Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SLSA Biweekly / 13 Dec 2022
OpenSSF / SLSA Biweekly / 13 Dec 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SLSA Positioning Meeting (December 13, 2022)

Description

Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa

A

You know.

B

Hey Jay thanks for joining I, see Jeff joining. um Let me share a screen.

A

And.

B

Me.

B

If you could sign in, you can hear me right, yep, okay, awesome, um I, don't have any agenda items today, um because there's going to be two meetings coming up the supply chain, Integrity one tomorrow and then the salsa one, and we need to talk to them about um some of this stuff yeah.

B

So I'm, not sure if you all had uh topics to discuss.

B

um If you wanted to discuss I, don't know a strategy for next year. Etc, um but I I personally, do not have anything for today.

C

I didn't have anything in mind.

D

No me neither I I was hoping that we'd uh I mean the means fall when they fall, but we're getting a little long in tooth in the month.

D

Dare I say like this. Is you know right around this time is, is a checkout time yeah.

B

Correct correct, um yeah and I was thinking that I would work on something but again because we haven't had those meetings yet with the broader team, there's not really much to work on other than that one blog to tweak up right, um so um yeah I, don't have anything in particular.

B

um So I guess let me ask you a question um because it could be just Just. Me, Myself and I um I feel, like I, have partly to blame not been as productive as we could have been given like all the canceled sessions Etc, um and given that obviously I don't dedicate a lot of time to this so trying to get a feel from the group on you know: how can we improve next year?

B

How can we get more deliverables out? um You know, given the the small size of the of the team uh and obviously waiting for the specification to be Unleashed right.

D

um

D

Dare I say a shorter shot? Well, um a a smaller Target with maybe a.

D

Maybe a a smaller, smaller Target with us, with a smaller shark group, I think um I. Think if we, if we take a lot of the things we want to do and we um space them out a little bit.

A

I.

D

Think I, I kind of think we've been a bit aggressive.

D

I had a couple of Duets. At the same time. Also, it doesn't really well I, don't know that it hurts either, but I'll say it doesn't help that we have that.

D

A lot of what we do here is largely depending on the variables that happen in the specification team, um not necessarily the tooling team, um but we don't always know uh in real time um what one hand is doing or how the head is thinking um about how the head is thinking whether or not the hand that's moving is moving according to the way that the head is thinking and then here we are supposed to be trying to um provide that broader context to the masses um based on trajectory that we don't really understand.

D

Like friends, I'll give you an example of it, um we're writing a positioning doc. At the same time, they made a decision to break off source and build oh by the way, they've also broken off Providence. Now yep right with that, that's like we! How? How are we like? Let's, let's say we got that done fast- it would have been wrong.

B

Yeah in a couple of weeks, yeah correct.

B

So so then the question is: how do we get ahead of that um and I'm guessing?

B

It would require either one of the leads, whether it be Mark or Josh, to be more participating in this meeting to help guide us or there has to be an offline conversation with them.

D

Yeah, the the part that the part that I said I don't know that it that it so the part, that's that will conflict with this right, it'll be a competing priority thing. Do we tell them to slow down right, I mean it's like you don't be like hey hold on a second. Let us get that part out before we can do you know or or do we or do we base what we do on forecasting right so so is. It is the way that we position now something that's future State, rather than current.

B

Okay,.

B

Thoughts from Jeff and Bruno.

C

um I I I've kind of echo a lot of what Jay said. um Obviously what what we do here is is depend on on the larger group, but um I do think that we we got really excited at the very beginning um and took on tons of stuff I. I know I did personally and then mostly because we all have day jobs.

C

um We I I, know I I got pulled away from this group for almost two months, just because I I was just doing other stuff.

C

um So so it I think we have to recognize what we are, and you know that we are kind of doing this or copious amounts of spare time and and make sure that we commit ourselves to to less and something that's a little more immediately actionable.

A

Okay,.

D

I can't agree more.

B

So what do you think those smaller objectives look like for next year right? We had thoughts on you know some blogs, which obviously we we are having some headwinds on um because of the variableness of the specification.

B

um So what else could we potentially do.

B

To help improve the cause, I guess.

C

You know it may be something as simple as working on one thing at a time.

D

Yeah, that's what I meant by a smaller Target right like like we, we small a target with a with an even smaller shock group right. You know one thing at a time focusing on that and then yeah that that that's a that's a huge, huge plus one for me, I mean at least that way and and then, if we we did that and then um I I guess I said focused on on future State stuff right.

D

But if we, if we did that and then made it above a future state, it might be something that we can that we can dig into, and it still has relevance like a like a couple of weeks from now, rather than we dig into it, and then we look up and then like well, we did a whole bunch of work yep for almost nothing. You know, I mean.

B

The development blog right uh was a smaller Target in in my view, so how do we make that even smaller.

D

It's the smaller Target but I think we got when they we've really we well.

D

We really got our our Minds Twisted when we look back at the spec as it was from when we started it and to when we were working on the in the middle and we look back at the spec and we saw the split that really and and then when we saw the split and then and then the fact that the split didn't take hold across all of the um the different uh media, Outlets or different Outlets, that were the blogs that were being used across the Spectrum. Then there was confusion, I.

A

Mean it seems, like we I mean like.

D

The the big, the the big that the head got a little ahead of itself um and that really that really drove a drove away. We had we asked questions that required answers that weren't really like for, like, for instance, right now. We asked questions that require answers, that we still have to wait to get um I. Think I, think you you, uh you know having having the the the other Sig leads attend.

D

This meeting is key: I mean we we attend theirs. Yeah right, we attend theirs, I mean them attending. This meeting is probably is probably something that needs to occur as well. Okay,.

A

You.

D

Know just or at least a representative right, maybe it doesn't have to be the the leads. Maybe it could be a representative I I either way um us having uh being able to ask a question real time or or or that or the whatever the the answer might be, or whatever you know whatever that variable or parameter is we're able to address it right then, and there, rather than having to go back based on something we see to get something clarified before we can before we can push on yeah.

B

Yeah we could potentially even revisit the schedule. I know there were some assumptions made at the beginning when we were figuring out the schedule for this call that they wanted certain people to be part of this call, but they've only ever attended to meetings at the beginning, and so that shifted what actually the majority was. So potentially we need to revisit also the schedule so that other people could potentially join um from the other six I know.

B

Mike does a good job and I know he's been on conferences and things like that, and he said he was going to step away for a little while right. So that's an example of the tooling thing right. He he holds that, um but for the specification, Mike is the closest thing, but he's not necessarily a lead right, so it'd be good to get Josh Orr mark um because they're driving a lot of the background stuff. Well.

D

So that that's what I was going to say too, they have to be somebody. That's that's uh not that's! On the uh the the ugly well I say internal internal to to to them external to us right. Somebody on the side where some of the conversations are happening off. uh You know off mic. I guess you know, they'd have to be privy to a lot of that stuff too.

B

um Yeah correct and that's where I think the the two leads come in for specification at the very least I know: Mark drives a lot of it. Yeah and I know there's other Google employees that also drive a lot of it behind the scenes um and then I know Josh is at the VMware side um and I'm sure he has conversations with Mark all the time, so either one of those I think would be more clued in uh I.

B

Think then the majority just because of the nature of how they're going about the work and they're drafting up documents left and right um prior to the meeting. uh You know after the meeting Etc et cetera.

A

Okay,.

A

um

B

Anything else you can think of.

D

um I'd like to I'd like to I, guess we can get this uh tomorrow or uh it does. Is it tomorrow that the next meetings are is.

B

The supply supply chain Integrity, is tomorrow and then the salsa is on Thursday yeah.

D

um Yeah I'd like to get so I I'll wait for the sauce meeting and I may or may not be able to attend that one I might have to be on the flight. uh I gotta be on the flight at some point. During the.

A

Day I may be able.

D

To get to that one, let me see a place not in school uh 12 right, so I might be. I may be able to attend that one. um What I'd like to know is for us.

D

What is what are, are the the um Boulder size items that that we want to get accomplished for next year, or maybe we can um just as an Outlook, uh take our cues or build some type of a um road map based on that, maybe we can get ahead of a few things.

B

Okay, I, don't see an agenda for that I know they like to cancel the meeting if there's not an agenda before the meeting which I'm not a fan of. um So let me this: is it right supply chain, integrity.

D

Working group mean I, think I I want to say they're going to have it because it'll be the last one of the year.

B

Yeah but I I do know that they've canceled it in the past when there's no agenda items yeah. uh So instead of this is uh December 14th, okay, uh agenda.

A

um

B

Future.

B

Or is it the working groups, no not working groups.

C

What are they called when they're.

B

On so salsa is a zig yeah, but then we.

D

Are I, don't know we sub six sub-working ground.

B

I, don't know what you call them. Yeah future road map, slash um priorities.

B

um Blockchain integrity or salsa right I feel, like that's a good agenda item.

B

Because there's also the collaborate I think you mentioned this multiple times, Jay right, the collaboration between the different teams under supply chain, integrity right, um and that can't really happen once a month.

D

Yeah yeah that there's got to be there's got to be better. um The the communication and crosstalk has got to be a little bit better.

B

Or is it Fresca like that Fresca.

D

Yeah F well, this should be all capitalized. Okay, like.

B

That yeah um and then.

D

As.

B

A.

D

Matter of fact, just they're just talking about that attack meeting this morning um about better Synergy between all of the you know between the some of these offshoot projects and then what some of the working groups are doing.

D

um You know every the working group said that we're doing all great stuff, but you know some of this stuff is, can be blunt to can be Blended together or find ways to to mix things, but you know bring things together or work a little bit more collaboratively across the spectrum of what we do in the open ssf which, which is you know, I mean that that's a must at this point.

B

um Approximate time uh I don't know, I feel like this is going to be like a a can of worms. These two well.

D

Yeah I mean there's going to be a lot of. You know this well, God, dare I say there might be some pushback on some of this I hope not, but there might be yeah.

B

Yeah, how can you be effective if there's no coordination right, it's kind of like a business if you're all off doing your own thing, you're never going to get anything done.

B

um You have to be aligned at some level with each other um Okay. So I will put that on the agenda for tomorrow and then I feel like maybe it's the same thing for salsa too right yeah. It's the same questions. Ultimately, what is this occurring critical projects? Okay,.

D

Those two happen at the same time: tomorrow, I I mean you.

A

Can't.

D

Avoid it I really feel like well, because securing um so this you really can't avoid it, but I feel like sometimes they need to space. These. Damn things out, give people a chance to yeah.

B

Yeah I I I agree um I'm, trying to click on that I want to. Let me click on it. That's weird! You see what it's doing. If I try to click on it, it it Scrolls down.

B

uh I just want to click on this. This.

A

One link.

B

That's all I want to do. I don't want to edit it I. Just wanna. Okay, leave salsa, okay, so I'm going to copy these two over here.

A

uh

B

Future is this one right.

D

Yeah yeah, okay,.

B

Maybe this should be talked about before. First I hate to you know, go before somebody else in their right, but I feel like this is gonna. This is gonna. Take up a lot of time uh between solstice.

D

Yeah true, who care? Who cares what they have to say? Oh God,.

B

That's fun, yeah and then.

B

Maybe this is just one since it's not talking about all three groups: yeah, okay, there, okay, at least we we have those two um and then there was this other one. The this one.

B

Right yeah.

B

Okay and then I think those are the only two.

B

Think that was that was it right: yeah yeah I think that was it um okay I've at least copied those down for the two meetings. um Anything else.

B

Supply chain integrity, Phoenix.

B

Okay, uh if there's nothing else and I won't keep you all um I, don't is there a meeting next week there might be I, don't remember, uh I, think I think there is oh because I said I'll be around Google Google Calendar there. It is uh December 18th.

B

Yeah there is so depending on what happens right might start getting working on on the other stuff. So if you're all are here, I'll see you next week. If not, then I'll see you next year, um okay, going once going twice: okay! Well thanks everyone for joining, um and hopefully we can get some answers from the larger Community about how to improve next year. Yeah.

D

All.

C

Right thanks.

D

Foreign.

D

Foreign.

A

Important.

A

Foreign.

A

Foreign.

A

Foreign.

A

Foreign.

A

Foreign.

A

Yes, foreign.

A

Foreign.

A

Foreign.

A

Foreign.