From YouTube: TAG Security Supply Chain WG 2021-12-02
B: Pretty good, pretty good. Got to see, so my brother's been out traveling in an RV for the past several months, so got to see him for the first time in a while. That was nice, my parents were there. Overall, pretty good. How about you? How was your Thanksgiving?
B: Mostly that secure software factory thing, which, you know, at some point we would like to officially announce; still waiting on internal folks to sort of give the okay. But we have a lot of stuff in there if you're interested in checking some of it out.
B: Yeah, you know, we're using cuelang to sort of configure all the different pieces, and so that, like, things like, hey, keys that are used by tasks can also be given to Kyverno in the same sort of, you know, you could just sort of say: hey, when I deploy the secure software factory, I'm deploying it out as, like, you know, one configuration, and it'll automatically sort of, you know, we're generating good interfaces for these things. And yeah, yeah.
B: So that's a lot of it. Also looking at, at some point started talking with Santiago and some of the other folks like Jacques around that idea of the universal asset graph or the hypergraph, like just this idea of, hey, Google has a massive database with all the information regarding every application and where it's installed, and metadata regarding those applications and the scans, you know, against them and whatever. It's like, how can you do the same sort of thing, right?
B: You know, we have Rekor, we have cosign and these design metadata. But how can you, you can't currently run queries against it. So is there something out there that, you know, we can start to build to help to answer the questions of not just did somebody sign off on this? It's okay, somebody signed off that the SBOM is correct or whatever, but hey, now that I've installed this, can I go back and transitively figure out all the things that are going on and did other people do it, and so on and so forth? Yeah.
A: Same sort of usual stuff, a lot of Tekton related things, so we got, like, the new SLSA provenance format into Chains. So I'm hoping to do a release today, and yeah. Hopefully we can, like, you can kind of converge on that, have, like, a proposal for actually, like, properly integrating SPIRE into Tekton. So hopefully that will get merged by the end of the year and then we'll probably work on it next quarter, and then generally just, like, planning for 2022 and seeing what we're going to be doing.
B: Share this, so Brendan did say that there was supposed to be somebody demoing today, potentially from Amazon, regarding some supply chain stuff they're doing, but trying to make sure that there still isn't confusion around the times, because as far as I knew it was just for two weeks there was, like, some, you know, with, like, some time zone differences and whatever.
B: Marina, how about yourself? Anything interesting you've been working on in the supply chain space?
A: Yeah, let's see. I've been doing a bunch with the kind of TUF and Notary v2 work, basically trying to work on getting TUF metadata onto registries, so you can do kind of native verification of all that stuff. So that's coming along. Nothing really, you know, nothing quite finished, but there's a lot, you know, some stuff happening there. And then.
A: I think nothing else, like, noteworthy, just a few, a lot of stuff on TUF and updates, but I don't know that we need to get into all of that. So.
B: Cool, definitely interested in when the TUF stuff, TUF in the registry sort of stuff, lands; love to see it. Do you have.
B: Cool yeah, yeah yeah, I was gonna say if there's any PRs or anything, or, like, any sort of enhancement proposal stuff, feel free to sort of link it in the chat.
B: Hi Hector, it's gonna be probably a quiet one today, but just wanted to link this again. You know, feel free to, you know, put your attendance in here. It's gonna be probably a quick one today. I don't anticipate it being more than a few more minutes unless a bunch of other folks arrive, just sort of giving some updates, not a whole lot of updates from the, this actual.
B: You know, the work that this group is doing, because we're still waiting on the technical writers from the CNCF to clear through some things. It sounds like it might still take a couple more weeks because of the holidays and everything else. A lot of folks are off, a lot of folks are, you know, yes, so most likely either by, you know, around Christmas, New Year's time, we'll send out a sort of.
B: That, we'll be doing that, and then, besides that, we're just kind of chatting about, like, if there's anything else in the software, the supply chain space, security space, that any of us have been sort of working on.
A: All right, thanks for the great summary. Thank you. I just came to catch up on whatever was going on, yeah. Thank you.
A: Sure, let's see, yeah.
B: Cool, Brendan, did you want to, do you have any updates on any of the software supply chain stuff?
B: Yeah, so it sounds like some of that. I know the stuff that I'm very interested in is some of the whatchamacallit. The two main things that it sounds like are still worked on, but they're moving along, is getting Chains to sort of, or I'd rather actually just say more Tekton, more generally, to generate in-toto layouts automatically, as well as the Chains plus.
B: You know, SPIRE sort of integration work, because that's going to open up a whole lot of things. Cool, and then, as I mentioned to Priya, we're, you know, working on this secure software factory thing. It's not officially announced or anything like that. This is just some of the stuff that we're sort of poking around; we're still trying to kind of get the approvals to sort of make a big announcement about it.
B: But this is some stuff that we're working on with regards to sort of taking all the different pieces, like Tekton and Kyverno, and.
B: The configuration for them and the policy around them, and how to sort of generate interfaces behind these things so that they can sort of generate, you know, attestations, show that they are SLSA compliant and all that good stuff.
B: All right, cool, so I believe, at least according to Brendan, next week we will be having, oh okay, I'll let Sripod join, give an update, but I believe next week somebody from Amazon who's going to be giving a talk about some of the supply chain stuff that they're doing there. Cool, hi Sripod, so yeah, it's gonna be probably a short one this week, just sort of giving any update.
A: Yeah, so a few things that we're working on. One was the SBOM generation. So there was one tool that we recently open sourced that captures basically all these SBOM generations. Today they rely on what package managers can discover, right, what you can discover with pip, what you can discover that, so, but if you are bringing in dependencies through, like, wget or curl or tar.gz, make, make install, those are not captured, so we basically open sourced.
A: Let me put the link in here, and we're basically just working on adding this, a few things in here. Yeah, and yeah, I'm discussing with Jim Bugwadia from Kyverno on how we can basically include the support for admission controllers for Tekton pipelines.
A: So there was one admission controller that we are building, so we are looking to basically say: okay, if we can build it as a part of Kyverno policy, yeah. I think that's pretty much what, I don't have anything, everybody.
B: Cool yeah, so I think next week is going to be a presentation from the Amazon folks, but I don't know how long that's going to take, but yeah. It could definitely sort of tentatively put you on for next week. If not, then whenever the next meeting is. I don't remember exactly when the holidays are, because I know there's probably a few weeks where most folks are out.
B: There's a couple of different things that are going on, and I think we need to sort of chat with the leads, like, you know, Brendan, and also Andres is the lead specifically for this project, but, like, I think that there's gonna be some discussion about some of this. There's also discussion about how to work with OpenSSF and some of the other sort of Linux Foundation groups and how to split up some of that work, right, because I think there's going to be, there's.
B: You know, some content that I'm not concerned, but we don't, you know, there's going to be certain things that we're going to be very focused on because we're Cloud Native Computing Foundation, so it's gonna be very focused on cloud native, and there's gonna be more generic sorts of things that are probably gonna be more of a focus from the perspective of the, you know, for just generally, like, hey, open source security, which may fall more under the OpenSSF.
B: So I believe there's going to be some discussions happening in the coming weeks between OpenSSF leads and CNCF leads to kind of figure out, like, what makes sense to collaborate on, what makes sense for CNCF to take, what makes sense for OpenSSF to take. So that's, and then I think some of the stuff that will come out of that is, you know, things to work on as kind of this next phase. You know, my personal opinion is, yeah.
B: I think we want to turn that document into a living sort of architecture, because this isn't, you know, this isn't something like, you know, the Gang of Four book, where, like, things are all relatively set in stone; you know, nobody's really coming up with totally new, you know, software patterns, you know, every few days. It's like, whereas with the software supply chain stuff, you know, new features are coming out daily, new ways of approaching are coming out.
B: You know, weekly. There's, you know, if you look at any of the stuff, that's obviously even in the paper, there's a lot of stuff in there that's fairly contentious, and so some of this stuff is still sort of being figured out. So I think some of that's going to end up causing the document to become somewhat of a living document, and then I think the, you know, I would definitely push for next steps to start figuring out.
B: You know: can we write code that does these things that we talked about in the reference architecture, right? You know, I know that, you know, I've already posted here a few times, but the things that we're working on in the open source space is this sort of thing. We, you know, hopefully in the coming weeks, we'll sort of make a big announcement about it. But regardless, like, it's, you know, we're.
B: You know, we're looking to work with folks on some of that, and I hope this group also looks at, like, hey, how can we start to, whether it is work with the other open source tools to build some of the features that we need, or otherwise build a sort of implementation of this thing. I think it's going to be, like, really important, because, you know, one of the things that, outside of, like, this group of, you know, experts here, a lot of folks.
B: I've been talking to have been sort of commenting that, like, oh, supply chain security seems really hard, like this isn't, you know, I can't just spin up, you know, I have a Jenkins. I can't just install a Jenkins plug-in that does the supply chain security stuff for me, and so on. That I think we need to start to show. You know, it's, what do they say with the Kubernetes stuff, like, you know, is Kubernetes boring yet? Is supply chain security boring yet? No, we need to.
B: I think I would definitely push for next year to, in the very least, start writing code for this sort of stuff, or writing code that, like, ties the things that folks are doing together, whether it's, like, you know, TUF, or, you know, Sigstore, or, you know, the stuff that, like, Tekton and Chains is doing with SPIRE, and so on and so forth, and getting it to actually tie it all together, so that you can, you know, show it off and sort of have some of the, you know, you can make a claim that, hey, we are pretty sure this thing did not get compromised, because we're doing all these things: we're signing them the right way, we're following all the best practices in the best practices document, we're following how the reference architecture says it should be built, and so on.
B: And I believe also in the coming weeks that some of the Nix folks are going to probably give a demo about some of the things with regards to sort of how Nix handles supply chain security, and, you know, in particular how Nix does stuff like, hey, they build a Merkle tree of all the dependencies up to what they call the stage zero builder, which allows them to then say, hey.
B: We know literally all the source code of everything that's included in our environment at any time, right, because we could always go back and look through the tree, the Merkle tree, and know exactly all the dependencies and those dependencies and so on and so forth, all the way back up the chain to what they call, like, the stage zero builder, which is, like, a minimal, you know, compiler, which then compiles the other stuff that they need.
B: You know, like GCC and everything else, and, you know, how maybe some of those techniques can be adopted by other projects to start to, you know, figure out what's in your supply chain. So, like what you were mentioning, Sripod, like, hey, if you're wget-ing something, like, what are the concerns, you know, how do you kind of figure out how to make an SBOM out of that, and then, you know, also in addition to that, like, if you're wget-ing but you're also not validating the hash of the thing.
B: How do you know that, like, if I run that same build twice, am I pulling down a new version of a thing? Did somebody swap out the, you know, tarball or whatever that I'm downloading? There's, you know, there's a lot of concerns there, and Nix has some interesting ideas around that, around sort of making those sorts of things hermetic, enforcing certain things like, hey, if you were to use wget, like, you would have to validate the hash.
B: Otherwise, your build wouldn't be hermetic, those sorts of things. So that, I think that's probably not gonna happen until next year, but there's some interesting stuff that they're working on there, and there's some interesting stuff that they're working on with getting the tooling to generate the SLSA provenance spec, because they already build the entire universe and they have a tree of all those things. They're able to kind of say, hey.
A: Came up in some of the other discussions in other communities. There are, like, we are talking about SBOM for, like, applications, right, but what about SBOM for our infrastructure, SBOM for our pipelines and stuff, right, like what tasks are using, what images are using? Do you need to account for that? So it's not going to be in the CycloneDX and SPDX, but there has to be some accounting of the infrastructure that actually builds your application.
B: Yeah, so you might be interested in discussions, some of which might start happening. So there's a couple of things, because I agree with you about that, and it's not, it's also not just, for example, the SBOM itself. It's stuff like, or, you know, it's not even just some of those things. It's also, hey, if I have a dependency on, like, if my application has a dependency on some SaaS service.
B: So Jacques Chester has that article around the universal asset graph, which is a pretty interesting thing. I was talking with Santiago earlier this week on stuff like what he called hypergraph, which seems like a similar sort of concept of, like, how can we start to just sort of associate arbitrary references and relationships against arbitrary data that we can then use to start to figure out the dependencies just between, you know, systems, and I'm just gonna use that term as broadly as possible, like, systems could be software, it could be infrastructure, it could be.
B: You know, like, you know, you can imagine, like, hey, I have a scan report and I want my scan report to refer to a specific hash of a thing or whatever. I.
B: I definitely think that there's stuff on that front, and so some of that discussion is starting to happen of, like, what sorts of things can we do at a very, very high level, right, because not just thinking about, hey, do we need something like an infrastructure bill of materials or a service bill of materials or whatever, but by kind of thinking about how do we, at a very high level, start to think about?
B: Are they signing that and including it somewhere, and can I go and figure out that, yes, this thing sort of referred to it, and yada yada, and that I can go in and say, you know, did somebody do a security scan against this package within the last week, and the same thing with all of its dependencies and so on? I think that is going to be a very, very difficult problem to solve, and one that I think we're starting to have some initial discussions on, but it's gonna probably take some time.
B: Sure, yeah yeah, it's very, very early on. I'm mostly just trying to figure out who in the community is interested in having these discussions, and then we can start having them.
A: Is this also related to the conversations about whether the attestations will be part of or referenced in an SBOM file? I remember having these discussions, you know, where was it, but there were people, I don't know if it was Cole, but he mentioned that perhaps attestation should be included in the SBOM file.
B: Yeah, so this is where there's some interesting debate. This is one of the things that we want to have that debate around, is the way that, right.
B: The way that folks are mostly doing it today is that people are making claims on the SBOM file itself and sort of making a broad claim about the SBOM file, and then within the SBOM file they're not really making claims on what the dependencies are doing or anything like that, and so you yourself have to sort of transitively go through and figure some of that sort of stuff out. It is worthwhile to, you know, figure some of that stuff out.
B: So what we have to do in the future is sort of figure out some of those details, like, does it make sense, you know, to sort of individually attest every dependency, and then, you know, like, you can go up and down a chain. You know, as did you need to, right, at some point, are you attesting the processor or whatever, right?
B: So that's an interesting thing, and so on that front, I think the big thing is we're trying to, I think, separate out the data from the attestation, right, where you can go and, let's say: hey, I'm going to follow this dependency and I'm going to pull down the SBOM for that dependency. But I'm going to expect a separate attestation for that. I'm not going to say that, hey, this high-level SBOM is attesting to the security of everything it's going to be. You know, and this is a big debate.
B: Also around SLSA is, like, how much is SLSA, for example, like, a SLSA attestation, how much is it claiming? Like, is it, you know, it's by what we've defined in there is that it's definitely not claiming anything on its dependencies, but what counts as a dependency? Like, you know, if I'm a package manager, if I'm a Debian package manager and I'm pulling down GCC and I'm compiling GCC myself to distribute with Debian, well, is the Debian package manager responsible for upstream GCC code?
B: You know, those are some of the questions, and then you have, you know, cases like Red Hat, where Red Hat is introducing their own patches, and so all these things kind of complicate the issue, and I think we do need to have some sort of discussions, either in the existing groups, and preferably in the existing groups.
B: I think we don't need more, you know, more committees and working groups than we already have, but I think we do need to sit down and have some of those discussions. Answer your question?
B: Looks like we have somebody new, Faisal. Sorry if I mispronounce your name.
C: Yep, I'm Faisal, I'm not new. I've been in the calls before, but yeah, just kind of silently listening. I think, regarding attestation, I just had one comment, right. I think what I am seeing right now, because I work mostly in the field, right, for enterprise customers and also for small to medium-sized customers as well, sometimes the issue of attestation is coming up, but I think different people have different definitions or understanding based on their own domains, right, what they are doing.
C: For example, you were talking about Debian, right. I'm sure if you go for RISC-V meetings, they will be talking about attestation at the firmware level, right. If you go in the open source community, they will be talking something else. I think we need to, in my view, at a high level, we need a document or we need a source where we can clearly define what attestation is, what are the different use cases there, and what people are exploring right now.
C: This is just my general comment. It's not regarding what you were discussing before, but I think we need more info on that, because what I have observed is different people are talking different things. They have their own context. They want to solve that problem differently, based on their scope, right, so having an overview would be good, unless it already exists and I haven't seen it, or something like that.
B: Yeah, so on that front, I don't think we have, like, clear, as, like, a community, clear definitions of, like, who is responsible for what right now, but within, you know, SLSA, the provenance spec and some of these other things.
B: The things that are coming out of it is stuff like what claims are being made in an attestation, and that sort of stuff. I think you're naturally going to see, as time goes on, folks will be making claims that, you know, make sense for them, and you might have, you know, third-party auditors or whatever to certify those claims in some way.
B: But, you know, I think, yeah. The big thing now is, you know, just because somebody has signed a thing, what does that mean? That's why we have, like, sort of attestations which are kind of coming in: hey, I am signing that I generated, for example, like, I might be signing the fact that I generated an SBOM, and I am saying this, to the best of my knowledge, is accurate, right, and if it turns out it's not accurate, then you can go back and be like, well.
B: Maybe I don't trust this person who's signing it anymore. That's kind of the way that things, I think, are going, and so you'll see stuff like, you know, a builder is sort of going to be signing that, yes, I built this thing, and based on how I built it, I am assuming nothing got compromised. And I think the thing that you'll start to see is, will start to probably apply, and this is, once again, this is just my opinion here.
B: Other folks can chime in. We'll start to see attestation, like, we'll start to see, like, a segregation of duties around these things in a way that sort of makes sense, right, because if you start to see attestations coming from a single identity, right, that are saying, oh, I pulled down the code, I pulled down the dependencies, I built it all, I pushed to the artifact repository, I did all these different things, and I am claiming everything's good.
B: You might say: well, that's a really broad set of claims. I might be a little worried about that compared to something like, hey, you know, if you're using, let's say, SPIRE and those sorts of things, you're saying, you know, I have one, a particular set of, like, one particular task that pulls down the source code, another task that pulls down the dependencies.
B: Another task that builds it, another task that goes out and publishes it, you know, some other tasks, and potentially even in separate sort of security domains, that are going out and, you know, scanning it and doing whatever, and those sorts of things. You might say: okay, now I feel significantly more comfortable about the things that are being made there. But yeah.
B: I think right now there's not great definitions around who should be doing what, you know, what identities, and I'm using that term very broadly there, what identity should be performing and attesting to what things.
C: It answers my question, right, but again, just like you were explaining everything, right, you're talking about mostly the software and the dependencies which are in the open source domain, right, but how people build internal software, they are generally different. They do not have those dependencies clearly defined. Today the processes are missing.
C: If you go to a RISC-V meeting, right, which is the folks who are dealing with the firmware level attestation of different things, right, they have their own ideas here, right. The process is, right, yes, you are claiming something, somebody will sign it, and then you will kind of verify it, that okay, these I trusted. So that thing is clear to everybody, but I think there are different use cases here. Firmware people want to operationalize this thing differently.
C: The idea would be that let's identify these domains, right, because supply chain, when we talk about supply chain security, my issue is that we shouldn't focus too much on open source. A lot of people do develop open source, but in-house development exists, and it is a fact, and in all big enterprises, they all are leveraging open source, but they are also developing a lot of their own software, how they promote stuff from one environment to another environment.
C: It's a very convoluted space right now, it's not as simple as it might look, right. So, just wanted to give my feedback, and that's why I do come to these meetings as well, just to listen in where the community is going, but yeah, there are other things as well outside which might influence this thing.
B: Yeah, no, and on that front, I know that we are very interested, like, if, you know, folks in the firmware, the hardware sort of space, and how they're viewing some of these things, we would love to have chats with them, because at some point we would like to, you know, begin to root the trust further and further into hardware as much as is possible, because that becomes a little bit easier to kind of manage, and we're interested in.
B: Seeing how other folks are, you know, approaching the problem as well, and we also want to make sure that, you know, given that supply chain is such a holistic problem. You know, because you're talking about, it's not just the software I built, it's the software that the things I depend on built, and it's those things, and it's my operating system, and it's not just my operating system.
B: But it's the hardware I'm using and the hardware that I'm, you know, building on, right, because if it turns out, you know, if Intel was backdoored, where it's, you know, none of what we're doing here matters. But I think those sorts of things are conversations we definitely want to have, just to make sure that largely, you know, we don't necessarily all need to be in lockstep, but are we more or less moving in similar directions?
B: I think that's, you know, very important to us. If you know anybody, if there's anybody that you think we should be talking to, if there's any groups, if there's somebody you think, hey, in a meeting, you know, the next few weeks, I know it's the holidays and everything, but, or next month or whatever, who might want to give a little presentation of how firmware providers are approaching the supply chain problem, we would love to hear them.
C: Yep, so I do not know about the vendors, whether they would want to open up their process, but certainly I'm also looking for this confidential computing and RISC-V meetings, because what's happening in, for example, trusted execution environment or TPM level, right. Those are some interesting developments as well. Again, root of trust is a thing; whenever people are talking about root of trust, ideally they are going for HSMs, and that is already there.
C: It's an established thing, people use it today in enterprises, but again there are developments around TPM, trusted execution environments. Can we leverage them, and whether it makes sense to leverage them or not, right, in this case is another open question, right. So yeah, okay, just here to listen to your view as well, that okay, what you guys are thinking in terms of open source, yeah.
B: Yeah, so I think on that, agree with you there, and then, if anybody else has any opinions, feel free to chime in. I think the thing that, you know, we're interested in, and because some of the stuff that we've been working with is, we have been working with some of the folks, like SPIRE is getting TPM integration support.
B: You know, some of the other things we're doing are getting TPM integration support, so that we can start signing with the hardware and stuff like that, so that, you know, you can make it very easy to, you know, as opposed to signing with a key that's stored in software, you know, like, sort of memory, you know, like, you could have a TPM sign some of that stuff.
B: The thing that I actually, I think, you know, and I've had a couple of conversations with Intel and a few other folks, is I'm not, you know, I don't think anybody here, at least, is asking for, like, hey, we want all the vendors to sort of open up how they're doing stuff at a hardware level, as much as start to provide, similar to how there's the TPM spec, right, start to provide better APIs in how somebody would integrate.
B: You know, how we would integrate with some of these things, because, you know, as folks have sort of said multiple times, I think, the TPM specs, the way that they're, you know, designed, the fact that there's so many optional components, and, you know, lots of differences between the different things, it's become kind of an integration headache for a lot of folks. But on that front, I think it's more of the generic, like.
B: Are we all applying similar sorts of rules? Can we build, you know, whether it's an IEEE, ISO, whatever, standards around some of these things? Can we start to develop, provide community standards around some of these things, so that when people are building the software?
B: On top of all this, that we can be, you know, we can be fairly consistent? I think that's kind of a big thing, and which is one of the reasons why we want to, you know, collaborate with some of these folks.
C: Okay, yep, good to know. If anybody, if any opportunity comes, I'll, possibly we will bring folks here, right. So, but yeah, it's good to know in general as well what's happening in the community, and yeah, just like you said, TPM, right, TPM should, you should generate the key and basically then sign that thing, right, but who is generating that key, right?
C: So who is providing these keys, right? If I am the person who can manage everything, right, so I manage everything, right, I can sign things as well for you. If it's my key, I will generate those keys on the fly as well. So a lot of open questions exist in terms of root of trust as well. I think, yeah, again, this we need to find out. Yes, attestation: set of claims. Somebody needs to sign, somebody needs to verify, but how to operationalize this thing, right. That is, that's for.
B: Yeah yeah, it makes sense. Yeah, I mean, these are, and this, these are why we want to have those conversations with some of those folks, and yeah. To be blunt, what I will say is, if some of the security vendors do not start, you know, and hardware vendors do not start collaborating more, I have a feeling, the, you know, in the open source space, a lot of the open source things that we're doing.
B: We will adopt those that are willing to sort of collaborate in the open source space. I mean, to be clear, I get that, like, a lot of vendors are not going to obviously want to expose intellectual property and those sorts of things, but it's more around, you know, I think what you're saying, right, it's like how should people be applying these rules and how do?
B: How can we start to do some of these things in a way that, you know, makes sense, and we would love to kind of also, you know, get more input from, you know, the hardware folks, so that when we, you know, as an example, right, we didn't really talk too much about TPM or hardware attestation, hardware-based attestation, in the white paper.
B: Sorry, in the reference architecture, because there weren't really a lot of folks from the hardware side who were available, who wanted to collaborate, but in the future, obviously we want to kind of make sure that we can collaborate with the hardware folks.
B: All right, cool, so yeah, next week, once again, we'll be having, I believe, an Amazon presentation on some of the supply chain stuff they're doing, also in the upcoming weeks.
B: For anybody who missed it, you know, we'll most likely have the paper, the, sorry, the reference architecture document, the draft finalized by the CNCF; the technical writers are cleaning some stuff up, and then that'll go out for, you know, request for comment, and then also in the next couple of weeks we'll start to re-evaluate what the next steps for this working group are going to be for next year.
B: All right, everybody, have a good week.