From YouTube: SLSA bi weekly sync (August 8, 2021)
A: So the next item that was on the agenda was to just talk about project goals for SLSA. It was touched on briefly in the intros, but if people have opinions on what you want out of SLSA, and kind of what we know, where to kind of shape where we go. I know Tom on the Google side has some thoughts.
B: Yeah, so from my perspective, we have a couple of goals for SLSA. One is that we want to protect all of the software that Google distributes, and give our users a way to have confidence in that software beyond just, "Well, I got it from Google, so I guess it's fine." We also want to give Google confidence in the software that we use and that we include in those products, and give our customers the same ability to protect their software and end users. And I think, you know, we can get into this a bit more later, but my primary goal is to prevent tampering, as distinct from vulnerability management, and then further.
D: Yes, fantastic, all right, so I can cover the intro and our goals right now. So I have community and marketing at ActiveState. We've been building enterprise distros of Python and Perl for about 20 years, but we've been building a supply chain product, and our goal with SLSA is really to try and implement it, but in a turnkey way for others. We're really excited by SLSA because it describes what we're doing really quite well.
E: Yeah, I largely agree with what Tom said earlier. At Datadog we're also interested in being able to tell customers, "Hey, look, here's an objective framework the whole industry is using. We all agree on the nomenclature and what these levels mean," and we can tell customers, "Hey, what are you doing to improve your software supply chain?"
G: Happy to jump on. Donnie again. From my perspective, one of our portfolio companies is packagecloud, which is package deployment for a range of customers, and our perspective is a lot of our customers we've been speaking to have had concerns with dependency and supply chain attacks, and so we're looking at ways we can, both technically and otherwise, address that. We were building something similar to SLSA. We saw that, and we think it's just better to have the community around that, so we're jumping on board with this and we're taking a look at what are the things that we can add to our product that will actually secure portions of that, and then look at the areas where, kind of like a shared responsibility model, this is stuff that we can do for our customers, this is the stuff that our customers should be doing, and then try to better use that framework to communicate like, "Hey, this customer has SLSA level four. So when you download packages from them through packagecloud, you know the supply chain has been secured." So finding a way, kind of like what Trishank said about: can you automate? Can an individual with no technical experience validate the supply chain was secure? Can a computer validate that? Can we just be a little more comfortable and confident when we download stuff that it is not compromised?
H: Okay, sure, so yeah, there's two main use cases from my end. First, from a financial services perspective, it would be great to be able to just attest to certain levels in SLSA and be able to, you know, audit against that; that helps us out from a regulatory perspective. But then the bigger one is as part of the sort of CNCF secure software factory, or secure supply chain reference architecture and reference implementation.
I: Yeah, so my main, when I started across, the main reason I wanted to get involved is because it provides really tractable, kind of approachable recommendations for securing the software supply chain that map quite well to my mental model, only better articulated than I have been able to do, and more comprehensive as well. So I saw a good opportunity to provide a roadmap to ecosystems and projects and also corporations that I wanted to help contribute to.
J: A number of you actually already know me, but yeah, I'm interested in this. Broadly, you know, a lot of folks are using open source software, but there's still some lingering concerns and so on, and I want to harden up the supply chain so that those concerns are allayed, not just because they hear some words, but because there's actually things going on to reduce risks.
C: Great, let me see who hasn't spoken. I mean, maybe you want to give some thoughts on what you feel.
K: I think it's really good to take a step back and kind of look at this from a more macro level, and I think a framework, something like this, is so important, especially in open source software where there aren't a ton of, I guess you could say, standards or things that everyone follows that are easily auditable or reviewable. So it's definitely...
L: I think everything was pretty much said, but on my side, you know, it's gonna be, you know, baby steps at first anyway. I have great aspirations for, you know, supply chain security. As everybody knows what's going on in the world these days, you know, I think it's incredibly important to stop focusing on that, but today, and without shame, I can say that, you know, we're pretty much nowhere. So it's, you know, it's going to be good for us to start with.
C: Great, maybe Scott, you want to go next and introduce yourself as well.
M: I missed your initial ask, but I'll introduce myself. So my name is Scott Stroud. I am a technical account manager for Confluent. I focus on, I'm in a customer-facing role, largely for US Department of Defense customers, and if there's any other people kind of in that realm on this call, I am kind of their entourage for doing something called Platform One and Iron Bank. And so my interest in SLSA, and this came by way of the call you guys had a week or two ago, was to see a lot of that resonated with what Iron Bank does and what their goals are and what Platform One does.
C: Okay, anyone else that hasn't spoken? We have quite a bunch of Google folks. Anyone else wants to add anything to what Mark or Tom said?
C: Okay, the next topic is more about governance. So we have quite a bit of active members, or members that want to be active or contribute to SLSA. I think it's pretty important to set some type of governance model in terms of how we will make these contributions and how will this become more like an industry standard framework, so we are looking for ideas.
J: Yeah, the SLSA governance document is not public. It's not publicly viewable.
C: Okay, the last came to fix it, but I can give you some high level overview of the things. So one of the things, let me open that up quickly.
C: So this is a proposal that Kim created, and a bunch of us just left some comments, but we wanted to discuss with all of you and see what you feel. The first thing there is, like, who should be a maintainer of the SLSA framework. So there are a couple of rules proposed there, things like they need to collaborate at least once in a three month period and attend some of these meetings, provide some feedback. Also, there are things about who will be more like a reviewer or maintainer on these things, so we are open to ideas on how we should do this. We put in some basic things in there, but I was curious if any folks had any thoughts.
A: I think one thing that I would love, just to echo what we've heard from other people so far, is that I suspect that we probably want to have some multi-tiered thing, where regular changes just require any other maintainer to approve, but any sort of strategic changes require some sort of community contribution. And I think we need to be careful; we don't just want one organization. For example, there's many Googlers here; if six Googlers all agree, that shouldn't be sufficient to make a major change, right? Go ahead, Michael.
H: Oh sorry, yeah, I was just gonna say I second what you just said there, Mark. I know from a financial services perspective that it's a hard sell to adopt a framework like that if it's, you know, mostly one company sort of pushing it. It makes it much easier from an internal governance and compliance standpoint if we show that there's a diverse set of folks from lots of different companies.
C: Yeah, I also want to echo the same point, which is we want to make sure there is some representation from every company, and usually I would want to restrict per-company representation to one person or something so that we have a good consensus on things. And there are two ideas there. One is either we do a steering committee with...
K: That doesn't necessarily mean I'm saying, you know, one person should make all the decisions or anything like that, but just having one, or at least, you know, easily referenceable leads or people that, you know, if there are any questions or issues, to just go to those people directly and they could potentially be pointed in the right direction.
J: Yeah, I got a couple of thoughts. First of all, three months before ejecting them is really short. I would say 12, or just stay on until voted off. And the other concern I have is, maybe this will be one of those always super active, so it doesn't matter, but if everybody after a while says, "Hey, we like SLSA, we don't really see any changes," this kind of structure easily leads to a situation where there are zero maintainers because nobody was doing anything for three months. So I think you want to have a floor of at least the last three on the island stay on.
A: I don't have the experience in other open source organizations. Would it make sense to have, aside from just maintainers who can make decisions when there's a disagreement, a very small steering committee, like three persons or something like that, in order to facilitate resolution of things, not necessarily to lay down decisions but to make agreement?
D: I commented on the doc. I think the steering committee makes that, like having a subset of the maintainers for decision arbitration.

I: Is potentially useful. I guess the only concern is trying to put too much structure in place too soon, but it depends how many... I know there's also a desire to have diverse participation. So if you can generate that diverse participation quickly, then the additional structure doesn't make sense.
C: I agree, and then a smaller thing in the docs too, which I think we can get some quick approval here. One is like any change should require at least two maintainers to approve. I think this seems okay. I don't think we need the steering committee here. This could be more like if, let's say, some maintainers feel like they need to bring it up to the steering committee.
J: One maintainer, or what do people like? I mean, if you've got enough maintainers to do that, that's fabulous. I mean, ideally you'd like multiple; two maintainers from two different organizations would be even better, but the question is: do you have the personnel to do it?
A: I think Dan comes down here. My inclination is to have some sort of tiered system where simple fixes and minor changes that just affect clarity but don't affect content maybe just require a single thing to do; any sort of substantial, especially breaking changes or new requirements or something like that, I think I would want even more than two. I would want some sort of community discussion, so it's not just a pull request comes in, two people approve it, and then everyone has to change. I suspect it's kind of a judgment call.
I: Possibly just a cool-down period after pull requests so that they don't get rushed through; requiring a certain review period may make sense. We've talked about doing similar with the TUF specification, where we don't expect changes to just be accepted. Probably, you know, we acknowledge that these things take time to think about and reason through, so kind of have a specified period for trying to, yeah, allow that reflection.
B: So one example of where I think involving the steering committee would be very helpful would be something like the issue that we saw earlier this week, like should we add source control requirements to a lower level. I think that generates a lot of discussion, but it's not quite clear what's like actually... and I think that getting consensus within GitHub in a timely manner can be tricky. But if you have a steering committee, you could say what, like...
K: Sometimes you just need somebody, or a group of people, that can have that ability to do that. So I'm in agreement there.
C: Sounds good, so I think there are a couple of things we are hearing here. Some of the key big items we will try to discuss at the SLSA meeting here, just to discuss that thing before landing it. Simple things can just go through one maintainer review, and then medium-sized changes that don't require discussion will require just approval from two reviewers from different organizations. Simple things are typo things, template fixes, those kind of things.
C: Those would be right, right, right. I would say: okay, you really gave examples that got it, okay. And also, I would say the steering committee members will make sure all PRs, like they are subscribed to, so they can actually jump in if needed, right? So if a maintainer is not doing the right thing, that way they can jump in with stuff.
C: Maybe then the next item is looking for those volunteers for the steering committee. Any particular volunteers that really want to contribute to the spec or want to have a big opinion there?
D: Certainly interested. We've got a good number of customers that should help give us really practical input here. So we're certainly...
I: Yeah, I'd be interested in participating.
C: So just to decide on this thing, there are some criteria you're thinking, right, like you should have contributed to the spec in some ways and stuff. So I would say definitely we would want one person from Google, right? We started this effort, so we want to make sure we are developing it the right way. So anyone from Google who wants to volunteer here?
C: Okay, and I definitely like Joshua because he contributed quite a bit to the spec. So do people have any concerns on having Joshua?
O: I just wanted to throw in a comment. So I work on Tekton, and we have a governing board, which I think would be similar to the steering committee that you're describing, and we kind of started with a bootstrap set of people, and there were five, and then we had rules about company representation. Anyway, I'd be very happy to share the docs that we used to describe that, if you wanted to follow something similar where there's kind of a bootstrap and then from there you go into periods of elections and that kind of thing, if you want to make sure that you've got a situation where you can potentially have... Another thing is, I wonder if you would want to solicit on the mailing list people that are interested as well, just in case they're... I'm just jumping in here.
O: I've never attended a meeting before, so feel free to totally ignore me, but I'm just wondering if you might want to solicit volunteers for this on the mailing list as well, and if you might want to have some rules around how long these people are going to be in the position for, anyway. Yes, definitely.
C: I think just to come back to what Christopher's saying, I think it does make sense to establish those kind of processes, but we could maybe bootstrap now and establish processes for re-electing steering committee members from amongst maintainers or something like that. That's fairly common in my experience with open source.
J: There's all sorts of ways, and really it's just a matter of agreeing on something. As I said, what's more important is having a way to make decisions, including how to change, because no matter what you set, you'll find out, "Oh, I want to change it," and even if it was perfect at one time, you'll change it eventually as things get bigger or smaller, so you just have to have...
J: And I would suggest larger if you've got the people, and as I said, if you only have three and one goes on vacation, you're down to two people who can disagree. If you're gonna have a steering committee at all, then that creates a problem.
C: Okay, let's do five. I think some people are saying five because it doesn't get too big to make decisions harder and other things. So let's do five. Okay, so we have two, and then David has the third one. There is the perfect neutral one to have in the mix, so is everyone okay with David being the third one? Yep, some thumbs up. Okay, let's see who else wants to be more involved in the spec. We need two more volunteers.
M: So I had one question: we discussed having diversity of who the vendors were on these committees. I apologize if there's any on the call, but I mean I'd be curious if there was any non-commercial entity people that are in this organization, because I kind of like that diversity as well, be it, you know, academics.
J: Well, I do represent a nonprofit, which is, you know, not commercial; it's a group of commercial organizations, but I'm not... I'm technically an academic because I teach two classes on the side, but I don't think I would normally be classed that way. But I think it's more the multiple organizations that's key. If we can have people from governments or academia, awesome, but I think it's more just multiple organizations, and that will already start to represent multiple different perspectives.
H: Yes, and I was just going to say, you know, obviously I'm working in a private company, but I'm still also representing the CNCF. But I would also like to see, and I can check from my side for the Cloud Native Computing Foundation, if we can get some folks who are specifically working for them. Yeah, for what it's worth, I'm the architect of the secure supply chain CNCF stuff.
C: I don't know, Trisha, do you feel comfortable? I also want to make sure we contribute to the spec as well, so it doesn't need to be a decision now. Maybe for the next two weeks we see some people who can actually contribute to the spec and make the decisions on, let's say, those last two members or something, but I'm just curious for thoughts. Anyone else's thoughts?
C: I think we have someone else, right, instead of Zach. Let me just confirm that we have David, Joshua. Is there, right? Okay, Zach, okay.
E: So I like, for what it's worth, I like Abhishek's idea of, like, you know, let's put interest on there, and sure, the number of seats are limited, with the expectation that it is rotating; we don't all have to serve right now. And I think we can revisit this at the next meeting and finalize.
C: Great, any other questions on this before we move forward?
C: Okay, let's see the next item. I don't know who put it in there. This is: how do we want to track interest outside of GitHub issues?
A: Feel free to skip. I thought one kind of brief topic was, if anyone had thoughts or experience on how to track interest in this. We have the mailing list, and everyone here found the community meeting, but there's not really a way right now to just give positive feedback like, "Yes, this sounds good," or keep track of who's using it. So if you just look at the commit history, it's lopsided based on the people who are making the changes. But if organizations look at this and say, "Yes, it looks good, I'm also going to use it," without actually making changes because they don't have any changes to make, it might be good if we had some way to keep track of that.
A: Yeah, that's true, but I guess it is just keeping, looking at the mailing list. And another, because I forget who said this, someone said it's important to look at this and see that it's not just a one-company thing, but a kind of an organization that represents multiple stakeholders; kind of a way to represent that.
I: Tracking adoption is a fairly standard open source problem where people don't necessarily talk about the projects they're using, and then ten years later you find out that one of them's been to space or something. And I think that's doubly so with security related things; people don't want to say, "Oh, we didn't have good security practices, but now we do," so there might be a problem with identifying adoption outside of contributions, I think. But a fairly, an increasingly normal way to do it is to have a repository where people submit user stories; that's kind of opt-in, and that's what Sigstore have done with their friends repository. But I also think there aren't any... Oh, no, sorry, I lied, there's only one person, one organization, that's contributed to our repository so far in sort of two months. So I would expect that to be fairly quiet. Yeah, that's just my kind of experience, expectation.
D: With that said, how the framework is structured, what organizations want to make public statements, especially those that ship software publicly, about SLSA compliance?
C: I think that would be amazing to have, which is people publicly vouching for SLSA in their products and especially in their open source projects, and ideally it could be even a transparent level, no matter what the state is. It's more like it will get improved over time, but it would be nice to have people transparent about it.
J: If I can make a couple comments. You know, "Gee, wouldn't people always announce if they're doing it?" Not necessarily. Most software developers don't develop products for the public, you know, for public sale. If you're doing contract work or work for a particular organization or developing software within a company, there's no reason; you know, if anything, it's a negative, because somebody might say, "Oh, you're not doing it well enough," or whatever. So you know you might quietly do it without making anything public. The other issue is that you might evaluate potential products independently of whether you apply it yourselves. In other words, "Gee, I really like it that they're using SLSA." I'm not sure I would call that adoption in the same sense, but certainly if somebody says, "We prefer to buy products or use products that comply with SLSA," that's a signal I think a lot of people here would like to know.
H: Yeah, on that note, the CNCF has done a pretty good job at, and maybe the larger OpenSSF can do this, reaching out to the constituent members to see who is adopting this. And another thing, if I put my day job hat on for a second, from my perspective, you know, you'll never get a financial services company to explicitly, you know, publicly state this, but you might be able to pseudonymously attest to it. You know, we might be able to say, "Multinational bank X, you know, uses SLSA in this way," without explicitly calling it out. So that's another thing. But to also reiterate David's point, yeah, there's definitely something, you know. If we end up adopting SLSA, we would also somewhat want the world to know we are looking at evaluating artifacts based on the SLSA framework, because that then helps out, you know, when vendors come in, they recognize...
G: Yeah, this is Donnie. That's something we talked about actually. Again, we're in the package deployment world. So what we have thought of doing is, you know, kind of like a shared responsibility model, like I mentioned earlier. We could say, "Hey, our company will take care of all these elements of the supply chain process. This is stuff that we can't do; you need to do it, but we can audit you. We can go through it with you and then say, okay, we've now reviewed that you're a company that we deploy packages for." We can say, "Hey, here's a SLSA stamp," if Google's okay with that, the community is okay with that, and we just say, "We have audited this company to SLSA level three," and they can put on their website, when they download packages, "This element of the supply chain has been verified and audited."
J: You know, I run the CII best practices badge program. You know, we very much encourage people to put, you know, basically a little badge on their GitHub site where, if they meet it (and in our case actually it's automatic, and it's a somewhat different system), but you know, if they meet it, they get a badge. If it turns out that they falsified a claim, we can remove it, and you know we haven't had, to be honest, we haven't had too many problems. The problems have been more of misunderstanding or some such, but you know, there's a few bad apples, but many really are trying to meet the criteria, and it's a matter of clarifying things. But having something to show for it, "I worked, and oh look, I got an A," is actually pretty motivating for a lot of folks. They want, you know, the ones who want to do something good want to have a way to show it.
C: And that's exactly why we have levels, right? It's not like you have to just achieve that ideal state. We want to have those intermediate things speak about the security posture as well. So we have just three minutes left. Let's just quickly run into this next question, which is a very high level question. I think maybe Mark, you put it in there, which is what should be or what shouldn't be a part of the SLSA framework.
J: Can I put a pin in this? I think there's no way we can answer these questions in three minutes. Okay, is that fair? I think these are too important to try to do in three minutes. Let's instead talk about our next meeting and then we can give that the time it deserves? What do you think about that? Sure, let's do that.
J: Yes, so what I propose is, why don't we have that discussion offline, you know, issues, email, whatever, and then come back to that question on the 25th where, hopefully, our positions are either resolved or not resolved and we can discuss it.
C: So I definitely encourage the steering committee members and others to check out the SLSA spec, file any issues to start discussions. It's a community developed framework, so we really encourage all of you to take a look there, and next time when we meet, we could have some nice discussion topics.