►
From YouTube: SLSA Specifications Meeting (April 10, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
A
B
C
Looks
like
we
haven't
had
a
trickle
and
people
in
for
the
last
minute,
so
we
could
I
think
we
should
get
started.
Welcome
everyone
good
to
see
you
all
again.
As
a
reminder,
please
register
your
attendance
in
the
meeting
at
stock,
which
are
just
paste
in
a
chat
or,
as
always,
you
go
to
salsa.dev.
Slash
notes
for
like
also
a
reminder
to
follow
the
salsa
Frameworks
code
of
conduct,
which
and
there's
a
link
in
the
in
the
meeting
notes
for
that.
E
C
C
C
The
meeting
notes
Andrew
has
put
together
a
pull
request
to
so
I
unify
on
the
term
build
platform,
because
previously,
we
kind
of
say
sometimes,
let's
say
platform,
sometimes
we
say
system,
sometimes
we
say
service,
which
has
led
to
a
lot
of
confusion.
We've
had
a
lot
of
feedback
about
that
in
I
I,
in
my
opinion,
I
think
it
helps
a
lot
the,
but
it's
able
to
get
feedback
on
on
whether
that
makes
sense
and
in
particular
the
one
biggest
change.
C
It's
a
terminology
change,
but
we're
renaming
the
One
requirement
from
build
service
to
hosted
because
basically
we're
just
eliminating
service.
So
it's
like
one
fewer
term
to
have
to
Define
I,
guess
I'll.
Just
briefly
mention
these
three
things
and
see:
if
anyone
else
has
anything
and
then
we
can
discuss
as
needed,
or
else
people
could
just
comment
on
on
there,
the
the
issue-
I,
guess
I
guess
in
case
it's
health
I-
think
most
people
have
that
meeting
until
then.
So
you
can
see
what
I'm
we're
talking
about.
C
The
other
one
is
which
came
up
during
that
pull
request
is
in
the
provenance
schema.
We
currently
have
a
field
called
system
parameters,
We
call.
We
have
an
external
parameters
and
system
parameters,
because
that
pull
request
is
basically
eliminating
the
word
system.
That's
how
we
kind
of
noticed
this.
C
The
question
is:
should
we
rename
it
to
internal
parameters
or
perhaps
trusted
parameters
or
something
else
to
a
eliminate?
The
word
system
and
and
B
have
a
comparison
to
external
that
way.
There's
external
parameters
and
internal
parameters
it
it's
so
far,
like
I,
think
Andrew,
Tom
and
I
have
mentioned
that
have
said
it
seems
valuable.
C
F
C
H
Yeah
I
I
think
that
that
that's
accurate,
the
one
about
the
build
platform
is
a
gigantic
PR
and
I
do
apologize
for
that.
There's
not
really
a
better
way
to
make
that
big
of
a
change
so
but
but
I
think
Mark
did
a
good
job
of
catching
the
things
that
I
didn't
catch,
which
were
also
outside
of
the
scope
of
the
changes.
H
So
I
think
that
at
this
point
in
time,
I
feel
reasonably
comfortable
that
that
we
can
just
keep
it
to
the
the
parts
that
are
changed.
We
don't
have
to
do
too
much
investigation
outside
and
in
that
I
did
also
add
something
to
the
FAQ,
so
that
readers
would
be
aware
of
our
unification
on
the
concept
of
a
platform.
A
I
was
going
to
comment.
You
know,
based
on
kind
of
your
prompt
Mark
right
around.
Like
does
this
line
up
with
a
release
candidate?
Do
we
need
to
essentially
wait,
which
seems
odd?
You
know
if
this
is
an
improvement
unless
it's
like
truly
breaking
the
release
candidate
process
I
mean,
wouldn't
we
naturally
just
merge
these
PRS
in
anyway,
after
we're
at
1.0.
I
Yeah
I
do
I
mean
I
think
if
it's
just
terminology,
we
can
kind
of
say
hey
it's
just
you
know
you
call
one
thing
for
another,
but
funnily
we're
not
changing
the
requirements.
I
think
we
could
get
away
with
it.
We
just
you
know,
like
I,
said
changing
terminology.
If
you,
if
you
implement
it,
thinking,
hey
I'm,
doing
a
you
know,
build
service,
and
now
we
say
no,
we
call
it
build
platform.
It
really
doesn't
change.
What
you're
doing
your
implementation
would
be
exactly
the
same.
I
A
H
And
to
me,
I
I
also
hear
what
what
Arno
is
saying
about:
it's
just
terminology
and
that
being
applicable
for
eight
one,
five
as
well,
because
nobody
would
ideally
or
probably
nobody
would
have
done
any
implementation
towards
the
provenance
specification
V1
and
so
there's
nothing,
that's
being
changed.
It's
just
a
modification
in
the
key.
So
to
me,
I
feel
like
that
falls
in
the
same
justification.
H
I
If
you
have
right,
if
you
have
an
implementation
where
today
it
reads
system
parameters,
we
change
this,
you
have
to
change
your
code
by
definition,
this
cannot
be
considered
a
tutorial
now
I
mean
we
can
pinch
our
nodes
and
claim
that
hey
this
is
purely
editorial,
and
it
really
is,
you
know
you
might
be
right,
there's
no,
maybe
there's
no
implementation
working
to
actually
break
and
nobody's
going
to
come
and
sue
us,
but
you
know
if
we
want
to
be
strict
with
the
process.
This
is
clearly
not
a
tutorial
in
nature.
C
C
C
I
Let
me
let
me
talk
a
little
bit
more
about
the
the
from
the
governance.
The
the
community
specification
license
framework
point
of
view.
The
two-week
period
right
has
to
do
with
intellectual
property,
and
so,
from
that
point
of
view,
I,
don't
think,
there's
a
difference.
You
know
if
you
color
I
mean
technique,
I
mean
I
and
you
know
take
all
of
this
kind
of
sort.
I
Another
lawyer
I,
don't
claim
to
be
right,
but
I
have
spent
a
lot
of
time
on
these
kind
of
issues,
but
the
policies
and
whatnot
so
I
I
am
at
least
an
educated
engineer
on
that
front
and
my
understanding
of
what
this
is
about
is
you
know
if
somebody
had
some
patent,
you
know
that
would
read
on
the
spec
on
this
particular
feature
and
we
are
changing
it
now.
You
know
we're
infringing
on
some
patterns
different
than
others.
I
It
may
it
may
have
some
legal
implication
with
regard
to
licensing
commitment
made
by
contributors
and
so
on,
so
I'm
not
going
to
get
into
more
details,
but
this
is
essentially
what
this
kind
of
stuff
hinges
on
in
this
case,
I
would
think
you
know
it's
pretty
clear
that
you
know
changing
the
name
of
parameter
is
not
going
to
make
you
infringe
on
a
patent
more
than
than
other
or
anything
like
this.
So
there
is
no
impact
from
that
point
of
view.
I
think
you
know
that's
pretty
clear
I,
you
know
I
can't
imagine.
A
F
C
I
yeah,
my
kind
of
feeling
is
I'm,
not
sure
unless
we're
making
a
bunch
of
other
breaking
changes
later.
I,
don't
think
I
would
rise
this
to
do
a
breaking
change
for
this
to
be
the
only
one,
so
it's
it
might
be
like
either
we
do
this
now
or
we
just
live
with
the
current
name.
I'm
sorry
I
know
you're
about
to
say
something.
I
No
but
you're
right,
I
agree
with
that.
I
mean
just
to
be
clear.
I
agree
with
you,
you
know
what
it
was
just
said
that
the
the
cleanest
option,
if
we
really
want
to
play
by
the
book
and
have
no
issue,
is
to
have
an
rc3
and
we
could
have
it
today,
lend
the
PRS
and
say:
okay,
all
C3
wait
two
weeks
and
have
their
prospective.
I
You
know
in
reality,
as
I
I,
you
know
I'm
fairly,
pragmatic
guy,
I'm,
not
religious,
but
this
kind
of
stuff
and
again
I,
don't
think
anybody's
going
to
come
and
show
us
I
mean
not
literally,
but
even
like.
You
know,
intellectually,
so,
I'm.
Okay,
if
we
said
hey
it's
not
completely
by
the
book,
but
it's
and
I
agree
that
you
know
it's
better
to
fix
it
now
than
afterward
zero.
There's,
no
doubt
I
think
nobody
is
going
to
argue
against
that.
So.
B
J
So
I'm
not
aware
of
anybody,
who's,
implementing
and
I.
Think
there's
a
few
folks
who
posted
in
there
about
no
limitation
I
know
that
a
lot
of
Open
Source
projects
are
trying
to
see
like.
When
is
this
thing
more
or
less
finished
so
that
we
could
start?
You
know
doing
that
work
I
know
some
folks
have
been.
You
know
looking
at
you
know,
V
1.0
of
of
the
Providence
spec
and
some
other
things.
J
You
know,
there's
some
build
tools
that
are
trying
to
keep
track
of
of
what's
going
on.
They
want
to
know
when,
when
it's
done
so
that
they
can,
you
know,
I
would
say
finish.
Implementing
I
know
that
some
folks
are
like
they're.
Not
you
know
they
don't
plan
to
release
an
implementation
of
of
any
of
the
RCs.
They
just
plan
to
say
hey
if
this
is
more
to
less
what
it's
going
to
look
like.
Let's
start
the
work
now
so
that
we're
you
know
ready
around
the
time.
1.0
officially
releases.
A
And
I
was
going
to
jump
in
like
I.
Think
that's
a
really
good
point
right
like
maybe
this
is
like
a
80
20
rule
where
they've
already
implemented
or
prepared
80
of
it
and
they're
waiting
for
us
to
break
something
right.
Like
you
kind
of
eluded,
you
know
they
don't
want
to
do
a
full,
so
I
wonder
for
their
sake.
If
we
make
this,
you
know
breaking
change.
Can
we
make
sure
it's
very
much
noted
right
for
those
folks,
that'd
probably
be
the
best
political
move
for
us.
I
Yeah
I
totally
agree
with
that.
We
have
to
be
transparent
and
try
to
make
sure
people
are
aware.
I
mean
there
really
is.
If
somebody
is
working
implementation,
they
are
going
to
wait
for
one
zero
to
be
out
really
final
to
say.
Okay,
now
we
can
read
as
a
code
and
if
they
have
one
parameter
name
to
change.
It's
you
know
it's
not
going
to
take
them
weeks
to
to
fix
their
code
right
so
again,
I
mean
I,
it's
a
very
minor
change,
even
though
it
breaks
their
code.
I
C
I
C
I
C
Yeah
I
think
that
makes
sense.
My
my
inclination
would
be
to
keep
the
external
and
say
internal,
because
it
kind
of
trusted
raises
the
question
of
like
what's
trusted.
What's
not,
although
we
do
talk
about
that
later,
it
seems
like
external
has
resonated
with
people
and
that's
what
has
gotten
the
most
review,
so
my
inclination
would
be
to
mirror
that.
I
A
C
C
I
propose
that
we
make
this
change,
send
out
the
pull
request
today
and
then
do
maybe
like
reach
out
to
I.
Did
I
did
a
code
search,
I
posted
in
the
meeting
notes.
It
looks
like
there's
a
couple:
implementations
against
rc1
I
I
propose
that
we
make
this
change
even
though
it's
past
the
arc
period,
because
we
have
like
enough
folks
in
this
room
that
think
it's
worth
a
while
any
objections.
K
G
Yeah,
absolutely
so,
as
somebody
who's
used
specs
in
the
past
right,
we
all
have,
if
I,
if
I,
if
I
touch
a
spec
or
if
I'm,
looking
at
these
RCS
and
I'm,
saying
okay,
I'm
raring
to
go,
I'm
wearing
to
go
and
I'm
prepping
all
my
whole
systems,
I'm
prepping
everything
forward
and
all
of
a
sudden
I
get
hit
with
a
change
after
V1
comes
out
and
I've
done.
All
this
work
to
prep
and
I
get
hit
with
this
kind
of
change.
G
I
got
to
go
back
then,
and
do
something
else
I'm
going
to
say
you
know
what
throw
my
hands
up,
especially
when
I'm,
in
a
situation
where
I'm
like
I,
throw
my
hands
up,
find
something
that's
a
little
bit
more
stable.
If
we,
if
we
do
things
that
that
too
late,
if
we
don't,
if
we
I
believe
we
should
just
do
this
now
and
somebody
said
to
tear
the
Band-Aid,
do
it
now
because
to
do
it
later
on,
you
could
potentially
run
into
a
situation
where
you
somebody's
gonna
say
well.
G
C
I
C
F
F
I
Reduce
one
zero:
this
is
as
light
as
you
know,
highlighted
clearly
as
it
was
before,
because
we
don't
want
people
to
you
know
not
notice
it.
We
publish
one
zero,
they
go
out
with
their
code
and
then
they
realize
somewhere
down
the
line.
It's
not
compatible
with
other
software,
because
we
have
actually
made
a
change.
They
didn't
realize
we
had
in
one
zero,
that's
their
real
real
danger.
G
C
I
I'm
wondering
whether
we
should
put
a
note
in
the
rc2
spec,
that's
already
published,
the
warning
kind
of
thing
say:
watch
out
this
is
about
to
change.
So
if
somebody
is
actually
going
to
rc2
today
and
they're
they're
at
least
they
would
have
a
heads
up,
you
know
I
mean
we
have
the
advantages
we
have.
The
control
of
the
document
might
as
well.
I
Yeah
I
I
actually
don't
know
if
I
posted
to
the
public,
Channel
I
talked
to
several
people
in
differences,
so
I
apologize,
I
lost
track
where
I
said
what
but
I
mean
I
know
what
it
is,
the
the
what
I
know.
So
let
me
make
sure
everybody
knows
so,
since
the
target
date
is
April
19th
and
we
have
a
two-week
period
between
rc2
and
the
release
of
the
approved
spec
one
zero,
it
will
be
actually
April.
I
18Th
will
be
two
weeks
exactly
after,
and
so
we
have
a
meeting
on
April
17th,
so
I
figured
well.
We
can,
you
know,
make
it
a
decision
on
the
17th
during
a
call
that
you
know.
Assuming
you
know,
the
sky
doesn't
fall
between
the
the
day
and
the
next
day
we
will
publish
the
1-0
on
April,
18th
and
then
there's
a
open.
I
Ssf
is
geared
up
to
publish
a
press
release
on
the
19th,
and
so
that
would
work
well
for
them
because
they
can
schedule
the
press
release
and-
and
you
know
we
can
just
say
yep.
It's
out-
we
have
a
short
period
between
the
press
release
and
the
actual
publication
publication
coming
the
night
before
essentially,
and
so
we
just
have
to
agree
on
the
17th
yeah.
If
nothing
wrong
happens
within
24
hours
in
24
hours,
we
publish
one
zero
and
assuming
that
nobody
comes
out
of
the
woodwork
and
say.
I
I
C
I
And
by
the
way,
I
think
it
might
be
worth
mentioning
to
people.
That,
technically
is
the
you
know
in
the
repo
we've
been
working
on
one
zero,
keeping
the
one
zero
directory
as
the
draft,
and
so
that
will
then
become
the
approved
spec
of
C1
and
I'll
see
two
being
parallel
directories
in
the
repositories,
so
those
will
be
retired
and
they
will
be
mocked
as
retired,
but
so
the
one
zero
will
become
the
approved
spec.
E
There's
a
big
variation
between
an
insecure
system,
right
system
where
somebody
is
running
some
build
system
and
every
node
has
you
know,
root
and
query
as
its
username
and
password
and
everyone
in
the
company
can
get
in
versus
one.
That's
handled
very
well
from
a
security,
an
operational
security
standpoint
and
the
salsa
dot.
One
had
things
like
the
common
rules
at
level.
Four
now
I
know
the
news.
E
Also
spec
with
the
build
levels
doesn't
have
level
four,
it's
one
of
those
things
you're
talking
about
in
the
future,
but
when
you
looked
at
it
before
it
took
that
build
security
into
account
and
made
it
something
that
people
could
see
at
a
glance
and
that's
one
of
those
things
that
I
realize
everybody
looks
for
badges
at
a
glance
right
when
I
go
and
I
do
something
with
go,
I
can
go
see
the
go
report
card.
What
level?
What
grade?
Did
it
get
right,
a
little
bit
of
a
gamification
there?
E
E
You
have
no
idea
you're,
just
guessing
at
the
quality
of
the
company
and
being
able
to
to
learn
some
of
this
show
it
off,
and
so
the
issue
that
I
filed
was
to
add
kind
of
a
build
systems
track.
It
was
my
first
shot
at
an
idea
of
trying
to
provide
something
here
as
a
getting
started
and
I
wanted
to
show
up
and
just
first
see
if
you
understand,
where
I'm
coming
from
and
what
you
all
think
about
this.
E
F
C
E
I,
don't
think
that
it
is
so
much
a
blocker
I
I
would
like
to
see
it
noted
in
the
future
Direction
and
when
you
go
out
with
your
announcement,
I
think
explaining
you
know
that
we
took
this
highest
level
that
had
some
kind
of
nebulous
parts
to
it
and
we
didn't
get
broad
agreement
on
it.
So
that's
coming,
but
we
wanted
to
get
something
out.
First,
we're
pushing
this
off
to
the
future.
E
E
They
said,
we've
got
level
four
nailed
and
now
you're
saying
we
don't
have
level
four
anymore
and
I
think
providing
an
explanation
of
what's
going
on
and
the
direction
around
that
space
would
be
useful
for
those
folks
who
were
both
looking
for
it
and
producing
it
already,
because
you've
now
taken
that
away
and
so
that
that's
kind
of
there,
but
because
it
was
at
that
level.
Four
you
put
into
future
work,
I,
don't
think
it's
a
blocker,
because
it's
fits
into
that
now.
E
I
would
like
to
see
level
four
get
worked
out
because
I
think
that's
going
to
be
a
nice
level
of
Separation
and
and
I,
like
both
the
gamification
of
it,
of
getting
people
to
build
more
secure
things
and,
and
people
being
able
to
see
that
so
I'd
like
to
see
us
get
there,
but
I
don't
see
it
as
a
blocker.
If
that
makes
sense,.
J
So
yeah
I
think
so.
I
have
a
couple
of
questions
for
you,
but
I
also
wanted
to
just
kind
of
throw
some
stuff
out
there,
because
I
think
one
of
one
of
the
reasons
why
we
had
a
removed
level.
Four
and
some
of
the
specific
things
around
common
requirements
was
around
it
being
unclear
exactly
because
I
know
a
lot
of
folks
were
cleaning,
for
example,
level,
four
and
they're
right
up
so
you're
like
well.
J
When
you
start
to
look
at
a
build
service
and
all
of
its
complexities,
it's
a
little
bit
more
difficult
to
sort
of
you
know
it
requires
a
significant
amount
of
data
around
you
know.
How
are
you
configuring?
The
build
system,
how
have
you
secured
it?
You
know
what
is
the
infrastructure
you're
running
on?
J
You
know
who
who
has
authorization
for
that
infrastructure
and
so
on,
and
that's
kind
of
where
some
of
the
stuff
that
we've
been
doing
with
stuff,
like
the
the
salsa
conformance
program
as
well
kind
of
come
in
so
I
think
to
throw
something
back
to
you.
It's
I
think
we'd
be
interested
to
know
like
what
sorts
of
things
would
you
want
to
see
in
that
sort
of
gamification
that
that
somebody
could
you
know
and
and
who
would
be
the
one
let's
say
attesting
to
that
right?
J
E
E
The
The
Branding
and
prominence
worldwide,
like
common
criteria,
is
fairly
popular
in
certain
circles
in
Europe,
but
it
doesn't
have
the
whole
worldwide
thing,
and
so
some
of
it's
been
worked
out
and
I
would
probably
look
to
those
to
see
what
they
have
done
and
both
to
agree
and
disagree
with
what
they've
got
already
but
I
like
the
idea
of
having
a
conformance
program
and
things
like
that,
because
you've
got
to
look
at
how
do
you
you
know:
do
two
people
always
have
to
access
the
cage?
Do
you
have
processes
in
place
like
that?
E
How
do
you
track
the
changes
that
happen
to
your
build
system?
There's
a
whole
lot
that
goes
into
it,
and
that's
probably
Way
Beyond.
What
we'll
talk
about
here,
but
yes,
you're,
absolutely
right
actually
getting
into
the
details
of
what
does
that
mean?
Is
hard
and
I
only
really
know
how
hard
it
is,
because
at
suso
we've
had
to
meet
all
of
that
to
meet
common
criteria
for
plus
and
to
get
there.
E
J
B
Yeah
I
just
wanted
to
add
thanks
thanks
for
raising
your
concerns.
This
is
this
is
precisely
the
stuff
that
we
need
to
know
so
so
appreciate
it.
I
just
wanted
to
Second
the
points
raised
earlier
that,
yes,
not
everything
here
is
going
to
be
easily
cryptographically.
Verifiable
right
in
total
can
help
to
some
extent
of
that,
but
you
you
that's,
that's
probably
why
we
came
up
with
the
idea
of
a
conformance
program.
B
B
I
think
well,
it's
important
to
check
Bill
security.
This
is
precisely
the
sort
of
thing
that
in
Toto
is
supposed
to
help
with
in
the
first
place.
Is
that
to
a
very
large
extent
not
strictly
to
true,
but
to
a
very
large
extent,
you
can
get
away
with
not
fully
trusting
the
bill
service
in
the
first
place,
because
you
can
always
verify
it
to
some
extent,
not
completely
true.
If
you
don't
have
things
like
reproducible
bills,
it's
going
to
be
hard
to
double
check
whether
the
build
is
correct.
B
E
Yes,
and
so,
reproducible
builds
makes
a
a
big
difference
there,
because
you're
going
to
have
different
build
systems
by
different
organizations
for
most
things
in
open
source,
though
you're
not
going
to
end
up
with
that,
because
you're
not
going
to
have
multiple
bills,
I'm
not
going
to
take
a
cncf
project
over
here
and
say:
okay,
we've
got
it
in
two
build
systems.
You
can
trust.
Both
build
systems
haven't
been
compromised.
Look
they've
got
the
same
hatch
you're
not
going
to
end
up
with
that
kind
of
of
facility
there,
and
so
you
know.
E
Part
of
this
is
also
what's
practically
going
to
happen,
and
how
do
you
communicate
it
with
people,
because
it's
great
to
have
like
an
organization
come
in
vet,
your
build
system
processes
and
all
of
this
and
maybe
attest
to
it
in
a
way
that
can
be
grabbed.
But
then
now
you've
got
something:
that's
not
really
easily
human
partsable.
You
can't
see
it
as
a
glance
and
that's
another
characteristic
of
all
of
this
of
how
do
you
communicate
this,
because
so
there's
the
security
and
the
usability
that
I'd
like
to
see
taken
into
account.
B
Exactly
thanks
before
I'll
just
make
a
quick
point
before
before
I
pass
the
mic
to
Mark.
Yes,
I'm
glad
you,
you
spell
spelled
out
explicitly
something:
I
was
thinking
about,
but
I
think
I
think
everyone
thinks
about
it.
But
nobody
really
says
it
out
loud.
I
think
I
think
the
bill
security
being
being
able
to
measure
your
build
security.
Somehow
is
a
very
nice
way.
B
E
The
only
thing
I
can
do
is
a
minor
addendum,
which
is
to
note
something
into
the
future
section.
So
that
way,
you
communicate
that
it
hasn't
been
dropped,
but
it
is
something
we're
considering
moving
forward
just
as
part
of
the
communications,
beyond
that,
if
I
had
something
simpler,
I
probably
would
have
filed
and
issue
the
idea
and
I
haven't
come
up
with
anything
simpler
when
somebody
else
has
one
I
would
love
to
hear
it.
Just
in
my
own,
creative
abilities
just
didn't
come
up
with
anything.
K
C
I
think
I
think
someone
else
also
brought
up
a
similar
thing,
and
we've
talked
in
previous
meetings
about
that.
It's
we
kind
of
have
this
conflict
of.
We
want
to
Define
like
the
stable
parts
of
the
spec
of
like
here's,
the
requirements
that
we
don't
think
they're
going
to
change
and
we're
kind
of
confident
that
when
we
say
this
means
salsa
build
level
three
that
like
that
will
continue
in
the
future.
But
we
also
want
to
give
an
indication
of
here's
a
bunch
of
things
that
are
good
to
do.
C
I
E
Yeah
and
and
the
other
side
is
the
consumers
in
the
build
systems
right
so
I
was
thinking
of
both
the
producers
and
the
consumers
of
the
system.
You
need
to
communicate
to
the
consumers.
What's
going
on
we're
trying
to
kind
of
push
the
builders
and
operators
of
those
systems
to
improve
their
security,
also
convey
to
the
consumers
of
those
systems
where
they're
at
in
an
easy
to
do
manner.
That's
why
I
came
up
with
the
idea
of
a
build
systems.
E
Levels
I
was
building
on
your
idea
of
levels
and
you
did
the
build
levels,
and
then
you
talked
about
the.
What
was
it
Source
levels
coming
in
the
future
or
some
kind
of
source
track
and
I
thought
you
know
build
systems
is
another
area
you
could
also.
You
know,
trackify,
so
to
speak
with
levels
that
communicate
to
end
users
and
criteria
at
those
levels
which
would
kind
of
entice
people
who
build
and
operate
those
systems
to
meet
that
and
then
convey
that
in
in
a
very
easy
to
see
manner.
C
And,
and
so
it's
a
specific
recommendation
here
is
to
note
at
least
on
the
future
directions.
I
don't
know
if
okay,
maybe
Elsewhere
on
the
site,
like
the
requirements
page
or
the
verifying
systems
page,
but
at
least
on
the
future
directions
page
this,
and
also
in
the
the
what's
new,
which
I'm
writing
now
and
the
announcement.
E
I'm
the
kind
of
person
if
I
propose
something
I'm
willing
to
write
for
it,
but
I
also
probably
don't
know
all
the
right
places
to
write
it.
So
if
somebody
else
has
a
better
idea,
I'm
more
than
happy
to
do
it
I
fear.
If
I
did
it
even
if
I
wrote
it
today,
the
back
and
forth
might
go
beyond
Wednesday,
because
somebody
pointing
out
someplace
else
I
need
to
do
something,
but
I
am
willing
to
do
it.
If
nobody
else
is
up
for
it.
C
I'd
be
fine,
adding
something
there.
You
know
like
another
track
page
and
if
we
just
start
there,
that's
at
least
noting
that
these
are
the
types
of
things
that
that
we're
thinking
about
like
what
we
don't
yet
know
how
we
would
make
a
track
or
even
if
we
would
necessarily
have
a
track
for
this.
But
these
are
the
types
of
things
that
we
would
think
about
and
then
maybe
point
to
the
verifying
systems
page
to
talk
about,
like
you
know
the
the
approach
to
looking
at
that.
E
C
I
No
no
I
mean
this
is
future
I
mean
it
was
just
it's
indicative.
It's
informative
at
this
point.
It's
not
even
nobody's
part
of
the
specs.
So
let's
see
we
can't
say
whatever
I
I
should
be
careful.
You
know,
as
always,
for
this
kind
of
stuff.
We
don't
want
to
commit
to
anything.
So
we
it
really
has
to
be
worded
into
hey.
This
is
the
kind
of
things
we
are
thinking
about.
You
know,
but
this
is
what
I
think
is
intended.
So
I
I
think
that's
that's
cool
good.
J
If
folks
have
thoughts
around
like
is
rules
around
the
requirements
for
the
build
spec.
Do
we
want
to
mostly
like
there's
a
lot
of
there's
a
lot
of
content
out
there
already
on
that
right
like
when
it
comes
to,
let's
say
the
the
build
Providence
right,
there's,
not
a
lot
of
content
outside
of
salsa
on
that
kind
of
really
focused
on
that
piece,
but
when
it
comes
to
sort
of
secure,
build
infrastructure,
there
is
stuff.
E
So
I
I
I'll
jump
on
this
I
think
it
does
warrant
a
separate
set
of
requirements
because
salsa,
like
a
couple
of
others,
does
one
thing
really:
well:
they
gamified
at
a
glance
right
which
pushes
people
to
try
for
higher
levels
more
levels
to
improve
on
it.
Reading
the
you
know,
cncf
paper
on
this,
it's
wonderful!
How
do
I
know
if
anybody's
done
it?
E
That's
great
for
operators
of
it,
but
if
you're
a
consumer
trying
to
figure
out
how
an
operator
is
doing,
it's
I
sort
of
trust,
you
I
hope
and
if
there's
a
way
to
communicate
and
convey
some
of
this
I
think
it
would
be
great
and
I
know.
There's
some
other
specifications
out
there
that
do
some
of
this,
but
they're
more
Niche
and
a
lot
of
people.
Don't
know
about
them,
which
is
an
opportunity
for
salsa.
C
Is
always
great
to
have
a
someone
who
shows
up
to
the
first
meeting
kick
off
like
a
pretty
solid
half-hour
discussion,
so
thanks
a
lot
all
the
better
to
promise
to
send
a
PR
all
right,
I
think
we're
out
of
time.
Thank
thanks.
Everyone
for
joining
as,
as
always
I
appreciate
everyone
contributing,
and
we
will
again
please
look
out
for
pull
requests.
We
had
mentioned
as
a
reminder
up
in
the
meeting.