►
From YouTube: SLSA Biweekly (May 11, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
A
B
B
D
B
B
Is
there
any
anything
anyone
would
like
to
discuss?
I
don't
know
I
could
I
could
throw
something
up
here
where
I
was
helping
to
review
this?
Let
me
pull
it
up.
B
The
thing
is
a
fascinating
proposal
that
everyone
should
take
a
look
at
it's
by
I'm,
not
sure
whether
I'm
saying
his
name
correctly
so
I
apologize,
Visa
I
think
wrote
an
interesting
proposal
for
using
something
called
a
policy,
so
you
know
how
GitHub
actions.
Now,
if
you
turn
on
the
npm,
build
Providence
thing,
you
can
spit
out
the
salsa.
B
You
know
the
build
provenance
attestations
right
and
it
gets
recorded
in
six
store
and
all
that
good
stuff
great
with
pizza
is
proposing
here
is
that
we
can
write
what
he
calls
a
policy
to
to
to
be
able
to
enforce
things,
to
be
able
to
say
okay
for
these
packages
with
certain
versions,
I
expect
them
to
come
from
this
source
code
repository
precisely,
and
it
needs
to
be
built
using
this
bill
system
specifically
which,
which
is
interesting,
because
then
you
can't
you
can't
change.
At
least
these
two
things,
the
properties
that
you
expect.
B
B
B
F
With
someone
else's
mind,
leading
the
meaning
to
I
have
a
bunch
of
background
noise
right
here,
so
I'll
try
to
be
on
mute
most
of
the
time.
B
So,
okay
with
the
okay,
so
let's
see
so
the
first
thing
on
the
agenda
is
welcome.
New
members
is
there
anyone
who'd
like
to
introduce
themselves
to
the
group.
G
I
can
Justin
I
would
at
Google
I've
been
working
in
the
space
outside
of
salsa,
but
in
Google
open
source.
It
goes
to
me
Google's
own
protections
for
supply
chain
for
a
long
time
with
Mark
and
others
well
good
to
be
here.
H
Is
this
introductions?
Yes,
my
name
is
Barrick
first
time
here,
I
work
for
Pangea
cyber.
We
do
some
security,
API
stuff
I
help
the
security
team.
You
know,
do
everything,
including
some
appsec
and
and
supply
chain
security,
stuff.
B
F
Yeah,
the
the
notes
are
I
pasted
in
the
chat,
but
you
could
also
always
get
to
it
at
salsa.deb
notes
and
then
the
the
first
one
is
community,
and
that
opens
up
the
meeting
notes
and
we
ask
everyone
records
attendance.
B
Cool
so
I
guess
we
can
move
on
to
the
next
next
thing
on
our
agenda.
First
thing
is
the
Sig
update
special
interest
group
update
first
Sig
is
specification
as
you're
all,
probably
aware.
It's
also
we
1.0
was
released,
no
significant
update.
C
Now
this
spec
repo
has
been
fairly
quiet.
A
bunch
of
folks
have
requested
some
clarifications,
but
there
hasn't
been
a
lot
of
activity
on
on
the
project.
Otherwise
it's
since
the
release,
so
yeah,
that's
about
it
from
the
specification
side.
F
Yeah
Mike
Lieberman
also
got
a
bunch
of
good
feedback
from
I
think
it
was
coupon,
and
so
we
still
have
like
the
backlog
to
go
through
I
think
we're
just
kind
of
taking
a
little
bit
of
a
breather
to
catch
up
on
other
non-salsa
work,
but
then
I
think
first
order.
Business
is
kind
of
going
through
through
the
feedback
and
addressing
that
and
and
simultaneously
working
on
the
roadmap
and
figure
out
what
to
do
next.
B
Absolutely
so
we
encourage
everyone
here
to
please
take
a
look
at
us
back
and
please
send
us
PRS
or
issues
to
help
us
fix
the
the
the
spec.
B
Positioning
which,
unfortunately
I've
not
had
the
time
to
attend
as
regularly
as
I
would
like
is
there?
Is
there
any
updates
here.
E
E
B
Next
tooling,
any
I
wish
Michael
Lieberman
was
here
because
he
usually
chairs
those
Sig
working
groups.
Does
anyone
have?
Is
anyone
aware
of
updates
here.
C
B
That's
also
fair
and
I
think
I
think
to
be
fair.
Also,
a
lot
of
people
are
trying
out
the
existing
tooling
as
it
is
so
we
will
figure
things
out
organically.
As
my
guess.
B
Cool,
let's
see
we
could
go
one
of
two
ways
here.
One
is
since
many
of
the
steering
committee
members
are
here.
We
could
talk
about
Bruno's,
excellent
work
on
putting
together
a
draft
for
formalizing
the
steering
committee
election
process,
or
we
could
discuss
PR's
first,
which
which
would
you
prefer.
B
E
Let's
share
my
screen:
let's
see
how
I
can
shoot
and
looks
like
I.
Don't
have
the
button
to
share
the
screen?
Okay,
yeah,
it
changed.
E
So
here's
the
the
link
for
the
proposition
I
think
that
I
can
share
the
the
link
to
to
wider
audience
because,
including
here,
just
those
people
that
said
they
would
like
to
collaborate
in
this
document.
So
keep
it
more
close
to
the
chest.
But
of
course,
let's,
let's
open
this
I
somewhere
half
of
the
this
structure,
but
as
we
have
today.
E
Get
better
thanks,
okay,
so
the
idea
is
that,
as
we
have
seven
members,
we
have
election
through
half
of
those
and
every
year.
So
three,
four,
three
four
three,
four,
that's
the
idea
and
then,
of
course
we
have.
The
candidate
expectation
looks
like
the
Joshua
already
brought
it
to
us
that
it's.
E
That
is
already
definition,
so
I
I
learned
this
this
morning,
so
I
have
to
update
the
documents
to
make
sure
that
you
have
the
right
reference
and
not
try
to
replicate
information
in
different
documents,
but
looking
for
the
the
voting
process,
first,
the
idea
again,
I
I
I,
run
through
this
process
recently
with
15.org
as
well,
and
we
try
to
do
something
in
that
that
direction
that,
in
our
case,
that
works
well,
so
I
think
that
it
also
can
be
applied
here
equally
that
it's
we
open
for
nomination.
E
We
left
for
like
four
weeks
and
the
received
nomination
a
nomination
will
be
in
the
form
like
the
name.
It's
a
form,
it's
a
one-page
document
that
you
feel
like
what
is
your
name,
your
title
company,
if
you
would
like
to
include
any
of
her
friends
like,
for
example,
LinkedIn
or
GitHub
link
and
and
a
nomination
statement,
it's
just
a
phrase
that
you
describe.
E
For
example,
what
is
the
qualification,
the
role
in
South,
sustaining
Community
member,
previously
prior
involvement
and
the
open
source
or
collaborative
efforts
as
well
collaboration
that
you
have
for
the
foundation
try
to
bring
relevant
information,
but
it's
one
paragraph
and,
as
we
can
assume,
for
example,
we
can
may
have,
for
example,
three
or
four
nominations,
but
we
can
have
a
15.
so
you're
not
able
to
have
them
to
present
themselves
if
you
have
15
20..
E
So
the
idea
is
that
it's
after,
like
four
weeks
I'm
just
making
this
four
weeks,
the
steering
Community
is
going
to
filter
those
candidates
that
you
think
that
it's
it's
can
fit
the
the
the
position,
and
then
you
publish
what
it's
the
day
for
the
election
and
the
date
of
the
election
will
be
something
like
a
each
candidate.
They
present
to
everybody.
E
But
it's
your
nomination
statement
and
five
Millions
to
present
and
five
minutes
to
answer
questions
from
the
student
committee
and
then
at
the
end
of
those
presentations,
we
can
deliberate
to
try
to
find
what
is
the
the
best
fit
and
we
have
a
formal
vote
and
then,
after
that,
we
we
can
decide
which
is
going
to
to
take
the
position.
E
However,
one
challenge
that
was
anticipating
since
the
beginning-
and
it
happened
as
well
with
the
other
other,
for
example,
funerals.org.
It
was
when
you
have,
for
example,
a
student
member
steering
committee
members
like
we
have
today,
and
you
have
two
years
of
Duty.
If
you
want
to
say
how
are
you
starting
breaking
down
so
in
that,
in
that
case
we
created
this
transitional
election.
So
we
increased
the
number
of
members
for
one
year
so
that
REM
the
the
original
Seven
they
go
to
the
election
the
following
year.
E
So,
for
example,
here
I
was
thinking
about
four
can
be
three
as
well.
For
example,
we
have
seven
from
2023,
we
can
add
like
three
or
four
members
and
then
in
2024
all
the
original
Seven
members
have
to
go
to
election.
So,
from
the
seven,
only
three
or
four
you'll
be
elected
and
continuing
with
the
two-year
cycle.
That's
a
way
that
it's
because
for
now
it's
going
to
say
wow.
Unless
we
have
enough
people
that
it's
going
to
say
well,
I
don't
want
it
to
serve
and
the
Syrian
Community
member.
E
F
Well,
one
our
governance
doc
says
that
we
could.
We
have
up
to
seven
members,
so
I
think
we
need
to
change
the
government
on
stock
to
say
that
I
didn't
I,
didn't
understand
the
justification
for
adding
more
is.
G
E
E
E
That
it's
volume
once
that's
transitional
action.
That
is
the
point.
It's
not
going
to
stay
like
10
on
11,
moving
forward
this
ub7,
but
from
2023
2024.
We
have
more.
F
Mean
it
says
that
we
are
supposed
to
group
ourselves
into
two
groups,
one
serving
initial
two-year
term.
One
searching
the
other
serving
initial
one-year
term
I
mean
we
could
change
the
doc
I
think
we
need,
like
a
vote
to
change
a
doc.
F
C
Yeah
I
think
it's
it's
slightly
harder
in
the
showtime,
but
less
work
in
the
long
term
contraction
it
could
be
difficult
and
especially
if
we,
if
we
have
the
initial
seven
members,
all
want
to
apply
for
re-election
like
how
the
voting
would
work.
If
it's
the
steering
committee
that
votes
for
new
members
would
be
like,
you
would
effectively
have
the
four
additional
members
voted
on.
Seven
members
seems
kind
of
scary.
G
F
C
I
think
I
think
it
would
be
I
mean
two
years
feels
like
an
awful
long
time.
I
think
it
would
be
better
to
get
to
that
point.
Two.
C
B
D
B
C
C
Was
just
gonna
say
we
should?
We
should
have
like
some
notion
of
what
happens
when
someone
relinquishes
the
kind
of
position
or
what
happens
when
someone
is
just
not
active
like
that?
We
we
should
document
that
I'm
not
sure
if
it's
captured
in
the
current
documentation
but
I
know
in
the
initial
governing
stocks.
C
We
had
a
two-year
term
because
I
I
yeah
generally
groups
like
this
try
to
avoid
having
the
entire
group
be
re-elected
on
an
annual
basis,
because
you
kind
of
run
into
issues
of
I
have
to
figure
out
everything
again
from
scratch
or
having
to
do
some
kind
of
transition
period
or
something.
D
Yeah,
it's
I'm,
sorry!
If
I
missed
it
was
there
anything
here
about
like
how
do
you
prevent
one
all
of
the
members
from
being
from
one
specific
company?
Oh.
F
The
current
governance
doc
says
the
committee
will
take
into
account
things
such
as
blah
blah
blah
blah,
as
well
as
the
need
to
maintenance
balance
perspective,
for
example,
no
more
than
two
people
from
the
same
group
yeah
that
writing
is
actually
a
little
bit
ambiguous,
I,
don't
know
if
the,
for
example
is
binding
or
not.
F
That
seems
like
something
we
should
just
clarify
and
it
seems
that
worthwhile
to
update
the
the
doc
trishank
list
referenced
the
in
todos
during
the
governor's
stock.
As
one
of
the
comments
that
one
is
much
more
explicit,
it
says
you
know
at
least
five
members,
no
more
than
two
may
have
defend
this.
The
same
organization.
D
Yeah
I
think
because
I
think
it
too
can
lead
to
kind
of
lazy
membership.
Also
of
like
hey.
We've
got
all
these
people
from
one
company
and
no
one.
Let's
not
put
it
in
a
document,
because
what?
If
no
one
from
other
companies
is
available?
But
we
can
always
seek
out
representatives
from
other
companies
in
order
to
maintain
that
diversity
on
the
on
the
board.
But.
H
I
Okay,
so
this
is
my
you
know
in
theory,
my
my
first
meeting
to
this
group
and
I'm,
probably
coming
at
you
know
right
time.
The
question
I
had
is
for
for
the
memberships
or
for
you
know
getting
onto
the
board
or
you
know
the
theologians:
is
it
necessary
for
the
candidate
to
be
representing
an
organization
I?
Ask
because
you
know
if
you
look
at
the
tech
sector
right
now,
so
many
people
are
facing
layoffs
and
you
know
they
are
in
their
transition
space.
I
So
is
this
more
of
an
individual
and
the
credit
credibility?
The
individual
brings
to
the
table
to
you
know
and
to
offer
to
the
open
source
community
over
here,
or
is
it
more
about
the
individual
representing
the
work,
that's
being
done
at
the
organization.
D
B
I
I
There
are
so
many
people
of
High
Caliber
who
have
been
laid
off
or
you
know
who
are
in
the
process
of
you,
know
transitioning
jobs
and
if
we
tie
them
to
an
organization
that
is,
you
know
a
disservice
to
the
to
the
individual
who
has
done
the
work.
I
So
you
know,
let's
be
clear
about
you,
know
making
this
as,
as
you
know,
participating
in
the
in
the
open
source
Community.
You
know
contributing
to
the
to
the
open
source
Community
rather
than
you
know.
Yes,
we
are
all
backed
by
our
organizations.
However,
there's
an
individual
who
drives
the
work.
F
Yeah
I,
don't
I,
guess
it's,
maybe
implicit
in
the
governance
talk,
but
the
the
intention
was
that
we're
well
I
I
believe
electing
individuals,
not
representatives
from
a
company
like
we've,
had
several
people
like
and
I
think
it's
tied
to
the
individual.
The
purpose
of
the
Georgia
companies
is
just
to
prevent
skew
of
like
if,
for
example,
everyone
is
from
works
at
the
same
company
that,
like
just
an.
G
F
Perspective
but
then
also
it
just
doesn't
feel
balanced.
B
B
Great
so
I
think
I
think
we've
wrapped
up
discussion
on
that
one.
Today
we
will
wait
to
get
more
feedback
from
the
community,
finalize
it
and
go
from
there.
I,
don't
think.
There's
anything
else
on
the
agenda
other
than
discussing
PRS,
and
particularly
this
is
for
the
salsa
proposals.
Repository
we
could
we
could.
We
could
discuss
that
for
those
those
those
are
interested,
otherwise
feel
free
to
to
tune
out
this
proposal.
In
particular,
let
me
share
my
screen:
I
guess
it's
easier.
B
And
feel
free
to
mention
other
PRS
too
right.
This
is
the
one
that
I'm
most
interested
in.
Oh
I
should
also
mention
that
there's
an
interesting
salsa
conformance
program.
So
let
me
not
forget
that
too.
Actually,
let
me
add
that
here
we
go
sequential,
very
nice,
okay,
so
I
think
if
I
got
his
name
correctly,
I
may
have
forgive
me
if
I'm
butchering,
but
Visa
who's
previously
at
Google
I
think
has
this
very
nice
proposal
here
which,
if
I,
understand
the
idea
correctly.
B
So
you
might
have
seen
news
about
how
GitHub
is
producing
Providence
right
for
you,
if
you,
if
you
opted
in,
and
so
so
at
least
if
people
opt
in
we'll
start
getting
all
this
very
nice
attestations
about
your
bills,
signed
using
full
show
and
and
stored
and
secur
all
that
good
stuff
and
I.
Think
if
I
understand
correctly,
what
vitsa
is
saying
here
great
now:
we're
well
positioned
to
start
using
what
he
calls
policies
to
to
be
able
to
enforce
things
before
you
admit
things
into
your
your
production.
B
So,
for
example,
you
could
say,
as
I
was
mentioning
earlier,
you
could
say
things
like
for
this
package.
In
a
certain
range
of
version,
let's
say
1.0.0
and
above
it
needs
to
come
from
this
GitHub
source
code
repository,
but
also
be
built
by
GitHub
actions
using
this
particular
workflow.
Let's
say
with
that
repo,
and
so
you
can
start
enforcing
this
and
checking
signatures
on
them
before
you
admit
these
packages,
Mark
have
I
done
Justice
to
this
PR.
Would
you
like
to
add
more
thoughts.
B
Yeah
so
so
I
think
I.
Think
Mark
had
sent
a
deadline
of
of
comments
for
today,
I
think,
which
I
think
is
reasonable,
because
it's
been
standing
outstanding
for
a
while
and
I
added
some
of
my
thoughts
yesterday,
I,
don't
know
Mark
how
you
feel
about
keeping
this
open
or
should
be
merged
as
a
draft
and
then
add
more
substantial
address,
more
substantial
feedback
and
following
PRS.
What
would
you?
What
would
you
propose
that
we
do
here.
F
I
think
if
there's
like
active
I'm
open
to
this
I
feel
like
if
there's
active,
discussion,
I'm
fine
with
it
but
like
I,
don't
want
just
kind
of
sitting
around
forever.
It's
currently
marked.
F
F
I
know
trishank
your
your
main
feedback
was
around
like
using
in
Toto
to
represent
that
I
I
feel
like
the
the
main
yeah
and
there's
certainly
is
there's
an
inconsistency
between
the
language
here
like
using
the
term
policy
and
the
language
that's
in
the
spec,
because
they
kind
of
start
in
the
same
place
and
then
diverged,
because
this
was
kind
of
being
written
for
a
while,
and
so
that
would
be
good
good
to
resolve
and
and
one
other.
F
F
As
a
brief
background,
the
the
main
kind
of
idea
here
I
think,
is
not
so
much
exactly
how
the
thing
is
encoded,
like
you
know,
you
mentioned
in
total.
F
To
require
that
I
think
we
should
make
that
a
good
option,
but
I
think
that
the
the
main
thing
is
like
how
it's
almost
like
the
policy
management
piece
of.
Where
does
policies
get?
Where
do
policies
get
checked?
And
how
do
you
know
what
policies
to
check
like
you
said?
You
know
when
you
see
an
npm
package,
Foo
version
one.
How
do
you?
F
The
big
question
is
like
how
are
you
supposed
to
know
where
what
the
source
repo
was
supposed
to
be
and
how
it
was
supposed
to
be
built
and
I
I,
don't
think
we
want
to
prescribe
and
saying
like
it
must
be
built
everything
from
GitHub
actions,
let's
let's
say,
but
rather
I-
think
it's
more
like
in
practice.
F
This
thing
is
built
from
GitHub
actions,
and
so
that's
what
a
legit
build
looks
like
like
that's
what
the
maintainer
is
doing
today,
and
so,
if
you
then
see
a
subsequent
build
from
something
else,
that
is
a
a
significant
change
and
it
should
be
authorized
somehow,
basically
like
that.
That's
I
think
to
me:
that's
like
the
high
level
idea,
but
it's
really
difficult
to
get
it
into
words
that
everyone
agrees
on
the
the
other.
The
other
kind
of
challenging
piece
is
like
in
this
diagram
right
here
that
you
have
presented.
F
Actually,
if
you
could
go
back
to
that,
oh
sorry,
yeah
yeah,
you
know
that
there's
there's
likely
in
most
cases,
and
we
have
this
in
the
spec
a
bit
two
places
that
we'll
want
to
do
these
kind
of
admission,
control
or
or
whatever
that.
E
H
F
Registry
right
there's
some
notion
of
like
you,
don't
want
bad
things
to
get
published,
and
so
you
need
some
notion
of
what
good
looks
like,
and
we
should
just
you
know
describe
it,
have
a
recommendation,
particularly
for
open
source
about
how
that
could
work.
Foreign
in
that
case,
maybe
it's
it's
not
clear
to
me
like
what
the
best
route
is.
F
Maybe
it
is
that
the
maintainers
of
the
package
say
what
good
looks
like
and
they
just
have
a
check
and
and
then
there's
some
sort
of
two-party
review
or
something
on
changes
to
that
policy,
or
maybe
it's
like
it
looks
like
the
previous
version
and
if
there's
a
significant
diff,
then
maybe
you
have
to
do
some
additional
checks
or
something
I
don't
know,
but
then
you
also
want
to
have
a
you
may
or
may
not
also
want
to
have
a
checkup
like
install
time
that,
like
regardless
of
the,
if
the
policy
was
checked
at
upload
time,
you
kind
of
want
to
also
check
at
use
time
and
there
that
check
might
be
a
little
bit
different.
F
For
example,
one
way
to
do
that
could
be
in
a
lock
file
like
when
you
have,
let's
say
you're
using
npm.
You
have
a
packagelock.json
file
that
lists
the
versions,
the
names
versions
and
hashes
of
everything
that
your
project
uses
your
dependencies.
F
When
your
dependencies
get
updated,
you
could
check
the
provenance
of
those
and
check,
compare
the
provenance
of
the
new
version
to
the
old
version
of
each
of
your
dependencies,
and
you
know
if
it
looks
roughly
the
same
and
is
like
kind
of
equivalent.
Then
you
say
good
and
if
not,
then
that's
a
signal
that
something
might
that
you
should
kind
of
approve
that
that
is
described
down
in,
like
I.
F
Think,
like
the
tofu
policies,
Trust
on
first
use
policies
as
like
an
idea
for
how
this
could
be
a
way
of
like
low
overhead
for
users
like
not
much
to
maintain,
but
so
those
are
kind
of
the
ideas
that
we
talked
about
and
would
like
to
get
feedback
on.
F
B
F
B
B
I
I
do
have
some
some
questions,
as
you
might
have
seen
about
things
like.
How
do
you
update
the
policies,
because
you
know
if
something
changes
Upstream?
How
do
Downstream
pick
it
up?
But
you
know
we
can
figure
that
out.
F
So
so
that's
actually,
where
I
think
the
like,
if
you
scroll
up
a
bit
to
the
diagram
again,
you
kind
of
might
have
two
different
policies
like
at
upload
time
from
the
package
registry.
That's
a
completely
automated
process
like
there's.
F
Well
from
the
package
Registries
side,
there's
no
human
in
like
npm,
saying
yes
or
no
right,
like
that's
a
machine,
and
so
then
you
do
have
that
question
of
like
how
do
you
know
which
policies
Etc,
like
you
described
on
the
install
side.
B
Policy-
sorry,
sorry,
just
to
clarify
you
mean
like
the
developers
would
come
in
and
say:
look
npm
I'm
going
to
use
this
repositories
and
build
platform.
Particular
you
produce
the
policy
and
store
it
and
use
it.
Okay,
great
thanks.
F
F
Think
that
model
makes
sense
at
least
to
me
and
then
there's
a
question
like
well.
How
do
you
accept
changes
to
that?
Like
sure
the
the
Box
on
the
right?
That's
one
where
I
I
feel
like
a
possibility.
That
I'd
like
to
explore
is
like
a
trust
on
first
use
thing:
where
effectively,
you
don't
have
to
get
it.
F
Maybe
you
could
seed
it
from
the
maintainer
the
package
maintainer
on
the
left,
but
once
you
accept
a
package
like,
let's
say,
I
start
using
package
Foo
and
it's
in
our
lock
file
and
in
our
project
my
project,
my
team's
project.
We
have
Foo
listed
as
one
of
our
dependencies
every
time
you
know
there
the
first
time
we
take
in
Foo.
We
have
to
make
some
sort
of
risk
determination
at
whether
that's
okay,
most
people
I
think
don't
do
it.
G
F
Think
there'd
be
some
sort
of
risk
determination
of
like.
Is
it
okay
to
do
that?
I
think
what
at
least
in
my
mind,
I,
don't
think.
There's
universities
in
in
my
mind
what
I
would
like
to
see
is
when
you
do
updates
and
you're
doing
version
bumps
that
those
could
be.
You
could
determine
those
be
low
risk
because,
like
it
was
built
from
the
same,
it
was
built
in
the
same
way
from
the
same
repository
just
a
different
version.
All
the
parameters
were
the
same.
F
So
for
like
the
salsa
build
track,
it
looks
kind
of
equivalent.
So
it's
low
risk
update
in
the
future.
We
could
have
more
signals
of
like
the
risk,
and
so
if
the
update
is
relatively
low
risk,
it's
just
automatic
and
for
example,
if
you're
using
dependabot
say
that
could
be
a
signal
in
there
versus
your
there's
a
version
button.
But
hey
it's
built
completely
differently.
F
That's
you
know,
there's
a
risk
that
perhaps
the
package
was
compromised
and
it
like
uploaded
something
bad
or
it
has
different
properties
than
it
used
to
so
so
that's
kind
of
what
I
was
thinking,
and
in
that
case
it's
kind
of
there's.
No
explicit
policy
would
just
be
kind
of
a
human
making,
a
risk
determination
of
like
by
comparing
old
to
new
I.
Don't
think
that
described
it
in
this
dock,
but
those
those
are
just
something.
I
wanted
to
talk
about
like
an
idea.
B
Cool
yeah
I
think
that's
interesting,
I'm
curious
about
some
details,
but
I
don't
think
we
need
to
discuss
that
here.
We
can
discuss
that
offline,
but
I'm
curious
about
things
like
when
you
when
you
say
tofu,
do
you
pull
it?
Do
you
pull
like
the
initial
version
of
the
policy
from
the
package
registry,
but
we
can.
We
can
discuss
that
offline,
so
Mark
I
guess
to
help
push.
Oh
Aditya
has
a
question.
Please.
A
Excuse
me
just
so:
I
I
only
really
became
aware
of
this
PR.
This
proposal
this
morning,
because
I
haven't
had
a
chance
to
really
read
it
in
any
level
of
detail.
A
lot
of
what
you
said,
Mark
made
sense
to
me.
I
I,
do
have
a
question
when
you
say:
okay,
I
also
understand
that
we
per
that
the
proposal
probably
shouldn't
be
too
prescriptive
with
level
with
respect
to
how
policies
are
specified
and
verified
and
I
get
all
of
that
so
I.
My
my
question
is
this
npm
specific
use
case?
A
Should
it
even
be
a
salsa
specific
proposal
at
all,
because
when
we
consider
that
npm
themselves,
if
they're
also
doing
something
called
publish
attestations
that
isn't
part
of
salsa,
for
example,
you
don't
want
to
be
doing
something
where
you
sell
so
specific
for
the
provenance
part
of
it
and
something
else
entirely
for
any
other
attestations
that
are
generated
along
the
way
or
and
I
guess
on
a
higher
level.
There's
also
the
question
of.
A
F
All
right,
yeah,
I,
think
so.
First
of
all,
this
is
it
just
is
using
npm
to
make
it
concrete
it.
All
these
Concepts
really
apply
to
almost
every
other
ecosystem
like
go
and
we'll
go.
Is
it
kind
of
a
smells
like,
but
probably
would
work
for
go
but
especially
PHP
and
Python
and
Ruby,
although
Ruby
doesn't
have
hashes
in
their
lock
file?
But
it's
not
really
specific.
None
of
the
concepts
here
are
really
specific
to
npm,
and
so
the
idea
would
be
to
start
with
one.
F
It
doesn't
really
matter
which
ecosystem
just
start
with
something
and
Implement
a
prototype
and
kind
of
get
make
some
decisions
on
how
it'll
work
and
start
to
prototype
and
see.
Can
we
get
this
in
a
way
that
we
think
it'll
actually
scale
to
be
turned
on
by
default
for
all
users,
but
in
a
way
that's
like
seamless
and
and
low
low
overhead,
like,
ideally,
people
wouldn't
even
know
what's
happening
right,
it
would
just
work
and
if
there's
something
risky
that
happens,
they'll
be
notified
and
say,
like.
F
A
A
Yeah
in
part
I'm,
just
like
I,
think
part
of
the
question
is
also
about
well.
Do
we
only
want
to
focus
on
problems?
I
know,
that's
the
key
thing
in
salsa
at
the
moment,
but
do
we
all
how
how
General
do
we
make
this
I
guess.
F
Disagree
I
mean
that
always
goes
true,
but
especially
now
I.
In
my
mind,
this
would
be
scoped
to
things
that
are
in
salsa,
like
this
scope
to
mitigating
the
threats
that
are
defined
by
salsa.
So
right
now
we
have
a
build
track.
That's
about
tampering
in
the
build
system,
and
this
would
be
checking
those
things
in
the
future.
We
have
source
track
that
maybe
talks
about
tampering
of
the
source
code
or
two
part
of
your
view
or
something
it
would
also
check
for
those
type
of
things
as
well.
F
Expanding
it,
but,
but
ideally
it
would.
The
design
would
be
conducive
to
expanding
to
more
things
that
are
not
defined
in
salsa,
because.
B
Yeah,
if
I
could
propose
something
I
think
this
model
has
worked
successfully
before
for
us
did
I
think
we
can
sort
of
have
it
both
ways.
Here's
what
I
mean
so
remember
before
salsa
1.0,
we
were
still
experimenting
with
Providence
right
and
we
had
0.1,
David,
0.2
and
so
on.
I
think
that's
the
phase
where
we
are
with
this
we're
experimenting
with
this,
and
once
we
are
ready
to
make
it
say
a
part
of
2.0
thing,
then
we
can,
of
course
it
has
to
be
more
generalizable.
I
would
think
everyone
would
want
that.
A
Yeah
I
think
I
think
the
dose
I
was
just
trying
to
get
a
feel
for
you
know
what
what
if
you
know
if,
if
and
when
this
proposal
is
accepted,
what
that
would
mean
for
broader
policy
spaces
and
manifestations
that
are
not
social,
specific
and
things
like
that
from
the
total
side,
I
want
to
note
that
you
know
I've
been
ignoring
in
for
slightly
ignoring
the
the
internet
enhancement
for
new
layouts,
but
I
should
have
a
bit
more
time
after
truck
day
well,
I
guess
from
Monday
and
and
I
I
want
to
kind
of
take
this
the
take
this
proposal
and
see
how
it
would
fit
into
what
we're
proposing
there
and
if
you
could,
if
we
could
have
like
an
internal
specific
way
of
implementing,
what's
proposed
here,
while
also
incorporating
and
in
the
npm
context,
the
publish
attestations
and
things
like
that.
F
Yeah,
that
sounds
good,
like
my
main,
like
my
big
interest,
is
mostly
getting
some
prototype
and
and
trying
stuff
out,
and
so
the
main
purpose
of
this
Doc,
in
my
mind,
is
to
get
people
talking.
Get
people
on
the
same
idea
come
up
with
something
that
we
could
all
work
toward
and.
A
A
That's
good
where,
where
I
just
want
to
add
one
more
thing,
we're
we're
approaching
the
prototyping
phase
as
well
and
and
I
think
we'd
be
using
a
lot
of
the
stuff
that
the
folks
that
testified
site
by
Cole,
Kennedy
and
Mikhail
I've
been
working
on
with
a
witness
where
they've
got
a
policy
tool.
That
say
that
allows
you
to
specify
you
know
expected
attributes
and,
and
it
spits
out
a
policy
that
kind
of
looks
like
an
internal
layout,
but
we're
you
know
working
on
bridging.
All
of
that.
A
B
Cool
I
think
I
think
I
think
that's
a
nice
nice
way
to
wrap
up
this
PR
keeping
in
mind
also
that
we
have
15
minutes
left.
It
wouldn't
be
mindful
of
everyone's
time
so
yeah.
So
it
sounds
like
it
sounds
like
I
think.
As
long
as
we
document
this,
this
sort
of
like
informal
agreement
that
we
have
here
I
think
that'll
be
a
good
way
to
make
progress
with
this
PR,
which
we
should.
B
Cool,
so
the
next
BR
and
I,
don't
know
if
Chris
is
here,
but
it's
also
very
interesting
is
the
I
the
problem
again.
Anyone
feel
free
to
correct
me
here
if
I'm
wrong,
but
the
problem
this
tries
to
solve
this
okay.
So
now
we've
got
V
1.0.
Now
we
know
how
to
define
things
like
build
level
tree,
but
how?
How
can
I
prove
this,
because
not
everything
is
provable
by
attestation
right,
you
can't
cryptographically
prove
unless
you
use
some
trusted
Hardware
kind
of
stuff,
but
even
then
are
you
really
isolated?
B
B
We
basically
guarantee,
if
you
trust
us,
we're
a
testing
that
we're
Bill
level
three
or
level
two
or
whatnot,
and
similarly
the
other
idea
is
they
have
Auditors
do
this
for
you,
so
third-party
attestations
do
the
same
effect,
but
there
are
some
differences
here
between
the
two
approaches.