Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SLSA Biweekly / 6 Feb 2023
OpenSSF / SLSA Biweekly / 6 Feb 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SLSA Specifications Meeting (February 6, 2023)

Description

Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj

A

How's it going.

B

Good hand.

C

Hey good.

B

Are you gonna now put unaffiliated.

A

I'm.

B

Affiliated.

A

Uh-Oh you're.

B

Muted yeah Vita, just retired uh Google last week last week last week,.

A

Congratulations happy.

D

Happy retirement but.

B

You're, muted Pizza.

C

Okay, that explains so. This is not to be confused with the involuntary separations last week.

C

My plan is to stay in Philadelphia, sauce and with other open source projects. The difference is that I now pay myself.

A

Okay, very nice.

D

Glad you're here yeah I'm.

C

Glad you're here until it stops being filmed in our list. You know.

A

That's fair yeah.

B

All right, so why don't we get uh started? uh Welcome everybody, uh Payson meeting notes if you could register your attendance um and uh remind me that we'll abide by the salsas and women's Foundation code product.

B

So uh we could welcome newcomers, there's no newcomers, um but if anyone joins light we could walk on them. I guess um there's nothing on the agenda.

B

um We should talk about the 1.0 progress and when we plan to do a release, candidate um I am did we talk about that last time, yeah um I am working on a uh the verification of the Providence section right now of like the steps in the spec of you know what specifically to um like, have how you verify um so expect a pull request request uh something. This week um the we haven't made a ton of progress, uh certainly slower than we wanted to. We wanted to have a release candidate by now.

B

um We're obviously past that um the some folks, some of my colleagues, did a pass over the spec and I think the biggest. Let me look up notes real, quick. um The the biggest um confusing part that they found was the um thanks.

A

David.

B

For taking notes uh the enumeration of the build level four and the source track that are like not defined, and yet we have some requirements there, um I've had several people mention that that they found that confusing I know. We talked about this right a couple months ago, when we were first doing it, um balancing the desire to have some kind of placeholders there for people to know that there will be future tracks and to Future levels, and also for people who are familiar with the old version to know where to have it.

B

uh But um the feedback so far was that it's kind of misleading, um so uh I I, don't know who is going to take a crack at addressing that? um But I want to bring up this group in case there's any.

E

If you don't mind, we want the document not to be confusing I, don't think that the best solution is to remove it entirely. I think moving it to a completely different section might be enough. You know future directions or something like that, but just making it really obviously different, not not where it is. If that makes any sense.

E

Oh and.

B

Thank you, John yeah, yeah, I think so um well, I mean I, guess.

B

So here let me present what we have, what we have.

C

And we already moved out some parts, so we delegated the provenance, for example,.

B

Here, so we so we're like, on the same page of what we're talking about featuring points. So we have the two sections one here is this possible future requirements where we list parameter lists, hermetic reviews, one dependencies complete, which.

D

Were just.

B

Copied and pasted from the old version right.

B

And then, if you click behind a click, you can see based the old text verbatim right. um Oh.

D

This is I'll.

B

Send a link here in case anyone wants to go straight to it without having to find it, um and then there is uh a section down here in their Source control, where again, there's currently no requirements but FYI. This was the stuff from the uh the the old version, um so it like sounds like requirements, but it's also kind of not requirements uh and then I think on the levels page.

B

We.

F

Have.

B

um

B

On the levels page, we similarly have level four not yet defined, um and a source track not yet defined.

E

Yeah see I, see, I think the problem is it's in a section, the title of which is requirements.

E

So this is the SEC the section.

E

You know this is the requirements without the requirements. um Let's see, I mean that's what the very top level says right. Where are we.

B

Yeah um I I think it's moving. I think sorry.

E

Go ahead, can we move to just like a completely different section and just make it super clear, because I I I I, just don't what I don't want to see is removal entirely because I think it is helpful, even though it's not well in the in the formal terminology, it's not normative.

B

Yeah I I think the um the specific feedback was that we're trying to build 1.0 as like a complete specification and that it's like ready uh so having things that are called like not yet defined, makes it sound like it's not actually complete, whereas really we're just trying to hit for like a future version. We expect something here right.

E

Exactly and you know, I I, don't think anybody would be surprised by a future Direction statement or something like that. You know the uh you know just as long as it's very clearly completely separated from the requirement section. If you know.

A

David.

D

You're.

A

I think you're onto something where um maybe we have that just like kind of like a big Link at the bottom here around like the future Direction um and like maybe the I, don't know if you'd call it the road map per se, but and then we have a link. That brings us right with with this block right here of the not yet defined um to this new page, which is the future Direction. All.

E

Right so that way, yeah.

A

Yeah.

B

So like another page here, that's like future Direction, maybe yeah and on the other ones we could link to it.

A

Yeah yeah because that's.

B

A.

A

Super Fair comment right: if we're releasing this thing, that's supposed to be good and it's complete and we just have a bunch of draft work in progress, things that doesn't look very good, so yeah I think it's really good to bring it away and show it future. Direction.

E

There's actually a good side to this. It means that when they show up and look at the requirements, they only see requirements. If it's not a requirement, um we're explaining a requirement. It's uh you know it's in something else.

B

Okay, um all.

D

Right.

B

So uh I'll create an issue for this uh and then um to kind of summarize what we talked about, and then um someone can create a pull request um if anyone wants to please volunteer uh otherwise, um someone from from Google will pick it up. Yeah Joshua.

F

I all volunteer through that: okay.

B

Great thanks.

D

I need to go and look at the whole thing now too I'm starting to lose the bubble with all the little specific changes.

B

Okay, um I'll I'll write a note to to the team group into that too. Okay great um so here let me actually put this into a subsection.

B

Just to indent this.

B

um What else on the 1.0 front.

B

The so we talked about um the certification, just to recap what we talked about in previously. It sounds like the and there's some discussion on slack as well and in the various issues um like the certification program.

B

um It sounds like we want to have some sort of language in the spec. That makes it clear that you need to.

B

We have some Texans slack I, think, maybe um that there needs to be a way for someone to know what trust level a particular Builder is. But the actual process for establishing that and- and you know, certifying- is outside of the spec um and the actual establishment of the program is not a blocker for 1.0 I. Think that's a recap of the. Let me see if I can find anything in this black.

F

Here, I just copy and paste it into the DOT.

B

Oh, you did the the thread that was.

B

Okay, thanks thanks a lot.

B

Great um just wanted to highlight that for folks in case you're, not like reading every single message uh in this library, because I think that's important. uh So so we need to do that. Yeah Chris uh had a list of things.

B

um Yeah actually I'll put it right at the top of those blockers.

B

um This was from the thread I just pasted in the meeting notes. uh I showed this tab instead, um so update the threats and mitigation. Page I think we have an issue for that certification programs are not blocking, but having some text in the spec uh Providence 1.0 verification examples, I'm working on that now, um I think the verification piece I think in the thread we talked about. That is the block up for the release of candidate. But more examples is not um verifying.

B

Artifacts I think fleshing that out, um yeah and then just the to-do's and and so the terminology would not be a blocker for a release candidate, but we would want to go by the time we call it. A stable um I just want to make sure everyone here is on the same page uh again, because not everyone follows uh Slack.

B

um Does this sound about right to folks any.

D

I.

B

Have one more thing.

E

One more thing: whoops, let's see my let's see it might I, am not muted for a change. Okay, so Mark I'm gonna- something that's not on your list, but maybe should be done, is maybe a couple crosswalks between this and uh let me hit s2c2f, which is Microsoft's. I mean they're, viewing it from a different viewpoint, but it might be good to see if there's any conflicts to you know. So let me add, let me just write the uh David, um maybe also a cross review of S2 c2f and.

D

Salsa.

E

V1 draft.

E

We just you know that doesn't mean necessarily A change is needed, but um if there's a conflict, I think would be good to know now.

B

Yeah.

E

That's.

B

A good point uh I would call that not blocking for a release candidate, but blocking for a final. Do you agree with that?.

E

uh Sure not blocking for release. Let me just make that note uh for release, but maybe I would say block for final I mean you know.

E

Even if it turns out there's a conflict, that's not necessarily a killer, but it we would I think it would be wise to know and frankly, I I would I would want there to be a good reason.

B

Yeah like knowing it and doing the review itself is the blocker, um and there may be further items that we would. We would address.

E

Right right, but at least at least we would have, we would be able to make an informed decision.

F

I think yeah I think it's important for the parent working group of both efforts right. The supply chain interpreter working group.

E

Right right, I I would like to do this, but I don't think it should just be me and I seem to keep getting pulled off on other emergency tasks that have to be done right. Then a problem I'm sure none of you have, uh but uh if we could get several people to do that cross review and you know either can and if one thing, if one says to do something another doesn't say anything I mean that's actually expected.

E

That would be expected Behavior to me, but if they kind of conflict, that's what I worry about.

F

Yeah, otherwise, adding to the agenda for the supply chain Integrity work next week.

B

I realize now what, um after this meeting, I, will create an issue for the release candidate. So that way we could all agree and have like a punch list of things. We want for a release candidate um and it would be, and then we could also add assignees, uh so we know who's working on what, um but then also it would be really helpful to know um like if folks could do a Passover and think like which, which ones actually are blocking everything.

B

My view for the release candidate, is that anything that, like a a reader who's already familiar with sauce I, can kind of get past is not a blocker for the release candidate, because we want to have the thing out the door as soon as possible, but there's like a major missing thing or something that's like you. Just can't understand it without it. That would be so it'd be really helpful to know.

B

um If anyone you know, does it pass and has opinions on things that, like that, that really are um the.

F

Most important I mean just to make sure.

B

That we all sanity check, um you know the like the necessary insufficient things.

B

I'll send that out uh after this meeting and then send an update on slack a link to it. In case uh people aren't subscribed on GitHub.

B

Okay,.

B

um

B

Sounds good the future the future Direction okay uh Joshua volunteered to tackle it uh Joshua. Can you create an issue for that? Oh.

F

Well,.

B

There, okay, um that just describes a problem of uh you, know being misleading Etc. uh That way we could track and add it to the release candidate list. um Okay,.

B

Look, that's it for my end, uh anything else.

B

Going once going twice, okie doke all right, well um good, seeing everyone. uh It was a short meeting and we'll speak together again over GitHub or slack, or something like that. All right have a good weekend. Everyone good bye.

A

Thanks bye, foreign.