Cloud Native Computing Foundation Security Special Interest Group, 16 Apr 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: CNCF Supply Chain Security 2021-04-16

Description

CNCF Supply Chain Security 2021-04-16

A

Hey good morning, andy.

B

Good okay, good afternoon good morning,.

C

Right! That's right! Sorry about that! No.

B

Today, it's all.

C

Yes, good day, it's perfectly appropriate. I should know by now.

B

Oh, it's all right, I'm just uh bemoaning the loss of a day. You know just just one of those I'm I'm.

D

All too familiar with that recently.

B

Hi alex, I think,.

C

D

Gonna get john today.

B

uh John has um he was vaccinated, which is a good thing.

E

D

Me but he's taken.

B

A bit of a knock from it so.

D

I messaged him an hour ago about it, oh great, like I'll I'll I'll run today, if, if he can't make it, but he said you could make it, he said, he'd be fine. That's.

B

Far more recent information than I had then.

C

Okay, hopefully hopefully you can show.

D

Yeah I was finally able to get my first shot on tuesday awesome whereabouts. I live in california, so um I had. I did I volunteered to get it though you can you I'm not officially able to get it for another. Actually. Yesterday they opened up to everybody. So.

B

In the uk, we're right now um ages, 45 and above not too old under the bus, because, of course, fresh and useful.

D

Yes, yes, he's clearly 25., um that's crazy! Okay, so it's not even open to everybody in the uk. I don't know why, because we always hear about how advanced you guys were with with rollout. I figured.

B

It's been graded, going down from so that all um all high vulnerability, high vulnerability, it's not a threat assessment. um All highly vulnerable people um have been vaccinated, ages, 18 and above um and then they just worked it down care home workers, public I'd, say public servants, public facing.

D

Well, that's, that's! That's! That's good! It's I'm just surprised that they they aren't exposed to everybody. Now we're having demand issues here I mean there's huge swaths of the population who don't want to.

B

Get it so one of my so we've got a 90 vaccine uptake rate, which is insane that's super high and.

F

B

I don't know one of my friends on um um well a guy called eric johnson at sands, who uh is in iowa, said: oh, they basically had no visibility of this when I was talking to him about this the other day. But we've had this max, like almost a vaccine war going on with like uk european union- and it's just been so uncouth, I think it's a gentle way of putting it.

D

Right well, the us will very soon have a lot to just give out yeah.

G

D

Take it, nobody wants it here, uh a third at the place. I was volunteering on tuesday. A third of people didn't show because of the news around johnson johnson there's going to be a lot of people who are turned off.

D

B

It feels a little bit misleading because statistically it's such a it's a rounding error, but.

G

I appreciate the danger.

B

Of giving it to everybody but yeah, that's nuts.

D

All right, maybe we won't get john after all, should just probably plow into this or emily emily would be. Another person who'd be useful.

D

I think, ultimately, at this point that there's emily look at that summoned. I invoked hi emily.

H

I heard my name being called across the world. That's.

D

That's how zoom works now, it's a new feature. Let's call out.

H

The people- I'm not surprised, how's it going it's been a week.

D

Alex is like everything's great.

G

uh I I don't think.

D

G

Maybe we won't get john, should we.

D

Should we go through the the comments today emily how many, how many weeks of of open comment, do we get for this piece.

H

We only get two so next week, I think, is when it's supposed to be closed down locked down from any further comments.

H

So, let's go through the ones that we have outstanding. That kind of need a group decision. Does somebody want to drive that.

H

Volunteer, I can.

D

I can I can I can I can okay one moment to make this look professional, all right, sharing.

D

Screen draft software supplied all right. Can you all see.

H

Yep we're good I'd like to try to.

D

H

Make decisions relatively quick on some of these things that way we can get through them all, because I've got to get off in like 30 minutes.

D

Yeah, okay, great, um do we just want to go from the top down? Is there any particular? I know I know cole brought up the whole um there's a new commenter two days ago, who had a bunch of controversial stuff, um but if people don't respond, for instance, I s you know uh alex here brought up the whole like conflating of zero trust, I'm not personally, I don't I don't want to. I don't think this is a decent suggestion. That's my thing here. Can I just end it?

D

Let's not use zero trust in another.

D

I don't think it adds anything. I don't think we need to coin another term. Can I just.

B

Check yeah: it's not zero trust at all by.

D

Accepted definitions.

B

D

Sorry, sorry alex uh all right.

D

It is worth calling this the present, principally so I'm looking for headings to put my back pocket, I'm translating as a boy he's branding our paper and he's starting like six startups there. I think the point.

H

We want buzzword.

D

Bingo yeah: let's, let's get names to things, uh I think the point we want to get across for trust. We need data that can be us.

D

Yeah, let's just no, let's not call it anything. Is that right.

H

D

Boom, okay, sorry, uh emily! What about this? This other document needs to be restructured.

H

um That's an action item after.

D

Okay, I'll hold on to that. uh What do you think about this? I keep seeing it. I think it's a it's a add references to hardening techniques.

H

Was this done? Is it in the appendix.

D

Let's look: let's go to the appendix: um let's see, prayer, appendix containers.

F

Based container images.

D

It does not look like it. um I will make a comment and reach out to mike okay, that.

H

Needs to be resolved or we have to remove the sentence.

B

Yes, yeah, uh let's resolve by next week. I guess seven days.

H

Yep, if it's not resolved by then delete the sentence.

D

Oh also just real quick pick him on slack, because I feel like that. I I hate these uh announcements. My guns are.

A

A

D

All right, cool um next alex looks like uh okay uh personally identifying oh yeah, okay, so.

I

This was just in response to that comment about a point.

D

Yeah, I guess we could go with pii.

I

Yeah, I feel, like most people in our world probably know what pii phi stands for, but if we wanted to make sure we included the explanation, I just put it in there.

H

Yep include the explanation: if we reuse the abbreviation later throughout the document, we have to first introduce it.

D

I don't believe we do uh try and message him.

H

It looks like it's further down like next page.

I

It's like in the top of the next page there yeah.

D

Great awesome thanks alex we're handling that yeah, okay, great okay. These are the these. Are the meaty ones alex? What do you got here.

I

D

Wanted to potentially.

I

Split this between agent authentication versus human user authentication- and I I was just saying I think in the introduction- I'm not sure, yeah we're.

D

I

Function, matters that much at this point in the pair in the document.

J

But you know whatever we want to do.

B

I I wonder if the substance of this argument is that software entities should be required to mutually authenticate. That is not necessarily, I mean.

K

F

I there are authentication mechanism like other than mtls right, so I think we should keep it high level if we are good.

J

F

Much with the user authentication service authentication secure, then you know we have to do a lot like yeah, yeah, yeah.

D

I I I actually agree with your point here and that that's I'm I'm good with that. I I think this is. Should I put a comment.

H

Is it easier to do a quick rewrite and simply state that mutual authentication of identities should occur before interacting at any stage that way, we're not being explicit on user or software as uh independent entity objects.

D

So just take out, let me just.

F

Make sure I.

D

Know what you mean.

F

We secure authentication that it's not just limited to mutual authentication. I believe we want people to avoid a weak authentication right, so there are several weak authentications in a book user and service authentication spectrum I mean mtls is a kind of a secure authentication, but it's not necessarily the best authentication mechanism out there right so.

B

What do you think about the wording? Strong, strongly authenticates their identities and then it's.

E

E

D

I don't think I don't think anybody's unless we were going to go deep into what mutual authentication means later. I don't think it matters that much you could.

H

Just say: authenticate.

D

H

So so the reason why I I'm I want to stick mutual authentication in is because there are still a lot of organizations that have like they do authentication, but they do not do mutual authentication sure and if we don't call that out as mutual authentication being and being encompassed within a secure authentication practice they're going to continue to get away with it. I mean they are anyways unless they read the paper. But if there's a way that we can just slightly tweak that to.

F

H

F

Family, the following authentications: we are discussing later right, so one is a ssh and another is a token based authentication, so they don't have to mutually authenticate. That is a challenge that, like a client, don't have to authenticate the server there or you know most of the case. Server is authenticating the client only so that will be the challenge we might have like. If you will put a mutual authentication, the following authentications, you know we might have to rewrite those things right. So that's my thought.

B

It is ssh, it is the idea of mutual stage, authentication the acceptance of the the id that the auth um think that the fingerprint of the server you're connecting to and is, is using tls to authenticate, with a token saying that we've authenticated the server, because that we verified the tls certificate. Is that the level we're thinking emily.

F

So good yeah, so that tls itself don't have to be mtls right, so it can be one vtls.

B

And if it's one way tls the client is authenticating but they're also verifying the certificate of the server. I guess yeah in the weeds straight away here, but I'm just I don't quite understand.

D

Well also I'll go ahead. Emily.

H

I was gonna say I want to avoid any presumption that one way tls is acceptable. There are occasions where it is, but there are a lot of instances, especially in the supply chain, where having two atls is critical and I'm not sure the best way to present those exceptions. Early on.

I

Right, because this is what's like this particular paragraph is- is still our introduction. It's pretty we're not getting too much into the weeds here.

F

Right, I think we can keep it in my opinion. We can keep it like that, but you know it's it's an interesting area. If you want to explain- and you know some of those indication mechanisms- we are.

G

H

Would it be easier to add a footnote to the end of that sentence and say this is further the disgust for different areas later through the paper.

B

I think the thing that just made it clear for me emily is when you said specifically in the supply chain, and then I've looked at the sentence and it has the final clause being the supply chain. Maybe if we just refactor it for any stage of the supply chain, users and software entities should be required to mutually authenticate.

G

Just move this: it's.

B

Just changing yeah, it's just changing the object in the sentence. Well,.

D

I get your all's issues, I don't think it matters. I don't think we're addressing justin's comment at all, because justin really doesn't care about about the mutual aspect and go ahead. Yeah go please go ahead and uh make the change he.

F

D

Just cares about the fact that we're we're using the term user and software entities as if it's the same.

F

D

Which I would just go to the cheat route and just take out user and software and just say entities, but uh I also I kind of agree with you alex that in an introduction. Who cares we're not.

F

D

I I unfortunately cole's. I think it would be more confusing, in fact, to go to split it out into user authentication versus workload at the station. If anything, I would be like why here, let's do this later.

I

Well- and I think we we do- make those distinctions pretty clearly in a lot of the recommendations later in the paper. So I don't know that it's worth muddying the waters in the introduction.

D

I'm I'm 100 with you.

D

For interacting on this is uh you should mutually? I thought I could throw your days prior to interaction.

D

L

Good, that's a that's! A politically.

D

I should have probably commented on that.

D

Just said, nope.

B

I think you can get it back. Oh I was gonna see you can get it back with that button next to share.

D

It's not gone forever.

H

Does that work with the footnote and the rewrite.

B

H

All right, let's accept them and resolve and move on.

K

Beautiful accept.

D

Resolved and moved on: okay cool: let's keep going another justin cormack.

A

I think it is a good idea to add something about verifying the.

D

Signatures verifying the signatures currently a lot more people sign, git commits than actually have any verification workflow, and while that has some benefits in forensic situations, it doesn't.

H

That's that's a footnote later on. I wrote it it's about um merging.

D

Where do you have that footnote? Oh crap? No right here right here! Yes, it's.

H

D

Okay, I'm just gonna say addressed in footnote 17.

H

D

H

Can we link back to that uh footnote 17 here just to make it a little bit more explicit.

D

Sure is it going to mess with things that we're we're doing the actual foot the declaration later is that.

H

uh Well, we can add a footnote and copy and paste the same thing twice.

D

ah Genius all right um and then do you want it at the end of the page or do we want I'll.

F

D

You do it yeah um way you guys can move on, but I'm going to go ahead and end this. I think adding the footnote more than helps sound good.

D

I

This is old, this is not from the review period, but.

F

D

Probably clear.

D

What do you uh yeah just cleared out alex added.

H

So it just needs resolved.

K

G

Perfect 16.

D

Okay, so are we also going to keep 18.

H

Yeah, it's relevant, we'll just keep it twice.

D

F

I think we should uh change that sentence on this page right. Can you scroll up just um reach out where.

D

F

That heading is one page and content is another page right. So wait.

L

I'm scrolling down.

F

Scroll down slowly yeah there, I think the automatic software security scanning and testing the heading is in one page, the the footer, if you're just above the footer scroll.

H

D

F

H

You're talking.

F

D

Here, yeah that gets fixed, it gets fixed, but not yeah. You can't really do anything about it. Unfortunately,.

H

It's google docs at their finest yeah.

D

um Okay, we have this midi that was just recently reopened three days ago. Okay, so it was resolved wow. He he did not like that. I didn't read it that way: no need to reopen okay, closing again.

H

uh There were suggested changes. Are we accepting them.

D

From from him,.

H

uh No for this one right here.

D

H

They were linked.

D

I thought this had to do with the justin cormack piece.

H

Maybe well, let's just accept them.

D

Okay, yeah, I'm good with I. I saw this.

D

B

Some high security- I wonder if I was going to say signed hash, but no, that's tautology. Sorry carry on all right.

F

Security think it can be just read the last one.

L

D

Read the last one.

A

We had a discussion on this.

D

A

D

Those language, the document, should we wait for robert to get back.

F

Yeah, I think we are waiting on robert.

H

Three days ago, if someone can ping robert to get the adjusted language.

D

Is he in here on slack.

H

I don't know he authenticated with the google docs, so if you assign it to him, yeah.

D

He's here on slack.

H

Okay, cool, if he doesn't fix it, we're deleting the.

H

Comment, wait is that is it fixed.

D

H

There's the text is red.

G

We just put that yeah.

I

That's addressing his comment, I believe.

H

I

F

It's from somebody else exactly this old one right, so he agree alex.

H

So it looks like this is still outstanding.

F

I think robert is outstanding but alex, I think, he's okay, too. uh He accept explanation. Everything.

H

But cole has what what is this hold on? I need to read.

M

G

D

I'm 100 with a call on that that.

D

B

I wonder if that flies in the face of the github tokens, as somebody calls out in the in the next section.

I

Because I think that's exactly what um alexander barbados says in the comments below actually.

B

It it's the implication that it's, admittedly less secure option to frequently rotate access tokens. I think less secure is loaded because that's comparing tls to ssh. They both share some of the same ciphers anyway, and the access tokens can be scoped differently. So I think it's so so complex and people can argue from both sides. Maybe another.

B

D

Yeah, admittedly, less secured is the passive aggressive.

D

Well, neanderthal neanderthals used to use frequently rotated access tokens um option over varying.

F

I

D

Varying security concerns is frequently rotated axis we sound. So uh that's such a euphemism.

H

It addresses it and we're calling out that we know that there are politics in that. It's like emacs versus men,.

D

Yeah yep, I'm okay. With this, I I think this is great. It's important to know the problem with tokens, distribution secrets, exposing.

A

Exposing credentials to them.

D

Out of band, I believe, is hyphenated. Maybe now we have to check on that.

H

I think, as soon as andy finishes his edits, we accept them all and move on.

D

Yeah all this green and red is christmas over here, yeah right.

B

So there's another mild contention here: tokens should only be used if they're short-lived and issued out of band again those github personal access, tokens, yeah.

C

Not short-lived yeah, we.

F

Are addressing that in the next section where uh use of short-lived uh credentials, so we call them personal access, tokens, yeah.

B

Do you think this wording should only be used, um should stay or should change? Finland.

F

I think the man I think man in the movie is just one of the many attacks guys I think yeah.

H

So I added tokens in this context should only be used if they are short-lived, so we're specifically talking about this area and not discussing them later on.

K

M

A

I

Two items down we do have, I think vinod was just saying we have another recommendation that touches on this. I'm wondering if we need this paragraph here or if we're.

D

Yeah, that is the gist.

I

Of this accent.

D

Or that paragraph you short-lived the terminal credentials. Oh.

I

C

D

You're 100 right more details in just 20 seconds of reading.

D

H

D

Looks great yep.

H

All right accept all the things. Oh.

D

D

Gonna need to get osha in here for all this clicking I'll get an.

A

D

His his statement there.

H

It should resolve both of those comments just make.

D

D

Vendors should be required, not a reasonable ask at present for moderate risk categories. uh My I thought uh john did this john yeah john split this out. So this is actually.

G

But it's done fun. Bye-Bye.

B

I do wonder about that. One um justin is uh one of our one of the two sign-off people on this okay and um and he's uh I mean just in case people. Don't know him uh he's the cto of docker and I probably has a reasonable view on this. I I don't know how we can actually enforce vendors to to do this and.

H

Enforcing vendors to do something is not currently our problem.

L

H

And and justin's also our talk liaison so he's gonna re review it again and double check on his commentary and if something's an issue, I'm sure I will hear about it.

D

But but I mean, is it wrong, though, andy to say that in high secure high risk in categories, you would require your vendors to provide you that s-bomb.

B

It's laudable but only platform: one has the has the ability to do that. Maybe.

H

No, no, you can always ask, and they can say no yeah.

F

And you can say.

H

G

F

They are asking their vendors to provide a sperm or a provide discount for the risk, and the u.s government is bringing up the you know the law so bill. So I think yeah get more common that, like everyone, should provide yeah.

I

Cool may be more.

D

Common soon more adjusting comments uh alex.

I

We have this whole section right. I think this is gonna, be as soon as we update this graphic or do whatever we're gonna do here. That's just gonna all disappear, so I don't know we need to spend a lot of time on it. Wait.

H

What what what's wrong with.

I

C

Graphics, uh there's.

H

There's no commentary about something being wrong.

I

It's not the graphic, nothing wrong with the graphic we wanted to create a new graphic that illustrates, or that eliminates this paragraph here yeah. I.

D

Like the graphic.

I

We, like the graphic, why.

H

Didn't anybody.

I

Tell me you wanted another.

H

H

So what is the ask.

D

H

So at the moxiefox gmail.com.

D

Yeah, that's so annoying that it pulls your your personal contacts rather than all the people. Who've been part of this document. Sorry, um I will uh yeah that's also not working.

H

Fox fox at work.

D

Gmail.Com, like that yep add people to this discussion, send them an email all right.

D

Let's do that. Let's see if that works there you go.

H

Yay, so you want to you want a graphic to replace all that text yeah. I thought that's what the above one was supposed to be well.

H

C

H

Tools, you have the workers the pipeline orchestrator. Is there the build infrastructure, the source code, repository artifact repository and the signing infrastructure.

H

I mean it's a pretty big graphic that is shrunk down to be tiny.

D

Right right do.

H

They need labeled.

D

That might be it because I think the problem is is this list here. I think we agreed that which you can't label it right. There's no way. You'd have text the right size to do that. I guess you could you could put little numbers and then we could have.

H

You'd be surprised.

D

H

D

I mean, but the the the key thing here. I think we discussed that like listing this, just look yeah um it just yeah it felt like well. Why is the graphic even there? If people have to read this these two paragraphs and and see all these these pieces here also.

F

D

Clear at all how they communicate with each other. It's just a list like we could add anything to it.

H

So I will, um I will work on grouping or making identifying groups for each of the things.

D

H

Just might not be today.

D

Yeah, I think I mean.

I

You think that solves it. um We.

L

D

I

There will disappear.

D

Yep yeah: we won't need this.

H

Okay, I need to jump off. You all are doing great. Keep up the good work, be aggressive.

C

Thanks got that vibe cheers have a good day thanks a bunch adios.

D

B

This section calls me some uh sort of contact uh cognitive dissonance, because it's really focused on loading nvms and what this whole comment breaks down into is vms versus.

G

B

My instinct would actually be to defocus on vms a bit, but there is this annoying middle ground where people want to refresh the whole build environment and have vm based infrastructure with containers in.

B

So that's as far as I go.

D

Yeah um to blake's main concern here.

D

His issue was mostly the fact that we're we're conflating that image, there's stages in workers, context.

B

The the wording of this document is such that each stage is discarded, but well each worker has a single stage and.

F

B

One-To-One then discarding relationship, it's practically, it's untrue. Frankly, it's um it just it costs a lot. Doesn't it and shipping data and compute so sure I didn't yeah. Perhaps I should have weighed in earlier.

D

I I mean I, I think we're we're putting it out there, though, as the ideal andy like that's.

B

D

That's the whole yeah clearly in practice not easy to do not likely to happen, but uh the idea is that this is what we recommend for the most secure environments right um here we go. Let's, if we're not going to aggressively answer this one, I do kind of want to bring blake back into this.

D

Let me go ahead and message him. Just real quick.

D

uh And then, let's move on to the next robert van voorhees ah yeah, what do you uh I yet again brought him up here? Do we really need to expand on opens cap.

B

It's pretty old-school and standard.

D

I just I just we don't we don't do that for any of the other tools. Really, we don't go into what get lab is we don't? You know? um Why would we do it for some tools and not others? The idea was that this is a tool that that satisfies the need. Here it is here's here's the name of it should do you think, so I I should give him a couple more days. It's been four days he's gotten the email.

B

I think we stay, we do it aggressively, I don't. I agree, we haven't expanded other things.

D

Yeah, we don't, I don't see us needing all right, justin citation needed. uh He thinks it's wikipedia.

B

There is some evidence of this in um in platform, one again in in the iron bank containers um I I can I'll respond to him there. Okay,.

G

B

B

D

So all right, pinged blake thanks for handling that one andy, let's keep going. Oh whole swaths of the document without any.

D

This is rather old yeah. This is now two weeks old. I think this needs to collaborate. Are we talking about painting? Should we change the heading.

I

I feel like I remember us in a working session, actually working on exactly this issue, so I'm not sure if we still have work to do or if we can just clear it out. If it's not.

D

Piece of water, but you're, recording hashes over any remote data for verification during the build process should be done pitting specific versions. It's right there. I don't think we need to update the. I don't think we need to change the heading. I think that that's that's ridiculous, uh updated vital bugs blah blah blah blah blah blah yeah. I I I'm does anybody else think we don't address pinning yeah. I think it's good good done. Sorry, cole! I don't think we need to update the heading. It doesn't make any sense.

L

Therefore, it's important to use tools like the petabot or another bot to track and update.

J

D

Yeah, what's up with this rod,.

F

Sorry, you can close it. Sorry, I had to jump out.

D

Hey good news, everybody blake says we can just approve everything thanks.

D

Blake cool awesome, vernon that sounds aggressive.

D

All right we're back to justin cormack. um I don't like this term. Oh I'm kind of with them functionaries. What does that mean.

F

It is waiting for jason's feedback for a automatic process right so.

D

Yeah, I'm kind of with justin. The automated processes, though, definitely puts it.

B

In context, um I I think functioners is unique to in toto and frankly causes people like people saying cognitively.

I

Distance, can we just say.

B

I

By authorized entities or something along that line and replace.

B

Yeah yeah the magical entity.

F

D

I mean that's fine, just should I just replace this and an entity can be.

I

Either a human or an automated browser.

B

Yeah yeah authorized entities just just solved it. I think yeah function.

K

Really languishes.

B

Yeah, I don't like it much in the total either.

B

G

Entities look at that.

D

I'm kind of with justin on that that uh I don't know it's my enzo to.

F

D

I already went to mike um I'm going to keep that in there because it is supposed to be a placeholder emily thinks that needs to be expanded. As of nearly.

I

February 17th, I'm not sure if it's been expanded.

D

Or not, that's true, we don't know many of the core concepts of supply chain. Security can be applied to consumer as well as the corporation.

L

From raw materials.

B

D

That I think that is expanded here right. We go through.

I

I think it might be.

D

D

um I, like the the word nuanced all right. um I think that's that, oh damn.

D

I have barely looked at the this is the this. Is our.

B

This has become uh a little bit of a vendor. Shoot-Off. Hasn't it oh really yeah you can just it didn't. Look like this when it began, and uh perhaps unsurprising, I think unavoidable,.

F

Yeah minimum we are doing for them right, like we, don't allow the vendor to be in the front pages. So true.

D

Yeah yeah: it's also isn't it also a snapshot in time.

B

Good point yeah, I'm in there um they're not actually aligned, though, and notice.

F

B

F

So complicated someone just do multiple things and they won't necessarily fit in one category. So.

D

Oh yeah, I I feel like the formatting. If that's what you're worried about uh and.

B

D

To all be done differently,.

B

I will reject myself.

D

I mean just in general, somebody needs some fancier tables here, um but should we assign somebody to do to to to look at this and make sure it's consistent and make sense.

F

I I did add some of them, but I I will also check a double check again, I'm not sure if they're the original links who would.

D

How do how does the cncf do this so that it doesn't end up being oh.

B

Man, it's gonna need review, isn't it because are they going to allow.

B

Are we going to need to form a committee uh urgent committee formation, yeah.

D

uh All right I mean, and I'm gonna- I'm gonna ignore these. For now uh who.

M

Would own who would own.

B

D

Part about open source tools.

B

D

B

M

I can help.

B

F

I will help andy, then so andy's.

M

The primary question.

D

uh Yet again, uh what is the, how would I actually.

B

I guess this is a landscape review. Oh yeah,.

M

Sorry, I didn't realize.

F

Yeah, it's a bit controversial.

B

M

B

Just want to know: what's your email addresses, oh um just at subliminal suv,.

F

B

Me know: uh okay, that's no good! At gmail.

D

Obviously, that's.

B

Not work here, though, has it.

D

Oh yeah, no, no, but is that how it's? Yes? Okay, as long as it's spelled and then vanad uh uh sorry vanada? What ah okay you're just vanata oath yeah trick yeah lucky all right! Let's do this comment!

D

Cool! Okay, um I feel like this is. This is solid. We went through all the major comments about the actual meat and potatoes. um Emily's got a little bit of work on the the the actual uh document and then definitely something for what we just discussed here. uh Does anybody else have anything to bring up or do we get 15 minutes back on our friday.

B

I wonder because I've been scanned in attendance. What is the expectation of this group and, frankly, what can I pick up? Because I haven't picked up a number of things over the past few weeks.

D

So, uh like I said right now, it's still another week of comment. um I think andy.

L

D

Your sake, anybody who you can get this in front of to give us more feedback. I am still personally, I'm surprised, nobody's called out any of the recommendations as off or you.

F

D

I I I like that justin justin's really the first and I mean I guess there were a couple of others uh who who gave kind of subjective comments, uh but I think we should look more for that at this point rather than the whole. You know you didn't explain this enough or you didn't. I would love to see. Does this actually make sense? Are these consumable ideas? Are these concerns.

L

D

Could you could you take them um yeah.

F

Yeah, it's better to address them before publishing, otherwise there will be twitter walkthrough, and you know I.

D

I really do feel like with the way I we should think about. This is like uh for some of us. It's ironic, because it very well could be your boss is working on this, uh but imagine that your boss stumbles upon this white paper reads and is, like you know, sends it to you and says: go do this at our at your company like how many, how many, what the that will never happen here? Would you have yeah.

F

D

My kind of thinking on this whole idea is like I. We should probably have that conversation. What.

B

The per paragraph yeah.

D

Yeah exactly I I I'll be honest for a lot of this. uh You know we all know what the reality of of working somewhere that isn't even close to this transition looks like uh how do you? How do you make that incremental step based upon that and- and I do think that there needs to be a secondary piece of work? I think the strong.

L

D

In that light, yeah.

L

D

Post or something that that condenses and makes a recommendation.

B

An adoption guide, ultimately yeah zero.

I

B

M

Sort of what emily had in.

D

F

I

That uh comment that's way up at the top there's there's some link that she has to another document, and I think that was intended to be the starting of a uh either an implementation guide or series of blog posts or something uh this.

F

I

K

um That anyone's really.

I

Got anything with it since she started it, but I think that's what it was meant to be. Oh.

D

It's my favorite just a bulleted list.

B

Cool, uh I I love it. The fox says.

D

Nice um yeah, I do uh I just I. I should review this because this.

F

D

This is how I'd want to ingest it. I know I'm I'm lazy, I don't like words um so, okay, um but yeah other than that andy and alex I mean. uh Do you see anything that we need to put our effort to? Thankfully I can't draw so I can't do that graphic uh uh I mean I I think just getting a bigger audience is the is the way that we're gonna make sure that we were on the right track here, but otherwise it is it.

D

This might be some self-aggrandizing, but it reads well now um I think it reads. Well the I do like our format for how we do the recommendations. I think it's easy to read.

D

um You know, I know that there's a whole scrubbing aspect when they get to formatting uh and they make it more appealing, but I mean this is this: is it's solid.

F

I think maybe it's also good to share the link with the people who has big, controversial opinions or thoughts against the technology. Okay, so we can capture them early. Then it's like so.

D

F

D

A bunch of crusty devops people that I sent it to uh after asking emily, so I'm I mean I'm I'm ready to get get it torn apart. That's kind of my my goal right now, but yeah I mean.

F

I'll ask you guys, even though they don't agree with most of the things, what we are saying, but you know it is what it is.

D

I guess andy: it's 4 15! You can have a beer. Oh.

B

D

B

uh It's it's a local brewery, so it hasn't traveled far, I'm thinking of the planets at all times.

B

K

B

I mean this week, so I apologize because I've stolen the 15 minutes from everybody. um The last.

F

B

Wonder is, um uh I would have by default, sent this to maya at github, but she is no longer there has this gone into anybody at microsoft or github, who will have opinions.

D

I guess, if they're on the cncf mailing list.

B

Oh, that's true: it went to the technical oversight committee. Didn't it hit that.

F

B

Well, maybe that's one for john, I'm sure he's got machinations and has delivered shared with uh some open ups. As of guys also like perfect.

L

D

I do I do. I am surprised at how few comments we've gotten on that, though,.

B

D

B

Know it's it's a huge.

D

Document, I think it's potentially.

B

D

I told people I was like, even if you just pick one section just pick a section, I don't care just pick a section and don't.

B

Do any more than that yeah you're going to make her all day! Sorry yeah.

D

And, and is that, like a is that maybe something I mean yet again, that could be something the blog post tackles, uh but I I too kind of see the same thing andy, where I'd be like. If somebody gave me 52 pages.

D

I'd probably also be like. Well, I better really care about software supply chains.

F

D

Not reading 52 pages of this on my own, but that said that's why maybe a condensed recommendation list would be good um and even then for for the cncf. Maybe there needs to be a stronger, please. You know spend some time reading this and figuring it out, but.

I

Should we, uh I know it went out on the mailing list, should we just drop the link into some slack channels.

J

B

I wonder if it's part of that presentation, we can say uh we're looking for reviews on the build chain, the recommendations, code site and maybe people will just focus into a part that piques their interest.

D

Yeah that would be that'd, be just picking hey, you know. uh Every single developer could learn something from reading the securing the source code. I mean. That's, that's the one I'm gonna go with in terms of being like hey here. You go, um don't worry about the securing materials piece, but the yeah. I I think that's the way to do it, make it more approachable. It also sounds less like you know, if you say tell people to just read it. That's not actionable or really interesting. Read this whole document.

D

uh You know, but if you say hey, can you tell me whether or not you agree about the recommendations for securing source code or securing materials? That's much more actionable and much more like okay,.

D

Yeah anybody anybody who wants to uh to share- I I did reach out to emily to make sure that was okay, it's not internal at all, so cool! We'll! Try to do that! Andy, maybe maybe a certain uh employer uh we can. We can put it in front of people from that employer if they they have time on fridays, to do.

C

B

um Yeah, I I'll uh yes, yes, of course,.

D

Cool awesome: well that looks seven minutes. Seven minutes back in your life.

B

Excellent much.

D

Appreciated thanks thanks, andy have a good.

B

D

Of your day have a great weekend cheers.

B

Have a great weekend yourselves thanks, bye.