►
From YouTube: Supply Chain Integrity WG (February 15, 2023)
A
Yeah,
my
video
is
totally
not
going
to
work
so
never
mind.
I
will
turn
it
off.
I
think
so.
I
was
looking
at
the
agenda
earlier
on
and
thank
you.
David
posting
the
the
link
in
the
docs
there.
Sorry
in
the
in
the
chat,
I
think
we
just
have
one
item
today
and
Mike.
You
could
get
us
started
if,
if
you
can
take
us
away
sure.
B
B
C
B
Security,
taxonomy
and
I
had
actually
heard
it
in
when
I
was
in
a
different
community
meeting
in
a
different
outside
of
the
open
SSS.
So
wanted
to
know.
If
there
was
folks
who
who
had
some
background
on
any
of
that
once
again,
I
know
that
a
lot
of
the
the
you
know
we're
still
sort
of
working
through
some
of
the
communication
and
and
some
of
that
stuff.
E
E
Where
you
know
you
know
this
may
come
as
a
shocker,
but
every
once
in
a
while.
The
academics
do
something
that
when
you
hear
about
what
they
did,
you
go.
Oh,
my
gosh.
What
a
sensible
thing
for
an
academic
to
do
so
they
went
out
and
tried
to
identify
every
single,
open
source
supply
chain
attack
that
ex
that
they
could
find,
and
then
they
you
know
they
they
put
them
into
categories
and
they
have
a
a
taxonomy
and
I
mean
I've.
Looked
it
over,
it's
pretty
good,
I!
E
E
E
Is
that's
right
that
is
yeah?
It's
it's
yeah,
that's
right
because
I
mean
it
is
for
the
attacks.
That
said
you
would,
you
know,
I
think
it's
quite
useful
for
Defenders,
because
the
idea
is
that
you
would
you
know
you
want
to
categorize
how
what
you're?
How
good
are
your
defenses?
The
answer
would
be
well.
It
can't
counters
this
and
this
it
helps
a
little
bit
against
that.
That's
not
a
complete
countermeasure
and
it
doesn't
do
anything
for
these
others.
B
Okay,
cool
yeah
that
definitely
helps
out
a
lot,
because
I
think
there
was
also
when
I
originally
introduced
it
was.
There
was
some
confusion
as
to
like
whether
that
taxonomy
was
going
to
become
something
like
an
ontology
about
how
to
define
the
term
like
terms
around
supply
chain
security.
This
seems
to
be
more
of
just
hey.
B
You
know
different
categories,
around
types
of
attacks
and
and
things
like
that
and
how
to
sort
of,
let's
say
mitigate
some
of
that,
like
you
know,
I'm,
look
just
I
have
the
PDF
up
and
just
sort
of
reading
through,
but
things
like
you
know,
reproducible
build
isolation
and,
and
those
sorts
of
things
which,
which
are
you
know,
safeguards
okay,
cool
yeah,
yeah,
I.
Think
I.
Think
this
is
is
useful.
I
think
we
is
there
anything
from
you
think
that,
from
like
this
group's
end
on
ways
to
contribute
or
provide
feedback.
E
B
No,
no,
no,
no
I
don't
mean
that
because
looking
so
crop
and
Jonathan
Meadows
and
a
few
folks
had
from
the
end
user
group
had
said,
there's
work
around
what
they
are
calling
the
hold
on
it's.
If
you
look
at
the
supply
chain,
Integrity
group,
from
from
slack
from
last
week
to
start
a
collaboration
around.
F
Yeah,
so
so
that
so
the
end
user's
working
group
working
on
the
taxonomy,
but
there's
you
know
we're
actively
pushing
to
try
to
bring
a
few
of
the
working
groups
in
including
the
best
practices
to
get
on
one
sheet
of
music.
I
mean
like
like
that's
that's
the
that's
the
long
and
short
of
it
to
work
on
the
taxonomy
and
The
Silo,
and
the
openness
and
stuff
is
that
that
should
be
a
non-starter,
because
we
each
are
working
on
different
initiatives
that
require
the
same
type
of
terms,
definitions
and
everything
else.
F
Reference
hell,
even
even
reference
architectures
depend
upon
what
we're
looking
at,
but
in
order
to
to
properly
do
and
in
order
to
properly
do
what
we're
trying
to
what
we're
attempting
to
do
in
the
diagram
of
society,
for
instance,
creating
creating
different
different
models
creating
different.
You
know,
images
of
you
know
different
Graphics
Etc.
Those
all
need
to
look
the
same,
I
mean
they
they
well.
F
They
need
to
read
the
same
contextually
and
in
order
to
do
that,
we
all
need
to
be
on
the
same
sheet
of
music
across
all
the
different
working
groups,
different
sigs,
underneath
and
end
up
different
projects
that
are
being
worked
on
so
so
yeah
I'm
I'm
inside
of
each
work
group
saying
the
same
thing:
let's
develop,
let's
come
together.
Maybe
this
should
be
help.
Dare
I
say
this
should
be
a
sub
committee
underneath
the
diagram
of
society
to
talk
about
you
know
bring
in
these
different
things.
F
Talk
about
them,
work
them
up
into
the
diagram
with
the
work,
the
diagram
of
society
doing
and
then
let
that
funnel
out
to
the
working
groups
as
a
found
as
foundational
items
that
are
used
to
create
or
help
create
these
different
Frameworks,
these
different
bills
and
work
in
these
different
projects.
I
just
do
something
new
out
right
now:
Arnold
I,
I,
Arnold
Arnold
will
look
at
that.
E
F
That's
that
I,
just
swap
in
the
chat
I,
just
put
the
notes
document
the
the
notes
and
agenda
document
for
the
diagram
of
society.
So
that
should
have
the
you
know
the
links
to
the
zoom
and
the
dates
and
times
you
know
all
the
stuff
that
are
in
those
pages
usually
have
that
put
it
up
there
in
the
chat.
E
B
B
Just
because
you
know
we
have
a
slightly
different
Viewpoint
I,
think
that
is
super
useful,
as
opposed
to
spinning
up
a
whole
other
work
stream
around.
That
I
also
know
that
there's
some
folks
working
throughout
a
few
of
the
different
groups
just
across
the
open
source
Community
around.
So
that's
like
the
taxonomy,
but
I
also
know
that
there's
a
few
folks
who
are
working
on
the
idea
of
sort
of
like
an
ontology
so
that
folks
can
start
to
in
the
very
least
if
they
don't
adopt
common
terms.
B
There
is
some
way
of
like
mapping
those
mop.
It
mapping
their
terms
to
Common
terms
like
things
like
you
know,
digest
versus
hash
versus
checksum,
that
kind
of
thing
and
so
I
believe
there's
some
folks
in
you
know
the
in
Toto
side
in
the
cncf
and
a
few
other
places
that
are
starting
to
try
and
build
out
some
of
those
things
so
that
when
different
tools
and
specifications
are
spun
up,
it
becomes
easier
to
understand.
E
You
know
here's
what
we're
suggesting
and
then
this
is
why
I
don't
know
if
anybody's
gonna
cross
check
between
that
and
some
of
these
other
things
like
the
like
that
archive
paper,
but
I
mean
that
might
be
a
useful
thing
to
do
now.
A
whole
lot
of
these
things
focused
on
it
on
taxonomy
on
categorizing,
the
attacks
as
opposed
to
the
defenses
I,
don't
I'll,
be
honest.
E
E
G
G
Additionally,
there
was
a
supply
chain,
Integrity
working
group
panel
that
was
submitted
for
open
source,
Summit,
North
America,
it's
labeled,
ketchup,
mustard
and
relish
of
supply
chain
security.
So
I
I
like
to
thank
Michelle
if
she's
not
on
for
that
title,
that
was
a
fantastic
title
and
so
yeah
we're
hoping
it
gets
accepted
and
it's
going
to
have
representation
from
the
three
groups:
salsa
Fresca
and
then
S2
c2f
and
with
that
said,
I've
been
working
on
starting
a
landing
page
for
salsa
on
the
openss
age.
G
It
was
something
that
was
recommended
to
me
and
Jay
brought
up
a
great
idea.
It's
like
why
don't
we
have
a
supply
chain,
Integrity
working
group
page
and
then
from
that
page
we
have
the
the
sub
communities
and
I
think
that's
a
great
idea,
because
there's
a
10-point
mobilization
plan,
and
that
is
the
one
of
the
main
reasons
why
we
are
doing
what
we
are
doing.
There
is
a
like
a
tile
that
kind
of
flips
over
that
says
supply
chain
security
and
you
flip
it
over
it
flips
over,
and
it
says
a
little
description.
A
Think
it's
a
great
idea:
Melba
I'm
I'm
super
supportive
and
I
love
the
continued
trajectory
of
up
leveling,
salsa
positioning
into
SCI
positioning.
That
goes
along
with
this.
That
kind
of
they're
looking
broadly
at
at
that
working
group
is
how
do
we
position
the
solutions
we
have
within
the
sci
problem
space
essentially
and
yeah
I
think
a
landing
page
for
that
I'll
open
a
set
at
all
would
be
awesome.
I
just
see
how
I
know
I
was
put
in
a
the
six-door
example.
G
G
I,
don't
see
any
thumbs
down
and
see
objections,
okay
and
then
the
reason
why
I
put
positioning
up
leveling
is
because
I
was
asked
by
the
specification
group
what
the
status
of
that
was.
If
we
were
going
to
stay
the
same
or
if
we
were
going
to
be
up,
leveled
and
I
didn't
really
have
an
answer
for
them,
and
so
that's
the
only
reason
why
that's
there.
A
So
I
think
I
mean
I
I
continue
to
think
it's.
It's
a
good
idea.
I
think
that
we
have
media
problems
to
tackle
that
the
sci
level
positioning
wise
than
salsa
and
I-
think
that
you
know
this
also
would
be
a
a
reasonable
subset
of
that,
particularly
as
we
learn
salsa
1.0.
We
can,
you
know
position
it
very
clearly
within
the
sci
space.
I
I
want
to
recognize
that
you
know
you
have
constraints
on
your
term
time,
Melba
and
like
we
all
do,
and
so
I
I
know
that
you
know.
There's
just
I.
A
Think
if
you
know
I
I
tend
to
have
the
instinct
is
I'd
rather
have
a
narrower
scope
and
do
things
well
than
have
a
broader
scope
and
kind
of
like
feel
spread
very
thin,
and
so,
if
that's
your
instinct,
certainly
I
appreciate
that,
and
so
really
it's
it's
going
to
be
down
to
you
and
your
comfort
level
and
finding
volunteers
to
help
drive
that
and
to
help
kind
of
put
it
together.
And
how
do
you
feel
about
that
broader
scope?
A
G
G
G
B
A
Okay,
I'm
gonna,
let's
I
I,
it
sounds
to
me
like
just
to
close
this
without
it
sounds
to
me,
like
we
have
agreement
in
principle
that
this
is
something
that
we
want
to
do.
Agreement
in
principle
with
with
co-leads
Melba
you'll
be
able
to
take
on
this.
This
larger
scope
within
that
SCI,
positioning,
scope
and
I,
think
you
know
it's.
We
need
to
look
at
putting
this
into
practice.
What
does
it
mean
in
terms
of
changing
the
name,
or
do
we
need
new
meeting
schedule?
F
E
Sure
how
to
answer
the
question
I
mean
you
know
as
long
as
you're
doing
within
your
working
group
the
things
the
working
group's
supposed
to
do.
Generally,
you
don't
need
to
ask
mother,
may
I
coordination
between
the
working
groups.
I
mean
you
don't
need
to
ask
permission
to
coordinate,
but
you
certainly
can
ask
that
talk
to
help
you
out.
E
C
E
Think
they
were
encouraging
to
put
here
primarily
to
help
make
sure
that
it
and
salsa
work
together,
not
apart
right,
but
each
working
group
frankly
I
mean
you
know.
S2Cdf
has
all
sorts
of
awesome
stuff.
Several
working
groups
said,
that's
awesome,
we'd
love
to
have
it,
so
it
certainly
wasn't
a
matter
of
you
know:
people
not
liking.
It.
E
So
you
know
again,
you
know
and
as
far
as
you
know,
accepting
submissions
in
basically
a
working
group
has
to
say
yes
and
if
it's
pre-existing,
there's
some
there's
some
some
small
ceremony,
primarily
just
to
protect
everybody
else,
to
make
sure
that
you
know
if
it
comes
in
that
there's
no
we're
copyright
or
trademark
or
other
issues
that
cause
troubles.
We
usually
don't
have
those
problems,
but
you
don't
want
you
don't
want
to
have
them
so
yeah.
F
I
think
from
a
working
group
standpoint,
I,
don't
I
mean
it's
as
simple
as
taking
the
the
to
take
in
the
the
sub
the
sub
cigs,
which
which
salsa
it's
also
positioning,
is
and
then
taking
that
and
just
moving
those
in
I
think
that's
a
working
group
decision,
I
think
a
work.
The
working
group
itself
can
make
that
decision
unto
itself
the
same
way.
The
same
way,
the
working
group
forms
the
six
in
general
I.
Don't
know
that
that
that
there's,
a
the
permission,
is
to
bring
that.
F
E
May
have
misunderstood
the
term
up
level,
because
if
it's
just
you
know
hey
within
the
working
group,
I
mean
here
we
are
we
we
decide
if
you
mean
by
like
putting
it
on
the
open,
ssf
website
and
making
a
big
pitch
for
it.
Okay,
I
see
a
shaking
heads
of
no
I
mean.
That's
that's
a
hey.
Please
do
this
yo!
We
can
talk
about
that,
but
if
you
want
to
put
something
on
the
website,
we're
we're
always
excited
to
hear
about
new
stuff
to
put
on
the
website.
A
Two
threads:
we
need
to
pull
on
here.
One
is
the
governance
side
of
things
which
you
know
we'll
need
to
make
sure
we
update
the
chart,
and
then
we
go
through
the
right
processor
for
doing
that,
because
this
is
an
expansion
in
JavaScript
I
tend
to
agree
with
David
that,
like
we
don't
need
to
go
down.
The
mother
may
I
think
at
this
level
within
openssf,
so
I
think.
A
If
there's
the
governance
side,
we
take
care
of
with
the
charter
and
making
sure
that
we
go
through
the
right
process
to
change
that
and
then
there's
the
mechanical
side
of.
We
need
the
meetings
renamed.
We
need
to
slack
Channel
renamed.
We
need
the
mailing
list,
rename
that's
all
and
that's
probably
an
open
ssf
operations
team
that
can
help
us
with
that.
E
Yeah
I
mean
if
you
are
changing,
like
the
the
charter
of
what
the
scope
of
the
group
is
you're
going
to
need.
You
do
need
to
get
an
okay
with
that,
with
the
attack
generally
they're,
going
to
be
fine
with
it
as
long
as
it's
reasonable,
which,
frankly
I
I,
would
be
surprised
if
it's
any
of
the
reasonable.
But
that's.
E
Where
you
do
need
to
say,
hey
attack,
we
want
to
change
our
Charter
from
this.
To
that,
to
be
honest,
it's
already
a
bit
of
a
challenge
and
Jay
again,
that's
experiences
firsthand.
You
know
these
groups
were
big
categories,
but
there's
more
than
a
little
overlap
between
them
and
sometimes
something
just
you
know
it
easily
fits
between
multiples
of
them,
but
the
notion
was
trying
to
make
it
so
there's
some
swim
Lanes
so
that
people
aren't
bumping
into
each
other
constantly
and
I
see.
Arnold
has
to
stand
up.
H
Yeah,
no,
but
actually
I,
think
you
pretty
much
answered
the
question
the
way
I
wanted
to
answer
yeah.
If
you
want
to
change
the
charter,
you
will
have
to
inform
the
attack
and
get
there
okay
and
if
it's
reasonable,
there
is
no
reason
to
think
the
attack
would
say
hell.
No,
so
it's
a
formality
really
but
yeah.
That's
the
right
thing
to
do.
Yeah.
E
G
C
B
B
That
would
be
useful
just
to
kind
of
help
us
as
we
go
through
to
make
sure
that
nothing
we're
doing
in
our
Charter
or
otherwise
is
sort
of
completely
contradict.
Obviously,
you
know
there's
going
to
be
some
discrepancies,
but
it
doesn't
completely
contradict
the
guidance
coming
from
the
governing
board.
G
A
We've
completed
the
agenda,
I
think
we've.
We've
got
some.
Certainly
in
terms
of
this.
The
document
at
the
bottom,
the
the
charter
of
the
the
SEO
working
group,
I,
will
figure
out
what
we
need
to
do
in
terms
of
presentation
to
the
attack
and
that
we're
aligned
there
I
think
we're
agreed
in
principle
and
with
the
up
leveling.
A
We
need
to
look
at
the
mechanics
on
the
governance
and
then
the
mechanics
side,
and
then
we've
got
some
follow-ups
to
do
in
the
end
users
group
around
taxonomy
and
with
that
I
can
give
everyone
27
minutes
back
and
across
a
dozen
people.
That's
like
several
hours
of
person,
person
calendar
time
for
read
up.
A
Look
at
Jay
he's
thrilled
my
recommendation,
as
always,
when
finishing
meetings
earlier,
is
you're
not
allowed
to
just
hang
up
and
sit
at
your
computer
and
do
email
and
just
turn
the
windows
and
do
something
else.
You've
got
to
stand
up
stretch
your
legs,
pet,
a
cat,
get
a
glass
of
water,
get
some
fresh
air,
maybe
say
hello
to
other
people
that
are
around
you
and
so
on,
and
then
you
can
get
back
to
work.
These
are
the
rules,
I
don't
make
them
up
I'm
just
here
to
remind
you
of
them.
A
Thank
you.
Everyone
I
will
see
you
all
soon
and
in
slack
and
so
on
and
I
hope,
you're
all
sharing
my
excitement
for
salsa
1.0
and
we
are
tantalizingly
close
now
and
we
are
days
and
weeks
away.
So
do
take
a
look
at
the
issue
which,
which
Melbourne
posted
and
get
ready
for
the
release
candida
that
I'm
in
the
very
near
term.