From YouTube: SLSA Specifications Meeting (February 6, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
B
Muted, yeah. Vita, just retired Google last week, last week, last week.
C
B
All right, so why don't we get started? Welcome everybody, Payson meeting notes if you could register your attendance, and remind me that we'll abide by the SLSA and Linux Foundation code of conduct.
B
We should talk about the 1.0 progress and when we plan to do a release candidate. I am, did we talk about that last time? Yeah, I am working on a, the verification of the provenance section right now, of like the steps in the spec of, you know, what specifically to, like, have, how you verify, so expect a pull request request something this week. The, we haven't made a ton of progress, certainly slower than we wanted to. We wanted to have a release candidate by now.
B
We're obviously past that. The, some folks, some of my colleagues, did a pass over the spec and I think the biggest, let me look up notes real quick. The, the biggest confusing part that they found was the, thanks.
A
B
For taking notes. The enumeration of the build level four and the source track that are like not defined, and yet we have some requirements there, I've had several people mention that, that they found that confusing. I know we talked about this, right, a couple months ago, when we were first doing it, balancing the desire to have some kind of placeholders there for people to know that there will be future tracks and future levels, and also for people who are familiar with the old version to know where to have it.
B
E
If you don't mind, we want the document not to be confusing. I don't think that the best solution is to remove it entirely. I think moving it to a completely different section might be enough, you know, future directions or something like that, but just making it really obviously different, not, not where it is, if that makes any sense.
E
B
Thank you, John. Yeah, yeah, I think so. Well, I mean, I guess.
B
Send a link here in case anyone wants to go straight to it without having to find it, and then there is a section down here in their source control, where again, there's currently no requirements, but FYI, this was the stuff from the, the, the old version, so it like sounds like requirements, but it's also kind of not requirements, and then I think on the levels page.
B
F
B
On the levels page, we similarly have level four not yet defined, and a source track not yet defined.
E
You know, this is the requirements without the requirements. Let's see, I mean, that's what the very top level says, right? Where are we?
B
Yeah, I, I think it's moving, I think. Sorry.
B
Yeah, I, I think the, the specific feedback was that we're trying to build 1.0 as like a complete specification and that it's like ready, so having things that are called like "not yet defined" makes it sound like it's not actually complete, whereas really we're just trying to hit for like a future version, we expect something here, right?
E
Exactly, and you know, I, I don't think anybody would be surprised by a future direction statement or something like that. You know, the, you know, just as long as it's very clearly, completely separated from the requirement section, if, you know.
A
D
A
I think you're onto something where maybe we have that just like kind of like a big link at the bottom here around like the future direction and like maybe the, I don't know if you'd call it the road map per se, but, and then we have a link that brings us right, with, with this block right here of the not yet defined, to this new page, which is the future direction. All.
A
B
A
E
There's actually a good side to this. It means that when they show up and look at the requirements, they only see requirements. If it's not a requirement, we're explaining a requirement, it's, you know, it's in something else.
B
Okay, all.
D
B
So I'll create an issue for this and then, to kind of summarize what we talked about, and then someone can create a pull request. If anyone wants to, please volunteer; otherwise, someone from, from Google will pick it up. Yeah, Joshua.
B
Okay, I'll, I'll write a note to, to the team group into that too. Okay, great, so here, let me actually put this into a subsection.
B
The, so we talked about the certification, just to recap what we talked about in, previously. It sounds like the, and there's some discussion on Slack as well and in the various issues, like the certification program.
B
It sounds like we want to have some sort of language in the spec that makes it clear that you need to.
B
We have some text in Slack, I think, maybe, that there needs to be a way for someone to know what trust level a particular builder is, but the actual process for establishing that and, and, you know, certifying is outside of the spec, and the actual establishment of the program is not a blocker for 1.0. I think that's a recap of the, let me see if I can find anything in this Slack.
B
Great, just wanted to highlight that for folks in case you're not, like, reading every single message in this library, because I think that's important. So, so we need to do that. Yeah, Chris had a list of things.
B
This was from the thread I just pasted in the meeting notes. I showed this tab instead. So: update the threats and mitigation page, I think we have an issue for that; certification programs are not blocking, but having some text in the spec; provenance 1.0 verification examples, I'm working on that now. I think the verification piece, I think in the thread we talked about, that is the blocker for the release candidate. But more examples is not verifying.
B
Artifacts, I think fleshing that out, yeah, and then just the to-dos and, and so the terminology would not be a blocker for a release candidate, but we would want to go by the time we call it a stable. I just want to make sure everyone here is on the same page again, because not everyone follows Slack.
D
E
One more thing. Whoops, let's see, my, let's see, it might, I am not muted for a change. Okay, so Mark, I'm gonna, something that's not on your list, but maybe should be done, is maybe a couple crosswalks between this and, let me hit S2C2F, which is Microsoft's. I mean, they're viewing it from a different viewpoint, but it might be good to see if there's any conflicts to, you know. So let me add, let me just write the, David, maybe also a cross review of S2C2F and.
D
E
We just, you know, that doesn't mean necessarily a change is needed, but if there's a conflict, I think would be good to know now.
B
E
B
A good point. I would call that not blocking for a release candidate, but blocking for a final. Do you agree with that?
E
Sure, not blocking for release. Let me just make that note for release, but maybe I would say block for final, I mean, you know.
B
Yeah, like knowing it and doing the review itself is the blocker, and there may be further items that we would, we would address.
F
E
Right, right, I, I would like to do this, but I don't think it should just be me, and I seem to keep getting pulled off on other emergency tasks that have to be done right then, a problem I'm sure none of you have. But if we could get several people to do that cross review and, you know, either can, and if one thing, if one says to do something, another doesn't say anything, I mean, that's actually expected.
B
I realize now what, after this meeting, I will create an issue for the release candidate, so that way we could all agree and have like a punch list of things we want for a release candidate, and it would be, and then we could also add assignees, so we know who's working on what. But then also it would be really helpful to know, like, if folks could do a pass over and think like which, which ones actually are blocking everything.
B
My view for the release candidate is that anything that, like, a, a reader who's already familiar with SLSA can kind of get past is not a blocker for the release candidate, because we want to have the thing out the door as soon as possible, but there's like a major missing thing or something that's like you just can't understand it without it, that would be. So it'd be really helpful to know.
B
That we all sanity check, you know, the, like, the necessary and sufficient things.
B
I'll send that out after this meeting and then send an update on Slack, a link to it, in case people aren't subscribed on GitHub.
B
Sounds good. The future, the future direction, okay, Joshua volunteered to tackle it. Joshua, can you create an issue for that? Oh.
F
B
There, okay, that just describes a problem of, you know, being misleading, etc. That way we could track and add it to the release candidate list. Okay.
B
Look, that's it for my end. Anything else?
B
Going once, going twice, okie doke. All right, well, good seeing everyone. It was a short meeting and we'll speak together again over GitHub or Slack, or something like that. All right, have a good weekend, everyone. Goodbye.