►
From YouTube: SLSA Tooling Meeting (May 5, 2023)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
A
B
B
B
A
C
C
B
C
B
C
B
Details
on
that
one
yeah
I
think
it's
more
for
your
information
like
it.
It
won't
be
massively
different
from
the
work
we
did
for
provenance
generation
in
GitHub
action,
Runners,
it's
pretty
much
the
same
story,
but
for
git
lab
action,
certain
git
love,
runners
or
gitlab
pipelines.
Maybe
it's
cool,
but
I
just
want
to
make
sure
everyone
knows
that
the
work
is
happening
so
it
it's
I
mean
it
has
never
been.
The
idea
that
Providence
for
npm
should
be
exclusive
and
GitHub
actions.
B
C
Just
it's
good
stuff:
do
you
know
if
there's
because
I
know
with
the
RFC
that
had
gone
out
regarding
you
know
the
provenance
and
everything
else
do
you
know
where
there's
like
guidance
on
this
Providence
generation,
like
anything
that
that
folks
would
like?
Let's
say
you
know,
I,
don't
know
just
go:
throw
a
company
out
there
like
Circle
CI
is
like
hey.
Now
we
want
to
be
involved.
B
C
Yeah,
no!
No!
No,
that
that's
awesome
though
yeah
I
know-
and
this
is
some
of
the
stuff
that
I
know-
we've
talked
about
in
a
couple
of
the
other
beatings
has
been
just
like
folks-
are
starting
to
ask
like
a
lot
of
questions
about
what's
required
by
who
to
do
what,
when
it
comes
to
all
these
different
things
that
are
kind
of
coming
out
and
then
in
addition
to
that,
other
ecosystems
are
like
hey.
C
Maybe
we
should
adopt
sort
of
similar
practices
and
some
of
those
ecosystems
right
like
some
of
them,
it's
going
to
be
a
little
bit
easier
than
others
right,
because
some
of
those
ecosystems,
the
majority
of
builds,
are
perhaps
happening
within.
You
know
some
giant
Enterprises
CI
compared
to
to
like
npm,
which
I
think
the
vast
majority
of
npm
packages
are
are
being
built
out
in
the
open,
so
source.
So
saying,
hey.
C
You
need
to
build
this
out
in
the
open
on
one
of
n
number
of
of
hosted
providers
that
all
at
least
provide
for
open
source.
Some
sort
of
free
tier
I
think
is,
is
fine,
I
think
the
I
think
just
trying
to
kind
of
understand.
You
know
for
some
of
these
other
ecosystems
as
well
as
some
you
know.
Some
of
the
folks
who
are
starting
to
like
this
is
I
think
a
separate
problem
which
is
the
like.
Hey.
C
You
know,
folks,
on
my
end,
are
asking
like
hey
what
I
do
is
like
I'm
I'm,
a
B2B
software
like
I,
don't
publish
any
of
this
stuff
to
to
to
public,
but
how
do
I
like
I,
have
a
tool
that
generates
salsa
modules
in
order
to
get
rather
salsa
provenance
against
some
packages?
I
distribute
those
packages
in
a
sort
of
closed
ecosystem
B2B.
C
How
do
I,
you
know,
also
go
out
and
how
do
I
provide
that,
while
also
asserting
that
I
am
salsa
compliant
more
publicly,
though
so
that
folks
know?
Oh,
you
go
and
you
buy
my
software
I'm.
You
know
I'm
generating
salsa
conformant
software
foreign,
which
I
know
is
I.
Think
we
had
talked
about
that
also
a
little
bit
last
week
as
as
well,
which
is
you.
B
Know
yeah
just
one
thing:
I'm,
not
sure.
If
this
is
commonly
known
like
it
is
public
information
but
for
npm
provenance
we
do
not
accept
any
problem
statement
that
is
not
built
on
public
or
Cloud
infrastructure
like
if
you're
building
on
your
local
desktop
or
whatever
private
Runner
you're
running
in
your
company's
infrastructure
will
not
accept
that,
so
it
has
to
be
from
public
CI
provider.
B
C
Yeah,
no
and
and
I
think
so,
I
totally
agree
with
that
and
I
totally
agree
with
open
source
ecosystems.
Taking
that
stance,
I
think
the
the
question
that
has
come
up
is-
and
this
is
it's
not
so
much
a
question
for
the
the
tools
themselves
other
than
the
tools
should
should
help
promote
easy.
You
know
whatever
is
you
know
if
I'm
somebody
who,
just
you
know,
I,
don't
I'm
not
providing
stuff
to
npm
I'm
selling,
my
own,
you
know
whatever
it
is.
C
One
of
the
things
was
just
like
how
do
I
provide
provenance
and
also
make
a
an
assertion
that
I
am
providing
salsa
conformant
Providence
that
complies
with,
like
you
know,
Linux,
Foundation,
trademarks
and
yayada?
How
do
I
do
that?
Without
being?
Let's
say,
you
know,
building
out
in
the
public.
That
kind
of
thing.
C
A
second
is
everything
supposed
to
be
open
source
or
is
salsa
only
for
like
SAS
and
I'm
like
no?
No,
that's
not
that's
not
the
case
for
certain
ecosystems
where
they
like.
You
know
you
can
imagine
right.
There
could
be
like
a
Linux
Foundation
build
system
for
Linux
Foundation
projects
right,
like
that.
You
know
that
they
hosted
their
own
thing
and
said
we're.
You
know
we're
gonna
host
our
own
thing
and
you
might
say
great:
they
get
into
fulsio
everything's,
good
I.
C
Think
the
there's
just
some
open
questions
from
folks,
just
sort
of
generally,
like
hey
I,
you
know
I'm
not
sure
if
it's
also
primarily
an
open
source.
Only
thing
is
it
primarily
a
SAS
only
thing
and
those
things
are
not
the
the
case
it
just.
The
focus
has
been
on
some
of
these
open
source
use
cases
because
of
how
easy
it
is,
and
also
the
mission
of
you
know.
Groups
like
openssf
is
primarily
in
that
open
source
space,
but
I
know
as
we
try
to
get
wider
industry
adoption.
C
You
know,
there's
some
open
questions
about.
How
do
we
better
communicate?
Some
of
that
out
once
again,
I,
don't
think
the
communication
is
really
the
responsibility
of
this
particular
meeting
group.
But
I
do
think
when
it
comes
to
some
of
the
tooling
right
like
if
there's
you
know,
I
I
know
that
there's
the
Oracle
test
or
the
Oracle
lab
group
created
a
project
called
macaron,
which
I
know
is
in
the
the
list
of
things
inside
of
the
tools
here.
C
I
think
it's
from
a
couple
of
weeks
ago,
but
macaron
is
like
a
way
of
like
hey:
I
can
go
and
essentially
do
a
bunch
of
Investigation
into
your
infrastructure
and
whatever
else
and
say,
yep
I
I
took
a
look
at
you
know,
let's
just
I,
don't
think
they
support
this
yet,
but
the
idea
there
being
hey
I,
took
a
look
at
your
terraform
and
I
noticed
that
your
terraform
seems
to
spit
up
a
build
system.
That
is,
you
know,
relatively
secure.
C
You
know
you
might
need
to
have
some
additional
human
attestation
or
human
assertions
on
top
of
that,
but
basically
I
think
that's
kind
of
where
folks
are
sort
of
interested,
because
when
they
start
to
go
and
say,
okay,
great
I,
don't
you
know
I'm
not
providing
software
in
the
open
source,
but
I
still
want
to
use
salsa?
How
do
I
do
that.
B
So
my
reflection
that
would
be
like
I,
think
order.
Confusion
might
be
that
a
lot
of
the
fuss
is
around
various
open
source
project
or
Tools
around
salsa,
because
it's
super
easy
to
blog
about
what
you're
doing
for
for
open
source,
whereas
I
don't
think
a
lot
of
companies
are
blogging
about
their
internal
salsa
uses,
but
I'm.
C
Yeah
I,
so
I
could
reach
out
to
one
company
on
on
my
end,
that
I
know
is
is
doing
some
stuff
there
I,
don't
know
if
I'll
make
it
public,
but
I
I
can
definitely
check
with
them.
It's
a
it's.
A
hedge
fund
that
is
looking
to
you
know
build
all
their
software
salsa,
where
they
give
it
to
sort
of
partner.
Folks,
cool.
C
Yep
and
then
I
think
the
rest
of
the
the
concern
seem
to
be
more
from
like
a
documentation
and
other
blogging
sort
of
standpoint
of
like
yeah,
when
most
of
the
examples
that
people
are
talking
about
are
all
the
open
source
or
all
the
SAS
like
yeah
I
use,
GitHub
actions
for
this
or
I
use
or
or
you
know,
here's
how
I
took
the
cncf
project
like
the
public
cncf
audit
on
Prometheus
and
what
was
the
other
one
Argo
I
think
on
salsa.
It's
like
hey,
that's
great!
C
Is
it
mostly?
Yes,
you
know
there
was
some
confusion
on
on
it
being
public
versus
or
it
being
primarily
like
a
SAS
open
source
sort
of
thing
separately.
I
know
that
the
conformance
program
I
have
some
comments
out
there
on
that
to
sort
of
make
sure
that
folks
recognize
that
the
idea
here
is
not
to
purely
support
one
or
the
other.
The
idea
is
to
to
say
hey.
This
is
one
of
the
first
Frameworks
that
can
support
a
SAS
quite
easily
right,
which
I
think
is
super
important.
C
But
now
that
you
could
split
that
up,
you
can
say:
hey
I
outsourced,
my
storage
to
GitHub
like
to
the
code,
but
I
have
my
own
internal
Runners,
because
I
have
some
special
use
case
or
whatever,
or
you
know,
I
I
published
to
you,
know
assass
artifact
repository,
but
everything
else
is
internal
or
whatever,
like
this
I,
think,
there's
there's
a
lot
of
great
stuff
on
that
end.
I
just
think
that
yeah,
when
it
comes
to
some
of
the
other
pieces,
I
think
when
it
comes
to
like
self-hosted
and
yayada.
C
A
lot
of
folks
are
asking
a
lot
of
good
questions,
but
not
they're,
not
sure,
and
then
in
addition
to
that,
I
think
with
the
conformance
thing
they're
a
little
unsure
of
how
to
claim
they
are
salsa.
Without
you
know,
running
afoul
of
of
Linux
Foundation
lawyers,
which
I
know
just
to
be
clear,
I
know
in
general.
They
only
go
after
folks
who
are
egregiously.
Being
like.
Oh
we're.
C
You
know
we're
sponsored
by
the
Linux
Foundation,
where
you
know
trying
to
to
make
a
an
illegitimate
connection,
but
I
know
that
a
lot
of
folks
are
like
Hey.
How
do
I,
how
do
I
say
I'm
salsa
without
you
know,
ostensibly
lying
to
people.
How
do
I
kind
of
get
that
badge
and
say?
Yep
I
spoke
to
all
the
right
people.
I
did
all
the
right
things
and
I
am
you
know.
My
build
system
is
also
compliant.
F
So
so
Michael
along
those
lines
it
like
is
there
a
difference?
Is
there
a
difference
between
like
statements
that
you
might
make
on
a
web
page
like
a
badge
that
that
that
you
list
and
like
versus
you
know
any
of
the
metadata
that
you
might
produce
and
and
and
really
switch
sort
of
necessarily
lists
salsa,
like
I'm
thinking
about
the
VSA,
where
like
well
yeah,
the
data
format
has
like
this
particular
salsa
level
in
it.
What
I
don't
recall
is
like
if
the
VSA
format
says
anything
like
hey?
F
C
C
We
have
followed
the
salsa,
you
know
not
just
generating
salsa,
you
know
generating
salsa
provenance,
but
we
want
to
be
able
to
go
out
and
say
that
and
I
know
with
the
conformance
program.
There's
a
combination
of
a
self,
a
self
attestation
or
a
self-audit
or
whatever
you
can.
You
can
write
a
a
statement
on
that
and
then
you
know
separately
for
for
for
companies
that
are
maybe
a
bit
more.
You
know,
and
at
the
end
of
the
day,
it's
always
going
to
be
me,
as
the
user
do.
C
I
trust
this
company
sure,
but
I
know
that
when
it
comes
to
also
the
dilution
of
the
brand
a
little
bit
I
know
the
Linux
foundation
and
openssf
has
said
hey.
We
don't,
like.
We've
already
had
a
couple
of
cases
where
a
few
companies
have
said
like
we're,
salsa
four
plus
they're
like
what
like
that's,
not
a
thing
and
they
start
to
kind
of,
and
they
you
start
to
ask
them
like
how
are
they
achieving
salsa
and
they
start
to
go
and
say
well
we're
doing
you
know
it's
like.
C
They
still
thought
that
they
were
four
salsa
levels.
Still
looking
at
the
old
version.
There
was
a
lot
of
stuff
like
that
that
hey,
if
we
can
have
something,
that's
a
a
a
conformance
program
that
that
is
pretty
you
know,
rigorous
and
whatever
it's
like.
Yes,
if,
if
I
am
just
a
like
a
small
company,
I
can't
pay
for
an
audit,
that's
fine,
I
can
just
say
here's
what
I'm
doing
here's.
You
know
here's
my
whole
setup
and
also
try
and
make
it
as
easy
as
possible
for
them
to
to
make
those
claims.
C
C
C
You
know
myself
included,
and
some
other
folks
are
starting
to
look
at
stuff
like
could
you
run
a
salsa
build
inside
of
a
trusted
Enclave
or
trusted
execution
environment
in
that
sort
of
thing
where
you
could
start
to
say,
hey
the
where
the
hardware
like
what
is
actually
running.
This
is
a
little
less
important
as
long
as
it's
running
it
on
something
that
is
compliant
with
you
know
some
sort
of
Hardware.
C
You
know
security
standard,
but
anyway,
that's
that's
much
further
further
along,
but
but
yeah
I
think
the
the
basic
idea
is
just
trying
to
figure
out
like
also
to
take
a
step
back,
it's
about
like
who
is
making
what
claim
and
how
and
in
what
cases.
I
think
is
just
trying
to
figure
out
how
to
make
that
clearer
to
both
the
folks
who
are
making
those
claims,
as
well
as
the
folks
who
are
intended
to
consume
those
claims.
C
No,
it
just
so
happened
that
the
tools
to
write
for
this
GitHub
actions
is
just
super
easy
compared
to
doing
it
first
for
Jenkins,
which
is
a
separate
problem
which
Jenkins
tends
to
be
very
open
and
yeah
yeah,
but
I.
Think
kind
of
some
of
the
stuff,
for
this
group
I
think
is
how
can
we
start
to
make
some
of
those
tools
to
make?
And
potentially
this
is
some
of
the
stuff
that
we
talked
about
last
week
for
anybody
who
wasn't
here
was
like.
C
C
And
I
know
I
ranted
on
for
a
while
to
be
clear,
I
think
it's
just
you
know.
Everything
in
salsa
I
think
is
great.
I.
Just
think
that
there's
a
lot
of
still
confusion
and
some
somebody
else,
I
think
in
the
positioning
group
brought
up
webinars
I
think
it
might
have
actually
been
Brian
bellendorf
himself
brought
up.
You
know
webinars
with
the
tools
like.
E
I
I
just
have
more
kind
of
a
landscape
question
so
because
I
interested
in
this
topic,
because
I
actually
listened
to
some
of
the
earlier
supply
chain,
videos
back
in
2021
and
22.
One
thing
actually
I
think
he
said
is
actually
salsa
is
actually
a
kind
of
implementation.
Implementation
of
in
total.
So
so
I
just
want
to
understand
that,
and
also
also
between
the
two
of
use
by
salsa
and
used
to
use
by
like
S2
c2f.
What's
the
differences
and
is
there
like
a
documentation
on
those.
C
E
C
F
This
was
not
meant
to
say,
like
these.
Things
cannot
eventually
be
in
the
domain
of
of
salsa.
I
know
that
salsa
has
has
ideas
on
like,
unlike
new,
unlike
new
tracks,
that
cover
that
cover
other
things
and
I.
Think
that
our
hope
on
the
antenna
attestation
side
is
that
is
that
those
is
that
the
new
data
required
to
to
to
implement
those
those
tracks
can
be
can
be
encoded
in
in
Toto,
attestations.
C
Yeah
and
if
anything
after
that
is
still
like,
maybe
not
clear,
you
know,
feel
free
to
to
provide
that
feedback,
because,
obviously,
as
we
continue
on
we're
going
to
want
to
update
documentation,
create
new
new
blog
articles
and
and
so
on,
to
make
it
to
make
the
distinction
clearer
as
well,
which
is
like
in
Toto,
is
a
project
that
salsa
uses
to
provide
that
provenance
as
well.
As
you
know,
other
things
like
the
BSA.
C
C
That's
necessarily
intended
to
be
like
it's
not
a
build
Tool
directly.
It's
a
it
is
a
tool
for
helping
sort
of
build
the
build
tools
and
other
things
hasn't
been
an
official
release.
Yet
it's
all
written
in
Rust.
So
for
folks
who
know
rust
and
that
kind
of
thing,
but
there's
some
stuff
in
here,
if
I
kind
of
and
the
UI
ux
stuff
is,
is
still
going
to
be
worked
on
quite
a
bit.
A
C
There
we
go,
I
can
have
like
a
NATO
statement.
I
could
have
a
bunch
of
stuff
in
it.
I
can
have
you
know,
Providence
statement.
I
can
have
information
about
the
predicates
and
all
this
stuff.
These
are
all
strucks
in
here
using
using
this
rust
library
that
I'm
using
called
was
it
schemer
RS?
It
lets
me
sort
of
take
those
and
generate
Json
schema
out
of
it.
C
C
Right
I
can
now
generate
rust
code
out
of
the
Json
schema
as
well.
It's
not
exactly
a
one-to-one
mapping.
You
know
where
it's
not
even
rather
I
shouldn't
say
it's
like
it's
not
invertible
exactly.
It
generates
slightly
different
rust
and
Json
schema
as
going
in
and
going
out,
but
I
think
the
the
general
thing
here
is
one
of
the
big.
You
know
questions
that
folks
that
had
is
like
hey.
Is
there
stuff
to
help
me
kind
of
figure
out
how
to
implement
the
salsa
stuff
a
little
bit
easier?
C
Is
that
stuff
that
can
help
me
generate
code,
for
it?
Is
there
stuff
that
can
like
I
I
require
you
know
a
Json,
spec
or
I
require
a
you
know,
protobufs
and
so
on
and
so
forth
and
I
know
that
we
have
some
official
Proto
Buffs
and
we
have
a
few.
You
know
some
Q
code
and
so
on,
but
you
know
the
idea
here
is
to
have
something
like
this
be
able
to
generate
back
and
forth.
You
know
it
could
be
salsa
today
you
could
do
s-bombs
tomorrow.
C
It
doesn't
necessarily
need
to
be
tied
directly
into
salsa,
but
the
idea
here
being
making
it
super
simple
to
sort
of
validate
as
well
as
validate
then
I
showed
off
the
validation
a
bit
last
week
where
I
can
go
and
take
you
know
one
of
these
documents
validate
them
and
then
you
know
it'll
come
back
with
you
know.
Yes,
this
is
a
valid
salsa
document
or
no
it's
not
about
it's
also
document
and
it
does
like,
as
as
I
kind
of
brought
up
also
last
week.
It
doesn't.
C
C
If
it's
not
like,
you
know,
don't
claim
it's
a
it's
a
valid
salsa
document
and
then
eventually
the
idea
would
also
be
to
it
to
be
a
verifier
that
can
go
out
to
the
various
URLs
verify
that
the
content
is
correct
or
whatever,
based
on
on
some
of
those
things
so
yeah.
That's
that
that's
really
about
it,
there's
some
you
know
feel
free
to.
F
So
I
I
guess
as
like
one
of
the
internal
attestation,
maintainers
I'm,
I
I'm
interested
in
and
where
you
see
this
going
like
we've.
We've
recently
been
putting
some
effort
into
into
defining
into
defining
protobots
for
the
various
internal
predicates
and
like
doing
code
generation
for
those
things
for
go
and
Java
and
like
Python
and
I
like
if
I
guess
like
it
would
be
nice.
C
Yeah
no
I
I
hear
you
and
I
think
it's
the
thing,
at
least
for
the
foreseeable
future.
I
think
what
you're
gonna
see
is
because
I
know
that
there's
also
like
plugins,
for
example,
for
protobufs
that
allow
you
to
let's
say,
introduce
constraints
into
a
product
Beyond.
Just
like
this
is
a
string.
That
kind
of
thing
you
can
say
like
well.
This
is
a
string
that
should
be
of
length
this
that
meets
this
regular
expression
or
whatever
so
I
I
do
think
that
on
that
end,
I
think,
at
least
in
the
short
term.
C
We
just
need
to
be
relatively
flexible
with,
while
still
telling
folks.
Like
look,
you
know,
this
is
the
canonical
way
of
doing
it.
We're
going
to
provide
some
tools
to
help
you
out,
because
you
know
a
lot
of
folks
are
going
to
come
in
and
say:
hey
all
of
my
stuff
uses
Json
schema.
So
if
you
can't
provide
me
a
Json
schema,
you
know,
and
you
go
okay
great
well,
we
can
probably
do
a
Json
schema,
but
we're
going
to
tell
you
right
now.
C
F
Yeah,
and
and
like
maybe
maybe
really,
the
important
part
is
not
like.
Is
there
a
canonical
way
to
define
the
layout,
but
rather
is
there
a
canonical
and
authoritative
validator
so
that
I
can
say,
regardless
of
how
I'm
generating
this
thing,
if
I
pass
it
through
this
tool,
it
will
tell
me
yes,
it's
good
or
no,
it's
not,
and
then
it
and
then
and
then
I'm
free
to
sort
of
to
sort
of
implement
that.
However,
I
wish.
C
C
C
So
that's
one
of
the
reasons
why
I
I
was
had
picked
rust,
for
that
was
to
say,
I
get
a
lot
of
these
great
compile
time
checks,
which
is
also
why
some
of
it
is
can
be
a
bit
slow
to
compile.
But
the
you
know
there's
a
lot
in
there
and
in
fact,
actually
let
me
go
in
just
share
it
just
to
kind
of
like
I.
C
All
of
this
stuff
just
kind
of
immediately
works,
and
if
there
are
certain
things,
for
example,
if
I
go
into,
let's
see,
is
it
and
now
I
realized
that
this
this
resource
descriptor
should
probably
be
in
its
own
file,
but
the
resource
description
descriptor
in
here
you'll
notice.
Here
right,
this
is
a
base64
like
there
is
no
default,
base64
encoded,
deserialization
thing
so
I
had
to
write
my
own.
C
It
turns
out.
There
might
actually
be
one
out
there
that
I'll
probably
switch
to,
but
here
hey
I
can
you
know,
have
this
content,
which
is
turning
into
some
bytes
as
long
as
you
know,
it
actually
matches
that
right.
If
somebody
gives
me
a
random
string
in
most
cases
that
random
string
would
probably
like
if
I
was
using
most
other
things
like
that,
random
string
would
have
to
be
checked.
C
You'd
have
to
write
a
bunch
of
you
know,
logic
somewhere
in
there
to
check
at
runtime,
like
hey
when
I
pull
this
in
the
check.
Is
this
a
base64
encoded
string?
If
not,
you
know
throw
an
error,
blah
blah,
whereas
here
it
lets
me
kind
of
very
easily
keep
all
of
this
content
right
here.
The
other
thing
is,
you
know,
using
tools
like
that,
there's
a
tool
called
typify
which
I
I
started
using
that's
kind
of
that
out
of
the
oxide
folks
that
I
integrated
into
this
I
can
generate.
C
You
know
from
a
Json
schema
into
this.
I
can
also
potentially
take
protobufs.
You
know
and
I
can
turn
them
into
rust
and
so
on.
So
the
idea
here
would
be
you
could
you
know
the
first
pass
comes
in
here
and
then
you
know
we
would
still
probably
expect
a
human
to
come
in
and,
like
you
know,
make
it
more
rigorous,
but
that's
like
that's
kind
of
one
of
the.
You
know
the
reasons
why
I
think
I
chose
to
do
it.
C
This
way
was
just
how
sort
of
you
know
there's
a
bit
of
a
learning
curve,
but
once
folks
like
for
folks
who
know
rust,
it's
like
hey,
okay,
I
see,
you
know
this
is
a
URL,
so
it
uses
the
you
know.
It
uses
the
URL
serializer
deserializer
it.
You
know
and
can
sort
of
take
care
of
all
these
things
without
having
to
do.
C
C
And
then
this
because
I'm
I'm
encoding
some
of
the
semantic
information
inside
of
the
types
it
lets
me
longer
term,
make
it
also
much
easier
to
then
eventually
verify
right,
where
I
can
now
go
in
and
say
great
I
now
have
this
base64
encoded
set
of
bytes
I
can
do
something
with
it
as
part
of
a
verification.
I
have
a
set
of
URLs
that
I
know
those
URLs
are
actually
valid.
Urls
I
can
now
verify
that
those
URLs
are
resolvable
that
they
get
me.
What
I
need.
C
Cool
yeah
that
was
about
it
and
I,
think
you
know
the
other
thing
just
to
kind
of
end.
It
with
is
just
yeah
like
I.
Think
folks
are
asking
for
a
lot
more
tools
like
something
like
Specter
right.
You
know
it
could
be
in
any
language
that
you
know
doesn't
have
to
be
this,
but
just
this
idea
of
hey
how
do
I
know
I,
like
I
I
I'm,
trying
to
make
a
tool
that
that
implements
salsa
1.0?
How
do
I
know
I'm
doing
the
right
thing
is?
F
C
To
see
oh
yeah
and
one
of
the
things
I
forgot
to
show
but
I'll
just
talk
about
it
is,
is
I
also
included
a
couple
of
other
things
in
here
as
well.
That
makes
it
much
easier
to
to
verify
like
where,
in
the
Json
also
something
has
gone
wrong,
because
a
lot
of
the
tools
I
noticed,
like
kind
of
just
tell
you
like
the
first
example
of
like
oh
you're,
missing
a
field
here.
C
C
You
know,
because
that
that
to
be
clear,
I
get
that
in
most
cases
you
want
to
Short
Circuit
during
serialization
deserialization,
but
in
in
the
case
of
something
like
hey
I'm,
generating
salsa
documents.
I
want
to
know
like
oh
I,
don't
want
to
just
know
that
I'm
missing
this
one
field
updated.
Then
it
says
oh
you're,
also
missing
this
other
field.
I
want
to
know
all
the
fields,
I'm
missing
or
all
the
fields
that
are
mismatched
types.
C
So
it
there's
a
lot
that
needs
to
be
done
on
the
user
experience
and
UI
side,
but
the
the
general
gist
of
it
is
going
to
be
hey,
here's
a
whole
bunch
of
stuff,
here's
how
to
and
also
hopefully
hold
somebody's
hand
throughout
the
whole
process
so
that
as
they
kind
of
go
through.
Oh
here
are
the
fields
that
are
missing,
you're
passing
in
a
URL
that
or
it
looks
like
a
URL,
but
it's
not
actually
URL
and
oh
cool.
C
You
know
do
the
five
or
six
things
that
they
need
to
do
fix
it,
and
then
you
know
it
comes
through
and
it's
like
looks
good
great
now.
Now
it's
and
then
also
have
something
like
a
verification
system
in
here.
So
are
you
actually
generating
stuff
that
can
then
be
consumed
by
people
to
to?
Actually
you
know
verify
stuff.
C
C
The
thing
we
we
very
quickly
realized
was
like
a
lot
of
the
s-bombs.
We
were
ingesting
and
some
of
the
salsa
attestations.
We
were
ingesting
into
guac
weren't,
actually
valid
right
like
they.
You
know,
because,
because
in
order
for
us
to
pull
out
all
that
semantic
value,
we
we
need
to
check
the
thou.
Shall
you
know
it's
like?
Yes,
if
this
is
optional,
it's
optional,
if
it's
required,
it
has
to
be
there,
because
we
can't
possibly
key
off
of
things
that
don't
exist,
and
so
we
ran
it.
C
You
know
we
started
running
into
all
sorts
of
issues
where
we
had
to
throw
out.
You
know
we
have
to
throw
out
these
5000
s
bombs
because
they're
not
actually
valid
to
the
spec
they're
they're
close
they're
90
valid,
but
you
know
they
they
in
particular.
One
of
the
common
examples
is
it's
very
easy
to
trick
one
of
the
s-bomb
generators
into
giving
you
a
a
hash
that
is
not
sha1.
C
You
could
just
tell
it
like
I
want
to
use
a
shot,
256
hash,
great,
but
spdx
and
I
think
Cyclone
DX
as
well
both
require
at
least
right.
Now.
It's
also
the
the
new
versions.
Don't
I
think
require
one
at
least,
and
then
you
could
have
other
ones
in
addition,
but
most
s-bomb
generation
tools,
if
you
just
said
I
want
shot
256,
it
just
went
great
I'll
just
get
it.
Give
you
only
a
shot
256.
when
it
needed
to
give
you
a
shot,
one
plus
a
shot.
256.
C
and
I
know
that's
like
super
pedantic,
but
like
when,
when
your
tools
when
you're
saying
like
wait
a
second,
no,
no
I
need
to
be
compliant
with
the
spec
and
I'm
going
to
expect
the
sha-1
everywhere,
because
it's
required,
if
it
doesn't
show
up,
you
know
it.
It
leads
to
all
sorts
of
issues
and
it
leads
to
you
know
a
lot
of
like
heuristics
and
things
that
end
up
leading
to
a
lot
of
the
the
issues
we
see.
C
Cool
yeah
and
and
I
agree
with
that
Brendan
yeah,
if
they
can't
get
the
text
right,
I
also
have
concerns
about
getting
the
content
right,
and
that
was
also
something
that
you
know
for
folks
who
aren't
aware:
there's
there's
a
really
good
YouTube
video
that
Ian
cold
water,
Duffy
and
a
bunch
of
other
folks
put
on.
Where
is
this
cubecon?
Let
me
bring
this
up
just
because
I
think
it's
it's
very
valuable
for
folks
who
is
yeah,
it's
called.
C
If,
if
you
can
determine
that
the
build
process
was
okay,
then
you
are.
You
have
increased
confidence
that,
by
generating
the
the
s-bomb
that
somebody
has
not
messed
with
the
container
somewhere
in
the
middle
right,
and
this
talk
just
the
the
very
quick
summary
is
they
showed
that
if
you
mess
with
a
container
and
do
something
like
remove
the
package
database,
it
doesn't
fail
closed.
It
just
fails
open,
so
it'll
just
be
like.
C
Oh
I
found
no
packages
great
and
you're,
like
oh
great,
so
now,
I
have
an
s-bomb
that
has
nothing
of
value
in
there,
even
though
it
actually
has
all
these
packages
with
all
these
vulnerabilities
and
then
also
doing
small
things
like
removing
Etsy
release
file
and
some
of
these
other
things
that
are
messing
with
a
file
here
or
there
and
all
of
a
sudden.
It
can't
detect
the
vulnerability
anymore.
C
Even
though
the
vulnerability
is
still
there,
and
you
know
you
might
say
well,
you
know
you
can't
expect
all
these
tools
to
know
everything,
but
at
the
same
time
you
would
expect
those
tools
to
be
like
hey.
This
is
weird
I'm.
Expecting
this
thing
to
exist,
it
doesn't
exist,
I
should
probably
say
unknown
or
can't
generate.
You
know
something
instead
of
just
sort
of
saying.
Oh,
it's
fine
I'm
going
to
fail
open.
C
Yes,
yes,
Brendan
yeah,
deleting
the
metadata
from
an
image
breaks
the
tool
that
builds
metadata
on
the
metadata,
yeah,
yeah,
that's
and
so
I'm,
hoping
like
I
I.
This
is
actually
just
you
know.
I
I
can't
stay
strongly
enough.
How
much
I
actually
like
that
salsa
is
here
because
I've
actually
used
salsa
or
my
s-bomb
generation,
in
addition
to
the
build
where
I
can
say,
I
built
this
container
and
ran
the
s-bomb
generation
during
this
step,
and
here's
like
you
know,
I
took
it
yeah.
You
know
I
built
this
image
with
this.
C
C
So
for
folks
who'll
be
at
open
source
Summit
next
week,
I'll
see
you
there
for
folks
who
aren't
going
to
be
I'll.
Definitely
we'll
we'll
collect
a
list
of
talks
that
we
feel
are
valuable
once
they're
uploaded
on
YouTube
and
yeah.
So
next
week
we'll
cancel
this
meeting
because
I
have
a
feeling
of
a
few
of
us
are
going
to
be
over
there
or
we'll
see.
If
there's
interest
still
for
for
the
meeting
next
week,
we
can
have
it
I
just
won't,
be
there.
I
know
Frederick.