From YouTube: Supply Chain Integrity WG (July 12, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
A: The SLSA positioning meeting notes is an owner's trash. What.

A: I know some of the Google Docs were going into an OpenSSF, like, Google share or something, so I'm wondering if that's what it is.

A: Oh, silly me. Yeah, I'm in the really old one. It's also positioning. I typed in "positioning" in my tab, in my search bar, and that's the one that came up first. So, okay.

A: Okay, so.

A: Was anybody at the TAC meeting yesterday? I think it went well for the SCI working group, so if someone's able to give an update, that would be great, because that recording probably won't be out for at least a week. Maybe.

E: Yeah, I wasn't there. I didn't read the... I did read the notes, and a few of the other folks who were there largely said, like, the Supply Chain Integrity stuff is good. I think the... which is one of the comments I had heard from folks, but it's tangential purely to this, is they're like, there's so much stuff in the OpenSSF now that it's really hard to sort of, like, know, like, wait.

E: A second, like, what is the Supply Chain Integrity working group working on that makes it different than, you know, the Securing Critical Projects working group, or, you know, some of that stuff? Which I think is more of, like, a TAC problem and a general OpenSSF problem than our problem. Yeah.

A: There's an anonymous wombat and then Anonymous Goose, so yeah, I think I tried to read through the notes, but it didn't really say anything. It just said, you know, the SCI working group presentation or update, and then I gave a link to the slides, which we read ahead of time. So I was curious about any of the conversations that were happening live that weren't necessarily captured. But it seems like, you know, they weren't anti what we're doing; otherwise I think it would have been documented. But I do think.

A: There's some working groups that have things like the supply chain attack framework, right. Why is that in a different working group? Or why isn't that in the SCI working group, right? So that's something that I've been noticing, like, okay, well, there's a whole other group that has supply chain attack frameworks, and there was something else that they created that said supply chain. So why not put it under the bigger umbrella of Supply Chain Integrity?

E: Or, yeah, I was actually looking to maybe get a call with Omkar just to kind of, like, you know... This is just more of, like, from a personal standpoint, of like, hey, you know, as somebody who does a lot of stuff in the OpenSSF, here's just some general thoughts, here's some things I'm seeing, and just wanted to highlight some of that. But yeah, I think the main things are great, which I think is something I'm hoping comes down here, is like, right.

E: You know, we want to have autonomy. I actually watched a really interesting video about this, about Spotify's culture, and the idea here is you want to give, like, at a high level... We want, from the TAC and OpenSSF itself, we want the vision, but we want autonomy on how to get there.

E: You know, as opposed to, you know, having, like, being told exactly what to do or whatever. But, like, we want to make sure stuff is aligned and all that good stuff. And so I think that's super valuable, and then also better understanding of, like, great, what? What is that?

E: Like, we would want, at some level, the TAC to help us define our scope. Right, like, we want to define our own scope, but we want the TAC to at least say, hey, there's a little bit of overlap here with this other group, and that makes sense, just stay coordinated with that group. Right, like, that would be super valuable, because, you know, as we've found multiple times before, we found, like, somebody starts doing some sort of threat model and we're like, wait a second.

A: That makes sense. Yeah, yeah, I can never make those meetings because it literally conflicts every two weeks with a showcase meeting that we have for our sprints. So any last thoughts on the TAC update?

A: Okay, so what I was thinking, folks, was to go through... I know the TAC sign-off. We could probably update it with the meeting notes from today.

A: I would like to talk more about the videos and what we want to put in there. Mike and I talked to Jennifer Bligh, and, you know, although they don't have somebody, you know, deeply skilled in video editing, they have some folks that have, you know, some stuff, or maybe could pick up things quickly.

A: So it's not super polished, but it's better than us doing a screen share, right, and recording that and sending it off. So we need to start thinking about what we want. I know "Institutional trust is not enough" - that was Marcella that wanted to work through that - but I'm not opposed to providing feedback for either of these. So what are people's thoughts on that?

E: Yeah, I mean, I think, you know, most of my feedback is the same feedback I sort of gave in that meeting, which is just, like, hey.

E: Definitely, we should have some of these things. I know a lot of folks are asking for something like some webinars, because I think there's, like, a little bit of, beyond the deep dive and SLSA, like, a lot of folks are asking for stuff. Like, they're really asking for things like, what is SLSA? Okay, now that I know what SLSA is, is it something I care about? If it is something I care about, where do I get started? And I think, for a lot of folks...

E: I think over time, like, there's a separate problem in some of the things that I think we had discussed as well, which is working on SLSA. Like, a lot of folks... There's not a lot of tools out there yet, right, and so a lot of folks are like, great, but how do I do this on Jenkins, right? And the problem here is, like, you know, getting a bunch of volunteers to go and do a bunch of work on a thing that maybe they don't necessarily really...

E: You know, we're all volunteers here, and so if it's somebody who's an expert in Jenkins and has been doing this, they're like, oh yeah, we want to open source that guide or whatever. But for folks who are not using Jenkins, they're gonna be like, yeah, it's not really...

E: You know, something I'm super focused on. So I think that's, like, another concern, is just how do you get folks who are like, yeah, I want to write an implementation guide, but a lot of the feedback we got is in stuff that I do not want to make an implementation guide for.

A: My, my password... so I'm gonna try to remember stuff that you said. So one is, you know, was it, I remember hearing, why do I care about SLSA, right?

E: Yeah, yeah, so, well, there's a little bit of, why do I care about SLSA? So that's one thing, and then how do I get started, right? Like, yeah, you know, a basic implementation guide. But then that second piece, what makes that a little complicated, is everybody has different needs for their build and their secure build, and so a lot of folks are asking stuff like, hey, I use Jenkins.

E: How do I do this? And the problem that we found is, even though a lot of folks are asking for, oh, we'd love to have a SLSA implementation guide for something like Jenkins, you know, or, you know, TeamCity, great, who's going to do that, right? Like, a lot of folks right now are, you know... if there is somebody in the community who's an expert in Jenkins and would be willing to do that, right?

E: If I, you know, if I write an implementation guide on Jenkins, I'm not doing this other thing, and I'd much rather be doing this other thing. So that's kind of where some of the other stuff has come in, of like, how do we also get the industry to come in and say, look, maybe we talk to the CloudBees folks and say, hey, CloudBees, you know, SLSA is growing in size, yeah, yeah, we'd love to get something like a Jenkins implementation guide for SLSA, because, you know, some of the existing members...

E: Just don't have the time to focus on it, or don't have the expertise in Jenkins, you know, to do that work.

A: Okay, now that makes sense, but we can start with GitHub Actions, right?

A: Yeah, I want to, like... I, yeah, I completely get that, because we don't use GitHub Actions internally. But maybe, while we're trying to get those people to help, we can get started with the other stuff, and then maybe by the time we publish those, then we can publish the Jenkins or TeamCity or Tekton. I mean, we can put a call out internally, right, at IBM or, you know, wherever: hey, is anybody interested in showing this off?

A: So we could potentially do it internally. We can do, like, LinkedIn. We can do any Slack channel on OpenSSF to say, hey, who's interested in showing this off? And then we set up a meeting with them to see if it's truly what we think it is, right. We need to make sure they're conforming to 1.0 and not 0.1, right. So I don't know, thoughts on the...

A: This is really like a 2 to a 2a. So there's a "How do you get started?" "These are the use cases." "Why do I care about SLSA?" What else?

E: So I think that might be interesting, because that's actually something that CNCF does a lot with their... like, people will often record videos, usually for stuff like KubeCon, of, like, what are the latest new features or whatever, or, like, hey, here's a new project, and what is the scope of our project? What is our goals? At a kind of, like, you know...

E: They show it during the keynotes, but I think something like that also would be super valuable, just to kind of have on YouTube as, like, you know, for folks who are, you know, hey, once again, not reading or whatever, or just, you know, like, where do I get started? You know, what do you guys do? Oh, okay, cool! You know! Here's that! Here's a, you know, a short three-minute YouTube video of, like, you know, the SCI working group.

A: Okay, yeah, and then, okay, so I'll create a different ticket for that, because that'll be kind of like a precursor to the "You know, why do I care about SLSA."

A: So what else? In terms of, because the use cases... What we want to be careful of is the videos not being too long. So are we gonna have to break it up into different stages? It's like, yes, there's a "how to get started", but maybe there's a "how to get started" a, b and c for each of these. So just try to make sure that we again think of the micro video concept. So can we condense the "how to get started" in five minutes? I'm not sure that we can.

E: Yeah, it was... there was... oh, she's... now I'm forgetting as well.

E: No, I think it was under... it's a terminology, no.

E: It is sort of like the infrastructure provider, but I think there's going to be... so actually, because this is actually something that came up a few times in some of the conversations, is that, like, there is some overlap between producer and the infrastructure provider. Because one of the problems is, like, hey, if you have a company that's not going to be using a service, like, so they're not going to be using GitHub Actions, they're going to be using their own thing, then they are both producer and infrastructure provider.

E: Unless, you know, depending on, you know, who owns the stuff internally. You know, you might have a different department owns the build tool itself and another team owns the usage of the build tool. But I do think, actually, at some level, actually now that I think about it, the infrastructure provider, because the infrastructure provider is going, in our context, right, I believe, is not just purely the person, you know. So.

E: The producer in this context is the person who is writing the code and wants to use a SLSA build, right. So they would go and say, okay, I'm using GitHub Actions, and GitHub Actions is also conformant, so I get to just sort of use that and I get SLSA provenance, right. So for the producer, there's not a lot of stuff there.

E: The problem comes when you have a producer who also runs their own build system, right. So I think that's kind of where it is, where I wouldn't focus right now, at least, on the infrastructure provider, who is the, like, okay, you're running, you know, you're trying to develop a SLSA build tool as a service. Like, I don't think we need to focus too much on that, but I do think we need to reach out to folks on, hey, if you are, you know, running a build...

E: This is what a simple build looks like, you know, at the high level, of, like, you should be securing your build system, whether it is Jenkins or TeamCity or GitHub Actions or whatever, and you should be doing these things, and then you should be generating this data. And that's kind of... because, yeah, it's gonna be super easy if it's just a GitHub Actions thing, right, because then we could just say, yeah, you use GitHub Actions, you use this thing, and you're fine.

A: Right now we know we can do a SLSA build with GitHub Actions, right, but we can't just go implement Jenkins and say, yeah, we can do a SLSA build with Jenkins. I don't think there is a configuration or template of some sort that says, if you use this, you're good. I think we still have to create that. Not us, but in...

E: General, yes, yes, yeah, the industry, or... and so this is something that I was hoping to get out in the next couple of weeks, but it might be a little longer now. So I'm working on a tool which I plan to open source that would just sort of work with whatever CI tool, right, which would split up CI between CI and the build. So you would have Jenkins still do the CI, but you wouldn't have Jenkins do the build.

E: Oh, sorry, go ahead. Oh, so yeah, because I think the thing that... I think one of the key things that I think kind of comes out of a lot of the issues with why SLSA is maybe a little bit more complicated for certain ecosystems than it is for others, is because everybody just sort of loads everything into just purely the CI. And like, okay, my, you know, I can't move off of Jenkins, because my CI system, you know, downloads the source code, scans it, does all these security things.

E: So that's one of the key goals I have, and I'm mostly done with something. And it's also mostly done with something that would allow folks to plug in what they feel is comfortable, whether or not they plug in a container-based build, or they plug in a, you know, secure enclave, you know, Intel SGX, you know, super secure build, or they plug in, you know, just a VM or a process or whatever.

E: So that's something I'm working on, and hoping to get at least a beta or a demo version of it out in the, you know, coming weeks, once I'm able to type again.

E: Yeah, thanks, thanks. And, you know, this is something that I just, like, I don't want to over-index on this thing, but one of the things that I'm doing with it is it's all an OpenAPI specification, which would allow folks to then just write their own plugins for that thing as they see fit.

E: So if they're like, hey, I want to add this new, even more secure build, great. SLSA consists of source and dependencies as inputs, and the output is one or more artifacts and a SLSA attestation, plus other things like an SBOM or whatever. But those are the things, great. As long as I have an API, like, as long as you sort of do that, you are now SLSA, right, and then it becomes whatever.

E: That thing is, is that doing all the right things from a security perspective? And then that's more on the actual consumer to say, yep, I trust this, but not that.

A: Okay, yeah, that would be really cool to see, so definitely keep us updated once it goes live. The only concern I think I have is, and this isn't necessarily for, like, the open source maintainers, but if you're calling a secure builder...

E: But I think that's worthwhile to sort of say, is, like, hey, it's up to you to do two things. One... I don't know, my headphones just died.

E: So yeah, I think it does two things. One is you need to sort of figure out, like, if you use a service or something like that, you need to trust... you know, which service do I trust for when I'm producing? This is both from a producer and a consumer standpoint. And then, in addition, you need to trust whether or not, like, you know, especially with some of the claims of, like, hey, I ran this using the GitHub Actions builder, great, well, when I consume it...

E: Even though it's SLSA, I don't trust it, you know, or whatever, right. I think those are two things that need to be done. And then I think, from the end of, like, the thing I'm building as well, is, like, yeah, different folks are gonna say different things, right, where, like... and I think that's kind of why.

E: When thinking about the build, if we can kind of keep it super small and say, I have a very tiny API that's sort of like a Jenkins itself, but all it can do is run SLSA builds. So you don't have to worry about, like, well, you misconfigured it, and so it's not SLSA anymore. It's like, nope, it can only be SLSA because it's only configured to do SLSA. So if you tell it to do something other than SLSA, it just won't work. And I think that sort of thing, you know, you go in...

E: You say, great, now, if I trust that you're running that infrastructure correctly and you're not lying to me, right. Because anybody could lie that, you know, yeah, I'm using the GitHub Actions provider. Are you really, or are you using something that looks like it, right? There's lots of ways to sort of, you know... and depending on, you know, that's where some of the other trust stuff, like the... anyway, never mind, yeah, yeah.

A: I know there's the institutional trust stuff that Marcelo was talking about, so we might have a different set of videos about trust, right, and so we can handle all that. But at least, you know, we might say, okay, for this demo or this video, you have to assume trust of the secure builder. If we're gonna use your ci2, which I feel like by the time we do release this video it'll be available, so that we could show something like this off. But yeah, so yeah, this is good content.

A: What about the verifier persona? I guess you would assume that they have received a, you know, software package slash product slash project, right?

E: We might wanna, like, at a very, very high level, just sort of say, yeah, there's also going to be VSA, which is intended to be for, you know, consuming elements of, you know, like... without getting into too many details, because I do think that VSA is a whole other set of things that take some time to rock. And the other problem, too, is most tools right now don't support the VSA.

A: So that could be a different video. Then we don't want to confuse people with VSA, like, oh, they talked about this, but they didn't show it. So we could just focus on the SLSA provenance.

E: So the VSA would be an in-toto attestation, yeah. That's the way it's set up right now. What do they call it, 86 or whatever, but it's, yeah, an in-toto attestation.

E: That's also in-toto, and I think the thing that's worth highlighting, at least on a high level, is we don't require that people use purely in-toto attestations. But given that it's essentially the de facto, because it's what we've been using, that's sort of where folks have been focused on. But, like, I think it's worth at least highlighting to certain folks, like, especially if you have large organizations that are like, look, I'm not distributing my SLSA provenance, I'm only including all my SLSA provenance internally, and I'm...

E: I think that's worthwhile, at least highlighting that, you know, because I think in the documentation we specifically say, like, we highly suggest in-toto, just because it's the one that we're building all the tooling around in the open source space. But there's nothing that stops you from using whatever you want, especially for internal use cases and those sorts of things.

E: In our case, it just so happens that the Sigstore tooling works really well with in-toto, where you could just sort of say, here's an in-toto document, Sigstore, sign it, and it understands how to sign in-toto statements and turn them into what's referred to as DSSE envelopes, where a DSSE envelope is just the signature plus the actual in-toto attestation. And so you can think of it as just a wrapper around the in-toto statement. And then the in-toto statement consists of a header, which is just, what is this in-toto statement about, right?

E: What is the subject? So in the case of SLSA and VSA, it would be like, here is the thing, you know, here's the artifact and the hash of the artifact that I'm talking about. And then the predicate. In this case the predicate would be either VSA or SLSA, which then has... that is itself, like, a specification around, okay, here are the keys and values, or the fields of the document, of the metadata that I'm actually expressing.

A: Okay, and the reason why I ask this is because we can do, like, a highlight of OpenSSF projects to do the verification, right. And so we can do a quick, like, okay, here's Sigstore, here's in-toto, and then we have SLSA provenance, right. So we can show, like, these are the three technologies that are hooked in together to be able to do the verifier. So that could be kind of the opening, and then you go into the actual use case scenario.

A: So that brings me to another point that we want to do. We want to do this one. It definitely is, you know, SLSA, right, but there's nothing else in here, right, other than SLSA.

E: Yeah, you know, obviously, depending, I might want to contribute whatever I'm building to OpenSSF long term, but at least for right...

E: I don't want to, like, get into that when it's just, you know... But I think also, maybe something as a follow-on from this as well is maybe to do something like a "SLSA the hard way".

E: So let's just assume for a second I do not have any builder. I do not have anything. I'm building locally, right. How would I still sort of generate that same provenance, and how would I still generate it, let's just say for a second here, completely manually? So that somebody who's reading through this goes and understands the concepts of, like, oh, okay, you're filling out the information in this document, then you're signing that document, and then you're moving that document. So if I'm building my own tool, I would need to do those things.

E: I would need to pull in information about the dependencies, pull in information about the source, pull in information about the build command, and then run that in a secure way, right. And we're not going to talk about how that necessarily gets run, outside of, like, here's maybe a shell script just to kind of show you, here's it actually running. And then I sign that document, and then I publish that document. So somebody who's reading through this can go and understand, okay, if I want to build this myself for, you know, internal CI tool X.

A: Yeah, so that could be "how do I get started, advanced": basically you're rolling up your sleeves and doing it all on your own. Okay, so I've copied that, and I came back up here, because I was thinking, well, if it's just SLSA in this part, and again, if we can have your CI tool, we can mention it as well.

A: If there's not enough for the opening, we can also talk about the mobilization plan and why it's also... or link back to the "why do I care", right. But I do think we should have, like, an opening, highlighting something at the beginning to set the stage of why or what we're going to be talking about. Okay. So any other thoughts from folks on these two before we move on to consumer?

C: No, one thing I wanted to interject on, Melba, is, you know, you keep saying, oh, are we going to put that in a different video? A lot. I think you should kind of postpone this decision process. Look at the kind of things you want to touch on, and then maybe it's part of the editing afterwards.

A: Yeah, no, no, that's fair. Yeah, I think we're definitely trying to keep it to, like, three to five minutes. We want these to be micro videos. So I think, yeah, I think some things we can say, yeah, this has to be a different video. But, you know, you're right, like, some of this stuff right here we may not even be able to get in three to five.

E: One of the things that has been suggested to me, now that I'm also mostly done with a book on supply chain security and the folks who came out with marketing have been asking me to do some stuff.

E: So you end up with both the long-form content for folks who want to have it, as well as the short-form content there, so that, you know, you get it in multiple different ways. Where it's like, okay, yeah, for the folks who just want a bite-size thing, great, here it is. For folks who want the full blast of, like, here's an hour-long webinar on SLSA, you can also consume it, and we don't have to, let's say, remake the content each time. We just maybe need to...

E: I think that sort of thing is, from a lot of, you know... so we don't have to repeat ourselves, and...

A: Yeah, that's a good point. I'm wondering, given time, right... I know time is an issue if there's, like, an hour-long video, and I don't know that we even have time to do an hour-long video, right. We have three minutes, like, okay, let's just do this little piece, three minutes, but to, like, set up the whole thing...

A: If we can do it in one go and slice it up, great, but I'm cautious that we may not even be able to allocate that much time to doing the full, you know, long-form content. We could probably put the chunks together in some way, but I think that's my only concern, yeah.

C: I like your idea. I'm also a bit concerned about, you know, I don't know who's got the editing skills to do that, and that it ends up, you know, pretty good.

E: Yeah, and I think this is highly based off our conversation with Jennifer, is like, if OpenSSF could provide us with some shares, then it might be much easier, yeah. And in fact, I think I probably wanna, if we could get an editor, run the idea by an editor and say, hey, we would love to sort of record this in some way where we could reuse some of the content in different places, and what's the best way to do that, yeah.

A: Yeah, we spoke with Jennifer last week. They're trying to hire a more advanced video editing person. They're even thinking about, you know, subcontracting out to do some of this stuff, including, like, webinars. But we told them we don't need things to be super polished. We just need it to be better than us doing a screen share, and so she thinks that they would be able to help.

A: So if we provide, like, the script, right, if we provide some, you know, some guidance, they could work with us. But we first have to figure out what we want to talk about, and then she can get together with us and that person that she has in mind, to do some of the preliminary stuff to see if it'll work. So yeah, we're definitely not going to be video editing, at least I'm not, at all.

A: Yeah, and as I posted... I posted this because I didn't want to lose... sometimes GitHub resets or something on me and then I lose everything that I typed up, so I posted it so as not to lose it. And Josh said, "I thought about this, but I understand why we need to postpone it. You know, should we focus on infrastructure-provider-centric messaging? To start, it's the ideal path to adoption, is enabling a feature your existing tooling and infrastructure has implemented." So, thoughts on that?

B: Okay, so this is a, let me quote, the plus one: some acting random are.

A: Writing this right, I like this idea.

A: Okay, what about consumer?

E: Well, so this kind of ties back into a little bit of the infrastructure provider, in, like, the verifier at some level is the verifying tool, and so that might also be different depending on the... there's a lot of overlap here, right, because the same thing was sort of like infrastructure provider and producer, right.

E: Those two are potentially linked, because the producer says, hey, I want to provide SLSA attestations, so I'm gonna either build infrastructure or use an infrastructure provider who can provide SLSA attestations. And then a consumer is going to say, hey, I want to use SLSA... I mean, I want to use SLSA-backed software, so I'm going to go and pick either a verification service or a verification tool, most likely, you know, to sort of do that verification.

D: Yeah, so the consumer role itself is very... it's awkwardly defined, because it's the part... Reading the description, we've got "a party that uses software provided by producer; may verify provenance for the software they consume; we delegate" yada yada. Whereas the verifier's saying, in the sample case, it's talking about a business software ingestion system. And when I see that, I'm thinking, okay, that kind of fits it on that one side to me when I look at that example, but...

A: New project, right? Think of a brand-new project. It doesn't have anything, right. The source is all custom. It's not relying on anything outside, right. That is the producer creating that software. So if it doesn't have any outside dependencies or any projects, this whole process could be the producer doing this to generate that new software.

A: Yeah, I think the reason why it's drawn this way is because, in theory, you should pull your dependencies during build, not necessarily from the internet, but you shouldn't necessarily have to have your dependencies in the source file. Sure, but you wouldn't actually have that code or that package until build time. I think that's why it's built this way, but...

D: Yeah, we've tried for the Sterling toolchain to make this just a linear picture, and I like this one a lot better, that it's showing that it's circular, it's showing where the dependencies actually get pulled in. It feels like a much better representation of what really happens.

C: I can always... and the thing is, the consumer and the verifier are not often, you know, exclusive, right. It's often the same as the consumer. You want the consumer to act as the verifier, or as part of the consumption of the artifacts they want to use. And so I think what I would want to say... but the consumer is mostly already addressed in the verifier part.

A: So yeah, okay! Well, thanks, folks. If you want to comment on not only the deep dive, but there's also the institutional trust one, feel free to start commenting on what you think we can talk about.