From YouTube: SLSA Tooling Meeting (May 5, 2023)
Description
Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj
B: You, yeah, from a hike I did last fall in the lower mountains here in Sweden. So it was an amazing day; like, the weather was unreal.

A: Yeah, I don't have that in the Hudson Valley in New York. Oh.

A: We have lots of trees, but not landscape like this, yeah.

B: No, it's, yeah, it's one of the perks, I think. The place is four hours away from where I live, so it's fairly easy to get there by car, which is nice.
C: We'll give it a couple minutes and then get started here.

C: For anybody else to join, feel free to add your attendance and any agenda items to the meeting.

C: Right, we can probably get started. As a reminder, this meeting is being recorded; it'll be uploaded to YouTube shortly after, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct.
C: Open Source Summit North America is next week. I don't know who on this call, if anybody, is going, but if...

C: If folks are going to be out at Open Source Summit North America, I'll be out there. There's going to be a handful of SLSA talks, there's going to be a SLSA panel that I'm on, as well as I'll be giving a talk just generally on how to get started with SLSA. I'll probably be just using the GitHub Action for SLSA, while also maybe pointing folks in the direction of a couple of other tools for SLSA as well. Yeah, for folks who will be there.

C: Okay, I see Brandon Mitchell mentioned that he's gonna be there. Hope to see you there in person, yeah. And if there's any other talks that folks are aware of that seem good, feel free to put it into the docs.

C: For anybody who's joining now, feel free to put your attendance in the meeting notes.

C: Cool, glad to have your support. Cool, so let me, one second here.

C: Okay, looks like there's a talk on npm provenance from folks at GitHub and npm, so Trevor and Zach, yeah. That sounds...

C: Awesome, looking forward to that one.

C: Okay, so it looks like...

C: It looks like a couple of us are cutting out there. All right. So next up on the agenda is the GitLab npm provenance in progress. Ive.
B: Details on that one, yeah. I think it's more for your information. It won't be massively different from the work we did for provenance generation in GitHub Actions runners. It's pretty much the same story, but for GitLab actions, GitLab runners or GitLab pipelines. Maybe it's cool, but I just want to make sure everyone knows that the work is happening. I mean, it has never been the idea that provenance for npm should be exclusive to GitHub Actions.

B: Cool, awesome. Let's...

C: Just, it's good stuff. Do you know if there's, because I know with the RFC that had gone out regarding the provenance and everything else, do you know where there's like guidance on this provenance generation, like anything that folks would like? Let's say, I don't know, just to throw a company out there, like CircleCI is like, hey, now we want to be involved.

B: Yeah, good question. I think the best guide we have would actually be how they would be integrated with Fulcio, because at the end of the day, I think that's the biggest adoption blocker, or it could be the biggest adoption blocker. And as part of getting the CI provider onto Fulcio, you have to meet certain requirements, which are typically the requirements we are interested in, such as identifying the identity of the builder or the git commit.

B: Cool, I can try to find a link to the Fulcio sort of requirements to be integrated with that. So just give me a few seconds. Yeah.
C: Yeah, no, no, no, that's awesome though. Yeah, I know, and this is some of the stuff that I know we've talked about in a couple of the other meetings, has been just like folks are starting to ask a lot of questions about what's required by who to do what, when it comes to all these different things that are kind of coming out. And then in addition to that, other ecosystems are like, hey...

C: Maybe we should adopt sort of similar practices in some of those ecosystems, right? Like, some of them, it's going to be a little bit easier than others, right, because in some of those ecosystems the majority of builds are perhaps happening within some giant enterprise's CI, compared to npm, where I think the vast majority of npm packages are being built out in the open source. So saying, hey...

C: You need to build this out in the open on one of n number of hosted providers that all at least provide some sort of free tier for open source, I think is fine. I think just trying to understand, for some of these other ecosystems as well as some of the folks who are starting to, this is I think a separate problem, which is the like, hey...

C: Folks on my end are asking, like, hey, what I do is, I'm a B2B software, I don't publish any of this stuff to public, but how do I, I have a tool that generates SLSA modules, or rather SLSA provenance, against some packages? I distribute those packages in a sort of closed ecosystem, B2B.

C: How do I also go out and provide that, while also asserting that I am SLSA compliant more publicly, so that folks know: oh, you go and you buy my software, I'm generating SLSA conformant software. Which I know is, I think we had talked about that also a little bit last week as well, which is, you know.
B: Yeah, just one thing. I'm not sure if this is commonly known, like, it is public information, but for npm provenance we do not accept any provenance statement that is not built on public or cloud infrastructure. Like, if you're building on your local desktop or whatever private runner you're running in your company's infrastructure, we will not accept that. So it has to be from a public CI provider.

C: Yeah, no, and I think so, I totally agree with that, and I totally agree with open source ecosystems taking that stance. I think the question that has come up is, and this is, it's not so much a question for the tools themselves, other than the tools should help promote easy, you know, whatever it is. If I'm somebody who just, I'm not providing stuff to npm, I'm selling my own, whatever it is.

C: One of the things was just like, how do I provide provenance and also make an assertion that I am providing SLSA conformant provenance that complies with, like, Linux Foundation trademarks and yada yada? How do I do that without being, let's say, building out in the public? That kind of thing.
F: So Michael, I'm not sure if this answers your question, but I'd always imagined that this is one of the primary motivators for using the VSA, where a provider could build the software, verify it against whatever policy they want, and then they can use the VSA as a statement that says this software with this hash...

C: Oh yeah, yeah. So I think there is, so there's a couple of different separate problems, and I...

C: Think, like, eighty percent of the problem is more on the specification and positioning side, and 20 percent of the problem is: how do we actually implement it via the tools. But I think the open question, so as I mentioned for folks who weren't in some of the other meetings, pretty much one of the biggest pieces of feedback I got at KubeCon EU, after the announcement a lot of folks were super excited, but one of the consistent pieces of feedback was a lot of folks were looking at the npm stuff as if it's the only thing, right? Like, they're saying, oh wait...

C: A second, is everything supposed to be open source, or is SLSA only for, like, SaaS? And I'm like, no, no, that's not the case for certain ecosystems where they, like, you can imagine, right, there could be a Linux Foundation build system for Linux Foundation projects, right, that they hosted their own thing and said, we're gonna host our own thing. And you might say, great, they get into Fulcio, everything's good. I...

C: Think there's just some open questions from folks, just sort of generally, like, hey, I'm not sure if it's also primarily an open source only thing, is it primarily a SaaS only thing, and those things are not the case. It's just the focus has been on some of these open source use cases because of how easy it is, and also the mission of groups like OpenSSF is primarily in that open source space. But I know as we try to get wider industry adoption...

C: There's some open questions about how do we better communicate some of that out. Once again, I don't think the communication is really the responsibility of this particular meeting group, but I do think when it comes to some of the tooling, right, like, if there's, I know that the Oracle Labs group created a project called Macaron, which I know is in the list of things inside of the tools here.

C: I think it's from a couple of weeks ago, but Macaron is like a way of, hey, I can go and essentially do a bunch of investigation into your infrastructure and whatever else and say, yep, I took a look at, let's just, I don't think they support this yet, but the idea there being, hey, I took a look at your Terraform and I noticed that your Terraform seems to spin up a build system that is relatively secure.

C: You might need to have some additional human attestation or human assertions on top of that, but basically I think that's kind of where folks are sort of interested, because when they start to go and say, okay, great, I'm not providing software in the open source, but I still want to use SLSA. How do I do that?
B: So my reflection on that would be, I think the confusion might be that a lot of the fuss is around various open source projects or tools around SLSA, because it's super easy to blog about what you're doing for open source, whereas I don't think a lot of companies are blogging about their internal SLSA uses, but I'm...

C: Yeah, so I could reach out to one company on my end that I know is doing some stuff there. I don't know if I'll make it public, but I can definitely check with them. It's a hedge fund that is looking to build all their software SLSA, where they give it to sort of partner folks. Cool.

C: Yep, and then I think the rest of the concern seemed to be more from a documentation and other blogging sort of standpoint, of like, yeah, when most of the examples that people are talking about are all the open source or all the SaaS, like, yeah, I use GitHub Actions for this, or here's how I took the CNCF project, like the public CNCF audit on Prometheus and, what was the other one, Argo I think, on SLSA. It's like, hey, that's great!

C: Is it mostly? Yes, there was some confusion on it being public versus it being primarily a SaaS open source sort of thing. Separately, I know that the conformance program, I have some comments out there on that to sort of make sure that folks recognize that the idea here is not to purely support one or the other. The idea is to say, hey, this is one of the first frameworks that can support a SaaS quite easily, right, which I think is super important.

C: A lot of folks sort of assumed you had to control everything from source to the actual package release, which has been the case for most sorts of these kinds of frameworks for years and years and years.

C: But now that you could split that up, you can say, hey, I outsourced my storage to GitHub, like, the code, but I have my own internal runners because I have some special use case or whatever, or I published to a SaaS artifact repository, but everything else is internal, or whatever. Like this, I think there's a lot of great stuff on that end. I just think that, yeah, when it comes to some of the other pieces, I think when it comes to, like, self-hosted and yada yada...

C: A lot of folks are asking a lot of good questions, but they're not sure. And then in addition to that, I think with the conformance thing they're a little unsure of how to claim they are SLSA without running afoul of Linux Foundation lawyers, which, I know, just to be clear, in general they only go after folks who are egregiously being like, oh, we're...

C: We're sponsored by the Linux Foundation, where, you know, trying to make an illegitimate connection. But I know that a lot of folks are like, hey, how do I say I'm SLSA without ostensibly lying to people? How do I kind of get that badge and say, yep, I spoke to all the right people, I did all the right things, and my build system is also compliant?
F: So Michael, along those lines, is there a difference? Is there a difference between statements that you might make on a web page, like a badge that you list, versus any of the metadata that you might produce, and really which sort of necessarily lists SLSA? Like, I'm thinking about the VSA, where, well yeah, the data format has this particular SLSA level in it. What I don't recall is if the VSA format says anything like, hey?

C: I think the thing that's coming out of it is, so I've spoken to some companies, and some of the companies do want to, for example, say they want to come out and say, we want to be able to tell our customers...

C: We have followed the SLSA, not just generating SLSA provenance, but we want to be able to go out and say that. And I know with the conformance program there's a combination of a self attestation or a self-audit or whatever; you can write a statement on that, and then separately for companies that are maybe a bit more, you know. And at the end of the day, it's always going to be me, as the user: do...

C: I trust this company? Sure, but I know that when it comes to also the dilution of the brand a little bit, I know the Linux Foundation and OpenSSF has said, hey, we don't like, we've already had a couple of cases where a few companies have said, like, we're SLSA four plus. They're like, what? Like, that's not a thing. And they start to, you start to ask them how are they achieving SLSA, and they start to go and say, well, we're doing, it's like...

C: Oh, so you're kind of taking our brand, and by "our" I just mean the Linux Foundation's brand, and you're sort of making a claim without, like, there's nothing really to back that up. And you have enough of those blog articles and folks get very confused, because even with the SLSA 1.0 release, there were a couple of articles that I don't know if everybody saw, but there were a couple of articles that had gone out where some folks had gotten kind of confused.

C: They still thought that there were four SLSA levels, still looking at the old version. There was a lot of stuff like that, that, hey, if we can have something that's a conformance program that is pretty rigorous and whatever, it's like, yes, if I am just a small company, I can't pay for an audit, that's fine. I can just say here's what I'm doing, here's my whole setup, and also try and make it as easy as possible for them to make those claims.

C: And here's what I'm doing, because especially for, I think the majority of software using GitLab, GitHub Actions, CircleCI and whatever is going to fit the average use case, but I know with a lot of folks, especially in the fintech space...

C: One of the big things is like, hey, I want to run a build in a hyper private sort of setup, which is also why, I know last week we were talking about some of the stuff with Project Oak and how some people are trying to look at...

C: Myself included, and some other folks are starting to look at stuff like, could you run a SLSA build inside of a trusted enclave or trusted execution environment, in that sort of thing where you could start to say, hey, where the hardware, like, what is actually running this, is a little less important as long as it's running on something that is compliant with some sort of hardware...

C: Security standard. But anyway, that's much further along. But yeah, I think the basic idea is just trying to figure out, like, also to take a step back, it's about who is making what claim and how and in what cases. I think it's just trying to figure out how to make that clearer to both the folks who are making those claims as well as the folks who are intended to consume those claims.
C: Is useful, because I know a lot of it, and to be clear, it's still very early, but there's a lot of confusion right now around, because a couple of folks from KubeCon were like, hey, does SLSA support Jenkins, because I only see, like, GitHub Actions, or is it just a GitHub Actions thing? Like, no.

C: No, it just so happened that the tools to write for GitHub Actions are just super easy compared to doing it first for Jenkins, which is a separate problem, which Jenkins tends to be very open, and yeah, yeah. But I think kind of some of the stuff for this group, I think, is how can we start to make some of those tools to make? And potentially this is some of the stuff that we talked about last week, for anybody who wasn't here, was like...

C: And I know I ranted on for a while. To be clear, I think it's just, everything in SLSA I think is great. I just think that there's a lot of still confusion, and somebody else, I think in the positioning group, brought up webinars. I think it might have actually been Brian Behlendorf himself who brought up webinars with the tools, like...

C: If folks have SLSA tools, maybe we can give an hour and a half webinar kind of thing and just show off, like, here is the GitHub Action, here is how folks have done it with Tekton and Tekton Chains or FRSCA or whatever, here's some of the other tools that are coming out, and something like that might prove to be useful.
E: I just have more kind of a landscape question, because I'm interested in this topic, because I actually listened to some of the earlier supply chain videos back in 2021 and 22. One thing actually I think he said is SLSA is actually a kind of implementation of in-toto. So I just want to understand that, and also between the two of, used by SLSA and used by, like, S2C2F, what's the differences, and is there like a documentation on those?

C: Okay, so Aditya and Tom, who's on this call, wrote a blog on in-toto and SLSA and sort of where the, trying to help folks better understand.

C: The idea here is SLSA is a set of requirements, and then the SLSA provenance is a type of in-toto statement, or sorry, a type of in-toto predicate, which is used in an in-toto statement. Tom, do you wanna?

F: Yeah, yes, so, right, so the thrust of the blog post is basically that SLSA provenance and SLSA VSAs are just two types of in-toto predicates, and that in-toto predicates in in-toto attestations can be used to express many more things about your software supply chain that you might care to track.

F: This was not meant to say, like, these things cannot eventually be in the domain of SLSA. I know that SLSA has ideas on, like, new tracks that cover other things, and I think that our hope on the in-toto attestation side is that the new data required to implement those tracks can be encoded in in-toto attestations.

C: Yeah, and if anything after that is still maybe not clear, feel free to provide that feedback, because obviously as we continue on we're going to want to update documentation, create new blog articles and so on, to make the distinction clearer as well, which is like, in-toto is a project that SLSA uses to provide that provenance as well as other things like the VSA.

E: Yeah, and of course, that I know there was a discussion about SLSA versus S2C2F and about tooling. I guess that it's got to be part of it.

C: Yep, but yeah, that was a good question. It's one that we got a lot, which is why Aditya and Tom wrote up that article.

C: All right, any other topics? Otherwise I have a smaller thing.
C: All right, so I know, based on the last couple of weeks, some of our conversations, I wrote up an open source tool for generating SLSA provenance, as well as sort of doing a bunch of different things with SLSA provenance, called Specter. And there's some stuff in here which I'm hoping can, it's open source, so, depending on how things go, maybe we'll try and contribute it back to the OpenSSF if folks find interest in it. But there's some additional features that I added in there, and this is, as a reminder, this tool is not like a tool...

C: That's necessarily intended to be like, it's not a build tool directly. It is a tool for helping sort of build the build tools and other things. Hasn't been an official release yet. It's all written in Rust, so for folks who know Rust and that kind of thing, but there's some stuff in here, and the UI/UX stuff is still going to be worked on quite a bit.

C: One thing I will say is Rust can be quite slow to compile. So I can generate from the sort of structs within Rust here...

C: There we go. I can have an in-toto statement, I could have a bunch of stuff in it, I can have a provenance statement, I can have information about the predicates and all this stuff. These are all structs in here, using this Rust library that I'm using called, was it, schemars? It lets me sort of take those and generate JSON schema out of it.

C: Right, I can now generate Rust code out of the JSON schema as well. It's not exactly a one-to-one mapping, where it's not even, rather, I shouldn't say it's like, it's not invertible exactly. It generates slightly different Rust and JSON schema going in and going out, but I think the general thing here is one of the big questions that folks had is like, hey, is there stuff to help me kind of figure out how to implement the SLSA stuff a little bit easier?

C: Is there stuff that can help me generate code for it? Is there stuff that can, like, I require a JSON spec, or I require protobufs, and so on and so forth. And I know that we have some official protobufs and we have a few, some code and so on, but the idea here is to have something like this be able to generate back and forth. It could be SLSA today, you could do SBOMs tomorrow.

C: It doesn't necessarily need to be tied directly into SLSA, but the idea here being making it super simple to sort of validate, as well as, validate, then I showed off the validation a bit last week where I can go and take one of these documents, validate them, and then it'll come back with, yes, this is a valid SLSA document, or no, it's not a valid SLSA document. And it does, like, as I kind of brought up also last week, it doesn't...

C: It has some semantic understanding of the types as well. So the idea would be: is this an actual hash of the right length and the right size and the right, yeah? If not, hey, it's not a valid hash. Is this actually valid base64 encoded content?

C: If it's not, like, don't claim it's a valid SLSA document. And then eventually the idea would also be to be a verifier that can go out to the various URLs, verify that the content is correct or whatever, based on some of those things. So yeah, that's really about it. There's some, feel free to...
F: So I guess, as one of the in-toto attestation maintainers, I'm interested in where you see this going. Like, we've recently been putting some effort into defining protobufs for the various in-toto predicates and doing code generation for those things for Go and Java and Python, and I guess it would be nice...

F: If folks could settle on sort of like one way to do it, but perhaps that's being overly, overly...

C: Yeah, no, I hear you, and I think it's the thing, at least for the foreseeable future, I think what you're gonna see is, because I know that there's also plugins, for example, for protobufs that allow you to, let's say, introduce constraints into a protobuf beyond just, like, this is a string. That kind of thing, you can say, like, well, this is a string that should be of length this, that meets this regular expression or whatever. So I do think that on that end, I think, at least in the short term...

C: We just need to be relatively flexible with, while still telling folks, like, look, this is the canonical way of doing it. We're going to provide some tools to help you out, because a lot of folks are going to come in and say, hey, all of my stuff uses JSON schema, so if you can't provide me a JSON schema... And you go, okay, great, well, we can probably do a JSON schema, but we're going to tell you right now...

F: Yeah, and maybe really the important part is not, like, is there a canonical way to define the layout, but rather is there a canonical and authoritative validator, so that I can say, regardless of how I'm generating this thing, if I pass it through this tool, it will tell me yes, it's good, or no, it's not, and then I'm free to sort of implement that however I wish.
C: Yeah, so that's definitely one of the goals of Specter, and the reason why I chose Rust for it was specifically because of how, like, the thing I found was...

C: Actually, if you look at a lot of the SBOM tools, I found that a lot of the SBOM tools are very loose in their validation, very loose in their generation, and a lot of it is, I don't want to say caused by, but it's impacted by languages that are either dynamically typed or languages that are more loosely typed than Rust, which is very, very strictly typed and lets you sort of encode very, very complicated sets of types and constraints and all that stuff. And so I found that, like, a lot of the SBOM tools, like, when using, like, they were breaking some of the stuff in GUAC, for example. They were breaking our ingestion into GUAC, and, wait a second, hey...

C: It's actually, this field is required. These other fields are all optional. Like, there's lots of things in there that were required, optional, yeah, yeah, that were not getting caught by a lot of these other tools.

C: So that's one of the reasons why I had picked Rust for that, was to say, I get a lot of these great compile time checks, which is also why some of it can be a bit slow to compile. But there's a lot in there, and in fact, actually, let me go in and just share it, just to kind of, like, I...

C: Don't want to turn this into a, oh, here's all the things I love about Rust, but, like, if I go in and share this, if I go in and just kind of take, let's say, the in-toto statement here, everything is using a package called serde, which is a serialization/deserialization package for Rust, and I can just derive all of these different things from the structs, as long as they are, like, basic types like strings and yada yada, and that serialization/deserialization can be used to then just continue to serialize and deserialize other things. So, like, here I have something that's a subject, which is a list of, you get a list of subjects, and subjects themselves consist of a name and a digest set, and a digest set consists of these things, and as long as each of these things derives Deserialize and Serialize, it just automatically works at the end.

C: All of this stuff just kind of immediately works, and if there are certain things, for example, if I go into, let's see, is it, and now I realized that this resource descriptor should probably be in its own file, but the resource descriptor in here, you'll notice here, right, this is a base64, like, there is no default base64 encoded deserialization thing, so I had to write my own.

C: It turns out there might actually be one out there that I'll probably switch to, but here, hey, I can have this content, which is turning into some bytes, as long as it actually matches that, right. If somebody gives me a random string, in most cases that random string would probably, like, if I was using most other things, that random string would have to be checked.

C: You'd have to write a bunch of logic somewhere in there to check at runtime, like, hey, when I pull this in, check: is this a base64 encoded string? If not, throw an error, blah blah, whereas here it lets me kind of very easily keep all of this content right here. The other thing is, using tools like that, there's a tool called typify, which I started using, that's kind of out of the Oxide folks, that I integrated into this. I can generate...

C: From a JSON schema into this. I can also potentially take protobufs and I can turn them into Rust and so on. So the idea here would be, the first pass comes in here, and then we would still probably expect a human to come in and, like, make it more rigorous, but that's kind of one of the reasons why I think I chose to do it...

C: This way, was just how sort of, there's a bit of a learning curve, but once folks, like, for folks who know Rust, it's like, hey, okay, I see, this is a URL, so it uses the URL serializer/deserializer, and can sort of take care of all these things without having to do...
C
You
know,
for
example,
in
go
right
where
you
have
to
sort
of
you
get
a
lot
of
you
have
to
like
recursively
deserialize,
all
the
different
things,
whereas
here
you
can
sort
of
just
come
in
and
say,
here's
here's,
the
entire
specification
and
it'll
just
take
care
of
the
rest.
Does
that
make
sense.
C
And
then
this
because
I'm
I'm
encoding
some
of
the
semantic
information
inside
of
the
types
it
lets
me
longer
term,
make
it
also
much
easier
to
then
eventually
verify
right,
where
I
can
now
go
in
and
say
great
I
now
have
this
base64
encoded
set
of
bytes
I
can
do
something
with
it
as
part
of
a
verification.
I
have
a
set
of
URLs
that
I
know
those
URLs
are
actually
valid.
Urls
I
can
now
verify
that
those
URLs
are
resolvable
that
they
get
me.
What
I
need.
C
Cool
yeah
that
was
about
it
and
I,
think
you
know
the
other
thing
just
to
kind
of
end.
It
with
is
just
yeah
like
I.
Think
folks
are
asking
for
a
lot
more
tools
like
something
like
Specter
right.
You
know
it
could
be
in
any
language
that
you
know
doesn't
have
to
be
this,
but
just
this
idea
of
hey
how
do
I
know
I,
like
I
I
I'm,
trying
to
make
a
tool
that
that
implements
salsa
1.0?
How
do
I
know
I'm
doing
the
right
thing
is?
F
All right, yeah, one, 100%, and there's only, like, there's only so much value that, that you can get from just looking at the JSON output and, like, trying to see if it's doing everything right. So this is really, this is really nice.
C
To see, oh yeah, and one of the things I forgot to show but I'll just talk about it is, is I also included a couple of other things in here as well that makes it much easier to, to verify, like, where in the JSON also something has gone wrong, because a lot of the tools, I noticed, like, kind of just tell you, like, the first example of, like, oh, you're missing a field here.
C
This will actually go through and loop through and provides an ability to say, yeah, like, you're missing, you know, these five fields, as opposed to just, oh, you're missing this field, and it short circuits.
C
You know, because that, that, to be clear, I get that in most cases you want to short circuit during serialization/deserialization, but in, in the case of something like, hey, I'm generating SLSA documents, I want to know, like, oh, I don't want to just know that I'm missing this one field, updated, then it says, oh, you're also missing this other field. I want to know all the fields I'm missing, or all the fields that are mismatched types.
C
So it, there's a lot that needs to be done on the user experience and UI side, but the, the general gist of it is going to be, hey, here's a whole bunch of stuff, here's how to, and also hopefully hold somebody's hand throughout the whole process, so that as they kind of go through: oh, here are the fields that are missing, you're passing in a URL that, or it looks like a URL, but it's not actually a URL, and, oh, cool.
C
You know, do the five or six things that they need to do, fix it, and then, you know, it comes through and it's like, looks good, great, now. Now it's, and then also have something like a verification system in here. So are you actually generating stuff that can then be consumed by people to, to, actually, you know, verify stuff.
C
Yeah, yeah, and in fact this is, this is, that reason is exactly why, like, the, you know, for folks who are familiar with GUAC at all, the thing that we've been building with GUAC, you know, Google, ourselves, Purdue University, Citi.
C
The thing we, we very quickly realized was, like, a lot of the SBOMs we were ingesting and some of the SLSA attestations we were ingesting into GUAC weren't actually valid, right, like they, you know, because, because in order for us to pull out all that semantic value, we, we need to check the thou-shalls, you know, it's like, yes, if this is optional, it's optional, if it's required, it has to be there, because we can't possibly key off of things that don't exist, and so we ran it.
C
You know, we started running into all sorts of issues where we had to throw out, you know, we have to throw out these 5000 SBOMs because they're not actually valid to the spec, they're, they're close, they're 90% valid, but, you know, they, they, in particular, one of the common examples is it's very easy to trick one of the SBOM generators into giving you a, a hash that is not SHA-1.
C
You could just tell it, like, I want to use a SHA-256 hash, great, but SPDX and I think CycloneDX as well both require, at least right now, it's also the, the new versions, don't, I think, require one at least, and then you could have other ones in addition, but most SBOM generation tools, if you just said I want SHA-256, it just went, great, I'll just get it, give you only a SHA-256, when it needed to give you a SHA-1 plus a SHA-256.
C
And I know that's, like, super pedantic, but, like, when, when your tools, when you're saying, like, wait a second, no, no, I need to be compliant with the spec and I'm going to expect the SHA-1 everywhere because it's required, if it doesn't show up, you know, it, it leads to all sorts of issues and it leads to, you know, a lot of, like, heuristics and things that end up leading to a lot of the, the issues we see.
C
Cool, yeah, and, and I agree with that, Brandon, yeah, if they can't get the text right, I also have concerns about getting the content right, and that was also something that, you know, for folks who aren't aware: there's, there's a really good YouTube video that Ian Coldwater, Duffie and a bunch of other folks put on. Where is this, KubeCon? Let me bring this up just because I think it's, it's very valuable for folks who, it is, yeah, it's called.
C
Malicious Compliance, here, and this is one of the issues, like, when, I mean, this is not totally related to this specific thing, but I think.
C
One of the things that, that came up is, like, if you're, if you're doing only, like, a, if you're not being rigorous about a lot of things and you're just kind of looking at, you know, and this is, I think, something that helps out, like, this is one of the key use cases of SLSA here, is like.
C
If, if you can determine that the build process was okay, then you are, you have increased confidence that, by generating the, the SBOM, that somebody has not messed with the container somewhere in the middle, right, and this talk, just the, the very quick summary is, they showed that if you mess with a container and do something like remove the package database, it doesn't fail closed. It just fails open, so it'll just be like.
C
Oh, I found no packages, great, and you're, like, oh, great, so now I have an SBOM that has nothing of value in there, even though it actually has all these packages with all these vulnerabilities, and then also doing small things like removing the etc release file and some of these other things, that are messing with a file here or there, and all of a sudden it can't detect the vulnerability anymore.
C
Even though the vulnerability is still there, and, you know, you might say, well, you know, you can't expect all these tools to know everything, but at the same time you would expect those tools to be like, hey, this is weird, I'm expecting this thing to exist, it doesn't exist, I should probably say unknown or can't generate, you know, something, instead of just sort of saying, oh, it's fine, I'm going to fail open.
C
Yes, yes, Brandon, yeah, deleting the metadata from an image breaks the tool that builds metadata on the metadata, yeah, yeah, that's, and so I'm hoping, like, I, I, this is actually just, you know, I, I can't state strongly enough how much I actually like that SLSA is here, because I've actually used SLSA for my SBOM generation, in addition to the build, where I can say, I built this container and ran the SBOM generation during this step, and here's, like, you know, I took it, yeah, you know, I built this image with this.
C
Sorry, also the SBOM generation was, happened on the actual thing, you know, and obviously we want to have SBOM generation happen, and, as early on in the process as possible, like, off of the, you know, you want to have, I know that they now have the, the CISA SBOM types, which are something we need to keep, keep track of, but, like, the idea of, like, you could have an SBOM based on the, you know, the dependencies manifest, you're gonna have an SBOM that gets scanned afterwards, and, and so on, and I think both are valuable, just from what, the first one is, like, hey, what should be there, and the second one is what actually ended up there, is, is an interesting thing, anyway.
C
So for folks who'll be at Open Source Summit next week, I'll see you there. For folks who aren't going to be, I'll, definitely we'll, we'll collect a list of talks that we feel are valuable once they're uploaded on YouTube, and, yeah. So next week we'll cancel this meeting because I have a feeling a few of us are going to be over there, or we'll see. If there's interest still for, for the meeting next week, we can have it, I just won't be there. I know Frederick.
C
Anyway, otherwise, I'll see you in a couple weeks.