►
From YouTube: SLSA Specifications Meeting (May 15, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
B
C
D
E
D
F
F
F
You
can't
convince
me
that
anything
built
on
Travis
the
past
few
years
is
in
any
way
safe
and
so
I
I
thought
that
was
an
interesting
piece
of
feedback.
I
think
generally
I
think
still
what
we
have
there
makes
sense,
but
I
do
think
that
maybe
we
have
some
additional
clarifications
and
and
the
way
that
they
said
we
should
be
framing.
A
A
A
A
Different
vendors
I
don't
want
to
have
to
trust
a
thousand
different
things,
even
if
you
know
it
makes
sense
for
them
individually.
So
so
that's
probably
one
thing
we
could
talk
about
another
is
it
just
kind
of
hot
to
highlight.
Reproducible
builds
is
a
great
answer
for
here,
because
then
they
could
build
it
on
their
laptop
and
you
can
build
it
on
CI
and
you
could
trust
you
know
either.
E
Yeah
I,
actually
just
had
a
conversation
about
hosted,
builds
today
with
some
other
folks,
and
the
point
that
I
was
trying
to
arrive
at
is
that
if
you
have
something
running
on
somebody's
Hardware
that
it's
a
lot
easier
for
it
to
be
compromised
because
there
doesn't
have
to
be
a
pivot
involved,
and
so
it
just
is
an
individual
compromise.
That
would
then
compromise
the
build
system.
Whereas
if
something
is
hosted
and
again,
it
doesn't
have
to
be
hosted
on
some
external
service.
E
What
what
might
be
the
the
concern
is
more
with
Travis,
because
the
issues
that
have
happened
with
Travis
and
I
don't
know
if
there's
been
any
indication
from
the
Travis
from
those
that
are
running
Travis,
whether
there's
a
desire
to
start
attesting
to
some
salsa
level.
But
maybe
that's
not
the
best
example
to
include
in
there,
and
maybe
we
can
have
something
else.
I
think
it
was
included
in
there
to
to
indicate
that
it
is
a
service
as
as
something
that's
in
addition
to
GitHub
and
Google
Cloud.
F
Yeah
yeah
now
I
I
agree
there
and
I
think
there's
definitely
areas.
We
can
I
think
clarify
some
stuff,
whether
it's
in
blogs,
or
something
like
that.
Just
on
on
like
why
we
are
sort
of
viewing
the
build
Service
as
something
separate
from
the
hosted
and
I
think
a
lot
of
it
really
does
come
down
to
yeah.
You
can,
and
this
I
know
this
was
you
know
to
what
Joshua
has
said
is
on
the
npm
RFC.
There
was
some
pushback
like
hey.
F
Why
is
my
laptop,
not
good
enough
and
I
think
it
has
less
to
do
with
whether
or
not
you've
completely
secured
your
laptop?
It
has
more
to
do
with
both
what
you
said
there
right,
Andrew,
which
is
like,
if
I'm
running
on
a
laptop,
it's
much
easier
to
compromise,
a
single
laptop
than
to
compromise,
an
entire
build
system
generally,
and
it's
also
probably
easier
to
prove
that
the
build
system
is
secure
than
to
say
hey
this.
F
You
know
my
MacBook
that
I
carry
around
with
me
on
planes
and
go
wherever
and
so
on
is
is
a
little
bit
different
than
you
know,
something
that's
hosted
on.
You
know
whether
it's
the
cloud
or
in
a
data
center
or
whatever
and
then
but
but
with
that
said,
I-
think
that
there's
there's
definitely
areas.
We
can
kind
of
I.
Think
the
big
thing
which
you
highlighted
there
is
you
get
the
visibility
into.
This
is
a
build
service.
F
F
He
said
he
was
an
old
school
Apache
person
and
and
said
you
know,
when
you
know
you're
gonna,
it's
gonna
be
hard
to
convince
a
lot
of
the
sort
of
Apache
Foundation
folks
that
building
off
off
of
their
laptop
is
insecure.
But
building
you
know
from
a
known
place
is
often
much
better
than
just
building
off
an
unknown
place
and
then
the
unknown
Place
being
somebody's.
You
know
laptop.
F
F
C
Yeah
and
I
think
a
lot
of
these
questions
are
coming
off
the
off
the
back
of
of
the
clarity
around
whether
this
is
a
security
framework,
compliance
requirements
or
whether
we're
special,
some
type
of
conformance
and
I.
Think
what's
happening.
Is
you
know
when
we,
when
we
say
a
matter
of
compliance
and
we're
saying
that
that
you
know
or
with
saying
maturity
model
was
saying
compliance,
requirements
or
saying
security,
framework
or
health
say
security
framework
that
are
going
to
be
those
that
ask?
C
Well
what
are
the
threats
that
that
we're
trying
to
mitigate?
What's
the?
What's
the
threat
model
right,
you're
going
to
have
those
questions,
you're
saying
it's
a
maturity
model,
but
then
you're
going
to
have
to
have
those
respective
maturity
levels,
which
of
course,
we
do
levels
one
through
three.
At
this
point
and
if
you
say
it's
compliance
requirements
well,
then
you're
gonna
have
to
have
those
requirements
in
place
and
then
of
course,
because
this
isn't
a
a
because
it
because
we
don't
have
an
auditing
and
we're
still
trying
to
work
that
part
out.
C
But
since
this
isn't
being
audited
by
a
third
party,
you
do
have
to
tie
it
back
into
something
that
is
so.
A
lot
of
these
questions
are
coming
up
because
I
don't
know
that
that
we're
clear
enough
on
on
what
this
is
and
then
putting
out
the
the
justification
or
the
or
the
right
subsequent
information.
That's
tied
to
what
we're
saying
this
is
so
that's
the
only
reason
why
I
see
these
kind
of
questions
coming
up
and
Josh.
That's
a
good
question.
C
I'm,
with
with
Mike
on
this
one,
I
didn't
think
Josh
was
being
malicious
in
this
question.
I
think
he
was
providing
an
Avenue
for
us
to
to
quell
some
of
the
some
of
the
questions
that
he
might
be
getting
or
others
might
be
getting
out
there.
So
I
did
appreciate
the
question
and
I
appreciate
how
we
answered
that
question
in
the
moment.
C
A
F
Some
of
it
is
I
think
in
how
we
communicate
it
as
well,
which
is
more
for
the
positioning
group,
because
some
of
it
I
I
feel
like
was
a
bit
like.
Hey
I
haven't
read
the
docs.
What's
like
the
two,
you
know
the
two
second
Pitch,
but
in
addition
to
that,
one
of
the
things
that,
like
after
having
conversations
afterwards,
one
of
the
things
that
people
seem
to
sort
of
indicate-
and
this
is
something
that
I
we
had
done
with
Fresca
a
while
back-
was
like
almost
like.
F
F
Could
we
create
a
couple
of
examples
of
like
within
collaboration,
obviously
with
the
spec
here
you
know,
could
we
create
a
couple
of
like
this
is
what
a
malicious
example
looks
like,
and
here
is
why
it
doesn't
work,
because
I
think
a
lot
of
folks
are
just
getting
confused.
They're,
like
oh
I,
see
all
this
stuff,
but
I.
F
Is
you
can't
like
if
you
are
salsa
level,
three,
it's
much
harder
to
lie
about
you
generating
malware
like
you
go
back
and
you're
like
wait,
a
second
I
was
told,
I
was
pulling
in
these
things,
but
the
build
actually
seemed
to
have
been
pulling
in
a
bunch
of
other
stuff
or
the
you
know.
I
was
told
that
build
ran
these
commands.
But
this
thing
you
know
when,
when
the
GitHub
generator
or
whatever
recorded
these
other
commands,
so
what
what
happened
there
I
think
that's
where
salsa
is
is
coming
in.
A
Yeah
and
in
fact
yeah,
this
is
a
good
point.
I
wanted
to
do
this
for,
like
a
year
now
and
I.
Think
like
we
talked
about
I,
think
we
might
have
an
open
issue
about
this.
I
think
Joshua
and
I,
and
maybe
someone
else
from
VMware
talked
about
doing
this
a
while
back
like
a
basically
a
salsa
playground
or
something
like
that.
Where,
like
you,
could
actually
see
a
registry
and
like
try
things
of
like
there's
a
this
policy
in
place,
try
uploading
it
gets
rejected.
You
do
build
this
way.
It
gets
rejected.
A
I
I,
really
think
that
would
help
a
lot,
and
that
would
go
a
very,
very
long
way
to
to
explaining
I
think.
Another
thought
is
the
current
threats.
Page
is
like
very,
very
detailed
and
low
level,
because
it's
trying
to
be
exhaustive,
it
probably
would
be
good
to
have
a
more
narrative
talk.
That's
like
you
know!
Well
why
why
do
you
need
salsa
like,
but
here's
the
type
of
things
that
would
attach
you
know
prevent,
like
let's
say,
you're
a
company.
B
A
Official
documentation
would
be
pretty
I
think
if
we
make
that
less
about,
like
here's
like
a
a
list
of
a
example
I'd,
be
example,
C
example,
but
make
it
a
little
bit
more
Narrative
of
like
here's
an
example
source
to
prod
pipeline
or
publishing
software.
Some
kind
of
example,
scenario
and
say
like.
B
B
Is
you
know
it's
important
the
specifications
that
we
don't
say
the
same
thing
in
two
different
ways
where
you
can
introduce
discrepancies
right
so,
even
though
the
spec
might
be
a
bit
too
compact
for
everybody
to
comprehend
all
the
Gory
details,
there's
value
in
keeping
it
concise
and
that's
why
I
say
well,
you
can
always
add
blog
posts
and
whatnot,
because
then
there
is
no
issue.
If
there
is
a
discrepancy,
the
spec
is.
The
last
you
know
is
the
the
is
the
law.
B
F
Yeah
yeah-
and
there
was
also
a
some
folks
had
pointed
out
a
few
things
recently
on
on
that
and
I
think
somebody
had
called
something
Salsa
Salsa
version
for
when
they
met
salsa
level.
Four
and
yeah.
There
was
a
a
good
deal
of
confusion
on
some
of
those
yeah
yeah
salsa
V4
requires
yeah,
it's
somebody.
You
know
so
I
think
that
there's
some
stuff
that
you
know
I
think
as
time
goes
on,
it'll
get
better
and
I
think
there's
nothing.
A
B
No
I,
as
Mike
said,
I
think
people
may
get
the
the
right
mental
model.
Eventually
we
just
I,
don't
know
I.
Actually,
I
haven't
had
a
chance
to
look
at
the
spec
again
to
see
whether
we
are
clear
on
how
those
things
are,
but
it's
almost
like
maybe
having
a
graphic
that
shows
the
three
dimensions.
Version
tracks
and
levels
can
be
helpful.
B
F
D
F
And
then
yeah
art
there
was
a
ton
of
talks
on
salsa
at
open
source,
Summit
and
open
a
step
day.
There
was
the
panel.
There
was
the
Deep
dive
into
sort
of
the
actual
technical
stuff
and
I
want
to
thank
Ian
and
Laurent
from
the
ghost
team.
I
I
use
their
npm
Builder
as
a
the
beta
Builder
to
show
off
to
folks,
because
I
folks
were
also
asking
for
straightforward
examples.
F
I
think
a
lot
of
folks
were
asking
the
tooling
you
know
for
for
tooling,
like
hey,
is
there
tooling
for
team
city?
Is
there
tooling,
for
all
these
other
things
and
I
I
I
recommended
that
they
joined
the
the
tooling
group
and
and
help
help
us
build
that
up?
The
other
things
were
also.
There
was
some
feedback
from
a
couple
of
the
there's,
some
folks
from
the
various
ecosystems
like
Packaging
Systems
there.
F
There
seemed
to
be
still
some
interest
in
like
how
do
we
distribute
salsa
metadata,
and
maybe
is
there
a
way
to
distribute
it
relatively
in
sync,
with
the
rest
of
the
ecosystems,
so
that
we
don't
end
up
having
to
build
tools
that,
like
specific
support?
That
is
hard
to
build,
for
you
know:
Maven
Central
for
Pi
Pi
for
Gem
Etc.
F
H
So
I'm,
actually
I
I,
must
admit.
I
joined
about
10
minutes.
Late
I
had
trouble
getting
a
conference
room,
but
the
feedback
I
got
sounded
very
different
to
the
feedback.
The
rest
of
you
got,
which
was
primarily
positive
and
much
more
less
concerned
with
confusion
and
concerned
about
how
you
will
how
you
will
track
like
salsa.
Well,
I
mean
my
talks
are
also
conformant.
So
that's
what
people
talked
about,
but
they
wanted
to
know.
How
do
you
know
that
you're
doing
salsa
salsa?
What
will
audits
look
like?
H
What
I
did
hear
about
tooling
was
generally
positive
towards
the
GitHub
actions,
but
looking
for
support
from
other
ecosystems,
what
else
yeah
I
mean
I
could
go
into
more
specifics.
It
seems
about
50
of
people
hate
the
idea
of
self
attestation
to
of
salsa
level.
50
of
people
hate
the
idea
of
third-party
audits,
so
I
I
assume
we're
doing
something
right.
F
Yeah,
so
this
is
something
I
just
so
happy
like,
because
I
saw
a
similar
feedback.
I
didn't
get
didn't
get
nearly
as
much
as
Chris
did,
but
the
folks
that
I
saw-
and
this
is
the
same
way
I
found
with
pretty
much
any
any
one
of
these
requirements
is,
if
you
are
the
one
saying,
I'm,
salsa,
compliant
or
conformant,
you
obviously
just
want
to
self-certify.
F
If
you
are
somebody
who's
consuming
that
you
want
to
say
no
I
don't
want
to
just
consume
somebody's
self-assessment.
I
want
them
to
go
through
an
audit,
so
I
think
the
thing
I
always
find
is
is
folks
who
are
consuming
salsa
want
everybody
else
to
to
go
through
Audits,
and
if
you
are
the
one
who
is
producing
salsa,
you
want
to
just
say
yeah,
of
course,
I'm
salsa.
F
Here's,
my
self-assessment,
I,
think
I
I
think
around
that
I
I
also
think
that
you
know
a
lot
of
that
is
like
when
you
sit
down
with
folks
and
you
just
sort
of
say:
hey
you
still
get
to
trust.
Who
you
want
to
trust
I
think
is,
is
important
as
an
important
piece
that
I
think
folks
are
I.
I
know
one
of
the
other
things
that
kind
of
came
out
of
that
was
folks
were
books
were
trying
to
figure
out
like
if
I
am
a.
F
I
think
that
sort
of
thing
is
is
is
something
that
folks
are
looking
at
I.
Think
still,
though,
you
know,
different
companies
are
just
going
to
say:
yeah
I,
don't
trust
small
company
X,
because
even
if
they
did
get
an
audit
I,
just
don't
trust
that
you
know
they're,
they're,
small
and
whatever,
and
you
know
I,
don't
trust
them
or
whatever
it
is,
and
then
other
companies
will
be
like
Yep.
This
is
a
giant
company
and
and
I
think
generally
they
do.
The
right
things
and
and
I
trust
them.
H
Right,
which
is
reminds
me,
the
other
feedback
I
got
was
about
the
I
guess
the
economics
of
auditing.
The
question
is:
who
pays
for
it?
What
are
fees
like
and
to
be
honest,
I?
Don't
really
think
that
that's
necessarily
this,
but
like
I
I,
don't
think
that's
our
decision,
but
just
explaining
that
to
people
was
was
worthwhile.
F
F
There
is
I
guess
like
when
you
talk
about
PCI
compliance
right,
PCI
compliance
comes
with
pretty
hefty
fines.
If
it
turns
out,
you
broke
the
rules,
especially
if
you're,
like
you
know
a
you
know,
if
you
had
a
data
breach
and
you
were
taking
credit
card
information,
whereas
I
think
right
now,
at
least
when
it
comes
to
salsa.
There
is
none
of
that
that
might
get
codified
in
people's
contracts,
but
but
we'll
see.
F
F
Was
it
seemed
like
a
lot
of
folks
were
asking
about
source
track?
A
lot
of
folks
were
asking
about
also
something
like
a
build
L4
right.
A
lot
of
you
know
there
was
some
feedback
actually
I
forgot
to
mention
in
there
and
I
know
it's
something
that
we've
been
clearing
up
with
folks
is.
A
lot
of
people
were
still
like.
Where
did
the
Hermetic
requirement
go?
Where
did
the
reproducible
requirement?
Go?
F
Are
you
you
know?
Are
you
taking
security
features
out
because
they
weren't
popular
or
whatever
and
and
you're
you
know
bowing
to
corporate
interests,
is
like
no,
it's
just
that
people
couldn't
agree.
What
hermetic
meant
so
come
join
us
to
build
out
what
the
draft
level
four
means,
which,
which
is
big
and
then
separately,
people
are
asking
for.
You
know,
because
I
think
the
the
people
are
sort
of
saying
hey
now
that
I'm
doing
the
build,
but
you're
telling
me
that
the
build
could
produce
malware.
F
What
can
I
start
to
do
from
the
source
code
perspective
to
start
to
track
that,
and
then
a
third
thing
was
that
build
system
requirement
like
what
does
a
salsa
compliant
build
system?
Actually
look
like
and
are
there
requirements
that
we
can
specify
or
even
Point
people
in
in
the
direction
of
like
I'm,
just
sort
of
you
know,
throwing
it
out
there
right
where
there's
like
a
lot
of
different
CI
sort
of
security
Frameworks.
Could
you
point
you
know,
could
salsa
say
hey
while
we're
building
out
our
own?
A
D
A
A
I'm
glad
that
you
mentioned
that
Tiani
is
here,
we
I
think
the
biggest
blocker
to
that
I
mean
like
I.
Don't
think
anyone
stops
him
from
just
creating
a
fork
and
doing
that
because
most
of
the
hard
work
is
like
is
more
thinking,
work
and
then
thought
writing
work.
The
actual
translating
it
to
markdown
is
is
like
they
want
straightforward
piece,
so
I
think
people
could
do
it.
A
G
C
G
That
that
talks
looks
good
to
me.
I
will?
What?
What's
that
about
like
I
get
enough
feedback
I
will
commit
a
a
markdown
version
to
the
I
think
one
of
the
salsa
proposal
report
so
that
I
can
get
like
a
wider
feedback,
but
in
general,
like
I,
think
going
forward.
People
can
working
on
some
Branch
I
think
the
the
the
GitHub
action
could
just
automatically
build
in
and
and
then
deploy
to
to
the
website,
but
be
patient.
A
So
yeah
I
think
if
anyone
in
the
meantime
wants
to
start
on
that,
I
think
just
creating
a
creating
a
branch
for
now
for
a
branch
or
whatever
not
committing
to
Maine
would
be
the
way
to
go,
and
just
like
you
know,
create
like
section
headers
or
whatever
and
like
we
could
just
start
to
iterate
on
what
they
got.
Ideas
are
or.
A
Kind
of
in
the
idea
phase
and
like
what
should
the
levels
look
like
previously,
we
had
like
for
the
source
for
for
the
original
version.
We
had
nothing
I
think
at
level,
zero
at
level
one
and
then
like
verified
identity
and
retaining
the
source
code
at
level
two
and
then
two-party
review
I
think
at
level
three.
A
But
like
I'm,
it's
not
all
clear
to
me
that
those
should
be
the
levels
like
we
probably,
for
example,
Want
To,
Source
level,
one,
that's
something
other
than
nothing,
but
like
kind
of
like
flushing
at
that,
like
what
are
the
actual
requirements.
If,
if
retention
is
a
thing,
what
does
that
mean
or
does
that
go
in
like
some
sort
of
dependency
track
or
who
retains
it?
Is
it
the
source
owner
or
is
it
the
actual
build
system,
or
is
it
the
consumer
yeah
kind.
F
Cool
yeah,
no,
no
I
agree
with
you.
There
and
I
think
the
thing
that
that
actually
came
off
really
well
in
some
of
the
blogs
we've
done
and
some
of
the
other
information
we've
done
was
sort
of
in
how
we've
encapsulated
build
as
the
inputs,
the
build
and
the
outputs
and
like
that's
what
it
is
and
so
stuff
like
the
source
code
itself,
would
be
the
responsibility
of
a
source
code
track.
E
So
I
I
think
that
makes
sense
if
you're
trying
to
differentiate
between
the
build
track
versus
a
source
track.
But
I
I
think
that
there
is
still
cross
dependencies
and
cross
requirements
between
producers
and
build
systems
across
the
different
tracks,
like
maybe
there's
some
level
of
of
taking
a
source
track
and
taking
the
two-person
code
review.
Where
you
have
like
a
the
The
Producers
have
Associated
or
have
have
set
up
two-person
reviews
and
then
some
higher
level
is
the
build
platform
verifies
and
enforces
that
review.
F
Yeah
yeah
sorry,
I
I
agree
there
and
in
fact,
actually
the
way
I
was
thinking
it
conceptually
in
my
head
and
and
feel
you
know,
this
is
just
a
basic
idea
is
I
think
it
would
be
really
nice
to
eventually
have
the
build
track.
Say
yeah
like
let's
say
just,
for
example,
salsa
level,
four,
with
salsa
level.
Four,
you
should
be
accepting
salsa
level
like
as
part
of
your
build.
You
should
be
only
ingesting
source
of
salsa
source
track
level.
Three
or
whatever.
Right,
like
you
can
say,
hey
look
as
a
producer.
F
F
Yeah
I
don't
want
to
get
it
too
deep
into
where,
where
the
wording
might
come
in
but
yeah,
something
like
that
where
I
could
imagine
that,
as
we
begin
to
go
up
and
up
and
salsa
somebody
might
say,
hey
salsa
build
gives
me
one
thing:
salsa
source
gives
me
another
thing,
but
salsa
Source
plus
build
gives
me
something
better
right,
and
this
is
something
I
know
we
had
discussed
early
on.
Is
that
like
the
build
is
what
obviously
one
piece
like
the
build
component
itself
is?
Is
just
one
piece
of
a
larger
picture?
F
There's
something
that
each
of
those
things
like
source
and
build,
give
you.
But
then,
if
you
were
to
combine,
you
know,
Source
build
dependencies
and
packaging
and
Publishing
or
whatever
and
deployment
all
those
things
kind
of.
Give
you
something
much
more,
but
I
know
folks
were
kind
of.
You
know
the
the
big
feedback
we
had
gotten
from
a
lot
of
folks
is
like
hey.
We
can't
do
it
all.
How
do
we
kind
of
encapsulate
it
better
and
and
so
on,
so
on.