From YouTube: Supply Chain Integrity WG (May 2, 2023)
B: No problem. I hope you feel better soon. I'm actually avoiding my own spouse here, because she came down with something, and I know that I have, you know... next week we have Open Source Summit, so I'm trying my best not to get sick myself.
B: I think Mark and some of the other folks have done... I've done a lot of it. So.
C: How the formatting, or I don't know if it's like a Hugo template or whatever.
C: Another minute or two while we're waiting for folks; feel free to add your attendance in the meeting notes here.
C: One last time here: feel free to mark your attendance in the meeting notes. Could I give it maybe just one more minute.
C: All right, we can probably...
B: For today, I believe, looking through the list here, everybody who's been on this meeting has been on this meeting before.
C: And so no newcomers here, but...
B: I think one of the things, just some additional piece of... one of the things on the agenda is SLSA 1.0 feedback. I don't know if folks other than myself have been hearing anything from the SLSA 1.0 side. Largely, as I sort of mentioned last week, SLSA 1.0 feedback has largely been pretty good. You know, a lot of great feedback from KubeCon.
C: Had some interesting thoughts around that. AJ, you have your hand up.
B: Yeah, I'll continue on. So I think, you know, the big things are still kind of repeats from the last couple of weeks, which were: SLSA 1.0 seems, you know, looks pretty good, but there's not really a lot of great 1.0 examples yet, and so things around the tooling around 1.0 could potentially be improved. There, I know that there is some... I know there's an npm one that's being planned, a GitHub Action on that, and there's some other tools that are being built out.
B: I know my company had announced an open source tool called Specter that is, you know, doing stuff with SLSA, and so there's some stuff there, but I think we need to do a little bit more and also maybe provide some additional documentation for folks who are looking to implement, let's say, SLSA, and... or sorry, implement tools for SLSA; stuff that we could do on that front to help them out.
B: One of the other big pieces of feedback, which seemed to be a point of confusion, and I think it's something that we just need to do a better job at, is a lot of folks are still very confused: they think SLSA is primarily a SaaS framework, which it isn't. It supports SaaS, which I think is a key feature, because I know a lot of frameworks just assume you are operating anything and everything yourself, and I
B: think having that information and highlighting that SLSA can help support these other things, assuming that those infrastructure providers or service providers are attesting to, or sorry, like, certifying or providing conformance to certain things. I think that's important, but I know that, you know, there's a lot of confusion on, you know: hey, I'm a small software vendor who doesn't use GitHub Actions; can I be SLSA compliant, or, it's also, conformant? I think that sort of thing needs to be addressed.
B: I think that could probably be addressed in a couple of blog articles or a little bit of documentation, kind of highlighting the different areas of SLSA and how folks can sort of provide that information. And that's, I think, the big things that I was hearing over the past couple of weeks.
E: Oh yeah, so I think from an end user perspective, and of course those in the developer community, and some of the organizations that I've actually worked for, and of course the people I've worked with who have moved on... you know, first of all, great feedback.
E: It's also one... part of the heading comes in developers. You know, some of these organizations in R&D areas have their own...
E: You know, that they've developed, of course, with other publications and standards; they've developed their own development life cycles, and they're saying, well, no, our developers are only going to follow one thing, and, you know, we've developed this thing that they're following, you know, from end to end, and, you know, no, we're not... I went unsure about something that we're going to bring in that's gonna change how we do things. Part of the things that I've been echoing to them is: this is not about "or". It's been...
E: This can be an "and", right, and I think that it might be a good job for us to help articulate something like that. What's the "and"? Right, so saying that, you know, through doing what you currently do, save for a few... I've, and I'll say this being a person who's actually had to audit some of these things and also provide advisory towards some of these things, in two different lives,
E: you can then attest to meeting, or attest to conforming to, a SLSA level, right? Something like that. So it's us being able to properly articulate stuff like that. That might make it a hell of a lot better for a lot of these, dare I say, larger organizations who have their, you know... to say something like teaching...
E: You know, please forgive this, but teaching old dogs new tricks, right. Having a situation where you can have... it's important and not necessarily in or... we have that conversation and, you know, we put that out, and that might make a lot of the stomach reminisce a little less, right.
B: Yeah, I definitely agree with that, and I think that's something that's also gone beyond just purely the SLSA side as well. Right, I think it's something that actually we've noticed in the CNCF with the supply chain working group that we have there, is a lot of folks are looking at a lot of the standards and frameworks that are coming out and they say, oh, this is a... I use...
B: You know, "I use SLSA" or "I use this other thing", and a lot of times, like, no, no, you're doing a lot of this other stuff, and in addition to that, I think the thing that folks often need to recognize is, like... and, you know, I've worked at very, very large banks, for example, and one of the things there is, you know, there's a lot of confusion in some areas, but generally the way that they sort of view something like SLSA is not
B: "we are adopting SLSA as our build framework", or whatever, you know, our build security framework. It is usually something along the lines of: they have a policy that says we must adopt a community standard framework for builds, and then it's like, okay, cool, and they define sort of something at the high level of, you know, Acme Bank build security framework: okay, we're going to be adopting SLSA, but we also have these additional requirements.
B: You know, we're going to be adopting SLSA, or for the end-to-end sort of consumption we're going to adopt S2C2F, but we're also going to be including this because of PCI compliance, and we're going to be including this other thing, and in certain cases they might say, hey, we do, you know, 95% of SLSA, but we can't do this thing, or whatever.
B: You know, and I think that's kind of where a lot of these organizations are coming from. I think we just need to make sure that folks on both ends recognize, realize that, because I know that for folks who haven't worked at very large enterprises, it can sometimes be a huge surprise when they find out that actually a lot of these large enterprises do adopt these other frameworks. They just don't necessarily... they're not shouting it to the world. They're
B: just like, no, no, SLSA is part of the Acme Bank build security policy, like, that's just kind of how we have it set up. And I think that's kind of, you know, an important thing to maybe even get across in something like a blog article, because I know it's something that's confused a lot of folks when it comes to stuff like even the conformance program and some of these other things that people are looking at SLSA as a... oh.
E: Yeah, I mean, look, for better or worse, and the reason why I bring up larger organizations, especially when their customers are small to medium organizations... but their customers are going to come into this, and especially if they're newer organizations, they're going to come into this saying we need to be SLSA compliant.
E: "We're not there yet, but that's coming," right, and in the instance where you're like, well, we can't ask our developers to do something new, it's like, well, we don't necessarily have to do something new. Tell some of the exceptions to policies. So somebody's going to say: you kill some of the exceptions, then you're probably right in the ballpark, right, stuff like that, you know, and by the way, I'm...
E: This is a lot more complex than what I'm saying, but on its face, you know, having seen what I've seen, I'm summing it up to, like, just these basic things, but this stuff is coming and the pain is going to be experienced on both ends if we don't properly articulate that it can help and not hurt, or it can add to and not take away from. Right, add to positively and not take away from it.
B
So
that,
actually,
you
bring
up
a
good
point
there
as
something
maybe
we
might
want
to
take
a
look
at
which
is,
since
this
is
no
longer
just
purely
the
salsa
positioning
group
right,
it's
all
of
Sci.
B
Writing
something
like
a
you
know:
I,
don't
want
to
say
a
full-fledged
white
paper,
but
even
just
something
like
a
a
summary
document
for
folks
who
are
looking
at
some
of
the
stuff,
that's
being
built
on
the
supply
chain.
Side,
that's
coming
out
of
openssf,
so
that
folks
like
realize
that
these
things,
like
these
best
practices
and
and
and
a
lot
of
the
things
that
are
coming
out
of
this
org,
are
not
purely
just
like.
E: I'm actually on board with that. I'm not terribly sure what that would look like, and I guess with that, I don't want us to shoot ourselves in the foot either, because we are speaking with them. We are speaking with the government, especially with respect to the mobilization plan, and of course we have, you know, our ongoing conversation about the wonderful emerging world that is the Sterling Toolchain.
E: I don't want to shoot ourselves in the foot with what we're saying.
E: You have to do, or don't have to do, this early on, and by the way, I'm with the "don't have to necessarily do" part. I just don't want us to write something that pigeonholes the rest of the OpenSSF one way or the other ahead of pending conversations.
B: Oh yeah, yeah, no, I think it's less about that. I think it's more of even just a generic, informative document. You know, it could be something for, you know, the OpenSSF blog, or, you know, even just something, I think, like two pages for folks to sort of, you know... because I think one of the big things has been around confusion, both at organizations at every level who sort of are unsure of: hey, I'm looking at adopting SLSA.
A: Hey Mike, just to second that thought, yeah, I do agree with trying to put something out. I think at one point early on in the notes we had kind of like an SCI working group blog talking about the mission and the mobilization plan and how everything aligns and whatnot. So maybe we need to start that up. I know last week I wasn't there, but I think there were some talks about, you know: where do we post a blog?
A: If we wanted to, for SCI working group, we didn't have rights, and now we do. So maybe once we put out that first initial blog of "hey, this is our new direction", maybe we start tackling some of the broader topics of "hey, this is how you could", right; we're not saying you need to, or we're requiring you to, but this is how OpenSSF is envisioning X, Y, Z.
F: Yeah, to build on Melba's point, but maybe even go much further than she might, and someone as a... a provocative statement.
F: You know, a message of coexistence, a message of "well, there's always more than one way to do it, and you can do multiple at the same time", to the recipient might ring as a lack of confidence in the appropriateness of one's own solution. And one thing I see as both an opportunity and a threat for us is in the regulatory space, with the US and in Europe: you're starting to see calls for projects and software producers to adopt traceability.
F: The kinds of traceability of process that SLSA is really suitable for, and it's my sincere hope that we end up in the world where all those requirements can kind of harmonize to the degree where really a SLSA-delivered process and attestation system can meet those regulatory needs and allow people to do that without really lifting a finger, if their tools automatically generate it, right. So a message of "well, sure, I have three or four different things running at the same time" loses against that.
F: It also moves a little bit against the desire, I think, to see simplicity, yeah, kind of a way to weave SLSA and Sigstore together to be kind of the recommended practice.
F: You know, there's folks talking about wanting to kind of combine these pieces into something called a Sterling Toolchain. And optionality comes with a cost. It's always politically nice, but it, you know, comes at some degree of operational cost.
F: So let me just be provocative and say: maybe instead we should have some confidence in our solution and put out "here's how to convert your existing home-built and cooled process to SLSA", or "here's how to move from this single-vendor proprietary thing to now this new open standard". I mean, like, those kinds of messages instead. So tell me if I'm a mess or missing the boat entirely.
B: So I think, so I was just gonna say, yeah, I mean, I think that makes sense at some level. I think the thing that you're going to run into is there's going to be some industries, like the banking industry, for example, who largely, like, self-regulate, and their sort of thing
B: is they get, like, a high-level set of regulations, something along the lines of "you should be making sure that you're securing your supply chain", and what they're going to say is, hey, we're doing a bunch of different things. We're adopting SLSA here, we're doing this. Like, there's going to be very little interest in saying, yep, everybody should be adopting SLSA; there's going to be a lot of interest in saying we want... sorry, is adopting SLSA as a wholesale component.
B: There might be interest in saying, like, oh yeah, there... a lot of folks are very interested in adopting SLSA as part of... it's kind of this thing of, like, in the banking space, even if it's the same thing practically, from a political standpoint they're saying, no, what we have adopted is the Acme Bank supply chain standard, and the Acme Bank supply chain standard includes this. You know, we adopted this FIPS, you know, encryption standard; we adopted, you know, SLSA. We adopted this.
B: We adopted that. That's kind of the way that it kind of always ends up getting communicated. Even if practically it's the same sort of thing, there's a lot of... and I don't want to go down the rabbit hole, there's a lot of, like, nobody wants to just sort of come out and say, you know, we're adopting this 800-53 as our control catalog, and I... There's a whole bunch of stuff in there that I'd take years to unpack.
E: Yeah, so I think I was trying to find the security framework that most financial institutions... I can't remember, FBI, TCFDI, I can't remember, but, you know, financial sector, health care sector, payments, these very heavily regulated industries that have gotten down how they develop tools with respect to privacy.
E: No, that's not it. It's not, well, this PCI, this typical, but there's the other one from the financial sector. Mail, but I can't, I can't... I know somebody in the FFT is something; it begins with... the first letter is an F in this, like, can't remember what the hell it is, but it's the security framework that you're supposed to use as a way to report whether or not you're meeting certain security controls in the financial sector.
E: I can't remember what it is anyway. These industries, and the people that build tools and services and everything else, have developed their development life cycles such that they can continue to meet, and then scale according to, regulatory compliance.
E: That being the case, but as I said before, SLSA can be an "and" to this situation. I would be very careful to tell them "move all of the way you do things over to SLSA and signing with Sigstore". I'd be very careful with that. I would rather say you can do what you do and then meet these levels by...
E: perhaps, you know, adding this control, or adding this; not necessarily saying "move over", because that creates a whole can of worms where you're gonna get pushback and you're going to get straight up... not that one, though, Mike. You're gonna get confused, you're going to get probably a complete, like, "I don't want to do it", you know, or "I'm not going to do it, because I'm fine on this side, because I meet my regulatory compliance", right.
B: Yeah, and I think, with that said, to a little bit of Brian's point, and this is something that also John Meadows over at Citi, when we were talking about Sterling Toolchain, had a lot of really good thoughts on, which is just: for small to medium businesses it's a much easier sell, because you can say, you know, a lot of smaller to medium businesses are a lot more flexible, right. They don't have, you know, legacy processes and a lot of these things, right.
B: Like, you know, I've worked at a couple of banks where, you know, the legacy processes were decades old and getting some of that to change to something new completely wholesale was going to be like moving a mountain, but for a lot of small to medium businesses it's a lot easier, and also, as part of something like a Sterling Toolchain, it's a much easier sell to say: hey, you're a startup, you're just starting; start signing with Sigstore, start doing SLSA, start adopting...
B: You know, when you ingest software, make sure that you're following the S2C2F practices. That's a much easier sort of sell compared to, let's say, you know, your giant banks, your JPMCs, your Citis, which, you know, to be frank, are going to hire a, you know... they're gonna hire an Accenture, an IBM, a giant sort of firm to help build out something that meets their needs, compared to, let's say, a smaller organization
B: that's going to say: hey, we don't have that sort of money and we don't necessarily need that, because we could be a bit more flexible. Let's just adopt a Sterling Toolchain. Let's just adopt some of those things.
F: All reasonable answers. I'm just doing my job to be provocative, but also I know that humility sells well in open source, but it may not be the power that we believe it is when, in this next phase, to drive this next phase of adoption. I really liked reading about GitHub's adoption of SLSA and Sigstore for npm provenance, and that's a story I would love to see repeated across all the major language ecosystems, and perhaps even demonstrable provenance cross-language-ecosystem
F: for, you know, what is the vast majority of apps, which are combinations of lots of different languages, right. So yeah, I just want more of that, and I want a bit of swagger to come out of this community, to be proud of kind of what we built, and highlight, recognize those companies that are building it to us, rather than just adding us as a "hey, we also support" kind of thing. You know what I mean.
B: Yeah, no, on that front, yeah, I definitely totally agree with you, and I think that there's a lot of ways for us to do that in that space, and I think we're starting to see a lot of this already, and I saw even at KubeCon a lot of folks interested in this. Like, you know, a lot of folks are very interested in adopting SLSA and making it very public that they've adopted SLSA. I think the thing there is,
B: you know, I think, and this is kind of something both... it's a problem that this group has and is a problem that we can't necessarily do ourselves; like, the positioning group can't, I think the tooling groups within OpenSSF can, which is just: hey, it's hard to adopt SLSA if there is, like, as an example, there's not really a lot of SLSA tools for Rust, for example. I'm writing up some personally, and it's open source.
B: But, you know, hey, there's some stuff that needs to happen on that end as well, and if we can start to kind of figure out how we start to address some of those as well, I think that would be super helpful, because I know one of the... you know, like I said before, some of the biggest feedback we've gotten is we have stuff like CNCF is doing SLSA audits, but the SLSA audits right now were, like, highly manual.
F: Well, our desire is to support all of you and support our members and support what the open source ecosystem needs, and where that can match up with regulatory changes and where the markets are heading, so much the better, right. Skate where the puck is going.
B: Yeah, sounds good. Is there anything else on that front? Otherwise we can move over to the SLSA build versus source blog stuff.
B: Cool, so I don't want to... I know Melba's voice is... I don't want to hurt her voice anymore, so, but Melba and Chris put out a SLSA blog. There's a PR open for it; overall it looks pretty good. I
B: think there's a couple of things that we just want to clear up in here, or at least from my opinion, but overall I think the, you know, the purpose of the blog, for folks who haven't read through it yet, was to sort of explain why we separated out build and source, and there's a couple of different reasons. But, you know, some of the primary reasons are to allow for the separation of concerns between different teams, groups,
B: companies, right. You could have... I could use, let's say, GitHub as my source provider but have an internal build system, or vice versa, right, where I could have an internal source code system but be calling out to a SaaS for running my build. The way that, without having these build tracks, without separating these tracks, we have that problem of, well,
B: if I include two-person code review, well, if I'm using, let's say, Bitbucket for two-person code review and I'm using GitHub Actions for my build, GitHub Actions can't produce the full SLSA attestation. So that's kind of, I think... and I think that's actually a very, very good point that hasn't really been highlighted in a lot of the other stuff we've released, is that, like, we want to make it separate for a couple of different reasons. One is just from a practical standpoint of us building the rules.
B: It's often easier for us to say: here's the build set of rules, you can focus on that; oh, here's the source set of rules, you can focus on that; the dependency set, you know, or whatever, right, like the source and build set of rules, and then, you know, integrate with also stuff like the S2C2F consumption side, right, where you can say, you know... and all of those pieces together kind of build out.
B: One is, I think it's really key to highlight that the build and similar sorts of things can be part of one particular team to be responsible for, one particular department, and different departments might have different build systems, whatever, or you might have outsourced it to a completely, you know, different SaaS, and that's what makes SLSA super useful here,
B: is you don't need to have one individual thing manage the whole thing, which is huge. I think we just need to, based on some of the feedback I got from KubeCon... we just need to really make sure that folks recognize that it's not just SaaS, right? It's not just, you know, GCB or GitHub Actions or GitLab CI that can do this. You can do this internally. It comes with its own set of risks as well, right,
B: you know, by doing it internally versus externally, and certain folks maybe want to do something more rigorous internally. I think those sorts of things just need to be clarified, but overall I really liked it, and I suggest everybody here should read it, because it was enjoyable and there were even things I hadn't considered, and I've been doing a lot of work on SLSA for a while.
B: I know that we've been talking about roadmap communication and how we're going to be... I know we're still sort of trying to finalize a couple of things. I know that a lot of the folks are very much roaring and ready to go to, like, push SLSA 4, right. Like, I know we pulled out SLSA 4, a lot of things, you know, on that end. I think this group can maybe do to... once we kind of sort that out, I know...
B: One of the things that was discussed a little bit yesterday was: okay, cool, how do we kind of... let's say we have like two or three bodies of work that we're going to be focused on from the SLSA side, at least; how do we communicate that out to everybody? And I think that might be something that we want to think about, because
B: one of the things that was also brought up as a piece of feedback is a lot of folks were not aware of a lot of the work that was going on in the SLSA side that led to 1.0, and so what can we do to kind of just generally, whether it's like a monthly update to the drafts and some of those things.
B: Yeah, I mean, I think even... I like that suggestion, and I think also something like, even if we don't obviously release a new version of SLSA every month, having something like a monthly update on, you know, just the high-level items that we're focused on might also prove to be useful, so that folks get an idea of, hey,
B: you know, we didn't find much interest in this thing, so we cut it up; we're going to be pushing that back to later, and if somebody comes in, and, you know, all of a sudden four people see it on the internet and they all come in to the next meeting and they go, no, no, please don't drop it, then we know, because, like, that was actually, you know, a bit of a surprise to us.
F: I think a pivot from a 1.0 to thinking about, like, what the next 18 months or 24 months looks like is a great opportunity to grow the contributor community. It's a great chance to be able to say one of those out: look at us, we can accomplish a thing. We can actually come to consensus and put a flag in the ground. Yes, and now we're thinking about applying this to source systems and, I mean, all these other kind of angles.
F: But we need your help and we need your engagement, and those of you who have started to pick up SLSA, you are stakeholders in this, and here's a place to come in and tell us what you like, but understand that we're going to gravitate towards the do-ocracy, right.
F: You know, we're going to gravitate towards those showing up not just to say "I want a pony", but those actually there to manifest the pony with all the other people who want a pony. So, and the right format for that might be very different than a call, like telling people to show up to a call like this,
F: you know, at the hour of their choosing, because this can be a little bit too cozy, but instead to have, like, a webinar, have, like... it feels a little bit more like a publicly promoted event, and say "come co-design the future with us", and by the way, that does take persistence, does take some commitment.
F: So if you can give us an hour every two weeks, and, meaning, if you can meaningfully contribute to bringing your expertise and background and encoding that in, you know, the SLSA 2.0 document, or 1.5, or whatever you want to label it, then please, now is the time; now is the time to join, is kind of that call to action that then Jennifer and I can make hay out of and get to a broader audience.
B: Yeah, no, that's a good suggestion. I really like that term, do-ocracy. I know that's one of the things that we've been really trying to push very, very hard, is, like, hey, like, at the end of the day,
B: you know, we could have a once-every-three-months, you know, summit where we sit down and do these things, or we could have these multiple meetings and sit down and also have stuff offline where, you know, folks are just opening up PRs to fix things and so on, and at the end of the day, even if somebody has a great idea, if a great idea isn't actioned on, it's, you know, it's just an idea, which is something that I know has worked really well.
B: You know, it's not just purely about, you know: let's sit around and debate the exact best way of approaching the problem. Let's start doing it, and, you know, we're gonna stumble a little bit, but at the end of the day we'll, you know, having something good... what was the term, "perfect is the enemy of the good" or whatever. You know, it's better to have something good now than to have something perfect never.
F: I got a better one for you: "Worse is Better". There's a great essay, some of you might know, by Dick Gabriel, who was a researcher at Sun for a while, and he wrote this great essay called "Worse is Better", in that, in software, it's better to start with a minimal creation that's a little bit wrong here.
F: I'll drop the link to it, so as to trigger folks to jump in and help you fix it, and for it to feel approachable and human rather than totally polished and thus unassailable, and that's why Wikipedia grew, it's why open source works, frankly, and anyway, he puts it much better than I can.
F: But I think it also helps explain why we have so many bad protocols that seem to survive for so long: they only have to be good enough. Yes, yes, and anyone holding off forever to solve the forever problem is going to be his, what's his name, who wrote Xanadu, yeah, the web took over and he was pissed about that, but he waited too long.
B: Yeah, that was... that's good, yeah, I think that's also super useful because, like, I mean, you know, definitely.
B: Anyway, never mind, I won't get it, but yeah, that's great, yeah, cool. Are there any other topics around this, anything else?
B: Oh yes, yes, we're going to be canceling next week's meeting, because I believe most of us on this call will be out at Open Source Summit. You know, yes, we have... I have a talk, as well as a panel along with, for instance, the folks on this call; looking forward to that.
B: I know I definitely have some open questions still about some of the stuff that's going on with Sterling Toolchain, and if there's anything this group can do, or just even me personally, to help push some of those things, because I think that Sterling Toolchain idea is great, especially in the open source space. A lot of folks are starting to ask, like, the question of, like: hey, I run an open source project.
B: I want to do the right things, but, you know, hey, I'm just a volunteer. What can I be doing? What can I be adopting? Are there any scripts? Are there any nice little applications that will do a lot of the work for me, like something like OpenSSF Scorecard and Allstar, and those things? I know folks are looking for a lot of that, and if there's things that this group can do to help communicate that, help provide feedback, I know we're very interested there.
B: Cool, if there's nothing else, we can end 15 minutes early and I'll see at least most of you next week in person in Vancouver.