From YouTube: Ortelius and RedHat Discussion Jan. 3rd 2023
Description
The Ortelius and RedHat teams sit together to discuss collaboration on a central repository and evidence store. Details of RedHat's direction for Emporous and potential integration with Ortelius are the focus.
B: Okay, super. So I'll just go ahead and introduce myself. I'm Tracy Ragan, the CEO of what I like to call the little company that could, called DeployHub.

B: We started thinking about what an evidence store looks like quite some time ago, starting with the concept of tracking deployments across many different tools and being able to see what an inventory looks like. Then we began to understand that we needed to add additional metadata about that inventory, and that's how we started building Ortelius, or what I like to call our evidence store. I'm also on the board of the Open Source Security Foundation as a member rep.

B: I'm also on the Technology Oversight Committee for the Continuous Delivery Foundation and have a very, very strong background in what we now call DevOps; I'd like to call it life cycle management. I'm not new to open source. I helped start the Eclipse Foundation way back when; I was one of the first five on that board. So I have done a lot of work with open source foundations, and I am the community manager for the Ortelius project, so open source is a love that I have and I continue doing it. Steve, why don't you introduce yourself?
C: Steve Taylor. I'm the CTO of DeployHub and one of the main contributors to the Ortelius project. I also work in another open source project called Pyrsia, which is a build consensus network for handling some of the supply chain issues on the build side. And also I am kind of leading up our blockchain piece through the XRPL grant that we got from Ripple for the Ortelius project.

C: So as part of that, we've started it, and it's kind of on the map to finish this year: our integration to provide an immutable ledger using blockchain technology.
D: Awesome. Hi everyone, my name is Sasha. I'm based in Cape Town, South Africa. I'm a consultant for a German company called Cube Visor, where we specialize in migrating legacy applications to microservices, and I think I've been with Ortelius since it started. That's my first and only open source project, and I don't think I'll go anywhere else as long as they'll have me.
E: Hey, I'm serious. Well, I work at Red Hat Latin America. I've been like around 10 years as a consultant and now as an architect. Like two years ago, I think I received, I think it was like a tweet about Ortelius joining the Continuous Delivery Foundation as an incubation project, and I said hey.

E: This looks fun. I just jumped in, presented myself. Since then I'm being maybe not so active as a contributor, but sharing, practicing, helping to move out in the container space, to a mentoring presentation.

E: It's a really, I don't know, diverse community. I really enjoyed it. There are people all over the world. Since then, until today, I try to stay involved, help when I can. Yeah, that's me. I work, well, in Latin America as an architect, application development architect, so I try to share on both sides and help each other.
A: Sure, so I was invited to run for a position on the Ortelius governing board about a year and a half ago, so I'm a member of that governing board. My day job at Red Hat is I'm the integration architect for Studio, or Stone Soup, or whatever we're calling it these days, which is a product around deployment automation as well as secure supply chain. So that's what my day job is at Red Hat.
F: Day job? I tend to avoid jobs as much as I possibly can. Long career as an architect, the last 20 years or so at IBM. These days, in addition to supporting Tracy, Steve and the Ortelius board, I'm on the board of a couple of small companies and active in open source standards, mostly around cyber security.
B: And just so you all know, before we kind of rounded our year up, Tony did provide us a list of additional, what you guys might consider, attributes or metadata for what we call components, and we're looking at starting to build some of that into the product in 2023. I think it was timely that he presented that information, because we had this meeting as a follow-up, and we'd love to get your feedback on that as well.
G: Right, we actually recently moved from North American public sales in Red Hat. We were an engineering team working out of sales, so that's kind of weird, but we've migrated to product security, so my skip boss is Vincent Danen.

G: I believe you guys know each other. And what we do over here so far is kind of loosely defined, and we like to take advantage of not having things well defined like that, so that we can create opportunities like this. So Alex, I believe, described this idea that he's had here for Emporous; it used to be called UOR. I believe he called it a fever dream.

G: He was working too much, I think, and then the rest of the team helped him make that a reality, and I've been running around internally in Red Hat selling it to everybody I can in Red Hat to create a community and get somebody, some other team in product engineering, to own this, so that product security isn't writing tools for themselves.

G: So Stone Soup, for example: I've worked with the HACBS guys, that's the pipeline portion of Stone Soup, and they're in favor of using this, so there's a bunch of other teams as well that are in favor of using this. But it's, it's...
H: I worked with, well, under Jay in North America public sector sales, where we were trying to streamline the administration, or the administrative process, of OpenShift in an air-gapped environment, or air-gapped environments, so Kubernetes in an air gap, containers, all those things, and that work directly fed into the work on Emporous.

H: And, let's see, aside from that, yeah, I'll just leave it there. It's nice to meet everybody.
I: Yep, can everyone hear me okay? Similar to Alex, new to the project team at Red Hat. I'm a senior product security engineer. I spent the last year and a half working on disconnected tooling for OpenShift, and I've been working in open source, with open source software, for about the last three years, particularly in the containers and Kubernetes space. And yes, the disconnected work led me to be a contributor to the Emporous project.
B: You want to go?

J: Sure, hello. Can you hear me? Yep, yep, awesome. Hey, Samuel Walker. I've been here for, I mean, I think it's coming up on three years. I started as a consultant here, so I wasn't always an engineer.

J: Working with just general setups of OpenShift for customers, moved over to engineering, helped with the oc-mirror project, which was the kind of disconnected tooling that was used a little bit, as well as the new Emporous setup, which I'm mainly doing examples and demos for and kind of contributing here or there as much as I can.
K: I am yet another developer on Jay's team. I've been supporting the same projects that all my other teammates have mentioned, and I'm happy to learn about everything you guys have to talk about.
B: I think that does it for intros, right? Yeah, super. Well, it's awesome to have so many people on this call. This is, you know, I think that we all have stumbled across an area that is underserved in terms of pulling all this data together. It becomes even more and more critical, as you point out in your document, around being able to track CVEs, and what we like to say is answering the question: where is Log4j running?
B: Let me see. We just did our kind of holiday, end-of-the-year holiday gathering. So Ortelius has been part of the Continuous Delivery Foundation since December of 2019. So technically we are two years old.

B: We have 254 Google group members. We're followed by 718 LinkedIn folks. We have 264 GitHub stars with 115 GitHub forks. For our Hacktoberfest we did 24 pull requests, which we were proud of, because that can be hard; that's like herding cats. And overall in 2022 we had 203 total pull requests from our community.

B: We do have a governing board. We have put these basic structures together in order to be ready to become an incubating project, I mean, sorry, a graduated project, which for us just means adoption. We have all the other pieces together to continue moving this product forward. Brian Dawson is also part of our governing board, as well as Utkar Sharma and Siddharth Parikh from NatWest Group, and they could not join today, but I know that they would have liked to be here.

B: Ortelius, the name Ortelius, comes from Abraham Ortelius. You have a boat as part of your image. Well, we saw that same thing; we saw this in terms of maps. Abraham Ortelius was the first person to consolidate maps of the world, and in, I believe it was 1570, he created the first world atlas, and when we started looking at this problem, we thought that was an appropriate kind of icon for us: Ortelius, Abraham Ortelius.
B: I really would like us to go over your document, and I'm going to pass this over to Jay and Steve to really discuss, but I want to indicate that when we look at the goals here, being able to generate these reports, we see reports as needing to be generated at what we call a component or a logical application level; CVE remediation, the ability to understand what your vulnerabilities are at any point in time; and support for policy and for enforcement.

B: We really are building a data lake so that something like you could start building out your own policies around how you want to see this information flow. So in terms of our goals, I feel like we are very, very strongly aligned, but there are some differences in how we're getting there, and I'm hoping that we can just talk through that.

B: So we understand where you're coming from, and you can understand why we made the decisions that we made, that may have taken a bit of a diversion from the direction that you're going. So in terms of your use cases, Steve, I'm going to go ahead and hand this off to you.

B: We had quite a discussion about this, so I'm going to hand this use case section off to you in terms of the questions we need to ask, in terms of where your head is and where you're going.
C: So, as I was reading through your document, it kind of seems like you have a two-fold type of solution that you're trying to achieve: the first one being an OCI registry for everything, and the second one is, as a result of having a registry for everything, that you're able to then gather metadata about what's in that registry. Is that the correct way of thinking about it?
G: So it's, you know, like a smart proxy or service layer in front of an OCI registry, and if we repurpose, that's the nice term, if we repurpose the constructs that they have in OCI right now, we can do most of this.

G: We're trying to figure out, can we do it better with extensions, or would we rather propose some additions to the OCI standards, so that, like, for example, the searching and being able to register these different documents, these different pieces of metadata; which is the best approach. We've started some discussion with the OCI steering committee, but that's like the very beginning stages there.
C: Now, once something is published, are tools like Maven and pip going to consume what's in the registry? So you have the two sides: one's the publishing side, one's the consuming side. Are those tools going to be then able to look at the registry and consume what's in it?
G: So, let's see, let's advance some slides ahead; it may be like 10 slides, there's going to be a bunch of slides ahead. Yeah, keep going past, it'll be the next section. So there's the section change, so keep going, keep going, and no, no, keep, yeah. It's quite a ways down. Maybe six more.
G: Here we go. So to answer the question: it depends on the user's appetite for change. So in general people don't like change. I've been a change agent most of my career, so some people will want to do this right away. All right, so there would be plugins that you could have for Maven, package managers.

G: You know, language-specific package managers like pip or npm and so on. So if you have a plug-in, we have a demo available for Python, where we have a plug-in for pip, and you would be able to make use of the metadata that's in an Emporous-backed OCI registry. You could ask, are there... I'll pick on Maven, because Maven generally doesn't use ranges for, you know, what dependencies they use. They tend to...

G: Those developers tend to specify exactly the version. So you could ask what CVEs are open against that project, so that you could also define in the plug-in, in the pom.xml, that you want to fail builds for open CVEs of severity greater than X. You could also... So that's the easy stuff, CVEs, but whatever metadata you have associated with those artifacts, you can also be creative in writing policies to enforce through the plugin.

G: So it really comes down to, like, we want to publish and then we want to be able to have policy enforcement engines in a variety of different places. So you can do that on the developer desktop. You should be able to do that in the build pipeline. You should be able to do that publishing to whatever your output is; let's say it's a container, publishing your container to a registry. There could be policies there, promoting it from one registry to another.

G: There could be policies enforced there; deploying it, there could be policies enforced there; and then monitoring afterwards, there can be policies enforced there.
B: Adoption has always been our biggest concern, and making sure that we are fitting into the tools that the pipelines are already consuming, because it's really hard to get people to change, as you just pointed out. Now, Red Hat has more influence, so you might have a better ability to influence that change, but Ortelius, as an open source project, we knew it couldn't. So for the most part, what we are doing is we are referencing data and pulling those reference points into our central evidence store.
C: Yeah, so, for example, and I don't know if they've gotten this far, but let's say you do a build, and during that build it's been signed with Sigstore and published to, you know, wherever it goes. For us, from the Ortelius point of view, that is just data that we federate in, saying this is where that artifact lives and the associated metadata that's along with it, so the Sigstore information.

C: You know, all those gory details, is something that we would federate into a way to associate that to that version of that artifact. Now one of the things that we have, like I said, what we're working on, is backing these, we call them components just as a generic term, so whatever the artifact is, whether it's Maven or Python doesn't really matter; we call them components in our world, and versions of components.

C: So we can then have an immutable view of that version and be able to search that information as well in the immutable ledger. So that's some of the stuff that we're looking at, but we like...
B: Tracy here. One of the reasons we went down that road, though, is because of the amazing amount of data that there is in SBOMs, for every single change you make. And we also have the concept of a logical application, and if we get time we can show you what that is.

B: But there's a lot of data that's being stored here, and that's why we decided to start looking at the blockchain technology and applied for the grant, so that we could actually do some interesting research on it. We haven't committed to that, but we are definitely looking at using that as a way to manage a lot of data and track differences.
C: And one of the things that we've kind of recognized when we start federating all this data together: there's a huge amount of redundancy that you get. So if you just take a look at the Apache 2 license, you know, there are so many projects out there that reference or use the Apache 2 license. And if you look at the SBOM data for a lot of them, the way that's stored in the SBOM, it's being redundant. So you end up wasting all this data storage just because you're referencing an Apache 2 license.

C: So we've been doing a bunch of normalization on the data to help reduce the redundancy on the storage back end. We were talking to the folks at Armory last year, and they started doing SBOMs against the official Docker images, and they said within two weeks of just doing the SBOM on the 17,000 tags out there for the official Docker images, they had three gigs' worth of SBOM data in just two weeks, and nothing's really changing over that.

C: You know, you get parts of it that change, but not everything; not every SBOM changes a hundred percent. So that's one of the things that we've been looking at when we started federating the data together. At that point...
H: Yeah, well, so hearing some of the dialogue here is interesting. There's really so much overlap with what you're talking about, even how you're using, leveraging, the blockchain to record. We have something similar, but instead of blockchain it's the OCI's DAG that we're leveraging, I think in a similar way to what you've described, and in this idea of, like, logical applications, like it's been mentioned. JJ at one point...

H: ...had mentioned container images, and it was an internal presentation that was the source of this presentation that we're looking at here, when we actually published the container image, the, air quoting, container image here, because what it actually was was just the atomic components of what would be inside of the container image.

H: And then we shoved those into a chroot and then ran those with containerd and runc and all that. So that kind of, like, when you said, when I heard logical application, that's kind of where I went. You know, it's all tied together with metadata. At that point, it really changes the nature of what an application or container image is. Yeah.
C: Exactly, and when we talk about SBOMs, there are many different levels of SBOMs. Like you said, if you're going to create a jar file using Maven, you're going to have an SBOM for that jar file, you know, that jar and its dependent jar files that you're going to have, so you're gonna have an SBOM at that level.

C: And then, like you said, when you get up to the container level, your container is going to have runtime SBOMs, so your RPMs and package dependencies at the OS level, and then you're going to have your jar file dependencies and so on. So you end up with these nested SBOMs, and then when you go up to the next level of a microservice application that is dependent upon, you know, 200 microservices that are running in containers...
B: Which we can show you in just a minute, if we have the time to do that.
G: So I don't know if this slide made sense to you guys, where the RPM is the index manifest here, but you could... This is traditionally how a container would be built, right? So you've got your index manifest, and that's gonna be linked to other artifact manifests, and normally, for how OCI storage and most other artifact storage repositories...

G: ...work is they're opaque, so the layers of a container are opaque, and we want to change that. So we want to store, this would be a jar file, the artifact manifest would contain a jar file; if it was a fat jar file, it even gets exploded. So there's granular artifacts, and then you have many SBOMs attached to those. So you can, if we go down to a more complex example on slide 25, you can see how these things start to pull together.

G: So if you were trying to pull together an SBOM, you're not storing duplicative information between those shared artifacts. To build an SBOM for an image or the RPM, it's simply gather all the mini SBOMs, aggregate them together and offer them to whoever. So even more complex examples: if you go to slide 27, I think, yeah, so there's software inventories, and then one down, I think you get into logical groupings, any... Well, let's see, components, where components can be like...

G: If an image is a component, then it breaks down into other artifacts, and then components can go up into products. Products could expand out into platforms, whatever type of organization you want, and that's just us thinking about how to do software. These types of, how you organize things, could also be used by, I'll give an example of, like, a hospital, to say this is where we're keeping these, you know, the, what's that, I can't remember the name of the thing there.

G: You have an IV, yeah, IV pump. So an IV pump: where those machines are located in the hospital, and so, like, which ones are being used, which ones aren't being used, which one could be updated remotely, which one, you know, all sorts of the inventory of how it's being used becomes important, and they can store that information in here as well to be able to help manage that. So it's not just how we could use these things to tell a customer.

G: ...Could define arbitrary aggregations to help them manage their environments.
C: Yeah, and this is exactly how the Ortelius side thinks of it, except that instead of product, we use application or logical application.

C: We've had this debate over the years of changing it from application over to product. It's just one of those debates that we never could get consensus on.

C: But, like you said, a component can be anything. We could have test case components, we could have database components, you could have artifact components of, like, a jar or a Python module, or containers, container images, as a component.
C: And where to go get it. So one of the views that we took in the Ortelius world was we're not going to be a new registry; we're going to point to the existing registries that are out there, whether it's gonna be Maven or JFrog or Sonatype as a registry for the Java artifacts, or if it's going to come from, you know, somebody's desktop. It doesn't really matter to us.

G: So if it says, now this is where we think people would be willing to adopt this much today, and then the ones that have a different watch pointing to the future, it's too much change for today, but people could go there over time. So using a purl...

G: They could point, as in the example here, point at a jar file over in Maven Central, or point at a Python library over in PyPI, or, you know, the list goes on. So we want to be able to do both.
B: This is where we are at right now. So I think, unless there's other questions, Steve, that you might have about this, I think this would be a good juncture to go ahead and give, we have 20 minutes left, give a 10-minute tour of what we've already done. Yep.
H: Can I just interject before you do that? Sure. It's not really conveyed in this brief here, but if you look at the larger body of work that I think we've done around Emporous, there's this idea where Emporous can consume any schema. So you have a schema with Ortelius; you've defined it, you know, it references all these concepts, and I was just gonna...

H: I thought maybe it'd be helpful, as you're going over the Ortelius approach: one of the interesting things I think that could be kept in mind here is this idea that the Ortelius schema, or what was the GUAC, GUAC's, is it OSV, or any schema could be registered within Emporous and then easily managed after it's registered.

H: So as you're kind of going through this next 10 minutes of the Ortelius approach, I think there is an accompanying idea that that schema, or any schema, could also be expressed with Emporous in the same way, using the native OCI components.
C: And a lot of our schemas that we have are mainly dependency relationships, you know. So when you normalize the data and you start breaking it apart, you know, you have this specific jar file, for example; this jar file has this metadata attached to it. This metadata is actually broken up into smaller pieces that are referenced elsewhere, such as the licenses, the location; you know, CVE data is actually pointed to in real time.

C: You know, the type of thing, because you don't want to lock in your CVE data, because it could change. Somebody could find a new CVE for that particular jar file today or tomorrow, and you don't want to have that static CVE data in there. Let me share my screen, and I will keep that in mind as I walk through this and kind of show.
B: It says DeployHub up here; that is our stable. This is basically Ortelius with a DeployHub logo on it, because we do host it. It's not being hosted at the Linux Foundation right now. Ortelius does not... We would like that to happen. We're hoping that they will.

B: We can get some funds from the CD Foundation to host it, but we were hosting it and it started to get a little bit more expensive than we wanted. So right now Ortelius is pretty much kind of an on-prem install, so we're only showing you what Ortelius does; we're not going to show you what DeployHub does.
C: So, like we were talking about the components, we view everything as a component. These happen to be Docker images, and one of the things that we do is, in your pipeline, anytime you build something, a new version of the image, we want to capture that information about that image that was produced by the build pipeline, even if it doesn't go to production.

C: We want to make sure that everything is available if somebody needs it at some point. So some of the information that we capture is, like, who is the owner of the container? Is there a Slack channel out there that the SREs or the release team can manage? You know, they want to reach out to the developers.

C: You know, what's the PagerDuty information for the call-down sheet, other things? Where was it built? This one happened to be built on CircleCI; there's the digest and stuff like that. Is there a Helm chart that's being used to deploy it? Those types of things: the git repo, the SHAs, which branch it came from, those types of things. And then also on the other side, you know, what type is it? Is it a container? Is it a jar file?

C: You know, we can, and people can, create their own types to categorize the information. Other things that we pick up out of that, that we persist on our side, are the readme and the Swagger information, because this could change over time, and one of the things that developers may change, you know, is one of the endpoints; they may go ahead and change...

C: You know, the URL here, so they may break backward compatibility or may add new functionality, and because we're versioning all this information, we can actually diff and show how API endpoints are changing over time. And then we get into the fun stuff: because this is a Docker image, we pulled the SBOM, so these are the packages that are actually installed. This is a Python-based microservice, so you can see...

C: Flask is here, the database connection, and then we also found, because we have this list of the packages that this version of the container is dependent upon, we go out to OSV.dev and check to see what the CVEs are at runtime.

C: So when I pull this up and view this, this is where we go pull the package information, I mean the CVE information, and then we get into more fun details: who's consuming this, the list of applications that are actually consuming this version, and we can see that in a graphical view as well. So we actually have two different application versions consuming this particular microservice.

C: So if we take a look at it from the other point of view, if we go up to an application, and like this week we were talking about a product, we call them applications on our side. So we're going to look at a version of the application and see how that application is pulling in all of its logical dependencies.

C: So at this level, this application has, because it's a microservice-based application, about 15 to 20 services that it's bringing in. So this is where we start doing the aggregation level, and we're going out and getting the CVEs now to find out, across all the different components that we have, which ones are giving us the highest level of vulnerability.

C: So we can actually see that we have a Node.js dependency that has a high vulnerability that we need to take a look at. So it doesn't matter, the type, like you were talking about, Alex; you know, the type is kind of irrelevant.

C: We just need to know that we have a dependency and that dependency has a CVE on it, and then here we can see that it's the total aggregation of all the different SBOMs rolled up to the high level at that point, and then this is the graphical representation of it. So if I actually zoom in a little bit, we can actually see all the dependencies that this main application has.

C: You want to be able to see which version of a particular artifact you're consuming, because today, this version of the artifact, we have these CVEs. Now, if I look at the next version, the developers may have already fixed it. So we want to version everything. Every single change gets versioned, and that's where the blockchain ledger comes into play at that level as well. Other things, let me go back up to the high level. Like Tracy said...

C: We all want to know about Log4j. So because we have all the dependencies and the relationships stored, we can just say give me all the dependencies, and I can get a list of which packages, which components, are consuming which version of a particular library at that point. So this is, we can see that there's log4js being consumed in multiple applications across multiple components at that level.

C: So answering that question is very easy for us to look at. So I'm just going to stop there since we just hit, we have about 10 minutes left, and we can dive into, you know, the gory details whenever you want.
G
Sure,
when
I
I
think
it
was
in
yeah,
it
was
just
before
Thanksgiving
I
gave
our
proposal
to
Vince
and
Vince
asked
me.
You
know
how
is
this
different
from
well?
He
asked
me
ahead
of
time
to
be
prepared
to
answer.
How
is
this
different
than
or
Tillis
so
a
week
before
that
meeting
with
him
the
the
team?
Here
we
went
through
what
ortilius
is
and-
and
you
know,
the
documentation
and
reading
the
code
and
I
believe
it.
G
If
you
guys
wanted
to
use
emporis
it
would
it
would
simply
replace
your
your
postgres
database
is
what
it
would
would
do,
so
you
wouldn't
have
to
manage
a
postgres
database.
You
would
at
a
customer
site,
they
would
have.
They
would
have
some
type
of
oci
registry
already.
So
that's
that's
what
you
where
you
would
end
up,
storing
things.
G
So why do I think that's helpful? Because then it's one less thing that has to be managed by somebody, but also you get a little closer to things being stored together in one repo. And why is that important? Because right now you have to go to a bunch of different places. You have to go out to Sigstore to do this. You have to go.

G
You have to go all sorts of different places to gather this information, and then, if we get the community being comfortable with this type of thing, so my ambition is to have this.

G
This type of thing replace Maven Central and replace PyPI and those types of things, because they don't have great answers right now for how they're, there's going to be a bunch of language-specific solutions, it seems, right now. It's to track the communities on for how they're each going to solve, how we address this same problem, and we could offer instead a unified way that solves it for all languages.
G
And at that point, when you have your SBOM information and the artifact, when they're stored together, the whole thing gets signed. So it's not: I have my artifact and I have my trust information about that artifact stored separately, and I have to do some verification as a client to validate that, you know, this trust information and that artifact go together. It's actually turned around and put on the publisher to publish those things together, so that trust becomes implicit at that point. So.
C
Yeah, definitely, and I could definitely see how we can utilize, like you said, replace our Postgres database with Emporous to pull from that type of information and aggregate it together. One of the things that we are looking at as part of our blockchain implementation is actually implementing a graph database to help with the dependency management, just to be able to traverse the millions of relationships, if you look at the open source world, that need to be managed at that level. Also.

C
On that note, we are also taking a view that there will be a, like I said, kind of a public registry that's out there and then also your private one that needs to be federated together. So as an open source, if I'm the developer of log4j, I can't necessarily see who's consuming me in a private.

C
You know, company doesn't want to show that, they're exposing that these are my list of points that you can attack me at, but vice versa, when I'm inside of a corporation I can look out and see and consume all that information to aggregate it together from that viewpoint, to see where my exposures lie at that level. So that's one of the things that we're working on, is federating from two different viewpoints.
H
I just wanted to, very quickly, one of the things that we put quite a bit of work into with Emporous early on, well, recently, before the holiday break, actually, was this idea of a decentralized service. So you could query, for example, like quay.io or something, or you could even query your internal registry, and then you would also be discovering content, and I'm just using this as an example, but like Docker Hub.

H
So when you query Quay, you're also discovering if there's pointers to, you know, other content across registries. So that was a big focus, was a decentralization aspect. And I just wanted to say, very quickly, and this is outside the context of, I think, what Red Hat's primary right now is, what we've been talking about, but this idea of schema registration, extensibility, also applies to a website. It could also be an idea of like a package.

H
Another type of package, like you could have all the web elements in the website signed. So not only is your TLS session encrypted, but also you have all your web elements that are being rendered are signed, and then also this applies to AI models as well, and I think that the AI/ML Ops is an emerging security consideration. That has odd issues, I just wanted to get that out before the end of the meeting.
G
No, it's not worse. I think we're, I'll save mine for next time.

B
And I definitely think I would love to see what you guys have, where you are at in your process, and really have maybe a little deeper discussion once we've gone back to our camps and thought about what we've learned today.

C
Yeah, I'd definitely like to see where you're at and more about the schema that you're talking about, Alex, and how that could come into play.
H
Yeah, definitely, because when you talk about blockchain, I'm thinking to myself, well, with this Emporous API we could render like a Rekor service too behind, because this API, if you have whatever schema you're feeding into it, it can just render, you know, render the contents of whatever the schema is. So if it was Rekor or some blockchain or whatever it is, I think there's a potential there.

C
Yeah, so right now our implementation is to utilize IPFS, because that gives us an immutable place to kind of shove our JSON, you know, with the dependencies in it and stuff like that, and the blockchain just records that this is where you go find this data in the IPFS world. Now the blockchain could point over to Emporous to gather that immutable data over there. So for us it doesn't really matter, it's neither here nor there where it's stored.

C
It's just, you know, how do you get to it, and on your side, you're doing an immutable versioning of this data, is that correct?
G
Yeah, it's a Cisco registry. They just put in a search extension which is similar to what we wanted to do, but it doesn't have all the additional metadata. It just searches like what layers are on this manifest, or how big is this manifest, and all that good stuff that's already inside the OCI manifests. Okay.

B
Well, thank you all for jumping in on this first full day of work for 2023.

B
Same time Tuesday the 10th, then. We've met at 10 o'clock. We have a general community meeting at that time, but we could do 10:30.