►
From YouTube: SLSA Biweekly (November 17, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
B
B
Too
bad
man
not
too
bad,
we
we
have
not
formerly
met.
A
Okay,
good
good
to
finally
meet
you,
so
I'm
trishank
I'm,
a
staff
security
engineer
here
at
datadog
and
I'm
passionate
about
supply
chain
security,
like
yourself.
B
You
know
the
administrative
Technical
and
physical
stuff
and
I've
played
in
every
single
played
in
every
single
part
of
of
those
throughout
my
entire
career
I'm,
a
security
principal
program
manager
at
Microsoft,
nice,
my
Rhyme
or
Reason,
is,
is
how
we
play
in
an
open
source
and
mainly
in
the
open
ssf,
so
gotcha.
A
B
This
is
this:
is
wonderful
man
yeah,
you
you
what
what
I've
been
able
to
to
see
over
the
last
eight
months
or
so,
and
then
just
the
of
that
Evolution
such
a
short
period
of
time
and,
of
course,
the
whole
year
that
has
been
the
openness
and
stuff
I.
Think
it's
absolutely
wonderful
man,
I
I'm
I'm,
so
I
I
feel
privileged
and
I
feel
I
feel
honored
every
time
I
get
on.
One
of
these
calls
because
there's
so
much
of
us
in
the
rooms
together
working
on
this
stuff.
It's
amazing.
B
Nope
I'm
in
San,
Bruno
California,
oh
okay,
okay,
my
my
team
is
scattered,
but
yeah
home
base,
I
guess
for
the
team
would
be
would
be
in
Redmond,
but
yeah
yeah,
I,
I,
work,
remote.
C
We're
gonna
give
it
a
few
minutes
for
some
of
our
folks
to
join
and,
while
folks
are
joining,
feel
free
to
add
your
attendance
to
the
meeting
notes
as
well
as.
C
Oh
I
think
you're,
adding
that
yes,
I
just
realized
yeah
so
feel
free
to
add
your
meeting,
no
City
attendance
as
well
as
anything
you
want
to
add
to
the
agenda.
F
C
Yeah
I
guess
we
could
get
started
just
as
a
reminder
if
anybody
who's
joining
now
feel
free
to
add
your
attendance
to
the
meeting
notes,
as
well
as
any
agenda
items
and
we
can
get
started
as
a
reminder.
This
meeting
is
being
recorded,
it'll
be
uploaded
to
YouTube
shortly
after,
and
your
participation
in
this
meeting
is
an
agreement
to
abide
by
the
open,
ssf
code
of
conduct
and
first
things
first
was
I'm,
not
sure,
but
is
there
anybody
new
on
the
call
who
wants
to
introduce
themselves.
G
Yeah
I'm
I'm
new
to
this
call
this
forum,
Matt
speakerman,
with
Dao
responsible
for
application
security
within
our
security
department
and
that
just
been
keeping
close
to
some
of
the
the
work
that's
being
done
with
salsa,
so
I
thought
I
would
try
to
get
a
little
bit
closer.
E
Say
hi
myself,
David
zinzian,
with
VMware
I
I
am
in
a
field
role.
These
days,
I
spent
30
years
doing
security
and
many
of
those
as
an
auditor
as
a
various
Financial
spheres
and
I've
been
following
salsa
for
a
while
now
I'm
super
excited
to
have
time
to
just
for
now,
listen
and
see
how
it's
going,
but
eventually
contribute
as
I'm
able
cool
glad.
C
All
right,
if
there's
nobody
else,
we
can
get
to
sort
of
updates
from
the
special
interest
groups
specification
Mark.
Do
you
want
to
take
that.
H
Sure
so
progress
continues
on
the
1.0
spec
work.
We've
discussed
various
topics
within
the
meetings
and
we're
making
progress
on
the
writing,
like
the
drafting
of
the
text,
but
I.
Don't
think,
there's
anything
big
enough
to
Warrant
discussion
at
this
group.
If
you
have
questions
I'm,
always
happy
to
answer
them,
there's
also
an
early
draft
of
a
1.0
provenance
format
that
hopefully
addresses
various
feedback
or
various
issues
that
we've
had
in
the
current
version.
H
It's
like
still
marked
as
a
draft
pull
request.
Don't
take
it
as
like.
This
is
definitely
what
it's
going
to
be,
but
so
far
feedback
has
been
pretty
positive.
If
you
have
opinions
or
thoughts
on
the
format,
I'd
certainly
love
to
hear
them.
H
Yeah,
that's,
basically
anyone
else's
back
meeting
I,
don't
think!
There's
you
know
looking
through
the
notes,
I,
don't
think,
there's
anything
else
that
kind
of
warrants
bringing
up
here.
H
Oh
in
terms
of
timeline,
because
this
come
up-
obviously
it's
taking
much
longer
than
expected,
as
most
software
projects
do,
the
plan
is
to
once
we
get
into
a
good
enough
state
that
is
like
readable
by
the
community
at
large.
We'll
have
a
review
period
of
I
would
say
at
least
a
month
where
community
members
can
look
at
it
make
sure
you
know
kind
of
test.
It
make
sure
it's
really
meeting
the
needs.
H
If
we
don't
have
any
major
issues,
ETC
and
then
we'll
mark
it
as
final
right
now,
the
the
1.0
thing
is
not
linked
from
the
main
site.
H
You
just
have
to
type
that
in
the
URL
bar,
because
we
don't
want
people
going
there,
because
it's
in
kind
of
a
state
of
flux
right
now,
once
it's
in
a
good
enough
state
that
people
could
actually
review
it,
then
we'll
start
linking
it
still,
calling
it
a
draft
and
then
once
we
as
a
community,
not
just
the
specification
Sig
but
or
but
the
whole
group
kind
of
the
consensus
is
that
it's
good
then
we'll
mark
this
final.
C
C
I
mean,
if
not
I
can
give
the
quick
update
from
the
couple
of
meetings
I've
been
from
the
meetings
I've
been
attending,
so
I
know
that
their
positioning
meeting
is
working
on
sort
of
a
big
blog
for
the
salsa
1.0
specification
focused
on
stuff,
like
developer
use
cases
and
and
the
problems
it's
trying
to
solve
and
really
kind
of
trying
to
highlight.
C
You
know
how
different
users
should
be
using
salsa
and
how
they
should
be
viewing
it
and
all
that
stuff,
and
it
looks
like
Melba
added
the
link
to
the
draft
of
that
doc.
Of
that
blog
feel
free
to
take
a
look
there
there's
a
few
other
things
that
I
believe
had
have
been
pushed
off.
C
For
now,
one
of
the
things
was
some
of
the
additional
sort
of
collaboration
between
different
other
working
groups
like
The
Cloud
native
controls,
working
group
like
to
start
doing,
mapping
of
controls
between
Cloud
native
and
salsa
and
salsa
and
other
sorts
of
specs,
but
I
believe
that's
been
sort
of
just
put
on
hold
until
it's
also
1.0
is
final.
You
know
is
finalized
as
well
as
there's
a
bunch
of
work,
that's
being
done
from
the
oscal
side.
C
That
might
be
another
few
months
before
it's
done
so
kind
of
just
holding
off
to
see
where
things
are
going
to
go
there
before
diving
too
far
in
that's
what
I
know
from
at
least
the
positioning
group
I
don't
know
if
anybody
else
has
any
updates
from
it.
B
Yeah
I'll
add
so
so,
yes
to
everything
that
that
that
Michael
just
said
also
we're
we're
due
to
have
another
meeting
here,
probably
after
the
holiday
but
Melba
Isaac
and
I
have
we've
had
our
first
meeting
regarding
position
regarding
how
how
positioned
or
how
well
positioned
and
then,
of
course,
continuing
the
deficit,
positioning,
salsa
and
S2
c2f
together.
B
So
so
those
meetings
have
have
commenced
as
well
and
and
we're
still
ironing
things
out
as
far
as
that's
concerned,
but
but
that
that
that
Falls,
in
line
with
trying
to
decide
whether
we're
maintaining
two
separate
positioning
meetings
or
if
we're
going
to
combine
in
terms
of
having
abridged
salsa
and
s2c2f
positioning,
meaning
or
or
maybe
or
maybe
do
all
three
so
that
so
that's
in
addition
to
discussions
being
had
in
the
in
the
positioning
meeting
as
well.
C
Update
there
so
that
cooling
meeting
I
can
provide
some
updates
there.
C
It's
been
a
bit
quiet
the
past
couple
of
weeks
because
of
a
combination
of
kubecon
prep,
as
well
as
kubecon,
fatigue
and
I
know
also
with
with
a
bunch
of
the
other.
Like
events
coming
up.
C
A
lot
of
folks
are
still
focused
on
those
like
this
open
source,
Summit
Japan,
which
is
in
a
couple
of
weeks,
and
then
a
couple
weeks
after
that
is
cloud
native
security,
con
the
Standalone
event
in
Seattle
and
then
like
a
month
or
two
after
that
is
kubecon
EU,
so
I
know
a
lot
of
fit
and
a
lot
of
those
cfps
are
closing
in
quite
quickly
and
I
know.
C
A
lot
of
folks
are
prepping
for
sort
of
talks
on
that
and
and
whatnot,
but
one
of
the
other
big
focuses
that
we
have
is
trying
to
also
build
like
make
sure
two
things.
One
is
make
sure
that
tools
are
going
to
be
like
a
lot
of
the
common
tools
that
we
have
are
going
to
be
ready
for
salsa
1.0,
so
we're
just
sort
of
following
the
spec
and
and
making
sure
that
you
know
once
the
the
the
spec
is
sort
of
finalized.
C
Even
as
a
draft
we
can
add
some
features
to
the
various
tools
to
make
sure
it
exports
them.
So
that's
going
to
require,
like
PR's,
to
to
some
tools
like
tecton
chains
and
and
the
various
salsa
generators,
and
all
that
also
one
of
the
things
that
was
brought
up
was.
C
We
should
be
sort
of
building
a
salsa
validator
like
even
just
like
a
super
simple
like
hey,
because
this
is
actually
a
common
problem
in
the
s-bomb
space
is
a
lot
of
the
tools
that
are
generating
s-bombs
that
are
claiming
to
be
Cyclone,
DX
or
spdx
are
actually
like.
You
know
it
mostly
matches
the
spec
and
that's
making
consumption
of
some
of
those
s-bombs
really
difficult,
because
it's
hard
to
rely
on
so
I
think
it'd
be
worthwhile
to
you
know,
really
have
something
that
you
know
can
really
enforce.
C
Enforce
it,
and
so
that
you
know
you
can
run
against
all
the
you
know,
salsa
stuff,
that
gets
generated
by
something
and
and
essentially
verify
that,
yes,
it's
a
correct
URI
for
the
Builder,
not
just
a
string
or
whatever,
because
that
sort
of
stuff
is
going
to
cause
a
lot
of
issues
for
the
tools
that
consume
it.
So
I
think
that's
one
thing
that
we're
looking
at
as
well
as
potentially
something
like
a
library
or
a
set
of
libraries
that
can
then
support
that
shishank.
A
Yeah
I
think
I
think
that
would
be
very
helpful,
but
unless
I
missed
something,
the
spec
says
that
you
may
use
the
the
in
dodo
provenance
format,
not
necessarily
so
that
might
complicate
things
a
little
bit
but
yeah.
It's
certainly
better
than
nothing.
Most
people
are
probably
going
to
follow.
Follow
the
format.
C
Yeah
yeah,
that's
true.
Sorry,
I
I
should
say
that
it's
it's
more
for
the
specification
for
the
yeah,
the
in
Toto
attestation,
format
and
yeah.
I.
Think
that's
that
that's
the
important
piece,
because
most
of
most
of
the
built-in
tools
are
all
supporting
that
as
the
format
but
yeah
good
point,
and
then
one
of
the
other
focuses
is
still
on
identifying
gaps
in
the
sort
of
just
salsa
ecosystem.
C
Like
aggregation
tools,
we
know
that
you
know
there's
some
stuff
like
like
guac
and
a
few
other
things
that
are
starting
to
come
out
there,
but
we're
still
sort
of
like
looking
at
what
else
there
is,
for
you
know
not
just
the
generation
of
salsa,
which
there's
a
lot
of
tools
that
are
coming
out
of
that,
but
also
tools
that
can
consume
salsa
Beyond,
just
like
some
simple,
like
policy
validation
of.
What's
in
the
salsa
document,
foreign.
I
C
Yeah
I,
agree
and
I
know
Mark.
This
is
something
that's
been
brought
up
multiple
times
in
the
specification
meeting
as
well.
Where
does
it
make
sense
to
say?
Maybe
something
along
the
lines
of
it's
also
one:
it's
not
required
to
use
the
spec,
but
maybe
salsa
2
or
salsa
three.
It
is
100
required,
or
do
we
still
want
to
say?
No,
no.
We
want
to
make
sure
that
it's
flexible.
H
H
You
could
also
apply
salsa
with
purely
within
an
organization
and
for
there
I,
don't
I,
don't
see
the
justification
for
requiring
that
like
if
one
company
decides
I'm
going
to
use
this
other
format
because
it
fits
our
needs
as
long
as
it
like
ticks
all
the
boxes,
it
seems
like
that
should
be
okay
to
me,
where
there's
no
interoperability
concern-
and
you
know
they
might
not
be
able
to
use
standard
tooling,
they
might
not
be
able
to
interact
outside
the
organization,
but
if
that's
what
they
choose,
it
seems
okay
to
me,
I,
don't
know
what
do
you
think.
I
So
so
I
think
it
is
okay,
I
think
they
are
setting
themselves
for
trouble,
I
mean
I'm
the
old
standards
guy,
so
I
apologize
here,
but
you
know
my
experience
is
standards
are
needed
because
there
are
plenty
of
companies
that
try
to
just
get
a
modality
approach
to
a
problem,
but
with
merge
in
that
positions.
If
nothing
else,
you
know
you
may
decide
to
set
up
on.
I
You
know
yourself
on
one
particular
approach,
but
eventually
you
you
acquired,
or
you
acquire
another
company
that
made
a
different
choice,
and
now
you
have
an
interprety
problem
anyway,
so
I
I'm
not
disagreeing
with
what
you're
saying,
Mark
I
think
it's,
it's
totally
reasonable
to
say
there
are
different
ways
to
implement
it,
and
we
should
allow
for
that.
I
do
think
that
if
we
provide
the
tools
during
the
specific
way
with
that
mandating
that
you
use
those
tools,
it
will
be
an
extra
incentive
for
people
to
use
those
rather
than
something
else
and
and
I.
I
A
Oh
I
agree:
yeah
I
just
wanted
to
add
the
point
that,
from
my
experience,
what
I've
seen
is
that
there's
often
confusion
between
the
sort
of
metadata
you
require
say,
uri's
and
stuff
like
that
and
the
formats
that
you
that
you
transport
this
metadata
in
so
I,
don't
think
I,
think
I.
Think
salsa
has
been
very
good
and
being
careful
about
saying,
I
think
that's
largely
an
intention.
I
think
everyone
wants
to
share
the
same
metadata
right
but
I
think
I.
Think
people
are
going
to
probably
transport
it
in
different
ways.
A
C
Yeah
so
two
things
one
is
I
I
agree
with
Arno
on
on
a
lot
of
that
as
well,
which
is
just
a
lot
of
I
I.
Think
by
and
large
everybody
is
using
in
Toto
anyway,
at
least
what
we've
seen
in
the
public
space
I
agree
that,
like
we
don't
necessarily
you
know,
I
I
agree
that
maybe
even
just
saying
hey,
it's
not
required,
but
all
the
tools
are
going
to
be
supporting
mostly
this
one,
unless
something
else
comes
along
might
be
a
good
way
to
just
sort
of
settle.
That.
C
I
also
agree
with
what
you
said:
trishank,
which
is
a
lot
of
folks,
are
going
to
want
to
distribute
it
in
different
ways,
especially
when
it
comes
to
stuff
like
the
envelope
that
might
be
signing
it
and
yayada
and
I.
Think
that
there's
there's
a
lot
of
interesting
stuff
there
and
I
know
one
of
the
things
that's
been
I.
Don't
necessarily
think
it's
it's
something
we
have
to
talk
about
here,
but
something
that
maybe
should
be
talked
about
in
either.
C
Maybe
the
supply
chain,
Integrity
working
group,
or
something
like
that
is
there's-
been
a
lot
of
discussion
about
an
ontology
around
some
of
this
stuff.
Right,
like
a
lot
of
folks,
are
coming
in
and
saying
hey
with
stuff
like
how
eventually
S2
c2f
and
similar
sorts
of
things
are
coming
in
and
like
how
everything
is
kind
of
going
to
be
named
and
whatever
there's
some
folks
are
are
asking.
C
There
might
be
a
lot
of
this
translation
and
I
think
we
just
kind
of
wanna
make
sure
that
we're
not
like
I
think
the
the
individual
tools
can't
support
the
entire
universe,
but
making
sure
that
it's
easily
translatable
between
and
I
know,
there's
lots
of
tools
out
there
that
can
translate
between
XML
and
Json
and
Json
and
XML,
but
making
sure
that
there
still
is
the
the
transport
format
and
protobots
and
whatever
is,
is
all
supported.
H
Yeah
I
I
guess
I
recommend
against
I'm
kind
of
on
Arno
side
in
terms
of
interoperability,
where
different
organizations
are
transmitting
the
data.
I
think
supporting
multiple
formats
is
really
confusing,
like
spdx
supports
like
six
different
serialization
or
formats,
or
something-
and
it's
super
confusing
like
I
know,
there's
good
reasons
that
they
do
that,
but
it
does
have
a
complexity,
cost
and
I
think
if
we
can
recommend
like
some
interoperable
format,
that's
like
I,
don't
care
so
much,
whether
it's
Json
or
something
else,
but
like
that.
H
B
Yeah
I
thought
that
that's
what
we
were
we're
looking
into
Oscar
I
thought
that
that
was
doubt
that
I'm
telling
you
oh,
it's
called
something
else.
I
I
thought
that
that
was
what
we
were
attempting
to
to
rectify
right,
Json,
XML
everything
they
can
all
go
into
all
Scout
and
oh
Scott's
supposed
to
be
able
to
take
all
of
those
formats
and
then
and
then
kick
out
something
that's
universally
acceptable
or
universally
can
be
universally
read
or
used
across
across
the
Spectrum.
B
Now
that
was
my
my
my
general
understanding
of
old
scholar
and
Oscar's
role
in
taking
a
lot
and
and
taking
in
a
lot
of
this
information
and
then
being
able
to
utilize
it
across
different
compliance
requirements
and
security,
Frameworks,
providing
reporting
and
and
everything
else.
So
that
was
my
general
thought
and
understanding
and
I
hope
that
that's
the
case,
because
if
that
is
the
case,
then
we're
we're
heading
in
the
right
direction.
C
Yeah,
so
so,
there's
some
elements
where
like
right
now
at
least
oscow
is
a
bit
more
focused
on
like
interrupt
between
like
not
the
formats
and
specifications
more
of
like
I
could
have
a
way
to
say
that
you
know
this
salsa
requirement
maps
to
these
three
nist
controls,
or
vice
versa,
or
like
this,
this
control
maps
to
these
two
salsa
requirements.
C
As
far
as
the
actual
I
think
there
still
needs
to
be
a
like
some
sort
of
translation
layer
where
somebody
would
say:
okay,
well,
I'm,
going
to
consume
salsa
data
and
convert
it
into
oscow
format,
because
oscow
format
itself
is
not
really
conducive
to,
and
it's
not
really
intended
for
some
of
those
things.
So
it
is
and
I
think
when
it
comes
to
a
lot
of
these
things.
This
is
where
I
think
also
a
lot
of
the
tooling
is
going
to
come
into
play
of
like
translating
aggregating
some
of
this
information.
C
You
know,
and
some
of
that,
but
yeah
I
think
like
like
I
I,
because
I
think
this
is
also
one
of
the
challenges
is:
how
do
you,
let's
say,
take
information
from
salsa,
pull
it
out
and
say
hey.
This
is
proof
that
meets
these
oscow
requirements
or
whatever
I
think
is
going
to
be
an
interesting
challenge.
I
think
it
kind
of
goes
back
to
the
thing,
though.
C
If
if
we
have
12
different
formats,
then
the
the
tool
is
going
to
have
to
support
every
tool
is
gonna
have
to
support
those
12
different
formats,
as
opposed
to
having
one
standardized
format
at
least
internally
right-
and
you
know,
if
folks
say
Hey,
you
have
some
internal
format
great.
If
you
want
to
use
this
tool,
you
got
to
translate
it
into
the
other
format.
C
I
think
is
probably
reasonable.
Yeah.
B
I
think
we
have
the
power
of
the
in
this
group
and
then
in
the
other
group,
so
at
least
those
that
are
meeting
underneath
the
openness
and
stuff
Banner
right
in
terms
of
all
the
all
the
different
Frameworks
and
specs
and
everything
else
that's
coming
out
of
what
we
do
across
the
board.
I
think
we
have
the
power
to
unify
under
under
a
specific
format,
to
kind
of
prevent
a
lot
of
that
and
create
and
create
those
bridges
and
in
parallels
to
make
things
that
are
that
are
interoperable.
B
You
know
I
I,
the
dare
I
say
I,
I
I
agree.
It
can
get
confusing
and
and
wild
real,
quick,
real,
quick.
F
J
Right,
oh
yeah,
I
wanted
to
mention
on
tooling
and
verification,
I
think
it.
If,
if
you
have
multiple
ecosystems
and
then
you
have
multiple
Builders
I,
don't
think
we
can
expect
every
ecosystem
like
npm,
pipe
pipe
pip
and
everything
to
basically
be
aware
of
the
how
to
verify
provenance
from
different
builders,
because
at
the
end
of
the
day,
it's
not
just
in
total.
It's
also
how
you
do
key
rotation,
whether
you
use
dsse
or
not.
J
For
example,
GCB
verification
looks
completely
different
from
you
know:
six
door
based
verification,
so
I
so
I
feel
like
it
would
be
you
so
and-
and
you
see
a
lot
of
efforts
already
in
the
ecosystem,
trying
to
generate
provenance
where
everyone
has
to
re-implement
six
store
for
their
own
ecosystem
that
isn't
going
to
scale
when
you
want
to
do
verification,
because
you're
going
to
have
different
builders,
so
I
think
having
like
one
utility
that
actually
understand
how
to
verify
provenance
from
different
Builders
and
making
sure
this
is
available
to
different
ecosystems,
whether
it's
through
a
service
or
you
know
whatever
it
is
I
think
that's
something
I
feel
is
missing
today.
J
I
think
we
can
tackle
it
through
the
salsa
verifier
that
we
have
if
we
can
decide
on
like,
what's
the
best
way
to
to
expose
this,
whether
it's
an
open,
ssf
service
or
it's
like
someone-
wants
to
run
it
locally
through
a
Docker
container
to
do
local
verification
but
like
if
we
could
be
in
a
state
where
every
ecosystem
doesn't
have
to
re-implement
and
keep
track
of
versioning
of
different
Builders.
J
That
would
be
very
useful
because
what
we've
seen
with
the
salsa
verifier
is
that
just
doing
GCB
there
were
a
lot
of
corner
cases.
Sometimes
they
didn't
actually
follow
the
specs.
You
know
to
the
letter-
and
this
is
going
to
happen,
especially
when
people
try
to
push
products.
Sometimes
it's
not.
You
know.
C
So
a
question
actually
because
I'd
be
interested
in
folks.
Thoughts
on
this
is
I
was
also
thinking,
because
this
is
also
a
a
fairly
common
theme
in
some
of
the
intuitive
stuff,
as
well
as
like
what
should
be.
C
Do
you
think
something
like
having
something
like
a
verifier
that
somebody
could
run,
maybe
even
something
that
would
be
a
public
service
that
could
be
useful,
but
do
you
also
think
that
we
should
have
libraries
for
verification
so
that,
if
folks,
let's
say
hey,
I,
have
a
Java
app
great,
you
could
use
the
source
of
java,
verifier
library
or
whatever,
which
would
also
probably
include
stuff
like
you
know,
would
probably
include
the
Sig
store
library
and,
or
you
know,
a
notary,
Library
and
so
on
as
well
as
you
know,
the
in
Toto
libraries,
for
that
or
do
you
think
that's
going
to
be
also
a
bit
of
a
mess
to
kind
of
maintain.
A
Now
those
those
are
very
good
questions
that
Laurent
and
and
Michael
erased.
I
know
it's
just
thinking
out
loud
here:
I
think
it
can
become
very
quickly
a
maintenance
nightmare
right,
because
the
way
I
don't
know
gcp,
does
it
and
then
there's
Java
I
might
do
it
differently,
npm
I.
Do
it
differently?
A
Python
might
do
it
differently,
at
least
for
now,
until
everyone
until
the
dust
settled
and
everyone
agrees
and
what's
what
I
think,
but
maybe
the
least
we
can
do,
is
sort
of
provide
like
a
plugable
interface
and
say:
look
we'll
take
care
of
the
basics
like
checking
the
metadata
inside
the
provenance
themselves.
Give
us
what
looks
like
a
prominence.
We
can
verify
that
stuff
for
you
and
then
we
can
plug
in,
like
modular
things
for
how
to
verify
signatures.
And
then
someone
writes
like
a
dizzy,
concrete
class
or
whatnot
right.
Does
this
make
sense.
C
Yeah,
yes,
I
I,
think
that
that
that
100
makes
sense
and
kind
of
how
I
would
think
that
this
would
hopefully
sort
of
work
right,
because
I
think
there's
like
a
couple
of
things.
One
is
the
signature,
slash
envelope,
format
and
Then,
followed
by
like
the
internal
payload
and
verifying
the
payload,
and
for
what
it's
worth.
This
is
something
that
we've
had
to
implement
ourselves
in
guac,
where
we
would
much
rather
say
you
know,
just
you
know,
give
us
arbitrary
documents.
Oh,
this
is
a
dizzy.
C
Okay,
cool
unpack,
the
you
know,
unpack
the
payload
and
figure
out
what
payload
it
is
and
then
pass
it
like
and
and
as
opposed
to
us,
having
to
now
go
in
and
re-implement
ourselves
like.
What
does
an
internal
document
look
like?
Oh,
we
want
to
just
use
the
in
total
library
and
and
in
fact,
okay
great.
It's
an
intodo
document
great
now.
What
type
of
in
total
document
is
it?
Oh,
it's
a
salsa
document
pool
use
the
salsa.
C
You
know
call
out
to
the
salsa
thing,
but
we'd
you
know
we
don't
want
to
have
to
do
the
implementation
ourselves
to
say.
Okay,
look
for
these
fields
in
this
in
Toto
doc.
You
know
in
this
predicate
in
an
internal
document
and
if
it
matches
all
these
fields,
then
you
know
you
have
a
100
valid
salsa.
We
would
much
rather
say
cool
now,
pass
this
to
the
salsa.
C
You
know
verifier,
which
is
managed
by
the
salsa
team
or
whatever
and
I
know
that
kind
of
comes
just
to
be
clear
as
I'm
talking
about
this
I
know
that
all
of
this
comes
with
the
caveat
is
every
single
new
thing
that
you
add
into
this
is
now
a
new
dependency,
which
is
now
a
new
supply
chain
issue
that
somebody
has
to
deal
with.
J
Yeah
I
think
it'd
be
great
to
have
library
apis,
but
realistically
I
don't
think
this
is
going
to
work
at
least
not
at
the
beginning.
I
mean
I
see
what
happened
to
six
store.
It's
it's
already
taking
like
one
year
to
develop
a
six
store
in
each
ecosystem
and
I.
Think
it's
also
a
verification.
You
multiply
this
by
the
number
of
Builders
and
the
number
of
versions
of
each
Builder
and
then
it
just
explodes.
J
J
But
if
they
want
to
say
oh,
you
can
build
on
GCB.
You
can
build
on
GitHub
and
and
maybe
on
Circle
CI
and
some
other
things.
Then
it's
I
think
that
that
looks
really
hard
to
scale.
C
Yeah
and
I
think
there
is
so.
H
Sure
the
I
agree
with
trishank's
comment
in
the
chat,
I
think
right
now.
A
lot
of
the
complexity
is
because
the
trust
model,
including
but
not
limited
to
the
public
key
infrastructure,
is
not
standardized
and
so
there's
you
know
each
system
does
its
own
thing
and
so
any
sort
of
code
that
has
to
support
multiple
sources
has
to
have
like
all
these
special
cases.
H
All
right
I
can
foresee
a
need
to
have
a
standardized
way
of
setting
up
this
trust
sort
of
like
we
have
SSL
and
that's
now
standardized
and
like
you,
don't
have
to
do
anything
special
depending
on
the
web
server.
You
don't
have
to
do
any
sort
of
special
logic.
H
You
just
know
you
could
do
the
SSL
and
there's
a
whole
certificate
chain
and
roots
of
trust
and
how
you
verify
the
paths
Etc
and
there's
a
standard
way
of
getting
the
certificates,
Etc,
I,
I,
think
for
Providence
and
attestations
more
generally
over
time.
H
We
will
want
to
develop
that
and
have
some
standard
mechanism
for
how
you
transmit
attestations.
What
the
roots
of
trust
are,
how
you
verify,
and
so
and
everyone
just
adopts
this
standard
interface,
and
so
that
way
it
simplifies
verification,
but,
and
it
would
be
great
to
work
on
it.
It
might
be
a
little
early
right
now
we
we
might
need
to
get
the
first
couple,
things
might
be
messy
and
then
once
we
see
what
kind
of
patterns
emerge,
then
that
might
make
sense
to
standardize
Michael.
C
Yeah
yeah
no
I
definitely
agree
with
you
on
that
and,
in
fact
actually
I
was
gonna
say
my
least
initial
thoughts
on
the
verifier
would
would
focus
a
little
bit
less
on
the
signature
piece
and
the
identity
piece
and
more
on
just
the
the
simpler
piece
of
assuming
somebody
is
giving.
You
know
an
86
salsa
predicate.
C
Is
that
actually
Matt
does
it
have
the
right
keys
and
values,
because
we've
already
sort
of
discovered
in
some
of
the
tools
some
folks
are
like
have
typos
or
misspellings,
and
so
somebody
goes
and
says
great
I'm
going
to
ingest
this
document
from
from
the
public
and
go
I
understand
why
I'm
not
ingesting
it
or
or
why
things
are
breaking
or
whatever,
and
so
what
we'd
love
to
see
is
some
of
that,
because
we've
also
seen
this
in
the
s-bomb
world,
where
a
lot
of
the
tools
are
not
actually
generating
s-bombs
that
are
valid
to
the
specification
they're
generating
s-bombs
that
are
similar,
but
don't
100
match
the
spec.
C
From
the
perspective
of
like
the
key
value
stuff
of
like
oops,
there's
a
you
know
your
thing:
doesn't
you
know
it
has
a
name
of
a
build
type
instead
of
a
URI
right
and
stuff
like
that
that
we
probably
want
to
also
catch
early
so
that
you
know
that
also
hurts
a
lot
of
the
interop
and
we've
been
seeing
this
with
some
of
the
tools
like
walk.
C
C
Another
thing,
I
think
that's
being
brought
up
in
the
in
Toto.
Space
is
a
concept
which
might
I
don't
know
if
it's
something
that
salsa
wants
to
get
involved
in
at
all.
But
it's
the
idea
of
like
a
predicate
dictionary,
which
is
this
idea
of
like
salsa,
would
be
a
predicate,
and
then
you
might
have
something
like
a
salsa
predicate,
like
people
would
potentially
have
mappings
into
internal
data
models
or
Twitter
ontology,
or
something
like
that,
which
would
then
help
with
some
of
the
the
mapping
back
and
forth
between
other
standards.
C
I
think
that's
a
significantly
longer
longer
tail
item,
but
something
that
I
know
some
folks
have
begun
to
kind
of
talk
about
like
so
that
somebody
can
say
great
I
have
all
this
salsa
data
and
something
like
oscow
great
here
is
a
mapping
of
salsa
Providence
data
into
a
combination
of
oscow
and
some
other
standard,
and
that's
still
somebody
else's
thing.
But
you
know
it
follows
a
common
mapping
pattern,
so
it
can
do
that.
K
Iron
and
just
one
thing
you
just
mentioned
as
well
around
you
know
keeping
it
really
simple
for
first
implementation
of
well
does
this.
Does
this
thing
that
was
produced
by
a
builder
or
tool
like?
Is
it
actually
the
format
and
is
it?
Is
it
what
we
expect
it
to
be?
Because
if
it's
broken,
then
a
computer
can't
even
process
it
right.
So
this
is
actually
going
to
help
the
tooling
and
Builder
platforms
and
such
with
development
and
essentially
QA
testing
right
at
the
lowest
level.
D
C
So
my
two
cents
on
it-
and
this
is
something
that
we've
been
working
on
with
with
a
combination
of
folks
in
the
cncf
guac
in
Toto-
is
short-term
schema,
validator
and
two
parts
of
the
schema
validator
one
is
an
86
validator,
just
which
would
be
relatively
simple.
It
just
checks
like
hey.
C
Do
you
have
a
list
of
subjects
and
whatever
and
then
do
you
also
have
a
predicate
and
the
predicate
is
a
valid
Json
and
then
you
would
have
individual
predicate
validators
for
each
of
those
things
you
know
so
you
know
salsa
would
be
one
I
know,
there's
a
thing
called
sky
or
something
like
that
that
some
folks
are
building
out.
C
Something
like
that.
I
think
would
be
one,
but
there
is.
There
are
some
folks
who
are
starting
to
ask
like.
Could
we
use
stuff
like
what
we're
seeing
in
the
semantic
web
and
similar?
Can
we
use
that
or
similar
ideas
to
develop?
What
Santiago
from
in
Toto
is
calling
up
and
I?
Think
some
other
folks
are
calling
a
a?
What
do
they
call
it?
A
predicate
dictionary
where
the
idea
is
we
could
have
a
bunch
of
predicates
and
either
have
a
bunch
of
ways
to
map
those
predicates
to
other
systems.
C
So
you
could
say:
okay
great
to
map
from
salsa
to
Tool
X's
internal
data
model.
It
looks
like
this
and
so
that
you
know
tools
would
not
necessarily
need
to
recompile
every
single
time.
There's
a
new
predicate
they
could
just
take
that
predicate
and
just
be
able
to.
You
know
know
that
this
is
a
mapping
to
an
internal
data
model
and
then
also,
maybe
even
longer
term,
have
something
that's
more
akin
to
and
I
know.
This
is
a
big
ask,
so
I'm
not
saying
that
this
is
like
you
know
anywhere.
C
You
know
this
is
years
off,
but
something
like
salsa
to
ontology
ontology
to
a
data
model
so
that
you
could
just
have
here
is
the
supply
chain,
security,
ontology,
and
anybody
who
supports
that
mapping
salsa,
would
say:
okay,
well
hash
maps
to
check
some
in
the
ontology
or
something
like
that
cool.
And
then
you
have
a
two-way
mapping
and
it
simplifies
certain
things.
I
know
it
brings
up
a
lot
of
other
problems,
but
that's
one
of
the
things
that's
being
discussed.
C
A
C
I
think
it's
it's
similar,
but
not
the
same.
The
idea
behind
the
typing
one
is
more
of
just
like.
Could
you
have
sub
groupings
inside
of
an
object
so,
for
example,
with
salsa
right?
You
might
have
something
like
where
you
want
to
define
a
way
in
salsa
to
say
what
I'm
expecting
here
is
a
URI
right
in
this
build
type
I'm
expecting
a
URI,
and
how
do
you
sort
of
tell
the
end
user
in
a
Json
schema
like
that?
C
Actually,
this
type
should
be,
or
in
the
Json
schema
and
the
Q
schema
and
a
protobuf
or
whatever
that
this
should
be
considered
a
URI
without
needing
to
actually
write
a
bunch
of
code
that
you
know
for
every
single.
You
know
language.
It's
something
that
some
way
of
like
looking
at
a
schema
and
being
able
to
kind
of
figure
that
out
would
be
useful,
so
that,
like
folks,
can
know
that,
like
as
an
example,
you
might
be
able
to
say
this
is
a
subject
type.
C
A
That's
that's
interesting
and
I'm
really
curious
about
a
semantic
web
stuff
there.
My
only
concern
is
that
I
think
the
w3c
has
been
trying
to
do
that
for
like
20
years.
Two
two
don't
know
well
but
I'm,
very
curious
to
see
the
latest
development.
C
This
any
further
but
yeah,
that's
just
some
stuff
that
some
folks
or
at
least,
are
interested
in
it
from
an
outcome
perspective
of
like
it
would
be
great
if
we
could
leverage
this
stuff
or
use.
Something
like
this
to
do
some
of
this
stuff,
so
that
folks
kind
of
get
that
better
interop
and
are
also
able
to
kind
of
say
great
I
can
just
if,
let's
say,
for
example,
a
lot
of
these
tools
that
come
in.
C
If
you
have
something
like
a
predicate
dictionary
and
as
long
as
it
follows
the
the
normal
predicate
dictionary
rules,
if
in
total,
if
if
salsa
generates,
when
salsa
2.0
comes
out,
if
a
tool,
if
the
total
predicate
dictionary
version
does
hasn't
increased,
then
great,
you
could
still
ingest
now
salsa
2.0,
you
might
not
have
as
deep
of
an
understanding.
You
might
be
missing
a
few
things
here
and
there,
but
you
can
still
get
value
out
of
it.
I
think
and
parse
it
anyway.
C
Yeah
as
somebody
who's
new
to
the
semantic
web
stuff
I
have
somebody
who's
really
really
new
to
it.
I've
been
reading
up
on
it
and
there's
so
much
stuff
that
I
do
not
understand,
just
mostly
just
from
I,
know
a
lot
of
it's
like
not
standard
sort
of
Json
formats.
It's
like
weird,
you
know
like
there's
a
lot
of,
but
it's
interesting
stuff,
just
to
be
clear.
It's
just
taking
a
while
to
rock
it.
Anybody
else
have
any
other
agenda
items
anything
else.
C
Oh
okay,
if
not,
we
can
end
15
minutes
early
and
just
as
a
reminder,
I
believe
the
next
meeting
we
pushed
I
think
we
pushed
up
a
the
meeting
up
a
week.
C
If
you
look
at
the
thing
here,
I
believe
so
our
next
meeting
is
December
15th
and
the
reason
is
to
we
don't
want
to
conflict
with
the
Christmas
holiday
that
a
lot
of
folks
on
this
call
celebrate
so
that'll
that'll,
be
on
the
15th
cool
and
if
there's
nothing
else
have
a
good
rest
of
your
day
and
some
of
you
all
see
Tamara
tooling.
So
you
all
see
later.