►
From YouTube: SLSA Positioning Meeting (November 8, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
B
B
B
A
A
D
A
B
C
B
C
B
B
A
C
A
A
You
know,
tongue
sticking
out
I
already
voted,
because
I'm,
not
waiting
in
line
or
just
like
Mike
is
going
to
be
waiting
in
line
pretty
soon
here
for
voting
I
try
to
do
things
early,
I,
don't
like
waiting
in
line
so
I'm
just
poking
fun
at
the
folks
that
we'll
have
to
wait
in
line
to
vote
today
for
the
midterms
hi
Laura.
Welcome
is.
D
Same
I
just
was
trying
to
heat
up
soup
and
quickly
before
this
meeting
and
of
course,
I.
It
was
a
glass
jar
of
soup
and
it
just
shattered
all
over
the
kitchen,
I'm
sorry
yeah
and
I'd
like,
but
they
made
the
kid
they're
a
little
bit
older,
so
they
got
the
broom
and
the
dustpan
and
they
got
shoes
on
and
they're
helping
I
think
that
mostly
would
last
but
they're
helping
scoop
it
I'm,
like
oh,
my
gosh.
Can
you
guys
please
I
know.
A
Okay,
so
for
for
jumpsuit
and
Laura
right
so
for
the
positioning
group,
what
we're
trying
to
do
is
trying
to
you
know,
educate
evangelize,
you
know
what
salsa
is
how
it
can
help.
We
were
doing
some
earlier
efforts
on
mapping
to
the
different
kind
of
Frameworks.
We
kind
of
put
that
on
pause
for
a
little
bit,
because
we
wanted
to
do
it
in
an
automated
fashion.
A
So,
right
now,
what
we're
doing
is
we're
focusing
on
trying
to
put
out
a
few
blogs
and
sorry
if
you
can
hear
a
background
noise
and
so
the
blog
that
we're
working
on
right
now,
it's
called
the
developer.
Blog
of
you
know
why
a
developer
cares
about
salsa
and
we're
focusing
on
level
one
and
level
two.
A
A
D
In
catch-up
mode
on,
but
we
I
did
present
the
the
concept
of
of
the
end-to-end
software
supply
chain
framework
that
doesn't,
it
isn't
just
exclusively
salsa
as
something
that
is,
is
new
for
to
work
on
this
quarter
at
our
security
industry,
coordination
qbr,
so
I'm
really
looking
forward
to
contributing
and
seeing
where
the
best
we
can
pick.
Okay.
B
A
A
Basically,
for
the
part,
one,
the
intent
of
the
blog
is
just
you
know
how
salsa
helps
right
very
light,
not
too
prescriptive,
so
that
we
can
get.
You
know
the
developer.
Slash
I
think
we
also
mentioned
product
manager
to
buy
in
to
the
concept
of
salsa
right,
and
so
she
did
a
really
good
job
of
trying
to
make
the
analogy
and
linking
back
to
the
devsecops
manifesto
like.
Why
are
we
actually
doing
this?
A
Why
should
they
care
and
so
feel
free
to
read
through
that
I
think
this
part
is
pretty
pretty
golden
right
now.
I
also
think
most
of
these
two,
the
Y,
should
shop.
The
software
developers
and
product
managers
consider
salsa
I
think
this
is
pretty
good.
There
was
a
Clarity
that
these
are
Developer,
specific
and
I,
wasn't
sure
quite
how
to
word
that
right,
because
it
just
says
salsa
level
one
to
two,
but
it
doesn't
say
that
it's
for
the.
A
B
A
D
I
would
say:
I
was
looking
for
something
that
it's
been
a
couple
of
months
since
I
I
I
had
to
add
additional
resources
to
something
similar
about
explaining
the
security
requirements
to
a
software
developer,
because
what
we
get
off
oftentimes
the
the
response
that
they
don't
work
in
security,
and
so
what
you
know
not
not
all
of
them
right,
just
occasional,
like
I,
don't
work
in
Securities
to
insecurity
is
not
my
job.
So.
A
D
Actually
took
some
time
to,
and
it
may
take
me
a
few
minutes
to
to
find
the
reference
where
it's
it
states
that,
like
security
is
a
software
is
part
of
the
software
development
life
cycle.
So
maybe
just
something
like
that.
That
ties
it
together
to
say
this
is
why
you
should
care,
and
it's
not
just
because
we
said
so,
but
because.
A
Yeah
yeah
so
yeah
definitely
then
check
this
part
that
Michelle
contributed
to
on
what
you
have
seen
success,
because
Michelle
mentioned
that
she's
seen
success
in
this
type
of
messaging
to
developers,
and
so,
if
there's
something
missing
or
something,
maybe
we
can
enhance
by
all
means
we
we
can
add
to
it
and
I.
So
I
think
this
would
be
a
good
section
for
you
to
to
take
a
look
at
once.
You
do
find
that
reference
that
you're
you're
trying
to
look
for.
A
A
Vice
also
levels
there's
this
what's
not
covered
by
salsa
levels,
so
we
want
to
make
sure
that
we
are
putting
salsa
in
the
right.
I
guess
position
right,
like
it's
not
going
to
fix
all
your
problems
right
and
so
I
think.
This
is
why
we
added
the
what
is
not
covered
by
salsa
yeah,
but
I
do
go
ahead,
yeah,
but
we,
but
I
am
curious
about
if
we
should
add
something
like
for
these
things
that
we
don't
cover.
B
Just
one
one
thing
that
I
would
like
to
add
here,
like
there
are
some
already
some
security
specification
like
Nest
Securities
specification
and
all
which
more
detailed
about
the
different
security
guidelines
and
all
and
salsa
is
actually
looks
like
giving
a
lighter
version
of
that.
So,
if
you
are
able
to
correlate,
then
people
will
be
able
to
understand
like
those
who
know
that
this
partnist
or
some
other
security
standards,
they
will
be
able
to
understand
where
salsa
placed
in
in
the
security
guideline
slot.
C
So
I
I
think
also
one
thing
that
we
can
maybe
even
be
a
bit
stronger
on,
is
just
like
making
it
very
clear
here,
because
I
know
you
know,
I'm
a
I'm
I
come
from
that
Dev
world
that
then
transferred
more
into
security,
so
I
understand
where
a
lot
of
folks
are
coming
from,
and
so
there's
like
two
things
one
is
like
salsa
is
not
like:
it's
not
an
application
security
framework
right.
It's
not
in
trying
to
tell
you
how
to
prevent
stuff,
like
you
know,
inadvertently,
introducing
a
SQL
injection
attack.
C
C
Salsa
says:
hey
no,
like
we're,
not
that
we
want
to
make
sure
that
we're
very
focused
around
just
purely
the
you
know,
the
the
supply
chain
piece,
so
the
provenance
making
sure
that
hey
I
I
have
some
code
I,
maybe
I
have
some
dependencies
and
then
that
ends
up
in
production.
At
some
point
you
know
like
and
and
yeah
is
everything
in
there
being
tracked
in
a
good
way
and
so
on
and
so
forth.
Such
that
I
can
trust.
It
I
think
that's
one
thing.
C
The
other
thing
I
think
that
I've
also
found
a
lot
of
success
in
having
been
on
the
other
side
of
being
a
developer
is
like
being
a
developer,
being
told
hey,
you
need
to
do
the
security
stuff
is
the
the
the
earlier
on
in
the
process.
It's
pushed
to
me
the
better
right,
because
then
I
don't
have
to
worry
about,
like
the
worry
is
always
which
has
happened
to
me.
C
C
So
that's
kind
of
I
think
the
when
I
think
about
like
what
developers
are
interested
in
I
feel
like
are
sorry
like
why
they
should
care
about.
This
sort
of
thing
is
like
hey.
This
helps
you
out
with
all
of
these
pieces.
It
helps
you
out
with
making
sure
that
hey
you
don't
inadvertently,
introduce
something
that
is
gonna.
You
know,
hurt
your
self,
your
organization,
your
team
Etc,
as
well
as
just
sort
of
making
sure
that
that's
you
know
more
straightforward
and
something
that
helps
you
go
home
at
a
reasonable
time.
Yeah.
A
I
do
like
that
use
case
about.
You
know
right
before
production
push.
Something
goes
wrong.
I
think
that
would
resonate
and
I'm
wondering
I'll
go
into
this
part
here
in
a
second
but
I.
Think
I'm
going
to
add
that
as
a
use
case,
right
here
and
I'm
going
to
actually
add
it
as
use
case
three,
because
I
think
use
case,
three
would
be
stronger
than
four
like
use
case.
One
and
two
they're
okay,
but
I
can
build
upon
the
story
of
okay
developer.
Does
this
developer?
Does
this?
A
C
Yeah
and
I
think
one
thing
to
just
add
in
there,
like,
as
literal
things
that
have
happened
to
me
right
as
I
saw
I
used
to
work
at
Banks
a
lot
and
you
would
you
would
there
was
a
gating
process
and
usually
the
problem
was
that
security
was
usually
a
gating
process
right
near
production
and
that
sort
of
gating
process
led
to
a
lot
of
inefficiencies.
Because
sometimes
you
know
a
security.
C
Design
kind
of
question
was
still
being
addressed
right
before
you're
ready
to
go
to
production
when
you
would
expect
that
to
sort
of
be
handled
significantly
earlier
on,
so
that
you
have
that,
like
quick
feedback,
loop
of
like
oh,
we
have
this
idea.
Actually
that's
never
going
to
pass
policy,
so
we
should
just
you
know,
you
know
ignore
it,
whereas
you
know
the
thing
that
has
happened
to
us,
or
you
know
myself
and
and
a
lot
of
folks
who
work
at
very
large
Enterprises.
A
C
Like
so
designs,
so
like
security
designs
like
like,
if
you
know-
and
this
is
something
that
in
in
some
of
that
diagram-
that
you
had
earlier
on
Melba
with
like
the
the
holistic
sdlc
thing-
and
it's
something
that
also
we've
been-
you
know,
we
showed
off
a
little
bit
at
kubecon.
Is
that
idea
of
you
know?
Security
is
often
like
security
is
in
each
stage
of
the
sdlc
and
right
now,
folk
people
are
way
too
focused
on,
like
the
end
stage
of
implementation.
C
C
Hey
you
should
be
funding
security,
you
know
as
part
of
planning,
and
you
should
be
you
know
getting
that
ready
and
then,
as
part
of
like
analysis
or
your
design
phase
or
whatever
you
want
to
call
it.
You
know
all
of
these
things
should
get
done,
which
then
makes
everything
else
much
simpler.
So
you
don't
get
surprised.
You
know
right
before
production
or.
D
That
makes
sense,
you
know
whatever
there's
also
I,
it
wasn't
the
exact
source
that
I
was
looking
for,
but
it's
been
shared
before
is
the
the
application
of
root
calls
analysis
kind
of
ties
into?
That,
too,
is
like
how
you
could
save
time
and
money,
and
you
know
developer
hours
having
something
like
salsa
that
help
guide
you
through,
like
the
software
testing
piece
of
it.
So
there's
there's
that
aspect
of
that
we've
talked
about
it.
It's
been
a
while.
D
A
A
Yeah
now
I'm
wondering
more
and
more
here.
Let
me
show
you
something
really
quickly.
I
was
trying
to
do
this
with
a
J
and
Isaac
I
didn't
finish
right,
but
we
were
trying
to
say
okay,
what
is
salsa
versus?
What's
not
salsa
right,
so
it's
also
build.
We
didn't
go
into
the
levels
right,
but
the
dark
green
is,
you
know,
salsa
build
the
light.
Green
is
social
source,
but
you
see
the
the
blues.
Is
we
called
it?
C
C
You
know,
because,
because
I
think,
like
a
simplified
version
of
something
like
this,
would
make
it
a
bit
clearer
and
then
the
the
thing
I'm
reminded
of
a
little
bit
is
so.
This
helps
out
with
the
sort
of
like
trying
to
have
folks
understand
kind
of
like
how
how
salsa
fits
in
right,
where
you
know
where
the.
If
you
you
know
salsa,
is
very
much
focused
right
now,
at
least
on
the
source
to
artifact
kind
of
stuff
and
then
separately.
I
know.
C
One
of
the
things
that
we
had
talked
about
is
potentially
on
like
a
V2.
We
probably
want
to
also
include
like
maybe
even
go,
all
the
way
back
to
developer
right,
so
developer,
writing
source
right
and
helping
protect
that
and
helping
sort
of
help
out
there
and
then
potentially
even
doing
something
like
not
just
tell
artifact
but
all
the
way
into
production.
Something
like
that.
So
that's
something
I
know
that
we've
talked
about
like
eventually
hitting,
but
right
now
we
want
to
make
sure
that,
like
the
big
piece,
that's
that's
missing.
C
A
C
And
so
that
image
like
what
I
like
there
is,
you
have
sort
of
you're
talking
about
the
end
to
end
sort
of
thing,
and
this
is
sort
of
saying
what
are
the
layers
to
kind
of
get
to
supply
chain
security
right
where
the
trust
Foundation
is
just
like.
You
want
to
make
sure
that
you're
assigning
identities
to
things
and
then
the
software
out
of
stations
is
where
salsa
fits,
which
is
hey.
C
A
A
B
I
have
I
have
a
question
a
little
bit
out
of
thing
like
you
know,
this
salsa
like
currently
is
mentioning
about
the
application
build
and
deployment
scenarios
securing
that
part
right
so
when
it
comes
to
infrastructure
as
code
now,
that
is
also
software
part,
even
a
similar
rate.
So
in
that
case
RV,
for
example,
considering
the
terraform
or
any
ieac
code
development.
Are
we
considering
salsa
standard
to
incorporate
infrastructure
approaching,
build
and
deployment
securing
infrastructure
building
deployment
as
well.
C
So,
probably
like
not
from
the
perspective
of
like
actual
like
hey,
are
we
securing
the
deployment
of
this
thing?
Salsa
would
be
consumed
by
those
things.
To
sort
of
say
is
my
stuff
salsa
compliant,
because
I
have
a
policy
that
all
applications
must
be,
it's
also
compliant.
So
if
that's
the
case,
then
I'm
going
to
let
that
get
deployed
now
separately.
C
C
That
sort
of
thing
could
also
go
through
the
salsa
process
to
say
that
this
set
of
infrastructure
code
has
is
is
also
compliant,
but
as
far
as
like,
actually
securing
an
artifact
getting
deployed
out.
That's
something
that's
kind
of
like
outside
of
the
scope
of
salsa,
but
the
intention
is
and
Google
calls
it
binary
authorization.
A
bunch
of
other
folks
call
a
bunch
of
different
other
things.
But
the
idea
of
like
saying,
hey,
I,
have
a
policy
and
only
things
that
meet
that
policy
are
allowed
to
go
to
to
get
deployed.
Yeah.
B
So
what
I
feel
yeah?
That's
that's
good.
So
just
wanted
to
consider
the
use
case
where,
when
we
write
IAC
chords
like
the
rough
form,
we
do
have
also
vulnerabilities
check,
like
we
do
in
applications
say,
for
example,
for
application.
We
use
tools
like
sonar
Cube
or
check
marks
kind
of
tool
which
will
do
the
vulnerability
analysis
of
the
application
code
similar
to
that
terraform
also
have
foreign.
B
Which
will
do
the
vulnerability
check
of
the
terraform
code?
It's
again
like
you
mentioned
Michael,
like
it's
happening
in
the
left,
part
of
the
development
life
cycle,
so
so
salsa,
whether
I
mean
my
question
or
my
doubt
was
like
whether
this
process
is
also
in
line
with
the
salsa
level.
Standard
can
be,
for
example,
can
I
say
an
infrastructure
provisioning
pipeline
like
CHP
is
now
applicable
for
terraform.
Also
so
now
can
I
say:
I
have
a
statement
like
my
cicd
pipeline
for
infrastructure.
Proportioning
using
terraform
is
salsa3
complete.
C
C
So
the
idea
behind
it
is
salsa
itself
largely
just
says
you
should
have
a
secure
pipeline,
but
we're
not
going
to
tell
you
what
that
is,
because
everybody's
going
to
have
different
things,
and
you
know
like
if
you're
running,
an
air-gapped,
military-grade
environment,
it's
going
to
look
very
different
than
if
Mike
is.
You
know,
updating
his
blog
right,
so
there's
gonna
be
a
very
big
difference
there.
C
We
have
a
way
of
saying
in
the
salsa
we
can
see
that,
like
you
ran
like
we
have
records
of
you
running,
you
know
certain
security
scans
generating
of
s-bombs
and
so
on,
whereas
before
like
the
problem,
was
you
might
be
running
a
security
scan
a
sonar
Cube
black
duck
Vera
code.
Whatever
right,
you
might
be
running
some
of
those
scams,
the
problem
is
one
of
the
things
that
often
happens.
C
Is
you
don't
have
records
that
you
actually
ran
it
against
what
you
expected
to
run
and
that
kind
of
is
like
the
the
one
of
the
things
is
that's
one
of
the
things
that
we
saw
with
like
the
sonar
cubes
solarwinds
situation
right
is.
We
saw
that
it
turned
out.
You
thought
you
were
scanning
what
you
were
deploying,
but
you
weren't
right.
You
were,
you
were
scanning
something
else,
and
you
were
deploying
this
other
thing
right
and
that
thing
was
signed.
Yeah
yeah.
C
So
this
thing
because
it
keeps
track
of
the
hashes
and
everything
else,
and
it's
also
integrated
into
stuff
like
in
Toto
right.
It
makes
it
very
very
easy
for
us
to
have
to
say
that,
yes,
you
know
step
a
is
downloading
the
code
step.
B
is
linting,
doing
security
lending
step.
C
is
running
the
actual
build
step.
C
C
Yes,
so
salsa
is
really
at
this
point,
like
mostly
recommended
for
anything
that
involves
a
transformation
step
or
something
that
you
want
to
keep
track
of,
because
if
you
want
to
keep
track
of
like
different
things
that
are
happening,
and
you
want
to
have
a
record
that,
like
your
build
system,
signed
off
and
said,
I
ran
these
steps,
so
you
can't
have
just
somebody
say
you
know
falsify
a
record
of
that
thing.
That's
where
salsa
comes
in.
A
A
C
Yeah,
so
so
that
helps
out
I.
Believe
Isaac
has
like
this
originally
stemmed
from
some
demos.
I
guess
Isaac
has
been
giving
once
again,
I,
don't
work
at
Google,
so
I
don't
know
if
he's
been
doing
it
internally,
but
my
understanding
that
this
is
all
you
know.
This
is
stuff
that
they've
been
obviously
sharing
outside
because
they've
made
it
public
but
yeah.
C
But
I
remember
from
his
slide
deck
he
was
going
through
and
talking
through
each
individual
thing,
where
you
know
the
trust
Foundation
is
saying
you
need
to
have
IAM
and
a
signing
mechanism
and
so
on.
And
then
you
need
to
generate
attestations,
sign
those
attestations
based
on
the
trust
and
so
on,
and
then
okay,
then
the
aggregation
and
synthesis
is
saying.
A
Okay,
are
we
good
to
go
on
to
the
to
the
next
one,
which
is
the
problems
it
can
catch
thumbs
up,
I,
see
Smiles,
except
for
Jason,
and
no
pressure
Jason,
okay,
Okay.
So
the
the
use
cases
that
we
have
so
far
is
the
local
modification
for
for
local
testing
of
a
yaml
file
right
so
developer,
configures
or
changes
something
in
their
yaml
file
locally.
A
They
forget
about
it
and
they
attempt
to
build
the
code
according
to
how
it
was
explained
to
us.
I
think
it
was
earlier
last
week.
It
would
prevent
that
bad
compile
all
right.
It
would
say
no
what
you
currently
have
on
your
system
does
not
match
the
Upstream,
and
so
it
would
not
compile
the
code
or
would
not
build
the
code.
A
A
C
Yeah
I
think
for
the
most
part,
like
the
salsa
one
is
less
focused
like
it's
also
one's
trying
to
like
build
the
on-ramp
to
security.
It's
not
really
itself
very
useful
from
the
perspective
of
like
actual
security,
but
it
does
help
in
a
couple
of
ways.
One
is
assuming
right
like
it
doesn't
really
protect
against
a
bad
actor,
but
it
does
help
from
like
the
perspective
of
an
investigation
or
audit.
Assuming
your
build
system
hasn't
been
compromised
right.
C
Assuming
that
you
are
trusting
all
the
internal
parties,
it
helps
you
go
back
and
audit
and
you
know
find
stuff
like.
Oh
it
turns
out.
You
know
this
build
happened
on
this
day,
yeah
as
Laura's
messaging
right
like
it's,
it's
stuff
like
it's
more
like
it
just
helps
build
an
audit
Trail.
It's
just
not
necessarily
A
a
trusted
audit
Trail,
just
an
audit
Trail
yeah.
A
Yeah
and
I
think
some
of
these
were
for
for
Laura
and
jumpsuit
that
weren't
here
in
the
past
couple
of
meetings,
there's
these
two
Links
at
the
bottom,
like
all
the
way
at
the
bottom.
If
you
scroll,
where
we're
getting
some
of
this
information-
and
it
talked
about
you
know,
documentation,
mistake
prevention,
inventory
and
level.
Two
is
reduced,
attack,
surface,
weak
tampering,
protection
and.
C
A
Goes
and
it
talks
about
the
benefits,
and
so
this
is
already
on
Salsa's,
GitHub,
I,
think
GitHub,
repo
and
there's
I
think
this.
This
picture
right
here
I
think,
is
on
the
dev
website,
if
I'm
not
mistaken,
I
I
can't
remember,
which
is
which
so
that's
where
we're
getting
some
of
the
stuff.
From
this,
these
two
pieces
of
information,
I.
D
Think
it
also
helps
with
like
what
they
call
the
unwitting
non-malicious
threat
Insider
threat.
So
there's
like
they
probably
don't
go
that
down
into
the
weeds
when
we
talk
about
different
threat
actors,
but
there's
there's
a
I
I
have
some
experience
in
like
the
in
developing
an
Insider
threat
program
and
there's
that
unwitting.
D
You
know
whether
it
be
a
developer
or
just
an
employee
who
thinks
they're
doing
the
right
thing.
But
you
know
they
make
a
mistake,
and
so
that's
where
that
data
processing
error
comment
comes
from.
Is
that
there's
there's
that
that
that
piece
is
considered
a
threat
actor
but
not
in
the
same
sense
that
most
folks
immediately
think
of
of
a
malicious
that
actor?
That's
targeting
that
particular
system.
A
D
A
D
B
Yeah,
as
you
mentioned
here
in
the
locker
system,
this
is
also
applicable
when
we
are
building
this
with
the
cloud,
build
art
and
things
or
something
like
that
right,
that's
so
taskful.
So
we
need
to
consider
that,
as
also
to
this,
it
can
happen
when
we
are
doing
this
in
tools
like
in
Champions
or
Cloud
Builder.
B
A
C
B
Yeah,
it's
usually
the
on
those
scenarios.
Service
account
will
be
the
like.
You
know
the
the
authorized
identity
to
do
this
so
yeah.
So
with
that
access
still,
this
can
happen.
Other
could
be
so.
Some
organization
will
have
their
own
to
avoid
the
security
issues
they
have
their
own
locally
or
internal
dependency
repositories,
artifact
Registries,
internally
maintained
and
no
packages
like,
for
example,
in
PM,
not
jsnb
package.
B
B
C
And
and
I
think
what
you're
saying
there
is
is
stuff
that,
like
one
of
the
you
know
a
lot
of
a
lot
of
the
stuff
there,
that
salsa
sort
of
hits
to
help
out
these
things
are
things
like
hey.
It
doesn't
necessarily
prevent
somebody
from
building
against
the
wrong
thing,
but
it
provides
a
record
that
they
did
build
against
the
wrong
thing.
So
you
can
go
back
and
have
your
policy
that
says,
wait
a
second
you
weren't
supposed
to
do
that
and
and
and
then
from
there
right.
C
D
Was
gonna
say
that
that
ties
back
up
to
that
root
cause
analysis
thing
that
I
I
posted
or
attached
as
a
comment
before
that
could
also
kind
of
loop
back
around
into
having
a
record
of
that
and
being
able
to
to
do
either
debugging
or
an
investigation
with
that
type
of
information.
Sorry
I
didn't
mean:
okay,
no.
A
C
Build
script
right
like
the
idea,
so
so
what
that
prevents
is,
if
you
just
have
something
like
make,
build
right,
that's
how
you
build
yep!
Well,
that's
a
build
script
like
if,
if
you
do
something
like
oh
go,
build
CP,
you
know
CP
this
file
over
here
and
then,
like
you're
manually
running
all
those
commands
to
package
up
your
application.
Then
all
it
takes
is
one.
A
A
We
could
then
build
the
use
cases
around
us
to
say.
Well,
if
you
change
the
settings.yaml,
if
you
misnamed
the
files,
if
you
downloaded
additional
dependencies
in
that
same
directory
structure,
then
based
off
of
level
one,
it
should,
in
theory
prevent
it
from
actually
doing
a
build
complete.
Should
it
not.
A
Because
here's
the
build
all.sh,
here's
the
build
script
right,
it's
supposed
to
you-
know,
build
the
source
build
from
Source
rather,
but
you,
as
a
user,
have
changed
the
yaml
file
on
your
local
system.
You
might
have
downloaded
additional
dependencies
on
your
local
system
so
from
level
one
perspective,
even
though
you
have
that
build
all.sh,
would
it
actually
Finish
the
build?
A
Is
the
assumption
that
it's
supposed
to
check
that
yes,
Upstream
is
is
is
not
correct?
It's
not
matching,
or
are
we
saying?
Okay,
yes,
level,
one,
you
have
a
build
script,
and
even
if
you
have
all
these
other
things
that
are
changed,
it's
not
necessarily
going
to
catch
that,
but
it
would
be
an
audit
trail
that
this
is
where
it
went
wrong.
A
A
B
A
D
C
Foreign
yeah,
so
I
mean
I,
can
talk
a
little
bit
about
like
what
the
the
concern
is
and
like
how
what
we're
trying
to
do
with
salsa
to
kind
of
prevent
it,
and
so
the
you
know,
the
the
concern
with
a
lot
of
this
right
is
is,
if,
let's
say,
I'm
running
this
locally
right.
You
know
my
local
laptop.
The
worry
is
hey.
I
have
something
malicious
on
my
machine
or
you
know
something
like
that
or
me
who's,
just
a
developer,
maybe
messes
with
something.
C
While
it's
running
that
kind
of
thing,
once
you
get
to
like
level
two
and
you're
running
it
in
like
a
bill
like
or
once
you're
required
to
run
it
in
a
build
service.
I
can't
remember
if
it's
level,
two
or
level
three
I
think
it's
level
two
once
you're
required
to
run
into
build
service.
The
idea
is:
hey
that
build
service
right,
your
you
should
be.
You
know,
there's
an
expectation
and
it's
in
the
requirements
that
there's
an
expectation
that
you're
securing
this
build
service.
C
C
An
admin
on
Jenkins
can
just
log
in
and
start
messing
with
stuff,
but
the
idea
would
be
you
know,
you're
securing
that
build
service,
and
so
the
idea,
once
you
get
to
like
level
three,
where
even
the
build
surface
is
signing
the
provenance,
then
what
ends
up
happening
is
the
build
itself
is
not
signing
the
provenance.
So
even
if
the
build
reports,
false
information,
you
have
a
separate
service
signing
it.
So
you
don't
so
you
you,
you
have
the
lower
risk
of,
let's
say
the
downloading
of
dependencies.
C
You
downloaded
a
malicious
dependency
and
in
certain
languages
like
or
certain
ecosystems
like
npm,
even
downloading
a
dependency
can
run
arbitrary
code,
and
so
you
can
end
up
with
a
situation
right
where
you
downloaded,
where
you
downloaded
a
dependency.
That
starts
trying
to
steal
your
secrets,
and
if
you
are,
you
know
if
you're
having
the,
if
you're
having
your
build
itself
like
if
your
build
script
calls
something
like
Sig
store
or
notary
to
sign
the
the
resulted
artifact.
C
So
that's
one
big
worry,
and
so
the
idea
is
salsa
prevents
these
sorts
of
things
by
saying:
well,
no,
the
build
service
at
level
three
is
actually
doing
the
signing
and
is
also
introspecting.
So,
even
if
a
particular
build
is
attempting
to
lie,
you
still
know
the
inputs,
so
you
could
go
back
and
rebuild
it
on
a
bunch
of
different
Hardware
or
whatever
a
bunch
of
different
build
infrastructure
and
double
check
like
hey,
I'm
gonna
run
it
in
a
bunch
of
different
places,
and
then
it
helps
you
figure
out.
C
C
A
C
A
A
A
C
C
Hardened
this
in
some
of
the
actually
no
I
guess
this
is-
is
still
there
but
yeah,
so
the
I
I
get,
and
so
maybe
this
needs
to
be
refined
even
a
little
bit
further
to
make
it
a
little
bit
clearer,
but
I
believe.
The
idea
here
is
like
if
I
were
to
open
up
my
vs
code
and
modify
some
files
run,
go
build
yep.
C
You
know
mistakes
during
the
release
process,
such
as
building
from
a
commit
that
is
not
present
in
the
Upstream
repo
or
if
the
expectation
here
is
that
the
build
process
includes
downloading
the
source
which,
if
that's
the
case,
then
the
idea
and
and
which
either
way.
We
should
make
sure
that
it's
clear,
because
that
that
could
also
be
the
case,
in
which
case
like
your
bill,
your
build
process
is
essentially
hey,
I
have
a
build.sh
script
or
whatever
that
downloads.
C
The
code
runs
the
build
and
so
on,
but
yeah
I'm
not
exactly
sure
what
you
mean.
What
what's
meant
by
that
and
now
that
now
that
you
kind
of
talked
about
like
how
you're
reading
it
and
I
think
how
you're
reading
it
also
makes
sense,
but
it
it
kind
of
complicates
I
think
what
we're
trying
to
kind
of
get
out
of
there.
Yeah.
A
So
yeah,
so
that's
where
and
it
looks
like
here-
reduces
yeah.
It
could
be
reduces
mistakes
because
here
is
so
that
it
generates
and
distributes
at
the
station
describing
how
it
was
built
who
built
it.
What
was
the
process
command
so
here
it
almost
seems
like
okay,
it's
just
recording
what's
happening
and
then
here
it
says
automatically
where
the
art
exists
and
matches
the
expectation.
A
A
B
One
point
not
related
to
this
document:
I
mean
since
Michael
also
mentioned
about
that
preventive
world.
So
in
the
slsa.site
the
home
page
itself,
we
were
mentioning
like
prevent
armoring
and
all
those
details.
So
instead
it
would
be
like
to
say
help
to
prevent
right.
I
mean
just
the
thought
process.