I
I
think
so
so
melbridge
says
so.
Melba
has
this
and
we
can
either
use
one
or
the
other
there's
two
of
them
out
there
there's
one
from
from
John
Meadows,
but
I
think
Melba
created
a
nice
end
to
end
life
cycle
diagram,
two
that
we
could
potentially,
if
with
a
few
alterations
and
a
few
different
things
added
to
it.
E
We
could
overlay
where
salsa
sits
on
that
diagram,
where
s2c2f
sits
on
that
diagram
and
then
the
so
so
David
one
slide
yes
I'm
just
going
to
say
two
I'm
gonna
say
we
paint
the
picture
with
the
first
one,
and
then
we
tell
them
what
the
picture
is
saying
on
the
second
right.
So
if
we
overlay
where
S2
c2f
is
on
on
that
on
it
and
then
puts
with
sauces
on
it
the
next
slide,
we
speak
to
what
everyone
is
looking
at
perfect.
A
D
D
He
had
content
already
that
we
could
potentially
alter.
So
that
was
one
thing,
but
the
the
other
thing
I
had
was
around
you
know.
If
if
we
do
see
an
SCI
positioning,
would
that
be
additional
or
would
it
truly
be
lifting
up
positioning
like
I?
Don't
really
care
about
that?
You
know
that
was
me
joking
around,
because
somebody
else
was
signing
me
up
for
extra
work
right,
but
you
know
I
don't
care
where
it
sits.
C
I
mean
since
I'll
I'll
do
give
my
take
on
that.
First,
since
I
propose
the
agenda
item,
I
mean
I
was
imagining
pulling
it
up
and
and
substituting
it
in
the
first
instance,
because
I
think
that
the
working
group
level
conversation
is
more
pressing
and
given
that
we
have
limited
bandwidth
limited,
you
know,
resources
to
commit
to
it.
I
would
say
between
the
two
I
think
that
we
have
more
of
a
gap
right
now
around
SCI
positioning.
C
Now
that
we
have
s2c2f
in
the
fold
and
so
and
I
think
that
you
know
we,
you
know,
we've
got
blog
posts
coming
from
an
open
ssf
from
Microsoft
about
s2c2f
and
I
I
want
to
get
ahead
of
you
know
as
s2c2f
becomes.
You
know
more
prominent
as
part
of
the
open
SSS
portfolio
as
it
becomes
more
of
a
conversation.
We
have
more
people
interested
and
more
people
showing
up
for
the
working
group
meetings.
E
E
There's
nothing
that
says
they
can't
head
in
that
direction
together,
be
developed
right
alongside
one
another
to
provide
that
that
that
complete
supply
chain
security
framework
and
and
compliance
requirements
that
everyone
can
use
I
I.
The
positioning
of
these
two
together
is
a
lot,
in
my
opinion,
a
lot
easier
and
a
better
story
than
trying
to
continue
to
position
them
apart.
Although
positioning
them
apart
towards
positioning
them
together
is
a
is
an
iterative
approach
that
alleviates
a
lot
of
the
confusion.
E
If
we
just
sit
there
hit
him
up,
hit
people
upside
the
head
now,
after
all
of
the
posts
and
and
story,
that's
being
told
around
salsa,
because
Salsa's
ahead
of
the
ahead
of
the
game
in
this
area
right
so
now,
if
we
just
all
of
a
sudden,
throw
s2c2
up
in
there,
it's
like
you
know,
you
don't
give
people
the
chance
to
breathe.
But
this
way
everyone
gets
a
chance
to
breathe.
E
C
So
I
think
I
mean
I
totally
hear
you
Jay
and
I
I.
Definitely,
like
I
hear
that
you
know
in
terms
of
like.
Do
we
want
to
just
smush
these
things
together
and
make
them
one
thing:
I,
don't
think
we
do
I
think
that'll
create
it'll
stall.
The
work
and
it'll
create
more
confusion
than
it
was
all
for
right
now.
C
I
do
think
like
this
idea
of
having
a
diagram
where
we
all
stare
at
the
thing
and
go
yeah
that
totally
matches
my
understanding
of
how
they
fit
together
or
how
they,
you
know,
are
adjacent
in
the
same
space,
and
then
we
can
start
telling
that
story
as
we
blog
about
them
as
we
evangelize
as
we
advocate
for
them
externally
and
I.
Think
you
know
to
your
point
about
creating
a
dash
one
and
dash.
C
Do
you
want
these
things
to
fit
well
enough
together
that
someone
says,
but
there's
kind
of
a
gap
in
between
then
we
need
a
dash
1.5.
Whatever
you
know
what
I
mean
you
want
to
make
sure
that
these
are.
These
are
Missy.
These
cover
the
space
without
gaps
and
without
overlap,
and
that's
that's
the
work
that
we
could
begin
to
converge
on
with
these
diagrams.
Yes,
I'm
gonna
I,
don't
wanna
like
again
I,
don't
monopolize
the
meeting
today
with
this
item.
B
B
C
So
I
I
think
it
would
be
great
to
have
something
that
we
share
in
the
slack
in
the
next
two
weeks,
and
then
we
can
all
talk.
We
can
discuss
that
and
then
gather
in
this
forum
in
a
month
to
to
close-
or
you
know
figure
out
where
are
we
are
the
still
open
questions
or
discussion?
I
don't
know,
Jade
Melba
does
that?
How
does
that
sit
with
you
good.
E
A
A
E
B
C
Be
clear,
the
the
the
diagram
slide
is
going
to
be
a
diagram
of
the
the
problem
space
and
we
show
where
it's
also
where
sqc2f
fits
I
think
bonus
points.
If
you
can
work
guac
and
Fresca
and
the
other
things
in
the
supply
chain
thing
into
that
thing
as
well
like
I,
think
it
would
be
great
to
have
a
picture
of
the
problem
space
overall,
rather
than
just
narrowing
to
just
Salsa
Fresh
salsa
s2ctf
yeah.
E
C
B
B
E
E
So
we've
had
we
had
our
first
sigmean
that
happened.
That
was
great.
We
finally
got
thanks
to
David
for
this.
We
finally
got
the
calendar
straightened
out
with
subsequent
meetings,
so
the
meeting
should
be
updated
and
and
improper
I'm
still
working
on
the
getting
some
admin
rights
for
it,
so
that
it
has
meetings.
E
So,
especially
over
the
coming
next
couple
of
months
where
people
will
be
going
on
vacations
and
holidays,
we
may
have
to
move
a
few
meetings
or
cancel
a
few
meetings
and
and
and
we'll
be
able
to
work
that
out,
but
but
where
we're
at
right
now,
which
was
stood
up,
we're
looking
at
how
we're
how
we're
being
positioned
as
well
so
I
like
I,
said
Isaac
brought
this
conversation
up
during
that
meeting
as
well,
so
we're
working
on
what
subsequent
means.
Actually
look
that
look
like
there.
E
E
We've
had
conversations
about
whether
or
not
not
even
whether
or
not,
but
but
having
this
positioned
correctly
as
a
as
a
as
a
project
underneath
the
LF
for
for
specification,
which
is
why
I
brought
that
up
earlier.
So
that's
that's
good
stuff.
That's
happening
there
also
making
sure
that
the
other
working
groups
who
did
want
to
be
involved
that
so
there
was
some
confusion
on
meeting
times.
I
fixed
that.
E
So
we
should
have
a
a
an
almost
bum
rushed
turnout
at
the
next
meeting,
which
I
can't
wait
for
because
there
are
a
lot
of
interested
parties
in
this
and
as
Isaac
was
alluding
to
before.
But
what
that
means
is
that,
especially
as
we
move
this,
you
know
as
we
move
this
in
parallel
with
with
salsa.
You
know
the
bridging
of
the
tube.
E
E
C
I
was
just
gonna:
ask
if,
if
you
had
specific
and
no
thoughts
or
or
goals
around
adoption,
and
what
that
looks
like
for
s2c2f
like
who,
who
you
think
is
I,
don't
know
who
are
the
right
segments
to
Target
with
respect
to
adoption?
What
was
that
look
like?
How
do
you
make
it
real
in
terms
of
of
getting
it
out
there
and
having
folks
actually
pick
it
up
and
use
it.
E
E
So
so
these
so
that,
so
that's
that's
the
one
two
punch,
that's
actually
the
kind
of
stuff
that
we
talk
about
right
and
one
of
the
things
that
came
out
of
our
positioning
meeting
yesterday
when
we
were
working
on
the
blog
was
what
are
some
examples
that
we
can
use
to
identify.
What
kind
of
issues?
What
kind
of
issues
and
what
kind
of
attack
did
me
Kyle?
What
can
we
catch
using
salsa
and
I
said?
E
Well,
we
need
what
kind
of
examples
do
we
have
right,
but
so
we
have
organizations
that
are
using
one
to
consume
and
then
using
salsa
on
their
response.
Effective
builds,
and
we
can
talk
to
that
picture
that
that's
that,
that's
all,
that's
all
the
better.
So
so
so
to
answer
your
question
Isaac,
it
really
is
about
identifying
those
organizations
that
are
consuming
open
source,
making
sure
we
get
this
in
front
of
them.
B
Yeah
and
and
Isaac
after
me,
too,
so
just
a
real
quick
note.
Once
salsa
gets
a
little
more,
you
know
review
and
looking
over
and
comparing
it
with
I'm.
Sorry
what
what
I'm
sorry
I
said,
the
wrong
thing
once
s2c2f
has
had
a
little
more
review
and
look
and
same
for
salsa,
and
we
work
out
a
little
more
about
how
these
work
together.
One
thing
that
I
intend
to
do
is:
rework
the
course.
The
fundamentals
course
we
we
literally
now
have
thousands
of
people
taking
that
course.
B
We
expect
to
have
more
modifying
the
section
on
basically
supply
chain
and
so
on.
To
specifically
cite
these
show
that
work
together
show
the
top
levels
cite
the
more
detailed
specs,
so
that
people
will
be
yeah
and
I
think
this
will
help
adoption
both
in
terms
of
people
at
least
have
the
big
picture
of
what
they're
doing
and
be
aware
of
those
specific
specs
and
then
can
go
and
get
those
for
more
details.
B
A
A
E
C
No,
no,
it's
it's!
It's
okay,
I
mean
I.
I,
guess
I
mean
it's.
It's
super
early
days,
I
in
terms
of
the
organization's
interested
in
adopting
it
at
other
other
are
those
ones
that
are
coming
to
the
the
meeting
and
and
do
we
I
guess
what
is
this
I
guess?
My
question
comes
down
to
what
what
does
this
look
like
in
practice?
I
agree
with
everything
you've
said
about
getting
it
adopted
and
helping
solve
real
problems
in
in
the
real
world.
C
I
think
s2ctf
has
that
potential
I
guess
my
question
is:
what
does
it
look
like
in
practice
to
start
advocating
if
they
start
marketing
it
and
you
know,
are
we
gonna
stand
up
on
s2c2f.dev
website
explaining
it
like
kind
of?
How
do
these
pieces
come
together?
As
we
start
to
think
about
driving,
I
mean
first
of
all,
is
awareness
and
then
following
awareness,
there's
going
to
be
people
having
feedback
and
opinions
and
thoughts
about
why
they
can't
adopt
it
or
why
it
doesn't
quite
meet
their
needs.
A
E
A
E
Talk
about
where
we
have
tabs
or
or
well,
we
have
tabs
for
eat
for
for
salsa
and
for
s2c2f,
and
then
there's
one
tab
goes
to
salsa.gov.
The
other
tab
goes
to
s2c2f.deb
and
then
there's
a
tab
that
says
how
do
these
work
together
right,
so
so
so
I
I
so
I,
while
I
while
I
say
yes
to
that
and
that's
desired
by
the
sink.
E
Right
like
like,
they
have
two
different
reasons,
but
the
the
reasoning
behind
them
is
a
complete,
secure
supply
chain.
So
so
that
that's
that's
just
my
general
thought
and
of
course,
if
an
organization
doesn't
need
one
or
the
other,
then
they
can
adopt
one
or
the
other.
But
but
when
we
pitch
them
to
organizations
it
should
be
how
complete
of
a
of
a
of
a
of
a
infrastructure.
Do
you
want
right
so
yeah.
C
I
think
that's
a
it's
a
great
idea.
I
mean
in
terms
of
the
sci.dev
I,
think
that
I
mean
the
top
level.
Organization
of
that
thing
should
be
problem
oriented
rather
than
solution
oriented,
because
people
are
going
to
come
to
that
site
with
an
idea
of
what
their
problems
are,
and
we
should
talk
to
them
in
that
language
rather
than
talk
to
them
in
the
language
of
salsa
and
s2c2f,
with
which
they're
not
familiar
but
I
think
that
having
an
sci.dev
and
again,
this
comes
back
to
the
previously
generator
notes.
C
To
starting
to
articulate
what
we're
doing
in
the
language
of
problems
rather
than
Solutions
is
is
step,
one
of
that
and
then
having
sca.dev,
be
an
explainer
of
here's.
What
the
open
ssf
has
to
offer
in
this
problem
space,
but
I
love
that
idea
and
I'd
love
to
explore
that
and
again
I
guess
that's!
This
meeting
is
the
right
forum
for
that
being
the
overall
umbrella
meeting
at
SCI
level,
and
what
would
an
sei.dev
look
like
and
maybe
that'll
come
out
of
the
diagrams
that
we're
building.
A
B
B
B
B
Yes,
let
me
know
if
you've
heard
this
song
before
so
my
understanding
is
that
the
LF
actually
has
been
developing
its
own,
basically
some
tooling,
to
help
with
this
and
they're
starting
to
deploy
it
out,
and
you
know
then
so
I
have
not
actually
used
it
myself.
The
theory
between
Brian
and
I
was
we
were
going
to.
Let
other
orgs
be
the
guinea
pigs
first,
but
my
understanding
is
that
some
oinking
has
already
occurred.
So
we
want
we're
the
So.
The
plan
now
is
just
just
start
slowly.
B
Moving
this
as
I
said,
I
actually
haven't
personally
used
it
seriously.
Yet
I
I
will
know
I.
My
understanding
is
I
guess
they
have
a
concept
between
public
and
private
meetings
so
for
the
public
ones.
We
would
encourage
people
to
use
their
lfids,
and
that
way
we
know
who
shows
up,
because
you
know
the
the
right
writing
down.
Your
attendance
on
a
dock
is
all
nice,
but
it's
really
nice
to
be
able
to
click
and
be
able
to
show
you
know
which
organizations
are
showing
up.
B
That's
particularly
of
importance
because
we
need
to
be
able
to
show
later
on
that
multiple
organizations
are
participating.
We
don't
want
a
single
organization,
I
mean
you
know.
We
want
multiple
organizations
to
be
involved.
If
they're
not
involved
in
things,
then
we
need
to
figure
out.
What's
going
on.
B
That
said,
you
can
just
show
up
without
putting
in
your
lfids
if
that's
important
to
you
or
without.
If
you
don't
even
have
one
so
beyond
that,
I
haven't
I,
haven't
used
it
in
Anger,
yet
but
I
think
that
is
one
of
its
capabilities,
but
I
guess
we're
all
gonna
find
out
together,
but
it
can't
be
worse
than
what
we
got
now.
B
B
C
My
meeting-
yes,
that
is,
we
are
out
of
agenda
and
I,
see
Melbourne's,
kicked
off
a
thread
in
the
slack
to
to
to
gather
and
do
diagramming
and
so
on,
and
we
can
continue
the
conversation
there,
but
this
was
great
David.
Thank
you
so
much
for
your
help
guiding
us
and
the
note-taking
and
everything
this
was
awesome.
I
think
we've
got
some.
We've
got
some
great
next
steps
around
the
the
overall
positioning
for
SEI,
which
I'm
excited
about.