From YouTube: Supply Chain Integrity WG (May 24 2023)

B
I'm actually triple booked, so yeah, I intend to be here. I've already sent an email that I'm here for a little bit and then I'm going to rush off to the other one.

B
Yeah, I already... yeah. We do have a Doodle poll to fix that other meeting's time. This was not one of the options on the new one, but.

D
Okay, just while we're going to get started here, I'm going to give folks an extra minute to turn up. In the meantime, please do pop into the agenda doc. I will post it in chat, yeah, and add your name to the top.

D
Okay, just before we get started here, or rather as we get started here, I want to give the opportunity for anyone who's new, anyone who's not been to these meetings before and/or not introduced themselves before, to do so. There's no obligation to do so, but if you want to say hi to the group, just please introduce yourself. That would be awesome.

D
All right, got it, no worries. Anyone else who's new wants to say hi, introduce themselves to the group?

D
Nope. In that case, we will proceed to the first item today, and we have Laurie Williams here to talk to us about some work she's been doing on a proactive secure software supply chain risk management framework. Laurie, take it away.

E
I have a few slides, and so, as Isaac said, the Proactive Software Supply Chain Risk Management Framework. So I'm at NC State, a professor there, but the work that I'll be talking about has been done on a sabbatical at Synopsys, which is just finishing up. And so, you know, as we all know, with supply chain there's lots of different help coming from lots of different places, which is good, but it also does leave some confusion. So people wonder, you know, okay, all of that, but what should we do?

E
And so what I did through this academic year was take all of the frameworks and unite them into one framework. So all of the different tasks from all of the different frameworks into one place, and there is a link to that place in the document, in the notes. And so it turned out to be 72 different things from all of the different frameworks.

D
Going back one slide, where, yeah, this isn't here, so like what were the criteria for including or not including a framework here? At least like, how did you decide these are the right eight ones to incorporate into this framework?

E
Yeah, yeah, that's a good question. And so, I mean, the ones... so BSIMM is a Synopsys framework, so, you know, they were paying my sabbatical, so that's one. And then, you know, the others were, so like the Executive Order and SSDF get a lot of attention.

E
So it was really what gets attention and, as you know, in a lot of cases we all know which ones get attention. But then, as I was going through and as I'll talk about, I've been interviewing people at different companies, and as there would be more companies talking about a framework, like I'll say the cloud native one was one of those that came up because a number of companies were talking about that framework, and then I included it into the framework. And so there.

E
I guess, yeah, that's a good question, and I could think about which ones, and also suggestions for them as well. I can't think of any off the top of my head, and so the next, cyber supply chain, that's 800-161.

E
So I can't think of any off the top of my head. I mean, I think, yeah, but I'm open to others that you feel should be included. Yeah, yeah, so anyway. So four groups, 15 practices, which are in the blue, which are groupings of specific tasks, and this is a model where I took the software development life cycle and laid out the practices to where they were on the software development life cycle.

E
In those four groups, and so the groups, you know, have the different practices under them, and then the colors were who would be the primary person that would likely...

A
So, clarification question. Is this the security model focused on... from this slide I'm presuming that it's focused on the business, not on the producer side of the artifacts, or the locations these artifacts are getting consumed from, public open repos, open artifact hosts. It's mostly focused on how the organizations consume them. Is that accurate?

E
If that makes sense, I mean, so there's a practice about in-house development as well, or a task about in-house development, and then there's also... so internally developed source code is over on the left, third-party components is down on the bottom, so it's trying not to be... you know, trying to be open to the perspective.

A
No, sorry, so.

A
Yeah, so I'm just trying to... I guess, is the scope of this the consumer who's building an application, or is the scope all the way from the third-party component that you're... like, I guess, what is this scoped to? Is this focused on the open source producer, consumer, where in that pipeline, or is it all of the above?

E
Okay, and this is what the body of most of the framework looks like. So like the pink is the group, so the group is governance. Underneath the group is a practice, like perform compliance, and then each of the tasks has a task name, the objective of accomplishing that task.

E
All right, yeah, so this is the body of it. So there's 72 entries like this, and then, you know, why were all of the frameworks unique? Because it is intended to be end to end, from the management aspects to the deployment aspects. So the top line is how, you know, my framework came out, and then of the four groupings, the governance...

E
A lot of those practices are in NIST 800-161, and so the way to look at this, I put in red the most influential framework for each one of the groups, and then in the parentheses are specific tasks that were only mentioned in one. In many of the cases the tasks are mentioned in multiple frameworks, but like under governance there's 23, and in my framework a lot of them came from NIST 800-161.

E
The product tasks primarily came from SSDF. The cloud native one, a lot of the environment came from there, and then deployment came from SSDF, and then some unique ones from different frameworks. So like I did see, as people mentioned the different frameworks, in order to be more comprehensive, really all of the frameworks were needed.

E
So an example of, so component choice, the S2C2F is the four in red. It doesn't say that that's four unique practices, but it would say that the S2C2F had at least one practice that no one else had, and that's how you got to be a red. But you know, you can see the contribution of each of these. And one thing, you know, yeah, I'll talk about it then, how we can all work together.

F
I have a quick question. I mean, first of all, I'm impressed, because the amount of work this must have required is pretty staggering. So, you know, congrats for putting in all that work. But so I'm trying to understand the categories that you have on the left. Did you come up with that list to start with, or, as you went through all the different frameworks, you know, things came up and you said: oh, I don't have a category for this, so I'll add it there?

B
I got a question, and sorry if this maybe duplicates what Jonathan asked earlier, but I'm trying to figure out, is the expectation that this is applied to an organization or to a software project? I'm not sure I understand this. That's.

B
Just quickly, because, like, you know, most of the NIST stuff, like 800-161, assumes there's an organization. For most open source projects there is no legal organization, so it's often been a challenge, so I'm trying to figure out where the intended application is here.

E
Yeah, so I mean, I would say a product. So product in that, just say, it's, I know, say, IBM or Microsoft. We use Microsoft as an example. Microsoft has lots of products and each one of them would have a different structure, and you'll see I've been interviewing companies to find out. I mean, the main research objective is to find out: how are we doing?

E
That's my research objective, and so as I went through and interviewed companies, then I would interview like a certain product, and there is one open source product that I would like to get involved with to see how does it differ. So it is true that some of the practices might be N/A, you know, for some people, and not applicable.

B
That's a way larger one, and they're focused on supply chains. I would expect them to do better. I think they do well at that. I'm thinking of relatively small projects which don't have organizational structures, and, right, you know, is-even is one of my favorites, because it's a JavaScript package to tell you if a number is even or odd.

B
I think it's one line of code, you know, and, you know, there's one person. It hasn't been updated in a long time.

B
So I think that's... I think it would be very, very, you know... what I would recommend is trying to find and triangulate many different kinds of projects, big and small, but make sure you cover the small, because the small ones are very much, far more numerous, but challenging, yeah.

E
Good, okay, all right. So the objective of the framework, and this is again a Synopsys sabbatical, so like trying to unite all of the frameworks so that industry can proactively mitigate supply chain risks through guided adoption of tasks. And what I've been doing is interviewing companies to provide a picture of how people are doing, and I'll provide a hypothetical picture in a moment, so to support assessment, scoring, comparison against peers, standards and guidelines, and I'll show you what I mean.

E
So if people are familiar with it, Synopsys has BSIMM, the Building Security In Maturity Model, and they've had it for 13 years, and they have like 121 practices, software security practices, and they go into companies and ask you: do you do this? And get some proof. And so then the company comes out of it having a report like this, like saying, you're the company, you're in blue and...

E
Related to policy, but the industry is doing pretty well. I mean, you can compare yourself to that, and that's really the purpose of these interviews I'm doing, is to give the companies that have been participating this type of a picture. But then Synopsys does publish this BSIMM report, which is industry-wide, which, you know, if... then I will publish an industry report without the "you" on it that can show everyone: how are we doing on adopting these practices from these frameworks?

E
So this is the type of spider chart or radar chart for all of the practices, but I also will publish, like, just say only the SSDF practices. So how are we doing at the SSDF? How are we doing at S2C2F, of the companies that I'm going to be on? Does that make sense? Any questions about that?

C
The last one was employment, governance... yeah, environment. So, and I'm not sure where this would probably go, probably somewhere in the good point. But one thing I don't see here, that you'll only find in maybe a couple of these, is end of life. That is, I'm a stickler about that, because that doesn't... it's arguable, you could argue, so I think that should be part of any.

C
Then, to create vulnerabilities if they're still being used on a legacy piece of equipment in the wild, right, right. These are things I think about, but, like I said, only a few talk about that. I don't see that reflected here. It's a composition of all of these other frameworks, yeah.

E
No, I mean, you're exactly right, and I think in the life cycle part I think I had end of life on the right, but nothing maps to it. And so my first pass was to really take all of the frameworks that are out there and not go beyond them, because 72 is a lot already, but I do think there are things that aren't in those frameworks, and I agree with you that end of life is something that could be added, something that, you know, we all know and love that is not in.

E
There is the use of generative AI. You know, there's nothing about generative AI in any of the frameworks yet. So, you know, I'm at version 0.2, and maybe I should be adding some more practices that don't map to any of the other frameworks, like end of life, so I agree.

E
Okay, so as far as next steps, I mean, I'm finishing up my sabbatical, we'll publish an industry report of how are we doing for adopting these practices in the different areas. That's pretty near term. I also want to take this framework and develop levels, and my levels, my preference, is that level one says you really, really have to do...

E
...this. Attackers are using this attack vector and these are mitigations for the attack vectors, so adopt these first and second and third. So trying to get some of that in there, and then automate the collection of the data if possible, I mean, in the framework.

E
I didn't highlight it so much, but like if you look at the bottom, I do have the OpenSSF Scorecard metrics in there, and so trying to show which of the practices are being automatically assessed now and trying to improve that. And then, as far as, you know, how I would love your help: first of all, I did these mappings myself, and I know from a scientific standpoint that's not great. Like having two people look at anything is important.

E
Some of the mappings came from different places, like, you know, they mapped between each other, so some of them were not just me. A lot of them were just me, and so, you know, if you really love SLSA or something, take a look at the framework and see where I matched the practices of that framework and give feedback, and we would really love that. And I am still looking for a couple more companies to take part in empirical studies.

E
So, you know, interviewing people within the company to find out if they're adopting the practices or not, so to be part of this industrial study, and then overall provide feedback, and I hope that you find it useful. That's really what it's all about, is trying to bring everything together in order to help everyone.

D
That was great, Laurie. Thank you. Super useful, and thanks for sharing the slides. For everyone else, the slides are linked in the agenda document, and Laurie, is it... oh, you've got your email address in those, okay, people can contact you directly, absolutely.

D
That's great. I will make a note in the notes today as well, if folks have interest in participating or helping or being part of the study and so on. Right. Thank you so much, I appreciate that, all.

D
Okay, if there are no other questions. We talked a little while ago, I'm trying to figure out how long ago it was, maybe a month or so, about Sterling Toolchain. Oh, there we go, it's in the notes for April 12th, and at the time it was a fairly nebulous concept.

D
I'm not sure that really we had great consensus on what was going on, what was needed, and we suspected that David may be able to come back to us in about a month or so and give us an update. And so David, this is your chance to do that, if you have updates.

B
Yeah, so I actually put in some notes here to at least try to pre-answer some questions, as it were. So the governing board had this... Frankly, you know, the governing board basically said, hey, you know, after looking at the various options, we really want to move in this direction of something called a Sterling Toolchain. And the question is: what does that mean? And the answer is, well, it's a toolchain that's Sterling! Somehow. We had a little more than that.

B
That's not entirely fair, but not a lot. It was, I think, about a paragraph, but if I was going to summarize it in one word, I guess I would use the word automation. The notion here is that, basically, if we want to see things done at scale, we need to see more easy, more automation, so that things don't have to be done by hand every time, and that will increase the likelihood of adoption of various ideas.

B
The problem is that's very nebulous, and so I was asked to try to create a very early draft of a concept. And so I started with the mobilization plan and this idea of automation and whatever the governing board had said, and tried to create something that tried to square the circles between those ideas.

B
That was not my preference, so I have not been able to do anything with this more recently, and I'm not even sure if I really have the pen on this. But basically, I mean, an early draft I've distributed around, primarily to the OpenSSF working group leads, to, you know, get some initial feedback, to have something a little cleaner and then go back and go further.

B
I think one feedback point, which at least I'm very sensitive to and I think is right, is, you know, in general developers will not change the tools that they use. This is not a "might not", it is a "will not". It does not happen. Okay, in rare cases they might change, but in general they will not. So if there's something that says "change your tool", that's the end of the discussion. So we need to deal with that in a pragmatic way, and I think...

B
Now, exactly what it's supposed to do and so on, you know, we're frankly still working on that. But, you know, basically trying to make it easy to create a new project if it's not already there, you know, and then, you know, various things to deal with some common issues, to counter attacks, anywhere from, you know, improving the likelihood that it's not going to have vulnerabilities in the first place, hardening up the build and so on, now getting SBOMs and so on.

B
Okay, because, I mean, if you... but I think the quick answer is build code, right, code, not just an architecture. Now I do think that figuring out an architecture is a necessary part of that. But basically the governing board, basically, where this came from was we actually had somebody interview each of the governing board members: hey, what do you want to do? What do you want to see? And they ended up with...

B
Oh, I guess it's three paragraphs, ooh, it's not just one, but each of those paragraphs is pretty short. So, but I'll point out in particular the middle paragraph: we will build an autonomous toolchain. Okay, so not just an architecture but actual code, because in the end nobody cares about architectures. Really, architectures are useless unless they are implemented somehow, with code, with hardware, with people, you know. But if they don't turn into something that you use, then it's just another document we can ignore.

B
Now, that doesn't mean that documents are useless, because it's hard to write code if you don't know what it's supposed to do. So I don't think those two ideas are in conflict, but I think the goal is to eventually have code. Now, we don't have to necessarily write it all. In fact, I think the goal would be, as much as possible, not to write it but use what's there, and much more focus on integrating piece parts.

D
And so one way of reading that, because I think Chrome had a similar comment in your document, like "we will build an autonomous toolchain": one could squint and read that as "we will assemble an autonomous toolchain", which could be that we take parts off the shelf and put this thing together in a way that we think represents best practice. But it's not necessary that we're building all the components in this world journey.

B
Oh right, no, no, absolutely not. I think it would be crazy to re-implement things from scratch when there are perfectly good components out there. I mean, I'm not sure there is an open source way, but if there is, I would say reuse where practical is definitely part of that.

B
I've actually talked with the FRSCA people a little bit, so okay, I'm gonna say some things and I don't mean them to be negative, okay, I truly don't. I'm not sure. Okay.

B
They are getting almost... they have gotten very little pickup, and it's not because people look at FRSCA and say, oh, what a terrible idea, you people are stupid. That's not what anyone is saying. It's "but I'm not cloud native" or "but I already have a tool suite". And so I think they are victims of the problem I just mentioned earlier: in general developers...

B
...won't, you know, after investing years of effort in understanding the tools that they use, they're generally not just going to pick up and swap. I don't think that's a killer, by the way, for the Sterling Toolchain concept, because I think the goal is automation, as I said, to oversimplify to one word. But we need to find a way to help people get from where they are to where we think they want to be, I know.

F
Yeah, so first on FRSCA, I agree with you and I think they would agree as well. And I heard Mike Lieberman, one of the leaders of the FRSCA project, actually, he said the other day that they are thinking of trying to extract the build part of FRSCA so that that could be reused alone and integrated into an existing pipeline, as opposed to just do what you're saying, like, you know, throw away your pipeline, use this one instead, which indeed doesn't fly very well.

F
The other part is, I mean, FRSCA cannot be in any way the whole solution, right, because the toolchain we're talking about encompasses a lot more than what FRSCA even tries to do. Yeah, so I mean things like, you know, the scanning things that are talked about in the Sterling Toolchain document, for now that is not even in scope for FRSCA. And by the way, one more point, the FRSCA thing is, I've heard people say they use it as a reference when they are trying to implement SLSA and try to figure out, okay...

D
As kind of when Microsoft, you know, fleshes out fairly complete samples like Contoso or Northwind, or I'm sure Jay can give you what the latest are. But these are kind of, you know, fully, almost fully implemented examples, but the intent is they're educational in nature. It's not that you're expected to take this thing and deploy it. It's more like this helps you understand how to put things together.

D
So in terms of next steps for Sterling Toolchain, David, is the document you've linked to... is it a process of kind of refining, incorporating comments, kind of whittling that down until it's smooth and shiny, and then once we've got agreement on this concept, we go okay, now let's make it happen?

B
The short answer is yes, okay. I mean, to be honest, I think it's been a... the phrase, if you think you have a problem of, hey, what does Sterling Toolchain mean? Imagine the people who are trying to figure out how to implement it. So.

B
So, as I said, I think there's general agreement that the, you know, automation, but that's actually been the challenge: to try to go from highly abstract, couple-of-words ideas into okay, now what.

F
But so the TAC actually is looking into it now, right? I mean, it's one of the work items that the TAC, the new TAC, has decided to try to tackle. And the way I see it is the governing board basically, you know, had this bright idea and just threw it out and said: hey, TAC, you go figure out what that means and make it happen. And so the TAC is trying to, you know, say: okay, what does it mean, to better frame what that might actually mean. But...

F
The TAC is not going to do that work either, right? So I think once we have a better definition of what the Sterling Toolchain is, the TAC will then figure out okay, who's going to do it, and maybe a new project within the OpenSSF gets started to look into this and actually do the implementation. And there may be multiple ones, because one of the challenges is, you know, having a generic toolchain is not going to work across all the different ecosystems you have.

F
Some architecture that, you know, is applicable across the different frameworks, the different ecosystems, the kind of features you want to have, what functionality should be, you know, implemented by the toolchain. When it comes to the actual implementation, I suspect we may have variations there, so there may be different projects, but, you know, one that focuses on a particular ecosystem and another on another ecosystem, and so on. But this is yet to be defined. I mean, you know, I'm just sharing my thoughts on that.

D
Any other thoughts from the group before we move on from this topic?

B
I need to run to another meeting that I'm also supposed to be in; I'm triple booked. So, all right, thanks.