From YouTube: OpenSSF TAC Meeting (July 27, 2021)

B: Hello, I just got an email. I think that we may end up getting postponed to another time, but...

C: I am... this is my first meeting, interested to see how it goes.

C: No, I think that's really fine. No, I was... so I work with Ax, and he was like, "I don't know if this is happening or not today," so I already knew, so it's all right.

B: Okay, so Ryan, where... let's see here. "We won't be having a meeting on July 27," that's today, "so we are going to have more agenda items next." Okay, all righty! Okay, drat! Oh, look! Okay! You know, I see some other folks here. Let me...

B: Ryan, so I saw your post that you're canceling this meeting, and here you are anyway. Oh, when I didn't...

B: Okay, the TAC meeting is, you know... I'm gonna post to the tooling folks right now. I don't know very many people named Ryan, and so I just saw four letters and all that stuff.

B: So let me send an email, just to make sure anybody who's on the tooling list... it is taking place now. Thank you.

B: Okay, all right, so I'm posting right now, so hopefully that will reduce the confusion. So my apologies, and I'm glad... and I just posted to the tooling group, so perhaps that will prevent that confusion anyway.

D: It does look like a few people are still joining, so we'll give a few more minutes. So hopefully that wasn't too much confusion, but I know any time I get an email from him, I see "Ryan" and it's from OpenSSF, like, wait, I didn't send anything.

D: Okay, I think we've got a good chunk of people now, so I'll just hit up on the agenda real quick. So, the meeting notes are in here; please go ahead and add yourselves in there. Let me have a chance... and we have a few things on the agenda.

D: So of course I emailed David yesterday asking if he could present, because we didn't have much else to discuss, and then immediately got more things to discuss. So there's three main things that we want to talk about today. First is the vote on the OSTIF budget; secondly, Kay is going to give a presentation on supply chain security and the executive order, kind of some viewpoints from that and how it might dovetail with OpenSSF; and then David, that I've requested to discuss his process for security.

D: So, if folks remember from our previous meeting, that was about a month ago because we did miss the last one, the original budget request from OSTIF was significantly more than the funds that are available in OpenSSF, and so we had them go back and redo their proposal with the funds that we actually have available, which is 60,000 instead of the 2.8 million, or something like that, that it was originally. And so they sent a proposal to the TAC mailing list.

D: If you haven't seen that, I can forward it again, but this is a quick summary of it. Basically, what they're saying is that with the 60,000 they're going to dedicate their resources towards completing an end-to-end review of Symfony, and for those of you that are not familiar with Symfony, it's basically a popular open source component used in PHP frameworks, so it's fairly prevalent and it has a lot of security functions built into it.

D: So this is their current proposal for OpenSSF. I believe Dan Lorenc has already voted to say that he approved; there might have been one other. I apologize, I'm super behind on email from being out of the office for a little while, but if folks can reply to those threads today with voting, or we can go ahead and do what we've done in the past with other ones, where we create an issue on GitHub and let people approve it that way. Either way.

D: We can do that, so we can take votes now if we have quorum. I'm not sure if we have everybody. I see Rao. I know Dan's already voted; Phil's here.

F: I haven't had a chance to catch up on the email front. I'm good with this approach. My only question there is: is there any reason we're going with the number eight rather than... what happened to the one to seven, right? Is that sixty thousand not enough, or what's the rationale? I'm just curious on that one.

D: Oh, yeah. It was basically based on... they have this sorted list, right, where they've looked at the criticality scores and a number of other factors. So they're looking at the criticality score, but they're also looking at, like, what's the most value for that amount of money, of the amount of effort they can put into a particular project. And so, looking at their sorted list, they decided that, for that amount of effort, this project would receive the most benefit, and so that's why.

G: Yeah, I can... I just found the email thread. I actually thought I had said "approve" at some point, but I did not, so I'll respond to the thread.

H: All right, we will... for this one we're close to the governing board meeting, which is next Thursday, so it might be easiest to just have a vote for it at the governing board meeting.

D: Excellent. Okay, our next agenda item is with Kay, so for her presentation I'll go ahead and stop sharing.

H: Okay, so this is a deck, and I actually shared this with the OpenSSF planning committee yesterday. So some of you will have seen this, but not everyone. And Ryan said he was looking for content and I said, well, I've got something I can share. And we might, after we look at this and think about it, we might decide it would be interesting to create another working group in OpenSSF.

H: So this deck covers the U.S. White House executive order on cybersecurity. It also covers software bill of materials and then a proposed industry approach to supply chain integrity, and I'll kind of launch through this. It's based on... it covers certainly some thinking that we've been having at Microsoft, but we're very interested in this not being a Microsoft proposal, but something that, you know, the community all gets behind.

H: So we'll start off, we'll talk about the executive order, software bill of materials, and then industry approach. So, for the executive order, many of you may be familiar with that, so I'll probably go through this quickly, but if you do have questions, feel free to jump in at any time and I'll slow down and address them.

H: So the executive order covers a number of things. There are 11 total sections in it, and for this we're going to be focusing on section four, which has to do with enhancing software supply chain security.

H: In a recent NIST workshop, one of the speakers there gave this quote, and this kind of summarizes what the executive order is getting at: "We're not here to tell you how to build your software, but we're here to tell you which software we're willing to buy." So this is about procurement of software, the U.S. government's procurement of software and the requirements that they'll be putting forward. So, key dates, and these are specific to section four of the executive order.

H: Several of these dates, like the first four of them on this... actually, five of them now on this timeline, are in the past. So the order was introduced in May of this year, mid-May, and initially the government was soliciting input.

H: David Wheeler provided some input from the Linux Foundation; Microsoft and, I'm sure, other companies here also provided information. The government is now reviewing that and is coming back with some... further refining what they laid out in the executive order based on this input and their own deliberations.

H: The next big dates coming up: in November we should get preliminary guidelines from the Department of Homeland Security for their requirements for providers of software; in February they should have their final guidelines out; and then just 30 days from that, in March, U.S. government agencies will be required to comply with those requirements.

H: So it's a really short timeline: overall, 10 months from start to finish, and from now to finish is only about six months. I should be more careful when I say "finish." Finish means, you know... the government sees this as an ongoing process, so they'll pick some set that they start with, some set of software, some set of security requirements, but they envision that the set of software will become broader and the security requirements will become broader over time.

H: So section 4(e) deals specifically with security requirements for software procurement, and those include things like using secure development environments, maintaining trusted source code supply chains, checking and remediating vulnerabilities (and we'll go through all of these), providing an SBOM, and conforming with some sort of secure software development practice.

H: So, for example, for checking and remediating vulnerabilities, they're looking for artifacts of tools and processes that were executed, and then also publicly making available a summary of risks assessed and mitigated for the software; the same for the requirement to provide an SBOM.

H: So that's an overview of what's in the executive order, and how we think about these requirements and the evidence needed to demonstrate conformance.

B: Okay, if I can interrupt on that previous slide, yeah, Kay. I talked earlier about what ended up with that long text in the header at the top, because the executive order is, of course, very high level, and not only exactly what's going to be required, but the evidence required, I think, at least my expectation is, we're going to get more information as they refine it.

H: Agree, thanks. Uh-huh, okay, so now let's talk about software bills of materials. SPDX is one of the formats that can be used to satisfy the production of a software bill of materials. The other two are CycloneDX and...

H: So what is the software bill of materials according to the NTIA?

H: It's a machine-readable inventory of software components, information about the components and their relationships, including hierarchical relationships from the full tree of dependencies. And the NTIA (NTIA stands for National Telecommunications and Information Agency, something like that) has listed a minimum set of elements that are required for an SBOM.

H: This is... we certainly, from a Microsoft perspective, we think this is a low bar. Actually, maybe they said it this way, so I won't say "Microsoft perspective," but NTIA is setting a low bar for broad adoption and enabling vulnerability assessment and integrity. So the use cases: vulnerability assessment and integrity checking.

H: So why are they important? Again, it's not only about vulnerability checking, but it's in part about vulnerability checking, and the key for vulnerability checking is the ability to identify software so that vulnerabilities can be associated with software. And the software, you know, can come in many shapes and sizes. It might be code that's in a source code database.

H: It might be some packaged code, and by packaged I mean, you know, developer packaging, so in a PyPI package or npm or NuGet, or it might be software that was used in an end product.

H: So again, back on the slide where we talked about security requirements and evidence, software bill of materials is kind of the core, and then all of those other pieces of evidence that need to be provided would identify that those were performed against software that's identified using the software bill of materials.

H: So David and others who were in the talk yesterday, I also included some in that one... I included some additional information about SPDX. I'll mention that here; I don't have the slides. So SPDX is one of the formats that can be used.

H: Now we'll move on to... and again, I'm framing it the way we're thinking about it at Microsoft, but we would love to collaborate with others and come up with an industry approach, so, you know, broaden the way we're thinking or make changes to requirements, etc.

H: Here's an overview. So we see the base parts of supply chain integrity as the following. One is that there's a supply chain data store, and I'll describe each of these elements in more detail later. The supply chain data store, you know, it's where things like evidence and policy go, but in this workflow some organization creates a supply chain data store. Then the next piece of the workflow, number two, is a policy manager.

H: Since, you know, someone whose job it is to say, you know, for my organization or for my software project, I'll only accept software components that meet a certain set of requirements. So the policy manager defines the requirements using policy and then submits that policy, which is a document, signs it and submits it to the data store, where it's logged and it can be queried and retrieved by others. So, step three: a supplier creates a product. Could be anything, could be source code, could be a package.

H: Software product, could be a cloud service. At Microsoft we even think of this very broadly; we're looking at a model that encompasses hardware, software, machine learning, data sets and even digital media, so images and videos, etc. Anyway, so supplier creates a product and then provides evidence about what work was done for that product to meet requirements, whether those be internal requirements or external, and then that evidence is also signed and then submitted to the data store. And the last piece of it is the user.

H: The user retrieves evidence, they retrieve the policy that the evidence is supposed to meet, they retrieve the product, and then they verify, using the product and the evidence, that the policy was satisfied.

H: So I don't cover that in this slide, but I can talk to that. So we actually think that this happens at multiple levels. So if you take this particular drawing, you might imagine that all of this is happening just inside of an organization, so maybe JPMC has one setup that looks something like this and Microsoft has something like this, and possibly in the open source project, although this could be heavyweight for an individual open source project.

H: Maybe you'd imagine... well, anyway, so I think there's this local scope, and there can be policies and suppliers and users at the local scope, and they might have a data store, a local scope data store, and then there's also kind of a broader scope, and maybe it's a global scope, and I'll talk more about that in the next slide.

H: Maybe you think about this kind of like the DNS system, where you can have local DNS, and this is the set of information that's exchanged locally, and then there can be a global DNS, and possibly information that's in that local store could get pushed to a global one, or possibly the ones that are managed locally, some part of it could be confederated.

I just wanted to mention, I mean, no questions really, but this is a very relevant topic. I'm a security researcher at Sonatype, and also with a sal image today with us from Sonatype. So, you know, we've also collaborated with NTIA in the past, so anyway, we can help, because literally, if you see my blog posts over the last year, right, it's been all about, like, technical, maybe not so high level, but all about supply chain infections and malware.

H: Right, yeah, great, great, and I'm thinking we'll talk about this later, you know, maybe we want to create a working group inside of OpenSSF, but let's talk. Okay, so now, if we think about the executive order, and now I get into this concept of more of a global supply chain. So in this diagram, let's think about an industry consortium that creates a distributed supply chain data store, and I'm not describing, you know, where that consortium is.

H: You know, some other industry standards body, not sure, but imagine for a moment that there's some sort of distributed supply chain data store, and in this case what might happen is that the U.S. government, you might think of them as a policy manager, and they would submit a policy to the data store. It might not be the... you know, for lots of reasons about how the U.S. government works.

H: It might not be the U.S. government that submits something, but maybe someone else creates this schematized policy that identifies... that maps one-to-one with the EO requirements, but this policy would also be available from a data store. And then imagine that OSS developers would submit evidence for their source code to this data store, and maybe it's not OSS developers doing anything explicitly. Maybe it's happening under the covers, so maybe the OSS developer is using GitHub or GitLab or some other SCM, and there's...

H: You know, some feature provided by the SCM that says, automatically provide evidence about EO conformance to a data store.

H: Their source code is used by some company, which, as part of ingesting that source code, does a verification test against... using the evidence and the policy that's in this global store. Then they create their own packaged software, and then the packaged software goes to the U.S. government, and again they can check the evidence and policy from some global store.

H: When I talk with our CEO at Microsoft, by the way, he doesn't think there'll be a global store; he thinks it will all be distributed, so companies would have their own, and so in fact, you know, company A would be going to company B to get the data from them. Again, these things are all... this is an early conceptualization and stuff we would need to sort out.

H: Okay, so then, as we think about how would we go through refining this and actually delivering something, we think the big picture mission is: individuals and organizations can produce and consume trust for products across supply chains. And then we've been thinking about the guiding principles: this needs to be an industry collaborative effort. So we don't think any one organization can do this alone, similar to how we think about why we all came together under OpenSSF.

H: We think it needs to be both. We need industry standards, which is kind of a slower, longer-term process, and we also need fast iteration. So we, Microsoft, certainly have been active in some industry standards projects around supply chain security.

H: We know there are others who are, and kind of an ethos for open source is that: rough consensus and running code. And so we want to have a world where both things are happening.

H: There's rough consensus, running code, trying things, and then all of that accrues to some industry standards as we go along. And essentially the standards part is just so that we can have that smooth flow of information: standard schemas for submitting data, for submitting policy, for querying data. The standards are the things that enable a lot of that.

H: We want this to be a general model, inclusive of all product types, but we do think software is the starting place for it. Automation is a key piece of this, so the evidence should be generated in the background. This kind of gets to the next bullet.

H: So the user experience should be that the right thing happens, generally in the background. It shouldn't require, certainly for developers, it shouldn't require manual creation of evidence; the tools that they use usually create that evidence. And then there should be user experiences for creating policy, and the verification should be built into tools that people are using, and then, to ensure that this data and policy flow through the system and people can trust it...

H: The data should be tamper-proof, and then something that we've been looking at from Microsoft is that the store should be guaranteed by a hardware root of trust, because that's kind of the industry standard gold star for roots of trust.

H: But that's also something that we can talk about. We've been looking a lot at using confidential compute technologies for the store.

H: The way that we've been thinking about it is that, over the longer run, we'd like to have, and I equate this to the email model, we would like to have there be kind of a base standard, but then it can be extended: a base standard for data, but then other data formats could be used. So when I go back to the email model, in email you can have different content types. So email can come...

H: You know, text is one model, then there's HTML and RTF, and other types of content can be in an email message. So we'd like there to be a base that gets extended over time, so that when we're querying, you can do rich queries.

H: Like I can say, when I'm querying the data store, for a certain software component, tell me all of the evidence that's related to that software component, and that's easiest to do if there's a common evidence data model. So also for policy, we're looking for a data model and exchange format, and then for the data store we're looking at a service definition, an API.

H: So how do I query for... how do I enter data into the system? How do I query for data that's in the system? How do I retrieve it? All of those things would be defined in the data store API, and then there also would be requirements for functionality of the data store, so again, distributed identity management.

H: How the... anyway, I won't go through all of these. So those are some of the standards that we're looking to have created.

H: This is not a new concept, and in fact I think probably a lot of companies might have done their own implementation of something like this internally. Microsoft has probably 10 different internal implementations of something like this.

H: The key point here is to try to get people doing it in a similar way, so we can exchange. Related products are the in-toto project, and in-toto kind of deals with supply chain evidence and policy. They use different terms; they use metadata and layouts. Sigstore looks at distributed identity and then also evidence signing, in particular source code signing.

H: SLSA is another project, and they're looking at policy for supply chain based on the criticality of software, and then also the verification of policy using evidence. And then there are the others, SPDX, CycloneDX, SWID and others, that are existing data formats, and so all of these, we think, kind of play parts in the overall picture, and if all of us are coordinating across all of these, we can be accruing to the larger vision.

H: We, Microsoft, and some others, MITRE and a group out of Germany that works on standards and some folks from Qualcomm and Cisco, have been having some meetings where we're starting to work through some of these proposed standards that I mentioned. But even more than working through the standards, we do have an implementation that we're working on. Our implementation is based on a framework called the Confidential Consortium Framework.

H: The code is open sourced, both the documentation for it and the code is open sourced from Microsoft, and then this supply chain... what we're calling the Supply Chain Integrity Model, or SCIM, is some additional features built on top of CCF, and we're intending to make that open source. And we're also looking to provide, and this is early and not completely confirmed, but early thinking is that Microsoft would provide a cloud service.

H: That would be this data store, and we could use that for our own internal uses and customers could use it for theirs, if that's something that they're interested in. And, you know, for our own internal use, we don't yet have a version of the store that we're testing against, but we think that we'll have that in the next couple of weeks. So it's coming along, and I think that's all that I have to describe about that.

H: So let me open up now for other questions, or, you know, are we interested in having a working group in OpenSSF? We could have a working group... we could look at a couple of ways to do this. There could be a working group that's focused on the broader supply chain integrity scope.

C: Well, I mean, I'm happy to jump in on that. I really enjoyed this. This was... thank you. I mean, I do that whole thing, but I haven't seen it crystallized so well so far. Yeah, I mean, my background on this is I have been focusing... I'm pretty interested in what the changes to the supply chain, particularly in the sort of more global sense of open source, look like. I just wrote a HackerNoon post exactly on this last week.

C: I would love... I mean, I can definitely pull from that perspective. There's a couple of things that I think are really worth sort of pulling on the threads for. One of them is actually really particularly sort of the data store and the querying of that, because beyond just collecting and storing and doing that efficiently, what that's actually going to allow you, or us as a community, to do is develop a security taxonomy, which is hugely valuable, right?

C: I think, yeah, I think so, sort of this pipeline effort and making sure that we do that in a way, right, if we're talking about global engagement in this kind of thing, a way that's efficient does have to be under the hood, but the output of this is really, really powerful, and I don't think people really realize that as soon as this is in effect, we get a level of information we've never had, right.

C: Not... I am brand new, so hello to everyone who I haven't met, who is everyone except Ax. So I'm new to Sonatype, so this is my first month with them, but I come from a background in, actually, machine learning, and I just spent the last 10 years working in basically security clearance with, you know, U.S. Air Force, NIH, pretty familiar with working on problems in this kind of area. But now that I've stepped out of that, I'm trying to save the world, and this is one of these save-the-world things.

D: My brain is not quite all there yet, but so one of the things, okay, that you mentioned here was creating a working group, and one of the things that I've thought about with this is: should we create a working group dedicated to this, or should we leverage the TAC in our role as influencers of the technical strategy within OpenSSF? Because a lot of these pieces, you know, as you went through it, clearly fall in existing working groups that we have, but they would need to be coordinated, right.

D: You know, that's responsible for coordination of these things as it relates to the executive order, or do we just simply leverage the TAC for that? I don't particularly have a preference either way; I kind of want to throw this out to the group for discussion and thoughts of what you folks think.

B: Just as a quick reminder, I mean, on the way... I don't vote on any of these things, but hopefully you let me talk. I'm not looking for new working groups to be a member of, so if we can add it to existing work of different existing working groups, I think it would be easier than trying to divide up people into yet more groups.

B: I think there's a point at which, you know, unless we have too many people... too many working groups can kind of dilute. But I guess I have to also repeat what Ryan said: I don't really care in the broad scheme. Let's identify the most important things and work them, and then, however we organize, I'll work with it. But I do think we have to be careful about creating too many working groups, and then we're spending all our time meeting instead of working.

J: I will say, though, you know, trying to attend as many working groups as possible, that this is my main complaint: in any one working group, no one has the big picture. And I'm blown away by what Kay presented today, and if there is leadership who's willing to lead a group, I think that should eliminate a lot of obstacles for us going forward with the group. I'd love to see some... It can even be a short-term working group.

J: You can have a duration of producing this material and get the work engaged to coordinate, then disband. But I'd love to have somebody address exactly what's being shown right now, the big picture, and, you know, probably creating a road map and making sure all the work groups know where they're at on the roadmap and what deliverables are expected to be produced against that. I'd love to see that.

D: Yeah, and Matt, that's a great point, and what you just stated is exactly what the role of the TAC is meant to be. So we have spent a lot of time in the past, as a new organization, just getting our processes in place and working with the existing six working groups, and we tried to build this technical vision.

D: We did that, and now it's time for kind of a rubber-meets-the-road situation, where that's all great, things are running, and now this is exactly what we need to do. So we've had on the agenda reviewing a backlog of things, this giant document that David has graciously put together of all the ideas that we've had, and then this executive order came out and we're like, okay.

D: Maybe we should rally around this, and then Kay put this together, which is phenomenal and definitely will help coordinate all that. So if we want to work off of this, and the TAC can drive this as sort of the strategy that we want to target and coordinate with those working groups, we know what the vision is and who needs to do what work, and then help provide that. That's precisely what we're supposed to be doing.

D: Yeah, like this group was already looking at supply chain security as sort of an overarching strategy, and then, when the executive order came out, it sort of solidified some of the key points, right. So I think the executive order sort of just happened to land with what we were already kind of thinking and then just expanded on it. So I agree we shouldn't be just, you know, chasing every new thing that comes out; this one just happened to fit with where we were already thinking.

H: You know, if we're just tossing out ideas: we had discussed early on, when the Digital Identity Attestation group came out, we talked about maybe the scope of that working group could be broader, to encompass supply chain. So that might be another way to go, is maybe think about taking an existing working group, maybe kind of expanding its scope a little, and then we could keep the number of meetings that we all have limited, which I totally agree with David on. But anyway, that's...

D: Yeah, I actually agree with that, because I think if you look at the Digital Identity Attestation working group, the Securing Critical Projects working group, I know they've been looking a lot lately for agenda topics, which kind of seems like maybe they're striving for a sense of direction. This could be that direction that kind of helps drive that. Yes, we could propose these on the agenda.

D: You know, okay, if you want to drive this, or we could talk to Dan and Kim and see how they feel about incorporating this and making it more of a central theme within those working groups, and then how they can coordinate with the other ones. Because I agree, I'd rather leverage what we have and then just try to expand on it rather than creating something entirely new and then trying to coordinate again. And whatever role the TAC can play in helping to coordinate that, you know, that's why we're here.

D: So we'll do that, and we can start getting these leads, hopefully, showing up at the TAC meetings that we've been trying to do for the past few months, to help coordinate as well. But I think this is a great way, personally, to drive a lot of these working groups forward and give them a sense of coordination and collaboration and all those great buzzwords. So.
D
Yeah,
I
think,
that's
a
reasonable
plan.
I
don't
think
we
should
try
to
present
it
as
sort
of
a
like
that
we're
dictating
what
work
they
should
do.
Rather,
I
think
most
of
them
are
already
in
agreement
on
focusing
on
supply,
chain
security,
and
so
now,
just
kind
of
coming
and
working
with
the
leads
and
saying
hey,
like
we've
got
this
overarching
view
this
is
you
know
what
open
ssf
is
going
to
target
over
the
next
year?
J
No,
no,
it's
a
good,
no,
it's
good
for
them.
I
think
a
lot
of
work
groups
don't
in
the
membership.
Doesn't
they
don't
understand
this?
This
overarching
thing
right,
so
it's
good
to
have
that
as
an
artifact
that
placed
in
front
of
them
and
have
the
work
group
chairs
and
workgroups
acknowledge
if
they
have
things
that
apply
to
this,
what
they
are
and
know
that
they
should
report
on
them
regularly
for
newsletters
and
whatnot.
D
Agreed
yeah,
so
I
think
maybe
the
right
approach,
maybe
going
forward
here,
is
myself
and
kay
and
david
knew.
Where
else
wants
to
be
involved.
We
kind
of
create
this
basic
strategy
have
a
meeting
with
the
leads
to
help
coordinate
all
of
this
and
figure
out
what
next
steps
for
the
their
each
working
group
should
be,
and
then
we
can
kind
of
resync
and
start
getting
into
sort
of
a
rhythm
of
business
where
we
start
having
these
checkpoints
and
figuring
out
where
everybody
wants
to
tie
in.
H
D
Okay,
we'll
set
something
up-
hopefully
soon,
just
fyi
I
will
be
in
and
out
I'm
got
my
honeymoon
coming
up
so
I'll
try
to
do
as
much
as
I
can
in
the
meantime,
but
we'll
get
that
we'll
get
that
started
and
I
think
that'll
help
drive
a
lot
of
progress,
but
in
the
interest
of
time
david
I
don't
know
how
long
you
needed
to
go
through.
I
know
we
only
have
seven
minutes
left.
D
We
can
leverage
this
time
for
for
you
to
to
give
your
presentation
or
discussion,
or
we
can
just
kind
of
wrap
up
here
and
say
for
another
time.
If
you
need
more
time.
B
I
I
don't
need
more
time.
I
I
think
that
I
think
mine's
really
straightforward,
so
shall
we
just
go
for
it?
Take
it
away.
Take
it
away
all
right.
Let
me
I'm
going
to
try
to
share
my
screen.
Let's
see
if
that
works,
maybe
it
works
all
right.
It
is
giving
me
the
illusion
that
it
worked.
Okay,
so
ryan
asked
me
to
you
know
I
I
shared
out
to
the
tech,
my
usual
overs
oversight,
process
and
ryan
said.
Oh,
we
should.
B
That
sounds
like
something
other
people
should
know
about.
I
wish
you
should
tell
talk
a
little
bit
about
it,
so
here
I
am
so
I
wrote
a
one-page
doc.
I
have
the
link
in
the
in
the
notes
here.
Actually
I
probably
should
stick
this
also
in
the
chat.
Let's
see
here,
chat
all
right,
so
that's
the
doc
that
I'm
going
to
be
talking
about
all
right
in
the
chat
is
a
link
to
it.
B
So,
basically,
if,
whenever
the
lf
funds
security
focused
work,
you
know-
and
you
know,
including
any
of
its
foundations
like
the
open,
ssf,
typically
there's
some
oversight,
it's
not
a
requirement,
but
often
I
end
up
being
the
person
doing
a
lot
of
the
oversight.
I
already
oversee
a
number
of
little
projects,
some
of
open,
ssf
related
some,
not
but
regardless
of
that,
so
I
wrote
up
this
one
page
that
explains
by
default.
B
If
I'm
overseeing
it
and
we
don't
make
any
changes,
what
happens
so
first
up,
I'm
do
make
it
clear
most
of
the
times
most
security
work
is
being
done
by
other
folks,
either
by
volunteers,
or
you
know
somebody
not
some
organization,
not
the
aleph
itself,
funds,
an
employee
say,
and
they
go
do
something.
That's
great.
B
Okay,
don't
need
to
do
anything,
but
if
the
lf
or
an
lf
project
or
foundation
like
the
open,
ssf
funds
work,
this
is
and
and
if,
if
you
ask,
you
know
if,
if
if
I
end
up
being
the
person
overseeing
the
work,
this
is
what
typically
happens
and
exception.
Security
audits
are
actually
pretty
similar
but
somewhat
different.
I
also
oversee
astiff
when
they
get
engaged
for
a
number
of
things,
but
other
than
that.
Here's
what
typically
happens
all
right.
First
of
all,
there's
usually
a
contract.
What
happens
funds
set
aside?
B
It's
approved
it's
funded.
They
have
to
send
a
lf
a
little
personal
information
because
of
taxes
and
then
what?
Basically
it's
pretty
straightforward.
What
I
ask
people
to
do
is
every
month
or
some
other
period,
the
email
out,
an
invoice
hey,
please
pay
me
and
you
link
to
here's
the
key,
a
stable,
url,
that's
publicly
accessible,
that
tells
the
world
some
stuff
about
what
you
did
with
the
money.
So,
basically
briefly,
what's
been
accomplished,
why
it's
important
give
credit
provide
some
identifier.
Now
the
identifier
doesn't
have
to
be
your
personal
name.
B
It
just
has
to
be
something
because
that
helps
make
it
clear
what
it
is.
As
far
as
what's
been
accomplished,
we
want
them
to
point
off
to
details,
but
usually
a
lot
of
folks,
for
example,
they're
going
to
write
code,
we
want
them
to
point
to
the
get
commits
it
doesn't
have
to
be
in
there.
You
please
don't
need
to
copy
paste.
Just
you
know
have
links
to
your
get
commits.
B
The
whole
process
is
intended
to
be
lightweight.
I
tell
people
it
shouldn't.
Take
you
more
more
than
20
minutes
and
remember
that
if
it's
funded
this
way,
you
have
to
release
stuff
under
an
open
technology,
license
like
an
open
source
software
license,
and
then
you
know
if
it
seems
like
you
know,
progress
is
getting.
You
know,
people
there's,
there's
actual
reasonable
efforts.
Then
they
get
funded.
We
expect
problems
are
gonna
happen.
B
Sometimes
we
just
wanna
see
credible
efforts
and,
if
there's
a
real
roadblock,
we
want
them
to
suggest
ways
to
overcome
it
or
provide
some
partial
or
incremental
benefits.
The
overall
goal
of
this
is
to
provide
confidence
to
funders.
We
aren't
wasting
money
and
really
a
broader
thing
which
is
noted
up
here.
We
want
people
to
consider
funding,
open
source,
offer
security
as
normal,
and
we
want
to
normalize
that
so
the
more
that
people
post.
Oh
look,
here's
what
we
did,
here's
what
we
did,
the
more
people
start
seeing
that
oh
wait
a
minute.
B
I
could
do
that
too,
and
you
know
that
helps
the
open,
ssf
and
lots
of
other
folks
too.
So
anyway,
it's
this
wasn't
supposed
to
be
complicated
supposed
to
be
simple,
but
hopefully
it
kind
of
makes
sense.
Questions.
B
I
I
will
note,
by
the
way
really
I've
only
had
one
person
pushback
most
of
the
folks
I
work
with
say:
oh
yeah.
This
makes
sense
and
off
we
go
so
so
in
general,
I
haven't
had
any
pushback
on
this
process,
but
it'd
be
useful
to
you
know
more
publicly.
What
in
the
world
is
this?
What
is
this
that's
going
on?
B
D
B
Supposed
to
be,
I
mean
I'm
the
one
that
receives
all
this
stuff,
so
I
don't
want
to
read
a
million
pages
of
stuff
and
really
my
hope,
because
it's
all
public,
my
hope
is
again.
We
want
to
normalize
this
whole.
Oh
yeah,
this
overlook
this
was
funded
and
open.
Ssf
is
funding
this
and
you
know
things
are
happening
so
anyway.
That's
the
hope.
D
C
I
guess,
on
my
part,
so
to
be
in
touch
with
everyone.
I've
got
the
slack.
Is
there
anywhere
else
that
I
should
be
looking
to
connect
on
things
aside
from
these
meetings.
D
Slack
these
meetings,
a
lot
of
conversations,
also
happen
on
github
and
then
the
mailing
lists
so
join
any.
You
know
working
group
mailing
list,
the
tac
mailing
list
that
you
might
be
interested
in
so
yeah
between
those
channels.
You
should
pretty
much
get
everything
covered
and
if
you
have
any
other
questions,
feel
free
to
reach
out.
D
All
right
thanks
everyone
and
thank
you
to
our
new
attendees,
I'm
happy
to
have
you
guys
here
so
looking
forward
to
having
having
you
again
and
we'll
talk
in
two
weeks,
all
right
thanks.
Everyone
bye.