From YouTube: SLSA Meeting (July 7, 2022)
One second, I'm on my MacBook and it's being a little strange today. Let me just share the agenda once again, okay, or just share the screen here. Okay, I'll give the whole spiel here. So just as a reminder, this meeting is under the OpenSSF and is also being recorded. Right, I don't see them.

Okay, so let's go through the agenda. So usually, first off, we start with any introductions. Is this anybody's first meeting, and do they want to introduce themselves?

This is my first time doing the call, and yeah, so this is Jimmy Ray from AWS. And this is my first time in this meeting as well, this is Sebastian Awad, I'm at Anaconda. I've previously worked on TUF and stuff like that, and it's my first technical, yeah. Hi everyone, this is my first time attending the South Summit.

Well, anybody else? Otherwise we can get started with the agenda.

All right, cool, well, welcome everybody. So let's start. Our first person on the agenda is.

That way, more than happy to create it, I just don't know where to create it. Based off of that thread, as well as I think there was an action item for this meeting to go over whether the community thought it was a good idea to have, at the top, something saying, you know, "guest post authored by a guest" versus an official community post. I think that was also in issue 309.

Yeah, I guess, since no one else is jumping in, I'm open to removing the guest-versus-other posts distinction and possibly removing the banner. I don't feel too strongly. I'd be happy to see those contributions.

I think why the guest post came up earlier, so you know: do we as a community want to have consensus on the blogs to make sure it is in line with our mantra, so to speak, right, or our thinking, versus a guest post that might be geared towards a particular, you know, application of SLSA or something like that, right. It's not necessarily the community speaking.

I think what we wanted was just clarity, right. You know, we just want to know what this is representing. Is this representing the collective views of the community, or is this just one person's sort of thing about SLSA? And I think, to be clear, both are extraordinarily valuable.
Yeah, I think also like your idea of putting down, like writing down, what the criteria for posting are and what the purpose is. I think that would remove that.

There's an effort with, you know, multiple participants from various companies, and so that's what would be representative of a community posting, so to speak, right. Obviously it would have to go through the official review, versus, you know, one person submitting something, that's more of a guest post if there isn't a wide consensus. But where would we put this? For my own knowledge, I know that there's like a governance folder, but.

Just a file, and link to the file, you know, the file display on GitHub. I feel like it's part of the contribution guidelines for the SLSA projects.

Because I think, just to add on another couple of cents, I think it's also valuable to maybe just highlight a couple of examples as well, to have an idea of, like, hey look, these are the sorts of guest posts we're actually looking for, because then we also don't want to just, you know, say: hey, any guest post that meets these requirements, because then it's just gonna lead to, I think, also a lot of folks who just don't know what sorts of things, what the SLSA community is looking for in a guest post. If I may, I have at least mined two main kinds of posts. That doesn't mean others can't happen, but I think for the broad community it's, you know, hey, here's this, here's a significant change to SLSA, or here is a clarification, or, you know, just a broad statement. For the individuals, at least, I thought

what we were talking about was, hey, we applied, we managed to apply SLSA in our project or in our company. Here's how we did it. And I think you can tell, even just by the tone, for that second category, it's not a "this is the one true way". In fact, I think we ought to be careful: if there is one true way, that had better be a community statement.

But, you know, if it's a, you know, hey, you see this broad requirement, here's how we did it in our circumstance, then you don't really need to get a broad consensus. You know, do we all agree that that's how they do it? I mean, okay, we probably still should double-check that it's not just, you know, a cheap sales pitch, but at least those were the two kinds of posts.

Yeah, I mean, I think there was also a couple of things that seemed to be related, which were, and maybe this will all sort of settle out as we build more community consensus around some of the things, but I know, look, one of the other reasons why we wanted some initial guest blogs was just to kind of show folks, yeah, like, hey, here's how you might do this. This is how we're viewing applying this, and I think it also ties into what Mark will be talking about. Items which is just the general, like, hey.
We want to make sure that we want to help folks, as SLSA is building, you know, as we're building out SLSA and gearing towards something like a 1.0, that folks understand what SLSA is. There's a lot of, like, outside of the actual, what's just purely on the website, there's a lot of confusion as to: is SLSA a specification? It's also a set of requirements, it's also a set of requirements and a specification, and a lot of these things were leading to a lot of confusion.

So we wanted to kind of get some guest blogs out there just to kind of say, hey, like, SLSA doesn't replace your SBOM, SBOM does not replace your SLSA, and help folks sort of understand that. I think that was kind of one of the key things there, right. Although I would think that that would belong in my first category, clarifications, you know: here's what this is, here's what it isn't, whereas that second one was more the, you know, how we're implementing, how we're applying, would be that second category. Yeah, yeah.

Sorry, when I wanted to make sure that if somebody is coming with an implementation, that it's also in conjunction with what the community views as a reasonable application of it. It's like if somebody says, hey, here's how we apply SLSA, and we go, you know, the community goes, actually, we don't think that's SLSA, I'm sure we want to kind of call that out.

Yeah, good point. Anything else on this topic? I'm more than happy to, you know, put together what's in that issue in one file, and if somebody tells me where to put it, then I'm more than happy to do that. Yeah, I'd say if you could, if you're willing to do that, and you can open a pull request against the SLSA repository, we can figure out any remaining details there. Okay, okay! Thank you. The other question I had was around our security process around code contributions.

I think this is timely because a couple weeks ago I posted this, thinking that there would be a meeting during OSSNA, that I didn't see any security policy enabled. I didn't see WhiteSource scanning or Mend scanning, I didn't see Renovate or Remediate from Mend as well.

I didn't see Scorecard enabled, or Allstar, and now I see Renovate enabled on some code repositories. I think it was like nine days ago, someone
enabled it, and some others don't. So I'm trying to make sure that if there is code that's being contributed by the community as a subgroup of OpenSSF, that we use security first, and we have that policy of: if you're going to create a new code repo, these are the things that you must do before we start doing commit codes. You know, onboard Renovate, you know, do Scorecard, etc., etc. I think that will help make things consistent across the repos. It'll also give the community the feeling of, hey, they take security seriously as OpenSSF, because right now, just looking at it, it doesn't appear that security's baked in, and there's nothing I can see. I'm not.

I think in conjunction with maybe the other OpenSSF groups that are out there, like securing repos and whatever.

It would be nice to just kind of say: hey, here's what SLSA is, and SLSA's not just applying SLSA to itself, but also applying the other best practices in the community to how we manage, because remember, SLSA is mostly for, like, builds right now and provenance around that. But it would still be, I think, really useful to sort of highlight that, yes, SLSA is, I don't know, doing two-person code reviews on all code that's coming in, outside of, let's say, a demo repo intended to show.

And we need to practice what we preach, right. So I'm not sure if there is consensus on, you know, having that process documented, and then we can slowly start making sure that all the repos are, you know, checking off those checkboxes. But, you know, I won't.

Yeah, that's great. Would you mind filing an issue? And then I think it's really just having people do it. Like, I personally don't know what all those things are or should be, like I don't really... This is my first foray into the open source world; like, I hadn't previously had any open source projects.

I've just been following the Scorecard efforts and, you know, some of the other OpenSSF projects, but I am new as well to the open source community, so don't feel bad there. Yeah, so I think, like, whatever, like you said, just like the previous issue they brought up, I think documenting what it is, setting up processes so we do the things correctly, and setting up the slsa-framework org, it's like configuring it however it's supposed to be configured, so we can make sure that all the things get done correctly, sounds fantastic to me. That would be really great. Are there any objections? Again, that's a tough crowd today.

I think it might just be that you're making good points and people aren't disagreeing, and they're not likely to chime in to say yes. Yeah, yeah, on that. Oh sorry, on that note, I'm definitely down to sort of partner on some of that, because one of the other, so it's also currently, I guess, falls under the Supply Chain Integrity working group, correct? And one of the other projects that falls under the Supply Chain Integrity group, FRSCA, is also looking at the same problem, like how do we apply not just SLSA, but, you know, like Scorecard and whatever. And to what Josh said, at least in my work with FRSCA, I'm not aware of, like, a set of, here's all the OpenSSF recommendations for good security generally, but we have been sort of doing stuff like working to turn on Scorecard, working to do stuff with the Security Insights group and doing, like, sort of trying to integrate all of
There's all these other security things that we ought to be doing. This would actually be a pretty good, you know, case study for, like, things that perhaps could go in a future level or future criteria or something like that. So it's probably worth, like, taking notes now of what are all the things I want to be enabled.

Yeah, definitely. Okay. I know we have a lot on the agenda, so I'm gonna try to go through the other stuff.

Oh, go ahead, David, did you have a... Yeah, I mean, you know, if you can just do them, awesome. If not, create specific issues about, you know, what to do, how to do it, and that way we don't lose track of them. Yeah, I don't have permissions to do any of this stuff. You would have to be a repo admin to do, like, the Scorecard in the back end, Allstar in the back end.

But if you can say, here's an issue, do follow these steps, or link to those steps. Yep, yeah, the more specific, the more likely it is that some poor person, who might be me, can do it. Okay, not fair. Okay, for the steering committee, I wasn't sure, again, this is a process documentation thing. I didn't see the criteria, the nominations, the expectations, right. Like, you know, even the chair, I'm like, I don't know what the chair does, so just trying to get, you know, further clarification on that. And then the last thing on my list is, you know, there's a good Gmail integration for calendar invites, and so if there is a meeting coming up in 10 minutes, it'll notify the Slack community instead of somebody having to write it. So not sure if that's worth our time to integrate, because I think it would help bring focus to the meetings that are coming up.

On the topic of the steering committee, we are trying to, like, formalize our governance documentation. It was loose in the initial phase of establishing the project, and so... A few people have noticed and mentioned that there's now a slsa-framework governance repository.

We're trying to document more of both expectations and kind of processes.

I don't know that it answers all of your questions yet, but I think it should, so I don't want to respond to every reasonable question with "can you file an issue", but I think that repository should be able to answer the question. So, got it? Okay, so yeah? And if it's like a meeting with someone where they just tell me the process and then I can write it down, I'm more than happy to contribute that way as well.

Right, it's just I don't know what the process is. Yeah, so one of the action items that is filed against that repository, one of the issues filed against that repository today, is to actually name, like, we have all of our steering committee members named, but we don't have maintainers named, and those are distinct roles in the governance documentation. So we need to do that. So there are, yeah, this is still work in progress, but I'd like you to be able to answer the questions you're asking me. I'm happy to work with you on that.

Yeah, I'm just noticing we're already about a half hour in, and it might be worthwhile to start talking about the work streams, make sure we have enough time for that. So any other last sort of comments? Or no, just the Gmail integration for the calendar. People want to chat on the Zoom chat, on plus one on the Gmail integration for the meeting invite announcements. I think that's about it. Thank you. Automation, meeting notifications in the Slack channel would be great. Isaac did it today, thanks Isaac, but maybe you shouldn't rely on humans to do things right. What's going to do better.
Achieve that, so the work streams proposal is trying to identify collaborators and find space to collaborate on some of the, yeah, some of the work that's in the roadmap that we have in the proposal repository, and welcome new participants and for folks to try and understand the community. So the proposal is effectively to create what are currently called work streams that are aligned to the four major themes of the roadmap, which is the specification, tooling, adoption and positioning, and each of those work streams would have, like, an immediate goal that's also part of the roadmap that they're working towards, and that all feels fairly straightforward. I think the slightly trickier bit is how to facilitate the collaboration.

So my proposals are, like, we could have work stream communication channels. Each work stream should have a lead to help ensure, you know, that things are progressing, and I think it would be useful to establish recurring meetings for the work stream.

Week, we could hold, we're actually in focused meetings, of course. The counter argument to that is that if we have four work streams, there's a chance that people would want to be involved in all four. So if there's only one time window to have meetings, people would have to choose which of those work streams to focus their attention on, which may not be desirable. Yeah, so I think the main thing for the purpose of this meeting is to share the idea, get some feedback on the high-level suggestions, and where there are kind of questions, like recurring meetings and things, we're very open to others' ideas.

And figure out how we move forward with this. I think, assuming there's no major objections, the general feedback since we mentioned the idea a couple weeks ago has been very strong, people asking how to get involved, so I think we're trying to... a good idea.

I've just completely breezed through what is a two-page document, so I should pause and let

Struggling to find the hands-up button while sharing the screen, so I think, okay. This is really awesome. One question that just sort of comes out, and I'd be interested to know which thing you might think it falls under.

It is just, so when I think about some of the stuff here, like I know SLSA is, in order to, maybe it's positioning, maybe it's adoption, it's not clear to me, but, like, for example, a lot of folks are asking, like, hey, how do we collaborate with some of the other stuff, right? So maybe like with SSDF, SBOM, but at the, like, I guess maybe I'm answering my own question: you'd probably fall under positioning or whatever, but it's more like also to the other groups, like, hey, CNCF is doing some work, maybe getting folks to sort of collaborate with the CNCF, so, hey, like, SLSA's not ready yet, but maybe let's start working with you to sort of SLSA-ify your stuff, or it's kind of a little of both, I think, yeah. Sorry, yeah, that's a good question. I did put something in the document about trying to make sure we're aligned with other OpenSSF efforts, but I didn't, admittedly, include non-OpenSSF efforts. Yeah, I mean, I just think it's also worthwhile on that end.

Just because, like I know, well, specifically, the CNCF is doing some work, and so that work is like, hey, how do we map this to SLSA? So there's definitely stuff we want to do on there. There's also, you know, some other projects that are out there that would

Of also seeing, you know, where there are things in SLSA that we might not want to take on, right. We might want to say, hey, look, look at standard X for, you know, these sorts of things. We think that it's the mark.

A bit easier to prioritize when you start talking about the actual short-term work, I think, but it's definitely something we should bear in mind. So I guess I have a question.
Progress, I mean, as long as you've got the people to do it. That's awesome, a well-known approach to solving big problems is breaking them apart. I do wonder if adoption is kind of overlapping with tooling and partially overlapping with positioning. It's, I mean, just, you know, I'm wondering, I'm

Goal is improved tooling to reduce the risk. That's part of tooling, and to me positioning and adoption are kind of two sides of the same coin. I'm not sure how different they are, except for improving tooling, which is presumably part of tooling, so I'm wondering if we can not do adoption but move, or make adoption and positioning kind of the same work stream.

That's for, my initial inclination was that we shouldn't, like adoption effectively is trying to encourage open source projects to implement the SLSA requirements, and so my suggestion, in italics, is that we should postpone forming this work stream until we actually have some tooling to, you know, recommend, right.

You're still encouraging outreach, right. I think it's related but not the same. Like, the positioning is how we align with other emerging and existing standards and, like, specification efforts, for want of a better term, whereas adoption is, like, the integration of the tooling, and I'm an open source engineer, I'm probably going to go and advocate for SLSA to open source communities, but I'm probably not going to get too involved in, like, US government alignment, because I'm not a U.S. citizen and I, you know, I'm at times at a disadvantage for those conversations, and all the other reasons, so I think there's probably distinct areas of focus and distinct participants in those conversations. Thank you, that makes more sense now. Mark, sorry, yeah, I think, in my mind, the big goal of breaking up into the work streams, I would say, even, is less about, like, divide and conquer, but rather different folks are interested in different aspects of the problem. Like, there's

some people who want to code, right, or, like, want to build tools, and they're not so interested in the abstract standards, not interested in, like, the theoretical stuff. Like, they want to get stuff done right away, right. Other folks are more interested in the aspect like the specification, that there's, like, a build service thing versus, like, a client-side thing. I don't know. I think that's the main thing, like, try to form, like, focus groups of, a target, a smallish number of people who all want to kind of work on the same problem at the same time. Got it. And I just want to add on the idea of evaluating whether the group should continue to, I suggested in this document that we align that to the proposals. Currently the proposal repository has a roadmap that's, I think, six months out, and I've suggested that each time we evaluate the roadmap, we should also evaluate whether the work streams make sense in the context of that roadmap.

Like a Google Form or something like that to sign up, so that way we just collect an initial list of names for people who are interested in these different work streams, and then that way, like, they could kind of self-organize. Would it be valuable in this meeting to just nominate an initial lead for each one? Just so that way we have a person who's responsible for doing it, to actually get the process going, because I feel like if there's no particular lead, it's just not going to happen. Yep, I think Melba already volunteered to do the positioning. Well, yeah, we're already working on it, so yeah, I'm more than happy to lead that one. Did I get the name right? Yep, okay.

I'd be happy to do the specification one, unless other folks would prefer to lead it.
Strongly disagrees with my suggestion to postpone forming this until we have more concrete things to advocate for.

If you don't have the time, I need some help, I'm happy to do it instead. Yep, and given that, a question on that, oh God, thank you. If we have a current open source project, it is not related to the OpenSSF, can we migrate it under? Okay, of course, after some inspection from a group, absolutely.

Yep, yep, there's a process for that right now. It's mostly just, the working group just needs to sort of say, yeah, we want to take this on and adopt it, in one of their meetings.

It's like, like a date, but I don't know what your licenses are. If it's Apache or MIT, those are the preferred licenses.

Then it needs to go for approval. Yeah, it's one of the two. I think we're still on the Apache 2 at the time. Okay, that's easy!

So, just to round this one out, I think if each work stream lead can start the sign-up form and probably a Slack channel or something, that would be a good place to start. Yeah, let's, the leads, let's just talk together, like start an email thread.

Box and just do, you know, do the consolidate.

That, but the three of us could do that.

It might also be good to have, like, a backup or secondary, or an assistant or something, like Eric mentioned that for the tooling. I think it's always good to have another person to help. Yeah, you know, definitely. I was just gonna say, like, I think saying, hey, lead to start, and then, like, in the first meeting we say, okay, who's the good backup, or if somebody needs to step out or whatever, I think that's also cool. Oh yeah, yeah, if Eric wants to back up there, yeah.

Sounds great, cool. As Jacques mentioned, though, time check, I don't know if we want to, like, get the greatest spot through, we could set up an email chain, move forward. I think there's two other topics, right, for

Yeah, the next topic, I think this is probably for the tooling work stream, unless we want to break that apart further.

But I just want to mention that some folks here at Google, who are out this week so they couldn't speak, have started on the draft of, like, a policy model, and we're thinking about, as we mentioned in the roadmap, like how could we integrate SLSA into Python, so they've started a draft to kind of get the process going, and so that would be great as, like, one of the first projects for the tooling work stream. Mike, yeah. Is this one of the things that Brandon Lum was working on? You know, this was Vita Venema and Simon, yeah. Brandon Lum was working on a separate thing, which is the provenance distribution, yep, probably, like, if you have provenance, how do you get it?

The policy model was more of: how do you apply some sort of policy to protect a particular package? The main gist of the problem is that we want some guarantee that, for example, the
requests package in Python, which is one of the most popular packages in PyPI, that it's supposed to

If there is some, like, for example, if you could record in PyPI, and someone wants to upload a malicious version, they

If you have something different, well, then where is the canonical source read from? And so there's, at least in my mind, there's no obvious best answer for that. It's a challenging problem, and so they've done some initial work to kind of lay out some thoughts.

And so hopefully the work stream participants can come up with, you know, a good model and solidify that, and then figure out for PyPI how we could apply it.

Cool, yeah, I have a lot of thoughts on that, but for the sake of time, I'll leave that to the other meetings, but yeah. Sorry.

Quick question now, this is very exciting, looking forward to joining the work stream. The quick question: what is the integration of SLSA into Python? Again, sorry, maybe I missed something. Yeah, the notion would be that for PyPI, from only being able to upload a package that was built from some SLSA-compliant build process, whatever that means, and was built from the proper source.

Because, like, for example, if you steal a credential, you could just upload anything at all right now, and so how do we do that? Like, do we do some check at upload time? Do we do some monitoring? Do we do a check on the client side?

Those are all options, so it would be more of defense in depth. It wouldn't be getting rid of the credential, like you still have to have signing or some sort of cryptography thing. But in addition, you want to make that credential less powerful, so that way, even in, like, either an insider who is, like, compromised or malicious, or someone's credentials have been stolen, that that power is limited, that they could only do

To Joshua, yeah, I'm waiting on them. I think it would make sense to share with the tooling work stream, like start with, like, a limited group of reviewers, rather than sharing, like, with the broad community, because I think it still needs more refinement. Sounds good. Thanks. Did, yeah, I think that we've talked before, but I don't know if

You know, maybe it was in a different context. My apologies, maybe I've been, you, Mark, but I know that some folks have been talking about, you know, reproducible builds, where you submit it up and then the repo rebuilds to verify that what you sent up was rebuilt, and, you know, maybe give a caveat for, okay, everything's the same except the dates. Well, okay, we'll let you get through with different timestamps!

I don't think it conflicts with what you just said, but I mean, that's something. That's another option. Yeah, I think that's for the policy model, again, without getting too detailed, but just to make sure, like, the broader community is kind of aware of the general problem that's being discussed. I don't think that actually addresses the problem at hand, because there's the question of what should the sources be built from, like

Usually a git repo, and the idea would be to start with Python as the likely path first, like how do you actually trust the provenance.
Should we move on to the last topic? Aaron, so my, the last topic down here, I've been, you know, thinking about this a bit, and the answer might be "open an issue", which is fine, you can do that. So first, SLSA provenance generation, right, I'm trying to think, and, you know, looking at our documentation on the website, should we create SLSA provenance for every step of, you know, a pipeline, even if an artifact's not generated?

Within the SLSA documentation, I had a quick chat with Mark on the side before this. His, you know, his end, Mark, you can reiterate, of course, but, you know, if an artifact's not generated, then maybe we don't need to document, you know, a provenance thing for that step specifically. That's the question, kind of stemming from, right, some of the in-toto basics, right, where, you know, some of the intention of just general in-toto, right, is documenting every step, I think, right.

I'm going to turn your question around and ask: are there some examples of steps you think should not be recorded, or would not be recorded into such a policy, and we wouldn't be fussed about it?

It's a good question, right. I mean, are there, I guess I'll turn around the question again, right? Are there steps that don't generate an artifact, right? So, for example, yeah, and this also depends on the definition of an artifact. I have a taxonomy I proposed a little while back of, like, there have been four things that happen in the supply chain, basically being movement, inspection, assembly/disassembly, and transformation from one kind of thing to a different kind of thing, and I'm curious, like, to me, I believe all four of them are necessary to have the full understanding of something, so I'm curious what sort of things you foresee that would fall outside of that taxonomy. Do I need to extend it?

Out of it, of course, right, building should have an artifact, etc., so I think you're onto something there, especially, yeah, yeah. This was actually something interesting that was discussed previously, because one of the things that we've been doing is, for example, we've been generating SLSA provenance for SBOMs, so that we know that the SBOMs were run using an approved SBOM builder, and that sort of thing. There's definitely some potential quirks around, like, how deep does that go, right? You know, you could, like, but what about, like, do I now need to essentially have approved the SBOM builder at some level to make sure that it's also compliant? And it can lead to some stuff there, which I think is actually going to be useful for both the tooling team and the specification team to help sort of, like, say, you know, hey, there's going to be certain things that are probably worthwhile in the specification to talk about, with, this is, for example, like a compiled artifact versus this is something that is just a manipulation of some text, so it shouldn't be, like, a huge change. Like, there's lots of stuff that we should probably kind of look at there.

Well, yeah, that makes sense. I mean, you know, like you're saying, Jacques, every step probably is going to have an artifact of it, I suppose. Let me think about it that way. Yeah, I think of it as every step should leave a trace, I guess, even if there's not an artifact per se, like inspection, you can say that's, in effect, in the test results of, let's say, a document that then is attested to. There's some conversation there. I personally think it's the latter, of document plus attestation, than necessarily just purely an attestation. But, oh, I realize, David, you have your window.

And time, not just, you know, either dollars or time, then I think we reasonably have to start backing off to what's the most important part, unless we can make it so cheap it doesn't matter.

Yeah, one, I think, like the higher-level point that Aaron brought up, of like, should this be documented somewhere.

Well, I'll throw an issue up for this, if we want to kind of capture that discussion, because nods around. Cool, great, great. I think we're out of time. Thanks everyone. Thank you for joining everybody, and we'll send out an email about the sign-ups for