From YouTube: SLSA Specifications Meeting (June 12, 2023)
A: I'm better, and the Canadians have stopped burning their forests, presumably because there are fewer trees now.
A: Yeah, I don't know if you've heard much about the... I live on the U.S. east coast, and the U.S. east coast has been covered for days.

I have heard about it, yeah, yeah, I mean, you know.

Public schools have basically canceled all outdoor events, and I just decided, you know, I'm not exercising, I'll just sit outside under an awning and that won't be too bad, and I ended up with a headache by the afternoons, and, well.

Okay, to be honest, I didn't know about it. I went out and enjoyed the day.
A: Right, right, I live near Washington DC, which is, you know, quite a bit south, and even so, I mean, you know, serious impact on air quality. It's very, very difficult to get a mental picture of just how big this fire was.
D: Yeah, yeah, I was out at DevOps Days in New York City, and like the skies were all relatively blue, and then midway through I'm like, what, it's... everything's orange.
A: Yes, I did, and that one's shocking. I understand, you know, that bad things happen, but normally bridges don't fall down even under pretty stressful situations. So I am certain there's going to be an in-depth investigation of that. So that's rather shocking.
A: So it turns out that Mark Lodato is off this week, so we're gonna have to decide on a chair, I guess, right, for the cat herder.

A: Does anybody want to... I mean, David, I'm sorry, I...
C: Yeah, I volunteered last week to run the meeting when Mark mentioned he would be out this week, so I can certainly, okay, attempt to do that. We've got a fairly light agenda, although David, you've added something this morning. So that gives us something to talk about at least. I should first of all mention that the meeting is recorded, and we will abide by the Linux Foundation code of conduct during the meeting, as we always do, as I always try to in the SLSA community. As I just mentioned, we've got a really light agenda today. The first thing we always do is welcome new members and give them an opportunity to introduce themselves, so I'm not sure whether we have any new members today. I recognize everyone's names, but that doesn't mean you've been to this meeting before.
C: So please speak up if you're a new member and would like to, yeah, introduce yourself to the group.
G: Hey, I'm Josh Clements, I'm new-ish. I've been lurking a bit in all sorts of OpenSSF stuff, just because I saw the OpenSSF Day at the last Open Source Summit and I made the mistake again... I keep using the same joke, other people keep, yeah, and thank you, David, you keep laughing, I love it. I made the mistake of telling my boss that I went to those things and he's like, sweet.

G: You're a new person that does that, and I'm like, all right, cool, but that's okay, I like it, I dig it, you go. So far everybody's really welcoming, I love the work y'all are doing and I'm looking forward to participating and contributing.
C: Welcome, Josh.

G: I'm also near DC, David, so maybe someday we'll go get a beer.
A: Love to, love to. I see very many, a whole bunch of Zoom calls, so I'm always welcome... If you're in the area, you know, come meet and such.
H: And I'm Matt Wood. I've been part of... I guess attending the Integrity, I don't know, weekly meeting or bi-weekly meeting a bit for a while, first time at this particular meeting. My primary focus these days is trying to get SLSA principles and stuff implemented internally for a lot of our CI, and so, yeah, I want to make sure that the spec is, I guess, understandable within an enterprise context.
C: That's awesome. Anything like that you run into while you're working to adopt SLSA internally is definitely feedback we want to hear and try and address, so yeah, welcome to the group.

C: Anyone else? Then we can move on to the next topic.
C: I put issue triage on here, but I'm going to suggest we tackle David's discussion topic first.
D: David.

A: I could not be here last week. I noticed that some discussions happened, yes, about meeting conflict.
D: Yeah, yeah, no, no problem, yeah, it's just like, because I'm like, yeah, we did go over a little bit of issue 873, and particularly, I think one of the things that we were talking about was just to kind of provide a little bit of context that maybe isn't exactly in the thing here. But what was... hold on, one thing that was brought up by Mark and a few other folks was like not getting hung up on definitions and more just sort of really just stating very clearly what we're actually intending to do. So, as opposed to saying something "semantically equivalent", just listing, you know, in the requirement, two sentences of what the expectations are.
A: Yeah, and I think that that's a fair point. The phrase I used... I'm the one who created this issue, anyway, 873, my eyesight is so great, yeah, 873. You know, I don't know if this is the right phrase, but I think "verifiable build" is kind of the notion here. I think, you know, so much of SLSA right now, you know, the current track is all about...
A: We now have this concept of tracks, and in fact it looks like we have multiple levels, because, and right, we can blame Michael Scovetta for pointing out some of this, where some of the challenges in building reproducible builds are because of things like date timestamps. Well, what are the odds of the date times... You know, if software is exactly the same except there's some internal date and time, date/timestamp differences.
A: Does that represent a risk? Probably not. So okay, so there basically looks like there's multiple levels of ways to deal with this. So unfortunately I have some other things that in the short term I'm gonna have to deal with, but one of the other comments was, hey, who's going to be doing the work? I think that's actually a fair question. It's all great to have an idea and nobody's doing any work, but all that's not going to go anywhere, so I'd be happy to help with that.
A: The gold standard is bit-for-bit reproducibility, and then there's... well, what can you back off, if you assume that the source code wasn't malicious but the build process might have been, and there's ways to basically rebuild and detect certain differences that are highly unlikely to produce malicious code. And I'm done. Mike, Michael Lieberman.
D: Yeah, I think on that end there's like a lot of different properties, whatever we want to call them there, right, which is like, yeah, exactly, like bit-for-bit binary reproducibility, you know that A and B are the same. No, I think, you know, even among, you know, "reproducible", quote unquote, reproducible builds, right, it depends on how folks sort of view what is a build as well, right, like when it comes to some of that.
D: There's things where can you detect that actually it was built a second time versus just somebody gave you the same artifact, you know, and not to say that that's a... that, you know, but I think the thing there, right, I think is we're looking at stuff like, you know, bit-for-bit binary...
D: Reproducibility, probably, you know, it's number one, but there's also other things that are like, when you talk about reproducibility, one of the big ones that kind of comes out of that, like the Bazel, Blaze, Pants and Nix world, is the like, can you reproduce all the inputs, right? Could you essentially provide the same... because, well, that's actually kind of a very complicated problem of, are you actually holding on to all the things you used in your build, right, because you're not using it and it's, let's say...
D: For example, one of the things that happens, right, is, oh, it turns out a library gets updated and they delete the old version of the library, and now all of a sudden you're like, oh well, I haven't updated to the new version of the library, but I can't reproduce this anymore, because, right, this thing doesn't exist.
A: I get, for that latter one, let me quickly respond. I guess my notion is that this isn't just that you could, it's conceptually possible, but that someone has actually... someone has independently tried to do... well, "independent", I don't know, maybe be a little careful here, but basically someone has actually attempted and succeeded in reproducing it, at, you know, either bit for bit or except for date/time stamps, which implies that at least at the time of the event, the bits were available.

A: Now there is a fair question about, you know, how do you know for sure the bits won't go away? I mean, that's rough. I mean, you know, if somebody takes the internet down, there's a whole lot of things that I won't be able to get.
D: Yeah, and I just wanted to throw one more thing out there, which I think is tied to that concept and also tied to the tracks. I think one of the things we had brought up prior, right, was one of the reasons why we had gotten rid of SLSA level four originally was because we wanted to focus purely on the things that were completely dependent on the build and only the build. But I think when we start to look at some of the stuff like reproducibility...

D: One of the things that it requires is the ability to have access to the things that a previous build had, so that you can then run those, you know, reproducible elements, and then that kind of ties into no longer the build. Perhaps in certain elements, right, you might say, okay, great, now there needs to be something like a source and dependencies track where the source and dependencies should be at, you know, you should be able to go back at a given time and look at your source and dependencies up to some time window.
F: Could somebody, assuming the things have not been pulled off the internet, reproduce this? I think that should be what we figure out how to say succinctly, because I don't think we want to hold over everyone's head the requirement that they do what we do, which is hold a copy of everything. Like, that would be great if they do, because that's, you know, the way we found to work around it, and gave people pulled stuff, but I don't think we should force everyone into that if they don't want to.
B: So I've been going down that path a while back of what would happen if you pulled down everything and cache it all, and some of that gets into what Michael and David have been talking about, which is that when two different people pull it down, you're definitely going to get things in the header, HTTP headers, stuff like that, if you start proxying all the requests through. I'm just comparing two different builds that both go out to the internet and proxy and pull down data: you're going to get differences in there, API keys to access things, you're pulling down container images, yeah, Michael's point of the project there, HTTP, lock, project timestamps, all kinds of stuff show up in those HTTP headers. That gets you down to this problem that David's looking at, which is how do you compare semi-reproducible in there?
A: I mean, if you go down that road, there's the "which IP address did I download this from", you know, I probably don't care. Did I get... is this a reputable source, am I getting the same thing, yeah, in...
B: Some cases, yes; in other cases, if you want to say, tell me about this container image up on a Docker registry, you really care about those headers, because they include the digest of what that tag points to, they include the media type of what that is, and so there are some important values in there. You don't want to just blanket exclude everything.
D: So one thing I think that's probably worth calling out here a little bit is I think this sort of thing of, like, even sort of what are the levels of reproducibility of the inputs, per se, I think that sort of thing is valuable to sort of even make levels out of, right. You might say, great, this level is, you know, you can pull down the same hash every time, there might be...

D: You know, because I think sort of going back and saying, you know, something like source and dependencies level four is you have captured those things, because in certain cases I think even SSDF or one of the NIST or CISA sort of things that came out recently, or not recently, but one of those things from SSDF or similar does call out, like, if you can, you should actually be...

D: You should be holding on to everything you download, right, so that you always can go back to it for forensics and other purposes. And yeah, like, not everybody's going to be doing that, and in fact some folks might say, hey, I've contracted, you know, I've hired ActiveState or whatever to do those things for me, and other places are going to say...

D: Nope, I'm pulling everything down myself, and other folks are gonna say, yeah, I'm actually not super worried about that, and so I'm okay with being a lower SLSA dependency level than, you know, other folks. Sorry, Mikey.
E: Yeah, so one comment I have to say, in reproducible builds, is that not only the parts of the product are important, but also like the build packages and the binaries and all the actual code on the pipeline that is going to manipulate this data into an artifact. We've gone... I don't think like exactly this route.

E: But what we've done in our own product is like following the file system on the syscall level with ptrace, but then like jumping between all these processes that build, and containers and namespaces, to follow all the inputs and outputs of a build system, and basically explode out all the files that were not touched and the files that were touched during the build. Basically you have a big amount of data on your builder: what was the process on the file system level?
A: Yeah, by the way, I would like to try to separate the "can I get the source and keep that" versus the build, because I think those are two different challenges.

A: npm has a process, basically after left-pad, where after a certain number of days they will not delete packages, unless, I presume they would if it was legally obligated, but other than that they won't delete them, and that at least partially deals with the problem of "hey, I can't get it now". I realize there's more to it, but I would like to separate the problems, because otherwise you try to put it all together in one place, it gets hard. I think that's why we end up with tracks in the first place.
C: Yeah, I completely agree. I think we've had some discussion about a separate dependencies track for a while, and a lot of the things we were just talking about would fall within two concerns we've discussed, yeah, making up that, yeah: can you fully enumerate what goes into your build ahead of time, and then can you later retrieve those things? One of the things I'm wondering about with the semantically reproducible builds, or I forget what second term you introduced...
C: I haven't read the issue in detail, so forgive me if you've already discussed it there, but I'm curious how it fits into the threat model of SLSA and how it fits into the guiding principles, because we ended up with these principles about, you know, trusting platforms and like high automation and things, and my experience of reproducible builds is that the value is in being able to reproduce it.
A: That, I think, is exactly the right question. If you don't mind, I want to try to answer it quickly. I don't think it's written as clearly as it should be, and in fact on my personal website I actually talk a little bit about this, because it doesn't seem to be written down anywhere, which is kind of a problem. Okay, so all right, so you and I are on the same wavelength here, all right, so hopefully maybe as part of this process we can fix that, all right.
A: So, given that, here's the quick summary. The threat model that is being concerned about with reproducible builds is that the source code's okay; it is not... I just read the source code, it does not describe malicious software, it is software that is intended to do some positive purpose, okay. However, during the build process itself, the software was manipulated in a way so that the resulting build was malicious.
A: Okay, that's part one, and part two is that this implies that somehow someone got into the build process and subverted it. This is not an idle case. This is exactly what happened with SolarWinds, okay, with SolarWinds Orion specifically, okay, where somebody got into the build process, subverted it; the original source code was fine, the resulting executables were malicious. Now, there's two basic approaches to dealing with this, and I would argue that both of them have their place. One approach is protect the stinking build environment, which seems like a good idea.
A: That's where SLSA is today. It's, you know, basically you try to put the build environment in a place that you trust, you'll harden it up. Now, to be fair, the SolarWinds folks actually did have their own separate build environment. They had some protective measures. I think the review of other people is that it was not as hardened as it should have been, but it wasn't just sitting underneath somebody's desk.
A: There was a dedicated system specifically for building, and there was an attempt at hardening, so inadequate. So the other approach is, you know, hey, hardening the build, very good idea; however, hardening something against all attacks for all future times is rather hard. So the other mechanism is protect but then detect. So if your protection mechanisms fail, do we have a detection mechanism to detect that a subverted build got out anyway? And that's what reproducible builds and semantic equivalency are all about.
A: Can you examine a resultant build and verify that it was generated from that purported source code? Now, all things have limitations: if the source code's malicious, what reproducible builds and semantic equivalency will tell you is that the build system is exactly as malicious as the source code was, all right. It doesn't protect against malicious source code by itself. It does not protect against trusting-trust attacks, so if you use a compiler that's subverted, so if it's not the build process but the actual tools, that's a different kind of attack.
A: If you want to know how to counter that attack, I know somebody wrote a PhD dissertation on diverse double-compiling, and there's some other techniques too for dealing with that case. To be fair, those are pretty advanced attacks, and you would need reproducible builds, or at least semantic equivalency, before you've even worried about that other case. So basically there is a threat model. There are things it covers and things it doesn't. It's not well documented.
A: We would need to fix that, but hopefully, verbally, and I didn't try to take notes because it's hard for me to talk about these and take notes at the same time, but hopefully at least that makes sense, that there is a threat model, and whether or not that's important, well, that's why we have different tracks. You don't...
C: So I know both Mike and Brian have got their hands up, but I just want to quickly respond. So I did take notes, I tried to summarize what you said, David. The thing I wanted to just quickly point out is that we have in the past, in this meeting, discussed how reproducible builds might be a way to achieve SLSA without necessarily having the level of infrastructure that SLSA currently implies, because SLSA is about...
A: If I may quickly answer, and then let's go on to the people who actually raised their hands, but I think you were asking a question of me. I think they work together, right. You know, the old peanut butter and jelly kind of thing. If you can verify a whole bunch of low quality builds, you know, I mean, you know, all your reproductions could be separated too. You want to protect and detect.

A: I don't think you just want one or the other, maybe a weak one because you have limited resources, but I think really you want both. You want to harden the build to reduce the likelihood of attack, and then you verify it anyway so that the few that slip through still get detected. And I think, was it Michael or Brandon? I'm sorry, I don't know who was... that's Michael.
D: Oh, so yeah, yeah, no, I agree with David there. I think the things from that, I think we were thinking through from like the threat model perspective, right, is the majority of stuff in build provenance, right, is around essentially protecting against attacks to the actual build system, and so you can help prevent or detect attacks based on, assuming you are running reproducible builds in separate build environments, and I think that was one key bit of it.
D: I think that makes sense to be part of the build, but I think this opened up another sort of open question, especially as we kind of move on to tracks, right, which is this is where it's almost like the reproducible element relies on, like as a dependency...
D: It relies on some of these other tracks, potentially, right, because you need to be able to have that. And so I think it's probably worthwhile, as we think through the threat models and some of this stuff, it's like, if we go to a source track and a build track, and we start to think about the higher level build track, we start to think about stuff like, hey, these requirements from the higher level...
D: Build track depend on you being SLSA level two source, or something like that, right, because based on this, this and this you need to have, you know, you must be keeping the source indefinitely or whatever, right. Those sorts of things then allow you to then say, yep, this build is reproducible because I'm holding on to that information, and it's not something that you would imagine being a requirement of the build itself, because the build should just, if you gave me the same source and the same dependencies...
B: Yeah, we're going up and down the pipeline here, because you go up the pipeline to make sure that everything coming in is right, and I was raising my hand because I was going to go the other direction, which is downstream of us in the pipeline. I want to make sure that we don't stop short and say we just want to use reproducible builds for detection. I think it's very trivial to go from detection to prevention of running stuff that isn't reproducible.

B: You can just have multiple signers on your container images, if you're building containers, just from two different places, and then set a policy up in your production environment that says make sure this was signed by two different parties out there that I trust. And so I think it's very easy to go from that detection to prevention, and I'd look to add that in there as well.
C: Cool, sorry, yeah, I know how what Mike said is related to what Brandon just said, but when Mike was talking, one of the things I was a little worried about is that talk of independent, interdependent tracks sounds, well, sounds complicated, effectively, and I'm curious... it's too early to tell, but I will be wary of defining a new track that has implicit dependencies on parts of other tracks, because the track system had been imagined to be independent.
D: Yeah, so I think they should be very clearly explicit. Like, I think the thing, right, with some of the build stuff, as we start to think of it a little bit more holistically, I think you still get a lot of value out of them still being completely independent, but still, at the end of the day, right, like one of the things we were talking about is when you start to tie the pieces together you get a lot more benefit, right, because you end up with a situation of like, yeah, if I know... like right now the build stuff is just like, I'm gonna pull in some source code, and the build system should pull in the source code from the right place, but has no idea of whether or not it's actually downloading source from, you know, that it was hacked, right.

D: It's like, hey, I downloaded this from an approved place, but it turns out it had been hacked or whatever, whereas you could imagine a source track helps provide guarantees around what that source is, which then makes the build a little bit better. But I do think, for what it's worth, one of the things we should probably do is try and keep those dependencies at the higher levels, so that for most folks it's like...

D: Oh, it's very easy to independently get here, here and here, but if you want to get to the max level, okay, that's where you're thinking about the big picture. And once again, I think that's kind of much further down the line, but I do think one of the reasons why we started talking about hermeticity and we started talking about reproducibility, and why it was causing us issues, was, well...

D: If we require reproducibility, then we need to require holding on to the source and dependencies so that we can reproduce them, and is that a requirement of the build? Probably not, right? It's a requirement of other things that you rely on as part of that sort of overall software delivery life cycle.
C: Yeah, okay, so I think we're on a similar page, at least the way I've always imagined it is that if you fully declare your inputs, you can reproduce the build. If you can't get your hands on those inputs, that doesn't mean the build's not reproducible anymore. That just means you...
C: I mean, we're going down and down here, so I mean there's potentially some really interesting work to come out of this, I think. I just encourage us to be focused on being able to state what the threat is and how we're addressing it before we get too deep into the complexity, yeah, well.
C: I feel like we've kind of hit the point of diminishing return on that discussion. We can jump into some other issue triage, though I note that Chris drove that last week and he's back here today.
A: Before we move on, if I may, I'd just like to get a sense of the room. It sounds like people are intrigued, and at least that this would be a plausible topic to pursue. Obviously things need to be worked through to turn this from a nascent, vague idea, but I heard lots of interesting discussion, I didn't hear any strong opposition. Did I read the room wrongly, or is that fair?
C: Yeah, I think that's a reasonable interpretation. There's clearly some reproducible build fans on the call. The only concern raised was how it fits into the SLSA model, right.
D: Yeah, I think the... if there's the thing that I think is probably worthwhile as takeaways, and once again I know we all have way too many things to do to figure out all this, right, but I think the takeaway I heard was we need to think of what are all the things that would actually be part of this, and then think how does it currently fit into the SLSA model?

D: Does it require changes to how we think about the SLSA model at all, and if so, how, with those... maybe being something like, actually reproducibility is a requirement of the build, but in order for you to actually still be able to do the reproducibility, you still need, you know, it requires some element of source or dependencies, you know, requirements.
A: Right, so it sounds like this is of interest for the future, and what I would suggest right now is there is an issue; post your ideas there, and, you know, if you're interested in working on this further, I'll mention that too in the issue.
C: Okay, we have...

C: Not sure how useful it is to do triage here, but okay, unless anyone is super enthusiastic to do that, I think I'm going to propose we wrap up early, unless anyone has any late-breaking topics.
I: I also wanted to ask: did I miss anything, or where did we leave the issue we talked about with the... was it the resource descriptor type for the format? We said folks will hold their nose and call it a minor version revision. I haven't seen any PR.
C: That is absolutely correct. There has not been a PR. The discussion was summarized in the issue, yeah.
C: That would probably help. There's some ambiguity, because we all agreed it would be easier if the in-toto attestation folks changed to match SLSA, and a relationship with upstream for that community, but that has also, last time I checked, hadn't happened. Oh, it looks like there's fairly strong consensus towards doing that. Okay, I will volunteer to work on the associated PRs.
I: Yeah, and don't get me wrong, I wasn't trying to give you more work, but it's just that we said, well, if we fix this in the way we discussed, we should do it quick, you know. I just saw the folks working on the SLSA generator GitHub Action, that they are ready to announce another implementation, and I'm like, okay, as time goes by we'll have more and more implementations in the wild, and it's bad enough we're breaking them.
C: So it would make sense, maybe, if we reached out to those folks and said, hey, we're going to do this imminently, perhaps you want to hold off.

C: Okay, cool, I will endeavor to work on the changes required this week.

C: Okie dokie, thanks for raising that. So we had...
C: Yeah, just two issues filed since the last time we met and discussed issues. One was on making more of the fields in the verification summary attestation optional and better describing how to verify VSAs, and there is an associated pull request for that that Chris has opened as a draft while we work on other things for the v1.1.
I: So I saw the PR, in fact; I am not in the issue, but yeah, and I wanted to ask: aren't we breaking backward... is this not a backward compatible change again, right? Because for the producer, yes, because you go from required to optional, but on the verifier side all of a sudden you need to handle the fact that it may not be there. Am I wrong here?
C: Yeah, we're making various required fields optional, so that does change the semantics for the verifier.
I: All right, I mean, wait, do we have the people from Oracle who built Macaron? Does that impact Macaron, for instance?
I: Every verifier needs to be updated, that's all I mean. And again, David, this is not to say that we cannot do it, because we already agreed to break SLSA 1.0 with 1.1 anyway. So at this point it's like, yeah, pack as many breaking changes as you can into that one so you don't have to do that every single time.
D: So yeah, this would, from my understanding, this would break Macaron as well as the verifier, as in like, because now, if somebody shows it is optional, it'll still try and parse it as required. The Macaron folks work out of, I believe, APAC time zones, so they're not going to be on now.

D: I do think, though, that... and this is less about...

D: One of the things here that I think would help, actually, never mind, never mind.
C: I mean, I don't think it's necessarily the writing. It's a valid question. I do wonder if we need to be like...

C: Different group... we have a different group of consensus here this week than we had last week, right, so if you ask the same question you'll get a different answer because there's different participants. So of course I'm wondering, do we need to better document our, like, approved interpretation of what semver requirements mean for SLSA, because otherwise we can just re-litigate this every time we want to change, and then we either have no constraints or we are always doing major version increments.

C: So I think it's probably reasonable to try and capture consensus around an interpretation of what constitutes a breaking change or not, and then we can kind of refer to that document in future.
A
Yeah, I think, if I may, I think there's two different issues: should these changes be accepted, and then, if they are, what's the version number? And I guess, maybe, I guess we're afraid that if it becomes a major number, then we would be even more picky about accepting. You know, with all due respect to Oracle, I mean, none of these things seem like terrible hardships. I mean, if you want to have, you know, the URL, you know, here's the URL and you have to be authorized to see it. So I guess I'm not sure we want... step one, do we actually want to do this, and then step two, what is the version number if we do?
C
Well, I think the context is that we have decided to make a 1.1 release and these changes are specifically being suggested as included in that. So I think, right, we've already decided we want to make a release somewhere. We don't want it to be a major version increment.
D
Yeah, so I think I'm actually of the opinion, like, obviously, that the more sorts of these changes, the harder it is to get folks to build tooling that will support all the things. Because, like, I think, I mean, we're seeing this pretty heavily even now in the SBOM space, that, like, a lot of folks are not actually generating valid SPDX or CycloneDX; they're generating stuff that looks very similar to it.

So obviously the more changes we make in this space, the harder it is, it's going to be, to sort of verify those things. So I do want to say that, like, with that said, I do think the more we can encode these changes also into something like a semantically rich data type, whether it's a JSON schema or, or you know, protobufs with annotations or similar.

So in certain cases there could be a change to something like the protobuf that still has huge semantic changes, and you would have no idea unless you, like, looked at the update to the actual spec. And so, if there's things that I... my only suggestion is just around, you know, the more we can communicate about these changes and make them also very simple to implement, the better. Because we don't want to end up in this... because already, right, like, one of the things is, is still where we don't have... you know, nobody's really following the SLSA 1.0 spec yet, as far as I can tell. I know there's a few open PRs and that sort of thing, but there's very few that are actually following 1.0 yet, and similar with, like, VSA and stuff like that.
C
Yeah, so in the discussion around annotations last week we said we need to clearly mark one format as the canonical format in the event of a conflict, and I think I'm hearing you suggest that that should be not prose but, like, something that code can be generated from.
D
Yes, as much as possible, right. There's always... you're always probably going to lose some semantic information, right. In certain cases annotations won't get everything right, because you might annotate something, you know, as, like, hey, this is, even though it's a string, it's bytes, which means it's like a base64-encoded set of bytes, right. But in certain cases you might say, hey, this is a SHA-256, and certain things are going to have annotations that say, yeah, we support arbitrary sort of stuff like that, but other things are going to say no, no, SHA.

I think there's going to be some back and forth on that, but the easier you make it on the end user, the easier it's going to be to sort of, you know, implement. And, like, just as an example, right, like, some of the stuff I've been poking around with, with a tool called Specter, is like I can sort of generate, you know, JSON schema and vice versa, take JSON schemas and turn it into rough code and yada yada. And so the more that we can, or, you know, protobufs or whatever, so the more we can kind of include in there, the easier it is for those updates to be just like, oh, I pulled in the new JSON schema, I pull in the new, what's it called, RDF or whatever, you know, what are those things, I pull in the new one and I change, you know, as opposed to changing thousands of lines, I just change a few hundred lines to make it more compliant with the other one. I think that sort of thing is really useful. And this is, to be clear here, this is something from somebody who is actively trying to write SLSA tools, and so, if things change, it makes it, you know, it makes it a little bit more... But for what it's worth, though, I would still make the change that fixes things.

I think the thing that you're gonna see, though, is, I think, there's going to be a question of, like, hey, do I wait for SLSA 1.5 or 1.6 or 2.0 before really going deep in it? And I think, when I think about that decision, it's all based on how hard is it going to be for me to implement. If it's just, I point to this new JSON schema, this new protobuf, this new whatever, and I change these five, six lines, right, or if I just include, you know, the new Go... you know, the in-toto library, the securesystemslib stuff, if I just include the new version, the new securesystemslib stuff, great, it's super simple. If I have to, you know, rewrite a thousand lines of code, that's... I'm a little less inclined to; maybe we'll think about only doing it for major versions.
C
Tension here: I do work on another open-source project that basically is stuck in a can-we-ever-break-major-version loop, but I do think there's a risk that if there's too much reliance on, like, a protobuf or similar, then folks pay even less attention to the actual spec than they already do, and therefore, if you change things outside of the data format, then, you know, they might claim compliance without actually having implemented those changes.

Right, I mean, I think there's a tension. I do completely sympathize with... it's weird, you know, your lived experience trying to implement tooling for this. I'm just personally conflicted about which is the right recommendation to make.
D
These things, I think that's okay, right, like, because one of the things I think is super nice about SLSA is our ability to be flexible, right, and with that comes, obviously, its own can of worms, because folks, like at very large enterprises, are going to say, hey, look, my life cycle to implement something like SLSA is going to be a year, and if you have five or six versions over that year, that's way different than hey...
C
I tried to capture some of that in the notes, but I don't know if I did a good job. So if you could review and provide feedback, that'd be useful, or just review and update, even.

Oh yeah, the other issue was... oh, look, I'm looking in the wrong repository. I was momentarily startled by an issue I didn't recognize; it's because I'm looking at a different repo. So the only other new issue was updating the notes to reflect the fact that OpenSSF has moved some of the meeting minutes to new documents that are in their shared Google Drive. So we have some convenience redirectors in the website, and I've already filed a pull request to update those.

Oh cool, thank you. And I think that's everything, with a minute.

So thanks, everyone. It was a way livelier discussion than I was expecting, and a lot of interesting conversation, and I think we've got some good future work. So yeah, appreciate everyone's time today, and I'll see you on the SLSA issue tracker and then hopefully here next week, or maybe not next week, right, it's a U.S. holiday next week. I think we agreed to cancel all.
D
Yeah, I think we sort of agreed to have the discussion here about whether or not we should cancel. All right, I'm down for canceling.
C
I think, given... yeah, I think we should. We can cancel it. If anyone objects, raise your hand.