From YouTube: Sigstore Community Meeting - May 16, 2023
A: Okay, let's get started. Hello and welcome everybody to today's Sigstore community meeting. We'll start as ever with the project round robin, then go into updates on outreach and events, and then cover any other business.
B: I'll just mention real briefly that that first vulnerability was in the OSS. At the OpenSSF Day there was a talk on fuzzing Rekor done by the, sort of, forgetting the name, but the person who found this bug, and they were actually able to do this by, you know, putting in pretty extensive fuzz tests for all the Rekor types. So, interesting talk; when the recordings are up I would definitely recommend you take a look at that.

B: And this bug, sort of, it was: somebody basically could have stuck a big, like, zip bomb in and tried to upload that into Rekor, and Rekor, during the course of signature verification, would have just, like, unpacked it and unpacked it and unpacked it and unpacked it, run out of memory and crashed, and you could have taken a Rekor instance down. So not the sort of vulnerability that leads to, like, you know, exfiltrated data or anything like that.

B: Remote code execution, but still enough that someone could have taken Rekor down at any point, so glad to have that fixed. So really cool to see those fuzzing efforts paying off.
A: Yeah, no, I hadn't heard that story. Yes, that's a great testimonial for fuzzing and, yeah, finding vulnerabilities. Awesome, thanks for that, Zach. And Fulcio, looks like we've got a 1.31 which includes a fix for the GitLab CI issuer.

A: Okay, any Cosign updates?

A: Okay, let's look at Gitsign, timestamping or root. I know Billy was at Open Source Summit North America, had some talks on Gitsign at cdCon and other events and, yeah, was generally having a lot of conversations around Gitsign, so we'll wait till he's back and he can share more on any outcomes from those conversations. Clients: Sigstore Java, Python, Rust, JavaScript, yeah.
B: I can take this one. Nothing terribly exciting to report other than the clients group, I think I may have mentioned this last call, is now piloting the semi-official special interest group structure inside the Sigstore community. What does this mean? Basically just we have meetings as before, they're on the Sigstore calendar, and there is, I guess, some kind of decision-making authority, largely so that we don't have to bug the TSC with, you know, kind of mundane technical questions that they'd have to get into.

B: So that group is a lot of fun if you are trying to write a Sigstore client in a new language, if you're interested in various applications of Sigstore clients, so like: how do you do verification for use case X? What does it look like in policy-controller? What does it look like in Cosign?

B: The way we've phrased it is that the SIG clients group doesn't really have authority over any of the individual clients, but is sort of like a central decision-making body for making sure we're on the same page, trying to make your lives easier as a client implementer. So swing by, there's a roadmap and there's a GitHub repo, and I will drop links to those; they're the same. The roadmap is in the readme, so I will drop a link to that now.

B: Yeah, and open to questions, but otherwise would love to see you at the meetings, which are, I think, every couple... you'll have to look at the repo for that.
A: Great, yeah, thanks for sharing that update.

C: Real update there is that we are doing, we have a burndown tracker for a 2.0 release, which includes API changes, most of them are, I think, wanted by the community, just in terms of visibility, yeah.

C: Then the other big thing that's part of that release will be a root past verification, so ratcheting down the proof of online inclusion, Griff's site light, so yeah, we don't have that currently scheduled just because Trail of Bits doesn't have... we...

C: ...used up our last series of contracts on Sigstore. However, we do have some continuous funding for policy development under Sigstore, so maybe we'll include some of that work under that budget.
C: Yeah, so we've been working with... so the German government has expressed an interest in using Sigstore for, or rather funding Sigstore for use in open source ecosystems, and so we have got, we gained some, we got some funding from that, basically to work on policy development for different ecosystems, so for example for PyPI, et cetera, in terms of how it's actually applying Sigstore bundles to meaningful... but it's meaningfully consuming things like bundles in these ecosystems, and so...

C: ...partially look like development, so Python standards development for consuming Sigstore, but it'll also probably look like coordination with the Sigstore clients interest group to make sure that these things can be reused across multiple ecosystems.

A: Awesome, yeah, no, that's really great news. Yeah, we'll look forward to the 2.0 release as things go down and you get through that list, and yeah, it's nice to see this funding announcement. I think I had seen there were some announcements last week; suddenly the JavaScript community got one for supply chain security and, yeah, the Python one, so yeah, but nice to see governments stepping in to support some of this critical work.
A: Any updates on the documentation front? There's no updates right now. We're gonna kick off with Patrick this month.

A: There were a lot of co-located events and relevant tracks. So there was an OpenSSF Day. There was cdCon, which featured a Gitsign talk; there's also a supply chain security track. Zach Steindler showed the awesome work that's been happening with Sigstore and npm, and there were a whole bunch of community talks and, yeah, overall, my impressions: it was pretty great. Sigstore featured prominently.
B: I mean, you've heard from me plenty today, but I'm happy to go.

B: It was a great conference, cool to get together some of the folks working on PyPI upstream. So William has been doing a great job in the Sigstore Python library; he's been coordinating a lot with Dustin Ingram, who's at the PSF and works on, sort of, the organizationally complicated, but basically the PyPI back end and especially security.

B: So having some interesting chats about how that's been going, talking, you know, hearing about npm efforts, trying to kind of unify and push out the message of Sigstore across other ecosystems. Interesting to hear that the Rust Foundation has hired basically a full-time, I'm forgetting the exact phrasing of the job title, but basically someone with security in mind full time, so hoping to see... well, there have been proposals for getting package signing on crates.io for a long, long time.

B: I would be really excited to see some of those moving forward, hopefully with some of those Sigstore things in mind. I will tease, I guess, a little bit: privacy concerns have been a big issue, so one of the great things about the way the npm deployment works is that the deployment authorization is tied to the repositories themselves and not, like, any, you know, identities that you have, your email address or whatever. Same with the recent PyPI Trusted Publishers. That's...

B: ...kind of repository scoped and not scoped to, you know, "Zach is allowed to sign this package." So there are proposals on the table for basically using Sigstore in order to sign, "Oh, I'm the maintainer of this package, my name is Zach and I would like to publish a release."

B: There are some sort of, you know, privacy worries, I think, you know, relatively, like, compared to certain other things you might do online, but still privacy worries associated with that, and so interested in exploring some of the ways we can...

B: ...we can kind of prevent some of those issues from popping up, and I think we have a couple of promising paths forward, and you'll be hearing more from me about some of those pretty shortly. So yeah, that, from my end, is kind of the big developments and discussions that have been happening. Nothing should be out of the blue to anyone who's been following along at home.
A: Yeah, thanks for that, and maybe the only other one I'll mention: like, Hayden and I were chatting as well, like at the last SigstoreCon.

A: There was talk of having a follow-up and maybe making it more contributor oriented and certainly doing a lot with client implementers. So there's definitely an appetite for that, but we haven't quite figured out what might be a good event to co-locate with, what part of the world to do it in, what sort of timing.

A: So we were kind of just comparing notes on events people were going to, but yeah, nothing has really stood out yet, but if anyone's interested in helping push the conversation along or has some specific ideas, yeah, do let myself know, and yes, I was talking about that with Hayden and a couple of other folks.

A: Yes, we'll keep a lookout for the videos and I think they'll be, like, yeah, pretty much a treasure trove of stuff we can share in the community, and I don't know that we have any other events coming up. I believe the call for papers for Open Source Summit Europe, which is in Bilbao in maybe September or October, that's closed now, so just waiting to see which, if any, talks got accepted. Blog posts.

A: I think we've got a case study that we want to get out on Thursday. This has been sitting around for a while, but we've just been waiting with the folks who helped write it so we could coordinate a little bit of promotion, and yeah, just get the TSC to finalize the approvals. I think I haven't already followed up on the blog post pipeline, but if anyone's got one or wants some pointers on writing one, do feel free to reach out. Okay, on to any other business.
D: Yeah, hi, I'm Marcella. This is my first time joining. I'm at Intel, I'm a research scientist there. I've been moderately, sort of, lurking for the past year, but trying to become a little more involved, so yeah, I'm glad I could join today.

A: Awesome, yeah, very welcome, and thanks for saying hi, and yeah, just do feel free to make this community your own, and let us know if there's any specific types of things you'd like to see. This week we're kind of contributor focused; the community office... sorry, the office hours next week is definitely focused more on demos and ways people are integrating and using Sigstore, so I think welcome to keep coming along.

B: Yeah, yeah, no, and it's been exciting to watch where that's gone. That's really taken off in the past couple of years, and a lot of those techniques are gonna, I think, apply to some of what we're interested in over here as well.

A: Awesome, great. Anyone else making intros?