►
From YouTube: CNCF Security TAG Supply Chain WG 2021-09-02
Description
CNCF Security TAG Supply Chain WG 2021-09-02
C
C
D
C
E
C
D
E
E
And
there's
michael,
I
see
him
just
popped
up
in
the
in
the
chat
list
cool.
I
think
enough.
Folks
are
here.
I
think
I'll
be
doing
a
little
bit
of
the
talking
today,
but
I
think
ed's
going
to
also
do
a
chunk
of
the
presenting
we've
been
poking
at
this
idea
of
get
bombs.
E
I
don't
know
I'm
still
letting
my
morning,
coffee
settle
in,
I'm
gonna
drop
a
couple
links
in
chat
here.
E
I
think
ed
will
run
through
a
presentation,
and
I've
got
a
sort
of
the
beginnings
of
a
white
paper
on
this
and
what
we're
really
looking
for
is
feedback
and
collaborators
who
wants
to
work
on
this
with
us
who
wants
to
come
tinker
and
hack
on
it
and
I'll
probably
have
a
bunch
of
comments
both
of
us
might
at
the
end
of
this,
of
who
else,
we've
socialized
it
with
just
yesterday,
I
met
with
some
of
the
oci
folks
about
getting
the
compatibility
of
this
idea
with
containers
seems
to
fit
pretty
well
so
ed,
I'm
gonna.
B
Sure
so
we're
gonna
be
talking
today
about
a
git
bomb
which
is
sort
of
an
attempt
to
get
to
a
verifiable
artifactory.
It's
particularly
useful
for
enabling
launch
time
security
scanning,
but
it
can
be
used
for
a
whole
variety
of
things.
I
wanted
to
briefly
stop
and
call
out
you
know
ava
black
and
frederick
house,
who
are
collaborators
that
I
have
in
this
particular
endeavor,
so
really
quickly.
How
many
of
you
folks,
like
the
unix
model,
quick,
show
of
hands?
You
know
they
basically
build
a
tool.
That
does
one
thing.
B
Well,
that
can
be
you
know,
strung
together
with
other
tools:
okay,
good,
fantastic
you're,
gonna,
love.
This,
then
because
it
does
exactly
one
thing.
So
this
is
a
security
crowd,
so
I'm
sure
you're
familiar
with
the
colonial
pipeline
hack.
That
happened
recently
in
the
resulting
cyber
security
executive
order
in
the
united
states
that
came
down
that
was
primarily
focused
on
two
things.
B
One
was
zero
trust
networking,
the
other
one
was
s-bombs
or
software
bill
of
materials,
and
so
when
this
sort
of
landed,
s-bombs
became
a
hot
topic
again
and
usually
when
you
look
at
sort
of
what
people
are
doing
with
software
bills
and
materials,
they're
building
some
sort
of
a
tree
where
they've
got
some
artifact
that
they're
talking
about
and
then
a
whole
bunch
of
metadata
about
the
artifact
and
artifacts
can
be
things
like
executables,
dotto
files,
source
code
files,
class
files,
you
know,
containers,
they
come
in
all
kinds
of
shapes
and
flavors
and
they
typically
have
all
kinds
of
different
ways
they
get
identified
and
then
metadata
is
stuff
like
okay.
B
What
vendor
did
you
get
this
from?
What's
the
release
version?
What's
the
contact
information
give
me
licensing,
information,
copyright,
information,
etc,
etc,
and
they
usually
get
built
out
sort
of
this
way
in
a
tree,
and
there
are
a
few
competing
standards
in
this
area:
suid
spdx,
cyclin,
dx,
I'm
mostly
familiar
with
spdx.
B
I
used
to
work
with
those
folks
way
back
in
the
early
days,
which
is
kind
of
how
I
got
this
thinking
about
this
again,
and
so,
when
thinking
about
this,
like
this,
this
kind
of
a
thing
when
you've
got
a
tree
with
metadata.
It
gets
a
little
bit
of
mess,
get
a
little
bit
messy
for
a
variety
of
reasons,
and
so
often
when
faced
with
hard
problems,
I'll,
try
and
take
inspiration
from
very
simple
systems
that
are
powerful,
which
is
sort
of
how
I
got
thinking
about
get
again.
B
So
how
many
folks
are
familiar
with
git
internals
like
what's
actually
going
on
inside,
get
okay?
How
many
folks
are
aware
that
git
is
actually
an
object,
data,
an
object,
store
masquerading
as
an
scm,
okay,
good
and,
and
so
basically
git
says.
Okay,
I've
got
objects
and
it's
got
a
very
simple
object:
format,
there's
some
kind
of
a
type,
a
space
the
size
as
an
ascii
string
base,
10
of
the
content,
a
null
character,
and
then
it's
content
now
some
interesting
things
about
this.
B
B
And
then
you
could
take
this
git
object,
the
header
and
the
contents,
and
you
apply
sha-1
to
it
and
you
get
a
git
ref
and
the
git
ref
gives
you
a
almost
certain
to
be
unique
identifier
for
the
array
of
bytes.
Now
we
all
know
that
hashes
in
principle
can
collide
all
hashes
can,
in
principle
collide.
B
B
Also,
probably
some
of
you
are
probably
jumping
up
and
down
screaming
right
now
in
your
heads
about
shawwan
and
the
shattered
folks
and
the
fact
that
they
claim
to
have
broken
it.
And
yes,
they
have
in
fact
demonstrated
that
in
a
pdf
in
which
you
have
infinite
flexibility
to
introduce
junk
data,
you
can
in
fact
very
expensively
break
sha-1,
but
there's
a
lot
more
structure
to
this
than
what
you
get
in
their
example.
B
That
makes
it
enormously
harder
to
actually
break
git
ref
and
I'm
aware
of
no
actual
demonstrations
of
breaking
git
rough
or
anybody
even
getting
close
at
this
point.
But
then
that
result
is
you
get
this
40
character,
byte
string
of
which
we're
usually
familiar
with
the
first
seven
or
20
bytes?
Frankly,
and
of
course,
when
you
look
at
blobs,
as
I
said,
that's
just
a
bite
array
now
the
interesting
thing
to
really
keep
in
mind
here
is
it's
the
content
of
the
files.
This
does
not
include
file,
name
or
path
information.
B
It
does
not
include
mode
information,
it
does
not
include
any
metadata,
it's
just
the
contents,
so
any
file
anywhere
with
the
same
contents
will
have
the
same
blob
object
now.
This
is
really
important
when
you're
building
an
artifactory,
because
when
you're
building
an
artifact
tree
where
that
file
happens
to
be
located
is
metadata
about
it.
It's
not
actually
a
fundamental
thing
about
what
gets
built
into
it.
B
Then
it
doesn't
actually
matter
that
we
were
in
different
home
directories
when
we
built
it
in
terms
of
all
the
characteristics
around
vulnerability,
information,
licensing
information
and
everything
else
that
you
actually
care
about
with
an
spom,
and
you
know
so.
Basically,
this
is
a
super
important
and
useful
characteristic
of
get
lobs.
B
B
That
was
the
first
realization.
The
second
realization
is,
you
got
to
separate
the
metadata
from
the
artifactory,
and
the
reason
this
is
crucial
is
that
metadata
can
vary
independent
of
the
artifact
tree
I
mentioned
before.
For
example,
there
are
people
who
want
to
put
contact
information
into
the
metadata
for
the
artifact
tree.
Well,
when
you've
got
companies
that
are
providing
support
for
things,
I
may
send
you
exactly
the
same
artifact
from
cisco
that
you
got
from
yoyodyne,
but
we
may
have
entirely
different
contact
information.
B
So,
just
to
sort
of
give
you
an
example
of
what
I
mean
by
artifact
trees,
because
pictures
help
a
lot
of
people
right.
This
is
sort
of
a
familiar
one
from
the
sea
world.
Right,
you
get
a
bunch
of
dot
c
files;
they
pull
in
a
bunch
of
header
files,
those
get
compiled,
2.0
files,
which
are
another
node
in
the
tree.
Those
get
linked
together
into
an
executable
so
like
this
is
sort
of
the
hello
world
of.
How
do
you
think
about
this?
The
c
case?
B
Now,
of
course,
you
can
get
more
complicated.
You
can
say
well
what,
if
I've
got
static,
libraries
that
I'm
linking
in
right?
Well,
that's
actually
not
so
hard,
because,
again
c
and
h,
files
get
linked,
auto
files
in
the
case
of
the
static
library,
those
get
linked
into
a
dot
a
file.
When
you
build
your
executable
from
a
static
library,
you
link
the
dot
a
file
into
your
executable.
It's
still
a
tree,
and
you
still
have
these
artifacts
that
are
all
bytes.
B
One
that
gets
really
fun
is
running
executables
because
oftentimes,
at
least
in
the
sea
world,
when
you
have
an
executable
you're,
not
actually
really
executable
by
yourself.
You've
got
a
link
in
shared
shared
libraries,
but
again
these
are
just
things
with
their
own
artifact
tree,
and
so
you
can
actually
reason
about
the
running
executable
tree
independent
of
the
executable,
because,
for
example,
it
may
be
that
this
executable
is
vulnerable
with
particular
versions
of
a
shared
library,
but
not
with
others,
and
so
in
terms
of
reasoning
about
vulnerabilities
at
runtime.
B
You
actually
care
about
the
running
x,
running
artifact
trade.
B
This
also
works
for
other
languages
go,
does
something
very
similar
with
autofiles
and
they
files
java,
albeit
slightly
boring,
compiles
java
files
to
class
files
and
rolls
them
up
into
jars.
B
Python
is
extremely
boring
in
this
regard,
because
py
files
get
compiled
to
pyc
files,
and
then
they
all
get
dynamically
linked
at
runtimes.
You
you
in
python
you're
always
dealing
with
the
runtime
artifact
tree,
and
I
can
literally
go
on
and
on
like
every
single
example,
I've
looked
at
has
something
that
looks
like
this
that
can
fit
into
this
particular
approach.
B
B
B
You
know
a
new
line,
blob
space,
the
get
ref
of
artifact
five,
a
new
line.
You
keep
going
down
the
line
and,
of
course
you
want
everyone
to
come
to
the
same
conclusion.
So
you
lexically
order
this,
but
it
turns
out
to
be
really
easy
to
lexically
order
this
and
arrive
at
the
same
answer
any
time,
you're
compiling
four
and
five
into
two.
B
And,
of
course,
you
can
do
the
same
thing
exactly
with
artifact
three
to
get
its
get
bomb
file
for
artifact
three
and
then,
where
things
get
fun
is
artifact
one,
because
artifact
one
has
children
artifact
two
and
three,
but
they
also
have
children.
So
how
do
you
capture
the
treeness
of
this
and
the
answer
is
and
for
those
of
you
who
play
with
merkel
trees?
None
of
this
is
rocket
science.
B
You
simply
say:
look
if
you're
an
artifact
that
has
children
who
themselves
have
children,
then
you
start
the
same
way.
You
know
basically
blob
space
in
the
get
rid
of
the
artifact.
That's
your
immediate
child,
but
then,
if
your
immediate
child
has
itself
a
get
bomb,
you
simply
say
bomb
space
and
the
get
ref
of
the
get
bomb
of
that
particular
child.
B
So
now
these
git
bump
files
now
describe
the
tree.
You've
got
a
very,
very
simple
format
for
how
to
deal
with
these
and
because
we're
lexically
ordering
so
we're
going
to
get
this
the
same
way.
Every
time
I
can
tell
looking
at
this
particular
bomb.
You
know
I
I
can
basically
tell
if
you
give
me
the
collection
of
the
git
bomb
files
that
I've
actually
got
a
tree.
It's
the
same
method
with
merkle
trees,
that's
used
by
git
itself
to
make
sure
that
you
actually
are
getting
the
code
that
you
expected
from
a
particular
commit.
B
Then
you
could
have
all
of
your
metadata
reference
either
the
artifacts
by
their
git
ref
or
if
they
need
to
reference
the
parent
child
relationships
by
the
get
ref
of
the
git
bomb
for
that
parent-child
relationship
right.
So,
if
you
want
to
say,
okay,
artifact
7
is
a
source
code
file
that
is
the
source
of
a
known
cve.
B
You
can
reference
that
as
metadata.
If
you
want
to
say,
artifact
6
is
actually
licensed
as
gplv3.
You
can
reference
that
as
metadata,
and
this
way
you
can
actually
have
all
kinds
of
independent
reasoning
about
metadata,
both
in
s-bom
formats,
but
even
also
in
other
places,
because
the
artifact
tree
gives
you
a
skeleton
to
put
all
of
that
stuff
on
by
the
way.
Stop
me
at
any
point.
Folks.
If
you
have
questions,
I
love
questions.
B
Okay,
so
the
really
cool
part
about
this
is
the
fact
that
metadata
references
into
the
tree
is
that
it
turns
out.
This
means
that
git
bomb
is
compatible
with
the
other
s
bomb
approaches
already
in
the
world,
because
all
of
them
allow
some
form
of
external
identifier
that
you
can
use
to
reference
things
and,
and
so
don't
think
of
get
bomb
as
a
competitor
to
the
existing
s
bomber
approaches,
because
we're
not
they're
doing
way
more
stuff
than
we're
doing.
Remember
we
love
the
unix
model.
B
All
we're
doing
is
building
an
artifact
tree
with
very
high
precision,
we're
actually
complementary
to
all
of
these
approaches,
as
well
as
a
bunch
of
other
things
you
could
choose
to
do
in
the
future.
B
So
this
is
where
we
get
really
fun,
because
now
that
we
have
a
git
ref
for
the
git
bomb
for
a
particular
artifact,
we
can
ask
ourselves
it's
small,
it's
literally
20
bytes
in
size.
Where
can
we
stick
it
where
we
can
always
find
it
and,
of
course
the?
Where
do
you
stick
it?
Where
you
can
always
find
it?
Well,
of
course
you
stick
it
in
the
artifact.
B
B
Okay,
that's
cool,
so
l
files.
This
is
fairly
easy
and
it's
actually
also
cheap.
It's
sort
of
going
to
cost
you
about
89,
bytes
per
executable,
and
while
the
iot
people
there
do
exist,
people
from
89
bytes
is
a
stretch.
That's
not
most
of
us
ar
files
they're.
Basically
things
like
that.
A
files
also,
I
think
it's
devs-
are
also
done
as
dot
a
file
ar
files.
You
can
simply
embed
the
git
bomb
identifier
into
an
archive
entry,
name,
dot.
Bom.
B
You
can
play
the
same
game
with
general
artifact
files,
your
general
archive
files,
the
same
thing
can
be
done
with
annotations.
In
java,
in
pyc
files,
the
python
community
could
choose
to
adopt
an
understore
underscore
bomb
that
gets
computed
by
the
python
compiler
we're
looking
at
container
images,
there's
actually
space
in
the
manifest
for
annotations.
B
B
This
is
a
very
doable
thing
and
then,
of
course,
the
question
is
who
embeds
that
get
ref
into
the
artifact
and
of
course
the
natural
answer
is
let
your
compilers
and
linkers
do
it,
and
the
reason
this
is
the
natural
answer
is
particularly
if
you've
ever
had
the
misfortune
of
trying
to
figure
this
stuff
out
from
c
your
compilers
and
linkers
are
the
people
who
authoritatively
know
what
child
artifacts
are
being
built
into
the
new
artifact
because
they're
writing
the
new
artifact,
and
so
that
becomes
a
very
easy
method
and
it
also
becomes
a
very
transparent
method.
B
Because
then,
if
I
sit
down-
and
I
write
a
program
in
c
and
I
haul
out
a
git
bomb
enabled
lvm
and
I
build
it,
everything
is
get
bombed
right.
So
if
this
moves
its
way
into
the
compiler
linker
chain
and
a
variety
of
people
have
expressed
interest
in
doing
so,
then
you
sort
of
have
this
coming
through
with
great
fidelity,
relatively
free
and.
E
E
It
is
the
authoritative
reference
and
also
the
amount
of
effort
it
would
take
to
convince
every
software
developer
out
there,
a
project
out
there
to
change
their
ci
system
or
process
or
remember,
to
run
an
extra
step
after
their
build
is
exponentially
larger
than
the
number
of
compilers
out
there
that
we
could
go
work
with
typically
compiler
folks
are
also
much
more
concerned
about
security
and
doing
this.
Well,
it's
just
a
much
easier
surface
area
to
go.
Get
this
work
done!
B
Yeah,
the
other
thing
that
I
found-
I
I
at
one
point
was
quite
close
to
a
group
of
folks
who
were
basically
looking
at
out
looking
after
the
build
for
a
piece
of
software
that
had
about
3000
developers
working
on
it,
so
industrial
grade
software
and
that's
where
I
basically
learned
that
you
can't
trust
anyone,
but
the
compiler
linker,
because
they
were
highly
motivated
to
extract
this
information
and
a
whole
bunch
of
other
information
about
the
builds
in
a
reliable
way.
B
And
you
know
if
you
started
talking
to
them,
you
got
an
endless
assertion
of
corner
cases
where,
if
you
wanted
the
compiler
a
linker
for
this,
it
broke
down
and
broke
down
badly,
and
then
I
sort
of
hum
a
few
bars
about
how
you
might
you
know
one
of
the
ways
you
might
propagate
this
forward
through
the
tool
chain
so
that
you
can
move
the
breadcrumbs
forward
and
collect
them
at
the
end
of
building
an
artifact.
But
I'm
not
going
to
spend
too
much
time
on
that
right
now.
B
B
That's
been
signed
by
the
vendors,
so
they
I
know
that's
the
artifact
I
got
from
the
vendor,
then
I
can
look
in
that
artifact
and
I
can
see
the
get
bomb
ref
in
that
l
section
of
that
executable,
for
example,
and
then,
if
I'm
given
something
that
purports
to
be
the
get
bomb,
I
can
know
specifically
whether
that's
actually
the
get
bomb
or
not
because
tampering
with
the
git
bomb
would
change
to
get
rough
and
therefore
tell
me
that
I'm
not
getting
the
information.
I
thought
I
should
get.
B
So
distributing
git
bombs
also
becomes
super
easy.
You
can
literally
just
do
it
by
simple
static
pattern.
You
know,
example:
dot
com,
slash
bomb,
slash,
ref,
the
get
ref
of
the
artifact
could
give
you
the
you
know
the
git
bomb
file
that
you're
looking
for
or
they
get.
You
know
the
you
could
do
it
by
you
know
you
could
ask
for
a
fully
resolved
version
with
all
the
get
bombs
of
all
the
children.
You
could
also
ask
for
metadata
about
a
particular
git
ref,
so
it
all
becomes
fairly
referenceable
in
a
static
pattern.
B
E
Imagine
at
container
launch
time
opa
being
able
to
express
a
policy
that
says
cross-reference
the
get
bomb
of
this
container
image
against.
You
know
all
the
all
the
hashes
of
all
the
things
in
it
against
this
list
of
known
vulnerable
packages
and
if
you
find
any
matches
block
the
launch
of
that
container,.
B
B
Unfortunately,
food.c
has
been
copied
everywhere
across
the
known
universe,
because
it's
bsd
licensed
it's
a
single
file.
It
works.
Nobody
really
has
to
deal
with
it.
Much
imagine
being
able
to
now
see
that
food.c
has
been
built
into
things
in
the
artifact
tree
of
that
thing.
That
ava
was
just
describing
that's
enormously
more
powerful
than
just
packages.
F
I
I
think
I
would
have
a
question
just
about
how
willing
the
the
the
folks,
who
are
sort
of
managing
the
vulnerability
databases
to
include
some
of
these
things
that
I
think
one
of
the
big
issues
we've
seen
is
that
you
know
implementing
any
sort
of
change
like
that.
You
know,
like
often
I
think
cves
are
mostly
just
focused
around
packages
and
also
not
really
including
a
lot
of
metadata
where
sometimes
it's
like.
Actually,
this
package
doesn't
include
this
vulnerability.
B
C
E
B
I
mean-
and
please
also
note-
and
I
do
want
to
distinguish
this
strongly
from
scanning
tools,
because
scanning
tools
are
usually
trying
to
rummage
through
data
and
figure
things
out,
and
if
you
actually
use
scanning
tools
in
a
lot
of
these
environments,
you
often
get
a
lot
of
false
positives
that
are
difficult
to
sort
through.
It's
very
easy
for
them
to
miss
things
here,
we're
talking
about
providing
a
high
fidelity,
high
precision
picture
of
the
artifact
tree,
and
it's
not
so
much
of
a
matter
of
scanning.
B
Yeah,
the
other
one
that's
actually
kind
of
nice
about
this
is
in
talking
to
folks
who
are
interested
in
being
able
to
disclaim
vulnerabilities.
You
can
attach
the
disclaimers
to
artifact
refs
as
well.
So
if
take
my
apocryphal
food.c,
that
has
a
bunch
of
you
know
really
useful
crypto
implementations
in
it,
but
it
turns
out
that
it's
one
function
in
particular
that's
the
source
of
the
vulnerability.
B
B
That
simply
says.
We
know
we
have
this
file,
it's
vulnerable.
If
you
call
this
function,
we
have
looked,
and
we
do
not
call
that
function
and
therefore
we
disclaim
actually
having
this
vulnerability
simply
because
we
we
are
building
this
violet
and
that
gets
to
be
a
huge
operational
issue
if
you're,
actually
a
vendor
who
ships
software,
because
how
many
folks
actually
ship
software
that
industrial
scale
on
this
call.
B
I
think
you
might
have
vulnerability
your
cvex
for
a
variety,
whatever
reason
and
the
thing
is
even
if
you've
actually
been
really
on
top
of
your
game-
and
you
know
you
don't
the
means
by
which
you
communicate
this
to
your
customer
is
incredibly
expensive
because
it
usually
turns
into
support
calls
simply
being
able
to
mechanize
this,
not
only
in
terms
of
how
you
publish
the
information,
but
in
a
way
that
your
consumers
can
mechanize
their
consumption
of.
It
is
a
huge
win
for
everybody.
B
So,
as
I
mentioned,
there
are
other
uses,
not
just
vulnerability
stuff.
I
think
ava
mentioned
assassination
with
opa.
I
love
that
use
case.
A
lot
there's
also
a
lot
of
interesting
stuff
that
can
be
done
around
forensics.
B
B
I've
got
people
that
I'm
dealing
with
internally,
who
are
very
interested
in
repeatable
and
verifiable,
builds,
and
so
getting
that
high
fidelity
artifact
tree
picture
is
the
huge
win
for
them
on
repeatable
builds
because
the
first
question
about
reputable
builds
is
why
exactly
do
you
believe?
That's
the
same,
build.
B
So
questions
discussion,
feedback.
F
Now
this
looks
really
cool,
definitely
interested
in
understanding
a
lot
more
about
this.
I
know
there's
like
several
projects
out
there
that
are
starting
to
do
use,
merkle,
trees
to
start
to
sort
of
either
build
s-bombs
or
better
trace
the
understanding
of
of
the
supply
chain
it.
Actually,
I
guess
my
first
question
is:
is
there
any
sort
of
have
you
written
any
code
for
this
sort
of
thing
yet,
or
is
it
mostly
conceptual
right
now.
B
So
I
I've
started
hacking
a
bit
on
code.
I've
just
become
deeply
delusioned
with
the
fact
that
goes.
Elf.
Parser
is
only
a
person,
not
a
writer,
so
I'm
fixing
that
I've
started
writing
a
little
bit
of
toy
code
and
I've
got
several
folks
who
are
looking
at
various
compiler
implementations.
I've
had
folks
have
taken
a
look
at
lvm
and
gcc.
It
appears
to
be
eminently
doable
there
and
there's
some
interest
in
upstreaming
in
that
direction.
E
Looking
at
rust
and
dot
net
c
sharp
as
well,
there's
already
similar
work
as
far
as
generating
the
bomb
in
the
compiler
itself
for
net.
So
there's
definitely
interest.
We
don't
have.
I
don't
have
running
code
either
right
now,
but
all
in
the
code
for
this
needs
to
end
up
in
a
bunch
of
different
compilers.
E
So
I
think
the
first,
the
first
piece
of
code
to
write
is
just
going
to
be
an
example
of
building
these
the
git
bomb
documents
and
the
hashing
in
this
format
working
out
the
api
for
it.
E
F
Well,
yeah,
I
don't
know
if
this
tool
might
be
useful,
but
I
did
post
it
in
chat.
There
is
the
the
folks
from
nix
wrote
a
thing
called
patch
elf,
which
is
a
tool
that
they
use
to
sort
of
deterministically
link.
F
You
know,
since,
since
they
are
trying
to
take
the
hard
path
of
literally
compiling
everything
from
scratch
and
making
sure
that
they
can
deterministically
sort
of
link,
everything
to
just
their
specific
shared
objects
and
libraries,
but
it
could
prove
to
be
interesting,
so
I
just
figured
I'd
throw
that
out
there.
I
I
know
very
little
about
it
outside
of
that
they
use
it.
B
Yeah,
so
that
that
that's
actually
fascinating
because
it
sort
of
gives
you
it
it
gives
it
gives
a
starting
point
to
sort
of
because
you
you
drew
it
into.
B
I
know
much
more
about
elves
than
I
intended
to
know
because
at
some
point
I
had
somebody
who
was
mumbling
darkly
about
sizes
of
things,
so
I
went
through
and
actually
figured
out
the
size
count
on
what
it
would
take
to
insert
into
elf
binaries.
So
yeah.
E
D
A
E
B
Yeah
you,
the
the
the
the
real
goal
here,
is
essentially
to
get
to
a
point
of
thoughtless
ubiquity,
because
engineers
are
lazy,
it's
what
we
pay
them
for.
E
E
A
You
can
also
ping
oci
and
ask
them
if
they
want
to
add
a
name
under
their
namespace
and
they
would
document
it
and
that
that
point
you're
now
verified
so
multiple
ways
to
go
down
that
path.
B
Yeah-
and
this
is
actually
super
helpful,
because
the
thing
is
one
of
the
nice
things
about
talking
to
people
at
this
particular
stage
of
the
process.
Is
you
get
a
lot
of
good
feedback
that
you
can
incorporate
into
things
going
forward
because
we
do
wind
up
with
better
stuff
together
than
a
part?
B
The
other
thing
that's
going
to
be
super
interesting
here
is
that
how
this
gets
embedded
into
a
particular
artifact
is
going
to
be
a
little
bit
bespoke
to
the
kind
of
artifact
you're
talking
about
right.
I'm
not
going
to
stick
an
elf
section
into
a
container
image
because
it
doesn't
have
l
sections
and
the
what
constitutes
an
artifactory
is
also
going
to
be.
A
little
bit
spoke
to
languages.
B
You
know,
python
is
not
going
to
have
got
h
files,
for
example,
but
part
of
the
goal
here
was
to
have
a
single
single
way
of
doing
this.
That
is
so
freaking
simple
that
everyone
can
use
it
productively,
sort
of
back
to
the
unix
model.
When
I
commented
at
the
beginning,
you
know
one
thing
that
one
thing
does
something
super
super
well
simply
and
links
with
other
things.
That's
the
whole
goal
here:
it's
ambitiously
unambitious.
What
we're
doing.
E
This
seems
to
answer
a
chunk
of
that
in
a
really
concise
way,
in
terms
of
how
how
to
write
about
it
in
a
reference
architecture
document
not
sure
yet.
But
I'd
love
to
I'd
love
help
getting
this
added
to
the
build
tools
and
added
to
the
paper
talking
about
how
it
can
be
used
in
whether
it's
you
know
container
image,
registry
or
container
build
chain.
C
A
So
I've
got
two
questions
coming
off
of
this
one
is
we
talked
about
having
the
linker
throw
this
in,
like
the
elf
header
stuff,
like
that,
are
we
in
any
way
verifying
that,
or
are
we
just
assuming
that
we're
now
trusting
the
linker
to
do
the
right
thing.
B
That
you
should
trust
your
compiler
for
those
of
you
who,
I
think
it
was
pike
who
wrote
the
paper
about
that.
E
Exactly
so,
there's
a
actually
a
counter
to
that.
I
link
it
in
the
hackmd
that
you
all
have
access
to
diverse
double
compiling
the
phd
thesis
from
david
wheeler.
E
A
Yeah
as
not
so
much,
I
think
that
we're
going
to
get
a
malicious
compiler
breaks
everything,
but
more
that
if
the
compiler
is
fed,
maybe
bad
data
or
somebody
just
influence
a
broken
version
of
this
or
somebody
just
reruns
the
same
build
with
stale
data
every
single
time.
It
forgets
to
update
this
one
field:
there's
no
hard
link
in.
E
There
that
requires
is
there,
so
so
this
is
not
s-bomb
data
in,
in
the
sense
of
all
of
that,
metadata
of
you
know
the
file
path
or
who's
doing
the
build.
What
system
it's
on?
That
is
the
kind
of
thing
that's
often
captured
in
a
more
robust
s-bomb.
That's
not
captured
in
a
git
bomb.
Git
bomb
is
just
the
artifacts
that
go
in
and
come
out.
E
So
there
is
nothing
that
can
be
stale
about
this,
like
if
you've
got
an
old
header
file
or
an
olds.so
that
you're
linking
in
well,
your
binary
is
going
to
have
that
in
it.
It's
it's
not
stale
metadata.
It's
a
stale,
build.
B
Yeah,
the
the
point
about
steel
metadata
actually
gets
to
some
one
of
the
reasons
why
separating
metadata
from
the
artifact
tree
is
a
really
important
thing,
because
you
could
issue
a
corrected
s-bomb
that
points
to
the
same
artifactory
and
say:
oh,
wait.
Crap,
we
forgot
to
update
this
metadata
without
invalidating
your
artifact
tree
at
all.
Right,
you
can
say:
oh
wait.
B
We
we
forgot
to
update
some,
you
know
licensing
information
or
some
vulnerability,
information
or
some
other
piece
of
metadata
about
it,
because
the
thing
that
we're
actually
going
through
and
validating
in
git
bomb
is
the
artifact
tree.
The
metadata
is
declarations
about
the
artifacts
and
the
relationships
in
the
tree
and
it's
entirely
possible
to
not
only
update
those
without
invalidating
the
tree.
B
That's
perfectly
valid
because
the
artifact
trees
are
the
same
if
the
byte
array
is
the
same
and
the
metadata
can
be
different
if
it's
coming
from
different
suppliers,
and
this
allows
us
to
reason
about
certain
kinds
of
things
that
are
crucially
important
to
separate.
B
There
are
two
kinds
of
data
that
I've
seen
people
co-mingle
on
this
one
is
commingling
the
identity
of
an
artifact,
in
other
words,
what
it
is
with
its
location,
in
other
words
where
it
is
because
if
I
have
the
same
artifact
in
two
different
places,
it's
still
the
same
artifact,
the
other
one
that
I
see,
people
co-mingle
is
commingling
an
artifact
identity
with
the
artifact's
providence,
meaning
if
I
got
it
from
hp
versus
getting
it
from
red
hat.
B
A
A
Yeah
I'm
just
looking
at
where
the
borders
are
and
where
we
need
to
potentially
add
security
or
where
this
covers
us,
and
so
I'm
just
kind
of
drawing
those
lines.
So
the
hash
we're
going
to
get
out
of
this.
It's
just
a
single
hash.
It's
not
the
whole
tree
itself,
and
so
you
need
that
pointer.
Going
back
to
you
know
some
gif
on
database
of
some
kind
out
there
that
says.
Okay,
this
hash
you've
got
represents
this
entire
tree
of
data.
A
B
That
that's
so
part
of
it
is
that
we're
going
to
discover
better
practice
as
we
go
along,
so
you
don't
want
to
make
too
much
into
the
initial
notion
right.
So
when
I'm
talking
about
distributing
git
bombs,
I
expect
to
see
best
practices
emerge,
but
I
don't
think
that
when
specifying
git
bomb
you
want
to
be
pedantic
about
what
that
should
be.
So
take
this
slide
as
a
suggestion
more
than
anything,
but
because
the
things
you're
talking
about
are
entirely
because
the
things
you're
talking
about
are
basically
entirely
identifiable,
but
they
get
refs.
B
You
could
literally
just
put
up
a
static
sub
domain
if
you're
a
vendor
where
people
can
go
grab
this
information,
you
could
also
see
people
scraping
those
and
putting
together
more
centralized
databases
for
you
to
go
run
against
you
could
easily
imagine
you
know
somebody
like
github
collecting
data
around
things
like
this,
for
their
releases,
for
example,
and
publishing
that
as
part
of
your
release,
all
this
stuff
becomes
doable.
B
We're
sort
of
in
an
interesting
place
regardless
with
regard
to
this,
which
is
a
whole
lot
of
stuff,
is
mechanically
possible.
We're
going
to
have
a
whole
lot
of
fun
figuring
out.
What's
wise.
A
Yeah,
I
guess
where
I'm
going
with
that,
and
maybe
it's
just
that
there
needs
to
be
that
single
source
out
there,
like
a
github.
That's
doing
this,
for
us
is
that
if
I've
got
a
single
binary,
it
may
have
come
from
hp.
Do
I
know
to
go
to
the
hp,
git
bomb
server,
to
look
this
up
versus
someone
else?
Maybe
they
repackage
the
binary
from
someone
else,
and
so
do.
I
know
which
server
to
go
ping,
that
on.
B
Yeah,
no,
absolutely
and
there's
some
interesting
stuff
in
there.
Git
bomb
itself
is
not
explicitly
trying
to
solve
the
distribution
problem.
We're
trying
to
make
solving
it
easy,
if
that
makes
sense
by
having
bite-sized
chunks
that
better
in
standard
formats
and
like
I
said
because
your
question
is
in
fact
a
really
good
question.
I
sort
of
hum
a
few
bars
on
the
slide
about
distributing
git
bombs,
sort
of
as
a
solution
exists
humming,
but
I'm
by
no
means
saying
that
this
particular
distribution
solution
is
the
optimal
one.
B
I
think
will
be
interesting
to
see
what
sort
of
settles
out
with
it.
The
other
thing
is
the
git
bombs
will
tend
to
be
very
small
and
light
because
they're
a
very
fixed
structure
of
a
very
small
size.
So
I
also
don't
expect
them
to
be
super
expensive
in
terms
of
carrying
that
stuff
around.
B
F
Yeah,
I
think,
there's
another
thing
that
I
think
has
been
brought
up
a
couple
of
times
in
these
discussions,
which
is
when
it
comes
to
a
lot
of
these
things.
F
You
know,
there's
inevitably
going
to
be
areas
where
you
know,
if
you're
talking
about
open
source
right,
it's
going
to
be
easy
to
audit,
like
the
build
of
open
source,
can
be
easy
to
audit
that
yes
you're
generating
valid
sorts
of
things,
but
I
think
some
folks
have
kind
of
also
brought
up
that
there
is
the
potential
for
saying
hey
if
some
of
these
things
start
to
get
encoded
in
I'm
trying
to
think
of
of
a
good
term,
because
I
know
standard
is
overloaded
and
yeah
yeah
but,
like
I
don't
want
to
it's
a
simple.
C
F
Yes,
yes,
but,
but
I'm
saying,
like
you
can
potentially
sort
of
require
vendors
to
have
audits
that
somebody,
a
third
party,
is
saying
yep.
We
believe
your
build
system
is
generating
reasonable
s
bombs
here
that
we
are
signing
off
on
that
and
then
be
able
to.
It
would
be
useful
to
better
to
understand
how,
like
some
of
those
out
of
band
attestations
could
also
be
potentially
coming
in
there.
Where
somebody
third
party
has
come
in
and
said,
I
am
certifying
that
vendor
x
is
doing
the
right
thing.
E
So
having
vendors
provide
attestations,
they
have
inspected
something
they've
audited,
something
they
approve
of
something
yes,
absolutely
as
gets
at
the
beginning.
Following
the
unix
model,
git
bomb
is
trying
to
do
one
thing
and
do
it
well
and
not
solve
that
problem.
There
are
other
proposals
for
how
to
distribute,
attestations
and
audits
that
could
usually
reference
a
git
bomb
and
say:
yes,
we've
audited
this
git
bomb
at
this
time
by
this
vendor.
On
this
platform
it
is
trustable-
and
here
is
the
window
of
time
for
which
this
certificate
is
valid.
B
I
mean
it's
interesting
because
there's
a
lot
of
creative
things,
you
can
do
around
the
skeleton
because
again
get
bombs
not
doing
very
much.
It's
sort
of
doing
one
simple
thing
and
your
idea
actually
is
close
to
one
that
I
that
it
occurred
to
me,
which
is
how
many
folks
have
actually
been
involved
with
acquiring
a
software-based
company
like
the
due
diligence
process.
B
So
one
of
the
things
that
almost
always
happens
is
you
go
get
a
third
party
auditor
who
to
whom
the
the
company
you're
looking
to
acquire
sends
their
code
for
all
kinds
of
hygienic
examination.
B
Now
you
don't
get
it
as
the
potential
acquirer,
but
the
third
party
that's
going
to
do
the
hygienic
examination
say
for
things
like
open
source
contamination.
They
get
the
code
and
there's
there's.
I
think
one
dominant
vendor
in
this
space
that
I'm
aware
of
there
are
probably
others,
but
you
could
actually
accentuate
that
process
by
saying
look:
okay,
you've
been
you
know
you,
the
company,
that
I'm
trying
looking
to
acquire.
You
keep
publishing
executables
and
they
have
git
bomb
reps,
so
we're
going
to
give
those
git
bomb
refs
to
the
source
code.
B
Auditor
and
now
we
can
actually
check
to
see
if
you're,
actually
giving
the
source
code
auditor
the
code
that
you
really
built
into
the
executables
you've
been
shipping.
B
Oh
so
typically
you'll
take
if
I'm
a
company
x
that
is
looking
to
be
acquired
by
big
corp
right
and
I
will
send
my
big
corp
will
say:
I
want
to
make
sure
I'm
not
buying
something.
That's
so
gpl
contaminated.
I
can't
use
it
right,
so
big
corp
will
turn
to
auditor
x,
will
send
their
code
to
auditor,
and
auditor
will
go
through
the
code
and
produce
some
kind
of
report
about
open
source
usage
and
possible
contamination.
B
This
is
because
you
know
little
company
x
doesn't
want
to
simply
give
their
code
to
big
core
they're
legitimate
concerns
with
that.
If
this
becomes
common
practice,
little
company
x
has
been
selling
their
product
that
has
get
on
refs
in
it,
at
which
point
the
auditors
can
look
at
the
get
bomb
rest
in
the
executable
that
were
being
shipped
historically
by
company
x
and
say:
okay,
the
source
code
you
gave
us
doesn't
match
those
get
refs
those
git
bomb
trees.
E
The
previous
idea
for
vendors
of
open
source,
pro
or
vendors,
who
are
taking
open
source
and
wrapping
it
in
a
service
agreement,
makes
a
downstream
consumer
of
that
have
better
tools
to
be
able
to
audit
what
they're
receiving
and
say.
Hey,
you
told
me,
you
were
you,
know
rolling,
kubernetes
together
in
this
way,
but
the
hashes
for
the
thing
you
sent
me
don't
match
the
git
bomb.
For
the
thing
you
said
it
was.
C
B
So
other
questions,
ideas,
other
stuff.
E
I
guess
I'll
I'll
pull
andre's
question
back
a
little
bit.
The
the
content
of
this
meeting
stream
is
focused
a
lot
around
producing,
hopefully
a
white
paper
or
reference
architecture
for
the
cncf
supply
chain
work.
How
would
we
best
integrate
the
what
ed
and
I
just
shared
today
into
that
work
stream
in
the
timeline
you
all
have
given
that
we
don't
have
running
code
for
this
right
now?
F
F
With
that
said,
I
think
some
of
the
concepts
here
are
definitely
things
we
might
cite
in
sort
of
the
future
work.
That's
you
know
that
that
we
think
is
coming
out
and
I'd
be
interested
with.
You
know
some
of
the
folks
who
are
very
focused
on
the
notary
and
sick
store
stuff
right,
like
some
of
that,
like
how
do
you
see
all
of
this
kind
of
coming
together
and
and
and
where
do
you
see
that
synthesis
I'd
be
interested
in
hearing
more
thoughts
from
from
other
folks?
On
that.
E
And
that's
just
a
clarification.
I
believe
notary
v2
already
supports
everything
we
need
for
this.
A
E
So,
let's
I
would,
I
would
say,
let's
get
that
in
if,
if
at
all
possible,
let's
get
it
in,
at
least
as
an
example
to
say:
hey
here's
how
you
could
embed
a
get
bomb
metadata
into
your
your
artifact
annotations,
your
container
annotation.
B
Yeah,
so
the
the
the
final
question
I
want
to
ask
is
because
every
time
I
I
talked
to
a
new
group
of
folks
about
git
bomb
and
I
think,
davis
had
the
same
experience.
We
discover
another
set
of
folks
that
we
should
be
talking
to
about
gitbang.
D
Well,
tying
it
back
to
the
paper.
I
think
the
papers
can
give
you
reach
to
a
broader
audience.
We
do
have
dedicated
assignees
for
it
for
the
different
areas
we
can
help
you
identify
who
those
are.
I
don't
know
if
it'd
be
prudent
at
this
point
in
time
for
to
say,
hey,
we're,
opening
up
the
doc
to
you.
Try
to
slot
this
in
here
or
wedge
it
in
or
that,
as
michael
pointed
out,
it
we're
cutting
it
a
little
bit
close.
D
B
Yeah
and
that's
fair-
I
mean
I,
I
have
a
basic
principle
that
I
live
by,
which
is
no
unnatural
acts.
I
try
and
avoid
asking
encouraging
or
even
having
people
mistakingly
commit
unnatural
acts
on
my
behalf
and
your
basic
statement,
which
reads
true
to
me
sort
of
says:
look
we're
not
going
to
go,
commit
a
natural
acts
in
this
process
around
git
bomb,
and
I
am
a
million
percent
behind
that.
D
D
C
A
I
wanted
to
make
sure
we
got
that
in
you're,
asking
who
else
in
the
one
name
that
came
to
mind
for
me
was
like
the
open
ssf.
So
if
you
haven't
already
pinged
them,
they
might
be
worth
chatting
with.
A
E
It's
such
a
long
list,
though
I
mean
people,
keep
adding
more
to
it
every
week.
I
turn
around
there's
new
contributions.
Thank
you
by
the
way
to
those
of
you
here,
who've
been
adding
to
it,
but
oh
yeah.
C
A
D
C
Cool
sorry,
one
quick
request
in
terms
it's
a
bit
housekeeping.
Almost
I
was
looking
at
the
the
no
for
the
meeting,
and
one
thing
that's
lacking.
Maybe
for
newcomers
is
at
the
top
sort
of
a
clear
indication
of
what
the
current
goals
of
the
working
group
is,
because
you
can
land
in
the
document
and
sort
of
try
and
catch
up
on
all
the
notes,
but
it
would
just
be,
I
think,
convene
to
have
a
bit
at
the
top,
like
you
know,
we're
working
on
getting
this
document
out.
C
You
know
here's
where
you
can
contribute
or
somehow
that
I
was
looking
through
it
earlier
and
couldn't
quite
find
something.
E
Yeah
at
the
moment,
contributing
to
this
is
talking
to
me
or
ed,
or
somebody
else
involved.
We
have
not
set
up
like
a
separate
organization
for
it.
C
Yeah,
sorry,
sorry,
my
point
was
more
general
to
the
whole
working
group
not
specifically
get
bomb,
though
it
would
be
also
interesting
for
git
bomb.
Obviously-
and
I
I
guess,
you'll
reach
that
point
in
time-
it
seems
like
it's,
you
know
quite
new.
Also
it's
really
cool.
So
thanks
a
lot
for
presenting
but
yeah.
My
my
point
was
more
about
the
the
working
group
in
general.
F
C
All
right,
no
as
well
I'll,
have
a
I'll,
try
and
looks
better
through
the
document
and
if
I
can't
find
any,
if
I
can't
find
it
I'll
just
you
know
ping
some
of
you
but
yeah
no
worries
I'll.
Do
it
then.
D
We
have
five
minutes
left.
Do
we
want
to
wrap
with
git
bumps
and
talk
a
little
bit
about
administrative
things
and
timelines?
How
we're
tracking.
D
You
have
if
you
could
share
the
the
link
to
the
slides
I'll
post
a
recording
later
today
and
I'll
make
sure
to
include
the
slides
there
and
we'll
promote
it
to
our
channels.
Thank
you
very
much
great
presentation.
So
michael
yeah,
as
you
were,
saying,
we're
trying
to
target
kubecon
for
a
published
draft
open
for
comments.
D
A
Just
looking
back
the
document,
knowing
that
I
have
some
updates
in
there
too,
so
I'll
get
it
as
fast
as
I
can
for
my
part,
but
yeah
don't
wait
up
for
me.
I
guess
it's.
The
key
detail.
F
But
from
my
end,
just
to
kind
of
highlight.
C
F
Cool
from
from
my
end,
yeah,
I
think
things
are-
are
really
starting
to
come
together.
The
only
part-
and
this
is
also,
I
think,
the
weakest
part
from
my
perspective
just
like
from
sorry,
my
understanding
is
just
around-
I
think
some
of
that
sort
of
like
how
do
we
distribute
identities
and
yaya,
and
how
does
that
all
sort
of
look
inside
this
inside
the
big
picture?
F
F
Anybody
have
any
thoughts
around
any
sort
of
big
gaps
that
they
think
that,
like
are
missing
here
that
like,
if
we
were
to
say,
hey,
you
know
other
than
outside,
of
like
filling
in
some
details.
Is
there
anything
that
they
think
we
can't
possibly
have
be
securing
a
supply
chain?
If
we're
not
doing
this
thing
or
if
we're
not
talking
about
this
thing,
is
there
anything
that
folks
think
is
still
sort
of
like
a
huge
gap.
F
Hoping
silence
is
a
good
sign
there
it.
If
that's
the
case,
do
we
think
that
in
general
the
scope
is
now
pretty
decent
that
we
haven't
kind
of
like
you
know,
because,
because
assuming
all
those
things,
I
think
one
of
the
other
things
that
we
probably
want
to
start
working
on
is
just
talking
a
little
bit
about
what
the
reference
architecture
actually
gives
you
right
like
assuming
you
follow
this
reference
architecture,
here's
the
sorts
of
things
that
you
could
expect
us
minimum.
F
You
know
that
that
that
helps
lowering
that
these
are
the
sorts
of
risks,
that
the
reference
architecture
will
help
lower
these
the
sorts
of
attacks
that
this
helps
mitigate.
F
Well,
I
I
think
that
there
are
definitely
things
that,
like
at
the
end
of
the
day,
I
don't
want
to
say
guarantee,
because
when
it
comes
to
any
of
these
things,
right,
like
I
think,
as
we
sort
of
talked
about
right,
if,
if,
if
somewhere
down
the
line,
even
if
you
did
all
these
things
and
it
turned
out-
you
know
somebody
compromised
intel
chips,
yeah
you're,
probably
still
you
know,
you
can't
necessarily
trust
that.
So
I
think
the
thing
here
is
like
you
know,
one
is
temper.
F
Expectations
like
we
might
be
able
to
say
this
is
a
guarantee
within
this
sort
of
general
framework,
but
I
don't
think
we
can.
Specifically.
You
know,
I
think,
when
it
comes
to
you
know
most
security
things
very
few
people
are
guaranteeing
stuff
they're,
saying
we're
minimizing
these
sorts
of
risks.
Where
you
know
that
kind
of
thing.
D
D
D
D
So
we
we're
like
at
this
point
where
well,
we
think
we're
we're
covered
on
like
the
minimum
viable
architecture
for
a
secure
supply
chain.
At
least
we
think
so
we
want
to
test
that
assumption,
so
we
want
to
float
a
very
early
rough
draft
that
we
have
for
you
to
poke
holes
at,
and
the
other
thing
we
want
to
do
next
is
like
well,
we
want
to
talk
about
the
security
of
this
architecture
as
a
whole,
which
is
what
michael
was
talking
about
like
talk
about
talk
about
risk.
B
Yeah,
well,
I
absolutely
cannot
guarantee
time.
I
have.
I
definitely
have
interest,
and
I
also
have
history
because
I
was
building
s
bombs
in
07
at
industrial
scale,
in
order
to
be
able
to
track
a
number
of
considerations,
and
I
was
involved
in
the
very
early
days
of
speediac.
So
I
understand
a
lot
of
the
history
of
that
stuff
and
I
also
understand
really
really
well
how
these
things
actually
break
down
and
the
places
where
they're
actually
real
and
where
the
theater
and
there's
a
lot
more
theater
than
anyone
needs
to
talk
about.
E
D
E
F
Yeah,
I
was
thinking
maybe
starting
off
funneling
through
you,
ava,
where
it's
like.
If
there
are
specific
people
who
are
like
oh
yeah,
I
have
a
ton
on
that.
Then
we
can
add
them
in,
but
I
think
to
start
off
like
not
sort
of
send
it
out
a
huge
blast.
Unless
there's
like
specific
people
who
who
have
a
lot
to
sort
of
contribute,
no.
D
One
one
other
thing
on
just
like
housekeeping
of
the
dock:
we're
trying
to
keep
comments
to
a
minimum
suggestions
are
preferable.
D
Okay,
if
you
have,
if
you
have
trouble
with
something
the
way
it
is
expressed
or
you
think
it's
like
there's
not
like
high
fidelity
or
like
technicality
to
it
and
you
you
can
take
a
step
at
like
expressing
that
better
or
more
accurately
just
go
for
it
so
kind
of
like
the
question
or
the
commentary
doesn't
arise
in
first
place.
E
Okay,
so
suggestions
preferred
to
comments.
Is
this
the
only
meeting
discussing
the
doc
and
is
it's
the
right
slack
channel
to
you
know,
go
back
and
forth
in
questions
on
the
dock?
If
I
or
ed
have
any.
F
There
is
a
so
specifically
for
that
we
we
can
introduce,
we
can
invite
you
to
the
the
the
ref
architect
arc
writers,
room.
F
Yeah,
so
that's
like,
like
very
specifically
about
you,
know
different.
You
know
comments
about
like
hey.
Does
this
make
sense
in
the
doc
yeah
yeah
general
supply
chain,
stuff
or
keeping
in
the
other
room?
So
I
can
invite
you
both.