►
From YouTube: SLSA Specifications Meeting (November 7, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A
B
D
D
F
F
Let's
say
in
this
context
for
salsa,
where
you're,
where
you're
just
sort
of
saying
you
know
using
something
like
let's
say:
spiffy
Spire
or
you
know
in
GitHub
I
believe
each
individual
GitHub
run
has
its
own
sort
of
unique
identity
and
so
that
it
kind
of
helps
protect
against
sorts
of
attacks.
That
could
be.
F
You
know
you
don't
have
long-running
credentials
for
a
single
build
to
lots
of
other
services
and
that
it
should
also
include
like
signing
secrets
and
those
sorts
of
things
now.
I
think
where
people
are
getting
confused
is
they're.
Thinking
that
the
build
service
piece
just
that
requirement
just
means
like.
Oh,
you
should
be
using
a
short-lived
key
and
I
think
to
be
clear.
F
You
actually
have
that
looking
at
what's
happening
in
the
building
in
the
build
introspecting
the
build
and
whatever
and
then
generating
the
Providence
and
then
signing
it
with
the
the
purpose
being
that
we
don't
want
to
have
the
build
generate
its
own
Providence
and
sign
its
own
Providence,
because
obviously,
a
build
is
potentially
where
the
user-defined
options
are
happening.
It's
very
arbitrary,
what's
actually
happening
in
there
and
you
kind
of
want
to
have
that
in
a
separate
trust
domain.
F
Of
course,
a
security
domain
and
so
I
think
that's
kind
of
where
a
lot
of
that
confusion
is
and
I,
and
the
other
thing
I
just
want
to
add
on
there
is.
It
does
still
sound
like
something
like
ephemeral,
keys
or
or
workload.
Identities
is
still
probably
something
that
either
we
recommend
or
we
when
we
look
at
you
know
the
the
the
the
other
requirements
for
saying
a
secure
build
system.
F
D
Yeah
yeah
I
think
one
thing
and
Sean
had
also
suggested
something
nice
too
like
if
we
could
somehow
introduce
into
the
specification
both
The
Province
back
and
the
course
I'll
suspect
the
idea
of
like
trust,
domains
or
security
boundaries,
or
something
like
that.
I
think.
That's
like
the
big
thing.
It
seems
to
be.
That's
the
big
thing.
That's
missing
that
like
if
we
can
better
explain
that
I
think
and
have
a
visualization
for
what
that
looks.
Like
I,
think
that'll
help
a
lot
I
think.
That's!
Maybe
one
out
outcome
of
this
discussion.
D
I
know
we
also
had
some
others.
It's
also
1.0.
What's
it
called
the
dashboard
I
had
I
raised
an
issue
before
of
like
does?
Is
that
salsa,
three
or
not
so
like?
If,
if
GitHub
has
a
effectively
GitHub
and
six
door
in
this
case
combined,
you
get
an
x509
certificate
that
says
this
artifact
really
was
produced
by
this
workflow
and
the
security
boundary
is
the
workflow.
Does
that
meet
level?
Three.
F
F
D
Yeah
I
think
I
mean
I
I.
Think
we
should
split
up
like
recommended.
Implementation
versus
the
actual
requirements
like
I
could
see
why
we
would
recommend
having
a
standard
format,
Etc
I,
think
from
a
requirements
perspective.
If
someone
implements
it
using
the
next
five
minutes,
I
could
I
could
see
that,
but
like
I
so
I
liked
this
issue
issue
321
I,
put
in
the
meeting
notes
that
if.
D
F
Yeah
so
I
I
think
that
last
thing
you
said
like
answers.
The
question
which
I
think
the
answer
is
generally
yes,
because
I
think
you
know
if
I
look
at
the
intent,
if
I
go
back
to
sort
of
the
intent
of
the
requirement,
the
intent
of
the
requirement
is
to
make
sure
that
an
end
user
build,
which
is
arbitrary
actions
right.
F
F
I
can
use
whether
it's
chains
or
whether
it's
the
GitHub,
reusable
workflows,
I,
can
go
and
say
well,
yeah
I'm,
using
that
that
has
access
and
all
it's
doing
is
introspecting
on
the
build
and
then
or
you
know,
pulling
inputs
or
whatever
and
generating
the
provenance
and
then
signing
that
and
that's
all
it's
doing
and
the
end
user
has
no
ability
to
do
that.
None
of
the
actual
the
compilation!
No
other!
You
know
any
of
those
sorts
of
steps,
actually
have
the
ability
to
look
back.
That
I
think
it
it
meets
that
requirement.
F
I.
Think,
as
you
sort
of
mentioned
there
also
earlier
is
like
we
might
make
particular
recommendations
just
from
like
a
hey
generally
doing
it.
This
way
is
safer
than
that
way,
but
I
think
they're
both
hitting
the
requirement
and
I
also
think
that,
like
because
I
also
think
about
it,
if
I
go
back
to
like
chains,
definitely
hits
that
requirement.
F
But
you
also
still
have
the
same
issue
right
where
if
chains
gets
hacked
well,
then
you
know
you're
still,
you
know
then
you're
generating
bad
profitance
anyway
and
I
think
it's
the
same
thing
here
with
a
reusable
workflow
like
if
somehow
GitHub
itself
is
hacked.
Where
you
know
the
reusable
workflow
is
not
doing
what
you
expect
it
to
then
you
still
have
that
same
problem
and
so
I
think
it
hits
that
I
I
think
it
does
it
hit
all
the
requirements
there.
D
F
F
Three,
because
the
end
user
can
go
and
modify
that
the,
because
a
lot
of
these
things
are
actually
happening
in
the
same
like
trust
domain
and
whatever,
like
there's
a
lot
more
there's
a
lot,
there's
significantly
more
areas
where
it
could
be
attacked
and
in
certain
cases,
I've
actually
just
seen
a
build
script
and
part
of
that
build
script
is
cosine.
Yeah
yeah,
in
which
case
you're
literally
running
it
as
part
of
the
comp
like
the
same
step,
you're
doing
the
compilation,
and
so
all
it
takes
is
let's
say,
for
example,
the
npm
stuff.
F
A
Yeah
Aaron
in
that,
if
you
guys
remember,
the
demo,
I
did
with
the
git
lab
piece,
so
I
think
that's
the
example
level
two
versus
level
three
because
git
lab
is,
is
the
build
service,
it's
actually
generating
the
provenance
without
interaction
from
the
end
user.
However,
it's
not
signed
so
I
had
to
create
a
job
right.
That's
that's
from
the
end
user
in
the
CI,
that's
doing
cosine
sine
on
that
provenance
document.
B
A
A
It's
accessible
to
like
the
CI
job,
but
it's
also
technically,
you
know
the
end
user
could
could
script
any
job
they
want
using
that
secret
in
a
way,
unfortunately,
so
I'm
not
a
huge
fan
of
the
way
that
it's
happening.
That's
why
I'm
kind
of
pushing
on
gitlab
to
do
the
signature
in
the
build
Service
as
well
and
they're
working
on
that,
which
is
nice.
F
To
make
sure
is
clear
because,
like
the
generation
of
the
Providence
means
you
can't
have
a
malicious
developer
or
a
you
know,
some
part
of
the
build
generate
fake
Providence
without
at
least
you
having
some
insight
into
what
happened
right,
whereas
you
know
the
things
that
when
I
look
at
the
other
way
right,
you
have
the
build
service.
Doing
this,
the
build
surface
is
getting
a
set
of
inputs,
it's
it's
like
all.
F
F
F
F
Oh
I
mean
I
think
this
is
so
when
I
think
about
workload,
identities,
I
think
about
you
are
essentially
securing
that
a
particular
thing
is
at
least
spun
up
doing
what
it
was
spun
up
to
do.
And,
yes,
something
could
have
you
know,
executed
into
that
environment
and
is
tampering
with
it
or
something
that
you
don't
realize
is
in
that
environment
could
be
doing
something
that
that
you
don't
expect.
F
So,
when
I
think
about
the
workload
identity
is
and
I
think
about
the
service
generation.
Piece
right
that
doesn't
hit
the
service
generation
piece
directly
or
it
doesn't,
it
doesn't
hit
it
because
it
still
doesn't
prevent
something
like
somebody
executing
in
to
an
environment
and
modifying
the
modifying
Providence
or
generate
generating
bad
Providence
and
then
using
if
it's,
if
it's
signing
with
its
own
workload,
identity
right
or
something
like
that
like,
for
example,
if
you,
you
know,
give
a
particular
GitHub
action.
F
Direct
access
to
you
know
like
through
something
like
six
store
and
keyless
to
sign.
Using
the
oidc
token,
like
you
know
that
only
that
one
build
is
like
you,
don't
you
don't
worry
it's
a
separate
concern
like
you're.
Not
worried
that
somebody
has
stolen
a
credential
that
they
can
then
use
to
now
sign
whatever
they
want,
but
they
still
have
signed
a
bad
build.
D
D
The
workloaded
anniversity
build
service
signing.
If
something
has
client-side
tooling,
like
let's
say,
there's
a
workload
workflow
that
does
the
oidc
to
six
store
thing,
gets
a
signing,
sir,
from
Sig
store
and
uses
whatever
to
sign,
to
generate
and
sign
Providence.
All
within
the
workflow,
like
like
a
client-side
tooling,
like,
for
example,
and
npm,
is
talking
about
baking
this
into
the
npm
client.
F
I
would
be
suggesting
largely
that
sounds
like
level
two
to
me
and
the
the
reason
being
is,
if
I
have
an
arbitrary
build
environment
right
and
like
just
as
an
example,
the
npm
thing
right,
if,
if
I
download
one
of
those
npm
malicious
packages
that
steals
credentials
or
whatever
right
like
one
of
those
things
that
you
know
on
installation,
time
runs
a
thing.
What
is
to
prevent?
F
I
think
the
thing
that's
stopping
that
from
level
three
when
I
look
at
it
from
a
service
thing:
the
service,
if
you
have
secure
like
if
you
have
secured
the
service
right,
which
is
something
that
you
should
just
be
doing
to
begin
with
right
and
there's
an
expectation
that
whatever
is
orchestrating
the
builds
is
like
you
know,
relatively
secure
and
because
that
build
service
is
not
the
thing
running.
The
arbitrary
actions
right
you're,
not
installing
you
know,
you're,
not
running
npm,
install
on
the
Node.
That's
running
the
build
service
right.
F
The
build
service
is
potentially
audited
and
yeah,
because
you're
doing
that,
then
there's
less
of
a
worry
that
you
are.
You
know,
there's
less
of
a
worry
that,
for
example,
if
I'm
running
tecton
chains
that
tecton
chains
itself
gets
compromised
or
if
I'm
running
GitHub,
that
GitHub
actions
itself
is
compromised.
F
F
I
got
to
the
build,
so
this
is
what
I'm
signing
for
the
build
provenance
versus
having
an
end
users
like,
what's
under
an
end,
user's,
control
or
or
potentially
under,
like
if
you
download
a
malicious
package
that
could
go
in
and
say,
hey
I
installed
these
packages
that
it
didn't
install.
You
know
what
I
mean
or,
or
it
included
materials
that
are
not.
D
My
inclination
would
be
to
call
that
level
three,
because
it's
not
clear
like
what
requirement
I
would
point
to
to
say
that
that
why
that's
not
like
the
distinction
seems
unclear
to
me
between
that
and
level.
Three,
because
effectively,
the
bits
of
the
provenance
are
embedded
in
the
x509
cert.
In
this
particular
six-store
case,
like
the
the
things
that
are
required
at
level,
three
are
embedded
in
there.
The
entry,
like
the
the
top
level
input,
slash,
I,
think
in
the
VO2
it's
called.
F
So
because
it's
embedded
the
x509
I
agree
with
you
like
it.
Can't
it
can't
be
falsified.
However,
what
happens
if
you
end
up
with
Providence
that
like
like?
Is
there
a
concern
here?
Because
we
we
need
to
make
sure
that
the
end
user
whoever's
consuming
the
Providence
knows
that
the
x509
is
the
thing
to
verify
it
against
versus
the
provenance
itself.
F
Right
because,
because
you
could
end
up
in
a
situation
right
where,
if
you
do
have
a
compromise,
build
the
the
compromise,
build
might
be
generating
bad
Providence
or
like
bad
Provident
like
a
bad
predicate
right,
it
would
be
generating
a
bad
predicate,
but
the
x0509
would
say
well
no
hold
on
the
x509.
Would
not
map
back
to
the
predicate,
but
the
end
user
would
then
need
to
know
that
it
has
to
check
that.
F
To
sort
of
essentially
say
that
this
thing
couldn't
have
signed
something
bad
like
I
think
we
just
need
to
make
that
clear,
because
I'm
not
independent,
I'm,
not
sure
if
there's
enough
like,
if
there's
enough
stuff,
where
everything
that
would
be
required
from
level
three
provenance
could
be
encoded
directly
in
the
workload
identity,
then
I
think
it's
fine
right.
I
think
that,
yes,
it
absolutely
does
hit
L3,
but
if
there's
anything
missing,
then
it
doesn't
yeah
but
I'd
be
curious
to
you
also.
If
anybody
else
has
any
additional
thoughts
there.
D
D
F
Yeah
and
for
folks
who
are
interested
I'm,
pretty
sure
this
is
also
going
to
be
a
topic
on
Friday's
pooling
meeting.
Just
because,
like
this
sort
of
thing
right
as
we're
talking
about
consuming
since
we're
talking
about
consuming
provenance
right,
a
lot
of
the
provenance
tools
will
have
to
make
that
distinction
we'll
have
to
make
that
distinction
about
like
hey.
F
D
F
No
I,
don't
think
so.
Well,
the
only
other
thing,
which
is
just
something
that,
in
addition,
which
is
just
and
it
sounds
like
it
might
be
better
suited
for
the
the
the
like
the
generic
requirements
of
like
hey
this
sort
of
assumes.
You
have
a
reasonable
build
system
that
is
secure,
right
and
and
those
sorts
of
things
I
think
some
of
that
workload.
F
Identity
is
still
things
that,
like
we
probably
you
know,
I,
don't
know
if
we
want
to
make
those
direct
suggestions,
but
but
it's
something
that
we
want
to
make
sure
of
is
because
I
think
stuff,
like
ephemeral,
ephemeral,
keys
or
or
sorry
ephemeral.
Finding
secrets
are
still
good
for
other
reasons:
Beyond
just
the
the
the
the
non-falsifiability
piece
like
some
of
it's
just
also
the
fact
that
hey,
you
know
that,
let's
say
your
build
system
was
potentially
compromised
between
you
know
during
this
week.
F
D
D
So
the
three
main
updates
that
have
happened
in
the
last
week
there
was
which
again
I'm,
as
always
I'm
just
saying
I'm
submitting
them
be
in
order
to
move
things
along,
but
always
happy
to
take
comments
and
we'll
do
a
final
review.
At
the
end,
one
is
around
framing
levels:
around
tamper
protection,
the
main
gist
is.
Let
me
open
the
preview.
D
D
D
D
Doc,
which
is
we
need
a
better
intro
here,
but
the
main
thing
of
like
Trust
Systems,
verify
artifacts
to
lay
down.
You
know
we
have
no
choice
but
to
manually
verify
a
system,
but
we
can
automatically
verify
all
the
artifacts
created
by
that
that
we
trust
anchor
like
anchoring
code,
not
individuals,
because
one
of
the
main
kind
of
push
backups
also
would
be
like
well,
I
trust.
All
these
people,
like
they're,
doing
the
right
thing,
which
is
fine
if
you
like,
have
three.
D
If
you
know
those
three
people,
but
when
you're
talking
about
large
organizations
either
like
third
party
or
I,
don't
know
those
individuals
or
like
in
a
large
organization
where
you
have
like
hundreds
or
thousands
or
tens
of
thousands
or
a
hundred
thousand
people
is
no
longer
scalable
to
like
trust
individuals
and
then
prefer
attestations
over
just
inferences
of
like
well.
The
thing
was
configured
this
way,
so
I
assume
nothing
bad
could
have
happened,
but
instead
we
want
to
explicit
attestation
of
like
this
good
thing
did
happen
as
opposed
to
I.
D
It's
still
like,
there's
a
bunch
of
to-do's
in
here
and
like
I,
didn't
create
a
markdown
I
didn't
like
protobuf
and
so
like
it
doesn't
look
pretty,
but
I'd
be
interested
in
getting
people's
thoughts.
Originally
I
was
going
to
push
this
off
until
after
the
spec
1.0
release,
but
I've
had
a
bunch
of
conversations
with
folks
where
there's
a
lot
of
confusion
around
like
what
is
a
config
Source.
What
is
an
entry
point?
D
You
know
what
are
the
security
boundaries,
and
hopefully
this
is
maybe
getting
towards
an
improvement.
The
big
thing
again
brought
by
Mike
and
by
Sean
that's
missing.
Right
now
is
like
somehow
defining
like
what
these
trust
domains
or
security
boundaries
or
I.
Don't
know
what
to
call
them.
I
don't
even
know
how
to
picture
it.
Really
if.
D
There's
a
list
of
other
optional
things,
I
think
I
assume
this
would
be
optional
level,
three,
maybe
at
level
four.
We
would
require
this
of
like
resolved
dependencies
and
then
some
sort
of
per
Run
details
of
like
who
ran
the
build.
What
time
stamps
Etc
that
hopefully
have
a
better
separation
of
concerns
around
everything,
so
yeah
Mike.
F
F
D
D
Because
it's
not
ready
to
submit
I,
but
by
the
way
like
I
want.
Ideally,
we
would
have
something
like
defining
a
schema
in
markdown
sucks,
but
I
haven't
found
any
good
language
to
do.
This
Proto
seems
like
a
decent
compromise,
because,
like
it's,
nice
syntax
of
like
I
could
do
message
versus
like
was
it
called.
Json
scheme
is
horrible
to
write
by
hand.
D
We
like
about
a
bunch
of
markdown
and
like
Json
or
animal,
seems
terrible
too.
So
what
I'm
hoping
is
that
we
could
just
parse
this
file
and
generate
just
turn
it
into
markdown
like
take
all
this.
You
know
all
this
stuff
have
something
like
and
there's
the
tools
that
do.
This
turn,
that
into
a
Json,
which
we
can
then
render
as
a
template
or
something
like
that.
D
D
But
yeah
to
the
actual
content
area,
comment,
yeah
I
think
that's
and
we
should
be
clear
of
like
whether
that's
Ace
I
guess
at
level.
Is
there
a
difference
between
the
levels
and
is
that
necessary?
Like
does
it
have
to
describe
all
of
the
inputs,
because
that
that's
actually
maybe
a
change
from
the
0.1
release,
which
is
that
we
said
at
level
three?
You
just
have
to
list
the
entry
points
and
the
the
entry
point
Without
Really,
defining
exactly
what
that
is
and
then
level
four.
D
F
So
yeah
I
don't
exactly
know
where
we
should
have
it,
because
I
think
there's
a
lot
of
there's
a
lot
of
open
questions
about
also
trying
to
make
it
as
like
make
that
on-ramp
onto
the
higher
levels
as
easy,
as
is
possible
like
at
some
point.
We
do
need
to
absolutely
require
that
I
also
do
think
that
like,
if
we
let's
say
do
require
it
like
there's,
there's
ways
to
trivially,
implement
it
and
I'm.
Also
thinking
does
any
of
that
defeat.
F
The
spirit
of
the
requirement
like
if
I
just
said,
hey
I,
took
a
snapshot
of
the
container
right
at
the
end
of
this
I
took
a
snapshot
of
the
container
that
contained
everything.
I
needed
and
I
gave
you
that
hash,
but
there's
essentially
no
way
to
pull
that
down
that
information.
You
know
there's
no
way
for
you
to
get
access
to
that
container.
That
contained
those
dependencies.
F
Is
that
like
essentially
defeating
the
spirit
of
of
the
the
thing
there,
but
also
I
could
imagine
right
like
taking
a
snapshot
and
let's
say
in
the
case
of
Open
Source,
taking
a
snapshot
of
that
image
of
the
build
image
that
includes
the
dependencies
and
all
you
need
to
do
is
just
run.
You
know
GCC
or
or
run,
make
or
whatever,
and
it
does
everything
else,
and
it
does
again
that's
kind
of
your
you've
enclosed,
a
hermetic
kind
of
environment.
D
G
Hi
folks,
yeah
I,
just
just
quick
group,
a
cap
on
the
salsa
conformance
programmer
a
while
back
long
before
kubecon
and
stuff.
We
had
a
call
where
Jason
lives
in
Josh,
from
Red
Hat
presented
on
an
overview
of
the
conformance
program,
and
one
of
the
conclusions
was
that
this
was
the
the
best
meeting
to
help
nurture
that
and
drive
that
forward
and
yeah
I
think,
based
on
the
earlier
conversation
that
that
definitely
applies
so
yeah
I
just
wanted
to
get
it
on
the
agenda
today,
I
think
today.
G
C
Yeah
this
is
Jason
yeah
we'd
definitely
like
to
re-engage
on
this
and
keep
it
on
the
radar.
But
again
you
mentioned
a
lot
of
the
details
are
being
hammered
out.
But,
yes,
the
conformance
ticket
is
five
one
five
and
it's
tied
to
some
of
the
other
issues
that
are
related
to
this,
and
so
Josh
and
I
probably
should
kind
of
probably
do
a
presentation
again
or
depending
on
how
how
this
group
wants
to
adjust
that.
But
we
can
definitely
present
what
we
are
proposing
as
a
conformance
program.
E
Ahead,
yeah
I
I
just
wanted
to
remark
on
the
conformance
proposal
document
I
I
read
it
earlier
today:
I
missed
the
meeting
where
it
was
first
presented
and
I
really
like
the
idea,
but
I'm
kind
of
the
third
party
assessment
aspect
I'm
a
little
a
little
wary
of
at
this
stage.
So
I'm
curious.
What
what
sort
of
timeline
you
imagine
working
towards
with
with
the
kind
of
tier
one
tier
two
establishing
processes
and
things.
G
Yeah
I
don't
think
we
have
a
timeline
and
I
think
it's
safe
to
say
we
could
also
split
it
up
and
just
do
the
proposal
on
a
self
audit,
so
yeah
totally
open
to
feedback
from
folks
and
yeah
I.
Think
the
more
we
dig
into
it,
the
more
it
does
seem
to
have
yeah.
There's
lots
of
specific
things
we'll
need
to
address
so
yeah
I'm,
not
sure.
If
that
helps,
but
that's
generally
the
thinking
you
can
do
it
as
two
stages
of
just
So.
G
E
Yeah
I
think
the
I
think
that
makes
sense,
not
least
of
all,
because
I
think,
if
I,
if
I
look
at
the
few
public
instances
of
people
claiming
like
conformance
themselves,
level,
three
and
four
today
I
think
it's
going
to
be
hard
to
define
a
good
assessment
for
the
third
party.
Assessors,
so
I
I
think
the
the
phased
approach
and,
seeing
you
know
the
shape
of
salsa
one
and
how
people
are
self-assessing
cell
for
one
will
really
inform
how
we
Define
the
requirements
for
the
third
party
assessment
to.
G
F
To
do
yeah,
oh
yeah,
so
just
a
a
quick
comment.
Yeah
I
think
it
makes
sense
to
have
this
here
and
then
separately.
I
do
think
that
maybe
once
in
a
while
having
some
representative
who's
been
working
on
the
conformance
work
to
also
show
up
to
the
tooling
meeting,
because
I
know,
one
of
the
big
things
is
as
we're
going
through
the
tooling
stuff.
F
We
want
to
also
make
sure
that,
especially
in
the
open
source,
tooling,
that,
like
you
know
because
there's
the
two
pieces,
one
is
like
conformance
as
a
project
and
there's
probably
also
conformance
as
a
build
system,
or
you
know,
like
different
rules,
might
be
conformant
to
different
things.
Like
you
know,
hey
this.
This
hits
these
requirements
and
I
know
we
wanted
to
kind
of
like
there's
a
lot
of
uncertainty
in
in
the
tooling
meeting.
F
A
lot
of
folks
are
confused
as
they're
like
hey
and,
if
am
I
or
re-certifying,
for
example
like
GitHub
as
a
build.
You
know,
GitHub
actions
is
a
build
system
and
if
that's
the
case,
do
you
certify
like
tecton
and
tecton
chains
as
a
build
system?
And
then
do
you
certify
or
do
you
certify
this
installation
of
tecton
and
tecton
chains,
and
there
was
I
know,
there's
been
some
confusion
around
that
as
well?
That
we
want
to
clear
up.
F
D
D
D
Do
wonder
if
we
could
continue
to
iterate
on
the
survey
over
time
that,
like
we,
don't
have
I'm
worried
about
having
to
get
everything
right
perfectly
the
first
time
right,
because
it's
it's
impossible
to
ever
get
anything
right
the
first
time,
and
so
if
we
could
have
something
where
we
could
start
with
something,
that's
good
enough
and
then
evolve.
It
would
be
valuable
and.
B
D
Don't
know
if
we
want
to
time
those
to
the
salsa
releases
of
like
we
do
a
1.1
a
1.2
or
we
do
some
sort
of
rolling
thing.
I,
don't
know
what
the
best
plan
is,
but
trying
to
figure
out
like
how
we
evolve
it
over
time,
because
we're
going
to
get
better
at
it
over
time
and
trying
to
figure
out
that
I'm
like.
G
I
think
that
makes
sense,
and
one
of
the
things
to
decide
in
the
certification
is
how
we
tie
it
to
the
releases.
So
if
you
certify
against
1.0,
does
that
apply?
Does
that
not
expire?
But
if
the
version
changes
you
need
to
re-certify
and
things
like
that,
so
just
I
guess
I
guess
articulating
the
relationship
between
them
and
then
I
think
what
you
say
makes
a
lot
of
sense.
Just
we
can
always
fix
things
in
future
releases
and
tighten
them
up.
So,
let's
yeah,
let's
not
do
the
Perfection
as
the
enemy
of.
D
Yeah,
we
should
also,
as
part
of
this,
it's
not
let's
say
in
the
checklist
in
515,
but
we
need
to
like
I,
don't
know
whether
it's
here
or
in
the
higher
level
task,
but
like
we
need
to
figure
out
like
where
in
the
requirements
do
we
stick
this
right,
like
that?
You
have
to
do
this
and
like
how
does
that
like
just
mechanically
fit
in
like
do?
How
do
you
and
what
format
do
you
publish
the
survey
is,
is
anything
okay?
D
How?
How
do
we
verify
this
exists
like?
What
is
the
process
for
for
verifying
this
of
like
it
seems
like?
Probably
in
practice
we
have,
we
will
have
one
certifying
body
which
is
the
salsa
framework,
because
we
have
to
salsa
verifier
tool,
and
so
that
comes
with
a
default
list
of
things
that
they
can
verify
right.
You
can
like
verify,
GitHub
actions
and
I
think
people
work
on
Google,
Cloud,
build
and
gitlab
and
Etc,
and
so
I
think
just
de
facto.
D
There
is
some
list
where
some
people
have
made
a
decision
of
like
well.
This
thing,
like
the
conversation
we
had
for
the
first
half
hour,
this
thing
is
level
three
or
this
thing
is
level
two,
and
you
know
if
we
could
work
that
in
of
like
just
explaining
that
that's
the
current
state
I
think
that
would
be
good
and
then
also
talk
about
well,
you
know
that's
where
we
are
today
where
we
want
to
be.
Is
this.