From YouTube: Sigstore Community Meeting - July 11, 2023
A
Alrighty, hello everyone, welcome to today's community meeting. As always, please sign in if you'd like to. We'll do a project round robin. If you have any outreach or events that you'd like to call out, please do. Also, if you have any other business that's not covered by the project round robin, please add that, and then we'll have a chance at the end for introductions.
A
Alrighty, so let's jump into it. First, we have some updates from the services side. There have been some new cuts for Rekor and Fulcio. Bob, did you want to mention what was new in Rekor?
B
I'm trying to remember what is new in Rekor. Pull the Chinese news live real quick. We had a couple bug fixes.
B
Yeah, a couple bug fixes, I think, was all that was in the 122 release, no substantively new function. But there's an interesting PR talking about adding a new pub/sub interface to Rekor that James, who I believe is on this call, yeah, hey James, has contributed, so that I think goodness to come here, hopefully shortly. And on the Fulcio side.
B
So we now expose the standard endpoints, and the Helm charts associated with Fulcio have been updated as well to take advantage of that. And I don't know if you want to speak to the GitLab one.
A
Yeah, there was an update. We've been chatting with GitLab on updating one of the claims for the, for build configuration. There was an issue that talked a lot more about this, but yeah, there was an update for that. So, if you are relying on this recent change, there'll just be a change in what the expected value is.
A
Alrighty, moving along, and I'll just say for everyone who just joined, we're just going through the project round robin. If you'd like to sign in, please do so. For.
A
Signed, for timestamping or the root, were there any updates?
B
Do you want to mention the, the drop in the timestamp interval?
A
Yeah, I called this out last week as something we were going to do. We have now completed this, so the TUF timestamp lifetime has been reduced to one week. This is, what this means is, is clients will have to pull a little more frequently, since the timestamps were at two weeks previously, but this means in the event of key rotation or key compromise, we're able to respond more quickly.
A
Your client's going to pick up the changes more quickly. We'd like to reduce the lifetime even lower than one week, but we're starting in one week for now.
A
Perfect, and I might have cut somebody off earlier. Was somebody going to say something around Cosign?
E
Hi Dimitri, it's my first time joining here, so I would say, I have a pull request in Cosign for the mTLS connection to Timestamp Authority, and Trident is reviewing this. So if you have any corporate setup or types of authority so that you run with certificates, so please try it, would be. Could you see if it works for you as well as fast.
A
Awesome, well, welcome, thanks for calling that out. I'll continue to take a look at that. If anybody else would like to check out this PR, please do so.
A
All righty, clients. Zach, did you have an update?
F
Yeah, I can go ahead. So this incline's meeting that a couple hours ago, please join us in those meetings or in the pound clients channel on the Slack if you would like to join. They're open to everyone, of particular interest to people working on per-language client libraries. The big updates are, this isn't new since the last time, but we do have a roadmap available in the repository itself.
F
That kind of runs through our upcoming priorities, both focusing on Cosign as kind of an exemplar client and things we want to do to coordinate across clients. And then the, the other thing that's, that's coming up lately has been a need for, for some kind of maturity model for clients, because if we say, oh, you know, there is Asics they're a Rust client, should I use it in production? I don't know, and can we can?
F
We articulate, you know, sort of requirements in terms of both functionality, conformance with the test suite, you know, code review processes, etc. that make something kind of a blessed client. And one, one thing that we've been having some discussion. We're gonna have a candidate model pretty soon, but one thing that, that definitely is going to happen is having different kind of categories.
F
So that's, that's a high-level report. In that group we're trying to just do things that are useful in common across all of these clients in all of these languages. We're trying to do a few things that are going to make implementing clients in new languages a little bit easier. That includes having, you know, a good specification for what a client should do when signing and verifying. It's also going to include things like common data formats, like the, the Sigstore bundle.
F
It's going to include things like telling people how to validate Rekor signatures offline, and, and Hayden, I know you've, you've been pushing to move us away from the signed entry timestamps over towards actual validation of an inclusion proof, which is a little bit wonky, and we can.
F
We can discuss that, that offline, if you, if anyone wants to get into it. But sort of coordinating the rollout of those kinds of changes across clients is, has been kind of a key focus. And then we're, we're thinking about, no, no commitment yet, but would it be easier to potentially have a shared implementation that all the clients in all the languages would be willing to use?
F
We wouldn't require that all clients in all languages use it, but it does, it is starting to feel a little bit wasteful to, to re-implement a pretty complicated, you know, verification workflow, and I think at least count like seven or eight different programming languages, and, and trying to, to make it so that, you know, Java experts can do what they know best, which is making things idiomatic for Java.
F
You know, and, and same for, for every other language as appropriate. There might be constraints that prevent you from, you know, kind of shipping external libraries or something as well. So that's, that's another direction where we're going in, in another. One is kind of more effort on, on this conformance testing library, which hopefully will be tied pretty tightly to that maturity model we mentioned. We should basically be able to throw that library at, or throw the test suite at a library, hook it up properly, and it'll.
F
Tell you, hey, you have implemented this level of support for signing and this level of support for verification, or not. Yeah, so I think that's, that's the high-level update. Happy to take questions now or later, especially asynchronously in that, in that clients channel.
A
Okay, awesome, well, thank you for that update. I'm really excited to see this. You know, I think we've had this, this conversation a lot across different clients around maturity, and so I think having this in one place and finalizing these details will be really great. So if folks are interested, reach out on the clients channel. You can get involved with clients. Also there's a, I think, bi-weekly sync that should be linked from the repository, or hop onto this issue.
A
All righty, were there any other updates for the clients?
A
Cool, moving along. Docs. Lisa or Patrick, do you have an update?
G
Yeah, I can give a quick update. It's not that much to report this week, but someone mentioned that people might be interested in a friction log that I wrote recently for one of the workflows, which is signing a blob. So I just put a link in, into the docs, and there's some, there's been some work going on with reorganizing the intro to the front matter and are the intro sections of the docs and so on lately. So.
A
Thanks for the update, and thanks for starting the friction log on this. I think that'll definitely help clean up the documentation.
E
In terms of docs, one thing that kind of on my wish list is to improve the docs about the KMS secrets for timestamp server. So I want to work on this, but if anyone kind of would be interested to cooperate or have examples or something, so please let me know or ping me. So this, I, I think would be good to provide more extended information, examples, and just because currently I, I'm a bit of pulling my hairs, how to figure, figure it out how to.
E
And my colleagues kind of finding ourselves a little bit baffled, and that slows us down with the kind of the Sigstore proof of concept. Even I'd.
D
We do have some general issues for Azure, GCP and AWS, but I think this, might, it might be worth it to make your own issue here. But we would really appreciate it. Thank you so much for offering to help another.
E
Great step, step would be to put some example of some IaC, so like Terraform or something, so like, what could you do to set up the pieces that are needed to, to run like the setup, like, say, timestamping, timestamping authorities? So that's, that's maybe the second step. But it's also that stuff that I'm trying to figure out.
A
Do we do have a Terraform repository, and I don't recall if we have stuff for the timestamp server. We might. There, there, there are a lot of examples there. We also have a repository for Helm charts.
E
Is it on the Sigstore GitHub organization?
A
It is, yes. I can link to both of those. Okay.
A
Yeah, this is also, I believe there's an open issue about improving the documentation around spinning up services locally. I think this is another thing that we can, we can improve to these real quick.
A
Yeah, and, and for the Timestamp Authority, feel free to also post anything in the, the Timestamp Authority repo too. When we created it, it was designed around a specific use case, which is why you'll kind of see a lot of the docs are, are focused on a specific use case of, of how we're spinning things up.
E
Another thing about the documentation, actually developer documentation, I just know if you would agree that there might be a room to improve the documentation on the, like, end-to-end tests, like how to, what, what they do, how, well, something that beyond just reading the code, like give some guidance how to use them and also how to, how to go about expanding. I also feel it a little bit.
A
Yeah, I'll, I guess I'll just say on that note, the, unfortunately Cosign's end-to-end tests have, have grown quite large over time. It's definitely an area that we recognize needs some improvements. If folks have ideas of how to start teasing apart the tests, making a little bit easier to understand, get involved, that would be great. Right now it's, it's kind of grown in size. The hope
A
is that we'll clean up a lot of this stuff when we rewrite some of the core logic within sigstore-go, but there, there's definitely some opportunities to clean things up in the short term.
A
Yeah, that would be great, really appreciate you diving into this.
A
Cool. Outreach and events. I don't believe we had any. We had a few CFPs close. I think SCORED, actually didn't know this, I think SCORED CFP might have gotten pushed back to tomorrow. So I think you might have one more day to submit to that.
A
Cool, moving along. Any other business?
F
So yeah, I put something there, which is, which is just the old Google Meet. A lot of people, myself included, still have on our Google Calendars the calendar event that was copied a while ago, and so a lot of people showed up to the, the old Meet today. So I don't know what, if anything, we can do about making sure people have the up, up-to-date link in their calendar.
F
One thing might just be a reminder in Slack that we have updated it, because I needed this great event, yeah, exactly, so like with instructions. For, so like you have to go.
F
Add the, you have to have the Sigstore community calendar added to your Google Calendar as an external calendar, but then for it to show up on the calendar you use every day you need to like click and copy, and then it won't update ever again in the future. And so I need a reminder to, to, at a discrete point in time, to go ahead and do that. So I think, Hayden, the thing you said in Slack was good.
A
Yeah, definitely can do, thanks for calling that out. The community calendar should have been updated. Someone pinging me this morning about the doc, so that's been updated, and the Slack channel, where the Meet invite is linked, the top has been updated.
A
I think that should be it. If you find it anywhere else, let me know. Also it's worth noting office hours we updated to the same link also, so you'll have to do the same thing for office hours. So I will post another update in general, but for those here, let everyone know: new meeting invite, the old events.
A
We've updated the, the Sigstore community calendar events, so there shouldn't be an old one shared anymore. I think it would be if you've copied it to your personal calendar, that will never get updated, unfortunately.
B
Redirect people over to this one and we'll try to, we'll try to end up that problem with the bud.
B
Yeah, there's one with the foundation level. We can just send an email to operations at openssf.org with the new link and they'll change it.
A
Cool, any other business?
A
All right, so the last part of the meeting we reserve for introductions. If anyone would like to say hi, you know, I know we've had a few folks say hi already in the chat. I would like to speak up or say hi again, feel free to.
H
Hi, my name is Matt Wood. I'm joining this meeting for the, the first time, but I'm familiar with Sigstore. I'm, you know, looking at Sigstore on the potential of, you know, what would it take to implement something similar on an enterprise level for use with an RCI system?
C
I'll just say hi again, this is Lance Ball. I'm at Red Hat and we'll be soon working with the team that's very active already in, in the Sigstore community, so I'm just kind of here to get my toes wet.
A
All righty, well, really excited to have everyone near the community. Thanks for joining. We have office hours next week, and then we'll have a community meeting again two weeks from now. See you then.