From YouTube: Software Supply Chain SIG Meeting - Feb 9, 2023
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
It was formed in August 2021, or sometime during 2021, and because of COVID there wasn't much progress at that point in time. Around October or December 2021 they started being more active around this; they started pushing topics out, and one of the blog posts they published, this was October 2021, was this one with this diagram.

A
So you see this diagram talks about developer, source, build, package, consumer and so on, and there are one, two, three, four, five, up to twenty-one different things they highlight, and projects if you see it that way. I failed to see enough emphasis on continuous integration and continuous delivery in this blog post, on this diagram, in the projects, and in the CD Foundation as well. I was like, okay, so, first, watching is pretty critical.

A
All these activities like build and all those things are pretty important, but what about CI/CD everywhere? The CI/CD projects orchestrate all these different CI/CD phases, for example, and that actually triggered the conversation within the CDF, and that's around the time I reached out to you, asking, okay, should we form a SIG within the CDF that will contribute to what OpenSSF is doing?

A
From a CI/CD perspective, because we have the practitioners, we have the projects, and the lack of focus or lack of emphasis on CI/CD could perhaps be accommodated if we start discussing this topic within the CD Foundation, without going into too much detail and without duplicating the work OpenSSF is doing. So that was the purpose of this SIG.

A
Look at what is happening within OpenSSF, the CNCF and other communities and see how we can contribute to this effort based on what we are doing within the CD Foundation in our projects, and what our contributors within the CDF have been discussing, because they deal with these topics within their organizations, because they are practitioners of these CI/CD systems; they maintain them, they hook in new tools, they implement some security checks and so on. So that was the purpose of this SIG. As Leora mentioned, we had quite a loss of activity.

A
We didn't actually continue the discussion around the roadmap, and that kind of contributed to where we are today: we don't have a roadmap, so we don't have clear goals for the SIG, what we are trying to do. But thankfully, David, you were one of the people who actually came with a clear idea, the supply chain security model. That was a really cool idea, and then that group started doing its work separately, so we kind of lost connection to those discussions within the SIG. So that's where we are.
B
That's certainly helpful for me in sort of backfilling. I did want to bring kind of an update back here with regard to the supply chain maturity metrics conversations, but that's a specific topic, as opposed to this broad topic of SIG direction, which I think deserves its own attention.

B
On the other hand, if the attention of the SIG is, well, we should be talking about this supply chain maturity, and that should be where our roadmap is being set, then perhaps the right thing is to pivot over to that conversation now.
A
I think that topic deserves to be in the roadmap for the SIG, as one of the topics, because you are already working on that and I've been part of some of the meetings, the best practice meetings, and the document you created, David, that document was used during the conversations in the best practices as well. So if it makes sense, bringing that topic back to SIG Software Supply Chain and making that part of the roadmap would be a great thing to do. So yeah, I think the topic is like both the supply chain

A
maturity model plus the SIG roadmap would make sense to me, and the other discussions we had, like, again, Brett, you mentioned the event usage within SAS and that we are having some conversations around that, and how we can contribute to CDEvents from software supply chain aspects, could directly be included in the roadmap if you want to discuss that. So we have two topics at least to include in our roadmap.
B
So let me put this on the table, because this is part of what I wanted on the agenda today anyway. Let me just bring an update back here with regard to the maturity metrics, what's been going on in that work stream, and perhaps that will provide some input into this conversation around a roadmap. So basically we've had, I don't know, somewhere between three and a half a dozen meetings over there.

B
The net result is the document that I've linked here in our agenda. If you don't have HackMD open, I'll just quickly share the link here for convenience.

B
So if you don't have today's agenda open, there it is, and there is a link in there to the document that I will call the work product of that work stream. That is a little bit of an exaggeration, and the reason I say that is, and I don't mean this as a pat on my own back, 90... oh, I apologize that you don't have access. Okay, I'm gonna deal with that asynchronously. Sorry. 90% of the work in there,

B
probably more, is actually just me. I was hoping this was going to be a community effort. There were some comments and suggestions here and there from a couple of people at a couple of companies, but by and large it was received very passively in the community. A lot of people expressed interest; very few people got actively involved, even in terms of making suggestions.

B
There are, I don't know, fewer than half a dozen people who actually even made suggestions into that final doc. Because of that number, that's sort of piece number one. So I wanted to bring that doc back here because I want to kind of report on it, and that's where it is. I think the right direction for that doc is to include those metrics in the best practices piece of the CDF website that I would call still under development.

B
It has a whole section there on sort of how to assess the maturity of your CI/CD and how to sort of up-level and what your next steps might be and so on, and this doc captures an awful lot of information that I think could help guide that section. Having said that, I don't want to continue to drive solo here for two reasons, one of them being that I'm sure everyone has seen that Google has announced layoffs.

B
We are more resource constrained right now at Google than we have been in the recent past, and so we're refocusing and trying to narrow focus to a smaller set of priorities. I want to reclaim the time I have been putting into that doc and that effort.
C
So I'm still waiting on access to the doc, but I hear you, dude, and I would like to apologize for not participating more. My company, much like your company, is resource constrained, and I have a huge amount of new...

C
We took on a security posture for the pipeline and the product, and so I've got this huge security thing running around now that's beating me in the head, and I've got compliance coming down because we're trying to get FedRAMP certified. So I'm getting, you know, I ran out of time. So we talked about the holiday, and then, for most people it was a holiday; for me it was like, oh god, I've got all this stuff

C
I have to do. But I'm trying to carve out time to come help with this SIG again, and now we're in February, now I have a little bit better idea what I'm going to be doing the next three to four months, so I'm trying to carve out time to come help and hang out with the team and you guys. So one question I had is: is this doc

C
better served in a git repo where we can do pull requests against it? Because I feel bad that I wasn't able to contribute to this, but I feel like this document would help us with compliance, right, where I could go to my compliance team and tell them, hey look, this is our CI/CD maturity level, right. I've been getting requests for: is the new pipeline going to be able to do this? Is the next generation of the pipeline able to do this?

C
And frankly, if I had some doc that was like, hey look, this is what the community thinks, and this is where we're headed, I'd appreciate that. I don't know if any of that was helpful, but yeah.
B
Yeah, that's really helpful, and to be clear, I'm sure everybody's got their resource constraints for why they weren't more active in creating this, and that's all fine. I'm happy, as a handoff step, to convert this into a GitHub markdown file in a repo for collaboration there and take it out of doc form. I'll be frank: maybe that enables more collaboration?

C
If we put it in the GitHub repo, so we put it in the docs in the SIG Software Supply Chain folder, we don't have to go ask for access to it, right. And not that I don't think we shouldn't, I'm just saying that I don't think there's anything in here, I'm looking through it right now, I don't think there's anything in here

C
we've either done, are doing, or are increasing efforts on, right. So I think it'd be well served to be in the GitHub repo in the docs, and then I could share it with people in my company easier, and we have an open source initiative that we are supposed to, well, I mean, to be transparent,

C
you know, we're a 40-year-old proprietary company that sells analytics software and we haven't exactly been the best open source contributors, and guys like me that have come into the company from the open source community want to help improve that, and we have an initiative to do that. So I've got guys who'd be interested in this, including my compliance team, which might be good or bad. That's why we have pull requests.

C
Right, we call it, at my company we call it digging ditches, right, and I look for guys who don't mind digging ditches, right, because it's not all sexy, right, it's not all hot Rust code that's doing some wasm stuff, right. A lot of it is hard work and documentation. So yeah, now I get it.

C
Let's get it into GitHub and then I encourage all of us to share it with our teammates and friends in the open source community, and then, you know, we should even... so I've got two talks coming up at the Raleigh DevOps Days in April, and so that's another thing we could do to socialize some of these things: bring them up during our talks.

B
Okay, so that gives us some AIs for this doc in particular, and I think, unless someone wants to take the counterpoint, what I'm hearing is we think this doc has value for community ownership by the SIG. That's great! That gives us sort of one roadmap area, I don't know, there's a roadmap item, without sort of further action items around that, to step back from sort of my specific agenda to pose a broader question.
C
So one of the things that was going on right before we kind of broke for holidays was the example pipeline thing.

C
I forgot what it was called, but Fresca or whatever it was, where they were going through and, like, we had some opposition because we didn't want to have any bias towards certain products, certain technologies, but we wanted to have an example, and I thought we were working on a "this is best practice for supply chain" thing.

C
Is that something we wanted to bring back up, focus on again for a little bit more? I don't know, some of my interests tend to overlap the Events SIG, but I mean, we are the Supply Chain SIG.

A
I think it definitely makes sense to look at it because it uses some of our projects, but it doesn't have focus around interoperability. So we can take that and we can perhaps broaden our thinking when it comes to CDEvents and come up with some kind of idea: okay, how could this Fresca thing be made more interoperable, those things within Fresca, and pass that back to the Events SIG saying these are the things we identified based on our conversations within our SIG.

A
What do you think about this, folks? Because I think it is in their roadmap, or it was in their heads in SIG Events, I think, but they don't have enough time or people to look at these aspects, where we can take Fresca as the practical thing and start poking at it and identify things from there, which kind of bridges these different topics within the potential SIG roadmap, because events is one of the topics.

C
Okay, yeah, we could do that. We could take Fresca and apply this SIG focus to it, right. So that makes sense. The thing that, a couple of things: how do I get, so like, security is all I've been talking about for two years with my supply chain, to the point where I'm sick of it. I would love to get back to talking about the fact it's event-driven and it's awesome, right, but all you can talk about is security. So, to swing that around,

C
maybe we should have some best practice, some security piece to this today as well, because, I mean, securing the supply chain, everybody, even people who don't know what the heck they're doing, they're talking about it. So that might be something else that we'd be interested in, and I'm fine if everybody says, you know, shut up, Smitty, I'm tired of listening to you, but security definitely feels like something we should be able to talk about in some context. Maybe.
A
That is archived. That was one of the original SIGs, and all those people, they are in OpenSSF now, so we should probably archive the Slack channel and the repo as well.

B
Okay, so I think what I'm hearing there is, and I agree, Brett, that security is a hot topic, I mean everybody's talking about it, and so fatigue. What I'm hearing there, I think, is that the existence of that SIG should basically be shut down, and the agenda and roadmap around that should be folded into here. Yeah.

A
That was one of the things in this SIG README as well: the proposals, whatever was produced by that SIG, or incorporate their work into this SIG as well, because that focuses on security, and the purpose of naming this thing is to look at more stuff than it does security. You know, right, right.

E
So back to my original speech, as I said, my knowledge in security is, I wouldn't say non-existent, but I would say that this is not my expertise. But I could bring to the table all kinds of questions that the team that I'm working with are challenged with. They're probably small problems; they're not looking at it from the 20,000-mile overview of supply chain and CI/CD, but, you know, day-to-day problems that are related to CI/CD and supply chain and security.

E
Of course, and I actually have one example from last week that we are debating, and we don't have an agreement on what we should do, and I would definitely like to hear from folks here that are more knowledgeable than I and more experienced from the security point of view, and to hear your thoughts. And I would like this SIG also to be a place where we can bring those kinds of questions and hear the thoughts of others. Would that work for the rest of the guys here?

C
I'm more than happy to share my knowledge of pain and misery working in this space.
C
I'm willing to answer whenever, but I want to make sure that, the two things that I worry about is, when we talk about roadmap and focus, I think we should keep our roadmap and focus concise and not look too far ahead, because I do that at work all the time: we have this huge roadmap and I'm like, okay, what are we not getting done this year?

C
Sorry if you hear my dogs barking in the background, but yeah. And then, so I'm more than happy to do questions and answers, and I'm also happy that if we want to have people come to this SIG and say, hey, I don't want to do this in the SIG, but can we set up a meeting outside of the SIG? I'm more than happy to come and talk about the stupid things I've done over the years and how I've fixed them and how I have not fixed them.

B
To sort of step back to this roadmap question again, I think what I'm gathering so far from this conversation is there's sort of a standing agenda for this SIG which effectively has two broad topics. The first topic is around security, and the second topic is around maturity. They're obviously related, but in both cases we want a standing agenda for both presentation of best practices as well as sort of problem statements and discussions around specific aspects in either of them.
D
Yeah, I know, sorry, I've been primarily listening and also came in with the priority to just listen, plus I got kind of distracted by colleagues, so... okay, that's okay. The thing is, I've been thinking, well, we had a call the other day and I don't want to derail this discussion about defining the scope of this thing by bringing in different perspectives or different things.

D
That can also be done just for the other two on the call. I was wondering if we should have in the TODO Group of the Linux Foundation a more OSPO-focused group of people that are taking material out of various communities regarding security, just like CDF and others, and then compile that with an OSPO (open source program office) focus, and this is what I discussed with David the other day.

C
I'm up for whatever. You know, we do have a Slack channel; we can discuss what we want to do outside of this SIG and other SIGs. I'm all for more contributions to the Linux Foundation and stuff like that. So anything, you know. Again, I'm resource constrained, much like David. I have an email standing now about how I'm going to prevent developers from deploying stuff

C
without permission. It's just wonderful, because we've never really done that before, because we kind of trust our developers, and now we can't.

C
Yeah, if you understand that email that I'm talking about, that is waiting for me when I get off this call, you understand my time constraints. But yeah, no, I'm all for it, whatever I can. I mean, it'd be interesting.
B
George, should we perhaps... I highlighted two standing agenda items. Maybe there's a third one, which is around OSPO and the interactions. I mean, we're all working at companies that have, I'll call it, a love-hate relationship with open source, right. We're all contributing, we're all using it, we all spend some time contributing to it, and I'm going to bet that in all of our companies we had questions around what's the value of contributing all our work to open source. Yeah, or...

C
Yeah, I'm all for that being the third topic of this, because the supply chain, David, you probably run into this a lot.

C
We constantly have this not-invented-here syndrome problem, and there's the "is there an open source tool that does this?", right, and then I go and find the open source tool and then I have to beat it with a hammer until it's a tiny silver ball so that it works for my stuff, and it no longer resembles the open source product that it was. Or do I not waste time beating on that open source product and do I just go write it myself and not open source it? And so this is a problem

C
we've had for a long time, and these are things that, if we could get some guidelines, some help, something you can take to your management chain and go, look, this is why open sourcing this cool thing we're doing is important, right. It's not part of our product we sell to our customers. The community would like to see this, right.

C
Those types of things are things that I deal with every day. I mean, I presented in the Events SIG about my event-driven software that I wrote to drive our CI/CD so fast that people freak out and ask me to stop it, and the first question out of everybody's mouth was, when can you open source this? And so it took me a year to get it on the roadmap, and we're going to try and open source it this year, right.

C
But if we could have just started open source, and if I'd had some way to go, here, look, this is what the community says the value is of us starting with this as open source, I would gladly contribute to anything we can do like that. Is that kind of what we're talking about, or am I misguided?

D
Yeah, okay, sounds good and cool, but yes, exactly, you summarized it quite well. Interesting to hear that it's not just our company suffering from the not-invented-here syndrome.

C
Yeah, I've got 40 years of not invented here.

B
If you read the Google software engineering book, it talks about our internal monorepo, and it was...
C
Because I'm stuck with Gerrit inside, and then we're trying to move to GitHub now, so I've got a PBS, GitLab and Gerrit, and the only thing I'm missing is Subversion. But...

C
Yeah, no, I think we should start a comedy SIG based on the stuff that we see at our companies. I blame... a running joke too, David, at our place is that we've got, so we have Gradle and we have Mage that we use for Go, and we have Makefiles running around, and we've got some other

C
CI tools, but every time somebody says, what are we going to replace them with, Bazel is what we say, and so yeah, and I believe that's Google's fault, and we all looked at it about five minutes ago. No, no, just...

B
No, Bazel is really hard to adopt. If you can get there, it is astoundingly good. I mean, right, I could tell you stories about the value of Bazel. So that's...

B
Security, yeah, maybe.

C
I just told you guys, I've got four SCMs; we're trying to get rid of all of them and go to GitHub Enterprise so that Microsoft can have a lot of money. That's the type of stuff we would talk about in maturity, right. Definitely.
E
Okay, I don't know if you know, it's an Israeli company, I'm just proud that I'm Israeli, yeah, but it's unrelated, it's just off topic. Okay, one of our pipelines is supposed to have an image that Artifactory is installed in, or actually the CLI of Artifactory needs to be installed there, and in order to install the CLI there is a GPG key. There is a, you know...

E
I wonder, like, I had multiple discussions about whether this is the best practice to do that or not. What are the implications? I've talked with security guys, I've talked with folks that are in the industry, in my area of colleagues that are not from Reddit, and they all have different opinions of how to use that. Again, I'm not an expert in GPG, nor in security, but my gut feeling says that this is the wrong thing to do.

B
Backing off from my statement, so what you're getting into here, at least here's what I'm hearing you're getting into, is what we call the key distribution problem, which is you need to verify some product and you need a key to do the verification, and now the question is: how do you know that you can trust the key? How does the key get distributed in a trusted way?
B
You know, the most trusted way would be, Leora, for you and I to meet in person, to check each other's passports, for me to hand you my public key, for you to take my public key and encrypt it with your private key, and now you've got a secure copy of my public key, right, and now, you know, repeat ad infinitum and you've got all your public keys certified. That's obviously not realistic.

B
So as an example, if I decide I trust GitHub, then if your public key is in GitHub and I decide that I trust the commit history for that key, then I trust the public key from GitHub and can use it to verify any work product that you give me that that public key can verify. But notice that there were some big ifs in there around my root of trust, and my root of trust is not simply a question of do I trust

B
the person who committed this to the GitHub repo. I don't know if you've seen, I've got a repo in GitHub where I demonstrate how easy it is to make a fake commit history; it's trivial in GitHub to make a completely forged commit history. But I'm also asking the question of, well, do I trust the engineers at GitHub that they're not changing this stuff? What about the hardware that GitHub runs on? So I have to at some point declare, this is my root of trust and I don't dig down any further.

B
In other words, I have to make some declaration about my leaf nodes, where I'm going to stop. For most people, those are not... you know, that doesn't mean walking to the very end leaf nodes, right. It means stopping somewhere along the way. You know, in terms of certificates on the web and the way you use your browser, your browser comes with a set of certificates installed. For most people,

B
those are the leaf nodes that they stop at, but you could ask the question of: do you trust them, and are you going to stop there, right? Do you want to do further verification than that? So how do you answer the question of what are my leaf nodes, or what my root of trust becomes? That question is, well...
C
I liked the description; I liked it, it's better than I would have said. So I will add my two cents. So we're moving to GitHub. I don't like public keys or any key in git repos. I posted gitleaks; we have that in our linters that run in the pull requests so that we at least try and find these things to flag them. To David's point, if you're going to trust Microsoft and GitHub and the hardware they run on and the software they write,

C
okay, so let's say we stop there and say, okay, we trust GitHub enough to put our public key in there, because this is a public key. Then I would say, what's the security practice on that repository, right? So if you lock that repository down where only the robot can get to that repository, right, that is doing the work to check the CLI,

C
you can definitely go that route. Now, my question to you is that you could have created a repo that has the CI that does the pulling of the code, pulling the CLI down, right, and in that repo you could set that secret, you can set that GPG key as a secret in GitHub, and then, as long as you trust Microsoft and GitHub, you're even more secure now, because no one can go mess with that except org admins, right, or the repo admin, depending on what level you put the secret at.

C
So that would be a case. It's kind of like Kubernetes, right. So the case where you put your secrets in the Kubernetes secrets and you're trusting that Kubernetes is secure, right, for a public key for JFrog.
E
It's like, just a second, and the second question is, eventually, in order for the GPG key to land in my git repo, a human needs to go to the same website to download the GPG key and to push that to git, okay. This is a manual intervention which, in my gut feeling, I'm losing the chain of custody here between the website, the JFrog website, and the git repo.

E
Nothing is established there, right. But when I'm building my container image, and eventually I'm pushing it to a registry and stuff like that, I have a log that shows what I've done, and I can even define an extremely high level of verbosity for the downloading of the GPG key and the package,

E
if I want to, right, like from which IP address I've downloaded that, and it's happening by an automation, right, so everything that is done between, you know, this file in transition, is something that is logged in the log file and I can see and I can validate what happened, and there is no human in the middle, no man in the middle that can, you know, enter something that is malicious.
C
So this brings up provenance, and one of the things that I read about provenance that has stuck with me is that provenance should be machine generated and not able to be falsified.

C
Our company, basically we were at the board yesterday planning, and we had a sticky note and it said third-party automation, onboarding automation, right. And so you take the process of onboarding third-party utilities and you automate it, so that you generate provenance as you're onboarding them, right, and then you put the stuff in a secure...

C
well, I will say registry, but you understand, like a secure place. And so once the provenance is generated and you put the third-party piece in a secure place, your CI only pulls it from that place. It doesn't pull it from JFrog every time, where there's a chance of a man-in-the-middle attack, right, or of something being falsified. I'm not saying that's easy, I'm just saying that that's what we are planning on doing in the coming year: no more curl-pipe-bash stuff off the internet.
B
So, okay, if I give you my work product and I give you a provenance that goes with it, you need to be able to verify that that provenance is real.

B
I then revoke your ability to verify the provenance, and now I can deny that I had anything to do with the malicious product that you go and deploy. So you go deploy my work product in production, bad things happen, you go follow your audit trail to figure out who made this, you can't figure it out! I've been able to repudiate.

B
Okay, okay, so I can deny any association with the work product. This gets into details of key signing and all kinds of esoteric fun, but non-falsifiable and non-repudiable, like, there's a better word than that and I can't come up with it. It can't be repudiated is what I'm trying to say, but there is a better word and I can't think of it, at any rate.

B
So that's sort of piece number one. Piece number two: the reason not to keep your public key in JFrog alongside the artifact is, now, if I have admin in JFrog, I also have admin over the public key. So as a single administrator I can falsify the artifact and falsify the key in one step in JFrog. If you have the key in GitHub or some other location and the artifact in JFrog, and no one person has administrative authority over both, I now can't do that alone.

B
I need a second party to collaborate with me, so that adds some security. Now, as you pointed out, Leora, and you're 100% correct, doesn't that also increase my risk? Now I have to trust two locations, and the answer is, again, you always have to balance risks. Yes, it increases your attack surface. On the other hand, your attacker has to hit two places, right, and be able to make changes in both of them.

B
The other thing I'll call out is there are other techniques here. If you look at Google's... sorry, this isn't meant to be an advertisement; it's just meant to be a description of an alternative approach. If you look at Google's KMS in our cloud offering, our key management system, no human can even download the private key.

B
The private key is maintained in the cloud and you basically can use commands to sign artifacts, and it also has built-in key rotation, so that if the key rotates every 30 days, it knows that an artifact signed during this time frame should have been signed with this version of the key, and an artifact signed during the next time frame... So you think about your artifacts that you deploy to production.

B
Some artifacts sit in production for six months and some are replaced every week, and you have to be able to verify both. So what KMS lets you do is it lets you point at a key in a key ring, and the key has different versions. You don't have to point at, though you can point at, the version of the key if you want, but you can point at the key itself and not at the version, and it uses the right version for the particular artifact, which is actually pretty cool.

B
What this enables, among other things, is, if version three of the key gets compromised somehow, I can revoke version three, and everything else that has been signed with that key with a different version is still valid. It only revokes the key against version three, which is actually pretty cool. So, I don't know, I can't imagine

B
Google is the only product out there that offers that. It is the only one I know about, but, you know, the feature is out in public, so I'm sure other people, if they don't have it already, are looking to develop similar things. But key rotation also needs to be part of the security story there.
E
Yeah, interesting, thank you. Thank you for your feedback. Really, it's in how they say in English, I need to think of the word. I will find it eventually. I can't find the right word right now to express my thought. Sorry.

C
A lot, so, to be clear, all of us have this problem, so you're not alone, and a lot of the solutions that I've seen recently are nascent, and, how do you put it, this space, I described it as this: so I was working with the in-toto project on trying to use their tools to do provenance, and they've got a spec and they've got some tooling to do this.

C
We haven't all solved this security dilemma yet, and then, like, if Google would have open sourced that KMS stuff we'd be a lot closer, because that stuff's awesome, but not all of us are in GKE. Some of us are slaves to Microsoft and Azure.

C
Okay, if you guys don't know, I work for SAS Institute and we're based out of Cary, North Carolina, not that it matters, just that I did a bunch of open source, I worked in startups, and then I worked for IBM, and I'd work for a startup and I'd go back to IBM, and I'd work for a startup and then I'd work for another startup, and then the last startup I worked for got bought by SAS, and now I play soccer every day at lunch and I refuse to quit and go back to startups. But anyway, so yeah.

C
We all have this problem and we all have this discussion, and our discussion in my group always ends with key management's hard. Is that... that's...

B
Yeah, I mean, key management is a big and not well-solved problem in most spaces today. I'll call out SPIFFE and SPIRE, I don't know if others are familiar; in the open source space they're trying to deal with this, and they've got pretty good, if not quite yet complete, solutions, I will call it. I think they'll get to a complete solution. Yeah, that one comes up for us when we talk about in-toto and SLSA and provenance, right, yeah.

C
I do have on my roadmap this year to help contribute to in-toto, among the 900 other things on my roadmap for this year. So, any other... we're almost at time. Any other quick things we want to shout out about, or anything? I hope to make the next meeting and continue to make the meetings for the rest of the year. So...

B
So I'm going to take the AI here to sort of generate our standing agenda and post that out into the Slack channel, so people kind of know what to expect from this SIG meeting going forward, and hopefully we will generate some interest and have some more. This was an interesting conversation. I'd love to have more interesting ones like this one. Yeah, yeah, this was fun.

C
There's some really cool stuff, but I also was glad we made it to the whole meeting without talking about blockchain. Thank you.