From YouTube: Supply Chain Integrity WG (June 14, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
A: Okay, so let me... I don't know how much of a crowd we're gonna get today, given that this is not our normal time and it was shifted. Interestingly enough, even though I shifted it when I accepted the invite on my IBM side, it's not on my calendar, even though I accepted the shift, so I don't...

C: Let's see, okay, let me copy and paste this. Where is my... I can never find my Windows chat participants.

A: This may be a short meeting, but we'll try to make the best of it.

A: If you can sign in, that'd be fantastic. I just put the link there for today. I was kind of wanting to just continue on the conversation from last time, which is on the Positioning meeting time.

A: So I'm not looking to lose my normal participants, right. Yes, we could gain more, but I don't want to lose my core team that has been around for a while, so I'm not sure if this time actually works for folks, because it didn't seem like there was anything on the Google Calendar that I could see on my end that conflicts with this time, but yeah, looking for any thoughts. It looks like, Bruno, it works for you.

A: It works for Mike, I know. Okay, okay, so let's try out this time slot every other week and see what happens. Let's see how that works for us. Well, one, two, three.

A: Okay, that works for me. I wanted to give a quick update just on the S2C2F gap analysis, I need to say, analysis coverage. There you go, coverage analysis versus SLSA versus FRSCA. In the June 6 meeting I did start going through the document with the broader team, and then the next meeting is on the 20th, right, Jay?

A: Okay, so we'll continue that review and then I'm sure there'll be plenty of action items that come from it, so at least that work is underway. That way we can have that broader Supply Chain Integrity coverage and really look at the details of each of the specifications or requirements to say: okay, there's a gap right here, or there's an opportunity to potentially enhance this area where it transitions from one to the other. And you'll have to excuse my voice.
A: Allergies are wreaking havoc on my throat, as you can hear. So, any questions or comments about the S2C2F?

A: Okay, so I did want to go through the GitHub there. It is this GitHub repo. Oh, there's new issues, are these old? These are old, okay. I did go in here and do some cleanup of the Supply Chain Integrity working group repo.

A: There is a charter update. See, Rob created this a long time ago, but I know that Isaac had been working on a SCI working group charter, and I actually added it into this open PR. There were, I think, some comments from Josh, but I didn't get any other comments. Oh hi Marcia, thanks for joining. This is the PR. If folks are interested, it would be good for folks to kind of chime in on this, and no worries, and see what you all think again.

A: This was like a direct copy and paste of the... where is it, charter, right? This is the draft charter that Isaac had created, right, and we had all gone through and started adding notes. I know, Marshall, I see that you have new comments.

A: I think a lot of the old comments have been cleared out, but I remember beginning of this year we went through this, so it would be good to get folks' feedback on the PR. Oh, go ahead, Marcia.

D: Oh, I just wanted to say that I think Isaac and I already resolved most of those comments. Okay, maybe, yeah, I guess if there's still some outstanding ones, then.

A: Yeah, I'm not able to resolve them on my... because I don't own... Well, maybe this one I can, but I'm not going, yeah. I think those are the only two comments. One was automation with automated tooling and then this one, but those are not too bad to cover and we can put them in the PR.

A: So this PR I created a while ago. So if there were any changes that you did, that he already resolved and I'm not seeing, feel free to, you know, look at the PR and try to fix it in the actual PR, because what I want to do is just add this already, and as a first iteration, we need to reiterate on it, that's fine, but we need a charter in there per the, I think it's a TAC rule or something like that.

A: Is that right, Mike or Jay, that the TAC has a rule about all the working groups have to have charters?
B: So the working groups, yes, the working groups all need to have charters, yeah.

E: But I think they're moving, I think they're going after six. Two, so I mean working group six, everybody needs to have a charter. Everybody needs to have, you know, a mission, a vision, scope and all that, yeah.

E: At the very least, there should still, there should be a scope, mission, a vision or objective in the scope. At the very least.

A: So one quick update on my end: I did circulate the vision doc to the TAC for review as promised, so that was on June 6th, so I can add a comment here, like how do I add a... color, nope, oh, and because I'm not logged in I'll do that later. But there was a comment that the charter mission, Isaac...

A: That way, we can just go ahead and just commit this, because this did go into strategy and the looking back and the priorities, I...

E: Believe Isaac will put it up as an issue. I know I talked about it in TAC and I think there was an issue created on it, but I'm not terribly sure about that part, and I'm not next to my computer right now to actually look at it. Okay.

A: Okay, so what I'll do is I'll put... you mean, like, TAC issue, right?

A: You remember, maybe Jay or someone to add, link later, yeah, because I'm not... I have a standup every day at that time, so I can never join, yeah, TAC meetings.

A: So that was one thing that it would be good to get folks' eyes on, comments in the PR. The other thing that I noticed, that there was a settings.yaml file.

A: And then myself as contributors. I don't know who all contributes to this group on a regular basis at a higher level, right; there's Positioning, but then there's the SCI working group proper, and so I put you, Mike, because I know you're pretty much on all these, but I don't know the rest of these people, right.
B: So see, Aniszczyk is, he's the CTO of the CNCF. M Peters, I'm not sure, but Joshua is, Joshua from, who's from SLSA.

A: Original, so I don't, yeah. That makes sense, right, because I was like, okay, well, we can always add them back, but like, I know who Luke Hinds is, but I've not seen him in a meeting for SCI working group in a long time, yeah. So I kind of put, you know, this section of previous collaborators just in case, but I wasn't sure what else we wanted to have in here and what else we should be putting in here, but I just figured I'd...

A: Keep it to its original purpose, which was, it seems to be, to set permissions based off the username, yeah.

A: And then I think that's it. The README, if I remember correctly, yeah, the README was just notes. Oh, I know that the TAC at some point was trying to push us away from Google Docs and into something else. Does anybody know if that's still the case?

B: And in fact, actually one of the things I know that has come up a few times has been that, you know, a lot of things like, whether it's HackMD or similar, it's less about the individual tool and more about companies being worried, obviously, about easy access to a tool that allows exfiltration of data, and so I'd be curious to know if any potential alternative solves that problem versus, you know, it being an issue there.

A: Okay, okay, and then the other thing, I don't know, did I create... I don't know if I created it in this structure, but I tried to create based off what we talked about, or maybe I didn't yet. We were talking about doing nested folders, where... maybe it's in my branch and that's why I can't see it. Give me one second, there it goes, that we would have a Positioning SIG folder in here.

A: This is where, you know, the Positioning SIG charter, etc., which is a little bit different from the working group, and we would just need to alter the SLSA one that we had before and expand the scope. But then the blogs for Positioning would be here. I remember us talking about that and recording it previously, and we were going to try to do the same thing for the SCI working group logs, but the SCI working group logs, there's no place currently for it.
A: Okay, anything else that folks want to discuss? I know that there's probably conferences coming up, there's blogs that still are in play that we need to work through.

A: We already started these two, but what about conferences and maybe tutorials for newcomers? I was explaining how not everybody is a reader, right; I don't like reading blog articles. So what if we did something, a combination of like a video, like an actual small YouTube video or audio clips on the different stuff on that subcommittee, the different...

A: FRSCA, S2C2F, to broaden the audience that we can reach, right, because not everybody's going to have time to read the blogs. Not everyone may even know where to get the blogs. Sometimes it's hard for me to find some of the blogs, to be honest with you, right, versus maybe a short video clip that's on YouTube that you can just say, you know, as SCI working group 101 or something like that. Just, you know, throwing stuff out there. So I don't know what the next phase of this group should be.

A: Obviously, I have some thoughts, but it would be good to hear from the broader team on where do you think we should go next or tackle next.

B: Twice? Oh, no, no, so I was gonna comment a little bit here. So I know one of the things that we would... I know we had discussed early on, when Positioning and Adoption were going to be two separate things, was, hey, probably some of the adoption stuff made more sense to fit into Positioning, at least early on before we were ready with 1.0. I...

B: Do wonder if, and this is, you know, I'm talking purely about SLSA right now, but I do think it's kind of tied to some of the other stuff like S2C2F, FRSCA or whatever else, you know. I know that just yesterday a bunch of us, the co... you know, us co-creators of GUAC submitted that we plan to...

B: We would like to contribute GUAC to the Supply Chain Integrity group and the OpenSSF, but I think one of the things that I think would be useful is to sort of discuss, like, I doubt that there is a large enough scope on adoption yet to say: hey, let's split off Adoption into its own thing, but I do think that maybe we want to talk a little bit about, hey, S2C2F is 1.0 already, SLSA's 1.0.

B: What can we do to start, like, driving that adoption now that that's 1.0? Is that, like, you know, both of those things are 1.0, you know, I think we still want to drive, obviously, community engagement while going through that; that's still kind of, like, you know, the day-to-day, but I do think that, especially looking at, you know, so far, at least on the SLSA side...

B: Very few folks are adopting SLSA 1.0 yet; there's no real tools on that front yet. There's actually, I'm not really familiar with anybody who's building tools on that front outside of a couple of the sort of examples we've given, and so when it comes to some of these things that we're looking at, it would be really nice to sort of, I think from our end, see what we could do to help drive adoption of, like, S2C2F, of SLSA and anything else that's coming out of this group.
D: So this is something I've seen in some other projects. They have what they call office hours, and I think GUAC also has that, right, and so that tends to be a lot more sort of demo and how the tools are actually being used, and sometimes it's adopters, and sometimes it's, I don't know, I guess maybe the maintainers themselves showing off a new feature, and I think I sort of initially thought that the regular Supply Chain Integrity group would be for that.

D: But maybe this is the better forum, I'm actually not sure, yeah.

A: That's a good point. I know Isaac's wanting more demos, but yeah, I'll table that thought for a second. Mike, you had a comment.

B: Yeah, yeah, I was also looking to suggest things like office hours; other folks have suggested stuff like webinars, like, you know, and this is for all the things within the Supply Chain Integrity group, whether it is FRSCA, whether it's SLSA, whether it's S2C2F and so on. I think that sort of thing is super useful. A lot of folks are asking a lot of good questions about...

B: Like, hey, I wanna, you know, I want to SLSA-fy my Jenkins, so how would I go about doing that, and I think some of that sort of stuff is useful. I think the thing that we're starting to see a little bit is also there's more than enough work to go around from the spec side and some of the other things that we're working on, and so when it comes to helping drive adoption, I think folks, a lot of folks within some of the other...

B: You know, groups like the, you know, the folks who are working on, let's say, some of the SLSA tools and whatever, are a little, you know, stretched a little thin on that front.

B: So I mean that's also something I think maybe this group can also help do, is help maybe drive that message back up to the TAC around, like, hey, folks are asking, you know, what... how are folks... You know, some of the stuff like how do I do certain things with SLSA, and, you know, and I know that with some of the groups, you know, they have projects that, like, they are funding, let's say: hey, we hired a consulting firm to come...

B: You know, drive the SLSA-fying Jenkins or whatever, so I do wonder if there's some stuff on that end, or, you know, because I'll say it's just a lot of the community members, I think the ones I spoke to, do seem a little burnt out from the huge drive towards 1.0 and then, like, great, 1.0 is out, I have other things I need to address.

A: Okay, so that's a good point on the TAC and the funding, so we could definitely look at that option. I'm trying to think about, like, when... I know the tools for 1.0 are small, right. So let's just take SLSA 1.0 as an example. How would we drive adoption if the tools aren't there, right? How do we even do a demo if the tools aren't there?
B: Yeah, and I mean I think this is also, you know, depending on who you speak to, right, like there's obviously concerns that there's a lot of, like, vendors who are not involved in the community who are claiming, you know, hey, I have SLSA, and then you start to read through their marketing text and it's like, I don't think they understand SLSA. I think some of the conformance stuff might help out there, but I do think...

B: You know, for example, I think for the past three weeks now, we've essentially had almost no agenda for the SLSA tooling meeting, just... and we need to have, you know, engineers who are interested or focused on that sort of thing, and, like, that's very much like... and I get it, right, like engineers tend to not like meetings, I don't like meetings, but at the same time I think there's a lot of interesting, like, actual...

B: If we can maybe also, from a positioning standpoint, drive the message home that that sort of meeting is not intended to be a, let's just, you know... and I don't mean this to be... I think what we're doing here is really great, but for engineers they're like, yeah, when do I start writing the code, right, so...

B: I think those meetings like that are intended to be that sort of thing of, hey, let me talk to other people who are developing tools to figure out, like, where can we sync up, like, oh, hey, I'm going to be open sourcing this thing, but my company's not super interested in open sourcing these other pieces of it. So at least folks know what is to be expected, or, you know, for example, I mean as a... actually as a good example here.

B: One of the things that is a little frustrating is a lot of the SLSA tools that come out of this, out of the SLSA framework, are right now being developed by Google, but the Google teams are not really communicating with the SLSA tooling folks, so a lot of times we learn about a new tool that's being developed way after, you know, when a lot of folks were, like, talking about maybe building a tool like that in the broader community. So I think there's a lot of areas, you know, folks can help out there and, you know, I think we need, like, one or two...

B: You know, folks who are those project manager types who can, like, keep folks on topic, but beyond that I think, you know, we need actually some engineers to show some of this stuff off, to show some of those representative examples, and this also kind of ties into some of the work that's going to start being done on the Sterling Toolchain side, right, where...
B: Sterling Toolchain, you know, and or whatever it's formerly known as, Sterling Toolchain, and that thing I think is also interesting, just because, you know, SLSA and S2C2F fit in there as those open standards that the tools should be abiding by, and I think that there is a lot of work from an actual engineering standpoint, and I think one of the problems, at least within the OpenSSF, has been there's not many, quote...

B: Unquote, full-fledged tools within OpenSSF. Most of OpenSSF is around, like... even Scorecard is a tool, but it's in service of a lot of other things, in service of a standard, you know, the Scorecard, what they're checking up on, and so I think that there's some challenges there around actually getting engineers to work on stuff within the OpenSSF compared to, let's say, the CNCF, where you have a lot of... in those cases, I just want to say more generally, what we've noticed is, CNCF...

B: Most projects are backed by a company of some sort, right. So, even though it's open source, like, you have OPA, which is backed by Styra, and you have other companies as well, but like, they're the ones who really were helping drive some of this, even stuff like in-toto and TUF, you have, you know, NYU driving that, and you have, you know, Kyverno, which is... I'm blanking on the name of the folks...

B: Who've been working on that, but anyway, there's a lot of these companies that are backing those sorts of projects and, even though they're open source and they're open to the community, you still have this sort of corporate backing behind it, whereas I don't think we're seeing that with a lot of the sort of S2C2F or SLSA tools yet, right, like, you know, at least in the open source space, I should say. You know, we see a couple of things from Google for the SLSA stuff, but it's all...

B: It's all like examples, they're not really... or not just examples, but they're like very keyed towards, like, the GitHub stuff, because, just like, it's the simplest case, and as folks are coming in they're like, hey, is there any tools that are coming out of this? That, like...

B: And something that, like, somebody, I know, because I know a lot of folks are going to come in and say, you know, like, if I go and look at, like, just an example, some random CNCF project, right, I know I could go and look at, like, Crossplane, right, I know... I was up... something is, anyway, there's like a lot of those tools in the CNCF that, hey, I know why, there's like an enterprise that's backing this or whatever. There's a company that's backing this.

B: So if I need to buy an enterprise version of that thing, whatever, they can do that. Anyway, my point just being that I think that there's a little worry where there's a lot of things within the SLSA space that's just sort of like, yeah, I wrote a thing, I threw it out there, but there's not really a ton of support behind it because nobody's necessarily selling a SLSA builder yet, and this is sort of outside of a few folks like ActiveState and those people.
B: So I think the thing is, if you look at it, right, you have Tekton, I think, is probably one of the larger sort of things that has adopted SLSA, yes, and I think the thing that folks are looking for is, like, more of that, right, is, hey, are there... You know, for example, there's that tool Macaron that came out of Oracle, but if you read through the Oracle stuff, it's very... they've made it very clear that it is, like, purely, like, a research thing.

B: It's not like a thing that they're really backing holistically, at least as far as I can tell, and who knows, maybe they're gonna try and back it a bit more, but I think folks are starting to look for, because, like, a lot of times in the SLSA tooling meetings and some of these other meetings, folks are always asking, where's my plugin for Jenkins, where's my plugin for this thing, and once again, I'm not saying that's our responsibility, right. You know, I...

B: Think folks who want to work on the Jenkins stuff should come in and work on Jenkins, but I think when we start to look at some of that ecosystem of tools, especially when I think about stuff that's more around the interface side, as opposed to the actual implementation side...

B: I think a lot of folks are asking more around, like, hey, even if you had a handful of tools that showed me this picture, as an example, you know, this kind of goes into that Sterling Toolchain bit, was, if I had a tool or a set of tools that interop, right, where I write some code, the code gets signed by Sigstore, let's say, and I push it to, you know, a hardened code repo, and while doing this I'm...

B: Also following the... you know, I'm following all the practices and I can keep track that I'm following the practices in S2C2F, and then it's generating me SLSA, you know, builds with SBOMs and yada yada. I think folks are, like, asking, like, hey, how do I actually go and do that, right? Like, right now the main thing is, people are asking, like: hey, I'm not using GitHub, what else is there for SLSA? And I don't know what the answer is.

B: Some companies are doing some corporate backing, but it's not really at the forefront, I guess, is the thing. Like, it's not like a lot of folks are shouting from the hills, yeah, we're SLSA conformant, because, like, I believe Red Hat is doing some stuff on that. But the idea is, like, hey, they have their trusted open source or something like that, and I believe they're generating SLSA attestations out of that. But I think folks are asking for a larger suite of tools in the open source space...

B: At least, that can show what SLSA does for them.
A: Thanks, yeah, no, no, no, no worries, yeah. While you were talking, it reminded me of... I call it a macaroon but I don't think that's how you say it, because the picture does have a picture of macaroons. We actually did try it when I saw it. I was like, hey, can someone try this, and it took 64 minutes against 22 packages to get this result, right, and I'm like, that's not scalable.

B: Yeah, I mean I think on that front, it's worthwhile just to kind of separate, like, who is, let's say, an OpenSSF, actual OpenSSF project versus just an open source project versus also a vendor product. Just because getting into that thing leads to a whole lot of politicking as well. Once again, I think we should just, you know, if these are issues they're running into, I think it's worthwhile to give that feedback and say, hey, have you considered why it takes so long or whatever? And then maybe you can...

D: Oh, I wanted to add that, I mean, I think Oracle actually... I said Oracle, Red Hat, I'm having a bit of a hard time keeping track of some of these newer tools that are coming out that are actually focused more on validation and policy around SLSA, but there's also Seedwing from Red Hat, I believe, and Red Hat, I think earlier this week, even demoed some other separate tool, but I think, yeah, it's a... to Mike's point.

D: It's not... I don't know that it should be the OpenSSF's responsibility to, I don't know what the right word is, like promote or demo or teach all of these tools, when the issue still seems to be that people aren't fully grasping SLSA yet, I don't know.

B: So yeah, I can talk a little bit. Yeah, I can talk also a little bit on the Seedwing end, so Seedwing is coming out of, like, an open source research arm from Red Hat. They're working with us on GUAC, and one of the things that they're doing is they're essentially using GUAC as the sort of baseline for a lot of policy, and so the idea would be, you know...

B: Seedwing calls into GUAC, for example, pulls out metadata about SLSA and all that sort of stuff and is able to... yeah, I believe that actually is, see, like, that's their kind of, like, demo.

B: But the idea is, they can generate policies and the policies go in and call out to stuff like GUAC, which stores a bunch of data about SLSA, and can, you know, cascade up so that you can, you know, do a bunch of stuff on that end. So I do think that there is... I think the big things, right, are, and this is the thing that we're seeing also, just, this is just to be clear, even though we have a problem here.
B: I think folks want to better understand, like, what should I be doing with the SLSA thing, right: oh, you're using it to kind of introspect and help say, like, yes, I took this build from this party and I think it's good; that's kind of at the high level, and then you can kind of dive in and say, you know, assuming that I believe what they're giving me is trustworthy and that they're actually following SLSA, I can dive in and figure out that, yes, they ran these commands in these ways, and I think that seems pretty reasonable to me and I'm okay with using that in my supply chain, and then also all that metadata can be used...

B: If there is an issue in the future, to go back and say, hey, what happened, you know, oh, it turns out, like, this line, which seemed innocuous, is actually bad; cool, we knew to fix that. So there's that, and then I think that helps drive back this sort of thing of what are folks actually, you know, looking for, right, like what do folks need, right, from the build perspective and the producing perspective? I think that also, but they're kind of tied.

D: Oh no worries, yeah, I'm just sort of trying to add some thoughts, because what we are describing sort of made me think of, well, would it be sort of worthwhile, and this is something that I sort of realized in conversations I've had internally and externally, that a lot of sort of adopters are just like...

D: Well, I want to be able to prevent SolarWinds, and so is it partially also a matter of going back and saying: hey, SolarWinds, that this, here's how SLSA would have helped or could help you detect a SolarWinds-type attack? I'm not sure how we build that, I don't, but I do wonder if something tangible like that would sort of help a lot of people understand the utility and value of SLSA, and again, the question now is: who builds that? How is it designed?

D: How do we, like, disseminate that information, but yeah, just having something concrete to anchor the use of SLSA that isn't compliance.
B: Remember a few folks were talking to us about, like, hey, the key things for SLSA for them are, one is, I know that an approved builder built this, right, so even if they're not following any rules or whatever, or I just trust them, right. It's like, okay, who do I trust to have built this thing, right? Where did this actually come from?

B: Is super useful because that already eliminates a whole class of, like, impersonation attacks, right, where, hey, assuming they haven't stolen keys or credentials or those sort of things, assuming that you've done that, we are able to... assuming we're able to do that, then we can go back to something like...

B: So the thing, right, with SLSA is not necessarily... I mean, there's certain elements that would have prevented certain pieces of SolarWinds, right, especially the, you know... if it will actually... sorry, it's not SLSA per se, but using, for example, the GitHub method, you're not keeping, you know, you're renewing the keys, so unless they were able to steal some mechanism that gave them persistent access...

B: They're able to, you know, you're getting new keys, I think. But I think that, to your point there, I think that's super important. Maybe something from the Positioning group should really drive is that, because lots of folks are still asking, like, where's the threat model? We do, you have some elements of a threat model on the site, but I think folks are really looking for something quite a bit more in depth so that they really understand, like...

B: Oh, this requirement really does all these things, and also here's maybe an example of how it does that, right, like an actual sort of description of, well, if you have a, you know, like those attack trees, right, like, well, this sort of prevents the attack over here, this sort of prevents the attack over here, and so they never end up getting access to, you know.

D: No, no, I totally take your point, and I guess I remember asking a really long time ago, how do some of these requirements map to helping you detect, right, because, like you said, SLSA doesn't prevent a SolarWinds-type attack, or maybe just that one particular step, right, where they, like, infiltrated the compilation phase, that a SLSA provenance document would make that detectable, right, but I don't know, something...

D: He said also got me thinking about the fact that, both people trust who generated, or the entity or organization that generated the SLSA provenance. Are they still going to go in and inspect it, or do they often just say: oh hey, it's a trusted signer, I'm good, and I...

D: Imagine it's a bit of a sort of use case or case-by-case decision, but I'm a little bit concerned if people are still just stuck on this institutional trust aspect when SLSA is doing so much more, or can be used for so much more, right.
B: Yeah, and I think on that end, that's maybe also another... actually, that's probably a good blog topic, but like, because, like, the way I've seen it discussed was, like, you know, is that quote unquote, you know, trust but verify kind of thing of, like, yeah, not necessarily, it's, you first want to validate the identity, but then you also want to essentially check, like, hey...

B: Is it still doing the right stuff in there? And I think folks will start off at the trust piece, but then over time get better, and even if the verification happens out of band, or the verification happens only at audit time, or the verification happens, like, when something's gone wrong, it's at least better than nothing, because right now, like, the thing that, when we talk to a lot of folks in the community, the big thing that they ask is, like, like you asked them, like, well: how? Where did this artifact get built?

B: You know, we have the list of, like, general commands that it ran and we did, you know, a basic lint to make sure that it wasn't curling from, you know, some random website or something like that. I think that sort of thing is also super, super valuable there. I think the big thing that I do think that, you know, a lot of folks, at least initially, are just gonna say: yep, it's signed by the right party, I'm okay with it, yeah.

D: Maybe that's something to... maybe that's a good starting point, is to talk about how it's not enough to simply trust who even the metadata came from, if that makes sense, and sort of, yeah, tell the story that Mike was just describing around...

D: Yeah, because even in the case of SolarWinds, this is something I say to people a lot: SolarWinds was a trusted organization, and the attackers took advantage of just this institutional trust. Yeah, Jeffrey.
F
It
seems
like
it
would
be
good
to
try
and
you
know,
in
addition
to
you
know,
potential
blog
activity
on
the
openssf
website.
You
know
what
else
could
the
best
practices
work
in
group
or
another
arm's
length
working
group
around
education
do
to
help,
because
I
think
that
you
know
this
group
and
the
other
cigs
that
are
doing
good
work
around
various
elements
of
what's
happening
with
the
open,
ssf
shouldn't
be
left
to
their
own
devices
to
try
and
help
you
know
better
propagate
the
important
work,
that's
being
done.
B
I
think
also,
it
goes
also
the
other
way
too
I
think
it
would
be
really
worthwhile
to
maybe
have
some
of
those
groups
provide
feedback
to
salsa
about
like
hey.
What
are
you
know?
What
are
you
seeing
as
the
issues
when,
let's
say
they
talk
about
it's
also
about?
Why
folks
are
finding
it
difficult,
let's
say
or
something
like
that.
That
might
also
be
useful
too.
F
A
What
else
it
shows
a
lot
taught
so
I,
don't
think
we
have
everything
nailed
down
per
se,
yeah.
B
So
so
one
thing
I
think,
would
be
a
good
Next
Step
that
a
lot
of
folks
have
been
asking
for
is
like
a
little
bit
more
of-
and
this
sounds
like
more
of
a
webinar
or
a
recorded
video
like
an
hour
long
like
deep
dive
into
salsa,
so
that
folks
can
just
sort
of
like
go
and
look
at
the
one,
video
and
watch
it.
You
know
because
I
know
so
not
everybody's
going
to
read
through
the
whole
spec
and
know
exactly
what
everything
means.
B
A
lot
of
folks
are
just
like:
hey
before
I
even
use
the
spec
or
even
after
I've,
read
the
spec
like
okay.
Now,
how
do
I
actually
implement
this?
It
might
be
worthwhile
to
take
some
example
right
because,
like
I
got
a
lot
of
good
feedback
showing
a
lot
of
the
GitHub
stuff
to
folks
inside
of
in
at
open
source,
Summit
I
got
a
lot
of
great
feedback
on
on
that
they
were
like.
B
This
is
how
you
know
something
like
salsa
helps
and
not
just
salsa
right.
This
is
the
sort
of
thing
I
think
we
should
also
look
through
the
rest
of
the
stuff
and
see
you
know
the
sci
group,
like
hey
here's,
how
S2
c2f
complemented
and
protects
against
these
things
and
yada
yada,
but
like
talking
purely
about
the
salsa
thing
for
a
second
like
I,
think
the
salsa
bit
is
super
important,
because
then
you
get
to
just
sort
of
point
to
that.
B
You
know
like
we
can
point
to
hey
here's,
the
high
level
sort
of
executive
summary
why
folks
are
interested
like
what's
the
problem,
you
know
the
problem
is
hey.
You
have
solar
wind.
You
have
all
these.
You
have
stuff
like
typo
squatting.
You
have
all
these
sorts
of
attacks.
This
also
protects
against
them,
because
by
doing
these
things,
then
here
is
a
representative
implementation
and
I
know.
B
B
Like
you
know,
in
one
of
my
example,
repos
I
had
like
this
is:
what
happens
when
you
have
a
compromised
compiler?
This
is
what
the
attack
looks
like,
and
this
is
how
something
like
Fresca
would
protect
against
it,
and
so,
if
we
have
I
think
a
few
more
of
those
of
like
here
is
literally
some
bad
code,
and
if
we
ran
it
through
us,
you
know
if
we
ran
it
through
a
salsa
build,
it
should
get
caught
or
something
like
that
right,
like
here,
is
here's
something
and
here's
how
salsa
would
catch
that.
C
A
A
Sometimes
people
only
have
like
you
know
five,
ten
minutes
to
listen
to
something
so
I'm
all
for
you
know
some
webinar
video
of
some
sort
to
not
only
for
salsa
but
for
s2c2f
as
well
right
because
I
I
do
think
that
will
drive
a
broader
audience
and
more
adoption
Jeff.
You
have
your
hand
up
where's
that
old.
D
Oh
on
the
video
I
think
even
just
having
a
I,
don't
know
two
three
minute:
Quick
Clip
or
something
to
talk
about
this
institutional
trust
versus
I.
Don't
know,
sort
of
attribute,
based
stress
or
whatever
you
want
to
call
it
is.
It
would
probably
be
better
than
a
blog.
Like
you
said,
okay.
A
E
Yeah
this
goes
along
the
lines
of
I,
guess:
I,
guess
what
Mike
and
what's
all
those
things?
What
about
training
modules?
E
I
know
that
Adrian
and
I
as
part
of
us
c2f,
we
were
talking
with
LF
and
we
were
talking
with
SKF
about
producing
training
modules
that
that
can
be
given
during
you
know,
and
we
we
missed
the
open
Summit
to
do
this,
but
maybe
if
we
could,
you
know,
get
them
developed
and
then-
and
this
is
for
salsa
and
s2c2f-
and
maybe
even
Fresca-
and
if
we
bring
guacamole
all
that
kind
of
stuff
but
get
training
modules
set
up
and
then,
as
part
of
like
I,
don't
know
if
you
do
it
with
proposals
or
if
during
the
cfp
process
or
maybe
getting
getting
through
the
planning
committee,
but
actually
have
a
room
set
up.
E
I
thought
that
idea
was
phenomenal.
We
start,
we
actually
started
the
process.
You
know
where
it's
a
slow
process,
of
course,
because
you
got
to
write
these
damn
things,
but
you
know
I,
think
that
would
be
very
beneficial
and
speaks
to
what
marcelia
and
Michael's
talking
about.
A
We
have
two
minutes
left
folks,
any
other
last
minute
thoughts,
comments
on
this,
and
also
should
we
be
using
GitHub
to
start
to
tackle
these
because
usually
I
highlight
the
action
items
here
right,
but
you
know
sometimes
we
forget,
sometimes
they
get
lost.
I
have
to
go,
find
the
highlights.
So
how
do
we
want
to
track
these?
Do
we
just
keep
them
on
here?
Do
we
want
to
open
up
GitHub
issues
in
the
Integrity
working
group,
Marcella.
D
I
think
GitHub
issues
are
a
good
way
for
me
for
me
to
track
things
recently,
but
that's
I'm,
one
opinion
yeah
I.
My
question
in
the
last
minute-
and
maybe
this
is
something
to
talk
about
the
next
time-
is
the
question
of
what
the
time
frame
is
or
the
sort
of
when
we
plan
to
have
some
of
these
next
steps
done
or
how
we're
going
to
be
tracking
progress.
A
Yeah
yeah,
okay,
that
sounds
good,
so
I
can
take
a
crack
at
opening
up
some
of
these,
and
maybe
the
time
frames
conversation
will
come
through
I,
don't
know
what
NTD
means:
Bruno
need
to
drop
need
to
drop.
I
got
it:
okay,
thanks,
Bruno,
okay,
so
yeah,
so
we
can
potentially
talk
about
time
frames
in
the
open
and
then,
when
we
regroup
again,
we
can
maybe
finalize
it
if
it's
not
already
finalizing
the
GitHub
issue,
so,
okay!