From YouTube: TAG Security Supply Chain WG 2022-01-13
B: While we're waiting, let me post the notes again. Feel free to sort of add your sort of attendance to the notes for today.

B: All right, we can get started here. So just as a reminder, along with every other meeting, this meeting is a part of the CNCF and therefore falls under the CNCF's code of conduct. So by attending this meeting, you're abiding, you know, you agree to abide by the CNCF's code of conduct. And also please note that this meeting is recorded and will be uploaded to YouTube shortly after this meeting ends, usually within, you know, a day or two. All right, cool.

B: So I see some new names, I think, on the group. So is there anybody who's new who wants to maybe introduce themselves?
B: All right, okay, cool. So not a whole lot on the agenda for today, just a couple of updates. So one thing is: Andres is working on building out the draft for the reference architecture, as in, like, just sort of cleaning up the formatting of the paper.

B: It sounds like some of the folks on the CNCF side who are normally responsible for that are kind of pretty slammed right now, so Andres is sort of taking that on and should hopefully be finishing that up. We hope to have it out maybe even tomorrow, if not Monday. I know it keeps getting pushed back; we're still trying to kind of get it out as soon as possible so that we can get it in front of the community for community feedback.

B: So that's the big thing. The other thing, which, you know, trying to, one second, so another thing for next week: I believe Hector will be giving a demo to the group next week. Is that right?

B: Do you want to sort of just give, like, a two-sentence overview of what you want to show off next meeting?

D: Yeah, so what I want to show is a demo that will basically combine or focus on automation, a controller based on the SBOM content, right, rather than whether the SBOM is signed or whether the authority or entity that is signing is valid. I will focus on content validation; that is the more challenging aspect, yeah.
B: Because I noticed a few other folks have joined, you know, feel free to add your attendance to the sort of the meeting notes there. Okay, cool. So the only other main thing on the agenda, and this is just something I need to post in the Slack chat and see if I can send out some emails regarding, is, I know, with the new year a lot of folks have changed roles, whether it's at different companies or, you know, even within the same company.

B: So a lot of folks who, or I don't want to say a lot, but there are a few folks who have expressed that this time for this meeting might not work as much anymore. So I'm gonna open up a poll to just see if this time still works for folks. We can keep this time if so. Some folks suggested pushing it back an hour; if that works for people, we can check that, or any other time.

B: We can start to sort of look at that. All right, cool. Steve, you have your hand up there.
A: Yeah, thanks. I just wanted to follow up from last week. We talked about the signing, sorry, the SBOM roles and responsibilities kind of thing. So I do appreciate the feedback that I got from folks, and I posted that up; it's in the Word doc, also, or sorry, Google Doc.

A: So I think it's mostly a point of conversation. So the whole factual versus inferred is an interesting split between SBOMs and scan results. So I just wanted to get that out there for a conversation, and, like I said, I appreciate all the feedback from folks.

B: Cool, yeah, you know, Steve put that in the doc, but just as, oh, never mind, you also just posted a link there. I was just gonna, all right, cool, very cool, yeah. So beyond that, for this week there's really not a whole lot as far as stuff that's on the agenda.
B: So that's where we can open this up for conversation, if folks have sort of, oh, actually, before any of that, does anybody have any sort of updates from any open source projects that they feel is relevant to this group?

C: Yeah, I have a small one of my own. I shared previously into this group my survey of the open source supply chain landscape, a Google Doc, and asked for input. Folks here graciously gave me some input on that, and I want to let folks know that I moved that from Google Docs over to GitHub.

C: If there are updates in projects or new projects, please open a PR, so this can become a space where everybody can go, look, and see a huge list of all the work that's happening. And if anyone has ideas on how to synthesize that, the next thing I'm going to do, and I'd love to propose some work in this group over time, is to talk about synthesizing that and forming a taxonomy of the different types of work, similar to what Steve was just referencing: like, what are the different functions that projects fulfill in a secure software supply chain or software factory?

B: Oh yeah, definitely, we can definitely put that out to the broader group. I know you're missing a couple of things about that and looking for feedback. That's definitely something I know I'm interested in, because there is a lot of, you know, often confusion over what vocabulary you're using and how we're using it, and we want to make sure that folks are fairly sort of, you know, don't necessarily need to be completely in lockstep with each other on how we approach some of these problems, but even just sort of the general approach, and making sure that we're all sort of speaking the same language, is very important.

B: Cool, any other updates?
B: Some stuff recently, Priya, I believe you said that, I think there's supposed to be a new Chains release soon, is that correct?

B: Cool. And I should have a fix for the SLSA stuff, probably a little after this meeting.

B: You know, a set of tools configured and aligned to the work that we've been doing in this group, hoping to, you know, once we get approval internally to publicize this a little bit broader. But I have been given, I've been told it's okay for me to share with this group, and, you know, if it shares by word of mouth, that's fine. But, you know, we're doing a lot of work on this end to sort of build some, you know, build sort of a holistic set of tools that could be used as a jumping-off point for somebody's, you know, supply chain security journey, if they want to sort of approach building things securely while, you know, something like GitHub Actions doesn't necessarily fit the bill; they need something a little bit more flexible. But that's really it from my end. Any other updates, anything else?

B: Otherwise we can kind of just maybe, you know, transition to sort of more of a round table. We can maybe talk about some of the topics that Steve or Aeva brought up.
A: All right, sorry, I'll go ahead. Pause for the finding the b button. I think, yeah, this is one of the things I was hoping to get into at the next round of discussions for this kind, as we think about papers and guidance and so forth. The idea that an SBOM could be used to be much more informative to security scanners is just huge, so just, but having some standards around that.

A: So the security scanners aren't chasing everybody's varied opinion and implementation of scan results would be awesome. Whether, you know, the various SBOM formats can, you know, align on a single format or not, I don't know, but at least if there's a framing that this is what an SBOM is versus isn't, and the types of information that could go into it.

A: I just think would really help secure the supply chain a whole lot better with scanners. The paper kind of makes this position that there's facts that are known and information you learn over time, and I think those two pieces are pretty important elements that we could think about.

B: Yeah, on that note, I know that there's a few different things that have been going on, whether it's the, what was it, trying to remember all that, because there's the Vulnerability Exploitability eXchange, there's a bunch of these things that are going around. But the big thing I think that folks have been bringing up is there's going to be always a combination of things, right. You're going to have, you know, your SBOMs are going to be able to more easily tell you stuff, just like, hey, I have unique identifiers for my, or hopefully unique identifiers for just the software that's included, and maybe some additional metadata regarding how that software is included, so that you have a bit of a better understanding of, like, you know, is this something, how is it included, so it helps inform folks on, you know, oh, this is included in a way that could be exploited, whatever. And I think some of that helps out with just sort of more easily saying, yep, there might be a piece of vulnerable software now because a new CVE has come in, a new, however you want to kind of explain that. And then separately, there's also increasing, you know, as time goes on.

B: Obviously there's the scanning tools that are out there that are using different, you know, I should say the deep scanning tools that are out there that are using different heuristics and different algorithms to kind of figure out if particular code paths are vulnerable to some sort of attack.
C: Point of clarification that today, at least the CISA recommendations for an SBOM, the, you know, the minimum elements of an SBOM, are not a unique identifier.

C: Yep, so my proposal with GitBOM is actually to create a standardized way to uniquely identify the components of any piece of software in a way that is hierarchical and also compact and machine readable, and to me the compactness and the completeness are both key elements of GitBOM that things like SPDX do not yet incorporate.

C: Yeah, I was going to throw in there that we're discussing whether to call this an SBOM, for us, for a security scan result, and I would lean toward probably calling it more something like an attestation, just because typically, when I think of an SBOM, I think of something that's static, like your GitBOM, that's not going to change over time.

C: It will be passed from machine to machine, and the scan results are going to be dynamic; they're going to change over time, and so it's going to be something much shorter-lived, and there's just going to be a security server saying, hey, I attest that this happened within the past week and here's the result. Yeah, there's an important distinction there, and I'm going to totally rip off of Steve's blog post: the difference between the ingredients and a chemical analysis of the output of cooking something, right after I've made a breakfast quesadilla.

C: The chemical composition of that Maillard, the butter burning with the carbohydrates, is totally different than the ingredients that I put into it, and the point of an SBOM is to be the ingredient list. The point of a scan is to find out what happened afterwards. Is there mold in it now? I didn't put mold in the food, or I didn't put charcoal in the food. These are different results and they're different value.

A: Davis, that's exactly the kind of point. I think that there's some really interesting conversations around what can be done with information and where it's done and when, and obviously the purpose of these conversations is to queue up these, because attestations are interesting. You know, the raw ingredients that we factually know, not were inferred after the fact, and then the time-based analysis based on new information that evolves; classifying those in a way, I think, will help facilitate the conversations that I think everybody's trying to get out of securing this content.
B: So one thing real quick and then Hector, so yeah. Actually there is some reasonable, a lot of folks right before the holidays and even right after the holidays have expressed, not just within this group but in the OpenSSF, among just sort of some chats offline.

B: A good deal of people have expressed interest in, hey, now that we're generating attestations, now that we're generating SBOMs, now that we're generating all this stuff, great, what do we do with all of it? How do we correlate all that data or connect all that data, you know, such that we can get these sort of deeper insights? And so there seems to be a lot of interest there. My quick two cents is:

B: I would really prefer that it didn't become necessarily a whole new working group, because there's more than enough working groups to go around, but maybe even just a couple of, just a handful of introductory meetings and then saying, hey, maybe it makes sense for this working group to really spearhead it, or whatever I think would be there. But yeah, so I'll definitely keep folks in this group, you know.

C: Michael, do you think it makes sense to center that sort of taxonomy discussion in the OpenSSF as a working group there, maybe in one of the existing ones, maybe a new one, and let the CNCF working group, this one or any, you know, ones within this, utilize the output of an OpenSSF-based discussion on the taxonomy?

B: I largely agree with that. I would want to make sure that we get input from the rest of the group, but my personal two cents is I agree with that, and we could probably have a kind of a conversation, continue the conversation in the Slack, just to kind of make some additional thoughts.
D: Yeah, so I think this conversation is aligned a lot with, for instance, in my opinion, CycloneDX. The latest version that has been released, I think one day ago, the 1.4, adds features and parts of the SBOM generation which, I mean, even before they would have vulnerabilities, but now they even include VEX and other additional information inside this one. I agree with everyone here that probably, yeah, having it as part of this one file looks like a lot of information and unnecessary as well.

D: Probably not, attestations could be a solution, but I also think, and at being where we use CycloneDX, because you can also state the vulnerabilities that you encounter when you release a version, so you could see that the SBOM contains all these dependencies. At the same time, you can see that at the date I ran the scan report there were no critical CVEs, and those are the CVEs that my scan tool detected.

B: Cool, yeah, let me, I know it's mostly just been, I know a lot of folks throughout the community are very, very interested about this particular thing. I know it's one of the things that, after a lot of the great work that this group and other groups have sort of done in, you know, the tooling is in sort of generating SBOMs or generating attestations and signing of things, and, you know, a lot of folks have been saying, hey, we have all this data now.

B: What do we do with it? How do we, you know, how does this prevent the next Log4j, or not necessarily prevent, but how does this help us when the next Log4j sort of situation happens? And it's like, oh well, we need to be able to kind of query that data, you know, link that data such that you can have something like a graph. I know I've been poking around with some ideas around that as well, and so I think it's definitely worth some more discussions.
B: Yeah, so the only one I'm aware of that does this, and to be clear, we recognize that it's hard to adopt, is Nix and NixOS, right, because they're doing a similar sort of thing, where they're building out a Merkle tree of all the dependencies. They can go and say, you know, hey, where does, you know, if Log4j exists in my Merkle tree, it would be a quick check. With that said, you know, there's:

B: Obviously you would need to be completely 100 percent inside the Nix, NixOS sort of universe there, and if you're not, yeah, yeah.

C: So that's the same end result, a Merkle tree of hashes of the software identities. I will dig into, I didn't know NixOS had already done that. That's cool.

B: Yeah, yeah, yeah, they do a few things, and actually I think that there's a lot of areas probably for collaboration there, probably between GitBOM and some of the stuff. I had actually spoken to Frederick a little bit offline about some of that. It's definitely, I think, worthwhile to kind of look into, because I think, you know, the way that they are sort of managing that makes it sort of also a little difficult to then distribute some of that information if you're not within the Nix world, whereas I think GitBOM maybe is a little bit better suited for that. I'm, you know, I haven't taken too close of a look lately, but.
B: What else? Any other topics, questions, comments, thoughts?

B: Okay, actually, does anybody know anybody from the CycloneDX side who might be able to maybe give a demo of some of the new stuff in 1.4? So one of my big open questions has been that, hey, I see the new 1.4 stuff, I see sort of, like, you know, I've read through the press releases, but I'm a little confused as to what's the diff between 1.3 and 1.4.

B: What's, like, the sort of big differences there, and what, like, you know, what are some of the takeaways? I don't know if anybody knows folks, whether it's Steve Springett or any of those other folks who might be able to sort of give a demo to this group.

B: All right, oh yeah, Patrick Dwyer, yeah, yeah, yeah, yeah. I can go and reach out and see if, in the next couple of weeks, we can get somebody to kind of talk through some of that. Also, for a little more cross-pollination:

B: I know that in the OpenSSF they have recently changed the Digital Identity working group into the Supply Chain Integrity working group. So that's, you know, once again, I think, as we're kind of getting into the new year and more of these groups are spinning up, the CNCF, I think, obviously open to sort of additional feedback, but I think more or less we've centered on focusing on cloud-native approaches to supply chain integrity or supply chain security.

B: Securing the supply chain for cloud native tools and whatever, and things that are associated with, just sort of generally, with the intersection of cloud native and supply chain, as opposed to sort of just generic open source stuff, whereas the OpenSSF is kind of a little bit more focused on the higher level and the more generic, just sort of, hey, how do we do supply chain security for open source and for things that consume open source? So for folks who?

B: Yeah, yeah, no, sorry, I don't think so, and it probably makes sense to have a demo from them as well, yeah. It makes sense to have a demo from them as well. So if anybody knows SPDX folks, definitely down to have that. Yeah, so to go back to what I was saying before, so recommend anybody who's interested, definitely check out the OpenSSF. You know, there's work on the supply chain integrity stuff that I think is really interesting.
B: There was one other thing I wanted to bring up on that point. Oh yeah, so in that meeting next week, a few of us on my side are going to be demoing that secure software factory. We're going to be showing off how we use a bunch of different sorts of features to sort of help secure the supply chain, help give folks an easy interface for certain types of use cases such that they can kind of, within the scope of the secure software factory,

B: you can be relatively certain, you know, assuming that you trust the secure software factory itself, that, you know, we're building code in the right ways, that we're doing all the right sorts of things, you know, following the documents that we've written and so on. I will definitely reach out.

B: Cool, right, so.

B: All right, I'll take that as everybody there. So in that case, I will create a poll in the Slack channel for potentially rescheduling the meeting, because, as a few people mentioned, a slightly different time might make a bit more sense for folks, and some people can't make it because of changing roles or whatever. So I just want to make sure that we can kind of get as many people involved as is possible, and then beyond that:
C: Ideas for parting thoughts. I have a question: the paper you mentioned going out soon, I also saw a note that there's a plan for either, is it a new paper or a revision of that paper, in time for KubeCon North America in the fall?

B: Yep, yep, so the idea would be that it will, we are really pushing for this to probably be a living architecture document, right. So there's a couple of things: there is the general CNCF Cloud Native Security white paper, which is getting a big v2 refresh, but then the supply chain stuff that we're doing, we sort of are recognizing that, as you know, we put something in there and then the next day it's no longer true, because somebody has changed it, right.

B: You know, we might say certain things like, oh, this, you know, we don't have a great way for associating supply, you know, vulnerability information with the SBOM.

B: Yeah, and so on that note, where we're trying to do that, and then the other thing, just as an FYI, is one of the big reasons why we're trying to release a draft of the document as a PDF and as, like, a mostly finalized-looking document.

B: The main reason for that is, in the past we've run into some issues where, like, 90% of the comments are like, you have a typo here, as opposed to more meaningful, like, hey, this general thing I totally disagree with, and I think we should be doing this. Like, we want more of the comments around, you know, hey.

C: Would it be, and maybe you've already done this, and I kind of missed meetings for a few months from other distractions, I'd love to get re-involved in both of those, the cloud native security overall and the supply chain specifically. Are they both still working groups with their own meetings I can jump into, the Slack channels, or has the organization changed?
B: Sure, so as far as the normal CNCF security goes, there is TAG Security, so that happens Wednesdays at 1 pm Eastern time. That's when that meeting happens. There's a couple of other working groups that have come out of that; there's a lot of different working groups that.

C: Well, perfect. I'm probably not in all the Slack channels right now, and that's what's happening; I'm only in two of them, it looks like. Cool, so I will dig into that. Thank you for helping me figure out where I've been missing. And then, have folks been working on, or in some of the supply chain conversations here, how Notary v2 fits into that picture? Has that been part of a discussion so far?

B: So I know we had some earlier sorts of conversations on some of that. At the time, I believe there was still a lot of stuff that was in flux. We're definitely down to have more. Like, you know, I know Steve had given a little bit of a demo a couple of months ago on some of that stuff.

B: Yep, yep, so we're definitely, you know, we do cite certain things on there, but I believe when we were citing some of that it was before some of the tooling was fully baked with some of that. But now I know that, now that it's, I don't know if it's still.

B: Yep, yes, sounds great, yep. And then, yeah, so I'm just going to list out some of the working groups real quickly that I think some folks might be interested in. So there's TAG Security itself, right, and I'll put this in the agenda after I'm done listing these things off.

B: So there is TAG Security itself, which, there's the white paper that Marina had mentioned; they're doing a v2 of that. There is also one which is for folks who maybe work with the federal government a lot or work in regulated industries a lot. There is TAG Security; there is the Controls working group.

B: That's under TAG Security, which is trying to look at mapping, whether it is tools to secure to controls like NIST 800-190, 800-53, whatever, or also just other sorts of international standards and international controls as well, but also looking at ways to, you know, hey, here's a best practices document that we think that, if you apply those best practices, also hits these controls.

B: It's pretty much a whole thing there to try and get all that sort of synced up. There's also a Governance working group, which is more around what sorts of things can we do to, I believe it's for what sorts of things that cloud native projects can do for their own governance in order to sort of help out with security.

B: So stuff like, you know, hey, if one person has full admin access to everything, that's probably a security problem, those sorts of things. There's this working group, and I think those are the primary ones that I think are relevant, probably, to the folks who are on this call.

B: Right, if not, just a reminder: Hector will be demoing next week, showing some of the stuff regarding how to do sort of introspection on an SBOM at admission control time, so that we can look at an SBOM and control Kubernetes admission based on the content of the SBOM. And I will keep folks updated as soon as the draft of the reference architecture goes out.

B: All right, have a good rest of your week, everybody, and see ya next week.