Description
A continued conversation with the RedHat Emporous team on integrating Ortelius with the Emporous DB.
A
C
So there's nothing in here that I'm going to show that's like, even though I, it's my slide deck and Andrew's slide deck. Who is, he wasn't on the call last time, so Andrew, Andrew Block's with us today. He helped me create this deck. Andrew? Did you, we've done introductions last time, you wanna say something about yourself?
C
Or not, that's good, too. Okay, let's see.
D
So I could not get myself off new guys, I'm so sorry, I said Zoom was being said. Hey everyone, sorry about that. My name is Andy Block. I'm a distinguished architect on the Red Hat side. I've been working with Jay to help kind of bring more visibility, alignment and an understanding of what Emporous is looking to do within Red Hat and in the community. So I've been working on efforts both within Red Hat, but also really promoting it out in the community. This is everything from website that we built, but also developer advocacy.
C
So I had been given a direction that we needed to be able to generate reports on deployments and products about open CVEs, on SBOMs, SLSA information. SSML is like our Red Hat's version of SLSA, and adherence to a variety of compliance standards. And I realized, if we had that type of information or reports, it would also help in aiding CVE remediation and support policy enforcement.
C
So I'm gonna do just a quick review of, that's kind of how we got, that was the impetus for how we got here. So we're gonna do a quick review of Emporous again. So think emporium when you're saying it, not like empress, and it's Greek for merchants or traders. And let's see, so we can use Emporous backed by any type of OCI registry.
C
That's v1.1 compliant, to store a variety of information. But that type of radical change, maybe not everybody's ready for immediately, so trying to meet content and people's appetite for change. At the moment, we could store CVE information, trustee data and containers in the OCI repository, but we could link to, using a package URL, other types of artifacts, for our trustee information, to, you know, bring those two together. So I want to do.
C
You know, somewhat of a demo for you guys today. We're gonna go use case and then demo, and maybe some follow-up use cases for the same demo, and then repeat that again. So the first use case here would be for software developers, adds us just so: I want to set policies to prevent teams in my organization from using untrustworthy libraries and packages, and Emporous can enforce these, or it can provide data to enforce these policies and prevent a user from installing something that they probably shouldn't install.
C
So this would be the case for pips, Maven libraries, yum, etc., and we're going to do a demo now of a pip plug-in that illustrates this. So, instead of doing a, I'm gonna do a recording.
C
So, first we're going to start with an open OCI registry and we're going to push a bunch of pips up into the OCI repository.
C
C
And we use YAML config, similar to what you would see in Kubernetes, to configure and control what gets passed in.
C
This is actually kind of a low-level looking at the plumbing part of this, so different clients could integrate to use the API that we have to, you know, push their metadata up as they like.
A
C
We also have a FUSE driver that allows you to mount information that's in Emporous, so that you can look at it as a file system as well.
C
But you can see the metadata coming up there through the file system attributes.
C
That part makes sense, where we're not creating a pip index and storing it in Emporous; that is generated on the fly. So you can add new pips and you don't have to, or if you were, you know, using it for an RPM, a yum repo, you wouldn't have to do a rebuild of the RPM index. So all this type of stuff can be generated on the fly.
B
So how would a developer, as this, creating a Python module upload it to the registry? Would they still do like a twine upload, or do you have a wrapper for that they would run?
F
C
A
F
You can use twine if there is a translation layer. Right now, the translation layer is the shell script just shown at the beginning that builds the repository from the wheel files, but the, yeah, the point. Translation layer doesn't exist yet, but it does use the regular kind of like simple Python index APIs. So it's probably not that much extra effort to implement.
B
Right, okay. And then at what point is the SBOM generated for those modules that are in the registry? Is it when they're loaded or on the fly?
F
In this specific demo, that's not implemented. We've kind of got separate, piecemeal demos that we intend to combine together in a more unified package, but the SBOM stuff, when combined with this, would be generated on the fly as requested, and the information used to generate it can be populated at any time, and the generated SBOM stuff would just be used from the data existing in Emporous.
F
C
Hold on, let's choose some different words, maybe. So the generation versus aggregation. So for the pip, when you're publishing the pip, that's when the SBOM should be, should be the SBOM information. Probably mini SBOMs is our approach, that is in small, would be published, and then, when you want an SBOM, you know, you can request it in whatever format you want.
C
So if you say, I wanted an SPDX, we'll look at what you requested for and we'll go grab all the mini SBOMs and aggregate them together and translate it into the format that you requested. Okay.
C
On the publisher, yeah, when you're publishing the pip you should have the SBOM information then, because that's, we store it together and it's signed. So we don't, if you stored something without SBOM, it gets signed, and you can't add SBOM stuff later, because it's already signed and has a digest. So that would change the digest.
C
If you add other information, and it's immutable, so you would have to publish a whole new version, and then you could, you know, marry some SBOM information with your artifact.
B
B
So how does this differ than, well, on the signature side, Sigstore's doing a bunch of signing, so like for a RubyGems package, they're going through and signing the gem with Sigstore. How does that work with this?
C
Well, Sigstore's its own thing and the RubyGems are a separate thing, and then you have to link them, right? Right. Okay, here it's either all stored in the same place or there's a purl back to where the Ruby gem is. So we offer a path forward to eventually storing everything together as well. We support user-defined schemas for additional metadata to be published at the time of generating a pip.
C
If they're a, you know, they have their internal software department and they want to add extra metadata in their pipeline, they can do that, and then it would be signed with the artifact that they're publishing. Or if the artifact already exists, it's got its SBOM information and they have more metadata that they want to link to it, we can use a referrers API to link to the artifact, and their metadata can itself just be signed.
C
Yes, okay, Luke Hinds is working with us on Emporous as well. Yeah.
B
Yeah, I know him and I can't think of his name. Now, let's start at Sigstore and Chainguard anyways.
C
B
C
Jen, do we, I don't think we have that exactly yet, do we?
B
If we wanted to use Emporous with our own metadata, and we want to associate additional schema metadata to an SBOM, is that API available?
G
And it's a prototype. We don't have like complex metadata yet, but we're adding that, so it's really only primitives you can have. So that might not be helpful at this point, because I'm sure you guys have like complex structures in your metadata, but that should be added pretty soon.
B
Yeah, most of our metadata is going to be like a service owner, and the service owner is going to have an email, a name, a phone number, which are all strings. So it's not like a really overly complicated, you know, schema that we would be adding.
G
Right, I think our end goal is to just be really basic and support like any JSON schema, since manifests are stored in JSON anyway. It makes it pretty helpful.
B
A
C
Gonna turn constraints, I'm gonna skip to next use case that is paired with a demo. So, as a user, given I have a CVE, I want to see all contents that I own that is affected by the CVE, so that I can put together an impact analysis report and start remediation plans.
C
A
C
Don't know how are you, okay, sorry, I can go faster this time. So demo objectives: we're gonna discover existing application within Emporous. Then we're going to run that guy, we're gonna publish some updates and also publish a CVE, and then discover those CVEs and discover what applications are linked to that CVE by way of a granular artifact.
C
So we're again using YAML, like you would be familiar with with kubectl or oc.
C
We found our container and now we're going to run it, so this is plug-in for containerd that now can talk to Emporous, and so we have that application up and running.
C
So it's, remember, this is a lot of the plumbing behind the scenes that we're showing how this would work, but a better UX would need to be put on this, and it would be, you know, specific to like Podman or whatnot.
C
So this is, remember again, this is low-level plumbing that we're showing here, but it is the same old, familiar build, publish, run or build, push workflow.
C
A little silly, but we're going to now show the CVE information. We know what the CVE ID is; we're going to search now for that, so we can get more information and what it links to.
C
Now we can see it links to two different applications, hello world and therefore also.
C
C
So does that make sense, how we were able to publish the CVE and it links to already published artifacts in the OCI repository? So.
C
So the CVE affects this version of hello world and this version of hello world. So when the CVE is published, you have to say what granular artifact that it affects. So this is inside of hello world. This is an artifact inside of hello world, so.
E
A
G
On that instance, is really like, we're saying that's like a developer decision, like I, as the hey world developer, knew I had a dependency. It could even be like, say I was building a Terraform module and I needed another module, and I knew I was gonna have to pull that down, then I could link it and create that relationship.
E
C
Yes, see it, it's a clear. So instead of, you can do a query that says: there's index manifests and then there's artifact manifests, so the index manifest links to artifact manifests, and this CVE links to artifact manifests. So you want to know the index manifests that are linked to artifact manifests that have that CVE also linked to them. So there's a new search API that we want added to the OCI spec to allow us to do those types of searches.
E
The type of search that says, if I have two, if I'm hello world and I'm dependent upon hey world, that, if hey world will tell me if I have an issue.
C
Well, first, it would be: show me the index manifests that link to an artifact manifest that is also linked to this specific CVE.
E
A
C
Yes, and then you can expand it from there, so like, what other index manifests link to this index manifest, the one that we just found, so you can keep going up. So the index manifests at that level would be like a component, and then that component could be used in several different products, and that product could be used in a platform or different, you know, things of that nature, so you can.
C
You can traverse that DAG to find all the affected index manifests in the repo.
E
C
If we have the CVE and we search for the artifacts that are affected by the CVE, and then the index manifest, here an RPM and an image, also an image, we can, that's how we would find that, say, this image or this RPM are affected by this CVE. Then you could take it a step further and say, this being more generic.
C
Now this component, or maybe that's an image or an RPM, etc., are also affected by an artifact, and therefore they also roll up into this product, which is also an index manifest. So you can keep that chain of index manifests; you can search for all of those in your query.
A
C
A
A
C
So then it becomes about the search endpoint to be able to link those things together and I.
B
A
Yeah, so there would be a data store, which at the moment I don't see in this diagram, and, well, you know, control flows, that sort of thing.
C
Let's see, so the OCI spec and how it's implemented, so we're just proposing a new endpoint that offer, you know, that you can query in these types of ways. How that is implemented behind the scenes is up to each OCI repository implementation.
C
So is the diagram that you're looking for actually part of the OCI, however you would implement it, however, you know, Quay implements it, or Docker Hub? Aren't those the architectural diagram that you're asking for? Isn't that an OCI implementation detail, or am I misunderstanding?
C
C
So Emporous is going to use that search engine, or that search endpoint, excuse me, to provide the information that is being asked by whoever's calling Emporous when they're asking for show me this or show me that. Okay, so how it's stored in the background, you know, that it implemented it, we just need it to look like this when we're asking for it. How it's actually stored in the background?
C
I don't know that, we'll see how that, you know, that's an implementation detail held for those OCI registries.
B
So with what we're looking at here, and this aggregation that we're looking at, is the result of hitting a search endpoint. Is that correct?
C
No, this is how we publish it. So this is how you would, when you're publishing the product, that's an index manifest, you would link it to the components that make up the product, so these links would be done by digest.
B
C
We have a, when we were doing our demo there, we have a modified version of the Go OCI registry. Oh, Alex isn't here. Jen, that's the CNCF, so registry. Is that correct?
G
That's correct. We would still need to do some sort of OCI extension, sort of do a write-out of that, and that might be what you're looking for, that just to tell you what the expected inputs and outputs. So yeah, that's not finished yet.
B
C
B
C
Yeah, the reason, or the point of showing this is, there's no relationship, like the container doesn't include this RPM, but the container does include, share artifacts with the RPM, and like they both contain those common artifacts. So when you're building your SBOM for a consumer, the SBOM for the container and the SBOM for the RPM would be generated by all the mini SBOMs here. So there was, when it's stored in the OCI repository.
C
These artifacts are only stored once, but they are linked to by both. You know, they can be linked to by multiple index manifests.
B
B
Just to jump, I don't know how much time we have left here, just to jump topics a little bit. What is, I take it, to make all this, the OCI registry run is going to be pretty much a standard OCI installation. Is that, like you're saying, the CNCF Go registry is one to look at and how it would be implemented at a customer site?
C
Well, let's see, so we modified the CNCF Go registry, so we have a fork of it, and I think the way it's done was mostly for expedience' sake, for us to produce demos, showing, you know, like a minimum plausible type thing. So the way we did it, I wouldn't say is, it was for expedience.
B
Okay, but if we wanted to understand, so, let's say, or to use OCI registry as, for lack of better word, its database, in order to understand the implementation needs, we'd look at how an OCI registry is being implemented inside of a company. Is that a correct assumption?
B
Okay, so I am a MasterCard and I want to have my internal software be published to and tracked through Emporous in Ortelius.
B
What would I need to do to track my internal software and track the open source software that I'm consuming, from being, you know, internal to my company as MasterCard?
C
So Ortelius right now, you guys have documents for, like, these are the things that you would need to do in your pipeline, Mr. or Mrs. customer, to push things through Ortelius for us to be able to then do all the nice things that we do later on for you to manage your deployments and your applications. So right now your microservices talk to a Postgres database, correct? Correct.
B
And that Postgres database would be internal to the customer's environment there, and we would be pulling things from an external Postgres environment as well to aggregate together.
C
OCI repository that would, implementation that will work with Emporous. So it's up to the right version, whatever like that, then Emporous would need to be deployed. You know, maybe it came with that OCI repository or didn't, but your microservices, I would suggest that you change your microservices to point to Emporous, or, you know. That would be a first step, and then you guys can look at later on. Do you wanna?
B
B
And is Emporous able to aggregate across multiple OCI registries, then?
C
Yes, well, so.
B
If I have one that's being run by the C, the CDF, that is OCI registry of all of the, yes.
D
C
We don't have a plan to release that yet. We're at the point of like, should, will this, do we have enough people that would help us build this? You know, we're.
D
Doing a lot of efforts in the community, so we're obviously, Red Hat being community first, working to build out what the community is going to look like around this, and then based upon that, hopefully, you know, we'll be able to, you know, get more contributions and add in all the features and put a timeline together. But yeah, we're working on the community enablement as well. Okay.
B
And then on the, has it been decided whether you're going to request the OCI spec changes, or is it just going to be extending the existing OCI spec? Has that been figured out yet?
C
G
Yeah, what I would say up there is not fully vetted. In fact, this week we're looking to kind of fully vet our approach, but I think at this point we would like to possibly make changes to the OCI image spec, pretty generic changes, and then our approach is to do a distribution spec extension.
C
G
I would say yes, because what they see right now is most likely not going to be our final approach, I would say.
A
C
So we got like 12 minutes left, I think.
E
C
E
So we could have time to kind of digest what we've learned today, and I would very much like to have more of a, if this is something that we think that we could do some proper integration with, and it makes sense to have more of a discussion about what benefits we're bringing to the table, what benefits you're bringing to the table, and what is a, you know, what does a go-to-market strategy actually look like as the two of us working together to solve, because we have very aligned goals. I think we're taking it on somewhat differently, but all the end goals are very aligned, and there are some things that we do very much similar.
E
So I think that's probably what we should do next, is make sure that we don't have any questions for each other and have that discussion of what an integration would look like and who are we bringing that integration to. And Andy, did you get a chance to see the recorded version? Yes.
D
E
Okay, is there any point in time that you think it would be beneficial for him to be on that call?
C
I don't know, let me think about that. Okay.
C
Daniel Messer joined the call also. He leads up Quay, the Quay project, so I think he would be good to have involved as well, from having an OCI registry that can lead by implementing these proposed changes before they're necessarily accepted by the OCI steering committee.
E
And Daniel, did you get a chance to look at, to see the video? Or is there any clarifications that you need from the Ortelius side?
E
Okay, well, Andrew or Daniel, if you want us to get on a 30-minute quick call to catch you up, we're happy to do that. I always find it's easier to get everybody on the same page as we move forward than to try to get somebody caught up later.
B
And I have one more technical question: is it possible to have in the OCI registry.
B
Be yes, okay, because I'm just thinking the path to adoption, there will be cases where things would still end up in PyPI, but not in the OCI registry, for example, for some customers.
C
So that's one of the changes to the manifest that we're looking for. So the artifact manifest, instead of having a blob used in it to store, say, a jar file, right, we would instead use a package URL to point to where that artifact is located. Okay.
B
C
E
Well, okay, everybody. Thank you so much for spending an hour with us and talking about this really geeky stuff.
E
Away this last hour, you tell about CVEs and SBOMs and aggregating data, but I know it's going to be important for companies as they move forward, especially as they really build out microservices. That's when they really start struggling. So I sent an invite out. You should get it; everybody on the current invite would have gotten it, for next Tuesday at 10 o'clock. Just so you know, we do have our community TOC meeting at nine. So if we jump on a little late, we apologize ahead of time.
E
I'll send everybody on this list the link to the recording as well.