From YouTube: SSCS Working Group Meeting - July 31, 2023
A: We just got done with 16.2, so we just released the keyless signing, which is a really huge milestone. I think that's going to unblock a bunch of other improvements in the future.
A: I know. We've got Aaron working on the UI for the container registry to show that it's signed in the container registry, because right now that experience is really, really poor: the signature is not correlated at all with the image itself, and that's something that we definitely need to improve for anybody to use it without having to go manually verify the images themselves.
A: So that continues to be a priority. I think it would be good for Aaron to continue working on that. The next highest priority, though, on the list is this idea of automatic signing, or having signing integrated into the GitLab runner, specifically for build artifacts. Eventually we want to do it for everything, but we want to start with build artifacts first, since that's the easiest; we don't have to contribute into another open source tool to make that happen.
A: So that definitely is an objective, but I think that's going to take some time, since there are still some architectural things to work out with the runner team on all of that. So that still is a high priority, but I don't know that it's really ready to go into development. I would say the objective for 16.3 would probably be to get it through...
A: We'll call it refinement or, you know, planning breakdown, I don't know what you want to call it, but get that ready for development, essentially. That would be my objective for that for 16.3.
B: There I think we're going to have to work first with the runner team to make sure that it finally is going to work, because, you know, if we create a whole implementation plan, that work is going to be for nothing if it's not acceptable for the runner team in terms of architecture and performance and whatever other concerns they might have. And so I think that we really need somebody from that group to help us with refining the implementation plan.
A: I agree, I think that would be ideal, to have somebody from that team. It's just going to take a little bit of time to make that happen.
B: Okay, so in the meantime, there's a couple of follow-up issues from the keyless signing that Ali had that I'm planning on finishing. Aaron's also going to keep working on the container image signing. Yeah, I definitely don't want to pull him off of that, because he spent a lot of time getting acclimated with the registry code base and stuff. And there's also another thing that came up, and that's figuring out keyless signing for self-managed. Like, I...
B: ...think, probably, that the addition we already delivered in 16.2 for the keyless signing would probably already work with the self-hosted Sigstore stack. But I haven't been able to figure out how to actually set up a self-hosted stack to test that and find out, so I'm kind of wondering where that would fit into the priority list.
A: So again, I probably need to refine the priority list a little bit to get more clear. Let me go see what's there, but essentially I view the priorities as: priority one is still automatic signing of build artifacts. Even though it's priority one, we may not be able to make a ton of progress on it this milestone, but that would take priority over anything else.
A: So as much as we can move that forward, let's prioritize that. And then the second one is what Aaron's working on, UI verification of container images. And then I think we decided to slot in... we finished what's currently listed on our priorities page as priority three, but we also have some follow-up issues, and I think we just slot those in there, the keyless signing ones, and I think the self-managed would fall in with that as well.
B: I just want to kind of look and try and schedule some of the issues that we have. So this is what we currently have on the milestone for 16.3. There's some of the stuff that Aaron's working on for the registry, like implementing the OCI 1.1 referrers spec, which will help us with storing signatures.
B: Then I have this follow-up work from keyless signing, and then I have research for self-hosted.
B: So that's what's there right now for the stuff that's on the backlog.

B: We actually don't need this for the Sigstore step, and I'm concerned about the security of implementing this, so I'm leaving it up to...
A: So right now, at the technical level, we're using the user who triggered the pipeline; we're using that user's OIDC identity to generate the JWT token, correct?
B: Yes, that's right. So the background on this issue: this is kind of like a nice-to-have. The idea is that you could... Sigstore could...

B: Agreed, yeah, that basically solves the security concerns, where you don't have every single job being able to access the token. And still, if Sigstore can use this environment variable automatically, you don't have to configure cosign to use this; it automatically detects it. So I think this essentially solved the use case that we were looking for.
A: Yeah, that sounds good, I guess. One thing I question, though, is whether we want, in the long term, to continue using the user's OIDC identity, and instead whether we want the GitLab runner who is doing the build to have its own OIDC identity. We would basically be certifying that, you know, we inputted this .gitlab-ci.yml file, here's the repository that we pointed to and such, and this build artifact was the thing that came out the other end, and, you know, we don't know...
A: We may not have full insight into exactly what build scripts were called, but we can certify and say this build artifact was produced and built on a GitLab runner. Whereas if we use the user's OIDC identity, it seems like they could potentially use that same identity, whether it's through this API or in some other way, to build something on their local machine and sign it.
B: So I think that the identity of the user shouldn't even matter. There are claims; the signature data has a bunch of claims in it that you can check, and so what you're checking shouldn't even be who signed the artifact. It should be part of the claims, like what project did it come from, what branch was it built from, stuff like that. So I don't think it really matters which identity was used; it's the claims in the signature data which are important.
A: Okay, anyway, sorry to derail on that. Back to the board. What you have in there looks good to me. Do we need more work for 16.3, or is that enough to keep us busy?
A: Yeah, I mean, it seems like that might take a while, and so the other thing we could do is move on to either priority four or priority five and start refining those and create issues for those. So that might be another option. Or if there's a way you could help Aaron with number two and speed that up, I guess that could be a thing too.
B: So I'll focus on this stuff, and then, if I find that I'm able to finish all of it, then I can search for some other stuff to pull in, like as a stretch goal.
A: Great, okay. So I just added a point number three here: I personally need to figure out where we're at regarding commit signing. I know we had a community contributor who added a whole bunch of work. I know you added a bunch of work as far as SSH signing of commits.
B: I did see that someone from Source Code was working on having Gitaly automatically sign commits with SSH when you make commits in the web IDE. I think he finished that, I'm not sure, but it looks pretty neat.
A: And then we also have this issue which another community contributor helped with, talking about, like, you know, web IDE commits or automated web commits should be PGP signed. And yeah, this is what you're talking about. This was blocked on getting it into Gitaly. I'm not a hundred percent sure what the status is on this, so that's something I need to go figure out, just to see where we're at. And then we also have this issue...
A: ...that's on our backlog, which is support keyless commit signing with gitsign. I think they're all closely related. There are some advantages still that you pointed out here to using gitsign anyway, and also Billy pointed out a few advantages here as well.
A: So I'm not sure, though, if this work is blocked and dependent on the Gitaly work, or if this is separate from that Gitaly work. Or, I guess, I'm struggling to figure out just how much work is required here. Is this potentially something that could be a quick win that we could just do really easily, or are we blocked on Gitaly, or, like, I...
B: Also, we were planning on doing the container image signature first, because the commit signature code is very old and it's not structured in a way that's very maintainable. So it's very hard to add new signature methods to it.
B: So I've been involved in the Sigstore community, in fact, and I've asked in there about a Ruby library already, and there are people in the community who are interested, but the Ruby version of Sigstore got stalled out, for a variety of reasons, is what I've heard; I didn't press for detail. But so there's a few people who are interested. It's just I don't think anybody has the capacity to work on it, but Sigstore, the company, I think, does not maintain any Ruby code.
A: I have talked with some others in the past who were interested in funding work that might help us further our objectives, especially if it was in conjunction with Chainguard and Sigstore. So since we're posting this publicly on YouTube, I won't mention who they are, but I have been in touch with some others in the past who are interested in helping fund that. Let me reach out to them and see. This seems like something that might be a good project candidate to be funded by that group.
B: Yeah, okay, that sounds great. I do think that if we decide to write our own Sigstore Ruby library, we would need some help from Chainguard or from somebody in the Sigstore community with figuring out the technical details, because the nitty-gritty signature verification is difficult.
A: Okay, thanks. That makes a lot of sense. Okay, that's all I have for now. Did you have anything else to discuss, then?
B: ...got a FIPS-certified runner, and so we went back and forth a bit on how to create a FIPS-certified version, and we were like, let's do SSH signatures, because those are in the standard library and FIPS, I believe, so Igor implemented that. And I think there's one follow-up issue open to implement the same thing using GPG, but I think the automated commit signatures are already in production; they're already in the product, so I think it's done.
B: So I'm not sure. I would suggest asking Igor or the PM for Source Code; I don't remember who it is, because [unclear] got promoted, right? Not the PM anymore. But yeah, I would ask them. I only know about this because I reviewed one of the merge requests for Igor.
B: Time... sounds good. I might be going to help him with that. I do think I didn't completely finish the refinement for that, so there's still a couple of issues that we need to create regarding certification, yeah, and that's going to... we're gonna run into the challenge with the Sigstore library when we get around to that, so yeah.