Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SLSA Biweekly / 6 Jan 2023
OpenSSF / SLSA Biweekly / 6 Jan 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SLSA Tooling Meeting (January 6, 2023)

Description

Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj

A

Hey: hey Mike, Happy, New, Year,.

B

Happy New Year.

A

Happy New, Year Brad.

A

Nice to meet you hi nice to meet you too.

A

Am I.

C

uh My headset.

D

Doesn't seem to want to work.

D

uh Can folks hear me yep very cool yeah.

C

I, don't know where my headphones weren't working.

B

Foreign.

A

Does anyone know where to document for this meeting is if there's one, this is not on the calendar right.

D

Oh, do they forget to include it in there yeah there's. Definitely one here.

A

Yeah I don't see it on.

B

The account send the title.

A

Of the title really yeah.

D

Of the slack chat, yeah yeah, it's.

A

A slack chat; okay, it's not in the calendar right, okay,.

D

Yeah yeah not sure why uh it's not on the calendar. Invite I know that the calendar invite got deleted off the.

B

Also,.

D

Inadvertently got deleted off the uh the thing here.

B

Help me.

A

Sorry, what's this lecture at Gold is: is there a separate channel for salsa dueling I'm? Guessing there is yep salsa Dash tooling. There we go yeah, okay, great.

D

Also not sure why all of a sudden I don't have access to my own. The dock that I get.

C

Yeah I I have a request. Edit access also I can't change anything.

A

um Yeah well.

D

That's that's weird because I'm pretty sure I'm, the one who created the dog.

C

um Could be wrong.

D

um uh Let me go and.

D

Is there a way to see who has who's the owner of a document.

A

It's a good question: let's see.

C

um

C

Okay,.

D

I mean worse, comes to worse, I'll, just copy and paste into a new Doc and we'll just start using that one.

A

Yeah I feel good someone. Someone could update the cncf calendar, then why that would also be great.

D

Yeah um I I emailed the open ssf folks to to fix the invite but I guess they didn't um I'll I'll email them again.

B

Wait.

B

To copy.

C

And.

C

Give me one second and.

B

Sure.

C

Editor.

D

All right so I'm going to share it in chat here and then I'm also going to update the.

D

The.

C

Openssf thing and I'm going to change.

D

All right for uh folks who are on um so as I posted in chat here feel free to add your um your name into uh into the attendance and as well as anything.

C

All right.

D

um

C

There.

C

One second.

D

I'm not sure if anybody has any uh because I know it's been a few weeks so I know some folks probably forgot that the meeting's still on um but we'll try and get folks back on in the coming weeks. Now, because we're trying to drive towards uh 1.0 so yeah we can get started uh just as a reminder. This meeting is being recorded, it'll be uploaded to uh YouTube shortly after and your participation in this meeting is an agreement to abide by uh the openssf code of conduct.

D

Oh, it looks like Ian's joined, joining Hi Ian.

D

Feel free to add your.

D

Hey whoops I copied the wrong thing feel free to add your thing into the meeting notes.

D

uh Okay, um so anyway, uh the main uh agenda piece other than anything else that that folks want to bring up and folks want to kind of um include in in what we're doing uh one of the things just as an update uh So. The plan is, you know, we're already sort of I would say like four to five months late on 1.0 for salsa, but the idea is to get salsa out by the end of um February uh to salsa 1.0 at the end of February, um with the idea.

D

You know, like I, think now that there's a lot more eyes on it, a lot more eyes on salsa, it's a little bit harder to make some of the changes, because there's obviously a lot of community feedback and those sorts of things, and we are trying to also build out a a bit of a process where we're trying to say, let's say stuff like clarifications, don't necessarily need to be um 100 percent uh done in order to have another release.

D

So we can say you know hey if, if there's a little bit of confusion about what something has meant, that's okay, as long as like it is clear that, like it doesn't materially change, you know some sort of meaning right. It's it's like talking about. You know like as an example is the exact thing here. You know when we say hash are we talking about which hash, algorithms or whatever it's like?

D

Look that is going to get updated or whatever, but this is what it means, and this is you know um anyway, that that's kind of where we're pushing on a lot of the 1.0 stuff, um we're hoping to get that out uh in Feb as part of that uh we're going to want to as as part of the salsa tooling meeting. The thing that we're gonna uh want to do is make sure that we're prepared for all the 1.0 changes.

D

So there's going to be a new spec, um it's a little bit cleaner, it's a little bit nicer because it also splits up um reproducible metadata as in like stuff, that is, you know, um The Source uh and those sorts of things um are put into one section.

D

As well as sort of more non-reproducible metadata stuff like time stamps and those things are going into a separate like metadata section of the uh the salsa um provenance spec with the intent there of saying like hey, if you just want to check, if two metadata, you know, if two things are the same, and you want to just look at the those pieces, you could just look at that sub object in the Json um which, which you know simplifies a lot of stuff, as opposed to saying. Oh I need to compare all of these fields.

D

um Now you could just sort of say: I can just compare this one field with this other field, and it should be fine um and once again, that's assuming canonical Json or some sort of canonicalization uh scheme there cool. uh So that's kind of um the only stuff, uh I think we're uh that that's sort of really changed.

D

I know that I believe um not next week, but the week after I think is supposed to be the next like full-blown salsa meeting um with the the monthly salsa meeting, where we're going to be talking about that a little bit more um parth, you have your hand up.

C

Yeah I had a question: um was there like evidence, field going to be added? I know there were some talks about that, like adding in evidence like hey, you know for some other things like I have a traumatic or something right it provided. Some kind of evidence is that is that true, or is that being added or not yeah.

D

So let me let me look like we could actually look at the spec right now. um What's proposed, there I believe um the idea was to allow for it. The thing that folks were talking about was whether or not some of the existing Fields can just be used for that information, and you could just sort of you know Point folks to um to that.

D

Let me go and take a look.

C

um

D

Boy, it's one of those big uh those big PR's, which makes GitHub go really slow.

D

Air it so this is that and let me go and we can kind of.

C

um

B

Foreign.

D

Let me share my screen in a second here.

C

And then.

B

So.

A

Sorry Michael just to clarify you need um PR five to five to be reviewed by the committee. Now.

D

Oh, it already is being yeah.

A

Because I still I see that it's still in draft.

D

Yeah, no, it's it's still in draft, but um most of us on you know. uh Most of us have been having chats in in the the um slack as well as in some of the other ones, because there's the salsa specification meeting, um which it happens on Monday, which is where a lot of this is uh a lot of that discussion, is, is happening and it's it's a combination of folks. But you know who are part of um the committee and not.

B

Cool.

A

Thanks so I'll make it a point to uh to review these two.

D

And so right now they're using um q a bit to sort of do some of the um uh some of this, but but even um I believe from what.

D

uh Mark was saying: is he didn't want it to be? Let's say this idea here was not supposed to be fully fledged like hey.

D

um The idea right now is to be more like just syntactic sugar around um a Json spec. This is not intended to be like the like you wouldn't at least at the state.

D

It is right now this is more intended as documentation than to be used as a um like a schema, validator right, because there's certain things in here like the timestamp, where you know you could use a regular expression or there's some hooks in in queue that are coming, that allow you to sort of validate against the timestamp he's just saying string um as well as, like you know, some of these things here is like hey, we're just sort of saying shot: 256 String, Shot, 512 string and so on, um whereas you could have like a regular expression that says you know here's what the you know so, but just to keep it simple for now, that's kind of what he's um doing there, uh and so there's a bunch of stuff.

D

In here um it's been a few weeks since I've been able to read it as well, because I was out of the country for a while uh foreign.

D

But yeah I believe there's. um The idea here is to have elements in a build definition. There's elements of um uh the Run details, there's going to be uh metadata, which is like the time stamp information um and so on and so uh yeah, let's see, is there anything that yeah?

D

He also has um this document which he went over in one of the meetings where the idea here is he's trying to sort of separate out the stuff that is stuff that you don't necessarily control like the stuff in Orange right like you're, not you know, at least when you're sort of looking at it you're like yeah you're, not exactly sure what dependencies you might be pulling in if you're not using the right sort of build or whatever and and there's a lot of things there, um and these are all sort of external sort of stuff and yeah yada and then the stuff, that's in green, so the stuff that's in Orange is mostly like the external pieces.

D

The stuff that's in red, obviously, is the build itself and then the stuff, that's in green is stuff. That's supposed to be part of like owned by the build platform itself. In this case, you know the build platform, any sort of parameters that fit into the system, um the environment uh that that you're building on and that sort of thing, uh cool, um I, don't remember! If there's like what else there is here.

C

So it doesn't look like the evidence field. Okay,.

D

Yeah I mean one of the things um as well is I. Believe byproducts here is one of those things um I believe that was at least the one of the intents here. Let me just make sure.

D

So yeah byproducts is just like what like these could be any sort of output from a build, and some of those outputs could be even include stuff like evidence um whether or not we want to split that into its own separate field. um I haven't really given it much thought personally.

D

Foreign, but I know that some folks have been talking about. For example, like you know, you might have separate salsa documents for even the evidence themselves. You know, depending on how you want to do it, but yeah um the I. Remember that the the there was a lot of concern.

D

I, don't remember exactly what the concern was about, including evidence in the salsa, where the salsa here is just trying to more or less just provide the Providence piece and sort of adding in additional information seemed to be potentially not what you wanted to do compared to just sort of saying here is like the byproduct and the byproduct is, let's say the logs or whatever and just saying, go, take a look over there.

C

Yeah I mean I think there was talks in the intuitive attestations right that Sky predicate could be something that could provide that kind of evidence or link back.

D

To something.

C

So.

D

Yeah yeah.

D

But yeah I'll have to go back and and read and read some of this stuff.

D

Let me um and remember that Monday is when, when the majority of of sort of talk about that sort of thing goes into place, I think for this this um meeting, the main focus is like how um for this group- or you know, uh some of the tools like the GitHub generator, techton and so on will need to be updated to support that 1.0 um uh spec um and you know what can we do to to get that over the line as well?

D

As you know, folks, who are you know, there's there's folks like Frederick from GitHub who's, looking at doing some of the stuff for npm and like what sorts of things need to get done to get kind of get that across the line there, foreign.

D

We're hoping to also have Fresca um integrated with with 1.0, like the.

B

You.

C

Know we're.

D

One of the first or whatever yeah um yeah, so that's that um any that's all I had for you know.

C

uh

D

um I guess uh question is anybody else, have any other sort of agenda items or anything else they wanted to bring up.

D

Okie dokie yeah, we could probably end it a little early I know. A lot of folks are still um a few folks, don't get back till like a week or two from now.

D

um I know, for example, like Brendan still out in Asia, and um a few other folks had said, like yeah they're still on on vacation uh this week, cool um so yeah. Just as a reminder, you know we'll I'll probably like if folks have questions or whatever about some of the different salsa tooling things we can chat about it in in the slack um I believe you know, there's some talk here about how what can we do to make um you know?

D

One of the things we want to do is maybe have some canonical tooling, which is already something like the salsa generator and salsa validator. That is under here, like what can we do to make that 1.0, um maybe a few things to make it easier to consume and all that good stuff, but yeah? um If that's it, uh everybody happy Friday everybody and uh have a good weekend.

A

Yep you too, thank you. Thanks, bye, everyone.