From YouTube: Sigstore community meeting - March 23, 2021
Description
No description was provided for this meeting.
A: So, did somebody just let somebody in? I just wanted to check others can do it as well. Brilliant, okay, that's good. Okay, so yeah. So there is a YouTube channel. There's a community calendar. Okay. Previously, I think we were using my personal calendar, whereas this one allows us to automate things, I believe, to a degree, and we can also... anybody that's part of the mailing list can access that calendar, and then there's a bit of tie-in as well to our docs.
B: Sure. My calendar was rapidly filling up with meetings that made me sad, so I was trying to block out a couple hours to get some work done on sigstore, and I decided, why not just invite anybody else that wants to come hack on stuff at the same time. So that's why there wasn't much planning or organization; it'll be pretty casual. There's this breakout rooms feature in Google Meet that we could try if it gets too big.

B: If you click the little triangle-square-circle, you can see that... I've never actually clicked that button before, so I don't know what'll happen, but hopefully we can try that out later. If people want to work on a couple different things, we can answer questions, help people get some PRs sent in if they want, whatever people want, so that'll be open-ended and fun. Hopefully.
A: I guess folks in Europe as well, so that'll be in the morning. Okay, let me come back to... so, help needed: add an issue/PR template to kickstart, used as an issue template with mentorship opportunities. Mark, you had a proposal merged, didn't you, and you were going to kick off some stuff? Yeah.
C: For, like, how you could structure kanban boards just to organize incoming tasks, and in addition, initially, some automation that could make that a little bit easier. I proposed three different automation actions that the community could use: some of them help with pull requests, some of them help with just organizing issues, and yeah. It's really up to the community which ones they want to support, or that the community wants to use.
A: Awesome. And something else I think we mentioned last week, and I didn't manage to get down, was there's a site called goodfirstissues.com, or maybe it's a repository that renders a site. Yeah. So.

A: Can anybody remember? Let me see if I can google it quickly. I think I mentioned it: Up For Grabs, that's it, yeah, yeah! So.

A: They make sure your project sort of is active and has more than one person, I guess. I don't even know if that's a criterion, but they'll check you over, and if they think you're suitable for the program, which you're very likely to be, they'll merge, and then their website will aggregate in the good-first-issue label for people to search and find stuff to work on. Great, okay.
A: So that's help needed. Okay, project round robin, so for this one it's really if anybody has anything that they wanted to raise with an audience, just to get more opinions and views on any particular thing that they have going on. So, let's see, Fulcio.

A: Let me think what I've been up to Fulcio-wise. So we discussed the refactor briefly, didn't we, client-side stuff. So I started working on that. So originally we had client tooling and server tooling in the same repository, and we're going to look to just migrate some of the client stuff out and just start to refactor things there, because, you know, it's all worked out very well. We sort of prototyped with Fulcio, but now things are starting to settle.

A: We can start to refactor and set code into the relevant projects.
B: Yes, this isn't directly Fulcio, but it's related, which is just figuring out our kind of tough root key protection model for the Fulcio root cert and all the other root certs, because we have them for the Fulcio root cert and all of our other root keys, because we have keys flying around for pretty much all of these projects. Marina and Santiago have been helping out with coming up with that plan. Right now, it's not great.
F: Yeah, I just looked briefly over what you put. I think I had a couple ideas about using threshold signatures with some compromise, New Zealand, so that we have, like, multiple different people signing these root keys for each of the projects, so that, you know, if any one key gets lost or compromised, we still have... like, the whole project doesn't have to redo that trust. Yeah. So I think it's just a matter of getting the details of that plan in place, figuring out when to do the ceremony, that kind of thing.

A: And the key holders are going to be Dan, Bob, myself, Santiago and Marina. So we've got a sort of multi-vendor and academic mix. Nice mix of folks there.

A: Great, okay, so Fulcio, any other?
D: Yeah, well, I was thinking, talking with Dan about splitting it out, splitting out the wrapper, so we could support TUF types and in-toto types and then figure out the internals later, but I think that may be relevant for this, like TUF support within Fulcio.

D: I don't know how these two things would tie in together, but I wonder if that's something we would like to pick up, and I don't know, maybe Marina, you're interested in splitting that logic out of my branch and...
F: Yeah, I'd have to look at that. I don't know if it makes more sense to do it all as one piece with all the different types, or for me to separate out the TUF metadata pieces, but I can do either of those things.
D: Yeah, so my impression is that maybe we can split up the Metablock type, as it sounds like, because that's the thing that we share, and then we figure out the internal TUF bits and the internal in-toto pieces as, like, separate tasks, just so that we can start sketching things more easily and we can submit signed metadata regardless of what it is.

D: And she's working on the policy slash supply chain intelligence part, so that'll be tied into the monitor work, but I think we would want to probably pay attention to that so we can build that story.
D: Amanda's working on the monitor with me. I'm multitasking, but we are essentially setting up the early, like, full audit code, which is essentially what we're trying to do as the first approach. This will be a Kubernetes cluster on the Purdue infrastructure that will be mirroring and doing a full audit over the Rekor log. The goal is to also expose this for, like, more elaborate supply chain intelligence work, so that we could do, for example, a more generalized jurisdiction analysis, something like Dan was doing with his examples, which is...

D: It doesn't have to be, like, only the things that we say, but rather something that you could stick in a container or use common interfaces and then start answering your own, like, supply chain questions. And the other one is to actually provide people with a hosted service in which they can just say, like, hey, send me an email when you see this key.

D: It is a separate repo, but we're using a lot of the, like, shared code just to help us do all the heavy lifting. We actually started this with some undergraduate students at Purdue. We started pretty much copying the Rekor CLI and, like, cutting out whatever we thought maybe not necessary for the mirroring agent. It's still very, very early stages, but you can take a look at it on this repo.

D: Doing... most of my students, it's the first time they touch, like, cloud-native technology, so they're, like, learning Ansible, learning Kubernetes.
A: So I guess, not to discuss in depth now, but you're all aware of this Thursday: there's a big OpenSSL high issue that's going to come out of embargo. We're not really in production here, you know, we kind of... we have plenty of warnings and caveats, but we might have to patch code, possibly, who knows, you know, who really knows? I had a meeting with Mark Cox this morning. He just cancelled, he can't come, so I think he's sort of... he's on the OpenSSL gb and one of their...

A: Yeah, so there's gonna be a lot of people in the late night on Thursday. Yeah, right. Let me... I'm back on track, so I'll show.
B: You guys, cosign, right there, yeah. Before we jump on, I'm trying to think of where we might be using OpenSSL. I think the only spot I can think of is our, you know, nginx termination ingress thing, so I'll be ready to... yeah. Anywhere else, I can't think of. The Go stuff all uses its own stack; we don't use OpenSSL.

A: Good, okay, yeah, so cosign.
B: Yeah, lots of fun. Cosign: we got our first release out last week. The main purpose of that was just to have a tool we can use to start signing other stuff. I tried to be as careful as possible to sign this release and everything with, like, itself and everything, knowing that we'd get complaints if we weren't signing our own tooling. I thought we did a pretty good job. We did get some complaints, which I knew we were going to get anyway.

B: "Why aren't you putting this in the transparency log and using your CAs and everything like that?" But it's better than most stuff and we'll improve as we go forward. We really just needed a tool to start signing other stuff with for the next set of releases, so it's in good shape now. I've been working on GitHub Actions and containers and stuff like that that we're publishing and signing, and just getting us some infrastructure that we can use to start spamming the rest of our stuff.
E: Just like, I don't work at Google, so anyway, yeah. I'm right now looking at the command-line UX, planning to add some examples into the help messages and polish some of the, you know, mutually exclusive flags and stuff like that. Pre actually has provided some PRs on those, so thanks for that.
A: So, one thing you might have seen, then, I think I put it into the maintainers channel: I cleaned up all the OIDC code and I've got that key code where you can just pass in the algorithm and stuff like that. So I plan to put that into the kitchen sink. The kitchen sink, if anybody doesn't know, that's sigstore/sigstore. So that's the sort of signing client that kind of is, you know, a bag of all tricks.

A: So to say, and if you wanted to, I can make the pull request into cosign. You can pull that in and then you can remove all that boilerplate stuff. "Then that's useful! Okay! I'll do that." Great. Let me see. I've got a couple of noisy dogs in the background, so you might hear snorts and clicky paws.

A: It's not me, right, yeah. Ruby plugin! We've got somebody, he's not made the meeting today, but Eduardo is starting to work on the RubyGems plugin, okay, and he's somebody that's worked in the Ruby and Rails community for quite some time and he's doing stuff around security DevOps, so he's gonna take that on, which is good, because I started to look at it and I got somewhere, but I really don't know what I'm doing there.

A: To be honest, it's, you know, it's very... like a lot of the libraries, you find libraries and they've not had a, you know, the last commit was merged nine years ago and stuff like that. So it's a funny one. Might as well... I don't know if I put it on there, but Bob, oh yeah, we have the Maven plugin.
C: Yeah, in the same vein as the RubyGems work, wanted to have a hook where you had a POM file for building something in Java, that we could actually just have a task in that POM to essentially follow the same.

C: Got that mocked up, seems to work as best I can tell. Jar center claims that everything is happy, so I'll be publishing that to a repo in the community. It certainly needs a little bit of work. My Java is pretty rusty, but it seems functional.
D: Speaking of which, we have an in-toto plugin, and I wonder if we can also play with those two things, see if we could add a... because the in-toto plugin actually has a portable transport system, so we could just add an injector, like whatever is happening on this build, and then submit it to Rekor.

C: Yeah, I'll ping you, Santiago, when I push that up. Then at least we can maybe spin off a thread and start looking at that.
A: And that's actually a good point. I've been thinking about how we're going to start to approach PyPI, so it'd be interesting to get your thoughts there, Santiago. And I've also started to do some due diligence on crates as well, look at how we can work there. Yeah, I don't know a great deal yet; I'm just reading their sort of backlog of "we need to sign things" threads, so. But any thoughts on PyPI? I had some people...
D: Spoken terms, you guys, surprisingly great person to talk about it: she's working on the TUF integration for PyPI, and I think that the whole thing could tie in very well, in that they could publish their root keys into sigstore and maybe even the root metadata into Rekor. And yeah. Oh, let me bring that... you're the one that knows better.
F: Yeah, so they're currently in the process of implementing what's called PEP 458. So the PEPs are, like, the augmentations to basically anything in Python, but in this case to Warehouse, kind of the distribution piece, so that one's in process. We also have a PEP 480, which does, like, a more advanced TUF model that actually allows for end-to-end signing and not just signing by PyPI of images, and I think that might be a really great place to either include this integration there or add it as an extension to that.

F: But I think that there's definitely a good tie-in. I know Joshua recently posted on there about allowing for using Fulcio keys in PEP 480, and so maybe we can do more extension there. I can...
D: Yeah, it is actually interesting because, on the discussions for 458, there was a lot of talk about using transparency logs, so I think that they will probably be very receptive to the idea of using sigstore, both Rekor and Fulcio, with existing TUF infrastructure.
B: ...to have a really long blog post. I should try to link to it. It says "why PyPI doesn't allow signing" or something like that, and it outlines all the problems with signing, and that was one of the blog posts that helped motivate all the stuff to Rekor and sigstore. It was, what if we fix all of these problems? So if we come back and say, "we fixed your blog post now, will you start allowing signing?", I think it'd be a pretty funny story.
D: I see they need to have the sponsor inside of the Python community, which I think now... I forgot who it is, but anyway, the seed is already planted, in a sense that there's the interest. There's more of a work that needs to be done to build consensus around the community, to allocate resources, to identify how we can actually get there in a way that the whole community is happy with. I...
F: ...think is that there's actually, there's currently some fun... The Python Software Foundation actually currently has some funding for secure distribution through a grant that they have. So this is kind of good timing. If we can get more of this into that same grant, then, you know, it might actually get done faster. So.
D: So what I think, and this is my personal opinion, what I think would be ideal is we could try to nail down the story as we have it with TUF and sigstore, because I think the delta would be also very minimal. Thinking of, like, we think of the system, you already have the TUF bits living in your repos.

D: The way I... so I think that, yeah, like going back to the action point on Fulcio.

D: Cosign, I think it was. We could start, like, having a story that we can also share with them and say, like, hey, by the way, you could be, like, patient zero of this, like, super cool twin signing story.

D: I think Marina is the... like, she's on top of all of what's happening in that department. I'm sorry I keep on bringing you up, but I really think...
F: I'd happen to be a point person there. I think that it would be nice to maybe map it out a little bit more and see if it makes more sense to include this into the PEP 480, which is mostly in place and kind of in the process of being approved, or, if it becomes, like, a bigger delta, then maybe it makes sense to open a new one and, you know, go through the Python approval process separately. So.

F: We can start in Google Docs and then, as it gets mapped out, we can convert that to a PR onto the... so, sounds...
D: Wanted to get in on the notes that we had some early talks with the crates people when they were signing their first prototype. So I'll do that, I'll look up those notes, and maybe they're interested in joining. I think you have probably already spoken with them. Tony or Sherry is one of them, but I can take that as an action point and maybe invite them to a community...

A: Yeah, great, yeah, yeah, yeah, of course, yeah. So if one of them comes on, we can sort of... any sort of project comes on, we can make the agenda useful to them. Fantastic, okay. Last of all, I don't know who's taking minutes, but you're a rock star. It's really good, just everything's being captured there. "Well, that is me." Awesome, great stuff. Okay, everybody, good to see you, and don't forget the open office event that Dan put together, open office hours, not Open Office. Open Office is the... that's the software.