Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SLSA Biweekly / 13 Mar 2023
OpenSSF / SLSA Biweekly / 13 Mar 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SLSA Specifications Meeting (March 13, 2023)

Description

Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj

A

Hey good morning, sir how's everything.

B

All right now, let's see ah good good, ah excellent.

A

Yeah I'm sitting here trying to do some last minute, uh that's been in preparations for our town hall. You see, I got my college shirt on today, I'm coloring I'm, calling today you know.

B

Dr White, it's a pleasure to meet you.

A

I think it's 200 and something uh 200 and something registrants.

B

This is not a collared shirt, but it's it's a slightly. You know it's not a t-shirt. It's it's got that little thing going on. That's.

A

All right, it's all right, I, had to go a break from the normal everybody's. Just seeing me at hoodies, I felt, like you know, let me let me go ahead and and put something else on. Let me do something else today. Let me surprise people.

B

You know I, you tell me what the dress code is. I'll show up, I draw the line at nude.

B

But uh if you need me in a three-piece suit and a tie and it's important and it will help the world be a better place, awesome um I don't need that. But you know whatever.

B

All right, so it is a.

C

Pleasure.

B

um Let's uh I suspect everyone's going to show up in about 60 seconds or 120 seconds.

A

We'll see.

B

Turn my things off for just a second here.

B

With Jay, you're, muted intentionally or what.

D

Hello, hello,.

E

David.

D

Are you talking to the group J or are you on a separate call.

D

Okay, I'll take that as a separate call.

B

All right, everybody, I'm, gonna I, believe that is the correct link for today.

B

And we can.

F

I think I think Mark is probably still on PTO, but I could be wrong here.

D

Did he sign himself in because.

G

Oh, no, no! No! The news, fake news, my bad big.

D

News.

D

Yeah he signed himself in but or somebody copied and pasted His Name by accident, um not sure yeah.

B

I, don't see him on the call, so I'm gonna put a dash PTO question mark just to warn us that oh.

G

He's.

B

He just joined, oh welcome, excellent Mark. We were afraid you weren't going to be here today. Oh.

H

No uh I'm here, whether you want me or not, we do want you.

A

Sorry guys I I am I, am a double uh um double booked as per usual on Thursday morning. So please, please excuse me.

D

No worries Jay I just wanted to make sure. If you were talking to us, you knew you were on mute.

A

It looks like a presentation: oh geez, I, can't even lower the volume.

B

um Mark uh this is David wheeler, it's okay! If I just quickly add to the agenda. Just a heads up about the um uh survey.

H

Yeah, that's great. Anyone feel free to add uh agenda items um just go right ahead.

H

um Okay, I think we should probably get started at the rate of incoming people is slowing down.

H

um So welcome everyone uh to our I guess: quad weekly. What do you call it like every four weeks, I just updated the thing at the top, because someone said no, it's not on the fourth Thursday of the month.

H

um As a reminder, please sign in to the um meeting notes to register your attendance, um the uh and as a reminder um we'll be following the Linux Foundation code of conduct.

H

uh First, we could start by welcoming any new new members. If you'd like to quickly say hi.

E

Oh I, don't think I've been to one of these before hi everyone. My name is Aditya I'm, one of them again herself in total and uh yeah I've been uh tracking a lot of the salsa stuff from afar and I hope. You may get more of these.

H

Okay, welcome.

C

To this meeting.

H

At least I know: we've met in a.

E

Lot of internal.

H

Meetings.

E

Hi, my name is uh Benjamin Schmidt um I'm, a cyber security engineer from minor corporation, uh just signing on to uh hoping to get a deeper understanding of salsa and everything. That's that's going around.

H

Okay, welcome.

C

Hi um I'm Claudia ring I've been jumping into a lot of the salsa meetings over the last few days, I'm from active state.

F

Anybody else.

H

Okay, well, um uh thanks for joining everyone, uh we'll go through the special interest group updates, uh which, as a reminder, is the kind of like our working groups within salsa, um because salsa is within the open, ssf supply chain. Integrity working group um so like this subgroup, is called special interest group. uh On the specification side, um we uh put out a 1.0 released candidate um and announced it on the blog, we're Gathering feedback. Now, thank you to everyone. Who's contributed uh either with issues or pull requests or for sharing it.

H

um We're asking for feedback by March 24th to give us time to incorporate it uh to incorporate into the final version um and then looking to finalize that and I think we still need to talk in the specification group about the exact timeline but I think ideally end of the month.

H

um My guess is: it'll probably go over a little bit uh just from like the current number of issues and the rate of change, but we'll see um right now, there's a lot of pull requests going on around organization, uh Clarity, simplification, Etc, um for example. One of the things that we recently decided was to version all the things together. Right now we have three technically three different specifications: provenance, VSA and salsa, each with an independent version. Number like things like that to just kind of reduce confusion, use consistent terminology throughout Etc.

H

So that's what we're actively working on now, among other things, I know, there's a lot of content um feedback going. This issues uh being discussed like I think, for example, around isolation and ephemeral, Etc, um and you know hopefully we'll get to those probably next week, I think um so far, I haven't seen any major feedback that was like uh I think the tracks are a bad idea or something like that. Certainly any feedback major like that would be welcome. I'd rather hear about it now than like to just silently think. Oh no.

H

This was a bad idea, um but uh it's seeming like there. There wouldn't be any major changes to the spec uh for the final version. As far as I can tell, uh and.

I

If anyone disagrees or has other opinions.

H

Please speak up um I think that's anything else. I'm missing on the specification side.

H

Okay, I'll take the sound. It says: no, if you think of anything, just feel free to chime in uh positioning.

I

Just quickly on specification, I'm, sorry I was getting myself off of mute, um the uh just related to that as we reach the the 1.0 stable um Milestone, there's a separate thread of work around comms and how we're going to coordinate that and so Jennifer Plies from opennesses have kicked off uh across company uh one below comms planning call yesterday and is driving that forward, um and so uh that stuff is in process.

I

Gathering quotes uh coming up with the comms distribution plan, The Tick Tock of uh how these things are going to roll out during the day and so on, and so there's a separate thread. There.

D

Yep uh so for positioning um as Isaac said, uh there's a salsa, comms, 1.0 planning uh social positioning as of about a month ago, is now SCI positioning. So salsa is just a uh a component of our positioning group along with S2 ctuf and Fresca.

D

um So I re I changed the link for the positioning. A lot was done in the past couple of weeks.

D

um Comps being one of them were having some blogs in process um to coordinate with the 1.0 release and then also um we did get two of our group's talks accepted for ossna Vancouver two were wait listed, and these were the ones that were submitted by the group, not necessarily others in salsa.

D

um But there is one talk that we're going to need. Help with um one that was accepted uh was really for Fresca demo. Of how real time can you show a salsa build level two or three at the conference right with participants and potentially even um uh them having their laptops along to follow, along with the sample project according to to Mike?

D

um There's been some reshuffling of resources in in Fresco, where they may not be able to contribute anymore, and so now we are at a uh a bad point in time where we really need those devs now more than ever. So if people have development resources to help build that kind of demo lab out or participants in ossna, we would really really appreciate the help.

G

Yeah just to provide uh just um a couple. Little other points there yeah. So um you know Fresca is an open, ssf project. uh It does. You know high level salsa it uses Tech, you know, uses a bunch of LF projects like the CD foundations, tecton and tecton chains. It uses a bunch of other stuff, combines it all together to make kind of a secure, build system.

G

uh I think one of the things that that has come up before is you know, there's there's folks, who necessarily can't necessarily just use pure GitHub, or they want to run their own thing or better understand some of this and that's kind of what Fresca kind of came out of, um but uh yeah due to some reshuffling among some of the folks who are also maintainers other than myself uh on Fresca.

G

You know they've kind of gotten de-prioritized a little bit, so it is kind of I would say you know uh uh I'm kind of one of the the one maintainers left on on Fresca there's a few others, but they're not uh able to contribute that much, and so we're definitely looking for for more folks uh on that um and to kind of go through that.

G

um But then there's also a separate thing, which I think is also something that we should kind of look at, which is um you know most folks are not moving off of their their uh their CI systems so like. If folks are using Jenkins, they want to continue using Jenkins, so I think some of the other stuff that we're looking at long term is like. How can we um or do we need to draw the line in the sand and say certain other uh CI systems, maybe just aren't suitable for high level salsa stuff.

H

Is that from uh feedback from open source projects or from like companies using it or a mix of both.

G

A mix of both um you know a lot of Open Source company. uh Sorry, a lot of Open Source projects right now are just comfortable using uh GitHub and GitHub actions. um There's been a couple of discussions about hey, uh you know for very complicated projects where something like a simple GitHub action isn't going to work. Something like uh sorry if Fresca can come in and help out there, but Fresca is still very much like it's pre beta at this point.

G

um You know it can do a lot of this sort of stuff, but it's not necessarily the easiest thing to use, and we have a bunch of things on our roadmap to kind of do that and on that front, I have a um you know, a big sort of like what is Fresca, refresher, sort of or something like um the open, ssf, blog and and so on, to try and drive up um maintainership, but just uh throwing that out there.

G

Just um due to you know some some ships and priorities from some of the other companies who have been working on us with Fresca that some of the maintainers have been re-prioritized to to other things.

H

All right, I guess it's also worth mentioning um that npm, the JavaScript um packaging ecosystem uh is having a private beta right now of, um but basically salsa like having um propagating provenance with um alongside the package and generating it automatically with tooling and uh having like some sort of verification.

E

So that's.

H

That's ongoing and I think I'm not sure what the timeline is for the public beta, um but that's on the on the open source ecosystem side that there's some progress being made. There hey Michael.

G

um And one other thing uh just as a donut, completely change topics, but so I also have um uh the uh hold. Let me bring this up here into the chat. um It's it's very short. uh I haven't finished it completely yet, but definitely looking for feedback on a Blog article regarding like why we split stuff up into the different tracks.

G

um Definitely looking for for feedback on on that, it's uh I don't have enough time to make something. Much more comprehensive, but um I think it's like a at least an initial start, and if folks have suggestions about like things, I should be adding I can definitely add in stuff uh there.

E

uh Nicholas.

J

Yes, uh I have a question regarding specification before the final One Zero release. Do we plan to change the the way we navigate into the specification? I saw that some PR word in that, but currently it's not easy with the, because you always go back to the 0.20.com spec and.

H

It's it's not.

J

Easy to read.

H

Yes, I, that is yes, uh it is nice. A nice me too I have a I, a pull request, I'm going to send out once the there's a current one, that's doing a little bit of reorganization with estimate I'm going to send it out today, uh yeah, because it.

I

Just.

H

Drives me insane: it always jumps back to the wrong version. Yeah.

H

Anything else on Sig updates.

H

um I also know Michael's request for feedback on the doc uh David.

B

Whoops, okay, so, um let's see so I wanted to just give everybody a brief heads up about this uh survey that came out. It says it's a salsa survey but and in many ways it's really a supply chain survey, but using salsa one 0.1 as a baseline. So you know basically- and it had some frankly I- think some surprising um uh feedback.

B

um You know I I've put two of them right here. You can see the uh summary and the report for details, but basically it most. The practices were considered. Helpful, um I think that's good. um Some of the practices were considered substantially more difficult than others, zero surprise there. Hermetic builds and reproducible builds in particular the hardest. And yet, when asked well, what are you actually doing there?

B

Wasn't any statistical difference um I'm not entirely sure how to interpret that I'm going to interpret that for a moment, I'm interpreting it as somewhere harder, but not so hard that they make people who are very interested in countering attacks uh that not enough to prevent them from doing it anyway, even though they're considered harder, um maybe there's other ways to interpret this, but I found that um intriguing. So anyway, there's the blog post. It links the full report enjoy.

B

Thanks.

H

um Any other topics or questions um that would be worth discussing in a group, yeah Michael, oh.

G

I think the so a couple of updates from tooling um just to bring that up um so uh in the notes I put in a a 1.0 tracking issue feel free to add in additional tools or pygmy.

G

If, if um you want additional tools added whatever it added to the the issue, around tools that are planning to add, 1.0 support or there's open issues for 1.0 support, um so I added in a handful of tools, I'm sure, I'm, missing a bunch so feel free to to add stuff in there we're looking to kind of see, you know we're looking to at least have some tracking issues for for the 1.0 support.

G

um The next thing uh on that note as well, is uh one second: where did I put the uh something here um uh one was uh there there's some discussion around the distribution spec for something like how how should folks distribute um salsa provenance from something like a packaging ecosystem?

G

um This is not intended to be like a declarative. This you Thou shalt. Do this, but one of the things that has been discussed is it would be really nice. If you know um you could have consistent tool. Client, you know consumer side tooling.

G

um Around some of these things and I know there's a lot of different work on this front. It's more just hey. Can we help coordinate with some of these groups that might be doing this, like npm, like uh Pi Pi, like gems and so on, and not saying that they should all integrate, implement the exact same thing, but if they sort of followed similar rules, then it could help with some of the client-side tooling um when it comes to implementation.

G

um Having gotten a lot of traction on that, but we're looking to kind of continue uh the conversation on that front and then finally, um we're also looking at uh perhaps having something like some basic 1.0 helper libraries, um either before 1.0 or post 1.0, to help tools that are that are either consuming or producing salsa to make sure of stuff like salsa, Providence, spec validation.

G

Like are you actually following the the rules of the spec and stuff like go rust python, whatever um libraries that folks can consume as well as maybe some other helper things, um to help out some of the other tools that are out there, and most of that work can probably be pulled out of some of the stuff. That's already in stuff, like the salsa GitHub generator in the salsa verifier and those sorts of tools, but wanted to throw that out. There.

E

Arno.

F

Yeah hi, so just to follow up on what Mike was saying. We do got into the the regarding the tools that will support salsa um there is on salsa, then the website uh get started page that was uh recently revamped and uh it's mostly focusing on uh freely available tools, namely Fresca and uh the GitHub salsa generator. But uh there is, at the end of the page, a little table that is open for people to add the ideas to you know the list of tools that claim to be Southside compliant.

E

To.

F

Whatever level this is part of the information that's recorded, and there is work on the way to develop a conformance program where they'll be able to a certification with a little bit of more legal framework around it. For now, it's merely based on you know self claims, but but it's meant to be open and to provide people who are starting some pointers as to which tools are available out there.

F

Foreign.

H

So uh Mike is there, do you have a link to the API, the distribution API.

D

Work.

G

um So there's no work on it. It's just literally the salsa tooling uh notes so yeah, it's mostly just some. You know yeah a few high level things and then um for what Dustin said. Yeah so I I went to the security working groups. The I think it's the APAC friendly one um I need to still go to the uh earlier one. uh For me at least uh a Mia one.

G

um uh So so I have plans to to go to that one uh as well, and so yeah, the before kind of doing anything, I think the only high level and I think it's. It should be in those notes, but the high level guidelines would be something like can. We follow some general best practices and assuming we could can also some of these groups kind of have some like a handful of like ways to sort of approach it because not everybody's gonna, say yeah. We can have a rest, API or whatever that can do.

G

You know with these specific endpoints, but if a handful of them can do that, then it sort of simplifies, I, think um client, consumer stuff. uh uh Quite uh quite a lot.

H

Yeah and I Linked In, the notes um Dustin also started a pull request to add a Distributing provenance, page and spec, um which would is less specific than an API, um but is starting on like General guidelines, for how you know, like recommend, basically recommendations for how to distribute provenance, for example, um like the notion that there's like releases and artifacts within a release, and that Providence would be attached to an artifact Etc. So if you haven't seen that and you're interested in the space, that would also be good to align as well.

H

But.

I

By the.

H

Way, there's a comment: um I think from Nikola um about uh just navigation if any sort of issues like that, if you have issues even if they're small, please do just file issues uh to track um uh happy to hear those, whether they're big issues or small issues, um it's helpful having that feedback to to for prioritization.

F

And obviously, the sooner the better yes.

H

Thank you, although some things like navigation, is not really tied to a specific version, but.

F

It's nice to have it in for the 1.0, for the spec I was thinking, you know. Did people find issues the specs it's better, not to bring them up on the last day.

H

Any other topics.

H

Yeah, okay, once going twice, okay, uh it looks like we can end early. uh Thank you everyone. um By next meeting, we should have a 1.0 published, and so a lot of this work should be happening. As always, if you want to join in any of the specific working groups, you could join on slack openssf.slack.com uh in the there's, like a salsa group,.

E

It's also on salsa.

H

Dev, slash Community um and uh certainly everyone's welcome in these groups and any pull requests or issues or implementation work um yeah that that's all specification for the suspect work, there's also tooling, for for implementing, tooling and.

I

What is now called SCI positioning.

H

um For for the broader positioning Works, um so all right thanks, everyone uh good seeing you and uh we'll talk again, probably online and meet again next uh four weeks bye, everyone.