From YouTube: TAG Security Supply Chain WG 2022-01-27
A
A
There we go. Oh.
C
B
C
All right, so we we can probably get started. I am I might need to, depending on how things go, I need to hop off a couple of folks from the team are out with COVID, so kind of doing a lot of back and forth internally here so yeah. Just you know. Once again, you know your participation in this meeting must abide by the CNCF's code of conduct.
C
C
I know a lot of stuff is hey. Hindsight is 20/20, you know, Celeste had a. I feel like a lot of very good feedback about some pretty big issues within the doc, all of which I think, are completely fixable. So I don't think it's like hey. We should throw out the whole doc, but she did. You know, sort of bring up some pretty good points around the doc is quite long.
C
I think it would. You know it kind of kept bouncing back and forth between 40 to 55 pages. You know she thinks it's much better suited as 25 pages or less.
C
I think I largely agree with her on on those things and I think, based on some of her feedback that maybe even some of the stuff, that's in that document can be split off into sort of supplementary materials. Right like the stuff, the you know, 10 or so pages. I wrote, for you know what we called like the secure software factory implementation.
C
Maybe doesn't make sense to have that in that document, especially if the idea here is like hey, if you're an engineer, getting started if you're a C-level exec here's the high-level overview. Okay. Now you want to actually implement this thing. Okay, here's another document. You should take a look at, or just literally put it in an appendix.
C
We had a lot of different people contributing in a lot of different places and so we're repeating ourselves in a lot of different areas and in addition to that, there's a lot of different areas where we sort of more or less restated the best practice from the best practices guide right. You know so there's certain things about signing secrets, and so we more or less just sort of restated.
C
Here's how you should view your signing secrets, as opposed to saying here's how signing secrets work within the context of the secure software factory architecture, and if you want to understand you know the best practices for that see the best practices guide or specifically make a call saying, within the context of the secure software factory, use this best practice from the best practices guide right. We feel that other best practices might not work right. I think that sort of thing is is something that we probably just need to clean up a little bit.
C
I think just doing those things we cut out probably 20 pages from the doc right there, just just doing some of that cleanup.
C
So I think those are those are the the big things from from our perspective that I think we want to. We want to get done. Questions, thoughts, comments.
B
So I just have a clarification: just want to make sure you're when you're referring to kind of like the 10 pages. For like the C level, you mean the the part where you have the diagrams and then you talk about the individual, like subsections of it.
C
Oh so the thing that Celeste had brought up was so there is a section there that I had wrote up about 10 pages. That is like literally the implementation details of the secure software factory and she recommended either. It gets pushed obviously significantly further at the end or just get removed altogether, because she was like hey. If, if somebody who is sort of new to this sort of sees this they're like I it's all you know, people are not necessarily going to be.
C
At least my read on it is people are not going to be sure. You know wait. What am I even building here so it sounded like we need to kind of clean up some of the areas so that it becomes a little bit clearer that hey this section is more of the the C-suite or you know like the CSO level or the you know, executive level, here's sort of the thing that hey you're an engineering manager. You know you want to be able to kind of build this thing.
C
What are sort of the very very high level things you're trying to put together and then here are some of the more you know specifics and then at some point right, maybe in supplementary material. Whatever here are implementation details and there's there's areas we can clean up there, but the the the thing that she had mentioned is that it seems like we kind of are you know we have some details in areas that are maybe more high level. We have.
C
You know some high level guidance in areas that are very deep in the implementation details. We could probably clean some of that stuff up and then you know the other big feedback was just that. It sounds like throughout the doc. We're constantly restating the same best practices as opposed to doing something more like hey, use this best practice from this guide, or you know, and here's the specific best practice that fits within the context of the secure software factory or when approaching this problem in the context of the secure software factory.
D
D
Some some of her things are like good, valuable feedback. We should like internalize and process, but we might wanna like she's also leaving her job moving out. We might get a review from the second technical writer, but we also may want to get reviews from actual engineers.
B
B
B
Yeah, I think, there's a lot of like better points about. I think the the repetition I feel like definitely is a thing but like yeah yeah, we're talking about the same stuff and different names or in different ways, and maybe some of the stuff can be consolidated. But I think like like with like interested right with the engineering feedback.
B
I think you know the the opening it up for request for comments, will kind of get us more of the feedback and then I think, once we get the engineering feedback we can probably we will be required to go through a technical writer review again.
D
B
D
We have a writing assignment and we turn it in, and the teacher gives us an F. We can't be pissed like oh, why did he give me an F I was like. Well probably I need to like do better. I mean yeah. Look where I could have proof, but we cannot like defend the argument of like yeah. This is the the best manuscript I've ever written when.
B
B
Part that may be maybe useful. At least this is what I got from it is like. Maybe you had to be a bit more upfront with her audience at the at the start.
B
Yeah, I also want to entertain the idea that maybe because, if we want to make the prerequisite, let's say the supply chain white paper, then it's possible that we can move some stuff there as well and think about kind of, like updated version of that. If there's some stuff missing there.
C
Yeah yeah agreed and, and I I think that kind of also ties back into like another thing, which is just the you know. What we're talking about is not like some IETF or IEEE standard here right, we're talking about something that's very much like a living breathing thing that you know some of this. You know. In fact I was looking back at some of the stuff that we cited in the supply chain stuff where hey in the in the past month.
C
Actually some of these things are all you know, I don't say completely solved, but folks have done a lot of work in the community to maybe build practices around these things, and so I think we just need to make sure that folks recognize that hey this, you know, and I think we have done some of that, but maybe just even make it very clear at the very top like hey look. Some of the stuff in here could be no longer accurate.
C
Just because of very much the you know, the evolving nature of the space. Also hey look. This is not intended as a document, for you know the CSO level. This is intended for more of like the level of somebody who wants to become a subject matter expert in the space right.
C
You know who wants to better engage and know where to like start looking right, because I know already a lot of folks who have been looking at the draft just because they've, you know seen the draft either cited somewhere, because I think matter most and some of the other folks have cited in some of their open source stuff.
C
C
You know and they read this document and they are getting some value out of it, but I think that we could be a little bit clearer. I think the big things you know, the the big ticket items from my perspective that I think are really valuable from from the feedback we've gotten is.
C
We are repeating ourselves in a bunch of different places and, as Axel mentioned, a lot of it's just because you know this wasn't a document written by four or five folks sitting around the table. For you know two weeks this was you know a thousand or more folks over several months, and so we just probably need to make sure that hey, we clear it up clean it up a little bit, there's a few areas where I know we're starting to clean it up around hey.
C
What do we mean by trust in this context or trustworthiness, or what do we mean by you know, identity in this context like we might be conflating some words there.
D
C
C
You want the implementation go here or moving it to like some supplementary material that we just put somewhere else, and we kind of talk about that later, because I think that sort of just immediately takes 10 pages out of the meat of the document, which you know whether, however, you view it, I think kind of helps folks sort of see that this is more of the focus around the architecture. So I'm cool with that.
C
I'm also going back over the document and starting to find where we have either duplicated ourselves in certain areas and kind of saying. Maybe we should clean some of this stuff up or also. I think another thing that that I I agree with Celeste some of Celeste's feedback is. Is that we're using a lot of flowery language.
C
You know just sort of padding padding language as opposed to just sort of getting to the point on certain things and then saying hey if you want more details, see the best practices document. So I'm okay with kind of going through and highlighting some of those areas.
D
C
Yep, so the move thing, I think, is something that, outside of a conversation here right, if we say yeah, let's delete it. Let's re, let's rethink it, especially given that the secure software factory stuff that my team internally has been working on and that we are donating to the open source and actually the announcement should go out. The ninth, hoping that sort of thing is the the the implementation details and and the I feel like almost on that end.
C
We should just cite the README of what we built there and say: hey. You want more details check out the README here, which kind of has like the you know. We have a lot of actual implementation diagrams and all that good stuff and kind of saying, hey, let's, let's just sort of take that out of the document, but just cite that so that I think if we make that decision, that's just a simple one and then the other ones yeah.
C
It is a bigger thing, but I know from our end, we you know internally right. We would love to have this thing go out so that folks start to. You know right. The goal here is is to get folks to talk more about supply chain security, to get more involved in supply chain security to start adopting some of these practices, so that everybody's better.
D
Yeah, I think we got some some leeway on. How do we ship that part, whether it's within the same document or we put a reference in the repository or we make it a separate PDF, but we check it into the same repository.
D
C
Yeah, so on that end, I'm totally cool with, maybe being my stance, I think, is going to be a little bit prefer to remove than to leave in, and I will just sort of take that sort of general stance in my head, but I want other mentors to provide their feedback just to kind of say, hey Mike, I think maybe you're being a little too.
C
D
C
C
I think that there are some things that are being some other things that need to get done. Are, I think, just some general reorganization stuff. Celeste brought up a couple of good comments about hey. It seems like you're sort of saying the same thing about like I came or which one it was.
C
One other thing that I think we might want to think about which we probably want to think at a high level a little bit about being more consistent with our metaphors and analogies, so Celeste kind of said. You know hey you're kind of using a factory analogy over here, but then you're sort of talking about this sort of like brain circulatory backbone analogy over here, and maybe it makes sense for us to say, hey it's factory.
C
Maybe we just kind of try and stay consistent with like a factory analogy and like I'm kind or or be a little bit clearer of hey, defining some of the analogies up front right or being a little bit more. You know being a little bit more, you know, so I think on there. I would like to have folks kind of take a look. Take a look there and say: hey are we?
C
A
Hi this is Axel. I don't know if you can tell me: okay, yep, sorry, it's difficult for me to take on work right now, but I was just going to say it's not necessarily a problem to change analogies as long as you're clear about why you're doing it like if you address that, then the reader's like, oh, they were doing this, but now they're doing that. I understand why, because in this context you know the other analogy would break down.
A
C
Yep, I agree I just I think we need somebody to maybe to help take some of that, like clarification on, because as we're going through the document, I think it's just you know, there's a you know. The thing that I think kind of came out of a lot of the feedback is there's a lot of good information here, it's just structured in a way that is potentially confusing to the end reader, especially folks who maybe aren't super new. You know who are relatively new to the topic.
B
Alternatively, I think we could just I feel, like the end of the year, so analogies also kind of block the document a little bit more. I feel like, you know, the sections on like at the backbone and stuff like that. I think we just go with, like you hear other foundational components and stuff like that, I wouldn't mind like going through taking a step of like kind of streamlining it a little bit. I would say my my I would lean towards removing energies rather than like trying to change them.
D
That point who's gonna own, taking it to the next. Like hey, we worked on the feedback. He gave us here's the the next review and I'm working closer with like having a tight feedback loop with the whoever CNCF makes the editor or we're going to say, hey, we feel good. We did this. We're opening for public comment, who's doing that.
B
B
So I think we only have a few chances to get feedback from them. So I think we want to make sure we get as much as you can from the next round. Sure.
D
Yeah, if everyone's cool with that that works, what's the what's the acceptance criteria, we're setting ourselves, what are we mastering against when are we gonna do that? Is it when Michael moves out that stuff and excellent? You look for duplication in the document and address that you think that puts us in good shape to open it up for public comment.
C
Yeah yeah, no, I think I think one pass-through of once again, not we're not talking about any major. I think one of the things that came out of the feedback is we're not lacking in good content. We're just sort of you know need to you know. It just seems to be there's some areas that are just a little confusing there's some areas that need to just be like hey, you're kind of changing levels. So it's unclear who you're talking to in in you know this section.
C
C
I think we're good to go, but that's that's just you know my opinion.
B
I I kind of think that I know this wasn't mentioned, and maybe it's not it's not an issue. I I feel like there is a little bit of inconsistency with the level of detail of different different components.
C
Don't take that as you know, take that as we are purposefully leaving that high level because of either you know stuff in the like making sure that, like that, I think trying to think of of a way to do that without sort of hey. You know, okay.
D
B
Yeah, so I think another thing that we have to prepare for the public comment as well. I mean, if we don't do this now, is I guess, more director questions of what kind of feedback would they be looking for.
A
C
Yeah, and I I think yeah and to kind of add on to that, I think on that level. There's. Definitely if you, if you follow any of the comments from, you know, obviously newer folks who are asking questions in the group and asking questions in similar groups. There still is a lot of confusion about. Where do I even get started with this? You know with with my journey here and I think you're still, you know. I think this is going to also help inform, even if there are certain things where you say yep.
D
A
Thanks, I think, yeah. I think I'm planning to go over and just kind of take a look at the rep repetitiveness issue, because I think I I don't think I've read through the whole document recently it's hard for me to give too much insight off the top of my head, but I definitely want to take another look.
D
A
Yeah, I think same as Marina right. I didn't get chance to go through it recently. I was trying to do it last week, but yeah I got pulled into something, and but all this we can. I plan to go over it and address some of the issues that we discussed.
A
C
So my two cents on it is if it's make the if it's like a quick sort of clarification like oh we're using word x here pretty consistently and then we're using word y over there just make the chains change, I'm sort of making some big comments about like hey this section, probably can we can just remove it or we can make this section as opposed to this.
C
Like two page thing, it probably makes sense to just make it two paragraphs because we're already sort of restating it elsewhere over here, that's kind of where I've been making those comments like any sort of big change. I've been trying to make the comment, and then I wanna, I think it probably makes sense for us to go into the Slack and just say hey before I make this big change. Can you look at this comment over here, but anything that is like clarificati?
C
B
B
A
No, I think, I'm in the same boat as Marina and street pad, where I haven't read it in a while. I'm also realizing now that I recently lost access to my old, like corp email address. So I actually can't see the edits at the moment, but I'll probably send someone who has like owner access on the stock, my new email and then I can start like writing. Making some changes.
C
Actually that reminds me in case you you it. I don't know if, if on you've registered on all the Slacks, with that same email, you'll have to register.
A
A
A
To do this again, I had a similar problem when I got a new phone and I realized that I needed to change or get a brand new token to get into my corporate email and corporate VPN. I'm like okay, I got a new phone, but I can't leave the leave the store with the old phone because they want to do a trade and I'm, like I.
A
Do so whoops I forgot to I'll.
A
D
C
Yeah yeah yep, I'm I'm on board for for all that, that's one of my this is one of my primary goals. Even for my day job is just to kind of try and get this sort of stuff sorted out. The big things that's.
C
Yeah yeah next Thursday works the only caveat unless the other half of my team also catches COVID, in which case that you know I'll keep folks informed.
D
B
I was so confused there is. There is a few open items on making some of the diagrams more readable.
B
Yeah yeah, so no I'm not talking about that one! I'm talking about the one below the one that Michael has the the the source for yeah yeah. I think that's kind of more of a layout, a layout issue, rather than like all like a density of information issue rather than a design issue, because there's just two main boxes of one screen.
A
B
C
One of the other things I think somebody should take a look at is just the the intro section make sure that it is clear. Consistent has the intended audience says what is in the document. It won't be in the document, at least at a high level, because I know that one of the other really big things there was like hey reading through the intro. I don't know what you're telling me and I want to make sure that it's it's it's just you know it's clear.
A
C
Oh yeah, so we're talking about removing there's a couple of sections like the implementation section, probably moving it into its own supplemental material that will live alongside the the implementation code that that city internally has written up and we're kind of going to be making an announcement about in a couple of weeks and then next so that that's one of the that's one of the big sections. That's about 10 pages right there.
C
There were some other things just around which some of the other folks are going to start. Taking a look at, and I'm going to take a look at as well around just sort of highlighting some key areas where it does seem like we're either repeating ourselves or whatever. It's just like. The a lot of the the the cutting out of content doesn't actually appear to be cutting out of actual content. It's more of like stop repeating ourselves.
D
Less fluff, more substance, that's the goal we people will lose. You know the endurance to go drive through the entire reference architecture document. If we're basically boring them to death. Yeah chances are, if they're reading this they're in our line of work and we're they're just as miserable as us right. They have.
C
Yeah, I I think one once again, one of the big one of the big ones, which I totally agreed with from Celeste, which was one of the ones that can cut down a lot of the stuff is, it makes sense for us to go through and are we essentially just restating something that's in the best practices document? If we are, let us just cite the best practices document or specifically say you know.
C
If the best practices document lists a couple of different recommendations say we are choosing this recommendation because it works within the context of the secure software factory, the best and yeah. You know yeah, because I think there were a couple of sections I already sort of looked through it like, even though it has really good information on signature types or not signature types, but like around how different sorry, different key types and and secret types like you can have HSM.
C
You can have blah blah like a lot of that information is in the the in the best practices document, and so we can take that whole section out and just say you know you should be using signing secrets and if you want to have understand best practices around signing secrets, please you know take a look at this document. Yeah.
A
D
Shoving that and to append x or just drawing line and suddenly making a headline appendix and everything below below it, we probably want to make it a separate artifact and put those in the same directory as supplemental material but yep. If we're, if we're doing 25 pages, let's do 25 pages, not still 50 pages, but like half of it is appendix.
C
Yep, I agree with that, and I think that what you just said also opens it up, where I think the general suggestions we're talking about the secure software factory are going to live longer than the specifics of the like. You know, oh, you should be using.
C
You know, because I think, even just in the past couple of months, a whole bunch of stuff has changed with SPIFFE right, and so, if we recommend you know some of that, you know if we recommend a certain tool or, or we say hey like a specific detail or implementation detail, some of that is going to change, and so I think, having those things live elsewhere, where those could get updated on a different cadence would also be valuable.
D
C
Yeah anybody else any. I know some folks have sort of come in a little late, just to kind of give a little bit of of context and and feedback here. So we are. We got a lot of good feedback from Celeste, the tech writer. You know, there's some pretty big changes, we're going to be making to the document to make sure that it is clear.
C
You know who the intended audience is that when, in the different sections we're clear about you know what level of detail we're talking about in the individual section. There's a couple of areas where it's been pointed out. That's our it's been pointed out in a couple of different sections that our there doesn't feel like.
C
There's a unified voice, a lot of that's because obviously we have you know when you have a dozen people working on a document and we're not all you know it's not just a handful of people sitting around the table.
C
It's gonna be a bit harder to have that initial consistent voice, so we're gonna be doing some stuff to clean up that we're gonna be doing some work to clean up some verbiage to make sure that we're consistently using certain terms so that we're not confusing the reader and we're also going to be removing some sections that you know, even if they're valuable, they probably aren't valuable within the context of what we've defined the document to be they're. Probably it's better to cite that cited as supplemental material that lives elsewhere.
C
And yeah.
A
A
C
Oh, and and for Ava's question I would say right now. I think the main thing is just it's. The group that's already been kind of like so this thing will be going out for community review and broader community review. So right now it's mostly, I think, and I don't want to you know, impose on anybody else to come in, and you know at the 11th hour and like hey, can you you know come in and totally read through our document and figure out. You know all the things wrong with it.
C
So on that note you know I don't want to impose on anybody else. You know obviously we're always looking for for more feedback, but I think if it's more along the lines of hey, you know, I think what did we say when we were going out for the community feedback? It's going to be technical acumen, clarity. It's.
D
Yeah, if, if you're, if you're going to give it a review or give input, it's going to be very much along the lines of what the CNCF editorial review is and you're going to be like. I can't even read this we're aware of that: we're going to work on addressing that problem over the next week. So we've we've identified and acknowledged our shortcomings and we're gonna we're gonna improve that and from there on it, yeah we're gonna need your review and input from that point.
A
I can completely appreciate the difference between an editorial review and a technical review, so if you're interested in technical review, I'm happy to give it a read, share with a couple folks quietly and see. If there's you know technical things worth changing, adding lighting and and stay away from any editorial commentary.
D
Let's, let's hang tight for a little bit, it'd be great to parallelize that but we're treading water as this.
A
Totally fair: do you have a sense of when, when you'd like whether it's selective or more broad technical input, so I can try to make sure there's time on my calendar.
C
Yep anything else, otherwise we can probably, I think, we're at diminishing returns, at least talking about the doc. I know one of the things for an upcoming meeting. I know a few folks have brought up some things that they wanted to demo. I know was it, you know Cole Kennedy, one of the contributors of the best practices document has been working on some tools. I think he's calling Witness who and he wants to sort of demo some of that off in the coming weeks.
C
There's a few other people who want to demo some stuff. I know we probably want to you know once we are have officially announced the what we're calling the secure software factory, but we're thinking of a maybe theater name to not confuse it with the the reference document. You know as a you know, we would love to demo some of that sort of stuff in a few weeks and and start to also maybe in after once again.
C
I don't want to talk too much about next steps right of for the group, because I want to focus on on this, but you know once this sort of thing does go after the sort of broader community. Maybe we we spend a little bit of time chatting about next steps. For, for this group, sound good.
B
C
Yeah awesome all right folks. Any other final questions, comments, concerns otherwise I'll give everybody back nine minutes.
A
So, Michael click on sorry yeah, so I spoke with Patrick right like so he's also interested to give an update on 1.4 version and what is new and all things. But the big challenge is that he lives in Australia so that time I think it's too early morning for him. I think it's kind of 3 a.m. there. So so he told like something like 9:00 pm UTC time or something like that. So is it possible to schedule a surprise session or how you want to have it.
C
I'm this is where I'll defer to the other folks. Here the you know Brendan and Andres, like I, I'm okay with saying: hey, here's a one-off meeting to help out somebody who wants to give a demo who's who's. You know lives, you know whatever. It is 12-hour difference or something like that. But I I don't know what all the the mechanisms to kind of schedule a thing like that would be.
C
Oh yeah, so Patrick from CycloneDX wants to give a demo about the new 1.4 thing, but, as Vanad mentioned, Patrick lives in Australia, and so this would be like this sort of meeting would be something like 3am for him, and so would we be comfortable, maybe scheduling a you know separate from this meeting a demo at some point at something like. Was it 9 p.m. UTC, which is wesley.
C
Which is 4 p.m., hour, time or sorry, my time in in Eastern, so I would, I would definitely be fine with a one-off at that time.
B
Yeah, we we just need to create a Zoom link, and then I mean we can use the same one. And then I can.
A
A
C
Good with ending it so yeah I'll be on the Slack. If folks have questions, comments, thoughts, I'm probably gonna be probably pinging some folks in Slack. Just to you know, triangulate, you know, feedback and and say hey. I think we, you know, I have a if, if there's anything that's big that I want to get more people's thoughts on I'll definitely ping it in the chat and with.
A
B
Okay, let me take a look at that, then.
A
All right, okay.