From YouTube: TAG Security Supply Chain WG 2021-09-30
C: I might be, I'll be listening, but I might be in and out, just because I spilled something on my keyboard and so have to. I just fixed it all, but I think I need to now put in all the screws again, so I might be a little preoccupied there.

A: You see a lot of repeated keys.

A: But the date, the first, the first probably 15-20 minutes.

C: I can also give a little bit of an update on the example stuff as well.

A: All right, so agenda building. So currently, based on chit chat in the past five minutes, I think we have the usual check-in on status on the reference architecture. You know, this is one of the projects that we are kind of highlighting in the sessions at KubeCon, and we want to make sure that, when folks that see this at KubeCon want to come and contribute, they have kind of a good base to contribute. They know kind of what is wanted at this final time in this project, what kind of expertise is required, and so on, so far how to contribute?

A: So I think the main things, content points, that we want to get to put in this issue is, you know, one? What is, what do we need contributions for? The second thing is: are there any gaps that we need? Specific skill sets that we need contributions for. And I think the third and final thing is to kind of add a few teasers about future work that, you know, once we have on the initial draft. You know, we talked about in the past about exploring other areas, there's the whole, like, going to implementation and things like that, so I think, you know, that's kind of like a broad.

A: Here are some other things that the working group wouldn't be working on, and so please join if you're interested in, you know, participating in the conversation, yeah. So I wanted to open up to the comments about, you know, things that we need probably contributions for, maybe we need certain forms of particular expertise, some ideas to work on the future. You know, I think, let's do this free form and hopefully, at the end of this, we can kind of collect these things in some ways in the issue.

C: Yeah, I definitely think everything you said there makes sense to me, and I think one of the things is, from my perspective, and it's sort of a broader sort of thing is, it would be, I think, nice to get some differing, like, what, let me take a step back. So we have talked about what sorts of, the general high-level concepts we've talked about. Also potential implementations, or, you know, like, hey, if we use this tool, this is perhaps how you would do it. But I think it is worthwhile to build some additional sort of consensus around some of that, especially around the differing tools. Like, as an example, yesterday was a Steve Lasker, I believe his name was, you know, showed off how some Notary and ORAS stuff all works together, and it largely seems sort of in line with how a lot of folks are approaching the problem, including, for example, the sigstore folks and the, you know, other folks that are using sort of the more Google sort of stack and so on. But I think it would probably be useful for us to maybe get some additional.

C: We, you know. Obviously we want to be as generic as possible, but we also want to make sure that, you know, if all the tool vendors are, all, you know, are not vendors, but if all the tool projects are going in different directions, we do want to make sure, like, we have a better understanding of what that means for us.

A: Okay, that sounds good. So it sounds like this is, we want to be able to solicit participation from other projects that are orthogonal as well, as I think the other part of this is to make sure that we are kind of going the same direction, right, or at least making the same assumptions.

C: So the stuff that I'm at least concerned about is just, in anything we're doing, is it going to be, I guess, with all the plan changes that have been happening to OCI, the stuff that has just recently been sort of accepted, and, you know, yes, the tooling hasn't adopted all of it yet, but are we doing anything that precludes us from, you know, that stops us from eventually adopting any of those things?

B: I don't think that we are. If that's a concern you have, or is the concern advert like, or making it clear to potential users, contributors, interested parties that this is in line with OCI's path?

C: Yeah, so actually part of it is literally from my ignorance as well. I don't, I honestly, like, you know, I'm seeing a lot of these things, and from my naive looking at it, I don't think we're doing anything, but I would love to hear more from other folks just to make sure, hey, like, if there is something in the document that somebody goes and says, oh, that's really out of line with what, you know, they're going to be implement. You know, what the something's coming in OCI, or something that, you know, just going to throw something out there like, oh, you know, did you see the NTIA draft for SBOMs or whatever, it's like, oh okay, we didn't realize that, like, you know, should we be involved in those conversations and so on. So that was just, it is just like, yeah. You know. We should just make sure that it's very clear.

G: There was other thing that I wanted to basically just bring in. So there was a CSA release, this serverless security article or white paper, recently. I was reading it, and one thing I found missing in our white paper is the discussion around how whatever controls or whatever recommendations we are making, how, where they are going to help them, right. Are they going to help them protect against what scenarios? In that serverless one, I found that they had clearly mentioned: if you do this, this will allow you to prevent attacks like this or some compromises like this. So maybe we should have that discussion, because I don't think we have any discussion around security attacks or what possibilities are there if we don't do this. So anyone has any thoughts?

C: Yeah, agreed, and I think one of the things that we were looking at was, you know, for example, SLSA, just because it's one of the few actual sort of specs around it. A bunch of the folks on this call are definitely involved in that as well, including myself. I do think that we should, because even as that's, I think it's v0.1, not, you know, very, very much early on, like, they're considering it very alpha right now, with stuff going to be changing. I totally agree, though, because I think the thing here that we want to, there's like two things we want to make sure of. One is, we want to give folks the holistic picture, right? We want to say: hey, look, you know, if you just use, you know, as an example, if you just use in-toto, but you're not validating what in-toto, right, is actually running, well, you're not actually getting a whole lot, and vice versa, right. If you're validating what the individual steps are doing, but you're not validating that the output of one step is what the next step used, then you're also, you know, not getting a lot of value there. And so we want to make sure that there's, like, inevitably some baseline we need to kind of set and say: hey, assuming you hit this baseline, here's the things that, you know, you're going to get, and then above that baseline, if you're doing these things, here are those extra, here's, that, here are the extra sorts of, here's the sets of attacks that we believe are mitigating against.

C: You know, I don't know how we, and to be clear, I'm not like a threat modeler or anything like that, but I do think it's worthwhile to talk about, you know, what level of sophisticated threat actor and so on that we're talking about here, right. Like, I don't think there's anything we're saying that's gonna prevent a sophisticated state actor who has already compromised the Linux kernel from, you know, owning you, but I do think we can say, hey, this would, you know, prevent these sorts of attacks.

A: Okay, so I think I've three broad points: our inclusion of other things like OCI, although this doesn't seem to be as much concerned here; the stuff on serverless, I kind of thought about it as use-case-specific implications, so maybe use case analysis for use of the reference architecture; and the last one was threat modeling and, you know, what are the considerations, reference architecture? What does the use of the reference architecture mean? Or what does it get you? You notice that multi-stage approach, running things out and things like that. Before we add anything else on the first point of bringing in other technologies that we may want to make sure we have alignment with, or we want to make sure that they do have a voice or influence in the reference architecture.

C: So, from my perspective, I think that there is, and actually this is up for debate, does anyone think we are saying anything or making any sort of opinion based on SBOM that we think that we need to bring in folks either from the SPDX or CycloneDX or SWID or anything else, or do you think that our stuff is generic enough that, you know, we could easily adopt any of that, and it wouldn't stop us from doing anything else?

B: I think in general it's pretty well written to be vague about specific implementations, I think not just for SPDX or whatever the SBOM format is, but also, like, it doesn't actually mention OCI. It doesn't actually mention, you know, registries when it's not an important thing, it doesn't actually mention any specific implementation of how or where your signatures are written. So I think all of that is very good for making a reference architecture that does not make specific implementation guidance about these things. Well done, I think it's a good way to write this so that it's as non-controversial as possible.

C: Yep, that makes sense. Actually, one thing that I just realized as a quick aside here, given that the sort of demo I had given last week and the way that both the Notary and ORAS folks and the sigstore folks and a lot of the other folks are taking a lot of things, that the way that a lot of folks are starting to push a lot of the supply chain stuff is in stuff like including these metadata and attestations alongside the repo, the actual image repo. So like stuff, like, you know, as other tags or whatever inside of the actual, to live inside of the actual OCI registry. Do we feel comfortable also stating that as an opinion, like saying, hey, look, right now we're focused on the cloud native stuff, and because we're focused on a lot of the cloud native stuff, we're saying, yes, store your SBOM alongside your image, store your, you know, inside the registry, rather than saying, hey, it should be stored inside of some other metadata store, some other database or whatever. I'm just asking because, like, I found it to be very, very easy to do it, the storing it in the other way, and I just, you know, but I also recognize that that's a very big decision.

H: I think it makes a lot of sense to put it inside the registry, and I think that's where a lot of the community is going, is to put this on the registry. The question I wanted to throw out there was, chatting with some of the in-toto folks this past week, of: does it make sense to send attestations out to end clients? Does it make sense to only send them the final signatures? How do we eliminate kind of a single point of compromise and a lot of risk?

C: Yeah, I think there's a couple of things. You know, if we go all the way to the right, it is policy as, like, admission control, right, and so that's how we're using it in the demo, and the examples is literally showing, like, hey, I have an attestation, and then also the thing that we found to be very useful was, and to be clear, I don't want, you know, this is just my opinion about it. So if other folks have other opinions, like, I don't want it to come off as a unilateral decision. But the thing that I am sort of curious about is, yeah, like, the thing that we've done is, you know, yes, the attestation that I have an SBOM, right, and some additional stuff there, that the SBOM has been scanned for no vulnerabilities, right. That's not the attestation; the material that proves that attestation is also stored as an object in the registry, and so that's all the way to the right, and then the other things that we've been exploring is exploring stuff like.

H: Yeah, that's right. For me, the place the questions come in play is, if you're building all these attestations of, okay, I ran all these steps, to the end users that are receiving these secure artifacts, do they care about that level of granularity, or do they just want to know, hey, this is a sign that came from the approved vendor, and that was all they cared about? And so I'm kind of focusing on where's the right level of, you know, what kind of attestation, security, signature or whatever we're going to give these artifacts. The person that verifies that later on down the road, well, that's now expired. Signing trill is only accessible within the SPIRE environment. You can't even get in there to get some of those details, so I'm trying to sort out where it makes the most sense to get the value out of here. Then you just want, go ahead, Brandon.

A: Yeah, so I think this is good discussions, since this meeting is kind of, I don't want to derail this meeting. I know we really wanted to talk about progress on the white paper and kind of working on that. So I put in the meeting doc notes, you know, this would be a good time for anyone, if there's, like, anything that you wanna, you know, you're passionate about, you wanna kind of see in the future in the work, put it all there. You know, Michael and I will be going to the crown centers, I said, kind of put it into issue format with Andrus, and then we will share with the group again to kind of get another. I would worry that if we do that right now, at this point we would scope creep the whole thing rather than what we read last time. That would make it in, right. We can, yeah. I can delete that in a minute. I have seen Matt Moore try to go off mute a few times, so, yeah, I don't know if you still have the train of thought of what he wanted to say, but.

F: I was just going to chime in on this sort of storage medium thing. I mean, I don't know that it makes sense to be prescriptive in the doc about that folks store it in the same medium. I think that, you know, it makes sense and will probably manifest that way, mostly because, you know, in terms of, like, what storage mediums are available and accessible to policy systems, and, you know, if you're talking about policy on containers, well, you have a container registry available because you're consuming containers, so it's sort of a lowest common denominator thing that's available that can serve, you know, blobs of information, so it's very convenient. But, like, and I suspect, because of that convenience, a lot of folks will use it, but, like, it's by no means the only right answer, and so I don't know that it makes sense to be prescriptive about it, and, you know, to be fair, a lot of folks, well, there are folks out there. There exist folks who are using container registries to store the container metadata, but are using a separate repo for the signatures versus the artifacts themselves, specifically to sort of separate access control around those two things. So, even if you were using the same sort of medium, you might be using sort of separate partitions of that medium, and so there's, I think, many, many, many ways to hold it, and I think, you know, by no means have we seen the end of it, but I think that it will often make sense to piggyback on the same or similar medium to the one you were signing when you can get away with that.

F: Some folks do that. I don't know that we even need to sort of advocate one way or the other there, but there are reasons you may want to sort of partition access control across those two things, but. An instance where, you know, something like OCI might not be involved is something like storing source, right. How do you deal with storing sort of signatures and attestations when, you know, you're talking about stuff in terms of, you know, a git repo? Signed commits are nice, but they can't store the full breadth of things that we might want to sort of claim about a particular source commit, and things like that. So, just to sort of counterbalance a focus on things like OCI, right, I think there it may make sense to try and find things to piggyback on in terms of the git medium as well, because it's convenient, it's there. But, you know, if someone wanted to use another storage system, like, say, you know, Grafeas or something like that, that, you know, has a way of referencing things in your medium, right, that's another way of doing it, is perfectly valid, if you can sort of, you know, do all of the things that are sort of described at a high level in the doc. You know, to Jason's point, right, I think the doc's done a really good job of staying very abstract, and I think that's fine, but, like, when we're pointing to examples, it's gonna be really easy to find examples where folks are doing what we've been talking.

A: Before we continue, I just wanna keep levels, keep in mind that we were having this discussion kind of just as an opportunity to kind of answer some of the questions that we may have, that, you know, because of KubeCon coming up, where we have a huge, we will have some publicity on the work, we can get some answers, questions answered again. You know, we've kind of talked a lot about some technical detail. I want to make sure we're not, this, like, interested, we're not distracting away from, yeah.

I: While you're still here, I know you opened up a ticket with the CNCF service desk for illustrations. Did they ever acknowledge that, or should I try to jump back in and do that? Do those myself for fun.

A: So I think I was waiting on, so we had two illustrations, right. We had one which was the high level six things, the three rows, and then we had one on the reference architecture. I think I was waiting for the reference architecture one to be kind of fleshed out a little bit more, because, you know, it's difficult for them to, for us to engage them and then try and engage the same team again to kind of edit the work. So if we can get more, I know there were a lot of comments on that particular reference architecture diagram. If we can kind of flesh it out a little bit more, I can ping them again on that.

J: Hey, so maybe tying back to some of the previous conversation, but also taking a step back towards other things. I wonder if there's a, like, an intent of the supply chain that's conveyed at all in the document. In terms of, like, there's a lot of perspective, I think, from people building upstream open source components resulting in an artifact that's distributed to someone to consume elsewhere, and that's, like, the beginning to the end of a supply chain, versus a large enterprise that is producing a whole bunch of artifacts internally, and maybe, like, that would lead to an opinion about whether or not to use a centralized metadata store versus attaching artifacts, you know, individually to a registry or something like that. So there's an intent behind the transportability versus the centralization that may be different depending on your purpose, and I don't know if that's worth getting into, like, super complicated, and there's a lot there, so.

C: Yeah, so I don't know about anybody else, and I apologize, that doesn't actually, like, outside of, you know, web applications for use, like, we don't actually distribute software, we don't do any of that sort of stuff, and so for us we definitely do have that perspective. I think we want to keep some of this, you know, generic, and from our perspective, I think, you know, I don't want to go too deep in this conversation, but, you know, for us a lot of it's just about who do we trust, more than necessarily, like, the more transparency we can get, obviously the better. We would love to be able to say, you know, every vendor gives us their SBOM, so if we ever need to go back and say, oh, this vendor tool, it now has this vulnerability in it, we know it has a vendor vulnerability in it, and so on and so forth. That's important to us, but if they work, you know, but we are also potentially okay with stuff like, hey, they signed it with their key, we trust them, they're a big vendor, or they're a vendor and they have had their process audited, right, such that we trust the auditor that has done that certification process. So yeah, so that's kind of my quick perspective, there's obviously a lot more there.

G: Yeah, I think we can just have this, this one fundamental discussion, right. Whenever we are proposing some security control or some type based practices, you can just refer it to maybe the SLSA model, or just refer them to one of the possible scenarios, attack scenarios. We probably don't want to get into the actual, this will be preventing, let's say, SolarWinds. Instead of getting into that, you can just be abstract, that it will prevent any malicious intrusion into your pipelines and stuff like that.

E: I think we want to recommend SLSA level four across the board, but I don't think you can quite get there today. Yeah, a lot of what we're recommending, if you're not putting, like, SPIRE in a different trust made for your signing of provenance, all of it is still SLSA level 2.

C: Yeah, so on that front, at least from my perspective, I think the thing is, we're trying to say, assuming you're following the architecture, right, and you're following the rules as outlined in the architecture, you should be able to achieve, your artifacts should be able to achieve SLSA level X. That, like, you know, so it goes through this process, and, you know, given that we are saying you should, you know, you must do these things to follow the architecture, then your artifact should be this SLSA level.

E: That makes sense. I mean, I definitely think it's reasonable for us to at least say, like, oh, like, you should, you can achieve SLSA two, like, I do think that's a very reasonable level. I don't really know of any real world examples that are at three or four right now. That's just me. Maybe I'm missing something.

C: Yeah, well, I'm familiar with a few, in a previous life, that had gone that sort of direction, but it was always for, like, something super specific. It was, like, a very minor set of, like, hey, this is our crown jewels, our core library, for all this additional functionality. You know, we had multiple party security review, multiple party code review, multiple party, you know, we were enforcing that it was reproducible and the whole nine yards, but I don't think we would, yeah.

D: If I can find my mute button, yeah, I mean, so I agree that I think we should have some sort of, like, I think particularly right now, SLSA is getting a lot of traction out in the community. A lot of people are looking at it. I think it makes sense for us to say, you know, this is something that everybody is, or not everybody, but a lot of people are becoming familiar with. We think that if you do this, you achieve level X.

I: Yeah, I think that's what I was trying to suggest, rather than spending time to threat modeling and, like, achieving, well, what is it that we're even threat modeling for, is saying, well, let's try to map this to SLSA levels, because I don't think we know, we presume at best we could do two.

C: Yeah, makes sense to me, and I think, based on what we've shown, and in fact, actually, since a lot of the stuff from looking at stuff like Tekton and Chains, and just that general approach of the problem, I think we're a little bit past two, assuming we're doing all the right things, because if you literally just go to the site, it's, we have provenance available, yes, either it would be stored in some database or stored in OCI or whatever; it's authenticated, right. We are signing it, and, you know, we're generating, you know, all this sort of stuff is generated by an actual build service, right, because we are saying you need to use a CI/CD service, and, you know, there's a couple of other things in there, but I'm not going to go too deep into them, but there's a couple other things in there, and that's all of SLSA 2, and then SLSA 3 is some additional things that I think we're also adding in there.

G: It doesn't really, are directly related to this. It was just, I was mentioning that I was reading this CSA, they recently published a white paper around serverless security, and there they have basically talk about this thing, like, whenever they propose something they are telling, this would help you, how that would help you achieve some of the compliance and regulatory requirement and threat modeling and everything. So I'm just referring, we should have the similar modeling here, so it doesn't really relate to serverless directly.

E: At least for Tekton, like, I think part of, a big part of getting to SLSA 3 is, like, the SPIRE integration, because that would allow for the non-falsifiable provenance, which is a requirement of SLSA 3. I'm working on, like, a proposal for it, but it probably will take a while to get in there. This way involves making changes to a couple different tools.

F: It's a level of abstraction question, right, so I mean, to some extent it just means that the vendor who's providing you that abstraction is in your chain of trust, right. So I don't know, I mean, yeah, you probably have to trust Amazon or Google or whoever you're, you know, buying some of that stuff from anyways, but, you know, you're also trusting more of those products, teams and blah blah blah blah security for this products, but.

E: They are level three, then you're also level three. You are kind of inheriting that level of assurance from the provider.

I: Because I heard from Brandon of, like, let's include the serverless stuff, but I'm trying to cut down scope rather than increase the scope. Michael, I'll defer to you, like, if anyone wants to give it a spin of, like, oh, these things could be, like, serverless platforms, like, don't think that, because it's serverless, it's any more secure if it's, like, an insecure serverless offer, right.

C: Yeah, and I think what both Brendan Mitchell and Jason are talking about in the chat here, yeah. I think at the end of the day, I think the big thing is, ephemeral seems to be an important piece here, right. It's the fact that we're, you know, ostensibly starting from, like, a clean slate each time we're doing that, which I think is the more important thing, and I think actually the ephemeral piece is the piece that's in SLSA for SLSA level three, right. So, like, they defined the ephemeral environment as: the build service ensured that the build steps ran in an ephemeral environment, such as a container or VM, provisioned solely for this build and not reused from a prior build, right. That to me seems like a reasonable goal and is also one of the things that's also already included in the white paper for the best practices, and I think it's also, like, we might not explicitly call it out. If we don't, like, we maybe should explicitly call it out in the architecture, but, like, we do essentially say, hey, your builds should be, if we don't.

G: Just thinking out loud, and I mean the Tekton pipeline is a kind of serverless, right. Our task executes when, and the ephemeral, they execute, they finish, and they don't, basically, they are not long lived.

F: So I mean, Jason had a point about, or, well, he was plus-one-ing a point I see in chat about serverless not necessarily meaning ephemeral, right. So I mean, there's a whole bunch of different sort of categories of that, right. So I just want to make sure we're using the term to mean what we, same definition of, you know, that thing, right. So, you know, if I'm running, say, a serverless function, right, even with concur, maybe I have concurrency control, so each sort of instance is only receiving a single request at a time, right, like, in an abstraction like Lambda or quadrant or App Engine or whatever, right. The same instance will be reused from one request to a subsequent request, right. So that's one potential, you know, characterization of it, right, which I think what Michael was saying was, we probably don't want.

F: So what things like Tekton and, you know, some other things we're doing are, you know, Tekton, right, like, you can see it spin up a pod, then the pod goes away. So, you know, it's not reusing that; it is reusing host machines. So, you know, again, it sort of depends on sort of what the, you know, abstraction is that's being surfaced, and sort of how you want to dissect some of that. But yeah, I mean, I would think of something like the Tekton API as presenting a sort of serverless build abstraction to folks, right. But, you know, as with any serverless abstraction, if you peel behind it, right, there are things below it that involve servers and blah blah blah, and then those will get reused and.

C: So I think that there's, like, actually maybe, you know, another question here, which is just, if I was attacking this, I'd probably attack it at the Kubernetes level, right, because the idea here is, if I somehow have access in Tekton to mess with something, that probably means, I don't know, but, like, that's kind of where, you know, and I think that we just need to be clear that, like, look, all of these things involve us, you need to place some level of trust in each of these pieces, and so, as an example, right, I think the thing that we just need to call out is because we are calling this out as cloud native.

I: Like, we have a position. Shabbat, sorry, I see your hand raised, but before we go off, I wanna try to agree who's on the hook for what from this point forward, who's gonna be doing what over the next week. Alex and Michael, how's the progress you guys made, well, is there any progress in the stuff you guys are going to start prototyping? Alex, you shared your doc. Did you get any feedback on it?

C: Yeah, I didn't. I've been really busy the past few days. Luckily, with a combination of both internal stuff, for better or worse, the demo that I showed off was taken very well, both externally and internally, and so I got stuck doing some of that, and then there were some other external things I had to take care of, but so I. I'm trying to think, yeah. I think at this point I just need to sit down with Alex for an hour, and then I will know what I need to, what I will need help with, but I am available, rest of, actually I will double check and I will sync up with Alex.

B: I think I promised you last week an edit to the reference architecture doc, and I still don't have comment or suggest or edit capabilities on it. I don't know if I need to join a list.

I: Or something. I'm not the doc owner, I believe Michael is the doc owner, yeah.

I: Yeah, well, I presume next week is only going to be this year for anyone, so we're at a point that we feel like, hey, we're all gassed out, we're not going to be able to do x-ray at this point, let's call it so, and try to polish and trim and make it presentable rather than that extra stuff. John Shell.

J: Sorry, kid home from daycare with covid quarantine. So I'm pretty much busy dealing with that and VMworld and KubeCon and.

I: Okay, Matt Moore.

I: Yeah, figured, anything you'd like to see here that you don't quite see, or you feel like this thing isn't a good place, make.

K: Howdy, hey, this is my first time calling in, so I am continuing to do, just working on cosign, that'll be my contribution.

I: To this, right, thank you, amazing, yeah, and if you can give the whole thing a once-over, end-to-end, we'd like to start off with feedback and commentary from folks who've been participating at least once in the group before we put it out to the outside world. Axel, you're the powerhouse of this group, man, like, you silently knock him, thanks, throughout the week, while we're all, like, busy offering other things.

B: Yeah, I know, I've got a weird, my microphone since my last update now is a three-state thing, it's off, off and on, instead of off and on, which is a bit confusing, yeah. Tomorrow's Friday, no meetings, so I'm hoping to have another read through the document and try and sort of find little places to provide input or, you know, add in stuff that's missing. Happy to be, I know, Michael, you were talking about, you know, getting together with other people to discuss. I'm happy to try and be part of that conversation and sort of hopefully provide helpful input, but yeah. That's pretty much it.

H: I did once through, a couple tweaks in there. I think between now and next week is probably busy for me, but if there's anything specific, feel free to shout out.

E: Sure, is it better now, or.

E: Yeah, I have some bandwidth and I can probably review the document and add some comments, or if I see anything missing, I can make notes and start working on that, yeah.

I: Yeah, yeah, make suggestions directly, particularly at this point, if it's, like, around polish, making things that are, things are crisp.

D: I'm good, yeah, but yeah, as far as the document, I'm happy to take a look at any particular sections that folks need more review, or especially anything that, there's a couple sections I've been, we need to take a look at, but if there's anything else, just let me know, yeah. I have a tiny bit of time this week, but probably not time to review the whole thing, so cool, yeah.

I: Okay, so as folks are reviewing, if you see something that needs attention but you kind of can't quite jump in, tag Marina to give her a little bit more of, like, focused areas. Shrew pot.

G: Yeah, I signed up for this admission controller section, so maybe I'll spend some time next few days to basically wrap that up. I've been slacking on that and we punted to CNCF, but looks like they're not going to come through, so I'll get on that. Feel free to, like, annoy me with it, like, ask me, like, dude, remember what he said during the meeting, where's that, it's been one hour, haven't we made any progress, that's been an hour, where it's at, I'm joking. Oh, I'm on top of it, I'll get it done, put it in, yeah. What's that, anything else anyone wants to discuss? Michael, wrap us up.

C: No, I think, just if anybody needs me, I'm actually, I have now officially freed up, so I'm available, at least until KubeCon. So, as I said, yeah, my literal calendar frees up at 1:30 p.m. Eastern time today.

D: I have another thing at 12:30, but then I'm free anytime after one Eastern. So I'm good, I'm good with Michael's 1:30 and on.

B: I'm trying to convert in my head into English time, so I think 12:30 is 5:30 here, I think 1:30 is 6:30, yeah. I could be available at 6:30. I can't be available in the next half hour. I need to get this cat home, but yeah, otherwise I'll, yeah, just ping me on the chat, Michael, on Slack, and I'll try and enjoy whatever you're doing.