From YouTube: CNCF Security TAG Supply Chain WG 2021-07-29
A
I'm going to show the doc in the chat. For the sake of photo tracking, let's put names down as well, for the meetings and the attendance.
A
Awesome. I think we have most people on the call, so I think let's get started. So today's agenda is: we're gonna go through announcements, and then we'll do some check-ins on what people have been up to with the reference architecture, and then we'll go through some of the material of the reference architecture diagram. There seems to be quite a lot of discussion within that thread, so we'll aim to spend about 15 minutes for that, and then for the rest of the time, I think we want to spend a bit of an opportunity to go into breakout sessions to work on the specific areas, and we will figure out how we're going to do breakout sessions and get that. I tried to do Zoom one, but I don't have permissions to do it, unfortunately. We'll figure it out.
A
So I'm gonna put the meeting link in the description again, the chat. Please put your name down. Cool, so quick announcements. Ava has shared a landscape document that she's been working on for the software supply chain.
A
We will be taking a look at that tomorrow, and, you know, this, we'll also socialize that to see whether other folks want to come in and take a look at that next week as well. And next week we are planning to have the outline basically pretty much done, and so it will be a review on all the different components and all the different fields that we've come up with. Ava, do you want to give like a quick minute rundown, teaser trailer for y'all documents?
B
Sure, thanks. So as I've been diving in this space and chatting with folks across a bunch of different companies and multiple foundations, everyone gave me a different perspective, which has been lovely, but also felt a little bit like we're all in the dark, touching an elephant, describing different parts of it. And before I start writing any code, I felt like I wanted to understand, even if it helped nobody else, but it sounds like it will help others.
B
Lexical analysis of why all the different projects are valid and valuable, and how they might integrate with each other or support each other in different configurations. And since each project that I've listed so far, it solves part of the supply chain puzzle, but no one project solves the entirety of it, and there, I'm sure, are valid reasons for each of these projects to exist.
B
It's not necessarily relevant to what the technology is, but it provides a little bit of a backstory to why I wanted to understand what everyone's doing and what products are going on, and then I got a little bit of a proposal down at the bottom. The main document, analysis document, the synthesis section at the end is mostly full of to-dos. I'm hoping to fill that in through discussions, whether as a group or one-on-one.
B
Once we all kind of see what the landscape looks like. There's one example of this under "Mapping the domain right now: formats, artifacts and tools". That's the name of the link, and this is just a, I'll drop the direct link in chat, one possible presentation of a lexical description of the domain. And I'd love to see other ideas that folks have been working on, or even have ideas, and I'm happy to do the work to draw it and flesh something out, of what are other ways.
A
Awesome, thanks Ava. Yeah, well, let's do a deep dive next time, brown, and then we'll get other folks as well. I think I wanna have, some of the folks are also working on the cognitive security landscape as well, so you can look and see whether we can help include some of the work there as well.
B
I'd love those contributions. Any discussions or debate around some of the hypotheses I've got in here, I'd love that as well. If you want to do it in the doc or you want to just DM me on Slack, that's great. And then if you have a proposed mapping or a synthesis, I think that'd be good for discussion, so you're welcome to add it to the doc, and we can talk about it next week.
A
Great, so, let's, I'm looking forward to that, and I think a lot of the content there will also educate the work that we're doing for the reference architecture as well.
A
So thanks again for go shoes, just do quick check-ins: if you've been working on something, you want feedback on some of the things that you've done, or just quick update on what's going on. So I'm gonna start by pointing the finger at Michael. Michael's...
E
Sure, yeah, two updates from my side. One is the OpenSSF, which is our, you know, partner foundation here, part of the Linux Foundation. They are also doing some work with supply chain security. They wanna, obviously they wanna collaborate with us a bit more. They're looking, maybe in, I believe, on August ninth.
E
Yes, August 9th at 10 a.m. Pacific time. I think that they're looking to, the OpenSSF planning committee wants sort of just a brief overview of the work we're doing as part of the CNCF.
E
So that's just something to throw out there. This literally came in, I guess, last night. But yeah, there's a lot of organizations working on this, which is why I think what Ava's doing is really great as well, because I do think that there's a lot of folks all working on different pieces, and we do want to sort of make sure that at least we're all largely aligned to the same sort of thing, even if not doing the same specific thing. So that's one update.
E
Cool, yeah, yeah, I can do that. And yeah, so on my end, there's a few folks who mostly attend the OpenSSF stuff, but what was the, oh, the second update is first regarding SLSA, so...
E
I reached out to the SLSA folks, which are also part of the OpenSSF, though right now mostly Googlers, reaching out to them a bit about how we can increasingly collaborate, and also sort of expressed a little bit of, you know, not a massive concern, but there is, you know, after having spoken to a few people in the community, there is a concern that it is a Google project, right? You know, it is, there's a concern that is very much being pushed to, you know, for Google, a potential Google agenda. But like, regardless, like, hey, if we can get something that's more of a governance around it and something that is clear that, oh, this is actually going to be community driven, then I think it's going to be a little bit of an easier sell to the community and other folks. So that's another thing that I've been starting to discuss.
D
Breakthrough one, the one I'm less worried about the governance, I'm more about like, hey, how adopted and validated this has been.
E
Correct, and I think that's the sort of thing that we're trying to also, or I would love to get more involved in, is, you know, hey, I recognize that this has worked internally well for Google. There are some stuff there where, hey, it's not going to work for everybody, so we do want to make sure that if, let's say, the general approach that they're taking seems like the general approach, and just my personal opinion, it seems largely reasonable.
E
I think that there's some specifics, and then there's some other pieces in there that I feel like need to be a bit more focused or more generic or whatever, and some of those things want to work with them on, because yeah, I agree, like, you know, for my day job, it's hard for me to, you know, to go to somebody and say, hey, we should adopt this standard that so far nobody else has adopted.
E
That's going to be a hard sell, but if they start to see, you know, there is a governance there, there are people contributing to it, there seems to be a lot of movement in the area, they're going to be saying: okay, yep, we're maybe not going to say officially we're adopting it, but we can at least take a look and start to see, you know, at least kind of put that as a goal to eventually adopt it. Yeah.
A
All right, if not, let's go ahead with the architecture diagram. So let's aim to spend about 15 minutes on this, get some clarity, get some new exercises for this, and then we go ahead and go to the breakout sessions. So there was a lot of chatter in the thread on the reference architecture.
F
I can share a little bit. I, all I really did was create a very basic flow chart based on the white paper that we produced, the supply chain best practices paper, just trying to break it down into sort of a, you know, a visual flowchart form. There's not a lot of detail in that chart. Here, let me see if I can grab the link for it and share it with everybody real quick, so that folks can see if...
F
I don't know if I have permissions to share the screen, but I will drop this link in here. I'll... who does have permissions, wants to share it, feel free. Yeah. So, it's, like I said, this is not going to win any design awards. This is not, this is like a very, very basic flowchart sketch here, just trying to take what we did in the paper and put it into something that we can follow.
F
The main data point on here that I tried to put in was a distinction between places where we're defining sort of some basic expectations.
F
You know, so, for example, for a source repo, that commits will be signed, that there won't be force merges, or whatever those were, some of those sorts of things that we talked about in the best practices paper. But we're not prescribing, like, oh, you should store your repos in GitHub, or you should use, you know, AWS Code, whatever the heck it's called these days. We're not, we don't, like, that sort of detail level we're not worried about, but we're setting some sort of basic expectations around "here are some of the best practices for this", versus areas where we, in my understanding, are making more specific recommendations: here are the tools we think people should use, here are the alternate tools if you don't want to use those, and sort of putting a more specific workflow together. So that was sort of my understanding of where we stand, and just trying to put a visual on that to lay out the big buckets of concern. But, like I said, this was just meant to be a conversation starter, and it's pretty basic stuff.
G
I have a suggestion, and that is: have you seen the DoD's DevSecOps paper? They have like a generic reference architecture too. We wish we can compare notes and see where we can supplement this with that.
B
I think something like this is a decent entry point for a paper, but each of these nine steps probably deserves its own deep dive. One thing I've observed is this: this problem space is fractal. Each one of these, the closer you get to it, the further the edges of securing it move away from view.
E
Yeah, you bring up a very good point there, and totally agree. And I think the idea here was, you know, each box, or even sometimes even the arrows between the boxes, could become their own things.
E
I think the thing that we want to make sure of is that, because, as you mentioned, I think that's a very good way to describe it, since it is fractal, a lot of these things, it's like, if we think, you know, because it's supply chain, you need to think about the whole thing as well as each individual piece, which is huge for us, because, like, the thing that I think we've recognized a few times is, you know, people sort of focus purely on, you know, securing the build, but they don't think about: well, are you securing the inputs of the build, and are you securing how you're downloading them? And so we want to be able to paint a reasonable picture that sort of highlights that, hey, you need to think about this holistically. There's always going to be some level of trade-off, but at the end of the day, you know, assuming you sort of are following these practices, you should be getting an artifact that you can, you know, trust within some confidence.
C
Yeah, I think one more thing is: we can add these provenance collections across this, across basically the end to end. The work that pe has been doing with chains and everything, that collect the provenance of, when the task finishes, you have this cryptographic signature of what tasks actually produce this artifact, and basically provide the attestations going forward, right? That can be the underlying fabric across the, from basically code, all the way to the testing and everything, to the container.
E
Yeah, I mean, that's definitely the key piece here, I think, and I think that's one of the principles in there about, you know, provenance. The only thing I just want to also make sure is clear, because I think some folks have also gotten a little confused by it in the past, was that there is also an element to trusting the provenance, right? Like, you...
E
If an individual, let's say, Tekton task was compromised in some way, then you're still, you know, it's still potentially following the same pattern. You're just signing something that was compromised, and so you have to kind of also still have the same sorts of, you know, secure build processes, secure CI/CD processes, right?
A
I like this diagram in terms of like how it's kind of playing things like the high level. I think probably what we can do is we have the various subtopics, right?
F
Yeah, I think what I heard when Michael brought the idea of making this diagram last week was that we wanted something just to sort of, that we could look at to make sure that the different topics that we're breaking out weren't missing, that we didn't have gaps in our plan.
G
So essentially, these are building blocks, right? And we'll drill down into individual blocks with more details and controls that we want to lay out. Is that okay?
E
Yep, and the only thing just to kind of make sure, add on there: while still keeping the big picture in mind, right? You know, as an exam..., once again, as a quick example, like, yeah, if we're using in-toto, we're probably going to use in-toto across the whole thing, but we're also going to specifically look at how we use in-toto in each of the boxes.
H
To me as well, that's something I was just going to add, is that, I mean, very similar to what you're saying, Michael. Well, I really like what you're saying over about the fact, the fractal nature of it. It's a very good way of looking at it, and you can sort of drown in the details, and each of them is a rabbit hole. But thankfully there are also some tools we're going to be able to reuse.
H
I mean, I think, like, as you were saying, in-toto covers some of the ground, but for, even, I mean, I've worked on Keylime, so it comes to mind to me often, but that's one way of making sure, like, you know, you're booting, you're bootstrapping a node that you can have relatively high confidence in, and you can use that in different parts of the process to think: my build environment, well, if it's loaded with, on a Keylime machine, probably more secure. Same thing for the bit, you know, for the putting in production, like, oh well, it's on a Keylime machine, to find more secure, so stuff like that. Like some tools we can reuse. So you got to still keep in mind the big picture and sort of not too much in each of the boxes, but yeah, I think everybody here has got that in mind. So.
B
Yeah, yeah, so, and where did the es apply in this diagram? Do they apply in all boxes or in some boxes? I can envision this as sort of: here's your high-level overview, and for each of these you can drill down into what technology building blocks you need to make that component secure, that step secure, and then what options you have for each of those security components.
A
So, let's try, and so we want to get to that. But before we get to that, I think we have to, so, we've defined already the different areas, and so the idea is that we will have these groups drill into what are the different components, about the different technologies from the components, and so on, right? So that would be... I know there's a lot of excitement around, you know, mapping it, the real technology, is getting closer to like something real that we can execute on.
A
So I wanna, so I'd say: let's take the next step. I think that it would be a good idea to split this architecture up for now in terms of the different high-level areas, and then this will give some direction for the different groups that are working on the different big topics to start producing smaller...
A
This is the injection of libraries and so on. Verification input, outputs: this is more unlike code scanning, image scanning. We are securing the build environment, so this is, you know, attacked on, you know, Keylime, the stuff that we talked about. We have distributions and storage of artifacts and registries, distribution and so on, and then with the consumption, which is the runtime side of it.
C
I guess the provenance for build artifacts would kind of cover mostly the entire middle section, because you probably want provenance across, like, it's, I guess it does cover like a few different boxes. Like, you'd want the provenance to describe the entire build system you're running in, every single step that you run, so that could include the test and the build. It's like, in general, like, that middle section in the diagram, I think it will cover. And then you'd also want to include information about the source repo in that, a little bit of the pre-built as well.
A
Right, I think the idea behind this is that these would kind of be in sequence, right? So we would say, like, this is about really verifying the provenance for it, and this would be like, well, this isn't necessarily in order, but there will be some overlap, and that's where, like, we will make the transition to say: okay, now you have provenance for dependencies, you're gonna take all these, all the metadata and all the SBOMs that come with it, and this is how you produce a new artifact.
D
Well, to make it further or worse, if you put in binary authorization into the picture, then it also covers all of the, right, so, and it's also cyclical. So rather than trying to like just shove it into a particular section, we can talk about provenance and do like our own diagram that all relates to this. Maybe it creates grace out or highlight some sections over the others, but maybe we want to take a different approach. Or, like, you have one idea, Brandon, some others have other ideas.
A
We have to change my screen sharing, one second. Yeah, I don't know how big my screen is. So, okay, no, so yeah, one second.
A
So I know there are multiple things. I think the main thing I want to get is, you know, we've been kind of doing this in circles. I want to try and get something in, and then, you know, not everything that we end up doing here, it's going to be the final, and so the shamrocks are good.
E
One other quick thought on that, and why I think it makes sense to kind of have those two things be separate, the provenance for build artifacts and the ones for dependencies, is: I think the build artifacts are largely things we ourselves can do. You know, we are pretty much, you know, if we are controlling what's happening and how it gets built, yeah, we get to control all that sort of stuff. And then the provenance for dependencies, I think, is a little bit, we can't control. We might be able to provide suggestions, like, you know, oh, if you can pull in the source code directly and compile it yourself and store it yourself. But there's inevitably going to be a lot of different trade-offs and a lot of different other things that we're just going to have to say: hey, when, you know, considering these things and pulling in dependencies, here are the trade-offs you need to make when you don't get to control whether or not the vendor or the open source provider is giving you an SBOM, right?
A
I'm gonna also add a section over here. It's called overall, like, security principles, and I think this could kind of fit in. It's a good introduction as well, as people are, like, you know, enter, and provenance is important, and then you'll be seeing things like these appear across the different boxes as we're moving to things, right?
C
So in the first one, the provenance of build artifacts, right, do you also want to cover the provenance of our pipelines? Right, because that is, like, CI/CD pipeline is technobase or the database, right?
C
All these cs, typical csv vulnerability scanning and everything.
C
So I think, if we had in these, in the later bullet-defined components of supply chain, there was one section called securing CI/CD pipeline. That is essentially talking about securing the, if you are talking about security as core, right, we want to ensure that our pipelines, that they've been secure.
A
So this specific, I think, discussion is around the scope of this, but I'm fine, okay, right, so maybe for now just put build plus CI/CD environment. That's...
D
Fair, but we are conflating the strategy of how to come up with content with the actual brainstorming of things, and we already have like people for the sections where we could break out and let them, like, free-form come up with things without the balance of the diagram, and then we work with it, rather than constraining it up front.
A
So why don't we do this now? I think we have three big sections with groups of people. We have provenance of their artifacts. We have, I split this up earlier, problem: distribution of storage, artifacts, virulence for artifacts, verification inputs and outputs. There are overlaps with people on the various topics. That's why it just shows these three topics, so that there's enough representation.
A
Pick and, like, note down what you think is relevant for that particular topic and the particular story, and then start coming up with some flows, some action for those, you know, what the kind of like more detailed drill-down views of this different components under different boxes. Does that sound good to everyone?
A
For how long? Till the end of the call.
A
As a lead, Michael, you wanna be the lead for the provincial artifacts? Sure, yeah. And then aratna and I did, yeah, I think, I, right now. Can you set up a call for that one?
A
Yeah, so I will, I'll try and bounce between rooms to just see whether there's any, just, there's consistency around what everyone's doing, just to make sure that we're not going into crazy directions. And so, if anyone else wants to contribute to these, just put the name down here. Can you, android mic and right now, can you create like a either Google Meet or Zoom link or something and paste it in the channel?
H
Yeah, so how do we, we will get this info, like, by the Slack threads? There was a thread for each of these, so yeah, let's, or just maybe just in the Slack main room, just might be easier.
A
Yeah, let's just do it in the Slack main room, and then we can delete the messages later if it gets too messy, and also update the document with the link here. That would be helpful. So let's do that now. We can stay on the power until all the rooms are set up.
A
Let me try and see what I can do: one fo, well, y'all. How do I Zoom?
A
All right, who wants this meeting room that I created?
G
So Brandon, we might have to get disconnected here.
A
Okay, yeah. Do you put in the, can you drop the change up in the side channel as well, and then I will...
A
Or just send a message to move the link as well document, just in case other people want to join here.
A
Okay, yeah, Mike, see whether that works for you.
A
Yeah, all we have to do is get it right after this describing our experience.
A
Yeah, he put it in the zag channel. I'll paste it here.