From YouTube: Sigstore Community Meeting - April 6, 2021
A: Excuse me, I just made a bit of a hash of this. Right, so first topic: we discussed extending the meeting length, because it's been a few times now that we go for 30 minutes and still had sort of pending items. So there was a brief discussion around whether we should extend to 45 or an hour, or we could even keep the latter part for a breakout session if need be.

A: A suggestion I could make, though I'm not strongly fixed to any particular idea, is we could go for 45 for the normal meeting, and then there's a final 15 for folks that want to overflow and go into some sort of breakout session. But I'm really open here; I'd rather this be a community decision.

A: Yeah, that's a good idea. So everybody can come in for the 30 minutes and get up to speed with the meeting, and then, rather than cut short folks that are diving into a particular topic, they can go on for a bit longer. Okay, great. Does that sound good? Anybody have any objections or other ideas? If not, I'll extend the meeting and we'll do that for next week.

A: Cool, yeah, done. Okay, so office hours. Dan, I saw that you booked some office hours; I haven't managed to pull out the times yet, so if you want to just whack those into the document.

A: Good question, yeah. Office hours is something Dan came up with the idea for, so I'll let him explain.
B: It's just what it sounds like: some maintainers will just be hanging out in the call to work on stuff, help people get on board, answer questions, anything like that. We're trying to do it every week or so.

A: It's just an open forum really for people to sort of find a place in the community and ask how things work.

A: Great, okay, so help needed. I don't know if we have anything particular there. There is one issue that I created; I can't link to it, I don't have it to hand, but anybody can ping me on Slack and I'll point you to it. We need to implement a version flag on all of the clients. Cosign already has one, but all of the clients will need a version flag, and the servers as well, Fulcio and Rekor.
A: So the idea is, version obviously gives you the version, pretty much a no-brainer, but it's useful if somebody opens an issue: they can say I was using version 1.2, Go version 1.16, etc., some basic details. Cosign will give you the example; I think it uses the git tag as well and stuff like that, so they can then open an issue with that. And likewise, if, or I should say when, there is a security advisory and people need to understand, are they affected? How do they upgrade? The version flag is really useful then. So you can say, if you're between this release and this release you're affected and you need to upgrade, and then they can use the version flag to find out exactly where they stand. So that's probably a good first issue for folks, because you should be able to pretty much copy the implementation in cosign and just move that into the other projects: Fulcio, Rekor, some of them, such as the RubyGems one.

B: No, I've just scrubbed the list, not off the top of my head.

A: No worries. Okay, so, Discourse versus GitHub Discussions. Let me frame this: we've discussed putting up a forum. Now this won't be so much for development discussions; there we can review code in PRs, we have issues. This will be more oriented towards end users: I ran the command, it didn't work; I tried to install it, it wouldn't work; this sort of stuff, essentially. So eventually, when we do go live, and you know, we expect a lot of adoption, there's going to be a lot of.
A: So I emailed the Linux Foundation to request an SMTP server and they said, why aren't you using GitHub Discussions? My opinion was, I don't really like them so much, but I thought I should bring it to the community to see what your thoughts were. Some people might feel Discussions are okay; I kind of prefer not, for the simple reason that I don't really want generic user issues mixed in with development pull requests and so forth.

C: Yeah, I mean, I'll just give you our experience: at Smallstep we use GitHub Discussions for our open source. I would say those are two different channels; that's the way we look at it. We're also trying to meet users where they are, and chat is different than GitHub Discussions. Chat is more synchronous, and I think there's more back and forth than you get in Discussions.

C: We do like Discussions, though. One nice thing about Discussions is it can actually make it easier to segment the development stuff, because what we see is people will open issues like, I tried to run it and it didn't run, which really shouldn't be an issue, it's a support request, but they use issues for that. One nice thing is GitHub makes it really easy for you to convert back and forth.

C: So you don't have to close it won't-fix; you can say, well, this should really be a discussion, so I'm converting it, and then you can support there. The problem with that is you increase the support burden, because now you're supporting people in multiple places.

C: Other benefit, by the way, is searchability.

A: So it seems like Discourse is maybe just edging it ahead. Discussions is good, it's got merits, but okay, well, I've got a Discourse up and running, so we can always revert to Discussions if need be, I guess. I don't know.
C: Just another data point: the project I work on, Envoy, has a Slack channel for Envoy users. It kind of depends, I guess, on who might be able to answer those questions, but I feel like developers are more often on Slack, so if developers are answering those questions, they can chime in on the users channel. But yeah, again, just another data point.

A: We can easily create a users channel; we should do that, in fact. We might even make general, I don't know, we could have like a landing channel, I don't know if it should be general, where people land into sort of a user channel, and then from there they can work out how to branch off to development if they need to ask Cody and stuff and so forth. Great, okay, so project round robin. Fulcio.

A: We might skip over this because I don't think we have any of the TUF folks, or Santiago or Trishank, this week.
E: Well, from looking at the notes here, I think that the protocol document needs to be done. I haven't read the latest iteration. I think some of the work for the in-toto Metablock that is on Rekor is something that we've been working on and will be relevant for the TUF metadata as well.

E: So I'm hoping to make a PR by Sunday this weekend, so we can start, essentially, doing dry runs of this root of trust ceremony type of work.

E: It's almost like the PGP type, but it's a signature type for TUF and in-toto signatures. Okay, now that's a good question. Architecturally speaking, how much is there a shared code base between the two, and how useful would it be to have this type moved around?

E: Yeah, so another thing that I wanted to eventually talk about with the TUF maintainers is that we found out that go-tuf uses cjson, which is an implementation of canonical JSON that is not compliant with the spec. So there are two ways to fix that.

E: We can get go-tuf to depend on in-toto, which has a compliant implementation of cjson, using our own code, or we can just essentially move the burden into Rekor and have the conversion be done on Rekor in the canonicalization function, which is also not the end of the world, but that would mean we need to pull in in-toto as a dependency for the Metablock type even though we will be using it for TUF first. I don't know how contentious that would be.

E: Okay, that simplifies my life a lot. And then I think later down the line maybe we can move that logic to go-tuf, so we have to see that, or at least have this tight binding between the two.
A: A bit of a hack on this as well. I'm not going to reinvent anything myself, but I wanted to try and get a basic demo working, so I've downloaded twine and pip and Warehouse, and I want to try and get OpenID signing happening. But I'm happy to follow the lead of how the signing events occur, specific to TUF and all the work that you've done there, if you see what I mean. I just want to get something working.

E: So something that I think is cool, I don't know if Will from chilopress is on the call, but there is some funded work going on in helping twine and these other PyPI-related tools to essentially simplify the user interface for verifying signatures over packages, and I think, since PEP 458 and 480 are using TUF,

E: I wonder if we can just essentially use all of the stuff that we're doing for roots of trust and Fulcio to automate a delegation mechanism using OIDC inside of PyPI, and then using twine to verify signatures over PyPI packages on Rekor, or at least get the root of trust information and all the delegation information and eventually get a signature for the particular package. I am working on a one-pager that I wanted to share, and I think I should be

E: ready with this early next week as well, so we can essentially tie together the whole user story of how you can go to Fulcio, get your key, have it delegated for a PyPI namespace or package, and then be able to use twine to sign using that. It's very similar to the cosign story, yeah.

E: And then also use pip to install a package that eventually walks all the way through the delegation graph, from the global supply chain, not only for PyPI, to eventually verify the PyPI package.

A: Yeah, that's what I'd like to have a go hacking on: twine signs and pip verifies, and I might even just fork Warehouse and put in some sort of "this is signed" type signal.

A: I don't expect to land it upstream in Warehouse; it's just really so that we've got something to show people, to socialize the idea.

E: Yeah, again, I think we can get some momentum from the existing network. I think they're very friendly to working with what we have.
E: Well, since they're going to be using TUF, I think probably it has

E: Well, it is not full X.509, but it's like the PEM stuff that we already have, so there's already support for that. I expect GPG to slowly fade out. I don't know if you know this, but now, unless you know how to figure out the endpoint, the GPG signatures on PyPI are not really visible.

E: Yeah, and I don't think we put it up, or I think we put it up: there's a paper I wrote in 2016. We actually got the PyPI people to give us their logs of PyPI, from one of their mirrors, and we found out that less than one percent of people that fetch the package fetch the signature.

A: There's a guy from the SecureDrop project, he did an audit as well, and recently three percent of people are signing.

E: Yeah, so this is even worse, because even if you sign, people won't check your signature.

B: Yeah, that's why I was trying to mute myself. We had a 0.2 release, and then, more excitingly, Priya started signing a bunch of things with cosign that are now verifiable and everything. So the distroless images, if people are familiar with those, are now signed with cosign. We need to work with Kubernetes and other clients of the distroless images to start verifying those signatures, but lots of progress. As soon as that gets done, we've actually protected something important.
A: Yeah, so when you push the button and k8s is verifying with cosign,

A: I want to do a massive, concerted effort to make a lot of noise about that, because that's a big thing. So I'll really think about pushing the button on everything I can to get that out there and rinse that for what we can, because that's massive. That's really good work; that's awesome work.

A: Cool, okay. Anything else for cosign?

C: I just transferred over to sigstore the prototype git signing GitHub Action that I wrote last week, so that is available for people to play with if they like.

E: Well, I think that's nice. We are finally deploying on the live infrastructure. Our monitoring script is going to be deployed soon; I also procured some nice hardware to be deployed here at Purdue University, so my hope is that we will also make some sort of noise once we start getting our initial reports.

E: Part of the goal that I want us to have for this monitor is to move on some of the sketches that Dan had prepared early on, which were again these use cases of: is my key being used? Please send me an email.

E: Is something being signed with my key that I didn't sign? That part of the user interface is still missing, but part of the goal is to also make an early showcase of what can be done, and then a sort of blog post where we can show everybody all the things that you could do and how you can actually extend and improve and deploy your own monitors.

E: I think later down the line we want to start thinking of having multiple monitors gossiping information about the log, so that the log cannot equivocate, and so that we can also identify geographically relevant supply chain compromise services. But that's way more long-term.
A: So for the email check, are you querying Redis? Are you popping entries off as the index increments, or how are you monitoring, again?

E: Right now we are just hitting the API and asking for leaves. That's my understanding; if ff is still here, he could probably talk a little bit more in detail, but that's it.

E: Yes, so I expect that we may become expensive in terms of hitting the API, and at some point we may want to think of ways to improve that path. But for now I really want us to get something basic going.

A: Yeah, that's fine. What my thinking was, I've got an issue to include the email in the entries API, I think it's the entries API, where you can query Redis, so you can do a Redis search, which is obviously a lot more speedy. But I don't say that because I'm worried about you having a performance impact, just more that if you were using Redis, then we'd need to get that into Rekor for you first, so you can query by the email.

E: Right, I mean, right now what we're doing, or at least what we have to decide, is if we do want to keep a copy of the log so that we can perform multiple types of scans over log information; email is one type. We also wanted to do full audits on some scheduled time frames, so that we full-audit every night and can essentially tick a box and say, Purdue monitor says that this is fully audited and correct.

E: But then I am assuming that we'll also find interesting insights. As more information comes in, we can identify critical nodes.

E: We can identify developer changes, to say the whole Chrome malicious extension situation, or identify what the next left-pad will become, and I think for all of that, having this local trove of information and these pluggable scanners with a simple API, so that everybody can start writing their own scan modules, would be super useful.

E: That's essentially where things are at, but things are a little bit rough on the edges, and I hope to be able to share something next week or the week after so that we can see.
E: Yeah, so this is tied to our Purdue University course timeline. So by May we should have something.

A: Yeah, whenever you're ready, that's fine. Great, okay, let's see, so kitchen sink: sigstore. Things are progressing along there. We've got the full sign operation happening now and it stores into Rekor; we're just looking at the verify stuff, and also a big patch came in to help with multiple sigs. And the other thing:

A: I started to work on the policy, to work out how we could have a policy around maintainers. I was talking to Dan and he said, look, you're almost doing what they're doing at TUF, and I went, oh, okay. He pointed me towards the issue, so I've sort of held off on that and I'll look at what you're doing there. But it was a pretty simple format. The idea is that there is a JSON policy file which lists the owner of the project.

A: And then they have maintainers, and then you can have a signing threshold. So if your signing threshold is three, then you expect three maintainers to sign off the release before it can be deemed trustable and the verify operation will be successful. So just looking at doing something like that. But yeah, the sigstore clients are coming on quite well, and I spoke to some folks earlier that are using sigstore as well.

A: Actually, they built it into cosign to validate YAML for this Kubernetes admission controller project that they're working on, which is pretty interesting as well, so I'm going to see if I can get them to come along and do a little demo of their work as well.
A: Cool, okay, let's have a look. So, Ruby plugin: not much to update there. Eduardo put up a patch with the OpenID stuff; I need to look at that. I don't like installing Ruby on my host machine, just because of the dependency mess that you can get in, but I need to work out... the shell needs to be able to invoke a browser, so I don't know if that's possible from a container or a VM.

A: Okay, so we've got other communities. I don't know if there's anything new on PyPI; there's various stuff here, there's an action item on Marina to sketch out a way to improve the PR. How about crates? Santiago, I can see your name there: invite somebody from crates.rs to the community.

A: I can't recall Frank's surname, but Frank is the developer of minisign and also the wasmsign prototype that he wrote in Rust. We spoke to him about his ideas around the ecosystem, attached signatures, detached, and various topics, and then he got back to us and we set up a meeting this Friday to try and pull various people together from the various islands that there are in Wasm.

A: So yeah, we're hoping that will start to converge to some sort of implementation at some point. Going off Frank's email, it looks like, I don't know, I'm not the best person to be the arbiter on this, but it looks like it might be the attached route that the community, the Bytecode Alliance, seem to be warming to.

A: So the idea is the signature, and perhaps other metadata, will be attached to the Wasm module itself, and then you'll be able to verify that Wasm module. We're just trying to work out what the distribution methods are: some people distribute purely in an OCI image and others seem to just pass around the modules, so it's different sorts of methods really. I don't know if Dan is there to answer on the cool stuff?

A: Oh, he had to drop, and I see [unclear] has dropped as well, so that sort of brings us to the end. Actually, we've overflowed, haven't we? I don't have anything more. Anything that I've missed, or somebody wanted to bring up?

D: Just very briefly, in line with what you were just mentioning: I've started trying to reach out to some communities, so shooting out to Tor and, I can't remember who else, sorry, it dropped from my mind, Ethereum, I think. Basically, I thought that Bitcoin are interested, so Ethereum probably will be too; I mean, they're likely to be interested in the security of the network. So yeah, I'm going to start knocking on doors and poking on windows.