From YouTube: CNCF Security TAG Supply Chain WG 2021-09-23
A
Yeah, so I think in the Chains we know, right, it is basically doing a great job in collecting the provenance of individual tasks, and in this we are basically saying that, when the pipeline's execution starts, we need to collect the evidence from the event, when the event was created, starting with the event payload capture, that event payload. Whatever parameters you pass to your pipeline and task, they get passed properly, so essentially when we collect the provenance, we collect it end to end.
D
Sorry to jump in, I just got here: are we talking about Tekton Chains? Yes.
A
Yeah, so the proposal that we have submitted recently, I put it on Jane's channel as well, yeah.
B
Yeah, great update. So, well, great turnout. I see everyone who's been working hard at this, all of those who spend a lot of time, probably like Alex and Priya, you're among the two who have done the most in the apps and, in the absence of Michael, I would defer to you: like, what do you see us missing, like how?
B
Where do you feel like we're at at this point? Like, you have a better sense of gap analysis and you're also going to be the ones talking at KubeCon about it. So I know you feel a sense of urgency because you want to be able to have stuff to talk about in the show, so Priya, Alex.
D
I think so. Our talk is actually pre-recorded, so we submitted it last week, but we basically were hoping that the draft of the reference architecture could at least be out for, like, public review and public comment by KubeCon. So I don't know if anyone has, like, an idea, like, if they think that would be possible or not, but I think because we kind of were recording the video the past couple weeks.
E
I think, I mean, I think that it depends on what we are intending to have available for public comment by KubeCon. So I think we have, because the document is sort of broken up in sections that are, you know, it's kind of a funnel that's getting more and more specific as we work through the document. So we have, you know, the first section, which I feel like is in pretty good shape.
E
It needs a little bit of refining, but I think it could be ready for people to start looking at and commenting on in a few weeks. That section is, like, here's the theory of what a software factory looks like, right, and then it gets progressively more sort of, and then here's, you know, how you actually build it as we go down, right, and so I think, like, depending on where we want, like.
E
If what we want is to say, you know, here's the theoretical sketch and we want people to comment on that and give feedback on that before we get too deep into the weeds of implementing this thing, I think we could have that ready to go in a couple of weeks or in a few weeks. Not, you know, 100% ready to go, but ready enough that we could invite people to start putting extra eyes on. Does that make sense?
B
Don't add extra stuff there, maybe like a once-over, so when we do get a review, like, people can address more the substance rather than "hey, you have a typo here, you have a grammatical error," so we can just tie it in like a very light, like, editorial, not even editorial, but let's lock that theoretical sketch. Do you think, like, that's represented, or like that started to take shape from the rest of the sections, or that's like the diagram we're missing that we punted to CNCF to do the illustration for us?
E
Myself, hold on, sorry, I think that in my head that is everything up to the prototyping section. So I think it's the inputs, outputs, it's the components and the actions and capabilities sections that kind of go through the stages, the as-of-yet unnumbered stages.
E
I think that, like, those sections have a lot of meat in them already and they need a little bit of refining, but I think that those could be refined over the next few weeks if we really focus on that, and be in a place that they were ready for receiving extra feedback and comment from folks who haven't been buried in this for a while.
E
Now, I think from the prototyping section on is where, basically, it's mostly empty pages, it's just an outline still, and that's where, and it's also where I think it starts to get much more down into here's how this thing would actually be built, and we're not ready for that until we feel good about the stuff above that line. Does that make sense?
F
How would the group feel about putting that in the document itself, like maybe just above the table of contents, saying, you know, this is where it stands right now as of this date? This is what we're going to try to not move, and this is what we're going to try and concentrate on. That'll.
B
Can do it? Okay, I can do it. Okay, great idea, excellent, I'll own it. So progress, current state, current state. I'll write something.
B
One thing to try to close: I wanted to do a quick run-through of the comments. Some of them, it's unclear how we want to proceed on the suggestions or what's being pointed out, there's some discussion, so as we can try to start closing down on the top. Let me just scroll through. This ticket has been open for the diagrams.
B
Okay, this is not contentious, it should be elaborated. SLSA seems important to call out. What do you think, Alex?
B
But for the time being, let's remove that additional work. Okay, so sounds like until this point, other than two slide additions up to here, there are like no changes above this mark, right. Let's do a line break.
E
I interpreted that as being about the diagram above as well, but I could be wrong about that.
E
Yeah, we had, I had made that big chart of all the inputs and outputs here and then I felt like maybe it was redundant to have the giant chart and then also have all the paragraphs of text that we had after it. So I moved the chart into the prototyping section. I figured that's a good place to have something that's summarizing all of this content. It's still in the doc. If we want to move it back, we can, but that's all that that means, so.
B
So we could remove this. There's some discussion, and like, well, is it technically accurate?
C
Right, I think we could rephrase this to take into account the fact that, like, tags are bad for, now, a handful of reasons, not just that you don't know what you will get, yeah. Or we could, now that we've advocated for immutable digests, we could remove this sentence entirely as redundant, but I don't know how people feel.
B
I like the language you used. I think it'd be beneficial for the reader to understand the reasoning behind it. Yeah, and even like the digest doesn't guarantee you're gonna be getting latest. You should be aware of this, like expressing that, like the way you conveyed it, even in those exact words, like it's very good, right, like we're educating people. So I'll leave it to you, Jason, right.
C
Yeah, that's not me, yeah. I'll just, I'll plus myself in and.
B
Yeah, I don't have your email in my contacts, so that's why it's not coming up. The next one. This is also true along the same line of thinking. How do you all feel?
B
Jason, replace, accept suggestion.
C
Yeah, I think we can rephrase this to say that it is, you are not guaranteed to get the latest thing. It is literally impossible to tell what you will get when you ask for things by tag.
B
I don't think we're group controlling it. Drop me a DM with your email and I'll add you when I'm not screen sharing, or yeah.
B
Cool, cryptographic material.
B
Outputs, artifacts. Brandon Mitchell, good call out. We need consistency between artifacts, or well, the spelling, like American spelling, greater spelling, the.
B
We keep reiterating that, yeah. So would you mind pulling the other mentions here?
C
Awesome, so a quick question, Andreas, in outputs: it's not just the artifacts. It could also be vulnerabilities, right, or a report that says, oh, you got these risks and there's some image or something to that. Is that not considered an output here, in this context?
B
Yeah, have a read at the metadata document section on their outputs and see whether it speaks to that. I think it does, but it would be good to make sure that that is clearly conveyed.
C
I don't actually think that they're really outputs. Honestly, I would, because I mean, if you trust them as outputs from the same places of the things that they're verifying, I feel like that kind of ruins the separation of concerns, right, between the generating trust in the keys and then verifying things with those keys, yeah.
C
Oh yeah, like that, either the delegation chain or the certificate chain, yeah, that makes sense as an actual output of the software factory, but I wouldn't, yeah. I think we should definitely make sure that's very clearly eliminated, though, you know, mistakenly thinking we're suggesting getting your root of trust as an output.
B
Do it, keep it out of band, it's an external system or like external cryptographic material. Cool. So we'll look for the suggestion. It sounds like plucking it out from under outputs is like the sensible thing to do, just for clarity.
E
I think we've resolved this in the, there's a footnote down there that I think addresses Brandon's follow-up on my question, and I think so, if everybody's happy with how that is phrased and with the footnote, then I think we can mark this one down.
A
Yeah, I think we will cover that in the mediterranean. I just added all those things, so I was not sure what Chains is supposed to do, so I think it's redundant at the moment.
D
I mean, like, the idea was, like, maybe, instead of, like, your build system taking care of your supply chain, like maybe you have something watching your build system and doing it for you, but since Chains is really the only thing I can think of that does that, like, I don't know if it makes sense to call it out, like, specifically.
D
It can be, like, the way that it works, like the way that we have it set up right now, is that, like, Tekton Chains will just watch your builds and then it'll sign things for you, it'll generate provenance for you, and that's all stuff that could happen in the build itself, but it's just like the architecture of how Tekton is set up that we built it that way. So it's not like a requirement to have that component.
F
I mean, I was curious, because I've done, with other tools, I've done explorations of collecting detailed data and being able to reconstruct histories from that data, and, in fact, the tool in question has gone on to implement a feature called causality, where you can basically take a particular version of something and say: where are all the places that turned up and how do they get consumed? And how do they get pushed forward? Which is probably, like, a different perspective than Chains gives you, but still is.
F
I think there's a case to have it, even if it's at this point mostly, what's the word I'm looking for, advocative, there you go, there's a fancy word. I can't think of the word I actually want to use.
F
Essentially, you know, like a sense of where we want the world to be, even if most of the world is not there yet. Does that make sense? I guess there's gonna be a tension in the paper, right, between the ideal world that may or may not exist yet versus what people would do with tools they have in hand today, yeah, which essentially means what can you do with Jenkins.
D
Yeah, I don't think we've talked about, like, if we are advocating one way or another. I think we literally just had this in here so that Chains was covered, because we do bring it up later on, and I thought that the question was, like, does it make sense to have a whole section here if it's really only referencing one tool? But it seems like there are other things that can observe pipelines that can do interesting stuff. So maybe, yeah.
C
Basically, if it's describing a separate component that observes and reports, then that does only describe Chains today, as far as I know, but to Jacques' point, other things do this just integrated with the tool, or other things do this with, you know, some other way, and so, if we just are more vague about, or less prescriptive about, how it should be organized and operated, then it can include causality or probably some Jenkins plug-in or probably some other thing, yeah, it's useful.
F
I think observers is as good a word as any. The goal seems to be some way of assuring yourself that a particular history occurred.
F
So for me, that would be close to either one of process mining, but that's designed to deal with, like, vague, unstructured, not very well put together data sets, and then a sort of a branch of process mining which is conformance checking, where you have a definition of what should have happened, and then you have evidence, and you compare the two to see whether what happened happened, and only that happened. And Chains is like a really strong statement of that, and causality is a reasonably strong statement of that.
F
So I guess the question is, like, going back a step, it seems like the purpose of having an observer is to do that conformance checking: to show yourself that no more happened than was supposed to happen, and no less happened than was supposed to happen, that only and exactly the design of the pipeline occurred.
B
Sweet, yeah, we haven't, like, spoken to that. That's like solid rationale behind it, so without spending more time with this, removing it for the time being.
F
I was just adding item F when I saw that the comment came back at me, asking if the scope made sense, and said yeah, so I figured I'll just throw it in there. If we wanted to accept it, that would make your job easier.
B
Okay, Alex: what's your take on this section? Do we want to incorporate stuff here at this point? Let your pot do that part and then make a call on it.
E
I'm fine with that. My recollection is we spent a lot of time in the last meeting discussing whether or not we needed these to be three separate items here, and I guess there are conceptually three concerns that the admission controller is looking at, and whether we wanted to write them out as three separate concepts, basically. So I think, if somebody's willing to take a stab at that, we tagged it in the last meeting, and go for it as far as I'm concerned.
A
Then there are various images that you are using in your pipeline. You need, you are basically placed, you check whether you are allowed to execute those images, right. So it's basically different, as I said, life cycle or different stages where we want to basically put these gatekeepers, or these controls.
A
I think this, the latest section, was there already. We probably need some elaboration or some illustration in the option, but we can, I can take a look. We can decide, we can reach it from the contents.
B
Yeah, something like SPIRE would only get kicked in once you have instantiated a workload.
F
And thought processes: the admission controller would check that it would be a signed image. The mutating image controller can say: here's the label, said it was signed, then it was signed, yeah, and then SPIRE can kick in and say, okay, I will give you a certificate because you're running a signed workload that I trust.
B
Yes, so if you pass that as a label, you can check for the presence of that signature, if it's a match or not.
B
So I placed that here so it doesn't get lost. Cool. If I resolved the comment, yep.
B
Actions and capabilities, Alex. All stages of admission control again, but it does belong here, right, where we're talking about it from a different vantage point.
E
Yeah, I mean, I think what we've done so far is we've laid out sort of defining what all the different pieces of the factory are, and now we're laying out how they interact with each other in the different stages of the factory running, right, and so one of those, well, really in all of those stages, everything has to pass through an admission control check, right, and so I think that's what this is. I think that was my comment, was my.
G
Sorry for being late, just my thing finished up. I actually had a question about that. I think one of the other things that we also want to make sure, right, is that you're doing admission control for the secure software factory itself. Right, like you want to validate that whatever images you're using, you know, let's say you're using Tekton, you know you want to make sure that the images are.
G
Are, you know, correct, and then, in addition to that, yes, you also want to have admission control inside the build, as you mentioned, right, like you want to essentially validate that if I'm running a particular build image or something like that, let's say I'm, you know, using Kaniko, was the Kaniko build image also signed, that sort of thing.
B
Okay, stage one, Alex.
E
Yeah, I think we need to, I can take a stab at that if you want, but I think we just need to make sure that that reflects the scope that we've talked about in the previous admission controller section, that, when we're describing how it interacts with the other pieces of the pipeline here, it actually reflects what we've said above.
B
Agreed. This diagram, does it belong in prototyping, or it's good to have an illustration here, because it's been like a lot of words till this point and very little diagrams.
B
Let's resolve that. Stage zero, Michael, tell us about this.
G
Yep, so this one was the one that maybe the admission control piece would probably solve, so yeah. This was resolved. Okay.
E
Scroll just a little bit, I'm trying to get my bearings for where we are. Oh yeah, I think that, yeah, my recollection is there was a lot of redundancy here to what we've already said about source repos in the input section. So we perhaps can just consolidate this content into that and not rehash it here. But if we think it's important enough that we need to say it twice, then that's fine too.
B
Well, we're framing it here as, like, it's out of scope, but let us tell you about it anyway. Have it, but let's consolidate it and we can say like, hey, a detailed explanation of this is beyond this scope, but yeah, not out of scope if we're talking about it.
G
Yeah, yeah. My only additional comment on that piece, that yeah, like I think, providing guidelines of just saying whatever you are using should either be trusted implicitly because of some, you know, because you do trust it, or it should go through some process to sort of establish that trust.
G
You know, just to give an example of what I was thinking about, right, is, if you, let's say, don't trust Tekton directly, because you're like, hey, I'm not sure if they're doing all the right stuff, then you need to apply scans or manually validate those things before you then say, hey, I trust this and I'm going to sign it with my key now, as that sort of baseline to then have the secure software factory go through it.
B
Sounds reasonable. I see Brandon solved his own comment. We should probably be a little bit clearer, if it, like, you do scratch your head too, like what does this mean, like go through a strong pipeline, but I think we have an understanding of what we're trying to express. Consider the leading. Does anyone feel strongly about this sentence of "the pipeline framework generates an API exposed through scheduling," blah blah blah?
B
Think about it, I'll defer this one to you. And yeah, like, is the software factory, like, bearing responsibility, like also, let's think about this one, like the subject in the sentence, like the use of the word "responsible," maybe there's a, maybe "is concerned with the assurance."
B
Okay, we don't have a lot of time left, so we could shift gears and go bottom up. We could, like, just try to go over the things rather than every comment, like anything that has, like, a thread like this one. It might be contentious, but there seems, there's agreement here.
E
I think I can take a look at this one too. My overall read was that this particular stage, as it's written right now, actually stretches into several of our stages and that maybe it needs to be split out and reworded so it's a little bit more concise in its scope, and I think that would resolve some of the questions that are here.
G
Yeah, I think, as per what we put in the white paper, the thing that we want to really sort of focus on is, conceptually, your build should have access to its source code and dependencies already locally, like either through a shared volume or through some other non-network mechanism.
G
Right, you know, yeah, like the idea, we should make the builds hermetic, but I also know that, depending on who you talk to, they have different definitions of what truly hermetic means, but I think that the main things are: you should not be reaching out to the internet as part of your actual build step, like that should have happened before the build step, gone through all the right validations and checks, and then your build itself should only concern itself with stuff like compiling and packaging. Okay.
B
Perfect, let's sidebar that discussion to the two of you, Michael and Alex, let's close up on it. Brandon, good call out here, pipeline definitions, separate build images, yeah.
B
But one for the time being, Alex, you're making an assumption.
E
So this is getting into the prototyping section, so I don't know how much time we want to spend on this, but this is just, I was trying to think about how we wanted to structure this part of the paper earlier, and I made this table here just to kind of get the wheels turning, and maybe people will like this idea or not like this idea, do whatever you want with it.
E
It was just, you know, trying to flesh out what something might look like, but my assumption here, in this particular example of how I worked this out for this stage, was that everything's passing through the scheduling orchestration platform. In my head, that's based on how the Kubernetes API handles everything, that you don't, like, directly call the scheduler.
E
You call the API, for example, and that, but maybe that's too technology specific, and we don't want to say that in our prototype. Maybe it is, but maybe it reflects something that we actually do want to say. So I don't know, that was just leaving that there for discussion.
B
So we wanted to make the most substance, like, packed in here, right, and here's what we were saying at the start of the call: we need to close up on things further up before we shift all of our attention to this. But what direction, what guidance do you want to give to folks of, like, how to pitch in here or go about it?
E
What I was doing, I'm assuming that we are not yet trying to actually flesh something out in code, and so I'm making something that is like a combination of pseudo code or some sort of cheap knockoff on UML, or something like that, that just sort of describes how things flow through the various components that we have outlined in our sort of more theoretical section above. If people like the way that I have done this, I'm also finding it kind of a useful exercise to try to work out something like this for the different stages and helping to figure out, like, oh, have we missed something in our descriptions above, because there's, you know, a necessary step that has to happen here for this stage to work, and we don't talk about it, or something, right, like so.
E
I think it may be useful in that regard too, to start playing around with this, but like I said, the format is just, I just, like, threw something down, and if people like the format that I have put down here, then great, we can use that, and if people say nah, this is not the way we should do this, then I'm happy to hear other suggestions too, and I think Michael has some ideas as well.
G
He does, so the, yeah. The only thing I wanted to add is, so I do have a more or less end-to-end demo of this thing, using the majority of the tools as we've described here, not stuff that is internal vendor stuff. But so, if folks are interested, I'm down to even show after this meeting what that sort of thing looks like, because I think that there are still some sort of interesting, like, you know, caveats or things that do or don't currently exist.
G
You know, in the outside world, I think, even as we were building some of the stuff in the demo, people were building the features that we needed to actually have to show this thing. So there's definitely probably going to be caveats there and, you know, whatnot, but if folks are interested, I'm down to show it, and it's also all open source.
B
That'd be super beneficial, and I think what Priya had shown when we first kicked off would also be very beneficial here as something to anchor around, and we can use those both. I see folks starting to drop.
B
I'm sure, like, folks like Axel and Jason have a lot of desire to jump at this, like, we've been looking into this, and you have your perspectives around how to prototype. Yep, I don't know if, like, folks want to, like, make their own personal copy and, like, work on their own on a prototype, and then we compare prototypes.
B
Do we want to set up some time before, like, the meeting next week, to try to, like, make progress on the prototype as a group? I'll put it out there, like, how do folks want to attack this section?
G
So it's using, for example, the process for Tekton Chains that Priya showed off, it's, I'm blanking on the person's name, but he goes by "a developer guy," using the work that he had done with regards to OPA for policy stuff, and there's lots of other folks in the community that we've sort of, you know, we sort of said: hey, okay, they've taken this approach, seems pretty good, can we now implement this as part of that sort of end-to-end thing?
D
Yeah, that sounds good to me, because I think, like, since I did my demo at the start, there are, like, a few pieces that we've added in, so like, I never had an admission controller or anything like that. So I think that Michael's demo will probably, like, kind of have, like, the core components that mine had. So I'm good with using his as, like, a jumping-off point, Jason.
B
Yeah, I agree. Cool, Alex? Sounds good to me. Cool, then mapping, probably we want to complete the tables, that's kind of like low hanging fruit. Future work, spare, okay. Some appendixes, let's remove them if we don't have anything, like, I don't think we want to over-rotate on filling in missing content here when we still have quite a bit to do further up. Anything we said at the start of the call that we'd try to get to, to cover or speak to, that we haven't?
B
Well, I told you how to blanket statement the talk, right, cool. That's that, we're at time. Whoever wants to hang out, we can talk more, but.
G
Sure, yeah, yeah, yeah, my schedule just freed up after just now, so okay, so I'm gonna, give me one second here.
G
Yes, yes, hopefully, just came out of another one of literally this, so hopefully this all works. Can you all see my screen?
G
Yes, okay, cool, so I'm gonna show what this sort of thing looks like. It's a lot of, it's based on what Priya showed, but I'm also going to show sort of just like, hey, what is an example, like, supply chain attack and why we need to be really rigorous in all the different areas.
G
So it's going through doing the normal source stuff right now, I'm just running Kaniko, I'm doing some additional things here, like, you know, creating an SBOM and doing a few other things, and I can get into the details of what's going on there, but I think, you know, once again, wanna shout out to literally everybody in the community who, it's like each of them had a different piece that they kind of figured out, and I'm like, oh, if I take this, and it should be, we should be able to get all this in.
G
That takes two, three minutes here, and it's doing all the sorts of stuff that Tekton does, right. It's going to be signing with the various keys, and one of the things that this demo doesn't show is all the various keys we'll probably need and have in all the different areas. Right now, I'm just mostly using two keys, just for the demo.
G
So it did all this stuff, and if I go and, you know, do a crane ls, whoops, let me.
G
I go and do this, right. I can go and validate a couple things, that, you know, the image was signed. I can validate that, in this case, Chains has the attestations for it, and so these Chains attestations are essentially SLSA level something compliant. I'll need to kind of do some additional validation there, but they're SLSA compliant, yada yada. But what's the problem here? Like, okay, I'm validating this stuff, but what's the problem? Well, one of the problems is.
G
That's how the attack came in, and so the parent image wasn't signed, and so that's how the attacker got in, and so now, even though I'm signing all the right stuff, well, I wasn't validating the signature of my parent image. So that's how the attack came in. That's why, you know, we need to be really rigorous about all the different things we're validating and checking.
G
So now, let's assume for an example here, right, that I'm going to be building, you know, against a real signed version, and we're going to be, or actually, you know what, let me show you one more of this. Actually, so it's going to do all that, and now let me show you how I would validate against it. Once again, some of this stuff will be managed, I think, by Kaniko internally at some point.
G
There we go, typo somewhere, but now you can see here, right. Well, the parent image wasn't signed, so the image doesn't get built. So now, let's just show what that would look like against the real signed image.
G
And then I can show you how policy is then enforced continually. So while that's now gonna be rebuilding the.
G
While that's rebuilding, let me just show you some of the stuff, so I'm currently using two admission controllers right now, probably going to switch to one at some point, but using Kyverno here to sort of validate a couple of things.
G
One is I'm validating that the Tekton images themselves that I'm using inside here are signed, and that includes some of the Tekton task images that are, like, the git image and those things. I'm validating that they're signed by Tekton. I'm, for now, just saying yep, I'm assuming the Tekton images are good because they've been signed by the Tekton folks, I trust them, yeah, yada, and then from here I'm also validating, whoops, that I'm validating that the other images that I'm using here are signed with my key, right.
G
So if they are not signed with my key, then, you know, don't run them, and then separately, as another proof of concept, because, as far as I can tell, Kyverno can't do sort of, like, remote API calls, I'm using OPA for what, like, I would consider almost like a production level policy control.
G
So now that that's all done here, it got built, it got built against the signed image, it validated it over here. Once again, all the same caveats are in place here. So if I do a docker pull.
G
Right, so if I go and I run this random curl, right, I want to run my curl thing. Oh, it doesn't work. Why? Well, two reasons. One is that curl image wasn't signed, right. So it's not going to run in my production namespace, because I have an admission controller in there, and the other reason, it doesn't have a valid SBOM, whoops, valid. Oh, it doesn't have a valid signature. It doesn't have a valid SBOM.
G
There's another thing in there which I might have inadvertently commented out, which is, let me go and double check that real quick.
F
G
It's OPA, okay, thanks. Separately, for the inside of the Tekton namespace, I was using Kyverno just because it was a little simpler to get set up originally, but for the additional stuff, like validating of the actual attestations and validating of some additional metadata in here, it's essentially this.
G
So right now I've realized that that was actually a PoC, which I'm not sure why it's including that constraint right now. I'm not finished with that one, but the thing that I am doing actually that's probably worthwhile showing is I'm right now just taking an SBOM of the source files and sort of pushing that out as an example. So if I were to do...
G
And this is some additional work I'm doing here, right, is I have this SBOM sources file. I can s-get it, and I have some additional tooling I'm using to sort of, and I have to validate it against the key, keys, cosign dot sbom, the hub and...
C
G
So this is how I'm getting that file, and so I have essentially built in a built-in API based on a lot of the work that the individual who goes by "a developer guy" on GitHub, him and some of the other folks, what they had done around sort of validating attestations and validating these things. I can actually then, you know, use the same thing to do like just arbitrary blobs, and so I can upload arbitrary blobs, sign those arbitrary blobs, and those arbitrary blobs can just be whatever metadata we want, and so ideally what we have is we have it almost like two steps, right.
G
You have an attestation, and the materials cited in that attestation should also be, if possible, included in the registry or included in the repo alongside your actual image, and then you can always go back and audit, right, or do some additional validation against those things, and it's just like very simple to actually do that, yeah. So I think there's a typo somewhere, but the other thing that I'm actually doing here is I'm...
G
I am validating Tekton Chains provenance here, and so I'm actually going into this API, which was again, the API is based on the work that those folks had done. Our team, my team and myself have written a bunch of code to actually add some additional things on there, but hey, it pulls down the attestation, decodes it, essentially for right now validates that there is, you know, it's of Tekton Chains provenance type, right.
G
We can include additional metadata in there and whatever, but then, based on all of that information, we can go and say yep, yeah. It has all the right attestations, they're all in the right format, they're all using the right predicate type.
G
If we need to do an audit after the fact, we can go and look at the materials that were in that attestation and go and say hey, this thing attested to this thing, let me double check the SBOM or whatever, and then, if we need to, we can also go deeper level stuff in there as well. Like, let's say: hey, we discovered a particular, you know, hash is bad in the SBOM, right.
G
Okay, cool, we can say, you know, we can do a further level audit, but we can say no new applications will get deployed if they have that in their SBOM, and we can use this to sort of continue to do that sort of thing.
G
Yeah yeah, I was just about to say yeah, so when it comes to a lot of this, you know, sort of stuff. You know, first off, all this code is open. So if other folks wanted to take a look, feel free. Obviously you don't have my keys and you don't have access to my repo, so you'd have to change a few different things, but largely it should work, but in writing it up in there...
G
I think that's where I want to have a conversation with Alex and a few other folks to kind of figure some of that out, because my headspace has been so deep in the code. I don't think I'm the best person to ask right now regarding that, but I think generally, I think we have a good idea of how these things should link up, like you should have your admission controller be able to make these sorts of requests either via an API or through a plug-in, right.
G
Some of this stuff, like here, might go away once some of the plug-ins for OPA are finalized, because there's supposed to be an OPA plug-in for cosign, yeah, some of it. Some of that might go away or we might still include it. You know, depending on, you know, this sort of thing that I wrote up. I can do some higher level validation. Should that be a plug-in in cosign versus being a plug-in somewhere else?
G
I don't know, but we can, in the very least, keep it sort of very high level, saying, you know, your admission controller should do these things, your, you know, your build. You know, we're assuming here, like you have signed the base level builder images, or you're using, or you're trusting the signed things.
G
Here's how you would do that, right, and I think we can kind of keep it at that level and then, when we actually try and show off an actual prototype implementation of this thing, we can then get a little bit deeper.
B
Here's a far-fetched idea: how about we don't write about it? How about we include little ASCII theater clips and, like, short videos into each of the stage sections and say: hey, here's what should occur, because trying to express this in words is going to take a lot of effort, versus we can include, like, hey. Maybe we don't push this out as a PDF, but we do a GitHub page for it and we have...
G
Yeah yeah, I mean that seems fine to me. I think the one thing that I will say is that some of this stuff, obviously, will need to be cleaned up a little bit. I think, you know, even before this meeting I was demoing it to other folks internally, yeah, so some, you know, once again.
G
None of this is using any sort of internal whatever, but, and this is all using the open source stuff, but I think the other thing that's probably worthwhile in highlighting is some of this stuff, like even these pieces, could have only been possible in the past like three days, right. Some of the features did not exist two or three days ago.
B
E
Yeah, I think that's a good approach, yeah, so I guess my, so, I'm stepping back, my sort of meta question here in terms of how we have structured the paper so far is this demo.
E
Prototype is definitely tied to very specific tools, which are the tools we're planning to recommend, right, but the way we've structured it so far is sort of moving down this funnel from very, very theoretical, getting gradually more and more concrete, right, and so my sort of meta question in terms of the architecture of the paper is: do we want this to be the next stage after our theoretical overview of a software factory? Or do we want this to be a sort of later piece of the puzzle that we say?
E
B
Royal we aside, what's your selfish, what's your selfish perspective? What would you do if this was... I.
E
We have a work, you know, Michael has put together an awesome working demonstration of how those tools fit together. Like, I think that it's fine to say, you know, here's how, you know, if we were building this from scratch, here's what it would look like, right, and then, you know, and then we can have an addition that says, and then here are some other tools that you might consider if you, for whatever reason, don't want to use Tekton in your environment; here's something that you could do something similar with, or if you don't want to use X, you know, here's another alternative, and have that mapping afterwards.
G
E
You can build it, you know, you can substitute in these other things, if you want to.
B
We're also talking like, hey, to the best of our knowledge, this is the only implementation of this today. We want to steer that direction. This is a reference; sure, you could, like, build this with something else or, like, you could reverse engineer it and, like, refactor it all, if you want, like Michael.
G
Yeah yeah, the only thing I was gonna add on there was, I think we can maybe just show the example and maybe throw in some caveats of like, if you do plan to use another admission controller, make sure it does this in order to, like, otherwise it just won't work, right, like so.
G
As an example, right, like, is great, but like it's missing a couple of things today that would prevent us from sort of using it in that holistic way, whereas OPA does have some of those features, and some of those features are just literally an HTTP request feature where I can have OPA, you know, call out to an API, pull in information, and then just parse that JSON any way I want.
G
If your admission controller has that functionality, go ahead, you should be able to swap it out and be able to do whatever you need to do, and the same thing goes with, you know, when it comes to a CI/CD system, right, like if your CI/CD system can sign the individual tasks and provide all that metadata for, like, a run of all these things, then go ahead. If it can't, well, you know, Chains can, and so that's where, you know, Tekton plus Chains can, I should say.
F
Sorry, I was going to say, yeah, it's important, like it's important to be descriptive rather than prescriptive. I think, in this case, you're saying, you know, this is how we build it, and we build it because it has these technical properties that you need, but also be, it adheres to these principles that we were describing before.
F
So what really matters right now is that you follow the principles, because that's really what we're trying to convey are those main principles, but then practically, when you want to build it, then you also need these technical capacities to build it like this. That being said, you know, as long as you adhere to the principles, that's what really matters. I mean, this might be a very sort of, you know, intellectualization of it, like very high level, but that was, that's my understanding, like we want to.
F
You know, it's great to show a practical example of what it is, to say that, you know, to show that it's not actually just fluff and we're just talking about theoretical stuff, but simultaneously you want to make sure, as you were saying, Andres, you were saying, like, you know, if people can build another way, you know, knock yourself out, it's great. If there's multiple implementations, as long as they, you know, don't betray the principles we're trying to convey.
E
I think maybe that's a great way to structure it in terms of the writing is to say, all right, here's the demo and we chose this tool for this reason, and if you want to choose something else, follow these principles. I think that's a good way to, you know, so that we're not, we don't have to write out how you implement it in every single step, because we have the demo. That's gonna do that, but we can instead say, and this was the rationale for choosing this piece for the demo.
F
Yeah, agreed, and there's a, I think there's a large, you know, at-this-point-in-time aspect to it. I mean, as Michael was saying, you know, some of this was made available, like became possible three days ago, so saying, you know, this, it is like this also because this is how it can be done right now, probably, you know, goes a long way to explaining the choice of some of these tools.
G
Yeah, like, if you look actually at some of the code I've been pushing out, some of the code is like my co-based image, right, because I had to recompile, you know, some of this myself and push some of these things out. Some of these things are not in released versions yet; some of those versions should probably be coming soon, but yeah. I think that we just need to make sure that that's crystal clear to folks so that they don't go and say, oh, why can't I just do this thing?
G
It's in the demo, and it's like, well, actually it's in the demo and it's probably in main inside of a lot of folks' repos, but maybe hasn't been released today. So I also don't know how we want to say that when it comes to the demo, right, like what versions of the software were you on? We, at this point, I think we might have to say we're on versions of these pieces of the software's hash IDs.
G
You know, hash commit IDs, because we're at that level, which is also not ideal, right, because it's not as nice as you're saying, as long as you're on version one point x of Tekton you're good; it's like, actually, as long as you're on this commit ID of Tekton you're good.
E
G
I mean, I think, to some extent with a lot of these things, given that, and Priya, correct me if I'm wrong, I think we had kind of talked about this before, is some of that work, like specifically the uploading of, the issue with uploading Chains to the image itself, I think some of that stuff can just, you know, if it's in the next release that's coming up soon or whatever, we could just put it, you know, once it's there.
G
I think largely the thing, luckily for us, is a lot of the tools that we're talking with, I mean most of the maintainers, you know, maintainers are part of this conversation at some level, so I'm sure if we said, hey, look, we want to go forward with this. Can you include that feature in the next release? You know, can you include this feature in the release and release it so that we can then cite it? I think we might be able to, that might be the easiest.
D
Yeah, definitely possible, at least which things, we're going to do a release today, so the bugs that you were facing, like, for the demo should be resolved. I think the, like, more complicated part with Tekton and Chains is, like, adding this SPIRE integration, just because there's, like, a formal process to adding a bigger component like that, and I plan on starting it, but it definitely will take a while to get, like, approval from all the right people.
G
Oh yeah, so one thing that wasn't in my demo was the SPIRE stuff, specifically because of some of those issues, like some of it. There, actually, I think, is one or two areas where SPIRE is being used, but a lot of areas, it's just using the long-lived signing keys as it stands today.
B
G
Forward, yeah, no, I'm definitely down to, you know, maybe after this call, out of band, talk with Alex, you know, we can talk a little bit about some of the details of how to get into writing; definitely on board to kind of, you know, record some, record some, like, actual demos of the actual thing, and you can record.
B
Clip it, so that's fairly straightforward; sure, we can do some post edit, like we can, we can even just, like, have you use asciinema to record your terminal.
B
To, like, well, for the virtual studio stuff, we could just, we could just include the files or, like, the snippet of the file. People can expand it, and we check those into the repo.
G
Yeah, that's definitely something I can look at. You know, I think the majority of stuff I'm gonna be doing over the next couple of days myself is, one of it's cleaning up the demo to make it also a little bit more, right, like largely all the scripts are there where people can build the stuff. The problem is obviously some of it's using my GHCR repo. You know, I want to be able to allow folks to sort of inject their own.
G
You know, whatever, their own repo, and it should automatically just swap out everything that they need to do and will automatically build all the things that they need to, to sort of run that demo. That's obviously gonna just take a couple hours to kind of sort out, yeah, but yeah, beyond that, you know, I am, you know, down for whatever. I think the only thing is...
G
I have a couple of things later today and tomorrow morning internally, but then a lot of it's going to be KubeCon prep and similar for the next couple of weeks for me, so yeah.
B
Same for a lot of us. You know, one thing with demos, like sometimes we do, like, this progressive build-up of, like, hey, let me give you the overview of these, for the parts, and then, like, people get, like, they are not necessarily aware of, like, where you're leading them towards. Like, I've seen people, like, flip the script and do, like, the payoff first.
B
So if, without any explanation, you show, like, hey, I've run a pipeline and this thing didn't get admitted because it was inside or it wasn't, and then you backtrack from there. We could take that approach, right, and do it in reverse as well. I think you hit all the things in the demo you did. The one thing is, well, I've, because we ran over the meeting, I get sidetracked and I feel like it was a little bit lengthy, but we could probably shorten it by reversing it. If...
G
That helps, obviously you do whatever works for, yeah, yeah, and yeah, I'll do a couple more dry runs, and I've been giving this demo to a lot of different folks at a lot of different levels. So I think, yeah, like there's...
G
Definitely, you know, we can be as high level or as low level as we need, right, like for you folks, right, I'm keeping it fairly low level in the actual sort of, like, hey, this line in the code, where we don't necessarily have to go that deep; we can literally show, hey, you know, here is a config.
G
You can refer to the config over here if you want to follow along and don't have to kind of go through each line, but as long as folks understand generally, like, oh, you know, I understand admission controllers and I can see that, yes, you're calling that out as you're verifying the image and you're calling this out as these things. If they can follow along, we don't necessarily need to go hyper deep into it either. 100.
B
If you watch the recording, like, I think we have a pretty good approach, or like we have a good plan on how we want to close up the paper, like we're not adding anything, any extra content to any of the initial sections; some things that need to be tightened up through the, like, middle sections of the document, and then, well, you and Alex are on point on the prototype, pre-alex. Anything I didn't convey, or I am not possibly, like, it might be oversimplifying.
B
Is that a thumbs up, or that's like you're racing it? Like, actually, Brandon, I want you guys to, like, also be able to roll your sleeves and get action, because I know you've been super eager to get into actual architecture and prototyping, so link up to these guys. I'm sure you have, like, a lot of thoughts and, well, I've seen a pretty solid perspective, so stack teammate a dts same mar. I haven't heard from you, but welcome aboard to the team. Hopefully you found this worthwhile.
G
Could you show some of this to some folks who are generally associated with the regulators, because they're interested in, you know, better understanding, like, what, you know? It's one thing to say: hey, you guys, you know, everybody needs to start thinking about their supply chain security. It's another thing to say this is what that actually means, right. Like, you know, it's about doing these things in such a way where we are sort of validating, like, you know, with a lot of the stuff that we've shown, right.
G
If I pull out, if, you know, for example, somebody compromised GCR, but they don't have Tekton signing keys, it'll still, that will prop up here, right, and this is, I think, it also does highlight some of the stuff regarding the signing. Keys right now are really, really critical to protect, and there's things that still need to be done along those lines, and then there's other things that obviously need to be done with regards to, hey.
G
If we want to trust you, we need to start trusting the fact that you're doing all the right things, because, you know, to some extent, if you say, hey, like Tekton recently did, we're SLSA 2 compliant, right, cool. I can check that attestation. I can validate it. I can validate the signatures and, on my own stuff, be saying yep, you're allowed in my environment, right. That sort of stuff is, I think, the stuff that they want to start seeing, right, and in fact.
G
Exactly right, and already, obviously, some folks are talking about, from, like, the consultancies, they're saying, hey, we'll come in and talk to vendors, and maybe do, like, a third party audit and certification process, saying, look, we recognize you do not want to tell us all of your build commands, all of your blah blah, and expose that to the world.
G
But, you know, we trusted this third party auditor to come in, validate all that, and then they have some sort of signing attestation saying, yes, I am signing that internally they are doing all the right stuff, right. These are the, so, you know, all sorts of stuff that we want to be able to do and whatnot, yeah.
B
I've seen KPMG's risk unit start to dabble in that. By the way, I got introduced to Scott Sorovich yesterday to show some stuff I've been doing in the product side around four months. Yeah, it's cool, it's all converging.
G
Yup, yep, and I'm supposed to have a call with him later, but he's been quite busy and on vacation, so we'll see if we do have the call. I want to show him some of this stuff as something to also demo to the FSUG as well, and also some of this stuff is stuff that the FSUG will be probably citing in the white paper we're writing up, right. We're trying to write up something that's kind of along the lines of: so you want banks to adopt cloud native, here...
G
Are the sorts of questions we're going to ask, and some of those questions are things like, you know: what is your RBAC? What is your this, that and the other thing, and so when it comes to even the services that we want to use internally, yeah, some of the stuff that we want to use internally here is going to be a problem.
G
You know, because, to be clear, like, you know, I can't get into details on this call, but I can say a lot of this stuff that I showed off in the open source world...
G
We can't just sort of take that in internally, and there's a lot of various reasons why, but, like, the sorts of things that we're trying to do is show sort of a, from almost like a questionnaire perspective and then eventually a white paper perspective of: what is your RBAC? What is your log retention? What is your data retention? How do people, you know?
G
What is your data segregation model, right, like if certain things are flowing through here that we view as being, you know, publicly identifiable information, there's going to be significantly harder controls that you'll need to pass? And, you know, all those sorts of things that need to be sorted out.
E
B
All right, cool, sounds like we could all use some time and, like, regain our, what, I don't know, balance, like, I don't know, like.
B
Yeah, what's the principle of, like, time will expand or contract for the amount of work you need to get done. Yeah.