►
From YouTube: Sigstore Community Meeting - June 28, 2022
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Okay,
hello
and
welcome
everybody
to
this
week's
six
store
meeting,
which
comes
after
two
weeks.
I
had
a
little
break
last
week
as
folks.
A
A
bunch
of
folks
got
a
chance
to
meet
face
to
face
at
the
open
source
summit
and
open
ssf
day,
which
hopefully,
we
can
get
an
update
on
later
for
the
previous
meeting
a
couple
of
weeks
ago.
That's
up
on
youtube
and
I've
got
the
link
there
in
the
meeting
notes.
A
So
we'll
kick
off
with
the
project
brown
robin
then
go
into
outreach
and
other
updates
and
then
finish
off
with
introductions
for
anyone,
who's,
new
or
relatively
new,
or
I
just
want
to
say,
hi,
because
they
haven't
spoken
up
for
a
while.
A
Okay
and
santiago
has
found
a
way
in
so
I'm
glad
that's
resolved
okay,
jumping
into
project
ground
robin.
Do
we
have
anything
for
rico.
D
D
D
Yeah
exactly
previously,
it
was
mostly
just
some
core
x,
509,
parsing
logic,
some
stuff
around
pem
and
dare
encodings.
I
think
there
was
some
oauth
flow
stuff
in
there
pretty
lightweight,
mostly
just
some
of
the
core
security
things,
but
we'll
we'll
want
to
continue
moving
things
there.
I
think
and
then
also
talk
more
about
what
exactly
quote-unquote
coastline
as
a
library
looks
like
basically
making
a
goaling
version
of
the
library.
D
E
E
But
I
think
my
personal
opinion
is
that,
like
when
there's
stuff,
that's
like
specific
about
like
record
entry,
parsing
or
finding
record
entries,
or
things
like
that
that,
like
ideally,
they
should
live
near
the
code
of
record
rather
than
six
or
six
store.
But
that's
like
my
personal
opinion,
and
if
you
think
that
that
is
nice
like
maybe
also
do
that
too.
A
A
A
Okay,
I
see
a
plus
two
yeah
and
I
don't
hear
from
jason,
but
let's
move
on
and
we
can
come
back
if
folks
wanna
get
back
to
that.
So
let's
go
to
get
sign.
F
Yeah,
so
a
few
updates
here,
I
haven't
cut
a
new
release
yet
so
this
isn't.
This
is
only
available
on
github
if
you
build
from
source
but
there's
two
new
features
that
have
been
sort
of
highly
requested
for
a
while
one
is
credential
caching,
so
this
uses
a
local
socket
to
basically
cache
recourse
certs
for
basically
their
10
minute
lifetime.
F
So
if
you
want
to
do
like
a
multi-commit
rebase,
you
can
do
everything
with
the
same
private
key
certificate
pair
and
then
the
other
thing
is
at
a
band
oauth
support.
So
thanks
bob
for
helping
me
out
here,
so
you
can
actually
use
getsign
in
an
ssh
session
or
somewhere,
where
you
don't
have
a
browser
necessarily
available
on
the
local
machine,
so
check
it
out.
If
you
have
feedback,
let
me
know.
A
Okay,
so
moving
on
to
the
java
integration,
I
added
this
one.
I
don't
know
if
patrick
or
appu,
but
I'll
just
mention
quickly.
We
are
having
a
go
with
moving
this
meeting
to
wednesdays
it's
now
at
an
earlier
time,
and
the
main
thinking
was
that
we
could
collaborate
with
some
folks
in
europe
and
make
it
easier
for
them
to
attend
the
meeting.
A
So
we're
going
to
try
it
at
that
time
slot
to
see
if
it
actually
has
the
desired
effect,
so
that
a
couple
of
folks
have
expressed
interest
from
joining
from
germany
and
other
parts
of
europe
we'll
actually
be
able
to
attend.
A
Okay,
thanks
anything
on
the
python
side
of
world.
E
So
quick
update
on
this,
we
have
a
v4
milestone
in
here,
which
I
will
link
it
over
there.
I
am
working
on
a
number
of
pr's
addressing
them
right
now,
they're
open.
So
if
you
want
to
take
a
look
at
especially
that
some
doc
prs
too
even
for
readability,
that'd
be
nice
and
the
schedule
is
on
the
six
store
maintainer
calendar,
which
I
will
also
drop
in
the
link
in
just
one.
Second,
that's
scheduled
for
july
12th.
E
So
I
will
likely
next
week
put
in
a
maybe
like
link
over
there
to
you
know,
help
do
verification.
So
if
you're
available
that
day,
please
subscribe.
C
So
on
that
note,
would
it
help
it
to
have
like
more
tough,
knowledgeable
people
help
you
with
some
of
the
pr's
for
the
v4
milestone
or.
C
E
It
okay
cool.
I
can
link
you
and
like
to
specific
issues
that
would
be.
C
C
I
I
think
we're
getting
better
every
time
we
do
like
a
root
rotation
but
yeah
happy
to
help.
A
Nice
yeah;
no
thanks
for
that
ezra
and
thanks
for
dropping
in
the
link
to
the
calendar
for
folks,
okay,
moving
on
to
six
door,
ga
who
wants
to
go
first
on
that,
one.
C
Sure
jump
in
just
this
heads
up
we're
moving
all
of
the
projects
to
a
dedicated
gcp
organization
that
will
be
able
to
walk
down
a
bit
more,
so
the
organization
is
being
created
and
I'd
like
to
move
the
staging
project
to
the
organization.
This
week
should
be
a
no-op,
but
there's
a
chance
that
things
go
wrong.
C
Yeah,
the
other
other
thing
to
note
on
that
is
that
also
unblocks
us,
hopefully
the
final
issue
before
we
can
move
all
of
the
outstanding
issues
and
tags
into
a
public
repo.
C
So
we
can
be
point
folks
to
that
list
issue
list
if
there
are
folks
that
want
to.
H
A
And
what
about
on
the
timeline?
Just
conscious
of
the
fact
june
is
the
day
we
had
on
the
website,
and
I
think
we
had
talked
about
being
updating
and
giving
folks
an
update
on
what
to
expect
for
the
ga.
Are
we
in
a
position
where
we
can
update
those
pages
and
what?
What
should
we
be
saying
there.
C
Yeah,
the
short
version
is
we'll
be
posting
a
blog
post
this
week
out
on
the
community
site
that
that
kind
of
reiterates
kind
of
the
current
position
and
kind
of
the
plan
going
forward,
based
on
a
lot
of
the
work
that
the
g8
kind
of
sub
team
has
been
doing
as
well
as
discussions
of
the
tse.
So
once
that
blog
post
goes
live,
then
we
can
update
the
websites
accordingly.
A
A
Okay,
so
moving
on
to
the
logo
refresh,
I
wanted
to
add
in
a
section
as
well,
since
we
do
have
the
new
main
logo
for
sigsto,
and
I
noticed
some
folks
have
started
to
roll
it
out
onto
various
places,
but
it's
not
quite
consistent,
but
for
now
I
thought
yeah.
If
you
have
made
an
update,
it's
nice
to
just
share
it
here
and
yeah.
At
some
point
we
can
create
a
running
list
of
all
the
outstanding
places.
A
We
need
to
update
it
so
in
spirit
of
that
yeah,
thanks
to
whoever
updated
it
on
twitter
and
also,
I
want
to
give
a
shout
out
to
adam
who
went
ahead
and
I'll
show
you
this
added
it
to
the
cdf
landscape,
so
it
sort
of
links
in
sig
still
there
and
puts
in
links
to
github
the
best
practices
badge
and
even
tweets.
So
that's
quite
nice
and
adam.
Are
you
on
the
call
actually.
G
I
always
forget:
I
have
to
turn
the
gain
way
up
for
google.
Yes,
I
am
here
it's
on
the
cnc
app
as
well.
Sorry
david
interrupt
so
that
got
merged
over
the
weekend,
and
I
don't
know
what
the
val
I
mean.
Cncf
is
ridiculous.
Now
at
how
big
it
is,
but
you
can.
A
H
It's
it's
the
same
old
ridiculous
thing.
I
keep
telling
everybody,
but
if
we
can
maximally
make
it
clear
that
getsign
isn't
a
dco,
everyone
knows
that
getsine
is
dash.
Lowercase
s,
you
add
a
text
line
to
the
commit.
If
you
think
you
have
anything
to
do
with
digital
signatures.
We've
got
to
make
that
clear
every
single
time,
because
everybody
already
does
get
signed.
H
Yes,
even
for
the
logo,
if
there's
a
way,
I
don't
know
if
there's
a
way
to
emphasize
that,
but
if
you
say
get
signed,
everybody
knows
what
it
is:
that's
not
digital
signing,
so
I
don't
know
how
we
solve
that.
But
if
there's
a
way
to
make
it
clear
even
in
the
logo
and
if
we
can't
you
know
as
soon
as
someone
clicks
on
it,
make
it
clear
that
we're
talking
digital
signatures
and
not
a
text
entry.
H
Yeah,
this
also
falls
on
get
issue.
A
lot
of
people
think
that's
true.
That
is
a
problem
we're
20
years
late.
H
A
A
H
A
Moving
on
to
get
some
logo
with
all
those
caveats
from
david,
I
do
want
to
point
out.
We
have
some
new
logo
concepts.
I
put
them
in
this
issue
and
also
share
them
in
slack.
Thanks
for
the
folks,
who've
already
dropped
some
comments
in
but
yeah.
Please
go
ahead
and
either
comment
in
slack.
Oh,
you
can
even
let
us
know
now,
but
here's
some
of
the
the
various
options
that
came
up
any
comments
at
this
stage.
A
Okay,
so
yeah,
please
take
a
look
and
then
also
the
other
issues
open
on
the
logo,
refresh
2,
which
includes
kind
of
just
brand
colors,
and
we
had
a
lot
of
feedback
on
the
other
logo.
So
we've
passed
the
that
feedback
on
and
we're
waiting
for
the
next
drop
and
I'll.
A
Let
folks
know
when
we've
got
updates
for
that,
but
yeah
and
in
general,
if
you
do
start
to
see
places
with
the
old
logos,
do
send
prs
or
updates,
and
maybe
at
some
point
we
can
include
that
in
a
blog
post,
maybe
with
one
of
the
the
kind
of
monthly
updates
going
out
on.
Sixth,
oh.
A
Sorry,
sorry
hang
on.
A
Okay,
sorry
about
that,
starting
to
yell
stuff
across
the
house,
open
ssf
day
and
open
source
summit.
Who
do
you
have
folks
who
manage
to
attend
and
can
share
some
overview
and
any
interesting
talks?
Discussions
related
to
the
six
star
that
happened
there.
B
I
know
priya's
talking
down
well
on
digital
signatures
and
six
door
was
coming
up
on
a
lot
of
talks.
So
I
know
that's
not
being
very
specific,
but
so
many
talks
that
I
did
manage
to
get
to
is
a
lot
of
chatter
about
sixth
or
so.
C
C
Yeah
the
lines
were
very
blurred,
but
there
was
also
an
interesting
talk
from
asura
about,
like
the
salsa.
A
Let's
look
forward
to
those
talks
being
posted
online
as
well
check
this
out.
G
Azer's
talk
stood
out
head
and
shoulders
over.
This
wasn't
my
favorite
conference
of
the
year,
but
it
was
nice
to
hear
sigstor
and
azra.
The
quality
of
azer's
talk
was
well
above
most
that
I
saw.
A
E
I
also
just
chime-
and
I
was
at
the
ask
the
expert
session
for
six
store
and
I
had
a
lot
of
people
come
up
about
like
from
like
what
is
six
star
to
like.
Oh,
I
have
the
specific
case,
and
I
want
to
use
it
so
I
have
like
three
or
four
follow-ups
so
you'll
start
to
see
some
issues
being
filed.
I
wrote
down
like
a
rough
list,
but
they
have
everything
to
do
with
like
I
want
to
use
sig
star
on
bitbucket
and
things
like.
I
also.
E
I
would
love
to
learn
more
about
how
recourse
in
total
attestation
types
are
working,
so
you'll
start
to
see
more
stuff
thrown
out
over
there
and
people
being
looped
in
on
slack.
So
look
out
for
that
today.
E
Actually,
I
think
it
might
be
worth
doing
like
an
oss
summit.
Recap
like
I'm
happy
to
share
my
ask
the
expert
stuff
in
there,
but
if
we
want
like
a
whole
like
sort
of
oss
summit,
recap
dock
with
every,
like
all
of
you
know,
ours,
priyas
and
any
other
six
door
talks
that'd
be
great.
E
Yeah
I
can
start
with
my
my
like
recap
on.
Like
stuff
people
came
up
to
me
about,
and
then
I
can
at
least
share
notes
next,
weekly
and
if
people
want
to
like,
create
that
and
add
it
into
a
blog
post,
I
can.
A
Yeah,
I'd
love
to
see
your
notes,
so
that
works
for
me
and
maybe
we
can
coincide
the
blog
post
with
when
the
talks
become
available,
because
then
we
can
link
directly
to
those
and
that
that
would
be
quite
nice
to
re-highlight
them
to
folks.
A
They,
I
I
don't
know
if
anyone
from
lf
or
open
ssf
has
an
answer,
but
yeah
it's
typically
a
week
or
two
after
the
event.
I
think
it's
fairly
speedy.
A
Okay,
nice
sixto
at
cubecon,
north
america.
I
think
no
update
on
that
we're
waiting
to
see
what
room
options
and
options
we
might
have
to
run
a
colo
and
potentially
have
a
booth,
but
nothing
from
my
side.
I
don't
know
if
luke
you
had
anything
to
add
on
both
sides
of
the
things.
B
I'm
sorry
I
just
switched
off
for
a
second
though
boof
at
the
next
event.
Next
kubecon.
Yes,
we
could
certainly
do
one
yeah
yeah,
I'm
sure
we
can
find
the
budget
to
do
that.
So
I
could
always
make
inquiries
but
sounds
like
a
good
idea.
B
I
guess
is
there
I
mean
not
to
to
delve
into
it
now,
but
is
there
expected
to
be
a
few
folks
there
we're
going
to
have
good
coverage
for
staff
in
the
booth,
yeah.
A
Yeah,
I
think
we're
looking.
A
H
Not
much
more
just
hey,
if
you
didn't
know,
there's
no
training
course
there's
a
link,
there's
the
title:
it's
an
eight-hour
course.
You
can
see
all
the
details.
C
Yeah,
we
yeah
we're
very
happy
that
this
course
is
up
and
where
we
are
going
to
expand
the
course
over
time
and
we're
yeah
really
excited
about
it.
We're
doing
some
some
post
blog
posts
about
it
and
yeah
any
feedback.
I'm
happy
to
john
speedmayers
and
I
are
happy
to
take
feedback
directly
because
we'll
continue
to
iterate
on
it.
Thank
you.
A
Yeah
and
there's
certainly
seen
a
lot
of
excitement
about
this
and
it
was
nice
to
see
it
looked
like
it
got
announced
on
the
big
screen
at
the
event
last
week,
and
here
we
have
over
100
folks
already
registered
for
the
course.
So
that's
pretty
amazing.
It's
not
even
been
out
for
a
full
week.
Yet.
A
Nice,
okay,
open
source
security,
podcast,
who
I
mean.
G
I
don't
know
if
this
is
exactly
the
right
place
to
put
it,
but
it
was
a
nice
acknowledgement,
I'm
basically
going
over
why
signing
hasn't
worked
and
then
just
with
a
whole
bunch
at
the
end
around,
except
for
six
stores.
Six
store
is
doing
great.
This
all
sucks,
but
sig
store
is
amazing,
so
it's
at
least
pretty
fun
to
listen
to
and
a
decent
podcast.
A
G
A
Perfect
yeah!
No
thanks
for
that
recommendation
and
yeah,
highlighting
that
as
well.
That's
nice
to
hear
I'll
take
a
listen.
A
Okay
and
case
studies,
I'm
trying
to
think
if
I
added
this
in
yeah.
No,
I
think
in
general,
we're
still
looking
for
folks
who
want
to
share
their
case
studies
on
how
they're
working
with
sigsto,
I
think,
end
user
case
studies
are
always
great
on
how
folks
are
using
it
internally,
as
well
as
integration
case
studies
of
how
you
integrated
six
door
into
your
tool
to
just
make
it
that
much
simpler
for
folks
to
to
use
it
in
conjunction
with
other
software.
A
So
yeah
folks.
I
guess
the
call
to
action
is
just
to
reach
out
to
me
if
you're
interested
in
this
and
we've
got
some
folks
who
can
help
us
do
the
the
write
ups
and
and
then
submit
that
to
the
six
door
blog
for
consideration.
A
A
A
Okay,
if
there's
nothing
new,
then
let's
go
on
to
introductions
anybody,
I
want
to
say
hi
he's
joining
for
the
first
time
or
reintroduce
themselves
tom
go
ahead.
Please.
I
Hello,
my
name
is
tom
tofo,
I'm
with
redhead,
and
I
want
to
say
hi
it's
my
first
time
here,
I'm
with
operate
first
and
we
will
be
looking
into
helping
you
out
and
helping
learning
from
you
as
well
on
the
community
managed
six
store
instance.
So
we
will
be
trying
to
help
that
there
share
our
experience
there
and
also
give
our
hands
to
to
business
to
help
you
do
that.
A
Okay,
I
think
that
brings
us
to
the
end
of
the
call
today.
So
thanks
everybody
for
joining
and
yeah
next
week.
My
next
call
is
next
week
and
there's
the
the
java
six
or
call
tomorrow.
If
folks
are
interested
thanks
very
much
and
have
a
good
week.