From YouTube: SLSA Tooling Meeting (August 26, 2022)
B: Yeah, yeah, can you hear?

B: No, okay, cool, awesome. Yeah, so we've been talking with the Cider folks, actually a bunch, trying to get them to give a demo or whatever to either SLSA or CNCF. The main issue is, because they're all out in Israel, the timing.

B: ...is often difficult for them, but we're trying to kind of get something set up, even if it's like a recorded demo or something like that. Yeah, they've shown off some cool stuff, and actually we're trying to kind of say, hey, it would be great if we could take those top 10 and map them to stuff that SLSA is doing to prevent.

A: Yeah, yeah, definitely, yeah. I like that list a ton, and then the csd is really interesting. I'm interested in kicking the tires on that for sure. It'd be kind of fun, I'm sure, to do a little CTF internally.

B: Yeah, awesome. Yeah, we're trying to also do that. We're trying to work with them to maybe also have something like a FRSCA goat, like, hey, here's what would happen if you disabled this thing in FRSCA. Now you lose this sort of guarantee, which would no longer make you SLSA compliant. Oh hey, if this thing wasn't working, this is what it would look like.

A: Let me throw that in the chat. I've been kind of poking around on it. Oh, there you go, nice one.
B: Yeah, I know, I like it as well. So before we get to the agenda, is there anybody new to the meeting who wants to introduce themselves?

A: Hi all, I'm Dan Appelquist. I'm really new, and new to Snyk, and I'm really just attending some OpenSSF calls to try and get a handle on all of the work that's happening in the effort. And so if I ask any questions, they'll probably be stupid questions, so I apologize in advance.

B: That's all right, it's still... A lot of us are still getting... You know, it's a broad space. So there's a lot of stuff out there.

A: Go to Dan. Other than my name is Sunil, and I work for SAP. All right, cool.

B: Cool, cool, yeah. Anybody who hasn't put stuff in the...

B: ...attendance, in there. Okay, cool. So the agenda from last time was to start building out, or sorry, the outcome of last time was, so we prioritized largely where we think the different things we should be focused on are, and so now the next step has been to go one step further and actually list out some requirements so that we can now, hands on keyboard, you know, start doing some dev work. And so let me... this is linked inside of the notes, but I'll also share it.

B: One second over here and I will share my screen as well.
B: But so we've been... so for folks who are relatively new, we kind of went through first: what is the state of SLSA tooling today? You know, there's various different builders, various different generators, various different whatevers. There's different tools like, you know, there's the Sigstore stuff for signing, and, you know, there's Notary that's coming out, and there's record... there's all these different things that are...

B: Are there... there's different build tools, like there's plugins being written for Jenkins to have SLSA, there's GitHub Actions, there's FRSCA, there's Tekton plus Chains, there's a bunch of different things.

B: So there's a couple of big gaps, and the big gaps that we sort of discovered that we felt like we needed to prioritize as a group was the attestation distribution and discovery. So we know that there's a decent amount of builders, things to verify, and there's a lot of stuff on the policy end that's already been done, but there's not really a lot of things regarding distribution, for, you know, how do I actually give you my SLSA attestation?

B: That sort of thing is being done in OCI for containers, but not really for generic packages like npm, or, you know, in Maven or whatever, for jars, and that kind of thing. So one big piece is, hey, how do we do package distribution, and what things are still required to do to at least get that started, so that when we start to do the push and finalize SLSA 1.0, we have a good setup there. Another thing is attestation discovery.

B: If certain packages don't have SLSA attestations, they want to know before they start really going deep in it, and so they want to be able to make decisions on that. And then it also helps them sort of understand their supply chain, like if they go back and say, great, here's all the packages I've downloaded and their dependencies; which of these packages have SLSA attestations? And then there's also sort of the out-of-band attestation distribution.

B: So, given that not everything supports it via package distribution, we are looking at stuff like, hey, if I distribute you a file, a flat file that is a SLSA attestation that's signed or whatever, how do I send that over to you? What does that distribution look like? Is there REST endpoints we should be creating, whatever, for that sort of thing? So those are the three pieces for the high level requirements.

A: And so there's so many different flavors, of course, right, Michael. Are we trying to solve and kind of create an example tool for just one of those scenarios to start, obviously?
B: Yeah, I think there's a lot of stuff that's being done, and so it's a combination of, okay, for example, Ian and some of those folks have been doing the SLSA... like the generic generator for SLSA, and it uses JSONL files, and, you know, should we just sort of say, hey, can we push that as an established pattern? Like, does that make sense to the group? And, you know, cool, yeah?

B: Let's say that that's probably the way we should be: if you're doing sort of flat file distribution, maybe that's the way you should be doing it, versus like, oh, we've decided a different format is better or whatever. That's one thing. I think we are also looking at prioritizing, you know, some of that, which is, like, for example, there's the npm RFC regarding this, and we have Frederick from GitHub on the call, and so, like, hey.

B: You know, is this something that we could work with npm on, to see what the distribution mechanism should be, whether it is those, you know, JSONL files or somehow included in the npm package or whatever, because I know there's a bunch of debate going on in the RFC on that and so on. But I think that's kind of the generic thing, and then, you know, just trying to figure out what are the main requirements and then figuring out, like...

B: Are there already established tools that just need to have features in them, or do we need new tools, and kind of push that out? But I think we're trying to kind of figure out.

B: You know, these are the three big categories we kind of came out of... that came out of some of the stuff in here and some of the comments over here, and, you know, now we can maybe get into some of the specifics on a couple of high level priorities as a group we can start to push out. And I think it's going to be a combination of literal priority and then members of the group who actually have cycles to push that.

B: Cool. Any questions, comments on this?

B: Oh, I'm assuming no objections means it's all right.

B: Okay, cool, so... oh, I...

E: I have a quick question about package distribution. Sorry, maybe I missed it because I just joined the call. Is this something you plan to do with every ecosystem separately, or are you thinking of something generic?
B: I think we might have to first try it with one package ecosystem, see, hey, here's how it generally seems to work, and then try and abstract and be like, here's probably how it would generically work. Inevitably, there's going to be some outliers that, you know, just the way that they maybe do a package is just like, yeah.

B: We can't fit a thing in there, or we can't distribute it alongside, or whatever, and we'll have to maybe have two or three flavors of it, or have to say, great, like this we can't actually distribute it with the package in any way, so we have to use some out-of-band attestation distribution mechanism, like, you know. But I think starting off we can probably pick, you know, one or two things. Like OCI is more or less, you know, been done, and I don't know if folks saw, I think it was yesterday.

B: The OCI spec changes got merged into main, which means that now attestations, SBOMs, etc. can now actually be types in OCI, which allow... and even beyond that, right. So now, eventually, you could potentially use OCI as, like, oh, I include my npm packages in an OCI repo, they're just files there, and then npm install becomes sort of a... or, you know, there's a proxy in front of there that actually does some of that work.

B: That can then distribute all the stuff there, but, you know, it just becomes another blob inside of there with the manifest and everything else that can, you know, help out there. So that work just got merged yesterday. It hasn't been officially released, but that should be coming in the coming weeks.

E: Cool, if you have a link to the... oh, sure.

B: Yeah, one second, let me pull that up. One second, yeah. This is... a lot of folks have been working on this, but on my end, you know, one of the folks I work with in the open source community a lot, Brandon Mitchell, has been spending a lot of time pushing it, so I'll just push it also.

B: I will link in both this document, and I will also put it in the SLSA tooling meeting doc as well.

B: So I linked both of those, and we can just very quickly, because it is really big and also very impactful to what we're trying to do here, which is one, is the OCI reference type stuff, which allows us to sort of...

B: Yeah, let me see. It's kind of a lot of stuff too, and I don't remember exactly when each piece... yeah. So these two are tied together, the image types and...

B: I won't go too deep into this, but basically it's regarding... now there's a manifest that allows you to kind of describe actually what's in there. Like, largely, you know, it's just objects, so objects could be, right, a blob, and that blob could be a container image. It could also be a signature. It could be a SLSA attestation, it could be whatever. And through stuff like, they call it artifact types, but they're essentially kind of like MIME types, I guess, you know, it just allows you to kind of say, great.

B: This is a signature file, and then you can actually go and say, okay, well, there's an associated signature with this image and there's an associated attestation with this image, or there's an associated signature with this blob. And that makes the distribution thing obviously much, much simpler, because everything's just sort of encoded in OCI, and then, when you go to pull, you know, when you go to do that, you can say, great.

B: I see there's an image. Fetch me the signature or signatures associated with it. Pull down the SLSA attestations associated with it, and if there isn't any, it's just, okay, there's none. If there is, it's just in the manifest, and so there doesn't have to be this hunting for that information.
E: So I have a follow-up question: do you imagine us, or OpenSSF, setting up a new registry? Because, like, I imagine, I don't know how naming, like namespaces, would work. Let's say you have PyPI and then you have npm. How do you see it working? Or are you just planning on reusing existing registries?

B: I think, well, so I think the idea here is to work with the registry folks on these things. I think there is some discussion that we've tried to start with the OpenSSF around...

B: If there is at least, you know, because inevitably that's going to take a while, right, like implementing all these changes in npm and whatever else is going to take a while, it might make sense to start off by creating some generic, like, here's what it could look like and here's what an implementation of that could look like, just as an example. You know, here is what... we took some npm packages, pushed them as blobs into OCI.

B: Here is, like, we wrote a very simple sort of, you know, even a shell script that goes and says, okay.

B: Well, I'm gonna pull this down and then run an npm install locally, but I pull it down, verify the SLSA signature, and then pass it to npm or whatever, right. Like there's probably things we can do on that front just to start to show what the flow might look like. But I do think the idea here is, like, I don't think we're gonna be able to do all of this on our own and be like, hey, great, we're forking everybody's, you know, registry and saying this is where it all is.
B: Yeah, so the way that it currently... for folks who aren't aware, the way it currently works in Sigstore is that there's a naming scheme for the actual blobs it pushes into OCI. So essentially it's the digest of the image or whatever that you are signing or attesting, and then .att for attestation, .sbom for SBOM, or whatever, and using...

B: That is how folks sort of distribute it today, but of course that doesn't really scale, because if it's not actually an SBOM or whatever, it becomes very difficult to sort of maintain, compared to now we actually have manifests that you can say, okay, I know that this is gonna be this type, and I know it's supposed to have this thing associated with it. And that's one thing. So I think this is something that we should be, you know, at least some...

B: I don't know if anybody here works with the OCI folks a reasonable amount, but I think somebody who, you know, if somebody wants to take this as, like, a liaison, say, great, cool, now that this is done, what needs to actually get done to implement this in some of the tools? I believe Sigstore is already kind of ready for this. I don't know about Notary, which I think might be doing a little bit more of the ORAS thing. I'm not 100% sure on that.

B: If somebody's familiar with the Notary stuff, feel free to bring that up. Brendan?

C: ...talk to on this. I can see with the... I can get him on to this meeting to discuss that, but cool, yeah. I think, like, my understanding with OCI, for the amount that I've played with it, I feel like you could probably do a lot of these things today. I think the registry, and does it do additional validation, should take it, but yeah, I think it may be.

C: We could possibly also maybe just experiment on, like, GHCR to see whether it's going to take the data, because all of this is just manifests, but others... I haven't looked at the PR.

B: Okay, cool, yeah, I'm not super familiar outside of as an end user. Brendan, can you just sort of add a comment just with the person's name, so we know, like, okay, we're looking into this to try and pull in somebody. All right, yeah. Well, thanks.

A: Yeah, so I had actually the question. So if we are storing these attestations and this thing in OCI, how do we refer them? Because the packages and they might be in a different registry, right? npm, it is in its own registry. If it is in the same ecosystem, like image, we can attach it, we can store it together, but if it is across different registries...
B: Yeah, so I see. So on that front, I'm talking purely from the perspective of you would distribute everything via OCI, and there is discussion from some folks about potentially leveraging essentially OCI as the backing storage for stuff like this. So you can imagine the actual files being used to do some of this... sorry, the files that, like, are... let's say, you know, and just to be clear, I'm not saying that npm has agreed to this or anything like that, but you can imagine, like, hey.

B: An npm package is actually being stored in OCI as, like, you know, with a data type, artifact type, slash, you know, OCI, and then you have, and then, like, either npm or a package handler interface proxies that. So then, when you go to do npm install, let's say the npm tool now goes and says, okay, great, I know when I do npm install I pull from OCI in these ways, or I use a proxy and I pull it from that way.

B: Something like that, I think, is the way that some folks are starting to look at this now. Granted, that sort of thing would take a lot of work and effort to get done, because now you're completely changing how this works, from, you know, stuff like HTTP endpoints that are being used to download these things, to now a...

A: Different mechanism, yeah. I think that's what I was thinking. This is a pretty long tail assumption, right? Like we don't know when that could happen across the registry. So the flip side is, is there a way we can add this reference, external reference, in the attestation, right, so from OCI, right?

B: Yeah, can you put what you're thinking down in the out-of-band attestation distribution, because I think that's actually, like, valuable in some way. And actually this is kind of... maybe let's just actually ask Frederick. Frederick, what sorts of things are...

A: Yes, so we are currently looking into relying on the npm registry itself to serve attestations, and the major reason for that is sort of from, let's say, a reliability perspective. We do not want to rely on a third party system we don't have control over that could potentially stop our users from installing or downloading packages if they are verifying them. So that's sort of where we are right now, and it will not be in the package itself.

B: Yeah, I think on that, if there's any open questions that you think that you want additional input from our end, feel free to kind of pull us in, and then also once you do make a... once some of those decisions are sort of out, I think we would be interested to know, so that we can say, great, now...

B: Here's probably what the... you know, because we anticipate, I assume, right, given how large npm is, if npm is doing it a certain way, most likely other folks will start following either that way or a very similar way to the same problem. So I think that will help out as we also then begin to build tooling for the other ecosystems.

A: Yeah, I can reach out to you. I'm gonna go on PTO now for two weeks, but I will definitely contact you when I'm back, and I think because then I think the team has started to sort of sort out a few things as well. So I can try to get something on your calendar at that time and we can start to talk about this. Cool.
B: Is anybody else on the call familiar with any other package managers or package ecosystems that are starting to look at SLSA attestations and distribution of those SLSA attestations? I know that some of that... like I know I saw for Python, there's like urllib and a few other packages are starting to use the GitHub generator to generate those JSONL files.

B: The one obvious issue right now is that you need to be very specific, like you need to have access to that JSONL file to then...

B: Later, Frederick, using those JSONL files of this distribution mechanism, but have folks given any thought, who are in that space, on how this might get refined into something that's actually in kind of Python tooling?

E: So I can speak a little bit about Java, because we've been thinking about it. We know it's doable and we're working on it on the side. It's basically, we will include it in the... I think, the jar, the final jar. Also, I forgot what it is, the Maven... I don't know if it's a double, including the jar, but we can add the attestation in there, and the idea that we had for the consumer was maybe to create a little Maven plugin so that we can play around with verification on the consumer side.

E: None of this is very hard. Sigstore already has a Maven plugin where they show how you can package up everything, so we're going to follow something similar. That's the idea that we have, at least for Java.

B: Cool, and do you know, so is Maven run by Sonatype? Is that correct?

E: Yes, so yeah, we wanted to have like a little proof of concept, and two... okay, and then reach out to, you know, get the ball rolling on their side. I know they're on board with Sigstore. I don't know, you know, what's their state of mind for, like, SLSA in general, but yeah, that's kind of how we're thinking about it.

B: I realize that this is no longer just a list of requirements, I'll just call this work. Cool, that makes sense. Does anybody have anything else for any of the other package managers? Oh, I just saw Mike has joined the call. Hi, Mike.

B: How's it going? Good, good. So I guess we had a couple of questions for you, because we just saw that the image spec and distribution spec work just got merged.
D: Well, yeah, as far as the way it's merged so far, I mean it's in a branch on main, right. It's not been approved for a release yet. We'll still need to do... well, to fix it. Yeah.

D: As you mentioned, I'm a maintainer for continuity and distribution specification. We're excited to bring this support to you guys. It's going to happen probably faster than expected, but it still needs, you know, some fleshing out. We started to do some negotiations and architectural discussions in containerd.

D: You know, just this week, on how we're going to bring this in, where we'll pull the new artifacts and how, right, we're going to need tooling and APIs and all the layers so that you can, you know, create the new artifacts, push them with links, and, you know, refers references, into the existing images, that sort of thing. We want to do it with performance, though, so it's going to be interesting, because there'll be different patterns where people, you know, do these things either in band with the graph for the images, or out of band, and, you know, just adding additional artifacts to point to existing images, right. But I'm not sure how much, you know, detail you guys need here.

B: Sure, yeah, I think that would be helpful, because, yeah, like, we know that, you know, today a lot of that stuff has been either being done a little bit ad hoc via, like, you know, hey, the toolings, and it's not really, you know, following the spec per se, right. And like, you know, because, like, right now, you know, Sigstore, the way that they are sort of handling signatures and attestations is just sort of, here's...

B: Here's some additional blobs with a specific naming scheme, and that's how it's used to sort of verify. And then the OCI stuff will make it much simpler and more interop and all that great stuff. And so I think, just as we kind of go through that, there's, I know, some open questions. I think even we have at the bottom of this doc, one of the ones was, you know, hey, like, would something like this even look like, you know, with the artifact type for a SLSA attestation, be something like...

D: Right, so what we're asking the people to do when they come up with a new artifact type like this one is to register it at IANA once you've got it, you know, really solid on what you want to do. You know, and then we'll allow you to create that artifact in our, you know, registries. You know, push it up, pull it down, that sort of thing, and you'll be able to have it... it'd be in an image that references, right, these other things. Basically refers to a particular thing.

D: That's being signed, right, and you'll say, you know, our media type is this IANA type, so we have a place for you to actually, you know, say what your type is that defines what the blob contents is for the artifact, as well as, you know, what you're pointing to, the type that you're pointing to, which would be an OCI image, for example.

D: It could be you're signing another artifact, like an SBOM. It sort of depends what you're signing, right, but you have to say... you're saying my IANA type. We're not gonna, you know, slow you guys down, though. You just need to go through the IANA process, if you will, you know, to specify your formatting.
B: Oh yeah, yeah, and to be clear, we're ready for that once we make a few other things a little bit clearer and we better understand how some of the things work. I think the thing is, yeah, we just want to know, yeah, what do we actually need to do to actually get this out there when we are ready.

D: Right now, if you guys, you know, end up being the standard, you know, signing type, which is very likely, then, you know, we'll probably want to register that as a list of recommended types to be used, right, in the artifacts, plural, you know, registry, where we can just, you know, highlight you as something that's gone through the IANA process. You know, show demonstrations and examples of how to use it, link to the code where the tools are currently located for storing.

D: I assume that you're going to want either to store your signatures in your own signing registry, but also in an image registry, right.

B: Yeah, yeah, so a lot of folks, even today, what they're sort of doing is they have some of this in a transparency log or a ledger of some kind, right, you know, for tamper evidence and all that sort of stuff, and then for the distribution piece it's very simple to say, great, it's stored alongside the OCI.

D: I think it's a point to recognize that we're currently only allowing you to store the, you know, these artifacts in the same registry, by digest. We don't have tags or anything like that, so you probably want to take a look at, you know, the examples. We don't have a way yet to have third-party...

B: Okay, cool, so I guess a follow-up question is: if I have a... could I have... so can the types only refer to the things in the same registry?

D: Yeah, at this point, if you look at the new refers API, it allows you to query for things that are referring to a particular digest in this registry. It's not... I mean, I suppose you could come up with another design where the registry gets its...

D: You know, artifacts from a remote location, but that's probably not going to be what you want for performance reasons. Yeah, and for attestation, like, you might want to have a digest on the index, right, in that, and the index has a list of manifests now, including the artifact manifest.

D: Okay, that way you can have just one digest for the whole index, and when they pull that index, we would probably want to get the platform manifest for that image as well as the artifacts that include the signatures that are pointing to the parts of, you know, that platform image, if that makes sense. Cool, cool. Just for performance reasons. Now, of course, we don't have patterns yet for when you would want to pull any of these artifacts.

D: That's tricky, isn't it? Yeah, and do you want to have them local, on cache, your references, right, or do you... which would require the client tooling to also support the refers, you know, API, or should it just be in the image? I don't think we've got a good feel yet for how these things are going to play out.

D: You know, that for the entire graph and artifacts, you know, signatures, SBOMs, etc. and scan results that are pointing or talking about the, you know, the image that we've requested for this platform.
B: Yeah, that makes sense. You know, there's definitely some open discussions among some folks about what something like, you know, a third party without access to your registry, but access to the thing, saying, like, hey, I want to make an assertion, like I did a scan. Like, you know, for example, Snyk or whoever, you know, hey, we did a scan and we saw that this seems good, and we want to make it a separate third-party assertion about this thing.

D: That's right, Michael. I guess in my view, that's good if you want to accept third party, yes, perspectives on your images and your artifact. I mean, what if they're encrypted? We do have Brandon here, right. How are you gonna scan my encrypted images? I don't know about that. I'm not sure how that works, so yeah, this is going to be fun. It's going to be a fun year, yeah.

B: Yeah, yeah. On that end, we... out of band we should have a chat, because we've been looking at that with trusted execution environments and the such. Thanks, cool. So.

E: And composition of provenance, and how you discover provenance when you have a container and, say, its base image and maybe stuff that you pull in while you compile. So I guess let's say you have a distroless base image, and then you do something with Python. So I'm wondering how you can refer to this in the specs. I heard last year that you can now say in your manifest that, you know, this is the base image that I use to build a container.

C: I guess I can talk a bit about, at least from the SPDX angle, what we're doing, since I've been working at dolphone and detail, and like, kind of, we're trying to specify how to create an SBOM to kind of encode all these things, and I think we have the issue open in the SPDX examples. So let me paste the link in here, but I think exactly like we're trying to figure out.

C: You know, how do you encode the SBOM, but you can... all the other information that you actually want to make some policy decisions on, and, you know, hopefully that can be part of the SBOM.

E: Okay, I guess my question also goes into: how should the container be written, how should the Dockerfile be written, so that the compiler is aware of what it should be looking at? Because, like, a base image is something that's built in, so I suppose Docker will have a way to expose it.

C: I think one of the things we're also working and discussing on this, like this SBOM composition stuff, so being able to take multiple SBOMs and then link them together.

C: I think the open question is still on, like, discovery of the SBOMs, like if a Docker container sees, like, an npm bundle, right, how does it retrieve the SBOM from there? We have a KubeCon talk that we are kind of proposing some of this, at least initially. I think, like, the distribution is sharing; the discovery mechanism is still kind of up in question. I think that's like a little bit of what we're doing GUAC for as well, to kind of solve that.
B
So, yeah, I know that there's a bunch of stuff happening on that end. One thing, just from a POC that we've done in the past to help out with this sort of thing, is: we sort of wrap the actual distroless image creation piece with an SBOM, and then we just sort of distribute that alongside it, so that, you know, and that's not in the spec, but we just sort of, by convention, say, great, we know that there's an SBOM here for this thing, and so we pull that down. And then, so now we have, you know, a base SBOM, the actual thing, and, you know, some other things as well there. Which works, but is not ideal, right, until, you know, if some of that sort of stuff gets standardized, where it becomes much easier to say, great, I can always have an SBOM link to some higher-level SBOM until I can't anymore. That definitely helps out.

So we've been doing it a little bit by convention, like we use Nix to sort of generate that distroless image, and then we just sort of have a separate builder, and because that separate builder was at the time using Bazel, they just sort of then built it that way, and so we just had those two layers. It would begin to fall apart if we ended up doing lots of different, like, hey, I now have another layer that's installing a bunch of other stuff, and I have another layer. That's all, you know, I think that would become significantly harder to sort of link, I think, practically. I think one of the things, just from a best practices standpoint, you know, similar with abstractions, it's like once you start getting tons of layers, it becomes much harder to kind of reason about it. But yeah, I don't know, yeah, yeah, because, and with layers you can also, yeah.

You can move stuff, and layers can be rebased on top of each other, and it becomes difficult. Like, actually, the ordering of the layers is actually how things, yeah. So that's why, just by convention, we mostly just said, you know, the initial layer is like the base image, and then the next layer is the actual thing we're building.

And once again, we could also be wrong, like that's just to sort of deal with the complexity. We decided to say, hey, let's avoid the complexity, but also not everybody can. So, cool. So with the last, like, nine minutes or so, are there any additional sort of package distribution things that folks wanted to kind of bring up? Otherwise we can either go into sort of out-of-band attestation distribution or attestation discovery and talk a little bit about that.

Does it make sense just to kind of talk through a little bit of the attestation discovery piece? And Brendan, do you want to talk a little bit about that, because I know you've been doing some work on that front.
C
Yeah, I guess so. Yeah, self-advertisement here, marketing, but yeah, for a couple of months I've been working on the graph, a concur craft discovery project, called GUAC. It's still kind of, like, heads down in coding, but this is the link to the project. Obviously we welcome, it's a fully open source project, we welcome other contributors as well. But basically we are gonna have, so a couple of us already also on the calls, Michael Paff, yeah.
C
So one of the things that we're doing is we're collecting all the information, whether it's from OCI registries, from 6r; we're processing them, doing the validation, and then including them in, like, a Neo4j graph database. And so the graph database will include all the information. It will extract the relationships out of the attestations and then create the links between the nodes in the graph, and it also ties back to identity. So then you can do a graph query to figure out.
C
You know, query by hash to find that node of the artifact and all the documents that add into it, as well as link to transitive dependencies, and be able to also link back to the verification as well, to see that, okay, these documents were actually verified, this was how it was verified, and if you want, you can also do the verification by yourself.
B
Yeah, and just a couple of other things, just adding: the idea here is, as an end user, we hope it helps answer questions for folks. Like I was saying, you know, maybe a little earlier, it should help answer the questions like, hey, I'm required to have SLSA attestations for my packages, so what packages can I include that have SLSA attestations? And being able to, like, start to do queries against that and kind of pull some of that information out. And then, as well, there are the things that people are starting to discuss, which is like the stuff coming out of the SLSA spec and SLSA positioning about, I think they call it SLSA conformance, right? Like, if you're compliant with SLSA as a SLSA builder, or if you're compliant with SLSA as a SLSA project, like, there's going to be a mechanism to sort of prove that, right, to the world, or have a third party that has been, you know, they're an audit firm and they're trusted, cool, they've, you know, stamped your thing.

And so you might say, great, I'm, you know, a big bank, I trust these audit firms, so, you know, can I go out and validate those things and see, you know, for example, here's public information, here's some, maybe some private information from some other folks, or here's, you know, third parties that have attested the thing. You know, we know that, for example, at some point, oh, it turns out this identity, right, whatever it might be, this maintainer or this organization, turned out to be bad actors. Great, we're going to sort of, you know, me as an end user, no longer trust that.
A
Aaron, I'm curious, like, the idea behind this type of database. Would this be like just one big database for, like, everything, or would there be, you know, like a GUAC database for different package management systems, and maybe even would organizations, private organizations, have their own internal databases? I wonder.
B
It's
a
little
of
all
of
that,
I
think
yeah.
First
and
foremost,
we
want
to
similar
to
recore,
which
is
a
public
transparency
log.
I
believe
brendan
wright,
that
that
the
idea
is
to
make
this
a
public
service,
obviously
with
that
public
service
would
have
to
come
a
lot
of
restrictions
on
what
is
allowed
in
there.
What
is
not
allowed
in
there?
What
how
we're
actually
pulling
it
in
sla's
slos
right
because
it'd
be
very
easy
to
denial
of
service.
B
This
thing
or
otherwise
you
know
push
illegal
content
or
whatever
into
there,
and
so
so,
there's
definitely
stuff
on
that
end,
but
also
you
know,
as
somebody
who
recently
reformed
from
from
the
the
banking
industry,
you
know
that
that
sort
of
thing
is
banks
are
always
just
gonna,
say
great,
that's
great!
We
wanna
mirror
all
that
content
internally.
We
want
to,
you,
know,
maybe
pull
in
a
graph
from
a
separate.
B
You
know,
like
I,
don't
know
fire
eye
or
whatever
right,
like
you
know
some
other
third
party,
that
is
you
know,
maybe
sneak
or
whatever.
That
has
all
this
other
information
and
we
want
to
pull
in
their
graph
or
we
want
to
pull
in
data
from
that
they
might
just
be
giving
out,
and
then
we
want
to
add
it
to
our
graph
stuff
like
that,
I
think
is
going
to
be
inevitable.
A
Yeah, that makes sense. Like, I could even see, like, a private company, like a bank, if they're, I mean, or something offering their own software, and they're doing like a read-only type GUAC for people as consumers, right, and then they're able to specifically upload what they want to upload or display. That'd be kind of neat.
B
Yeah, no, that's 100% where we would like to see this go, because we do think that there's, you know, and there's going to be lots of different ways that people are going to want to distribute this, and GUAC is just going to be one of those ways. But we hope to kind of, you know, make it easy so that folks can, like, better understand and answer questions like, okay, I downloaded these 50 things, like, are there any major CVEs without VEXes? For example, like, you could ask that sort of question to the graph, you know, and, you know, including data that, like, okay, including the data that came out of Snyk, including the data that came out of this tool, and including the attestations that came out of all these different places, tie it all together and be able to kind of, you know, answer some of those deep questions. That's really important.
C
I think, also, with the graph database, going back to, like, having different graphs and doing queries across them, it's a pretty common query pattern. So that's something that will be, like, some sort of federation will be supported.
B
Cool, so we only got two minutes. Anything else people wanted to talk about, or otherwise add as, like, an agenda item for next week?

Cool, well, either way, so for next week, I know a few folks have talked about different things that they wanted to start poking around with here, and next week we could probably finish up the rest of this, the rest of the pieces here around attestation discovery and out-of-band attestation distribution, and really start to look at, like, cool, here's a, let's, let's open up this PR on this open source project.
B
So Naveen said he was gonna make something, and then, I don't know, I'll see if I could follow up with him, if he actually got around to doing it.

We all have way too much stuff on our plate, so I'm sure, like, I do too, and I've forgotten about some of these things. So if he's, like, all of a sudden, like, yeah, I just don't have the cycles, that's fine. We could just assign it to somebody else, and I'm saying not me, because I have too much.

Cool, any, oh, so we're at time! So I'll see you all next week.