►
From YouTube: Supply Chain Integrity WG (April 11, 2023)
A
A
A
A
We
started
teaching
the
littles
tennis.
This
weekend
we
even
got
like
a
little
racket
for
the
two-year-old
I
didn't
know
they
made
them
that
small,
it's
it's
pretty
funny.
Obviously
she
doesn't
quite
know
what
to
do
with
it,
but
she
wanted
to
follow
in
big
sister's
footsteps.
So
it's
it's
pretty
funny
to
to
watch
them,
trying
to
hit
a
tennis
ball
Demoin.
What
oh
nice?
A
A
Okay,
so
welcome
to
the
supply
chain.
Integrity
working
group
positioning,
six
and
I'd
like
to
give
some
time
to
newcomers
to
welcome
any
newcomers
that
might
have
that
might
be
wanting
to
learn
more
about
salsa
or
maybe
just
trying
to
figure
out
what
salsa
is
or
what
this
group
is.
Anybody
want
to
speak.
B
B
B
C
A
A
And
I
forgot
to
mention
we
also
are
gonna,
start
doing
a
Fresca
and
s2c2f
sorry.
That
was
my
my
brain.
Going
back
to
my
old
ways.
We
used
to
be
the
salsa
positioning
group
and
then
we
recently
became
the
supply
chain
Integrity
working
group,
so
we
we
do
more
than
just
salsa,
but
right
now
we're
focusing
on
salsa,
because
they're
going
to
have
a
big
release
so
welcome
and
then
I
see:
Chris's
Tech,
busy
environment
lurking
learning,
okay,
reproducible
builds
projects,
so
I'm
sure
you
know
about
salsa,
then
Chris.
A
A
D
Well,
I
just
want
to
say
a
big
thank
you
to
everyone
for
pulling
the
press
release
together.
We
have
it
finalized.
So
a
huge
thank
you
to
all
of
you
here
and
others
who
are
providing
input.
Much
appreciated
so
I
think
we're
on
track
to
release
this
on
April
19th
and
start
our
press
Outreach
this
week.
B
E
A
D
A
D
You
mean
for
the
the
made
the
main
announcement.
Yes
correct.
Yes,
there
is
an
embargoal
until
9
A.M
Eastern
on
the
19th,
so
we
ask
that
you
refrain
from
sharing
and
any
press
we're
also
asking
that
they
don't
publish
until
after
that
time
as
well
on
19th.
But
then,
after
that,
copious
sharing
is
encouraged.
I.
A
E
E
F
E
D
A
A
A
A
A
B
A
So,
okay
awesome
yeah
because
I
I'm
definitely
going
through
and
changing
some
of
the
diagrams.
But
if
anything's
wrong
with
the
blog,
if
something's
missing,
please
do
comment
and
then
we
can
try
to
try
to
fix
it
and
then
I
can
try
to
coordinate
with
Chris
to
see
if
he
can
help
Wordsmith
some
stuff.
E
A
A
After
sorry,
my
hands
are
not
syncing
with
my
brain,
okay,
okay
and
then
this
would
probably
be
the
second
one
so
we'll
get
there.
Oh,
let's
see
the
road
map
it
wasn't
brought
up
yesterday
in
the
spec
meeting,
so
we'll
have
to
defer
that
so
I
just
wanted
to
make
sure
I
kept
that
on,
but
the
sci
Gap
analysis
I
do
have
an
ask
on
slack
on
on
timelines,
not
timeline,
sorry
times
to
meet,
to
do
that.
Sei
Gap
analysis,
slash
panel
prep
for
ossna.
A
A
Nope,
okay
conformance
program:
does
anybody
know
what's
happening
with
the
conformance
program?
That's
pretty
much
it
because
we
know
the
announce
is
coming
and
it
would
be
key
to
have
something
either
on
the
salsa.dev
website
or
in
a
separate
blog
I.
Think
we
even
discussed
maybe
having
a
Blog
around
the
conformance
program
to
start
talking
about
hey.
This
is
coming
and
here's
a
preview
I
could
not
find
it
in
it's
also.dev,
so
I'm
trying
to
understand.
Where
is
the
conformance
program
at
where
do
they
need
help?
E
So
I
did
talk
with
with
Chris.
Briefly
yesterday,
you
know
he's
he's
doing
the
talk
at
the
open
ssf
day
in
Vancouver
on
on
this,
and
so
I
think
nice,
you
know
with
with
1.0
kind
of
I,
think
most
of
Chris's
own,
you
know
he's
not
on
the
critical
path
anymore
for
anything
one
dollar
related,
and
so
his
attention
has
turned
to
this
is
his
next
concern.
B
A
E
B
E
A
A
D
You
mean
you
mean
the
date
of
the
the
open
ssf
day.
Yes,
correct
yeah,
so
the
reasoning
behind
it
was
that
the
get
Ops
con
and
I
can't
remember
exactly
what's
called
cdfcon
was
on
Monday
Tuesday,
so
it
made
it
not
ideal
dates
and
then
supply
chain
security.
Con
is
on
Thursday
and
Friday,
so
didn't
want
to
clash
with
that
either.
So,
basically
that
left
us
with
the
the
start
date,
Wednesday
and
and
really
there
was
no
other
ideal
place
to
drop
it.
A
A
F
In
the
spec
meeting,
we
just
had
a
discussion
around
changing
a
few
of
the
terms
and
the
way,
some
of
the
terms
written
in
definitions
and
everything
that
would
that
basically,
is
going
to
happen.
Like
you
know,
rip
tear
the
Band-Aid
off,
put
it
in
now
before
the
release
of
1.0.
That
way,
we're
not
you
know,
having
to
wait
and-
and
you
know,
run
the
risk
of
those
that
are
that
are
ready
to
implement
not
being
able
to
implement
because
they're
trying
to
to
back
date,
information
so
once
window
releases.
F
A
A
So
it
it
that
that
was
kind
of
my
my
next
go-to
is
hey,
given
that
we
have
this
time,
blocked
should
I
know.
1.0
is
not
officially
released,
but
we
can
still
talk
about
Fresca
and
s2c2f
and
trying
to
figure
out
okay.
How?
How
do
we
prep
for
this
panel
with
respect
to
these
three
I?
Think
there
is
a
diagramming
Society
or
something
like
that
in
open
ssf,
you
know:
do
you
have
a
diagram
that
we
we
can
leverage?
If
not
right?
H
B
H
So
I
actually
wanted
to.
You
know
I'm
glad
you
bring
that
up,
because
I
do
think
we
have
to
to
agree
on
what
we
want
to
achieve
with
that
Panola.
How
we
want
to
get
organized
I
mean
I'm,
just
you
know,
going
to
be
landing
questions
or
raising
questions
for
the
different
members
on
the
panel
to
speak
up.
H
But
you
know
to
to
answer
your
specific
question:
diagram,
Society,
I'm
actually
also
involved
in
that
one
and
I.
Don't
think
we
really
is
going
to
help
us
much
here.
I
mean
we
could
use
that
as
a
general
intro
there
is
I
can
probably
find
it
in
a
few
minutes
and
share
it
with
you.
Conveniently
you
know.
A
H
H
H
H
So
those
of
us
who
are
familiar
with
salsa
will
recognize
some
of
this
diagram
right.
It's
it's
used
in
the
salsa
aspect,
and-
and
so
here,
David
wheeler
I
mean
he
deserves
a
lot
of
credit
for
going
through
all
the
different
projects,
working
groups
and
six
and
figuring
out.
You
know
how
to
represent
those
and
that's
the
best
you're
gonna
get
at
this
point
from
the
diagram
of
society.
H
F
This
is
what
Arnold
was
talking
about
right,
so
he
took
a.
He
took
a
look
at
and
said
this
is
everything
that
we're
doing
and
then
he
said,
Put
it
against
the
original
diagram
that
we
had
for
salsa
when
we
go
into
the
from
developer
to
Consumer
and
then
put
each
one
or
attempted
to
put
each
one
of
the
things
that
we're
working
on
and
how
they
relate
to
the
supply
chain
in
general,
from
A,
cicd,
View
and
yeah.
It's
phenomenal.
H
H
Just
so
you
know
there
is,
the
goal
is
actually
to
try
to
raise
this
to
be
like
the
go-to
kind
of
slide
deck
for
everybody
interested
in
presenting
an
open
ssf,
with
the
expectation
that
people
will
take
it
and
do
whatever
they
want
them
and
not
use
the
whole
deck
as
is
necessarily
but
so
the
this
is
still
in
the
progress.
But
the
intent
is
to
be
able
to
raise
this,
so
it
becomes
more
visible
to
the
opennessf
community,
so
everybody
can
use
it.
That
includes
us,
obviously,
so
go
ahead.
H
H
Talked
about
the
fact
that
we
wanted
to
I
think
this
is
the
italic
stuff
now,
because
some
of
the
groups
are
not
actually
active,
and
that
was
one
of
the
things
we
talked
about
last
week
on
our
call
is
we
should
try
to
reflect
the
fact
that
you
know
not
all
those
are
the
same.
Some
groups
are
much
more
active
than
others.
F
Yeah,
that's
how
we
came
up
with
the
italicized
with
the
brackets.
You
want
to
make
it
to
you
know
for
those
that
are
colorblind
with
one
color
or
another.
We
just
settled
on
italicized
or
bracketed,
or
something
like
that.
As
a
matter
of
fact
do
out.
Here
is
the
apply
some
kind
of
a
legend
somewhere
I.
Think
David
was
gonna
figure
that
part
out,
but
placing
kind
of
a
legend
that
tells
people.
F
A
F
A
A
My
math
coaching
is
is
coming
to
an
end,
so
I'm
trying
to
understand
how
someone
like
myself,
gets
better
prepared
to
answer
questions
on
the
deficiencies,
not
deficiencies,
the
gaps
that
salsa
may
not
cover
currently
versus
s22f,
or
you
know
future
thinking
and
the
same
thing
with
Fresca
trying
to
understand
how?
How
do
we
prep
for
that?
Are
there
any
key
diagrams
Docs
that
we
should
reference.
F
Adrian
is
giving
a
talk
at
a
RSA
and
and
what
they
asked
him
to
do,
and
this
is
the
only
reason
why
I'm
mentioning
this,
because
I
think
it's
probably
one
of
the
most
complete
you
know
talks
because
they
asked
him
to
actually
put
a
lot
of
the
spec
in
the
presentation.
So
he
has
that
there
as
well
so
I
and
so
I.
Have
it's
either
that's
either
in
the
notes
or
or
up
in
the
GitHub,
so
so
between
the
the
actual
spec.
F
That's
up
right
now,
the
you
know
we
did
a
few
issues
that
are
up
as
well,
that
that
we're
that
we're
currently
going
through
and
working
out
and
then
there's
the
his
conference
notes
and
all
that
kind
of
stuff.
Those
things
should
be
able
to
get
you
get
you
well
get
you
dug
in
enough.
So
when
you
join,
you
know
your
your
you're
impactful
yeah
I
mean
like
that.
I
mean
that
that's
that's
it
thus
far.
F
A
B
A
A
G
There
haven't
really
had
much
interest
from
developers
who
were
interested
in
contributing
to
the
project
and
really
that's
I,
think
still
the
number
one
thing
that
we
we
need
to
have
you
know
if
folks
are
not
interested
they're,
not
interested,
but
yeah
I
mean
I.
Think
on
on
that
end,
you
know.
My
priorities
have
shifted.
A
little
bit
like
I
can
still
contribute
to
Fresca
and
still
maintain
Fresca,
but
it's
too
much
work.
G
If
it's
I'm
the
only
person
who
is
who's
doing
that,
or
primarily
the
only
person
who's
who's
doing
that
there
was
some
somebody
from
miter
said
they
might
be
interested
a
few
folks
from
VMware
said
they
might
be
interested.
But
at
this
point
might
Is
Not
Really
Gonna
move
the
needle
on
it.
So
you
know
I'm
I'm
gonna,
give
it
I,
don't
know
another
week,
maybe
two
and
I'm
at
least
on
my
end,
I'm
gonna
call
it.
A
G
H
I
think
it's
fine
to
say:
look,
you
know
conceptually
that's
what
the
panel
is
about
right,
I,
don't
know
how
much
we're
going
to
get
in
the
details,
but
it's
okay
to
you
know
the
way.
I
Envision
thing
is
sorry.
I
didn't
mean
to
interrupt
you
Mike,
but
you
know
it's.
We
we
have
the
way
we
presented.
We
have
40
minutes
right,
so
we're
going
to
do
a
bit
of
intro.
If
each
person
introduces
themselves,
then
I
can
give
like
a
quick
intro
on
the
working
groups,
the
different
pieces.
H
We
have,
you
know
probably
building
on
the
deck
that
we
just
looked
at.
You
know
at
a
high
level.
What
are
the
different
pieces
we're
talking
about
and
then
each
and
every
one
of
you
could
talk
more
deeply
on
each
piece
and
there
Mike
you.
The
point
is
to
this
describe
what
Fresca
is
about
and
then
you
can
get
into
a
little
bit
of
the
status
and
it's
totally
fine
to
say,
okay,
well
or
not,
that's
also
one
zero
and
by
the
way,
we're
interested
in
you
know
getting
help.
H
H
G
G
A
Okay,
yeah
yeah:
this
was
I
need
to
click
on
that
yeah.
That
was
a
talk.
I
was
referencing,
sorry,
I,
don't
know,
I
wasn't
specific,
because
we
we
did
want
a
more
Hands-On
approach
that
you
know.
If
somebody,
if,
if
Mike
is
demoing,
you
know
doing
a
salsa
compliant
build
with
some
random
GitHub
repo
or
test
repo
that
if
somebody
in
the
audience
had
their
laptop,
they
could
do
the
same.
A
H
Well,
the
the
the
way
we
set
it
up
right
is
that
we,
you
know,
if
you're
an
external
party,
you
hear
about
open,
ssf
you're
here,
but
it's
just
starting
to
look
into
it.
You're
going
to
see
this
like
alphabet
soup
and
you're
going
to
be
like
okay,
what
do
I
do
with
all
that
right
and
our
goal
should
be
that
at
the
end
of
the
pan,
all
people
have
a
better
understanding
of
the
different
acronyms
what
they
mean
and
how
they
relate
to
one
another
that
that's
my
view
on
this.
A
A
H
A
A
G
I
was
just
saying:
yeah
I,
think
I
mean
you
know
that
very
very
the
the
very
simple
difference
is
just
is
that
you
know
the
stuff
that
falls
under
salsa
itself
is
just
examples
coming
from
the
salsa
project.
You
know,
whereas
Fresca
is
it's
also
compliant,
but
it's
not
specifically
a
tool
built
to
show
off
salsa,
whereas
the
tools
within
those
projects
are
specifically
to
you
know,
show
off
salsa
maintained
by
the
salsa
community.
F
All
right
so
I'm
I'm
putting
in
here
where
they're
at
currently
and
I'm
not
sure
what
this
is
an
old
version
or
the
or
the
most
current
but
I
know.
As
of
the
last
bit
of
notes,
they
were
done
with
with
putting
up
a
diagram
of
a
large-scale
architecture
and
what's
coming
up
next,
is
to
do
a
threat
model
against
it.
F
The
threat
modeling
against
it,
but
I'll
put
that
here
in
the
chat
from
the
end
users
group.
So
this
is
just
basically
the
architectures
that
you
know
the
diagrams
of
the
architectures
that
they
that
they
put
up
to
do
threat
models
against,
so
direct
models
are
coming.
They
haven't
gotten
to
that
part
yet,
but
that's
on
the
horizon.
F
A
D
H
G
Yeah,
so
so
the
idea
is,
you
see
all
those
boxes
and
all
those
different
things.
Imagine
if
you
had
a
suite
of
tools
that
would
plug
in
to
the
sdlc
the
the
Sterling
tool
chain
is,
is
only
been
talked
at
the
governing
board.
So
there's
a
couple
of
presentations
on
it.
I've
shared
it
a
couple
of
times,
I
I
I,
know
that
let
me
I'll
see
if
I
can
find
the
link
to
to
the
presentation
it
does.
G
It
hasn't
been
called
out
specifically
as
the
Sterling
tool
chain
has
just
been
what
people
have
been
calling.
What
people
have
been
saying
is
the
name,
but
basically
the
the
idea
would
be
all
those
boxes
you
see
above
around,
like
the
sdlc
and
and
and
and
probably
even
Beyond.
This
like
secure
development,
secure
everything
else
like
what
what
sorts
of
things
would
need
to
be
done
to
sort
of
fit
into
those
boxes
right,
so
you
can
imagine.
G
G
Maybe
you
know
like
some
vs
code
plugin,
helps
with
secure
development,
and
all
of
these
things,
combined
plus
a
bunch
of
configuration
around
them,
would
be
that
Sterling
tool
chain.
There's
a
couple
of
problems
with
that
right,
which
is
anybody?
Can
you
know
just
sort
of
say:
hey:
here's,
a
set
of
tools,
that'll
help
you
out,
it's
really
the
glue
code
that
that
makes
them
all
work
together.
G
That's
the
hard
part
and
one
of
the
things
that
has
been
pretty
consistent
across
the
board,
that,
as
we've
seen
in
the
open
source
Community,
if
you
have
a
new
project,
that's
code
and
you
know
like
hey:
I,
have
a
new
go
project
or
something
like
that.
People
want
to
work
on
that.
If
you
have
something,
that's
like.
Oh
I
have
a
vs
code
plugin
that
pulls
the
policy
from
this
other
thing
and
the
policy
shared
across
here
here
and
here-
and
you
know
that's
what
those
sorts
of
projects
are
not
like.
A
G
H
Meant
to
describe
like
a
whole
chain
of
tools,
specific
tools,
how
they
combine
together
and
all
that
and
in
fact,
I
mean
I
heard
it
from
David
William
himself
that
you
know
he
said
the
the
so-called
Sterling
tool
chain
might
be
a
set
of
tool
chains,
because
you
also
have
to
account
for
the
fact
that
there
are
different
programming
languages.
The
different
tools
may
not
apply
to
different.
You
know
certain
languages.
H
It's
not
like
every
tool
in
the
chain
is
going
to
be
language
neutral
right
and
when
you
deal
with
like
programming
languages,
they
all
have
their
own
package
packaging
system,
for
instance,
ecosystem
with
different
tools.
So
it's
hard
to
accommodate
for
all
of
that.
In
a
way,
that's
completely
generic.
G
So
that's
one
challenge
like
this.
What
we're
building
here
is
not
going
to
be
used
wholesale
by
your
average
enter
large
Enterprise,
but
one
of
the
things
that
people
are
saying
is
that
your
small
companies
are
not
like
your
small
devs,
the
your
your
smaller
sort
of
software
firms
that
are
selling
potentially
their
software
to
large
larger
organizations.
They
want
to
say
how
do
I
prove
s2c2f,
salsa,
yada
yada.
G
B
A
H
A
H
G
G
B
C
One
comment:
I,
just
posted
a
link
in
the
chat
to
Google
Docs
document
that
will
send
out
to
yeah.
Well,
where
did
I
get
this
from
I?
Think
crowbe
created
an
issue
on
in
the
tech
repo
saying
that
the
tag
and
some
other
folks
have
started
to
have
conversations
around
that
concept
and
honestly
I
still
have
to
read
that
document
myself
it's
in
my
to-do
list,
but
so
some
of
the
tech
people,
if
not
all
I,
don't
know,
have
had
conversations
around
that.
Oh
it's
14
pages.
C
H
B
A
B
B
A
A
Okay,
I'll,
give
you
all
three
minutes
back
to
your
day
and
I'll
sync
with
the
panel
folks
offline
to
start
getting
some
meetings
set
up
so
that
we
can
continue
these
conversations.
I
appreciate
everyone
that
joined
and
hung
around
for
these
panel
talks
and
your
contributions
today.
Thank
you,
George.
Oh,
wait.
Wait!
Oh
wait!
Oh
I
can't
remember
the
pronunciation
now.