From YouTube: Sigstore Community Meeting - May 24, 2022
B: I have one comment: the tests now should be able to run in a networkless environment. The network-full tests are opt-in.

C: Nothing major. I added an issue for an API where we're able to fetch the full Fulcio configuration programmatically. So this would be useful for clients to be able to discover what issuers are supported by the Fulcio instance without going to read configuration code. So that's there; feel free to chime in if there's any comments on it.

D: I don't know if anybody else has anything, but the policy controller. Oh, this is a bigger issue than this: policy controller got renamed from cosigned in the repo to policy-controller. It's a breaking Go API change. I think also, if you have the YAML files, you'll need to rename them, rename the API group, and the globs now support star-star globs, which, aside from making Markdown think everything is bold, also matches multiple path elements.

D: When you specify an image in a repo, you can do star-star to get all of those. Let me know if anything breaks as a result of that, because double-star globbing is not really specified anywhere. So.

E: Yeah, I could, I can figure something, so I put my hand up.

E: Yeah, okay, so is it useful that group, do you? Are you planning on heading there on Thursday, Jason, or others?

D: Surfaced, but then the Fulcio, like other larger Fulcio fires happened. So I stopped doing that. Cool, but I'll get back to it.

A: Okay, moving on to, oh, hang on. I'll move on, but just let me know if you want to bring that up. Hayden, gitsign.

G: Here, maybe. Can you hear me now? Yeah, so better. Just the API version was bumped up to v1beta1, I think, and some other just basic work there for cosign too, but I think we were hoping to see when we could cut a release this week for cosign, or cosigned, with all the latest changes.

D: So we also wanted to move the now-named policy controller out into its own repo. Do you want to do that before we cut that or after we cut that? It's sort of how many breakages do you want.

G: Yeah, VMware prefers to move it after we cut it, because once we move it now, then we have to do this whole big process to import it to VMware and test it again or whatever. But that's, it's a selfish ask, so I hate to make that ask, but that would be our preference, if nobody else has one.

J: Okay, yeah, I would highly advocate for putting in the TUF change. I have the actual change done, but I'm still working on getting all the tests done. Like, as I guess we'll talk about it more in the TUF post-mortem, but it doesn't fetch any updated targets ever, so we definitely need that fixed.

C: And the statement, I just need to get back to it. I'll try to get that wrapped up today. Just need to respond to comments.

A: Okay, just a quick note for folks who might be new joining us. You'll have a chance to introduce yourself at the end. If you do want access to the doc, you do need to join the sigstore-dev mailing list. I'll drop in a link so you can do that and get access.

A: Okay, in the meantime, gitsign.

K: Yeah, I could take this. So not too much to update with KubeCon, but I just want to point out 244 stars, so thank you, everyone, for the support. And top of mind, so this is some of the feedback I was seeing on Twitter. It was no surprise to us when we initially released it: the TTY support, so being able to use it like within SSH sessions.

K: Stuff like that, and then also key caching for rebasing, stuff like that, are definitely top of mind, and those will probably be the things that we focus on next.

H: So there's one discussion: maybe we could, maybe not, at the wrong or right time, about RFC 3161 timestamps and Git. Nobody likes them, but as far as I know, they're required just by Git. Is there any way around that?

K: I actually, I don't know if it's necessary. It's extra metadata that we can add, but I don't know, I don't think it is 100% necessary. Like we could just do the cert-based and only that and still show up as verified.

K: I, we probably need to loop in someone from GitHub to know for certain. I don't know off the top; that's probably something specific to the implementation. I know that the GitHub S/MIME sign tool has support for timestamp authorities, but I also believe that is not enabled by default and it still works, I believe. So we might be able to get away without it, I think.

A: Okay, I see something on TUF, the root signing.

J: Yeah, so Hayden very kindly did a lot of work around handling some root signing issues and also starting this post-mortem that's linked over here, and it's shared externally. So you can go ahead and read it, and we put together a bunch of AIs that we want to make sure are done before our next root signing, and also just, yeah, so including things, including fixes and mitigations and process improvements around the root signing.

J: So in addition to that, it also means that we have to go and actually rotate out our old key holder, Luke, and introduce Joshua, the new key holder, since because of this issue we did not do that. And so please take a look at the AIs and, if you're interested in helping any of the unassigned ones out, feel free to add a comment. Otherwise Kate and I will probably go in through and address some of the unassigned ones later on between us, and yeah.

J: Leave any comments here. If there are any more details that are not in this post-mortem that you want, again feel free to add some comments over there and we can take a look over there. Anything else, Hayden?

C: I'll just mention, if you're not familiar with the post-mortem process generally, the goal of it is to spend some time reflecting on things that didn't go well during the process, but also things that did go well, places where we got lucky, and then coming up with action items to address all of those points where things didn't go well. So that's what you see here. Priorities are a little iffy here.

C: It's tough because P0s typically means something that you immediately need to handle, but we define P0s as something that needs to happen before the next root signing event, so I have more confidence in it.

J: Yeah, just to finalize things, I guess, even though the root signing didn't go quite as planned for v3, I'm very grateful that we have this post-mortem process, because there are a lot of bugs in here that we totally did not realize unless we had done that root signing. So overall, hopefully this will prevent similar issues by us improving the testing and process.

J: Okay, yeah, that's a good question. So our current root that we signed like two weeks ago or something is valid until November, so technically the root won't expire until then. But ideally we should do the next root signing before GA, or whenever we want to call for something like that, because most of these AIs are quite needed before we actually guarantee that we'd be able to survive a compromise.

A: I'd like to speak to this. So we had our weekly meeting and Bob mentioned that the TAC is going to provide official meaning of what we want GA for Sigstore to mean, and that will mostly cover the SLOs and what type of guarantees and what type of support and on-call that we will provide. We also reviewed the SLO doc that I've linked here, and we're hoping to provide a 24/7 on-call rotation. That is still going to be worked out, how that would look like, by the TAC. We're in the process of migrating the production environment to an automated framework, and that is blocked on needing more additional testing. Bob, do you want to talk to, like, that is just to confirm: the timeline is to get the official meaning of GA from the TAC this week. Is that correct? That's what.

H: On vacation, so we're going to try to get it done as soon as possible, but yeah, I think that's the intent.

E: Yeah, so the TAC's Thursday. Dan, you go away on Wednesday. Do we need to bring it forward?

I: And I just want to mention that, while last week we mentioned that we are aiming for a GA date of the week of June 21st, since the operations side is still up in the air, and we want that in place before GA, we might be pushing out the GA date. I think this is up to what the TAC decides on how that is handled. So I guess after this week, hopefully the TAC will have a bit more clarity on what's an appropriate GA date.

A: Okay, yeah, now that's a good update to have, and yeah, look forward to understanding what that date is. We had mentioned at the meeting last week we're gonna kick off just gathering the PR folks and reaching out for quotes. I do think this is still worth doing given.

A: I think our current SLO is like it's best effort. It should be mostly available, but there's no strong guarantees.

C: I would not recommend anybody feel closed at this moment, because we don't have an SLO that guarantees full coverage. You know, we've tested most of it, but you know, ultimately, if there is some sort of outage after working hours, there's no guarantee that it'd be responded to.

A: Anything else on Sigstore GA? Okay. I look forward to hearing the outcome of the TAC call. Okay, so moving on to outreach and events. I threw in a little header for KubeCon. I know there was a Sigstore booth. I wasn't attending, but certainly from social media it looked like a lot of activity.

E: But when you got into the booth, there was quite a lot of coverage. Yeah.

A: Nice, yeah, and thanks, Luke, for spearheading the effort, and Red Hat on running the booth.

A: I will say that the next date for KubeCon in North America, I think it's been extended to the third of June, but maybe we can fix the presence of Sigstore talks and have some very specific talks about using Sigstore and how people can adopt it. So again, highly encourage folks here to submit talks for KubeCon North America, and let's keep the Sigstore presence going.

E: Closed for talks, but you know they'll be the open. OpenSSF will be there, so when I hear from them I'll try and update if we're doing anything with the OpenSSF as well.

M: Oh yeah, sorry, I should have put my name. So I've heard a lot of folks sort of ask questions. There's a lot of questions and sort of uncertainty around Sigstore and privacy, and there are a number of reasons one might be concerned. You know, by default we're basically pushing everyone's email addresses into the Fulcio log in those certificates. You know, there's a number of other things, and I just wanted to kind of explore.

M: You know, the problem, right, like what might not be privacy-respecting, depending on what you care about in Sigstore, and what might we do about it. And I tried to divide that between things that are possible right now, you know, sort of workarounds or things like that, things that are sort of on the near-term horizon that we have.

M: You know, we know how to do, and there's been some amount of interest in, and if, you know, there's a strong interest, we'll probably get these things done, and then some more, I guess, experimental or speculative work as well. I wrote this up largely just to sort of have something to hand to folks when they, you know, raise these concerns and say, hey, you know, this is something we're thinking about.

M: You have some options right now, and in the longer term, hopefully, you'll have more. But I shared this out last week in the Slack. I got some great feedback, especially from Hayden, so thank you very much. But I think this might be a fun thing, you know, just to throw up on the Sigstore blog, and I'm pretty explicit in there that it's not, you know, binding.

L: Love. I'll.

M: Send it out in the Slack again. Would love feedback there, you know, through the end of the week, and then, if reception is positive, we can talk about putting that out somewhere public to point you.

A: Thank you, Zack. I'm looking forward to reading that as well, and I highly encourage especially folks who are kind of new and learning about Sigstore to take a look as well and see if that makes sense, or if there's sort of unanswered questions around privacy and Sigstore, do highlight that, because I think this is a strong area. We should be able to communicate very clearly to all the folks who want to use Sigstore.

M: Again, to be clear about the epistemic status here, this is sort of a brain dump. You know, what came to mind when I sat down at an empty Google Doc and thought about, you know, privacy and Sigstore. So it's not comprehensive. I would love, you know, your additions, both to sort of privacy concerns and to things we can do about it.

A: Okay, it doesn't sound like there's any questions, so thanks, Zack, and demo time. Okay, so we have Billy's going to give us the latest on the gitsign and GitHub app demo. So I'll stop sharing my screen and, Billy, you can take over.

K: Cool, yeah. So for gitsign, one of sort of the common pieces of feedback we've heard a lot is, like, you know, GitHub and GitLab have these verified badges, and you know when I use the gitsign keyless signatures, they don't show up as verified. And we sort of documented some of the steps, like, oh, this is what we needed to make these verified, but they're largely changes that would need to be done on the GitHub and GitLab side.

K: So we don't really have that much control over that. There have been some discussions, some informal discussions kicked off, I've heard, and we'll keep working towards, like, sort of a partnership with, you know, source provider platforms. But in the meantime, you know, what we were thinking about is, like, okay, what can we do in the short term?

K: And so this is something that we've been playing around with internally at Chainguard, but it is something that's sort of just broadly useful, and like just sort of generating ideas of, like, how can we use gitsign to sort of enforce smarter policies for code review and sort of tying these identity bits together. So it's a quick demo. So this is just the sample repo.

K: So this is unsigned commits, and basically what's happening behind the scenes is there's a GitHub app that's looking for new pull requests, and when it sees this it's going to see, like, oh hey, you didn't sign your commits, you know, so we're just going to throw an error.

K: You know, these links don't actually go anywhere right now, but you know you can imagine, like, hey, go sign your commits, this is how you do it, stuff like that. And what we can do now is, if we enable signing, so in my git config there's, basically, gitsign is already set up, so we can just go ahead and git commit, and the message doesn't really matter, but this will be a signed commit, so we'll go through the gitsign flow, sign the commit.

K: You can see, oh hey, it's unverified, but now there's this new check, right. So we have this GitHub app checking, oh hey, you know, we saw there was a successful git commit signature. And because it's a GitHub app, the data that maps are a little bit different than traditional OAuth GitHub apps or GitHub integrations (they're not really called apps), and so we can actually display Markdown here, and so what we can show here is, like, oh hey, we checked these things, so like we were able to find the signature, we parsed it.

K: We found it in Rekor. Here's the certificate that was used, and then here's the corresponding Rekor entry that was here as well. So again, this is just something we've been playing around with. We've been using it internally with success.

K: It's just sort of one idea that we've been playing around with of, like, you know, how do we start enforcing policy, one just for signatures, but then also we've been thinking about ideas for, like, you know, how do we tie, like one of the things we can do here is: can we tie GitHub identity to pull requests? So does the signature that's on the commit match the user that's sort of making the pull request as well? That's not implemented here, but it's like sort of ideas of, you know.

K: What are the things that we can do next, and, you know, other things related to that. So that's all I have, pretty quick demo, but happy to take any questions.

L: Yeah, sure, just a small point, at least when you're in the context of Git. I might, this is a very small thing, because I think this is cool. So when you say signed, may I suggest you say digitally signed or cryptographically signed, in the world of Git signed means you add and are signing a DCO with Signed-off-by, and you know so.

K: Yeah, I don't know yet. I'm supportive of it, but yeah, I mean, again, this is just something that we've been playing around in terms of.

F: Yeah, so something, David, something that spins off from David's question is the digital signature. Is it attached to the author or the committer?

K: Oh, I believe that's how Git works. So the signature is using the same mechanism that you'd use for normal digital signatures for Git. It's just replacing the signing tool that's being invoked by Git, so whatever identity is sort of local to that committer at that time is the one that's going to be used.

F: Maybe something we could do, because one of my very low on my list of nitpicks these days is to refer to signing as authorial attestation, and this is committer attestation.

K: Yeah, so part of the problem with, like, author signatures is that, like, rebasing is a feature where you're effectively impersonating other users, and that is viewed as a feature within Git, and it's really only the committer that's sort of saying, like, oh, I'm applying this to this branch, into this history.

F: Yeah, that's a good point. There's another thing I hadn't thought about. For people who are from beloved cults like myself, where pair programming is done all day, that's definitely going to be a question that comes up as well: can two people attach, can you attach both authorial and committer attestations?

K: With this mechanism, no, but one of the other things we want to start playing around with is, like, can we also digitally sign, like, git notes or other sort of special refs on top of that, and that would be a place where we can sort of put other attestations onto commits, though they wouldn't be on the commit itself, right. So you'd have like one signature embedded in the commit.

K: That would be, like, okay, who committed this to the repository, and then everything else would be sort of shoved into a special ref. Either we could use git notes to start, or we can even look into putting it into, like, a different ref space if we wanted to.

B: So, in order to get the GitHub verified badge to green right now, I guess you'd have to plug a public key in. Is it just fundamentally impossible to do that with this kind of signing method? Because, you know, this would probably break other things, like, sure, I git log with show-signature and then, like, adding the public key to my store will then show okay, this person has signed this, whereas if I have to go check Rekor for individual commits, that'll be a bit.

K: Funny. So for gitsign, because it plugs into the Git tool itself, like it follows the same interface, git log will work out of the box because it will invoke the verify method for that. The changes that need to be made for the green verified badge need to be made by GitHub, and so there's two main reasons right now why it doesn't show up as verified.

K: One is because GitHub relies on the Debian CA certificate bundle, which is a mirror of what Mozilla uses, and the Sigstore root is not part of that today.

K: So that's one reason. If we did that, they would start showing up green, but only for 10 minutes, basically for the lifetime of certificates, and so the next step that they would need to do is basically start checking Rekor, to basically do the same thing that, like, cosign and gitsign do of, like, okay, signature checks out, plus it's evident, it's present in the transparency log.

B: So one more question, slightly less related to the demo but still on the topic of this signing tool, I guess: does this pose any additional benefits compared to, like, so Dan had a Medium article that mentioned how, if you compromise someone's GitHub account, you can just replace the public keys.

B: So if you don't have, like, a web of trust, you know, posting a public key elsewhere, just having it in GitHub isn't much of a protection. So if you were to use this and just OAuth with GitHub, would that be the exact same problem, or is there a way to enforce multiple OAuth providers at the same time, that kind of thing?

C: Don't trust these commits, and then once you have control of your account again, you can trust it again. You could.

C: Sign with different OIDC providers, and that might give you some other guarantee, but I think that's kind of the thing in general with the Rekor transparency log is you will have compromised signatures there, but the only tool you have against that is to write policy that says don't trust during these compromise periods, and this is a time when I know my account was compromised, basically.

B: Okay, and if GitHub was modified to make the badge go from yellow to green, would it need some additional work to review those policies and then maybe mark as yellow or red, or something, based on that?

K: Yeah, that's actually a really good point. Yeah, I haven't had any personal conversation with GitHub yet. I know other people have had informal conversations with friends at GitHub, but yeah, I think that's something that we would need to work through, for sure.

A: Okay, a few other AOBs. I threw in just a quick update on logos. Thanks, all the input folks had over the last few weeks. We're waiting on the final design files from the LF creative services team, and yeah, then we'll be able to start propagating those and doing any follow-ups.

A: Another point on standardization, as we've got a number of different language communities who are starting to integrate with Sigstore. So folks like Python and Java. I think it's time to start the conversation around what would standardizing some of those APIs, or even having a specification around Sigstore, look like now.

A: This happens to be one of the specialist areas which the Linux Foundation does support its projects on, and there's a whole raft of options, and it kind of comes down to the community and their goals and their timelines, and it can be done in various ways, from starting with some incremental lightweight motions to building up to, you know, big standards bodies. So Jory Burson actually does a lot in this space, and she was willing to come along and start a discussion which initially is just more like, you know, where.

A: So it's a whole kind of spectrum, but I thought it would be worthwhile having an open discussion to get folks on the same page of what are the questions we should be asking ourselves. Yeah, so Jory will come into that, and yeah, just on your question, Luke.

A: So we're not talking about picking a specific standard yet. I think once Jory talks us through the options, there will come a point where we do want to sort of maybe map out a roadmap, or then have the TAC decide what makes sense.

A: So, yes, if you have any questions and thoughts on that, and we will allocate some time at the end of the next meeting to start learning about that and see if there's any initial things we should start to put in place, just things like, for some standardization things, you have to formally capture decisions or discussions, and I think it's worth knowing about now.

L: Yeah, let's just go quickly. I think one of the other issues is that some organizations like to play patent games, so you know there are licenses and things you can use to counteract that, if you want to go down that road. So there's a couple things you can do that can prevent future pain later, and we recommend preventing future pain if we can help it.

A: Yeah, and I'll add, like, when I was at CDF, we had the CDEvents project, and even in the early days they had an initial discussion, and it was worthwhile just to start planting the seeds for folks to think about down the road.

A: All right, and a final note on the Sigstore YouTube channel. Roxanne Jonkers, who also works with some Linux Foundation communities, has helped to clean up some of the playlists and also linked in some community talks you could find on Sigstore. But we wanted to just let folks know, if you have a talk on Sigstore you think that should be featured on the Sigstore YouTube channel.

A: Okay, so intros. This is the part of the call where, if you're new or relatively new to the community, we'd love you to say hello and welcome you, and if you can share what brings you here, what you're looking to get out of Sigstore, work with the community on, we'd love to hear it. So yeah. First of all, go ahead, Isaac.

G: Hi there, I'm Isaac. I work at Google, and so I work with Bob, Asra, Appu, Simon and so on, and the open source team at Google. I'm new to Google, about two months here, and just ramping up on all things Sigstore, SLSA, OpenSSF, and so thank you for the kind welcome, and then I'm gonna be in listening mode for a while. But thanks for having me here.

C: I'm Brian DeHamer. I'm a new hire at GitHub on the recently formed package security team, so we're definitely very interested in what's happening with Sigstore, and I'm sure we'll be integrating some of this stuff into our work. I'm still trying to get my feet under me, so I'm not entirely sure what I'm gonna be doing in the short term, but yeah, so we'll be here lurking, listening for a while, but hoping to be contributing shortly.

L: I guess technically I may be new to this particular meeting, though a whole lot of you know me, but I'm at the Linux Foundation, mostly. I assume that other folks like Dan and Luke have things well in hand, but I wanted to slip in because, you know, I'm very much looking forward to all the cool things that all of you are doing.

A: Okay, let's leave it there for today, and yes, I can see Eduardo saying welcome all. Thanks very much for all your updates and demos today. Next week's meeting, same time, same place. We do have Jory on the schedule, and anyone else, please feel free to add to that over the week, and thanks very much, everybody. Have a good week.