►
From YouTube: SIG Interoperability Meeting - Nov 18, 2021
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
A
C
Yeah,
no
he's
he's
very
well
connected.
I
think
he
knows
everybody
yeah.
A
A
B
B
Things
have
changed
since,
but
yeah
happy
to
be
here.
I
hope
some
of
it
it's
going
to
feel
a
little
repetitive
if
you
watch
that
talk,
but
I
wanted
to
cover
the
essentially
the.
B
Yeah
all
the
background
around
each
other
and
then
then
elaborate
a
little
bit
on
what
I
think
is
relevant
for
the
signature
verbally
group.
A
A
So
we
made
noise
about
this
presentation
and
like,
and
we
normally
have
like-
maybe
up
to
10
people
regulars.
Maybe
they
may
join
slowly.
So
let
me
try
sharing
my
screen
and
we
start
with
the
earlier
agenda
topics
and
when
we
reached
your
presentation,
san
diego
others
will
also
have
joined
us.
A
So
today's
agenda-
it
was
kept
short
to
give
more
time
to
in
total
presentation
from
santiago,
and
then
we
can
have
an
open
conversation
in
total
and
how
we
can
collaborate
from
cicd
perspective.
A
Then
we,
as
I'm
reminded
again,
we
changed
the
meeting
time
recently,
and
this
is
the
new
time
or
the
first
meeting
for
new
time
after
this
summertime,
like
thingy
happened
and
then,
as
you
know,
we
started
updating
our
sig
into
the
road
map
because
things
have
happened
since
we
released
the
first
version
and.
B
A
B
A
And
then
I
have
an
additional
topic
or
question
about
cisq.
I'm
sure
you
all
are
aware
of
the
formation
of
open
ssh
for
launch
of
open
ssf.
Maybe
you
can
share
your
opinion
about
open,
ssf,
the
cisq
and
the
broader
collaboration
in
software
supply
chain,
where
we
should
be
looking
because
things
are
a
bit
confusing.
A
C
B
So
the
cisq's
autopilot
materials
project
this
actually
started
with
with
k
king,
I
always
confused
kk
k
williams
from
nick
yeah,
so
she-
and
this
is
almost
a
precursor
of
scam,
which
is,
I
think
now
the
like.
Microsoft
endorsed
approach
to
supply
chain
security.
B
Essentially,
it
started
as
a
project
on
trying
to
identify
tool-to-tools
sort
of
build
materials
exchanges
so
how
to
have
a
say,
a
ci
cd
pipeline
share
software
builder
materials
that
can
be
passed
forward
to
say
a
packaging
infrastructure
or
a
repository.
That's
going
to
be
delivered
software
now.
My
understanding
is
that
this
was
an
effort
that
started
probably
around
2019
or
so
and
since
it
has
been
essentially
split
and
merged
into
other
efforts.
B
So
essentially
how?
How
do
we
identify?
What
are
we
going
to
be
sharing
and
passing
forward
assessment
information,
then?
Well
that
essentially
meant
they
merged
the
community
with
stdx
and
then
how
to
write
tooling,
that
can
understand
the
small
semantics
and
and
like
the
tool
to
tool.
Part
of
the
csq
was
essentially
moved
over
to
what
now
is
scam.
It
went
a
couple
of
hops
between
communities,
but
now
it's
a
it's
scam.
It's
that's
a
supply
chain,
integrity
model.
I
think
that's
what
it
stands
for.
B
I
think
it's
on
the
github
repo
of
the
github
organization
for
microsoft.
That's
the
one.
B
So
that's
that's,
essentially
the
philosophical
successor
of
what
the
siskiyou.
B
B
I
don't
know
the
correct
term
is
certification,
but
it's
now
encoded
as
an
iso
standard
right,
so
everybody
can
look
at
it
and
and
have
some
confidence
that
people
will
know
what
you're
talking
about
now
part
of
what
a
part
of
the
question
around
supply
chain,
integrity
in
general
becomes
well.
How
can
you
actually
interpret
this?
How
do
you?
How
can
you
write
policy?
B
How
do
you
know
that
you're
getting
the
right
as
well
from
the
right
party?
That's
that's
something
that
I'll
dive
a
little
bit
on
the
on
my
talk,
but
that's
that's
essentially
what
happened
to
it?
I
wouldn't
suggest
looking
too
much
there
anymore.
If
you
look
actually
look
at
the
at
the
list
of
people
that
you
had
there
just
a
second
ago,
for
example,
k
williams,
microsoft,
bob
martin
are
now
like
on
skin.
B
My
understanding
is
that
bill.
Curtis
is
also
around
all
of
this
efforts.
If
you
look
at
the
rest
of
the
people,
most
of
them
will
be
related
to
like
ancillary
projects
that
now
essentially
relate
to
either
spdx
or
skin
or
somewhere
around
there.
B
B
But
yeah
it
is.
It
is
a
an
interesting
space
to
be
in
because
there's
a
lot
of
movement,
mostly
because
there's
so
much
well,
there's
so
much
need
for
it.
But
at
the
same
time,
that
makes
it
have
a
lot
of
energy.
So
two
years-
and
I
think,
there's
been
five
six
different
names
and
definitions
to
like
the
project.
But
it's
a
lot
of
the
same
people
just
identifying
how
to
better
leverage
and
grow
a
community.
A
A
Okay,
so
moving
on
so
matthew
to
richard
kate,
stewart
and
matthew
is
not
with
us
today,
so
we
keep
it
open.
The
next
action
item
was
on
me
and
I
considered
this
as
done,
but
to
speak
with
santiago,
so
that
is
kind
of
a
good
thing
to
close
action
items
yeah
the
road
map.
So
we
started
updating
that
and
sent
a
notification
to
mail
list
and
unfortunately,
we
haven't
got
too
much
input
from
commit,
but
we
will
continue
pushing
that.
A
D
Yes
and
we're
more
than
welcome
to
do
so,
the
the
last
end
user
council
of
the
year
is:
is
you
fatty
presenting
so.
B
A
A
Okay,
but
I
keep
this
open,
so
we
don't
forget
about
this
afternoon
here,
because
now
we
are
coming
to
christmas.
You
know
period
and
whatever
so
it's
yeah.
I
keep
that
open
cool,
so
we
have
two
action
items
closed,
which
is
good
and
then
we
can
move
to
the
next
topic,
which
is
the
reminder
on
the
new
meeting
time
again
like
I
don't
know
if
one
of
the
reasons
why
we
have
so
few
in
this
meeting.
A
So
if
you
could
look
at
my
proposal
about
what
to
do
with
events,
because
events
was
one
of
the
items
under
our
roadmap
and
now
we
have
the
sig
events
in
place
and
see
the
events
creation
in
the
pipeline.
A
Maybe,
as
I
recommended
here,
we
drop
that
item
from
our
roadmap
as
the
thing
we
have
done,
and
then
we
kind
of
refer
to
it
as
an
item.
We
should
keep
close
collaboration
with
sig
events,
so
we
don't
completely,
you
know,
drop
it
from
our
roadmap,
but
turn
it
to
something
that
is
driven
by
cig
events
and
cb
ones,
and
we
need
to
keep
that
in
mind
when
we
work
with
these
internal
topics.
A
Yes,
so
yeah,
and
obviously,
since
you
are
here
that
is
not
limited
to
like
like
please
look
at
whatever
commands,
there
are,
and
some
updates
and
you
know
add
other
items
that
comes
to
your
mind,
for
example,
this
supply
chain.
We
have
it
there
and
then
I
mean
wrote
a
policy
driven
cd
as
well
as
a
candidate
top
item.
So
if
you
have
other
things
in
your
mind,
that
would
be
good
to
include
in
the
world
my
four
discussion
as
well.
A
Any,
I
think,
that's
maybe
santiago,
since
you
are
kind
of
looking
at
things
from
a
with
our
site
like
when
you
think
about
this
cicd
tools
like
orchestration
tools
or
the
pipelines
themselves,
and
interactions
between
the
different
phases
within
the
pipe
lines
or
the
tools
that
are
not
traditionally
seen
as
pipeline
technologies
like
what
is
your
thinking,
because
you
mentioned
few
things
when
you
are
talking
about
cis
ci
sq,
like
total
two
exchange
of
s
bombs
among
pipelines,
build
twos
and
so
on.
B
Catches
me
a
little
bit
of
card.
I
wasn't
trying
to
think
for
that.
I
actually
well
from
the
document
that
I
saw
something
that
I
would
like
to
to
to
hear
about,
or
maybe
see
it
describe,
is
an
apologies.
B
I
take
security,
like
that's
the
zero
thing
to
think
about
the
there
was
a
mention
of
policy
driven,
and
then
there
was
a
mention
of
the
security
aspects
of
policy
trading
and
part
of
a
and
I'll
talk
a
little
bit
about
it
on
the
total
talk
but
part
of
what
it
in
total
or
generally,
a
lot
of
the
security
tools
are
trying
to
do
is
turning
things
of
questions
of
security
into
questions
of
compliance.
B
So
I
am
interested
in
hearing
a
little
bit
about
what
policy
driven,
ci
or
cde
really
would
mean
for
like
the
compliance
angle
and
like
the
security
aspect
or
or
whether
they
all
start
this
exact
same
thing.
It's
just
a
matter
of
like
you
have
a
security
policy
that
goes
beyond
certain
aspects
of
security.
A
Yeah,
I
think
that
yeah,
because,
like
okay,
I
think
this
is
a
topic.
We
start
talking
about
around
end
of
2020
or
something,
and
since
we
look
at
things
from
cicd,
pipeline,
orchestrators
or
tooling,
perspective
are
how
to
say,
maybe
I
shouldn't
say
are,
but
my
focus
or
interest
was
more
in
how
the
interactions
between
different
policy
frameworks
and
orchestration
tools
could
be
achieved
like
open
policy
agent
or
something
else
coming
from
rancher
or
open
rancher.
I
think
there
are
different
police
frameworks.
A
B
A
A
Let's
assume
you
have
a
feature
in
your
product
and
that
feature
requires
access
to
some
user
data,
and
that
is
actually
not
a
lot
to
be
done
in
eu,
for
example,
because
gdpr,
but
developers
may
not
be
aware
of
this,
and
then
police
framework
should
enable
organization
for
such
policies
to
be
enforced
depending
on
what
region
that
product
is
rolled
out
and
those
policies
could
and
should
perhaps
be
entered
by
the
people.
Who
knows
these
things,
not
developers
per
se,
but
the
people
who
actually
know
legal
aspects.
A
So
that
is
another
aspect
we
looked
and
the
other
aspect
could
perhaps
be
sales
aspects
like
as
a
developer.
I
want
my
stuff
to
be
in
the
production
as
fast
as
possible,
but
tomorrow
is
back
black
friday,
which
is
fine
for
me,
because
I
trust
my
thing
works,
but
the
sales
organization
may
say
we
trust
you,
but
don't
break
our
stuff
just
before
black
friday,
so
we
block
any
deployments
to
production
and
that
could
be
enforced
by
you
know,
police
frameworks
and
how
those
interactions
would
happen
between
the
orchestration
tools
and
the
post
framework.
A
I
see,
but
yeah
security
is
like
one
of
the
obvious
and
critical
aspects
on
policy
enforcement
because
we
all
come
from
like
cdf
has
members
from
fintech
or
web
scale
and
they
have
different.
You
know
things
they
consider
as
important
like.
If
you
look
at
calco,
we
have
like
yeah,
we
have
overlapping
concerns,
but
there
are
other
concerns
like
type
of
industry
might
care,
and
we
try
to
you
know,
collect
these
things
together
and
see:
okay,
how
this
can
be
achieved.
A
But
yeah,
then
you
showing
interest
to
policy
driven
city
means
like
we
have
some
meaningful
things
in
our
roadmap,
not
focused
on
security
itself,
but
actually
enabling
people
to
enforce
security
policies
in
a
more
simpler
way.
Perhaps.
B
B
Yeah
is
this
document
something
I
could
like
comment
on?
Yes,.
A
Definitely
let
me
put
the
link
to
chat
and
I
think
yeah
yeah.
A
Yeah,
that
would
be
great
like
something
yeah
commentary.
This,
like
the
document
is
like
we
haven't
updated
it
really.
We
just
we're
looking
what
we
should
be
updating,
so
this
is
pretty
like
almost
same
version
as
our
current
roadmap,
and
we
are
talking
about
what
we
should
drop,
what
we
should
consider
has
done
and
what
we
should
be
focusing
in
next
year
and
in
future,
so
anything
you
can
put
what
we
value.
A
B
Okay,
so
do
you
see
your
document?
Yes,
do
you
see
my
slides?
Yes,
okay!
So
now
I
know
here.
Do
you
see
my
flash
take
two?
Yes
great,
fantastic,
okay,
so
hello,
I
am
going
to
be
talking
about
in
total.
I
hope
I'm
in
the
right
room.
This
is
the
cdfc
interpretability
call
I'll
be
talking
a
little
bit
of
background
first
I'll,
be
sharing
essentially
how
the
problem
came
out
to
be
maybe
for
us
on
the
post,
solarwinds
era.
B
This
is
a
little
clearer,
but
I'll
just
try
to
build
up
into
what
essentially
made
in
total
exists,
and
then
I
wanted
to
talk
a
little
bit
about
what
I
think
it
may
be.
The
interesting
bits
of
the
whole
total
community
for,
like
this
interpreter
really
saying
inside
of
the
cdf,
so.
B
So,
let's
just
get
started
the
way
that
I
usually
talk
about
software
supply
chains
and
then
is
first
by
starting
with
an
actual
supply
chain
and
their
compromises.
How
do
they
actually
get
packed?
Now?
A
concept?
That's
very
central-
and
this
is
probably
familiar
to
you,
because
you're
working
the
cdf,
you
understand
that
eventually
leading
up
to
a
delivery
is
important.
B
Supply
chains
are
characterized
by
their
end
product.
This
is
what
they're
meant
to
be,
for
they
are
delivering
a
good
or
something
to
somebody
now
to
just
make
it
an
easy.
A
quick
metaphor:
a
product
could
be
a
tiny
little
bottle.
It
could
be
something
that
you're
taking
for
a
headache
now
to
get
this
10-0
bottle
all
the
way
to
the
hands
of
you
or
to
a
pharmacy
or
counter.
B
It
actually
went
through
a
series
of
processing
steps
in
which
they
acquired
source
materials,
raw
materials
like
a
carcinoma
or
whatever,
and
then
they
started
packing
it
and
transforming
it
and
eventually
putting
it
into
a
bottle
and
then
sealing
that
bottle
and
then
shipping
it
over
to
god
knows
where.
So
you
can
actually
go
to
your
local
pharmacy
and
consume
your
tylenol
whenever
you
have
a
headache
now
supply
chain.
Compromises
are
something
that
we
are
very
very
naturally
left
to
understand.
Somebody
can
break
into
the
physical
supply
chain
and
cause
damage.
B
I
actually
picked
a
model
of
tylenol
because
there's
a
very,
very
gruesome,
historical
event
that
happened
in
1980s,
where
somebody
walked
into
a
pharmacy
opened
a
bunch
of
terminal
bottles
and
then
sneaked
cyanide
on
them,
then
put
them
back
into
the
counter,
and
I
think
more
than
a
couple
thousand
people
died,
which
is
incredibly
sad,
but
this
is
the
precedent
that
we
have
to
actually
many
of
the
security
properties
we
see
in
a
timeline
model.
We,
for
example,
have
lot
numbers
that
can
help
us
recall.
B
Whenever
we
see
a
quality
product
being
shipped
to
users.
We
have
an
expiration
date,
so
we
know
that
we're
getting.
We
are
getting
something
fresh,
so
it's
not
stale
and
it
still
works.
We
also
have
a
temper
proof
seal.
This
is
an
actual
direct
consequence
of
the
titanal
murderers
that
now
we
have
a
way
of
knowing
that
the
delivery
pipeline
from
the
pharmacy
all
the
way
back
into
the
manufacturing
facility
that
made
the
titan
all
didn't,
have
any
sort
of
tampering
with
the
product
we're
about
to
consume.
B
Now,
I'm
going
to
step
back
and,
let's
think
about
what
can
happen
in
the
very
very
similar
way,
with
a
with
the
chicago
title
of
murders
in
the
software
and
the
software
that
we
make
every
day.
So
this
is
a
very
cartoonish
supply
chain.
Let's
forget
about
the
title:
let's
forget
about
all
that
this
is
essentially
what
we
may
be
doing
on
a
side
project
or
even
on
a
more
mature
pipeline
in
which
we
take
some
source
code.
We
may
be
putting
it
on
github
or
private
source
code
hosting.
B
We
may
have
a
testing
pipeline.
That's
branching
out
that
essentially
tells
us
whether
they
trust
something.
We
may
even
include
that
into
a
build
system
or
a
more
mature
like
a
pipeline
manager
like
techcom,
so
it's
all
abstracted
out
as
a
single
step.
It
eventually
may
make
it
into
a
package
repository.
So
that
users
can
go
and
same
way
that
they
go
to
a
pharmacy
and
they
can
consume,
or
can
this
case
a
dating
package,
so
github
techton
debian
package.
B
Now
I
want
to
be
here
telling
you
that
all
of
this
works
very
well
and
nothing
bad
happens.
Actually,
attackers
can
break
into
the
software
supply
chains
in
many
many
various
ways.
This
is
an
example
that
I
really
like
bringing
up.
There
was
a
hacker
that
broke
into
the
version
control
system
of
the
juniper
firewalls
and
changed
the
random
number
generation
routine
in
such
a
way
that
they
could
decrypt
every
single
vpn
traffic
of
this
particular
version
of
the
juniper
firewalls.
This
was.
D
B
In
2015.
people
even
thought
it
was
the
nsa.
It
was
that
devastating
that
we
were
thinking
about
state
agents
causing
this
sort
of
damage,
and,
of
course,
this
is
not
trying
to
say
that
only
juniper
gets
hacked
in
the
source
code.
There's
been
instances
that
date
back
all
the
way
to
20
years
back,
causing
a
lot
of
different
degrees
of
impact
to
everyday
users.
B
Of
course,
this
is
not
isolated.
Source
code.
Build
systems
have
been
hacked
an
example
that
I
like
a
lot
is
somebody
made
a
malicious
version
of
xcode
that
eventually
infected
angry
birds
and
then
angry
birds
was
trying
to
steal
people's
credit
cards
all
throughout
the
world.
We
didn't
hear
a
lot
about
this
because
it
was
stealing
chinese
credit
cards,
so
it
was
a
bigger
boss
over
there,
but
this
is
the
impact
right.
Suddenly,
a
single
build
of
angry
birds
makes
it
into
every
single
user
of
embers.
B
Of
course
again,
this
is
not
trying
to
say
anything
about
apple
or
anything
about
angry
birds.
It's
just
it
happens
over
and
over
and
over
and
well
more
programmers
were
good
at
interpolating.
You
wouldn't
be
surprised
if
I
told
you
that
that
hackers
also
break
into
the
packaging
infrastructure.
We
just
had
this
recent
discovery
of
a
npm
flaw
that
allowed
people
to
write
packages
into
different
registers.
B
The
one
that
I
like
to
bring
up
is
the
phpmyadmin
package
that
was
corrupted
in
only
a
mirror
in
the
south
korean
era.
The
consequence
of
this
is
that
the
hackers
were
able
to
hack
a
particular
population,
in
this
case
south
korea.
It
doesn't
take
a
lot
of
imagination
to
to
think
that
this
is
probably
the
north
korean
government
or
any
any
of
the
like
political
enemies
of
south
korea
trying
to
hack
into
the
machines
of
the
south
korean
government.
B
This,
for
example,
happened
with
operation
aurora,
where
people
were
targeting
high
profile
high
profile
companies
by
targeting
other
high
profile
companies,
and,
of
course
again,
this
is
not
trying
to
say
this
is
exclusive
to
the
south
korean
example.
Rather,
it
just
happens
over
and
over
again
and
part
of
the
reason
why
I
was
asking
about
compliance
and
security
is
because
sometimes
these
things
are
very
very
intertwined.
B
You
may
have
things
that
are
not
on
the
modification
pipeline
say.
In
this
case
I
drew
the
testing
and
essentially
a
compliance
step
as
a
fan
out
something
that
doesn't
eventually
make
it
into
the
product
itself.
But
we
start
we,
we
introduce
questions
about
compliance,
an
example
that
I
like
to
bring
up,
and
I
don't
know
what
my
screen
is
doing,
putting
it
all
the
way
there,
but
back
then,
and
when
windows
7
was
still
a
thing
and
the
windows
did
any
tpms.
B
It
so
happened
that
windows
7
pushed
out
an
update
that
breaked
everybody's
computers,
everybody
that
installed
that
update
their
computer
was
fully
bricked.
People
thought
that
it
was
actually
an
attack,
the
consequence
of
malware.
Then
microsoft
did
a
very
thorough
investigation
internally
trying
to
identify
what
exactly
will
happen,
and
it
just
happened
that
whoever
was
supposed
to
be
testing
the
patch
for
windows.
B
7
did
not
test
the
patch
for
windows,
7.,
something
about
compliance,
becomes
a
highly
highly
impactful,
essentially,
software
supply
chain
effect,
and
again
this
is
not
to
say
that
this
only
happens
to
windows.
This
has
happened
to
and
it
happens
widely
in
the
open
source
world.
I
won't
be
surprised
if
it's
happening
to
anybody
out
there
in
the
industry.
This
is
partly
why
we're
trying
to
answer
these
questions
now,
so
stopping
for
a
bit
something
that
seemed
a
little
bit
too
simplistic.
B
I
already
showed
you
more
than
30
different
types
of
compromises
on
source
code,
build
pipelines,
packaging
testing.
I
took
delivery
of
drawing
what
is
eight
different
devils
in
which
essentially
things
can
go
wrong,
and
I
would
wager
that
in
six
out
of
those
eight,
the
system
becomes
fully
compromised.
If
anybody
breaks
into
this
so
well,
how
do
we
fix
this?
Actually,
let's
yeah,
I
I
jumped
a
little
bit.
This
is,
of
course
the
stakes
are
high.
B
We
have
now
now
it's
two
years
old,
but
back
then
they're
on,
like
early
2020
before
the
election,
people
were
starting
to
ask
themselves
what
are
the
consequences
of
the
software
supply
chain
in
the
upcoming
presidential
election,
and
this
is
not
something
about
where
you
get
the
capacitors
from
this
is
something
about.
Where
do
you
get
the
software
in
where
well,
democracy
is
starting
to
be
at
stake
and,
of
course,
well
not
to
say
solarwinds,
the
largest
and
most
sophisticated
cyber
attacking
ever
according
to
bradsmith.
B
And
well,
it's
making
a
nature
states
in
like
essentially
highly
highly
sensitive
situations
to
reconsider
the
cyber
security.
That's
the
stakes
of
software
supply
chains.
It's
even
got
to
the
point
that
people
are
starting
to
think.
Maybe
we
cannot
build
systems
to
solve
the
problem,
but
rather
just
turning
to
into
the
insurers
to
assume
the
damage
and
try
to
recover
from
a
loss.
B
Now,
let's,
let's
think
as
technologies,
and
let's
try
to
fix
this.
Essentially
what
we
need
to
protect
any
chain
is
to
first
make
strong
links
and
then
link
them
together.
It
is
really
not
much
more
complicated
than
that,
so
we
know
that
there's
ways
to
build
strong
links.
This
is
probably
something
that
you're
familiar
with.
You
can
use
many
cryptographic
techniques
to
protect
the
version
control
system.
This
is
actual
work
that
I
did
15
to
protect
version
control
systems
you
can
sign
commits
you
can
sign
push
certificates.
B
You
know
that
you
can
use
different
mechanisms,
say
a
techno
pipeline
manager
to
authenticate
the
workers
to
do
to
make
sure
that
everything
is
done
correctly
and
that
no
hackers
brought
into
the
version
into
the
build
system
and
well,
you
can
do
the
same
in
the
packaging.
You
can
do
the
same
in
the
ci.
B
So
looking
back
and
the
image
with
eight
little
devils,
we,
we
can't
remove
the
devils
that
are
standing
on
the
on
the
step
itself
in
the
in.
B
Themselves,
but
we
still
have
a
question
about
well:
how
do
we
know
that
things
are
passed
to
each
other
properly
and
that
there's
compliance
so
that
there's
a
reasonable
exchange
of
information
between
each
other
so
that
we
know
that
things
were
followed
through
the
letter
and
that
everybody
is
behaving
properly
within
the
supply
chain?
B
This
again,
it's
nothing
new!
It's
a
it's
a
it's
something!
That's
very
evocative,
but
that's
why
we
hear
builds
on
materials
right
when
you
get
pieces
from,
I
don't
know
from
a
vendor
to
build
a
car,
then
you
make
sure
that
they
give
you
the
right
pieces
and
that
the
vendor
didn't
do
anything
wrong,
and
this
is
exactly
what
this
is
all
about.
B
So,
to
do
that,
we
are
going
to
sorry
for
the
academic
diversion
we're
going
to
build
a
system
that
allows
us
to
have
compromised
resilience,
essentially
assume
that
some
steps
will
be
compromised
and
then
we're
going
to
build
a
way
to
connect
everything
together
by
creating
an
all-encompassing
system,
an
overlay
that
allows
us
to
describe
the
whole
supply
chain,
not
only
individual
steps
and
to
top
the
challenge
we
want
to
make
it
expressive
enough,
so
that
we
can
describe
every
single
supply
chain,
and
I
think
this
is
this-
is
going
to
be
interesting,
especially
for
sick
interoperability
in
which
well,
we
really
want
to
make
everything
collaborate
with
each
other
in
meaningful
ways.
B
B
B
So
that
say,
if
we
know
that
data
is
compromised,
we
have
assurance
that
well,
the
critical
path
doesn't
compromise
itself
and
that
we
can
still
trust
the
final
product.
We
can
also
recover
from
a
compromise.
By
doing
this
sort
of
role
separation,
we
can
say:
hey,
you
know
what
they
you're
not
doing
things
right:
let's,
let's
bring
ad
on
board,
let's
start
trusting
ada,
and
then
we
recover
from
a
partially
compromised
scenario
to
a
fully
trusted
supply
chain.
Again,
we
also
want
to
build
a
system.
That's
too
agnostic
and
again.
B
I
think
this
is
very
important
for
for
sig
interoperability,
because
we
know
that
while
a
lot
of
people
like
to
use
tekton,
there's
another
cdf
project,
that's
also
very
widely
popular,
that's
jenkins,
and
we
want
to
make
sure
that
we
can
still
describe
these
two
supply
chains
between
each
other
and
that
we
can
still
use
the
same
semantics
to
describe
the
operations
done
by
both
of
them,
so
that
the
if
we
were
able
to
ever
to
change
a
tool
or
just
describe
a
different
supply
chain,
we
can
use
the
same
code.
B
Build
package
semantics
or
anything
really
that
we
want
to
do.
This-
allows
us
to
build
an
all-encompassing
system
to,
and
I'm
going
to
use
a
very
silly
metaphor,
but
just
to
just
drag
the
point
home.
We
know
that
the
supply
chains
of
today
are
not
supply
chains
of
tomorrow.
They
may
have
different
steps.
Different
operations
done
into
that.
So
imagine
that
tomorrow
the
linux
foundation
came
up
with
a
new
soft
foundation.
B
B
We
want
to
be
able
to
make
sure
that
the
authenticated,
keystroke
foundation
can
communicate
information
to
the
source
code
and
eventually
communicate
information
to
a
build
system,
and
imagine
that
somebody
finds
a
way
to
essentially
run
over
the
whole
authenticated
keystroke
foundation
and
comes
up
with
a
hypno
attack
so
that
this
comes
out
in
a
new
vice
article
in
2022,
so
that
people
are
tricked
into
writing
malicious
malicious
code
and
that,
in
order
to
protect
that,
we
came
up
with
ways
to
measure
people's
awful
ways
and
make
sure
that
they're
not
hypnotized
in
the
right
code.
B
So
by
doing
this,
by
having
this
sort
of
expressive
dual
diagnostic
mechanism,
we
are
able
to
represent
all
of
the
supply
chains
that
that
are
out
there.
Not
only
the
ones
that
are
cloud
native,
not
only
the
ones
that
are
fully
open
source
projects.
But
rather
everything
out
there,
this
is
part
of
a
challenge
that
we
face.
That's
in
total
team
because
we
know
that
deviant
packaging
looks
very
different.
B
Little
bit
a
little
bit
in
a
little
bit
in
which
they're
using
hardware
tokens
to
authenticate
every
single
line
of
code
that
the
developers
on
the
new
york
times,
building
where
the
data
that
our
offices
are
and
eventually
make
it
to
to
say,
I
think
twitter
is
still
using
datadog
the
twitter
infrastructure.
B
So
you
know
that
there
is
a
tamper-proof
paper
trail
from
the
developers
all
the
way
to
the
infrastructure
of
all
of
these
very,
very
solid
for
projects.
B
So
I'm
going
to
explain
a
little
bit
of
the
architecture
of
how
can
we
achieve
this?
This
is
going
to
perhaps
not
be
very
surprising
to
everybody.
The
idea
is
very
simple.
The
what
we
want
to
do
is
to
verifiably
define
the
steps
on
software
supply
chain
say
this
is
what
we
expect
to
happen
earlier
in
the
in
the
meeting.
We
were
talking
about
gdpr.
Well,
if
somebody
needs
to
check
for
gdpr
compliance,
we
want
to
say
hey.
There
needs
to
be
a
step
on
the
supply
chain
for
gdpr
compliance
checks.
B
Then
we
want
to
verifiably
define
the
authorized
factors.
We
know
that
certain
actors
are
expected
to
perform
certain
operations
and
we
want
them
to
do
that
operation
and
nobody
else,
and
then
we
want
to
provide
a
tight
binding
of
the
artifacts
as
they
flow
through
the
chain.
This
is
the
built-in
chain,
part
of
the
software
supply
chain.
B
To
do
this,
we
first
created
a
type
of
policy,
and
this
this
can
actually
be
transpiled
throughout
the
project,
but
the
basic
idea
is
that
inside
of
this
policy,
you
say
exactly
those
things.
These
are
the
steps
that
need
to
happen.
These
are
the
people
that
need
to
carry
those
steps.
B
This
is
the
things
that
they're
consuming
and
producing,
and
this
is
how
it
all
connects
to
each
other.
With
this,
then,
you
can
start
providing
this
artifact
flow
integrity
property
that
that
is
what
we're
trying
to
achieve
on
the
software
supply
chain
security
world.
B
B
Now
this
policy
describes
what
needs
to
happen,
so
the
other
bit
that
we
need
to
use
is
a
a
way
to
track
what
happened
so
that
we
know
that
what
happened
is
what
needed
to
happen.
This
other
bit
is
done
with
a
type
of
metadata,
complete
link
aptly
named
for
the
supply
chain.
B
And
there's
many
tools,
but
perhaps
the
one
that's
the
most
agnostic
is
called
in
total
wrong,
you're,
essentially
running
total
and
tell
it
hey,
do
this
thing
and
just
make
sure
you
track
everything
that
happened
and
eventually
create
this
little?
I
don't
know
my
pointer
is
visible
with
this
little
attestation,
so
that
you
know
well.
Whoever
was
in
charge
of
developing
source
code
is
able
to
attest
in
a
in
total
link
to
what
they
did
now
at
the
end,
then
it
becomes
an
easy
question.
B
Do
I
have
do
I
have
the
final
product
say
my
bottle
of
time
law
or
my
italian
package?
Do
I
have
a
policy
that
tells
me
how
this
should
have
been
made.
Imagine
this
like
a
again
a
description
of
all
of
the
supply
chain
and
eventually
do
I
have
enough
evidence
to
to
be
sure
that
this
was
actually
done,
how
it
was
meant
to
be
done,
and
if
I
have
all
of
those
things,
then
I
can
actually
trust
the
product.
B
If
you
are
like
into
the
academic
bits
of
this,
this
becomes
a
question
of
graphics
or
morphism.
Essentially,
essentially,
you
treat
the
graph
out
of
your
policy
and
then
you
try
to
match
that
graph
with
with
the
graph
that
comes
from
from
the
app
stations.
B
Now
I'm
going
to
just
quickly
close
over
the
security
analysis,
the
basic
idea
is
well,
you
are
able
to
say,
I
trust,
whoever
told
me
this
policy
was
performed
and
then
there's
nothing.
That's
either
knocked
on
or
don't
that
shouldn't
have
been
done.
Then
I
know
that
the
individuals
that
carry
out
their
operations
should
be
trusted
or
should
be,
should
be
the
ones
that
should
be
carrying
out
these
operations,
and
then
I
know
that
nothing
has
been
tampered
in
the
way.
B
D
B
We
see
a
lot
is
that
we
are
actually
very,
very
well
adopted,
widespread
in
different
places.
Most
of
it
is
through
datadog
datadoctor
integration
in
which,
essentially,
they
authenticate
every
single
change
or
every
single
plugin
that
they
include
into
their
agent
by
using
intel.
This
is
what
I
was
describing
just
a
second
ago.
They
have
a
very,
very
cool
blog
post
about
it,
but
essentially
their
ci
cd
system
plus
their
developers.
B
They
all
create
that
stations
of
what
they're
doing
and
then
the
agent
before
installing
any
any
integration,
any
plug-in
they
go
back
and
actually
walk
back
the
deeper
trail,
all
the
way
to
the
developers
that
wrote
the
code.
So
they
know
that
every
single
thing
that
they
got
comes
from
the
right
source
code
was
written
by
developers
in
the
datadog
office,
building
using
hardware
tokens
to
authenticate
the
reaction.
B
Now.
This
is
all
the
background
about
zentoto
essentially-
and
I
wanted
to
contextualize
this,
because
we
want
to
also
be
able
to
provide
this
information
in
a
way
that's
easier
to
write
policy
around.
B
So
what
we're
trying
to
get
at
to
in
the
in
total
community
right
now
is
to
define
what
we
call
the
lingua
franca
of
in
total
operations.
Essentially
what
you,
what
is
done
in
the
supply
chain,
and
how
is
it
usually
done-
and
this
is
something
we're
trying
to
gather
input
from
different
communities-
say
like
the
computer,
integration,
community
or
the
source
code
or
like
or
say
the
like,
the
service
mesh
community
right.
The
way
that
it
used
to
be
is
that
in
total
links
were
essentially
for
main
fields.
B
They
were
materials,
things
that
were
used
products,
things
that
were
produced
environment
where
the
thing
was
made
and
by
products
things
that
you
don't
want
people
to
use
right
things
that
you
did
that
created,
but
you
don't
want
them
to
be
used
or
passed
forward
now.
This
is
this
is
a
little
problematic.
We
found
out
after
after
a
little
bit
of
time,
because
sometimes
there's
a
little
bit
of
overlap
between
these
things
and
also
because
it
is
not
entirely
clear
to
people
what
is
a
material
sometimes
and
what
is
an
environment,
for
example.
B
B
So
even
though
this
allowed
us
a
very
like
agnostic,
very
opaque
way
of
describing
your
operations
and
writing
policy
around
it,
the
honors
fell
on
the
people
that
were
verifying
and
driving
agreement
between
the
ones
that
were
creating
the
stations.
The
internal
links
and
the
ones
that
were
verifying
them
became
became
harder
to
do
so.
What
we're
trying
to
or
what
we're
trying
to
do
now
is
to
provide
a
more
like
expressive
granularity.
I
called
it
so.
Suppliers,
people
that
generate
evidence
can
allow
verifiers
to
know
how
to
verify
the
evidence
better.
B
So
suppliers
can
know
how
to
properly
fill
all
fields.
They
know
what
a
material
actually
is
and
verifiers
can
know
what
to
expect
in
the
materials
field,
and
then
suppliers
can
also
extend
say,
say:
they're
using
tecton
and
tecton
has
its
own.
Like
specific
semantics
that
are
extending
the
the
regular
ci
operations,
then
you
may
want
to
append
that
to
the
existing
in
total
links,
rather
than
just
letting
people
figure
it
out.
B
This
also
allows
verifiers
to
say,
write
common
policies,
for
example
we're
talking
about
ddpr,
then
you
could
say:
hey,
I'm
expecting
a
a
link
that
represents
a
gdpr
check
over
my
infrastructure
or
verifiers
can
also
know
hey.
This
is
a
like
a
ci
type.
I
maybe
don't.
I
may
not
know
all
of
techno
specifics,
but
I
can
verify
it
as
a
ci
as
a
like
arc
archetype
to
do
this.
This
is
something
that
actually
was
very
inspired
by
jeff's
taps
and
pets,
and
so
on.
B
We
defined
this
in
total
enhancements
ips
in
particular
the
one
that
I
think
is
of
interest
for
sigma
interval.
Reality
is
the
i6
which
is
essentially
describing
this
way
of
creating
generalized
link
formats
right
now.
What
we
have
is
the
ci
providence,
slash,
salsa,
providence
type.
This
is
actually
something
that
can
be
used
today
with
tech
time
chains.
This
is
something
you
can
enable
in
tech
on
it
starts
creating
a
ci
prominence
type.
B
You
can
also
you
can
also
create
internal
app
stations
for
speedpack
documents
to
essentially
sign
them,
or
you
can
fall
back
into
the
classic
intelli
link.
B
D
B
B
Does
it
follow
into
any
of
the
buckets
that
exist,
or
can
I
create
my
own
bucket
for
them
and
ideally,
we'll
then
create
these
common
archetypes
for
different
types
of
things
that
you
can
do
in
the
in
the
supply
chain,
but
you
can
also
transfer
this
information
back
into
your
community,
so
this
is
exactly
what
I
think
happened
with
a
change
proponents
type
in
which
they
said
hey.
This
is
what
change
does
that
would
discuss
things
around
and
they
were
like
hey.
This
looks
like
what
we
want
to
do
now.
B
A
Oh,
I
have
few
questions
I
actually.
I
think
I
followed
examples
in
your
repo.
I
think
this
ali
spoke.
If
I
remember
correctly,
you
had
some
example
code
and
some
I
don't
exactly
remember
how
was
it,
but
I
followed
this,
which
is
great,
but
then
I
started
googling.
How
can
I
you
know,
try
this
out
more
easily,
because
you
know
we
doing
things.
A
B
Little
bit
of
an
update,
I'll
say
that
yeah.
That
was
my
question
mike.
Yes,
that's
actually
something
that
we
are
looking
at
in
the
near
term.
Let
me
pull
up
on,
so
we
actually
rewrote
the
java
implementation
to
include
this.
The
same
as
a
technical
predicate.
This
was
merged
very
very
very
recently.
It
was
a
lot
of
work
by
this
engineer
at
google
yeah.
So
this
is.
B
This
is
the
one
so
now
this
this
is
on
the
java
library
and
the
jenkins
plugin
itself
is
an
integration
of
this
java
library.
It
essentially
wraps
it
around.
We
now
that
this
is
merged,
and
again
this
was
merged
like
yeah
15
days
ago.
We
want
to
start
updating
the
jenkins
plugin
to
allow
you
to
create
this
sort
of
provenance.
B
B
They
may
enrich
it
with
like
their
own
semantics,
but
the
overlay
should
be
as
common
as
possible
so
that
you
can
write
policy
around
it
in
an
agnostic
way.
A
Yeah,
because
exactly
the
keyword
like,
I
think
you
mentioned
this
agnostic
way
in
during
your
presentation,
is
that
because,
like
I
want
to,
you
know,
give
it
a
try
and
compare
how
this
intertw
behaves
or
what
you
get
when
you
run
something
on
tecton
and
when
you
run
something
on
jenkins
and
like
find
similarities,
because
like
in
that,
we
are
talking
about
like
how
the
you
know.
The
pipeline
technologies
we
use
could
interact
with
frameworks
like
in
total
and.
B
A
Could
be
you
know
how
to
say,
let's
say
you
want
to
change
your
orchestra
from
a
to
b
and
but
you
don't
want
to
lose
everything
you
have
done
with
your
right
tool
a
when
you
move
to
tool
b
so
as
little
disruptive
as
possible
because,
like
in
the
end,
you
are
orchestration
some
activities
and
what
orchestrates?
That
is.
Yes,
it
is
important,
but
what
is
important
is
the
activity
itself
like
running
in
total.
B
Right
yeah,
no,
I
I
that
is
my
goal.
I
I
will
say
it's
sometimes
a
little
hard
when
it
comes
to,
and
this
is
why
we
have
this
cape
hatch,
because
you
will
see
that
sometimes
tecton
has
its.
I
don't
know
its
own
semantic
right
like
we
have
this
thing
that
nobody
else
does.
B
This
is
like
our
differentiator
well
answer
everything
that,
like
that
all
tools
need
to
answer
and
then
add
your
own
like
special
special
stuff,
but
if,
if
it
is
common,
it's
almost
like
a
like
there's
a
super
class
for
all
of
them,
and
if
they
all
talk
that
language,
then
you
can.
B
You
should
be
not
too
troubled
to
change
between
them,
and
that
is
again
my
goal
and
that's
what
what
we're
trying
to
do
in
the
community
to
have
this
accession?
I
should
change
the
paint
once
there's
a
station,
a
repository
in
which
essentially,
people
can
define
different
types
of
statements
or
different
types.
For
again,
this
provenance
type
would
be
very
good
for
ci
cd
systems
and
all
of
them
could
could
produce
essentially
the
same
type.
B
That
is
what
I'm
trying
to
to
field
to
allow
different
projects
to
have
yeah.
Essentially
this
single
source
of
truth.
So
they
know
how
to
communicate
information
to
down
streams
about
what
they're
doing
another
project
that
you
may
be
interested
into.
Looking
at,
it's
builder
be
it's.
This
is
more
on
the
open
source
community.
But
if
you
go
to
say
this
is
rebuilder
d
rebuilding
all
of
the
oxygen
x
packages-
oh
wait!
This
is
not
updated.
This
is
another
instance
of
the
same.
B
You
can
actually
click
on
the
little
total
link
and
you
get
this
provenance
predicate
again.
This
is
important
because
then
you
may
want
to
have
agreement
not
only
with
this
ci
cd
pipeline
managers,
but
with
other
projects
that
are
like
more
on
the
open
source,
community,
linux,
distro,
world
style,
stuff
things,
and
this
becomes
particularly
important
when
you're
starting
to
see
that
say
these
things
are
built
and
then
stick
into
a
darker
container
that
then
used
by
a
tecton
chains.
B
Payload
right,
you
want
to
be
able
to
walk
all
the
way
down
and
say:
hey
are
all
of
these
dependencies
built
in
a
way
that
matches
my
policy.
B
I
don't
know
if
you
saw
that's
why
my
backup's
live
is
it's
insecure
troubles
all
the
way
down,
because
you
need
to
continue
going
down.
A
Okay,
so
my
question
is
about
something
we
discussed
when
you
were
talking
about
the
cisq
like
an
spdx,
you
know
spdx
becoming
an
iso
standard
in
september,
or
something
made
things
interesting,
and
some
communities
already
started,
adopting
spdx
to
generate
s-bombs
and
in
perfect
world
everybody
generates
spawns
as
part
of
their
release
process
and
they
dump
them
next
to
the
other
artifacts
they
are
producing
like
shazams
or
actual
tables
or
whatever,
and
that's
I
think
that
will
like
more
common.
This
will
hopefully
adopt
that
making
life
of
all
of
us
better.
A
So
what
is
your
opinion
about
something
like
in
total
attestation
like
how
you
do
this
on
arch
by
the
way?
Thanks
for
ash,
I
am
like
I'm
fan
of
arch
linux,
but
what
is
your
thoughts
on
like
something
like
this
becoming
mainstream
and
all
the
communities
doing
this
like
built
into
their
way
of
working
like
it's
not
like,
adding
it
after
the
fact,
but
building
that
right
from
the
very
beginning.
B
B
So
it's
almost
like
a
disaggregated
s-bond
now
in
an
ideal
world,
I
think
that
the
total
information
would
be
useful
for
producing
an
s-bomb
at
the
point
of
release.
You
could
say:
hey.
I
have
all
of
this
evidence,
I'm
going
to
like
start
digging
about
it
and
eventually
producing
this
one
that
somebody
can
easily
determine
things
about.
B
My
vision
is
that
you
will
see
a
mix
and
match
of
both
cases
depending
on
your
use,
and
my
hope
is
that
you
will
actually
be
able
to
also
secure
spdx
documents
within
total
as
well,
so
that
you
can
aggregate
those
pdx
documents
in
the
same
way
that
you
aggregate
different
pieces
of
evidence,
because
in
reality-
and
I
mean
this
happens
in
arts
right-
not
everybody
does
everything
and
there
is
different,
different
sorts
of
sources
of
truth,
but
I,
for
example,
maintain
the
docker
image
and
the
people
that
maintain
the
docker
image.
B
This
is
also
why
I
want
to
to
allow
for
people
to
represent
different
operations
within
a
chain
rather
than
having
this
sort
of
big
stamp
process,
which
you
finally
roll
out
in
s
bomb
again.
I
think
both
of
them
have
their
value
and
I
think
they
can
help
each
other
very
well.
I
don't
know
if
I
went
on
a
tangent.
A
I
have
lots
of
questions
and
I
will
probably
have
even
more,
but
I
don't
want
to
take
you
more
of
your
time,
so
would
that
be
okay?
We
like
reach
out
to
you
on
slack
or
something
like
when
we,
you
know
continue
our
discussions
with
the
music
or
we
do
our
own.
You
know
continue
trying
in
total
and
see
how
this
fits
into
our
workflows.
So
I
hope
you
don't
mind
us.
B
I
I
would
love
it,
and
actually
I
feel
that
particularly
the
projects
in
the
cdf
are
perhaps
the
like.
If
we
manage
those
we'll
be
in
a
way
better
position
like
supply,
chain
security,
wise,
then,
if
we
manage
anything
else,
perhaps
the
next
big
thing
is
a
github
or
something
like
that
adopting
it.
But
but
I
I
see
this,
and
this
is
why
I
wrote
the
plot
the
james's
plugin
back
then
I
was
like
well,
people
are
using
jet
games
and
a
way
to
generate
evidence
about
this
very
very
mission.
B
Critical
step
is,
is
so
important.
A
B
Happy
to
help
and
happy
to
also
figure
out
ways
to
make
things
happen
in
a
more
seamless
way,
also
like
point
people
in
the
total
community
to
like
sig
interpretability
here
at
the
cef
or
or
just
find
find
strategies
to
make
make
all
of
this
happen.
A
So
we
are
two
minutes
over
time.
So
thanks
us
for
this
scented,
we
really
appreciate
it
and
yeah.
We
definitely
continue
talking
and
we'll
definitely
disturb
you
coming
days,
weeks
months
and
happy
happy
to
help
with
that
again,
thanks,
cara,
mathias
and
emil
who
left
for
joining
and
talk
to
you
next
time
have
a
nice
rest
of
day.
Thank
you
very
much.
Thank.