From YouTube: SLSA Biweekly (June 8, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1JbJZxeZOWE7rxT24iEozX35LIUl_Yoqd-DeSm6309GA/
A
Yeah, so, as Melba linked, you know, don't forget to sign in, and if anybody has additional agenda items, feel free to add them to the agenda.
B
I guess I'll go ahead and get things started, if nobody else's volunteered already to run a meeting before I arrived.
Right, so, yeah, okay, welcome everyone to the monthly SLSA community meeting. Just so you know, this meeting is being recorded and we will abide by the Linux Foundation's code of conduct during the meeting.
If you haven't already, please add your name to the attendees list in the notes. And we'd like to start the meeting by welcoming new members. So if there's anyone who hasn't attended before and would like to kind of introduce themselves, please feel free to go ahead now.
D
Everyone, I'm Chad with GitHub Actions. Gab has some attendance to these meetings, I understand, before, but I... This is my first time coming into any of it, coming up from a different bunch of different things in the company and now focusing on supply chain security, and so interested to see what's going on. Welcome.
B
Okay, cool. So, next step in the meeting: we normally do a brief round of updates from the different teams working on SLSA. So we have several meetings and kind of working groups, where the first one is the specification, the folks working on the crossback, and there's the positioning group, which is actually operating kind of at the next tier up in the organizational hierarchy of the OpenSSF, for the Supply Chain Integrity working group.
But they still come here and tell us all the cool stuff they've been doing. And also we have the tooling team, who are working on implementations of SLSA. So, from the spec.
Things have been kind of fairly quiet since the 1.0 release. We're kind of, we had a flurry of feedback initially, and now we are hoping to see some implementations and get some kind of implementation feedback. But we haven't been doing a lot of directional work on the spec.
There's a proposal from Antonio at Google to move, to change the way we kind of manage the project in terms of, like, the generated spec, how, I guess, published, and also, like, the git operations, and how we perform kind of revision control of the spec. Because at the moment we have multiple redundant copies of the spec for each version that we've released, and we want to move over to something branch based.
And there was some discussion in the meeting this week about how we've ended up in a situation where the specification itself and some of the files we embed in it. We embed kind of some CUE and protobuf files in there to demonstrate the schema of the provenance format, and we used incorrect annotation that doesn't conform to the entire specification in one of those files, the CUE file, and so that created some ambiguity in the spec, because we're not clear about what is the canonical kind of description of the data formats.
And so we had a really good discussion about that and what remediating steps we should take and how we should handle versioning of a new version of the spec that fixes that. And as far as I'm aware, I haven't had a chance to look at GitHub today, but as far as I'm aware, that work hasn't happened yet.
But ultimately we will release a new minor version of the spec that bumps the provenance format so that we're correctly annotating that field, which is the annotations field in a resource descriptor. So that looks fairly detailed. I think that's it from the spec side, though Mike or Trishank might have something else to add.
E
There's a lot of debate on exactly what are some of the next things we'll be working on from the perspective of, like, the various tracks. We're still looking for that as well. So if folks are interested, feel free to sort of open up a GitHub issue on that, because we're definitely interested to see what are the things that folks really want to focus on, because there's been a lot of discussion about a source track, a lot of discussion about bringing back something like a SLSA level four, with specifically trying to make certain definitions clearer, because one of the reasons why we had, for folks who are new, one of the reasons why we removed SLSA level four, from SLSA, build level four, from V1 was not because we wanted to make things less secure, or to, some folks have opined that it's, you know, to satisfy folks who are selling products or whatever that can't hit those things. They're like, no.
No, it's just because nobody could agree on what really some of the definitions were, and a lot of folks were getting very confused by what was meant by hermeticity and what was meant by some of these other things. So we decided to take a step back first, and so there's interest there as well. There's also, there was some interest around two other things. One was around maybe being a bit more specific, whether either in the build track or as a separate track, as something like build infrastructure.
So for folks who are like, hey, what would it? Even though, you know, the specification doesn't really make, have a lot of details on how you should be securing your build, you're, sorry, your control, your build control plane. It just says you should have a trusted control, trusted build control plane, but what, you know, folks are asking, like, how do I know that should be trusted?
What are the things I could do to secure that? So there's something around perhaps a build infrastructure track. And then there were folks who were saying, hey, right now the build track is very much focused on provenance, which, in our blog articles and so on, we have a lot of stuff around. What's the word? None of the stuff in the build provenance track really talks about the build itself, so SLSA can definitely still build malware. The problem is, sorry, the thing that SLSA really gives you is, you know that, right? Like, you have the details of how it was built. You have the details of how it came to be, so you can't have somebody have lied to you about how it got built. No, it actually got built inside of your build system, and then, while also sort of eliminating a lot of the ways that somebody would potentially break future builds, stuff like that.
So that's really where the core of a lot of the SLSA stuff is, and so folks have been asking, like, hey, what are things from the end user side that perhaps you should look at when running a build and stuff like that, and does that belong in the same track, and that sort of thing. So there's some debates about those things. There's actually a lot of GitHub issues under the SLSA GitHub, and feel free to kind of take a look at some of those.
B
The notion of terminology has come up a few times in the last few weeks, as you mentioned, and I think we're trending towards, like, just being very explicit about what we mean, instead of using terms that we increasingly recognize, both within SLSA and then in the broader supply chain effort, is like I love. These words carry a lot of context for people with different backgrounds, so maybe we should just avoid them.
E
Sorry, yeah, I was gonna say, I think, yeah, either avoid them or make sure that we have a glossary and specifically call out our definitions of those terms, because I know, as an example, you know, one of the things that's been brought up a couple of times, right, is: if you're in the compliance world, attestation means one thing; if you're in the software world, attestation can mean another thing; if you're in the hardware world, attestation means something specific. And so there's a lot of elements there, and especially when, in our case, we're sort of combining all three of those at some level, it can cause folks to get very confused. Yeah.
B
I think that's, for me, that's the key example of why we should steer away from defining terms and just avoiding using them, because we've got a fairly comprehensive discussion of what we mean by an attestation, but that is still frequently something that comes up, because the term is, if you come from, like, a TPM-ish trusted hardware background, attestation means a very specific thing, and it doesn't matter how many words you write about what you think it means, it will always mean that thing to the people with that background.
So, yeah, cool, thank you. And someone from the positioning group summarize what you've been doing? I think we've got most of the folks there.
F
Yeah, so I know Jay and Bruno and might have probably been doing most of the work while I've been absent for some of the things recently. In terms of deliverables, we were able to, at a higher level, right, there's a new blog for SLSA Prescott S2C2F on the OpenSSF's website. Right. It's just talking about the Supply Chain Integrity working group, you know, what it's about. We talk about this SLSA 1.0 release and, you know, how we encourage people to come and join and help us.
There has been a new meeting. This is Sterling Toolchain meeting, which I gave Rob a hard time. I'd say: Rob, you're killing me. I've been having really good participation, and then you put this meeting on the calendar. So that meeting is now conflicting with the positioning meeting. So there's been light attendance as a result, so I need to create a new poll for new meeting times to move the positioning meeting.
There's still some pending blog drafts that we haven't been able to get out, probably due mainly to me being out. And then I know Jay is working on a one-pager blog for guidance. Mike, Jay, you know, do you want to add anything else?
G
No, no, that pretty much covers it. Yeah, that pretty much covers, I can't think of anything else that we, we do have a list of potential blogs, or things that we're thinking about from the positioning side that we want to talk about. And of course, a lot of it really does depend on what comes out of meetings like this and the spec meeting and everything else, so that we're talking with the right voice as we continue to speak about, you know, what we're doing SLSA related. But other than that, I mean, there's, no, Melba did a good job of depicting everything we have going on right now.
E
On that one, and I think the only thing I want to just add in there, as something that's come up, I think, the past maybe month or two, is just, as SLSA has begun to grow, there definitely seems to be some, like, areas outside of, let's say, the cyber security sort of area where folks are either just hearing of SLSA or haven't heard of SLSA yet, that there might be some areas for us to, you know, and we're interested in hearing from other folks as well, as like, where do folks want to see us focus our efforts, not just on the SLSA side, but just generally for the supply chain, because I know this.
The positioning group is part of the higher level Supply Chain Integrity group, of, hey, with some of the stuff that we're doing from supply chain. One of the things we could probably also focus on a bit more is talk a bit more about supply chain integrity. I've given a couple of just talks recently on SLSA at a couple of smaller sorts of DevOps sort of related events, and maybe only about 10 of the audience had even heard of supply chain security, let alone SLSA, which was maybe, you know, only one or two people had heard of SLSA before. So I think there's a lot of areas where we can maybe help spread the word a little bit, because we might be so, you know, some of us might be.
B
Cool. Can you, while you're on, do you want to talk about the tooling? Sure.
E
Thanks. Sure, so a couple things. So one, I think the biggest one, I know I put some stuff in the notes there, so one of the biggest ones. Well, so there's some interest in SLSA-fying Jenkins. So like, what are the things that, you know, a lot of folks are like, hey, it's great that there's all this stuff coming out from GitHub Actions and from stuff like FRSCA that uses Tekton and Tekton Chains, and all that good stuff, and there's a couple other, you know, things that people are looking at, but, you know, the elephant in the room is still Jenkins. Like, hey, a lot of folks are still using Jenkins. What are the things people could do to potentially do best practices on there? And I think that, I have created a document, I linked it in the meeting notes. There seemed to be some interest. I haven't really worked with Jenkins, and I'm happy I haven't worked with Jenkins, no offense, but for at least the past few years, so I'm not probably the best person to sort of lead that sort of thing.
So if there's folks out there who are interested in contributing to that document and helping lead it up, I'm definitely willing to contribute, especially from the perspective of, hey, here's generally how SLSA works and here's some of the things that, like, I could poke around with, but I'm not a Jenkins expert, at least anymore. And so, if folks are interested on that side, please take a look at that as well. And so that's the SLSA-fying Jenkins. Also, generally, I think we're looking for more SLSA tool developers to help join the meeting.
I believe a few folks have begun to do an APAC-friendly time zone meeting on SLSA, because there's actually a couple of folks over from Japan, Australia, Singapore, who are starting to actually write up some interesting SLSA stuff. And, in particular, I know there's the Oracle team. They announced a tool called Macaron, which is in the Slack chat. I don't have the links off the top of my head, but it's a tool that can help generate reports and do SLSA verification. Looks pretty cool.
In addition to that, you know, we also want to have more participation from end users, so folks who are like, hey, I plan to consume these things, I want to generate SLSA or I want to consume SLSA, but I'm doing X and I can't use GitHub Actions, or I'm trying to consume the SLSA attestations from GitHub Actions, so what do I do with this attestation? I think that sort of thing would be useful.
You know, we're looking for more participation there. And for folks who aren't aware of the meeting, it happens at 10 a.m. Eastern Time. Right now there is a separate meeting, that I'm not exactly sure how often it happens, that's in APAC time zone, and there's some debate on, there's some stuff there. So that's those two things. People have also been asking about SLSA V1 provenance, because right now it looks like, I think, all the tools have only really done SLSA v0.2. A few tools have begun to do the work to be source of E1, to generate SLSA V1, but none of it is there yet. And just as, for folks who are, I know that's still confusing for a lot of people, but you can be SLSA V1, you could still be doing SLSA V1 without jittering. It's also V1 specification.
The SLSA V1 specification is just a better way of, you know, and that itself is its own can of worms right now. And then, separately, one of the things that I've been working on, and it's open source, is I've been working on a tool called Specter. Specter is a tool written in Rust to validate stuff like SLSA documents and other in-toto attestations and SBOMs, and it tries to do so by being very, very strict.
So it's all written in Rust and it uses, like, it tries to be very, very strict. So if something is not just purely a string, it is a base64 encoded string or it's a URL, it actually tries to be very, very strict, and if it doesn't actually match the semantics from the spec, it will try to fail the thing, because one of the things is, a lot of folks who are trying to consume SLSA, is all it takes is something to generate something that looks like valid SLSA and it breaks everything. So there's some stuff on that end. We're doing a, you know, I'm doing a bunch of work on that. It could be used as a library in Rust. It also can be used to generate, I'm building out a couple of features to help it generate, like, fake SLSA metadata for folks who want to test out their own tools in SLSA.
It can also be used to, one of the things I'm working on is to also translate some of the data between different specifications. So, hey, I can pull information that came out of an SBOM, inject it into a SLSA attestation, or vice versa. Stuff like that.
B
Awesome, thanks for the updates, everyone. I should have asked if there were any questions after each update. I really shouldn't, I, that was a rookie mistake. Does anyone have any questions about any of those updates? That would be a good time to ask. The agenda's pretty light.
Failing that, does anyone have any topics they would like to just-in-time add to the agenda?
H
Yeah, let me bring you the link to the election process that you have been discussing. I put, I think that everybody has access, but we didn't have a lot of discussion since the last time, and we have been, I mean, two fundamental decisions. One is the number of steering committee members that will be elected every period, and the other one is who is qualified to vote.
I think that we have to take a decision on those two major topics so we can move forward. As I sent the link, I hope that you can join as well, put your thoughts on it. That's what you use text for for now.
B
It more about how do we, or do we even need to, worry about there being, like, overlapping terms between the current committee and the next committee, and so if we were to, for example, try and elect half of the committee each election cycle.
H
Yeah, yeah, sorry, go ahead. Yeah, as of today, I think that it's, we're toward it. If the point that it's maybe we are going to re-elect the whole steering committee plus a number of new candidates, to go to everybody that wants to the election, that's what I'm seeing moving toward at this point. But of course we have all agree.
E
Sure, so I think one of the things that might be worthwhile to also go over, for folks who might be considering something like the steering committee, is maybe to just also, I think it's been a, you know, since we haven't actually used a whole lot of, like, in our governance, right.
We do say that, like, the steering committee gets to vote on sort of overriding certain things or pushing forward certain things. I think it'd be worthwhile to kind of also maybe highlight, like, what are sort of the responsibilities as well as powers that the steering committee has, so that folks know, like, other than just sort of saying, yeah, I'm a, you know, I'm a normal per, you know, I'm a big contributor to SLSA, what else does that mean?
B
There's a certain amount documented in the governance repository already, but I think one of the reasons why people are uncertain about what the steering committee does is because they haven't necessarily needed to do much in the governance of the project so far. But I think, yeah, I would have to reread the governance structure. I think, per the governance docs, some of the stuff the steering committee does is arranging meetings like this and kind of handling the broader projects outside of the specific working groups that we have. Melba.
F
Yeah, I had a question about, you know, how big the steering committee should be relative to the community, right? A lot of times the people that actually participate and are active, they are on the steering committee, and then there's, you know, maybe one or two that kind of come in and out. So if everyone's on the steering committee that is participating, that kind of negates the point. You know, obviously I'm not trying to shrink the committee in any way, shape or form, but just trying to think about that ratio.
Like, what good does a steering committee do if the people on the steering committee are the only ones contributing? I know that's not the case today, right, because there are some people on the steering committee that we haven't seen in a while, but it's something to consider, of how big is too big, given the size of the community.
B
Yeah, that's a fair question. I don't know how we resolved that, honestly. Like, I think some of the ambiguity is that the original steering committee was both the steering committee function as defined in the governance documents, but also some of the indication of the industry consensus behind the project. But, as the project has grown, we've seen very active participation from people outside of the steering committee that, frankly, better indicates that the industry is behind this as the standard than having, like, you know, seven people from different companies on the steering committee does. The participation in adoption is larger than that, so I think part of, yeah.
It's a great question. If anyone has any thoughts on, like, how we answer that, whether we need to answer that before we do the next election cycle, things like that.
I
There is, no, definitely no automatic rule that says, oh, as the community grows, we could increase the size of the TAC, that's for sure. But, if I may, I mean, you know, so, I've been involved with this SLSA space for quite a while now, and, you know, the thing that I find a bit weird is that we basically don't see what the steering committee does, and maybe it comes down to what was said earlier, that it hasn't done much, which maybe is a good thing, because there was no real issues they felt like, well. But I think, you know, we ought to be a bit more transparent, and I don't know who would run, I don't know what they would sign up for, I mean, you know.
If you look at the TAC, for instance, which is a big part of the governance structure in OpenSSF, it's fully transparent, right? It has meetings that are minuted and all that. You know when the calls are, you can attend them. I don't think anything like this is happening with the steering committee that I know of, so I think we need to fix this.
B
It's just because it's not very active, and so I can completely understand why that might lead people to think that things are happening behind closed doors when they really aren't. Yeah, I think it would be great to encourage people who want to run to be part of the steering committee to think about this, like transparency and how active they.
Really legitimate concern, and welcome some new ideas around that. As we've kind of intimated, but I was just stating explicitly, like, the active members of the steering committee are people who are active in the broader project, and so it can be difficult to draw a line between what steering committee members are doing versus active contributors to the project, because they tend to be the same people.
I
Yeah, that's right. I mean, governing board, I mean, it's a matter of your level of membership in OpenSSF. If you're a premium member, you get a seat on the board, that's all it takes, so it will grow as the number of premium members grows. But when it comes to the TAC size, I mean, you know, to be fair, I think there have been people pushing back on the idea.
Typically, the argument that I'm aware of in favor of increasing has to do with having better representation of everything that goes on within OpenSSF, all the different groups and members, and increasing diversity, if you will. And the cons is concerns that it may become a body that has hard time reaching consensus, because the more people, the more voices you get, the harder possibly it is to get to a decision. I mean, I actually think this is mostly a falsehood.
You know, but that becomes more of an opinion. I'm not stating a fact. This is like, you know, others will have different opinions on that.
B
Sure, cool, thanks. Mike, I think your next interview, yeah.
E
It was just like, hey, we should probably have some sort of steering committee, and I'm pretty sure all the folks who are on the call ended up just on the steering committee just by default, because we were all the only folks who were participating. So, at some level, the SLSA community meeting was at first just the folks who were doing all that, who were, like, very much involved, and I think, you know, with an understanding that we wanted to make sure that the folks who were showing up to these meetings got, you know, a bit of a bigger say, because one of the things that is still fairly common, right, in any open source meeting is, since all these meetings are open, it's very easy for somebody to, let's say, just come in once every, you know, three, four months and potentially derail stuff by, you know, like, even if they're well-meaning, it's like, hey.
Think some of the background there. But I do think that now that we've grown, and, you know, it's not just the seven members on the steering committee showing up, it's, you know, we have dozens of folks within opening issues and joining these meetings and joining the specification meeting, the positioning meeting, the tooling meeting, it's probably worthwhile to maybe clarify what the SLSA steering committee is intended for, because I think we've only ever really had to vote on a handful of things throughout this entire process, and it's always been, like, just a topic in one of these meetings to begin with. But yeah.
B
Thanks, Trisha.
J
Yeah, those are all very valid points, thanks, and thanks for raising this question. It's very important to discuss them as a community. I can vouch that I, certainly no secret meetings that we're having, so that fact is true.
I agree that, so I think partly to answer Bruno's questions and Melba's questions too, is that maybe this is what we need to decide before we solidify the election process, is to clarify what we expect from the next steering committee. I think that's important to really, before we hold an election at all, so.
B
We had some good suggestions around, like, what we would want, what properties moved on and from the steering committee, with transparency and being active and things, and I think, for the most part, the current steering committee are very active participants in the community. Like, we have all but two of them on this call, and one of those two is very active in the project otherwise.
I guess the obvious question is: do we have any volunteers to kind of drive forward this definition, based on what we have in the current governance document?
E
So I don't want to volunteer on this. I have too much going on right now. But actually, one question I did want to bring up is, I think it's probably worthwhile, just, and Arno, you might have the info here, of, like, as when we originally created the SLSA steering committee, whatever it was, was it two years ago, something like that? We, the governance or the OpenSSF, was also not fully solidified either.
I
Yeah, so I can answer that. There is no rules there, so we're pretty much free to do what we want.
There is the point of, you know, like, if we have an election, who gets to vote. It's actually a broader issue which doesn't pertain only to the election of the steering committee, right? We have seen it in other working groups where, you know, an issue comes up.
This is really not well defined, and there's the question of, well, who gets to vote, right? And so this is a problem I think OpenSSF, the TAC, wants to tackle, and this is probably something I would expect will come up with some rule, and that will be, you know, broadly applicable to everybody. But that's about it for now. And when it comes to the actual steering committee, it's up to every working group to define what they do, and until that changes and the TAC says, no, we're going to put some standard steering committee governance structure that everybody has to follow, I think here we can do what we want.
F
Would it be worthwhile to go through the current definition for folks on the call and just go through, do we still agree with what's written? Not sure if that's valuable for people or not.
B
Yeah, I mean, if you'd like to do that. If anyone has a strong opinion either way, make it known, please. We can certainly spend a few minutes doing that.
F
I have it open. There's only like four points on the steering committee, it seems, but maybe I'm misreading it.
I
Know, for that matter, I don't think we necessarily need the steering committee to have actual meetings. I definitely, you know, I wouldn't be pushing for this, but there's got to have been some communication, and I think it would be good for the existing steering committee to have a look at the text and see whether it captures at least what's being done, that has been necessary.
E
Yeah, I agree with that, and I think the, like, the one thing I wanted to actually highlight was, I'm pretty sure the only thing the steering committee has done above and beyond just what general, like, the folks who've been contributing a bunch, is just that last point, the making decisions when community consensus cannot be reached, which I think we've only ever had to do a couple of times, where we saw that there was a contentious issue about the definition of something, and the steering committee kind of came in and said, yep, this seems like the most reasonable solution, and we voted on it. And I think that also only happened a handful of times.
But yeah, so on that end, I will say, and maybe we just make it clearer, I agree with you. The only time that's ever happened is we took the vote and recorded it in a GitHub issue or inside of the Google Doc, so we always recorded it somewhere. But I think making that clearer, to your point, is, so that folks know where to look for records of those votes as opposed to go fishing for it, is really important.
B
It's all about the minority voting has all been done on GitHub, and there just haven't been many of them, and there's multiple positives involved at this point. Like, I'm looking at the list here and seeing, like, collectively reviewing and revising the roadmap on a biannual basis. I mean, we have collectively reviewed and revised the roadmap, but it hasn't been on a biannual basis, because we've not delivered what we set out in the previous roadmap in that kind of initial projection of I'm drinking.
So, sorry, Trishank, you have your hand up.
J
Yeah, thanks. So how about this, and I'm not saying that this is the best proposal, but I'm curious to hear what others think. How about we do this: I think the onus is on the current steering committee members right now to meet and discuss what we expect the next steering committee to do, and, of course, we're going to be transparent about this.
We're going to discuss this, maybe there's a volunteer or two writing a doc together, and then we pitch it to the next SLSA only meeting or the one after that. But the point is we present something.
I
Yeah, by the way, it's a probability statement but a proposal, but, you know, you could also entertain the idea of not having a steering committee. If it's not, you know, we could rely on having, well, we have people who are involved, and this is the community that's making those decisions. Do you actually need a steering committee? You know, my experience, I'll be open about.
This is, like, you know, companies, when they go open collaboration style, they'll fear they're going to lose control, but the reality is the control is in the hands of the people who are actively engaged. If you actively engage, you have at least some amount of control, and you don't need to have special powers in a steering committee that says:
Well, it doesn't matter if it doesn't go the way we want at the steering committee, we can always, you know, shift things the way we want. So I'm just, you know, there may be valid reasons, but if you guys felt like, well, we haven't had much to do, maybe we don't need it, that should be at least in people's mind.
E
Yeah, so yeah, I think I agree with that as well.
E
I think it's probably worth discussing through. I think, not necessarily a counterpoint to what you said, but something that I think is still valuable either way, and it's kind of slightly tangential, is I know that a lot of different, like, growing and very large open source projects have the concept of either leads or, you know, some sort of badge or something like that, especially for folks who, you know, are growing engineers or growing contributors in open source, so that they can kind of say, "hey, I'm such and such on SLSA, I'm a lead on the such and such track for SLSA", and it's something that I know helps a lot of folks, and it helps provide incentive for a lot of folks who do a lot of that contribute.
E
You know, contribution from, like, a contributor ladder standpoint. So, you know, it helps them in their careers and a lot of their personal growth as well, which, once again, it's slightly tangential to the steering committee thing. But I do think that at least some level of, like, providing, you know, more of that incentive, even if it's just a badge of honor for some folks, is something that I know some people appreciate as a way of, like, seeing that their contributions are well known or whatever. Yeah. So.
B
I worked in the show, but that's the notion of the contributor ladder, I think, and as I understand it there's been a proposal to have kind of a high-level one in the OpenSSF projects to adopt, as they see fit. I haven't reviewed it personally, but I think it would be worthwhile for us to look at that and see how we can foster our contributors.
I
Tell me when you want to move on, but, you know, what Mike just said is very relevant. I mean, I think it is true that people need to get recognition, and it's often helpful to justify the time they spend to the employer on an activity like this, so I totally, I'm familiar with this and I acknowledge it. But in fact we have another level of control, right, which is the maintainer status, and so in a sense when we talk about, you know, what if there's a big issue?
B
Yeah, I think we even have an issue for that in the governance repository, that we need to better document who our maintainers are, because the kind of moniker of a maintainer in most open source projects is the people who review and merge code, but in SLSA and other communities we have a lot more leadership roles that kind of fit their responsibilities and the recognition of being a maintainer without necessarily doing that kind of review and hands-on git surgery. So that would be, I agree.
B
It would be super useful. I think I even filed the issue. It would be better to document that stuff. Melba, you have a hand raised. Yeah.
F
I can't raise my hand when I'm sharing the screen, so I had a question along the lines of the maintainers, right, because reading this, and I might be reading it wrong, it seems like a maintainer cannot be a steering committee member, cannot be a maintainer. I could be reading that wrong, and if that's the case, I think we will have to take a look at, okay, who are the maintainers versus steering committee members, because the steering committee seems more leadership, right, less, you know, hands-on PRs, right.
F
Yes, they can do it, but that's the way it seems, right: there's contributors, and then there's the leaders of the contributors, and then there's the leaders of the maintainers that are the leaders of the contributors, right. So it seems almost like a hierarchy, and so I would expect that the steering committee members are less day-to-day and more on, I don't want to say operations.
F
That's not quite the right word I'm looking for, but yeah, I'm not sure what word I'm looking for.
B
Maybe we don't need a steering committee. Maybe we just need to better, like, document and recognize the different leadership roles in the community, and that larger set of leaders with diverse representation skills could be, you know, sufficient to replace the steering committee concept. Really interesting questions.
B
I think we've had a bunch of great discussion. I'm conscious of the fact that we've only got a few minutes left and we don't have a, I don't think we have a direct plan of action for next steps, so I think we should focus on that. Like Trishank suggested, maybe the steering committee that exists today should kind of take ownership of this definition.
B
I don't oppose the idea. I'm curious if anyone else has any strong thoughts on way forward, or Trishank, if you're volunteering to shepherd that.
I
Not one project, is really three different projects, and so you cannot have maintainers across all these projects, so they actually need some kind of body that does the coordination across all these different projects, and the steering committee fits well that role. I don't know that we have that for SLSA, but, you know, I'm not against the steering committee, I'm not trying to kill it. Don't get me wrong. I think if there is some value to it, let's keep it, but we should better define it. So Trishank, thank you for volunteering.
E
You, one thing I want to just throw out there, because I think this was also one of the original reasons why we'd discussed something like a steering committee, was less about that. The, because we've seen this in other open source projects a little bit, is we didn't want to have, what had to have happen is, and it's part of the who's-allowed-to-vote problem.
E
It's the, we didn't want to have, you know, a half dozen people from one company all start joining a couple of the meetings and trying to vote just purely their agenda in. We wanted to say, "hey, here's a bunch of members, they all sort of largely agree on the general charter of what SLSA's trying to do, and, you know, we might disagree on some things, but it's not like we're just gonna throw a million people from company X and be like, yeah, now SLSA's this, and this is how we're pushing it."
B
Yeah, I think that's a great point, and I think we've talked about a few things, like how do we handle when people aren't as active as they want to wear, but I think we need to be wary of requiring weekly attendance of meetings or even weekly engagement in the project, have, like.
B
We want community participants to be active if they have these leadership roles, but for people who have jobs which aren't just working on SLSA, then we need to be forgiving of other priorities as well. So there's definitely a band selector.
B
Okay, cool, lots of great discussion. Thanks everyone, and thanks Trishank for volunteering to take this forward. Yeah, I'll happily, bunch of you collaborate on that, and I'll see it when you share it with a broader community. So yeah, thanks everyone for your time today and for the, it's a good discussion, and see you in the next meeting in a month's time.