►
From YouTube: SLSA Specifications Meeting (April 3, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
Hi
everybody
as
usual,
we'll
wait
another
a
minute
to
see
if
I
some
people
continue
to
to
wander
in.
A
C
A
Okay,
why
don't
we
get
started
first
I'd
like
to
take
the
opportunity
to
welcome
any
new
members,
if
you'd
like
to
briefly
say
hi
foreign.
D
It's
quite
late
here:
I'm
walking
out
of
India
I
am
not
switching
on
the
video
today,
but
next
time,
I'll
try
to
switch
on.
My
video
I
generally
have
conflicted
calls
at
this
time.
Hence
I'm
unable
to
drive
this
call.
I
am
a
security
architect
in
IBM,
working
on
record.
The
working
at
the
control
lead
for
voluntary
management
for
IBM
Cloud,
currently
focusing
on
bringing
together
all
this
sanitization,
but
I
was
quite
interested
in
working
with
this
community
as
well
to
see
what
other
it
is
happening
here.
E
B
A
G
A
Said
last
week,
I
think
I
said:
I
tagged
things
that
I
thought
were
blockers
for
V1
I
didn't
notice.
If
anyone
else
had
it
anymore,
but
we
have
the
following
issues
which
I
could
share
the
screen,
so
I
guess
before
we
get
into
that,
I
think
what
we,
assuming
that
we
still
want
to
cut
through
the
candidate
today,
which
speak
up.
A
If
you
disagree
with
that
that
we
could
close,
you
know
any
pull
request
that
we
could
close
today,
any
last
minute
fixes,
especially
those
that
would
cause
some
sort
of
backwards.
Compatibility
problem
then
send
out
a
pull
request
today.
A
That
would
copy
the
directory
because
again
we're
using
directory
copies
for
our
versioning,
which
hopefully
will
fix
post
1.0
and
simultaneously
send
it
do
a
blog
post
and
send
out
a
mailing
list
announcement
which
I'm
hoping
other
people
know
more
about,
because
I
I
don't
know
the
details
of
what's
going
on
there.
A
Okay,
as
always,
feel
free
to
please
interrupt
okay,
so
I
just
want
to
quickly
just
look
at
the
the
tagged
V1
blockers.
Let
me
share
this
screen.
A
Okay,
by
the
way
now,
when
you
present
I,
don't
know
if
it
was
there
before
in
the
zoom
there's
a
little
check
mark
that
says,
share
tab
audio,
and
if
you
don't
do
that,
then
it
doesn't
take
over
your
microphone.
I
feel
like
I'm,
still
continually
learning
new
things
about
Zoom.
A
My
machine,
okay,
so
in
terms
of
right
now
we
have
six
open,
I,
think,
there's
five
issues
and
one
pull
request.
Maybe
the
I
just
filed
this
one
today,
maybe
let's
talk
about
it
in
a
minute.
A
We
have
an
issue
who
sets
expectations
for
which
there's
an
open,
pull
request,
I'd
like
to
get
that
resolved
and
merged
today,
although
I
feel
like
that
one,
we
might
want
to
continue
iterating
on
at
least
in
my
mind.
It
wasn't
super
obvious
that,
like
it
just
completely
resolved
the
issue,
there's
a
question
about,
should
we
add
a
new
salsa
level.
A
This
thing
from
Builder
ID,
my
feeling
is
I,
didn't
respond
on
the
thread
yet
that
no,
it
is
not
a
blocker
for
1.0,
and
so,
instead
of
introducing
a
new
thing
last
minute,
we
should
just
stick
with
what
we
have
and
then
iterate
it
on
in
the
in
the
future
version
which,
if
you
disagree
with
it
I'll,
maybe
I'll
take
just
the
for
Simplicity.
If
you
disagree
with
what
I'm
saying
either
speak
up
now
or
comment
on
the
thread,
but
otherwise,
well
that's
what
we
could
do.
A
This
is
I
think
as
a
thing
ongoing
a
pull
request
ongoing.
What's
new
page,
we
should
have
for
the
1.0
release.
We
don't
have
it
today,
I,
don't
think
we
should
block
the
release
candidate
two
on
it.
I'd
rather
just
get
that
out
the
door
and
then
work
on
that
this
week.
A
A
If
you
have
any
opinions
on
the
schema
of
the
format,
if
you
could
get
that
in
ideally
for
this
pull
request,
that
would
be
better
than
than
waiting
and
then
the
last
one
is
this
verifying
artifacts,
because
right
now
it
references
levels
but
doesn't
say
what
those
levels
are,
because
it
was
copied
from
it:
A,
Different,
Page,
so
I
I
don't
feel
like
any
of
those
are
hard
blockers
for
doing
the
release
candidate
today
it
seems
more
valuable
to
stick
to
a
schedule
and
have
a
review
period
and
fix
it.
A
Last
couple
issues
I
see
a
couple
heads
nodding.
So
I
guess
that's
useful.
But
if
you
disagree,
it'll
be
useful
to
know.
H
I,
don't
disagree.
I
think
it's
useful
to
agree
like
what
changes
are.
Okay
during
a
review
period,
which
is
one
of
the
things
you
added
to
the
agenda
like
I
completely
agree
with.
All
of
your
summary,
like
verifying
out
of
that
is
a
useful
change.
The
provenance
change
seems
fine
to
me.
The
expectation
change
I
think
seems
reasonable
to
kind
of
continue
to
iterate
on
after
the
RC
personally.
I
think.
H
That's
probably
okay,
because
we've
tended
to
be
quite
flexible
around
clarifications
and
agree
that
the
sales
level
field
shouldn't
be
a
V1
blocker.
If
that's
a
relative,
that's
like
a
reset
enough
and
large
enough
change.
That
I
think
we
should
kind
of
work
on
that
foreign.
F
F
F
I
A
Yeah,
coming
back
to
Arnold's
comment
with
the
who
sets
expectations.
A
A
Yeah
I
I
agree
with
what
you're
saying
right
now.
I,
don't
know
the
answer
to
the
questions,
but
I
agree
that
we
should
figure
out.
So
maybe
we
could
talk
about
that
for
a
minute.
A
So
the
like
the
the
gist
is
that
let
me
try
to
recap
the
problem
to
see
if
people
agree
with
that's
a
problem
statement,
because
that's
the
first
step
that
ex,
like
the
whole
concept
of
expectations,
is
kind
of
confusing
and
like
who
sets
the
expectations
as
a
producer
or
the
consumer,
and
so
Cara
pointed
out
like
sometimes
we
use
the
word
expectations
to
mean
two
slightly
different
things:
kind
of
the
actual
expected
values,
but
then
things
that
a
consumer
uses
to
do
a
verification.
A
So
the
proposal
in
the
pull
request
was
to
have
two
different
terms:
expectations
and
verification
policy.
The
whether
or
not
this
is
the
actual
particular
change.
I.
Think
arno's
point
is
that
if
we
change
around
these
Concepts
now
that's
more
of
just
an
editorial
change,
but
rather
like
changing
what
the
specification
means,
and
so
we
be
ideally.
A
And
certainly
before
approving
any
changes,
we
shouldn't
make
sure
that
this
doesn't
significantly
like
change.
What
the
specification
means
is
that
right,
I
said
it:
okay,
maybe
that
wasn't
a
very
good
recap,
but
is
it
correct
at
least.
J
I
mean
it
seems
consistent
with
other
open
issues.
They've
got
closed
where
we're
just
using
words
that
are
overloaded
and
going
through
and
picking
new
words,
so
that
it's
more
precise,
so
that's
it's
kind
of
in
line
with
I,
don't
think
like
I
guess
we
have
to
do
a
quick
check
to
see
if
it
changes
anything
but
I,
don't
think
if
we
stuck
with
those
two
and
figured
out
which
one
it
was
in
context
that
that's
going
to
change
anything
about
the
spec.
A
I
feel
like
a
kind
of
a
fundamental
problem
which
we've
been
discussing
for
months
is
like
when
we
look
at
this,
like
the
verifying
artifacts
like
how
does
this
fit
into
the
specification
and
that's
actually
maybe
to
Nicholas
Point?
This
was
the
the
issue
that
I
opened
today.
A
I
know
we
talked
about
the
conformance
program
of
like
how
we
certify
a
build
system,
but
then
is
the
checking
of
a
policy
or
expectations
like
part
of
the
specification,
or
is
it
verification
of
the
specification
at
least
I
personally?
Have
it
still
not
able
to
wrap
my
head
around
that.
J
I
mean
my
thought
is
that
we
can't
say
what
you're
going
to
do
with
your
verification,
and
so
it's
better
that
we're
saying
this
is
conformant
to
the
specification
and
then
you
can
do
additional
actions
based
on
that.
If
you
want
to,
but
we
shouldn't
be
dictating
what
people
are
doing,
we
should
just
be
dictating.
Does
this
comply.
K
Oh
yeah,
yeah,
I,
so
I
think
that
right,
like
there's,
there's
things
that
we
can
state
is
possible,
like
you
can
verify
like.
If
the
expectation
here
is
you're
you're
this
level
of
salsa
and
blah
blah
on
your
conformant,
then
you
should
be
able
to
verify
these
things
and
there's
probably
best
practices
that
we
can
suggest.
K
But
you
know
different
folks
are
going
to
come
in
with
different
sets
of
policies
and
needs
and
use
cases
so
yeah
that
we
also
don't
want
to
go
and
say
you
should
be
checking
all
of
these
things
or
none
of
these
things,
yeah
I,
think
I.
Think
that
is
very
much
based
on
the
use
case.
F
So
you
know
I
I
a
couple
of
this.
So
first
of
all,
I
think
you
know
it's
a
spec
and
we're
totally
entitled
to
say
to
be
compliant.
This
is
the
things
you
need
to
do,
and
but
the
thing
is,
we
have
different
types
of
people
who
are
going
to
try
to
you
know
be
compliant
with
conformant
with
the
spec
we've
said.
F
We
can
enforce
meconomic
features
to
have
seat
belts,
but
at
the
end
of
the
day,
if
the
drivers,
don't
the
users,
don't
put
the
seat
belt
on
so
going
to
do
much
good,
and
there
are
things
that
are
more
passive
like
airbag.
They
will
work,
no
matter
what
the
user
does,
and
so
salsa
does
some
of
this.
If
you
know,
but
but
to
get
the
full
benefit,
we
rely,
we
depend
on
the
consumer
to
do
certain
things,
and
this
is
what
this
section
does.
A
So
I
guess
my
concern
about
saying
must
hear
is
like
if
someone
doesn't
do
it,
what
is
the
impact
right
like
if,
on
the
build
system,
requirements
page,
if
you
don't
isolate
between
those
or
you
don't
generate
provenance
or
something
like
that,
then
you
would
not
be
allowed
to
say
you
are
salsa
build
level,
X,
compliant
conformant
or
whatever
the
word
is,
but
if
verification
doesn't
happening
or
you
skip
whatever
step
that
we
had
called
mandatory,
what
is
it
that
you
do
not
get
to
say
is
conformant.
A
I
guess
a
challenge
I
I
have
is
that
If
This
Were
a
requirement
for
calling
something
a
build
level,
then
I
would
get
it
it's
like.
That
is
a
requirement
of
level
three
but
I.
Think
where
we've
gone
the
past
couple
weeks
or
month
or
whatever
is
splitting
that
out.
So
the
build
level
is
satisfied
if
you
just
generate
provenance
and
then
the
verification
of
that
is
a
kind
of
a
separate
thing,
but
we
don't
have
like
a
name
for
that.
Maybe
yes,.
F
J
I
think
so
that's
the
thing
as
a
verification
page
itself,
I
want
to
be
less
specific,
but
if
we're
referencing
verification
on
the
level
requirements,
I
think
we
can
then
say.
You
must
do
something
to
your
point
for
certain
levels
or
certain
pieces
we
can
say,
and
you
must
do
verification
of
X
or
of
all
the
things,
and
that
would
make
perfect
sense
to
me
dictating
that
on
the
levels.
J
D
A
What
are
thoughts
on
taking
this
verifying
artifacts
page,
which
again
for
reference
frame?
Is
this
page,
the
verifying
artifacts
and
for
at
least
1.0?
A
We
call
them
guidelines
or
recommendations
and
use
avoid
saying
anything.
Anything
is
required
or
must
let's
say
like
you
should
do
this,
and
these
are
recommendations
which
would
avoid
the
problem
of
like.
If
you
don't
do
it,
then
are
you
social
compliance
or
not,
because
it
wasn't
a
requirement
in
the
first
place
and
but
would
still
give
us
the
opportunity
in
a
future
version
to
like
turn
that
into
a
give
it
a
name
and
add
requirements,
any
feelings,
positive
or
negative
about
that.
F
Well,
yes,
I
mean
basically
you're
you're
shrinking
further
the
scope
of
the
spec.
So
of
course
it
it
kind
of
removes
some
of
the
the
the
roadblocks
we
have
by
saying.
Okay,
let's
put
that
those
things
aside
and
it's
not
unreasonable
one.
So,
but
then,
basically,
what
you're
saying
is.
We
are
specifically
making
salsa
one
zero
about
build
systems
and
to
for
build
implementers.
I
Thank
you
I
agree
that
we
don't
address
the
consumer
side
in
the
sense
that
if
you
want
to
have
some
sense
of
security
from
every
package,
we
need
to
address
locally.
As
a
user,
the
transit
business,
you
need
to
address
the
source
track,
so
I
think
we
are
still
in
a
different
side
for
the
old
identification
part,
because
we
need
the
other
tracks,
I
think
to
give
something
really
useful
for
the
end
user,
I'm
not
sure
I'm,
very
clear
about
what
I'm
saying,
but
that's
my
feeling.
I
So
that's
why
I
would
keep
guidelines
for
now
and
I
agree
with
Mark
on
that
and
see
once
we
have
the
other
tracks
and
how
to
to
see
end
user
consumer
how
to
give
a
sense
of
security
when
you
use
something
and
defined,
and
it
will,
these
things
will
appear
by
themselves
when
we
develop
Tools
around
all
this,
probably
and
so
I
think
we
need
to
be
patient
on
that.
One.
K
So
trying
to
think
through
like
what
what
because
I
I
agree,
I
just
think
that
also
like,
when
I
think
purely
about
the
the
salsa
provenance
aspect
of
it
I've
always
thought
of
it.
I've
always
considered
it
purely
about
Providence.
It's
making
no
assertions
about
you
know
like
did
it
come
from
the
right
place,
just
that
this
is
the
place.
I
got
it
from
right.
The
build
system
is
making
this
claim.
Hey
I
got
it
from
this
place.
K
K
We
were
always
looking
at
it,
not
necessarily
as
a
way
to
sort
of
prove
that
necessarily
anything
was
good.
It
was
just
enough
information
that
when
you
were
verifying
like
for
audit
purposes
or
anything,
you
could
always
go
back
and
say:
hey
something
went
wrong.
Well,
let's
look
at
the
salsa
provenance
and
see.
Did
it
pull
from
the
right
place
and,
and
so
on
and
I
think
those
are
the
sorts
of
pieces
of
information
that
that
we
were
looking
at
when
we
were,
we
were
verifying
against
salsa
V
0.1
like
it
wasn't
necessarily.
K
H
If
we're
going
to
remove
verifying
Provident
from
like,
if
we're
going
to
make
that
recommendation,
we
should
probably
do
similar
with
the
Distributing
provenance
page
as
well.
I
think.
A
Yeah
prob,
probably
to
clarify
the
hypothetical
that.
A
Talking
about
on
the
verifying
artifacts
page,
it
would
be
to
I
mean
keep
the
same
content,
possibly
with
the
outstanding
pull
requests,
but
just
avoid.
The
word
must
basically
every
case
of
must
would
change
into
should
so
monitor?
Should
expectations
should
be
sufficient
Etc,
as
Nicholas
said
I
think
you
know,
maybe
we
would
turn
that
into
a
future
track
or
something
like
that
with
more
specificity.
One
thing,
I'll
note
is
that
right
now
we,
the
text
currently
says
the
phrase.
A
It
defines
a
salsa
conformant
system,
but
we
never
actually
say
I
think
what
that
is.
I
think
that
kind
of
introduces,
A,
New,
Concept
unintentionally
or
like
there's
kind
of
maybe
a
implicitly
some
sort
of
notion,
but
I,
don't
know
if
we've
ever
really
discussed
or
agreed
explicitly
about
what
that
means.
A
H
I
I
was
going
to
say
I
think,
like
the
the
focus
on
build
systems
has
been
fairly
consistent
and
implicit
through
the
1.0
effort.
So
I
don't
feel
like
we're.
H
Making
a
significant
kind
of
reduction
in
scope,
we're
just
acknowledging
the
existing
scope,
but
because
we've
talked
a
lot
about
how
you
know:
there's
a
chicken
and
egg
problem,
and
they
you
need
build
system
to
be
producing
the
problems
metadata
before
you
can
have
a
good
feel
for
how
to
integrate
that
into
different
ecosystems
and
things
and
we've
been
trying
to
provide
incremental
like
tooling
and
things
and
we
haven't
got
as
far
with
the
verification.
Well,
that's
not
fair.
H
This
also
verify
is
very
nice,
but
the
problems,
distribution
and
integration,
the
verification
into
kind
of
client
workflows
hasn't
particularly
well
tested
because
we
don't
have
a
large
number
of
systems
producing
the
legislation
yet
so
I
just
wanted
to
kind
of
make
Stakeout
duration.
F
So
I,
you
know
again:
I
don't
disagree
with
the
the
general
proposal
of
you
know
shrinking
down
the
scope
to
just
build
systems
and
making
salsa
mostly
about
you,
know,
build
system
implementers
and
defining
what
it
means
to
be
conformant
to
salsa.
For
that.
From
that
point
of
view,
but
back
to
what
and
in
line
with
what
you
just
showed
the
Mark,
you
know
what
does
it
mean
for
a
system
in
general
to
be
such
a
compliant?
F
I
mean
you
can
imagine
I'm
I'm,
you
know
I'm
selling,
some
kind
of
device,
it's
a
piece
of
hardware
and
it's
got
to
you
know,
have
some
software
on
it
and
I
could
claim
compliance
with
salsa.
If
I
said
no,
no,
you
know
I
checked
the
very
I
verify
the
problems
of
all
the
software
that
actually
put
on
my
device
and
I
mean
never
have
developed
anything
myself,
but
I'm
on
the
receiving
end
of
software
and
I
make
sure
I'm.
F
F
No,
no,
this
is
independent.
I
was
just
trying
to.
You
know
clarify
what
that
meant
earlier
by.
You
know
trying
to
Define
what
it
means
for
to
to
have
some
kind
of,
and
maybe
you're
right.
It
should
have
a
name,
a
different
kind
of
track.
They,
you
know
to
say
what
it
means
to
be
salsa,
compliant
from
a
consumer
side,
point
of
view,
but
so
I
again
I
didn't
mean
to
you
know
and
and
when
I
said
bust
earlier,
you
know,
I
didn't
mean
to
get
into
the
detail.
There
may.
F
A
A
A
I
guess
maybe
it
would
help
to
know
like
if
someone
could
take
the
other
side
of
like
you
know,
I
think
we've
had
several
people
mention
of
like
they
don't
disagree
with
that
idea,
but
if
there's
any
thoughts
on
like
an
argument
for
keeping
it,
as
is,
that
would
also
be
helpful
too
just
so,
you
can
kind
of
see.
A
K
Yeah
I
mean
I
I,
just
think
when
I
think
of,
like
verification
rate,
it
immediately
makes
me
think
of
what
are
the
attacks
I'm
trying
to
prevent
like
what
like
when
looking
at
this
sort
of
thing,
what
is
the?
What
is
the
the
goal
of
me
to
try
and
figure
out
like
hey
I,
want
to
use
this
also
compliant
artifact
and
I
want
to
verify
certain
elements
of
it
in
order
for
me
to
achieve
some
goal,
I'm
not
just
doing
it
for
for
my
own
health
or
whatever.
K
So
when
I
think
about
like
once
again
some
of
these
things
you
know
and
and
like
I,
think
it's
worthwhile,
just
you
know
and
I
don't
know
if
anybody
has
these
other
use.
Cases,
like
my
use
case
was
always
like
I
can
show
you
that
if
something
went
wrong,
it's
probably
not
the
build
system
right.
That
was
kind
of
one
of
the
key
things
that
I
was
taking
as
a
takeaway
from
salsa
was.
Let
me
look
at
source.
Let
me
look
at
dependencies
because
those
might
have
been
an
issue,
but
the
build
system.
K
If
I
look
at
it
and
it
seems
to
have
listed
all
the
right
things
and
it's
also
compliant
then
I'm
pretty
sure
it
performed
those
actions.
And
let
me
look
at
the
dependencies
or
the
source
as
the
the
place
of
the
problem
and
I
think.
Maybe
just
kind
of
like
thinking
through
some
of
those
things
might
help
out
with
understanding
what
what
we
should
be
verifying.
C
I
guess
I'll
jump
in
here,
I
I,
think
Mark
I've
been
I've
been
listening.
A
little
bit
and
I
mean
I
think
the
goal
you
know
when,
when
I
used
to
do
this
back
back
in
the
day,
I
I
just
think
about
I
just
want
to
know
I,
don't
even
want
to
like
I,
don't
even
want
to
take
any
action.
I
just
want
to
know
what's
out
there,
what
do
we
have?
C
How
are
we
being
protective
or
what
is
what
is
like
just
exposed
so
I
think
if
we
go
with
that
mindset
like
you
know,
I'll
call
it
a
soft
governance
of
just
letting
people
know
letting
people
be
aware
and
then
just
releasing.
You
know
iterative
iteratively,
releasing
we're
not
going
to
get
it
right
the
first
time.
So
let's
just
go
ahead
and
move
forward
and
and
it
will
adjust
as
we
go.
C
I
I
mean
I'm,
just
we're
just
trying
to
educate
everybody
out
in
the
world
that
hey
guys,
are
you
just
aware?
Are
you
aware,
from
a
soft
governance
perspective
and
hey
guys
if
you're
not
aware
hey,
you
should
maybe
try
these
tools
that
we
recommend.
Well,
the
you
know
the
guac,
the
macaroons,
the
in
total,
the
blah
blah
blah
right
and
then
hey,
maybe
hey.
Here's
an
example
of
what
we
would
do.
C
I,
don't
know
I,
just
I
I've
seen
this
I've
seen
this
work
in
the
past
and
just
making
suggestions,
but
I
think
we
should
just
just
do
it.
Let's
just
deploy
out
there,
we
have
nothing
to
lose,
but
but
people
giving
us
comments
and
telling
us
no,
that
you
guys
are
wrong
or
you
guys
yeah,
you
guys
are
great.
You
guys
did
it
did
a
great
job.
E
So
I
I
thoroughly
enjoy
showing
up
to
meetings
like
this.
With
that
naive
understanding
and
asking
questions
from
from
a
novice,
Viewpoint
I
I'm
I'm
curious
how
the
specification
defining
the
social
levels
doesn't
make
the
verification
implicit
like.
Why
does
there
need
to
be
like
this,
like,
contrary
or
other
half
of
the
side,
for
the
the
way
in
which
the
levels
are
defined?
That
there's
any
like
any
ability
to
have
an
interpretation
of
whether
or
not
something
is
verified.
A
Yeah,
that's
a
good
point,
I
think,
there's
there's
almost
two
halves
of
this.
One
is
actually
maybe
I'll
present
like
just
a
just.
So
we
have
a
visual
aid.
A
There's
currently
pull
requests
that
unifies
these
things,
but
that'll
use
this
picture.
Oh.
A
Right
here,
like
be
currently
defined
as
the
build
level
just
covers
these
threats
here
of
does
basically,
the
build
level
just
covers.
Is
the
provenance
trustworthy
like
it
claims
it
came
from
the
source?
A
How
confident
are
we
that
it
actually
came
from
the
source
and
someone
wasn't
lying
to
us,
but
we
also
want
to
cover
things
like.
Did
it
come
from
the
expected
Source
repo
or
like?
Did
you
build
from
an
unofficial
Fork?
Did
you
have
local
modifications
in
your
git
client
and
you
built
from
that
and
not
the
actual
thing
that
was
checked
in,
and
everyone
had
code
reviewed
and
that's
not
currently
covered
by
the
build
level?
A
It
was
suggested
last
week,
I,
think
of
or
maybe
in
a
previous
meeting
at
least.
Maybe
that
should
just
be
a
future
source
track
like
cover
a
b
and
c
in
this
diagram
as
a
source
track
and
then
I
think
that
would
actually
make
it
a
lot
cleaner
and
then
maybe
it
would
really
become
more
obvious
of
like
verifying
is
more
straightforward,
but
right
now,
I
think
we're
in
the
situation
where
we
have
the
build
level
plus
some
other
things
to
do.
K
Yeah,
the
only
thing
that
the
only
thing
I
was
going
to
sort
of
add
in
there
just
just
once
again
like
from
from,
like
the
perspective
of
hey,
consuming,
like
we
always
viewed
salsa
the
build
piece
if,
if
Source
or
dependencies
are
included,
they're,
not
necessarily
saying
that
the
source
and
dependencies
are
valid
source
and
dependencies,
just
that
the
Builder
built
these
source
independencies
and
it's
up
to
you
then
to
go
back,
and
you
know
figure
out
yeah
as
you
go
through.
K
A
G
It
goes
back
to
the
old
problem.
What
is
provenance
provenance
in
the
opinion
of
some
people
is
that
this
is
what
happened.
This
is
a
builder
that's
built
from
this
source
code.
It
doesn't
say
that
the
source
is
good,
that
the
program
is
benign.
It
just
says
that
it
was
built
from
this
source
code
and
with
the
buildsystem.com
that
can
address
certain
threats,
and
so
that
means
that
it's
half
of
the
it
solves
half
of
the
problem.
The
other
half
is
what
should
have
been
built
from,
and
that's
not
what
the
provenance
says.
G
Something
else
says
should
be
built
from
a
particular
source.
So
we
we
have
these
two
halves.
It
would
be
nice
if
Providence
could
say
this
program
is
good,
but
provenance
cannot
say
that
it
can
only
say
I
built
a
piece
of
software
from
a
particular
source,
with
particular
dependency
instances
so
or
looks
like
with
verification
and
and
build
problems
were
still
not
certain
about
the
boundaries
between
the
two.
J
I
think
everyone
keeps
saying,
there's
two
sides,
I
think
there's
possibly
three
or
more
because
earlier
we
mentioned
consumers
verifying
stuff,
so
I
think
there's
the
consumers
verifying
stuff
the
build
provenance,
the
source,
whatever
we
want
to
call
The
Source
step,
so
I
feel
like
I,
am
not
sure
who
said
it
earlier,
but
like
keeping
the
version
1.0
focused
in
on
the
build
makes
the
most
sense
to
me
with
the
expectation
that
we
start
working
towards
having
more
clear
source
and
consumer
depths
or
guidelines
iteratively
going
forward.
A
Sounds
good,
so
it
sounds
like
the
consensus
is
to
make
that
change.
I
could
send
out
a
pull
request
that
just
swaps
the
words
and
I
think
whoever
mentioned
it.
Maybe
Joshua
said
this.
We
should
probably
do
the
same
thing
for
the
Distributing
Providence
too,
because
it's
probably
in
the
same
boat.
A
Okay,
so
I
will
do
that.
I
could
also
comment
on
the
issue
to
say
that
we
discussed
it
at
today's
meeting.
I
think
in
the
interest
of
time
we
should
move
on
in
terms
of
the
mechanics
of
doing
the
release
today.
A
I
guess
there's
nothing
hard
that
it
has
to
be
today,
although
if
we
need
two
weeks
and
we
want
to
release
on
the
19th
and
we'll
have
to
do
it
today
or
tomorrow,
we
have
a
couple
outstanding:
pull
requests.
We
should
get
those
merged.
A
This
one
will
be
a
pull
request:
that'll
have
to
get
merged
to
and
then
a
pull
request
to
actually
do
the
thing
is
there
enough
time
in
the
day,
are
we
okay
having
folks,
whoever
you
know
most
probably
U.S,
based
folks,
I'm
guessing
because
most
people
in
Europe
or
Asia
are
going
to
be
asleep
just
doing
that
today,
I
mean
normally.
We
want
pull
requests
like
longer
time
to
comment.
F
If
we
can
afford
to
one
more
day,
I
think
we
should
that
that
way,
everybody
has
a
chance
to
see
it
before
we
publish
this
new
awesome.
B
A
Okay,
that
sounds
good
to
me
and
then
the
blog.
We
need
to
also
do
a
mailing
list
announcement
because
that's
listed
in
our
governance,
docs
I
think
it
could
just
be
a
copy
of
the
blog
post,
the
blog
post.
Does
anyone
here
involved
in
that.
J
One
of
my
co-workers,
I
believe,
is
because
we
need
to
also.
F
F
It
depends
which
blog
post
you're
talking
about,
because
so
my
cat,
the
one
that
we
we
we
reviewed,
there's
a
pull
request.
That's
just
on
the
the
salsa
Dev
website,
right
that
I
think
we
should
just
publish
it
already:
yeah
yeah,
it's.
K
Yeah
so
there's
two
separate
things:
one
is
the
release
candidate,
two
which
yeah
I,
think
I,
don't
know
if
we
have
anything
specifically
set
up
for
that
I'm
sure
we
could
probably
draft
something
up:
real,
quick
based
on
release
candidate,
one
just
picking
like
replace
with
the
release
candidate,
two
and
then
further.
We
have
we're
still
kind
of
working
on
the
1.0
stuff.
I
believe
that
there's
some
they
some
of
the
folks
from
the
open
ssf
side,
still
have
some
of
the
V
0.1
info.
K
A
Okay,
I'll
post
on
slack
to
see
if
anyone
has
already
had
rc2.
A
Like
a
full
1.0
post,
that's
announcement,
that's
being
drafted,
but
specifically
just
a
short
one
about
rc2
saying
you
know
the
second
police
candidate,
the
review
period
is
this:
we,
you
know,
barring
any
unforeseen
changes
we
plan
to
accept
it
or
vote
to
accept
or
whatever
it's
proper
language,
on
the
19th,
Etc
Nicola.
A
A
B
A
Okay,
I
I
actually
had
to
head
out
early.
If,
but.
A
Continue
running
the
meeting,
that
would
be
good.
One
thing
that
would
I
think
be
helpful
to
maybe
briefly
talk
about,
but
like
what
changes
are.
Okay
during
the
review
period.
A
A
A
F
F
But
so
I
mean
yeah
specifically
about
this
point.
I
think
it's!
You
know
it's
pretty
clear.
It's
it's
not!
Maybe
it's
easier
to
do
final
by
primer,
it's
easier
to
say
what
it's
not
right,
if
it's
not
editorial,
if
the
change
impacts,
the
compliance
of
an
implementation
right
so
I
have
an
implementation,
I
I,
implemented
against
the
draft,
and
now
I
need
to
go
change.
My
code
because
yeah
we
have
updated
the
spec,
then
that's
not
the
tutorial
formally.
That's
what
it's
about
now,
of
course.
F
Unless
you
know
it's
just
commas
and
typos,
there's
always
the
risk
that
it's
not
just
the
tutorial,
but
at
least
we
should
be
aware
when
we
make
changes
and
think
about
you
know,
do
we
expect
this
to
change
so,
for
instance,
if
you
think
there
are
cases
where
it's
very
simple
like
if
you
look
at
the
provenance
format,
if
you
change
the
name
of
an
ad
properly.
Well,
that's
it!
You
know
this
is
not
going
to
be
just
the
tutorial.
If
you
change
the
description
of
that
property,
then
you
know.
F
K
Yeah
I
was
just
gonna,
say:
yeah
I
mean
based
on
some
of
the
comments
about
this
sort
of
like
over
the
past
couple
of
weeks.
I
think
I've
just
been
trying
to
see.
You
know
since
we're
not
the
first
folks
to
write
up
a
a
specification
or
or
standard
or
framework
around
this
sort
of
thing.
K
You
know,
I
think
that
there's
a
lot
of
useful
information
about
how
generally
folks
handle
it
and
yeah
it's
like
yep.
That's
why
there's
so
many
you
know
you
see
like
or
like
this
documents
you
see
like
rev,
5,
rev6
and
a
lot
of
times.
It's
it's
not
necessarily
even
just
like
any
real
content
changes.
K
It's
like
a
clarification
because
hey
a
clarification,
two
people
are
going
in
opposite
directions
and
even
the
clarification
is
like
well,
you
you're
now
saying
that
the
way
I
was
doing
it
originally
was
completely
invalid,
which
is
is
not
the
you
know,
expectation
and
so
yeah.
We
just
got
to
be
careful
and
and
I
do
think
that
you
know
there's
a
lot
of
useful
history
out
there
that
we
can.
You
know
look
to
follow
to
make
sure
that
that
we're
doing
it
the
right
way.
F
Yeah
things
are
interesting
and
I
mean
you
know,
I
think
it's
easier
in
some
cases
like
I
was
saying
for
formats
and
if
you
can
have
like
tests,
you
know
once
if
we
are
tests,
it's
easier
to
find
out
here.
The
Prime
with
salsa
is
some
of
it
is
not.
You
know
hard
coded,
and
it's
not
like.
There's
still,
you
know,
I
think
has
been
said
before.
F
Salsa
is
its
roots
in
something
that's
more
aspirational
and
then
it's
it
becomes
a
bit
harder
to
test
and
to
have
hard
set
rules,
and
so
I
think
salsa
evolved
towards
something
that's
much
more
prescriptive,
but
it's
still,
you
know
in
some
areas
can
be
a
bit
more
challenging
to
figure
it
out.
F
So
that's
that's
how
it
is,
but
I
think
that
basically
sets
the
rules
for
what
we
can
allow
ourselves
to
change
after
we
have
published
all
C2
before
we
publish
the
final
version
with
that
doing
another
RC,
which
would
be
our
C3,
because
that's
the
that's
I
mean
it's
not
the
end
of
the
game.
F
F
K
Yeah
I
mean
it
can
wait
till
till
next
time.
I
think
one
of
the
things-
and
this
is
kind
of
more
of
a
post
1.0
thing,
one
of
the
things
that
folks
have
been
bringing
up
about
conformance
and
some
of
the
other
things.
Is
it's
great
that
that
we're
looking
at?
Like
you
know,
you
should
have
a
you
know,
a
document
somewhere
in
yayada,
but
some
folks
are
saying
like
how
can
I
distribute
that
information
in
sort
of
also
a
programmatic
and
automated
way
so
stuff
like
could
you
know?
Is
there?
K
Is
it
in
the
cards
to
have
something
like
a
salsa
conformance
attestation
that
could
have
as
this
like
you
know,
here
is
the
the
conformance
document
location
or
something
like
that
and
here's
a
bunch
of
other
information
so
that
folks,
who
are
are
coming
through?
You
know,
they're,
like
oh.
This
thing
claims
that
it
was
built
with
this
salsa
Builder
I.
Don't
necessarily
need
to
check
right
this.
K
Second,
that
that
it
is
in
fact
it's
also
conformant
and
have
somebody
review
the
document
but
I
when
I
pull
this
in
I
want
to
pull
down
that
attestation.
Was
it
signed
by
somebody,
I
trust
or
whatever
was
did
some
other
third
party,
that
I
do
trust,
certify
it
or
whatever?
And
then,
when
I
go
back,
you
know,
I
can
go
in
and
out
of
band
read
through
the
human
readable
documentation
and
and
go
through
that
sort
of
thing.
I
think
that's
just
you
know,
yeah
anyway,
Josh
UA.
H
Yeah,
so
we
definitely
did
talk,
I
think
Chris
who's
on
the
call
and
I
spoke
at
least
briefly
about
having
like
an
attestation
that
says
you
know
some
someone
has
reviewed
this
build
service
for
conformance
with
the
build
requirements,
and
you
know
he's
providing
an
attestation
that
they
perform
that
review.
H
We
spoke
about
it
if
I'm,
remembering
correctly
in
the
context
of
the
the
conformance
program,
which
is
a
post
1.0
activity,
so
I
I
expect
you
will
come
back
up
then
so
yeah
I
think
there's
some
something
we
likely
will
end
up
doing
effectively
and
just
figuring
out
how
to
distribute
those
and
how
they
fit
into
the
verification
cycle.
And
everything
is
something
we'll
need
to
figure
out.
H
H
F
You
know
so
I
I
was
going
to
say
so
in
the
conference
I
mean
you
know.
For
now
the
people
who've
been
working,
the
conformance
program,
the
looking
at
the
CNC
F1
and
the
cncf
as
basically
a
website
and
there's
a
there's,
a
repository.
This
is
how
the
register
their
claims
of
compliance
and
so
I
think
this
shouldn't
be
hard
to.
You
know
that
would
be
the
place
to
have
that
if
we
want
to
have
a
repository
of
attestations
of
claim
of
compliance
but
yeah.
F
Basically,
what
you're
saying
is
that
we
should
have.
This
is
a
requirement
for
the
conference
program
to
say:
hey.
We
want
to
have
machine,
readable,
attestations.
F
So
I
guess
it's
all
right.
We
are
out
of
time
anyway,
so
we'll
close
on
this,
and
we
can
discuss
this
further
next
time.
When
we
talk
about
the
conference
program
in
more
details
for
those
who
are
interested,
there
is
a
spread,
and
there
are
a
couple
of
people
who've
been
working
on
it.
There's
a
draft
being
worked
on.