From YouTube: TAG Security Supply Chain WG 2021-10-21
B
To join, I'm sure a lot of folks have con fatigue.
B
Here, I believe, pop.
B
Actually, I guess we can probably get started. I am probably going to butcher this, but yeah. So just remember that, you know, your participation in this, you know, you need to abide by the CNCF's code of conduct, and also that this meeting is recorded and will be uploaded to YouTube a little bit after we close out the meeting. All right, cool. So first things first, a couple of quick updates based on the KubeCon stuff and whatnot.
B
I know probably a lot of us have a con fatigue, so I, I'm gonna try and keep this meeting relatively short, but yeah. So we get, you know, at Supply Chain Security Con there was some discussion about, about the paper. At Cloud Native Security Con, Alex and Priya had given a sort of an introductory sort of lightning talk about the, the draft here, and yeah, that, that was.
B
You know, a lot of talk about the SLSA stuff, a lot of talk about a lot of different other things related to what we're kind of talking about in the paper. Cool. So I know that we sort of officially announced that this is a draft, we're looking for additional feedback, we're looking to kind of clean up a few, a few final topics, so I'm gonna just, we should probably go around with, with updates on stuff that we're working on.
B
I can go quickly first. So the stuff I'm still working on is down in the reference implementation side of the, the paper, so based on the stuff that I, you know, Tim and I had demoed at, at Cloud Native Security Con. You know, once again, trying to keep it relatively open-ended and generic, not specific to what, exactly what we showed off, but just sort of showing, hey, this is what is available.
B
Anybody, once again, is more than welcome to sort of put in their feedback. If they think that something's missing, if they think that a certain tool maybe isn't a good fit, feel free to sort of, you know, change it, put in your feedback, whatever, but they just wanted to kind of get the, the stuff there, I'm, so that we at least have something that we can then kind of modify and work off of, and so yeah. That's the, oh right. Let me go and share, well.
B
Cool, so I, I linked both of those. Cool. So do we want to go around and just, any updates regarding the, the, the paper?
B
I know, Shripod, you had done a little bit of, you added a couple updates on the admission controller stuff. Do you want to talk through that?
A
Yeah, so this is basically based on the discussion that, Michael, you and me, we had a couple of weeks kind of before KubeCon, that for controller we can talk about basically at multiple levels. One is our constituent element of the software, SSF, the factory itself. They are signed, they are secure, so we can trust our, our secure factory and whatever artifact that are built and processed through our factory, and then the second one is.
A
There are admission checks inside our pipelines, our secure software factory, that will check for, whenever a user instantiates this factory, it will check for, like, whether your base images are signed, they are coming from the trusted sources, the packages or the dependencies that you are using, whether they are coming from trusted sources, they are signed. So we can think of basically the admission checks at these two levels. So I try to capture that in the document, so feel free to see and communicate any feedback on that, yeah.
B
Cool, thanks. Yeah, I think, yeah, I think to your point, the main thing is, is just, I think, as we said before, you know, outside of maybe a couple of hints of, like, hey, you should have an admission controller that's validating the attestations and signatures outside of the secure software factory for whatever comes out of the secure software factory, but we still need to make sure that whatever running in the secure software factory is, you know, signed, has valid attestations or whatever, right? Cool, thanks.
A
Yeah, sorry, I was a little bit late. Are we just talking about KubeCon?
B
Yeah, so we were talking about any updates once again, great. You had a couple of demos there, but, but also you, you and Alex had given a talk about sort of officially announcing, I guess, this draft of the reference architecture. But yeah, feel free to, anything regarding any updates, regarding anything interesting at KubeCon or regarding the white paper. Oh sorry, not the white paper, but the reference architecture.
A
Oh right, nothing, nothing like particular. It was really nice to meet everyone in person. I think people are excited to see the reference architecture, yeah, but that's pretty much it. We got good feedback overall.
A
At the doc, and I see you guys got the references to registries in there, so just trying to see how we could help with some of that. We did ship an alpha of the notation libraries yesterday, so we're starting to get that stuff kind of really rolling, and hopefully we'll have a production environment for even the reference types pretty soon. So just trying to get a sense of how we can help with, you know, storing that graph of content in servers and services that customers already have.
A
Okay, Aditya. Sure, I'm actually just starting to take a look at the prototype stuff you've added to the bottom of the document, so I don't really have a lot to add right now, but yeah, this is what I'm going to be looking at tomorrow.
B
Awesome. Okay, David Wheeler.
D
Hey there, I've been busy on lots of other things, so I haven't had much chance to work on this stuff this week, this, this period.
B
Yep, no problem. Yeah, I'm sure there's a million things going on, you.
D
Had a crazy, crazy guy telling you do stuff at a co-located event last week, David. That's probably why, right? So I mean, no, I'm sorry. I was at the summit, so I'm sure, yeah, yeah. Although this isn't CNCF specific, you know, the OpenSSF raised 10 million dollars, that's, which is a big change from zero, so, or near zero. So we're hoping to see some interesting things and hopefully more collaboration between, for everybody. Cool. We can finally afford Michael Lieberman. Awesome, great. It's awesome.
B
Cool, okay, still going down the list here, Dan Lorenz.
A
Hey, just like David, it was pretty busy.
B
Did everybody get their Chainguard shirts?
B
Right, cool, Marina.
A
Pretty much the same as a lot of folks. I was at KubeCon last week chatting with people about this, but I haven't had a chance.
B
All right, cool, Craig, angelic.
B
Cool, do you, do you want to introduce yourself?
A
Sure, I'm with SUSE, came over when SUSE acquired.
C
Rancher Labs. I've worked on Rancher for quite a time, one of the maintainers of k3s, and this whole area is something we're very interested in.
B
Cool, cool. If there's anything that you're interested in, can definitely also forward you some old meetings where we might have given some more interesting demos, or, you know, once, I guess the links are all up on YouTube. I know a lot of folks on this call have given some pretty interesting demos at Supply Chain Security Con, or Software Supply Chain Security Con, as well as KubeCon, data Security Con and so on, and so if there's anything that you're interested in, can definitely kind of forward.
B
Oh, no, no, no problem, any, any. You know, obviously, yeah, with, there's a million meetings, but yeah, yeah, don't worry about it. Okay, cool, Brendan.
A
Yeah, so other than trying to get pop to get more into the SLSA scene and submitting PRs on a couple of the signed things, nothing update on the white paper this week, but anybody sees gaps they need to have looked at or something like that, feel free to my way.
B
Hola. All right, let me just see here. Okay, Tim.
A
Yeah, so I've been working on something slightly related to, working on a demo that's more consumable for non-supply chain security engineers. We're finding a lot of need to do, to show it, to show this to other folks who will get it, seven, trying to make a similar demo that we've been shown off, but more easily digestible form of, like, a web page kind of a thing that folks can understand.
A
Then, if there's anything that, that, now that my internal work is falling down a little bit or lightening up, I have much more time to commit to this. If there's any sections I can take, feel free to throw them at me.
B
Awesome. Oh, so yeah, Jason just joined. Jason, do.
B
Give your, do you want to give any update either on anything regarding the paper or regarding KubeCon, any of the other related stuff that's going on with supply chain these days?
A
I don't have any updates on the, on the paper. I haven't, I haven't honestly looked at it since before KubeCon, but KubeCon was very fun and also, aside from that, very useful to talk to people, yourself included, and many of the other people here, about what they're, what they're doing and what they're excited about. I don't know what you were talking about before, so I don't know if this is off topic, but yeah.
A
It was really nice to sort of actually talk to people about what they're doing with Tekton and with Chains and with, you know, all of, all of this stuff, whatever it is.
B
Yeah, no, no, definitely not off topic. I know a lot of the folks on this call were at KubeCon in person, and if not in KubeCon in person, definitely saw a few folks on the Slack kind of chatting about different interesting talks, so yeah, cool. So now that we've gone around, I think, actually, so there's, there's two things, but I want to kind of defer first to anybody else who has any other sort of specific topics they might want to bring up or anything that they want to.
B
You know, show off, any questions, concerns, any big sort of topics that, from their perspective, they wanted to talk about with regards to the work that we're doing, reference architecture, or just sort of related. Otherwise, there's two specific sort of topics I wanted to get into.
B
Okay, so I guess, yeah, so the, the main one, which is something that came out of Cloud Native Security Con, the big one before getting into some of the stuff with the paper, is multiple people in the Slack during the Software Supply Chain Security Con, it's a tongue twister there, say that five times fast, the, one of the things that was brought up multiple times in the Slack as something that we should probably discuss is: how do we make this more, how do we?
B
How do we start to bring people along, make it easier for them to consume? Because a big thing that was brought up multiple times was, hey, this all seems very complicated, and if I need to, you know, have done all of these millions of things beforehand, how do I sort of include this? A lot of folks were sort of asking, to some extent.
B
How do I include this as just a next step in my Jenkins sort of workflow, right? Those sorts of things. And I think we need to be very clear about, hey, either, perhaps this is the sort of route to there, or, you know, we don't really need to go into hyper specifics, but we need to kind of be clear about.
B
You know, some general things, or we need to say: hey look, sorry, you know, the, the old school way of doing it is just fundamentally incompatible with supply chain security, and we're not even gonna kind of try and address that, and we're going to say, yes, this is, you know, you work at an enterprise, this is gonna cost you some money to kind of move over to doing these new sorts of practices. I just think we need to kind of be clear about that, right?
B
You know, very quickly about how we want to sort of address that, because once again we don't want to broaden the scope of the paper too much. But if somebody thinks, like, yeah, we can provide some highlights, then yeah. Trishank.
A
Yeah, the phrasing I've been going with is that, to me, it seems like this is actually a pretty complicated thing for people to implement. It's not super straightforward, but that's what we're looking for the help from the community owners, and try to turn this into something that people can take and use, and so that's where, that's, we need the input, that's, we need the extra hands to help out. Jason, yeah.
A
I'm not, I'm not sure that it should go into the doc, because I think, to Trishank's point, like, just, it has the risk of taking it wildly off, off topic and, of course, but, and expanding the scope and everything. But I think it would be immensely useful to have at least some notes and at most some, some blog post or walkthrough or, or, you know, it doesn't even have to be official guidance.
A
It could be one of the people hearing my voice writing it, like, looking into it and writing it down, but like, and also not to call out Jenkins specifically, but like, these are the SLSA levels you could theoretically hit with Jenkins. This is the, this is where it tops out. This is where, you know, if you did everything right, and everything right is described as A, B, C, D, E, you top out at 1.5, and if you use GitHub Actions, you can do these five things and you can get to 2.1. You know, something like that.
A
I think that would be immensely useful for giving people, well, I must be useful for a lot of things. If they are tied to GitHub Actions, if they are tied to a specific thing, they could say: okay, here's a roadmap for, here's the best we can do, and I can take that, you know, up the chain and say CNCF says this is the best you can do, or, or Michael Lieberman says that this is the best you can do. We should do those, or we can only get to, with all this effort.
A
We can only get to 2.1 on this. We need four for whatever other executive mandate, so we need to switch. And so those are two things, and the third is.
A
This would also give some guidance to Jenkins and GitHub Actions and CircleCI and, you know, name 30 other things, to say, like, oh, we, we top out at this because we don't have ephemeral build environments, because we don't have the ability to do all this other stuff. So I think it would be useful immensely for somebody to write that. I assume everyone has plenty of free time to go, go ahead and do this, so I look forward to reading it whenever somebody writes it.
B
Cool. Before I get into what I was going to talk about, Steve.
A
Started, maybe you can map back to the SLSA levels, right? Like, if you do just this without running all these services, this is the benefit you get, and then, as you like more, you do the next step, right? So it's, they start to chew off pieces that they like the taste of, and they keep on eating more of the whole thing.
B
So, based on what I'm about to actually bring up here, so this is sort of related to, I think, I think that would be useful, is to, and I don't want to go too deep into a million different things here.
B
The, the thing here is, so there's a Cartografos working group, and one of the things that they're responsible for is, they're, they are responsible for building out a journey map of cloud native maturity. You know, so it's not exactly a maturity model, it's more of sort of a journey into some of these things, and one of the things that they sort of brought up is almost like: hey, here's the different levels of your, and, and the proper, you know, like, if you're a level five.
B
That means you have multiple distributed Kubernetes clusters and you're able to do all these things, and you have essentially enterprise level support of your, whether you run it yourself or you, you're using, you know, a cloud offering or whatever, you know, some of those things, right? And so one of the things that we had, I discussed with the Cartografos working group is, it would be really good, and the book that I sort of posted there.
B
The last couple of pages do go into some supply chain security stuff, which is, and Simon, who wrote it, you know, I, I gave him a couple of hints on, on how to sort of do that, but the basic idea is, we would love to kind of talk through, what is that like? What are the things that we should be talking about when saying, what is the bare minimum?
B
You need to start adopting this reference architecture, because, yes, there's going to be certain things you could start today as long as you are doing certain things, right? Like, we, we're going to say, hey, look, we're talking purely about cloud native tools, we're talking purely about the cloud native space. If you want to kind of, you know, get some general ideas, here's our white paper, here's a couple other things you might want to look at, but we're kind of just putting that out there, and then we might say: okay, cool.
B
Now you want to do the cloud native supply chain security thing, here are things that you might need to start, look, you know, here's where you might need to be in your Cartografos journey in order to start doing some of these. And the reason why I, I bring that up is, like, I think people are gonna start asking.
B
Okay, you know, I spun up my first Kubernetes cluster, how do I fix my supply chain? And you're like, well, hold on, you might need to be a little bit more mature before doing some of that, you know, you, and so just wanted to kind of throw, throw some of that out there. Want to get folks' thoughts about starting to think about, looking through the reference architecture.
B
How mature do people think that this thing, you know, even components of that thing, might have to, how mature the person who is deploying this might have to be in their sort of journey, right? This is probably not, you know, your first Kubernetes adventure, right, is going to be setting up a completely secure supply chain, because of all the things that it, it involves admission controllers, it involves, you know, minimum privilege and so on and so forth.
A
Yeah, so something just occurred to me. I guess, I guess, what's the vision for this working group? Should it be that, you know, right now you still have to do a few things manually, but if we do this right, if we play our cards right, in the future you'll just plug in CNCF technologies, like, I don't know, Tekton, and just get stuff out of the box for free?
D
You know, I think originally it was just to put a line in the sand as of right now on a v1 of our reference architecture. So I'm sorry, Michael, if I can just jump in here. So, you know, again, it's like, to build this basis for it, but it's iterative, right? So, like you said, we can plug things in it, but right now we literally don't have a line in the sand for somebody new in software supply chain to say: okay, this is the basis we can start from, right? So that's, so, you know.
D
I agree with that. Just how we're gonna execute that, at this point I think we've, we have, like, this basis document. I think we just have to agree, okay, this is our v1, get this out there, and then have folks iterate, like you, Shashank, or like Craig or whomever, or alaska, or whomever.
A
Yeah, I was talking about this reference architecture with someone and how hard it is to put together, and it's a great reference architecture, because it's the state of the world today, but all the maintainers of these projects should also look at this as a friction log, right? This is, this is how hard it is to put something great together, and it's not something we should all be proud of yet, until it's easy.
B
Yeah, and it's something just to, to, to make sure that, for, I know a lot of folks who are relatively new to the group or who have missed some meetings and whatever, one of the things that was brought up was, like, you know, a lot of the stuff that we've even put in the reference architecture or the reference implementation, right, the, the prototype implementation that we're talking about, some of those features did not exist a few weeks ago, right?
B
Some of the features that we still need are probably coming in a few days, a few weeks, right? So, so that's definitely something that, you know, we've highlighted throughout the doc that, you know, hey, look, this stuff is very raw. There's a lot of things that, you know, this is, you know, to what you said, Dan, this is the state of the world today, this is, yeah. And so just need to make sure that that's clear, and we also make sure that it's clear to the audience, right?
B
If this is, you know, your first foray into cloud native, this probably isn't going to work for you yet, and we do need to work both with the opens, the rest of the open source community, the folks who are working on these tools, long term to make that better and make it so that at one, you know, obviously the idea in the future would be, I don't know, like a Helm chart or something like that that can deploy all these various things, and all you need to do.
B
Is, you know, you bring your keys or you have some sort of key signing ceremony, and then, you know, it helps manage the rest of it. That would be obviously an ideal sort of situation, but it's going to be a long road until then, and there's going to be some manual stuff you have to do, and there's going to be certain things that you have to recognize just aren't supported, and so you need to have mitigating controls, you need to have, perhaps, you know, runtime monitoring and those sorts of things.
B
You know, and we just need to be clear on that. But anyway, I just wanted to kind of highlight that, as, just as we're kind of finishing up this draft, of where people think of, like, how mature does the audience have to be. I just want to make sure that, you know, we kind of think about that, and it might be useful to kind of get the Cartografos folks involved, because then we could just point at, hey.
B
You can't even start your supply chain journey, at least right now, with the way things are, until you're level three maturity, right? That's what we're kind of saying, and so then that helps them say: okay, looking at the Cartografos maturity model or journey model, you know, it just helps, I think, folks kind of baseline that.
A
That, all that makes sense, thanks, you. Having said all that, I mean, I, I do see an argument for, hey, you really can't start this until you're, like, level three or whatever, I'm not sure whether we're talking about SLSA or some other level. But do you think that might be relatively easy things we might be able to point folks at, quick wins? You know, SLSA level one, that sort of thing.
B
Yeah, I think the reference architecture highlights some of those things, and I think it might be worthwhile to, to highlight a few things of, hey, look, these. But I want us to be careful, because I think, as we've sort of talked about in the past, one of the problems is, because supply chain is so holistic, it's very easy to give people the wrong idea that, if you're not looking here but you're looking in all these other places, that's still, you know, there's still the potential to be.
B
You know, that's the, your weakest link, and maybe you just need to be aware of it. I think we can kind of highlight a couple of those, but I think the thing that we're trying to really push is that end-to-end sort of thing, and we recognize that you, we do need to draw that line in the sand, as Dan said, of, hey, if you're not doing some of these things, you might not be getting as much benefit, but we've, we could still highlight a few things of, like, if you can't do anything else.
D
Call, we are going to call that on the doc, right? We're going to say this is basically, at this point, please iterate as necessary. This is a living, breathing, you know, document that people can iterate to, then we'll have one, 1.1 of this document. But, like, again, I think every week we're having the same discussion about what is the stock, and yeah.
B
Yep, and yep, yeah, I agree. And, and so with that said, I think, outside of just highlighting that.
B
Highlighting, like, hey, look, this is sort of where we expect you to be at, I think the rest is something like, yeah, maybe a 1.1 of that doc, as we go back and say: okay, here's the things that, you know, whatever. So, okay, cool. So now that that's been, been highlighted, I think the next step is, I just wanted to kind of go through a couple of topics on the actual paper.
B
Here, and I'll, I'll just, wanted to make sure that we, we have some of that sorted out, just wanted to make sure that, with folks, you know, I don't want it, I don't want folks to kind of think that, you know, hey.
B
I didn't realize that that had gotten updated or whatever. So the, the main things, and this is where, so one of the big ones that Shripod is still, you know, he flushed out a little bit, could probably use some additional feedback and so on, is the admission controller for the secure software factory itself. So, as a reminder, we, we stated that the production admission controller, so that means the admission control into, like, what we would consider production itself.
B
So, like, hey, are we validating that whatever has gone through the secure software, right, that's sort of more or less out of scope, but there are some elements here for, regarding the actual admission controller for the secure soft factor, software factory itself, like, how do we main, how do we make sure that the search, that the secure software factory is only running images that are approved to run in the secure software factory? So approved builder images, approved, like, let's say, for example, Tekton, right? If, are the Tekton images signed by the Tekton key?
B
Are, you know, whatever else signed by whoever else's keys? Are they, you know, validated, you know, do they have their own attestations and so on? To make sure that, you know, hey, our secure software factory is sort of useless if we're not securing the secure software factory. So that's one area, wanted to make sure that we kind of get some additional feedback on, and then, so, any thoughts on that?
B
Right, once again, feel free to, you know, put thoughts in the doc and, and whatnot. And then finally the, the other one, which I just wanted to make sure, because I know I wrote a bunch of stuff before KubeCon on this. Hey, Michael.
D
Can you go back up to the matrix up there? That's like ocean, yeah. So Shank, remember, you were saying earlier about, like, hey, we should plug in different technologies? This is why I put this matrix in here, because any reference architecture, right, has the time, and, you know, the point in time aspect of it, right, just for people to get enacted here, but, like, there's sources here that we can plug in different things, right? So in the future, right, we can just add different.
D
You know, things, and maybe make this matrix something that could be, like, a standalone, like, info, info guide. You know what I mean? There's definitely logic behind that piece of it, but like, as Michael said, then you get into the actual guts of the operation, right? So, like, folks are going to look at this and say: okay, like, how do I do that, like, what it, what it, what do I need to do, and then the, how do I need to do it, right? So that's kind of why we, we did this.
B
Muted, sorry about that, I clicked something and lost my spot there, but yeah, yeah. So, and then on that same sort of note, so start writing up a prototype reference implementation. Now, to be clear, anything that is left out of here is not on purpose, right? This is purely just, so I know most of you have seen the demo that Tim and I had given, or just I had given, at some of the various supply chain meetings over the past few months.
B
It's more or less based on that, and so just, and the code is right now all open source and whatever. I think that this should obviously be, at some point.
B
An actual CNCF thing. So once again, just want to be clear, anything, any decisions made here is just because myself and my team are familiar with the tool, or, or it was just what we could get working, or it was just based on the time we had. So don't think that anything in here is a specific decision that is set in stone, and, like, hey, why did you use this tool and not that tool? You know, I don't think we.
B
Okay, okay, just, we've gotten a lot of feedback recently that some folks had felt like certain technologies were specifically.
B
This out there. Okay, cool, so here's the components as they are, it's more or less based off of the thing. You know, it's all sort of open source. Once again, this code here, at some point, I don't know, why is GitHub down?
B
Getting 500s. Anyway, so this is just some examples here. Most of the stuff is under, okay, hopefully, well, worst comes to worst, the code is, is under here. Feel free to use it as you see fit, feel free to poke around with it. You know, I based this piece of that based on that. Feel free to kind of go through, you know, add your own sort of input here at some point.
B
I know this is something that want to talk with some of the other CNCF folks on, hey, could we just either, either take the code that we have already, you know, that is external from the CNCF and sort of donate it, bring it in, or should we just sort of rewrite it based on what work? It doesn't matter, but this is something that we should kind of look through. But I am very much looking for feedback on this section, because this is the sort of, you know.
B
So, you know, there are certain things in here that are already, need to be potentially changed before, like, an official release, but generally this is, this is just what I threw out there. Want to get feedback on it.
B
And any thoughts on that?
B
Sharing, well, that's all I had as far as topics.
B
I believe, based on what Andres was saying, is we do want to get, like, a full-fledged draft finalized in the next, like, two weeks. So, if there's anything.
D
The holidays, so then we don't just come back to, oh, we have to start this over again, right? I mean, let's, let's all be honest with each other, right? So yeah. So I think that's probably why we want to, I, and I think we're, like, what, 90 percent there, right? Pretty much have to just dot the i's, cross the, or the lowercase j's, I guess.
B
Yeah, yeah, and I think, you know, there's certain sections that probably just need to be slightly reorganized, and I think it's, I think we're reaching the point where it's almost more of just a formatting thing. I think there's, like, two or three final little topics that we want to just make sure get clarified, and that, that's why I really want to start looking through it, because I'm sure there's probably going to be a handful of things that we might be missing.
D
Yeah, I'm wondering, I, I work a lot with the OpenSSF folks, I'm wondering if should point this.
D
This draft on the Google Docs over to the OpenSSF Best Practices working group, see if they've got any thoughts, comments. With the disclaimer, David, that, like, we have two weeks, meaning, like, we, you know what I mean, like, we have a two, two week kind of review period, we're not going longer than that.
D
Andres, welcome. Just kind of talking about that in the eyes, and I'm not trying to be a dick there, David, and just kind of, like, just, you know, wanting to make sure that we don't have way too many chefs in the kitchen to be able to save, like, we get this document out unless there's something that somebody on the OpenSSF side says is absolutely necessary for us to redo.
B
Oops, forgot that, yeah, that was posted, my bad. It's all right.
B
Sorry about that, so I guess, to give, does anybody have anything else? Otherwise I can catch Andres and on up on, on some of the stuff.
B
It is being recorded, yeah, yeah, yep, yep, it is, yeah. I double checked, yeah, I double checked, it's good, yeah, yep. And I went through the whole, a spiel that, that, that this, you know, abide by the CNCF code of conduct and that the meeting is, is recorded and will be uploaded to YouTube, so yeah. So the main things, you know, just wanted to make sure was: hey, anything cool from KubeCon.
B
That folks wanted to talk about, or any of the related co-located events that folks wanted to kind of chat through, especially, specifically regarding supply chain security. Definitely enjoyed getting to meet a lot of you in person, which, you know, especially after two years mostly indoors, was, was nice. And then we went over a couple of topics regarding the, what you would call it, just regarding some, some open stuff, regarding, like, for example, hey, can we get some additional clarification on the admission controller piece?
B
Can we get a few other things here and there, can we also get some eyes on the prototype implementation stuff that I wrote. And then just wanted to see if one of the things that we can start to do is, once we start to sort out, like, you know, we say: hey, you know, we've already sort of said: here's the, here's the.
B
The whatchamacallit here, here's what we have, and then looking at this document, what sort of audience should we be saying: hey, look, for now we recognize that the supply chain security space is hard. It's not going to be trivial. This is not going to be something that everybody's going to be able to just pick up day one. Maybe something like the Cartografos Working Group, like: hey, can we say, you know, generally, we think that you should be at this level of your Cartografos journey, right.
B
So for those who don't know, there's just like, I think it's like level one to level five on the Cartografos journey. Maybe just saying like, we, you know, we're making a call and saying most likely the intended audience is for those who are at level two or level three before you start looking at this sort of reference architecture. If it's before that, we just don't think, you know, you might be able to sort of implement this.
B
Yet, because of, you know, the things you might have already had to consider. So just want to kind of get. So those are the, the pretty, the big topics. Anything else I missed from anybody?
E
E
B
I think the main feedback is: is there anything folks think I'm missing? Is there anything folks think that is, hey, here's a specific gap? Anything that folks think that, like, you know, oh actually, I really am, like, opposed to doing it.
B
That way, because I think here's the problems, I think we should do it this way. Because, you know, to be clear here, I recognize that a lot of this is still very PoC. As I kind of mentioned a little bit earlier, a lot of the features and functionality, right, that are in that prototype implementation are things that didn't exist before, you know, like less than a month ago. And so, and in fact, some of the things I even put in there, like Kyverno, both Kyverno and Gatekeeper, both released features in the middle of KubeCon.
B
That change how I would probably have done some of the stuff in there. So just, I think it is one of those things where we just need to be clear of, like: hey, look, recognize that some of the stuff in here might, is very much, like, fluid because of how quickly the space is moving.
E
Yeah, now, if you look at the delta between what Priya did, all the initial groundwork done by the techcon team who, like, when we started this group, to where we're at now, like, it's a huge progress that's been made. Like, there's a lot of pieces here that didn't exist. This might be a huge ask, but if you're able to scrub your demo a little bit and share it with others and have people run it, and we could check in that code as part of this, yeah.
B
Yeah, we're definitely, you know, down to kind of, yeah, CNCF, you know, take the code and kind of move along with it. And in fact, actually, you know, after some of the demos we had given at KubeCon, some folks have been reaching out to me about: hey, you know, can you walk me through how this demo works, and yeah, and I think, you know, there's a lot of good stuff on that front.
B
That, you know, folks are now seeing that this is a real, culturally, a real thing, as opposed to it just being purely, like, there's a lot of good work in different spaces. But one of the things I know, from the Cloud Native Security Con, you know, in the Slack, that was consistently brought up was: wow, this seems to be hard. This seems like, how do we get this running? You know, how can folks get this running? And I think the doc is going to say: hey, look.
B
This is the maturity model, this is the maturity you should have. But then, in addition to that, we could also show off: and here is a general end-to-end demo that you will still need to know a lot about how these pieces work to get the most out of it. But, you know, as long as you're at a certain level of maturity, you should be able to follow this, no problem.
E
D
I think there should be a diagram. The diagram should kind of illustrate. There should be an illustration first, right, because people like pictures, right, and so I agree that should be the case. But like, again, so something that's, we should, did we ever talk to, by the way, did we ever talk to the CNCF folks to kind of take the reference architecture and pretty it up a little bit? Did we ever go that route? I forgot where we were. Okay, there's.
B
E
B
Yeah, actually related to the Cartografos.
B
Children's book, the Admiral Bash's Island Adventure book. I can't remember who it was, I'll have to kind of go back, but they've reached out to say: hey, does somebody want to have a CNCF supply chain? And I said let's wait till after the reference architecture, but they're like, do you want to, you know, do some of you, us, want to write a children's book on walking people through supply chain security.
D
You wouldn't be the first, there's a coloring book for SELinux.
A
E
B
I was just throwing that out there. Yeah, no, no, to be clear, I'm saying: let's, once we're finished with this. I pretty much told everybody who was asking about, like, what are the next steps with this thing? Well, why don't we finish the draft first and then we'll talk about any potential next steps.
A
Yeah, Andres, I think, like, it will never be done, it's moving so fast. It will never be done. The question is not: when is it done? The question is: when is it done enough or worthwhile to put out now? And I think, to Dan's point, it is worthwhile to put out now, like as soon as possible. It will obviously become out of date 30 seconds after it is released, and that there, no amount of updating will ever fix that, so.
D
And when we promote it, I think, or excuse me, when we kind of extend the top to our networks and say: look, this is our line in the sand, everyone please iterate on it, like that. That to me is, I think, the beauty of this, because people will look at and go: oh well, you know, they didn't think about this, let me, you know. And that's where invite them to the group and say: let's go, let's keep on, you know, iterating on it as possible, right, so right.
D
You missed the first player, Andre, sweet. We have work, I think we're giving it next two weeks, right, so I think David said he was going to have the OpenSSF folks take a look at it, and I think it's basically like, you know, because we have the, you know, the break. We want to try to get this done, like we talked about, before, like, the holidays, so we can, you know, come back to whatever the responses to it are, so.
D
B
Yeah, so the only other thing I was just going to add on there, which is just a real quick thing, because just, like, as a point of maybe in the future of some of the stuff that we want to do, right, because I agree with everything that Andres and Dan have said, and one thing that I noticed that seems to have been working really well for the SLSA working groups that are part of the OpenSSF is that, sort of, like, they recognize how things are moving.
B
So it's like they have v0.1 and then, two weeks later, they have v0.2, and they're just kind of saying: look, this thing is going to be very, a living thing. I don't know if we want to go that route, but it might be something that, after we're done with the draft, we might want to start considering.
B
More or less, I think, there's just a couple of things that need to be sorted out with the admission controller piece. There might be one or two things we might want to just fix up with the reference implementation, and then any diagrams and those sorts of things.
E
B
Yes, so the admission controller piece, and then there's the, just like some additional thoughts about the reference implementation, like, and I think at this point it should be either quit real quick, like, hey, just highlight this in the reference implementation, or it should be: there's a gap missing there and it's, you know, larger than a breadbox, so we should call it out as: we recognize that the prototype implementation has this gap, it was not addressed right now, and just kind of call that out.
D
E
D
Then, and again, if anyone wants to suggest certain things, please join us, you know, in the group. So this also should be some type of recruitment document as well, you know, enrollment document for TAG Security, right, for this working group.
D
Yeah, yeah, we should definitely open that up with that: this is as of this date, as Jason said earlier. You know, if there's anything you'd like to suggest here, this is a working, breathing document. This is iteration 1.0.
B
Yeah, yeah, I do think it's funny, I was just about to say, like, almost one of the things that we want to highlight is some of these known gaps might be filled by the time that this is released, just because of how quickly some of the features and integrations and so on and so forth are being pushed out.
B
A
Hello, sorry, I turned out, I was watching the supply chain conference last week and heard about your working group and thought I'd come and check you out.
A
Sure, I'm a GCP security architect. I work for PA Consulting in the UK. I've been interested in financial services and supply chain security.
B
Well, glad to have you on board, and let me once again post the links to the meeting notes, as well as our reference architecture, and, as you probably heard, you know, we are looking to get feedback on it, but be quick about that feedback, and then, obviously, over time, you know, we'll continue to iterate, there'll be a lot more stuff on there, and, you know, so on and so forth. You know, glad to have you on board, all right.
B
Another person who joined, Deepak. Do you wanna give an update or introduce yourself?
A
Hi, my name is Deepak Ketwal. I am chief architect at the UKG.
A
So this is my first meeting, and we are doing lot of migration offered from the on-premise Kubernetes to the GCP, so very much interested in understanding the CNCF open source community and what we can leverage. So very excited to be part of CNCF community and understanding and how we can contribute as well. Glad.
B
To have you on board as well, and just as a reminder, yeah, this is the supply chain, the software supply chain security stuff, and the documents for it are posted in the chat. Feel free to take a look and, you know, provide any feedback.
E
We're looking for, like, any oversight or any glaring, like, mistakes of omissions we might have made, a type of contribution we're looking at this point for. We are also going to be shuffling some of the content around. We might open up with the conclusion, which right now is part of the appendix, the prototype ref for the reference architecture.
A
Yeah, I like that idea. I don't have any stronger opinion than the tweet I posted a link to, which is like: this is not a TED talk. We don't need to build up a big, like, sense of, like, purpose. I think people, especially now, understand supply chain security is important.
B
Yeah, so one thing I would say, which I don't wanna, like, among this group and among most engineers, I think they recognize. One of the things I think that kind of came out of also some of the stuff in Supply Chain Security
B
Con was just how few folks really understand the scope of the problem still, both, to some extent, at the executive level, that's sort of outside of our purview, but also even among the engineers who are just like: what does that actually mean for me? And you're like: actually, it means, you know, today you have, tomorrow your company goes out of business because they completely got pwned and there's no way to roll, you know, there's no way to figure out exactly what went wrong.
E
Definitely we should try to convey that within the summary of it, like the relevance of it and applicability to everyone's responsibility, right. To try to channel Jason Hall, I'm not sure I can paraphrase it too well, but we're doing some constraining of the scope, right, and the scope naturally is going to evolve, like, state of technology is going to evolve, so we're capturing, like, snapshot in time, what we know and how to best address what we know.
E
But there's going to be, again, some things that we didn't manage to get to. We're going to try to declare those up front. We don't want this to become dated.
E
B
B
Today, so, oh.
B
D
That it was not going ahead, so I was like, okay, great, great, I'll wait until five o'clock. Yeah, okay, no probs, well, cool, I'll.
D
D
Not much on my end. I did some stuff last week for Sigstore for KubeCon, like a getting started guide, not really super relevant to this group, I guess. I mean, except for those, you know, I mean, it's somewhere along the line it is a little bit, but yeah, no, nothing much otherwise on my end, nothing on the group's actual work.
E
E
Has had a chance to go over Michael's prototyping section that's been added since we last met. Michael is currently looking for feedback on it. Once again, we're thinking moving further, this section further up, or like out of an appendix and right into the main body of the document, so you could give that to answer or twice over, be really beneficial.
B
Yeah, just as, yeah, the very quick thing is just, like, yep, we already said that the admission controller for production is more or less out of scope, outside of saying you should have an admission controller that, you know, is validating that what comes out of the secure factory has been signed, yada yada. But then there's also the, you know.
B
The other thing, which is just: have admission control within the secure software factory, so that whatever you're using, right, whatever your CI/CD is using, and I'm just going to use the example that I've done in the prototype implementation, but like, hey, validate that the Sigstore images are signed by the Sigstore key, validate that the Tekton images are signed by the Tekton key, validate that any builders are signed by either your key or, you know, a key that you trust, and valid.
B
You know, and if you want to, you know, validate the, you know, any sort of SLSA attestations or similar that you would want on those images. And then, while also, I think, highlighting there might be a gap today in stuff like admission control for Tekton tasks, because rather, in the sort of broader tooling space, like, the SolarWinds folks have written some stuff, but it seems like it's all custom internal code. But it might still be just sort of useful, just kind of say: hey, and you should be.
B
B
A
B
So many, so many of these terms are all overloaded by a million different folks, because you also have the DoD definition of software factory, which is, like, literally like: oh, these are locations where software is written, and the tooling that they've used to sort of, you know, write that software.
D
B
B
So what you're saying is we should have, we need to have an abstract secure software factor, software factory, but.
A
B
D
Should we, I mean, sorry if this isn't the thing, I haven't looked at in a bit, should we maybe just address that fact? You know, that this term has been used multiple times over the past, and, you know, we are aware that, and people have come at it with various definitions, but, you know, this is what we're using, and this is why we're using it. Maybe.
E
Yeah, I think we have some of that language on the supply chain best practices, saying: hey, we borrowed this from the latest interpretation from the United States Air Force Platform One, this traces back to this paper published in 1974 from Microsoft.
A
Rather than to maybe debate the word itself, just like in the first introduction section, we call out we're building on the supply chain best practices white paper that has a definition of a software supply chain. We should probably just reintroduce that same definition, just like: this is what we're talking about. It doesn't really matter, like, I don't care what the word is, yeah.
B
Yeah, agree. I mean, if we do, like, the, I do like secure, regardless of the other terms for secure software factory. I do like just the general term of: it's a factory, which means it's a set of tools that maybe go beyond just continuous integration, continuous delivery, you know, building and yada yada. It's like a set of all these things that, you know: oh, you go into the secure software factory, you do some stuff, and the output of that secure software factory is secure software.
B
That's what comes to my mind, but if there is a better term for it, I am, you know, especially if that term is already overloaded in a million other places, I'm totally okay. Like, I'm not one to really care much about the specifics there, as long as the term is clear and, you know, in the community we're not confusing people.
E
It's a useful concept, I think, however, like, but the understanding of people having factory is very much stated and the industrial revolution, right. It's not like modern world just-in-time manufacturing, 3D printers, like, geographically dispersed to just ship things to whoever did local, rather than like: oh, we have, like, fixed Foxconn China and that's the factory, and then.
D
But I think what's powerful in the software factory term is the chain of assembly. I think that's what comes to mind for a lot of people, and so that's what we're, because a big part of what we're talking about is, you know, the build, the build, which is really the assembly line, so I think that's where it works quite well. However, I do have a small problem with, or small.
B
Yeah, so what I should say there, and I think this is where maybe the SLSA stuff also comes into play, right. It's Security Levels for Software Artifacts, and so it's almost like there is a level of security that we are attesting to based on what we have, as long as you're following the reference architecture. Yeah, and to be clear, we recognize that calling anything secure is fundamentally, you know, problematic.
D
That there is, there is like a bit of a trick out of that: instead of saying secure software supply chain, it's software supply chain security, and you're talking about, you know, property of it versus the actual state. Like, you're not saying it's, like, you're just saying something about the security of it or, you know, you're making an effort in that dimension. You know, it's a bit of a.
D
D
No worries. I mean, I don't want to go on and on about this, I think we all are well aware of, you know, the limits of what you're saying, and I think it's a very good point of saying, you know, if you follow these steps and these approaches, and, you know, you follow basically the requirements, you will have some level of guarantee, and that's really what we're saying.
B
I think that's exactly the sort of thing that we would love to be able to talk through, and then, you know, because I think, especially with SLSA and a lot of these other things becoming.
B
You know, SLSA being a real thing, and salt somewhere KubeCon, folks were very, you know, I'm sure folks are very interested in understanding: okay, now, how do we kind of?
B
How do I baseline my understanding here, right, and it's say: hey, there's reference architecture, we think based on these properties, right, like, the output here is SLSA 2. Which, I mean, that's just my basic, super basic assessment, is pretty much, as long as you're following these things, it should be SLSA 2. It's almost SLSA 3, but there's a couple of things that are missing that are features and integrations that just aren't ready yet. Yeah, and so, yeah, just, but yeah.
B
I agree. The thing that I'm also worried about, which thing that came out of this Cloud Native Security Con, but this is just something that's out of the scope for this, but I just want to kind of highlight, which is just: there's still a lot of folks who are just like: hey, I keep hearing supply chain security as being a big problem, and I keep seeing demos, and, like, I can't sign all my stuff, I can't do all these things, I can't blah blah blah, and it's like, okay.
A
B
E
B
Yeah, well, I think if we do go with the, I would say we should do the cloud native reference art, because, and/or we might also want to say a cloud native reference architecture, just to make sure that it is crystal clear in the thing that it's like: oh, this is not the reference architecture if you have a bunch of, you know, hardware running Jenkins and that hardware is not ephemeral and yada yada and so on and so forth.
E
E
B
Yeah, pretty much. Yeah, so I have it highlighted in the reference implementation piece, or the prototype implementation piece, but I think we need to just call it out, so to be clear. Sripod has done some of this, and so we just need to kind of get some additional feedback and clean up some of that a little bit, so it's just very, very clear on the sorts of things that we're looking for. But yeah, I think you could probably just do admission controller.
A
E
Okay, Brandon is out of office this week, I'll follow up with the CNCF on the status of that diagram redesign.
B
Yeah, the other one, what was it called, pie diagram or something like that, yeah. It was one of those. Honestly, it's kind, so I am not an expert in either UML-based sorts of things or any of these other ones. Like, I am also, some of the stuff probably has to be modified after some additional thoughts, right, based on the reference implementation. I'm down to have a, like, you know, a one or two hour working session, just to kind of, like, go through an actual diagram.
E
E
B
What, wait, what about my? I have a few folks, probably on my side, who I can work with on that.
E
E
C
I don't know, I did not award that, that can totally be changed. I was thinking, like, you know, the difference between if we start caring about the provenance from the point at which a developer commits to a pipe, and a pipeline gets triggered, or if we're also looking at, like, you know, was this commit signed, and so we're looking at sort of the developer identity before that, or, like, you know, at what point in the chain do we actually start recording the data?
C
If that makes sense, and that's kind of what I was trying to say there. But if someone can word that better, please go for it.
A
I'd say begins to be recorded.
A
E
E
B
Yeah, I mean, yeah, right now, I would say outside of some PoC work that a handful of us have done, nobody's really done SBOM admission controller sort of stuff.
B
The thing that has been done right now, and some of the stuff was released last week while we were all KubeCon, but like the ability to sort of validate attestation, the ability to validate signatures of some of the images, as part of, you know, so that's stuff like Connaisseur, Kyverno, OPA.
E
B
Yep, and so the only thing that is, you know, maybe just say, I don't know how we want to say, like, you might need to write your own custom code as it stands today to do some of this.
E
B
Yeah, that's where I want additional feedback. Oh, I must have not clicked the comment there. I was going to edit a comment, just saying: hey, look, I think this needs to be, we need to take a look at this a little bit more. I think the idea.
B
B
There's also a couple other things, like, which are kind of highlighted, which is, one is, I think that's where the pipeline admission controller, dependency admission controller and build admission controller sort of come in. I'm not exactly sure what the, the dependency.
B
Oh, I now remember. Maybe that's, so the things to get across here are: we want to make sure that, like, there should be an admission controller for something like Tekton, such that somebody can't just push a random Tekton task and have it go through our whole process, right, because then that Tekton task could do something bad, that'd be a problem.
B
There should be an admission controller for the secure software factory itself, right, like, are we ensuring that we're running approved Tekton images, approved whatever else that we have in there, right. And then the final one is in the build: we want to validate that whatever we're building, right.
C
So this may be the way of saying this: there's at least three kinds of inputs that we want the admission controller to be looking at. There's the input that is the components of the pipeline itself, so the Tekton container, the whatever that is actually running the jobs. There's the input that is the pipeline, the task definition, so does the job that is being run meet our specifications. And then there's the input of, like, that third container that you're trying.
B
So agree with that. I think the thing we can just sort of be very clear about, right, because I think that there's going to be stuff regarding the quality and certain elements of an individual task that would be able to sort of say: hey, yes, like, you're doing the right sort of things. I think most of that we already have in other areas of the paper, which is like: make sure that you're doing code review of your tasks and so on and so forth.
B
But I think there's an element here which is just more of the: if somebody can bypass something, we want to make sure that only approved tasks are coming in, and you can have some additional rules, right, that are validating some of those things. But I think the key here is that, you know, only approved tasks, and we should just sort of leave it there, because, you know, I think there's a lot more details.
B
C
It's the same things that Michael was listing above, I think. I think I was trying to figure out, because we were all stripping on the idea of it being layers or levels, and I was saying I wonder if the way to cast it is as the inputs.
C
It's the same ones that Michael was listing, I think. So the components of pipeline itself, the input of the task definition, and then, I think, whatever his third one there, the what is being built, the Rust container in his example.
E
E
A
A
E
B
Good question. Well, I think maybe it might make sense just to say, well, you know, I guess this is part of the, like, thing where we just want to kind of highlight: defined by user, verify the pipeline, oh, instantiate, when, oh yeah, the way that reads is more of like: when a pipeline is triggered.
E
Series permission checks.
E
C
C
C
C
A
B
Yeah, I mean, I think that's going to be at this point very hard. Like, I don't think anybody's doing a, we're not verifying open source package dependencies as part of the admission controllers.
C
E
B
I mean, I think there might be certain things, like, so as an example, a builder image, right, like a parent image that I might be building off of, that's going to be easy to do admission control on. But if I say: hey, make sure I don't pull this bad JSON, not JS, a Java package, right, Maven package, I'm not sure how we would do that via a sort of normal cloud native admission controller.
C
Yeah, I think in my head the way that I imagine this working, you know, in some future state where, like, this is possible, is that it's happening, sort of like, is that this is basically a recursive process, right. So what we've said about the final artifact that we're building, you then just apply that to a previous artifact, that is, you know, dependency X, and then, if dependency X also has an artifact or has a dependency.
C
Then eventually you recurse this same process to, you know, the previous artifact, that is dependency Y, that's going to be ingested by dependency X, that's going to be ingested by our artifact. So that's, like, in my head, how I imagine this eventually working, is that, like, it just kind of recursively goes deeper. But so I don't know that there's like a whole lot for us to say, if that's sort of the dream, other than to say, you know, whatever the thing is that you're building right now.
C
These are the steps you do for it, and then, if someday you have the capability to, you know, build a certain set of your dependencies before you build your final artifact, then you're doing the same process but you're doing it for those, and then you just pass those in to the next stage. If that makes sense.
E
E
E
C
C
I can take a look at this at some point if you'd like. I think probably my guess is, I think we've circled around this particular question in several meetings now, and my guess is that this is just multiple iterations of, right, trying to write the answer to this question, and they can probably all get combined together somehow. So I can take a look at how to try to merge some of these things and trim it down, yeah.
E
B
Yeah, and just, but just make it clear that the actual production admission controller is out of scope, outside of: you should be doing those things.
E
E
E
E
D
B
Yeah, yeah, and I'm, this is probably one of my still key priorities here, is to finish up whatever needs to get finished up. Oh yeah.
C
I've gotta drop in just a second as well, but I will keep circling back at this. The only thing that I have really added to this is: I tried to outline in the prototyping section farther down sort of the skeleton of what I think, how I think that might go.
C
I think you went past it there, yeah. So this is what Michael put in, and I put in there, we had an earlier section that was, like, titled the prototype, and I tried to put a skeleton in there that may encompass some of this, or maybe we, you know, I don't know, just one idea for formatting that, so it's a little farther up there.
E
B
And then this is probably something offline, but you and I, Andre, should, I'm not sure what the process is if we wanted to go and take that demo code I have and start to make it into something real, that's, you know, an actual CNCF project.
B
Because, you know, at this point, I think, you know, given that all code is open source, it's not owned by my company or anything like that, it is purely just, you know, and in fact we're using lots of different things internally for various reasons, but obviously we want to, you know, from our perspective, the more folks who can start poking around with this sort of thing.
B
E
Totally, totally, yeah, there's a couple approaches there. Let's chat about those. I think we should start off by anonymizing the code, just making sure it's, or, well, it's a PoC coach. So we can start off with that and from that build up. So to try to have a quick turnaround on, like, this that we're looking here, like, do you guys want to reconvene sometime later? They want to reconvene tomorrow and do, like, what we've done on this later.
B
Yeah, I'm down. Let me just double check what my schedule looks like.
E
All right, sleep, repeat, so I have all this time to work on this, so let me make a copy of the doc, start making that restructure, and yeah. Hey Taylor, good to see you here.
E
A
I've shared it with several people already so, hopefully.
D
B
E
B
Yeah, have some cool, once this is done, have some additional cool things to show off that, or maybe up to and including SLSA 4 coming up soon. So as like, obviously not out of scope of the paper, but something that maybe has next steps for the group that we can start poking with. Okay, fantastic, yeah.