From YouTube: TAG Security Supply Chain WG 2021-11-18
B: All right, I guess we can get started, so I guess I'll give the whole spiel here. So, yeah, as a reminder, this meeting is recorded and will be put up on YouTube, and by participating in the meeting you're agreeing to the CNCF code of conduct. Cool. So as a reminder, you know, the draft of the reference architecture is at this point done. We are waiting on, let me see here, what is it on. We're waiting on a ticket with the CNCF itself to work through some of the, with the tech writers, to clean up bits of the paper, fix some typos, that sort of thing, and also publish a PDF of it, you know, create a layout, yada yada, and then that's something we can then publish to the community, you know, for comment and all those sorts of things.

B: So I believe the only other thing, and this is where we want to spend some time with this, is discussing next steps. Like what sorts of things do we want to do in the group moving forward and what sorts of things, you know, do we not want to do, et cetera? So just keep that in mind.

B: So just one other thing from an update from my perspective is there is interest among the SLSA group to sort of collaborate a little bit more with what we're doing and figure out where we can kind of help each other out, where there might be certain things where we might say, hey, you know what, it doesn't really make sense for the CNCF to focus too much on this. It makes more sense for the OpenSSF, which is a little bit more broadly security focused, to focus on, and then here are things that, you know, are very much specific to cloud native things that, you know, maybe we want to focus on a little bit more. So those are the updates from me. Does... oh, yes, one second, I will post the, yeah, I forgot about that. I will post the agenda here and let me also go and copy-paste some of this stuff, so remember, put your attendance in there. Give me one second to just add the thing here.

A: So I don't have an update, but I want to update the agenda for the presentation that I've scheduled. I remember Michaela had shared a blog post from AWS on their DevSecOps tooling and reference architecture for supply chain, so he will be coming after re:Invent on the 9th, so I will add it to the agenda as a presentation, yeah. Thank you.

A: I guess I'll throw the question out going forward. Do we want to go more broadly and cover more of the end-to-end scenarios here, or do we want to go potentially deeper, give more options to people in terms of different kinds of build tooling that people might want to run, or, yeah, I'm kind of thinking through those next steps of where does it make sense for us to go.

B: Yeah, I agree on both fronts. I will say, I think, from the admission control perspective, this is just what I've noticed, but I think that there's a lot of effort going on in there, and I think one of the things that would probably be useful is a little bit of push from this group to help consolidate some of the different, because it seems like, you know, a lot of the common tooling, like OPA Gatekeeper and Kyverno and cosign, and a lot of these things were all starting to do vaguely similar things. But I think one of the things that's been noticed is like they kind of do things slightly different enough where, if you try to do, you know, it's not necessarily super easy to... anyway. It's something that we should probably just maybe talk with those groups and see if we can come up with some ideas of, I don't want to say a standard, but just some, like, hey, here are some pretty reasonable best practices that everybody should probably support, or whatever. That's my only two cents on that one.

B: Other thing that's probably worth noting, because I know I briefly mentioned this, but there is discussion among some of the groups, and I think this is where some of the leads need to come in, and we need to have some discussion with them as well. There is some discussion around, yeah, like what we're doing here in the CNCF, right, where, you know, the CNCF is going to be focused purely on, let's say, the cloud native pieces that make it very easy to use, and yada yada, whereas maybe some of these other groups that are a little bit more focused around just general security might look at it more from a big picture perspective. But once again, I think that conversation is very early on, just outside of some of that. I know I posted in security chat a few days ago, or I guess it was yesterday, that there were some folks who were discussing at the SLSA level about potentially, hey, does it make sense, for example, to have that supply chain compromise list, the list of supply chain attacks; does it make sense for that to live somewhere else as opposed to the CNCF, because it's kind of broader than the CNCF, and maybe the CNCF just sort of references it? Anyway, those are just a whole lot of things that are being talked about behind the scenes, and I'm sure, as more of that opens up, there'll be more opportunity to kind of talk through some of that.

A: I think that's a really interesting question too, because the CNCF does have projects kind of across the supply chain, but they answer kind of a specific version of those questions for the cloud, right, versus those other organizations. So I think in some ways it makes sense for this group to focus on how to do that, how to build the end to end using, you know, CNCF technologies with, you know, some other things pulled in where needed.

A: I like your thoughts there on not specifically being cloud native, because a lot of organizations I work with are kind of split between, you know, supporting next-gen, you know, cloud native landscapes, but also being able to take a lot of those practices and evolve those into their existing environments; they're on-prem, VMs, etc.

B: Yep, agree 100% there, and as you can probably imagine, you know, coming from a bank, a lot of that sort of stuff is still the legacy piece, and one of the things that, you know, was brought up previously, and I think in a good way, from some of the other TAG Security leads was, it probably doesn't make sense for us, the CNCF, to delve too deep into legacy. You know, serverless, all those sorts of things, like that's how, you know, we're better suited for that sort of thing, and maybe some of these other groups are better suited for both the big picture, and then potentially some of the other groups are better suited for some of those other specific questions, right? Like maybe FINOS, another partner organization, is better suited for some of the financial services, like the things that are specific to financial services. Like, as you could probably imagine, like, hey, what sorts of concerns do we have from a mainframe perspective, and, I don't know, like an ATM perspective; I don't know, like those are, I think, things that are better suited there, whereas we're, you know, obviously, I think, more equipped to handle the questions around using cloud native to secure your supply chain, as well as securing a cloud native supply chain.

B: I know next week, obviously, canceling next week's meeting because of the U.S. Thanksgiving holiday, but wanted to kind of see if anybody else had any questions, thoughts, et cetera. I know it's nearing end of year, so for a lot of folks, they don't really have a ton of time to sort of work on some of this stuff.

A: Yeah, I guess my main question is kind of like, what's the plan for figuring out what's next for this group, because I know we've been talking about that a bit in the past couple weeks, and with the holidays coming up and everything, maybe the answer is we talk in January, which is fine, but I'm just curious, yeah, how do we figure out what the next steps are? Is there a process for all of that?

B: Yeah, so once again, I'm not tech... you know, I'm not one of the leads on the group, so I know that Andres and maybe also Brendan will probably have to be involved in some of those conversations. My two cents is, I think, probably for the next few weeks, given all the things that are going on, demos probably make sense, if folks have interesting things they think, hey, you know what, this might be something we want to work on in the, you know, short-to-medium term future. I definitely think, you know, that this is now a good time to do that, with, you know, us not being able to have, let's say, a full sort of quorum to sort of, as like in a working session, that kind of thing. So I know one of the big topics is: do we want to now start writing code for that sort of reference implementation? I know some of the stuff that, you know, Brendan, myself, some of the other folks I work with have sort of built out an open source set of things; once again, that open source set of things is just purely, just like, you know, it's not a PoC, but it is very much a prototype. It only supports, you know, specific things right now. We obviously want to open that up as well, and just as a reminder here, it's, you know, evolving quickly, but this is where that code is.

B: Currently, there is some discussion as to whether or not that code makes sense to exist under the OpenSSF or under the CNCF or whatever, but we're still sort of working through some of those details. But, you know, the general idea there is we are trying to sort of build out something that makes it very easy for somebody in a simple use case to sort of, you know, generate attestations regarding provenance and all that sort of stuff, you know, using a set of cloud-native tools in a cloud-native way. So that's one thing that is being sort of discussed. Does that make sense for us to drive forward? Is it just still not ready yet? You know, that's one thing. There's, you know, there's questions about, okay, now that we have the doc out, we might want to switch to more of an iterative model because of how quickly things are moving, like, as you've probably noticed if you've read the draft, some of the things that are discussed in the draft, at least at the sort of detail level, are no longer valid, because, you know, as an example, right, like, you know, before there weren't great tooling around admission control, but now between Gatekeeper and Kyverno, and a lot of these other... cosign, and some of these other admission controllers, they've added a ton of new features to validate attestations, to validate signatures, to validate all these things, so we might want to kind of switch to an iterative fashion in the doc and just kind of keep updating at least some level of the details on that. Those are just a couple of examples, but once again, I'm all ears as well for ideas on what we might want next steps to be. Steve.

C: Yeah, I'm sorry. I was a couple minutes late, so I just wanted to clarify something on the on-prem. Was the scope related to mainframe systems that we just don't know how to think about in the sense of distribution and so forth, or was it related to just on-prem and things that aren't cloud connected?

B: So there's two things. So one, like the high level question is what should be the focus of the Cloud Native Computing Foundation's approach to this, right, like what work should we be focusing on and what work should we maybe defer to something like the OpenSSF, which is a little bit more broadly security related? And so on that front, you know, like a basic example is, hey, I can see a world where the CNCF is focused on two things: one is cloud-native approaches to securing supply chain, so stuff like using, you know, cloud native tools like, you know, Tekton and Kyverno and those sorts of things to then build and deploy cloud native applications in a way where we have some guarantees around provenance; and then separately, it's also, you know, approaches to securing cloud native supply chain. So you can imagine, right, like some of the stuff that we're doing doesn't stop us from, let's say, building Java JAR files that just run on a VM somewhere or, you know, on bare metal, whatever it is. You know, there's nothing to necessarily stop us from doing that, but we're not gonna maybe provide all the sorts of guidance around, you know, these are maybe some of the concerns you might have when you're purely working on longer running hardware or longer running systems; we might not get too deep into that.

C: Yeah, and here's the struggle, and I'll say it, and I know the challenge of saying it: what is the definition of cloud native? We have struggled internally at Microsoft multiple times; everybody's got a different opinion. It's just a generic... It's not the first time we try to figure out how to define a term and everybody's got a different perception of it. The thing that I'm trying to get a sense of is how much of on-prem, even though you're doing containers and all of those, you know, whatever technologies we want to talk about, but the on-prem is an extension of the cloud; they're doing everything that we would do in the cloud, but they have reasons for doing it on-prem. It's not just legacy hardware. It's not even just legacy practices; it's just for whatever reason. Like there's a dozen different reasons; it's not really important to try to clarify. It's another location, and then the other part of it is the whole VNet problem, what we sometimes think of as air gap, but air gap is not submarines and oil platforms. Air gap is every company trying to build a secure system wants to limit egress and ingress. So at that point, if I don't have access to everything all the time, it doesn't matter whether it's on-prem or in the cloud. I still have the same connectivity constraint. So that's what I was trying to get a sense of. Do we define cloud native as I can connect to any cloud at any time, and I assume everything in between is reliable, or is it just modern practices for what we define as modern today?

B: Yeah, so I agree with you, to be clear. I agree with that sort of general thing there. Want to get other folks' thoughts, though, on that.

A: When I think of cloud native, I think of more than technologies, not a deployment of where it's going to be deployed. I can go ahead and I can deploy VMs, but I can, as you mentioned, cool, in AWS or in any one of the cloud providers, but is it really cloud native? Not really. It just means I'm hosting it there. So I like to focus more on the technology implementation of cloud native versus, I can deploy a Spring Boot application that just happens to be sitting on a VM somewhere. That's not necessarily cloud native; it's getting closer, but not necessarily there. And to piggyback on that, I would say that I would define it by looking at a lot of the other products within the CNCF and saying: is it possible for us to integrate them? Not that we have integration, but just, are we designing solutions that could be integrated in there?

A: Maybe one other thing to slightly sidestep the definition part would be, I think it would be an interesting opportunity to connect the reference architecture to the actual release process, build process, everything, like this, a CNCF project, so we could not only say, like, hey, here's the reference architecture, but, you know, this project has decided to adopt the reference architecture. They've made these decisions, and this is how they're delivering a secure and, you know, compliant version of the tess, or, you know, some other, you know, any CNCF project. Like that could really help connect the reference architecture to a real world example. That would take effort on our part and their part, if they're interested in doing that as well. But.

B: Yeah, on that front, so as a reminder, too, you know, a lot of this stuff I want to make sure is done with the community, but there is some interest among, for example, the SLSA folks in sort of saying, hey, can we take some of the reference architecture? Can we say, okay, yeah, and based on what the reference architecture is doing, you should be able to get, like, a SLSA, this level of a SLSA attestation.

C: It's explicitly blocked, and I have to double check the SLSA levels. I would hope SLSA level, like the highest level, includes completely isolated environments, like they can't talk outside of their environment. So maybe that's the thread that I'm pulling on, just to see how much we're building dependencies on assumptions of connectivity as opposed to building dependencies that I can be completely disconnected and still get a secure validation.

A: So, building on that question and asking it a little bit differently, when I've previously stepped into this meeting and looked at the secure software factory work that folks here are doing, which is great, I've had trouble squaring that with the way SLSA describes the level requirements, many of which are not "use a tool." They are optional configuration choices or approaches to using a tool. Many of the tools listed here in the SSF and the documents we've all built previously could be used in ways that do or do not meet SLSA level requirements, and it seems very much not aligned, like not leading towards the same goal. For example, SLSA level three and four: use an ephemeral build environment. SLSA level three and four: have an isolated build, right. Have it hermetic, SLSA level four. To Steve's point, can you do the build in a way that does not reach outside the build environment, that is isolated and hermetic?

B: Oh, you're absolutely correct, but I think that, given what I would say a reference implementation and what the reference architecture is describing is, the reference architecture isn't necessarily just purely describing a set of tools. It's describing, you know, a high level set of systems, tools, etc., that you need to use in specific ways to sort of get, you know, a level of supply chain security. Now, as far as a reference implementation, right, I agree as well, where a reference implementation is not just going to be "install Tekton, install Chains"; it's going to be, you know, something like "install Tekton and configure it this way, apply this policy against it," and so on. And, yeah, there's still probably going to be some, at least for the time being, some, I don't want to say hand-wavy, but some fudging of the things; they're saying, like, hey, look, we're sort of saying we're going to describe certain things like, yes, if you make a pipeline that says go out to the internet, you know, we're not going to stop you, but what we might say is, like, but if you do that, you know, your SLSA attestations are not going to be at the level that you expect.

A: If you want to line up to the SLSA levels, you might prescribe certain configurations, such as: enable outbound network access, that limits you to SLSA level two, I think that might be three, I'm not sure; or, you know, you prescribe configuring a particular component of the toolchain that prevents outbound network access, and that helps build the attestation for a given SLSA level. Is that how you're thinking of it?

B: Yeah, largely, and one of the things, like there's two approaches. One is the kind of, like, hey, this is what we're kind of showing as something that you might be able to just do yourself, and we're just going to describe in some documentation, like, this is maybe what you should be doing. But then there's also the potential for using policy systems to actually enforce some of that, to say that, hey, if your pipeline, you know, maybe we can have something like a, you know, "SLSA 3 pipeline compliant" or something like that, right, where, if you try to deploy, you know, a pipeline to this environment and you want to say, yep, I want a SLSA 3 pipeline, but it, you know, goes and does something that would be against SLSA 3, it'll say, well, hold on, you're trying to deploy a new pipeline; that ain't going to work; you know, you need to abide by these rules. Like that's kind of another approach that we're, I think, looking at.

A: Okay, that's cool, and then pulling that back to Steve's question. Would I be correct to assume that as you're describing those different recommended configurations, some of them might consider disconnected scenarios as, you know, very important, and some might not? Or how are you thinking of disconnected scenarios, since those are still clouds?

B: Let's say right now, but in the future we are probably going to be looking a little bit more at those sorts of things, and largely when we look at cloud native we're looking at it from, like, the CNCF perspective of mostly, you know, I don't want to totally paint with super broad strokes, but, like, mostly just, like, sort of containers, Kubernetes, that kind of thing, and it doesn't necessarily need to exist in, like, a public cloud, a private... You know, it could be any of these sorts of things, and it could be, for example, Kubernetes running in an air-gapped environment as well, and some of that sort of stuff we've been deferring kind of to our best practices document.

C: Yeah, maybe, I mean, look, I love the iterative model and the whole bit, and I think maybe it just comes back to kind of the question Ava was just saying: is this a scope? Like if we can capture that this is in scope for what we want to support here and it's just not done yet, that's great, because then it sets expectations for what's coming, and don't discount A, B, or C because it doesn't support it yet, but it is... to the effort in an end-to-end experience, to what scope they should be thinking about. So, you know, it's okay to have obviously cloud connections at certain points, but I guess what has been a fundamental thing we've been doing in Notary is making sure that things can move across environments, be promoted, and location is not tied to identity, so that you can move and validate something, and you either may not know where it originally came from, you can't connect to where it really came from; it doesn't matter.

B: Yeah, and on that front we do get a little bit into that in the reference architecture document. As you know, we do try to say, hey, the idea here is that, you know, if you have attestations associated with an artifact, those attestations and the artifacts can move around, and that doesn't necessarily materially change anything. I think that there's probably some details we want to get into for the next sort of thing, because I think one of the things we do want to get more perspective from is some of these, you know, environments where, you know, you might have very large heterogeneous environments and you might have certain more isolated environments. You want promotion into those isolated environments based on certain policies and whatever, and so some of those environments might have different sets of security concerns and different policies and so on.

C: I'm just trying to capture, because you mentioned something about what this group might do versus other groups in CNCF do, and I'm hoping it isn't an "or," rather an "and," that this group might be focused on this level of scope, but it's not at the exclusion of something else. Something else might just be added on to it or, as, you know, it was just saying, it might be: hey, you're doing this thing, but you decide not to do air gap.

A: Is that a build environment or being able to deploy to an air gap cloud? Those are also valuable distinctions to capture.

B: Yeah, yeah, and that was something that I think, at least for the time being, I don't say was out of scope, was more or less just... The issue is, when it came to a lot of these things, we recognize that the air gap and some of the other elements around sort of how do we bootstrap trust, and should we sort of say, you know what, bootstrap trust at a hardware level and use hardware keys, blah blah, and there's a lot of those sorts of things that we sort of said, hey, look, there's a lot of movement in that area and we're not 100% sure where we might want to, you know, consolidate on. So in the architecture document we do sort of say, hey, look, you know, some of these things might have to be a little bit different depending on if you are existing in an isolated or air-gapped environment, but as next steps we definitely do want to dive into that a little bit more, and we also want to bring in, you know, experts, you know, for example, you know, confidential computing and so on.

C: Sorry, struggling for mic since I'm walking around. Yes, that makes perfect sense. I just love to hear that it's in scope and it's just not available across all things yet, so it just becomes a checkpoint for people to say, "I don't support this yet, but I will," or "I won't," but it is something that's in scope, so as projects are figuring how to integrate with this thing, it's one of the things they have to keep in mind, because that will be an expectation from users at the end of the day.

B: Yeah, and to be clear, in the way that the reference architecture is written currently, we don't really make much of an opinion on access to the internet or no access to the internet, or, you know, and rather I should just say, we don't really make much of an opinion right now regarding how isolated your environment is, and we do sort of say, hey, look, there's going to be certain additional guarantees you will get based on how isolated your environment is. We're not going to kind of go too deep into it right now, but as time goes on and we kind of figure out a little bit more about, okay, yeah, if it's a completely air-gapped environment, here are the things you're gonna have to work with, right, because you're gonna need to say, okay, well, there's gonna need to be ways on how you get, you know, access to, let's say, dependencies, source code, those sorts of things; you might say, okay, well, okay, we're gonna have an environment with those things assumed to exist, or whatever, right, like there's gonna be that sort of thing. And then, what was I gonna say, but yeah, anyway, I don't wanna belabor the point there; it's just mostly, as it stands today, the reference architecture doesn't make an opinion one way or the other on whether you should or shouldn't do it based on particular circumstances. That's kind of, I think, something that would be very useful in the future to sort of dive a little bit more into: yes, you know, what we described in the reference architecture would work in a non-air-gapped environment; it would work in an air-gapped environment. We don't really make much of a decision based on that today, but we can provide maybe details in the future on what things, like from a concerns perspective, you have to be concerned about with, if you go, you know, different levels of isolation, as well as what additional security benefits you get based on different levels of isolation.

B: If not, we can end it a little early. As a reminder, next week's meeting is cancelled; most folks will be out for the Thanksgiving holiday here in the U.S. And as a reminder, you know, that thing I linked before regarding, you know, this open source software, like, definitely interested in seeing, you know, if anybody else poked around with any of it, have any questions, concerns, et cetera. But yeah, and once the draft of the ref arch goes out, we'll be asking for, obviously, public comment and so on, and then as another reminder for anybody who had sort of joined late, you know, one of the things that we are probably going to do in the future is, the ref arch for this thing is, I get that usually you want to say a reference architecture is not something that sort of changes every other day, but given the nature of the supply chain space and how quickly different things are moving in it, right, you know, we might end up making it into something...

B: All right, cool, if there's nothing else, see you all in a couple of weeks.

B: Yeah, yep, no worries, no problem, to give you the quick... Yeah, to give you the quick summary here, so what happened: so, yeah, waiting on the CNCF to clean up the doc still and have a PDF on it. What else? We talked a little bit about starting to have some discussions on, okay, now that, you know, we're going to be releasing the ref doc, what does that mean, good point, and, you know, what are the sort of next steps after that? Like, are we going to keep working on the doc in an iterative fashion? The answer is probably yes, but we want to make sure that there's some clarity, that we'll probably do something like "this is v..."

B: So there's that. Other things are, you know, in the upcoming weeks, with the holidays coming up for most folks in, you know, Western countries, we're saying, hey, maybe the next few weeks, obviously besides next week, which is the Thanksgiving holiday here in the US, so no meeting next week, we're going to have probably some demos, some sort of just, you know, chats, maybe some discussions about next steps, but probably we'll really ramp back up again in January.

B: There's some discussion right now between the groups, between the various leads of OpenSSF, CNCF and so on, is, hey, we're doing some supply chain stuff. Does it make sense for the supply chain... like, it probably makes sense for the CNCF to work on some supply chain stuff, yeah.

B: ...sense at the FINOS or something like that, right, yeah, you know, and OpenSSF maybe makes more sense, because they're super focused on the open source piece. Maybe it makes sense for them, and they're doing this with, I'm not sure if you've seen some of the stuff that's coming out of SLSA, but, a bit, yeah, yeah, at the SLSA level they're like, hey, look, we're looking at getting SLSA attestations on PyPI, right, like on the Python packages, and so already they have, across thousands of packages, been able to get, like, SLSA level two attestations, and so, hey, that's great, right. You know, and so they can focus more on sort of this broader open source picture, and there's maybe a couple other groups that can focus, like, for example, the Confidential Computing Consortium or whatever; they can focus maybe more on the hardware, making, you know, in a few of these other things, and the, you know, the CNCF can maybe focus a little bit more on securing cloud native supply chains, right, so using Tekton and... And there is also then the other thing, which is, like, a cloud-native approach to securing supply chains, so, like, hey, using cloud-native tools to secure your supply chain, right, because certain things, like, hey, if you're using SPIRE, a lot of these things become a lot easier, like once SPIRE is integrated and everything. Oh, you know, there is, and so that's kind of the discussion on that front.

B: There is discussion about, hey, here's this reference implementation; that's the code I sent, you know, in chat here. Maybe that makes, you know... We have a lot of work that we're sort of working on in there to kind of make it, you know, this is a lot of the stuff that we're doing off on the side here; to be clear, it's all open source. At some point we want a group to sort of take it and sort of... We don't want to be, you know, like the Mike and his team show; we wanted it to be the broader sort of community, and we want to say, hey, look, you know, this is just a set of tools that we were using at the time. But the idea here is, you know, probably a couple more weeks' worth of work, but, you know, you'll be able to run a single script, you get everything sort of deployed, you'll be able to kind of run pipelines. Those pipelines will have a policy associated with them. So if you try to deploy a pipeline that isn't secure, or, like, is very clearly not secure, it's going to go into...

B: [inaudible] That does make sense, so those are some of the things that we're looking at as next steps, among, you know, other things, and to be clear, like, that's just me right now; need to get Andres and Brendan and some of the other Security TAG leads to discuss this a little bit more, and yeah.

A: No, not really, I mean, I've... I still have on my list to, have been sort of bogged down with something else, but to sort of run the secure, you know, the software factory locally. So that's one of the things I've been meaning to play with and sort of see how I could contribute. So if you've got any recommendations on how to contribute to that, I'd be, you know, I'm up for that.

B: Yep, so one is, the best way right now is just try and run the thing and open up an issue. If you just go and say, like, this doesn't make sense, like, I couldn't get it to run. I think that's, like, the number one thing, is just if it takes more than, like, a couple of minutes for you to figure out how to deploy the thing, and then to be...

B: I think there's still some work we need to do to make it clearer on how to run some of the example pipelines and how to get your own pipeline running
that
that's
something
that
we
need
to
work
on,
but
if
it
takes
more
than
a
few
seconds
for
you
to,
you
know
a
few
minutes
for
you
to
figure
out
how
to
deploy
the
thing
and
largely,
I
believe
it's
there.
B
Things
are
moving
really
really
quickly
on
the
team.
Is
it
should
just
be
something
along
the
lines
of
like
make
ssf
and
it
should
install
to
whatever
your
kubernetes
context
is.
B
A
I've
had
a
look.
I
looked
at
it
a
while
ago,
I
mean
a
while
ago,
like
a
month
or
something
it
looks
really
interesting.
It
looks
very
clever.
It
solves
a
bunch
of
problems
so.
B
So
we
are
using
that
pretty
heavily
in
there
and
the
reason
being
is
so
I
like
helm,
what
I
don't
like
is
helm,
templating,
okay,
and
that
what
the
reason
being
is
just
that
with
q,
it's
kind
of
a
different
thing
like
with
helm.
B
It's
kind
of
you
you've,
sort
of
inverted
control,
a
little
bit
where
it's
like
your
templates
are
pulling
stuff
in
in
in
a
certain
way,
whereas
in
with
q,
it's
no,
no,
my
q
functions
are
generating
my
configuration
as
opposed
to
my
configuration
pulling
in
the
values
it
needs
and
some
of
those
values.
It
can
be
a
little
unclear
where
they
exist
and
it's
it
becomes
sort
of
a
thing
where,
whereas
here
it's
like,
I
can
have
a
function.
That
is
something
like
generate
keys
and
then
I
can
go
and
say:
okay.
B
Well
now
I
just
pass
in
these
keys
into
the
functions
that
generate.
You
know
my
kyverno
policy,
okay,
that
you
know-
and
it
makes
it
very
easy
for
me
to
do
a
lot
of
that
now.
The
problem
is,
to
some
extent
that
q
is,
is
not
the
easiest
to
they
have
some
there's.
Some
concerns
with
their
docs
they're,
just
not
very
good,
and
they
recognize
they're,
not
very
good
they're
they're
they're
actually
planning
to
refresh
them
pretty
soon.
B
They
are
also
looking
to
sort
of
clear
up
a
few
things
that
are
literally
wrong
in
the
docs.
Okay.
Well
as
an
example,
they
don't
use
c
style
semantics
for
like
if
I
do
x
and
y,
you
know
c
in
you
know
c
style.
B
Semantics
should
say
that
if
x
is
false
y,
never
evaluates,
they
don't
do
that
they
actually
evaluate
both
of
them,
meaning
that,
if
you
have
something
like
if
x
is
null,
you
know,
oh
sorry,
if
x
is
not
equal
to
null
or
not
equal
to
undefined
or
what
they
call
bottom
in
this
case-
and
you
might
say
and
x,
contain
you
know
if
x
and
you
know,
perform
some
operation
on
x.
Well,
you
end
up
with
a
thing
where
you
could
write.
You
know
you
perform
an
operation
on
null
value
right.
B
You
know
which
becomes
an
issue
so
so
like
there's
a
couple
of
things
there
and
to
be
clear,
they're
clearing
a
lot
of
that
up
really
really
quickly.
But
beyond
that,
I
really
really
like
it,
especially
in
the
fact
that
today
I
can
just
go
in
and
say
I
can
import
kubernetes
custom
resources
that.
A
B
A
You
can
sort
of
encode
that
in
the
template
prior
to
actually
generating
the
data
inside
just
it
won't
it
won't
if
it
doesn't
match
the
template,
it
just
won't.
Do
it
yep,
yeah,
okay,
cool
that'll,
be
a
great
opportunity
for
me
to
try
and
play
with
cue
a
bit
more.
You
know
in
practice.
I
I
rather
like
the
whole,
you
know
finding
like
trying
to
deploy
bumping
into
stuff
and
then
documenting
that
and
ideally
pushing
you
know,
suggested
changes
to
improve
that.
So
that's
something
I'll
happily
do
so
I'll.
A
Cool
all
right
thanks
a
lot
for
the
for
the
roundup,
yeah,
really
helpful,
yeah
I'll
catch
you
online
and
yeah.
Thanks
again,.