►
From YouTube: SLSA Biweekly (January 19, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
C
C
C
C
Looks
like
we
haven't
had
anyone
join
the
past
couple
of
minutes,
so
I
think
we
get
started.
Welcome
everyone
happy
2023.
If
I
haven't
seen
you
as
a
reminder,
please
record
attention
in
the
meeting
notes,
I
think
put
a
link
in
the
chat.
I
think
everyone
already
saw
that
he's
here.
I
think
it
looks
like
not
in
people
and
also
that
will
abide
by
the
things
Foundation
code
of
conduct.
C
I
think
I
recognize
all
these
names.
I
think
I
recognize
everyone,
okay
and
we
could
get
start
with
updates
from
the
special
interest
groups.
I
could
go
first
for
the
specification
we
are
planning
to
tentatively
have
a
release
candidate
for
the
1.0
spec,
both
of
like
the
levels
and
the
provenance
optimistically
the
first
week
of
February.
C
And
then
hopefully,
Market
is
stable
after
a
significant
review
and
editing
period,
I
think
no
earlier
than
the
end
of
February,
but
realistically
probably
sometime
in
March,
and
you
know
once
we
we
get
it
finalized.
The
idea
is
that
we'll
kind
of
like
time
box
or
release
candidates
and
say
we're
going
to
cut
it
now,
but.
C
The
the
stable
release
so
we'll
mark
it
as
final
only
ones
we're
actually
confident,
and
we
think
it's
good,
the
the
thinking
being
that
what
people
really
want
is
a
stable
good
release.
And
so,
if
we
do
a
release
quickly
of
1.0
and
then
follow
up
with
1.1,
it
won't
actually
satisfy
what
people
want
which
is
like
they
just
want
it
done.
So
they
can
work
and
implement
it
and
there's
two
things
going
on.
C
One
is
the
spec
itself,
there's
two
four
there's
a
couple:
pull
requests
out
now:
I
didn't
link
to
them
in
the
meeting
notes,
notes
about
verifying
systems
and
verifying
artifacts.
Those
are
the
last
major
pieces
to
be
added
to
the
to
the
spec.
There's,
certainly
a
lot
more
writing
to
do
like
the
threats.
C
We
should
have
at
least
all
submitted,
so
people
could
review
it
and
start
to
like
you
know,
internalize
these
Concepts
and
see
if
they
resonate
and
they
work
well,
and
we
could
we
have
time
to
edit
it
as
needed
and
then
the
Providence
1.0.
Similarly,
we
have
a
pull
request
right
now.
It's
not
submitted
yet
but
I'm
hoping
to
submit
it
hopefully
this
week
it
is
definitely
not
decided.
There's
some
open-ended.
C
Some
open
questions
there
around
like
what's
the
best
design,
because
there's,
at
least
in
my
opinion,
no
obvious
best
design,
but
what
we
want
to
do
is
have
it
submitted.
So
that
way,
people
can
easily
review
it
and
add
comments
and
start
to
implement
it
in
like
a
Proto,
you
know
Implement
prototypes,
and
so
we
can
get
get
better
feedback.
C
E
Hey
Mark
so
for
the
first
item,
I
did
bring
up
in
the
last
salsa
meeting
of
the
year.
I
also
brought
it
up
in
the
salsa
specification
meeting,
and
then
we
also
talked
about
it
yesterday
in
the
supply
chain.
Integrity
working
group
meeting
about
more
communication,
more
collaboration
within
it's
also
within
supply
chain,
Integrity
working
group
and
so
for
salsa,
specifically
kind
of
like
what
Fresca
Mike
Mike
who's
on
the
call.
They
have
a
road
map
for
2023
right
I
would
like
to
see
salsa
have
a
road
map
as
well.
E
Obviously,
1.0
was
part
of
that,
but,
okay,
what's
after
that
right,
what
are
we
trying
to
aim
for
so
that
way
we
all
can
kind
of
go
towards
that
vision
from
a
tooling
from
a
positioning
perspective.
So
that's
kind
of
the
the
first
piece
and
then
as
part
of
that,
one
of
the
things
for
positioning
is
that
Laurent
brought
up
in
passing
was
about
conferences
for
2023
right,
so
that
yet
is
another
roadmap
item
as
the
salsa
Community.
E
What
do
we
want
to
participate
in
as
a
group,
not
necessarily
as
individuals
for
our
company
but
as
the
Sig
leads
or
as
a
group
which
conferences
are
we
going
to
try
to
Target
submitting
talks
to?
And
so
we've
started
doing
that?
Brainstorming
for
the
salsa
group
to
say:
okay,
we
want
to
have
a
salsa
for
beginners.
We
want
to
have
a
what's
new.
We
want
to
have
a
lab
right
and
submit
it
as
it's
also
a
group.
C
D
E
C
F
Yeah
I
think
two
two
things
to
follow
up
on
on
the
the
conference
part
is
one
is
I
think
we
should
definitely
reach
out
to
the
the
chairs
and
those
who
are
putting
on
the
conferences
just
to
make
sure
that
we
could
potentially
have
some
time
Associated
specifically
for
salsa
right,
as
opposed
to
necessarily
being
to
compete
with
everybody
else,
who's
submitting
talks,
because
this
is
similar
to
let's
say
how
the
cncf
has
maintainer
tracks.
Where
you
know,
projects
like
ours
could
have.
F
Oh
sorry,
LF
conference
rules
work
is
that
if
you
give
a
talk
like
you're
only
allowed
to
give
one
talk
at
a
conference
and
for
a
lot
of
folks
who
might
be
interested
in,
let's
say,
help
being
out
with
salsa
might
be
a
little
bit
less
inclined
to
if
they
find
out
like
hey.
Actually,
you
know
from
you
know
my
standpoint:
I
want
to
give
a
talk
on
this
thing
and
I
want
to
submit
a
talk
there,
but
I
would
you
know
and
I
can't
do
both.
F
So
this
that's
something
that
is
you
know,
whereas
in
the
cncf
at
least
you
can
give
a
talk
like
you
know,
you
could
give
a
talk.
That's
your
own
talk
on
whatever
you
want
to
do
in
open
source,
as
well
as
a
talk
as
on
behalf
as
a
maintainer
on
a
you
know,
cncf
related
project,
so
I
think
some
of
those
things
would
be
useful
to
just
sort
of
get
ironed
out
and
I
also
know
that
there's
a
million
different.
F
F
F
It's
thanks,
Melba
for
adding
it
in
so
the
the
main
things
that
we're
looking
to
try
and
do
is
the
big
one
is
any
projects
that
have
a
short
sort
of
release
cycle.
So
this
is
stuff
like
underneath
the
salsa
GitHub
GitHub
org
itself,
stuff
like
the
salsa,
GitHub
generator
and
and
so
on
those
those
sorts
of
things.
F
If
we
were
to
distribute
salsa
Providence,
should
it
be
part
of
the
package?
Should
it
be
part
of
an
API?
That's
associated
with
the
package:
how
should
this
work
and
I
think
some
of
that
might
might
prove
to
be
useful
even
having
some,
like?
You
know,
a
simple,
a
simple
like
API
example,
or
something
like
that,
so
that
that's
those
are
I,
think
the
main
threads
Bruno
I,
don't
know
if
there's
anything
I,
oh
sorry,
no,
it
wasn't
Bruno.
E
C
B
B
F
Yeah
no
I
agree
with
you.
There
Aaron,
a
few
of
us,
have
been
looking
at,
for
example,
for
guac,
integrating
like
something
like
that
sort
of
attestation,
so
that
you
could
associate
all
builds
associated
with
that,
like
sorry
all
salsa
provenance
that
has
that
listed
as
potentially
like
a
build
ID
or
Builder
ID
or
Builder.
Whatever
can
you
know
so
folks
can
go
and
say:
oh,
this
has
been
certified
by
like
self-certified
or
it's
certified
by
a
third
party
auditor.
F
Okay,
cool
I
know
that
I
trust
like
I,
I,
transitively
trust
all
salsa
Providence.
That
is
based
on
this
that
that
comes
from
you
know
this
sort
of
questionnaire
or
whatever
support
the
other
thing.
Actually,
that's
related
there
that
that
I
I
don't
know
if
anybody's
heard
anything
back
regarding
the
salsa
conformance,
stuff,
I,
I
I
know.
F
C
C
F
So
I
was
just
gonna
say.
Actually
one
of
the
things
I
would
just
be
interested
in
is
I
love
if
like,
because
what
we
used
to
do
was
like
usually
the
first
30
minutes
would
be
stuff
like
this
and
then
usually
the
last
30
minutes
would
be
somebody
giving
a
demo
of
how
they
implemented
salsa
and
some
of
that
stuff
and
I'd
be
curious
to
know.
F
If,
if
folks
are,
you
know
interested
in
some
of
that
doing
some
of
that
again,
I
know
we're
interested
in
in
demoing
off
some
of
the
stuff
we've
done
with
guac
plus
salsa,
to
sort
of
show
how
you
can
sort
of
integrate
all
those
pieces
together,
but
we're
also
not
sure
which,
what's
the
best
meeting
anymore,
to
sort
of
show.
That
often
is
that
salsa
tooling,
is
that
more
of
a
salsa
positioning
demo,
because
it's
kind
of
like
combining
a
bunch
of
different
pieces
or
what.
A
Yeah
thanks
yeah
I,
think
I,
think
I
mean
Michael
does
raise
that
interesting.
Point
I
think
with
the
split
of
so
many
meetings.
Now
we
have,
you
know
a
meeting
for
tooling
and
specification,
and
so
on
that
we
may
not
need
the
whole
hour
for
the
general
meeting,
but
that's
just
my
two
cents.
Someone
else
go
ahead.
Please.
E
F
E
D
C
Yeah
I
think
that
makes
sense.
So
then
the
Sig
meetings
would
be
about
more,
like
kind
of
nitty-gritty
topics
of
like
working
through
the
details,
and
this
is
just
a
more
general
interest
meeting
and
we
just
happen
to
not
use
up
the
time,
but
it's
useful
to
have
the
slot
available.
Okay
sounds
great
all
right.
Thanks
for
clarifying
everyone.