Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SLSA Biweekly / 21 Feb 2023
OpenSSF / SLSA Biweekly / 21 Feb 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SLSA Positioning Meeting (February 21, 2023)

Description

Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa

A

Hello, hey.

B

Guys, yeah I, just uh I'm, just on slack now I believe uh Melba was supposed to cancel.

A

Yeah, this is what I was thinking when I joined I was like I'm, not sure this is happening today. I know she has a sick kid and uh he might just want to bail out yeah yeah I mean.

B

She.

A

Just said that myself, yeah.

B

I'm not sure.

A

I will cancel for today. Apologies folks, yeah.

B

um Be on the lookout, though, because I believe that we're still trying to finalize the new time and.

A

Yeah, there's that too, on.

B

The last working group meeting we're gonna up level and have um s2c2f and salsa positioning meetings together.

B

um So that's a that's another uh another do out as well I'm imagining we want to talk about that as a Sig, um but though I know those two things were talked about the same week. So so so we got we gotta drill down on those yeah.

A

Yeah.

A

Okay, yeah all right. Well, that's it yeah all right! That's it! For today, at least.

C

Thank.

A

You I'm sure they're lost their souls. I guess are going to join, but this meeting has been official canceled, so I'll.

B

Stick around for a couple of minutes to.

A

Talk to you soon, bye.

D

Hi yeah I, just I, didn't even see that it was being canceled um but yeah I kind of wanted to hop in. Since it's been a really long time.

C

um

D

um Yeah, so um are these meetings happening weekly now it seems like most of the time right happening.

B

What.

D

Are they happening weekly, or at least most of the time.

B

Oh yeah, the opposition means a happening weekly, um but this meeting time is going to change a couple of meetings ago. We voted on having the meeting at an earlier time.

D

Okay,.

B

But I believe that, um but and also at the working group meeting, we decided to up level the meeting having it as like an s2c2f and salsa.

C

Positioning meeting so.

B

Earlier time, and also the the scope of the meeting is going to change as well, um all things to stay tuned up but yeah, the meaning for today is uh has got, has gotten uh gotten canceled.

D

All right, yeah, that's fine, um yeah, I'll I'll. Just try to keep an eye out for for the updates, then um yeah.

B

And I saw that you that you wanted to have your name added to the blog post, uh make sure you get on that get on in that blog and do some comments and stuff as well.

D

Yeah I did um I did leave some comments. I, don't necessarily need to have my name added uh I thought it was mostly for commenting, um but yeah yeah it. For now it looks like it's mostly going to be Mark and Chris. We're gonna, be the authors, um yeah.

B

And now: well, that's what it says: I'm not I'm, not terribly sure, I'm, not terribly sure what the shape, how that's going to shake out completely but yeah. That's definitely what it says.

D

Oh I totally misread that. um Oh wait, uh yeah I, don't know if they changed. It just says. Add.

B

To the Google Doc I don't know yeah, it has Mark's name and Mark and Mark said, oh uh great great, that my name is here. I, just don't want to be here by myself.

D

Yeah, let's see.

D

Yeah all right yeah. What are your thoughts on this on this blog post.

B

Oh, you didn't see my you didn't see the stuff I wrote in there so.

D

So I saw some of your comments. Yeah.

B

um Well, my thought my thoughts are are um as I comment as I comment regularly um man we doing when it comes to salsa we're doing a lot of before the horse type stuff.

D

Like.

B

I I really feel like we need to dot our eyes cross our T's and one of the comments in that said as much like you know, if you, if we keep putting this stuff out publicly and it keeps changing publicly, then you really are going to have a situation where you're going to be able you're going to begin to lose um confidence, yeah and and and the work like when it comes to a spec.

B

You don't have many opportunities to change when it becomes public. You don't have many opportunities to change the scope of the spec, because then it stops being a specification yeah. It starts just being a a great idea. Like you like you it it's a great idea. That becomes a specification when it's adopted, but if you keep changing the scope of it, you're not going to get much adoption and the people who have adopted it and then be like dude come on what am I supposed to do now.

B

You've done made me change all of these things in my org and now I can and now I don't even meet the requirements from the last changes, because now you've told me something else to do. Yeah.

C

And.

B

That keeps changing so so I I a lot of this I'm I'm on the team, because I I think this is so I think this is great work. I just feel like man.

B

We need to you, know, you're, making some bold statements on stuff that ain't done yet, and um you know just just the the just the fact alone that you have some people that say that they've adopted salsa well, I, don't know what's hot, what's also you're adopting, because things have been split off into four or five different tracks, which track did you adopt because the last time I checked we're not even on version one yet, and that is the build track. It ain't nothing else. Yeah.

C

So.

B

You so like you have a lot of people that have that are claiming adoption, but what have they adopted?.

D

Yeah.

B

Now become the problem.

D

um Yeah, no even one of the comments that I left um kind of towards the bottom of the of the document we're just like, oh, are you are we actually in support of the division I was like? Are we implying that we're gonna reverse some of our um to your point about it changing um too often well,.

B

I mean look, look I, mean think about the last time that you were I mean I, haven't seen you for a while right. So the last time, yeah I, think the last time I saw you that there wasn't provenance yet right, so they so they've broken off into like salsa Providence.

D

Yeah and then and then there's a.

B

Whole conversation about s-bomb versus salsa, Providence, yeah and then okay. So let's just let's talk about what the definition of provenance is right.

D

Yeah because the definition.

B

That salsa is using for Providence ain't, the definition of provenance yeah.

D

Yeah I, that's that's, always been kind of an issue. I've had I think they've, always called it. Providence I've.

B

Been a lot more involved yeah, you were one of the people. That said well. What providence are we talking about, because open source provenance is one thing that all that means is that you can trace uh open source component back to its original Source, like you can trace it back you, you know where.

D

It came from yeah.

B

So but what so? What's the salsa Providence? What what why is there a whole different definition of providence just for salsa? What is that you know I mean and then and then you're creating a provenance doc so to speak, yeah! Well, you you and then why is that being compared to an s-bomb.

D

Yeah I have no idea who brought in the esbom conversation, because salsa and s-bomb are completely different things.

B

I mean like Isis out there. You should see I when I saw I was like who I was like. Where did the conversation about s-bomb versus salsa Province and they were like Jay? Please don't get started, don't they shut up because I, because I came in on the tail end, it was like they're like Jay. We please, please don't bring that back up. Just I was like what the hell I couldn't believe it I was like what are they talking about? Oh thank you, but that's the kind of stuff that's happening.

B

um You know that's kind of stuff, that's happening behind the scenes that we don't hear about until it comes up and a lot of this stuff I mean like look I I I've said before I'm. Like you know, I, you know: okay, I I, don't I'm not terribly sure how the scope of salsa keeps changing, and that's, and once again in that blog I said the same thing. I said we got to be careful about scope creep here.

B

The scope of salsa has changed like three or four times since to someone like the scope of salsa has changed. I. Don't I don't even like I'm trying to figure out? Why too like? Why is I? Think I thought the scope was fine. It just needs to be built upon, but the scope has changed.

B

Yeah.

D

I.

B

I mean look, I still think it's a I still think it's a good effort, I think it's a good effort. I think the right people in the room to talk about it and help fix and help get it moved along and then do all that kind of stuff. I. Just think that that we need to make a decision on something and stick with it so that we can get to a 1.0 I think that's preventing us from 1.0.

D

Yeah, this is just how Brandon joined.

B

Oh, hey Brandon, um so this this meaning is a. This meeting was canceled. Oh.

C

It was okay, yeah.

B

It was canceled, um Marcelo and I. Just are just talking about the catching up. Okay, um I have not been there for the last few minutes and catching up a bit.

C

Well also to drop by this meeting at some point because to chime in on that spot and stuff. So.

B

Oh, you won the chime in on s-bomb stuff.

C

No I was told to kind of chime in the spawn stuff. Oh oh God, yeah, because.

D

I.

C

I'm I'm working kind of an intersection, so yeah, okay, um yeah I'm, working on the Salsa Salsa, like components of spdx and again I want to clarify sptx is not equals as home as a part of spdx. So that's also the.

B

Application.

C

Right: yeah, what what I mean look.

B

That so that argument in the in the in the conversation is is, uh is extremely uh extremely important um because of that small bit of confusion around what spdx you know actually is um in relation uh and in relation to to salsa.

B

You know it's it's just it's just a it's just a a form of uh of writing of writing. S-Bombs! It's not it's! Not it's not a it's! Not it's! It's a form of it's a form of a written s-bomb, but it's not I mean I I. Don't know that like a lot of these conversations are uh a lot of these conversations. Are a real uh man, we're like late in the game to be having a lot of these conversations.

B

I want to say late in the game. I'll just think that I just think in terms of the spec that's being written. A lot of this stuff is like you. You can't be talking about that at this late stage, we're talking about 1.0, you shouldn't be trying to adjudicate what is or isn't an s-bomb I. Don't even know like what what what.

B

um All.

C

I.

B

Want to do with reflect the respective positioning is make sure that we're telling the story um and telling it correctly and telling it the right way, the first time and not having to to to uh retract all the time.

C

Yeah I I think I have uh I, don't know what what what the group has been up to, but I would be happy to have like, at least from the SVS perspective, like write a write, a blog post on the salsa blog to kind of like Define, that if that's helpful,.

B

I mean at our next positioning meeting, because I think I think it might be relevant for both um salsa and s2c2f, especially if we do up level the positioning meeting to salsa and S2 c2f they'll talk about spdx because um you know I, don't want to say most s-bomb generating tools, but um the good majority of s-bomb, generating to their app I mean at least the ones being developed today are using um spdx to generate s-bombs and that's just because of of EO compliance and all that kind of stuff.

B

That's the spdx is a um is an ISO is an ISO spec. Currently um that meets EO uh that meets EO compliance.

B

um You know for for helping to write uh s bombs, so most generated tools are using spdx to write them.

B

It would be good for you to do that, but that would mean that that, um for salsa purposes and even for for um s2c2f that we'd be saying S no spdx is the um spdx is what we're going to be using to write ass bombs and I'm, not sure if you want to uh I'm not sure if we wanna pigeonhole into one technology because I don't know I'm, just saying I'm, not sure if we want to pigeonhole into that one technology to write s-bombs versus maybe something that maybe having a versatility or being able to use it at that spawn written in any uh written in any any standard or whatever is, is a nest bomb right?

B

Maybe we go there. I, don't know, I, think that's up to the spec say to adjudicate right, I, don't know.

C

Yeah yeah I mean that's still foaming up, um so no one really knows what the execution of the the yield verification is anyway.

B

Exactly exactly I mean, like all things that are still up in the air right I mean like you know what what is the and that and that's a big, that's a large part of this tool. A large part of this is the ambiguity um and and I guess we work through uh you know so so that that's why I say I mean I, don't know about a a Blog that just talks about spdx in relation to to salsa I. Think that we do need to have a discussion and then see where we want to go.

B

But you know.

C

Yeah I.

A

Guess I'll I'll.

C

Stay tuned, whatever that's going to be posted, so I, know maybe Charming on that cool, um all right, I'm, sorry to budget and I'll leave you all the chat.

D

No, it's totally fine.

C

All right cool have a good one.

D

You too thanks yeah I'm, probably gonna head out in a bit too huh I'm, probably gonna head out and in just a bit too um yeah So, based on what Brandon was saying. That was kind of an interesting point.

D

um Do you think the salsa V1 blog posts should have something about its relationship to s-bomb and how it's not an s-bomb.

B

Too,.

D

Much right, like so.

B

So that was one of the things that I mentioned in there when they went on a couple of paragraphs. They talked about the delineation between the tracks and then on my paragraph. They talk about how the build track incorporates one of the delineations of the other track like the Providence is.

B

It includes vert, note stuff from Burj Providence version, 0.1 I might do that's that is, you know, I mean so so I that being the case, I I, don't I think that no I I don't I, don't because I think to even introduce an argument about it's, not an s-bomb I think to even do that creates more questions than it does answers sure right, yeah. If you have to go out and say salsa is not an s-bomb well.

B

Why is that even a conversation to begin with, let's look deeper into any similarities or or differences, and now you're saying well, why would they even mention you know I mean like it creates it creates more that that was my whole thing about salsa Providence and that's what I'm like? Why would you even do that like yeah like and that's Farmer's Nest bomb, it's also Providence South, but why would you even put those two together and say verses? Why would you even put a verses in there.

D

I.

B

Mean s-bomb versus salsa problem. Why would you even do that like that, like that, like what? What doesn't even make any sense to me, but so so I would say: no, no, don't even they played this. An s-bomb should help meet certain salsa requirements. Sure, but but I think for the purposes of that blog, that that's not that's, not something you were mentioned in that blog unless it's somewhere benefits of the build track.

B

Is you know this is none of this none other and generating an s-bomb can help you meet the requirements of level, one two or three of salsa build track, but it's also build levels right that gave me I mean yeah, but but does that need to go in and not necessarily.

D

Yeah yeah I I've noticed not just not just even in the salsa meetings but internally and talking to other folks in other communities. There's still a lot of this sort of opposing mentality of like I mean people have asked me like Why Can't, This Be, instead of an s-bomb, that's not when s-bomb is for um and.

D

There's there's other standards for other information, um because.

B

People still don't fully understand the nature of an S1, yet.

D

Yeah.

B

No, that that's still being tossed around in the air, and now we talking about Vex documents that should accompany an espal. So.

D

The.

B

Next document exactly right and then you know, there's a there's, a a large contingent. That is still unaware of what these things actually are, what they're actually used for and then there are a lot of people who there are a lot of different thoughts around an s-bomb and what an s-bomb, and then you have P bombs and e-bombs and yeah the all kinds of bombs. I I mean it's like they. We didn't even get s-bomb out the door. Yet before now you got all these other bombs. Yeah.

B

It's hilarious, I, I, sit back and and I laugh about it, um but all an s-bomb is: is the ingredients of your software build yeah? That's it that that is it there's the there's? No, there is no salsa.

B

There is nothing else there other than the ingredients of your build and, and all that will do is help you prioritize um vulnerability, vulnerability remediation. Should the next document tell you that there is a component that was used that is affected by a certain vulnerability. Now you have to go into your s-bomb identify which component? That is, if it's there, the version number Etc, is it vulnerable? Is it not vulnerable? Okay?

B

Well, now, I have to go ahead and remediate that, but let's prioritize remediation of those vulnerabilities depending upon what part of the build that that particular component is in I mean that that's basically it, but all that does is fulfill a requirement of salsa, maybe a control of a requirement of a level of salsa, maybe or maybe it's good for level.

B

One I don't know, but again, I I, don't know, and the reason why I'm saying I don't know is because the the damn levels change so often that you that you that you can't know right. So so you know that, but but to equate an s-bomb with salsa is like that's just not that just ain't it yeah.

D

No, it's it's yeah. Definitely not um yeah I! Think uh my fear is it's gonna come up again, I've been a lot more involved in the spec on the specification side lately um and there's fields in the salsa Providence.

D

Now that are basically like a mini s-bomb like that's kind of what they amount to, because that's here's, here's the dependencies we use and here's the hash of dependency um and they list that and so I I think some people are going to look at that and be like well how's, this different from s-bomb um because, like what you're saying like they don't understand the the differences so.

D

Yeah all right, um while I have you here, I wanted to ask you about something entirely different, um that I've been meaning to reach out to you about um I'm, organizing a workshop in November um with some other folks um and we're looking for people to review like talk abstracts.

D

um Would you be potentially interested and available to do that.

A

Yeah.

D

Sure cool yeah, absolutely yeah, it's it's like part industry, part Academia. So there's going to be potentially good mix of stuff, um but yeah. We need some more industry folks um on our Review Committee. So.

B

Yeah and I got you um I'll even put on my doctor hat, for it.

D

Perfect yeah, yeah I know thanks so much um I'll I'll. Send you the the official like invite um but yeah cool cool thanks so much it.

C

Was good to catch.

D

Up yeah all right, I'll see you around all right, bye, bye,.