From YouTube: Foundational Infrastructure Working Group - Sept 7, 2023
A
B
B
A
A
A
B
A
A
A
B
D
A
B
D
A
A
B
B
All right, inbox: metrics and API metrics does not show. Oh yes, we talked about this last week. Was this, this was the other thing I was supposed to look at. I couldn't find this. I remember two things I was supposed to do from last meeting. I was supposed to, oh, no, he was going to make an issue. No, this is the issue we made, right? Okay, yeah, yeah. So now I was gonna preemptively look at this, but, so this is something we're speculating. Puma, problematic.
C
I walked into this, and I was wondering how at all we can get genetic API metrics. So the moment the metrics service and a separate process.
C
E
C
B
That puts us in a better spot than the Cloud Controllers, and because they just have one server set and then that's, so now you have the request, the metric request, going to any one of them. So at least here we have a single point where metrics are being collected, and we could aggregate the Puma metrics there using gauges or something, where it's like the Puma processes. Telemetrics, hey, I got a request.
B
C
Metrics for the API endpoints you have, you know, on your, on the server, which happens automatically, but when we have separate processes, we have to implement something in addition to get the commuters metrics.
B
C
B
E
Yeah, we currently underlining it, and maybe we already find a solution, but yeah, let's see. At least we will investigate a little bit more. Okay.
B
B
B
B
B
A
B
B
One of these got solved, and this one, this one, but then he's still, okay, I'm just going to reference this. So his, looking at the logs, there was a health monitor complained that the cert wasn't valid for eight hours, and then it was because the timestamps were wrong, which, I don't know if anybody's seen this before. I don't know how you would end up in this situation, because.
A
It's like in your virtual machine, time, like time drift with your host, so your generated the cert or your host and then the time in the virtual machine was lagging behind, I guess.
B
But maybe, I don't know, maybe one of his boxes, I don't know, he said he swapped the time zones or something and then it worked. But yeah, I'm going to leave all these tabs open, so that's a reference. I'm going to say, is all these still really necessary? Because this is like the same things, like the BOSH director wasn't rendering. This one probably the same thing: the Nets. Well, no, that's interesting!
B
So the Nets creds let him create the BOSH director VM, whereas this one's the agents failing to come up. I would have expected this same problem with the creative on the director. This is, well, this is great jump box, but in the BOSH repo. We'll get some, I'll ask him which of these are still active.
B
And this one is from Ramon, where I told him we should use spot instances and he was like, did you know? He can't you spotted. I was like, oh, didn't know that. Apparently that's only on AWS, so an issue for to create the ability to use spottings is we can use preemptible, which is like spot but different.
D
B
Does he have the job specs? Not yet. Yeah, I was wondering what the inputs to this were going to be, just because the spot pricing was very confusing to me, as far as like, you got a bid, and then it wasn't clear from the docs: if I bid, like, the price of a current on-demand instance, do I pay that much, or do I pay with the current, like, price, spot price is, and then it only gets preempted once the spot price.
A
A
B
All right, fantastic. I think Ramon already enabled the prioritized, or the preemptible, on our new BOSH instances. BOSH-deployed VMs for, in the stemcell BATs, not the actual director, but when the BATs spin up the VMs that it only keeps for an hour are preemptible, which, considering how often those are running these days with all the auto-bumping of all the Lobster CLIs and the agent, probably will save the foundation some amount of money.
A
C
A
B
B
C
I remember this even before my vacation. I think this is, oh.
D
A
September, so we can probably do close to to inactivity.
B
D
B
B
What I was tricked August.
A
B
All right, what's next? What do we do next?
B
A
Yeah, so I think about the, there's basically two sides, or two overlapping concerns, and the question is what are we gonna focus on. So there's the, like, integrity of our source, like of the source, but also, like, the third-party things that we're putting in, like, our, the broader source tree, right? Because a BOSH release in the end is a snapshot of a source tree, yeah, when you consider blobs being source artifacts. I mean, they can be binaries, but, and there is, I mean, some risk with third-party libraries in your vendor directory.
A
Right, like that those could, the vendor directory doesn't match your go.sum file or something. Same for gems, right? Like, that is a thing that you might want to tighten. More importantly, you want to have some proof of where a blob came from, and for blobs you probably want to do even more, and then you want to know where it was downloaded from, but you also want to know what it is, and, like, what it is means.
A
What's the, for example, package name? What's the package URL? What's the CPE? Like these things that you would need if you want to generate an SBOM for later use. Like, that information for blobs is just missing. For third-party libraries, we actually have those things, because a go.sum file can be seen as an SBOM, right? Or at least it can be converted into an SBOM using a scanner or something. For blobs, we don't have that. So I think, like, and in this discussion.
A
We have proposed to maybe also include SBOMs in BOSH releases and embed them in there. I'm currently, I don't know, I always go back and forth between the: should SBOMs be in the BOSH release, or should we make it so that it's easier to scan a BOSH release with an SBOM, like, can we export or, like, emit all the artifacts or all the pieces in our source snapshot that we.
A
The provenance part we need to do nonetheless. The SBOM part, I don't know yet who should own that, yeah. So we don't know where these things came from, right? So we have to trust, part of what we trust about, so we're, both the CI bot is bumping these things, which is nice, but it would be great to know where these things were downloaded from, and it would be great to know what these things are.
A
D
B
A
I mean, it's more like it could also just be in your source tree, right? Because, like, if you have, you are vendoring in some other thing that already has SBOMs in their source repository, right? Being flexible, like, basically, we have this.
B
A
A
A
So, but yeah, so I think that's one part of it, right? So adding, or require, I mean the ability to add an SBOM to a BOSH add-blob I think would be really valuable.
A
A
So we do that now in CI, but you can also do it manually on your machine, right? So ideally having a trusted way to do that, and guys could be implemented with, say, a reusable GitHub Action, where you would have a GitHub Action actually do the BOSH add-blob and then sign an attestation saying that it added that blob and it produced these files, and have that in the source repo, repository, makes it so that you can actually confidently say this thing was not tampered with.
A
C
A
B
Yeah, I feel like that piece of it is like at the low, the lowest end of priority, though, like the make sure, because it's like, if BOSH, well, I guess it depends. I guess we do have binaries and blobs. A lot of times it's source, but sometimes it's binaries, and you can't really validate, or resource you, like, I can validate that this source is, is what, although, to be fair, if we, most of it is still, like, gotten from a known good location that you can still, you know, they're all, we have SHAs for all of them, and so you.
A
D
A
The other thing is just trusting some set of things, and that's like the reusable GitHub Action type thing with SLSA attestations. That's where the SLSA people are going, which.
B
B
D
B
A
Not, and not verifiable, like you need an auditing, so like an external auditing person to come in and look at all the stuff you're doing, and, like, forget it. That can be done, right, because it's such a big thing and everybody knows about it. So it's like useful, and useful investment. So yeah, we can, like, say: okay, this.
B
Yeah, which seems fine. It still seems to me like recording that path of trust is a higher priority, like recording: this is the blob, this is where we got it from, this is what we know about it, so that somebody could come by, unfortunately not in an easily automated fashion, but you could come by and be like, okay, this is the SBOM, I can show that this, this thing.
D
A
A
Us through the BOSH CLI, so BOSH CLI shouldn't care about any of that. It shouldn't care about, like, validating attestation. That should happen around this, right? Right, and that would probably need to be fleshed out and then probably lead to an RFC that then needs to be adopted by everybody in the, but I mean, like, that's not BOSH. Like, BOSH needs to just be able to deal with these files if they exist.
B
A
So yeah, that's what this is about, I guess: so making sure that we can format these files, and then how are we gonna surface these files? Like, what's the, so once you have these files, and you know about these files, and you, so given a release, okay, you don't, like, inspect the release and show these files. I even thought that maybe we can do something where we can go from a BOSH release to an OCI image, right? So an OCI image would just contain the.
A
That, so, it would just contain the source tree, but also, like, these supply chain files, so that it's easy to run an SBOM generator against it.
A
So we basically say the, in, because a lot of these SBOM generators support OCI images, right? That seems to be a pretty common format. The problem that I feel we have with BOSH releases nowadays, when you run such a scan against it: it's a nested tar structure. That's a problem, so we could flatten that structure.
A
Sorry, people around me. The, it's the lack of, yeah, it's, sometimes there's files in your tree structure that you don't want scanners to look at.
A
For example, I don't know, some test directory that's actually not used, or, like, with the Go binary, the source of Go itself, right? It has all these, like, performance things with go.mod files in them that have outdated dependencies that nobody is actually using, but that are causing scanners to find all sorts of high CVEs, right? Like.
A
Things we want. So we want to have more control over what we're surfacing as authors, but I don't know if we actually want to be the ones generating SBOMs, because SBOMs, I don't know, they seem kind of like there's always a different format that you need, or a different version of a format that you need. So having an ability to, given a BOSH release, export a thing and then run that flavor of scanner against it is probably more valuable as an interface.
D
C
I also think that we should focus first to enable management of such data, don't care about generation or the attestation, and if we see another additional value in something corrected, then we can iterate.
C
Of that, yeah, but we can narrow the scope here, just as is also the title of the discussion, to make possible to provide such data with these things.
A
I mean, yeah, that's the question, like: so, if you go with the OCI image, then it's basically, you just show that expanded source tree that is embedded in a BOSH release, right, and just expose that. So then, at that point you maybe don't care at all, because you already have options in your spec file to fills or files, right? So you can limit what you have there or so.
B
A
A
B
D
A
B
Mean, those are, some of it's about those things, some of it's like, I don't know, a lot of them are poorly structured Go repositories with, back from the day when, like, GOPATH, we, like, exported GOPATH and whatnot. But then a lot of them aren't Go code, they're, like, other, there's a long tail of, like, nonsense in BOSH releases that, like, the scanners are just gonna, like, throw up their hands, and it's like, it didn't find this.
B
So we need, like, it feels like a scanner would be nice, but it's only going to get us like 80 or 90 of the way there, it feels like, and so we either, it's like, make something that can do, you know, just store the SBOM, or we just give up on that last 20 percent, which, that doesn't sound like an option, that last.
A
B
B
E
B
To, you get to centralize that, the problem for those shared packages, rather than everybody doing it, especially since those things are often just binaries that somebody has to identify in. Scanners sometimes do that well and sometimes do it poorly, but then, yeah, then it's, you know, the.
B
If the blobs, you know, we make some way when adding a blob you get, you get some SBOM data, that way you get some preventer package, and then, you know, you're left with your source folder and your other things that you sort of, it's your job to come up with when doing create-release. And, like, ideally there is a tooling that we make to make an OCI image, so you could just scan it.
B
You know, they generate the OCI image, I'm just going to use the scanner and scan that, because I have a very sane project layout that conforms to, the scanners are going to have no problem with it. So I just run that, save the SBOM, use that in my create-release, yeah.
A
So that I think would be something that you want in that, like, exporting, or like exporting to an OCI image, like, I would like to see things under var/vcap/packages and then the package name and then, I don't know, source or something, right? So you actually know how to correlate it to the BOSH package again.
B
Yeah, I think that makes sense, like, as far as the OCI layout, getting it to scan and being able to take that data and bring it back. Yeah.
A
A
But I mean, like, if we can at least turn out, like, a working pattern for all of the releases that are within, like, CF deployment, right, so that I think would be the scope. I think that should be good enough, and we can iterate on adding the missing things, but, like, if we have at least a bit of confidence that we can tackle it for, standardize it enough for those releases, I think we are in a good spot.
B
It's a great thing, it's a great thing. Oh, it really shouldn't be a thing anymore. In fairness, like, the only reasons I know that people do pre-packing, well, it's mostly just Cloud Controller these days, and it's to get those gems in there, which they should just use Git LFS, just vendor the gems. At this point, like, Git LFS avoids the problem while you didn't want to vendor the gems, yeah.
A
Yeah, but those things are, like, a concern, like, if we go with that, like, higher-level thing, like standardizing how you add blobs and create releases through an RFC, like, we can and start enforcing those types of things, but we cannot take it away from BOSH, but right, like, of the other layer, we can try to enforce those best practices.
B
A
D
A
I mean, that's totally diverging, so yeah, would be great if people think about use cases that wouldn't be tackled with, that wouldn't work with just scanning an OCI export of opportunities and.
B
A
C
It is maybe one example, so on, oh.
A
Yeah, someone is what, like, David Tim, you know, starting this track, is working on doing a proof of concept of that workflow.
A
D
E
B
Sounds like the robots failed, we'll take a look at that today. This is, I think, the first automatic final release cut, which.