A
Hello everyone, welcome to Cloud Native Live. Very excited to have you all visiting us once again and seeing this amazing program. I'm Annie, I'm a CNCF ambassador, and I'm here with an amazing speaker and a guest as well; a bit more on that later. Very excited to be here today.

A
Just as always before these streams, please keep the code of conduct in mind, so that we are essentially respectful within the chat, so that the CNCF code of conduct will be met and we will not face any issues there. So be respectful of our other watchers and speakers, and so forth. Very happy to have you all here. As always, you can ask questions within the session and after the speech has ended; very happy to receive those as well. But yeah.

A
Yeah, perfect. So excited for your session today on Notary v2. Why don't you get started and show us what you've been working on.
B
Well, thanks, and thanks for the opportunity to talk about all the great work that's been happening across a number of different efforts. One of the things that we started out on a while ago: this effort actually started back in 2018 at a KubeCon event, where we all realized we really needed to get re-engaged in solving the signing problem around content, and specifically it was container images.

B
Notary v1 was started in 2015. It was built at Docker; it came out as Docker Content Trust, and its goal was to sign the content in registries. There were a couple of problems with Notary v1 and Docker Content Trust. There were some usability issues. It was very difficult to use, difficult to configure.

B
There's trust-on-first-use challenges, but the fundamental problem with it was it didn't support content promotion. If I've got an image in a public registry and I want to pull it into my private registry, it's great to validate the signature at the public endpoint. But when I pull it into my private registry, we wanted to be able to validate it there as well, and the problem is those signatures were tied to the location of the content. So that was the real fundamental problem that we needed to go out and solve.

B
So that's kind of how the whole project started. I work at Azure. I work on our container registries, which is the private registries our customers use and the public registries that we support for Microsoft content. Microsoft's a software company, not just a cloud, and we need our software to run on AWS, on Google, on-prem. This is everything from Windows to SQL to .NET to Office apps and so forth. So we recognized that we needed to solve this in a cross-cloud, vendor-neutral way and not Azure-specific, right?
B
That was a fundamental goal of what we had to do. So we got together, and it was a who's who of registries and cloud providers. It was awesome. The AWS folks hosted us at their location when we were all getting together on a regular basis, and we've been chugging at it since. It's interesting: a lot of the challenges that we've been facing is, like, how do you sign content, and what are the platform capabilities that have to elevate from there? So those have been the challenges we've faced.

B
What exactly are the investments to make? Notary v1 and Docker Content Trust required additional services to run on a registry. They're pretty complicated services. We built it for ACR; after a month or so it's still not done and there's still a lot of work left, and we had some really talented people that were working on it. And then, when it was all done, we realized it still didn't support the core scenarios for content promotion.

B
We recognized that, instead of just putting a thing that only supported signatures in a registry, what could we do to make it a generic capability to support other things as well? And then we didn't want to have to create yet another service.

B
So one of the fundamental things, for instance, that we came up with was: all the Helm charts you have, all the pod specs, all the text files that you have, strings that reference your container image, shouldn't have to change just to validate a signature, right? We didn't want anybody to have to change their existing infrastructure.
B
The analogy we like to use is going into an airport, and that workflow of getting in, getting approved and going on to the next step. You should be able to use your existing documents, and there's an extra check. So one of the things that we designed around this was: your reference doesn't change, but you can get information from your reference.

B
So, for instance, if you want to deploy a net-monitor image, net-monitor:v1 or net-monitor@digest abc123, that shouldn't change just because you want to validate a signature on it. So that innovated this concept of reference types, and if I can assign a signature to it, then why can't I assign an SBOM, a software bill of materials or a system bill of materials, or a scan result?

B
So there's a lot of interesting things that kind of evolved from there. It might help if I actually show a little animation for how we think about this. Perfect.

B
I like comparing to systems that are tried and proven, because there's been a lot of work put into those and they're kind of tried and tested. So one of the ones that I like using is the process of going to an airport, which is what we used to do and what we're starting to do again in some aspects. And I was reminded, you know, internationally, TSA, what does that mean?
B
So if I go to the airport, there's that person that keeps you from going into the secured area, a Transportation Security Administration something; I'm actually not sure. In this case it's not the timestamp authority, it's the person that says you cannot enter the secured staging area of the airport yet; you have to prove who you are. So I walk up to the airport and I say: here's my pod spec, here's my Helm chart.

B
I want to be boarded on that Kubernetes plane over there, and the agent goes: that's great, but who are you? It's great you want to go there, but who are you? So I provide them some identity.

B
Right, I'm Steve Lasker, regardless of whether I'm on the East Coast, the West Coast, Europe, wherever; my identity is independent of location. So the agent looks at that and says: okay, that's your identity. It's from one of the 50 states, or one of a bunch of different countries if it's a passport, and they may or may not accept information from certain states that don't have Real ID, for instance, just a detail here, or certain countries that aren't considered trustworthy, for whatever that means.

B
But at some point now, the other interesting thing is I'm outside that red line. I'm handing my identity through the hole, because I'm not allowed into the secure zone until I've proven that I'm worthy. That information to prove who I am is separable from me, right? I hand it through the window.

B
That's really important for what I call the Trojan horse attacks. If I had to go into the airport to give them ID, I'm like, hey, how you doing, yeah, here's my ID, and by the way, I've got a gun pointing at you, and I now own you.
B
Somebody just discovered that I might have liquid, and that's something they should look for, or solid things in my shoes, or whatever that might be. So the scan is done and I'm approved, so I'm allowed in, but I'm in the staging area. Now I still didn't board the Kubernetes plane, right? I'm just in the staging area, and I might have to go through some additional tests and verifications or whatever. Now Agent 44 at the gate to the plane is going: well, whoa, you're not getting on the plane.

B
Yet you have to prove that you are allowed. Have you been approved to be in the staging area? Prove it again. I give them my pod spec. In this case Agent 44 doesn't care about my external identity, doesn't care about my driver's license or passport, or that I was signed by Wabbit Networks or anything like that. I'm in the staging area of a particular company; that Agent 99 signature is equivalent to my company's signature that proved it, so Agent 44 can say: okay, you've been signed.

B
I will sign you again to say you're worthy to go into the production plane, and now off you go. So that's just kind of an interesting analogy that we use for content promotion. If I were to apply it to how this would work in our real software...
B
So we have the small company Wabbit Networks that nobody's ever heard of, very intentional, and ACME Rockets is our company that we work at. I want to deploy this image. Great. I was able to reach across the public internet, I got the image; I could even reach across the public internet and get the signature. That's all fine. I do have a policy manager that says: hey, content must be signed. Sure, it's signed, go deploy. Signed by who? I don't know; there's no policy here.

B
Of course we want to do some testing of signed by who, but the other thing is: how many of you have environments where you have a VNet that protects that environment? There's no public egress; you can't go off to evilsite.co or public registries. They want that locked down to only the places they trust from a network boundary.

B
So if that node is trying to reach out to some public endpoint to get the software bill of materials, to get some scan results or source or some other artifact, you can't get access to it. So this was the kind of fundamental principle: it wasn't just the images and the signatures we want to travel with the artifacts that you're trying to use in your environment. We wanted that entire graph.

B
And of course, this isn't just one environment; you have multiple environments, and within each of those you're standing up a private registry that's accessible from within that VNet. It might be a hosted registry that supports VNets. You might stand up an open source registry, or a project, or a product; it's all great, but that's why we want to make sure that all of these can support these capabilities.
B
So the next one is: do I bring the public content into each one of those private registries? Well, that's not really a scalable solution. We don't have every plane individually check every person, right? Everybody goes into the secured staging area, they're approved; that's how it gets promoted.

B
Companies stand up internal registries which have the approved content, and there's lots of public registries that people interact with. I'm having fun here with some old company names or fictitious company names, but NVIDIA, Oracle, Microsoft, IBM: there's lots of public registries that are software companies that distribute their content from their registries.

B
So now, as a company, I could say: well, I do trust Docker Hub if it's certified content from them. I've established that trust and relationship. That's fine. Now, Spacely Sprockets may not become Docker certified content, and so forth, but inside of ACME Rockets I can configure who I trust.

B
I don't trust Wabbit Networks, but I trust Docker Hub. I might trust Spacely Sprockets and some other ones, so I could pull information in. But what you're doing is you can establish a trust policy that says: these are the entities I trust, these are the states that I trust, these are the countries that I trust, or maybe the countries I don't trust, to do an exclusion policy. But I can make that list, and now, when I'm pulling stuff into the staging area, I can see if any of those are passed. Once it's in the staging area, I could stamp it with an ACME Rockets key, and now, all internally, I don't need to worry about the policy of the day for what was externally pulled in. All I know is it was signed by ACME Rockets. It's the shared library content that's approved; I'm going to work from that content.

B
So those are really the fundamental principles of what we wanted to support, and now it probably helps to show some real code on how this works. But were there any questions before I jump in there? It looks like there is.
A

B
Okay, so I'm really happy to show that this is actually working with Azure Container Registry now, so we'll show the interactions. It's in dogfood; it's not public just yet; we're working through the last details of it. But what you'll see here is I saved it as an environment variable, so I have to paste it every time, but there's the wabbitnetworks.azurecr.io registry that we have. It's an authenticated registry, so we're working through all the auth stuff as well.

B
So now what I want to do is a standard docker build, docker push; nothing magic here. I'm now going to build this image and put it into the registry, and I want to sign it. Okay, if I want to sign something, one of the things we've been focused on is: what is it that our customers, end users, need for their production environments, right? The production environments are the critical environments; they don't really care about containers. That's the tech.

B
They've got standard practices like VNets, like X.509 certs for signing; that's what the crypto boards of those companies have approved. So what we're going to do is take an X.509 cert. Here I did a self-signed cert. This could be a CA cert issued publicly. It could be by a cloud provider.

B
Doesn't matter. That's what we're using here: I have a certificate that is going to be what I'm going to sign with, and now I can simply sign that image, with no external, no other additional services. It's just the registry capabilities with the notation CLI and an X.509 cert, which is what companies are using today.
B
I can see what signatures are on that image, and now I might want to verify that image. I want to see: does that image pass the test for the content I trust? Well, it's signed, but signed by who? Just because I signed it here, fine, but this is like asking that agent at the airport to validate your identity when they were never given a list of approved identities that they are allowed to trust. So, the notation CLI has a trust.

B
Now, here's where it starts to get really interesting. Great, it's fine, great; it shouldn't be so hard. Where it starts to get interesting is: well, I want that signature to travel. I don't want to change the digest. How do we implement these changes on a system so that we can promote this content?

B
The ORAS CLI, OCI Registry As Storage, is how the project started, and it's basically a CLI for interacting with the registry, and this concept of being able to push reference types to a registry is an implementation through an ORAS artifact spec. It basically says: hey, I can push something to the registry, and it says this thing refers to this other one. The ORAS CLI knows how to ask the registry: hey, what information do you have for the named reference that you were using before? We don't want to...

A

B
I always worry about being at the bottom of the screen regardless, so you can't see it on a stage, but people look at the screen, so it also can get trimmed. So apologies about that.
B
What you're seeing here is that graph of content, right? So that digest here is the signature. It's the manifest for the signature, and now I can go find the blobs. But wait, there's more. One of the things we said we wanted to do was up-level the registries, because we don't want to break existing workflows.

B
If I look at the list of files on my machine, I see the file names. That's because that's what I asked for; that's the thing I think about. If I want to see the attributes of a file, I ask it: please give me the attributes of the file. When I copy the file, those things travel with it, but my list of files isn't populated with noise. It's horizontal info; it's another pivot of information that can be displayed.

B
I want to see that my net-monitor image is signed, but I want to see it as a glyph on the portal that shows it. I don't want to see another tag that shows up in there. So that's part of the way we think about the breaking changes to registries. So, okay, and if, whoops, if I want to see... the registry does have the manifest, so I can go...

A

B
You can see the tag is there, and there's a bunch of information, whether it's writable and all that goo, and here's another digest. That's the ORAS artifact manifest for this net-monitor, sorry, the Notary v2 signature. So the content is there. We can manage it as content, but we've made sure that it's thought of as an attribute of the net-monitor image.
B
So a couple of things. Let's clear out; let's pretend we're going to have what I call an ephemeral client, where I've got a VM that shouldn't have anything on it, because we want to make sure we're not pulling in information. I think your import environment shouldn't have state from something else.

B
If I look at the Docker images, the only thing I'm going to see is a local instance of the CNCF registry. We'll use this later. So that's what it's showing, that noise; well, anyway. So, for all intents and purposes, this is a clean environment, and I'm going to clear out the notation configuration. So I'm going to clear out the policy.

B
So now I have nothing configured. Now I want to create a certificate, and I could pull this from Azure Key Vault, but the idea is that I want to have a cert that, as I import information into my environment, I can stamp it with our ACME Rockets key. And this assumes that I've done the security scan, I've done the unit testing, to make sure that the update to the Debian image or the net-monitor image or whatever is in compliance with the ACME Rockets policy.

B
It's great that they put out an update. But an update is a change. Is that change an accidental human thing that might break my environment, or might it be an exploit? Is it an evil person that made a change, right? There's lots of things; we don't want to blindly pull in changes from public locations. And if we look at our configuration policy I now have, I have no verification certs, but I can sign things with the ACME Rockets key.
B
I can verify the image, but I'm verifying it at this point where I'm boarding the plane. I want to verify that it's signed with the ACME Rockets key, and if we look at that content, we can see the net-monitor image. Notice the indentation here: there's a hash of the artifact types. In this case it's a Notary v2 signature.

B
So, okay, I start off with simple signatures. We want to be able to support other things as well. So let's create a really highly dense SBOM, the software bill of materials. It has a long list of all the packages and how the thing was built, and there's lots of great projects out there. I'm just going to create a simple JSON file that says the contents are good.

B
In this case, I'm going to push it to the net-monitor repo, not by tag, just the net-monitor repo. I'm going to say the artifact type is an SBOM and set the reference: this target subject is that net-monitor image, right? And then, by the way, just take this .sbom JSON file and send it up, and the type is JSON.

B
If I had an SBOM tool, all I'd have to say is sbom push, but because I'm using a generic tool, I have to put in some extra information.

B
If I look at that list, I'm now seeing a richer graph. I've got our net-monitor image. I've got two signatures. I've got another hash of SBOMs, and that's the first SBOM that I pushed, and by the way, here's the signature; notice it's hanging off of it. I'm building this rich tree of information, because everything in the registry I want to be able to sign. But wait, there's more.
B
Let's say I want to generate a scan result, and I'm using Snyk, which comes with the Docker CLI for docker scan, and this is a little more meaningful. There is a bunch of goo in here, not important.

B
It does save it as a file. So I'm going to push that using ORAS again; I'm going to do the same thing, get the digest of the scan result, and I'm going to use notation to sign that digest. Again, I'm signing with the ACME Rockets key, because that's what I've configured, and if I look at oras discover again, my graph is getting richer, right? I've got a lot more information now that's in here. So now I've got this really great content and it's on a registry.

B
I can say: hey, give me that entire graph, filter it to the Notary v2 signature type, and then I get back just the signatures. So these are the things we wanted. We want to support notation for Notary, sorry, we want to support Notary signatures for signing content, but we saw generic patterns that lift the entire ecosystem up, rather than build yet another service.

B
We wanted to build this capability into registries. So now there's one last piece that I just want to show from a pure demo perspective, and that is that promotion, right? So I've got this rich graph here that's in the public registry. I want to promote that to my private registry.

B
If I was using my file system and I had a PowerPoint file, and I had a movie file that I did with some media program, and I had some Golang libraries, if I want to copy that content from one directory to another, would I have to go fire up PowerPoint and Golang and VS Code and your media program, whatever? Of course, that's silly.
B
What I want to do is copy this, and I'm going to use a little early version of something, because now I'm going to say: oras copy that public image to the private image, with recursive, so go and travel down all of the references that we have in the registry. ORAS doesn't know about notation or SBOMs or Snyk results or your favorite thing you want to attach, or all the signatures that are assigned to it. It just knows how to read that generic graph in a registry, and poof, it just copied that whole content.

B
So that's kind of what we've been working on, and why it might be taking a little longer, because we feel like the investments that we need to make are for the long term. We really want to make sure that as people are signing their content and they're improving their platforms, they shouldn't have to stand up yet another bunch of other services. There'll be more services that come out, but we shouldn't have to run another whole service that users and customers and operators have to manage.

B
You can actually remove individual pieces on there, because they're all separate individual objects that are stored in that graph anyway. So I'll breathe, I'll pause and look at notes and whatever, but this is where we're at at this point on the project. We're really excited about it. What you're seeing here is a combination of the Notary v2 work and the notation CLI to sign, discover, and verify artifacts in a registry. It doesn't matter what they are. We started with container images. We realized that we can do this generically.

B
So, let's sign everything. We didn't want to create yet another service. We didn't want to break existing workflows that people have for how they interact with registries, but we did believe registries should improve their capabilities to serve the users for these capabilities. So there are enhancements to registries here; you're seeing the Azure Container Registry support that new ORAS artifact manifest. Most users shouldn't have to care; we're working with the various registry operators so they can add these capabilities.
A
Yeah, no worries. Maybe a few questions from my side at the moment. So we've covered quite a lot already, but, as you probably know, supply chain security is a very popular topic. So can you explain how Notary v2 fits into this landscape a bit more?

B
Yeah, no, it's great. In fact, let me pull up a different slide. With everything, there's always a question of: what's your focus? Like, how much of the ocean are we going to boil with this effort? When I think about the supply chain, there's stages: there's the creation of content, right, there's the building of those binaries, building of the SBOMs, all of that information, and then there's the distribution.

B
We tend not to ask our parents to compile and install from a Git repo. They tend to install apps from an app store or from various locations, or our corporate rollout will roll out something, or we click an install button from various distributors, and this is where I like the model of redistribution.

B
I don't typically go to a farm and go to the cow and fill up my bottle from the cow, right? The milk manufacturers create that; they bottle it. They distribute it to QFC, Safeway, whatever the stores are near you, and you get that content. That content gets built and it gets distributed. It might get distributed on Docker Hub. It might get distributed on NVIDIA or MCR or whatever; you're going to promote it into your registry.

B
We want to make sure that the redistribution of content is the part that we're focused on. As you're distributing it, the things that prove that I'm still Steve Lasker wherever I'm traveling: that net-monitor image is always signed by Wabbit Networks wherever it goes. The Kohler faucet is always from Kohler. At that point, when you consume it, you can prove that, regardless of where it is at any one point in time, it's still from that entity. So that's the detachable signatures that we think about.
B
There's a lot of work going on in the supply chain part, and what I call "to the left". We're not what I call... the term that's referred to as to the left of how things are built. Notary has nothing to do with how Git repos are signed, or commits are signed, or files, or all that kind of detail. There's a lot of great efforts that are around that. The closest Notary gets involved in that is, like, when you're doing a docker build, for instance, and your FROM statement references another image.

B
We want to make sure that that consumption of another deployed, distributed piece of content is who it says it is. So we're really kind of focused on the distribution and validation part of the pipeline, for: is it signed by an entity you trust, not just an arbitrary entity?

A

B
Lots of content. So, you know, I'm happy to answer any questions from folks. If there's anything else I could... you know, there's always interesting things to talk about.

B
One of the new things that is coming up is, and we've all seen this, Docker kind of winds up taking the burden of the hit on this. We all want to pull from Docker Hub, and it turns out hosting all that content (container images are big) is expensive. It's expensive, it's probably problematic, because nobody ever wants anything to be deleted, and so forth.

B
...that's signed, has an SBOM, has some scan results, so on and so forth, and this is what we're really trying to refer to: it's really teasing out identity from location. We've been working with the SPDX and CycloneDX community recently, and Rose Judge from VMware did some great work around having a purl spec for OCI references, to also decouple location from identity.

B
So this is kind of a model we're trying to get to, that the content will be distributed in multiple locations. Just like you can get milk from lots of locations, but you want to know who was that milk distributed by? So if there is a problem with it, we know which ones are the ones that we should recall.
A
Great, so I see that you talked a little about SBOMs and scan results and other artifacts in the registry. So is Notary just around image signing, or how does it go from there?

B
Yeah, great question. So basically, as I said, trying to carve out where we wanted to focus: Notary v2 is all about signing things. It doesn't care what it is. In fact, you noticed that my SBOM was just a JSON file. I didn't worry about getting the details of CycloneDX and SPDX and others. It's literally just signing anything in a registry, and the idea is maybe we could use those same algorithms to sign stuff that's not necessarily stored in the registry.

B
There's lots of other great projects that have taken on those things. So it's: sign any artifact that's in a registry, regardless of what it is, and the innovations that came from the Notary requirements allow other things to be put into a registry that are also associated. So we're there to support the other efforts. We're not trying to overlap with those.

A

B
So, like I said, this is one of those where, if you look too narrowly at a problem, it seems overly simple. By working in Azure, and working in the center with Container Registry and MCR for distributing public content, we see all of the complexities that users face, and we recognized that it wasn't just around signing. We had to deal with content promotion, with VNets, and all those things.

B
So the graph of content is the thing that we showed around how you can promote that, so that you can verify that artifact in the location that you're operating. You shouldn't have to say: well, I'm in my isolated VNet, right, I have no public egress, but now I need to validate the SBOM is valid. Well, where's the SBOM? Oh, it's hosted on this Microsoft service out in the cloud, or it's hosted on some GitHub repository or something. Well...
B
I can't get to it because my VNet is locked down. And yeah, we can go and ask for a hole we put in the VNet, but we had a customer describe this as putting holes in the submarine, right? You can't just say it's only one hole in the submarine, it'll be fine. Any hole is problematic. So we wanted to make sure that you can promote that content, and that's kind of... and we're always looking for better words; naming is hard. We think of it as this rich graph of artifacts.

A
Great, yeah, and there's been a lot of good interactions in the chat. Not so many questions yet so far, or someone learned something new today, and so forth. But if you have any questions, now is the perfect time to ask them, everyone listening in. We do not have too much time anymore. So now is the perfect time to start typing those out, so that we also have the time to answer them.

B
Well, this was a last-minute scheduled thing, so I appreciate the folks that did apply. There was another session that wound up getting canceled, so we took an opportunistic time of, I think, 20 hours' notice. So thank you, Bridget and Karen, for helping us get that coordinated. I'll just say, for people watching the video later on, by all means reach out; there's Slack channels, there's the projects, reach out to me directly.

B
Then we can connect you to the various folks that have been working on the various projects. This isn't an Azure thing. It's a community engagement. We've got a lot of great support and we're really excited for the work that can be done. There are a number of different projects this impacts, because we believe that this is a place that can innovate in a number of areas. It's Notary for the actual signing; it's the TUF project, which we're working on.
B
There's the work we did in ORAS Artifacts to enable registries to support not just Notary signatures but, you know, SBOMs and other stuff. There's a CNCF Distribution instance of this, so you can test these rich capabilities without any specific cloud, and that CNCF Distribution instance is the thing that runs many of the registry projects that are out there.
B
So we're looking to finish that up so that all registries can take on these capabilities easily and we can get on to the next big problem. So we're definitely looking for more help, more feedback, more support, or, you know, just jump in. That's the beauty of the open source community: anybody can kind of jump in and help.
A
Yeah, definitely, that's the best part. So definitely everyone jump in, and really great session, by the way, so far. A question from "missing character": Any new public key starts. Okay, key stores.
B
By key stores, I'm not exactly sure what we're referring to here. I mean, what Notary is currently focused on is, you know, we kind of work from the right to the left, from production back, and what we heard very clearly was: these are services that build and sign and distribute and validate content. Users are part of the critical part of the development workflow; by the time it comes distributed and consumed, expo not X.509 certs was the standard that we wanted to focus on. So X.509 certs, there's lots of great, you know, infrastructure there already; there's innovations we think we need to make. We wanted to build on the capabilities that already exist. So that's what we do today; what we might add in the future, you know, there's lots of great opportunities for how we might add additional signing authorities, if you will. I think that's kind of what you're getting at, but the premise here for key stores and where those keys are managed.
A
Perfect, and we got a confirmation from "this in character" that that was exactly what they wanted. So wonderful, and maybe, staying on this topic, a bit of info about the future there already. But do you have any kind of sneak peeks or ideas as far as, like, what will version three look like and what will the future hold for the project?
A
Sorry, for which project? For Notary or, like, oh.
B
For Notary as well, sorry, yeah. I mean, there's, look, we have some work to finish here. A lot of interesting things are coming out of it. You know, we're starting to add search capabilities to a registry, which has been a long-standing missing thing. You know, all registries have them, but everybody's done it separately, so there's no common way to get information out of a registry.
B
If you have multiple SBOMs or multiple scan results that you push to a registry, which one is the current? How do you know Monday's versus Wednesday's? So we're thinking about how we could do ordering and stuff; we're thinking about how we can do search. The way that you can push the artifact manifest does not require blobs, so we're starting to have the ability that I can add other annotations to information in a registry, so I can start to get rich metadata.
B
You know, what images are deployed, what images should be deleted because they've hit some kind of expiration policy, who built that image? You know, so there's interesting, rich metadata scenarios that we'd like to be able to add to registries, and that's some of the stuff that we're, you know, thinking about. But we're definitely trying to make sure that we land incremental progress and, you know, not try to, you know, like I said, boil the ocean. There's lots of great stuff that can be done.
A
Yeah, I'm looking forward to it. Then final call, I think, for questions from the audience, but I have to say that there's already been someone from, I think, our saying "great demo, thanks a lot." I have to agree, really great session already so far. Do you have any final notes that you want to add to the audience or so?
B
Let us know what you think about it. Is it helping you? What are the gaps, you know? Would you like to get involved? There's lots of great opportunities.
B
We certainly have more problems than we have ability to solve at this point, so we're trying to carve them off, and if you want to help with some of the stuff we're already working on, great. If you have another problem you want to solve, there's a great question around: can I curl binaries out of a registry? So we've been thinking about how we could do that, so, you know, we're starting to get some ideas around it, but I don't have anybody that can actually work on it right now.
B
So there's a lot, always great prayers; the more people that we have, the more things that we can work on. So that's always kind of a call out. If you have some great ideas and you want to see those, you know, ideas added and improved, reach out; we'd love to figure out how we can help you help yourself and, you know, get people started on that. So.
A
Really good, and I guess these are the links to get involved as well, so everyone take pictures and notes, or you can obviously watch the on-demand recording to get access to these again, so everyone can get involved. It's really great. So if there are no longer any more audience questions, I think we can start wrapping it up. Really great session, amazing content, great demo.
A
Thank you so much for speaking with us, even though it was on short notice, so very extra thankful for that as well, and thank you everyone in the audience as well for joining the latest episode of Cloud Native Live. It was great to have Steve here from Microsoft.
A
Talking about Notary v2, I really love the audience interaction and everything here today, and don't forget to join us next week when we bring you the latest cloud native code every Wednesday. Next week we will actually have a session on improved core to edge mobility and resilience for cloud native applications.