From YouTube: Supply Chain Integrity WG (February 15, 2023)
A: Yeah, my video is totally not going to work, so never mind. I will turn it off. I think so. I was looking at the agenda earlier on, and thank you, David, for posting the link in the docs there. Sorry, in the chat. I think we just have one item today, and Mike, you could get us started, if you can take us away. Sure.
B: Sure. Actually, I mean, before we get started: is there anybody sort of new to the group who maybe wants to introduce themselves? Oh.
C: Me. I am Caroline Cameron. I work in supply chain security at IBM, and I actually work with Melba, who is on the call.
D: I am Andrew McNamara. I used to be a student around Will and Catch at NC State, but I've been interested in usable privacy and security for a bit, so I'm at Red Hat.
B: Cool, glad to have new folks aboard. Anybody else?
B: Okay, so yeah, the only thing I wanted to do was just kind of open up a conversation topic, just because I've been hearing from a few folks from the new, I believe, End User Working Group that there is interest in starting sort of a taxonomy on a few different things, and one of the things that they were talking about was a supply chain security taxonomy. And I had actually heard it when I was in a different community meeting, outside of the OpenSSF. So I wanted to know if there were folks who had some background on any of that. Once again, I know that a lot of the, you know, we're still sort of working through some of the communication and some of that stuff.
E: Yeah, so this has actually been raised up at the OpenSSF TAC, and the TAC has not done anything about this, but there have been discussions about adopting a particular document. I've just put a link in the chat: a taxonomy of attacks on open source software supply chain attacks.

E: Where, you know, this may come as a shocker, but every once in a while the academics do something that, when you hear about what they did, you go, oh my gosh, what a sensible thing for an academic to do. So they went out and tried to identify every single open source supply chain attack that they could find, and then they put them into categories, and they have a taxonomy. And I mean, I've looked it over, it's pretty good.

E: But as I said, the TAC has not done that at this point, but that's at least up for discussion, because obviously it's helpful to have the same terms. And you know, if you're trying to attack your counterattacks, know which ones you're counting, which ones you are. Okay.

E: Is that right? That is, yeah. Yeah, that's right, because I mean it is for the attacks. That said, you would, you know, I think it's quite useful for defenders, because the idea is that you want to categorize how good your defenses are. The answer would be, well, it can't counter this and this; it helps a little bit against that; that's not a complete countermeasure; and it doesn't do anything for these others.
B: Okay, cool, yeah, that definitely helps out a lot, because I think there was also, when I originally introduced it, there was some confusion as to whether that taxonomy was going to become something like an ontology about how to define the terms around supply chain security. This seems to be more of just, hey, you know, different categories around types of attacks and things like that, and how to sort of, let's say, mitigate some of that. Like, you know, I have the PDF up and I'm just sort of reading through, but things like, you know, reproducible build, isolation, and those sorts of things, which are, you know, safeguards. Okay, cool, yeah, I think this is useful. Is there anything, do you think, from this group's end on ways to contribute or provide feedback?
B: No, no, no, no, I don't mean that, because, looking, so Crop and Jonathan Meadows and a few folks from the End User Group had said there's work around what they are calling the, hold on, it's, if you look at the Supply Chain Integrity group, from Slack from last week, to start a collaboration around this problem, the supply chain taxonomy. Does, actually, Jay, do you have any, I think you were working on some of that, but some of those folks.
F: Yeah, so the End User Working Group is working on the taxonomy, but, you know, we're actively pushing to try to bring a few of the working groups in, including the Best Practices, to get on one sheet of music. I mean, that's the long and short of it: to work on the taxonomy. And the silo, and the openness and stuff, that should be a non-starter, because we each are working on different initiatives that require the same type of terms, definitions and everything else.

F: Hell, even reference architectures depend upon what we're looking at, but in order to properly do what we're attempting to do in the Diagram of Society, for instance, creating different models, creating different, you know, images, different graphics, etc. Those all need to look the same. I mean, well, they need to read the same contextually, and in order to do that we all need to be on the same sheet of music across all the different working groups, different SIGs underneath, and different projects that are being worked on. So yeah, I'm inside of each work group saying the same thing: let's develop, let's come together. Maybe this should be, dare I say, this should be a subcommittee underneath the Diagram of Society to talk about, you know, bringing in these different things.

F: Talk about them, work them up into the diagram with the work the Diagram of Society is doing, and then let that funnel out to the working groups as foundational items that are used to create or help create these different frameworks, these different builds, and work in these different projects. I just do something new out right now: Arnold will look at that. Just do something new, I'm spitballing, but Mike, that's something that, you know, I'm thinking about as I talk right now, and of course I'll leave that on the table here for the good order.
E: What does it say? MITRE also has things like ATT&CK, although it's a different kind of thing.
F: That's, I just swapped in the chat, I just put the notes document, the notes and agenda document for the Diagram of Society. So that should have, you know, the links to the Zoom and the dates and times, you know, all the stuff that is usually in those pages. I put it up there in the chat.
E: Okay, I want to copy that into the notes, because, as you know, the big risk is, you know, they disappear after the call. Yeah.
B: Out there, yeah. I think I'm definitely on board with less reinventing the wheel. Like, if somebody else has done all the work around the taxonomy and we could just adopt it, or we can, you know, just sort of provide, hey, we're largely adopting this with these key differences, just because we have a slightly different viewpoint. I think that is super useful, as opposed to spinning up a whole other work stream around that. I also know that there's some folks working throughout a few of the different groups across the open source community around, so that's like the taxonomy, but I also know that there's a few folks who are working on the idea of sort of like an ontology, so that folks can start to, at the very least, if they don't adopt common terms, there is some way of mapping their terms to common terms, like things like, you know, digest versus hash versus checksum, that kind of thing. And so I believe there's some folks on the in-toto side, in the CNCF and a few other places, that are starting to try and build out some of those things, so that when different tools and specifications are spun up, it becomes easier to understand.
E: Yeah, just a real quick note, at the risk of putting Port J on the spot here: so the S2C2F has in its front matter actually a really nice list of, you know, here are the things you're worried about, and then mapping back to kind of show, you know, here's what we're suggesting and this is why. I don't know if anybody's gonna cross-check between that and some of these other things, like that arXiv paper, but I mean that might be a useful thing to do now. A whole lot of these things focused on taxonomy, on categorizing the attacks as opposed to the defenses. I don't, I'll be honest, I'm not, I think trying to take a taxonomy of the defenses is harder, so, and again, I think it's actually easier to categorize off the defenses. But then.
B: Yeah, so I think the takeaway here is just to, I guess, work with the End User Group, and kind of, you know, that seems.
A: Okay, Melba, SLSA positioning update, over to you.
G: Thanks, Isaac. A couple things: the SLSA spec pre-RFC draft is out in a PR. If you have been actively engaged for the 1.0 draft, it would be great to have people comment on it. If you don't have history with it, it may be too much. You might want to wait for the RFC, but I'm trying to get folks to try to look at that issue, 606, to make sure that we can progress. We're trying to aim for end of week; I'm not sure that that's achievable, but it's a target that we're trying to go for.

G: Additionally, there was a Supply Chain Integrity Working Group panel that was submitted for Open Source Summit North America. It's labeled "Ketchup, Mustard and Relish of Supply Chain Security". So I'd like to thank Michelle, if she's not on, for that title; that was a fantastic title. And so, yeah, we're hoping it gets accepted, and it's going to have representation from the three groups: SLSA, FRSCA and then S2C2F. And with that said, I've been working on starting a landing page for SLSA on the OpenSSF page.

G: It was something that was recommended to me, and Jay brought up a great idea. It's like, why don't we have a Supply Chain Integrity Working Group page, and then from that page we have the sub-communities? And I think that's a great idea, because there's a 10-point mobilization plan, and that is one of the main reasons why we are doing what we are doing. There is a tile that kind of flips over that says supply chain security, and you flip it over, and it says a little description. Why not have a link from that to this page to get all the information about what we're doing, how it fits into the overall picture of that 10-point mobilization plan, and then, obviously, Isaac and Jay and I were working on that diagram of how all of this links together: FRSCA, S2C2F and SLSA. So, not sure about the thoughts on that. I know there was an argument against a working group page because there's already a link and the communities are the main focus, but I think it would be a better idea if we were to do the SCI working group page instead, with the sub-pages.
A: I think it's a great idea, Melba. I'm super supportive, and I love the continued trajectory of up-leveling SLSA positioning into SCI positioning. That goes along with this. That kind of, they're looking broadly at that working group, is how do we position the solutions we have within the SCI problem space, essentially. And yeah, I think a landing page for that, I'll open a set at all, would be awesome. I just see how, I know I was put in a, the six-door example.
G: Okay, does anybody object to that concept of having a working group main page versus a community main page? Right? Each community would have their own, but it really should be focused on the whole Supply Chain Integrity.

G: I don't see any thumbs down, and see objections, okay. And then the reason why I put positioning up-leveling is because I was asked by the Specification group what the status of that was, if we were going to stay the same or if we were going to be up-leveled, and I didn't really have an answer for them, and so that's the only reason why that's there.
A: So I think, I mean, I continue to think it's a good idea. I think that we have meatier problems to tackle at the SCI level, positioning-wise, than SLSA, and I think that, you know, this also would be a reasonable subset of that, particularly as we learn SLSA 1.0. We can, you know, position it very clearly within the SCI space. I want to recognize that, you know, you have constraints on your time, Melba, like we all do, and so I know that, you know, there's just, I think, if, you know, I tend to have the instinct, is I'd rather have a narrower scope and do things well than have a broader scope and kind of feel spread very thin. And so if that's your instinct, certainly I appreciate that, and so really it's going to be down to you and your comfort level and finding volunteers to help drive that and to help kind of put it together. And how do you feel about that broader scope?
G: Yeah, yeah, I think, I don't think it was in this meeting; it might have been in the spec meeting. I said as long as I have co-leads from FRSCA and S2C2F, I'm game. But I can't talk to those two, right, so I need co-leads to represent that, right, because without it, it's going to fail.

G: So, and I think I got agreement from Jay and Mike, sorry to put you on the spot, that they would help co-lead that positioning group if it were up-leveled, but I'll need to get agreement again. Just in.
B: But yeah.
A: Okay, I'm gonna, let's, I, it sounds to me like, just to close this out, it sounds to me like we have agreement in principle that this is something that we want to do. Agreement in principle, with co-leads, Melba, you'll be able to take on this larger scope within that SCI positioning scope, and I think, you know, we need to look at putting this into practice. What does it mean in terms of changing the name, or do we need a new meeting schedule?
F: You know what we made, so Mike, Melba and we both attend the current SLSA positioning meeting, and I know that we were working on a new time for that. I say we, the new time that we agreed on, and I want to say it's Tuesday, but a little bit earlier.
E: Sure. To answer the question, I mean, you know, as long as you're doing within your working group the things the working group's supposed to do, generally you don't need to ask mother-may-I. Coordination between the working groups, I mean, you don't need to ask permission to coordinate, but you certainly can ask the TAC to help you out.
E: I think they were encouraging to put here primarily to help make sure that it and SLSA work together, not apart, right. But each working group, frankly, I mean, you know, S2C2F has all sorts of awesome stuff. Several working groups said, that's awesome, we'd love to have it, so it certainly wasn't a matter of, you know, people not liking it.

E: So, you know, again, as far as, you know, accepting submissions in, basically a working group has to say yes, and if it's pre-existing there's some small ceremony, primarily just to protect everybody else, to make sure that, you know, if it comes in, there's no copyright or trademark or other issues that cause troubles. We usually don't have those problems, but you don't want to have them, so yeah.
F: I think from a working group standpoint, I don't, I mean, it's as simple as taking in the sub-SIGs, which SLSA, it's also positioning, is, and then taking that and just moving those in. I think that's a working group decision; I think the working group itself can make that decision unto itself, the same way the working group forms the SIGs in general. I don't know that there's a permission to bring that.
E: I may have misunderstood the term up-level, because if it's just, you know, hey, within the working group, I mean, here we are, we decide. If you mean, by like putting it on the OpenSSF website and making a big pitch for it, okay, I see shaking heads of no. I mean, that's a, hey, please do this, yo! We can talk about that, but if you want to put something on the website, we're always excited to hear about new stuff to put on the website.
A: So I think, sorry, I'll let you in in just one minute.

A: Two threads we need to pull on here. One is the governance side of things, which, you know, we'll need to make sure we update the charter, and then we go through the right process for doing that, because this is an expansion in JavaScript. I tend to agree with David that, like, we don't need to go down the mother-may-I, I think, at this level within OpenSSF. So I think, if there's the governance side, we take care of with the charter and making sure that we go through the right process to change that, and then there's the mechanical side of: we need the meetings renamed, we need the Slack channel renamed, we need the mailing list renamed. That's all, and that's probably an OpenSSF operations team that can help us with that.
E: Yeah, I mean, if you are changing, like, the charter of what the scope of the group is, you're going to need, you do need to get an okay with that, with the TAC. Generally, they're going to be fine with it as long as it's reasonable, which, frankly, I would be surprised if it's any of the reasonable. But that's where you do need to say, hey TAC, we want to change our charter from this to that. To be honest, it's already a bit of a challenge, and Jay, again, that's experienced firsthand. You know, these groups were big categories, but there's more than a little overlap between them, and sometimes something just, you know, easily fits between multiples of them. But the notion was trying to make it so there's some swim lanes so that people aren't bumping into each other constantly. And I see Arnold has to stand up.
H: Yeah, no, but actually I think you pretty much answered the question the way I wanted to answer, yeah. If you want to change the charter, you will have to inform the TAC and get their okay, and if it's reasonable, there is no reason to think the TAC would say hell no. So it's a formality, really, but yeah, that's the right thing to do. Yeah.
B: Yeah, also, well, I know Brian dropped off, but I was actually going to say one of the other things that I think would be useful in sort of some of the interaction here is also, and we brought it up previously, is like, as new directions generally for OpenSSF get sort of voted on by the governing board. That would be useful, just to kind of help us as we go through, to make sure that nothing we're doing in our charter or otherwise sort of completely contradicts. Obviously, you know, there's going to be some discrepancies, but it doesn't completely contradict the guidance coming from the governing board.
A: We've completed the agenda. I think we've got some, certainly in terms of this, the document at the bottom, the charter of the SCI working group, I will figure out what we need to do in terms of presentation to the TAC, and that we're aligned there. I think we're agreed in principle with the up-leveling. We need to look at the mechanics on the governance and then the mechanics side, and then we've got some follow-ups to do in the End Users group around taxonomy. And with that, I can give everyone 27 minutes back, and across a dozen people, that's like several hours of person calendar time freed up.

A: Look at Jay, he's thrilled. My recommendation, as always, when finishing meetings earlier, is you're not allowed to just hang up and sit at your computer and do email and just turn the windows and do something else. You've got to stand up, stretch your legs, pet a cat, get a glass of water, get some fresh air, maybe say hello to other people that are around you, and so on, and then you can get back to work. These are the rules; I don't make them up, I'm just here to remind you of them.

A: Thank you, everyone. I will see you all soon, and in Slack and so on, and I hope you're all sharing my excitement for SLSA 1.0; we are tantalizingly close now, and we are days and weeks away. So do take a look at the issue which Melba posted and get ready for the release candidate that I'm in the very near term.