From YouTube: SLSA Tooling Meeting (October 14, 2022)
Description
No description was provided for this meeting.
A: So anyway, I posted the notes in the chat. Feel free to add your name and, from my end, feel free to put anything in the agenda. I don't really have anything personally. On my end, I haven't put anything in there just because I've been super busy with KubeCon and a couple of the other conferences and whatnot that are coming up.
A: Yeah, yeah, definitely. Actually, that was probably going to be the one thing I want to add on to the agenda, because I have a feeling we're going to probably cancel next Friday. Since people are going to start flying out, people are going to be probably really busy, so most likely cancel next Friday, and the one thing on the agenda for my end is...
C: And so I'm gonna be there as well, and also at SigstoreCon. Okay, awesome, it's on Tuesday.
C: Yeah, Mike, on that topic of KubeCon, I wonder if we, as the tooling working group, can have like an agenda to try to further, you know, some of our things within the KubeCon space in person. I'm not going to be there, but it'd be interesting.
A: So, well, actually, before we get into that, why don't we just... so I don't know if there's anybody (my Zoom's a little weird), if there's anybody new on the call who wants to introduce themselves.
C: Yeah, I'm new on the call. This is Sandra Monroe, I'm with Anaconda. Typically Preston sometimes shows up to the call from Anaconda, but we're both in the open source security group, so we'll be attending, and it kind of became their sponsor. So we're also going to be attending more often.

A: Sure, cool, awesome, thanks. And what talk... you know, here, let me just put this. So the one that I'm participating in, and Parth is, we have a FRSCA talk.
A: You know, we're gonna go into building using FRSCA and then taking the output attestations from FRSCA and ingesting it into stuff like GUAC, which GUAC is, you know, another open source tool that's intended to be sort of a graph that helps you sort of figure out, like, what has SLSA attestations, what claims are being made in those SLSA attestations, what identities are associated with it, and do I trust and allow it to sort of be used by policy, and that kind of thing.
A: Does anybody else... no, I know that there's a couple of... I think I saw something on the Sigstore side. There's a couple of... they don't make it easy to look at the...
C: Parth and I, we are doing another talk on runtime attestation at SecurityCon on Tuesday.
C: Yep, to the notes there, and I was...
A: There's also another talk coming from... specifically, I actually put that as well. There's going to be a talk on GUAC, which is one of the tools on the ingestion side. So we're ingesting.
B: Mike, about that GUAC thing, I had a chance to look at a bit of the documentation on that. How close are you related to that... is the supply chain maturity model being discussed over in the CDF, that one deals with the attestation lifecycle? It's also a Google initiative, too. Is it... it deals with attestation lifecycle, deployment, release management?
B: The only thing it doesn't talk about is the end of life, but it's definitely the stage after SLSA, and what you do with the artifact lifecycle. This is artifact ingestion and all that. When it comes to GUAC, I'm just curious how closely related those are, and with the discussion around that, it's like...
A: If we can get enough folks on board... just from, like, there's just too many meetings, too few people, but if we can get more folks, we want to kind of also take a look at some of that as well. But GUAC right now, from our end, is mostly just, like, wrapping the knowledge graph piece.
B: Right, yeah, I'm part of those meetings, so, like, I mean, I caught wind and I immediately signed up and jumped on, because even in their documentation they talk about being an add-on back piece to SLSA. I mean, they actually say that right in there, in their mission, in the vision statement, so I like to think that these things could all work hand in hand.
B: I was just curious to see what the nature of the conversation might be, with GUAC dealing with attestation and telling us what that whole graph... that knowledge analysis around that, the whole graph knowledge analysis, and they deal with actual lifecycle on the back end. So what happens with the attestation? What is obtained, and the evidence, what's obtained, and how you maintain a lifecycle of that, GUAC.
C: Go ahead. Yeah, so they... you know, the meeting, I think the kickoff meeting happened last week. So the next meeting is on the 18th, right. I think a lot of people couldn't attend. So there was... and I couldn't attend myself. So I'm actually part of that group also, so I'm definitely going to bring up the whole, you know, GUAC piece and see how that all integrates and how that can fit into that maturity model and everything. So I think the discussion is definitely relevant. It just hasn't happened yet.
A: All right, so looking through, just so... this is just a cursory glance here. So I do see at SigstoreCon...
A: There is... and I'll just copy the link into the agenda. There is an approach to SLSA for... yeah, okay, and I'll just add the link there.
C: It... and then I think that there's...
C: There is, for Cloud Native Security... oh geez.
A: Doesn't look like there's anything at Cloud Native SecurityCon. Yeah, I don't know if anybody's familiar with any other sort of talks happening that are related to SLSA. If not, we could also add in any talks that folks just think are going to be valuable while out there. If there's any talks that anybody who's on this call is going to be giving that they think is... you know, just to publicize their own talk.
A: Cool, so yeah, we can now kind of go and just say...
A: If folks feel comfortable, for the people who are going to be heading out, do folks want to just include, like, an email that they can kind of... and we can maybe, after this call, we can send out an email just to see who wants a meetup for coffee, or in between sessions, and have a chat. Sounds good.
C: Oh, I just kind of really quick wanted to bring up, so for the runtime attestation, we are looking for feedback, and I can link, in terms of the predicate. So we created a new predicate type for runtime, and I'll link it in the chat here, but so it's kind of... it's more in line in terms of it's going to be more evidence for SLSA.
C: So, for example, like, you know, if SLSA is saying it needs to be a hermetic build or something, right, you can go and check the runtime attestation to see if there is any kind of, you know, TCP connects being made, all that kind of stuff, right. So evidence on top of, you know, what SLSA is providing, so you can take a look at that link I sent over. Basically, you know, we're trying to look for feedback, and we're trying to make it very generic.
C: For this example, we kind of used Tetragon, but we want to support the other tools. So if there's any kind of, you know, feedback in terms of what fields are missing, you know, if we should include other information, you know, like such as materials. Do we need to include hashes? Like, is that too much overlapping information, or does that not fit in? So if anyone kind of wants to give feedback, that's open for discussion.
A: Cool, yeah, and I think actually, more broadly, that's something that's been brought up a couple of times, I think in the specification meeting, just around how do we interop between different metadata, you know, sources, so that, like, hey, if there's additional information coming from the build itself, right, so from stuff like what happened in the build or whatever, is there ways we can tie that back into SLSA? Are there ways we can sort of create specifications of the individual build types?
A: So if I have a GitHub build type, I should be expecting these elements in the invocation, or something like that, and so for this it sounds also like, hey...
A: While the build is running, we probably also want to capture metadata and still have it tie back to some of the stuff in SLSA. I know we could easily do that just by saying subject hashes match and then they'll be there, but I think that there's still something, probably outside the scope of this meeting, but that we should probably still chat about.
A: So to what, I think it was you, Aaron, who was saying, for the folks who are going in person, or who, you know, are even virtually watching, if there's anything that we should focus on. Yeah, just perfect for...
C: My intention is more like, because we're trying to talk to some folks that are, you know, in different ecosystems, right, so, like, I wonder if it would be good to try to identify who...
C: And I think I was also kind of intending more like, in addition to that, you know, if we were able to meet with anyone from, you know, like npm kind of affiliate, or even like PyPI, et cetera, like if any of those types of people were there, that would help. It seems like what we're trying to do, of course, right, and, like, talk about that, because I know, Mike, you've been kind of talking about, you know, what are they expecting, so that could be a good opportunity, yeah.
A: Actually, I'll ask Frederick, because he's been working alongside some of the stuff with GitHub and npm. Do you know, Frederick, do you know if there's folks who are working on npm who are going to be at KubeCon?
A: Yeah, I'm not super familiar with any of the other folks. Do you know if anybody from OCI is going to be there?
A: Well, I might ping you later, Brendan, to see if we can, you know, even just set up something like a 15-minute chat or something, just so we can kind of talk through what some of the challenges might be, and what some of the stuff that we're trying to do, between, you know, getting ourselves ready for that.
D: It's merged to main, it's a release candidate. So it's going to be a long while before we actually do a GA release on that. The thing we'll eventually be waiting on is to see some of the upstream registries implement, opt in, give us a thumbs up on their side, and it's a chicken and egg problem. They don't want to move before CI moves, and CI doesn't want to move before they move. So it's just trying to get that community buy-in.
A: Yeah, yeah, if there's anything from our end that you think, in the sort of ingesting from OCI based on the new manifest and distribution spec changes and all that good stuff, if there's stuff that you think we can focus on, you know, definitely keep us in the loop, because... I mean, I guess the idea here is that it would not break existing stuff? I don't know.
A: Actually, a good question is: is there, like, a reference implementation of a registry in this new spec yet, or...
D: I think there's probably a branch under the CI playground that we set up a while back. So there is something for distribution that people want to play around with, and what I've seen is distribution itself is working on some of the PRs and changes on their side, so they can actually put it upstream on their repo.
D: The other thing that might interest you is that at the little mini summit, a couple of us are talking about how can we standardize when you're shipping around things like SBOMs and attestations, all this stuff. We've got the format for saying here's how you can package an artifact, here's how you push it up to a registry, here's how you associate it with an image.
D: We want to try to document the standards around... we don't want to define the standards ourselves, because it's kind of outside of our body, but we at least want to document what it should look like: what are the specific media types on the artifact, on the individual layers, so that if someone pushes, I'll pick an example, if someone pushes an SPDX artifact up to a registry, what's the actual artifact media type, what's the layer media type or the blob media type, so that someone else looking it up can say...
D: So that is being discussed, because there's a lot of different ways you could write it, because, for example, SPDX has the +json on the end of their thing, but you could also say it's application/json as the individual blob media type. A lot of questions up in the air there, where there are multiple ways you can implement it and still be perfectly valid in the spec, and it'll be nice to say, here's the one way everybody should be doing it.
A: Yeah, yeah, that actually brings up another thing I wanted to bring up as a separate agenda item. We can put a pin in it now, while we're continuing this conversation. But one thing I did want to bring up is the...
A: What tools are generating, like, valid SLSA versus mostly valid SLSA? I know we had run into this problem early on with, I think, some stuff in Tekton Chains and a few others, where it's like, oh, there was, you know, mostly a typo in a key field, you know, or in certain cases, certain things were... you know, people were putting in strings when it was really an object that contained a string, like that kind of thing, and, you know, this is an ongoing problem that we've been discovering with stuff like SPDX.
A: It's just SBOMs in general. As it turns out, very few people are generating SBOMs actually compliant with the spec; they're formed similarly, but they're not actually valid. And I'm curious, especially as we start to also look at ingesting that metadata coming from SLSA, if a lot of those things are not quite well formed, it's going to make ingestion really, really difficult, and so I was curious. I think we should... probably this group should maybe do a little bit of a survey.
A: Anybody else have any thoughts on some of that? Would it be... yeah.
A: Yeah, so that was definitely something we were... we've been chatting about. One of the things I've done, for better or worse, and I have it up somewhere, I'll go and fetch it a little later, but I have a spec that I wrote in CUE.
A: Probably, obviously, don't want it in something just purely like... you probably wanted something a bit more widely adopted, like JSON Schema, but I know some other folks have also talked about, hey, could we create, like, a protobuf out of it? You know, something that can be used in a couple of different models. But yeah, I think definitely it's gonna be like a JSON Schema would be valuable there. Mark, do you have any thoughts?
D: Yeah, I think it would be valuable. It's just a matter of putting the time in to do it. Like, writing raw JSON Schema is not pleasant.
D: Although, you know, perhaps we want to make a change that, like, we should, you know, make it protobuf compatible. In particular, the issue is that we have these, like, opaque objects, that kind of... the type is defined by some other field. Protobuf has a way of doing that. It's called an Any field, but it's protobuf specific.
D: You have to include a URL to the descriptor, the proto descriptor, so I thought it was, like, too proto-specific, especially since we're not serializing as protobuf, the wire format; we're serializing as JSON. So basically I thought about that and then I just kind of gave up and worked on other things. Having a proper JSON Schema or something like that, I think it would be the best thing to do.
A: Yeah, I just linked something that I did work on a while back. I don't think this is quite... CUE, I think, is not quite there. I should double check to see what the level is eventually, but yeah, I do think the thing that, as you sort of mentioned, is sort of you kind of want to have additional restrictions on what's actually happening in there.
A: So you want to add, like, constraints. That is not... so I'm not a super expert in protobufs, but I know by default it's mostly just sort of types, like, hey, this is a string, this isn't, this is a struct of these things. But the thing that I noticed that CUE allowed for, which was really nice, is you could say this is a time field, this is a string of length five, this is a...
A: This is a string that matches this regex, and yada yada. The problem has been that certain things aren't available quite yet, like things like, hey, this should be a valid URL, and encoding that just purely in CUE involves awful regular expressions, or, you know... but ideally you want to be able to hook back into something like a validator in something like Go, where you could say, yep, this should be a valid...
A: But yeah, I mean, and the other thing that CUE can do is, I think, I don't know if it got merged, but they have two-way syncs also with both JSON Schema and, I believe, protobufs as well. So you can have a JSON Schema become CUE and CUE become a JSON Schema, and CUE become a protobuf, and import a protobuf, as well as, I believe, also Go structs: you can parse Go structs and generate a schema out of it.
A: So I'll just add a note for myself. Do we have a... Mark, do you know if we have an open issue for that already in GitHub?
D: The other complexity is slightly complex, again, I think JSON Schema would support all this, because it's very flexible, but again, I didn't want to write it by hand. It's because, like, we have this... I think the main thing, the complexity is due to, like, the layering concept, because we have the... well, the outer wrapper's opaque, the envelope, but then, like, the in-toto thing just has a JSON object that could have an arbitrary schema, and so that's, I think...
D: One thing, you know, it's like in two different specs, like one is in the in-toto repo, one is in ours, and so that adds a little bit of complexity, although you could always just describe just the SLSA predicate JSON schema. I don't see an issue in our repo for that.
A: Cool, yeah, I agree with you about the JSON Schema stuff. I know there's a couple of other libraries that contain stuff like structs from other languages, or all these other things, and just sort of generate JSON Schemas out of them.
A: Mostly around KubeCon in... oh wow, sorry, the 14th, in I guess about 10 days.
A: Cool, any other topics? Anything else folks wanted to bring up?
A: Okie dokie, so we can end it a bit early today, and I... everybody's on board with us canceling next week, because I think most folks, you know, at least half of the folks here, are going to be on a flight to KubeCon. All right, cool, well, for the folks who are going to be at KubeCon...
A: I'll need to set up... I'll send out a group email to the folks who put their name on there. If additional folks, if you're familiar with somebody who wasn't able to attend this meeting but will be there and you think they'd be interesting to talk to, feel free to add them to... you know, ping me in Slack or something like that, and we'll add them to the email list. And cool, see you all in a couple weeks, or after KubeCon.