►
From YouTube: SLSA Positioning Meeting (January 17, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A
C
A
A
A
If
there's
a
better
time
that
might
be
more
suitable
for
some
of
the
other
Sig
leads
so
that
we
can
know
what
each
of
the
different
cigs
are
doing
within
salsa,
so
we're
trying
to
see
if
a
an
earlier
time
might
make
more
sense
or
if
it
could
even
work.
So
if
you
have
a
few
minutes,
if
you
can
fill
that
out,
that'd
be
fantastic
and
then
second
item
is
obviously
signed
in
I
haven't
even
signed
in.
A
A
A
Tracy
is
finally
back
from
vacation,
so
she's
gonna
set
up
a
meeting
to
kind
of
go
through
like
what
we
need
to
do
to
kind
of
kick
start
this
process
off
and-
and
you
know
what
types
of
things
that
they
need
from
us
and
before
I
go
on
to
other
things.
Does
anybody
have
any
topics
to
discuss
that?
Aren't
these
last
three.
A
If
folks
on
on
this
call,
aren't
aware,
basically
1.0
is
scheduled
or
RFC
February
and
they're
going
to
give
about
a
month
of
Time
for
That
RFC
and
during
that
time,
what's
going
to
happen,
is
the
positioning
group
and
the
tooling
group
are
going
to
try
to
make
sure
that
they
are
ready
for
the
1.0
launch
tooling
can
handle
the
1.0
changes
and
then
positioning?
Can
you
know
get
ready
with
all
the
logs
that
we
need
for
the
1.0
launch
and
so
they're
going
to
give
it
about
a
month?
A
And
if
tooling
and
positioning
is
not
ready
or
something
else
comes
up,
then
they'll
just
push
the
RFC
for
a
little
bit
so
that
we
can
try
to
finish
the
the
1.0
push
and
and
kind
of
all
be
in
alignment.
So
that's!
What's
happening,
and
so
I've
started
to
think
about
the
blog,
like
the
blog
that
we
were
working
on,
that
we
probably
need
to,
we
might
need
to
tweak
hi
jumpsy.
Thank
you
for
joining.
A
E
A
A
A
So
that
could
be
something
interesting
for
you
to
attend
as
well,
but
for
for
today's
meeting
we're
talking
about
the
open
source,
Summit
North
America
conference,
that's
coming
up
in
May
and
we
are
trying
to
submit
talks
as
a
salsa
group
to
discuss
salsa
to
the
community
and
so
we're
hoping
to
wrap
some
of
that
up
today
and
then,
after
that.
If
we
do
have
time,
then
we'll
talk
about
some
of
the
blog
ideas
for
the
1.0
launch.
A
Why
break
up
build
versus
Source
so
I?
Obviously
we
have
the
developer
blog
that
we
started,
and
then
this
is
an
obvious
one
right,
the
what's
new,
but
then
these
two
kind
of
came
up
in
my
head
of
hey
we're
going
to
get
a
lot
of
questions
on
this
right,
the
s-bomb
versus
it's
also
Providence.
Why
is
this
also
provenance
the
way
it
is?
A
Why
is
the
format
different
Etc,
so
I
think
that
would
be
good
to
tackle
head
first
and
then
why
the
breakup
right
people
are
probably
going
to
be
confused.
The
what's
new
will
probably
dive
into
okay.
We
have
broken
it
up,
but
it
may
not
go
into
detail
as
to
the
why
it
was
best
to
break
it
up.
So
that
might
be
another
area
that
we
might
want
to
discuss.
B
Melba
on
the
s
bomb
versus
salsa,
Providence
I
mean
I,
don't
think
it's
a
big
secret.
I
can
say
we
had
some
internal
discussion
within
IVF
as
to
whether
it
made
sense
to
keep
those
things
different
or
if
it
would
make
sense
on
contrary
to
kind
of
have
some
kind
of
convergence
and
for
those
who
are
not
familiar
with
this
I
mean
essentially
salsa
Providence
0.2
X
was
essentially
about
the
build
environment,
but
in
the
next
version
the
one
zero.
B
It
actually
encompasses
a
lot
of
the
stuff
that
you
would
typically
find
in
nesbomb,
which
means
you
have
the
is
especially
with
regard
to
the
dependencies.
So
it
goes
beyond
just
capturing
information
about
the
build
environment
and
also
provides
information
about
the
dependencies
which
you
would
typically
find
in
the
next
Bob
and
so
into
internally.
We
thought
well,
should
wouldn't
be
nice
to
kind
of
consolidate
those
things.
B
A
It's
not
dedicated
to
that
right,
and
so
it's
not
off
the
table
for
it
to
converge,
or
you
know,
be
one
in
the
same,
but
right
now,
tactically
they're
not
able
to
get
what
they
need
from
the
specification
and
so
I've
asked
Matt
Rakowski
for
the
1.5
CDX
specification
draft
that
he's
helping
with
to
see.
If
that
helps
any
or
to
see.
If,
if
there
is
a
gap,
can
we
release
it
in
the
1.5
to
make
the
transition
quicker?
B
A
A
Okay,
so
for
folks
that
weren't
here
last
week,
we
went
through
some
of
these
conference
talks
for
open
source
Summit,
and
we
wanted
to
do
one
first
also
for
for
beginners.
These
were
all
the
titles
that
were
come
up
with
and
we
didn't
really
vote
on
a
final
one.
So
it
would
be
great
if
we
can
kind
of
narrow
it
down
to
one.
A
So
do
folks
have
a
preference-
and
maybe
I
should
number
these
so
that
way
we
can
just
vote
based
off
number
which,
which
title
you
think
would
better
shoot
a
salsa
for
beginners
conversation
now,
there's
also
the
app
set
condiment
salsa.
It
goes
with
all
your
apps
can
I
have
some
salsa
with
that
it's
salsa,
not
seltzer
salsa,
it's
absec,
not
a
dance.
It's
also
with
your
security
teams,
also
dancing
in
your
pipeline.
A
F
B
A
A
That
was
Michelle
Michelle
was
awesome.
Okay,
she
was
just
like
turn
like
putting
these
stuff
down
like
constantly
I.
Think
Bruno
came
up
with
the
good
bad
and
ugly
about
salsa
and
I
thought
that
was
really
good
for
a
panel
discussion.
So
I
think
we
have
that
one
settled
but
yeah
this.
This
was
all
Michelle
last
week
and
yeah
she
was.
She
was
on
fire.
A
A
A
B
First,
one
is
not
descriptive
enough
because
it's
too
generic,
you
have
absolutely
no
clue
what
this
is
about.
At
least
the
other
one
have
up.
Second,
it
so
I
think
it's
a
bit
better
and
I
I
think
I
would
lean
towards
two,
because
the
withers
goes
well.
If
it's
well,
actually
it
depends.
Is
that
a
it's
not
a
workshop
right,
it's
just
a
demo.
It's.
A
D
F
D
F
D
D
Aaw
either
that
way
because
I'm
not
administered
but
like
what
we
are
in
mentioned
on
point
number
two
and
three
like
what
will
be
the
content
of
this
demo.
So
my
understanding
on
that
is,
we
will
demonstrate
how
a
CI
CD
pipeline
will
utilize
salsa
salsa
for
like
built
and
deployment,
basically
right.
So
that's
what
the
demo
I'm
expecting
to
be
there
as
part
of
this,
or
do
you
think
any
other
things
also
coming
in
the
picture.
A
Obviously
we
could
have
a
a
more
higher
level
level,
three
or
level
four
I
don't
want
to
commit
to
level
three
because
I
know
there's
still
some
level
three
things
that
are
being
defined
and
level
four
we're
not
even
touching
so
I
think
we,
we
decided.
Okay,
if
we
do
a
level
one
level,
two
demo
and
then
just
talk
to
level
three
and
level
four.
That.
A
D
Have
seen
happier
salsa
level
192
demo
with
the
Google
Cloud
build
pipeline,
but
I
also
know
that
you
know
gitlab
also
supporting
this,
but
maybe
my
question
is
like:
are
we
showing
the
demo
with
gitlab
or
with
the
Google
Cloud,
build
pipelines
to
show
this
SLS
level
192,
or
are
we
having
some
other
thoughts
on
it?
How.
A
Do
we
demonstrate
it
yeah?
We
we've
not
decided
that.
Yet
this
is
just
okay,
hey!
We
want
to
submit
a
talk
on
this
because
between
the
tooling,
our
group
and
potentially
the
the
specification
group,
we
can
come
up
with
a
demo
of
some
sort,
but
we
don't
need
the
specifics.
Yet
it's
more
of
okay,
let's
see
if
we
can
get
a
Hands-On
demo
and
if
they
say
yes,
then
we
can
come
up
with
the
demo.
A
A
F
D
F
G
D
A
Just
this
team,
it's
all
the
three
different
teams
to
try
to.
You
know
talk
about
salsa,
so
we
haven't
decided,
you
know
who
would
be
presenting
or
who
would
be
hosting,
but
we
thought
that
these
would
be
really
good
talks
to
to
submit
and
then
once
we
were
done
with
the
abstracts
we
were
gonna
put
it
out
for
the
other
sick
leads
to
to
take
a
look.
A
A
B
B
A
B
A
A
F
B
F
B
B
F
B
F
D
A
C
F
D
But
just
like
Bill
last
time
also,
we
discussed
this
point
just
in
future.
Salsa
is
a
scope
only
for
the
absec
or
is
in
maybe
future.
It
will
also
consider
any
code
like
infrastructure
such
as
the
code
tomorrow
comes
into
picture.
Whether
are
we
defining
salsa
for
that.
Also,
in
that
case,
can
we
say
salsa
only
for
absec,
it
can
be
foreign.
F
B
F
A
A
A
D
F
A
A
B
But
I
I
I
agree
with
that.
I
think
it's
it's
one
of
those
cases.
It's
like
you
know
trying
to
find
a
compromise
and
I,
don't
think
it
stopped.
You
from
you
know
expanding
when
you
present
about
it
and
point
out
that
it
goes
beyond
upset
strictly
speaking,
obviously,
but
I
think
it
kind
of
frames
it
and
pretty
well.
G
Well,
I
kind
of
a
agree
with
you
do
with
you
before:
I
I
did
like
it's
also
dancing
in
your
pipeline.
I
like
that
density
of
pipeline
one,
but
but
I
kind
of
I
kind
of
like
your
reasoning
before
about
about
the
Newbie
ones,
I
mean
other
than
that
I
think
I
think
there's
all
these
are
all
really
good.
G
B
F
A
G
F
A
G
I
saw
the
whole
bunch
of
stuff
after
that,
so
salsa,
it's
abstract,
not
a
dance
like
that.
I
think
I
feel
a
bit
more
rigid
that
one
might
be,
might
be
your
flavor
if
you
like,
you,
know
kind
of
directing
you
you
don't
find
enjoyment
from
this.
You
just
want
to
get
your
information
and
get
in
and
get
out.
It's
also
dancing
in
your
pipelines
a
bit
more
fun
right.
If
you,
if
you
actually
enjoy
this
stuff-
and
you
want
to
you-
know
your
your
happy
go
lucky
about
learning
something
about
salsa.
G
That
might
be
a
bit
more.
Your
flavor,
but
I
also
like
the
comments,
the
four
and
five
because
they
really
go
towards
the
the
the
new
the
Newbie
right,
I
mean
I,
don't
know
I
I,
like
I,
said
I'm,
not
a
marketing
person,
so
you
you're,
you
know,
I'll,
read,
I'll,
read
an
article
without
looking
at
the
title.
B
B
A
D
Yeah,
after
changing
the
title,
because
from
my
understanding
like
it's
not
only
limited
to
abstract
so
in
near
future,
we
will
also
come
the
infrastructure
as
God
yeah
right.
For
example,
I
I
have
done
earlier,
like
the
Tata
from
pipeline
implementation,
design
and
development
decision
implementations.
So
there
there
are
some
security
features.
We
added
using
different
tools
like
TF
sex,
Chaco
Etc.
D
A
D
F
F
D
A
A
F
A
Could
be
you
know,
just
new
new
developers
that
you
know
they're
being
told
hey,
you
need
to
figure
out
how
to
do
this
right,
so
I'm.
Just
thinking
from
that
mindset
that
beginner
mindset,
you
can't
assume
they
know
anything
about
pipeline,
but
at
the
same
time
you
can't
assume
they
know
anything
about
appsec
either.
B
B
F
A
A
H
I'm
sure
folks
are
going
to
want
to
hear
about,
like
you
know,
I
mean
I.
Think
number
one
is
probably
the
most
important
one,
but
I
think
you
know
to
highlight
some
of
those
experiences.
I
think
the
things
I've
always
heard
from
a
few
folks
is
is
like
how
do
they
like?
How
did
those
companies
get
started
in
the
salsa
adoption
journey?
I
know
that
was
one
of
the
the
big
things
we've
been.
You
know
asked
a
bunch
of
times
like.
H
A
Okay,
one
of
the
things
that
I
I
think
I
mentioned
too,
is
like
how
1.0
affects
them
right.
I
think
that's
something
to
to
really
gain
from
folks
that
have
already
gone
through
their
Journey
with
version.1
and
then
thinking
about
okay.
Well,
what
do
they
now
have
to
think
about
with
1.0,
especially
having
just
come
out?
B
D
B
F
D
A
F
A
D
So
can
we
also
like
you
know
where
are
the
like?
You
know
publicly
people
can
use
it
like,
for
example,
as
I
told
like
you
know
the
products
or
the
correctly
available
industry
Solutions,
which
already
adapt
salsa
standards
so
like
gitlab
or
who
will
not
build
or
that
like
how
many
such
products
are
available,
so
that
people
can
start
using
it
and
get
the
benefit
of
salsa.
A
I,
don't
think
we
can
do
that.
Okay,
because
the
conformance
program
right
yeah,
the
we
would
one
need
to
I
mean
we
can
have
metrics,
could
potentially
at
metrics
from
the
conformance
program
right
right
now.
People
are
self-attesting
and
I.
Don't
know
that
everybody's
been
validated,
oh
man
so,
and
some
of
these
may
not
even
be
products.
I
believe
Aaron
was
all
internal
right.
It
wasn't
for
a
product,
it's
internal
I
think
this
was
a
product
I,
think
Google
had
internal
and
external
yeah.
H
B
B
A
F
B
B
Because
then
I
mean
there
may
be
one
question
which
is
about
what
you
were
saying
earlier
for
the
if,
if
it
affects
some
people,
it's
like
you
know,
how
do
you
anticipate
given?
We
have
families
that
have
already
experienced
you
know
which
also
one
zero
or
zero
one
you
can
ask.
So
how
do
you
anticipate
anything
specific
to
the
transition
from
zero
one
to
one
zero.
F
B
So
there
are
a
broader
question
that
I
think
could
be
interesting.
I,
don't
know
how
long
this
would
be,
but
you
know
it's
more
like
because
now
we're
talking
about
like
all
the
technical
aspects,
but
to
anybody
does
anybody
have
already
some
kind
of
like
feedback
as
to
you
know?
Was
it
worth
it
in
a
way?
This
is
what
I
was
trying
to
get
to
it's.
C
B
B
Because,
right
now
it's
all
about?
Oh
well,
you
need
to
do
this.
You
need
to
do
that
to
to
improve
your
security
posture
and
salsa
is
the
way
you
measure
this
and
whatnot,
but
I
think
it'd
be
interesting
to
see
if
people
already
have,
and
obviously
this
is
the
kind
of
stuff
the
panelists
would
have
to
decide.
People
participate
if
they,
if
they
have
information
they
can
share
on
that.
But
I
think
it
would
be
interesting
to
ask
that
question
if
they
have
some
answers.
Yeah.
A
A
C
D
D
A
A
F
A
A
G
A
G
G
G
A
Okay,
thank
you
yeah,
because,
obviously
we
want
to
as
a
group
you
know
talk
about
salsa,
but
I
I,
don't
even
know
the
first
thing
about
open
ssf
day
and
where
the
links
are
I
tried,
searching
for
it
and
I
couldn't
find
anything.
So
how
do
you
possibly
submit
call
for
papers
right
if
there's
no
link?
So
if
you
can
find
that
out,
that
would
be
fantastic.