From YouTube: Working Group: 2021-05-26
Description
No description was provided for this meeting.
A
I recognize all of you, so I don't think we have any new faces today. Next standing item: release planning and updates. Jesse, do you want to kick us off with lifecycle?

B
Sure. I don't know the status of any updates; I think we're kind of in the same place we were last week. I want to say I know we're working towards finishing up the thing, everything's assigned for the next release. I think work just continues on that. I don't think there's anything else to add.

C
What, what is pack? All right, so I know that we have an RC that went out on Monday. We are planning to schedule the actual release for next Monday, so we are kind of in that feature-complete period right now. As far as I'm aware, we haven't heard of any, like, I don't know any real issues that we need to address at this point in time.

A
I think I don't want to dive into the weeds in this update, but I think probably one thing we should talk about is whether, like last working group, we sort of planned our dream file system structure, but I think there's some question about, for changing the meaning of the CNB dir, does that prevent older builders from working, or does it create any migration problems? So I'd say that's like the outstanding discussion that probably still needs to happen on this one, if we are happy with the final file structure.

A
I'm going to skip over this black one. I'm putting up a, I still have a half-done launcher RFC. I have nothing new to say about it today. Make build layers read-only for subsequent buildpacks.

D
I think I removed all the controversial parts of it and I cross-linked the RFC with the, the other one I created, and in that one I cross-linked it with the restructure, so that if we restructure the whole buildpack, like the workspace, sorry, the layers directory, we also move the shared layers along, wherever, alongside the layers directory, wherever it ends up.

A
All right, so it seems like this is ready for re-review, so everyone review. I'm gonna re-request my own review. Great. Buildpack Author Sub-team.

D
Here, but the only standing changes, I think, were about the name of the team, which we renamed to Buildpack Authors' Tooling Team, and there was some discussion with one of the maintainers at Paketo around, like, the goal of this team and, like, what kind of people can attend.

D
The sub-team sync, like whether it's just limited to the people who are contributing to the tooling that's maintained by CNB, or whether it's all buildpack authors. And I think Terence updated the RFC to clarify that and add the fact that this is more supposed to be, like, they can advocate for buildpack authors. So if they have some issues or something they can come to the sub-team syncs, and this team's responsibility is to raise those issues at appropriate platforms.

A
That all sounds good to me, so it sounds like this is ready for votes. I know, because I technically opened this, I can't vote on it.

E
Looks like I just, I just voted, yeah. So Terence has an outstanding comment, but, oh, I missed Joe. Yeah, Joe and Steven still need to vote too. Yeah, I'll request.

A
Terence here and then.

A
Joe counts for 25 percent of the core team, and we count for, each of us counts for less than that. I'll send you this thing. Yeah, all right. Well, maybe, I'm pretty sure that both Joe and Steven are in favor of this. Maybe we can just pressure them a little bit. It's too bad they're not here; this is usually the forum for doing that.

C
Cool, all right. I added that one, just wanted to, you know, congratulate a new mentee coming in through the LFX Mentorship program.

A
Remember to give them a big welcome next time. Okay, up next: EU-friendly meetings.

C
I know David Freilich is closer to that time zone than this time zone, and he has not been able to attend a lot of the meetings, which I assume might be in relation to the time zone differences.

C
I know Sam just joined our team as a maintainer, and, you know, same thing for him. I would maybe want to be considerate to his time zone. So yeah, I don't know what the real action item here is, but again, I'd be happy to have an earlier meeting if that aligns better with the EU.

E
I think that's a reasonable expectation. I think we're gonna have to make a, a hard call. I think, like, Steven and I especially are going to have to do some serious surgery on our schedules to make that happen, but I think even Joe had started having conflicts with some of these meetings as well. So I think that's worth it. Are we thinking just sort of, like, leadership and working group meetings, or moving all of them, including the office hours and sub-teams?

C
For me, I think the mentality or philosophy should be all of them, right? But I think maybe the action item for this would be, like, a Doodle, right, where people could just throw in their, their times, and that way we try to land on something that's a little bit more in line with everybody's. But we could focus on the major meetings, like working group and office hours. I think leadership is also one, but I think that's outside of this. Yeah.

A
Do you wonder, so, like, now we have some representation from the EU. I think it would make sense to move this working group, because some of those people are heavily involved in the project. Do we want to keep, like, office hours in a Pacific-friendly time zone like it is now? Like, is there any danger that we move everything to a time that then someone from California cannot attend, and?

D
I think so. Currently this is scheduled at 8pm London time. The typical times that I find which work for both, like, EMEA, New York and West Coast is, like, somewhere between 10 to 1 GMT.

E
I mean, like, that's gonna be, that's going to be too early for some people. That works for me. I think the buildpacks team is primarily New York now.

A
I know when I used to schedule a global manager meeting for Pivotal, we did it noon New York time, but I think that's still hard for David, who's even further east of the group that was scheduled to be best for. So maybe we could try, like, 11 New York time, so it is early for California, but it's not super early. Like, everyone has to suffer a little bit, but they don't have to suffer quite as much as David would have to suffer now to attend this meeting.

D
Also, do, like, one meeting which is EMEA-friendly and one which is, like, West Coast-friendly. So maybe move one of the meetings that's easier for New York folks and EMEA folks, and one which is on the other side.

C
So what if I create a Doodle and just pass it around, put it in a public Slack somewhere? And then people could just kind of vote, and.

C
And I'll focus on the working group as the first meeting that we'll trial this on. I guess one of the other things, Sam, you mentioned, like, having two meetings for certain things, and I know that there's other projects that have done that, and, like, one of them is always lacking, and so they eventually just, like, kill one of them, and they ended up killing the one for me. So I was like, okay, fine, I guess I'll, I'll get up at six in the morning. Yeah.

D
Yeah, I think we talked about this last time. I don't know if you want to talk about it now or during the office hours, but I did a bit of investigation on the different formats with some examples, and I also tried to run, like, one of the out-of-the-box container scanners that CycloneDX, well, one project that implements the CycloneDX spec, provides, on, like, an app image created by Paketo buildpacks.

D
I would imagine the output would be similar for Heroku or the Google Cloud ones, and I was just wondering if anyone was interested in looking at those. Or should this, like, should the RFC be literally, like, a full-fledged description of all of the different formats, going into depth and comparing them, or should it just be, propose one format and see, like, put.

E
Yes, okay, so my feeling is the RFC should list every candidate, every real candidate, and make an endorsement of one or two. Maybe, like, list the other ones in alternatives, so that there's at least a place for someone to raise an issue saying, hey, I think this is better, for a reason why. But we should have an opinion going into the RFC.

D
Node.js sample project from Paketo. This I had to pipe through yq, or whatever it's called, from the JSON format that CycloneDX supports. This is the original CycloneDX JSON for the same app image.

D
It's, I, from what I've seen, they're very license-heavy, and they have less to do with, like, provenance or fixing, like, or, or the security side of things. Like, SPDX, from the examples I've seen and the conversion that CycloneDX exports, seems to be license-heavy, and some of the default CycloneDX tools use heuristics to determine licenses. So a lot of the output into SPDX ends up being empty.

D
Those heuristics depend on the language and ecosystem, so for languages that have first-class support for including license metadata in their package distribution, that's fine, but for others it, it's just a matter of scanning it appropriately. But CycloneDX does support the superset of SPDX.

D
A CycloneDX tool exists in that specific language to generate the BOM automatically from those typical files, like requirements.txt, package-lock.json, or go.mod.

D
There's also a Go library that implements, I believe, most of them, but not all of them, which is also what I used to generate these BOMs for, for the Paketo containers. Let me just get that link.

D
It also has a complementary security scanner that can do both: generate the BOM and, like, reference a security database to match vulnerabilities, at least. So, in terms of tooling, I tried to do similar research for SPDX.

D
There was one tool I found which was written in Python, which tried to, like, untar the container and, like, do some weird shell commands to inspect them. The syft tool took less than a second to scan the app image; that Python tool, I gave up after two minutes while it was still, still scanning the image and generating the SPDX. The other thing is, SPDX currently is not structured in, like, JSON, TOML or YAML.

D
So the, how CycloneDX works through it is that it tries to convert its individual JSON or TOML. So CycloneDX has first-class support for XML and JSON; there's no first-class TOML support, but it's fairly easy to convert between JSON and TOML, and we output the BOM on the label as JSON individually. So how CycloneDX converts to SPDX is it takes, like, some of its, like, provenance keys and converts it, or the license keys, and converts it to that SPDX tag format.

D
Unless you want to, then I, I didn't consider SWID because that, just, like, I couldn't find any information on it. Apart from some random US government websites and articles, I, I really don't know what, or what kind of tool, tooling existed on SWID.

D
I think it, so the, CycloneDX doesn't scan files individually; SPDX does. It looks at each individual file, or source code file, and can generate a tag for it, for you. CycloneDX treats packages as, like, as a whole, and it has ways of you telling it that you've made modifications to an original package, either through patches or commits, or some other changes that you may have made. But so it uses this scheme called purl to, to, to say that.

E
Yeah, yeah, don't worry about it, but you're answering my question. So, like, one of the phrasings you used there, Sam, though, like, is kind of a red flag for me. You said, like, SPDX scans for individual files, but, like, really this, that, that notion, the idea of scanning, is totally an implementation detail, right? We're just going to write the values into these things.

D
The other thing that's missing in SPDX is dependencies. You can't say this file and this file are related in this way. It, it's, it's a, from what I've seen, it's mostly a flat list.

D
Yeah, the, the other great thing is, I also used it to scan, like, you can use it to scan operating systems, which SPDX doesn't, like, again, it's not a first-class, it isn't there. So things like stacks, and what exactly defines a stack, are, are fairly easy to determine once you have, like, an SBOM in CycloneDX format. So there are tools that will take a base image, figure out everything that, that's there that describes that operating system, and put it in the SBOM.

D
One other thing that we may be interested in is this purl thing, which defines a notion of how dependencies from different ecosystems can be defined. I know we've, like, we've struggled a bit in the past, like, saying that this buildpack is only conformed with this stack, or, like, we have introduced this idea of mixins.

D
I don't know if that's one other thing that may, that we may be interested in looking at, like, the purl specification on its own, if that makes sense to adopt for other things. But in terms of generating a final BOM, it looks like CycloneDX is more than, it was made for the kind of issues we are facing today, rather than, like, license checks just converted to SPDX, and.

D
It's, it's, it, it accepts SPDX type, so SPDX is identified for licenses. It goes in the SPDX tags, so it, it reuses them so that you can convert it to SPDX.

D
Yeah, so I think that's also mentioned in that same link I put, which is, like, different ways that different security scanning tools identify packages. So yeah, for different kinds of components you have different types of, like, package identifiers. I've not looked deep enough into the tooling, if, with, for all of these two links, whether, like, they provide some sort of conversion between these tags.

E
That, yeah, I don't think that should be in our interest. Like, just looking over that thing, that link that Sam just sent, Emily, like, it feels to me like the answer is either, like, CPE is dedicated, doing SWID for operating system packages and purls for everything else. Right? Like, I wouldn't think that we'd fill in both of those, but, like, you gotta, you gotta put a bit of that onto the security, the vulnerability scanners, to, to understand that they're effectively two different databases of IDs.

D
The other good thing is that CycloneDX also has a merge tool, so you can take separate layer TOMLs, for example, which we will now put BOMs in, and merge them to create the final BOM for the container. So that specification is also laid out, which I think may have been. The other question is, like: how do you combine conflicting things, or.

D
So one other thing: if you, if you look at, like, the, the TOML representation I put in for CycloneDX, it just, wait, let me post that again. So that again needs, like, it needs that BOM format, spec version, serial number, version, etc. on top. You would have to figure out some way to specify that. I don't know if we just want to shove this whole table under the metadata table and then, like, unwrap it when we export it out, or should we?

A
It turns out that if we sort of thought of labels as having no practical limit, in that, yes, we want to get, getting the config blob to be a quick operation, and theoretically really long labels could slow it down a little bit, but it didn't seem to have huge practical consequences. But it seems like you can basically take down an entire k8s node if you have really long labels, because the kubelet is asking containerd over gRPC for basically the config of every container, and there's a message.

E
Yeah, like, my one, can, like, I, I totally empathize with that concern and that solution to it. One of the things that we struggled with originally, or, like, in the older versions of the buildpacks, is now you're going to need to convince every single security team, like, vendor, that they need to know to look at this CNB-specific label to go find out which layer, and then download that layer, and then extract a file from that layer, and then come up with an answer, versus they're already prepared to read things from a label.

A
I'm not sure if they're prepared to read things from a label exactly the way we've defined it. I feel like there's no great standard for, like, co-locating a BOM with its image right now, and there's some desire to solve that in Notary v3, I think, with the introduction of a new artifact type into the OCI spec, so that you could then include a BOM artifact along with your image and sort of unite them together as a first-class OCI concept in the registry.

A
I don't think we're anywhere near a world where we can count on using that, because it's still being defined, and even after it's defined, then there's the wait for every registry under the sun to roll out support for these artifact types. I think that's, like, the very long-term end game, but for now I think we're already doing something custom: we're not using a well-known label. There is no well-known label.

E
Yeah, but, yeah, that's definitely a problem, but I don't think anybody's actually thinking of, I think the reason no one knows about the kubelet limit is, like, nobody's even doing BOMs this big, right? Like, to be clear, the, the, the labels that we're breaking things with are not our bill of materials. Our bill of materials is actually even on, like, a full, detailed Java.

A
Okay, especially if, you know, if you do a really good job at this and get the dependencies, like, do the whole transitive tree, don't, like, bottom out when you hit an artifact. Like, a really good BOM implementation, I think, puts us in danger of creating images that take down k8s nodes. I feel like that would not be a good look for buildpacks as a whole.

E
Is introducing our own, like, writing this into a special place in a way, in a layer, and having a special label that points at it, because I don't think it can be part of, like, our metadata label. If we want security vendors to adopt it, it'll have to be a dedicated label for it. Like, is that better than us exerting the effort to try and get it into a standardized place, like, working with the other bits of the community?

A
I just, I don't see that as being a solution that, even if we put all of our effort into it, would come to fruition soon enough.

D
So, like, if you want to record metadata, like, from inside the container about the container, so, like, for example, certain package versions, or typically, when you're doing, like, ML experiments, for example, you want to figure out, like, which libraries you're using and record that somewhere as, like, one of your parameters. I don't know if that makes sense, but that.

A
I honestly think that for most people, like, you know, maybe if platforms provided a way that when you ran a build, you got this back as a file, like, rather than trying to convince all these scanners right now to, like, adopt our temporary standard for where to find this automatically with an image, like, people could just be managing it themselves, if we, if we provide an easy way for them to get it.

C
Yeah, I was going to say that at some point I think I was under the expectation, or desire, that the BOM would be file-based, similar to, like, report.toml, right, where we would have it in a physical place that then could be uploaded, similar to, like, code coverage results or something similar like that, to a secondary tool that then does a lot more of the tracking itself, as opposed to going to the registry and scanning the registry itself.

D
I mean, we technically have a command right now, pack inspect-image --bom. It looks at the label; we could just look at the file. The interface remains the same, you get the same output back, and I think kpack also has a similar CLI tool that can generate the BOM as a file from the image metadata. So that's the stuff I know of that can.

E
Do this, yeah. We've already got the abstraction over it. So the, so it's interesting, Javier, what I heard you saying actually is, like, more than one artifact is created, not that it's still inside, but, like, you know, sort of, when a build is complete, in addition to having an out, an image that was output, some stream of bytes has returned as well. Which actually, I think that aligns, actually, like, with VMware's internal goals.

A
A lot of people want to take it out of the image and put it somewhere else. I do think there's one really strong case for wanting it to be in the image and not just always separate, which is in the case of image signing. Like, you can then, in some ways, your BOM has been signed with your image. I don't know, like, I think.

D
And we can have both, right? Like, so the other use case I'm thinking of is image relocation. You take the image, you promote it somewhere else. You want the BOM to go with it, along with the signature, ideally. So if the BOM is within the image and you can regenerate the BOM fairly quickly from the image, and, like, tools like pack provide, like, a pack inspect-image --bom, given any image, and output that file, that's great. So once this file is generated, you can either push it as a separate artifact.

D
Ingenious, in the way it currently works so easily, and I mean, whenever asking these sort of questions, it's always easier to just answer with: why not both? I don't think we are hurting ourselves by putting this in a place where we can regenerate it easily and shove it into other places if you want to.

C
Yeah, I think I would say, like, the worst option is putting it in a label, basically, all things considered. I saw Matt, or Matthew McNew, unmute himself a couple times. I don't know if he had anything to say. Moran.

B
I was just going to reiterate what Emily says: I'm going to go about the problem with putting the BOM outside of the underlying images, and the signature that you have doesn't point to the thing that actually has the signature. cosign itself doesn't really have that problem, right, because it itself is creating the.

D
Signature. The other place, if you want to hack into cosign, is cosign has this idea of free-form annotations, while it starts with the, the certificate, and you can just put arbitrary stuff in it, so you can also populate that with the SBOM if you wanted to. I don't know if you want to do that, but.

C
Did we confirm that annotations don't exist, or aren't persisted in some form or fashion?

D
Yes, there are still other open questions around, like, how you want to change where you, where we want to allow buildpack authors to put all of this metadata in, because a lot of these tools just can generate a file. So it might just be easy for the layer TOML to reference a file instead that has the CycloneDX form, rather than trying to repurpose it into the current metadata table.

A
We, like, just, I just merged today an RFC for putting the BOM in layer TOML so that it gets restored on next build, so that if you're using a layer, you don't need to regenerate the SBOM, which is particularly important for launch-only layers where, like, maybe you don't have the contents to regenerate it from. So, so far, making this work is really dependent on us filling up the layer metadata with everything that you could need to do the SBOM, or, like.

D
Yeah, that's what I was thinking. I mean, in terms of a tooling perspective, if you're using it, if you're shelling out and calling one of the CycloneDX tools, it may be easier; if you're using it as a library, then it doesn't matter. I guess you can just convert it in memory and store it into the image data.
