From YouTube: CNCF Supply Chain Security 2021-04-23
A: It's going okay. I came into this like two minutes early and I noticed that the recording button is just always on and, like, sitting here thinking, like, is Emily getting this video of me and just...

B: Yeah, no, yeah, Terra Mystica is a good one. That's one of my favorites, yeah.

A: Our wi-fi at our household, my wife and I love it, like we played it too much. Anyway, okay, enough with the CNCF board game working group and back. I'll just go ahead and share my screen, we'll start going through edits. This is the last week. Am I right on this, Alex?

A: Yeah, this is it, I believe. Cool, okay. I figured that's why Cole went through, and I don't know if you've seen it. It's like... there's many, many, many gram... Radicals, yeah.

A: Learned: what's hyphena... I do not, I, is it okay? Can I contest this very first comment? Is "high profile" really hyphenated?

A: Oh, it is. Oh no, my life is shattered. I mean, I'm okay with that, yeah. And Alex, your comment... Oh, I think I misunderstood.

A: He literally went and hyphenated a bunch of stuff, so yeah, things that I guess he got out of his dictionary or thesaurus. All right, in other parts of the doc we use a space instead of a hyphen for "key rotation", yeah. I never... is "key rotation" hyphenated? Don't tell me that one.

A: Not at all, nope. Sorry, sorry, Cole. I'll add "key", though.

E: Bernard, you're in the UK, please, please tell us about the correct English. We need that. I'm not British, I'm sorry, which is not my first language. Well, it's not ours either. All right, "to further harden these materials"... that have suggested that source materials, and I think that's fine.

A: Okay, "supply chain security is developing over nascent". I love the use of the word nascent. It's so good. "Where existing information is often focused on singular, independent"... I'm okay with that. I mean, I think it's... I think this is a little bit too, yeah. You wouldn't know that this refers to supply chain security, so I can buy Cole's change, and so did you, Alex? Alex?

D: Can I just change that for you? That's a single on this, go out. The rest of the set seems...

A: I do kind of then wonder about the ominous "a more holistic approach is needed" comment. I mean, I think that's the kind of summary of the entire paper, but I'm good with it.

A: Yeah, I guess it says that right after. That's the paper, it's a holistic approach to software supply chain security. Keen with... and with a... "additionally, anyone with an interest in supply chain security can refer to this document". Okay, cool. I think John's good. John would be angry about the loss of the flowery language. I did reach out to Mike, and he said that he would... he'd be on top of this. So he said he'd have time middle of this week. I'll...

A: We'll disincentivize or delegitimize it, for example, some security breaches.

D: Yeah, let's take out "my". That's... we don't want to say "mites the entire". Let's see, "gaining access", yep, "gaining" over "getting", sure. "Additional", "additional".

A: "Related continuous integration, continuous delivery steps should all be automated through a pipeline." Oh, by the way, John is going to join here in a minute, he's just running late. Hey Tim, I didn't see you join, snuck in there. Hey.
A: Do agree, and I think we said this too, yeah. Yeah, I mean the entire thing is about pipeline defined as code, so yeah. I 100% agree.

F: I think that that is Cole, assuming we're keeping that recommendation saying it shouldn't just be for high... everybody should be automating. And then, sure, I think Emily was just responding to Cole. So two questions I guess that we have there. One is: are we keeping this one, and the second is: if we keep it, do we change the...

B: No, no, no, no, no, to be clear, like I might not have put that in the right place, but if you go back in the Slack a little bit, I do remember this from la... this was last week, right? You wrote it like partially on the call, yeah, yeah, where Emily was just essentially saying that she felt that, and I sort of agreed, where the idea is we should be definitely recommending that all steps...

B: ...part of a build should be automated, outside of like any manual sign-offs, code reviews, those sorts of things. You know, the thing that we wanted to sort of... If you wanted a specific example that she called out, it was we don't want to do manual hash validation, like somebody going and saying "yep, this checksum relates to that one, yeah, that's good!" We want to make sure that all that sort of stuff is automated.

A: Agree, I totally agree, and I think that Emily has a good point. But where does that go?

F: Okay, I'll look and see if I can find a better spot for it. I feel like we get close to this, to saying exactly this, in the introduction, and maybe we need to spell it out more, and then we definitely have some other places where we get close to it and maybe need to spell it out more. So let me see if I can find a better spot for it and I'll move it, and then we can...

A: Yeah, yeah, "defined individual". It's this, yeah, that's what you're saying, it's the exact same. It's just...

A: All right now, more grammar policing with Cole. "A generated SBOM provides that", yeah. That's fine. I think, speaking in the present.

A: "To ensure"... ooh, okay, "before allowing software dependencies into the system, they should be scanned and evaluated to ensure the level of the vulnerabilities they bring." Well, that's an interesting one. I'm going to give the floor to Vanad. "Level of vulnerabilities" is a question. We do know that there are cases where you can have contextual levels of vulnerabilities, right, right. You can have known vulnerabilities that you're accepting in your environment. Does it make sense even without the words "level of", and I'm just kidding, putting Banana on the spot. Tim, Mike, Alex?

A: Oh, let's see, I didn't actually take a minute to look at this. Oh, that looks good. You can kind of see it makes it significantly clearer, good job Emily. I...

H: I, yeah, I want the thought that if it doesn't need to be there, it shouldn't be there, and there's threats that we don't know about, things, and if they're not there we don't have to worry about those threats.

B: Right, yeah, that was also my line, and that is a hill I'm willing to die on, something, yeah.

B: Honestly, you know, I know one of the big things that, you know, people bring up about, for example, like unikernels, right, like "oh, unikernels are safe, because if you don't allow networking or whatever, like, you can't compromise the network." If you don't allow networking, you can't compromise, like, a text editor if you don't have the text editor installed on there, right.

H: Yeah, I think the point to where we talk about the attack vector of automated attacks, mitigating that makes it valid, right. So we found it mitigates automated attacks by removing components that those automated attacks rely on. Therefore, it makes it an effective control.
A: It's the last week, I'm gonna say, I'm just gonna put "enough evidence provided, statement will stay".

A: All of a sudden Docker stops working for me. All right.

A: Cole, you missed our going over your grammar fixings. Oh, I'm sorry.

A: Okay, we have these two as well. Nobody's responded; those, I guess it's actually this week, so this is fresh. "Encrypt artifacts before distribution": "might be worth laying out use cases where encryption of container images is likely to be relevant. Standard practice for most containerized environments is to avoid storing secrets in the image", yep. "So, whilst ensuring integrity is important, confidentiality of the image is less of a concern."

D: That's what it means to you... boring, this section here is button and encryption.

A: Does anybody know who originally wrote this assurance, or know the tricks inside of Google Docs to see that?

H: Yeah, so let's look at the art... let's look at the language of it, right. "The contents of the artifact can be protected by encryption", so that doesn't increase security of it. "This ensures the contents of the artifact remain confidential in transit and at rest until it's consumed." Are we trying to write a paper about keeping things confidential?

A: Right, right, this might be... you're 100% correct. This would be like, if confidentiality was your utmost concern, this is certainly a recommendation, but are we doing... you're right? Are we talking about keeping everything as confidential as possible? I don't think so. No, that's extraneous, and it's out of scope for this paper, in my opinion. Anybody on the call, speak up in favor of keeping this in.

A: Sure, "only authorized", yes, yeah. We do, because this makes no sense in context. Is that correct? "Encryption allows the viewing of, or use of, an artifact to be tied to a key held from a particular distribution infrastructure." At that point, we have nothing in the encryption section, which means the entire section goes away.

A: Boom, perfect. Okay, we're back to Alex's link footnoting.

A: Think so too, I, okay, okay, and we're already down to the glossary. I know you had... you set up, Alex, a separate message in the Slack channel about the glossary, yeah. I...

H: Yeah, we've got pretty good footnotes, I think, and we expand things inside the paper, and our end users have access to reference materials.

A: So, just literally all this does... anybody see anything retribute, like, worth keeping in the "software sources" and "software groups", Alex?

G: I think, yeah, "software groups", I believe we had a discussion in the beginning, like, in a first party, second party, third party, to make it easier for people to understand. Like, you know, if somebody Googles it, you know, again, the SEO may not be the first party.

A: More important thing: are we going to be setting down? This is a... are we going to define this in this paper, and then what's funny is we'll define it, but we won't reference it anywhere. Do we reference that? I think.

G: Right, like where we explain about procuring and everything, so that's why we decided to explain it a little bit more, but I don't know, it's the standard terms you saw. Somebody in the group defined all these terms, so maybe, yeah, can we change it into a footnote?

A: Could just... wait, what if we just add it into the... there are no other appendix items, are there?

F: Nope, there's just the glossary or the container one.

A: Do you think "sources and groups" I should keep? Yeah, yeah. I think so as well. About the proper titles, get rid of that.

A: Right, it's probably worth us checking whether or not we actually reference...

A: All right, let's just cover ourselves, look for the word "glossary" to make sure. "This paper leverages several"... yeah. That's! Oh! That's! Now in our appendix.

A: Look, no more reference to glossary; there's no glossary anymore. All right.

A: Okay, so what's going on with this? Is this gonna become its own separate document? Is that the idea?
F: The suggestion is to move... so I've put this in this other document that Emily has that is going to turn into the evaluation framework, but the suggestion is to eventually merge it all into the cloud native security map that is already underway. Okay.

A: Should I call any... should we even look at these comments, or do you think those should be considered as part of that discussion?

F: Think there's some material in here that we don't have in other places that probably will be useful to people. So I think it's worth keeping the appendix.

A: All right, I'll spend a little bit of time going through appendix one and seeing, and Alex, I'll click the check mark a million times. I might ask John to just give you the ability to go and approve your changes. This is just... I trust your grammar there. Anything else anybody sees? Let's see. I can try to give you all back 25 minutes of...

F: Left in that table are things we want to deal with. Someone needs to go post an equivalent comment in the new document, so somebody wants to just take a look at those and say "oh yeah, this is still open for discussion", and then make a note of that in the new document, then we can clear it out. But I didn't want to... I didn't want to delete it permanently and lose all those comments if there were still things that we cared about in those. Can we set a...

A: Deadline for like end of day Monday for getting the comments out. If you're cleared and deleting this entire section, I'll... if you want, like in Slack, I can ping everybody who has a comment, the most recent commenter, Alex. I mean, you know, there's not that many people, it looks like mostly, yeah. It looks like mostly Magnum Logan is the only one who really needs to go in and make sure they get ported over, and if not, I'm going to ping.

D: What is this section referred to as by us? This is the open source tools and projects.

A: Thing. All right, cool. In terms of, let's see, Emily had a bunch of items that need gone over, yeah. Shared responsibility. Existing corrections need resolve. We did that. Regarding the automated assurance, add "moderate" and close it, yeah. That's what we just talked about.

A: I truly think getting through this, Alex, if we get through the appendix on containers and we make sure that it's relevant to the rest of the paper...

A: I'm gonna go ahead and hit "contain" on this. I'm gonna ping Mike Enzo privately and just be like, hey, can you check the... can you do a review of the...

A: Appendix. I mean, what... I don't see anything else for us to work towards. Do we need this as well?

A: Yeah, yeah, this is really close. I mean, cool, let's... I'll try to get through the container appendix part today. Everybody else, 20 minutes back in your life. I'll work via Emily and John in terms of if we need to have anything ad hoc until then, but this is likely close to being pushed off.

A: Yeah, it's awesome. Yeah, super excited, so cool everybody. Thank you so much for all the work you've done. Thank you for the reviewing. Anything you see, see something say something, just put it in the doc. We can still review comments. It's not published yet, and thanks a bunch, have a great weekend.