
Supply chain security: Expectations vs Reality #987

Closed

Description

Description: We ask for supply chain best practices, SLSA, SBOMs, all that information, so as to ask the question: does my software have a secure supply chain? But is that question just a pipe dream? Or can we break it down into tangible questions that we can tackle?

Impact: Being able to provide direction on what policies we want to create will help inform the data we need to produce and inform the models of attestation in the supply chain ecosystems.

Scope: Probably a month's work collecting ideas and writing them down.

Working Doc: https://docs.google.com/document/d/1_7ZDL1TtFEA4dfR3oaaVRLoWNcqthNN5h-G84y4ITkA/edit
