From YouTube: Software Supply Chain SIG Meeting - Mar 10, 2022
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
B
I was planning to ping you and Mary on Slack, because I included your PRs under one of the topics, to make sure we now work with your documents rather than us creating our own document.
B
So, as I was saying, this is the very first meeting for the SIG, so welcome everyone. Here is the agenda, and we have five slides to get the conversation started, but before we move to the slides, perhaps you can walk through the agenda and please feel free to add any topic you want to discuss.
B
So the first topic is welcome and introductions, and then we can talk about what is so special about software supply chain, and why, because we had received a few comments about the SIG when we proposed it the first time. So we can talk about why we have this SIG, what we intend to do with the SIG and the approach we could take within the SIG, based on how the other SIGs within CD Foundation are operating, and then a reminder about logistics.
B
Seeing you all here is great, because then the logistics part seems to work, because you found the meeting document and resuming and so on. And then talking about the roadmap we could perhaps start working on, and I stole this from Tracy Miranda with it.
B
The roadmap for the CD interop last year, like that approach about how we can create the roadmap for the SIG: five initial topics for the SIG roadmap, and perhaps what we are going to do within the SIG. Knowledge transfer is one of the key things which worked pretty well with SIG Interoperability and other things, by getting people from different communities and projects presenting to the SIG to increase awareness and knowledge about other initiatives going on in other communities. A topic about the next meeting of the SIG, because it falls between the summer time change, which always causes some kind of confusion and hassle, and then open discussion.
B
I also contribute to CD Foundation and other communities, taking part in different special interest groups, such as SIG Interoperability, and here, too, contribute to improving the state of software supply chain within the foundation and elsewhere. And that's me. So the next person I see in the Zoom list is Terry.
F
Yeah, so I'm here because I'm interested in making sure that we keep aligned across the various special interest groups we've got going at the moment, and that we start to develop this subject in the best practices work that we're doing.
B
Thanks, Terry. And I see you next, yeah.
D
Hello there, so these are on. I work for Storebrand. Many of you may not know the company; it's one of the biggest banks in Norway. I have a background in development and software supply chains, but for the past six years I've been working with public cloud, so I thought I can contribute to this group around cloud topics and so on. So I'm looking forward to start and see how it goes here.
C
Hey, yeah, I'm Anne Marie Fred from Red Hat and I'm an architect in the developer tools group there, and one of the things we're working on now are some exemplary pipelines to help customers adopt DevSecOps. I also have a background for the past few years of doing DevSecOps implementation at IBM using continuous delivery, so hoping to keep us in sync with what other people are doing.
H
Yeah, hi everybody, general, I'm new to CDF, but I've been contributing to or have been around various other communities: OpenStack, a couple of telco-specific open source communities like Linux Foundation Networking, and I'm also working at Ericsson, so kind of a colleague of Fatih. Currently I'm focusing mostly on OpenSSF, thinking about what we will do in OpenSSF from the company perspective, and obviously there are connections to this SIG, and I'd like to make sure that we have good alignment and basically make use of, for instance, OpenSSF results in this SIG, put the concepts and so on to the test and, ideally, feed back results and our experiences with these things to the corresponding OpenSSF working groups and projects, and so on. So that's my intention.
I
Hi all, I'm Kara de la Marck, I work at the CDF as an ecosystem advocate and I'm co-chair of the Interoperability SIG, which Fatih was also an amazing, fantastic, wonderful co-chair of, and really excited to be joining you all today for this. I think this is a great initiative and fantastic to bring it to the CDF. So thank you, Fatih, and I'll just give a pitch for the Interoperability SIG, because you might very well be interested. Melissa McKay is our new co-chair, she's going to be amazing, and we have had really interesting discussions from Anne-Marie Fred recently on pipeline stages, and we're also discussing different sorts of guards within the CI/CD pipeline, so do join us, we're on the CDF calendar.
E
Thank you, so I'm Leora, I'm from Red Hat, I'm a product owner in the RHIVOS organization, part of RHEL, which is the Red Hat In-Vehicle Operating System, and I'm responsible to build the supply chain for the product. The product doesn't exist yet; it's just in the making, in the oven, as we say. The architecture of the supply chain is currently based on OpenShift, which is Kubernetes. We are using Tekton as our pipelines orchestrator, and all kinds of new tooling that we are investigating in order to have something more reliable, more K8s native, and probably to introduce some more innovation in our supply chains. So that's what I'm doing in the past four years, the product.
K
Hi, I'm Melissa McKay and, first of all, I see some crossover with some folks in the SIG Interoperability group, which is pretty exciting. I'm co-chair along with Kara on that group, so nice to see you here as well. I chose to be the CDF's Technical Oversight Committee sponsor for this group, excited to see where it goes. I currently am employed by JFrog. I've been a developer advocate with them for two years now. Prior to that, I was a developer involved in, you know, various different projects, all the way from intern to principal engineer on different things, so my focus a lot has been on community in the past, making sure that, you know, we get our conversations out there with the actual developers. So I definitely approach things closer to that end of the spectrum as far as supply chain. I have both a professional and personal interest in that, just with my own experiences that I've had in the past, and also just the fact that a lot of our commercial products like to integrate with open source tools, and we want to make sure that we leave that door open for the community as well. So thank you, Fatih, for putting this group together, because I'm really excited what we come out with. Thanks.
L
Yeah, first of all, well said, Melissa. I don't want to go after you. Hi everybody, I'm Tracy, I used to work at the CDF, but as of earlier this year I joined a startup called Chainguard, which focuses on supply chain security, particularly for cloud and container based technology, and there I do a lot of work with open source projects and, in particular, I'm just getting up to speed with the Sigstore project.
B
So, as I noted at the beginning, we have a few slides to get the conversation going, perhaps, you know, to understand why this SIG exists and how we can contribute to our overall efforts to produce change.
B
Like, we didn't collapse it within the SIG or within the SIG name, and that was a conscious decision, because there are many other topics that help us to improve the state of software supply chain, and security is one of them, perhaps one of the most critical ones. But there are a few other topics, and this slide attempts to, you know, give a high level of what this SIG is and why this SIG exists, and just make sure I'm not going to do like a presentation here. It's just, you know, to get the conversation started.
B
Please just speak up, and we can, you know, talk about those things as well. So the SIG Software Supply Chain is very highlighted; like, I think this SIG actually originates from, especially in terms of interoperability, like some other SIGs, like CDEvents, because since SIG Interoperability was formed about two years ago, we started talking about general interop topics and we started focusing on different topics such as events and standardized metadata and others, and all the time, like many other people on this planet, we started talking about software supply chain aspects as well, and that kind of made us realize that maybe we should take a more focused approach to software supply chain, because the topic is critical. Many other communities and organizations, including government organizations, are talking about this topic, and within CD Foundation we don't have a group that looks after this topic.
B
Specifically, in the past we had a special interest group called SIG Security, and that group has been archived, and again there is no group looking at this topic, and it was, like, discussed under Best Practices and Interoperability, and that kind of makes it difficult to, you know, focus on various topics within the supply chain topic. That's why we went and proposed this SIG to others, including Leora, for example, to see if we have interest to take this topic forward under its own special interest group.
B
I think this is key because, like, CI/CD is a critical topic for any organization and community out there, and, as I mentioned to Tracy in the past, like a month ago, seeing the formation was pretty good, but I missed the callout to CI/CD in the first blog post OpenSSF published, and this diagram, because various stages within the pipeline were highlighted there, but CI/CD wasn't called out, and that gave me the urge: okay, we need to do something here to make sure that CI/CD aspects are not missed when different organizations and communities talk about software supply chain. That's kind of how this idea to form the SIG came to life the first time, and the other reason is that everyone talks about improving the state of software supply chain, but the focus on the CI/CD ecosystem itself, or the production systems in general, is not there.
B
You know, we must secure the projects we are developing, we must secure the products we are developing, but what about the actual systems that help us to bring those things to life? Those are software systems like Tekton, Jenkins, Jenkins X, Spinnaker and others. What about securing the actual CI/CD systems themselves? So this could be another topic this SIG could come with, because we are all practitioners, CI/CD practitioners, and we could help other communities from this perspective as well.
B
So this makes two high-level topics: software supply chain from the CDF perspective, plus looking at CI/CD systems themselves and improving them to help us with, you know, securing, or making sure our systems are compliant, secure and so on. And the other aspect highlighted is, like, contribution; again going back to Terry, what you just said. We need to make sure that we don't duplicate efforts: if we identify something and another group is working on that topic, such as SIG Interoperability within CD Foundation or OpenSSF, we should look for synergies to collaborate across different communities and different groups. So we go there and contribute to those efforts rather than us trying to do things ourselves alone.
B
And finally, as I mentioned, we had a special interest group Security, and we need to look at the work they have done there and perhaps incorporate that work into our group's work going forward. So that is what the Special Interest Group Software Supply Chain is, and why. And I want to stop here and give all of you a chance to, you know, share your thoughts around the SIG, and if you have, you know, additional ideas or disagree with any of the things written on this slide.
D
I also would like to add: now everybody is talking about cloud native, and actually developers are responsible for creating their own infrastructure, using infrastructure as code and so on. So that is, I think, one thing that we can also consider here: cloud native aspects, how it integrates with software supply chains and how to secure that, maybe in the long term.
E
Could we just generate a discussion over the topics that you're raising? Because I'm very interested, for instance, Terry, in what you've mentioned about integrating MLOps into the supply chain. What did you have in mind when you look at what is there? And I'm not saying that there is no connection, but I'm just interested to understand where you see that fits together.
F
So when we talk about the software supply chain, we need to be looking forwards and understanding that that supply chain is actually going to be a combination of conventional and machine learning based assets and dependencies, and that we've got a big challenge ahead of us over the next few years to better integrate our capability.
E
I'm trying to understand. Look, I'm going to simple use cases, with your permission, just to figure out what you're trying to explain here. So, for instance, we have a supply chain, a pipeline, that is required to build 100 artifacts, okay, and do something and test, of course, deploy them and test them and so forth. And do you think that we can use MLOps in order to connect this into the supply chain?
F
So it's taking the CI/CD pipeline and extending it to include all of the machine learning training and production deployment that you're doing.
E
I'm personally interested in how to build new supply chains that are based on cloud native. Like, you know, in cloud native, I think that the han mentioned that, right, if I'm not mistaken, replicating what you've said before. I think this is a major interest of mine right now, and of course for my project, but I think that it might interest others as well: what kind of tooling to use, how to connect the dots between the various tools. We have a lot of challenges in our team with the tooling, the open source tooling that is currently out there. Maybe there are other tools that provide a better approach, and, you know, to be like a place where we can brainstorm together and then help each other to take decisions on which approach to take. That's what I would like to get out of the SIG as well. I don't know if it's, like, you know, the main target, but maybe as an underway target.
L
So one thing I was going to add, just to that point: there is a really excellent white paper the CNCF put out in this area, around kind of cloud native technologies and security, and building on that paper, some folks at Citi and a few others, well actually, Citi plus some folks in CNCF, are putting together a reference architecture, and there's a project called the Secure Supply, what is it, Secure Software Factory, which I recommend checking out, or maybe you can even get the Citi folks to come and demo it, because I think it takes you down that route quite nicely.
B
And just, I think, yeah, this is the paper you mentioned, I think, Tracy: the TAG Security Software Supply Chain Best Practices, and I put the links to the Secure Software Factory website, GitHub and RFC, which is current, which is still open, I think, so you can go there and comment, ask questions and all those things. Okay.
F
One other thing that I'll just mention: in a parallel existence, I also work on the IRDS roadmap, which is the IEEE roadmap for the semiconductor industry, and I'm involved in the factory integration and supply chain chapters of that roadmap.
B
I would just add that, for improving the security of the individual CI/CD tools themselves, especially the ones that are part of the CDF, this is an important area of work for the CDF and we should definitely have them involved, you know, project leads from the various tools, be involved with this and liaise with them.
L
Yeah, one other suggestion, so related to the best practices work that the SIG is looking at, putting together best practices for continuous delivery, and one aspect of that will be supply chain security. I think the SLSA model from OpenSSF is a really good capability model, but one place where maybe we could add value is looking at that model and applying it to various open source tools. So, like, sort of highlighting what features of the tools let you get to which SLSA level. Like, I've heard, you know, maybe you can't use GitHub Actions to get to SLSA level four, because it doesn't support build step attestations, so helping people kind of map build tools to SLSA levels, I think, would be pretty cool.
M
Yeah, for what it's worth, on Tekton's side we have a new working group that we started like a month ago, and we are focusing on this. So both saying what kind of features do we need in Tekton to make our users able to be compliant with SLSA, as well as making Tekton itself compliant with SLSA levels, so making sure that we build Tekton, we release Tekton itself in a way that is SLSA compliant, yeah.
B
Tracy, Andrea, so how we can do this and other things perhaps, and again this is like an open conversation, just to, you know, talk about some ideas we had when we started thinking about the SIG. So, we didn't see it: SIG Interoperability didn't have too much opportunity to take a practice-oriented approach, but then SIG Events took a practice-oriented approach by directly bringing up a proof of concept, which I like a lot, because talking about concepts and, you know, taking discussions.
B
So this is again stolen from how SIG Events approached their work, and one of the key things for this could perhaps be taking a practice-oriented approach and, you know, establishing proofs of concept by using open source technologies, like some of them are referred to here already, like Secure Software Factory, which uses Tekton CD projects such as Tekton CD Pipelines, Tekton CD Chains, as well as Sigstore and many other cool technologies, to see how such software supply chains are established.
B
So this is kind of a proposal to the SIG, to, you know, think about what kind of proof of concept we want to have, and, you know, what kind of pipelines we could establish, what kind of pipeline stages we should have, to try it out to improve the, you know, security of our software supply chain, or, you know, be compliant and so on. So this is one of the things, in addition to having conversations or having brainstorming around current or future topics, and, you know, to play with things together to form our own thinking about.
B
We should also reach out to other communities like OpenSSF, to see what they are doing and invite them to our group to talk about what they are doing, because, if you look at OpenSSF, there is a working group called Security Tooling, Vulnerability Disclosures, or Software Supply Chain Integrity, and they all relate to what we will be discussing with this. So the collaboration is another key aspect we could perhaps take into account when we work with the SIG, in addition to what we discussed, like brainstorming.
H
Yeah, as I already mentioned, I think in my introduction, that's exactly what I'd be interested in, and, as also was mentioned before, only, like, experience allows you to kind of give good feedback to those other projects, and they might value if we put things into practice and try them in different combinations and contexts, so that they also get feedback in terms of whether the concepts actually make sense and work in practice, and so on. So yeah, again, mainly with an OpenSSF focus from my side.
F
So there's one thing that I think might be helpful to flag out here, and that is that open source software supply chain is a special case of the overall supply chain problem space, and that's probably quite significant to what we're doing, because there are a lot of things that we'll be thinking about, that we can propose, that will work effectively in a fully open source supply chain, but which won't work in a commercial environment. And so we'll probably need to keep reminding ourselves that there's a bigger challenge where you start to come across supply chain relationships between commercial entities, where the things that they're sharing have an intellectual property perspective and there's a commercial reason to avoid doing some of the things that would naturally optimize a supply chain for a single goal like security. So we will probably need to keep thinking about some of these challenges and look at how we can help to contribute in those areas, because actually this is one of the biggest challenges I'm working with at the moment in other fields.
F
And therefore you can't get easy access to the full picture of all the activities that's going on in your full supply chain, because nobody wants to share. So in the IRDS roadmap, we've identified the need for a set of standards for commercial data sharing and information sharing and information processing sharing that can span across multiple organizations while addressing the individual concerns about protecting IP and not leaking data and all the rest of this stuff. So.
F
Well, it depends. I mean, the people who are using the open source are the people who work for those organizations, and so, if we're going to continue to make relevant tools and define relevant best practice, we need to understand the needs and concerns of those end customers, or else we'll only be building tools that are relevant to other open source projects, and we'll drift slowly away from mainstream relevance.
L
Yeah, I think my perspective is, like, most companies are basing a lot of their infrastructure on open source anyway, and they need those specific solutions to manage the open source supply chains, and that's a huge enough challenge in itself, and any solutions that come up there will, you know, probably have a reasonable kind of transference to other areas. Like, even take something like SLSA levels: you can apply that to open source projects or proprietary, but I think trying to specifically solve problems between proprietary data and things is, yeah, it's, I don't know, it just feels beyond the scope of what we can do as a group.
F
Well, I think it's certainly something that we need to be aware of, because it is the largest challenge in that space, and so, if we want to define best practice in that area, we can't ignore it. We have to, at the very least, be able to explain why you can't use our solutions under those circumstances.
B
So I guess this, going back to the SIG approach, factory approach and collaboration, got some, you know, support, so I think we need to sort out some environment details about our infrastructure, details about the potential PoC we will be bringing, but we first need to identify what we should base our PoC on. So we'll talk about this topic once we, you know, look at some of the projects referred to during previous conversations, and then talk about how to start.
B
So the next topic is logistics. Again, this is kind of a reminder of what is listed on the meeting document. So we have the GitHub repository available under the CD Foundation organization, and it is currently pretty empty because it's new; it just has, like, the README, which was something you already took a look at when we proposed the SIG, and this needs to be updated with the logistics and so on, and we have two documents here.
B
One of them is this meeting document and the other one is the presentations document, and the meeting document is the document we are editing on HackMD, which will include your names, and we use HackMD for collaborative editing. These documents are not directly updated within the git repo, so we can push them there. Another document is presentations.md, which we will talk about when we come to the knowledge sharing topic. We have a Slack channel for day-to-day communication.
B
We got a mailing list for ourselves, and this mailing list will probably be low traffic, but we will be sending the meeting agenda, meeting minutes and anything that requires, you know, some attention, and we can also have conversations using the mailing list as well. So please subscribe to the mailing list on groups.io, this CD Foundation, and if you go there, this is the mailing list, and I just did some hello world mail there, sent the agenda there, so you can get notifications.
B
Additionally, we will send the meeting invites to this mailing list. So if you want to get the meeting invites for the SIG in your mailbox, you will get them if you subscribe to the mailing list as well. And yeah, SIG meetings: we will be meeting every second and fourth Thursday of each month during winter time.
B
This helps us keeping the usual time for our own time zones, and we are meeting on Zoom at the moment, but CDF is working on looking at baby for community meetings, and depending on how things go with baby, we may switch to baby, but you will hear about the change, if it happens, in advance.
B
So you can prepare yourself for it. And submitting agenda, minutes: that will be documented in this document we have been looking at, and then the other good link is the CD Foundation public calendar, because you can see all the meetings at one place by using this link, and you can also subscribe to this calendar, so you can see meeting invites directly on your Google calendar. For example, as you see, we have Interoperability, Events, Best Practices, our SIG, Community, Ambassador, Chinese Localization. All the meetings are listed here.
B
I think this approach to roadmaps, like looking at current topics, writing down some near-term topics and adding some future topics, served Interop pretty well, and this is a proposed approach to creating the roadmap. Obviously we don't have to follow this, but this is a practice we followed in the past, and then, taking this approach, we can perhaps start populating some of the initial topics we may want to look at within our SIG, again taking example from SIG Interoperability.
B
Most things we have been following within SIG Interoperability is to start transferring knowledge about different projects or initiatives. But this time we can perhaps look at technologies and projects in software supply chain, and some of them are already mentioned, like Secure Software Factory, Tekton CD Chains and so on. So this could be.
F
So it's useful to aggregate those three things and publish them, because it makes it very easy for people to quickly get a picture of all of the major challenges that exist in a problem space, and then see what technologies fall out the back of that, what things already exist and what things are needed to be built in order to solve those problems. So there's an example with the MLOps roadmap. You can see how that's structured in those three phases and how we start with the overview picture of all the challenges, and then we expand on the implications of those challenges and what we can and can't do off the back of them right now, and then you have the choice to actually maintain a timeline of, you know, what's possible right now, what we think is going to be possible in the near future and what we're going to have to build towards in the longer term.
B
Okay, by the way, the meetings are automatically recorded and they will be uploaded to YouTube. So if you missed any discussion, or if you want to, you know, recap what we discussed, you can always go back to YouTube. Recordings will become available in a few days' time under the CD Foundation channel on YouTube.
B
So some of the initial topics are, like, again, terminology. Terminology is a key thing, like we face this everywhere. When we talk about interop, when we talk about events or other things, the terminology topic always comes up, so this could be a, you know, topic to start thinking about as a near-term or current topic in our roadmap. Ingesting and handling materials, open source, like introducing, storing, provisioning, consuming open source components, especially dependencies and so on, could be a topic, and since we are working with open source, it makes, you know, even more sense to talk about these aspects. Source code analysis, scanning, like for vulnerabilities, license, malware scanning, artifact builds and more. And the other thing I want to highlight here is, unfortunately, Anne Marie left. She started a really important and extensive work within SIG Interoperability documenting, like, terminology for pipeline stages, and if you look at the document, you will notice she talks about some stages that are critical for software supply chain as well. So we could perhaps look at this document and see what of those stages.
B
You may need to react to those disclosed vulnerabilities and upgrade your services running in production, and vice versa. So, again, everything you see on this slide and perhaps earlier, it's like, these are proposals, and we will talk more about these things, whether they are the right way to work with different topics or establish PoCs. So sorry, I am getting faster because we have five minutes left, and knowledge transfer.
B
So, as I mentioned, I already reached out to Michael, who is a member of CNCF TAG Security, and he is one of the main people behind Secure Software Factory. Please correct me, Tracy, if I'm wrong. He accepted, you know, our invitation and he will join one of the upcoming meetings to talk about Secure Software Factory, talk about what they are doing with, you know, their white paper and perhaps do a demo, and that presentation and demo will probably take place beginning of April, because the fate of our next meeting is questionable, because it falls in between these summer time changes, but yeah. We will send notification about that on Slack and the mailing list in advance, so you can adjust yourselves. And the other thing I've done, thanks to Andrea, is I reached out to Priya from Tekton CD, and she will, like, she knows Tekton CD Chains inside out.
M
Yeah, so Priya knows Tekton Chains very, very well; she's one of the maintainers and co-developers. So looking forward to the presentation. In terms of Tekton CD, we sign Tekton releases through Tekton Chains, if that's what you were referring to. Yes.
B
So they can talk about what they are doing there and potential initiatives they have, in addition to project presentations. Like, any of us in this meeting or anyone who joins later on, like, we are not limited to project presentations: if you have a topic you want to discuss, just add that topic to the agenda and, you know, come and talk about it and hear what others think about the specific topic, and demos.
B
Yes, especially if we bring up a PoC, we should be doing demos on a regular basis, based on what we are running within the PoC, and the last slide is references of all those things mentioned. Perhaps we can add more links here, based on what we discussed. We have one minute left. Anyone wants to say something?
F
Just so quickly, yes, it strikes me that, unlike some of the other work groups we've got going on, this, the topic area, is very heavily policy driven rather than developer driven, and so we probably need to think about our audience and make sure that we're phrasing things and documenting things in a way that clearly addresses the important decision makers in this field. So we need to be thinking about that bigger picture of who is actually interested in, you know, the open source licensing problem and what's the perspective that they need to understand, rather.
B
Yeah, this is, yeah, thanks for highlighting this criteria. I think this is key, but yeah, perhaps we can add this as one of the, you know, topics we can start thinking about, like who are our decision makers and what kind of, you know, messaging we want to give. But yeah, so we are at the top of the hour; in order to respect everyone's time, I will shut up now. So again, welcome everyone, thanks a lot for joining the very first meeting, and then we'll see where we end up our time.