►
From YouTube: SLSA Positioning Meeting (February 14, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A
A
A
C
Yeah,
the
same
thing
happened
to
the
the
tooling
group,
like
around
the
start
of
the
New
Year.
All
of
a
sudden.
Our
first
meeting
either
was
like
end
of
December
early
January
that
we
couldn't
edit.
The
document
and
yeah
I
I
had
issues
trying
to
get
the
LF
on
it.
Just
because
I
was
super
busy,
so
I
just
ended
up
creating
a
new
document
and
saying
hey,
start
editing
this
one
I
just
copy
pasted,
but
yeah.
B
A
A
C
A
A
A
So,
given
that
the
participants
have
changed
just
trying
to
figure
out
if
there's
a
way
that
maybe
we
could
do
it
earlier
and
if
if
we
would
have
a
good
representation
again,
this
is
just
a
high
level
of
what
the
results
were,
but
it
almost
looks
like
either
you
can't
do.
You
could
do
Monday,
but
it's
right
before
the
specification
call
I'm,
not
sure
people
would
like
that
very
much.
A
That's
a
lot
of
meetings
in
one
day
so
potentially
spacing
it
out.
If
we
think
about
Tuesday
Tuesday,
it
looks
like
not
really
a
whole
lot
of
people
would
be
around
n
or
11.
It's
really
more
of
noon
to
one,
let's
see
and
then
Wednesday.
The
problem
was
Wednesday
and
Thursday,
so
that
there's
a
a
monthly
meeting
on
Wednesday
and
Thursday
for
supply
chain
integrity
and
for
salsa
at
noon
to
one
Eastern.
A
B
Well,
please
switch
to
I
mean
it
could
work
if
we
made
it
every
other
weekend.
So
if
we
did
it
like,
for
instance,
that
this
Integrity
meetings
only
once
a
month
I
believe
right.
Yes,
so
if
we
made
it
I
mean
I
mean
help
we
did
every
other
week.
We
still
might
run
up
against
that
one,
maybe
two
or
three
times
a
year.
Man
yeah,
maybe
a
few
more
times,
maybe
maybe
a
little
bit
more
than
that.
We're
up
against
that
one
yeah!
C
Yeah,
it's
it's
hard,
there's
just
so
many
Community
meetings,
yeah
I,
don't
have
a
a
great
answer.
I
know
for
myself.
Actually
some
stuff
should
switch
around
on
my
end,
where
10
to
11
on
Tuesdays
are
now
open
for
me,
but
now
11
to
noon
on,
Tuesdays
and
and
also
Brendan
Lum
will
also
have
that
same
conflict
11
to
noon
on.
Tuesdays
is.
C
D
C
C
D
A
A
B
D
A
Okay,
it
looks
like
right
now,
at
least
between
the
few
of
us,
on
the
call
that
seems
to
work
so
I'll
ask
a
couple
of
other
folks
that
typically
attend
a
meeting.
If,
if
Tuesday
noon
seems
like
it
would
work
for
the
majority.
If,
yes,
then
I'll
start
to
reschedule
it
for
a
little
bit
earlier
and
see
how
that
works
see
what
kind
of
attendance
we
get
okay.
So
let
me
stop
sharing
that,
then.
A
Let
me
share
the
meeting
notes.
Okay,
I
did
speak
with
Michelle.
Yesterday
she
submitted
the
beginners
talk
to
Global
appsec
DC.
So
basically
it
was
the
same.
This
I
believe
it
was
the
same
title
and
Abstract
I,
provided
that
to
her
so
that
she
could
represent
the
social
community
in
DC,
so
that
happened.
I
think
yesterday
was
the
deadline
and
then
I
wanted
to
review
the
ossf
landing
page
with
folks,
but
before
I
do
that?
Are
there
other
topics
that
people
wanted
to
cover.
A
C
A
C
C
If
there's
anything,
we
could
do
to
sort
of
push
contributors
in
the
community
to
sort
of
like
swarm
on
some
of
these
final
ticket
items
like
you
know
whether
it's
like
a
daily
slack
call
to
action
like
just
a
reminder
here
are
some
of
the
the
big
you
know
here
are
some
of
the
things
I
think
that
that
might
be
useful,
because
I
already
reached
out
to
Mark
about
hey.
If
there's
anything
I
need
to.
C
C
A
A
D
A
B
A
C
B
D
A
D
A
To
revisit
it,
I
think
Our
concern
has
been
things
have
shifted
so
much
while
we
were
writing
just
that,
one
that
we're
worried
that
if
we
start
the
other
ones,
it's
going
to
shift
even
more,
especially
during
the
request
for
Content
comment.
So
we
don't
necessarily
want
to
start
too
early
in
case
something
fundamental
does
change
because
it
did
happen
with
the
provenance
part
right
Jay,
where.
D
B
B
A
Yeah,
no
I
completely
agree
and
I
actually
brought
that
up
to
Tracy
I
said
hey
instead
of
just
also,
why
not
do
the
supply
chain,
Integrity,
working,
group
and
I?
Think
if
I
remember
correctly
in
a
nutshell,
it
was
because
people
are
more
focus
on
the
actual
Community
versus
the
working
group,
something
along
those
lines
where
it's
it's
all
about.
The
actual
you
know
project,
not
the
working
group.
So
that
was
the
explanation
given
to
me,
but
I
did
advocate,
for
that
we
can
always
go
back
to
say
no.
A
A
Yeah
so
I
to
figure
out
you
know
what
do
we
need
to
do,
and
so
she
gave
me
the
template
and
when
I
was
meeting
with
her
I
asked
well,
why
just
salsa
right
what?
Why
not
do
because
I
see
you
know,
there's
Sig
store,
cosine,
recore
right,
it's
still
under
six
store,
but
you
know
there's
a
bunch
of
different
projects.
So
I
was
thinking
well
supply
chain
Integrity.
A
A
C
D
B
Yeah,
that's
a
I
mean
I,
don't
want
to
say,
that's
a
bit
short-sighted
I
like
even
let
me
put
like
this.
Even
if
you,
even
if
you
did
a
supply
chain,
it
doesn't
have
to
be
supply
chain
Integrity.
If
you
just
did
a
supply
chain
site
right,
because
I
mean
that's.
That's
what
that
that's!
What
the
the
culmination
of
this
is
is
secure
supply
chain.
B
You
just
did
a
site
like
that,
and
then
you
did
one
for
salsa
only
right
now
right,
but
you
had
the
other
ones
and
then
they
said
and
then,
if
you
clicked
on
them,
it
says
you
know.
No,
you
know
how
you
know
how
old
school
websites
used
to
say,
work
in
progress
or
curly.
You
know
what
I'm
talking
about
right.
You
could
easily
do
that
and
and
then
now
you're
you
have
a
template
for
what
will
end
up
becoming
something
that
you
know.
If
we
do
it
correctly.
D
Well,
by
the
way
you
know
in
all
fairness,
I
think
there
are
different
ways
to
look
at
it.
That
they're,
not
necessarily
you
know
exclusive
and-
and
you
know,
if
you
think
in
terms
of
community
You,
could
argue.
Okay,
you
know,
salsa
is
one
point
of
view.
That
address
is
specific
audience
and
the
s2c2f
is
a
different
community
and
if
they
want
to,
you
know
make
that
the
axis
for,
like
you
know
how
you
organize
things.
B
Let
me
let
me
let
me
put,
let
me
put
you
like
this
right,
so
so
blue
hat,
who
had
just
happened,
that's
the
that's
a
conference
that's
held
by
held
here
by
Microsoft
in
Seattle
blue
hat
conference,
and
they
came
to
me
and
asked
me
about
slides
and
they
were
getting
ready
to
talk
about
the
openness
itself
when
they
were
talking
about.
You
know
producer,
focused
threats
and
vulnerable,
no
threats
and
then
consumer-focused
threats
and
they
had
a
whole
bunch
of
slides.
I
said
well,
those
slides
look
great.
B
But
if
you're
talking
about
the
openness
itself,
you
ought
to
put
in
what
has
to
do
with
producer,
Focus
consumer
focus
and,
if
you're
thinking
about
supply
chain.
These
are
the
things
that
we're
working
on
so
I
had
them
produce
a
slide.
That
literally
said
salsa,
s2c2f
and
Fresca
right
on
it.
That
was
the
slide.
The
whole
slide.
Okay,
I
mean
I
like
it
like
it,
I
I,
don't
I,
don't
know
that
that
dare
I
say
we
need
to
stop
talking
about
these
things
as
if
they
don't
feed
off
of
each
other
anymore.
B
B
Build
you
put
the
encryption
to
lower
it.
That's
just
secure
Bill
pipeline,
you
think
about
it.
That
way,
but
we're
all
working
on
these
things
and
look
who's
in
this
meeting.
Mike
is
in
this
meeting
you're
in
this
meeting
I'm
in
this
meeting
and
we're
scattered
across
all
three
of
these
things
there's
a
case
that
could
be
made
for
us
to
anyway
I'm.
So
boxing
again
sorry.
D
A
That's
really
all
that
I
see
on
the
website,
I'm,
not
saying
that
there
isn't
something
somewhere
else,
but
that's
what
I've
been
able
to
see-
and
you
see
this
part
where
it
says-
improved
software
Supply
chains.
We
should
be
able
to
click
on
this
and
have
that
supply
chain
website
that
you're
referring
to
with
the
working
groups
or
the
you
know,
communities
that
are
underneath
it
to
say
this
is
what
we're
doing
right,
but
right
now
it
doesn't
there's
no
linkage
in
here.
Maybe
in
the
plan
it
shows
it.
A
C
A
A
C
A
A
A
A
A
If
you
don't
have
your
window
open
all
the
way
right,
even
if
I,
like
minimize
it
and
I
minimize
the
the
font
it
you
have
to
scroll
at
in
some
cases,
but
it
almost
looks
like
an
afterthought
versus
this
should
be
front
and
center
like
this
is
the
problem
it's
trying
to
solve
right.
This
is
why
we're
doing
this
and
why
we're
focusing
on
Sig
store
the
same
thing
as
salsa
or
any
of
the
other
things.
A
D
You're
touching
and
one
of
my
paint
piece
with
open
ssf,
which
I
have
openly
shared
with
Brian
several
times,
which
is
there,
isn't
one
way
to
to
describe
how
things
are
organized
within
open
ssf,
and
so
the
mobilization
plan
was
actually
added
after
the
fact
and
they
went
through
this
exercise
and
tried
to
map
it
to
the
existing
activities.
We
don't
open
ssf,
it
is
an
afterthought,
and
so
here
I'm
even
surprised
they
put
a
reference.
Do
you
think
it
should
be
front
and
center?
D
Yeah
I
think
so,
but
when
I
asked
when
Brian
came
up
with
the
mobization
plan,
I
said:
is
that
the
way
we're
going
to
organize
everything-
and
he
said
no?
No,
no,
not
at
all
and
I
said
why
not
you're
just
adding
yet
another
way
to
look
at
the
way
their
the
activities
are
organized.
It's
a
nightmare.
It's
so
confusing
already
and
you
just
I
didn't
get
another
point
of
view.
You're
not
helping.
D
A
C
Yeah,
no
I
I
think
you
hit
a
lot
of
the
good
stuff.
I
know
one
of
the
it's
still
a
big
thing
that
also
a
lot
of
end
users
have
been
asking
is
like
yeah.
How
does
salsa
fit
into
this
mobilization
plan?
How
does
salsa
fit
into
this
new
Sterling
tool
chain
that
folks
have
been
talking
about?
How
does
this
fit
into
you
know?
Alpha
Omega
is
one
of
the
big
projects
like
does
it
fit
in
yeah
yeah,
and
a
lot
of
that
sort
of
stuff
is
not
there
and
once
again,
I.
C
Yeah
yeah
and
to
be
clear:
it's
not
necessarily
that,
like
there's
anybody
at
fault
outside
of
you
know,
it
would
be
great
if
there
was
a
general
like
hey.
If
there's
something
missing
like
a
taxonomy
thing,
then
it
should
be
a
partnership
between
the
folks
who
are
focused
on
that.
Plus
this.
You
know
the
end
user
group
or
whatever
right
yeah.
B
I
think
that
sort
of
stuff-
that's
something
I've
been
trying
I've
been
trying
to
get
I've
been
I've,
been
saying
that
since
the
summertime
you
know,
I
mean
there's
certain
things
that
we
ought
to
not
be
doing
like
in
in
a
silo
and
that
and
that's
one
of
them,
especially
since
we
have
the
best
practices
working
group
that
has
a
whole
damn.
You
know
terms
a
terms
and
definitions,
thing
that
they're
working
on
and
you've
all
heard
me
saying
many,
and
not
just
not
just
in
that
meeting,
but
also
many
a
salsa
meaning,
hey
guys.
B
Have
we
reached
out
to
the
to
the
terms
and
and
definitions
team
to
see
what
their
terms
and
definitions
are?
Maybe
we
can
take
some
of
these
terms
and
bring
them
over
there.
Maybe
we
could
take
some
of
those
terms
and
bring
them
over
here,
but
one
thing
we
need
to
do
is
be
speaking
with
one
voice.
No,
we
should
be
across
the
entire
open
ssf.
We
should
not
be
saying
one
thing
here
and
then
another
thing
over
there
and
they
mean
the
same
thing.
That
should
not
happen
across
the
whole
open,
necessary.
C
D
A
D
A
D
A
A
C
B
A
D
Let
me
we
can
ask
David
for
the
letters
version
if
there
is
one
somewhere
else:
oh
Brian,
maybe
as
it
okay
100.
What?
If
there's
somebody
in
the
staff
who
is
like
the
official
owner
of
the
slide
that
you
would
want
to
get
to
update
the
you
know
the
source
of
Truth
so
that
everybody
else
get
the
updates,
because
otherwise
you
know
it's
the
kind
of
game
that
never
ends
where
Mike
you
say:
hey
David
fix
it's
missing,
Fresca
they
added
there
and
then
the
next
guy
doesn't
and
then
it
gets.
You
know
it
propagates.
A
Fresca
and
S2
c2f,
and
if
you
know
of
others
that
need
to
be
added
to
the
mobilization
plan,
you
know
feel
free
to
point
them
out,
but
yeah.
If
we
can
get
the
the
actual
name
copy
of
whatever
it
seems
like
it
might
be
this
one,
but
because
I
don't
see
any
revision,
history
I,
don't
know
if
it
truly
is
or
if
it's
like
a
static
document
that
is
getting
published
every
so
often
and
it's
not
truly
the
live
one.
B
D
A
D
A
I
think
in
terms
of
the
taxonomy
we
could
definitely
I'm
pretty
sure
the
monthly
meeting
is
tomorrow
or
supply
chain.
Integrity
working
group
we
could
potentially
bring
it
up
tomorrow
to
say:
hey.
Does
anybody
know
about
what
the
end
user's
working
group
is
doing,
and
is
anybody
partnering
with
them?
If
not,
and
someone
raised
their
hand
to
go
partner
with
right,
because
it
would
be
good
to
know
if
they're
working
in
a
silo
or
not,
especially
if
they're
not
working
with
the
best
practices
working
group
I,
don't
know.
If
anyone
can
answer
that
even.
B
Oh,
no,
that
no,
it's
definitely
siled
work
that
I'm
that
I'm
actively
trying
to
get
some
some
tentacles
out
and
say:
hey,
let's
all
bring
this
in.
Let's
all
you
know
come
together
around
this.
It's
definitely
siled
work,
I
mean
there's
a
The
Proposal
is
being
pitched
to
the
tech
for
this
work
from
the
end
users
working
group
and
then
was
saying.
Well,
maybe
this
should
be
like
a
like
a
a
Consortium.
Maybe
maybe
we
should
come
together
and
Pitch
together.
This
shouldn't
be
pitched
by
you
know
it's
by
one
working
group.
A
A
Should
we
have
salsa
case
studies
right
for
maybe
version
dot
one
and
then
maybe
people
that
are
potentially
going
to
attempt
1.0
when
it's
in
RFC
I,
don't
know
if
that's
a
good
idea
or
not,
but
there's
a
lot
of
options
here
and
so
curious
about
your
thoughts
on
what
should
be
contained
on
this
page.
So
we
can
kind
of
start
putting
that
that
that
vision
and
message
together.
B
A
B
Not
sure
if
we
could
even
put
that
down
there
like
that
I,
don't
even
I,
don't
even
know
if
that's
if
we
can
actually
do
that,
because
it
because
it's
a
I
mean
we,
you
know
we're
we're
working
towards
a
spec.
But
you
know
if
organizations
are
willing
to
say,
hey,
yeah,
we're
we're
adopting
or
we're
currently
using
it
in
our
organization
that
could
be
put
down
as
well
definitely
partner
organizations.
You
know,
organizations
that
are
working
to
to
make
it
better
right.
B
That
might
be
a
different
case.
Where
do
does
a
company
want
to
say,
hey
yeah,
we're
openly
adopting
this?
Do
they
want
that?
To
be
known?
That's
a
that!
That's
that's
that
those
are
those
are
legal
things
right
there,
but
as
far
as
volunteers
are
concerned-
or
we
can
just
put
our
names
down
not
necessarily
put
down
the
organization
that
we're
that
we're
coming
from
now,
yeah.
A
B
The
what's
the
the
the
the
advantage
or
disadvantage
to
that
Advantage.
You
can
do
that
and
you're
doing
it
as
a
volunteer
disadvantage
for
the
organization
that
you're,
representing,
especially
if
your
organization's
member
organization
of
the
openness
and
stuff
is
your
organization,
will
probably
say:
hey
I
want
our
name
on
that,
because
we're
we're
actively
working
towards
producing
something,
that's
going
to
be
used
globally.
Then
another
organization
may
say:
well
we
don't
put
money
up.
Therefore,
we
don't
want
our
name
on
it.
B
B
A
B
A
D
B
B
D
A
A
D
You
definitely
yeah
I,
know,
I,
think
that
I
mean
people
are
going
to
invest
money
in
being
compliant,
no
conformant
with
salsa,
and
if
they
are
members,
especially
of
openness
except
they
should
be
able
to.
There
should
be
a
member
benefit
yeah
to
be
able
to
advertise
that
they
are
conformant
yeah.
A
B
D
B
A
A
A
B
A
B
So
I
think
the
blessing
there
is.
That
is
that
there's
an
argument?
Oh
this!
This
is
truly
a
blessing.
There's
an
argument
on
why
there's
no
level
two,
because
if
you
do
this
one
thing
it
should
take
you
from
one
to
three
and
and
of
course
now
you
got
to
shrug
the
shoulders
and
say
well:
I
I,
don't
in
the
land
of
just
creating
in
the
land
of
creation
of
specs
man,
I,
imagine
you
can
do
whatever
the
hell
you
want,
but
but
I
think
I.
B
D
I
agree
with
you,
Jay
I,
think
that's
a
very
accurate
point
and
and
I
do
find
that
odd.
And
if
you
look
at
the
get
started
page
they
have
on
the
south
Sunday
website.
It
basically
says:
don't
bother
with
one
and
two
just
go
through
three.
It's
easy
just
do
this
and
you're
like
then,
why
do
we
expect
this
out.
D
D
B
B
A
A
Right
so
it'll
say
compile
your
go
project
using
a
salsa
3
compliant
Builder,
but
the
other
one
is
talking
about
generating
provenance
for
your
right.
So
there
are
two
different
tools,
both
claiming
to
be
salsa
level,
three
compliant.
But
again
it's
also
level
three
wasn't
even
well
defined
in
version.1.
So
how
can
and
it's
very
it's
not
finalized
in
one.
So
how
can
you
claim
Solstice.
D
A
D
Mean
Jay
you're,
going
to
love
that
one
I
mean
if
you
go
to
the
salsa
Dev,
you
know
website
get
started,
there's
a
pull
request
right
now
that
I've
objected
to
which
you
know
tries
to
revive
that
document.
Saying
basically,
if
you
use
GitHub,
do
this,
if
you
use
Google
Cloud,
do
that
and
if
you
use
friends
can't
do
this
and
if
you
use
something
else
well,
don't
just
use
one
of
those
foreign.
D
A
D
B
I
say
if
I
say
something
it'll
only
sound
like
I'm,
so
boxing
again
this
this
certain
things
like
You're,
Gonna,
well,
I
mean
you
gotta
understand,
like
I
I've
been
I've,
been
working
on
policies
and
proceeds.
It's
been,
it's
been
over
a
decade,
I've
been
doing
this
stuff
and
you
there
really
is
a
a
you.
Gotta
follow
the
bouncing
ball
with
this,
because
otherwise
adoption
becomes
extremely
difficult
and
adoption
with
any
seriousness
becomes
difficult.
B
I
I
I
mean
if
you,
if
you
do
this
incorrectly
you're,
going
to
end
up
with
a
paperweight,
because
people
are
not
going
to
trust
you
anymore.
You
know
I
mean
you
have
to
be
very,
very
careful
about
how
much
you
try.
There's
a
certain
point
where
you,
where
you
try
to
get
adopters
to
to
a
spec,
and
at
that
point
you
should
be,
you
should
only
be
refining.
You
should
only
be
smoothing
out
edges
at
that
point.
You
shouldn't
be
tossing
back
and
forth.
B
What's
one,
what's
two,
what's
three,
what's
two,
what's
one,
what's
this,
what's
that,
what's
the
other
go
over
there
do
this,
because
this
is
three
well
didn't
you
just
say
that
that's
not
three!
Yet
because
three,
we
even
hit
version
one
you,
if
you
keep
doing
that
too
much
you're
going
to
lose
people.
Yes,
you're
gonna
lose
people
you're,
not
gonna,
trust.
You
yep.
A
Yeah-
and
that
was
the
point
I
made
I,
don't
know,
I,
don't
think
it
was
this
week.
It
was
probably
a
couple
weeks
ago,
where
I
said:
are
we
solid
with
one
with
level
one?
Yes,
okay,
are
we
solid
with
two?
Yes,
okay,
are
we
followed
with
three
no
don't
put
in
the
1.0
draft,
because
if
you
keep
changing
things
from
from
people
like
the
foundational
things
you're
making
people
do
rework
and
then
you
lose
that
trust
people
aren't
going
to
want
to
implement
it
and
you
have
to
make
it
easy
to
implement
so.
D
I,
don't
want
to
speak,
you
know,
I,
don't
want
to
speak
lbs
on
Google
I'm,
not
a
Google,
employee
I,
don't
know
exactly,
but
it
seems
to
me
that
they
are
pressing
to
get
someone
out,
so
they
can
claim
that
Google
cloud
is
salsa
3
compliant.
So
the
idea
of
removing
level
three
probably
doesn't
fit
their
agenda,
but
you
know
I.
This
is
speculation
from
my
point.
To
be
honest,.
D
A
D
I
am
an
old
standards
guy
and
you
know
standards
take
a
long
time
to
do
and
you
can't
just
rush
them.
It's
it's
solved.
It
doesn't
happen
like
yeah
when
I
heard
Mark,
you
know
back
before
it
was
before
Thanksgiving.
He
said
he
wanted
to
be
done
by
Thanksgiving
and
I
was
like
it's
just
completely
unrealistic,
and
now
he
says:
okay,
we
need
to
be
done
by
the
end
of
the
month,
but
I.