From YouTube: CNCF Security TAG Supply Chain WG 2021-06-04
Description
No description was provided for this meeting.
D
Robert and pop are on the other one. Oh no.
B
I just gave the link under, so, because we were both in the wrong Zoom.
D
Okay, Emily, where did you all leave off from? I read your meetings from last week, your meeting notes. Where did you all leave off, and where do you want to pick up?
A
So it was super lightweight. Last week it was more about: we need to figure out what our next steps are. We need to define what our next deliverable is, and what does that look like, and folks should come prepared with ideas for what that is.
A
There was also feedback that we got from Clint Giller about some small tweaks that could potentially be done, such as providing assurance categories against the checklist that we put together. So if someone was interested in tackling that, that would be much appreciated, but other than that it's come with ideas, so we can decide what the next thing is. And it sounds like Brandon and a few others from the group that have been talking out of band are excited to come to present their idea.
E
All right, yeah, so I met up with a couple other folks, and then there were basically a bunch of documents circulating around. So I decided, you know, let's get everyone in the room to have a chat about it. So apparently there have been multiple efforts to do secure software factory, and people have been having multiple implementations and designs.
E
So the folks that I was talking to was Jonathan Meadows, who was doing this on behalf of Citi for their infrastructure, that they will want to have a reference architecture from. Then Laurent also has a proposal that I put in the issue, and that is a very detailed one. And I think the discussion is that both implementers are kind of at the same stage of figuring things out, but they wanted to bring folks from the other community.
E
So the main technologies that they were looking at were Tekton for the CI. We have TUF, in-toto and Sigstore, and these were kind of like the things that the discussion was around.
E
Obviously, the end goal is to say here's a reference architecture, and has some sort of open source implementation that we can point to, to say, like, you know, if you really want to take a look at this, then use all these open source tools and implement something similar. Kind of, I guess you could say, this is, if you see in any of like the NIST and such industry reports, it's something like that: here's a reference architecture, here's what we did, here's maybe a quick demo of how it works. And really, I think, what we were talking about was maybe a group of implementers coming together to work towards like one generic solution and then writing a reference architecture from that.
E
Yeah, so I think the idea was to kind of keep it technical, keep it focused, keep it within a, you know, have frequent meetings, kind of almost like a sprint, right. Yeah, yeah.
D
Some of these efforts have different goals. So I'd like to check with the team that we don't feel that we're being pulled in different directions. I don't think that we are, personally, and that we're still doing what we got together and have the energy and the desire to accomplish, and we're not suddenly doing something else because others are as well. Then, when we talk about a generic solution, one trade-off is, well, the reference architecture that's being discussed and the projects involved are somewhat opinionated, or could be perceived as opinionated.
B
And make it almost like a proposed solution and then have it, the doc, be almost open-ended, where somebody could take other components. But the key high-level aspects of this should be: what are we trying to accomplish from the software supply chain perspective? And then, but this, like, I believe that there should be a group that's almost like a SWAT team that is literally just focused on the actual mechanics of this, versus the, you know, in tandem with, like, an overarching doc of some sort.
E
Yeah, so I think that there are two aspects of this, right. So if you looked at, like, the NIST IRs and stuff like that, really half the document is about introducing the problem.
E
Sure, that we set the stage and make it clear that this is an implementation, not the implementation, and, you know, just break it, like you said, breaking down the components, talk about, like, oh, here are the different things, and here are examples of certain things. So I would say even this could end up being, you know, we have to implement this, work on this.
E
At the same time, we have maybe a potentially slightly bigger group of people working on, like, the problem space and the layout, the reference architecture portion of it, right. As long as there's just alignment between the groups.
D
That's fine, yeah. Ideally, if the implementers can self-organize and they're really clear what they're setting out to accomplish, great. But if someone needs someone else to come up with a Kanban board so they can burn through that board, and we're gonna have people of different levels wanting to pitch in, right. So we might get a couple of junior guys that are really eager to write code, so we should make it accessible.
B
I think we have to be cognizant of where the end goal is, the short-term goal and the end goal, right. And I feel like, short term, it's have a git repo with some type of reference architecture somebody can take and then iterate on top of, which again will be somewhat opinionated, because this is, you know, I think, to a certain degree, but it should be okay. Now you can go and take this and do other things if you need to.
C
I agree. I think the hardest thing right now with that paper is that it's just, for a lot of people, based upon where they work, it's a totally foreign concept, right. You can't interact with it. Even Michael and I were talking the other day. Michael, did we ever figure out what's the open source alternative for Artifactory, for an artifact store? We don't, like, what would we recognize? I was thinking about that too.
C
If we were to do a reference architecture for other people to pull in, what would you use to represent that piece that people could actually access? These are the sort of questions that we should probably start answering now, you know, like, what would you want to see? I could think of.
C
It's making it publicly accessible, it's the hard part, yep. So.
F
Yeah, there's two things I just wanted to bring up real quick. So one was, I think, at a high level, it's like, hey, we should probably keep looking at some of the prior art. Like, I know the DoD has done.
F
A lot of work on software factory could prove useful, just to sort of look at how they've sort of pushed some stuff. And then the second, I think, is it ties into what Richard was saying, is more about like a practical concern as well. Unlike a lot of the other software, where it's just like, oh yeah, if you're running, you know, kind or another Kubernetes cluster locally, you can kind of do some dev work. Yeah, software factory is quite large. It consists of a lot of, you know, big infrastructure components.
F
I think it's also one of the early things we're going to need to solve is, like, how are we going to be doing dev on this? How are we going to be, you know, because it does require a lot of infrastructure to sort of run: an artifact repository, a Kubernetes cluster, a build system and all the things you would expect to be part of a software factory.
E
So I kind of wish Jonathan or Dan was here to kind of talk about the scope of it, but I think probably this is a good time for them. Yeah, well.
D
I think we're teasing out principles we want to arrive upon for that architecture, like how extensible do we want to make this, right? Is it something that we're going to provide an SDK for the software factory, or we're just, like, stitching and gluing together existing things and saying, like, oh, go use Harbor, go use Tekton, go, go.
E
I think that's, I feel like that is kind of a question of where things are and how developed things are, because, you know, as with a lot of reference, it's just, let's say, like, eighty percent of it is, you know, easy to do, like Michael was saying, right, Kubernetes cluster, put things there. And then certain things are, like, very involved, you know. So then the reference architectures that talk about how we root our trust: you know, you need a TPM.
E
You need all this hardware, specialized hardware, and I feel like, I'm not sure whether we can have a, whether we can just talk about this. Like, I feel like there needs to be implementation details that come into this discussion in order for it to make a bit more sense. Can.
B
We make that, maybe, I'm sorry, okay. Can we make that maybe a deliverable as part of the, you know, obviously part of what the group would have to do, is one, come up with a minimum spec, to come up with, like, you know, what is required for an initial spec and then growing from a scale perspective. But we need to get that initial spec out the door, right.
B
That's the thing, like, we can deliberate over this forever, but, like, I feel like we get it out there and then we kind of just iterate, and, right, that's the beauty of git, I guess, right. We can sit here and PR the out of this until we're at a point where we love it, right. I'm so eloquent this morning, aren't I? Not. Sorry.
E
Yeah, so I think we should definitely have the, just go the scope discussion, right, and then I think it should be, but I feel like the implementers should be here for it to tell us what's feasible and what's not.
D
Let's run it, let's run it as a software project, you know. And, like, Jonathan is one of the leads for this group; Dan is not a member of the group. It would be fantastic to work with them, but I don't want to outsource decision making to people who are not on the call. I really want to see the folks here step up and be participating in it, rather than us doing staff augmentation for other people in their projects.
E
Yeah, no, I agree, and I think that that was the main reason, kind of, us asking them to come to the community. I think it's more of a scheduling problem right now that they're not here, so I think we can probably resolve that, yeah.
D
That's fair. And yeah, the more the merrier, but it's good if, like, we also give, sure, I'm sure Dan is going to have, like, really firm architectural opinions, but we also want to capture the wants of others if we want to make this generalizable and applicable to everyone, and not just the most burning pain points and use cases of a particular organization. And the other part is, you said, yes, 80 is easy, but that 20, those gaps.
D
If we want to determine those, well, those are opportunity costs: we're not going to focus on that, or we're going to state, hey, 80 is easy, anyone can figure it out, we're going to focus on building the 20 that's not there. And how do you assemble that crew that's going to build it? Who writes the spec, who reviews the spec?
A
So I think, for the purposes of discussion, ticket 679 is the most appropriate, and we can tailor it and adjust it accordingly, based off of the scope requirements defined by this group.
A
I think that should be better as a PR to the repo as an ongoing project. That way those individuals have been identified, and we can provide a README within the repo about planning, because there is a supply chain security folder now in the repository, and we need to be able to update the owners of that, so that Jonathan can also contribute and merge PRs, and a few others.
D
Outside the administrative part, Richard, you went off mute and wanted to say something.
C
No, I think that's a solid next step. I, you know, and it would be, would it be the same working group? This would be just this? We just change how we actually interact. Is that the idea? And.
E
It is really dependent on the people leading the project, so I think we leave that up, you know, to, in this case it will be between, you know, Andreas and I and Jonathan, and whoever decides to kind of want to take up a bigger role. I think whatever works between them; we usually find out what's best.
C
We have one tool: we have Zoom. Okay, cool.
C
Hey, I'm all on board. I am curious, and this would be, like, my first thing I'd want to see is, or just in general, what would be the gaps we'll be missing to actually make a solid implementation of this? Because, like I was saying, like, I can already see a couple things that I just wouldn't be able to answer for today if I wanted to write a solid, you know, reference implementation for it. Do we only do open source tools?
C
Is that, like, what are the constraints as well on this project? I know these are probably more implementation discussions that will have to come later, but it'd be a good thing, probably, to have people start brewing these ideas.
E
Yeah, I know with, like, the other stuff that we are doing with the Cloud Native Security Map as well, for areas which are pretty mature, we try and just provide the open source tooling. For areas which don't necessarily make that much sense as, like, open source projects.
E
So, for example, one of the things that we had in the Cloud Native Security Map was, like, DDoS protection, and there isn't an open source project that does the protection, because it's infrastructure based. So for that we defer to, kind of, like, here's some services, or here's some companies or methods to protect against it. So I think there is some flexibility, but there is always, like, a tendency to favor open source, like for the open source projects. Yeah, okay.
A
Yes, and just so everybody knows, the CNCF and the Linux Foundation actively seek out gaps within the ecosystem and the community, so that they can be aware of new and upcoming projects that they can kind of help support that fill that gap, or perhaps kind of put a bug in a couple of key players in the field's ears, so they can go through and start doing development.
C
Cool, awesome. What are the next steps? Got two minutes. Do we have two minutes or do we have 30 minutes? Yeah.
B
We need to identify a software team lead, like, basically for the actual, like, where the rubber meets the road. The document, like, it feels like, again, Dan and John Meadows should be around at least to kind of define, like, that high level, but we need somebody that's the kind of the rubber-meets-the-road project management of this reference architecture deployment.