From YouTube: SLSA Specifications Meeting (May 15, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A: Everyone, and as a reminder, if you could please register your attendance in the, I mean, notes doc, which I just pasted into the chat, and look at it.

A: All right, great. I think Mike had the first agenda item, I guess. Could... well, yeah, okay, yeah, Mike had the first agenda. You want to go?
F: There is a... once I can hear. Let me pull this back up. So, got a lot of great feedback at Open Source Summit, both OpenSSF Day as well as the rest of the summit. I'll create an issue in GitHub with some of that feedback when I get a chance. There was some... one of the biggest pieces of interesting feedback, I think, was there was some pushback from some folks who were more like older-school open source developers on the building local versus building hosted, and one of the reasons being, they said: hey, look, it's going to be hard to convince folks that hosted is better than a laptop or something like that when you have a lot of bad actors in the build space. And in particular, I know the Travis situation was brought up a couple of times, where a lot of folks are like, hey, you can't convince me that anything built on Travis the past few years is in any way safe. And so I thought that was an interesting piece of feedback. I think generally what we have there still makes sense, but I do think that maybe we have some additional clarifications, and the way that they said we should be framing it is, it's more about knowing where something was built, right. It's hard to know where something was built if it was built on somebody's laptop versus CI, and that is in many ways more important than necessarily purely the security of the CI tool. But anyway, there's some interesting stuff on that front.
A: Yeah, I think two kind of quick thoughts on that. I think it's completely legitimate feedback. Let me guess. Point well taken. Another thing that we could maybe focus on is, like, from the individual team or individual person's perspective, that's a totally legit answer, right. It probably is more secure because they run it themselves, but it's more about the consumers, like, if different vendors... I don't want to have to trust a thousand different things, even if it makes sense for them individually. So that's probably one thing we could talk about. Another is just kind of to highlight: reproducible builds is a great answer for here, because then they could build it on their laptop and you can build it on CI and you could trust either.
E: Yeah, I actually just had a conversation about hosted builds today with some other folks, and the point that I was trying to arrive at is that if you have something running on somebody's hardware, it's a lot easier for it to be compromised because there doesn't have to be a pivot involved, and so it just is an individual compromise that would then compromise the build system. Whereas if something is hosted, and again, it doesn't have to be hosted on some external service, it could be hosted on some internal service if you're concerned about things being outside the firewall, there at least has to be some pivot, which would require some credentials to be able to be retrieved from the system which is compromised, instead of just the system being compromised and then the builds immediately being able to be compromised. And I think that another key point about it being hosted is that it's enabled to be reused for multiple different artifact builds, and that goes with the principle of trusting systems and verifying artifacts and its corollary of limiting the amount of trusted systems.

E: What might be the concern is more with Travis, because of the issues that have happened with Travis, and I don't know if there's been any indication from those that are running Travis whether there's a desire to start attesting to some SLSA level. But maybe that's not the best example to include in there, and maybe we can have something else. I think it was included in there to indicate that it is a service, as something that's in addition to GitHub and Google Cloud.
F: Yeah, now I agree there, and I think there's definitely areas we can clarify some stuff, whether it's in blogs or something like that, just on why we are sort of viewing the build service as something separate from the hosted. And I think a lot of it really does come down to, yeah, you can... and this, I know, to what Joshua has said, is on the npm RFC there was some pushback like, hey, why is my laptop not good enough? And I think it has less to do with whether or not you've completely secured your laptop. It has more to do with both what you said there, right, Andrew, which is, if I'm running on a laptop, it's much easier to compromise a single laptop than to compromise an entire build system generally, and it's also probably easier to prove that the build system is secure than to say, hey, this MacBook that I carry around with me on planes and go wherever and so on is a little bit different than something that's hosted, whether it's in the cloud or in a data center or whatever. But with that said, I think that there's definitely areas we can kind of... I think the big thing which you highlighted there is you get the visibility into: this is a build service. This is one thing that I now need to keep track of, as opposed to, if everybody was building on their laptops, I would need to keep track of the security of 10,000 different services, or 10,000 different build services, where those build services are other people's laptops.

F: He said he was an old-school Apache person and said, it's going to be hard to convince a lot of the sort of Apache Foundation folks that building off of their laptop is insecure. But building from a known place is often much better than just building off an unknown place, and the unknown place being somebody's laptop.
A: Yeah, and what you said originally, maybe focusing on the wording of, like, we're not saying the laptop is insecure, but rather it's easier for us to gain confidence in it, right? Yeah.
F: Oh, folks were also asking for more examples. So in particular, folks were asking for more from a threat model perspective of: these are the threats that we're trying to mitigate using SLSA, and then here are literal examples of those threats. So a good question that had been brought up... it was a bit of a clickbaity question, but I reckon it is actually pretty good because, from a discussion point, Josh Bressers had brought up, hey, what sorts of threats are you actually dealing with here? Because, for example, if we take SolarWinds, right, how would they also have prevented SolarWinds and those sorts of things?
C: Yeah, and I think a lot of these questions are coming off the back of the clarity around whether this is a security framework, compliance requirements, or whether we're specifying some type of conformance. And I think what's happening is, when we say it's a matter of compliance, or we're saying maturity model, or saying compliance requirements, or saying security framework, there are going to be those that ask: well, what are the threats that we're trying to mitigate? What's the threat model, right? You're going to have those questions. You're saying it's a maturity model, but then you're going to have to have those respective maturity levels, which of course we do, levels one through three at this point. And if you say it's compliance requirements, well, then you're going to have to have those requirements in place. And then of course, because this isn't a... because we don't have an auditing and we're still trying to work that part out. But since this isn't being audited by a third party, you do have to tie it back into something that is. So a lot of these questions are coming up because I don't know that we're clear enough on what this is, and then putting out the justification or the right subsequent information that's tied to what we're saying this is. So that's the only reason why I see these kinds of questions coming up. And Josh, that's a good question.

C: I'm with Mike on this one. I didn't think Josh was being malicious in this question. I think he was providing an avenue for us to quell some of the questions that he might be getting or others might be getting out there. So I did appreciate the question, and I appreciate how we answered that question in the moment.
A: We have the threats page that kind of goes into detail. Could you talk briefly about the delta between that and what they're looking for?
F: Some of it is, I think, in how we communicate it as well, which is more for the positioning group, because some of it I feel like was a bit like, hey, I haven't read the docs, what's the two-second pitch? But in addition to that, one of the things that, after having conversations afterwards, people seem to sort of indicate, and this is something that we had done with FRSCA a while back, was almost like: if, let's say, we have the new npm SLSA builder in GitHub and yada yada, could we, and this is maybe for the tooling group, could we create a couple of examples, in collaboration with the spec here obviously, a couple of, like, this is what a malicious example looks like, and here is why it doesn't work? Because I think a lot of folks are just getting confused. They're like, oh, I see all this stuff, but I think, and this is something that actually came out of the talk I gave, the deep dive, which was like, the key piece, and it's important that people recognize, is that SLSA can be used to generate malware, but what can't be done with SLSA is, if you are SLSA level three, it's much harder to lie about you generating malware. Like, you go back and you're like, wait a second, I was told I was pulling in these things, but the build actually seemed to have been pulling in a bunch of other stuff, or, I was told that build ran these commands, but the GitHub generator or whatever recorded these other commands, so what happened there? I think that's where SLSA is coming in.
A: Yeah, and in fact, this is a good point. I wanted to do this for, like, a year now, and I think, like we talked about, we might have an open issue about this. I think Joshua and I, and maybe someone else from VMware, talked about doing this a while back: basically a SLSA playground or something like that, where you could actually see a registry and try things, like, there's this policy in place, try uploading it, it gets rejected; you do build this way, it gets rejected. I really think that would help a lot, and that would go a very, very long way to explaining, I think. Another thought is the current threats page is very, very detailed and low-level because it's trying to be exhaustive. It probably would be good to have a more narrative talk that's like, well, why do you need SLSA? Here's the type of things that it would prevent, like, let's say you're a company. One of the engineers' machines is compromised, and even though you have checked-in code, here's the... their build machine is used to deploy malicious things to prod, and this is how it gets checked, or something, and kind of walk through the main attacks that we're worried about.

A: Official documentation would be pretty... I think if we make that less about, like, here's a list of example A, example B, example C, but make it a little bit more narrative, of, like, here's an example source-to-prod pipeline or publishing software, some kind of example scenario, and say, like...
B: It's important in the specifications that we don't say the same thing in two different ways where you can introduce discrepancies, right. So even though the spec might be a bit too compact for everybody to comprehend all the gory details, there's value in keeping it concise, and that's why I say, well, you can always add blog posts and whatnot, because then there is no issue. If there is a discrepancy, the spec is the law.

B: Yeah, I agree. If we clearly labeled this as informational, then I agree, then that's no problem.
F: Yeah, and there was also... some folks had pointed out a few things recently on that, and I think somebody had called something SLSA version four when they meant SLSA level four, and yeah, there was a good deal of confusion on some of those. Yeah, "SLSA v4 requires", yeah, it's somebody... So I think there's some stuff that, as time goes on, it'll get better, and I think there's nothing we could really do to fix all the issues, but yeah.
A: About when choosing version numbers, right, of like "v", and I worried about that, and so I don't know how everyone else feels. But I...
B: No, as Mike said, I think people may get the right mental model eventually. We just... I don't know. Actually, I haven't had a chance to look at the spec again to see whether we are clear on how those things are, but it's almost like maybe having a graphic that shows the three dimensions, version, tracks, and levels, can be helpful.
F: Yeah, agreed. I think some of it will... actually, that ties into my next thing. A few folks had also been saying, they sort of recommended that maybe we have, through something like the OpenSSF, a couple of webinars, that sort of thing, and then also open up for questions, so that folks who are kind of learning... because the thing that we also got feedback on is a lot of folks are learning about SLSA through a number of different reasons. Some devs who were there were like, yeah, an executive told me about this SLSA thing that they heard about, and they wanted me to learn about it. Some folks are devs who are just like, yep, I learned about it through some blog or whatever, and other folks are coming in through a number of other means. And so I think folks are interested in seeing something like a webinar where they can learn about SLSA in kind of more of a less formal sort of discussion, kind of like, here's a presentation on what SLSA is, and that kind of thing.

F: And then, yeah, there was a ton of talks on SLSA at Open Source Summit and OpenSSF Day. There was the panel. There was the deep dive into sort of the actual technical stuff, and I want to thank Ian and Laurent from the GOSST team. I used their npm builder as the beta builder to show off to folks, because folks were also asking for straightforward examples. I think a lot of folks were asking for tooling, like, hey, is there tooling for TeamCity? Is there tooling for all these other things? And I recommended that they join the tooling group and help us build that up. The other things were also, there was some feedback from a couple of... there's some folks from the various ecosystems, like packaging systems. There seemed to be still some interest in, like, how do we distribute SLSA metadata, and maybe is there a way to distribute it relatively in sync with the rest of the ecosystems, so that we don't end up having to build tools with specific support that is hard to build, for Maven Central, for PyPI, for Gem, etc.

F: Yeah, that's about it. Oh, and then Chris also had some great talks on... I'll hand it over to him, yeah.
H: So I'm actually, I must admit, I joined about 10 minutes late. I had trouble getting a conference room. But the feedback I got sounded very different to the feedback the rest of you got, which was primarily positive and much less concerned with confusion, and concerned about how you will track, like, SLSA. Well, I mean, my talks are also conformant, so that's what people talked about, but they wanted to know, how do you know that you're doing SLSA? What will audits look like? Who will be auditors? I guess I was hearing from the people who don't care about the particular requirements and more about what it looks like for the business overall.

H: What I did hear about tooling was generally positive towards the GitHub Actions, but looking for support from other ecosystems. What else? Yeah, I mean, I could go into more specifics. It seems about 50% of people hate the idea of self-attestation of SLSA level, 50% of people hate the idea of third-party audits, so I assume we're doing something right.
F: Yeah, so this is something I'm just so happy about, because I saw similar feedback. I didn't get nearly as much as Chris did, but the folks that I saw, and this is the same way I found with pretty much any one of these requirements, is, if you are the one saying, I'm SLSA compliant or conformant, you obviously just want to self-certify. If you are somebody who's consuming that, you want to say, no, I don't want to just consume somebody's self-assessment, I want them to go through an audit. So I think the thing I always find is folks who are consuming SLSA want everybody else to go through audits, and if you are the one who is producing SLSA, you want to just say, yeah, of course I'm SLSA, here's my self-assessment. I think around that, I also think that a lot of that is, like, when you sit down with folks and you just sort of say, hey, you still get to trust who you want to trust, I think is an important piece that I think folks are... I know one of the other things that kind of came out of that was folks were trying to figure out, like, if I am a big financial firm, who do I trust? I don't know, that's why I want these audits, because at least if you go through an audit from some big audit firm, yeah, I trust that big audit firm, or I trust OpenSSF to certify these audit firms to be SLSA conformance audit compliant, or whatever it is, right. I think that sort of thing is something that folks are looking at. I think still, though, different companies are just going to say, yeah, I don't trust small company X, because even if they did get an audit, I just don't trust that... they're small and whatever, and I don't trust them, or whatever it is. And then other companies will be like, yep, this is a giant company and I think generally they do the right things and I trust them.
H: Right, which reminds me, the other feedback I got was about, I guess, the economics of auditing. The question is: who pays for it? What are fees like? And to be honest, I don't really think that that's necessarily this, but like, I don't think that's our decision, but just explaining that to people was worthwhile.
F: Yeah, so I agree. I think there's something interesting, because we are coming in slightly different, right, where, like, if you go to PCI or some of these other things that are quite a bit more strict, and it comes in from a... I'm trying to think of how to explain it. It's just like, there is, I guess, like, when you talk about PCI compliance, right, PCI compliance comes with pretty hefty fines if it turns out you broke the rules, especially if you had a data breach and you were taking credit card information, whereas I think right now, at least when it comes to SLSA, there is none of that. That might get codified in people's contracts, but we'll see.

F: Cool. So I think that was all of Open Source Summit. What else? And then I think the general thing for this was prioritizing new work. A lot of the feedback, I know, just sort of gathering from a lot of different folks, was, it seemed like a lot of folks were asking about source track. A lot of folks were asking about also something like a build L4, right. There was some feedback, actually, I forgot to mention in there, and I know it's something that we've been clearing up with folks, is a lot of people were still like, where did the hermetic requirement go? Where did the reproducible requirement go? Are you taking security features out because they weren't popular or whatever, and bowing to corporate interests? It's like, no, it's just that people couldn't agree what hermetic meant, so come join us to build out what the draft level four means, which is big. And then separately, people are asking for... because I think the people are sort of saying, hey, now that I'm doing the build, but you're telling me that the build could produce malware, what can I start to do from the source code perspective to start to track that? And then a third thing was that build system requirement, like, what does a SLSA compliant build system actually look like, and are there requirements that we can specify, or even point people in the direction of... I'm just sort of throwing it out there, right, where there's a lot of different CI sort of security frameworks. Could SLSA say, hey, while we're building out our own...
A: Like, not kind of the tooling or the conformance program, is addressing our now growing list of feedback, and I think there's not really anything blocking that other than just one of us spending time on that, and...

A: I'm glad that you mentioned that Tiani is here. I think the biggest blocker to that, I mean, I don't think anyone stops him from just creating a fork and doing that, because most of the hard work is more thinking work and then writing work. The actual translating it to markdown is the straightforward piece, so I think people could do it.
G: Yeah, so I'm working on a doc, editing, and I'm now getting feedback and then trying to build some profile concept myself. So... that looks good to me. What's that about? Like, once I get enough feedback, I will commit a markdown version to, I think, one of the SLSA proposals repos so that I can get wider feedback. But in general, I think going forward, people can work on some branch. I think the GitHub Action could just automatically build and then deploy to the website, but be patient.
A: So yeah, I think if anyone in the meantime wants to start on that, I think just creating a branch for now, or whatever, not committing to main, would be the way to go, and just create section headers or whatever, and we could just start to iterate on what the ideas are, or... kind of in the idea phase, and like, what should the levels look like? Previously, for the source, for the original version, we had nothing, I think, at level zero, at level one, and then verified identity and retaining the source code at level two, and then two-party review, I think, at level three. But it's not at all clear to me that those should be the levels. Like, we probably, for example, want a source level one that's something other than nothing. But kind of fleshing out that, like, what are the actual requirements? If retention is a thing, what does that mean, or does that go in some sort of dependency track, or who retains it? Is it the source owner, or is it the actual build system, or is it the consumer? Yeah, kind of.
F: Cool, yeah, no, I agree with you there, and I think the thing that actually came off really well in some of the blogs we've done and some of the other information we've done was sort of in how we've encapsulated build as the inputs, the build, and the outputs, and that's what it is. And so stuff like the source code itself would be the responsibility of a source code track. But the build would just be responsible to say, hey, I am pulling down this source code, and this is what I recorded, and that sort of thing, which I thought was really useful, because I think a lot of folks were kind of... what helped out between v0.1 and 1.0 was folks were getting confused by, like, hey, I just run the build system, and now you're telling me I need to be responsible for how source code is two-person code reviewed? Like, that doesn't make sense to me. Whereas here now it's nice and encapsulated, so, usually I would say the build system is owned by a team or an organization. And sometimes the same team and organization owns both, but in many cases that's not true, and it also lets folks sort of pick and choose, right. But yeah, the basic idea, I think, being people are very interested in keeping those things somewhat granular so that they can say, yeah, I don't own the build system, but I can be SLSA level four conformant with this sort of thing, and I think that helps out a lot because, especially within certain organizations, you're going to have different people able to perform different options, be able to do certain things.
E: So I think that makes sense if you're trying to differentiate between the build track versus a source track. But I think that there are still cross-dependencies and cross-requirements between producers and build systems across the different tracks, like maybe there's some level of taking a source track and taking the two-person code review, where you have the producers have set up two-person reviews, and then some higher level is the build platform verifies and enforces that review.
F: Yeah, sorry, I agree there, and in fact, actually, the way I was thinking of it conceptually in my head, and this is just a basic idea, is I think it would be really nice to eventually have the build track say, yeah, let's say, just for example, SLSA level four: with SLSA level four, you should be accepting SLSA level... as part of your build, you should be only ingesting source of SLSA source track level three or whatever, right. Like, you can say, hey, look, as a producer...

F: Yeah, I don't want to get too deep into where the wording might come in, but yeah, something like that, where I could imagine that, as we begin to go up and up in SLSA, somebody might say, hey, SLSA build gives me one thing, SLSA source gives me another thing, but SLSA source plus build gives me something better, right. And this is something I know we had discussed early on, is that the build is obviously one piece... the build component itself is just one piece of a larger picture. There's something that each of those things, like source and build, give you. But then, if you were to combine source, build, dependencies, and packaging and publishing, or whatever, and deployment, all those things kind of give you something much more. But I know folks were kind of... the big feedback we had gotten from a lot of folks is like, hey, we can't do it all. How do we kind of encapsulate it better, and so on.
A: In terms of mechanically, like, for the original question, like, how do we... someone can start to make sure we're not stepping on each other's toes or something like that? I...

A: Going once, twice, okey-doke, all right. Well, it's good seeing everybody. Thanks, Mike, for giving the great feedback again from another summit. I really appreciate that. Thanks, everyone, for joining. We'll see you next time.