From YouTube: Sigstore Office Hours - July 26, 2022
A
Okay, let's get started, everybody. So thanks all for joining today's Sigstore community meeting, and we'll kick off as usual with the project round robin, and let's start with the Rekor project. So Priya, see you have an update there.
B
Yeah, it's more of a question. I, we had been thinking about Rekor 1.0 kind of as, like, a step that we would take before announcing GA, and the main, like, blocker for that was sharding. And now that we have, like, successfully started the log and, I think, we've pretty much caught all the bugs associated and fixed a lot of them, I was wondering if anyone was opposed to start planning for Rekor 1.0, or what people were thinking about it.
B
I noticed that some of the issues were tagged with, like, GA candidates, so I was wondering if that is, like, the same as Rekor 1.0 and if, like, those are the issues that would need to be solved before 1.0, or if that's kind of more related to something else. I'm not, as I guess, like, I was hoping someone who's, like, more familiar with me here who can answer this question.
A
Okay, let's move on to cosign, and this is Zach, has an item that for discussion. You want to go ahead, Zach?
C
Yeah, yeah, yeah, so go ahead and read this document. I think Hayden shared it in the Slack last week, but I will post it again right after this meeting. It's something that Hayden and I wrote. Basically, at the moment, when you type cosign verify and you cosign verify an image, or you verify-blob some, some file,
C
It checks that there is some signature and that that signature verifies. It doesn't check who that signature comes from. So it is very easy to make cosign verify happy, even if you are evil, and so that's bad, that's, that's a pretty dangerous default behavior. We've run into some, some headaches when we're trying to roll out Sigstore support to the Python ecosystem, where people ran into this.
C
It's a, it's a little bit of a footgun, and so our proposal is to make it required to pass at least one, basically, or requirement on the signature when you are calling cosign verify.
C
So there's some details about the flag names and stuff in there, and I would love to bikeshed those. The one thing that this does break is the very useful for debugging purposes: I'm just going to run cosign verify, see what it's out and try to, like, like, that information is useful to me. So we're going to replace that with a new command called cosign inspect.
C
The idea is that cosign inspect just says, let me, let me print out a bunch of information about this, the signature, this object, whatever. That's going to be really helpful for debugging it. It may or may not be publicly documented, but it definitely isn't going to be the recommended workflow for, you know, doing a verification and up in a pipeline or whatever. So please, please, you know, send us your comments, but I wanted to,
C
I wanted to share that out, and I would like to not go too much into detail on this call. But I'd like to hear if anyone has really strong objections to the idea, in principle, of making some identity flag or key flag required.
C
All right, I'll count down from five, four, three, two. All right, then we'll have, we'll debate all the details on the document, and I am, I'm happy to, to talk about the decisions and the reasons we made them and revisit any of the details. But yeah, that's, that's the proposed change, and so we'll, we'll come, we'll come back with, with a sort of timeline. We'll probably deprecate it in one version and then actually make this behavior an error in a future version after that.
A
Comments, if folks want to make. Thanks for the nice outline, Zach, and yeah, and it's also good to see just the, the result of feedback coming directly from the folks trying to use it with the package managers. So yeah, appreciate that.
A
Okay, no bikeshedding on that one right now. Okay, gitsign.
D
Yeah, so no major feature updates here. It's been a bit of a lull, but one thing I just want to highlight that other people might be interested in is we're probably gonna start taking a look at, basically, source attestations and how we can start attaching those to the repo.
D
So if you are interested, please leave your thoughts. This was originally discussed in an issue in the cosign repo way back when. It was sort of kicked off by Matt, but we sort of moved the discussion into the gitsign repo, and it's something that we're probably gonna start playing around with. So if you have thoughts, opinions, suggestions, let me know.
A
Okay, let's move on. Thanks, Billy. Any updates from any of the integration projects or root or policy controller?
B
Yeah, sorry, I forgot to add some stuff in. Yep, we're just tugging along. We are getting, I'm working on getting our own calls set up this week, so we're gonna start dry run for on call, just, like, business hours, just to update playbooks and, like, make sure everything's running smoothly. And we have just generally a list of issues that we're working through slowly, so if anyone's interested in helping, definitely let me know.
A
Good luck with all that. Okay, thank you. Okay, Sigstore logo refresh. Yeah, the, just to confirm, we had the final round of approval from the TSC on the issue, and now there is a pull request I just created today with the new design file and, importantly, an updated brand guidelines, so that gives just an overview of the new logos and just kind of recommendations for, like, minimum sizing and color schemes and things like that.
A
So once that is merged, and we can get a couple of approvals on it, then all the files should be available in Git for, for use, and we can start updating various assets and then start using the new logos for gitsign, Fulcio, Rekor, etc.
A
And then, following that, if there's requests, I know there's a little bit of a pipeline of new logos for, like, policy controller and maybe other things. We can start addressing those separately as well.
E
Yeah, so this was approved last week and I created the repo. It's basically an empty repo right now. I'm working on closing off some of the existing issues, and I tag them for the doc site and the www site in case anybody else is interested in taking a look at the ones that are still existing, and then I'll work on the migration piece.
E
Yeah, I don't, I don't think that there's blockers. I will need help with just pointing that website to it, but I think Dan knows that already. Okay.
A
Great, and yeah, a couple of other things. This is going to add on docs, and I can see Eduardo's on the call as well. So I know we had kept thinking of setting up a docs call. I was going to propose, maybe not at this meeting but at future community meetings, if, if we don't have a heavy agenda, we can use, like, the last half hour, maybe, for a little bit of a working meeting to start going through some updates on the main website.
A
The docs, the GitHub repos, some of the other work like logo updates and things would, would be good, updating about stages of GA and things like that. So yeah, if you've got enough of a, well, just a handful of people who are up for that, yeah, let me know what you think. Cool, I see some nods, Lisa and Eduardo, and yeah. One final thing I did want to broach here, no, no decisions to be made, but the case of Sigstore.
A
We just had the brand guidelines updated, and then there's this open question of, like, we use sigstore with the lower case, but we find it increasingly difficult. When we get coverage in press or in other places, people will tend to use it with an uppercase S, and I do feel maybe it's, it's time to stop fighting that and just kind of go with the, the uppercase, but formalize that as well, because I'm starting to see some cases where people will capitalize both s's in sigstore, and I think it's worth having a style guide as we launch into some docs changes.
A
So maybe one question is, is there any, like, what do people feel on kind of the, the capital S versus not? And in this call, anyone very attached to it, or anyone very not attached to it?
A
Okay, I'm not hearing any strong feelings here, but I'll kick off something written as well, so we can see, get some wider input.
A
Outreach and events. Folks here, I was wondering how many managed to catch the new style office hours last week. Did we have a bunch of folks who were on that?
A
See a couple of hen, yeah. I wanted to get any thoughts on how you thought that went, and I put the link in there for anyone who hasn't had a chance to catch up. We had three presentations: one from Fabian Kammel on confidential computing from Edgeless, the Python world of urllib3, and then also Rust demos. Actually, it was two Rust demos, and then Jason also showed tlog registry, so pretty packed. Any comments on what worked and maybe what improvements we could do on that?
A
Awesome, okay, challenge accepted. But yeah, no, and I think one of the things we would like to do is for each of the little demos, not little, but the quick, concise demos.
A
But we would love to have a follow-up kind of write-up on the website because they, they, all of them, had quite good insights. And have, Fabian's been great, and he's kicked us off working with us on a case study, so put that in the darker folks want to take a look, and I'll be looking to see if we can get that up on the Medium site. And then looking ahead to the next one, which will be next week.
A
So far, we have the GitHub Action demo from folks from Trail of Bits. So that's for Python, and I, I'm gonna go hit up the, the Java folks. I know they've got an upcoming release for the Java library version 1.0, so hoping they can come along and show us the work in progress or the 1.0 version, and anybody else who's got an integration or a shiny new feature that deserves a little bit more of a show-and-tell demo.
A
Okay, moving on. So this is a big announcement, happy to finally report: we do have a thumbs up for SigstoreCon at KubeCon North America, which will be in Detroit in October. So the format CNCF have agreed to is that we will have it as a one-day single track on the Tuesday, so the, the day before the main program, and we have a room for about 200 people, so not massive.
A
But I think just should be a, a good space to, to grab a bunch of the community and bring them together, as well as introduce a bunch of new folks to Sigstore.
A
So we've been given a set of tasks, and I'm starting to pull folks in to help, but we're looking at the official announcement with a website, call for papers, sponsorship brochure and registration all kind of coming together to be available on August the 1st, and then the CFP will run for a few weeks, and then we're looking to have a schedule announced September 13th, which is about six weeks ahead of the conference. So yeah, folks to keep an eye out for the call for papers and for registrations.
A
For those who can be there in person, and if your companies are interested in sponsoring, there is a brochure. The official one will be out on August 1st, but I can send a kind of mock-up if folks want an early look at. It's pretty standard for all CNCF co-located events, so you can also take a look at the existing ones, and it's, it's all the same tiers. Any questions about Sigstore at KubeCon?
A
And the only other event I'm aware of is that we've got, in September, Open Source Summit EU's coming up, and I believe a bunch of folks from the community will be attending that, and a couple of talks as well.
A
Okay, moving on to any other business. This one I wanted to highlight: we're gonna make an attempt to share a Sigstore monthly update.
A
I believe Luke's done some in the past before, but I've dropped this document in with, in an attempt to maybe formalize it a little, and the main thing is just that we'll have a due date and a publish date for putting together a post. And then the idea is, if you have any new, new and noteworthy stories or links or features, you drop them in this document, and then I'll be working with Roxanne, who some of you may know from other open source communities. She's a fabulous author and editor, will be helping turn it into a comprehensive post.
A
So that should include things like maybe the three million Rekor entries, or, if Santiago writes a separate post, we'll link to that. So yeah, please go ahead. Action item is just drop in any updates and Sigstore-related into that doc.
F
Yeah, I just wanted to throw this out there. This is just a proposal for kind of more integrations between Sigstore and TUF. Specifically, it really looks at solving this problem of how do you know which signatures on images or other things you should actually trust, not just that it's signed but who's signing it, why
F
You trust this person to sign it, basically by using TUF with a couple of modifications and collaborations with the existing Sigstore tools. The doc does go a lot into TUF details, and so I encourage folks to maybe take a look at that, at TUF, before attempting to crack this one. But everyone's welcome to, to take a look. I appreciate any feedback. There's
A
As soon as those logos get sorted, the next thing is swag. We're gonna have to get some swag going here. That's good, thanks. But yeah, now, thanks, Marina, and call to action, everybody: do take a look, and any questions or comments, add them in there.
C
Yeah, so this is just follow from discussion that's been happening in Slack. We are finding, as we have more and more Sigstore clients, that they need guidance and, and how they work. If we're doing a Python implementation, if we're doing other implementations, it's really nice to not have to just reverse engineer the Go code, especially because many of the decisions in the Go code were made not on purpose but rather evolved.
C
So we are very interested in, in kind of having somewhat formal documentation for all the components of Sigstore and their APIs and so on. To some extent that role is met by the gRPC and proto specs, but I think there's a whole lot more color that can be given by a formal specification.
C
So to that end, we've started up a Slack channel to discuss what would the process of writing up slightly more formal documentation look like, and that's been happening in the architecture docs channel in Slack. I just wanted to make an announcement: we're having a kind of exploratory kickoff meeting next week at Thursday, August 4th, 1, 1 PM Eastern time, and I'll let you all, I'll do that translation. Apologies!
C
If, if you can't make it, we, we tried to meet the, the times of everyone in that channel, but you, you may not all be inside of that channel. If there's a bunch of interest weekend, we can consider rescheduling, of course. But yeah, I just wanted to advertise both the channel and that meeting, and hopefully see you in Slack.
A
Nice, yeah, no, I think that's great timing and for having those kind of conversations, as we see fast progress on, on the various languages.
A
Otherwise, we'll move on to the section of the call where we do introductions for anyone new, or someone who's returning or hasn't spoken for a while and would like to just say hello and share what the interest in Sigstore is or what they're looking forward to doing in the community going forward.
F
Yes, thank you. I'm Alvaro Figueroa from Costa Rica. I'm working right now in Microsoft, but I also do a lot of things for, for Slackware and RISC-V, and also for myron or v5, so I'm very interested in seeing how can I apply Sigstore to this distribution. So, thank you, everybody.
A
Awesome, yeah, and welcome, and always exciting to have someone from Costa Rica.
D
I guess people might already know me, I'm not sure, but I'm Sebastien Awwad from Anaconda. I previously worked on TUF and Uptane and stuff like that.
A
Wow, yeah, I'm thrilled that you can join us and, as I mentioned, yeah, no, thanks, thanks for jumping in on a lot of those topics, so glad you could be here.
A
We have this meeting for contributors and then a little bit more for end user focus one every alternative week, so that will be next week's office hours. And yeah, as always, feel free to hit me up if you want to broach any questions or topics you, you think might be interesting, but you maybe don't want to ask in the big group. With that, I don't see any more raised hands here, folks. I think we'll call it a day. So yeah, thanks everybody for joining, and see you next week.