From YouTube: CNCF Supply Chain Security WG 2021-04-02
A
Yeah, let's go ahead and dive into this. So at this point with the paper, I was chatting with John a little bit about this yesterday. We are ultimately ready to just start tackling and getting through the media elements. There are far fewer comments than there were even a week ago. I mean, we're down to the point where, you know, there's not even simple recommendations. Now it's kind of bigger question items. So if it's good with you all, let's try to shorten this. I would say to 30 minutes today. Let's address some of the meatier comments that are on here, and then I think the leaving thing would be, you know, recommending you all go through and either pick one section just to see if there's anything else you can find. But we're really ready at this point for external review once we tackle, I think, these last kind of, these play around.

D
It a little bit, but I don't know if it wasn't nearly like, I could still understand you, but I don't know if it's.

A
I've been having issues recently with Zoom where, like, I don't see anything on my end, but apparently it is slowing down. So, Vanad, if it keeps happening just let me know, okay? I'll go and jiggle the plug and the route of the modem or something. I'll figure something out, the router. All right. Does that sound like a decent plan for today, going comment by comment and actually just, like, trying to get through some of those issues?

A
Anybody? Well, that's a good plan. Yeah, awesome. So hands down, we're actually, in terms of the introduction aspect, things are pretty solid until we get to the securing build pipelines section.
A
This has been the kind of bane of our existence, and this was the most controversial aspect when we were reviewing it as the four last week. And so one of the things we're waiting on, and I'll have to reach out to Emily separately and see if she has any up for that graphic. Alex, glad to see you joined. I did go ahead and mention, before we delete this, let's wait until there's a graphic there.

A
Just so we remember what we're trying to convey, because I do think this is valuable, but I don't think it's presented in a way that's good. So that's at least my sentiment there. Does anybody, if you're familiar with this section of build infrastructure, feel that bulldozing all this text away and replacing it with the graphic that clearly shows pretty much these elements... Does anybody feel particularly hurt by that decision?

A
This whole section is a bit too much text, which gets to this little piece by you, Alex, adding in another sentence. I didn't want to say no to this. There's a lot going on in this paragraph, period, a lot of, like, meaty issues, and I'm gonna be honest, I did not actually look to see how the chat went around build worker versus build steps.
F
I mean, so I was attempting to... so we had an extended terminology debate in the meeting where we were trying to go through this section about what they were, and I was trying to figure out a way to sort of make sense of it all. And so that's where this suggestion is coming from, and I can rehash what else I've said about it.

F
But basically it seems to me that we've sort of collapsed the distinction a little bit, and the suggestions we're making, where we are assuming that build steps are being run on containers, and we're also recommending that all of those be isolated and have a separation of concern so that each one is running on its own container. And so to me it seems like we've collapsed that distinction, so that the worker and the step are there.

A
The field worker ever, can you repeat?

A
Which word, sorry, build worker? You got things in your life that you refer to as build workers, and people would know what you're talking about?
D
I mean, at my last place we definitely did use them as build workers, and we made them distinct from... so I guess the thing is, like, when I think about, like, a build node or whatever, the reason why I kind of think about the infrastructure very specifically there is when securing a build step.

D
Do your scans do all the additional work to say, yes, we're certain that that build worker did all the right things? That's the way I've always used it, is in that sort of context, yeah.

A
Yeah, which is what I mean, that's what we're getting at. That's what Alex was saying with the distinction, right, is that it's the...

D
Yeah, so my only suggestion would just be to make sure that that's clear, is just to say, hey look, we are making some assumptions, like any sort of step that is doing something sensitive or doing something that could be, is hard to predict, right? Like, you know, it's one thing to say, hey, we're running a linting step, a linking step, you probably don't need to worry about throwing out the infrastructure afterwards. But if you do a compilation or if you're, so particularly packaging something, the question I have...
D
There could be a way to make it easier and more, you know, straightforward about what that means, because I also think that there's another reason why they're distinct, is I should be able to run a non-secure build locally on my machine, right? Those build steps will run on my machine. It'll run linting, it'll run a compilation step, and I can, you know, get my artifact.

A
And that throws a wrench into everything, Alex. That's like saying we need to have both terminologies and be specific in which ones we use, but we're not, throughout the paper. That's it.

D
So I would say the build worker does not necessarily... that, well, okay, so this is once again, yeah, there's a lot of ways to... so I would take, okay, let's take a step back for just a second. When I think about the build, I think about it in two separate ways. One is like, hey, the build is a set of steps that can run anywhere, sure. Then there is a canonical build, or whatever you want to call it. This is the official build that we feel is secure.
D
That we feel is something that somebody would sign off on. And the reason why I make that as a big distinction is there's, like, literal money, dollars, you know, there's money associated with it, there's time associated with it and whatnot, where if I have a secure build, often I'm doing additional scans, I'm running it on secure infrastructure that has a cost associated with it. If I'm compiling something locally just to test out the functionality, like, it doesn't, you know, it doesn't matter, right? Like, it doesn't matter.

D
Yeah, well, so yes, yes, I agree with that, but I think that there still is... I think what you could say is, if you were defining the build here, the build steps and the workers, purely in terms of a secure build, and just say, we are not, like, specifically call out, like, we are not putting anything in here about running this build, you know, on anything other than, like, a secure build. I'm trying to think of a word for it, like a developer build or, you know, a non-secure build.

D
You know, anything that would be... you know, the idea here just being that the build steps and workers here as defined should only be considered in terms of, you know, this is an artifact that should be signed off on, you know, and so on. Would it be helpful to explicitly...
A
Write out: build steps and workers are distinct concepts. Workers generally refer to the compute resources, but steps refer to the... I don't want to say philosophical, the concept as a whole. Within this paper we will, and based upon your implementation, they could be one and the same.

A
Is that worth just spelling out, or is that gonna cause even more confusion? And then what's great is that we can, if we do that, and we mention specifically that within the paper, you know, we expect that they might be one and the same, we don't then have to say for every single sentence "build steps and workers". I'm worried about having it always specified. The breaking it down a little bit, Alex, is that...
F
We are leaning into this being recommendations for a cloud native supply chain, and in my head, like, one of the things that make, that is a distinguishing factor of that, is that we're principally talking about processes that are running as containers or microservices or something in that sort of an architecture, right? And so I wonder, so that's part of what got me to where I was on this, you know, on this connection between steps and workers, is that sort of containerized architecture. Is, I'm...

F
I'm assuming, you know, containers are a lot more disposable than if you've got a server running in your basement, right? And so that's part of where I got to where I was, and I'm trying to tie this back. Sorry, I lost my train of thought a little bit.

F
Back to your original question, I think that, so I'm wondering, you know, if we're laying out here's the distinction between those two things, if we're assuming that this is a cloud native set of recommendations, like, what does that mean for how we want to phrase that, if that makes sense?
A
You know, it's funny, I think you and Michael are actually agreeing on the exact same thing. I think you guys are saying exactly the same, and I realize here that you just spelled out what you mean, and it covers us to both have this sentence and then also refer to both of them here, because just in case somebody isn't coming to this with that whole worker and containerized build environment in mind, this covers them too. Is...

A
Is this gonna be the... I don't personally, I don't think this one point of contention is gonna ruin the paper. I don't think we're at an existential worry. I think we're probably, if anything, bikeshedding a little bit on this. I think we covered it by your sentence that you just put in there, Alex.

A
I know I didn't like the addition of another sentence, but I think it does actually give that preface that you need to then read this. Okay, I'm worried, based upon how much Blake wrote here and what his response was in that thread, that this might not be the end of this conversation. I'm gonna leave this comment in here for now.

A
If somebody feels incredibly strongly about it, let's come back to the conversation. I did like your comment here: hardened OCI container. Let me just read this out so that everybody in the call can hear it.
A
"A hardened OCI container may descend from scratch, such as an empty root file system suitable for statically..." That's not a great sentence. "...for statically linked binaries, distroless such as scratch with locale and public certificates, or an organization's managed minimal base image such as Red Hat's UBI, with additional public keys or internal configuration."

B
I think, yeah, so I think there is one aspect missing there, like a... There is also a pattern where scratch-based images are using, like, a sidecar approach, like, you know, explicitly handling TLS and certificates offloaded to a sidecar. So I think what I understood is, if the scratch option is available, then a UBI minimal base image is another option, but I think scratch plus sidecar is also a good alternative to the UBI base image.
A
You could take out this entire middle section here. I mean, because the distroless, such as scratch with locale and public certificates, doesn't actually provide any... I mean, that's just saying scratch with your own stuff put on it. You're still saying scratch. It doesn't... The whole goal of this paragraph seems to be: use the scratch image as your base, right?

A
That's all it's saying. So providing, like, six options about, or expanding on that by saying that you can put public certificates and locale information on it, doesn't help.

A
Yeah, I mean, I'm good with minimal image, so, hardened, I'm not even gonna turn on suggesting. By the way, I don't know who owns this document, but anonymous people can still come in and edit. I know that because I stupidly didn't sign in, because Gmail doesn't have, or Google doesn't handle... Can we turn off anonymous edits?
A
Okay, I'll bother John. I'll see if he can edit it. That'd be nice, yeah, yeah. It would be. I'll get in the information, but okay. So for rewriting this particular quite long sentence...

A
"May" is also the wrong word here, I mean. "Should", let's start with, we're back to recommending, we're not... It doesn't just happen by chance that it descends. A hardened OCI container should descend from, I think the double quotes, "scratch". That's like from...

A
Nope, nope. And then do we want to keep in this "or an organization's minimal image", minimal base image, such as Red Hat UBI? Do we need to include this?
H
Yeah, we could probably define what a minimal image is in the glossary, and there's... a minimal image is defined as scratch, UBI, whatever the one that Google has, or similar artifact.

A
Sweet, bingo, all right, cool, whoo. "Additional tools such as OpenSCAP, goss..." What is... Blake, like, wrote another paragraph in the comment about the paragraph. There should actually be shared another...

A
I don't actually, to be honest, this... This first sentence, to me: "used to validate the removal of potentially sensitive files or configurations in the container at build time." What does that mean, validate the removal of potentially sensitive files? This is very... I mean, what does that mean? Does anybody have a secrets, secret sanitation, maybe, that they're removed?
A
Well, I mean, the tools themselves look at the... right, exactly, Alex. I guess it verifies that you are using a minimal image, or you're using an image with, yeah, I think by potentially sensitive files and configurations it means, you know, it has something running on it that you didn't want running in your environment. That's the question, right, or that's what this is.

A
This is saying you can use tools to validate the actual container images you're running, to make sure that you're not running, I don't know, FTP or something that's going to...

A
Yeah, something exposed, but I don't think that sentence says that eloquently or even concisely.
F
Can we collapse this whole paragraph into one sentence added to the paragraph above it that just says, you know, your bit... You should then validate your base image with tools that ensure that there's nothing else running in it that you didn't plan on running. That's not very well said, but, you know, something to that effect.

A
So is OpenSCAP our premium tool that we'd recommend here, which will, if I only had to list one, which one would it be, probably?

A
"Additionally, tools such as OpenSCAP should be used to validate that an image is truly minimal."

A
"Runtime hardening should be provided by the underlying orchestration platform. Protections may include policies like seccomp, AppArmor, SELinux."
D
So I agree with the general, like, what that first sentence says, like, the idea there being that, you know, the orchestration platform, I assume being something like Kubernetes, right. But I agree that the second sentence, I'm not exactly sure, like, "protections may include policies like", and then it certainly...

A
Do we even need to say this? Just, does... Is it valuable to have this in?

A
There, I mean, back to you: is it actionable to say that runtime hardening should be done by the orchestration platform? Would that be news to anybody?

B
No, I think there is value there, but I think to get a proper value, I think that needs to be another big paragraph. Like, it's so... things out there, and it's not giving clear guidance. Like, it's just putting some names or policies, but it is a bit overcomplicating, like, in my view, so...
A
We talk about, I know we talk about network, we... We definitely have an entire section on these two, so this is covered. I don't know about seccomp, AppArmor, SELinux. I don't recall that being in another part of the paper. Anybody? No, but I think, just, I think you're right. If or not, it feels wrong to just dangle it there.

H
Where do we talk about... where do we talk about locking down the build worker, right? Maybe that should be along there? That's where...

A
In securing, we're missing... This is at the wrong level. Somebody changed this. This should be heading one, there you go. Okay, sorry, driving me nuts. Let's see: cryptographically guaranteed policy adherence, validate build artifacts, validate environment dependencies before usage. Would that be where you would talk about runtime?
A
That does not seem to be the case there. Yeah.

A
Do we need to create a new recommendation around runtime security?

A
I mean, I think as well, that seems to be something completely missing. All right, if you throw the heading in there I'll start working on that. It's not just build workers, right, so it's... What was that?

A
Do we reference immutable and potentially ephemeral pipelines? I see the word immutable bolded.
D
Yeah, I don't know what it means by ephemeral, what we mean by ephemeral pipelines. I'm...

D
On some sort of logic, it would figure out, oh, I should be running this pipeline. And actually we want to sort of recommend against necessarily that sort of thing, because we want to make sure that the pipelines are very clearly defined and we don't want to actually have a... I would at least think we don't want to actually have a lot of logic in how we... I guess the thing there is, like, you know...

D
The pipeline, when I think about it, should not have, like, the logic should be very straightforward and simple, to say, oh, the pipeline says you should be building this thing or be doing this thing. The pipeline should not be saying, well, based on a bunch of logic and heuristics and whatever, it should be running this random thing. I want to make sure of that, and that was where I was a little confused by, but I think, yeah, so maybe I'm still confused by what is meant by ephemeral in that case.
A
Well, it's funny because, as you just saw, he does "ephemeral credentials", is fine, "creation of multiple ephemeral and immutable pipelines". So yet again he is using this term ephemeral pipelines, but I still wonder if you can ex...

D
Well, well, hold on. Like, I think the thing there, the way I would argue, is, right, you know, the pipeline. If I have a pipeline, right, and I'm thinking of the... so I guess the way I'm thinking about it is the pipeline is essentially, you know, a set of code that tells the ephemeral workers what they should be doing, right? And if you were to say the pipeline itself is ephemeral...

D
I'm thinking that code is ephemeral, as in that code is short-lived or perhaps generated by some other process, and maybe it's a pedantic sort of argument. But that's the way I sort of read that.

A
But that's not, and okay, so going back to that, Michael, do you feel strongly about that? Like, that's, to me, I'm like, no, that's not important. The ephemera...
A
Now, let's not bring up the word workers any more than we have to, but I think, let's see, build infrastructure, we were down here. I think it still makes sense. Yes, we brought it up. John, thanks, John.

H
There, let me know if that meets the intent there. Sure. Let me just describe, me nuts, oh, I know, I'm horrible at spelling.

A
That's all right, all right. "Out-of-band verification of execution policy with tools such as..." Out-of-band verification, like, execution policy. What's execution policy, if I'm...
A
That I can read, and I can be like, okay, there are execution policies that come from seccomp, AppArmor, SELinux that nobody ever wants to deal with because it's boring, that help verify the runtime environment security.

A
We should also suggest pinning, yeah, dependency pinning. Who wants to take that?

A
I am, I mean, so I read that.

C
Actually, now I of course lost it. This is story...

A
My life with this paper. I did have a question about this, mainly on...
A
First off, this recommendation to remove or verify external requirements from the build process, doesn't that seem like conflicting advice? Do you either want to remove it or verify it? So, verify, cool, that makes sense. Remove, that's really actionable, and I'd better see concrete examples about what I remove. Anybody have...

A
Can we just say, marine, on that note, if we change it to just verify, can we have, like, one quick little zinger at the end, like...

A
Need the requests library anyway. All right, yeah. Did I just trigger you?
B
No, I think, reading that, it is kind of not the same across all the programming languages. So I don't know what is external sources, if Artifactory itself is an external source, a build server? It is an external source, right? So vendoring, I don't know what is the practicality of vendoring in all programming languages, right? So, in my view, it should be like the dependency should be frozen before the build time, like...

B
Put, like, in, you know, like npm or Python, greater than or less than or something like that, and then getting a version during the build time. So instead of that, explicitly mention the version number so that there is consistency during the build each time. Rather, each time it is built it may have different behavior, because Artifactory may have a new version for that package, and then they will get a new version next time, right? So vendoring, I don't know how practical it is. Even Golang moved from vendor to Go modules, right?
A
I hear what you're saying, and I believe in the paper we do recommend storing all the artifacts yourself, right, so not pulling from... Is it an external resource or is it an external requirement?

B
Artifactory itself is mirroring from external, like Maven Central or PyPI, right? So Artifactory is an internal clone for external artifactories, right? So it is, but even Artifactory itself is outside a build system. It's not a part of a Jenkins pipeline build process. But I mean, in my opinion, we are overcomplicating this sentence, or, you know, it is more like what John was... the pinning dependencies is the main thing here, right? We need to freeze the dependencies, we shouldn't...

B
We should be able to reproduce it every time we build it, right? So no one should mention greater than, less than this version or something like that. There should be a specific, explicit version number which should be the same across all the builds, right? So that's my view, instead of highlighting vendoring. Vendoring may not be practical.
B
Yeah, it'd be confusing, different lines. So the first one is reaching out to external sources at build time. That's fine, but you say internal Artifactory is an external source, maybe, may not be. But even Artifactory, you know, sometimes if it is not in Artifactory, it will try to pull it from the external, like Maven Central and things like that. But, you know, there can always be that challenge: external resources can change and disappear.

A
So yeah, yeah, yeah, the question is: what is the actual recommendation to somebody about reproducible builds and pulling down external requirements? Is...

A
That you pin the version and get the same exact external source every single time, verifying it via the hash of it or whatnot. Is that the recommendation? I don't...
H
Think we can recommend that, we're not there yet. So I think we can say this is what we should do, but because we can't do that, the community isn't there yet, you know, you should incorporate that into your risk assessment of the software, yeah.

A
Okay, yeah. I like that, to Venard's point.

A
Increases... now I don't, I mean, we can't start with, you know, let's take out "ideally". The entire page or paper is one big "ideally" sentence. "Depending on specific versions of external requirements increases..."

E
Through a, throughout a software, throughout soft...

A
...life cycle. Do, if we do include, I mean, since we're including this, do we also want to make a recommendation, specifically here, about keeping, you know, pinned versions up to date as things change in the external resources?
A
You know what's funny, I mean, at that, shouldn't you, wouldn't you get, like... Presumably your scanning tools would tell you, right? They'd be like, well...

B
Yeah, it might contradict what we are pinning, right? So if you are saying up to date, most people will use the latest tag, or without explicit version, which will, again, the control will be, yeah, outside. So you don't know what version you are exactly getting during the build, because there will be a new version in the Artifactory, so the checksums and everything is different.

A
I mean, if you're using, even if you're using Dependabot, Renovate bot, the recommendation to pin it still exists, so you still should pin to that existing version.
B
Yeah, there is a challenge with the pinning, right? So mostly developers, once they explicitly mention a version, they don't change, they don't update it that frequently, right? Like, so that's one of the reasons, like, some people use latest, so don't mention the actual version. So, you know, using pinning can introduce this problem of not frequently getting this software updated, right?

B
So I think it's a good idea to recommend Dependabot or Renovate, but along the same, that to avoid any, you know, legacy versions, use tools like Dependabot to get the regularly updated versions, right? So they can, people can, even though they explicitly mention the version in their pom file or requirements.txt.

A
I mean, yeah, but you should also have a system like Dependabot or Renovate bot that, you know, even if I pin, if I create an open source project today and I pin a specific version of a Python package, Dependabot is still going to yell at me. Yeah.
B
Yeah, that's a good thing, but if Dependabot was not there, like, like many other companies, like Bitbucket or a GitLab type of repository, they just keep that old version forever, right? So they can use Renovate bot in that case, to...

A
Yeah, who would use Bitbucket? Yeah, I agree, I agree. Does that need to be one extra sentence?

A
Throw it in there. Can I put that on you, either Vanader or Aditya? Yeah, that makes sense. Yeah, sure, just, like, a quick one. All right, nothing too long. So I know we're over. If anybody can continue going through, look at the comments; if it's not something that you feel confident overwriting, add a comment in and feel the fire, I mean.
A
I think our goal right now should be to clear out all these points of contention, and then, I mean, that should be... Don't even go and read it first, let's actually knock out all these pieces, because we can always add more comments in the next round of edits. But this is getting significantly more coherent. We're getting closer to the point of being able to just read it top to bottom, and, yeah, seriously, anything over the weekend.

A
I wouldn't mind next week putting in a little bit of time to do this again. I think this is useful, to just have very straightforward pushing through. So thank you all for coming. Have a great rest of your weekend. Look forward to finishing this out, for sure. Adios.