A

Hey, Michael.

B

Hey, how's it going?

A

It's going okay. I came into this like two minutes early and I noticed that the recording button is just always on and, like, sitting here thinking, like, is Emily getting this video of me and just...

C

Posting it on the.

D

Internet, Mr.

A

Julian, doodling on Zoom for two minutes.

A

I'm going through some of the edits now.

A

Today I learned that state-of-the-art is separated by hyphens.

B

I.

E

Will be.

B

Back in a second, I'm just going to pour myself a little bit more coffee.

A

Not a problem, make sure to clock.

A

Out.

A

Hey, Alex.

A

Can you actually hear, Alex?

D

And I think you're on mute. Oh, nope, there you go.

A

Hey.

A

Alex.

A

uh

A

Mike, we're going to need a higher-definition camera so that we can further evaluate the shelf behind you for what's on there, book-wise and.

C

Board.

A

Game-wise, of course. Oh, I see you have Terra Mystica down in the far right. That's a good.

A

One, I guess. This is, is it.

D

I can't hear you. Am I muted now?

B

Whoops, no, I muted myself. Oops, not.

D

That.

B

Yeah, no, yeah, Terra Mystica is a good one. That's one of my favorites, yeah.

E

The successor is better, oh.

B

Yeah, yeah, I haven't been able to find it in stock anymore. I.

A

Have a project. It's literally the name.

B

Of.

A

Our Wi-Fi at our household. My wife and I love it, like, we played it too much. Anyway, okay, enough with the CNCF board game working group. Back, I'll just go ahead and share my screen and we'll start going through edits. This is the last week, am I right on this, Alex?

A

This is the final.

E

Week, so yeah, and therefore.

A

Yeah, this is it, I believe. Cool, okay. I figured that's why Cole went through, and I don't know if you've seen it. It's like, there's many, many, many grammatical... radicals, yeah.

C

I.

A

Learned what's hyphenated. I do not... is it okay? Can I contest this very first comment? Is high profile really hyphenated?

A

Can I really, can I just Google that and just be like, yeah, look. I had to do it for state-of-the-art. I didn't believe it, I was like, nah, there's no way. Hold on, hold on. Okay, so high profile, no, okay, high profile.

A

Oh, it is. Oh no, my life is shattered. I mean, I'm okay with that, yeah. And Alex, your comment. Oh, I think I misunderstood.

F

There, I thought he was deleting it and I didn't realize it.

A

Was a hyphenation.

F

Yeah.

A

He literally hyphenated a bunch of stuff, so, yeah, things that I guess he got out his dictionary or thesaurus for. All right, in other parts of the doc we use a space instead of a hyphen for key rotation, yeah. Is key rotation hyphenated? Don't tell me that one.

F

Google doesn't think it is. I.

A

Don't think it is, it wouldn't make sense.

F

Yeah, no, no.

A

Not at all, nope. Sorry, sorry, Cole. I'll add key, though.

G

We're just checking the SEO, right, like it doesn't mean there's an official... Maybe we need to check in with a dictionary or something, yeah.

E

Bernard, you're in the UK, please tell us about the correct English. We need that. I'm not British, I'm sorry, which is not my first language. Well, it's not ours, either. All right, "to further harden these materials", they have suggested "these source materials", and I think that's fine.

A

Sure, yep, let's see. Source materials.

A

That comment stays for now.

A

Okay, "supply chain security is developing" over "nascent". I love the use of the word nascent, it's so good. "Where existing information is often focused on singular, independent", I'm okay with that. I mean, I think this is a little bit too, yeah. You wouldn't know that this refers to supply chain security, so I can buy Cole's change. And so did you, Alex?

A

Do you have the ability to just, if you want, if you see something that Cole says like that, especially grammatical things or clarity sort of stuff, why don't we just accept them?

F

I actually don't have the ability to accept anymore. I'm not on the adjudicators list, so.

D

Can I just change that for you? That's a single, on this go out. The rest of the set seems.

D

Right.

A

So Alex, are you agreeing that that needs to be deleted?

F

Yes, yeah, I'm saying I think we should just drop that.

A

I do kind of then wonder about the ominous "a more holistic approach is needed" comment. I mean, I think that's the kind of summary of the entire paper, but I'm good with it.

A

Yeah, I guess it says that right after. That's the paper, it's a holistic approach to software supply chain security. "Additionally, anyone with an interest in supply chain security can refer to this document." Okay, cool. I think John's good. John would be angry about the loss of the flowery language. I did reach out to Mike, and he said that he'd be on top of this. He said he'd have time middle of this week. I'll.

D

Reach out to him again, and if not we'll just get.

A

We'll disincentivize or delegitimize it. "For example, some security breaches."

D

Yeah, let's take out "might". We don't want to say "might" the entire... Let's see, "gaining access", yep, gaining over getting, sure. Additional.

F

Over another, yeah.

D

Yep, agreed, Alex, that's a great space. "Additional other threat", excellent.

D

All right, this is recent. Build.

A

Related continuous integration, continuous delivery steps should all be automated through a pipeline. Oh, by the way, John is going to join here in a minute, he's just running late. Hey Tim, I didn't see you join, snuck in there. Hey.

D

"This recommendation feels like a summary of much of the rest of the paper beyond the source code section. Do we need this here?" I.

A

Do agree, and I think we said this too. Yeah, I mean, the entire thing is about pipeline defined as code, so yeah. I 100% agree.

F

Personally, I think we could drop this recommendation, because we're going to talk about this in so many other ways in so many different.

A

Places. But, and it's brought up in the introduction, I mean, it's literally.

F

Highlighted.

A

If you didn't read anything. Yeah, no, and it has nothing to do with source code. Why is it in the source code section, right? I 100% agree. I don't know what this is.

A

It almost feels like these are separate comments.

F

I think that that is Cole, assuming we're keeping that recommendation, saying it shouldn't just be for high, everybody should be automating. And then, sure, I think Emily was just responding to Cole. So two questions, I guess, that we have there. One is, are we keeping this one, and the second is, if we keep it, do we change the.

A

No, I.

F

Mean.

A

I'm going to recommend to delete it.

B

Just real quick, so the reason why I had written that, and I maybe put it in the wrong spot there, was Emily said it wasn't clear whether or not we were making an actual recommendation to automate all steps as part of the build, and making sure that that was clear to folks.

A

God damn it, now that, you know, you wrote it. I.

B

Mean that.

A

I would delete it. I'm just kidding, no.

B

No, no, no, no, no, to be clear, like, I might not have put that in the right place, but if you go back in the Slack a little bit, I do remember this from... this was last week, right? You wrote it, like, partially on the call. Yeah, yeah, where Emily was just essentially saying that she felt, and I sort of agreed, where the idea is we should be definitely recommending that all steps.

C

As.

B

Part of a build should be automated, outside of, like, any manual sign-offs, code reviews, those sorts of things. You know, the thing that we wanted to sort of... If you wanted a specific example that she called out, it was we don't want to do manual hash validation, like somebody going and saying, yep, this checksum relates to that one, yeah, that's good. We want to make sure that all that sort of stuff is automated.

A

Yeah, the only thing is that that goes above all the sections, like it doesn't fit in source code, right? This is the.

A

That's kind of my... I think that's what we're saying here, Mike. I.

C

Totally.

A

Agree. I totally agree, and I think that Emily has a good point. But where does that go?

F

If you all.

A

Are.

F

Okay, I'll look and see if I can find a better spot for it. I feel like we get close to this, to saying exactly this, in the introduction, and maybe we need to spell it out more, and then we definitely have some other places where we get close to it and maybe need to spell it out more. So let me see if I can find a better spot for it and I'll move it, and then we can.

F

Somebody can sign off on where I've moved it to. Okay, but I won't waste the rest of our time on this call trying to find that spot.

A

Okay, she did a footnote fix, perfect.

D

Sure, I see the difference between this recommendation.

E

I.

F

Think she's fixed this, more or less. I think they're still kind of redundant, but I think it works, so yeah.

D

"What is and is not considered acceptable, so that potential contributors are advised in it."

D

Okay, okay, I'll take it.

A

This is similar to, like, the code owners, use of the code owners project, which is, I think, further down, right?

A

Yeah, yeah, "defined individual". It's this, yeah, that's what you're saying, it's the exact same. It's just.

D

Yeah.

A

Maybe it's more granular, I'm not sure.

D

All right, replace "certificate" with "SSH certificate". Head foot, no, cool. I think I'll. Take.

A

That.

A

You got a good LGTM from Cole there.

D

Oh, "third-party artifacts, open source libraries and any other dependencies should be verified as part of the continuous integration pipeline." Just called no checksums, yep, yeah. I can agree. Anybody? Nope.

A

All right, now more grammar policing with Cole. "A generated SBOM provides that", yeah, that's fine, I think. Speaking in the present.

D

Rather than... mm-hmm, yep, that's fine. Can.

A

"To ensure", ooh, okay. "Before allowing software dependencies into the system, they should be scanned and evaluated to ensure the level of the vulnerabilities they bring." Well, that's an interesting one. I'm going to give the floor to Bernard. "Level of vulnerabilities" is a question. We do know that there are cases where you can have contextual levels of vulnerabilities, right? You can have known vulnerabilities that you're accepting in your environment. Does it make sense even without the words "level of"? And I'm just kidding, putting Bernard on the spot. Tim, Mike, Alex?

A

Do you have any.

G

So he's asking to remove "the level of vulnerability".

A

Yeah, essentially say "ensure the vulnerabilities themselves are within risk limits", not "the level of", as if there was, like, a threshold. Which I think in some cases there is, a threshold of vulnerabilities that you can allow.

A

I mean.

B

I mean, I think it sounds like saying basically the same thing with fewer words. "Vulnerabilities they bring in are within the risk limits" is the same thing as saying the level of them is acceptable.

A

That makes sense. That's fine. I'm maybe reading into it too much. Delete. There's a bunch of these where I just move the.

F

Link from the text down.

A

Here, yep.

F

Got it, cool.

A

I see it.

A

Oh, let's see, I didn't actually take a minute to look at this. Oh, that looks good. You can kind of see, it makes it significantly clearer. Good job, Emily. I.

C

Yeah.

A

I would never do that. My letters would run off the page. Are we just gonna ignore Justin Cormack? Oh, I guess Cole got to it.

A

What did I say?

H

Oh, the.

A

"Removing components", there you are. Yeah, I am staying out of this, yeah.

H

Yeah, I want the thought that if it doesn't need to be there, it shouldn't be there, and there's threats that we don't know about, things, and if they're not there, we don't have to worry about those threats.

B

Right, yeah, that was also my line, and that is a hill I'm willing to die on. Something, yeah.

H

Like.

B

Honestly, you know, I know one of the big things that, you know, people bring up about, for example, like unikernels, right? Like, oh, unikernels are safe, because if you don't allow networking or whatever, like, you can't compromise the network if you don't allow networking. You can't compromise, like, a text editor if you don't have the text editor installed on there, right?

H

Yeah, I think the point to where we talk about the attack vector of automated attacks, mitigating that, makes it valid, right? So we found it mitigates automated attacks by removing components that those automated attacks rely on. Therefore, it makes it an effective control.

A

Okay, so how many people's responses does it take to overwrite one response, one comment from Justin Cormack?

A

I think everybody's kind of in unison here. Oh, there's this guy.

F

I think.

F

When I read his comment, I wasn't sure that he was actually disagreeing.

D

With usually UBI-based images, yeah.

H

And they do do that at Iron Bank. I can show you all the documentation about minimizing it and pulling stuff out. So that's.

A

True. I mean, I think, from the arguments from the variety of voices here, I'm good with checking this and keeping it in.

G

Yeah, I think it can reopen if it just.

A

It's the last week. I'm just gonna put "enough evidence provided, statement will stay".

A

Sorry, Justin.

G

You'll receive the reply now, yeah.

A

All of a sudden Docker stops working for me. All right.

C

Please.

C

Docker Hub doesn't have this UBI concept.

H

You've been rate-limited.

D

That's fine. Awesome, Alex, I see the links are getting added. Footnote.

A

Cole, you missed our going over your grammar fixings. Oh, I'm sorry.

H

Something got messed up in the doc and I think I made some changes that I didn't want to. So I apologize if there's some issues. No, it's fine, so far everything's.

D

Been good, especially ruining my life with high-profile.

A

All right, delete link, yeah. This is all good, Alex. If this is the bulk of this, we're in a good place.

A

Okay, we have these two as well. Nobody's responded to those. I guess it's actually this week, so this is fresh. "Encrypt artifacts before distribution: might be worth laying out use cases where encryption of container images is likely to be relevant. Standard practice for most containerized environments is to avoid storing secrets in the image", yep, "so, whilst ensuring integrity is important, confidentiality of the image is less of a concern."

D

That's what it means to you. Boring. This section here is... encryption.

A

Yeah, so this is saying we are recommending, in high security environments, to client-side encrypt the actual image. Is that the debate up here? Yeah, and does that do anything? I mean, I kind of agree with them.

H

Yeah, it's.

A

A base image that doesn't have secrets and stuff in it. Why does that matter?

H

I don't... I've never seen an image encrypted.

H

I don't know if that gives you any sort of, like, verification, right? If you want to hide the materials of the image, well, yeah, sure, encrypt it, but does that increase your security? Yeah.

A

And is it something you'd recommend to be a common practice? Probably not, I think. If.

H

You want to verify it, right, you verify the hash or the sum of that image or artifact, and then you know it's what you know it is. Encryption is to keep it secret. Yep.

A

Does anybody know who originally wrote this assurance, or know the tricks inside of Google Docs to see that?

H

It sounds like it may have come from.

F

Oh, I feel like I remember this being a Brandon Lum addition, but I am not sure of that.

F

Okay.

G

From the DoD team, do they have any use case?

H

Yeah, so let's look at the language of it, right. "The contents of the artifact can be protected by encryption", so that doesn't increase security of it. "This ensures the contents of the artifact remain confidential in transit and at rest until it's consumed." Are we trying to write a paper about keeping things confidential?

A

Right, right, you're 100% correct. This would be like, if confidentiality was your utmost concern, this is certainly a recommendation, but, you're right, are we talking about keeping everything as confidential as possible? I don't think so. No, that's extraneous and it's out of scope for this paper, in my opinion. Anybody on the call, speak up in favor of keeping this in.

A

It's just.

A

I'll go ahead and.

G

I haven't seen any encrypted images.

A

Sure, "only authorized", yes, yeah, we do, because this makes no sense in context. Is that correct? "Encryption allows the viewing or use of an artifact to be tied to a key held from a particular distribution infrastructure." At that point, we have nothing in the encryption section, which means the entire section goes away.

A

Okay, I'm gonna make a comment then, just.

A

To.

D

Man, I can't type this one, yeah.

H

We talk about signing a lot, right? We don't talk about encryption.

A

Boom, perfect. Okay, we're back to Alex's link footnoting.

D

So rewarding to click the check mark. Thank you, Alex. That.

H

Was really.

D

Fun, the.

H

Other day I was going through.

E

That. I'm glad you guys joined my Twitch stream.

G

I think that you should give permission to, like, students. I.

A

Think so too. Okay, okay, and we're already down to the glossary. I know you set up, Alex, a separate message in the Slack channel about the glossary, yeah. I.

F

Summarized it here, but basically, I think that... so there's a lot of gaps in the glossary. Most of these terms are either used once or not at all, and I'm not really sure why we need to define them here.

A

My suggestion.

F

Let's just dump the glossary rather than waste time trying to finish it.

A

I'm 100% with you. Is it normal to have a glossary in a tech paper like this, unless it's for a tool, for terms that exist nowhere else? Do our users have Google? They sure do.

A

Yeah, can we just put, I mean.

G

I think we are not declining him to hear, right, like this.

H

Yeah, we've got pretty good footnotes, I think, and we expand things inside the paper, and our end users have access to reference materials.

A

I agree, and we don't need to define personas. If you can't effectively recognize the personas that are part of the software supply chain work, probably not a good paper for you.

H

Yeah, I think it was.

A

A really good exercise to organize.

H

This paper, right.

A

So, just literally all this. Does anybody see anything, like, worth keeping in the software sources and software groups, Alex?

G

I think, yeah, software groups, I believe we had a discussion in the beginning, like first party, second party, third party, to make it easier for people to understand. Like, you know, if somebody Googles it, you know, again, the SEO may not be the first party.

H

Is this something new we're defining, software groups? Does this exist anywhere in literature?

A

More important thing, are we going to be setting down... are we going to define this in this paper? And then what's funny is we'll define it, but we won't reference it anywhere. Do we reference that? I think.

G

Right, like where we explain about procuring and everything, so that's why we decided to explain it a little bit more, but I don't know if it's the standard terms. You saw somebody in the group define all these terms, so maybe, yeah, can we change it into a footnote?

A

Uh.

G

Yeah, maybe yeah. We.

A

Could just... wait, what if we just add it into the... there are no other appendix items, are there?

F

Nope, there's just the glossary, or the container one.

A

Should we do Appendix 2, software groups?

H

Yeah.

D

I don't know what kind of header this is. Looks like title.

H

Yeah it's good stuff, but it seems like it.

E

Is a.

H

New definition, right, so we need to definitely talk about it.

D

All right, let's go back up.

A

Do you think sources and groups I should keep? Yeah, yeah, I think so as well. What about the proper titles? Get rid of that.

G

But I also like Cole's idea, Alex, a footnote, right? Like that might help while reading this, some of the terminology.

A

Right, it's probably worth us checking whether or not we actually reference.

D

Them.

A

And should it be, instead of software groups, should it be software context, software.

A

Doesn't matter.

G

All right.

A

I'm gonna mark that as resolved. Alex, is that good?

D

On the droid? No, we still didn't get John to join.

A

All right, so can we recommend just, for this, all goes? Yeah.

F

Yeah.

A

All right, let's just cover ourselves, look for the word glossary to make sure. "This paper leverages several", yeah. That's... oh, that's now in our appendix.

F

Right, right.

A

Look, no more reference to glossary; there's no glossary anymore. All right.

A

Okay, so what's going on with this? Is this gonna become its own separate document? Is that the idea?

G

I think Alex, or somebody, mentioned to put it in the landscape work, right, or I don't know who, yeah, the.

F

The suggestion is to move... so I've put this in this other document that Emily has that is going to turn into the evaluation framework, but the suggestion is to eventually merge it all into the cloud native security map that is already underway. Okay.

A

Should I... should we even look at these comments, or do you think those should be considered as part of that discussion?

G

I think if we will remove it, I think spread that, like, so. Let me move from this to the, yeah.

G

Okay.

G

You know the container registry and things like.

A

That.

A

I have not spent any time looking at the appendix for this, containers, Alex.

F

I just looked at this an hour or so ago, so this is... that was my first time reading through this section. Okay.

A

I don't want to read with you on the call, that's not fun.

A

Do you find.

E

It useful.

A

Cole.

E

Do I find.

C

What useful?

A

The... I'm sorry, that wasn't Cole, that was Alex. He was talking. I'm sorry, Alex. Do you find, did you find reading this actually helpful? The base container images appendix. I.

F

Think there's some material in here that we don't have in other places that probably will be useful to people. So I think it's worth keeping the appendix.

A

Do we actually call out the appendix in the paper? Refer.

C

To appendix.

A

C, that's within that project. That's within that paper. "Details of techniques to harden these capabilities, see..." Should I specify this to be appendix section one, base container images?

A

Okay.

D

Okay.

A

And that's it. So really very few references to the appendix.

A

Um.

A

All right, I'll spend a little bit of time going through appendix one and seeing, and Alex, I'll click the check mark a million times. I might ask John to just give you the ability to go and approve your changes. I trust your grammar there. Anything else anybody sees? Let's see. I can try to give you all back 25 minutes of.

C

Your life.

A

I.

C

Just want to clarify it, so we are moving the table from this paper, right? Like, yeah, yeah, yeah.

F

Yeah. Who's facilitating that? I left it in there only because when I copied and pasted it over, the comments didn't come with it. So if any.

C

Of those comments.

F

Left in that table are things we want to deal with, someone needs to go post an equivalent comment in the new document. So if somebody wants to just take a look at those and say, oh yeah, this is still open for discussion, and then make a note of that in the new document, then we can clear it out. But I didn't want to delete it permanently and lose all those comments if there were still things that we cared about in those. Can we set a.

A

Deadline for, like, end of day Monday for getting the comments out, if you're clear, and deleting this entire section. If you want, like, in Slack, I can ping everybody who has a comment, the most recent commenter. Alex, I mean, you know, there's not that many people. It looks like mostly Magnum Logan is the only one who really needs to go in and make sure they get ported over, and if not, I'm going to ping.

A

You as well, because I think making sure this paper gets put over correctly is good.

G

What about the prior art? Do we need to keep it there, or.

A

Yeah, I don't know, that's another good question.

G

Yeah.

A

That's kind of an Emily question. The prior art, I assume, I mean, it's just like a references section ultimately.

C

Okay.

A

I'll ping Emily and ask her as well in the channel.

D

What is this section referred to as by us? This is the open source tools and project.

D

Max.

A

Thing. All right, cool. In terms of, let's see, Emily had a bunch of items that need gone over, yeah. Shared responsibility, existing corrections need resolved, we did that. Regarding the automated assurance, add moderate and close it, yeah, that's what we just talked about.

D

SSH keys, Justin Cormack's cut, yep. We kind of tackled all those.

A

Yep, okay.

A

I truly think, getting through this, Alex, if we get through the appendix on containers and we make sure that it's relevant to the rest of the paper.

A

There's.

A

And Alex, if you can, if this... this is probably the last of the actual meat and potatoes in the paper that needs to be satisfied. I'm gonna go ahead and clap.

A

I'm gonna go ahead and hit contain on this. I'm gonna ping Mike Enzo privately and just be like, hey, can you do a review of the.

A

Appendix. I mean, I don't see anything else for us to work towards. Do we need this as well?

A

This needs to be satisfied. Yeah, just accept it. Sure, awesome.

D

Okay.

A

Yeah, this is really close. I mean, cool. I'll try to get through the container appendix part today. Everybody else, 20 minutes back in your life. I'll work via Emily and John in terms of if we need to have anything ad hoc until then, but this is likely close to being pushed off.

H

That's pretty cool.

A

Yeah, it's awesome. Super excited. So, cool, everybody, thank you so much for all the work you've done. Thank you for the reviewing. Anything you see, see something, say something, just put it in the doc. We can still review comments, it's not published yet. Thanks a bunch, have a great weekend.

G

You too. Thank you.

G

Bye.
From YouTube: CNCF Supply Chain Security 2021-04-23