It's really exciting that people from so many software ecosystems are acknowledging the shared goal and duty of securing the software supply chain.

One project I was hoping to see there is sigstore[0], but maybe the ideas behind that will get discussed even without a formal timeslot.

[0] https://security.googleblog.com/2021/03/introducing-sigstore...

The main holdup of Sigstore is that it only works for containers today.

The same Trillian project backs Go's global sumdb, would be cool to see the signature and attestations happening as well