From YouTube: OpenSSF Vulnerability Disclosures WG (April 5, 2022)

A: Yeah, no, I'm really pleased with what Josh is doing with the tooling group so far, trying to set some guidelines and parameters and direction for the group. So that's really great.

A: It is unfortunate that it overlaps with the SPDX tech call, but, you know, what are you gonna do? Only so many hours in the day.

C: Hey Vicky, was there any follow-up on changing the meeting time? I think I received the email from CRob about the Doodle poll, but I didn't see anything after that.

A: Let me check. For those of you who haven't seen the notes yet, let me drop a notes link into the chat; there's a Google Doc for you. And there's something on the agenda for today to talk about it, which means it's not moved yet. It will be, starting the 20th of April. There will be a new time at 11 a.m. Eastern time on Wednesdays, but that won't be until the next call.

C: Okay, sorry, I have too many questions, but is there a link to the... oh, okay. There is a link to the Google Doc; you just posted it. Okay. Thank you.

A: Just now posted it. I'm kind of surprised CRob isn't here yet; he's usually right on time, so he must have had another call just beforehand.
E: ...IT department has done. You're still lucky; it's a great opportunity to work for a company that has such an active IT department.

E: Yep, I get to reboot my computer every Wednesday, every other day. I get some updates. It's great. Do you get a warning before the computer reboots? It says you can reboot now or you can delay this three hours.

E: It's cool if I could get...

A: The item I added is, as I mentioned on Slack, Thomas is here from SPDX, so he'll be talking to us. I don't know where you wish to put that on the agenda, and I'll let you lead the parade.

E: Thank you. I got it; it was kind of everywhere. Today we will listen to Thomas shortly after we clear out a couple of business items.

E: First and foremost, as is tradition with the group, do we have any new friends that are here today that want to introduce themselves to the group?

G: Can I ask for a quick thing? Could somebody add the working group meeting notes link to the Google Calendar invite?

E: Exactly, to the meeting invite. So once I contact my dear friend Jory after this call, I will see about getting that added in, Jonathan. Although there's some new, exciting nonsense that the TAC is implementing that we could also briefly touch on, first and foremost, do we have any new friends that wanted to say hello and introduce themselves?
F: I think I may have not been to this one yet, so I'll say yes. I'm Tom, I'm helping look after Bloomberg's software supply chain efforts, new efforts, and I think, post some admin, we finally managed to be back being members of OpenSSF; some balls got dropped at some point last year. Right now I'm kind of trying to drop into as many of these as I can to see what they're about and which we can get value from and contribute back to as well.

E: Jennifer, did you want to say hello? Are you a new friend?

I: Hi, yes, I am. Similar, hi. I am joining just to sit in, listening, to see how, if at all, this will apply to my new role. I am starting a new role at Tidelift in security, and I'm just going to be joining a bunch of different groups to see what makes the most sense.

E: Welcome. This is a lot of fun, a fun crowd here, and we're going to have some exciting news in just a few minutes. Before we get to talk about SPDX, can I have a volunteer to assist with meeting notes today?

E: Thank you. Everyone's welcome to type, but it's just nice to have someone that's focused on that, because we'll get some interesting conversations. So I saw Thomas's hand first; you want to introduce yourself, Thomas?
B: Yeah, I thought so. Yes, I'm invited, but I also wanted to join. I've been sniffing in and out of OpenSSF, and I've sat in on some groups for a while, so I actually have multiple hats on. I used to be the head of open source for HERE Technologies. Now I'm the new head of open source for another company, but that's not yet public, so yeah. I am.

B: Then, just like Vicky, I'm on the steering committee of the TODO Group, so doing open source offices, helping the whole open source management in enterprises. And then I also do SPDX, where I am lead for the vulnerabilities profile, and I've been in SPDX already for many, many years, since the beginning, and then also dabble in OpenChain whenever possible. I'm basically trying to fix the... yeah.

B: Basically, it started out like, my original HERE Technologies was in the automotive business. Already back in, like, 2016 we looked at the supply chain security issues, and yeah, I know the modern supply chains are very, very complex. Well, our company, my previous employer, is owned by BMW, Daimler and the Volkswagen group, and also by Continental and Bosch, and all of them basically came together and said, like, hey, how can we do this?

B: But, as usual, it took a long while, and so the best solution that we came up with is just basically all open source offices working together to build the tooling that we basically need, because we couldn't find anything on the market that actually works. And eventually we moved to the Linux Foundation, under ACT. But yeah, so we're a license and security tool originally; now we do security and also we do other things as well, basically what is vital to do good open source management, for all purposes, basically.
E: Excellent. Well, welcome; hopefully you'll be returning many times in the future.

H: And do we have this...

E: Well, we won't be right here, but we'll be near, we'll be adjacent to here in the future when we have our silver spacesuits and flying cars. Any other new friends that wanted to say hello?

J: Hi, I'll introduce myself. I came last meeting but I was having some technical difficulties, so I couldn't say hello, but my name is Abby and I'm a graduate student at the University of Kansas, and I'm working on some research with Lorenzo regarding aggressive bug reports. So I look forward to attending and learning, helping when I can.

E: All right, I am going to defer, if it's okay with the group, our conversation about our charter, since we have a special guest today that wants to come talk about SPDX. So is that okay with the group, if we defer talking about the charter till next time?
E: The one thing I did want to talk about before we get to our special guest is we did a Doodle poll trying to find a little bit better time, so we could have some more folks from different time zones participate in this call, and the voting is in, and I am pleased to announce, with an overwhelming majority of eight votes, we will be moving this call to 11 a.m. Eastern Standard Time to noon Eastern Standard Time on Wednesdays.

E: That way, we'll be able to pick up a couple of friends from EMEA, most notably Marcus from SUSE. He really was anxious to participate, so I will work with Jory to get the meeting invite changed, and per Jonathan's suggestion I will see if we get the meeting notes added to that calendar invite. Any questions about that?

E: And if we need to, we still have the option, if we have folks from APAC that are super interested in participating, to schedule alternating calls. But for the time being, the majority of folks that participated stated they wanted to go Wednesdays, 11 Eastern. All right, without further ado, I will yield the floor to Thomas, who wants to talk about SPDX defects. Welcome, Thomas, and please take it away, sir.
B: New machine, still fixing things; it should work now.

B: All right, so yeah, I'll talk a little bit about SPDX and what we've been working on. I don't know how much people know originally about the history of SPDX, basically, but originally it came out of the license compliance world, where people wanted to share,

B: exchange information about license obligations, like which licenses are found in regular source code, which licenses are applicable, what do you need to do to basically comply with your obligations. So it was basically a machine-readable format to exchange that, so that if a vendor produces something, they could just produce an SBOM, an SPDX one, with it, and then basically the consumer would know exactly, like, okay, if I put this piece of software in my software, then this is what I have to put in my open source notices. Over time it basically has evolved.

B: So now this is a license, and now we're adding also security references. But in the current version that's out, currently version 2.2,

B: basically you can't. You know, technically you can, via comments; it's a little bit hacky. But now what we're doing is we are making a new version, 2.3, where we're adding security references, and I'll show the current proposal that's currently being discussed. And in parallel we're also working on SPDX 3.0, which is a complete overhaul of the spec, where we're really enabling many more scenarios.

B: The biggest change, basically, in 3.0 is that we're going to go to a setup with profiles, and then we have different working groups for different profiles. So in 2.x, basically, it's one thing at all: you have licenses and that's all; you cannot make an SBOM without license information. Well, technically you can, you can set all the fields to "I have no opinion", which is kind of SPDX "makes no assertion", but you have lots of additional data that, basically, you don't need.
B: If you want to communicate vulnerabilities, you can add the optional licensing profile, or you can add, say, the provenance profile, which is basically a profile where the idea is that you can track every step of how software is being built. All of the information, you can record it. So that's similar to, I don't know if people are familiar with, in-toto. And then there's also a usage profile that's being developed in Japan that's kind of describing the type of software that you're dealing with. But yeah.

B: So what happened was there's lots of discussion on 3.0, and so the idea was actually to switch earlier this year already to 3.0, but there's so many discussions, so many new features that people want to stick in, so 3.0 is kind of delayed. So at some point I was like, no, no, no, no! I need to ship stuff.

B: Now I have lots of my users that want to communicate security information, so I'm just going to patch up the 2.x with a minimum thing that we can use to communicate security info. And so it's still under discussion. You're now basically seeing the discussion; we're going to have a three-hour workshop, actually this week, to hopefully finalize the proposal before we're gonna officially post it, but you're gonna get kind of a sneak peek. This is literally the live document that we're working on.

B: I said why; that should be pretty much obvious, but they said it's kind of a patch. It's not going to be the perfect one-size-fits-all solution; this is a patch where we just want to convey some information, and it's better than nothing. And so what we're going to do with our current proposal: in SPDX there's a concept called external reference, so this is kind of a link to something else. I have included in the proposal two examples.
B: So, for instance, here there's an external reference where you can add a link, for instance, to a CPE 2.3 type, and here we have another one, an additional reference to a purl. I don't know if people are familiar with package URL, but you can basically, yeah. This is another way.

B: This is kind of a... purl is a concept kind of like a universal identifier for packages, which is actually a major, major problem. So the current proposal, and I'm going to skip some of the other wording, is to add a new external reference which is based kind of on OSV with a slight twist on it. We're taking some of the bits from OSV, but an absolute minimum, and that's basically what we're proposing to add, so soon.

B: If people in this group are familiar with OSV, because I think it's now OpenSSF, we basically took "advisory"; we're adding a new one called "disclosure"; there's a lot of discussion on this one. So the actual descriptions are still being hashed out this week, but the advisory should be pretty much clear. Disclosure,

B: this is how it applies to our products. So again you have the vulnerability, and then you have another document that says, like, okay, but this is the impact on my product, or not impacted, all that stuff, and it's just gonna be linked. Then we have "fix"; this is just, hey, here's the fix for the particular vulnerability. And then we have "url"; that's basically if it's none of the above. So if you want to put anything, so in OSV this is called "web",

B: if I remember correctly. And so yeah, there was a lot of discussion about this. Most people want to just have a URL, but from the open source community, and also from the tooling side, where I'm also an ORT maintainer, we really wanted to have extra options where you can spread more information. So this is kind of how that would look, with an example in SPDX in the JSON format.
B: To make adding additional package identifiers to your SPDX file kind of... well, we can't make it mandatory, but I had a strong recommendation to do this. Again, the problem is there are various tools; each tool will make their own format of SPDX identifier right now. What if you basically get security info from your vendor? How do you cross-match it with your own systems?

B: And so now, normally we have CPEs and we have purls. But again, these fields are optional in the SPDX package, and we cannot make them mandatory without breaking backwards compatibility and stuff. So we're just going to add: if you add security information exchange in your SPDX file, we strongly recommend adding these identifiers to them. There is some kind of, also, again, I understand why people don't include them, because basically a CPE you can't compute; you need to have a database basically to do cross-matching, but hopefully we'll, well...

B: The problem of a package identifier is still not 100 percent solved, but at least we're trying to add them, so if people want to do their own lookups it works a lot easier. We had many other options that were being discussed, but there's a whole list in this document. Let me see if I can find one of these here; there's a whole table. So again we had all other options, with even more VEX and other stuff. But what we're now trying to do...
A: I have a quick one. Even though I've been attending the meetings, I haven't been paying a lot of attention in the meetings, so full disclosure on that. So this is not going to be pushed up to ISO as part of the ISO standard yet, correct? Because...

A: So 2.2 is, but 2.3, is that going to get pushed up and update the ISO standard?

B: Actually, I would have to double check, but my presumption was that we would, because it's such an important thing to add security vulnerability information, even as a temporary fix. And, well, I mean, I say temporary fix, but we have lots of SPDX users that basically have their own homegrown solutions, so for them to upgrade, a jump to 3.0 will maybe take them one or two years, and for them making the jump to 2.3, where they add again to an existing field two other types, is much easier for them to implement.

A: Okay, yeah, I think that word "assume" is pretty dangerous, especially considering the amount of, I mean in general, but especially considering the amount of work here. So, because I just happened to have them open, because I needed that link, I will add this to the agenda for the defects call this week.

B: You're welcome. Oh, so we added it in the way how we did this the last time. So going to ISO is a lot of work, but the document generation was kind of set up in an automated way. I spent too much time doing that work so that we will be set up when we go to ISO again; it would just be a few presses on the buttons and the engine would spit out the documents again, basically.

A: Okay, I will defer to anyone and everyone else who has questions about SPDX and how it might interact with this working group.
E: While you're thinking about it, I was curious: how would you foresee this working with an initiative like VEX, vulnerability exchange?

B: Oh, you're going to dangerous... I feel we have lots and lots of discussions about VEX. So it's in this proposal; the current proposal is that we just link. With the disclosure document you can link to a VEX document, or actually there's multiple things, like there are other formats as well, so we have CSAF, which integrates VEX, and all other stuff. So for 3.0, and again this is where the major work for me is going to start, is how we can, if we're going to harmonize.

B: If yes, how are we going to harmonize? But for 2.x, right? I'd say we're just going to make it a link to any type of document, and the spec is not aware what type of document you're sending, so any tool that parses the SPDX document would just make it a link and say you can get more information. In 3.0,

B: the idea is that we would actually figure out a way how we can actually embed it in the spec so that you can actually use it. But again, the way it's going to look: is it a CSAF document that, for instance, embeds an SPDX document, or is it an SPDX document that links to a CSAF, or are we going to go like what CycloneDX did, where CycloneDX basically embedded VEX into CycloneDX? Again, there are so many multiple options.

B: I could argue the other way around. So again, there are so many things and different opinions, and I'm now trying to basically bring some consensus in the group to say, like, hey,

B: this direction is what we're saying. Yeah, but yeah, VEX will definitely go in, at least, again, at least now we give you an opportunity to link to a VEX document. And there's also, and I haven't shown it here, but what you could do is, say, imagine that this is a link to a VEX document.

B: You can communicate via a comment in the external reference to tools that actually read this file that this is a VEX document, but in the last meeting we explicitly said, and there was a proposal to add a kind of particular labeling in the comments to indicate what type of document it was, and I said, and the group consensus is, we should not use free-form comment fields to convey information on what type of link it is.
E: So you brought up an interesting point, Thomas. In a past life, I worked for a very large commercial open source supplier, and at the time they were not willing to... the standards weren't baked enough to commit to producing a file format or a different format. So could you maybe talk a little bit about what the adoption of this, of SPDX in general, is, by both kind of open source projects...?

B: So the most familiar I am is basically what is my industry for my previous employer, which is automotive, and basically in automotive SPDX is basically the, yeah, the default. It also has to do with, as I said, because I work on OSS Review Toolkit, so they are all, at least all the Germans, are adopting it. Also you adopt it because, basically, it not only allows you to do, like, SPDX, but it also allows you to do basically a whole validation of the toolchain.

B: So it gives you one tool which you can use to do compliance for your internal development, but you can also do it for your vendors at the same time, and because it's all open source and because all of the open source offices in this area are basically working together on code development, it's a user-developed tool.

B: They basically, yeah, they see it like, oh yeah, we have the fitting. So, and again, because I have multiple hats on and other users also have multiple hats on, basically we try to work on the standard, so fix the standard, build the tooling, and once we have done that, next is basically whatever we can do to help, well, not say fix the community, but to make things better in the community. But what we basically recognized already years and years ago was that basically, and that's why I've been pushing:

B: oh, hang on, the standard cannot cover certain use cases, so I cannot do very basic things, because it was very much, originally, a lot of the original people were focused on embedded software. So now I wanted to do package managers, I want to do dependency trees. Oh, that doesn't really fit, so I contributed, contributed, contributed to SPDX. So now it does this. Well then, we figured out, like, okay, hang on, there's not the tools that do this; they don't really work for our use cases.

B: For me, as working in an open source office, this is like a hamster wheel. I keep on importing broken open source software and then I need to fix it, I need to clean up, and that's where I personally said, like, no, I don't want to be in the hamster wheel. What can we do to basically make things better in the community, and eventually that will also make things better for everybody? But it's a long battle.
A: So, as far as adoption, both from the open source side and from the enterprise side, especially since the announcement of SPDX as a standard, I've personally seen it grow considerably, which is part of the reason why Wipro has joined SPDX and why I spend a lot of time over there. So, you know, I definitely have some skin in this game, but I have seen a lot of growth.

A: For instance, former large employers of leaders of this group are working to get SPDX identifiers into some of their Linux distributions and to standardize that as they release things, and that's on the open source side. There's also a number of other open source projects that are working on it. The SPDX group is working with some, the SPDX legal group, as they get the cycles, because, you know, volunteers and crap like that.

A: But it is definitely moving. As far as the enterprise side of things, SPDX is being picked up by a number of vendors, and so a number of the supply chain analysis, SCA, tools out there do support SPDX as an output format. It's starting to be seen as something that's required for, you know, EO 14028 or whatever in the heck

A: that number is, because it is mentioned specifically in it, and that's gotten it a whole lot of attention, which is great; yay, go SPDX. But, you know, again, volunteers, attention; you have to be able to scale, and it only goes so far. But it is actually getting picked up quite a lot, which is nice, to have an interchange format that people can work with. There are obviously others, so you're going to have the CycloneDXs, new things like that, so it's not a competition

A: so much as just different standards, right? And that means that people get to pick whichever flavor they want and all the vendors have to support them. As we all know, that's how that works. So, Jeff, my friend.

H: As Vicky just noted, I think we're going to be in a position where we're going to have clients asking for SBOMs and other files in, you know, their format du jour, if you will, so we're gonna have to try and be pretty flexible.
B: Yeah, so this is a funny thing for us. So yes, I work on the SPDX standard, but I'm also a maintainer of OSS Review Toolkit, and as a toolkit we support both. So my co-core maintainer, Sebastian Schuberth, he has lots of interaction with Steve Springett, and so I was like, I'm overloaded already with all the other stuff; Sebastian, you communicate. It's like the psychological... yeah. So basically, from a tooling perspective, we basically support both, and so yeah.

B: We have a very good relationship with Steve, I would say. So yeah, for me, these are two standards. I actually think that both serve their own particular groups, and yeah, in some cases CycloneDX is better; in other cases SPDX. It really depends what kind of use case there is. There's not really one standard that basically solves everything, no matter what either one of us claims. And then we also have something, what is the other one, SWID, from the NVD, but yeah?

H: Seems to be aging out. And, of course, if someone decided that they were going to fix this, they would come up with a HurricaneDX, and then we'd have three that we'd have to support.

B: Yeah, yeah, so yeah, it is what it is. Basically, it's like the, well, again, one of the other major observations.

B: So I do a lot of talking in the community because of all of my roles, and also with a lot of big companies, and they're like, oh, we just want the SBOM, just there. So the whole SBOM discussion, yeah, is the executive order, but in reality this whole thing is, even though I'm now doing this for a couple of years, the whole discussion is really, really in its infancy state.

B: No, neither of these standards has really won, and I get companies that I talk to, because I do some consulting and other stuff and people ask me a lot of things, like, oh, we want to do this, and think of it... We're now over the stage that, yeah, tools can produce an SBOM. The biggest problem, and this is why we also develop our things over here, is the quality of this SBOM: what can it actually detect and how is it formatted?

B: So we started basically developing our own open source SCA tooling, because basically we figured out that a lot of things were missed, and if you want to create a high-quality SBOM, you need something that you can highly customize.
B: Even now, after all these years, yeah, we know we cannot recognize everything. So what we built in our toolkit is we have an option that you can specify an additional SPDX file for things that are not automatically detected, because you don't want to know how many times I figured out, like, oh, hang on, yeah,

B: this is actually a Java project, but hey, they are compiling OpenSSL here and then they're making a Java library embedding it. But of course OpenSSL is C code; C code does not have a package manager, so you cannot automatically detect it. Then people are like, oh yeah, then I built these large databases with fingerprints of source code and then I can recognize the version.

B: No, you can't, because guess what? It's open source code; it gets forked a lot, forked a lot and altered. But the funny thing is, and this is for me, do something: have you talked to the actual developer? Because he probably knows exactly which version or variant or fork of OpenSSL they stuck in the code, and yeah, they probably have recorded it on some wiki page or issues somewhere else. What if we just give them a way to just record this into the codebase?

B: So then, when we scan their code, it picks up the SPDX file and it knows exactly: oh, they got this C code from this website and this is the exact version. So we don't need to do all of this massive database. And so for us it was like, yes, we built a tool that solves our problem that we had in our enterprise, but we want to give this to the open source community. The open source community does not have the compute to scan hundreds of thousands of open source projects.

B: We want to offer something that solves the problem, and for us the solution is a bigger open source tool. And we also quickly realized, we thought eventually, it is like two years, and we often see new tools popping up that do software composition analysis and all that stuff, and we see them pop up and half a year later they are dead, because this field is way, way more complex than people

B: think. It really is a long-breath marathon battle to get this done, and that's also the other thing that we're looking at in SPDX now for 3.0: we need to get... we have the standards, but how do we get it in a way that, if we see stuff in code, a particular dependency tree, how can we align that?

B: How you should use the standard so that, no matter what tool you use, if you're scanning a Node package, you always get pretty much the same SPDX. There might be differences in licenses, there might be differences in what security vulnerabilities are detected, but at least we know that the dependency tree is the same, and hopefully the package naming and all the other stuff is the same. Because now, one of the things that we wanted to do originally, we were kind of naive, we're like, oh, we take all of this open source...

B: That's why consuming SPDX, where you actually consume the dependency tree or even the security information from another tool, is really, really difficult, because each tool basically does it in their own way. And that's why for 3.0 we are now like, okay, well, we kind of need to go there, where we need to give guidance on how this should look. Again, we can't fix this for 2.x.
B: This is where, at least on the open source side, where we have under LF, we have something called ACT, so we basically work together with our, well, I say sister open source projects, like Tern. So SPDX, OSS Review Toolkit, Tern, FOSSology, all of the open source projects basically in this space, and ScanCode, we all meet and talk to each other about how we can basically collectively work together, and that's how we basically also help SPDX become better, because it's tooling and standard people all talking together to see, hey.

E: I had the great pleasure to meet Allan Friedman way back at the beginning of 2016, so I have been aware of the SBOM challenges for a very long time. It's very complex, Thomas, as you've expressed.

E: So what can this working group do to help further your message, to get more maintainer adoption or get more awareness within the industry? How can we partner with you on this?

B: Well, yeah, awareness is good. I think the biggest challenge, and that's kind of my hat, is help with the 3.0, and especially I'm looking for input from the open source community. I have enough vendors at the table, like the security vendors at the table; I have all of them on, pretty much. I can...
B: Literally, I'm looking for more input from the open source community. So again we have very interesting discussions, like how do you do security vulnerabilities for, let's say, Docker. So the problem: what does that come out of? Again, this is why we built it. The problem that we commonly see, and that I see a lot of vendor tools do, is kind of a best-effort approach where, oh, we matched it against the database;

B: whatever you find, that's what we report to you. And again, I am in automotive, but I also have a good relationship with the medical world. Doing a best-enough effort for creating an SBOM for a medical device is simply no. It may be a pacemaker; we need to know what actually is all the software that's in there. There can still be some unknowns, but we cannot have, like, oh yeah, we did the kind of best effort,

B: we had five minutes to do it. The level of compliance is much, much, much higher, but software is really, really complex. So how do you do that translation? So this is where we're looking at the community, like, how do we do it? What does the standard look like? Most security standards are also devised for the enterprise use case, so they have really big... If people are familiar with the CSAF standard, it's a really, really, really, really big document.

B: This is why, when, what is it, Russ Cox from Google, he pinged me, I think he's also normally in this group, on what he was working on, and I read that; that's like, yeah, this is something I can work with.

B: Instead of that, if it becomes a standard that's basically only an enterprise standard... Because for me, the real solution is building things for the open source community, because they're really the source where things are being created. It's not done in the enterprise; again, the real source is the open source community. We need to make a standard that is easy for them to adopt, where they can easily, if needed, write a library in a couple of weeks in their favorite language.

B: And then, yeah, when the big battle is going to happen with CSAF and all that other stuff, I probably would love to have some people that I can just ping and reference and get the input. So yeah, I was actually thinking maybe to join this group. I need to see how my schedule... This call is currently at 10 p.m. in the night for me, oh.
E: I was mistaken; I thought we had an amazing opportunity for you, but checking my email, I was wrong about the date. The Linux Foundation is putting on a summer security conference in Austin, Texas, in the States, and they created a whole sub-conference called the Global Security Vulnerability.

E: And unfortunately, the call for papers just closed, but that might have been a good opportunity to do a birds-of-a-feather to say, hey, I would like to talk about how we can get better collaboration or better engagement with SPDX and work on the next version. That would have been potentially a great opportunity to get developers and actual non-vendory folks helping out. I...

E: The conference, if anyone's interested in going, is in the meeting notes, but unfortunately the CFP just closed.

B: Yeah, unfortunately it's also COVID and I cannot fly into the U.S.

E: All right. Oh good, you're back. There were no additional comments or questions, so I want to thank you for coming. Hopefully this will be a habit and you'll be able to join us more frequently.

E: I think this is something very definitely of interest to the community and something that we can help talk about and help raise awareness on and hopefully contribute to.

E: We will next time talk about the charter, so please take a moment to look at that issue and, if you have any comments on it, get them in. And I wanted to thank Jory. She got our repository set up for our next project, which is the security researchers working with open source maintainers, a coordinated vulnerability disclosure guide. So that stub is out in Git, and I will populate the strawman, or the document, and that way people can start submitting pull requests and whatnot and comments on what's there.

H: Just thanks, Vicky, for all the speedy typing, and CRob, thanks for leading the parade. Oh.

E: Glad to do it. We will talk to everybody in two weeks, but we'll be moving the meeting time to US Eastern morning, so 11 a.m. Eastern will be the new meeting time. I'll get Jory to adjust the meeting invite and get that sent out to everybody.