►
From YouTube: SLSA Positioning Meeting (February 7, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A
A
A
A
A
So
I
don't
know
if,
if
you
all
have
heard
about
the
storms
in
Texas,
but
a
lot
of
my
trees
are
down
in
the
backyard,
so
I
have
a
lot
of
chain,
sawing
lineup
to
do
I'm
not
doing
it,
but
it
needs
to
get
done
so.
I
figured
I'd
share
that
little
tidbit
that
if
anybody
else
listens
to
the
recording
or
joined
from
Texas
I
feel
for
you
Okay,
so
updates.
A
C
A
A
That's
the
beginner
session
I
put
myself
and
Laura
Laura
has
slides
already
that
we
can
use
and
we
can
tweak
and
so
she's,
given
talks
like
this
before
so
potentially
you
know
we
we
can
swap
as
primary
secondary
I
know.
Laura.
You
said
you
might
have
travel
restrictions
so
we'll
see
how
that
plays
out
if
it
gets
selected,
but
hopefully
Emmy
will
will
allow
you
to
to
join
if
it
does
get
selected.
A
Oh
I
already
copied
that
and
then
Josh
did
a
fantastic
job
like
I.
Don't
think
he
was
working
on
it
overnight
or,
like
you
know,
previous
to
our
discussion
or
no,
but
he
did
a
really
good
job
of
coming
up
with
a
last
minute,
yeah
abstract
and
talk
for
the
salsa
1.0,
and
we
came
up
with
the
the
the
title
to
tweak
it.
I
don't
know
if
you
have
that
link
Arnel
for
the
for
his.
A
Is
yeah
yeah,
oh
yeah?
Only
if
you
can
find
it
so
we
were
able
to
yeah.
So
we
submitted
all
of
these
this
one.
We
did
put
it
in
as
a
panel,
as
was
discussed
last
week
with
Arno
and
and
Michelle
oh
Michelle,
you're,
here,
global
app,
so
DC
is
accepting
C
Is
there
a
way
we
can
coordinate
on
submissions,
sure
Do.
You
have
a
a
link
to
that.
Yeah.
E
E
E
A
Effort,
so
if,
if
we're
able
to
use
what
we
have
or
what
we
have
submitted,
that
would
be
great
but
I
guess
it
depends
on
what
it
is,
because
two
of
these
are
panels.
Discussions
right,
so
we
need
to
have
a
panel
of
people
to
deliver.
One
of
them
is
a
lab.
We
don't
have
the
tooling
for
it
yet
so,
depending
on
when
this
conference
is,
if
my
Lieberman
as
an
example
would
be
available,
those
are
the
kind
of
things
we'd
have
to
consider
for
that
one.
A
So
it
depends,
but
we
can
definitely
coordinate
that
and
give
you
the
most
of
the
abstract
is
here,
I,
think
I
tweaked
a
few
words
or
something
so
that
grammatically
it
sounded
better.
But
for
the
most
part,
what
we
have
here
is
what
we
submitted.
We
just
added
people
to
the
to
the
panels
or
to
the
talks
yeah.
E
C
A
B
A
E
C
E
E
A
E
Like
so
here's
the
thing:
I
have
my
own
sort
of
supply
chain
sort
of
discussions,
but
I
usually
throw
in
some
Dora
some
mbsp
some
other
stuff,
but
if
I'm,
what
I'm
asking
is?
Do
you
want
me
to
do
it
as
a
salsa
specific
talk?
If
you
want
one
of
those
I'm
happy
because
I'm
local
and
it's
a
backyard
event,
I'm
happy
to
do
that,
for
you
guys
got.
A
E
A
A
If
we
can
agree
on
a
small
subset
of
conferences
and
yes
and
then
anything
an
additional,
you
know
it's
okay,
but
at
least
give
us
a
small
list
of
okay.
This
is
what
we
want
to
Target
I,
think
that
would
be
really
useful,
but
yeah.
Okay,
I
did
put
a
please
sign
in
if
you
haven't
already
up
top
so
this
one
I
think
you
said:
February,
oh
February,
14th
deadline,
14.
my.
E
A
B
F
Hands
yeah,
so
yeah
I
was
just
gonna,
say
yeah
I.
Think
generally
I
can't
talk
to
everybody
but
I
believe,
like
the
majority
of
the
perspective
we've
gotten
has
been
like
yeah
submit
to
you
know
anybody
can
submit
to
anything
whatever
groups
you
know
want
to.
Obviously
there's
going
to
be
a
bit
more
of.
F
We
might
find
a
Kinder
audience
or
a
more
receptive
audience
to
something
like
the
open
ssf
day
or
you
know,
open
source,
Summit
stuff,
that's
directly
aligned,
but
there's
nothing
preventing
us
and
in
fact
we
should
be
encouraged
to
sort
of
reach
out
to
some
of
these
things.
It's
just
I
think
a
lot
of
it
is
based
on
the
individual
groups
and-
and
you
know,
for
example,
what
what
conferences
are
nearby
to
other
folks.
What
conferences
are
you
know,
can
folks
you
know
get
to
and
and
that
sort
of
thing.
C
I
completely
agree
with
you,
Michael
I
mean
so
I
have
participated
in
this
kind
of
committees.
For
a
long
time,
I
mean
the
general
kind
of
thing
role
is.
You
know
there
are
main
conferences
like
the
LF
open
source
Summit
there.
We
definitely
need
to
coordinate,
because
otherwise
we
would
have
many
people
submit
similar
content
or
presentation.
That
would
not
be
very
helpful,
but
then
be
beside
this.
You
know
there
are
plenty
for
the
conferences.
Anybody
is
welcome
to
go
and
talk
to
whatever
they
want
correct.
A
C
E
Right
but
I
I
just
want
to
be
on
message
and
I
mean
I've
I've
brought
up
salsa
before
another
talks,
I've
done,
but
if
I'm
gonna
it
seems
like
this
is
an
opportunity
to
be
on
message
and
really
push
the
message
of
salsa
in
a
vendor
neutral
way.
That
is
really
at
the
heart,
like
OAS
conferences,
are
very
strict
about
vendor
neutrality
right
and
they
re.
You
know
just
like
a
lot
of
the
Linux
Foundation
ones,
so
I
think
it's
a
good
opportunity.
That's
why
I
brought
it
up
yeah.
A
No,
no
absolutely
yeah
I
think
we're
trying
to
even
do
the
whole
maintainer
track
thing.
Open,
ssf,
slash
or
rather
open
source
Summit
doesn't
have
a
maintainer
track
and
they
don't
plan
on
it
this
year,
but
maybe
next
year,
and
so
that's
what
we're
trying
to
do.
It's
like
it's
anybody,
like,
like
folks,
said
anybody
can
do
a
talk
on
salsa
I
can
do
a
talk
on
salsa
just
for
IBM,
but
that
that's
not
what
we're
trying
to
do
here.
A
We're
trying
to
do
a
a
community
talk,
so
the
maintainers
or
the
leads
or
the
people
that
are
actively
participating,
actually
give
the
talks.
So
we
can
come
up
if
we
can
get
get
a
short
list
of
key
conferences
right
and
put
them
here.
That
would
be
fantastic,
and
then
we
can
try
to
see
okay.
One
of
the
deadlines
are
for
those.
What
can
we
reuse
or
what
do
we
need,
maybe
to
come
up
with
new
I?
Think
that
would
be
helpful.
F
F
F
As
an
example,
different
groups
within
the
cncf
get
maintainer
tracks
or
they'll
like,
for
example,
tag
security,
which
I'm
a
member
of
in
in
the
cncf,
gets
like
a
few
hours,
just
sort
of
dedicated
to
themselves
that
they
can
do
as
they
see
fit,
and
it
would
be
nice
to
be
able
to
see
like
on
something
like
an
open
ssf
day.
If
there
was
something
like
a
maintainer's
track
or
a
projects
track
where
stuff
like
you
know,
openssf
could
get
I'm.
F
Sorry
like
salsa
could
just
automatically
just
sort
of
get
in,
and
then
we
can.
You
know
this
group
here
can
decide,
along
with
the
broader
salsa
Community
say
like
hey.
We
have
two
slots
cool
so
if
folks
want
to
talk
about
stuff
on
their
own,
they're
still
allowed
to
submit.
But
if
you
want
to
have
a
talk
that
represents
salsa,
here's.
Here's
where
you
fit
in
I
think
that
would
be
useful.
They
just
said
that
that
sort
of
thing
needs
to
be
discussed,
I
believe
with
the
attack
yeah.
A
A
I'm
I'm
blanking
out
here,
there's
Jennifer
Bligh
and
then
there's
another
I
think
it's
Jen,
but
there
was
two
people
that
they
told
me
to
add
to
the
conversation
and
we
asked
you
know:
is
there
a
maintainer
track?
Is
there
an
open
ssf
day
they're
like
oh
we're,
not
100
on
open
ssf
day,
the
tech
still
has
yet
to
finalize
that
decision.
A
So,
potentially,
when
that
happens,
we
might
be
able
to
bring
it
up
when
they
start
talking
about
open
ssfs
and
if
there
are
plans
to
have
a
maintainer
or
project
slot
for
the
key
areas
that
they're
trying
to
focus
on
again,
I,
don't
know
what
their
plan
is.
I
know,
Arno.
You.
You
regularly
attend
the
tech
meetings.
A
C
C
A
G
C
C
A
E
G
C
G
Yeah
on
attack
me
into
that
I
know
that
that
came
up
and
it
was
pretty
much.
The
question
was:
how
much
time
is
needed
and
I
think
Jennifer
mentioned
something
about
30
days
is,
is
sufficient
I
I
mean
debatable,
but
I
think
where
they
all
landed,
though
collectively
was
that
there
would
be
an
open
ssf
day.
A
C
C
C
Of
them-
and
it
was
always
the
same
like
very,
very
high
level
and-
and
it's
always
planned
kind
of
last
minute-
so
there's
very
little
time
to
do
any
kind
of
formal
call
for
participation
with
program
committee
and
all
I,
don't
know.
I
know
Ava
wanted
to
have
the
thing
done
better.
So
maybe
that
will
happen.
A
D
D
A
Awesome
thanks
for
joining
so
you're
catching
the
tail
end
of
some
of
our
conversation.
We
just
submitted
some
talks,
as
a
positioning
group
we've
been
trying
to
at
least
for
this
year,
make
sure
that
we
do
submit
talks
at
conferences
that
we
try
to
write
more
blogs
and
kind
of
evangelize
salsa
educate
the
community
about
salsa,
and
so
that's
why
we
were
talking
about
the
open,
ssf
and
so
I
do
have
a
thread
with
see
Rob
and
David
wheeler
and
Jen.
G
A
There
you
go
Jennifer
blight,
oh
and
I
am
running
out
of
battery.
Give
me
one
second
I
need
to
move.
I
just
realized
my
battery,
and
so
I
do
have
a
conversation
with
them,
and
I
asked
about
open
ssf
day,
so
I'll
probably
keep
pinging
them
to
say,
where's
the
link
for
the
submission,
and
so
once
again.
D
The
cfp
for
the
the
Vancouver
event
is
open,
but
I
guess
there's
not
one
for
open,
ssf
I
would
be
the
the
thing
about
openness
at
FDA
and
part
of
the
reason
that
I
have
maybe
thought
about
not
doing
things
at
open
ssf
day
specifically,
is
because
yeah
it's
it
I,
don't
know
how
many
new
people
show
up
there
and
if
it's
not
new
people,
how
much
of
an
echo
chamber
are
we
just
creating
by
presenting
to
people
that
already
know
about
this
stuff
versus
like
new
people?
That
will
actually
learn
something.
A
Yeah
for
open
ssf,
they
we
at
least
in
this
group,
were
envisioning
a
high-level
talk
of
all
of
what
we've
done
or
going
to
do,
but
we
have
submitted
talks
to
the
General
open
source
Summit
and
that
actually
closed
already
for
Vancouver.
So
we're
really
now
just
talking
about
okay.
When
is
open,
ssf
day
cfp
going
to
come
up,
because
it
would
be
good
to
have
a
slot
to
talk
about
all
things
salsa
and
if
it's
not
just
salsa.
D
C
I
didn't
see
it,
but
it's
it's
pretty
typical.
They
do,
but
in
any
case
I
mean
Jonathan
the
you
know
the
we
don't
know
how
they're
going
to
run
this
openness
a
safe
day.
We
only
know
how
they've
run
them.
There
have
been
three
of
them
I
think
so
far,
and
they
all
have
been
very
high
level.
There
is
a
desire,
as
I
was
saying,
to
make
them
a
bit
more
structured
with
you
know,
having
giving
more
people
an
opportunity
to
speak
up
during
open
ssf
day.
D
A
A
The
open,
ssf
landing
page,
so
Tracy
already
gave
me
the
template,
so
I
will
have
to
find
the
link
for
the
template,
but
I
will
share
the
template
and
we
need
to
start
crafting
what
we
think
we
want
on
that
landing
page
and
part
of
that
landing
page.
Hopefully,
would
be
that
press
release
right.
So
hopefully
we
can
coordinate
it,
sync
it
in
in
time,
so
that
we
can
do
both
and
have
more
visibility.
That
way.
A
The
other
thing
is
about
chain
guard.
Did
some
survey
about
what
the
industry
thinks
about?
Salsa
I
have
asked
Tracy
if
chain
guard
could
provide
a
pre-review
at
the
very
least
to
the
Sig
leads,
so
that
we
can
prepare
a
follow-up
response
not
to
alter
the
findings,
but
if
they
say
these
are
the
deficiencies
we
can
talk
to
saying.
Okay,
well,
1.0
addresses
this
now
or
our
roadmap
in
Q4
is
going
to
address
this
right.
So
she
she
agreed
to
that.
A
The
pre-release
is
supposed
to
be
sometime
soon,
so
I'll
have
to
keep
tabs
on
that,
but
there
will
be
some
sort
of
pre-release.
That
I
will
ask.
At
the
very
least
the
Sig
leads.
I,
don't
know
if
I'll
be
able
to
open
up
further
than
that
and
it'll
probably
be
a
private
review,
because
it
is
a
pre-release.
It
won't
be
recorded.
A
Unfortunately,
so
once
it
does
get
released,
we
can
have
blogs
available
ready
to
talk
about
what
the
chain
guard
findings
were
or
what
the
industry
was
thinking
about,
salsa,
so
just
kind
of
a
heads
up
on
those
things.
So
these
were
all
things
that
I
talked
to
Tracy
Miranda
about
I
think
it
was
last
week
or
the
week
before.
I
can't
remember.
A
A
A
B
A
F
Yeah
also
source
is
not
really
in
much
of
the
1.0
release,
where
we're
mostly
focused
on
given
the
sort
of
lack
of
tools
in
the
source
end,
or
rather
I
should
say
the
lack
of
sort
of
Cutting
Edge
tools
on
the
source.
End
we've
been
mostly
focused
on
the
build
in
because
that's
where
a
lot
of
you
know
the
the
effort
has
been.
A
A
So
like
this
as
an
example,
was
a
template
that
she
gave
me,
and
so
we
would
want
to
create
something
like
this
I
know
that
there's
been,
for
example,
people
presenting
about
their
implementation
of
salsa.
We
might
want
to
link
those
recordings
or
presentations
here.
Here
are
the
recent
news
Etc
so
and
and
then
these
are
the
other
links,
so
it
doesn't
have
to
just
be
about
going
to
salsa.dev.
A
It
could
be
about
new
announcements
or
things
coming
up
and
how
it
plugs
into
the
overall
openness,
ssf
mobilization
plan,
but
hopefully
hoping
that
we
can
have
that
1.0
release
recording
here,
because
I
think
Tracy
said
that
this
page
aligned
very
well
with
their
update
or
their
release.
I
can't
remember,
and
so
it
gave
it
even
more
visibility,
I'm
so
hoping
that
we
can
get
that
squared
away.
So
I'll
have
to
find
the
template
that
she
gave
me
and
then
I'll
share.
A
It
all
share
it
out
with
you
all
on
Slack,
and
then
we
can
kind
of
start
putting
in
ideas
of
what
we
think
we
want
in
there
and
how
we
might
want
to
change
things,
and
they
have
some
editors
that
will
help
with
the
overall
design.
But
at
the
very
least,
if
we
can
give
them
a
high
level
idea,
and
we
can
give
them
the
content,
then
they
can
focus
on
actually
the
implementing
foreign.
A
A
A
A
A
A
lot
of
people
aren't
going
to
be
part
of
that
conversation
or
have
been
part
of
that
conversation.
So
there's
going
to
be
a
a
big
question
mark
once
they
see
that
it's
specifically
for
build
and
not
build
and
source,
and
so
I
think
a
Blog
about.
That
would
be
a
good
idea,
but
any
any
other
thoughts
on
other
things
that
we
could
talk
about
for
the
1.0
release.
F
So
I
think
one
of
the
big
ones
that
that
is
still
confusing
folks
and
I.
Think
it's
something
that
I
know.
This
is
part
of
what
we're
trying
to
do
with
the
positioning
group
anyway
is
really
sort
of
educating
folks
like
how
salsa
differs
from
an
s-bomb
and
why
it's
kind
of
different
than
what
an
s
bomb
is
and
how
it's
different
than
you
know,
there's
a
bunch
of
different
things
that
have
come
out
even
just
in
the
past
few
days.
There's
something
called
the
p-bomb
and
there's.
A
F
A
Yeah,
yes,
I
think
that's
where
yeah
I
think
I
had
salsa
provenance,
but
I
could
just
say
salsa
instead
of
salsa
provenance,
because
there's
that
discrepancy
right,
that
a
lot
of
people
see
including
myself
right.
So
if
I
have
that
that
idea
of
hey
this
is
not
quite
aligning
to
the
nist
definition.
Other
people
are
going
to
think
the
same
thing,
and
so,
if
we
can
clarify
you
know,
this
is
what
it
is
or
isn't
with
respect
to
the
the
nist
definitions
or
oauth
definition.
G
G
D
A
G
A
Yeah,
it's
it's
I,
don't
think
the
communications
have
been
working
well
and
so
I
need
to
create
a
meeting
to
say:
okay,
let's
do
this
live
because
I
don't
think
we
I
think
we're
disagreeing
fundamentally
on
what
it
should
or
shouldn't
be
and
then
I
feel
like
there
has
to
be
a
happy
medium.
So
we're
going
to
table
that
Jay.
Not
not.
This
call.
A
F
I
don't
want
us
to
get
because,
even
with
within
the
Linux
Foundation,
there's
a
thing
that
there's
a
Linux
Foundation
project
called
d-bomb.
There's
a
lot
of
these
different,
which
is
one
of
the
reasons
why
also
I,
like
I,
don't
want
to
get
into
it
here.
But
it's
like
Salsa's
trying
to
be
something
very
narrow
and
and
specific,
and
we
don't
want
to
get.
You
know
because
I
think
there's
a
lot
of
folks
who,
who
all
have
disagreements
on
on
what's
complete?
What's
not
yeah
yeah.
A
So
I
think
I
think
this
is
a
really
really
important
conversation
even
before
the
1.0
comes
out
right,
because
I
think
it
might
help
set
up
the
1.0
a
little
bit
when
it
is
time
to
release,
but
there's
a
lot
of
conversations
happening
in
this
space
and
when
you
look
at
the
nist
document
and
they
talk
about
provenance,
they
mentioned
salsa
right,
and
so
this
says
provenance
and
mentioned
salsa
as
a
reference.
But
salsa
does
not
reference.
A
This
definition
of
provenance,
so
there's
a
disconnect
there,
and
so
that
is
part
of
the
conversation
is
trying
to
figure
out.
Where
is
that
happy
medium?
And
what
are
we
truly
trying
to
aim
for
and
if
we
come
to
okay,
this
is
it.
This
is
what
we're
going
to
aim
for
we're
not
straying,
then
it's
a
position
that
we
have
to
communicate
out
to
the
industry
of
this.
Is
it
and
this
is
why
and
let's
just
move
on
right.
F
F
Yeah
and
with
you
know
so
one
of
the
things
that
I
think
is
really
useful.
That
nist
does
is
nist
has
like
all
those
citations
to
other
things
and
examples
so
that
they
could
show
like
hey.
You
know
we're,
maybe
not
100
in
line
with
this
other
thing,
but
you
know
here's
here's
you
know
where,
where
we
do
a
line,
here's
where
we
don't
align
with
that
said,
there's
still
going
to
be
lots
of
I.
Just
you
know,
throwing
you
out
there.
F
F
So
one
other
thing:
I
think
that
is
we.
We
talk
about
a
little
bit
in
the
blog
but
gearing
up
for
1.0
related
to
that
s-bomb
versus
salsa
Providence.
There's
also
the
other
piece
which
is
like
nist
ssbf,
the
secure
software
development
framework
versus
this
versus
there's
there's
an
O
wasp,
one
called
scbs
I
believe
is
the.
F
A
F
Yeah,
yet
yeah
so
I
mean
I.
I
know
a
little
bit
about
that
one
as
well
I
think
once
again,
I
think
where
nist
I'd
be
I,
think
where
we,
where
we're
well
positioned,
is
more
in
the
Simplicity
of
it.
You
know
the
S,
you
know
I
believe
to
be
once
again
the
folks
who
make
scps
don't
believe
so,
but
or
some
of
the
folks
I
should
say,
but
but
I
believe
that
salsa
is
a
compliment
to
scvs,
but
yeah
there's
a
lot
of
interesting
stuff.
There
application.
F
A
C
Yeah
but
Michael
I
mean
the
way
I
see
it
is
very
shortly.
You
know
is
on
the
one
end
we
have
salsa,
which
started
with
build
environment
information
and
is
moving
toward
extending
to
have
like
artifact
references
which
basically
gives
you.
You
know
Source
dependencies
information,
and
so
it's
evolving
in
that
direction
and
the
as
bomb
people
are
doing
the
same
walk
but
from
the
other
end
they
started
with
the
source
in
from
the
finances
information
and
they
are
moving
towards
adding
build
information.
C
So,
unfortunately,
it
means
that
we
have
an
overlap
with
two
communities
coming
from
different
and
and
going
towards.
You
know
the
same
other
end
but
Crossing.
You
know
in
parallel
Crossing
each
other
and
not
really
meeting
anywhere.
Unless
we
try
to
make
it
happen,
and
so
I
would
say
you
know
those
kind
of
accidents,
you
know
happen,
but
it's
if
we
can
try
to
enable
some
convergence.
If
we
can
I
think
we
should
try.
B
A
B
A
Put
it
in
here
yeah.
Thank
you
because
it's
hard
for
me
to
find
things
when
I'm
sharing.
Thank
you.
Yeah
yeah
I,
do
remember
that
one.
We
did
not
cover
the
software
component
verification
standard,
but
we
did
Cover,
ssdf
and
I
know
even
Brandon.
Lum
I
think
he
had
an
F-bomb
versus
salsa
blog
but
yeah.
This
one
was
talking
about
it
used
to
be
Trifecta,
and
then
we
talked
about
these
three,
but
this
was
based
off
version
dot.
One.
A
A
F
F
G
Yeah,
but
you
can
problems
page,
though,
if
you
go
to
salsa.dev
backslash
provenance,
that
page
is
still
that
page
is
still
visible
and
it'll
say
underneath
not
that
one
it'll
say
version
1.0,
that's
the
one
I
found
that
one's
there
and
it'll
say:
retired,
oh
so
yours
just
automatically
goes
for
that.
I'll
show
I'll,
show
you
my
screen
and
show
you
with.
G
C
D
G
A
A
C
G
G
Yeah,
as
a
matter
of
fact,
I
got
there
I
wonder
if
I
wonder
if
it'll
do
it
again
and
by
the
way
this
is
the
first
time
I've
ever
gone
to
this
site
on
this
system,
so
I,
usually
look
at
I
usually
go
on
my
on
my
other
system,
because
that's
my
other
system
is
the
one
I'm
usually
attending
meetings
on,
so
it's
the
first
time
I've
gone
there,
so
it
wouldn't
be
cashed,
but
I'll
show
you
here,
of
course.
Now
it's
going
to
probably
take
me
to
the
last
thing.
G
A
A
A
C
Think
I
think
the
problem
is,
and
we
haven't
had
a
chance
to
talk
about
this
in
the
spec
working
group.
But
I
was
texting,
but
you
know
it's
based
on
the
tools
that
are
available
today
and
they
it's
either.
You
pretty
much
do
nothing
you
salsa
one
or
if
you
use
the
right
tool,
you
get
to
salsa
3
right
away,
and
so
that's
why
this
spec,
or
this
page
basically
skips
salsa
to.
F
Yeah,
we
should
still
have
something
there,
but
I
think
salsa
yeah,
salsa
too,
is
is
the
only
real
difference
between
Salsa.
What
is
also
two
is
It's.
Also
two
is
you're
signing
it,
but
it's
like
it's
really.
You
know
a
a
really
minimal
change
compared
to
salsa
3,
which
is
you're
signing
it
and
you're
doing
the
right
things
to
protect
the
the
signing
material
from
Attack
right.
A
A
A
Your
recommendation,
but
it
shouldn't
be
the
we're
gonna,
ignore
your
use
case
or
the
way
you
want
to
migrate
right.
It
should
be
if
you
want
to
do
it
this
way.
You
can
go
one
two
three,
but
we
would
recommend
based
off
our
experience,
that
you
go
directly
to
three
and
start
with
three,
but
you
shouldn't
discount
people
wanting
to
do
one
and.
F
Yeah
I
think
the
original
a
lot
of
the
original
stuff
was,
if
you
don't
have
yeah,
if
you
don't
already
have
CI,
let's
say:
if
you
don't
already
have
a
build
system,
then
hitting
three
is
pretty
straightforward,
but
if
you
have
something
that
is
one
well
at
least
you're
starting
or
if
you
have
something
that's
close
to
one
at
least
you're
starting.
It's
just
that.
F
As
you
know,
a
lot
of
folks
I
think
you
know
on
this
call
no
like
if
you're,
building
out
CI
pipelines,
often
that
stuff
is
a
huge
amount
of
tech
debt.
So
it's
if
you're
starting
off
new
and
you
don't
have
something
that
exists.
It's
probably
easier
to
hit
three
than
it
is
to
say
well,
I'm,
going
to
start
and
hit
one
and
then
I'm
going
to
go
up
to
two
and
then
go
up
to
three
I.
F
A
Okay,
so
we
are
over
on
time
and
I
do
have
a
volunteer
event
to
go
to
so
I
will
have
to
cut
it
here,
but
thanks.
Everyone
for
joining
I
will
send
out
meeting
notes
later
today
and
I
will
make
sure
to
emphasize
the
the
landing
page
template.
So
that
way
folks
can
review
and
start
adding
comments
or
content
so
that
we
can
kind
of
just
get
that
done.