►
From YouTube: Supply Chain Integrity WG (April 4, 2023)
A
B
A
A
A
Oh
good,
all
good
I
got
it
all
right
good
deal.
What
thank
you?
Everyone
for
joining
this
edition
of
our
supply
chain,
Integrity,
positioning
positioning
meeting,
where
we
talk
about
a
few
of
the
initiatives
that
we
have
currently
in
Flight,
Supply
and
trade
Integrity
working
group
and
how
we're
positioning
those
within
the
community
and
externally
within
the
market,
see
we
have
before
we.
We
do
anything
else,
we'd
like
to
welcome
all
of
our
newcomers.
A
E
D
F
Simply
you
can
hear
me
yeah
Matt,
Coleman,
I,
work
for
IBM
security
and
based
in
the
UK
and
work
on
oh
I'm,
the
Emir
container
security
lead
for
IBM
security.
So
all
things
container,
related
and
devsecops
have
an
interest
in,
and
some
of
the
stuff
that
we've
been
looking
at
is
also
then
going
across
into
software.
A
Excellent
well
Welcome
Matt
glad
you're
here,
let's
see
is,
is
there?
Is
there
anything
so
because
this
this
is
one
of
a
few
Sig
meetings
that
that
we
do
that
that
are
surrounding
our
larger
initiatives?
Is
there?
Is
there
one
particular
thing
you
wanted
to
you
wanted
to
do
here
in
this
sig
meeting,
learn
from
the
seed
meeting
and
and
then
how
can
we
help
you
stay
a
while
yeah?
How
can
we
help
you
stay
away.
F
So,
as
Melba
said,
she's
invited
me
along
to
it,
so
hopefully
it's
the
right
place
to
be,
and
so
I'm
I'm
interested
in
the
Integrity
around
the
the
pipeline,
as
as
one
thing,
but
also
related
to
the
the
kind
of
view
that
I've
been
forming
of
and
and
Melbourne
knows,
because
we
were
discussing
at
this
kind
of
inception
model
of
how
the
different
aspects
of
the
Integrity
all
get
wrapped
around
each
other.
So
you'll
build
pipeline
itself
has
got
to
have
undergone
the
source.
F
Integrity
checks
for
how
you
build
it,
and
things
like
that
and
and
that
whole
kind
of
looping
in
and
out
of
how
it's
done
is,
is
a
point
of
interest
for
me.
So
just
trying
to
really
get
to
grips
and
understand.
What's
the
the
thinking
and
the
space
and
and
how
we
could
look
at
them,
taking
this
to
our
our
clients
and
making
sure
that
we're
we're
talking
about
it
in
the
right
way
and
so
developing
the
the
right
way
in
terms
of
how
we
want
to
talk
about
it
internally,.
A
A
One
of
the
things
that
we're
also
doing
is
we're
working
on
a
complete
supply
chain,
Integrity
framework
that'll
that
that
we're
going
to
build
that
will
identify
even
more
gaps,
perhaps
that
we
can
evangelize
and
and
get
filled
across
supply
chain
security,
Spectrum,
I
think
one
of
the
things
we
should
think
about
here
in
as
our
90
right.
So
if
we
did
a
30,
60
90,
you
know
the
view
of
things
that
we're
working
on.
Maybe
the
90
views
should
be.
A
How
are
we
positioning
that
framework
that's
going
to
be
created
across
the
the
the
the
you
know
to
other
communities
across?
You
know
the
market
in
general,
because
I
think
that
stuff
is
very
important
as
well
and
and
Matt
you're
you're
in
the
right
place
for
it.
So
we'll
lean
on
you
a
lot
with
some
of
your
thoughts
and
thank
you
very
much
for
that
all
right,
I.
Think
if
we're
following
the
agenda.
A
G
G
I
know
you
put
in
some
messaging
points
about
speaking
to
the
different
audiences
I'd
like
to
keep
in
keep
that
open
for,
like
a
more
General
audience,
who
might
first
be
learning
about
salsa
and
what
it
is
and
and
and
kind
of
how
they
can
get
involved.
So
I
think
we
just
kind
of
need
to
have
that
mindset
on
mindset
as
we
as
we
finalize
this
content
like
what
what's
going
to
be
easy
for
people
to
access
and
understand.
G
A
E
E
We
can
condense
the
messaging,
but
there's
no
mention
anywhere.
The
only
mention
is
consumer
and
SEC
analyst
of
secops,
so
I
feel
like
we're
missing
a
big
chunk
of
the
audience,
and
so
we
need
to
craft
something
for
them
and
I'm,
not
a
Wordsmith
by
any
means,
so
I
just
did
my
best
with
the
implementers.
So
that
was
just
my
take
on
why
I
made
the
comments,
because
I
feel
like
we're
missing
a
wider
audience
that
we're
trying
to
Target.
G
H
You
know
because
I
think
one
of
the
things
that
we
we've
we've
been
driving
home
in
a
lot
of
the
various
blogs
and
other
things
that
we've
been
releasing
right
is
is
the
goal
here
is:
is
it's
supposed
to
help?
You
know
secure
the
supply
chain
it
does
so
by
making
you
feel
more
confident
that
what
the
build
is
telling
you
is
accurate,
not
necessarily
that
you
know
and
I'm,
not
a
Wordsmith
when
it
comes
to
this
stuff,
but
it's
accurate.
H
G
G
E
D
C
E
C
D
C
Whether
we
looked
at
it
earlier
but
I
was
busy,
so
the
news
by
the
way
is
the
we
are
done
with
all
the
pull
requests
against
the
spec
and
so
Mark
ludato
is
working
on.
The
full
request
to
publish
rc2
should
happen
today,
which
puts
us
on
track
to
get
the
final
version
published
April
19th
for
the
schedule,
because
we
need
two
weeks
of
review
to
comply
with
the
community
specification.
Community
specification
license
framework.
D
G
C
Yeah
so
yeah
the
the
release
would
be
April,
19th
and
then
I
guess
we
will
know.
When
do
we
have?
The
self-suspect
meeting
will
be
on
the
Monday
I
guess
that's
when
we
will
have
to
make
the
call,
depending
on
whether
we
have
you
know
anybody
has
found
some
problem.
We
are
too,
we
have
to
fix
the
spec
in
a
way
that
requires
us
to
do
an
rc3.
Then
we
would
have
to
cancel
or
postpone
the
release
of
the
final
version
by
another
two
weeks
or
so.
D
H
Some
sort
of
major
thing
that
everybody
missed,
but
you
know
I,
think
the
problem
rate
is
is
if
we
go
back
to
sort
of
the
the
community's
specification
as
Arno
had
mentioned.
Like
we're,
you
know,
even
if
all
of
us
think
yeah
it's
good
to
go,
we
still
need
to
wait
two
weeks
and
and
for
any
sort
of
major
objections.
A
So
so
Jennifer
how
how
what's
your?
What's
your
I
guess?
How
much
time
do
you
need
to
get
this
to
the
Press?
Exactly
so
I
guess
the
nature
of
my
question
is:
let's
say:
for
instance,
RFC
2
comes
out.
Somebody
finds
something
that
says
all
this
needs
to
get
changed
and
now
we're
now
we
have
to
move
our
our
19th
date.
How
much
time
do
you
need
them,
because
we
could
we
can
still
get
the
press
release
done.
G
A
Got
a
type
three
to
four
weeks,
Hitting
off
for
there,
because
you
have
that
you
have
coupon,
you
have
RSA,
you
have
open
Summit.
You
got
all
of
these
conferences
that
are
back
to
back
to
back
to
back
so
I
mean
any
time
within
there
will
probably
be
great
I
mean
you
want
to
get
it
ahead
of
all
of
them,
but
in
the
in
the
instance
that
somebody
finds
something
wrong
by
the
way
I
would
love
to
see
it
released.
On
the
19th,
that's
my
birthday!
A
C
G
C
G
B
A
Going
back
to
the
to
the
press
release
we
have
a
few
of
the
contributing
organizations
with
quotes,
making
sure
that
these
are
actual
quotes
from
those
organizations
and
not
just
the
individual,
contributing
that
just
happens
to
be
from
those
organizations.
I'm
pretty
sure,
I
I
want
to
say
I,
know,
I
know
the
due
diligence
was
done,
but
I
wanted
to
make
sure
that
was
mentioned
here,
because
it's
just
in
the
off
chance
that
it's
not
you
know
the
individual
that
was
working
women,
we're
all
volunteers
right.
A
So
you
know
making
sure
that
these
companies
that
the
individuals
of
volunteer
from
are
on
board
saying
these
things
about
salsa,
rather
than
just
the
individual
saying
these
things.
We
want
to
make
sure
that
that's
a
that's
it
for
the
recording
that
that
I
mean
I'm,
pretty
sure
we
did
the
due
diligence,
but
in
our
due
diligence
from
from
our
from
our
our
group,
making
sure
we
did
that
go
ahead.
Melba.
E
G
I
mean
it
I
think
it's
up
to
each
individual
organization
to
get
internal
approvals
within
their
own
organizations,
but
as
far
as
I'm
aware,
yes,
that
has
been
the
process
that
each
organization
has
followed.
Although
I
you
know,
I
don't
have
this
ability
and
which
teams
reviewed
the
quotes
on
their
end
or
which
ones
need
to.
So
that's
that's
an
expectation
coming
into
this.
G
C
H
Yeah
whoops,
sorry
yeah,
so
yeah
I
was
and
I
was
just
gonna
say
actually
one
of
the
folks
who,
who
did
kind
of
get
back
to
me
about
most
likely
not
being
able
to
contribute
a
quote,
was
was
John
Meadows
from
City
because
he
did
sort
of
say.
Did
he
getting
something
like
a
quote?
Is,
is
potentially
more
like
over
a
month
in
in
approvals
internally,
where
he
is,
which
is
of
course
very
different
than
my
situation,
where
it's
like?
G
A
E
A
I'm
gonna,
say
I'm
gonna
say
not
no,
but
hell
no,
but
I'm
working
internally
to
see
if
I,
gotcha,
okay,
if
we
can't
get
somebody
a
little
a
little
bit
above
my
my
pay
grade,
I
can
say
a
couple
of
words:
if,
if
that's,
if
that's
what
what
we
want
to
do,
I
just
this,
this
is
me
saying:
I,
don't
know
that
I
want
that.
I
would
like
my
org
to
be
left
out
of
the
loop
on
this
being
that
I
am
heavily
involved
in
it.
I'm
saying
I
mean
I.
Think
to
us.
A
G
A
All
right
good
deal
we're
so
we
had
we
set
aside
20
or
30
minutes
for
that,
which
was
great,
I
mean
we're
coming
right
up
to
it.
I
think
the
next
thing
we
have
on
our
agenda
here
are
our
blog
updates.
We're
starting
with
Mike's
breath
in
depth
of
salsa
and
I
did
owe
you
a
good
read
on
that,
but
I
mean
the
the
quick
scan,
look
looked
okay,
but
I
guess
we
could
talk.
A
A
All
that
I,
like
that,
a
lot
and
I
like
the
I
liked,
where
what
my
thought
process
did
around
that
so
I
I
enjoy
I
enjoyed
that
I
enjoyed
that
that
fifth
paragraph
there
in
the
fifth
paragraph
there
as
well
yeah
good
man,
I
mean
you
know,
I
I,
like
I
said,
did
a
quick
scan
and
I
was
like.
Oh
this.
This
is
this
does
a
great
job
of
providing
the
the
kind
of
perspective.
That's
that's
needed.
D
A
H
H
What's
his
name,
Tim
pepper,
who,
who
gave
me
a
lot
of
great
feedback
on
the
initial
sort
of
stuff
as
well?
As
you
know,
Arno
and
Jay
had
given
feedback
in
one
of
the
meetings
and
so
I
believe
it's
it's
in
a
you
know,
I
think
it's
in
a
reasonable
spot
from
at
least
the
content
perspective,
but
it
is
align
to
the
goals
of
Sci
is
kind
of
where
I
wanted
to
kind
of
get
some
additional
feedback
on.
H
You
know
with
the
once
again
for
folks
who
are
not
so
familiar
right
like
there
is
a
project
called
Fresca,
it's
a
secure,
build
example,
and
it
you
know
it
works
and
everything
else,
but
we're
trying
to
kind
of
figure
out.
You
know
due
to
sort
of
changing
priorities
and
and
also
some
confusion,
the
community.
What
can
we
be
doing
to
make
it?
You
know
you
know,
get
more
folks
contributing
to
it.
H
Garner
more
interest,
see
where
we
want
to
kind
of
you
know
where
we
want
to
see
freskin
the
future
you
know
and
and
get
folks.
The
two
main
folks
we're
looking
for
right
are
we're
looking
for
use
cases
from
from
potential
end
users,
even
if
it's
just
hey
Fresca
is
it
makes
sense
that
Fresca
is
like
an
educational
example.
It
doesn't
really
make
sense
as
an
actual
tool
that
gets
used.
H
That's
fine,
because
then
we
just
helps
us
focus
on
what
we
want
to
push
with
Fresca
and
then,
in
addition
to
that,
you
know.
Whichever
way
we
end
up
going
with
it,
we
need
some
additional
sort
of
Hands-On
keyboard
Engineers
to
actually
work
on
on
some
of
the
elements
in
Fresca
and
yeah
for
Melba.
You
know,
there's
definitely
you
know
the
potential
there
I
think
the
thing
is
just
we
kind
of
want
to
understand
a
little
bit
more
about
you
know.
H
Do
folks
want
to
have
a
secure,
build
system
that
packages
up
all
these
different
things
and
deploys
it
out
or
are
folks
really
interested
in
stuff.
Like
you
know
the
the
salt,
you
know
they
want
to
focus
more
on
the
salsa
GitHub
stuff
and
more
on
stuff.
Like
could
you
have
a
Jenkins
plug-in
that
secures
the
Jenkins
pipeline
to
make
it
more
salsa
and
that's
where
we
should
be
focusing
our
our
efforts
and
stuff
like
that?
H
But
but
that's
kind
of
you
know
what,
where,
where
this
is
at,
and
originally
it
was
like
several
pages
long,
like
seven
pages,
it's
now
now
only
two
pages
and
I
think
it.
It
really
highlights
the
high
level
things
where
we're
trying
to
do
while
also
providing
documentation
for
folks
who
are
interested
more
about.
How
is
this
architected?
How
can
I
get
involved?
They
can
join
Jonathan.
B
I
can
answer
your
question
of
whether
or
not
people
want
to
rebuild
their
entire
CI
system
or
patch
in
something
new.
You
can
make
it
so
that
you
can
patch
in
security.
People
will
take
it
they're
not
going
to
reinvent
everything
if
they
have
to
start
from
scratch,
it's
going
to
be
a
non-starter
for
most
people.
So
that's
just
the
realities.
I
mean
there's
idealist
views
of
the
world,
but
let's
be
practical
about
how
people
actually
do
things
yeah,
like
yeah.
H
Yeah,
no,
no,
so
to
be
clear,
I
I,
agree,
I
just
think
you
know,
there's
obviously
also
some
practical.
You
know
practicalities
right
if
you
look
at,
for
example,
a
lot
of
the
folks
who
you
know
and
I
don't
want
to
go
into
like
deep
into
the
the
problems
with
CI
but
like
if
you
look
at
like
you
know,
Jenkins
right
Jenkins
is
a
tool
that
tends
to
be
sort
of
open
by
default,
and
so
a
lot
of
the
things
make
it.
H
You
know
that
a
lot
of
the
security
things
that
folks
want
to
do
is
just
you
know,
making
let's
say
a
Jenkins
or
making
somebody's
Jenkins
into
something
softly
compliant
is
probably
difficult
with.
That
said,
there
might
be
other
things
we
could
do
with
Fresca
to
say:
hey.
Maybe
Fresca
is
a
series
of
best
practices
or
something
like
that
along
with
some
examples,
so
that
folks
could
start
following,
but
yeah
I
think
you
know
that
that's
something
we
we
quickly
discovered
is
even
if
you
package
up
hey
this
thing
deploys
out.
H
You
know
spiffy
spire,
kubernetes
and
all
the
different
things
like
tecton
tecton
chains
that
you
would
need
to
create.
Fresca
folks
are
still
you
know,
going
to
say,
hey.
How
does
this
fit
into
my
GitHub
actions
or
how
does
this
fit
into
my
you
know
my
local
Jenkins
installation,
or
something
like
that,
but
yeah.
If
there's
additional
sort
of
ideas
on
like
how
can
we
shape
Fresca,
to
be
more
like
that,
I
think
we're
also
open
to
that
as
well.
H
Even
if
it's
something
like
Fresca
becomes
just
the
secure
Builder
piece
like
we've
wrapped
up,
you
know,
we've
written
some
stuff
around,
you
know
build
kit
or
we've
written
some
stuff
around
you
know
a
build
container
to
sort
of
say
here
is
a
secure,
build
container
that
runs
purely
the
salsa
step.
That's
something
else.
We
can
look
at
Arna.
C
Yeah
no
I
just
wanted
to
say
I
mean
I
generally
agree
with
what
Jonathan
said
with
one
one
caveat.
I
guess
is
that
you
know
well,
there
is
not.
Everybody
uses
modern
Technologies,
yet
companies
tend
to
you
know
a
lot
of
companies
are
way
behind,
and
so
as
they
move
to
New
Technology
like
containers
cloud,
they
have
an
opportunity
to
adopt
new
build
systems,
and
so
there's
still
you
know
it's
not
an
All
or
Nothing
by
Green
General
people
will,
you
know,
are
attached
to
the
system
they
have
and
they
will
patch
it.
C
A
E
E
I
know
Mike
had
created
the
you
know
why
the
tracks,
but
this
really
Dives
deeper
into
why
separating
build
versus
Source,
because
some
people
might
think
okay
yeah.
It
makes
sense
to
separate
vulnerability
right.
It
makes
make
sense
to
separate
provenance,
but
it
might
not
make
sense
to
separate
build
and
source,
and
so
this
kind
of
goes
through
that
that
use
case
of
why
we
want
to
do
it,
because
you
can't
blame
trust
when
you
don't
see
or
control
everything,
and
so
that's
what
we're
trying
to
convey
here
again.
E
Looking
for
any
additional
feedback
definitely
need
to
revamp
some
of
the
imagery,
but
that's
the
imagery
that
I
have
right.
Now,
oh
and
now
I
can
reference
Mike's,
blog
I
know.
That
sounds
also
that
Dev
and
then
for
Jay
I
did
want
to
add,
like
a
s2c2f
flavor
in
here
somewhere,
but
I.
Don't
know
too
much
since
I've
not
been
able
to
join
the
meetings.
D
A
We
can
have
some,
especially
so
so
Mike's
blog,
believe
it
or
not.
You
could
have
reference
to
his
blogging
in
this
is
what
I
was
alluding
to
before
when
he
threw
that
dependency
track
thing
and
you're
talking
about
s2c12
I
mean
my
thought
immediately
went
to
the
application
of
controls
from
s2c2f
against
that
dependency
track.
A
Looking
at
how
effective
those
controls
are
from
a
salsa
perspective
that
that
was
where
my
mind
immediately
went
to
that
and
that's
like
I
can't
think
of
a
better
one-two
punch,
especially
when
it
comes
to
dependencies,
and
you
know,
from
from
from
a
a
consumer
standpoint
on
introduction.
I
mean
I'm
going
into
into
my
technical
thinking
with
this,
but
that'll
be
a
great
place
to
place
a
discussion
about
s2c2f
in
the
in
the
flavor
they're
in
when
we
consider
future
future
tracks
So.
A
Based
on
what
Mike's
blog
said,
this
might
be
a
a
build
versus
Source
versus
dependency,
just
to
keep
in
line
with
that
I,
like
I,
said
I
think
just
when
I
scanned
it
over
I
was
like
man.
This
is,
this
is
all
right
and
it
kind
of
speaks
to
the
stuff
that
even
we,
you
know
we're
gonna
say
we
I
mean
me,
you
and
Isaac
were
talking
about
this
was
months
ago,
when
we
sat
here
trying
to
figure
out
all
these
things
and
how
they're
working
together
this.
A
A
E
A
E
E
This
was
everyone
in
this
also
positioning
group
working
on
this
together
and
what
we
really
need
help
on
is
one
making
sure
that
the
messaging
still
makes
sense
based
off
of
the
changes,
because
we
stopped
because
something
was
changing
from
underneath
us.
I,
don't
remember
what
it
was,
and
so
we
stopped
writing
this.
So
if
folks
could
take
a
look
see,
does
this
still
make
sense?
The
way
it's
written?
You.
D
E
E
E
D
A
H
D
H
But
yeah
this
this
is
just
sort
of
a
you
know.
Just
an
introductory
article
on,
like
you
know,
and
I'm,
making
a
comparison
here
like
Hey.
How
do
I
know
I
can
trust
this
cat.
How
do
I
know
I'm
trusting
the
software
that
I'm
ingesting?
Well,
let's
take
a
look
and
let's
use
Sig
store,
along
with
the
salsa
attestations,
to
kind
of
show,
show
that
sort
of
stuff.
D
E
H
I
E
Hey
Isaac,
sir
yeah.
The
reason
why
I
ask
is
because
we
were
signing
s-bombs
with
a
with
our
own
internal
cosine
and
it
seems
like
six
door
changed
something
recently
where,
if
you
have
a
private
installation
of
six
door,
it
will
say
like
insecure.
You
have
to
put
like
some
insecure
flag,
so
I
thought
that
was
interesting
way
of
of
saying
that
when
you
know
companies
can
do
a
private
and
if
you
try
to
verify
the
blob,
it
says
you
know,
error
can't
there's
no
record
of
it
in
recore!
H
H
Or
is
it
just
a
slightly
different
use
case
with
different
attack
patterns
that
need
to
be
considered,
I
think
that's
worthwhile
to
kind
of
talk
with
about
them,
but
that's
kind
of
why
they,
they
sort
of
said
it
that
way,
they
believe
record
to
be
a
core
piece
of
Sig
store
and
if
you
use
cosine
without
it
they
you
know,
they
don't
believe
that
to
be
at
least
the
the
maintainers
of
six
door.
Don't
believe
that
to
be
secure
by
their
definition.
E
Yeah
yeah
I'm
curious
because
you
know
if,
if
private
organizations
right
like,
if
we
think
of
IBM,
if
we
have
a
our
own
six
door,
install
private,
including
record
and
we're
doing
salsa
attestations
and
we
sign
let's
get
store
and
we
give
that
at
the
station
to
a
third
party.
They
can't
necessarily
verify
that
blob
yep,
because
it's
private
and
but
that
is
on
purpose
right.
So
that's
that's
a
use
case.
E
H
A
A
E
E
This
was
the
original,
with
some
extra
added
when
Chris
and
Josh
and
I
went
through.
They
were
saying
well,
maybe,
instead
of
putting
it
by
quarter,
we
should
do
it
by
priority
like
of
high
high
level
priority,
but
there
are
ecosystems,
or
you
know
the
the
folks
that
are
implementing
the
tooling
that
want
dates.
E
Obviously,
we
haven't
had
a
good
track
record
of
of
releasing
on
schedule,
and
it's
because
we're
volunteers.
So
how
do
we?
How
do
we
present
the
roadmap?
Do
we
want
to
say
orders
or
halves
or
do
we
want
to
say
this
is
what
we're
tackling
in
order
of
priority,
for
example,
this
it's
also
build
level.
Four
is
in
parallel
to
salsa
level,
one
to
two
Source
specifications
right
and
it
would
just
be
a
minor
version
release
to
what's
already
out
there,
which
would
be
1.0.
E
So
there's
a
lot
of
uncertainty
on
how
we
should
present
the
roadmap
in
terms
of
either
priority
or
in
terms
of
like
actual
timelines,
because,
depending
on
the
group,
that's
looking
at
this,
they
would
want
to
know
timelines
versus.
Maybe
they
don't
care
and
they
just
want
to
see
what
we're
tackling.
First,
that's
why
there's
two:
if
that's
what
you
were
asking.
E
A
D
A
A
You
could
you
could
prevent
yourself
from
coming
out
with
a
with
a
source
and
dependency
track
for
trying
to
over
rotate
on
the
on
a
build
look,
I
I
mean
we
can
PM
that
all
day,
I
I
don't
want
to
PM
that
right
here,
I
think
I
think
that
might
need
to
cut
that
thing.
That
needs
to
be
done
in
the
in
the
specification,
sick
and
not
and.
D
I
I
I.
Think
I'm
super
glad
to
see
this
coming
together,
because
I
do
think
that
part
of
part
of
adoption
for
salsa
1.0
will
be.
People
would
be
looking
themselves
100
and
go
okay.
This
looks
reasonable.
It's
good
now.
Give
me
now
give
me
a
strong
sense
that
this
has
a
future
and
a
team
working
on
it.
That
I
can
believe
in
and
I
think
that's
what
the
road
map
goes
to
substantiate
and.
F
I
Publishing
our
intent
in
our
road
map
is
more
important
than
putting
like
you
know:
resources
against
it
and
in
some
sense,
and
that
hey
we
have,
you
know
an
active
Community,
a
road
map,
a
set
of
priorities.
You
know
here's
what
you
can
expect
over
the
next
12
to
24
months,
but
Jay,
I,
I,
think
you're.
You
know
my
instincts
are
the
same
as
yours.
A
Yeah
you
you
want,
you
I
mean
as
much
as
you
want
to
be
right
and
then
compliance.
You
also
want
to
have
a
sense
of
accomplishment
as
well
and
I
think
for
future
releases.
It
can
include
level
four,
but
that
gives
I
mean
so
I
hate
playing
I
hate
playing
the
the
psychological
game,
but
it
gives
people
something
to
look
forward
to
and
then
at
the
same
time
you're
coming
out
with
source
and
then
that
gives
them
a
different
area
of
Focus
right
so
that
they
can
prioritize
what's
important
to
them.
C
I
agree
with
what
you
guys
said
also
but
I
as
you
were
saying
Jay.
This
is
not
the
group
to
decide.
You
know
so.
I
think
we
can
defer
that
discussion
of
the
exact
real
map
I
think
this
group
to
the
to
the
Sig.
You
know
specs,
but
I
think
what
this
group
needs
to
focus
on
is
more
on
the
communication
aspect
of
that.
A
This
slide,
in
particular,
I
I,
think
you
know
everything
we
talked
about
just
now
added
in,
but
I
think
we
table
this
until
we
get
until
we
get
our
comments,
even
our
comments
right.
Maybe
we
may
not
come
to
a
consensus
in
the
spec
here
early
on,
that
might
be
a
3
30,
60
90
situation,
but
I
think
once
we
get
our
comments
over
there,
then
we
can
come
back
here
and
put
that
in
here
and
let
this
be
working.
While
we
come
to
a
a
consensus
there.
Okay.
C
There's
another
item
which
we
may
have
to
at
least
have
on
the
radar.
Is
that
conformance
certification
program?
Yes,
it's
been
talked
about
it's
you
know,
I,
don't
see
much
progress,
but
you
know
at
some
point
it's
supposed
to
happen
and
if
it
happens,
I
think
the
system
thing
we
should
also.
You
know.
A
I,
don't
know,
I,
think
that
so
I
think
even
that
conversation
needs
to
needs
to
come
up
a
little
higher
to
the
actual
salsa
Sig,
because
I
think
we
need
to
decide
on
whether
or
not
this
is
a
a
I
mean
you
know,
for
compliance
purposes
or
or
for
or
for
compliance
purposes
for
for
control
purposes
or
both
right
are.
We
are
we
implementing
controls
that
someone's
going
to
build
a
compliance
requirement
around
is?
A
Is
this
going
to
be
both
control
based
and
then,
of
course,
that
conformance
program
right
that
needs
to
be
discussed
a
little
bit
higher,
so
I'm
right
there
with
you,
but
for
our
positioning?
We
need
to
include
that
as
well
and
also
right
now
our
blogs
are
doing
a
good
job
of
not
of
I
can't
say
dancing
around
that
part,
but
that's
going
to
be
something
that
needs
to
be
discussed
a
little
a
little
bit
later
on.