From YouTube: CNCF SIG Security Supply Chain Security 2021-03-19
Description
CNCF SIG Security Supply Chain Security 2021-03-19
D: Yeah, so sorry, yeah, I didn't have a chance to go through all the documents recently, but we still have some areas which need some more content. Regarding this, okay, sorry, I think we have more content. Maybe I need to read the recent document, I'm not in a good state to comment now, so.

E: So I think the first thing that I would point to is: we have sort of a philosophical discussion about the executive summary and whether or not it should be in bullet list form or paragraph form. So if we have feelings about that and come to a decision, basically all of those changes can either be accepted or rejected, depending on which way we want to go with that.

E: I think that, I don't know, I don't have a strong feeling on this. I think that it's probably easier to read in a bullet form for someone who's interested in scanning this to get a summary of what the paper is about, but it is, but I don't know, I don't have strong opinions on this. I'm just sort of relaying the state of the field. I guess, gotcha.

F: Yeah, so I think we should decide that if we are writing it for C-level or executives in general, that people at C-level or director level, then I should. I think we should use more of a paragraph approach, right, a short executive summary which basically tells the problems that we are trying to address and basically just say.

F: Okay, if you read this paper, you will have some information about it, because basically the focus should be on what problem we are trying to address, and then we kind of say: okay, if you're more interested, go ahead, read the paper, right. If our audience is more technical in nature, like an administrator, like some sort of, I mean, you guys know what I'm talking about right there. There is a second tier, right, that is more technical in nature. If we are trying to address them, then we can.

F: I'm in favor of including bullet points. This is my past experience, but yeah. This is my observation. We have to target the audience and then focus on either the problem for executives and then solution kind of thing for the middle tier. If the intent for the paper is to focus on middle tier, right.
B: Perhaps they're going to be somewhat technical. I'm trying to think how would this arrive at the hands, or like the eyes for that matter, of an executive or the C-level suite? Would that be through someone in the organization passing it on to them as a package, part of like the approval of something? Or would these folks also possibly arrive at the document on their own.

G: I agree: I think that the target of the rest of the document seems to mostly be kind of engineers or people who would be making the technical decisions, so maybe something I said. I actually think that bullets would be okay, just to kind of give a really quick summary where you can skim through, see the parts that matter to you. But I could see the argument for paragraphs as well. I don't have a strong preference, but I do like the idea of bullets as a summary.

E: No, right now, the, so it was originally written in bullet point form and then, and I think that the two people who I think have the strongest feelings about this are both not on the call, but Emily created a suggested version of it that incorporates all that same material into a paragraph form, and then her suggested deletion of the bullets.

E: Okay, yeah: I think that Emily's suggestions in the paragraphs are essentially rephrasing and duplicating what's in the bullet points, it's in a slightly shorter form. There may be slightly more. The bullet points may spell things out a little bit more, but it's, yeah, they're pretty much duplicative of each other.

B: Okay, yeah, my usual problem with anything written is that there's typically just many words to it, even if it's a white paper. I like the bullet points, whichever, like you can vote, it feels like the team is inclining towards the bullet points. I wouldn't discard the other content. I would put it into an abstract that links to this document or something, or a little teaser, so.

E: So I'll put a thread in Slack and we can all chime in and vote, and then we can clear those suggestions out based on that, sound good. That's perfect!
B: Yep, thanks for bringing this one up. Michael, what's up, how are you, all right, cool, where's your mind at regarding the paper.

H: It's hard for me to really gauge. This is my first sort of white paper I've participated in, so looking at it, you know, I think, like last I read it, this was around, I guess Sunday, around Sunday. I mean, largely, I think we have a lot of the content. I think the things are mostly just like, the things from my perspective are just a handful of, you know.

H: Oh, this content's still good, but maybe it belongs in a different spot, that's really about it, but I think in general the content seems good. The general flow of it seems good. I just think that in certain cases it can be a little, it's, I found that it was a little confusing, and this is just more of a general thing, not any specific examples, but like, hey, does it make sense to kind of provide this recommendation here or somewhere else? That was about it.

B: Yeah, yeah, okay, yeah, and feel free wherever you have an opinion to do that, like we still have time to do that. We're trying to almost get over the finish line, but like after that point, and printing something out or post-editing, it's harder. So right now we still have time and, well, hopefully things are meeting your expectations regarding like what you had in mind when you came in at it.

G: How are you, I'm good, yeah. I didn't have a chance to go over the full document this past week, but I think that some of the sections near the end still have, I think, more comments and stuff than stuff near the beginning that, you know, at some point we should go through, but I think overall the content is mostly in place, as everyone else has said. It's kind of a matter of making it flow correctly.

B: Yeah, go with a fine-tooth comb, perhaps, makes complete sense. Emily made the suggestion of having three people focus like their undivided attention on making sure of that flow and like a consistent narrative voice. If there are questions that are left behind or comments that are left behind, that's also a good opportunity, like people taking that task to go through those. So if the team is a little bit blocked or unclear on how to answer something, we can leave it for those folks to make a determination.

B: If you have interest in taking up that, hoping to go at it. I don't want to, like, well.
A: Yeah, so I filled in appendix one for containers. I think Faisal is the only one that gave feedback in that area, and I think Mike Ensor also needs to give feedback and.

A: Andy Martin as well, but I haven't heard from those folks. The content is more or less in place, probably need to make it flow. As usual, there may be some.

A: There may be some pushback against some of the recommendations that I have in there. So I would encourage folks to take a look. One more question I have about the document. Is there a way to refer to other areas in the document, like internal links? Do we have that.

B: We should have the ability to hyperlink sections, so let me go ahead and add a table of contents in the meantime that can give us some of the hyperlinks, and we reuse that throughout the document. The CNCF team doing the post-edit would make sure that whatever format, PDF or HTML, that those links were followed, but they would need to know what we want linked. So yeah, thanks for bringing that up. On the appendix on containers, what kind of feedback are you looking for.

A: Sorry about that. The feedback, just in general, whether folks agree or disagree with the recommendations. I, over my experience with talking to folks about this, there are some people who feel like it's going too far, or, you know, there are places where nobody, people say that this isn't an issue.

B: Want to spend like 5-10 minutes doing like a group readout of this, or do we want to go on through the list? What do folks want to do? Does anyone feel strongly about this, or we want Nisha to put it in the chat and we go back and revisit the section, make sure that, yeah, if, as you say, like you want a thumbs up from people, or you want, like, perhaps other recommendations be included, or perhaps if a recommendation is too strong, perhaps generalize.
A: It may be easier, maybe the place with the most contention is the multi-stage Docker builds, because there's recommendations online that say to leverage multi-stage Docker builds, and I've said if you're going to use multi-stage Docker builds, be careful and propagate.

A: Now the thing with buildpacks is that the build pipeline itself is managed by several suppliers, and each of those suppliers may be doing different types of auditing on their, you know, build pipeline and the final buildpacks that they deliver, so that is going to be a harder thing to give recommendations on. I would expect that the folks, the suppliers of the buildpacks, would follow the build worker recommendations.

A: No, my understanding is that, because Dockerfile is a leaky abstraction, it is very difficult to update a Docker.

A: Container image built out of a Dockerfile, or it's difficult to, you know, keep track of what exactly happened and.

A: Think, like the thing about buildpacks is that because of the buildpacks specification, it is easy to like rebase or update the lower level dependencies if there happens to be an updated buildpack, but again the update, it requires that you trust the whole build pipeline, including all of the build pipelines that other suppliers are providing. Not sure what the auditing aspect of it is. Perhaps I can put some information about it if one were to use that framework to create buildpacks.

A: Yeah, it's very difficult for an end user to glean any information about the supply chain in any of these situations. So really.

A: So it's especially hard for the Cloud Native Buildpacks folks to provide that information as well. That said, they're making improvements in the way they report these kinds of metadata and auditing the pipelines.

B: Makes sense, well, and in general there's great technology, but it's so hard to operationalize and consume, and that's a big thing of the paper, right, like are we meeting people where they're at, like what can they make the most out of their existing infrastructure? Tooling versus steer them to use like new breakthrough technologies that are not quite fully, like, productionized or quite fully, like, made easy for large enterprises, and people would not have a lot of technical jobs. Cool, I'll pause there. Let's put this one.
A: Yeah, I think that's all, it's fleshed out over there. They do mention SBOM format, CycloneDX and SPDX.

A: So, specifically with regards to containers and SBOMs, is there something you're looking for over there.

D: No, I mean there was a recommendation in the end, like saying that, you know, SPDX 3 may include and everything like that, but from my understanding, SPDX 3 is not available yet, so I don't know who exactly wrote or suggested that, so I don't know if we should include something which is not available now, or is that something you have added, or is it someone else? Do you know that, remember.

A: Working on it, and actually I don't really know when it's going to be available, but that's a good point that we shouldn't really put something in the document that isn't available. So I can correct that, yeah.

B: Okay, now see, call and Magnum the call, who I hadn't seen before, but going through the previous list. Aditya, how are you, what's going on? Oh.

I: Pretty good, so I didn't get a lot of chance to look at the document as a whole. I was kind of combing through it. I did leave a couple of comments now about some of the pipeline stuff, but I think they're minor things, and I think Marina also mentioned that the end of the document still needs a little bit. It still has a bunch of things that need to be resolved, but I think we get to that, but yeah, I think overall it's looking pretty good. The content makes sense.

J: Yeah, I just, you know, I'm joining today. It's been a busy week for me, so I haven't had a chance to go through the document again this week. I should have some time this weekend and then Monday and Tuesday to go through and help out where I can. Weather's improving, I'd expect you to.

J: Pretty soon, man, it's warming up. We gotta get rid of this rain, another 10 degrees and I'll be good. Nice.

K: Hi, yeah, I'm just listening. I need to go back to the document and read through it again. It's been a while. Also, I know that I had a few sections under my name, so I'll just check if someone had picked up those, if not then I'll work on it this weekend.
B: If folks could chime in there, that would be really good, so we can get over that one and we know which way to go. Next up would be, well, let's try to go through outstanding documents. We can do that. I can share my screen and we can work through this bottom up, or we can divide and conquer ahead of that, if you feel you have a particular inclination or feel very energized around tying this up start to finish.

L: Yeah, I probably have blinders, okay, I, not to say Alex, Alex is like, I just volunteered, retrieve way to throw that in the trash, like I, I'm good. If it's us initially, I do think it would be good to have outsiders as well read it, just to see, I mean, I think. Actually, if we start today, just identifying three people, and I'll gladly stand up to be one of those reviewers. I don't.

L: I don't mind that at all and just read it from top to bottom and give some, like, make sure that it's sensible. I'm down for that, but I think we should, in addition, have people outside read it totally and.

B: Else in mind, feel free to also share with them.

B: Okay, fantastic, yeah, and like if you're taking this up, like really look for like that consistent, like, narrative, like that one voice, make sure that, like, expressions, jargon, tone, et cetera. Marina, I've heard from you some things that made me think you'd want to take up and be part of that. I don't want to like throw you at it, but yeah.

B: Awesome, and if there's any others, do not feel any restraint, we don't need to cap this at 3. 3 is a good working number, but feel free to reach out to these folks if you want to assist with that as well. Awesome, so we can check mark that one. What else.
B: We are, so first off, before locking it to these three people, I think we're gonna need to push out the schedule for a week, because there's plenty of comments. There's your appendix one and there's some other things here and there that are not quite there, like to Michael's point, and like reshuffling of things before, like, the team of three do their run through. Let's see, one.

A: Perhaps I need to do that because some of the stuff is in bullet points, like containers as build workers and build scripts that use containers, yeah. You know what, how about I do that, like we can leave appendix one and then I'll work on it some more and maybe come back next week and take a look at it.

A: So I would like the folks who created the build workers stuff to take a look at containers as build workers. Other than that, I think I'm pretty okay with it. Mike Ensor expressed interest in looking at these recommendations, but yeah, maybe he'll get to it, you know, much later, so. Okay.

A: I actually, I should actually address Faisal's comment here. So Faisal asked whether we should include example Dockerfiles that follow these. What's the group's.

A: I don't think any open source GitHub projects follow any of these recommendations.

D: No, I was recommending more like create a personal project in the game, we can't guarantee if they change something in the future, right, so maybe, Nisha, you can have an example project or something like that and then put that reference link. So you have a guarantee that you are not going to change anything, right, so.

L: Was there, wasn't there an effort, Vanada, to do exactly that as part of this white paper, to have something that we can point to as being like, this takes our white paper and applies the practices that we recommend? Is that, it was, I do seem to recall. I don't know if that effort got lost or if it's, you know, I remember we talked about it at least.
B: It's a great idea: we can host it in the SIG Security repo and make it like either companion references or something like that, right. The challenge is like, we all want, like, we all think it's great. The challenge is like getting someone to commit to do it and produce it, and have someone else review it.

A: Yeah, we have, like, internal to the company, we have examples, and that's okay, because, you know, we know what our pipeline looks like, we can be able to, you know, provide examples. But if you were to put something out there in the public, I don't really know how that information is going to be used or abused, and I don't want to take responsibility for that.

L: I had a bent on this a couple of, like, actually when I first started getting involved here. It happened to correlate with a time where I hadn't visited Flask in like years, and I wanted to see what the 2021 way of doing Flask development worked, and I was like, oh, maybe I can use this. It's just a simple CRUD app, there's nothing special about it, and I was like, maybe I can use this to show off those pipeline pieces, the actual software supply chain.

L: You know, features that I don't get to work with normally, you know, I could just, I could take off, you, I'd use cookiecutter, already is containerized. The entire thing is very straightforward. It doesn't matter what the app does. We don't even have to, the functionality doesn't matter. It's really: are we doing the proper things of the pipeline, that, you know, the cookiecutter comes with all unit testing? What I think would be adding would be the container-specific.

L: You know, security, like signing the, and then going through and like showing the different configurations for working in GitHub, and I hate providing screenshots as documentation of that. Unfortunately, when we're talking about project-level things like this, how else would you demonstrate it unless you give somebody access to the project, which we're not going to do for everybody who reads the paper, so, and maybe this is a secondary blog post or something that comes out later.
B: Make it a stretch goal if anyone has time, like scrub, like sanitize something out and share it, be it a screenshot or an actual template, would be awesome. I'll try to get something. You're the man. Thank you. Nisha, how are you feeling, do you have other open questions before we move further up.

D: Can I resolve my comments, I mean I will have to edit it, right, so yeah, so the one I was discussing with Nisha about, that's SPDX, right, so I put it as a comment. Maybe I will go and edit it instead of leaving it as a comment.

L: Sorry, with the, you're, let me just make sure, Andres, I'm getting your request here. We do want to have an example with SPDX as the actual, like, display format, so that we have something to refer to. Is that the question, Andres.

D: No, no, no, sorry, I think it's before you joined. So there was a couple of lines there referring about SPDX 3, which is not ready yet, like. So it is kind of recommending SPDX over CycloneDX, saying that SPDX 3 in future will have something like this, so I discussed with Nisha and she agreed that we can remove it because it's not the current state of SPDX. So that's what I was saying.

L: Yeah, so that gets to the question of, like, do we recommend, you know, it's just like linking to a GitHub project at that point, if we specify a particular version or tool to go with, because it dates us real fast, right, yeah, whereas the whole idea that we're trying to get across is to use the general concept and then, as of 2021 today, you know, SPDX 3 is a good example of, you know, where you should strive to be.

D: Not really, Richard, so SPDX 3 as a standard is not released yet, and right, they don't have plans to release anything soon. So I think that is a reason, like, you know, it's better to remove a particular line. It's just recommending one over another, saying that in future it might happen, but we are not sure it is going to happen in the future standard. So I think we shouldn't do that, right, like, unless it is.

B: Question, yeah, that's what I was trying to hint at with, be not talking about SPDX and like thinking, well, what artifacts, if any, and what formats. It's one thing to show a sample config of a Dockerfile or a template of a Dockerfile. But an SPDX is more something you can actually export, share, publish, and we can do like, we don't need to like go, like, end-to-end as a scenario for the paper. But, like, maybe people don't know what an SPDX file is, we're like, yeah.
L: It might. Do we have any actual artifacts as part of this paper where it shows just even an idea? I don't see any in the document, but I don't know if there are some referenced where it's like, this is what that SBOM looks like, this is what, you know, just even looking at the configuration settings. I mean, yet again, I don't want this to be screenshot documentation style, but it does help to paint the picture a little bit about what you would expect to see.

D: So we have hyperlinked both SPDX and CycloneDX in the footer, right. So, but, you know, those standards have both optional and mandatory things, right, in the spec, right. So it is very difficult to, you know, put one form or another like that. That's my thought, like maybe, you know, we just direct the reader to go and read the spec and understand what is in the spec.

L: No, sorry, I ended up, I got distracted by another. That was my question mark face, an email came across, I'm sorry, Andres.

D: My thoughts around that, right, like we are betting on something we don't control and we can't guarantee, right. We don't know if Notary v2 will come out or SPDX 3 will come out, right, like there are risks related to that. I don't know if you should, like, you know, come something direct somebody saying that, watch out this, but, you know, yeah. If there is some level of assurance.

E: I think it's fine to put in more, for, I mean, I think we are already mentioning a lot of current projects and standards, like, you know, in-toto and Notary and TUF, and, you know, and where, you know, those things are going to change too, as the paper evolves and as time goes by.

E: So I don't know, I think it's fine to, I mean, if anything, I think, if, you know, if we're saying we're looking for, you know, keep an eye out for this project to come out with this new feature, set of features. If anything, that may provide a little extra push behind some of those projects, I would think.
B: Yeah, totally. One thing I'm particularly energized about, that I don't feel that I can actually write about because I don't know any implementation for it, but is the use of enclaves or virtual secure enclaves, so signing keys never leave the machine, and do like secure multi-party computation of things and have like any signature threshold you want, but, and like the different building blocks exist, like you have TEEs, you have VSE that you could.

D: And also, we need to consider that in a different kind of, like, I mean, if you guys notice the recent Sigstore, right, like they have an approach without even focusing on the long-lived private keys, right, like they just use short-lived tokens and they're signing stuff and binding the signature to an identity of a developer, or something like that. So, you know, there can be different methods and different ways to do the stuff, like, yeah.

B: Totally, yeah, and like with Sigstore, I think you could like really enhance that with multi-party computation, like no one really has the keys because, like, what Sigstore places in trust is like proof of you having your email, and hopefully they build, like, an auth to Google auth so that you can have MFA. But if someone has your email, I'm like, well, it's a public ledger.

B: Cool, so I'm rambling, we have five minutes to go. I will push out the schedule for a week, though, while we haven't kicked off the, like, Richard, Alex, Marina, going end to end, start familiarizing with, like, the bulk of the content, as you might have been peeking into particular sections.

D: Yeah, so I have a thought on restricting the editing capability at this stage, like I think we shouldn't allow some random anonymous people to come and edit it, right, like. I think we are almost near to the completion phase. Maybe, I don't know. I think I should also discuss with John, because I think he's the author of the document, right, like currently anyone with the link can edit.

D: Maybe we can restrict at this point, like, to the working group members only, and if someone wants to have any access, they can request the access or something, I don't know, or, you know, maybe we can leave the comment and other things as for everybody with the link, but just editing, it is very difficult to, you know, track who actually edited stuff and to find out all the details, or at least for me. I don't know Google Docs that well, so yeah.
L: I'm not, when I talk about getting external folks to do this, I'm not saying they'd come in and put comments in our Google Doc. In fact, I would actually export a PDF and be like, hey, read this and tell me: does it make sense to you? Are you offended, like, give me your, you know, instant feedback. I'm not! I don't want. We can't do editing by committee. It is a public document now, anybody.

L: I could just pass the link to anybody and then come in there and comment, but I mean, no, that's not, when I say have somebody external read it, it wouldn't be find the grammar issues. It'd be: does this have, you know, cohesive vision? You know, I would want to do my initial review first, too. I think, if I see massive, you know, if I feel confused by it, clearly I'm not going to go and try to get somebody else to try to sift through it.

D: Yeah, yeah, thanks, sorry, sorry to interrupt. I think I didn't explain what I want to say clearly, like the current permission of the document, right, if anyone with the link can go and add themselves as an editor and they can edit the document, right, like, so that means anyone can come and join it, make it very difficult to keep track of who edited, and anonymous edits and things like, there are so many problems like that.

D: Yeah, I mean, there can even be people who just find this link randomly. You know, I mean, they might be expecting that this is the initial stage of the document and they may come and add a whole bunch of things, like a hundred pages or something like that, like that's what I was trying to avoid. Maybe we need to make sure that they will come through the Slack channels and meetings, or at least they will have some context before going and jumping into editing, right, like, so.

B: We, you can make the recommendation to Jonathan. I don't know if I have ownership of the doc to, like, change the sharing rights, yeah, I don't, so, and it's already late in the UK. I doubt we're gonna grab him before Monday, though he might check Slack, so yeah, feel free to address that with him. I wouldn't tighten it too much. This is like an open collaborative knowledge production thing, but I hear what you're, oh.
D: So, John, we were talking about the permission of the document at this stage. Right, like I was proposing, should we leave it like edit for anyone with the access link at this point of this document, because, you know, even someone might find this link somewhere online or in their chat, and they may be thinking that it might be the initial state of the document and come and add a whole bunch of things. Maybe we can add all the working group members as default editors.

O: How have people seen this working in the past at this particular stage.

B: It was pretty kept under wraps, so like those who didn't know that the work was going on didn't know where to find the link, right, and I think our echo chamber of SIG Security is the extent that folks know about this. We haven't necessarily publicly advertised about it. I think the concern comes from, we suggested running it by.

B: Final readers and getting their input, I think there's value in that. At the same time, well, authors might want to protect, like, the integrity of their content and not have someone with no context or familiarity come and, like, scratch the text apart, right, or if they do so, like, we want to have version control, understand why they did it. Why is it? What is it that they're suggesting, but I think, like, to V naught's point, like we can just sit.

B: There are a few outstanding sections that still require work. That means pushing out the schedule a week, particularly the appendix on containers. Glossary isn't complete, content needs to be shuffled around.

B: We did get three people to sign up, Marina, Richard and Alex, to give it the start-to-finish comb and, like, give it a consistent voice.

O: There you go, there you go! Okay! Apologies for that! That's a little unfortunate! Well! The good news is I've got another hour with a couple of the team to continue on. I guess I'm sorry, and so let me change the contribution thing. So that's fair enough, but how did you get on over the last hour.

E: Alex, we, I think we've done well. I started a poll in the Slack channel on whether to go bullet points or paragraphs for the executive summary, so feel free to chime in there, and that will resolve basically all of those suggestions and comments in the executive summary in one fell swoop, once we make a decision on that.

O: There's still quite a lot of comments in the doc. One of the things we were going to do was go, or I was going to do, is go through from sort of midway down and start finishing them off or accepting, rejecting, kind of en masse.
B
Right
and
we're
we're
each
going
to
try
to
tackle
a
few
of
those,
ideally
five,
each
to
divide
and
conquer
and
like
don't
leave
it
all
on
you
or.
M
O
Yeah,
I
think
there
was
a
couple
where
last
week
we
were
talking
about
actually
adding
data
to
the
appendix,
and
one
of
the
things
that
we'd
suggested
was
look,
there's
a
fairly
significant
chunk
of
additional
content.
O
You
want
to
write
okay,
let's
sort
of
update
that
document
appropriately,
but
if
you
want
to
take
it
and
add
that
that
it
massive
additional
content,
take
it
to
an
appendix,
and
if
you
get
that
in
time
great,
if
you
don't,
then
you
know
it's
perhaps
for
an
additional
virgin
or
a
reference
to
it
to
an
external
document
so
that
you
don't
end
up
rewriting
half
the
document
right
in
the
middle
of
it.
At
this
point,.
B
Yeah, one other thing that came up is: we talked initially about providing resources and references to config files and manifests along with appendix one, that is, on containers. It talks about Dockerfiles. We had a discussion of whether buildpacks should fit in there. There's some contention around, well, how effectively can you achieve reproducible results across multi-stage builds with either of these things?
B
There's that part, but then the other part is: should we be providing a Dockerfile here? Should we provide an SPDX file to show what an actual BOM is and provide, like, the look and feel for it? He's going to try to do that, best effort. It is a stretch assignment. We could create a repo under cncf/security for, like, companion material to the white paper, but yeah, we did mark it as, like...
B
Hey, we don't need to get to this, like, it'll be really nice to have. Yeah, right.
O
Fair enough. I was just reading also through Emily's suggestions on the single-voice narrative. Was that discussed, about getting a couple of volunteers to go through, yeah? Have we identified those volunteers, or...?
O
Okay, cool. I guess it's already over time, right, so I'm gonna go through the back end of the document and probably reach out to a couple of the other guys as well, and usefully use the rest of that hour and update calendars and such.
B
Okay, yeah. Overall, everyone expressed feeling content with the state of things, like, people are happy. Content and not content... let me be clear on the English: English is my second language, full disclosure.
O
I think we have a huge amount of good detail in here. It just needs a chunk of polishing, I think, and editing, and I think we'll get there, so yeah.
B
Okay, cool. Between reshuffling and, yeah, one or two passes going through, that will get us there, yep. We've got the substance, which you don't want... a super fluffy white paper with zero technical substance to it.
K
I don't know, I think, yeah, we'll have to figure it out. I think we have some scenarios on supply chain already that Andrew wrote, but yeah, we can think about it so that we can promote that as well during the CTF. Cool.
G
Yeah, I think it's just a different format really, but I think that, content-wise, it would be good. It's just the structure and format and all those things that are different. Different styles.
O
No, it's all good, it's all good, because quite a few of us were stuck on another call, actually, which was about similar sorts of topics, so we should have an hour to focus on this, which is quite decent, and I think a couple of people have actually reached out to me to say, again, over the weekend they're going to be focusing on it, which is reasonable.
O
So I think we've got a lot of good content in there. I do think it needs some pretty heavy editing, so we'll definitely shoot through that. So that's reasonable.
B
Yeah, one thing I had hoped to see more of being incorporated is nascent and emerging technologies, but it seems the consensus was, like, well, let's talk about tried and proven, and what's either openly available or commercially available. Like, we talked about virtual secure enclaves and using multi-party computation for signature thresholds and all those things, even talking about SPDX v3, Notary v2. But we...
O
We did discuss that right at one of the early stages, and I think one of the things that we started to split out was: look, we can go into the future state, right, but then it gets into more of a debate and more of a sort of an awareness campaign about some of the new technologies that are coming online, which would be good to do, right, and especially if we identify gaps in the current infrastructure.
O
But I think one of the benefits of doing a paper like this is that, look, there isn't anywhere else where it actually strings together that level of advice and guidance that gives you that real, clear recommendation of what to do just today, right. And I think that was, you know, a lot of us thought that, look, at least if we can focus on what we're trying to do today, or what's capable of being done, just sort of on the edge, perhaps a little bit close to some new functionality, but not bleeding edge.
B
Roadmaps and availabilities of things, yeah, but maybe there's, like, an addendum. I can try to take a step at that, saying, hey, at the time of this writing there are proposals, right, there are RFCs, there's, like, the OCI spec that was written six years ago, and a lot of those capabilities haven't been realized or quite manifested. But these are the things to watch over time. Not an exclusive list, there are many more, but from our vantage point in CNCF, these are the projects that we track.
O
I think that's reasonable, right. I mean, yeah, I think fair enough, as long as, you know, we caveat that with "at the moment" and dot dot dot, right. But I think that could be good to sort of seed some of those conversations, but I think that's definitely one that we're going to start opening up a lot of debate about how we could put this stuff together.
O
Yeah, exactly. Well, we're still going to be tackling this for a while, right. So it's a good start. All right, excellent, cool, all right! Well, thanks! Thanks for chairing the call and going through it. I'll watch the video and spend some time with a couple of guys getting together, and we'll go through the doc today. Fantastic.