From YouTube: Software Supply Chain SIG Meeting - Jan 12, 2023
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
B
Okay, yeah, it somehow rings a bell. I've seen your name somewhere before. Certainly I'm...

B
No, no, no, but somewhere on the internet maybe, or maybe just going through the meeting minutes of this call, I mean, that would be the most logical thing. Yeah, I'm with Ericsson, I'm in the Ericsson OSPO, so a former colleague of Eric's, of Ericsson, yes, sir. No, Fatih, that's what I wanted to say. So this is why I know him, and I've attended this call way too few times, even though Fatih kind of invited me to it. I'm currently trying to focus on supply chain security, trying to get some folks internally kind of going. I'm spending most of my time around the OpenSSF, though, at least trying to follow what's happening there. But, yes, there are plenty of places these days that look at supply chain security, and yeah, it's hard to follow all of them, but it's always interesting.

B
Tekton is a fundamental part of that, they just... For some time it has been a part of it, and now it's called FRSCA, I think, right, to make it a bit less confusing.

A
Yeah, it's interesting. It's an interesting topic. Actually, my own knowledge is almost zero in those areas right now. I don't know if it's related, but I am right now working on how to connect a GitHub runner, or GitHub Actions, with AWS, with the authentication. Is that something that is related to supply chain security, or is it unrelated at all? What do you think, George?

B
I think it is related. So many things are related, but I think this is part of the trustworthiness of your build process, right? So on that level, I would say there is certainly a connection. You should have trust in your build environment, and authenticating your runners that you connect to your CI pipeline somehow relates to that, I would say.

B
Your feedback, well, or as a kind of... what do the others think? And the question is why, yes, well, is this a topic you'd like to bring up here on this call? I'm just curious as to why you mentioned that.

A
I'm also a co-chair, but I was a long time away from CDF for personal reasons, so I'm a little bit out of sync. And David is a new co-chair, and I had hoped that he would join and would lead this discussion. So I don't have a formal agenda right now. This is something that I will need to discuss with him in the background, but maybe we can do a round table, and maybe, like George, you mentioned that you want to discuss the topic of supply chain security.

A
So this is something that we can put on the agenda for the next discussions, or we can do a discussion here as well during this meeting, just to collect your ideas, because we don't have a formal agenda. I'm just trying to find something that will make this meeting valuable enough for all of us. So does it make sense to do a round table?

D
Sure. I just want to confirm: this is the supply chain SIG meeting for CDF, right? I'm not in the wrong one. Okay, perfect. Yeah, so I've been in these meetings in the past; I think we did a couple of presentations. So hi, I'm Parth. I work for a supply chain security startup called Kusari, and we're working on multiple different projects in open source. One is called FRSCA, which is a secure build kind of, you know...

D
What George was mentioning in terms of how supply chain security is looked at is like: okay, are you ensuring that your build process is secure, right? So we handle that kind of stuff. And then also another big project called GUAC, which is more on the observability piece. It's like: okay, now that you have all these SBOMs and attestations and so forth being generated during your build process...

D
Can you actually visualize all this and make connections and utilize all this metadata to make policies that you can use to run for your runtime environment in the future, right? Can you make sure, if you're running something, that it meets all the criteria, such as your transitive dependencies or your direct dependencies don't have critical CVEs that could be blocking it, it has proper attestations associated with it, it's signed by, you know, people you trust or organizations you trust, and so forth.

D
So those are some of the things that we're working on. So last time, I know, back when Fatih was leading, I did show off FRSCA, so I would be happy, you know, during the next meeting or so, to show off GUAC. I don't think I have it in this meeting, so if people are interested, I can show that piece off.

D
So I am in Michigan for the time being and then moving back to the East Coast, so it's still all Eastern Time Zone, and yeah, the whole company is basically remote, so a lot of us are all over the place. My co-founders are in Connecticut, New York, and mostly East Coast based at this point, but yeah.

A
Okay, from a DevOps engineer's point of view, you know, I'm a little bit confused with the terminology lately. So this is why I've asked my question over the Slack channel, because I'm a bit confused. I don't know what to put in, you know, to describe it to my colleagues and to put in my LinkedIn. It's just like, I don't know. So, okay, so we want to discuss and present the supply chain security stuff. Any other topics that might interest you in your line of work, and what's, you know, like?

A
This is the problem, right, that if you're working with a certain cloud, you don't want to share your creds with the service itself; then you want to maintain your own runners in your cloud to give those credentials. You know, there are all kinds... I'm working with AWS, so I don't know if you're aware of this technique of attaching an IAM role to an instance, and then, if you're running something inside of this instance, then all the authorization that is provided for the IAM role is immediately adopted by the workloads that are running inside of that instance.

A
So if you're hosting your runners, your self-managed runners, inside that kind of instance, then you don't need to distribute credentials and use them, you know, in all kinds of variables inside the service itself. Like, I don't feel comfortable sharing my, our credentials, and it's also a static way. So if there is a leakage, in order to do a rotation, you need to revoke the current credentials.

D
So what we do is that we have our own... so we use Tekton underneath, so we don't have to deal with having our own runners. So we can control the whole environment. Basically spin up, you know, how it does it, right, it spins up the ephemeral environment, and then it does whatever it needs to and destroys everything, right.

D
We use, for example, we use Vault or other, you know, key management system kind of thing to pull in the keys that it needs at the time that it needs them, and then we actually utilize SPIFFE/SPIRE. I'm not sure if you're aware of what that project is, but it's another open source project, and it provides short-lived certificates also, so it has the ability to validate, using OIDC, to validate, like, okay.

D
So, for example, Tekton Chains needs to sign something, so it needs to pull out a specific key from the Vault or KMS. It can authenticate itself using this short-lived certificate and grab this public key, usually, and then actually not even pull out the actual keys. So there's another plugin called the transit plugin, I forget the exact name for it, but that's part of Vault, so what happens is actually the key never actually leaves Vault, and it actually uses that to sign your images and so forth, whatever kind of artifact you want.

D
So that's how we get around all this, so we're not really relying on IAM policies and so forth. We're kind of just, you know, designing short-lived certificates and kind of just managing everything ourselves, so that we have confidence that we're not... You know, we have confidence that we can keep rotating certificates around; they're short-lived, so even if they get stolen, it doesn't matter, it's invalidated after the pipeline is done running, kind of thing.

A
Interesting thing. One of the topics that I've noticed in my team about Tekton is the lack of interface with... we are working with GitLab, but I think it's the same for GitHub as well, the lack of integration with the PR or MR. So, you know, like the triggering part and sharing the information and all those core features that can control the triggering and re-triggering part of the pipelines.

D
So that's what we're trying to work on right now, and we're solving that problem, basically. So you can automatically trigger it based on your PR or your, you know, merge request, whatever it is, and it will automatically pull in your code and do all the work for you, and then, you know, give you some kind of status and output back into your actual issue and so forth, and block it if it, you know, doesn't work, and all that kind of stuff.

A
In order to have permissions to query the upstream repo, like a specific service account, you know, that has permissions on the upstream repo, so that when you're running the pipeline, it has the permissions, and, you know, it's like a little bit... the user experience wasn't that great. That's right!

B
Right, the kids just showed up, sorry, so I muted and we got unmuted, yeah. That's a tricky question with a very hand-wavy answer from my end. I'm personally not working with pipelines myself, to be honest, as I'm working in the open source program office, which is, unfortunately, way too abstract sometimes to actually deal with that. Across Ericsson, I guess we use all of the tools, but then again, I thought he might, based on his prior experience, have a way better insight, being a former CI/CD expert, in that regard. So yeah, as I said, it's not a very surprising or not a very satisfying answer from my end.

C
Yeah, I can answer for him. Yeah, Jenkins, Spinnaker, because they are, I think, these are common in different organizations as well, like Jenkins, Spinnaker, and I think Argo as well, so it's pretty similar; the technology stack used for pipelines is pretty similar to other organizations. The biggest difference, that is what actually resulted in Ericsson contributing to CDF, is this event protocol, which has been developed by Ericsson and open sourced around 2016. Now that work is actually done, like, that experience is being contributed to CDF under the CDEvents project, the SIG Events group. So because, when you use multiple pipelines, you have this issue with interoperability and so on, and that's perhaps at a higher level than the pipeline engines underneath. So that's something I can highlight as something different than the traditional CI/CD pipelines.

A
Okay, yeah. Are there any other topics that you would like to discuss, raise, or suggest? Do you want to suggest what we want to achieve, or what will be our goal for 2023 in this SIG? Fatih, you probably have the best context, because you were the chair, the co-chair, like.

C
Yeah, I think we started discussing what we should be doing, like, during 2022, when we formed this SIG, but, like, over time we didn't do... I also take personal responsibility, we didn't do a good job of creating some kind of roadmap. Maybe this could be a potential topic for the next meeting, saying: okay, we have had this SIG in place for about a year now, and there are lots of other opportunities and communities working around this topic, like OpenSSF and CNCF. Maybe we can work on some kind of roadmap as a SIG to document what we want to achieve, like Parth summarized the work they've been doing, you know, FRSCA and GUAC, so those things could perhaps be referred to in it. So we avoid duplicating efforts and instead use those things as a basis, because that was the idea when we first formed the SIG last year as well. It was called Secure Software Factory at that time, and we were thinking of looking into Secure Software Factory from a CD perspective. So, long story short, I think having a topic to discuss what to do in 2023.

A
Yeah, and I think that the first, maybe from my point of view, and I think that I already asked that, but maybe now I will ask the same question in a slightly different way, like: George and Parth, what do you want to achieve in this SIG, like, in participating in those meetings, or any effort that will come up? Like, what do you want to get from it?

D
I think personally I'm interested in CDEvents, right, CDEvents and CloudEvents, in terms of how that would all integrate together with some of the tools that are being used in supply chain security, and just maybe kind of fleshing that out more.

C
CDEvents is a project that aims to create an event specification for continuous delivery. It's currently focusing on the basic core events, context and content, and there have been some conversations around whether supply chain security related events could be created and made part of the events, and vice versa, that type of discussion. So yeah, Parth, I think that is a good topic to discuss as well. Then we can go back and provide feedback to the project and perhaps contribute to that effort, streaming these things into CDEvents.

B
Yeah, so as I said, the reason, maybe, I don't know if I mentioned that, I'm looking at this supply chain security topic right now from a relatively high-level and broad perspective, and my primary goal is to build a good understanding of what's happening across the various communities, projects and initiatives that are ongoing, and just to add to the proliferation of things.

B
What I have in mind is, as I'm like an OSPO person, we have had discussions in the TODO Group, you may or may not know, which is like a Linux Foundation initiative geared towards people in OSPOs, in open source program offices, wondering how the TODO Group can consume the good information and solutions that are being developed in the various, let's say, content-focused or solution-focused communities like CDF, like the OpenSSF and other places, and create material that is useful for OSPO people to consume.

B
Because, based on my experience, when I look at that problem, so to say, there's a lot going on. There's a lot of pressure on organizations to deliver secure software, and you may also know about all the discussions and the regulatory discussions around, okay: do consumers of open source software, like the large companies, do they need to take more responsibility to support the sustainability of the open source ecosystem, right, by contributing more to the projects, helping projects, and not pushing, not demanding, but helping them to adopt a better security posture and so on and so forth? And an OSPO, I think, is, at least in my company, a place that needs to realize this and try to drive this down into the organizations, into the development organizations that do not necessarily have that on their radar.

B
They primarily like to consume open source leadership and push out projects. So that's, as I said, the very broad picture. How does that relate to this? Well, this is a supply chain, in parentheses, security focused group with a specific focus on CD, and that is very important. So from that perspective, I'd be interested in best practices, in references; I don't want to necessarily call them reference architectures. These kinds of things, but stuff that is valuable to show to internal folks, or to invite them to join this activity and broaden their typically very much internally focused horizon, and stop them from building their own solutions to the problems that actually everybody has. So this was a very long and winding answer again, but I kind of tried to explain, hopefully, what I have in mind.

B
So, as I said, I'm not working on a project specifically myself, not something like, I'm contributing to FRSCA or anything. So from that perspective, I'd really like to more kind of help those organizations to work together, build the bridges and so on, organizations meaning different communities that are looking at the supply chain topic.

A
Yeah, on the contrary, if I know that there is a person in my meetings that has, you know, a baby, bringing it onto the meeting, I want to see, you know. I'm such a person, I'm like a mama in my... you know, I'm already a grandma, by the way, so, you know, my maternal feelings are overwhelming me sometimes, yeah. So back to the topic.

A
I just want to summarize what I understood from you guys, just to say that I'm on the same page as you are. So what you're saying is: let's use this stage to flesh out other SIGs that are working around those kinds of topics, and even commercial products, commercial but based on open source, if I'm not mistaken. If we think that we need to shift to something a little bit, you know, like totally commercial, I'm open to everything that can be, you know.

D
So there is documentation made by, like, the CNCF and so forth that has this kind of purpose, in terms of: okay, what are the best practices, what is the reference architecture for supply chain security, and so forth. That's been done already, so I don't think that it would be valuable to do another one.

B
Well, lovely, yeah, yeah, only when you're on the other side of the screen. I know, she's four, yeah. Right, so totally agree with Parth. So there are two things.

B
First of all, yes, I would like to get some good documentation out that is kind of aligned, I think, with what I hand-waved as a goal from my perspective, but again, we should not duplicate any work that has already been done, and to some degree I may want to focus this down again on creating material that can be used, yeah, also from an OSPO perspective. Open source program offices, that's like... yeah, I'm sorry, that's like, so.

B
An OSPO, well, typically an open source program office, is not doing product development as such, but we kind of oversee how Ericsson uses open source software internally and what we do externally. And so this is why I kind of keep myself a little bit more abstract from product development.

B
But on the other hand, as I said, since we are overseeing how we work with open source software, it is certainly on our agenda to make the entire company more aware also of what's happening outside, because we do see that, especially in large organizations like ours, there's always a tendency to just try to solve things with, let's say, internal approaches, and when you look at supply chain, it's by design a distributed process. You don't solve it well by just looking at your own company. So that's my OSPO head, and from that perspective, I'm...

B
From that perspective, this group would provide some of that input, with the CD flavor, to, let's say, the overall picture that I'd like to paint. Again, that's just a high-level plan; it's not at all fleshed out, but that is kind of why I'd like to listen in to what's happening here. So, as I said, I'm probably mostly listening in and trying to wrap my head around the good solutions, like FRSCA and others, that are being discussed and presented here.

A
No, no, no, maybe my hearing was not that good. Okay, interesting, she's so lovely, she's bored, I know, I can see that. So maybe we can wrap up right now, and maybe we can continue the discussion offline over the Slack channel, just to make that a little bit more concrete for me, to understand what I can...

A
What I can do for you guys, if I can. Okay, would that work for you? Are you connected to the Slack channel? Perfect. So let's stop for today, if that's okay with everybody, and yeah, thank you for attending, even though it wasn't easy for everyone; it was challenging. One was a little bit ill and one is babysitting his kids.