►
From YouTube: SLSA Specifications Meeting (January 30, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
D
D
E
A
E
A
Yeah
the
so
in
this
meeting
we
often
get
into
like
details
so
certainly
you're
welcome
to
join.
We
also
have
Steve
here
who
I
think
just
joined
the
call
who,
among
other
things,
is
I,
guess
the
maintainer
of
cyclone
DX
I'm,
not
sure
what
the
official
title
is,
but
he
will
be
joining
us
to
talk
about
the
formulation
which
is
I
think
logically,
similar
or
like
equivalent
I,
think
to
the
like
our
build
model
in
provenance,
so
anyways
Steve.
C
C
And
I'll
preface
this
with
I
invited
Steve
to
join
today's
meeting,
because
I
know
we're
doing
the
provenance
draft
and
there's
always
a
lot
of
conversations
about
you
know
how
can
we
use
a
nest
bomb
to
verify?
Social
compliance,
Etc
and
so
I
know
that
there
are
things
that
may
not
currently
be
in
the
specification,
but
I
know:
there's
work
being
done
on
the
1.5
specification
and
there
is
a
GitHub
issue
and
it's
also
about
formulation
and
trying
to
align
with
that.
F
Oh
okay,
yeah
I,
appreciate
that.
Let
me
just
share
my
thing
here:
okay,
all
right,
so
we're
working
on
a
lot
of
interesting
things
in
Cyclone
DX
this
year
and
into
next.
So
this
year
is
1.5.
We're
we're
targeting
the
beginning
of
Q2.
For
that
Q2
is
going
to
introduce
mlbomb
formulation.
Support.
Excuse
me,
formulation,
support
which
is
also
known
as
manufacturing
bill
of
materials
or
m-bomb,
which
is
an
industry
term
used
for
the
last
20
30
years.
F
We're
introducing
support
for
low
code
application
platforms,
which,
unfortunately,
no
build
material
format,
can
actually
describe
today,
so
we're
doing
that
doing
a
bunch
of
other
stuff,
especially
with
vulnerability
disclosure
reports,
one
six
we're
introducing
support
for
c-bomb
or
cryptographic
bill
of
material.
This
is
really
about
you
know:
post
Quantum.
F
F
F
One
thing
we
want
to
prevent,
however,
is
a
scenario
where
we
we.
It
provides
a
road
map
to
the
attacker,
so
in
all
of
the
ntia
discussions
going
back
to
2018
and
even
in
included
in
one
of
their
FAQs.
Is
this
idea
that
s-bombs
are
absolutely
not
a
road
map
to
the
attacker,
and
we
want
to
maintain
that.
However,
once
you
start
including
some
of
this
data
in
there
yeah,
it
actually
can
be
a
roadmap
to
the
attacker.
F
So
we
want
to
make
it
very
easy
for
organizations
to
be
able
to
externalize
this
or
to
be
able
to
include
or
exclude
It
On
Demand.
Thankfully,
the
Cyclone
DX
object
model
is
very,
very
simple
and
it
would
be
Elementary
for
us
to
either
include
it
or
exclude
it
pretty
much
on
demand
based
on
the
authorization
of
of
the
people
actually
requesting
the
bill
of
material.
F
In
essence,
formulation
describes
how
something
was
made
versus
how
something
should
have
been
made.
You
can
think
of
it
as
the
what
was
the
what
was
documented
on
the
recipe
versus
what
actually
happened
in
the
kitchen.
If
you
spilled
all
that
flour
on
the
counter
and
picked
it
up,
yeah
those
were
steps
on
the
recipe
that
weren't
included,
but
you
can
document
that
our
formulation
support
needs
to
support
all
the
types
of
inventory
that
we
support,
including
Hardware
software
and
all
the
services
that
that
we
support
as
well.
F
One
of
the
things
that
we're
trying
to
drive
at,
however,
is
describing
the
precise
Mechanics
for
reproducibility,
which
is
mostly
theoretical.
Today,
I
haven't
actually
been
able
to
create
what
I
would
consider
a
reproducive
build
I'm,
not
talking
about
the
bit
for
a
bit.
You
know
checksums
and
that
sort
of
that
that's
fairly
Elementary
but
true
reproducibility
is
really
really
hard
and
so
we're
trying
to
at
least
document
everything
around
that
that
would
allow
an
organization
to
truly
understand
what
is
necessary
for
true
reproducibility,
which
is
essentially
what
an
n-bomb
does
right.
F
If
I'm,
if
I
am
you
know,
manufacturing
a
million
widgets,
maybe
they're
iPhones,
maybe
they're
iot
toasters,
if
I'm
manufacturing
these
things
I
need
to
do
them
in
mass
and
across
potentially
multiple
factories
so
and
still
have
identical
end
products
as
at
the
result.
So
our
support
for
m-bombers
is
truly
truly
trying
to
capture
all
that.
It's
going
to
be
available
in
all
serialization
formats,
XML,
Json,
protobuf
and
finally,
it
maps
to
the
scvs
bomb
maturity
model,
which
will
also
be
out
I,
think
early
q2ish,
something
like
that.
F
Formulation
is
really
based
on
events,
so
it
consists
of
formulas
parallel
and
linear
sequences,
input
and
output
tasks
or
input
and
output
things.
It
could
be
components
Services,
whatever
tasks,
executors
configurations,
environments,
Etc,
so
we're
trying
to
capture
holistically
everything
necessary
for
for
true
reproducibility.
F
Some
of
the
scenarios
that
we're
trying
to
describe
in
formulation
is
how
was
my
software
made?
That's
easy,
how
was
my
ml
model
trained
a
little
bit
harder?
How
was
my
iot
toaster
manufactured
a
little
bit
harder
yet
and
finally,
how
was
my
service
deployed?
Hopefully
not
that
hard,
but
these
are
some
of
the
things
that
we're
trying
to
capture.
A
A
C
Could
this
help
with
that
salsa
level?
Three
level?
Four!
You
know
verification
Slash,
creating
of
that
artifact
that
a
build
process
would
go
through
Etc,
because
I
see
a
lot
of
the
same
things
in
the
definitions
today.
I
know
they're
not
in
Cyclone
DX
right
now,
but
just
trying
to
get
a
sense
of
would
this
help.
Is
this
very
similar
to
what
we're
trying
to
do,
but
we
can't
do
today
with
s-bombs,
because
there
isn't
a
place
for
it.
A
Yeah
overall
I
think
this
is
very
similar
to
what
is
in
our
provenance
format.
Although
the
salsa
Providence
format
is
much
more
limited
in
scope
like
it's
only
intended
to
cover
the
production
of
software
artifacts
as
opposed
to
like
Hardware
or
processes
and
there's
an
explicit
notion
of
like
it's,
it's
just
well,
I'm,
not
sure
if
we
should
talk
about
that
now
or
just
wait
to
the
end,
but
like
it's
kind
of
optimized
for
a
particular
use
case.
A
But
I
think
I
agree
with
you
that
if
we
could
have
one
format,
that
would
be
better
than
two
just
in
general
and
if
we
do
have
two
formats,
if
the
models
align.
That
would
be
better
then,
if
they're,
just
completely
different,
so
yeah
I
feel,
like
I,
feel
like
it's
maybe
worthwhile
to
go
to
the
end
of
the
presentation.
We
could
talk
about
how
much
overlap
there
is.
C
Okay,
yeah,
or
at
least
the
thought
process
of,
even
if
we
decide
to
have
two
paths
that
are
very
similar.
How
can
we
ingest
this
folks,
obviously
in
the
industry
we'll
get
to
pick
and
choose
and
if
they're
already
doing,
let's
say
Cyclone,
DX
or
spdx
they're
going
to
want
to
try
to
stick
with
it,
they're
not
going
to
want
to
try
something
new.
So
just
kind
of
keep
that
in
mind,
as
as
we
keep
going
through
this
foreign.
F
F
F
F
This
is
all
kind
of
subject
to
change.
By
the
way
we
we
still
haven't
flushed
a
lot
of
stuff
out,
but
in
fact,
I
think
we
got.
We
have
a
call
tomorrow
or
sometime
this
week
to
flush
some
more
stuff
out,
but
again
it
everything
is
based
on
events.
You
can
have
parallel
and
series
events
that
are
happening.
F
F
We
also
have
an
input
of
bluefish.java.
We
could
also
have
inputs
of
services
and
inputs
of
Hardware,
or
you
know,
whatever
else
we're
doing
as
well,
and
then
we're
outputting,
hello,
world.class
and
bluefish.class,
which
is
the
compiled
variants
of
those
things.
We
could
also
output
services
and
you
know,
all
kinds
of
other
stuff
as
well
right
now.
We've
this
event
contains
in
a
task
with
we're
tracking
who
it's
executed
by
the
steps
necessary
to
complete
that
task.
F
What
tools
are
responsible,
whether
it
was
automated
whether
human
intervention
was
required
or
not?
The
task
can
have
a
dependency
on
other
things.
So
if
you
need
something
else
to
run
either
sequentially
or
prior
to
you
can
specify
that
who
the
executor
was
so
in
this
particular
case
looks
like
it's
Jenkins
and
then
we've
got
the
bill
of
materials
to
Jenkins
and
that
sort
of
thing
we've
got
the
operating
system
that
it
was
running
on.
F
You
know
configuration
on
the
file
system
that
sort
of
thing
so
anyway,
that's
kind
of
what
we
have
today
again.
A
lot
of
this
stuff
is
going
to
be
a
lot
of
the
stuff
will
definitely
change,
but
this
is
kind
of
our
our
thought
process.
Today
we
are
working
with
the
we're
working
with
a
couple
of
different,
pretty
large
projects,
and
they
are
trying
to
see
if,
if
our
formulation,
support
will
actually
work
for
these
really
really
large
projects.
So
anyway,
that's
that's
where
we're
at
today.
C
A
A
Me
now
so
here
is
the
the
current
latest
draft.
It's
almost
to
be
submitted,
but
not
yet
submitted,
and
the
our
main
model
so
far
in
the
current
draft
is
that
we
have
we're
trying
to
model
the
the
build
as
a
whole
and
not
get
into
the
details,
because
the
particular
use
case
that
we're
trying
to
solve
is
to
make
that
a
build
runs
completely
automatically
that
we
have
to
trust
some
underlying
system,
some
platform,
whether
that's
like
a
build
service
like
GitHub
actions
or
Google
Cloud,
build
Circle
CI.
A
Something
like
that.
It
could
theoretically
be
like
a
hardware
trusted
some
something
either
way,
they're
like
some
sort
of
trust,
based
that
we
just
have
no
choice
to
to
trust,
and
we
just
identify
that
like
draw
a
box
around
it
and
identify
that
with
a
single
label
and
then
there's
some
amount
of
external
parameters
that
tenants
of
the
system
users
of
the
system
can
pass
in.
A
So,
for
example,
with
GitHub
actions,
the
platform
would
be
GitHub
actions
as
a
whole,
I'm
trusting
GitHub
as
an
organization
to
do
things
properly
and
have
the
right.
You
know
in
you
know,
Insider
controls
and
security
and
everything
and
then
the
parameters
to
that
would
be.
For
example,
let
me
give
an
example,
something
like
we
would
say.
This
was
GitHub
actions
workflow
the
parameters
were
this
workflow.
A
It
was
built
from
this
git
repository
at
Branch
main
using
the
workflow
name.
Release.Yaml
and
most
builds.
Don't
actually
have
any
parameters
in
practice,
but
technically
there's
ways
to
pass
in
additional
parameters,
and
we
capture
them
here,
and
you
know
we
could
record
additional
information
as
needed,
and
you
could
also
record
the
actual
artifacts
that
went
into
it.
A
But
the
like
the
most
interesting
bit
from
the
salsa
perspective,
like
that,
the
most
critical
bit
is
this
bit,
which
is
the
external
parameters
and
what
we
want.
What
we
want
is
verification
down
the
stream
that
these
were
as
expected.
So
if
you're
building,
for
example,
the
hello
world
binary,
it
really
is
supposed
to
come
from
this
particular
git
repo
and
this
particular
branch.
And
if
someone
builds
from
a
fork,
that's
what
we're
trying
to
detect.
A
F
F
You
know,
formulation
is
you
can
get
as
is
as
general
or
as
in
the
weeds
as
you
want,
and
if
you
want
to
provide
all
that,
you
know
Nitty
Gritty
detail
you
can,
but
if
you
just
want
to
provide
some
overviews
such
as
you
know,
set
the
oven
to
350
bake
for
25
minutes
type
of
thing.
You
can
certainly
get
as
as
general
as
that
as
well.
A
A
Equivalent
is
like
the
separation
of
like
who
made
what
claim,
because
I
think
that's
a
big
I'm
sure
it's
probably
possible
to
represent,
but
that's
kind
of
like
something
we're
trying
to
make
as
easy
to
get
right
as
possible.
That,
for
example,
GitHub
only
claims
that
I
took
this
input
and
I
ran
it.
It
doesn't
make
a
claim
that
it
ran
this
compiler
or
used
this
particular
source
file,
because
those
are
running
inside
the
VM
under
the
tenant's
control
and
so
GitHub
can't
make
any
claims
about
that.
A
D
F
A
A
So
please
excuse
that
difference.
So,
for
example,
if
you
have
a
container
image
that
was
produced
by
taking
let's
say
a
base
image
and
then
a
couple
binaries
and
some
other
files,
the
output
image
would
have
provenance
that
just
lists
what
the
inputs
were
and
then
each
of
those
inputs
would
have
its
own
provenance.
And
then
you
would
kind
of
like
assemble
them
kind
of
on
demand.
F
Yeah
so
Cyclone
has
this
concept
called
bomb
link.
We
we
have
a
registered
urn
that
allows
us
to
describe
the
identity,
so
every
bill
of
material
in
Cyclone
has
an
identity,
and
then
you
can
have
I.
You
know.
Each
individual
component
service
Etc
in
within
a
bomb
can
also
have
its
own
identity
and
with
bomb
link
which
is
again
a
formally
registered
Diana
spec.
But
you
can
specify
the
precise
bill
of
material
and
elements
within
that
bill
of
material
that
you
are
referencing
so
yeah.
All
of
that
would
be
possible.
C
C
I
have
one
more
question:
mark
I
thought
I
heard
you
say
and
I
think
I
see
it
in
the
GitHub
issue
that
the
provenance
definition
is
different
than
Cyclone
DX
and
so
I'm
curious
as
to
why
we're
not
using
the
nist
definition
of
provenance.
If
that's
what
the
industry
is
going
to
be
using
for
the
most
part
right.
A
I,
don't
know
if
we
want
to
get
into
this
here.
I
think
my
interpretation
of
the
nist
standard
is
different
than
Steve's,
so
I
don't
know
if
we're
going
to
resolve
that.
Okay,
like
when
I
read
the
text
of
what
missed
I
think
what
salsa
is
doing
does
meet
that
I.
Think
the
owasp
interpretation
is
different,
I
guess
at.
C
A
I
think
oh
I
feel
like
a
good,
probably
the
the
best
way
to
resolve.
This
would
be
for
like
to
get
an
example
like
to
get
examples
in
the
different
formats
like
we
have
a
one
and
we're
going
to
get
a
couple
more
of
the
salsa
provenance
format
like
to
actually
describe
you
know
right
now.
I
have
to
give
actions
we'll
do
something
for
git,
lab,
CI
and
and
a
couple.
A
Maybe
a
couple
others
see
what
it
looks
like
and
say:
okay,
you
know
this
is
how
someone
would
produce
it,
how
someone
would
consume
it?
Does
it
accurately
represent
what
we
want
Isaiah
ambiguous
and
then
we
could
say
well
for
the
Cyclone
DX
1.5
formulation
format.
What
would
that
look
like?
What
would
they
have
to
produce
and
compare
I?
Think?
That's
probably
the
best
ways
to
look
at
concrete
examples.
F
E
A
Suspect,
where
we're
at
right
now
is
that
it's
like
just
a
lack
of
bandwidth
and
trying
to
resolve
this
right
of
like
from
the
Cyclone
DX
side.
It
is
a
nice
to
have,
but
not
a
priority,
to
resolve
what
the
cells.
Aside.
On
the
salsa
side,
it
is
a
nice
to
have
to
resolve
with
the
Cyclone
DX,
but
not
a
prior.
You
know
not
the
number
one
priority
and
so
I
think
no
one
is
putting
at
the
top
of
their
list
to
try
to
resolve
the
differences,
so
I
suspect.
A
C
A
Yeah
we
have-
and
they
like
already
submitted
in
the
repo
in.
Let
me
paste
in
the
chat
and
also
the
meeting
notes
at
the
bottom.
There's
an
example
and
now
remember
this
would
be
actually
wrapped
inside,
like
a
dizzy
or
some
most
signed
thing,
because
it
would
be
signed
in
this
case
by
GitHub
or
some
entity
that
represents
GitHub
like
for
we
have
these
GitHub
actions,
reusable
workflows.
So
that's
the
entity
is
not
just
GitHub,
but
the
trust
bases
GitHub,
plus
this
project
plus
six
store.
A
F
B
B
What
of
what
we
got
going
on
right
this
moment,
so
we're
working
on
a
compliance
program
conformance
was
the
not
the
correct
terminology
we
learned
last
week,
so
we're
we're,
calling
it
The
the
compliance
program
and
basically
the
idea
is
to
allow
Builders,
so
that
would
be
like
a
GitHub
or
or
a
Google
cloud
or
or
anybody
who
offers
a
build
service
to
show
that
they
are
compliant
with
salsa
to
allow
people
to
trust
the
provenance.
That's
generated
from
the
build
service,
and
so
this
is
is
done.
B
So
there
are
several
draft.
Well,
there's
one
draft
PR
and
then
there's
a
a
full
PR
out
from
Chris
okay
over
over
at
Google,
where
we
are
working
on
integrating
it
into
the
requirements
so
that
we
can
kind
of
discuss,
discuss
what
it
means
to
be
certified
either
self-certified
or
third-party
audited
against
the
salsa
requirements.
B
B
So
we're
talking
to
the
salsa
verifier
project
on
you
know
exactly
how
different
Builders
sign
projects
and
how
we
could
connect
some
of
the
evidences
that
are
published
to
a
actual
piece
of
Providence.
So
we're
thinking
that
there
might
need
to
be
some
work
as
well
in
the
future
on
how
exactly
a
builder
signs
provenance,
because
in
some
cases,
from
what
we've
heard
recently
is
pretty
much
every
Builder
signs
Providence
in
a
different
way,
and
so
it's
very
hard
to
connect
a
a
particular
cryptographic.
B
Key
back
to
a
particular
build
service
and
so
kind
of
future.
Thinking
is
about
how
we,
how
we
want
to
standardize
that
so
that
the
tooling
can
kind
of
say:
oh
hey,
this
particular
build
service
that
signed
this
document.
They
have
published
information
under
the
registry,
you,
as
a
user
who's,
trying
to
verify
the
Providence
of
your
artifact.
B
So
that's
some
of
the
ongoing
thinking
and
work
and
please
do
look
at
those
two
PR's
and
please
give
give
feedback,
obviously
working
through
through
some
of
the
kind
of
more
legal,
complex
language,
and
so
we
want
to
make
sure
that
we
have
everyone
on
board
for
it,
because
this
is
we're
trying
to
set
up
that
structure.
Yeah.
C
So
I
know
one
of
the
reasons
why
this
all
came
about
was
because
people
were
claiming
salsa
level,
three
level,
four
compliance
and
requirements
weren't
really
set
in
stone.
So
how
do
you
intend
on
policing
that
if
they
don't
go
through
this-
and
they
are
saying,
there's
also
level
three?
So
it's
also
level
four
compliance.
B
Exactly
yeah,
so
the
idea
is
with
a
salsa
verifier.
If
you
trust
the
Builder
and
you
can
get
the
Providence
and
throw
it
into
a
verifier,
you
should
be
able
to
verify
pretty
much
all
aspects
of
salsa
as
a
consumer
yourself,
the
only
big
gap
there
is
that
you
have
to
trust
the
Builder
for
you
to
be
able
to
trust
the
attestations
right
to
a
large
degree.
So
we,
if
you
want
to
part
of
the
structure
of
the
certification
program,
is,
is
kind
of
a
work
in
progress
idea
of
of
Tears.
B
So
if
they
haven't
published
any
information
to
the
salsa
registry,
then
there's
kind
of
an
assumption
that,
as
a
user,
you
may
want
to
look
into
or
contact
the
build
systems.
The
owner
of
the
Builder
service
yourself
and
kind
of
get
some
information
because
they
haven't
provided
anything
publicly
and
then
kind
of
that
tier
one
is
well.
If
you
want,
you
can
look
at
the
answers,
they've
provided
and
then
tier
two
would
be
well.
B
A
G
In
the
very
least
police
like
very
obviously
Bad
actors
or
folks,
who
are
who
are
like
demonstrably
misrepresenting
salsa
because
I
know
one
of
the
the
problems
we
have
had
in
a
little
bit
in
the
past
was
you
know,
like
we've,
we've
seen
already
a
couple
of
folks,
mostly
just
due
to
ignorance,
more
so
than
maliciousness.
But
you
know
State
something
like
hey.
You
know,
there's
a
salsified
or
whatever
you're
like
there's.
Clearly
not
one
of
these
things.
G
Now,
in
certain
cases,
it's
just
like
hey,
there's
a
misunderstanding,
but
I
do
know
that
some
folks
are
I.
Think
a
little
worried,
not
so
much
about
like
the
self
attestation
part,
but
the
sort
of
like
yeah,
I'm,
salsa
for
and
I'm,
not
providing
a
self
assessment
or
whatever
right,
like
I'm
I'm,
hitting
salsa
but
I'm,
not
providing
a
sauce.
You
know
one
of
those
things
and
and
if
they
do
use
the
obviously
the
salsa
branding
it
begins
to
dilute
some
of
what
we're
trying
to
do.
B
Yeah
I
can't
speak
to
the
open,
ssf's
legal
teams
or
anything
like
that.
I
would
hope
that
they
would
defend
their
trademark
I
believe
it's
required
under
at
least
U.S
law
to
to
defend
your
trademark.
If
you
plan
on
protecting
it
at
any
time
in
the
future,
so
but
that's
not
something
that
I
can
I
can
speak
to
if
there's
anybody
from
open
ssf
on
the
call
that
wants
to
kind
of
address
that
please
do.
H
If
we're
able
to
demonstrate
this
with,
you
know
the
provenance
and
the
verify
verified,
build
system
type
of
spec
or
right,
the
compliance
spec
that
we're
kind
of
alluding
to
that's
going
to
be
really
important
and
I
think
Melba
right
with
the
positioning
right,
encouraging
people
to
not
just
trust
that
someone
says
that
they're
right
a
certain
level.
It's
actually
hey,
show
us
the
receipts
right.
Let's,
let's
use
some
salsa
tooling,
to
verify
this
information
through
a
policy
right.
That's
that's
where
the
rubber
meets
the
road
in.
B
I
Yeah
I
just
wanted
to
add
I
mean
so
typically,
certification
programs
run
with
the
within
a
legal
framework.
If
you
look
at
the
cncf
kubernetes
certification
program,
for
instance,
they
have
terms
and
conditions.
There
is
basically
you
know
when
you
apply
to
be
listed.
As
you
know,
a
conformance
certified
conformant
implementation
of
communities.
You
you
sign
a
contract,
you
need
to
name
somebody,
you
know
and
so
on,
and
there
are
terms
and
conditions,
including
something
that
says
hey
if
we
find
out.
You
know
that
you
actually,
this
is
a
false
claim.
I
I
Obviously,
if
you
have
tools
that
can
help,
you
can
run
tests,
and
you
know
that
makes
it
that
much
easier,
but
independently
of
whether
you
can
run
tests
or
realign
a
third
party
to
make
some
you
know
claim
there
are
some
legal
framework
at
the
end
of
the
day.
Anybody
can
challenge
it
and
if
the
case
might
be,
it
can
be
canceled.
B
B
I
C
G
G
Think
there's
also
some
worry
that,
depending
on
when
you
know
like
especially
with
how
this
stuff
gets
released,
there's
a
worry
that
if,
for
example,
all
of
a
sudden,
the
first
people
who
are
part
of
it
are,
let's
say
the
people
who
are
developing
the
con
I'm,
not
saying
that's
the
case
but
like
there's,
there's
a
concern.
I
think
like
are
these
people.
Who
already
are
you
know
under
the
table
or
whatever
starting
to
organize
like
yeah,
we'll
be
the
first
one
out
of
the
gate.
B
B
J
Yeah,
so
a
lot
of
this
stuff,
okay,
you
know
there's
too
much
that
there's
a
I
mean
this
is
what
I
hear
I
hear
a
lot
of
trusted
individuals
here
rather
than
processes,
a
lot
of
this
stuff
could
be
sorted
out.
The
CSA
does
a
pretty
good
job
of
this.
They
have
that
thing
called
the
Star
Registry
right.
You
have
like
this
one,
two
and
three,
where
you'll
have
those
that
self-attested,
those
that
have
gone
through
third-party
third-party.
J
You
know
Audits
and-
and
you
know
the
such
right
and
then
and
they'll
reg
and
then
they'll
be
able
to
provide
that
documentation
and
they'll
get
put
on
a
registry
right.
So
maybe
we
can
develop
a
registry
that
has
those
who
have
self-attested
those
who
have
been
through
third-party
audits.
Now,
on
the
other
end
of
that.
J
We'll
talk,
okay,
okay,
good
and
then,
of
course,
when
it
comes
to
auditors,
there's
a
processes
by
which
third
parties
can
become
Auditors
as
well.
So
you
don't
have
to
trust
or
of
a
specific
few.
You
can
have
a
process
for
it
and
they
can
complete
the
process
and
then
by
completing
the
process,
they
could
become
Auditors.
And
then
it's
open
to
everything.
Yeah.
B
J
B
B
A
A
I
A
E
A
A
Maybe
it
happens
automatically,
maybe
you
have
to
opt
in
for
it
right
now.
We
say
the
consumer
may
have
to
opt
in
Arnold
report,
request
that
that's
not
the
actual,
correct
use
of
the
term
May
from
like
a
technical
sense,
and
so
we
should
say
what
they
must
do.
But
then
the
question
is:
if
it's
opt-in,
what
is
mandatory?
I
I
Yeah
so
First
Take
on
the
technical
aspect,
I
mean
Maize
capitalized,
which
is
you
know,
RFC
2119,
which
is
not
the
right
use
of
that
term
here.
So
it
doesn't
mean
you
know.
The
answer
is
to
put
a
bus,
but
I
thought.
Well.
If
we
want
to
add
any
requirements,
we
should
express
it
in
that
way
and
yeah.
I
You
know,
compliant
and
provide
the
safety
feature,
but
if
it's
not
turned
on
it,
doesn't
do
you
any
good,
so
my
understanding
of
the
intent
was
here
to
say.
Well,
if
it's
not
on
by
default,
we
rely
on
the
consumer
to
actually
turn
it
off.
Honestly,
that's
my
interpretation
and
then
I
thought.
The
way
it
is
worded
here
is
not
correct
and
instead
we
should
say
something
along
those
lines
of
you
know.
If
it's
not
on
by
default,
the
consumer
must
turn
it
on
that's.
I
A
A
separate
topic
that
we've
talked
about
or
a
similar
topic
is
having
a
like
a
monitoring
only
mode.
So
if
we,
for
example,
just
monitor
that
all
the
you
know,
packages
are
salsa
compliant,
can
you
call
that
salsa,
even
if
there
is
no
actual
enforcement,
so
they
kind
of
are
related
here,
yeah
Aaron.
H
This
actually
speaks
pretty
nicely
to
the
comment.
I
made
a
little
bit
earlier
right,
so
if
you're
participating
as
a
consumer
in
this
in
the
salsa
ecosystem,
you're
participating
right,
you're,
not
just
viewing
a
badge
on
a
GitHub
repo,
so
I
think
if
we
consider
the
consumer
right,
they're,
not
a
passive
consumer,
they're,
an
active
consumer,
so
they
must
right
verify
this
thing.
So
I
think
it's
I
think
it's
appropriate
to
say
they
must
verify,
and
if
it's
an
opt-in
they
must
turn
it
on
right
or
else
they're,
not
a
salsa
consumer,
I.
Suppose
right.
K
Yeah
I
just
wanted
to
add
that
that
in
opt-in,
which
is
a
version
of
tough
for
automotives,
the
way
we
fixed
this
was
to
say
exactly
the
question
compliance
comes
in.
Are
you?
Are
you
really
compliant
if
you're
not
actually
verifying?
All
of
this?
You
know
nice
attestations
I.
On
the
other
hand,
I
do
think
that
there's
room
for
different
verification
modes,
so
to
speak,
which
is
what
we
ended
up
doing
in
updating.
I
So
we're
out
of
time
so
I
don't
expect
just
a
final
answer
on
this,
but
so
hopefully
this
has
raised.
You
know
the
the
you
know
the
issue
to
the
level
of
Interest
people
so
that
you
know
please
go
to
the
issue
and
speak
up,
so
we
can
get
to
resolution
then,
once
this
is
settled
when
we
agree
on
the
requirement,
I
can
rework
on
the
pr
to
get
the
proper
wording
in.
A
Yeah
yeah,
it's
kind
of
like
a
theoretical
thing
of
like
what
almost
like
what
does
salsa
mean.
Is
it
in
the
eye
of
the
beholder
something
around
that
you
know
like
what
Aaron
said
around
the
participant
thing?
It's
not
clear
in
my
head.
So
that's
why
I
created
a
separate
issue,
because
it's
almost
a
little
bit
more
Beyond,
just
the
one
wording
thing
so
certainly
any
comments
would
be
really
appreciated
there.
That
was
reveal
and
with
that
we're
out
of
time.
So
thank
you.