From YouTube: Sigstore Community Meeting - June 14, 2022
A
Okay, we're live. Yeah, good morning, good afternoon, whatever time you're joining. Welcome, everyone, to the Sigstore community meeting, and we are gonna kick off with a project round robin. For anyone who's joining new: just before we get into this, there will be an opportunity towards the end of the call to say hi and introduce yourself, so yeah, just enjoy, listen and, at the end, you're welcome to give a quick hello. So, project round robin.
A
Okay, I'm moving on. Fulcio.
C
Sorry, I was muted. For Rekor, if we jump back there quick, there's one PR that's pretty close to ready to go in from Frederick on adding code support, so that should make it into the next release.
A
Okay, Fulcio. Hayden, was your update for, was it Fulcio that had no update? No?
B
Yeah, yeah, there are some PRs, but I'll talk about them when they're merged. They're just some small things.
C
D
Yeah, I could take this one. So we had a blog post go out last week. I'm sorry entered a kids sign which had a nice wave of new people trying it out, so we're over 400 stars in GitHub now. We also released 0.1 and 0.1.1, basically to ship the changes to the public Fulcio instance, yeah, and then we've also been helping out with the sigstore/sigstore packages.
D
We've been using gitsign as basically like the guinea pig for, like, oh, what things do cosign and gitsign share, so we'll be trying to pull more things into there so we can remove the cosign dependency altogether. So that's it for gitsign.
A
Yeah, now that's amazing, and congratulations. Yeah, it was a great blog post and I'm glad that it picked up so much traction. So nice to see that people care about commit signing.
C
I don't know who's here, so I'll just start talking. We have a Rekor client in, landed last week. We updated the Fulcio client to use gRPC. I see a question here, I'm not sure if you asked it. Does anybody know where that came from?
C
Where do we store secrets that can be shared with developers on a project? No? Anybody? Okay, and that's news for Java, unless anybody else does anything. That secrets question might belong under GA or something different. Yeah, I don't understand what that has to do with Java or who put it there.
A
A
No? Okay. And root, got the signing event. Is that Marina or someone who can speak to it?
B
B
So I think this is just a calendar for those who are key holders: when we'll contact you about testing and then when the signing actually should happen. Our plan is, we have the postmortem that we're still going through some of the items that came out of it, and once those are all wrapped up, we'll do the v4 signing and then six months from that a v5 group.
B
A
Okay, great, so that's a project update. Unless there's anything else anyone wants to add, we'll move on to Sigstore GA.
A
E
Yeah, so I would say.
A
E
Weekly meetings on Mondays to go through a list of task items.
E
Last week at the TSC meeting, we reviewed the current list of open issues and started to do the prioritization work around what we feel, it felt like, needed to be in scope for GA versus out of scope for GA. We're also in the process of editing a, whether you want, I guess effectively it's a blog post, to where we're ultimately going to state what is mga, what the intent for, where we want to take the community in terms of offering these services, removing the experimental flags, and setting up proper SLOs and on-call rotations and all the stuff that goes along with it. So that's currently being edited by the TAC members.
E
Updates to share around that, but there's also kind of the technical work that's been going on to continue to harden runbooks and clean up the additional infrastructure items that go along with all that. So I don't want to undersell the technical work going along with the administrative overhead that goes along with getting all this pulled together. But, so, I don't know, Priya or Kenny.
B
C
No worries. Yeah, no, no big updates. I think we're just, you know, chugging along, working through some of the issues. Once we have that defined list, then I think we can start working on that and, like, really, you know, start making progress again as, yeah.
E
That sense, and we, as Hayden pointed out to me earlier, I think it was also in one of the Slack channels, us-central1, which is a GCP region in Iowa, was having some API issues with GKE this morning. I don't know if that's actually resolved or not, but so we're technically in some sort of an outage as we speak here. So it.
C
Was resolved. It was only three hours ago, yeah.
G
C
B
One other small thing I just want to point out, this is also talked about in the sixth or j channel, though: if you're on Hacker News, it's, I think, the top post right now. Grafana, I think I said that right, just announced an open source project for on-call. Very interesting, promising project. This is an alternative to PagerDuty, which is a paid product. It'll be interesting to see, you know, comparisons of the two as people start learning more about this new project.
B
I'll drop a link in the doc now, but just wanted to mention. I think it'll definitely be something we'll look into to manage on-call.
A
Okay, so moving on to just general outreach and events. Next week is the Open Source Summit, with the starter day of OpenSSF Day. I believe a bunch of folks on this call will be at that event, so yeah, a great opportunity, folks, to connect and get together.
A
I did see one specific Sigstore talk, which is Demystifying Digital Signatures from Priya on the Monday, and yeah, I believe there's a Sigstore announcement. Lisa, are you on the call?
C
Yes, so John Speed Meyers and I have recently completed a full course of Sigstore through the Linux Foundation, where it's going to be soft released this week. But we will announce that full release next week with the Open Source Summit, and this will be free for the community to use through edX. And if folks want to get a certificate through the Linux Foundation, they could go through the course that way.
A
A
I think traditionally Sigstore's had a booth at KubeCon, so one open question is: is there any intent to have another booth? And there's another option as well around a co-located day, so KubeCon typically opens up the days ahead of the conference to project colocation.
A
We do kind of need one or two companies to sponsor it to make it happen, but that's looking likely that we can figure something out there. So one big question is: if that were to go ahead, what would we call it? Would it be like the Sigstore Days, SigstoreCon, Sigstore Summit? So open to ideas if folks wanna throw this out in the doc or in the channel, and then,
A
Secondly, folks, if any of your companies are interested in sponsoring, I think let me or the TSC know. We'll start to gather interest so we can see if we have enough momentum to make this actually happen. It should be, yeah, pretty cool.
E
I think, yeah, sounds like a great idea to me. I think it would be a lot of fun and we have plenty of stuff to cover, but obviously it depends on folks showing up to pay. So, yes, I think aspirationally, I think the booth is something we want to continue to do. It's been well attended both the last two KubeCons.
E
E
A
Okay, yeah, now that will be exciting. Logo updates round two, let me drop an issue in.
A
But yes, folks recall we went through a logo refresh for the main Sigstore logo, and that was completed. The next kind of follow-up items were to get a, just, we have the existing guidelines which have the old logo, so those need an update, and also we wanted an update for the subproject logos.
A
So there is an issue with this and I have got some things to show, so I'll show those here. You're welcome to give feedback here or drop it in the GitHub issue, but there's a set of, I don't know if you can see, this is showing up.
A
So this color palettes, so the idea is, because we have a new color for the main logo, we want to get something complementary that we can use for subproject logos and also on the website. So there's a few options through there. I'll flip through them quickly.
A
But feel free to take a look in your own time and leave any comments. And then the other side of it, let me bring up.
A
Was the idea of using the similar type seal but using the existing symbols for the subprojects and also making it clear that they're part of the Sigstore project. So I think there's two variants on there, and I believe we did want a different logo for Fulcio. I know I discussed that with Luke, so we're gonna request that, and also a new logo for the gitsign project that fits in there.
A
E
Yeah, just on the last, project-specific logos, I know that kind of ties in with a point that was made in Slack earlier today around maybe not proposing a name change, but even adding just a Sigstore Fulcio certificate authority or Sigstore Rekor, you know, a transparency log or something like that, to where the names are just, you know, project names and we don't know what they ultimately mean, in terms of that, I guess, renaming.
G
A
C
Two things. One, very quickly, is: could we get a link in the docs, just because I can't find that easily? The other one is probably the closest we can technically get to bikeshedding without a bike shed being subject, which is to talk about colors. Very quickly, red and blue are very hard to look at; like, the eye is bad at resolving these two in contrast, so I would be against red and blue being used together.
A
C
Yeah, it's just when you have them, like, together, like for people like me who have dodgy eyes, it becomes very blurry, like typing those two colors on top of each other. So basically, just a different mix is what I'm driving at.
A
A
But yeah, I think there's something to be said about certain colors, especially red, for colorblindness and things as well.
A
Okay, so I have dropped the link to that. So do feel free to go and give feedback at your leisure, and then we'll collate all of that, again send it back, and just iterate as needed until we get to general consensus on the new set of logos and the brand kit.
A
Okay, on to any other business. Bob, so: should we cancel the meeting next week due to the Open Source Summit North America? Yeah, I'm open to that if a lot of folks are there. We could, if there's some specific working topics for folks who aren't there, I'd also be open to doing a working meeting. I'm not going to be there personally, so quick show of hands: anybody strongly want to have the meeting next week?
F
Hey, I'll take this because Hayden's had a couple of agenda items already. So the summary is, there is a proposed enhancement to OAuth, not OIDC, but to OAuth, called DPoPs, which stands for Demonstration of Proof of Possession at the Application Layer. "At the application layer" just didn't make it into the acronym, so I don't know about that. There's a lot of detail in the documents I've linked below, but the short version of what they are is:
F
They are like regular OAuth tokens, but they actually bind a key pair, the public key and a key pair, to the access token that they're granting you. There have been some folks who have sort of talked about, could, are DPoP sort of a replacement for Fulcio? And they seem like they might do it. In practice, as they are implemented and proposed today, they do not, and Hayden and I independently tried to investigate this question.
F
We both came to very similar conclusions, which is, it would be possible to really contort the DPoP proposal to make it work as sort of a way that moved a lot of the role of Fulcio into the OIDC providers, but in the near term it's not going to happen. So this is a, I guess, not that interesting of an agenda item, in that all I am saying is, probably nothing is going to happen.
F
It's a cool technology with some benefits, but we are not planning to adopt it in the near term, and certainly not as a replacement for Fulcio. So more details in the doc, but just wanted to share those out. And Hayden has a doc, I have a doc; I think they're both pretty similar because, you know, we have pretty similar opinions on this, and the only reason there are two docs is because we made them without knowing about each other.
A
Thanks. Yeah, great minds think alike, but yeah, no, thanks for highlighting that, and anybody who wants to, please do feel free to dig into that.
A
Okay, yeah. Now we open to any new items, and I see Josh is in there, just, you wanna go ahead?
B
Sure, yeah. I wasn't here last week on this call, that I see Ville started talking about this. A bunch of the, like, server-side cosigned code from cosign was moved into a new repo, so there's a link there.
G
I posted something in that comment that, I mean, hella sketchy repo, don't get me wrong, but digging into the whatever organizations behind that, it's called, like, a TPM, but interested just to see what, like, initial thoughts are without contextualizing that much room.
G
Is actually right there, it's being shared on the screen, it's any other business. I just made a comment and linked to get.
B
A
A
All right, wait, didn't you go ahead, Cameron, and then we'll do Erica and Kara.
G
Okay, right on. Yeah, Cameron Bernosky, this is actually my first Sigstore community meeting. My company joined OpenSSF a long ago, maybe, and kind of a different but aligned line of effort for some of the stuff that's happening in the Department of Defense is like what I have been focused on, and so catching up and yeah.
A
Awesome, yeah, welcome, glad you can join us, and yeah, keep bringing up things on the agenda. Next, Erica. Hi.
C
A
C
Cara o'cara. Hi, I'm Kara Olga, I'm from Google, I'm a technical writer, so I'm also looking to help out with documentation. So hey, great.
G
Hello, I've actually been to the meeting, but it's been some time since I've been able to attend, so I'll reintroduce myself. My name is Eric Tice. I work for Wipro Technologies. I lead the technical consulting and center of excellence within our osvo group. Wipro is a member of OpenSSF that have been taking part in a lot of the mobilization and other projects that have been going on more recently.
G
Our interest in Sigstore is, as part of a lot of these working groups and the SLSA framework and a number of other components, we're looking at ways to improve kind of best practices and automate the tooling around digital signatures and other components within the SDLC, for very much trying to push the developer shift left as part of our DevSecOps practice and offerings.
G
So we do a lot of this work. I have a number of people in my CoE who are ramping up on Go for the components that they, you know, have less experience in Go. Most of them are Java, and they're looking for places to contribute to the various projects within Sigstore, so we'll be trying to jump in and be proactively contributing as soon as possible.
A
Yeah, that's awesome, and yeah, I'd love to hear it. And yeah, to you, Eric, and to everybody else, yeah, do let us know. Like, we do have this agenda around the projects, but we'd also like to cover other topics of interest, especially from kind of the end user perspective. So if there's something you want to bring up, yeah, feel free to reach out to me, and I can help get that on the agenda or set up appropriate discussions for topics folks want to see covered in these meetings.
A
Great, so welcome, and we have Paul. So yeah, great to welcome intros, re-intros. Paul, go ahead.
B
Oh, sorry about that, my mic wasn't set. Paul, a software engineer at.
A
Welcome, Paul. Okay, with that, yeah, nice to see so many new faces and old faces. Yeah, anything anybody else wants to cover? Otherwise we'll leave it there, and all you lucky folks who are meeting next week, do enjoy.