From YouTube: TAG Security Supply Chain WG 2022-02-03
B: I cut down the paper from like 52 pages down to like 36 pages, and we probably just want to cut out a little bit more. There's some other stuff in there around the... there's some areas where I just sort of deleted the whole section, but I wanted to double check with folks before deleting the whole section. I'm like, but yeah, I'll give it a couple more minutes for other folks to join, and I think I wanna just kind of go through, get some second and third opinions.

B: And if, you know, by the end of this meeting, you know, we're all more or less in agreement, then, you know, we can cut all that sort of stuff out and then just kind of hand it over once again, just to one final, like, look it over. Is there any big thing that isn't... to be completely broken? If not, you know, I think it's good to sort of be released. I think the main things right now are... I'll give it a couple minutes before, you know.

B: I just want to make sure, give it a few minutes.
B: We haven't, but no, we haven't, so the last time it seemed like this: a very minor plurality or whatever of folks seem to prefer this time. With that said, I am going to do a reevaluation of just the doodle, just to go through, and I want to take into account.

B: First and foremost, the folks who have contributed to the group, contributed to the paper, completed a bunch of this stuff, when thinking in changing the time, because I don't want it to have been like, hey yeah, there's a bunch of other folks who want to, who would prefer another time, but like to some extent, hey, I do want to provide some deference to the folks who have contributed a ton, like, for example, like Andres, right. He helped lead this thing. He can't make this time anymore.

B: It would be a big shame to just be like, hey Andres, I know you still want to contribute, you contributed a ton, but, you know, I know you have a personal engagement at this time every time, you know, sorry, we're not gonna, you know, we're not gonna accommodate you. I would rather say: hey, look, you've done a, you know, you contributed a ton here.

B: Maybe it's worth just saying, yep, you know, let's, you know, accommodate you, especially in that sense that there does seem to be a good deal of folks who want to accommodate it. What I will say also is that I might not be able to start making this time as well, as it sounds like the CD Foundation's end user council is now at this time. You know, I don't know, there's... it seems like with so many working groups.
B: Also, this meeting is recorded and at some point after this meeting, you know, usually, hopefully within a few days, this meeting will be uploaded to YouTube for others to kind of watch. All right, first, because I'm gonna have a bunch of stuff to talk about, I'll just throw it over to... we'll go down the list on folks on my Zoom here for updates. Alex, do you have any sort of updates?

B: One second, okay: is it just...

A: That better? Yeah, yeah, much better. Okay, sorry, I don't know what that was about, but it started off and...
A
Yeah
yeah,
so
I
did
a
pass
through
prior
to
last.
Was
it
last
week
or
two
weeks
ago?
Speeding,
I
don't
know
I
did.
I
did
a
pass
through
and
made
a
bunch
of
comments
and
I
think
we've
addressed
a
lot
of
those.
I
haven't
had
a
chance
to
do
a
second
read
through,
but
I
will.
A
I
know
that
there
is
an
objective
to
really
cut
down
the
page
count,
and
I
think
some
of
that
work
has
already
happened
and
I'll
do
a
read
through
thinking
about
that
too,
and
what
whether
there's
redundant
material
we
can
take
out
or
ways
that
we
can
reorganize
a
little
bit
of
it
to
condense.
So
I'll
do.
I
will
do
a
pass
through
that,
but
I
haven't
yet.
B
Cool
yeah,
we'll
we'll
actually
probably
do
that
pass
through
right
after
the
updates
from
everybody.
Next
up
on
my
list
brendan.
A
Yeah,
I'm
kind
of
in
the
same
boat
as
alex.
I
know
I
want
to
spend
some
time
go
through
the
documents
and
really
take
a
good,
read
and
see
how
I
can
help
you
clean
some
of
that
stuff
out
there,
but
just
haven't
had
the
time
yet
so
later
on
today
sounds
like
a
good
option:
cool
adidas,
I
was
a
I
was
able
to
make.
A
You
know,
go
through
about
like
the
first
half
of
the
document,
but
and
I
one
of
the
things
I
really
wanted
to
help
with
was
deduplication
with
the
earlier
white
paper
but
yeah.
So
I
think
it'd
be
great
to
be
able
to
get
some
of
that
done
during
this
call.
After
the
updates,
because
running
time
for
during
the
week
spring
talk
cool.
A
Yeah
kind
of
a
little
bit
similar
to
everybody
else.
I've
been
kind
of
starting
to
look
at
the
document,
but
haven't
finished
my
past
there's
probably
no
no,
like
particular
comments,
because
I
know
that
duplication
is
one
of
the
big
things
and
it's
hard
to
do
that
until
I've
read
the
whole
thing
so,
but
yeah
mostly
looks
good
overall,
though
so.
B
Cool,
so
I
saw
hector
join
so
hector.
We
just
got
going
through
some
quick
updates
before
we
kind
of
go
through
section
by
section
yeah,
so
hector
do
you
have
any
updates.
B: Okay, so I, you know, it has been one of my primary goals to make sure that this sort of thing goes through and that we can sort of clean it up. So a couple of big things from my end: I deleted the prototype implementation thing completely from the document, outside of just saying: hey, here's where to go.

B: It was actually somewhat announced today that, you know, we're going to be donating that to the OpenSSF. There should be a bigger sort of announcement that's going on with that later on. You should see that go out probably next week, but the basic idea here, right, is, so like, hey, there's a bunch of details in there, they're mostly implementation details, doesn't necessarily make sense, remove them.

B: We can refer people to that, and that can be sort of also the living code and living document. So, you know, if folks are interested in, hey, here's what literally this, you know, what something that's based on this document looks like, you can go here. You can look at the document on how it's implemented, why it was implemented and so on over there.
B: So just as a reminder here, I cut out a bunch of stuff, so it took it down from 52-ish pages down to like 36-ish pages. A lot of the stuff here, that a lot of other stuff here is... this page count is also not exactly correct, because there's a lot of sections that, if you notice, you know, I might have cut out a paragraph here, but it's like, well, this thing was already pushed on the next line anyway.

B: So there's some, you know, there's some areas here that I sort of cut out a couple of sentences, but, you know, like, for example, the architecture prototype here, right, like there's a whole bunch of white space, because, you know, this section, because of the way that we set up the sections, it automatically sort of puts it on another page. I'm just sort of saying: hey, that's fine! For now, you know, when we actually format the paper, we can sort some of that sort of stuff out.

B: So I went through the various sections, deleted a bunch of stuff, deleted... did a bunch of deduplication, referred people a lot of times to, hey?

B: If you want to know more about how you should be signing, what the encryption model, etc., look at the best practices paper, or referring to other cloud native security papers. So on that front, as one thing, and I'll just add this as notes here, and I will just, and I already kind of cleaned a lot of that up, so I'll just prove my own comment there, let me go and, oh, there.
B
Citations
as
needed,
so
we
need
to
add
and
change
citations
as
needed.
So
like
these
are
you
know
most
of
the
stuff
is,
is
the
the
the
best
practices
white
paper
we
might
want
to
just
say
where
details
are
lacking?
Please
look
at
this
as
opposed
to
citing
it
in
every
single
location,
because
almost
every
section
is
like.
Please
see
the
you
know,
you
know,
please
see
the
security,
the
the
supply
chain,
security,
best
practices
on
how
you
should
be
storing
your
artifacts
on
how
you
should
be.
You
know
running.
B
B
So
that's
one
thing
that
we
need
to
just
sort
of
go
through
and
figure
out.
The
other
things
are.
We
might
want
to
clean
up
the
intro
a
little
bit
just
to
make
sure
certain
things
are
a
little
clearer.
I
don't
know,
I
think,
largely
the
thing
that
I
based
on
conversations
and
based
on
the
conversation
with
alex
and
previous
conversations,
the
past
few
weeks.
The
primary
goal
of
the
reference
architecture
here
is
to
highlight
the
gap
in
knowledge
around
provenance
right,
so
a
lot
of
other
papers.
B
Best
practices
guides
talk
about
how
to
do
security
scans.
How
to
you
know,
secure
your
code,
how
to
deal
with
bad
actors
in
general.
There's
a
lot
of
documentation
out
there
that
already
handles
that.
There's,
not
a
lot
of
documentation
out
there
that
says
hey
when
running
a
build.
You
should
be
tracing
providence
while
doing
all
the
other
stuff
right
doing
the
scans,
and
you
know
yeah,
I'm
not
going
to
talk
about
that.
B
There's
there's
not
a
lot
of
documentation
out
there
on
tracing
your
build
in
so
in
ways
that
you
can
have
a
you,
can
trust
the
integrity
of
it
and
so
on.
B
So
that's
the
highlight
of
this
paper,
and
so
that's
why
almost
every
section
you
know
seem-
and
I
think
going
through
it
by
and
large
every
section
really,
I
think,
hammers
at
home.
Now
it
hammers.
You
know
it,
it
highlights
the
fact
that
it
hire
is
sorry
it.
It
highlights
the
fact
that,
like,
for
example,
you
know
when
you're
pulling
from
artifact
repositories,
you
need
to
make
sure
you
know
where
you're
pulling
from
when
you
are
running
builds
right.
You
want
to
make
sure
that
step
a
led
to
step
b.
B
You
know,
and
all
these
things
combined
and
here's
how
we're
approaching
that
problem.
Here's
how
we're
approaching
you
know,
identity
and
signing.
Oh,
you
want
specifics
on
how
to
sign,
no
that
go
to
the
best
practices,
other
best
practices
paper,
and
you
know
so
on
and
so
forth.
But
you
want
to
understand
why
it's
important
and
how
you
need
to
make
sure
these
things
sort
of
interact
with
each
other
like
yes,
there
should
be
different
identities
for
the
thing
that
pulls
down
your
code
than
the
thing
that
actually
ran
your
build
long
term
right.
B
You
know
some
of
the
stuff,
maybe
you
know
short
term,
isn't
there
yet
yeah
yeah,
so
those
are
kind
of
the
the
things
that
were
kind
of
I
I
kind
of
went
through
and
did
so
once
again.
Let
me
do
this.
Intro
cleanup
probably
needs
to
get
done
because
there's
some
stuff
in
here
that
I
think
we
just
want
to.
We
might
want
to
just
highlight
one
or
two
more
times
like
yep
defense
in
depth,
sending
in
verification,
artifact,
metadata
analysis
and
automation,
and
that
leads
to
why
providence
is
super
important.
B
We
have
some
stuff
highlighted
here
that
are
just
sort
of
general
like
high
level
things,
and
you
know,
and
what
not
you
know:
hey
here's,
some
highlighting.
B
Okay,
yeah,
so
that
I'm
I'm
totally
cool
with
with
getting
rid
of
mozad
as
well.
I
think
the
problem
scope
is
where
I
feel
like
this
is
really
important
right.
The
thing
here
that
we're
trying
to
talk
about
is
hey.
We
need
to
do
providence,
verification,
we
need
to
do
trustworthiness
and
then
for
dependencies.
We
essentially
are
saying
you
need
to
do
that
recursively
as
much
as
possible
right
and
then
what
we're
trying
to
say
here
is
you
know
we
just
want
to
make
clear.
B
Is
that
trustworthiness
which
is
like
the
scans
and
everything
else?
That's
highlighted
in
a
million
other
documents
right.
You
know,
there's
a
million
documents
that
say
you
should
be
doing
sas
scans
and
dash
scans
and
source
code
linting
and
all
that
sort
of
good
stuff.
But
there's
really
not
many
documents
that
are
saying
you
should
be
tracing
your
build.
You
should
be
making
sure
that
you're
recording
every
time
you
pull
from
git
and
you're.
B
There's
not
a
lot
of
that,
and
so
we
want
to
make
sure
that
that
gets
highlighted-
and
I
kind
of
added
some
additional
stuff
here,
just
to
kind
of
really
highlight
that
which
is
you
know
it
helps
us
identify.
You
know
the
matrix
blah
blah.
You
know.
Trustworthiness
is
already
covered
by
other
security
practices
like
artifact,
scans
and
code
reviews
and
should
be
part
of
your
software
security
picture,
see
you
know
other
best
practices
documents.
This
could
be
cleaned
up.
You
know
a
lot
of
this.
B: Finally, so one of the things here is the architecture prototype. So this is the secure software factory, which is this repository over here. That code is under, you know, significant development, so I want to also remove a lot of stuff in there, because a lot of that stuff is completely out of date anyway from the paper, because we've, you know, like a lot of stuff around SPIFFE/SPIRE integration is essentially done at this point, a lot of stuff around things that were missing from admission controllers.

B: You know, the team at Citi has worked with the open source to kind of get some of those features built into tools like Kyverno and gator and so on, and so here we're just kind of saying, this used to be six or seven pages of like how that thing was built, and now we're saying just go over here if you want to understand more about how that's built, or you just want to see that sort of thing. Then finally, you know, we now...

B: Finally, the next section, the secure software factory, right, so I didn't do a whole lot of cleanup here. I did do some cleanup here on the component sections, just trying to kind of... there was a couple of areas where we talked a lot about like how you should be securing Kubernetes, and here we're just saying you should be following the Kubernetes,

B: you know, hardening guide if possible, and this is where, once again from my comment, like I don't know exactly what hardening guides and best practices guides on that end we want to highlight, but we should probably cite that if possible, or at the, you know, and this is where I'm also still open, is if at the top we just want to say, hey, we are not getting into the details in a lot of areas on like how to secure certain things, like how to secure your Kubernetes and blah blah.
B
Please
refer
to
these
guides
for
that
and
we're
not
going
to
talk
about
it
again.
You
know
that
might
be
something
we
want
to
do,
but,
but
once
again
that's
you
know
whatever
so
a
lot
of
the
other
stuff.
I
you
know,
I
cleaned
up
a
couple
of
things
here
and
there
making
sure
that,
unless
it's
super
specific
to
the
provenance
piece
right,
like
I
think
you
know,
reproducible
and
hermetic
builds
like
hey.
By
doing
it.
B
This
way,
it
makes
it
easier
to
sort
of
say
I
trust
what
actually
happened
here
and
I
trust
the
integrity
of
what
that
happened.
There,
I
think,
is,
is
important,
but
beyond
some
of
those
other
things,
I
think
we
can
kind
of
you
know
mostly
just
refer
people
to
the
other
documents
so
like,
for
example,
policy
management
framework.
Here
right,
where
we're
trying
to
say
you
know.
B
What
else
so
most
of
the
other
stuff,
simple,
simple,
simple,
then
the
thing
here
when
talking
about
a
mission
controller
I
want
this
is
the
this
is
the
one
section
that
I
do
want
a
second
or
third
or
fourth
set
of
eyes
on.
So,
as
I
mentioned
in
the
comment
want
to
get
a
second
opinion
here,
but
most
of
the
content
here,
I
think,
is
described
a
bit
clearer,
the
ssf
functionality
section
and
want
to
make
sure
we
don't
duplicate
ourselves.
B
I
do
think
there's
a
lot
of
good
content
here,
some
of
which
is
subtle,
so
do
want
to
make
sure
it's
captured
somewhere,
like.
I
do
think
that
there's
information
here
that
I
want
to
make
sure
it's
captured,
but
there's
certain
things
in
here
that
feel
a
little
like
we're
diving,
really
deep
into
details
like
you
know
when
you
know
like.
B
I
think
this
is
important,
but
we
might
want
to
just
state
it
a
different
way
such
that
it's
just
more
straightforward
and
simpler,
like
hey
the
emission
controller,
uses
a
network
jail
to
enforce
an
odd.
You
know
admit
nothing
policy
like
maybe
we
just
say
if
you're,
following
best
practices,
you
know
we
are,
you
know
it's
deny
by
default,
then
allow
by
default.
You
know,
if
possible,
like
maybe
just
kind
of
leave
it
more
broad
and
then
just
highlight
specific
things,
but
I
want
to
get
another
set
of
eyes
here.
It's
just
that.
B
There's
a
lot
of
content
here
and
it
kind
of
goes
between
different
levels
like
we're
talking
about
emission
controllers
at
a
generic
level
and
then
we're
talking
very,
very,
very
specifically
on
certain
things,
and
so
we
might
just
want
to
reorganize
it
a
little
bit
where
the
specifics
go
into
the
the
next
section,
and
this
is
focused
purely
on
the
high
level
reason.
Maybe,
but
that's
the
main
section.
I
think
I
wanted
a
second
set
of
eyes
on
another
thing
which
I'm
maybe
after
re-reading
and
reorganizing.
B
This
comment
might
be
a
little
like
I
already
kind
of
removed
a
bunch
of
stuff
from
here.
So
this
might
no
longer
be
valuable,
but
I
still
get
another
set
of
folks
to
just
kind
of
read
through
some
of
this,
which
is
just
hey.
Can
we
just
make
sure,
for
example,
that
we're
not
going
too
deep
in
the
weeds
with
some
of
the
stuff,
because
I
know
that
in
the
source
code
section
we
did
originally
have
some
stuff
talking
about.
B
You
know
making
sure
you
know
people
can't
force
push
and
certain
other
things.
It's
like
you
know.
What
put
that
you
know.
A
lot
of
that
sort
of
stuff
is
is
cited
in
the
software
is
stated
in
the
best
practices
paper
right
and
general
sort
of
you
know,
follow
general
sorts
of
best
practices
for
source
code
control,
we're
not
going
to
get
into
every
detail
on
on
what
you
should
be
doing
here.
So
that's
some
of
that.
B
I
cleaned
up
some
of
these
other
things
regarding
sort
of
where
I
feel
like
user
credentials
and
cryptographic
material
kind
of
were
taught
saying
the
same
thing
in
different
ways
where
we're
trying
you
know
and
to
be
clear,
I
think
they
were.
They
are
very
different,
but
I
think
the
way
that
they
were
worded
was
maybe
a
little
confusing.
So
I
I
did
clear
a
little
bit
of
that
up,
while
also
saying
follow.
You
know
this.
The
best
practices
paper
again,
the
cryptographic
material,
one-
is
something
that
actually
this
is
where
I.
B
This
section
up-
I
do
want
other
folks
to
kind
of
read
through
this
section,
but
I
do
think,
given
the
nature
of
how
identities,
and
what
and
and
a
lot
of
this
stuff
is
all
set
up
in
order
to
do
it
the
right
way
in
a
secure
software
factory
model
you
do
need,
we
might
need
to
get
into
those
details.
B
But
once
again,
I
want
to
defer
to
others
to
kind
of
provide
some
of
that
yeah
then
most
of
the
other
stuff
seemed
I
cleaned
up
a
little
bit
but
seemed
okay
public
signing
keys.
This
is
where
I,
you
know,
I'm
not
sure
how
we
want
to
state
this
does.
Are
we
sort
of
restating
what
we
have
up
here
in
the
cryptographic
material
stuff,
and
we
just
maybe
want
to
have
a
sentence
or
two?
I
don't
know.
B: And then I also created, just added two sentences based on Celeste's feedback, which is like, hey, I probably should have, what are you talking about in the functionality, and it's like, hey, this is what the actions that are taken during normal operation, but I...

B: Just put that, most of the other stuff in here I couldn't really think of much we might want to sort of remove from here, because this is where it does really talk about specific things. I added a couple of comments, like, for example, we use... as far as I can tell, we only really use hermetic here, whereas other places we're talking about network jail and we're talking about reproducible.

B: Do we want to maybe clarify a little bit, but once again that maybe is stuff that we can wait till after we release this document for broader community feedback? I don't think it's super important per se. Then finally, there's some other stuff in here we don't... we didn't really have a lot in the future work section. Do we just want to delete it?

B: I'm sort of leaning towards yes, that like there's enough stuff just now going on in the community, like outside of maybe a sentence or two just to say, hey, look, we expect this, you know, thing to evolve. Here are some groups like the CNCF, the OpenSSF,

B: maybe some other open groups, just to keep, be aware of, but beyond that it just seemed like there wasn't really anything going on in that section.
B
The
other
thing
is
from
what
celeste
had
mentioned,
which
I
I
agree
with
is
there's
a
lot
of
good
like
meat
on
like
specific
details
created
quite
succinctly.
It
feels
like
this
should
be.
Maybe
in
a
different
section-
I
don't
I
don't
know,
and
then
finally,
there
was
a
section
here
that
was
essentially
just
this
sort
of
table.
I
think
duplicated.
I
think
it
was
like
a
earlier
revision
of
that
table,
so
I
deleted
that.
B
And
then
here
I
I
don't
know
if
we
wanted
to
just
delete
this
image,
I'm
not
sure
where
it
was
supposed
to
live.
I
just
see
that
it's
it's
to
be
clear.
It's
a
good
image.
I
just
don't
know
like
based
on
now
how
the
document
is
sort
of
structured.
We
don't
really
even
talk
about
in
toto
too
much.
We
don't
even
talk
about
the
individual
tools
really
at
all
we're
talking
about
them
more
generically.
B
So
I
don't
know
if
we
want
to
kind
of
include
that
document
still
and
then.
Finally,
there
was
this
section,
which
still
seems
pretty
good,
as
in
the
appendix
as
like.
Hey
here
are
things
like
from,
like
almost
like
a
controls
perspective,
so
I
know
I
I
talked
through
a
whole
bunch
of
stuff,
but
just
wanted
to
just
go
through
all
the
stuff.
B
Over
the
past
few
days
I
kind
of
went
through
and
and
kind
of
cleaned
up
there
and
once
again
as
a
reminder,
this
is
mostly
to
kind
of
read
through
celeste
feedback.
You
know
she
was
like
hey
you
you're
at
50
pages,
at
probably
over
50
pages.
It
probably
makes
sense
to
be
no
more
than
you
know
about
25
pages
here.
I
think
we
cleaned
up
a
lot
of
content
that
we
actually
are
closer
to
25
pages
than
we
think
we
are
it's
just
that.
B
The
way
that
the
the
you
know,
the
the
page,
the
section
breaks
are
set
up.
There's
a
lot
of
content
in
here
that,
like
you
know,
there
would
used
to
be.
I
think,
a
few
more
paragraphs
here.
We
deleted
some
of
those-
I
think
you
know,
but
still
want
to
do
some
additional
cleanup
on
on
that
front,
while
still
be
providing
the
value
we
need.
B
Okay,
I
know
I
talked
a
lot
additional
thoughts.
Questions
concerns
anything
that
folks
think
I
deleted
that
should
not
have
been
deleted
or
things
that
folks
think.
Like
yeah
yeah,
we,
you
know
we
can
take
a
closer
look
at.
B: Cool, yeah, and just as a reminder, we are trying to kind of finish it up as much as possible, like other than, like, hey, a sentence here, a sentence there, by end of today, and I know a lot of people might be busy, but just want to make sure that we can get that second set of eyes on some of these things, and if, you know, I'm gonna once again do another pass again today on some of this. I think we might even, you know, once again, as sort of Andres mentioned last week,

B: you know, Celeste's feedback is just one piece of feedback, so what she was saying in there, like some of it, maybe we want to take with a grain of salt, some of it maybe was, you know, it is useful. So if we do think, like, you know what, yeah, we trimmed, you know, because we've already trimmed about, you know, 16 or 17 pages of this thing, you think, oh, you know, we, and 16 or 17 actual pages and then maybe another two or three pages of actual content that are

B: just in the section breaks, and we think, like, hey, we're at a good spot, or we only think another couple of pages could be cut out, I think I'm also okay with that, having reread it, because I think my rereading of it, it comes off significantly more... over the past like week or so it has become significantly more readable. It's clearer what we're trying to state, it's clear that the focus here is provenance, and then at the high level

B: here is the general tools we have and how they relate to establishing and tracing that provenance, and then in the final section, under the secure software factory components, but not the components, sorry, the actions, so under the stages and the actions, here's how we take those components, the inputs and the outputs, and tie them all together to do the right things to trace provenance.

B: That's, I think it's significantly in a much better place with the help of everybody else here in the group over the past couple of weeks.
B
So
ava
has
a
question
paper:
are
you
drawing
a
distinction
between
encryption,
signing
and
identity
trustworthiness
so
one?
Yes,
one
distinction
we're
making.
So
regarding
encryption,
signing
and
identity,
that's
where
I
do
want
folks
to
go
through
and
do
a
little
bit
of
a
second
pass,
just
to
make
sure
that
that
that's
clear
and
to
be
clear.
B
That's
where
you
know
that
I'm
not
an
expert
on
that
end,
so
I'm
gonna
refer
to
others
for
that,
but
as
far
as
trustworthiness,
the
areas
that
we're
trying
to
sort
of
following
a
couple
of
the
definition
trustworthiness,
the
idea
here
is
we're
using
trustworthiness
as
like.
If
you
look
at
some
of
the
nist
definitions
and
and
similar,
it's
it's
around,
hey
is
this
thing
fit
for
a
purpose?
B
Is
this
thing
doing
what
we
expect
it
to
do
and
that
kind
of
definition
so
on
that
trustworthiness
idea
the
the
idea
here
is
it's
like
a
combination
of
all
those
things
right.
We
can
validate
trustworthiness
through
a
bunch
of
different
things,
but
here
we're
trying
to
kind
of
be
clear
that
the
sorts
of
trustworthiness
elements
that
we
are
not
focused
on
is
we're
not
focused
on
stuff
that
is
covered
in
depth
in
other
areas.
B
But
we're
not
going
to
get
into
the
details
that
like
when
building
out
a
secure
software
factory,
you
should
make
sure
you
have
a
sas
scan
and
a
desk,
and
this
we're
trying
to
say:
hey.
Our
focus
is
around
providence
and
integrity
and
tying
all
those
pieces
together.
Ava
does
that
answer
your
question.
B
Oh
sure,
yeah
yeah
there's
a
couple
of
areas
so
the
the
areas
in
particular.
I
think
that
are
important.
Let
me
go
back
through.
B
So
I
think
it's
kind
of
and
to
be
clear,
some
of
these
sections
you
might
want
to
rename
but
like,
for
example,
user
credentials
and
cryptographic
material
is
some
areas
where
you
know,
there's
there's
to
be
clear.
I
I'm
not
saying
that
the
same
thing,
but
there's
there
is
some
overlap
and
we
might
want
to
sort
of
say
here's
where
that
overlap
is
here's
where
they're
distinct
in
this
thing
and
then
there's
also,
there
was
a
there
was
something
somewhere.
B
Be
under
admission,
oh
yeah
and
then
under
the
admission
controller
section
two
we
do
talk
a
little
bit
about.
I
think
admitting
that
only
things
that
were
with
the
right
identity
or
I
might
have
reworded
that
already.
A
A
Principles,
I'm
looking
for
here
is
that
trustworthiness
should
not
be
tied
to
knowing
the
identity,
but
rather
that
the
identity
is
trustworthy
via
some
proof.
B
Right,
yeah,
yeah,
and
so
that's,
I
think,
where
we're
trying
to
also
yeah
draw
the
distinction
a
little
bit,
and
maybe
we
could
be
a
bit
clearer
in
the
introduction
that
you
know
the
source
of
it.
Trustworthiness
we're
talking
about
is
around
verification
of
stuff
like
providence
and,
and
you
know,
and
trusting
of
that
providence.
So
as
in
like
did
the
did.
The
right
people
run
the
right
steps
in
the
right
order,
that
kind
of
thing
and
then
we're
trying
to
sort
of
we're
and
we're
trying
to
make
that
distinct
or
sorry.
B
No
we're
not
trying
to
yes
we're,
not
we're
not
trying
to
get
into
that.
A: Great, so the other thing that was on the screen a minute ago was talking about transmission of the root signing key, and maybe it's in a different section, but I'm concerned that framing the pipeline as dependent on using a root CA does not account for pipelines that use individually owned material like PGP keys or SSH keys to sign content. Yep.

B: So that might be one of my, I might have inherently deleted, like, let's say, something that clarified that, but so I agree with you on that, and we just need to be clear that, like, hey, you know, if you're using a root CA, make sure that you're, you know, and if you're doing another model, right, but either way, I think the thing that we're trying to also do is we're trying to also then point people to the best practices guides for the details on, of course.

A: Just, and one or more, yeah, we need to be mindful not to exclude models that are in widespread use today, and, you know, vetted by DoD and trusted from, from this, like people who have keys sign things.

B: Sure, and yeah.

A: Right there, Michael, yeah, and my point on that, when looking at it, was just to make sure that we link whatever the trust store is the users may have, however they're trusting things, whether it's PGP, SSH, X.509, however they're doing it, linking that to whatever key signed it, and so, if there is a key chain that you would have with that X.509, just to specify, hey, you know, the root might be sent separately, but the key chain itself is going to be needed in certain situations.
B: Any other questions, thoughts on that, or on any of the other sections that feel like either, maybe, you know, need to still be gone through with a fine-tooth comb and rewritten, or need to be cleaned up at all, other than obviously what we've already sort of commented on.

B: Right, so just, you know, as a reminder, I'm planning on sending this out to the CNCF for just sort of, once again, another sort of, like, you know, transforming it into sort of the actual document for broader release and then getting additional community feedback there.

B: So if there's any sort of big things, make sure they get done in the next few hours, because I know we kind of talked about last week, like today is sort of the day we wanted to make sure everything was done, at least for this thing, right. Obviously we're going to go back after getting community feedback and so on, and, you know, tweak some things and make sure that, you know, stuff is included.

B: Any other questions, comments, concerns? Otherwise we can end it, like, 20 minutes early, or, if folks wanted to stay on and say, hey, let's talk through this section or something, I'm also available to do that as well.

B: All right, so we'll call it 20 minutes early, and, you know, see all next week, and hopefully next week we'll be talking about new topics, or, you know, we'll be getting feedback from other folks.