►
From YouTube: CNCF SIG Security Supply Chain Security 2021-04-30
Description
CNCF SIG Security Supply Chain Security 2021-04-30
C
B
B
C
A
C
Usually
like
the
most
controlled,
you
can
use
it
as
an
independent
verification
tool
to
be
like
hey
or
at
least
within,
like
defense
systems.
You
have
this
team
that
produces
a
golden
image,
and
then
you
have
another
team
that
goes
through
a
similar
process
and
creates
a
deliverable
packaged
good,
and
then
you
compare
the
two
of
them,
so
any
deviations
from
that
from
the
packaged
good
that
are
different
than
the
golden
image
are
problematic.
C
So
it's
like
that
usually
like
when
I
hear
the
term
golden
image.
I
think
of
it's
this
thing
that
sits
on
a
pedestal
and
like
the
angel,
choirs
sing
and
there's
light
coming
down
from
the
heavens
on
it,
and
it's
like
you,
don't
touch
it.
The
problem
is:
is
that
a
lot
of
instances
where
golden
images
occur
as
the
source
of
truth?
They
often
go
unmaintained
so
like
once
an
organization
produces
this.
They
never
update
it,
because
it's
good,
we
don't
touch
it
and
that's
a
cultural
change.
C
I
get
his
concern.
I
think
it's
a
valid
concern,
because
it's
it's
very
overloaded.
I
try
to
avoid
golden
image
whenever
I
can,
because
there's
just
a
bad
history
there.
So
if
we
want
to
call
it
genesis
image
if
we
want
to
call
it
base
builder
image-
maybe
that's
maybe
that's
more
explicit
and
clear.
B
B
A
C
We're
genuinely
not
talking
about
a
golden
image
and
it's
traditional
sense
we're
talking
about
the
base
image
in
that
this
is
the
thing
that
is
not
part
of
your
software
product.
It's
not
part
of
the
end
result
of
what's
being
built.
It
is
an
ephemeral
object
that
is
spun
up,
serves
its
purpose
and
disappears.
B
B
C
C
C
C
C
H
F
C
B
F
C
B
B
B
B
C
C
G
A
C
H
C
C
B
A
C
C
Yeah
I
it's
been
killing
me
all
morning.
I
have
like
these
new
monitors
and
now
I
can
notice
spot
color
distinguishes
at
that
level.
Wow
yeah.
The
easiest
way
to
tell
is,
if
you
click
the
end
of
the
sentence
and
you
click
up
higher
in
the
paragraph.
If
the
little
text
color
icon
turns
white
like
it
indicates
that
there's
an
inconsistent
color
between
your
selection,
so
I've
changed
it
to.
B
B
G
B
A
F
C
C
It's
like
there's
supposed
to
be
a
term
that
talks
about
like
minimal
functionality
and
like
separating
the
different
functional
components,
to
do
the
one
thing
that
they
do
well
and
encapsulate
them
such
that
they
do.
That
thing,
that's
that's
the
genesis
of
why
libraries
exist.
You
write
a
library
to
do
a
thing.
F
C
C
B
F
B
B
C
C
I
think
we
start
with
a
issue
that
gets
submitted
to
the
cncf
service
desk
to
get
support
for
conversion
to
a
pdf
as
well
as
conversion
to
markdown.
We
need
to
clean
up
the
supply
chain,
part
of
the
repo
to
ensure
that
this
has
a
place
for
it,
because
I
don't
think
we
have
a
paper
section.
So
we
as
a
sig
need
to
decide
where
we're
putting
our
papers,
how
we're
managing
them
like
the
cloud
native
security
paper
is
a
general
one.
That's
fine
at
a
top
level,
but
a
supply
chain
paper.