►
From YouTube: SLSA Tooling Meeting (November 4, 2022)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
A
A
A
A
C
A
So
just
I
think
it
was
a
very
like
people
who
are
coupons,
so
not
a
lot
of
things
going
on
so
I
think,
like
the
first
thing
you
can
just
quickly
talk
about.
Is
it's
like
if
there's
any
interesting
talks
or
anything
you
saw
at
kubecon
that
you
know
worth
mentioning
here
in
the
group
it
is
being
recorded.
So
we
can,
you
know
some
people
kind
of
want
to
come
back
to
it
later.
They
can
definitely
take
it
and
see
if
there's
any
kind
of
talks
that
they
miss
that
were
of
importance.
C
A
So
people
are
like
and
Michael
is
Mike
Mike
is
out
this
morning
and
you
might
I
think
he
said
he
was
running
a
little
bit
late,
so
I'm
just
running
the
meeting
in
the
meantime,
and
it
might
be
pretty
quick
if
there's
any
kind.
I
I
posted
the
document
in
chat,
so
you
can
sign
in
and
if
you
have
any
kind
of
agenda
items
you
want
to
speak
about,
we
can
definitely
do
that
right
now.
We're
just
kind
of
talking
about
you
know.
D
A
Yeah
I
think
I
think
tetragon
got
a
lot
of
Spotlight
ebpf
day.
So
there's
a
lot
of
talk
about
tetragon
and
multiple
different
talks.
You
know,
I
spoke
about
it,
I
know,
Cole
Cole
Kennedy
spoke
about
it
in
terms
of
integrating
it
with
with
witness,
and
there
was
a
whole
ebpf
day
and
this
people
were
just
very
interested
in
you
know,
because
it
makes
it
so
easy
to
start
capturing.
You
know
runtime
processes
within
kubernetes
itself,
because
it
all
automatically
isolates
based
off
pods.
D
A
A
Okay,
awesome
I
think
we
can
keep
moving
forward.
So
one
of
the
things
that
actually
we
discussed
last
meeting
was
like
the
ability
of
of
actually
no
sorry.
This
is
first
that's
about
or
for
salsa
attestations,
but
the
other
thing
that
we
were
also
looking
into
was
in
terms
of
s-bombs
right.
How
valid
are
s-bombs
in
terms
of
like
hey
like?
Are
they
capturing
their
information?
Are
they
worthwhile
like?
Are
they
you
know?
Are
they
just
doing
it
for
compliance
sake,
or
are
they
actually
capturing
information?
A
A
Think
he's
the
California
time,
so
you
might
not
be,
might
not
be
able
to
join
us,
but
Justin
Abrams
from
eBay
had
a
great
suggestion
in
terms
of
of
generating
an
s-bomb
scorecard,
and
he
actually
has
that
posted
in
the
salsa
tooling
stock
channel
here
I
think
he
he
just
publicized
one
of
the
things
that
he
was
working
in
working
on
internally
quickly.
Just
and
I
can
post
a
link
to
that
here
in
the
in
the
channel
or
in
the
chat
oops.
A
So
what
so?
What
this
is
basically
is
meant
to
do.
Is
kind
of
act
like
you
know
how
scorecard
acts
for
repos
and
so
forth
is
like
hey.
Can
we
can
we
grade
how
how
good
s-bombs
are
in
terms
of?
Are
they
valid
to
the
spec?
Are
they
capturing
information
that
that
we
need
you
know
of
the
containing
hashes
and
so
forth,
like
how
you
know?
How
good
are
they
so
this
this?
A
This
gives
us
an
ability
to
you
know
if
they,
we
kind
of
know
like
yes,
some
of
these
tools
are
generating
better
s-bombs
than
others.
How
do
we
fix
them
and
so
forth,
and
we
can
you
know
grade
those
keep
adding
features
to
it
and
keep
creating
different
things
like
spdx
and
Cyclone
DX
I.
Think
for
now
what
he
did
in
his
this
POC
is
just
like
start
capturing
an
xpdx
one
and
just
see
okay.
What
information
is
it
is
there
and
what
is
missing?
A
Basically,
so
that's
the
POC
I'm,
nothing
that
I'm
interested
in
helping
him
out.
So
we're
discussing
and
I'm
going
to
work
on
it.
Probably
this
afternoon
and
start
adding
in
some
more
features,
start
capturing
other
information
and
then
I
think
we
definitely
want
to
have
some
kind
of
a
grading
schema.
So
I
think
we'll
take
a
initial
stab
at
figuring
out
what
kind
of
a
grading
scheme
we
would
want
and
then
and
then
go
and
then
you
know
come
back
to
the
community
kind
of
review
that
and
see.
A
D
A
So
what
I
think
what
we
want
is
either
you
can
start
creating
issues
or
or
start
you
know,
fixing
those
Upstream
projects
be
like
hey
look.
This
is
not
creating
the
proper
things,
maybe
there's
something
so
there's
an
issue
with
the
Upstream
project
or
right.
It
kind
of
gives
us
more
evidence
to
push
back
on
some
of
the
projects.
Being
like
hey
look,
you
guys
are
generating
s-bombs,
but
they're,
not
they're,
not
as
complete
or
as
accurate
as
we
need
them
to
be
kind
of
thing.
A
D
A
D
A
So
if
you
can
start
like
hey,
just
have
an
automated
way
of
just
validating
which
this
just
starts,
throwing
a
bunch
of
s-bombs
in
there
and
see
what
it
looks
like
right.
Then
we
can
have
a
much
deeper
understanding
and
that's
I
think
that's
that's
what
we're
trying
to
get
to
so
and
yeah
like
we
can
start
fixing
them
I.
A
Think
because
I
think
the
more
quality
data
we
have
right,
the
better
things
we
can
do
with
it
and
if
they're
just
s-bombs
are
being
generated
just
for
compliance
sake
and
not
including
much
information,
then
it's
not
helping
anybody
right.
So
but
that's
that's
the
overall
goal
for
this
project,
so
it's
very
much
in
his
infancy,
like
I,
think
Johnny
Abrams
is
literally
started
working
on
it
on
you
know
yesterday
or
something
so
we're
I'm.
A
A
B
A
A
A
So
that
that's
a
more
overarching
meeting
that
people
kind
of
come
together
and
talk
about,
you
know
the
various
things
that
they're
working
on
from
these
various
different
working
groups
right.
This
is
a
salsa,
tooling
group,
and
then
there
are
positioning
and
and
so
forth,
there's
a
bunch
of
other
ones
that
that
people
kind
of
join
and
talk
through
different
topics.