From YouTube: CNCF Notary Project 2020-09-14
A
B
So I've pasted, I pasted a link to our roaming docs. We don't really have an agenda today. I sent out on the Slack channel, if anybody wanted to chat, I'm happy to talk about whatever anybody wants, or some updates that people are asking about.
B
We've been mostly doing work in distribution to make sure we can push and pull and discover artifacts, signatures, in a registry so that we can sign things. So it's, there has been progress, but the progress hasn't really been specific to Notary other than a little naval notary.
A
So then, that work for publishing artifacts, that and discovering artifacts, that's how Notary signatures would be discovered.
B
I, it's all to reinforce that, like the, we want to keep the root of the projects to be what will eventually be the reference implementation, the spec, on the projects that are in Notary Project, and then the forks that are in Notary Project are staging grounds for what we want to kind of figure out end to end now. In fact, I was talking with Chris about this today, because we, we want to make sure everybody unders.
B
In fact, I'm probably going to push some updates to the READMEs and the root of those forks to say, look, these are not forks that will be ever shipped by themselves. The idea is that these are forks that we're going to prototype and then experiences, and if we like them, we being this, you know, community, both here and the OCI group, then, as we get all the pieces coordinated, and we like that this works well with this other one, then we'll make PRs upstream to those projects, and those would come back down.
B
Share that the requirements, of course, is where we've started, and that's capturing what we're actually trying to do for goals, non-goals, scenarios and so forth, and then what you'll see is there's a bunch of other projects. Some are forked, some aren't. So the other one that's natively here is nv2, and you'll notice that the default project is prototype one, and this talks about the end and experience that we're trying to build around those requirements.
A
And tell us the distribution one have any nobody specific changes in it yet?
B
So that's, we've been kind of getting conversations there kind of staged for this, and I actually have to look at this. All right, so there's, five days ago, I have to go back and look at this again, but so that's the stuff that's happening there, and we have been making sure that all the PRs happen here.
B
So there's, there's the PR and the actual distribution spec. But if you look at nv2, the, we've been trying to lead with docs, so here's the, the various, the distribution proposal, and then there's, so this is the actual API. This was the conversation of what the experiences we're shooting for.
B
Second, public requests.
B
So here persistence, push, discovery, pull and then some examples. In fact, Sam provided some feedback last week, last Friday or whatever, and I had to go look through that today. But basically this is the one where we're talking about a couple of different options for how we would look things up.
B
So here is option one. Basically, there's a manifest that points back to another, the thing that you would actually sign, so we use the net monitor software as the thing that we're signing, and then there's another option here where we're actually using index, which is more native to a registry or how things are tracked.
B
There is an extreme to this where actually here is using index to sign another index where each thing is signed, and I'm purposely not going into detail, which I'm happy to go back, I'll just put some context, and then here's an even further, more true, accurate representation that instead of the index storing the signature itself, it would destroy another manifest.
B
So it's kind of a, an extreme, you know, clarity of implementation, which is a good conversation, questions whether we want to go that far. And then, okay, so that's the persistence model, and then we talk about how we would link those. So the most of this conversation has been more distribution spec focused, like the Notary folks that are pure focused on their signature stuff, like, I just want to get these signatures in and out.
B
So this has been the majority of conversations we've been having in the OCI distribution spec working group, with some overlap here of people, and then there's a discovery API that we've been saying, look, if I've, there's this reverse lookup model, because what you're basically saying is, I want the image, the image, any artifact, but I want to know what signatures were associated with this, because remember we have loosely coupled art, loosely coupled artifacts.
B
The signature is, does not, is not put directly on the thing that you're signing, because that would change its digest. They're loosely coupled and you have a collection of signatures that could actually happen later on.
A
B
Yes, I'm trying to see if there's a picture, it works. I like pictures and others like text, so, but it helps have both. The, let me use the non exploded version here, so yeah, so, and what the, so, if I push an image, I'll just use image as an example, this net monitor software.
B
I, later I'm going to push a signature and the signatures, you know, there's co, there's two of them in this case, one for Wabbit Networks, which is the company that distributes net monitor, and ACME Rockets, which is consuming it, but they want to have a signature that says this is good in my environment. The way distribution works today is you push a thing and you find out the thing that it references, which, of course, it needs to know at the time it's pushed, so normally that will be layers.
B
So that's the thing that we're trying to find, a, a reasonable API that would be used for signatures, that could be used for other things as well. So it's not like, it's not, we're not trying to necessarily special type signatures in a registry of both.
B
I, the interesting one is metadata, which I've got another proposal I'm working on, which probably wouldn't be stored as blobs, so not directly, although I'm, I'm thinking about it, because this, as well as the fact that, you know, like, the, the use of indexes is not used heavily in registries. In fact, number of registries didn't even support indexes until recently. What we're seeing is multi-arch manifest is becoming more used.
B
We're seeing that, and I'll come back to how this ties back. Basically, sorry, when you start seeing more uses of index, then you actually want to be careful about deleting any manifests that are consumed by an index. So we think the broader use of index, even from multi-arch, will surface this need to have APIs that help you figure out what is referenced by something, so just the generic use of index for multi-arch, the use of index for whether to be signatures or CNAB, which is a collection of things, or other artifact types.
A
Okay, well, thanks for that. I feel good, more questions. Anyone else want to talk?
B
Yeah, sorry, I might have confused it, so we have been struggling on global time zones and some of my own team is scattered around. Chiwei works and lives out of China, out of Shanghai. Avarol is temporarily in India, that's gonna be coming back to Canada, so within our own team, we've been struggling with that, rather than we, which, when we had a couple of meetings, there's a couple of topics that I really wanted to make sure, obviously, and Chiwei were there.
B
Yeah, no, absolutely, those are the Tuesday, sorry, the Wednesday at two meetings, yeah, yeah, and what we've been trying to do is make sure that anything that we are proposing, like, we were at some points just having things amongst our own repo, so, and realized, look, let's just be much more transparent about the work. There wasn't any secrecy or anything. It was just a matter of where this change is made. So we've been trying to get all the proposals pushed to these projects.
B
In fact, that's why, that was one of the reasons why we went and added, like here, if I just look at distribution, second, you're gonna see everything's got a prototype one, that's a default in the Notary Project, specifically, so that we can make sure that everything we're doing is kind of staged in a way that people can see and comment on.
B
Let's figure that this was mostly just a catch-up week, like, I was really just want to make sure, I didn't want to. We have been making progress, it's just not as obvious here, so I figured I'd hold the meeting.
D
B
Yeah, great question. It's, it's the balance of engineering actually making stuff possible and PMs trying to describe it and understand it ourselves. So what happened was, if you remember, a couple of weeks ago we've been make, trying to make progress, you specifically using TUF implementation, the, you know, the update framework implementation, and we were struggling on a number of different dimensions: which repos get used to go into it, the timestamp and rollback and some of the others. So Chiwei, who's knows the space really well and did our Docker Content
B
Trust implementation for ACR, had some ideas, but what happened was we couldn't figure out how to make them all work in the goal of what we're trying to do now with the ephemeral clients and some of the gaps. Rather than just, you know, shelve it, what we wanted to do was shove it without visibility. We wanted to take what he had thought and capture that.
B
So all that is, is like a shelf of some thought process and how we could persist it into the signature work, but there's a whole bunch of loose ends, like how do we have a, a second place of verification to make sure that the timestamp stuff is val, valid, and others. So it's, and actually not intentionally doesn't, it's, we didn't have the time to capture all the information about it, but we didn't want to lose the work in progress. So that's, that's why it's just parked there for now.
B
I'm trying to think of what, what context could I even provide that we were talking beyond what I just said? That's basically it. I mean, basically that's, like, if we were to serialize the metadata for the update framework into an artifact that we could push into a registry. That's what g was thinking about, all of the things that go around it. How do you maintain the timestamps? How do you make sure that an ephemeral client can get information from two sources to know that this wasn't just hacked?
B
Sorry, it's literally a matter of how we continue to make some progress versus, because what we said is we wanted to make that in a phase two, because we just felt like we were not making any progress by having all of that conversation, but we just wanted to capture at least where we're at. That's the best answer I have.
B
I, I'm hoping that we can get through this iteration of prototype one, if you will, pretty relatively quickly, that we can kind of, yes, we like this engine experience, yes, we like the APIs we're talking about distribution, which would, in theory, apply to the TUF metadata as well, and then we could come back and figure, like, how do we assure a rollback of a hacked registry when you, when the client isn't a trustable, well, not trustable?
B
The, the update framework kind of is based on the fact that the client knows what it was at some point, and if it talks to the registry, it says, hey, what do you have now, and it goes and it can figure out, wait, you've gone back in time, I don't trust you. Now, when the client has no information, no reference data, because it's a newly instanced object every time, we need some other place to get that information from. So that's, that's.
A
Well, the update framework is the one that handles rollbacks just by having very short time spans on signatures, right, or am I mixing things up?
A
Okay, so I mean, I, I guess one question there would be: is that gonna be a problem in terms of storage on our servers for restoring the artifacts under the signature?
B
Yeah, there's been a couple of, and those are great questions. That's exactly, there's a couple of questions that come about that, and it's been viewed as scalability, and so the, the update framework folks went off and did a whole bunch of scalability things and came up with a pattern that says they can distill this down pretty small.
B
So it's not a lot of content and there's some great work there, but we, we really haven't been able to get a good articulation of the security problems of two customers, and or even two teams in the same customer, sharing a registry. So you have things like Docker Hub and now, you know, GitHub, where you have multiple completely independent entities that are sharing the same registry. You know, Docker Hub and GitHub, and I for others.
B
I refer to the Coke and Pepsi scenario, or maybe Hatfield McCoys, whatever, and the idea is that there should be absolutely no knowledge of or sharing or any sort of data whatsoever between the two, even of digest.
B
So we need to be able to solve that, the, so you can't really even use metadata that goes across those two customers, even within the same company. So we'll take Wabbit Networks here, or ACME Rockets is the consuming company, there's multiple teams inside that company, and they also may not want their data shared across them too, but we also have just a general explosion of registries.
B
I think part of the update framework stuff was based around where there was npm or PyPI as a single registry, and what we're seeing is that that really isn't the model that customers are scaling out to. Those become interesting sources, and this is a much larger conversation, but the reality is customers need to bring their content into their own registry, so they can secure it and approve it, but we also see lots of public places for stuff to get, to get information from, so there's, there is no one registry to secure, so there's a, there's.
B
Compute instance that you can then decide how you want to provision, there's no history to it. So now, if I want to get history that says, hey, last time I talked to Docker Hub Debian, which was a week ago or yesterday, here's the, the timestamp data that I had, but that's not on that compute node, because it wasn't yours two seconds ago.
B
Where do you get that information from? Where do you persist that state? So that whole balance, coupled with lots of registries, is the tangled nest that we have to figure out, and how do we really handle update framework kind of semantics.
B
A
Me turn a bit, block the wind. Is this any better? Yeah, that is actually okay? I'm just wondering whether, is this call on other weeks the place to discuss that, or is there some other venue where you discuss with, where TUF people show up, people from the TUF community?
B
So they were actively involved. In fact, I'm doing a quick look here. I, I don't see Marina or Justin here today, we have, or Trisha. I don't want to leave anybody out. We have been discussing with them for a while. That's how these conversations started and we got caught up in all. So I can't say there's any one good meeting where you can look for half an hour and hear this discussion. Everybody comes together, go, yes, this is a problem, we should figure out how to solve it.
B
It's more of the first several meetings that we had of Notary v2 got wrapped up in that, and that's when several weeks ago we decided to split this out, be two pro, two phases.
B
So that's, unfortunately, that what I just gave you this summer is probably the best summary of it, and we need to reconvene and, and do that, have that conversation, but, like I said, we kind of, we felt we needed to separate it out into phase one and phase two, where we can get the, the end to end kind of figured out, and then we can figure out how to roll this update rollback semantics into the.
B
So, yes, we will have that again. I don't have an exact time frame yet. We have been talking behind the scenes, not behind the scenes, like, you know, just one-on-ones and, and several discussions of, hey, we still need to address this.
B
I think the question from you for research, for you is, what are they? What are the pieces that you really feel are important that we need to capture? Those are really helpful.
A
Right, so the, the situation I've got in mind right now is: let's say that I'm not with them anymore, but let's say I'm with Ubuntu and I've, I've got a container store, an image store that I'm, I'm publishing for people to use, and you've got another company that wants to have their lab and be mainly off the net, but they want to use our images, so they're going to download them, they're going to, somehow they're going to need to delegate to the signatures.
A
So if we're using the update framework and we're using very short signature time frames, we're now basically saying that this proxy environment is going to have to every hour fetch new signatures from the public service, and that seems like a potential problem. So I'm wondering if that's been considered.
B
Yeah, actually, that's a great, that's a great summary of it, because that, you're starting to get into there's no single registry that everybody authoritatively goes to. There's not only private registries that people pull content to, but there's also air gap registries that people pull content into, which was right much in what you were saying. There's a combination of, there's a known problem: how do you propagate that out? So the thought has been key revocation versus a particular registry got hacked. Those are two different things that I don't think
B
we've fully wrestled with, other than we do.
C
A
C
B
Sorry, I don't know if I heard it wrong. I, key revocation is part of it. Niaz has been trying to drive that, he has meetings on Friday mornings, but has been tied up in other things, so he hasn't been able to. I think he says he's going to start again this week, so it's, it's definitely part of what we want to do with Notary. It's, what we've done is we've just split that out, that the key management and the risks associated with that is part of this working group.
B
That is an active work. It's part of what I would call phase one. It's just, we've got, some of this stuff is just so detailed that has, we, there's some keyer, key experts in the industry that we really need to be thinking about this, and Niaz has been driving that working group, so I think he said he was gonna restart it back this Friday. He had a couple weeks where he had to go off between vacation and some other problems.
C
B
This is where the, I mean, you look around the submarine scenario where it, like, goes under, you know, but we, we have other seagoing vessels, I think, is one of the ways I was categorizing, whether it be container ships or cruise lines. Eventually they'll be cruise lines again, that, you know, it's too expensive to take updates while they're at sea, so they do it while they're in port, and that might be a week, so yeah. Those are definitely policies where some other team might be.
A
Well, I need to think about how, how to express this better, but I could imagine an air gap scenario where the regular schedule is every week, there's updates, but then on Tuesday, oh, my god, there's this.
A
We absolutely have to have this fix in, so we bring the fix in. How do we, it, since our regular cadence is weekly, we've now put a week-long valid signature on these things, but we have to in fact invalidate them now, because on Tuesday we got this other thing, and I'm not quite sure how that fits in. Unless we have a separate service running inside the airgap environment that every day maybe just says, well, these things should still be valid, so I'll.
A
B
I, I think that's an input into an answer and, oh, I didn't realize I was sharing, sorry, I, I was multitasking for something I wanted to queue up. So one, I would absolutely promote you to please meet with Niaz on Friday mornings, because it sounds like you're bringing up all of the right conversations that we want to focus in the key management scenarios.
B
So we've been trying to focus on Slack as the, the place where we're having the conversation on a, you know, fluid conversation, and then he has the Friday mornings. I think it's like at 7:30 a.m. or something that we have to, he, he drives that discussion.
B
The latest Docker terms of service has kind of been a way to drive some of this conversation forward. I actually think it's for the, it's the wrong, it's being perceived a little bit harshly than it should. The, the reality is upstream content, even well intended security fixes, can break downstream apps, right, my environment may not be dependent, maybe dependent on some behavior
B
that was just deemed to be insecure, and the question is: can you just blindly bring upstream content in or do you need to verify it? Whether the upstream contention even available is another problem, which kind of talked about in this article. But I think what I'm trying to get more thought process around
B
is this promotion workflow, that you bring stuff into your environment, whatever that environment is, and you're going to test it and validate it, that it works for you, and what works for one company is going to be different than it works for another company.
B
So I think there is part of this workflow, that's a piece to that, so that, that's kind of the larger thinking and what I, what the real problem is. We just don't have good tooling around this. I mean, even with an ACR, where we've got this ACR task infrastructure, we do base image update monitoring, all the raw components are there, but it's like going to Home Depot and finding an aisle of wooden nails and, so, go build a, you know, a million dollar house, which isn't that big.
B
Oh, Azure Container Registry, sorry, the service that I run for, in Azure, and this is how, this is where we think about this stuff, but we're, we're trying to have these conversations in a broader place, because ACR is a consumption of it for our customers. We make our Microsoft software available on MCR and just like, I would say, nobody should ever be dependent on production content directly pulled from Docker Hub or MCR.
B
You should always have in their registries. We need better tooling, better workflow and, of course, the signatures have to be able to go into those environments, which is how it's very grounded in this conversation here. So I think the key management conversations we're having here need to play into this, because if I bring content across, not only do I want to test it if it's good content to make sure it works
B
my environment, to the point here is: if that got hacked, I need to make sure that I know that that content is no longer valid. So that's, anyway, that's just kind of the conversation I was trying to have here with this, this post.
B
And the, the link is in the chat session if anybody's interested, so please help, yeah. It sounds like you got some great input. I would again encourage on Friday mornings at 7:30. Let me put the CNCF calendar up for that.
B
Yeah, so I'm realizing, we don't have, so here. Let's see, Friday, CNCF Notary v2. I don't know what time's on, 2:30 p.m. It sounds very nice, but that is not Seattle time or Pacific time, but it might be a good time for you guys.
B
But the, at the top of our HackMD is the, the calendar. The actually noted YouTube conversations on Slack. The only thing it is missing here is actually the Notary Project. So let me just do that right.
B
There's nothing else, we can give time back to folks. Just want to make sure, and now let me see what we've got stirring this week to see, make sure we have something. I'll try to make sure we have some good update next week that, even if it's just the distribution stuff we've been working on, to give a good summary to it, because I don't know, we, I think we cancelled last week because the holidays. I want to make sure we keep good momentum, people feeling that we're making progress.