From YouTube: Supply Chain Integrity WG (April 11, 2023)

A: Okay, so I know some people are stragglers, but if you don't have the link, please sign in. And this was supposed to be... I don't need to fix this earlier.

A: We started teaching the littles tennis. This weekend we even got a little racket for the two-year-old. I didn't know they made them that small; it's pretty funny. Obviously she doesn't quite know what to do with it, but she wanted to follow in big sister's footsteps. So it's pretty funny to watch them trying to hit a tennis ball. Demoing? Oh, nice!

A: Oh, good luck on your demo, and this working group, yeah, I will be there. Okay, I think we can go ahead and get started. I'm gonna post a link one more time for folks that don't have the link to the meeting notes.

A: Okay, so welcome to the Supply Chain Integrity working group, positioning SIG, and I'd like to give some time to newcomers, to welcome any newcomers that might be wanting to learn more about SLSA, or maybe just trying to figure out what SLSA is or what this group is. Anybody want to speak?

C: Yeah, hi, I'm with Ericsson, just doing exactly what you just said: I'm listening in because I haven't joined this group before and I'm just interested in what you're doing.

A: So, welcome. Yeah, and George, right? Is that how you pronounce your name?

C: I know what SLSA is, certainly, but I haven't joined any previous SLSA working group meetings or...

A: And I forgot to mention we also are gonna start doing FRSCA and S2C2F, sorry. That was my brain going back to my old ways. We used to be the SLSA positioning group and then we recently became the Supply Chain Integrity working group, so we do more than just SLSA, but right now we're focusing on SLSA because they're going to have a big release. So welcome. And then I see Chris's text: busy environment, lurking, learning, okay, Reproducible Builds project, so I'm sure you know about SLSA then, Chris.

A: Let me put this in here. Well, welcome! Welcome again. We're trying to finish the SLSA 1.0 comms; that's kind of our first priority, should be coming up here soon, and then we can start focusing efforts elsewhere.

A: Definitely S2C2F is on my mind, and FRSCA. So for SLSA 1.0 comms, Jennifer, do you have any updates? Do you need anything from us?

D: Well, I just want to say a big thank you to everyone for pulling the press release together. We have it finalized. So a huge thank you to all of you here and others who are providing input. Much appreciated. So I think we're on track to release this on April 19th and start our press outreach this week.

E: Thank you so much; you've done just such a terrific job putting all this together. I really appreciate it and I'm so excited for next week.

A: Awesome, yeah, and again, let us know if you need anything else. Right, I know there's also one that all comes... is also, you know, blogs, the SLSA perspective, and a reminder for folks on the call: there's a, oh, I forget, embargo period, right?

D: You mean for the main announcement? Yes, correct. Yes, there is an embargo until 9 A.M. Eastern on the 19th, so we ask that you refrain from sharing, and any press, we're also asking that they don't publish until after that time as well on the 19th. But then, after that, copious sharing is encouraged.

A: I thought there was a one-week or two-week grace period after OpenSSF announces 1.0 that you would like people to also adhere to. Yes?

D: So, sharing of the main announcement we encourage, and I'll be in touch with each of the companies that provided a quote with a little graphic, kind of throwing that into a graphic for sharing. But for announcements related to SLSA 1.0 that are company-specific, we're asking for a one-week hold period.

E: I think that's awesome, and I'm a huge fan of having OpenSSF be the center of gravity for this and have that opportunity to have clear air for a week. So again, thanks for pulling it all together.

D: Yes, thank you for clarifying that, Isaac. It's kind of to have us all moving forward in the same direction, getting momentum behind the main announcement and kind of building that recognition and excitement without kind of clouding the waters, yeah.

A: Okay, awesome. So for the blogs, I know Mike, you released one blog about the tracks; seems like it's getting some good traction. I think the other blogs, there was the build versus source that I think we were wanting to do afterwards.

A: Does anybody disagree on releasing this one next?

A: We still have a little bit of work to do on the build versus source. What are the team's thoughts?

A: Okay, there's no objections, no yay or nay, so I'll just put it on here for the next release: build versus source. Let's see, when did you release yours, Mike? Was it last Monday?

A: Let me see, April 3rd, yeah, okay, so let's see if we can get this out.

A: Maybe it has some work to do, or there's some work to do on the blog itself. I'm almost done changing some of the diagrams. I think only myself, Chris and Mike have reviewed the document or provided feedback. So obviously we'd want more feedback before we put it into an official PR.

A: So, okay, awesome, yeah, because I'm definitely going through and changing some of the diagrams. But if anything's wrong with the blog, if something's missing, please do comment, and then we can try to fix it, and then I can try to coordinate with Chris to see if he can help wordsmith some stuff.

A: Okay, Isaac, to YouTube... and I welcome everybody on the call as a reviewer of the blog, so that way we can try to get it out this week. If not, then we'll have to wait a couple days after the announce, so try to get it out this week.

A: After... sorry, my hands are not syncing with my brain. Okay, okay, and then this would probably be the second one, so we'll get there. Oh, let's see, the roadmap: it wasn't brought up yesterday in the spec meeting, so we'll have to defer that. So I just wanted to make sure I kept that on. But the SCI gap analysis: I do have an ask on Slack on timelines, not timeline, sorry, times to meet to do that SCI gap analysis slash panel prep for OSSNA.

A: So if you can respond to that, that would be fantastic. Before I get to the conformance program, is there anything else that people want to bring up that's not on the agenda?

A: Nope, okay. Conformance program: does anybody know what's happening with the conformance program? That's pretty much it, because we know the announce is coming and it would be key to have something either on the slsa.dev website or in a separate blog. I think we even discussed maybe having a blog around the conformance program to start talking about, hey, this is coming and here's a preview. I could not find it on slsa.dev, so I'm trying to understand: where is the conformance program at, where do they need help?

E: So I did talk with Chris briefly yesterday. You know, he's doing the talk at the OpenSSF Day in Vancouver on this, and so I think, nice, you know, with 1.0 kind of... I think, most of Chris's own, you know, he's not on the critical path anymore for anything 1.0-related, and so his attention has turned to this as his next concern.

A: But that's good to know that he has a talk, which I'm a little sad that it's during the same day; it's not the previous day of the conference. It's the same day it starts. Tag on the doc, should I get updates from...

E: ...to learn that as well. I just learned that yesterday, that it's on the first day, yeah.

D: You mean the date of the OpenSSF Day? Yes, correct, yeah. So the reasoning behind it was that GitOpsCon and, I can't remember exactly what it's called, cdCon, was on Monday, Tuesday, so it made those not ideal dates, and then Supply Chain Security Con is on Thursday and Friday, so we didn't want to clash with that either. So, basically that left us with the start date, Wednesday, and really there was no other ideal place to drop it.

D: But this way it avoided overlapping with some things that we didn't want it to clash with.

A: Got it, okay, thanks for that insight. That makes sense now. I was like, why? I would have happily come in much earlier for OpenSSF Day, but that makes sense now. Okay, any other topics?

A: No, so then what I would suggest, as I do have key people on this call for the SCI gap analysis slash panel... oh, go ahead, Jake.

F: Yeah, I would say that those of us who are giving that panel discussion, yes, ketchup, mustard and relish, yes, once 1.0 becomes a reality, we should sit down and really take in 1.0 in its entirety, so that when we're up there giving this panel discussion, we're not speaking to old versus new there.

F: In the spec meeting we just had a discussion around changing a few of the terms and the way some of the terms are written in definitions and everything that would, that basically is going to happen. Like, you know, rip the Band-Aid off, put it in now before the release of 1.0. That way we're not having to wait and run the risk of those that are ready to implement not being able to implement because they're trying to backdate information. So once 1.0 releases...

F: We want to make sure that we have our talking points and our information right going into that panel discussion, in case there are any questions that are related directly, you know, some of them related directly to the changes that we're getting ready to do here over the next week or two.

A: So that was kind of my next go-to: hey, given that we have this time blocked, should I... I know 1.0 is not officially released, but we can still talk about FRSCA and S2C2F and try to figure out, okay, how do we prep for this panel with respect to these three? I think there is a Diagramming Society or something like that in OpenSSF. You know, do you have a diagram that we can leverage? If not, right?

H: So I actually wanted to... you know, I'm glad you bring that up, because I do think we have to agree on what we want to achieve with that panel, how we want to get organized. I mean, I'm just, you know, going to be landing questions or raising questions for the different members on the panel to speak up.

H: But, you know, to answer your specific question: Diagram Society, I'm actually also involved in that one, and I don't think it really is going to help us much here. I mean, we could use that as a general intro. There is... I can probably find it in a few minutes and share it with you. Conveniently, you know.

H: The thing that we have the most ready to use is: there's a slide deck that David Wheeler mostly maintains, and it does use basically the SLSA CI/CD pipeline with the threats to position the different working groups and SIGs that are, you know, of OpenSSF.

H: A meeting last week where we took, you know, another pass at smoothing out some of the details on the diagram, and we could use that. Yeah, there you go. Thank you, Jay.

H: So those of us who are familiar with SLSA will recognize some of this diagram, right. It's used in the SLSA spec, and so here David Wheeler, I mean, he deserves a lot of credit for going through all the different projects, working groups and SIGs and figuring out, you know, how to represent those, and that's the best you're gonna get at this point from the Diagram Society.

F: This is what Arno was talking about, right? So he took a look at it and said this is everything that we're doing, and then he said, put it against the original diagram that we had for SLSA when we go from developer to consumer, and then put each one, or attempted to put each one, of the things that we're working on and how they relate to the supply chain in general, from a CI/CD view. And yeah, it's phenomenal.

A: Yeah, if you can share the link, Jay, that would be really, really good.

H: Just so you know, the goal is actually to try to raise this to be like the go-to kind of slide deck for everybody interested in presenting on OpenSSF, with the expectation that people will take it and do whatever they want with it and not necessarily use the whole deck as is. So this is still in progress. But the intent is to be able to raise this so it becomes more visible to the OpenSSF community, so everybody can use it. That includes us, obviously. So go ahead.

A: No, thanks for that, and I'm gonna put the link to this... thanks, Jay, for sharing the link; it's here so that people can have it. Yeah, I've seen this; it's slightly different from last year's, I think.

H: Talked about the fact that we wanted to... I think this is the italic stuff now, because some of the groups are not actually active, and that was one of the things we talked about last week on our call: we should try to reflect the fact that, you know, not all those are the same. Some groups are much more active than others.

F: Yeah, that's how we came up with the italicized with the brackets. You want to make it, you know, for those that are colorblind with one color or another, we just settled on italicized or bracketed, or something like that. As a matter of fact, do we... here is the... apply some kind of a legend somewhere. I think David was gonna figure that part out, but placing kind of a legend that tells people.

A: That might be something that we might want to overlay with these three, just thinking outside of the box. And let me delete some of these annotations; they're horrible.

A: So Jay, are you able to grab the... in the supply chain attack reference architecture, do they have a diagram?

F: Yeah, let me see if I can't pull something up right now.

F: Right now also, you know, I'm currently working on, and I keep saying this, and of course, you know, one day I'll actually get to finish it, but I'm working on a proposal to try to pull out a taxonomy, an actual taxonomy SIG, to help with that taxonomy effort.

F: I'm not sure whether that'll encompass the attack reference architecture, but let me see if I can't pull that up. Okay.

A: So from an S2C2F and FRSCA perspective, right, these are two weaknesses. Pretty soon I'll be able to join the S2C2F meetings.

A: My math coaching is coming to an end, so I'm trying to understand how someone like myself gets better prepared to answer questions on the deficiencies, not deficiencies, the gaps that SLSA may not cover currently versus S2C2F, or, you know, future thinking, and the same thing with FRSCA. Trying to understand, how do we prep for that? Are there any key diagrams, docs that we should reference?

F: Adrian is giving a talk at RSA, and what they asked him to do, and this is the only reason why I'm mentioning this, because I think it's probably one of the most complete talks, because they asked him to actually put a lot of the spec in the presentation. So he has that there as well, so I have it. It's either in the notes or up in the GitHub. So between the actual spec...

F: That's up right now; you know, we did a few issues that are up as well that we're currently going through and working out, and then there's his conference notes and all that kind of stuff. Those things should be able to get you dug in enough so when you join, you're impactful. Yeah, I mean, that's it thus far.

F: So we got that type of stuff discussed today, and, you know, so whenever you come in, you'll be well prepared. With those items, you'll be well prepared to dig in.

A: Let me put this here. Okay, thanks for that, and remind us again when that meeting is; it's at two Central, right?

F: Two Central, yep, it's, well, 12 Pacific, two Central today.

A: Eastern... I'll have to look at my calendar. Yeah, okay, awesome, okay. What about FRSCA? Mike, I know you did the blog post, but I'm sure there's more to FRSCA than the blog post.

G: So yeah, still looking at getting feedback before, and also looking at, you know, which path it makes sense to sort of release that under, whether it's under the official OpenSSF blog or some other mechanism to sort of get that out there, that call to action. But yeah, still looking for some feedback.

G: There hasn't really been much interest from developers who were interested in contributing to the project, and really that's, I think, still the number one thing that we need to have. You know, if folks are not interested, they're not interested, but yeah, I mean, I think on that end, you know, my priorities have shifted a little bit. Like, I can still contribute to FRSCA and still maintain FRSCA, but it's too much work.

G: If I'm the only person who's doing that, or primarily the only person who's doing that. There was somebody from MITRE said they might be interested, a few folks from VMware said they might be interested. But at this point "might" is not really gonna move the needle on it. So, you know, I'm gonna give it, I don't know, another week, maybe two, and at least on my end, I'm gonna call it.

A: Okay, so I know that we have that talk, or the tooling to show, you know, a SLSA-compliant build. I think it's SLSA level two or three; I can't remember what we put in the abstract. Hello?

H: I think it's fine to say: look, you know, conceptually that's what the panel is about, right. I don't know how much we're going to get into the details, but it's okay to, you know... The way I envision the thing is... sorry, I didn't mean to interrupt you, Mike, but, you know, the way we presented it, we have 40 minutes, right, so we're going to do a bit of intro. If each person introduces themselves, then I can give like a quick intro on the working groups, the different pieces.

H: We have, you know, probably building on the deck that we just looked at, you know, at a high level, what are the different pieces we're talking about, and then each and every one of you could talk more deeply on each piece, and there, Mike, you... the point is to describe what FRSCA is about, and then you can get into a little bit of the status, and it's totally fine to say, okay, well, or not, that's SLSA 1.0, and by the way, we're interested in, you know, getting help.

G: Yeah, so I think one of the things that... that's also, I think, for the panel, yeah, that's fine. I think the thing is we also have a talk that's supposed to be more of... I think I'm the one giving that talk, that's more on just sort of the tooling for SLSA.

G: You know, SLSA stuff, and I think on that, you know, I think we had expected 1.0 to go out a little earlier, which would have meant that we probably would have had support for SLSA 1.0, yeah, because I think this is the talk that's going to be a bit more of an actual demo. Okay.

A: Okay, yeah, yeah: this was... I need to click on that, yeah. That was the talk I was referencing, sorry, I don't know, I wasn't specific, because we did want a more hands-on approach, that, you know, if Mike is demoing doing a SLSA-compliant build with some random GitHub repo or test repo, that if somebody in the audience had their laptop, they could do the same.

A: Okay, okay, and to your point, Arno, you are correct about the questions. Questions for the panel, that I guess would depend on our goal for the panel, right. If I go back to the schedule, all I have to do is look for ketchup.

H: Well, the way we set it up, right, is that, you know, if you're an external party, you hear about OpenSSF, you're here, but you're just starting to look into it. You're going to see this, like, alphabet soup and you're going to be like, okay, what do I do with all that, right? And our goal should be that at the end of the panel, people have a better understanding of the different acronyms, what they mean and how they relate to one another. That's my view on this.

A: Where's the... let's see, yeah, I know, that's a question. Oh, what did you... did you get the question, Mike, about the difference between the SLSA tooling versus FRSCA?

G: I was just saying, yeah, I think, I mean, you know, the very simple difference is just that, you know, the stuff that falls under SLSA itself is just examples coming from the SLSA project. You know, whereas FRSCA is also compliant, but it's not specifically a tool built to show off SLSA, whereas the tools within those projects are specifically to, you know, show off SLSA, maintained by the SLSA community.

F: All right, so I'm putting in here where they're at currently, and I'm not sure whether this is an old version or the most current, but I know, as of the last bit of notes, they were done with putting up a diagram of a large-scale architecture, and what's coming up next is to do a threat model against it.

F: The threat modeling against it, but I'll put that here in the chat from the End Users group. So this is just basically the architectures, you know, the diagrams of the architectures that they put up to do threat models against, so threat models are coming. They haven't gotten to that part yet, but that's on the horizon.

F: I was checking to see if they had done it somewhere else, if there was a different doc that was generated somewhere else, but there isn't. That is the doc that was being worked from.

F: Small-scale architecture, an example large-scale, and the next thing is to do a threat model against both, or the large-scale architecture.

A: What other questions do you think the audience is going to want to know, or rather know answers to, during the panel based off of what we said? How to use, how to start leveraging; I think that's going to be key. I think people are going to think that each one has their own tooling.

A: Right, this is what we said that we would talk about, so we definitely need to make sure that we touch on these.

G: Yeah, that was supposed to sort of highlight the end-to-end picture of, like, what is required to secure your SDLC. I mean, I have stuff that I... like, I know the answer to this question, but I don't think the majority of folks who were looking at us know the answer to this question.

G: Yeah, so the idea is, you see all those boxes and all those different things. Imagine if you had a suite of tools that would plug in to the SDLC. The Sterling Toolchain has only been talked about at the governing board. So there's a couple of presentations on it. I've shared it a couple of times. I know that... let me, I'll see if I can find the link to the presentation. It does...

G: It hasn't been called out specifically as the Sterling Toolchain; that's just been what people have been calling it. What people have been saying is the name, but basically the idea would be all those boxes you see above around, like, the SDLC, and probably even beyond this, like secure development, secure everything else: what sorts of things would need to be done to sort of fit into those boxes, right, so you can imagine...

G: Oh, FRSCA maybe fits into the build piece, right, and then, like, the arrows are probably the specifications for stuff. Like, you know, S2C2F, SLSA, yeah, Scorecard helps with securing, like, what you're pulling in, what code you're pulling in, or, you know, whatever.

G: Maybe, you know, like some VS Code plugin helps with secure development, and all of these things combined, plus a bunch of configuration around them, would be that Sterling Toolchain. There's a couple of problems with that, right, which is: anybody can, you know, just sort of say, hey, here's a set of tools that'll help you out. It's really the glue code that makes them all work together.

G: That's the hard part, and one of the things that has been pretty consistent across the board, that, as we've seen in the open source community, if you have a new project that's code, and, you know, like, hey, I have a new Go project or something like that, people want to work on that. If you have something that's like, oh, I have a VS Code plugin that pulls the policy from this other thing and the policy's shared across here, here and here, and, you know, that's what those sorts of projects are not like.

G: We haven't found a lot of folks who seem interested in building that out. That's been a challenge.

A: I had it, yeah. If you can provide a link to the presentation; you mentioned it, I think, earlier in a different meeting, but there's not a link, so that would be good for my own education. But it sounds like just eating our own dog food. That's...

H: Meant to describe, like, a whole chain of tools, specific tools, how they combine together and all that. And in fact, I mean, I heard it from David Wheeler himself that, you know, he said the so-called Sterling Toolchain might be a set of toolchains, because you also have to account for the fact that there are different programming languages. The different tools may not apply to certain languages.

H: It's not like every tool in the chain is going to be language-neutral, right, and when you deal with, like, programming languages, they all have their own packaging system, for instance, ecosystem with different tools. So it's hard to accommodate for all of that in a way that's completely generic.

G: It's making it, yeah, it's making it consistent, right. Like, so one of the big reasons, when I spoke to a few of the members of the governing board on this, one of the big reasons they wanted it is two things. One is they wanted to show, once again, similar to how FRSCA is an example of what a secure build could be, and we could show people, like, yeah, if you use SPIFFE/SPIRE, if you use Tekton and Tekton Chains and so on. It doesn't actually call out... actually, it does call out Sterling Toolchain at the top in the first or second slide. I guess the thing there, right, is your average giant enterprise is going to build it themselves or hire a big consultancy to help build out their secure SDLC. They're gonna say, yeah, give us, you know, VS Code plugins and IDEs and secure build tools for this, that and the other thing, and they will configure it and build all the glue for it.

G: So that's one challenge, like this, what we're building here, is not going to be used wholesale by your average large enterprise. But one of the things that people are saying is that your small companies, not like your small devs, your smaller sort of software firms that are potentially selling their software to larger organizations, they want to say, how do I prove S2C2F, SLSA, yada yada?

G: That, right, and so that's supposed to be where the Sterling Toolchain would come in to help out, because, you know, getting all of these smaller firms to build their own secure SDLC is gonna be difficult. So that's kind of some of the reasoning behind it, but there are so many caveats, there's so many potential challenges, as Arno brought up, like, you know, it's going to look different for Rust than it is going to be for C, is going to be different than Java, is gonna be different than Node, and getting those things consistent is going to be a huge open source undertaking. And as of right now, the thing that I think I'm worried about is that people have been talking about it now for five months and still there's no meetings on it.

A: Yeah, it is weird that that's in a different group, not under this working group, but I see this as documentation.

H: OpenSSF is also hiring, what is it, a Chief Architect, supposed to try to help us with this.

G: Yeah, the last I saw, the req is still up. I don't know if they're interviewing candidates, but...

C: One comment: I just posted a link in the chat to a Google Docs document that will... send out to, yeah. Well, where did I get this from? I think CRob created an issue in the TAC repo saying that the TAC and some other folks have started to have conversations around that concept, and honestly I still have to read that document myself; it's in my to-do list. But so some of the TAC people, if not all, I don't know, have had conversations around that. Oh, it's 14 pages.

C: That's probably why I didn't read it yet. So, but in general I agree, there's more concept than content, but honestly that might be something that sheds some light on this Sterling Toolchain thing.

H: But so I think, to get back to where we started, I think Mike brought it up because, you know, when we're talking about tools, and... but people need to be aware of when they want to try to get into this space.

A: Yeah, so when is everyone arriving? I'm arriving Monday night because it was the only direct flight from Austin, versus being on a plane for like eight to ten hours on Tuesday. So when are folks arriving?

F: I'll be there on Tuesday.

A: Okay, Tuesday arrivals. I'll have to ask them, because we could potentially just practice in person, maybe the day before, just one go. Okay, anything else? Because we're coming up on time; it's three minutes.

A: Okay, I'll give you all three minutes back to your day, and I'll sync with the panel folks offline to start getting some meetings set up so that we can continue these conversations. I appreciate everyone that joined and hung around for these panel talks and your contributions today. Thank you, George. Oh, wait. Wait! Oh, wait! Oh, I can't remember the pronunciation now.