Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / TAG Security / Supply Chain WG / 22 Jul 2021
Cloud Native Computing Foundation / TAG Security / Supply Chain WG / 22 Jul 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CNCF Security TAG Supply Chain WG 2021-07-22

Description

CNCF Security TAG Supply Chain WG 2021-07-22

A

Three.

B

Hey everyone.

C

Good morning, hello.

B

Brandon, hey ronda.

C

I haven't seen you in a while brandon.

B

Really.

C

I'm kidding.

C

I know it's, it's. Our calendars drive our lives right.

B

Yeah exactly.

A

All right.

B

Yeah all early, so let's wait a couple minutes.

A

Three.

B

Hey everyone just waiting a couple minutes.

C

Hello done.

D

All right now, how are you.

C

I'm doing great how about you.

D

I get to hang out with you all. I am in the best place.

B

Possible see this is that this right here this is the happy.

C

Pudding.

D

Here this is what we say very happy face.

C

That's great.

D

The only hard part I have to work with brandon, but that's okay, everybody.

B

Else is good.

D

I know I'm.

B

Sorry.

D

It's rough, it's rough for me.

A

I'm going to take offense that, even though you probably weren't even me and me.

D

It was the lump, not the mitchell, all right there we go hugs brandon, hugs.

B

All right, I felt still joining so let's wait a couple minutes. I think we are also expecting michael.

A

Recall with the formal title there going by the necklace today,.

E

Yeah, I think I logged in with my uh personal account today instead of a box, but one let me probably go change. My google profile stuff on my personal account at some point, but you know how that goes been there like that for 10 years, but I'm going to be there for another 10 years.

B

Yeah I haven't changed my github photo for like 10 years. I should go for that.

B

All right, so I think we have a good number of people and right now, just a couple more that still connecting and audio connected. So let's, let's get started so um just uh just a quick update, um I'm going to put in the link to the document as usual. These are meeting notes, um so we we have a a couple kind of um high level things to do and update about, um and also I'd like to before we dive into the details um as well.

B

I'd like to just go around to see if anyone has any specific updates on the interesting pieces of news to share that could be could be important for our group. So um a couple announcements, so one thing you may have noticed is.

B

Emily is, um and I are kind of stopping faces a bit in terms of participation, so she's stepping back a bit, I'm going to be participating a bit more um so yeah. Sorry then, stuck with me.

D

So for everybody I tried to veto that, but I got overruled everyone. So sorry, that's brandon, alum, not mitchell. Okay, just clarify.

B

Yeah so yeah we have to brandon says over here we have to be a bit. It's gonna be a bit tricky, um so another thing that we've done um so a couple of us offline. We met together um and talked about just between you know um the pms and and a couple folks here we talked about you know, taking a look at what we had in terms of the user stories, um kind of drawing from all the different presentations that we've had and start to kind of create an outline for the document.

B

So we're going to talk a little bit about what we have. So if you scroll down a little bit, you can see some information about what the overall structure of the the reference architecture paper would look like, and you can already see in like some filled in details, we're going to go through that in a little bit.

B

But we spent some time looking at that trying to create something where we can start working on and developing with the hopes to to to get something concrete, something there, because I'm moving forward with and then towards the end. We'll talk about contributing a donk. We do some um interactive brainstorming here, um how we can contribute to the the document and all the aspects. So the idea is, you know. Once you have a good foundation, you can start putting the reverse architecture together.

B

um So before we go ahead, just want to go around it's any any updates or any um news that anyone wants to share that's relevant to the supply chain. Working group.

B

All right, if not, let's go ahead so I'll share my screen um I'll talk a little bit about this and then I think I want to pass the time over to michael who's. um We've designated our chief architect to help uh structure, others together.

B

So what we have here is come. We took the previous mission and the scope that we had and we kind of brought it forward here again, just a reminder what the reference architecture is. uh We have this nice picture here that um you know it's from the supply chain: security by paper that we're going to use in reference as we are starting to build all these things together.

B

um So what we have here is um this is what we we discussed would be the structure of the paper. uh We will start with the general guiding principles. uh How do we decide? um What is the scope of the paper? This is going to be based on you know, supply chain, white paper. We may also reference.

B

um Sorry did someone say something: nope, okay, so um have a quick ask before we're going to discovery um pause on the editing.

F

I'll pause that it was an incomplete sentence, so yeah sorry supply chain paper is not a guiding principle. So just adding what we've discussed there yesterday go for it don't mean too distracting.

B

Yeah, it's just my eyes uh triggers.

F

The ocd.

D

And one point here I think, like I said it was taking all the meeting notes and concatenated to actual like tasks like that's. I think the our major thing yesterday that that um brandon, uh michael uh and andres and myself kind of did was just make this more of a functional like almost summary of what we need to do. So that's it.

B

Yeah yeah, so so these are kind of um you know. Not everything here is is of course, set in so we're just trying to to draw on the ideas, uh and obviously, as you can see, some of the details um are not filled up yet right.

B

um So initially, the the first aspect of the paper is to talk about how we are good in scope, um how we are scoping, this paper and reference architecture, as well as the kind of philosophies that we take for technologies, and things like that, so one thing we discussed was um we're drawing the principles from these different frameworks and papers.

B

How we determine scope is based on some of these things, as well as known technology and knowledge gaps, for example,.

B

You know if you can't do certain things a day of it is not known how to do how to carry out a certain function. Let's say for the sake of argument, nothing. This is telescope.

B

All right we had some echo there are we okay, okay,.

D

Rodney, could you mute if possible? Thank you.

B

Hello: okay, cool, okay, um oh rsi, right so um scoping in terms of technology and gaps. We talked about so that ideas like if something is not um not really achievable today or there's a lack of knowledge in the area. For the sake of argument, reproducible builds you'll say that you know, because there are these things which may not be in scope.

B

Today, uh however, we have this section at the bottom uh that says future considerations and iterations that talks about the things that we are going to say for this current reference architecture is our scope. Y is our scope, but why the same time we're talking about these because they are important factors that should be considered.

B

um And then the final point on the overall so-called guiding principles of the the the referendum architecture would be um when we are talking about the different components of the architecture or certain um actions of how things are processes of the architecture.

B

Here are some principles that we follow. Where you know in terms of technology and tooling, you know we, of course we favor, you know cncf open source generic in that order, um and also we have general anti-patterns, like you know, patented anti-patterns right. So you should harden things when it's possible. uh You should do immune. You should do immutable immutability as much as you can think of that.

B

So so this is going to be kind of like the high level talks about the document, and then we have the overall architecture, goals and stories. So this is really how it's. This is going to be the major structure of the reference architecture, so we discussed a few things. The main things were providence for build architects. Things like that.

B

um The artifacts are provenance for the dependencies as you're, ingesting them uh verification inputs and outputs. So this is a scanning happens, code scanning happens and all this stuff um securing a built environment. So this really goes into.

B

I think what most people would would really call the the secure build. So this is where the attestation of the environments come in to play and things like that: uh distribution and storage, artifacts and consumption artifacts by random. So between us.

B

I think we kind of found these categories to kind of represent most of what we were talking about um and I'm going to quickly go through the rest of the structure of the paper, and then I want to hand it over to um to michael and and andrews and dan, to kind of start, the brain. Stopping the discussion of. Let's talk about some of these things, uh whether we should add things in whether we should uh reword them. You know what are some things that we may be missing: brandon.

F

Real quick, I know this is this: is an eye chart for people, I'm getting comments and you're going fast, so quick checkpoint perhaps see if folks have thoughts or feedback, or this elicits a response that mine things are might not be aligned with what you had anticipated or how we had been moving before.

D

You go on we're generally opening up the floor for folks to comment at this point. um I know you're just seeing the document right now, but let's just open it up for discussion.

B

Yep.

G

I just wanted to quickly um say one thing just because I know some folks were using the um trello board and I think we still do plan to to use the trello board, but I think um there was some worry uh that we were sort of putting the cart in front of the horse there, where we were sort of splitting up bodies of work without really understanding the big picture of what we were trying to achieve, and so that's what this is for is to help us better sort of understand.

G

You know what are the high level boxes? What are the high level components that we assume will be part of a software factory and from there it will help. I think, better, inform what we are doing in the trello board and also help us prioritize. What we plan to work on.

A

Hey, um can you hear me.

C

Yeah.

A

Yeah cool thanks, I'm just sorry as a complete new comment to this group. I think this is my second uh meeting um yeah. I landed on the trailer board and I wasn't entirely sure where to start- and I think, if we'd linked- maybe to this to this um overall plan, that sort of, as you were saying, tries to give the big picture of what we're trying to achieve that. Would that would really put things in perspective and be really helpful.

G

Well, yeah that that's definitely the goal of why we're writing this up now is I I think we me we maybe went to a bit too quickly into sort of splitting up stuff into stories about even thinking necessarily about epics or the the big picture there.

C

And michael um I'm in agreement there, but I feel the reference architecture is much more detailed right. So for this diagram up there, it shows the overall cicd pipeline, but all the controls etc, that we need to build around that. I think we'll have a follow-up diagram which lays out all the security controls and other controls that we need to lay on top of it like. I think it.

D

Was I think it was more like a it's almost like a win, uh an overview kind of slo, graphic or illustration right, of course, that that's not the reference architecture? I totally agree like the idea here is that once we do figure out like which components we're going to actually use and brandon, if you can scroll down to the bottom, uh I kind of put a I'm I'm I'm kind of skipping around. But if you see here right that diagram will be based on some of these things right.

D

So we have this requirement, and this is whatever tools we do here and the one thing we want to make sure is that we're agnostic right so meaning we still have to any reference architecture has to have some type of suggested opponent component, but we also want to be able to have an alternate component. If, like, let's just say something is you know specific to a specific technology that a legacy technology can adhere to right and so right now to completely completely agree with you that top one was more like window dressing to say look.

D

This is the over overview and then, when we get into the meat, we'll have a really detailed uh diagram. Does that make sense.

C

It does um and- and I I feel we should focus on capabilities rather than products, and you know that's not.

D

Named.

C

Vendor products, so let's just talk about it.

D

Yeah we have to talk. I'm sorry, I'm sorry right now. Let me finish your thought. There.

C

Nobody's no, I'm done yeah. Thank you.

D

Yeah we have, but the things with reference architecture. We can't talk in conjecture of what uh uh you know in terms of what a a we need to be very specific on a reference architecture. This isn't like a best practices, doc, we've already written that for security. We have to be specific on which either projects or uh products we're going to be using here. But that's why I added that column for alternative right.

D

So then, if we are specific here and we know of a solution that also does similar functionality, then we that you know maybe somebody can do an iteration of it and create another diagram and another. You know uh and then them to the document. If that makes sense,.

C

So so dan, are you saying that we'll take cncf projects um and products that are part of the landscape and map them here? uh Based on the capabilities we need in this reference market.

D

I ideally yes and then we'll also provide an alternate because again like there might be some solutions that are very specific. The cloud native that do not work in um you know that don't work from a legacy perspective. um That was, I think, a concern that like andres, had had as well. I don't know if you want to add more context to that.

D

Sorry, to put you on the phone.

F

I I just rewarded the language around. The notes of cncf, where applicable, is, is the preference now we're we're writing this at this point in time, and a lot of it is temporal like software changes fast, a lot of people are working very interesting things. We're gonna, try to strive to say here is the the best reference that that captures or performs this, uh but that might change right. um The picture, though, could have several interpretations.

F

You could say: oh that's, the those are the system internals of a monolith that does we don't want this right. One of the goals here is here is not not to be something subjective for someone in any of our respective organizations to hit us up and say, hey, I I implemented your zero trust supply chain. Come have look and you take a peek as like. No you did it. This looks nothing like it. uh This doesn't follow. This is actually not secure. There's a lot of liability.

F

Here's I don't know like we're, wrote, what's we've implemented, what's in your in your architecture, so while well we're not and and the role of compliance or conformance uh for an architecture that doesn't exist yet we should try to make it very clear and very discreet and and well understood, and in some areas there's going to be explicit gaps and say: hey we we are. This is how this is like the desired end state. There is not a particular tool that performs this today that it's available upstream, but it's what we're trying to fill in.

F

So we might have to declare this john shell. You have your hand up.

A

Yeah, I don't mean to interrupt the conversation if there's anything else on that thread.

F

No go for it all right.

D

Please please interrupt that's what so.

A

uh Like generally, I'm a huge fan of coupling some of this more closely with the coupling the reference architecture with the best practices paper, because I think we we definitely exploded the scope uh in some of our early conversations.

A

uh I went through the paper myself a couple weeks back again and I realized how much there was as far as recommendations. It's not actually software um and so there's the kind of a couple of things in terms of like as we get to the point to the reference architecture.

A

Maybe some questions that come out of this is like how to best capture or point back to the policy recommendations or the organizational recommendations of what we think the requirements are and not to kind of like is andres was saying of like we don't want to be a situation where someone takes the reference architecture tries to deploy it and say now we're secure without doing all of the other stuff, um but I think that that's also maybe just a level set on the question.

A

I heard reference architecture paper before we talked about like a github repo and things like that of like are we do we still want to actually build something that connects some of these tools together, or are we going to just make multiple um recommendations on specific tools or components.

E

I think so what you're talking about right is. We talked about policy in that paper about what we need on what what needs to be implemented right and that might look at some of your controls, like fisma or, if you're, you know any of your federal fed, ramp or whatever right. Maybe we can implement that as policy as code in this reference architecture, where possible or say that hey this, this item would be an administrative policy that needs to be checked out about.

E

So I think we can make those distinctions on on it right and I think, there's a lot of things right now that happened in industry that could be implemented as policy as code uh using some cncf tooling that that that just isn't yet.

B

Yeah and to that command, we are still planning to have an implementation. um We just understand, and we we think it's it's going to be easier.

B

um If we kind of develop this, um then we can go, go to folks from different projects and be like we're building this common bot and it's going to be a much easier conversation.

G

Yeah, yeah and and along those those lines, I think the thing that we're trying to do is also figure out the prioritization of what best practices to look at first and and what capabilities to look at first, um because otherwise I think it's very easy, especially for um you know some folks on the call have have you know expressed where, like hey, I don't know where to start, um and I think it's gonna be useful to to provide um some of that guideline so that we we know, you know what sorts of things to to work on first.

G

Otherwise, you know we'll we can there's lots of rabbit holes. We can dive into.

F

So.

H

We want to do.

F

Everything but let's see how far we get, let's start with: let's, let's walk before we run.

H

Yeah one comment uh to follow for uh understand: right, like uh if someone says we are following these base practices, and we are following this supply chain security, and is there a way we can basically provide them? The validation? No, you are not or yes, you are right, like a certificate.

I

That's going to be very difficult. I see that being very because if one component is off, it's going to throw a failure and they're like this doesn't work what's wrong.

H

Right right, so people need probably need that assurance. Like are you following the uh this all the practices, or probably you are missing one of the recommendations. One of the things like signing. You are missing signing in whole uh pipeline right, so people can get there.

I

I think it would be great if we have a reference example.

H

That.

I

We can show people how it can be done and they can go ahead and either apply our recommendations or look at comparable products that they are in their organization or in their group.

B

Yeah, should you treat us already planning for the next thing, we're going to work on after the reference architecture.

F

One clarifying question there: how do you think around oh something I said on the call yesterday is like if someone places like regular traditional ancient infrastructure say like a jenkins, very large, installed jenkins they've had in place uh for a decade and they're they're, gonna, say well we're gonna try to like retrofit this and then call it a day and saying this.

F

This is now like zero trust or like it's, this conformant with a number of these things like do we want to make a gradient and say: hey, you're you're, either you're either doing the thing or you're not or do we want to say hey. This is modular. You can progressively adopt parts.

F

uh It is intended to be modular and extensible, but perhaps there's there's a progression to get there and I don't know, maybe we can take a page from kubernetes because, like five years ago, if you, if you came into an enterprise and say, oh, you want to modernize your infrastructure, you just have to do kubernetes. They would have said like no talk to me about the valley prop and the benefits like how do I get there? But how do you think about that.

I

This is gonna, be a it's gonna, be a crawl walk run for a lot of organizations. If you make it modular, you at least have them show value slowly. So I'm getting close to zero trust, I'm implementing patterns versus I have zero or nothing or everything. So it has to be modular.

F

Okay, I I love that framing that's useful.

A

Sorry for the most um yeah, I would tend to agree, I think there's only there can be a value in being like all or nothing. It's the value of example. um You can by showing something that's fully done and fully complete. You can say this is what it looks like when it's fully implemented anything less than this won't give you the maximum security. You can hope for. That's really, that's that's the only value I can see in that. But most of the time I think, walk you know.

A

Crawl walk run, makes more sense for organizations when they try to actually implement stuff. Not just look at you know, perfect examples.

D

It's just.

A

Like.

D

It's just like kubernetes in general, like moving applications, you're not going to move your whole stack over. You take little bite size chunks. I think we need to take the same idea here. um Yeah.

F

And this is what that first step after after you've tackled that big rock it just becomes so much easier.

D

Exactly brandon.

F

Back to you, I think.

D

We're.

F

I.

D

Think I think nicholas had something to say: go ahead, nicholas.

E

Yeah um well, it begs the question, then: what does that look like? Where do you start um right? And I see that it's comment about the slsa. I think that that's a good kind of document that's already out there, that we can take a look at um and see how how they did it and what's what their different levels are, and how that maps to the cloud native landscape and see if it fits um salsa.

E

Okay, like some chips and salsa.

F

Yeah, as I call me, and I feel, there's cultural appropriation there, but you know it is the number one.

A

Compliment.

D

It replaced ketchup as the number one condom in the world. I got that from a science episode yeah. Maybe it's changed. Go ahead. Sorry.

E

So yeah, I think that that uh what is it called uh the maturity? You know we use like a maturity matrix a lot. You see that a lot. So what? How does that map to the different tooling that we already have and do we have the tooling to meet that maturity matrix that we come up with.

F

Open question: let's capture it down,.

F

Any any other questions before we we run down through the rest of the dock here today. So far, further more questions will come.

B

Yeah, so I I think uh one of the things that we wanted to go through um at least is talk a little bit more about we're, hoping to see participation and now that the the outline is starting to to form up a little bit more.

B

So we have a section called components of the supply chain or secure software factory, and then we have also um defining the actions of supply chain on secure software factory, and the idea is, I think, the selling point that we want to work with is to start with defining the components and the actions, and you know it should follow uh directly from these two on these two aspects that the architecture is, you know will be really mainly just piecing them together.

B

um Another thing that we want to do is, um I think this has kind of come up within the past few discussions here about how we, what we want to target based on the scope of what we are doing. Can we say that this meets a particular salsa level?

B

I think that is something that we also want to um create kind of that association with we say this reference architecture um is targeting the salsa level if there are any other standards or any other um certifications or um references that we can point to, that will also be good.

B

Yeah, so I think the main thing we are we're hoping for is to do over the next week to build up the components and the actions as well to get one or two folks to to also look at how we should target our first architecture in relation to it with all these different standards.

B

um I think the way we want to do it is really it's going to be free from initially where everyone just adds in what you think is going to be a component of what should be essential actions of the supply chain, and then you know we'll review all of them. They'll go through them, we'll map them back to the overall architectural goals and stories, and that should give us in our basic structure we'll come together.

B

um We'll put the a picture together and we'll have a discussion around that.

H

So brandon, do you want us to update in this particular document or on the trailer board.

B

Yeah, I think for now: let's do this document. Okay, yeah um right now we have it kind of unstructured if you put something in, and you think it maps onto particular stories um of the supply chain. They're talking about, for example, providence verification, you can kind of just put a small bracket by the side, that'll be helpful as well, um but yeah.

B

I think I think this is where we we hope to get a lot of community feedback on is what you think are essential parts of the supply chain, and then that will build into a reference architecture, um dan andrews michael. Do you want to add on to that.

D

No.

D

Anybody else have any kind of overall thoughts of this. Are we trying to tackle too much here or thiago.

H

Hello, sorry.

A

I left my mickey open sorry, I thought you.

D

Had something to say, no worries.

F

Yes, what what like, marina or priya would think.

H

I can go, um I think, honestly, like it makes sense to me. I kind of agree with like the major components and kind of like the high level diagram. I think a lot of it corresponds like pretty well to the demo I gave a few weeks ago, which is why it sounds like pretty reasonable to me. Overall, I think this looks like a great starting place. It has a great list.

C

Of things I'm.

A

Sure, we'll think of other things, but yeah. This is a great place to start.

D

Ultimately, we want to kind of put folks names to this right, meaning like to take a look and do the review and make sure that everything is copacetic not only from the implementation perspective, but also like from the verbiage and all that fun stuff, because this should be a natural. I think that john mentioned earlier some natural accompaniment to the document that we have where we're actually instead of saying this is what you should do. It's here, we're showing you. This is what you should do. That should be our overarching uh uh mission here.

I

We're not just here to talk we're here to do, because if we can't actually implement what we're describing it's useless.

D

I wish I wish you were here every meeting andrew you just literally everything that was in my head. You delivered just said: that's amazing,.

B

So preferably, I think we'd like to have folks pick up certain contributions to this.

B

I think the most organic organic breakdown of this is based on the overall architectural goals and stories, so the components and actions for each of them.

G

Yeah, uh I was just going to say I I think one of the things I think that would help myself and- and I hope would help others as well- is even just sort of drawing up uh a diagram. Some flows of what this thing should look like you know, and it can be very high level not talking about necessarily particular tools at this moment, but just saying you know, I have some source code, I'm doing some stuff.

G

It goes through a process describe what that process. Largely looks like based on a lot of the stuff that we've talked about in the supply chain, security white paper, and it should, you know, create this output, that output being something like a um an artifact, with some level of attestations associated with them and and um a level of provenance and and whatnot, and then from there. I think it'll help us dive in a little bit more to figure out. You know what tools is. This are going to work with this.

G

What what tools will not work with this? The way that they're set up now and what sort of work to um actually start doing.

F

This this is just me, I don't think it. It might turn out to be the case, but I have the presumption that there's going to be a split of a lot of folks wanting to jump into like what's going to be the byproduct of of this supply chain. So we're going to talk about reproducible builds, but should should the machinery should the robots that make up the system, be reproducible.

F

So there's gonna be like a split of dimensions of like yes, we're gonna like try to dictate like the architecture by the outputs it should produce, but there's also a lower dimension of well. What are the attributes of the components that make it up? Should they all all have like commonality of like being the way that we secure these things? We probably don't want to want people like tinkering with a lot of manual configuration and like manual hardening.

F

So what what frameworks can we use to try to make this as intrinsically secure as possible, and that security gets declared up front.

G

Question about that, so are you talking about for the architecture we're describing itself like? How do we approach um building that architecture in a secure way.

F

Yes, exactly because we're calling this a a secure supply chain right, the architecture of a secure, some others have called it a secure software factory right like should that factory have uh a readiness scanner on the front door. uh Should there be like guardrails and fail-safe mechanisms on on the like machinery.

B

Yeah, so I think I think it's a as a principle. It's.

F

When we're.

B

Coming up with this high level action flows, we should consider those things and I think more more is better for now and then this is something that we can take. Take a look at together as a group and then kind of decide um whether it should be whether it should fit in here. Maybe we can put into guiding principles and somewhere else right, but I think what interest is important, where um I think, when we're building these action flows, we should as much as possible take into account. um You know a high level of security.

F

Yeah, like think of it, as as day zero considerations like back in the day like if, if you had conceived this like a decade ago or like two decades ago, you would have come up with a bill of materials of all the hardware to go by, and hardware arrives three months from now in the data center and like ready to like rocket stack and cable it like all those day, zero things uh of how like do.

F

We want to make this like here's, the architecture for like how how you piece this together and then like the day, one and day two of it like how do you configure it and fine tune it and like make sure it it gives you all this like tight, artifacts and like has golden images, etcetera, etcetera, etcetera,.

D

So how about make those, I think those we should make these kind of concerns items on the dock as of right now, because again, this this document can probably be 50 pages long, but we need an action and that's create a reference architecture right. So, let's talk today about what it is. We need to do um chief architect, michael lieberman. What do you think we need to do here, sir?.

G

um My suggestion- and I think I I mentioned it a few minutes ago- is- I would like to just kind of build a diagram with some boxes. Right with you know what this flow should generally look like, because then I think that helps out with some of those other questions we want to answer like okay, how do we secure those boxes? What should go in those boxes? I think um those things uh uh will be useful and also how do we prioritize, which boxes you know, need the most work right now and and whatnot.

F

That's fair, I, I think a useful way to reason about that we'll discuss if we want to make this like as secure by default up front as as we can and that blueprint or or not like we, we don't want people to go. Do this and like get hacked for like having things like wide open.

B

Yeah, so so I'm thinking that, um just to better illustrate this idea right, maybe why don't we um kind of talk about what one of these action flows may look like, and then I think if we can get folks to sign up to start developing action flows for particular aspects of the overall architecture and and sorry. I think that would be a good progress for for the week.

B

uh Michael, do you have an example of kind of like a flow, or maybe we can just start writing one.

G

um Not one I can share right now, um but uh uh hopefully there's something I can share um a little bit in the future. That is relatively generic, uh but um I think we can probably just start. You know getting started there. I think so there are some good um things from the supply chain: security document that can act. As you know, a good sort of baseline for us to sort of you know, base vocabulary on and and those sorts of things, but.

A

It seems like.

G

I'm sorry guys, oh, go ahead, no, go ahead! Good.

A

Bud.

G

Oh, the only thing I was just going to say is that yeah, I I definitely think like you know, I think, the things that we have, for example, from a components perspective right.

G

You know um that's more or less, you know what I'm thinking and somebody correct me if they think that maybe more of an action flow sort of like an actual sort of like a flow of you know, a thing should go here and then here and then here or more of like a architectural sort of like you know, I pull artifacts from here and I do these things and you know I sign this and then push that to that. You know to a build system and you know whatever um I'm open to either.

G

uh Personally, I think the component, one maybe just makes a little bit more sense, but once again I'm kind of I'm I'm open.

D

It seems like we need a poc of some sort using that you know using that diagram as a as a kind of driver. Michael, am I you am I trying my tl dr in that a bit.

G

um What what did that actually stand for sorry, I'm not.

D

I'm sorry like a v1 proof of concept of some sort.

G

Oh sorry, yes, yes, yes, um yeah, no, and it could just once again be very high level um like we're not necessarily saying uh tekton per se. We are saying cicd right, you know um we're not necessarily saying you know, uh I don't know like jfrog artifactory, we're saying artifact repository whatever you know something like like that in in a document, and then um I think, it'll help us sort of uh engage on what are the? uh What are the items that actually consist?

G

You know what what does a software factory consist of, or what does the secure plot supply chain actually consist of at a high level? And then we can start poking around about like what you know. What sort of work needs to be done for the arrows? What sorts of component, what sort of actual tools can be used to fill those boxes? Are there any? You know known general gaps like no tool seems to fit this box and we need to write something or we need to think of another way to do it.

G

I think it'll help us answer some of those questions.

B

So coming back, I'm gonna quote andrew over here we're here to work.

B

So can we have volunteers that wanna kind of help fill in the different um or give some like fill in the components and the actions for particular sub goals so, for example, providence verification things like that.

C

So brandon I'll take the verification of inputs and outputs the action flows for that.

C

You want me to comment there. Okay, are you at it? Thank you.

B

Who's adding stuff to the components. Now that sounds like you're you, you want to volunteer for one of these things.

B

Can we get um other faults they want to determine this.

B

Yeah I printed it, you type you on it. We got the false logins on this one.

B

Okay, thanks everyone for putting your names down.

G

um Do you does anybody think that there there's a need for even the higher level, like um uh just a a uh like some high-level boxes like what um I think it was john posted in in slack there? uh Maybe one level below that of just saying you know a secure um architecture, for this thing is going to require source source code control, it's going to require an artifact repository, um and then we can dive in it's going to require a artifact repository with these sorts of characteristics. That are, I think, more of that level.

G

Downflow of you know from a distribution and storage of artifacts perspective and so on, but even just kind of highlighting some of those boxes, and it's probably going to look very um very generic. Just like you have some source code control. You know you, you pull that down you. um uh You know you run it through some ci cd, you store the artifact in an artifact repository and so on, and then the level down is hey. Yeah the artifacts are getting signed.

G

The artifacts are going through these processes, um because I I do wonder just looking at this um and and somebody correct me uh if they think I'm I'm off base here is I I just do worry that that somebody there's some overlap between these pieces um and uh there's the potential for um people to clobber uh other people's ideas, especially when they they're overlapping, without sort of considering how it fits in the bigger picture.

C

I agree, michael, I think the base of blocking blocks have to be defined and then we can map the flows to those blocks.

D

I think we.

C

Have to.

D

Iterate these blocks and processes every week and again make sure that folks are chiming in this is not like. It's also been a asynchronous stock that you can. You know update as as the time goes as well, um and just I, what I hate to see is only like michael working on the aspects of this right, we'd love to see some some input. So, if you're, not if you're, not comfortable kind of chiming in here, just make sure that maybe either in the slack channel or in the docs a yellow on this.

F

I wouldn't be too worried about duplication uh if it risks. Oh, I don't want to step on on somebody else's toes or what I do my duplicate. What somebody else is working on. If duplication occurs or there's some overlap, we can.

F

We can like massage that a bit or we can, we can trim it down, but if you have thoughts and ideas just like dump those and and we can like structure those as as we go and trim those things, but I think it's good that we that we get a good initial dump also for for the folks that are on the call, I think we, the majority, have been pretty regular on on this call.

F

If, if folks are comfortable I'd rather just do like roll call and say hey, brandon lum, what do you want to work on rather than hey, volunteer yourself or something? If we go one by one and say hey, what would you like to do if anything?

F

This is a proposal.

B

Also, we have quite a we have most of the categories. For that I see some that have multiple. I think, that's fine. um I think you can have a discussion within yourselves, whether you're on the out how to split things or you know. I think, if you have an offline discussion to figure out whether you can agree on some split of the different components or different types of actions or if you want to get together and work on it.

B

That's also fine or we're going to work on this effortlessly and bring to different versions inside as well.

A

Yeah.

F

Make sure everyone gets gets everything uh I'll go through names, as I see them on on my screen, john, I see your name is down there. Already street pod sounds like you picked something as well uh priya uh your name is there? Is there something else you wanna you wanna take on.

H

um I agree with that, and I did I don't know if michael wants any help with kind of creating a high-level diagram, but if he does, I would be open to volunteering on that as well.

F

Amazing love it go for it uh axel.

F

What do you want to work on man.

A

Yeah um I'm happy to try and help on the on the problems. Part the sort of s-bomb build steps.

F

Okay, perfect uh michael leverman, our chief architect, I think you're going to be providing oversight across the board.

G

Yep and um I'm also as far as like specific stuff, I've done a lot of work with. um I have done a lot of work with securing build environments themselves, so I'm also comfortable with taking a little bit more of a deeper dive there. But uh if somebody else wanted to take that one I'd definitely be willing to sort of you know, somebody else can take it fantastic.

F

Brandon mitchell, what do you want to work on.

A

Stuff that I want to work on is um not finished yet, and so it's like the container image signing and the artifact stuff there's still notary. V2 is still in work. Artifact, spec and oci is still in work, so I'm not sure how that's going to apply to us since it's still being developed on the other side.

F

Gotcha.

F

Yeah, that's that's a good.

A

One to.

F

Think through.

A

Yeah, but on the good news, michael knows where to find me, so I'm going to be involved in doing stuff behind the scenes, no matter what.

F

Yeah things things there are super fluid I've been trying to keep. My finger on the pulse uh would be good if we like could, even if, if you're up and close to it, if you could write some language around it like hey, this is rapidly evolving, uh keep an eye on like this three things for like these three repositories.

F

If, if you provide like an explanation of of the direction things are heading, I think it will help shape shape this up nicely like what what special considerations to pick to pay to whatever and end ups become ends up becoming uh the signing and verification, spec or standard an implementation go with it. Yeah, marina.

I

I.

F

See I see your name on action flows, components. um What else do you want to work on.

A

I was thinking that, like the distribution um piece, so software distribution kind of yeah, but um from signing to all of that piece which I think is pause and get that piece there.

B

Okay, so I have a small request here. I I know that on the consumption artifacts by runtime, I know that in total kind of has a pretty unique view on this, as well as it has a kind of mature.

B

Taught about this as well, so I'm wondering if either uh would you or anyone that you know on your team.

A

Is it here um he might be good at that or I'm also happy to take it so.

A

I'm also happy to do it. I don't want to volunteer you, but.

H

I actually signed up for the prominence of build artifacts and verifying inputs and outputs stuff, but I think that also comes with play. So oh yeah.

F

You're getting well and told any chance you can, you can give it like a once or twice over beyond uh verification of inputs and outputs sure for sure awesome yeah, maybe give it a review.

F

Sweet thanks, marina uh claus mar nice to see you here.

A

Yeah thanks thanks for doing that. So I'm this is the first meeting, so I'm still trying to wrap my mind around this. uh So I don't know. Maybe next time I see what's going on and I see what I can contribute. Does that make sense.

F

And and he had reached out inquiring around uh introducing spire attestations.

A

Right right, so we are evaluating and looking at uh building and workload at the station that actually validates and verifies the outcome of the signing and all the build process and how to integrate that with the runtime attestation process for for workload whenever they are fetching an svid. So that's what we are looking for. Okay. Thank you. I like that.

F

Perfect uh someone just wiped it off. Oh yeah. I wrote it down.

B

I moved it down because it's yeah it's a component. Okay,.

F

And I'm happy to to work with, uh probably cole kennedy would be, would be a great person uh and I'm happy to to jump in there with you as well, and help explore that.

I

Perfect.

A

Thank you awesome.

D

And and uh andres anything in this document that says run time, I'm literally tagging myself so I'll handle anything. That's runtime.

F

Yes,.

B

Let's do it so andrus. um Can you shut up, um or at least like um figure out the organization for the storage and distribution since there's a lot of people there yeah um and then for the providence? I think they're, the one providence for build artifacts. I can create a chat with everyone and we can figure out how we're going to split that as well.

F

We got a a few more folks, uh andrew block, uh very acquainted and familiar with your work nice to have you here, uh you're a super power. What do you want to work on.

I

I wouldn't mind working on the the cicd pipeline um components. It wasn't the bottom of the define section, I'm not on the dock. It's further down. I thought csd pipeline security. Okay, you got it. I can I, but I can certainly provide input anywhere, but that's kind of an area that I would I'd like to work on.

F

Sweet, well, you you own that part and feel free to shuffle as as needed.

D

Deep dish pizza for you for getting that accomplished, he's from chicago you all it's a little joke! Everyone smile.

I

There's this thing called um uh bar style pizza, which people don't know about it's thin crust in chicago.

D

I hear you talked to uh jim from cockroach about that he's. He's literally wrote a blog post about it all right. Moving on off pizza back to uh software supply chain,.

F

Yeah, alexander marshall, another another super power, you're you're, a jack of all trades, and thanks for keeping us in line with the the prior effort in making sure it's coherent with that. um What do you want to work on? I see you like as being able to contribute across the board.

A

Alex sorry, I had to find the mute button. um I I I put my name down around the dependencies question and I'm also happy to help um with uh michael on the sort of high level diagram. If he's looking for more help on that, um and then I will just kind of jump in as um as I see places where I think I might be able to contribute sweet.

F

Amazing, gary yang hello, buddy. How are you.

A

Good I have myself set on distribution storage. I uh have limited bias, so I'm hoping to contribute where it makes sense.

B

So we are, we are going to be our time. Sorry, I'm interested! I may not be.

F

Able to one last person who is actor: hernan, fernandez, okay,.

H

uh Yeah, um I also have a limited bandwidth, but I would like to help whatever you decide or otherwise, uh on verification of inputs and outputs, um but yeah. It's the first time joining the meeting, we'll be happy to help any help. Anyhow,.

F

Welcome we're happy to have you on board, so just.

B

Wrap.

F

This up.

B

Yeah so quickly, logistically, I think we'll create threads for each of these topics within the main slack channel. um Like, like um john said, you know, let's try and keep everything public as possible, uh so others can chime in. um Let's see where we are next week. If we feel like it's useful to spend the time to just do some work, we can have some breakout sessions for next week's meeting. Instead.

B

Sound good.

D

Well done brandon lum, not mitchell. Well, you did good too, as.

B

Well, well done all friends all.

D

Brandeis are good today, deal.

B

All right thanks, everyone.

B

You.