Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SLSA Biweekly / 10 Mar 2023
OpenSSF / SLSA Biweekly / 10 Mar 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SLSA Tooling Meeting (March 10, 2023)

Description

Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj

A

And we'll give it a couple minutes for some folks to join.

B

So guys Mike I, don't know what you're looking at but you're frowning. You don't seem to be very happy.

C

I'll stop editing, so we don't messes up.

D

All right, we can get started here.

E

Just as a reminder, this meeting is being recorded.

D

It'll be uploaded to uh YouTube um shortly after, and your participation in this meeting is an agreement to abide by the open, ssf code of conduct.

D

um Okay,.

E

Cool, uh so we don't there's not really much of an agenda uh right right now, um I know: 1.0 uh draft has gone out. uh We have the request for or it's open for comments. um Sorry, the release candidate, um it's open for comments. uh Beyond that I know we have some tracking issues across and I. I have um also a.

D

Cracking issue Within.

E

Salsa.

D

Itself.

F

Let me just go in here.

A

um As well uh and I believe that's in the notes, if it's not I'll, just post it again. um Second.

D

um Just for uh tracking.

E

um 1.0 support in the various tools.

E

Beyond that, um I don't know if anybody else has any updates regarding anything in 1.0 um I know: Frederick I, don't know. If you you were able to create an issue for the npm CLI. Sorry.

C

I have not continued to bug me and I will make sure it happens. Yeah no problem.

E

Also, if anybody else thinks that there's other tools out or knows of other tools that are supporting 1.0, oh sorry, supporting salsa or plan to support this also or supporting salsa I need to support 1.0 or whatever uh feel free to to add that, to um you know, add a tracking issue on that side and.

D

um And and so on,.

F

Yeah.

E

And uh yeah: that's that that's about it on that one! uh Does anybody else know of any other tools that that are maybe not on that list that should be on the list.

B

Wasn't there some effort for paipai to also support sofa.

E

Yeah I think so: um I haven't I, don't know any of the folks who might be working on that. um So I'm.

D

Not sure who I should be reaching out to to.

C

Yeah, that's a.

B

Good point I, don't know either, but that would be another package uh ecosystem that would seem to make sense to her on that list.

B

I don't know you know that I would nicely put things for which this seems like completely. You know uh new, but.

B

This case I think there's work going on, so maybe we need to figure this out.

E

Yeah I can definitely um uh so I know that a few of the folks from Google have been doing some stuff regarding python support. So I wonder if they might know some folks, um yeah, I'll, I'll ping them and and see.

E

Okay,.

G

Mr Michael I'll, see if rasca in in that issue you mentioned, but faster, is the solution right. So it's composed of bunch of tools um how you plan to certify that.

E

So, um generally, it's probably just going to be the tecton support that that gives us. This gives us the the 3.0 um stuff the thing about it, though, is, is right, like tecton chains, at least to the way it's set up uh or architected. It can't support um salsa 3 without uh without um spiffy spire or.

B

Some.

E

Sort of workload thing and so Fresca um once the tecton chain stuff goes through. uh We can immediately support salsa 3 and the salsa 1.0 um spec and everything else uh uh there. So I think it's more just trying to capture like if there's anything else that we would sort of go above and beyond tecton, um but yeah I I.

E

It's not necessarily like uh I, think it's more just uh tracking to make sure that once like tecton chains, anything else that might need to change in order to support all the 1.0 requirements in Spec that that Fresca then updates its requirements, uh its dependencies on tecton to um be updated to the latest version of chains and whatever else that's.

A

Right, yes, yeah thanks.

B

By the way, the salsa Dev website as a get started page, which was just updated and uh it does point to various tools, I think it would make sense for people to have a look at this in this group and see, if you know any additional stuff should be in there. It's pretty limited right now um we focused most of the information uh freely available tools, there's a table at the end that lists more especially Google Cloud build.

B

But um the expectation is that you know that we could add to this list and eventually there should be some government conformance certification program set up. That will give a more complete list, but for now anything can be added to that list. We're taking it on. You know we accept any claims, basically, there's no process to verify.

B

That's why there's a disclaimer that says: hey, there's! No, you know yeah I've come and Sue open, ssf it's. This turns out to be wrong when you think of that nature, but this is trying to help people find their ways to tools that might help them get there.

G

So I know is it under salsa Charter to have the certification program.

B

It will be eventually that's the plan. Oh okay,.

G

Because anyone can come say: okay, this is us and then we ourselves 30 minutes ago, certified okay.

B

Yes, that's the problem. Yeah and I mean you know this is this, is nothing new in the standard space right I mean we have this.

F

Problem and.

B

And that everybody goes through the trouble of funding certification programs that put a little bit of the goal framework around those claims. In this case there has been discussions about doing this for salsa there is a proposal, that's been floating around uh it it. You know it's not an easy task to put together yeah.

G

Stuff allocated.

B

To managing it, you need a legal framework, so it needs to be reviewed by the LF lawyers. I mean LF is no foreign.

B

For uh kubernetes, for instance, that I've been pointing to that can be used as an example which is within the LF umbrella. So we know if we were to use a framework similar to that it should be fairly easy to get the uh the ls lawyer happy.

B

But it's still, you know you still need some kind of resources are located to managing it because I know from the what's going on on the cscf side, and here kubernetes you have to keep pinging people and there's a whole process making sure the claims still stand and so on.

E

Let's see yeah yeah and it's also a delicate balance between what the open ssf itself takes on versus what the open, ssf, let's say, certifies like Auditors to do, and and how do you make sure that that's like that process is also relatively open to as many people, and you know all that good stuff, yep.

G

I just think this follows to our discussion right. We had when we wrote that cncf reference architecture like we are not saying it is. We are certifying anything. These are guidelines, yeah,.

B

Up to.

G

Everyone's discussion to determine aware of certifying anything that this protect on. If you use this, this is certified with that reference.

E

Yeah and I think it's it's a it's a delicate balance, because I I think also one of the other things that's come up. Is you know some folks are like actually I want you to tell me what I should be doing and um including like what tools I should use, but of course that means like.

E

If you tell people hey, you should use this tool um it it can potentially lead to. You know. Obviously uh uh uh you.

D

Know, winners.

E

And you know, like you just end up with folks who, who yeah everybody, will join a particular meeting all from a particular company and just be like? Oh yeah, we vote this thing in yeah. Oh.

B

That never happens.

E

Of course, not no, um uh or vice versa, right where you know somebody comes in with a project and everybody from you know other competing interests, all voted down or whatever it's it's. uh It's it's complicated and I.

E

Think the the thing that I think is worthwhile with the the salsa stuff is Yeah by having something like a conformance program and making sure that, from an audit perspective, whoever can be certified to do an official, open, ssf audit, whether it's the open, ssf itself or it's, the openssf defers to certain companies to be able to do that.

E

um That certification process needs to be open, and you know anybody can join as long as they're, obviously operating within good faith and and doing all the right things, um and then it's still up to the actual like end users, to like, say: yeah, I I, you know I support. Let's say like one of the big audit firms over you know some random company or hey I. Don't have the money to to to. uh You know hire one of these bigger ones.

E

I have a you know, but this other one is still certified by the open, ssf or whatever um I think that's going to be. uh It's gonna be an interesting balance.

B

Yeah and it's especially difficult if you cannot have like a test Suite but as you can just run and say, yeah I'm running the test suite and it says I'm complying. You know when it becomes a lot more like subjective based on the fine. You know analysis it becomes much harder to enforce any kind of you know. Verification system that uh makes those claims move verifiable.

E

Yeah yeah, especially when you have stuff like the the build service stuff um so I, know that, like uh actually one of the interesting tools um from Oracle and once again this is just like a from like one of the the researcher. You know, research, open, source sort of teams over there has been doing um this thing called macaron, uh which is a tool that is intended to be, like you know, generate those reports and be able to kind of try and verify, but it still relies on right now.

E

Oh you're running on one of the known good, build services like GitHub actions right, but even something like Fresca itself. Unless it's like a running service of Fresca, you have no way of knowing whether or not somebody's actually running Fresca. There's some.

E

Obviously you know theoretical work around like the ability to prove yes, you're actually running, like you can remotely attest that somebody is actually running exactly what you expect them to be running from like the software side, um but but I think that's kind of a much longer uh term sort of thing, um but yeah. The macaron thing is trying to do some of that, but obviously they're still sort of relying on the build service to say, like Hey, we're going to verify that.

E

Yes, the claims in here are there and that the um you know the token or sorry. You know what I mean like the keyless signing can be um traced back to GitHub, and so you know it was actually running on GitHub and not somewhere else, um but that sort of thing is makes more complicated if you're running it internally and you want to say, hey I trust this build my internal build service or or whatever.

F

Yeah.

D

What else um I don't want to uh so? What else was there, though, um so.

E

I know uh I don't want to put visa on the spot, but um uh are you still uh working on the npm policy.

D

uh If you you're, muted.

E

Still.

H

Yeah I'm just buying the bottom.

C

Can.

H

You hear me now: yes, actually working on that, but I'm also working on a lot of other stuff that I haven't been working on in all those years that I worked at Google.

H

um So, yes, uh there is a PR number, eight I think under salsa framework um that is going through approvals and then uh I will try to implement something but yeah. There is years and years of neglecting my other projects that I also catching up with so embellishing and balancing embarrassment on one side versus embarrassment on the other side, yeah no.

C

Problem but.

H

But the the intent is that that I I do a uh a uh initial version and then other people can work on it too. It's it should not be All Me by myself. Obviously so yeah that's my priority at this time.

A

Cool awesome thanks.

F

All right, let me actually put that in the notes there for a second, once I find probably too many tabs.

C

If you're looking for the link to the pull request, I added it in the chat mic, oh okay, cool.

D

uh Yeah cool awesome.

A

Give.

F

Me one second here.

D

um

E

And uh the only other thing I was gonna bring up was one of the things I'm looking to work on, mostly just as a um as a little thing to maybe.

C

Hold on.

H

I'm not seeing any smoke yet. Oh there. He is.

C

Sorry about that um one of the cats.

E

Tried to jump up and knocked over a whole thing of pants, so.

F

ah

E

um Anyway, I was gonna, say so um prepping for the 1.0 thing, one of the things I was going to try and do is maybe write up a quick um Library uh or something like that, um whether it's in queue or similar, because so a few folks uh and I think even in this call have been saying: hey it's great, that there's a salsa verifier, that's and all these social verifiers that are verifying like hey.

E

Is it doing all the right things, but there's also just sort of generic like need for a salsa like spec validator of just? Are you following? You know? Are you actually um following the the uh is the Json? Just you know have all the right, um Fields uh or those fields all valid you know like? Is that a valid URI yeah?

E

So that's stuff like the verifiers and whatever can just sort of use it, and so one of the things I was looking at was you know, maybe doing something um and I know we've been looking at? uh We had done some stuff in queue before, um but maybe doing something like either in queue or similar.

E

That can just it's like a super, simple tool that can, you know, verify it, and they could also be used as a library by some of the verifiers down the line that that are, you know, going to be looking at the specs so that everything can kind of you know I mean. Obviously people can re-implement it if they want, but you know the idea there being that hey if they're, building out salsa tools that ingest salsa metadata, oh cool, if I want to verify that it's valid.

E

It's also metadata I can just include this simple library or whatever and I know. This is also related to some of the stuff that that some folks are talking about, with, in total, go into the other ones. That, like could be around some common um I guess common uh in total library or at a Station Library, so that folks can sort of verify a lot of those different things anyway. Just just I was gonna quickly, write up something, maybe this weekend on on that.

E

Yeah beyond that, um does anybody else have any uh anything else uh regarding salsa, 1.0 or or anything the regarding the tooling. um Otherwise we can end a bit early, um I guess: I was just gonna. I was gonna, ask uh Brendan um any.

E

um uh Any updates on any of the stuff coming out of the implementations for uh the various um spec changes to.

C

Oci.

I

You.

C

Might.

I

Know if oci is making progress, um yeah right now now um we're trying, but it's uh it's slow going right now.

I

That that is a very abbreviated version of uh lots of drama.

I

All right.

E

Cool um so yeah, that's uh that's about it here. uh If anybody has anything else, obviously um bring it up now. Otherwise, uh see you all next week and remember: this should have like messages to anybody who might be interested in providing feedback and all that good stuff on 1.0.

A

All.

E

Right cool sounds.

A

Good.

E

See you all uh next week.

G

Thanks.