From YouTube: Sigstore Community Meeting - March 15, 2022
A
We're starting the recording. All right, as usual, we'll just go around and do a quick, quick update across all of the projects, give an update on the efforts around general availability of the Fulcio and Rekor services, if Asra or others want to give an update on root signing, and then we'll go to other topics. So, starting with Rekor. Lily, anything? Right, I guess Lily I don't see on. I know there's been a couple bugs, and Priya.
A
B
Yeah, I think it's mostly just that, like, for a lot of the different, like, all, pretty much all of our API calls, we need to be able to specify the tree ID. So if there are, like, inactive shards, we want to be able to get, like, log proof, log info, public key, in case those things are different across shards. So a lot of it is just adding this additional, like, tree ID parameter to each API call, so you can, like, direct it to the right place.
A
Helps if I don't put myself on mute. If folks want to go take a look at those PRs and the addition to the API, I would appreciate some more eyes on that.
A
A
Days of Rekor, we had the ability to upload a JSON document that contained URL links to public keys, signatures or artifacts that the server would go and download and then verify the content on before making an entry in the log. Long been known that, hey, we need to go clean that up due to risks around SSRF, and just in general we don't want to be in that position. So there's a patch that removes that capability across all of the different custom types, so folks want to go.
A
A
All right, on to Fulcio. So Hayden, I'm going to flip the order of these real quick. So you want to talk about the PR around cert or subjects?
D
Yeah, we've added support for two other subject types for the OIDC tokens. One would be for URI, so you can specify any URI scoped to a specific domain, and the other would be a username, where we will append a preconfigured domain to that username, and then that gets included in the certificate. This should hopefully be helpful for other ecosystems that want to run their own IdPs.
D
I created some documentation around what's currently supported for OIDC, and that's what I linked there, so feel free to go take a look at that. If you have any questions, let me know. I think one of the PRs, by the way, is still acting for usernames; that PR is not yet submitted. So the documentation is a little ahead of itself.
A
The other PR that's open on Fulcio, again, a little quick history. So originally we had started both Rekor and Fulcio to have OpenAPI specifications that were used as input to code generation tools.
A
Given that Fulcio's API surface is pretty simple, and it brought in quite a bit of dependencies and just made Fulcio a bit bloated, Matt and.
C
A
Had removed that a while back, but part of the discussion that's come out of many of the work within cosign of actually breaking apart library-specific interfaces, which would include a Fulcio client and a Rekor client, has kind of brought back this desire for maybe a simpler, cleaner interface specification that we can do codegen against that isn't, it doesn't bring along all upload. So there's a PR that actually adds that interface through gRPC. Code works on my machine, the infamous saying; doesn't pass CI for some strange reason.
C
A
Me why, why it doesn't work in a kube environment, but works just fine in Docker. I'm all, I'm welcome to any input if folks are interested to dig into that, but in general I know there's already been some good feedback in terms of tweaking the interface and how best to structure. We will leave the, at least my intent is to leave the HTTP interface and leave a RESTful endpoint for both Fulcio and Rekor, but consolidate that into a single code path as we go forward.
A
So we don't want to break pre-existing clients, but again, trying to just address the footprint issue when it.
B
A
E
Sure, yeah, we did the 1.6 release, nothing huge. Since then, there's been a ton of work in the admission controller, though I don't think Ville is here because the time shifted a little bit late. Anybody else that's been working on cosign, I want to jump.
F
It's going, yeah, we're pretty much to the first milestone, which I think basically would mean, I think, in the next week we should be able to match what the current functionality is, but using now this cluster image, cluster image policy that's been, thanks Bob, that's been added. On the VMware side, we're gonna try to scramble on that this afternoon and see what we can do to get done, and then, of course, Ville's a machine, so he's cranking out new details every day.
A
Not esket, I know there was a roadmap published that was in last week's notes. I'll copy that back just for awareness, but I don't know if there's any updates on that. I'm not aware of anything. That's what's happened in nascar land. Dan shaking his head no. So all right, so Priya, Hayden, I guess either of you would like to give an update on kind of where we stay on GA?
B
Yeah, for sure. So Nathan got the pen test environment, I've been running last week for our security audit, so they will have a report ready on the 28th. They gave, like, a quick update on Friday and they were like, oh, we've been looking at the code.
B
I haven't found anything major yet, so that's good to hear, but they still have two weeks, so we'll see what happens with that. Other than that, Carlos and Kenny released Fulcio 0.2 yesterday, so we are probably going to try deploying it to the pentest environment and then deploying it to production to make sure it kind of works as expected.
B
Hopefully once, if that goes well, we can start thinking about the 1.0 for Fulcio. After that, can he set up releasing and have action across a few projects in general. I think Adolfo's gonna work on, he's been working on automating IAM permissions to the production GCP project, and I think all that Terraform code is, like, finally ready to be deployed sometime today or tomorrow, and also working on.
B
We have a lot of Terraform in for a staging environment, so I think we're gonna start working on automating deploying to the staging environment now. So a lot of behind-the-scenes stuff going on, and it's all starting to come together.
B
A
Sure, that'll come back up here in a second, but okay, root signing. We did, last meeting we did a final call for volunteers, so we've tabulated that final list. Luke and Dan and I will meet with Marina and Santiago, the other key holders, and make that a decision tomorrow-ish, and then we'll notify out to the community. Sorry.
B
A
Didn't finish writing that sentence. Right, notify the community of who's been selected. Asra, do you want to give any update in terms of the timeline of, once we make that announcement, what folks should expect?
E
Yeah, so we are currently working on.
E
Thank you to everyone who's helping revamping some scripts for the v2 to v3 update, adding in, like, whatever we can to make verification, like, easier and the scripts cleaner. And so the key holder, we probably need to do a couple practice runs just to make sure the key holder's environment is set up, so expect, like, a root signing event to actually happen within, like, v2 or within two weeks of that. And if you are interested in, like, you know, looking at scripts and have, like, some idea of TUF, feel free to, like, check out.
E
What's going on at root signing, or there are lots of links to, like, my own repository, where we're doing the testing over there, and I, like, lots of things would help. Like, creating GitHub Actions to do more testing would help, so feel free to reach out to me if you want to do stuff like that.
C
C
A
C
Yeah, I should have put my name on it. I'm sorry! Yes, so I got asked today by rupert james maintainer, whether there was a sort of a blessed environment.
E
C
A
I would say at the moment the correct answer is the production instance is just fine. I guess Priya, I don't know if you want to talk about kind of the end outcome in terms of, we are building in a proper progression from dev to staging to prod and gates, and, you know, typical GitOps patterns there, but I don't know if you want to talk a little bit more to that, for you.
B
But if people are interested in setting up their own staging environment, the long-term plan for all the Terraform code we've been writing is to make the Terraform module for setting up sigstore public, and then people can kind of just, like, put in their own values for their own project and theoretically, like, deploy their own sigstore pretty easily.
B
That is kind of a longer-term thing. We don't really have an expected timeline on that, on when that would be made public, but, like, eventually that is the goal. So it kind of depends on if people are okay to use the staging environment themselves, which would happen sooner, or if they really want to set it up themselves, which would probably take longer.
A
Yeah, I think, as a, it's a good reminder as well to, when we do get to a GA point of view, we need, we probably need to have more explicit documentation around intended use of different endpoints that exist across the different services. So that's maybe a good thing to double check that we've got in the productization log.
A
All right, second bolt is mine. The OpenSSF/sigstore TAC has purchased a booth for sigstore at KubeCon EU in Valencia. So more of an FYI of the same presence that we had in LA at the last KubeCon. We intend to rinse and repeat, so as we get closer to the event, we'll be looking for any volunteers that might happen to be in attendance. We'd love to just meet you in person.
A
If you're willing to sign up for a little bit of booth duty here and there just to talk to folks. I think we had some really good conversations, met many of you in LA, but hope to meet many more of you at various events as the world gets back to semi-normal. Some more to come on that. Asra.
E
Yeah, so, amongst others, like, Hayden and Zach and I have, like, constantly, like, it's kind of come up a handful of times, and Hayden's also, like, been doing a lot of reading on GDPR and stuff like that, and so I think I'm just gonna start a doc and share it out, maybe in Slack soon, and so if you're interested also reach out to me there. Mostly around, like, concerns of, like, okay, if we have, like, an entry on the log that needs to be redacted, like, what do we do, and I don't think I have a solution for it.
A
I will note that we have had renewed conversations with legal at the LF around this specific topic, so you'll see shortly a PR being pushed up to cosign with an explicit consent prompt for, you are uploading information with PII per the EU, because an email address is considered personally identifiable information. So we'll be adding that, and we're also trying to figure out what the right things to do in terms of Fulcio and Rekor there are from that perspective, so more to come.
A
F
I'm pretty sure my teammate won't volunteer, but I have Denny long on from VMware has just hopped on to work with Kavitha and myself to help out. Say hi, Denny.
D
A
Awesome, good to meet, good to meet everybody. All right.