►
From YouTube: Supply Chain Integrity WG (May 2, 2023)
B
A
D
C
C
B
A
C
B
B
I
think
one
of
the
things
just
some
additional
piece
of
the
one
of
the
things
on
the
agenda
for
salsa
1.0
feedback-
I,
don't
know
if
folks
other
than
myself
have
been
here
hearing
anything
from
this,
the
salsa
1.0
side,
largely
as
I
sort
of
mentioned
last
week,
a
little
bit
salsa
one
point:
feedback
has
largely
been
pretty
good.
You
know
a
lot
of
great
feedback
from
kubecon.
E
B
Yeah
I'll
continue
on
so
I
think
you
know,
I
think
the
big
things
are
still
kind
of
repeats
from
the
last
couple
of
weeks
were:
salsa
1.0
seems,
you
know,
looks
pretty
good,
but
there's
not
really
a
lot
of
great
1.0
examples
yet
and
so
things
around
the
tooling
around
1.0
could
be
potentially
improved.
There
I
know
that
there
is
some
I
know,
there's
an
npm
one,
that's
being
planned
a
GitHub
action
on
that
and
there's
some
other
tools
that
are
being
built
out.
B
One
of
the
other
big
pieces
of
feedback,
which
seemed
to
be
a
point
of
Confusion,
And
I
think
it's
something
that
we
just
need
to
do.
A
better
job
at
is
a
lot
of
folks
are,
are
still
very
confused
that
they
think
salsa
is
primarily
a
SAS
framework
which
it
isn't
it
supports.
Sas,
which
I
think
is,
is
a
key
feature
because
I
know
a
lot
of
Frameworks
just
assume
you
are
operating
anything
and
everything
yourself
and
I.
B
Think
having
that
information
and
highlighting
like
salsa
can
help
support
these
other
things,
assuming
that
those
those
infrastructure
providers
or
service
providers
are
attesting
to
or
sorry
like,
certifying
or
providing
conformance
to
certain
things.
I
think
that's
important,
but
I
know
that
you
know
there's
there's
a
lot
of
confusion
on
you
know:
hey
I'm,
a
small
software
vendor
who
doesn't
use
GitHub
actions
can
I
be
salsa
compliant
or
it's
also
conformant.
I
think
that
sort
of
thing
needs
to
be
addressed.
B
I
I
think
that
could
probably
be
addressed
in
a
couple
of
blog
articles
or
a
little
bit
of
documentation,
kind
of
highlighting
the
different
areas,
assaults
and
how
folks
can
sort
of
provide
that
information?
And
that's
that's,
I,
think
the
big
things
that
I
was
hearing
over
the
past
couple
of
weeks.
C
E
E
E
You
know
that
they've
developed
it
with,
of
course,
with
other
public
Publications
and
standards
develop
their
own
development
life
cycles
and
they're
and
they're
they're
saying
well.
No,
our
developers
are
only
going
to
follow
one
thing,
and
you
know
we've
developed
this
thing
that
they're
following
you
know
from
from
end
to
end,
and
you
know
no
we're
not
I
went
unsure
about
something
that
we're
going
to
bring
in
that's
gonna
change.
How
we
do
things
part
of
the
things
that
I've
been
echoing
to
them
is
this
is
not
about
war.
It's
been.
E
This
can
be
an
end
right
and
I
think
that
it
might
be
a
good
job
for
for
us
to
help
articulate
something
like
that.
What's
the
end
right
so
saying
that
you
know
through
doing
through
doing
what
you
currently
do,
save
for
a
few
I've
and
I'll
say
this
being
a
person.
Who's
actually
had
to
audit
some
of
these
things
and
also
provide
advisory
towards
some
of
these
things
and
in
two
different
lives.
E
You
can,
then
you
can
then
attest
to
meeting
or
attest
to
conforming
to
or
testing
of
to
some
of
to
some
to
a
salsa
level
right.
Something
like
that.
So
it's
it's
us
being
able
to
properly
articulate
stuff
like
that.
That
might
make
it
a
hell
of
a
lot
better
for
a
lot
of
these
dare
I,
say
a
larger
organizations
who
have
who
have
their
you
know
to
say
to
say
something
like
teaching.
B
Yeah
I
definitely
agree
with
that
and
I
think.
That's
that's
something.
That's
also
gone
beyond
just
purely
the
salsa
side
as
well.
Right,
I
think
it's
something
that
actually
we
we've
noticed
in
the
cncf
with
the
supply
chain.
Working
group
that
we
have
there
is
a
lot
of
folks
are
looking
at
a
lot
of
the
standards
and
Frameworks
that
are
coming
out
and
they
say.
Oh,
this
is
a
I
use.
B
You
know,
I
use,
salsa
or
I
use
this
other
thing
and
a
lot
of
times
like
no.
No,
it's
it's
you're
doing
a
lot
of
this
other
stuff
and
in
addition
to
that,
I
think
the
thing
that
that
folks
often
need
to
recognize
is
like-
and
you
know,
I've
worked
at
a
very,
very
large
Banks,
for
example,
and
one
of
the
things
there
is
they,
you
know,
there's
a
lot
of
confusion
in
some
areas,
but
generally
the
way
that
they
sort
of
view
something
like
salsa
is
not.
B
We
are
adopting
salsa
as
our
build
framework
or
whatever
you
know
our
build
security
framework.
It
is
usually
something
along
the
lines
of
they
have
a
policy
that
says
we
must
adopt
a
community
standard
framework
for
for
for
builds,
and
then
it's
like
okay
cool
and
they
Define
sort
of
something
at
the
high
level
of
you
know.
Acme
Bank,
you
know,
build
a
security
framework,
okay,
we're
going
to
be
adopting
salsa,
but
we
also
have
these
additional
requirements.
B
You
know
that
and
and
I
think,
that's
kind
of
where
a
lot
of
these
organizations
are
coming
from
I
think
we
just
need
to
make
sure
that
folks
on
both
ends
recognize
realize
that,
because
I
know
that's
for
folks
who
haven't
worked
at
very
large
Enterprises,
it
can
sometimes
be
a
a
huge
surprise
when
they
find
out
that
actually,
a
lot
of
these
large
Enterprises
do
adopt
these
other
Frameworks.
They
just
don't
necessarily
they're,
not
shouting
it
to
the
world
they're.
B
Just
like
no,
no
salsa
is
part
of
the
Acme
Bank
build
security
policy
like
that's
just
kind
of
how
we
have
it
set
up
and
I
think
that's.
That's
kind
of
you
know
an
important
thing
to
maybe
even
get
across
in
something
like
a
Blog
article,
because
I
know
it's
it's
something.
That's
confused
a
lot
of
folks
when
it
comes
to
stuff
like
even
like
the
conformance
program
and
some
of
these
other
things
that
people
are
looking
at
false
at
as
a
oh.
B
D
B
E
Yeah
I
mean
look
for
better
or
worse,
and
the
reason
why
I
bring
up
larger
organizations,
especially
when
they
have,
especially
when
their
customers
are
medium,
a
small
to
medium
organizations,
but
their
customers
are
going
to
come
into
this,
and
especially,
if
they're,
newer
organizations
they're
going
to
come
into
this
saying
we
need
to
be.
We
need
to
be
salsa
compliant.
E
We're
not
there
yet,
but
that's
coming
right
and
in
the
instance
where
you're
like
well,
we
can't
ask
our
developers
to
do
something
new,
it's
like
well,
we
don't
necessarily
have
to
do
something
new.
Tell
some
of
the
tell
some
of
the
exceptions
to
policies
so
somebody's
going
to
say
you
kill
some
of
the
exceptions.
Then
you
then
you're
you're,
you're,
probably
right
in
the
ballpark
right
stuff,
like
that,
you
know,
and
by
the
way
I'm
I'm.
E
This
is
this
is
a
lot
more
complex
than
what
I'm
saying,
but
on
his
face,
you
know
having
seen
what
I've
seen
I'm
summing
it
up
to
like
just
he's
made
these
basic
things,
but
this
stuff
is
coming
and
the
pain
is
going
to
be
experienced
on
both
ends.
If
we
don't
properly
articulate
that
it
can
help
and
not
hurt-
or
it
can
add
to
and
not
take
away
from,
Right
add
to
positively
and
not
take
away
from
it.
B
Writing
something
like
a
you
know:
I,
don't
want
to
say
a
full-fledged
white
paper,
but
even
just
something
like
a
a
summary
document
for
folks
who
are
looking
at
some
of
the
stuff,
that's
being
built
on
the
supply
chain.
Side,
that's
coming
out
of
openssf,
so
that
folks
like
realize
that
these
things,
like
these
best
practices
and
and
and
a
lot
of
the
things
that
are
coming
out
of
this
org,
are
not
purely
just
like.
E
I
I
I'm
I'm,
actually
actually
on
board
with
that
I'm,
not
terribly
sure,
I'm,
not
terribly
sure
what
that
would
look
like
and
I
and
I
guess
with
that
I
don't
want
to
shoot
I,
don't
want
us
to
shoot
ourselves
in
the
foot
either
because
we
are
because
we
are
speaking
with
them.
We
are
speaking
with
the
government,
especially
with
respect
to
the
mobilization
plan,
and
of
course
we
have.
You
know
our
ongoing
conversation
about
the
wonderful
emerging
world
that
is
the
Sterling
tool
chain.
D
E
B
Oh
yeah,
yeah,
no
I,
think
it's
it's
less
about
that.
I
think
it's
more
of
even
just
a
generic,
informative
document.
You
know
document,
you
know
it
could
be
something
for
you
know
the
open,
ssf
blog
or
you
know
it
like.
Even
just
something
I
think
like
two
pages
for
folks
to
sort
of
you
know
because
I
think
one
of
the
the
big
things
has
been
around
like
confusion,
both
at
like
organizations
at
every
level
who
sort
of
are
unsure
of
hey
I'm.
Looking
at
adopting
salsa.
E
A
Hey
Mike,
just
second
that
thought,
yeah
I
I
do
agree
with
trying
to
put
something
out,
I.
Think
at
one
point
early
on
in
the
notes
we
had
kind
of
like
a
sci
working
group,
blog
about
talking
about
the
mission
and
and
the
mobilization
plan
and
how
everything
aligns
and
and
whatnot.
So
maybe
maybe
we
need
to
start
that
up.
I
know
last
week,
I
wasn't
there,
but
I
think
there
was
some
talks
about.
You
know:
where
do
we
post
a
blog?
A
If
we
wanted
to
for
Sci
working
group,
we
didn't
have
rights,
and
now
we
do
so,
maybe
once
we
put
out
that
first
initial
blog
of
hey
this
is
our
new
Direction.
Maybe
we
start
tackling
some
of
the
more
broader
topics
of
hey.
This
is
how
you
could
right
we're,
not
saying
you
need
to
or
we're
crying
we
are
requiring
you
to.
But
this
is
how
open
as
a
step
is
envisioning
x,
y
z,.
C
F
The
kinds
of
traceability
of
process
that
salsa
is
really
suitable
for
and
it's
my
sincere
hope
that
we
end
up
in
the
world
where
all
those
requirements
can
kind
of
harmonize
to
the
degree
where
really
ACE
also
delivered,
process
and
attestation
system.
You
can
meet
those
regulatory
needs
and
allow
people
to
do
that
without
really
lifting
a
finger
if
their
tools
automatically
generate
it
right.
So
a
message
of
well
sure
I
have
three
or
four
different
things
running
at
the
same
time,
lose
against
that.
F
F
So
let
me
just
be
provocative
and
say:
maybe:
instead
we
should
have
some
confidence
in
our
solution
and
put
out
here's
how
to
convert
your
existing
home
built
and
cooled
process
to
salsa
or
or
here's
how
to
move
from
this
either
single
vendor
proprietary
thing
to
to
now
this
new
open
standard
I
mean
like
that.
Those
kinds
of
messages
instead
so
tell
me
if
I'm
a
mess
or
or
missing
the
boat,
entirely.
B
B
Is
they
get
like
a
high
level
set
of
regulations,
something
along
the
lines
of
you
should
have
you
know
you
should
be
making
sure
that
you're
securing
your
supply
chain
and
what
they're
going
to
say
is
hey
we're
doing
a
bunch
of
different
things.
We're
we're
adopting
salsa
here
we're
doing
this
like
there's
going
to
be
very
little
interest
in
saying
yep,
everybody
should
be
adopting
salsa,
there's
going
to
be
a
lot
of
interest
in
saying
we
want
for
sorry
is
adopting
salsa
as
a
wholesale
component.
B
There
might
be
interest
in
saying,
like
oh
yeah
there.
A
lot
of
folks
are
very
interested
in
adopting
salsa
as
part
of
it's
kind
of
this
thing
of
like
in
the
banking
space,
which
it's
even
if,
if
even
if
it's
the
same
thing,
practically
from
a
political
standpoint,
they're
like
saying
no,
what
we
have
adopted
is
the
Acme
Bank
supply
chain
standard
and
the
Acme
Bank
supply
chain
standard
includes
this.
You
know
we
we
adopted
this
fips.
You
know
encryption
standard,
we
adopted,
you
know
salsa.
We
adopted
this.
B
We
adopted
that
that's
kind
of
the
way
that
it,
it
kind
of
always
ends
up
getting
communicated.
Even
if
practically
it's
the
same
sort
of
thing,
there's
a
lot
of
and
I
don't
want
to
go
down
the
rabbit
hole.
There's
there's
a
lot
of
like
nobody
wants
to
just
sort
of
come
out
and
say
you
know
we're
adopting
this
853
as
our
control,
catalog
and
I.
There's
a
whole
bunch
of
stuff
in
there
that
I
I
take
years
to
to
unpack.
E
No,
that's
not!
It's
not
well.
This
PCI,
this
typical,
but
there's
the
other
one
from
from
the
financial
sector.
Mail,
but
I
can't
I,
can't
I
know
somebody
in
the
fft
is
something
it
begins
with.
The
first
letter
is
an
F
in
this,
like
can't
remember
what
the
hell
is,
but
it's
the
security
framework
that
you're
supposed
to
use
to
as
a
way
to
report,
whether
or
not
you're
meeting
certain
security
controls
in
the
financial
sector.
E
E
That
being
the
case,
but
as
I
said
before,
salsa
can
be
an
and
to
this
situation.
I
I
would
be
very
careful
to
tell
them
move
all
of
the
way
you
do
things
over
to
salsa
and
signing
with
six
store.
I'd
be
very
careful
with
that.
I
would
rather
say
you
can
you
can
do
what
you
do
and
then
meet
these
levels
by?
E
Perhaps
you
know
adding
this
control
or
adding
this
not
necessarily
saying
move
over,
because
that
creates
a
whole
can
of
worms
that
that
you're
gonna
get
pushed
back
and
you're
going
to
get
straight
up.
Not
not
that
not
that
one
though
Mike
you're
gonna
get
confused
you're
going
to
get
probably
a
complete
like
I.
Don't
want
to
do
it,
you
know
or
I'm
not
going
to
do
it
because
I'm
fine
on
this
side,
because
I
meet
my
Regulatory
Compliance
right.
E
B
Yeah
and
and
I
think
with
that
said
to
to
a
little
bit
of
Brian's
point,
and
this
is
something
that
also
John
Meadows
over
at
City,
when
we
were
talking
about
Sterling
tool
chain,
had
a
lot
of
really
good
thoughts,
which
is
just
poor
small
to
medium
businesses.
It's
a
much
easier
sell
because
you
can
say
you
know
a
lot
of
smaller
to
medium.
Businesses
are
a
lot
more
flexible
right.
They
don't
have.
You
know
Legacy
processes
and
a
lot
of
these
things
right.
B
Like
you
know,
I've
worked
at
a
couple
of
banks
where
you
know
the
the
Legacy
processes
were
decades
old
and
getting
some
of
that
to
change
to
something
new
completely
wholesale
was
going
to
be
like
moving
a
mountain,
but
for
a
lot
of
small
to
medium
businesses.
It's
it's
a
lot
easier
and
also
as
part
of
something
like
a
sterling
tool
chain.
It's
a
much
easier
cell
to
say:
hey
you're,
a
startup
you're,
just
starting
start
signing
with
Sig
store
start
doing.
Salsa
start
adopting.
B
You
know
when
you
ingest
software
make
sure
that
you're
following
the
S2
c2f
practices,
that's
a
much
easier
sort
of
cell
compared
to
let's
say
you
know
your
your
giant
Banks,
your
jpmcs,
your
your
cities,
which
you
know
to
be
frank,
are
going
to
hire
a
you
know.
They're
gonna
hire
an
Accenture,
an
IBM,
a
giant
sort
of
firm
to
help
build
out
something
that
meets
their
needs
compared
to
let's
say
a
smaller
organization.
B
F
All
reasonable
answers,
I'm
just
doing
my
job
to
be
provocative,
but
but
but
also
I
know
that
humility
sells
well
in
open
source,
but
it
may
not
be
the
the
the
the
power
that
we
believe
it
is
when,
in
this
next
phase
to
drive
this
next
phase
of
adoption,
I
really
liked
reading
about
github's
adoption
of
it's
also
in
six
door
for
npm
Providence
and
that's
a
story.
I
would
love
to
see
repeated
across
all
the
major
language,
ecosystems
and
and
perhaps
even
demonstrable
Providence
cross
language
ecosystem.
F
For
for
the
you
know,
what
is
the
vast
majority
of
apps,
which
are
combinations
of
lots
of
different
languages
right,
so
yeah
I,
just
I,
want
more
of
that
and
I
want
a
bit
of
swagger
to
come
out
of
of
this
community
to
be
proud
of
kind
of
what
we
built
and
and
highlight
recognize
those
companies
that
are
building
it
to
us,
rather
than
just
adding
us
as
a
as
a
hey.
We
also
support
kind
of
kind
of
thing.
You
know
what
I
mean.
B
Yeah,
no
on
that
front,
yeah
I,
definitely
totally
agree
with
you
and
I.
Think
that
there's
a
lot
of
ways
for
us
to
to
do
that
in
in
that
space
and
I
think
we're
starting
to
see
a
lot
of
this
already
and
I
saw
even
at
kubecon
a
lot
of
folks
interested
on
this.
Like
you
know,
a
lot
of
folks
are
very
interested
in
adopting
salsa
and
making
it
very
public
that
they've
adopted,
salsa
I
think
the
things
there
is.
B
You
know
I
think,
and
this
is
kind
of
something
both
it's
a
problem
that
this
group
has
and
is
a
problem
that
we
can't
necessarily
do
ourselves,
like
the
positioning
group,
can't
I
think
the
tooling
groups
within
openssf
can,
which
is
just
hey
it's
hard
to
adopt
salsa.
If
there
is
like,
as
an
example,
there's
no,
you
know,
there's
not
really
a
lot
of
salsa
tools
for
rust,
for
example,
I'm
writing
up
some
personally
for
and
it's
open
source.
B
But
you
know:
hey,
there's
some
stuff
that
needs
to
happen
on
on
that
end
as
well,
and
if
we
can
start
to
kind
of
figure
out
how
we
we
start
to
address
some
of
those
as
well.
I
think
that
would
be
super
helpful
because
I
know
one
of
the
the
you
know
like
I
said
before,
like
the
some
of
the
biggest
feedback
we've
gotten
is,
we
have
stuff
like
cncf
is
doing
salsa
audits,
but
the
salsa
audits
right
now
were
like
highly
manual.
B
C
B
B
B
Think,
there's
a
couple
things
that
we
just
want
to
clear
up
in
here,
or
at
least
for
my
from
my
opinion,
but
overall
I
think
the
the
you
know
the
purpose
of
the
blog
for
folks
who
haven't
read
through
it
yet
was
to
sort
of
why
we
separated
out
build
and
source
and
there's
a
couple
of
different
reasons.
But
the
you
know,
some
of
the
primary
reasons
are
to
allow
for
the
separation
of
concerns
between
different
teams.
Groups.
B
If
I
include
two-person
code
review
well,
if
I
have,
if
I'm
using
let's
say
bitbucket
for
two-person
code
review
and
I'm
using
GitHub
actions
for
my
build
GitHub
actions
can't
produce
the
full
salsa
at
a
station.
So
that's
kind
of
I,
think
and
I
think
that's
actually
a
very,
very
good
point
that
hasn't
really
been
highlighted
in
a
lot
of
the
other
stuff
we've
released.
Is
that
like
we
want
to
make
it
separate
for
a
couple
of
different
reasons?
One
is
just
from
a
practical
standpoint
of
us
building
the
rules.
B
It's
often
easier
for
us
to
say
here's
the
build
set
of
rules.
You
can
focus
on
that.
Oh
here's,
the
source
set
of
rules.
You
can
focus
on
that.
The
dependency
said
you
know
or
whatever
right
like
the
the
source
and
and
build
set
of
rules,
and
then
you
know
integrate
with
also
stuff
like
the
S2
c2f
consumption
side.
Right
where
you
can
say
you
know,
and
all
of
those
pieces
together
kind
of
build
out.
B
B
One
is
I
think
it's
really
key
to
highlight
that
the
build
and
similar
sorts
of
things
can
be
part
of
one
particular
team
to
be
responsible
for
one
particular
department
and
different
departments
might
have
different
build
systems
whatever
or
you
might
be,
have
outsourced
it
to
a
completely.
You
know
different
SAS
and
that's
what
makes
salsa
super
useful
here.
B
Is
you
don't
need
to
have
one
individual
thing
manage
the
whole
thing
which,
which
is
huge,
I,
think
we
just
need
to
based
on
some
of
the
stuff
that
I
some
of
the
feedback
I
got
from
kubecon.
Is
we
just
need
to
really
make
sure
that
folks
recognize
that
it's
not
just
SAS
right?
It's
not
just
you
know
GCB
or
GitHub
actions
or
gitlab
CI.
That
can
do
this.
You
can
do
this
internally.
It
comes
with
its
own
set
of
risks
as
well
right.
B
You
know
by
doing
it
internally
versus
externally
and
certain
folks.
Maybe
want
to
do
something
more
rigorous,
internally,
I
think
those
sorts
of
things
just
need
to
be
clarified,
but
overall
I
I
really
liked
it
and
I
suggest
everybody
here
should
read
it
because
because
it
was
enjoyable
enjoyable
and
there
was
even
things-
I
hadn't
considered
and
I've
been
doing
a
lot
of
work
on
salsa
for
a
while.
C
A
B
I
know
that
we've
been
talking
about
roadmap
communication
and
and
how
we're
going
to
be
I
know
we're
still
sort
of
trying
to
finalize
a
couple
of
things.
I
know
that
a
lot
of
the
folks
are
very
much
roaring
and
ready
to
go
to
like
push
salsa
for
right.
Like
I
know,
we
pulled
out
salsa
four,
a
lot
of
things.
You
know
on
that
end.
I
think
this
group
can
maybe
do
to
once.
We
kind
of
sort
that
out
I
know.
B
One
of
the
things
that
was
discussed
a
little
bit
yesterday
was
okay
cool.
How
do
we
kind
of
let's
say
we
have
like
two
or
three
bodies
of
work
that
we're
going
to
be
focused
on
from
the
salsa
side,
at
least
how
do
we
communicate
that
out
to
everybody
and
and
I
think
that
that
might
be
something
that
we
want
to
think
about,
because.
B
One
of
the
things
that
was
also
brought
up
as
a
piece
of
feedback
is
a
lot
of
folks
were
not
aware
of
a
lot
of
the
work.
That's
was
going
on
in
the
salsa
side
that
led
to
1.0,
and
so
what
can
we
do
to
kind
of
just
generally,
whether
it's
like
a
a
monthly
like
update
to
the
drafts
and
some
of
those
things.
B
B
You
know
we
didn't
find
much
interest
in
this
thing,
so
we
cut
up
we're
going
to
be
pushing
that
back
to
later,
and
if
somebody
comes
in-
and
you
know
all
of
a
sudden
four
people
like
see
it
on
the
internet
and
they
all
come
in
to
the
next
meeting.
They
go.
No,
no,
please
don't
drop
it.
Then
then
we
know
because,
like
that
was
actually
you
know
a
bit
of
a
surprise
to
us.
B
F
Think
I
think
a
pivot
from
a
1.0
to
thinking
about,
like
what
is
the
next
18
months
or
24
months
looks
like
is
a
great
opportunity
to
grow
the
contributor
Community.
It's
a
great
chance
to
be
able
to
say
one
of
those
out
look
at
us.
We
can
accomplish
a
thing.
We
can
actually
come
to
come
to
consensus
and
and
put
a
flag
in
the
ground.
Yes
and
now
we're
thinking
about
applying
this
to
source
source
systems
and
I
mean
all
these
other
kind
of
angles.
F
You
know
at
the
you
know
hour
of
their
choosing,
because
it
this
can
be
a
little
bit
bit
too
cozy,
but
instead
to
have
like
a
webinar
have
like
it
feels
a
little
bit
more
like
a
publicly
promoted
event
and
say
come
co-design.
The
future
with
us
and
by
the
way
that
does
take
persistence,
does
take
some
some
commitment.
D
C
B
B
You
know
we
could
have
a
once
every
three
months.
You
know
Summit
where
we
sit
down
and
do
these
things
or
we
could
have
these
multiple
meetings
and
and
sit
down
and
also
have
stuff
offline,
where
you
know
folks
are,
are
just
opening
up
PR's
to
fix
things
and
and
so
on,
and
at
the
end
of
the
day,
even
if
somebody
has
a
great
idea,
if
a
great
idea
isn't
actioned
on
it's
it's,
you
know
it's
just
an
idea,
which
is
something
that
I
know
that
it
has
worked
really
well.
D
B
You
know
it's
not
just
purely
about
you
know:
let's
sit
around
and
and
debate
the
exact
best
way
of
of
of
approaching
the
problem.
Let's
start
doing
it
and
you
know
we'll
we're
gonna
stumble
a
little
bit,
but
at
the
end
of
the
day,
we'll
you
know
having
something
good
was.
It
was
the
term
perfect,
is
the
enemy
of
the
good
or
whatever.
You
know
it's
better
to
have
something
good
now
than
to
have
something
perfect.
Never.
F
I
got
a
better
one
for
you.
Worse
is
better
there's
a
great
essay.
Some
of
you
might
know
by
dick
Gabriel,
who
is
a
researcher
at
a
at
Sun
for
a
while,
and
he
wrote
this
great
essay
called
versus
better
in
that
in
software,
it's
better
to
start
with
a
minimal
creation.
That's
a
little
bit
wrong
here.
F
F
But
I
think
it
also
helps
explain
why
we
have
so
many
bad
protocols
that
seem
to
survive
for
so
long
is
they
only
have
to
be
good
enough?
Yes,
yes,
and,
and
anyone
holding
off
forever
to
to
solve
the
the
forever
problem
is
going
to
be
his
what's
his
name
who
wrote
Xanadu,
yeah
the
web
takeover
and
he's
he
was
pissed
about
that,
but
he
waited
too
long.
B
B
B
Oh
yes,
yes,
we're
going
to
be
canceling
next
week's
meeting,
because
I
mean
I
I
believe
most
of
us
on
this
call
will
be
out
open
source
Summit.
You
know.
Yes,
we
have.
You
know
we
have
I,
have
a
talk
and
as
well
as
a
panel
with
long
width
instance
the
folks
on
on
this
call,
looking
forward
to
that.
B
I
know
definitely
have
some
open
questions
still
about
some
of
the
stuff,
that's
going
on
with
Sterling
tool
chain
and
and
if
there's
anything
this
group
can
do
or
just
even
me
personally,
due
to
help
push
some
of
those
things,
because
I
I
think
that
Sterling
tool
chain
idea
is
is
great,
especially
for
in
the
open
source
space.
A
lot
of
folks
are
starting
to
ask
like
the
question
of
like
hey
I,
run
an
open
source
project.
B
I
want
to
do
the
right
things,
but
you
know:
hey
I'm,
just
a
volunteer.
What
can
I
be
doing?
What
can
I
be
adopting?
Are
there
any
scripts?
Are
there
any
nice
little
applications
that
will
do
a
lot
of
the
work
for
me
like
something
like
open,
ssf,
scorecard
and
All-Star,
and
those
things
I
know
folks
are
are
looking
for
a
lot
of
that
and
if
there's
things
that
this
group
can
do
to
to
help
communicate
that
help
provide
feedback.
I
know
I,
know
we're
very
interested
there.