From YouTube: SLSA Biweekly (January 19, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
C
Looks like we haven't had anyone join the past couple of minutes, so I think we get started. Welcome everyone, happy 2023. If I haven't seen you, as a reminder, please record attendance in the meeting notes; I think I put a link in the chat. I think everyone already saw that he's here. I think it looks like not in people, and also that will abide by the things Foundation code of conduct.

I think I recognize all these names. I think I recognize everyone, okay, and we could get started with updates from the special interest groups. I could go first for the specification: we are planning to tentatively have a release candidate for the 1.0 spec, both of like the levels and the provenance, optimistically the first week of February.

And then hopefully mark it stable after a significant review and editing period, I think no earlier than the end of February, but realistically probably sometime in March, and, you know, once we get it finalized. The idea is that we'll kind of like time-box our release candidates and say we're going to cut it now, but the stable release, so we'll mark it as final only once we're actually confident and we think it's good, the thinking being that what people really want is a stable, good release. And so, if we do a release quickly of 1.0 and then follow up with 1.1, it won't actually satisfy what people want, which is like they just want it done so they can work and implement it. And there's two things going on.

One is the spec itself. There's two, four, there's a couple pull requests out now; I didn't link to them in the meeting notes, notes about verifying systems and verifying artifacts. Those are the last major pieces to be added to the spec. There's certainly a lot more writing to do, like the threats page isn't updated yet and there's a bunch of to-dos and clarifications, and we have to address some of the items that were listed on the project board on like clarifications, but the core bones of what is there I think is mostly there, and so the plan is by the end of the month, by the end of January, we should have at least all submitted, so people could review it and start to, like, you know, internalize these concepts and see if they resonate and they work well, and we have time to edit it as needed. And then the provenance 1.0: similarly, we have a pull request right now. It's not submitted yet, but I'm hoping to submit it hopefully this week. It is definitely not decided; there's some open questions there around like what's the best design, because there's, at least in my opinion, no obvious best design, but what we want to do is have it submitted so that way people can easily review it and add comments and start to implement it in like a proto, you know, implement prototypes, and so we can get better feedback.

Yeah, I think those are the main things on the spec side. Feel free to jump in if I missed anything. Anyone?

E
Hey Mark, so for the first item, I did bring up in the last SLSA meeting of the year, I also brought it up in the SLSA specification meeting, and then we also talked about it yesterday in the Supply Chain Integrity working group meeting, about more communication, more collaboration within SLSA, within the Supply Chain Integrity working group. And so for SLSA specifically, kind of like what FRSCA, Mike, Mike who's on the call, they have a roadmap for 2023, right? I would like to see SLSA have a roadmap as well.

Obviously 1.0 was part of that, but, okay, what's after that, right? What are we trying to aim for, so that way we all can kind of go towards that vision from a tooling, from a positioning perspective. So that's kind of the first piece, and then as part of that, one of the things for positioning is that Laurent brought up in passing was about conferences for 2023, right, so that yet is another roadmap item as the SLSA community.

What do we want to participate in as a group, not necessarily as individuals for our company but as the SIG leads or as a group? Which conferences are we going to try to target submitting talks to? And so we've started doing that, brainstorming for the SLSA group to say: okay, we want to have a SLSA for beginners. We want to have a what's new. We want to have a lab, right, and submit it as a SLSA group.

I mean, I can drive it, right, so yeah, I... It's just we got to do it, right. It's kind of my point, so I'm hoping, I think many of you agree. So it's more of the buy-in. Let's, let's just do it.

F
Yeah, I think two things to follow up on on the conference part. One is I think we should definitely reach out to the chairs and those who are putting on the conferences, just to make sure that we could potentially have some time associated specifically for SLSA, right, as opposed to necessarily being to compete with everybody else who's submitting talks, because this is similar to, let's say, how the CNCF has maintainer tracks, where, you know, projects like ours could have, you know, a handful of talks that are just allocated, and then we get to choose as we see fit. And another reason for that is the way that, you know, LF, or at least most LF project rules work, oh sorry, LF conference rules work, is that if you give a talk, like, you're only allowed to give one talk at a conference, and for a lot of folks who might be interested in, let's say, helping out with SLSA, might be a little bit less inclined to if they find out, like, hey, actually, you know, from my standpoint: I want to give a talk on this thing and I want to submit a talk there, but I can't do both.

So that's something that is, you know, whereas in the CNCF at least you can give a talk, like, you could give a talk that's your own talk on whatever you want to do in open source, as well as a talk on behalf as a maintainer on a, you know, CNCF-related project. So I think some of those things would be useful to just sort of get ironed out, and I also know that there's a million different...

Okay, so from the tooling side, the main things I think we're focused on right now is trying to hit 1.0, and it's been a little... We haven't had a ton of attendance the past few weeks; I'm hoping to kind of bring that back in the new year. The main things are, and I'll add this into the, oh, okay. Thanks, Melba, for adding it in. So the main things that we're looking to try and do: the big one is any projects that have a short sort of release cycle. So this is stuff like underneath the SLSA GitHub org itself, stuff like the SLSA GitHub generator and so on, those sorts of things.

It would be nice to see if we can get those pretty much as soon as possible ready for the draft of the 1.0 provenance spec, just so that, you know, we can kind of show some examples to some folks on how they might implement it and so on and so forth, and also help potentially roadmap or get on the roadmap for some other projects that have a longer release cadence, like Tekton, which is a big, Tekton Chains, which supports v0.1 and v0.2 of the provenance spec, making sure that they're at least aware of, hey, here's this draft. They might not be willing to sort of implement the draft if the draft is going to only be around for, let's say, a couple of months, whereas they might be more, you know, pushed for sort of just being ready for the full-fledged 1.0 when it's ready. But just those are the things I think we're kind of a bit focused on.

Secondarily, we're focused on still working with some of the different ecosystems and projects about maybe building out some either examples or documentation around what we believe should be supported, or like the best practices around distributing SLSA metadata, because I know this has been a talk in the past, or we know that there's been a talk in the past of, like, a lot of folks who, let's say, run different packaging ecosystems are like, hey, if we were to distribute SLSA provenance, should it be part of the package? Should it be part of an API that's associated with the package? How should this work? And I think some of that might prove to be useful, even having some, like, you know, a simple, like, API example or something like that. So those are, I think, the main threads. Bruno, I don't know if there's anything... Oh sorry, no, it wasn't Bruno. It was Eric who was talking about something else. Never mind.

C
Thank you. I saw there's a thing by Laurent here, but he doesn't look like he's at the meeting, so we'll skip that, and is Ozer right here? Looks like Ozer is not here as well, so I think I'll just move that to the next time and I'll... Oh, Michael, yeah.

F
Oh yeah, so I do know that one of the things that Laurent had brought up, this is in Slack chat, was potentially something like a SLSA con, and if that makes sense. And I think, I know personally I think there's more than enough conferences. That's just my opinion, but I think that there is something valuable there of, like, especially for gearing up for 1.0, and this is something I forgot to talk about when Melba was... so it might still be worthwhile to have something like a pre- or post-1.0 webinar or something like that, or like a virtual SLSA day where, like, hey, we are releasing 1.0 or we've just released 1.0, and you want to know stuff like, here.

B
Just to underscore something I thought was interesting: you know, helping with the verifying build systems PR, it seems like there might be some sort of interest around creating an attestation spec for verification of the build system, which I thought was kind of neat, so just want...

F
Yeah, no, I agree with you there, Aaron. A few of us have been looking at, for example, for GUAC, integrating something like that sort of attestation, so that you could associate all builds associated with that, like, sorry, all SLSA provenance that has that listed as potentially like a build ID or builder ID or builder, whatever, can, you know, so folks can go and say: oh, this has been certified, like, self-certified, or it's certified by a third-party auditor. Okay, cool, I know that I trust, like, I transitively trust all SLSA provenance that is based on this, that comes from, you know, this sort of questionnaire or whatever. Support the other thing, actually, that's related there: I don't know if anybody's heard anything back regarding the SLSA conformance stuff. I know a lot of folks are starting to ask a lot of questions, especially with the questionnaire PR and some of the other stuff that's been getting sort of spun up there, where I know a lot of folks are just like, hey, what's kind of the status of that? I don't know if anybody has that.

I could definitely follow up. I believe Kim and there was somebody else who were helping lead that up, so I can reach out.

C
Okay, it sounds like that's it. I wonder, actually, should we make this just a 30-minute meeting instead of 60 minutes? It seems like the last several sessions we've only used 30 minutes.

F
So I was just gonna say, actually, one of the things I would just be interested in is, I'd love if, like, because what we used to do was, like, usually the first 30 minutes would be stuff like this and then usually the last 30 minutes would be somebody giving a demo of how they implemented SLSA and some of that stuff, and I'd be curious to know if folks are, you know, interested in some of that, doing some of that again. I know we're interested in demoing off some of the stuff we've done with GUAC plus SLSA, to sort of show how you can sort of integrate all those pieces together, but we're also not sure which, what's the best meeting anymore to sort of show that. Often, is that SLSA tooling, is that more of a SLSA positioning demo, because it's kind of like combining a bunch of different pieces, or what?

A
Yeah, thanks, yeah. I think, I think, I mean, Michael does raise that interesting point. I think with the split of so many meetings now, we have, you know, a meeting for tooling and specification and so on, that we may not need the whole hour for the general meeting, but that's just my two cents. Someone else, go ahead, please.

B
I guess I can repeat myself from chat, so I would, I vote to try to keep this meeting an hour and focus any of those sort of like demos from the different SIGs into this.

F
Yeah, I like that idea, Aaron, and I don't want to volunteer Melba, but Melba, I wonder if the positioning meeting, like, if the positioning group can help with, like, maybe helping organize some of that stuff, like, you know, making sure that folks know, like, hey, there's a SLSA, there's a monthly SLSA meeting and we're always looking for demos, and, you know, that sort of thing.

E
I mean, yeah, I don't mind doing that now. I am curious how that will play out if we're up, up, I forget what Josh said yesterday, upvoted or something like that. They're talking about moving positioning up to Supply Chain Security, oh.

If so, if that, or Supply Chain Integrity rather, so if that happens, then there's only two, specification and tooling, right, and then this meeting, right. So again, I'm more than happy to keep doing that until that happens, but I don't know, once, if that happens, what do we, what do we do then?

C
Yeah, I think that makes sense. So then the SIG meetings would be about more, like, kind of nitty-gritty topics of, like, working through the details, and this is just a more general interest meeting, and we just happen to not use up the time, but it's useful to have the slot available. Okay, sounds great, all right. Thanks for clarifying, everyone.

Okie doke, all right. Well, it was good seeing all of you, although I think I've seen most of you in the same meetings, and we'll see you again in the next meeting, or talking over GitHub or on Slack or at the next community meeting. Bye, everyone.