►
From YouTube: SLSA Tooling Meeting (November 18, 2022)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
A
A
E
Hi
nice
to
see
you
again:
Matt
hi,
hi,
I'm
Trish
young
I'm
used
to
be
Justin
student,
no
I'm,
a
datadox
cutie
engineer
there
I'm
going
to
salsa
steering
committee
like
like
Michael
and
I'm.
Looking
forward
to
joining
these
meetings,
I
I
kept
missing
it
on
the
cncf
calendar,
so
here
I'm.
Finally,
great
thanks.
B
F
B
Before
we
get
into
some
of
the
things
on
the
agenda
and
sorry
I'm
literally
updating
the
agenda
as
we
go
along
because
there's
a
couple
of
things
that
came
up
yesterday
in
the
in
salsa
meeting.
But
before
getting
into
that,
does
anybody
have
any
sort
of
updates
from
any
tools
that
they're
related
to
or
any
of
the
things
that
we've
been
that
are
sort
of
related
to
the
tooling
and
and
salsa.
B
G
So,
as
you
said,
RFC
is
now
merged,
so
but
in
practice
I
would
say
it
doesn't
really
change
much
like.
Even
if
the
RFC
wasn't
merged,
we
were
sort
of
working
on
the
details,
so
I
don't
really
I'm
trying
to
think
like
if
we
can
have
something
to
share
I,
don't
really
think
like
the
work
is
continuing
to
pursue
as
planned
beyond
that.
I'm
not
sure
like.
G
So
but
yeah.
We
are
aware
of
that,
and
we
had
like
got
good
feedback
from
Josh
lock
on
that,
so,
but
beyond
that,
I
can't
think
of
anything
else
really
interesting
to
share
like.
There
are
still,
of
course,
some
open
details
in
terms
of
when
the
salsa
predicates
are
generated
like
how
they
will
be
verified
and
to
what
extent
and
how
much
will
actually
be
in
the
hand
of
hands
of
the
Downstream
developers
compared
to
how
much
will
npm
itself
actually
try
to
verify
Beyond,
just
making
sure
that
the
cryptographic
material
adds
up.
G
C
B
G
Yeah
I
think
parts
of
what's
very
confusing
is
that
the
cjson
spec
itself
is
contradictionary.
It
says
in
the
human
readable
text
like
this
will
produce
perfectly
valid
Json.
But
then,
when
you
look
at
the
formal
specification,
it's
obvious
that
the
result
will
not
be
Json
possible.
So
it's
I
think
that
has
led
to
some
confusion.
B
G
H
E
G
G
I
think
I
mean
I.
I
can't
remember
the
details.
I
can
probably
dig
it
up,
but
Joshua
linked
to
an
issue
in
in
Python
tough
that
pretty
much
was
running
into
the
same
issue,
so
I've
yeah.
If
it's
maybe
maybe
it's
if
it's
clear
in
let's
say
the
top
specification
that
when
you're
looking
at
I
don't
know
the
cjson
spec,
because
I
think
cjson
is
not
related
to
tough
at
all.
It's
just.
D
G
H
B
C
A
B
B
But
one
of
the
ideas
was,
we
want
to
make
sure
you
know,
as
we
are
pushing
for
1.0,
we
want
to
make
sure
we
have
some
set
of
tools.
Libraries,
services
Etc-
that
can
verify
salsa,
attestations
and
I-
think
that,
just
to
be
clear,
I
think
that
there's
there's
stages
to
this
right,
because
I
think
there's
some
confusion
yesterday,
like
some
of
it
is
just
literally
because
this
is
actually
a
common
issue.
B
Among
some
of
the
s-bomb
stuff
today
is
a
lot
of
folks
are
actually
not
generating
s-bombs
that
are
valid
to
the
specs.
So
it's
not
even
just
about
verifying
like
hey,
is
this
signed
by
the
right
parties
is,
is
the
build
content
like?
Is
the
content
inside
there
correct
and
could
I
like
generate
a
new
build
out
of
this
sort
of
thing?
It's
beyond
that?
It's
more
of
like?
B
If
you
look
at
some
of
the
salsa
verifier
stuff,
it
uses
the
in
Toto
libraries
and
then
add
some
stuff
that
it
just
looks
for
salsa
on
top
of
it.
But
what
would
be
nice
is
to
be
able
to
sort
of
say
hey
if
we
have
something
like
a
Json
schema
or
whatever,
as
the
canonical
representation
of
salsa
1.0
spec,
we
want
to
be
able
to
go
back
to
it
and
say:
okay,
great
everything
should
be
able
to.
You
know
like
python.
F
H
B
Yeah,
at
least
not
not
yet
that's
I
think
like
what
I
would
say
is
like
stage.
One
right
is
just
essentially
doing
that,
because
that
that
sort
of
thing
is
is
complicated,
because
we
already
sort
of
discovered
early
on
a
bunch
of
bugs,
for
example,
in
tecton
chains
that
we
had
to
fix
where
tecton
chains
was
I.
B
Can
read
it
no
problem
because
they're
a
little
bit
less
rigorous.
But,
for
example,
a
lot
of
the
other
ones
like
especially
those
in
in
more
stricter
languages
like
rust,
tend
to
sort
of
complain,
because
it's
like
hey,
yes,
you're
90,
compliant
with
the
s-bomb
spec,
but
actually
the
s-bomb
spec
says
you
need
to
have
a
shot.
One
hash,
not
just
you
know
you
can't
replace
shot
one
with
shot.
256
you
need
to.
It
could
only
be
complementary.
B
So
there's
things
in
the
s-bomb
specs
that
kind
of
talk
about
that
sort
of
thing
and
there's
stuff.
That's
going
to
be
also
in
the
small
suspects
that
talk
about
that
sort
of
thing
and
we've
been
seeing
a
lot
of
that
kind
of
get
really
complicated.
So
it
would
be
really
great
to
be
able
to
say
point
to
something
whether
it's
the
Json
schema,
whether
it's
a
queue
definition,
whether
it's
some
other
sort
of
way
of
defining.
B
B
You
know
20
or
whatever
it
is,
and
that
you
can,
then
you
know
you
could
then
just
sort
of
take
that
schema
and
plug
it
into
whatever
language
you
want,
and
you
automatically
get
that
validation
piece
so
that
you
don't
have
to
worry
about
the
different
Implement,
because
we're
seeing
this
a
lot
in
a
lot
of
the
tooling
is
we're.
Seeing
you
know
somebody
there.
You
know
somebody
puts
in
most
of
the
salsa
stuff,
but
forgets
one
thing
or
another,
and
so
people
will
say
hey.
It
verifies
in
the
go
implementation,
but
not
the
rust.
B
B
So
you
know
most
most
of
it.
Right
now
is
obviously
using
dizzy,
but
the
the
basic
idea,
I
think
that
some
folks
have
said
is
like
hey
great.
We
want
to
be
able
to
to
go
in
and
say,
let's
verify
the
actual
signatures
and
that's
kind
of
what
the
verifier
is
doing
as
well.
Right
now,
there's
also
and
I.
B
Don't
know
if
this
is,
you
know
once
again
I'm
just
kind
of
rattling
out
what
were
sort
of
the
thoughts
in
my
head,
but
some
folks
have
also
said:
okay
cool
now,
one
of
the
other
things
is
like.
Maybe
this
is
stage
three
or
maybe
this
is
stage
two
I,
don't
know
which
one
we
want
to
kind
of
call
this,
but
is
actually
you
know,
is
inspecting
the
inspecting
the
values
in
or
expecting
the
content.
B
So,
like
stage
three
is
potentially
something
like
actually
inspecting
the
content,
so
looking
at
the
actual
values
of
inside
of
the
like
the
key
values
inside
of
the
predicate
and
actually
saying
yes,
this
matches
some
sort
of
policy
like
yes,
this.
We
only
allow
these
build
type
Uris
for
our
policy
cool,
oh
I,
just
realized
some
folks
have
their
hands
up
Frederick.
B
Salsa
or
you
know?
Can
you
check
that
you're
actually
validating
valid
salsa,
so
I
agree
that
that
probably
makes
sense
to
to
switch
I
was
just
kind
of
talking
about
it
more
from
the
perspective
of
maybe
even
a
prioritization
like
yeah
like
Step
One
is.
We
should
probably
make
sure
that
it
is
100
valid.
It's
also,
and
then
step
two
is,
let's
you
know
make
sure
that
the
signature
stuff
is
is
all
implemented
in
that
we're.
E
Yeah,
that's
a
that's.
A
good
comment
about
the
parsing
untrusted
payloads
I.
Think
that's
partly
the
problem
that
DC
was
designed
to
solve
for
yeah
with
things
like
canonicalization,
the
canonicalization
Json
can
only
Collide
whatever
you
get
the
idea,
but
the
problem
with
C
Json
is
you
have
to
parse
it
first
just
to
be
able
to
verify
the
signature,
whereas
with
Dizzy.
E
E
B
E
B
No,
no
I
think
the
the
idea
here
is
so
the
salsa
verifier
that
folks
are
looking
at
and
so
there's
a
bunch
of
different
discussion
about
what
what
this
might
end
up.
Looking
like,
and
you
know
what
the
actual
policy
might
be
and
if
there's
going
to
be
using
like
a
policy
engine
or
whatever,
but
I,
think
the
some
of
the
content
is
just
like.
Could
you
use
something
like
a
Json
path
like
things
to
just
sort
of
say
great?
B
Does
this
match
like
I'm,
expecting
stuff
to
look
like
this
inside
of
the
you
know
inside
the
Atta
station,
and
so
it
could
just
be
something
as
simple
as,
like
you
know,
a
yaml
file
with
some
elements
in
it
or
you
know
that
that
sort
of
I
think
a
little
bit.
You
know
much
more
up
for
discussion,
but
yeah,
that's
one
of
the
things
that
that
we're
like
looking
at
and
and
but
this
is
more
of
right
now,
at
least
like
conceptually.
B
It's
like
hey,
we
do
want
to
eventually
have
some
sort
of
mechanism,
and-
and
this
is
something
that
this
is
part
of
stuff
like
the
policy.
Like
a
combination
of
like
tooling
and
libraries
right
because
we
might
want
to
include
the
ability
to
sort
of
say,
hey
here-
is
a
way
to
apply
policies
to
it6
right.
E
B
That
I'm
not
sure
they
maybe
I,
know
that
there
there
there's
some
discussion
about
post
1.0
the
semantics
around
some
of
these
things
of
saying,
like
hey
great
now
that
we
have
1.0,
how
should
people
be
interpreting
or
not
interpreting?
How
should
people
be
using
the
different
pieces
of
content
inside
of
the
attestation?
B
So
this
might
be
something
like
hey.
Your
build
config
should
be
thought
of.
As
you
know,
the
inputs
to
the
build
or
whatever
you
know,
your
build
script
or
whatever,
and
so
it
should
be
thought
of
like
that.
So
if
you
have
a
policy
around
build
config,
that's
how
it
should
be
interpreted,
and
then
you
know
certain
metadata
about
timestamps
should
be
like.
Oh,
this
is
the
timestamp
of
when
the
build
was
recorded
to
have
started
and
the
timestamp
of
when
the
build
was.
You
know,
found
to
have
stopped
that
sort
of
thing.
I
Eric
I
was
just
gonna
Circle
back
and
kind
of
comment
on
the
conversation
around.
You
know
this
idea
of
the
the
metadata
verifier
tool
that
we're
talking
about
sounds
like
we're
going
to
build
it
from
the
ground
up
right
and
my
opinion.
From
like
a
phase.
One
versus
phase
two
perspective
is,
you
know,
I
think
phase.
I
You
know
Frederick
I,
think
you
made
the
point
to
like.
Maybe
we
should
prioritize
validating
the
authenticity
of
the
of
the
thing
first,
but
I
think
from
a
utility
perspective
and
kind
of
like
offering
this
for
like
value
to
the
community
from
a
valuable
perspective
rather
than
a
security
perspective,
I
I,
promote
kind
of
what
Mike
has
been
talking
about
for
validating
schema.
First,
it
has
like
a
first
win,
I'd
say,
but
I
think
it's
still
really
valid
right
to
to
make
sure
it
is
authentic.
Of
course,
please.
B
Yeah,
no
yeah,
I,
agree
and
I
just
to
be
clear,
I
think
it's
it's
less
about
the
right
like
if
you're
talking
about
it
conceptually
imagine
you
had
a
100
finished
product.
It
probably
would
look
something
like
you
know.
First,
you
check
the
signature.
Then
you
verify
that
it's
actually
valid
schema
right
and
then
well
actually
you'd
probably
first
check
like.
Is
it
a
valid
envelope?
Then
you
check
the
signature.
B
You
know,
you
know
50
line
thing
that
just
kind
of
will
parse
through
my
pieces
that
I
need
the
problem
that
we're
sort
of
seeing,
especially
in
the
s-bomb
space,
and
starting
to
see
a
little
bit
with
the
salsa
spaces
as
folks,
if
folks
are
not
using
some
of
the
existing
sort
of
libraries
out
there
and
they
sort
of
just
build
out
their
own
thing
and
they
just
sort
of
say,
yep,
I'm
expecting
to
see
Json
or
I.
You
know
I
use
the
The
Dizzy
stuff
and
then
I
get
a
base64
encoded
content
I.
B
You
know
then
turn
it
into
Json,
and
then
you
know
pull
it
into
my
local
thing
and
I
just
have
some
structs
for
what
I
the
content
that
I
want.
What
ends
up?
What
we're
seeing
is
some
people
are
already
building
out
policy
and
doing
certain
things
against
salsa
attestation
that
aren't
actually
valid
salsa.
They
just
look
like
velots,
also
so
that
as
soon
as
another,
as
soon
as
they
start
to
push
it
to
another
tool,
that
tool
like
will
complain
and
they
go
wait.
A
second.
B
This
tool
doesn't
complain
and
I
know
that
that's
more
of
a
community
problem,
but
it
would
be
great
to
sort
of
say
you
know:
hey.
There
is
this
salsa
verifier,
which
just
to
be
clear,
I,
think
most
of
this
content
should
go
into
the
salsa
verifier,
and
maybe
we
might
want
to
abstract
the
salsa
verifier
into
a
library
plus
the
tool,
but
the
salsa
verifier.
B
If
I
can
scroll
back
up
here,
that's
Linked
In
the
document
and
I'll
just
put
it
in
the
chat
just
so
that
folks
can
click
on
it.
This
salsa
verifier,
is
you
know
it's.
You
know,
CLI,
there's
a
bunch
of
stuff
in
here.
There's
there's
a
bunch
of
you
know
stuff
in
here.
For
actually
you
know
verifying
different
elements.
Yeah
yeah
I
think
you
know
for
for
folks
who
are
building
their
own
tools.
B
It'd
be
great
to
be
able
to
say:
hey
great
I
can
include
the
library
pieces
of
this
into
my
tool,
so
I
don't
have
to
call
out
to
the
CLI,
but
you
know
having
a
lot
of
this
in
here
would
be
be
really
great
separately.
One
of
the
things
I
was
talked
about
yesterday
in
in
the
the
conversation
was
in
the
salsa
comfort
in
the
salsa
meeting
was
Laurent
say
said.
B
Foreign
or
because
a
lot
of
people,
you
know
as
as
something
that
somebody
can
just
sort
of
say:
hey
I'm
gonna,
send
this
over
to
to
some.
You
know
to
some
API
so
that
folks
don't
have
to
run
it
themselves,
I'm
a
little
ambivalent
on
on
one
way
or
the
other
I'm
sure
it
comes
with
its
own
pros
and
cons,
because
now
you're
trusting
some
third-party
service
to
essentially
verify
that
but
yeah,
that's
kind
of
where,
where
we
landed
with
that
and
I'm
trying
to
think.
If
there
is.
B
A
J
B
B
But
it
comes
with.
You
know
some
requirements
right
where
you
are
essentially
asserting
that
you're
following
certain
rules-
and
you
know
if
you're
found
to
not
be
following
those
rules-
you'll
be
asked
not
to
say
you're
complying
to
salsa
and
the
reason
being
is
you
know,
obviously,
with
the
open,
ssf
and
Linux
Foundation?
Is
they
don't
want?
Just
everybody
Under
the
Sun
saying
yep
I'm
salsa
level?
B
You
know
every
single
person
needs
to
go
and
work
with
some
audit
firm
or
some
security
firm
to
sort
of
verify
that
they're
actually
following
all
the
salsa
rules
right,
you
know
for
certain
companies
that
might
make
sense-
and
you
know
especially
folks
who
might
say:
hey
yeah
we've
been
certified
by
some
big
security
vendor
or
audit
firm
and
yes,
they've
sort
of
verified
that
we're
doing
everything.
Salsa,
3
and
yeah
yeah,
that's
great,
but
there
might
be
some
self-certification
there
and
most
likely
there's
going
to
be
self-certification.
B
One
of
those
things
might
be
the
actual
Builders
themselves
so
that
the
you
know
open
source
Builders
like,
for
example,
tecton
and
Fresca,
and
Jenkins
and
circle
CI
and
GitHub
actions
and
whatever
might
all
be
able
to
come
in
and
say,
okay
great,
we
are
doing
you
know
we
can
release
a
document
that
says
we
are
doing
these
things
and
based
on
that,
you
can
go
and
say
great
I.
You
know
that
sounds
good
to
me
and
yes,
you're
complying,
but
you
know
as
an
end
user,
I
I
trust
that
or
whatever.
B
So
that's
that's
one
of
the
things
that
that's
coming
down
the
line
and
it's
something
that
we
probably
wanna
look
at,
especially
as
some
folks
have
sort
of
brought
up
like
there's
been
some
challenges
with
certain
build
systems
and
hitting
some
of
the
higher
level
salsa
stuff.
At
least
out
of
the
box
right
like
because,
like
you
know,
one
of
the
big
ones
is
like
Jenkins
is
relatively
open
out
of
the
box.
B
You
can
do
a
lot
of
things
and
add
a
lot
of
plugins
to
then
make
it
easier
to
comply
with
salsa,
but
I.
Think
there's
going
to
be
some
discussion
about
hey
could
could
we,
you
know,
write
up
something
if
somebody
is
a
you
know,
is
doing
a
lot
of
stuff
with
let's
say
Jenkins
right
now.
Could
they
write
some
something
up
to
say:
hey
here's,
how
we're
currently
trying
to
hit
all
the
salsa
requirements
via
something
like
Jenkins.
B
Some
of
the
other
ones
might
be
a
little
bit
easier
because
they're
kind
of
like
locked
down
by
default
and
stuff,
like
that,
you
know
or
stuff-
that's
like
more
declarative,
like
tecton
and
whatever,
but
that's
just
something
to
to
kind
of
think
through
and
does
it
do?
Does
anybody
have
any
thoughts
on
sort
of
that
like
Builder
certification
process
or
anything
like
that.
F
F
Some
of
the
discussion
points
you
know
we've
had
are:
how
do
you
do
this
with
multiple
different
tools
to
handle
these
different
ways?
The
plugins,
as
you
mentioned,
is
one
conversation
Point,
but
you
know
going
for
each
phase
of
salsa
and
having
to
do
multiple
scans
to
determine.
Are
you
still
compliant?
F
You
know
the
code
signing
aspect
of
it
for
one
for
one
thing
right,
you
know,
have
you
signed
it?
Have
you
checked
it
again?
You
know.
Are
the
repository
aspects
correct.
You
know
all
of
the
various
different
stage.
Stages
of
the
salsa
components
at
each
stage
in
the
sdlc
is
something
that
we're
we're
still
trying
to
kind
of
ideate
solutions
around
and
I.
F
But
in
you
know
the
more
open
source
type
of
tooling
I.
Don't
know
that
that's
enough
of
a
focus
yet
from
a
lot
of
the
communities,
so
it
definitely
needs
to
be,
but
it
becomes
that
kind
of
broad
conversation
of.
Should
it
be
more
of
a
facade,
Management
console
that
does
this
and
can
be
flexible
enough
to
incorporate
different
CI
CDs.
F
A
B
Cool
yeah
yeah
no
definitely
agree
with
you.
There
Eric,
especially
on
that
one
point
you
had
about
like
it's
more
than
just
the
the
CI
tool
right,
because
you
know
you
need
to
include
you
know,
scanners
and
whatever
else
and
I,
think
one
of
the
things
that
has
been
sort
of
brought
up.
You
know
previously
as
some
and
this
might
be
something
that
the
the
this
team
maybe
wants
to
kind
of
discuss.
A
little
bit
is
like
what
is
the
responsibility
of
the.
B
B
Isolated
environment
run.
You
know
this
scan,
let's
say
right,
but
you
know
Jenkins
or
tecton
or
whatever
you
know.
Github
actions
has
that
sort
of
ability
to
say,
hey
run,
you
know,
run
build
packs
Follow
by
run
this
scan
and
then
each
of
the.
So
so
that's
like
two
elements
and
then
the
other
element
is
the
actual
sort
of
pipeline
itself
right,
so
something
like
in
total,
layouts
or
or
tecton
or
Jenkins
file.
You
want
to
make
sure
that
those
things
are
structured
such
that
you
you
are
enforced.
B
You
know
you're
forced
to
run
the
right
things
to
hit
the
right
right
stuff
right
because,
depending
on
the
different
CI
tools,
you
know
if
you
do
not
use
like
if
your
GitHub
actions
or
whatever
do
not
use
the
the
salsa,
you
know
generator,
then
you're
not
generating
salsa
provenance,
and
so
what
what
sorts
of
things
can
you
do
to
essentially
enforce?
That
is
also
important.
Well,.
F
Yeah
and
I'd
take
that
a
step
further
to
say
that
there
needs
to
be.
You
know
how
Jenkins
will
provide
you,
some
limited
type
of
reporting
on
the
fact
that
you've
run
certain
jobs
and
everything
else.
You
need
to
have
some
sort
of
metrics
and
and
Reporting
structure.
That
shows
you
know
that
you've
actually
attained.
You
know
this
project
is
actually
validated
for
salsa
level,
one
and
level
two.
What
have
you
and
a
history
of
that
right?
So
it
was,
it
was
compliant.
Now
it's
not
on
a
given
given
time
frame.
F
You
know
that
that
type
of
and
at
what
stage
is
you
know
potentially,
like
you
know
it
passes,
you
know
the
first.
You
know
five
bullets
of
salsa,
but
the
next
you
know
several.
You
know
it
doesn't.
So
we
know
provenance
wise
based
on
that
and
where
the
gaps
are,
you
know
what
what
are
you
missing
to
be
fully
salsa
compliant
yeah?
Those
are
the
types
of
things
down
the
road
that
definitely
need
to
be
included.
F
So
the
projects
can
you
know
it's
a
kind
of
a
question
now
as
to
how
valid
badges
are,
and
things
like
that.
You
know
some
people
think
they
are
I,
think
they're,
very
valuable,
but
I
think
you
know
if
you
can
provide
hey.
You
know
my
project
is,
you
know,
salsa
level.
Three
compliance
is
a
badge
or
something
on
your
your
project,
because
it's
run
through
all
of
these.
These
Gates,
when
you
know
somebody
goes
to
pull
down
your
binary.
F
That's
that's
to
me.
That's
a
pretty
good
indicator
that
your
your
project
is
secure.
So
you
know
some
things
to
think
about.
You
know
it's,
but
I
definitely
think
that
we
have
to
talk
more
about.
You
know
the
the
metrics
and
the
observability
of
this
process
too.
Not
just
you
know
becoming
capable,
but
how
do
we
prove
that?
And
how
do
we
show
over
time
that
it's
it's
remains
compliant
all.
J
J
If,
if
it's
something
that
people
can
you
know
if
it's
based
off
multiple
components
and
if
someone
goes
in
and
changes
something
right
that
the
whole
certification
kind
of
goes
away
right,
so
it
seems
like
it
needs
to
be
some
kind
of
an
automated
way
of
continuously
validating
that
it's
in
the
right
step
and
I.
Think
that's
what
Eric
is
kind
of
referring
to,
but
I'm
just
wondering
if
it's,
if
that's
even
possible,
with
so
many
components
out
there
and
such
so
yeah.
B
So
this
was
something
that's
also
been
discussed.
A
little
bit
with
the
conformance
program
is
like,
like
certain
things
might
be
able
to
say,
hey
look
we're
gonna,
you
know
like
yes,
somebody
could
be
messing
with
the
the
pipeline
right
after
we
got
the
certification,
but
if
you
are
continuing
to
do
some
of
this,
like
if
you're,
let's
say
once
every
three
months,
six
months
a
year
or
whatever
it
might
get
caught,
and
then
also
from
the
policy
standpoint
of
the
organization-
that's
consuming
it,
they
might
want.
B
If
it
turns
out
a
third-party
audit
firm,
does
come
in
and
say:
hey
you're.
You
know
a
lot
of
this
stuff
should
show
up
and
also
if
it
turns
out
you're
lying.
A
lot
of
your
customers
are
probably
going
to
sue.
So
I
think
that
kind
of
thing
is
is
also
I
think
a
risk
there,
which
is
why
I
think
a
lot
of
folks
are
when
it
comes
to
some
of
this
self-certification.
B
I
think
we're
gonna
have
to
see
you
know.
Perhaps
larger
organizations
like
your
Microsoft
yeah.
You
know
your
Googles
and
and
red
hats
and
vmware's
or
whatever
to
sort
of
say:
hey
we,
you
know
we
looked
at
this
open
source
tool
and
we've
looked
at
what
they've
been
doing
and
you
know
we've
looked
at
their
self-certification
and
sort
of
revalidated
it
and
we
think
yeah
seems
to
be
the
right
sort
of
thing.
I
think
that's
going
to
be
an
another
way.
They
might
go
about
that.
J
B
Any
other
thoughts
about
like
Builders
and
certifications
and
and
whatnot
and
I
know
like
I,
know.
Fresca
is
working
a
lot
a
lot
on
this
in
the
open
source
space
right.
This
is
I
think
to
go
back
to
what
Eric
was
talking
about.
Is
you
know?
Fresca
is
trying
to
be
that
opinionated
set
of
Tools
Plus
the
pipelines
themselves
to
try
and
say
hey
in
order
to
actually
comply
with
a
high
level
of
salsa.
You
don't
get
to
Define
your
own
pipeline
that
lets
you
ignore
these
things.
B
B
Think
Fresca
is
trying
to
kind
of
do
that
sort
of
thing
and
I
think
we're
trying
to
look
at
like
how
easy
is
that
to
certify
and
I
think
that
there's
some
stuff
there
and
if
folks
are
interested,
you
know
we're
obviously
looking
for
more
contributors
on
that
one.
It's
an
open,
ssf
project,
but
anyone
else
have
any
other
thoughts
on
that.
Otherwise
we
can
kind
of
go
on
to
the
next
quick
sort
of
topic
which
is
sort
of
related
to
the
past
two
ones.
A
B
B
So
if
this
is
for
going
back
a
little
bit
so
salsa
is
for
folks
who
aren't
super
familiar
with
in
Toto
is
salsa
attestations
the
predicate
format,
which
is
the
Json
format
right
that
is
being
heavily
recommended
for
use
for
salsa.
You
don't
actually
have
to
use
it
to
be
compliant
with
salsa,
but
you
know
pretty
much.
Everybody
is
using
anybody.
Who's
using
salsa
is
more
or
less
using
the
the
in
total
predicate
format.
B
B
This
is
conceptually
you
have
a
a
set
of
Json
schemas
or
a
set
of
queue,
definitions
or
some
sort
of
way
of
saying
hey
I
have
this
is
this
is
how
this
is
some
sort
of
schema,
and
then
you
might
have
one
or
more
mappings
to
either
a
data
model
or
to
an
ontology
that
you
know
says:
like
hash
equals
checksum
in
this
data
model
or
hash
equals.
You
know,
and
that
could
be
itself
another
schema,
something
that
is
not
like
code
per
se.
B
B
You
know
with
a
new
version,
a
new
minor
revision
that
doesn't
really
modify
how
the
the
how
the
attestation
should
be
interpreted.
More
of
just
like
some
clarifications
or
some
extra
elements
here
and
there
you
can
have
ways
to
say
great
this
like
we,
we
now
support.
You
know
some
new
hashing
format,
okay,
cool
that
that
just
sort
of
maps
into
this
internally
into
some
internal
data
model
or
into
some
other
ontology.
So
that's
just
something
else.
J
J
B
Is
you
want
to
have
more
information
about
the
actual
schema
right
because,
like
protobufs
has
fairly
gen,
you
know
has
whatever
a
dozen
or
so
types
you
know
in
32,
in
64
or
whatever
stuff
like
that,
but
it
doesn't
have
stuff,
and
it
has
stuff
I
think
also
like
time
stamps,
but
it
doesn't
have,
for
example,
things
like
URI
validation
right.
You
probably
want
to
be
able
to
say
this
should
be
a
valid
URI
in
certain
contexts.
B
B
That's
something
that
Q
Lang
is
able
to
do
as
well,
and
so
I
think
that
sort
of
thing
is
is
kind
of
what
we're
sort
of
looking
at,
as
as
a
way
of
of
sort
of
you
know,
then
being
able
to
say,
I
predicate
you
know
any
sort
of
in
Toto
predicate
could
be.
You
know,
okay,
cool.
This
is
the
URI.
This
is
like,
for
example,
this
might
be
even
another
subtype
right,
you
know
right.
People
have
talked
about
okay
cool.
B
Could
we
have
something
like
subject
inside
of
in
Toto,
be
a
type
itself,
and
then
you
can
say:
okay,
great
or
or
something
like
name
plus
hash
is
some
sort
of
type
or
whatever,
and
then
you
can
then
inject
that
in
other
places,
so
that
you
know
the
way
that
it
gets.
Parsed
automatically
gets
parsed
the
same
way,
instead
of
having
to
kind
of
duplicate
a
lot
of
that
work
all
over
the
place.
Yeah.
J
B
B
Right
in
Toto,
in
Toto,
attestations
and
all
those
things
are
Uris.
Eventually
they
should
be
actually
resolvable
so
that
you
could
go
back
and
and
actually
pull
down
the
definition
from
the
URI
and
then
from
there.
You
should
be
able
to
say:
okay,
great
I
can
pull
this
down,
and
if
you
had
something
like
a
predicate
dictionary,
okay
check
the
predicate
dictionary
or
have
different
predicates
registered
with
your
dictionary
or
whatever,
and
that
should
have
some
sort
of
mapping
mechanism
to
your
internal
data
model
or
preferably
one
day.
You
know
and
I
know.
B
This
is
kind
of
I
know
this
is
a
pipe
dream,
but
you
could
have
something
where
it's
you
know
it
maps
to
an
ontology,
and
then
you
could
have
that
two-way
sync,
where
you
can
say
great
I
can
now
convert.
If
I
have
enough
information
in
salsa
I
can
convert
salsa
to
an
s-bomb
and
an
s-bomb
to
some
of
the
elements
that
I
need
for
salsa
or
whatever.