From YouTube: SLSA Meeting (September 29, 2022)
A: Can someone post the meeting notes link? I'm on a new laptop and I don't have all my favorites. Thank you.
D: Looks like we're gonna do the updates first. Let's go ahead and get started, since we've got a packed agenda today. Who wants to kick off the updates for the SIGs? Specification group going first. And hello, everybody, I think I said that.
A: Sure, yeah. I just got the link; I'm on a new laptop, so I didn't have any of the links. So the last two sessions, the working session and the actual broader one, we had a brief overview from Microsoft on their new framework. Red Hat also brought up a discussion in the SLSA specification meeting, which was about the positioning, you know, badging. What does that look like, where, you know, what the progress is? So I think we're going to have someone try to come in to discuss that badging and how it would work. The migration from Google Groups to, I think it's like groups.io or something like that, we were going to try to do, but we don't know how to do it, and we're looking for instructions on how we migrate, because it is a requirement by end of the year to go from Google Groups to, what is it? It says groups.io mailing list first, so I'm not sure where we go for that. Additionally, we were talking a little bit more about OSCAL and trying to make sure that we are in alignment on how we need to change the JSON formatting that I created, and then we just finished the charter. It was just like a few sentences, so I'll have to open up a PR for that. That's pretty much it.
D: Cool, yeah, I can make a couple of comments on those things. So just for folks to be aware: yesterday, as part of the broader software supply chain working group which SLSA lives under, we did do a consensus vote for the OSS SSC framework, to support that project under the Supply Chain Integrity working group, and that was approved. I think there's still the steps the TAC needs to take to actually ratify the project, but just letting folks know that that happened.
D: The SLSA badging, I think that probably ties in a bit to the discussion we're going to have a bit later today about a SLSA conformance program, so maybe there's some tie-ins there. And then the transition from Google Groups, was that a TAC or a governing board decision?
A: Oh, can you hear me now? Yep, okay. Yeah, so when we set up the calendar invites for the SIGs, someone, I'll have to give you the name later, someone responded from the Ops mailing list saying that we have to migrate off of it. So I'm guessing it's an OpenSSF Ops person, but I can find the name and put it, yeah.
D: I can follow up too, like, yeah, I want to make sure that it was actually a TAC or a governing board decision, and then we can work with them to migrate over. Cool, alrighty. Any other updates from the specification or tooling working group?
F: So for the specification working group, no major updates, but work has started on the 1.0. You might have seen some pull requests.
F: We are making the draft, kind of unpublished changes, visible at the URL there. It's also the dev, slash, backslash, review 1.0, and if you actually click on that, there's the, yep.
F: There's like a warning banner at the top saying it's unpublished, and also we don't link to it from the main page right now. There are no content changes right now; we'll send pull requests to do that. So the process for 1.0, for anyone interested, is that we have GitHub issues and like tags and milestones, which I listed in the meeting notes, on issues that we plan to address, in either: plan, have not yet decided, or we will address in 1.0, or we won't.
F: So that's how we're tracking the work, and we will publish them to that site once it's ready for a broader community review. That's when we'll kind of call out for reviews. So don't worry if you're not seeing every single pull request; we'll kind of do one big review at the end of, like, the full published thing and get feedback. That's when we'll kind of make it more visible, get feedback, and then finally mark it as final.
F: Just want to, in case anyone isn't nuanced in the terminology here: this is just for the levels. I know there's a desire to mark the provenance format as 1.0 as well, but I think there's just no one who has bandwidth to work on that.
D: Cool. I don't see any tooling things.
G: Here, Michael. Yeah, sorry. Yeah, I have a couple of small updates. So yeah, we're still looking at some of the OCI stuff that is still planned to be implemented in the new tooling.
G: Now that the OCI changes were merged in a little while ago, which make certain things like associating a SLSA attestation with an actual image as part of the manifest, which then makes things like, you know, when you download the image you automatically download the associated attestation, so you can automatically mirror it and whatever, as well as have references to the individual layers.
G: So you could have a SLSA attestation against this layer as opposed to necessarily the image itself, and that helps out with certain things of, oh okay, cool, I have a SLSA attestation, but it's only for, you know, the parent image, not for this image. And so there's a bunch of work that's kind of going on on that end. There's also some discussions looking through some of the GitHub generator work.
G: That's getting done around making the GitHub generator a bit more pluggable, and this is also something that I've seen a few different folks do, and we should probably think about whether or not we want to kind of push this as a use case for SLSA, or say we're supporting this use case for SLSA, which is: some folks are saying, like, hey.
G: Does it make sense to have SLSA attestations for SBOMs, so that I generated an SBOM in this way and here's the tool that I used to build that SBOM? So it's almost like you're building provenance for additional metadata. Or if we don't want to get into that, and we want to say no, it's more for, you know, when we say artifacts, it's more for executable artifacts or whatever.
G: I tend to lean towards the former, of we should just support arbitrary artifacts, but definitely down for, and I'm already using it actually for that purpose, but down to hear other people's opinions on that. And then separately, we're still kind of having some discussions with a couple of the different groups, including Maven Central and so on, around how different folks are looking at distributing SLSA attestations along with the package and what those things start to look like, because, for as much as is possible, we want to at least provide some standardization and some consensus around the processes by which people are doing this, so that when a new, you know, package manager says, hey, we want to support SLSA too.
G: We can point to, you know, folks and say, hey, here's largely how they're doing it, how the community's implementing that feature. So that's pretty much it from the tooling side.
G: So yeah, that's happening a little bit out of band there. There was a proposal from the GOSST team, the Google Open Source Security Team, on that sort of thing. The other thing, too, is just kind of an ongoing thing of, you know, given that SLSA itself just sort of says it's for artifacts, folks have said, great, I'm building an SBOM, that's an artifact, let me build a SLSA attestation for it.
G: You know, some folks have begun to also do stuff like they separate out SLSA attestations for the packaging of an artifact from the actual compilation of the artifact. I think we do probably want to have some ideas around that.
B: Makes sense. I would push against creating too fine a granularity of claims. Like, we'd like to support arbitrary, different types of content as to what it maps to from a claims point of view. It's a longer-term discussion, but growing too granular means that the amount of data that we're having to carry around and store and archive for the next 15 years is going to grow and grow and grow. So I would resist going too far down the rabbit hole here.
D: All right, yeah. So the next thing is the OpenSSF Supply Chain Integrity working group. I just mentioned this. Jay, did you want to say anything more?
H: Yep, let me just turn this down on this other meeting. Yeah, around this time I have to do double meetings, so apologies about that. Yeah, exciting times, right. So yesterday we had the vote, and the great part is that at the End Users working group meeting this morning, they were a little bummed that the Supply Chain Integrity working group got to it first.
H: The working group actually said that, because it's now going to the Supply Chain Integrity working group, they want to make sure that they bring the members of that working group over to the Supply Chain Integrity working group and to the project, the SSC project, to make sure that everyone is involved and that it's targeting and addresses the right thing from a conception standpoint, which is great. As I said before, I want SLSA and the SSC, or whatever we end up calling it, because that name is going to change as well, to support its adoption in the Supply Chain Integrity working group and support its adoption under the OpenSSF.
H: That name is going to change, we're gonna... You know, we already have a pull request. Microsoft and all the branding, that's going to be taken away from us, so that we can support a true open fashion, and it's working. But we want both of these to march forward, bridged, their own separate entities, bridge them together, marching forward, and so these are ongoing discussions that I've already started to have here. And then the other...
H: And then respective SIGs as well. The blog post that I'm currently working on, Melba, I hate doing this right here, but I'll begin with Melba and maybe Michael as well, to change the focus of that blog post to be more of a joint blog post.
H: I think that blog post would be fantastic, especially once we bring it in; it'll paint that picture. It's something that we can go to the public with, into the industry with, and I think that'll be a more compelling and exciting story. I'm willing to get whatever feedback anyone else has on that, but that's what I'm envisioning in my mind, just because I'm trying to push the envelope on us getting to ISO status sooner than later. All right, so I'll pause.
H: Yeah, so Adrian and I have been talking, and I think what we're going to end up doing, so we would like to create some type of a reference architecture of sorts. We also wanted to create some type of a, say, a road map, where we want to create some type of a concept on how these two frameworks... And I think there's a conversation with Fresca too, right.
H: I think those conversations can be had internal to the meetings that we're about to have, but I do want to highlight where SLSA is, what that scope is, SSC, where that is, what that scope is, how they bridge together. And I need Melba on this, because Melba's exceptionally good at diagramming and stuff like that, at making pictures look like words, or vice versa, right. I'm not that good at that.
H: So, but I think that that takes a better picture than me just putting words on paper. I think the words on paper are for the blog post; that comes after the fact, right. So, yes, the answer to your question is yes: I'm gonna need some help. Adrian and I are already talking about it, and we're also going to get a few people, you know, from the inside here, to come on over and help out with that as well.
H: Basically, what it's going to come down to is there's going to be an all-hands type of thing. For the vision that is this, all hands are required, so exciting times and plenty of room for everybody. There's plenty of meat for everybody that you want.
D: All right, next on the agenda is me. One thing that I discussed with steering committee members is moving this general meeting to a monthly cadence, since we have so many sub-meetings happening right now. One comment was brought up that we don't have an APAC-friendly time zone, so I put a ping in Slack and the mailing list to see if folks from that region would be attending regularly. I didn't get any interest back, so I sort of assume.
D: No one is on the call today from that time zone, but my point is: if we do get interest and people are looking for an APAC-friendly time, we could probably look at alternating the meeting times. A lot of working groups do it this way, and if we do the alternation, then it might make sense to keep this at every other week. So we'd alternate every other week. But yeah, I see a couple of hands up.
A: Yeah, so I have a colleague in APAC that would love to be partaking in this, but this is so late for him. So I don't mind helping him, you know, try to get on board and facilitating those every-other-week discussions if we have a good audience for it.
G: Real quick, so yeah, I reached out to a couple of folks who, they might be interested, might not be interested. It's a little unclear at this point, so I would just say until we get a little bit more interest, we could just, yeah, wait.
D: Table time, okay. Which then kind of dovetails into another part of my question. I want to open it up for other folks that are interested in kind of helping facilitate this meeting. It's been me, and then I usually ping Mike or Mark, with Otto, at the last minute if I can't make it. So I think if some of the, you know, the SIG leads or other steering committee members, we do like a round robin for folks that can help facilitate, that would be awesome, I guess!
F: Yeah, I just wanted to ask that, if there's any volunteers to do more, obviously contributions are even more welcome, but reviewing a pull request. I think lately a lot of the commits on the repo have been like authored by me, reviewed by Joshua Lock, and so I think it's probably healthy to have more people reviewing it, I think. Even if you look at it and don't have an opinion, just saying that would be valuable.
F: So, if you're interested, either you could jump in, or we could add you to the code owners, which gets people automatically listed as reviewers whenever there's a pull request in a particular area. So, if you're interested, for example, just in the specification or just in the provenance format or something like that, even that would be valuable. So either you could reach out to me or just start doing it, or anything like that. But I just want to put out a call.
F: Yeah, right now that's happening, so part of it is actual content. Part of it is like implementation of, like, oh, we need a new page that does this, and so I have to write some... The template doesn't work, so I have to change around the Liquid templates and make CSS changes, blah blah blah.
F: So sometimes there's things like that. If it's helpful, I could split those out more, like implementation changes versus content changes, if that helps people review. Usually I just kind of mix them together, or have multiple commits in the pull request, but then just one pull request, and not flood people with lots of different reviews. But if we want to change how we do pull requests to make it easier to review, I'm also open to that too.
D: Cool, yeah.
F: I see SLSA issues, if there's any open issues right now or pull requests. I think there's no pull request now, but, for example, like the... I'll put in the meeting notes an example.
F: So in the top post I try to, like, explain a summary of everything.
F: There's always a, if you scroll down a little bit, like I try to link to it in the first post, but there's always a deploy preview right there that you could click. It might not always be obvious which page has changed, so you might have to change the URL. In this case, you'd have to add a slash spec slash v1.0.
F: And then you can see that. And like, for example, in this case, I originally had it at the bottom and I didn't have a dismiss button, and Joshua, who reviewed this, said, like, oh, it's probably more visible at the top. So that was like an example of a really useful review.
F: Or, you know, anything of that sort, or the colors are not readable, or I don't think that will properly... it's like in the way, or it won't properly prevent people from accidentally relying on it, or something. Anything like that is valuable.
F: If you hit the files changed button, you can... this one has a lot because I broke it up into a bunch of different commits. The commits tab, actually, not everyone does this, I do this: usually kind of break it up into smaller chunks of, like, copy the directory, add the banner, change this CSS, blah blah blah, and then you could view individual things.
F: GitHub also has a, if you view any particular markdown file on the files changed page, probably not here. This...
F: Oh yeah, like there's the little paper icon in the top right of the window, will show like a rendered version. It doesn't render exactly the same as the website, but it shows like in green was added, red was removed, and so it could give you like a visual diff.
F: In this case, everything is new, so it's not really useful, but in other pages, that could help review as well. And if you're only reviewing partially, like, I only reviewed the content, or I only reviewed the implementation, but I don't have an opinion, even that would be valuable too, and just say it on the comment.
D: Awesome, yeah, and if you need help with GitHub, there's lots of GitHub tutorials on how to get through a review.
F: If you go to the file, you have to click files changed and then that review changes thing, and then you could add a comment. You could also, as you add comments, you could do like start draft, and then it'll send them all in bulk instead of sending like an email for every single one.
D: Cool, alrighty. Thanks, Mark, more reviewers welcome. All right, we got about 30 minutes left and I'm gonna kick it over to Jason Lutz and Tracy Miranda and Joshua, who are going to talk through what a SLSA conformance program can look like.
J: Go ahead and share the screen. Okay, all right! So, as Kim mentioned, we were tasked to kind of put together some ideas to propose a conformance program and to basically fill those ideas out here. And so everything needs to really be legally reviewed, and we want to throw it out to the community so that some inputs... But we just wanted to have something basic to start with, and so I'll go ahead and show my slides. And so we're basing this off of another framework.
J: That's out there, and we'll talk a little bit about that, so that we're not really reinventing the wheel but we're basing it off of a pretty popular framework that's out there in the cloud security space, and we'll address those. So Joshua's going to go into what is conformance, and then we'll talk about our proposal.
I: Yeah, so basically SLSA conformance, the intent is for us to be able to create a program so that organizations can assert their compliance with the SLSA framework in kind of a trustworthy and transparent way that gives consumers and organizations kind of a fair playing field.
I: We propose that we separate this into two tiers, almost. So the first would be a way for an organization to self-assert their conformance, so they would assess themselves. And then the second tier would be a third-party certification, so that would be an external audit.
I: We want to provide a public kind of registry or transparency log of the different responses to the framework, so which elements of the requirements an organization meets, and whether or not that is attested just by the organization itself or by the organization and a third-party reviewer. And the idea is that that would be available for anyone to be able to review on the SLSA website. And so kind of that leads into the question of who exactly would be able to do these reviews.
I: But the idea is that firms would be approved to complete SLSA assessments, and so they would provide the standards of evidence laid out by the SLSA framework that are agreed upon by the community, and they would be required to meet those kind of technical and legal requirements in order to be an authorized auditor. And they would be listed on the SLSA website, that's the general idea, so that an organization who wants to get their services could quickly contact them.
I: Obviously, these requirements, we need to kind of work them out and figure out exactly how an auditor would be qualified, but a couple of examples could be that they are professionals trained on SLSA or have comparable audit experience, they participate in the community, and they have legal agreements with the Linux Foundation. Those are just a couple of examples of what could allow an audit organization to be considered authorized to do SLSA reviews. And so this is kind of, this mirrors very strongly...
J: Sure, yeah. And so I don't mean to blatantly just show the other program, but why not? You know, we're not going to reinvent the wheel, but I think this is a great example of how the approach could be done. And again, this is to the community and it's for the community to decide, but, for example, the CSA, the Cloud Security Alliance, has a Security, Trust, Assurance and Risk program, the STAR program, in which they give badges basically for the different levels.
J: So, as you can see, STAR level one would be the self-attestation, so basically they're answering the questions on how they address the control objectives in the framework. So in our case, SLSA, they would just basically answer the questions on how they feel they meet those requirements in the SLSA levels. And then a second level, if we should go forward with this approach, would be allowing those third parties to do audit, and that would give a second level of assurance.
J: There's also some variants with this. They are also trying to introduce continuous assurance. So if an organization has automated monitoring to ensure there's no drift from the compliance, that might be a nuance to the different levels. So anybody's free to go out to the CSA and look. We're not involved with the CSA in any way or promoting that; again, we're just using this as an example of a framework where the transparency is involved. And so what I'm showing on my screen is...
J: For example, Google GCP is a register in the STAR program, and you can see that they have STAR level one, STAR level two. You could actually go there and click the listing and see how they responded to the controls framework that the CSA has, which, by the way, is called the Cloud Controls Matrix, and what I'm showing here is the CAIQ.
J: If you click on that, it's basically like 300 different questions on how they're addressing the control objectives, and it's transparent and available to the public. Obviously an organization wouldn't want to put too much detail about how they're meeting these controls. They wouldn't want to list special tools, techniques and so on, but they would basically outline how they addressed those different levels.
J: I'm sure there's probably a lot of questions about this, but continuing on, there's 1,500 entries in here, so Google, Red Hat and others have submitted to the STAR Registry. So passing it over to Josh, maybe a little bit more detail on the conformance.
I: Yeah, so basically, we obviously already have levels in SLSA, so we kind of proposed that we have different tiers of conformance to the framework. So tier one would be that self-assessment where the organization goes and fills a spreadsheet, a table of compliance, etc., to detail which controls they meet and maybe give some details on how they meet it, or potentially why they don't meet it, or give caveats to their answer. And so tier one would be...
I: That would be that the self-assessment was completed and it was submitted and potentially reviewed as a PR, and that would be included in the registry. And so then that second level that Jason was talking about, that continuous monitoring.
I: It could be a second little nuance to tier one. It could be that the organization also implemented checks, automated checks that run continuously that validate their stated SLSA level. And we also want to kind of talk about this: where possible, we want it to be independently verified by the consumer of the build service, wherever possible. So, just because you're tier one and you don't have a third-party review...
I: Where possible, a consumer should be able to verify this to some extent for themselves, to give a little bit more trust to it. And then tier two obviously would be the audited conformance.
I: So that's where the third party comes in and verifies the claims. And so the evidence wouldn't necessarily be put on the registry, but part of the agreements with the Linux Foundation or anybody else would be that the evidence needs to be maintained and retained by the third-party auditor, and that would include some of the same details as tier one. But it would come with the additional attestation that a third party had reviewed.
I: A trusted third party had reviewed and agreed with the SLSA level, or, if they disagree, show exactly where they do. And again, where possible, it should be independently verifiable by the consumer.
J: Yeah, and so just giving an example of maybe what a self-attestation would look like from an organization about how they're delivering software. So the very first requirement from SLSA, version controlled: every change to the source is tracked in version control.
J: So an organization might respond: company XYZ utilizes the Git-based distributed code repository for all code; the implementations are configured with security practices as defined by a third-party vendor, and so on. So you could see that it would just be a high-level discussion on how they're addressing the SLSA controls that are listed. So this is just a screenshot kind of showing what a response from an organization about their software delivery methods, how they meet this, also...
J: That's exactly what I was doing. I was gonna say, I do see some hands up, so, okay, so sorry, go.
E: So I think, looking at this, you know, some foundational thinking laid out. One of the things that I'm not clear on in this framework is what the certification, as it were, is attaching to. Are we certifying people who make builders? Like, are we going to come in and say, hey, someone has certified the GitHub Actions-based builder or GitHub reusable workflows as a tool, or are we certifying an artifact, to say the artifact...
E: Yes, we looked at how this artifact was generated and we think it's SLSA level three. Or are we certifying a supplier of software and their practices, or are we certifying a project, which may belong to a supplier and from which many artifacts may come? Like, do you have a thought on kind of at what level or to what entity these conformance certifications attach?
J: Yeah, I'll take a shot at that, and Josh, if you'd like to address that. So yeah, I agree, the scoping would be an issue that we would have to address with the community. But I would think that somebody that wants to attest that they're doing SLSA would scope it down to the various levels that you had mentioned, so whether it's in their secure software delivery or what they're doing in their pipelines. So yeah, that is definitely an issue that would need to be addressed as far as the scoping, yeah.
I: I know the idea is that it should be as flexible as possible, right, because a lot of organizations not only use a third-party tool, but they add customizations on top of that as part of their build pipeline. So if you're a company that supplies software and has a lot of heavily customized build pipeline, you should be capable of executing this as well. So obviously it's good for the tool to be compliant, but, as I'm sure we've all seen...
I: Build pipelines are varied and numerous in a lot of cases, so it would probably be, I was thinking, the organization that supplies software and the build service, and basically anyone who would see value from attesting to SLSA compliance should have the capability to access this conformance program to some extent. But obviously scoping of which things are applicable to which types of organizations will be a detail that we'll need to kind of work through as time goes on, because not everything will be applicable to every type of organization based on what they do exactly.
E: I think you're right, apart from characterizing it as a detail. It sounds fairly fundamental to the shape and definition of this program and the scope and feasibility of it, and so I think, I mean, I think even at this level, at these slides, I would want to see clarity on, wait, what is it we're certifying?
E: Are we certifying builders or toolchains or practices or organizations or artifacts or projects or repos? Like, there's such a broad view, and any one of these could be applicable. To be clear, any one of these we may want to go, yeah, yeah, we want to certify this set of practices that this organization uses to generate this artifact from this repo. But I think even at this high level, I think we should have an idea about what it is this program is certifying. Like, who is it?
E: Who owns the certification at the end of the day? And what does that attach to? And then, you know, the processes to support that will be the details that flow from there. But it feels fairly high on the decision tree in terms of a program like this: are we certifying builders or tools or companies or suppliers or repos, or, you know, if you see what I mean. And so the example that you gave on the slide had the certification about a source requirement.
E: That's out of scope of, you know, kind of the machine attestations that are generated on provenance today, and so it seems that there's something around, you know, a SLSA VSA here, which would talk about the overall set of requirements, whereas provenance, which is where we've been focused today, is just build and provenance set of requirements and doesn't speak to the source. So I guess what I'm saying is: I love this line of thinking you've got here.
C: Yeah, I was gonna, so Isaac, you're spot on around, you know, like what is the scope of the thing that's being certified here. I mean, right in the meeting two or three meetings back, I guess, I did a self-audit of the SLSA level 2, right, on my own, and kind of showed how I'm meeting those SLSA level two requirements.
C: You know, that doesn't represent every single artifact coming out of my organization, though, right. So, like, it is the scope of, like, what is that thing. And I think this topic is crucial.
C
You
know
for
building
Trust
on
Isaac
I
know
you
have
a
pretty
cool
PowerPoint.
You
shared
in
the
tooling
meeting
a
couple
meetings
back.
You
know
like
how
do
we?
How
do
we
trust
these
different
things?
So
yeah
I'm
just
underscoring
that
the
question
I
do
have
for
you
guys,
like
from
a
CSA
certification
perspective,
you're
kind
of
showing
that,
as
an
example,
what
how
do
they
do?
The
scoping
there
right,
because
that
would
be
an
interesting
experiment
to
understand.
J
Yeah
I
would
say
that
the
CSA
has
a
cloud
controls,
Matrix
framework,
and
so
it
would
be
up
to
each
individual
organization
on
how
they're
applying
that
framework
to
their
Cloud
program.
So
the
way
I've
seen
it
is,
you
could
scope
it
to
a
particular
area
that
you've
that
you've
done
your
Cloud
program,
but
usually
it's
for,
like
SAS
providers,
to
prove
that
they're
doing
what
they
say.
They're
doing
and
there's
a
another
document
called
the
ciq,
which
is
a
questionnaire
that
allows
questions
to
be
answered,
and
so
you
could
deep
diver
dive
into
that.
J
So
it
really
depends
on
what
the
organization
is
trying
to
attest
to
so
usually
with
the
CSA.
It's
around
the
whole
Cloud
security
program
and
it
it
goes
outside
of
just
the
cloud
you
you
would
use
something
like
the
CIS
benchmarks,
if
you
were
just
saying:
hey,
I'm,
doing
gcp
or
AWS,
but
this
is
more
around
the
whole
organization,
my
hr's
even
included
application
security
and
so
on.
So
usually
it's
it's
around
the
SAS
that
they're
providing
okay.
B
Thank
you
mark.
F
Yeah,
thanks
for
presenting
I
think
this
is
really
great.
I
I
think
it's
really
exciting.
Two
two
comments:
one
on
the
to
follow
up
on
on
Isaac's
coping
question.
I
would
imagine,
like
part
part
of
the
sauce.
One
thing
I
want
to
address
in
1.0
and
explain
it
concretely.
1.0.
F
Is
that
the
the
main
idea
of
salsa
is
that
you
kind
of
you
don't
have
to
do
this
review
on
every
single
piece
of
software
you
develop,
but
instead
you
just
trust
a
small
number
of
build
Services
SAS
and
do
this
type
of
audit
certification
on
them
and
everything
produced
by
them.
We
could
automatically
verify,
and
so
you
you
would
type
back
to
like
okay,
which
are
the
things
that
you
Services.
F
You
trust
and
you
gain
trust
through
this
type
of
process
that
you
just
described,
and
then
we
can
automatically
verify
through
provenance
and
other
controls
that,
like
all
the
stuff
being
spit
out
of
that
meets
a
certain
level
and
so
I
would
imagine
that's
how
we
we'd
want
to
position
this
I
I.
Imagine
it
also
depends
on
like
whether
it's
open
versus
closed
source
and
also
like
whether
you're
delivering
software
versus
actually
a
service,
because
if
you
think
about
something
like
open
source,
you
would
just
say
well.
F
If
you're
getting
closed
Source
software,
you
probably
need
an
additional
certification
that
they're
actually
using
the
Builder
that
was
certified
and
like
their
internal
process,
is
followed
and
then
I
think
a
step
further
would
be
like
SAS
itself
of,
like
let's
say,
like
I'll
use,
my
own
company,
as
example
like
you,
use,
Google
cloud
or
whatever
some
certification,
that
all
of
the
software
running
has
met
this
salsa
process,
which
in
turn
have
been
built
on
salsa
compliant,
build
Services
internally.
F
That's
something
I
think
that's
also
we
haven't
gotten
into
yet
of
like
certifying
Services
versus
software,
but
but
yeah.
It
is
this.
This
whole
framework
seems
really
good
to
me.
F
The
one
more
comment:
this
is
completely
in
line
with
what
we
had
proposed
for
1.0,
where
we're
moving
away
from
this
common
requirements
and
making,
maybe
that
more
just
like
suggestions
and
having
it
be
like
a
explanation
of
why
you
meet
this.
What
you
presented
here
is
like
a
a
much
better
version
of
that
of
what
we
had
proposed
and
so
like
I
think
we
should
develop.
One
point
like
we
should
work
together
and
do
this
in
in
parallel.
F
As
far
as
1.0
goes
because,
like
I
feel
like
this
should
be
like
a
not
just
like
an
add-on
but
a
first
class
property
of
the
specification,
and
we
should
develop
like
that,
the
self
attestation
form
or
whatever
and
design
the
specification
with
that
in
mind.
So.
G
Yeah
yeah,
no
so
Echo
a
lot
of
Mark's
feedback
as
as
well
I.
Think
the
the
areas
I
know
that
we're
kind
of
interested
in
is
sort
of
diving
into
what
is
the
difference
between
the
open
source
and
closed
Source
stuff
right
because
a
closed
Source.
G
You
know
a
company
raid
like
that.
That's
running
I,
don't
know
Jenkins
internally,
but
they
are
potentially
doing
all
the
right
things
and
securing
everything
and
and
and
whatnot
might
be
sort
of
generating
that
and
then
there's
also
still-
and
this
is
sort
of
more
open
for
the
the
specification
which
is
like
some
of
these
salsa
requirements
are
potentially
things
that
individual
projects
do
as
opposed
to
the
Builder
itself
and
so
making
clear
I.
G
Think
some
of
that
distinction
would
be
useful
because
it's
like
obviously,
if
you're
certifying
a
builder,
you
can
only
certify
what
the
Builder's
actually
doing,
whereas
the
project
can
certify
like
I'm.
You
know
using
this
builder
in
a
correct
way,
and
these
are
my
additional
sorts
of
things
that
are
are
true
about
my
project.
That
kind
of
take
it
to
that
next
level
or
whatever.
J
Yeah
I'm
definitely
seeing
a
lot
of
issues
about
the
scoping
of
that
yeah
Tracy.
Okay,.
K
So
I
think
discussion
and
maybe
I
wanted
to
introduce
the
the
kind
of
process
side
because,
like
this
is
what
it
takes
to
get
to
the
conformance.
We
need
to
have
these
conversations
and
work
as
a
community
to
work
out
the
nitty-gritty,
and
it
sounds
like
the
specification
working
group
might
be
the
right
home
to
say
that's
where
the
conformance
program
should
evolve
and
like
from
a
process
side.
I
want
to
highlight
a
couple
of
things
like.
K
Ultimately,
we
need
a
proposal
that
would
go
to
the
openssf
board,
who
would
have
to
approve
kind
of
the
the
overall
conformance
program
because
it's
overseen
by
openssf
and
then
there's
just
a
bunch
of
decisions
to
be
made,
like
you
know,
are
you
certifying
against
a
specific
version?
How
long
does
it
last?
What
is
the
language
we
use?
What
did
the
The
Branding?
What
is
the
the
logo
you
get?
K
I
We
do
have,
if
can
you
open
that
document
real,
quick
Jason,
because
I.
I
A
little
bit
on
what
you're
asking
there.
B
Absolutely
let
me
jump
into
that,
so
here
we
go,
I
should
be
sharing.
I
Yeah,
so
this
is
the
kind
of
proposal
document
that
includes
or
details
on
what
the
PowerPoint
or
the
the
slide
deck
kind
of
showed
and
if
you
scroll
down,
you
can
see
like
we
have
an
example
of
what
a
badge
could
look
like.
Obviously,
all
of
this
is
draft
and-
and
so
I
think
this
would
be
a
great
place
for
us
to
start
and
it
can
move
to
wherever
it
needs
to
live,
to
be
most
effective
for
anybody.
I
Whatever
working
group
is
most
appropriate,
but
we'd
love
to
start
getting
feedback
and
in
this
doc,
I
think
Jason
can
here.
I
can
change
it
to
comment
there.
We
go
yeah,
so
we'd
love
to
get
feedback
in
this
doc
to
start
kind
of
working
through
some
of
these
things
that,
obviously
we
didn't
see
like
like
the
scoping
issue
and
obviously
the
legal
review
will
have
to
come
at
some
point
because
it
deals
with
trademark
and
Licensing
and
all
that
jazz,
so
yeah.
I
So
if,
if
the
specification
group
is
the
right
place
for
this
to
start
being
kind
of
hammered
out,
I
think
that
would
be
great
for
us
to
get
this
in.
There
and
kind
of
discuss
on
a
more
detailed
point
and
if
we
could
get
feedback
before
that
happens,
that'd
be
great.
So
we
could
discuss
specific
topics.
J
Yeah
and
I
do
see
some
questions
about
whether
a
slide
link
is
available
or
we
can
edit
this
document
yeah
I.
We
need
to
put
these
in
the
right
spot
for
right
now.
Josh
and
I
were
just
working
together
on
getting
this
together,
so
yeah.
This
needs
to
be
put
into
the
right
area
where
everybody
can
access
and
edit
should
this.
I
Yep
so
I've
just
marked
both
of
the
this
document
and
the
presentation
as
commenter.
So
anyone
with
the
link
can
comment.
The
link
to
the
presentation
is
in
the
document
and
the
document
is
in
the
meeting
notes.
So
anyone
can
comment
kind
of
through
that
chain
if
they'd,
like
so.
B
F
In
terms
of
like
what
Sig,
to
put
this
in
I,
think
the
I
wonder
if
it
makes
well
there's
at
least
kind
of
two
parts
here:
one
is
the
actual
survey
and
what
questions
and
like
those
kind
of
details
and
what
the
assessment
does
I
think
that
clearly
goes
in
the
specification
because
it
goes
hand
in
hand
with
what
the
requirements
are.
F
G
Well,
and
also
throw
another
wrench
in
the
works
like
once
I
think
this
is
the
process
is
all
spun
up.
There's
most
likely
going
to
be
work
on
the
the
tooling
group
to
say:
hey
here
are
automated
assessments
as
well,
but
I
think
like
from
what
it
sounds
like
it.
G
Probably
you
know
just
my
two
senses
is
this
initial
piece
probably
goes
through
the
specification
group,
then,
as
we
kind
of
start
to
vocalize
it
through
with
the
outside
world,
it
probably
is
going
to
go
and
open
up
also
to
the
positioning
group
and
then
once
everything's
sorted
out.
It
would
probably
go
into
like
you
know
any
you
know.
Any
automated
tooling
would
probably
come
out
of
the
tooling
group,
be.
K
Yes,
so
maybe
saying
starting
in
the
specification
group
till
we
have
a
proposal,
that's
been
approved
and
then
it
can
be
implemented
where
it
makes
sense,
sounds
good.
B
J
So
it
sounds
like
we're
headed
in
the
right
direction.
Thank
you
guys
for
letting
us
present
I
really
appreciate
it.
J
B
G
Yeah
so
Kim
had
to
hop
off.
She
actually
just
pinged
me
to
see
if
I
take
us
out
so
so
we
have
five
more
minutes.
Are
there
any
other
topics
anybody
wanted
to
bring
up?
Otherwise
we
can
end
it
five
minutes
early.