►
From YouTube: SLSA Specifications Meeting (March 20, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
B
B
B
To
this
meeting,
that's
right,
yeah,
because
we've
been
talking
on
slack
and
GitHub
evidence
being
a
hi
Andrew.
B
If
you
want
to
just
quickly
say
hi.
C
Hey
I'm
Andrew
hi
I,
currently
work
at
Red,
Hat,
okay,.
D
B
I
see
names
and
whether
it's
like
this
particular
meeting,
everyone,
hey
everybody
thanks
for
joining
anybody.
A
B
B
One
thing
I've
been
wondering
is:
should
we
have
another
release
candidate
before
we
mark
it?
As
final
I,
we've
had
like
a
lot
of
changes
since
the
original
release,
candidate
they've,
pretty
much
been
editorial
changes
I,
don't
think
we're
changing
a
ton
in
terms
of
like
this,
the
meaning
of
the
levels,
but
there's
like
quite
a
lot
of
text
and
a
lot
of
you
know,
new
explanation
terms
have
changed
and
so
I
was
wondering
like.
B
Would
it
be
good
to
have
another
well-defined
release
candidate
with
like
a
two-week
comment
period,
and
during
that
comment
period
we
just
don't
intend
to
make
any
more
changes.
Unlike
this
past
comment
period,
and
then
you
know
address
any
like
bug,
fixes
or
typos
or
whatever,
but
then
the
markets
table
then
on.
G
So
I
I
also
wanted
to
bring
up
versioning.
So
thank
you.
Nicole
I
think
that
I'm
in
favor
of
a
second
release,
candid
and
time-bounding
it
and
just
scheduling,
1.1
like
why,
don't
we
just
say
we're
gonna
have
quarterly
releases
big
bugs
will
go
into
the
into
the
next
one.
A
I'm,
the
next
yeah
Chris
I
think
that's
a
good
point
right,
just
like
having
it
scheduled,
just
kind
of
having
that
that
extra
just
little
bump,
maybe
like
you,
said,
Mark
one
more
review
before
we
do
the
one
but
then
having
a
scheduled
1.1
on
the
book
so
that
we
don't
have
to
keep
extending
per
se
I.
Think
it's
a
good
idea.
H
I'll
go
next
yeah
I
I
like
the
slightly
longer
review
period
for
an
rc2,
but
that's
yeah.
So
so,
let's
see
we
don't
want
to
keep
delaying
this
either,
but
I
think
it
might
be
worth
the
extra
little
time.
I
So
I
think
we
ought
to
have
a
second
candidate
release,
and
so
you
know,
Mark
and
I
actually
worked
on
something.
Maybe
that
not
everybody
has
realized,
but
we
had
to
align
the
spec
stages
that
we
had
defined.
Thankfully
they
were
really
not
too
far
from
it,
but
to
the
what's
in
the
community
specification
license
framework
that
we
use
that
governs
this
work.
Brian
belendov
actually
pointed
that
out
to
me
he
said:
are
you
guys
following
this
and
I
was
like?
Oh
wait?
Let
me
check
and
I
realized.
I
It
wasn't
exactly
the
right
wording,
so
we
kind
of
reshaped
everything.
Thankfully
you
know
as
the
same
number
of
stages.
They
actually
mean
the
same,
but
there
is
an
important
aspect
to
it,
which
is
you
know
it's
related
to
licensing
commitments
that
people
make
when
they
contribute
to
the
specification,
and
so
it
does
call
for
us
to
make
it
clear
that
when
we
go
when
we
go
to
to
when
we
publish
a
candidate
for
Approved
specification,
a
proof
specification
being
the
last
stage
which
we
used
to
call
stable,
that's
the
biggest
change.
I
You
know
we
have
to
clearly
highlight
this
is
an
important
step
because,
from
a
legal
point
of
view
they
are
I'm,
not
a
lawyer,
so
I
don't
want
to
advise
you
on
what
exactly
it
means.
I
suggest
you
get
your
lawyer
to
read
it.
If
you
care
and
inform
you,
but
essentially
there's
some.
You
know
boundaries.
There
are
some
deadlines
as
to
you
know,
if
you
want
to
exclude
some
intellectual
property,
you
might
have
related
to
your
contributions
and
to
the
specification
that's
going
to
be
approved.
I
So
we
didn't
really
do
that,
because
we're
not
completely
on
board
with
what
you
know
we
should
have
been
done
so
for
that
purpose
alone.
I
think
we
ought
to
do
it
and
make
it
clear.
So
we
don't
have
any
problem
down
the
line
and
also
I
think
you
know,
there's
been
tremendous
changes
made
to
the
spec.
A
lot
of
them
can
probably
be
labeled
as
a
tutorial,
but
clearly
not
everything
so
I
think
for
that
purpose
we
ought
to
have
another
release
and
so
from
the
communication,
Community
specification
process
point
of
view.
I
C
Yeah,
so
I
just
wanted
to
to
say
that
I,
don't
think
that
we
need
to
make
it
longer
than
two
weeks,
because
I
assume
that
most
people
who
were
engaged
in
providing
feedback
for
their
first
release
candidate,
we're
probably
going
to
be
continued
or
hopefully,
they're
continued
to
be
engaged
in
the
issues
and
so
I
think,
especially
with
the
with
the
recent
change
that
was
pushed
where
you
can
actually
view
the
entire
table
of
contents.
From
the
from
the
perspective
of
the
different
versions.
C
I
think
that
makes
it
really
easy
to
see
what
what
calls
included,
maybe
making
a
vpu
change
or
having
having
the
the
rc2
for
the
other
purposes,
but
also
in
the
communication
around
it.
Make
sure
that
we
highlight
that
it's
easier
to
to
see
the
entire
specification.
J
Yep
so
I
guess
I'm
going
to
pile
on
I
I
do
think.
Another
round
is
good
for
the
reasons
that
Arno
mentioned.
Other
folks
mentioned.
You
know,
there's
the
issue
that
if
you
make
so
many
editorial
changes,
it's
not
easy
to
see.
J
What's
changed
that
said,
I
I
think
that
I
I
Mark
I
agree
with
you
that
we
want
to
put
out
one
that
we
don't
expect
more
changes
on
I,
don't
know
how
many
changes
that
we've
received
already
it's
possible
that
there'll
be
a
whole
bunch
of
folks
showing
up
with
changes
on
the
very
last
deadline
day
which
case
oh
man,
we're
gonna
have
to
review.
It's
also
possible,
though,
that
you
know
people
who
are
interested
are
already
involved.
J
Most
of
them
have
already
said
they're
peace,
so
we
we
may
have
to
make
a
decision
once
we
what's
the
deadlines
passed,
but
I
would
say
as
soon
as
we
can
resolve
all
comments
put
in
by
the
deadline
then
put
out
a
two-week
ver
then
put
it
out.
I
think
two
weeks
is
is
fine,
especially
since
people
have
been
given
a
heads
up,
but
I
do
think.
Another
round
makes
sense
and
I
know
I
think
more
than
two
weeks.
J
You
don't
need
this
time,
though
I
think
we
ought
to
coordinate
with
Jennifer
Bligh
and
basically
just
we.
It
was
kind
of
a
lesson.
Oh
wait:
should
we
put
a
blog
post
on
it?
I,
don't
think,
there's
a
legal
requirement,
but
I
think
that
from
a
you
know,
hey.
We
are
honestly
doing
our
best
to
make
people
aware
to
review
this.
That's
about
to
go
out
the
door.
I
think
that's
important,
so
why
you
know
I
mean
we.
J
K
So
yeah
I,
my
question
I
think,
is-
is
more
on
the
the
The
Meta
end
of
like
Okay.
So
let's
assume,
okay
based
on
some
of
the
stuff.
We
were
talking
about
last
week,
a
little
bit
about
versioning
and
assuming
let's
say
we
do
something
like
hey
we're
gonna
do
quarterly
releases.
Does
that
also
include
stuff
like
what
we
might
consider,
something
that
you
know,
a
bug
that
wasn't
caught
or
or
a
typo
fix
or
or
whatever
I'm
just
curious?
K
I
E
Next
I
have
one
question:
should
we
address,
there
is
a
whole
bunch
of
to
do
in
the
spec,
especially
I
was
really
verifying
with
system
the
other
day,
and
they
have
a
bunch
of
places
where
there
are
to
do
like
align
the
schemas
style
and
stuff
like
that.
Should
we
address
all
of
them
before
1.0.
B
E
B
B
A
B
J
Yeah
so
the
thumbs
up
on
the
getting
rid
of
the
to-do's
either
do
them
or
remove
them
and
hope
I,
agree.
I,
hope,
that's
not
terribly
controversial.
I
just
realized
something
I
think
we're
referring
to
this
as
a
v
1.0.
J
We
might
want
to
refer
to
this
as
1.0.0.
So
that's
clearly
a
version
number
because
otherwise,
when
we
go
to,
if
we
there's
a
version,
0
1.9
1.10
is
is
also
possibly
version
1.01
again
so
putting
in
those
two
dots
helps.
C
A
J
I
B
B
We
should
probably
be
a
little
bit
more
critical
on
to
see
if
it
sort
of
like
ones
where,
for
example,
I
think
there's
ones
where
like
oh,
we
should
have
a
diagram
here,
because
I
think,
like
it's
just
a
big
wall
of
text
and
hard
to
follow
in
a
diagram
what
it
would
add,
a
lot.
B
That
would
be
nice
if
we
could
just
like
put
out
something
quickly
to
just
go.
Some
sort
of
visual
thing.
Things
like
that
are
like
the
terminology
is
different.
Between
these
two
pages.
We
need
to
align
those
those.
B
Okay,
so
then,
in
terms
of
the
schedule
which
we
we
keep
talking
about
a
lot,
should
we
still
shoot
for
like
there's
still
quite
a
bit
of
issues
open,
but
I
think
we're
getting
closer
and
closer.
B
Although
the
project
board
doesn't
look
that
way
to
resolving
a
lot
of
the
things,
should
we
shoot
for
like
have
all
the
changes
submitted
by
end
of
next
week,
and
then
we
can
make
a
decision
for
if
that's
ready
or
if
we
need
more
time,
I,
don't
know
what
the
process
I've
not
worked
in
Open
Source
before
so
I,
don't
know
like
or
on
any
sort
of
specifications
like
this
I.
Don't
know
like
what
is
a
good
idea
for
keeping
things
on
track.
K
I
can
just
provide
my
perspective
of
the
past
several
years
of
doing
I,
I
think
at
a
certain
point
you
just
kind
of
have
to
call
it
and
because
you
know
the
thing
about
open
source
rate
is,
is
since
we're
all
volunteers
here
and
we're
all
working
under
sort
of
a
very
flexible
sort
of
code
of
conduct
and
whatever
like
as
long
as
somebody's,
not
outwardly
trying
to
sabotage
something.
You
know
we
could
keep,
we
could
keep
going
and
and
in
perpetuity.
K
B
Makes
sense,
I
think
on
this
kind
of
a
similar
note
for
the
pull
requests
that
we
have
I
think
we
should
be
trying
to.
B
We've
talked
about
this
a
bunch
before
but
like
air,
on
the
side
of
let's
get
something
and
I
know
I'm
I'm,
worse,
get
something,
that's
good
enough
and
submit
it
and
then
so
we
have
something
in
there
and
then
we
could
always
have
further
pull
requests,
but
we,
you
know,
have
a
tendency
to
leave
pull
requests
open
for
weeks.
It'll
be
good
if
we
could
try
to
close
the
loop
faster,
especially
if
we
only
have
you
know.
A
B
C
I
B
Yeah
I
think
that
the
big
ones
that
are
still
open,
the
Distributing
Providence
one
I'm,
not
sure
what
the
status
is
GitHub,
doesn't
isn't
very
good
at
telling
you
like,
whose
turn
it
is
and
like
what's
waiting
for
what
it's
sure
being
Providence,
which
is
673
unifying
verifying
artifacts,
which
is
675.
B
description
across
also
page.
We
just
mentioned
format,
selector,
that's
a
pretty
minor
thing,
I,
don't
think.
That's
a
blocker,
though,
do
that
independently,
the
combined
ephemeral
and
isolated
700
is
going
to
active
comments
and
rewrite
understanding.
Sausage
was
just
opened,
so
I
think
the
rest
of
them
are
either
like
Dale
or
not
particularly
urgent.
B
Okay,
anything
else
on
the
1.0
release,
so
it
sounds
like
to
summarize
releasing
it
to
will
take
a
we'll
Target
another
two
weeks
and
we'll
discuss
next
week
at
the
spec
meeting
to
see
kind.
B
That,
along
that
those.
A
D
B
The
kind
of
period
closes
at
the
end
of
this
week,
I
I,
don't
know
we
talked
in
the
past
about
we
want
I.
Think
I
think
we
talked
about
I.
Think,
like
releases
announcements
are
generally
better
on
like
middle
of
the
week.
B
I
don't
know
if
that
also
applies
to
the
release
candidate
or
if
we
want
to
do
it
like
a
Friday
or
a
Monday,
but
I
would
imagine
you
know
we
could
maybe
Target
all
the
changes
we
wanted
and
submitted
by
the
31st
say
and
then
cut
the
release
candidate.
The
first
week
of
April.
J
J
B
That's
the
question:
that's
what
we're
trying
to
answer
I
mean
there's
like
a
bunch
of
open
issues,
I
guess,
I'm
hoping.
E
B
Could
get
through
it
within
the
next
two
weeks
and
for
most
of
them
just
say
like
good
enough
postpone
or
or
actually
address
yeah,
because
a
lot
of
the
issues
are
not
so
much
like
this
needs
to
be
fixed
but,
for
example,
like
there's
issues,
365
I'm,
not
looking
at
a
random
one
out
what
counts
as
service
generated.
B
Some
of
these
issues
were
opened
a
while
ago
and
haven't
had
further
comments
on,
and
so
maybe
we
could
just
say
it's
good
enough.
We
haven't
had
any
specific
comments.
We
haven't
talked
about
it
for
a
while.
Maybe
we
don't
need
any
further
clarification.
There
yeah.
I
I
B
Yeah
agreed
and
I
think
it'd
be
valuable.
Like
again,
we
had
this
project
board,
which
I'll
paste
in
the
chat
and
also
on
the
on
the
intermedi
notes.
B
There's
there's
a
bunch
of
things
listed
here
if
one
seem
like
they're,
either
addressed
or
lower
priority,
we
don't
need
to
do.
It
certainly
would
be
valuable
to
like
comment
on
them
and
you
know,
move
them
off
of
this
project
board
and
say
we're
not
going
to
do
it
either.
B
Okay,
are
there
any
other
topics
that
are
worth
discussing
now.
H
C
If
we
had
any
questions
now,
we
don't
have
to
address
it
immediately,
but
I
I
didn't
want
I
wanted
to
know
if,
as
part
of
the
ephemeral
and
isolated
conversations
that
are
happening,
I
feel
like
what
I'm
trying
to
different
differentiate
on
is
between
level
three
and
level.
Four
isolated
and
I
didn't
want
to
know
or
I
I
wanted
to
know
how
specific
in
the
future
directions.
C
We
should
be
about
what
we're
looking
at
going
forward
for
level
four
or
if
that
should
just
be
documented
as
a
GitHub
issue,
and
then
just
leave
it
generic
in
the
future
directions.
C
A
B
In
the
chat
too,
this
this
in
the
background
here,
this
ephemeral,
isolated,
is
the
topic
of
many
of
the
comments
we've
had
in
the
past,
and
so
I
think
this
is
really
valuable
to
to
resolve
the
especially
if
you
could
comment
on
the
pull
request.
I
think
there's
like
getting
the
wording
right
I
think
is
pretty
tricky
what
we
did
to
recap,
what
we
discussed
Andrew
and
I
on
the
thread.
It
seems
like
we're
kind
of
zeroing
in
on
the
requirements
for
level.
B
Three
are
things
from
the
build
system
that
the
build
system
must
guarantee
and
there's
no
requirements
on
like
what
the
tenant
has
to
do
or
the
where
the
producer
has
to
do.
B
The
original
wording
had
some
should
recommendations,
which
was
a
kind
of
ambiguous
and
and
confusing,
and
so
we
were
discussing
like
how
can
we
make
this
more
clear
and
it
seems
like
the
basic
kind
of
idea
is
that
at
level
three
it?
It
must
be
kind
of
secure
by
default.
B
But
if
the
users
open
up,
you
know
like
a
port
like
with
SSH
or
something
on
it,
for
example,
which
would
allow
a
remote
user
to
just
kind
of
run
arbitrary
commands
that
that
is
not
something
that
has
to
be
blocked
by
level
three,
but
maybe
a
future
version
would
and
so
like.
How
do
we
clearly
Express
that
that,
like
the
Builder,
has
a
requirement
to
like
be
to
some
amount
of
secure,
but
they
don't
have
to
like
block
everything?
Is
it
does
that
capture
danger?
C
Well,
yeah,
yeah,
I,
I
think
so
and
and
where
I
kind
of
understood
the
the
isolation
for
level
three
is
that
we
want
to
try
to.
C
It
comes
back
to
I
think
the
the
best
effort
wording
around
Providence
as
a
build
system.
C
We
need
to
work
towards
making
a
best
effort
to
ensuring
that
the
Providence
is
accurate
and
so,
like
part
of
the
confusion
that
I
came
towards
this
conversation
with,
is
around
the
difference
between
the
the
build
system
and
the
producer
and
the
the
suggestion
that
I
made
is
that
the
producer
should
should
not
intentionally
subvert
the
build
system's
best
effort
for
Providence
generation
and
so
I
think
trying
to
to
figure
out
how
to
word
the
the
maximum
isolation
in
level
three
from
both
the
producer
and
the
build
system.
C
In
order
to
achieve
that
best
effort.
And
then
it's
not
until
you
go
to
level
four
where
you
can
hopefully
achieve
maybe
a
little
bit
better
than
best
effort.
Once
you
start
having
further
requirements
on
the
build
system
and
on
the
user
to
prevent
the
like
network
access
whatnot
that
you
can
be
reasonably
confident
that
everything
that
is
contained
in
the
references
for
the
builds
is
actually
all
that's
needed
to
produce.
The
artifact.
E
G
I
just
want
to
make
sure
I
understand
correctly.
So
it's
the
idea,
then
that
at
L3
the
the
the
build
process
is
not
it's
not
adversarial
between
the
the
user
provided
build
and
the
platform.
B
I,
don't
know
I'd
phrase
it
that
way.
I
think
there
is
some
like
adversarial
of
like
the
the
build
like.
Let's
say,
the
build
platform
has
signing
keys
or
some
sort
of
cryptographic
secret.
B
The
producer
shouldn't
be
allowed
to
get
those
so
that
that
is
still
a
boundary
and
like
two
builds
still
need
to
be
isolated
from
one
another.
I
think
it's
more
around
like
if
you
I
think.
B
I'm,
not
sure
Andrew
agrees
with
me
like
if
you,
if
you
just
use
the
service
by
default
in
like
the
normal
way,
you
will
have
isolation
between
bills
and
the
providences,
particularly
like
the
external
parameters
list,
will
be
accurate
and
complete.
And
if
someone
were
to
rerun
that
build
with
those
same
external
parameters,
they'll
get
the
same
room
results,
maybe
not
bit
for
a
bit
identical,
because
maybe
it's
not
reproducible
but
like
logically
they'll
kind
of
get
the
same
thing,
but
a
build.
That
kind
of
does
kind
of
violates
the.
F
B
You
know
open
up
open
up
a
port
that
allows
like
some
something
else,
to
connect
and
run
arbitrary
commands
or
might
Farm
out
the
execution
to
another
service.
That's
not
part
of
the
Builder
and
there's
no
requirement
for
the
build
service
to
like
block
that
from
happening,
because
doing
that
sort
of
blocking
would
be
it.
C
And
speaking
to
the
adversarialness
of
it,
I
think
that
there
are
like
you're
gonna,
have
different
levels
of
or
different
types
of
attack
factors
that
you're
going
to
be
able
to
protect
against
level
three
and
level
four,
and
so
with
level.
Three.
C
The
important
thing
is
to
like,
in
order
to
or
level
three
is
there
to
help
Drive
adoption
to
these
build
systems
which
can
provide
level
three.
C
Build
whatever
the
terminology
is
verification.
C
And
then
it's
not
until
you
you
go
further.
Are
you
trying
to
really
get
beyond
what
is
just
the
provenance
he
so
at
level?
C
Three
we're
trying
to
make
sure
that
that
we
have
reasonable
confidence
around
the
Providence,
but
then
at
level
four
is
is
when
it
feels
like
you're,
maybe
you're
interested
in
in
builds
produced
with
level
four
Providence
level,
four
build
when
you
are
more
concerned
about
that
attack,
Vector
from
malicious
adversarial
actors,
and
so
I
think
that
it's
okay
to
leave
the
room
for
some
of
these
attacks
in
level
three
which
we're
not
going
to
be
able
to
and
and
somebody
looking
at
just
a
level.
C
Three
specification
might
ask
the
same
question
as
you,
which
is
I,
think
why
it's
partially
a
challenging
situation
to
only
describe
level
three,
knowing
that
there's
a
level
four
further,
knowing
that
we're
leaving
wiggle
room
here
or
an
intentional
malicious
actor
to
do
something
really
wonky
with
their
bill,
where
their
prominence
is
completely
inaccurate.
G
Yeah
that
makes
sense
to
me
then
I
think
my
my
only
concern
is
that
we
have
so
going
from
level
one
to
four.
We
have
potentially
two
discontinuities
we're
at
level,
one
to
level
two.
You
might
need
to
change,
build
system
level,
three
to
level
four.
You
may
need
to
change
the
logic
of
your
build.
C
Right
and
I
I
think
I
I
tried
to
make
that
clearer
with
an
earlier
PR,
where
the
action
for
the
producer
to
achieve
level
three
is
really
just
to
onboard
to
a
level
three
compliant
build
system,
and
so
it
is
intentionally
the
the
first
is
to
kind
of
Drive
adoption
towards
these
systems,
which
have
it
in
mind
to
try
and
Harden
themselves
and
then
only
once
they
they
get
into
those
Avenues
of
these
hardened
systems.
Can
they
then
explore
the
possibility
of
trying
to
further
Harden
against
these
attack
vectors.
G
Okay,
my
I
thought
that
the
action
for
for
level
two
is
getting
onto
the
build
system
that
that
has
goals
for
isolating
itself.
So
I
guess:
okay,
level,
level,
two
to
level
three,
the
user
doesn't
have
to
do
anything
level,
three
level,
four,
they
do.
I
C
Fine,
so
I
in
in
my
head,
I
was
I
was
describing
it
as
the
maximum.
Now
so
I
I
wasn't
I
haven't
been
focused
on
anything
other
than
level.
Three,
so
I
didn't
see
what
the
intricacies
are,
but
in
order
to
to
achieve
the
maximum
now
all
you
have
to
do
basically
is
to
start
using
some
compliance
system.
C
G
K
There's
still
some
minutia
there
around
like
what
counts,
as
as
the
sort
of
end
user
developers,
responsibility
versus
the
let's
say
in
certain
cases
right
the
implementer
of
the
build
service,
so
somebody
who's
actually
deploying
out
something
other
than
you
know,
because
I
know,
a
lot
of
the
focus
has
been
on
stuff
like
GitHub
actions,
but
like
tecton
and
tecton
chains
right
and
tecton
and
tecton
chains
right
can
do
stuff,
like
salsa
level
two,
but
you
still
have
to
give
it.
K
Let's
say
a
key,
and
so
the
idea
there
right
is
is
you
know
you
could
still
end
up
with
a
situation
where,
based
on
how
you've
set
up
tecton
and
tecton
chains,
even
though
it
could
do
level
two,
your
job
doesn't
provide
a
key,
so
it
doesn't
actually
sign
it
with.
So
it
doesn't
make
it
salsa
level.
Two,
it's
also
level
one.
So
there's
some
stuff
there
is
well
beyond
just
sort
of
like
the
hey.
These
are
things
you
actually
need
to
make
part
of
your.
K
You
know
the
lower
level
build
in
order
to
kind
of
get
that
to
work.
K
I
think
that
there's
also
separately
I
think
that
one
of
the
things
I
think
would
be
really
useful
is,
is
really
kind
of
focusing
a
little
bit
more
on
the
the
like.
What
are
the
actual
attack
vectors
so
that
we
can
then
kind
of
transform
that
into
sort
of
the
the
levels
there,
because,
like
I,
think
one
of
the
the
things
that's
a
little
unclear
to
me
is
like
what
is
let's
say,
the
attack
Vector
that
salsa
level
2
would
protect
against
versus
level.
Three
and
I.
K
Think
I
have
like
I,
have
some
thoughts
around
it,
but
I
think
that
sort
of
thing
is
is
I,
don't
want
to
say
that
this
is
the
case
exactly,
but
like
one
of
the
things
that's
confusing
me
is
is
unclear
exactly
like
is
the
requirements
we're
adding
in
to
say:
hey,
here's
the
attack
vector-
and
this
is
what
we're
trying
to
prevent.
So
these
are
the
new
requirements
or
are
the
requirements
just
kind
of
there
and
saying
like
hey?
What
are
the?
What
are
the
attack
vectors?
K
C
And
at
least
tangentially
related
to
that
is
issue
number
706
that
Mark
opened
today
again
in
that
came
out
of
this.
C
This
ephemeral,
isolated
PR
explaining
explain
that
you
must
Define
a
security
model
for
your
build
system,
because
I
think
that
Michael
what
what
I
hear
when
you're
saying
that
is
that
we
need
to
make
sure
that
anybody
who's
developing
a
build
system
has
a
security
model
so
that
they
know
what
is
within
the
the
trust
boundary
and
what
is
not
within
the
trust
boundary,
because
not
until
you
know
where
that
line
is
where
you're
you
differentiate,
custom
versus
untrusted.
Can
you
start
to
make
those
types
of
decisions
about?
C
Right,
it's
not
exactly
the
same
thing
that
that
you're
asking
but
I
feel
like
it's
maybe
at
least
a
necessary
requirement
in
order
to
get
to
that
level.
K
I
I,
agree
and
I
think
that
there's
also
a
couple
of
distinctions
I
think
we
do
a
pretty
good
job
at
kind
of
separating
out
now
the
the
idea
of
build
system
and
build
service,
and
some
of
these
other
things
I
do
think
that
we
might
need
to
be
a
bit
clearer
because
I
think
you
know
at
least
right
now,
I
think
the
vast
majority
of
folks
who
are
doing
salsa
from
what
I
can
tell,
and
once
again
this
is
just
publicly
at
least
like
that
I
can
tell
are
obviously
using
GitHub
actions
and
and
those
sorts
of
things
where
a
lot
of
the
things
around
what
that
trust
boundary
is,
is
not
directly
under
your
control.
K
There
are
certain
things
like
the
reusable
workflow
and
exactly
what
GitHub
action
you're
using
and
so
on,
but
like
a
lot
of
the
stuff
around
like
you're
sort
of
largely
assuming
that
GitHub
when
it
says
Hey,
different
jobs
or
not
be
able
to,
you
know
they're
isolated,
and
they
should
not.
You
know
one
job
should
not
be
able
to
interact
with
another
job,
you're
sort
of
trusting
GitHub
on
that
I.
K
Think
that
there's
some
open
questions
about
like
yeah
and
when
sort
of
exploring
that
just
a
bit
more
generically
like
if
I
look
at,
let's
say
Jenkins
or
I.
Look
at
some
of
these
things.
It's
not
just
purely
about
the
tool.
It's
also
how
you've
configured
the
tool
and
what
sort
of
constraints
you've
also
potentially
set
up
on
the
end
users
of
that
tool.
Right,
like
Jenkins,
is
pretty
well
known
for
being
pretty
open
by
default.
But
by
placing
you
know,
the
implementer
of
that
thing
could
place
a
ton
of
restrictions
on
it.
K
J
K
I
I
think
yeah
I
think
we,
the
the
thing
there
is,
is
and
I
think
we
do
and
a
decent
job
at
the
build
system,
but
we
might
want
to
sort
of
clarify
a
bit
that
when
we
call
when
we
say
build
system
we're
not
purely
saying
Jenkins,
tecton,
GitHub
actions,
we're
saying
it's
those
things
and
we
do
have
some
things
in
there
we
just
might.
We
do
have
some
things
around,
that
the
build
system
consists
of
the
people
and
processes,
and
so
on
that
surround
it.
K
We
just
might
want
to
make
sure
that
we're
we're
given
that
there's
a
bunch
of
stuff
out
there
I
think
we
just
need
to
make
sure
that
we're
crystal
clear
that
a
lot
of
folks
assume
build
tool
here,
like
you
know,
Jenkins
tecton,
yada
yada,
it's
those
things
configured
in
the
right
ways
with
the
right
Security
in
in
mind
that
are
capable
of
that
and
I.
Think
that
sort
of
thing,
though,
is,
does
get
confusion
confusing,
because
a
lot
of
folks
are
going
to
be
evaluating
and
saying
at
what
point?
K
Is
it
like
because
any
tool
that
you
know
if
you
configure
it?
The
right
way-
and
you
add
the
right
sorts
of
plugins-
and
you
add
you
change
it
in
the
right
ways-
could
be
salsa
level.
You
know
three
compliant
but,
like
certain
tools
are
inevitably
going
to
be
like
out
of
the
box,
it's
more
or
less
salsa
compliant.
K
E
I
I
agree
on
that.
That's
in
the
end,
it's
more
the.
What
will
be
B
level
three
or
two
will
be
the
Builder
ID
rather
than
the
build
type
I
mean,
for
example,
you
can
host
githubs
or
git
Labs
on
your
own
and
they
can
be
completely
unsecure
and
you
can,
if
you
don't,
then
run
them
in
a
separate
user.
You,
you
are
broken
breaking
starts
on
some
in
some
ways,
so
yeah
it's
the
instance
of
the
the
the
Builder.
It's
not
the
Builder
framework
in
the
end.
E
B
Thanks
so
can
I
ask
folks
who
participants
conversation,
have
an
opinion
to
review
Andrew's
pull
request
so
that
way
we
could
come
up
with.
We
could
figure
out.
Basically
what
we
should
expect
should
say:
I
agree
who
think
by
the
way,
whoever's
thinking
those
I
really
really
appreciate,
you're
doing
a
great
job.
So
thank
you
so
much.
It
doesn't
say
who
it
is.
On
my
screen
at
least.
B
You
Nicole,
the
like
the
self-hosted
versus
you
know
centrally
hosted
I
I
feel
like
I
agree
is,
is
a
big
thing
that
comes
up
a
lot
and
people
want
to
know
and
they
feel
like.
We
should
answer
that.
So
if
you
could
comment
on
the
pull
request
and
get
you
know,
we
could
come
and
do
it
there
I
think
that
would
be
great.
B
B
Arno
you
brought
up
expectations.
Do
you
want
to
go
first.
I
Yeah
so
expectations,
actually,
so
it
Bears
on
pull
request.
Is
it
675
so
the
way
the
one
zero
or
C1
has
it?
Is
it
says
that
expectations
are
set
of
constraints
on
the
packages
probed
on
submitted
data
that
the
package
producer
sets
and
the
proposal
I
mean
the
the
if
PR
675
were
to
be
merged,
as
is
it
actually
changes
this?
To
saying
that
you
know
the
it's
the
provenance
verifier
that
sets
the
expectation
and
I
think
that's
a
major
change
that
we
need
to
really
nail
down
and
I
think
it
has
to.
I
It
comes
from
a
bit
of
a
confusion,
I
think
the
the
intent
is
that
you
know
it's
understood
that
at
the
end
of
the
day,
the
verifier
is
in
control.
They
can
set
their
own
policies,
they
can
Define.
You
know
what
they
are
going
to
rely
on
to
do
the
verification
and-
and
so
from
that
point
of
view
they
can
override
whatever
comes
from
the
the
package
producer
anyway,
but
I
think
the
initial
intent
was
to
say:
well,
there
is
some
kind
of
default
expectations
that
are
being
defined
by
the
package
producer.
I
But
so
the
the
this
is
a
bit
different
from
what
and
and
where,
and
the
pull
request,
as
I
pointed
out
in
the
comments
is,
is
not
very
consistent
because
in
some
places
it
basically
says
is
that
and
I
have
to
give
Josh
credit.
He
is
the
one
who
who
defined
it
in
the
the
way.
I
just
said
it,
which
is
the
producer,
sets
default
expectations
and
the
fire
can
use
those
and
may
override
them
as
they
want.
I
G
Yeah
so
I
I
agree
with
the
framing
of
setting
expectations
and
setting
a
verification
policy.
Actually
I
hadn't
heard
that
from
Josh
I
had
a
talk
with
Kara
with
with
Care
at
the
end
of
last
week.
She
brought
that
up
to
me,
I'm
yeah,
I'm,
happy
with
that
split.
My
my
main
concern
or
I
had
two
main
concerns.
G
The
first
is
that
whatever
we
do
needs
to
work
for
a
trust
on
first
use
model,
because
that
is
more
or
less
how
the
internet
works
and
we
we
need
some
support
for
that,
and
the
other
is
that
I
I
didn't
want
to
put
us
in
a
situation
where
a
party
has
a
responsibility
that
is
not
actionable,
because
that
means
that
nobody
is
responsible,
and
so
my
concern
was
that
if
the
package
producer
is
responsible
for
making
sure
that
a
verifier
is
policy
or
whatever
a
verifiers
expectations
are
correct,
they
can't
do
anything
and
so
that
that's
what
I
was
trying
to
clarify.
G
I
So
I
I
think
we
we
need
to
confirm
the
model
right
once
we
have
the
model
we
all
agree.
This
is
what
we
want
to
say.
We
can
work
on
the
detail,
but
beyond
the
text
and
I'm
happy
to
review
again
some
changes,
but
so
I
want
to
know
if
anybody
disagree
with
the
model
I
laid
out,
which
is
actually
by
the
way,
it's
in
a
comment
from
Joshua
further
down
in
the
pull
request,
go
ahead.
F
I
I
So
we
are
not
claiming
to
change
that.
We
cannot
constrain
with
the
verifier
trust
and
text
into
account,
but
the
question
is
whether
their
expectations
that
are
set
by
the
producers
that
are
and
and
what
role
you
know
this
has
so
I
like
the
model
that
Joshua
laid
out,
which
is
basically
the
consumer,
can
take
a
slash.
Verifier
can
take
that
as
the
default,
but
it's
you
know
all
of
the
input
they
get.
G
So
I
I
do
worry,
though,
that
we're
we're
using
the
term
set
expectations
in
two
ways,
and
that
is
what
caused
my
confusion.
G
F
B
A
little
bit
worry
that
we
are
using
expectations
like
jargon,
to
mean
a
particular
concept,
but
that
concept
is
not
fully
fleshed
out
because
like
if
we
we're
just
talking
like
kind
of
real
world
terms,
I
think
that
basically,
the
way
it
works
is
that
the
producer
has
to
build
in
some
way
and
like
it,
maybe
using
passive
voice.
Because
it's
a
little
bit
easier
here
like
it
must.
B
It
must
be
knowable
what,
for
example,
Source
repo.
This
thing
is
supposed
to
come
from,
like
when
you
say
the
underscore
JS
package.
There
needs
to
be
like
a
proper
thing
to
compare
it
against.
Right,
like
there
is
some
sort
of
official,
Upstream
and
I
guess
we
could
talk
about
in
the
spec
of
like
who
decides
what
the
official
one
is.
B
But
I
would
imagine
in
most
cases
when
you
like,
when
you,
when
I
use
underscore.js
like
I
I,
don't
know
I'm,
gonna,
I'm
gonna
use
some
sort
of
process
to
figure
that
out,
and
maybe
it's
like
I
do
a
search
and
like
that's
the
first
one
and
I
say:
okay,
that's
good
enough
or
there's
metadata
in
the
in
npm.
That
says
that
that's
what
it's
supposed
to
be
but
I
think
that's.
B
Basically
what
we're
trying
to
say
is
that,
like
you
can
know
what
the
thing
is
supposed
to
be
built
from
and
I
think
what
we're
maybe
running
into
is
that
like
in
reality,
it's
messy
and
I
I
worry
that
we,
if
we
say
the
package
producer,
does
this
or
the
ecosystem?
Does
this
or
the
consumer?
Does
this
I
wonder
if
a
little
bit
more
vagueness
would
actually
be
useful,
yeah,
Michael.
K
K
Think,
inevitably,
a
lot
of
it
is
going
to
be
an
agreement
between
the
producer
and
verifier
right
and
I
like
when
I
think
about
it
right,
I,
think
about
hey.
If
I
you
know,
I've
worked
at
companies
large
and
small
and
I
think
the
thing
is
like
large
companies
are
going
to
say:
hey,
they
want
to
make
sure
a
bunch
of
stuff
from
at
least
like
the
people,
they're
actually
buying
from
right,
they're
going
to
say.
K
Well,
we
expect
this
stuff
is
going
to
be
in
your
salsa
metadata,
because
it's
not
just
like
I
think
salsa,
mostly
has
been
focused
around
guaranteeing
that
the
Providence
is,
is
a
tamper,
evident
or
tamper
proof,
but
I
think
different
companies
are
going
to
say
what
information
do
I
want
in
that
provenance
and
I.
Think
what
we'll
see
is
the
consumers
right
are
going
to
say:
hey
I,
demand
that
if
I
buy
something
from
you
that
you're
going
to
include
in
your
provenance,
you
know
the
this
Source.
K
You
know
like
exactly
the
source
that
it
came
from
or
or
whatever,
or
hear
what
the
the
resolve
dependency
should.
Look
like
and
I
think
that
itself
is
is:
is
okay,
I
think
it's
going
to
be
a
little
bit
more
complicated
when
you
look
at
open
source,
because
you
know
you
can't
really
make
a
demand
of
an
open
source
provider
in
most
cases
right
like
it's
going
to
be
one,
it's
gonna
be
different.
K
Let's
say
if
you
go
after,
like
a
big
sort
of
distro
out
there
like
like
Debian
or
whatever
right,
you
know,
saying
hey,
we
would
love
it
if
you
had
this
in
your
provenance
is
probably
reasonable
compared
to
you
know
some
random
person
who
you
know,
writes
an
npm
package
on
the
weekends
and
saying
actually
we
want
all
this
information
in
there
and
that's
going
to
put
a
big
burden
on
you
and
then
I
think
I.
K
I
still
think
that
you
know
generally,
the
the
build
service
right
is
more
responsible.
Just
purely
for
saying,
I
did
all
the
right
things
from
a
requirements
level
to
sign
the
stuff.
To
sort
of
show
that
tamper,
you
know
to
show
those
those
those
security
properties.
More
so
than
necessarily
saying
hey.
The
build
service
is
responsible
for
making
sure
that
the
up
you
know
I
can
fetch
the
Upstream
package
or
something
like
that.
K
Our
Upstream
source.
G
I
can
I
will
make
a
I
will
update
my
PR
with
what
I
understand
to
be
the
outcome
of
this
conversation.
I
will
do
that
by
the
end
of
the
day
today,
Pacific
time,
if
everyone
else
who
is
interested
could
review
it
in
the
next
day
or
so,
I
would
appreciate
it.
We
can
go
from
there.
F
And
someone
whose
entire
business
model
is
building
things
from
source
and
letting
open
source
people
build
things
from
Source
on
our
system
if
they
want
to
get
provenance
stuff
I,
like
that
last
paragraph,
where
we
were
saying
that
the
build
system
should
be
saying,
I
can
do
all
of
this
and
then
it's
kind
of
like
well.
You
know
not
guaranteeing
the
Upstream,
because
if
the
open
source
maintainer
tells
us
rubbish,
we're
gonna
put
the
rubbish
in
there.
You
know.
I
J
Yeah
I
was
intrigued
by
the
last
comment.
I'm
sorry,
I
didn't
hear,
I
wasn't
sure
who
said
it,
but
basically
you
know
if
a
build
system
gets
instructions
to
do
rubbish.
That
I
mean
that's
what
it's
going
to
do,
I,
don't
we
don't
want
to
impose
unreasonable
requirements?
J
J
F
I'll
give
it
a
review
and
at
least
see
if
it
sounds
to
me,
like
you
know
we
get
out
of
that,
get
a
you
know
to
best
effort,
you
know,
must
be
verifiably
produced
and
signed.
So
I
can
say
exactly
what
I
did
and
who
gave
me
what
and
then
this
way
we
can
say
well,
Bob
gave
me
x,
x
is
rubbish,
but
that's
not
my
fault.
I
recorded
Bob
gave
it
to
me
and
I
made
it.
You
know
verifiable.
B
Sounds
good,
okay,
we're
at
a
time.
Thank
you,
everybody
and
let's
continue
Chan
on
those
and
if
you
have,
if
you're
able
to
review
that
would
be
super
helpful
thanks.
Everyone
thank.