►
From YouTube: SLSA Bi Weekly (October 27, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
A
Thanks
for
coming
everyone,
if
you
as
always,
if
you
could
add
your
name
to
the
attendance
list
and
the
meeting
notes
which
I
just
sent
on
the
dock,
and
a
reminder
that,
by
joining
here
today,
you're
agreeing
to
buy
by
the
links,
Foundation
code
of
conduct,
I,
think
there's
quite
a
few
people
out
at
kubecon.
But
we
have
I
think
enough.
People
to
to
still
have
quorum
to
attend
and
we
could
also
give
updates.
A
C
A
A
A
The
other
second
major
area
is
verification
which
is
we've.
The
proposal
we
haven't
implemented
yet
is
splitting
in
between,
like
how
you
verify
a
particular
system,
such
as
a
build
system
which
is
like
a
manual
process
and
that's
the
the
conformance,
probably
something
to
do
with
the
conformance
program.
If
you
remember
from
previous
meetings
that
was
presented
and
then
something
around
how
we
verify
individual
artifacts,
so
the
idea
is
that
you
verify
a
systems
once
it's
a
kind
of
a
manual
intensive
process.
A
C
A
The
order
of
like
dozens
of
build
systems,
let's
say
but
then
hundreds
or
thousands
or
ten
thousands
or
hundreds
of
thousands
of
packages
that
are
built
using
those
systems
and
so
explaining
all
of
that
and
kind
of
defining.
It
is
this
this
second
major
area,
the
third
major
area
is
around
refining
the
existing
requirements,
and
these
are
like
the
various
things
that
are
confusing,
like
what
does
scripted
build,
mean
isolated
service
generator.
There's
various
questions
around
those
and
so
addressing
them
is,
is
listed
here.
A
There's
some
amount
of
work
around
improving
the
model
and
terminology
defining
Source
defining
package,
defining
better,
defining
Builder
Etc,
also
showing
having
a
picture
shows
up.
The
Builder
generates
Providence
Etc
and
then
the
last
major
is
around
explaining
the
reasoning
and
philosophy
and
benefits
of
like.
Why
are
the
level
structure
this
way?
What
do
you
get
out
of
it?
Where
does
this
requirement
come
from
Etc
and,
and
so
those
are,
the
this
whole
grouping
hopefully
helps
allow
people
to
dig
in
and
organize
work
and
kind
of
work
on.
A
C
A
So
there's
the
the
draft
spec
is
here
at
slash:
specs
1.0.
It's
it's
still
a
work
in
progress,
but
if
you
want
to
follow
along,
you
can
see
the
latest
changes.
The
levels
page
is
what
has
the
the
most
changes
so
far,
but
but
again,
we'll
do
a
final
review
with
the
whole
Community
once
once
we
do
all
our
all
our
iterations.
E
E
The
only
manual
command
if
any,
was
to
invoke
the
build
script,
and
then
it
goes
along
to
say
that
you
know
it
prevents
mistakes
such
as
building
from
a
client
with
with
prevents
mistakes
during
the
release
process,
such
as
building
from
a
client
with
local
modifications.
But
nowhere
does
it
say
that
it
should
be,
should
not
be
a
developer's
workstation.
E
So
I
just
wanted
to
bring
that
to
folks
attention
and
I'm
trying
to
stop
the
share
and
then
the
other
thing
is
during
the
supply
chain.
Integrity
working
group
meeting
yesterday,
it's
not
the
first
time.
It's
come
up.
It's
come
up
a
a
previous
time
where
they
want
to
level
up
the
positioning
meeting
or
the
positioning
group
to
be
more
like
a
supply
chain,
Integrity
positioning
for
a
variety
of
reasons.
E
You
know
guac
et
cetera,
how
they
all
work
together
and
then
everyone
can
use
that
diagram
to
talk
to
their
own
Parts,
but
just
wanted
to
mention
that
there's
there's
been
multiple
times
where
people
have
said.
We
should
probably
move
up
positioning
to
under
the
supply
chain,
Integrity
working
group
and
not
have
it
just
be
focused
on
salsa.
A
E
C
Mark
before
I
forget
and
I'll
say
it
here:
I
got
somebody
from
the
education
Sig
under
the
best
practices
working
group.
That's
actually
working
on
that
glossary
that
we
talked
about
and
the
spec
mean
I
I'm,
getting
them
to
come
over
to
the
meeting
so
that
we
can
build
that
connective
tissue
between
the
the
terms
that
we're
coming
up
with
and
salsa.
A
A
A
E
You
guys
are
giving
me
more
work
and
then
it
came
up
again
yesterday
and
I
mean
it
makes
sense.
I
think
my
only
concern
and
obviously
we'd
have
to
talk
about
it.
As
a
group
is
we
we
don't
want
it
to
become
cumbersome
because
even
right
now
with
something
with
smaller
scope,
it's
hard
to
just
get
something
out
because
of
the
differing
opinions
and
and
Etc.
So
when
you
add
scope,
that's
going
to
complicate
matters
worse
and
we're
already
a
small
group.
E
D
That's
probably
the
most
cresting
positioning
problem.
We
have
right
now,
I
think
there
is
definitely
still
work
to
be
done.
Around
positioning
salsa,
generally
positioning
working
group
certainly
has
value,
but
I
think
with
the
introduction
of
SDC.
To
that
into
open
ssf,
it
seems
to
me
that
that
kind
of
helping
people
and
with
the
overall
comprehension
of
how
SGC,
2000,
salsa
and
fit
together
within
supplier
chain
is
probably
moved
right
off.
C
C
This
might
be
an
excellent
opportunity,
especially
when
we
and,
as
Isaac
said
you
know,
when
we
look
at
the
S2
c2f
and
what
it
does
consumption
wise
when
we
work
on
that
diagram
and
then
that
subsequent
slide
to
explain
the
diagram
and
we
and
we
put
them
up
side
by
side
across
the
whole
across
the
whole
of
the
supply
chain.
A
spectrum
we'll
be
able
to
clearly
identify
gaps
in
each
and,
of
course,
those
would
be
worked
on
in
respective
six,
but
but
for
positioning
purposes.
C
There's
no
better
way
to
to
than
to
walk
them
together,
right
and
and
Bridge
them
together
and
close
gaps
together,
and
that
could
be
done
through
through
that
through
that
up,
leveled
positioning
meeting
as
we
talk
about
them
both
and
nothing
says
that
we
can't
have
the
separate
meanings
as
well.
But
we,
when
we
take,
take
from
that
meeting,
break
off
into
the
separate
meanings
to
to
build
and
everything
else,
but
then
bring
but
then
come
back
up
to
say,
hey
this
is
where
we're
at
hell.
We
even
talked
about
a
DOT
Dev.
C
That
would
be
an
sci.dev
that
then,
would
have
the
the
individual
tabs
of
each,
especially
when
we
begin
to
answer
quite
or
answer,
questions
or
or
you
know,
have
that
problem
statement
and
then
be
able
to
identify
solutions
to
those
respective
problem
statements
through
the
dot
Dev,
so
I
mean
like,
like
the
the
thought,
can
be
expanded,
but
that's
that's
what
the
general
idea
behind
the
icon.
This
was
thank
you.
D
B
D
B
So
I
know
you
know
Mark,
actually
you
me
and
Isaac
are
not
not.
I
was
like
sorry
Sean,
specifically
or
actually
probably
Isaac
too
have
been
in
some
of
the
recent
tooling
meetings
anyhow,
so
we
could
probably
collaborate
I'm
reading
on
our
agenda.
You
know
some
of
the
things
that
we've
been
talking
about.
Is
you
know,
understanding
and
documenting
what
tools
are
generating
valid.
C
C
A
A
A
A
Going
twice,
okay,
I
think
we
could
end
early
then.
As
a
reminder,
the
next
two
weeks
are
not
on
like
wait,
so
we
switched
to
a
four-week
Cadence,
but
the
next
two
weeks
are
moved
up
a
week
early
because
of
the
U.S
Thanksgiving
holiday
and
then
the
Christmas
holiday.
So
the
next
meeting
is
on
the
17th,
which
is
in
three
weeks
and
then
the
15th,
which
is
four
weeks
after
that
and
then
the
19th,
which
I
think
might
be
five
weeks.