From YouTube: SLSA Tooling Meeting (March 10, 2023)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
D: It'll be uploaded to YouTube shortly after, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct.

E: Beyond that, I don't know if anybody else has any updates regarding anything in 1.0. I know... Frederick, I don't know if you were able to create an issue for the npm CLI. Sorry.
E: Also, if anybody else thinks that there's other tools out, or knows of other tools that are supporting 1.0 (oh, sorry, supporting SLSA) or plan to support this also, or supporting SLSA and need to support 1.0 or whatever, feel free to add that, to, you know, add a tracking issue on that side.

E: And yeah, that's about it on that one. Does anybody else know of any other tools that are maybe not on that list that should be on the list?
E: Yeah, I think so. I haven't... I don't know any of the folks who might be working on that. So I'm...

B: Good point. I don't know either, but that would be another package ecosystem that would seem to make sense to have on that list.

E: Yeah, I can definitely... so I know that a few of the folks from Google have been doing some stuff regarding Python support. So I wonder if they might know some folks. Yeah, I'll ping them and see.
E: So, generally, it's probably just going to be the Tekton support that gives us... this gives us the 3.0 stuff. The thing about it, though, is, right, like, Tekton Chains, at least the way it's set up or architected, it can't support SLSA 3 without SPIFFE/SPIRE or...

E: Sort of workload thing, and so FRSCA, once the Tekton Chains stuff goes through, we can immediately support SLSA 3 and the SLSA 1.0 spec and everything else there. So I think it's more just trying to capture, like, if there's anything else that we would sort of go above and beyond Tekton, but yeah.

E: It's not necessarily like... I think it's more just tracking to make sure that once, like, Tekton Chains, anything else that might need to change in order to support all the 1.0 requirements in the spec, that FRSCA then updates its requirements, its dependencies on Tekton, to be updated to the latest version of Chains and whatever else that's...
B: By the way, the slsa.dev website has a get started page, which was just updated, and it does point to various tools. I think it would make sense for people in this group to have a look at this and see if you know any additional stuff that should be in there. It's pretty limited right now; we focused most of the information on freely available tools. There's a table at the end that lists more, especially Google Cloud Build.

B: But the expectation is that, you know, we could add to this list, and eventually there should be some government conformance certification program set up. That will give a more complete list, but for now anything can be added to that list. We're taking it on. You know, we accept any claims, basically; there's no process to verify.
B: And that everybody goes through the trouble of funding certification programs that put a little bit of the goal framework around those claims. In this case there have been discussions about doing this for SLSA. There is a proposal that's been floating around. It, you know, it's not an easy task to put together, yeah.

B: For Kubernetes, for instance, that I've been pointing to, that can be used as an example, which is within the LF umbrella. So we know if we were to use a framework similar to that, it should be fairly easy to get the LF lawyer happy.
E: Yeah, and I think it's a delicate balance, because I think also one of the other things that's come up is, you know, some folks are like, actually, I want you to tell me what I should be doing, including, like, what tools I should use, but of course that means, like...

E: If you tell people, hey, you should use this tool, it can potentially lead to... you know. Obviously you...

E: Of course not, no, or vice versa, right, where, you know, somebody comes in with a project and everybody from, you know, other competing interests all voted down or whatever. It's complicated, and I...

E: That certification process needs to be open, and, you know, anybody can join as long as they're obviously operating within good faith and doing all the right things, and then it's still up to the actual, like, end users to, like, say: yeah, I, you know, I support, let's say, like, one of the big audit firms over, you know, some random company, or, hey, I don't have the money to, you know, hire one of these bigger ones.

E: I have a, you know, but this other one is still certified by the OpenSSF or whatever. I think that's going to be... it's gonna be an interesting balance.
B: Yeah, and it's especially difficult if you cannot have, like, a test suite that you can just run and say, yeah, I'm running the test suite and it says I'm complying. You know, when it becomes a lot more, like, subjective based on the fine, you know, analysis, it becomes much harder to enforce any kind of, you know, verification system that makes those claims more verifiable.
E: Yeah, yeah, especially when you have stuff like the build service stuff. So I know that, like, actually one of the interesting tools from Oracle, and once again this is just, like, from, like, one of the researcher, you know, research open source sort of teams over there, has been doing this thing called Macaron, which is a tool that is intended to, like, you know, generate those reports and be able to kind of try and verify, but it still relies on... right now.

E: Obviously, you know, theoretical work around, like, the ability to prove, yes, you're actually running... like, you can remotely attest that somebody is actually running exactly what you expect them to be running from, like, the software side, but I think that's kind of a much longer-term sort of thing, but yeah. The Macaron thing is trying to do some of that, but obviously they're still sort of relying on the build service to say, like, hey, we're going to verify that.

E: Yes, the claims in here are there, and that the, you know, the token, or, sorry, you know what I mean, like, the keyless signing can be traced back to GitHub, and so, you know, it was actually running on GitHub and not somewhere else. But that sort of thing makes it more complicated if you're running it internally and you want to say, hey, I trust this build, my internal build service, or whatever.
D: What else? I don't want to... so, what else was there, though? So...

E: I know I don't want to put visa on the spot, but are you still working on the npm policy?

H: So, yes, there is a PR, number eight I think, under SLSA framework that is going through approvals, and then I will try to implement something, but yeah. There is years and years of neglecting my other projects that I'm also catching up with, so embellishing and balancing embarrassment on one side versus embarrassment on the other side, yeah, no.

H: But the intent is that I do an initial version and then other people can work on it too. It should not be all me by myself, obviously. So yeah, that's my priority at this time.
E: And the only other thing I was gonna bring up was one of the things I'm looking to work on, mostly just as a little thing to maybe...

C: Sorry about that, one of the cats.

E: Anyway, I was gonna say, so, prepping for the 1.0 thing, one of the things I was going to try and do is maybe write up a quick library or something like that, whether it's in CUE or similar, because a few folks, and I think even in this call, have been saying: hey, it's great that there's a SLSA verifier and all these SLSA verifiers that are verifying, like, hey...

E: Is it doing all the right things? But there's also just sort of a generic need for a SLSA, like, spec validator of just: are you following... you know, are you actually following the... is the JSON, just, you know, have all the right fields? Are those fields all valid? You know, like, is that a valid URI? Yeah.
E: So that stuff like the verifiers and whatever can just sort of use it, and so one of the things I was looking at was, you know, maybe doing something... and I know we've been looking at... we had done some stuff in CUE before, but maybe doing something like either in CUE or similar.

E: That can just... it's like a super simple tool that can, you know, verify it, and it could also be used as a library by some of the verifiers down the line that are, you know, going to be looking at the specs, so that everything can kind of, you know, I mean... obviously people can re-implement it if they want, but, you know, the idea there being that, hey, if they're building out SLSA tools that ingest SLSA metadata, oh cool, if I want to verify that it's valid...

E: It's also metadata; I can just include this simple library or whatever, and I know this is also related to some of the stuff that some folks are talking about with in-toto, going into the other ones, that, like, could be around some common... I guess a common in-toto library or attestation library, so that folks can sort of verify a lot of those different things anyway. Just, I was gonna quickly write up something, maybe this weekend, on that.
E: Yeah, beyond that, does anybody else have anything else regarding SLSA 1.0, or anything regarding the tooling? Otherwise we can end a bit early, I guess. I was just gonna... I was gonna ask Brendan, any... know if OCI is making progress?

I: Yeah, right now we're trying, but it's slow going right now. That is a very abbreviated version of lots of drama.

E: Cool, so yeah, that's about it here. If anybody has anything else, obviously bring it up now. Otherwise, see you all next week, and remember: this should have, like, messages to anybody who might be interested in providing feedback and all that good stuff on 1.0.

E: See you all next week.