►
From YouTube: CDF SIG Best Practices - Aug 22, 2022
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
B
What
not
a
huge
amount
to
report
this
week,
I
have
added
some
more
detail
into
the
views
and
viewpoints.
So
hopefully
we
can
start
to
progress
that
a
little
bit
further.
Let
me
just
cut
across
and
show
you
what
I've
been
working
on.
B
So
I
have
filled
in
some
details
around
ceo
and
cto
roles.
B
Marketing
director
and
a
number
of
other
things
like
product
manager,
delivery
manager,
pda
roles,
so
all
of
these
now
have
some
content
in
them.
So
we're
starting
to
build
up
a
picture
of
the
you
know,
key
roles
and
responsibilities.
B
Now,
obviously,
there's
still
quite
a
lot
of
gaps
in
here,
both
in
terms
of
things
that
have
yet
to
be
filled
out
and
also,
I
think,
we're
probably
missing
a
few
stakeholder
roles
in
here
still.
B
Now,
in
in
terms
of
other
activities
and
then
in
involvement,
it
might
help
to
understand
what
people
are
interested
in
and
where
you
feel
you
might
be
able
to
contribute
on
on
this
piece
of
work,
so
feel
free
to
jump
in,
and
let
me
know
your
feelings
on
that.
C
Sure
I
can
go
so,
for
my
end,
I
think
my
background
is
significantly
more
sort
of
hands-on
keyboard
technical.
C
So
when
it
comes
to
sort
of
the
some
of
those
things,
I
think
I
would
like
I'd
be
interested
in
kind
of
doing
a
little
bit
of
that,
but
also,
I
think,
there's
a
few
things
in
there
that
I
saw
that
might
be
useful,
because
I
also
have
a
background
in
working
at
a
lot
of
banks
and
so
no
understanding
sort
of
compliance.
Audit
legal
requirements
is
also
really
good
from
the
cd
sort
of
perspective,
and
then
you
know
my
other
thing
more
from
the
technical
side
is.
B
Okay,
that
sounds
good
and
you
know
to
reiterate
what
we're
doing
here.
B
You
know:
we've
we've
had
a
lot
of
focus
on
the
on
the
pipeline
end
of
of
continuous
delivery,
but
but
actually
it's
really
important
to
know
what
you
should
be
putting
in
your
pipelines
and
so
having
that
understanding
at
an
organizational
level
makes
it
much
much
easier
to
have
conversations
about
continuous
delivery
in
the
context
of
a
business
and
be
able
to
show
where
it
adds
value
outside
of
just
the
engineering
team.
C
Yeah
agreed
on
that
that's
actually
separately,
something
that
that
also
very,
very
interested
in
is
like
that
sort
of
end-to-end
software
delivery,
life
cycle,
piece
of
that
sort
of
thing
of
like
what
goes
in
what
comes
out
and
not
just
purely
the
the
technical
side
of
it,
but
also
like.
Where
are
those
decisions
getting
logged,
and
you
know
like
the
thing
that
you
want
to
make
sure
of
right
is
just
as
an
example.
C
Nothing
with
a
an
incorrect
license
should
be
allowed
in
in
the
first
place
before
you
get.
You
know
like,
which
is
one
of
the
problems
right
is,
is
working
at
a
several
banks
that
sort
of
thing
gets
caught.
You
know
two
days
before
production,
you
go,
oh
wait,
there's
there's
some!
This
should
have
been
caught
earlier.
B
That
goes
into
a
aligning
the
market
positioning
of
a
suite
of
products
and
making
sure
that
you've
got
consistent
messaging
and
that
you're
using
terminology
in
the
same
way
that
your
branding
is
consistent
and
all
those
pieces
that
are
invisible
from
the
inside
but
actually
span
across
all
the
product
teams
at
a
higher
level
and
there's
a
bunch
of
that
which
it
it
can
be
included
in
the
governance
processes
of
your
continuous
delivery
approach.
B
So
this
is
the
the
first
cut
across
this
reference
architecture,
and
this
part
is
just
about
establishing
who
are
the
players
in
any
given
organization
in
in
terms
of
needing
a
stake
in
that
delivery
process
on
what
are
their
views
and
viewpoints?
How
how
are
they
seeing
the
problem
what's
important
to
them,
because
when
we
move
on
to
the
next
step,
we're
going
to
be
looking
at
their
individual
concerns
and
how
those
need
to
play
into
the
automation
that
we
start
to
build
in
order
to
get
a
successful,
overarching
process.
B
So,
michael
is:
is
there
anything
in
in
that
list
of
users
and
viewpoints
that
you
feel
you
you'd
be
comfortable
to
to
fill
out,
given
the
the
sort
of
reference
examples
that
we've
now
got
for
some
of
the
other
ones.
B
Yeah,
so
if,
if
you
were
going
to
pick
one
or
two
of
those
views
and
viewpoints
pages
to
actually
fill
out,
what
would
you
feel
comfortable
working
on.
C
So
I
could
probably
do
auditor
and
security
engineer
or
actually
security
engineer
already
done.
Oh
yeah,
so
auditor
and
security
engineer,
probably
the
two
that
I
could
probably
do:
okay,
great.
B
Yeah
feel
free
to
have
a
stab
at
those.
If
you,
if
you
read
through
the
other
ones,
you'll
see
I've,
I've
taken
a
sort
of
style
for
structuring
them,
so
the
the
first
part
is
a
sort
of
third-party
description
of
what
the
viewpoint
is,
you
know,
what
does
this
general
rule
do
and
then
the
second
part
is
written
from
the
perspective
of
the
person.
B
B
Okay,
well
happy
for
you
to
have
a
stab
at
those
you
can
you
can
clone
the
branch
and
put
a
pr
or
you
can
just
send
me
copies
of
the
documents.
If
you
don't
want
to
go
through
the
hoops
of
managing
that
way
and
I'll
add
them
in.
C
Cool
yeah,
no,
no
I'll
I'll!
I'm
going
to
fork
it
right
now
and
take
a
look
a
little
bit
later.
B
Okay,
anyone
else
interested
in
either
contributing
or
just
giving
us
a
feel
for
what
what
your
interests
are
and
what
you'd
like
to
see.
B
Okay,
no
volunteers,
all
right!
Well,
I
don't
have
anything
else
to
particularly
discuss
today.
So
does
anyone
else
have
anything
they
they
want
to
get
on
the
agenda.
C
So
not
for
this
week,
but
in
the
in
the
coming
weeks.
I
think
one
of
the
things
that
we
want
to
oh
yeah.
So
actually
I
can
talk
talk
about
the
thing
that
real
quickly
that
kara
just
posted
in
chat,
so
tim,
who
was
one
of
my
colleagues,
so
we
for
for
lance
for
the
issue.
243
one
of
the
things
was.
C
It
was
unclear
where
abstractions
falls
under
some
of
the
best
practices
and
some
of
these
other
things
that
are
kind
of
coming
out
right.
So
there
was
a
blog
article
by.
C
Let
me
remember
who
it
was
that's
on
the
cd
foundation
by
justin
from
ebay
regarding
sort
of
intent,
based
pipelines,
there's
some
stuff,
that's
sort
of
coming
out
like
there's
a
tool
from
openssf
which
the
disclosure
I'm
a
lead
on
called
fresca,
which
sort
of
takes
tekton
and
all
these
other
tools
and
sort
of
builds,
an
abstraction,
that's
sort
of
saying:
hey:
here's
how
this
is
techton,
here's
all
these
things
and
then
here's
a
way
that
you
can
only
run
it
securely
like
it
doesn't.
C
Let
you
do
the
bad
thing
and
there's
stuff
like
dagger
io,
there's
things
that
are
kind
of
coming
out,
there's
like
one
or
two
other
ones
that
I
saw
that
are
similar
to
sort
of
like
dagger,
which
is
trying
to
say
oh
ploy,
ghost
from
red
hat,
which
sort
of
says
you
could
use
jenkins.
You
could
use
tekton
whatever,
but
here's
a
higher
level
abstraction
that
generates
those
ci
tools
and
also
tries
to
do
that.
C
Sdlc
kind
of
thing
like
what
you're
sort
of
describing
here
is,
you
know,
here's
the
best
practices
and
how
do
we
codify
that,
as
essentially
an
abstraction,
so
whether
it's
people
or
people
process
or
literal
automation?
For
that
thing,
how
can
folks
like
what
does
that
look
like
from
the
cd
foundation
perspective?
Just
to
give
you
the
summary.
A
Thank
you,
michael.
That
is
really
helpful.
Do
you
mind
putting
the
name
of
the
other
tool
that
you
mentioned
the
red
hat
tool,
because
I'm
not
familiar
with
it
either
in
this
chat
or
on
that
that
issue
just
so,
I
can
keep
sure.
C
A
Do
it
both
okay,
thank
you
and
then
how
do
you
think
sort
of
hijacking
this
right
now,
but
since,
since
you've
been
so
cooperative
to
to
talk
more
about
it,
how
do
you
think
this
should
sort
of
be
encompassed
all
these
new
tools
that
are
coming
out
that
are
really
interesting?
We
should
have
them
on
the
landscape
like
how
how
best
to
place
that.
C
I'm
not
sure,
that's
that's.
One
of
the
reasons
why
we
wanted
to
reach
out
regarding
this
is
it's
almost
like
some
folks
are
looking
at
codifying
the
software
delivery
lifecycle
as
itself
sort
of
an
abstraction
you
can
imagine
like
similar
to
if
you,
if
you've
ever
used
tools
like
servicenow
right
servicenow
lets
you
sort
of
develop
a
workflow
for
when
you
know
somebody
when
a
new
project
gets
spun
up.
C
These
are
the
things
that
happen
and
they
get
you
know
a
budget
and
they
get
a
naming
scheme
and
all
that
great
stuff
and
then,
when
they
go
into
get
ready
to
do
development,
you
know
they
automatically
get
like
a
github
or
whatever,
like
you
know,
code
repositories
and
then
when
they
go
to
deploy
to
staging.
This
is
what
that
looks
like
and
so
on
and
so
forth,
and
some
of
the
things
that
are
starting
to
kind
of
come
out
of
this
is
how
do
we,
like
you
know?
C
Traditionally,
if
you
look
at
places
that
that
has
been
very
important,
so
in
regulated
industries
like
banking,
energy,
etc,
that
sort
of
process
is
often
very
much.
It's
a
lot
of
people,
a
lot
of
emails,
even
with
stuff
like
service.
C
Now
it's
still
like
somebody
clicks
a
button
to
approve
and
yaya,
but
what's
kind
of
coming
out
of
this
and
what's
coming
out
of
stuff
like
ploy
ghosts
what's
coming
out
of
stuff
like
fresca,
is
some
additional
sorts
of
tools
that
are
are
trying
to
say
what,
if
we
codified
all
this
based
on
some
of
these
new
things
that
are
coming
out
like
salsa
attestation.
C
So
what,
if
you
just
sort
of
said,
ncd
events
and
some
of
these
other
things
like
what,
if
you
said
well,
if
I
have
a
salsa
at
a
station
and
I
haven't
assigned
s-bomb-
and
I
have
these
other
metadata
things-
I
have
a
security
scan.
C
What,
if
you
just
sort
of
said
great,
it
checks
all
the
boxes
you
get
to
go
into
production
or
it
checks
all
the
boxes
which
allows
somebody
to
actually
click
the
button
to
send
it
to
production.
Those
sorts
of
things
of
like
codifying
that
at
some
level
is,
is
kind
of
where
that's
starting
to
to
go
and
I'm
not
sure
what
we're
calling
that.
But
that's
kind
of
the
way
that
we've
been
seeing
people
push.
B
Yeah-
and
I
I
think
this
is
quite
an
interesting
area
for
discussion,
because
it
it
really
touches
on
the
big
differences
between
the
cultures
of
the
two
different
types
of
organizations.
So
obviously
the
continuous
delivery
methodology
comes
from
that
lean
startup
model,
which
is
all
about
optimizing.
The
pace
at
which
you
can
do
experiments
in
real
world
environments.
B
Whereas
the
traditional
governance
processes
come
from
a
very
risk-averse
view
of
the
world
where
everything
is
forbidden,
unless
it's
explicitly
mandated
and
there's
not
necessarily
a
good
fit
of
continuous
delivery
to
the
latter
culture,
so
the
the
challenge
in
practice
is
that
most
of
the
benefits
of
continuous
delivery
come
from
the
overarching
business
methodology
that
allows
you
to
move
very
quickly.
B
So
it's
a
case
of
saying
we
expect
everything
to
blow
up
and
we
are
able
to
react
to
that
instantly.
Roll
something
back,
get
a
fix
in
place
and
roll
that
out
again
in
a
matter
of
hours
and
therefore
our
overall
business
exposure
is
actually
lower
than
in
a
situation
where
we've
been
very
risk-averse.
It
takes
us
six
months
to
deploy
something,
and
then
we
still
encounter
something
we
didn't
expect,
and
now
it's
going
to
take
us
a
year
to
get
a
fix
in
place
to
react
to
it.
B
So
I
I
think
there
is
certainly
more
to
be
done
within
the
best
practices
documentation
to
to
really
get
that
message
across
that
you
are
looking
at
two
opposite
positions
on
a
continuum,
and
whilst
there
is
some
wiggle
room
at
both
ends
of
that
continuum,
it's
very
hard
to
sit
in
the
middle
and-
and
so
there
is
a
significant
risk
of
trying
to
do
part
of
this
without
bringing
all
of
the
culture
that
comes
with
it.
C
Yeah
yeah,
that's
that
that
all
makes
sense
to
me.
I
I,
I
think,
that's
the
thing
that
we're
trying
to
also
get
across,
and
it's
something
that's
that's
coming
also
out
of,
I
think
a
little
bit
of
the
like
this.
This
space,
which
is
just
like
you're
you're,
also
starting
to
apply
zero
trust
rules
to
your
entire
sdlc.
C
Where
you're
saying
before
you,
you
were
doing
a
lot
of
just
different
things,
a
lot
of
very
risk-averse
things,
but
now
you're,
saying
hey,
you
can
actually
get
a
lot
of
lift
by
saying
who
is
who
is
actually
responsible
for
what
what
are
their?
You
know
what
we
trust
them
to
do
in
what
contexts
and
so
on.
To
then
be
able
to
sort
of
say
here
is
here's
how
we
can
safely
deliver
stuff?
B
Yeah
and
and
the
thing
that
we
need
to
keep
in
mind-
is
that
as
we're
trying
to
implement
that
it
needs
to
be
done
in
a
way
that
is
still
facilitating
the
very
rapid
experimentation
process
that
the
methodology
is
is
built
upon.
B
Because
if,
if
you
segment
too
much,
then
you're
going
back
to
a
situation
where
you
need
a
different
team
for
every
function.
Each
team
has
its
own
set
of
roles
and
then
suddenly
you're
back
into
dependency
management.
Hell
again,
because
you
you've
got
lots
of
teams
working
in
isolation
and
you
no
longer
have
a
product
team.
C
So
I
think
that
was
the
just
to
tie
that
back
yeah.
So
I
think
that's
the
majority
of
the
stuff
from
from
the
landscaping
side
is
just
like
hey
as
we
build
out
the
best
practices.
I
think
it's
it's
like
some
of
what
we
you
know
even
just
sort
of
looking
at
the
organization.
It's
like
how
do
you
you
know?
How
does
one
begin
to
like
look?
You
know
once
we
figure
that
sort
of
stuff
out.
C
The
deploy
ghost
one
in
in
in
particular
is
one
that
is
trying
to
say
hey.
I
can
say
that
any
piece
of
software
should
have
these
checks
by
these
people
in
these
order
and
and
so
on,.
B
You
are
splitting
the
world
up
into
the
development
team
and
everyone
else
and
the
development
team
is
saying
this
is
ready
to
go
and
everyone
else
is
saying:
no
isn't
because
we
haven't
even
looked
at
it
yet,
and
so
you
you
get
this
problem
that
there's
a
team.
That's
been
working
on
this
for
x
amount
of
time
and
nobody
else
has
been
paying
any
attention
and
then
you
want
to
put
it
live
and
then
suddenly
a
lot
of
people
will
say
no
not
until
we've,
given
it
some
attention.
B
B
Assuming
you've
been
engaged
at
the
right
points
in
the
process
early
on
and
have
validated
that
the
automated
testing
that
goes
goes
on
meets
your
needs
from
from
that
perspective,
there's
about
making
people
do
the
work
up
front
and
having
the
go
live,
be
a
fixed
point
in
time
that
that
people
don't
get
to
extend
beyond.
C
C
Yeah,
that
makes
sense
yeah.
C
I
think
the
only
other
thing
I
was
going
to
just
sort
of
add
is
for
for
fresco,
which
is
the
open
ssf
tool
is
we
are
trying
to
kind
of
take
a
piece
of
that
and
put
that
into
the
actual,
like
from
a
technical
perspective
and
we're
trying
to
be
very
broad
right
now,
because
we
are,
we
are
sort
of
looking
to
see
what
comes
out
of
a
combination
of
best
practices,
the
cd
events,
some
of
the
other
things
that
are
coming
out
of
this
supply
chain
stuff
from
from
cd.
C
We
want
to
see
what
comes
out
of
there,
but
the
thing
that
we
we
are
looking
to
do
is
we
already
have
some
mechanisms
to
help
enable
folks
to
assuming
they
can
take
that
approach
with
their
organization
right
of
of
sort
of
abstracting
that
stuff
and
taking
kind
of
that
like
it
reminds
me
a
lot
of
what
you
described
reminds
me
a
lot
of
at
least
reading
through
some
of
the
google
sre
book,
and
some
of
these
other
things
of
like
how
google
approaches
this
problem
of
it
being
a
lot
of
that
like
zero
trust
of
like
hey.
C
These
are
the
people
who
are
authorized
to
do
certain
things.
I
don't
you
know
it's
the
way
that
risk
calculations
are.
You
know,
done
a
little
bit
differently
where
it's
it's.
It
is
more
of
that.
C
I
I
it's
it's
significantly
more
of
a
like
it's
less
of
the
like
complete
risk,
averse
like
no.
No,
we
can't
have
anything
it's
more
of
like
no,
no
well,
let's
look
at
what
we're
trying
to
protect.
This
is
what
we're
trying
to
protect.
So
this
means
well,
if
it
costs
more
to
protect
that
thing
than
it
does,
of
the
the
cost
of
losing.
That
thing
like.
C
Are
we
really
actually
gaining
anything
in
in
stuff
along
those
lines
and
because,
like
the
things
that
we're
looking
to
sort
of
do
there
right
is,
is
make
sure
that
you
know
as
we
pull
in
software,
like
you
can
sort
of,
say,
here's
the
policy
for
pulling
in
software.
Here's
the
policy
for
licensing,
here's
the
policy
for
all
these
different
pieces,
and
so
at
the
end
of
the
build
you
also
get
some
additional
sort
of
checks,
like
the
inputs
of
the
build,
are
all
those
things.
B
B
Okay,
well,
I
think
we
can
certainly
do
more.
Some
of
that
is
going
to
come
out
naturally
as
part
of
the
next
few
stages
of
this
process.
Once
we
get
through
this
phase
and
we've
got
the
the
basic
details
there,
you
know
the
the
first
part
of
this.
C
Yeah
and
I
think
also
along
along
those
lines,
so
one
of
the
things
that's
coming
out
of
the
open
ssfs.
What
do
they
call
it
their?
Is
it
their
road
map
like
it's
there?
C
They
have
a
bunch
of
things
that
they're
trying
to
kind
of
hit
with
for
for
just
open
source
security,
and
one
of
the
things
I
think
we're
also
looking
at
is:
how
can
we
better
collaborate
with
the
other
linux
foundation
groups
like
the
cd
foundation,
to
say,
for
example,
if
we
take
that
reference
architecture,
that's
coming
out
of
that
way.
C
If
we
take
sort
of
the
the
cloud
native
build
practices
that
are
coming
out
of
the
cncf,
all
these
things
combine
them
into
something
that
then
the
open
ssf
can
start
to
really
push
for
others
to
really
start
to
address,
and
even
maybe
show
like
from
the
open
source
perspective
like
hey,
like
a
lot
of
what
you're
describing
makes
sense
for
also,
you
know
companies
of
any
size
right.
You
know,
smaller
companies
are
gonna
apply.
C
It
may
be
slightly
different
than
larger
companies,
but
I
think
one
of
the
other
things
that
that
folks
are
starting
to
ask
is
hey.
How
does
this
start
to
apply
to
open
source
projects
as
well,
and
that
maybe
don't
have
those
same
sorts
of
resources
and
potentially
can
the
open
ssf
come
in
and
say
well,
we'll
help
run
almost
like
a
sdlc
for
you
like
we'll
provide
resources
for
the
licensing
sorts
of
stuff,
we'll
provide
the
you
know
some
of
the
stuff
from
the
perspective
of
what
was
it?
C
What
was
the
other
thing
like
some
of
the
other
things
that
you
sort
of
listed
out
right,
like
security,
engineering
or
or
some
of
the
other
roles
there,
as
well
as
just
generally
like
the
stuff
that
isn't
you
know,
I
guess
open
source
sometimes
gets
a
bad
rep.
That
is
just
oh,
it's
only
hands
on
keyboard
and
how
do
we
make
sure
that
folks
also
recognize?
No,
no
we're
looking
at
this?
C
Also
from
the
perspective
of
how
do
we
enable
open
source
to
be
able
to
do
those
things
that
make
people
feel
more
comfortable
with
using
open
source
because
they
feel,
like
you
know,
it's
not
just
one
person
in
a
basement
somewhere,
writing
some
code
and
now
lots
of
people
you
know
rely
on
it.
Yeah.
B
But
that's
not
what
continuous
delivery
is
all
about.
Continuous
delivery
is
about
optimizing.
The
ability
of
an
organization
to
address
its
customers
needs
driven
by
the
customer,
not
by
the
organization,
so
so
that
there
tends
to
be
a
lot
of
anti
patterns
in
open
source
projects
that
don't
align
to
the
behaviors
that
you
should
be
doing
if
you're
actually
doing
continuous
delivery.
C
Yeah
that
I
think
that
so
that
actually
answers
a
lot
of
questions,
and
I
think
that
that's
actually
a
really
that's
a
really
really
really
good
point.
I
think
that
there's
there's
potentially
some
areas
where
I
do
think
the
linux
foundation
is
trying
to
take
a
little
bit
more
of
that
approach
where
they
are
trying
to
say,
hey
look.
C
How
do
we
become
a
bit
more
customer
focused
as
in
like
just
the
end
users
of
let's
say
kubernetes
or
something
like
that,
but
I
agree
with
you
that,
generally
that
that
does
not
fit.
For
you
know
the
hey,
I
I
wrote
a
little
library
for
myself
and
somebody
you
know,
and
now
it's
being
used
by
people
so
anyway,
thanks
for
that.
B
And
I
you
know,
that's
part
of
what
we're
looking
at
doing
now
within
the
cdf
is
taking
more
of
a
view
on
you
know
who
are
the
actual
customers
for
continuous
delivery
and
and
how
do
we
use
those
principles
to
improve
what
we
do
in
addressing
those
customer
needs?
B
So
it's
it's
becoming
much
more
a
case
of
applying
that
methodology
to
everything
the
foundation
is
doing
to
to
get
much
more
focused
on
what
the
customers
need
from
continuous
delivery,
and
I
think
that
opens
up
a
new
way
of
looking
at
open
source
in
that
it
provides
a
different
sort
of
demand
signal
for
open
source
projects,
because
it
it
says
you
know
here-
are
real
customers
with
real
problems,
and
those
customers
may
prefer
an
open
solution,
that's
built
to
standards
and
is
widely
adopted
rather
than
building
a
bespoke
solution,
so
they're
potentially
willing
to
fund
the
development
of
open
source
projects
as
a
way
of
getting
access
to
to
those
capabilities
in
the
form
of
tools.
B
B
A
Yeah,
I
think
that's
what
you're
saying
terrorist,
or
is
it
right
that
this
means
there
is
very
hard
to
make
one
one
solution
and
each
because
each
customer
will
have
big
yet
various
parts
in
their
technical
maturity,
and
so
it's
kind
of
very
hard
to
make
one
recipe
and
the
job
becomes
much
more
a
job
where
you
actually
need
to
go
in
and
talk
to
the
customer
understand
what
they're
doing
what
are
their
goals
and
all
this
before
you
try
to
give
them
a
tool.
B
C
Yeah,
I
really
like
what
you
said
there.
We
need
to
build
tools
that
are
teaching
systems
right.
It's
it's!
I
think.
That's
that's
really
important,
because
I
know
you
know
my
background.
Right
is
mostly
in
sort
of
the
hands-on
keyboard,
ci
cd
stuff,
with
like
inside
of
systems
like
jenkins,
tecton,
etc,
and
one
of
the
problems
is,
is
without
the
right
sorts
of
guardrails
around
some
of
that
sort
of
stuff.
It's
like.
C
Yes,
you
might
be
using
a
ci
or
cd
tool,
but
you're
not
actually
following
ci
or
cd
practices
and
you're,
not
you
know
doing
all
the
right
things
to
actually
get
you
the
benefits
out
of
them.
You
know,
and
it's
it's
like
you
need
those
guard
rails
to
help.
C
You
stay
focused
around
those
sorts
of
things,
while
still,
I
think,
allowing
the
flexibility
at
the
organizational
level
right,
because
every
organization
is
going
to
have
its
own
approaches
to
how
it
wants
to
deliver
products,
and
if
you
restrict
it
in
a
way
that
doesn't
allow
them
to
deliver
the
product
products
in
a
way
that
they
want
to
write,
while
still
following
those
rules,
they're
just
going
to
figure
out
a
way
to
work
around
it.
C
B
And
I
think
that's
where
something
like
jenkins
x
is
actually
quite
successful,
because
it's
easy
to
set
up
an
out
of
the
box
solution
and
and
use
quick
starts
to
build
projects
that
already
have
all
the
bits
in
place
that
you
need
and
then
you're,
starting
from
a
known
good
position
and
modifying
things
to
to
work
outwards
towards
where
you
need
to
be
and-
and
I
think
that
that
sort
of
on
rails
approach
is
very
valuable
when
you're
moving
into
an
area
where
there's
significant
conceptual
change
and
and
you
the
learning
curve,
is
pretty
much
vertical.
B
A
And
that's
definitely
true,
and
also
the
because
what
you
see
or
what
I
have
seen
is
that
the
difficulty
can
be
to
to
make
sure
that
they
are
actually
testing
things
properly.
They're
testing
the
correct
things
that
you
get
people
involved
that
need
to
need
to
make
their
say
on.
B
But
if
we
can
make
those
tools
align
to
the
patterns
and
get
some
interoperability
between
the
you
know,
the
naming
standards
and
the
approaches
at
some
level,
then
we're
we're
doing
a
lot
for
the
overall
cause
of
continuous
delivery
as
a
methodology,
but
still
giving
people
a
lot
of
freedom
to
to
take
a
set
of
tools
and
shape
them
to
exactly
what
they
need
from
them.
B
B
It's
machine
learning
its
semiconductors,
its
physical
hardware,
and
so,
if,
if
you
are
going
to
have
a
proper,
continuous
delivery
tool
set,
that
needs
to
be
able
to
treat
software
assets,
machine
learning
assets
and
the
semiconductor
assets
as
the
same
thing,
they
all
need
to
be
part
of
a
unified
product
delivery
process,
and
you
need
to
be
able
to
combine
all
those
assets
interlinked
into
a
defined
product
release.
B
And
certainly,
if
you
look
at
what's
going
on
in
some
of
the
larger
organizations,
especially
places
like
apple,
where
your
your
product
is
a
a
physical
object
with
a
huge
amount
of
software
behind
it,
you
need
to
very
closely
tie
those
things
together,
because
if,
if
you
allow
them
to
drift
too
far
apart,
you
you
end
up
with
something
that
looks
like
it's
very
unstable
and
unreliable
and
and
part
of
that
commercial
advantage.
That
apple
have
is
that
they're
extremely
good
at
managing
their
supply
chain
in
both
the
physical
and
the
software
space?
A
Some
of
the
comments
that
were
said
earlier
from
the
cf
perspective
security
is
very
important,
so
and
and
across
the
board,
for
enterprise
and
and
also
open
source
projects.
So
we
don't
think
that
you
know
like
from
how
we're
beginning
to
think
about
it.
It's
not
just
cd
is
not
just
primarily
concerned
with
the
door
metrics,
but
also
security
being
vital
and
that
maybe
for
open
source
projects,
the
door
metrics
are
less
relevant,
but
security
certainly
is
so
that's,
maybe
an
overlap.
A
A
very
strong
overlap
between
open
source
and
enterprise
products
that
concern
with
security.
B
So
does
anyone
else
have
anything
they
want
to
bring
up
that
in
the
last
few
minutes,.
C
So
no,
the
only
thing
I
was
just
gonna
sort
of
say
was
yeah,
I'm
gonna.
I
will
probably
open
up
a
pr
to
your
branch
with
some
stuff
regarding
audit
and
security
engineering
right.
Thank
you.
B
Okay
right
well,
thanks
everyone
that
was
another
useful
session,
and
I
look
forward
to
seeing
some
contributions
into
into
the
documentation
part.