►
From YouTube: SLSA Specifications Meeting (May 1, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
A
B
Yeah
I'm
the
Victoria
I've
been
joining
some
other
meetings,
but
then
having
I'm,
not
a
secure
expert.
That's
why
I
tend
just
to
listen,
but
as
soon
as
salsa
one
is
now
formally
announced.
It
can
firmly
just
I
guess,
trying
to
understand
salsa
and
especially
in
relationship
to
like
s2c2f
and
understand
the
whole
nine
yard.
From
here
great
welcome.
C
Sure
so
I
know
I
spoke
about
some
of
this
in
some
of
the
other
salsa
meetings
last
week,
but
I
know
we
canceled
this
one
last
week,
so
for
I'll
go
over
at
least
some
of
the
stuff
real
quick,
so
kubecon
Europe
was
I
guess
about
two
weeks
ago.
At
this
point
overall,
it's
also
1.0
went
over
very
well
with
with
Folks
at
kubecon.
They
were
very
excited
there
as
well
and
for
folks
who
didn't
see
it.
C
You
must
have
you
know,
let's
say
something
like
this:
you
know
salsa
level,
two
or
salsa
level,
three
for
your
your
build,
there's
some
discussions
about
like
how
we
might
Implement
that.
So
that's
that's
something!
That's
kind
of
coming
around
and
pretty
cool
with
that
said,
there
was
some
stuff
that
that
people
had
questions
about.
C
A
C
My
bad
via
the
links
you
can
see
the
1.0
example
and
that's
fine
I
think
the
thing
that
people
are
trying
to
say
is
like
hey:
what
does
that
kind
of
look
like
or
or
is
there
like
an
example
here
of,
let's
say
taking
the
social
GitHub
generator
or
or
something
like
that,
because
two
main
reasons
for
it?
One
is
for
end
users
to
better
understand
like
what
are
they
expecting?
C
What
should
that
kind
of
thing
look
like
and
secondarily
for
folks
who
are
building
out
tools,
they're
kind
of
just
sort
of
saying
hey?
What
does
this
you
know?
Is
there
like
a
good?
You
know,
example
here
that
I
can
take
a
look
at
for
for
my
own
tool,
whether
it's
a
generator
or
validator
or
verifier,
or
something
like
that
so
yeah.
That
was
the
other
thing.
There
was
lots
of
questions
around
conformance.
C
A
lot
of
folks
were
just
like:
hey
it's
a
little
unclear
to
me.
You
know,
there's
a
few
folks
who
were
had
good
feedback
which
I
you
know
around
like
Hey.
How
do
we
know
that
people
are
actually
following
salsa
and
not
just
claiming
to
I,
said
well,
there's
a
conformance
program
around
that
there's,
there's
also
I,
think
one
of
the
things
that
came
out
both
from
kubecon
as
well
as
some
of
the
discussions
right
after
kubecon.
C
One
of
the
big
things
was
based
on
some
of
the
conformance
draft
stuff
and
based
on
some
of
what
we've
already
seen
as
the
examples
given
that
somebody
who
makes
a
claim
about
like
I
I,
have
a
salsa
conformance
Conformity
build
system.
It
is
very
clearly
I
have
a
running
system,
and
this
is
what
it
looks
like
and
that's
easier
to
do.
C
C
How
do
you
sort
of
do
that,
and
also
how
do
you
do
that
in
a
way
where
a
smaller
company
doesn't
feel
compelled
to
just
use
GitHub,
let's
say
or
git
lab
or
Circle
Ci
or
you
know
another
SAS?
You
know
they
might
feel
a
little
bit
pushed
in
that
direction,
that
that's
the
only
viable,
you
know
less
costly
option,
and
so
that
was
actually
a
thing
that
we
were
talking
about.
C
Also
in
the
tooling
side
that
it
might,
if
tooling,
can
make
it
very
easy
to
at
least
provide
a
report
or
something
like
that
of
a
salsa
compliant
build
system,
and
so
that
folks
can
just
sort
of
push
that
out
that
that
might
be
useful.
Anyway,
that's
I
think
those
were
the
the
main
things
and
then
there
was
just
some
general
thoughts
which
was
like
hey
they'd
love
to
see
more
examples.
C
Generally,
you
know
more
sorts
of
like
hey
if
you're
this
sort
of
company,
these
are
the
sorts
of
things
you're
doing
that
kind
of
thing
which
I
think
that'll
come
with
time
and
then
a
lot
of
questions
around
hey
I.
They
would
love
to
see
examples
or
demos
of
like
we
tried
to
do
a
thing.
You
have
salsa
three
compliance
cool.
This
is
how
it
we
detected
that
thing
or
we
detected
or
remediated
against
that
that
bad.
You
know
that
that
attack.
B
A
A
D
D
If
nobody
else
has
any
other
comments
on
on
what
might
present
I
can
just
talk
about
what
I
was
looking
for,
so
I
know
that
there
is
a
road
map,
but
that
road
map
for
2023
is
not
specific
in
terms
of
what
a
plan
is
when
we
want
to
try
and
start
working
on
the
next
iteration
of
of
salsa
and
and
so
I
I
was
just
curious.
What
thoughts
were
around
it?
D
D
E
So
I
presented
the
the
road
map
to
this
specification
group,
as
well
as
the
overall
salsa
group,
and
the
consensus
was
that
they
didn't
want
to
put
timelines.
They
didn't
want
to
make
it
too
specific.
They
just
wanted
to
say
this
is
what's
next
and
then
or
this
is
what
we're
going
to
work
on
next
versus
you
know
future,
because
we
haven't
been
great
at
timelines,
so
that
was
just
the
feedback
that
the
group
had
for
the
roadmap,
which
is
why
it's
the
way
it
is,
and
so
obviously
we're
all
volunteers.
E
D
Yeah
I
wasn't
on
those
meetings.
I
was
a
little
bit
of
a
late
Joiner
to
the
community,
so
I
didn't
get
that
that
full
background
and
I
I
understand
that
there
are
no
timelines
committed
for
the
overall
priorities,
but
that
doesn't
mean
that
we
can't
identify,
maybe
some
shorter
timelines,
some
shorter
common
periods
or
whatnot
for
being
able
to
help
grow
the
the
specification
as
it's
currently
presented,
Mike.
C
Yeah,
so
I
can
I
have
one
of
the
things
actually
I
forgot
to
mention
was
some
of
the
stuff
that
that
folks
had
brought
up
at
kubecon
some
of
the
feedback
I
got
regarding
the
build
tracks,
I'm,
sorry
regarding
the
different
tracks
and
and
just
to
be
clear
overall,
they
really
appreciated
the
difference
in
track
so
that
they
understand
like
why
we've
pulled
out
a
lot
of
people.
Folks
had
questions
like
hey.
Why
exactly?
Did
you
stop
doing
two-person
code
review
again?
It's
like!
Well,
it's
not
that
it's
bad!
C
It's
that
we
want
to
separate
out
the
build
from
some
of
these
other
pieces.
I.
Think
generally
and
I
know
this
doesn't
help
is
generally
there.
There
seem
to
be
folks
who
wanted
a
little
bit
of
everything
like
you
had
folks
who
were
like
yeah,
I'd
love
to
see
the
source
stuff
get
fixed
up
a
little
bit
more.
You
had
folks
who
were
asking
for
you
know.
I
know
we
had
talked
about
this.
Maybe
something
like
a
build
system
track.
C
I
can't
remember
who
had
brought
this
up
previously,
but
around
hey
like
what?
What
does
it
take
to
make
a
salsa
a
salsa,
secure,
build
system
or
a
build
system
that
that
can
you
know,
you
know,
provide
secure,
salsa
Providence,
that
kind
of
thing,
so
there
was
some
stuff
around
that
that
seemed
to
be
less
of
a
concern.
C
They,
you
know,
sort
of
felt
like
a
conformance
program
or
whatever
would
help
out
there,
but
the
other
big
one
was
fossil
level
four,
even
if
it's
like
aspirational
and
not
or
a
spec
I.
Think
folks
really
want
to
know
that
salsa
hasn't
forgotten
about
the
future
steps
and-
and
some
of
these
other
things,
because
I
think
they
were
some
of
the
comments
I
had
gotten
were
like
something
akin
to
oh
did
was
Salsa
forced
to
to
lower
its
standard,
because
other
people
can't
hit
it.
I
was
like
no.
No,
no!
No!
C
It's
it's
more
because
of
confusion
around
what
hermetic
means
around
you
know.
What
does
it
count
like
what
counts
as
repeatability
versus
reproducibility
versus
whatever
so
I
think
those
were
the
big
ones
with
the
two,
the
two
big
ones
being
source
and
like
hitting
you
know,
L4
and
then
with
a
secondary
thing
of
like
hey,
even
if
folks
got
pointed
in
the
right
direction
of
look
at
this
other
specification
for
secure
builds.
We
think
that
if
you
generally
follow
these
rules,
you'll
probably
be
salsa.
Conformant
I.
D
Just
to
poke
on
the
the
aspirational
comment,
I
think
that
that
one
bit
of
feedback
that
I've
heard
is
that
there's
really
a
desire
to
be
able
to
have
bars,
set
and
metrics
to
find
that
are
measurable,
so
that
it
can
be
potentially
continuously
validated.
That
builds
are
actually
conforming
to
these
build
systems.
D
F
Yeah
thanks
this.
This
may
be
well
anyway.
I
think
this
might
be
said
somewhere,
but,
but
if
not,
it
might
be
worth
pointing
out
is
that
it
looks
like
incorrect
me
if
I'm
wrong,
so
we're
certainly
focusing
on
the
build
track.
I
think
we've
sort
of
implicitly.
If
you
think
about
it,
it's
also
can
be
broken
into
four
separate
tracks
right
as
Bill.
Obviously
it
is
the
package
drag
which
I'm
not
sure
we
talked
about
is
the
dependencies
track.
F
If
you
want
to
call
it
that
and
then
the
source
track
which
we're
planning
to
maybe
go
into
salsa
2.0,
but
it
might
be
worth
pointing
out
that,
if
we're
not
planning
to
work
on
some
areas,
so,
for
example,
I
think
dependencies
track
is
one
of
them.
We
talk
about
how
you
might
integrate
as
bombs
into
salsa,
but
we
don't
mandate.
Anything
I
was
just
wondering
whether
it's
worth
clarifying
that
again,
we
don't
have
to
do
it
now,
but
might
be
worth
clarifying
following
Michael's
comment
earlier.
D
D
It's
whatever
is,
is
can
be
encapsulated
in
a
coherent
track,
which
has
progress
going
from
some
zero
level
to
to
some
higher
level.
It
doesn't
even
have
to
max
out
at
level
four
or
something
like
that
is.
Is
that
what
you
were
you're
talking
about,
or
was
there
something
else
that
you
were
thinking
of.
F
G
It
down
I
was
debating
putting
it
down
I
I
I'm,
going
back
to
the
conformance
the
program
and
talking
about
all
this
tooling
and
and
as
I
just
at
my
first
joined
joined.
The
group
here
I've
been
listening
a
lot
over
the
last
few
months,
I
think
I
stressed
I
was
a
former
auditor
and
that's
one
of
the
reasons
why
I
joined
salsa
is
to
kind
of
talk
about.
How
do
we
do
the
access
stations?
How
do
we?
G
How
do
we
actually
get
to
a
point
where
people
now
like
trust,
what
salsa
is,
but
what
people
are
saying
about
their
their
environments
like
if
they
say,
they're,
they're,
three
or
four?
What
does
that
really
mean
and
I'm
part
of
me,
and
this
will
put
my
hand
down
because
I'm
not
sure
how
to
bring
it
up?
G
Yet
it's
concerned
that
we're
solving
the
how
versus
the
why
or
the
what
first-
and
it
just
feels
like
we're-
you
know-
we've
got
a
great
we've
got
one
of
those
out
now
and
there's
some
questions
around
well,
how
do
well?
What
does
this
really
mean
and
we're
talking
about
tooling
and
various
things
without
actually
talking
about?
G
A
A
G
I
love
security,
I
I
think
everyone
should
be
doing
security
because
it's
the
best
thing
to
do,
and
this
is
the
security
versus
compliance
discussion
in
a
moment,
as
as
the
federal
mandate
is
driving,
s-bombs
I
see
sausage
me
picked
up
speed
when
I
saw
well
okay
with
responsible.
What
are
we
gonna
do
about
it?
Why
are
we
doing
it?
How
do
we
attest
to
that?
G
Salsa
is
answering
that
question
for
me
if
we're,
but
we
can't
trust
people
we're
going
to
do
softly
because
the
best
thing
to
do
honestly
I,
don't
there
are
organizations
and
teams
that
will
you
know
I
I,
just
there's
going
to
be
driven
into
it.
People
are
busy
and
we
need
to
give
them
an
incentive
to.
Why
should
they
do
this
because
somebody's
gonna
mandate
somewhere-
and
we
want
to
make
sure
we're
alignment
source-
is
the
answer
for
that?
F
E
So
so
there
is
a
a
blog
post.
We
have
to
update
it
for
1.0,
but
there
was
at
least
one
or
two
around
that
that
topic
of
well
there's
this
White
House
Executive
Order,
there's
ssdf.
How
does
salsa
map
to
that?
So
one
of
the
the
tracks
on
the
positioning
group
is
updating
that
blog
post,
so
that
it
is
mapping
to
the
current
1.0,
because
right
now
that
blog
post
is
for
version
0.1.
A
A
That
seems
like
that
might
be
a
good
approach.
Just
from
like
a
like.
How
do
we
present
this
information?
So
people
kind
of
see
like
what
is
the
current
work
in
progress
and
then
folks
that
kind
of
work
you
know
as
as
as
people
you
know,
have
an
interest
in
working
on
something
like
oh
I
want
to
try
to
resolve
the
source
track.
G
I
want
to
go
back
a
little
bit
to
the
comments
from
kubecon
tie
into
this
a
little
bit
and
the
fact
that
people
felt
this
was
a
SAS
or
be
hard
for
the
on-prem
or,
and
it
feels
almost
like
you
know
we
went
from
that
into
a
tooling
conversation,
but
I'm
I'm,
going
through
as
we're
talking
I'm
kind
of
going
through
this.
This
spec
kind
of
reading
things
from
like
a.
G
How
would
somebody
attest
to
this,
and
it
got
me
thinking
about
in
my
my
experience-
was
one
of
the
PCI
space
I
referred
that
a
lot
and
things,
but
the
PCSB
says
here's
the
evidence.
You
need
to
gather
now,
PCI
messed
up,
because
they
didn't
allow
for
a
digital
way
of
gathering
it
and
having
and
having
tools
for
Automation,
and
we
can
solve
that
piece.
But
if
we're
looking
at
this,
the
spec
is
there
and
I
apologize.
I
missed
a
couple
meetings
with
traveling
things
over
the
last
few
few
weeks.
G
Where
are
we
with
actually
turning
some
of
these
things
into?
You
know:
how
do
we?
How
do
we
go
from
saying
how
you
do
something
to?
How
do
you
say
you've
done
that?
You
know
how
what
sort
of
evidence
is
a
minimum
level
of
evidence
to
specify
that,
with
or
without
a
tool
to
gather
it?
You
know
how
do
we
because
I
I
I'm
concerned
people
are
thinking
the
Zone
can
be
done
with
SAS,
because
they
can
they,
but
again,
SAS
providers
don't
share
how
they
do
the
back
end.
C
Yeah
so
I
think
that's
actually
one
of
the
questions
about
how
some
of
the
stuff
in
the
conformance
program
and-
and
this
was
also
something
that
was
brought
up
a
couple
of
weeks
ago-
I'm
blanking
on
the
name
of
the
the
person
who
brought
this
up
around
the
build
like
something
like
a
build
system
track
or
a
build
Service
track,
something
like
hey.
You
meet
these
sorts
of
requirements
based
on.
C
It's
very
easy
for
me,
as
a
provider
to
provide
you
know,
somebody
came
in,
did
an
audit
or
whatever,
however,
I
provide
that
information
I
provide
that
to
the
public.
You
know,
whereas
a
lot
of
folks
were
like
wait.
Does
that
mean
me
as
an
Enterprise
I
need
to
use
one
of
these
sasses,
because
I
can't
provide
enough
information
publicly
for
some
reason
or
another,
like
that?
That's
kind
of
where
I
think
a
lot
of
the
confusion
lies
and
then
also
for
a
lot
of
folks
who
said
like
hey
I
run
a
small
company.
C
My
CI
system
is
something
I
run
internally,
but
in
order
for
me
to
do
you
know
all
this
reporting
we're
a
small
company.
I
can't
do
all
this
reporting
blah
blah
like
what
does
that
look
like?
How
do
you
make
that
easier
for
the
for
the
end
user,
I
think
for
first
for
these
smaller
organizations
that
are
like
selling
software
or
whatever.
A
Probably
goes
a
long
way
that,
like
you,
should
you
must
do
this
and
like
when
I
guess
it's
you
know,
I
also
think
it's
probably
similar
to
how
you
select
a
vendor
for
anything
else
like
if
you,
for
example,
if
you're
going
to
use
a
cloud
hosting
provider,
many
customers
want
some
sort
of
documentation
or
other
claims
from
the
company
that
they
are
following
certain
practices.
This
is
how
we
architect
our
system.
These
are
our
procedures.
This
is
how
we
do
this.
A
H
Yeah
I'm
here
yeah
I'm,
listening
to
this
conversation,
I'm
not
entirely
sure
what
to
say,
because
I
I
believe
that
securing
a
build
platform
is
a
fundamentally
hard
task
and
it
will
not
be
easy,
especially
for
small
companies
and
sometimes
it's
worth
paying
other
companies
for
a
service.
I.
Don't
I
find
it
odd
to
shy
away
from
that.
C
I
don't
mean
this
like
as
an
accusation,
but
like
a
lot
of
folks
sort
of
look
at
a
lot
of
the
the
people
who
are
key
contributors
here
and
they
go
and
they
go
and
say:
oh
you
have
folks
from
you
know:
GitHub
you
have
folks
from
Google.
Oh
great,
it's
I
see
it's
something
to
push
GCB
or
something
to
push
GitHub
actions.
C
A
A
I
I
think
if
I
were
selecting
a
vendor
and
they
were
a
small
company
that
probably
switching
to
a
cloud.
Well,
that's
a
smaller
big
it
matters,
but
like
there
are
some
advantages
to
having
a
a
single
hosted,
build
provider
right
because,
like
has
I
as
a
customer,
don't
have
to
evaluate
each
one
individually.
I
could
just
say:
okay,
I've
already
added
XYZ
company,
if
you're
using
them.
I
just
know
that
that
they're
doing
the
right
thing,
I
think
also.
B
A
I'm
not
sure
how
much
value
there
is
in
switching
that,
because
a
lot
of
this
is
around
how
we
could
scale
security,
because,
like
you're
trying
to
remove
trust
and
like
not
have
to
trust
everything
for
individual
developers
because,
like
I,
you
know
across
like
many
organizations
many
people
it's
hard
to
know
that
everyone's
doing
the
right
thing.
But
in
a
small
company
where
you
know
everyone
I'm
not
sure.
H
So,
following
the
chat
it,
it
sounds
like
I
I
should
say:
I'm
not
familiar
with
PCI,
but
it
sounds
like
the
my
proposal,
for
the
conformance
program
is
sorry.
Josh
is
in
my
proposal,
for
the
conformance
program
is
somewhat
similar
in
that
there
there
is
a
survey,
you
can
fill
it
out
yourself
and
publish
it
on
your
website
or
you
can
pay
somebody
to
inspect
your
system
and
fill
it
out
for
you
and
give
it
their
stamp
of
approval
it.
F
I
should
should
all
make
a
point
of
reading
it.
I
just
wanted
to
add
the
point
that
you
know
between
talking
about
like
big
shops
and
small
shops.
We
should
also
not
forget,
maybe
there's
something
in
between
like
open
source
communities
like
let's
say
Debian
Dave
probably
will
continue
to
maintain
their
own
private
bill
servers.
I
know,
Pipi
has
talked
about
someday
building
their
own
Wheels
Bill
farm.
So
we
have
to
keep
those
in
mind
also.
C
And
how
do
we
make
sure
that
folks
recognize
through
something
like
examples
or
similar
so
that
they
don't
just
assume?
Oh
I,
can
only
do
this
via
GitHub
right
or
you
know
in
a
lot
of
it,
has
less
to
do
with
anything
other
than
just
like.
If
you
look
at
the
blogs
or
you
look
at
the
the
projects
under
salsa
framework,
people
go
and
say:
oh
everything
seems
to
be
geared
towards
GitHub.
C
I
was
like
no,
this
there's
other
ones
out
there
right
and
I
pointed
folks
in
the
direction
of
some
of
the
other
things
like,
because
we
have
that
Jenkins
plugin
that
Samsung
had
contributed
and
and
there's
Fresca
and
there's
tecton
chains
and
there's
all
that
sort
of
stuff.
I
just
think
it's.
It's
I,
think
more
of
a
communication
and
messaging
problem.