From YouTube: CNCF Supply Chain Security 2021-04-16

B: Oh, it's all right, I'm just bemoaning the loss of a day. You know, just, just one of those. I'm, I'm.

B: In the UK we're right now ages 45 and above, not too old, under the bus, because, of course, fresh and useful.

B: It's been graded, going down from, so that all, all high vulnerability, high vulnerability, it's not a threat assessment. All highly vulnerable people have been vaccinated, ages 18 and above, and then they just worked it down: care home workers, public, I'd say public servants, public facing.

B: I don't know, one of my friends, well, a guy called Eric Johnson at SANS, who is in Iowa, said: oh, they basically had no visibility of this when I was talking to him about this the other day. But we've had this, like, almost a vaccine war going on with, like, UK, European Union, and it's just been so uncouth, I think it's a gentle way of putting it.
D: Yeah, okay, great. Do we just want to go from the top down? Is there any particular? I know, I know Cole brought up the whole, there's a new commenter two days ago who had a bunch of controversial stuff, but if people don't respond. For instance, you know, Alex here brought up the whole, like, conflating of zero trust. I'm not personally, I don't, I don't want to. I don't think this is a decent suggestion. That's my thing here. Can I just end it?

D: Sorry, sorry Alex, all right.

D: Bingo, yeah. Let's, let's get names to things. I think the point we want to get across for trust: we need data that can be us.

D: Okay, I'll hold on to that. What do you think about this? I keep seeing it. I think it's a, it's a "add references to hardening techniques."

D: Let's look. Let's go to the appendix. Let's see, prayer, appendix, containers.

D: It does not look like it. I will make a comment and reach out to Mike. Okay, that.

B: Yes, yeah, let's resolve by next week, I guess. Seven days.

D: All right, cool. Next, Alex, looks like, okay, personally identifying, oh yeah, okay, so.

D: I don't believe we do. Try and message him.
F: We secure authentication, that it's not just limited to mutual authentication. I believe we want people to avoid a weak authentication, right? So there are several weak authentications in a book, user and service authentication spectrum. I mean, mTLS is a kind of a secure authentication, but it's not necessarily the best authentication mechanism out there, right? So.

H: So, so the reason why I, I'm, I want to stick mutual authentication in is because there are still a lot of organizations that have, like, they do authentication, but they do not do mutual authentication. Sure, and if we don't call that out, as mutual authentication being, and being encompassed within a secure authentication practice, they're going to continue to get away with it. I mean, they are anyways, unless they read the paper. But if there's a way that we can just slightly tweak that to.

F: Family, the following authentications we are discussing later, right? So one is a SSH and another is a token based authentication, so they don't have to mutually authenticate. That is a challenge that, like, a client doesn't have to authenticate the server there, or, you know, in most of the cases the server is authenticating the client only, so that will be the challenge we might have, like. If you will put a mutual authentication, the following authentications, you know, we might have to rewrite those things, right? So that's my thought.
B: It is SSH, it is the idea of mutual stage authentication, the acceptance of the, the ID that the auth, think that the fingerprint of the server you're connecting to, and is, is using TLS to authenticate, with a token saying that we've authenticated the server, because we verified the TLS certificate. Is that the level we're thinking, Emily?

B: I think the thing that just made it clear for me, Emily, is when you said "specifically in the supply chain," and then I've looked at the sentence and it has the final clause being "the supply chain." Maybe if we just refactor it: "for any stage of the supply chain, users and software entities should be required to mutually authenticate."

D: Which I would just go to the cheat route and just take out "user and software" and just say "entities." But I also, I kind of agree with you, Alex, that in an introduction, who cares? We're not.

D: For interacting on this is you should mutually? I thought I could throw your days prior to interaction.

H: Can we link back to that footnote 17 here, just to make it a little bit more explicit?

D: You do it, yeah. Way you guys can move on, but I'm going to go ahead and end this. I think adding the footnote more than helps. Sound good?

D: What do you, yeah, just cleared out. Alex added.

F: I think we should change that sentence on this page, right? Can you scroll up? Just reach out where.
D: Okay, we have this midi that was just recently reopened three days ago. Okay, so it was resolved. Wow, he, he did not like that. I didn't read it that way. No need to reopen. Okay, closing again.

H: There were suggested changes. Are we accepting them?

I: Because I think that's exactly what Alexander Barbados says in the comments below, actually.

B: It, it's the implication that it's, admittedly, less secure option to frequently rotate access tokens. I think "less secure" is loaded, because that's comparing TLS to SSH. They both share some of the same ciphers anyway, and the access tokens can be scoped differently. So I think it's so, so complex and people can argue from both sides. Maybe another.

D: Well, Neanderthal, Neanderthals used to use "frequently rotated access tokens option over varying."

D: "Varying security concerns is frequently rotated access." We sound, so that's such a euphemism.

F: Are addressing that in the next section, where use of short-lived credentials, so we call them personal access tokens, yeah.

B: Do you think this wording should only be used, should stay, or should change? Finland.

D: "Vendors should be required," not a reasonable ask at present for moderate risk categories. My, I thought John did this. John, yeah, John split this out. So this is actually.

B: I do wonder about that one. Justin is one of our, one of the two sign-off people on this, okay, and, and he's, I mean, just in case people don't know him, he's the CTO of Docker and I, probably has a reasonable view on this. I, I don't know how we can actually enforce vendors to, to do this and.
C: Graphics, there's.

D: Yeah, that's so annoying that it pulls your, your personal contacts rather than all the people who've been part of this document. Sorry, I will, yeah, that's also not working.

H: So I will, I will work on grouping, or making identifying groups for each of the things.

B: This section calls me some sort of contact, cognitive dissonance, because it's really focused on loading VMs, and what this whole comment breaks down into is VMs versus.

D: Yeah, to Blake's main concern here.

D: That's the whole, yeah, clearly in practice not easy to do, not likely to happen, but the idea is that this is what we recommend for the most secure environments, right? Here we go. Let's, if we're not going to aggressively answer this one, I do kind of want to bring Blake back into this.

D: And then let's move on to the next, Robert Van Voorhees. Yeah, what do you, I yet again brought him up here. Do we really need to expand on OpenSCAP?

D: I just, I just, we don't, we don't do that for any of the other tools, really. We don't go into what GitLab is, we don't, you know? Why would we do it for some tools and not others? The idea was that this is a tool that, that satisfies the need. Here it is, here's, here's the name of it. Should, do you think, so I, I should give him a couple more days. It's been four days, he's gotten the email.

D: Yeah, we don't, I don't see us needing. All right, Justin, "citation needed." He thinks it's Wikipedia.

B: There is some evidence of this in, in Platform One, again, in, in the Iron Bank containers. I, I can, I'll respond to him there. Okay.

D: Piece of water, but you're, "recording hashes over any remote data for verification during the build process should be done, pinning specific versions." It's right there. I don't think we need to update the. I don't think we need to change the heading. I think that, that's, that's ridiculous. Updated vital bugs, blah blah blah, yeah. I, I, I'm, does anybody else think we don't address pinning? Yeah. I think it's good, good, done. Sorry, Cole! I don't think we need to update the heading. It doesn't make any sense.
D: All right, we're back to Justin Cormack. "I don't like this term." Oh, I'm kind of with them. Functionaries, what does that mean?

B: In context, I, I think "functionaries" is unique to in-toto, and frankly causes people, like, people saying, cognitively.

D: I'm kind of with Justin on that, that I don't know, it's my enzo to.

D: I already went to Mike. I'm going to keep that in there because it is supposed to be a placeholder. Emily thinks that needs to be expanded, as of nearly.

B: This has become a little bit of a vendor shoot-off, hasn't it? Oh really, yeah, you can just, it didn't look like this when it began, and perhaps unsurprising, I think unavoidable.

B: Good point, yeah. I'm in there, they're not actually aligned, though, and notice.

D: I mean, just in general, somebody needs some fancier tables here, but should we assign somebody to, to, to, to look at this and make sure it's consistent and makes sense?

B: Are we going to need to form a committee? Urgent committee formation, yeah.

D: All right, I mean, and I'm gonna, I'm gonna ignore these for now. Who.

B: Just want to know, what's your email addresses? Oh, just at subliminal suv.

D: Oh yeah, no, no, but is that how it's? Yes? Okay, as long as it's spelled, and then vanad, sorry, vanada? What, okay, you're just vanata, oath, yeah, trick, yeah, lucky. All right! Let's do this comment!

D: Cool! Okay, I feel like this is, this is solid. We went through all the major comments about the actual meat and potatoes. Emily's got a little bit of work on the, the, the actual document, and then definitely something for what we just discussed here. Does anybody else have anything to bring up, or do we get 15 minutes back on our Friday?

D: So, like I said, right now it's still another week of comment. I think, Andy.
D: I, I, I like that Justin, Justin's really the first, and I mean, I guess there were a couple of others who, who gave kind of subjective comments, but I think we should look more for that at this point rather than the whole, you know, "you didn't explain this enough" or "you didn't." I would love to see: does this actually make sense? Are these consumable ideas? Are these concerns?

D: I really do feel like, with the way I, we should think about this is, like, for some of us it's ironic, because it very well could be your boss is working on this, but imagine that your boss stumbles upon this white paper, reads it, and is, like, you know, sends it to you and says: go do this at our, at your company. Like how many, how many, what the, that will never happen here? Would you have, yeah.

D: Yeah, exactly. I, I, I'll be honest, for a lot of this, you know, we all know what the reality of, of working somewhere that isn't even close to this transition looks like. How do you? How do you make that incremental step based upon that? And, and I do think that there needs to be a secondary piece of work. I think the strong.

I: That comment that's way up at the top, there's, there's some link that she has to another document, and I think that was intended to be the starting of either an implementation guide or series of blog posts or something, this.

B: Cool, I, I love it. The fox says.

D: Nice, yeah. I do, I just, I. I should review this because this.

D: This is how I'd want to ingest it. I know I'm, I'm lazy, I don't like words, so, okay. But yeah, other than that, Andy and Alex, I mean, do you see anything that we need to put our effort to? Thankfully I can't draw, so I can't do that graphic. I mean I, I think just getting a bigger audience is the, is the way that we're gonna make sure that we were on the right track here, but otherwise it is it.

D: A bunch of crusty DevOps people that I sent it to, after asking Emily, so I'm, I mean, I'm, I'm ready to get, get it torn apart. That's kind of my, my goal right now, but yeah, I mean.

B: Wonder is, I would have by default sent this to Maya at GitHub, but she is no longer there. Has this gone into anybody at Microsoft or GitHub who will have opinions?

D: And, and is that, like a, is that maybe something, I mean, yet again, that could be something the blog post tackles, but I, I too kind of see the same thing, Andy, where I'd be like, if somebody gave me 52 pages.

I: Should we, I know it went out on the mailing list, should we just drop the link into some Slack channels?

B: I wonder if, as part of that presentation, we can say we're looking for reviews on the build chain, the recommendations, code site, and maybe people will just focus into a part that piques their interest.

D: Yeah, that would be, that'd be just picking, hey, you know, every single developer could learn something from reading the "Securing the Source Code." I mean, that's, that's the one I'm gonna go with, in terms of being like, hey, here you go, don't worry about the "Securing Materials" piece, but the, yeah. I, I think that's the way to do it, make it more approachable. It also sounds less like, you know, if you say, tell people to just read it, that's not actionable or really interesting: "read this whole document."

D: You know, but if you say, hey, can you tell me whether or not you agree about the recommendations for securing source code or securing materials? That's much more actionable and much more like, okay.

D: Yeah, anybody, anybody who wants to, to share. I, I did reach out to Emily to make sure that was okay. It's not internal at all, so, cool! We'll, try to do that! Andy, maybe, maybe a certain employer we can, we can put it in front of people from that employer if they, they have time on Fridays to do.