From YouTube: TAG Security Supply Chain WG 2021-11-11
A: Yeah, I don't know what's going on with the meetings. I just sent a ping to the TAG leads just being like, hey, what's up with the meeting invites?

A: Yeah, yeah, yeah, at least this part of it. I believe the next sort of step is to (a) turn it into a living document and (b), I think the thing was, start writing some code around seeing how we can, you know, support all the various use cases and whatever, and kind of create that, you know, prototype implementation, which, you know, Brandon, myself and some other folks have been doing as well. But, you know, obviously it's only based on what we know and what we're familiar with.

A: So if there's folks who are saying, like, hey, it would be great if we looked at Jenkins X or looked at this thing or that thing, you know, I think that'd be useful as well. But yeah, I'm seeing if Brandon Lum or...

A: ...or Andres or anybody else is joining. Pop said he has to take off. He has a bit of a family thing, so he's not going to be around either.

A: All right, okay, I guess we can probably get started; as people roll in, they'll roll in. So just as a reminder, this meeting is recorded and will be uploaded to YouTube at some point after the meeting, and also your participation here, you know, must abide by the CNCF's code of conduct. All right.

A: Yeah, yeah, I mean I'm largely off other than a few other meetings.

A: Yeah, yeah. So just a couple of... so let me, I'll post the working group notes and we can go in here.

A: All right, and we can talk about discussion as well. So, updates: there is a ticket with the CNCF on getting technical writers to start looking through the document, cleaning up typos, making some of the language a little bit more consistent and so on. Andres and some of those folks have a lot more information and insight into that.

A: And so I believe in the next couple of weeks, at least from the last update from Andres... oh, there he is, he can probably talk to it a little bit more than I can, but I know that we have a ticket open to sort of get them to start cleaning up the doc and generate a PDF for community comment. And yeah, Andres, do you have anything on that front to add on?
A: Just put that in the... for the folks who are just joining, again, here's the Google Doc; feel free to put your attendance and anything on there. So as far as... oh.

A: As far as... obviously, I think, as we mentioned the last few weeks, you know, largely the content of the doc is finished at this point. It's just, you know, opening it up for community review and those sorts of things, and then, based on, you know, some of the previous conversations over the past few weeks, the idea was, you know, if possible...

A: ...after, you know, this first version of it, to make it a bit of a living document, because we sort of all acknowledge that the supply chain security space is changing, you know, very, very fast, where, like, some of the things that, you know, weren't true yesterday are now true today, or vice versa, and things that were just completely missing in the community, you know, are coming up pretty fast. So it'll probably become something like a living document, and then some of the other stuff was...

A: ...you know, next steps around a prototype implementation or that sort of thing. But yeah, beyond that, I don't think there was really much in the way of updates. Does anybody else have any sort of updates on any of these things? I know that, you know, beyond the doc, I guess.

C: Just the one last thing on the doc. You might have questions as to why we wouldn't just make the doc, as is, available for public comment, and the thinking is so we get quality feedback and not, like, "hey, you have a typo here" or "you missed a space here." So we have professional proofreaders and editors clean it up for us, and that way we can present it and get structured feedback against the content and, let's say, the substance of the doc, and less so about the format, the writing, the grammar, etc.

A: Anybody else? Any other updates in the sort of supply chain security space?

A: Yeah, as far as the doc is concerned, I don't think so. I know, probably after the doc goes out, we're gonna start talking a bit more about, you know, next steps and those sorts of things for the group, because obviously there's still a whole lot of work that can still be done in the space. I know that, you know, most folks are aware of, hey, like, Brandon, myself and a few other folks who have been doing some stuff on city...

A: ...had kind of, you know, taken what was already in the draft for the reference architecture and started to build out a prototype implementation, sort of built on top of a lot of the demos that, like, Priya had given, Dan Lorenc had given, some other folks, and sort of, like, kind of taking all the pieces and putting everything together into something like, you know, Tekton plus Chains plus Kyverno plus, you know, all those things.

A: But, you know, I don't know, Andres, like, what the thing there is if we wanted to say, hey, look, how can we make something like that into an official CNCF project underneath the CNCF, or a repo that lives underneath the Security TAG, or something like that?
C: Yeah, Brandon, I had a series of conversations about it yesterday. I think it's still an ongoing discussion. We want to do several things from this group, right? Number one, we probably want to qualify whether this code constitutes the initial part of a reference implementation, like the third stage of this work stream, or if it's some examples and companion code to the reference architecture, but not quite the implementation yet, and it's more just references. Now, thinking of, well, what's the best way to...

C: ...protect this code from... well, making sure that it can be sustained, making sure that the authors and contributors can continue to evolve it, and that it is protected from, like, copyright, it is protected from licensing issues. And we haven't quite yet arrived at that. There's, like, different arguments of, well, if we just hosted it on... well, there's two concerns. One concern stems from TAG Security attempting to organize a lot of the content it produces from a microsite. So there's a desire to consolidate everything and have it left on...

C: Let's have all content and artifacts produced from TAG Security efforts be on their cncf/tag-security. Now, as that starts to grow into a project which, like any open source project... and it has the semblance that it might, the TOC might come around and say, hey, why did you kind of, like, watch it into a SIG? You need to put this through due diligence, formal...

C: Where are we going to give this a shot to grow as a project? Let's start it off as a project. Let's make sure, like, you have a good skeleton right now. Let's go over the governance. Let's make those of the authors who are interested and can commit to maintaining this code over the foreseeable future.

C: Let's do that. Let's dot all the i's, cross all the t's to prepare to submit this for intake, if that's the decision of the group, or host it somewhere else. In order for, like, conflict mediation and, like, avoiding any sort of issues, do we want to have a steering committee, given that it's actually born as an effort of a CNCF TAG? Maybe a good middle ground is, like, well, we're hosting this...

C: They don't get involved in the, like, administrative tasks of managing a GitHub organization or a GitHub repository. The only thing that they ask is that they have admin rights, should any conflict ever arise from other administrators. So we could do that from, like... we can do it.

C: Do this right now, add them and give them the heads up as we, like, clean things up and get them into shape. But all of this is recognizing that we all only have so much attention bandwidth and we're working on a number of things. Like, it's gonna take some, like, undivided attention to produce something that meets the bar and is really structured and organized, and yet we should probably figure out realistically what would be the timeline to do that over.

A: Yeah, that all makes sense, and if there's anything from my end that you need any help with, I'm definitely around to sort of help with that as well. From our end, right, like, you know, from my end, you know, one of the goals I have in sort of contributing to this thing, right, is we want to get the community aligned to at least... I'd like folks relatively along a certain path.

A: You know, we don't have to all sort of do the same exact stuff, but by showing some sort of canonical examples and getting folks to sort of, you know, view this as, like, oh, this is a way that we can sort of build, you know, artifacts with a high level of, sort of, you know, authenticity, integrity and so on, it helps out with the sort of broader goals of, you know, how do we...

A: ...how does a company, you know, or how does anybody start to make sense of their supply chain? And so, if you start to sort of say, hey, here's an architectural pattern, and then a reference implementation of that pattern that shows how you build artifacts the right way...

A: ...then, you know, that helps out. Because, to take a step back, I think one of the things that has been discussed also at some of the SLSA meetings is, you know, they're looking for stuff like this, right, as a way of saying, oh, if you build your artifacts like this, you know, and you start generating those attestations...

A: I guess my two cents is just, even if we could do it in parallel, right? Like, I have no problem with, you know, working at a bank, with bureaucracy, but, you know, I think the thing is just: will the bureaucracy block us from still continuing the work until it's over? Right, like, if it's something like, hey, as soon as we start this process we have to sort of lock it for a few months while everything gets sorted out, that's going to be, I think, an issue.
B: I think you all know my take on this. I think we need to get something out there, and I totally agree in terms of the parallel aspect of, you know, kind of dotting the i's and crossing the t's. I know where Andres is coming from as well, right. We should have that level of, kind of, you know, not governance, but maybe that is what we're calling it here, to be able to, like, you know, have more people get involved and steer this as necessary.

A: Yep, I agree too, right. Like, we want to make sure, from my end, right, like, yeah, we want governance around this thing, especially, right, it's an eating-our-own-dog-food thing, right? Like, where we, in the reference architecture, have cited all these different things that we want to do, and if we don't start applying our own policies, like, for example, around, you know, two-person code review and those sorts of things, we look like, you know, clowns. Well...

B: We've also talked about this ad nauseam in terms of, like, this is the first iteration, right, and, like, these processes in general, as we all know, are still in flux and they're growing, and that, you know, until, you know... so this is our, kind of, again, this line in the sand. And Steve, I see you have a comment in the channel. Maybe if you want to kind of talk through that, so that we're all kind of on the same page, love to hear from you, but...

D: Yeah, I just, you know, bureaucracy, I, you know, I get it. You know, it's always a challenge, especially in large groups. So I'm hoping that isn't really as much the problem as opposed to, you know, are we building something that has a security model we believe in? Like, and I'm not, you know, I'm not even making points about hacks to learn, like we have...

D: We always want to put things in place just to learn, and then, if we like that pattern, we can go back and reinforce it. But I, you know, and that means getting something out quick and learning.

D: Concern around how much is being put into something, and are we really capturing the end-to-end requirements of what we're trying to achieve and identifying the weak spots, what we learned, what we want to go fix, as opposed to, let's get something, call it done, and think that this is, you know, the hacks are the...

B: Yeah, I don't think we've ever said, though... one thing I'll say here is, I don't think we've ever said that this is done. It's always... we said it's our, kind of, the take as of this point. I totally agree with you, totally agree with you. It's like, yeah, yeah. You know, we can't say this is the definitive, you know, software supply chain guide for everybody. We just have to say this is kind of the first v1 aspect of this. Sorry, Andres, I cut you off, go ahead, you were gonna say something.

C: Does the link there point to code examples on the CNCF TAG Security repository, or does it point to the GitHub organization, the repository we've started for this thing? And if so, well, how is that... is that an independent open source project? Is it part of a foundation? Like, Pop, you know this from Falco intake, and moving through the motions is hard. Steve, you know this from many steering committees and different bodies, that there's bureaucracy to pay upfront, and it's good bureaucracy, right?

C: You want to make sure that... you want to be somewhat lawyerly and judicious to make sure that things are set up in a way that people can come in and collaborate, and that there's, like, not a whole lot left to interpretation of what the processes and procedures are. But writing those processes and procedures takes time, right, and you can get away with having that be somewhat lighter weight than it is with some bodies.

B: Is that aspect part of this working group, right? I don't want to scope creep what the aspects of this group are to do, right. The aspects of this group are just to create that first iteration of the doc, right, and then I totally agree with you again, 100% agree with you. We just have to figure out, like, in what context are we, you know? Is this going to be a specific project after... once we get this iteration out there, and this being the impetus for that?

C: You come from about it. Yeah, yeah, and again, is this things that... yeah? I don't think it's behind the scenes. It's all these other concerns that, well, we all work in open source here, that we know come with the territory, right, and it's things that we should be thinking about and working on. There's a lot of prior art and things we can reference to make this... there's not a whole lot of writing. It's just deciding, hey, how are we going to license this thing?

C: How are we going to set up governance for it? So it's not in a direction that... people can just think about the actual interesting things and not this boring stuff.
D: I just, I hear us being a little abstract and dancing around whatever the elephant in the room is. I'm not even sure what it is, but just in the sense of governance and some of the other stuff, I can tell you getting stuff buttoned up early is something you probably want to do. It threw us off for about six months with the Notary stuff, because we were just trying to execute and we left some pieces open, and it really caused a lot of problems.

B: I think we're talking about our own individual projects that we've all worked on, too, you know, like Andres with SPIFFE and all the other things he's done in his career, me with Falco, that kind of thing. So it's making sure that we set ourselves up for success as we're doing here, but also the train is already in motion to a certain degree, like, largely in motion. So, and again, the task of this group, and please, Michael, Andres...

B: ...please make sure I'm on task here, is, sure, we had the first iteration of our software supply chain, kind of, reference architecture, which I believe we're in a good place on. Yep.

D: I'll throw up: prototypes are good, we should do, you know... prototypes are always going to go validate something, but prototypes are discounted as to anything that can be viewed as useful. So if it is in prototype phase, because you want to come up with something better, then that's the right label. If you think it's, like, a stage to a release, then, you know, I would vote for something a little bit more stable: draft or, you know, alpha, you know, pre-release, something like that is great.

D: I did want to just... but I had wanted to build on one thing, because, Pop, you mentioned something around, like, each project, and I've actually been at Microsoft a long time now, it's kind of weird, but, you know, one of the things we talked about as PMs is you've got to be willing to cut your own feature. Like, it's not about passion for a particular thing. It's what is the end goal, and I just, I want... I wonder, worry sometimes, is it about, hey...

A: Yeah, so, from my perspective, I think there's a couple of different things going on. So the first thing is, I think, like, a problem statement, which is there's a lot of different tools in the supply chain space, whether it comes to how we sign things or how we provide identity or how we provide reasonable CI, you know, like, reasonable CI and those sorts of things, and I think what has happened is, like, you know, what was kind of brought up is...

A: ...no one really has done a whole lot to sort of tie everything together into something that is kind of, like, end to end, where, you know, the idea is, like, hey, as long as you have an artifact repository and as long as you have a source code repository, everything in the middle will, you know, tie everything together for you. And I think that's kind of what the purpose of this project is, is to kind of say...

A: ...okay, cool, here is essentially CI/CD stuff, plus ways for us to look at the policy and yada yada, and ways to sort of provide standards around the actual pipelines themselves and so on and so forth, such that we're building stuff in a way that we can have certain security... you know, increased confidence around security, authenticity, integrity, those kinds of things. So that's the purpose of it. Now I think there's a bunch of things that kind of make this a non-trivial problem.
A: The biggest one, I would say, is, you know, the features that are coming out of folks like, you know, Notary, folks like Tekton Chains or Kyverno, is, you know, the things around the supply chain space that didn't exist yesterday now exist today, and so we need to kind of keep up to date with all of those things as well. And so that was the purpose of the project, is to start to really, like, start to tie all these things together, figure out where the gaps are today in some of the tools, to say, hey, this tool, like, as an example, you know, Kyverno didn't have the ability to check for attestations a few weeks ago.

A: They now do, and so that was, you know, came out of a lot of the work from groups like ours. And so that's one thing, and then the second thing is, eventually over time, as things get more stabilized, we can easily sort of say here is a canonical example, or maybe a full-fledged platform or whatever...

A: ...that is all these tools combined that people can use. You know, probably not... it's not going to be an out-of-the-box solution that everybody can just sort of use. I'm not, you know, I don't, you know, whatever, but I think the thing that I keep seeing in the community from, like, outside of the group, you know, and outside of the experts, is nobody even knows where to get started, and I think this is a thing that, hey, this is where you can get started.

A: I think, to the other points that everybody has brought up, is we just need to be very careful in how we put it out there, and we make sure that folks get... you know, because I've been asked before, right, is just, where's the SLSA tool? Like, where's the tool that just builds the SLSA? And you're like, that's not... no, no, hold on, take a step back.

A: You know, this is what we're trying to do, you know, and so on, and I think we just need to be clear on what this actually is. And I agree with Steve about, you know, it's very easy to say, hey, this is a prototype, and then everybody goes, okay, and they ignore it. You know, so, but with that said, I do think, like, at least my goal with writing some of this code is to (a) show to the community...

A: ...how it could be done, and (b) is to also get other folks in the community to start, like, poking around with this. Like, I don't know if this is going to end up becoming a real thing that people can just sort of use out of the box, but if folks can just start using it and start even identifying the gaps in the supply chain space today, I think that's already a pretty good goal.

B: That to me is the focus of our mission here, is to get that into folks' hands to be able to say this is what the, you know... and again, whatever that number is, if it is prototype or whatever, then we've always talked about this iterative process, right? Well, maybe we'll see other tools that come in, or we'll see other things: oh yeah, you know, I've kind of implemented this. And that to me is how you innovate.

B: Yeah, I'm sorry, go ahead. You were going to say something, David. I apologize! No, no, no problem. Yeah, so I think, you know, I think it's critical, you know, putting out something is great as long as there's not an assumption that it will stick there forever. I think that's the key. It's okay to come up with, hey, best effort, currently this will get you started, and there's a whole bunch of things coming down the pike.

B: I know a number of you already are aware of the number of things coming down the pike, so I'm expecting that there's going to need to be changes, and that's okay.

B: As there's an acknowledgement that there will be changes and that's okay, I think that's what... Andres, maybe, Andres, I want to paraphrase, but I think what Andres is looking for is, like, okay, who's gonna, like, kind of, not own that, but kind of administrate and govern as these things, you know, continue to happen, right? Totally agree. I think we do need that, and it's just, you know, again, it's that Catch-22 situation, like, to get something out there for us to iterate on and then to have governance on top of it.
C: We don't know if any of us are here to stick, like, ride or die, with the project, because we might get... our, like, life situations might change, our job, our employment might change. For the time being, we, the authors of this thing, want to start a project. We're working on this in this repository. We have a lot of clearance to say, hey, this is a cross-industry project. We have people from the OpenSSF who are a part of this.

C: We have people from CNCF. TAG Security was gracious to host the production of the architecture that informed the direction of this project. We can do all of that, but at one point we need to say what we're doing at the time that this gets published and there's a link to the code. We have to call that code something. We have some room to decide, so take some time to think about it, and we can talk about it again next week, see what you're all leaning towards.

A: And just as an FYI, yeah, Brandon, myself and some of the other folks are updating the code pretty heavily on an ongoing basis, where, yeah, like, even as a reminder, you know, like, the code was more or less just some examples and some demos that were all strung together, and now we have sort of baked it into a mechanism where we are sort of, you know, vendoring stuff, we're applying...

A: ...you know, the right sorts of practices, we're sort of using, sort of, like, stuff like, or we would like to start to adopt practices like the OpenSSF Scorecard practices and some of those things, and so we are also doing a lot of the cleanup of the code on that front as well.

A: Yeah, yeah, and I think it's in a pretty reasonable spot, where, you know, we have already, like, an example. Like, you know, here's how you can sort of create a, you know, using buildpack, you can create a Docker, you know, or, sorry, say a container image that has SLSA attestations and yada yada.

A: We do want to make sure that we have lots of different folks from different groups contributing back, providing input and so on. And another thing that is worthwhile to probably point out is, you know, there are some folks from some different companies who are completely outside of this group, who have started to ask questions about that repo and are wondering, like, hey, what's the deal? How can I contribute?

A: Is this something that I can just start to use? And I think we just need to be clear on, hey, what the state of it is, what the goal actually is going to be, you know, what the short-, medium-, long-term goals are, and then, yeah, how we can get other folks involved.

D: I think that I'm just at the... having, when I see people start getting involved, they're trying to know where they can, what they can get involved in, what the goals are and how they could help. So I think writing some of those goals down, maybe these are written down: what are the goals and requirements that we're trying to achieve, like that for the end-to-end, and where can people pick up and grab something for that particular element? Like, for me...

D: ...I'm more focused on the distribution and consumption angle, so I really want to understand, like, how could we plug into the creation components so that when they're distributed and consumed and validated there's enough there to have some validation around? So I think that helps understand where people can jump in and where they can fit in, like, is...

A: Yeah, and on that front, I think one of the other things that we want to show off with a little bit of this, right, is, and I don't know exactly if it's going to fit directly into the project, I think it actually probably would fit directly into this project...

A: ...is those sort of things, like test cases of supply chain compromises and showing how this sort of thing protects against it. Because that's one of the things that, as part of the demos we had given, one of the things that we showed was, like, hey, here is what happens if there's a bad compiler and here's how it would get caught. Here's, you know, here's what happens when, you know, the code, you know, gets pulled from a place it wasn't supposed to be.

A: You know, and here's how we would then see that in this sort of project. And I think that's another thing that we're really looking for, because, like, at the end of it, right, we want to be able to say here's a whole set of example supply chain sorts of attacks and here's how this thing would then, you know, protect against it.
A: So, based on my conversations with a few folks who had just sort of come across the project and started asking me questions about it, it sounds like it's a little of both, right? One is it's going to be a way of just, hey, here's how you can sort of set this up, right, as something that you can just sort of deploy out there.

A: It's not going to fit everybody's needs, but this plus the reference architecture plus the best practices document sort of makes up the equivalent of, like, Kubernetes the Hard Way, right? You know, it's like, that's reference architecture... sorry, Supply Chain Security the Hard Way is the docs we wrote, and then, if you have a simple use case, you can sort of use this, but recognize that you're probably going to need to customize it a lot if you're going to deploy it to your own production repository.

A: You know, the same thing with, you know, any of the sort of CNCF tools, right. You know, a lot of them work out of the box, but, you know, if you're... there's a very... you're gonna run it and configure it completely differently, depending on whether or not you're a multinational bank or you're just, you know, a startup with, you know, two engineers.

E: So I'll go first, right. I mean, right now, I'll give my comments, right. So I think the current landscape, if you look in terms of cloud native security, it's rapidly changing, right. I mean, not only in the open source community, but we have a lot of vendors as well, enterprise vendors who have come into this space, and the whole thing is kind of very fluctuating, right. I mean, it's moving, right. There are a lot of moving pieces right now.

E: So now the number one step is people want to get educated, right? Like, okay, what does it mean when somebody says that, okay, we are going to kind of secure the supply chain? And once you have educated them in a more methodical manner, then you have to kind of educate them that, okay, what are the tools available, what are the different options? And right now, when we are talking about traditional systems...

E: ...it's one thing, but, for example, if we talk about containers, there are... I mean, there's Notary out there, there's cosign out there. There is, actually, if you look at Podman as well, they have GPG key signing. I mean, I have particular interest in signing and verification, but there is a lot of competition and a lot of moving pieces.

E: This is what you need to make it accomplish, right. But, as I said, right now I am in this whole thing kind of... I'm in observation phase. I mean, like, where things turn, right, because a lot of movement is happening. I was at KubeCon as well.

E: So, if you look at the vendors, what they are offering: a lot of competing ideas, lot of things, a lot of discussion about policy management, but nobody has a clear idea. At least this is the thing that I got when I discussed things with other folks at KubeCon and also when I went to different vendors.

E: People are exploring right now. Yeah, so probably nothing major to add right now, but yeah.
B: Yeah, I guess one kind of comment. No, you don't know, that's what this is. So when we were initially writing this, the supply chain security document, we really scoped it down to this kind of build process step of the supply chain, and, well, I think it's definitely important that we can create a proof of concept of that and write up the code so people can use it and reference it.

B: I do worry a bit that if we shift the focus too much to that, we won't have a chance to go through and, you know, talk about the other pieces of the supply chain that we haven't yet specified in this document. And I think, as far as, like, a CNCF working group working on this, I think that's one of the places where you can have the most impact, right. Everybody has their code that they're running, and that's all great, and there's lots of projects that are working on that.

B: But I think that what this group can really do is kind of create, you know, overall standards and define best practices, and so I want to make sure that we don't kind of lose track of that as we move forward with this as well. So...

B: Yeah, there was a whole out-of-scope section, because we really scoped it down directly to just the build system, this build factory piece of the supply chain. I think secure distribution is entirely missing from that, as well as the stuff before the build, like securing your source code and all those other pieces. Yeah, and I think there's a list of that, I think, in the out-of-scope section of the doc, which I think is great for, you know, for focusing this document.

B: I mean, if you look at it from a press perspective, I'm kind of thinking it was like, you get this document and say, look, this is something now that we've created. We've created a project on top of, obviously, a working group that's going to continue to iterate on this. I think that's actually a really good thing, so people understand that it's not just, hey, we're going to throw the doc over the moat and you're on your own. So that's... I think we need to do a little bit of that.

D: I was trying to struggle with what was articulated, because I thought I was hearing Marina say, let's make sure we're covering, you know, an end to end. You know, and for me, like, I think about... the distribution and consumption focus is good, but sometimes you kind of need to do that thin paint across the end to end, to see if you really like the way this is being built.

C: Let's move on to... pre... I think, yeah, focus is super important, so, Marina, 100%, 1,000%.

B: Yeah, I actually don't have too much to add here. I was kind of gonna make the same point that Marina made. I think somebody was just asking me yesterday about, like, securing your version control system and, like, if that's mentioned in the doc, and I was like, oh, that's kind of, like, before what the doc talks about, but, like, definitely an important piece of the supply chain. Yeah, nothing really big to add, kind of just a plus one to what she already said.

A: Yeah, real quickly, I think it's also probably worth noting that, you know, there's a bunch of topics that we discussed in the best practices document, and then, as we sort of narrowed the scope a little bit on the reference architecture, we sort of completely, sort of, said, hey, look, it'll take too long to kind of, you know, talk about all the stuff around source code, source code securing and yada yada. So we said, hey, that's now out of scope, at least for the v1 of the doc.

E: So, just, can I share the white paper, and then just wanted to identify which section is... what was it, yeah? I may be looking at a different doc, I guess, I don't know. So, just a sec.

C: Yeah, so the mapping is, if the architecture should expand equally, or maybe not equally, but should expand in all these areas that we call out in this best practices, we're only really expanding on the best practices around building, but not the other parts. So we don't need to try to get this done in seven minutes. I think everyone's taking the holiday today, yeah, but yeah, let's face it. Yeah, totally, it would be good to have a mapping and writing of what's missing.

A: No, no, nothing really on my front outside of, you know, if anybody has any thoughts or whatever about some of that code or whatever... all ears, feel free to open up issues, and as we're sort of going through whatever it takes to, as we mentioned, like, whether it becomes something official or not official, whatever, I'm definitely still interested in kind of getting folks' thoughts on that as well.

C: Cool, and on the outstanding decisions on how we proceed, I'll probably just open a poll in the authors' channel, see which way you guys are leaning towards, and none of these decisions are permanent. Like, fortunately we can move code around pretty easily. We can mirror repositories, we can reference one thing from one place to the other.