►
From YouTube: SLSA Positioning Meeting (January 31, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A
A
B
A
A
A
A
B
A
A
A
A
A
B
B
A
Yeah,
so
what
I
have
to
do
today
is
just
generalize,
the
abstract,
make
sure
that
it's
everybody
agree,
and
so
we
can
walk
to
submit
those
to
open
ssf
day
and
I.
Think
that
it's
maybe
other
events
that
melbaits
also.
She
told
me
that
it's
Target
as
well,
but
it
mostly
open
ssf.
That's
what
I
understood
for
her.
Let
me
know
if
I'm
wrong.
A
Yeah,
so
just
just
on
top
of
my
head,
because
I'm
reading
those
abstracts
right
now,
at
least
when
you
create
those
titles,
I
was
assuming
that
it's,
for
example,
the
beginning.
It
was
something
for
beginner
in
software
supply
chain,
not
only
salsa,
I,
don't
know,
if
that.
That's
the
intention
here
in
this
abstract,
because
I'm
ready
and
say
well,
if
you're
in
the
beginning,
maybe
I
would
like
to
know
how
s
bomb,
what
with
the
salsa
and
work
with
Vex
and
things
like
that.
B
A
Yeah,
because
very
complementaries,
no,
for
example,
I
I,
don't
know
about,
for
example,
especially,
for
example,
people
that
it's
starting
to
get
into
the
software
supply
chain.
Sometimes
you
have
to
explain
oh,
but
it's
South
and
acid
Bond.
They
they
compete
with
each
other.
I
think
that
it's
as
a
bonus
was
all
that
I
need.
I,
never
thought
about
that.
We
need
to
framework,
and
then
people
that
it's
really
starting
I,
don't
know
if
you
have
the
same
same
same
challenge
explained
for
someone
that
it's
new.
B
C
A
C
A
A
Final,
okay,
that's
so
you
can
Define.
Okay,
it's
still
in
draft
two
world.
This
is
the
final,
oh,
okay,
the
the
next
one
I.
If
you
remember
correctly,
it's
it's
not
a
like
a
it's
done.
The
presentation,
it's
more
a
panel
discussion,
that's
right
that
will
bring
people
that
it's
try
to
at
least
deploy
is
salsa
and
they
come
to
share
their
experiences.
A
A
B
Yeah
I
I,
but
at
the
same
time
I
think
we,
the
the
I,
remember
we
talked
about
this
a
few
weeks
ago.
I'm
there
was
this
notion
that
okay,
we're
going
to
tell
the
world
hey,
you
need
to.
You,
know,
look
into
this
and
and
get
on
the
bandwagon
so
to
speak,
and
people
when
we
say
okay,
but
why
should
I
do
all
this
right?
And
this
was
about
you
know,
especially
if
we
stopped
talking
about
well.
Don't
expect
this
to
be
easy.
B
D
D
B
A
A
B
A
D
A
D
C
A
C
A
We
know
that
I,
don't
know
if
you
have
any
panelists
already
confirming
for
this
I
know
that
I
try
internally
Intel.
You
are
not
at
that
stage.
When
you're
talking
about
salsa
I
know
Verizon,
it's
an
option.
Melbourne
was
working
with
to
see
if
internally,
at
ABM
as
well,
but
so
far,
I
think
that
the
only
one
that
you
have
on
the
lineup,
it's
a
Verizon.
That
I
mean
that
has
potential.
B
I
mean
we
we
are,
you
know
we
have
our
own
offering
for
like
and,
and
we
are
actually
developed
a
pipeline.
We
are
trying
to
figure
out
what
it
takes
to
be
well,
you
know
so
so-called
conformant
with
salsa
and
and
you
know,
but
we
already
have
been
doing
work
in
that
space.
I
mean
we.
We
can
definitely
participate
in
this
and
some
of
the
challenges,
like
I
said
you
know,
I
was
touching
on
earlier,
for
instance,
the
overlap
with
his
mom
on
the
one
end.
Where
did
you
put
some
work
into
developing?
B
As
you
know,
production
of
this
bombs
and
then
we're
like?
We
look
at
the
salsa
or
say
hey
so
now
we
have
to
do
to
produce
Providence
for
salsa
and
guess
what
there
is
a
big
overlap
and
yeah.
They
are
not
exactly
the
same,
but
it's
a
bit
like
they
really
have
to
do
this
too.
Can
this
be
the
same
anyway
yeah
so
I
I
wouldn't
call
it
like.
You
know,
I
wouldn't
say
we
are
done
yet,
but
we
definitely
some
experience
to
share.
B
A
A
A
But,
as
you
mentioned,
we
are
internally
focused
on
one
bomb
because
of
course
we
already
have
the
bomb
for
Hardware,
but
it
now
has
a
bomb
in
something
that
it's
I
have
to
come
together
and
but
Salsa's
like
okay,
let's
first
have
the
the
the
one
bomb
and
then
later,
as
you
mentioned,
but
that's
the
reason
that
they
they
said.
Well,
maybe
you
are
not
good
of
candidates
yet
for
this
panel,
not
this
year,
not
for
this
time
frame
but
looking
forward.
Sales
is
something
that
you
it's
in.
Your
roadmap.
B
Yeah,
so
I
think
you
know
some
of
it.
Maybe
you
know
like
we
were
saying:
is
it?
Was
it
worth
it
I
mean?
Did
you
put
it
that
way?
I
wouldn't
be
able
to
answer
it
fully
because
I'd
say
well.
We
are
it's
still
working
progress,
but
I
could
still
share
what
I
think
about
it,
whether
it's
worth
it
or
not,
right
I,
think
so.
I
did
somebody.
You
could
probably
do
the
same
for
Intel
I.
Don't
think
that
necessarily
should
stop
you
from
participating.
I
mean,
let's
face
it.
B
I
mean
salsa
is
still
in
the
works.
We're
still
developing
the
spec.
Who
has
the
you
know
who
is
in
the
position
to
say
yeah,
we've
done
it
and
I
can
tell
you
all
about
what
it
takes
to
get
there.
It's
like.
Well,
nobody
has
done
it
per
se,
I
mean
maybe
Google
is
a
bit
more.
You
know
experienced
because
they
started
this
early
and
it's
based
on
some
of
the
internal
Works.
B
A
B
But
of
course,
but
you
know
I
I'm
on
the
specification
work
group-
and
you
know
with
this
discussion
that
I
said:
oh
maybe
you
know
there
are
discussions
and
then
you
hear
Google
person
say:
hey
I,
don't
know
if
we
can
have
that
requirement,
because
maybe
you
know
I
don't
know
if
you
would
be
comfortable
with
having
this
in
the
spec
and
mean
which
means
that
Google
is
not
performant
on
day
one
Google,
Cloud
and
I'm
like
well.
Sorry,
you
know
this
is
what
happens
in
it
during
the
standardization
process.
B
So
I
mean
I
mean
those
things
guys.
So
for
me
those
things
is
like
well,
hello,
that's
just
the
way
it
is,
but
so
yeah
I
I
know
the
you
know,
Google
and
I'm
sure
there
are
other
companies
that
will
claim
they
already
are
compliant,
but
I
don't
think
we
should
take
this
for
granted.
Then
it
doesn't
matter
we
shouldn't
I
mean
if
otherwise,
you
know.
Maybe
there
is
like
two
people,
we're
gonna
be
on
the
stage.
I
don't
know
yeah.
So
I
don't
think
this.
This
qualifies
what
I'm
trying
to
say.
B
E
E
C
B
C
E
You
know
that
that
these
are
all
things
that
need
to
be
discussed
and
break
them
apart,
pull
them
back
together,
I
mean
all
done
and
Earnest
of
course,
but
but
now
we,
you
know
now
we're
really
dealing
with
a
situation
of
what
does
it
mean
to
be
level
three
and
is
last
year's
level.
Three,
today's
level
three
or
two
or
one
no.
C
A
Okay,
so
this
is
what
I
have
one
two
three
cells
in
action
join
open
ssf.
It's
also
group
four
live
Hands-On
demonstration
of
how
to
betin
has
also
compliant
building
with
simple
Ripple,
who
it's
going
to
to
put
in
this
together,
just
what
just
abstract
that
you're
putting
out,
and
if
you
gotta
approve
it
we
try
to
to
do
it.
A
E
I
think
this
one
so
first
1.0
needs
to
be
ratified
before
anything
else.
I
think
with
this
one
it
unless
that
doesn't
happen,
I
think
that
a
thing
we
probably
could
still
do
something
like
this,
but
I
think
it.
We
really
do
need
to
qualify
it
yeah
before
before
it
happens,
right
so
exactly
what
what
do
we
mean
by
salsa
and
action
to
this
point?
What
does
that
look
like
to
this
point,
especially
if
1.0
isn't
ratified
and
we
can't
say
according
to
1.0,
this
is
you
you
know
we
have.
B
Agree
with
you,
Jay
I
mean
it's
got
to
have
all
the
right
disclaimers,
not
brought
to
say
you
know
what
it's
not
exactly
all
done
and
ready
yet,
but
you
know
this
is
where
things
stand
and
I
mean
I.
Wasn't
part
of
the
group
that
put
that
together
initially
I
can
imagine
they
want
to
leverage
some
of
the
tools
that
are
available
today
and
that
will
need
to
be
indeed
revised
and
updated
as
the
spec
progresses.
There
was
one
zero.
A
B
A
B
Raise
a
flag
request:
there's
a
pull
request
already
submitted
yesterday
against
this
page.
That
provides
a
lot
more
details
and
shows
this.
You
know
not
quite
as
easy,
but
there
are
submissions
yeah,
but
I
think
it
does
highlight
some
of
the
things
they
probably
want
to
to
demo
at
the
at
the
event.
I
don't
know
so
I,
don't
know
that
and
there's
any
one
of
you
is
familiar
with
this.
Maybe
we
cannot
deal
with
this
now.
B
B
C
B
But
if
it's
based
on
sub
open
resource
tool,
why
not
I
mean?
And
with
the
proper
disclaimer
that
says
you
know,
the
spec
is
still
not
finalized.
Those
tokens
are
still
very
much
work
in
progress.
We
will
keep
updating
them
as
expect
progresses.
People
have
the
proper
information.
They
can
still
get
a
sense
of
what
we're
talking
about
right.
I
think
it
could
still
be
useful,
but.
E
But
just
just
need
to
qualify
it.
That's
all
you
just
need
to
qualify
to
say
hey.
This
is
so
according
to
this,
what
the
spec
is
currently
and
the
current
available
tools
to
reach
this
level
according
to
where
the
spec
is
currently.
This
is
how
it
can
be
done,
and
then
you
can
be
fully
transparent
with
that.
Yes,.
B
E
C
C
B
Me
I
mean
I'm
telling
you
there
are
people
like
Michael
Lieberman
who
works
on
Fresca.
He
already
has
something:
it's
not
you
know,
production
ready
by
any
means,
but
I'm
sure
he
would
then
mind
to
run
this
duel
and
say
hey
absolutely,
so
you
can
enable
it
and
it's
worth
what
it's
worth,
but
you
know
so
I
know
I'm
I'm,
personally,
I,
don't
see
a
problem
with
putting
submitting
it
and
you
know
I
I
assume
not
apparently
none
of
us
here
today
can
do
it.
E
B
A
B
A
Okay
and
you
have
the
last
one-
the
ketchup,
mustard
and
release
to
softer
supply
chain
security,
but
from
it's
almost
lunch
time
right
so
I,
don't
know
what
it
means
skip
to
soccer
and
join
the
open,
ssf
Integrity
working
group.
We
will
discuss
how
to
improve
and
standardize
this
software
Supply
it
was
it
was.
You
are
abstract
to
Jay
I,
don't.
E
Know
well,
we
we
all
worked
on
it,
but
the
the
title
was,
the
title
was
still
in
denial
came
with
it.
I
think
this
right
here
is
something
a
bit
more,
dare
I,
say
easier
for
us
to
do
right,
because
we
all
can
you
know
having
a
especially
when
you
when
you're
at
the
working
group
level
in
your
in
your
in
all
of
these
meetings,
you
can
clearly
draw
the
lines
between
s2c2f
Salsa,
Fresca,
hell
even
guacin,
and
everything
else,
and
you
see
where
they
all
have
relevance
and
they
all
fit
together.
E
So
this
is
a.
This
is
a
better
discussion
holistically
across
everything
that
we're
working
on
in
the
working
group
and
then,
of
course,
using
you
know
the
the
the
idea
of
of
positioning
right
where
you
know
where
we're
talking
about
you
know
having
an
umbrella
positioning
Sig
for
for
S2,
c2f,
salsa
and
and
Fresca
together.
This
this
is.
This
is
a
a
good
win,
not
just
for
salsa
and
and
but
for
s2c2f
for
Fresco
hell.
E
This
is
a
good
win
for
the
supply
chain,
Integrity
working
group
to
highlight
what
we're
working
on
period
right.
We
could
even
discuss
after
you
know,
we
talk
about
these
things
right
and
we
can
even
then
discuss
the
broader
supply
chain
security
framework
being
worked
on
that
incorporates
all
of
these
things.
So
I
I
think
this
one
is
a
is
a
is
a
great
win
for
open
ssf
supply
chain,
Integrity
working
group
just.
E
Think
it's
a
panel,
okay,
I,
think
I.
Think
it's
a
panel
right
because
I
think
taking
people
for
you.
You'd
have
to
have
everyone
from
each
one
of
these
sigs
sitting
on
stage
together,
feeding
off
one
another
discussing
how
they
all
fit
and
then
taking
questions
from
the
audience
about
the
direction
that
each
of
these
are
heading
in
hell
and
then
and
then
you
know,
like
I,
said
full
transparency.
E
What
the
gaps
are,
how
we're
addressing
those
gaps,
how
we're
addressing
those
gaps
together
right,
what
we're,
what
we're
doing
as
a
community
to
address
those
gaps
right
so
so
does
that
I
mean
that
that's
this
is
definitely
a
a
panel.
You
know,
I,
don't
think
you
can
I,
don't
think
you
can
do
this.
Just
just
one
person
or
two
people
up
the
election.
I
think
this
really
does
need
to
be
a
panel
and.