From YouTube: Supply Chain Integrity WG (April 4, 2023)

E: Hey Jay, do you mind if you host, because my husband is being a bit loud on the other side of me on his meeting.

A: Oh good, all good, I got it. All right, good deal. Thank you, everyone, for joining this edition of our Supply Chain Integrity positioning meeting, where we talk about a few of the initiatives that we have currently in flight in the Supply Chain Integrity working group and how we're positioning those within the community and externally within the market. Before we do anything else, we'd like to welcome all of our newcomers.

A: Oh, also, yeah, thanks Melba. Please go ahead and hit the agenda doc there with the attendance as well; mark your attendance so that we know you're here.

A: Also, after that, do we have any newcomers to this meeting? Please introduce yourself so that we know who you are.
F: You can hear me? Yeah. Matt Coleman, I work for IBM Security, based in the UK, and I'm the EMEA container security lead for IBM Security. So all things container-related and DevSecOps I have an interest in, and some of the stuff that we've been looking at is also then going across into software.

A: Excellent, well, welcome Matt, glad you're here. Let's see, is there anything, so because this is one of a few SIG meetings that we do that are surrounding our larger initiatives, is there one particular thing you wanted to do here in this SIG meeting, learn from the SIG meeting, and then how can we help you stay a while, yeah? How can we help you stay a while?

F: So, as Melba said, she's invited me along to it, so hopefully it's the right place to be. And so I'm interested in the integrity around the pipeline, as one thing, but also related to the kind of view that I've been forming of, and Melba knows, because we were discussing it, this kind of inception model of how the different aspects of the integrity all get wrapped around each other. So your build pipeline itself has got to have undergone the source integrity checks for how you build it, and things like that, and that whole kind of looping in and out of how it's done is a point of interest for me. So just trying to really get to grips and understand what's the thinking in the space and how we could look at taking this to our clients and making sure that we're talking about it in the right way, and so developing the right way in terms of how we want to talk about it internally.
A: Excellent, well, you know what, this is a great place to do that. One of the initiatives that we are currently thinking about, along with SLSA, S2C2F and FRSCA, and how they're positioned together, also how we're communicating them even separately out in the community.

A: One of the things that we're also doing is we're working on a complete supply chain integrity framework that we're going to build that will identify even more gaps, perhaps, that we can evangelize and get filled across the supply chain security spectrum. I think one of the things we should think about here is our 90, right. So if we did a 30, 60, 90, you know, the view of things that we're working on, maybe the 90 view should be:

A: How are we positioning that framework that's going to be created across, you know, other communities, across the market in general? Because I think that stuff is very important as well, and Matt, you're in the right place for it. So we'll lean on you a lot with some of your thoughts, and thank you very much for that. All right, I think, if we're following the agenda,

A: Our next item, then, would be to turn over to Jennifer Bligh to discuss updates, quotes and other items. I think we have a Melba-Jennifer one-two punch here on our agenda anyway.
G: Yeah, sure, so I was hoping that we could take a look at the press release draft, and Melba, I know you have put in some comments. I feel like we need to be able to finalize this relatively soon so that we can begin pitching it to the press, like, under embargo.

G: I know you put in some messaging points about speaking to the different audiences. I'd like to keep that open for, like, a more general audience who might first be learning about SLSA and what it is and kind of how they can get involved. So I think we just kind of need to have that mindset as we finalize this content, like what's going to be easy for people to access and understand.

G: So do we want to take a look now? Hammer.

G: The last few pieces, I'm a little stumped on where to go at that. If you scroll down a little bit in the sort of the benefits section, what this group would envision including there, so I will turn to those of you here to help build up that part.

E: And I can't raise my hand, so I'll talk, and if I interrupt somebody, please, I apologize, since I can't raise my hand.
E: So Jennifer, the reason why I brought up the profiles or the personas was because I noticed some verbiage around consumer and then developers, and so I was like, well, what about the implementers, right? And what about, you know, the CSO compliance folks? Are they beneficiaries?

E: We can condense the messaging, but there's no mention anywhere. The only mention is consumer and sec analyst or SecOps, so I feel like we're missing a big chunk of the audience, and so we need to craft something for them, and I'm not a wordsmith by any means, so I just did my best with the implementers. So that was just my take on why I made the comments, because I feel like we're missing a wider audience that we're trying to target.
H: Sure, yeah, yeah, I think the, yeah, I think the...

H: I'll talk about it a little bit at the highest level and then go into the individual, I think, roles as well.

H: You know, because I think one of the things that we've been driving home in a lot of the various blogs and other things that we've been releasing, right, is the goal here is, it's supposed to help, you know, secure the supply chain. It does so by making you feel more confident that what the build is telling you is accurate, not necessarily that, you know, and I'm not a wordsmith when it comes to this stuff, but it's accurate.

H: You have less things to look at, there's less things to worry about, and so then, to kind of go into some of the stuff that we were discussing about, like, then, who, you know, each of the individual people, right, it's stuff like, hey, if I'm a consumer of, you know, of software, I feel more confident in software that provides SLSA attestations that it is in fact, you know, safe and trustworthy, right. If I am somebody who runs a build service, right, if my build service is also compliant, I know that I'm serving my customers right and that, you know, my piece of the supply chain picture is safe.

G: Yeah, I think that's helpful. Mike, do you or Melba kind of want to take a shot at getting that down here, and then I'm happy to take it and kind of wordsmith it from there, if we can just kind of get it laid out.

G: My one comment in terms of what these groups are called: are they, like, widely used terms? I mean, is someone going to understand what implementer is?
C: ...know real system implementers and providers will be concerned, and...

E: Yeah, okay, so I thought producers in this case meant the companies producing software and the attestations.

E: So that's a good point. Jennifer, Arno, I don't know if you've had a chance to look at this announcement, and know...

C: Whether we looked at it earlier, but I was busy. So the news, by the way, is we are done with all the pull requests against the spec, and so Mark Lodato is working on the pull request to publish RC2. It should happen today, which puts us on track to get the final version published April 19th for the schedule, because we need two weeks of review to comply with the Community Specification license framework.
G: And then, just curious to ask a question here: do we have a timing for the final release, and is there a point at which we're going to confirm, yes, we really are moving forward?

C: Yeah, so the release would be April 19th, and then I guess we will know. When do we have the SLSA spec meeting? It will be on the Monday; I guess that's when we will have to make the call, depending on whether, you know, anybody has found some problem. If we have to fix the spec in a way that requires us to do an RC3, then we would have to cancel or postpone the release of the final version by another two weeks or so.

H: Agree, yeah, yeah, I think it's pretty high confidence, like, unless somebody comes in out of the blue.

H: Some sort of major thing that everybody missed, but, you know, I think the problem, right, is if we go back to sort of the Community Specification, as Arno had mentioned, like, you know, even if all of us think, yeah, it's good to go, we still need to wait two weeks for any sort of major objections.
A: So Jennifer, how, what's your, I guess, how much time do you need to get this to the press? Exactly, so I guess the nature of my question is: let's say, for instance, RC2 comes out, somebody finds something that says all this needs to get changed, and now we have to move our 19th date. How much time do you need then, because we can still get the press release done.

G: I mean, the more time the better, is what I'll say, and KubeCon is that week, so a lot of the media are busy. So the sooner that we can start outreach the better; the sooner we know where we stand, the better.

A: Got it. Type three to four weeks, hitting off from there, because you have KubeCon, you have RSA, you have Open Summit. You've got all of these conferences that are back to back to back to back, so I mean, any time within there will probably be great. I mean, you want to get it ahead of all of them, but in the instance that somebody finds something wrong... by the way, I would love to see it released on the 19th, that's my birthday!

G: I think in general a lot of folks put press releases out at 9:00 a.m. Eastern; that's a standard. It doesn't have to be that time. We can.
A: Going back to the press release, we have a few of the contributing organizations with quotes. Making sure that these are actual quotes from those organizations and not just the individual contributing that just happens to be from those organizations. I'm pretty sure, I want to say I know the due diligence was done, but I wanted to make sure that was mentioned here, because it's just in the off chance that it's not, you know, the individual that was working with them; we're all volunteers, right.

A: So, you know, making sure that these companies that the individual volunteers are from are on board saying these things about SLSA, rather than just the individual saying these things. We want to make sure that that's, that's it for the recording, that, I mean, I'm pretty sure we did the due diligence, but in our due diligence from our group, making sure we did that. Go ahead, Melba.

E: So that's a good question, Jay. So Jennifer, this I know Jeff Bork was working on and he put it in here. So are you, like, with Jeff Bork, are you working directly with these people?

G: I mean, I think it's up to each individual organization to get internal approvals within their own organizations, but as far as I'm aware, yes, that has been the process that each organization has followed. Although, you know, I don't have visibility into which teams reviewed the quotes on their end or which ones need to. So that's an expectation coming into this.
H: Yeah, whoops, sorry, yeah, so I was just gonna say, actually, one of the folks who did kind of get back to me about most likely not being able to contribute a quote was John Meadows from City, because he did sort of say, getting something like a quote is potentially more like over a month in approvals internally where he is, which is of course very different than my situation, where it's like...

G: Yeah, absolutely. I think it needs to be people who are using SLSA, right, or contributing, yeah. So I've been working with the comms representatives from these different organizations. Okay.

A: Can we put down there, oh boy, can we put down there Microsoft for the pending as well?

E: Sure, we're here. How about, because most of these are already filled out, how about we... oh wait, this is alphabetical, isn't it? Yeah.

G: Let's just do it in alphabetical order, okay, just to kind of avoid any... yeah.

G: And then, Jay, for Microsoft, will you be providing that, or is there someone that I should contact?
A: I'm gonna say, I'm gonna say not no, but hell no, but I'm working internally to see if... gotcha, okay... if we can't get somebody a little bit above my pay grade, I can say a couple of words, if that's what we want to do. I just, this is me saying I don't know that I want that. I would like my org to be left out of the loop on this, being that I am heavily involved in it. I'm saying, I mean, I think, to us.

G: Yeah, just in terms of the benefits section, if you could spend some time getting that fleshed out, that's the main thing, and then we can get this finalized by end of week and off to the TAC and off to the press. Awesome.

A: All right, good deal. So we had set aside 20 or 30 minutes for that, which was great, I mean, we're coming right up to it. I think the next thing we have on our agenda here are our blog updates. We're starting with Mike's Breadth and Depth of SLSA, and I did owe you a good read on that, but I mean, the quick scan looked okay, but I guess we could talk.

A: We could talk about that now. So there was a status on What is FRSCA, draft of build versus source.

A: A couple of other blog posts here. We'll start at the top with Breadth and Depth of SLSA. Let's go into it, Mike.
H: Sure, yeah, very high level sort of overview on the different, sort of just the general reason why we have the different tracks for SLSA, right, with the high level idea being, right, we're starting with the build track, because the build is one of the most critical pieces in the software development life cycle, and so, you know, that's why the initial focus is on that build, and we removed elements regarding stuff like source from there, because we didn't want to kind of end up with something that didn't do that piece justice, and, you know, given the limited time we have, we wanted to just kind of get that out really well, and so that got pushed out.

H: And then, you know, the idea is that we'll move forward with stuff like source and dependency tracks and maybe other tracks in the future, and yeah, it's a little bit of a call to action, just to kind of get a bit more involved, and so far I've gotten a lot of great feedback on it.

A: Excellent, yeah, I especially like the fourth paragraph, where you lined out future thoughts and future initiatives such as source, and then there was the dependency track.

A: All that, I like that a lot, and I liked where my thought process went around that, so I enjoyed that fifth paragraph there as well. Yeah, good, man, I mean, you know, like I said, I did a quick scan and I was like, oh, this does a great job of providing the kind of perspective that's needed.
H: Yep, next up on the What is FRSCA sort of write-up, you know, still looking for feedback. I got a lot of great feedback actually from VMware.

H: What's his name, Tim Pepper, who gave me a lot of great feedback on the initial sort of stuff, as well as, you know, Arno and Jay had given feedback in one of the meetings, and so I believe it's in a, you know, I think it's in a reasonable spot from at least the content perspective, but is it aligned to the goals of SCI, is kind of where I wanted to get some additional feedback on.

H: You know, once again, for folks who are not so familiar, right, like, there is a project called FRSCA, it's a secure build example, and it works and everything else, but we're trying to kind of figure out, you know, due to sort of changing priorities and also some confusion in the community, what can we be doing to make it, you know, get more folks contributing to it.

H: Garner more interest, see where we want to see FRSCA in the future, you know, and get folks. The two main folks we're looking for, right, are, we're looking for use cases from potential end users, even if it's just, hey, FRSCA, it makes sense that FRSCA is, like, an educational example; it doesn't really make sense as an actual tool that gets used.

H: That's fine, because then that just helps us focus on what we want to push with FRSCA, and then, in addition to that, you know, whichever way we end up going with it, we need some additional sort of hands-on-keyboard engineers to actually work on some of the elements in FRSCA, and yeah, for Melba, you know, there's definitely the potential there. I think the thing is just we kind of want to understand a little bit more about, you know:

H: Do folks want to have a secure build system that packages up all these different things and deploys it out, or are folks really interested in stuff like, you know, the SLSA, you know, they want to focus more on the SLSA GitHub stuff and more on stuff like, could you have a Jenkins plug-in that secures the Jenkins pipeline to make it more SLSA, and that's where we should be focusing our efforts, and stuff like that?

H: But that's kind of, you know, where this is at, and originally it was like several pages long, like seven pages; it's now only two pages, and I think it really highlights the high level things we're trying to do while also providing documentation for folks who are interested more about: how is this architected? How can I get involved? They can join. Jonathan.
B: I can answer your question of whether or not people want to rebuild their entire CI system or patch in something new. If you can make it so that you can patch in security, people will take it. They're not going to reinvent everything; if they have to start from scratch, it's going to be a non-starter for most people. So that's just the realities. I mean, there's idealist views of the world, but let's be practical about how people actually do things. Yeah, like, yeah.

H: Yeah, no, so to be clear, I agree. I just think, you know, there's obviously also some practicalities, right. If you look at, for example, a lot of the folks who, you know, and I don't want to go deep into the problems with CI, but like if you look at, like, you know, Jenkins, right, Jenkins is a tool that tends to be sort of open by default, and so a lot of the things make it,

H: You know, a lot of the security things that folks want to do is just, you know, making, let's say, a Jenkins, or making somebody's Jenkins into something SLSA compliant is probably difficult. With that said, there might be other things we could do with FRSCA to say, hey, maybe FRSCA is a series of best practices or something like that, along with some examples, so that folks could start following. But yeah, I think, you know, that's something we quickly discovered is, even if you package up, hey, this thing deploys out,

H: You know, SPIFFE, SPIRE, Kubernetes and all the different things like Tekton, Tekton Chains, that you would need to create FRSCA, folks are still, you know, going to say, hey, how does this fit into my GitHub Actions, or how does this fit into my, you know, my local Jenkins installation, or something like that. But yeah, if there's additional sort of ideas on, like, how can we shape FRSCA to be more like that, I think we're also open to that as well.

H: Even if it's something like FRSCA becomes just the secure builder piece, like we've wrapped up, you know, we've written some stuff around, you know, BuildKit, or we've written some stuff around, you know, a build container, to sort of say, here is a secure build container that runs purely the SLSA step. That's something else we can look at. Arno.

C: Yeah, no, I just wanted to say, I mean, I generally agree with what Jonathan said, with one caveat, I guess, is that, you know, well, not everybody uses modern technologies yet. Companies tend to, you know, a lot of companies are way behind, and so as they move to new technology like containers, cloud, they have an opportunity to adopt new build systems, and so there's still, you know, it's not an all or nothing. By and large, in general, people, you know, are attached to the system they have and they will patch it.
A: Okay, if you go into the next blog, I think that's Melba and Christo working on build versus source.

E: Yeah, yeah. John, today, wrong one. This one I was planning on redoing some of the images so that it's more readable, but Chris has definitely helped with the wordsmithing and adding some content.

E: I know Mike had created the, you know, why the tracks, but this really dives deeper into why separating build versus source, because some people might think, okay, yeah, it makes sense to separate vulnerability, right; it makes sense to separate provenance, but it might not make sense to separate build and source. And so this kind of goes through that use case of why we want to do it, because you can't claim trust when you don't see or control everything, and so that's what we're trying to convey here again.

E: Looking for any additional feedback. Definitely need to revamp some of the imagery, but that's the imagery that I have right now. Oh, and now I can reference Mike's blog, I know. That sounds also that dev... and then for Jay, I did want to add, like, an S2C2F flavor in here somewhere, but I don't know too much since I've not been able to join the meetings.
A: We can have some, especially, so Mike's blog, believe it or not, you could have a reference to his blog in this. This is what I was alluding to before when he threw that dependency track thing in and you're talking about S2C2F. I mean, my thought immediately went to the application of controls from S2C2F against that dependency track.

A: Looking at how effective those controls are from a SLSA perspective, that was where my mind immediately went to, and that's like, I can't think of a better one-two punch, especially when it comes to dependencies, and, you know, from a consumer standpoint on introduction. I mean, I'm going into my technical thinking with this, but that'll be a great place to place a discussion about S2C2F in the flavor they're in when we consider future tracks. So,

A: Based on what Mike's blog said, this might be a build versus source versus dependency, just to keep in line with that. Like I said, I think just when I scanned it over I was like, man, this is all right, and it kind of speaks to the stuff that even we, you know, we're gonna say we, I mean me, you and Isaac, were talking about this months ago, when we sat here trying to figure out all these things and how they're working together. This,

A: You can actually reference here to talk about all the other things that we're working on as well, so that was actually where my thought was going. So when I saw that I thought that was great, my two cents.

A: Let's, I don't want to say that by myself; let's bring that to the group, right, because Mike put it in his blog. You know, I know Isaac had mentioned this one time in a few previous meetings. Let's, I mean, let's, as a group, think about it, right.

A: I mean, I think we should bring this before the SLSA, the actual SLSA sync, and discuss it there, right. I mean, maybe that's where we should discuss it, decide on it and then bring it back, right, so that we're in lockstep.
A: I don't see why not, but no, I'd rather, as a group, you know, as a group, we decide that, because the dependency track is new. That would be maybe the second, it'd be the first time we see it in writing, second or third time we've heard it in voice, right.

E: This was everyone in this positioning group working on this together, and what we really need help on is, one, making sure that the messaging still makes sense based off of the changes, because we stopped, because something was changing from underneath us. I don't remember what it was, and so we stopped writing this. So if folks could take a look, see, does this still make sense the way it's written?

A: You know what, I think we paused, I don't know, I think we paused just to see what would come up in the RC and what would end up becoming 1.0 before we talked about that, and then, of course, now we're talking about, the one I'm talking about, new tracks, you know, I mean, and how that new track could even impact how we're going about the other stuff that we're working on too. We're even talking about FRSCA.

E: So we'll need to, we'll have to have a title. We don't have a catchy title at all, but yeah, if folks can take a look and see, you know, what needs to be tweaked and what needs to be added, that would be really, really helpful.
H: One, oh yeah, yeah, I just wanted to throw out that, so I just released an article today, just from my end personally, released an article kind of going into Sigstore and SLSA, and with actual code examples, if folks are interested in that as well.

H: But yeah, this is just sort of a, you know, just an introductory article on, like, you know, and I'm making a comparison here, like, hey, how do I know I can trust this cat? How do I know I'm trusting the software that I'm ingesting? Well, let's take a look and let's use Sigstore, along with the SLSA attestations, to kind of show that sort of stuff.

E: I like this. Okay, I do have a question for you, Mike: do you participate in Sigstore, or anybody on here participate in Sigstore?

H: If I have the time I do, but I often don't have the time, but I do participate in Sigstore. Yeah.

E: Hey Isaac, sir, yeah. The reason why I ask is because we were signing SBOMs with our own internal cosign, and it seems like Sigstore changed something recently where, if you have a private installation of Sigstore, it will say, like, insecure. You have to put, like, some insecure flag, so I thought that was an interesting way of saying that, when, you know, companies can do a private, and if you try to verify the blob, it says, you know, error, can't, there's no record of it in Rekor!
H: Yeah, so that particular thing, and it's something I think that a lot of folks are confused about, and there's probably some ways to make it a little better, but I believe the idea is, if you're running your own Rekor internally it'll work, you just point to the internal Rekor, but if you're not running Rekor at all and you're just signing it, like, with a key and you're distributing that stuff, you know, Sigstore views that sort of to be outside of its, like, threat model, and, you know, like, hey, we're not really looking at those sorts of things and we're not

H: You know, supporting, we're not fully supporting those sorts of use cases. So that's why they view it as insecure. I think that there's legitimate questions as to, like, but is it actually insecure?

H: Or is it just a slightly different use case with different attack patterns that need to be considered? I think that's worthwhile to kind of talk with them about, but that's kind of why they sort of said it that way. They believe Rekor to be a core piece of Sigstore, and if you use cosign without it, they, you know, they don't believe that to be, at least the maintainers of Sigstore don't believe that to be secure by their definition.

E: Yeah, yeah, I'm curious because, you know, if private organizations, right, like, if we think of IBM, if we have our own Sigstore install, private, including Rekor, and we're doing SLSA attestations and we sign with Sigstore and we give that attestation to a third party, they can't necessarily verify that blob, yep, because it's private, but that is on purpose, right. So that's a use case.

E: I get the public, right, but there's also a use case for private, so I'm curious how this will impact that implementation of SLSA, because I know there's very much wanting to use Sigstore for signing these artifacts.
A: We're getting into the SLSA 2023 roadmap. I took a quick look at the, I mean, are there two different things going on in this deck?

E: Yeah, there is. So I don't see Josh on here, or Chris. So this was the, sorry, my mouse lately, it's very, very sensitive, and okay, I want to zoom in; like, clearly that didn't work the way I wanted it to. So if I zoom out, it makes it bigger. That's interesting.

E: This was the original, with some extra added when Chris and Josh and I went through. They were saying, well, maybe, instead of putting it by quarter, we should do it by priority, like of high-level priority, but there are ecosystems, or, you know, the folks that are implementing the tooling, that want dates.

E: Obviously, we haven't had a good track record of releasing on schedule, and it's because we're volunteers. So how do we present the roadmap? Do we want to say quarters or halves, or do we want to say this is what we're tackling in order of priority? For example, this, it's also Build Level 4 is in parallel to SLSA Level 1 to 2 Source specifications, right, and it would just be a minor version release to what's already out there, which would be 1.0.

E: So there's a lot of uncertainty on how we should present the roadmap, in terms of either priority or in terms of, like, actual timelines, because, depending on the group that's looking at this, they would want to know timelines, versus maybe they don't care and they just want to see what we're tackling first. That's why there's two, if that's what you were asking.

E: Oh yeah, this was to make sure we're aligned. This was just, like, backup, like, to make sure that anything that we're doing is being aligned at the TAC level, that we're not doing something that's really off, and this is the supply chain priorities that we created.
A
Right
in
terms
of
it's
also
specifically
talked
about
above
I
I
think
that
I
think
that
may
require
some
massaging
a
bit
I
I,
don't
I.
A
Once
we
come
out
with
1.0
I
think
1.0
needs
to
breathe
a
little
bit
and
I
and
I,
and
then
I'm
not
sure
whether
you
tackle
level
four
build.
At
the
same
time
you
tackle
Source
one
and
two
I
think
you
can
let,
through
current
1.0
brief
for
a
while
start.
D
A
Into
source,
maybe
even
dependency
kind
of,
not
at
the
same
time,
you
could
do
them
in
Sprints,
but
I
think
that
build
level
four
can
come
a
little
bit
later.
I
think
you
have
a
little
bit
of
breathing
room
before
you.
You
get
adopters
on
to
level
one
as
it
stands
and
then
potentially
run
into
you.
A
You could prevent yourself from coming out with a Source and Dependency track by trying to over-rotate on a build look. I mean, we can PM that all day; I don't want to PM that right here. I think that might need to... cut that thing. That needs to be done in the specification SIG and not... and...
D
I'm inclined to agree with you, Jay. Like, I... Actually, you know, I think my instincts lead me in the same direction, that I would say beginning to nudge outwards horizontally, and the scope is probably a higher priority than getting to Build Level 4. I think... I think I'm super glad to see this coming together, because I do think that part of adoption for SLSA 1.0 will be: people would be looking at themselves 100 and go, okay, this looks reasonable, it's good. Now give me a strong sense that this has a future and a team working on it that I can believe in, and I think that's what the roadmap goes to substantiate, and...
F
I... Publishing our intent in our roadmap is more important than putting, like, you know, resources against it in some sense, and that, hey, we have, you know, an active community, a roadmap, a set of priorities. You know, here's what you can expect over the next 12 to 24 months. But Jay, I think you're... You know, my instincts are the same as yours. I... that I would put Source above Build Level 4 in order to have a proof point that we can extend, or SLSA can extend, SLSA horizontally before we focus on extending it vertically further.
A
Yeah, you want... I mean, as much as you want to be right, and then compliance, you also want to have a sense of accomplishment as well, and I think for future releases it can include Level 4, but that gives... I mean, so I hate playing the psychological game, but it gives people something to look forward to, and then at the same time you're coming out with Source, and then that gives them a different area of focus, right, so that they can prioritize what's important to them.
A
Organizationally, like I said, I don't know that I want to over-rotate on that in the positioning meeting. Expect me... and we can go in, though; we can go all the way in North Dallas, but...
C
I agree with what you guys said also, but, as you were saying, Jay, this is not the group to decide, you know. So I think we can defer that discussion of the exact roadmap, I think, from this group to the SIG, you know, specs. But I think what this group needs to focus on is more on the communication aspect of that.
A
This slide in particular, I think, you know, everything we talked about just now added in, but I think we table this until we get our comments, even our comments, right. Maybe we may not come to a consensus in the spec here early on; that might be a 30, 60, 90 situation, but I think once we get our comments over there, then we can come back here and put that in here and let this be working while we come to a consensus there. Okay.
E
Yeah, yeah, I brought it here today. It was more for the deadlines versus, like, you know, quarters versus, you know, priority, because this is a positioning matter, like how do you communicate that, right? By timeline, or do you do it by priority? Which one would be better? But I completely agree on the actual decisions.
C
There's another item which we may have to at least have on the radar: that conformance certification program. Yes, it's been talked about; it's, you know, I don't see much progress, but, you know, at some point it's supposed to happen, and if it happens, I think the system thing we should also, you know...
A
I don't know, I think that... so I think even that conversation needs to come up a little higher to the actual SLSA SIG, because I think we need to decide on whether or not this is a... I mean, you know, for compliance purposes, or for control purposes, or both, right? Are we implementing controls that someone's going to build a compliance requirement around? Is...
A
Is this going to be both control-based and then, of course, that conformance program, right? That needs to be discussed a little bit higher, so I'm right there with you, but for our positioning we need to include that as well. And also, right now our blogs are doing a good job of not... I can't say dancing around that part, but that's going to be something that needs to be discussed a little bit later on.
A
We got two minutes left, and there's one additional item with a to-do, and that to-do is around...
E
It, right, because not only did we need it for comms, but we have a panel coming up in about a month, so we need to get started on that, like, now. So that was me just recording that we need to start doing that.
Right
good
deal,
we
got
through
our
agenda,
wonderful
I,
we
have
one
minute
for
Annie
opens
if
anybody
wants
to
toss
anything
out
there.