From YouTube: CNCF Security TAG Supply Chain WG 2021-08-05
C: Yeah, so on Zoom under the old client, you got a notice that the session was being recorded and that you could leave if you didn't want to. Now with the new client that was released, there's even more text that talks about, like, localized recording is available for any participants with permissions.

B: The document to the content for what you worked on for the breakout the last time.

D: Yeah, directly into the... oh, this is meeting notes. Yikes, okay, my bad, I put it in the meeting notes, I'll move it to the main doc. Sorry.

D: Yeah, I added some things to the verification, as well as runtime. I'm still working on it, just started this morning.

B: This one, it's Michael on it.

B: So today, so I'm gonna quickly go through what the plan is today and also what the plan is going forward for the next couple weeks. So what's gonna happen today is we have Ava, who will be spending some time to go through the SSC landscape doc that she's created, so the second half we will be going into the breakout sessions again, continuing what we started with last week.

B: The plan for this really is that we think that we are in a really good spot, with all the ideas and all the content that, you know, we started brainstorming over the past couple weeks, so the idea is that we are going to be closing the... so we have the overall outline. We have the overall goals. We have a lot of content about people thinking about what the leading concerns are, what they think, like, other important action stories.

B: So what we're gonna do is we are gonna just get a couple folks. Next week we're just gonna run through all the information we have and kind of, like, distill it into a good outline that we can start working with.

B: So that's the end. If you want, if you have any ideas that you think are important for the reference architecture, be sure to get all those things in by next week, by the meeting next week. So just keep that in mind. So we will start with the SSC landscape. Ava, do you wanna grab the mic?

E: Thank you. Should I share my screen, or do these folks have a link that can open it as well?

E: Okay, so the intent behind this, before I start scrolling through it, was, as I've jumped into working on software supply chain and open source...

E: Excuse me. As I have dug into this, I found some externalities that are not technical, but that are affecting the way some groups are working together. I pulled that out into a separate document. It may or may not be interesting to folks. I don't think it's relevant to the work here, and then this is sort of the list in its current state. I'm looking for feedback at this point on which foundations, which spaces work is happening in; there's various metadata formats.

E: There's work happening in the OCI, that should probably be, say, Notary v2, which is linked later down, the OpenSSF, obviously, some work in the CD Foundation. The IETF has at least one, and I think they're preparing to create a second, different working group related to some of the space.

E: Obviously, all of you, all of this group in the CNCF, there's some work in the CCC, there's some work in the OpenInfra Foundation, a bunch of stuff in the kernel, all the reproducible builds work, there's been a little bit of work. This is what I was just learning about this week: to have compilers actually generate the SBOM and output that as a build artifact.

E: I'm not going to walk through each of these, but please continue to add stuff to this list if there are projects that you're aware of that are not yet listed. Again, my goal is to just, at the highest level, have a full list of all the technical work related to open source software supply chain, so this document can be a jumping-off point to everywhere.

E: That stuff is happening, and then my larger sort of end goal of this is to begin to create lexical mappings of the kind of work that's happening, and, you know, the reference architecture you all have built is a great view on that. I've also built one based on signing, so I'll pull that up to share it in just a moment, to get that tab over here.

E: Yes, so this particular view on signing includes some projects like in-toto, Notary, Sigstore. This framework says, man, we probably have tools and processes that do builds. We need, like, in-toto to make a claim that a build was made following some policy.

E: Something might actually generate those policies to be applied at runtime or at container launch time. Each of those tools creates an artifact; that artifact is related to some sort of an object, a container, a binary. Those artifacts need to adhere to some standard format; there's already three that it might.

E: There's some work and it's called, I forget what the acronym "skim" stands for, supply chain integrity something, but it's like another, you know, shared Merkle tree or blockchain for storing metadata on, and all of these rely on identity systems, and that is an area where I also see a lot changing. It's not just PGP keys, but work in the CCC on attestation is starting to bring in the hardware identity as another layer of identity, not just the developer who signed it, but the machine on which it was built.

E: Was it a secure enclave, or was it, you know, up to the right patch level of firmware? Can you attest to that, that it was built on a secure server? So not complete, but this is one view onto that space, and what I'm hoping to do over the next couple weeks is continue to build other perspectives to help folks understand, not just the process, as in your, you know...

F: I think this is great work. I think many of us in the group have run into similar sorts of issues where there's a lot of folks working on a lot of different things, some related, some unrelated; there's a lot of overlap with that work.

F: There's areas where we should be collaborating, there's areas where it probably makes sense where we don't collaborate yet. I think one of the things that also, in that last diagram that you showed, that I think at least myself would be interested in seeing is what other groups are sort of discussing, specifically around vocabulary, right; there's a lot of terms being thrown around like attestation versus claim versus, you know, artifact versus, you know, content or whatever else, and it would be useful to...

F: I think, on that level, at least in the community, start to... yeah, yep, yeah. I think it would be useful too, to help figure out what makes sense in, you know, certain areas, especially with some of the confusion. I think one of the biggest ones is around attestation.

E: Yeah, I can. I know attestation has a very specific definition in the IETF RATS, Remote ATtestation, and I forget the other two, some A-T-S specification, but so I have been working a lot with IETF RATS folks in the Confidential Computing Consortium.

E: Nexus of people to say they're authoritative on that and just borrow their definition, but yeah. I think that I've also seen a lot of discussion around what is a claim versus policy versus, and sort of some folks loosely saying "an attested document" when they really mean it's sort of notarized; it's signed and asserted that it's non-repudiably mine or whatever, so yeah, okay, I'll start on a taxonomy.

D: Hardware trusted modules, right.

E: Whether that's through Intel SGX or through AMD SEV or IBM's PEF, right, each of the chip manufacturers is making new technology that can enable this, what we call the mode 3 isolation, so a VM that is isolated from the host operating system, from root, from the cloud. We're getting there, and so, pulling it back to the document I was showing...

E: I don't think anyone has that today, but I see folks working on that. The same approach could be used to verify that it was built on a system with a known patch level or a known good state, so using a TPM to verify the firmware, the host operating system, the kernel, all of those are known state and uncompromised.

C: Do you have a timeline that you're looking to listen comments and additional content to this document?

E: I don't have a sort of an end date in mind, since I'm not planning on publishing this somewhere yet. I imagine it would be more of a living document with sort of an asymptotic approach until we all feel like, yeah, we've caught everything.

B: Yeah, and I think what we are doing here is, you know, we'll be using some of what Ava has as well as referencing the document, you know, this is in the development of the reference architecture, yeah.

B: So that, we've split it into two parts: the first is to outline what would be in the reference architecture, and then the second part would be the development of it. We are hoping to... our target right now is to have an outline that will be good enough to start with by KubeCon North America, so by October.

B: You know, we've tried to engage some of these folks early on, but because there isn't much of a scope there, it's a bit difficult, and also I think that there were also some companies that were doing these things within their own organizations, but didn't really have that incentive to participate. So we're hoping that this document will, you know, bring folks together as well.

E: Once this document feels to me like it is, I'm getting diminishing feedback, I'm probably going to shift to a little bit of a more narrow technical focus. My hope from this is to find areas where there is duplication, or whether it could be, folks could rally around a single, whether it's a single standard or a single tool.

E: I do believe attestation and identity is a really key part of this, like a hub, if you will. I also think the compiler integration is another hub, and I'm currently pulling on that thread.

B: I think that's somewhere that we have a bit of a lack of representation on this stuff, unless someone corrects me, but I think it will be helpful as well, to maybe, if we could get someone from that community, if you can kind of make that introduction from.

E: Already met with .NET compiler leads and the Rust community. I've got feelers out to Go and, sorry, Go and Python, but if any of you are connected to the Go community or Go compiler community, I'd love that; I don't have strong connections there yet.

G: I have a quick question to make sure I'm getting this right, so I never thought about doing that at compile level. I'm quite surprised, I mean I found it really cool, I just never thought about it. I just want to make sure: what sounds difficult to me is that you basically need everybody to sort of agree on an SBOM format, which I don't think we have yet. Even so, I mean, it probably makes a lot of sense to lay the groundwork to build the idea so that they'll start thinking.

C: So one of the problems that I've heard is that we're not going to get everybody to just pick one across the community, because there's different values and benefits, and there could potentially be changes to any of those formats forthcoming in the future as new standards come out and we refine actually what we care about within an SBOM, where there is a known problem space of being able to translate SPDX to CycloneDX and back and forth to SWID, because, like, we're asking consuming entities of the SBOM to be able to take whatever format that's being presented to them and be able to use it.

F: You probably have a better idea than I do, but I've actually been working on some of that tooling on the side. Right now, just learning a lot about the different formats. I think the biggest issue I've run into is mostly just around the different formats all seeming to have higher priority around different pieces of the metadata. Like, you know, CycloneDX is very focused on the security in that piece. SPDX is still very much focused on the license in that piece, and they're...

F: They are currently, from what I understand, like I have written up some PoC stuff that does translate it. It's just the problem seems to be, even though there are mandatory and optional fields, some of the, you know, SPDX really says, yeah, the license is optional, but we really, really prefer you had it, and CycloneDX says the same thing except about the security stuff, CDs and that kind of thing, anyway. Sorry.

A: Yeah, it can transfer, but, you know, the challenge is that, as you mentioned, Michael, it's a subset of data, right, like so you will, you don't, you can't have a, you will lose some data when you translate, you know, it's all specific to what format you want, what type of data you want to keep, but there is an option to transfer from CycloneDX to SPDX and things like that. Yeah.

B: Okay, so we're kind of closing in on the first half of the call. I think there's very good discussions around, like, the components and SBOM interchangeability, so I'd like to, I've written that down in the notes. I'm going to put these topics as future topics that we can follow up on, but for now we have some work together. So thanks so much, Ava, for the rancher. I think this was really helpful, and that was very good discussion that came out of it, so yeah.

B: If you, I will copy the doc imbus document into the beginning notes as well. I think it's your data. So if you have anything to comment on, please, please, you can get the links there. All right, so coming back to discussion. So, as I briefly mentioned earlier, we are going to go into different breakout groups again. The idea is that this will be kind of our last round of high-level reference architecture reinstallment.

B: So what's going to happen is we'll do the same thing as last week, we're going to break up into groups, everyone will kind of start bringing something about, you know, vital importance about the different components, and then what's going to happen is a few of us, and we'll get together. So we will, we are looking for folks that are willing, so there's a lot of work.

B: That needs to be done in terms of, like, distilling all the information that we train some together and putting it into kind of, like, an actionable outline, actionable reference architecture components. So we will be looking for folks that will be willing to put in, you know, a couple hours of work into helping us, you know, distill all this information and write it down.

B: Then we will, we can also include you in the discussions there, so we have three breakout rooms. I think that's kind of appropriate for the number of people that we have, so before we go ahead and go into different groups, any questions about, you know, the current plans with the reference architecture?

F: So do you want to just also talk a little bit about, like, the work that you, that we expect, sorry to take a step back, that? What is the, you know, the output here should be?

F: You know, at first something like a diagram sort of describing what the individual components are that make up this software factory, and then, you know, next steps would then be something like an actual implementation, or, you know, a reference PoC implementation of what that looks like.

B: Right, yeah, yeah, exactly, so the first part without the PoC is, you know, what we hope to get ready by KubeCon, and, you know, the rest of the PoC will move along with it. Obviously I don't think we're expecting that to be done by KubeCon, but I think where we see gaps, we would have to go back to the architecture document again to start, like, modifying it and adding information of why we're using certain things and not other things, but yeah.

D: So one clarification: to me, reference architecture is a generic set of capabilities that you need, right, and then, if we are actually mapping tools to that reference architecture, that can be a separate diagram.

B: Yeah, so there will be kind of like, here's what you need to do, what the reference architecture can do, and then for each of, like, the different components of it, that would be kind of like, yeah, some of the two links that you can do. The PoC will use this particular tool out of this set of tools, and for these reasons. Michael does, since, that's probably right what he was saying.

B: Cool, so we have three breakout rooms already. Do we want to continue with the provenance for build artifacts? Michael, with that one, sure, yeah? I wrote a bunch more stuff. Okay, I'm going to put the first... you want to take the first room?

B: We have verification of inputs and outputs, and consumption by architects on runtime. Oh, we also have storage and distribution. It's angriest, yeah. I don't think it is, right. Who was it in that group last time?

B: Yeah, Marina, because I make it, so I'm gonna set storage and distribution as the second breakout group. Brenda, can you help kind of, like, lead the discussion there?

B: I will, I'll just jump between rooms, and then I will stay in the one where I think we are lacking people. Cool. So.

D: Did? Okay, I'm gonna start the other Zoom. I'll have to drop from here.