From YouTube: SLSA Positioning Meeting (November 22, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A: I know today is a working session, so it's purely optional, and I know it's right before the U.S. holidays. So it's possible that, you know, we might have a very light crowd today.

A: Okay, okay, yeah. So starting tomorrow, not tomorrow. A lot of times for Thanksgiving week, people will take off the whole week, or sometimes they'll start dropping as the days progress, so either today or tomorrow. Usually people, like tomorrow, I'm not working. So okay, right, you know, but today I am. So it just depends.

A: Yes, correct, correct. Yeah, so we may not have a lot of folks, but that's okay. We could still get some work done, which is why I keep some of these sessions, yeah, because if I don't have dedicated time to work on this, it's probably not going to get done. So at the very least, I can get something done during this one-hour session.

A: Start, or not start, but finish the blog as much as we can. So I don't... I'm starting to get my voice back. I was sick last week. My little one got sick and then she got me sick, so I'm still kind of recuperating. So you'll have to excuse my raspy voice today.

A: Now we just have a couple of things, and I know you commented on a couple of things, for like "prevent", yeah. You know, instead of "prevent", "helps to prevent". So I did some modifications here and there for that, and let me see what other comments you had in here.

B: I think I have seen that change as well. For me, it looks good. So the point, what I thought was, like, you know, when we say about SLSA, quality is actually something different from what SLSA provides. If you make it secure, we cannot... I mean, quality. Security is also part of that. We can say, when we say quality is there, then security is also in line with that or integrated with that, but it's actually kind of two terms, right? Yeah.

B: So when we say SLSA provides build quality, the build quality is also some part coming from the build engine, say the compiler or the build tool or the machine which we are building on.

B: And also the build steps, whatever we configure for that. So when we say build, it involves multiple stages, and to make that a SLSA build, my doubt was whether it's also supported at each stage.

B: We are creating provenance information. This is only one step among the steps in the build. So when we say the build quality, SLSA is not focused on the entire build quality, yeah. Maybe that's good, yeah.

A: Okay, and I think I missed... hi Matt. Thank you for joining. Are you a new person joining us today?

A: Okay, well, welcome. Welcome, and thank you for joining. I was telling Jumpsy that I suspect today is going to be a light day for two reasons. One, this is an optional meeting, it's a working session, so that way we can get stuff done. But then also, because of the holidays, right, people tend to either have the whole week off or they start dropping off as the day progresses. So, yeah, it might just be the three of us.

A: There might be other people, but I just wanted to give you that heads-up. But thank you for joining, and what brings you here today? Hey, there's Jay.

C: Yeah, so, yeah, happy to be here. I've just, over the last year and a half, been moving into the application security space at Dao, and one of the things that I'm accountable for is making sure that we have the right security requirements. I've just been looking into cyber threats and saw, you know, the opportunity to improve security specifically related to the software supply chain.

C: And that led me to SLSA, and then I saw that it was tied to OpenSSF, and I thought that'd be an opportunity to at least learn a little bit more behind the scenes on where SLSA's at, what the vision is, and how I can take.

A: Well, thanks for joining. Yeah, so for the positioning meeting we do have a... oh, actually, I don't know if I've ever... I think I did commit the charter.

A: And so what we've been working on is a blog right now to focus on developers, right, and like why they should care about SLSA, right, how it helps them. Okay, and so that's what we're kind of looking at right now, and just trying to finish up that blog, and the link is in the meeting notes. But I will also put it here. Let me find the chat.

A: This is where the blog is, so feel free to, you know, peruse through. And this isn't a one-person thing, it's multiple people that have contributed to this, and we're just trying to finalize it. So what John C was talking about was, you know, this wording of "build quality", so I just changed it to "build integrity". I didn't write that paragraph, so I'm just going to suggest it for now, consistent with the build process.

A: Oh, I see this one, Jumpsy. Yeah, I'll have to edit that one later. And thanks, Jay, for joining. Haven't talked to you in a while.

D: I was gonna say another big push next week and the week after, and then going into Christmas, but I figured you'd finish up a few things. Clear.
A: Yeah, that's my goal for today. And yesterday I'm getting to get stuff done that I never have time to do because nobody's bothering me, right. So it's just been a little quieter at work, and, you know, doing some coding, which I haven't done in a long time, and so it's been a pretty fun, you know, 24 hours. And, you know, hoping that we can at least submit something as a PR for a blog, I'm hoping, right. We've been working on this for a while, and it's like at the very end.

A: So I think where we need the most help, one is this call to action. It's, like, very blah, there's nothing in here, so that definitely needs to be beefed up, right. Like, what do we want developers to take away from this? What should they do next?

A: There was a huge thread with Mark, because I was trying to express, like, you know, I shared this picture with him, and then the "downloading dependencies" triggered the thought of, well, maybe this isn't something that we've actually talked about yet, and we should. And so I need to alter the picture so that it doesn't have the dependencies part, or we can try to see if we can get it in the 1.0 specification. I don't know.

A: So that's something that, you know, Mark was concerned about with the dependencies, but I was trying to get a handle of, you know, what is it preventing, right? What is it? Is it catching an error? And so he was kind of going through and explaining it. So I was going to modify this language a little bit to express what he wrote in a different way for the developers.

A: So I don't know if you saw that thread, Jay. It's on the specification. Let me see, and I can tag you all. Are you on an OpenSSF Slack channel, Matt? Yep.

A: It went haywire after I... I was asking about something very specific, and then it went completely sideways to, like, some other topic. So I'm just trying to focus on this little bit here, but I did tag you three. So if you wanted to follow the thread, you could, so just in case.

A: But so I'm trying to understand, like here, "prevent a bad compile from, you know, being submitted because it's not matching upstream code". One of the things they said, well, Sean Lowry said, well, what's local versus upstream, right? And upstream doesn't necessarily mean open source community. It's just whatever the build system says, "hey, you need to go pull code from". That's what I'm considering upstream. Could it be an open source repository? Yes. Could it be internal?

A: Yes. Yeah, for all intents and purposes, it is wherever the build system defines that upstream repo. And then for local, it is anything that's on the user system, right, whether it's their laptop, it's a personal desktop. It could, heck, it could be a, you know, VDI environment in a cloud somewhere, somewhere where it's not... what's the word... somewhere where the developer's working. So I'm not sure if these are clear enough and if there's any tweaks that you all think I should make to these definitions.

D: Consistent, are they consistent across the board, right? So, like, we're using these definitions, but they're also used not only with respect to SLSA, but with respect to the OpenSSF and stuff in general.

A: Yeah, because I completely agree. If we had those definitions, yes, but I think those are very much in flux, and I don't know when we're gonna get those, at least preliminary definitions where people are like, yeah, we think this is good, it's just a tweaking of a word or two here or there. I thought I heard someone else speak.

B: I think that particular, specifically, I mean, specifically we mentioned about what local and upstream is, will be good. It will help the readers to understand what exactly.

A: Yeah, yeah. I think for this entire blog, which is not very big, it should be consistent across the board, and we'll definitely make sure of that.

B: The diagram, so there we have mentioned about running unit tests. So if we are adding running unit tests, unit tests are a kind of best practice to be part of the build. In that case, vulnerability check is also part of that build, right. So we can add more, like, you know, steps in that build process. So if we are intended only to the core build activity, like importing, downloading source code, downloading dependency, then we move out or add additional steps also, like vulnerability analysis. I mean, this is just a thought process.

A: That... okay, yeah. Let me... I'm gonna have to reach out to Jory on editing this recording. I don't know why that Chrome browser popped up. I have access to this, or rather I created this. So that's a good point. Let me edit it, and then I'll do a new comment.

D: I think this... I mean, I think it's a slippery slope. And the reason why I say that is because I looked at the thread, and I've looked at a couple of the sites to see what changes have occurred and where we're at now with a lot of those changes in terms of the spec.

D: If that makes sense. What I'm afraid of from this blog's perspective is we're going to call out something, because, so, we've already, right, we've already found discrepancies, right, that we've sent back and verbalized to the spec team.
D: My fear is that they're still hammering that stuff out, and when we issue the PR, we could be issuing the PR a little premature towards them hammering something out, and we may be highlighting something that might not get... dare I say, we might end up being smarter than the fifth grader on this one.

A: Got it. So what are your thoughts on, right, obviously we can't release this until 1.0 gets released, right. So what if we do it where we're timing it right: we do submit the PR so that everybody's in agreement, and if something changes before it gets published, we would know, because it's dependent on it, right.

D: I'm good with that. I'm good with that. I also saw in the beginning we referenced GUAC, is that... is... yeah.

A: I did do that because of this chart I liked.

A: The chart. I didn't want to reference it because of GUAC per se. It was just because it helps give the user a way of visualizing, right, and this was the only place I could find it. It was Google's blog, right, and so I thought this was a really good diagram, right. It simplifies things. It helps the reader digest where SLSA is in the grand scheme of things. So that's the only reason why I mention it right here, but we don't discuss it further.

A: Yeah, so if there's another picture that helps, by all means, I'm all ears. I think this was the best one that I found at the time, because I think it was Sean who shared it with us, like, three meetings ago or something like that, and I'm like, oh, that's a really good diagram.

A: This, so for Matt, who may not, since he wasn't part of these meetings before. This is what problems it can catch, right. So at a high level: helping to prevent misconfiguration, local modifications and data processing errors. Somebody also said reduce time to release, debug and determine root cause, and then improve transparency in building a secure software supply chain.

A: So this one, I don't remember who mentioned it. It could have been Laura. It could have been somebody else, right. Talk to the developer about reducing their time at work, right. Do they have to stay late at work if their code gets, you know, not approved right before the production push? That's going to cause them to stay later, right, and so it reduces that risk of that happening and them having to stay later. So I don't know quite how to word this.

A: So this is another area that I think I need help on, to try to get into that mindset of... you really want to sell this as a "if you want to reduce your time at work" kind of thing, yeah.

D: I'm curious to... I'm curious as to how that parallel was drawn, given the current levels, at levels one and two. I'm curious to see how.

A: If you put something in the build that you're not supposed to, and it gets caught right before production, right, it's gonna delay everything. Same thing for vulnerability: if they find a vulnerability, or a package that wasn't approved for a legal review or for use, blah blah blah, it's gonna get... right. So these were the reasons, right: gating near production, security issues, security design against policy. So there could be something that you're doing, and they're like, no way, we would never do this.

B: Can I add one point, Jay, here? I remember on that discussion, he was actually particularly telling about the security team's approval before the release. It's not the general approval. I think it's the security team's approval. So usually, just to do it for production, we'll be waiting for the security team, but if we put this SLSA into the pipeline, then this attestation will have happened in advance or in an automated way, so that then we don't need that manual approval. That may help to speed up our release.

B: Yeah, there we can choose, we can give the options like use a DevOps orchestrator such as Cloud Build or GitHub.

D: Yeah, we can absolutely point to, like, part two and say "further details, as we mentioned in part two". But, like I said once again, when I saw the caution, let's make sure that it is in fact... there is tooling, and that has been discussed, before we mention it here, because there'll be a part two, and if part two doesn't corroborate what we talk about in part one at the time of part two's release, you know, I mean, we're going to lose the audience.

B: Can we just mention something called "automated process of releases incorporating SLSA will help to reduce time to release, debug and determine root cause"?

B: Yeah, with, like, SLSA-integrated builders, so that's what our aim is, right, so.

A: What would it be, SLSA requirements integrated?

B: Or another way around: automated process of build and release with SLSA-enabled build systems. It's also, yeah.

B: You're talking here on mute. Oh, sorry. Yeah, we can say, like, security approvals.

B: Approval can be, like, you know, replaced with automated process of attestation, or, yeah.

A: So I'm wondering if we should change this... well, should we change the title?

C: Yeah, I was thinking, I know I'm brand new here, but to me this was like building more predictable change management activities. I think it might be... maybe "change management" is too generic and not going to resonate with the development community, but "building more predictable continuous deployment".

C: I think that touches on the general sentiment of this use case, and I think that feeds very well into the call to action on.

C: I think if we put the ad car mindset on the "what's in it for me" for the developer, that would be a big one.
A: Know what you were gonna say, so I didn't know if it was something to add or if it was more of a general comment. So now I missed my opportunity.

A: Yes, definitely, please do so. You should have access to edit or suggest on this document. I think we opened it up so it wasn't just one person that could edit.

A: Yeah. Okay, so I'm glad that this is resonating, because, again, I don't... all I remembered was, you know, the staying late, but the other thing was about the debugging and root cause.

A: If something fails, I think it was around the artifacts that get generated that could help with debugging and finding the root cause of why something would have failed.

A: Let's say it didn't pull from the right repo, as an example, or it didn't pull all the dependencies, or, I don't know. I think that was another reason why someone said that this is really useful: it is for troubleshooting if there is a failure of some sort.

A: And whoever's writing, thank you. I appreciate it very much. And then SBOMs was something I know Bruno mentioned, right. A lot of people, when they think about SLSA, the first thing they're gonna probably ask us is: how does this help me with SBOMs, right? Because everybody's thinking about SBOMs, even though it's not one and the same. So this was... I don't remember where... somebody mentioned this, right.

A: It's an on-ramp to building a more secure software supply chain, and that's also one: produces the SBOM, right, and then you can use that for any number of reasons, and SLSA level 2 would produce a signed SBOM, which prevents tampering of the artifact. I couldn't really come up with anything in terms of why a developer would care about that, right. I can't imagine a developer caring about that.

A: Good, okay. So that's my webcam microphone. I basically stopped hearing you after I said "whoever's writing, thank you!" So I don't know if people were talking or not after that.

D: Well, no. So, actually, responding to what you were saying about the SBOM stuff, I mean, I think you made the point with what you said. I don't know, but I don't know why a developer would care necessarily. I mean, I think from a build perspective the SBOM is important. From a developer perspective, I don't know why a developer would care, you know, prior to an SBOM being developed for the build itself.

B: Yeah, the other way around, among more things where maybe I'm not right here. So is it like, for example, GitLab or Cloud Build, when it's creating the provenance information, is it mandatory to create the SBOM format? Because somewhere I remember it's mentioned SLSA format and SBOM format are two different formats, and currently Cloud Build uses SLSA format and GitLab, or maybe some other tool, uses the SBOM format. So are we specifying for SLSA level one the provenance information should be in SBOM format?

D: Well, there isn't... isn't there a use case for SPDX or something like that? I... yes.

A: But SLSA, is it really... you know, it doesn't really care about how you create your SBOM necessarily, right. Right now we don't have source defined, but it doesn't care about how you generate that SBOM necessarily, from the accuracy or the formatting. It's just saying your build is supposed to generate something.

D: That was one of the items of contention that we discovered early on, and whether or not that was actually a part of the... if that was actually part of levels one and two and not... well, and I might even show, because levels one and two are more about the build versus the source.

A: Correct, yeah. So that was... yeah, I think there was a benefit, because some of these benefits, for Jumpsy and Matt, I've copied them at the bottom. This was actually in SLSA documentation, and one of them mentions provenance at some level. I can't remember where, and we had an interesting conversation about that, because we weren't sure if it was for build or if it was for source. Yeah, we don't have source levels defined, but I don't know that we've defined provenance for build.

B: So, another way around, like, we have different mechanisms for proving or for providing integrity to the build, so we can have different signing procedures. We can have different types of signers, yeah. So I should say it would be like either provenance or integrity of the build, and how to actually... integrity is through the attestation and signing procedure, which can be done in different ways.

D: I think if we say that, I think we're back to the question: what does that have to do with the developer?

D: I mean, if we're talking about signing, that's a bit later, right. I mean, hell, especially if we're addressing vulnerabilities and all that kind of stuff, and, you know, sign something unless you're good with the... unless you go with the package, right. I mean, dare I say, we're talking about levels one and two. Dare I say that might be a level three item.
A: I want to make sure, I know we talked about integrity up here somewhere.

D: I mean, unless we're making a reference towards attestation and all that and release management... but then, once again, I think we might even be scope creeping on that one too. So I digress.

B: I can see the SLSA specification itself mentioned something called "requires version control and hosted build services that generate authenticated provenance", so that terminology is already there in SLSA about them.

B: Is dot... it's dot one, sorry, yeah.

D: What's it going to be exactly, and then we saw the differences between source and build, just split off between source and build, and this was one of the things that split off between source and build.

D: That this is build, and it should talk about... so at the... I know. I think this is it. I think this is the one I found before: this is a source track, not yet defined.

A: I remember. So build provenance is defined, so let's at least copy that down and put that in here in the comments, to build provenance.

A: So it's like you just got to get prepared for it, and if somebody asks you for an SBOM, you have to know what it is, right. But outside of that, I don't know how to sell it, right, to a developer themselves. Right, me as a security professional, right, that's all I'm talking about as a developer.

A: They're like, what is this SBOM stuff everybody keeps talking about, right. Like, they don't really care. Only if you're higher up in terms of the field, like if you're a senior developer or, you know, you're overseeing a project, then you care. But, you know, a lower-level developer does not care.

C: Well, I think that's a broader challenge as well with the "who cares" part, because, I guess, like I said, I'm still really new in this space. I'm more of a security generalist, but it seems like the alignment to business value and getting agile teams working together with the same goal. There should be a focus on building the highest quality product that we can to support the business outcomes that we're all getting paid to deliver, right.

C: The reason that we all work for a company is to provide business value, and fully understanding, or understanding to the best of our abilities, the components that we use is part of the job, right. I think the stuff that we've already written down, or you've all written down, around quality is spot on, because the analogy that I have in my head, and I'm not saying it's right, is if an automobile manufacturer picks a component company that has faulty equipment.

C: The news is going to look at that automobile manufacturer, not the component company, when things go wrong, and the due diligence lies on that automobile manufacturer. And then the developer analogy, to me, that's the easiest way to resonate with the people that are putting together the applications, or cars in this analogy. And I saw up above something about the ingredients, and I think that was really telling of making this relatable.

D: Because if we're talking about downstream, well, then we're verifying, you know, we're verifying the... yes, whatever signing mechanism or whatever hash came with the package that we're pulling down that's going to be used towards our downstream product, or whatever it is that we're developing, versus something that a developer might be building that's being sent upstream, right. That gets an SBOM later on, or maybe... I mean, we need to make sure we preface this properly for the reader, I mean.

A: Yeah, I thought the way it was explained, it sounded like it's, like, if we were to assume this is our build environment, this is our SBOM that we're producing, because it's also level one. You say that you're going to produce in that SBOM format, in effect, but that doesn't mean that the dependencies that you are using have that SBOM, having...

A: Level one, right. So I think this is the perspective of a product or application that you are building as a developer, because then you have the control of creating an SBOM. But I get your point about the dependencies or the components that you are ingesting and trying to get those SBOMs. I don't think.

D: How do you verify the trust? How do you verify what... well, first of all, what is trust in your environment, right? How do you... what do you believe to be trustworthy? You know, what's a trustworthy process for you, right? You don't trust the product, you trust the process. So you have a process that you deem to determine what something is, is trusted, what is trusted or what isn't, and should that include its own SBOM, right.

C: Yeah, and I agree with Jay. We could write a whole blog about the accountability, because that's kind of what we talked about with the cultural aspect. But to me, trust of components is a risk management activity, and whether the components are internal or open source, there's certainly different degrees of trust. But at the end of the day, it comes down to risk management accountability.

A: Okay, thank you. So I think you're spot on about this: we need to clarify that this is an SBOM for the product application, right, and maybe in a future blog we will cover the concept of trusted.

A: Yes, trusted components, something like that.
A: Yeah, the other thing, I like this, because it still goes back to what was talked about up here, which, I'm trying to remember her name, Michelle. Michelle wrote a lot of this. I think we can also.

A: ...with the readers and say, you know, as a, you know, junior developer, you may not care about SBOMs, right, you may not get excited, but this is why you should care. So maybe we have to call that out. It's like, yes, you may not care about it. You may get asked for one here and there, you may see one here and there, but this is ultimately why you should care about SBOMs.

A: Potentially, that is something we still have to call out, like, yes, it improves transparency, but, oh, junior developer.

A: So there was a lot of echo there, Jumpsy. I think I caught most of what you said, but just.

A: There's a big echo, but yeah, the shift-left principle.

B: Yeah, okay. So I was telling, like, developers should also take care of the information out of what SBOM is. So when, like, I was a developer, we were also forced to do all the QA/QC checks and vulnerability analysis and everything in the laptop itself, or the development machine itself. So here I was thinking, like, you know.

B: The provenance information need to worry, or need to be considered, only in the build orchestrators like Cloud Build or GitLab or such tools. But in a case where, in the SLSA level one or level 2 phase, when people are building something from their own laptop still, the laptop can create an SBOM-format output, which can be also used to deploy, to, I mean, securely deploy to an environment or to a cluster or to a compute engine, basically.

A: Yeah, that makes sense. Yeah, so the shift-left principle. And I copied your comment, Matt. I meant to put something about the... what.

A: Me? It's okay. So, okay, so we only have one minute left. So what I'm gonna do here, call to action, I think.

A: Okay, there's some stuff there, so we need to do... except the... I think it's the debug, troubleshooting and SLSA and SBOM part, right. I think the other part was okay, if I remember correctly.

A: If you can all take a look at this one. Oh yeah, and that's the other thing: set up PR to release after 1.0, PR in time of dependency to ensure we didn't miss or something wasn't dropped from that respect. Okay, so yeah. If folks can take a look and feel free. Like I said, I'm not the only writer in here, there's multiple, and I'm also not the best writer in the world.

A: So please feel free to add words, but I think we're very, very close to being done. It's just a little bit of tweaking here and there. Yeah, it was good, yeah.

A: Well, thanks, folks, for joining, and for those that are celebrating, happy gobble day. Hope you enjoy lots and lots of turkey, if that's your thing. If that's not your thing, hope you enjoy something yummy to eat. But hopefully I'll hear you and see you all next week.