From YouTube: SLSA Positioning Meeting (January 24, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A: Okay, oh, you said, give me a minute: I was trying to figure out what you said and I was asking. I was like, what did you say? I didn't hear you. Okay, all right, now, Bruno's not gonna be with us today; he is traveling.

A: Okay, it's two past; I'm sure we'll have people trickling in.

A: But we can go ahead and get started. So let me share.

B: Let me also open the document: it's not opening. Okay.

A: So there's this blog and I'll put it here. I forgot to mention it last week, and so I put at the end of the notes that they're trying to release this blog on SLSA and in-toto and what it means, etc. So if folks are able to, you know, do a review, that would be great, to get a different set of eyes, because the majority of the folks that have reviewed, I believe, are from the in-toto community. Okay, I don't recall, yeah.

A: No, Marcella does SLSA too; that's pretty much it, so I want some more SLSA eyes on this.

A: If possible. I think it's a great blog. I think the only big concern I had was around the "predicates under development" section, because this blog read as though they are trying to advocate for software supply chain attribute integrity versus it just being a bullet item. So it seemed more like SLSA and software supply chain attribute integrity, not in-toto and SLSA. So that was my biggest feedback for them.

A: This feels like it's forced in here, so any other eyes on this would be great, just to make sure that I didn't miss something, because again, there's not a lot of SLSA eyes on this right now.

A: Thank you, Leon, for joining, and I'm gonna put the notes here so folks can sign in, so please, please, please sign in. Okay, so what we should do today: I'm looking at the timeline, first draft 1/24, okay.

A: Right, so we need to finish the abstracts today. That was our goal. So let me put this here, right: final review by 1/31. So if we can kind of succinctly say, you know, this is the abstract for this particular talk or, you know, lab or whatnot, then we can start communicating that to the other SLSA leads to see what they think. Now, one thing I don't have on here, because I had assumed that Mark and Joshua were working on.
A: This is the SLSA 1.0 update, right. We don't have a title for that, so I'm gonna ask Josh and Mark if they are already working.

A: Ask, so that's one action item that I've been meaning to document, and if I don't write it down, I forget. Okay, so we're good with the titles.

A: The person coming up with the abstracts or title, but I'm thinking like "come and join the SLSA", is it called? It's SLSA work group, no.

A: Is it called, because the Supply Chain Integrity working group, so what is SLSA considered?

A: I'm not trying to recreate the wheel or anything like that. This is, this fashion, is.

A: Not benefits.

A: What's the word that, collaborate, that's not the word I'm thinking of: how to participate or how to join the community.

A: Benefits. I feel like there's something else here that we need, like another.

A: On this abstract, I know there's somebody else in here, and thank you again; feel free to wordsmith it if you need to.

A: Thoughts on the, any additional thoughts, Jay or, hey, and if I'm mispronouncing your name, Leon.

A: Got started, their biggest challenge to adoption and, you know, was.

D: That last one, the planning and transition from B1 to 1.0, I think that went to the "provide more"; that one could present more questions and answers, man, because I mean the routes taken open as it is close the conversation that might be happening, that we don't get the chance to hear, right, along with all the stuff that's happening in the open, and the only reason why I say that is because I mean you have. You went from just the build source without a provenance.

A: What do they do? Okay, okay, yeah, so good point. Introduce a cannibals, but I think it's an important topic, right, to touch at least one time in one of these talks, right, because people are going to want to know, like, okay, should I start with version 0.1 and then transition to 1.0, or, if I'm already on version 1.0, or I think I'm on version 0.1, right.

A: How easy might it be to transition? I feel like that could be a subtopic for this SLSA 1.0 update. I think it's definitely relevant for that one. Thank you for that feedback, Jay.

B: So we do have application security framework, software supply chain cyber security framework. Others, like, you know, some complaints, so many things are there, so SLSA is also there, so where exactly it fitted.

A: Yeah, but there's more than just SSDF for the NIST standards; there's also C-SCRM.

A: So that's why I wanna keep it at a higher level of which standards we'll talk about, but this is what you're referring to: it's this talk, not the SLSA 1.0 update down here, right.

B: Yeah, and also I think we have already mentioned somewhere, like, SLSA is not an application security framework. It is actually a software supply chain cyber security framework.

D: That's so.

B: It's definitely, it's not like, it's not related with, or it may be similar too, but it's the NIST SSDF framework is completely different, but both are, SSDF framework and then SLSA, both are software supply chain cyber security frameworks.

A: Oh yeah, SLSA is defined as.

D: I read that, and I'll say it again. I am not, that we're not there, yeah, yeah.

D: Well, I think that in itself, that's not for us to do, and, of course, if you go up to the higher Supply Chain Integrity working group, we're talking about maybe emerging positioning efforts; all besides the point. Identity is a big key here.

D: The spec itself, I think scope-wise, that's a lot. That's a lot of scope; keep going on there! It's not a security framework. The compliance framework.

B: So, okay, this agreement, Julia played for any applications or building applications only related to that, right, or any other things like building an infra code and.

B: It for the development of the ifp or something, or it can be reapplied on the, like, building an application and standards for an application standard or.

A: In my point of view, it's to build any sort of code, right, regardless of what that code is, right; it could be a script, it could be an application. It could be the infrastructure as code. That's my perspective, Jay. John C, do you wanna chime in?

D: Was for it to be a set of requirements that had to be met in order to ensure that your supply chain was compliant enough to safely build, or safely code, or have safe code practices?

A: Was, yeah, so yes, I think that's, then, if I understand that correctly from you, Jay, from Leon's question, is that it is meant for anything code related that you are building, regardless of what you are building, right.

A: Because you can build a bunch of scripts together, right, to go through the CI/CD pipeline, make sure it does all the scanning, make sure it does all the signing, gets deployed in some sort of container image, right, or it can be an application, a web application.

A: It can, you know, go through this CI pipeline to, you know, do scanning, for example, infrastructure code, so anything code related that goes through that CI/CD. Yes.
A: Something: oh! No! No! No! No! No! No! No! No, that it was a different question: yeah! Okay, so we do have a blog about the trifecta; I'm trying to, SLSA blog trifecta.

A: This one, all about the baseline; it talks about several of, you know, NIST frameworks, right; that's also kind of helps map to, and how the different levels are supposed to map to those different frameworks. So yeah, the new Cybertron was out, so we could use some of this. It probably needs some updating, but we could use this blog as an example. We also have, or is it, there's a spreadsheet in here.

A: Where'd it go? There it is; it's a public Google doc where we've tried to do that exercise and mapping the different controls.

A: But since the controls are changing, number one, it doesn't make sense to do it right now, and two, we were trying to figure out a way of, and I'm not going to say the word, J, we're trying to figure out a way of automating this mapping for us instead of us manually typing the stuff in, because that's what we were doing. So we were at the very least able to do SLSA version 0.1 to SSDF version 1.1 and some of the other things that we had plans, but given that the requirements for SLSA are changing, we're gonna have to revisit this, because this is old, right.

A: So let me put that in here; no, I keep losing my place. Okay, reply: okay, back to abstracts.

D: Yeah, I think that's something that we really do need to iron out, because when we do these talks and all that kind of stuff like that, we get up there talking about the secure... I have issue with a maturity model of any sort calling itself a security framework.

D: Because when you have level one, right, if you say we're SLSA level one, okay, well, what? So in the maturity model, you have a defined, I'm just going by the capability maturity model, right, where you have one through five, and, you know, your three is a defined and, you know, four is managed, five optimal, right, does, because you're. So if you are defined in most organizations, you met the standard, right, to have a defined anything.

D: That means secure, yeah, right. That just means you've met criteria: paperwork, people, process and procedure. You met the criteria for that level, which is what we're saying with SLSA. You can meet level one, two and three. Level four is still, right: they moved level four up to table hell, moved level four off the table, busted out these other instances, but there's still a maturity model element to it, which I still think is great. I think a compliance requirement, I think a maturity model.

D: I think that's excellent, because it allows it to be universal across all of these other security frameworks. You could take these other security frameworks, apply the controls therein, and applying those controls will help you meet respective SLSA levels; agree, yeah, but to say that SLSA is a security framework.

D: I think diminishes.

B: Yeah, I also think like maturity model is the right term, then, because we also define different levels there. So in that case, maturity model will be an apt name for that.

A: Okay, so I'm gonna put that in here so I don't forget, so we can certainly bring it up and make sure we hash it out before the conference. Should any of these topics get accepted, right, that would be fantastic, so, but, we'll see. Okay, so abstract.

D: Also, we have up there mapping to NIST standards. Oh, that conference is in.

A: Okay, is ISO considered a framework?

D: Talking about secure supply chain, I'm not, I can't remember which number that is; hold on a second.

D: My monitor is flickering on and off too, so if you can't hear me for whatever reason, you.

A: Yeah, I know, this is all, see, it says: weather related terrorists. This is not the right one, and that's why I was like, well, maybe it's not.

D: I think 27036 has, there's a part in there about supplier relationships, 27036.

D: I'm pretty sure that this deals with supply chain, software supply chain types of them; I'm actually pretty sure about that. In terms of what exactly is covered in it, I mean, look, what you mean, help we think about open source, right. 800-161 has literally like two controls about open source.

D: Yeah, I mean specifically, well, dash three specifically deals with guidelines for hardware, software and services supply chain security.

A: Put ISO, because I'm gonna forget what that means. I think, I don't do that. Okay, so I think this is a good high level. You know what, what's also is: what's not the benefits, right, mapping to, we'll have to do some research for the actual presentation on which security frameworks are relevant for this audience.

A: Okay, something, yeah, the latest 1.0 specification and how to, I want to say, join the community; I want to say, like, participate in the community or, you know, help collaborate, whatever. I still think this is a good start for a panel discussion.

A: Was worth it; that's a question that you can ask live, but I don't know that I want to put that in the abstract, so I feel like there has to be a better way if the.
A: Okay, what about the hands-on lab slash demo?

A: Hey, we're going to take this code from this repo sample and take maybe, if it's GitHub Action, something simple, right, that we have access to, and take it through that journey, right, but everybody can actually do it on their own. That's my vision! Yeah, I don't want to say that, but that was our intent when.

A: That everybody can bring their laptop if they wanted to, but if they don't have a laptop, that's fine; it would still be demonstrated on the screen. Yeah.

A: We did want people to actually bring their laptops and get kind of acquainted with how this could work. If it's GitHub Actions, fine; if it's something else, fine. I don't think we've figured out the details yet, right. We still have to figure out how to do that, but I think it would be a good way of getting people seeing how SLSA could work.

D: Well, no, I mean, so open. This is up, is open the sub day, but the rest of it's just the open source conference, I mean. But if this is being presented during the Open Summit, then, you know, you can say OpenSSF, because that's where we're working on all this stuff in, right, so it would be, if it's during the Open Summit, it would be good for us to say OpenSSF with everything that we're doing, because that's what we're working on this stuff now.

A: Yeah, and I don't quite know how to write this, right; I'm guessing this is how we would write it, but Supply Chain, Integra, Integrity.

D: Supply Chain Integrity working group, I don't think so. Yeah.

A: It, but.

A: Yeah, oh, that reminds me, I need to put this: the videos for this SLSA specification group are not being posted. The last recording was from November, oh, sauerkraut.

A: Or working group, see, this is what I mean; like, we need to have like catchy abstracts; I'm not good at this. This is everywhere. I wish Michelle was on this call. Michelle was really good at the titles, enjoying that.

A: Discuss how S2C2F, SLSA and Oscar can help you improve your software supply chain.

B: Like, do we need to add a software supply chain integrity or anything required? No, right, account.

D: If you guys can hear me, okay, where were we at?

A: You're fine. I was gonna go look up the mission for SCI; oh yeah, it is, it is, and then I just saw this, "a pragmatic supply chain security framework". So I wasn't sure if that also needs to get addressed in the mission for Supply Chain Integrity.

D: Oh no, I mean no. That, this is the working group's vision, is to have a pragmatic supply chain security framework. Okay, the framework can include maturity model, yep, right, so you have S2C2F. You have FRSCA, which provides tooling for artifacts. Was it for artifact storage?

D: I got a camera, with the camera with FRSCA does exactly; I knew it, I knew last week, camera now compliance, the compliant, meeting the compliance requirements of, or the maturity levels of, SLSA utilizing, I mean you have all of those; I mean that's how they all work together, right, and then you have consumption days and then, and of course, from a producer standpoint, so meeting the maturity levels from a producer standpoint and then, of course, meeting, because S2C2F is also a maturity, also as a maturity.

D: Right, like, I say again, it's if we put, if we take security, the Supply Chain Integrity working group, to create a security framework, you can create a security framework that encompasses the.

D: Right, that encompasses these maturity models, but it would be a security framework that does it. These are maturity models that provide a way to see where you're at implementing the controls from security frameworks.

A: Christ, I think it does, and in my mind I have a picture of, like, a document, and then within that document, having like little, or a box, and within that box, having other little boxes, and that's how I'm envisioning it, right, so I think it's making sense in my head: I'm a visual person, right, so it makes sense, I think so.

A: In case how to improve your.

A: Obviously, I hate that stuff; I hate it, I hate it, I hate it. I think it's just because I didn't grow up with that kind of palate. My palate is more of a Caribbean palate; it's very, it's either a little spicy or, you know, bland, and so that is a very wasabi tasting, like, it's a, like, I don't know, I can't quite explain; it's not wasabi, but they like radish and cabbage, and it's just not my cup of tea.

A: It's just, so yeah, I do not like sauerkraut at all. Okay, I'm trying to think; we have five minutes left. I think we did pretty good.

A: Think, can somebody think of something else other than "if the journey was worth it"?

A: Okay, and then the update, I mean, I'll have to ask to see if they're doing something, but I mean this could be very simple. You know, come and learn about blah blah blah. I think we're pretty good here.

A: Anything outside of the security framework discussion? Is there another thing that we might want to bring up? Framework labeling in slsa.dev.

A: SLSA eyes on it: okay! Well, if there's nothing else, I will send this out, probably tonight, for people to chime in from the rest of the SLSA group, and I think we've pretty.

A: 1/24, so we'll see how it goes. Okay, thanks, folks.