From YouTube: SLSA Tooling Meeting (September 23, 2022)
A: All right, we can get started, and I apologize in advance: there's a massive hornet that somehow got into my room and is flying around my head here, so I'm trying to avoid getting stung. Okay. So just as a reminder to folks, please, if you want, add your name to the meeting notes, and anything else you want to add as an item for the agenda.

A: Yeah, Preston, yeah. And also, just as a reminder, this meeting is being recorded; it'll be uploaded to YouTube shortly after. Also, your participation in this meeting is an agreement to abide by the OpenSSF code of conduct.

A: Okay, so I know we have something from Jeremy, a presentation on SLSA using ORAS at Microsoft, but before we do that, are there any other sort of big updates that folks wanted to bring up, anything critical?

A: The only thing from my end is I saw that Adolfo, AKA puerco, released his, and I apologize if I butcher the name, tejolote tool, which is a SLSA builder, and I know that at some point we want to see if he can give us a demo of that tool, because that tool seems like a sort of generic SLSA builder, and we're wondering if there's anything that we can collaborate on with some of the existing sort of GitHub builders.

B: He's out on PTO right now, but there's a PR that was open to donate that to the Kubernetes project. Our intent is to use it within the release process for just general Kubernetes artifacts. We are going to initially put it into some other repos; I just started working on trying to add it to our bom repo, so we're gonna try it out on the baby projects before we move on to the bigger ones.

A: Cool, cool. And so is it mostly, and to be clear, I know nothing really about it, is it mostly a tool for stuff like building Kubernetes, as in, did it come out of building Kubernetes and has it mostly been focused on Kubernetes?

B: No. It's more generic; it's aimed at just being generic, to work in GitHub Actions or Google Cloud Build, and kind of working in the sense that it works around the build process. So it starts, the build process happens, and it interrogates what happened to generate the artifacts afterwards. I think we did a demo of it at one of the SIG Release meetings, maybe last month. I'll go and find the recording of whichever meeting we did that in, and I'll drop it into the meeting notes here.

A: All right, over to you, Jeremy.

B: All right, cool, let me see if I can share my screen. Okay, so there was an ask in Slack, both on the CNCF Slack and in the SLSA tooling channel, from Sean.

B: I don't know if Sean's on the call right now. Oh yeah, there you go. Asking about ORAS and the OCI artifacts work that had just merged into the OCI spec, and we've actually been investigating that ourselves internally at Microsoft, kind of doing some dogfooding, like seeing what the spec looks like, trying out the tooling that existed, and then trying to figure out what we want to do with our internal pipelines.

B: So my team publishes all the open source that we consume within Azure, so we build things from upstream, like Kubernetes and lots of other projects, and we publish those containers and binaries, like kubectl, into internal registries.

B: There's lots of internal discussion about what the right thing for us to use is for that, but we have implemented some workflows just to kind of show what it might look like if we're going to consume that tooling, so I just wanted to show that and then we could use that as a discussion point.

B: If anybody has questions... Steve Lasker wanted me to come to kind of represent things; he's on vacation, but I think there is general interest in any kind of collaboration that could happen with the OCI artifact spec stuff. ORAS itself is not implementing the OCI spec yet; it's still implementing the artifact spec that was, like, you know, before Proposal E and stuff, but there's work in flight right now to start moving that, plus ACR, which is our container registry, to implement that interface with that spec.

B: So let me share and then we can take a look at what we're doing so far.

B: Okay, so let me know if that text is big enough.

B: Okay, so the ORAS tool, you know, implements mostly what the OCI artifact spec looks like, and in particular it's leveraging the referrers, or the subject, piece of that. So you can put an artifact into a registry and then, using the referrers or the subject, you can associate that, or refer it, to something else, so we're taking advantage of that for our distribution of the evidence that we're producing for the containers.

B: So if we take a look at the Kubernetes API server as an example, this is just one thing that we're building. We publish things to ACR and they get onboarded into MCR, so we're able to copy the things back and forth to different registries. But this is the 1.25.0 amd64 container that was built, and if we run that we'll get back that image, and then we can see all the things that we've attached to it.

B: So we're building an in-toto provenance file, like a bare minimum kind of provenance file for the thing we're building; that's still a work in progress. We are generating an SPDX SBOM for that, and then we're signing the container itself, and then we're also signing those two artifacts.

B: So the spec is great because it allows you to associate things at multiple levels. Right, like we can associate this provenance file with the container image. We can also sign that thing and then associate the signature with the provenance file. We can associate the signature of the SBOM with the SBOM, and then the SBOM is associated with the image itself.

B: We can grab the blob and take a look at what it looks like. So you can see what that kind of looks like in terms of...

C: Are those blobs or manifests?

B: So there's a problem, smile, right, and like in a provenance style, it's just the blob that came back for all the things it built. But if we do that again...

B: Okay, so the spec looks... The thing we pushed to the registry looks like that: it's the artifact type and then the blobs that are associated with it. So that's the actual JSON file that we pushed, and then this is the bit that relates the two together. So this can really point at anything, right? It's just pointing at a digest that's in the registry, so it works at multiple levels. You can do things at layers if you wanted to do that.

B: I assume we're going to experiment with that pretty soon, but it's been working pretty well for us. We're starting to do some experiments with consuming these resources, like inside of AKS. That's really early work right now, so it's not gotten much past the kind of proof-of-concept stage, but it seems like it's been a good way for us to distribute these pieces of evidence along with the containers we're publishing, and the fact that we can sign those things and associate...

B: Yeah, sign language certificate, cool. Yeah, so we're doing that for the containers right now; we're trying to figure out how we want to do this with binaries too. So we do publish, like we do build a kubectl binary.

B: We do publish a couple of other binaries for other projects, and right now they get pushed to a storage account. We're considering whether we want to use a registry to distribute those as well, because it would allow us to do the same kind of attachment of evidence along the way. Yeah, so I guess that's all I had to kind of show for folks. I didn't get to come to the meeting last week, but I saw you discussed the artifact stuff a little bit.

C: I'm curious on this, if they start publishing the... you're talking about adding this, like the Kubernetes images, things like that; they're published on a different registry, right?

B: Yeah, so these are our internal images. We don't consume upstream artifacts directly. We build everything from source and republish it internally; just getting rid of the dependency on external third-party things is always a good thing for first-party services. When we want to run our stuff, it would be bad to necessarily have a dependency on Google or Docker.

B: I don't think we'll see, like, this specific thing. We have discussed what we want to do with the upstream Kubernetes things and whether we use cosign to do that, because cosign has the ability to also publish, you know, SBOMs and other pieces of evidence along with the tooling; that does not implement the OCI spec yet. I don't know if they have intentions to migrate to that or not, but...

B: It works in a kind of similar way, right? I mean, it works in a way that, like, it's generating a tag that associates the two back and forth, but Adolfo and I were discussing whether we wanted to do that for the upstream artifacts. We hadn't done that yet, but I think we want to be able to get to a point where we can possibly distribute those things as well.

C: Yeah, I think that's something that's very cool. It looks super useful. So is there any client-side tooling for automatically uploading pairs of things like artifacts and attestations?

B: I don't think so yet, mostly because this is so new; I don't think anybody's built tooling that does that. We actually, like, we have, so everything that happened... Let me share again.

B: We've been discussing open-sourcing some of that stuff; it's pretty specific to our workflow right now, but this is all done using the oras-go library, and the Notary stuff is implemented a little differently, but it's not using the ORAS tool specifically. So for publishing, we've implemented that. We've been discussing, like, personally I think that having multiple tools is useful, but also it's not the greatest experience.

B: So if you want to consume these things and do any kind of verification on them, I think it would maybe be better to have, like, a supply chain tool that kind of works with those things, like cosign: you can pull those things, you can sign, you can verify those things, you can do the things you need to do with that tool right now. This tooling is kind of disjoint.

B: We've integrated it into, like, our internal azcu tool that we use, but I don't... I think this is still at such a nascent point that, like, for the OCI stuff in specific, I don't think there's any tooling yet.

C: What I have seen from the community is, if you're generating something like an SBOM, you can generate that to a file and then you can upload it with, like, ORAS or, yeah, crane, or right now I've got the regclient tool over there that does have the new spec implemented in it. So if you want to try that out, that one exists as well. So it's a two-step process; it's not a one-step process in terms of attaching the SBOM to it.

B: Yeah, and that's what we're doing internally for our tool. I can... I have to get permission to show that, since that's like internal DevOps, but I can come back and show that off if folks are interested. And that's essentially what we're doing: we build the images to tars locally, we scan those, and then when we push everything, it goes as one big blob of things together. We push the image, we push the things that are associated with it, the signatures go along with that, and it's kind of one operation.

C: Got a talk that I gave at the Open Source Summit in Austin, talking about trying to get us to use the OCI layout a lot more, and I think it's going along with what you're saying. Rather than using the tar file, I build the image to the local directory. It's like the tar format, but it's just expanded on the file system, and then do all the SBOM generation and signing, everything local in there, and then push it all up to the registry at once. So if anybody's interested in that, that video is up online as well, yeah.

B: I think that's a great approach to go with. We actually saw that after, like, we'd implemented all of this stuff for a while, and we saw that video and it kind of gave us some validation, like, its approach is pretty good.

A: Yeah, I opened up the window; I'm hoping it understands that it could... Okay, it found its way to the window and it's almost out, and once it gets...

A: Let's see, you know, well, I'll get to that whenever he's ready to leave. Cool, so.

A: Sorry I missed the demo. I will probably... I will watch the recording later, but...

A: But okay, cool! So are there any other topics for discussion? Anything else that folks wanted to bring up?

A: Okay, I don't know why it was crawling on the window and decided not to leave. All right. Well, I'm gonna go take care of this. I guess I'll see you all next week, unless there's anything else folks wanted to bring up.