►
From YouTube: Supply Chain Integrity WG (June 14, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
C
C
C
C
A
So
I'm
not
looking
to
lose
my
my
normal
participants
right.
Yes,
we
could
gain
more,
but
I
don't
want
to
lose
by
my
my
core
team
that
has
been
around
for
a
while,
so
I'm,
not
sure
if,
if
this
time
actually
works
for
folks,
because
it
didn't
seem
like
there
was
anything
on
the
Google
Calendar
that
I
could
see
on
my
end
that
conflicts
with
this
time
but
yeah
looking
for
any
any
thoughts,
it
looks
like
Bruno.
It
helps
with
you.
A
A
Okay,
that
works
for
me.
I,
wanted
to
give
a
quick
update
just
on
the
s2c2f
Gap
analysis,
I
need
to
say,
analysis
coverage.
There
you
go
coverage
analysis
versus
salsa
versus
Fresca
in
the
June
6
meeting
I
I
did
start
going
through
the
document
with
the
broader
team
and
then
the
next
meetings
on
the
20th
right,
Jay.
A
Okay,
so
we'll
continue
that
review
and
then
I'm
sure
there'll
be
plenty
of
action
items
that
come
from
it,
so
at
least
that
work
is
underway.
So
that
way
we
can
have
that
broader
supply
chain,
Integrity
coverage
and
really
looking
at
the
the
details
of
each
of
the
specifications
or
requirements
to
say:
okay,
there's
a
gap
right
here
or
there's
an
opportunity
to
potentially
enhance
this.
This
area,
where
it
transitions
from
one
to
the
other
and
you'll,
have
to
excuse
my
voice.
A
A
A
There
is
a
charter
update,
see
Rob
created
this
a
long
time
ago,
but
I
know
that
Isaac
had
been
working
on
a
sci
working
group,
a
charter
and
I
actually
added
it
into
this
open
PR.
There
were
I
think
some
comments
from
Josh,
but
I
didn't
get
any
other
comments.
Oh
hi
Marcia
thanks
for
joining
this
is
the
the
pr.
If
folks
are
interested,
it
would
be
good
for
folks
to
kind
of
chime
in
on
this
and
no
worries
and
and
see
what
you
all
think
again.
A
A
D
A
A
So
this
PR
I
created
a
while
ago.
So
if
there
was
any
changes
that
you
did,
that
he
already
resolved
and
I'm
not
seeing
feel
free
to.
You
know,
look
at
the
the
pr
and
and
try
try
to
fix
it
in
in
the
actual
PR,
because
what
I
want
to
do
is
just
add
this
already
and
as
a
first
iteration,
we
need
to
reiterate
on
it.
That's
fine,
but
we
need
a
charter
in
there
per
the
I
think
it's
attack
rule
or
something
like
that.
E
A
E
A
So
one
quick
update
on
my
end
I
did
circulate
the
visioned
off
to
the
attack
for
review
as
promised,
so
that
was
on
June
6th,
so
I
can
I
can
add
a
comment
here
like
how
do
I
add
a
color,
nope,
oh
and
because
I'm
not
logged
in
I'll
do
that
later.
But
there
was
a
comment
that
the
charter
Mission
Isaac.
C
E
E
A
A
A
and
then
myself,
her
contributors,
I
I,
don't
know
who
all
contributes
to
this
group
on
a
regular
basis
at
a
higher
level
right,
there's
a
positioning
but
then
there's
the
the
stop.
The
working
group
proper
and
so
I
put
you
Mike,
because
I
know
you're
all
pretty
much
on
all
these,
but
I,
don't
know
the
rest
of
these
people
right.
A
A
Original
so
I
don't
yeah.
That
makes
sense
right,
because
I
was
like
okay.
Well,
we
can
always
add
them
back
but
like
I
know
who
Luke
Heinz
is
but
I've
not
seen
him
in
a
meeting
for
Sci
working
group
in
a
long
time,
yeah.
So
I,
I
kind
of
put.
You
know
this
section
of
previous
collaborators
just
in
case,
but
I
wasn't
sure
what
else
we
wanted
to
have
in
here
and
what
else
we
should
be
putting
in
here,
but
I
just
figured
I'd
I'd.
C
A
A
Okay,
okay
and
then
the
other
thing
I
don't
know,
did
I
create
I,
don't
know
if
I
created
it
in
this
structure,
but
I
tried
to
create
based
off
what
we
talked
about,
or
maybe
I
didn't.
Yet
we
were
talking
about
doing
nested
boulders,
where
maybe
it's
in
my
branch
and
that's
why
I
can't
see
it.
Give
me
one
second
there
it
goes
that
we
would
have
a
positioning
Sig
holder
in
here.
A
This
is
where
you
know
the
positioning
Sig
Charter
Etc,
which
is
a
little
bit
different
from
the
the
working
group,
and
we
would
just
need
to
alter
the
salsa
one
that
we
had
before
and
expand
the
scope.
But
then
the
blogs
for
positioning
would
be
here,
I,
remember
us
talking
about
that
and
recording
it
previously
and
we
were
going
to
try
to
do
the
same
thing
for
the
FCI
working
group
logs,
but
the
SEI
working
group
logs
there's
no
place
currently
for
it.
A
E
C
A
C
A
C
A
A
We
already
started
these
two,
but
what
about
conferences
and
maybe
tutorials
for
newcomers
I
was
explaining
how
not
everybody
is
a
a
reader
right,
I,
don't
like
reading
log
articles.
So
what
if
we
did
something
a
combination
of
like
a
video
like
an
actual
small
YouTube,
video
or
audio
clips
on
the
different
stuff
on
that
subcommittee,
the
different.
A
Fresca
stc2f
to
brought
in
the
audience
that
we
can
reach
right
because
not
everybody's
going
to
have
time
to
read
the
blogs.
Not
everyone
may
even
know
where
to
get
the
blogs.
Sometimes
it's
hard
for
me
to
find
some
of
the
Vlogs
to
be
honest
with
you
right
versus
maybe
a
short
video
clip.
That's
on
YouTube
that
you
can
just
say
you
know
as
SDI
working
group
101
or
something
like
that.
Just
just
you
know,
throwing
stuff
out
there.
So
I
don't
know
what
the
next
phase
of
this
group
should
be.
B
Do
wonder
if
if-
and
this
is
you
know-
I'm
talking
purely
about
salsa
right
now,
but
I
do
think
it's
kind
of
tied
to
some
of
the
other
stuff
like
S2,
c2f,
Fresca
or
whatever
else.
You
know.
I
know
that,
just
yesterday
a
bunch
of
us,
the
the
co.
You
know
us
co-creators
of
of
guac
submitted
that
we
plan
to.
B
What
can
we
do
to
start
like
driving
that
adoption?
Now
that
that
1.0?
Is
that,
like
you
know,
both
of
those
things
are
1.0,
you
know
I
think
we
still
want
to
drive.
Obviously
Community
engagement,
while
going
through
that
that's
still
kind
of
like
you
know
the
day-to-day,
but
I
do
think
that
especially
looking
at
you
know
so
far,
at
least
on
the
salsa
side.
B
Very
few
folks
are
adopting
salsa
1.0,
yet
there's
no
real
tools
on
that
front.
Yet
there's
actually
I'm
not
really
familiar
with
anybody
who's
building
tools
on
that
front
outside
of
a
couple
of
the
sort
of
examples
we've
given,
and
so
when
it
comes
to
some
of
these
things
that
we're
looking
it
would
be
really
nice
to
sort
of
I.
Think
from
our
end
see
what
we
could
do
to
help
Drive
adoption
of
like
S2
c2f
of
salsa
and
anything
else
that
that's
coming
out
of
this
group.
C
A
D
So
this
is
something
I've
seen
in
some
other
projects.
They
have
what
they
call
office,
hours
and
I.
Think
walk
also
has
that
right,
and
so
that
tends
to
be
a
lot
more
sort
of
demo
and
how
the
tools
are
actually
being
used,
and
sometimes
it's
adopters,
and
sometimes
it's
I,
don't
know
I
guess
maybe
the
maintainers
themselves,
showing
off
a
new
feature
and
I
think
I
sort
of
initially
thought
that
the
sort
of
regular
supply
chain
Integrity
group
would
be
for
that.
A
B
Yeah
yeah
yeah
I
was
also
looking
to
suggest
things
like
office
hours,
other
folks
that
suggested
stuff
like
webinars
like
you
know,
and
this
is
for
all
the
things
within
the
supply
chain-
Integrity
group,
whether
it
is
Fresca,
whether
it's
also
whether
it's
S2
c2f
and
so
on.
I
think
that
sort
of
thing
is
is
super
useful.
A
lot
of
folks
are
are
asking
a
lot
of
good
questions
about.
B
Like
hey,
I
wanna,
you
know
I
want
to
salsify
my
Jenkins,
so
how
would
I
go
about
doing
that
and
I
think
some
of
that
sort
of
stuff
is
is
useful.
I
think
the
thing
that
we're
starting
to
see
a
little
bit
is
also
there's
more
than
enough
work
to
go
around
from
the
the
spec
side
and
some
of
the
other
things
that
we're
working
on,
and
so
when
it
comes
to
helping
Drive
adoption,
I
think
folks,
a
lot
of
folks
within
some
of
the
other.
B
C
B
So
I
mean
that's
also
something
I
think
maybe
this
group
can
also
help
do
is
help
maybe
drive
that
message
back
up
to
the
attack
around
like
hey
folks
are
asking.
You
know,
you
know
what
how
are
fo.
You
know
some
of
the
stuff
like
how
do
I
do
certain
things
with
salsa,
and
you
know
and
I
know
that
with
some
of
the
groups
you
know
they
have
projects
that,
like
they
are
funding,
let's
say:
hey,
we
we
hired
a
consulting
firm
to
come.
B
You
know,
Drive,
the
the
salsifying
Jenkins
or
whatever
so
I
I.
Do
wonder
if
there's
some
stuff
on
on
that
end
or
you
know,
because
I
I
I'll
say
it's
just
a
lot
of
the
community
members
I
think
the
ones
I
spoke
to
do
seem
a
little
pert
out
from
the
the
huge
drive
towards
1.0
and
then
like
great
1.0
is
out.
I
have
other
things.
I
need
to
address.
A
Okay,
so
that
that's
a
good
point
on
the
attack
and
the
funding,
so
we
could
definitely
look
at
that
option.
I'm
trying
to
think
about
like
when
I
know,
the
the
tools
for
1.0
are
are
small
right.
So,
let's
just
take
it's
also
1.0
as
an
example.
How
would
we
drive
adoption
if
the
tools
aren't
there
right?
How
do
we
even
do
a
demo
if
the
tools
aren't
there.
A
B
Yeah
and
I
mean
I
think
this
is
also
you
know,
depending
on
who
you
speak
to
right
like
there's.
There's
obviously
concerns
that
there's
a
lot
of
like
vendors
who
are
not
involved
in
the
community
who
are
claiming
you
know,
hey
I
have
salsa,
and
then
you
start
to
read
through
their
Market
textures
and
it's
like
I,
don't
think
they
understand.
Salsa
I
think
some
of
the
conformant
stuff
might
help
out
there,
but
I
do
think.
B
A
B
Think
those
and
those
meetings
like
that
are
intended
to
be
that
sort
of
thing
of
hey.
Let
me
talk
to
other
people
who
are
developing
tools
to
figure
out
like
where
can
we
sync
up,
like
oh,
hey,
I'm,
going
to
be
open
sourcing,
this
thing,
but
my
company's
not
super
interested
in
open
sourcing,
these
other
pieces
of
it.
So
at
least
folks
like
know
like
what
is
to
be
expected,
or
you
know,
for
example-
I
mean
as
a
actually
as
a
good
example.
Here.
B
You
know,
folks,
who
are
those
project
manager
types
who
can
like
keep
folks
on
on
topic,
but
beyond
that
I
think
you
know,
we
need
a
actually
some
Engineers
to
show
some
of
this
stuff
off
to
show
some
of
those
representative
examples,
and
this
also
kind
of
ties
into
some
of
the
work.
That's
going
to
start
being
done
on
the
Sterling
tool
chain
side
right
where.
C
B
Sterling
tool,
you
know,
and
or
whatever
it's
formerly
known
as
Sterling
tool
chain
and
that
thing
I
think
is
also
interesting,
just
because
you
know
salsa
and
s2c2f
fit
in
there
as
those
Open
Standards
that
the
tools
should
be
abiding
by
and
I
think
that
there
is
a
lot
of
work
from
an
actual
engineering
standpoint
and
I.
Think
one
of
the
problems,
at
least
within
the
openssf,
has
been
there's.
Not
many
quote.
B
Unquote,
full-fledged
tools
within
openssf,
most
of
openssf
is
around
like
even
scorecard
is
a
tool,
but
it's
in
service
of
a
lot
of
other
things
in
service
of
a
standard.
You
know
the
the
scorecard
what
they're
checking
up
on
and
so
I
think
that
there's
there's
some
challenges
there
around
actually
getting
Engineers
to
work
on
stuff
within
the
opennessf
compared
to
let's
say
the
cncf,
where
you
have
a
lot
of
in
those
cases,
I
just
want
to
say
more
generally,
what
we've
noticed
is
cntf.
B
Most
projects
are
backed
by
a
company
of
some
sort
right.
So,
even
though
it's
open
source,
like
you,
have
oppa,
which
is
backed
by
styra
and
you
have
in
other
companies
as
well,
but
like
they're,
the
ones
who
who
really
were
helping
Drive
some
of
this
even
stuff
like
in
Toto
and
tough,
you
have
you
know,
NYU
driving,
driving
that-
and
you
have
you
know,
kieverno,
which
is
I'm
blanking
on
the
name
of
of
the
folks.
B
Who've
been
working
on
that,
but
anyway,
there's
a
lot
of
these
companies
that
are
backing
those
sorts
of
projects
and
even
though
they're
open
source
and
they're
open
to
the
community,
you
still
have
this
sort
of
corporate
backing
behind
it,
whereas
I
don't
think
we're
seeing
that
with
a
lot
of
the
sort
of
S2,
c2f
or
or
salsa
tools.
Yet,
right,
like
you
know,
at
least
in
the
open
source
space
I
should
say
you
know
we
see
a
couple
of
things
from
Google
for
the
salsa
stuff,
but
it's
all.
B
A
B
And
and
something
that,
like
somebody
I
know
because
I
know,
a
lot
of
folks
are
going
to
come
in
and
say
you
know
like
if
I
go
and
look
at
like
just
an
example,
some
random
cncf
project,
right,
I,
know
I
could
go
and
look
at
like
cross
plane
right,
I
know:
I
was
up.
Something
is
anyway,
there's
like
there's
like
a
lot
of
those
tools
in
the
cntf
that
hey
I
know
why
there's
like
an
Enterprise,
that's
backing
this
or
whatever.
There's
a
company.
That's
backing
this.
B
So
if
I
need
to
buy
an
Enterprise
version
of
that
thing,
whatever
they
can
do
that
anyway,
my
point
just
being
that
I
think
that
there's
a
little
worry
where
there's
a
lot
of
things
within
the
salsa
space.
That's
just
sort
of
like
yeah
I
wrote
a
thing:
I
threw
it
out
there,
but
there's
not
really
a
ton
of
support
behind
it
because
nobody's
necessarily
selling
a
salsa
Builder.
Yet-
and
this
is
sort
of
outside
of
a
few
folks
like
active,
State
and
and
those
people.
A
B
So
I
think
that
I
think
the
thing
is,
if
you
look
at
it
right,
you
have
tecton
I
think
is
probably
one
of
the
larger
sort
of
things
that
has
adopted.
Salsa,
yes
and
I.
Think
the
thing
that
folks
are
are
looking
for
is
is
like
more
of
that
right
is
hey.
Are
there?
You
know,
for
example,
there's
there's
that
tool
macaron
that
came
out
of
Oracle,
but
if
you
read
through
the
Oracle
stuff,
it's
like
it's
very
they've
made
it
very
clear
that
it
is
like
purely
like
a
research
thing.
B
It's
not
like
a
thing
that
they're
really
backing
holistically,
at
least
as
far
as
I
can
tell
and
who
knows,
maybe
they're
gonna,
try
and
back
it
a
bit
more
but
but
I
think
I.
Think
folks
are
are
starting
to
look
for
because
like
when
a
lot
of
times
in
the
salsa,
tooling
meetings
and
some
of
these
other
meetings,
folks
are
always
asking
where's
my
plugin
for
Jenkins
where's,
my
plug-in
for
this
thing
and
and
once
again,
I'm
not
saying
that's
our
responsibility
right.
You
know
I.
B
B
I
think
a
lot
of
folks
are
asking
more
around
like
hey,
even
if
you
had
a
handful
of
tools
that
showed
me
this
picture
of
as
an
example,
you
know
this
kind
of
goes
into
that
Sterling
tool
chain
bit
was
if
I
had
a
tool
or
a
set
of
tools
that
interop
right.
Where
I
write
some
code,
the
code
gets
signed
by
six
door.
Let's
say
and
I
push
it
to.
You
know
a
hardened
code,
repo
and
I'm,
while
doing
this
I'm.
B
Also
following
the
the
the
the
St
you
know,
I'm
following
all
the
practices
and
I
can
keep
track
that
I'm
following
the
practices
in
s2c2f
and
then
it's
generating
me
salsa,
you
know,
builds
with
s-bombs
and
yayada
I.
Think
folks
are
like
asking
like
Hey.
How
do
I
actually
go
and
do
that
right
like
right
now
the
main
thing
is:
people
are
asking
like:
hey
I,
don't
I'm,
not
using
GitHub?
What
else
is
there
for
salsa
and
I?
Don't
know
what
the
the
answer
is.
You.
C
B
Some
companies
are
doing
some
corporate
backing,
but
it's
like
it's
not
really
at
the
Forefront.
I
guess
is
the
thing
like
it's
not
like.
A
lot
of
folks
are
shouting
from
the
hills.
Yeah
we're
salsa
conformant
because,
like
I
believe,
red
hat
is
doing
some
stuff
on
on
that.
But
the
idea
is
like
hey:
they
have
their
trusted
open
source
or
something
like
that
and
I
believe
they're,
generating
salsa
adaptations.
Out
of
that.
But
I
think
folks
are
asking
for
a
larger
Suite
of
tools
in
the
open
source
space.
A
The
ranch
yeah,
no,
no,
no,
no
worries
yeah.
While
you
were
talking,
it
reminded
me
of
I,
call
it
a
macaroon
but
I.
Don't
think
that's
how
you
say
it
because
a
picture
does
have
a
picture
of
macaroons.
We
actually
did
try
it
when
I
saw
it.
I
was
like
Hey.
Can
someone
try
this
and
it
took
64
minutes
against
22
packages
to
get
this
result
right
and
I'm
like
that's,
not
scalable.
C
A
A
A
B
Yeah
I
mean
I
think
on
that
front,
it's
worthwhile
just
to
kind
of
separate
like
who
is,
let's
say,
an
open,
ssf,
actual
open,
ssf
project
versus
just
an
open
source
project
versus
also
a
vendor
product.
Just
because
getting
into
that
thing
leads
to
a
whole
lot
of
politicking
as
well,
once
again,
I
think
we
should
just
you
know
if
if
these
are
issues
they're
running
into
I,
think
it's
worthwhile
to
give
that
feedback
and
say
hey.
Have
you
considered
why
it
takes
so
long
or
whatever?
And
then
maybe
you
can.
A
C
B
A
D
Oh
I
wanted
to
add
that
I
mean
I,
think
Oracle
actually
I
said
Oracle
red
hat
I
have
I'm
having
a
bit
of
a
hard
time
keeping
track
of
some
of
these
newer
tools
that
are
coming
out
that
are
actually
focused
more
on
validation
and
policy
around
salsa,
but
there's
also
seed
Wing
from
Red,
Hat,
I
believe
and
red
hat
I.
Think
earlier
this
week,
even
demoed
some
other
separate
tool
but
I
think
yeah.
It's
a
to
Mike's
Point.
D
B
So
yeah
I
can
talk
a
little
bit.
Yeah
I
can
talk
also
a
little
bit
on
the
seed
Wing
end,
so
seed
Wing
is
coming
out
of
like
a
open
source
source
research
arm
from
Red
Hat
they're
working
with
us
on
guac,
and
one
of
the
things
that
they're
doing
is
they're,
essentially
using
guac
as
the
sort
of
Baseline
for
a
lot
of
policy,
and
so
the
idea
would
be
you
know.
A
B
B
If
there
is
an
issue
in
the
future
to
go
back
and
say,
hey
what
happened
you
know,
oh
it
turns
out
like
this
line,
which
seemed
innocuous
is
actually
bad
cool.
We
knew
to
fix
that.
So
there's
that
and
then
I
think
that
helps
drive
back
this
sort
of
thing
of
what
are
folks.
Actually,
you
know
looking
for
right
like
what
what
are
folks,
what
do
folks
need
right
from
the
build
perspective
and
the
producing
perspective,
I
think
that
also
but
they're
kind
of
tied.
B
D
Well,
I
want
to
be
able
to
prevent
solar
winds,
and
so
is
it
partially
also
a
matter
of
going
back
and
saying:
hey
solar
winds
that
this
here's,
how
salsa
would
have
helped
or
could
help
you
detect
a
solarwinds
type
attack
I'm,
not
sure
how
we
build
that
I.
Don't,
but
but
I
do
wonder
if
something
tangible
like
that,
would
sort
of
help.
A
lot
of
people
understand
the
the
utility
and
value
salsa
and
again.
The
question
now
is:
who
builds
that?
How
is
it
designed?
B
B
Remember
a
few
folks
were
talking
to
us
about,
like
hey
the
key
things
for
salsa
for
them
are
one
is
I,
know
that
an
approved
Builder
built
this
right,
so
even
if
even
if
they're,
not
following
any
rules
or
whatever
or
I,
just
trust
them
right.
It's
like
okay,
who
do
I
trust
to
have
built
this
thing
right.
Where
did
this
actually
come
from?
B
Is
super
useful
because
that
already
eliminates
a
whole
class
of
like
impersonation
attacks
right
where
hey
assuming
you,
they
haven't
stolen,
keys
or
credentials
or
or
or,
and
those
sort
of
things,
assuming
that
you've
you've
done
that
we
are
able
to
assuming
we're
able
to
do
that.
Then
we
can
go
back
to
something
like.
B
They're
able
to
you,
know,
you're
getting
new
keys,
I
think
but
I
think
that
to
to
your
point,
there
I
think
that's
super
important.
Maybe
something
from
the
positioning
group
should
really
drive.
Is
that
because
lots
of
folks
are
still
asking
like
where's
the
threat
model,
we
do
you
have
some
elements
of
a
threat
model
on
the
site,
but
I
think
folks
are
really
looking
for
something
out
quite
a
bit
more
in
depth
so
that
they
really
understand
like.
B
Oh,
this
requirement
really
does
all
these
things
and
also
here's,
maybe
an
example
of
how
it
does
that
right,
like
an
actual
sort
of
description
of
well.
If
you
have
a
you
know
like
those
those
attack,
trees
right
like
well,
this
sort
of
prevents
the
attack
over
here
this
sort
of
prevents
the
attack
over
here,
and
so
they
never
end
up
getting
access
to
what
you
know.
D
No,
no
I,
I,
I
I
totally
take
your
point
and
I
guess
I.
Remember
asking
a
really
long
time
ago.
How
do
some
of
these
requirements
map
to
helping
you
detect
right
because,
like
you
said,
salsa,
doesn't
prevent
a
solarwinds
type
attack
or
eat,
maybe
just
that
one
particular
step
right
where
they,
like
infiltrated.
The
compilation
phase
that
a
salsa
Providence
document
would
make
that
detectable
right,
but
I
I,
don't
know
something.
D
B
Yeah
and
I
think
on
that
end
that
that's
maybe
also
another,
actually,
that's,
probably
a
good
blog
topic
but
like
because,
like
the
way
I've
seen
it
discussed
was
like
you
know,
is
that
quote
unquote.
You
know
trust
but
verify
kind
of
thing
of
like
yeah,
not
necessarily
it's
you've
first
want
to
validate
the
identity,
but
then
you
also
want
to
essentially
set
check
like
hey.
B
Is
it
still
doing
the
right
stuff
in
there
and
I
think
folks
will
start
off
at
the
trust
piece,
but
then
over
time
get
better
and
even
if
the
verification
happens
out
of
band
or
the
verification
happens,
only
at
audit
time
or
or
the
verification
happens
like
when
something's
gone
wrong,
it's
least
better
than
nothing,
because
right
now,
like
the
thing
that
when
we
talk
to
a
lot
of
folks
in
the
community,
the
big
thing
that
they
ask
is
like,
like
you
asked
them
like
well:
how?
Where
did
this
artifact
get
built?
B
B
You
know
we
have
the
list
of
like
General
commands
that
it
ran
and
we
did
a
you
know,
a
basic
lint
to
make
sure
that
it
wasn't
curling
from
you
know
some
random
website
or
something
like
that.
I
think
that
sort
of
thing
is
also
super
super
valuable.
There
I
think
the
big
thing
that
I
I
do
think
that
you
know
a
lot
of
folks
at
least
initially
are
just
gonna,
say:
yep,
it's
signed
by
the
right
party,
I'm,
okay,
with
it
yeah.
A
D
C
D
F
It
seems
like
it
would
be
good
to
try
and
you
know,
in
addition
to
you
know,
potential
blog
activity
on
the
openssf
website.
You
know
what
else
could
the
best
practices
work
in
group
or
another
arm's
length
working
group
around
education
do
to
help,
because
I
think
that
you
know
this
group
and
the
other
cigs
that
are
doing
good
work
around
various
elements
of
what's
happening
with
the
open,
ssf
shouldn't
be
left
to
their
own
devices
to
try
and
help
you
know
better
propagate
the
important
work,
that's
being
done.
B
I
think
also,
it
goes
also
the
other
way
too
I
think
it
would
be
really
worthwhile
to
maybe
have
some
of
those
groups
provide
feedback
to
salsa
about
like
hey.
What
are
you
know?
What
are
you
seeing
as
the
issues
when,
let's
say
they
talk
about
it's
also
about?
Why
folks
are
finding
it
difficult,
let's
say
or
something
like
that.
That
might
also
be
useful
too.
F
B
So
so
one
thing
I
think,
would
be
a
good
Next
Step
that
a
lot
of
folks
have
been
asking
for
is
like
a
little
bit
more
of-
and
this
sounds
like
more
of
a
webinar
or
a
recorded
video
like
an
hour
long
like
deep
dive
into
salsa,
so
that
folks
can
just
sort
of
like
go
and
look
at
the
one,
video
and
watch
it.
You
know
because
I
know
so
not
everybody's
going
to
read
through
the
whole
spec
and
know
exactly
what
everything
means.
B
A
lot
of
folks
are
just
like:
hey
before
I
even
use
the
spec
or
even
after
I've,
read
the
spec
like
okay.
Now,
how
do
I
actually
implement
this?
It
might
be
worthwhile
to
take
some
example
right
because,
like
I
got
a
lot
of
good
feedback
showing
a
lot
of
the
GitHub
stuff
to
folks
inside
of
in
at
open
source,
Summit
I
got
a
lot
of
great
feedback
on
on
that
they
were
like.
B
This
is
how
you
know
something
like
salsa
helps
and
not
just
salsa
right.
This
is
the
sort
of
thing
I
think
we
should
also
look
through
the
rest
of
the
stuff
and
see
you
know
the
sci
group,
like
hey
here's,
how
S2
c2f
complemented
and
protects
against
these
things
and
yada
yada,
but
like
talking
purely
about
the
salsa
thing
for
a
second
like
I,
think
the
salsa
bit
is
super
important,
because
then
you
get
to
just
sort
of
point
to
that.
B
You
know
like
we
can
point
to
hey
here's,
the
high
level
sort
of
executive
summary
why
folks
are
interested
like
what's
the
problem,
you
know
the
problem
is
hey.
You
have
solar
wind.
You
have
all
these.
You
have
stuff
like
typo
squatting.
You
have
all
these
sorts
of
attacks.
This
also
protects
against
them,
because
by
doing
these
things,
then
here
is
a
representative
implementation
and
I
know.
B
B
Like
you
know,
in
one
of
my
example,
repos
I
had
like
this
is:
what
happens
when
you
have
a
compromised
compiler?
This
is
what
the
attack
looks
like,
and
this
is
how
something
like
Fresca
would
protect
against
it,
and
so,
if
we
have
I
think
a
few
more
of
those
of
like
here
is
literally
some
bad
code,
and
if
we
ran
it
through
us,
you
know
if
we
ran
it
through
a
salsa
build,
it
should
get
caught
or
something
like
that
right,
like
here,
is
here's
something
and
here's
how
salsa
would
catch
that.
C
A
A
Sometimes
people
only
have
like
you
know
five,
ten
minutes
to
listen
to
something
so
I'm
all
for
you
know
some
webinar
video
of
some
sort
to
not
only
for
salsa
but
for
s2c2f
as
well
right
because
I
I
do
think
that
will
drive
a
broader
audience
and
more
adoption
Jeff.
You
have
your
hand
up
where's
that
old.
D
A
E
E
A
We
have
two
minutes
left
folks,
any
other
last
minute
thoughts,
comments
on
this,
and
also
should
we
be
using
GitHub
to
start
to
tackle
these
because
usually
I
highlight
the
action
items
here
right,
but
you
know
sometimes
we
forget,
sometimes
they
get
lost.
I
have
to
go,
find
the
highlights.
So
how
do
we
want
to
track
these?
Do
we
just
keep
them
on
here?
Do
we
want
to
open
up
GitHub
issues
in
the
Integrity
working
group,
Marcella.
D
I
think
GitHub
issues
are
a
good
way
for
me
for
me
to
track
things
recently,
but
that's
I'm,
one
opinion
yeah
I.
My
question
in
the
last
minute-
and
maybe
this
is
something
to
talk
about
the
next
time-
is
the
question
of
what
the
time
frame
is
or
the
sort
of
when
we
plan
to
have
some
of
these
next
steps
done
or
how
we're
going
to
be
tracking
progress.
A
Yeah
yeah,
okay,
that
sounds
good,
so
I
can
take
a
crack
at
opening
up
some
of
these,
and
maybe
the
time
frames
conversation
will
come
through
I,
don't
know
what
NTD
means:
Bruno
need
to
drop
need
to
drop.
I
got
it:
okay,
thanks,
Bruno,
okay,
so
yeah,
so
we
can
potentially
talk
about
time
frames
in
the
open
and
then,
when
we
regroup
again,
we
can
maybe
finalize
it
if
it's
not
already
finalizing
the
GitHub
issue,
so,
okay!