From YouTube: SLSA Tooling Meeting (March 24, 2023)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
C
Yeah, it's... what, afternoon there, right?

C
I'm still trying to get more... there's a few folks who reached out to me about, like, hey, I can't make this meeting, you know, because they're all California and like...

C
Well, but, we'll see, yeah.

C
Wonderful technology, yeah. Well, folks are joining. I'm going to... oh. What happened to the... there was a document attached to this thing. Oh right, because I need to reach back out to the Ops folks to try and fix that, yeah.

C
And yeah, feel free to, you know, feel free to add your name to the attendance.

C
Nice to meet you. So yeah, we can get started. As a reminder, this meeting is being recorded; it'll be uploaded to YouTube sometime soon.

C
And your participation in this meeting is an agreement to abide by the OpenSSF code of conduct. Well, okay, so first off, are there any new members who want to introduce themselves?

E
Yes, of course. From Italy, I'm working at the Kubernetes company; we have our own distribution of Kubernetes, and I'm here because we have been digging a lot in the past five months into supply chain security. We contributed to the Italian version of the supply chain security book on the CNCF TAG Security repo, and I'm here just to know more about the SLSA framework, tooling and all the stuff around it. So it's a complex topic, so I just want to learn more.

C
Cool, glad to have you. And I'm a contributor... I was a contributor to the English version of that, the TAG Security supply chain book.

C
Cool, all right. So, as I guess, there's not a lot on the agenda for today. Just as... and just post this again in here. Not a lot on the agenda for today. I know one of the big things is, and good for some people, bad for others, looking at maybe rescheduling the meeting, or trying to have some sort of meeting...

C
That's also convenient for some of the folks who are out in California. And the reason being is that a lot of the folks who are currently writing a lot of the SLSA tools, like a lot of the ones that are, you know, in our... this, underneath the SLSA framework, all work out of California, and so they've been... are working out on the West Coast, and so they've been asking, hey, is there a more convenient time to run this meeting? And so there's a Doodle poll that's up.

C
And so yeah, feel free to put stuff in that poll and we'll see. I mean, I don't know if maybe this meeting is still fine for coordination, and maybe we have kind of like a meeting that's a bit more convenient for some of the individual projects, just to kind of chat through stuff. Once again, I don't want to necessarily say, hey, we should have more and more and more meetings, but trying to make something...

C
That's convenient for everybody is obviously impossible, but we might be able to still maybe make something like every other week or something that is a meeting convenient for folks on the West Coast, and every other meeting is a meeting that's convenient for folks...

C
You know, in Europe and so on. Because also now we have a few folks, who I believe are from Oracle, who have been working on Macaron, which is a tool that they've been building out that can generate reports based on SLSA compliance and can do a bunch of SLSA verification. And they work, I believe, out of Australia, I think that's what they were saying, or somewhere in the Pacific, and they seemed interested in joining as well.

C
Most of the feedback is mostly clarifications. It's nothing like... nobody's really said anything specific that they feel like SLSA is bad or that we're totally on the wrong track. It's mostly stuff like, we split up isolated and ephemeral into isolated and ephemeral, and now we've turned it back into, I believe, isolated.

C
You know, in space kind of thing, where an isolated build should not be able to manipulate other builds that are running at the same time, and ephemeral was, hey, a previous build should not impact a future build. And I think the problem is that that was also getting confused, and so we just sort of renamed it back to isolated and we sort of said, what does that mean? It should not be able to... you know, a previous build... you know, we're just saying both of those are just isolated.

C
So yeah, I think there's some open... you know, there's still some open questions on exact wording, and feel free to kind of put that in there. But there's nothing, I think, nothing really from the tooling perspective that really needs to be there. I think most of the tools that folks have been building should be able to do this sort of thing, right, where nobody is sort of keeping... or hopefully nobody is claiming SLSA compliance...

C
While, you know, not cleaning up build environments after they run and allowing sort of future builds to read stuff from the environments of previous builds. So that's really the only big sort of change I've seen. Like, there's a few other things that are clarifications, like musts versus shoulds and those sorts of things. Or no... is there anything, because I know you've been keeping track of a lot of this, is there anything in any of the rewording that you think impacts how some of the tools should be written?

D
Well, there's the... well, I'm not sure there have been so many changes, to be honest, but I think there's definitely been some clarification as to what is expected of the different parties. We try to better specify what's the responsibility of the producer versus the consumer versus the ecosystem, like package, you know, producer, kind of distribution ecosystem. And so depending on where you are in that food chain, you probably need to, you know, have a close look at, you know, whether it has impacted you or not.

D
We had some, for instance, clarification as to, you know, who sets expectations with regard to what, you know, needs to be verified, and especially between the producer and the consumer. And so in the end, I mean, there were some changes that were contemplated; I think we kind of came back, so it's closer to what it was in the previous version, so there may be fewer changes now than there were for a moment.

D
A release candidate 2, so there's going to be another specification being published with another at least two-week review period before we call it final. But there's been a lot of editorial changes, and this is what makes it a bit challenging. There were so many changes put in, which, you know, don't get me wrong, I think it's for the better; this spec is much better off now. But, you know, it's hard to sometimes identify, okay, is that just editorial?

D
You know, there's been, for instance, some clarification about what isolation means, right, in the case of SLSA, isolated, then, you know, versus ephemeral and other things. And so, you know, some of this, depending on how you read it, you know, the clarifications that are being made may not necessarily align with what you expected, the way you, you know, individually read the spec in the first place.

D
So, for that reason, I'm a bit prudent as to, you know, saying... well, you know, I think everybody has to really take another read and compare, you know, see if it's still in sync with the mental model you had before. Because I think that's where there may be, you know, a bit of a mismatch in some cases, because, depending on how you read the spec, because that's so clear, you know, you may have had a different interpretation than the way it's been clarified.

C
Cool, yeah, yeah, that makes sense. Oh sorry, not sure what happened to my tab here with...

C
Cool, yeah, no, yeah, I think a lot of details there are changing. So I don't know if there's anybody on this meeting who's actively working on any of the tools. I mean, I know Brandon and myself sort of, kind of, but we're very much reliant on the upstream tool that we use, Tekton, to actually support 1.0. But I don't know if there's anybody else who maybe is looking to have their tool, like, not...

C
You know, they're not looking to necessarily use a tool, but they're looking to sort of implement a tool that could either create SLSA provenance or verify SLSA provenance or validate SLSA provenance. Anything like that?

A
This runtime attestation that me and Aditya, we have been looking into, that creates these runtime attestations for the build. We got the in-toto spec 0.1 approved within the in-toto team, and I think the idea is to basically have a part... I think he had some initial implementation for that; we need to... with the integration with Tekton Chains. So once you run your Tekton pipeline, the runtime attestations get created.

A
There's some, yeah, there's some other work going on with the Tracee team also and with Witness. So there are other two tools that are also very interested in doing the similar attestation. So maybe at some point we will converge and we'll make some decision how we can go forward.

C
Yeah, I know that those sorts of runtime attestations were something that was being discussed originally as maybe a way to help prove out SLSA, like something like a SLSA 4, but now with SLSA 4 sort of put on the back burner to a future version...

C
I think there's a... I think probably soon, one of the things that I think folks, once 1.0 goes out, folks are going to be interested in hearing probably more about that sort of runtime attestation or runtime verification stuff, because I think that's super important and one of the things that was, hey...

A
Yeah, and there are a few other use cases that I'm trying to explore around how can, once we generate these attestations, what, I mean, beyond just attestation? Can we use that log to get some more insights into the build, right, like where the dependencies came from? Can we generate some bill of materials out of it and validate them? So yeah, so maybe in one of the next meetings we can go in, we can present that.

A
Yeah, yeah, exactly. And I think I can post the link, so 0.1. For this, we basically proposed a predicate in in-toto and they basically approved it and merged it at 0.1.

B
I mean, I can also mention, I think most of you folks already know or heard me talk about it, but of course my team is working on both SLSA provenance generation and consumption via the npm CLI and package ecosystem. Of course.

C
Yeah, is that still... are there any updates, or still just kind of being...?

C
Yeah, I know. I spoke to Matt, I think, a little bit about that, because I know there was some discussion about, like, hey, is there any sort of collaboration we could be doing? You know, like, because I know, obviously, that the IBM one is more internal-facing and whatnot, but, hey, are there things that, like, you see that, like, FRSCA, for example, is doing well?

C
That could be, maybe, you know, or things that are maybe missing for something like a FRSCA that folks think should be in there. And I'm still working on that write-up based on the conversation on Wednesday, yeah.

D
No, I understand. And so we are actually engaged with the Tekton, you know, developers, with some of my colleagues actually involved in Tekton development, and so there are some changes we had to make, you know, for that purpose, that we are pushing back into Tekton so everybody can take advantage of those.

D
We don't have the problem that you have with FRSCA with, you know, SPIRE, because we don't use that.

D
We have, you know, HSMs and things like this that do all the management of identity and credentials for us.

C
Yeah, so one of the things actually I can talk about briefly, if folks are interested more, as one of the tools we're working on as consumers of SLSA, and this is very much... it is in no way complete yet, but I just figured, just so that folks understand, like, one of the things that we've been looking at is, you know, you can produce SLSA, you can consume SLSA at like a one-to-one.

C
You know: hey, I have a package, I want to just sort of verify something about that package. But one of the things that we've been exploring through the project called GUAC, which is also open source, is trying to kind of see, like, can we combine SBOM data, SLSA data, all this other data into sort of a larger knowledge graph? And before anybody says anything, I want you to know that everybody who... myself and Brandon Lum, who've been working on it, this piece of it...

C
We are not front-end developers, so please don't hate on our UI here. But, you know, we have been working on some stuff that, like, just to be clear, this is all in sort of a graph back end, and we ingest, you know, gigabytes upon gigabytes of SLSA attestations, SBOMs, and so forth. And so, you know, like, you get nodes and edges, and once again, I know that this is not particularly valuable right...

C
This second, but, you know, we have folks running stuff like GraphQL queries, then, when running those GraphQL queries, they automatically... the nodes get re-added. Some of this is right now very POC, but the idea would be those things like where you have SLSA subjects, and then you have SLSA materials, or no, sorry, they're now resolved dependencies, and those sorts of things.

C
You can then continually follow those resolved dependencies into... see if there's other things that are in there, and can kind of go through and, you know, fetch sort of additional data and that sort of stuff, like where you'll be able to kind of do a bunch of things on that end. And if I go to show just sort of what the data looks like here, if I go and pull up a query in a second...

C
And maybe even make it a little larger here. So, you know, GUAC is using sort of a GraphQL API to actually allow folks to sort of access stuff like SLSA, and so the thing here, and a lot of this right now is just junk test data, that kind of stuff; it's not really demonstrative of the actual sort of data. But the idea here is, like, you know, we can run queries like, hey, find me all artifacts in my supply chain that have SLSA attestations.

C
We are doing stuff like reachability queries, so we can actually sort of say: hey, I have these two artifacts, is there a chain of SLSA attestations between them?

C
Do they all have SBOMs, all that good stuff. Or also stuff like, hey, I have an artifact here, an artifact here: do they depend on each other in some way, and stuff like that. And so we were able to pull out all the sort of SLSA metadata also as well for policy and all that good stuff. And so this is some of the stuff that we're looking at, and, obviously, right now this is supporting...

C
SLSA v0.2 spec, but we, you know, we plan to support 1.0 as soon as that's live. It shouldn't be that bad. But the idea here would be we can go in and, you know, also do queries on stuff like, what has SLSA but no SBOM, or which of my, you know... if I go and I say, hey, this thing says it depends on this...

C
Do I have an SBOM that says it depends on it as well, or is that missing, right? Like, we can do all those sorts of queries to kind of help with policy and all that good stuff. Anyway, that's just something I wanted to kind of bring up, just as a thing that, you know, is being worked on right now, and, you know, as sort of a, like, a second-order...

C
SLSA tool. Like, it's not the tool that is just purely to sort of pull down SLSA and check what's in there, right there; it's to go and actually ingest it all so that you can perform analysis on it later.

A
So Michael, I think the... I have looked into this Dependabot, so I remember in the last Cloud Native SecurityCon they presented some analysis where they are basically capturing this. They are also building the graph and they are putting in the build and these attestations and everything in the graph, and keeping up with the growing dependencies, what changed and everything you can highlight. Maybe we can sync up with that. Yeah.

C
Yeah, that's definitely on the list of things there, yeah. So this is just not... it's not trying to say specifically this artifact, yeah, yeah. It's kind of just sort of, in this case, we're just pulling down all of the metadata related to artifacts, and this could be stuff that's internal, this could be stuff that's external, and just kind of going through. And it's not necessarily just purely for the, like, hey, does this thing have a vulnerability, it needs to be updated; it's kind of whatever you want it to be.

C
Because, if not, we can kind of end it a half hour early. Probably planning in the next week or so to maybe either have a separate meeting specifically for the folks who are working on some of the other pieces, or potentially change the time of this meeting, depending on some of the feedback we get on meeting times.

C
If there's nothing else... oh sorry, somebody says, I think that sounds good. Okay, cool. If not, you can all have a half hour back. Yeah, thanks everyone, bye.