►
From YouTube: SLSA Specifications Meeting (April 10, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
A
I
I,
don't
know
what
type
specifically
it's
my
friend's
cat,
but
yeah
he's
long,
hair
kind
of
annoying
because
it's
shedding
all
over
the
place
all
the
time.
But.
B
C
Looks
like
we
haven't
had
a
trickle
and
people
in
for
the
last
minute,
so
we
could
I
think
we
should
get
started.
Welcome
everyone
good
to
see
you
all
again.
As
a
reminder,
please
register
your
attendance
in
the
meeting
at
stock,
which
are
just
paste
in
a
chat
or,
as
always,
you
go
to
salsa.dev.
Slash
notes
for
like
also
a
reminder
to
follow
the
salsa
Frameworks
code
of
conduct,
which
and
there's
a
link
in
the
in
the
meeting
notes
for
that.
E
Thank
you,
hello.
My
name
is
Matt
Farina
I'm
interested
in
some
of
the
latest
changes
in
the
salsa
spec
that
everyone
seemed
to
learn
about
in
the
last
week.
C
I
think
that's
looking
at
the
list.
I
think
that's
everybody.
So,
as
always,
if
you
have
any
agenda
items,
please
go
ahead
and
add
them
to
to
the
meeting
notes.
C
I
put
a
couple:
pull
requests
that
I
to
highlight
for
a
review
they're,
basically
last
minute
changes
for
the
spec,
but
then
I
think
are
worth
Cons
considering,
but
that
really
do
need
some
Community
feedback.
The
first
one
is
pull
request
810.
These
are
all
Linked
In.
C
The
meeting
notes
Andrew
has
put
together
a
pull
request
to
so
I
unify
on
the
term
build
platform,
because
previously,
we
kind
of
say
sometimes,
let's
say
platform,
sometimes
we
say
system,
sometimes
we
say
service,
which
has
led
to
a
lot
of
confusion.
We've
had
a
lot
of
feedback
about
that
in
I
I,
in
my
opinion,
I
think
it
helps
a
lot
the,
but
it's
able
to
get
feedback
on
on
whether
that
makes
sense
and
in
particular
the
one
biggest
change.
C
It's
a
terminology
change,
but
we're
renaming
the
One
requirement
from
build
service
to
hosted
because
basically
we're
just
eliminating
service.
So
it's
like
one
fewer
term
to
have
to
Define
I,
guess
I'll.
Just
briefly
mention
these
three
things
and
see:
if
anyone
else
has
anything
and
then
we
can
discuss
as
needed,
or
else
people
could
just
comment
on
on
there,
the
the
issue-
I,
guess
I
guess
in
case
it's
health
I-
think
most
people
have
that
meeting
until
then.
So
you
can
see
what
I'm
we're
talking
about.
C
The
other
one
is
which
came
up
during
that
pull
request
is
in
the
provenance
schema.
We
currently
have
a
field
called
system
parameters,
We
call.
We
have
an
external
parameters
and
system
parameters,
because
that
pull
request
is
basically
eliminating
the
word
system.
That's
how
we
kind
of
noticed
this.
C
The
question
is:
should
we
rename
it
to
internal
parameters
or
perhaps
trusted
parameters
or
something
else
to
a
eliminate?
The
word
system
and
and
B
have
a
comparison
to
external
that
way.
There's
external
parameters
and
internal
parameters
it
it's
so
far,
like
I,
think
Andrew,
Tom
and
I
have
mentioned
that
have
said
it
seems
valuable.
C
But
the
question
is
like
how
this
agrees
with
our
release
candidate
process.
Like
can
we
make
such
a
change
this
late
in
the
game
and
the
Third
change
is
pull
request.
816
around
kind
of
explain
the
need
to
define
a
security
model
for
a
build
platform.
F
C
Kind
of
implicit
in
how
you
generate
provenance,
but
it's
adding
text
to
actually
explicitly
say
you
know
you
define
something
external
internal,
Etc,
I
think
those
are
the
three
outstanding
ones
that
are
worth
discussing.
Andrew.
H
Yeah
I
I
think
that
that
that's
accurate,
the
one
about
the
build
platform
is
a
gigantic
PR
and
I
do
apologize
for
that.
There's
not
really
a
better
way
to
make
that
big
of
a
change
so
but
but
I
think
Mark
did
a
good
job
of
catching
the
things
that
I
didn't
catch,
which
were
also
outside
of
the
scope
of
the
changes.
H
So
I
think
that
at
this
point
in
time,
I
feel
reasonably
comfortable
that
that
we
can
just
keep
it
to
the
the
parts
that
are
changed.
We
don't
have
to
do
too
much
investigation
outside
and
in
that
I
did
also
add
something
to
the
FAQ,
so
that
readers
would
be
aware
of
our
unification
on
the
concept
of
a
platform.
A
I
was
going
to
comment.
You
know,
based
on
kind
of
your
prompt
Mark
right
around.
Like
does
this
line
up
with
a
release
candidate?
Do
we
need
to
essentially
wait,
which
seems
odd?
You
know
if
this
is
an
improvement
unless
it's
like
truly
breaking
the
release
candidate
process
I
mean,
wouldn't
we
naturally
just
merge
these
PRS
in
anyway,
after
we're
at
1.0.
A
So
it's
just
interesting
extra
question
to
put
out
there.
I
bet
Arno
have
a
comment
on
that.
I
Yeah
I
do
I
mean
I
think
if
it's
just
terminology,
we
can
kind
of
say
hey
it's
just
you
know
you
call
one
thing
for
another,
but
funnily
we're
not
changing
the
requirements.
I
think
we
could
get
away
with
it.
We
just
you
know,
like
I,
said
changing
terminology.
If
you,
if
you
implement
it,
thinking,
hey
I'm,
doing
a
you
know,
build
service,
and
now
we
say
no,
we
call
it
build
platform.
It
really
doesn't
change.
What
you're
doing
your
implementation
would
be
exactly
the
same.
I
A
Yeah
and
just
to
jump
in
sorry
to
not
have
my
hand
raised,
but
you
know
within
the
dialogue
you
know
it
might
be
the
best
time
ever.
If
we're
changing
this,
you
know
terminology
to
do
it
before
it's
1.0,
because
it
might
be
more
of
a
rug
pull
if
we
do
it
later
so.
H
And
to
me,
I
I
also
hear
what
what
Arno
is
saying
about:
it's
just
terminology
and
that
being
applicable
for
eight
one,
five
as
well,
because
nobody
would
ideally
or
probably
nobody
would
have
done
any
implementation
towards
the
provenance
specification
V1
and
so
there's
nothing,
that's
being
changed.
It's
just
a
modification
in
the
key.
So
to
me,
I
feel
like
that
falls
in
the
same
justification.
H
I
If
you
have
right,
if
you
have
an
implementation
where
today
it
reads
system
parameters,
we
change
this,
you
have
to
change
your
code
by
definition,
this
cannot
be
considered
a
tutorial
now
I
mean
we
can
pinch
our
nodes
and
claim
that
hey
this
is
purely
editorial,
and
it
really
is,
you
know
you
might
be
right,
there's
no,
maybe
there's
no
implementation
working
to
actually
break
and
nobody's
going
to
come
and
sue
us,
but
you
know
if
we
want
to
be
strict
with
the
process.
This
is
clearly
not
a
tutorial
in
nature.
C
I
I
guess
yeah
I,
agree.
I
agree,
that's
not
editorial.
On
the
other
hand,
if
we
had
something
that
we
like,
if.
C
Should
we,
and
also
in
terms
of
the
governance
I,
don't
I,
guess
it
depends
on
how
you
interpret
the
DOT.
It's
the
the
government
stock.
Isn't
super
specific.
It
says
that
we
need
to
send
out
a
release
candidate
or
a
candidate
for
an
approved
specification
to
get
approval.
C
I
think
it
was
it's
almost
kind
of
written
in
in
the
model
of
like
you.
Do
one
draft
get
that
approved
and
then
that
thing
doesn't
get
touched
until
like
the
next
version
in
a
year
or
two
and
there's
absolutely
no
changes
in
between
so.
I
Let
me
let
me
talk
a
little
bit
more
about
the
the
from
the
governance.
The
the
community
specification
license
framework
point
of
view.
The
two-week
period
right
has
to
do
with
intellectual
property,
and
so,
from
that
point
of
view,
I,
don't
think,
there's
a
difference.
You
know
if
you
color
I
mean
technique,
I
mean
I
and
you
know
take
all
of
this
kind
of
sort.
I
Another
lawyer
I,
don't
claim
to
be
right,
but
I
have
spent
a
lot
of
time
on
these
kind
of
issues,
but
the
policies
and
whatnot
so
I
I
am
at
least
an
educated
engineer
on
that
front
and
my
understanding
of
what
this
is
about
is
you
know
if
somebody
had
some
patent,
you
know
that
would
read
on
the
spec
on
this
particular
feature
and
we
are
changing
it
now.
You
know
we're
infringing
on
some
patterns
different
than
others.
I
It
may
it
may
have
some
legal
implication
with
regard
to
licensing
commitment
made
by
contributors
and
so
on,
so
I'm
not
going
to
get
into
more
details,
but
this
is
essentially
what
this
kind
of
stuff
hinges
on
in
this
case,
I
would
think
you
know
it's
pretty
clear
that
you
know
changing
the
name
of
parameter
is
not
going
to
make
you
infringe
on
a
patent
more
than
than
other
or
anything
like
this.
So
there
is
no
impact
from
that
point
of
view.
I
think
you
know
that's
pretty
clear
I,
you
know
I
can't
imagine.
A
F
I
think
that
our
options
are
don't
change
it
now
and
have
a
lot
of
pain
in
a
year
versus
change.
It
now
and
wait
another
x
amount
of
time
or
just
do
it
now.
So
those
are
the
three
options
that
I
see.
C
I
yeah,
my
kind
of
feeling
is
I'm,
not
sure
unless
we're
making
a
bunch
of
other
breaking
changes
later.
I,
don't
think
I
would
rise
this
to
do
a
breaking
change
for
this
to
be
the
only
one,
so
it's
it
might
be
like
either
we
do
this
now
or
we
just
live
with
the
current
name.
I'm
sorry
I
know
you're
about
to
say
something.
I
No
but
you're
right,
I
agree
with
that.
I
mean
just
to
be
clear.
I
agree
with
you,
you
know
what
it
was
just
said
that
the
the
cleanest
option,
if
we
really
want
to
play
by
the
book
and
have
no
issue,
is
to
have
an
rc3
and
we
could
have
it
today,
lend
the
PRS
and
say:
okay,
all
C3
wait
two
weeks
and
have
their
prospective.
I
You
know
in
reality,
as
I
I,
you
know
I'm
fairly,
pragmatic
guy,
I'm,
not
religious,
but
this
kind
of
stuff
and
again
I,
don't
think
anybody's
going
to
come
and
show
us
I
mean
not
literally,
but
even
like.
You
know,
intellectually,
so,
I'm.
Okay,
if
we
said
hey
it's
not
completely
by
the
book,
but
it's
and
I
agree
that
you
know
it's
better
to
fix
it
now
than
afterward
zero.
There's,
no
doubt
I
think
nobody
is
going
to
argue
against
that.
So.
B
Yeah,
it's
just
going
to
add
that
pulling
the
Band-Aid
now
so
to
speak
is
probably
the
best
option.
Having
said
that,
I
I
also
want
to
raise
Aaron's
question
here
in
case
in
case
it
wasn't
already.
Is
anyone
aware
of
an
implementation
based
on
rc2.
J
So
I'm
not
aware
of
anybody,
who's,
implementing
and
I.
Think
there's
a
few
folks
who
posted
in
there
about
no
limitation
I
know
that
a
lot
of
Open
Source
projects
are
trying
to
see
like.
When
is
this
thing
more
or
less
finished
so
that
we
could
start?
You
know
doing
that
work
I
know
some
folks
have
been.
You
know
looking
at
you
know,
V
1.0
of
of
the
Providence
spec
and
some
other
things.
J
You
know,
there's
some
build
tools
that
are
trying
to
keep
track
of
of
what's
going
on.
They
want
to
know
when,
when
it's
done
so
that
they
can,
you
know,
I
would
say
finish.
Implementing
I
know
that
some
folks
are
like
they're.
Not
you
know
they
don't
plan
to
release
an
implementation
of
of
any
of
the
RCs.
They
just
plan
to
say
hey
if
this
is
more
to
less
what
it's
going
to
look
like.
Let's
start
the
work
now
so
that
we're
you
know
ready
around
the
time.
1.0
officially
releases.
A
And
I
was
going
to
jump
in
like
I.
Think
that's
a
really
good
point
right
like
maybe
this
is
like
a
80
20
rule
where
they've
already
implemented
or
prepared
80
of
it
and
they're
waiting
for
us
to
break
something
right.
Like
you
kind
of
eluded,
you
know
they
don't
want
to
do
a
full,
so
I
wonder
for
their
sake.
If
we
make
this,
you
know
breaking
change.
Can
we
make
sure
it's
very
much
noted
right
for
those
folks,
that'd
probably
be
the
best
political
move
for
us.
I
Yeah
I
totally
agree
with
that.
We
have
to
be
transparent
and
try
to
make
sure
people
are
aware.
I
mean
there
really
is.
If
somebody
is
working
implementation,
they
are
going
to
wait
for
one
zero
to
be
out
really
final
to
say.
Okay,
now
we
can
read
as
a
code
and
if
they
have
one
parameter
name
to
change.
It's
you
know
it's
not
going
to
take
them
weeks
to
to
fix
their
code
right
so
again,
I
mean
I,
it's
a
very
minor
change,
even
though
it
breaks
their
code.
I
C
I
guess
let
me
ask
because
one
thing
we
didn't
explicitly
talk
about.
Do
folks
think
this
is
a
good
change
right,
because,
like
all
this
is
is
assuming
that
it
is
like
a
pretty
big
Improvement.
I
just
want
to
make
sure
that
there
is
consensus
that
it
actually
isn't
a
worthwhile
Improvement.
I
C
I
K
C
Yeah
I
think
that
makes
sense.
My
my
inclination
would
be
to
keep
the
external
and
say
internal,
because
it
kind
of
trusted
raises
the
question
of
like
what's
trusted.
What's
not,
although
we
do
talk
about
that
later,
it
seems
like
external
has
resonated
with
people
and
that's
what
has
gotten
the
most
review,
so
my
inclination
would
be
to
mirror
that.
I
A
Just
to
throw
a
verbal
comment:
I
kind
of
Bend
towards
the
internal
external,
because
it's
more
of
like
a
fact-based
attribute,
because
trust
is
a
little
tricky
to
to
Define
his
posts.
So.
C
Okay,
that
sounds
good
sounds
like
no
one
was
in
favor
trusted
untrusted.
Okay,
so
is
it
sounds
like
doing
it
now?
No
one
has
strong
objections
to
it.
Actually,.
C
I
propose
that
we
make
this
change,
send
out
the
pull
request
today
and
then
do
maybe
like
reach
out
to
I.
Did
I
did
a
code
search,
I
posted
in
the
meeting
notes.
It
looks
like
there's
a
couple:
implementations
against
rc1
I
I
propose
that
we
make
this
change
even
though
it's
past
the
arc
period,
because
we
have
like
enough
folks
in
this
room
that
think
it's
worth
a
while
any
objections.
K
Oh
Chris
I
see
that
Jay
White
noted
in
the
chat
fear
that
there
will
be
a
loss
of
trust
in
the
spec.
If
we
don't
act
fast
enough,
I
was
wondering
if
they
wanted
to
to
speak
to
that.
G
Yeah,
absolutely
so,
as
somebody
who's
used
specs
in
the
past
right,
we
all
have,
if
I,
if
I,
if
I
touch
a
spec
or
if
I'm,
looking
at
these
RCS
and
I'm,
saying
okay,
I'm
raring
to
go,
I'm
wearing
to
go
and
I'm
prepping
all
my
whole
systems,
I'm
prepping
everything
forward
and
all
of
a
sudden
I
get
hit
with
a
change
after
V1
comes
out
and
I've
done.
All
this
work
to
prep
and
I
get
hit
with
this
kind
of
change.
G
I
got
to
go
back
then,
and
do
something
else
I'm
going
to
say
you
know
what
throw
my
hands
up,
especially
when
I'm,
in
a
situation
where
I'm
like
I,
throw
my
hands
up,
find
something
that's
a
little
bit
more
stable.
If
we,
if
we
do
things
that
that
too
late,
if
we
don't,
if
we
I
believe
we
should
just
do
this
now
and
somebody
said
to
tear
the
Band-Aid,
do
it
now
because
to
do
it
later
on,
you
could
potentially
run
into
a
situation
where
you
somebody's
gonna
say
well.
G
C
Okay,
great
thanks,
okay,
well
make
the
change
now.
If,
if
anyone
wants
to
volunteer
to
do
it,
just
I
think
just
go
ahead
and
take
that
issue,
if
not
I
will
as
a
fallback
but.
C
Else
please
go
right
ahead,
and
so
the
changes
I
think
would
be
to
change
both
the
salsa
repo.
We
also
have
the
two
example.
C
Build
type
definitions,
so
it
would
be
to
change
those
as
well
and
if
it
might
be
worthwhile
to
reach
out
to
a
couple
folks
like
I
know,
for
example,
npm,
oh
actually,
I
think
npm
has
been
working
on
salsa
provenance,
tooling,
but
I
don't
think
they
started
with
1.0
yet
anyway,
so
that
they
shouldn't
change.
C
C
Can't
do
one
pull
request
that
touches
multiple
repos
but
I
think
those
are
like
the
biggest
users
and
I
think
that
they're
fine
changing
knowing
that
change.
F
F
I
Reduce
one
zero:
this
is
as
light
as
you
know,
highlighted
clearly
as
it
was
before,
because
we
don't
want
people
to
you
know
not
notice
it.
We
publish
one
zero,
they
go
out
with
their
code
and
then
they
realize
somewhere
down
the
line.
It's
not
compatible
with
other
software,
because
we
have
actually
made
a
change.
They
didn't
realize
we
had
in
one
zero,
that's
their
real
real
danger.
G
C
Sounds
good?
Okay,
any
more
topics
on
that
I
propose
that
we
discuss
on
the
GitHub
issue,
okay
and
so
in
terms
of
pull
request,
any
more
reviews
or
eyeballs
on
the
the
two
outstanding
poor,
because
we
have
8,
10
and
8
16
would
be
valuable
as
well.
I
I'm
wondering
whether
we
should
put
a
note
in
the
rc2
spec,
that's
already
published,
the
warning
kind
of
thing
say:
watch
out
this
is
about
to
change.
So
if
somebody
is
actually
going
to
rc2
today
and
they're
they're
at
least
they
would
have
a
heads
up,
you
know
I
mean
we
have
the
advantages
we
have.
The
control
of
the
document
might
as
well.
C
Okay,
in
in
other
news
in
the
1.0
release,
I'm
working
now
on
a
what's
new
page,
which
was
kind
of
a
long
outstanding
issue,
I'm
I'm,
basically
taking
the
release
candidate,
one
announcement
that
we
had
and
just
updating
it
with
changes
since
then,
and
just
kind
of
fixing
up
and
expanding
on
that
a
bit
and
so
I'm
hoping
to
send
that
out
today
or
tomorrow
morning.
I
Yeah
I
I
actually
don't
know
if
I
posted
to
the
public,
Channel
I
talked
to
several
people
in
differences,
so
I
apologize,
I
lost
track
where
I
said
what
but
I
mean
I
know
what
it
is,
the
the
what
I
know.
So
let
me
make
sure
everybody
knows
so,
since
the
target
date
is
April
19th
and
we
have
a
two-week
period
between
rc2
and
the
release
of
the
approved
spec
one
zero,
it
will
be
actually
April.
I
18Th
will
be
two
weeks
exactly
after,
and
so
we
have
a
meeting
on
April
17th,
so
I
figured
well.
We
can,
you
know,
make
it
a
decision
on
the
17th
during
a
call
that
you
know.
Assuming
you
know,
the
sky
doesn't
fall
between
the
the
day
and
the
next
day
we
will
publish
the
1-0
on
April,
18th
and
then
there's
a
open.
I
Ssf
is
geared
up
to
publish
a
press
release
on
the
19th,
and
so
that
would
work
well
for
them
because
they
can
schedule
the
press
release
and-
and
you
know
we
can
just
say
yep.
It's
out-
we
have
a
short
period
between
the
press
release
and
the
actual
publication
publication
coming
the
night
before
essentially,
and
so
we
just
have
to
agree
on
the
17th
yeah.
If
nothing
wrong
happens
within
24
hours
in
24
hours,
we
publish
one
zero
and
assuming
that
nobody
comes
out
of
the
woodwork
and
say.
I
I
C
Think
this
is
a
good
idea,
especially
since
all
the
other
ones
that
we've
done
have
taken
like
a
couple
days
to
get
through,
because
there's
just
like
the
lag
time
of
getting
approvals
and
reviews.
So
I
think
this
is
a
really
good
idea.
I
And
by
the
way,
I
think
it
might
be
worth
mentioning
to
people.
That,
technically
is
the
you
know
in
the
repo
we've
been
working
on
one
zero,
keeping
the
one
zero
directory
as
the
draft,
and
so
that
will
then
become
the
approved
spec
of
C1
and
I'll
see
two
being
parallel
directories
in
the
repositories,
so
those
will
be
retired
and
they
will
be
mocked
as
retired,
but
so
the
one
zero
will
become
the
approved
spec.
C
All
right
sounds
good
and
then
just
because
we
talk
about
every
meeting
at
some
point
in
the
future,
we'll
get
a
better
versioning
version
control
system,
that's
not
making
directory
copies.
C
E
This
is
my
first
time
coming
to
one
of
your
meetings
and
so,
as
it
may
happen,
sometime
somebody
crashes
with
something
that
caught
their
attention
or
a
concern
or
something
when
I
talk
about
and
that's
kind
of
one
of
those
things
that
I
have
here
today,
there
were
a
number
of
us
who've
likely
been
paying
attention
to
salsa
at
a
distance
and
knew
what
the
0.1
spec
entailed,
but
hadn't
been
paying
a
lot
of
attention
to
the
work
since
then,
and
some
of
the
changes
in
the
1.0
and
some
of
the
things
that
were
even
pulled
out
and
shifted
around
conceptually
caught
a
number
of
people
off
guard
I
was
one
of
them,
but
I
thought
hey.
E
Let
me
check
myself
before
I
come
to
you
guys
and
so
I
started
asking
around
with
a
number
of
folks
at
some
various
companies
who
deal
with
security
and
build
systems,
and
things
like
that
to
check
myself
before
I
came
and
started
posting
issues,
and
that's
what
led
me
ultimately
here
and
one
of
the
things
that
I
know
is
that
your
build
system
matters
a
lot
right.
E
There's
a
big
variation
between
an
insecure
system,
right
system
where
somebody
is
running
some
build
system
and
every
node
has
you
know,
root
and
query
as
its
username
and
password
and
everyone
in
the
company
can
get
in
versus
one.
That's
handled
very
well
from
a
security,
an
operational
security
standpoint
and
the
salsa
dot.
One
had
things
like
the
common
rules
at
level.
Four
now
I
know
the
news.
E
Also
spec
with
the
build
levels
doesn't
have
level
four,
it's
one
of
those
things
you're
talking
about
in
the
future,
but
when
you
looked
at
it
before
it
took
that
build
security
into
account
and
made
it
something
that
people
could
see
at
a
glance
and
that's
one
of
those
things
that
I
realize
everybody
looks
for
badges
at
a
glance
right
when
I
go
and
I
do
something
with
go,
I
can
go
see
the
go
report
card.
What
level?
What
grade?
Did
it
get
right,
a
little
bit
of
a
gamification
there?
E
E
You
have
no
idea
you're,
just
guessing
at
the
quality
of
the
company
and
being
able
to
to
learn
some
of
this
show
it
off,
and
so
the
issue
that
I
filed
was
to
add
kind
of
a
build
systems
track.
It
was
my
first
shot
at
an
idea
of
trying
to
provide
something
here
as
a
getting
started
and
I
wanted
to
show
up
and
just
first
see
if
you
understand,
where
I'm
coming
from
and
what
you
all
think
about
this.
E
F
C
This
is
I,
think
super
helpful
I
think
this
is
like
the
type
of
really
good
feedback
and
critical.
Look
that
that
we
need
a
first
question.
C
Do
you
think
this
is
something
that
we
can
add
later
or
does
it
make
1.0
like
unworkable,
because
the
the
basic
model
for
1.0
is
that
we're
trying
to
Define,
like
the
the
subset
of
0.1,
that
we
have
broad
agreement
on
and
that
is
stable
and
when
we
think
like
the
things
that
are
kind
of
both
necessary,
but
also
that
we
have
agreement
on
and
we
didn't
yet
have
agreement
on
any
of
like
those
the
common
pieces,
which
is
why
we
didn't
kind
of
include
it?
C
E
E
I,
don't
think
that
it
is
so
much
a
blocker
I
I
would
like
to
see
it
noted
in
the
future
Direction
and
when
you
go
out
with
your
announcement,
I
think
explaining
you
know
that
we
took
this
highest
level
that
had
some
kind
of
nebulous
parts
to
it
and
we
didn't
get
broad
agreement
on
it.
So
that's
coming,
but
we
wanted
to
get
something
out.
First,
we're
pushing
this
off
to
the
future.
E
E
They
said,
we've
got
level
four
nailed
and
now
you're
saying
we
don't
have
level
four
anymore
and
I
think
providing
an
explanation
of
what's
going
on
and
the
direction
around
that
space
would
be
useful
for
those
folks
who
were
both
looking
for
it
and
producing
it
already,
because
you've
now
taken
that
away
and
so
that
that's
kind
of
there,
but
because
it
was
at
that
level.
Four
you
put
into
future
work,
I,
don't
think
it's
a
blocker,
because
it's
fits
into
that
now.
E
I
would
like
to
see
level
four
get
worked
out
because
I
think
that's
going
to
be
a
nice
level
of
Separation
and
and
I,
like
both
the
gamification
of
it,
of
getting
people
to
build
more
secure
things
and,
and
people
being
able
to
see
that
so
I'd
like
to
see
us
get
there,
but
I
don't
see
it
as
a
blocker.
If
that
makes
sense,.
J
So
yeah
I
think
so.
I
have
a
couple
of
questions
for
you,
but
I
also
wanted
to
just
kind
of
throw
some
stuff
out
there,
because
I
think
one
of
one
of
the
reasons
why
we
had
a
removed
level.
Four
and
some
of
the
specific
things
around
common
requirements
was
around
it
being
unclear
exactly
because
I
know
a
lot
of
folks
were
cleaning,
for
example,
level,
four
and
they're
right
up
so
you're
like
well.
J
Maybe
it's
level,
four
we're
not
sure,
and
so
we
wanted
to
kind
of
also
figure
out
like
how
can
we
make
that
clearer
so
that
there's
less
of
this
ambiguity,
because
there's
lots
of
folks
who
are
claiming
you
know
lots
of
things
and
and
I
think
the
thing
is
that
that
we
found
is
at
least
compared
to,
like
your
average
scorecard
or
or
similar
sort
of
linking
tool
that
can
kind
of
gamify
some
of
these
things.
J
When
you
start
to
look
at
a
build
service
and
all
of
its
complexities,
it's
a
little
bit
more
difficult
to
sort
of
you
know
it
requires
a
significant
amount
of
data
around
you
know.
How
are
you
configuring?
The
build
system,
how
have
you
secured
it?
You
know
what
is
the
infrastructure
you're
running
on?
J
You
know
who
who
has
authorization
for
that
infrastructure
and
so
on,
and
that's
kind
of
where
some
of
the
stuff
that
we've
been
doing
with
stuff,
like
the
the
salsa
conformance
program
as
well
kind
of
come
in
so
I
think
to
throw
something
back
to
you.
It's
I
think
we'd
be
interested
to
know
like
what
sorts
of
things
would
you
want
to
see
in
that
sort
of
gamification
that
that
somebody
could
you
know
and
and
who
would
be
the
one
let's
say
attesting
to
that
right?
J
You
know
who
would
be
the
one
coming
in
and
saying?
Yes,
you
are
you
know,
saying
that
you
know
you,
you
run
a
lockdown
control
plane
and
this
that
and
the
other
thing
and
therefore
you're,
hitting
the
the
salsa
level
four
require.
You
know
whatever
you
know
some
high
level
requirement
there.
E
Yeah,
you
know
that
gets
tricky
because
you're
talking
about
who
attests
to
it
I
do
like
the
idea
of
a
third
party
always
doing
via
testing.
We
went
in.
E
We
reviewed
this,
it's
the
kind
of
thing
that
you
get
with
so
many
other
places,
because
you
know
companies
like
to
inflate
themselves
to
look
better
and
I
personally
would
like
somebody
to
have
a
more
critical
eye
on
it,
and
so
I
mean
if
you
had
something
like
levels
right-
and
you
see
this
in
some
of
the
other
things
so
like
at
Tucson,
where
I'm
at
we
have
for
a
number
of
things
had
to
do
things
like
common
criteria
and
common
criteria
actually
gets
into
here's
the
levels
of
things
you
have
to
have
around
the
controls
you
have
and
then
you
get
audited
and
all
of
that,
and
so
you
can
get
those
certifications
for
certain
types
of
builds.
E
The
The
Branding
and
prominence
worldwide,
like
common
criteria,
is
fairly
popular
in
certain
circles
in
Europe,
but
it
doesn't
have
the
whole
worldwide
thing,
and
so
some
of
it's
been
worked
out
and
I
would
probably
look
to
those
to
see
what
they
have
done
and
both
to
agree
and
disagree
with
what
they've
got
already
but
I
like
the
idea
of
having
a
conformance
program
and
things
like
that,
because
you've
got
to
look
at
how
do
you
you
know:
do
two
people
always
have
to
access
the
cage?
Do
you
have
processes
in
place
like
that?
E
How
do
you
track
the
changes
that
happen
to
your
build
system?
There's
a
whole
lot
that
goes
into
it,
and
that's
probably
Way
Beyond.
What
we'll
talk
about
here,
but
yes,
you're,
absolutely
right
actually
getting
into
the
details
of
what
does
that
mean?
Is
hard
and
I
only
really
know
how
hard
it
is,
because
at
suso
we've
had
to
meet
all
of
that
to
meet
common
criteria
for
plus
and
to
get
there.
E
J
B
Yeah
I
just
wanted
to
add
thanks
thanks
for
raising
your
concerns.
This
is
this
is
precisely
the
stuff
that
we
need
to
know
so
so
appreciate
it.
I
just
wanted
to
Second
the
points
raised
earlier
that,
yes,
not
everything
here
is
going
to
be
easily
cryptographically.
Verifiable
right
in
total
can
help
to
some
extent
of
that,
but
you
you
that's,
that's
probably
why
we
came
up
with
the
idea
of
a
conformance
program.
B
So
if
human
third
party
artists
to
tell
you
okay,
we
really
did
do
the
checks
but
but
to
but
to
do
that
in
the
first
place
like
Michael
was
alluding
to
earlier.
We
we
need
a
more
objective
set
of
criteria
to
be
able
to
check
those
claims.
B
I
think
well,
it's
important
to
check
Bill
security.
This
is
precisely
the
sort
of
thing
that
in
Toto
is
supposed
to
help
with
in
the
first
place.
Is
that
to
a
very
large
extent
not
strictly
to
true,
but
to
a
very
large
extent,
you
can
get
away
with
not
fully
trusting
the
bill
service
in
the
first
place,
because
you
can
always
verify
it
to
some
extent,
not
completely
true.
If
you
don't
have
things
like
reproducible
bills,
it's
going
to
be
hard
to
double
check
whether
the
build
is
correct.
B
E
Yes,
and
so,
reproducible
builds
makes
a
a
big
difference
there,
because
you're
going
to
have
different
build
systems
by
different
organizations
for
most
things
in
open
source,
though
you're
not
going
to
end
up
with
that,
because
you're
not
going
to
have
multiple
bills,
I'm
not
going
to
take
a
cncf
project
over
here
and
say:
okay,
we've
got
it
in
two
build
systems.
You
can
trust.
Both
build
systems
haven't
been
compromised.
Look
they've
got
the
same
hatch
you're
not
going
to
end
up
with
that
kind
of
of
facility
there,
and
so
you
know.
E
Part
of
this
is
also
what's
practically
going
to
happen,
and
how
do
you
communicate
it
with
people,
because
it's
great
to
have
like
an
organization
come
in
vet,
your
build
system
processes
and
all
of
this
and
maybe
attest
to
it
in
a
way
that
can
be
grabbed.
But
then
now
you've
got
something:
that's
not
really
easily
human
partsable.
You
can't
see
it
as
a
glance
and
that's
another
characteristic
of
all
of
this
of
how
do
you
communicate
this,
because
so
there's
the
security
and
the
usability
that
I'd
like
to
see
taken
into
account.
B
Exactly
thanks
before
I'll
just
make
a
quick
point
before
before
I
pass
the
mic
to
Mark.
Yes,
I'm
glad
you,
you
spell
spelled
out
explicitly
something:
I
was
thinking
about,
but
I
think
I
think
everyone
thinks
about
it.
But
nobody
really
says
it
out
loud.
I
think
I
think
the
bill
security
being
being
able
to
measure
your
build
security.
Somehow
is
a
very
nice
way.
B
C
C
The
intention
was
that,
like
almost
the
intention
is
like
this
is
a
really
hard
problem
to
Define
what
the
security
requirements
are
and
deferring,
although
it
is
also
for,
is
like
kind
of
too
late
and
so
we're
kind
of
like
throwing
our
hands
up
in
the
air
and
saying,
instead
of
defining
levels,
we
have
this
guidance
around
verifying
systems
of
like
here's,
the
type
of
approach
that
one
might
take
when
choosing
whether
it's
good
enough
or
not,
which
doesn't
it's
not
very
satisfying,
it
doesn't
have
the
gamification
approach
that
you
mentioned.
C
E
The
only
thing
I
can
do
is
a
minor
addendum,
which
is
to
note
something
into
the
future
section.
So
that
way,
you
communicate
that
it
hasn't
been
dropped,
but
it
is
something
we're
considering
moving
forward
just
as
part
of
the
communications,
beyond
that,
if
I
had
something
simpler,
I
probably
would
have
filed
and
issue
the
idea
and
I
haven't
come
up
with
anything
simpler
when
somebody
else
has
one
I
would
love
to
hear
it.
Just
in
my
own,
creative
abilities
just
didn't
come
up
with
anything.
K
Maybe
we
could
Rebrand
the
verifying
build
systems
page
to
a
draft
of
a
build
track.
Is
that
helpful.
C
I
think
I
think
someone
else
also
brought
up
a
similar
thing,
and
we've
talked
in
previous
meetings
about
that.
It's
we
kind
of
have
this
conflict
of.
We
want
to
Define
like
the
stable
parts
of
the
spec
of
like
here's,
the
requirements
that
we
don't
think
they're
going
to
change
and
we're
kind
of
confident
that
when
we
say
this
means
salsa
build
level
three
that
like
that
will
continue
in
the
future.
But
we
also
want
to
give
an
indication
of
here's
a
bunch
of
things
that
are
good
to
do.
C
The
way
that
you
run
the
build
system
Etc,
we
could
kind
of
throw
more
things
on
future
directions,
but
we
we
could
kind
of
rephrase
it
into
like
a
future
directions.
There
might
be
a
future
salsa
build
track
or
Source
tracker
I'm.
I
C
Forget
what
you
called
it
Matt
like
operations
track
or
something
kind
of
be
more
specific
around
like
here's
things
that
are
probably
good
to
do,
and
whether
or
not
they
are
part
of
a
level
like
you're
not
going
to
go
wrong
doing
it,
because
it's
good
advice,
so
I
met.
E
Yeah
and
and
the
other
side
is
the
consumers
in
the
build
systems
right
so
I
was
thinking
of
both
the
producers
and
the
consumers
of
the
system.
You
need
to
communicate
to
the
consumers.
What's
going
on
we're
trying
to
kind
of
push
the
builders
and
operators
of
those
systems
to
improve
their
security,
also
convey
to
the
consumers
of
those
systems
where
they're
at
in
an
easy
to
do
manner.
That's
why
I
came
up
with
the
idea
of
a
build
systems.
E
Levels
I
was
building
on
your
idea
of
levels
and
you
did
the
build
levels,
and
then
you
talked
about
the.
What
was
it
Source
levels
coming
in
the
future
or
some
kind
of
source
track
and
I
thought
you
know
build
systems
is
another
area
you
could
also.
You
know,
trackify,
so
to
speak
with
levels
that
communicate
to
end
users
and
criteria
at
those
levels
which
would
kind
of
entice
people
who
build
and
operate
those
systems
to
meet
that
and
then
convey
that
in
in
a
very
easy
to
see
manner.
C
And,
and
so
it's
a
specific
recommendation
here
is
to
note
at
least
on
the
future
directions.
I
don't
know
if
okay,
maybe
Elsewhere
on
the
site,
like
the
requirements
page
or
the
verifying
systems
page,
but
at
least
on
the
future
directions
page
this,
and
also
in
the
the
what's
new,
which
I'm
writing
now
and
the
announcement.
E
I'm
the
kind
of
person
if
I
propose
something
I'm
willing
to
write
for
it,
but
I
also
probably
don't
know
all
the
right
places
to
write
it.
So
if
somebody
else
has
a
better
idea,
I'm
more
than
happy
to
do
it
I
fear.
If
I
did
it
even
if
I
wrote
it
today,
the
back
and
forth
might
go
beyond
Wednesday,
because
somebody
pointing
out
someplace
else
I
need
to
do
something,
but
I
am
willing
to
do
it.
If
nobody
else
is
up
for
it.
C
It
seems
like
a
strict
Improvement
to
add
it
to
some
places,
even
if
we
don't
have
it
like
every
place,
that
would
be
optimal,
starting
with
your
idea
of
adding
it
to
the
Future
directions.
C
I'd
be
fine,
adding
something
there.
You
know
like
another
track
page
and
if
we
just
start
there,
that's
at
least
noting
that
these
are
the
types
of
things
that
that
we're
thinking
about
like
what
we
don't
yet
know
how
we
would
make
a
track
or
even
if
we
would
necessarily
have
a
track
for
this.
But
these
are
the
types
of
things
that
we
would
think
about
and
then
maybe
point
to
the
verifying
systems
page
to
talk
about,
like
you
know
the
the
approach
to
looking
at
that.
E
Okay,
yeah,
if
you
want
I,
can
make
a
pull
request
like
that
and
try
to
get
something
in
today
or
tomorrow
morning
for
you.
If
that
would
work.
C
Good
being
it's
lucky
here
that
would
be
pull.
Requests
are
very
welcome.
Any
concerns
on
the
the
two-week
review
period.
This
is
our
topic
that
we
anytime
we
talk
about.
This
no
concerns.
Okay,
as
you
are
not
shaking
his
head.
I
No
no
I
mean
this
is
future
I
mean
it
was
just
it's
indicative.
It's
informative
at
this
point.
It's
not
even
nobody's
part
of
the
specs.
So
let's
see
we
can't
say
whatever
I
I
should
be
careful.
You
know,
as
always,
for
this
kind
of
stuff.
We
don't
want
to
commit
to
anything.
So
we
it
really
has
to
be
worded
into
hey.
This
is
the
kind
of
things
we
are
thinking
about.
You
know,
but
this
is
what
I
think
is
intended.
So
I
I
think
that's
that's
cool
good.
J
One
final
thing:
there
I
think
I
think
it's
on
I
I
also
agree
with
Arno
I,
don't
think
it's
it's
given
that
it's
all
future
stuff
I,
don't
think
it
makes
it
part
of
the
actual
spec,
but
I
do
think
I'd
be
curious
to
know
if
folks
have
thoughts
on.
J
If
folks
have
thoughts
around
like
is
rules
around
the
requirements
for
the
build
spec.
Do
we
want
to
mostly
like
there's
a
lot
of
there's
a
lot
of
content
out
there
already
on
that
right
like
when
it
comes
to,
let's
say
the
the
build
Providence
right,
there's,
not
a
lot
of
content
outside
of
salsa
on
that
kind
of
really
focused
on
that
piece,
but
when
it
comes
to
sort
of
secure,
build
infrastructure,
there
is
stuff.
J
Like
the
you
know,
the
the
white
paper
that
came
out
of
the
cncf,
the
secure
software
Factory
reference
architecture-
and
you
know,
and
some
other
things
like
there's
the
oh
wasp
there's
some
stuff
that
came
out
of
a
wasp
and
some
stuff
that
came
out
of
this
ssdf.
J
Do
we
want
to
as
much
as
we
can
like
focus
on
like
just
referring
to
those
things,
or
do
you
think
that,
or
do
folks
think
that,
like
there's
actually
enough
that
we're
doing
that
that
it
warrants
like
a
separate
set
of
requirements
that
that
we
ourselves
Define.
E
So
I
I
I'll
jump
on
this
I
think
it
does
warrant
a
separate
set
of
requirements
because
salsa,
like
a
couple
of
others,
does
one
thing
really:
well:
they
gamified
at
a
glance
right
which
pushes
people
to
try
for
higher
levels
more
levels
to
improve
on
it.
Reading
the
you
know,
cncf
paper
on
this,
it's
wonderful!
How
do
I
know
if
anybody's
done
it?
E
How
do
I
know
if
somebody's
done
it
without
a
significant
amount
of
research
and
even
then
can
I
tell
being
able
to
assess
it
as
an
end
user
and
to
be
able
to
do
that
fairly
quickly
is
so
useful
and
there
isn't
a
lot
of
that
out
there,
but
there's
a
lot
of
guidance
out
there
on
what
you
should
do.
E
That's
great
for
operators
of
it,
but
if
you're
a
consumer
trying
to
figure
out
how
an
operator
is
doing,
it's
I
sort
of
trust,
you
I
hope
and
if
there's
a
way
to
communicate
and
convey
some
of
this
I
think
it
would
be
great
and
I
know.
There's
some
other
specifications
out
there
that
do
some
of
this,
but
they're
more
Niche
and
a
lot
of
people.
Don't
know
about
them,
which
is
an
opportunity
for
salsa.
C
Is
always
great
to
have
a
someone
who
shows
up
to
the
first
meeting
kick
off
like
a
pretty
solid
half-hour
discussion,
so
thanks
a
lot
all
the
better
to
promise
to
send
a
PR
all
right,
I
think
we're
out
of
time.
Thank
thanks.
Everyone
for
joining
as,
as
always
I
appreciate
everyone
contributing,
and
we
will
again
please
look
out
for
pull
requests.
We
had
mentioned
as
a
reminder
up
in
the
meeting.