From YouTube: Sigstore Community Meeting - May 17, 2022
A
Okay, we're live. Welcome everybody to this week's Sigstore community meeting. I am your chair, I'm Tracy Miranda from Chainguard, and we will kick off straight off with the project round robin. So yeah, bearing in mind we may have some folks on the ground at KubeCon, but we'll cover with what we have. So anyone here who can speak to Rekor?
B
C
A
Hayden, all right, and going on to cosign, you have TUF root rotation.
B
I'll chime in here too, just a small update here. Last week we rotated out the TUF roots and got a v3 version of the root. The TL;DR is it's pretty much the exact same set of targets that we had signed before. Just we did the ceremony with the five key holders.
B
Due to a number of reasons, we didn't get a chance to rotate out the, I think it was rotate out Luke for Joshua. We're planning on doing another signing ceremony, probably in a few weeks or so. I'll have some more information on that in future weeks. But if you're using cosign, you should automatically pick up the new TUF metadata.
D
So sorry, I haven't jumped in here a lot. So if we need to move some of this stuff to a different part of the agenda, we can, but there's been a lot going on with cosigned in the cosign project. I think the group has decided to eventually split out cosigned into its own repo, and we'll rename it policy controller under Sigstore.
D
We, I guess, VMware, we're going to file an issue. We would like to do the renaming part as soon as we can. We're working on an internal product timeline that we would like to get the new policy controller name into before we build our product, so we'd like to do that as soon as we can. I wanted to bring that up for any sort of concerns or questions.
D
We don't necessarily need to split out the repo yet, but we'd like to get the renaming in, so again, if that's all right.
E
D
I think we're filing one ASAP. Like, we just talked about it a few minutes ago. I think we're going to file an issue. I don't think we've done it yet. Okay, cool. Some of the discussion was on some other issues, but I think the specific issue, or PR, or whatever we need to do the work, hasn't been filed.
E
Don't think Billy is here. Billy, if you're here, yell, but otherwise I'll talk about gitsign. We got the repo set up. Last week we cut a release to make sure that release automation works. It works. There is a v001 alpha release if you want to try it out. Otherwise, I can't speak for anyone else, but I've been using it on everything all week and it's worked exactly like it's supposed to.
E
E
The next one is also me, for sget. The PR to support fetching arbitrary URLs and signing arbitrary URLs, it's merged. So, if you're interested in trying that out, let me know. I'm hoping to do some sget meetings in future weeks. This is not the week to start doing meetings for things, it turns out, but next week, maybe. So, if you're interested in sget, either as a user or a potential developer, let me know: join the sget channel in the Slack and we'll invite you.
A
A
C
Yeah, so we're targeting June 21st, which is the OpenSSF conference in Austin. We had a meeting last week where we kind of finally ran through all the remaining items in the to-do list. I think we're definitely targeting June 21st and we're gonna try to wrap up all the items in the list by then. Yeah, I don't know if mckenney or, he didn't have any other thing, anything else to say.
D
B
One thing to add is that if you have any very large features you're planning to add to the services side of things, we probably will not include those in the 1.0 releases at this point, for stability. Bug fixes and security fixes are, and I think minor refactors are, probably fine. It'll probably be kind of at the discretion of the reviewer. Worst case,
B
we might cherry-pick some things if we have to when we cut a release, but at this point I think any really large features will probably be punted to last or 1.0. If you have a really large feature that you think is breaking for some reason that you want to get in, chat with one of us ASAP.
A
Yeah, I think it's great to draw that line, just get the release out and then continuously add to it. So the other half of that is then I will kick off kind of outreach side of it, because that does have a long lead time. So work with folks to draft an announcement, and then it would be great to start getting folks to offer who can do community quotes, probably max of one per company, but getting those who've been involved with the release.
A
A
So when we do announce, we can amplify it from all the different angles and just make a big deal of it. And for those who will be on the ground at the event, maybe we can have a party or swag, a cake or whatever. It'll be fun. Open to ideas. So yeah, I think the call to action there is, if you're interested in contributing a quote on your own behalf or on behalf of your company,
A
please reach out to me, and if you've got PR folks we should be looping in, let me know. I'll look to set up a call, a distinct call on outreach for the GA.
A
Awesome. Okay, so demo time. I'm gonna hand over to Jason to give us the latest on Sigstore and Maven. Let me know if you need to share the screen, I'll stop sharing.
F
All right, just let me know when you can see the screen. Yeah, I can see it. Great. So the execution of Maven, which I'll show, is fairly quick, not terribly exciting, but I'll describe what I have tried to do first and what will come next. So the initial version of the plugin I have released to Maven Central, so the Maven Sigstore plugin uses the Maven Sigstore plugin to add all the signatures. So there's an officially released version there. I wouldn't say it is usable by very large projects.
F
I tried it on a project this morning with 150 modules and it wasn't very convenient to use. It would have worked, but we didn't finish going through the process. So it will work for relatively small projects, because it only caches the key pair and the signing cert for the Maven session. So it works, it will send things to Maven Central. It generates the PGP signatures along with the X.509 signatures to satisfy the current requirements of Maven Central. When Maven Central has a verifier that can deal with the X.509 certs and call that good,
F
then the PGP signatures can be shed. And there's probably a bunch of issues that need to be sorted out in terms of, do we want to add some metadata to the deployment to describe the file layout? Right now I'm using .pem and .sig, but if that changes in the future and tools crawl over the repository, maybe we want to deposit some piece of metadata that Sonatype or anybody else walking over all of the artifacts in Central can use to figure out various versions of the directory layout that we've used.
F
F
So the way that the plugin works is it does integrate the PGP signing as well, because the ordering needs to be handled of the generation of the X.509 certificates, and then those need to be signed by PGP in order for it to work correctly. So a normal Maven project would disable their current PGP signing and enable it in the Sigstore plugin. So it will currently work with the GPG agent or env vars to pick up the passphrase or also to pick up the private key.
F
And that is going through the prepare phase, making the tag. Again, not super exciting. It will generate the signatures and then kick out to the OIDC server from Sigstore. I'm gonna use my GitHub identity.
F
F
F
F
I am testing with three large open source projects and three smaller open source projects. Hopefully I will get all of those to work, and then I'm hoping next week's demo will be a fully automated release from GitHub using automation to do the ID token that's placed in the environment by GitHub, and automating the closing and releasing of the staging repositories in Nexus. And that is the sum total, that is it.
F
Anybody have any questions? There are certainly some outstanding questions in terms of, do we use one signing cert per artifact, how I would set up the usage for large projects. I'm probably gonna have to change the plugin to handle cases where everything is collected at the end of the build and then the signatures are generated, because the project that I tried this morning takes about 90 minutes to build.
F
So it was bouncing out to the OIDC server all the time, which is doable once, but that's not the way we would want people to have to work. So anyway, working. I think in a week it'll be a lot better, and I think in a couple weeks it would be ready for any project to try.
G
C
A
A
Because I was thinking about it, okay, yeah. And I think that looks amazing. Do you have the link to the repo you showed? If you could drop that into the notes of the chat, and I'll put that in the notes. And yeah, looking forward to the progress and the fully automated version when that is ready.
F
Great, I'll update the notes in about an hour. I'll push it all out into a public view and then I'll update the notes.
A
Open it share the link to the Gradle issue, if that's of any use, just FYI.
C
A
Next item, I had just a little on outreach and events. I believe this set of folks at KubeCon EU, which is in Valencia, and there's a Sigstore booth running all three days. Is there anyone on the call who's at KubeCon wants to share a bit of an update?
A
Good luck with that, say hello to everybody. But yes, definitely seeing a lot of tweets out there. And the other thing worth mentioning is there's an OpenSSF day. This will be the week of June 21st. I think it's on the Monday ahead of the Open Source Summit, and I didn't know Priya will be giving a talk on Sigstore, and there may be other Sigstore, OpenSSF content. That's in Austin, and there may be a virtual option.
A
So, if folks can make it to that, do please join the community there. And a reminder: that's likely to be the events and surrounding events where we make the announcement around the GA, so it'll be nice to have some folks in person where possible.
A
The only other thing I was going to mention: if you do have some talks, or you've seen talks that folks are giving on Sigstore, I think we can add those onto the YouTube channel and just set up some playlists there, so I'll be taking a look at seeing how we can clean that up. But in the meantime, just drop them in the notes and we'll get those added.
A
A
C
Hello, I have a question about the docs working group. I'm not sure if I missed the calendar event, or, I remember we talked about a meeting a bit, but I wasn't able to find it on the calendar anymore. So I'm not sure.
A
Yeah, no, so bit of my bad. So we were going to set that up as a Wednesday meeting every couple of weeks, and then I ended up taking on the role for the community chair for this meeting. So yeah, I'm gonna have the bandwidth, but there's a couple of options. So one is we have docs as a regular part of the community meeting, but equally my colleague Lisa might be helping to just get that going.
C
Yeah, I'm here. So a few meetings ago we decided to bring up docs regularly in the meetings if anything is coming up, but for sprint planning we would have a working group, and we are going to do a GA doc sprint. So we'll discuss that more, maybe next week, or I could reach out to you directly on the docs channel in Slack.
A
So, yes, you haven't missed anything. In conclusion, the intent is still to do something, but yeah, it's just my taking on this meeting, we just needed to change things a little.
C
H
Neil McBurnett. Long ago worked at Bell Labs and with the IETF and then Internet2 on their ID trust conference, section about identity and trust and all those good things, and now mostly working with transparency and provenance information around election integrity. Just limiting audit software and stuff like that. So I.
C
H
G
Hey everyone, yes, I'm Samson. I joined Chainguard about three weeks ago and really excited to be here. I'm sure I'm still probably still onboarding and I'm getting to know more about.
H
G
Store and hopefully get to talk to Priya and learn more and see how I can contribute.
A
Otherwise, yeah, happy to keep that short and sweet today. Next week we will have, I'll reach out to Billy about a gitsign demo, we've got a follow-up Maven one that will be awesome, and we'll be doing more planning towards the GA and also the project updates. But yeah, thanks everybody for joining today. Take care.