►
From YouTube: SLSA Bi Weekly (June 9, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
A
C
C
A
All
right,
that's
for
next
time,
yeah
there
was
a.
There
was
a
cool
post
from
it's
suse
of
people.
I
don't
have
the
link
here,
but
how
they're
reaching
is
also
level
four
and
so
yeah.
I
see
avashek
added
a
potential
future
talk
on
this,
so
if
anyone
knows
about
that
or
can
speak
to
it,
that
would
be
awesome
to
see
in
the
future.
E
E
I
can
I
can
talk
about
it
a
bit
today
or
in
a
later
session,
on
whatever
you
prefer.
F
Oh,
I
was
just
gonna,
say
yeah
and
obviously
I
don't
think
we'll
have
enough
time
for
like
a
full-fledged
demo
or
anything
like
that.
But
yeah.
Just
like
a
brief.
You
know,
discussion
would
be
pretty
cool.
A
D
G
And
hi
everyone,
my
name
is
ivan
tablin
and
I'm
head
of
solution,
certifications
at
souza,
so
working
very
closely
with
styan's
teams
and
to
marcus
in
product
security.
A
Sweet
last
call
cool
all
right.
Well,
welcome
everyone!
So
joshua
you
are
the
first
on
the
list.
I
don't
see
you
on
the
call,
but
I
can't
see
everyone.
B
Take
it
away.
I
was
volunteered
to
talk
about
this
effectively,
so
we've
been
talking
a
bit
about
how
the
project's
organized
and
the
the
calls
now
we've
got
a
fairly
significant
number
of
participants
for
the
calls
each
week
and
enough
stuff
to
talk
about
that.
B
We
can't
cover
everything,
that's
happening
within
the
project,
so
we've
started
to
think
about
forming
like
working
groups
or
whatever
some
other
term,
but
tactical
teams
focused
around
different
goals
of
the
project,
to
try
and
have
a
smaller
set
of
people
that
we
can
gather
to
do
like
working
meetings
and
progress.
B
Some
of
the
open,
like
efforts
that
have
been
proposed
in
the
roadmap
so
and
you
can
see
in
a
minute
we've
we've
got
four
possible
groups
that
we
could
form
so
focusing
around
getting
the
1.0
version
of
the
spec
out.
One
focused
around
alignment
with
standardization
efforts,
particularly
the
ssdf
framework
from
nist,
I
think,
and
all
the
s-bum
efforts
that
are
happening
and
one
work
stream,
as
isaac
suggested
focused
around
tooling
and
another
focused
around
vulnerability
management.
B
F
Yeah
yeah
she
she
had
to
just
step
out
for
a
second,
so
she
asked
me
to
take
over
here
for
a
minute
yeah.
I
think
you
know
once
again
just
to
be
clear
to
the
the
group
here.
The
big
thing
is,
like
you
know.
Obviously
all
of
these
groups
are
open.
F
We
want
to
make
sure
that
it's
clear
that
it's
not
like
some
sort
of
closed
group
anybody's
allowed
to
sort
of
participate
and
contribute,
but
we
do
want
to
make
sure
that,
like
hey,
your
participating
in
these
groups
should
mean
that
you
are
sort
of
dedicating
at
least
some
time
here.
There's
no.
Currently
you
know
once
again.
This
is
just
like
a
pitch,
I
believe,
there's
no
actual
times
for
anything
yet
and
yeah.
F
B
Yeah
so
good
questions.
I
think
nothing.
This
is
just
like
the
seat
of
an
idea
and
the
main
motivation
is
to
be
able
to
get
to
make
progress
on
some
of
the
things
that
might
require
discussion
in
consensus
building,
but
probably
don't
need
all
30
participants
in
the
cult
to
be
involved,
so
there's
definitely
no
intent
of
any
kind
of
exclusion.
B
I
am
in
a
different
time
zone
to
many
of
the
sales
contributors,
so
I
I'm
encouraging
that
we
like,
if
we
are
going
to
hold
meetings,
we
give
significant
notice
so
that
folks
can
choose
to
join
or
not
and
that
we
capture,
like
any
guidance
projects,
we'll
capture
any
outcomes
in
a
public
place.
B
And
if
you
have
ideas
about
how
to
achieve
this
recommendations
or
success
stories
from
other
similar
efforts,
then
we'd
be
happy
to
hear
them
and
learn
from
them.
And
and
as
for
the
question
of
like
alignment
with
other
openstaff
working
groups,
I
suspect
there
will
be
some
attempts
to
kind
of
interact.
B
I
should
emphasize
that
these
work
streams
are
specifically
focused
around
salsa,
so
it's
not
generic
security,
tooling,
it's
tooling,
to
generate,
for
example,
social
province
metadata,
so
go
ahead.
Mike
you've
got
hand
raised.
F
Oh
yeah
yeah,
I
just
wanted
to
yeah.
I
think
I
I
agree
with
you
on
on
on
all
those
points.
Why
am
I
blanking
all
of
a
sudden?
F
You
know
I'll
get
back
to
it.
I'm
sorry.
H
Isaac
yeah.
No,
I
I'm
a
huge
fan
of
this
idea.
I'm
really
love
it.
I
think
it'll
create
some
some
concentrated
effort
to
actually
move
things
forward.
I
agree
like
these.
I
think
anyone.
H
To
show
up
and
participate
in
these
things
totally
welcome,
there's
no
exclusionary
intent.
I
think
it's
just
that,
like
the
intent
is
convergence
and
and
forward
motion
on
a
number
of
things,
so
I
think
I
mean
the
one
suggestion
I
would
have
is:
potentially
the
alignment
of
the
ssdf
and
s1
we
generalized
into
you
know:
alignment
with
you
know
adjacent
concerns
and
that
group
can
start
with
ssdf
and
s1,
but
potentially
over
time
we
may
want
to
look
at
skip.
F
F
Is
I
really
like
how
the
cncf
security
tag
handles
some
of
this
stuff,
which
is
they
sort
of
like
they
split
out
the
different
sort
of
work
streams
and
then,
like
a
meeting
like
this,
would
be
available
for
sort
of
updates
from
those
work
streams
like
that
would
be
like
the
first
like
15
minutes
of
the
meeting
or
whatever
is
usually
dedicated
to
you
know:
hey.
Are
there
any
updates
from
this
work
stream?
Anything
that
should
be
brought
to
the
larger
group
and
and
those
sorts
of
those
sorts
of
things.
B
Streams,
it
sounds
like
we've
got
a
lot
of
support
for
the
idea
and
we
just
need
to
or
we
need
to
try
and
firm
up
the
details.
Brandon
looks
like
you've
got:
let's
go
ahead.
I
Yeah
I
just
wanted
to
share
a
little
bit
about
like
how
we
hardly
say
cncf.
We
do
the
work,
the
working
groups
and
stuff
like
that.
I
think
we
found
that
having
a
kind
of
proposal
around
deliverables
would
really
help
drive
the
working
group,
if
not
it
kind
of
comes,
if
not
it
kind
of
like
goes
into
too
many
directions.
So
I
I
think,
that's
helpful.
If
we
have
anything
that
we
can
kind
of
like
list
out
as
like
a
particular
developers.
B
How
often
would
these
work
streams
meet
when
we,
so
I
I
think
we
shouldn't
like
try
and
add
loads
of
meetings
or
even
necessarily
even
standing
meetings,
but
one
idea
that
a
couple
of
ideas
that
were
proposed
were
on
the
kind
of
opposite
weeks
of
this
call,
maybe
or
another
idea
might
be
to
shorten
this
call
and
use
the
second
half
of
it
for
a
working
meeting
on
one
of
the
workstream
topics,
or
even
just
breaking
out
into
separate
meetings
for
the
different
work
streams
that
might
be
a
good
way
forward.
B
One
of
the
primary
motivation
factors
is
like
making
the
meeting
effective
for
each
of
the
participants,
so
everyone
a
lot
of
people
that
join,
have
different
priorities
so
being
able
to
break
out
into
working
meetings.
The
second
half
of
meeting
might
be
a
good
way
forward.
B
Any
and
all
ideas
welcome.
I
know
a
lot
of
people
have
a
lot
of
meetings
and
wouldn't
be
too
excited
about
adding
another
regular
one
to
the
calendar.
So
if
you've
got
creative
ideas
and
not
tell
them.
H
I
really
like
the
opposite
week's
idea.
That's
a
that's!
A
terrific
idea,
big
plus
one
for
me
on
that.
B
I
think
that
does
conflict
with.
Is
it
the
supply
chain,
integrity,
working
group.
F
So
so
one
quick
thing-
and
I
think
it's
probably
sort
of
related
to
at
least
some
of
this
stuff
is-
is
I
have
a
feeling
you
know
most
likely
it'll
start
one
way
and
then
over
time
shift
a
little
bit.
I
think
one
of
the
big
things
here
that
I
know
we
want
to
that.
I
know
is
a
big
one,
like
the
salsa
1.0
thing
here
of
like
hey
there's,
you
know
as
since
we
started
a
little
less
than
a
year
ago.
F
A
lot
of
folks
have
you
know
a
lot
of
stuff
has
sort
of
changed
and
there's
also
been.
You
know
a
reasonable
amount
of
confusion
on
like
hey.
What
does
does
this
thing
count
as
salsa?
This
thing
not
count
to
salsa?
Oh,
hey!
Here's,
a
here's,
a
big
gap
in
what
we're
doing
so.
I
think
you
know.
A
lot
of
this
for
now
is
is
also
very
much
like
a
short-term
hey.
F
We
need
to
get
some
big
things
done
sooner
rather
than
later
to
to
stop
some
of
that
that
confusion,
because
you
know
if,
if
folks
are
keeping
an
eye
on
the
github
you'll
notice,
there's
there's
a
lot
of
folks
asking
the
same.
You
know
opening
up
similar
github
issues
about
either
a
confusion
with
a
thing
or
saying
hey.
How
are
we
mapping
to
other
things
and
and
that
sort
of
stuff?
So
I
think
we
want
to
also,
as
part
of
this
like
really
get
together
and
start
start.
F
You
know
pounding
out
some
of
that
work
and
then
I'm
sure
over
time.
You
know
if,
after
three
months
go
okay,
we
did
this
whole
bunch
of
stuff
and
now
some
of
those
work
streams
are-
maybe
you
know
not
don't
have
as
much
to
do.
We
can
probably
you
know,
switch
it
up,
make
it
more
part
of
the
regular
meeting,
whatever.
B
Yeah
and
the
the
work
streams
are
aligned
to
things
that
all
the
the
straw
person
work.
Streams
in
the
dark
are
aligned
to
like
scenes
in
the
road
map.
So
it's
entirely
possible
that
in
six
months
time
we
we
review
the
road
map
and
say
well
that
work
stream,
like
mike
said,
is,
is
wrapped
up,
but
we've
we're
going
to
start
a
new
road
map
with
a
different
work
treatment,
change,
change,
meetings
for
that.
A
Cool
any
other
comments
on
that
I'm
excited,
so
I
think
next
steps
are
kind
of
figure
out
a
time.
It
sounds
like
there's
some
strong
support
for
switching
up
every
other
week
or
adding
another
weekly.
B
I
will
take
an
action
item
to
try
and
schedule
something
or
you
know,
provide
to
to
refine
for
next
steps,
get
something
more
concrete
together.
H
Thanks
joshua
and
please
don't
pull
me
if
I
can
be
at
all
helpful,
this
is
isaac
and
shall
we
should
we
use
this
to
slack,
to
coordinate
and
give
updates
to
the
the
team.
More
generally,
if
there's
updates
before
the
next
community
meeting
sounds.
B
Good
yeah
slacker,
I
think
I
think
the
select
more
alive
than
the
discussion
group
so
we'll
use
that.
H
C
J
So
I
just
wanted
to
take
it
to
this
group
and
get
your
thoughts
on
that.
What
exactly
that
should
be?
I
could
see
actually
potentially
three
different
things
that
that
could
be.
I
could
see
that
being
like
a
list
of
the
environment
variables,
especially
in
the
context
of
git
lab
and
building
something
inside
of
gitlab.
It
could
be
the
you
know,
those
environment
variables
that
are
passed
into
the
ci
job.
It
could
potentially
be
like
the
variables
itself
or
the
script
portion
of
the
build
job,
or
maybe
it
means
like
the
exact
command.
J
That's
used
like
if
it's
a
make
command.
You
know
what
parameters
are
passed
into
that
make
command
and
I
wasn't
really
sure
which
of
all
of
those
would
be,
and
then
it
also
was
brought
up
that
there's
some
potential
for
secrets
to
be
exposed,
because
actually
you
know
there
are
a
lot
of
different
builds
out
there
and,
if
we're
turning
this
on
by
default
for
all
of
the
builds
that
are
done
in
gitlab,
there's
the
potential
that
those
would
include
secrets
of
some
kind
for
any
of
those
three.
J
F
So
I
think-
and
this
is
the
the
once
again
just
this-
this
is
the
way
we've
been
interpreting.
It
is
as
as
much
as
is
possible.
It's
been
the
inputs
to
whatever
the
build
service
does.
So
if
the
build
service
says
you
know,
I'm
spinning
a
thing
with
these
things.
F
You
know
it
would
be
the
inputs
there.
Salsa
still
is
flexible
enough
where,
if
for
some
reason,
you
know
you're
not
doing
it
that
way
and
how
you're
just
sort
of
saying
like
hey,
I'm
I'm,
you
know
running,
you
know
some
shell
script
and
then
your
inputs
would
be
the
inputs
to
that
shell
script.
Something
like
that.
So
I
think
there's
some
flexibility
there,
but
if
you
combine
it
with
some
of
the
other
sort
of
build
service
should
be
doing
these
things
sort
of
requirements.
F
Then
it's
essentially
whatever
the
build
service
is
doing
so
like
as
an
example,
it's
like
something
like
techton.
It
would
be
like
the
inputs
to
the
tecton
task.
You
know
or
if
it's
jenkins
is
like
the
you
know,
the
inputs
to
the
jenkins
step.
J
So
would
it
be
the
inputs
to
that
specific,
build
step,
or
would
it
be
so
again
like
in
gitlab
we
have
environment
variables
and
those
get
employ
applied
to
the
entire
ci
pipeline
when
it
kicks
off.
You
know
the
the
ci
pipeline
as
a
whole,
and
then
you
also
potentially
have
those
environment
variables
also
act
as
inputs
into
each
of
the
different
jobs
that
get
run,
and
then
you
have
your
individual
build
job
with
the
script
that
gets
executed
there.
J
F
Somebody
who
has
access
and
whatever
is
auditing,
can
go
back
and
say:
okay,
well,
the
shell
script
hook
that
they
used
was
this
one?
I
can
go
back
and
then
look
at
the
environment
variables,
look
at
the
shell
script
or
whatever
or
look
at
you
know
how
it's
called
and
and
be
able
to
pull
that
through
and
be
able
to.
You
know
determine
like
how
what
was
actually
run.
I
think
like,
because
at
the
end
of
the
day,
it's
all
about
like
the
goal
here
is
just
to
kind
of
figure
out.
F
If
somebody
was
auditing
and
had
access
to
everything
they
needed
to
have
access
to.
Could
they
essentially
replay
the
build.
J
Got
it
okay,
so
that
makes
sense
as
far
as
what
the
spec
is
requiring.
I
guess
the
follow-up
question
to
that,
then,
would
just
be
you
know,
of
course
it's
not
best
practice
to
expose
secrets
in
that
way,
but
we
actually
have
you
know.
Environment
variables
can
be
configured
as
protected.
They
also
can
be
configured
as
hidden,
and
so
generally
users
will
put
secrets
there,
and-
and
actually
it
is-
you
know,
considered-
you
know
reasonably
safe
to
put
secrets
in
that
are
protected
or
hidden.
J
A
lot
of
users
will
do
that
and
some
users
will
still
put
in
secrets
that
are
not
protected
or
hidden
variables,
and
it
sounds
like
what
we're
actually
looking
for
here
to
meet.
The
requirement
would
require
us
to
to
output
all
of
the
variables,
even
if
they
are
protected
or
hidden,
so
that
they
could
fully
reproduce
that
build,
but
then,
at
the
same
time,
if
we're
publishing
that
as
an
artifact
there's
some
potential
there
for
secret
exposure.
So
I
don't
know
what
are
your
thoughts
on
how
to
balance
that.
K
Yeah,
so
my
opinion
is
just
thinking
about
the
various
salsa
levels
and
compliance
or
for
provenance
capabilities
is
really
you
kind
of
tie
this
into
using
other
tools
in
the
pipeline.
K
That's
that's
a
huge
issue
with
security,
so,
in
this
context,
using
tools,
as
I
noted
in
the
chat
like
whispers
or
blue
bracket
or
other
components
that
will
actually
scan
your
code
at
various
times
in
a
pipeline
to
verify
that
none
of
those
are
accessible
would
be
would
be
a
key
component.
I
don't
believe
that
any
of
the
reports
should
have
it
any
of
that
data
in
them.
It
should
note
that
there
is
a
potential
issue
and
where,
in
what
file
it
exists
in,
but
I
don't
know
that
we
ever.
I
K
K
I
don't
think
they're,
you
know
in
a
perfect
world,
if
you're,
following
kind
of
best
practices
or
good
practices,
as
the
case
may
be,
you
really
don't
want
to
have
any
any
of
those
critical
or
crucial
keys
or
identifying
or
secure
authentication
type
of
components.
Inside
of
any
of
your
files,
which
I
think
you
know,
I
certainly
heard
others
say,
but
you
know
it
really
should
be
part
of
the
maturity
or
the
level
to
decide
you
know.
K
Have
you
met
this
level
because
you're
incorporating
these
types
of
scans
into
your
your
process,
and
you
know
something
something
for
the
group
to
consider
that's
kind
of
how
we're
interpreting
it
and
how
we're
trying
to
implement
salsa
based
on
the
components
in
our
own
pipeline.
J
Yeah,
so
just
a
minor
clarification
there,
these
variables
or
or
potential
secrets
would
not
actually
be
stored
in
files
in
the
repository,
but
they
would
just
be
being
passed
in
as
environment
variables,
but
it
sounds
like
your
suggestion
is
just
to
avoid
passing
in
secrets
of
any
kind
which
I
know
at
least
for
some
organizations.
Some
builds
may
still
require
those.
K
Well,
but
even
so,
if
you're
automating
this
this
process,
which
would
be
the
right
recommended
way
of
doing
it,
you
you
can
certainly
make
those
variables
that
are
passed
in
you
know
come
from
an
encrypted
source
and
they're
they're,
not
something
that's
being
manually,
entered
or
allowed
to
be
manually
entered
right.
This
is
the
conversation
about
at
what
level
are
we
fully
automated
versus
somebody's?
Doing
this
manually
would
be
the
the
conversation
point.
I
think
we
would
also
need
to
discuss.
C
K
Think
the
aim
for
for
doing
this
would
be
to
automate
as
much
as
possible
to
remove
the
potential
for
a
human
to
make
the
these
kind
of
mistakes
or
to
hack.
The
system
would
be
my
my
opinion,
but
certainly
you
know
point
taken
you
know.
Sometimes
some
people
will
manually
do
this,
but
in
an
automated
system,
there's
certainly
ways
around
that.
J
Right
so,
if
there's
an
automated
system
in
place,
do
we
still
include
those
those
you
know
those
variables
as
inputs?
You
know,
they're
they're
technically
are
like
build
instructions.
They
still
ultimately
get
passed
into
the
build,
even
if
it's
coming
from
an
encrypted
or
automated
source,
I'm
almost
wondering,
if
maybe
we
should
store.
Instead,
you
know
put
in
the
provenance
like
a
pointer
and
just
say
we
reference
this
variable
in
this
location.
B
Yeah,
the
point
is
to
be
able
to
reproduce
the
build
right.
So
if
your
build
service
can
reproduce
the
build,
it
has
enough
information,
whether
I
don't
think
it,
I
don't
think
anyone's
suggesting
you
store
all
of
that
secret
information
as
part
of
the
providence
metadata,
but
that
there
is
enough
information
in
the
province
metadata
that
you'll
be
able
to
reproduce
the
builder
at
life
point,
and
I
think
the
other
part
that's
worth
thinking
about
is
that
salsa
today
is
increasingly
like
we're
trying.
B
One
of
the
proposals
in
the
roadmap
for
1.0
is
tightening
the
scope
a
bit.
So
it's
just
about
that
build
integrity
piece.
So
it's
when
you,
even
when
you're
thinking
about
reproducibility,
it's
rarely
like.
B
Can
I
recreate
the
same
subject
for
the
same
output,
artifact
and
so
how
many
of
those
secrets
are
actually
directly
influencing
the
produced
artifact
as
well.
So
you
wouldn't
necessarily,
if
you're
running
a
very
built
vulnerability
scanner
as
part
of
your
pipeline,
and
you
need
a
secret
to
authenticate
to
it.
That
secret
is
not
necessary
to
reproduce
the
artifacts
that
the
problems
metadata
is
describing
right.
F
No,
no
yeah,
no
yeah.
The
only
thing
I
was
just
gonna
was
just
gonna,
say
yeah,
like
the
way
that-
and
I
know
that
this
is
not
available
for
everybody
yet
but
yeah.
I
like
the
way
we've
sort
of
done.
It
is
like
often
the
the
secret
is
something
that
is
like
a
pointer
to
some
location
where
the
secret
is
or
whatever,
and
you
know
that's
how
you're
requesting
the
build.
You
know
the
build
itself
would
request
the
secret
get
a
token
that
kind
of
thing
yeah
I
think.
F
Like
generally,
it's
just
you
know
what
whatever
to
repeat
a
lot
of
what
other
folks
have
been
saying
is
just
mostly
like
I've
been
using
the
term
repeat
the
build,
as
opposed
to
reproduce
the
build
just
because
reproduce
often
has
the
connotation
of
like
bit
for
bit
sort
of
reproducibility,
whereas
repeat,
is
kind
of
like
I,
you
know
I'm
able
to
just
sort
of
run
the
same
thing
multiple
times,
and
I
have
you
know,
information
that
hey
this
source
code
was
run
with
these
parameters.
F
This
source
code
was
with
these
parameters
in
this
build
script
or
whatever.
That
means
I
can
go
in,
you
know,
and
this
was
also
the
build
environment.
So
now
I
can
go
in
and
repeat
that
build
you
know,
because,
because
the
the
spirit
of
what
we're
trying
to
get
across
here
is
yeah
like
can
you
if,
given
the
same,
build
environment
by
that,
I
just
mean,
like
you,
know,
container
image
os
whatever
packages
yeah
build
script,
source
code
and
parameters?
F
Could
I
rerun
the
thing
and
then
it's
okay
to
say
certain
things
like
secrets
are
things
you
need
to
essentially
re-request,
because
we
don't
you
know,
record
or
log
the
secrets
separately.
I
think
you
know
we
also
need
to
just
sort
of
like
if
folks
are
sort
of
worried
because
they're
like
oh
I'm,
not
sure.
If
I'm
putting
my
secrets
in
the
clear,
I
think
that's
sort
of
a
separate
problem
where
we
say
like
I
would
almost
be.
You
know
if
I
record
that
and
I
go
oh
wow.
F
I
should
not
be
doing
that
and
know
to
fix
it
rather
than
just
sort
of
say
hey.
I
don't
record
my
bills
because
I
might
be
doing
something
silly
in
those
builds
I'd.
Much
rather
know
that
I'm
doing
something
bad
and
go
and
correct.
It
then
just
say
you
know
what
I
might
be
doing
something
bad
I'd
rather
not
know.
J
Got
it
okay?
So
I
think
at
this
point
I
have
enough
information
to
to
bring
this
back.
It
sounds
like
what
I'm
hearing
is
that
the
key
piece
here
is
just
being
able
to
either
repeat
the
build,
as
you
said,
or
reproduce
the
build.
But
the
key
point
is
that
you
have
the
instructions
that
are
necessary
and
we
don't
necessarily
have
to
add
the
value
of
any
environment
variables
in
to
the
provenance.
J
J
J
You
know
we
have
a
lot
of
users
in
a
lot
of
different
scenarios
and
circumstances,
and
you
know
by
and
large
typically
we
don't
see
people
manually
putting
in
variables,
but
we
do
see
them
storing
them
as
environment
variables
and
they
may
even
be
taking
appropriate
precautions
to
mask
them.
You
know,
protect
them,
make
them
hidden
and
so
forth,
but
you
know
those
do
still
ultimately
get
fed
in
and
they
also
reference.
J
You
know
variables
from
other
systems
like
we
have
an
integration
with
vault,
so
they
may
be
referencing
secret
store
stored
in
vault
as
part
of
their
build
instructions,
and
so
you
know
even
if
it's
being
brought
in
in
an
encrypted
automated
fashion,
those
are
still
build
inputs,
and
so
that's
where
we're
running
into
that
confusion
about
how
might
we
meet
this
salsa
requirement
without
exposing
those
secrets?
But
I
think
I
have
what
I
need
here
to
to
move
forward.
J
I
think
the
takeaway,
for
me
is
likely
what
we'll
do
is
avoid
storing
any
values
at
all
in
the
automatically
generated
provenance
and
instead
focus
on
just
pointing
to
the
time
and
location
of
any
build
inputs.
A
Cool,
do
we
do
you
think
we
need
an
issue
here
on
the
salsa
side
to
clarify
the
documentation
around?
This
sounds
like
maybe
based
on
this.
B
All
right,
that'd
be
good
thanks.
Then
we've
got
an
existing
one
around
reproducibility,
where
I'm
going
to
add
a
couple
of
the
comments
from
this
discussion.
But
if
you
could
find
one
about
the
the
initial
confusion,
the
build
build
instruction
piece
that
would
be
useful.
A
Cool
the
next
one's,
pretty
pretty
easy
or
pretty
short,
we've
been
there.
We
chatted
last
time
about
the
community
spec
and
adopting
that
within
salsa,
we're
working
through
that
and
hope
to
have
a
proposal
to
come
back
with.
A
With
there's
a
few
outstanding
issues
that
we
need
to
get
through
around
the
scope
of
salsa,
which
I
know
is
a
work
in
progress
thing
in
the
governance
because
we
have
a,
we
have
a
governance
structure
now
with
the
steering
committee
and
so
looking
at
that
again
so
hope
to
have
more
updates,
probably
next
meeting
and
then
the
one
thing
here
is.
We
do
need
some
points
of
contact
for
the
code
of
conduct
melba.
Thank
you
for
volunteering.
A
H
Just
to
just
to
raise
awareness
of
this,
this
blog
post
brandon
created
a
pr
for
it
recently.
This
is
a
revision
of
a
document.
I
posted
the
community
a
few
weeks
back.
H
You
know:
we've
incorporated
some
feedback,
we've
taken
a
pass
today
tonight,
I'd
love
to
get
feedback
broadly
from
the
community,
and
the
link
is
in
slack
there's
a
little
bit
of
discussion
and
slack,
but
to
abhishek's
point
I
think
the
most
productive
thing
would
be
to
move
discussion
comments,
feedback
disagreements
ads
to
the
pr
itself,
and
so
I
invite
everyone
to
do
that.
Thanks
in
advance
really
appreciate
your
input
emmy.
I
appreciate
your
your
input
as
well.
H
I
know
you
gave
some
feedback
on
early
draft
michael
same
to
you
as
well.
I
appreciate
that
I'm
so
so.
Please
look
for
your
your
previous
feedback
to
incorporate
it
in
this
draft,
and
let
me
know
if
you
think
that
it's
not
and
yeah
looking
forward
to
getting
this
out
with
with
y'all's
review
and
approval.
Thank
you.
A
Cool
go
ahead.
F
Oh
yeah,
I
was
just.
F
F
That
should
be
interesting
and
there's
a
bunch
of
initiatives
across
the
cncf
open
ssf
to
start
doing
some
of
these,
like
mappings
and
and
how,
like
you,
know,
who's,
you
know
what
standards
best
practices
are
responsible
for,
what
that
could
prove
to
be
really
interesting,
and
then
I
also
know
that
some
folks
have
been
chatting
about.
Could
we
do
like
a
salsa
oscar
model,
potentially
once
maybe
we're
a
little
bit
closer
to
like
something
like
1.0.
H
That's
a
it's
a
great
idea,
and
I
think
you
know
it
comes
back
to
the
idea.
You
know
joshua's
proposal
for
the
work
streams.
I
think
that
would
be
a
you
know:
alignment
with
adjacency's
work
stream
topic
could
be
hostile.
I
think
that
the
mapping
thing
has
been
super
interesting
to
think
about
ssdf,
because
there's
definitely
the
mapping
in
terms
of
the
you
know:
salsa
requirements
to
ssds
tasks
and
practices
and
there's
a
question
of
kind
of
the
scope
of
the
coverage
there.
H
Just
that
you
know
the
recommendations,
requirements
themselves
and
I
think,
there's
also
a
useful
comparison
to
be
made
between
ssdf
and
sales,
with
ssd
being
a
descriptive.
You
know
non-prioritized
non-sequenced
set
of
tasks,
whereas
salsa
is,
is
much
more
prescriptive.
It's
implicitly
sequenced
by
the
levels.
H
I
think
it
actually
makes
ulcer
an
interesting
and
useful
complement
to
ssdf
that,
if
salsa,
it
feels
to
me,
has
the
flavor
of
a
transformation
framework
where
you
know
you
can
grab
on
the
the
bottom
rung
of
the
ladder
and
whatever
rung
you're
on
the
next
rung
is
usually
within
reach.
You
can
climb
them
up
better
climb
up
these
rungs.
I
think,
just
from
a
a
pragmatic
standpoint,
I
really
like
the
approachability
of
salsa
and
for
folks
who
aren't
skilled
in
the
arts
of
interpreting
and
complying
with
government
regulations,
so
do
do
yeah.
H
I
definitely
encourage
you
all
to
take
a
look
at
the
blog
post
draft
with
with
those
two
things
in
mind:
the
kind
of
the
scope
of
the
requirements
and
how
they
map
and
but
then
also
that
the
nature
of
the
two
frameworks
themselves
and
how
those
approaches
differ.
F
It
oh
emmy,
it's
up
next.
L
I
wonder
why
it
happened
last
time
too
yeah
hi,
I'm
emmy
eddie
from
red
hot,
so
one
I
must.
I
might
have
missed
this.
The
very
beginning
do
what's
your
like?
Do
you
have
an
estimated
time
on
when
this
will
go
out?
Isaac.
H
That's
a
good
question.
I
mean,
I
think
that
the
last
last
blog
post
we
did
along
these
lines
was
with
salsa
and
s
bomb,
and
I
think
that
was
kind
of
that
was
in
this
review
period
for
about
a
week
or
so
it
would
be
great
to
aim
for
that
that
same
amount.
But
I
I
dare
say
you
know
we'd
like
to
get
you
know,
broad
consensus
and
then
folks
nodding
along
with
the
content
in
the
blog
post.
H
L
Okay,
so
a
couple
of
thoughts
here
I
made
an
a
note
in
the
in
the
document
itself
about
the
mapping
piece,
so
I
have
a
I
have
that
mapping
in
a
spreadsheet
of
like
each
control
and
which
ssdf
control
like
which
ssdf
line
it
goes
to,
but
there's
also
excuse
me
nist
sp
800-161r1
that
has
extensive
detail
in
it.
That
also
directly
maps.
L
Is
that
something
that
we
wanted
to
mention
in
the
blog
post?
It's
just
another
resource
for
folks.
Looking
into
salsa
right,
I.
H
Think
that
that
would
be
great,
would
you
mind
paying
that
to
me
at
me
and
I
can
I
can
take
a
look
and
where
we
might
anchor
that
in
the
blog
post,
that
would
be
great
yep.
I
think
the
other
thing
I
mean
since
since
you're
here
that
you
raised
a
really
interesting
input
on
the
last
draft,
around
automation
and
tooling
itself,
and
I
think
there's
I
think
it's
it's
a
good
point.
I
think
that
salsa
definitely
needs
an
automation
and
tooling
component.
H
It's
not
clear
to
me
the
extent
to
which
we
think
of
tools
and
automation
as
within
the
scope
of
salsa
itself
versus
you
know
the
enabling
ecosystem
around
salsa,
and
so
I
I
think
your
your
point
of
view
is
is
well
taken
that
you
know
tools
and
automation
are
an
essential
piece
of
making
salsa,
ultimately
scalable
and
adoptable,
but
the
specification
itself
doesn't
speak
to
or
or
cover,
automation
or
tooling.
I
don't
know
what
other
people
think
about
how
people
think
about
the
scope
of
salsa
in
that
frame.
K
I
could
make
a
comment
on
that.
This
is
eric
in
context.
You
know
in
the
best
practices
working
group
and
the
tooling
working
groups
for
openssf.
This
is
the
topic.
That's
come
up.
I
brought
some
of
this
up
before,
but
it'd
be
great
to
actually
have
some
cases
shown
with
some
example.
Pipelines
put
together
that
adhere
to
the
salsa
framework,
based
on
the
tools
that
are
suggested
in
those
working
groups
and
having
some
actual
actionable
workflows
and
cases
that
show
each
level
of
salsa
compliance.
K
H
Eric
I
mean
I
it
feels
like
I
mean
potentially
there's
I
mean
I
know
we
had
tooling
as
a
proposed
work
stream
and
and
potentially
that's
something
which
that
work
stream
could
pick
up
is
looking
at.
You
know
what
are
the
key,
you
know,
kind
of
user
or
practitioner
journeys
are
around
salsa
and
what
tools
today
support
them?
H
Either
custom
build
tools
for
salsa,
specifically
or
you
know,
tools
that
are
existing
in
the
ecosystem,
which
are
adding
support
for
salsa
light
github
actions
you
know
like,
but
I
think
I
I
really
like
that
framing.
I
I
L
L
Just
to
like
tack
on
to
that,
and
the
reason
I
put
it
into
the
blog
post
is
based
on
the
content
of
the
blog
post
you're
targeting.
How
is
this
consumable?
L
There
are
a
lot
of
frameworks
out
there
for
a
lot
of
different
security
things
and
it's
extraordinarily
overwhelming
for
what
we
what
was
mentioned
in
the
blog
post,
which
is
organizations
that
are
smaller,
that
don't
have
these
large
engineering
organizations
in
them
and
don't
know
how
to
tackle
it.
L
We
need
to
rethink
that
control
and
how
we're
putting
that
out
there,
because
it's
not
going
to
be
a
customer,
is
not
going
to
understand
that
we
can't
verify
that
salsa
requirement,
so
we're
never
going
to
be
able
to
meet
it.
So
having
automation
in
mind
at
the
same
time
as
we're
creating
a
framework
at
the
same
time,
we're
talking
about
the
framework
is
going
to
increase
adoption
right,
and
so
that's
that
was
my
intention
of
kind
of
highlighting
that.
H
That's
a
great
point,
and
let
me
take
that
and
make
sure
we
do
weave
that
in
to
to
explicitly
say
that
you
know
the
salsa
working
groups
considers
automation
as
a
as
a
critical
piece
of
adoption
we're
working
on
it.
We
have
our
attention
on
it
and
there
there
is
a
work
stream
around
it.
I
think
your
right
is
an
important
point
to
land
that.
Yes,
we
consider
that
the
tooling
ecosystem
around
salsa
is
critical
to
adoption
and
we
have
a
focus
on
it.
F
So
two
things
along
those
lines.
One
is,
I
think,
also
one
of
the
things
that
you
know:
it's
not
the
the
the
autumn,
not
just
the
automation,
tooling,
that
helps
us
sort
of
achieve
salsa,
but
also
like
there's
kind
of
a
a
hierarchy
of
like
you
have
your
ssdf,
which
is
very
descriptive.
You
have
your
salsa,
which
is
prescriptive,
but
still
sort
of
very
agnostic
on
how
you
sort
of
get
there
and
then
there's
kind
of
a
level
down
there
of
like
if
you're
in
the
cloud
native
space.
F
This
is
more
of
what
it
looks
like
for
you
and
then
here
are
specific
examples
and
one
to
just
call
out
just
because
it's
one
of
the
things
I
run
for
the
the
open,
ssf
supply
chain,
integrity,
working
group,
there's
a
tool
called
fresca,
which
is
sort
of
built
on
top
of
like
tecton
and
tecton
chains
and
and
key
verno
and
other
open
ssf
and
cncf
projects
that
do
do
have
examples
of
sort
of
like
salsa,
one
two,
three
sort
of
pipelines
and
so
that
it
also
helps
sort
of
show
like
hey.
F
If
you,
if
you're
doing
these
sorts
of
things-
and
you
know
you
don't
have
signing
keys
or
whatever
we
can
do,
salsa
one.
For
you
know
this
is
what's
also
one
would
look
like
if,
if
you
have,
you
know,
signing
keys
and
a
build
service,
this
is
what
salsa
2
does
for
you
hey
if
you're
using
spiffy
spire,
and
you
know
very
short-lived
identities
where
we
can
sort
of
do
more
of
that
non-falsifiability.
A
E
No,
I
I
can
just
give
a
quick
overview
if
you
want
okay
yeah.
So,
let's,
let's
begin
so
last
year,
we
noticed
that
salsa
exists
basically
fresh
as
it
was
published.
We
went
and
presented
that
to
our
management
and
management
likes
it.
They
like
having
certifications
like
showing
something
off
and
so
on,
and
they
tasked
us
this
doing
gap
analyzers
to
see
what
exactly
is
missing
with
our
build
service
with
our
product
development
and
they
set
us
the
goal
to
have
something
to
announce
here
at
susicon.
E
Zuzicon
is
happening
this
week
so
started
two
days
ago,
just
to
emphasize
that
zuzer
is
focusing
really
on
supply,
chain
security
and
improving
supply
chain
security,
so
we're
coming
to
scissors
from
the
outside,
so
we
haven't
been
able
to
really
participate
mostly
of
time,
constraint,
issue
and
so
on.
E
So
we
implemented
this
from
looking
at
from
the
outside,
on
your
web
pages,
on
your
documentation
on
your
standards
and
so
on
so
and
and
worked
from
that
from
that
angle,
our
museum's
enterprise
products
are
built
by
a
build
service
that
we
also
call
it
build
service,
something
that
suse
has
developed
on
their
own
core
and
also
open
source
called
open
or
open,
build
service,
and
we've
been
doing
that
for
15
years
plus.
So
it's
also
second
generation.
E
So
there
was
something
before
that
it
was
derived
from
and
we
have
actually
been
through
criteria
certification
on
top
of
that
found
that
kind
of
similar
to
what
zeiss
is
achieving
saisa
is
more
descriptive,
more
focused
on
actually
the
build
service
parts
so
that
we
also
really
like
that.
That
part.
E
So
we
went
and
took
a
look,
so
what
the
build
service,
what
a
good
service
is
doing
for
us
at
zoos
is
that
it
manages
our
packages
that
in
turn,
gets
built
into
rpms.
Mostly,
it
stores
the
package
in
separate
projects
and
copying
them
between
projects
is
there's
an
abstraction
called
submit
requests.
You
can
think
of
it
like
a
pull
request
that
can
be
handled
by
that
can
be
yeah
that
can
be
monitored
by
that
can
be
reviewed
that
can
be
accepted
by
humans
or
bots,
depending
on
the
configuration.
E
So
it's
quite
flexible,
we
modeled
our
release
process
on
this
kind
of
sources
come
from
one
place,
one
project
to
the
other.
We
modeled
our
release
process
on
top
of
that
go
for
our
zoozo
product
and
also
for
our
cess
products.
E
So
the
build
cell
stores
these
sources.
It
actually
builds
them
in
these
kind
of
projects
in
this
kind
of
hermetic
setting,
and
even
as
I
joined
zuzer
like
20
years
ago,
it
was
already
doing.
Change
group
builds
that
turned
into
kbm
builds
that
turned
into
focusing
on
these
builds
in
the
build
cluster
in
a
separate
data
center.
E
So
it
does
the
source
management,
it
does
the
build
management
and
in
the
end
it
produces
and
also
science
rpms.
It
collects
rpms
into
ftp
trees
into
isos
into
container
images
these
days
or
several
forms
of
public
cloud
every.
So
it's
something
really
from
checking
in
resources
to
have
in
the
final
binary
site.
E
So
we
took
a
look
and
the
kind
of
build
part
like
the
semantic
ephemeral,
these
kind
of
conditions,
at
least
what
we
read
from
the
standard
we
are
meeting
and
we
communicated
that
back
to
our
management
management
said:
please
reach
out
to
level
four,
at
least
for
the
0.1
standard.
So
we
interpreted
that
and
went
through
that,
so
we
had.
E
What
we
had
to
do
in
the
last
month
is
that
we
really
had
to
do
more
enforcement,
so
we
had
some
policy
enforcement
of
two
person
reviews,
but
as
far
as
we
understand
science,
it's
really
mandating
that
it's
technologically
enforced
and
not
policy
enforced.
E
So
that
was
a
bigger
change
that
we
had
to
go
through
and,
of
course,
the
whole
provenance
topic.
So
we
really
started
generating
provenance
from
scratch
in
our
tooling
so
that
the
build
service
was
keeping
this
kind
of
built
environment
structure
already,
but
in
an
internal
form,
an
internal
xml,
plain
text
blob.
So
that's
something
that
our
team,
our
build
service
implementation
team
worked
on
to
generate
in
total
provenance,
and
it's
something
where
we
reached
a,
I
think,
a
good
level.
We
still
need
to
think
with
the
actual
in
total
efforts.
E
If
that
is
all
meeting,
what
is
what
is
wanted
there?
What
is
needed
there,
yeah
so
with
with
administration
with
the
common
part,
is
this
fourth,
fourth
pillar.
That
was
a
bit
interesting
because
at
the
same
time
that
we
are
using
the
build
service,
a
separate
team
is
also
developing
it
and
operating
it.
So
that
kind
of
challenge
like
the
operation
challenge,
that
it
also
needs
to
have
the
similar
restrictions
similar
as
a
only
as
small
human
interaction
as
possible.
E
Two
personal
reviews
also
for
administration
class,
that
that
is
interesting
for
a
devops
style,
developed,
build
service
a
bit,
so
there
we
had
to
do
some
adjustments
to
to
help
with
that
yeah
and
so
yeah
so,
and
I
also
offer
the
white
paper
together
so
on
with
our
documentation
team
on
a
very
quick
basis
that
I
not
sure
if
I,
if
you
have
feeling,
but
it
wasn't
an
email
thread,
I
can
supply
that
so
yeah.
E
So
we
you
see
us
basically
as
implementers
that
just
looked
at
this
from
the
outside
took
all
the
points
and
went
through
it
and
of
course
we
want
to
continue
this
work.
So
we
see
that
we
can
join
the
community
calls
here
and
follow
up
the
further
standardization
approach.
So
they
are
looking
at
the
1.0
standard
that
you
mentioned
earlier
and
if
we
can
meet
that,
if
you
can
also
help
influence
that
a
bit
or
help
you
help
here
and
this
with
our
view
on
linux
distribution
development.
E
So
I
think
that
is
a
very
short
seven
minute
summary.
A
E
A
Yeah
be
great
if
you'd
be
interested
in
doing
a
blog
post
on
the
salsa
blog
too,
as
kind
of
like
a
case
study,
I
think
we've
been
talking
about
trying
to
get
more
of
those
and
it'd
be
really
helpful
to
see
how
someone's
actually
achieved.
F
F
Oh
yeah
yeah,
I
think
one
of
the
things
I
know
I'm
very
interested
in
is
like
yeah,
it's
like
you're,
generating
this,
this
salsa
provenance
metadata.
You
know,
how
are
you
distributing
that
to
let's
say
the
end
users
or
how
can
they,
how
are
they
consuming
it
so
that
somebody
on
who's
consuming
these
packages
can
go
in
and
say
yep?
I
I
validated
that
this
is.
You
know
a
salsa
4
package
coming
from
susa.
E
So
currently
we
put
the
json
files,
besides
our
rpms,
so
on
our
ftp
trees,
not
sure
if
there's
anything
better
so
that
we
have
not
looked
into
that
deeply
yet,
and
also
how
to
do
this
for
isos.
If
we
can
merge
that
or
if
you
can
put
this
in
a
bigger
blob,
also
containers,
that's
something
we
have
also
not
not
yet
deeply
looked
at
yeah
and
the
real
angle
like
how
can
users
look
at
that?
That's
also
an
open
topic
that
we
need
to
investigate.
B
So
I'm
curious
if
this
is
implemented
by
default
in
all
open
user,
build
service
instances
or
if
it's
just
like
for
the
enterprise.
B
E
Sorry
yeah,
so
this
is
implemented
in
our
open,
build
service,
open
source
instance,
and
we
have
so
both
our
ex
our
two
hosted
instances
for
open
source
and
our
hosted
instance
for
the
internal
slash
development
is
both
generating
the
provenance
now
yeah
cool.
B
Find
a
link
on
the
for
like
tumbleweed
and
link
or
something
and
have
a
look
at
that
thanks
yeah,
we.
E
Had
a
bit
of
trouble
with,
I
still
have,
I
think,
on
my
item,
how
to
get
covenants
signed
and
how
to
verify
signatures.
That's
something
I
still
need
to
find
out,
but
so
we
are
still
we
are.
We
are
already
doing
this
wrapping
base,
64,
encoded,
strapping
and
signing,
but
how
to
if
the
signature
is
correct.
I
have
not
yet
looked
at
that.
This
was
an
open
topic
for
me.
F
Offline,
I
can
definitely
point
to
the
right
direction.
I
think
a
lot
of
the
six
store
folks
have
you
know
good,
as
well
as
the
entota
folks
have
have
good
thoughts
around
that.