From YouTube: Sigstore Community Meeting August 23, 2022
A
All righty, well, welcome everybody. If you're new to the community, please join the sigstore-dev mailing list. The way this meeting works is we'll do a project round robin and then we'll discuss a few of the other ongoing events. Typically Tracy is the chair for this meeting. However, she is out this week. So, to kick things off: Rekor.
A
If not, I will mention there is an issue which I recently created. This is for including the signed tree head, or what's called a checkpoint, with inclusion proofs. This is something that we think is necessary to include so that, effectively, you are pinning your inclusion proof to the log that generated that inclusion proof. I'm working on adding this; hopefully we'll have this in by the end of the week.
A
Cool. Fulcio: I don't believe we have any updates for Fulcio either. There have been two recent issues, let me also post those in here, asking for some new identity providers, and that has provoked some great conversation.
A
So there's two things I'll call out here. The first one of these is an identity provider called eduGAIN. The main thing here: we're happy to add any more identity providers to Fulcio.
A
The main thing is that we have a list of requirements that we ask of identity providers. It's a bit of a work in progress, but we are codifying that list as part of the architecture documents that we'll be writing, so we might use this identity provider to kind of test that list out. The second one of these is a continuous integration IdP that's asking to be added. This is like GitHub Actions.
A
This provoked another good conversation. I believe it was on the npm RFC, but somebody brought up that, ideally, we would have some standardization between all the CIs in terms of the claims that are provided in the identity tokens, so I'm planning to create another Fulcio issue so that we can discuss a bit more about which claims we'd like there. So, for example, moving away from GitHub-specific claims and, more generally, to ones around workflow and whatnot.
A
Some of it might just be renaming and then deciding what's the ideal set of claims for that. So we can probably then discuss that during the next community meeting.
A
Alrighty then, cosign.
B
I have one thing for cosign, which is: in past community meetings we've mentioned a document that Hayden wrote about requiring that when you verify things using cosign, you provide explicitly what identity or key you mean to be verifying them against. I think we're at a point where that document has something I would describe as nobody has yelled at me that we shouldn't do it, and so I'm, I guess, tentatively claiming that that's in a position for us to move forward on.
B
So I will maybe follow up with Hayden about timelines and who's gonna do that work, and if you're interested, talk to me and Hayden, comment on the doc, and if you really don't think it's a good idea, I guess today is the day to speak up about it.
A
Perfect, I was just actually thinking about that yesterday. So yeah, I think our plan is initially adding a deprecation warning in, so that will be the first thing we get in, so you'll have a teeny bit more time if you want to disagree with it. But otherwise we're planning on moving ahead and also getting the rest of the clients in agreement on it too, though they have been already looped in.
A
Cool, I don't believe there are any other cosign updates. I'm taking a quick look at open PRs and issues. I believe I don't see anything major, so less gulf coast, synaptics.
A
Cool, gitsign really giving.
C
Yeah, so just a few feature updates here. So, PR out right now for adding git config support. So instead of just configuring gitsign with environment variables, you can just stick that in your git config, just like you do with anything else, so that's pretty cool. And then I also opened up a PR upstream with Dex. There was some feedback we got a while back with some of the behavior of Dex and how it handles GitHub.
C
Private emails will actually expose, like, your primary email, because we need, like, an email identity. So one of the things we were talking about was, like, oh, do we move to, like, an ID-based approach? But someone actually pointed out that GitHub has support for an ID-based email, like a no-reply email. So I opened up a PR to upstream Dex, so we can hopefully get that upstreamed and then pull that in, and then we don't have to expose people's private emails. So yeah, that's it.
A
This is a fantastic fix. Thank you for doing this, and I think it's really good that this is in Dex and that we don't have to worry about trying to figure this out in Fulcio on our own. For context,
A
I believe there was a question from Zack. Zack said: is that no-reply email tied to your GitHub handle?
C
Yeah, so it's a combination of your username plus ID. So even if your username changes, it should still be unique. If your username changes it'll invalidate it, but, like, if you change your username, then someone comes in and then takes your old username, it'll still be different.
D
Yeah, I'm not positive, and it still is possible, if, when somebody deletes their account, you could come and grab that same username. That's why some of the discussions around identity flowing out of GitHub for resurrection attacks and stuff like that; I think we added the user ID into the OIDC claims set a little while back, earlier this year, specifically because PyPI had some concerns in there.
A
Awesome. Alrighty, let us continue on. So for the clients, I think, Oscar, you have an update for root signing.
D
Yeah, super quick. Just a comment over here because I think it hasn't been said yet in the community meeting, but the next root signing, so that would be v5, is scheduled for September 20th.
D
That would be the final one before GA, so we'd hopefully have enough of a window for things to settle before then. That will include python-tuf compatibility, so for, like, sigstore-python and Python developers, you should have verification for a TUF working gun, and then it also resolves a couple of other GA-related issues.
A
Awesome, very much looking forward to that. Did any of the other clients have any updates?
A
I also asked Patrick: were there any updates we wanted to discuss around our conversation around the bundles for clients?
D
Yeah, I guess we could just mention that I think we're broadly agreed on the proposal. I'll link it into this doc after I finish talking, but we're figuring out sort of how to roll it out and where to roll it out, and as sort of like an AI, I'm working to basically define the spec as a proto with Frederick, I think, and, and we should.
A
Awesome. Thank you for that update. All right, Sigstore GA. Priya or Kenny, do you want to go and make an update?
E
Yeah, sorry, I forgot to write in the actual updates. I can fill them in after this. We have a target date of October 25th, which is the same day as SigstoreCon. That is still, like, slightly flexible, depending on, like, how our burn down goes, but that is, like, kind of the goal right now. And other than that, yeah, we're just working on closing out issues, writing docs, seeing how our driver on call is going. So pretty much same update as last week.
A
Awesome, and I'll say if you're interested in getting involved in this, come chat with one of us. We also have a channel, Sigstore GA, for discussing GA-related things.
A
All righty, con, that is coming up. Are there any updates? I believe the CFP is still open. Let me go check for that.
E
Yeah, we're reviewing the CFPs this week.
A
Awesome, and I believe, according to this, notification will be Monday, September 12th for CFPs.
A
Cool. Logo refresh: I don't think there's any more updates for this, is that correct?
D
Yeah, that should be all set now, and we've been making sure that all of the logos are matching everywhere. So if you see any stray ones, feel free to file an issue about that.
A
I'll do that. I've come upon a couple places. For example, I think the transparency log website is using the old logo. I can make an issue for that.
A
I think I've come upon it on some websites that talk about start using their technology.
A
Alrighty, docs.
D
There's not a lot of updates about docs that I have. I don't know about anyone else, but we are cutting over the docs main branch, the docs branch, from the Sigstore website into its own repo, and that's coming very soon. So we'll just share the messaging about that.
B
Nope, other than to say we aspirationally are targeting SigstoreCon as a date at which we'll have something to share with the community, and again, you're all welcome to be involved in that effort. Join the architecture docs channel in Slack. But at that point we should have something to share with you.
A
Awesome. Okay, outreach and events. We already chatted about SigstoreCon. OSS EU is coming up; that'll be in Dublin mid-September. I think it's the week of September 10th. There is an OpenSSF Day. Just a reminder: you need to separately register for that. It's free, but you just need to register for that on top of the registration for OSS EU.
A
Cool. Blog posts: did anybody have any blog posts they wanted to chat about that they've written? One that I want to mention here is the Linux Foundation actually republished a recent blog post I wrote on adopting Sigstore incrementally, which was very cool.
A
Alrighty, I'll just say: if folks are interested in writing blog posts, feel free to, and just mention on the general channel or somewhere. We can always post it on the Sigstore Medium blog.
A
I'll leave an update from the team writing sigstore-js and also Billy discussing gitsign attest. So if you'd like to see more about that, check out the office hours.
A
Alrighty, so the last thing here is just any other business. Nobody posted anything here, so I'll just give everyone 10 seconds, and this is just an opportunity: if you have anything else you want to chat about, about Sigstore, this is the time.
A
Alrighty, in my head I'm playing the Jeopardy theme song, though sped up quite a lot, even though it's about 30 seconds. All right, for the last part of the meeting: if anybody is new to the community, this is a time to introduce yourself. Feel free to; this is most certainly not mandatory, but yeah, if you just want to come say hi, here's a chance.
D
Very hard, I'm Meredith Lancaster. I started working at GitHub along with Trevoras and Brianda Hammer, Cody Sutherland and a few others, so nice to be here.
B
Dave Lester. I recently joined the open source team at Google. Happy to be here, nice to meet you all.
D
All right, okay, here, I'm also new to the community. I'm involved in a software special security at the finance company and I'm from getting eager to learn more about how could I integrate some of the tooling here with what we're having currently in place, based on graphics, and see how everything can potentially migrate from one system to another.
A
Sweet. Well, nice and short, concise meeting, awesome. Well, like I mentioned at the beginning, if you are interested in discussing more, join the sigstore-dev mailing list. We also have a Slack channel; come post in general, say hi. We have lots of good stuff going on there. Awesome, well, see y'all in two weeks.