►
From YouTube: SLSA Biweekly (May 11, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit
A
B
B
D
B
B
B
The
thing
is
a
fascinating
proposal
that
everyone
should
take
a
look
at
it's
by
I'm,
not
sure
whether
I'm
saying
his
name
correctly
so
I
apologize,
Visa
I
think
wrote
an
interesting
proposal
for
using
something
called
a
policy,
so
you
know
how
GitHub
actions.
Now,
if
you
turn
on
the
npm,
build
Providence
thing,
you
can
spit
out
the
salsa.
B
You
know
the
build
provenance
attestations
right
and
it
gets
recorded
in
six
store
and
all
that
good
stuff
great
with
pizza
is
proposing
here
is
that
we
can
write
what
he
calls
a
policy
to
to
to
be
able
to
enforce
things,
to
be
able
to
say
okay
for
these
packages
with
certain
versions,
I
expect
them
to
come
from
this
source
code
repository
precisely,
and
it
needs
to
be
built
using
this
bill
system
specifically
which,
which
is
interesting,
because
then
you
can't
you
can't
change.
At
least
these
two
things,
the
properties
that
you
expect.
B
B
B
B
G
H
B
B
C
F
Yeah
Mike
Lieberman
also
got
a
bunch
of
good
feedback
from
I
think
it
was
coupon,
and
so
we
still
have
like
the
backlog
to
go
through
I
think
we're
just
kind
of
taking
a
little
bit
of
a
breather
to
catch
up
on
other
non-salsa
work,
but
then
I
think
first
order.
Business
is
kind
of
going
through
through
the
feedback
and
addressing
that
and
and
simultaneously
working
on
the
roadmap
and
figure
out
what
to
do
next.
B
E
E
B
C
B
B
Cool,
let's
see
we
could
go
one
of
two
ways
here.
One
is
since
many
of
the
steering
committee
members
are
here.
We
could
talk
about
Bruno's,
excellent
work
on
putting
together
a
draft
for
formalizing
the
steering
committee
election
process,
or
we
could
discuss
PR's
first,
which
which
would
you
prefer.
B
E
E
So
here's
the
the
link
for
the
proposition
I
think
that
I
can
share
the
the
link
to
to
wider
audience
because,
including
here,
just
those
people
that
said
they
would
like
to
collaborate
in
this
document.
So
keep
it
more
close
to
the
chest.
But
of
course,
let's,
let's
open
this
I
somewhere
half
of
the
this
structure,
but
as
we
have
today.
E
E
We
left
for
like
four
weeks
and
the
received
nomination
a
nomination
will
be
in
the
form
like
the
name.
It's
a
form,
it's
a
one-page
document
that
you
feel
like
what
is
your
name,
your
title
company,
if
you
would
like
to
include
any
of
her
friends
like,
for
example,
LinkedIn
or
GitHub
link
and
and
a
nomination
statement,
it's
just
a
phrase
that
you
describe.
E
For
example,
what
is
the
qualification,
the
role
in
South,
sustaining
Community
member,
previously
prior
involvement
and
the
open
source
or
collaborative
efforts
as
well
collaboration
that
you
have
for
the
foundation
try
to
bring
relevant
information,
but
it's
one
paragraph
and,
as
we
can
assume,
for
example,
we
can
may
have,
for
example,
three
or
four
nominations,
but
we
can
have
a
15.
so
you're
not
able
to
have
them
to
present
themselves
if
you
have
15
20..
E
So
the
idea
is
that
it's
after,
like
four
weeks
I'm
just
making
this
four
weeks,
the
steering
Community
is
going
to
filter
those
candidates
that
you
think
that
it's
it's
can
fit
the
the
the
position,
and
then
you
publish
what
it's
the
day
for
the
election
and
the
date
of
the
election
will
be
something
like
a
each
candidate.
They
present
to
everybody.
E
However,
one
challenge
that
was
anticipating
since
the
beginning-
and
it
happened
as
well
with
the
other
other,
for
example,
funerals.org.
It
was
when
you
have,
for
example,
a
student
member
steering
committee
members
like
we
have
today,
and
you
have
two
years
of
Duty.
If
you
want
to
say
how
are
you
starting
breaking
down
so
in
that,
in
that
case
we
created
this
transitional
election.
So
we
increased
the
number
of
members
for
one
year
so
that
REM
the
the
original
Seven
they
go
to
the
election
the
following
year.
E
So,
for
example,
here
I
was
thinking
about
four
can
be
three
as
well.
For
example,
we
have
seven
from
2023,
we
can
add
like
three
or
four
members
and
then
in
2024
all
the
original
Seven
members
have
to
go
to
election.
So,
from
the
seven,
only
three
or
four
you'll
be
elected
and
continuing
with
the
two-year
cycle.
That's
a
way
that
it's
because
for
now
it's
going
to
say
wow.
Unless
we
have
enough
people
that
it's
going
to
say
well,
I
don't
want
it
to
serve
and
the
Syrian
Community
member.
E
F
G
E
E
E
F
F
C
Yeah
I
think
it's
it's
slightly
harder
in
the
showtime,
but
less
work
in
the
long
term
contraction
it
could
be
difficult
and
especially
if
we,
if
we
have
the
initial
seven
members,
all
want
to
apply
for
re-election
like
how
the
voting
would
work.
If
it's
the
steering
committee
that
votes
for
new
members
would
be
like,
you
would
effectively
have
the
four
additional
members
voted
on.
Seven
members
seems
kind
of
scary.
G
F
C
C
B
D
B
C
C
Was
just
gonna
say
we
should?
We
should
have
like
some
notion
of
what
happens
when
someone
relinquishes
the
kind
of
position
or
what
happens
when
someone
is
just
not
active
like
that?
We
we
should
document
that
I'm
not
sure
if
it's
captured
in
the
current
documentation
but
I
know
in
the
initial
governing
stocks.
D
F
That
seems
like
something
we
should
just
clarify
and
it
seems
that
worthwhile
to
update
the
the
doc
trishank
list
referenced
the
in
todos
during
the
governor's
stock.
As
one
of
the
comments
that
one
is
much
more
explicit,
it
says
you
know
at
least
five
members,
no
more
than
two
may
have
defend
this.
The
same
organization.
D
Yeah
I
think
because
I
think
it
too
can
lead
to
kind
of
lazy
membership.
Also
of
like
hey.
We've
got
all
these
people
from
one
company
and
no
one.
Let's
not
put
it
in
a
document,
because
what?
If
no
one
from
other
companies
is
available?
But
we
can
always
seek
out
representatives
from
other
companies
in
order
to
maintain
that
diversity
on
the
on
the
board.
But.
H
I
Okay,
so
this
is
my
you
know
in
theory,
my
my
first
meeting
to
this
group
and
I'm,
probably
coming
at
you
know
right
time.
The
question
I
had
is
for
for
the
memberships
or
for
you
know
getting
onto
the
board
or
you
know
the
theologians:
is
it
necessary
for
the
candidate
to
be
representing
an
organization
I?
Ask
because
you
know
if
you
look
at
the
tech
sector
right
now,
so
many
people
are
facing
layoffs
and
you
know
they
are
in
their
transition
space.
I
D
B
I
I
So
you
know,
let's
be
clear
about
you,
know
making
this
as,
as
you
know,
participating
in
the
in
the
open
source
Community.
You
know
contributing
to
the
to
the
open
source
Community
rather
than
you
know.
Yes,
we
are
all
backed
by
our
organizations.
However,
there's
an
individual
who
drives
the
work.
F
Yeah
I,
don't
I,
guess
it's,
maybe
implicit
in
the
governance
talk,
but
the
the
intention
was
that
we're
well
I
I
believe
electing
individuals,
not
representatives
from
a
company
like
we've,
had
several
people
like
and
I
think
it's
tied
to
the
individual.
The
purpose
of
the
Georgia
companies
is
just
to
prevent
skew
of
like
if,
for
example,
everyone
is
from
works
at
the
same
company
that,
like
just
an.
G
B
B
Great
so
I
think
I
think
we've
wrapped
up
discussion
on
that
one.
Today
we
will
wait
to
get
more
feedback
from
the
community,
finalize
it
and
go
from
there.
I,
don't
think.
There's
anything
else
on
the
agenda
other
than
discussing
PRS,
and
particularly
this
is
for
the
salsa
proposals.
Repository
we
could
we
could.
We
could
discuss
that
for
those
those
those
are
interested,
otherwise
feel
free
to
to
tune
out
this
proposal.
In
particular,
let
me
share
my
screen:
I
guess
it's
easier.
B
And
feel
free
to
mention
other
PRS
too
right.
This
is
the
one
that
I'm
most
interested
in.
Oh
I
should
also
mention
that
there's
an
interesting
salsa
conformance
program.
So
let
me
not
forget
that
too.
Actually,
let
me
add
that
here
we
go
sequential,
very
nice,
okay,
so
I
think
if
I
got
his
name
correctly,
I
may
have
forgive
me
if
I'm
butchering,
but
Visa
who's
previously
at
Google
I
think
has
this
very
nice
proposal
here
which,
if
I,
understand
the
idea
correctly.
B
So
you
might
have
seen
news
about
how
GitHub
is
producing
Providence
right
for
you,
if
you,
if
you
opted
in,
and
so
so
at
least
if
people
opt
in
we'll
start
getting
all
this
very
nice
attestations
about
your
bills,
signed
using
full
show
and
and
stored
and
secur
all
that
good
stuff
and
I.
Think
if
I
understand
correctly,
what
vitsa
is
saying
here
great
now:
we're
well
positioned
to
start
using
what
he
calls
policies
to
to
be
able
to
enforce
things
before
you
admit
things
into
your
your
production.
B
So,
for
example,
you
could
say,
as
I
was
mentioning
earlier,
you
could
say
things
like
for
this
package.
In
a
certain
range
of
version,
let's
say
1.0.0
and
above
it
needs
to
come
from
this
GitHub
source
code
repository,
but
also
be
built
by
GitHub
actions
using
this
particular
workflow.
Let's
say
with
that
repo,
and
so
you
can
start
enforcing
this
and
checking
signatures
on
them
before
you
admit
these
packages,
Mark
have
I
done
Justice
to
this
PR.
Would
you
like
to
add
more
thoughts.
B
Yeah
so
so
I
think
I.
Think
Mark
had
sent
a
deadline
of
of
comments
for
today,
I
think,
which
I
think
is
reasonable,
because
it's
been
standing
outstanding
for
a
while
and
I
added
some
of
my
thoughts
yesterday,
I,
don't
know
Mark
how
you
feel
about
keeping
this
open
or
should
be
merged
as
a
draft
and
then
add
more
substantial
address,
more
substantial
feedback
and
following
PRS.
What
would
you?
What
would
you
propose
that
we
do
here.
F
F
G
F
To
require
that
I
think
we
should
make
that
a
good
option,
but
I
think
that
the
the
main
thing
is
like
how
it's
almost
like
the
policy
management
piece
of.
Where
does
policies
get?
Where
do
policies
get
checked?
And
how
do
you
know
what
policies
to
check
like
you
said?
You
know
when
you
see
an
npm
package,
Foo
version
one.
How
do
you?
F
This
thing
is
built
from
GitHub
actions,
and
so
that's
what
a
legit
build
looks
like
like
that's
what
the
maintainer
is
doing
today,
and
so,
if
you
then
see
a
subsequent
build
from
something
else,
that
is
a
a
significant
change
and
it
should
be
authorized
somehow,
basically
like
that.
That's
I
think
to
me:
that's
like
the
high
level
idea,
but
it's
really
difficult
to
get
it
into
words
that
everyone
agrees
on
the
the
other.
The
other
kind
of
challenging
piece
is
like
in
this
diagram
right
here
that
you
have
presented.
E
H
F
Registry
right
there's
some
notion
of
like
you,
don't
want
bad
things
to
get
published,
and
so
you
need
some
notion
of
what
good
looks
like,
and
we
should
just
you
know
describe
it,
have
a
recommendation,
particularly
for
open
source
about
how
that
could
work.
Foreign
in
that
case,
maybe
it's
it's
not
clear
to
me
like
what
the
best
route
is.
F
F
When
your
dependencies
get
updated,
you
could
check
the
provenance
of
those
and
check,
compare
the
provenance
of
the
new
version
to
the
old
version
of
each
of
your
dependencies,
and
you
know
if
it
looks
roughly
the
same
and
is
like
kind
of
equivalent.
Then
you
say
good
and
if
not,
then
that's
a
signal
that
something
might
that
you
should
kind
of
approve
that
that
is
described
down
in,
like
I.
B
F
B
B
F
B
F
F
Think
that
model
makes
sense
at
least
to
me
and
then
there's
a
question
like
well.
How
do
you
accept
changes
to
that?
Like
sure
the
the
Box
on
the
right?
That's
one
where
I
I
feel
like
a
possibility.
That
I'd
like
to
explore
is
like
a
trust
on
first
use
thing:
where
effectively,
you
don't
have
to
get
it.
F
Maybe
you
could
seed
it
from
the
maintainer
the
package
maintainer
on
the
left,
but
once
you
accept
a
package
like,
let's
say,
I
start
using
package
Foo
and
it's
in
our
lock
file
and
in
our
project
my
project,
my
team's
project.
We
have
Foo
listed
as
one
of
our
dependencies
every
time
you
know
there
the
first
time
we
take
in
Foo.
We
have
to
make
some
sort
of
risk
determination
at
whether
that's
okay,
most
people
I
think
don't
do
it.
G
F
Think
there'd
be
some
sort
of
risk
determination
of
like.
Is
it
okay
to
do
that?
I
think
what
at
least
in
my
mind,
I,
don't
think.
There's
universities
in
in
my
mind
what
I
would
like
to
see
is
when
you
do
updates
and
you're
doing
version
bumps
that
those
could
be.
You
could
determine
those
be
low
risk
because,
like
it
was
built
from
the
same,
it
was
built
in
the
same
way
from
the
same
repository
just
a
different
version.
All
the
parameters
were
the
same.
F
So
for
like
the
salsa
build
track,
it
looks
kind
of
equivalent.
So
it's
low
risk
update
in
the
future.
We
could
have
more
signals
of
like
the
risk,
and
so
if
the
update
is
relatively
low
risk,
it's
just
automatic
and
for
example,
if
you're
using
dependabot
say
that
could
be
a
signal
in
there
versus
your
there's
a
version
button.
But
hey
it's
built
completely
differently.
F
That's
you
know,
there's
a
risk
that
perhaps
the
package
was
compromised
and
it
like
uploaded
something
bad
or
it
has
different
properties
than
it
used
to
so
so
that's
kind
of
what
I
was
thinking,
and
in
that
case
it's
kind
of
there's.
No
explicit
policy
would
just
be
kind
of
a
human
making,
a
risk
determination
of
like
by
comparing
old
to
new
I.
Don't
think
that
described
it
in
this
dock,
but
those
those
are
just
something.
I
wanted
to
talk
about
like
an
idea.
B
Cool
yeah
I
think
that's
interesting,
I'm
curious
about
some
details,
but
I
don't
think
we
need
to
discuss
that
here.
We
can
discuss
that
offline,
but
I'm
curious
about
things
like
when
you
when
you
say
tofu,
do
you
pull
it?
Do
you
pull
like
the
initial
version
of
the
policy
from
the
package
registry,
but
we
can.
We
can
discuss
that
offline,
so
Mark
I
guess
to
help
push.
Oh
Aditya
has
a
question.
Please.
A
Excuse
me
just
so:
I
I
only
really
became
aware
of
this
PR.
This
proposal
this
morning,
because
I
haven't
had
a
chance
to
really
read
it
in
any
level
of
detail.
A
lot
of
what
you
said,
Mark
made
sense
to
me.
I
I,
do
have
a
question
when
you
say:
okay,
I
also
understand
that
we
per
that
the
proposal
probably
shouldn't
be
too
prescriptive
with
level
with
respect
to
how
policies
are
specified
and
verified
and
I
get
all
of
that
so
I.
My
my
question
is
this
npm
specific
use
case?
A
Should
it
even
be
a
salsa
specific
proposal
at
all,
because
when
we
consider
that
npm
themselves,
if
they're
also
doing
something
called
publish
attestations
that
isn't
part
of
salsa,
for
example,
you
don't
want
to
be
doing
something
where
you
sell
so
specific
for
the
provenance
part
of
it
and
something
else
entirely
for
any
other
attestations
that
are
generated
along
the
way
or
and
I
guess
on
a
higher
level.
There's
also
the
question
of.
A
F
All
right,
yeah,
I,
think
so.
First
of
all,
this
is
it
just
is
using
npm
to
make
it
concrete
it.
All
these
Concepts
really
apply
to
almost
every
other
ecosystem
like
go
and
we'll
go.
Is
it
kind
of
a
smells
like,
but
probably
would
work
for
go
but
especially
PHP
and
Python
and
Ruby,
although
Ruby
doesn't
have
hashes
in
their
lock
file?
But
it's
not
really
specific.
None
of
the
concepts
here
are
really
specific
to
npm,
and
so
the
idea
would
be
to
start
with
one.
F
It
doesn't
really
matter
which
ecosystem
just
start
with
something
and
Implement
a
prototype
and
kind
of
get
make
some
decisions
on
how
it'll
work
and
start
to
prototype
and
see.
Can
we
get
this
in
a
way
that
we
think
it'll
actually
scale
to
be
turned
on
by
default
for
all
users,
but
in
a
way
that's
like
seamless
and
and
low
low
overhead,
like,
ideally,
people
wouldn't
even
know
what's
happening
right,
it
would
just
work
and
if
there's
something
risky
that
happens,
they'll
be
notified
and
say,
like.
F
A
A
F
Disagree
I
mean
that
always
goes
true,
but
especially
now
I.
In
my
mind,
this
would
be
scoped
to
things
that
are
in
salsa,
like
this
scope
to
mitigating
the
threats
that
are
defined
by
salsa.
So
right
now
we
have
a
build
track.
That's
about
tampering
in
the
build
system,
and
this
would
be
checking
those
things
in
the
future.
We
have
source
track
that
maybe
talks
about
tampering
of
the
source
code
or
two
part
of
your
view
or
something
it
would
also
check
for
those
type
of
things
as
well.
F
B
Yeah,
if
I
could
propose
something
I
think
this
model
has
worked
successfully
before
for
us
did
I
think
we
can
sort
of
have
it
both
ways.
Here's
what
I
mean
so
remember
before
salsa
1.0,
we
were
still
experimenting
with
Providence
right
and
we
had
0.1,
David,
0.2
and
so
on.
I
think
that's
the
phase
where
we
are
with
this
we're
experimenting
with
this,
and
once
we
are
ready
to
make
it
say
a
part
of
2.0
thing,
then
we
can,
of
course
it
has
to
be
more
generalizable.
I
would
think
everyone
would
want
that.
F
A
A
That's
good
where,
where
I
just
want
to
add
one
more
thing,
we're
we're
approaching
the
prototyping
phase
as
well
and
and
I
think
we'd
be
using
a
lot
of
the
stuff
that
the
folks
that
testified
site
by
Cole,
Kennedy
and
Mikhail
I've
been
working
on
with
a
witness
where
they've
got
a
policy
tool.
That
say
that
allows
you
to
specify
you
know
expected
attributes
and,
and
it
spits
out
a
policy
that
kind
of
looks
like
an
internal
layout,
but
we're
you
know
working
on
bridging.
All
of
that.
A
B
Cool
I
think
I
think
I
think
that's
a
nice
nice
way
to
wrap
up
this
PR
keeping
in
mind
also
that
we
have
15
minutes
left.
It
wouldn't
be
mindful
of
everyone's
time
so
yeah.
So
it
sounds
like
it
sounds
like
I
think.
As
long
as
we
document
this,
this
sort
of
like
informal
agreement
that
we
have
here
I
think
that'll
be
a
good
way
to
make
progress
with
this
PR,
which
we
should.
B
Cool,
so
the
next
BR
and
I,
don't
know
if
Chris
is
here,
but
it's
also
very
interesting
is
the
I
the
problem
again.
Anyone
feel
free
to
correct
me
here
if
I'm
wrong,
but
the
problem
this
tries
to
solve
this
okay.
So
now
we've
got
V
1.0.
Now
we
know
how
to
define
things
like
build
level
tree,
but
how?
How
can
I
prove
this,
because
not
everything
is
provable
by
attestation
right,
you
can't
cryptographically
prove
unless
you
use
some
trusted
Hardware
kind
of
stuff,
but
even
then
are
you
really
isolated?