From YouTube: SLSA Specifications Meeting (March 13, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
B
All right now, let's see. Good, good, excellent.
A
Yeah, I'm sitting here trying to do some last-minute preparations for our town hall. You see, I got my college shirt on today; I'm calling in today, you know.
A
I think it's 200 and something, 200 and something registrants.
B
But if you need me in a three-piece suit and a tie, and it's important and it will help the world be a better place, awesome. I don't need that. But you know, whatever.
H
No, I'm here whether you want me or not. We do want you.
A
Sorry guys, I am double-booked as per usual on Thursday morning. So please, please excuse me.
B
Mark, this is David Wheeler. It's okay if I just quickly add to the agenda, just a heads-up about the survey.
H
Yeah, that's great. Anyone, feel free to add agenda items, just go right ahead.
H
So welcome everyone to our, I guess, quad-weekly. What do you call it, like every four weeks? I just updated the thing at the top, because someone said no, it's not on the fourth Thursday of the month.
H
First, we could start by welcoming any new members. If you'd like to, quickly say hi.
E
Oh, I don't think I've been to one of these before. Hi everyone, my name is Aditya. I'm one of them again herself in total, and yeah, I've been tracking a lot of the SLSA stuff from afar, and I hope you may get more of these.
E
Hi, my name is Benjamin Schmidt. I'm a cybersecurity engineer from Minor Corporation, just signing on, hoping to get a deeper understanding of SLSA and everything that's going around.
C
Hi, I'm Claudia Ring. I've been jumping into a lot of the SLSA meetings over the last few days. I'm from ActiveState.
H
Okay, well, thanks for joining everyone. We'll go through the special interest group updates which, as a reminder, are kind of like our working groups within SLSA, because SLSA is within the OpenSSF Supply Chain Integrity Working Group, so this subgroup is called a special interest group. On the specification side, we put out a 1.0 release candidate and announced it on the blog. We're gathering feedback now. Thank you to everyone who's contributed, either with issues or pull requests, or for sharing it.
H
My guess is it'll probably go over a little bit, just from the current number of issues and the rate of change, but we'll see. Right now there's a lot of pull requests going on around organization, clarity, simplification, etc. For example, one of the things that we recently decided was to version all the things together. Right now we have technically three different specifications: provenance, VSA and SLSA, each with an independent version number. Things like that, to just kind of reduce confusion, use consistent terminology throughout, etc.
H
So that's what we're actively working on now, among other things. I know there's a lot of content feedback going; there's issues being discussed, like, I think, for example, around isolation and ephemeral, etc., and hopefully we'll get to those probably next week. I think so far I haven't seen any major feedback that was like "I think the tracks are a bad idea" or something like that. Certainly any major feedback like that would be welcome. I'd rather hear about it now than to just silently think, oh no.
H
This was a bad idea. But it's seeming like there wouldn't be any major changes to the spec for the final version, as far as I can tell.
H
Please speak up if there's anything else I'm missing on the specification side.
I
Just quickly on specification, sorry, I was getting myself off of mute. Related to that, as we reach the 1.0 stable milestone, there's a separate thread of work around comms and how we're going to coordinate that, and so Jennifer Plies from OpenSSF has kicked off a cross-company, one-below comms planning call yesterday and is driving that forward, and so that stuff is in process.
I
Gathering quotes, coming up with the comms distribution plan, the tick-tock of how these things are going to roll out during the day, and so on. So there's a separate thread there.
D
Yep, so for positioning, as Isaac said, there's a SLSA comms 1.0 planning. SLSA positioning, as of about a month ago, is now SCI positioning. So SLSA is just a component of our positioning group, along with S2C2F and FRSCA.
D
So I changed the link for the positioning. A lot was done in the past couple of weeks.
D
But there is one talk that we're going to need help with. One that was accepted was really a FRSCA demo of how, in real time, you can show a SLSA Build Level 2 or 3 at the conference, with participants potentially even having their laptops along to follow along with the sample project, according to Mike.
D
There's been some reshuffling of resources in FRSCA, where they may not be able to contribute anymore, and so now we are at a bad point in time where we really need those devs now more than ever. So if people have development resources to help build that kind of demo lab out, or participants in OSSNA, we would really, really appreciate the help.
G
Yeah, just to provide a couple of other little points there. So FRSCA is an OpenSSF project. It does high-level SLSA. It uses a bunch of LF projects like the CD Foundation's Tekton and Tekton Chains. It uses a bunch of other stuff, combines it all together to make kind of a secure build system.
G
I think one of the things that has come up before is there's folks who can't necessarily just use pure GitHub, or they want to run their own thing or better understand some of this, and that's kind of what FRSCA came out of. But yeah, due to some reshuffling among some of the folks who are also maintainers, other than myself, on FRSCA...
G
They've kind of gotten de-prioritized a little bit, so I would say I'm kind of the one maintainer left on FRSCA. There's a few others, but they're not able to contribute that much, and so we're definitely looking for more folks on that, to kind of go through that.
G
But then there's also a separate thing, which I think is also something that we should look at, which is most folks are not moving off of their CI systems. So if folks are using Jenkins, they want to continue using Jenkins. So I think some of the other stuff that we're looking at long term is: how can we, or do we need to, draw the line in the sand and say certain other CI systems maybe just aren't suitable for high-level SLSA stuff?
H
Is that from feedback from open source projects, or from companies using it, or a mix of both?
G
A mix of both. A lot of open source projects right now are just comfortable using GitHub and GitHub Actions. There's been a couple of discussions about, hey, for very complicated projects where something like a simple GitHub Action isn't going to work, FRSCA can come in and help out there, but FRSCA is still very much pre-beta at this point.
G
It can do a lot of this sort of stuff, but it's not necessarily the easiest thing to use, and we have a bunch of things on our roadmap to do that. On that front, I have a big sort of "what is FRSCA" refresher, or something like that, for the OpenSSF blog and so on, to try and drive up maintainership. But just throwing that out there.
G
Just due to some shifts in priorities from some of the other companies who have been working with us on FRSCA, some of the maintainers have been re-prioritized to other things.
H
All right. I guess it's also worth mentioning that npm, the JavaScript packaging ecosystem, is having a private beta right now of basically SLSA: propagating provenance alongside the package, generating it automatically with tooling, and having some sort of verification.
H
That's ongoing, and I'm not sure what the timeline is for the public beta, but on the open source ecosystem side there's some progress being made there. Hey Michael.
G
And one other thing, just as an aside, to completely change topics. I also have, hold on, let me bring this up here into the chat. It's very short. I haven't finished it completely yet, but I'm definitely looking for feedback on a blog article regarding why we split stuff up into the different tracks.
G
Definitely looking for feedback on that. I don't have enough time to make something much more comprehensive, but I think it's at least an initial start, and if folks have suggestions about things I should be adding, I can definitely add stuff in there.
J
Yes, I have a question regarding the specification before the final 1.0 release. Do we plan to change the way we navigate in the specification? I saw that some PR worked on that, but currently it's not easy, because you always go back to the 0.2 spec.
B
Whoops, okay, so let's see. So I wanted to just give everybody a brief heads-up about this survey that came out. It says it's a SLSA survey, but in many ways it's really a supply chain survey, using SLSA v0.1 as a baseline. So basically, it had some, frankly, I think, surprising feedback.
B
I've put two of them right here. You can see the summary and the report for details, but basically, most of the practices were considered helpful. I think that's good. Some of the practices were considered substantially more difficult than others; zero surprise there. Hermetic builds and reproducible builds in particular were the hardest. And yet, when asked, well, what are you actually doing there?
B
There wasn't any statistical difference. I'm not entirely sure how to interpret that. I'm going to interpret that for a moment: I'm interpreting it as somewhat harder, but not so hard that, for people who are very interested in countering attacks, it's enough to prevent them from doing it anyway, even though they're considered harder. Maybe there's other ways to interpret this, but I found that intriguing. So anyway, there's the blog post. It links the full report. Enjoy.
G
So a couple of updates from tooling, just to bring that up. In the notes I put in a 1.0 tracking issue; feel free to add in additional tools, or ping me.
G
If you want additional tools added, whatever, added to the issue around tools that are planning to add 1.0 support, or there's open issues for 1.0 support. So I added in a handful of tools. I'm sure I'm missing a bunch, so feel free to add stuff in there. We're looking to at least have some tracking issues for the 1.0 support.
G
This is not intended to be like a declarative "thou shalt do this", but one of the things that has been discussed is it would be really nice if you could have consistent tool... client, you know, consumer-side tooling.
G
Around some of these things. And I know there's a lot of different work on this front. It's more just, hey, can we help coordinate with some of these groups that might be doing this, like npm, like PyPI, like gems and so on. Not saying that they should all implement the exact same thing, but if they sort of followed similar rules, then it could help with some of the client-side tooling when it comes to implementation.
G
Haven't gotten a lot of traction on that, but we're looking to continue the conversation on that front. And then finally, we're also looking at perhaps having some basic 1.0 helper libraries, either before 1.0 or post 1.0, to help tools that are either consuming or producing SLSA, to make sure of stuff like SLSA provenance spec validation.
G
Like, are you actually following the rules of the spec? And stuff like Go, Rust, Python, whatever libraries that folks can consume, as well as maybe some other helper things to help out some of the other tools that are out there. Most of that work can probably be pulled out of some of the stuff that's already in things like the SLSA GitHub generator and the SLSA verifier and those sorts of tools. But wanted to throw that out there.
F
Yeah, hi. So just to follow up on what Mike was saying regarding the tools that will support SLSA: there is, on slsa.dev, the website, a Get Started page that was recently revamped, and it's mostly focusing on freely available tools, namely FRSCA and the GitHub SLSA generator. But there is, at the end of the page, a little table that is open for people to add their ideas to, you know, the list of tools that claim to be SLSA compliant.
F
Whatever level, this is part of the information that's recorded, and there is work on the way to develop a conformance program where there'll be a certification with a little bit more legal framework around it. For now, it's merely based on self-claims, but it's meant to be open and to provide people who are starting with some pointers as to which tools are available out there.
H
So Mike, do you have a link to the API, the distribution API?
G
So there's no work on it. It's just literally the SLSA tooling notes, so yeah, it's mostly just a few high-level things. And then for what Dustin said, yeah, so I went to the security working groups, I think it's the APAC-friendly one. I still need to go to the earlier one, for me at least, the EMEA one.
G
So I have plans to go to that one as well. And so, before doing anything, I think the only high-level... and it should be in those notes, but the high-level guidelines would be something like: can we follow some general best practices, and assuming we could, can some of these groups kind of have a handful of ways to approach it, because not everybody's going to say, yeah, we can have a REST API or whatever that can do, you know, these specific endpoints. But if a handful of them can do that, then it sort of simplifies, I think, client/consumer stuff quite a lot.
H
Yeah, and I linked in the notes, Dustin also started a pull request to add a "Distributing provenance" page in the spec, which is less specific than an API, but is starting on general guidelines, basically recommendations for how to distribute provenance. For example, the notion that there are releases and artifacts within a release, and that provenance would be attached to an artifact, etc. So if you haven't seen that and you're interested in the space, that would also be good to align with as well.
H
Wait, there's a comment, I think from Nikola, about just navigation. If you have any sort of issues like that, even if they're small, please do just file issues to track. Happy to hear those, whether they're big issues or small issues. It's helpful having that feedback for prioritization.
H
Yeah, okay, going once, going twice. Okay, it looks like we can end early. Thank you everyone. By next meeting, we should have a 1.0 published, and so a lot of this work should be happening. As always, if you want to join in any of the specific working groups, you can join on Slack, openssf.slack.com; there's a SLSA group.
H
slsa.dev/community, and certainly everyone's welcome in these groups, and any pull requests or issues or implementation work. Yeah, that's all specification for the spec work; there's also tooling, for implementing tooling, and...