From YouTube: SLSA Specifications Meeting (January 23, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
B: Well, you know, I mean, I'm not saying that, a big note: be careful what you wish for. A thing about, I can imagine having a family and people running around, kids and even things to do and all that kind of stuff, you can get a... I'm gonna, do a little daunting, not saying that I don't want that, because I absolutely do, but, like I said, be careful what you wish for, a writing.
C: No, no, Joshua Locke.
C: And I was hired into my team. They told me, be glad your name isn't Chris, because we probably wouldn't have been able to hire you because.
F: I know Joshua and Michael said they couldn't be here today. I don't know about others.
F: Put the meeting notes in chat, and you want to use it as a reminder. Please record your attendance in the meeting notes, and that we're going to abide by the Linux Foundation code of conduct is there, yeah, so see. Welcome newcomers. Is there anyone here who hasn't participated before? No, okay, yeah. I reckon so I can give a brief update on the provenance spec, I think. Actually, a lot of people here have in fact reviewed the provenance spec. I submitted an initial draft of the v1 provenance spec.
F: The big... I tried to mark with the RFC. If you search for RFC, cases where there's like significant disagreement, or places where we're particularly looking for comments, the biggest one is how we record external parameters right now.
F: It's a bit awkward, if you follow that conversation on the thread, and so I'm putting together a pull request right now that basically allows just an arbitrary JSON object as a parameter and kind of shifts around how we do the recording of the digest piece. I'm still putting it together, so I won't bother explaining it like a half-baked idea.
F: But I'd be interested for folks to kind of maybe put together one by hand, or think about how would I actually record a real-world thing, because I think that's really what's going to tell us whether it's good or not, is when people actually go to try to implement it, like, oh, this is awkward.
F: Here's the rough edges, and I'll try to do the same thing for ones internally at Google, because we have about half a dozen different build systems internally that we have provenance for in our own internal format, and then I could try conver...
F: Think it's insults a problem, that's one format, and then I could try converting it to this new format and see, you know, how well the concepts translate. Any other comments on the provenance?
F: In this spec, we say that this is the recommended format, and in the 0.1 version of the SLSA requirements we had kind of a dual list in the requirements. There's the abstract list of things you do, and in the provenance format the concrete ways that you could record it, and the reader had to kind of mentally map back and forth.
F: So in the current draft, the requirements just say: either use SLSA provenance or something equivalent, and in the provenance thing it says this is required and here's the guidance. And so, if you're using a different format, I'm hoping that the reader can just translate internally, you know, and say, oh well, we don't, you know, use this other format for whatever reason, rather than kind of trying to do everything twice.
G: Now, yes, Chris and I are working on those. We'll talk about that next week in this meeting. I want to touch base with him one more time and kind of get everything pulled together before we kind of do a presentation, so it shouldn't take too long in the next meeting, but do review that pull request. That'll be super useful. We're going to work on the machine-readable version, slash kind of fillable version, of the verification for build systems work.
F: Yeah, yeah. Also, I think I'm meeting with Chris later today, yeah, and that piece, it wasn't clear to me, like the role of attestations there, and that's probably something we should all talk about.
F: You know, like an attestation for an artifact I think we're all clear on, because an artifact has a digest and we have a provenance for that. I think what is probably less widely agreed upon is having an attestation for a whole build system, like one organization would certify GitHub Actions or Google Cloud Build or CircleCI or whatever, at least in some configuration, meets something.
F: I could see that having value. It's less clear to me that it should be a requirement, or exactly how that works. So I think we have to maybe figure out what the balance to strike there is, yeah, well.
G: We're kind of thinking of it as, where the idea is that, you know, some things you cannot verify from a user point of view out of a builder. You kind of have to trust to some extent a builder, so in that process we're trying to think of how a builder would state, hey, this is why you should trust us when we say we have produced a certain level of artifact, you know, so.
G: We've produced a build and it satisfies these requirements, right, and so as part of, like, SLSA verifier, as long as you trust that builder, then it can kind of pass some basic checks. So that's the general outline of what we're thinking, but it is obviously kind of difficult: where would that go and what would it look like and all of that stuff, and what needs to be manual and what can be automatic is another question. So, yeah, I'm talking with him later this week.
G: So if you have any particular concerns, please do bring them up. I know you said you're talking to him. If you can address them with him, then we can talk about it and kind of further that progress.
D: Yeah, I mean you can attest some build properties by reproducing, by doing a verified reproducible build. If you're trying to attest that something's secret, that's not going to do it, but, and I realize that that's not a requirement for SLSA, at least the SLSA one through three that we're working on.
D: Right, right, and that's, you know, if you're worried that the build itself was subverted, your options are few for countering that.
G: Yep, I think that's just that level of assurance and trust that we're talking about is, like, you know, if a build system provider has said, we follow these best practices that we've kind of laid out as part of SLSA's spec, then a user can say, well, if GitHub says they did this and that or the other, or CircleCI or Google Cloud Build, you know, if they say they've done these things, and I'm reasonably confident in these other things, right. So that's kind of the direction.
F: I guess the other major thing in the spec space would be cleaning up. There's a bunch of TODOs and open references.
F: So if anyone, you know, feel free to grab again. We still have that project board. Where is it, let me find a look.
E: Yeah, sorry, I just wanted to follow up on the conformance aspect. I get the feeling we're mixing two different concepts in this. There is the notion of conformance, is one thing, and the notion of certification is another, and this seems to be mixing both into one thing called conformance. And so typically in the standard, you know, in the specification, it is said somewhere, well, this is what it means to be conformant or compliant to the specification.
E: It basically says: you must, you know, follow, actually implement all the best, yeah, right, statements and requirements, and then how this is assessed, right, is a different story altogether. I don't know why we go into the notion of adding possible third parties, auditors, into discussing conformance. This is, you know, now there is this notion that some people are going to claim conformance, and whether you trust it or not is, you know, an interesting question that is typically addressed through certification or self-certification or third-party certification, but it's a bit.
E: There's a nuance there that I don't see here, and I have to admit it kind of escaped me initially, because I read conformance and I don't think I... I thought, when I read the text, there was another Google doc commented on, which read actually like a certification program to me, and I didn't realize it was called conformance program. And then I was told about, oh, there's a conformance program, and I was like, what is that? And I realized, oh, it's really a certification program called conformance program, and so I think it, we.
E: If you were to write a spec about, like, you know, there's often a notion of there are different actors that can implement. Just like here we have producers and consumers, and we may want to define what it is to be conformant to SLSA as a producer of artifacts, what it is to be conformant if you are a consumer of artifacts. But this is again, and that should belong in the spec. Then, you know, we should have, aside from the spec, you know, define a certification program.
F: So clearly, you should go, like, on the site somewhere, I think you're saying yes, and I think we want to communicate that this certification program, if we switch to the reporting certification program, exists, and, even if it's not an external, like it's just self-claimed or whatever, that whole notion of how that works. And I think that's a big question that people have right now, is how that works.
F: So I think maybe some two challenges here. One is that, you know, as opposed to like a protocol or a program or a format, like there's a right and a wrong, like things could actually operate, whereas here, like, you could just do this and it could just not be true, and there's no way of knowing that it happened or not. I guess so.
F: For example, if, like, I won't use a real-world example, like Foo Builder, Foo build service, awesome build service, claims that they're doing something, but they just don't, like they say we're SLSA 3, things would continue to work. It just would not be secure.
E: But so let's leave your practice. Pragmatic, I mean, oh, practical. We have colleagues in IBM who are working on a product that implements, you know, a pipeline, and they want to produce SLSA provenance, and they are asking, okay, what is it going to take for me to be compliant with SLSA and to be able to say we are conformant, right? And the answer ought to be, okay, you have to do all this much that are in the SLSA spec.
E: As a producer of artifacts, and, you know, then they can implement it and they can go around and claim, hey, we implemented, right, and then people are free to agree or disagree, believe it or not, trust it or not. And then you can say, okay, but now we have too many people who are claiming left and right they are compliant when they maybe not.
E: So then we put a certification program in place that will actually look into this, and, you know, there's certain tests that can be run, and again there are different ways to run it, whether it's a self-attestation certification or it's a third party or whatnot. There can be requirements set up to define what it means to be able to certify, but this is a different thing altogether. Right, I mean.
F: So let's take the world before you get into the certification program. It's really just people claiming stuff. In that world, would that be entirely within the spec? Because I think something needs to describe how the overall thing works, that a verifier exists and it has a pre-configured list of what services are trusted at what level, and there's some process that someone makes a decision that a particular builder is at a level and they have to go on some list.
D: Yeah, I've been involved in a number of certification efforts in the past, both security and not security, and typically they are treated separately. You know, well, let's start with the non-security example. That's probably easier. You know, a number of programming languages have specs, you know, C or Ada or whatever. You know, here's the spec, here's what the language does, you do these things to implement a compiler. There may or may not be a conformance test suite or verification process.
D: Not all compilers go through... even when they exist, not all compilers necessarily go through it. That's considered separate. On the other hand, you do get stronger assurance if they do go through that; hopefully it's actually doing the right thing. From the security world, I spent way too much time.
D: It's been a significant amount of time with the Common Criteria, where they actually do have that separation of, you know, here are the things you have to do to make certain claims, and at least originally they had levels, and then separately you can go through a process for verification. I will say one of the things that really hurt the Common Criteria was the cost to do that verification. The validation costs were borne, in their case, by the software maker, and, you know, six-digit.
D: Second, seven-digit prices to get a document that takes many, many months to get through, and it's not clear that many people actually want to care. It's kind of a problem. So there's always... so I think it's important to separate what is required to meet a certain level versus the effort to determine whether or not that statement is true.
F: Yeah, so the... What is not clear to me is two things. One, just the overall description, the picture that, you know, a software producer makes something and they use a build service, because there could be multiple software producers all using the same build service. The build service generates provenance, and then some consumer, some downstream system, verifies the provenance and maps the builder's identity to a level, and how that mapping takes place and is configured, and, you know, how that works.
F: Thing is, the verifying systems thing that Chris just posted, that thing was submitted. One of the things that we chose to do for 1.0 is not have a list of criteria for what conformance is, for how secure a build service needs to be. I think we punted on that, of, like, there exist tons of those things of how do you define a secure system.
F: You're going to have like a NIST thousand-page document, because securing systems is really, really hard, and we're probably not going to break any new ground there. But instead the idea is to have this kind of survey or document or something like that to just kind of explain, to convince the reader why they should be secure, and that could either, a consumer could just read that directly and be like, okay.
F: You know, so-and-so says this, I'll add them to my level one list, or if somebody uses that as part of a formal certification process. So anyway, that's where I'm kind of struggling with, you know, in terms of what's in spec and what's not. Sorry for talking so long, Jay.
B: Yeah, so one word that I didn't hear, and I think it's a caveat to what everyone is saying, and I think if we said this one word and then build some structure around it, we may be able to squeeze both sides against the middle. David was alluding to this: there's a certification process and then there's an accreditation process. When you go through the accreditation process, the accreditation process is sort of like certifying conformity, right.
B: So this is to Arnold's points, and this is to David's point too, especially when you're considering, you know, security perspective versus non-security perspective, and you see this every which way. For example, in the military, right, you'll have what's called a golden master, right, and then you have this golden master, and this could be a derivative of whatever operating system that they bring in, but they take some stuff up.
B: First of all, your certification process, right, and then says, based on the accreditation of your certification process, we can say that your golden master is indeed what it's supposed to be, because you guys have gone through the process of using that certification process, and we said that, based on our accreditation of that process, that you have conformed to the process they're in. So I think if we take that one word, accreditation, bake that in.
B: I think that, as far as SLSA's concerned, you absolutely can have, you know, certification, which can be, you could do a self-attestation, you could even have an audit team somewhere internally say: hey, yeah, we can, you know, come in based on your self-attestation, take that stuff in and say: hey, yeah, you follow this, yeah, you're SLSA level this and that other. But then we can have an independent third party who gets, plus, I mean this.
B: These are all aspirational, right, but then that can come in and say we can accredit it. We can accredit the process you used for certifying conformity. I said a lot of damn words, but I think the difference between certification and accreditation lives here, and I think if we parse those out and then build structure around them, conversation can be a lot more fluid all in there.
D: Yeah, at least under NIST, they define those, certification versus accreditation, a little differently. I stuck that in the notes. I mean, we're not going to solve the problem that people use the same words to mean different things, but whatever we mean, we should define them clearly.
D: Yeah, I put in, so okay, so at least under NIST, certification is for verifying either people have adequate credentials or that products meet certain requirements, which is, I think, what we were primarily talking about, which is why I've been using the word certification. Under NIST, accreditation seems, is more about that.
D: They've got a lab, they meet certain calibrations and so on. I don't think that we're doing that, although maybe we.
B: Jane, if I will wash it off, please, you'll have NIST standards, but I think with respect to builds and with respect to security in general, there is a clear, I mean, clear definition of what accreditation is, and it is: you are looking at conformity, you're looking at whether or not there's conformity against a recognized standard, right. So how?
B: Well, you conformed to the certification process, right, so there's a process, there's a certification process, there's a spec, and then you're going through the certification process based on that spec. But then now you're accrediting the process you used, right, so now we're talking, and it's not different than what you just said, right, but take in the steps you took to certify against the spec. Now you're accrediting the steps you took and the measure whether or not you conform to it correctly, and sometimes that's some.
B: That's very important, because then two different organizations can certify differently and maybe come to the same conclusion, or they will come to a different conclusion. But the steps may not, the steps, on face, may look a little different. But if you come in with a third party and say, can we accredit the steps you used? They may have missed something, right, or they may not have taken enough time on something, or the documentation might look different.
B: I mean, anything, right, but I think that gets a little bit more rigid than maybe it needs to be, but yeah. But there is a clear, you know, certification versus accreditation versus accreditation process. I'll stop there, though. Joshua has something he wants to say; two of them, hand down.
G: Yeah, I think, going back to the original issue that we're trying to figure out, is for spec v1.0, I definitely agree with Mark on: we want some sort of bridge between whatever future certification process looks like, whatever that looks like in the future. We need some sort of bridge between that and the spec. I firmly believe we have to have some sort of bridge there, whether it's, you know, a builder sticks another attestation in there that says, hey, here's.
G: Here is how we have figured out that we're level three, you know, and they've signed that attestation, or something along those lines, so that a user can trust a builder from that perspective. So I feel like we have to have a bridge from the spec to the certification at some point, so that people, like you said, you know, don't go around and claim SLSA level X without any proof, right, and kind of dilute the trademark.
G: To some extent, we want it to be a valuable tool for people to use, so we can't really let people go and dilute the name. So we need that bridge. I don't know what that looks like, and then we need to have them aligned for the 1.0 release. Whether we need to change the terms from conformance to certification, I think that's fine as long as we define everything appropriately.
G: So we just need to, I guess from my point of view, because I'm working with Chris on this, I would love to know where this stuff needs to live. Do we need to move things out of the spec folder on the website and create something new, you know, a certification header on the website, or what do we need to do in order to kind of move forward on providing users?
G: Basically the information they need to evaluate their builders when they're trying to select, you know, either who to use or who to trust or anything like that.
E: So let me ask a clarification question, and I apologize if showing my ignorance here, but, you know, we're not talking about adding some kind of digital signature that is discoverable by the consumer, right? Because then that would justify adding it, in my opinion, into the spec. It's like, you know, you say: oh, the producer attests those things and they claim compliance, and this is something that is signed by some kind of, you know, additional certifier slash auditor or whatever you call it.
G: Right, it might be very valuable to have some auditors trusted that are vetted or accredited by the OpenSSF, that then, as part of tooling, you know, we can automatically trust them, right. That would be super awesome if, down the road, a user can automatically trust what a builder said, because it was audited to a certain level by an accredited auditor, right.
G: That would be awesome, so I think that's kind of one bridge, but then the other bridge is, like, if I'm running the verifier tool, can I add in my CLI, dash dash trust keys, and I trust a builder key and therefore everything works out fine and I get my green check mark? Or can I say, I trust.
G: You know, I trust GitHub, I trust Google, I trust, you know, several different groups, and not have to put in a key. You know, how does that look for me from a user interface perspective? How does that bridge, is part of the question.
F: Con... I'm trying to figure out the right words. Conformance does not require such a signature type of thing. Like, if you have a pre-configured list of these public keys or PKI, whatever identities, mapped to these SLSA levels, that would be sufficient to meet SLSA, and you don't need this more complicated.
F: Like signing of that list. It sounds like such a thing could be useful, and that would almost be like a separate spec for how that would work, I guess. Anyway, that's what I was thinking, because, for example, within Google, we don't have, like, we've been doing this for a while and we've been implementing this, but we don't have such a signature thing, and I.
E: No, but I agree, and, you know, following up on what Josh was talking, I think it could be useful to have that, maybe at some point, but I just wanted to make sure I wasn't missing that this was already the case. So you're saying no, so therefore, I mean, you know, I'll take the action. I can take another look at the conformance PR with that specifically in mind, trying to, but for me, as I think David articulated pretty well.
E: There's this, you know, conformance, when it comes to this spec, should be limited to what it means to be, for an implementation, whether it's a, you know, producer, consumer, but, you know, what it means to be compliant with the spec, not how this is being assessed or by whom. And the certification, you know, should be separated from the spec, and it's this notion of, you know: how do you make this assessment? Whether somebody is entitled to make these claims about compliance or conformance with the SLSA spec and at what level.
F: So, yeah, I appreciate you taking a look, and it's in particular the verifying, I.
F: Yeah, and the verifying build system thing is already submitted, and so, you know, we can move that, of course.
F: One thing maybe to keep in mind, or the question maybe to try to answer, is: is there, what I had been thinking, but now I'm starting to doubt it based on this conversation, is that there's a requirement essentially to publish such information, that you would need to make some effort to explain to people why you should be trusted to be this level.
F: The process by which someone makes that decision maybe would not be part of the spec, but, yeah, maybe that should all move to the conformance thing. I don't know. The other thing is that it seems like, ideally, we would have something in the requirements for how secure it is, right, of, like, you don't want just an entirely insecure, like, if I just run a random machine that's unpatched, I don't do any security.
G: Yeah, at the end of the day, I think a lot of organizations are asking this question of how, when spec 1.0 comes out, they want to know how they can go and say: hey consumers, hey our customers, hey other people, we are level three, you know. But, as an organization, the question for us is: where do we want our trademark used and what requirements do we want to put in place before we?
G: Let anyone go and say that, so we need to figure that out before v1, otherwise we're going to be in a world of mess, and I don't know exactly how. It seems like there's a lot of questions about how that's going to happen right this moment.
E: But that's wrong, but no, but Joshua, I agree with you that this is a very good point, and this is what certification programs are for, you know. You have one in CNCF, you know, and people claim compliance and then they are being, you know, challenged, and there is a bunch of tests and stuff, and it's actually a self-certification program.
E: But there are different ways you can do it, and that's totally reasonable, and I'm not saying we shouldn't do it. By the way, I pointed out in the Google Doc as a comment that those things do require resources, right, to be done right, because it's not a one-time thing. It's like every time a vendor says, hey, we want to be certified, they.
E: Basically they have a web page that lists all the vendors with their offerings, and there's somebody at the Linux Foundation, the CNCF, that has for job to ping those people every six months or so and say: hey, I saw you released so many new versions of your product. Are you sure you're still compliant? If you do, you have to, you know, file an application, and they have to keep it maintained all the time, because otherwise things become obsolete and they still remain there.
E: And no, this is hard. It comes down to, you know, what is it that you require to be compliant with the SLSA spec, right, and indeed there's some kind of assumption there, and there may be requirements that are more qualitative than anything else, and, you know, you cannot necessarily easily test, and that is just going to try to formalize in some kind of, you know, way to say, well, yeah, things should be.
E: You know, up to date with the latest patches and not have, like, obsolete, you know, coding and so on.
F: So maybe, as a next step, actually, certainly, you know, welcome anyone else's opinion who hasn't spoken up yet. Maybe as a next step.
F: Joshua and Chris could think about maybe splitting it out, and I know if you have ideas on how to do that too, or certainly anyone else. So maybe that would be, like, you know, in terms of the way that we organize, we have this spec itself and attestations, and then this would be like a separate thing, like certification, and.
G: Makes sense, that makes total sense to me. I imagine it being as separate, I don't know, maybe it kind of aligns to the spec pretty tightly, because obviously you're wanting to certify conformance to the spec, so it might be in the same folder in the code, and it might be, you know, kind of close to it, but not in it, if that makes.
E: Sense, is right, I mean, we have, yeah, and so I actually haven't seen this because it's not being merged yet. But if it's a profile of and merge, I actually reorganized a little bit the specifications menu to separate SLSA from the attestation specs, and the stage is a spec page, and now we can see how certification would be there, or conformance, if you want to call it that way. But.
E: Yeah, it is there, it's called, I don't know. Is this 52?
G: I mean 72, 572.
E: I mean, you know, I think it's historical, and the specification menu kind of shows its age, and I try to separate the SLSA spec from the rest, because, I mean, you know, maybe again I'm old school, but I'm trying to think in blocks, like, okay, there's something we want to call the SLSA specification, and in practice in the repo we have a folder for that, and the menu does not reflect it. So I try to reorganize it to encapsulate all of those into one block in a submenu underneath the specifications menu.
E: I love it. Again, another look at the, I think the conformance section. There should be a conformance section in the spec that says what it means to be, what the text to be conformed, and then there should be a certification page that talks about how do we verify those conformance claims by different implementers.
E: So the requirements definitely is very strongly tied to this, the question, and actually I think it might be all in there. This is something I looked at this weekend a little at some point, and I was trying to figure this out, whether we needed a conformance section exactly separated, that or not, but I don't think so, because we already have the reference to the definition, the formal definition of MUST, and that pretty much untouched. It's so.
G: Don't know, yeah, so if we have the requirements, and we say something along the lines of, like, you know, satisfaction of these requirements will constitute conformance with SLSA level three, or something like that. Please see this page for details on who has been certified to meet this or these requirements. Something like that. Would that make sense? Yes.
G: Yep, Christopher, that's exactly what the conformance program kind of is addressing, those two different levels, but since we already got SLSA levels, in the Google Doc for the conformance program, if you look at that, we actually called them tiers. I don't know if that's something that we'll want to keep around or kind of how we'll talk about them in the future. But thinking about the self-attested is kind of that minimum viable product that we're thinking for v1, and then, as time goes on.
G
If we can get funding, or set up some sort of structure where obviously the, whatever the certification program, or if there's a third-party, like, auditor.
G
What was the term that we were using earlier, Jay, that you mentioned? Accreditation? If we have an accreditation program, that kind of will come along later to fill that gap of that higher level of assurance. Hopefully.
F
Yeah, I feel like, I don't, I think we're, I just want to make sure we're on the same page. I don't think we want to block 1.0 on an actual formal certification program, like self-certification will be what we have. Yes, let me release 1.0, yeah. And so, like, yeah, I think that just needs to be made clear that, basically, you know, I think we want some sort of guidelines of, like, you know.
G
That's the thought on the registry, and I like, if we split the spec from the certification, and with V1 we have self-certification with a registry that can be filled over time, that would provide that location where users can get information and evaluate whether or not they trust a builder.
G
I think that would be high value, and since, if they're split, then we don't have to wait on the registry being updated, I mean the spec being updated, to add additional self-certifications to a sort of registry as well. So I think that's a decent direction to take it.
F
Yeah, I think that's a good idea. Now, it also solves a problem where I said, like, I don't think an organization that does SLSA internally, just, like, privately for their own purposes, should not be called SLSA, because they don't do this. I think by splitting out certification, that would solve that problem, right, because it's no longer part of the requirements.
G
Yeah, yeah. That would be that higher level of assurance, but you might not want to, if you are vertically integrated in that way, you might not want to publish details about your builder publicly on something like a registry. So separating out the spec makes sense for that, because then you can still produce, you know, SLSA level X artifacts without having to produce anything else for your builder that you use.
D
You know what, you just mentioned the word that Mark mentioned earlier, publish, and I'm wondering, maybe we need to tease that a little bit. I think it's important to write down somewhere, here's what we did. I think for an open source project there's really no reason not to publish it, but I think if you're talking about proprietary vendors, you could easily talk about, you know: yes, they've documented it, but we don't publish it publicly.
D
Are very specific, like, you know, if you're building a transformer, I mean a physical transformer, not a software thing, the list of people who want to buy it is a relatively small list.
D
You may not want to make that public. You maybe only want to make that available to potential buyers.
G
Yeah, I guess the information, I would want the information to be available to whoever is consuming the product of the build system, right? And so, if that's one of those situations where, you know, I'm consuming provenance from X vendor, and they don't publish their thing, you know, publicly, about their build systems, but that I can get access to it, you know, privately, because I'm one of their five customers in the world, then that would make sense, but.
G
Yeah, yeah, I was thinking for some, for a lot of the major builder solutions, they would want some information to be public, and we would want some information to be public, because all of open source uses a selection of these builders. And so that's why I was thinking of a public registry that at least links to where you can get access to some of this information.
G
It says, hey, if you want to know how GitHub manages the security of their builder, then here's a link to their documentation, and maybe you have to sign in, maybe you have to sign an NDA to fully read it, but at the end of the day there's a pointer that says.
E
I put a link, I put a link to the CNCF conformance page for communities, and you do have to scroll through this, because the, how it works is, at the very end, after all the logos, that actually points to all the products that claim compliance, right? And so this is very public. It's some kind of registry, just like you were talking about, you know, of people who claim compliance for their offerings, and they do use that as a bragging right, right.
G
So that would let you keep more details private, so that's something that some of those institutions will want to take advantage of, just because they have secret sauce that they've got to protect or whatever, but I don't really believe in the secret sauce stuff. But that's a personal issue of mine.
F
Right, so this, I thought this was pretty productive. All right, so we know what next steps are: Arno, Joshua and Chris, I think, have an idea to kind of work together to come up with some alternative, and it sounds promising, so great. All right, thanks everyone. Yeah, well, we'll probably talk online through pull requests and chat and things like that, and/or see you next week. Bye everyone, have a great, thank you.