►
From YouTube: SLSA Biweekly (April 13, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
B
And
and
and
as
you
know,
you
know
you,
you
shouldn't
update
any
libraries,
because
things
could
go
wrong.
B
I
say
that
in
gesture
we
actually
usually
pretty
good
about
updates,
but
it's
a
rails
app
and
we
haven't
updated
and
there's
a
major
version
update
and
my
experience
has
always
been
there's
some
fiddliness.
So
we
dealt
with
with
we
dealt
with
it
and
off.
We
go
all.
D
A
And
I
I,
actually
just
jumped
off
I
did
there's
like
a
Verizon
cyber
investment
hour
like
applied
to
it
months
ago
and
finally
presented
just
today
about
salsa
just.
B
B
D
I
I
mean
I,
have
no
objections.
It's
just
amusing
to
watch
the
oh
impending
deadline.
B
Hate
deadlines,
but
it's
hard
to
beat
them
in
terms
of
humans,
because
otherwise,
we'll
always
and
I'm
speaking
to
myself
as
well.
If
we
don't
always
want
to
push
it
till
tomorrow,
yeah.
B
B
You
know
it
making
something
you
know
like
like
this
I
just
mentioned
this
Library
update,
the
the
main
parts
of
it
were
updated,
were
done
almost
instantly
and
the
last
10
percent
took
you
know.
You
know
far
more
time
right.
A
B
I'm
chatting
with
the
rule
really
yeah
20
of
the
work
takes
80
percent
of
the
time,
so.
B
A
B
Really
really
I
I
do
want
to
commend
Mark's
hard
work.
Really
it's
it's
awesome
to
see
we're
doing
a
big
push
to
make
people
aware
of
it
and
I
mean,
of
course
the
risk
is
hey
great.
It's
coming
to
oh
and
and
there's
more
work
to
do,
but
but
I
do
think.
Congratulations
you
know
of
where
we
are
now
is
absolutely
in
order.
F
G
We
have
something
called
Tiff's
Treats
here:
I
already
have
salsa
I,
don't
want
salsa
for
delivery,
maybe
a
cookie
that
has
salsa
written
on
it.
They
actually
will
deliver
cookies
to
you
warm
here,
I
I,
don't
know
if
other
places
have
it.
But
yes.
H
Lots
of
books
update
the
the
signals
with
the
other
positioning
and
tooling.
E
H
Okay,
it's
five
past
the
hour.
I
think
we
should
get
started
as
always.
Please
register
attendance
in
the
Minimates
which
are
just
pasted
in
the
chat
and
a
reminder
to
buy
by
the
Linux
Foundation
code
of
conduct,
which
is
in
a
link
two
inches
thanks.
Everyone
for
joining
for
our
monthly
salsa
community
meeting.
First
I'd
like
to
take
time
to
welcome
any
new
members.
If
you
want
to
briefly
say
hi.
H
It
might
not
be
anyone
there.
Well
if
you,
if
you
want
to
speak
up,
we're
always
happy
to
say
hi.
If
I
missed
someone,
we
could
jump
into
the
special
interest.
Group
updates.
I,
look
at
the
list.
I
think
most
folks
are
already
aware
of
this,
but
we
have
a
1.0
release
planned
for
next
week.
The
plan
is
to
merge
the
changes
in
Market
as
approved
on
Tuesday
April
18th,
and
then
send
out
an
announcement
on
Wednesday
April
19th.
H
Okay,
those
are
the
two
pull
requests
that
actually
make
it
Market
as
an
approved
specification
and
make
it
the
default
version.
H
We
I'm
happy
to
go
over
like
a
summary
of
what's
in
it,
but
looking
at
the
attendee
list.
I
think
most
folks
are
familiar
with
that
already.
H
But
if
you'd
like
a
brief
summary
of
the
changes,
just
speak
up
and
I'm
happy
to
do
that,
the
there's
we
got
a
bunch
of
feedback
during
the
release
candidate
process
that
is
most
of
the
editorial
in
nature.
It's
not
actually
changes.
H
Changing
the
okay,
I'll
I'll
give
a
summary
a
second.
We
had
a
long,
a
bunch
of
feedback
that
results
in
editorial
changes
that
doesn't
really.
It
wouldn't
be
a
breaking
change
to
the
specification,
and
so
in
order
to
get
something
out
the
door,
we
decide
to
release
what
we
have
and
then
kind
of
work
through
the
editorial
cleanup
works
like
there's
things
around
turn,
can
more
consistent
terminology
and
making
things
a
little
bit
more
clear.
H
So
there's
still
certainly
more
work
to
be
done,
and
then,
after
the
1.0,
the
next
major
step
would
be
creating
a
the
frame.
The
foundation
for
future
tracks
like
the
source
track,
for
example,
yeah.
Why
not
I
briefly
present
the
what's
new
page.
H
So
here
I'll
paste
it
into
chat
and
into
the
meeting
notes
and
I'll
and
I'll
present.
This.
H
Okay,
so
briefly
in
1.0.
H
Oh
no
problem
in
1.0
the
the
the
main
change
is
that
we
are
taking
what
was
in
0.1
and
deferring
the
source
track
and
the
or
the
source
requirements
and
what
was
called
Salsa
level
4
before,
because
we
kind
of
finalizing
them
to
what's
stable
1.0,
we
didn't
feel
like
we
felt
like
would
take
a
lot
more
time
like
quarters
more
work.
H
H
The
other
major
changes
are
division
into
multiple
tracks,
which
I'll
talk
about
in
a
second
simplifications:
new
guidance
on
verification
and
updated
schemas
for
our
recommended
formats.
So
in
terms
of
stability,
1.0
is
a
stable
release.
It
is
not
necessarily
one
point:
it
doesn't
Mark
like
it's
complete.
H
It
contains
everything
we
want
to
do,
but
rather
it's
a
stable
foundation
on
which
we
could
add
further
breath
and
depth
in
the
future,
in
particular
the
what
was
in
the
Old
Source
requirements
like
two-party
review
and
retention
of
source
code
is
not
currently
in
the
1.0
spec.
What
was
called
Salsa
level
four
before
hermetic
builds
is
also
not
a
requirement,
because
we
kind
of
undefined
that
level
temporarily
and
also
what
was
previously
in
the
common
requirements
are
now
more
guidelines.
H
It
doesn't
mean
they
can't
become
requirements
of
future.
Just
that
we
didn't
get
have
enough
consensus
to
be
able
to
like
solidify
that
and
call
something
stable,
that
we
know
won't
change
in
the
future.
The
other
major
change
is
tracks.
Previously
we
had
a
just
logically
one
track:
salsa
levels,
one
two,
three
four
and
everything
was
bundled
into
this
one
set
of
levels.
We
decided
to
break
it
down
into
different
tracks,
each
with
our
own
set
of
levels
that
describe
particular
aspects
of
supply
chain
security.
H
So
the
current
what's
currently
defined
in
V
1.0,
is
just
a
build
track
and
we've
defined
build
levels
one
through
three.
In
future.
We
have
plans
for
like
a
source
track.
Maybe
a
vulnerabilities
track,
maybe
a
hard
ending
track.
Something
like
that.
H
We
also
change
the
layout
to
the
core
specification.
We
improve
terminology
rewrote
the
security
levels
overview
page.
H
We
rename
what
was
formerly
called
requirements
to
producing
artifacts,
because
it's
instructions
for
the
producer
and
the
build
system
and
then
added
new
guidance
for
Distributing
and
verifying
artifacts,
and
then
some
changes
to
the
schema
as
well
having
gone
to
any
more
details
but
I
think
that's
a
brief
summary.
H
Okay
and
yeah
Melba,
you
brought
up
the
the
what
was
it
called
the
s-bomb
thing?
Let's,
yes,
can
we
we
can
wait
after
the
upstate
updates,
yeah.
G
H
All
right
sounds
good,
I'll
put
it
just
as
an
agenda
and,
speaking
of
Melbourne,
do
you
want
to
give
a
positioning
update.
G
Sure
so,
the
the
past
month
we've
Jennifer
Bligh
on
the
final
press
release
for
the
1.0.
It
was
finalized
and
blessed,
it
seems
and
it
will
go,
live
April
19th,
given
that
salsa
gas
on
April
18th
in
terms
of
other
announcements,
around
1.0
there's
been
a
series
of
blogs
that
we've
been
working
on.
Mike
created
the
breadth
and
depths
of
salsa,
which
is
now
live
separately.
G
There
is
a
Blog
that
I'm
hoping
that
we
can
finalize
put
in
a
PR
by
end
of
week,
which
is
called
build
versus
Source,
it's
kind
of
an
extension
of
the
breath
and
depth
of
salsa,
where
it
is
more
detailed
scenario
of
the.
Why?
G
Because
some
people
still
don't
get
it
even
with
the
FAQs
and
the
descriptions
so
we're
hoping
that
these
pictures,
these
scenarios
can
help
people
understand
more
about
why
we
need
different
tracks
for
build
versus
Source
and
then
there's
a
positioning
development
blog
that
we
were
working
on
late
last
year
that
we
need
eyes
on,
because
Soul
Suspect
has
changed
so
much
since
last
year
that
we
want
to
make
sure
it
still
makes
sense.
G
So
would
love
for
the
group
to
chime
in
on
that.
That
was
several
of
us
that
worked
on
that
blog
last
year
and
we
kind
of
put
a
pause.
G
Any
questions
on
that
before
I
continue
nope
so
for
the
road
map
discussion,
as
you
may
or
may
not
be
aware
of
I'm
going
to
share
this
actually
I'm
not
going
to
share
it,
because
I
have
too
many
Chrome
windows
open
and
last
time,
I
tried
to
share
I,
put
something
IBM
confidential,
so
I
I'm
not
going
to
share
my
screen,
but
there's
a
link
to
the
roadmap.
If
you
go
to
slide
three
flight
two
and
slide
three
are
almost
the
same.
G
We
were
having
trouble
myself,
Chris,
Joshua,
lock
and
Aaron
have
contributed
to
this.
We
were
having
trouble
trying
to
figure
out
how
to
define
the
priorities
right.
Should
we
do
it
based
off
of
scheduling
right
or
should
we
just
say
this
is
what
we're
going
to
do
in
order.
G
There
are
some
reasons
why
we
would
want
to
put
in
like
first
half
second
half
timelines,
because
then
people
that
need
that
type
of
information
I
believe,
like
the
package
manager
Integrations,
they
need
to
know
what's
going
to
happen
when
so
they
can
start
planning
for
it,
and
but
at
the
same
time
we
are
volunteers
and
we
don't
necessarily
hold
to
any
deadlines
and
that's
fine.
G
It
can
just
be
a
Target
but
trying
to
get
an
answer
around
that
right.
How
do
we
present
this
information
into?
Are
these
right
things
to
put
in
here
and
if
so,
what's
the
order.
I
Yeah
I've
been
thinking
more
about
this,
and
a
colleague
suggested
that
perhaps
it
could
be
useful
instead
of
doing
exact
dates
or
even
half
recorder
estimates.
We
do
something
like
we're
working
on
this
now
we're
working
on
this
next
and
then
we'll
never
work
on
this.
So
you
have
three
buckets
that
are
ordered
against
each
other,
but
not
necessarily
with
deadlines
that
we
could
miss
and
okay.
F
I
definitely
like
that
it
kind
of
flows
in
with
with
the
way
I've
seen
a
lot
of
successful
projects
sort
of
work.
Any
kind
of
Flo
follows
that.
Also
it's
slightly
different
than
you
know,
your
must
should
could
would
won't,
but
I
I've
seen
this.
That
sort
of
model
be
quite
successful
so
that
folks,
don't
constantly
say
Hey.
You
missed
the
date
on
this
thing
and
I
was
prepping
for
it,
especially
when
you
know
it's.
That's
not
the
intention.
G
A
I
So
that
it
was
Pitch
to
me
as
now,
next,
never
so
I
guess
what
we're
working
on
now
is
kind
of.
What's
coming
next
got.
E
E
G
Okay,
so
then
I,
don't
I,
don't
know
how
you
want
to
handle
this
Mark
in
in
this
meeting.
I
would
like
to
get
some
feedback
on
this.
We've
been
trying
for
some
time
to
do
it
asynchronously
and
offline,
and
we've
not
gotten
any
feedback
so
I'm,
hoping
that
we
can
kind
of
just
plow
through
this.
Now,
not
sure
if
you,
if
you
want
to
do
that
or
not.
H
H
H
That's
probably
the
reason
why
I
raise
my
hand
is
just
we
had
put
tentative
dates
in
the
original
road
map
and,
like
we
were
off
by
like
six
months
like
we
wanted
to
release
1.0
like
in
the
fall,
so
I'd
be
hesitant
to
put
any
sort
of
dates,
given
our
track
record
so
far,
sure.
F
Sure
a
couple
things
from
the
the
tooling
group
there's
a
desire
from
a
lot
of
the
folks
who
are
working
on
stuff
like
the
salsa
generator,
the
salsa
verifier.
That's
within
the
salsa
repo
itself,
a
lot
of
those
folks
work,
West,
Coast
time
or
a
few
of
them
actually
work
out
in
Asia,
and
so
there's
desire
to
have
an
APAC
friendly
meeting.
F
So
that's
something
that's
being
discussed
so
we'll
probably
do
like
an
every
other
week,
sort
of
thing:
East,
Coast,
West
Coast
with
maybe
one
you
know
a
representative
trying
to
kind
of
update
each
other
as
needed
on
on
anything
that
might
be
applicable
there,
I
believe
so
in
in
the
chat.
F
Ian
Lewis
has
sort
of
volunteered
to
sort
of
help
lead
up
that
meeting,
he's
one
of
the
folks
from
Google
working
out
of
Japan,
so
the
trying
to
kind
of
just
organize
what
what
time
works
best,
because
originally
we
were
looking
to
kind
of
maybe
make
a
time
that
worked
best
and
it
seemed
like
half
the
folks
wanted
something
that
was
APAC
friendly
and
the
other
half
wanted
something
that
was.
You
know,
east
coast
and
Europe
friendly.
F
So
we'll
we'll
just
kind
of
split
up
into
two
meetings
and
have
in
every
other
meeting
thing
also
generally,
the
right
now
I
think
because
there's
been
all
this
Focus
to
get
the
1.0
spec
out,
it's
been
quite
kind
of
quiet.
On
the
tooling
side,
we
expect
that
to
pick
back
up
once
1.0
has
been
officially
released
because
then
folks
are
going
to
start
saying:
okay
great,
where
are
all
the
1.0
compliant
tools
separately?
F
I'm
gonna
be
super
busy
for
the
next
few
weeks
between
kubecon,
which
starts
next
week
and
was
it
open
source,
Summit
n,
a
which
is
a
couple
of
weeks
after
that
so
I'm
gonna
be
super
busy
and
might
not
be
able
to
sort
of
manage
those
meetings.
So
if
somebody
can,
you
know
help
out
there
definitely
interested
in
getting
some
help
to
kind
of
help
run
those
meetings
while
I'm
unavailable.
F
Next
there
was
a
desire
from
end
users
for
fully
open
source
salsa
Builders,
not
a
lot
of
work
in
that
space.
A
few
end
users
said
Hey.
What,
if
I,
don't
use
GitHub
there
doesn't
seem
to
be
a
lot
there
and
that
desire
also
seemed
to
be
mostly
from
folks
who
were
interested
in
salsifying
their
existing
like
Ci
systems,
as
opposed
to
adopting
something
new.
H
So,
to
clarify
this
is
for
folks
who
want
to
run
their
own
instance
of
a
builder.
F
Yeah,
so
this
is
stuff,
like
you
know
you,
you
know,
there's
a
lot
of
companies
that
are,
you
know.
Let's
say
your
your
big
Enterprise
of
the
world
who
are
like
yeah
I'm,
not
using
GitHub
actions,
I'm,
not
using
git
lab,
especially
as
a
service
I'm
running
self-hosted
Builders,
and
you
know
whether
it's
I'm
running
a
Jenkins
server
with
a
bunch
of
stuff
and
it's
it's
or
I'm,
running
tecton
or
in
certain
cases
a
handful
of
folks
running
Fresca
like
Hey.
F
How
do
I
make
that
compliant
with
salsa
without
having
to
you
know,
switch
over
to
stuff
there,
and
it
seemed
like
a
lot
of
folks
were
less
interested
in
sort
of
a
pipeline
aspect
and
more
of
just
like
hey.
How
could
I
turn?
How
can
I
just
create
a
secure
Builder?
F
H
Yeah
a
related
thing
is
a
topic
that
was
recently
brought
up
when
we
added
to
the
Future
directions
page
around,
like
possibly
a
future
like
operations
tracker
similar,
because
the
current
salsa
build
requirements
are
around
kind
of
the
application
layer
like
the
behavior
of
the
application.
But
it
doesn't
say
we're
kind
of
quiet
on
how
you
run
such
a
service.
But
running
such
a
service
is
like
really
half.
H
Equally
as
important
right
and
and
so
if
you
have
like
a
fully
salsa
open
source
Builder,
but
then
you
run
it
and
everyone
at
the
company
has
access
to
it
can
sh
to
it
or
something
like
that
or
they
can
all
access
the
private
Keys.
It
doesn't
do
any
good,
and
so
so
that's
probably
an
area
where,
like
future
specification,
work
can
might
also
help
as
well.
F
Yeah
and
and
I
think
one
of
the
things
this
is
just
something
I've
been
playing
around
with,
but
in
my
like
20
sort
of
time
is
potentially
something
like
a
a
open
source.
Salsa
Builder.
That
would
you
know
it's
not
a
CI
system.
The
idea
is
you.
It
was
something
that
you
call
that
runs
isolated.
F
You
know
builds
in
very,
very
specific,
secure
sorts
of
ways
and
I'm
hoping
you
know,
maybe
closer
to
June
I'll
have
something
to
show
off
on
on
that
front,
and
so
the
idea
was.
It
would
be
something
that
you
call
from
Jenkins
or
you
call
from
tecton
to
then
run
the
actual,
secure,
build
piece
and
it's
not
intended
to
be
sort
of
a
generic.
F
You
know
task
Runner
like
like
tecton
and
Jenkins
are
so
that's
that
there
is
a
tooling
1.0
support
tracking
issue.
Just
you
know,
once
again,
there's
there's
some
a
bunch
of
folks
who've
been
looking
at
the
release,
candidates
and
sort
of
prepping
code.
So
this
is
like
folks,
like
cosine
and
and
the
various
salsa
generator
stuff
that
we've
been.
You
know,
working
with
and
some
other
tools
in
there.
F
Npm
has
a
tracking
issue
for
this
as
well,
so
there's
a
bunch
of
things
there
that
folks
do
plan
to
support
salsa
from
a
it's
a
lot
of
folks
in
the
sort
of
like
how
do
I
generate
salsa
provenance,
just
even
like
as
a
library
or
whatever.
There
also
seem
to
be
some
interest,
as
in
maybe
the
salsa
framework,
providing
something
like
a
a
go
Lang.
F
Let's
say
representative
example
of
salsa
compliant
library
that
can
do
verification,
like
sorry
validation,
not
not
verification,
like
validation
of
as
well
as
generating
of
the
spec,
that
maybe
other
tools
could
just
use
as
opposed
to
having
to
make
sure
that
they,
you
know,
apply
the
spec
correctly.
F
F
That
salsa
was
about
to
go
1.0
and
that
there's
been
some
big
shifts
and
changes,
so
I've
been
reaching
out
to
some
of
the
open
source
groups
like
kubernetes
that
have
begun
to
already
apply
salsa
and
they
do
plan
to
kind
of
bump
it
up
and
bump.
F
You
know
bump
up
compliance,
so
there
is
a
tracking
issue
for
some
of
those
projects
and
I
kind
of
put
in
there
that
one
of
the
reasons
why
we
also
want
to
do
that
is
we
want
to
help
out,
obviously,
to
help
secure
the
open
source
supply
chain.
F
But
in
addition
to
that,
you
know
it
helps
with
salsa
adoption,
because
if
a
few
folks
see
hey
kubernetes
has
adopt
the
Tulsa
other
folks
might
be
a
bit
more
inclined
to
and
in
addition
to
that,
I
think
helping
out
with
some
of
those
projects,
even
just
in
like
helping
Point
them
in
the
right
direction
and
helping
some
of
that.
We.
K
F
It
provides
us
with
the
experience
we
need
to
generate
sort
of
generate
guides
for
folks
to
help.
You
know
in
other
folks's
adoption
help
provide
content
for
that.
So
there's
a
tracking
issue
for
that.
That's
also
in
the
document
still
looking
for
more
Hands-On
keyboard
folks
to
join
the
meeting.
F
You
know,
folks,
who,
who
can
actually
kind
of
we
can
help,
coordinate
and
make
sure
that
we're
not
all
kind
of
going
in
different
directions
on
on
someone's,
salsa,
tooling
stuff
and
then
finally,
there's
still
a
desire
among
end
users,
for
something
like
a
straightforward
way
to
ingest
salsa
and
other
supply
chain
metadata
like
s-bombs
and
those
sorts
of
things,
and
so
one
of
the
things
that
was
brought
up
was
you
know
something
like
General
guidelines
for
Distributing
s-bombs,
salsa,
attestations,
Vex
documents
yayada,
because
most
folks
want
to
say:
hey
I,
don't
want
to
have
to
have
have
like
12
different
tools
to
ingest
all
these
different
documents.
F
F
You
know
one
or
two
tools
that
can
ingest
all
of
these
different
documents
and
the
same
way
that
folks,
who
are
looking
at
building
tools
that
can
ingest
consume
those
documents
provide
metadata,
don't
want
to
have
like
a
ton
of
specific
code
for
here's,
how
I
ingest
from
here's,
how
I
ingest
an
s-bomb
from
ruby,
gems,
here's
how
I
ingest
an
s-bomb
from
npm,
which
is
going
to
be
completely
different
and
here's
how
I
ingest
salsa
attestation,
which
once
again
is
completely
different
from
you
know
in
each
of
those
ecosystems
as
well.
F
I
think
the
thing
that
folks
have
brought
up
is
they.
They
want
something
consistent
and
once
again
getting
the
open
source.
We
totally
recognize
that
getting
the
open
source,
Community,
especially
different
package
ecosystems,
to
agree
to
anything
is,
is
quite
difficult,
but
even
a
set
of
General
guidelines
like
oh
the
rest,
endpoint
or
not
rest
endpoint
I,
don't
want
to
say
rest
because
I
want
to
say
API,
but
the
routes
or
the
the
areas
that
these
things
should
be
downloaded
from
have
generally
relatively
consistent
naming.
F
Maybe
hopefully,
if
everything
turns
out
right
and
then
that
will
help.
Folks
who
are
looking
to
consume,
you
know
documents
like
salsa,
so
they
don't
have
to
have
a
ton
of
custom
Logic
for
every
single
ecosystem.
That
stuff
is
still
going
to
be
I,
think
a
very
long
long
set
of
conversations
and
that's
it
for
me.
J
Yeah
so
I
guess
I'm
wearing
kind
of
two
hats
right
now.
I'm
sort
of
trying
to
get
back
into
salsa
I've
just
had
a
lot
of
conflicts
the
past
few
weeks,
but
I'm
also
wearing
the
sort
of
intro
at
the
station.
Maintainer
hat.
J
So
is
there
anything
from
the
intodo
side
that
we
could
sort
of
collaborate
more
closely
on,
on
the
tooling
end,
to
sort
of
ease
some
of
that,
because
that
is
sort
of
one
of
the
Main
or
one
of
the
benefits
right
that
if
everyone
just
sort
of
used
the
C
envelope,
for
example,
that
that
might
ease
some
of
these
adoption
questions.
F
Sure
so,
there's
a
couple
things
from
my
end,
I
think
a
handful
of
it
and
I
know
there
is
some
interest
there
of
having
something
like
a
dictionary
of
I
know
from
like
I'm
just
talking
from
like
an
end
user
perspective.
What
folks
are
looking
for
is
something
like
a
here
are
a
set
of
in
Toto
attestations
that
are,
let's
say
well
supported
right.
Anybody
can
make
their
own
in
Toto
attestation
and
having
a
library
that
can,
you
know,
maybe
have
additional
logic
in
there.
That's
you
know
specific
for
those
attestations.
F
F
F
The
things
I
know
folks
have
been
looking
at
is
hey
it'd,
be
really
great
if
there's
a
way
to
encode
the
the
schema
for
a
particular
in
total
attestation
via
that
URL,
so
that
folks,
who
are
consuming,
can
just
sort
of
say
great
if
I
don't
have
that
information
locally,
can
I
just
reach
out
to
that
URL
fetch
information
about
how
to
parse
and
then
can
kind
of
continue
on
I
think
those
are.
Those
are
some
big
things
on
on
on
that
front,
Okay.
J
L
Thanks
thanks
Marcella
yeah.
So
is
this
something
that
folks
would
like
to
see
from
the
intolo
site?
L
The
steering
committee
just
recently
formed,
and
this
is
exactly
the
sort
of
feedback
that
we
would
love
so
so
please,
let
us
know
and
also
Aditya
who's
also
I
think
is
on.
This
call
might
be
able
to
speak
about
some
of
the
existing
work
about.
You
know
upcoming,
tooling,.
C
Yeah
I
am
but
I
think
the
highlights
were
mostly
covered
by
Marcel
I
was
you
know,
gonna
speak
up,
but
we're
still
almost
to
cover
those
points.
Two
two
Michael's
point
to
an
extent
about
eventually
mapping
predicates
to
natology
and
things
like
that.
We're
certainly
looking
at
it
from
the
internal
perspective
as
well,
especially
as
we're
now
working
on
updating,
internal
layouts
or
policies
to
support
attestations
and
things
like
that.
Yeah.
You
know
how.
C
How
can
I
write
a
policy
that
can
accept
multiple
predicates
that
you
know
maybe
are
semantically
equivalent
for
the
purposes
of
my
policy,
and
things
like
that,
so
yeah
definitely
I
think
we're
working
towards
similar
things.
There.
F
Yeah
and
and
to
give
you
a
practical
example,
just
real
quick,
you
know
the
the
guac
team.
F
You
know
that
has
been
sort
of
doing
this
is
we've
been
ingesting
right,
all
the
salsa
attestations
we
can
find
and
there's
not
a
ton
of
public
ones
that
but
kubernetes
actually
has
a
lot,
and
you
know:
we've
been
parsing
through
them
and
and
sort
of
mapping
them
into
sort
of
walks
internal
data
model.
But
you
know,
there's
definitely
the
the
case
of
like
hey.
F
If
we
need
to
sort
of
have
a
lot
of
specific
Logic
on
parsing
each
individual
document,
as
opposed
to
having
a
way
to
kind
of
more
easily
kind
of
pull
that
in,
and
you
know,
yeah
that
that
that's
pretty
much
it.
H
Okay,
should
I
move
on
to
the
next
topic
or
nobody
would
you
do
you
think
it's
higher
priority?
Well,
David.
Also,
if
there's
quick
notes,
maybe
we
should
do
those
before
diving
into
a
deeper
discussion.
D
B
I
put
some
little
notes
in
there
I
I,
just
some
quick
notes.
Just
basically
you
know
begging
everybody
else
to
spread
the
word
I'm,
certainly
going
to
you
know
in
the
19th
thing
and
also
just
long
term
and
I
know.
Jay
will
be
happy
for
me
to
say
this,
but
you
know,
let's
I
just
want
would
love
for
you
know
self.
So
folks,
please
take
a
look
and
let's
make
sure
that
s2c2f
and
salsa
you
know
I'm
not
expecting
to
say
exactly.
You
know,
cover
exactly
the
same
topics.
I
mean
it's
fine.
B
If
s2c2f
covers
things
that
salsa
doesn't
you
know
I
frankly,
I
expect
that
but
I
want
to
make
sure
that
these
two
are
not
in
Conflict
anywhere
and
if
so,
you
know,
let's
make
sure
we
raise
that
up,
quick
and
and
address
whatever.
The
issue
is.
H
Yeah
I
know
I
I
I,
think
Josh
Joshua
lock
is
not
here,
but
he
said
he
had
done
a
pass
and
didn't
at
least
he
didn't
see
anything
that
seemed
in
conflict.
B
H
Okay,
thanks
thanks
David
and
now,
but
do
you
want
to
talk
about
the
s-bomb
stuff
first
or
the
road
map?
First.
G
It
might
be
quicker
than
the
roadmap,
because
a
road
map
can
get
into
all
sorts
of
different
things,
and
so,
if
we
I'm
going
to
open
up
this,
this
PR
was
around
an
FAQ
item
on
s-bombs,
and
so
when
I
I
looked
at
the
language.
I
put
my
comments
in
here
the
salsa.dev
website
the
way
they
Define
it
is
very
similar
to
nist,
but
the
actual
FAQ.
G
H
Yeah,
so
the
briefly
that
someone
asked
about
whether
that's
you
know
salsa
has
anything
to
salsa
says
nothing
about
s-bomb
I
mentioned
I,
think
it's
that
we
really
should
say
something
about
s-bomb,
because
it's
like
on
top
of
people's
mind
and
so
I
put
it
in
the
comment
of
like
well.
My
personal
take:
is
this
I,
don't
know
if
it's
you
know,
consensus
I.
E
H
G
So
that's
a
brief
context.
Okay,
thanks
for
that
yeah
I'm,
trying
to
find
the
the
latest
modified.
So
that's
what
I
was
trying
to
do
is
I.
Think
it's
this
one.
It's
the
latest
I
can't
find
a
file
change
there.
It
goes.
G
G
Is
okay,
so
this
is
what
it
talks
and
what
it
talks
about
s,
phones
right
so
when
it
says
that
s-bomb
is
typically
focused
on
understanding
the
software
right
and
known
vulnerabilities
that
that's
partial
right
per
the
definition
on
salsa.dev,
which
is
very
similar
to
nist.
S-Bomb
is
also
about
provenance
of
that
software,
and
so
the
definition
of
provenance
here
is
different
than
what's
on
salsa.dev,
and
so
that's
what
I
I
was
trying
to
show
here.
That
Wonder
seems
to
be
a
discrepancy
between
salsa.dev
and
this
FAQ.
G
S-Bombs
are
good
practice,
blah
blah
blah
I,
don't
necessarily
agree
with
that,
because
again
s-bomb
is
it
can't
handle
provenance
and
therefore,
if
we
think
about
the
build
system,
the
provenance
of
the
build
system
not
of
the
actions
it's
doing,
but
the
software
that
makes
the
build
system
s-bomb
can
be
used
for
that.
Additionally,
to
say
that
you
know,
s-bomb
is
not
Suited.
G
You
could
probably
say
that
it's
not
as
bomb
is
traditionally
not
well
defined
for
build
actions
and
configurations.
If
that's
what
you're
intending
because
there
are
other
specifications
that
are
trying
to
do
that,
so
there's
I
think
there
needs
to
be
a
little
bit
more
clarity
and
then
also
fixing
the
discrepancy
between
this
FAQ
and
the
salsa.dev
I
like
this
also.devs
definition.
It
is
closely
aligning
with
what
the
industry
is
looking
at
right
now,
but
not
so
much
with
this
FAQ
says.
H
Yeah
I
yeah
I
haven't
had
time
to
comment
on
the
particular
programs
and
the
reason
why
I
had
said
my
original
thing
in
a
GitHub
comment,
as
opposed
to
sending
a
PR
is
because
I
think
it
it's
going
to
be.
You
know
take
some
time
to
like
really
come
up
with
wording.
That
is
clear
and
we
all
agree
with.
H
Maybe
a
more
accurate
way
to
say
it
would
be
that
in
practice
the
s-bomb,
tooling
and
format
that
exists
today
are
like
they're.
Not.
H
Let
me
the
other
way
around.
What
salsa
needs
for
the
build
track
is
a
particular
thing
type
of
information
generated
by
like
the
control
plane
of
a
build
system
and
to
the
s-bomb
formats
that
exist
today.
The
format
doesn't
make
that
particularly
easy
to
do,
and
also
that
data.
H
What
people
I
think
when
people
usually
think
of
an
s-bomb,
they
think
of
kind
of
more
finer
grained
information
than
the
salsa
provenance
would
give
them,
and
so
yeah
I
agree.
That's
not
accurate
to
say
that
Aspen
can't
support
it,
because
that
spawn
is
very,
very
general
can
contain
lots
and
lots
and
lots
of
different
type.
E
H
Abstraction
so
I
guess
in
my
mind
it's
more
about
like
in
most
cases
today,
as
tools
exist
today
there
will
likely
be
prominence
generated
by
the
build
system,
that's
just
like
the
overall
thing
and
then
more
fine-grained,
s-bomb
tooling.
That
is
about
the
kind
of
the
more
detailed
steps
of
what
happens,
but
it's
more
of
like
in
practice
rather
than
theoretically
that's
what
ought
to
happen.
At
least
that's
that's
my
mind.
I,
don't
know
how
to
word
that
and
I
also
don't
know
if
others
agree.
F
Yeah
yeah
no
I
agree
with
Mark
like
it's,
it's
more
of
we're,
talking
more
about
build
provenance,
so
it's
the
provenance
of
how
an
artifact
kind
of
went
from
source
to
this
thing-
and
it's
also,
you
know,
there's
a
bunch
of
other
properties,
whereas
you
know
I,
think
nist
really
did
a
bit
of
a
disservice
by
lumping
like
a
lot
of
things
in
there,
because
I
mean
if
you
look
at
sort
of
the
proliferation
of
all
the
different
bombs
right.
We
have
Network
bombs
and
and
d-bombs
and.
F
Bombs
and
like
there's
a
lot
of
these
different
things
that
are
trying
to
each
say:
no,
no,
we're
a
superset
of
of
all
of
this
and
I
think
where
Salsa's
strength
is
actually
no.
We,
we
are
laser
focused
on
this
thing
and
that's
kind
of
where,
where
we're
coming
through
I,
don't
know
how
I
would
word
that,
because
I
agree
like
there
is
an
element
there
of
like
s-bombs,
do
describe
an
element
of
provenance
like
hey.
This
thing
depends
on
a
thing,
and
this
is
where
it
came
from.
F
F
It
makes
no
claim
about
that
and
I'm
not
sure
how
we
word
it,
but
I
just
want
to
make
sure
that
that's
clear
and
also
makes
folks
understand
as
well,
that,
like
it
shouldn't,
get
lost
in
the
mix
of
all
the
stuff
that
people
are
talking
about,
because
you
know
the
ever.
F
You
know
you
talk
to
everybody
and
everybody
has
a
bomb
format
that
does
everything
and
and
we're
trying
to
say
well,
actually,
we
view
that
to
be
maybe
not
very
helpful,
because
we
think
that
that
you
know
the
the
key
here
is
about
really
hitting
these
things.
And
what
can
you
prove
about
those
things?
Yeah.
G
Yeah
completely
agree
and
that's
why
I
started
to
question
this
right,
because
s-bomb
is
a
huge
Focus
right
and
I.
Think
today
is
supposed
to
be
a
major
announce
day
for
the
executive
order
on
whether
or
not
June
is
the
official
time
where
everybody
has
to
comply
with
s-bombs
and
other
things,
and
so
it
will
be
top
of
mind
for
the
next
couple
months.
G
So
we
have
to
make
sure
that
we're
very
clear
on
okay,
we're
talking
about
build
provenance
which
includes
things
like,
like
you
said,
The
Trusted
control
plane,
give
examples
like
you
know
what
tecton
tasks
it's
doing,
et
cetera
et
cetera.
If
you
give
examples,
then
verses
a
software
bill
of
material
which
is
more
tailored
towards
the
software
components
that
make
up
the
thing
that
you're
building
or
the
thing
the
the
software
that
it
comprises
of
the
build
right
so
Jenkins
right
there
should
be
an
s-bomb
of
Jenkins
and
that
maybe
at
a
future
date.
G
If
we
don't
do
it
today,
we
will
ingest
an
s-bomb
as
I.
Believe
we've
had
discussions
about
that,
but
yeah.
This
just
needs
to
be
a
little
clearer
because
right
now
it's
I
I
definitely
don't
agree
with
the
way
it's
worded
go
ahead
on.
M
Yeah
so,
as
I
said
in
my
comment,
I
think
you
know
what's
important
is
to
recognize
those
things
are
moving
quickly
right
and
so,
in
my
opinion,
what's
more
more
important
is
to
to
acknowledge
that
you
know
these
are
moving
Parts
I
mean
in
provenance.
We
all
already
have
some.
You
know
option
to
to
have
dependencies,
which
is
clearly
the
realm
of
as
bombs
and
as
bombs
are
evolving
towards
having
some
kind
of
provenance
information
I
mean
the
Cyclone
DX,
a
formulation
that
they
claim.
Does
everything
I
mean?
M
If
you
ask
them,
they'll,
say
I
challenge
you
to
come
up
with
something
you
have
in
provenance.
That's
not
you
know
in
formulation
and
I
I
don't
want
to
get
into.
You
know
a
pieceing
contest
as
to
which
one
is
better,
but
so
I
think
we
have
to
acknowledge
that
these
things
are
moving
parts
and
we
don't
really
know
how
things
will
end
I
think
we
have
to
we're
better
off.
G
So
yeah
I,
just
wanted
to
to
you,
know,
bring
this
to
light
and
and
try
to
explain
verbally,
sometimes
slack
or
you
know,
PRS,
don't
necessarily
get
my
point
across
so
usually
I
do
better
when
I'm
speaking
with
someone
about
you
know
why
this
is
bothering
me
so
much
and
and
we
we
need
to
change
it,
because
this
I
think
we're
going
to
get
a
lot
of
pushback.
If
it's
written
this
way.
H
B
Is
specifically
to
you
know,
explain
what
how
you
know,
what
the
requirements
of
the
build
and
then
explain
that
Providence
I,
like
that
phrase,
laser
focused
and
maybe
throwing
the
word
historically
somewhere.
G
Oh,
thank
you
trishank.
Can
you
put
a
link
to
that
I
see
the
s-bomb
IT
project.
L
Oh
sure,
yeah
yeah,
so
sorry,
sorry
I
should
I
should
also
mention
it
in
the
meeting
yeah.
So
the
S
bombing
project
is
a
project
that
that
we're
planning
to
incubate
under
open,
ssf
I,
don't
think
it's
fully
official
yet
so,
but
the
idea
is
to
have
s-bombs
that
you
could
verify
technically
within
Toto
and
so
I.
Don't
think,
there's
any
contradiction
between
things
like
s-bombs
and
salsan
and
Toto.
Let
me
post
a
link.
G
I
think
the
next
item,
if
no
one
has
anything
else,
is
the
road
map.
We
only
have
a
couple
minutes,
but
hopefully
we
can.
We
can
make
some
progress.
Let
me
zoom
in
here
and
try
to
get
rid
of
some
of
these
comments.
How
do
I
anybody
knows
how
to
get
rid
of
the
comments.
I
would
appreciate
this
weekend.
F
So
I
think
there
is
a
way
under
the
oh
under
the
full
menu
I
think,
maybe
on
the
right
hand,
side.
E
F
Set
that
down
arrow,
maybe
that'll,
expand
out
yeah
I.
Think
if
you
there's
a
way
to,
is
it
under
view
I.
H
G
That
thank
you.
Thank
you.
Thank
you,
okay.
So
some
of
the
things
we
had
talked
about
anytime
I
try
to
zoom.
In
with
my
mouse.
It
goes
to
a
different
slide,
build
level.
One
versus
three
is
pretty
much
around
the
corner
right
and
same
thing
with
the
problem
specification.
G
Oh,
we
at
one
point
talked
about
creating
guidelines
for
postmoderno
truck
or
guidelines
for
a
track
post
1.0.
G
Do
you
think
that
this
would
come
next?
You
know
the
working
on
now
from
priority
perspective
and
I
can't
see
people's
screen
I
had
to
minimize
it
in
order
to
see
the
screen.
F
But
I
do
think
yeah
I
mean
I.
Think
the
one
of
the
based
on
based
on
the
conversation,
especially
given
a
lot
of
folks,
are
going
to
be
asking
this
I.
Think
one
of
the
the
top
priorities
is
I'm
blanking
on
his
name,
so
I
I
apologize,
the
the
I
think
it
was
from
Susa
who
had
talked
about
like
we
need
a
salsa
Builder
build
system
specification.
F
I,
think
that
would
probably
be
the
number
one
thing,
because
a
lot
of
folks
are
going
to
start
asking
like
okay
cool.
How
do
I
make
my
build
system
secure
in
a
way
that
you
know,
we
would
feel
confident
that
it
is
generating
accurate,
salsa
prominence
and
not
just
telling
us
that
it's
you
know
generating
salsa
V3.
F
Would
be
a
little
sub,
it
would
be
different
because
I
think
the
the
idea
here
is
the
build
track.
Is
a
I
think
Mark
correct
me
if
you
think
I'm
off
base
here,
but
I,
the
the
feeling
we
got
or
feeling
I
got
from
the
conversation
was.
F
It
would
be
different
because
it's
just
here's
good
ways
to
make
a
secure,
build
and
here's
how
it
then
integrates
into
allowing
you
to
make
a
a
you
know:
salsa
level,
three
or
whatever,
but
it's
different,
because
you
know
you
it's
it's
it's
different
audiences
one
audience
is
hey.
I
have
a
project
I
want
to
make
sure
that
the
provenance
is
secure
against
this
thing,
I
use
the
salsa
build
track.
I
want
to
make
sure
that
the
builders
are
providing.
F
G
Yeah
we
can
Circle
back
on
that,
because,
even
with
that
description,
I
still
think
it.
It
fits
under
there,
but
we'll
table
that
what
about
the
source
level,
one
I
just
put
level
one
two.
It
doesn't
have
to
be
level
one
and
two.
It
could
be
level
one
to
four,
but
there
was
some
thought
that
this
could
be
done
in
parallel
with
social,
build
level.
G
Four,
and
given
our
track
record
I'm,
not
so
sure
that
it
could
be
done
in
parallel,
so
just
trying
to
get
a
sense
of
where
does
the?
Where
do
these
fit
in
the
priority
list?.
G
I
Oh
right,
so
for
what
it's
worth,
if
people
are
willing
and
available,
I
I
certainly
hope
that
we
try
to
parallelize
build
level
four
and
the
source
track,
because
that
is
one
of
the
one
of
the
purported
benefits
of
splitting
into
tracks
in
terms
of
priority.
I
suspect
that
Source
levels,
one
and
two
would
come
together
faster
than
build
level
four.
So
if
we're
not
able
to
parallelize
it,
I
would
guess
that's
happening
first,
but
that's
just
a
hunch.
E
G
Okay,
so
then
I'll
keep
this
the
same
way
and
it
sounds
like
well
I
know
you
Chris
mentioned
you
and
Josh
think
that
it
could
be
a
simultaneous.
If
others
disagree.
Please
speak
up
now,
because
I
can't
see
or
hear
so.
M
G
Yeah
and
that's
my
concern
right.
Okay,
so
I'll
leave
this
like
this.
For
now,
what
about
any
sort
of
tooling.
G
K
Oh
yeah,
yeah
I
was
gonna
comment
on
the
topic
before
I
think
the
a
bill
level
four
should
wait
a
while.
Let
that
look,
let
one.o
breathe
in
its
current
form.
K
K
You
know
we
find
we
will
more
and
more
likely
will
find
gaps,
but
things
that
giveaway
give
give
put
some
heart
palpitations
and
for
those
that
have
reached
level
level
three
or
you
know,
level,
two
or
level
three,
but
then
find
that
what
was
level
two
or
level
three
is
no
longer
level
two
or
level
three
or
or
what
have
you,
because
we've
just
we've
discovered
New
pieces
of
information
that
contribute
better
to
level
four
so
that
it
that
made
raise.
L
K
Some
and
diminish
the
delegate
diminished
others
I.
H
Between
like
working
on
Source
or
build
or
whatever
other
track,
I
would
imagine
because,
like
this
is
like
we
are
not.
This
is
an
open
source
project
and
we're
not
paying
people
to
do
this,
that
it
would
be
whatever
contributors
are
willing
to
work
on
it
and
so
I
think.
If
people
have
the
bandwidth
to
think
about
source-
and
they
think
it's
important,
then
they
would
kind
of
start
and
try
to
get
momentum.
H
There
I
think,
if
there's
folks
who
have
a
desire
to
define
a
level
four
because
they
have
a
need
for
it,
they
could
get
momentum
there
and
I.
Think
it's
hard
for
me
to
know
like
which
direction
we
go.
I
would
also
Imagine.
Source
would
come
first
because
it
seems
like
a
higher
priority,
but
I
think
there's
I,
guess,
there's
hard
questions
in
both.
H
Neither
seems
like
an
easy
thing
to
add,
because
the
big
question
is
like
how
we
would
verify
how
it
actually
work,
but
so
I
would
imagine
it
might
be
kind
of
some
like
we
make
some
progress
here.
We
make
some
progress
there
and
eventually
it
materialize
into
something
that
we're
pretty
confident
with
that
we
could
yeah.
We
could
actually
release
okay.
G
Yeah
I
know
we're
at
time,
but
if,
if
folks,
can
kind
of
take
a
look
at
this
and
put
like
put
comments
on
what
you
think
the
bucket
should
be,
then
we'll
be
that
much
closer
to
having
this
not
only
for
open
source
Summit,
but
for
the
next.
You
know
supply
chain,
Integrity
working
group
positioning
meeting
so
that
people
can
take
a
look
at
as
well
as
the
bi-weekly
and
the
specification
call
for
that
matter.
F
Yeah
and
one
thing
just
to
and
at
the
very
end
here,
yeah
I
definitely
wanna
Echo
Mark's
statement
about
hey
everybody's
volunteers
here
so
I
think
when
it
one
of
the
challenges
we've
had
with
some
of
the
tooling
right,
people
are
going
to
be
expecting
tooling,
especially
open
source
tooling,
and
we
need
to
provide
incentives
for
folks
to
put
Hands-On
keyboard
and
help
out
with
with
the
tooling
I
mean
we
could
talk
about
that
out
of
offline.
G
Yeah
yeah
I
I
agree;
okay!
Oh
so!
Yes,
please,
post
your
your
comments
in
the
in
the
roadmap.
That
would
be
very
much
appreciated,
so
we
can
also
get
that
out
and
potentially
even
publish
it
on
the
salsa.gov
website.