From YouTube: Sigstore Community Meeting - April 4, 2023
A
Hello everyone, I'm today's guest chair, Hayden. We'll be going through the project round robin and discussing also some of the upcoming events. We have lots of presentations to call out, which is very exciting. Then we'll have a little bit of time at the end for any other business, which it looks like we do have a few things today.
A
And if you haven't already, please sign in if you'd like to. So, to start, updates for Rekor, Fulcio and Cosign. A couple to call out: we've released Rekor 1.1. This has a number of bug fixes and enhancements. There have been no breaking changes, so you'll see that it was cut from head, not from a release branch that we have.
A
We also have Fulcio 1.2, which I had mentioned in a previous week. This adds support for additional extensions for certificates that are issued for CI platforms. Right now we just have GitHub Actions, but Buildkite and GitLab will be two others that should have these extensions added in a future release. And you can try out both of these; they've been released to our production environments, accessible at rekor or fulcio.sigstore.dev.
A
Cool, so for the next section on Gitsign, timestamping and the roots, did somebody want to mention the updates, the v7 root signing?
A
I can mention those if not. The v7 root is being signed right now. The major difference is that a timestamp authority that's being operated by GitHub has been added to the trusted root file, and an npm delegation has also been added. There's also a fix here.
A
That's noted for the trusted root file, and one thing also to mention is that, if you weren't aware, in the previous v6 root this trusted root file was added, which is the list of all of the targets that previously were in their own files, and there's additional metadata around expiration for each of these that can now be used.
A
One other thing to mention is that we updated the staging root yesterday. I don't think many folks are using this; I think primarily the Python, JavaScript and Java clients, I believe, are using this for testing. Something to note is that we had to update the staging root in an incompatible way.
A
This, hopefully, will be the only time that we do that, but we need to switch over the root to a new set of keys. So if you have an embedded staging root, you need to update it. So this is something that we're discussing right now with sigstore-python, since they do have an embedded staging root.
A
Sweet. Continuing on, were there any updates for the clients? I see a mention of sigstore-java.
A
I don't see anyone on the call, I think, who's working on sigstore-java, so I'll just read this verbatim: they've released an updated Gradle plugin. I believe a changelog should be present in the sigstore-java repo if you'd like to learn more about what was in this, or any other updates for clients.
A
Cool, so continuing on: docs. So it looks like Sigstore's been accepted to Google Season of Docs. I don't know if anybody wanted to mention anything here. I don't see Lisa on the call.
A
This is very, very exciting. You know, if you've seen our docs, sometimes they're a little out of date; there's definitely opportunities to improve them. I'll mention, if you see anything as you're scrolling through documentation that is out of date or unclear, please do file an issue in the docs repo.
A
These are things that can be tackled as part of this project. Huge shout-out to Lisa for going through the process of getting us accepted into this, and then Lisa is also working on an application this week to begin the hiring process for Season of Docs.
A
Cool, continuing on to outreach and events. I believe we talked about a number of these last week, but KubeCon Europe is coming up very shortly. PyCon 2023 is coming up.
A
We also have Devoxx France, and it looks like there is a Sigstore workshop that will be presented at Open Source North America in Vancouver. I believe we discussed these five talks last week, but one new thing to call out is that we have the OpenSSF Days schedule published.
A
There are two Sigstore talks, one on getting involved in research projects and one on some of the fuzzing work that's been done in Rekor.
A
This is, I believe it's a 25 add-on to the tickets for OSS. Sorry, actually, it's independent. You don't need a ticket to OSS.
A
Cool. For the Sigstore landscape, it looks like Traced, or Tracy, has been added to the landscape and, as always, if there's any other projects that you want mentioned, please do file a PR and air any feedback. Were there any other events or outreach folks want to call out?
A
Okay, sweet. All right, on to any other business: logos. Did anybody have an update here, potentially somebody from the TAC, if you're aware?
A
Let me see if I can open this up real quick, download it. I can't easily, this, well, take a look at these variations here.
A
It looks like 1D is particularly popular and, it looks like, 20 hours ago this is what was decided. So take a look if you have any other opinions on this. Thanks to everybody who's chimed in so far on this.
A
We also have a new Sigstore logo that's been updated. You'll see that it has now been integrated in all of the places. You'll see this is all different colors of the logo. So if you are using the logo anywhere, please update it accordingly.
A
Well, we can maybe come back to that in a future week. I'm not sure if that's referring to another monitor that's been built. We also have the rekor-monitor project under the Sigstore organization, which I'm happy to demonstrate or show in a future week.
A
And then there is an ask for a status on this issue. I believe I was chatting with somebody on this issue recently. So I think the short answer here is that we don't have any status right now. Because there's a workaround, we haven't made any changes to fix this issue yet. This was something that we punted from the v2 release as a fast follow for 2.0.1.
A
If there's any takers, I'm happy to talk more about this issue and what needs to be done. I think I've got some notes in a, where is this, linked PR, which is here. So if anybody's interested in taking a look, do let me know; I'm happy to chat through it. Otherwise I think we'll be getting to this at some point soon, but I can't say when.
B
A
Awesome, thank you. Yeah, I'll say that, for the most part, the fix is, it's a little complicated, but I think at this point we know how we need to do it. The main reason I haven't taken a look at it again is just there's a lot of tests that need to be updated as part of this, and that means it'll take a little bit of time, but I'm definitely happy to chat with somebody about trying to get this fixed, and I
A
think, if we also talked about on the issue, one of the other things too is that we're aware the BYO PKI experience is sub-optimal right now. This was an intentional decision during 2.0 because we had a trade-off between requiring identity but also trying to support certificates that don't have identity.
A
We leaned pretty hard into the require-identity side of things and we've gotten some good feedback so far. So I think there's a tracking issue for BYO PKI; I can link it in the notes later. So, if folks have any thoughts, please do let us know how we can make that experience better.
A
B
A
Awesome. Well, for the last part, we leave the floor open for introductions. So if there's any new community members that would like to say hi, now's your time, but no pressure if not.
C
A
I know, let's use this time right now.
C
Okay, would you mind if I share my screen for a bit? Of course. Yes, one sec. So what I'd like to show you is a prototype a friend of mine and I built, because we realized, okay, so Sigstore and Rekor and all, super cool. But the thing it hinges on is basically identity theft, or when the key you use to sign, or sorry, the public/private key pair, is compromised.
C
So our idea was essentially to subscribe to, to monitor the log and send out notifications when, yeah, when essentially the identity we wanted to afford gets found, and it pings you when an entry has been created in your name or with that key.
C
So what I'm just going to show is just a basic landing page, and I wanted to show this because right now we're crawling Rekor and I don't think it's in the project's interest to have the crawler running around, running on there all the time.
C
So I was wondering whether maybe it makes sense to integrate that with the project and
A
Is really, really awesome to see. I'd love to talk more with you about this. So we have a rekor-monitor repository in Sigstore. Yes, that runs on GitHub Actions, and I think there's absolutely an opportunity there to collaborate and figure out how we can improve that. It's very, it's fairly bare bones right now, aiming to accomplish the same thing, right: tracking where keys are used or an email address is used.
A
Ultimately, one of the tricky parts of Rekor is that there's so many different ways of specifying types, that there's a lot of different types that you need to monitor. I think a UI like this would be great for making it a lot easier. To your point about crawling Rekor, we've talked a little bit about figuring out if we can stand up replicas, read-only replicas. Yeah, that would be perfect for, yeah. I don't think we'll open up database access directly, but read-only replicas.
A
Well, it's something to throw around, right. Like, I believe crt.sh, which is a monitor for certificate transparency, they've decided to just crawl all of the CT log data, or sorry, CT log services, and then I think they just get direct database access. But yeah, we talked about replicas. Right now it's fine if you're crawling it. I don't, I
A
guess one question is: is this, you're crawling it, ingesting all the entries, caching them and then crawling from that point in time going forward, or are you trying to periodically recrawl all of
C
B
C
Yeah, then I'll reach out to you sort of offline, Hayden. It's very cool. I also looked at the rekor-monitor thingy, but to me it seemed like that it wasn't mainly for making sure that the log hasn't been tampered with, that its sort of integrity is still there, whatever it is.
A
Yeah, that was the original focus of it. I think you can see it's, we tacked on identity monitoring. Given we're querying everything already, we were like, well, we can add on identity monitoring too. But yeah, as you noted, right, these are two separate roles, which is consistency monitoring, for making sure the log remains
A
monitoring for identities. Yeah, let's have some time to chat; I'd love to, yeah.
A
Not currently, no. Okay, all right. I'll mention one other idea we have thrown around too at one point is publishing every entry to a pub/sub so that you could just subscribe and get every entry sent to you. I think there might be an open issue for that. I'll chase that down and send that to you. But that was another idea that we had.
A
Yeah, I don't see it. I'll chase it down; if not, I'll file one and tag you. Awesome, really excited to see that you're working on this. It's definitely an area that has needed some improvement.
A
Awesome. Well, were there any other business or introductions that people wanted to give?
A
Awesome. Well, thank you all for attending. We will meet again in two weeks.