From YouTube: SSCS Working Group Meeting - September 25, 2023
A
All right, welcome to our weekly software supply chain security meeting. Aaron, looks like you've got our first agenda item today.
B
Yes, and thank you for picking this up. So I have been working on the registry updates as they're related to enabling the signature information to make its way to the front.
B
I had some discussions with the registry team and I've gotten a lot of help from them on making sure that we're working on the right things. Actually, one of the parts that I had originally planned was enabling the OCI referrers API on the registry side, and we had some back and forth about that, and we realized that that is not a necessary part of what we're working on at this time, because what I've done so far is to get the subject's digest, which is, when a signature is pushed into the registry...
B
The subject field is a digest, a reference to the actual image that that signature applies to, so we're working on exposing that information. So we can push that information now to the registry; we're updating the tags API in the registry to expose that, so that it can be used on the Rails side, and then we can use that to make the updates to the UI. That's my understanding.
B
So far, so I had a look back at the remaining issues that we had under that epic, which is the user experience for this. There's been a lot of other discussion; I'm sure I've kind of been... like I said, it's a broad project and I was trying to focus on getting my part of it done, but the other issues, I had listed these out sometime last month in this epic.
B
So we know what we're working on. There are... after we've got the registry work done, which should be within like the next week or so, I'm...
B
Looking at the next three that are on that list, the first one is the verification, which you kind of mentioned later, Sam, about what needs to be done there and, like I said, it seems like it's a fairly complex issue. I have a lot to catch up on how that's done, so yeah, I kind of was thinking that that might be a pretty heavy thing to solve at this time.
B
Sorry, I'm watching you update the notes in the agenda while I'm talking through this. So the next couple of issues there were kind of taking that verification information from that process and then caching those results so that we don't have to keep looking them up. I don't know if these issues, as they are, are kind of up to date with what we expect in terms of getting the UI changes done.
B
So I thought we might talk through that and just see what specifically we're looking at in place, so that we can get what needs to be delivered for 16.5 in terms of the front end. So...
A
Any thoughts? I probably haven't done the best job in communicating this, but because the verification piece is effectively blocked right now, we're just de-prioritizing that and then I'm going to keep working on that separately, but I would expect it could be a full year before we're unblocked here. So, for all intents and purposes, we're just going to move that to the backlog and instead, for this epic, we should focus only on associating the container image with the signature and showing whether or not it is signed.
A
But we're not going to make any attempt at verifying that signature right now, and that's because Sigstore doesn't have a Ruby library and there's some pretty lengthy discussion there.
A
But long story short, we're looking at trying to get the community to fund some Rust bindings for the Sigstore library, so that you can just call those Rust bindings from Ruby directly, and that way we won't have to maintain a whole separate Ruby Sigstore library with its own set of bugs and vulnerabilities and maintenance and everything that comes along with that.
A
So I have a proposal that I'm circulating right now with a bunch of people from all over. So we're talking about it with one of the RubyGems maintainers, we're talking about it with one of the Homebrew maintainers, because they have a vested interest in this as well, and then I've been talking about it with some people who might potentially fund the project, and we have a contractor potentially lined up to go and build the work if we can get the funding, so I'm just trying to connect all of these pieces.
A
But even once that happens, it still is going to take time to build those Rust bindings. And so that's why I say a year, because between all of the work to get the funding lined up, get the contractor hired, get on their schedule and then actually do the engineering work, it's probably going to be a while.
A
So don't worry about anything related to verification for now. The biggest thing that we're trying to solve for at the moment is the fact that in the UI, the signature shows up as a completely separate line item from the original container image, and short of going on your local machine, pulling up a terminal, running docker pull and pulling down all of those signature files manually, opening them up and inspecting them to try to cross-correlate them...
A
You have no idea which signature goes with which container image, and that's the biggest problem we're trying to solve at this point with the given scope. So if we can even just associate the two so that it's one line item and I don't have to go digging to figure out which signature happens to be that, that'll be enough to close this out for now.
C
So those three issues you've gone through there, we've already moved them into backlog and blocked for now, but I don't think that there are any issues for the non-verification part and just aligning those signatures. So we might need to create some new issues for the Rails side to get that bit of work done, so that we can then get into the front end work which is relying on that.
B
Okay, yeah. Thank you for walking through that. I guess the next follow-up question I would have would be, once the changes to the registry are complete, like I said, getting very close, and that we know we're kind of taking a different route than what was here before...
B
It sounds like the only missing piece, then, is on the Rails end, to have something there to turn that data into some kind of association, so that it can be pulled from the front end, and I don't know that we've really gotten any more specific than that, so I'm guessing we'll have to kind of work out some more detailed requirements on that side.
B
I'm just thinking ahead at this point. Forget about another week or so of work on the registry. But if anyone has any thoughts on what I can provide to make that easier, I'd be happy to hear it.
C
Yeah, so I just added a link to the conversation in the epic which Daniel and Brian have been having around the required structure for the front end. So that'll give you a good idea on what is required on the Rails side. Obviously, you just need to create whatever issues you need to get that work done.
D
Yeah, I was just thinking, like, there's some sort of digest. Is that like some base64-encoded data that we can decode for the user? Because basically I linked to the npm provenance blog post, and in there you can see that they're showing some of the certificate extensions, like source commit, build file, and then they'll link to the transparency log. So I was wondering if we could do something similar to that.
B
Yeah, I'm a lot less familiar with the specifics of that, so I understand if there are different ways implemented.
B
What I've been working on is adding the part of the OCI spec that allows us to add a subject field to a manifest, which is basically: you push an image to the registry and then you push the separate manifest for...
B
And the subject field of that signature manifest points back to the original image. That is, as far as I know, specifically what information we're going to be exposing in the tags API in the registry. So yeah, I'll make sure that I'm right about this, but as far as I know, it's really just going to be exposing that digest that points back to the original image, so I'm...
B
Assuming that from that we can form those associations that the front end will be able to use. If...
B
...specific in there, I'll make sure that I'm taking that into consideration.
D
So it basically tells us that there is a signature for this image, but yes, yeah, I think we should check on if we can try to expose some details about what signature it is, like some way to basically get the certificate or link to the transparency log, which shows details of the certificate. That would be nice.
B
That is an idea. Like, the actual signature object is stored in the registry, so... I don't want to over-promise anything, but my understanding is that the registry will expose the signature itself, and any metadata will be in the manifest that is pushed along with the signature. So...
A
Yeah, that makes sense. So on the UI side, this is the demo that Daniel put together, and obviously, if we're not verifying, we couldn't say if it was invalid or not, so we'd have to change this part on the front end. But basically, up front, it would either be signed or it would not, right, and it would show that badge on the outset. And then, if you go to expand it, it opens up and it shows you all these details, and then if there's more than one signature...
A
We just list all of those out, and again we couldn't validate it. So just either it's signed or not. So it would probably just remove that badge there, but there would be this "view details" button, and when we created the original mocks, we didn't know what data you could or couldn't surface, so we just dropped stuff in, but presumably whatever data you can show about that cert, if there is like a base64 string that you can decode for them...
A
Ideally, we just drop that in here, and ideally there'd be like a button somewhere in here too to download the signature, so they could go verify that independently, but any of that manifest data or metadata or anything that's there. You know, I mean, ignore the actual text that's in here; it's just for an example, but ideally we'd be able to show all of that here once they click on that details button.
B
Yes, yeah, this is exactly what I was trying to get to, but sure, we'll have a lot more back and forth on the specifics of what needs to be exposed there, but this is a very good start, because we're definitely capable of doing this at this point.
A
Yeah, right now I think Daniel's just using all mocked back-end data, so it might be helpful just to coordinate with him on the structure of the data that you'll be sending from the back end. If you can fit it to the schema in the format that he's already expecting, that's great, or if you need to make changes, just coordinate with Daniel.
B
Yes, yeah, that's perfect, and it's great that's already worked out, because I think that, from the point when the registry work is done, all that's kind of left is that bridge in the Rails back end, so we can kind of connect those two ends. So...
A
Okay, so then this gets us... and let's see, Ally, did you have anything else to discuss on your point?
D
No, nothing else from me. I think I missed Daniel's demo, so thanks for showing that; it makes a lot more sense now.
A
All right, so then, our last, my last question is just to check in on expected timelines. Where does this put us? I think Daniel on the front end is nearly done as soon as we can get him the back end information. So where does this put us as far as our projected timeline for actually delivering this whole feature?
B
Yeah, well, that's another reason why I wanted to clarify this, because now that we've kind of understood what's going on, I feel a lot more confident in getting this done within 16.5. I plan on getting the registry work done by the end of this week. The one issue that's been taking forever, it's just because... there's just a lot.
B
I've been getting a lot of good comments, but that was very close to getting through review and being merged, and then I have the next issue, which is exposing the referrer info in the tags API. I would expect I will have that done this week, and so from that point, we'll just be piecing together the Rails back end work, so that Daniel can finish what he's working on, and so I think that's pretty much it for this.
A
So yeah, who has the action item then to create those issues for the API changes that we need?
A
Okay, yeah, that sounds great. Well, I don't have anything else to discuss today then. Does anyone else have anything they wanted to bring up?
C
Just quickly, based on the time frame Aaron just went through, it probably will slip to 16.6 just based on that. So just to make sure we're aware of that.
A
So, if there's any way I can help with that, or anything that we need to do to help streamline that, if we have any ideas, let me know. I understand if it is going to be 16.6, but it would be ideal for a lot of reasons if there's any way we can pull that in.
B
I think it's going to depend on getting the updates made in the tags API, because at this point I'm not exactly sure how that currently connects, because we're going to be adding information to that, and so I'll have to take a look at how we're currently bridging that data into the Rails side of things.
B
So I would say that has to be in place first. But I will have a much better idea of the scope of that within the next couple of days, because I'm going to start working on that issue probably right away.
A
At the moment, not much. Yeah, I mean, if there is any way that having others come in and help would de-risk it for 16.5, I'm open to exploring options there, whether Charlie might be interested in coming and helping or somebody else; even Brian may be able to help with this as well. We could check on that too. So, if there's any way to parallelize it or de-risk it or pull it in for 16.5, I'd love to see that happen.
B
Yeah, I was just going to say I will update daily on where we are. If we find vectors where people can help in other areas, or we can split off some of this work, I'll just keep throwing out anything that I see that might be helpful there.