►
From YouTube: SLSA Tooling Meeting (January 20, 2023)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
C
B
I'll
give
it
a
few
more
minutes
for
some
folks
to
join
I
know
it's
been
quite
busy
and
also
I
know
that
there's
been
some
shake-ups
that
a
lot
of
the
the
companies
over
the
past
few
days,
so
I
know
that
a
lot
of
folks
are
even,
if
not
impacted,
directly
impacted
in
some
way.
So
give
it
a
few
more
minutes.
B
C
B
It's
mostly
just
clarifications
like
we're,
calling
non-falsifiability
non-forgeability
as
opposed
to
non-falsifiability
so
and
some
like
clarifications
of
that
sort.
The
bigger
changes
have
been
in
the
specification,
so
the
specification
we've
been
trying
to
include
temporal
metadata
and
metadata
that
we
expect
to
change
build
to
build.
Even
if
you
have
a
reproducible
build.
We
expect
that
metadata
to
be
in
its
own
separate
section
so
that
folks
can
go
in
like
tools
would
be
it
would
make
it
much
easier
for
tools
to
just
say.
B
Are
these
two
things
identical
because
I
think
right
now,
what
a
lot
of
folks
are
doing
is
they're
sort
of
going
through
key
key
value
by
key
value
and
checking
if
each
of
those
things
is
equal
and
then
that
that's
causing
some,
you
know
not
issues,
but
it's
it's
not
as
easy
as
just
sort
of
saying:
hey,
here's
all
the
stuff
that
should
be
reproducible
and
then
I.
Can
you
know
if
I
see
that
the
hatches
are
the
same?
B
B
B
Okay,
cool
yeah
yeah,
actually,
that
was
something
I
was
gonna,
bring
up
in
a
little
bit.
I
know:
Visa
is
not
on
this
call,
but
and
I
don't
want
to
share
his
his
design
document
without
his
his
approval,
but
he's
been
working
on
some
npm
salsa
policy
tooling,
and
there
were
some
interesting
things
there
that
I
I,
actually
hadn't
realized
Which
is
less
than
one
percent
of
the
top
1000
packages
of
npm
include
package
log
files,
which
I
was
like.
Oh
okay,
that's
that's!
B
That's
a
little
scary
and
I
think
the
idea
was
potentially
using
salsa
provenance
as
something
akin
to
a
not
a
lock
file,
but
something
that
you
could
at
least
know
like.
Oh
I
pulled
in
something.
Oh,
no,
a
newer
version
came
out
that
doesn't
have
the
salsa
Providence.
It
must
not
be.
You
know
whatever
there's
some
stuff
there,
that
that
seemed
really
interesting
cool
yeah.
So
so,
if
there's
things
on
that
end,
that
you
would
need
some
support
from
the
other
folks.
B
On
the
salsa
side,
I
know
myself
I'm
interested
in
in
helping
out
any
way.
I
can
I
know
some
other
tools
that
are
out
there
like
tecton
and
tecton
chains.
They
have
a
little
bit
of
a
longer
release
Cadence,
so
we
might
try
to
say
hey
we're
going
to
wait
until
after
1.0
is
like
fully
adopted
before
trying
to
get
tecton.
B
Whoops
I
have
been
talking
on
mute.
Sorry,
can
you
hear
me
now?
Okay,
cool
sorry
about
that
so
yeah
yeah,
so
so
the
the
idea
here
behind
it
was
there's
a
bunch
of
different
stuff.
For
example,
under
the
you
know,
salsa
framework
under
a
bunch
of
these
other
different
repos
I'm.
Sorry,
you
know
projects
and
and
whatnot,
whether
it's
like
the
salsa
GitHub
generator
or
whether
it
is
what
else
there's
the
salsa
GitHub
generator.
B
B
It's
kind
of
that
sort
of
thing,
and
then
secondarily,
it's
also
to
show
some
examples
of
hey.
Here's
how
you
might
implement
this,
here's
how
you
might
you
know,
do
all
this
sort
of
stuff,
so
that's
really
kind
of
where,
where
we're
coming
from
there.
So
I
don't
know
if
there's
folks,
who
have
been
working
on
the
on
any
of
these
tools
and
in
fact,
actually
it's
probably
worthwhile
to
put
in
the
notes
here.
B
A
B
B
So
do
you
have
like
a
is
there
like
a
GitHub
issue
or
or
an
existing
PR
that
maybe
we
can
just
point
folks
to
if
they're,
just
sort
of
interested
and
understand
like
whether
they
want
to
obviously
help
participate
here
or
just
at
least
keep
track
of
like
hey?
What's
the
status
of
npm's
implementation
of
this
thing.
A
B
C
C
C
C
B
Okay,
so
from
the
I
will
say
from
obviously
the
from
the
Fresca
and
tecton
side.
You
know
Fresco
relies
on
tecton
today
we're
we
are
pretty
much
ready
to
support
the
1.0
requirements,
I
believe
from
the
Fresca
side
once
again,
tecton
it's
because
of
tecton
chains.
So
it's
it's
kind
of
a
combination
of
things
so
like
pecton
itself
doesn't
necessarily
hit
the
requirements,
but
a
configuration
of
tecton
with
the
right
integration
of
tools
does
support
the
The
Right
Stuff.
B
The
other
thing
here
is
a
but
with
that
said,
I
believe
protect
on
chains.
Just
given
that
it
has
its
release.
Cadence
is
is
significantly
longer
than
the
GitHub
generators
which
are
just
you
know.
Hey
I
made
an
update,
so
we
just
made
another
release
that
that
sort
of
thing
might
be
a
little
bit
easier
but
yeah.
If
folks,
are
aware
of
anything,
feel
free
to
point
folks
in
the
direction
of
that
ticket,
because
that
that
should
also
hopefully
help
folks
out
as
as
well.
C
B
B
B
So
the
so
one
of
the
things
that
we're
looking
to
do
is
a
lot
of
folks
have
been
asking
and
Frederick.
You
might
actually
be
able
to
help
out
here
regarding,
like
Distributing,
the
actual
attestations,
especially
for
different
package
ecosystems
or
different
build
systems,
and
so
on,
and
a
lot
of
folks
have
a
lot
of
different
opinions.
Obviously
folks
get
sort
of
implement
it
as
they
see
fit,
and
you
know
different
tools
will
support
different
things,
but
I
think
there's
been
enough
folks
who
are
just
like
hey.
B
Something
like
that
anyway,
those
things
that
will
help
out
with
distribution
as
well
and
so
I
think
I,
don't
know
if
there's
anybody
working
on
it
trying
to
get
a
hold
of
some
folks
who
I
know
had
chatted
about
this
and
seemed
interested
and
actually
that's
something
else
that
I
will
check
to
see.
If
there's
an
existing
issue
for.
B
B
Yes,
so
yeah,
that
was
something
that
Mark
had
added
and
then
one
of
the
things
that
was
brought
up
in
at
least
in
one
of
the
meetings
was
and
maybe
like.
We
as
a
group
can
not
necessarily
like
we
don't
want
to
dictate
how
folks
implement
it,
but
we
might
want
to
provide
at
least
a
list
of
suggestions
around.
You
know
just
to
say
like
hey,
if
everybody,
let's
say
just
as
an
example,
uses
this
sort
of
rest
API
with
these
sorts
of
endpoints
great.
B
A
You
no
no,
it's
totally
cool,
so
I,
don't
know
nothing,
I
can
say,
is
I,
probably
don't
have
this
exactly
in
my
head
and
I
can
find
it,
but
for
npm
we
will
probably,
if
I
remember
correctly,
we
would
have
like
a
rest.
Endpoint,
that's
called
attestation
and
you
would
call
it
with
package
name
and
package
version,
I.
Think
and
then
you
would
get
like
a
list
of
all
data
stations
stored
for
that
package
and
optional
with
a
filter
mechanist.
So
you
can
filter
for
specific
predicates.
That's
the
rough
idea.
C
B
B
Does
that
mean
I
have
to
actually
download
the
package
to
then
open
it
up
and
then
find
out
that
actually
wait
a
second
or
some
way
of
attaching
it
to
you
know
like
the
Powerball
or
whatever,
because
then
you
end
up
with
this
situation
of
like
oh
I,
have
a
total
with
the
attestation,
but
then
how
do
I
compare
that
with
the
hash
of
what
the
outputs
are?
There's
a
lot
of
different
like
things
there,
but
I
know
that
you
know
from
an
API
standpoint.
B
A
Yeah
one,
you
can
just
add
some
sort
of
background
I,
think
the
document
document
for
npm
is
already
pretty
large
and
that's
sort
of
one
approach.
We
decided
to
have
it
separately
and
especially
like
initially,
we
kind
of
guessed
that
there
will
be
maybe
not
slow,
adopted
adoption
per
se,
but
we
do
think
like
initially
a
lot
of
and
a
lot
of
the
packages
won't
have
any
other
stations
and
because
it's
terrible
or
or
the
document
is
not
signed,
it's
kind
of,
let's
say
a
compromised,
mirror
or
something.
A
B
Yeah
agreed
and
that's
also
another
thing
people
have
been
asking
about
which
is
just
like
hey.
Sometimes
you
have
a
build
attestation,
but
you
also
have
additional
attestations
that
come
afterwards
because
of
stuff
like
security
scans
or
whatever
yeah.
That's,
that's,
that's
that's
really
useful
there
and
so
yeah.
Let
me
so
there
is
an
existing
issue
here.
B
If
there's
anything
on
that
front
and
also
if
there's
anything
like
once
again,
I,
don't
know
if
I
mean
I,
assume
it's
going
to
be
open,
sourced
or
or
like
the
API
for,
for
it
is
the
for
the
distribution
will
be
open
sourced,
because
I
think
you
know
I
know
there
is
some
back
and
forth
about
whether
or
not
salsa
framework
like
openssf
wants
to
take
this
on
as
like.
Should
we
own
some
sort
of.
A
B
Cool
yeah
yeah,
because
I
think
from
from
our
end,
you
know
obviously
the
less
work
that
that
you
know,
because
we
would
love
to
be
able
to
not.
You
know,
obviously
steal
the
work,
but
you
know
say:
hey
the
you
know
the
npm
folks
have
built
this
thing.
We
would
love
to
maybe
make
that
you
know
a
demonstrative
example
or
maybe
even
provide
a
couple
of
suggestions
to
turn
it
into
something
that
could
make
it.
You
know
completely
generic
or
whatever
yeah
for
sure
foreign.
B
D
B
Yeah,
so
so
yeah
I,
I,
I,
read
it
it's
it's,
it's
quite
in-depth.
He
was
quite
in
depth.
There
I
think
the
thing
that
I
found
funny
was
I
was
like
hey.
Why
can't
we
just
use
package
lock
files
and
I
like
read
a
little
bit
further
along,
and
it's
like?
Oh
it's
because
nobody
is
actually
using
package.
B
It's
different
that
one
Brands
runs
and
build
and
then
further
different
than
what
actually
gets
deployed
into
production
is
just
like
yeah,
wild
and
and
I
think
that
sort
of
thing
would
be
useful
and
I
I
know
right
now.
It
seems
like
pizza's
proposal
is
interesting
because
it's
like,
could
you
use
salsa
policy
to
sort
of
essentially
say
actually
when
I
pull
down
packages
pull
down
the
latest
one
with
a
salsa
thing
that
reaches
the
match
of
this
policy?
B
There's
some
stuff
there
that
seemed
interesting,
but
I
know
you
know
previously.
One
of
the
things
that
I
had
done
to
secure
npm
builds
in
a
similar
way
to
some
of
this
stuff
was
regardless
of
whatever
I
was
doing
like
if
I
was
building
an
npm
pack
like
an
internal
npm
pool
package,
yeah
yada
is
even
if
the
Upstream
things
didn't
have
package
lock.json
is
I,
would
download
it
and
then
generate
my
own
package
lock
as
part
of
the
build
and
then
so
when
it
gets
actually
deployed
into
production
or
whatever.
B
A
B
Yeah
yeah,
okay,
yeah
does
any
I
mean
do
you?
Is
there
anything
else
folks
wanted
to
to
chat
over
I
I'm,
hoping
in
the
in
the
coming
weeks?
I
can
demo
off
some
of
the
cool
stuff
we've
been
doing
either
in
the
tooling
meeting
or
in
the
general
salsa
meeting
some
of
the
cool
stuff
we've
been
doing
with
Fresca
and
guac,
or
some
of
the
salsa
stuff
like
where
we
actually
have
Fresca,
generating
salsa
attestations.
A
B
B
For
my
build,
must
you
know,
apply
the
source
of
rules
and
and
these
policy
rules
and
when
generating
the
salsa
provenance,
must
also
follow
these
rules.
So
if
salsa
prominence
on
you
know,
if
you
built
something
and
it
doesn't
match
some
sort
of
salsa
Providence
rules
at
the
end,
it's
like
sorry,
you
don't
actually
get
publisher
package
that
kind
of
thing.