►
From YouTube: SLSA Specifications Meeting (June 5, 2023)
D
Just
paste
the
link
in
the
chat
and
if
you
have
any
agenda
items,
please
just
add
it
to
the
notes
we
just
we
have
a
couple
right
now.
What's
on
the
agenda
is
a
couple
discussion
topics
from
issues
that
came
up
this
past
week
or
the
past
two
weeks,
I
guess,
since
we
didn't
meet
last
week
first,
we
could
welcome
any
new
members.
If
there's
anyone
new
here,
if
you
want
to
say
hi.
D
And
it
doesn't
look
like
it:
okay,
quick
note
on
scheduling
next
week,
I'm
out,
so
if
someone
could
run
run,
the
meeting
that
would
be
great.
The
following
week
is
a
U.S
another
U.S
holiday.
It's
Juneteenth,
I,
don't
know
if
we
need
to
decide
now
whether
to
go
but
like
like
I
I'm
off,
for
example,
and
a
lot
of
us
companies
are
off
so
I
guess.
You
could
decide
next
week
whether
to
cancel
the
following
week
or
not
yeah,
it's
yeah.
A
D
There's
a
discrepancy
in
the
type
of
a
field,
the
app
there's,
an
annotations
field,
unlike
resolved
dependencies.
Briefly.
The
reason
why
it
came
up
is
that
we,
the
text,
says
one
thing
it
links
to
the
in
total
specification,
which
defines
the
type
as
being
a
Json
object
in.
We
have
a
queue
and
protophile
that
also
describes
it.
F
D
D
But
the
thing
I
wanted
to
specifically
bring
up
at
this
meeting
is
an
issue
that
Arno
raised
I
see
what
he
just
joined,
welcome
Marna,
which
is
that
we
had
decided
and
V1
to
version
the
two
together.
I'm
sorry
version
the
spec
like
the
levels
and
the
provenance
format
together,
because
most
people
just
call
it
the
same
anyway.
D
G
E
F
Yeah,
but
so
we
say
we
state
that
we
use
them
there
and
according
to
Sam
there,
this
is
a
breaking
change,
so
it
requires
a
major
version
number
bump
which,
as
Mark
said
I,
don't
think
anybody
will
say.
Okay,
here's
all
set
here
is
salsa
to
zero
and
people
are
going
to
be
like
what
and
we
say,
oh
yeah
we're
just
changing
a
type
of
an
attribute
in
the
format
and
everybody's
going
to
be
like.
What
are
you
kidding
me
so.
D
D
Purpose
of
all
of
this
is
to
reduce
confusion.
Right,
like
the
reason
of
sember
is
that
we
have
a
major
minor
and
Patch
to
indicate
breaking
changes
and
like
what
people
set
expectations,
but
at
the
same
time
you
know
will
it
cause
any
confusion
by
having
an
immediately
new
version
of
salsa,
yeah
Mike.
A
Yeah
yeah
I'm
not
going
to
talk
about
Solutions,
but
but
I
will
want
to
talk
about
just
from
practical.
You
know
like
one
of
the
things
I
think
from
a
practicality
standpoint,
whether
it's
here
or
there
is,
is
as
far
as
I'm
aware
nobody's
actually
using
salsa
people
and
yet
the
the
the
actual
the
I
mean
they
might
be
implementing
it
internally,
but
I
have
not
seen
anyone
other
than
myself
actually
like
develop.
A
I
mean
I,
know
that,
like
there's
a
couple
of
libraries
that
have
done
it,
but
most
of
the
tools
still
haven't
used,
the
new
version
everything's
using
the
0.2
of
the
Providence.
Still
so
in
the
very
least,
whatever
direction
we
end
up
going
I
think
it's
going
to
be
a
relatively
minor
hiccup
like
I,
don't
think,
there's
gonna,
be
anybody
who's
like!
Oh,
no,
now
I,
gotta,
re-implement
everything
but
yeah
I
just
want
to
throw
that
out.
There.
F
So
I
I,
you
know
I,
think
you're,
probably
right
there,
but
I
mean
it's
it's
worth
pointing
out
that
so
the
spec
as
it
stands
is
broken.
It's
not
just
that.
Oh,
it's
not
saying
the
right
thing.
It's
saying
two
different
things
right,
because
if
you
follow
the
link
to
the
definition
that
you
know
that
points
to
the
Intel
to
attestations
back,
then
you
get
a
different
definition
than
the
one
that's
embedded
in
the
spec,
so
in
effect
or
spec
embeds
two
different
definitions
that
are
contradictory.
F
The
question
is,
you
know:
I
I,
fear
that
you
know
the
right.
One
is
the
linked
one
and
this
you
know,
as
some
of
us
have
commented,
they
would
have
been
better
if
we
had
stuck
to
just
one
and
and
not
try
to
embed
it,
because
this
is
why
we
have
a
problem.
But
you
know
the
question
is
which
one
do
people
actually
use?
F
E
B
Yeah
I
I
think
I
would
agree
with
well
I'm,
not
saying
with
the
additional
kind
of
coloring
that
I
I
think
people
are
trying
not
even
to
read
our
spec
and
really
just
want
to
get
a
library
that
implements
the
format
and
so
the
users
of
V1.
That
I'm,
aware
of
are
all
using
the
same
like
go,
implementation
and
so
I
think.
That's
a
factor
like
how.
What
does
that
Implement,
but.
B
B
A
Around
you
know
like
I
I
would
prefer
something
like
hey
if
we
Define
something
in
two
places:
yeah,
that's
definitely
a
huge
mess
up
on
our
standpoint,
but
if
one
of
our
dependencies
in
this
case
in
Toto
has
to
find
it
differently
than
maybe
how
we
stated
it,
I
would
say
we
you
know
our
dependency
takes
precedence,
and
then
we
should
also
make
sure
that
whatever
we
link
to
is
a
static
link,
so
that
we
also
don't
end
up
inadvertently
pulling
in
like
a
new
version
of
that
thing.
If
it
if
it
does
get
updated.
C
D
D
F
Yeah
and
to
follow
up
on
you
know
what
I
was
saying:
it's
like
when
we
have
multiple
definitions,
I
mean
it.
We
might
want
to
still
do
that
in
the
future,
because
it's
convenient,
but
then
we
have
to
I
think
you
know
I've
seen
studying
links
that
points
to
something
that's
not
going
to
move.
Is
it
wise
thing
to
do,
but
we
also
should
have
some
wording
about
you
know
if
there's
a
discrepancy.
F
A
This
is
the
canonical
definition,
and
you
know
if
it
would
not
in
any
way
be
different
like
if
it
uses
a
dependency
on
a
particular
other
object
or
other
type.
It
would
refer
to
that
other
type
as
opposed
to
re-implementing.
It
yeah
once
again,
I'm
not
saying
use
rdf
I'm,
just
saying
that
that
that's
kind
of
what
they're
doing.
D
G
F
C
Joshua,
the
URI
okay,
anyway,
what
do
you
call
yeah
I,
agree:
I
agree.
We
have
to
be
practical
here.
We
can't
go
to
2.0
just
to
just
to
fix
this
I
will
repeat
what
I've
said
in
the
GitHub
issue.
We
want
to
be
careful
about
doing
this
also,
because
what
do
we
find,
hopefully
not
Dutch
wood,
but
what?
If
we
find
yet
another,
you
know
backward
and
compatible
fix.
We
want
to
be
careful
not
to
accidentally
yeah
yeah
use
this
escape
hatch
too
often,
but
I
think
everyone
understands
this.
C
The
the
other
one
is
I
wonder
if
pointing
to
a
reference
implementation
of
the
spec
might
help.
But
again
we
have
to
be
careful
a
bit
of
the
language
there,
because
it's
possible
that
the
spec
Stills,
the
specs
is
one
thing
and
the
implementation
does
another
and
you
still
need
to
specify
which
one
takes
precedence
up.
Joshua.
B
B
D
That
also
sounds
good
to
me
and
I'm.
Fine
I'm,
fine,
just
one
quick
question
just
to
play:
Devil's
Advocate.
One
thing
that
Arnold
mentioned
in
the
thread
is,
you
know,
saying
like
about
like
we're
tying
the
versions
of
this
like
this
little
levels
in
the
Providence
together,
just
to
think
about
it
for
one
minute
before
we
decide
to
do
the
other
which
again.
Finally,
if
we.
D
D
A
Yeah
I
mean
I,
think
so
so
I
think
the
problem
that
you
know
the
the
the
issues
that
we
always
want
to
kind
of
avoid
is
like
too
much
of
the
difference.
Differences
like
I
I,
you
know
I,
don't
want
to
throw
out.
You
know
too
many
solutions,
whether
or
not
it
should
be.
Something
like
minor
revisions
can
be
an
update
to
one
or
the
other,
without
them
being
necessarily
in
sync
or
whatever.
A
You
know,
I,
think
it's
gonna,
I,
don't
have
an
answer.
I
just
think
that
it's
it's
gonna
cause
some
confusion
either
way.
I
just
think.
Whatever
is
the
the
solution.
That
is
both
is
that
right
balance
between
allowing
us
to
update
without
jumping
through
a
million
hoops
and
eliminating
the
majority
of
confusion,
I
think
that's
kind
of
the
option.
I
think.
B
I
think
another
option
we
should
consider
is
just
moving
the
problems
at
a
station
or
the
the
two
access
stations
out
of
the
space
out
of
the
cell.
To
repository
like
there's
already
there's
the
intercoator
stations
repo,
where
there's
a
growing
number
of
attestations,
so
it
would
fit
nicely
there
or
it
could
be
its
own
separate
repository
to
make
the
separate
versioning
less
confusing.
B
Exactly
and
I
just
think
it
it
has
the
potential
to
reduce
the
confusion
in
like.
Why
is
this
version
separately,
but
it
also
may
make
things
more
difficult
in
the
having
the
two
live
side
by
side
can
make
like
editing,
thermostat
right.
So
it's
like
which
do
you
prioritize,
and
so
far
we've
argued
that
it
makes
more
sense
to
have
it
live
alongside
the
spec,
because
then
we
can
edit
the
two
and
tandem.
F
F
I
mean
doesn't
don't
we
have
to
update
South
the
cell
suspect
anyway
to
point
to
the
new
version.
I
mean:
what's
the
tie
there
and-
and
you
know,
because
in
a
way,
if
one
zero
says
well,
that's
the
format
we
were
using
you're
supposed
to
use
for
provenance,
and
now
we
publish
a
different
provenance
version.
The
South
suspect
still
says
it's
the
other
one.
We
haven't
solved
the
problem.
We
still
have
to
modify
the
cell
suspect
and
that's
why
I'm
hesitant
to
you
know
I
I
kind
of
like
the
idea.
F
That's
why
I
brought
it
up
in
the
in
the
GitHub
thread,
but
in
the
end
I
was
like.
Well,
maybe
this
isn't
really
solving
the
problem.
Maybe
you
could
solve
it
once
for
ever
in
separating
that,
but
at
least
once
we
still
have
a
problem,
I
think
but
Mark.
Maybe
you
have
a
better
sense
of
what
the
tie-in
is.
There.
D
Yeah
I,
don't
think
yeah,
that's
a
good
point
too
I
I
mean
we
would
need
to
fix
the
we
need
to
point,
but
I,
don't
think
it
would
require
a
version
bump
of
the
spec
to
just
say,
like
nothing
in
the
provenance
format
like
semantically
is
changing
and
so
I
don't
think
the
spec
relies
on
on
a
good
difference.
It's
not
like
the
build
model
is
different
or
like
there's
like
a
different
concept
of
external
parameters,
Etc
so,
but
it
is
a
point
that,
like
right
now,
they're
tied
together
in
some.
D
H
Right,
let's
see
I've
got
a
few
thoughts.
The
first
is
that
I
don't
think
we
need
to
bump
the
spec
version
to
change
the
version
number,
because
the
versioning
page
is
not
part
of
the
part
of
the
versions
directory
of
the
site.
I
I,
don't
know
how,
if
that's
an
implementation
detail
or
if
it
matters
I'm,
throwing
it
out
there
I'm,
not
a
big
fan
of
separating
the
two
versions.
Again,
though,
because
we
just
reunified
the
versioning,
because
it
was
confusing
to
implementers
and
I'm
worried
that
we
will
relitigate
this
every
two
months.
H
That
being
said,
I
think
I
think
that
we
could
make
this
correction
as
V
1.1
just
take
our
licks
for
there
being
a
mistake
in
the
spec
and
maybe
get
a
little
bit
less
precious
about
bumping
the
version
number
we
can
adopt
patch
versions
if
we're
going,
because
we
can
expect
kind
of
a
lot
of
changes
with
the
with
an
attestation
format,
but
I
I.
Think.
The
biggest
concern
for
me
is
that
we
not
relitigate
versioning
every
couple
of
months.
D
I
Okay,
so
I
posted
a
link,
there's
a
question
around
who
should
implement
the
provenance
spec
like
actually
for
in
go
that
came
up
on
the
internal
side
a
month
or
two
ago,
and
there
was
actually
an
expectation
that
in
Toto
would
be
the
implementer.
Even
though
there
is
a
proto-spec.
Also
on
the
salsa
side,
because
we've
been
moving
towards
using
protobufts
to
implement
the
attestation
layer
and
predicates,
we
ended
up
with
a
separate
Proto
definition
that
actually
already
Imports
the
intoda
specified
resource
descriptor
right,
which
is
the
problematic
type.
I
So
we
have
on
the
internal
side,
actually
merged
a
V1
provenance
predicate
again
I,
don't
think
it's
really
being
used
anywhere.
So
if
we
wanted
to
remove
it,
I
think
it
would
be
a
pretty
easy
fix
if
we
wanted
to
remove
it
from
the
in
Toto
side,
but
I'm
still
sensing
a
little
bit
of
sort
of
back
and
forth
between
who
should
own
the
implementation
versus
who
should
own
the
dot.
I
C
Yeah,
if
I
could
I
think
I
think
there's
a
way
to
fix
this,
where
we
don't
have
to
answer
this
question
right
now,
whether
we're
moving
the
Providence
attestation,
backup
stream
so
to
speak,
but
I
think
it's
definitely
worth
resolving
one
way
or
another.
We
should
document
this
officially
in
the
site,
so.
E
D
A
I
I
do
think
not
for
this
conversation,
maybe
for
something
like
next
week
or
in
the
coming
weeks.
I
I
would
also
be
interested
in
understanding
a
little
bit
more.
What
that
canonical
representation
actually
is
because
I
I
know
that
we're
using
produce,
but
without
sort
of
some
of
the
plugins
you
could
use
with
protos.
You
lose
a
lot
of
the
semantic
meaning
in
in
their
you
know,
so
it
could
lead
to
different
implementations,
still
breaking
some
of
that.
B
Yeah
I,
don't
think
it
was
ever
articulated
explicitly.
A
new
web
I
think
it
was
discussed
in
a
pull
request
that
we
didn't
want
the
Proto
buff
NQ
file
to
be
like
necessary
things
that
people
use
for
their
implementation.
We
wanted
them
to
be
like
supplementary
to
the
spectex,
to
help
people
reason
about
what
the
spec
is
saying.
That's
my
recollection
at
least,
and
so
as
a
consequence
of
that
we
did
like
avoid
complicated
protocol
features
that
we
didn't
think
were
easy
to
read
without
being
approach.
Perfect
expert,
for
example,.
D
Ultimately
that
was
less
work
and
I.
Don't
think
this
would
have
actually
fixed
this
particular
issue,
because
we
are
like
we
effectively
that
we
want
to
both
link
to
the
in
total
spec,
but
also
inline
it
so
people
could
read
so
they
don't
have
to
jump
between
two
different
things
and
that's
where
this
particular
problem
lied.
Is
that
like
we
both
copied
it
and
linked
and
the
two
disagreed
and
we
didn't
realize
that
they
disagreed
so
yeah
illiterate
Proto
definition
is
exactly
what
I
wanted,
but
I
I.
A
Yeah,
if
folks
are
interested
I'm
working
on
that
sort
of
project,
so,
if
folks
are
interested
in
contributing
we
could
we
could
discuss.
That's
one
of
the
things
that
actually
we've
been
talking
about
a
little
bit
in
the
salsa
tooling
side
is
even
if
it's
not
the
canonical
definition
having
something
that
can
translate
between
these
things
at
least
reasonably
to
get
somebody
let's
say,
80
of
the
way
there
is
is
useful.
D
D
F
You
know
I
think
that's
fine,
I
I
just
want
to
say
that
if
we
think
the
in
total
attestation
definition
is,
is
the
primary
source
it
since
we
can,
unless
we
can
link
from
the
other
I
mean
we
could.
But
you
know
today
we
don't
have
a
link
from
the
the
Q
version
or
the
port
above
version,
so
that
means
the
text
would
want.
F
You
would
want
the
text
to
be
the
primary
source,
and-
and
so
that's
what
you
would
want
to
see
in,
but
as
I
pointed
out,
I,
don't
think
this
is
what
most
software
engineer
will
will
take.
I
mean
I,
look
at
the
photograph
or
because
I'm
like
yeah.
This
is,
you
know
much
more
concise
way.
Something
I
can
read
very
quickly
and
say:
I
know
what
that
means
and
I
think
that's
what
most
people
are
going
to
do.
F
F
D
F
F
F
E
D
H
H
H
So
there
are
two
issues
that
came
in
and
also
two
PR's,
that
I
thought
could
so
going
through
them
quickly.
Now
this
one
I
opened
the
folks
who
build
the
GitHub
generators
are
working
on
I
believe
it.
This
came
up
specifically
for
their
container
build
generator.
They
miss
they
they're
missing
the
config
Source
from
the
provenance
format
0.2,
and
they
think
that
adding
an
additional
fields
to
the
external
parameters
that
that
marks
out
the
source
code
of
the
build
is
useful
for
making
builds
more
reproducible
based
on
their
provenance
thoughts.
H
D
Yeah
I,
actually
I
spoke
with
some
some
of
the
folks
separately,
I
I
think
what's
needed
as
a
model
right
now,
we
don't
have
a
model
for
what
the
word
Source
means,
and
that
was
like
one
of
the
things
that
we
wanted
to
do
with
v
0.2
and
then
went
in
the
other
direction.
Just
say
you
know
we're
not
even
going
to
Define
it
because
we
don't
need
it.
D
Yeah
I,
agree,
I
feel
like
we
kind
of
need
it
I.
My
gut
feeling
is
that
this
would
be
a
good
thing
for
a
a
true
V2
that,
like
we
kind
of
someone,
it's
almost
like
a
like
a
Divergence,
then
convergence
type
of
thing
where,
like
you
start
out
with
one
thing,
and
then
you
have
different
use
cases,
so
you
kind
of
diverge
based
on
different
needs,
and
then
you
realize
where
the
commonalities
are,
and
then
we
could
converge
onto
like
some
common
model.
D
H
H
H
H
H
A
Think
to
to
what
Mark
had
said.
We
should
just
sort
of
describe
that
thing,
as
opposed
to
necessarily
defining
necessarily
just
using
a
word
or
using
a
phrase
and
then
defining
it.
Maybe
just
sort
of
spelling
it
out
and
so
I
do
think
that
the
the
idea
there
is
is
is
good.
Whether
or
not
we
should
pick
those
particular
words
and
phrases
is,
is
I,
think
Up,
For,
Debate.
J
J
J
If,
if
there's
not
something
like
and
so
I
I,
don't
know
if
that,
if
we
need
to
have
like
some
kind
of
summary
on
each
of
these
additional
tracks,
that
says
this
is
the
core
tenant
that
we're
trying
to
achieve
with
this
track.
I
think
that
we
could
achieve
I
think
we
can
figure
that
out
for
a
reproducible
track
as
well
and
and
so
I
I
think
that
it
does
make
sense
to
me
to
have
a
reproducible
track.
C
C
I
also
agree
that
it's
important
to
figure
out.
What's
common
to
it,
because
at
least
to
me,
it's
not
clear
that,
while
it's
not
even
clear
to
me
that
you
necessarily
need
a
hermetic
build
environment
for
reproducible
bills,
I
mean
I
could
always
look
outside
so
long
as
that
third
party
mirror
is
reproducible
I,
don't
necessarily
care
whether
I'm
using
something
hermetic
anyway
just
wanted
to
bring
out
yeah.
We
need
to.
We
need
to
figure
this
out.
What
defines
a
reproducible
bills
track.
A
A
It's
been
very
useful
to
just
be
able
to
say
Yep.
This
track
works
on
that
box,
and
so
I
think
you
know
if
we
go,
let's
say
make
it
separate
from
as
opposed
to
salsa
build
level
four.
We
we
make
it
a
separate
track
or
whatever
I
think
it's
worthwhile
to
just
sort
of
explain
exactly
where
that
fits
in,
and
maybe
it's
something
like
the
box
within
the
box
right.
You
know,
with
the
build
Providence
helps
protect
against
this.
Then
the
build
reproducibility
track
protects
against.
D
E
D
D
It
seems,
like
reproducibility,
solves
a
bunch
of
different
problems,
one
of
which
is
trustworthiness
of
the
build
and
tampering
of
the
build,
which
is
the
build
track
and
reproducible
builds
is
one
way
of
Doom
a
system
of
multiple
verifi.
Reproducables
is
one
way
of
doing
that
and
then,
as
Andrew
said
like
having
like.
E
E
A
If
I,
if
I,
think
about
what
we've
built
so
far,
you're
talking
about
securing
the
build
infra
and
making
sure
that
a
bad
build
itself
can't
compromise
other
builds.
You
know
like
if
I
start
to
think
about
what
the
goals
of
the
current
track
are
right
and
so
far
nothing
in
the
existing
build
track.
Actually,
talks
about
the
security
of
the
builds
you're
actually
running
right,
we're
sort
of
saying
that's
untrusted
user
code
that
we
don't
actually
know
if
it's
doing
anything
suspicious.
A
J
If
we
identify
what
that
common
theme
is,
it
makes
sense
to
have
a
reproducible
track
and
I.
Think
reproducible
still
like
reproducible
falls
in
the
same
scenario
of
hermetic.
We
shouldn't
use
the
word
reproducible.
We
shouldn't
use
the
word
hermetic
in
in
the
in
the
the
conversations
that
we've
had
around
hermetic
I
know,
like
I,
think
a
dependencies
track
was
tossed
out.
There
I
think
that
still
doesn't
quite
make
sense,
and
so
I
think
that
a
lot
of
these
Concepts
fit
well
together
and
have
a
common
goal.
H
F
Yeah
I
I
think
this
is
a
really
not
very
you
know
it's
just
the
FAQ
and
we
can
be
really
relaxed
about
that.
One
I'm
sorry,
but
I
didn't
get.
What's
the
what's
the
the
takeaway
from
the
discussion
before,
though,
on
the
issue
I
mean
what,
in
terms
of
like,
we
were
supposed
to
do
some
triage
here.
What's
the
outcome
of
the
discussion,
what
do
we
do
with
that
issue?.
H
H
B
I
mean
yeah
I
think
in
terms
of
like
issue
triage.
This
issue
is
too
large
and
needs
being
if
we
covered
many
topics
as
part
of
that
description.
It
covers
many
topics.
Ideally
it
would
be
broken
down
into
my
tractable
things,
but
as
Chris
Reich
said,
we
need
someone
to
someone
who
cares
about
how
to
own
it.
I
I
think
there
is
a
certain
amount
of
folding
into
existing
issues
that
could
happen
or
has
probably
happened,
but
backlog
makes
sense
until
there's
someone
there
will
excellent.