►
From YouTube: CDF SIG Events - Feb 27, 2023
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
A
B
B
B
D
A
A
You
know
when
we
looked
at
what
happens
in
other
groups,
I
thought
it
could
be
so
it's
a
book,
then
I
will
just
mention
the
city
of
awards,
so
I
assume
you're
all
aware
of
it,
but
just
a
reminder
there
to
nominate
people
and
then
some
adults,
upcoming
conferences,
and
here
we
have
jalander
as
well
connected.
A
F
A
That
different
Zoom
different
Zoom
meetings,
yeah
now,
okay,
so
please
sign
up
on
the
on
the
minutes.
No
action
items,
as
we
noted
from
last
week
last
meeting
two
weeks
ago,
one
mistake
but
from
other
groups
I
can
mention
in
the
City
events
work
group.
You
have
been
there
most
of
you
in
different
meetings.
A
A
A
Yeah
and
the
focus
on
the
first
one
will
be
on
the
incident
events
which
there
is
a
PR
for
which
is
well
not
done,
but
but
doesn't
lack
too
much.
I
would
say
so.
I
think
it
could
be
quite
soon
emerged
and
then
the
focus
for
the
coming
release.
After
that
there
would
be
about
connected
events
and
hopefully
supply
chain
events.
If
we
have
anything
there
and
I
guess
we
will
come
back
to
that
soon.
A
In
this
meeting
from
other
groups,
I
don't
know
if
there
is
much
to
say
from
the
TLC
group
that
is
valuable
to
us.
We
can
fill
in
patio
Andrea
if
you
have
anything
otherwise
I
think
we
can
yeah.
E
No,
maybe
you
just
quickly
that
we
have
like
project
presentation
to
let
you
see
scheduled.
So
there
is
a
table
in
the
DSC
meeting
notes
for
projects
to
present
and
a
status
update
to
the
TOC
and
I.
Think
there
is
a
the
first
presentation
was
in
in
December
By
Me
on
City
events,
and
there
is
one
scheduled
by
uml
I
believe
in
August.
Is
it.
A
Yeah
so
I
feel
like
I
can
share
that
response
here
as
well.
If
you're
interested
oops.
A
A
Since
we
are
some
more
event
oriented
people
here,
there
are
no
breath.
If
you
want
to.
C
B
So
for
the
supply
chain,
we
we
were
talking
about
how
we
can
contribute
the
CD
events
without
a
lot
of
overlap.
Right.
We
don't
want
to
go,
do
the
same
thing
you
guys
are
doing
over
in
the
other
Sig.
It
doesn't
make
any
sense,
but
we
want
to
be
able
to
contribute.
So
we
talked
about
that.
We
could
probably
contribute
types
of
events
and
descriptions
of
the
data
that
we
would
like
to
see
in
the
events,
and
a
couple
of
things
that
came
up
was
like.
B
We
talked
about
tracking
the
creation
of
s-bombs
as
an
event,
and
then
you
know
we
talked
about,
should
we
discover
cdes
as
events
and
then
what
we
would
do
is
is
that
we
would
describe
what
we
wanted.
What
these
events
should
look
like,
and
then
we
would
bring
them
back
to
the
city
events
group
and
let
them
help.
You
know,
flesh
out
what
that
data.
You
know
what
that
structure
looks
like
and
how
we
represent.
B
That,
obviously
you
know,
s-bombs
are,
can
be
huge
and
in
my
mind
you
want
the
events
to
have
just
enough
information,
so
you
can
go
find
the
reference
material.
So
in
you
know
like
the
way
we
do
it
here
at
SAS.
Now
is
we
we
audit
the
s-bomb
and
then
we
audit
the
s-bomb,
and
then
we
put
a
link
to
the
s-bomb.
So
there's
a
smaller
section
of
data
about
the
ashcom
to
describe
it
so
that
you
can
make
a
decision
on
whether
you
need
to
pull
it
or
not.
B
That
type
of
thing
we
do
the
same
thing
with
security
events,
so.
B
The
so
like
under
cves,
we
would,
when
we
run
a
scan.
We
are
now
auditing
the
scans,
so
we
get
an
event
to
the
scan
ran
and
then
that
event
triggers
the
audit
to
go
and.
B
B
B
Especially
when
we
get
around
sign
Providence-
and
you
know
we
start
getting
to
that
salsa
agenda-
there's
probably
some
stuff
to
be
done
around
you
know-
did
we
generate
sign
Providence
for
where
this
particular
you.
B
Yeah
yeah
we're
waiting
on
the
government
in
here
in
the
U.S
I
have
to
remember.
You
guys
are
all
over
the
place
here
in
the
US,
we're
waiting
on
the
government
to
give
us
the
minimum
standard
for
attestations.
They
were
supposed
to
have
them
in
January.
B
B
I,
don't
know
yet
because
they
haven't
given
us
yeah
because
they
haven't
given
us
the
minimum.
Okay.
A
B
So
if
you
go
with
signed
Providence
from
then
say
we
use
in
Toto's
standard
right.
It's
pretty
in-depth.
You
know,
you've
got
the
materials.
The
environment,
oh
God,
don't
need
to
go
back
to
my
presentation,
there's
four
things
that
they're
concerned
about
recording
information
about
in
the
signed
provenance,
and
then
you
you
know,
of
course
you
sign
it.
B
Will
a
natural
station
I,
don't
know
what
we're
gonna
be
required
here
in
the
US,
yet
so
yeah
be
interesting
to
figure
it
out,
like
the
customer,
so,
like
a
customer
probably
doesn't
need
to
know
the
commands
I
use
to
create
the
binary,
but
the
sign
Providence
should
have
the
commands
in
it,
so
that
when
we
try
to
do
the
reproducible
build,
we
pull
the
sign
provenance.
We
make
sure
that
we're
not
running
commands
that
don't
belong
right.
B
So
if
Iran
make
make
install
and
then
the
system
tries
to
run,
make
make
Foo
make
installed
and
I
come
to
a
hard
stop
right
in
in
the
process
and
throw
up
my
hands
with
a
flag
attestation
would
be.
You
know,
I've
got
this
document
that
says
this
binary.
Has
this
shot
some
and
I'm
attesting
to
the
fact
that
we
created
this
in
a
you
know:
hermetic
build
environment.
B
A
So
you
said
you
used
such
already
some
references
of
those
kinds
in
your
systems
today.
How
is
that?
How
is
that
timing?
That's
this
so.
B
So
we've
got
the
Avengers,
so
we've
got
an
event
driven
system.
That
is,
you
know.
Still
it's
still
proprietary
I
haven't
been
able
to
open
source
the
pieces
of
it.
I
need
to
open
source
yet,
but
basically
our
we.
We
throw
Json
on
a
capital,
bus
and
consume
it,
but
the
the
message
you
put
on
the
capital
bus
is
small
and
it
has
a
reference
back
to
what
we
call
a
receipt
which
is
in
a
database
with
a
draft
ql
front,
end
and
a
rest
run
in
and
then
so.
B
In
the
in
the
message
we
have
an
ID.
You
know
a
u-lit
that
lets
us
go
grab
that
receipt
out
of
the
database
and
so
and
then
go
comb
through
that
for
more
information
right
and
then
there's
an
envelope
on
the
front.
That
gives
you
a
way
to
tie
several
of
these
receipts
together.
So
we
call
it
an
nvrpp,
which
is
the
name
version,
release,
platform,
ID
and
package
right
and
those
five
things
are
used
to
track
every
event
that
happens
right
and
then
inside
of
that,
along
with
the
mbrp
there's
some
other.
B
You
know
creation
date
and
some
timestamp
info
and
then
there's
a
custom
payload
section
for
the
receipt
and
in
the
payload
section
we
have
a
cnab
bundle
right,
and
this
is
because
before
I
knew,
you
guys
were
working
on
this
and
then
so
we
did
the
cnap
bundle
and
then,
inside
of
this
evening,
there's
a
custom
section
that
you
can
put
all
kinds
of
random
data
in
the
idea
was
we
were
going
to
Leverage,
The,
cnap,
tooling,
to
help
replay
events
and
that
turned
out
to
be
a
ambitious
goal.
B
So
if
I'm,
if
I
ever
get
a
chance,
if
I
ever
have
to
get
decide
to
redesign
the
message
system,
you
know
I'll
just
adopt
this
cdfs
effect
that
we
are
working
on.
One
of
the
limits
we
had
was
that
our
internal
capital
defaulted
to
only
a
one
megabyte
message.
So
I
couldn't
put
everything
on
the
bus
right,
so
we,
but
then
we
put
a
one
megabyte
limit
on
our
receipts,
so
that
I
could
stream
the
receipts
onto
another
topic
so
that
they
could
be
ingested
into
a
data
Lake.
B
B
So,
but
now
we've
got
a
cloud
instance
of
Kafka
as
well
as
the
on-prem,
and
the
cloud
instance
can
handle
five
megabyte
messages
pretty
easily
and
so
now
I'm
starting
to
think
that
when
I
do
version
three
of
this
system,
that
I
could
do
a
much
a
bigger
message
that
had
a
lot
of
the
data
already
in
it,
so
that
I
didn't
have
to
go
pull
a
receipt
out
of
a
database
right.
You
know
that
extra
step
anyway,
just
some
stuff
on
that
we're.
A
Working
through
talking
about
interesting
there's
lots
of
questions
to
raise
the
I
guess
but
yeah,
but
how
many
like
how
many
events
per
per
minute
or
second,
do
you
send
in
your
system
then
without
even
then
it's
quite
substantial.
It's
nice.
A
B
B
B
B
A
B
It
out
of
the
database,
but
we
can't
delete
it
because
if
I
ever
wanted
to
go,
look
something
up
that
happened.
I
need
to
have
that
receipt
there,
and
then
the
receipts
are
tied
to
Gates,
which
the
gates
are
like.
If
I
have
a
gate,
it
represents
an
action.
So
if
I've
got
this
say,
I
was
running
a
build
right
and
I've
got
this
build
gate
and
I
put
receipts
in
it
all
the
time
for
different
mbrp's.
B
We
never
delete
receipts
and
then
there's
a
stage
wrapped
around
it
around
the
gates
that
triggers
once
all
the
gates
have
been
satisfied
with
a
true
statement
for
the
receipt
and
then
that
stage
fires
now
the
stages
can
be
disabled
and
enabled
because
they
grow
and
Shrink,
sometimes,
as
we
add
dates
and
remove
Gates,
and
so
that
part
got
pretty
interesting
where
it
became
to
the
point
where
we're
making
stages
pretty
much
dynamically
on
the
Fly,
based
on
what
dates
are
registered
or
what
things
were
to
get
you
all
complicated
real
fast.
A
Yeah
totally
understand
yeah,
so
anyway,
quite
big
events,
then
one
Meg
and
you
send
so
many.
It
will
be
a
lot
of
data.
Let's
say
yep.
D
A
B
So
the
the
the
event
would
reference
the
receipt
which
would
contain
the
reference
to
the
s-bomb.
B
Ideally
you
take
out
that
second
step,
but
the
problem
comes
back
to
what
we
talked
about,
where
the
I
got
to
keep
the
messages
small
and
then
the
messages
have
a
schema
and
we
don't
want
to
deviate
from
the
schema
ever
and
so,
but
receipts
can
have
this
custom
section
that
doesn't
have
a
schema
or
could
have
schema,
and
it
you
know
it
sprawls
right.
B
B
And
then
the
but
like
in
the
costume
section,
God
knows
you
know
if
it
fits,
you
can
put
it
in
there
and
then
you
know
as
long
as
it's
Json
now
the
first
thing
that
a
developer
will
try
to
do
on.
You
is
he'll,
try
to
base
64
something
and
shove
it
in
the
custom
section.
So
we
have.
C
B
So
we
pump
about
okay
during
the
load
tests.
We
were
doing
0.03
megabytes
per
second
worth
of
messages
and
consuming
about
0.05
megabytes,
so
I
mean,
like
I,
said
we
weren't
even
scratching
the
system
and
we
run
like
tons
of
stuff.
So
you
can't
find
the
exact
messages
per
minute
there
I
don't
know
why,
anyway,.
A
B
But
yeah
the
schema
is,
you
know,
open
API
for
I
mean
yeah.
The
the
schema
is
written
in
is
also
written
in
Json
and
then
there's
all
the
apis
in
the
system
are
documented
by
open,
API,
three
Docs.
D
A
B
B
A
B
So
so
one
of
the
one
of
the
things
we
did
is
the
whole
system
is
most
of
the
systems
written
and
go
and
I
got
in
a
our
I.T
Department,
wouldn't
let
us
deploy
into
their
kubernetes
environment
with
if
we
had
too
many
vulnerabilities
right
and
so
all
of
our
when
we
started
out
all
of
our
images
were
based
on
the
red
hat
uvi
image,
which
has
some
vulnerabilities
in
it,
and
they
didn't
particularly
want
me
to
deploy
that
on
their
stuff.
B
So
I
got
mad
and
I
ripped
everything
out
and
went
with
scratch
containers
and
then
so,
when
we
got
the
scratch
containers
done,
we
started
baking
the
the
schema
into
the
go
binary
so
there
so
the
schema
for
for
like
stuff.
That's
not
configurable,
that's
baked
into
the
go
binaries
and
then,
when
you
create
a
gate,
and
you
want
to
put
a
schema
with
it
when
you
post
your
requests
to
the
service
to
create
the
gate,
you
send
the
schema
with
it
and
then
the
schema
will
get
applied
to
that
gate.
B
And
then
you
won't
be
able
to
post
a
receipt
that
doesn't
meet
the
schema
for
that
gate,
and
that
is
that's
kind
of
arbitrary,
like
that's
up
to
the
end
user,
to
you
know
craft
his
schema
and
post
it
to
the
gate,
yeah.
So.
A
Yeah
so
yeah
good
discussions,
I
guess
we
drift
away
from
the
subject
of
supply
chain
a
bit,
but
to
me
it's
interesting
in
a
way,
so
the
rest
of
you,
please
explain
if
you
have
any
questions
or
thoughts,
but
did
you
have
something
else
on
your
mind
there
from
the
supply
chain
perspective,
not.
B
Really
I
think
I
think
we
need
to
I
think
I
need
to
go
and
read
what
you
currently
have
and
then
see
what
other
ideas
I
could
come
up
with.
Yeah
like
this
is
my
first
time
back
to
the
Sig
events.
Since
we
went
on
break
so
I
definitely
should
read
what
you
guys
have
and
then
and
it's
in
CD
events
right,
not
the
same
events.
A
A
D
Okay,
so
yeah
like
I
need
to
live
in
three
minutes
for
our
meeting,
but
I
actually
will
send
the
pull
requests
for
the
software
supply
chain.
Broad
map,
as
we
discussed
last
week
and
I,
will
add
a
few
sentences
that
like
how
we
can
help
contribute
to
CD
runs
from
supply
chain
perspective.
So
please
keep
an
eye
on
software
explosion
sigrepo
and
comment
on
the
roadmap
to
see
if
it
makes
sense
like
one
of
the
things
I
plan
to
highlight,
that
is,
vocabulary
start
with
and
then
continue
iterating
it
over
time.
F
B
A
B
C
A
Yeah,
so
we
have,
this
scheme
must
well,
we
had
a
documentation
first
and
then
the
Json
scheme
must
adjacent
to
it
as
well.
So
the
documentation
talks
about
what
different
subjects
we
represent
in
our
events
and
their
different
predicates.
So
each
of
these
predicates
has
their
own
events,
so
a
build
can
be
installed,
queued,
started
or
finished,
for
example,
three
different
types
of
events
for
a
build
subject.
So
that's
how
you
read
this
table
of
events
right
yeah
and
then
the
schemas
are
in
the
Json
folder
receiver
folder
next
to
there
as
well.
A
Fast
and
fail
yeah,
okay,
yeah
yeah.
Well,
it's
well!
Maybe
we
call
it
success,
student
failure
or
something
like
that,
but
we
have
that
in
the
I
have
been
around
in
the
core
events.
We
have
them
in
the
Pipelines
finished
and
the
tasks
were
unfinished.
For
example,
we
have
some
yeah
outcome
which
can
be
success,
error
or
failure.
A
B
E
We
also
have
a
couple
of
PRS
open
now
on
the
spec
repo
and
for
incident
event
and
test
events.
E
So
I
mean
you,
if
you're
at
some
point
interested
in
doing
some
contribution
to
the
spec,
and
you
can
take
a
look
at
those
to
get
like
a
practical
examples.
What
kind
of
writings
you
you
need
to
do.
B
Yeah
one
of
the
things
that
we
do
is
and
I'm
going
to
use
the
term
X
unit
Loosely,
but
the
our
testers
output,
their
test
data
into
junit
or
X
unit,
and
then
we
have
what
we
call
an
X
unit
to
receipt
tool
that
picks
up
the
that
picks
up.
The
XML
evaluates
the
test,
Suites
and
then
tells
us
to
make
the
decision.
B
You
know
whether
it's
fox
or
fail
whether
the
test,
pops
or
failed
based
on
you
know
the
number
of
errors,
or
you
know,
failures
in
there,
and
so
that's
yeah.
I'm
I
have
some
ideas
on
test
device.
Then.
A
A
B
C
A
Okay,
so
there
you
have
three
different
subjects:
test
case
run
test
we
run
and
test
output
and
they
can
have
different
predicates.
The
key
would
finish,
started
and
finished.
Oh
sorry
finish
this
applicator,
but
still
start
to
finish,
and
then
the
test
outputs
could
be
published.
So
this
is
where,
like
no
distance,
that
stuff
can
be
notified
about
being
available.
A
Course,
of
course,
yes,
yes,
I
think
this
event
would
say
there
is
a
reference.
Oh
sorry,
whatever
you
can
look
at
it
in
the
pier,
so
there
should
be
references
to
urad
references
to
to
the
logs,
of
course,
and
so
I
guess
that's
one,
one
idea
where
we
reference
I'm
referencing
over
the
application
in
the
events.
A
So,
instead
of
including
a
lot
of
information
in
the
events,
we
reference
the
things
that
are
immutable,
at
least
if
there
is
mutable
information
that
is
like
status
or
something
in
in
the
system.
Then
it's
it's
suitable
to
put
into
the
event,
because
then
you
can
see
the
snapshot
of
what
that
data
looked
like
at
the
occurrence
of
the
event.
A
But
if
it's
immutable
data,
then
it's
it
makes
more
sense
to
reference
it.
Instead,
at
least
if
it's
large
data
in
topics
right,
good,
yeah,
I,
don't
know
if
we
can
kill
much
further
when
it
comes
to
the
software
supply
chain
like
event
types
and
data
types,
but
what
would
be
a
good
way
forward?
The
the
roadmap,
of
course,
for
the
social
supply
chain
is
one
thing,
but
it's
not
it's
not
so
much.
Hands-On,
of
course,
is
there
anything
Hands-On.
A
E
My
plan
for
for
this
kind
of
events
would
be
was
at
least
in
my
mind,
to
to
start
with,
with
tecton
as
a
source
of
generating
those
events,
mainly
because
we
we
haven't
tagged
on
a
component
called
tecton
chains,
which
is
basically
watching
task,
runs
in
pipeline
execution
and
creating
this
kind
of
thing.
So
it's
creating
at
the
stations
generating
the
s-bomb
for
you
in
some
cases,
and
also
signing
artifacts.
E
And
yeah
so
I
think
that
it's
in
I
had
this
use
case.
For
instance,
when
we,
when
we
do
a
text
on
release
and
the
artifacts
with
the
container
images
are
created,
then
one
could
start
and
create
the
release
notes,
but
because,
in
the
release
notes
we
also
want
to
include
the
record
recore,
so
the
six
star
uuid
from
the
transparent
log.
So
it's
best
to
wait
once
that
information,
so
the
profitance
is
uploading
in
the
artifact
side.
E
B
Yeah
we
do
that
so
our
for
the
you
know
you
dog,
food,
the
event
system
right
and
so
for
the
event
system.
We
have
a
set,
an
integration
Suite
that
runs
at
test
once
it
gets
promoted
to
test,
and
when
that
integration
Suite
passes
it
tests,
it
goes
and
it
kicks
off
another
Watcher
that
has
knows
what
has
been
updated
in
what
needs
to
be
updated
in
fraud
and
it
generates
the
release,
notes
and
creates
cheer
issues
for
all
of
the
things
that
need
to
be
released
in
the
prod
next
week.
B
And
it's
really
it's
pretty
helpful.
So
that's
a
really
good
scenario:
I
think
that
you
come
up
with.
C
E
So
what
I
could
do
I
could
either
create
a
separate
issue
for
this
I'll
link
it
to
the
original
issue
or
add
more
context
in
there
to
describe
this
in
in.
E
C
A
Think
we
can
stop
there.
The
idea
is
not
really
on
this
sync
meeting
to
go
into
any
very
deep
specification
discussions
or
protocol
11
protocols,
Theory
events,
discussions
because
that's
what
we
do
in
the
work
group
tomorrow
in
the
City
events
work
group:
it's
where
it's
more
of
a
higher
level,
a
bit
to
discuss
where
what
interface
is
just
I
mean.
Who
should
we
talk
to
and
who
should
we
bring
into
these
meetings?
A
Secondly,
the
way
I've
already
brought
that
up
now
and
what
happens
in
other
six,
so
I
think
we
can
go
on
in
the
meeting
now.
Yes,
mentioning,
then
repeating
I'm,
sure
you're
aware,
but
there
are
it's
a
new
new
year
for
rewards
you've,
seen
all
the
messages
on
the
stack
and
everywhere
else.
The
nomination
period
ends.
This
Friday
I
believe
it
is
yeah,
so
no
nominations
after
Friday
and
that's.
We
have
the
possibility
to
tend
to
nominate
people
for
the
top
level,
CDF
Awards
and
also
for
any
other
projects.
A
A
Then
I
just
mentioned
some
some
conferences
that
we
relate
to.
Somehow
you
mentioned
there
at
another
conference.
You
would
attend.
What
was
that
you
said.
B
That's
Raleigh,
devops.
That's
that's
a
local
thing
to
me
very
devops.
A
B
Yeah
Raleigh,
like
in
Raleigh
North
Carolina
like
right
down
the
road
from
my
house,
because
I'm
getting
I'm
having
trouble
with
travel
budget,
sure
yeah,
basically
you're,
not
interacting
with
customers
generating
Revenue
you're,
not
getting
money
to
travel
this
year.
So
I
will
pop
a
link
over
here,
though,.
B
Yeah
it's
April,
12th
and
13.
and
I
will
like
I
said.
I
will
definitely
try
and
you
know
gas
us
up.
You
know
who.
A
B
B
Yeah
I
mean
not
it's
not
like
Silicon
Valley
or
anything
like
that.
Right
I
mean
but,
like
we've
got
an
Intel
presence
here,
I,
don't
know
we'll
see
who
goes
I've
never
been
to
one
of
these
before,
but
it's
it
should
be
interesting.
A
couple
of
my
ex-co-workers
have
been
on
me
to
get
to
come
to
them
and
get
a
a
talk
going.
So
that's
what.
C
B
Yeah
I
had
a
talk
in
Nashville
as
well
the
national
devops
days,
but
I
had
to
cancel
it
because
when
they
dropped,
my
budget
for
travel,
I
and
I
started
looking
what
it
costs
for
a
hotel
room
in
Nashville,
North
Tennessee,
it
was
pretty
expensive.
I
was
like
just
not
gonna
fund
that
one
out
of
my
pocket
I
do
have
papers
in
for
the
cdcon,
so
we'll
see
how
that
goes.
B
Cfp's
already
closed,
but
it's
eighth
and
9th
of
May.
A
B
A
C
A
Nearby
I
think:
okay.
Well,
don't
spend
more
time
on
conferences,
I,
guess
anything
else.
We
should
bring
up
another
one.
B
C
A
Of
course,
of
course,
it's
open
for
anyone
and
the
time
stuff
is,
of
course
chosen
for
Asia
Pacific
people,
mostly
and
Australia
or
Australia,.
F
A
B
E
Yeah
we
we
do
alternate
at
a
time
to
like
we
have
every
other
week
on
Mondays,
it's
the
11
A.M
UTC,
which
is
very
early
for
you,
then,
and
other
weeks
so
like
the
next
is
a
March,
the
7th
we
have
it
at
4,
P.M,
UTC,
yeah,.