From YouTube: SLSA Meeting (January 26, 2022)
Description
No description was provided for this meeting.
B: Am I allowed to talk about it? You know, you just slip me enough, 100 bills, and absolutely, yeah.

B: To our agenda, sure, now one.

B: Is... I have... I'm actually double booked today. The good news is that I think the next two meetings I actually get to be here, hooray, but I'm gonna have to leave after a little bit. But absolutely, so, if you wouldn't mind adding me early.

A: Cool, yeah, welcome, welcome everyone else. Like I was saying, the agenda's a little light, so if there's topics you want to discuss, feel free to throw them in the chat or in the meeting notes doc directly. And I just snuck David in there as our first, had a quick discussion, because he was invited with a bunch of folks to go to the White House and talk about supply chain security.

A: Awesome. Should I announce myself, Mark? Absolutely.

D: Kim volunteered to join the steering committee because, as Zach announced at the last meeting, he was stepping down, so Kim volunteered. We all voted to say yes, so we're happy to have Kim on the steering committee.

A: Please. I worked at Google for a while, and I actually helped launch the SLSA project with Mark. It was very fun to work on together, and then I got the startup itch and started a company with some folks related to this space, so very excited to still be involved as open source. It's fun. Everyone sees the comment which is saying: same t..., same project, same team, different company, or something, so it was a bit like that.

A: So yeah, excited to help out with this and see the progress that SLSA has made. I think it's resonating with a lot of folks, and it's really interesting to see. Yesterday I was on a call, and someone made me laugh because they knew about SLSA and were asking, you know, "Do you follow the SLSA levels?" and they said, "No, we follow the YOLO level."

A: I thought that was pretty funny. I got a kick out of that. Cool, all right, David.
A: Yeah, sure. So we're very new, we're a three-month-old company. We just put a blog post out last week titled "WTF is Chainguard", so feel free to check that out to learn a bit more too, but we are...

A: We are focused on helping companies with supply chain security stuff, so the waste also fits in, as it's resonating with a lot of folks, but they're, I mean, not quite sure where to start or how to start adopting something like SLSA, and so we're talking to folks about that journey and trying to help out with tools and services and products.

B: Yeah, so if I can jump in on the next item, are we good with that?

B: Okay, so basically I went to the White House. Well, went to the White House only in a virtual sense. They were going to have it physically, and I was all excited because that was pretty cool, and then they started getting worried about all the COVID restrictions and they started tamping down, and after Jim Zemlin and Brian Behlendorf flew out to DC to be part of it, they declared it was going to be all virtual.

B: So I was at the White House by being at home, calling into a Zoom call, which isn't really the same experience, but, you know, that's okay. But more importantly, though, the U.S. White House was very concerned. It was true this particular meeting was really triggered by log4j, and, you know, basically they were trying to figure out, well, what are we gonna do here?

B: You know, their overall discussions were focused on preventing vulnerabilities, improving the process for finding and fixing them, and, when that fails and there is a vulnerability, shortening the response time for distributing and implementing the fixes. It's the implementing, for example, that's a big problem in the log4j. You don't even know where it is, how we're going to replace them.

B: All that's going to be a long-term challenge. So we in the LF took very... SLSA was definitely part of the discussion. We certainly mentioned them, I'm sure, several times, and we in the LF tried to come up with something that gave an overall summary of kind of the major moving parts.

B: And so basically right now we're still working that, but just so you know, this is kind of right now how we're trying to group things down.

B: We certainly mentioned it. Now, one challenge I have is that the meeting was, you know, LF and a couple folks gave very short presentations, and then a lot of the time was spent split into working groups. So I only saw the working group I was in. I honestly don't know what all the working groups discussed, but I guess the good news is that, you know, it was raised.

B: Things were discussed. They want to have another meeting three months from then, and at least from the LF perspective, I think we're going to use this opportunity to try to convince anybody else who's not already involved in these efforts to get involved, both industry and, frankly, government. Now, the one issue that I would say and add, and maybe that's an issue I should note here, is, you know, this is not U.S. only, okay, you know.

B: So we are happy when governments say, hey, we're concerned, here's some money, please fix, but we don't want this to be a U.S.-only effort, so we are trying to also talk to a number of different governments of really remarkably different sizes.

B: Sorry for the... I'm sorry it's a little high level and abstract, but I'm not sure where to go, so trying to make it quick and short. Michael.
F: Question, yeah. You mentioned other governments; I'm very interested in that as well. Do you have similar events started to bubble up in other... like, do you have any information about other similar events showing up in other governments, and should we, in fact, maybe start, even just a section of this doc, where we actually start to build out contacts and points of interest with other large regulatory entities, whether it's the EU or a country or whatever?

B: I haven't been told that the list of countries that have been mooted is secret, so I guess I can say them. I mean, really, we're not particularly limited. Countries we've noted might be especially interested include Japan and Germany and Singapore. So.

F: I guess we've not had word of a similar cybersecurity-style summit happening in Japan or the UK at this point, and I'm sort of surprised that that hasn't happened. Obviously, there's a lot of tech in the U.S. A lot of the players are US-based, but that's not exclusive, and certainly the problem is completely agnostic as to which country you're currently getting security problems from.

B: Said, you know, I think, you know, some country has to start.

B: I mean, and the US is as perfectly reasonable as any, but in fact that was one of the LF's requests to the US government folks: they have contacts with some of these other governments, because, you know, government-to-government interaction is a thing, and we're hoping that they will be able to put some of us in contact with some of them. So think of that as a starter; it's an ongoing.

B: Hopefully things will come of it. I don't know it will come of it yet. If you don't mind, I would propose that we hear from Mark Lodato and then Trey Shank and then Bob Callaway. I'm not sure, but the order showing on my screen may not be the right order, but, Mark.

D: Yeah, I don't know if it's the right order, but either way that's fine. One thing that I think kind of seems to be a recurring topic that we should figure out is, right.

D: Now, SLSA is focused on integrity, which is protecting against tampering, and there's some amount of identifying dependencies, which is also used for vulnerability management, and it sounds like most of the effort during the discussions at the White House, and a lot of other things, is around vulnerabilities, which is probably the more pressing issue, and there's also an issue of developer trust, of like the... what was it called, where the...

D: Yeah, yeah. And so I think it's worth us thinking about either figuring out how SLSA fits into the broader supply chain security picture or expanding it to covering these larger issues. So yeah, anyway, I just want to plug that: if anyone has thoughts or wants to participate, it's definitely an area that I think we need to expand in.

B: Yeah, and it's okay if SLSA doesn't do everything for everybody either. I mean, there is the risk of, if you try to do everything, you end up doing nothing useful. So, you know, if it can be expanded in certain areas that make sense, that's great. If we can declare this is this area, and these other folks do this other, I think that's fantastic too. So I don't expect to solve that right here in this meeting, but it's a great point, yeah.

H: Wider issue, I'd really like to be involved in it, because we've spent a lot of time trying to piece that together, really looking at it from an end-to-end perspective and where SLSA fits in and other things. And I think, Mark, you're spot on: now might be the time to figure out, where does it fit? Does it expand, or where does that go? So I'd be keen on having that conversation, if others are ready for that.
A: Should we add that to the next one of these working group meetings, or do like another one-off start?

G: Yeah, hi, thanks for the White House update. That's really interesting. Do you know how, if, you know, people here were interested to join working groups, do you know if there's a process to apply, or...

G: Right, right, exactly. So the question becomes which working groups are working with the White House, and how can we help if we wanted to? So do we join the OpenSSF?

B: Yeah, join the OpenSSF is the quick answer. That's always the right answer. Join the LF, join the OpenSSF, join the specific groups working on the things you're interested in, yeah. So, I mean, you know, SLSA is obviously an important project. As far as more generally, you'll be shocked, shocked to know I don't control the White House; tomorrow's not looking good either. So as far as what the White House does or doesn't do, really, that's an internal matter.

B: I know that they had another meeting a week later, internal to the U.S. government. I wasn't there. I just, you know, I know from somebody; I know that they had a meeting or they were going to have a meeting, but that's all I have. I mean, in the end, the US government decides what the US government's going to do, and, of course, that's a whole bunch of people trying to figure out within a big organization what they're going to do as far as, hey...

B: What do we do to address? And I think really it's, you know, join the various groups within the OpenSSF, or, more generally, you know, join the groups trying to solve the problem. I think the White House is basically looking for existing groups already trying to resolve the problem and maybe trying to give them help in various ways.

B: In general, it doesn't want to create new things unless it thinks it needs to; they'd like to work with existing things that are actually solving the problem, if there's something that already exists. At least that's my interpretation from that past meeting, which actually makes sense. I mean, why, you know what, please don't reinvent the wheel if folks are already working on building one.

G: Absolutely, that's actually very good to know, thanks, yeah, because one of my worries would be something, you know... how do I put this? Yeah, reinventing the wheel from the top down might not be the best idea either.

B: Yeah, and to be fair, a whole bunch of folks didn't know that. I mean, you know, it was interesting to see at the top level. I mean, they do have some security expertise. I mean, I met one of the government folks who used to be the lead for the Chrome browser security team. So it's not like they can't spell software, but there's a spotty level of knowledge. Okay, there are some knowledgeable people, there are some less knowledgeable people there, but again, they don't wanna...

I: Yeah, thanks. Given the format, I don't know how much of this actually got to come out at all. I'm looking at the list of our tasks here from the LF perspective; it seems like not a...

I: ...would be contentious or disagreeable, but I'm curious if, in any of the other dialogues, were there points where people were either disagreeing on approach or just, you know, kind of areas where there seems to be a misalignment in terms of how... I imagine most people are not going to argue that this is worthwhile work. So, okay.

B: He's a sharp cookie, but I think those of us within the Linux Foundation, and I think that includes Brian, right, that includes Brian Behlendorf, who, by the way, is one of the founders of the Apache Software Foundation, have a disagreement with the leaders of the Apache Software Foundation, in that the Apache Software Foundation leaders right now believe that log4j is a well-run project, there are no problems, we just need some more contributors.

B: Now, I'm all for adding more contributors. I don't think adding new contributors would have changed log4j at all. I also think that we should be careful not to shoot messengers, because we all make mistakes. I make mistakes. I write security vulnerabilities. There are experts around the world who write security vulnerabilities. Okay, that's not the issue, and we shouldn't pummel people for making mistakes, but it is reasonable to say the process as it is, is not good enough.

B: We need to change, and this is, I think, a distinction between many of us within the LF, and I think many of our partners, member companies, don't think that everything is fine and nothing needs to change. I think things do need to change and be made better, which is why we have groups like SLSA, where we're trying to figure out whether requirements...
C: Yeah, I have two questions here, and you can answer them in whatever order, but I'm just going to pose them both to you real fast. What were the conversations around funding for open source and these sorts of problems, in terms of getting funding to maintainers? And the other question was, was there any discussion around the fallout that evolved due to this log4j vulnerability around... what was the name of the company that found the vulnerability? Escapes me.

C: But the Chinese government came down and said, you know, gave that company a bunch of, you know, for not disclosing the vulnerability first to the Chinese government vulnerability handling process, and so basically that company is getting booted out of the threat intel feed as a result, as repercussions for the law.

B: I am going to... I don't know enough about Chinese politics, so I'm just going to acknowledge that I'm aware of it, and I don't have any more to add, because I honestly don't understand the full what's going on there. So, you know, I'm gonna have to leave that to others who understand Chinese politics and contracts and other situations better than I do. Does that make sense? I mean.

C: Basically, was there any concern by the US government around that sort of repercussions that were played out around that, or is that just not a conversation that was even had? It seems to set a precedent that, like, you know, vulnerabilities need to be disclosed in a specific way. You know, the Chinese government's become more and more controlling of vulnerabilities. They don't let security researchers disclose, you know, go to hacking competitions outside of the country, stuff like this. I'm just wondering if there's been any kind of concern or discussion in that area.

B: I will observe that the US government is not that different, although it doesn't impose that on external companies. Within the US government, if you work for the US government or one of its contractors and you find a vulnerability, you are required, you are supposed to report it to a process called the Vulnerabilities Equities Process, who then decide whether or not to report that to the supplier or to be used for exploitation.

B: It's called the VEP. The VEP is extremely opaque. We don't know how many are processed. We don't know how many are adjudicated in which way.

B: I am on public record as saying that the U.S. government should at least publicly report those kinds of statistics, because it's a very opaque process today. And after that, I'm gonna have a question.

B: There was a discussion that, okay, LF said, hey, we need to have... money needs to be put here. We don't care, really, if it's the US government, other governments, private industry, probably a combination of those. They acknowledge that funding is important, and that's one of those things that I expect to be discussed in the 90-day point, so. The last White House meeting was much more of a discuss issue, discuss options.

A: I just left a comment on there. A few of us did. I personally can't make 30 minutes earlier work all the time, but I think we can send a survey out to a Doodle poll. We'll have to get some help.

A: Yeah, always. Is that like the third hardest problem to solve with engineering? Meeting times now: naming, counting, now meeting times.
K: Question, go ahead, Tom. Hi, I saw that CISA was also involved. I'm curious because SLSA is like a superset of the SBOM question in some way, so I'm wondering if you could expand on what interaction with Alan Friedman and that whole effort was present in that meeting, and/or if there's any other collaboration between them.

B: Okay, Alan Friedman was there at the meeting. He did speak. I will note that the White House meeting was really more focused on getting input from industry, so he did speak, he did participate, he spoke up, he listened to industry, but this particular White House meeting was much more trying to get information from industry for them to try to help figure out what to do next. But yeah.

B: Now, I mean, SBOMs are obviously, you know, important, and they were discussed a number of times. In fact, one of the four working groups was specifically on SBOMs.

B: So, okay, yeah, sorry to say hi and then bounce, but it's just life. So thank you. You know, happy to take other questions, but I think the quick bottom line is, you know, SLSA got visibility at the U.S. White House level, you know, specific mentions; there's a number of folks who at least are now aware of it.

B: A whole lot of the folks in the White House meeting were actually already OpenSSF members and already knew about SLSA, but we now have a few more who are at least more aware of it, and hopefully we can turn this into greater participation in SLSA and, really, many of these other security-related projects. I think actually we will. I think we're going to be able to use this to get more involvement and hopefully more buy-in as well. Cool.

A: Yeah, sure, whatever. And then next we have Sean. Are you on the call?
J: I am, yes. So, unfortunately, I'm not going to demo our platform today, because we just put in some performance enhancements yesterday and I want to let those settle before we start doing things like demos, but I do want to kind of give a brief intro to the way that we build stuff and what the platform is and what it does, and some of the issues we see with some of the requirements for SLSA compliance.

J: Okay, so the ActiveState platform is an extension of what ActiveState used to do, but it goes way beyond what ActiveState used to do. So ActiveState has traditionally, in the past, been providing complete distributions for Perl, Python and Tcl for multiple platforms that people could kind of just download and use. So you would basically get what ActiveState decided was going to be in that package.

J: So you would get Perl and a whole bunch of other packages that we curated and kept. What we've decided to do with the platform is create something that effectively is able to build an arbitrary set of open source components and glue them together into a runtime for you. Where that's focused at the moment is still being able to produce Perl and Python runtimes, but you get to choose what packages go in.

J: The platform has multiple components, one of which is that we have two different front ends, one of which is web-based and one of which is command-line based, and they basically collate requirements from users in terms of what they want to get out. So they'll say, okay, well, I want Python 3.9 and I want requests and TensorFlow and whatever. That then gets passed into a component that we have called our solver, which is a PubGrub-based SAT solver.

J: That does all the dependency resolution, and we do our dependency resolution all the way down, not just down as far as the ecosystem goes. We will take it down to, you know, C libraries that need to be imported as well, so things outside of the typical ecosystem for the language that you're talking about, we'll go down further into that, and so we'll actually give you things like that.

J: xml2, zlib, all of those things, kind of everything you need to support your runtime, and we'll provide it to you in a complete package. That package you can install with our command line tool, which can then either deploy that to your system or give you a virtualized environment, and so we have a general solution providing you with a virtualized development environment for any particular mix of things that you can build on our platform. Once the solver is done,

J: what it's doing, and what it's going to do as we go forward, is create something that we call a build plan, and that is a description of everything that needs to be built and the order in which it needs to be built and how the inputs from source code and other build steps feed into later build steps.

J: So basically, this is kind of a diagrammatic view of our build plan. This is a simplified one for building the Python core on Windows, for example. So we start with our source. We know that, for example, in this case zlib we build with CMake.

J: We have a build script called cmake builder, which will produce an artifact that feeds as input into the Python core builder, along with the Python core source. That then builds our Python core artifact, and the requests source and the Python core artifact then feed into the build of requests.

J: Let me move this around a little bit, because it's hopefully not moving too fast. From which we build a wheel, and then from the wheel we build our own platform artifact, and then there's some other steps here that I want to go into in a little bit more detail in a minute, but basically that's kind of the flow of how things happen in our system. Everything that happens here in one of these build steps is done in its own isolated container.

J: So everything is hermetic in that regard. These build plans are kind of set in stone at a particular timestamp, so whenever you ask for the same requirements, you will always get the same output. So in that case we've got reproducible builds, and the platform makes guarantees on that part.

J: So I think that kind of... and then, yeah. So basically, we have the State Tool, which is our CLI, which can install all of these things, and we're working on ways to do things like, on Windows, be able to take all of the outputs of the build process and create, for example, a Windows MSI installer based on all the things that we built.

J: Now I want to get into a few of the issues that we have with SLSA compliance here, and I think one of them specifically relates to Windows. Hey, Sean.
J: A couple of questions, it looks like. Okay, yeah, I'm happy to take those now. Tom, should we start with you?

N: Coming kind of new, my first SLSA meeting, so hi everybody. I'm from Goldman Sachs. I lead engineering for open source there, so just trying to understand kind of the goals behind this. Essentially you're trying to build everything, and literally everything, from source and then do it in a secure way, right? So there's like no artifacts that would actually go into this process; it would only be from source.

J: Yes, so basically our starting point is always source code, and we work from the source code for pretty much everything, from a bare Linux distro with GCC installed, and then everything else is kind of built by the platform and layered on top. And so every time you need something, so if you need a build tool, we'll build the build tool, and that will go...

J: So for Windows specifically, we have this step that we want to introduce for Authenticode signing, using Microsoft's Authenticode system to sign dynamically loadable libraries and executables, so that the Windows operating system can understand how to trust, or how much to trust, the things that we build.

J: ...the other end are different, and I know there's again a get-out-of-jail option for these things for hermeticity and reproducibility, but we would need to use them for pretty much everything we ever built on Windows, because everything we do on Windows is going to go through this step in order to detect kind of our executables and dynamically loaded libraries. So yeah, that's one of the issues that we have with it, and I'd like to kind of open up a little bit of discussion on that once I'm done with this.

J: The other thing is that, you know, this is a very small build plan. It doesn't really cover an awful lot of what we can do. We now have basically also offline mirrors of pretty much all of PyPI and CPAN and a lot of C libraries, so we also have the ability to detect whether anything changes upstream, but we have this offline mirror of pretty much everything, and that's where we grab our source code from when we're doing this build.

J: We have a separate ingestion pipeline which goes through and trawls PyPI, CPAN and a couple of other repositories for source code. We download those, verify them against their signatures, and then we store them offline, and we have our own kind of mechanism for checksumming and signing those as well.

J: The problem that we have is that we're now looking at having tens of millions of different pieces of software that we can build, in terms of all of the kind of different packages you can get from PyPI and CPAN and all their relevant versions.

J: So, rather than having a build script for every one of those, we have a build script that can generally build a Perl module, we have one that can generally build a Python module, and then we have separate ones for things like the Python core, and we have, you know, like, for example, this: we're talking about building zlib.

J: The problem is that some things, when we're doing things like when we want to bootstrap autotools, autotools obviously has a whole bunch of different parameters that you need to feed in to get the package that you want out, and we need to encode those, and we encode those separately from the build script as configuration for that build script.

J: So we have the cmake builder, and then we have a list of options that we will poke through from the cmake builder down to CMake itself, which kind of makes the actual cmake builder parameterized.

J: There are other dimensions to this as well, in that we also want our users to be able to do things like say, okay, well, I want everything you're going to build me built with the debug flags turned on. And so the users can, at that top level, say, okay, well, I want a debuggable build, and that will trickle down through options to all of our builders to say, okay, the user has requested debug in their build.

J: How do you actually apply debug information, or how do you get debug information out of this build? And every builder will react differently to that. So again, there are parameters there, and, you know, there are other dimensions to this as well: whether they want statically linked builds, whether they want thread-enabled builds, whether they want GPU-enabled builds.

J: So if we were going to build a system that had individual build scripts for every one of these potential build configurations, we would be looking at, kind of, potentially, you know, hundreds of millions, if not billions, of individual build scripts.

J: So we have a problem there in terms of how we describe this system and whether we can describe it as parameterless when we have these kind of options at the top level. So yeah, that's a brief overview of how the platform builds stuff and the problems that we have, you know, just right off the bat with kind of SLSA compliance. So yeah, let's open it up to questions. Tom, I think you had your hand up first.
P
Yeah,
I'm
sorry
is
there
someone
else,
so
I
yeah
thank
you
for
sharing.
So
my
like
my
initial
impression,
is
that
that
a
lot
of
the
a
lot
of
the
trouble
comes
is
related
to
the
boundary
that
that
salsa.
P
This
also
covers
you
are
describing
the
the
the
top
level
configuration
and
how
users
can
like
configure
that
and
put
settings
there,
which
then
influences
all
of
those
other
individual
boxes,
and
I
wonder
if
like
if
one
approach
is
is,
is
to
consider
that
conf
and
like
that
configuration
is
what
will
eventually
produce
the
like
msi
out
at
the
other
end
right
like
like.
P
Can
you
just
consider
that
top
level
builds
that
top-level
configuration
as
the
build
script
and
and
and
reference
that
in
the
in
the
salsa
providence
that
is
used
for
the
for
for
for
the
msi
build
process
which.
J
Yes,
you
know,
I
think
you
know
if
we,
if
we
did
look
at
it
at
that
higher
level,
we
could
kind
of
look
at
it
and
say:
yes,
okay,
it
is
sealed
and
parameterless
once
you
get
to
that
point,
you
know,
but
we
want
to
provide.
You
know
for
all
of
these
kind
of
intermediate
artifacts
that
we
have
within.
We
want
to
provide.
You
know
attestation
as
to
you
know
where
they
came
from
in
their
province.
P
So
my
my
understanding
is
that
the
the
the
parameter-less
requirement
really
comes
from
the
desire
that
end
users
can't
can't
nefariously
influence
the
build
and
and
and
provide
potentially
malicious
parameters,
and
so
one
one
thing
that
could
potentially
be
explored
is
can
whatever
process
is
like
reads
the
top
level
config
and
then
winds
up
giving
instructions
to
the
to
the
sort
of
individual
steps
if
like
like
that
process
is,
is,
is
automated
and
is
not
under
the
control
of
like
an
individual
user,
if
like
that
process
could
be,
could
could
actually
like
add
the
config
as
another
material
section
like
I
don't
know
exactly
how
how
how
it
would
be
reflected
in
the
provenance.
P
J
Yeah,
and
that
is
an
anti-goal
of
the
platform-
is
to
allow
yeah
allowing
users
direct
access
to
modifying
specific
build
parameters
down
at
that
level
is
an
anti-goal
of
the
platform
right.
P
And
then,
regarding
the
the
msi
signing,
I
like
the
approach
that
I
definitely
that
I
usually
consider
taking
is
that
is
that,
like?
I
would
want
to
evaluate
the
salsa
province
just
prior
to
signing
so
that
you
have
the
like
unsigned
thing,
which
is
probably
reproducible
and
you
have
the
salsa
providence
for
that,
and
then
you
throw
it
over
the
wall
to
like
the
signing
process
and
like
whatever
comes
out
of.
J
Okay,
mark,
I
think
you
were
next.
D
Yeah, I agree with Tom's suggestions. Would you mind filing GitHub issues for these? I think they're great points and, as Tom said, I feel like they're solvable problems, but I think the solution.
D
In my opinion, we should fix the spec to allow these sorts of things. What you're doing is completely and utterly in line with the spirit of SLSA 4, and we just need to fix the spec to work around these kinds of nuances, because right now it was written not anticipating these particular nuances.
J
Hey, cool. Tom, I think you were next again.
K
Hi, yeah. So we faced exactly the same problem in the Nix world: we have these general things like "build Python package", and that thing has parameters, right? But our approach to that problem is that we then bake all that into something that is an artifact of a build plan, and then that thing doesn't have parameters anymore because it's been locked down. So I suspect a similar approach is applicable, and it's something I'd like to see baked in a little bit more into how the standard works.
K
There are situations where you can't quite do that, because something is going to change, like the timestamp example that you talked about, and that's why I really think there needs to be a separation between "here is the artifact and the part of the provenance that is pure in some sense" (it seems like we're talking about a similar sense of purity) and then the portion of it which is impure, that can reference into the pure parts: "oh, this is a timestamp for that."
K
This is a timestamp for that artifact, and that way you have this nice, clean separation, rather than mixing it all up, because if you mix it then all of it's impure and all of it's generated on a whim rather than being reproducible. It would be very embarrassing if the provenance for reproducible software was itself not reproducible, right?
J
Okay, Bella.
N
Yeah, hi. So not so much from a reproducibility perspective, but from a malicious script perspective, which is what I'm understanding as part of this, right? Like somebody putting in a parameter that then goes and does something malicious? Oh, I'm sorry, can you hear me? Yes, okay, sure. So I think I would probably differentiate between a boolean parameter and just an arbitrary string parameter, and it might be something that you could take into account as well, right? So a boolean is generally safe.
J
Yeah, so basically what these things have is we have a notion of... Everything that we can build, every module we can build, we refer to as an ingredient, because we're using a kind of kitchen model to describe everything we're starting with. And we have this notion of ingredient options, and these are the parameters that can be passed through, but those are fixed as well.
J
Users can't modify those; they're just things that we know and are baked into the system, and those options can react to things at the top level like debug, static, threaded, GPU. So basically they will react in different ways. So all those things are kind of predetermined, but yeah, that's how that fits together.
J
Hey, anybody else?
F
Yeah, sorry, I had a hand up and I put it down. I've heard the words pure and impure used in various contexts, and this whole conversation was about the parameterization.
F
I'm less concerned about reproducibility and more concerned about: I can do it again. Understanding the same parameters, I can apply it again and get at least what I consider to be a functionally equivalent result, and somebody who has access to the code can't go off and use that to do other strange things, such as allowing their particular PR to get signed in a way that it shouldn't, or something like that.
J
Yeah, I think that's a little bit prior to where our build chain comes in, but yeah, I see that, and I think it would be nice to be able to specify in which ways we've degraded some of the requirements.
J
So when we say, okay, well, here's an artifact prior to Authenticode signing and here's its provenance all the way back, and here's one that's been Authenticode signed and here's its provenance, and we had to degrade hermeticity and reproducibility because we had to go out for a timestamp.
D
Yeah, one thing I just want to briefly mention is that.
D
It's not clear. The motivation for the parameterless requirement is around understanding what should be okay, right? Maybe it's okay to have debug versus optimized, or maybe it's not.
D
I don't know. Or maybe it's okay to set the optimization level, like one, two, three, four, and those are just known safe. So when you consume the provenance, you effectively have some policy saying which parameters are okay and which aren't. It's simplest if we just say no parameters, and then if there are no parameters, it's definitely safe, and that's why we kind of erred on that side.
J
Okay, Tom, you have your hand up again, I think. Nope. Okay, Scott, you have yours up.
M
Yeah, I'm just going to piggyback off of what Mark was saying. When we think about the systems and designs, it's about modeling what parameters can be used and reactions to them, so that we know what they're about before we start doing the builds, and then they can't be modified. So I like the things that you're suggesting there, Mark; that will definitely help aid us as we keep working on our goals and be able to feed that back, and it's just really about, we.
M
I come from a functional programming background, and that's where we think about that entire world: we should know everything going in before we start this whole process, so they can make really, really strong guarantees through the entire pipeline and circling it out. So.
J
Okay, Jack.
O
Yeah, I was wondering (sorry about the noise in the background) to what degree this could be framed as a legal space of configurations, because you can think of each configuration flag providing another dimension, and a particular configuration is a point in multiple dimensions. Therefore you can say there's a space which is legal to parameterize and a space which is not, so you could say the dimension defined by this parameter is no longer modifiable, or can only accept certain ranges, and so on.
J
Yeah, I think, well, I mean, the platform has the ability to reject a particular configuration as invalid, so I think that's something that we could explore. At the moment it's used really to say: okay, well, we just don't know how to do this, we can't build this that way, or that's just precluded by something else.
J
Yeah, I mean, nobody's telling us what the use case for their stuff is, so you can't say, well, debug on production is a bad idea; we don't have that level of information. But yeah, it's an interesting thought. It is a multi-dimensional thing: these things are all orthogonal in terms of whether you can turn them on or off. So yeah, I think that's an interesting take on it.
K
Is that something that is somehow semantically like they're the same thing with one variation, or do you then consider them to be so completely different that they're divorced from each other because of the potential ramifications? An example of this would be enable or disable CUDA.
J
In the system, it gets a deterministic artifact ID, which is effectively the Merkle tree of all the dependencies and inputs that generated that artifact. So the build script itself, any parameters that were passed to the build script, the specific source code that was applied, and any top-level build parameters that would collide are all part of that identity. So if you change something and say, okay, at the top level I would like debug, we treat that as an entirely different build.
J
Okay, any other questions?
Q
No. Yeah, just a quick update: the plan to donate it is being worked through; probably we'll have more details at Supply Chain Integrity, but yeah. I want to give a couple of minutes to new members. Cool.
A
Thanks. Yeah, any new members on the call that want to say a quick hello before we all drop off?
E
Hi, just want to say hi. My name is Brandon, I'm the co-chair for CNCF TAG Security. Michael has been doing a great job of bridging the groups together. I know we have a little bit of overlap, yeah. So I wanted to say hi, reach out, and say that we are looking for places where we can collaborate. I know we have the OpenSSF work, we have the catalog, which kind of needs a little bit of updating.
E
So anyway, we can collaborate on that. I'm also joining the Google Open Source Security Team, so I'm going to be diving a lot deeper into the SLSA and supply chain stuff, and so I hope to actively engage and contribute to the community.
N
Hi, I've introduced myself briefly before, but just wanted to say a maybe slightly lengthier hello. So I'm Bella Weisman. I lead engineering for open source at Goldman Sachs. We recently joined the OpenSSF and we're thinking a lot about supply chain security, specifically in the financial industry, and how we can secure things a little bit better.
C
It's been a while, I've been out for a long time, so hi, Jonathan Leitschuh. I was formerly at Gradle, but I'm now working for HUMAN. I was awarded the Dan Kaminsky Fellowship, so I'll be spending the next year doing open source security research. The Dan Kaminsky Fellowship was created to commemorate the memory of Dan Kaminsky, who was the famous security researcher who passed away tragically last year, and so: putting out internet fires and finding security vulnerabilities and fixing them at scale.
A
Oh, cool. I gotta run. Nathan, do you want to go really quick? Your hand's up.
M
Robertson, CTO of ActiveState. I've been promising Zach that I would be joining this meeting. Today was the first time that I could join, and man, I love it. I'm gonna start rearranging my calendars and join more. A lot of great talent here. It's a pleasure meeting everybody.