►
From YouTube: CNCF Security TAG Supply Chain WG 2021-08-05
Description
CNCF Security TAG Supply Chain WG 2021-08-05
A
B
A
C
B
B
D
D
B
D
B
So
today,
so
I'm
gonna
quickly
go
through
what
the
plan
is
today
and
also
the
plan
is
going
forward
for
the
next
couple
weeks.
So
what's
gonna
happen
today
is
we
have
ava
that
will
will
be
spending
some
time
to
go
through
the
ssc
landscape
dock
that
she's
created
so
the
second
half?
We
will
be
going
into
the
breakout
sessions
again
continuing
what
we
started
with
last
week.
B
The
the
plan
for
this
really
is
that
we
think
that
we
are
in
a
really
good
spot,
with
all
the
ideas
and
all
the
content
that
you
know.
We
started
brainstorming
over
the
past
couple
weeks,
so
the
idea
is
that
we
are
going
to
be
closing
the
so
we
have
we
have
the
overall
outline.
We
have
the
overall
goals.
We
have
a
lot
of
content
about
people.
Thinking
about
what
leading
the
concerns
are,
what
they
think,
like
other
mean
important
action
stories.
B
B
So
that's
the
end,
if
you
want,
if
you
have
any
ideas
that
you
think
that
are
important
for
the
reference
architecture,
be
sure
to
get
all
those
things
in
by
the
by
next
week
by
the
meeting
next
week.
So
just
to
keep
that
in
mind,
so
we
will
start
with
the
ssc
landscape.
Ava.
Do
you
wanna
grab
the
mic.
A
E
Excuse
me,
as
I
have
dug
into
this,
I
found
some
externalities
that
are
not
technical,
but
that
are
affecting
the
way
some
groups
are
working
together.
I
pulled
that
out
into
a
separate
document.
It
may
or
may
not
be
interesting
to
folks.
I
don't
think
it's
relevant
to
the
work
here
and
then
this
is
sort
of
the
the
list
in
its
current
state.
I'm
looking
for
feedback
at
this
point
on
which
foundations
which
spaces
work
is
happening
in
there's
various
metadata
formats.
E
E
Obviously,
all
of
you
all
of
this
group
in
the
cmcf
there's
some
work
in
the
ccc
there's
some
work
in
the
open,
infra
foundation,
a
bunch
of
stuff
in
the
kernel,
all
the
reproducible
builds
work,
there's
been
a
little
bit
of
work.
This
is
what
I
was
just
learning
about
this
week
to
have
compilers
actually
generate
the
s-bomb
and
output
that
as
a
build
artifact.
E
E
E
I'm
not
going
to
walk
through
each
of
these,
but
please
continue
to
add
to
stuff
to
this
list.
If
there
are
projects
that
you're
aware
of
that
are
not
yet
listed
again,
my
goal
is
to
just
at
the
highest
level,
have
a
full
list
of
all
the
technical
work
related
to
open
source
software
supply
chain.
So
this
document
can
be
a
jumping
off
point
to
all
of
to
everywhere.
E
That
stuff
is
happening,
and
then
my
larger
sort
of
end
goal
of
this
is
to
begin
to
create
lexical
mappings
of
the
kind
of
work
that's
happening,
and
you
know
the
reference
architecture
you
all
have
built
is
a
great
view
on
that.
I've
also
built
one
based
on
signing
so
I'll,
pull
that
up
to
share
it
in
just
a
moment
to
get
that
tab
over
here.
C
E
E
Something
might
actually
generate
those
policies
to
be
applied
at
runtime
or
at
container
launch
time.
Each
of
those
tools
create
an
artifact
that
artifact
is
related
to
some
sort
of
an
object,
a
container,
a
binary.
Those
artifacts
need
to
adhere
to
some
standard
format,
there's
already
three
that
it
might.
E
There's
some
work
and
it's
called.
I
forget
what
the
acronym
skim
stands
for:
supply
chain
integrity,
something,
but
it's
like
another.
You
know
shared
merkle
tree
or
blockchain
for
storing
metadata
on
and
all
of
these
rely
on
identity
systems,
and
that
is
an
area
where
I
also
see
a
lot
changing.
It's
not
just
pgp
keys,
but
work
in
the
ccc
on
attestation
is
starting
to
bring
in
the
hardware
identity
as
another
layer
of
identity,
not
just
the
developer,
who
signed
it,
but
the
machine
on
which
it
was
built.
E
Was
it
a
secure
enclave
or
was
it
a
you
know
up
to
the
right
patch
level
of
firmware?
Can
you
attest
to
that
that
it
was
built
on
a
secure
server,
so
not
complete,
but
this
is
one
view
onto
that
space
and
what
I'm
hoping
to
do
over
the
next
couple
weeks
is
continue
to
build
other
perspectives
to
to
help
folks
understand,
not
just
the
process,
as
in
your
you
know,.
F
F
There's
areas
where
we
should
be
collaborating,
there's
areas
where
it
probably
makes
sense
where
we
don't
collaborate.
Yet
I
think
one
of
the
things
that
that
also
in
that
last
diagram
that
you
showed
that
I
think
at
least
myself
would
be
interested
in
in
seeing
what
other
groups
are
sort
of
discussing
specifically
around
vocabulary
right,
there's
a
lot
of
terms
being
thrown
around
like
attestation
versus
claim
versus
you
know,
artifact
versus
you
know,
content
or
whatever
else,
and
it
would
be
useful
to.
F
F
E
Nexus
of
people
to
say,
they're,
authoritative
on
that
and
just
borrow
their
definition
but
yeah.
I
think
that
I've
also
seen
a
lot
of
discussion
around
what
is
a
claim
versus
policy
versus
and
sort
of
some
folks
loosely
saying,
an
attested
document.
They
really
mean
it's
sort
of
notarized
it's
signed
and
asserted
that
it's
non-reputably
mine
or
whatever
so
yeah,
okay
I'll
start
on
a
taxonomy.
E
E
E
Whether
that's
through
intel,
sgx
or
through
amd
sev
or
ibm's
pef
right,
each
of
the
chip
manufacturers
are
making
new
technology
that
can
enable
this.
What
we
call
the
mode
3
isolation,
so
a
vm
that
is
isolated
from
the
host
operating
system
from
root
from
the
cloud
we're
getting
there
and
so
pulling
it
back
to
the
document
I
was
showing.
E
E
I
don't
think
anyone
has
that
today,
but
I
see
folks
working
on
that.
The
same
could
be
the
same
approach
could
be
used
to
verify
that
it
was
built
on
a
system
with
a
known
patch
level
or
a
known
good
state,
so
using
a
tpm
to
verify
the
firmware.
The
host
operating
system,
the
kernel
all
of
those
are,
are
known,
state
and
uncompromised.
E
A
B
So
that
we've
split
it
into
two
parts,
the
first
is
to
outline
what
would
be
in
the
reference
architecture,
and
then
the
second
part
would
be
the
development
of
it.
We
are
hoping
to.
Our
target
right
now
is
to
have
a
an
outline
that
will
be
good
enough
to
start
with
by
kubecon,
north
america
so
by
october.
B
B
You
know,
we've
tried
to
engage
some
of
these
folks
early
on,
but
because
there
isn't
much
of
a
scope
there,
it's
a
bit
difficult
and
also.
I
think
that
there
were
also
some
companies
that
were
doing
these
things
within
their
own,
their
own
organizations,
but
didn't
really
have
that
incentive
to
participate.
So
we're
hoping
that
this
document
will,
you
know,
bring
folks
together
as
well.
E
Once
this
document
feels
to
me
like
it
is
I'm
getting
diminishing
feedback,
I'm
probably
going
to
shift
to
a
little
bit
of
a
more
narrow
technical
focus.
My
hope
from
this
is
to
find
areas
where
there
is
duplication
or
whether
it
could
be
folks
could
rally
around
a
single
whether
it's
a
single
standard
or
a
single
tool.
E
B
E
G
I
have
a
quick
question
to
make
sure
I'm
getting
this
right,
so
I
never
thought
about
doing
that
at
compile
level.
I'm
quite
surprised
I
mean
I
found
it
really
cool.
I
just
never
thought
about
it.
I
I
just
want
to
make
sure
what
sounds
difficult
to
me
is
that
you
basically
need
everybody
to
sort
of
agree
on
an
s-bomb
format,
which
I
don't
think
we
have
yet.
Even
so
I
mean
it's.
It
probably
makes
a
lot
of
sense
to
lay
the
groundwork
to
build
the
idea
so
that
they'll
start
thinking.
G
G
C
A
F
E
F
You
probably
have
a
better
idea
than
I
do,
but
I've
actually
been
working
on
some
of
that
tooling,
on
on
the
side.
Right
now,
just
learning
a
lot
about
the
different
formats.
I
think
the
the
biggest
issue
I've
run
into
is
mostly
just
with
around
the
different
formats
all
seem
to
have
higher
priority
around
different
pieces
of
the
metadata.
Like
you
know,
cyclone
dx
is
very
focused
on
the
security
in
that
piece.
Spdx
is
still
very
much
focused
on
the
license
in
that
piece
and
they're.
F
They
are
currently
from
what
I
understand
like
I
have
written
up
some
poc
stuff
that
does
translate
it.
It's
just
the
problem
seems
to
be
even
though
there
are
mandatory
and
optional
fields.
Some
of
the
you
know,
spdx
really
says
yeah
the
the
license
is
optional,
but
we
really
really
prefer
you
had
it
and
cyclodx
says
the
same
thing
except
about
the
security
stuff,
cds
and
that
kind
of
thing
anyway.
Sorry.
E
G
C
E
E
A
F
A
Yeah
it
can
transfer,
but
you
know
the
the
challenge
is
that,
as
you
mentioned
michael,
it's
a
subset
of
data
right
like
so
you
will
you,
don't
you
can't
have
a
you,
will
lose
some
data
when
you
translate,
you
know
it's
all
specific
to
what
format
you
want,
what
type
of
data
you
want
to
keep,
but
there
is
a
option
to
transfer
from
cyclone
to
exchange
pdx
and
things
like
that.
Yeah.
B
Okay,
so
we
we're
kind
of
closing
in
on
the
first
half
of
the
call,
I
think,
there's
very
good
discussions
around
like
the
components
and
s-bomb
interchangeability,
so
I
I
like
to
I've
written
that
down
the
notes.
I'm
going
to
put
these
topics
as
future
topics
that
we
can
follow
up
on,
but
for
now
we
have
some
work
together.
So
thanks
so
much
ava
for
the
rancher.
I
think
this
was
really
helpful
and
that
was
very
good
discussion
that
came
out
of
it
so
yeah.
B
If
you,
I
will
copy
the
doc
imbus
document
into
the
beginning
notes
as
well.
I
think
it's
your
data.
So
if
you
have
anything
comment
on,
please
please
you
can
get
the
links
there,
all
right
so
coming
back
to
discussion.
So,
as
I
briefly
mentioned
earlier,
we
are
going
to
go
into
different
breakout
groups
again.
The
idea
is
that
this
will
be
kind
of
our
last
round
of
high
level
reference
architecture
reinstallment.
B
So
what's
going
to
happen,
is
we'll
do
the
same
thing
as
last
week,
we're
going
to
break
up
groups,
everyone
will
kind
of
start
bringing
something
about.
You
know
vital
importance
about
the
different
components
and
then
what's
going
to
happen,
is
a
few
of
us
and
we'll
get
together.
So
we
will.
We
are
looking
for
folks
that
are
willing,
so
there's
a
lot
of
work.
B
That
needs
to
be
done
in
terms
of
like
distilling
all
the
information
that
we
train
some
together
and
putting
it
into
kind
of
like
actionable
outline
actionable
reference
architecture
components.
So
we
we
will
be
looking
for
folks
that
will
be
willing
to
put
in
you
know
a
couple
hours
of
work
into
helping
us.
You
know
distill
all
this
information
and
write
it
down.
E
B
Then
we
will,
we
can
also
include
you
in
the
discussions
there,
so
we
have
three
breakout
rooms.
I
think
that's
kind
of
appropriate
for
the
number
of
people
that
we
have
so
before
we
go
ahead
and
go
into
different
groups.
Any
questions
about
you
know
the
the
the
current
plans
with
the
with
the
reference
architecture.
F
B
Right,
yeah
yeah
exactly
so
the
the
the
first
part
without
the
poc
is,
you
know
what
we
we
hope
to
get
ready
by
coupon,
and
you
know
the
rest
of
the
poc
will
move
along
with
it.
Obviously
I
don't
think
we're
expecting
that
to
be
done
by
tupac,
but
I
think
where
we
see
where
we
see
gaps,
we
would
have
to
go
back
to
the
architecture
document
again
to
start
like
modifying
it
and
adding
information
of
why
we're
using
certain
things
and
not
other
things
but
yeah.
D
B
Yeah
so
so
there
will
be
kind
of
like
here's.
Here's
what
you
need
to
do,
what
what
the
reference
architecture
can
do
and
then
for
each
of
like
the
different
components
of
it.
That
would
be
kind
of
like
yeah.
Some
of
the
two
links
that
you
can
do.
The
plc
will
use
this
particular
tool
out
of
this
set
of
tools,
and
for
these
reasons,
michael
does
since
that
probably
right
what
he
was
saying.