From YouTube: Sigstore Community Meeting - Jan 10, 2023
A: Awesome. Well, welcome everybody, happy New Year. We'll go through all of the projects and outreach and events. So I threw a few things in yesterday for Cosign and Fulcio; I'll talk about those in a minute. Were there any project updates for Rekor?
A: I don't believe so. Everything's been pretty stable in Rekor recently. For Fulcio, I wanted to mention a PR that is currently in review. This is to standardize the Fulcio certificate extensions. This came off of a separate issue to try to standardize the CI claims, sorry, the OIDC claims for CI systems like GitHub Actions or CircleCI. Feel free to take a look at this; I'll just share this briefly.
A: You know, we'd love comments on this, or in the other issue, for what we'd like to see in an OIDC token. The main focus is on how do we represent identity for a CI platform, and separating this from provenance, because this is something that, you know, we've intertwined in the past, and I think we'll use this opportunity to make sure we clarify exactly what represents an identity. So this will be open for a little bit. Please do take a look, and...
B: Yeah, real quick question on that one. So I know there's some discussion between the sort of various options; the spectrum runs from, like, let each provider kind of live in its own universe and operate totally independently, to force all providers to use exactly the same set of extensions, and a bunch of in-between options. So roughly, where did we land on that spectrum?
A: The way I'm doing this, at least, is ideally other CI platforms are going to be able to use the proposed options. So, for example, here these are some of the values that GitHub currently puts in its token, and these are some values that we'd like to see, with, you know, maybe different names. As a Fulcio maintainer, the way I view it is, it's obviously easier if you're implementing the same, but if other platforms say no, we're not going to deny them from being added to Fulcio. I think, more than Fulcio, it's easier for clients that need to verify these certificates if the claims are the same, and that's, I think, going to be the driving motivation, not the Fulcio implementation. I think we do have some other CI platforms that are chiming in, and I want to make sure that we get, you know, all the ones that have expressed interest so far to chime in if this is something that they want to do eventually. I don't expect, you know, folks to switch over to these new values overnight.
A: Awesome. Going on to Cosign, Priya, did you want to mention the release candidates?
C: Yeah, so we have one release candidate from a couple weeks ago for the 2.0 release. I think that we're probably about ready to do the next one, because I think there's already breaking changes from just rc0 to rc1.

The main change I can think of is, like, on verification, you now have to specify the issuer and subject that you expect to get. So yeah, I think probably an rc1 release this week or early next week is probably a good idea, but definitely start trying it out. If you have any client libraries, I would definitely recommend trying to upgrade to the v2 version. There's still time, but there are a lot of breaking changes, so it might take some time to properly upgrade everything, so I definitely recommend getting a head start.
D: Also, I put in, there's a command, both, like, in the API and on the CLI, for, like, attest-blob and verify-blob-attestation. That's been migrated from, like, just using verify-blob to verify attestations, but it'd be nice to have some users, like, test that out, especially if you were using blob verification and had issues in the past before about that. So let me know if your issues are fixed with the new command, or if you run into more problems.
A: And all of these breaking changes, new features that we're adding, we'll make sure to document these in the changelog and in the blog post once we release 2.0, or get a little bit closer to the final release candidate.
A: One other thing to mention is our remaining list of what we view as blocking changes for the 2.0 release. If you have any other changes that you see as blocking, mainly that these are going to be breaking changes, let us know and feel free to chime in on the issue that's linked, but we don't have too much left to get through. The next item is the versioning policy. Did you want to talk about that?
B: Yeah, real quick. This shouldn't be news; this has been sitting for a while, but basically the described Cosign versioning policy was not what we were doing in practice for a long time. So I tried to write down something that was a little more reasonable. Of note is that we're not going to be following strict semver for CLIs, which is actually really quite nice for this 2.0 launch.

It means that we don't have to get every possible breaking change in right away for 2.0. I still think, you know, as many big changes should go into the 2.0 as we can, but yeah. And the reason for that is basically just that I don't think, this is maybe my little pet view here, but I don't think semver makes a ton of sense for applications. I think in practice that always winds up, this is why your browser is at version 400 or whatever it's at, like, they want to make breaking changes way too frequently, and that's a worse user experience in my mind than just having a sensible deprecation policy that lasts, you know, several months or several releases or what have you. So feel free to go ahead and give that feedback, but I'm planning to merge the new versioning policy and then put some infrastructure in place to enforce it, starting end of this week. Yeah, and folks have mostly had a chance to look at it.
A: Exactly. So yeah, please take a look at the versioning policy, give some comments, and we'll see it merged in about a week. Then, are there any other things folks want to add about Cosign?
A: Cool. Billy, do you want to talk about Gitsign?
F: Yeah, so this is a PR I worked on over the break, but it has some kind of interesting implications for other projects. So Gitsign, we have to deal with the interactive flow probably a lot more than Cosign, just because it's, like, part of everyone's daily development cycle. So we got a lot of feedback of, like, how can we make working with interactive flows and remote sessions easier? And so we came up with this idea of, basically, we have this credential cache that we use for caching Fulcio certificates for 10 minutes, so you don't have to keep going through the auth flow every single time. And what we did was we actually added the interactive flow to that, and because this is exposed as a socket, what you can actually do with this is now forward this over an SSH connection, so you can actually do an interactive flow over a remote session using your local browser. So that's really cool.

So we're going to add this to Gitsign, but this might also be useful for other tools, Cosign or any of the other language implementations as well, since it's just a socket. So if you're interested, please talk; I'm happy to, you know, talk more about, like, how we can, you know, make this more generic and expand it out if it's of interest. So let me know.
A: The timestamping authority. Meredith, do you want to give the update here?
E: Sure, yeah. So yesterday we released version 0.2.1 of the server, including just a few updates. There's also an update to the PKCS #7 library that the timestamp authority uses, I believe in release 0.2.0.
A: No, I think that's mostly it. We integrated the verification library into Cosign, and this will be one of the things we'll also talk about with the 2.0 release, but you can kind of play around with this now and try out timestamping if you've stood up a timestamping authority. So yeah, please take a look, play with the verification library, spin up a server. Let us know if you have any issues.
B: I can give a purely administrative one, which is that if you are interested in language clients and you're not already in the clients channel in Slack, you should be. And of note, right now we are going to break out a regular meeting, maybe every couple weeks or something like that, where folks from different language ecosystems can sync up and make sure...
A: Awesome. Asra, did you have anything to mention about the TUF roots?
D: The kind of preliminary, I guess, I'll just give people a heads up. There's a v6 milestone here that I can put into the doc. I created this this week to track the next root signing event that I'm hoping to target in, like, five weeks or something, so root key holders as well.

Just a heads up, I'll look at, we'll get scheduling that pretty soon this week. And what the main mission here is, is that it will include the targets that we have serialized to the trusted root protobuf that's defined in protobuf-specs. So this way, instead of collecting one target per instance of the tlog or Fulcio or CT, all that information is collected into a single file.

So you can grab that, unmarshal it, and use each of the components with a lot of metadata surrounding its usage. So that should hopefully be an improvement if clients want to test that out early. So yeah, that's the only update. Let me know if you want to take a look at that milestone for any issues.
A: Awesome, thanks Asra. Doc updates. Zach, do you want to mention architecture docs?
B: You'll sense a theme about how I've been spending my time. If you're interested in architecture docs, which is sort of us writing down some specifications for how everything works, join the architecture docs channel in Slack, and also we are currently scheduling a meeting for the new year for folks interested in architecture docs.
A: And the only other doc update I can think of, I know we're moving some of the documentation out of the Cosign repo into the docs repo, which is great, and I think we'll have some more doc updates that we need to do around Cosign 2.0, since the experimental flag will be removed.
A: Awesome. All right, going on to outreach and events. The first one that's worth bringing up is CloudNativeSecurityCon North America. It's coming up February 1st and 2nd in Seattle, and I think a number of folks from the Sigstore community will be there, and I wanted to give a shout out to a number of folks within the Sigstore community who got talks accepted, so congrats to everybody.

There are a lot of interesting talks in the supply chain track, so definitely check out more than just this list too. But I think this is a very solid list of folks from the Sigstore community giving talks on various things around...

Other outreach or events folks could think of coming up? I know we've got KubeCon Europe coming up in April, I believe. I don't know when the CFP is for that.
A: Cool. Blog posts, so we've got a couple blog posts that were written end of December that discussed a little bit about Sigstore, and we wanted to clarify some of the details and talk a bit about why Sigstore is designed the way it is. I think this is a really, really great blog post to take a look at, especially if you're new to Sigstore, and even if you're not, it talks about why a lot of parts of Sigstore are the way that they are. Let's take a look. I think there's some discussion in Slack too about it. Zach, I'm not sure if you had anything else you wanted to add there.
B: No. I think this post clears up why, in fact, it remains a good idea, and so I think that's been more or less settled over. Even the author of that original proposal, I think, has withdrawn the proposal, so I think that's pretty settled, which is nice. Also, I've heard feedback that some folks are hearing these things that are in this post for the first time in this blog post, which is an indication that we need to spend a little bit more time on our general docs.

So hopefully some of, and all of, that, I would be happy for people to crib and copy-paste into the docs in a way that made sense. Thank you.
A: And if you have any points where, you know, you're going over it and see this doesn't make sense, or I think we could be more detailed, feel free to file issues really anywhere. You can file them in the docs repo, you can file them in Cosign, we'll re-route them, or just come chat on Slack and we'll make sure an issue gets filed.
A: If you have any case studies, feel free to message Tracy, who's the normal chair of this meeting, or submit interest on the doc. Those will go into a blog post and then wind up in the roundups. I don't think there's any updates here. I think this might have been from last time, but we have an OpenSSF landscape page for Sigstore that talks about the projects and the various integrations and who's using Sigstore.
A: If you'd like to be included, I believe Tracy is the right person to message about that. I see nods, so yeah, I think Tracy about that. Cool, sweet. We're now on to the any other business section.
A: Is there anything else folks want to chat about?
A: Alrighty, well then, the last section here is reserved for introductions. So if you're new to the community and you wanted to say hi, feel free to drop your name in here or speak up now and just say hi, you know, who you work for if you'd like. Yeah.
A: Well, as always, if you'd like to come hang out, chat with us on Slack or hop on to one of the repos and chat with us on the issues.