►
From YouTube: SIG Interoperability Meeting - Oct. 6 2022
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
A
I've
I'm,
starting
to
commute
into
the
office
and
the
downside
to
that
is
I,
have
not
developed
my
systems
and
so
I've
forgotten.
My
badge,
okay
in
our
lobby,.
A
B
Part
southern
part
close
to
Mannheim.
You
know:
Manheim
Heidelberg,
okay,
cool.
A
Is
it
starting
to
look
dreary
there
now
or
what's
the
weather
like.
A
A
B
B
A
A
B
B
B
C
Awesome,
yes,
okay!
So
let
me
get
started
so
actually
real,
quick
before
I
bring
this
up.
C
D
C
Sure
no
I
was
just
going
to
walk
through
the
the
diagram,
like
the
architecture,
kind
of
thing,
just.
B
To
show
off
what
it
was
and
I
have
it
here:
okay,
yes,
there
we
go.
C
Perfect
so
before
I
kind
of
went
into
the
demo
itself,
I
kind
of
wanted
to
talk
about
like
what
we're
trying
to
build
out
here
for
presca.
So
this
is
based
off
these
the
cncf
reference
architecture
for
the
secure
supply
chain.
C
So
what
we
try
to
do
is
Implement
all
the
different
components
that
were
there
that
was
recommended
by
that
white
paper.
So,
for
example,
there's
a
central
build
environment
right,
so
this
is
going
to
be
in
this
case
we're
using
tecton
tecton
pipelines.
The
pipeline
Observer
we're
using
protect
on
chains.
We
have
workload
and
node
navigation
with
an
identity
service
right,
so
that's
kind
of
going
to
be
coming
from
Aspire
admission.
Controller
right
here
is
going
to
be
kyberno
and
so
forth.
C
Right,
so
what
we
try
to
do
is
we
tried
to
glue
everything
together?
So
what
Fresca
is
is
like
it's.
We
try
to
make
it
so
that
it's
seamless
for
the
developers
so
as
they're
actually
going
through,
and
you
know
trying
to
build
out
their
the
different
projects,
we're
trying
to
make
it
so
that
the
security
aspect
of
it
is
kind
of
given
to
them
right
so
that
they
they
don't
have
to
actually
think
about
it.
C
Basically
kind
of
follow
their
normal
routine
of
hey
I
push
some
code
into
my
git
repository
and
it's
you
know
it
does
this
thing:
I
get
an
artifact
or
an
image
at
the
end
of
it
right.
But
what
happens
in
between
all
of
this
right
is
you're,
getting
all
that
security
you're.
C
Getting
that
whole
the
tamper
proof
you're,
getting
the
you
know
the
attestations
generated
automatically
you're,
getting
all
that
kind
of
information
created
for
you
and
getting
all
the
security
kind
of
built
in
all
without
the
developer,
having
to
do
anything
or
think
about
anything,
so
that
that
was
our
goal
is
to
make
sure
that
we
kind
of
make
it
so
that
it's
kind
of
seamless
for
the
developers-
and
we
can
you
know
easily-
they
can
do
their
work.
C
So
what
I'll
show
here
is
I'll
show
off
the
different
pieces
and
I'll
kind
of
walk
through
those
I'll
show
you
a
quick
demo
and
the
things
that
it
kind
of
protects
against.
So
the
first
thing
I
kind
of
I'll
show
off
is
in
terms
of
like
what
the
bad
things
are
right.
So,
for
example,
you
know
like
is
there
a
question.
B
D
Hey
part
I
was
just
gonna,
let's
just
quickly,
I
think
or
Orient
a
little
bit
so
so
before
we
get
into
those
sorts
of
problems
that
it's
protecting
against.
Ultimately,
at
the
highest
level,
Fresca
is
doing
I.
Think
two
big
things.
D
One
is
just
a
set
of
build
pipelines,
visibility
and
tools
to
to
be
secure
in
your
in
your
development
of
trying
to
provide,
and
it's
trying
to
provide
a
set
of
guard
rails
and
abstractions
to
make
sure
that
you
stay
that
way
right.
So
that's
really
the
ultimate
goal
that
it's
trying
to
hit
be
secure
in
your
build
and
don't
let
you
do
insecure
things
all
with
the
fundamental
purpose
to
to
to
not
get
in
the
way
of
the
developer
and
not
have
this
be
a
thing
that
they're
constantly
worried
about.
D
So
it's
trying
to
do
those
things
in
an
easy,
easy
way.
So,
when
part
of
this
jumping
in
to
talk
about
some
of
the
bad
things
can
happen,
this
is
where
you
start
to
hear
or
I'm
sure.
You're
all
are
familiar
with
this.
Having
been
in
this,
these
sorts
of
meetings,
all
the
sorts
of
supply
chain
tags
that
can
that
can
occur,
it's
ultimately
trying
to
make
it
easy
to
prevent
those
kinds
of
certain
certain
categories
of
those
things
from
occurring
or
allow
you
to
react
quickly
when
they
do
hope
that
made
sense.
C
Yeah
yeah,
so
so,
like
you
know,
like
Tim,
is
saying
we
we
try
to
make
it
so
that
we
kind
of
abstract
out
all
those
complexities
right,
so
we're
using
Q
to
kind
of
abstract
out
that
layer
so
that
you
know
the
developers
can
just
give.
You
know
provide
some
kind
of
configuration
and
then
you
know
the
rest
of
it's
kind
of
taken
care
of
right
because
of
the
Guard
barrels
are
in
place.
It's
going
to
automatically
have
them
flow
through
a
specific
pipeline.
That's
you
know.
C
C
Okay,
so
what
I'm
going
to
show
off
so
real,
quick
in
terms
of
the
different
components
right
we
talked
about
tecton
pipelines.
Is
it's
the
actual
build
environment?
Technon
changes
that
pipeline
Observer?
We
have
the
Spire
agents
running
here.
Spire
server,
Inspire
agent,
I,
won't
go
into
too
much
detail
exactly
how
Spire
Aspire
is
working
in
this
case.
If
you
know,
if
you're
interested
I
can
talk
about
it
more
later
on,
but
basically
that's
the
one,
that's
kind
of
giving
that
short-lived
certificates
in
order
for
it
to
allow
to
identify.
C
If
you
know
as
the
build
is
going
through
the
pipeline,
has
it
been
tampered
with
right?
It
has
that
ability
to
check
to
see
that
the
results
are
the
way
they're
supposed
to
be
at
the
same
time.
You
know
the
artifact
you
want
it
to
be
created
at
the
end
is
the
one
that
got
created
right,
so
you
have
complete
trust
in
your
pipeline.
So
that's
what
Spire
is
allowing
you
to
do
along
with
tecton
chains
and
along
with
pipeline,
so
it's
all
kind
of
integrated
all
together.
C
We
also
have
qyburner
running
here,
which
is
that
emission
controller
piece.
So
this
is
the
one
that's
checking
to
make
sure
that
you
know
they're
at
a
station's
Association
with
the
images
you're
pulling
in.
Are
they
signed
assigned
with
proper
signatures
that
you
trust
and
so
forth
right?
C
So
all
these
pieces
are
all
kind
of
working
together
to
make
sure
that
what
you,
when
you
ingest
something
and
what
you
when
you
output,
something
that's
all
trusted
and
finally,
a
volt
is
also
in
here
and
that's
going
to
be
used
for
your
long-term
signing
keys
right.
So
Aspire
is
the
short-term
signing
key
vault
is
the
one.
That's
storing
your
long
term,
you're
signing
your
actual
signing
keys
right.
That's
going
to
assign
your
artifacts
at
the
end,
so
chains
actually
is
automatically
integrated
with
Vault.
C
So
it
has
the
ability
to
actually
authenticate
two
vaults,
you
know
and
using
a
translator
plug-in
and
it
actually
signs
the
artifact
and
publishes
to
you
know
a
registry
okay.
C
So
the
first
thing
I'll
kind
of
show
off
here
is
so
and
hope
this
all
works
because
I
have
not
tested
this
in
a
while.
C
So
first
thing
I'm
going
to
show
off
is
like
how
does
this
kind
of
look
in
terms
of
running?
You
know
like
an
unsigned,
what's
going
to
happen
if
I,
if
I
try
to
create
an
unsigned
image,
so
what
I'm
doing
here
is
I'm
just
running
build
packs
locally
and
what
I'm
doing
I'm
pushing
it
to
ECR,
and
this
is
basically
like,
for
example,
I
didn't
go
through
the
proper
procedures
of
creating
an
image
right.
I
didn't
go
through
my
Fresca
right,
I
didn't
go
through
Fresca
and
I
built
something.
C
What
would
happen
What
would
the
would
the
policy
manager
admission
controller
catch
this
and
not
allow
it
to
run
in
a
production
environment?
So
that's
what
I'm
trying
to
show
here
is
that
it's
going
to
once
it
does
this.
It's
going
to
show
that,
oh
because
it's
not
properly
signed
because
it
does
not
have
any
attestations
associated
with
it.
It's
not
going
to
be
allowed
to
run
in
that
environment.
D
D
Idea,
making
sense
want
us
to
dig
into
anything
else,
while
this
is
cooking
in
the
background.
C
So
the
attestations
get
so
Kyle
Bruno
has
the
ability
to
pull
them
down
from
oci,
so
they're
stored
in
oci,
with,
along
with
the
image.
D
Got
it
thank
you
yeah.
So
that's
part
of
what
the
the
the
pipelines
are
doing
is
that
as
they're
building
generating
all
the
attestations
generating
this
one
signing
that
all
publishing
that
into
occi
alongside
the
the
artifacts
and
then
the
the
governor
policies
are
basically
set
up
to
to
look
to
go,
pull
those
down,
look
for
those
inspect
them
and
then
just
ensure
that
everything's
matched
up.
D
So
if
your
signatures
are
not
matching
up
or
your
hashes
aren't
matching
up
or
anything
isn't
quite
right,
Kevin
will
stop
that
from
running
and
again
those
policies
are
editable,
but
this
one
that
he's
showing
there
is
basically
just
saying
that
hey
that
has
to
have
that
signature
from
let's
say
that
that
only
the
build
pipeline
can
actually
provide
you
so
that
you
can't
do
something
like
squat
on
the
repository
and
just
upload
another
copy
of
a
similarly
named
image.
B
A
Yeah,
you
said
that
you're
using
other
attestations
and
not
just
container
signing
yes,
are
those
also
getting
stored
alongside
the
container.
C
Correct,
yes,
so
the
signature
as
a
signature
and
as
well
as
the
attestation
is
both
stored
along
with
the
image
in
oci
and
I.
We
can
I
can
show
that
off
in
the
USA.
Actually,
there's
been
a
PR
and
an
update
to
the
oci
spec
I
think
it's
as
it
has
the
ability
now
to
differentiate
between,
like
a
signature,
object
versus
like
an
annistation
object.
C
So
before
you
know
we
were,
it
was
going
off
of
the
you
know
like
what
is
it
but
again,
if
it's
a
DOT
signature
or
dot
attestation,
that's
what
it's
kind
of
going
off
to
searching
for
that
kind
of
an
object
in
the
ocracy.
Now
it's
made
official
and
I
think
that
should
be
done
by
the
end
of
the
year
so
that
it
has
that
ability
so
that
it
can
actually
it's
an
actual
signature
object
and
actual
manifestation
object.
That's
in
the
ocean
offer
industry,
so
you
can
actually
query
for
that.
C
Yeah
so
right
here
so
kind
of
showing
kind
of
kind
of
what
Tim
was
saying
right
so
kyverno
has
the
ability
to
have
the
policies
in
place
right
in
this
case.
Presca
has
a
lot
of
policies
built
in
and
that's
what
we
we
want
right.
We
want
to
make
sure
it's
very
easy,
So
based
off
like
what
information
you
provide.
C
You
know,
basically,
through
that
abstraction
level,
we
create
the
policies
for
you
and
they
get
it
kind
of
placed
in
here,
and
you
can
see
that
the
right,
the
signature
is
no
longer
valid
because
there's
no
signature
at
all
associated
with
this,
because
I
built
this
manually
at
the
same
time
there's
no
attestation
associated
with
it.
So
now
it's
going
to
deny
this
for
money
in
a
production
environment
and
similarly,
if
you're
running
this
in
you
know
another
cluster,
you
could
do
something
similar.
C
Okay,
so
the
next
piece
I
wanted
to
show
is
the
piece
where
I
like
I
so
I'm,
a
malicious
admin
in
my
kubernetes
cluster
and
I
want
to
sabotage
the
build
as
it's
running.
So
if
you
remember,
I
spoke
about
spire
and
it
has
the
ability
to
do
the
shortlisted,
certificates
and
signing.
So
that
gives
us
the
ability
to
check
if
something
has
been
tampered
with
right.
So
what
I'm
going
to
this
kind
of
a
short
demo
here
is
what
I'm
going
to
show
is.
C
As
the
pipeline
is
running,
and
it's
this
long
running
task
sort
you
can,
for
example,
you
can
imagine
a
pipeline,
that's
you
know,
taking
maybe
let's
say
a
minute
or
so
to
complete,
or
you
know,
lessen
that
and
some
kind
of
an
automated
process,
or
you
know
someone
manually
comes
in
and
tries
to
modify
something
like.
Oh
I
I
see
that
you're
using
you
know
Alpine
image
or
something
right
for
your
to
build
this
image.
C
I
want
to
change
that
with
you
know,
Alpine
also,
but
something
something
else
that
I
incorporated
into
this
Alpine
image.
I
want
to
use
that
instead.
So
as
the
pipeline
is
running,
I
want
to
change
the
image,
that's
actually
going
to
be
used
to
build
the
artifact,
and
so
what
this
does
is
what
this
is
going
to
show
is
that
that
Fresco
will
catch
that
from
happening.
So
as
it's
actually
running
it's
going
to
catch
that,
oh
something
has
changed
right.
Something
has
changed
in
my
task
run
or
pipeline
one.
C
Something
has
changed
so
now
it's
going
to
invalidate
the
whole.
It's
going
to
invalidate
the
whole
pipeline
so
down
here.
You
see
what
happened
as
it
was
running.
You
get
an
internal
error
saying
that
the
task
run
status,
condition
is
not
verified,
so
aspired
could
not
verify
the
results
and
also
can
verify
the
condition.
So
I
won't
go
into
create
like
much
detail
into
exactly
Aspire
and
tecton
chains
and
tecton
pipelines
kind
of
all
work
together.
C
That's
a
whole
separate
discussion
that
I
can
I
can
go
much
deeper
into,
but
just
just
a
real
quick
overview
is
like.
Yes,
it's
checking
to
see
if
the
task
runs
themselves,
the
task
runs
are
assigned.
So
if,
as
as
results
are
created
between
tasks,
those
are
also
signed.
As
they're
passed
between
tasks
at
the
same
time,
the
status
of
the
the
overall
password
is
also
being
verified,
so
for
so
down
here,
if
I
look
so
initially
so
my
so
I'll
show
here
is
so
the
the
long
run.
C
So
the
long-running
task
was
very,
very
simple
and
all
it
was
doing
was
running
the
hello
world,
but
it
was
using
Ubuntu
in
this
image.
So,
if
I
scroll
up
here
now,
it
got
changed
to
not
open
two
right.
So
as
it
was
running
I,
you
know
my
script
kind
of
went
and
modified
the
image
to
be
something
different
and
because
it
changed
Midway
through
the
pipeline
run
right,
Spire,
Spire,
cut
this
buyer
necton
chains
and
pipelines
caught
this
as
being
something
nefarious
and
saying
like
well.
This
is
not
expected.
C
C
C
Usually,
so
it
retried
three
times
to
sign
the
image
right,
but
because
it
was
invalidated
because
it
said
oh
well,
this
I
can't
trust
this
artifact,
so
it
didn't
sign
the
image
so,
for
example,
if
I,
if
I
try
to
even
if
it
created
some
kind
of
an
image,
for
example
like
if
it
even
if
this
passed
and
it
created
some
kind
of
image
and
pushed
it
to
oci,
it
would
not
have
a
signature
associated
with
it.
C
C
Awesome
yeah,
so
if
you're
interested
more
I
can
I
can
we
can
you
know
in
a
later
meeting
or
something
we
can
go
deeper
into
the
whole
Spire
tecton
integration,
but
I'll
keep
moving
for
now.
C
Okay,
so
now
these
are
all
the
bad
things
right.
These
are
the
things
that
are
protected
against.
What
would
a
normal
operation?
Look
like
you
know:
I'm
a
developer
I
just
want
to
push
my
code
right,
I
I,
don't
care
about
what's
happening
in
the
background.
I!
Don't
want
I,
don't
care
about
security.
I
want
to
make
it
to
be
easy
and
painless
for
me.
So
how
does
that
work?
How
does
the
actual
good
scenario
kind
of
work
now
right?
C
So
what
I'm
going
to
do
is
I'm
going
to
trigger
a
build
in
GitHub,
so
all
I'm
doing
is
just
creating
a
new
pull
request
and
what
that
does
is
that's
going
to
trigger
an
event
in
in
Fresca.
So
what
this
is
going
to
do
is
I'm
just
watching
for
it
now.
So
it's
going
to
it's
going
to
trigger
the
pipeline
to
run
basically,
so
the
pipeline
has
already
been
defined.
There's
some
trigger
sets.
So
there's
a
web
hook,
I
created
in
GitHub.
C
So
what
this
does
is
that
it
you
know
it
initiates
that
pipeline.
It
feeds
it
in
some
initial
environment
variables.
You
know
what
kind
of
ref
what
kind
of
commit
is
using
and
so
forth
right
and
then
it's
going
to
launch
the
build.
So
it's
going
to
do
you
know
good
clone.
You
know
it
does
a
variety
of
things.
It's
going
to
build.
It's
going
to
do.
You
can
do
unit
testing
right,
you
create
the
actual,
build
we'll,
create
the
s-bomb
and
so
forth.
C
All
that
kind
of
stuff
is
all
contained
within
the
pipeline
and
at
the
end,
because
it's
going
to
be
right
because
nothing
tampered
with
it,
because
I
can
verify
all
the
results
and
so
forth
change
is
going
to
come
along
and
do
the
signing
it's
going
to
assign
it
create
the
attestation
for
it
and
then
push
all
that
stuff
into
an
oci
registry.
For
me,.
D
D
While
that's
clicking
one
of
the
things
we
thought
would
be
interesting
for
for
this
group
is
really
what
Fresca
is
doing
is
tying
together
a
whole
bunch
of
things
right.
It's
really
trying
to
make
stuff
play
together
and
we're
using
q-ling
to
to
do
a
lot
of
that
abstraction
for
you.
D
So
it's
trying
to
make
it
so
you
don't
have
to
be
an
expert
in
spire
and
tecton
and
chains
and
all
those
things
that
can
be
a
little
bit
gnarly
to
wire
up
yourself
so
that
it's
consumable
for
a
normal
developer.
Who
doesn't?
Who
just
wants
the
nice
things
but
doesn't
have
to
be
an
expert
in
them
right.
D
So
that's
really
where
we
thought
that
might
be
an
interesting
angle,
so
you
can
see
as
a
Dev
you're.
Just
you
know,
following
a
normal
Dev
flow.
You
don't
have
to
be
concerned
about
this
at
the
details.
C
Right
Okay
so
does
pipeline
completed
so
I'm
going
to
verify
right,
I'm
going
to
verify
that
everything
looks
good
and
you
know,
and
that
I
have
the
proper
signatures,
so
we
are
using.
C
So
let
me
shoot
up
here,
real
quick,
so
this
is
just
the
pipeline
results.
I
just
want
to
show
this
real
quick.
You
know
what
a
good
use
case
would
look
like
so
up
here.
If
you
remember
in
the
bad
use
case
where
I
you
know
modified
that
image
to
be
not
Ubuntu,
this
failed
completely
right.
So
now
it's
saying
well,
the
task.
Run
results
are
all
verified
right,
they're
all
successively
signed
and
verified
against
Spire.
So
that's
that's
what
this
is
showing
and
then
up
here.
C
You
see
that
there's
another
annotation
for
the
status
again,
it's
not
it's
not
showing
any
kind
of
Errors.
So
that
means
that
you
know
it
expected.
Everything
went
as
expected
and
nothing
kind
of
interfered
with
the
actual,
build
the
build
process
and
then
scrolling
up
here
you
see
tecton
chains.
C
Finally,
right
because
again
it
does
some
kind
of
it
does
verification
to
check
to
see
that
did
anything
appear.
Everything
looks
good,
then
it's
going
to
do.
Okay,
I
signed
it
right
using
that
the
key
that
I
have
involved
right.
It
has
the
ability
to
automatically
log
into
Vault,
vs
fire
right
yeah
and
then
use
a
transitive
plugin
to
create
to
sign
an
artifact
as
well
as
create
the
address
station.
So
these
are
the
two
things
that
you
see
here.
C
So
change
has
the
ability
to
actually
append
the
payload
right,
which
is
the
attestation
object
itself,
as
well
as
a
signature
to
The
annotation
in
the
kubernetes
object
at
the
same
time,
I'll
push
it
up
to
oci,
so
it
did
both
in
this
case.
So
that's
a
lot
to
show
there
and
then
I
think
you
were.
You
know
the
first
question
in
terms
of
oh.
What
does
this
look
like
in
terms
of
oci
right
if
I
scroll
down
here,
you
can
see
that
there
is
there's
an
image
right.
C
This
is
the
image
that
we
created,
which
is
the
the
commit
hash
of
the
the
git
repo
as
well
as
you
can
see,
the
dot
DT
is
that
that's
the
added
station
and
the
signature,
so
you
can
see
I
I
run
this
multiple
times,
so
there's
a
bunch
bunch
of
them
in
here.
So
that's
what
this
is
so
there's
the
attestation
signature
student
associated
with
it
and
here's
that
bad
python,
one
that
I
made
initially
before
right,
which
I
didn't
sign.
C
So
that's
that's
in
here
also
and
then
coming
down
here
we
can
use
cosine
to
validate
that
everything
is
is
signed,
so
cosine
kind
of
goes
in
and
validates
the
signatures,
and
you
can
see
that
verification
was
done
to
that
image.
You
can
see
that's
the
same
image
tag
up
here
for
that
python,
Hello
World,
so
it's
PSI,
it
verifies
the
signature.
At
the
same
time,
it
verifies
that
the
attestation
is
also
assigned.
So
that's
what
all
that
information
is
down
here
so.
Lastly,
what
is
this
payload?
C
Actually
look
like
right.
It's
gonna!
This
is
a
bunch
of
a
bunch
of
Basics
before
encoded
information.
So
if
we
take
a
look
at
this,
what
is
basically
is
is
that
is
creating
that
cell
status
station
right.
So
it's
creating
a
salsa
salsa
station
and
you
know
what
was
the
actual.
What
was
the
name
of
the
image
that
got
created
was
a
hash
and
then
what
is
the
different
parameters
and
build
steps
that
I
kind
of
went
through,
and
so
we
can
use
this
information
and
feed
it
into.
C
You
know
other
tools
that
I
can
actually
ingest
this
information
and
give
us
a
bigger
picture
and
exactly
what's
happening
at
the
same
time.
Right
kyberno,
the
dimension
controller
is
actually
looking
at
this
information
and
validating
it
right.
So
you
can
validate
yes,
there's
annotation
associated
with
it.
You
can
actually
check
specific
properties.
I
want
to
be
like.
Oh
I
want
to
check
to
see
that
it
got
built
by
tecton
chains
right.
It
got
signed
by
tekton
chains.
C
If
it's
been
signed
by
something
else,
another
Builder
that
I
I
don't
expect
to
be
in
my
environment
right
then
I'm
going
to
invalidate
that
also
so
I'm
not
going
to
allow
that
to
run
in
my
production
environment.
So
it
has
the
ability
to
check
various
components
or
various
pieces
of
the
United
Station
also.
C
So
this
is
the
salsa
at
a
station
that
gets
generated
by
chains.
The
other
thing
we're
trying
to
work
on
that
I'm
working
on
getting
it
implemented
is
also
creating
a
runtime
at
a
station
and
I
don't
have
this
in
the
demo
at
this
point.
But
basically
what
this
would
do
is
create
another
attestation,
apart
from
the
cell
status
station,
it
would
be
another
run
time
at
a
station
which
uses
ebpf
right.
So
you
can
see
exactly
what
happened
at
runtime.
For
your
actual
build
right.
C
You
can
see
the
different
processes
of
that
rant.
Did
it
try
to
connect
to
the
internet
right
if
I,
if
I
see
that
it's
trying
to
connect
to
the
internet,
then
I
don't
expect
that
then
I
want
to
Cache
that
so
it
it's
going
to
give
you
that
kind
of
information
in
an
understation
format
and
again
you
can
ask
have
kyverno
check
for
that
kind
of
information.
You
know
if
I
didn't
expect
it
to
ever
reach
out
to
the
internet
and
see
a
call.
C
You
know
TCP
connect
or
something
being
made
in
my
attestation,
then
I
know
something
went
wrong
right
then
I
can
just
again,
I
can
I'd
be
like
Oh
I'm,
not
gonna.
Allow
this
to
run
because
I
see
a
TCP
call.
You
know
TCP
connect
called
being
made,
which
should
not
have
happened
right.
So
you
can.
You
can
verify
those
kind
of
things
again.
C
All
this
information
we,
our
goal,
is
going
to
push
it
into
another
tool
that
we're
trying
to
work
on
is
called
clock
so
that
we
can
actually
have
a
visualization
and
make
you
know,
make
better
decisions
on
what
we
want
to
push
into
a
production
environment.
A
A
The
other
one
is
about
what
happens
in
production
in
case
I
forget,
so
you
have
a
bunch
of
different
attestations
there
for
the.
C
A
C
Yes
and
they're
based
off
the
digest
right,
so
it's
based
off
the
material
associated
with
the
digest
of
the
actual
build
of
this
actual
image
and
that's
how
it
Associates
with
the
attestation
and
signatures.
So
that's
how
it
knows
like,
oh,
even
if
I
have
so,
for
example,
I
rebuilt.
This
I
rebuilt
this
to
the
exact
same
tag
right
and
but
I.
Don't
include
a
signature
in
attestation.
B
C
So
when
you
create
the
image
right,
it
creates
a
digest
in
terms
of
what
the
layers
and
everything
that
I
use
to
create
the
actual
image
right.
That's
what
that
is.
E
Go
ahead,
oh
I
was
gonna,
say
and,
and
some
of
that's
going
to
change
now
that
the
the
oci
distribution
and
image
spec
changes
have
come
through.
So
some
of
this
stuff
will
actually
be
encoded
in
the
Manifest
of
the
oci
itself,
so
it'll
make
it
a
little
a
lot
easier
to
not
have
to
you
know
right
now:
Sig
store
has
to
name
it.
Essentially,
you
know
the
the
digest
digest.att,
because
there's
not
a
great
way
to
you
know
in
oci
to
sort
of
say,
hey.
E
This
is
an
attestation
associated
with
this
layer
or
a
signature
associated
with
this
layer,
but
in
the
future
that
will
all
sort
of
be
encoded
more
in
in
the
in
the
oci
Manifest.
A
The
runtime,
the
production,
runtime
question
was
or
the
stuff
that
Fresca
does.
Is
that
basically,
does
it
stop
when
it
hits
production?
Do
you
do
this,
like
the
system
stopped
hearing,
or
do
we
like
periodically
recheck
the
attestations
or
is
there
a
way
to
I?
Don't
know,
do
things
along
that
axis.
E
Oh
yeah
yeah,
so
yeah
I
could
I
could
talk
to
that
a
little
bit.
So
ideally,
you
know,
as
this
sort
of
continues
to
progress.
We
see
that
sort
of
thing
being
kind
of
like
the
Google
style.
Binary
authorization
model
so
like
Fresca
right
now
is,
is
very
much
focused
on
Purely
the
build
piece
and
then
the
idea
would
be
you
know.
When
you
go
to
production,
you
say
hey:
does
it
have
a
salsa
attestation?
Does
it
have
a
run?
You
know?
Does
it
have
a
runtime
off
at
a
station?
E
Does
it
have
all
these
other
things?
If
it
does
we're
going
to
give
it?
You
know
and
no
vulnerabilities
that
have
an
s-bomb
an
assigned
s-bomb
and
all
that
good
stuff,
and
if
the
answer
is
yes,
it
would
get.
You
know
some
sort
of
stamp
there's
a
few
reasons
for
that.
One
reason
is
just
doing
the
ongoing
like.
If
you
have
to
say
hey.
E
Let
me
look
at
the
s-bomb
every
single
time,
the
image
any
single
time,
the
workload
scales
up
or
scales
down
or
whatever
that
can
get
quite
expensive,
but
there's
also
other
things
that
you
want
to
do
as
well,
which
is
like
I,
want
to
add
a
snapshot
in
time,
be
able
to
say,
I
looked
at
the
list
of
cves
ones
that
don't
have
vexes
or
whatever.
E
This
is
what
I
saw,
and
so
it's
we
saw
no
known
cves
or
whatever
it's
good
to
go
for
two
weeks
and
then,
if
two
weeks
later,
you
know,
there's
known
cves,
you
need
to
you
know
readdress
it.
So
that's
kind
of
where
we
also
sort
of
are
looking
at
a
couple
of
different
groups
and
working
with
them
to
see
what
we
can
do
from
that
sort
of
binary
authorization.
E
Piece
that
you
know
you
can
almost
have
it
automatically
re-uh
re-sign
off
production
authorization
and
then,
if
it
can't
it
would
essentially
alert
the
build
system
and
potentially
trigger
a
new
build
trigger
stuff.
Like
oh,
okay,
well,
there's
a
known,
cve
and
either
inform
somebody
that
you
know
they
need
to
fix
this
or
if
it's
something
as
simple
as
like
yeah,
this
could
be
a
dependabot
kind
of
fix.
E
Then
you
know
maybe
try
that
out,
like
try
out,
tell
Fresca
to
build
against
a
newer
version
of
a
dependency
and
if
everything
looks
good
again
great,
you
know,
but
at
least
for
the
time
being,
we
probably
anticipate
that
being
at
least
somewhat
manual,
where
folks
will
have
to
go
in
and
say
you
know,
they'll
at
least
get
alerted
that
hey
something
has
gone
wrong
and
then
they'll
have
to
make
those
updates
in
order
to
sort
of
keep
that
authorization
going.
C
Yeah
I
mean
I.
Think
if
there's
interest,
I
can
speak
more
about
it
later
in
terms
of
the
the
Spire
components
and
how
they
kind
of
talk
together,
we
did
a
whole
open
source.
Summit
talk
on
just
that
piece.
So
it's
that's.
Why
I
didn't
want
to
bring
it
up
here,
because
it's
a
very
it's
it's
by
itself.
It's
going
to
take
another
like
40
minutes
to
talk.
C
It's
a
very
involved
conversation
there's
a
lot
of
stuff
going
on
behind
the
scenes,
but
that's
a
good
part
about
Fresca
right
is
that
everything
is
behind
the
scenes
and
you
don't
have
to
care
about
it
right.
It's
going
to
do
all
the
registration
and
everything
for
you
right,
so
the
signing
short
term,
the
short-term
keys
and
throwing
the
short-term
Keys
away
and
everything
it's
going
to
do
everything
for
you,
so
yeah.
E
Yeah,
and-
and
just
a
couple
of
things
to
highlight
there
is-
is
some
of
this
stuff
will
also
change,
as
some
of
the
things
come
out
of
the
CD
Foundation
right,
where
we're
keeping
an
eye
on
you
know
the
supply
chain
secure
the
supply
chain,
maturity
model,
we're
keeping
an
eye
on
also
stuff
like
CD
events.
Cd
events
could
potentially
also
make
stuff
like
Fresca
significant
and
be
more
pluggable,
where
the
idea
would
be
fresh.
You
know,
potentially
we
we
see
a
future
where
Fresca
could
be
more
of
the
abstraction
layer.
E
That
then
sort
of
you
know
knows
how
to
deal
with
the
different
events
and
ensuring
that
those
events
are
coming
in
securely.
Ensuring
that
you
know
if
an
event
gets
sent
out
to
trigger
a
potential
build,
you
know,
is
the
thing
that's
actually
running
that
build
done
in
a
way
that
would,
you
know
is
salsa
compliant
is
potentially
you
know,
cncf
best
practices,
compliance,
Ed,
Foundation,
compliant
and
so
on.
E
We
don't
need
to
have
all
those
attestations
necessarily
and
we
don't
need
to
go
through
all
those
checks,
especially
if
some
of
those
checks
might
take
a
while
or
they're
expensive
or
whatever,
but
at
least
when,
when
you're
ready
to
go
into
production,
you
know,
did
all
those
things
actually
happen
where
they,
orchestrated
by
something
that
we
trust,
did
they
did
the
workloads
actually
happen
in
the
way
that
we
trust
or
do?
We
also
know
that
you
know
a
a
did.
E
A
administrator
of
any
of
these
things
right,
like
the
stuff
that
that
parth
had
shown
off
a
little
bit
with
the
the
spiffy
Spire
stuff
is
like
that
would
detect
if
a
you
know,
administrator
with
authorization
messed
with
a
build
right,
which
is,
is
one
of
the
the
key
things
and
one
of
the
things
that
folks
have
brought
up
a
few
times
with
the
supply
chain
attacks?
Is
that
a
lot
of
times?
E
It's
either,
you
know
an
internal
actor
who
makes
a
mistake
and
leaves
something
open
or
they
they
actually
are
a
bad
actor.
They
you
know
they
go,
they
become
malicious
and
they
do
something
nefarious
and
that
becomes
very,
very
hard
to
detect
because
hey
this
is
a
person
who
has
admin
access
or
privileged
access
to
a
system.
E
The
Spire
stuff
can
detect
that,
and
then
also
you
know
with
the
stuff
that
parth
was
mentioning
about.
Eventually,
the
workload
the
runtime
attestations
is.
Some
of
that
stuff
is
also
like.
If
somebody
has
access
to
the
internals
of
the
build
or
has
access
at
the
host
level
at
some
level,
they've
compromised
the
host.
E
D
That
covers
it
for
for
Fresca
again,
if
you
want
to
follow
up
the
we
can
link
the
repo
or
for
feel
free
to
Ping
us
on
slack
or
happy
to
chat
about
this.
Whenever
anybody
is
curious,.
B
D
A
Perfect,
well
thanks,
so
much
for
for
taking
the
time
to
chat
with
us
today.
Thank
you,
yeah.
In
two
weeks
from
now
on,
the
20th
we're
gonna
be
hearing
from
Cuba
Bella,
which
is
a
cncf
project
around
making
hybrid
multi-cloud
environments
deploying
there
much
easier
and
nice
which,
as
someone
who
lives
on-prem.
B
That
is
I'm
excited.
A
Yeah
and
I
don't
think
we
have
any
outstanding
accidents
that
I'm,
aware
of
Melissa
and
so
I
think
it's
I
think
folks
get
a
15-minute
refund
on
the
rest
of
their
day
and
hope.
Everyone
has
a
as
a
good
remainder
of
of
your
date,
I
think
at
which
I'm
here.
B
Thank
you
thank
you
for
allowing
us
to
present
here
appreciate
it.
Thank
you
very
much.
We'll
get
this
posted
up
on
the
YouTube
channel
as
well,
so
you'll
be
able
to
reference
it.
If
anyone
else
is
interested
and
I,
don't
know
we'll
do
some
tweeting
about
it
too.
I
find
this
really
intriguing
and
very
important
work
being
done,
especially
with
supply
chain
issues
and
on
the
developer
side
of
things.
I
totally
understand
the
overwhelming
amount
of
information
you
need
to
know
to
protect
everything
all
the
way
through.
So
this
is
awesome.