From YouTube: Jun 8, 2023 - Ortelius Architecture Meeting
Description
Steve gave an update on the #Guac integration, work on #Emporous, and the new #CNCF Artifact working group that Alex Flom will be chairing. He also reminded everyone that there was a joint meeting with Fidelity around the ‘evidence store’ concept.
A
B
January, June 8th. I, I was just thinking, because Sasha has his beanie on, with it being cold.
B
Yeah, June 8th architecture meeting. I don't have a lot today. I've been working on some stuff for a customer this week around our dashboard, and then we do have a meeting with Fidelity. I think, I don't know if everybody's on it, but we're gonna get there a dive into their evidence store.
B
Fidelity was the company that wrote a white paper for the, the CD Foundation around what they got going on as an end user on their pipeline side of things, so check that out. We'll dive deeper into once, we, once we find out what they're up to.
B
So that's going to be happening here soon, and on my to-do list, I just haven't had a chance to get to, is updating the architecture document. So just to kind of bring you guys up to speed.
B
We, Tracy and I, did meet with the CNCF working group for the OCI registries, so that was out there with Andy, Alex was there, Chan. I can't remember if Cat was there or not. I don't think Cat was there, but basically looking at what needs to be done on the OCI registry side for supporting any type of object and adding the search capabilities into that.
B
So that's happening on that front. On the Pyrsia front, Sasha, I'll, as soon as I find out the invite for that, I will send you the invite for the governing board thing. It's gonna be on a Friday, but I, as soon as I find out from Stephen Chin when he's planning to have that meeting, I will get that off to you on the Pyrsia front.
B
The interesting thing on, because they are an artifact repository, I think they, I'm gonna try to move them into the OCI registry front as well, so we'll be able to merge what's going on with Pyrsia with what's going on with Emporous, and then Ortelius sitting on top of all that, kind of collecting all the data together to visualize all that information.
B
What else was going on? We had a meeting with, yesterday, a quick, well, two things. On the OpenSSF side, we have briefed CRob, who is the head of the, the, what do they call it, is a TAC or, no, Tia.
B
So the TAC, so we kind of gave CRob a quick rundown on what we got going on, and then another person by the name of Sal. Is she from Sonatype or is she...
C
B
Fox, Brian Fox's gonna be on our, our Ortelius technology committee, so we brought her up to speed, and it's interesting, some of the things that she has to look at from a heavier security stance, yeah.
B
So, like, some of the things that she was thinking about that we may need to address, once we get some data in our system, is being able to take all the SBOM and all the data that we have, go through and figure out which package would be, make the most sense from a security standpoint to go fix, because it's going to have the biggest impact.
B
So, if you're able to go and fix one package in your, in your application, which one it, would it be? And if, when you do that, you know, what is, you know, it's going to cut your, you know, you have a hundred vulnerabilities and now you go down to five just by replacing or updating one package. So that type of data.
B
But I think it's a, the data that we're gathering will help drive that information down the road. Any...
B
Oh yeah, I forgot about GUAC. So we did meet with the, I can't remember his name. Brendan, Brendan...
C
Lind, yes, something like that. I don't know if that, I can't remember.
B
The GUAC team, basically we met with them, and what they are doing is taking SBOMs, all the dependencies and SBOMs, and doing like a dependency tree graph and allowing you to navigate through it. So one of the things in Ortelius that we don't quite do yet is being able to look at dependencies of dependencies at the package level. We take the initial SBOM that's there and just, that's kind of like where we stop.
B
So it looks like there's going to be a good integration point between our SBOM data and GUAC, that does the recursive package dependency walking, and we've asked Sasha to go ahead, and we'll get him to look at some of the, the GraphQL queries or endpoints that we could possibly use and be able to bring that data into Ortelius.
B
It's a lot of data, and, you know, it gets into that whole Netflix Death Star hairball-looking thing, yeah. You know, it's hard to tell how good that stuff is, but I think if we pair up that data with what we have in Ortelius at our, what we are describing as components and applications, then we'll be able to answer the question that Saul was asking about.
B
If I go and fix this one thing, what's the ripple effect through everything else? So that is, we're going to be connecting the pieces together here pretty soon, it looks like. So, and I think what we'll need to, and also that kind of drives the AI/ML question down the road as well. In order to figure out what is the best, your best bang for your buck, we'll need to look at...
B
You know, running some model against the data, all the way through the GUAC data as well, to figure out that bang for your buck, so we can tell people: this is what you need to go fix, and this is how long we expect it to take, and this is going to be a return type of scenario. So fun stuff, a lot of moving pieces.
B
So, any questions? Go ahead. Of course.
A
Yeah, so, while, like, refactoring few pieces, right, so like, since I'm new on Golang, so what happened, like, like, I have, I wrote, like, all these code in main project, okay, main packages, and when I was refactoring, so I'm facing few, few issues there. So the objects are not referenced properly due to some reason, so I'm looking at those. The other issue that I faced was, so right now, like, I have implemented NFT storage, but there is also need for ledger, right? Yes.
B
And we will, it, I don't know if the ledger piece will be in that same microservice.
A
Yeah, and there is, like, no SDK provided by XRPL yet for, like, Golang, so I was looking at the, that is the tough part, actually. I was looking at, like, what alternatives are there, but looks like we, we can use the Python package itself, because, like, Golang can internally support Python as well, right? Okay, but I don't know what will be, like, implication of that on the performance or other things.
B
Right, so on the ledger side, based on that, what you just told us, we may split out into a separate microservice the ledger piece, that would be in Python, just to make our lives easier.
B
A
B
Yeah, yeah, exactly. So it doesn't necessarily have to be atomic, but what we need to be able to do is, like you said last time, there's gonna be a lag, that, like, NFT storage may be down for a couple days, and that we may need to have a job that runs, like, every half hour, that goes and does, like, a synchronized, or if we go to put things into NFT storage
B
and NFT storage is down, that we just queue them up somehow, and then we'd run through the queue periodically to get things in sync. So I think on the, that abstraction layer, it doesn't need to be atomic, but we need to keep track of the integrity of, of everything, where everything stands.
A
Like, how, yeah, that makes sense, but, like, how we correlate the data, that will give us the answer, right? Like, like, if we are correcting data with the build ID or some other processes or something, job or something, so we'll have to correlate, like, what all transactions occurred as part of that build, right?
A
B
Right, yeah, so we have to look at it. It shouldn't be, well, at the ledger point it would, that would affect the ledger, because you'd have actually multiple ledger entries, but for the, the persistent storage it wouldn't matter, because all of the, the data would be the same CID. So...
B
Transaction number two would try to go put the same CID back out into NFT storage, and it would already exist, so it's not going to hurt anything. But until, that's your point of view, yes, we, we would have to figure out, like you said, some identifier.
A
Yeah, so I'll work on that. I'll make sure that is ready and, like, working as well. And the other thing that I was looking at was the killer quota integration.
A
B
Okay, what about the, the reusable workflow that you and Arvin were working on?
A
Yeah, so we are going to have reusable workflows, right, rather than the concrete, what you call, actions, right, yeah. So one thing that I saw as, like, best practice:
A
There need not to be, like, they're, like, we don't need to create multiple repositories, because what they say, these reusable workflows will lie in the same repositories with a different name, because that will lie inside .github directory itself. So...
B
Go ahead and move them into the, the .github repo, or, either that or we could do just a, a separate repo that's like...
B
We had a separate repo. I think what we should create is, like, a tools repo, because we're going to have other things that we want. Like, I have, like, a Dependabot script, Arvin has his Dependabot script, Sasha has some, I'm sure Sasha has a few helper scripts as well, that we should start collecting and kind of lay out in, like, a tools repo. And those, these reusable workflows, I think, would be a good place to put into the tools repo.
B
So yeah, I think that will be one of the things that will, if we put all the reusable workflows there, we could run Dependabot against it and, hang on, guys.
C
While Steve Jim suffered to do that, I just want to report that we now have an official TOC. Individuals on the TOC include two heavyweights. We got Brian Fox, who was the co-founder and now the CTO of Sonatype.
C
We have Vincent Dannon from Red Hat, who was the one who introduced us to Emporous. We have Garima Bajpai, who has been part of our group from the very beginning, so I'm super happy that she stepped up. Steve will be there, and then Andy Gardner from the Keptn folks, who works at Dynatrace, so I think we have a really good team.
C
B
Awesome, that's gonna be, it's gonna be interesting, and if, and like, we keep going, the more we find from other, other working groups and other end users, like the Fidelity stuff, the more things that we can collect on what we need to do, definitely helps us get, get more focused and have a good solution that can be well-rounded for people to use.
A
D
Nothing that you've missed. I just wanted to get a bit more detail on the, on the front-end API thing for salsa using GUAC, yeah, language. Is that, like, an o.js, are you thinking a Node.js that talks to the API?
D
Yeah, well, I've got the GitHub repo, yeah, yeah.
B
So if you go to, into documentation, like the getting started, they'll have things about running Docker and Kubernetes, so you'll be able to, to stand things up. I...
D
B
Don't know how they, they have a step that ingests the SBOMs. So one of the things to make GUAC work is you have to go and collect all these SBOMs and upload them into the, their system.
B
So one of the things I, from our meeting, I could tell is they have not, it does not appear that they've looked at the storage implement, implementation. You know what I mean?
C
B
It hasn't kicked in yet, yeah. So I have not looked at their database back end and how they're managing that, but I think one of the things that we may need to do for, on the GUAC side, is provide an interface between their stuff and our database to be able to suck in SBOMs from our database into, or have their, their stuff reference our database.
B
Put it that way, to, for the SBOMs, because we're, we're concerned about the storage implications of having, you know, the redundancy and the SBOMs. So I think down the road we'll need to do something on that front, but...
B
We just need to get a little further along on our side and get our, our implementation here moving along and getting some data in there. So it'll happen, I think it's just gonna be a timing thing. So...
C
We will need to do some more calls with them, though, so, you know, the, I think that once we have a, a connection to their dependency graphs and we're displaying it at minimum at a component level, and maybe bringing some of that, like a, just a dependency list, up to the application level and on packages in some way, we need to really think through that. If we could get that done, then we could show them what we're doing, and I think they may give up on trying to build that SBOM.
B
Yeah, so to answer your question, Sasha, is their interface that they've developed is a GraphQL. So GraphQL is like a hybrid API type of thing, so I believe GitHub uses GraphQL as its currently query language as well. So basically, what you're going to need to do is query their database using their GraphQL endpoints.
B
Thing a Node.js or, you know, how, or, I, I know they built a, a command line as well, so I just start with the command line and see if, if their GraphQL can just kick out some JSON for us to consume.
A
B
But if you go to our website, Arvin, you can, they have recorded demos.
B
And then also on their GitHub repo, you can, they have a way to kind of bootstrap and the, suck in some sample data for you to kind of play around with.
C
B
And then, once we figure out kind of the format of the data that we're getting back from GUAC, then we can figure out how we want to link that together into our UI, whether it's just going to be a list like Tracy said, or if we're actually going to do some graphing with it. The graphs that they're showing in their, in their demo are this viz GS graphs of heart Google tree nodes. So it's not anything, not anything we haven't done before, so...
C
Know the data helps, because then you can query the data and you can do something with that data, but it has, the data has to be based on version. So the graphs are cool-looking, and we can certainly bring them in for the wow factor, but I feel like the, the dependency data is what Saul was talking about in terms of, and we already have some of that, because we have the SBOMs, right? So pulling in the graphs is just, it does help us with the wow factor.
B
And the, well, what, what they provide is an SBOM of an SBOM. So if you have, like, for example, a Flask package, then Flask is dependent upon five other packages, and then those five packages are dependent upon 100 other packages, that they're, they're, they cook all those SBOMs together.
B
D
B
C
Yeah, they actually quizzed Steve on that. I could tell that they were thinking about it, and I was like, man, the discussions we've had on Netflix, we've been there.
B
So it should be a really good fit, because then we can actually, like we're talking about, we could be the, the repository of the SBOM data, and they just point to our database to do their traversals through.
B
Good overlap, but first we need to just get the thing, based, a basic up and, thing up and running, see what their CLI does, and go from there. So that's your marching orders, Sasha and Armin.
D
Thank you very much, Steve. Yeah, so I'm thinking of Go, because I like the fact that we're using going.
B
D
B
Yeah, and I found, I was thinking about this the other day, how to describe, like, Go, and it's kind of a cross between, and, Java and Python.
B
It has our object class, it has a, what they call a structure, and then you could tie methods to that structure, but the structure itself doesn't have functions, the method directly embedded into it. So that's where it's kind of, kind of like a, this crisscross, but it's workable.
B
And, and the other weird thing is that I learned when I was implementing our, you know, translating our stuff from Python over to Golang, was you want to live by their directory structure and how they lay things out, and not try to fit it into something that you're used to, like a Java class structure, or, you know, like, one of the weird things that they have is all the tests.
B
All your test cases are in the same directory as your source code, and they say that's just the way it is. You don't have a separate directory for test versus your main code, so your directory ends up with all this stuff in it, but it's just the way they decided to implement things. If you try to move things around, you just spend too much time banging your hand against the wall.
D
B
Worries, thanks. Anything else?
B
Okay, yeah, you're...
D
B
And there's some stuff that we have to pull out of the OpenSSF, that, what they're considering, you know, check boxes for being, having a secure supply chain. So we have to go over there and steal some of their information of what they want to collect, and same thing with the Fidelity thing, finding out what they're collecting that we may be missing, right?
B
C
D
C
Okay, Arvin, I just sent it to you. I think I just sent it to kind of the frequent flyers on the architecture call, so we didn't help a bunch of people on there.
C
Well, you know, it's just focuses on there. Yeah, I thought she's gonna be there, and of course, I think he goes by Gur.