From YouTube: CNCF CNF WG Meeting - 2021-10-18
A: Again, we'll be starting in a moment. Please go to the meeting minutes and add your name and any meeting points you would like to make as well, and we'll get through those as we get... I'll just paste the link in chat.
A: Okay, and we're off. So, I trust... I was out of the country, I am out of the country in fact, so it made it a little difficult for me to attend some of the KubeCon stuff that was going on last week. But just as a matter of interest, for those of you who were there or who were paying attention online: any comments that you want to raise on that, any interesting feedback, any thoughts?
B: Well, we missed having you there. A lot of the stuff had gone virtual, so there were definitely a lot of people missing, but the big theme, at least from my vantage point, seemed to be a focus on supply chain defense, and I think that this is something that we will be able to capitalize on in the long run. Despite the fact like...
A: Yes, I agree. I mean, the work I've been doing, you know, within Cisco, oddly, for the last couple of weeks has been supply chain defense work as well, or discussions of this.
A: You know, how you ensure that the thing you're running is the thing that your developer produced for you and that it didn't get tampered with on the way. And I think actually we mentioned that in one of the sessions that we had. I mean, there would seem to be no consolidation and two standards available for how it's done, and I think it depends on what you consider to be end-to-end security, as in: when is the very last moment at which you can check the contents of a container image to ensure that it's what you intended to run, or, I would guess, a Helm chart or anything else that's involved in making these things work.
B: Yeah, and this is definitely going to get broken up into multiple problems. The very first problem is going to be how to define what's in your artifacts, and to do this recursively with the vendors you bring in as well. So you, not you as a human, but you as the company, produce an artifact, and then you can say, well...
B: These are things that we brought in, and here's the evidence of what they brought in, and so on and so on, until you've hit some bottom turtle somewhere that represents the actual...
B: The actual leaves of the grass. And I think part of it is a lot of people will, and rightly so, point out that, oh, this doesn't solve supply chain security, and they're right, but it is a component that can lead into building a strategy to help raise the bar and the cost of performing an attack. And so over time these particular artifacts would feed into more dynamic systems, like things to work out what's currently running in your infrastructure, as opposed to where...
B: Where was this thing built, and should I gatekeep on it, based upon a CVE database that eventually gets populated, so that you can gather what your risk is over time and try to work out how to prioritize your resources to make sure that you upgrade things in an efficient way. So I don't think it'll solve all the problems up and down the board, but if it helps people better make use of their resources in that process...
A: Well, I have one question there, an audience participation question. I think, between the people who are, you know, developing a CNF and putting it together, and the components they use within that CNF, and the people who are running the CNF: whose responsibility is it to make sure that the CNF is built of suitably secure, reliable components?
B: I think that there's a couple of things to look at, because one of them is: I may have a set of artifacts and I may say I brought this thing in, but how do you know that I followed the process and that I haven't injected something in the middle of that process, through a compiler that's been infected, or someone just attests through a key that's been stolen? So there are definitely gaps that are there.
B: There are some things that you can bring together to try to help towards this. Like, you may say, oh, we're going to use a repeatable build, and we're going to repeat that build across multiple systems that have different owners. So you could do something like that; of course that drives the cost up. So it depends entirely on how much you're willing to do towards making that end meet and how much people are willing to spend, because every control you bring in has a cost.
C: You can look at things like the recent executive order of the US administration about software bill of materials, where it's mandated that every software supplier will provide a software bill of materials with all those dependencies of the software when they provide it. I think it currently addresses suppliers of software to the federal government, but I think that can be adopted widely in the industry. So I think there's some responsibility of the software vendor, but probably it won't end there, and that would be just one step of securing the end-to-end supply chain.
B: Yeah, absolutely, and the executive order also calls out critical infrastructure. So if you're running a power plant or something somewhere there, the question becomes what is critical infrastructure. The question that I do not know the answer to is: are service providers going to be considered critical infrastructure, and if so, when are they going to be considered critical infrastructure, because they may expand it over time as well?
A: Is that... I mean, it depends who you're working with. If you are using an open source CNF, then in all likelihood you have to build it, and the CNF bill of materials is under your control. Or, alternatively, if you're not building, if you're pulling a built item off of the internet, then the supply chain security is completely out of your control. You've literally no idea what anyone built it from; it's impossible to audit. If you're using a closed source CNF, which almost certainly is built from multiple components...
A: Is your supplier necessarily going to want to tell you every single version and every single patch of every single thing that they are using to build that? Because there's a certain quantity of intellectual property in that, along with a lot of actual hard work to make it possible as well, to be honest. So is it appropriate in all circumstances, or is it actually making more work and more difficulty than it would otherwise be?
A: To basically say it is your job to ensure your supply chain security, and, you know, via contractual terms, we indemnify ourselves against your flaws.
C: I think, yeah, the recent executive order doesn't leave it as an honor system, but mandates the vendors to provide this software bill of materials, so it's not up to their discretion whether they want to disclose it or not. I mean, of course, as you said, it's not in their interest and they might be reluctant to do so, but I think this executive order exactly enforces that; it makes them provide this bill. I...
A: I missed the context of the executive order, sorry. Which executive order?
C: So the executive order is... I don't know exactly what's the scope of it, what software it covers, but it mandates that software vendors provide a software bill of materials with the software they provide. I think it may be limited right now to critical infrastructure, but it mandates software vendors to accompany their provided software with the software bill of materials indicating all the components included in this software product.
B: Yeah, the first turn of the crank is: if the government buys your software, you must provide a software bill of materials, and my understanding is they're putting that as a full stop measure. So it will be a hard requirement if we're at least selling into the US government.
A: By the market we're dealing with. But again, the question I'm asking myself here is: will that stop people providing software under those terms? Would they simply refuse to do it, or what would they be... you know, would their ability to provide good software or innovative software be stifled by doing it? I don't know the answers to these, and you might say that I've got a, you know, a stake in this, that I don't want to be providing this stuff, and it's true, I don't, but that's a personal thing.
A: It just seems like a lot of work for actually not a great deal of value, but, you know, I don't know what the right answer is which gets the best result for all of us. That's my question.
D: You know, one of the things that I've noticed when talking to some of these kind of larger vendors is that what they are really pushing right now as a competitive advantage is this controlled supply chain, because they have no interest at all in showing their source code, which means that they've added a lot of work, from the Black Duck to the FOSSID to all these kind of source code scanning, and, you know, safe repositories and a lot of process.
D: We've been able to do that one, and that will be a lot of their competitive advantage when it comes to selling these, let's call it, black-box CNFs, which have some specific connections up to the management system so that they, through that system, can validate that that happens, for the open source or the more mixed ones.
D: So my view on this would probably be that, you know, you have to have a way of securing an open source supply chain, but in the proprietary supply chain, you know, this has been something that had been worked on for five or six or seven years for competitive reasons, to push this thing in, to make it, as we're feeling right now, in a very complex position of how it needs to be done. Does this make sense?
A: There will be, you know, a glibc that exists in the upstream repository. There will be a version that Red Hat ships, which will be older than that and will be patched up to hell, because that's what they do. There will be a version of Canonical's that is older than that and patched up to hell, because that's what they do. So I'm not entirely sure that I see that there is a clear end to that supply chain, the source, in this instance.
A: The other problem I can see is that actually, you know, as a company trying to deliver something... that's, in this instance we're looking at security, but reliability comes into this as well. Let's go with security for a second. As an operator of CNFs, I'm actually not as interested in where is this software coming from as who stands behind it.
A: Who is the responsible party if it turns out that there is a problem in this? And I might be able to get a jump on my suppliers as being terrible responsible parties if I am auditing the components of their software, but I'm not going to go back to the GNU project for glibc and say, well, you know, you broke my application and I lost millions of dollars and now I'm going to sue you. That isn't what's going to happen here. So, I mean, in the sense of this being a potential best practice...
B: Yeah, I'll tack on something real quick on that, and please continue. They do differentiate, in the standard ones that are catching on, they do differentiate between the creator and the supplier, and it does provide a path to provide that. So you might say the creator is GNU, the supplier is Red Hat, and Red Hat is the one responsible for the contents of this. So there is something for that.
A: On the other hand, if I'm trusting the vendor to tell me what glibc they're using, and be right, then why am I not trusting the vendor to tell me that they're not affected?
C: It's a good question, but I think up until now there was not much of a motivation for the vendor to, you know, constantly check for all these vulnerabilities. If it's now out there in the SBOM and they know they're under scrutiny, they have more incentive, maybe, to make sure they're covered, and that...
C: I'm not saying there was malice from the side of the vendor. I've been working for vendors for 30 years now, and there is never, to my knowledge, any malice or active hiding of vulnerabilities, but maybe having an SBOM there and having both the vendor and their customers be aware of that will make...
B: Yeah, and I think part of it is where they're trying to shift responsibilities. Like, before, responsibility was entirely on the vendors, and after getting burned by various attacks like SolarWinds, the one that the tax lawyer wins...
B: The government, I think, is trying to push some of the responsibility, like, if there's a problem, then you should own it. Step one of ownership is like, let's go trust the vendors and tell them, hey, you need to do something about it. That fails. You still own the problem. So let's move it up the stack and get more control.
B: If you cannot produce an SBOM, that could be an indicator that, from a process perspective, you're not mature, and you actually don't know where your software comes from internally.
A: Trust and verify, right. You can't, you know... if somebody's giving me an SBOM, then that's effectively me, you know, making sure I can verify their claims that they're auditing for security problems in potential source components. And, interestingly, we've moved a little way away from supply chain security here, but still. But, I mean, if they give me an SBOM and that SBOM is a lie or a fiction or out of date or simply made by tools that get it wrong...
B: Yeah, and the issue of getting it right: if it's a mistake, like your tool introduces output that's just wrong, I mean, that's one thing. If it's somebody who's lying purposely on that, then they risk being caught, and then it's literally illegal, and they can then add on the appropriate consequences for that. But that is definitely a relevant...
B: Yeah, that's definitely a major risk, like, from an SBOM perspective: what if the tools don't produce the right output, or the person doesn't figure it in the right way to do so? So a large part of this, I think, is going to be hinged on how easy is it to use the tools and how mature do those tools become over time. And it is definitely a major risk, especially now, in the earlier days.
D: And doesn't this go down almost into the development toolchain? That, you know, let's say there is a vulnerability somewhere in the code. You know, there are two ways that a company can do that: either they are extremely strict with what code they let in, and, you know, they only use their own code, or they have this kind of qualification process.
D: All the cool code: bring something that works, and then you start with the source code scanning, the application monitoring; you're basically running it in a test environment, that customer... that process takes a month before you can certify it and say, yeah, yeah, this thing actually works. And I'm guessing that that second option is what a lot of the larger vendors have been doing.
D: It doesn't really work well when you're having thousands of different components that can go wrong at various times, but the other option, of actually securing each and every component that goes into that supply chain, is also quite complex, because then you're stuck in the fact that you're actually, you know, using old components with bugs and security fixes that might have been fixed in upstream versions a lot faster, right?
A: These things are all potentially true, and I think the other thing that's always missed is that just because there's a CVE on glibc, as an example again, right, if it's in a function I don't call, then it's irrelevant. So security problems with components built into a system do not necessarily reflect security problems with the system. They are a question mark. They are not absolute.
D: So what you're almost saying is that we should segment the type of CNFs and the type of functions: if there are communication functions to the rest of the world or through other processes, or if they contain these, let's call it, larger attack surfaces, while other CNFs might be, you know, less valuable in that regard.
B: Yeah, and part of it is also determining where to spend your resources. Like, you're running an infosec team; you have limited resources, limited time to do any given task. So if this gives you a roadmap of being able to ask the vendors, hey, can you validate this, verify for me, versus not knowing where to spend some of your time, and also to look at the updates?
B: Like, someone comes over and says, we made a patch with glibc, and this has gone into our systems. Then it also gives an opportunity to put out bug bounties for those things and say, hey, we patched this particular thing, or we want to prove that this thing is not vulnerable to the CVE, because we believe it's been cauterized. If you can find a path that uses that particular code path, or exercises that feature, then you get a much larger bounty than the normal bounty.
A: Yeah, but coming back to our job: if we were recommending, in this instance, perhaps an interaction between the way that a developer chooses and incorporates components and the way that an operator needs to assure that the running system, you know, the actual CNF they've been given, is secure, what best practices... and again, they don't have to be perfect and they don't have to be comprehensive. They just have to be things that we can write down.
B: So I've spent a little bit of time looking at some of these things. I can write up an initial draft of what such a best practice would look like, and in the beginning it'll primarily be: use one of the tools that analyzes the incoming packages, the incoming artifacts, generates an SPDX or CycloneDX, either is fine, and signs it. If you're in the open source world, use something like sigstore.
B: You can use that with closed source as well, but basically you have something that is signed at a point in time that you can then provide downstream, and just as a first turn of the crank. Other turns over time will become, ideally, more easy to produce something, but also more rich in the information that it provides. But just as a first turn of the crank, and this is actually what they did in Kubernetes: so Kubernetes is now producing SPDX as part of their builds, and those, I don't know if they're being signed in sigstore...
B: Yet. If it's not, my understanding is that's the goal, and I know the people who wrote that code as well, so I'm happy to go ping them and see if we can get them to come in and give some advice.
B: Yeah, what's interesting with this: we don't want the vulnerability information directly in the SBOM. We want it to be something where the SBOM can act as a key to those vulnerabilities, because vulnerabilities change over time; they tend to grow. So the SBOM is designed to be a static element that you build, you sign, and it never changes from then on.
A: It's back again, sorry about that. It's going to be intermittent, because I am in the middle of nowhere in the UK and it leaves you with rural internet problems. Sorry about that, yeah. I trust you're riffing on the concept, but okay, Frederick, you've just signed up for this part of things: what we could do in terms of a bill of materials of software built into a CNF.
A: As I say, I think, you know, it becomes a broader topic of working out whether the software in question, and any given category of vulnerability on that software, actually makes the CNF vulnerable in turn, which isn't always a given. The supply chain stuff, back to the, you know, the build product making its way from whoever developed it to production running code without being maliciously modified, or its configuration being maliciously modified, those also exist, and I think we mentioned earlier that, yes, there are a couple of signing solutions out there.
A: One thing I have as a question at the moment is whether any of those signing solutions, or perhaps how far those signing solutions go, to end-to-end security. Because again, if I take a container and I store its tarball on my, you know, target node, and that tarball is changed at some point in time by whoever, then when it's unpacked and it's run, then it's been tampered with. It's no longer what I intend it to be.
A: So there are questions there about how far, from an end-to-end perspective, you can take that. And obviously the start is the same question, right? If I'm building something, then the signature of a container is typically calculated by my build system. But what goes into that build before it's signed is, you know, potentially alterable, so same kind of thing with that security.
A: It's almost the question of how do I ensure that the BOM that we're talking about here actually is what's reflected by a signed component. Again, more questions than answers in my head at this point in time.
B: Yeah, and these also, these are some of the conversations that we're going to have in time. Like, there has to be somewhere where some entity is performing that attestation and absorbing the risk and saying, like, I, as company X, declare that this thing is accurate to the best of our knowledge and that they followed some process. And they may even be required to provide, in the long run, some process information on how something was built, which they could do with something like in-toto, which basically says...
B: I followed this process, as I am this role, and I follow this process, and you can define the various roles that led up to it. But the end result is that there has to be something there that you can anchor to, and if it's open source you're pulling in, that entity is absorbing the risk of having selected those open source tools and ensuring that the source code coming in is, to the best of their knowledge...
B: One of the things, and I'm going to be going around the circuit talking about the specific thing: we want to make sure that the entity that is considered to be responsible, or signing for it, is a company and not necessarily the name of a human. And so the company may maintain an internal list of names, but we don't want the legal name of the humans to be within the SBOM itself.
B: ...state actors to target, like, which humans do I need to go shake down in order to make a change. So if it's a large vendor, or a vendor of a company, you don't have that roadmap, but you trust the company maintains that.
B: Yeah, but even with curl, like, you have the individual who makes it; when Red Hat pulls it in, they have people who are responsible for ensuring that the software that comes into the platform is... yeah, yeah. So.
A: This works. That's what it always comes down to; that's what responsibility is: that the consequences land somewhere, they don't just fly around. And ultimately, if you haven't... it's a form of insurance in a sense. If I'm running a CNF and it uses curl, and I don't check curl, and I get it from a vendor who makes no promises about the quality of it, or I just pulled it off the internet, then when it breaks, all of the consequences land on me. I bought that for myself.
A: It's both, normally. I mean, I want to know the liability for it not working. It's not for us to choose, or at least we could, to be fair, make recommendations, that's precisely what we do, but it isn't necessarily for us to make the final choice. So if somebody says, well, it's all right as long as you fix it within five days, then yeah, that's great. If that's what you choose, think, oh, you know, knock yourself out.
A: There are plenty of people running, you know, production networks who would say, if my network goes down for more than 10 minutes, then I will be charging you a million dollars an hour, or whatever. But again, the actual nature of the contract is fine and good. It's really just a matter of saying I got this from you and I can prove that I am running exactly the thing you shipped, which means that you are in fact liable for all of its failings.
A: So, I mean, an operator of software, or anything else, is effectively not saying that the software that they've been given, in much the same way as routers die eventually, they're not saying that the components they've been given are perfectly reliable and will live forever and will work perfectly. They're saying that they can deal with whatever consequences are left after the guarantees they've been given.
A: Yeah, it comes down to... I would take this from: there is a big picture to solve, and that big picture is going to take some solving, in terms of, all right, when I bring all of these exciting components together, then where do the biggest risks get introduced, and how do I mitigate them? But we can also take it from the other way around, right? You said that it is useful to have a manifest for a CNF, even if all it says is, hello, I am CNF version 145. But it might also say, and I'm built of these things, and it is important that that manifest ties back with a signature, because it's the only secure way of doing this, to someone who owns the thing, the CNF, and some degree of responsibility on this. So we know that manifest is signed, and we know that the thing that manifest refers to is also signed, to avoid tampering and change. We could probably put best practices together around that, which is, you know, there will be a manifest.
A: It will contain at least... and it may also contain this sort of thing. I would, you know... I don't think you can solve the world's problems. I think, if you could, then we'd have effectively solved problems in a lot of other industries besides our own, but I think you could at least nibble away at the corners, right? There needs to be a manifest. It will contain these things.
A: Yeah, so, I mean, all I'm saying is, and oddly this is a pitch, though I seem to borrow the same pitches internally and externally, but it's something I've been saying to other people internally this week: it is not important to get to understand your end goal and to write it down as a piece. It's important to write down the start of this in a way that you can add to it. So my thinking here is, if we know there's going to be a manifest, we know there's going to be signing.
A: Well, there's usually a lot of vocal people on here, and in fact I think it's been me and Frederick and maybe CJ that have been doing all the talking today. So I should probably apologize, but anyone want to pitch in on that? Are we going anywhere in the right direction with this?
C: I think there was a good discussion here, and one thing to remember: it's not just our problem. As Frederick mentioned, the Kubernetes community as a whole needs to deal with it, or the software industry as a whole needs to deal with it. So I'm feeling that we don't have very good solutions right now, but at least we're aware of the problem. So I think, as...
A: Okay, running scared, all right. Now, again, my network is terrible, but at the moment I am looking at the agenda and I'm saying that we've run out of agenda. So did anyone have anything else they wanted to raise today?
A: Okay, get writing your papers now.
B: Seriously, they've been pushing the CFPs earlier and earlier because of the size, so...
A: Hello, I'll come back, yeah. Sorry about that. All right, again, if there is anything else, then now is your moment. Otherwise I will give you the last sort of 10 or 12 minutes back and you can go on with your days.