►
From YouTube: SLSA Tooling Meeting (January 20, 2023)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
B
It's
going
all
right
how
you
doing
oh
I'm,
pretty
okay,.
C
D
B
I'll
give
it
a
few
more
minutes
for
some
folks
to
join
I
know
it's
been
quite
busy
and
also
I
know
that
there's
been
some
shake-ups
that
a
lot
of
the
the
companies
over
the
past
few
days,
so
I
know
that
a
lot
of
folks
are
even,
if
not
impacted,
directly
impacted
in
some
way.
So
give
it
a
few
more
minutes.
B
Yeah,
there's
the
doc
feel
free
to
reach
out
to
the
open
ssf.
If
I
I'm
sometimes
struggle
to
kind
of
get
a
response,
but.
C
B
Okay,
we
could
probably
get
started
and
see
as
folks
hop
on
so
the
agenda
for
today
actually
was
mostly
gonna,
try
and
see
if
we
can
get
some
folks
also.
B
Actually
you
know
just
as
a
reminder:
meetings
being
recorded,
it'll
be
uploaded
to
YouTube
shortly
thereafter,
and
also
your
contrast
or
your
participation
in
this
meeting
is
an
agreement
to
abide
by
the
open,
ssf
code
of
conduct,
and
so
just
as
a
reminder,
like
the
only
major
thing
on
the
agenda
was
you
know
looking
for
we're
looking
for
contributors
for
getting
tools
ready
for
1.0,
spec
and
requirements
so
for
the
most
part,
I
believe
1.0,
based
on
the
changes
we've
seen
in
the
spec,
it's
a
little
bit
of
minutia,
but
it's
not
really
any
sort
of
material
change
between
0.2
requirements
and
1.0.
B
It's
mostly
just
clarifications
like
we're,
calling
non-falsifiability
non-forgeability
as
opposed
to
non-falsifiability
so
and
some
like
clarifications
of
that
sort.
The
bigger
changes
have
been
in
the
specification,
so
the
specification
we've
been
trying
to
include
temporal
metadata
and
metadata
that
we
expect
to
change
build
to
build.
Even
if
you
have
a
reproducible
build.
We
expect
that
metadata
to
be
in
its
own
separate
section
so
that
folks
can
go
in
like
tools
would
be
it
would
make
it
much
easier
for
tools
to
just
say.
B
Take
the
take
the
hash
of
this
section
of
the
of
of
you
know
these
keys
and
values
of
in
sorry
in
the
in
the
province
document,
and
then
you
know
so
that
we
can
pretty
much.
B
You
know
very
easily
see
that
you
know
different
sections
of
the
the
document,
whether
or
not
they're
the
same,
and
that
should
be
the
stuff
that
is,
you
know,
quote
unquote,
reproducible
right
so
like
if
it
has
all
the
same
hash
inputs,
all
the
various
same
hash,
outputs
and
you
know
the
same
sort
of
inputs
for
the
the
build
and
whatnot.
B
B
Are
these
two
things
identical
because
I
think
right
now,
what
a
lot
of
folks
are
doing
is
they're
sort
of
going
through
key
key
value
by
key
value
and
checking
if
each
of
those
things
is
equal
and
then
that
that's
causing
some,
you
know
not
issues,
but
it's
it's
not
as
easy
as
just
sort
of
saying:
hey,
here's
all
the
stuff
that
should
be
reproducible
and
then
I.
Can
you
know
if
I
see
that
the
hatches
are
the
same?
B
Now,
let
me
go
key
value
by
key
value
to
to
see
what's
what's
changed,
so
that's
one
of
the
big
things
I
was
hoping
to
to
get
some
of
the
folks
who've
been
working
on
the
GitHub
generator
stuff
to
maybe
stop
by
AI.
I
know
that
even
you
know
I
know.
B
A
lot
of
those
folks
are
from
Google
I
know:
there's
been
some
stuff
this
morning
for
those
of
us
here
in
the
east
coast
at
least
I
know,
there's
been
some
some
shake-ups
there,
so
hopefully
nobody's
impacted,
but
anyway,
looking
to
kind
of
work
with
some
of
them
on
getting
something
like
a
1.0,
spec
ready
and
that's
supposed
to
be
in
preparation
for
1.0,
which
once
again
most
likely
sometime
Feb,
will
be
in
a
draft
form
and
then
it'll
probably
be
a
month
or
two
of
getting
back
feedback.
B
And
then
you
know
figure,
probably
before
the
summer
I
assume
you
know,
the
full-fledged
1.0
will
be
released.
So
that's
that
the
other
thing
is
Mike
can.
A
I
adjust
something
to
that,
so
you
did
mention
the
it's
also
Builder
from
Google,
but
even
from
npm
we
are
targeting
the
wonderful
effect
or
the
built-in
provenance
generation
in
the
CLI.
B
Okay,
cool
yeah
yeah,
actually,
that
was
something
I
was
gonna,
bring
up
in
a
little
bit.
I
know:
Visa
is
not
on
this
call,
but
and
I
don't
want
to
share
his
his
design
document
without
his
his
approval,
but
he's
been
working
on
some
npm
salsa
policy
tooling,
and
there
were
some
interesting
things
there
that
I
I,
actually
hadn't
realized
Which
is
less
than
one
percent
of
the
top
1000
packages
of
npm
include
package
log
files,
which
I
was
like.
Oh
okay,
that's
that's!
B
That's
a
little
scary
and
I
think
the
idea
was
potentially
using
salsa
provenance
as
something
akin
to
a
not
a
lock
file,
but
something
that
you
could
at
least
know
like.
Oh
I
pulled
in
something.
Oh,
no,
a
newer
version
came
out
that
doesn't
have
the
salsa
Providence.
It
must
not
be.
You
know
whatever
there's
some
stuff
there,
that
that
seemed
really
interesting
cool
yeah.
So
so,
if
there's
things
on
that
end,
that
you
would
need
some
support
from
the
other
folks.
B
On
the
salsa
side,
I
know
myself
I'm
interested
in
in
helping
out
any
way.
I
can
I
know
some
other
tools
that
are
out
there
like
tecton
and
tecton
chains.
They
have
a
little
bit
of
a
longer
release
Cadence,
so
we
might
try
to
say
hey
we're
going
to
wait
until
after
1.0
is
like
fully
adopted
before
trying
to
get
tecton.
B
Sorry
tecton
attacked
on
chains
to
to
accept
that
yeah
hi.
So.
B
Specific
issues
of
PRS
that
we
can
help
with
so
I
think
the
thing
was.
B
Whoops
I
have
been
talking
on
mute.
Sorry,
can
you
hear
me
now?
Okay,
cool
sorry
about
that
so
yeah
yeah,
so
so
the
the
idea
here
behind
it
was
there's
a
bunch
of
different
stuff.
For
example,
under
the
you
know,
salsa
framework
under
a
bunch
of
these
other
different
repos
I'm.
Sorry,
you
know
projects
and
and
whatnot,
whether
it's
like
the
salsa
GitHub
generator
or
whether
it
is
what
else
there's
the
salsa
GitHub
generator.
B
There
is
the
there's
a
salsa
verifier,
there's
the
salt
there's
a
Jenkins
one!
B
There's
you
know
stuff,
that's
coming
from
other
groups
like
npm,
there
is
stuff,
like
you
know,
Fresca
and
tecton,
and
these
all
support
you
know,
or
they
all
support
salsa
today
and
some
of
them
we
want
to
see,
can
we
prep
them
for
salsa
1.0,
because
I
think
one
of
the
first
things
that's
going
to
happen
is
once
we
go
into
once
we
start
to
say:
there's
a
draft
people
are
going
to
start
to
immediately
start
asking
like
questions
about
how
do
I
implement
it
and
or
or
you
know
what
tools
support
this
so
I
know
how
if
I
can
prep
myself
and
yeah,
yeah
and
I
think
that
sort
of
thing
is
going
to
be
useful
to
just
have
you
know,
the
two
main
goals
are.
B
B
It's
kind
of
that
sort
of
thing,
and
then
secondarily,
it's
also
to
show
some
examples
of
hey.
Here's
how
you
might
implement
this,
here's
how
you
might
you
know,
do
all
this
sort
of
stuff,
so
that's
really
kind
of
where,
where
we're
coming
from
there.
So
I
don't
know
if
there's
folks,
who
have
been
working
on
the
on
any
of
these
tools
and
in
fact,
actually
it's
probably
worthwhile
to
put
in
the
notes
here.
B
Let's
see:
oh
okay,
so
you
very
cool
you've
somebody's
been
already
adding
thanks,
whoever's
been
adding
in
there.
So
D
is
the
npm
thing.
Is
that
just
the
npm
CLI.
B
So
is
the
is
the
getting
npm
to
support.
This
thing
is
that
is
that
just
the
npm
CLI.
A
Yes
and
of
course,
any
back
in
store
of
the
other
stations,
because
we
would
sort
of
need
to
verify
part
of
them
as
well
to
make
sure
like
yeah
crypto
to
cryptographic.
Material
holds
up
Etc,
but
primarily
I
would
say
on
the
CLI.
Some
on
the
server
side.
B
B
So
do
you
have
like
a
is
there
like
a
GitHub
issue
or
or
an
existing
PR
that
maybe
we
can
just
point
folks
to
if
they're,
just
sort
of
interested
and
understand
like
whether
they
want
to
obviously
help
participate
here
or
just
at
least
keep
track
of
like
hey?
What's
the
status
of
npm's
implementation
of
this
thing.
A
Aware
of
in
my
head,
there
probably
are
I:
I
can
go
and
see
if
I
find
someone
and
then
I
will
add
them.
B
Sure
yeah
just
just
want
to
make
sure
that,
as
we
kind
of
do,
this
I
was
gonna,
probably
after
this
this
meeting.
Actually,
in
fact,
let
me
do
that
right
now,
I'm
going
to
create
a
GitHub
issue
under
salsa
framework.
C
C
C
B
C
B
So
that
was
that.
B
Okay,
so
from
the
I
will
say
from
obviously
the
from
the
Fresca
and
tecton
side.
You
know
Fresco
relies
on
tecton
today
we're
we
are
pretty
much
ready
to
support
the
1.0
requirements,
I
believe
from
the
Fresca
side
once
again,
tecton
it's
because
of
tecton
chains.
So
it's
it's
kind
of
a
combination
of
things
so
like
pecton
itself
doesn't
necessarily
hit
the
requirements,
but
a
configuration
of
tecton
with
the
right
integration
of
tools
does
support
the
The
Right
Stuff.
B
The
other
thing
here
is
a
but
with
that
said,
I
believe
protect
on
chains.
Just
given
that
it
has
its
release.
Cadence
is
is
significantly
longer
than
the
GitHub
generators
which
are
just
you
know.
Hey
I
made
an
update,
so
we
just
made
another
release
that
that
sort
of
thing
might
be
a
little
bit
easier
but
yeah.
If
folks,
are
aware
of
anything,
feel
free
to
point
folks
in
the
direction
of
that
ticket,
because
that
that
should
also
hopefully
help
folks
out
as
as
well.
C
B
And
then
the
does
anybody
else
have
anything
else
from
the
tool
side
that
they
wanted
to
chat
through.
Otherwise
we
can
talk
a
little
bit
about
the
attestation
sort
of
Discovery
and
and
distribution.
B
Okay,
so
I
know
we
had
talked
about
this
previously
and
I
know.
Mark
has
been
talking
about
it
as
well.
B
So
the
so
one
of
the
things
that
we're
looking
to
do
is
a
lot
of
folks
have
been
asking
and
Frederick.
You
might
actually
be
able
to
help
out
here
regarding,
like
Distributing,
the
actual
attestations,
especially
for
different
package
ecosystems
or
different
build
systems,
and
so
on,
and
a
lot
of
folks
have
a
lot
of
different
opinions.
Obviously
folks
get
sort
of
implement
it
as
they
see
fit,
and
you
know
different
tools
will
support
different
things,
but
I
think
there's
been
enough
folks
who
are
just
like
hey.
B
It
would
be
great,
though,
if,
let's
just
say
like
as
an
example,
you
know
if
npm
and
python-
and
you
know
Ruby
all
sort
of
do
it
similarly,
so
that
the
tools
that
let's
say,
would
then
pull
down
the
stations,
could
pull
it
down
in
similar
ways
similar
to
how
like
with
containers
more
or
less
you
know,
folks,
are,
are
either
following
the
existing
sort
of
sing
store
convention
or,
as
time
goes
on,
they're
planning
to
follow
the
the
the
the
the
new
oci
spec
stuff,
which
the
the
distribution,
spec
and
there's
a
lot
of
stuff
in
there
prefers
API.
B
Something
like
that
anyway,
those
things
that
will
help
out
with
distribution
as
well
and
so
I
think
I,
don't
know
if
there's
anybody
working
on
it
trying
to
get
a
hold
of
some
folks
who
I
know
had
chatted
about
this
and
seemed
interested
and
actually
that's
something
else
that
I
will
check
to
see.
If
there's
an
existing
issue
for.
A
So
on
that
I'm,
actually
looking
at
the
current
salsa
sort
of
one
one
little
speck
and
if
I'm
not
wrong
here,
I
think
there
is
like
a
section
in
this
spec
that
says,
like
each
ecosystem
should
Define
how
to
discover
and
download
other
stations.
B
B
Yes,
so
yeah,
that
was
something
that
Mark
had
added
and
then
one
of
the
things
that
was
brought
up
in
at
least
in
one
of
the
meetings
was
and
maybe
like.
We
as
a
group
can
not
necessarily
like
we
don't
want
to
dictate
how
folks
implement
it,
but
we
might
want
to
provide
at
least
a
list
of
suggestions
around.
You
know
just
to
say
like
hey,
if
everybody,
let's
say
just
as
an
example,
uses
this
sort
of
rest
API
with
these
sorts
of
endpoints
great.
B
A
You
no
no,
it's
totally
cool,
so
I,
don't
know
nothing,
I
can
say,
is
I,
probably
don't
have
this
exactly
in
my
head
and
I
can
find
it,
but
for
npm
we
will
probably,
if
I
remember
correctly,
we
would
have
like
a
rest.
Endpoint,
that's
called
attestation
and
you
would
call
it
with
package
name
and
package
version,
I.
Think
and
then
you
would
get
like
a
list
of
all
data
stations
stored
for
that
package
and
optional
with
a
filter
mechanist.
So
you
can
filter
for
specific
predicates.
That's
the
rough
idea.
C
A
Sorry,
no
just
and
that's
sort
of
how
it's
designed
and
implemented,
but
yeah
I'm
gonna
see
if
I
can
find
any
specs
on
that,
because
I
know
there
are.
B
For
what
it's
worth,
I
like
that
approach,
I
know
some
folks
have
been
talking
about
hey.
Does
it
make
sense
to
include
the
attestation
in
the
tarball
or
whatever?
And
of
course
that
leads
to
you
know
other
sorts
of
issues
of
like?
B
Does
that
mean
I
have
to
actually
download
the
package
to
then
open
it
up
and
then
find
out
that
actually
wait
a
second
or
some
way
of
attaching
it
to
you
know
like
the
Powerball
or
whatever,
because
then
you
end
up
with
this
situation
of
like
oh
I,
have
a
total
with
the
attestation,
but
then
how
do
I
compare
that
with
the
hash
of
what
the
outputs
are?
There's
a
lot
of
different
like
things
there,
but
I
know
that
you
know
from
an
API
standpoint.
B
A
Yeah
one,
you
can
just
add
some
sort
of
background
I,
think
the
document
document
for
npm
is
already
pretty
large
and
that's
sort
of
one
approach.
We
decided
to
have
it
separately
and
especially
like
initially,
we
kind
of
guessed
that
there
will
be
maybe
not
slow,
adopted
adoption
per
se,
but
we
do
think
like
initially
a
lot
of
and
a
lot
of
the
packages
won't
have
any
other
stations
and
because
it's
terrible
or
or
the
document
is
not
signed,
it's
kind
of,
let's
say
a
compromised,
mirror
or
something.
A
B
Cool
yeah,
yeah
and
I
know
you
know
some
folks
are
are
starting
to
ask
like
the
similar
sort
of
questions
with,
and
this
also
simplifies
it
like
hey
I,
have
an
you
know:
I'm
using
artifactory
or
soda
type
Nexus
or
whatever
and
I
want
to
know.
B
If
there's
attestations
associated
with
this
and
just
having
something
like
a
simple
API
that
is
like
hey
I'm,
about
to
download
this
package
can
I
just
query
to
see
if
there
is
a
if
there
are
other
stations
associated
with
it
to
be
useful
and
once
again,
this
is
also
something
similar
that
we're
doing
with
guac
as
well
already.
B
Yeah
agreed
and
that's
also
another
thing
people
have
been
asking
about
which
is
just
like
hey.
Sometimes
you
have
a
build
attestation,
but
you
also
have
additional
attestations
that
come
afterwards
because
of
stuff
like
security
scans
or
whatever
yeah.
That's,
that's,
that's
that's
really
useful
there
and
so
yeah.
Let
me
so
there
is
an
existing
issue
here.
B
So
there
was
this
issue
that
was
opened
around
this
time
last
year
and
I
will
add
this
to
the
foreign.
B
B
Okay,
cool-
let's
see
if
this
right
here
yeah
so
I
guess
if
I'd
be
interested.
B
If
there's
anything
on
that
front
and
also
if
there's
anything
like
once
again,
I,
don't
know
if
I
mean
I,
assume
it's
going
to
be
open,
sourced
or
or
like
the
API
for,
for
it
is
the
for
the
distribution
will
be
open
sourced,
because
I
think
you
know
I
know
there
is
some
back
and
forth
about
whether
or
not
salsa
framework
like
openssf
wants
to
take
this
on
as
like.
Should
we
own
some
sort
of.
B
Like
reference
implementation
of
like
what
a
distribution,
API
could
be,
and
just
sort
of,
say,
hey
if
folks
want
to
use
this
distribution,
API
right
like
just
a,
and
this
could
be
like
a
generic
just
sort
of
like
it's
a
generic
rest
API
that
just
sort
of
takes
in
you
know,
let's
say
just
something
like
it
could
take
in
a
hash
and
or
a
name
of
an
artifact,
some
Province
things
similar
to
pretty
much
what
you
just
sort
of
said
with
the
npm
stuff
like
does
it
make
sense
for,
for
you
know
for
that?
B
B
A
Yeah
I'm
looking
right
now,
I,
don't
think
we
have
any
public
document
on
this.
Yet
I'm
going
over
to
RFC
to
see
how
well
it
was
or
if
it
even
was
specified
in
there.
B
Cool
yeah
yeah,
because
I
think
from
from
our
end,
you
know
obviously
the
less
work
that
that
you
know,
because
we
would
love
to
be
able
to
not.
You
know,
obviously
steal
the
work,
but
you
know
say:
hey
the
you
know
the
npm
folks
have
built
this
thing.
We
would
love
to
maybe
make
that
you
know
a
demonstrative
example
or
maybe
even
provide
a
couple
of
suggestions
to
turn
it
into
something
that
could
make
it.
You
know
completely
generic
or
whatever
yeah
for
sure
foreign.
B
Yeah
and
then
also
I,
don't
know
if
you've
talked
to
like
separately.
Have
you
talked
to
Pizza
lately.
D
B
Yeah,
so
so
yeah
I,
I,
I,
read
it
it's
it's,
it's
quite
in-depth.
He
was
quite
in
depth.
There
I
think
the
thing
that
I
found
funny
was
I
was
like
hey.
Why
can't
we
just
use
package
lock
files
and
I
like
read
a
little
bit
further
along,
and
it's
like?
Oh
it's
because
nobody
is
actually
using
package.
B
Log
files
and
I
also
know
that
I'm
not
going
to
get
into
too
many
details,
but
there
are
some
folks
who
seem
to
be
pushing
back
against
recommending
the
use
of
packagelock.json
for
some
reason,
but
I
I
do
think
that
that
sort
of
thing
would
be
really
useful,
because
I
know
like
as
somebody
who
used
to
in
a
previous
life
like
six
seven
years
ago,
did
a
lot
with
node.js
the
amount
of
times
running
into
issues,
because
someone
does
an
npm
on
their
local
debt
machine.
B
It's
different
that
one
Brands
runs
and
build
and
then
further
different
than
what
actually
gets
deployed
into
production
is
just
like
yeah,
wild
and
and
I
think
that
sort
of
thing
would
be
useful
and
I
I
know
right
now.
It
seems
like
pizza's
proposal
is
interesting
because
it's
like,
could
you
use
salsa
policy
to
sort
of
essentially
say
actually
when
I
pull
down
packages
pull
down
the
latest
one
with
a
salsa
thing
that
reaches
the
match
of
this
policy?
B
There's
some
stuff
there
that
seemed
interesting,
but
I
know
you
know
previously.
One
of
the
things
that
I
had
done
to
secure
npm
builds
in
a
similar
way
to
some
of
this
stuff
was
regardless
of
whatever
I
was
doing
like
if
I
was
building
an
npm
pack
like
an
internal
npm
pool
package,
yeah
yada
is
even
if
the
Upstream
things
didn't
have
package
lock.json
is
I,
would
download
it
and
then
generate
my
own
package
lock
as
part
of
the
build
and
then
so
when
it
gets
actually
deployed
into
production
or
whatever.
B
A
B
Yeah
yeah,
okay,
yeah
does
any
I
mean
do
you?
Is
there
anything
else
folks
wanted
to
to
chat
over
I
I'm,
hoping
in
the
in
the
coming
weeks?
I
can
demo
off
some
of
the
cool
stuff
we've
been
doing
either
in
the
tooling
meeting
or
in
the
general
salsa
meeting
some
of
the
cool
stuff
we've
been
doing
with
Fresca
and
guac,
or
some
of
the
salsa
stuff
like
where
we
actually
have
Fresca,
generating
salsa
attestations.
B
Those
salsa
attestations
automatically
getting
put
into
the
knowledge
graph
and
then
can
be
used
for
for
policy
and
there's
some
cool
things
there
that
that
you
know
we've
and
some
of
the
stuff
that
I
know
we're
going
to
want
to
do
with,
for
example,
with
npm
is
we'd
love
to
be
able
to
sort
of
have
some
way
of
maybe
even
subscribing
if
we
could
to
like
the
npm
like
feed
to
sort
of,
say,
hey
pull
the
old
packages
that
have
been
updated
over
the
past
day
and
pull
down
all
their
stations
if
they
do
have
them
that
sort
of
thing,
there's
some
cool.
A
B
Cool
yeah,
that's
that's,
definitely
something.
We've
used
interested
in
and
yeah
there's
some
cool
yeah.
B
The
other
thing
from
the
from
the
Nebraska
side,
we're
looking
at
also
doing
like
salsa
policy
stuff
at
build
time
as
well,
to
sort
of
say,
hey
like
even
though
salsa
itself
is
not
transitive,
we
want
to
sort
of
say,
but
you
could
be
transitive
if
you
want
to
right
like
we
want
to
like
make
it
so
that
you
know
you
could
go
above
and
beyond
and
sort
of
enforce
stuff
like
all
the
dependencies
I
pull
in.
B
For
my
build,
must
you
know,
apply
the
source
of
rules
and
and
these
policy
rules
and
when
generating
the
salsa
provenance,
must
also
follow
these
rules.
So
if
salsa
prominence
on
you
know,
if
you
built
something
and
it
doesn't
match
some
sort
of
salsa
Providence
rules
at
the
end,
it's
like
sorry,
you
don't
actually
get
publisher
package
that
kind
of
thing.
B
B
So
I'll
see
everybody
next
week
and
have
a
have
a
good
weekend.
Everybody.