Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A: Thanks for joining us. Hello, so yeah, we can slowly get started and others can join along the way. So, first of all, thanks everyone for joining the meeting, and I believe some of you took part in our site committee meeting on Tuesday as well, where the project Pyrsia was discussed, and actually I got to know Sudhindra thanks to Melissa.

A: So let's have the presentation from Sudhindra and hopefully a demo, and then we can use the rest of the meeting for open conversation about how we can collaborate on software supply chain together and look for, you know, potential opportunities for the year as well. So I will stop sharing, so feel free to start. Okay.
B: Thank you for having me here. I will share a slide deck. Are you able to see my slides here? "Securing..." oh, it's just "Supply Chain". Yes.

B: Okay, so this is a project that we have been working on at JFrog. We kicked it off six or seven months ago, and we have since been talking about this and sharing our ideas, and now we get a chance to talk to you and see what you think about it and what your feedback on this is. So a little bit about myself.

B: My name is Sudhindra Rao, I am at JFrog. I did a lot of what we called partnership integrations, and through collaboration with Stephen Chin we sort of kicked off this idea about Pyrsia. We saw some gaps in the open source supply chain and possible solutions. So here is what we think about it and what we are doing.
B: Okay. So if you look at the current state of supply chain, it is pretty grim, and when I say supply chain, this supply chain also has its challenges given what happened in the last two years, but we are not going to talk about this supply chain.

B: We are going to talk about the supply chain that affects what we do, which is the software supply chain, and if you are in software, well, you must have heard about the SolarWinds software attack that happened and that keeps people on their toes even today. That also triggered an action from the federal government of the United States to bring together people who are experts in this field to actually solve this problem.

B: Well, so this is the problem. We are going to talk about some examples of what has happened in the past.
B: I don't know how many of you remember the famous Equifax data breach, and this happened because they did not keep their Apache Struts up to date, so a vulnerability was exploited and that exposed millions of users' personal data, credit card information, etc. Even today, I know of people who receive mortgage or work, all kinds of information, based on their data that may have been breached during this attack. So this still affects and hurts people.

B: Another example, which is very recent, is the Log4j vulnerability, Log4Shell, which has been in production for many, many years, and this vulnerability has affected many, many installed systems, and if you are in this field, you see how many people actually are burned by this in terms of producing the fixes, patching the fixes in time and so on. So every time we don't do the right thing for our open source software, it hurts us really badly.

B: Another example, very recent, May timeframe. This happened with the Rust community, and this is a typosquatting attack. But these kinds of malicious attacks happen on the software supply chain, which affect the open source systems, and then they affect install bases.
B: And here is a recipe of how a hacker can actually masquerade as somebody: take over somebody's expired domain, take over their maintainer credentials and then cause damage. So every aspect of this supply chain needs to be secured, and if you look at how we do it, we don't have a good plan, and whatever I shared so far is just the tip of the iceberg.

B: There are many, many vulnerabilities which we don't talk about as much, which don't get enough press, which are kind of hiding because they are not being exploited today, and all of them are exploiting the open source side of things. So what are we going to do about this?

B: When we use this open source software, currently our knee-jerk reaction is: has it come from these central repositories that we implicitly trust? But that is not enough. There have been situations when these central repositories have been unavailable for hours together, thus stopping the pass-through to production. There have been attacks that have put this trust in question, like: should we even blindly trust this?
B: So, given all that, the current state of affairs is that we are picking software that you find on the sidewalk and sticking it into our production system. That is the state of affairs we are living in, right, which is pretty grim, and we need to do something about it, to seek to provide the trust that is missing to secure the software supply chain.

B: So some work that has happened in the past, in the very recent past actually, after the SolarWinds attack and all of that, is this emphasis on building software bills of materials. There is also a White House executive order which says we need tools and technologies so that this becomes easy.

B: This becomes transparent, and here is a blog that talks about the software bill of materials. There are research groups that are working on actually putting a framework in place, and one of the frameworks you might find in the literature is the SLSA framework, where they're talking in detail about how the software supply chain can be hacked, what are the areas that need attention, how they are exploited.

B: What do you need to reinforce, etcetera, and here are the eight or nine gates, or attack vectors, in this very simple CD flow, and if you're doing real software development, you know that a typical CD flow is much more complicated than this. It has many more levers and in-and-out gates, which means that there are more attack vectors and more places that an attack can happen, right. At JFrog...
B: We talk about this vision that we need to be in the future where software is liquid, and to make that possible we need a supply chain that is automated, that can be implicitly trusted and that is always available, that you can depend on. You should not need to stop your flow to production because one element of that supply chain is broken down, not available, etc.

B: Right, so that is what will relieve us from the daily drudgery of figuring out where this needs to be deployed, how it needs to be deployed, etc. So we need something that allows that automation.

B: So allow us to present Pyrsia, and we are calling this a project which will provide you a consensus-based build network. It will provide you a provenance log, and it will provide you the decentralization which is currently missing, so that you can depend on it.

B: Let's dig a little deeper into these, right, and what we intend to do is provide a network of systems which is secure by design, which is reliable and which is open, which is built in open source and built in a way that is not governed by just one organization, right, and that is what will bring the trust, is what we feel, and that is what will make it automatically trusted.
B: Here is a little bit about how the word Pyrsia came to me and why we thought that is a good idea to use for this project. So in ancient Greek warfare they used this technique of communicating via a set of torches to signal impending dangers, and it is a decentralized, distributed communication mechanism, and we thought that, since we are building something that is decentralized, that is a good metaphor to call this project. So that's where Pyrsia comes about.

B: If you wanted to learn more, I'll send this presentation along and you will have the links, so you can learn more about it.

B: Yeah, so what does Pyrsia look like? The basis of Pyrsia is, first, it needs to be a distribution network and not a central location, because central locations are prone to single points of failure, so we are leveraging peer-to-peer technology so that computers can connect to each other and have that resilience across the network.

B: Using peer-to-peer technology allows for high availability, because multiple peers can stream that same software to you faster, think BitTorrent or similar technologies, right, and thus you will get a higher throughput, so we are looking at Pyrsia as the decentralized package registry. So when you connect to it, you have the power of this whole network to back you with whatever you are trying to build.
B: Pyrsia will also contain a consensus-based build network. Today, what happens is that an open source developer tells us that they have built a binary and committed it to npm or RubyGems or Maven Central or whatnot, and it is based on a certain git SHA, and they might tell us using some mechanism which is not provable. It doesn't tell us that this binary has been produced by this git SHA for sure; there is no one-to-one link. If you reflect on what happens in in-house software development...

B: Actually, you know the developer who has built it. The developer also gives you the whole CD pipeline that the software has gone through, and hence you trust the binary that has come out on the other side and that you can deploy. That trust is missing. So Pyrsia is working to provide that trust. So what Pyrsia will do is it will ask the open source developer to give us a commit hash, and then Pyrsia will randomly pick some nodes on the network to build them.

B: Build the binary independently, and multiple nodes on the network will build that independently and then verify that the result was the same, so that then that can actually be used for downloads. So that's what Pyrsia will provide. It will build a consensus network which will make sure that the binary is built from the SHA that the open source developer is claiming.
B: So there will be this trust automatically built, because now you know where it came from, where your open source library came from. Here I like an analogy one of my colleagues, Bill Manning, is using to describe the open source supply chain. He talks about a cake. So when you are making a cake, in the recipe you want to pick elements or ingredients, and you want to know where they came from. You want organic things, or you want...

B: You know, free-range animal products and so on, right. We need that same trust to be put in this software, because this software potentially is going to also be part of some healthcare product that you're using, and so on. Right. So we need that emphasis, and that is what is missing, and that's what Pyrsia wants to bring: the transparency so that you can...

B: You can eat that cake knowing where it was built, where the parts of it came from. Pyrsia will also have something we are calling a provenance log. Today, when we look at an open source library, we can't ask these questions: where it came from, who built this, was this really built by the open source developer, or was there a malicious person coming in between and pushing final binaries, which happened in the case of SolarWinds, right? We don't have...
B: We don't have a place to go and ask these questions. If you want to build a software BOM today, it is a month-long, many-months-long process. I used to work on a Kubernetes product for which we actually built the Kubernetes binary in three months, because we have to keep up to date with the Kubernetes releases, but then it took us three more months to actually build the SBOM, because it was a hugely manual process.

B: So we want to get rid of that manual process. So Pyrsia will provide this provenance log where you can ask this question: give me the list of dependencies and their transitive dependencies and so on. Right, and then Pyrsia will also record, if there are vulnerabilities discovered, what is the link between the previous version, the vulnerability and the next version, and so on, so that you can make decisions based on that. Currently, today, what happens? The release manager basically actively looks at that?

B: Does a manual process of thinking and then does it. With this process, what if we had that information baked into this log, where you know, okay, this vulnerability has been fixed in this version, it's ready to be deployed, you can just run it through your CD pipeline; if nothing fails, you can just deploy it and remove the human element, right. And with Pyrsia, the provenance log will provide all this information and also provide ways for you to build...

B: On top of that, so you can build automation that suits your organization or the way you build software, so that you can put those decisions in place. So essentially what we want to ensure is that Pyrsia is really easy to install and use, so that you don't have to change the way you are building software today, but still Pyrsia provides you...
B: The added benefit that Pyrsia is promising. So you can use Pyrsia; Pyrsia will come with its own command line interface, so you can use the Pyrsia command line interface to interact with the provenance log, to ask questions, to fetch images, look at the image, look at the binaries and so on, right, but it will also provide integration.

B: So we have built one integration with Docker, where you can continue to run the Docker commands, but Pyrsia will act as a proxy layer between Docker and your CI/CD system, so that you don't need to change any of your Docker commands and still get the benefit from Pyrsia. Pyrsia will give you the benefits of downloads via peer-to-peer, and verification, and the provenance log. So that is our main goal, and we do have...

B: Actually, I do have a demo, and I'll do something better than that. We have this demo; I have a YouTube recording of it, but I won't be playing it here for the demo, but I'll tell you what the demo is about. On our website we also have the script that allows you to run the demo, so you can experience Pyrsia and give us feedback on what you think, and I'll leave links for all this here.

B: But basically, what we have built so far is the Docker integration, where, when you pull a Docker image, you get the Docker images via Pyrsia and have the benefit of not traversing the network.
B: Right, and also, let's say you are downloading large binaries; you'll have the benefit of just downloading it from the Pyrsia world without changing your CI system. The one thing that we learned when we were thinking about it and thinking through the design process and talking to our users is that there are many, many more lines of code that you would have to change...

B: If you were to ask people to change their CI systems, right, so we want to avoid that, and have people still continue to use docker pull or go update and similar commands. So we'll build integrations in that way, so that it's transparent. Yeah, here is a demo link and I'll share that with you, and okay. And then I want to talk a little bit about the architecture.

B: What it will contain, and then maybe I'll give you some stats about where this project is, and then we'll open for questions. So essentially, Pyrsia will come with its own, what we are calling the Pyrsia node, so you install the Pyrsia node and it will have the ability to integrate...
B: With all these language platforms. We have started with Docker, because when we started we looked at the landscape and found out that, regardless of the language you use, you're probably using Docker, and that's probably where we should start so that we can get meaningful, impactful software out there and get feedback from the community, and also Docker, who was our first partner, was really excited about doing this and they gave us all the technology help that we needed.

B: So what we have is the Docker integration. We are now building the Java integration, which will contain Maven and Gradle and so on. We'll start building integrations for other languages.

B: Having said that, we are not the experts in all these languages. The ones I mentioned: Docker, we have help from Docker; Conan, JFrog maintains it, so we sort of know how to support the C++ community, but for all the others we are looking for help from the community, right, and we want it to be driven by the community.

B: To tell us whether the APIs that we are building are sufficient or they need to be modified, and how that needs to be done, and how it will work with systems that are vastly different, like the Maven ecosystem works differently than the Go ecosystem versus the Ruby ecosystem and so on. Right, and we can do our best guesswork, but we would like help from the community, and that's why we are engaging with different communities and talking to different organizations to contribute to this.
B: Sorry, okay. When we looked at Pyrsia, people asked us about: what is the security model? How do we know what we are building is trustworthy, and how do we enforce that? So there are technologies that allow for reproducibility, and that's what we will leverage when the language allows that, and a simple network consensus would be enough.

B: In that case, when we have an unreproducible build situation, in the case of Java, C++, etc., and Docker also, we will rely on the trusted registry. We will build the same and then verify with the trusted registry whether the binaries match, and that's how we will ensure that there is enough trust. Also, there's a question about how we take in open source libraries so that they are built right?

B: So that's how we ensure that what comes in is good, and that's how we ensure that what we are actually committing to what we call the Pyrsia network is trustworthy. Here is how we're going to get started. You can install Pyrsia. There are some Pyrsia commands you can use. It is pretty simple right now; it tells you the state of the node, whether you're connected to peers, and it tells you how many peers you have connected, and on your CI system...
B: The big thing is, you don't have to change anything on your CI system. You don't have to install anything. You continue to do docker pull, but when a docker pull happens, then it automatically goes through the Pyrsia node. What you need to do is a configuration change where your Docker client connects to the Pyrsia node instead of going directly to Docker, and there are instructions in the demo script as well.

B: A little bit about what is inside: we are building all this in Rust, because we want to support multiple operating systems, and we want to engage as much of the community as possible, with various flavors of Linux or Unix, and Windows as well.

B: We are relying on, we are using open source software already. We are using libp2p, which is part of IPFS, which is another project which has done a good job in distributing files on a large network, and we are using the Rust implementation. In fact, we have actually discovered a few things in that Rust implementation and have made comments back. So we don't want to keep things that we discover to ourselves; we want to give it back to the community.

B: We are using an immutable ledger to store our provenance log, and we have chosen an open source blockchain implementation called lf to help us with the consensus on that. So what we are working on, and we have presented this at a recent event, where we shared that we are building a provenance log that will allow you to do a lot of this automation.
B: We are also building the ability to stream large binaries over the peer-to-peer network, so that you can get multiple pieces of the binary streamed to you and thus have higher throughput, and then we are also building the infrastructure that will help you do the build part of it, the consensus build part of it. Here is how we started and where we are. If you want to find us, we are on...

B: We are on the OpenSSF Slack. When we started, we were aiming to build an MVP or the first release sometime this summer, early summer. We're already collaborating with projects. We have individual contributors as well as contributors from different orgs. We are also engaged with projects that are working in a similar field, like Sigstore, you may have heard or not, or Notary v2, where we want to integrate with them instead of rebuilding that. Here is what we have done. We have, since the beginning...

B: We have had everything that we are doing in public. We have a Google Drive which is shared with you when you join, we have public meetings, they are all recorded, you can join, you can listen to them and give us feedback. We are running it as a typical agile project, so you can join our daily stand-up or our retrospective or our sprint planning to find out what's going on.

B: We also have community-facing meetings every two weeks to talk about where the architecture is going or where the project is going in general, etc. We are also engaging with the community via various meetups and discussions like this, to engage, get feedback and move forward.
B: So if you would like to get involved, first thing, go to our website, pyrsia.io, really easy to remember. Give us feedback, either on the Twitter handle, or go to our GitHub and give us feedback there, join any of the team meetings, and if nothing else, tell your friends that we have this project going on and we are looking for people to get involved. So to summarize, supply chain attacks are still here, before and after COVID, they are still active.

B: The hackers are still active. NSA is still worried about the severity of these attacks, and we need to do something about it, and Pyrsia is one effort which is trying to change how we build open source software. So please join us.
C: So I just had one question: if I have my images in, say, Amazon, will this also work? It seems like it works mostly with Docker Hub, or maybe with, you know, like Artifactory store, I mean. So that's the one question I have.

B: So what Pyrsia has built is built for open source, and I think when you say AWS ECR, it is not the open source ones, right; it is the ones that are built by you. So on Docker Hub, we are only pulling the images that Docker themselves have certified and verified, and that's how we maintain the trust, so anything that is open source that has been built by Docker and published under the default...

B: Namespace is what you will have available with Pyrsia. Pyrsia will not be able to integrate or pull images from something that is closed source, because one thing that Pyrsia needs is the git SHA of the source, so that you can pull it and build it independently.
C: Sorry, go ahead.

B: Yeah, does that make sense?

C: Yeah, yeah, so, you know, Amazon also has a public gallery today where we can also store, you know, open source.
D: Yeah, yeah. Let me try to answer the question, and so I think that the way of thinking about this is what the backing store for Pyrsia is: a verified build-from-source farm for open source projects.

D: So you can't upload anything to the Pyrsia network. Like, you can't push images into the Pyrsia network; you can only pull images which were built by the Pyrsia network from the peer-to-peer system.

D: So, even if you have an open ECR, you could pull things from Pyrsia down into your ECR instance and carry the signatures with them, if you wanted to redistribute them via a container registry, but if you've pushed images into, for example, ECR, even if you built them yourselves from open source, the guarantee on Pyrsia is that everything coming from the Pyrsia network is built by this distributed, verified build-from-source infrastructure.
D: And it's not JFrog specific, so all the member companies will be running an instance of this, so JFrog, Docker; DeployHub is also a member company, Oracle is a member company, Futurewei, who is one of the CDF sponsors, and also Huawei, and we welcome and we want more people to join the project and also run this infrastructure, but as an end user using it, you're relying upon the builds of open source projects from these companies to be built, verified, and that's the provenance and the like.
B: Hey Brett, I read your question: is there plans for Kubernetes support? Can you say more? What do you mean by it? Is it other than pulling images for Kubernetes, or...

E: Yeah, well, okay, so we don't use Docker; we're phasing Docker out of our pipeline, everything's going to be Kubernetes, and so docker pull, while that's great, it doesn't help us. So I'm trying to figure out where this fits in my pipeline, and so what I heard was that it's only for open source images, right, so now it sounds like these would be my base images, right. So nginx, whatever I'm pulling down that I would normally get from docker.io, the Docker Hub.

E: We don't, in the future we... So we try not to pull images from Docker Hub because they rate limit us and it breaks our CI/CD pipeline. So we pull the images from Docker Hub, scan them and stick them in a private registry. So what I'm hearing is that what I would do with Pyrsia is I would use Pyrsia to pull these images from the Pyrsia network, scan them and then put them in my private repo, and I'd have a much better feeling about the authenticity of the image.
D: Yeah, does that sound about right? Yeah? So to answer your initial question, like yes, there are plans to include kubectl and other Kubernetes tools, to add first-class Pyrsia support for them. And on the use case scenario, I think you got that accurately. So, first, when you pull things off the Pyrsia network, obviously you're not rate limited at all, and so you don't run into the same issues you hit with, for example, pulling from Docker Hub.

D: It still is a best practice, especially if you're using it for builds or an enterprise system, to pull it into your own repository manager, and we have a command line tool for Pyrsia where you can directly pull things from the network, put them in a local folder, kind of do what you want to with peer-to-peer images. So you could do your own integration via the Pyrsia command line tool, or for repository managers which support it.
E: Okay, so yeah, I mean we're in the process of, I'm in the process of implementing SLSA in our pipeline, and we're shooting for level four. So we're talking signed provenance, zero trust. So I'm going to pull the images down, scan them...

E: You know, create signed provenance for them and stick them in my registry, and then I'm not going to use them unless I can verify that they're signed, even internally, so that's kind of what we're up to. So I was trying to see where this fits in. So it sounds like I use this for populating my internal repo, yeah.
D: Exactly, and I think the guarantee you're getting by pulling it off the Pyrsia network in general (we're working on phase two of this architecture now) is like, in the case of Docker official images, pulling from Docker Hub you're basically trusting Docker as the only one who's built and verified these, and yeah.

D: So in general, we think you shouldn't trust us, you shouldn't trust JFrog, you shouldn't trust Docker, but you should trust the aggregation of many different companies which are building and verifying the same image. And, yes, some large companies, like Google, Microsoft and others, have their own internal build-from-source farms where they do this, and they, of course, only trust themselves.

D: But we think that this sort of infrastructure should just be freely available and something that all companies can rely upon, if it's a shared infrastructure where it has a trust model where you're not relying upon a single entity, but you're relying upon the majority of the consensus of all the companies involved.
E: Now it's one of those ones where I have all these priorities that keep getting pushed on me and I've got to get all this stuff done, and the twin pipeline sounds like a nice-to-have and it's a lot of compute, but I appreciate the idea here.

D: Yeah, and so I think the other thing which will come out of this, which should be helpful to you as well, is we plan all this to be built on CD Foundation technologies like Tekton and CDEvents, all open source, and I think it should also, especially our build pipeline portion of the project, serve as a great reference architecture.
E: Cool, yeah, no, you know, I don't trust anybody anymore, and the more I've read, the more paranoid I get, and I haven't done anything to talk about security since January, and I quit being a sysadmin because I was tired of security and went into development. Now here I am, 15 years later, right back where I was, worried about security all the time.

A: It would make a lot of sense to look at Pyrsia to see how we can collaborate on that more concrete approach to these things, because when you put Pyrsia in this type of pipeline using different CDF technologies, like you mentioned, that may make it easier to grasp the details and the benefits of the project, and that could also perhaps become input to the reference architecture you mentioned.
D: Yeah, okay, so Andrew's wondering if Pyrsia can also validate open source projects that aren't built into images, like libraries. So we're planning support for a bunch of different programming languages and the intermediate build artifacts, so with Oracle, our partner...

D: One of the first targets is going to be the Java ecosystem. We're working with their build-from-source team, and they're interested to build as much of the Java ecosystem as we can reproduce and verify, so that they can use it both for their internal purposes but also open it up to the world and have a more secure source repository for Java jars. The same applies to JavaScript, to PyPI, to Go and to Rust, of course, because we're building on top of Rust.

D: Now that said, Sudhindra mentioned this just a little bit earlier, so we're going to build out as many validators as we can and work with the open source community on these. But this is an area we need help with, for folks who are experts in different language communities and are interested to build an integration point into different ecosystems.
D
So
I
was
chatting
with
terry
from
sci
code
yesterday
and
he's
interested
in
specifically
doing
something
in
the
pi
pi
space,
because
that's
that's
an
area
which
he's
very
passionate
about,
and
we,
I
think
we
are
looking
for
folks
who
are
like
super
passionate
about
a
particular
ecosystem
to
be
either
our
advocate
or
to
to
take
a
pass
at
doing
an
implementation
of
an
api
for
a
language,
specific
library.
But
from
a
persia
architecture
standpoint
we
can
store
different
artifact
types
from
different
languages,
but
we
want
to
do.
D
F
Yeah,
okay,
thanks!
I
sorry
did
you
were
you
gonna
say
something
else
yeah
I
I
asked
because
sass
is
majority
a
go
shop
and
I've
noticed
that
one
of
the
things
that
scares
me
even
more
than
pulling
random
images
off
of
docker
is
you
know,
finding
an
open
source
library.
That's
like
man,
this
thing's
really
useful.
I'm
gonna
throw
this
in
and
use
it,
and
I
haven't
read
every
last
line
of
code.
D
Yeah
yeah
so
so
go
go
is
one
of
the
ecosystems
that
we're
planning
to
support.
I
I
think
that
it,
it
is
something
we
actually
use
quite
a
bit
at
jfrog,
so
like
x-ray,
a
lot
of
our
products
are
written
in
golang.
D
We
we
chose
rust
for
this
project
because
we
wanted
to
make
sure
that
we'd
have
more
ability
to
do
code,
code,
verification
and
reason
about
the
security
of
the
system,
and
I
think,
in
terms
of
like
modern
languages,
which
are
very
security,
focused
rust
is
kind
of
leading
the
edge,
but
I
mean
goes
a
great
language
as
well,
and
that
was
would
have
been
our
second
choice
for
this
implementation.
E
So
we've
got
a
bunch
of
we've,
got
a
bunch
of
npm
crud
running
around
and
I
think,
like
in
the
grand
scheme
of
things,
the
scariest
language
that
pulls
random
packages
in
off
the
internet
has
gotten
to
be
npm
so,
and
I
think
it
was
on
the
list.
Is
that
going
to
be
support.
D
Yeah
yeah,
we
will
support
npm.
Now,
speaking
of
security
exploits
most
of
the
security
exploits,
are
our
research
team
finds
are
in
npm
and
there's
there's
multiple
levels
of
of
issues
there?
So
it's
very
easy
to
upload
things
with
no
verification.
D
So
it
is
very
vulnerable
to
to
typo
squatting
attacks
to
dependency
injection
attacks
because
they
they
they
do
zero
verification
of
of
your
your
namespace
that
you're
uploading
to-
and
it's
very
easy-
you
know
you
think
you
know
javascript
is-
is
just
text,
but
it's
very
easy
to
obfuscate
the
code
and
hide
malicious
libraries
which
are
impossible
to
reverse
engineer.
E
D
D
It
should
be
easy
to
set
up
and
configure
to
pull
from
persia,
and
you
could
still
pull
images
from
other
sources,
but
at
least
the
ones
you
know
pull
from
persia.
You
know
the
the
provenance.
You
know
that
they're
that
exactly
what
you're
getting
is
what
you
would
get
if
you
built
it
off
source
yourself.
E
Right,
okay,
artifactory
cloud,
so
we've
been
talking
about
going
to
artifactory
cloud.
I
don't
want
to
turn
this
into
a
jfrog
meeting,
but
are
you
guys
gonna
have
a
way
for
perseus
to
integrate
into
your
your
cloud,
offering.
D
B
And
I
wanted
to
just
make
a
comment
because
earlier
also
ankit
mentioned,
you
know
your
your
your
jfrog,
so
artifactory
integration
is
obvious.
One
thing
I
want
to
highlight
is
artifactory
is
meant
for
you
to
do
run
your
business
right,
but
what
we
notice
is
that
we
don't
have
the
same
emphasis
that
we
have
for
in
what
homegrown
software
for
open
source,
and
that
is
what
persia
is
trying
to
fix.
B
As
jfrog,
we
will
bring
everything
that
we
know
about
efficiently,
storing
artifacts
and
you
know,
indexing
them
and
doing
all
the
kinds
of
cool
things
that
we
are
doing
in
terms
of
storing
and
retrieving
artifacts.
But
this
is
not
meant
to
default
to
artifactory
or
anything
like
that.
This
is
meant
to
solve
a
problem
for
the
open
source
community
and
which
is
why
you'll
see
that
you
know
we
integrate
with
docker,
because
that
is
what
is
most
used
and
so
on,
and
its
emphasis
is
on
open
source.
Artifactory
focuses
more
on.
E
Right,
we
use
artifactory
to
store
our
onboarded
third-party
libraries,
which
a
lot
of
them
are
open
source.
So
that's
why
I
was
going
down
that
route.
I'm
just.
E
Get
trying
to
figure
out
how
this
thing's
gonna
fit
into
our
pipelines,
because
you
know
we're
not
producing
open
source
software.
We're
producing.
You
know
a
product
that
we
sell,
but
we
use
open
source
software,
so
yeah,
I'm
just
trying
to
figure
out
where
we're
gonna
stick.
This
thing.
B
One
of
the
one
of
the
ways
this
might
might
get
used
in
your
your
system
is,
if
you,
if
you
are
to,
were
to
run
a
small
set
of
persian
nodes,
and
if
you
are
downloading
the
same
things
over
and
over,
you
could
now
rely
on
your
set
of
persia
nodes
to
get
the
throughput
that
you
need
without
having
to
go
all
the
way
across
the
network
and
when
a
new
library
comes,
then
you
can
do
that.
Think
about.
B
B
Now
let
us
know
if
you
have
any
other
questions
offline,
I'll
I'll.
I
put
the
presentation
link
on
the
hack
md,
which
has
all
our
contact
information
as
well.
A
Like
we
give
action
items
to
whoever
joins
to
our
fig
meetings,
can
I
do
the.
A
Now,
if
you
go
to
the
repository
I
linked
on
the
chat,
there
is
a
presentations
repository
on
github
under
cd
foundation.
We
store
all
the
presentations
we
get
from
projects
there.
I
will
create
a
folder
there
for
spy
chain
and
send
the
mail
to
you.
So
if
you
could
export
your
slides
in
pdf.
B
A
Thanks
and
one
last
question
follow-up
of
technology
community
meeting
discussion,
steve
taylor,
mentioned
that
you
are
thinking
of
proposing
persia
yes
by
opening
a
pull
request.
So.
A
So
we
should
monitor
the
tlc
report
to
see
yeah.
D
Yeah
so
so
we're
working
we're
working
on
putting
the
pull
requests
in.
I
think
what
we
can
do
is
send
a
an
email
out
to
the
to
the
talk
mailing
list
to
let
folks
know
when
the
poll
request
is
available.
Maybe
use
that
as
a
thread
to
answer
any
questions
that
folks
have
about
it
and
if,
if
we
get
good
alignment
and
folks
are
in
agreement,
then
you
know
ask
folks
to
approve
the
pr.
D
A
E
A
Okay,
thanks
a
lot
for
this
steve
presenting
this,
it
looks
very
interesting.
I
actually
installed
the
project
and
tried
that,
and
I
I
think
that
was
something
I
mentioned
to
one
of
the
comic
members
as
well
like
we
were
looking
for
something
like
that
last
year,
when
docker
hub
introduced
rate
limiting
and.
A
A
So
with
that
the
next
three
things
of
our
six
should
be
on
july
14th,
but
usually
we
take
a
break
for
six
meetings,
not
just
hours,
but
other
successes
are
during
july
because
people
go
for
summer
holidays.
So
I
will
send
notifications
on
mail
list
and
slack
about
the
next
meeting.
If
we
are
having
the
meeting
on
july
14th
or
not
and
depending
on
the
response-
and
we
can
cancel
those
meetings-
and
we
come
in
after
that
at
a
later
date.
A
But
again
everyone,
please
look
at
qrc
reports
start
watching
the
jose
repo
to
see
when
persia
pr
heat
start.
Also,
please
subscribe
to
your's
email
list
if
you
want
to
get
notified
via
mail
as
well,
and
with
that,
thank
you
again,
everyone
for
joining
and
if
you
are
taking
time
off
very
nice
summer
whole
day.
If
not,
then
we
talk
to
we
see
each
other
in
few
weeks.
Fine,
thank
you.