►
From YouTube: Supply Chain Integrity WG (May 16, 2023)
A
A
D
C
A
E
C
A
E
C
C
A
C
Hotel
bedroom,
which
was
literally
like
not
even
a
mile
away
from
you
all,
went
through
the
panel
talk.
It
was
very,
very
sad
that
I
was
not
there
and
sad
I
didn't
really
meet.
Actually
any
of
you.
The
only
person
I
actually
got
to
meet
up
with
was
Arno
because
I
heard
his
voice
and
his
voice
travels,
and
so
I
was
like.
Hey
I,
think
I
hear
Arno.
A
A
C
C
A
F
For
it
yeah
so
I
I
know
I
I
mentioned
some
of
this
in
the
specification
meeting,
but
I'll
reiterate
for
this
meeting
as
well
and
also
to
caveat
some
of
it
is
overall,
the
the
feedback
was
generally
great,
so
I
think
that's
that's
fantastic,
but
I
I
tend
to
sort
of
you
know
I.
We
do
want
to
focus
on
some
of
the
areas
where
a
few
folks
have
said
hey
what
about
this?
What
about
that
or
I
did
this
didn't
make
sense,
so
just
want
to
caveat
that
right.
F
F
F
You
know
the
Apache
Foundation,
a
lot
of
other
folks
have
been
building
on
local
workstations
for
a
while
and
to
say,
that's
less
secure
than
let's
say,
Travis
CI,
which
is
well
known
to
have
been
compromised
and
you
know
have
all
sorts
of
security
issues
is
like
it's
kind
of
you
know
it
doesn't
help
out
the
thing
that
they
actually
said
is
one
thing
to
push
for.
The
CI
thing
is:
if
you,
if
you're
running
off
a
laptop
I,
don't
know
where
that
actually
came
from.
F
F
You
know,
there's
also
been
some
pushback
from
a
few
other
folks
about
you,
know:
I,
don't
like
I,
don't
have
the
capacity
or
whatever
to
set
up
GitHub
or
whatever.
You
know
I
think,
there's
some
some
interesting
things
there
around.
How
do
we
make
it
simpler?
How
do
we
also
bring
folks
along
right
on
some
of
this?
You
know
and
and
stuff
like
that?
F
You
know
in
particular
around
threats.
So
one
of
the
things
that
that
folks
wanted
to
see
was
maybe
some
like
almost
like
specific
run-throughs
of
like
here
is
a
you
know:
here's
at
this
sort
of
supply
chain
attack
and
here's
how
salsa
would
have
blocked
it,
yep
yeah
threat
scenarios
and
then,
in
addition
to
the
threat
scenarios,
one
of
the
things
that
I
had
done
with
Fresca
a
while
back
was
almost
like
generate
like
tests
that
were
bad
right
like
showing
here
is
like
what
a
compromised.
Compiler
looks
like
that.
F
It,
you
know,
does
these
things
and
then
this
is
what
it
looks
like
from
the
perspective
of
salsa.
So
having
things
like
that
might
be
useful,
so
that
folks
kind
of
better
understand
like
the
things
they
should
be
looking
for
to
make
sure
that
they're
not
getting
compromised.
You
know
like,
as
a
reminder
like
you
know:
salsa
can
can
generate
malicious
code,
a
malicious
software,
but
the
idea
is,
if
you
are,
if
you're
a
high
enough
salsa
level
it's
hard.
You
know,
you
know
it's
not
the
build.
F
That
was
the
problem
that
got
compromised.
You
know
it's
like
your
dependencies.
Are
your
Source
was
where
it
got
compromised
and
so
you,
you
know
those
sorts
of
things.
So
that
was
some
of
that.
So
there's
also
been
some
confusion.
Still
over
salsa
version
versus
level
versus
track,
I
noticed
the
the
IBM
folks
had
a
code
genome
Hawk
and
the
code
genome
talk
talked
about
salsa,
V4
and
there's
probably
some
better
things.
We
could
do
there
just
to
make
sure.
F
C
F
Yeah
and
I
think
there
are
there's
some
stuff
there.
I,
don't
know
how
we
want
to
clarify
some
of
that.
Like
I
I,
don't
know
if
long
term,
we
want
to
do
something
like
salsa
level,
a
b
c
and
d,
or
something
like
that.
I,
don't
know
like
or
colors
or
or
or
or
or
just
keep
numbers,
but
just
try
and
make
sure
that
folks
really
tie
into
to
that
like
Matrix
or
something
like
that,
but
something
to
think
about.
G
F
G
D
Yeah
I
keep
I,
keep
saying
the
same
thing
so
a
lot
of
it
and
and
I
and
I
look
at
it,
both
as
someone
who's,
participating
and
and
leaning
in
and
making
sure
that
that
you
know,
wear,
dress
right,
dress
here
on
in
this
group
and
then,
of
course,
in
the
specification
meeting,
making
sure
I,
listen
in
and
take
a
look
at
those
things,
but
also
as
a
practitioner
out
in
the
wild.
As
someone
who
who
can
think
from
an
angle
of
a
consumer
of
the
Frameworks,
is
it
a
security
framework?
D
D
We
have
salsa
levels,
one
through
three
on
a
build
track.
Is
it
going
to
be
one
through
two
on
the
source
track?
What
does
signify
level
four
and
then
was
saying
these
are
security.
This
is
a
security
framework.
Okay,
so
we're
we're
applying
security
controls
and
then
we're
tossing
out
salsa
conformance.
What
is
it
and,
let's
be
very
clear
for
as
we're
positioning
here
on
what
these
different
aspects
are
and
then
be
very
specific
on
use
case
of
these
different
aspects
and
everything
else?
D
Otherwise
we're
going
to
keep
getting
these
questions
because
people
need
to
know
how
to
they
want
to
apply.
They
love
it.
They
want
it.
They
want
to
apply
it.
How
are
they
going
to
apply?
How
are
they
going
to
apply
it
in
these
very
different
use
cases?
These
are
very
different
use
cases
from
a
security
standpoint,
applying
controls,
and
that
could
be
business
unit.
It
could
be
it
could
be
business
shooting
it
could
be
organizationally
or
can
be
Enterprise
right.
How
are
we
applying
these
controls?
D
Maturity,
maturity,
level,
wise,
you
know
once
again
business
unit
organization,
Enterprise,
but
compliance
compliance
gets
to
a
whole
different
aspect
of
compliance
by
what
means
what
kind
of
business
are
we
solving
through
compliance?
I
think
you
know
it's
our
job
to
maybe
position
do
the
positioning,
but
it's
also
the
job
of
specification
side
to
narrow
these
focuses
and
and
make
sure
that
that
lines
are
drawn
where
they
need
to
be,
and
then
the
dotted
lines
are
dotted
where
they
need
to
be
otherwise
we're
going
to
keep
getting
these
kind
of
questions.
C
D
Yeah
is
it
a
maturity,
model,
security
framework
or
compliance
requirements,
and
if
it
is
all
three,
if
it
is
all
three,
what
are
the
three
that
it
is
and
then
let's
go
through
the
process
of
providing
detailed
descriptions
of
what
it
is
at
each
of
these
three
instances,
so
that
the
person
consuming
understands
how
to
consume
at
each
respective
level.
Within
the
organization.
C
H
Oh
no
worries
I
wanna
also
add
guidelines
because,
because,
as
I
was
looking
through,
all
the
content
on
the
salsa.dev
page
for
my
little
three
by
five
cards,
I
actually
saw
the
word
model
framework
requirement
and
guidelines
all
used
to
reference
salsa
throughout
the
the
various
descriptions
of
salsa,
so
I
would
I
would
plus
one
to
what
Jay
said,
because
that
was
confusing
to
me
as
well.
When
I
was
trying
to
put
the
messaging
together.
C
Okay,
yeah
I,
think
I
saw
some
discrepancies
when
I
was
doing
my
notes
in
the
hotels
and
I'll
have
to
talk
about
those
some
other
time.
So
then
we
probably
need
to
then
create
a
an
issue.
If
there's
not
one
already
against
the
specification
to
document
this
concern
and
things
that
we
might
need
to
consider
going
forward
so
that
we
can
address
it
on
the
on
the
specification
or
on
the
website.
F
Oh
yeah
I
was
just
gonna
comment
yeah.
This
is
what
happens
when
you
have
a
lot
of
a
I
guess
when
it
comes
to
a
lot
of
the
writing.
You
have
actual
technical,
Hands-On
keyboard
folks,
because,
honestly,
what
I'll
say
is
the
majority
of
us?
Don't
really
care
about
the
distinction,
because
we're
not
involved
in
that
space,
we're
just
like
oh
yeah.
What
do
you
need
us
to
do?
What
do
you
need
us
to
implement?
F
But
I
also
recognize
that
for
folks
who
do
exist
in
sort
of
the
compliance
space,
the
words
do
matter.
Even
if,
like
you
know
in
colloquial
sort
of
you
know,
Speech
you
saying
something
like
is
a
guideline
or
requirement,
but
you
know
a
lot
of
folks
outside
of
that
sort
of
compliance.
Space
are
going
to
say
yeah.
It
probably
means
it's
about
the
same
thing
when
they
dunked
to
be
clear.
F
I,
get
that,
like
you
know,
like
guidelines,
are
often
not
as
strict
as
requirements,
and
you
know
compliance
means
a
very
specific
thing
where
you
are,
you
know,
providing
evidence
of
a
thing
in
a
specific
way
and
and
all
and
all
that
sort
of
stuff.
So
I
definitely
think
that,
like
on
that
level,
I
know
you
know
the
specification
team
could
probably
use
a
bit
of
additional
help
in
that
wording
piece.
F
You
know,
because
the
the
tech,
you
know
what
I'll
say
is
like
generally
those
of
us
who
are
mostly
Engineers
we're
never
going
to
to
write
it
perfectly
in
a
way
that
can
be
understood
like
we
can
write
it
in
a
way
that
could
be
understood
by
other
Engineers.
But
salsa
is
not
something
that's
purely
being
read
by
Engineers
anymore
right.
It
is.
It
is
something
that
is
at
a
high
level
being
read
by
even
potentially
Executives
saying,
like
hey
I'm,
you
know
we
need
to
hit
these
require.
F
F
You
know
a
lot
of
Industries
have
policies
and
their
policies
are
considered
almost
as
good
as
regulatory
requirements
right
like
certain
companies,
especially
in
like
the
banking
and
fintech
and
finserv,
are
actually
required
to
abide
by
their
their
policies
and
I
mean
all
companies
at
some
level,
but
but
significantly
more
strictly.
And
so,
if
a
company
says
yep
we're
adopting
salsa
as
a
security
framework,
they
need
to
also
show
to
their
internal
folks
as
well
as
external
folks
that
they
are
in
fact
complying
with
salsa.
F
So
there's
some
Nuance
there
as
well,
so
we
I
think
updating
the
doc.
You
know
I,
think
making
some
of
that
clearer
and
also
yeah
clearing
cleaning
up
some
of
the
language
and-
and
we
could
definitely
use
some
help
from
folks
who
are
maybe
not
as
hands
on
keyboard
and
are
better
wordsmiths
and
than
the
engineering
folks.
Jay.
D
Yeah,
so
so,
to
your
point,
right
when
I,
when
I
talk
to
people
about
salsa
and
and
they're
and
they're
immediate
back
to
me,
is
well
our
our
Engineers
are
already
doing
X,
Y
and
Z
right
they're
already
following
this,
this
that
or
other
they're
already
following
this
right.
We
don't
want
them
to
have
to
think
about
what
else
to
follow,
and
my
immediate
response
to
that
is
consider
salsa
as
an
in
not
an
org.
So
by
implementing
these
respective
controls,
you
then,
would
become
compliant
at
Salsa
level.
D
That's
what
that's
that's
what
that
makes
it
that
takes
it
away
from
being
a
security
framework
they're
already
following
a
security
framework.
You
don't
want
to
put
for
the
organization
that
doesn't
necessarily
have
a
security
framework.
Then
they
can
Implement
those
controls
in
the
salsa
framework
towards
becoming
social
compliant.
That's
a
different
conversation
right,
but
it's
that
conversation
that
needs
to
be
had
in
that
kind
of
articulation.
D
That
needs
to
live
inside
of
the
specification
and
needs
to
live
and
how
we
position
it
in
order
for
us
to
not
get
as
many
questions
that
we
are
getting
that
present
the
confusion
and
more
questions
around
implementation
in
the
application
across
the
respective
Enterprise.
We're
not
getting
those
questions
and
that's
my
fear,
my
fear
is
our
questions
are
still
around
confusion.
D
D
H
I,
don't
know
if
that
ever
went
anywhere,
but
that's
where
I
was
thinking
of
like
this,
because
you
can
be
cmmc
certified,
and
so
that
was
what
my
comment
was
in
the
chat
like,
oh
and
then,
and
then
the
conformance
program
I
know
they.
They
spoke
to
that
during
open
ssf
as
well.
There
was
that
proposal
was
one
of
the
sessions.
F
Oh
yeah,
I
was
just
gonna,
say,
I
think
it's.
It's
definitely
worthwhile
to
have
like
I,
think
a
broader
conversation,
because
I
know
some
of
the
feedback
I've
gotten
in
once
again.
I
think
some
of
us
talk
to
different
audiences.
Some
of
us
are
focused
on
you
know,
talking
to
different
people,
whether
they're
sort
of
managers
or
compliance,
folks
or
security,
folks
or
or
just
engineers
and
I-
think
one
of
the
strengths
from
that
from
feedback
that
we
gotten
is
at
least
at
some
level.
F
The
requirements
of
salsa
are
very
clear
to
most
Engineers
like
there's
some.
You
know
vagueness
around
a
couple
of
pieces
that
maybe
need
to
be
clarified,
but
I
know
that's
one
of
the
the
key
things
and
I
know
one
of
the
things
that
I
know
that
having
worked
in
the
nist
and-
and
you
know,
nist
853
190-
all
that
good
stuff.
You
know
a
lot
of
Engineers
are
very
allergic
to
that
sort
of
way
of
framing
compared
to
let's
say,
security,
folks
and
so
I
do.
F
However,
we
kind
of
do
this.
I
I
do
want
to
make
sure
that
we
can
make
sure
that
we
are
still
being
inclusive
of
a
lot
of
the
the
different,
and
you
know
the
different
groups,
and
that
might
be
something
like
here
is
the
canonical
representation
of
let's
say
requirements,
but
here
are
how
we
frame
it
to
different
groups,
so
they
don't
feel
so
that
I
guess
they
understand
it.
F
If
that
makes
sense,
right,
I
just
want
to
make
sure,
because
I
know
one
of
the
biggest
pieces
of
feedback
that
people
had
brought
up
is
like
great.
You
gave
me
very
clear,
distinct.
The
build
should
be
doing
this.
The
build
should
be
doing
that
the
build
should
be
doing
this
and
I.
Compare
that
with,
let's
say
some
certain
other.
C
Yeah
they're,
not
a
PR,
just
just
an
issue
against
the
salsa
specification
and
you
can
copy
and
paste
a
lot
of
what
we
wrote.
I
I,
don't
know
what
the
the
format
is,
but
I
think
we
can
always
edit.
What's
there
I,
don't
think
it's
a
big
deal,
it's
just
so
that
we
can
start
having
that
conversation
with
the
broader
audience
right.
F
I
showed
off
the
the
new
npm
beta
for
the
GitHub
generator
that
had
just
been
released
the
day
before
so
folks
were
super
interested
in.
Seeing
that
and
the
thing
that
was
kind
of
nice
there
is
npm
can
actually
show
you
salsa
now
it
directly
inside
of
the
the
npm
website.
So
you
it
was.
It
was
really
nice
to
be
able
to
just
sort
of
show.
Folks
like
hey
here
is
a
here's.
This
GitHub
generator
tool,
and
here
it's
actually
being
used
in
the
outside
world.
F
You
know,
and
you
could
actually
look
at
the
you-
could
look
at
the
npm
website
and
actually
see
you
know.
Mike's
test
package
is
actually
salsa
verified
right,
which,
which
was
cool,
and
so
a
lot
of
folks
were
very
interested
in
that
a
lot
of
folks
were
were
very
interested
in,
like
hey.
Can
this
support
this
ecosystem
or
that
ecosystem
and
so
trying
to
bring
them
into
the
tooling
meetings
and
and
help
out
with
that
as
well?
What
else
I
think
generally
yeah?
It's
been?
F
F
F
But
I
do
think
that
if
some
of
those
organizations
themselves
like
if
Jenkins
wants
to
come
to
us
and
say
hey,
what
would
it
take
for
us
to
make
Jenkins
either
via
a
plug-in
or
something
else
make
it
salsa
compliant
I,
think
that
would
be
super
useful
I.
Just
don't
want
us
to
necessarily
spend
a
bunch
of
time
on
on
that,
because
then
people
are
going
to
say
hey
what
about
Circle
CI?
C
Yeah
I
think
we
had
talked
about
something
like
that
as
a
road
map
item
right
to
start
reaching
out
and
branching
out,
but
we
first
have
to
you
know,
get
our
ducks
in
a
row
in
openness
of
supper.
First,
before
we
start
doing
that,
Branch
out,
but
I.
Think
if
we
get
more
the
more
volunteers
we
get
I
think
the
faster
it'll
happen.
C
So
if
anybody
knows
folks
from,
for
example,
in
this
scenario,
team,
City
or
Jenkins
or
anybody
else
bring
them
to
the
specification,
bring
them
to
the
tooling
meetings
and
then
they
could
potentially
take
part
in
trying
to
enable
the
broader
community
and
some
of
those
items,
because
I
do
think
like
a
Blog
right
would
be
helpful
in
that
scenario
where
a
Jenkins
person
says
hey.
This
is
how
we
were
able
to
do
to
do
this
right.
It's
not
necessarily
about
productization,
it's
more
about
how
to
show
people
how
to
get
to
that.
B
Yeah,
just
kind
of
addressing
Michael's
comment
there
of
once.
We
start
adding
something
for
Jenkins
someone's
going
to
want
something
for
every
other
build
platform,
and
my
thought
there
is
do
we
need
to
build
this
for
every
CI
tool.
Or
could
we
make
some
kind
of
generic
salsa
Builder?
That
itself
could
be
run
from
within
inside
of
an
ACI
system,
and
you
just
launch
that
off
and
it
runs
some
like
some
kind
of
build
and
Essence
inside
of
it.
F
F
Whatever
it
doesn't
matter,
not
the
entire
thing
is
salsa
compliant
or
conformant
or
whatever,
but
the
Builder
is,
and
so
the
thing
that
actually
runs
the
compilation
step
is,
is
sort
of
that
trusted
build
service,
and
so
you
know
you
could
still
continue
to
use
your
own
CI
service.
You
want
to
go
and
actually
build
a
thing
cool.
You
pass
it
over
to
this
other
thing.
F
There
seem
to
be
some
interested
in
that
I'm,
hoping
to
you
know,
maybe
open
source
some
stuff
on
on
on
that
front.
But
yeah
a
lot
of
folks
are
saying:
hey.
You
know
we
want
to
use
our
own
existing
CI
system,
I.
Think
we
should
give
the
opportunity
right
to
folks,
like
Jenkins
team
City,
whatever
else.
What's
the
other
one
bamboo
right
to
come
in
and
you
know,
say:
yeah
we're,
building
salsa
Integrations
directly
in
our
system,
but
from
the
community,
effective
I.
F
Don't
think
you
know
you
know
we
can't
develop.
We
can't
develop
Integrations
for
everybody,
so
I
think
on
that
end.
You
know
there
might
still
be
some
interesting
stuff
there
right,
because
as
a
reminder
for
folks,
you
know
like
salsa,
you
know
the
build
itself
is
like
one
component,
and
so
if
you
can
wrap
that
build
in
some
secret
sauce
or
you
know
that
that
secures
it
it's
good
enough
to
be
salsa,
and
so
there
seemed
to
be
some
interest
in
something
like
put,
you
know,
could
Jenkins
could
team
City?
F
Could
bamboo
Etc
just
hand
off
to
something
like
the
salsa
secure,
build
service
that
runs
whatever
it
is?
It
itself
is
the
secure
thing.
Nobody
is
making
the
claim
that
the
entire
CI
system
is
secure
or
the
entire
CI
pipeline
is
secure,
but
at
least
that
build
step
is
secure,
which
I
think
is
is
important.
C
F
So
Fresca
right
now
is
a
secure
pipeline
via
tecton,
and
the
problem
is-
and
this
is
literally
feedback
we
got
during
the
got
during
the
the
the
panel
was
hey
I,
don't
want
to
run
tecton
tecton
chain,
spiffy
Spire.
All
these
different
components
in
my
ecosystem,
I
want
to
just
be
able
to
run
one
small
thing
and
and
and
move
on
or
I
want
to
run
something
that's
a
plug-in
into
Jenkins
and
just
run
it
now
in
in
certain
cases.
The
answer
is
sorry
too
bad,
because
you
know
certain
build
systems.
F
You
know
like
just
to
be
clear.
The
way
we've
looked
at
at
Jenkins
has
been
very
difficult
like
securing.
It
is
very
difficult
because
of
and
not
Jenkins
X
Jenkins
X
kind
of
took
a
lot
of
the
learnings
from
Jenkins
and
and
took
it
to
the
next
level,
but
there's
a
lot
of
concerns
with
how
Jenkins
is
sort
of
open
by
default,
and
so
you
could
potentially
run
us
Jenkins
that
is
salsa
compliant
and
conformant,
and
all
that
good
stuff
and
generating
all
the
right
provenance.
F
But
it
would
take
a
lot
of
time
and
effort
to
do
and
I
don't
know
if
anybody
is
is
working
on
that
sort
of
thing.
I
know,
I,
don't
want
to
work
on
that
sort
of
thing,
so
I
think
working
on
something
a
bit
more
generic.
That
is
like
you
know,
because
just
to
kind
of
take
us
back
right.
So
so
Fresca
itself
can
do
the
end-to-end
salsa
conformance
of
your
entire
pipeline
right.
F
It
does
all
the
right
things
in
different
places,
there's
still
a
few
things
here
or
there
that
need
to
be
fixed,
but
generally
that's
that's
the
the
intent
of
it.
Most
folks
are
like
hey
I,
don't
you
know
if
you're
telling
me
I
need
to
do
all
that
to
to
do
my
pipeline
I
have
some
simple
pipelines:
I,
don't
want
that.
F
What
I
want
is
I
want
to
have
my
normal
Pipeline
and
I
just
want
to
say
the
compilation,
the
build
the
packaging
step,
that's
salsa,
conformant,
and
so
is
there
something
I
could
just
call.
That's
just
that
one
little
small
piece,
and
so
that's
something
that
a
lot
of
folks
have
been
asking
about.
Is
there
something
like
that.
C
F
F
The
thing
we
need
to
figure
out
is
how
to
boost
the
Fresca
Community
a
bit
because,
right
now
it's
still
it's
like
a
there's,
a
couple
of
us
like
Brandon
Mitchell,
myself,
Brad
Beck
Remy,
but
most
of
the
folks
on
it
are.
You
know,
we're
talking.
Maybe
you
know
an
hour
a
week
kind
of
thing
they
can
dedicate
to
it,
whereas
some
of
the
stuff
you
know
is
going
to
require
a
lot
more.
B
F
You
know
it's:
okay,
I
actually
had
some
interesting
conversations
with
some
of
the
open
ssf
folks,
who
are
still
interested
in
pushing
some
of
the
Fresca
stuff.
I,
think
that
they
did
say
is
like
hey.
It
would
be
really
nice
to
do
something
like
what
Melba
just
described
of
like.
Could
we
simplify
Fresco
a
little
bit?
F
Can
we
say
here
is
now
a
new
component
of
Fresca
and
yayada,
and
you
know
maybe
come
back
to
the
larger
scale
architecture
later
and
in
fact,
actually
one
of
the
things
I
found
out
at
some
of
these
things
is
one
of
the
problems
with
Fresca.
Is
there
actually
are
a
lot
of
folks
who
are
looking
at
Fresca,
I,
won't
name
names
but
they're,
all
very
large
companies
that
are
looking
at
Fresca.
F
The
problem
is
they're
like
hey,
look
we're
not
adopting
Fresco,
but
we're
looking
at
Fresca
and
saying
like
hey,
let's
replace
you
know
this
component
with
this
other
component.
That
does
a
similar
thing.
Let's
replace
you
know
we're
using
Vault
for
Secrets
management.
Let's
replace
Vault
with
you
know
this
Secrets
manager
we
use,
let's
replace
tecton
with
with
openshift
pipelines.
Let's
replace
this
with
that
and
so
they're
looking
at
it
at
a
high
level.
F
But
we
can't
actually
talk
about
it
too
much.
We
can't
actually
contribute
back
even
from
here
are
our
use
cases
perspective,
which
is
you
know
not
the
greatest,
but
but
yeah
hoping
to
you
know,
maybe
follow
up
on
some
conference
conversations
this
week
that
I
had
last
week
to
see
if
folks
might
be
at
least
willing
to
talk
a
little
bit
more,
not
necessarily
Hands-On
keyboard,
but
at
least
be
able
to
talk
about
their
use
cases
and
express
interest,
because
I
feel
like
if
enough
folks
express
interest.
C
C
F
F
Let
me
take
a
look
and
and
start
working
on
it
and
also
the
fact
that
it's
smaller
makes
it
much
easier
to
actually
run
because,
like
technically
Fresca
can
run
locally
on
your
workstation.
But
a
lot
of
folks
are
just
like
running
mini
Cube
and
or
whatever
it's
a
whole
thing,
whereas
running
something.
F
That's
like
a
small
little
piece
is
is
much
easier,
like
I
I,
think
to
like
other
tools
that
are
applying
to
simplify
the
build
process
like
Co
and
some
of
the
stuff
like
build
kit
and
and
some
of
these
other
things,
I
look
at
those
things
and
I
go.
Oh
I
see
what
they're
doing
like
they've
kept
everything
super
simple.
They
kept
everything
you
know
at
some
level.
F
The
architecture
might
still
need
to
exist,
but
having
something
there
that
folks
can
point
to
and
say
this
is
the
secure,
Builder
and
yeah
if
I
need
the
full
thing.
Sure
I'll
take
a
look
at
Fresca,
but
if
I
just
need
a
secure,
build
piece,
I
could
just
use
that
I
think
folks
might
be
interested
there.
C
C
F
F
F
A
C
A
C
Like
freaking
out,
I
asked
Ops
and
they
didn't
seem
to
think
I
deleted
anything.
But
if
you
see
something
disappear
from
the
from
the
calendar
by
accident,
maybe
ping
me
in
terms
of
Fresco
or
secure
software
Factory,
because
I
did
it
through
Outlook
I
didn't
do
it
through
Google
Calendar,
because
apparently
I
have
special
powers
for
the
ossf
calendar
which
I
probably
shouldn't
have,
but
I
want
to
make
sure
I
don't
delete
something
by
accident.
C
G
Just
one
thing
completely
outside
of
this:
as
I
Was
preparing
for
the
panel
I
was
putting
a
slide
together
right
and
then
I
realized,
SCI
positioning.
Wasn't
there
in
the
David
wheeler
slides
listing
all
the
groups,
all
the
projects
and
Ace?
What
is
it
sigs
and
working
groups?
And
then,
when
I
was
following
up
I
realized
this
thing
the
SCI
positioning
has
no
landing
page,
no
Charter.
G
Because
if
you
look
at
the
I
mean
the
the
minutes,
where
you're
working
on
right
now,
if
you
look
at
the
top
of
the
page,
it
points
to
salsa
SCI,
but
it
doesn't
talk
about
SCI
positioning.
Specifically,
there
should
be
each
six,
each
working
groups-
Gusto
Charter-
it
doesn't
have
to
be
very
complicated,
but
they
should
be
at
least
a
landing
page.
I
say:
hey,
there's
this
group
that
exists,
and
this
is
what
it
does.
C
G
C
A
G
G
I
think
something
like
this
would
be
totally
fine,
and
just
so
you
know
the
tag
just
met
before
this
meeting
and
there's
going
to
be
a
task
force
kind
of
thing.
That's
going
to
look
at
doing
a
survey
of
all
of
open,
ssf,
taking
on
initiatives
and
check
that
they
have
a
readme
or
Charter
and
all
this
good
stuff.
So
this
is
not
wasted
time.
If
we
don't
do.
A
A
C
A
G
C
C
G
C
C
Yeah
yeah
I,
don't
know
okay
yeah
thanks
for
bringing
that
up.
I
know
it's
been
top
of
mind.
I
know
we
talked
about
it
last
week.
Now
what
about
our
blogs?
That
was
one
thing
that
we
weren't
sure
how
to
handle
right.
It's
also
has
a
place
for
blogs,
Fresca
s2c2fs,
but
positioning
as
a
whole
for
supply
chain
integrity.
C
G
D
D
A
A
F
So
I
I
had
a
question
and
and
I
know
this
is
now
for
I.
Don't
want
to
put
you
know,
I'm
going
to
put
the
new
Vice
chair
on
the
spot,
so
yeah
I,
think
one
of
the
things
that
I
think
would
also
be
useful
here
is
is
like
if
there
are
ways
that,
because
I
know
that
there's
some
templates
and
I
know
some
of
the
templates
didn't
exist
when
SCI
first
started
and
even
before
it
was
called
SEI,
it
was
called
developer
Identity
or
something
like
that.
Yeah
yeah.
F
So
if
there
are
things
that
I
think
that,
like
you
know,
both
from
the
perspective
of
things,
we
can
just
sort
of
follow
and
say
hey.
These
are
generally
what
we
should
be
doing
as
well
as
like.
If
there
are
things
that
maybe
we
think
are
kind
of
also
missing,
we
could
go
back
and
say
hey.
Can
we
update
some
of
the
the
governance
a
little
bit
because
it
seemed
to
be
a
little
unclear
around
how
to
approach
this.
G
G
We
actually
talk
specifically
about
templates
and
so
on,
because
in
fact
you
know,
Amanda
is
working
on
a
tool
that
will
automatically
forage
all
the
information
from
all
the
repos
in
terms
of
read
bees
and
whatnot
for
all
the
different
reports
related
to
open
ssf,
but
I
told
her
watch
out
because
it
might
look
like
there
is
a
charter.
But
if
you
look
into
it
you
know
it's
still
the
template
and
the
template.
G
That's
there
is
actually
very
complex
and
it
kind
of
you
know
leads
people
to
try
to
have
a
team,
CSC
and
all
sorts
of
things
that
must
group
don't
even
care
to
have,
and
so
this
is
a
long
story
to
say.
Yes,
we
are
aware-
and
we
do
want
to
improve
things
on
that
front
and
I-
think
Amanda
and
Francis
are
eager
to
help
us
get
there.
So
I
think
there's
a
good
chance.
We'll
have
some
improvements.
C
Yeah
and
I
know
we
talked
about
this
in
one
of
the
sci
working
group
meetings
in
terms
of
updating,
templates
and
governance
and
actually
I
think
Jay.
You
were
supposed
to
come
up
with
something
if
I
remember
correctly,
there
was
an
action
item
for
you
to
have
a
one-pager,
so
I'll
have
to
go,
find
those
notes,
but
I,
remember
us
talking
about.
C
C
C
All
right
so
I'll
I'll
find
it
I'll
find
it.
But
I
I
do
remember
us
talking
about
this,
because
there
was
a
lot
of
confusion
on
like
well.
What
what
are
the
rules?
What
should
we
be
doing
and
I
think
Jennifer
Bly
was
a
part
of
those
conversations
and
we
said:
okay,
we'll
drop
some
one
pagers
to
give
people
guidance
on
how
to
proceed,
but.
D
G
F
Yeah,
so
there's
like
something
going
on
on
the
Google
side,
which
I'm
trying
to
figure
out
is
randomly
and
a
bunch
of
other
working
groups
have
said
the
same
thing.
Randomly
Google
started
looking
at
like
Pi
Pi
and
ruby
gems,
and
some
other
package
repositories
as
being
potentially
suspicious,
which
is
weird
so
trying
to
find
out
which
of
the
the
actual
links
are
the
ones
that
are
being
seen
as
suspicious
I
couldn't
figure
it
out.
F
I
looked
through,
you
know,
there's
a
lot
of
links
in
here
and
there
seems
to
be
no
way
in
that
sort
of
header
to
actually
say
like
which
of
the
links
or
what
set
of
links
are
the
ones
that
are
being
viewed
as
suspicious,
because
you
know
who
knows
right,
like
somebody
might
have
gone
in
right,
because
it's
an
open
document,
someone
might
have
gone
in
and
changed
a
link
and
turned
it
into
something
suspicious.
But
there's
no
seemingly
no
way
for
me
to
find
where
that
is.
C
A
F
Being
but
I
know
that
with
some
of
the
groups
like
like
Maven
Central
and
so
on,
like
I,
think
some
of
the
package
of
repositories
were
the
ones
that
were
were
getting
linked
there,
which
I
think
it
sort
of
makes
sense
like
hey.
Some
of
those
package
repositories
ended
up
with
like
malicious
stuff
on
them.
Right
doesn't
mean
the
entire
package
report.
Pository
is
malicious,
but
I
wonder
if
Google
inadvertently
flagged
an
entire.
You
know
Pi
Pi
npm,
something
like
that
as
malicious.