From YouTube: SLSA Positioning Meeting (February 7, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa

A
Bear with me, Zoom was giving me some problems joining, and I think the link in the meeting notes doesn't have the password embedded, and so it wasn't working for me. So I need to change that link. I'm going to edit it right now.

Bear with me while I bring up the notes. Here.

A
So I don't know if you all have heard about the storms in Texas, but a lot of my trees are down in the backyard, so I have a lot of chainsawing lined up to do. I'm not doing it, but it needs to get done. I figured I'd share that little tidbit, so if anybody else listens to the recording or joined from Texas, I feel for you. Okay, so updates.

A
We did submit all the talks, which is awesome. We got to submit all the talks. Let me do... I don't know why these are... oh, I don't want... I want regular bullets. So we submitted all the talks this weekend because of the storms last week.

C
In particular, I don't even know his title. I couldn't find that, but...

A
Correct, yeah, and so I'm gonna copy these up here, because we did submit these, which is awesome, for the AppSec conference.

That's the beginner session. I put myself and Laura. Laura has slides already that we can use and tweak, and she's given talks like this before, so potentially we can swap as primary and secondary. I know, Laura, you said you might have travel restrictions, so we'll see how that plays out if it gets selected, but hopefully Emmy will allow you to join if it does get selected.

A
Oh, I already copied that. And then Josh did a fantastic job. I don't think he was working on it overnight or, like, previous to our discussion, but he did a really good job of coming up with a last-minute abstract and talk for the SLSA 1.0, and we came up with the title to tweak it. I don't know if you have that link, Arno, for his.

A
Yeah, yeah, oh yeah? Only if you can find it. So we were able to, yeah. So we submitted all of these. This one we did put in as a panel, as was discussed last week with Arno. And Michelle, oh, Michelle, you're here. Global AppSec DC is accepting...

C
Is there a way we can coordinate on submissions? Sure. Do you have a link to that? Yeah.

E
Sure, I'm happy to deliver it. Because I'm local, that's the only reason why I bring it up that way, so that nobody has to worry about travel. If we can agree on a deck, I'm happy to do that, as I'm in DevRel, so I do that kind of thing. So...

E
But the deadline is... they extended the deadline. I don't know how this got past me in the first place; I'm usually on all these lists, but I got the follow-up. So they extended the deadline for the CFP until February 13th, so that doesn't give us much time if...

A
Yeah, so I can give you everything. I submitted three, Arno submitted this one, and then Josh submitted the last one. I'm getting the link from Arno.

A
Effort, so if we're able to use what we have or what we have submitted, that would be great. But I guess it depends on what it is, because two of these are panel discussions, right, so we need to have a panel of people to deliver. One of them is a lab. We don't have the tooling for it yet, so depending on when this conference is, if Mike Lieberman, as an example, would be available, those are the kind of things we'd have to consider for that one.

A
So it depends, but we can definitely coordinate that and give you the... most of the abstract is here. I think I tweaked a few words or something so that grammatically it sounded better, but for the most part what we have here is what we submitted. We just added people to the panels or to the talks, yeah.

E
I probably won't, unless we can connect. I don't know if they want to fly in for AppSec DC, but I'm happy to pick one of the ones that isn't a panel. Is it on here? Is it pretty clear which ones aren't panels?

C
And cut short mustard hot panels, the others are not. Okay, yeah.

A
Yeah, there is a deck that we are going to start from, but we haven't finalized that deck in any way, shape or form. So this one is the other one, "Dancing Our Way to SLSA 1.0".

A
This one I would not submit unless it's Mark or Josh, right, that's presenting as the maintainers, "Dancing Our Way"... Yeah, yeah, so yeah.

A
Okay, yeah, and this one Josh did write up. He came up with the write-up, the title. He even came up with the title and we tweaked it, right. So this is kind of Josh's baby right here, versus the rest was done, I know, with you, right? Yeah.

E
So here's the thing: I have my own sort of supply chain discussions, but I usually throw in some DORA, some MBSP, some other stuff. What I'm asking is, do you want me to do it as a SLSA-specific talk? If you want one of those, I'm happy, because I'm local and it's a backyard event. I'm happy to do that for you guys.

A
So that's really the only one I can see right now. That doesn't mean that we can't come up with other ones, but this one wasn't on our radar, this AppSec DC.

E
But if you're not putting AppSec, OWASP events, on our radar, I would recommend that we do. That's our target audience in a lot of ways. Yeah, just a suggestion. Yeah.

A
Well, so it was more from the perspective of the Supply Chain Integrity Working Group, right. I think we're trying to have more alignment together, to try to have the coordinated talks and then try to focus on specific conferences, right.

A
If we can agree on a small subset of conferences, and then anything additional, you know, it's okay, but at least give us a small list of, okay, this is what we want to target. I think that would be really useful, but yeah. Okay, I did put a "please sign in if you haven't already" up top. So this one, I think you said February... oh, February 14th deadline? 14? My...

E
It's the 13th. I have to submit by the 13th. I can just cobble together from that, if that's okay with everyone. I just don't want to piss anybody off. Oh.

A
No problem, yeah. So Mike, did you have your...

F
Hand? Yeah, so yeah, I was just gonna say, yeah, I think generally, I can't talk to everybody, but I believe the majority of the perspective we've gotten has been, yeah, anybody can submit to anything, whatever groups you know want to. Obviously there's going to be a bit more of...

F
We might find a kinder audience or a more receptive audience at something like OpenSSF Day or, you know, Open Source Summit stuff that's directly aligned, but there's nothing preventing us, and in fact we should be encouraged, to sort of reach out to some of these things. It's just, I think a lot of it is based on the individual groups and, you know, for example, what conferences are nearby to other folks, what conferences can folks get to, and that sort of thing.

C
I completely agree with you, Michael. I mean, so I have participated in these kinds of committees for a long time. I mean the general kind of rule is, you know, there are main conferences like the LF Open Source Summit. There we definitely need to coordinate, because otherwise we would have many people submit similar content or presentations. That would not be very helpful. But then besides this, you know, there are plenty of other conferences. Anybody is welcome to go and talk about whatever they want, correct.

E
Right, but I just want to be on message. I mean, I've brought up SLSA before in other talks I've done, but it seems like this is an opportunity to be on message and really push the message of SLSA in a vendor-neutral way. That is really at the heart, like OWASP conferences are very strict about vendor neutrality, right, and they are, you know, just like a lot of the Linux Foundation ones. So I think it's a good opportunity. That's why I brought it up, yeah.

A
No, no, absolutely, yeah. I think we're trying to even do the whole maintainer track thing. OpenSSF, slash, or rather Open Source Summit, doesn't have a maintainer track and they don't plan on it this year, but maybe next year, and so that's what we're trying to do. It's like, like folks said, anybody can do a talk on SLSA. I can do a talk on SLSA just for IBM, but that's not what we're trying to do here.

A
We're trying to do a community talk, so the maintainers or the leads or the people that are actively participating actually give the talks. So if we can get a short list of key conferences, right, and put them here, that would be fantastic, and then we can try to see, okay, what the deadlines are for those, what can we reuse, or what do we need, maybe, to come up with new. I think that would be helpful.

F
Yeah, that would be helpful, and one other thing to add in there. So I was at CloudNativeSecurityCon last week, also representing SLSA at the OpenSSF booth. One of the things that I was bringing up to Brian and some of the other folks who are, you know, at OpenSSF.

F
They recommended that we maybe put up as a topic to the TAC some of this, of just like, hey, generally it would be great to have some of that alignment, like I think I had mentioned before.

F
As an example, different groups within the CNCF get maintainer tracks. For example, TAG Security, which I'm a member of in the CNCF, gets a few hours just sort of dedicated to themselves that they can do as they see fit, and it would be nice to see, on something like an OpenSSF Day, if there was something like a maintainers track or a projects track where stuff like, you know, OpenSSF could get... I'm...

F
Sorry, like SLSA could just automatically sort of get in, and then this group here can decide, along with the broader SLSA community, say like, hey, we have two slots, cool. So if folks want to talk about stuff on their own, they're still allowed to submit, but if you want to have a talk that represents SLSA, here's where you fit in. I think that would be useful. They just said that that sort of thing needs to be discussed, I believe, with the TAC, yeah.

A
Yeah, and I did have that convo. Oh, I think Arno was on there. I don't know, Mike, you were there? No, Bruno and Arno were there, because Bruno was covering for me and then Arno had questions. I reached out to David Wheeler, CRob, I don't know his real name, sorry, I just know the handle.

A
There you go, and Jen. I'm blanking out here. There's Jennifer Bly and then there's another, I think it's Jen, but there were two people that they told me to add to the conversation, and we asked, you know, is there a maintainer track? Is there an OpenSSF Day? They're like, oh, we're not 100% on OpenSSF Day, the TAC still has yet to finalize that decision.

A
So potentially, when that happens, we might be able to bring it up when they start talking about OpenSSF Day, and if there are plans to have a maintainer or project slot for the key areas that they're trying to focus on. Again, I don't know what their plan is. I know, Arno, you regularly attend the TAC meetings.

F
Yeah, yeah, I was just gonna say, yeah, that as far as even just last Thursday, they still hadn't voted on it.

A
Yeah, so that's it in a nutshell. So yeah, and Michelle, I can also work offline with you if you need any other information, and I'll have to double-check my submissions to make sure that I did, like I said, tweak a couple of words.

G
Yeah, on the TAC, to add to that, I know that came up, and it was pretty much, the question was, how much time is needed, and I think Jennifer mentioned something about 30 days is sufficient. I mean, debatable, but I think where they all landed, though, collectively, was that there would be an OpenSSF Day.

G
I mean, it needs to get voted on, of course, but that's where, I mean, the consensus was yes for that. And the only reason why I'm saying that is because if we have any plans, or if we're thinking about it, we might want to get ahead of the curve and decide what we want to do for it now, because I think the window...

F
Okay, yeah, hopefully the CFP opens for that sooner rather than later. As somebody who's been one of the reviewers on the program committees for some of these things, you know, reviewing whatever it might be, like a few hundred submissions, is not an easy task to get done, and often, usually, it's like two weeks or so that you have to review.

C
...of them, and it was always the same, like very, very high level, and it's always planned kind of last minute, so there's very little time to do any kind of formal call for participation with a program committee and all. I don't know. I know Ava wanted to have the thing done better, so maybe that will happen.

A
So I just put in... I see a new person. I don't recall seeing you, but if you wanted to introduce yourself, feel free. If not, that's okay.

D
Yeah, open source security researcher, mostly focused on automating fixes to vulnerabilities at scale through bulk pull request generation. Yeah, that's me in a nutshell.

A
Awesome, thanks for joining. So you're catching the tail end of some of our conversation. We just submitted some talks. As a positioning group we've been trying, at least for this year, to make sure that we do submit talks at conferences, that we try to write more blogs and kind of evangelize SLSA, educate the community about SLSA, and so that's why we were talking about the OpenSSF. And so I do have a thread with CRob and David Wheeler and Jen.

A
There you go, Jennifer Bly. Oh, and I am running out of battery. Give me one second, I need to move. I just realized my battery... And so I do have a conversation with them, and I asked about OpenSSF Day, so I'll probably keep pinging them to say, where's the link for the submission. And so, once again...

D
The CFP for the Vancouver event is open, but I guess there's not one for OpenSSF... I would be... the thing about OpenSSF Day, and part of the reason that I have maybe thought about not doing things at OpenSSF Day specifically, is because, yeah, I don't know how many new people show up there, and if it's not new people, how much of an echo chamber are we just creating by presenting to people that already know about this stuff, versus new people that will actually learn something?

A
Yeah, for OpenSSF, we, at least in this group, were envisioning a high-level talk of all of what we've done or are going to do, but we have submitted talks to the general Open Source Summit, and that actually closed already for Vancouver. So we're really now just talking about, okay, when is the OpenSSF Day CFP going to come up, because it would be good to have a slot to talk about all things SLSA, and if it's not just SLSA...

D
I think the Open Source Summit North America CFP, I thought they extended it to the 14th. Did they?

C
I didn't see it, but it's pretty typical. They do. But in any case, I mean, Jonathan, you know, we don't know how they're going to run this OpenSSF Day. We only know how they've run them. There have been three of them, I think, so far, and they all have been very high level. There is a desire, as I was saying, to make them a bit more structured, with, you know, giving more people an opportunity to speak up during OpenSSF Day.

A
I'm sorry, but there is one that was extended, that Michelle mentioned: there's Global AppSec DC that was extended to February 13th, so I don't know if that's what you're thinking of. But yeah, okay, so quick pivot. I do want to talk about this, because it is important.

A
The OpenSSF landing page. So Tracy already gave me the template. I will have to find the link for the template, but I will share the template, and we need to start crafting what we think we want on that landing page. And part of that landing page, hopefully, would be that press release, right. So hopefully we can coordinate it, sync it in time, so that we can do both and have more visibility that way.

A
The other thing is about Chainguard. They did some survey about what the industry thinks about SLSA. I have asked Tracy if Chainguard could provide a pre-review, at the very least to the SIG leads, so that we can prepare a follow-up response, not to alter the findings, but if they say these are the deficiencies, we can talk to that, saying, okay, well, 1.0 addresses this now, or our roadmap in Q4 is going to address this, right. So she agreed to that.

A
The pre-release is supposed to be sometime soon, so I'll have to keep tabs on that, but there will be some sort of pre-release that I will ask, at the very least, the SIG leads to review. I don't know if I'll be able to open it up further than that, and it'll probably be a private review, because it is a pre-release. It won't be recorded.

A
Unfortunately. So once it does get released, we can have blogs available, ready to talk about what the Chainguard findings were or what the industry was thinking about SLSA. So just kind of a heads-up on those things. These were all things that I talked to Tracy Miranda about, I think it was last week or the week before, I can't remember.

A
Yes, pre-release of survey results, yes, correct. They're gonna do an entire report, is my understanding, and I think they're going to do a blog post about it.

A
So she said that she's willing to do that, so be on the lookout for that. And then again, the web... the OpenSSF landing page, I'll provide a link to that. I don't have it right now. So any thoughts and comments on that?

B
Oh, sorry, quick question. So that's not gonna include the source integrity piece, is it? It's just going to be build integrity. Is that still the case, which...

A
On the press release, yeah, the press release is the SLSA Build 1.0 release, right, what they've been working on, because we do know that that's not including source. Okay, yeah, at least that's what I understood from Isaac, that he's working on it. Yes.

F
Yeah, also source is not really in much of the 1.0 release. We're mostly focused on, given the sort of lack of tools on the source end, or rather I should say the lack of sort of cutting-edge tools on the source end, we've been mostly focused on the build end, because that's where a lot of, you know, the effort has been.

A
So this, as an example, was a template that she gave me, and so we would want to create something like this. I know that there's been, for example, people presenting about their implementation of SLSA. We might want to link those recordings or presentations here. Here are the recent news, etc., and then these are the other links, so it doesn't have to just be about going to slsa.dev.

A
It could be about new announcements or things coming up and how it plugs into the overall OpenSSF mobilization plan, but hoping that we can have that 1.0 release recording here, because I think Tracy said that this page aligned very well with their update or their release, I can't remember, and so it gave it even more visibility. So I'm hoping that we can get that squared away. So I'll have to find the template that she gave me and then I'll share.

A
I'll share it out with you all on Slack, and then we can kind of start putting in ideas of what we think we want in there and how we might want to change things, and they have some editors that will help with the overall design. But at the very least, if we can give them a high-level idea and we can give them the content, then they can focus on actually implementing it.

A
Okay, do we have a new timeline for the RFC, for the request for comment?

A
Got it, okay. So based off of that, I know these were some blog ideas that I was thinking about, in terms of once we go into the RFC phase.

A
Obviously we're going to get a lot of feedback, but if we can start thinking about the one, the developer blog that we started and didn't finish because things changed on us: to finish that developer blog; focus on a "what's new" blog, right, a comparison of old versus new; talk about SBOM versus SLSA provenance, at least from the 1.0 perspective, and what we're doing tactically versus roadmap; and then why we broke up build versus source.

A
A lot of people aren't going to be part of that conversation, or haven't been part of that conversation, so there's going to be a big question mark once they see that it's specifically for build and not build and source. And so I think a blog about that would be a good idea. But any other thoughts on other things that we could talk about for the 1.0 release?

F
So I think one of the big ones that is still confusing folks, and I think it's something that, I know, this is part of what we're trying to do with the positioning group anyway, is really sort of educating folks on how SLSA differs from an SBOM, and why it's kind of different from what an SBOM is, and how it's different from, you know, there's a bunch of different things that have come out even just in the past few days. There's something called the PBOM, and there's...

F
They say, hey, why would I use SLSA and not this, and why would I use an SBOM and not SLSA, you know, those sorts of things. Yeah, I think, at least in my opinion, SLSA's greatest strength is in the fact that it's not trying to be everything.

F
It's just trying to be this one specific thing: hey, we're trying to verify the integrity of source to the artifact, so that you have a better understanding that, yes, what went into the artifact is what actually came out. That doesn't stop things from getting compromised, but it helps prevent these sorts of attacks and those sorts of things, and then provides better information for other systems later down the line, whether it's a PBOM, SBOM, whatever.

A
Yeah, yes, I think that's where... yeah, I think I had "SLSA provenance", but I could just say SLSA instead of SLSA provenance, because there's that discrepancy, right, that a lot of people see, including myself. So if I have that idea of, hey, this is not quite aligning to the NIST definition, other people are going to think the same thing. And so if we can clarify, you know, this is what it is or isn't with respect to the NIST definitions or the OWASP definition...

A
Right, then I think that'll help the conversation of making that distinction, because even someone like myself, I'm still trying to, not connect the dots, but trying to figure out why the gap, right. And I know that's a different conversation, but I think that would probably be aligned with this kind of topic.

G
...don't see a description. SLSA is... you could, you would use SBOMs as part of helping to meet one of the levels in SLSA, like I don't... but in terms...

A
Yeah, it's... I don't think the communications have been working well, and so I need to create a meeting to say, okay, let's do this live, because I think we're disagreeing fundamentally on what it should or shouldn't be, and I feel like there has to be a happy medium. So we're going to table that, Jay. Not this call.

F
I don't want us to get... because even within the Linux Foundation, there's a Linux Foundation project called DBOM. There's a lot of these different ones, which is one of the reasons why, also, I don't want to get into it here. But it's like SLSA's trying to be something very narrow and specific, and we don't want to get, you know, because I think there's a lot of folks who all have disagreements on what's complete, what's not. Yeah, yeah.

A
So I think this is a really, really important conversation, even before the 1.0 comes out, right, because I think it might help set up the 1.0 a little bit when it is time to release. But there's a lot of conversations happening in this space, and when you look at the NIST document and they talk about provenance, they mention SLSA, right. And so this says provenance and mentions SLSA as a reference, but SLSA does not reference...

A
...this definition of provenance. So there's a disconnect there, and so that is part of the conversation, trying to figure out, where is that happy medium? And what are we truly trying to aim for? And if we come to, okay, this is it, this is what we're going to aim for, we're not straying, then it's a position that we have to communicate out to the industry: this is it, and this is why, and let's just move on, right.

F
Yeah, and, you know, so one of the things that I think is really useful that NIST does is NIST has all those citations to other things and examples, so that they could show, like, hey, you know, we're maybe not 100% in line with this other thing, but, you know, here's where we do align, here's where we don't align. With that said, there's still going to be lots of... I'm just, you know, throwing it out there.

F
There's gonna be lots of folks who are going to come in and say, well, my interpretation of this definition is actually separate from, you know, your interpretation of the definition. But I think if we have at least a little bit more there, it can help out. Yeah, yeah.

A
Yeah, at least an agreement between the SIG leads and the key contributors would be nice, because I don't think we even have that right now, especially not with me. And again, I think it might be communication, so we'll table that. Thoughts, questions, comments, other ideas of what we could potentially talk about in terms of a blog?

F
So one other thing I think that is, we talk about it a little bit in the blog, but gearing up for 1.0, related to that SBOM versus SLSA provenance: there's also the other piece, which is like NIST SSDF, the Secure Software Development Framework, versus this, versus there's an OWASP one called SCVS, I believe is the...

F
Yeah, yeah, so I mean, I know a little bit about that one as well. I think, once again, I think where we're well positioned is more in the simplicity of it. You know, I believe, once again, the folks who make SCVS don't believe so, or some of the folks, I should say, but I believe that SLSA is a complement to SCVS. But yeah, there's a lot of interesting stuff there. Application...

F
Yeah, because I believe, if you look at that, there's, like, you know, something like 50 or so requirements, whereas our thing has about, like, ten. Yeah.

C
Yeah, but Michael, I mean, the way I see it is, very shortly, you know, on the one end we have SLSA, which started with build environment information and is moving toward extending to have artifact references, which basically gives you, you know, source dependencies information. And so it's evolving in that direction, and the SBOM people are doing the same walk but from the other end: they started with the source and dependencies information, and they are moving towards adding build information.

C
So, unfortunately, it means that we have an overlap, with two communities coming from different ends and going towards, you know, the same other end, but crossing, you know, in parallel, crossing each other and not really meeting anywhere, unless we try to make it happen. And so I would say, you know, those kinds of accidents happen, but if we can try to enable some convergence, if we can, I think we should try.

A
Put it in here, yeah. Thank you, because it's hard for me to find things when I'm sharing. Thank you. Yeah, yeah, I do remember that one. We did not cover the Software Component Verification Standard, but we did cover SSDF, and I know even Brandon Lum, I think he had an SBOM versus SLSA blog. But yeah, this one was talking about, it used to be the trifecta, and then we talked about these three, but this was based off version 0.1.

A
So that's the only thing about it. This is older, so we might need to do an update to this based off of 1.0, so maybe update it to say previous or 1.0 spec. So I think that's going to have to get done too.

G
The link to SLSA provenance, that link doesn't work.

F
So now it's actually just considered a draft on the actual SLSA page. So if you click SLSA, I believe it's just the normal thing, just like... so if you just change the v... yeah, one point... yeah, there we go.

G
Yeah, but you can... the provenance page, though, if you go to slsa.dev backslash provenance, that page is still visible, and it'll say underneath... not that one... it'll say version 1.0. That's the one I found, that one's there, and it'll say "retired". Oh, so yours just automatically goes to that. I'll show you my screen and show you with...

C
...there to search for it, but I guess, geez, it's like cache or, like, yeah, the bookmark. There you go.

G
Yeah, as a matter of fact, I got there. I wonder if it'll do it again. And by the way, this is the first time I've ever gone to this site on this system, so I usually go on my other system, because my other system is the one I'm usually attending meetings on. So it's the first time I've gone there, so it wouldn't be cached, but I'll show you here. Of course, now it's going to probably take me to the last thing.

C
Browsers... click on the link from where... this is a Chrome browser.

A
Could be. Okay, let me see. I've lost my windows here. There you go, share Chrome. You should see this. Okay, SLSA level two is skipped?

B
Oh yeah, I was just looking at the Get Started page, and I didn't know if it was on purpose, but there's "Reaching level one" and then "level two" and then... I was just wondering if there's a reason why we don't talk about level two.

C
I think the problem is, and we haven't had a chance to talk about this in the spec working group, but I was texting, but, you know, it's based on the tools that are available today, and it's either you pretty much do nothing, you're SLSA 1, or if you use the right tool, you get to SLSA 3 right away. And so that's why this spec, or this page, basically skips SLSA 2.

F
Yeah, we should still have something there, but I think SLSA 2 is... the only real difference between SLSA... what SLSA 2 is, is you're signing it, but it's really, you know, a really minimal change compared to SLSA 3, which is you're signing it and you're doing the right things to protect the signing material from attack, right.

C
Two, yeah. And in fact the pull request, I can tell you, is coming, and it says if you haven't started, you might as well just aim for SLSA 3 directly, because you're kind of wasting your time going through L1 first and L2, because it's not a linear progression anyway, and the work you do getting to one and two is kind of maybe a waste of time.

A
Your recommendation, but it shouldn't be "we're gonna ignore your use case or the way you want to migrate", right. It should be, if you want to do it this way, you can go one, two, three, but we would recommend, based off our experience, that you go directly to three and start with three. But you shouldn't discount people wanting to do one and...

F
Yeah, I think a lot of the original stuff was, if you don't already have CI, let's say, if you don't already have a build system, then hitting three is pretty straightforward. But if you have something that is one, well, at least you're starting, or if you have something that's close to one, at least you're starting. It's just that...

F
As, you know, a lot of folks, I think, on this call know, if you're building out CI pipelines, often that stuff is a huge amount of tech debt. So if you're starting off new and you don't have something that exists, it's probably easier to hit three than it is to say, well, I'm going to start and hit one, and then I'm going to go up to two, and then go up to three.

A
Okay, so we are over on time, and I do have a volunteer event to go to, so I will have to cut it here. But thanks, everyone, for joining. I will send out meeting notes later today, and I will make sure to emphasize the landing page template, so that way folks can review and start adding comments or content, so that we can kind of just get that done.

A
Oh, okay, I'm gonna copy-paste, because I'm gonna lose those. Yeah.