From YouTube: SLSA Specifications Meeting (April 17, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
B
Hey everybody. I'm sorry too, man, I'm eating my lunch. That's what I'm gonna keep turning up my camera periodically. Welcome everyone. As a reminder, please register attendance in the meeting notes which you just sent in the chat.

B
If you have any agenda items, please go ahead and add them. I put one discussion topic. Is David here? Looks like David is not here. A topic that David Wheeler brought up in a pull request that I think is worth briefly discussing. It's low priority; if you have anything else, feel free to preempt that.

B
First, the only two topics I had were, one, I think if you could review the proposals 829 and 832 to mark v1 as approved, and if you do...

B
That, and then please mark your approval on GitHub. And then 832 makes v1 the default, which we'll submit after the two. I separated them just because technically they're two distinct actions we could have. They prove that...

B
Show up by default. And so, sorry, yes, it's in the meeting notes, 829 and 832.

B
Just the GitHub open pull requests, you'll, you'll...

B
So far, we haven't heard, to my knowledge, any significant feedback that would prevent us from considering it approved. And I think, according to our governance, the process is that the maintainers approve it, assuming that, like, with the intention that it represents a consensus of the community. And so I think, I don't think we need, like, specifically formal approvals from every single...

B
I think that would be helpful. That would be nice to just record, so that... and then we'll merge it tomorrow afternoon, and then the PR emails go out Wednesday morning. Wednesday, I think, 9 a.m. Eastern. Anything?
D
No, I think we should have a formal, you know, decision made in this meeting, but this is the plan. So we can, you know, document it, say: yeah, everybody agreed.

D
In addition to the GitHub process, sure. What, what...

D
In particular, I think so. We should acknowledge that there were no major issues raised in the last two weeks, right? So we are good to go with the plan to move the specification from basically release candidate towards the candidate approved specification, to approved specification under the community license framework.
B
Anything more on the 1.0, or last-minute topics? Okay, the only thing I had currently that I thought was worth a brief discussion is the terminology. I sent out a pull request to update the diagram. Let me present it here.

B
Try to zoom in. Sorry, GitHub doesn't make it easy to zoom.
B
We had an earlier pull request that went through and eliminated... basically has a single term, producer, for everything. Like, we have producer and consumer, and whenever we need a word we default to producer, and when we want to be more specific, we kind of spell that out in plain English. Like, there's cases where we say, where we had maintainer, we replaced it with insider threat or individual.

B
If we're trying to emphasize that it's a person instead of an organization. And I think we didn't really need the word developer or maintainer, because we only have the build track and it doesn't really come up, or where it does, we could just easily spell it out. But I think David might, he's unfortunately not here, but he might have some larger concerns, which I asked him in the pull request.

B
Blocker for 1.0, by the way, it's just, I think it's... we could easily swap those terms, and then also for this particular diagram.

B
I kind of feel like developer looks better here, because, like, the developer is the one who goes into the source, versus producer, which kind of implies an organization and kind of implies touching all the different parts. But my weak feeling, I, I, like, weakly lean toward just having a single consistent term instead of having the word developer only in this diagram but nowhere else in the site. So.

B
Just wanted to open that up because...
D
Yeah, so I agree with that. And, and if you look at the terminology now, we have defined different roles and we have producer, and it actually says that, you know, it can be a maintainer or, say, a software vendor. So it's, you know, it's kind of like an organization possibly, and goes, you know, you know, the same line of, you know, maybe developers to reduce it, but...

D
So I think it's, you know, I'm happy to go with producer. This would have been used in the spec for a while now and I think we should keep it that way. So I agree with the updates that are gone.
A
Yeah, I also agree. You...

A
Is where people are looking at something that makes total sense? The other quick question: I didn't look at the other images. Are there other ones? Because isn't there another image where there's a bunch of listings of vulnerabilities along the supply chain as well, or is that a different thing? Okay? Here we go. Good, excellent.

B
Yeah, this updates all of the... in the pull request description, I didn't update the ones that are only visible in v0.1 and the release candidate, and so there's a little bit of an inconsistency there, but yeah. If...
B
Good idea. Okay, so, all right, so I couldn't quite tell from... it sounds like the weak preference is to switch to producer, not that people particularly like producer, but rather it's consistent with what we use elsewhere, and so the consistency is a clear gain. And maybe there's still a question of perhaps there's a better word that we could use other than producer, but that's a larger discussion. Does that capture it?

D
Yeah, except that I don't think switching to producer is the right... you know, is the right thing to say here, because the switch has already been made in the spec, right? Aligning the diagram to the, to the text part of the spec, to me, is not, you know, it doesn't constitute a switch. But yeah, I think we should continue on switching to the producer, you know, and aligning diagrams with the spec, with the text, yeah.

B
Yeah, that, yeah, thanks, thanks for saying that. Yeah, the, I think David kind of questioned the choice of switching to producer.
B
I think, like, looking at, like, for example, other... it, for the bro... okay. So it sounds like this one's fine. If you have comments on the pull request, please, please do add them, say by end of day. But it sounds, for the broader question of, like, is producer the best word for that? SBOM calls it, what do they call it, supplier, which I think maps to what we call producer?

B
Although I don't know if there's, like, some sort of subtle difference. That might be one thing to consider, of, like, having a consistency across, so people don't say you...

B
The same thing. Yeah, I, I don't like the word supplier here either, for, for what it's worth, but it does kind of call into question, like, well, if SLSA says producer and SBOM says supplier, are they the same? Are they different? If we literally use the same word and say it's the same thing, then...

B
I think that term is pretty entrenched in SBOM. I think it also kind of comes in, like, if you think about a manufacturing pipeline.

B
You, there's kind of like a supplier and a distributor. I don't think SBOM talks about distributor, but, like, I think the terms kind of come from the manufacturing world, where, you know, like, there's a... actually, I'm not sure, someone could correct me if I'm wrong, but I feel like supplier is, like, the end entity of, like, who's saying how to assemble all the things, and the individual parts can come from other suppliers, and then there's some manufacturer that converts all those parts into a, a widget or something, and then a distributor, which I think we would call package ecosystem, that, like, then sends it out. But yeah, okay.

B
So it sounds like there's not any particular groundswell of support in terms of changing this term. Okay.
B
Sure, I...

E
Guess I'll attempt to give a TL;DR. Sure, so in 827 there's a proposal for how do we reference that SBOM and SLSA currently are different, even though, like, in the future they're kind of potentially going to have a lot of overlap. And so there's a proposal in there for how we reference it. I like the revision on it. I do think...

F
Yeah, thanks, thanks for raising this issue. Now, now on the second, at first I was, I thought maybe we could say something slightly more prescriptive, but I think I, think I like the, the way it's worded now. Because, but part of what I'm worried about is we, there might be an accidental bifurcation. Do, do I make sense? Some people might put SBOMs in their SLSA attestation.

F
Some people might use SBOMs instead of SLSA attestations. I'm kind of worried about the divergence there, but maybe it's too early, and we probably don't want to be prescriptive here either. Any, any thoughts on this?
D
That's why I was, you know, in one of my first comments, was trying to be broad enough that people would not be offended that we seem to, you know, corner them in this small niche that they may not feel like this is where they honestly, you know, they want to be in. And, and especially given the amount of development there is that we already know about. So that's, you know, mostly...

D
What I, I would like us to keep working on is trying to make sure that the way we frame things is broad enough that nobody feels offended by the way we portray things, and that we also make it, you know, open enough in terms of how things can evolve, which I think, you know, there's been some effort to try and do that, for sure.
B
Yeah, I, I don't think I fully captured anything else. So if anyone could continue typing, that would be... yeah, if you, if you know, if you look at the pull request, my comment from four days ago, on the 13th at 5 PM, starting with "what do you think about the following": I, one approach could be, instead of talking about, like, the difference between...

B
Could be just, be talking about, like, why doesn't SLSA say anything about SBOM, which is a little bit like, we could be more authoritarian, authoritative there, because we're just explaining the reasoning, as opposed to saying something is true. And so I, yeah. If you could...

B
Why don't we require SBOM? And the short answer is, like, the, we kind of say precisely what we tried to spell out: the necessary things without using the term SBOM, because SBOM is kind of ambiguous at the moment, and saying SBOM is not a good match for the things, the specific things that we're trying to do. And then why this also, like, invent a new format versus using an existing SBOM format? And that has more of a simple answer of, like, we can't with the formats that are available today.

B
So for now, so yeah, anyway, feedback. And, say, Andrew, yeah.
G
I haven't read the, the PR, so I can't speak to the PR specifically, but based on the, the conversation around it, I feel like this actually, or in, in my head, that this relates to the same confusion around provenance versus attestation. So if you look at the attestation model that, that is published, the provenance and SPDX and etc. are just some, are different predicates. And, and so, like, to me, stating that you can have multiple predicates in one envelope...

G
You can have multiple predicates being attested with a single signature, and so it might be relevant to have multiple predicates there, in, in a single envelope. If you are concerned about the specific provenance, maybe what is defined in the, the provenance v1 specification.

G
If you are concerned about specific SBOMs, then that could be another predicate. And so I, like, I don't know if, if it would clarify the, the situation at all, if, if we're trying to be more precise about what it means to have... an attestation is an attestation, because I, we've kind of loosely said that, that provenance is an attestation. But it is an attestation, but it's not a signed attestation.

G
According to the attestation model, it is an in-toto attestation, but not the, the entire attestation envelope. And so maybe, if we can hook at that a little bit, or pull it apart a little bit, it might make more sense.
B
Yeah, I, I, I mean regarding SBOM. It seems like, I don't know, but I get the impression that when people say, like, there's a lot of stuff that were rolled into SBOM, and it's kind of both, is, like, simultaneously a particular format, and people often have a notion of a minimum set of data that should be in the thing, and also particular use cases that will be solved by having that data.

F
I might be missing something, but is there a way to include SBOM metadata right now in, in provenance attestations?

B
Yes, there is. You could either, click, create it as an output file, put in the subject, or you could put in the byproducts. There's an open issue to document that. It's probably, like, the equivalent of, like, a one-line change, just haven't gotten around to it.

F
Oh, I like it, I like it. That, I think that would go a long way to, it's clarifying this.
B
Yeah, so if it's in the subject, it would effectively say, well, either way, it would effectively say that this build process resulted in this.

B
Okay, so review on those, those were comments would be welcome. Any more things to discuss, or should we break now?

A
I have a very small one, right. So I threw this issue out, 821. Don't intend to have a discussion on it today, but just want to bring awareness. If anyone is interested in etiquette, merge requests or pull requests, and helping to document that, that would be really nice. I know Josh and Mark have already, and, and I don't know. Also, you guys already contributed to the issue. So thank you.

B
Sounds good. Yeah, I already put my comments on there. I think, I think it'd be great to have a document and start making progress towards, and...

B
All right, good seeing you everyone, and I'll talk to you through other asynchronous means. Bye everyone.