From YouTube: SLSA Meeting (August 18, 2022)
B: No, so actually Mark organized it. So I tossed in the updates for the tooling one. Okay.
A: And I tossed the meeting notes in the chat. Looks like Melba's gonna be a little bit late and Mark's out. I think... no, he's here. I saw something you're gonna be out. Welcome everybody, good to see you all on screen this week. We just have some updates from all the special interest groups, slash work streams, slash whatever the heck you want to, say, call people doing work and having a meeting. So I think the first one we're gonna start with is the specification work special interest group, SIG. Mark.
C: What we in the SIG have decided so far, and here "decided" means like the working group did it and we'll basically propose it to the rest of the group once it's ready, but just to give an update on what we've decided so far within the group: on versioning.
C: We've agreed that, basically, once we decide for 1.0 on what each level means, we kind of agree we won't change it in the future, just so when people say SLSA 3, it just kind of continues to mean the same thing. Even if we change like some small requirements, the high level just won't change across versions, and that's to avoid confusion.
C: Currently in the specification there's the common requirements at the bottom. If you remember, that is currently unspecified. We've agreed at a high level to replace that with recommendations plus a requirement around evidence of the security claims, where a build system would provide like a white paper or survey or something like that, describing how the design, implementation and operations uphold various security invariants.
C: Another major decision is to postpone the definition of SLSA 4, basically leave SLSA 4 undefined for now for the 1.0 release, given that most of the confusion and conflicts around SLSA are around the level 4 requirements of two-party review and hermetic builds. So we'll just basically defer that to the next revision. And finally, tentatively, we will have two different sets of levels: one for build levels, so like a build level just describes the build integrity, like how trustworthy is the provenance, and a source level describes how trustworthy is the source.
C: So the two-party review piece would be in the source level and not the build, and the reason for this is to allow you to make independent progress without changing how the source is built.
C: In particular, if you use, for example, the GitHub Actions reusable workflow that's being developed, that can't make any claims about whether the code has been reviewed, and this way you could just say you're SLSA X versus saying, well, SLSA X minus the two-party review requirement. And next up is figuring out how to incorporate policy, which is the piece that visa had presented at, I think it was last week, our last meeting.
A: Cool. Anything you guys need help with, other calls from the broader community here to look at, or...
C: I think, like, if you have... you know, everyone is welcome to join, and if you have opinions on the things that we listed so far, we're happy to hear them. I think it probably makes sense to just wait and release it like as a unit, instead of like having to keep trickling people's attention.
A: All right, Melba, are you back online?
D: Yeah, yeah, sorry, my Zoom was updating. So for positioning, we essentially nailed down the key criteria, objectives for when we're evaluating different frameworks and standards, and put the link there. So trying to figure out, where do we put that? Do we put that in some documentation page somewhere in the SLSA GitHub? Right now it's just in the GitHub issue, but it would be nice to put that somewhere so that if other people want to evaluate and help, it's actually posted somewhere.
D: So that's the one question, and then the next thing is, you know, obviously we need, or we're gonna have the SIG participants start evaluating the frameworks, the additional frameworks and standards that we've listed in that GitHub issue.
D: So if anybody else wants to participate, by all means, you can do it offline, but yeah, we're just looking for anyone and everyone that can help. I'm even trying to recruit some IBM legal lawyers or IBM cybersecurity legal that are well-versed in some of the standards and help me map some of the SLSA levels to the standards.
D: So I'm not sure if you have an answer for that. Where do we post something like that?
A: I don't see why we couldn't make a folder in here for positioning. Does anyone see any issues with that?
A: Yeah, I think we can just throw a new folder up here for positioning, or maybe under resources. I don't remember what's in there today. Yeah.
D: Because that actually begs the other question of when we do produce artifacts, like, for example, when we finalize a spreadsheet, or if we have some sort of, outside of blogs, like, I guess, the framework visualization as an example, would we put it under the docs folder, right? So just trying to get a sense of how that would work.
C: For publication to, like, basically the public, or is this just for kind of team, like internal SLSA discussions?
C: Well, I guess either. Go ahead.
C: My question would be that, or at least my default would be, things that we want to, like, publish to the world would make sense to go on the website, and so if we find some way to be able to post things on the website, because that's just easier for people to get to, display... so that was in the docs folder. If it's stuff that's just internal to us, to, like, you know, members of the community that are working on this.
D: Okay, that answers the question then. Yeah, so the criteria would be members only, and it would be obviously in here, but something like the visualization would be more of a website item. Okay, okay, thank you.
D: We also kind of expanded on the initial scope and charter, which is also in the GitHub issue, but we want to submit a PR for it. I know Josh had a document that defined the SIGs, and so we want to, one, get agreement from the broader community on what the positioning SIG is attempting to accomplish and what their scope is. For example, I think there's a mention of like the US government, but there are other frameworks that are from other governments, right, and so where does that lie?
D: ...it a framework anymore. I want to call it a visualization, and supply chain visualization, and so it was a pretty lively discussion on, you know, what changes to make on that visualization to add clarification, and then, you know, start doing overlays: well, this is where SLSA works, and this is where some of these other frameworks and standards, you know, this is what they attempt to address. So just updating that visualization and then putting it back to the community to get more feedback.
A: Cool. Yeah, for the scope and charter, it looks like you're going to submit a PR and then folks can review it. Do you want to discuss that now, or do you just want to...
D: No, I want to clean up the language, because it was very much any thoughts that came to mind from the community. I just put it in the GitHub issue, so I want to kind of formalize it more, because a lot of it overlaps.
B: Sure, so we started off by mostly focusing on building out some categories for the different kinds of SLSA tooling that we think make sense, and so we're also generating a spreadsheet for it, which should hopefully be done soon. But the basic idea behind it is, right...
B: We want to kind of build out a bunch of categories for the tools, so like stuff like building and producing SLSA provenance, distribution and discovery of that provenance, verification and decisioning on that provenance, and then other sorts of related kinds of things, like, hey, does it make sense to sort of work with, you know, some of the packaging ecosystems to see what needs to be done and what needs to be integrated with some of that?
B: So as an example, the npm RFC that came out, I guess it was, I think...
B: Last week. We've been already working with one of the folks who's leading that up from the npm side, Frederick, who's been joining the SLSA tooling meetings, and we're looking at, like, hey, is there effort we can give to sort of, from a hands-on-keyboard perspective, actually help out with things that need to be done from the npm tooling to sort of get it to integrate with SLSA. So we're also looking at potentially other packaging ecosystems like PyPI or whatever else, and then also with other things.
B: On that end. Actually, before I move on, Mark.
C: Yeah, I realize, I don't think... I think it's happened since the last community meeting. It might be worth...
B: Sure, yeah. So for folks who aren't familiar, npm announced, I believe it was last week, it's been a very, very busy few weeks so I don't lose track of time, but npm announced recently that they will be using Sigstore to do signing for npm packages so that we can verify identities. And one of the other things that wasn't in the announcement but was in the RFC is that they do plan on actually integrating with SLSA.
B: So the idea would be, you know, you as a consumer of npm stuff, the goal would be you can run npm install, you might have a set of trusted keys or whatever, and be able to install npm, with some level of... npm packages based on some sort of policy. So you could say, hey, I require npm to have SLSA level 2 for all their provenance for the packages.
B: I download, that kind of thing. That's going to be a very, very long road, but this is part of the work to try and better npm's software supply chain, because given that npm is such a huge ecosystem, with millions upon millions of downloads, it's also one that is often attacked for supply chain, you know, often is involved in supply chain attacks, and so we're looking to sort of see where we can also help out on that front.
B: So yeah, that's one of the pieces of the npm, sorry, one of the pieces of also the package ecosystem integration, so we're looking at that as well. Another thing that is something that we want to maybe, you know, eventually hand off to the adoption group, but maybe is something along the lines of like "SLSA the hard way" or some sort of initial kind of, like, you know, training kind of thing of, this is...
B: You know, some sort of best practices blogs, that kind of thing. And then the other stuff is like other tooling, so things like, we're related somewhat to what's going on in the SBOM world, and are there areas where we can integrate the tooling, and so on. So this is like SBOM. This is stuff like, for example, for the source.
B: If we, when we do integrate source requirements into SLSA, we're looking at stuff like, hey, how do the PRs look and what would the tooling there look like. That's a little bit more long term. And then finally, one of the other topics is what to do about endemic sorts of tools that are related to builds and related to, you know, SLSA at some level, but they're maybe not integrated with SLSA today.
B: So this is stuff like Jenkins, and we know that there's lots of different folks who are starting to poke around with generating provenance through Jenkins. But, hey, can we start to consolidate those folks together so that we don't have like five or six different, you know, ways of doing it in the open source world, and, you know, looking at other build tools too, so to make it clear, right, because I think some folks are also worried that, you know, the primary, you know...
B: Builders for SLSA right now are mostly GitHub Actions, and, you know, there's also Tekton that supports it and fresca that supports it, but I think GitHub Actions seems to be the really popular one that folks are starting to really look at. But people are asking some legitimate questions, you know, about, even though, like, hey, GitLab does support it, there seems to be some confusion about who supports what, and what can we do to also integrate with more open source tools and promote that a little bit more.
A: All right, Mark was reading my mind and added a topic here. As everyone was speaking, I was thinking about the website and it's probably not being updated as frequently as we hope. Mark, I'll let you just talk about this.
C: Yeah, there are certain things that, like, we have open issues for, and I talked about it in previous community meetings, like the implementation leaves something to be desired.
C: There's certain changes, like the way the thing is built, how it's actually implemented, like how much HTML we need, etc., and also like how we do versioning of specifications and stuff like that, and so I'm trying to put together like, basically, a request for proposals on how to, like, maybe contract that out or something like that to make changes. So this wouldn't be content changes.
C: I think, which I think we need someone from the community to write, but just more of the mechanical changes that we could easily, like, describe.
A: One thing I would add, I think the Sigstore folks are kind of bumping into the same issues, so I think they're looking at different frameworks and stuff to kind of rebuild that site on top of. So I know it's worth just chatting, technically, that's of interest, but I think they're kind of in the same situation.
E: And just to chime in for the website, and Mark, I know you mentioned for the specification special interest group, sounds like a political organization, special interest group. I know this specification... you were kind of talking about maybe having different levels for different subcategories, so I could definitely see, you know, updating the website to accommodate those different levels for different categories being relatively crucial. So I think that's probably something you're talking about, right?
C: Yeah, yeah. I'd like the time of, like, the members here to be spent on, like, writing content and figuring out how to do it, and not spent so much on, like, how do I organize the Markdown files or work with this framework or the theme or whatever to be able to organize this way. That seemed like something that we could just, like... you know, that's a generic thing that doesn't require the special knowledge of the people in this group.
C: Yeah, we have one now. It's based on Jekyll and GitHub Pages, but the theme...
C: Requires, like, a bunch of CSS, and, like, you have to sprinkle a bunch of divs and classes all over the place, and to get it to look good is a pain, and like the block quotes aren't formatted correctly, there's no correct spacing between paragraphs.
C: You can't have two submenus in the main menu because, like, when you click one, they both come down. Like, a bunch of, like, implementation stuff like that with the theme. And ideally also, before we have different versions of the spec, right now we just create a different folder and, like, just copy and paste the files and then make modifications. It's not great for tracking version history, because you have to, like, do diffs, and git doesn't really do well for copies, like, by default.
C: You have to use, like, some flag that no one ever remembers to use. And so I'd like to think about, like, can we just do it in, say, a branch, and so we're always building and, like, kind of do it more naturally in version control, and then it's the build process that assembles it into the different versions, sort of like... so the SPDX community, William Bartholomew in particular, is doing something similar for the SPDX docs around, like, keeping track of branches, and when you tag it, it automatically builds.
C: And so I talked to him a little bit about how they're doing it. They're using a different static site generator, they're using MkDocs and we're using Jekyll right now, and so I think, well, at any rate, we're not using MkDocs and what they're using is MkDocs. So the specific implementation he has wouldn't work for us. So there's some amount of, like, work in changing that.
F: Yeah, translating the templates is the time-consuming part. I'm a maniac, so I tried like five different static site generators last year and moved my site between them, and by far the hardest part was everybody had a different layout and different clever ways of defining shared styles.
C: If you have thoughts on this, please reach out. Otherwise I'll just kind of make a proposal based on what I've been seeing in the issues.
A: Cool. Kind of related to Melba's next topic here, I don't have any updates yet on the TAC and the definitions. I'll take it as an AI, though, unless anyone else in the room has updates on what they're up to. I know there's still some, like, just governance, higher-level governance discussion going on there, and there is budget in this foundation. So, theoretically, like, we could put up a proposal that says, hey...
A: We need some help with the website, and see if we can get some support that way. Melba, did you have anything else you wanted to sort of add to this, or...
D: Yeah, it was just more because I don't think I've attended, like, maybe the last meeting, but I know the one that I did attend, you know, was kind of like, well, do we take SLSA out from underneath the Supply Chain Integrity Working Group, right? You know, are we considered a... I can't remember, a working group versus a SIG, right? And there was just a lot of questions of what are they doing with us, so just trying to get an update.
F: The money question has come up a lot in the TAC and in the planning committee calls. Brian Behlendorf had a document which was his take on how the money works, or how money can be obtained, which I've dropped a link to into the chat, and, you know, some of it was through the TAC. Some of it was funds directed by the governing board.
F: There were also the special interest funds, like for Omega, where people have donated money with a specific mission, and then finally there's the streams funding, where there's a bunch of companies that have lined up and said, we have all this money ready, as soon as you come to us with shovel-ready projects we will slap money on the table. So you can sort of fit SLSA into one of those 10 work streams that the mobilization plan laid out.
A: Okay, yeah, I'll try to get some updates, unless anyone else leads me to it, or... right.
B: Yeah, I think, I know we... some of us would like to understand a bit more, because especially when you start talking about, like, hands-on keyboard with some of the open source work, there are folks who are like, hey, I would love to contribute, but without some sort of money or whatever funding to start contributing more to some of the actual features and some of that sort of work, it's hard for some folks to do that.
A: Yeah, okay, all right. Any other last-minute topics? Nope. Cool, all right, have a good day, everybody.