►
From YouTube: SLSA Positioning Meeting (November 22, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
B
A
B
A
A
Okay,
okay,
yeah
so
starting
tomorrow,
not
tomorrow,
A
lot
of
times
for
Thanksgiving
week,
people
will
take
off
the
whole
week
or
sometimes
they'll
start
dropping
as
the
days
progress
so
either
today
or
tomorrow.
Usually
people
like
tomorrow,
I'm
not
working.
So
okay
right,
you
know,
but
today
I
am
so.
It
just
depends.
B
A
Yes,
correct,
correct
yeah,
so
so
yeah
we,
we
may
not
have
a
lot
of
folks,
but
that's
okay.
We
could
still
get
some
work
done,
which
is
why
I
keep
some
of
these
sessions
yeah,
because
if
I
don't
have
dedicated
time
to
work
on
this,
it's
it's
probably
not
going
to
get
done.
So
at
the
very
least,
I
can
get
something
done
during
this
one
hour
session.
A
A
A
B
Think
I
have
a
scene
that
that
changes
as
well.
It's
it's
for
me.
It
looks
good.
So
the
point
what
I
thought
was
like
you
know
when
we
say
about
salsa
quality
is
actually
something
different
from
what
salsa
provides.
If
you
make
it
secure,
we
cannot
I
mean
Quality.
Security
is
also
part
of
that.
We
can
say
when
we
say
quality
is
there.
Then
security
is
also
in
in
in
line
with
that
or
integrated
with
that,
but
it's
actually
kind
of
two
two
terms
right
yeah.
B
B
A
C
A
Okay,
well
welcome.
Welcome,
for
thank
you
for
joining
I
was
telling
jumpsy
that
I
suspect
today
is
going
to
be
a
light
day
for
two
reasons:
one.
This
is
a
an
optional
meeting,
it's
a
working
session.
So
that
way
we
can
get
stuff
done,
but
then
also
because
of
the
holidays
right
people
tend
to
either
have
the
whole
week
off
or
they
start
dropping
off
as
the
day
progresses,
so
so
yeah,
it
might
just
be
the
three
of
us.
A
And
so
what
we've
been
working
on
is
a
Blog
right
now
to
focus
on
Developers
right
and
like
why
they
should
care
about
salsa
right,
how
it
helps
them,
okay,
and
so
that
that
that's,
what
we're
kind
of
looking
at
right
now
and
just
trying
to
finish
up
that
blog
and
the
the
link
is
in
the
meeting
notes.
But
I
will
also
put
it
here.
Let
me
find
the
chat
chat.
A
This
is
where
the
blog
is
so
feel
free
to
you
know
peruse
through
and
and
this
isn't
one
person
thing,
it's
multiple
people
that
have
contributed
to
this
and
we're
just
trying
to
finalize
it.
So
what
John
C
was
talking
about
was
you
know
this?
This
wording
of
build
quality,
so
I
just
changed
it
to
build
Integrity
I
didn't
I,
didn't
write
that
paragraph
So
I'm
just
going
to
suggest
it
for
now
assistant
Mickey
build
process.
D
A
A
Yeah,
that's
that's
my
goal
for
today
and
yesterday
I'm
getting
to
get
stuff
done
that
I
never
have
time
to
do
because
nobody's
bothering
me
right.
So
it's
just
been
a
little
quieter
at
work
and
you
know
doing
some
coding
which
I
haven't
done
in
a
long
time,
and
so
it's
it's
been
a
pretty
fun.
You
know
24
hours
and
you
know
hoping
that
we
can
at
least
submit
something
as
a
PR
for
a
Blog
I'm
hoping
right.
We've
been
working
on
this
for
a
while,
and
it's
like
at
the
very
end.
A
A
There
was
a
huge
thread
with
Mark,
because
I
was
trying
to
express,
like
you
know,
I
I
shared
this
picture
with
him,
and
then
the
downloading
dependencies
triggered
the
thought
of
well.
Maybe
this
isn't
something
that
we've
actually
talked
about
yet,
and
we
should
and
so
I
need
to
alter
the
picture
so
that
it
doesn't
have
the
dependencies
part
or
we
can
try
to
see
if
we
can
get
it
in
the
1.0
specification.
I
don't
know.
A
So
that's
something
that
you
know
Mark
was
concerned
about
with
the
dependencies,
but
I
was
trying
to
get
a
handle
of
you
know.
What
is
it
preventing
right?
What
is
it?
Is
it
catching
an
error,
and
so
he
was
kind
of
going
through
and
explaining
it?
So
I
was
going
to
modify
this
language
a
little
bit
to
express
what
he
wrote
in
a
different
way
for
for
the
Developers.
A
C
C
D
A
A
But
so
I'm
trying
to
understand
like
here,
prevent
a
bad
compile
for
you
know
being
submitted
because
it's
not
matching
Upstream
code,
one
of
the
things
they
said
well,
Sean
Lowry
said
well:
what's
local
versus
Upstream,
right
and
Upstream
doesn't
mean
open
source
Community?
Necessarily
it's
just
whatever
the
build
system
says
hey.
You
need
to
go
pull
code
from
that's
what
I'm
considering
Upstream.
Could
it
be
an
open
source
repository?
Yes,
could
it
be
internal?
A
Yes,
yeah,
for
all
intents
purposes,
is
wherever
the
build
system
defines
that
Upstream
repo
and
then
for
local
is
anything
that's
on
the
user
system
right,
whether
it's
their
laptop,
it's
a
personal
desktop.
It
could
heck.
It
could
be
a
you
know:
vdi
environment,
in
a
cloud
somewhere
somewhere
where
it's
not
what's
the
word
somewhere,
where
the
developers
working
so
I'm,
not
sure
if
these
are
clear
enough
and
if
there's
any
tweaks
that
you
all
think
I
should
make
to
these
definitions.
D
A
A
A
Yeah
because
I
I
completely
agree
if
we
had
those
definitions-
yes,
but
I,
think
those
are
very
much
in
flux
and
I
I,
don't
know
when
we're
gonna
get
those
at
least
preliminary
definitions
where
people
are
like
yeah.
We
think
this
is
good.
It's
just
a
tweaking
of
a
word
or
two
here
or
there
I
thought
I
heard
someone
else
speak.
B
C
A
B
Diagram
so
there
we
have
mentioned
about
a
running
unit
test.
So
if
we
are
adding
running
unit
test,
unit
test
is
a
kind
of
best
practices
to
be
part
of
the
build
in.
In
that
case,
vulnerability
check
is
also
part
of
that
that
build
right.
So
we
can
add
more,
like
you
know,
steps
in
in
that
build
process.
So
if
we
are
indented
only
to
the
core
build
activity
like
importing
downloading
source
code
downloading
dependency
and
we
mood
out
or
add
additional
steps,
also
like
vulnerability
analysis,
I
mean
this
is
just
a
thought
process.
A
A
A
D
A
A
Got
it
so
what
are
your
thoughts
on
right?
Obviously,
we
can't
release
this
until
1.0
gets
released
right.
So
what?
If
we
do
it?
Where
we're
timing
it
right,
we
do
submit
the
pr
so
that
everybody's
in
agreement
and
if
something
changes
before
it
gets
published,
we
would
know
because
it's
dependent
on
right.
D
B
A
Chart
I
didn't
want
to
reference
it
because
of
block
per
se.
It
was
just
because
it
helps
give
the
user
a
way
of
visualizing
right,
and
this
was
the
only
place
I
could
find.
It
was
Google's,
blog
right
and
so
I
thought
this
was
a
really
good
diagram
right.
It
simplifies
things.
It
helps.
It
helps
the
reader
digest
where
salsa
is
in
the
grand
scheme
of
things.
So
that's
the
only
reason
why
I
mention
it
right
here,
but
we
don't
discuss
it
further.
A
A
A
This
so
for
Matt
may
not,
since
he
wasn't
part
of
these
meetings
before
so.
This
is
what
problems
it
can
catch
right
so
at
a
high
level
helping
to
prevent
misconfiguration
local
modifications
and
data
processing
errors.
Somebody
also
said
reduce
time
to
release
debug
and
determine
root
cause
and
then
improve
transparency
in
building
a
secure
software
supply
chain.
A
So
this
one
I
don't
remember
who
mentioned
it?
It
could
have
been
Laura.
It
could
have
been
somebody
else
right
talk
to
the
developer,
about
reducing
their
time
at
work
right.
Do
they
have
to
stay
late
at
work
if
their
code
gets,
you
know
not
approved
right
before
production
push
that's
going
to
cause
them
to
stay
later
right,
and
so
it
reduces
that
risk
of
that
happening
and
them
having
this
day
later
so
I,
don't
know
quite
how
to
word
this.
A
D
A
If
you
put
something
in
the
build
that
you're
not
supposed
to
and
it
gets
caught
right
before
production
right,
it's
gonna
delay
everything
same
thing
for
vulnerability
if
they
find
a
vulnerability
or
a
package
that
wasn't
approved
for
a
legal
review
or
for
use
blah
blah
blah,
it's
gonna
get
right.
So
these
were
the
reasons
right,
gating
near
production,
security
issues,
security
design
against
policy.
So
there
could
be
something
that
you're
doing
it
they're
like
no
way
we
would
never.
We
would
never
do
this.
D
B
Can
add
one
point
Jay
here
I
remember
on
that
discussion.
He
was
actually
particularly
telling
about
the
security
team's
approval
before
the
release.
It's
not
the
general
approval.
I
think
it's
a
security
team's
approval,
so
usually
just
do
it
for
production,
we'll
be
waiting
for
the
security
team,
but
if
we
put
this
Salsas
into
or
the
or
the
pipeline,
so
this
attestation
will
have
happened
in
advance
or
in
an
automated
way,
so
that
then
we
don't
need
that
manual
approval
that
may
help
to
speed
up
our
release.
D
C
D
B
B
D
Yeah,
we
can
absolutely
point
to
like
part
two
and
say
further
further
details,
as
we
mentioned
in
part
two.
But
what
like
I
said
once
again,
when
I
saw
the
caution,
let's
make
sure
that
it
is
in
fact
there
is
tooling,
and
that
has
been
discussed
before
we
mention
it
here,
because
there'll
be
a
part.
Two
in
the
the
part,
two
doesn't
cooperate.
What
we
talk
about
in
part,
one
at
the
time
of
part,
two's
release,
you
know,
I
mean
it's
we're
going
to
lose
the
audience.
A
A
B
A
B
D
C
C
A
D
A
C
A
A
A
A
And
whoever's
writing.
Thank
you.
I
appreciate
it
very
much
and
then
s-bombs
was
something
I
know
a
Bruno
Bruno
mentioned
right,
A
lot
of
people
when,
when
they
think
about
salsa
first
thing,
they're
they're
gonna
probably
ask
us:
how
does
this
help
me
with
f-bombs
right
because
everybody's
thinking
about
us
bombs,
even
though
it's
not
one?
In
the
same
so
this
was
I,
don't
remember
where
I
somebody
mentioned
this
right.
A
It's
an
on-ramp
to
building
a
more
secure
software
supply
chain,
and
that's
also
one
produces
the
s-bomb
right
and
then
you
can
use
that
for
any
number
of
reasons
and
salsa
level
2
would
produce
a
sine
death
bomb
which
prevents
tampering
of
the
artifact
I.
Couldn't
really
come
up
with
anything
in
terms
of
why
a
developer
would
care
about
that
right.
I
can't
imagine
a
developer
caring
about
that.
A
A
A
A
C
A
A
D
Well,
no
so,
actually
responding
to
what
you
were
saying
about
the
s-bomb
stuff.
I
mean
I,
I,
I,
I,
I.
Think
you
you,
may
you
made
the
point
with
what
you
said:
I
I,
don't
know,
but
I
don't
know
why
a
developer
would
care
necessarily
I
I
mean
I,
I.
Think
from
a
build
perspective,
the
s-bomb
is
important
from
both
from
a
developer
perspective.
I,
don't
know
why
a
developer
would
what
what
care
you
know
prior
to
you
know,
prior
to
the
to
a
nest
Barn
being
developed
for
for
the
build
itself.
D
B
Yeah
other
way
around
among
more
things
where
maybe
I'm
not
right
here
so
is
it
like,
for
example,
lab
or
Cloud
build
when
it's
it's
creating
the
prominence
information
is
like
mandatory
to
create
the
s-bomb
format,
because
somewhere
I
remember
it's
mentioned.
Salsa
format
and
S4
format
are
two
different
format
and
currently
Cloud
build
uses,
salsa
format
and
gitlab,
or
maybe
some
other
tool
use
the
system
format.
So
are
we
specifying
for
salsa
level
one?
The
provenance
information
should
be
in
s-bomb
format,.
D
A
But
salsa,
is
it
really,
you
know
it?
It
doesn't
really
care
about
how
you
create
your
s-bomb
necessarily
right
right
now
we
don't
have
Source
defined,
but
doesn't
care
about
how
you
generate
that
s-bomb
necessarily
from
the
accuracy
or
the
formatting.
It's
just
saying
your
build
is
supposed
to
generate
something.
D
A
Correct
yeah,
so
that
was
yeah
I
think
there
was
a
benefit
because
some
of
these
benefits
for
for
jumpsy
and
Matt
I've
copied
them
at
the
bottom.
This
was
actually
in
salsa
documentation
and
one
of
them
mentions
provenance
at
some
at
some
level.
I
can't
remember
where-
and
we
had
a
interesting
conversation
about
that,
because
we
weren't
sure
if
it
was
for
build
or
if
it
was
for
a
source
yeah,
we
don't
have
source
levels
defined,
but
I
don't
know
that
we've
defined
provenance
for
build.
B
So
in
another
way
around
like
we
have
different
mechanism
for
for
proving
or
for
providing
Integrity
to
the
field,
so
we
can
have
different
signing
procedure.
We
can
have
different
type
of
signers
yeah,
so
I
should
say
it
would
be
like
either
prominence
or
Integrity
of
the
build
and
how
to
actual
Integrity
is
through
the
attestation
and
signing
procedure
which
can
be
done
in
different
ways.
D
D
I
mean
if
we,
if
we're
talking
about
signing
that,
that's
a
that,
that's
a
that's
a
that's
a
bit
later
right,
I
mean
we're.
I
mean
hell,
especially
if
we're
addressing
vulnerabilities
and
all
that
kind
of
stuff-
and
you
know
sign
something
unless
you,
unless
you're
good
with
the.
Unless
you
go
with
the
package
right
I
mean
I.
I,
dare
I
say
that
we
we're
talking
about
levels,
one
and
two
dare
I
say
that
might
be
a
level
three,
a
level
three
item.
D
D
D
D
D
D
D
A
So
it's
like
you
just
you
just
got
to
get
prepared
for
it
and
if
somebody
asks
you
for
an
Xbox,
you
have
to
know
what
it
is
right,
but
outside
of
that
I,
don't
know
how
to
sell
it
right
to
a
developer
themselves.
Right
me
as
a
security
professional
right,
that's
all
I'm
talking
about
as
a
developer.
C
Well,
that's
a
I
think
that's
a
broader
challenge
as
well
with
the
who
cares
part
because
I
guess
I
I,
like
I,
said
I'm
I'm
still
really
new
in
this
space,
I'm
more
of
a
security
generalist,
but
it
seems
like
the
alignment
to
business
value
and
and
getting
agile
teams
working
together
with
the
with
the
same
goal.
There
should
be
a
focus
on
building
the
highest
quality
product
that
we
can
to
support
the
business
outcomes
that
were
we're
all
you're
getting
paid
to
deliver
right.
C
The
the
reason
that
we
all
work
for
a
company
is
to
provide
business
value
and
fully
understanding
or
understanding
to
the
best
of
our
abilities.
The
components
that
we
use
is
part
of
the
job
right.
I.
Think
the
the
stuff
that
we've
already
written
down
or
you've
all
written
down
around
quality
is
is
spot
on,
because
the
analogy
that
I
have
in
my
head
and
I'm
not
saying
it's
right
is
if
a
an
automobile
manufacturer
picks
a
a
component
company
that
has
faulty
equipment.
C
The
news
is
going
to
look
at
that
automobile
manufacturer,
not
the
component
company
when
things
go
wrong
and
the
due
diligence
lies
on
that
automobile
manufacturer
and
then
the
developer
analogy
to
me.
That's
the
the
easiest
way
to
resonate
with
the
people
that
are
putting
together
the
applications
or
cars
in
this
analogy
and
I
saw
up
above
something
about
the
ingredients
and
I
think
that
was
really
telling
of
making
this
relatable.
C
D
D
Because
if
we're
talking
about
Downstream
well,
then
we're
verifying,
you
know
we're
verifying
the
the
yes,
whatever
whatever
signing
mechanism
or
whatever
hash
came
with
the
with
the
package
that
we're
pulling
down
that's
going
to
be
used
towards
our
Downstream
product
or
whatever
it
is
that
we're
developing
versus
something
that,
where
some
something
that
developer
might
be
building,
that's
that's
being
sent
Upstream
right.
That
gets
that
gets
an
s-bomb
later
on,
or
maybe
I
mean.
We
need
to
make
sure
we
preface
this
preface
this
properly
for
the
reader
I
mean.
A
Yeah
I
thought
the
way
the
way
it
was
explained
it
sounded
like
it's
like
if
we
were
to
assume
this
is
our
build
environment.
This
is
our
s-bomb
that
we're
producing,
because
it's
also
level
one.
You
say
that
you're
going
to
produce
in
that
spot
mode
effect,
but
that
doesn't
mean
that
the
dependencies
that
you
are
using
having
that
spawn
having.
A
Level
one
right
so
I
think
this
is
the
perspective
of
a
product
or
application
that
you
are
building
as
a
developer,
because
then
you
have
the
control
of
creating
an
s-bomb,
but
I
get
your
point
about
the
dependencies
or
the
components
that
you
are
ingesting
and
trying
to
get
those
s-bombs
I.
Don't
think.
D
D
How
do
you
verify
the
trust?
How
do
you
verify
what
what
well
first
of
all,
what
is
trust
in
your
environment
right
how
you?
What
what
do
you
believe
to
be
trustworthy?
You
know
what's
a
trustworthy
process
for
you
right,
you
don't
trust
the
product
trusted
process,
so
you
have
a
process
that
your
that
you
deem
to
determine
what
something
is:
is
trusted
what
is
trusted
or
what
isn't
and
should
that
include
its
own
s-bomb
right.
D
C
Yeah
and
I
agree
with
Jay.
We
could.
We
could
write
a
whole
blog
about
the
accountability,
because
that's
kind
of
what
we
talked
about
with
the
cultural
aspect
and
but
to
me
Trust
of
components,
is
a
is
a
risk
management
activity
and
whether
whether
the
components
are
internal
or
open
source,
there's
certainly
different
degrees
of
trust.
But
at
the
end
of
the
day,
it
comes
down
to
risk
management
accountability.
C
A
D
C
A
With
the
readers
and
say
you
know,
as
a
you
know,
Junior
developer,
you
may
not
care
about
s-poms
right,
you
may
not
get
excited,
but
this
is
why
you
should
care.
So
maybe
we
have
to
call
that
out.
It's
like.
Yes,
you
may
not
care
about
it.
You
may
you
may
get
asked
for
one
here
and
there
you,
you
may
see
one
here
and
there,
but
this
is
ultimately
why
you
should
care
about
best
bumps.
A
A
B
B
Yeah,
okay,
so
I
was
telling,
like
developers,
should
also
taken
care
of
the
information
out
of
what
is
Boom.
So
when
like
I
was
a
developer
like,
we
were
also
forced
to
do
all
the
qaqc
checks
and
vulnerability
analysis
and
everything
in
the
laptop
itself
or
the
not
the
development
machine
itself.
So
here
I
was
thinking
like
you
know.
B
The
program's
information
need
to
worry
or
need
to
be
considered
only
in
the
in
the
build
orchestrators
like
Cloud,
build
or
gitlab
or
such
tools,
but
in
a
case
where,
in
the
cell
lslsa
level,
one
or
level
2
phase,
when
people
are
building
something
from
their
own
laptop
still,
the
laptop
can
create
an
s-bomb
format.
Output
which
can
be
also
used
to
deploy,
to
I,
mean
securely
deeper
to
a
environment
or
to
a
cluster
or
to
a
Computing
engine.
Basically,.
A
A
A
A
B
A
B
A
You,
if
you
can
all
take
a
look
at
this,
this
one,
oh
yeah
and
that's
the
other
thing
set
up
PR
to
release
after
1.0
PR
into
time
of
independency
to
ensure
we
didn't
miss
or
something
wasn't
dropped
from
that
respect,
Okay
so
yeah.
If
folks,
can,
can
take
a
look
and
feel
free.
Like
I
said
I'm
I'm,
not
the
only
writer
in
here
there's
multiple
and
I'm,
also
not
the
best
writer
in
the
world.