►
From YouTube: OmniBOR: Bringing the Receipts for Supply Chain Security - Frederick Kautz, SPIFFE/SPIRE
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
OmniBOR: Bringing the Receipts for Supply Chain Security - Frederick Kautz, SPIFFE/SPIRE
Supply Chain requirements got you down? Getting an endless array of false positives from you ‘SBOM scanners’ ? Spending more of your time proving you don’t have a ‘false positive’ from your scanners than fixing real vulnerabilities in your code? There has to be a better way. There is. Come hear from Aeva and Ed about a new way to capture the full artifact dependency graph of your software, not as a ‘scan’ after the fact, but as an output of your build tools themselves. Find out when this feature is coming to a build tool near you.
A
So
today
we're
going
to
talk
about
get
bomb
now.
Originally
this
talk
was
going
to
be
given
by
Ed
warnecke
and
Ava
black,
but
Ed
warnicki
gots
iced
in
in
Austin
and
Ava
black
came
down
with
an
illness,
and
so
we
went
down
through
the
Rolodex
of
various
other
omnibor
or
people
who
are
present
and
I
was
top
of
the
list.
So
so
please
excuse
me
the
slide
deck
is
not
one
that
I
that
I
wrote,
but
I
will
do
my
best
to
give
the
spirit
of
the
of
the
talk.
A
I
did
write
a
significant
portion
of
two
of
the
six
implementations
of
omnibor,
so
I
can
definitely
answer
questions
on
the
technical
side.
Please
raise
your
hand
and
interrupt
me
if
you
have
questions
along
the
way,
because
it's
better
to
get
the
questions
out
as
we
go
rather
than
let
them
sit
and
linger
because
there'll
be
other
people
with
the
same
set
of
questions,
and
but
it's
up
to
you
on
how
you
want
to
deal
with
that.
A
But
if
we
go
back
in
time,
we
actually
can
see
that
much
of
the
much
of
the
work
that
had
been
done,
that
led
up
to
to
omnivore
was
the
creation
of
spdx,
which
was
launched
in
February
2010
and
before
that,
where
some
of
that
working
from
was
from
initially
the
an
industrialized
s-bomb
that
would
have
been
done
at
Cisco,
where
Cisco
had
a
requirement
to
know
exactly
where
all
their
infrastructure
or
all
of
their
stuff
was
coming
from.
So
they
can
work
out
what
let's
make
it
work
out
where?
A
A
But
at
the
same
time,
much
was
learned
so
again
back
to
the
timeline
Colonial
pipeline
hack
may
6..
Take
a
look
at
the
Timeline
between
May
6
to
May.
12Th
was
the
time
between
when
they
and
actually
what
this
means
is
that
they
were
actually
working
on
the
on
the
release,
but
they
were
just
waiting
for
the
opportune
time
to
actually
release
it
out,
and
this
was
huge.
So
the
timing
was
perfect.
They
launched
it
got
got
the
support.
A
The
first
omnibor
talk
well
at
the
time
was
called
gitbomb,
but
now
the
first
omnibar
talk
occurred,
May
28th.
We
actually
were
doing
a
lot
of
work
before
this
as
well
to
lead
up
to
it,
but
we
ended
up
talking
about
like
amongst
each
other
and
and
having
like
various
private
conversations
between
people
we
launched
it.
You
know
we
actually
did
the
the
community
launch
in
February
of
last
year,
so
it's
slightly
under
a
year
old
when
we
announced
it.
A
A
So,
however,
one
of
the
things
that
we
did
and
especially
Ava
black,
was
absolutely
fantastic.
With
this
for
six
months
went
around
and
spoke
with
various
people,
so
she
would
listen
to
to
what
people
have
to
say
about
about
the
space,
usually
over
a
cup
of
tea
or
coffee
or
something
similar,
hence
the
hence
the
the
baby
Yoda
and
found
that
there
was.
There
were
issues
around
how
s-bombs
were
were
done.
A
But
in
order
to
answer
the
question
whether
you're,
safe
or
not,
you
also
have
to
look
at
again.
We
saw
The
Rat's
Nest
before
you
also
have
to
look
at
the
Simplicity
of
the
thing
you're
doing,
because
you
cannot
answer
that
question
if
things
are
too
complex
and
if
things
are
too
complex,
there's
no
way
you're
going
to
be
able
to
get
everyone
on
board,
and
so
we
found
We've.
A
Many
of
us
on
on
the
on
the
project
have
significant
distributed
systems
experience,
and
so
we
aim
towards
things
that
are
more
simple:
to
try
to
keep
reliable,
try
to
keep
it
performant
and
also
so.
You
can
actually
reason
about
the
security
I
want
to
make
a
point
here.
There's
actually
great
talk
by
I
think
it
was
about
15
years
ago,
maybe
at
strange
loot
by
a
guy
named
Rich
hickey,
who
created
the
closure
language.
A
The
talk
was
not
about
closure.
The
talk
was
about
simple
versus
easy.
Just
because
it's
something
as
simple
doesn't
mean
it's
easy.
Just
because
easy
doesn't
mean
it's
simple
and
very
often
you
can
get
lulled
into
the
idea
that
something
is
easy
and
then
work
out
later
on
that
when
something
breaks
you
now
have
this
massive
Rat's
Nest
that
you
have
to
do
you
have
to
deal
with,
so
we
wanted
to
avoid
that.
A
When
you
look
at
the
complexity
of
something
so
on
here,
we
have
a
very
simple
example
of
a
line
graph
and
you
think
okay,
well,
I
can
actually
use
two
points,
X
and
Y
in
order
to
identify
where,
where
something
is,
if
you
change
your
perspective,
you
actually
only
need
one
number,
because
you
could
say
well,
let's
angle
ourselves
in
such
a
way
that
we
only
need
one
number
in
order
to
identify
where
things
where
things
are
actually
at
so
part
of
what
we're
looking
at
is
well.
How
do
we
change
our
perspective?
A
A
We
worked
out
if
we
make
it
a
little
bit
smaller
a
little
bit
smaller
there's
you
know
what
what
actually
gets
to
the
heart
of
what
we
want
to
do
so,
there's
three
simple
questions
that
we
that
we
ran
that
we
came
across
the
first
one
is:
what
is
the
identity
of
something
like
what
it
by
identity?
I
don't
mean
like
this
is
the
the
URI
or
URL
of
the
package,
or
this
is
the
human
name.
We
give
it
like.
What
is
the
canonical
identity
of?
A
What
of
what
a
thing
is
dependency
of
is
what
is
in
the?
What
is
in
the
artifact
metadata
is
things
are
not
in
the
artifact
that
are
not
the
identity
of
it,
but
are
something
extra
that
we've
learned
about
it?
So
we
have
to
have
the
ability
to
attach
metadata
to
whatever,
whatever
it
is
that
we're
doing.
A
really
good
example
of
metadata
could
be
something
like
the
the
license
of
a
project
could
be.
Who
who
compiled
it
is
is
metadata.
What
what
did
your
image
scanner
say
about?
A
We
asked
what
is
what
is
a
software
Art
Attack
artifact,
so
an
artifact
in
this
scenario
is
any
software
object,
that
is
of
Interest
one
thing
that
all
software
artifacts
up
to
now
have
in
common
and
who
knows,
maybe
in
the
far
future
this
will
change,
but
something
all
happened
in
common
right
now
is
that
they're
represented
as
a
byte
of
arrays.
It
doesn't
matter
whether
using
source
code
or
object
files,
jar
files,
python
or
python
C,
Deb,
bmrpms,
oci
images,
they're,
all
they're
all
represented
as
a
buy
as
an
array
of
bytes.
A
So
we
say
the
two
artifacts
are
equivalent
if
and
only
if
the
byte
array
of
one
is
equal
to
the
byte
array
of
the
second.
So
with
this,
this
gives
us
a
sense
as
to
what
a
unique
of
a
unique
artifact
ID,
of
course,
it'd
be
terrible
to
stick
the
whole
application
in
a
nest
bomb.
So
we
have
to
do
something
a
little
bit
smarter,
but
in
general
there's
three
properties.
A
It's
canonical
independent
parties
presented
with
equivalent
artifacts,
can
derive
the
same
identity
that
they
are
unique
in
that
two
non-equivalent
artifacts
have
a
separate
and
distinct
identity
and
that
it
is
immutable
that,
once
you
have
the
identity
of
something,
it's
not
going
to
shift
into
something
else.
So
these
are
the
three
properties
we're
looking
for
some
identity.
Non-Solutions
that
we
ran
into
was
you'll,
often
see
many
things
that
is
actually
prevalent
in
many
s-bomb
when
people
think
of
s-bombs,
it's
like
well
the
file
name.
The
file
name
is
the
identity
of
the
thing.
A
A
A
The
minimum
elements
of
an
s-bomb
which
I
am
actually
a
fan
of
I,
know
a
lot
of
people
rail
against
them,
but
the
reason
I'm,
a
fan
of
them
is
because
they're
very
simple,
there's
something
that
companies
can
do
today
that
move
the
needle,
but
also
sets
them
up.
So
if
they
can
do
this
and
then
they
can
do
a
little
bit
more
next
time
and
then
they
can
do
a
little
bit
more
of
this
year
or
next
year
and
so
on,
so
it
actually
gets
them
in
a
baseline.
A
A
You
compile
the
same
version,
we're
actually
coming
up
with
two
different
pieces
of
software,
because
in
general,
there's
maybe
around
3
000
line
or
three
thousand
files
that
actually
get
used
and
depending
on
how
I
configure
it
and
how
you
configure
it,
you're
going
to
get
two
different
outcomes
and
that's
assuming
that
the
bills
are
also
deterministic
as
well.
So
we'll
ignore
the
term
like
you
can
ignore
determinism
rather
pretend
it's
all
deterministic
and
you
still
have
the
same
problem,
which
makes
which
makes
us
all
sad.
A
So
it
turns
out
that
we
already
have
a
an
interesting
solution
for
identity.
So
if
you
look
at
git,
git,
actually
computes
an
object,
ID
to
be
the
the
identity
and
what
it
you
have,
this
algorithm
called
the
gitode
and
so
in
terms
of
a
getoid.
It
takes
the
contents
of
that
and
it
generates
a
20,
byte,
hash
or
I
should
say
160
bit
hash,
which
is
a
size
of
a
shot
one.
There
is
work
to
turn
it
into
shot.
A
Two
I
know
that
violates
the
immutable
immutability
project
property
you
were
talking
about
before.
We
actually
have
a
solution
for
that
that
we've
included
in
the
spec,
but
that's
but
we'll
get
into
that
later.
In
short,
the
it
has
a
solution
towards
that,
which
is
basically
that
you
have
a
goodoid
that
getoid
ends
up
in
a
file
system
which
happens
to
be
the
git
object,
repository
itself
and
everything
inside
of
that
is
identified
by
their
gitoid
and
so
what
we
did
with
omnibor
to
really
dive
into
this.
A
A
So
so
you
have
identity
of
that
object
and
the
and
the
identity
of
the
things
that
went
into
that
object.
So
that's
the
example
of
the
lowest
one
right
here.
You
have
getoid
of
each
of
each
file.
Those
all
get
wrapped
up
into
whatever,
whatever
those
things
came
together
to
produce
ends
up
with
its
own
gitode
that
is
unique
to
to
itself
and
and
that's
then
represented
as
part
of
as
part
of
the
dependency
graph.
The
same
thing
happens
when
you
go
further
up
where
you
have.
A
You
have
an
omnibor
document
that
is
consumed
by
another
omnivore
documents.
As
you
get
more
hierarchy,
you
say
that
the
particular
blob
of
a
particular
item
is
represented
by
a
omnivore
getoid
of
that
particular
thing.
So
what
this
does
is
it
gives
us
a
graph
like
you
can
think
of
it
like
a
I,
I,
often
call
the
the
Bor
a
a
bag
of
receipts
of
cryptographic
receipts,
because
at
that
point
it's
what
you're
doing
is
you
have
a
set
of
identity?
A
So
git
is
a
is
a
Mercury
masquerading
as
a
VCS
as
a
as
a
versioning
as
a
version
control
system.
So
does
everyone
know
what
a
Merkle
tree
is?
Is
there
any
people
who
don't
know
what
a
Merkle
tree
is?
Okay,
so
a
Merkle
tree
is
a
is
a
special
kind
of
tree
that
is
defined
as
if
you
have
a
hash
of
all
of
the
chil
of
all
the
of
all
the
sub
trees.
A
You
have
a
tree
that
has
several
sub
trees
underneath
of
it
and
you
take
the
hash
of
those
sub
trees
and
those
those
sub
trees
themselves
have
Leaf
elements
and
those
Leaf
elements
also
have
their
own
set
of
half
so
you're
looking
at
hashes.
All
in
such
a
way
that
that,
if
you
change
a
file,
it
only
changes
that
file
all
of
the
parents
of
that
particular
file
going
up
to
the
to
the
root.
So
that
way
you
don't
change
most
most
of
the
most
of
the
dag.
A
You
only
see
in
the
in
the
representation
the
changes
of
the
of
the
leaf
element
that
was
changed
and
the
parents
moving
moving
up
to
up
to
the
roots.
With
like
minimum
amount
of
changes
you
can
make
generally
from
a
growth
perspective,
the
the
growth,
the
growth
of
changes
over
time.
Each
change
might
change,
maybe
a
log.
It's
a
logarithmic
based
upon
the
quantity
of
data
you
have
in
it.
So
it's
very
efficient.
It's
the
reason
why
I
used
to
get
up
in
the
in
the
morning
I'd
go
to
work.
A
I
would
hit
SVN
update.
I
go.
Have
breakfast
come
back
watch
it
finish.
It
was
all
ruined
by
git,
because
I
did
get
it.
I
would
I
would
do
my
get
pull
and
then,
like
five
seconds
later,
I
can't
take
my
breakfast
that
fast,
so
Merkle
trees
are
the
is
the
magic
behind
it,
and
so
so
git
uses
that
it
uses
the
the
gitode
as
the
as
the
identifier.
A
So
you
now
that
we
have
this
like
dependency
graph.
We
don't
ask
the
question:
what
is
in
the
artifact,
so
in
this
scenario
we
have
the
identity
of
a
C
file.
Maybe
some
headers
and
those
go
through
a
compiler.
You
releases
out.
It
generates
an
object,
so
we
want
to
capture
that
information
and
then
and
the
same
with
the
other
side.
A
So
we
now
have
two
object
files
and
then
those
get
linked
together
to
create
an
executable,
it's
actually
more
complex
than
that,
because
you
also
have
shared
objects
that
may
already
be
present
on
the
system.
So
when
you
run
it,
when
you
run
an
application,
it's
not
just
the
executable
image.
It's
also
all
of
the
additional
dependencies
that
were
in
the
environment
that
get
pulled
into
it
through
your
through
your
through
your
operating
system,
which
also
have
their
own
set
of
things.
A
A
A
So,
in
short,
you
were
able
to
use
those
getoids
as
artifact
IDs
to
represent
the
whole
set
of
dependencies
that
come
along
with
it,
and
so,
when
we
mentioned
so
going
back
to
this,
like
just
to
repeat
you
have
your
artifact
like
this
particular
artifact
has
two
entries,
so
you
see
a
blob.
You
have
the
getaway
that's
attached
to
it,
and
then
you
have
an
artifact
with
artifact
three
has
its
own
Omni
board,
that's
attached
to
it
as
well,
in
lexical
order.
So
that
way
you
get
a
canonicalized
view
of
it.
A
So
you're
not
you're,
not
guessing
as
to
like
what
orders
did
I
see
things.
Everything
is
is
explicitly
ordered
by
by
lexical.
So
this
brings
the
question
of
metadata.
What
is
known
about
it?
So
there
was
a
great
comment
that
was
put
together
by
by
Jeff
who's,
another
omnibor,
Community
member,
and
he
and
contributor.
He
said
an
s-bomb
is
a
format
for
organizing
metadata
that
describes
the
makeup
of
software
artifacts.
A
So
in
other
words,
omnibor
is
specifically
about
the
identity
of
things.
It's
not
a
it's
it's
not
about.
How
do
you
store
the
the
metadata,
but
we
still
have
this
metadata
we
have
to.
We
have
to
look
at
so
we
have
dependencies.
All
the
stuff
in
Orange
is
stuff
that
is
within
omnibor,
and
you
have
all
of
the
purple
stuff
on
the
side
that
is,
that
is
metadata.
A
So
what
what
we
are
looking
at
as
a
pattern
is
that
the
metadata
can
use
the
getoids
in
the
orange
boxes
to
decorate
the
tree.
So
you
might
you'll
have
an
a
separate
database
where
one
of
them
might
be
I
ran
an
image
scanner.
Another
one
might
be.
I
ran
something
that
checks
licenses.
A
third
one
might
be
something
like
who
compiled
it
and
gave
it
to
me.
So
you
have
this
metadata,
that's
that
sits
to
the
side
and
that
metadata
is
actually
can
be
dynamic
because
I
run
an
image
scanner.
A
Today,
I
run
it
again.
Six
months
from
now,
it's
probably
going
to
change
unless
it's
a
very
simple
program
that
that's
yeah,
it'll
change,
so
so,
in
short,
we
we
want
to
make
sure
we
can
keep
this
separate
but
use
the
use.
The
Omni
bore
graph
as
the
identifier
in
order
to,
in
order
to
work,
to
work
out
like
what.
What
what
is
the
metadata
apply
to
so
getting
back
to
the
example
from
Jeff
omnibor
is
the
funnel
left.
A
So
in
that
scenario,
it's
it's
also
we're
looking
at
what
at
what
is
known
from
a
from
a
metadata.
But
it's
not
enough
to
know
what
is
known.
It's
also
important
to
know
how
how
it
is
how
it
is
known
and,
more
specifically,
once
if
you
can
understand
how
it's
known
you,
the
question
then
is:
can
you
trust
that
information
that's
on
there?
A
So
this
part,
this
particular
section,
was
written
by
by
Ava
and
Ava's
a
major
voice
in
terms
of
in
terms
of
trust
and
I'll.
Try
to
paraphrase
the
best,
because
this
was
her
part
of
the
slides
and
now,
to
paraphrase,
when
you
look
at
something,
that's
trust
trust
is
you
have
to
look
at?
What
is
it
that
you're
trusting?
Are
you
trusting
the
source
code,
that's
going
into
it
or
what
something
says?
Are
you
trusting?
Are
you
trusting
it
because
I
gave
it
to
you?
A
Are
you
trusting
it
because
my
signature
is
is
on
it
like?
What
is
it
really
where
we
root
that
that
trust
in
and
signatures
are
a
great
example
because
something
could
be
signed
like?
How
do
you
know
what
like
what
was
behind
that
what
was
signed?
What
what
was
in
it
like
signatures,
give
you
an
important
piece
of
information
but
they're,
also
very
limited
in
terms
of
the
total
quantity
information
they
can
give
you,
which
then
brings
us
back
to
our
sad
Kermit
and
by
the
way,
the
the
first
time
this
image
was
used.
A
A
Trust
is
not
a
property,
but
rather
is
an
assessment
based
on
experience,
a
declaration
made
by
an
observer,
not
a
property
of
what
of
of
of
of
what
is
being
observed,
and
this
is
super
important,
because
just
because
I
give
you
something
I
and
I
say:
oh
I
used
all
these
secure
development
practices
in
order
to
so
you
can
trust
it.
You
can't
trust
it
simply
because
I
followed
a
set
of
patterns.
I
said
what
you
have
to
do
is
observe.
A
What's
what's
around
it,
so
part
of
the
idea
is
like:
how
do
we
give
you
that
metadata?
How
do
we
make
sure
we
can
link
everything
together
and
pull
that
information
from
from
the
places
that
have
the
ability
to
actually
pull?
To
give
you
the
the
best
information
and
trust
is
also
Mike.
Purcell
wrote
a
book
on
trusting
in
computer
system,
of
which
Ava
was
a
editor
on
trust,
is
time
dependent
as
if
I
trust,
my
my
image
scanner
today,
but
am
I
going
to
trust
the
output
a
year
from
now?
A
Absolutely
not
it's
asymmetrical
and
asymmetrical.
The
best
way
I
can
describe
this
is
the
relationship
you
have
with
your
bank
is
not
the
same
relationship
your
bank
has
with
you,
and
so
it's
also
contextual,
like
you
go
into
your
bank
you're,
going
to
have
a
different
set
of
services
that
you
trust
them
for
than
compared
to
like.
Maybe
you
go
into
a
doctor
for
a
surgery
or
something
similar,
so
so
it's
contextual
in
that
response.
The
same
goes
with
computer
systems.
A
A
A
How
about
how
about
scanning
the
output?
So
how
many
people
here
can
say
what
kind
of
a
pie
this
is?
Is
this
an?
Is
it
an
apple
pie
or
is
this
a
is
this
pears
I
mean
for
for
me
if
it's,
if
it
has
coconut
in
it,
I'm
probably
gonna
have
a
bad
flavor
that
I'm
not
gonna,
like
I
got
a
I
got
a
friend
who,
if
it's
an
apple
pie,
it'll
it'll
need
an
EpiPen,
so
knowing
what's
inside
of
it
is
super
important.
The
same
goes
with
software.
A
You
have
to
know.
What's
inside
of
it,
a
scanner
gives
you
some
information,
but
it's
not
going
to
be
absolutely
perfect.
So
what
you
want
to
try
to
do
is
you
want
to
try
to
drive
that
to
something
that's
a
little
bit
more
accurate
in
terms
of
what
we
can
trust
and
we
can
actually
trust
the
build
tools.
So
we
look
at
the
build
tools.
The
build
tools
will
give
us.
The
information
have
have
the
information
they
have.
A
What
was
going
into
buy,
build
tools,
I
mean
the
compiler
itself,
not
Jenkins,
not
Maven,
or
the
make
file.
I
specifically
mean
the
build
tool
that
is
actually
doing
the
transformation,
and
so
we
can
trust
the.
We
can
trust
the
build
tools
to
give
us
to
give
us
more
accurate
information,
not
to
say
that
it's
100
perfect,
but
it's
the
it
is
the
best
place
where
we
can
find
that
information
at
least
get
some
form
of
attestation
out
of
it
in
terms
of
like.
What's
what
C
files
with
or
what
go
files?
What
headers?
A
That's
there
in
a
language,
heterogeneous
environment,
regardless
of
the
packing
formats
regardless
of-
and
the
key
here
is
it
has-
is
it
has
to
get
to
a
point
where
there's
no
developer
effort,
you
run
go
build,
you
run,
you
run
GCC,
you
run
a
rest
or
cargo
build
like
this
is
stuff
that
should
that
should
just
work.
It
should
just
give
you
that
information.
A
You
have
that
information
available
because
you
have
the
metadata
that
was
attached
to
it,
and
you
can
say
these
ghettoids
are
known
to
have
that
vulnerability
based
upon
where,
when
the
patch
was
in
based
upon
when
the
version,
the
version
it
was
first
found,
and
so
you
can
look
and
see
whether
or
not
those
files
were
included
as
part
of
as
part
of
the
build
and
also
in
the
future.
Let's
say
six
months
or
a
year
from
now,
another
vulnerability
comes
out.
A
The
ability
to
tag
those
those
particular
getoids
as
as
being
unsafe
is
something
that
would
be
of
huge
use
to
to
infrastructure
and
consumers.
So
in
short,
we
have.
We
have
construction
of
multiple,
multiple
systems.
Actually,
this
is
an
older
deck.
We
actually
have
two
others
that
we
have
so
we
have
go
rust.
We
have
work
going
on
in
llbm,
bombsh,
there's
also
work
going
on
in
GCC
as
well.
A
So
so
we've
been
working
with
the
compiler
communities
in
order
to
get
this
stuff
in
with
the
with
the
expectation
that,
if
you're
building
tools
you'll
be
able
to
use
that
those
annotations
to
to
generate
the
data
I'll
make
sure
when
this
gets
published,
I'll
publish
in
the
new
version
of
it
it
has.
It
has
the
additional
two
links
on
there
and
with
that
you're
also
welcome
to
to
join
and
and
get
involved.
A
A
Okay,
that's
a
good
question,
so
non
non-compiled.
We
can
take
the
the
omnibor
or
the
ghetto
weights
of
the
files
themselves
and
and
put
them
to
put
them
together
in
terms
of
saying
what
what
a
package
is,
what
what
a
package
is
and
also
analyze.
So
we
still
get
some
of
the
benefits
of
like
I,
have
a
file
that
has
an
own
vulnerability
that
I
maybe
pulled
from
another
project
and
then
be
able
to
tell
that
that
was
an
or
maybe
a
dependency
of
when
I
compile
in.
But.
A
Things
like
Python
and
symbol
and
Ruby
and
similar
are
a
little
bit
more
difficult
and
they
have
to
work
them
into
into
that.
We've
not
worked
with
those
particular
communities
just
yet
because
we've
been
focusing
primarily
on
the
compiled
ones,
but
we
definitely
see
ways
that
we
can
tie
into
it
like.
Maybe
when
you
do
a
when
you
load
in
the
python
file
or
load
in
a
ruby
file,
you
could
check
the
getoid
and
check
against
a
list
and
see
whether
or
not
you
want
to
accept
that
or
not.
A
A
The
question
is
whether
we
intend
to
capture
the
getaways
of
the
build
tools
themselves,
so
we're
we're
having
some
discussion
on
this,
because
if
you
capture
the
build
tools
that
does
affect
the
the
output
and
whether
you
want
the
zoo
effect
or
not,
is
sort
of
up
in
the
is
up
in
the
air.
There
is
integration
with
that.
We've
been
looking
at
with
a
project
called
in
Toto,
which
captures
those
build.
Tools
are
and
I
have
an
implementation
of
of
in
Toto
that
I've
been
working
with
to
to
capture
the
build
tools
as
as
getoid.
A
A
In
other
words,
like
I
ran
this
Transformer
or
preprocessor
I
ran
this
compiler
I
ran
this
test,
and
this
is
the
group
that
built
it
that
gets
signed
gets
stuck
into
maybe
a
six
door
or
something
similar,
but
there's
also
the
question
as
to
whether
you
could
trust
the
the
tool
or
not
and
part
of
there's
a
couple
things
towards
this.
So
one
of
them
is
when
you're
building
out
your
CI
CD
system
itself.
A
So
there's
there
are
things
there
that
help
with
some
of
that
observability,
but
at
the
end
of
the
day,
if
it's
about,
should
you
run
a
particular
piece
of
software
or
not,
you
still
have
to
root
that
trust
into
something
and
that
something
is
is
tied
to
do.
You
trust
the
agent
that
that
built
it,
and
do
you
trust
the
agent
to
to
try
to
capture
that
that
information
effectively.
So
you
still
have
you
still
have
that
issue
in
terms
of
build
trust.