►
From YouTube: SLSA Specifications Meeting (June 12, 2023)
A
Yeah
I
don't
know
if
you've
heard
much
about
the
I
live
on
the
U.S
east
coast
and
the
U.S
east
Coast
has
been
covered
for
days.
I
have
heard
about
it,
yeah
yeah
I
mean
you
know.
Public
schools
are
have
basically
canceled
all
outdoor
events
and
just
I
decided
you
know,
I'm
not
exercising
I'll
just
sit
outside
under
a
awning
and
that
won't
be
too
bad
and
I
ended
up
with
a
headache
by
the
afternoons
and
well.
Okay,
that,
to
be
honest,
I
didn't
know
about
it.
I
went
out
enjoyed
the
day.
A
D
A
A
C
Yeah
I
volunteered
last
week
to
run
the
meeting
when
Park
mentioned.
He
would
be
out
this
week,
so
I
can
certainly
okay
attempt
to
do
that.
We've
got
a
fairly
light
agenda,
although
David
does
you've
added
something
this
morning.
So
that
gives
us
something
to
talk
about
at
least
so.
I
should
first
of
all
mention
that
the
meeting
is.
F
C
Recorded
and
we
will
abide
by
the
Linux
Foundation
code
of
conduct
during
the
meeting,
as
we
always
do,
I
always
try
to
in
the
sales
Community
as
I
just
mentioned,
we've
got
a
really
light
agenda
today.
The
first
thing
we
always
do
is
welcome
new
members
and
give
them
an
opportunity
to
introduce
themselves
so
I'm,
not
sure
who,
whether
we
have
any
new
members
today
I
recognize
everyone's
names,
but
that
that
doesn't
mean
you've
been
to
this
meeting
before.
G
Hey
I'm
I'm
Josh,
Clements,
I'm,
I'm,
new-ish
I've,
been
I've,
been
lurking
a
bit
in
all
sorts
of
open,
ssf
stuff.
Just
because
I'm
I
saw
the
open
ssf
day
at
the
last
open
source.
Summit
and
I
made
the
mistake
again:
I
keep
I,
keep
using
the
same
joke.
Other
people
keep
yeah
and
thank
you
David.
You
keep
laughing
I
love.
It
I
made
the
mistake
of
telling
my
boss
that
I
went
to
those
things
and
he's
like
sweet.
G
C
A
H
And
I'm
Matt
Wood
I've
been
part
of
the
the
I
guess
attending
the
Integrity
I,
don't
know
weekly
meeting
or
bi-weekly
meeting
a
bit
for
a
while
first
time
at
this
particular
meeting
put
my
primary
focus.
These
days
is
trying
to
get
salsa
principles
and
and
stuff
implemented
internally
for
a
lot
of
RCI
and
so
yeah
I
want
to
make
sure
that
the
spec
is
is
I,
guess
understandable
within
an
Enterprise
context.
C
C
A
D
A
Yeah
and
and
I
and
I
think
that
that's
a
fair
point,
the
phrase
I
used
I'm
the
one
who
created
this
this
issue-
anyways
873,
my
eyesight-
sounds
so
great
yeah
873.,
you
know
I
I,
don't
know
if
this
is
the
right
phrase,
but
I
think
verifiable.
Build
is
kind
of
the
the
notion
here.
I
think
you
know
so
much
of
salsa
right
now
you
know
the
current
track
is
all
about.
A
A
A
We
now
have
this
concept
just
tracks
and
in
fact
it
looks
like
we
have
multiple
levels
because
and
right
we
can
blame
Michael
scavetta
for
pointing
out
some
of
this,
where
what
some
of
the
challenges
in
building
reproducible
builds
are
because
of
things
like
date,
timestamps.
Well,
what
are
the
odds
of
the
date
times?
You
know
if
software
is
exactly
the
same
except
there's
some
internal
dates,
time
date
and
time
date,
timestamp
differences.
A
Does
that
represent
a
risk?
Probably
not
so
okay,
so
so
there's
there
basically
looks
like
there's
multiple
levels
of
way
to
to
to
deal
with
this,
so
unfortunately,
I
have
some
other
things
that,
in
the
short
term,
I'm
gonna
have
to
deal
with.
But
one
of
the
other
comments
was
hey
who's
going
to
be
doing
the
work.
I
think
that's
actually
a
fair
question.
It's
all
great
to
have
an
idea
and
nobody's
doing
any
work,
but
all
that's
not
going
to
go
anywhere
so
I'd
be
happy
to
help
with
that.
A
A
The
the
gold
standard
is
bit
for
bit
reproducibility
and
then
there's
a
then
there's.
Well,
what
can
you
back
off
if
you
assume
that
the
source
code
wasn't
malicious,
but
the
build
process
might
have
and
there's
ways
to
basically
rebuild
and
detect
certain
differences
that
are
highly
unlikely
to
produce
malicious
code
and
I'm
done
Mike
Michael
Lieberman.
H
D
Yeah
I
think
on
that
end,
there's
like
a
lot
of
different
properties,
whatever
we
want
to
call
them
there
right,
which
is
like
yeah
exactly
like
bit
for
bit
binary
reproducibility.
You
know
that
A
and
B
are
the
same.
No
I
think
you
know.
Even
among
you
know,
reproducible
quote.
Unquote.
Reproducible
builds
right.
It
depends
on
how
folks
sort
of
view
what
is
a
build
as
well
right
like
when
it
comes
to
some
of
that.
D
There's
there's
there's
things:
where
can
you
detect
that
actually
it
was
built
a
second
time
versus
just
somebody
gave
you
the
same
artifact
you
know
and
and
not
to
say
that
that's
a
that
you
know,
but
I
think.
The
thing
there
right
I
think
is
is
we're.
Looking
at
stuff,
like
you
know,
bid
for
bit
binary.
D
Reproducibility,
probably
you
know
you
know
it's
number
one,
but
there's
also
other
things
that
are
like
when
you
talk
about
reproducibility,
one
of
the
the
big
ones
that
kind
of
comes
out
of
that
like
basil,
Blaze,
pants
and
Nick's
world
is
the
like.
Can
you
reproduce
all
the
inputs
right?
Could
you
essentially
provide
the
same
because?
Well,
that's
actually
kind
of
a
very
complicated
problem
of
are
you
actually
holding
on
to
all
the
things
you
used
in
your
build
right
because
you're
not
using
it
and
it's
let's
say.
D
For
example,
one
of
the
things
that
happens
right
is,
oh,
it
turns
out
a
library
gets
updated
and
they
delete
the
old
version
of
the
library
and
now
all
of
a
sudden,
you're,
like
oh
well,
I,
haven't
updated
to
the
new
version
of
the
library,
but
I
can't
reproduce
this
anymore.
Because
right,
this
thing
doesn't
exist.
A
I
I
get
for
that
latter
one.
Let
me
quickly
respond,
I,
I,
guess.
My
my
notion
is
that
this
isn't
just
that
you
could
it's
conceptually
possible,
but
that
someone
is
actually
someone
has
independently
tried
to
do
well.
Independent
I,
don't
know,
maybe
be
a
little
careful
here,
but
basically
someone
is
actually
attempted
and
succeeded
in
reproducing
it
at
you
know
either
commit
for
bit
or
except
for
date,
time
stamps,
which
implies
that
at
least
at
the
time
of
the
event
you
the
bits
were
available.
A
D
Yeah
and
I
just
wanted
to
throw
one
more
thing
out
there,
which
I
think
is
is
I,
think
tied
to
that
concept
and
and
also
tied
to
the
tracks
is
I.
Think
one
of
the
things
we
had
brought
up
prior
right
was
one
of
the
reasons
why
we
had
gotten
rid
of
salsa
level.
Four
originally
was
because
we
wanted
to
focus
purely
on
the
things
that
were
completely
dependent
on
the
build
and
only
the
build,
but
I
think
when
we
start
to
look
at
some
of
the
stuff
like
reproducibility.
D
One
of
the
things
that
it
requires
is
the
ability
to
have
access
to
the
things
that
a
previous
build
had,
so
that
you
can
then
run
those
you
know,
reproducible
elements
and
then
that
kind
of
ties
into
no
longer
the
build.
Perhaps
in
certain
elements
right,
you
might
say,
okay
great
now,
there
needs
to
be
something
like
a
source
and
dependencies
track
where
the
source
independency
should
be
at.
You
know
you
should
be
able
to
go
back
at
a
given
time
and
look
at
your
source
of
dependencies
up
to
some
sometime
window.
D
F
F
Could
somebody
assuming
the
things
have
not
been
pulled
off
the
internet
reproduce
this
I
think
should
be
what
we
figure
out,
how
to
say
succinctively,
because
I
don't
think
we
want
to
hold
over
everyone's
head
the
requirement
that
they
do
what
we
do,
which
is
hold
a
copy
of
everything
like
that
would
be
great
if
they
do
because
that's
you
know
the
way
we
found
the
work
around
it
and
gave
people
pull
stuff,
but
I
don't
think
we
should
Force
everyone
into
that.
If
they
don't
want
to.
A
B
Some
cases,
yes
in
other
cases,
if
you
want
to
say,
tell
me
about
this
container
image
up
on
a
Docker
registry.
You
really
care
about
those
headers,
because
they
include
the
digest
of
what
that
tag
points
to.
They
include
the
media
type
of
what
that
is,
and
so
there
are
some
important
values
in
there.
You
don't
want
to
just
blanket
exclude
everything.
D
So
one
thing
I
think
that's
probably
worth
calling
out
here.
I
think
a
little
bit
is
is
I.
Think
this
sort
of
thing
of
like
even
sort
of
what
are
the
the
levels
of
reproducibility
of
the
inputs
per
second
I-
think
that
sort
of
thing
is
valuable
to
to
sort
of
even
make
levels
out
of
right.
You
might
say
great
this
level
is
you
know
you
can
pull
down
the
same
hash
every
time
there
might
be.
D
You
know,
because
I
I
think
sort
of
going
back
and
saying
you
know
something
like
Source
independencies
level.
Four
is
you
have
captured
those
things
because
in
certain
cases,
I
think
even
ssdf
or
one
of
the
the
nist
or
sisa
sort
of
things
that
came
out
recently
or
not
recently,
but
one
of
those
things
from
ssdf
or
similar
does
call
out
like
if
you
can,
you
should
actually
be.
D
E
Yeah
so
one
one
comment,
I
have
to
say,
and
they
reproducible
businesses
that
not
only
the
parts
of
the
product
are
important,
but
also
like
the
build
packages
and
the
military
and
all
the
actual
code
on
the
pipeline.
That
is
going
to
manipulate
this
data
into
an
artifact
we've
gone
I,
don't
think
like
exactly
this
world.
E
But
what
we've
done
in
our
own
product
is
like
following
file
system
on
The
Cisco
on
The
Cisco
level
with
Peter,
but
then
like
jumping
between
all
these
processes,
that
build
and
containers
and
namespace
to
follow
all
the
inputs
and
outputs
of
of
a
build
system
and
basically
explode
out
all
the
files
that
were
not
touched
and
the
files
that
were
attached
during
the
building
basically
have
like
a
big
amount
of
data
on
your
Builder.
What
was
the
process
on
the
file
system
level?
A
A
Npm
has
a
process,
basically
after
left
pad,
where,
after
a
certain
number
of
days,
they
will
not
delete
packages
unless
I
presume
they
would,
if
it
was
legally
obligated,
but
other
than
that
they
won't
delete
them
and
that
at
least
partially
deals
with
the
problem
of
hey
I
can't
get
it
now.
I
realize
there's
more
to
it,
but
I
I
would
like
to
separate
the
problems,
because
otherwise
you
try
to
put
it
all
together
in
one
place,
it
gets
hard
I
think
that's
why
we
end
up
with
tracks.
In
the
first
place,.
C
Yeah
I
completely
agree.
I.
Think
we've
had
some
discussion
about
separate
dependencies
track
for
a
while
and
and
a
lot
of
the
things
we
were
just
talking
about
would
fall
within
to
concerts.
We've
discussed
yeah,
making
up
that
yeah.
Can
you
fully
enumerate
what
you
what
goes
into
your
build
ahead
of
time,
and
then
can
you
later
retrieve
those
things
and
stuff
one
of
the
things
I'm
wondering
about
with
the
semantically
reproducible
builds
or
I
forget?
What
second
term
are
you
introduced.
C
I
I'm,
not
I,
haven't
read
the
issue
in
detail.
So
forgive
me
if
you've
already
discussed
it
there,
but
I'm
curious
like
what
how
how
it
fits
into
the
threat
model
of
salsa
and
how
it
fits
into
the
guiding
principles,
because
we
ended
up
with
these
principles
about
you
know,
trusting
platforms
and
like
high
Automation
and
things,
and
my
experience
of
reproducible
bills
is
that
the
value
is
in
being
able
to
reproduce
it.
A
That
I
think
is
exactly
the
right
question.
If
you
don't
mind,
I
want
to
try
to
answer
it
quickly.
I,
don't
think
it's
as
written
clearly
as
it
should
be,
and
in
fact,
on
my
personal
website,
I
actually
talk
a
little
bit
about
this
because
there
doesn't
seem
it
doesn't
seem
to
be
written
down
anywhere,
which
is
kind
of
a
problem.
Okay,
so
all
right,
so
so
were
you
and
I
are
on
the
same
wavelength
here
all
right
so
and
hopefully,
maybe
as
part
of
this
process,
we
can
fix
that
all
right.
A
So,
given
that
here's
The
quick
summary,
the
threat
model
that
you
that
is
being
concerned
about
with
reproducible
build
is
that
the
source
code's?
Okay,
it
is
not
I,
just
read
the
source
code,
it
does
not
describe
malicious
software,
it
is
software
that
is
intended
to
do
some
Positive
Purpose,
okay.
However,
during
the
build
process
itself,
the
software
was
manipulated
in
a
way
so
that
the
resulting
build
was
malicious.
A
Okay,
that's
part
one
and
part
two
is
that
this
implies
that
somehow
someone
got
into
the
build
process
and
subverted
it.
This
is
not
an
idle
case.
This
is
exactly
what
happened
with
solar
winds:
okay
with
our
solarwinds
Orion,
specifically,
okay,
where
somebody
got
into
the
build
process
subverted
it.
The
original
source
code
was
fine,
the
resulting
executables
were
malicious.
Now,
there's
two
basic
approaches
to
dealing
with
this
and
I
would
argue
that
both
of
them
have
their
place.
One
approach
is
protect
the
stinking
build
environment,
which
seems
like
a
good
idea.
A
That's
where
salsa
is
today.
It's
you
know.
Basically,
you
try
to
put
the
build
environment
in
a
place
that
you
trust,
you'll,
Harden
it
up
now
to
be
fair.
The
solar
winds
folks
actually
did
have
their
own
separate,
build
environment.
They
had
some
protective
measures,
I
think
the
well
I
I
think
the
review
of
other
people
is
that
is
not.
It
was
not
as
hardened
as
it
well
as
it
should
have
been,
but
it
wasn't
just
sitting
underneath
somebody's
desk.
A
There
was
a
dedicated
system
specifically
for
building
and
there
was
an
attempt
at
hardening
so
inadequate.
So
the
other
approach
is,
you
know:
hey
hardening,
build
very
good
idea,
however,
if
they
hardening
something
against
all
attacks
for
all
future
times
rather
hard.
So
the
other
mechanism
mechanisms
protect
but
then
detect.
So
if
your
protection
mechanisms
fail,
do
we
have
a
detection
mechanism
to
detect
that
a
subverted
build
got
out
anyway,
and
that's
what
these
but
reproducible
builds
and
semantic
equivalency
are
all
about?
A
Can
you
examine
a
resultant,
build
and
verify
that
it
was
generated
from
the
sort
from
that
refuted
source
code?
Now
all
things
of
limit
patients
if
the
source
code's,
malicious?
What
reproducible
builds
and
semantic
equivalency
will
tell
you-
is
that
the
build
system
is
exactly
as
delicious
as
the
source
code
was
all
right.
It's
not.
It
doesn't
protect
against
malicious
Source
Code
by
itself.
It
does
not
protect
against
trusting
trust
attacks.
So
if
you
use
a
compiler,
that's
subverted.
So
if
it's
not
the
build
process,
but
the
actual
tools,
that's
a
different
kind
of
attack.
A
If
you
want
to
know
how
to
counter
that
attack,
I
I
know
somebody
wrote
a
PhD
dissertation
on
diverse
level,
compiling
and
there's
all
other
some
other
techniques
too.
For
dealing
with
that
case.
To
be
fair,
those
are
pretty
Advanced
attacks
and
you
need
you
would
need.
Reproducible
builds,
or
at
least
semantic
equivalency
before
you've,
even
worried
about
that
other
case.
So
I
I,
don't
think
you
know.
So.
Basically,
there
is
a
threat
model.
There
are
things
it
covers
and
things
it
doesn't.
It's
not
well
documented.
A
We
would
need
to
fix
that,
but,
but
hopefully,
verbally
and
I
didn't
try
to
take
notes,
because
it's
hard
for
me
to
talk
about
these
and
talks
at
the
same
time,
but
hopefully
at
least
that
makes
sense
that
there
is
a
threat
model
and
whether
or
not
that's
important.
Well,
that's
why
we
have
different
tracks.
You
don't.
C
So
I
I
know,
but
both
Mike
and
Brian
have
got
the
hands
up
so,
but
I
just
want
to
quickly
respond.
So
I
did
take
notes.
I
tried
to
summarize
what
you
said:
David
the
thing
I
wanted
to
just
quickly
point
out
is
that
we
have
in
the
past,
in
this
meeting,
discussed
how
reproducible
builds
might
be
a
way
to
achieve
salsa
without
necessarily
having
like
the
level
of
infrastructure
that
sales
currently
implies,
because
sales
is
about.
A
If
I
may
quickly
answer
and
then
let's
go
on
to
the
people
actually
raise
their
hands,
but
I
think
you
were
asking
a
question
with
me:
I
think
they
work
together
right.
You
know
the
old,
peanut
butter
and
jelly
kind
of
thing.
If
you
can
verify
a
whole
bunch
of
low
quality
builds,
you
know
it,
it
I
mean
you
know
all
your
reproductions
could
be
separated
too
you
you
wanna,
you
wanna,
protect
and
detect
I.
A
Don't
think
you
just
want
one
or
the
other,
maybe
a
week
in
one,
because
you
have
number
resources
but
I.
Think
really
you
want
both.
You
want
to
harden
the
build
to
reduce
the
likelihood
of
attack,
and
then
you
verify
it
anyway,
so
that
the
few
that
link
through
still
get
detected
and
I
think
was
it
Michael
or
Brandon.
I'm.
Sorry,
I,
don't
know
who
was
that
Michael's.
D
Oh
so
yeah
yeah,
no
I
agree
with
David
there
I
think
yeah,
I
think
the
things
from
that
I
think
we
were
thinking
through
from
like
the
threat
model
perspective
right
is
the
majority
of
stuff
in
build
provenance
right
is
around
essentially
protecting
against
attacks
to
the
actual
build
system,
and
so
you
can
help
prevent
or
detect
attacks
based
on
assuming
you
are
running.
Reproducible
builds
in
separate,
build
environments
and
I
think
that
was
one
key
bit
of
it.
D
D
It
relies
on
some
of
these
other
tracks,
potentially
right,
because
you
need
to
be
able
to
have
that
and
so
I
think
it's
probably
worthwhile,
as
we
think
through
the
threat
models,
and
we
think
through
some
of
this
stuff,
it's
like
if
we
go
to
like
a
source
track
and
a
build
track,
and
we
start
to
think
about
the
higher
level
build
track.
We
start
to
think
about
stuff
like
hey
these
requirements
from
the
higher
level.
D
Build
track,
depend
on
you
being
salsa
level,
two
Source,
or
something
like
that
right,
because,
based
on
this,
this
and
this
you
need
to
have
you
know
you
must
be
keeping
the
source
indefinitely
or
whatever
right.
Those
sorts
of
things
then
allow
you
to
then
say
Yep.
This
build
is
reproducible
because
I'm
holding
on
to
the
holding
on
to
that
information,
and
it's
not
something
that
you
would
imagine
being
a
requirement
of
the
build
itself,
because
the
build
should
just
if
you
give
you
you
gave
me
the
same
source
and
the
same
dependencies.
D
B
Yeah
we're
going
up
and
down
the
pipeline
here,
because
there's
you
go
up
the
pipeline
to
make
sure
that
everything
coming
in
is
right
and
I
was
raising
my
hand,
because
I
was
going
to
go.
The
other
direction
which
is
Downstream
of
us
in
the
pipeline
I
want
to
make
sure
that
we
don't
stop
short
and
say
we
just
want
to
use
reproducible
bills
for
detection
I.
Think
it's
very
trivial
to
go
from
detection
to
prevention
of
running
stuff
that
isn't,
reproducible.
B
You
can
just
have
multiple
signers
on
your
container
images,
if
you're
building
containers
just
from
two
different
places
and
then
set
a
policy
up
in
your
production
environment,
says
make
sure
this
was
signed
by
two
different
parties
out
there,
that
I
trust
and
so
I
think
it's
very
easy
to
go
from
that
detection
to
prevention
inside
I
Look.
To
add
that
in
there
as
well.
C
Cool
sorry,
yeah,
I
I
know
how
Mike
Owen
is
related
to
what
Brandon
just
said.
But
when
microsulking
one
of
the
things
I
was
a
little
worried
about,
is
that
a
talk
of
independent,
interdependent
tracks
sounds
like
well
sounds
complicated,
effectively
and
I'm
curious
it's
too
early
to
tell,
but
I
I
will
be
wary
of
defining
a
new
track
that
has
implicit
dependencies
on
parts
of
other
tracks,
because
the
track
system
had
been
imagined
to
be
independent.
D
It's
like
hey
I,
downloaded
this
from
an
approved
place,
but
it
turns
out
it
had
been
hacked
or
whatever,
whereas
you
could
imagine,
a
source
track
helps
provide
guarantees
around
what
that
source
is,
which
then
makes
the
the
build
a
little
bit
better.
But
I
do
think
that
for
what
it's
worth
I
think
one
of
the
things
we
should
probably
do
is
try
and
keep
those
dependencies
at
the
higher
levels
so
that,
like
most
folks,
it's
like.
D
Oh
it's
very
easy
to
independently
get
here
here
and
here,
but
if
you
want
to
get
to
the
max
level.
Okay,
that's
where
you're
thinking
about
the
the
big
picture,
that's
and
once
again,
I
think
that's
kind
of
like
much
further
down
the
line,
but
I
do
think
one
of
the
reasons
why
we
started
talking
about
hermeticity
and
we
started
talking
about
reproducibility
and
why
it
was
like
causing
us
issues
was
well.
D
If
we
require
reproducibility,
then
we
need
to
require
holding
on
to
the
source
and
dependencies
so
that
we
can
reproduce
them
and
is
that
a
requirement
of
the
build?
Probably
not
right?
It's
a
requirement
of
of
other
things
that
you
you
rely
on
as
part
of
that
sort
of
overall
software
delivery,
life
cycle.
C
D
C
I
mean
we're
we're
going
down
and
down
here
so
I
mean
there's,
there's
potentially
some
really
interesting
work
to
come
out
of
this
I
think
I
just
encourage
us
to
be
focused
on
like
being
able
to
State
what
the
threat
is
and
how
we're
addressing
it.
Before
we
get
too
deep
into
the
complex
team,
yeah
well,.
E
C
C
A
Before
we
move
on,
if
do
I
get
it
I
I
just
like
to
get
a
sense
of
the
room,
it
sounds
like
people
are
intrigued
and
at
least
that
this
would
be
a
plausible
topic
to
pursue.
Obviously
need
things
need
to
be
worked
through
to
turn
this
from
a
nascent
vague
idea,
but
I
didn't
I
Heard
lots
of
interesting
discussion,
I
didn't
hear
any
strong
opposition
did
I
read
the
room
room
wrongly,
or
is
that
fair.
C
A
D
Yeah
I
think
the.
If
there's
the
the
thing
that
I
think
is
probably
worthwhile
as
takeaways
and
once
again,
I
know.
We
all
have
way
too
many
things
to
do
to
figure
out
all
this
right.
The
second
but
I
think
the
takeaway
is
I
heard.
Were
we
need
to
think
of
what
are
all
the
things
that
would
actually
be
part
of
this
and
then
think?
How
does
it
currently
fit
into
the
salsa
model?
D
Does
it
require
changes
to
how
we
think
about
the
salsa
model
at
all
and,
if
so,
how
with
those
that?
How
maybe
being
something
like
actually
reproducibility,
is
it's
a
requirement
of
the
build,
but
in
order
for
you
to
actually
still
be
able
to
do
the
reproducibility,
you
still
need
to
you
know
it
requires
some
element
of
source
or
dependencies.
You
know
requirements.
E
A
I
H
I
C
H
C
That
would
probably
help
there's
some
ambiguity
because
we
all
agreed
it
would
be
easier
if
the
in
Toto
agitation
folks
changed
to
match
salsa
and
a
relationship
with
Father
stream
for
that
Community.
But
that
is
also
last
time.
I
checked,
hadn't
Hado.
Oh,
it
looks
like
there's
fairly
strong
consensus
towards
doing
that.
Okay,
I
will
volunteer
to
work
on
press
Associates.
I
Yeah
and
don't
get
me
wrong,
I
wasn't
trying
to
to
give
you
more
work
I,
but
it's
just
that
we
said
well.
If
we
fix
this
in
the
way
we
discussed,
we
should
do
it
quick.
You
know.
I
just
saw
the
guys
working
from
on
the
salsa
generator
GitHub
action
that
they
are
ready
to
announce.
Another
implementation,
I'm
like
okay
as
time
goes
by
we'll,
have
more
and
more
implementations
into
the
wild
and
it's
bad
enough,
we're
breaking
them.
The.
H
C
C
Yeah,
just
two
issues
failed.
Since
the
last
time
we
met
and
discussed
issues,
one
was
on
making
more
of
the
fields
and
the
the
verification
summary
at
a
station
optional
and
better
describing
how
to
verify
VSA,
and
there
is
an
Associated
pull
request
for
that.
That
Chris
has
opened
as
a
draft.
While
we
work
on
other
things
for
the
v1.1.
I
So
I
saw
the
pr
in
fact
I
am
not
in
the
issue,
but
yeah
and
I
I
wanted
to
ask.
Aren't
we
breaking
backward
is
this?
Is
not
a
Backward
Compatible
change
again
right
because
for
the
producer?
Yes,
because
you
go
from
required
to
optional,
but
on
the
verifier
side,
all
of
a
sudden
you
need
to
handle
the
fact
that
it
may
not
be.
There
am
I
wrong
here.
C
C
A
C
A
I
A
I
I
Of
your
fire
doesn't
need
to
be
updated,
that's
all
I
mean
and
again
I
mean
David
this
not
to
say
that
we
cannot
do
it
because
we
already
agreed
with
Rick
salsa
one
with
one
one
anyway.
So
at
this
point,
where
it's
like
yeah
pack
as
many
making
changes
as
you
can
on
that
one.
So
you
don't
have
to
do
that.
Every
single
time.
D
So
yeah
this
would,
from
my
understanding
this
would
break
macaron
as
well
as
the
verifier
as
in
like
because
now
somebody
shows
it
is
optional.
It'll
still
try
and
parse
it
as
as
required.
The
macaron
folks
are
working
out
of
they
work
out
of
I,
believe
APAC
time
zones,
so
they're
not
going
to
be
on
now.
H
C
C
Different
group,
we
have
different
group
of
consensus
here
this
week
than
we
had
last
week
right
so
that
if
you
ask
the
same
question,
you'll
get
different
answer
because
there's
different
participants
so
I,
of
course,
I'm
wondering.
Do
we
need
to
better
document
our
like
approved
interpretation
of
what
December
requirements
mean
for
salsa,
because
otherwise
we
can
just
re-litigate
this
every
time
we
want
to
change
and
then
that
we
either
have
no
constraints
or
we
are
always
doing
major
version
increments.
A
Yeah
I
I
think
if
I
may
I
think
there's
two
different
issues.
Should
these
changes
be
accepted
and
then,
if
they
are,
what's
the
version
number
and
I
guess,
maybe
I
guess
we're
afraid.
If,
if
we,
if
it
becomes
a
major
number,
then
we
would
be
even
more
picky
about
accepting
I
I.
You
know
I
with
all
due
respect
to
Oracle
I.
Why
I
mean
none
of
these
things
seem
like
terrible
hardships,
I
mean
if
you
want
to
have.
A
A
I
C
D
Yeah
so
I
think
I'm
actually
of
the
opinion,
like,
obviously
that
that
the
more
sorts
of
these
changes,
the
the
harder
it
is
to
get
folks
to
build
tooling.
That
will
support
all
the
things
because,
like
I
think
I
mean
we're
seeing
this
pretty
heavily
even
now
in
the
s-bomb
space
that,
like
a
lot
of
folks,
are
not
actually
generating
valid
spdx
or
Cyclone
DX
they're
generating
stuff
that
looks
very
similar
to
it.
D
So
obviously
the
more
changes
we
make
in
this
space,
the
the
harder
it
is,
it's
going
to
be
to
sort
of
verify
those
things
so
I
do
want
to
say
that,
like
with
that
said,
I
do
think
the
the
more
we
can
encode.
These
changes
also
into
something
like
a
a
semantically
rich
data
type,
whether
it's
a
Json
schema
or,
or
you
know,
protobufs
with
annotations
or
similar.
D
D
D
Yes,
as
much
as
possible
right,
there's
always
you're,
always
probably
going
to
lose
some
semantic
information
right
in
certain
cases,
annotations
won't
get
everything
right
because
you
might
annotate
something
you
know
as
like
hey.
This
is
even
though
it's
a
string,
it's
bytes,
which
means
it's
like
a
base64
encoded
set
of
bytes
right.
But
in
certain
cases
you
might
say,
hey.
This
is
a
shot
256
and
certain
things
are
going
to
have
annotations
that
say:
yeah.
We
support
arbitrary
sort
of
stuff
like
that,
but
other
things
are
going
to
say
no
no
shot.
D
D
You
know,
Json
schema
and
vice
versa,
take
Json,
schemas
and
turn
it
into
rough
code
and
yayada,
and
so
the
more
that
we
can-
or
you
know,
protobots
or
whatever
so
the
more
we
can
kind
of
include
in
there,
the
the
easier
it
is
for
those
updates
to
be
just
like.
Oh
I
pulled
in
the
new
Json
schema
I
pull
in
the
new.
What's
it
called
rdf
or
whatever
you
know,
what
are
those
things
I
pull
in
the
new
one
and
I
change.
D
You
know,
as
opposed
to
changing
thousands
of
lines.
I
just
change
a
few
hundred
lines
to
to
make
it
more
compliant
with
the
other.
One
I
think
that
sort
of
thing
is
is
really
useful
go,
and
this
is
to
be
clear
here.
This
is
something
from
somebody
who
is
actively
trying
to
write
salsa
tools,
and
so,
if
things
change,
it
makes
it.
You
know
it,
it
makes
it
a
little
bit
more
and
but
what
it's
worth,
though,
I
would
still
make
the
change
that
fixes
things.
D
You
know
the
the
what
the
in
Toto
Library
the
secure
systems
lib
stuff,
if
I
just
include
the
new
version,
the
new
secure
systems,
lib
stuff
great,
it's
super
simple.
If
I
have
to
write,
you
know
rewrite
a
thousand
lines
of
code
that
that's
I'm,
a
little
less
inclined
to
maybe
we'll
think
about
only
doing
it
for
major
versions.
H
C
Tension
here,
I
do
work
on
another
open,
suspect
project.
That
basically
is
stuck
in
a
can.
We
ever
break
major
version
Loop,
but
I
do
think,
there's
a
risk
that
if
we,
if
there's
a
if
there's
too
much
Reliance
on
like
a
a
Proto
buffer,
similar,
then
folks
pay
even
less
attention
to
the
actual
spec
than
they
already
do.
And
therefore,
if
you
change
things
outside
of
the
data
format,
then
the
you
know
they
might
claim
compliance
without
actually
having
implemented
those
changes.
C
D
D
C
C
Oh
yeah.
The
other
issue
was
oh
look.
I'm
looking
in
the
wrong
repository,
I
was
momentarily
startled
by
an
issue.
I
didn't
recognize
it's
because
I'm
looking
at
a
different
repo,
so
the
only
other
new
issue
was
updating
the
notes
to
reflect
the
fact
that
openness
setups
have
moved
some
of
the
meeting
minutes
to
new
documents
that
are
in
there
share
Google
Drive.
So
we
have
some
convenience
redirectors
in
the
website
and
I've
already
filed
a
pull
request
to
go
up
to
those.
C
So
thanks
everyone:
it
was
a
way
livelier.
Discussion
than
I
was
expecting
and
a
lot
of
interesting
conversation
and
I
think
we've
got
some
good
future
work.
So
yeah
appreciate
everyone's
time
today
and
I'll
see
you
on
select
issue
tracker
and
then
hopefully,
here
next
week
or
maybe
not
next
week,
right,
it's
a
U.S
holiday
next
week.
I
think
we
agreed
to
cancel
all.