►
From YouTube: SLSA Positioning Meeting (January 10, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A
B
A
A
A
A
So
that's
that's
what
happened
and
I've
since
fixed
that
and
so
I
apologized
in
the
slack
Channel
I'm
like
hey
sorry,
it
wasn't
on
the
calendar.
I
didn't
realize,
but
it
was
on
my
internal
calendar,
which
is
why
I
I
started
it
up
and
there
was
a
couple
of
other
people
that
had
the
same
thing
where
they
had
it
on
their
internal
calendar
or
they
figured
it
was
probably
happening
and
just
not
on
the
calendar.
Hi
Kathy.
Thank
you
for
joining.
A
C
C
C
A
Pretty
funny
because
this
past
Monday
I
had
this
but
I
had
put
stuff
on
the
agenda
for
the
specification
meeting
to
talk
about
that
yeah
and
then
my
manager
put
something
over
that
time
slot
for
like
the
priorities
for
2023
and
things
like
that
and
I'm.
Like
that's
the
worst
slot
I'm
like
I'm,
sorry,
I
can't
attend
you're
gonna
have
to
record
so
I
missed
that
meeting
for
first
awesome
meeting,
because
I
was
like
I
can't
I'm
on
the
agenda.
C
A
C
A
Okay,
so
I
know
I,
think
hi
Bruno
thanks
for
joining
and
I'm
trying
to
get
my
windows
organized
here,
so
I
don't
have
to
like
look
all
the
way
over
there
to
see
everybody
and
get
my
my
chat
if
you
can
sign
in
that,
would
be
nice
folks
that
just
joined
Cedar
fever
season
here,
so
my
allergies
are
acting
up.
So
if
you
see
me
disappear,
I'm,
probably
you
know
dealing
with
my
nose
because
it
this
is
the
time
of
year
that
sucks
to.
A
A
But
what
we
did
was
we
said:
okay,
we
know
2023,
we
have
buy-in
from
many
different
people
that
we're
going
to
start
aligning
prioritizing
same
vision
together
right
and
one
of
the
things
that
came
up
was
conferences
right.
How
do
we
make
sure
that
we
are
as
a
group
presenting
or
have
representation
in
these
conferences,
and
so
what
we
did?
The
last
session
is
we
kind
of
did
a
high
level
brainstorming
of
what
could
we
do
not
only
as
a
positioning
group
but
potentially
even
with
the
other
group
saying?
A
Okay,
you
as
a
social
specification
Sig,
you
should
talk
about
the
1.0
update
in
detail
right,
so
that's
not
something
we
would
do,
but
that's
something
that
Josh
and
Mark
potentially
do
so.
We
were
thinking
of
more
than
just
our
group,
but
across
salsa
to
figure
out
what
could
we
submit
and
we
came
up
with
this
timeline
to
say:
okay
will
have
a
first
draft
of
all
of
these
Talks
by
the
24th,
we'll
all
review
by
the
31st
or
first
draft
24th.
A
We
need
to
review
that
that
drop
by
the
31st,
because
submission
will
be
on
Friday
the
3rd,
because
I
think
it's
due
the
5th.
So
the
timeline
is
coming
up
real,
quick
for
those
submissions.
It's
a
lot
shorter
this
time
around
than
last
year,
and
so
what
I've
done
here
is
I've
started
to
break
out
some
of
the
ones
I
didn't
do
the
roadmap
update,
because,
obviously
we
don't
have
the
right
people
on
this
call.
Thank
you
for
joining
Michelle,
feel
free
to
sign
in
I
know.
Let
me
where's
the
chat.
A
I,
don't
know
where
the
chat
is.
I've
lost
the
chat.
If
someone
can
oh
wait,
I
found
it.
Yes,
there
you
go
so
my
goal
for
today
is
to
try
to
say:
okay.
What
do
we
think
we
would
talk
about
in
terms
of
like
a
an
abstract
at
a
high
level?
We
did
some
of
that
brainstorming
last
week,
but
I
think
if
we
can
start
writing
down
some
words
for
each
of
these
I
think
it
would
go
a
long
way.
So
that's
the
focus
on
the
call.
B
C
A
A
D
A
In
Vancouver
so
that
time
we're
like
okay,
we
know
this
is
a
big
one.
Typically
open
ssf.
Is
there
there's
a
supply
chain
security
con
there,
so
this
one
I
suspect
we
would
want
to
participate
in
and
for
the
other
ones,
I'm,
not
sure
right.
We
would
have
to
have
that
discussion
with
the
supply
chain,
Integrity
working
group
to
say,
okay,
what
do
you
think
we
should
prioritize
right?
A
We
can't
do
everything
necessarily,
but
you
know
what
do
you
think
as
a
group
we
can
do,
people
can
submit
their
own
talks
if
they
want,
but
as
a
group,
as
leads
as
particulars
or
participants,
what
could
we
provide
for
for
this
year,
so
yeah
so
for
for
this
one?
We
talked
about
this
last
time.
We
talked
about
the
business
problem
like
you
know
why.
Why
would
someone
care
right?
A
Because
if
you
don't
tell
them
the
why
you're
pretty
much
gonna
lose
them
the
1.0
launch
right
now,
it's
10
the
the
RFC
is
going
to
be
beginning
of
February
and
then
they're
thinking
of
wrapping
up
by
March
1st.
That's
the
goal
right
now,
so
it
should
be
well
out
there.
If
we
stick
to
this
timeline
for
1.0
launching
so
and
then
you
know
having
potentially
a
road
map,
if
we,
if
we
coordinate
with
the
supply
chain,
Integrity
working
group
with
salsa,
obviously
the
the
Sig
leads
as
well
as
attack.
A
B
A
Yeah,
it's
supposed
to
be
billed
level
one
two
and
they
won
a
target
for
three
as
well.
So
that's
what
they're
trying
to
go
for
by
March?
First,
okay,
there
is
APR
currently
for,
let
me
see
I
think
it's
pool
or
high
five
five
I
can't
remember:
there's
a
like
525
Maybe
PR
request
that
talks
specifically
about
provenance
I
have
not
had
a
chance
to
read
that
PR.
B
B
They
pull
provenance
out
completely
and
made
its
own
thing
now.
I,
don't
know
if
that
was
intentional.
I,
don't
know
if
that
was
just
a
work
on
it
and
then
maybe
put
it
back
in,
but
I
do
know
that
privacy,
prominence
version,
1.0
initial
job,
they
pulled
Providence
out
and
I'm
and
I
and
I
and
I
and
I
think
that
had
something
to
do
with
what
we
brought
to
them
a
couple
of
months
ago.
A
A
What
are
the
packages
that
make
up
the
build
environment
and
not
the
application
or
the
package
that
which
you
are
building
but
I've,
not
gotten
a
response,
because
that
was
this
morning,
so
I
need
to
go
through
it,
but
I'm
not
100
sure
like
what
what
in
1.0
is
officially
launching.
There
is
that
proposal,
and
yesterday
they
said
what
they
wanted
to
do
was
meet
that
proposal
at
least
the
majority
of
what
they
set
out
to
do.
A
E
Year
it's
in
April
and
we
may
have
already
missed
the
cfp.
I
I'm,
but
I
mean
I
it.
That
would
have
been
a
great
place
to
actually
talk
about
salsa
because
the
audience
I
here's
the
problem
that
I
perceive
that's
happened
with
the
direction
salsa
is
going,
which
is
great,
I
mean
it's
focused
very
heavily
on
developers
and
implementers,
but
not
on
cisos,
really
and
ciso's
here,
supply
chain
security
and
they
go
and
they
run
around
and
they
go.
E
Let's
buy
us
some
of
that
and
like
that,
that's
not
what
this
is.
This
is
process
right
and
with
some
tooling
that
maybe
understands
it
and
there's
a
captive
audience
at
RSA
right
of
cisos
and
security
directors,
and
things
like
that
and
this
the
opportunity
is
there
to
help
them
talk
to
and
learn
how
to
talk
to
developers
right.
E
There
are
other
conferences
like
this,
so
we
probably
want
to
try
to
Target
them.
If
you
have
a
if
there
are
b-sides
events,
local
to
you,
those
Community
backyard.
Events
are
great,
I
have
just
FYI
recommended
I've
been
working
internally
with
the
event
coordinator
for
in
Google,
Cloud
for
RSA
security
conference
and
explained
I
said:
look.
E
We
need
to
not
just
talk
about
Chronicle
and
you
know
and
Mandy
that's
great,
but
we
also
need
to
talk
about
salsa,
mvsp
and
Dora
and
Salsa's
right
at
the
top
of
the
list
right.
So
any
content
that
we
have
that
could
be
on
a
you
know
like
talking
points
or
Associated
blog
post
I
mean
that
we
can
help
push
there
I'm
willing
to
make
that
happen
in
our
booth,
yeah.
A
That's
actually
another
reason
why
we
said
we
think
a
month
worth
of
time
will
give
the
tooling
group
an
hour
group
enough
time
to
create
blogs
to
create
the
tooling
required
for
1.0,
and
if
we
can't
meet
the
March
1st,
we
would
just
extend
the
RFC
deadline
so
that
we
can
get
up
to
speed
for
the
1.0
launch.
So
we
want
to
be
in
lockstep
for
all
the
the
different
salsa
to
groups
us
and
the
tooling
to
make
sure
everything
is
in
order.
A
E
By
the
way,
there's
more
than
one
RSA,
there's
RSA,
also
in
Europe
and
there's
appsec
us,
but
there's
also
other
appsec
events
that
we
could
Target
I
mean
they're
all
over
the
world
besides
all
over
the
place.
So
that's
what
I
would
recommend
that
was
what
I
had
on
my
content
plan
is
RSA
besides
and
any
owasp
event.
A
A
D
A
A
A
D
A
A
A
D
A
E
A
A
No,
no,
no,
but
by
all
means,
because
it
says
Anonymous
so
I
don't
know
who's
typing,
but
clearly
you
have
an
accident,
so
I'm
gonna,
let
you
do
your
thing,
I!
Think
for
the
content.
The
only
thing
about
the
content
that
we
care
about
for
the
abstract
is
making
sure
that
we
cover
high
enough
level
statement
that
we
could
add
extra
things
in
there
if
we
need
to
as
an
example
right
so
right
now
we're
just
talking
about
the
business
problem
and
why
do
I
care?
A
B
A
A
A
E
So
when
you're
doing
cfps
I
think
you
gotta
grab
them
at
the
beginning
and
you
could
have
a
subtitle.
So
if
you
have
the
catchy
one,
like
you
know,
chips
and
salsa
for
beg,
you
know
beginner
supply,
chain
security
or
something
like
you
have
the
catchy
thing
at
the
beginning,
hook
them
and
then
have
the
description
like
the
subtitle.
A
E
A
E
Remember
nobody's
gonna
know
what
the
hell
salsa
is
right
and
that's
the
point
like
so
you
want
to
say,
like
you
have
the
ab,
the
the
the
model
name
right,
you
have
salsa
and
you
say
pick
one
of
those
and
then
you
say
something
about
it's
about.
You
know
the
basics
of
supply,
chain,
security
right
and
then
they're
going
to
be
intrigued
right.
So
you're
saying
oh,
what's
it's
not
spelled
like
salsa?
What
does
that
mean?
E
That
sounds
interesting
right,
so
you
you
want
to
tell
them
what
salsa
is
right
kind
of
in
the
title,
which
is
oh,
it's
about
supply
chain,
because
they're
not
going
to
remember
they're,
not
they've,
never
heard
of
like
a
lot
of
people
haven't
heard
of
slsa
right
and
especially
if
you
focus
on
like
I
put
here
so
say:
let's
say
you:
do
you
go
to
b-sides
or
you
go
to
you?
Do
it
at
RSA
security
conference?
Okay,
not
those
aren't
developer
conferences
right,
but
you
want
crossover.
E
A
E
So
the
second
FYI
so
having
been
worked
on
security
teams
and
been
a
security
architect,
I
will
tell
you
when
they
see
nist.
That's
like
you
almost
want
to
put
that
very
close
to
the
top,
because
that
answers
the
regulatory
question
and
the
the
you
know.
Like
any
time
you
a
ciso,
sees
that
oh
there's,
a
nist
standard.
A
A
E
I
I
can
tell
you
some
of
those
like
assessment
language
formats
like
vendors,
might
end
up
using
it,
but
I
I,
don't
know
like
I've.
Never
had
the
an
oscow
conversation
in
an
Enterprise
I
can
tell
you
that
I
have
never
I
actually
had
to
look
it
up
and
I
remembered
what
you
were
like
the
for
the
the
format
and
everything
like
but
yeah
I've
never
had
that
conversation
in
an
Enterprise
I
can
tell
you.
A
Yeah
I
think
I
think
the
it's
possible
in
an
Enterprise.
This
is
just
my
theory
here.
The
reason
why
obscow
hasn't
been
talked
to
enough,
because
they're
I
think
nist
does
use
Oscar
if
I'm
not
mistaken,
but
I
think
in
Enterprise
they're
doing
things
so
manually
and
they're
used
to
doing
things
so
manually
that
they're
not
thinking
about
how
do
we
scale
this
so
that
we
don't
have
to
waste
time
cross-checking.
All
of
these
you
know
controls
this,
that
control
that's
what
allscal
is
intended
to
do.
A
E
I,
don't
think
that's
it.
I
mean
every
place.
I've
worked
over
the
last
five
years.
They
are
trying
to
automate
like
Capital
One
For
example
tries
to
correlate
and
automate
a
lot
of
this
I
that
we
didn't.
We
never
talked
about.
Oscow
I
mean
maybe
somebody
brought
it
up,
but
I
think
you're
more
likely
in
my
experience,
like
it's
sort
of
like
the
Sarah
format,
you're
more
likely
to
have
that
conversation
with
a
vendor
I'm.
Just
just
my
my
impression.
Having
worked
on
the
Enterprise
side,
yeah
well,.
B
F
B
One
area
will
input,
we'll
have
we'll
have
inputs
that
are
in
one
format.
Another
area
will
have
inputs,
another
format
and
it's
supposed
to
produce
something
when
you're
for
the
purposes
of
auditing,
so
that
you
don't
have
to
so
that
one
person
doesn't
have
to
go
to
all
these
different
places.
All
these
different
places
can
feed
into
one
tool
with
their
different
format,
and
it's
supposed
to
regurgitate
some
or
it's
supposed
to
spit
out
something,
that's
readable
that
says:
hey
based
on
all
of
these
inputs
from
all
of
these
different
formats.
E
I
mean
irm
is
like
I
was
having
this
conversation
earlier
internally
and
irm
is
like
everybody,
you
know
the
single
pane
of
glass,
irm
centralized
dashboard
automating.
All
these,
it's
just
so
most
places
are
so
far
away
because
most
of
it
is
just
a
jumble
of
trying
to
get
these
tools
to
plug
into
each
other.
I
mean
I,
I
mean
maybe
I
I
don't
mean
to
sound
like
a
negative
Nelly,
but
having
lived
it
in
banking,
I,
just
I.
B
I
just
think
the
tool
hasn't
been
built
yet
that
can
produce
the
the
report
or
whatever
it
is,
that
needs
to
be
produced
that
uses
all
the
information.
I
I
think
that
I
I
don't
I'm,
not
saying
that
it's
not
good
I'm,
just
saying
that
everyone
I've
spoken
to
everyone
I've
reached
out
to
about
it.
They
all
it's
like.
There's,
no,
there's
no
ending
to
the
story.
This.
This
is
just
additional
questions.
There's
no
yeah.
E
A
A
A
F
A
I
have
not
yet
asked
anybody
internally
for
folks
on
this
call.
Would
there
be
anybody
from
your
organizations
or
organizations
that
you
know
have
done
kind
of
that?
We've
done
salsa
demo
to
the
broader
community
that
maybe
we
could
reach
out
to
because
it'd
be
good
to
have
different
perspectives
right
Verizon's,
a
telecom
right
red
hat
is
pure
open
source
software,
so
it'd
be
good
to
have
different
industry,
slash
sectors
participating
so
that
there
is
a
diverse
point
of
view.
A
A
A
Was
it
level
three
so
yeah?
We
should
probably
record
that
so
Jay
do
you
know
as
an
example
Microsoft
right,
I
know
at
IBM
we're
doing
something
but
I
think
it's
mostly
internal
I.
Don't
think
we
have
an
official
product.
That's
been
announced.
I'd
have
to
go
double
check,
so
my
does
Microsoft
have
anything
I
know
Bruno.
You
were
going
to
check
for
on
your
end,
okay,.
B
Yeah
that
this
is
still
touch
and
go
as
far
as
salsa
is
concerned.
Inside
of
Microsoft
I
know
that
that
there's
been
talk
about
a
few
that's
been
talked
actually
Salsa,
Fresca
guac
there's
been
a
lot
of
talk
about
about
all
of
these
internally,
but
I
think
I
think
there
are
still
it's
still
touch
and
go
with
salsa,
mainly
because
there
hasn't
been
a
nail
down
yet
of
what
of
where
salsa
is
going
to
land
version.
One.
F
F
B
A
F
B
Hang
stuff
on
on
a
on
a
on
a
maybe
I
mean
I'd,
really
like
that.
It
helped
I
I
and
I'm
following
I'm
following
the
GitHub
site
I'm,
following
all
the
conversations,
because
I'd
really
like
to
know
too
for
the
purposes
of
what
we're
attempting
to
do,
where
we're
gonna
fall
at
a
version
one,
because
a
large
part
of
how
we're
trying
to
help
position
relies
on
that.
You
know
so
so
yeah
that
that's
where
it's
from
a
Microsoft
standpoint,
we're
trying
to
figure
that
part
out.
E
E
D
B
B
A
A
Claim
level
three,
and
so
we
we
could
certainly
who,
if,
if
there
is
a
person,
I
think
this
is
valuable
perspective.
If
there
is
a
person
that
can
talk
to,
we
used
to
version
dot
one,
if
you
see
level
three
but
because
of
version
1.0
now
we
are,
you
know
level.
You
know
two
for
build
Etc
right.
That
is
an
interesting
story,
because
there
are
plenty
of
people
that
have
gone
down.
A
This
version
point
one
Journey,
and
so
they
need
to
be
aware
that,
just
because
you
were
level
three
or
level
four
before
doesn't
mean
you're
gonna,
be
that
come
time
when
you
revisit
version
1.0,
so
I
think
that's
a
really
really
valuable
perspective.
If
we
could
find
a
person
that
could
speak
to
that
at
Google.
E
Big
deal
I
mean
if
you
want
I
mean
they
talk
a
lot
about
salsa
internally
like
a
lot,
so
it's
very
yeah
I.
We
probably
did
talk
about
it
at
next,
because
we
have
products
that
we
link
to
salsa.
You
know
to
say:
hey
we're
so
like
so
we
have
that,
but
we
we
also
have
discussions
like
about
our
product
side
where
we're
implementing
salsa
ourselves
right,
you
see
so
you
do
Which
comp
I
mean
I
can
have
both
I
can
get
both
conversations.
C
D
A
D
A
A
And
I
did
get
confirmation
from
Aaron.
It
was
level
two
because
of
a
constraint,
git
lab
side.
If
I,
if
I
understand
GL
is
gitlab
so
that
that's
something
that's
good
to
talk
about
right.
It's
like
well
I
can't
get
past
this
because
we're
using
x
y
z
and
that
thing
that
tool
can't
do
you
know
this
requirement
of
salsa.
A
A
E
We
can't
repeat
that
sorry,
there's
something
called
Innovation
sandbox
and
launch
pad
at
RSA
security
conference
and
that's
that
environment
is
ex
explicitly
for
the
purpose.
Like
I
remember,
once
I
saw
a
bunch
of
TPM
presentations
at
Innovation,
sandbox
and
that
might
be
I,
don't
know
if
they
do
open
source
things,
but
it
it's
worth
maybe
taking
a
look
at,
but.
A
Yeah
I've
not
heard
of
it
I
think
when
we
talked
about
this
last
week
right
we
were
hoping
that
would
be
more
interactive,
that
it's
not
necessarily
a
website
that
you
go
to
to
do
this,
but
that
could
be
an
option
for
those
that
don't
have
a
laptop.
So
that's
a
good
point.
You
know,
maybe,
for
those
without
laptops,
slash,
Dev
tools
right,
because
there's
going
to
be
a
bunch
of
different
people,
so
we
talked
about
you
know
a
lot
of
people,
especially
you
know
people
that
want
to
implement
salsa.
A
A
A
No
and
then
I
think
for
this
may
need
tooling
groups
help
slash
tools
right,
I
suspect
that
they
they
have
something
up
their
sleeves
right
and
I'm,
not
sure
if
it's
them.
That
would
be
doing
this
right,
but
this
is
kind
of
like
a
beginner
way
of
looking
at
it.
Maybe
there's
also
an
advanced
version
of
the
the
demo.
A
A
A
E
F
D
A
A
F
Came
in
yeah,
it's
just
as
Prime
as
promised,
but
I
I
had
a
overview,
a
salsa
overview
that
I
did
in
May
for
internal
to
Red,
Hat
and
I
scrubbed
it
of
The,
Branding
and
and
left
kind
of
just
the
basics,
so
that
you
didn't
have
to
start
from
school.
We
wouldn't
have
to
start
from
scratch
and
then
added
I,
just
added
a
road
map.
A
blank
roadmap
slide
to
the
end.
A
It's
also
yeah
we'll
have
to
think
about
this
salsa
Hands-On
demo,
and
obviously
we
can
do
this
offline
as
well
right
if
you
come
up
with
something
put
it
here,
if
you
think
of
a
really
good
abstract
put
it
here,
there's
no
reason
again
that
one
person
has
to
do
it
or
that
we
even
have
to
meet
I.
Think
now
that
everybody
gets
the
gist
of
what
we're
doing
it's
it's
easy
to
to
collaborate
and
do
it
offline.
B
B
A
Yeah
so
I
I
do
like
the
the
the
title,
so
it
really
sounds
like
we
need
to
vote
on
The
Beginner's
one
and
then
talk
about
this
one
I
think
I
like
salsa
with
us.
You
know
the
dance
of
abstract.
Oh
what,
if
it's
salsa
with
us,
oh
I,
see
what
you
did
is
this.
The
the
sub
cap,
caption
or
subtitle.
Is
that
what
this
is
Michelle?
A
E
E
F
E
A
E
A
B
Update
I,
don't
even
know
that
that's
been
decided,
yeah
I
asked
about
that
last
week
or
the
week
or
the
week
before
that.
Well,
there's
going
to
be
an
open
ssf
day
and
I
guess
they're
still
trying
to
figure
that
part
out,
but
I
can
ask
David
Willow
a
crow.
You
know:
okay,
what
that's
gonna,
where
they're
landing
on
any
of
any
of
that
stuff.
Okay,.
A
Yeah,
that
would
be
fantastic
because
I
was
like
I,
don't
even
know
where
to
begin
with
this,
because
the
expert
Lounge
is
great,
for
you
know,
whiteboarding
or
just
ad-hoc
conversations
and
questions
that
people
can't
ask
during
the
sessions
or
after
the
session
and
then
the
open
ssf
day.
If
we
had
a
presentation
about
salsa,
then
we
would
want
to
be
included
in
the
open
ssf
day
but
I.
Thank
you.
Laura
and
I
actually
have
to
run
two.