From YouTube: SLSA Bi Weekly (October 27, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
A: Thanks for coming, everyone. As always, if you could add your name to the attendance list in the meeting notes, which I just sent in the doc. And a reminder that, by joining here today, you're agreeing to abide by the Linux Foundation code of conduct. I think there are quite a few people out at KubeCon, but we have, I think, enough people to still have quorum and we could also give updates.
A: For anyone who's watching on the video, we could start with our special interest group updates, although I think we usually start with seeing if anyone is new to the group who wants to say hi.
A: All right, so we could get into the special interest group updates. On the specification side, we created a project board here. Actually, let me present.
A: We created a project board to show to the group, because there are so many issues on GitHub that it's a little bit hard to keep track, and so there's now this project board, which I can't easily switch tabs to.
A: That groups everything kind of by objective. So there's some top-level project management stuff around the specification itself. The marquee and final restructuring of the levels is the one major thing that was proposed for v1.0, around splitting build versus source levels, and also separating what's required of the actual main project maintainers versus the platforms that they run on, like the build systems.
A: The second major area is verification. The proposal, which we haven't implemented yet, is splitting between how you verify a particular system, such as a build system, which is a manual process, and that's the conformance, probably something to do with the conformance program, if you remember from previous meetings where that was presented; and then something around how we verify individual artifacts. So the idea is that you verify a system once; it's kind of a manual, intensive process.
A: On the order of, let's say, dozens of build systems, but then hundreds or thousands or tens of thousands or hundreds of thousands of packages that are built using those systems. And so explaining all of that and kind of defining it is this second major area. The third major area is around refining the existing requirements, and these are the various things that are confusing, like what does "scripted build" mean, "isolated", "service generated". There are various questions around those, and so addressing them is listed here.
A: There's some amount of work around improving the model and terminology: defining source, defining package, defining builder, etc. Also having a picture that shows the builder generates provenance, etc. And then the last major area is around explaining the reasoning and philosophy and benefits: why is the level structure this way? What do you get out of it? Where does this requirement come from? Etc. And so this whole grouping hopefully helps allow people to dig in and organize work and kind of work on
A: one coherent thing versus a sea of 50 issues, for example. There have also been some changes to the 1.0 branch. We have a directory, because we're not using git branches for this, that is visible on slsa.dev/spec/v1.0, which I'll add.
A: So the draft spec is here at /spec/v1.0. It's still a work in progress, but if you want to follow along, you can see the latest changes. The levels page is what has the most changes so far, but again, we'll do a final review with the whole community once we do all our iterations.
E: So for positioning, two meetings were canceled, so nothing for two weeks, and Bruno was on vacation, so we met for the first time this past week. We started off with the developer blog of, you know, why developers should care about SLSA and what it helps with, et cetera, et cetera. And while going through that exercise, we noticed some discrepancies in the level one version 1.0 description of build, and I'm going to take the screen over real quick.
E: It's just right here. I don't know if you can see my screen. So this is taken from two different web pages within SLSA, which I did put here. One talks about, you know, "all build steps were fully defined in some sort of build script."
E: "The only manual command, if any, was to invoke the build script," and then it goes along to say that it "prevents mistakes during the release process, such as building from a client with local modifications." But nowhere does it say that it should not be a developer's workstation.
E: That's a good example that doesn't get mentioned till level two, so this looks more like a level two statement. And I mentioned this one to you yesterday, Mark, about the inventory of software: we're not doing anything about it for source, but we are for build. So making this clearer would help, because if we don't, then again there's going to be that confusion, and then we won't be able to write this blog properly either. We were trying to, and we're like, well, it doesn't really seem like there's a one-to-one; there are some hiccups here and I think we need to fix some.
E: So I just wanted to bring that to folks' attention. And I'm trying to stop the share. And then the other thing is, during the Supply Chain Integrity working group meeting yesterday, and it's not the first time it's come up, it's come up a previous time, where they want to level up the positioning meeting, or the positioning group, to be more like a supply chain integrity positioning, for a variety of reasons.
E: You know, GUAC, et cetera, how they all work together, and then everyone can use that diagram to talk to their own parts. But I just wanted to mention that there have been multiple times where people have said we should probably move positioning up to under the Supply Chain Integrity working group and not have it just be focused on SLSA.
B: I was just going to quickly ask Melba about the discrepancies.
B: Is that the 1.0 spec or is that the existing one? It looks like 1.0? Okay, yeah.
B: Yeah, that'll be something good for us, for the spec group, to look at.
C: Mark, before I forget, and I'll say it here: I got somebody from the Education SIG under the Best Practices working group who's actually working on that glossary that we talked about in the spec meeting. I'm getting them to come over to the meeting so that we can build that connective tissue between the terms that we're coming up with in SLSA
C: and what's currently in the glossary, and maybe cross-pollinating, right? So taking what we have and bringing it there, taking what they have, so that all the language is the same, right? So I'm having them come over just to talk about what they're doing glossary-wise, how far they've gotten, and just to give that kind of once-over to the group in the spec meeting.
A: Great, great. And I also shared within the spec group, I think I filed an issue for it. I also created a doc as well that we could, you know, merge.
A: Melba, so the talk about kind of elevating the positioning working group up to the, oh, the...
A: Is there any progress, or, I know the topic has come up a lot, is there any decision or progress towards making a decision there?
E: No. The first time it came up, you know, I kind of joked about it and said,
E: you guys are giving me more work. And then it came up again yesterday, and I mean, it makes sense. I think my only concern, and obviously we'd have to talk about it as a group, is we don't want it to become cumbersome, because even right now, with something with a smaller scope, it's hard to just get something out because of the differing opinions, etc. So when you add scope, that's going to complicate matters even more, and we're already a small group.
E: So that's my only concern. It's not so much the work or anything. It's like, how do we make sure that we actually have tangible outcomes that we can deliver on with a larger scope? We're trying, but, you know, even with the smaller scope that we have right now, it's proven quite challenging.
D: Just on that, just to echo Melba, I think, I mean, I'm one of the people who's agitating for this kind of up-scoping of positioning, and I totally hear where Melba's coming from with respect to the scope and the work at hand and the limited resources we have.
D: That's probably the most pressing positioning problem we have right now. I think there is definitely still work to be done around positioning SLSA generally; the positioning working group certainly has value. But I think with the introduction of S2C2F into OpenSSF, it seems to me that helping people with the overall comprehension of how S2C2F and SLSA fit together within the supply chain has probably moved right up to
D: the top of the stack in terms of overall positioning work priorities. But I'm chatting with Melba and JLo today and we'll continue looking into that.
C: Yeah, I stepped away for a couple of seconds, but to echo both Melba and Isaac: you know, with the narrowing of the scope of SLSA into its respective tracks, right, the build track and then the source track,
C: this might be an excellent opportunity, especially when, as Isaac said, you know, when we look at the S2C2F and what it does consumption-wise, when we work on that diagram and then that subsequent slide to explain the diagram, and we put them up side by side across the whole of the supply chain spectrum, we'll be able to clearly identify gaps in each. And of course those would be worked on in the respective SIGs, but for positioning purposes
C: there's no better way than to walk them together, right, and bridge them together and close gaps together. And that could be done through that up-leveled positioning meeting as we talk about them both. And nothing says that we can't have the separate meetings as well: we take from that meeting, break off into the separate meetings for build and everything else, but then come back up to say, hey, this is where we're at. Hell, we even talked about a .dev.
C: That would be an sci.dev that then would have the individual tabs for each, especially when we begin to answer questions, or, you know, have that problem statement and then be able to identify solutions to those respective problem statements through the .dev. So I mean, the thought can be expanded, but that's what the general idea behind it was. Thank you.
B: So, I know, you know, Mark, actually you, me and Isaac are not, not... I was like, sorry, Sean specifically, or actually probably Isaac too, have been in some of the recent tooling meetings anyhow, so we could probably collaborate. I'm reading on our agenda, you know, some of the things that we've been talking about: understanding and documenting what tools are generating valid
B: to start to document that and point some of those ecosystems to the right spot if they're off the mark. And then also we're kind of specifically looking at attestation distribution and discovery, still kind of poking at that and trying to figure out what direction we want to go as...
A: Okay, I think that's it from the SIG updates. Are there any other topics? We don't have anything else scheduled for today. Are there any other topics that people would like to bring up or discuss?
A: Going twice. Okay, I think we could end early then. As a reminder, the next two weeks are not on, like, wait, so we switched to a four-week cadence, but the next two are moved up a week early because of the U.S. Thanksgiving holiday and then the Christmas holiday. So the next meeting is on the 17th, which is in three weeks, and then the 15th, which is four weeks after that, and then the 19th, which I think might be five weeks.
A: Basically, these were kind of one-off moves, as opposed to regenerating the schedule. So either way, we'll keep this notes doc as the official thing for what the next meetings are, and the OpenSSF calendar also has calendar invites that we'll keep in sync as well. So I just want to remind people.