►
From YouTube: SLSA Specifications Meeting (June 26, 2023)
A
Hey
everybody
welcome
back
after
a
holiday
week
in
the
U.S
as
a
reminder,
if
you
could
register
your
attendance
in
the
meeting,
notes
and
add
any
agenda
items
that
you
might
have.
A
I
see
one
from
Mike
and
just
the
regular
issue
triage
and
walk
with
the
new
members.
A
We
could
welcome
new
members,
although
looking
at
the
list
I
think
I
don't
see
anyone
new
here,
but
if
I'm
mistaken
please
speak
up
is
Chris
here,
yeah
Chris
Chris.
Do
you
want
to
go
through
the
triage.
B
A
You're
on
it
thanks
Chris
I
assume,
that's
you
typing
or
whoever's
typing.
Next,
let's
put
this
here.
D
D
All
right
so
yeah
so
got
a
little
bit
of
more.
You
know
just
talking
to
folks
and
and
and
been
in
some
meetings
regarding
sort
of
salsa,
V1
I.
Think
generally,
you
know.
Some
of
this
is
obviously
stuff
that
we're
talking
about
in
the
SEI
positioning
group,
but
some
of
it
I
think
is
related
to
some
of
the
things
that
we're
doing
here,
largely
folks,
I
think
are
very
they
like
the
they
like
how
mostly
straightforward
salsa
V1
is.
D
It
seems
very
understandable,
very
clear
and
so
on.
The
the
areas
where
folks
seem
to
be
most
confused
by
is
just
okay,
but
but
how
do
I
actually
implement
this
now,
even
if
there
is
some
like
you
know,
obviously,
there's
there's
more
than
enough
companies
out
there
that
can
help
folks
implement
it,
but
from
a
representative
example,
standpoint,
I
think
folks
are
trying
to
look
at
stuff
Beyond.
D
Just
purely
the
you
know,
the
the
other
feedback
I
got
was
like
hey
if
I'm
not
looking
at
a
SAS,
if
I'm
some
giant
company
who
has
a
Jenkins
or
a
team
City
or
you
know
whatever
else
right
what
what?
What
sorts
of
things
like
you
don't
have
to
tell
me
exactly,
but
what
sorts
of
things
are
folks
doing?
D
I
think
that
sort
of
thing
seem
to
be
some
interest
in
and
and
also
understanding
what
is
the
status
of
some
of
the
tools
that
are
out
there
like
there
seemed
to
be
some
interest
on
on
figuring
out,
like
you
know,
are
there
salsa
V1,
compliant
tools
and
yada
yada
and
that
that
seemed
to
be
the
the
big
feedback
I've
been
getting
even
just
in
the
past
couple
of
weeks.
A
E
I
had
feedback
and
sorry
I've
been
out
for
a
while
one
of
the
things
that
one
of
the
product
teams
here,
they're,
obviously
trying
to
implement
salsa
and
they're
having
issues
with
them
even
and
generating
that
provenance
for
Maven
packages
and
I
know
npm
has
done
something
with
regards
to
it's
also
one:
do
you
know
if
there's
a
contact
or
plans
on
helping
like
the
maven,
you
know
repository
or
you
know,
package
manager
for
Java
specifically
help
become
or
help
people
become
salsa
compliant.
D
So
is
the
a
question
I
have
is:
is
the
issue
here
that,
like
npm,
has
built-in
support
for
public
packages
and
you're
looking
for?
Is
there
going
to
be
built-in
support
for
like
Upstream
Maven,
to
support
salsa,
or
is
the
thing
here
that
may
even
like
building
a
package
in
Maven
is
difficult
to
do
via
salsa.
E
E
The
other
issue
they're
having
is
like
when
you
are
doing
I
know
it's
also
not
nothing
to
do
with
tecton
or
tecton
tool
genes,
but
when
they,
when
you're
a
pass,
you
know
platform
as
a
service
and
you're
trying
to
generate
a
salsa
provenance
for
a
customer's
application,
the
tool
chains
or
the
or
you
know
the
pipelines
they're
generating
provenance
for
the
underlying
infrastructure
right
which
the
customer
doesn't
really
care
about.
E
E
Of
whether
you're
Amazon
or
Google,
Cloud
or
IBM
Cloud
customers
shouldn't
care,
what's
underneath
they
should
just
get
an
attestation
that
says
yes,
I
am
salsa
level,
three
build
compliant
and
they
don't
necessarily
need
to
know
the
details
of
what's
underneath
but
still
being
able
to
verify
so
I
know
those
are
two
different
things,
but
that's
the
two
feedback
that
I've
been
hearing
from
some
of
the
people
internally.
D
On
that
second
part,
I
think
that's
nobody
has
to
the
idea
here
is,
is
it's
if
you
trust
you
know
Google,
let's
say
then
you
TR,
you
know
if
you
I'm
just
saying
like.
If
you
trust
cloud
provider
XYZ
with
a
salsa
build,
then
you
are
trusting
the
underlying
infrastructure.
You
don't
need
to
know
everything
about
that
infrastructure
and
in
fact,
like
I
I'm,
pretty
sure
it's
also
isn't
clear
enough
about
it.
I
I
don't
know.
D
Maybe
we
could
be
even
clearer
just
to
kind
of
really
hit
that
home,
but
I
I
do
believe
that
you
know
and
correctly,
if
I'm
wrong,
there's
there's
the
idea
here.
Is
we
have
that
idea
of
the
trusted
control
plane
and
as
long
as
you
know,
you,
as
the
end
user,
are
saying:
yes,
I
trust
this
control
plane,
then
then
I
don't
necessarily
care
about
the
underlying
infrastructure.
D
Like
you
know
the
details
on
how
all
that
stuff
is
done,
that's
one
bit
as
far
as
the
maven
piece
I
think
it's
worthwhile,
obviously
to
sort
of
pull
in
other
folks
who
might
be
interested
in
building
out,
Maven,
tooling
and
and
so
on,
but
I
I
believe
you
know.
This
is
where
some
of
this
here
might
be
worthwhile
to
to
you
know:
I.
You
know,
based
on
I,
think
some
recent
conversations
I
think
it's
up
to
the
industry,
to
you
know
build
Maven
tooling.
D
For
for
this
sort
of
thing,
I
don't
know
if
there's
anybody
who
is
currently
building
anything
out
of
that
I
know
that
yeah
Nicole
sort
of
posted
here
there's
there's
some
work
on.
D
There's
been
some
work
on
witness
attesters,
but
they're
not
they're
slightly
different
than
salsa
testers,
but
they
might
be
able
to.
You
might
be
able
to
kind
of
use
that.
C
F
Yeah
so
I've
been
working
on
the
salsa,
GitHub
generators
and-
and
we
have
three
Java
builders-
that
we're
going
to
announce
next
month,
one
for
Gradle,
one
for
Maven
and
one
four
J
releaser,
which
is
a
Java,
build
action.
E
It
helps,
but
some.
E
It
does
help
some,
but
not
everybody,
uses
GitHub
action
as.
E
You
know
internally,
we
use
GitHub,
Enterprise
and
the
way
the
GitHub
Enterprise
Works
internally,
it's
behind.
What's
on
public
GitHub
Enterprise,
not
because
of
our
choosing,
and
so
it
doesn't
have
GitHub
actions.
So
we
can't
even
have
that
as
an
option,
so
it
does
help,
but
it
would
be
good
like
npm
right
if
Nathan
was
able
to
kind
of
do
this,
for
the
industry
versus
everybody
having
to
come
up
with
something
on
their
own.
G
On
our
side,
we
have
our
own
build
system,
and
what
we
do
is
that
we
are
going
to
distribute
only
the
things
and
our
customer
needs
to
reproduce
the
bills,
but
nothing
about
the
control
plane
itself
and
basically
the
control
plane
does
not
impact
the
output
of
the
build
it.
Just
it's
an
automation
for
us,
but
it
doesn't
impact
the.
So
that's
where
we
stop
the
provenance
for
us,
I,
don't
know
if
it's.
E
If
that
is
helpful,
I'm
just
curious,
you
know
if
a
customer
wanted
to
verify
right,
how
do
they
verify
that
attestation
right
if
they
don't
have
the
provenance
file
to
verify
against,
because
that
Providence
file
might
share
too
much
information?
E
D
I'm
now
I
think
a
little
confused.
There
never
mind,
never
mind.
B
So
I
think
the
scenario
you're
describing
is
what
vs
says
they're
for
where
you
can't
share
full
provenance,
because
it's
sharing
too
much
information.
But
you
do
want
to
offer
some
some
attestation,
that's
also
was
was
done
and
that
the
artifact
beat
some
level.
E
C
H
H
So
I
I
did
something
weird
that
like
I,
can
take
an
s-bomb
and
very
Providence
I,
don't
recommend
it,
but
that's
what
I
needed
to
do
for
my
clients.
D
So
I
think
some
of
my
confusion
because
I
think
there's
there's
two
separate
problems
here.
One
is
making
a
generation
of
the
provenance
easy
when
you
run
something
like
Maven,
because,
like
npm
itself
also
is
probably
worth
pointing
out
that
npm
uses
the
GitHub
generator
for
the
provenance
and
currently
doesn't
support
anything
outside
of
that
I
mean
they
do
plan
to
support
potentially
other
SAS
Runners
for
sort
of
the
npm
side
of
things.
So
so
that's
actually
something
separate
as
well,
which
is
like
yeah.
D
They
actually
don't
support
like
you
can't
use.
D
As
far
as
I
know,
you
can
still
generate
salsa
Providence,
but
it's
not
through
that
built-in
npm
piece
I
believe
somebody
can
correct
me
if
I'm
wrong
there
and
then
then,
on
the
other
end,
is
the
actual
sort
of
like
yeah
I,
don't
want
to
potentially
give
them
everything
and
then
and
and
then,
how
do
I
do
that
like?
E
Yeah,
so
for
the
npm,
if
npm
is
providing
it's
also
provenance
for
a
given
package,
and
maybe
a
misunderstanding
this:
why
would
it
matter
that
they're
using
GitHub
action
because
they're
providing
it.
D
But
because
you
need
to
so
in
this
case,
it's
it's
for
open
source
projects,
mostly
for
open
source
projects
here,
and
the
idea
here
is:
if
I'm
an
open
source
provider,
I
can
go
and
say:
hey
I
am
using
I
am
using
something
and,
and
that
thing
is
generating
salsa
Providence
and
it
gets
pushed
to
npm.
But
npm
has
said
they
will
only
take
provenance
from
approved
Services
right
because
got
it.
D
It's
now
on
npm
to
say
who
do
I
trust
from
a
salsa
build
perspective
and
in
this
case
obviously
npm
Microsoft
everything
else.
It's
very
easy
for
them
to
save
right
now,
at
least
that
for
for
GitHub,
but
I
do
believe
that
they're
planning
to
support
git
lab
and
other
Circle,
CI
and
and
others
as
well.
But
but
at
that
point
I
believe
the
idea
is
and
in
fact
they've
pretty
Str.
They
pretty
much
said
like
there's
no
way
for
them
to
just
sort
of
take
a
random
person.
D
E
Got
it?
Okay,
thanks
for
clarifying
and
appreciate
all
the
feedback
I
might
reach
out
to
a
couple
folks
afterwards,.
F
Yeah
I
wanted
to
get
back
on
the
What
Michael
said
on
npm,
only
trust
certain
Builders
I
guess
that
makes
sense,
but
I
I
think
there
would
also
be
some
value
of
having
I
mean
some.
F
It
would
be
good
to
have
provenance
even
if
it's
not
signed,
because
if,
if
other
people
can
then
verify
that,
maybe
when
they,
when
they
run
the
build,
they
get
the
same,
the
same
content
or
maybe
they
they
just
want
to
rebuild
and
decide
that
they
don't
want
to
use
the
Upstream
package
that
could
also
be
you
know,
having
unsigned
provenance
can
basically
provide
some
hints
on
how
to
build
the
package.
Basically,
if
some
people
don't
feel
comfortable,
you
know
using
the
Upstream
package
or
something
like
that.
E
Yeah
I
think
that's
what
I
was
envisioning,
that
it
didn't
matter
what
it
was
from
an
npm
package
standpoint
right,
some,
you
know,
would
be
trusted
and
some
others
wouldn't.
But
at
least
you
would
still
have
data
about
that
package
and
you
wouldn't
have
to
create
it
on
your
own.
E
A
Well,
in
in
a
in
terms
of
other
feedback
from
V1
I've,
also
heard
from
a
couple
like
in
my
discussions
with
other
implementers
within
my
company,
the
I
think
there's
still
more
work
to
do
to
make
well
I
guess
two,
two
main
things:
one
I
think
we
still
have
more
work
to
do:
make
salsa
more
like
the
build
track,
more
clear,
like
what
the
objectives
are
and
exactly
like,
similar
to
Mike
said
like
how
to
actually
implement
it,
because
I
still
think
it
is
not
the
point
where
someone
just
picks
up
and
just
does
it
like.
A
For
example,
what
is
the
relationship
between
external
parameters
and
resolved
dependencies?
There's
been
a
lot
of
back
and
forth
discussion
about
that,
for
example,
trying
to
write
those
real
quick
like,
for
example,
if
you
take
a
git
repo
as
a
parameter,
and
you
accept
like
a
a
URL
and
a
branch
name.
Ultimately
that
gets
resolved
to
some
sort
of
commit.
A
Where,
like
do
you
just
record
those
as
two
separate
fields
and
then
normalize
it
in
resolved
dependencies?
Do
you
just
record
and
resolve
dependencies?
Because
it's
only
like
it's
kind
of
duplicate
information?
Do
you
normalize
it
into
a
URL
in
external
parameters,
so
that
way,
it's
in
kind
of
a
standard
format?
A
Do
you
put
the
commit
in
external
parameters?
I
mean
I,
have
opinions
and
I've.
You
know
interpreted
that,
but
I
don't
think
it's
at
to
the
point
where,
like
I,
feel
like
we
need
documentation
and
kind
of
like
sort
of
like
applied
rulings
or
almost
something
like
that
where
we
say
you
know,
these
are
our
suggestions.
It
kind
of
looks
like
this.
A
A
There
is
possibly
as
separate
thing
of
the
thing
to
be
built
in
GitHub
actions,
for
example.
That
is
not
a
parameter.
It's
a
two
are
the
same,
but
in
other
systems
like,
for
example,
Google,
Cloud
build
or
tecton,
you
could
have
I'm,
not
sure
about
technology,
but
Google
Cloud
build.
You
could
have
it
as
two
different
parameters
and
then
like
a
bunch
of
additional
stuff
in
some
sort
of
schema,
usually
key
value
pairs,
but
not
always
so
that
might
be
some
value
in
in
just
because
they
all
kind
of
represent
the
same
stuff.
D
Yeah,
so
on
on
the
two
things
you
put
put
out
there
so
on
the
first
one
I
think
yeah,
so
we
we've
heard
similar
and
and
one
of
the
things
that
I
think
we
at
least
initially
came
to,
and
obviously
you
know
be
interested
in
feedback
is
having
duplicate.
Information
is
better
than
not
having
the
information
at
all,
so
at
least
to
start
off
with
I.
D
Think
folks
would
be
seem
to
be
okay
with
something
like
yeah,
it's
okay,
to
maybe
say
that
you
know
I
have
the
commit
ID
duplicated
in
both
as
a
parameter
as
well
as,
let's
say,
the
the
dependencies
or
whatever
there
seem
to
be
like
folks,
seem
to
be
okay
with
that
sort
of
thing,
because,
like
hey
I'd
rather
capture
it
in
multiple
places
than
forget
to
capture
it
in
one,
you
know.
D
So
that's
that's
one
thing
and
then
to
the
other
point
you
brought
up
so
one
of
the
things
we're
working
on
and
you
know,
we'd
love
to
open
source
soon
is
we're
starting
to
poke
around
with
the
idea
of
almost
like
a
salsa
API.
So
the
idea
is
I
have
a
salsa
Builder.
The
salsa
builder
takes
in
some
parameters
and
an
output
is
a
is,
is
a
salsa.
D
It
is
a
is
a
salsa
attestation
and
then
the
idea
here
would
be
whatever
the
implementation
is
is
obviously
you
know
you
need
to
from
a
conformance
standpoint,
but
the
actual
API
should
be
pretty
straightforward
of
like
what
are
the
expected
inputs
and
then
what
are
the
expected
outputs,
and
so
that's
something
that
I
think
we've
also
been
poking
around
with,
but
I
think
yeah
on
that
end,
I
think
it
would
be
worthwhile
to
kind
of
talk
about
maybe
some
best
practices
at
some
point
around
like
yeah.
What?
D
What
do
folks
normally
expect
from
an
input?
Sorry
normally
expect
for
like
a
salsa
build
to
require
as
far
as
inputs,
and
what
should
you
know
and
and
what
are
the
sort
of
conditions
for
the
API
and
then
what
would
the
expected
outputs
be
and
then
obviously
the
implementation
itself
is
is
very
clearly
defined
in
some
of
the
salsa
pieces,
salsa
levels.
A
Yeah
that
makes
sense
and
I
I,
think
yeah
I
think
something
to
make
this
easier.
Another
piece,
I've,
also
I'm
running
into
like
repeatedly
is
foreign
I,
think
we
have
an
open
Bug
for
this.
Our
issue,
like
the
need,
maybe
I,
think
we
need
to
be
more
upfront
about.
The
idea
is
that
you
model
the
build,
like
you
define
some
interface
like
you,
draw
a
box
around
the
build
and
say
the
external
parameters.
A
Are
things
Crossing
that
interface
and
we're
not
really
describing
the
details
of
what
goes
on
inside,
because
that
comes
up
a
lot.
For
example,
a
lot
of
CI
CD
systems
have
like
multiple
levels
of
abstraction.
A
There's
like
a
workflow
and
the
workflow
has
like
a
pipeline,
say
or
something
like
that,
and
that
has
multiple
jobs
and
each
they
each
run
in,
like
a
VM,
say,
and
the
jobs
had
multiple
tasks
which
may
be
run
in
containers
and
are
you
describing
like
how
they
work
and
that
level
of
deep
tail
because
it
comes
up
with
like
this
information
could
be
useful.
A
That
information
could
be
useful,
and
so
you
kind
of
get
off
in
I
I
feel
like
a
misleading
track
like
that,
you
know,
I
feel
like
those
that
information
is.
We
should
be
thinking
about.
What
is
the
use
case
for
why
you're
doing
that,
and
like
s-bomb,
for
example,
is
designed
to
have
that
level
of
detail,
and
so
I
think
that
we
probably
need
more
guidance
around
like
what
information
recording,
how
we
model
it
and
why
and
to
limit
the
amount
of
work.
A
D
Yeah
I've
actually
heard
similar
feedback.
A
lot
of
the
feedback
I've
heard
is
that
hey
I,
don't
necessarily
need
provenance
for
these
QA
tests.
That
I'm
running
that
are
other
steps
in
my
CI
CD
pipeline
I
only
really
care
about
getting
it
for
the
the
actual.
You
know
my
package,
the
the
whether
it's
like
I
built
a
container
and
here's
how
I
built
it
or
I
built
this
go
app
and
and
here's
what
how
it
here's
the
inputs
of
the
go
app.
D
All
these
other
pieces,
though
maybe
long
term,
are
important
for
something
like
a
salsa,
maybe
not
super
important
right
now,
where
the
the
bigger
thing
you
know
to
kind
of
go
back
to
a
little
bit
of
what
melbo
is
saying
is
like
Hey:
how
do
I
just
get
it
from
my
War
file?
That's
the
thing:
I
care
about
yeah
yeah,.
C
H
Yeah
so
I
I
think
I
understand
the
question
a
bit
differently
and
I
tried
to
answer
and
see
if
it's
recorded
what
you
were
asking
so
in
my
own
Providence
creation
and
actually
in
all
of
my
evidence,
creation
not
only
like
results,
are
provenance.
One
I
find
it
useful
to
like
normalize
I
call
these
like,
like
it's
groups
of
fields.
H
So
if,
if
you're
talking
about
the
build
so
I
have
a
pipeline
object
with
a
workflow,
a
job,
a
build
ID,
a
actor
I
have
some
normalization
and
then
I
go
over
all
these
actual
CIS
and
I
see
how
I
normalize
everything
into
specific
fields
now,
specifically
in
in
salsa
what
I
do
is
I
put
it
in
the
environment:
object
which
is
kind
of
natural
for
it,
but
but
I
Define
how
these
subfields
should
be
filled
so
I
have
these
a
git
object
with
commit
a
branch
of
ref,
a
URL
I?
H
Define
it
a
bit
better
for
my
for
all
my
evidence
and
I
basically
use
it
mostly
for
indexing
like
the
subject
is
not
enough
in
the
Intel
attestation.
For
me,
it's
like
it's
not
enough
for
me
to
know
the
hash
or
the
name
of
an
attestation.
I
would
like
to
query
at
the
stations
connected
to
a
git
commit
or
at
the
station,
connected
to
a
specific
build
on
a
specific
CI.
So
that's
how
I
find
this
this
one.
This
in
my
application.
A
Thanks
so
so
yeah
I
feel,
like
you
know,
we
already
have
the
open
issues.
I
I,
don't
want
to
open
another
issue,
but
I
think
these
these
kinds
of
things
that
we're
talking
about
it's
probably
useful
to
kind
of
regularly
talk
about
and
see
what
are,
the
the
most
important
and
and
try
to
improve
the
docs
I'm.
A
Be
in
the
coming
weeks,
spending
more
time
on
on
kind
of
getting
through
the
backlog,
and
so,
if
folks
want
to,
you
know,
obviously
any
contributions
to
trying
to
figure
out
how
to
better
address
this,
either
with
existing
docs
or
like.
If
we
need
larger
changes.
Ideas
on
you
know
for
like
a
V2
type
of
thing,
not.
I
A
I
want
to
start
a
conversation
about
V2
now
but
like
if
there
are
any
sort
of
fundamental
problems
or
like.
Oh,
this
was
a
bad
idea.
We
could
start
recording
that
too
I.
A
All
right,
great
I,
think
Mike
had
the
next
one
on
APAC
time
zone,
yeah.
D
So
it's
sort
of
related
to
the
the
feedback
actually,
but
so
speaking
to
a
couple
of
different
folks
actually
about
some
of
the
feedback
and
one
of
the
things
that
kind
of
came
up
as
a
key
piece
was:
there's
actually
a
lot
of
interest
in
aipac.
You
know
countries
and
and
organizations
that
are
out
there
that
are
very
interested
in
salsa.
D
They,
a
lot
of
them,
have
a
lot
of
very.
They
have
a
lot
of
open
questions
and
stuff
like
that,
and
there
seem
to
be
interest
around
like
hey.
What
can
we
do
to
start
like
building
out
a
community
out
there,
because
I
know
that,
for
example,
you
know
Samsung
had
contributed
to
Jenkins
plug-in
to
to
us
to
the
to
the
salsa
Community.
They
also
have
a
bunch
of
stuff.
D
So
I'm
sorry
cat
bit
me
so
anyway.
So
this
from
the
the
salsa
side
of
things
interest
in
the
APAC
stuff
we
have
like
Samsung
and
some
other
groups
out
there,
because
I
know
the
the
folks
from
Oracle
have
built
out
some
stuff.
There
also
just
seems
to
be
interest
over
there.
They
also
seem
to
be
interest
in
something
like
some
recorded
content
coming
from
us
beyond
the
blogs,
whether
it
is
something
like
a
salsa.
D
You
know,
but
but
but
but
like
here's,
just
some
general
ideas
stuff
like
a
webinar
stuff
like
even
you
know,
myself,
I
I
might
be
recording
some
stuff
on
behalf
of
the
the
LF
to
to
send
out
to
some
of
those
folks
out
there,
but
there
seem
to
be
some
interest
to
see.
If
also
there's,
maybe
we
can
extend
the
community
a
bit.
I
know
it's
a
little
difficult,
especially
with
a
meeting
like
this.
D
Where
this
you
know,
a
lot
of
the
folks
who've
been
working
on
the
specification
for
so
long
are,
are
mostly
working
at
these
hours,
but
it
might
still
be
useful
to
at
least
get
some
sort
of
meetings
going.
So
we
can
also
maybe
collect
that
feedback
on
an
ongoing
basis
and
and
make
sure
it
kind
of
comes
back
here.
So
we
get
a
better
idea
of
like
how's
the
rest
of
the
world
using
salsa.
Are
there
any
issues
they're
running
into
and
yeah.
E
We
could
do
once
a
month,
APAC
friendly
time
zone
meeting
and
see
if
people
participate.
So
that
way,
it's
not.
You
know
too
too
too
much
overhead
at
the
beginning,
and
if
people
do
join,
then
we
might
be
able
to
get
folks
from
APAC
to
help
run.
That
meeting
at
a
more
frequent
timeline.
D
Well,
yeah,
it
seems
like
there's
there's
interest.
I
can
definitely
forward
on
that
information
over
to
to
Julian
from
the
LF
who's.
Who
was
the
one
who
I
was
talking
with
about
some
of
that
intra
that
there
was
some
interest
over
there.
J
I
think
the
biggest
challenge
is
going
to
be
cross-pollination
between
the
two
groups
like
but
yeah
I
I
fully
support
the
Endeavor
I,
just
I'm
unlikely
to
attend
personally.
D
Same
here
but
I
so
at
least
me
personally,
I'm
I'm
out
in
Asia
once
or
twice
a
year,
so
I
might
be
able
to
still
be
able
to
at
least
help
out
there.
But
it
does
sound
like
the
the
LF
is
interested
in
even
from
you
know
the
LF
side,
helping
organize
that
if
they
can,
you
know
so,
whether
it's
you
know
making
sure
those
meetings
get
recorded
and
the
notes
get
put
somewhere
that
we
can.
D
You
know
and
helping
facilitate
the
cross-pollination,
because
yeah
I
I
agree
that
that
sort
of
stuff
can
often
get
lost
because
we're
seeing
that
in
a
lot
of
the
other
groups
where
it's
like
hey
the
Europe
folks,
were
discussing
the
same
exact
thing
and
came
into
slightly
different
conclusions.
And
how
do
you
reconcile
and
and
that
sort
of
thing.
J
Is
yeah
I'd
be
curious
if
if
and
Asia
specific
meeting
is
desired
or
if
better
asynchronous
communication
is
is
desired
or
desirable
like
that
would
be
a
great
first
topic
of
discussion
for
an
Apec
friendly
meeting.
Imagine
just.
E
E
Was
going
to
say,
I
know,
there's
some
folks
here
from
the
Europe
time
zone
I,
don't
know
how
much
overlap
there
is
because
I
think
it's
late
for
you
all
late
afternoon,
right
right
now,
Josh
and
Nicholas
I,
don't
know
who
else
is.
E
E
But
it's
still
early
enough
for
Asia
Pacific
that
it's
not
sleepy
time
yet.
E
No,
it
wouldn't
be
U.S
West,
Coast
friendly.
There
won't
be
any
time
that
would
be
U.S,
West,
Coast,
friendly
and
Asia
Pacific
frenzy
with
the
rest
of.
So
that's
why
I
was
recommending.
Maybe
if
there
was
like
a
a
Europe,
APAC
friendly
time
like
once
a
month,
then
that
would
help
you
know
at
least
get
some
more
coverage
and
it
could
just
be
an
additional
meeting,
or
maybe
one
of
the
four
meetings
a
month
would
be
APAC
friendly.
A
A
A
No
way
that
everyone
will
be
able
to
participate
just
because
people
are
distributed
all
around
the
globe
and
there's
correct
non-overlapping
working
hours,
and
so
it
seems
like
that's
will
have
the
case
that
some
subsets
go
to
different
meetings
and
that's
what
we'll
live
with
so
I
think
if
anyone
wants
to
organize
that
we
could
just
go
ahead
and
just
propose
a
particular
time
or
if
we
do
some
sort
of
alternate
alternation.
I
think
that
represents
I
didn't
hear
anyone
opposed
to
that
idea
like
once
a
month
or
something
like
that.
D
Yeah
yeah
so
on
that
in
in
that
case,
can
definitely
get
back
to
the
LF
on
on
that
one
and
I
think
at
least
probably
you
know
and
I
have
no
problem
doing
this
once
or
twice,
but
I
I
have
no
problem
sort
of
helping
facilitate
the
initial
sort
of
meetings.
Just
so
that
folks,
like
understand,
like
hey
here's
somebody
from
the
salsa
Community,
as
opposed
to
it
just
being
a
bunch
of
folks
who
are
probably
going
to
have
questions
and
then
be
like
wait.
A
second
there's.
D
Nobody
here,
who's
worked
on
salsa,
but
I
know
that
there
are
like,
for
example,
some
folks
who
might
be
interested
who,
who
have
done
a
lot
of
work
on
salsa
like,
for
example,
Ian
Lewis,
who
I
know
is,
is
out
in
in
Tokyo
and
some
other
folks
who,
who
have
been
doing
at
least
some
work
on
that
end.
D
Who
might
be
able
to
help
like
I
know
also
the
Oracle
folks,
but
I
know
that
at
least
from
the
the
LF
side,
they're
they're
interested
because
they've
been
getting
feedback
from
some
organizations.
Saying
hey.
We
want
to
learn
more
about
salsa,
but
the
only
times
that
you
know
the
only
times
where
that
seems
to
be
available
is
at,
like
you
know,
12
a.m
or
2
A.M
their
time.
E
I
know
that
openness
and
stuff
has
had
two
meetups
in
Hong,
Kong
or
China.
Recently,
one
was
in
Hong,
Kong
I
think
the
other
one
was
maybe
in
Shanghai.
E
So
one
of
the
meetings
there
was
a
Google
person
that
talked
about
salsa
I,
don't
know
if
they
work
with
you
all
Mark
and
I.
Think
I
forget
who
else
is
from
Google
on
here,
but
there
does
seem
to
be
some
people
that
are
tuned
in
in
in
China
and
so
potentially
those
could
also
be
folks
since
they
presented
on
it.
They
could
help
facilitate
as
well.
A
Sounds
good
shall
I
move
on
to
the
next
agenda.
B
Yeah
I
think
that's
me
just
and
FYI
the
conformance
program
proposal
I'm
going
to
merge
the
the
pr
on
Friday.
It's
been
sitting
without
any
real
discussion
for
quite
a
few
weeks.
B
It
I'm
going
to
submit
it
as
a
draft,
so
it
can
still
change,
but
I
just
want
to
close
out
the
pr
so
take
another
look
if
you're,
interested
and
I
do
need
volunteers
to
be
either
maintainers
or
reviewers
for
the
self
attestation
questionnaires
I'll
reach
out
to
a
few
folks
individually
as
well,
but
I
want
to
give
everyone
interested
the
opportunity
to
volunteer.
B
Then,
moving
on
to
the
issue
backlog,
there
is
there's
a
giant
backlog
here.
So
I
grabbed
was
this
four
issues
that
I
think
we
can.
We
can
clear
off
relatively
easily.
The
first
is
trustlessness
of
provenance
using
public
dlts.
This
is
this
is
an
issue,
a
drive-by
issue
from
someone
who
is
is
interested
in
putting
salsa
on
the
blockchain
I,
don't
see
it
as
actionable
and
I
think
we
should
close
it.
B
Done
all
right
next,
this
I
believe
is
the
issue
Mark
mentioned
earlier
about
clarifying
how
the
the
requirements
that
you
model,
your
your
build
system
and
Define
its
inputs
and
outputs.
B
It
looks
like
there's
been
some
work
on
this
already,
so
I
think
what
we
need
to
do
to
make
this
actionable
to
close
out
is
find
the
gap
between
where,
where
we
are,
and
what
exactly
we
want
do.
I
have
a
volunteer
for
that.
D
I
Grace,
when
you
close
the
issues
like
this,
it's
good
to
put
a
little
comment
saying
you
know,
protocol
decision
on
the
call
put
a
reference
just
date
so
that
you
know
the
one
you
just
closed
before.
I
was
like
if
somebody
just
looks
at
the
git
and
they're
like.
Oh,
it
was
closed,
no
explanation.
So
it
looks
a
bit
weird.
J
B
B
So
I
guess
Mark
is
the
one
to
answer
that
question
or
is
what
what
would
he
like
to
see
taken
up
or
should
the
issue
be
closed
and
a
new
one
opened.
A
For
706
yeah
yeah.
A
Assign
it
to
me
and
then
I
will
do
something
with
it
either
make
it
more
actionable
or
perhaps
propose
something
myself.
That's.
B
Let's
see
the
next
one
is
eight
six
six
I'll
drop
it
in
the
chat.
This
came
out
of
the
conversation
a
few
weeks
ago
about
security
framework
compliance
requirements,
maturity
models
and
I'm.
E
Yeah
so
866
I
remember
this
being
talked
about
by
Jay
a
while
ago
that
there's
mention
throughout
the
either
the
website,
or
maybe
the
FAQs
there's
difference
between.
Like
you
know
what
a
security
framework
is
versus
compliance
requirement
versus
the
maturity
model,
so
I
think
he's
requesting
that
there'd
be
more
clarity
on
what
social
truly
is.
If
it's,
if
we're
trying
to
go
for
a
security
framework,
let's
call
it
that
consistently
but
I
don't
believe
he
thinks
it's
a
security
framework.
E
So
I
think
that's
where
the
the
issue
comes
from
yeah.
I
D
D
But
attestation
has
multiple
definitions
depending
on
context
right,
like
there's
an
attestation
as
far
as
like
this
is
just
an
example
of
some
of
the
stuff
that
he
was
pointing
out,
but
they're
like,
for
example,
an
attestation
in
compliance
means
somebody
has
signed
off
on
a
thing
to
hit
some
sort
of
requirement
from
a
regulatory
sort
of
standpoint
right
or
some
sort
of
policy
standpoint,
which
is
different
than
let's
say
a
hardware
attestation
which
a
hardware
attestation
is,
you
know,
usually
a
security
like
a
TPM
or
a
similar
security.
D
You
know
Hardware
security
device,
making
a
claim
on
the
state
of
something
happening
in
the
hardware
and
which
is
very
different
than
an
attestation,
or
not
very
different,
but
like
it's
different
than
an
attestation,
as
far
as
in
Toto
is,
is,
is
calling
it,
which
is
like
a
claim,
and
they
are
they're
all
related,
but
I
think
it's
worthwhile
really
like.
D
In
a
glossary
or
something
like
that,
just
highlighting
a
little
bit
of
what
we
mean
so
that
folks,
who
are
looking
at
it
because
once
again,
once
you
start
to
talk
to
enough
people,
there's
going
to
be
folks
who
are
like
oh
yeah
at
a
station,
I
know
the
in
Toto
stuff,
but
there's
gonna
be
other
folks
who
are
like
looking
at
Salsa
and
saying:
hey
does
salsa
fit
into
our
broader,
like
controls
framework,
and
then
they
bring
that
in
and
they
go
wait
a
second
when
they
say
attestation
here
who
who's
that
who's,
a
testing
like
who's,
the
person
signing
off
on
this
and
then
they're
gonna
go
and
say:
oh
okay,
I
see,
you
know,
they're
gonna
get
confused
and
then
it's
like.
D
But
if
there's
a
glossary
that
says
hey
when
we
say
attestation
we
are
making.
We
are
specifically
talking
about
this
this
and
this
especially
in
a
glossary,
so
that
somebody
who
is
you
know
just
unrel,
you
know
who
is
coming
at
it
from
a
different
context,
can
understand
what
context
we're
talking
about
it.
J
Yeah
I
remember:
we
had
a
a
like
fairly
healthy
discussion
about
this
a
few
weeks
back
and
I.
Think
one
of
the
conclusions
was
that
many
of
us
working
on
cell
so
didn't
have
the
context
to
be
able
to
make
the
clarification
that
was
being
requested.
Specifically
with
regards
to
the
question
the
initial
question.
In
the
the
issue
like
but
I,
I
can't
tell
you
what
the
distinction
is
between
a
security
framework,
compliance
requirements
and
a
maturity
model.
J
We
do
have
a
terminology
page
where
we
try
to
make
some
of
the
other
things
clearer,
so
I
I'm
wondering
if
it
makes
sense
instead
of
saying
like
we
should
be
clearer
about
x.
If
we
have
like
a
a
blog
post
or
a
document
that
is
like
salsa
for
I,
don't
know
people
who
understand
sucks
or
whatever
or
salsa,
for
people
that
have
this
kind
of
job
function
and
instead
of
trying
to
make
the
text
like
the
spec
over
all
of
these
different
things
or
a
glossary
cover.
J
All
of
these
different
things
instead
provide
like
a
focused
document
that
introduces
it
for
people
with
this
particular
background,
just
a
suggestion:
I
I
I'm,
not
sure
we
can
do
much
with
this
issue,
as
it
is
so
I'm
trying
to
think
of
ways
that
we
can
try
and
address
the
issue
being
problems
based.
B
J
Yeah
I'm
not
even
yeah
in
some
ways
it
feels
like
punting,
because
I'm,
not
a
compliance
officer,
so
I
still
can't
do
that
but
like.
If
can
we
can
we
make
this
a
more
tractable
issue
so
that
people
with
those
skills
can
can
help
us
to
offer
something
because
I
I
don't
feel
like
trying
to
disambiguate
the
terminology
in
respect
is
going
to
be
something
I'm
struggling
to
see
how
we
would
be
able
to
do
that
and
still
satisfy
for
the
multiple
different
audiences.
J
Ultimately,
you
know
there's
lots
of
efforts
happening
within
security
and
software
supply
chain
security.
More
specifically,
where
these
terms
are
very
loaded
depending
on
what
context
you
come
with,
and
so,
instead
of
trying
to
disambiguate
the
terms
I'll
find
the
alternative
terms.
I'm
wondering
if
providing
focused
documentation
for
those
specific
audiences
is
the
easier
way
to
make
things
clearer.
B
That
sounds
good
to
me.
I'll
I
can
update
the
bug
with
that
suggestion
or
sorry
the
issue
with
that
suggestion.
It
also
occurs
to
me
now
that
the
dashboard
does
not
have
an
untriaged
portion,
so
everything
old
got
stuck
in
backlog.
I
think
it.
This
issue
does
truly
belong
on
a
backlog
which
is
different
to
being
untriaged,
so
I'll
make
that
change.
B
B
The
last
issue-
I
I
picked
up
is
727.
Let
me
drop
it
in
the
chat.
This
one
I
believe
is
pretty
much
shovel
ready
is
declare
a
preference
for
signing
methodologies
that
rely
on
transparency
logs.
This
came
out
of
a
REV
of
the
review
for
the
verifying
artifacts
page
and
provided
the
change
is
not
controversial.
It's
pretty
straightforward.
If
somebody,
for
example,
were
looking
for
a
first
issue
in
the
spec.
J
Yeah
I
think
the
anything
that
that
prevents
this
from
being
shovel
already
well
yeah,
maybe
Shuffle
ready
for
existing
contributors.
But
the
issue
lacks
some
context,
short
of
bouncing
you
to
read
through
the
the
conversation
in
the
in
the
pr
so
yeah
sorry
bit
of
a
tangent,
I
guess
but
I'm
trying
to
see
if
we're
drawing
a
distinction
between
contributions
that
are
good
for
new
contributors
or
contributions
that
are
kind
of
work
was
ready
to
do
for
existing
contributors
and
I.
Think
you
probably
meant
the
latter.
B
No,
no
need
to
be
sorry.
I
actually
also
haven't
quite
decided.
What
I
think
the
shovel
worthy
tag
means
because
I
don't
think
we
have
a
good
first
issue
tag.
Maybe
we
should
but
okay
I
will
I
will
mark
this
as
shovel
ready
do
we
have
a
volunteer
to
pick
it
up.
B
A
Yes,
thanks
a
lot
Chris
thanks,
everyone
for
participating
all
right
thanks.
Everyone
we'll
see
you
again
soon.
J
It's
July
4th
next
week.
I
think.
Does
that
mean
like
what
are
we
likely
to
have
a
meeting?
It's
on?
Tuesday,
not
Monday,
but
you
know.
A
A
Okay,
all
right
great
good
point:
I'll!
Add
it
to
the
notes
right
now.
Thank
you
so
much
for
remembering
that
great
all
right,
well,
I'll
see
everyone
in
two
weeks
then.