Description
Meeting minutes: https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit#heading=h.pujncb7gxv4f
B
Brimwell, I'm... well, light crowd so far, but we can give it a minute.

D
Oh, hi, my name is Jeremiah. I am working at Anaconda right now, and I'm working on some of our security tooling focused around SBOMs and CVEs, and yeah, I just wanted to sort of pop in and learn a little bit more about contributing, and just sort of be at least a fly on the wall for the first little bit and learn where I can help.

A
Welcome. Okay, oh, Andrew, if you're talking, you've got your mute on, I think, or at least I can't hear you.

All right, we might press on, Andrew. If you get a chance when we come back, we can come back to you, okay. So the first item on the agenda is from Dustin, who sends his apologies. He couldn't be here today. He's drawn our attention to some work being done on the SLSA release candidate, and SLSA basically says that you need to distribute provenance information in order to qualify for level three, I think. It's been a while since I looked at it. The provenance format and what the exact requirements are are now sort of being discussed. There's a link there. Please take a look when you get a chance.

I looked through the release candidate one of SLSA, and there were sort of like a few to-dos in that draft. So I think this is one of the big ones that needs to be worked out, particularly of interest, because I think, as different ecosystems evolve, we will eventually all get around to the business of providing provenance when it is possible to do so, and by that I mean, essentially, you know, documentation.

I'll take that as a no, which leads us elegantly to the second one, which is PackagingCon. Now I don't have a link there, because I only just saw it about 10 minutes ago on Twitter, but PackagingCon ran honestly last year and was attended by a lot of folks. I think it's relevant to this group and I would encourage folks to submit papers for it. It's going to be in Berlin, I can't remember when, again, 10 minutes ago.

It'll be in October. October, oh, that's good! That gives me lots of time to echo with the budget. Yeah, so that would be in October in Berlin. I think it would be a great opportunity for folks to talk about what they're up to in their ecosystems, and also might be an opportunity for us to talk about this group generally as a venue for folks to talk more frequently than once a year.

This might be a record-breaking short session unless anybody has something really controversial that needs to be discussed in the section I haven't added yet, any other business. Well, it would help if I put my cursor down.

E
Yeah, so I'm Andrew. I'm from the Google open source security team. I'm working on OSV, predominantly doing CVE conversion work, trying to get some CVEs into OSV, and I figure if us APAC people don't show up at these APAC-friendly meetings, then they'll probably stop happening. So I thought I'd just walk in and say hi.

A
Yeah, I worry about that myself. Talking of timing, like, we tend to have thinner attendance for the APAC time. I think a lot of folks who are in Europe obviously can't do it, and in the US, at least on the East Coast, it's after hours, yeah. So I do want to keep doing them because, as far as I can tell, about half of GOSST is Australian.

E
It feels that way sometimes, yeah, these days. It's a good chunk in Sydney, yeah.

A
Yes, well, we're all learning about daylight savings, because it's the two weeks during which America advances Daylight Saving and Europe doesn't, yes! So that's why it's blast as well. Was there any other business that folks wanted to discuss? I see, Trishank, that you have your hand up.

C
Yeah, hi. Yeah, I just wanted to add a comment to Dustin's PR, and I'm not sure whether I'm looking at the right spec version, probably not, I'm not sure, but one thing is not clear to me right here, and maybe it's worth sharing my screen. Maybe someone can help answer this, but one thing I didn't see. Where is the thing? Where is the PR when you actually need it? But when I reviewed the...

So let me pull it up. I think it is here. There we go, right. I think when I reviewed the PR earlier, and I'm not sure whether I'm looking at the same page here, but what's not clear to me right now is exactly how you would verify these attestations. Maybe it's supposed to be deliberately weak right now for 1.0, but that's something that I don't see too much.

B
My thinking on this issue, Trishank, is that it's deliberately not prescriptive there, because the sort of requirements are going to differ a lot based on how you're actually deploying this. So you could imagine, like, I like to borrow from Jacques, who very meaningfully distinguishes between, like, software signing in general and, like, authorial attestations, which are what really we want from that, and then the build provenance side of attestations, which are a separate class of things, and these are going to be signed by separate parties, right. And so I think you have in your head, Trishank, and a bunch of the folks in this room have been, like, playing with this ideal kind of supply chain that's got these attestations as one component: you fetch the policy that you use to verify the attestations, which is going to be like an in-toto layout, from something like TUF, right, to make sure you're getting those policies securely. Like, so there's kind of an end goal, dream ideal state that we have in mind, but I don't think we want to hold up, you know, kind of like nailing down some of the formats until we're much closer, or rather, we don't want to wait for that end goal.

Like, you get very, like, cyclic dependencies, I think, is the worry. So that's not knowing a ton about the background of the publication of this specific document, because I haven't been involved in the SLSA discussions, but that would be my hunch, is basically just that, like, there is no one-size-fits-all answer to that question to prescribe. It would require us to spec out, like, this ideal system, which would require a lot of work and maybe not even be a good fit for every package. So.

C
Exactly, you know, I guess this is something that I need to bring up to the SLSA, but, you know, agreed, yeah. We shouldn't hold up SLSA, which I think is deliberately focused on the build track now, for this reason, right. What I'm slightly worried about is the accidental, what's the word for it, bifurcation of verification standard, you know, but I guess we will figure this out all organically.

Oh, I think it could very easily happen accidentally, right, that people will come up with their own standards, and there's nothing necessarily wrong with that. It's just that you're gonna need to write different tooling for different ecosystems. Maybe that's not a bad thing. I'm just worried about how this will all actually play out in practice.

B
Yeah, I think this effort is meant to sort of try to limit the extent to which that happens, right. I think it was inspired in part by npm's build provenance, which is sort of coming out, right, and I think in the near term it's very much going to be every, you know, package manager for themselves in terms of writing a verifier and writing verification policy.

The hope is that, you know, once we have a couple of examples, first, that everyone who's early in creating those examples is talking to each other, so we can reuse, again, like, provenance formats, that's exactly what's going on here, and then, you know, sort of as we see these used in a couple of different cases, you know, we can sort of generalize and zoom out and try to, again, run the verification code not directly in, you know, npm's implementation, but rather npm just shells out to in-toto or something like that. You know, but, like, basically that the verification policy hopefully becomes language agnostic, but I think we can start with it, you know, where it is for now, with, like, special casing in each package manager, and then hopefully, you know, as each component gets standardized in a way that meets all the needs, we can then replace the ad hoc implementations with, you know, shared ones. And I think, again, the formats are what are going to really be killer there.

If there is, you know, like, that's where bifurcation is deadly, you know, bifurcation in implementations is less worrisome to me, because we can converge, we can sort of make them compatible and replace, you know, kind of the specific implementation with a general one. So I'm cautiously optimistic, I guess I would say, but I think you're right to bring it up as a concern and something we should be keeping an eye on, and hopefully that's part of the role of this group, right, is to just monitor, you know, and if it seems like someone's gonna go build something that's fundamentally incompatible with everything else and isn't leading to this, you know, unified vision, and obviously we don't want to impose this unified vision on anyone. But we do want to be able to leverage common tooling and only do things once where we don't have to.

C
No, I think that's a great summary. So my rough understanding is, it seems to be that we're deliberately saying: let's start, let's iterate, right. We're starting with the build track, so we've got build provenance attestations, and probably start adding source track attestations, I wouldn't be surprised, and eventually package registries will have their own kind of attestations. I guess eventually we'll have an in-toto policy to piece all of this together. That's a missing part of the picture too.

B
Yes, exactly, and my hope is that perhaps in-toto is where sort of the drive for unifying all of this can come from, because in-toto is the sort of piece that lets you specify, you know, my package is secure if it was signed by Trishank and it's got a build attestation from one of these small number of trusted build services, and that part, if in-toto understands the attestation format that we're using, right, then I think we're in actually quite good shape.

For, you know, how do you get that in-toto layout, and again, I think that's where the in-toto folks have been talking to the TUF folks, and that scene right now, I think, isn't incredibly smooth, but, like, there's work in progress on how that interaction is gonna go.

Yeah, no, and again, I don't want to be, you know, sort of blithely optimistic. I think, you know, you're right, this is something we've got to keep an eye on, and, left unchecked, you know, open source ecosystems are gonna do what they do best, which is come up with a million incompatible solutions to, you know, which I think is especially problematic in a security context. So I think a lot about that, and it sounds like it's something that you think a lot about too, and a lot of other folks on this call. So let's keep having this discussion, I think, but I do see a path forward.

A
That's an interesting discussion. Definitely, speaking for myself, avoiding unnecessary proliferation through mutual persuasion was one of the things that I sort of thought we could achieve in this group, and why I helped set it up. Still, any other business that folks have, or should we wrap up early and go our separate ways?

Going once, going twice, sold to the man with the blue hat. Okay, everybody, we will see you next time at the EMEA-friendly time, that is 10, I think, a.m. Eastern time. I can't remember what it is UTC and I wouldn't even try to guess at the moment. As usual, it will be on the calendar. I've written some notes on how I thought your conversation went. Please check to see that I didn't misquote you or, you know, create legal obligations that you'll regret for the rest of your life, that sort.

All right, well, thank you, everybody. I hope you have a great day, evening or afternoon, as the case may be, and we will see you next time. Thanks very much, thanks, bye.