From YouTube: Sigstore Community Meeting - August 8, 2023
A
All right, well, hello everyone. Welcome to today's community meeting. As always, if you'd like to, please sign in on the community meeting notes and add any project updates or any other business that you'd like to discuss, and at the end we'll have a chance for introductions, if there's anyone new to the community that would like to say hi. This might be a short meeting today.
A
I don't see a lot of updates on the agenda, so I think, just to kind of kick things off, for the services and for Cosign, I think the only update that might be relevant would be an update to the Buildkite integration for Fulcio. This was onboarded a little while ago, before some of the work had been done to standardize the claims for CI platforms like GitHub or GitLab, so Buildkite is actively adding a few more extensions that come from their identity tokens, so that should be very useful.
A
It'll align it nicely with some of the other CI platforms. Also, I don't believe there were any updates for Rekor. Were there any updates for Cosign anybody was aware of? Hector, was there anything you wanted to talk about for Cosign?
A
Alrighty, well then, we'll move right along. Do we have anybody working on clients right now who wanted to provide any updates?
A
Doesn't look like it. I'll give two quick updates, then, from recent memory. Sigstore's Rust client, I think, is actively working on a 1.0 release. They're talking a bit about what are the requirements for a 1.0 release, so you can check out the issue there. I can link that in the community notes shortly. And then Sigstore Python, I believe, has a release candidate for a 2.0 release, which I think is focused on improvements to the API surface for the clients.
A
There's also been some work done in the Sigstore bundle repository around generating a release for Rust and then also a JSON schema specification of the bundle format. So if you don't want to use protobuf, you can use JSON instead. That, I think, is mostly stable. I think we're ironing out a few bugs in that, but that should be good to use very shortly.
A
Alrighty, moving right along then: infrastructure. Paul, were there any updates that you had?
A
Alrighty, well then, we'll just keep going. Docs.
A
I don't see Patrick or Lisa, so I'm not sure there's any updates there. Then the only one that I'm aware of is their.
A
They are currently working on figuring out how to re-platform the docs onto Hugo. One thing you might notice is, if you go to docs.dev, it's going to remain static and it's not going to pick up updates, so right now our recommendation is, if you need to access the documentation, do so in Incognito. We're aware of this caching issue, and re-platforming onto Hugo will hopefully resolve that caching issue. That'll be coming soon.
C
That is the rear, like the re-info architecting of this site, which I think a few of us wanted to just, you know, check out locally and make sure everything looks good, and then once that gets merged in, the re-platform piece will start working. We'll work on that, but he has a lot, like he has a preview available, so he tested it. It's just a matter of bringing in those new changes.
A
That's really great to hear. I'm really excited to see that land. I know that the caching's been a sticking point for everybody. So.
A
Awesome, are there any other project updates anybody wanted to shout out pasta.
A
Alrighty, continuing on: outreach and events. I didn't have anything new to call out. The two that we talked about last time were the cat Summit for transparency and PackagingCon. PackagingCon submissions just closed yesterday. I know that the OpenSSF working group for package repositories, I believe, submitted a talk.
A
All righty, well, we don't have any other business written on the agenda right now, so I'll wait one minute to see if anybody has anything they want to chat about.
B
Hayden, I have a question about go-tuf and what is the progress, how we're going to solve the.
B
A real Russian, so yeah, what wanted to hear a bit more.
A
The root cause is that we had originally generated a root with a non-compliant key format. So the TUF spec defines that keys should be specified in a PEM format. These were specified as hex-encoded keys.
A
This was updated, but it was done in such a way that we tried to make it backwards compatible. Now, concurrently, another change was made where we also switched another non-compliant string that specified when a key is of the ECDSA signing algorithm to a different string that specifies the same thing. That was not applied to this fix for these hex-encoded keys. So when that update was applied, basically loading in our TUF root failed because it wasn't able to find a verifier to verify these hex-encoded keys.
A
The fix is, there's two things we can do and we're going to do both of them. One is go-tuf has a patch out, or has a PR out, and it's going to cut a patch very soon with a fix, so for this backwards-compatible verifier, it will load in both the non-compliant and compliant ECDSA string. The other fix is that we're going to go update our embedded targets and root metadata for Sigstore clients for Go.
A
We should do the same for the other clients, but that's not as pressing because go-tuf was the only thing that was non-compliant, so we're going to do both of these. We'll cut a new release for Sigstore and then, with go-tuf also cutting a new release, that should fully mitigate the issue.
A
Thanks for asking about that. Were there any other questions?
B
My airports are not connected, so I want to mention a couple officials that I'd like to discuss or hopefully make progress on, so I could add them to the, with, I'll paste them here.
B
So if you are interested, maybe look at this issue and comment or ping me. And another one is for the time authority. So this one, I'd like to modify kind of the.
B
Health check, so we kind of figure out the conceptual solution, but if you know how it works, like all this generate, code generation and so on, I'd love to have some help with this.
A
So let's tag him on that. I definitely think making some progress would be good on it, though one thing to just be aware of is we definitely want to not have too many ways of providing roots without starting to fix things up, so we can follow up on that. And let's chat more offline about the timestamping one. I think we had talked a little bit about some proposals for this. I think your suggestions sounded good.
A
Awesome
was
there
anything
else
anybody
wanted
to
chat
about.