From YouTube: Supply Chain Integrity WG (February 28, 2023)
A: Yeah, actually I need to remind people that it's happening right now. Yeah.
A: Right now, I...
B: See people joining. Oh, by the way, I saw that it's... I don't know if you fixed the problem, but I saw that our Google Docs is still with no permission to edit, right.
A: Yeah, so the new one I created, and I just copied over the original one. Because we're changing names, I didn't want to change the name of the older file, so I just kind of, in the older file, I pointed to this new document, and then this file I pointed to the old document. So that's why you see it that way.
A: And thanks, folks, for joining. Give us one second while we get situated on our first SCI positioning subproject meeting and our new time. So let me try to share my Chrome browser.
A: And if you want to share something about yourself, by all means. And Nick, I don't think I've met you before, but welcome to the call.
A: So, and if you would like, you can obviously introduce yourself and what interests you about this particular sub-project.
C: Of course. So hello, everyone, my name is Nick. I just joined the OSI, which is the Open Source Initiative, and we have a product called ClearlyDefined, and I'm about one week into this new job and I'm trying to learn what projects might be related to this, and I thought this meeting... and I want to learn a bit more about it.
A: Here, yeah, yeah, sure, yeah. Let me, there you go, I put it in the chat again, the meeting notes. So essentially, this group was formerly known as the SLSA positioning group.
A: Essentially, what we would do is we would try to educate, help with any sort of gap analysis for the SLSA community. But as of yesterday, I've changed it, because there was a vote earlier this month that we wanted to up-level the positioning group to include more than just SLSA. So now this group is going to be focused on SLSA, S2C2F and FRSCA, so trying to make sure that we're all in alignment, that we identify gaps across each of the different projects, or overlap.
A: Also, you know, presentations, etc. For example, the SLSA... that's also, sorry, the OpenSSF, no, wrong one, Open Source Summit North America. Sorry, we submitted talks about SLSA as part of the SLSA positioning group. So as the positioning group, we work together to figure out the abstract and the title and then submit who would be talking, etc.
A: So we did that as a group, and so we're representing the group, not necessarily our companies. And so that's the vision for this as well, but with a broader scope for FRSCA and S2C2F.
A: Yeah, but welcome. I'm not sure if that interests you, or if, you know, we can be of service at some point in time, but we definitely want to evangelize all of these different sub-projects.
D: Yeah, I mean, I have some idea of ClearlyDefined, like I've been following this project specifically, so I mean I just wanted to sort of drop by and talk about the project, but I think generally I'm also an open source enthusiast. So this is probably a good place for me to be.
A: Yes, welcome. Okay, I, of course, I... Don't... Chris, hey, I don't know.
A: Saw the link? I think you just joined, so I'm posting it multiple times just in case. Okay. So let's go ahead and get started. This is a new time for us, so we might get some people that don't realize that there's a new time right now, but one of the first items that I would like to talk about is the sub-projects alignment, but I don't see the co-leads here.
A: The co-leads are Jay from S2C2F and then FRSCA would be Mike Lieberman. He...
A: Oh wait, I don't see you on the thing. Oh, ding, Zoom, like I have to... it didn't tell me that there was more people. Sorry, hey Jay.
A: A new time, yes, yes, yeah. So thank you, Jay, for coming. So at least we have... I know Mike is going to be late, and so I don't want to necessarily delay the topic, and we can get his feedback. But you know, we have talked about...
A: You know, how do we get the three sub-projects to align so that we can better explain to the community the benefits of all three and how to use all three? But I actually don't know where we should start, and so that's kind of the first question, right? What would our scope be, and where do we start?
F: Well, the scope part is important, and I think you hit the nail on the head with the scope. Now, part of... before we begin, let's talk about the recent blog that just came out around version 1.0 of SLSA, right? That should have been done through us, I think. I think we can all... but we should have...
F: We should have been involved in this at inception, right? Because that's a block... the whole rhyme or reason behind the positioning SIG is so that we have visibility over that kind of stuff, and then we can see when that stuff is coming. We can have an opinion on it and things of that nature. So I think, as far as scope is concerned, I think you hit the nail on the head, but if we're, you know, what's our topic of focus, how do we...
F: How do we... I want to say prevent that from happening? But how do we have a tighter... for instance, I found out about that from Melba, right, like on Slack. AJ, you might want to be a part of this. Cool. Let's jump in. I think we should look at that blog and see where that blog intersects, that we can begin to tell the story or expand from that to how does build...
F: How does the build track currently... how does that... because what's that positioned against, or aligned with S2C2F? Was S2C2F in that... and we could begin from there, right, because that's out now, and that's an RC for version 1.0, which is great, and it's been received... believe it or not, it has been received pretty well, right. A lot of the community that I've seen, that I've seen that blog...
F: That said, oh, we like the direction that this is heading in. Look, a few concerns around the source track and what the plan is around that, and provenance, something, you know, there's some things to iron out, but the reception of that has been great. I think we can take that and then expand on that through the scope of making sure that FRSCA, S2C2F and SLSA are aligned towards the Supply Chain Integrity working group as a whole, creating this supply chain security framework.
F: That's the framework that's spread across the OpenSSF!
A: Yeah, so, and for folks that want to speak after me, please do use the hand raise. I agree, right, I felt like we should have been more involved. I'm glad that Mark put it in our positioning channel, right, to get visibility, but I too was surprised that most of it was done.
A: So then I started thinking, well, at what point is it the sub-projects' responsibility versus ours? Because we also don't want to be the gatekeepers.
A: We do want to have input, right, to evangelize, so I think there's a fine balance there, where, yes, we need to make sure that, you know, we're not gating them, but for something as big as this, I do think there should have been more collaboration.
A: So potentially that might be the key idea: if it's something major, right, that we as a positioning group should be involved to help unify the message across the board. But maybe if it's something minor, you know, we can be reviewers, but we're not gatekeepers. I'm not sure how to navigate that, but it's just a thought.
B: Remember, just one question so I can understand the context now, because I think that... I missed the meeting where you promoted this to the positioning sub-project. The idea is now that it's not only SLSA; you are integrating as well S2C2F and FRSCA, correct? But it's the new charter of this group, just to understand, it's just increase the... I mean the...
F: Okay, this should also be noted, right. So both SLSA and S2C2F are projects that are being driven towards specifications, right, and they're being driven in such a way that, you know, you're gaining adopters, you're identifying ways to get the word out and then doing all these different things. And because these projects are both being worked on in the OpenSSF...
F: Underneath this working group, being worked on in tandem, then the conversation should not be siloed; should bring those conversations together, because they both feed off of one another. There's a bridging between the two. You know, and that conversation, that message, needs to be blasted out.
F: Oh, you know, the people involved in doing them, they could be in different places, but combining those efforts and making sure that they're aligned properly can only strengthen both of them, and it can only strengthen the message of what we're promoting and putting out from the OpenSSF. And this particular subgroup, when we talk about positioning them, we're talking about a few different things, right? So we're talking about how we send that message out to the industry at large, how we unify our messages within the OpenSSF.
F: Now, you know, even the OpenSSF itself, how does the OpenSSF itself send this message out? So the message is coming out from a few different places. This can only make what we do stronger as a whole. Go ahead, Chris.
E: I'd like to disagree a little bit. I didn't, and still don't, see any need to discuss the other OpenSSF projects in the 1.0 release candidate blog. I mean, from my point of view, that was an RFC that we posted on the blog instead of on GitHub. We weren't announcing the final release. We weren't talking about, really, for that matter, how to use SLSA in a production deployment, which is where positioning with the other OpenSSF projects comes into play. This was saying we have a thing.
F: The only... I want to say the only kind of, not rebuttal necessarily, but the only thing: SLSA has evolved since it was brought in to the OpenSSF. It has evolved greatly, right, as a result of different pieces of information that have come out through its development. It didn't start out being separate.
F: Tracks became separate tracks because there was clear identification of specific gaps, and the identification of those specific gaps came through bringing in S2C2F, through identifying gaps in securing the build pipelines, came in from FRSCA, through gaps in those other things. So, while I agree with you, you know, about the messaging in the blog, I would say that there should... I believe still that there should...
F: You don't want to highlight and over-emphasize, but there should have been a mention at least where the work was being done, because of the changes from the original blog posts that introduced SLSA to the community way back, even before the summer.
A: And Chris, I don't know if you wanted to respond before I comment.
E: I mean, my position is clear: it's a non sequitur. A non sequitur is a non sequitur, regardless of the context that led to the 1.0 release candidate.
A: Okay, so, and thank you, Brandon. I didn't realize that, as somebody presenting, you can't raise your hand. I think in WebEx I can, so I was very confused as to how to raise my hand. So I understand both points of view. I think, Chris, in terms of involvement, pre...
A: This meeting, right, we were the SLSA positioning group, and it was a shame that the blog was created without collaborating with us, right, because that's what we're trying to do. We're trying to evangelize, right. Even, I don't think you're part of the chats, because I think it's only the SIG leads, but I said, hey, you know, I was saying: are you ready for the RC? You know, notification.
A: What do I need to help with in terms of the 1.0 announcement, right? Because that's positioning; we're trying to help with that communication, with that evangelism. And so to not see that collaboration was a little disheartening, right. It could have just been an oversight, and that's fine, but that was our purpose specifically for SLSA. And today, right, we now have expanded scope, but for SLSA specifically, it was very important for us to be part of that blog.
A: So yeah, again, I understand both points, and we don't want to be a blocker necessarily, and there is a time and a place for mentioning other projects and when not to. But in this particular case, I think, from my point of view, the collaboration... it didn't start with collaboration, right. It started with, okay, just give us feedback, and I think that is more of my concern.
A: Okay, okay, so let's, if we may, move on to another topic. So outside of maybe overlap or gap analysis, it sounds like blog communication, enablement, synergy, amplification of that message sounds to be one area that we are thinking about.
A: I know there's been talks about this whole supply chain security taxonomy. In the last monthly meeting for SCI, we were talking about, hey, we need an SCI taxonomy, and we need to make sure we're talking with the OpenSSF groups and stuff like that. So should that be part of our scope? And if not, right, I guess what would be the rebuttal for the SCI working group, because I think that was a recommendation to tackle with the folks here.
F: Well, I can say offhand that, you know, to work on a supply chain taxonomy is definitely needed. I am working on a proposal to centralize that effort across the OpenSSF. That's something that I happen to be working on with Chrome over in the Best Practices working group, just to centralize that taxonomy work so that everyone is speaking the same language, taxonomy and personas.
F: Well, specifically, supply chain security. I mean, supply chain security and all aspects there would mean that, you know, people of mind that, you know, supply chain security, open source security in general. This is across the OpenSSF; what the OpenSSF is here for. I'm working on this language that can be used across every working group, across everything, so that everyone is using the same language, same voice.
A: So is this a part of a different project or group that...
F: Sticking this under a whole separate working group, so that this can be developed centrally, so all other working groups can converge into this effort, right. Everyone can come in and be a part of this effort, but then what comes out of it, the deliverable out of it, spreads out across the entirety of the OpenSSF itself, so that everyone is speaking the same language when we're developing guides or when we're developing frameworks.
F: So when we're developing, you know, projects, and when we're, you know, the development tooling, all this language goes into those efforts.
F: That's being developed, and this is something that I'm saying to them, like, please, by all means, go ahead and keep creating, keep building, keep developing, and then what happens is that what gets created, built, developed gets pulled in. I mean, the only downside to that is depending upon what the consensus is in that group around some of these terms, and we'll try to make sure that we keep a lot of the terms and a lot of definitions that have been developed, especially if they're, you know, similar in nature. We'll try to keep as much as we can.
F: There will be some changes, though, just for the sake of, you know, revising a lot of these efforts. The idea, though, is that, you know, like I said, same...
A: Language. Okay, okay. Any other things that aren't covered necessarily in terms of the SLSA positioning that we might want to consider, given that we are including two other projects to the mix, that maybe, you know, from a scope perspective?
B: I was thinking, with this increased scope, that, of course, if you're thinking about missions, of course, it's just simplified communication. I mean, this demystifies the several projects. It looks like they have very different objectives, but at the end they have, of course, they'll try to tackle the same problem, but of course each one is strong in one, and then all niche, of course, set together.
B: So if you're thinking about the mission of the scope, it's a lot more about the simplification, and also identify gaps that exist among those projects, like work as a facilitator. So if you think that each one of those projects, they have something that is missing to be seamlessly connected with the other projects, I think that it's in the positioning, as we have the scope, we have to identify. I just think that, if I always think about, everybody is talking that probably should have in the scope.
A: And did I capture that right? Again, I'm not very good at live note-taking. I try.
A: Okay, trying to think what else. The other thing actually, we're kind of... it might be under this, you know, communications. I'm thinking about this landing page, right, for the OpenSSF website; that does fall under our scope, but I'm wondering if that's all part of, like, you know, blog, web page, slash communications, right, right. So enablement, the synergy, amplification, simplification, I can't spell 'vacation', of blog, web page and communications kind of thing.
A: Okay, so then, trying to think about, you know, where should we start. I do have a couple of ideas, one which we were already working on, because we were SLSA positioning, is not only the landing page, but then there's these blog ideas, right. We know the RC blog, first...
A: Also, 1.0 launch has already happened and obviously things might change, but we have that developer persona that we were already working on, and these were the topics that I presented last time... not last time, maybe it was like two or three weeks ago, on, hey, we can write about these types of things for the SLSA blog to help promote, you know, the new 1.0. You know, why certain things were done, in more detail, like, for example, why break up, you know, build versus source, right.
A: That could be a very lengthy blog on its own, talking about SBOMs versus SLSA and the provenance. That's a huge question all the time, so it'd be good to have something out there on that. So just wanting to get the team's thoughts on...
A: I guess I think we have to focus on these blog ideas, because we only have a certain amount of time. Hey Mike, thanks for joining. And so if we are going to focus on these blogs, this would help with this landing page, right. If we figure out this landing page in time for the 1.0 launch, that would be fantastic, because then we can promote it on that landing page that is the OpenSSF website. So, thoughts on the priority of these blogs.
A: Anybody is willing to be an owner? This one, where we already have an owner, so technically it was multiple, but I can kind of lead and try to clean up with help, right. So, oh, and Mike, this is a new link to the new document. So curious about, if anybody... oh sorry, go ahead.
A: Okay, submit may be joined with breakup. Yeah, I think this also tracks. When I was thinking about it, it was more of, hey, we've thought of, you know, maybe having a vulnerability track, or, you know, some of these other tracks, and, you know, we're thinking maybe the way this would work is, you know, somebody would submit blah blah blah, and then, you know, we're looking for ideas, almost like the RC blog, right; we're looking for feedback on: do you think this is valuable?
A: That could be a sub of this, the 'why break up', but it's not really about the tracks themselves. It's more about the value it provides being separate. So not sure what you think about that, Chris.
G: So one of the interesting things, I don't know, like, I think, and once again, I don't know exactly how we want to split it up, but one of the things that has been coming up a little bit now, that once again, supply chain security is very overloaded.
G: A lot of the various terms are very overloaded, but there is an interesting depth and breadth conversation which I think SLSA fits pretty well into, and I think that's, and to be clear, I think it kind of fits into somewhere in that 'SLSA tracks, why break up' kind of conversation, right, where there is like a left-to-right thing, which is sort of, you know, which I think that diagram that Isaac has is, which I think is really, really great, and I don't have it.
G: Yeah, so he has actually two of these interesting diagrams. One is a diagram, I'll look for it later, I think it's under the Supply Chain Integrity working group somewhere, but he has that one where he talks about the hierarchy, right, where, yeah, like, at the bottom...
G: You have your trust, like who do you trust, and it kind of goes up from there. And then I'll find some of this stuff later, but he has this thing where he has actually, hold on, I have that diagram. Give me one second here. It's on the GUAC... I'll just post this in chat. It's a diagram in here! Oh, here it is.
G: He has this diagram. He also had this other diagram which he posted in one of the chats; I don't really remember where it is right this second, but he also has it in... he posted something in Twitter here, which this sort of diagram is kind of like the breadth conversation versus the depth conversation, right. So the depth conversation, right, is, you know, who do I trust, the trust foundation, and then based on that trust foundation I want to make assertions about...
G: You know, things, attestations, and sort of generate metadata that I can use. So this is stuff like SLSA, and that's kind of where SLSA fits. And then, you know, obviously then you have aggregation, synthesis, which is saying: hey, can I take all that SLSA data, along with other data like S2C2F and other sorts of metadata, SBOMs, and combine all that metadata into a better understanding, and then can I build policy on top of it? And then this diagram sort of talks about the end-to-end flow of what, you know...
G: All this sort of stuff should look like, right, where you have all those attestations, but then you have policy at each level where you're going in and saying: okay, well, I'm checking my dependencies, right, and I'm checking my source, I'm checking my builds, I'm doing then release management and so on. And I think that's where, like right now, the build is where SLSA has been focused, and then the additional thing here is we're now talking about source management, like, is the code that I'm about to pull in...
G: Is the code, oops, hey there, buddy, is the code I'm about to pull in from my source code management, is it trusted? Is it code that's signed by the right parties? Has it gone through the right security scans and so on? That's kind of where this new SLSA source track comes in, but I think it kind of helps out with also some of the stuff that, with, like, S2C2F, of saying, hey, great, now that we use, let's say, done the right security scans, and, yeah, and generate it in an attestation.
G: You know, then again, this is how it gets consumed and so on. I think that sort of thing of just talking about the breadth and depth, and kind of explaining where we're sort of trying to fit into that breadth and depth conversation, is, I think, really important to folks who are saying: hey, okay, cool, I want to adopt SLSA, how do I actually do that?
A: You might... thank you. Okay, I have an interest in this one, but I would need a co-partner. The reason why I have an interest in this one is because I've drawn up some diagrams already for the case of breaking it up, and so I can just reuse some of that.
A: So that's why I'm like, okay, maybe I'll lead it or maybe I can co-lead it, but I do have some things from the source aspect and why it's important to break it up, because you can't just say you're SLSA level four compliant because your build is, right. You have to also consider source.
A: I try to spit out my words as much as I can and write them down, and then I have somebody wordsmith it for me, because I'm not that great. Okay, the 'what's new', I think this is just a tweak, so I don't know who actually owns that one right now, if it's you, Chris, or if it's Mark or Josh.
A: Josh, right, but that would just be a tweak. So this was before the blog actually came out. I forget who brought this up, but someone was like, oh, why was SLSA level 2 skipped in the web page? And then there's also, you know, why we didn't even finish SLSA level four or, you know, put it into the 1.0. I know it's somewhat in the RC blog, but not sure if there's value in a blog dedicated to this.
G: Yeah, I think highlighting on the website and then in the 1.0 release sort of blog, I think that would be just sort of highlighted, like, hey, we got rid of SLSA level four for now as we're sort of building out some of this other stuff. We believe that, you know, based on some of this stuff, right, like it sounds like more and more...
A: Okay, that makes sense. So then this would probably be maybe a tweak to 'what's new' to include a comment on this. Okay, so then that would be, well, the blog part would be, you know, Chris, Mark and Josh, but the website part, I'm guessing we're gonna have to open up a PR to fix the website, right.
A: Okay, I don't know why everything's in bold. Trying to get rid of the bold, but coming up. Okay, so this, I'm gonna say, not get rid of, I'm just gonna... low, not... did, okay. And then there's these two. I feel like this might have to wait a bit.
A: So that's something that we talked about a few weeks ago; may need to tweak existing blog to incorporate the new CVEs... I mean, I think everybody on this call knows about VEX and OpenVEX. Have you seen anybody get confused or asked about, well, how does this also deal with VEX or OpenVEX?
G: No, yeah, I haven't seen anything about that. I've just seen people, I think, are generally confused about open... you know, like VEX, plus CVEs, plus OpenVEX, plus SLSA, plus SBOMs. Yeah, I think there's folks who are just confused generally about the landscape, which I think is a bit... which I think is like less about the SLSA blog.
G: That's where something like, I can imagine a Supply Chain Integrity positioning blog just about the landscape and saying, hey, here's how S2C2F fits, here's how SLSA fits, here's how, you know, the new VEX stuff fits.
F: Yeah, I agree with that, with Mike. I think a large part of the conversation isn't necessarily about versus; more about the... I mean, I hate saying this, but the newness of VEX documentation, the newness of SBOMs, and how VEX documents and SBOMs work together, in the understanding of those against what they currently understand other things to be. I think once the not understanding becomes it...
A: Okay, so that's, yeah. That brings up a good point. I'm gonna highlight that. And I can't remember that framework that came out by, I think it was OX Security. It was...
G: I know, and once again, I don't know many of these folks or what some of them are focused on, but I know that a few folks have sort of pointed out that it says it's an open standard, but nobody knows if there's community meetings. Nobody knows, like, how to get in contact with anybody. There's a bunch of stuff about, like, hey, it's an open framework for stuff, but there seems to be no information on how to get involved.
A: Okay, it's been coming up lately too. There was something else. Oh, and here, let me, I think I've had it up over...
F: ...SAF. So again, I gotta go back into, yeah.
A: So what I'll do is, yeah, so this one's more detail. I think this is like a lower priority, because... and I forget who, I think Emmy owns the blog on this one. Yeah, she's the one that submitted it, if I remember correctly, so I can talk to her about that.
A: So does anyone want to own this one, or, oh, co-lead? Sorry, something fell.
A: No hints, okay, so I guess we'll leave that one. You know, it's a lower priority.
A: I think this also tracks is a high. This is a high, but it's pretty much done, right, and it's gonna get done. I'm not concerned about that one too. The developer persona, I know Jay and Bruno, you were part of those discussions.
F: Maybe the build track might be in a good enough place that we can actually write that. I think a large part of it was understanding where, you know, how they split up the tracks.
F: What was coming out with, you know, the release 1.0 is here. I think we may be in a good place to do that from a position of the 1.0 build. I don't feel comfortable doing that against something that's not complete yet, but 1.0 is... you know, we're coming up on it, so I think we may be able to talk about it from a place of 1.0. I...
F: Think that changes a bit... that could change a bit our scope of the blog, but I think that's something for us to sit down and discuss against 1.0 a little bit more, find out, you know, developer personas in that, and then we can do that a little bit better.
A: Okay, so I updated that link. Yeah, I remember somebody created the original and we didn't know who had rights, so I just created another one, and this is kind of what we had so far.
A: Why SLSA would be valuable for a developer to care enough about it, right, and so we're trying to just go after that persona, because we want them to buy into this. And so, I think we might need to change a couple things, because I know, while we were writing it, yeah, I think it was the provenance that broke out in the middle of us writing this. Well...
F: It wasn't just that it was the provenance; it was the... I mean, the tracks broke out. Yeah, there were different, you know, the levels in the tracks got switched up. We identified one requirement and one level that was in one on one site that was contradictory to another one. There was a whole bunch of stuff that happened during the time. Yeah.
A: So we'll have to review it to see, is it aligned anymore? I think most of it is, but there's probably some parts that we'll have to rewrite or rethink about how we write about the new changes. Let me close this before I forget. So I mean, this one, I think it was in fairly good shape. It was, and it was a bunch of us that contributed to it.
A: It wasn't just, you know, you can see all the different people. So now it would be SCI positioning group, but yeah, I think this was a really good collaboration across many, many different people. So.
A: I added the new link, so if you clicked on the old link before, it's been fixed. So I just fixed it right now; it should take you to the correct... okay.
G: Yeah, that would be definitely, I think, a Supply Chain Integrity one, also one where I'd be careful. It's going to be a contentious one.
A: I know, I know, but it's important, right, because I'm hearing this constantly, right. People don't understand the differences and they're constantly asking, which makes me also think about: what other feedback have you seen from the community about the RC launch, right? If there's something persistent that keeps coming up, we'll probably want to write something about it or address it in the, you know, 'what's new' blog. But I do think we should try to capture the common themes as we see them come in over the next couple weeks, to see.
F: The one thing that keeps coming... the one thing I hear, and it's highlighted here, is 'why the breakup'. That keeps coming up, but not just why the breakup; I think everyone agrees and is happy actually about the breakup, because there was a lot that went into the original spec that was like, yo, this is a lot to consume in one time. But so...
F
The breakup is great; it's just, well, okay, so we have the build now. What exactly is the scope of the source going to be? I know that there was conversation about that, especially when it came to that actual step two part. I think we talked about that. That was a conversation we had yesterday.
F
That could be something that's better understood. Other than that, I think, like I said, the reception has been actually quite decent.
A
Okay, anybody else on the call have thoughts? Someone else, and feel free to talk about FRSCA and S2C2F, because I have no clue on that. So, if you think that there's something that the positioning group can help with, well.
F
That's something that needs to be done. I mean, I don't think that has been done yet, and that definitely needs to be done, especially, you know, being able to graphically depict where all that fits together.
A
Okay, shout out to get more hands on keyboard. So that's a good one.
G
So this is where some of it gets a little complicated due to some of the internal OpenSSF stuff. So this might go on to either an OpenSSF blog, or there's some back and forth when you get to the actual, like, hey.
G
This is a working group that wants to release a blog versus a project that wants to release a blog. There's some stuff about potentially getting the TAC sort of involved, so that they're aware that, hey, you're about to, you know, announce a thing, and there's some discussion about, like, something like a SLSA 1.0 announcement. Probably it's worthwhile to get the TAC involved just to make sure that everything, you know, is good, but like, there might be, you know, there's certain things that folks want to maybe talk about that.
G
You don't need to get the TAC involved for, like, hey, we're doing, you know, a little explainer on, you know, the different SLSA levels. That probably doesn't need to involve the whole TAC, but I think some of that is still not quite clear. So it's probably worthwhile for us to sort of reach out to the TAC just to kind of double check with them. Okay.
A
Technically a project, so do we have a space that we could, you know, release blogs on? I'm gonna guess no.
A
Given that we are new, okay, so that's an action item. Let me, where do I put that? I'm just gonna highlight to find out how do we publish blogs, SCI.
A
Okay, I'll highlight that so I don't forget. Okay, okay, so these are lower. This is lower. This is not needed.
E
Yeah, so these blog posts are all for the 1.0 release. Is the idea they come out at the same time, or are they going to be cascaded? Like, how much writing time do we have to work with?
A
Yeah, so the idea would be that we would do it one after the other, not necessarily all at the same time.
A
But yes, it would be one after the other after the 1.0, right, because we want to make sure, if there's any changes as a result of the comments, that we try to address it. And so once we start writing it, and we think it's in an okay state for the next few weeks, then we can put a PR in, and then even if it's approved, we wouldn't necessarily push it until a previous blog might, you know, have gone out, as an example. So I'm thinking, you know, obviously the what's new.
A
Now, do you think a month's worth of waiting would be enough to.
A
Maybe we can do this, this FRSCA one, because that's an easy one, and then this SBOM one, and then maybe this is four. I'll try to put it in order, so that way it's not confusing, by when we get lots of blogs to write and we need some owners. So please, please, please, please volunteer!
A
Oh, I do have to drop too, sorry. I didn't realize the time. Thank you everyone for joining; feel free to keep the conversation online. I'll try to do meeting notes later this evening, once I'm back home.