►
From YouTube: SLSA Specifications Meeting (November 28, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
B
A
A
I
just
haven't
had
time
to
address
them,
I'm
hoping
to
get
to
that
this
week,
or
next,
the
spec
1.0,
as
promised
I
sent
out
for
review
last
week,
it's
in
a
very
draft
state
with
a
bunch
of
to-do's
Joshua,
already
commented
on
it,
suggesting
that
we
merge
it
and
then
iterate
on
it
in
subsequent
pull
requests.
It
would
be
good.
A
You
know,
I'm
happy
to
do
that.
I,
just
you
know
always
like
to
leave
comment
periods
open
because
I
feel
like
once
something
is
submitted.
It's
kind
of
a
larger
barrier
to
comment
on,
and
so
I
just
want
to
make
sure
it's
there's
enough
period
that
people
can
comment.
But
if,
if
everyone
here
is
okay
with
that,
then
then
I'll
just
do
that
and
probably
the
provenance
one
well
The
Province
I
think
needs
a
little
bit
more
work.
C
A
A
Maybe
takes
care
of
things
of
like
there's
a
convention
for
how
you
distribute
provenance,
there's
just
a
convention
for
how
you
set
what
expectations
of
what
the
province
ought
to
look
like,
there's,
maybe
tooling,
to
automatically
verify
it.
So,
every
time
you
do
an
installer
and
upgrade
it
just
happens
for
you,
I,
don't
think
we
want
to
have
every
individual
consumer
Implement
their
own
or
run
their
own
thing,
and
so
shifting
it
to
infrastructure.
A
I
think
is
what
we
kind
of
want
to
suggest,
not
that
it's
required
but
suggested,
and
so
framing
it.
In
this
way,
we've
already
had
feedback
changing
package.
Instead
of
packaging
but
other
than
that
little
nitpick,
one
other
term
I
posted
today
was
maybe
distribution
ecosystem
or
something
like
that,
but
because
I'm
afraid
that
package
ecosystem
implies
too
much
like
it
has
to
be
Pi
Pi,
say,
whereas
in
reality
I
think
it's
more
of
like
some
sort
of
convention
infrastructure
that
happens
automatically
Joshua.
D
D
D
D
D
This
whole
notion,
anyway,
of
how
what
we've
got
the
a
lot
of
text
and
diagrams
about
the
build
model
and
how
you
produce
provenance,
but
we
don't
have
much
yet
in
the
way
of
descriptions
about
how
this
fits
into
the
larger
ecosystem
of
Distributing
the
provenance
and
then
having
some
expectations
about
the
Providence
content
and
how
you
evaluate
that
to
make
a
decision
kind
of
use
time.
So
I
started
playing
around
with
some
words
and
pictures
for
that
last
week,
and
this
is
this:
is
the
picture
I've
got
so
far.
D
A
D
D
There
should
be
implicit
Expectations
by
the
packaging
or
package
ecosystem,
but
then
a
user
can
set
their
own
expectations,
so
the
ecosystem
might
Define,
like
we've
talked
a
lot
about
how
there's
a
canonical
kind
of
source
repository
and
builder
for
most
like
projects
and
the
ecosystem
would
Define
that,
but
your
user
might
still
say:
yeah
I'm,
okay,
with
taking
sales
level,
three
things
from
Pipi,
but
salsa
level.
One
thing
from
IPI
I'm
not
going
to
touch
so
I
I
wanted
to
indicate
that
there's
two
places
where
expectations
can
be
set.
D
C
Don't
know
yeah
I'd
just
like
to
reiterate
revisiting
looking
at
dfds
data
flow
diagrams
as
a
model
for
this,
because
they
Define
things
about
what
the
direction
of
arrows
mean
and
where
security
boundaries
are,
and
things
like
that
I
can't
remember.
I
can't
remember
where
the
best
reference
for
them
is
but
I
learned
about
them
from
Adam
sure
Stack's
threat,
modeling
book,
fair
model
book,
yeah,
okay,.
C
B
A
C
A
A
C
A
A
B
Yeah
hi,
I
I,
think
you
know,
I
would
suggest
to
other
status
section
I
know
you
have
a
pop-up
that
says
hey.
This
is
just
the
draft,
but
it's
fairly
common.
If
you
look
like
him
directly
see,
there's
a
status
section,
the
beginning
document
that
clearly
states
what
you're
expecting
what
the
expectation
of
the
reader
should
be
about
the
status
of
the
document
and
whether
you're
actually
inviting
comments
or
not
and
I,
think
that
would
actually
you
know,
address
some
of
the
challenges
you
seem
to
be.
B
You
know
you
don't
want
to
look
like
you're
pushing
too
hard
on.
This
is
the
where
we're
going
and
whether
you
actually
inviting
comments
from
the
broader
you
know,
Community
I
think
you
can
address
this
in
the
section.
That's
a
bit.
You
know
more
verbors
than
what
you
have
in
that
little
puppet
that
says
hey.
This
is
just
a
draft,
but
otherwise
I
think
you
should
go
ahead
and
merge.
B
B
A
B
Can
have
at
the
beginning
of
the
document
yeah
the
status
section
that
clearly
states
everything
you
want
to
say.
You
know
what
people
should
expect
about
the
status
of
the
document,
what
it
means
for
the
group
and
whether
you're
inviting
comments
from
the
border
or
not.
Yet
you
might
say,
hey
we're,
still
very
much.
You
know
trying
to
figure
this
out.
Maybe
it's
not
worth
your
travel.
Unless
you
really
want
to
be
part
of
the
group
and
and
then
you
can
indeed
have
a
link
to
that
section
from
the
different
pages
with
your
pop-up.
A
Links
to
it
instead
of
having
that
blurb
copied
every
time.
That's
right,
yeah,
that's
a
really
good
idea!
Yeah
I'll
do
that.
That
sounds
really
good.
Then
I'd
be
less
concerned
about
well.
We
still
have
to
like
figure
out
when
to
like
unhide
it
of
like.
When
is
it
good
enough
that
leave
a
link
to
it,
but
but.
B
C
B
A
Yeah
we
just
type
the
URL,
it's
just
like
yeah
I,
don't
want
people
to
land
on
it.
That,
like
think,
oh,
this
is
the
next
version,
and
this
is
like
what's
going
to
be
published
in
a
week,
but
rather
like
this
is
like
a
total
rough
yeah,
but
yeah
an
explanation
thing
and
maybe
we
could
use
terminology
that
makes
it
clear,
like
different
statuses,
of
like
draft
means
like
it's
totally
being
edited
it's
half
written
and
then
in
review,
or
something
like
that.
B
Say:
yeah
w3c
you
can
look
at
any
specular.
Pc
you'll
find
that's
not
working.
There.
I
mean
you
don't
want
to
inherit
the
whole
Pro.
You
know
specification
that
the
recommendation
track
of
directvc
is
a
bit
too
much.
You
don't
want
all
of
that,
but
there
is
like
you
know.
There's
working
draft
is
the
key
first
thing
that
you
can
hang
on
to
to
communicate.
This
is
still
work
in
progress.
D
I,
like
this
suggestion,
because
there's
there's
kind
of
there's
multiple
considerations
before
it's
ready
for
like
General
feedback
like
whether
we've
hit
all
of
the
features
or
whether
we've
made
sure
we're
consistent
in
terminology
or
whatever
else
we
need
to
do
before
we
get
that
like
General
feedback,
but
there's
definitely
some
use
in
getting
more
feedback
as
long
as
the
reader
is
prepared
for
what
kind
of
feedback
we
need
at
this
point,
that's
a
great
suggestion.
Thanks.
B
Yeah
I
mean
the
historically
there
to
see,
didn't
want
to
call
whether
it
produced
as
standards,
because
they
don't
want
to
look
like
they
were
infringing
on
formal,
dangerous
standards,
organization,
ISO
and
so
on.
So
they
use
recommendation.
That's
Timber,
Nancy,
being
too
humble
in
my
opinion,
but
that's
how
it
is,
and
so,
but
you
know
you
can
call
it
whatever
you
want.
You
know
my
recommendation
is
to
not
call
it
standard.
B
You
can
stick
with
specifications
a
good
term
because
it
doesn't
carry
any
kind
of
you
know,
meeting
with
regard
to
the
formal
status.
But
so
you
can,
you
could
say,
working
draft
and
then
propose
specification
and
specification.
For
instance,
it's
short
enough
that
you
get
three
levels
when
you
have
settled
all
these
issues
internally,
you
feel
like
hey.
This
is
good
right
and
you
just
want
to
give
a
final
period
of
review.
You
say
proper
specification
and
then,
when
it's
final
you
say
specific
test.
You
could
call
it
final,
but
you
don't
have
to.
B
B
A
B
A
B
B
Documents,
that's
kind
of
like
your
specification
life
cycle
kind
of
thing
and
you
define
that
once
and
for
all
and
I
mean
if
we
feel
like
we
need
to
change
it
at
some
point.
Probably
you
should
change
it
across
the
board.
Yes,
so
I
think
it
is
a
top
level
kind
of
thing
okay
like,
but
it
is
orthogonal
to
the
versions
right
I
mean.
B
B
A
A
A
Yeah
I
think
that's
separate
question
is
like
the
in
the
URL.
Should
you
indicate
that
it's
a
draft
or
not?
Yes,
that's
what
I
thought
you
were
asking
yeah
include.
It
says
so
one
thing
I
did
in
in
the
Providence
1.0
full
request
was
added
a
query
parameter
for
that,
because
in
the
past
we've
added
it
like
a
separate
page,
but
that's
just
a
pain.
It's
a
pain
for
that
to
step
redirects
to
the
new
one.
A
What
we
could
do
is
just
have
a
query
program.
It
just
gets
ignored,
but
this
part
is
a
form
of
documentation
because
it
might
be
it
kind
of
would
be
useful.
To
note
like
when
you
link
to
like
spec
1.0,
that
whoever
linked
to
it
was
linking
to
a
draft
at
the
time
you
could
have
like
JavaScript
that
just
appends
the
question
mark
draft
or
whatever.
B
I
I'm
honestly
I'm
trying
not
to
bring
in
all
the
baggage
that
I
have
with
WTC,
which
has
a
fairly
complex
model
with
URLs
that
you
know
always
point
to
the
letters
and
each
each
new
specification
version.
You
know,
has
its
own
URL,
but
it
always
points
to
letters,
and
you
can
always
see
it.
You
can
kind
of
they
have
the
whole
chain.
You
can
walk
through
all
the
different
versions
of
drafts
they
had
and
stuff
I.
Don't
basically
want
to
produce.
All
of
this.
There
is
some.
B
D
I
I
somewhat
like
the
idea
of
having
a
parameter
that
indicates
your
optic
interviewing
this
preview
kind
of
like
previewing,
something
in
a
Content
management
system
or
something
so
that
where,
if
people
are
sharing
the
URL
around
there's
additional
context
in
there.
But
I
yeah
I
haven't
thought
about
this
long
and
heard
like
someone
who's
scarred
by
w3c
processes.
So.
A
B
So
I
will
add
another
piece
on
that
because
you
know,
if
you
look
at
the
HTML
spec,
for
instance,
right
I
mean
everything
we
see
used
to
be
a
strong
believer
in
providing
stable
versions
that
you
could
point
to
and
clearly
the
jury
you
know
has
concluded
that
no,
this
doesn't
matter
what
you
know.
The
industry
now
is
settling
on.
B
What's
called
living
standards
right
which,
because
if
there
is
a
bug
you
find
you're
gonna
fix
it,
then
you
want
everybody
to
use
the
fixed
version,
so
the
value
of
pointing
to
old
version
doesn't
really
get
off.
It
isn't
very
high
I
mean
for
archaeologists,
maybe
it
just
I
don't
need.
But
what
really
matters
is
to
be
able
to
point
to
the
letters
version
and
have
people
use
that
as
much
as
possible.
A
A
If
anyone
or
myself
like
we
could
add
like
little,
we
could
document
the
convention
of
like
using
question
mark
draft
or
working
draft,
or
something
like
that
just
to
indicate
of
like
if
you're
linking
to
that
you're
really
like.
You
know
that
this
is
completely
unstable
versus
once
we
have
something
we're
guaranteeing
it's
mostly
stable.
A
B
Yeah
I
wouldn't
bother
for
the
drafts,
but
for
the
the
the
actual
specs.
Yes,
the
the
released
version.
I
think
it
is
useful
to
do
that
and
there
let
me
see
I
did
that
after
quite
a
few
years.
But
now,
if
you
go
to
an
old
version
of
HTML,
I
will
say
this
has
been.
This
is
Obsolete
and
it's
been
superseded
by
and
it
provides
your
pointer
to
the
newer
version.