From YouTube: Sigstore Community Meeting - July 5, 2022
A
Okay, we are going to jump straight into things and just start with a project round robin.
A
With the recall show there were no Rekor updates. Excellent, okay, good sign. We can always jump back to those as folks come in, but let's keep it moving. Billy, I saw Billy. How was that from you?
C
The 0.2 release this afternoon, if there's anything that is on your mind or you want in before I cut the release, just let me know. Otherwise, yeah, look forward to it.
A
A
Okay, on to Sigstore GA. I don't know if folks have had a chance to see this, but a pretty important blog post went out last week on the 29th, and this is finally the formal response on where Sigstore is at with general availability.
A
It kind of covers a bit of the history of what's happened to date and also what we're looking forward to in terms of a general availability for Sigstore and its various components, and I think the, yeah, the TL;DR is kind of looking at a four-month-out window of just running the services and finishing up some of the things listed, and then we should be in a good position to go live with GA. Is that a fair summary, Priya? Oh, Bob, great, yeah. So please do take a look if you haven't already, and do let us know if there's any questions or comments on that, and otherwise we'll jump into normal GA updates. Is there anything since last week to update on, Priya and others?
A
A
Okay, no worries, but yeah.
E
A
I would suggest, like, we can start referencing that blog post and, looking at the various places on Sigstore properties where we talk about the GA, just put pointers there, so folks, when they come into it, kind of have a better understanding of what it means as they're adopting the project.
A
Okay, so with that in mind, I think we had some consensus on the new logos for Gitsign and also Fulcio, and so this is kind of the first proposal of subproject colors, and they're put next to Sigstore with the new logo and its full color palette. So the idea was to have something that all jives together: we use the Sigstore blue throughout, but there is a way to sort of show everything is related to the Sigstore project, but each thing is its own kind of somewhat independent sub-project.
A
So this is the first reveal to the group. Any questions or comments, or things you like, things you don't like?
C
C
A
Yeah, I think that's a great question. Like, I'm not sure there was specific kind of guidance around who gets the logo or not. So I don't know if folks have thoughts. I think logos are pretty useful when things start to have their own identity and people talk about them as independent things you might adopt or use, and we want to kind of build a brand out around that. Any thoughts around, like, policy controller from folks?
C
I think there's, like, a more general question about, like, how many projects have and should have a logo, and I think there's also something about: we have a lot of little things that could use a logo, but we cannot just give every logo to the, like, I don't know, 50 repos we have out there. I wonder if we want to just define, like, a recommendation saying, like: hey, once your project has, like, this amount of usage, maybe not higher numbers, but just kind of like: hey, if you want your project within Sigstore to have a logo, why don't you propose it in the community meeting, saying why is it, like, what does it need, right, to be, like, identified at the end of the day?
C
I think it's also a matter of having resources, and I really don't know if we have, like, a designer on staff, or we need to, like, collect a batch of the projects and then send them over and come back, and so on and so forth.
A
Yeah, and I think that makes sense, and, like, with my experience in CDF, like, you take something like the Tekton project, and they would do logos for any kind of part of the project that was significant, and, in that case, like, CDF, the parent organization, would support them with the logos on demand, and it was kind of nice because they always tied it back to their cat logo, so it all kind of fit together. So yeah.
A
I think it makes sense coming up with some similar guidelines, and I think, like, I can see a place where we get to where we've got a kind of, you know, Sigstore for Python or for Java; it might be nice to kind of be able to have some stronger identities with those. Okay, let me take a look at some of the guidelines other projects might have, and maybe there's something lightweight we can borrow and use.
A
A
Should we, sorry, should we make the Gitsign check mark green instead of red? Yeah, we could swap that. I think the reason that one, I actually requested red in a little bit of a nod to the Git logo, but yeah, we can... would switching out... We could switch it to the green, like Fulcio, and change the Fulcio color to avoid using red completely in the palette.
A
D
D
C
I don't mean to, like, push for that. I just found it funny that I thought it was green for a while. Yeah, like, it's just hard to make a logo that, like, is perfectly friendly with all blind types. Cool.
A
Yeah, I can try a few tweaks and see what, optimize where we can. Okay, and then, yeah, following that, the plan will be then to just start propagating the logos on all the various properties and just going around updating where Sigstore is used.
C
A
Right, moving on to outreach and events. Yeah, no big updates here, but just to clarify, for KubeCon North America we are still pursuing a couple of avenues. One is looking at a one-day co-located event, aiming to get a room for about 200 folks and to have that focused on a set of Sigstore talks, hopefully including a lot of case studies from folks using Sigstore in practice. And then, as a distinct item, I think we are also considering having a booth during the main conference as a place for people to gather, ask the experts, or just chat with community folks in general. So we'll keep you posted as those things shape up, or if we do end up being in a position to run a call for papers. And separately from that, case studies: I don't know if folks recall, a while back I had a call out for various case studies of folks using Sigstore out in the wild.
A
We do have a couple of folks who are working on them. I don't know if we have Fabian on the call, but he works with folks at Edgeless and he's willing to start working on one case study.
A
C
I think it's pretty much whoever has credits. I think Luke is the one who has the credits, just from, like, previous publications. I think also Dan does have them. I don't know how Medium accepted works, but I know that they have approved from me in the past.
A
So just hit up Dan and Luke as something is ready? Sure.
C
Another thing that I wanted to add is, I guess I can wait for any other business, actually. Okay.
C
C
I don't know if we want to block it or we just want to say, like: hey, this individual wrote a blog post and experience with Sigstore Python.
A
Great, yeah, I guess that I'm promoting that through Sigstore social, and again I guess I'm assuming Luke is the contact for that.
A
It brings up another question for me, and maybe this is something we can discuss. Like, when we come on to the Sigstore website, we don't... I do wonder whether we should have a section which is based on language community, so just coming in and sort of saying: here's Sigstore, here's how you might use it in Java, here's how you might use it in Python, and then we could have potentially a landing page for each community. That's as is progressing off.
A
C
I think that'd be interesting. For example, in particular at Sigstore Python, I think there it would be interesting to point to, like, existing PEPs around software signing. Like, there's PEP 480, that tries to combine TUF and PyPI, and I think there's a question to, like, mention Sigstore as well, so it could.
C
C
A
Yeah, no, I think we'll think about... and I know we still have sort of plans for kind of a documentation focus and rehash of the website, so I'll throw that in the list, and, well, I'm sure we can plan something at some point to bring in a wider discussion around it, but yeah.
A
In the meantime, let's see if we can get that blog post promoted and retweeted, or even, I don't know whether we repost things on Medium, but yeah, I'd certainly be plus one to have that featured on the Sigstore blog.
C
A
Okay, anyway, is there any other business?
B
Yeah, so I had a couple of questions about some of the stuff regarding moving to sort of 1.0, if there's nothing else to chat about in particular.
E
B
A couple of questions regarding, like, Rekor 1.0, just because I know in the community, I think there's some confusion as to what Rekor is actually really intended for and what, like, the use cases will be that will be supported in 1.0, because a lot of folks are using Rekor for all sorts of things, and it sounds like some of those use cases are really not intended, at least yet, and so some of those use cases might not be, like, something that we want to call out, is just sort of saying: hey, here's the things that are supported for 1.0. And separately, I think one of the things was just, given that there's a lot of discussion today about, you know, Rekor holding on to records of attestations and all this other stuff, that a lot of folks are not really sure.
B
If, you know, some people today are starting to use Rekor as their sort of canonical store of where their attestations live, and based on some of the conversations within the community and in this group, it sounds like that's probably not the intention, but I think, you know, some of these things, as we kind of push towards 1.0, might be worthwhile to clarify.
E
I'll take an attempt at muddying the waters. So I guess, to me, the guarantees around 1.0 have a lot less to do with any one particular use case and have a lot more to do with, you know, if something winds up in Rekor, it's still going to be readable for this period of time, and, like, you know, has a lot to do with availability, and has a lot to do with, you know, what volume of sort of write requests are we going to be able to handle. And I think we have, you know, sort of blessed use cases in mind for what we want people to do with that. But can I ask you, Michael, like, what do you think might break?
B
Well, so I don't think it's necessary... I think there's, yeah, I think there's two separate problems. One is the, I guess, the general, like, stability of Rekor, which, it sounds like: hey, we're just trying to guarantee the stability of Rekor within some, you know, SLO or something like that. That makes sense.
B
I think the thing also is that, as we kind of hit 1.0, like, I know a lot of folks in the community are just going to say: okay, great, what are those blessed use cases? Just so we have an understanding of, like, what should be living in Rekor and so on, because, like, I know just in... and I think it's kind of related in the sense of, as Sigstore kind of reaches that general, that GA release, a lot of folks are now saying: great, what are the use cases, right? Because there's lots of things you could do with Sigstore. I can sign all sorts of things, but there are certain things that folks are saying, you know, you might be able to do this, but it's really not one of the things that we were really, at least yet, looking at. And just some of those things, I think, sort of making folks understand, right? Because, like, you know, you ask folks, like: where should I be storing my attestations?
B
Most people say: oh, if you're using containers, you should store it in OCI. But a lot of folks are saying, actually, like, what happens if I don't have a container? Should, you know, can I sign, I don't know, a Java JAR and include that somehow in the JAR? And the answer today, the Sigstore is like...
B
E
Yeah, that clarifies a lot. I think I don't have an answer to you, but I think it is a great idea to, you know, sort of, as we roll out 1.0, sort of tell people what they should be using Rekor for, and basically say: everything else, talk to us in Slack, we'll try to help. But, you know, outside of us upholding the guarantees, that's, you know, the SLOs and so on, that's all you got.
B
Yeah, so as an example, some folks have been starting to use Rekor to sort of check other people's attestations and that sort of thing. If you start to see tons and tons and tons of folks writing and reading to Rekor and using it almost like a database, as opposed to a record store, you know, like a store that this thing has happened at this time or whatever, I think, you know...
A
It's never happened before in someone. Cool. Now, I think this is, yeah, it's a really interesting discussion and one I think we should revisit, and just bearing in mind, I think there's not a usual quorum of folks on the call, but it's a worthwhile one as we gear up to GA, being clear about those use cases, and I think, looking beyond GA, and certainly as I start to talk to more folks actually using Sigstore, starting to think about, you know, roadmaps. And we can talk about blessed use cases, but we should also be talking about, if folks want to come in and extend those use cases and figure out how does it work with Java and JAR, there's a path for them to talk about what they would like to support and how that fits together.
A
D
Yeah, I should probably say something more than a passive-aggressive remark in the comments about having a searchable database. For those of you who know me, I have for many years, and by many years I mean about a year and a half, lobbied for the idea of a universal asset graph, or at least some database that is meant to be a canonical shared representation that is optimized for querying easily and quickly.
D
D
So I would generally say I'm fine with writing as much as possible to the log to create that tamper-evident series of events with, you know, a trustworthy time index, but it should then be transformed into a form.
C
C
I haven't jumped in, and sorry I'm jumping in between that, but my understanding is this is why we also want to have a more thorough monitoring project, because we're already looking at every single entry that comes in, and we're actually very close to just indexing and presenting this for users. I think being able to read the log and essentially provide it in an indexed way is useful.
C
Now, I think part of the problem is: do we need to read the log and that's enough, or do we need to read the log and go to an OCI registry and then figure that out, and what does that really mean? It's almost as if we said, like: oh, the certificate transparency works very well, but the only thing that we keep is leaf certificates and not the roots, so what do we do about it? And, in fact, certificate transparency logs do actually need to check the certificate chain before they let it into the log itself, right?
C
So I'm not, like, disagreeing with anybody, but I think, since we're taking on a bigger, like, challenge, we may want to, like, outline exactly where do we cut in terms of, like, what's in the log and what's not in the log. How do we provide meaningful security and entities without just making CT 2.0, and that's it? Michael.
B
Yeah, so that actually, yeah, a lot of what I was saying was actually also predicated on that sort of idea that, you know, Jacques' sort of universal asset graph and some of the other stuff. You know, I'm working with Santiago and Brendan Mum and a few other folks on some sorts of stuff in this area, and a better understanding, like, stuff like: okay, what should live in Rekor or be the canonical store, you know, what should be canonically stored in Rekor, what shouldn't, is also going to help us better understand, like, what we should be putting into Rekor versus other tools that we're building out. With the idea, right, like, just, you know, I don't want to go too deep down the rabbit hole of all the potential use cases or whatever, but, like, the idea there being that, you know, lots of people are going to be attesting to all sorts of different things, and you're going to have third-party people attesting to other people's artifacts, and they're not going to have access to push those attestations into, let's say, you know, their container registry, but they can, you know, push it into some other database that just sort of says, that is a public store of knowledge, and saying: hey, if you trust this identity of this third party, then you trust their attestation or whatever, right? And I think these sorts of things are things we're trying to kind of better understand, like, does it make sense to put a lot of this into Rekor versus something else.
A
Okay, I think this is, yeah, one where we'll leave this on the agenda and certainly let folks know asynchronously. We should come back to it and, yeah, build on this discussion and see kind of what we can capture or what makes sense to explore.
A
Okay, I don't see any requests, but yeah, no, thanks everybody who was able to join today, and yeah, we'll pick up the discussion next week and I'm sure we'll have a lot more people to join, but yeah, glad you could all make it, and thanks, and have a good week.