►
From YouTube: SLSA Specifications Meeting (December 5, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
A
A
A
So
I
could
briefly
give
an
update
the
for
the
with
the
spec
1.0
change
to
530
pull
request
536,
which
split
requirements
by
party
several
of
you
viewed
that
so
thank
you
very
much
and
that
was
submitted,
as
we
mentioned
before
it's
full
of
to-do's,
but
now
we
have
that
and
we
can
make
kind
of
like
incremental
progress
on
tracking
them
down
here.
I
could
present
just
so
you
see
you
can
see
what
I'm
talking
about.
A
C
A
Three
different
kind
of
attributes
that
we
want
to
slice
by
or
for
there's
called
disposition
for
lack
of
a
better
word
of
like.
Is
it
coming
from
outside?
Or
is
it
something
set
by
the
build
system
internally
and
the
reason
why
we
care
about
this
is
because
the
external
ones
we
have
to
in
in
the
salsa
we
have
to
check
because
they're
set
by
users,
and
we
want
to
verify
that
they're
safe
within
the
system.
We're
generally
trusting
those,
and
so
it's
useful,
probably
to
split
it
at
a
high
level.
A
So
I?
Don't
think
it's
probably
worthwhile
to
spend
the
time
here,
but
I
just
want
to
mention
that
this
is
the
only
real
update
since
last
time.
If
you
have
any
thoughts
on
it,
I
think
opinions
would
be
welcome
to
try
to
get
past.
We
have
I
think
there's
like
three
different
options
that
I
have
different
commits
and
if
it's
unclear
like
where,
in
the
pull
request
to
find
the
thing,
just
let
me
know
and
I'll
do
it.
A
But
here's
here's
like
the
examples
that
I
happened
in
this
last
comment,
otherwise
I
think
other
than
that.
There's
most
of
the
comments
I
think
have
been
mostly
resolved
or
just
have
like
little
to
Do's
and
so
I
think
that
the
the
biggest
part
is
cleaning
up.
The
pull
request
to
like
make
the
documentation
more
clear,
not
have
documentation,
spread
across
multiple
files,
but
make
sure
it's
like
actually
in
markdown.
Things
like
that.
D
Yeah
so
I've
been
drafting
the
spec
for
how
to
verify
build
level
three
systems,
it's
almost
done,
I'm
putting
the
final
touches
on
and
it's
it's
in
Google
DOC
format,
I'll
be
posting
it
to
issue
508
this
afternoon.
So
please
read
give
feedback.
This
is
my
first
foray
into
spec.
Writing
so
I
I
need
input.
B
A
E
F
Don't
know
if
you
see
it's
me,
I
mean
if
we
have
time.
I
wouldn't
bother
the
whole
group
with
this,
but
I
I
thought
there
was
an
interesting
question
that
came
up
from
our
interaction,
which
is
what
I
was
trying
to
link
to
specifically
it's
there
at
the
bottom.
Actually
so,
for
those
who
haven't
seen
this
I
kind
of
took
a
step
at
putting
together
a
page
that
defines
different
stages
for
the
development
of
specification,
so
that
we
can
communicate
clearly
what
stage
the
spec
is,
whether
it's
in
basically
being
worked
on.
F
It's
we
are
asking
people
to
review
it
or
it's
stable,
that's
the
main
the
stages,
and
then
there
is
the
last
one
is
kind
of
meant
to
be
okay,
end
of
life
kind
of
thing.
And
what
came
out
of
this
is
you
know
in
my
proposal?
I
had
thought
we
just
retired
them
and
there
may
be
different
cases
which
lead
to
retiring
aspect
and
the
main
two
are.
We
have
updated
the
spec
with
a
new
version
altogether
or
we
we
abandon
it.
F
We
can
imagine
at
some
point
we're
working
on
some
document
and
then
we
say
you
know
what
let's
forget
that
one,
let's
start
over
or
something
like
this,
and
so
it
doesn't
have
to
happen.
But
and
and
so
what
Mark
you
said
is
wait.
I,
don't
know
that,
just
because
we're
releasing
a
new
version,
we
would
want
to
retire
the
the
previous
ones
and
I
thought.
That
was
an
interesting
question.
Do
we
really
want
to
entertain
the
idea
that
we
are
maintaining
several
versions
and
then
people?
F
You
know
we
are
letting
people
I,
don't
CBD,
but
you
know
we
are
actually
saying
it's
okay
to
stick
with
an
older
version.
That's
basically
what
I'm
trying
to
say
and
and
so
just
to
give
you
the
context-
and
you
know
I
apologize,
but
to
bring
that
up.
Like
you
know,
my
my
background
is
in
wtvc
mostly
and
where,
of
course,
the
specifications
are
called
recommendations.
F
So
you
know
it
quickly
became
obvious
that
there
were
things
we
didn't
want
to
recommend
anymore
because
they
were
old
things.
And
so,
if
there's
a
HTML5
spec,
you
don't
want
to
recommend
people
to
do
html4
anymore,
and
so
we
said,
okay,
we're
going
to
retire
html4
once
HTML5
is
out,
and
this
is
what
we
want
people
to
use.
So
my
expectation
was
here.
We
would
have
something
similar.
F
Let's
say
you
had
salsa
one,
you
don't
want
people
or,
if
you
say,
let's
say,
there's
a
salsa
too
and
there
was
in
salsa
one
before
two.
We
really
want
people
to
still
use
one
or
do
we
want
to
say
no
one
is
retired.
People
should
really
move.
Of
course
it
doesn't
mean
everybody
needs
to
move
over
at
night
and
they
keep.
Maybe
people
might
stick
with
the
old
one,
but
it's
a
matter
of
how
we
want
to
communicate
this.
So
Mark
go
ahead.
A
B
I
yeah
I
was
just
going
to
say
that
I've
been
thinking
about
this
a
bit
today
and
I'm
kind
of
torn,
like
I,
can
I,
don't
think
we
want
to
recommend
people
like
continue
to
use
older
versions
of
the
spec,
but
neither
do
we
want
to
make
people
feel
like
they
have
to
move
quickly,
especially
thinking
about
like
a
lot
of
the
changes.
We're
making
are
more
about
clarification
than
about
change
of
recommendations
and
especially
for
the
provenance
format.
I.
B
F
All
right
thanks,
I
I,
just
I'm,
going
to
object.
Mark!
Just
excuse
me
it's
just
because
I
realize
one
thing
just
because
we
only
have
one
stage
called
retired
for
both
Obsolete
and
abundant
doesn't
actually
mean.
We
cannot
have
two
versions
in
stable
stage
right.
We
could
have
two
different
versions
that
we
keep
in
stable
status,
which
means
that
you
can
actually
maintain
two
different
versions.
At
the
same
time,
when
we
retire,
one
is
completely
up
to
us.
We
don't
have
to
retire
someone.
C
F
A
A
Maybe
if
we
have
some
sort
of
language
I
think
what
we
want
to
get
at
is
that,
like
it's
still
a
valid
specification,
but
new
implementations
shouldn't
use
it
and
old
ones,
or
people
who
are
using
it
currently
using
it,
should
consider
upgrading
I,
guess
right,
something
like
that
anyway.
I
think
Sean
was
next.
E
Yeah
was
just
thinking
about
that
in
in
terms
of
what
Joshua
was
saying
about.
You
know,
making
people
who
have
already
implemented
the
0
0.2
version
of
the
provenance
spec
I
think
it
would
be
useful
to
at
least
call
out
that
this,
the
provenance
spec,
is
something
that
we
are
working
on.
Rather
than
have
that
become
a
shock
win.
E
E
I
know
that
there's
documentation
in
there
that
says
stuff
about
you
know
you
expect
things
to
change,
you
know
and
once
we
commit
to
1.0
we
will
not
be
making
so
many
Breaking
changes,
but
it's
yeah
there's
a
kind
of
Fairly
rapid
iteration
happening
on
the
on
the
provenance
format.
So
it
might
be
worth
trying
to
just
call
that
out
on
the
page
that
we've
got.
F
Yeah-
and
it's
like
just
to
add
to
this
to
respond
to
this-
is
the
you
know
the
proposal
I
put
together.
There's
this
notion.
There
are
some
stages
that
are
well
defined,
but
you
know
the
spec
itself.
The
documents
will
have
a
status
section
at
the
beginning
and
the
proposal
is
to
actually
have
it
on
every
page
that
not
only
links
to
the
definition,
but
also
that
allows
us
to
communicate
any
additional
information
we
want
to.
F
C
I
was
just
going
to
comment
that
perhaps
maybe,
instead
of
like
version
one
and
version
two
there's
some
notion
of
connecting
these
version
releases
with
a
date
I
mean
compliant
with
you
know,
salsa
level,
three
version.
One
sounds
pretty
great.
Unless
you
know
that
version
five
is
out
right,
so
I
don't
know,
maybe
there's
a
way
that
we
can
express
that
the
at
the
version
that
someone
is
claiming
is
three
years
old.
A
Yeah
on
the
date,
one
I
have
kind
of
gone
back
and
forth,
especially
because,
if
we're
not
doing
like
regular
releases
of
like
every
year,
then
it
might
just
be
the
three
years
actually
is
the
most
recent
one
or
it
could
be
three
versions
back,
I,
I,
I,
don't
know,
I,
don't
have
an
opinion
on
that.
The
one
suggestion
actually
is
that
right
now
that
the
spec,
the
the
pull
request,
defines
abandoned
of
like
a
spec
that
we
started
and
then
dropped
I,
maybe
I'm
not.
A
C
A
C
A
B
A
Yeah
for
the
purpose
of
resolving
this,
does
it
sound
like
so
far
we
have
just
to
summarize
it
because
you
haven't
had
this
book,
I
mean
I,
think
working
draft,
where
it's
like
rough
in
review,
where
it's
like,
basically
ready
for
review
stable,
where
it's
like
the
latest
version
in
stable,
and
it
sounds
like
we'll
want
one
more.
That's
like
outdated
or
something
like
that.
That
says
it
is,
you
know,
still
valid,
but
no
longer
maintained
and
it's
recommended
to
upgrade
to
the
new
one.
You
know
something
like
that.
F
So
I
still
like
the
term
retired
moral
because
and
we
can
I'd
rather
you
know
refine
the
definition
of
it,
because
this
is
something
that's.
You
know
controlled
that
at
some
point
we
make
a
decision.
We
retire
in
this
spec.
Why
outdated
this
kind
of
happens?
It
feels
like
you,
you're,
not
really,
you
know
making
that
decision.
It
just
happens
over
time.
F
Or
they're
too
stable.
Well,
that's
that's
exactly
what
I
was
trying
to
say
earlier
is
that
we
don't
have
to
do
that
at
all.
We
are
in
control
of
that
status
field
on
the
spec,
so
we
could
have
two
different
versions
or
end
versions
that
are
stable
and
would
they
stay
there
and
it's
entirely
up
to
us
to
go
and
say:
okay,
now
we're
going
to
retire
that
one
we
really
feel
like
people
should
no
longer
use
this.
F
F
F
The
idea
of
the
retired
was
because
it
was
encompassing
different
possible
scenarios
when
you
see
superseded.
It
means
you
can't
use
this
for
anything
else,
other
than
the
case
where
it
is
superseded
by
another
spec.
So
especially,
if
we
were
to
abandon
it
and
I
know
it's,
you
know
it
may
never
happen,
but
it
happens
more
often
than
you
know
you
think
so
you
never
know,
but
you
know,
because
you
could
you
know
you
have
to
think
this
is
not
like.
You
know
like
the
whole
salsa
spec.
A
B
I,
don't
have
very
strong
opinions.
I
just
have
the
kind
of
the
Python
pep
and
the
kubernetes
kept
terms
more
familiar
to
me.
So
they
used
to
use
superseded
in
place
and
peps
they've
switched
to
replaced
to
indicate
that
there's
like
a
more
up-to-date
thing.
You
should
use
instead,
but
I'm
yeah,
I
I,
don't
have
a
strong,
strong
feeling.
F
No,
but
so
that's
a
good
point
in
terms,
but
you
know
I
mean
again,
we
have
this
section,
you
put,
you
know
you
can
say
retired,
and
then
you
explain
why
right-
and
this
is
where
you
can
say
it
has
been
retired,
because
there's
this
newer
version,
which
you
should
be
using
it's
been
superseded.
You
could
use
that
in
the
section
below
or
you
can
say,
no,
it's
been
abandoned
because
being
merged
with
another
spec.
You
know
anything
like
this
could
be
in
the
section
that
goes
with
the
status
but
uh-huh.