►
From YouTube: Supply Chain Integrity WG (March 15, 2023)
C
Not
too
bad
at
all,
you
know
with
it
with
a
huge
power
outage
in
the
area
I'm
on
a
on
my
cell
phone
cell
phone,
so
power
gets
destroyed,
I'm
actually
going
to
end
up
going
to
work
at
my
going
to
work
at
my
gym
today,
I
just
buy
it
still
pretty
early,
so
I'll
head
out
there.
After
after
this
meeting.
C
A
C
A
A
A
All
right,
sweet
Let's,
let
us
begin
you're,
welcome,
Albert
I
signed
you
in
I,
was
using
my
time
to
transcribe
names
from
the
The
rosters
meeting
into
the
dock.
I
think
I
got
everyone.
Oh
Joshua's
here
welcome
everyone
I
wanted
to
start
off
by
just
giving
the
opportunity
for
anyone
who's
new
to
this
meeting.
Who
wants
to
introduce
himself
to
do
so
if
you're
new
to
this
meeting
and
don't
introduce
yourself?
D
E
D
A
Cool
and
then
we
have
in
the
chat
we
have
Benjamin
Smith,
Schmidt,
sorry,
who
is
from
from
miter
and
posted
a
an
introduction
into
the
chat
for
folks
who
want
to
look
for
it
there
and
Benjamin's
audio,
isn't
working
so
we'll
keep
an
eye
on
the
chat.
Hey
Benjamin,
welcome
to
YouTube
and
Tim
great
to
have
you
here,
I'm
Joshua
excited
that
you're
still
going
to
be
involved
in
all
this
stuff.
That's
that's
awesome.
A
Just
before
we
get
started
going
down
the
agenda,
so
we
have
I
wanted
to
just
invite
a
little
bit
more
discussion
on
the
2023
Vision
I
have
also
hoped.
Maybe
we
could
pull
an
update
on
salsa
on
s2c2f
and
presser
as
well
and
does
anyone
before
we
get
started
on
that?
Does
anyone
have
anything
they'd
like
to
add
to
the
agenda.
E
E
E
It's
the
best
of
my
knowledge,
I
haven't
seen
them
when
I've
attended
the
meetings
anyway
and
Isaac
you've
been
doing
a
bunch
of
the
meeting
facilitation
and
drafting
the
you
know
the
vision
document,
so
it
seems
like
there's,
there's,
obviously
some
leadership
being
done
by
you
in
this
space
and
I
think
we
should
recognize
your
leadership
and
ensure
that
the
working
group
is
positioned
to
yeah,
continue
to
grow
and
be
successful
in
the
future.
It's
an
important
space
that
we're
all
invested
in.
A
That
is
a
good
point,
so
I
mean.
Does
anyone
and
I
guess
I
should
go
back
to
Dan
and
Kim
with
with
questions
about
this,
but
it
feels
to
me
like
we
should
maybe
start
with
updating
just
looking
here
updated.
Essentially,
are
we
saying
that
we?
We
should
be
updating
the
record
of
of
this.
This
working
group
leadership
in
in
GitHub
and
start
there
and
then
have
that
that
documented
leadership
better
represent
the
the
reality
of
the
situation.
F
Him
yeah,
yeah,
yeah,
so
I
know
officially
Dan
stepped
down
a
while
ago,
but
I
guess
it
just
never
got
recorded
in
the
GitHub
because
he
was
just
like
hey
he.
He
I
think
he
got
accepted
into
the
attack.
It
was
like
I'm
just
not
going
to
have
enough
time
for
this
I
guess
the
readme
never
got
updated
to
reflect
that
and
then
separately.
I.
Think
the
to
the
other
point
is
like
yeah.
F
I
know
that
Kim
sort
of
mentioned,
like
he
just
doesn't,
have
the
time
to
attend
these
meetings
anymore,
which
is
like
hey,
that's,
okay,
but
then
we
just
need
to
I
think
have
a
process
and
I
know.
That's
why
she
had
said:
hey
I,
think
Isaac
is
a
great
fit
and
he
has
been
I.
Just
don't
think.
We've
like
there's
two
there's
two
problems.
One
is
I
know
open.
F
Ssf
is
gonna
want
like
just
more
generally
they're
gonna
want
to
have
a
bit
more
of
it
being
formalized
in
some
way
of
you
know
like.
Was
there
a
vote?
I,
don't
think
they're.
You
know
I
personally,
don't
think
there
needs
to
be
a
vote,
but
they're
going
to
probably
ask
some
of
those
questions
as
well
and
and
Melba,
just
just
as
FYI
I
believe
I
believe
open
ssf
has
an
actual
process
for
how
this
is
supposed
to
go
about.
C
Yeah
this
is
a
simple
working
group
vote
and
then
you're
right,
the
two
chairs.
This
is
a
simple
working
group
vote
and
then
all
we
do
after
we
vote
and
and
we
and
we
decide
who's
going
to
be
the
chair.
All
we
do
is
is
tell
that
to
the
tech.
That's
not
that!
That's
that!
That's
not
something
that
that's
incredibly
incredibly
difficult
to
do.
The
working
group
governs
itself
in
that
manner.
A
C
Think
Isaac's
sitting
in
that
top
seat
is,
is
great
and
then
everyone
can
vote
on
on
on
the
rest
of
us
and
you
know
I
I
and
then
after
that,
it's
just
as
simple
as
going
to
the
Tech
and
saying
hey,
Tech
working
group
chairs
for
the
supply
chain.
Integrity
working
group
are
now
Isaac
and
then
whoever
else,
whoever
else
we
we
okay
so
so
Mike
is
so
so
Mike
has
declined.
C
C
A
No,
that
that's
all
good
I
mean
I
was
just
looking
back
through
the
the
nose
to
determine
kind
of
you
know
when
we
last
Saw,
Kim,
I,
think
September
or
so
was
the
last
time,
but
I
remember
in
October.
She
had
asked
me
she
said:
hey.
She
doesn't
have
time
to
come
to
this.
Much
would
I
mind
kind
of
stepping
in
and
so
I've
I
I
did
that
and
I
I
I'm
I
don't
want
to
decline.
A
I
also
don't
want
to
get
in
the
way
of
anyone
else's
Ambitions
of
leading
this
thing
because
you
know
I
I
stepped
into
fill
in
for
Kim,
nothing
really
any
any
more
than
that
and
I
certainly
wasn't.
You
know.
I
wasn't
nominating
myself
to
be
to
believe,
even
though
I've
been
kind
of
driving
these
meetings,
I
in
terms
I
mean
so,
do
we
Jay?
Are
you
suggesting
that
we
should
have
a
vote
here?
Actually
I
know?
Why
don't
you
go
since
you
have
your
hand
up.
G
Yeah
I
just
wanted
to
highlight
that
I
mean
you
know
what
was
said
before
was
mostly
true.
I
think
Jake
pretty
much
nailed
it
in
terms
of
the
process.
There's
not
much
I
do
want
to
point
out
that
today
the
GitHub
repository
for
this
working
group
as
an
empty
governance
that
still
says
to
do
so.
That
doesn't
help
much.
But
in
fact
there
is
no
absolute
requirements
at
the
organization
level
to
have
two
chairs
or
how
those
decisions
are
made.
Each
group
can
pretty
much
manage
decide
to
do
this.
It
should
have
been.
G
You
know.
The
group
should
have
gone
through
the
process
of
figuring
out
their
governance
and
the
charter
a
long
time
ago.
It
has
not
happened,
so
you
know
I.
Think
you'll
be
good
at
some
point.
If
somebody
could
get
to
do
that,
but
so
yes,
essentially
if
people
who
typically
participate
and
say
yeah
we're
happy
to
have
you
as
becoming
the
chair,
that's
I
I.
Nobody
is
going
to
object
and
from
a
process
point
of
view,
we're
okay,
we
can
indeed
just
inform
the
attack
of
the
change
and
that's
it.
A
Okay
I
mean
it
sounds
like
you
know,
my
name's
tentatively
studied
for
chair.
It
sounds
like
Melbourne
Jay,
as
as
co-chairs
I
don't
like
to
to
Arnold's
Point
like
it
sounds
like
there's
no
specific
prescription
around
how
many
shares
and
co-shares
we
have,
and
so
my
my
preference
would
be
to
invite
Jay
and
Melba
both
to
coach
air
rather
than
us
having
to
choose
one.
G
I
I
think
one
good
way
to
actually
do
that
is
to
do
a
pull
request
against
the
repository
that
names,
the
leaders
of
the
group
and
you
can
have
everybody
else,
say
yeah
yeah,
and
then
you
can
go
back
to
the
tackle,
whoever
you
know
if
they
ever
question.
How
do
you
come
up
with
that?
You
can
say
well
this
this
is
you
know
it's
all
in
GitHub.
E
H
G
E
A
E
A
I
B
F
A
Me,
let
me
do
it
this
way.
How
about
we
do
this
I
will
invite
anyone
and
I
will
not
take
it
personally.
I
I,
swear
I
will
invite
anyone
to
object
to
this.
If
there
are
no
objections
in
this
group,
I
will
create
a
PR
on
the
readme
document
that
there
were
no
objections
in
this
meeting
and
that
you
know
the
pr
on
the
readme.
Anyone
else
who
wants
to
weigh
in
on
that
PR
can
do
so,
and
I'll
drop
a
link
to
it
in
the
slack
it.
G
G
F
No
objections,
I
I
accessed
more
or
less
gonna
suggest
the
same
thing.
I
think
the
only
thing
is
just
make
sure
that
also,
if
possible,
I
guess
when
this
gets
uploaded
to
YouTube,
make
sure
that
that's
also
linked
in
the
pr
and
then
also
where
you
posted
slack,
is
linked
to
the
pr
just
because
one
of
the
things
that's
happened
a
couple
of
times
and
it's
just
because
of
keeping
track
of
it
is
not
the
easiest.
F
A
Yeah,
no
I
think
that's
that's
a
good
point,
because
the
last
thing
you
want
to
do
is
kind
of
in
18
months
time.
So
I
want
to
declare
something
that
we
did
invalid
because
there
isn't
sufficient
audit
Trail
to
to
connect
the
dots
and
and
make
it
governancely
proper
Okay.
So
closing
this
issue
out
I
have
the
action.
Let
me
just
assign
that
to
myself
or
I'll,
just
minimize
the
window
and
shoot
myself
in
the
foot.
I'm
gonna.
Add
myself,
as
the
owner
of
this
action.
A
A
Sweet
so
the
next
item,
the
2023
vision
and
we're
kind
of
a
quarter
of
the
way
into
2023
now
I
should
call
this
a
vision
for
pose.
Also,
it
is
representative
of
me.
We
it
feels
that
yes,
the
year
is
going
very
fast.
It
feels
like
we
should.
We
should
try
and
get
this
into
a
shape
that
we're
all
kind
of
nodding,
along
with
it.
I
am
I,
didn't
have
a
look
whoa,
there's
a
link,
not
work.
A
B
A
Thanks
Melba,
so
I
was
I
was
been
taking
a
look
at
this
and
trying
to
process
and
include
and
close
out
comments.
Kind
of
you
know:
I
had
a
whole
bunch
of
super
useful
edits
from
from
folks
who
regulars
at
the
meeting.
Also
folks,
I'd
never
even
met
before
or
heard
it
before,
and
did
some
some
work
kind
of
incorporating
those
comments.
A
You
know
wording
of
the
mission
and
vision
and
how
to
clarify
the
wording,
and
what
do
we
mean
when
we
say
shared
vocabulary
and
what
type
of
vocabulary
we're
going
to
be
using
and
I
added
some
notes
on
that.
But
there
wasn't
anyone
saying
no.
No!
This
is
the
wrong
Mission.
This
is
the
wrong
scope,
or
you
know
this.
This
Vision,
you
know,
isn't
expensive
enough
or
is
too
constraining
like
there
weren't.
I
There's
a
couple
of
things
that
I
had
commented
on
about
Fresca
right,
like
enable
adoption
with
tooling
I,
don't
think
that
there's
much
on
it
like
I
agree
with
everything
on
here.
I
think,
like
you
said
it's
just
a
little
bit
of
wording
or
cleaning
up
and
now
I'm
thinking
about
the
fact
that
there's
an
SCI
positioning
group.
I
A
I
The
price
the
priorities
like
2023
priorities
right
it
talks
about
you,
know
the
mission
and
vision,
it's
also
with
building
provenance
and
then
there's
enable
adoption
with
tooling
and
then
I
think
I
made
a
call
out
for
Fresca,
but
we
also
and
there's
a
calling
for
s2c2f.
But
now
that
positioning
is
a
sub-project
of
Sci
and
not
of
salsa.
I
A
That
is
a
good
point,
so
I'm
I'm,
noting
that
but
the
SEO
position
group
postdates
that
the
document
and
there's
a
chance
to
incorporate
the
the
new
structure
we
have
into
2023
priorities
and
I,
think
I,
think
you're
right
and
so
as
I
go
down.
I
mean
you'll
notice
in
the
dark.
As
you
see
like
kind
of
there's
much
more
comments
in
the
doc
at
the
bottom,
and
that's
because
literally
I've
been
going
from
top
to
bottom
addressing
comments.
You
know
incorporating
feedback
and
so
on.
A
I
just
haven't
gotten
all
the
way
down
the
dock,
but
as
I
get
down
to
2023.
Priorities
continue
to
incorporate
the
feedback,
continue
to
refine
and
clarify
I
will
add.
I'd.
Add
that
as
the
role
you
know,
or
at
least
some
some
notes
on
the
role
of
the
SEI
positioning
working
group
and
how
we
see
work
in
that
group,
either
driving
or
being
part
of
that
that
proposed
2023
priorities
does.
B
I
Yeah
yeah
just
trying
to
figure
out
how
it
fits
in
right
if
we
have
our
own.
Obviously
we
want
to
enable
like
you,
it's
put
under
an
umbrella
framework
right
and
communicate
that
framework
and
make
sure
everybody
is
aligned
and
it's
more
of
a
do.
We
need
to
put
that
somewhere
in
here.
I
don't
know,
but
if
we
do
then
I
guess
now
is
the
time
to
jot
it
down
somewhere.
That.
A
G
You
know
primarily
about
producing
code,
while
a
Sig
is
has
a
primary
function,
so
I
think
in
the
case
of
positioning
is
definitely
falls
into
the
category
of
six.
I
do
also
wanted
to
say
you
know.
I
have
attended
quite
a
few
of
the
positioning
meetings,
and
one
thing
that
has
seems
to
have
happened
is
because
this
working
group
has
not
been
very
active.
I
Is
also
about
finding
gaps
like,
for
example,
when
we,
when
we
scoped
it
for
salsa,
we
said:
okay,
if
there's
any
gaps,
there's
any
overlaps.
How
do
we
communicate
that?
How
do
we
enable
salsa
to
be
better?
So
now
it's
just
a
broader
scope.
Obviously
we
can
talk
about
that
here
in
terms
of
maybe
vision
of
what
each
group,
including
positioning,
should
focus
on,
but
I
think
it's
always
been
in
the
the
charter
that
any
gaps
or
overlap
that
we
find
we're
able
to
effectively
communicate
to
the
community
and
help
improve
the
framework.
I
F
This
group,
like,
as
in
this
particular
meeting,
got
sort
of
deprioritized
a
little
bit
and
then
also
with
with
folks
like
the
co-chairs
who
who
got
pulled
into
other
priorities
it
it.
The
meeting
first
I
think
went
from
I
think
it
was
weekly
and
then
it
went
to
bi-weekly
and
then
eventually
to
monthly
and
so
I
think.
C
Yeah
so
I
mean
just
just
to
chime
in
you
know,
so
this
is
as
a
caveat
to
what
Melba
said
some
of
the
stuff
that
we've
done,
especially
when
it
comes
to
finding
gaps
led
to
a
lot
of
the
changes
that
happened
over
the
last
six
months.
When
it
came
to
salsa
I
mean
I.
Remember
one
of
our
meetings.
We
identified
a
gap
between
what
different
sites
different
salsa
site
said
about
the
different
requirements
and
that
and
that
led
into
digging
deeper
on
okay.
What
does
that
mean
exactly
right?
C
So
that's
some
of
the
good
work
that
comes
out
of
it.
You
know
we
Isaac
you,
you
I
didn't
know,
but
we
had
a.
We
had
a
a
conversation
over
slack
and
we
would
even
going
into
doing
other
things.
I
mean
what
I
think
what
this
means
is,
especially
when
it
comes
to.
You
know
us
coming
together
right
now.
This
one
is
that
this
very
much
needs
to
be
come
bi-weekly
again
and
that
just
adds
to
direction
as
the
focus
into
what
we
do.
C
What
we're
doing
during
the
positioning
meeting
you
know
because
and
hell
we,
but
we
are
having
conversations
around
this
topic
and
other
working
group
and
other
Sig
meetings
that
we
all
attend,
that
that
should
better,
probably
be
had
here
a
little
bit
more
often
so
that
we
can
build
those
out
and
and
actually
water
those
plants
a
little
bit
more
while
those
plants
a
little
bit
more
here.
So
we
can
watch
them
grow
out
across
the
entirety
of
the
openness
and
stuff.
C
So
so
I
mean
I,
I'm
I'm,
with
Arno
on
this
more
often
and
and
and
that'll.
Allow
us
to
be
a
little
bit
more
focused
in
the
positioning
meeting
so
that
the
conversations
that
we're
having
that
we
don't,
we
don't
wait
a
month
to
get
guidance
on
on
a
lot
of
that
information
that
we're
coming
out,
because
that
stuff
is
real
time.
When
we,
when
we
come
about
it,
it's
real
time.
C
Also,
it
should
be
noticed
that
Jennifer
black
for
marketing
is
attending
those
positioning
meetings
now
too.
So
when
we
want
to
get
the
word
out
right
that
that
word
can
can
come
out
a
little
bit
more
real
time,
a
little
bit
more
in
the
moment,
and
we
do
need
to
have
the
larger
body
in
on
in
on
those
plans
a
little
bit
more
readily
so
I'm
with
Arnold
on
this
morning.
I
like
the
direction
that
that
we're
heading
in
absolutely.
A
I
I,
like
it
too
and
I
think
what
what
I'm
hearing
what
I'm
hearing
Jay
is
that
because
this
meeting
hasn't
been
frequent
enough,
some
of
that
slack
has
been
picked
up
by
other
working
groups
which
might
be
more
usefully
spent
on
their
core
Charters.
And
so
you
know,
we've
been
discussing
SEO
topics
broadly
in
Sea
positioning,
where
it's
actually
a
more
appropriate
venue
might
be
this
meeting
if
only
it
happened,
often
enough
so
I
I
think
that's!
That's
reasonable.
A
I
had
a
slight
discomfort
when
this
meeting
was
moved
down
to
monthly
in
the
first
place,
I
have
slight
discomfort
again,
moving
it
back
up
to
bi-weekly,
just
in
terms
of
the
workload
but
I
will,
with
my
two
wonderful
co-chairs
to
be
I.
Will
I
will
make
that
adjustment?
Let's
do
it
bi-weekly
and
let's
make
sure
we
have
a
field
agenda
and
use
the
time
productively.
A
A
So
I
think
you
know
just
in
the
interest
of
time.
I
want
to
move
on
from
this
side
and
what
I'm
hearing
is
we
don't
there's?
No,
it
doesn't
feel
like
there's
any
kind
of
huge
discomfort
or
heartburn
around
it,
the
overall
direction
of
the
dark
or
the
kind
of
the
mission
and
vision
as
articulated
again
roughly.
This
is
you
know,
within
a
standard
deviation
or
so,
which
is
great
input,
and
what
I
will
do
then
is
continue
to
work
through
the
comments.
A
You
know
we
can
use
this
this
now
bi-weekly
for
to
really
drive
this
forward
and
end
up
with
a
document
which
we
can
say
you
know
we
think
this
is
what
we
want
to
be
doing
and
propose
that
as
attack
and
to
the
attack-
and
you
know,
make
it
official
and
and
make
it
a
part
of
our
Charter
on
GitHub
and
so
on.
Does
that
sound
right?
A
B
F
Yeah
I
could
talk
a
lot,
so
1.0
draft
is
or
sorry
release.
Candidate
I
should
say
is
live.
It's
being
it's
open
for
comment.
We
got
actually
a
good
deal
comments.
Luckily,
the
majority
of
comments
seem
to
be
focused
around
a
couple
of
key
areas,
most
folks
Rock,
most
of
it,
but
there's
a
little
concerned
about
in
particular
like
isolated
and
ephemeral
and
definitions
around
that
and
a
few
other
things
as
well.
F
B
I
We
need
to
communicate
in
terms
of
blogs
the
whys
and
the
you
know.
Why
should
you
care
why
certain
things
happen
along
with
Communications
with
Jennifer
Bligh,
and
we
have
a
meeting
later
today
about
those
comms
first
also
1.0,
but
the
other
thing
I
did
want
to
mention
about
salsa
that
I
thought
was
interesting.
There
was
a
survey
last
last
summer
and
I'm
looking
for
it
and
essentially
in
terms
of
Salsa's
usefulness,
adoption.
I
It
seems
like
there's
a
moderate
to
high
adoption
of
salsa
based
off
of
last
summer
and
the
practices
are
considered
useful.
Some
are
hardly
difficult,
but
some
are
hard,
but
difficulty
doesn't
appear
to
be
a
major
impediment.
So
that's
good
news
and
I've
asked
potentially
open
ssap
to
do
a
post
check
for
all
the
SEI
sigs
is
C.
Maybe
quarterly
are
people
adopting
these?
I
Is
it
useful
because
if
we
have
those
data
points-
and
we
know
if
we
need
to
Pivot
I,
think
more
more
frequently,
so
that
was,
it
was
a
pretty
good
meeting.
I
I
don't
know
how
many
people
we
had
like,
maybe
10,
12
and
I-
think
that's
the
first
time
we've
ever
had
that
much
of
an
audience
so
I'm
happy
to
see
the
the
traction
in
the
SEI
positioning.
A
Thanks
Melba
I
wanted
to
add
a
couple
of
things:
a
first
of
all
to
to
re-emphasize
yeah
I
thought
that
survey
was
super
interesting
and
so,
if
you've
not
taken
a
look
at
that
I'm
trying
to
dig
up
a
link
to
it,
so
I
can
put
it
in
the
dark.
It
was
posted
either
this
morning
or
yesterday
in
one
of
the
opennesses
of
slack
channels,
known
as
the
salsa
plus
plus
survey
I,
think,
but
it
was
really
really
interesting.
A
Data
and
very
thoughtfully
done
also
Melba
wanted
to
give
you
a
shout
out
for
putting
the
notes
in
slack.
Something
that's
occurred
to
me
is
that
when
the
notes
from
these
meetings
this
in
the
dark
every
time,
I
want
to
find
them,
I
need
to
go
into
my
calendar
I
need.
If
I
remember
what
day
the
meeting
was
I
need
to
find
the
meeting
open
it
up,
find
the
right
of
the
15
links
that
are
in
the
meeting
in
Via
exit.
A
E
Want
to
wholeheartedly
agree
with
the
sentiment
there
and
yeah
just
like
putting
them
being
slack.
Go
on
a
mail
list
seems
good,
maybe
even
like
the
summarized
notes
in
the
repository,
but
archival
purposes
might
be,
might
be
useful.
Just
something
to
consider
I
definitely
agree
like
making
it
easier
to
see.
What's
happened
without
having
to
watch
a
long,
recording
or
dig
through
Google
Docs
would
be
super
useful
thanks.
C
C
Eight
hour,
training,
blog
and
I
think
we're
selling
on
four
or
five
different
modules
in
that
training
block.
But
it
was
a
great
conversation
we
built
out
the
outline
for
it
and
something
that
we
can
March
forward
with
and
then,
of
course,
we
talked
about
the
upcoming
open.
Summit
talked
about
the
upcoming
RSA
presentation
that
Adrian
will
be
given.
So
all
that
stuff
is
is
a
is
for
marching.
I
mean
that
that's
where
we're
at
now.
C
We
even
discussed
one
of
the
issues
that
David
brought
up
where
we're
going
to
actually
make.
We
might
be
adding
to
the
guidance
a
little
bit
based
on
some
of
the
things
he
was
saying
and
and
not,
and
not
because
it's
a
vulnerability
that
that's
that's,
you
know
likely
to
occur,
but
it's
out
there
and
that
we
should
let
people
know
about
it
and
I
think
that
was
special
too.
So
you
know,
maybe
some
updates
to
the
framework
will
happen.
C
The
training
portion
of
this
I
do
want
to
bring
before
the
larger
working
group,
especially
once
we
get
to
a
a
finalized
stay
with
it,
because
I
think
that's
I,
think
that
would
be
great
for
the
for
the
work
group
to
get
some
eyes
on
itself,
so
so
definitely
want
to
do
that
that
that's
what
without
what
we
had
in
our
latest
meeting
and
and
we're
marching
forward
with.
At
this
point.
A
That's
awesome,
I'm
getting
into
RSA
at
Kudos
there
I
mean
the
RSA
is
a
is
a
big
deal.
It's
difficult
to
get
stuff
accepted
and
yeah
shout
out
to
the
team
there
and
that's
awesome.
I
was
looking
at
the
schedule
the
other
day
and
super
super
pleased
to
see
Adrian
doing
that
stuff,
cool,
Fresca,
Michael
I'm
guessing
this
was
you
who
pasted
this.
B
F
F
Yep
so
yeah,
so
not
a
whole
lot
of
movement
on
Fresca
the
past
month.
There's
a
couple
of
different
things
going
on
and
I:
don't
want
to
put
anyone
out
on
blast
or
anything
like
that,
but
it
does
sound
like
Fresca
from
some
of
the
companies
of
some
of
the
maintainers
that
has
been
de-prioritized
for
myself.
F
You
know
it
is
something
that
is
and
code,
and
so
we
need
more
contributors
and
maintainers
would
love
to
work
with
folks
to
kind
of
figure
out
what
that
might
look
like
myself,
I'm
also,
you
know
I'm
still
able
to
obviously
contribute
and
maintain
it,
but
I.
It
is
no
longer
like
you
know
as
big
of
a
priority
as
it
used
to
be
for
me,
so
I
just
don't
have
as
much
time
on
it
and
it
does
require
some.
You
know
a
good
deal
of
TLC
as
well.
F
As
you
know,
some
of
the
the
struggles
that
we've
been
running
into
has
also
been
in
sort
of
general
adoption.
There's
a
lot
of
folks
who
look
at
what
what
Fresco
is
doing
and
say
hey.
This
is
a
really
good
example,
but
you
know
nobody's
moving
off
of
their
Jenkins,
let's
say
or
or
existing
CI.
So
there's
there's
some
open
questions
about
hey.
How
do
we
want
to
move
forward
with
Fresca,
and
so
that's
definitely
something
that
we're
looking
for.
I
So
I
think
this
is
for
everyone
on
the
call
for
us
it's
going
to
be
really
key,
because
one
a
talk
that
we
submitted
was
based
off,
Fresca,
tooling,
to
say
we're
going
to
show
you
how
to
do
this
in
person.
So
we
need
people
to
go
and
help
with
this.
If
I,
if
I
were
a
hardcore
developer,
then
I
would
totally
do
it.
But
it
takes
me
eight
hours
to
write
a
hello
world.
I
can
do
it,
but
it's
going
to
take
me
a
while.
H
So
I
actually
am
just
a
lurker
on
most
of
the
stuff
that
this
that
this
group
puts
out,
but
I
saw
that
this
was
the
topic
for
the
agendas.
That's
that's
why
I
came
today
was
to
ask
more
questions
about
this,
so
Eddie
and
I
just
want
to
type
I
organize
our
open
source
engagements
and
one
of
the
things
that's
on
the
horizon.
H
What
are
the
skill
sets
that
you
guys
are
needing
I'm
a
maintainer
for
an
open
source
project
that
has
three
different
working
groups,
so
I'm
very
familiar
with
the
the
desperate
need
for
documentation
that
chronically
exists
inside
of
every
project,
but
this
is
this
is
something
that
I
really
want
to
see
if
we
can
help
get
people
on
board
with,
but
I
need
more
conversation
documentation.
Anything
that
that
we
can
can
do
to
help
get
me
up
to
speed
with
the
need.
F
Whoops
but
yeah,
that's
actually
something
that
I
have
for
so
the
Fresca
meeting
is
every
other,
so
is
every
other
Wednesday
at
10
a.m.
Eastern
time
so
it'll
be
happening
on
this
upcoming
Wednesday.
It's
on
the
open,
ssf
calendar
and
actually
one
of
the
the
action
items
I
do
have
to
make
sure
I
have
for
next
week
is
sort
of
you
know
a
I'm
writing
up
a
little
bit
of
a
what
is
Fresca.
F
F
You
know
at
a
very,
very
high
level
and
I
don't
want
to
take
up
too
much
time
here
on
it,
but
the
at
a
very
high
level,
the
the
idea
behind
Fresco
was
it.
It
came
out
of
work
that
was
happening
in
the
cncf
around
what
was
called
the
secure
software
Factory,
and
so
the
secure
software
Factory
was
a
set
of
best
practices
around
securing
your
build
and
it
was
a
bit
more
like,
whereas
salsa
is
a
bit
more
high
level.
These
are
the
things
that
should
get
done.
F
Eventually,
the
idea
should
be,
you
know,
be
able
to
follow
the
practices
that
are
coming
out
of
S2
c2f
follow
the
practice
that
are
coming
out
of
like
the
secure
you
know,
SSD
the
nists,
ssdf
and
so
on,
and
be
able
to
kind
of
be
that
thing,
while
also
being
simple
right.
So
not
everything
you
know,
GitHub
actions
are
not
going
to
work
for
everybody,
and
the
idea
would
be
something
like
Fresco.
It
could
be
a
tool
that
could
be
deployed
out
into
other
people's
environments.
F
Of
the
high
level
goal
and
the
key
things
that
were
just
very
quickly
that
we're
looking
to
kind
of
get
out
of
it
most
recently
is
the
big
thing
is
we're
looking
to
develop
a
framework
by
which
folks
can
write
their
builds,
because
right
now
their
builds
are
in
you
know,
their
tecton
builds,
but
their
tecton
builds
plus
policy
rules.
Plus
all
these
other
things-
and
we
use
a
language
called
Q
to
manage
that.
But
we
need
a
lot
more
effort
to
kind
of
make
that
simple.
F
So
the
idea
would
be
you
just
you
know
you
could
just
import
the
the
go
Lang
Pipeline
and
just
fill
in
the
blanks,
and
it
makes
sure
that
your
build
is
hits.
You
know
salsa
for
well,
not
salsa,
for,
but
what
used
to
be
Colts
also
four,
because
it
could
be
hermetic,
it
could
be
all
these
other
things
and
so
on
anyway,
Josh.
E
Yeah
I
think
you
kind
of
answered
some
like
question,
but
I
I
want
to
encourage
you
when
you're
writing
the
stock
to
like
think
about
whether
this
is
for
production
use
or
reference
architecture
I
think
it
kind
of
attempts
to
straddle
the
line
right
now,
but
that
might
not
I'm
not
sure
yeah.
We
should.
We
should
be
explicit
about
whether
we're
trying
to
achieve
both
I
suppose
and
then
I'm
I'm
really
curious.
E
If
we
can
articulate
the
architecture
or
the
relationship
between
the
different
components
in
the
architecture
and
like
Fresca,
so
that
we
can
effectively
describe
what
Fresca
does
that
those
components
don't
do
without
that
that
magic
and
I
think
you
started
to
hint
up
possibilities
for
what
that
could
be.
But
it's
not
clear
to
me
what
that
yeah,
what
what
that
is
today
right.
F
Cool,
do
you
mind
if
I
as
so
I've,
been
writing
something
up?
Do
you
mind
if
I,
I
s?
Well,
actually
I'll
I'll
put
it
out
in
the
slack
when
I'm
done,
the
like
I
have
a
couple
of
documents.
I've
been
writing
up
around
hey
to
folks
who
are
not
super
familiar
with
Fresco
I
guess,
like
myself.
Obviously,
I've
been
so
deep
in
it.
F
If
you
were
to
just
take
something
like
not
Jenkins
X,
but
if
you'd
take
something
like
the
basic
Jenkins,
it's
not
something.
That's
super
easy
without
adding
on
a
ton
of
stuff
to
make
it
salsa
compliant
and
even
then
there's
an
argument
of
you
know
are
the
rules
and
and
the
security
concerns
with
with
Jenkins.
Does
that
make
it
just
impractical
to
do
high-level
salsa?
F
And
it's
the
same
way
here
where
something
like
tecton
and
tecton
chains?
Well,
tecton
itself
doesn't
get
you
any
salsa,
but
tecton
chains
gets
you
some
salsa,
but
then
tecton
chains
with
signing
Keys
gets
you
salsa,
II
and
then
tecton
's,
plus
the
species
firework
that
we're
still
trying
to
get
try
to
get
merged
will
get
you
to
salsa
three.
F
But
then
you
know
the
stuff
around
Fresca
helps
tie
all
that
together
makes
it
simple,
as
well
as
potentially
making
it
easier
when
these
other
salsa,
you
know
like
whatever
it
is
when
salsa
2
comes
out
and
we
have
higher
level
requirements
around
hermeticity
and
so
on.
It's
like
oh
yeah,
it'll
it'll,
be
a
it'll
it'll,
be
ready
for
that.
E
E
The
other
thing
I
want
to
suggest
is
like
a
position
for
Fresca
is
and
I
think
you're
there
already,
but
I
think
it's
worth
articulating
is
that
I
think
it
makes
sense
to
push
for
Fresco
to
be
as
minimal
as
possible
so
that
all
the
changes
are
in
the
constituent
upstream
and
Fresco's
just
like
how
to
stitch
that
all
together
in
a
way
that
helps
achieve
what
the
working
group
here
is
recommending
and
I
think
we
potentially
avoid
some
friction.
If
we
are
explicit
about
that.
F
Yes,
yes,
so
the
the
two
other
goals
which
that
brings
up
you
brought
something
very
good
there
right.
Well,
the
two
things
are:
you
know,
if
possible,
you
know
it
should
just
be
in
the
Upstream
tools
and
when
not
you
know,
Fresca
can
fit.
You
know,
can
fill
the
Gap
the
Gap
until
one
of
the
Upstream
tools
does
and
then
finally
I
think
you
did
the
third
piece.
There
is
either
way.
F
F
Some
folks
have
read
it.
Some
folks
have
not
read
it
and
and
I
think
a
high
level
overview
of
what
are
the
key
pieces
there
or
is
something
else
that
I'm
I'm
putting
in
there
yeah,
because,
like
the
the
summary
like
I
could
honestly
summarize
in
about
you
know
four
or
five
bullet
points.
What
are
the
key
aspects
of
the
secure
software
Factory
and
it's
mostly
just
related
to
securing
the
orchestration
to
build
securing
the
Sorry
by
securing
the
pipeline
definition
right
to
make
sure
that
you
can't
run
something
silly.
A
You
know
either
with
with
Josh,
first
of
all
to
get
initial
feedback
and
then
with
the
group
or
just
broadly
with
the
group,
but
it
would
be
great
to
get
a
bunch
of
eyes
on
this
and
help
shape
it
and
understand
it
and
find
the
right
right
way
to
drive
it
Forward
with
that.
Thank
you.
All
it's
been
super
productive
I
will
follow
Melba's
best
friend.
To
summarize
the
notes
post
them
in
the
slack.