Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SLSA Biweekly / 8 Jun 2023
OpenSSF / SLSA Biweekly / 8 Jun 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SLSA Biweekly (June 8, 2023)

Description

Meeting notes: https://docs.google.com/document/d/1JbJZxeZOWE7rxT24iEozX35LIUl_Yoqd-DeSm6309GA/

A

Yeah so as Melba uh linked, you know, don't forget to sign in and if anybody has uh additional um agenda items feel free to to add them to the uh to the agenda.

A

And I guess we'll give it a couple of minutes from where some more folks to join.

B

Hello, everyone.

A

Hello.

B

We're just loading up the meeting minutes notes.

C

Foreign.

B

Agenda today.

B

I guess I'll go ahead and get things started if nobody else's um volunteered already to run a meeting before I arrived.

A

Yeah go ahead all.

B

Right so yeah, okay, welcome everyone to the monthly salsa community meeting. um Just so you know this meeting is being recorded um and we will abide by the Linux foundation's code of conducts during the meeting.

B

um If you haven't already, please add your name to the attendees list in the notes and um we'd like to start the meeting by welcoming new members. So if there's anyone who hasn't attended before and would like to kind of introduce themselves, uh please feel free to go ahead now.

D

Everyone uh I'm Chad with GitHub actions. um Gab has some attendance to these meetings I understand before but I. This is my first time coming into any of it um coming up from a different bunch of different things in the company and now focusing on supply, chain security and so interested to see. What's going on, welcome.

B

Chad.

B

uh Anyone else.

B

Okay, cool um so next step in the meeting. We normally do a brief round of updates from the different teams uh working on salsa. So we have uh several meetings um and kind of working groups where the first one is uh the specification, the folks working on the crossback and there's the positioning and group which is actually operating uh kind of at the next tier up in the organizational hierarchy of the open SF um for the supply chain. Integrity working group.

B

But they still come here and tell us all the cool stuff they've been doing, and also we have the tooling uh Team uh who are working on implementations of salsa. um So from the spec.

B

um Things have been kind of Fairly quiet uh since the the 1.0 release, we're kind of uh we had a flurry of feedback initially um and now we are um hoping to see some implementations and get some kind of implementation feedback. But we haven't been doing a lot of directional work on the spec.

B

uh There's a proposal from Antonio at Google to move uh to change the way we kind of manage the project in terms of like the generated spec, how I guess, published and also like the git operations, and how we uh perform uh kind of revision, control of the spec. Because at the moment we have multiple redundant copies of the spec uh for each version that we've released and we want to move over to something Branch based.

B

And there was some discussion in the meeting this week about um how we've ended up in a situation where the specification itself um and some of the files we embed in it.

B

We embed kind of uh some q and protobuf files in there to demonstrate the schema of the provenance format and we used um incorrect annotation that doesn't conform to the entire specification uh in one of those files of the queue file, and so that created some ambiguity in the spec, uh because we're not clear about what is the canonical um kind of description of the the data formats.

B

And so we had a really good discussion about that and what remediating steps we should take and how we should uh handle versioning of a new version of the spec that fixes that um and as far as I'm aware, I haven't had a chance to look at GitHub today. But as far as my way that work hasn't happened yet.

B

um But ultimately we will um release a new minor version of the uh respect to bumps uh the provenance format so that we uh correctly annotating that field, which is the um annotations field in a resource descriptor. So that looks fairly detailed. uh I think that's it from the spec side, though um Mike or trishank might have something else to add.

B

The regular attendees of the meeting as well.

A

Yeah so I I know that.

E

um There's a lot of debate on on exactly what are some of the next things we'll be working on from the perspective of like the various tracks. We're still uh looking for that as well. So if, if folks are um uh interested, feel free to sort of open up a GitHub issue um on that, uh because we're definitely interested to see what are the things that that folks really want to focus on, because there's been a lot of discussion about a source track, a lot of discussion about bringing back something like a salsa level.

E

Four, with specifically trying to make certain definitions clearer, because one of the reasons why we had for folks who are new one of the reasons why we removed salsa level, four from uh salsa build level. Four from um V1 was not because we wanted to make things less secure or to to some folks have have uh opined that it's you know to to satisfy folks who who are selling products or whatever that can't hit those things. They're like no.

E

No it's just because nobody could agree on what really some of the definitions were and, and a lot of folks were getting very confused by what was meant by hermeticity and what was meant by some of these other things. So we decided to take a step back first um and so there's interest there as well. There's also uh there was some interest around uh two other things. One was a around, maybe being a bit more specific, whether either in the build track or as a separate track as something like build infrastructure.

E

So for folks who are like hey? What would it? um Even though you know the specification doesn't really make uh have a lot of details on how you should be securing your build? um You're. Sorry, your control, your build control plane. It just says you should have a trusted. Control trusted build control plane, but what you know folks are asking like how how do I know that should be trusted.

E

What are the things I could do to secure that um so there's something around, perhaps a built infrastructure track, and then there were folks who were saying hey right now. The build the build uh track is very much focused on Providence, which, in our blog articles and so on, we have a lot of stuff around. uh What's the word, uh none of the stuff in the build provenance track really talks about the build itself, so salsa can definitely still build malware. The problem is uh sorry, the thing that that's also really gives you is.

E

You know that right, like you, have the details of how it was built. You have the details of how it came to be so you can't have somebody have lied to you about how it got built. No, it actually got built inside of your uh build system and then, while also uh sort of eliminating a lot of the ways that somebody would potentially um break future builds stuff like that.

E

So so that's really where um the core of a lot of the salsa stuff is, and so folks have been asking like hey what are things from the end user side that perhaps you should look at uh when running a build um and stuff like that and does that belong in the same track and and that sort of thing so there's some uh debates about those uh things. There's actually a lot of GitHub issues under the salsa GitHub and feel free to kind of take a look at some of those.

B

Thanks, thank you.

B

The notion of terminology has come up a few times in the last few weeks, uh as you mentioned, and uh I think we're trending towards like just being very explicit about what we mean, instead of using terms that we increasingly recognize both within salsa and then in the broader supply chain. Effort is like uh I love. These words carry a lot of context for people with uh different backgrounds, so um maybe we should just avoid them.

B

Yeah.

E

Sorry yeah I was gonna, say I, think yeah, either avoid them or or make sure that we have a glossary and specifically call out um our definitions of those terms, because I know. As an example, um you know one of the things that's been brought up a couple of times.

E

Right is: uh if you're in the compliance world at a station means one thing: if you're in the software world uh attestation can mean another thing: if you're in the hardware world at a station mean something specific uh and so there's a lot of elements uh there, uh and especially when, in our case, we're sort of combining all three of those at some level, um it can cause folks to get very confused. Yeah.

B

I think that's uh for me. That's the key example of why um we should steer away from defining terms and just avoiding using them, because we've got a fairly comprehensive discussion of what we mean by an attestation, but that is still frequently something that comes up because the term is, if you come from like uh tpm-ish uh trusted uh Hardware background attestation means a very specific thing and it doesn't matter how many words you write about what you think it means it will always mean that thing to the people.

B

With that background, so yeah cool, thank you um and someone from the positioning group uh summarize what you've been doing. I think we've got most of the folks. There.

F

Yeah so um I know uh Jay and Bruno uh and might have probably been uh doing most of the work while I've been absent um for some of the things uh recently in terms of deliverables, we were able to at a higher level right, there's a new blog for salsa Prescott s2c2f on the open, ssf's website. Right. It's just talking about the supply chain, Integrity working group- you know what it's about. We talk about this also one that oh release um and you know how we encourage people to come and join and help us.

F

um There has been a new meeting. This is Sterling tool chain meeting which I gave Rob a hard time. I'd, say: Rob, you're killing me I've been having really good participation, and then you you put this uh this meeting on the calendar, so that meeting uh is now conflicting with the positioning meeting. uh So there's been light attendance uh as a result, so I need to create a new Poll for new meeting times to move the positioning meeting.

F

um There's still some pending blog drafts um that we haven't been able to get out, um probably do mainly to me being out um and then I know. Jay is working on a one-pager blog for guidance, um Mike uh Jay, you know, do you want to add anything else.

G

uh No, no, that pretty much covers it, um um yeah that pretty that pretty much covers I, can't think of anything else that uh we, we do have a list of um potential uh blogs that that or things that we're thinking about um from the positioning side that we want to talk about and and of course, A lot of it really does depend on uh what comes out of meetings like this and the spec meeting and everything else so that we're talking with the right voice.

G

As we continue to speak about, you know what we're doing uh salsa related, uh but other than that I mean there's. No Melba did a good job of uh depicting everything we have going on right now,.

A

Yeah I agree.

E

uh On that one and I think the the only thing I want to just add in there uh as something that's come up. I think uh the past, maybe month or two is just uh as salsa has begun to grow.

E

um There definitely seems to be some like areas outside of let's say the cyber security sort of area where folks are are, are either just hearing us also or haven't heard of salsa, yet um that there might be some areas for us to you know and we're interested in in hearing from from other folks, as well as like, where do folks want to see us um focus our efforts, not just on the salsa side, but just generally for the supply chain, because I know this.

E

The positioning group is part of the higher level supply chain, Integrity group of hey with some of the stuff that we're doing from supply chain. One of the things we could probably also uh focus on a bit more is is um uh talk a bit more about supply chain.

E

Integrity I've, given a couple of just talks recently on um uh salsa at a couple of smaller sorts of devops sort of related events, and maybe only about 10 of the audience, had even heard of supply chain security, let alone salsa, which was maybe you know only uh one or two people had heard of salsa before so I. Think there's some there's a lot of areas where we can maybe help spread the word a little bit because we might be so you know uh some of us might be.

E

You know you know cyber security bubble in in sort of a security, Space Bubble.

B

Cool, um can you, while you're on, do you want to talk about the tooling uh sure.

E

Thanks sure, so a couple things um uh so one I think the biggest one I I know I put some stuff in the notes there, uh so one of the biggest ones. uh Well, so there's some interest in salsifying Jenkins so like what are the things that uh you know, a lot of folks are like hey, it's great, that there's all this stuff coming out from GitHub actions and from stuff like Fresca for for that uses, tecton and tecton chains, and all that good stuff and there's a couple other.

E

You know things that people are looking at, but you know the the elephant in the room is still Jenkins like hey. A lot of folks are still using Jenkins. What are the things? People could do to potentially um do best practices on there uh and I think that um I have created a document I linked it in in the meeting notes, uh there seemed to be some interest: um I haven't really worked with Jenkins uh and I'm.

E

Happy I haven't worked with Jenkins no offense, uh but for the at least the past few years, um so I'm not probably the best person to sort of lead that sort of thing.

E

So if there's folks out there um who are interested in contributing to that document and helping lead it up, I'm definitely willing to contribute, uh especially from the perspective of hey, here's generally, how salsa works and and here's some of the things that like I, could poke around with, but I'm, not a Jenkins expert, at least anymore, um and so, if, if folks are interested on that side, uh please uh take a look at that as well, and so that's the salsifying Jenkins um also uh generally I think we're looking for more salsa uh tool developers to help join the meeting.

E

um I believe a few folks um have begun to do an APAC, friendly time zone uh meeting on salsa, uh because there's actually a couple of folks over from Japan Australia Singapore, who are starting to actually write up some interesting salsa stuff and, um in particular I know, there's the Oracle team. uh They announced a tool called macaron, which is in the slack chat. I, don't have the links off that off the top of my head, but it's it's a tool that can help generate reports and do salsa verification looks pretty cool.

E

uh In addition to that, uh you know. We also want to have more participation from end users, so folks, who are like hey I plan to consume these things, I want to generate salsa or I want to consume salsa, but I'm doing X and I can't use GitHub actions or I'm doing uh or I'm trying to consume the salsa attestations from GitHub action. So what do I do with this uh at a station? I think that sort of thing would be uh useful.

E

um You know we're looking for more participation there um and for folks who aren't uh aware of the meeting it happens at uh 10 a.m: Eastern Time, right now uh there is a separate meeting that I'm not exactly sure how often it happens, that's in APAC time zone and there's some debate uh on on uh there's some stuff there. uh So that's those two things. um People have also been asking about: salsa V1 Providence, uh because right now it looks like I think all the tools have only really done.

E

Salsa V 0.2, a few tools have begun to do the work to be source of E1 um to to generate salsa V1, but none of it uh is there yet and just as for folks who are are uh I know, that's still confusing for a lot of people, but you can be salsa V1, you could still be. uh You could still be doing salsa V1 without jittering. It's also V1 specification.

E

um The salsa V1 specification is just a better way of you know, uh and that itself is its own. Can of worms right now uh and then separately. One of the things that I've been working on and it's open source is I've, been working on a tool called Specter uh Specter is a tool written in Rust to validate stuff like salsa documents and other in total, attestations and s-bombs, and it tries to do so by being very, very strict.

E

So uh it's all written in Rust and it uses like it, tries to be very, very strict. So if something something is not just purely a string, it is a base64 encoded string or it's a URL.

E

It's it actually tries to be very, very strict and if it doesn't actually match the semantics from uh the spec, it will try to fail the thing, because one of the things is uh a lot of folks who are trying to consume salsa is all it takes, is um something to generate something that looks like valid salsa and it breaks everything um so there's some stuff uh on that end, uh we're doing a you know, I'm doing a bunch of work on on that it could be used as a library in rusted also can be used to generate I'm building out a couple of features to to help it generate like fake salsa metadata for folks who want to test out their own tools in salsa.

E

It can also be used to um uh one of the things I'm working on is is to also translate some of the data between different specifications. So hey I can pull information that came out of an s-bomb injected into a salsa attestation, or vice versa. Stuff, like that.

B

Awesome thanks for the updates everyone I should have asked. If there were any questions after each update, I really shouldn't I. That was a rookie mistake. um Does anyone have any questions about any of those updates? That would be a good time to ask the agendas pretty light.

B

Failing that, does anyone have any topics they would like to uh just in time add to the agenda.

F

um If, if um folks don't mind, I know many were out during the last meeting and I see a topic that was presented by Bruno, so I don't know if Bruno's willing to get an update on the steering committee.

H

Yeah.

F

Process.

H

Yeah, let me let me bring you the um the link to the election process that you have been discussing. I put I think that everybody has access, uh but uh we didn't have a lot of discussion since the last time, and we have been uh I mean two fundamentals: uh decisions. One is uh the number of uh steering committee members that you'll be elected every period and uh the another one is who it's qualified to vote. I.

H

Think that it's uh we we have to take a decision on those two major topics, so we can move forward as I I sent the link I hope that you can join as well put your your thoughts on it. That's what you use text for for now.

B

um If I remember correctly, the the question around how many committee members to elect uh wasn't necessarily about increasing or reducing the size of the committee, but.

H

Was.

B

It more about how do we or do we even need to worry about there being like um overlapping terms between the current committee and the next committee, and so if we were to, for example, try and elect uh half of the committee each election cycle.

B

um How would we do that without arbitrarily culling members from the current committee, and so.

H

Yeah yeah sorry go ahead, yeah as of today, I think that it's uh we're uh toward it. If the the point that it's maybe we are going to re-elect the whole steering committee plus a number of new candidates to go to everybody that wants to the election, that's what I'm seeing moving toward at this point. But of course we have all agree.

B

Topic: okay, Mike you've had your handle. First.

E

Sure um so I think one of the things that might be worthwhile to also go over for folks who might be considering something like this during committee is maybe to just also uh I I. Think it's been a you know, since we haven't actually uh used a whole lot of like um in our governance right.

E

We do say that, like the the steering committee gets to vote on sort of overriding certain things um or pushing forward certain things, I think it'd be worthwhile to kind of also um maybe highlight like what what are sort of the the responsibilities as well as powers that the steering committee has so that folks knows know like, like other than just sort of saying, yeah I'm, a I'm, a uh you know, I'm a a normal per. You know: I'm a uh uh I'm, a big contributor to salsa. What else does that mean.

B

Yeah.

C

That's a fair point.

B

There's a certain amount documented in the governance repository already, but um I think one of the reasons why uh people are uncertain about what the steering committee does is because they haven't necessarily needed to do much uh in the governance of the project so far, but I think um yeah I would have to reread the governance structure, I think per the governing stocks. Some of the stuff the steering committee does is arranging meetings like this and um kind of handling the um the broader projects outside of the specific working groups that we have Melba.

B

Do you have comment yeah.

F

Yeah I had a a question about. You know how big the steering committee should be relative to the community right A lot of times um the people that actually participate and are um actives. They are on the steering committee and then there's you know, maybe one or two that kind of come in and out. So if everyone's on the steering commission that is participating that kind of negates the the point, uh you know obviously I'm not trying to shrink the committee in any way shape or form, but just trying to think about that.

F

That ratio like what good does a steering committee do if the people on the steering committee are the only ones contributing I know, that's not the case today, right because there are some people on the steering committee that we haven't seen in a while, um but it it's something to consider of how big is too big, given the size of the the community.

B

Yeah, that's a fair question: uh I, don't know how we resolved that honestly, like I, think some of the ambiguity is that the original steering committee was um both the steering committee function as defined in the governance documents, but also some of the indication of the industry consensus behind the project, but, as the project has grown, we've seen very active participation from people outside of the steering committee.

B

That, uh frankly, better indicates that the industry is behind this as the standard than having like you know, seven people from different companies on the steering committee does the participation in adoption is, is larger than that, um so uh I think part of yeah.

B

It's a great question. um If anyone has any thoughts on like how we answer that, whether we need to answer that before we do the next election cycle, things like that.

F

Because I think it doesn't attack or the governing board for open ssf have a similar model right based off of the number of people in the organization. There might be a need for a new seat or something I think there's some concept like that. If I'm not mistaken, yeah.

H

What will be the ideal ratio? It's a good idea.

F

So Arno you're on the tech now so I, don't know if.

I

You yeah, the tech, does not have the the tag doesn't have a rule like this there's been discussions of the governing board level to increase the size of the attack. It has not happened at least to date.

I

um There is no definitely no automatic rule that says. Oh as the community grows, we could increase the size of the attack, that's for sure, but if I may I mean you know so, I've been involved with this salsa space for quite a while.

I

Now, and you know the thing that I find a bit weird is that we basically don't see what the steering committee does, and maybe it comes down to what was said earlier, that it hasn't done much, which maybe is a good thing, because there was no real issues they felt like well, but but I think you know we ought to be a bit more transparent and I. Don't know who would run I, don't know what they would sign up for. I mean you know.

I

If you look at the tag, for instance, which is a big part of the government structure in open ssf, it's fully transparent right. It has meetings that are minuted and all that you know when the calls are you can attend them. I, don't think anything like this is happening with the steering committee that I know of so I think we need to fix this.

B

uh So I I can speak like I agree. The steering committee should be transparent. I should states that the reason there are no public meetings is because there are no meetings. It's not because the steering committee is not transparent.

B

It's just because uh it's not very active and so I can completely understand why that might um leave people to think that things are happening behind closed doors when they really aren't uh yeah I I think it would be great to um encourage people who want to run to be in part of the steering committee to uh think about this, um like transparency and how active they.

B

uh The steering committee may need to be um what they could be doing outside of, like reactive, responsive things that we haven't really had to do much of so far, um but I.

I

Think, as they're.

B

uh Really legitimate concert and um and welcome some new ideas around that um as we've kind of intimated but I was just stating explicitly like the the active members of the steering committee are people who are active in the broader project, and so it can be difficult to draw a line between what steering committee members are doing versus um active contributors to the project because they tend to be the same. People.

B

I also wanted to just uh quickly comment on uh I know. I think you mentioned that there has been a suggestion from the openness fgb about increasing the size of the attack.

B

um Is it is that, like uh it's the impetus for that proportional representation of kind of the open ssf membership, um or is it reference a better representation of maybe the governing board, because I know they're, like I, think the governing board has grown, but the tech hasn't.

I

Yeah, that's right, I mean governing board, I mean it's a matter of your level of uh of membership in open ssf. If you're a premium member, you get a seat on the board, that's all it takes, so it will grow as the number of Premium members grows. But uh when it comes to the tax size, I mean you know, to be fair. I think there have been people pushing back on the idea.

I

uh Typically, the the the the argument that I'm aware of are in favor of increasing has to do with having better representation of everything that goes on within open ssf, all the different groups and members and and increasing diversity. If you will and um and the cons is concerns that it may become a body that has hard time reaching consensus, because the more people, the more voices you get, the harder possibly it is to get to to a decision, I mean I, actually think this is mostly a falsehood.

I

You know, um but that becomes more of an opinion. I'm not stating a fact. This is like you know, others will have different opinions on that.

B

Sure, cool thanks, um Mike I, think your next interview, yeah.

E

um So yeah uh wanted to provide uh also, like maybe two sentences of of uh of of background I think like which was in I, think it was like the first or second one of these meetings.

E

um It was just like hey, we should probably have some sort of steering committee and I'm pretty sure all the all the folks who are on the call were end up just on the steering committee just by default, because we were all uh the only folks who were participating um so the the at some level, the salsa community meeting was at at first just the folks who were doing all that who were like very much involved and I.

E

Think you know, with with an understanding that we wanted to make sure that the folks who were showing up to these meetings um got. You know a bit of a a bigger say, because one of the things that is still fairly common right in in any open source meeting is is, since all these meetings are open. It's very easy for somebody to let's say just come in once: every you know three four months and potentially derail stuff by you know like even if they they're well-meaning, it's like hey.

E

We need to make sure that the folks who are contributing somewhat get a a bigger say on on it, so that was kind of I.

E

Think some of the background there, but I do think that now that we've grown- and you know it's not just the seven members on the steering committee showing up it's- you know you have- we have dozens of folks within opening issues and joining these meetings and joining the specification meeting the positioning meeting, the the tooling meeting, uh it's probably worthwhile to maybe clarify what the what the salsa steering committee is intended for, because I think we've only ever really had to vote on a handful of things throughout this entire process and it's always been like just a topic in one of these meetings to begin with, um but yeah.

E

If we do grow, I can anticipate us needing to have a salsa steering committee meeting.

B

Thanks uh Trisha.

J

Yeah, those are all very valid points thanks and thanks for raising this. This question, it's very important to discuss them as a community. um I can vouch that I, certainly no um secret meetings that we're having um so so that that that fact is true.

J

um I agree that so I think I think part partly to answer Bruno's questions and Melba's. Questions, too, um is that maybe this is what we need to decide before we solidify the election process is to clarify what we expect from the next steering committee. I. Think that's important to really uh before we hold an election at all, so.

B

uh It sounds like there's fairly broad consensus on that in the chat.

B

um We had some good suggestions around like uh what what we would want, uh what properties moved on and from the steering committee with transparency and being active and things and I think for the most part, the current steering committee are very active participants in the community like we have all, but two of them on this call, and one of those two is very active in the project. Otherwise,.

B

um But I think maybe uh I've certainly wondered if there's a uh better distinction to be drawn between uh steering committee members and uh people involved in the project on a sort of daily basis. um So.

C

Just.

B

I I guess the the obvious question is: do we have any volunteers to kind of drive forward this definition, um based on what we have in the current um governance document.

E

So I I, don't want to volunteer on this. I have too much uh going on right now, but actually one question I did want to bring up is, is I, think it's probably worthwhile just um and and Arno you might have uh the info here of, like uh as when we originally created the salsa steering committee whatever it was, uh was it two years ago, uh something like that? um We, uh the governance or the open SF, was also not fully solidified either.

E

So we also want to make sure that whatever we end up doing with the salsa steering committee doesn't somehow contradict something. That's like a core piece of the the you know: open ssf's governance. Now that it's been a bit more solidified either.

I

Yeah, so I can answer that there is no rules there, so we're pretty much free to do what we want. I I. There is the point of you know like if we have an election who gets to vote, he's actually a broader issue which doesn't pertain only to the election of the steering committee right. We have seen it in other working groups where you know an issue comes up.

I

There's a proposal made to create a project to adopt a project or something like this and there's a formal vote that takes place, but this is very well undefined.

I

um This is really not well defined and uh and there's the question of well who gets to vote right, and so this is a problem. I think open ssf.

I

The attack wants to tackle- and this is probably something I would expect- will come up with some Rule and that will be, you know, broadly applicable to everybody, but uh that's about it for now and when it comes to the actual steering committee, it's up to every working group to Define what they do and until that changes and the tag says no we're going to put some standard steering community garden structure that everybody has to follow. I think here we can do what we want.

B

Mobile.

F

Would it be worthwhile to go through the current definition for folks on the call um and just go through? Do we still agree with what's written, um not sure if that's valuable for people or not.

B

um Yeah I mean if you, if you'd like to do that, if anyone has a strong opinion, either way uh making known please, we can certainly spend a few minutes doing that. I.

F

Have I have it open, uh there's only like four points on the steering committee. It seems, but maybe I'm misreading it.

A

Yeah.

I

So if I may enthusiastic, one thing is, you know there is what's in the text and there is what you guys have done, whatever it is, and.

D

You.

I

Know for that matter, I, don't think we necessarily need those during Community to have actual meetings. I. Definitely you know I wouldn't be pushing for this, but there's got to have been some communication and I think it would be good for the existing steering committee to have a look at the text and see whether it captures at least what's being done. That has been necessary.

I

You know what you guys have had to do and whether this is useful and if it's actually captured in there and if there are things that you say well based on our experience, this is a relevant. We should drop that I think that would be a good first thing to do.

A

Yeah.

E

uh Yeah I agree with that and I think the like. The one thing I wanted to actually highlight was I'm, pretty sure um the only thing uh the steering committee has done above and beyond just what general, like the the folks who've been contributing.

E

A bunch is just that last Point, um the making decisions when Community consensus can't cannot be reached, which I think we've only ever had to do a couple of times where we saw that there was a contentious issue about the definition of something and the steering committee kind of came in and said Yep. This seems like the most reasonable solution and we voted on it and I think that also only happened. A handful of times.

F

um

I

Because see I mean this is the kind of stuff I meant by transparency. You should have a clear record of when this takes place right and there may be some record somewhere that I, don't I'm, not saying yeah.

E

But yeah so on on that end, I will say, uh and maybe we just make it clearer, I I agree with you. The only time that's ever happened is we took the vote and recorded it in a GitHub issue or inside of the Google Doc, um so we always recorded it somewhere um and and I think, uh but I think making that clearer to your point is is uh so that folks know where to look for records of those votes as opposed to go fishing, for it is, is really important.

I

Yep sounds good thanks. Yeah.

B

It's all about the minority voting has all been done on GitHub uh and there just haven't been many of them uh and there's multiple positives involved at this point, like uh I I'm. Looking at the list here and seeing like collectively reviewing and revising the roadmap on a buying your basis, I mean we. We have collectively reviews them revised roadmap, but it hasn't been on a buying your basis because we're not uh delivered uh what we set out in the previous roadmap in in that kind of uh initial projection of uh I'm drinking.

B

So um sorry trishank, you have to end up.

J

Yeah thanks, um so how about this um and I'm not saying that this is the best proposal, but I'm curious to hear what others think how about we do this I think the onus is on the current steering committee members right now to to to meet and discuss what we expect the next steering committee to do and, of course, we're going to be transparent about this.

J

We're going to discuss this, maybe there's a volunteer or two writing a dog together, and then we pitch it to the next uh salsa only meeting or the one after that. But the point is we present something?

J

What does this think.

I

Yeah, by the way, it's a probability statement but a proposal, but you know you could you could also entertain the idea of not having a steering committee? If it's not, you know we could rely on having well, we have people who are involved, and this is the community. That's this making those decisions. Do you actually need a steering committee? You know my experience, I'll be open about.

I

This is, like you know, companies when they go open collaboration, style, they'll, fear, they're going to lose control, but the reality is the control is within the or in the hands of the people who are actively engaged. If you actively engage you have, you have at least some amount of control and you don't need to have special powers in a steering could be that says?

I

Well, it doesn't matter if there's if it doesn't go the way we want at the steering committee we can always you know, shift things the way we want so I'm just you know there may be valid reasons, but if you get guys felt like well, we haven't had much to do. Maybe we don't need it, that's that should be, at least in people's mind.

E

Yeah so yeah I think I I agree with with with uh that as well.

E

I think it's probably worth uh discussing through I think um not necessarily A Counterpoint to to what you said, but something that I think is still valuable either way, and it's kind of slightly tangential is I know that a lot of different like growing and very large open source projects have the the concept of either leads or, um uh or or you know, some sort of badge or something like that for especially for folks who you know, are growing Engineers or growing contributors in open source so that they can kind of say, hey I'm uh such and such uh on sauce I'm, a lead on the such and such track for salsa, um and it's something that I know helps a lot of folks uh and and as it helps provide incentive for a lot of folks who do a lot of that contribute.

E

You know contribution from like a contributor letter standpoint, so you know it helps them in their careers and and a lot of their their personal growth uh as well, which once again, it's slightly tangential to the steering committee thing. But I do think that um at least some level of like uh providing you know more of that incentive. Even if it's just a badge of honor for some folks uh is something that I know. Some people uh appreciate as a way of like seeing that their contributions are are well known or whatever yeah. So.

B

I I worked in the show, but that's the notion of the contributor letter, I think and as I understand it there's been a proposal to have kind of a high level one in the open SF projects to adopt, as they see fit. um I haven't reviewed it personally, but uh I think it would be worthwhile for us to look at that and see how we can um Foster our contributors.

I

Tell me when you want to move on, but you know what Mike just said is very relevant. I mean I think it is true that people need to get recognition and it's often helpful to justify the time they spend to the employer on an activity like this, so I totally I'm familiar with this and I I acknowledge it. But in fact we have another level of control right, which is the maintainer status, and so in a sense when we talk about you know what, if there's a big issue?

I

Well, the maintainers have more control than Lambda contributors, and so that should be fully documented. Who the maintainers are, and maybe that's enough. We don't need a steering committee on top of the maintainers. The maintainers could be the virtual steering committee kind of thing. They do.

B

Yeah I think we even have an issue for that in the governance repository that we need to bet the document who our maintainers are because the the uh kind of the moniker of a maintainers in most open source projects is the people who review and merge code, but uh in salsa and other communities we have a lot more leadership roles, that kind of fit their responsibilities and and the recognition of being a maintainer without necessarily doing that kind of uh review and um Hands-On get surgery. So that would be I agree.

B

It would be super useful, I, think I even filed the issue. um It would be better to document uh that stuff uh Melba. You have a hand raised yeah.

F

I can't raise my hand when I'm hearing in the screen, um so I I had a question along the lines of the maintainers right because reading this and might be reading it wrong, it seems like a maintenance, cannot be a steering committee. Member cannot be a maintainer I I could be reading that wrong and if that's the case and I think we, we will have to take a look at okay who who are the maintainers um versus steering committee members, because the steering committee seems more leadership right less. You know Hands-On PR's right.

F

Yes, they can do it, but that's the way. It seems right, there's contributors and then there's the leaders of the contributors and then there's the leaders of the maintainers that are the leaders of the contributors right. So it seems almost like a hierarchy, and so I would expect that the steering committee members are are less um less day-to-day uh and more on um I, don't want to say operations.

F

um That's not quite the right word, I'm looking for, but yeah I'm, not sure what word I'm. Looking for.

B

I think you got it with strategy and strategic.

F

There you go there, you go.

B

I I mean my read of the governance docs and the governance stocks were instigated or were formalized kind of after the swords are already true, but I don't read that that maintainers can't be part of the steering committee only that they they cannot be involved in a vote by the steering committee when it affects their maintainer status, got.

C

It okay.

B

But I yeah I mean there's been some really interesting discussion there. That reflects like the growth of the community and the diversification of roles within the community and the different types of leadership we have, and maybe.

C

Yeah.

B

Maybe we don't need a steering committee. Maybe we just need a better like document and recognize the different leadership roles in the community and that uh larger set of uh Leaders with diverse representation skills could be. um You know sufficient to replace the uh steering committee Concepts, really interesting. Questions uh I.

B

Think we've had a bunch of great discussion, I'm conscious of the fact that we've only got a few minutes left and we we don't have a um I, don't think we have a direct plan of action for next steps, so I think we should focus on that like a nutrition uh suggested. Maybe the steering committee that exists today um should kind of take ownership of of this definition.

B

I I don't oppose the idea um I'm curious. If anyone else has any strong thoughts on uh way forward or trishank. If you're volunteering to the Shepherd that.

J

Effort, I, guess I accidentally volunteered myself and yeah I'll. Do it.

C

He.

I

Says you actually raised the six-store case, which is indeed the case where they have a steering committee, but I think they have a situation that actually makes a lot of sense for me to understand committee, because they are in fact I mean as I. Think. Most people here should know six stories.

I

Not one project is really three different projects, and so you cannot have maintainers across all these projects, so they actually need some kind of body that does the coordination of across all these different projects, and the steering committee fits well that role I, don't know that we have that first salsa, but you know I'm not against this Turing committee I'm not trying to kill it. Don't get me wrong, I think if there is some value to it, let's keep it, but we should better Define it so Trisha. Thank you for volunteering.

I

Thank.

E

You one thing: I want to just throw out there, because I I think this was also one of the original reasons why we've had discussed something like a steering committee was less about that. The um because we've seen this in other open source projects a little bit is we didn't want to have. What had to have happen is, and it's part of the who's allowed to vote problem.

E

um It's the we didn't want to have you know a half dozen people from one company all start joining a couple of the meetings and trying to vote just purely their agenda in we wanted to say, hey here's a bunch of members, they all sort of largely agree on the general Charter of what Salsa's trying to do- and you know we might disagree on some things, but it's not like we're just gonna throw a million people from company X and be like yeah now Salsa's this, and this is how we're pushing it.

B

Yeah I think that's a great point and I think the um we've talked about a few things like uh how do we? How do we handle when people aren't as active as they want to wear but um I think we need to be wary of we're acquiring weekly attendance of meetings or even weekly engagement in the project have like.

B

We want uh Community participants to be active if they have these leadership roles, but um for people who have jobs which aren't just working on salsa, then uh we need to be forgiving of other priorities as well. So there's definitely a band selector.

B

Okay, cool lots of great discussion um thanks everyone, uh and thanks trishank for volunteering, to take this to take this forward. um Yeah I'll, happily bunch of you. Collaborate on that um and I'll see it when you share it with a broader Community. uh So yeah thanks everyone for your time today and for the uh it's a good discussion and see you in the next meeting in a month's time.

J

Thanks Jack.