From YouTube: SLSA Specifications Meeting (May 1, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
Hey everybody, thanks for joining. As a reminder, please register your attendance in the meeting notes, which are just pasted in the chat, and also, if you have any agenda items, please go ahead and add them.
A
First, I'll take the time to welcome any new members. If you want to briefly say hello, you're welcome to do so.
B
Yeah, I'm Victoria. I've been joining some other meetings, but I'm not a security expert. That's why I tend just to listen, but as soon as SLSA 1.0 is now formally announced, I guess I'm trying to understand SLSA, and especially in relationship to, like, S2C2F, and understand the whole nine yards from here. Great, welcome.
A
I think that might be so. Welcome, Hector. I think Mike had the first item on the agenda.
C
Sure, so I know I spoke about some of this in some of the other SLSA meetings last week, but I know we canceled this one last week, so I'll go over at least some of the stuff real quick. So KubeCon Europe was, I guess, about two weeks ago at this point. Overall, SLSA 1.0 went over very well with folks at KubeCon. They were very excited there as well, and for folks who didn't see it,
C
there were a few projects, in particular Argo and Prometheus, that went through SLSA v0.1 audits through the CNCF, so that went over pretty well as well, which was nice, and then they plan to continue doing that now for SLSA 1.0. And then there's some interesting discussions happening within TAG Security under the CNCF about potentially requiring, like, SLSA for projects for something like graduation.
C
You must have, you know, let's say something like this: you know, SLSA level two or SLSA level three for your build. There's some discussions about, like, how we might implement that. So that's something that's kind of coming around and pretty cool. With that said, there was some stuff that people had questions about.
C
One is, there's a concern around, like, really right now no working 1.0 examples, and how can we start getting 1.0? You know, what does 1.0 look like? How can we get some examples around there? Or rather I should say why 1.0 examples, I mean 1.0 for the spec, for the provenance. It's back.
C
I know that largely, you know, stuff is still compliant even if it is the 0.2 of the provenance spec, but I know folks are like, hey, I don't see any examples for 1.0 of the spec. There's still lots of questions around conformance, and in particular one of the things that was kind of, oh, actually, before I continue, Mark.
C
My bad. Via the links you can see the 1.0 example, and that's fine. I think the thing that people are trying to say is like, hey, what does that kind of look like, or is there like an example here of, let's say, taking the SLSA GitHub generator or something like that? Because there are two main reasons for it. One is for end users to better understand, like, what are they expecting?
C
What should that kind of thing look like? And secondarily, for folks who are building out tools, they're kind of just sort of saying, hey, what does this, you know, is there like a good, you know, example here that I can take a look at for my own tool, whether it's a generator or validator or verifier or something like that? So yeah, that was the other thing. There was lots of questions around conformance.
C
A lot of folks were just like, hey, it's a little unclear to me. You know, there's a few folks who had good feedback, which, you know, around like, hey, how do we know that people are actually following SLSA and not just claiming to? I said, well, there's a conformance program around that. There's also, I think, one of the things that came out both from KubeCon as well as some of the discussions right after KubeCon
C
was this general confusion around what conformance means, and perhaps it being very, it feels heavily skewed towards SaaS, right.
C
One of the big things was, based on some of the conformance draft stuff and based on some of what we've already seen as the examples, given that somebody who makes a claim about, like, I have a SLSA conformance, conformity build system, it is very clearly "I have a running system, and this is what it looks like," and that's easier to do.
C
There's some confusion around what that is, there is, and then what else was there? Yeah, and pretty much lots of questions around self-hosted, like how does somebody self-host a SLSA conformant build system and provide enough data to be conformant, especially given that some of the stuff might be, hey, I'm not giving you access to my, you know, unlike GitHub, which can be poked around a bit because it's public?
C
How do you sort of do that, and also how do you do that in a way where a smaller company doesn't feel compelled to just use GitHub, let's say, or GitLab or CircleCI or, you know, another SaaS? You know, they might feel a little bit pushed in that direction, that that's the only viable, you know, less costly option, and so that was actually a thing that we were talking about.
C
Also on the tooling side, that it might, if tooling can make it very easy to at least provide a report or something like that of a SLSA compliant build system, so that folks can just sort of push that out, that might be useful. Anyway, I think those were the main things, and then there was just some general thoughts, which was like, hey, they'd love to see more examples.
C
Generally, you know, more sorts of, like, hey, if you're this sort of company, these are the sorts of things you're doing, that kind of thing, which I think will come with time. And then a lot of questions around, hey, they would love to see examples or demos of, like, we tried to do a thing. You have SLSA three compliance, cool. This is how we detected that thing, or we detected or remediated against that bad, you know, that attack.
A
Thanks, Mike. Yeah, I would like to, personally I would like to try to work towards addressing these sorts of things, because actually this rolls into Andrew's next topic of, like, where do we go next?
A
I would like to, you know, have active work on, I'm kidding, because all these are kind of things we kind of knew about going in, but didn't have time to address. This could be like a help-us-prioritize what to work on.
D
I think, and my goal is just one, just went to win, and I'll talk to some people tomorrow, but we're thinking about doing some type of SLSA 1.0 plus one month type of blog post, to address some of these potential issues and try to clarify some of them just in a blog post, so maybe being able to shed some light on some of these types of questions and issues.
D
If nobody else has any other comments on what Mike presented, I can just talk about what I was looking for. So I know that there is a roadmap, but that roadmap for 2023 is not specific in terms of what a plan is, when we want to try and start working on the next iteration of SLSA, and so I was just curious what thoughts were around it.
D
I know that Trishank had some comments in Slack as well about a comment period, and so also kind of maybe trying to think about what can be done while waiting for the comment period. What should we wait to hear back from comments?
E
So I presented the roadmap to this specification group, as well as the overall SLSA group, and the consensus was that they didn't want to put timelines. They didn't want to make it too specific. They just wanted to say this is what's next, or this is what we're going to work on next versus, you know, future, because we haven't been great at timelines. So that was just the feedback that the group had for the roadmap, which is why it's the way it is, and so obviously we're all volunteers.
E
So if people want to volunteer for a specific thing, I think the priorities are the ones that are up top. So I just wanted to give you that background, if you weren't on those meetings.
D
Yeah, I wasn't on those meetings. I was a little bit of a late joiner to the community, so I didn't get that full background, and I understand that there are no timelines committed for the overall priorities, but that doesn't mean that we can't identify maybe some shorter timelines, some shorter comment periods or whatnot for being able to help grow the specification as it's currently presented. Mike.
C
Yeah, so I can, I have, one of the things actually I forgot to mention was some of the stuff that folks had brought up at KubeCon, some of the feedback I got regarding the build tracks, I'm sorry, regarding the different tracks, and just to be clear, overall they really appreciated the difference in tracks, so that they understand, like, why we've pulled out a lot of people. Folks had questions like, hey, why exactly did you stop doing two-person code review again? It's like, well, it's not that it's bad!
C
It's that we want to separate out the build from some of these other pieces. I think generally, and I know this doesn't help, is generally there seem to be folks who wanted a little bit of everything. Like, you had folks who were like, yeah, I'd love to see the source stuff get fixed up a little bit more. You had folks who were asking for, you know, I know we had talked about this, maybe something like a build system track.
C
I can't remember who had brought this up previously, but around, hey, like, what does it take to make a SLSA secure build system, or a build system that can, you know, provide secure SLSA provenance, that kind of thing. So there was some stuff around that that seemed to be less of a concern.
C
They, you know, sort of felt like a conformance program or whatever would help out there, but the other big one was SLSA level four, even if it's, like, aspirational and not a spec. I think folks really want to know that SLSA hasn't forgotten about the future steps and some of these other things, because I think some of the comments I had gotten were like something akin to, oh, was SLSA forced to lower its standard because other people can't hit it? I was like, no. No, no! No!
C
It's more because of confusion around what hermetic means, around, you know, what counts as repeatability versus reproducibility versus whatever. So I think those were the big ones, with the two big ones being source and, like, hitting, you know, L4, and then with a secondary thing of, like, hey, even if folks got pointed in the right direction of "look at this other specification for secure builds, we think that if you generally follow these rules, you'll probably be SLSA conformant."
D
Just to poke on the aspirational comment, I think that one bit of feedback that I've heard is that there's really a desire to be able to have bars set and metrics defined that are measurable, so that it can be potentially continuously validated that builds are actually conforming to these build systems.
D
Assuming you have some kind of platform-level, maybe, conformance, but then any kind of additional requirements on top of some base platform really should be defined in a way such that proper metadata can be associated with it, in order for it to be automated in its acceptance.
F
Yeah, thanks. This may be, well, anyway, I think this might be said somewhere, but if not, it might be worth pointing out, is that it looks like, and correct me if I'm wrong, so we're certainly focusing on the build track. I think we've sort of implicitly, if you think about it, it also can be broken into four separate tracks, right: as build, obviously, there is the package track, which I'm not sure we talked about, there is the dependencies track,
F
if you want to call it that, and then the source track, which we're planning to maybe go into SLSA 2.0. But it might be worth pointing out that, if we're not planning to work on some areas, so, for example, I think the dependencies track is one of them. We talk about how you might integrate SBOMs into SLSA, but we don't mandate anything. I was just wondering whether it's worth clarifying that. Again, we don't have to do it now, but it might be worth clarifying following Michael's comment earlier.
D
But does that speak to a process? I think that, like what Melba shared now, that first bullet, process for creating tracks, is that kind of what you're getting at, is it doesn't necessarily only have to be four?
D
It's whatever can be encapsulated in a coherent track, which has progress going from some zero level to some higher level. It doesn't even have to max out at level four or something like that. Is that what you were talking about, or was there something else that you were thinking of?
G
It down, I was debating putting it down. I'm going back to the conformance program and talking about all this tooling, and as I just first joined the group here, I've been listening a lot over the last few months. I think I stressed I was a former auditor, and that's one of the reasons why I joined SLSA, is to kind of talk about: how do we do the attestations? How do we?
G
How do we actually get to a point where people now, like, trust what SLSA is, but what people are saying about their environments, like if they say they're three or four, what does that really mean? And part of me, and this will put my hand down because I'm not sure how to bring it up yet,
G
it's concerned that we're solving the how versus the why or the what first, and it just feels like we're, you know, we've got a great, we've got one of those out now, and there's some questions around, well, how do, well, what does this really mean? And we're talking about tooling and various things without actually talking about:
G
what is, how do we establish the trust? So that's why I put my hand up, because I wasn't sure how to express what I was feeling there when we were talking about that. So we can just drop it for now. I'll bring it back up when I can think better about it.
A
That's a good point. Personally, I think a lot of emphasis and questions seem to be on, like, how do we transfer trust across organizations? Like, you know, you have a vendor and they are doing something, and how do you verify that they are definitely technically doing this, and, you know, there's: can we do attestations or, like, trusted computing or something like that?
A
We actually, we currently have the slsa.dev slash use cases, and I would like to better emphasize that, like, you could use SLSA just within your organization. You don't have to convince anyone else, you're only trying to convince yourself, and so that's like a valid thing, and, like, organizations can do that today, and you don't have to solve any of those problems, and, you know, if you, yeah, yeah.
G
I love security. I think everyone should be doing security because it's the best thing to do, and this is the security versus compliance discussion. In a moment, as the federal mandate is driving SBOMs, I see SLSA picked up speed when I saw, well, okay, with responsible, what are we gonna do about it? Why are we doing it? How do we attest to that?
G
SLSA is answering that question for me. If we're, but we can't trust people, we're going to do SLSA because it's the best thing to do. Honestly, I don't, there are organizations and teams that will, you know, I just, there's going to be driven into it. People are busy and we need to give them an incentive to. Why should they do this? Because somebody's gonna mandate somewhere, and we want to make sure we're in alignment. Source is the answer for that?
E
So there is a blog post. We have to update it for 1.0, but there was at least one or two around that topic of, well, there's this White House Executive Order, there's SSDF. How does SLSA map to that? So one of the tracks on the positioning group is updating that blog post, so that it is mapping to the current 1.0, because right now that blog post is for version 0.1.
A
Kind of bring it back to Andrew's original point about what we are, you know, like plans and roadmap. I think it would, it seems like it would probably be a good idea if we had a place where we could iterate on stuff that's, like, not ready to be published.
A
Like the, you know, the future source track, higher build levels, a future dependency track and all those kind of, like, half-baked versions.
A
That seems like that might be a good approach, just from, like, a "how do we present this information?" So people kind of see, like, what is the current work in progress, and then folks that kind of work, you know, as people, you know, have an interest in working on something, like, oh, I want to try to resolve the source track.
D
Yeah, I think that makes sense, because just having a scratch pad or a development space to work, maybe somebody wants to try and clarify, well, like, I opened an issue where I feel like there might be some, we might have to figure out something with the Builder ID being unique between the different SLSA levels, because it could be possible that you would fall back to SLSA 3 if some user-specific input for self support doesn't work, so, like,
D
if you want to try and figure out what it means to be build SLSA 4, and maybe what effect that has in the provenance Builder ID, then you have a space to do that without modifying the published specification.
G
I want to go back a little bit to the comments from KubeCon. They tie into this a little bit, and the fact that people felt this was a SaaS, or would be hard for the on-prem, or, and it feels almost like, you know, we went from that into a tooling conversation, but I'm going through, as we're talking, I'm kind of going through this spec, kind of reading things from, like, a,
G
how would somebody attest to this? And it got me thinking about, in my experience, was one of the PCI space, I referred to that a lot and things, but the PCSB says here's the evidence you need to gather. Now, PCI messed up, because they didn't allow for a digital way of gathering it and having tools for automation, and we can solve that piece. But if we're looking at this, the spec is there, and I apologize, I missed a couple meetings with traveling things over the last few weeks.
G
Where are we with actually turning some of these things into, you know: how do we go from saying how you do something to how do you say you've done that? You know, what sort of evidence is a minimum level of evidence to specify that, with or without a tool to gather it? You know, how do we, because I'm concerned people are thinking the zone can be done with SaaS, because they can, but again, SaaS providers don't share how they do the back end.
C
Yeah, so I think that's actually one of the questions about how some of the stuff in the conformance program, and this was also something that was brought up a couple of weeks ago, I'm blanking on the name of the person who brought this up, around the build, like something like a build system track or a build service track, something like, hey, you meet these sorts of requirements based on,
C
let's say, this evidence, you know, and that kind of thing goes, you know, like, whatever is required to do that, and we haven't really defined, really, outside of saying, you know, run it in a trusted control plane and you should be doing some of these basic things. I think the thing that has kind of come out of that, though, was a little bit of, like, if I'm a giant company and I sell CI as a service,
C
it's very easy for me, as a provider, to provide, you know, somebody came in, did an audit or whatever, however I provide that information, I provide that to the public. You know, whereas a lot of folks were like, wait, does that mean me, as an enterprise, I need to use one of these SaaSes, because I can't provide enough information publicly for some reason or another, like that? That's kind of where I think a lot of the confusion lies, and then also for a lot of folks who said, like, hey, I run a small company.
C
My CI system is something I run internally, but in order for me to do, you know, all this reporting, we're a small company. I can't do all this reporting, blah blah, like, what does that look like? How do you make that easier for the end user, I think, first for these smaller organizations that are, like, selling software or whatever.
A
Yeah, like, I'm coming at this from a big company perspective, so I realize I'm biased here. I guess when I think about this, of, like, when we consume software, like, what would it take for us to be confident that someone is doing this? I mean, there's also "better is the enemy of good" here, that, like, right now we don't have anything, and so putting it into contracts
A
probably goes a long way, that, like, you should, you must do this. And, like, when, I guess it's, you know, I also think it's probably similar to how you select a vendor for anything else. Like, for example, if you're going to use a cloud hosting provider, many customers want some sort of documentation or other claims from the company that they are following certain practices. This is how we architect our system. These are our procedures. This is how we do this.
A
They, you know, they'll respond to specific customer requests to give them confidence that, you know, they're meeting all their security needs, and you're able to do that without actually letting the customer come in and, like, query things and look at source code. So I guess I, maybe naively, was imagining at least a good start out, sort of like that.
A
Not as much of a, you know. We could start simply as an informal thing and then, you know, make it more rigid as needed.
H
Yeah, I'm here. Yeah, I'm listening to this conversation. I'm not entirely sure what to say, because I believe that securing a build platform is a fundamentally hard task and it will not be easy, especially for small companies, and sometimes it's worth paying other companies for a service. I don't, I find it odd to shy away from that.
C
So, to be clear, I agree with that general premise of, hey, it's hard to secure. I don't think it's necessarily that. I think the thing is, when you look at a lot of smaller companies that are like, hey, I'm doing all the right things, but I don't have a whole team that can run a conformance program or yada yada to kind of prove that to the world, or how do I prove that to the world, is kind of a bigger thing. And I also, like, one of the things that was a very clear perception from a lot of the folks at KubeCon was SLSA is something that can only be handled by, like, they look at the, you know.
C
I don't mean this, like, as an accusation, but, like, a lot of folks sort of look at a lot of the people who are key contributors here and they go and say: oh, you have folks from, you know, GitHub, you have folks from Google. Oh great, I see, it's something to push GCB or something to push GitHub Actions.
C
That's not, you know, I recognize that that's not the case, right. It's all about actual security. I think the thing here, though, is I think we have almost like a duty to make sure that it's easy enough for other folks to still do.
A
I think if I were selecting a vendor and they were a small company, that probably switching to a cloud, well, that's a smaller, big, it matters, but, like, there are some advantages to having a single hosted build provider, right, because, like, as a customer, I don't have to evaluate each one individually. I could just say: okay, I've already added XYZ company; if you're using them, I just know that they're doing the right thing, I think also.
A
I'm not sure how much value there is in switching that, because a lot of this is around how we could scale security, because, like, you're trying to remove trust and, like, not have to trust everything for individual developers because, like, you know, across, like, many organizations, many people, it's hard to know that everyone's doing the right thing. But in a small company where you know everyone, I'm not sure.
H
So, following the chat, it sounds like, I should say I'm not familiar with PCI, but it sounds like my proposal for the conformance program is, sorry, Josh is in my proposal, for the conformance program is somewhat similar in that there is a survey: you can fill it out yourself and publish it on your website, or you can pay somebody to inspect your system and fill it out for you and give it their stamp of approval.
F
I should, we should all make a point of reading it. I just wanted to add the point that, you know, between talking about, like, big shops and small shops, we should also not forget, maybe there's something in between, like open source communities, like, let's say, Debian, they probably will continue to maintain their own private build servers. I know PyPI has talked about someday building their own wheels build farm. So we have to keep those in mind also.
C
Yeah, and just to be clear, I actually think that Chris's proposal is mostly there, and I think the thing really is, like, yeah, as somebody who's also done
C
PCI compliance, right, like, there's certain things that absolutely, right, if you are a payment, like, if you're one of the big payment processors like a Visa or a MasterCard, right, you're going to be under a much stricter sort of set of requirements compared to, hey, I'm a small shop that just so happens to accept credit card payments, right. I think the thing is, from our end, I just think there is, it's more, it's less about the actual content and more about how we message and communicate that content.
C
And how do we make sure that folks recognize, through something like examples or similar, so that they don't just assume, oh, I can only do this via GitHub, right? Or, you know, a lot of it has less to do with anything other than just, like, if you look at the blogs or you look at the projects under the SLSA framework, people go and say: oh, everything seems to be geared towards GitHub.
C
I was like, no, there's other ones out there, right, and I pointed folks in the direction of some of the other things, like, because we have that Jenkins plugin that Samsung had contributed, and there's FRSCA and there's Tekton Chains and there's all that sort of stuff. I just think it's, I think, more of a communication and messaging problem.
A
Okay, all right! Well, it's good seeing everyone. We'll talk to you later online or see you next week.