Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
B
Is there anything we'd be interested in, in this SIG, that would be like an end-to-end view, maybe?

A
I think that makes a lot of sense. Like, events topics could be presented there, and the security aspects could be presented here. It may increase your work, but you can repurpose some of those slides, perhaps. So I will ping you on Slack and then we could set a date and put it on the agenda based on when you are available.

B
Yeah, I'm gonna... yeah. I can't promise you. I mean, I've got a lot of stuff at work on my plate, but I'm gonna try. Well, I doubt I'll get to it before I go on vacation, so it'll probably be the middle or close to the end of September, because I'm gonna be in Portugal for two weeks coming up.

A
Yeah, that works fine, I think. Yeah, end of September. We should have a meeting, like the 22nd of September, or in October; we can discuss that one on Slack. Okay.

A
What works for you? Okay, I see most people joined. So let me put the link in the chat and share my screen, and I hope you can see my screen and the agenda document as usual. If you could record your participation in the document, that would be great. Today on our agenda we have an action item from our previous meeting on David. Let me check if David joined. David is not here yet; I will ping him on Slack. And then the next topic is supply chain.

A
Security journey for Jenkins X. We will have a presentation from Osama, and the other topic. Osama will have the first half of the meeting, and then we'll have a conversation around the supply chain maturity model, led by David Bendory.

C
Okay, that's good. So hello everyone and good morning. I am Osama Magdy, contributor of Jenkins X. Today we are going to talk about Jenkins X, what it is and how it is a promising approach to a CI/CD solution, and about our journey towards supply chain security: what we did for now, what we are going to do later, and how it's going to be very useful for our users. So our agenda for today is: we talk about Jenkins X, a simple introduction about its features and how it's a promising CI/CD solution.

C
Okay, first of all, if you have any question, please stop me anytime. I can't see the chat because of the shared screen, so feel free to raise your hand or just open the mic and say your questions.

C
Jenkins X is a cloud native solution that aims to provide our users with the ability to build CI/CD systems in an easy way. Our pipelines run natively inside your Kubernetes cluster. With Jenkins X you don't need to manage an external server to manage the CI/CD system for you; it also runs in the Kubernetes cluster itself. It has its own CRDs, it talks to the API server and starts executing the pipeline jobs you created for it.

C
We are built above, we leveraged, Tekton Pipelines, which is another cloud native CI/CD orchestration tool, but Jenkins X aims to extend their reliability and ease of use. With Jenkins X we enable our users to develop CI/CD solutions without the need to have a separate DevOps team.

C
This also includes a set of different features like multi-cluster GitOps, secret management, and ChatOps. With multi-cluster GitOps we allow Git to be the single source of truth for all the clusters that you manage, while Jenkins X secret management and ChatOps, which is a very good feature, allow for triggering events like pipelines or testing pull requests through typing certain commands in the pull request chat. And all of this is integrated natively in the Kubernetes cluster you use.

C
In short, you focus on writing great code and we focus on building it for you. Supply chain security with Jenkins X: as we are an all-in-one solution and we aim to be an end-to-end solution as well, we realize the importance of supply chain security in the current era, and we aim to provide it out of the box for our users. So not only to secure Jenkins X artifacts, but also to make it an applicable step in your pipeline developed using Jenkins X.

C
The current agenda for the project includes SBOM generation. SBOM is short for software bill of materials, which is a great way for detecting vulnerabilities and protecting against outdated software that may include malware. Also, it's useful for license compliance, for more than one purpose.

C
The other type of integration we're going to use is integration with Tekton Chains. Tekton Chains is another solution from Tekton that aims to allow for cryptographically signing artifacts and storing them in a more convenient way. The current stable, finished state of Jenkins X is SBOM generation support.

C
We reached the state where you can generate SBOMs and store them next to your artifacts, and also we can use tools like Grype to detect our vulnerabilities. This will be spoken about next. Okay, so a good introduction: what is an SBOM? It's short for software bill of materials, which is a formally structured list of components used to identify the certain components that built this software.

C
The Git commits, the SHA, all of this is included inside a formally structured list that aims to be machine readable, so it can have automated checks about it. And what we are going to have: it's also useful in ensuring the integrity of the people who created the software, the organizations. You can make sure which one created the software you use, whether it's already an authentic software or it's tampered with by some hack.

C
Okay, one of the investigations we made was talking about SBOM formats. There are three different formats: SPDX, which is short for Software Package Data Exchange, CycloneDX, and SWID tags. All of this is talked about in this Jenkins X blog post. We will share with you the slides after that, and you can refer to the blog post on the Jenkins X website. But for the current use case of Jenkins X, we settled down to use Software Package Data Exchange; it's adopted by the Linux Foundation.

C
You may see generation tools that include those fields and include others that don't exist. One of the essential fields that must be included in all tools is the package information, which means that with every package that's used inside the system you are building, it should have metadata about the creation, the license, the version and the Git commit, maybe, for the last build.

C
SPDX has improved continuously to meet the NTIA requirements and situations until the latest SPDX version 2.2 we spoke about. It also supports different file formats like JSON, YAML and XML, and you can view different examples, if we can show you this. Maybe now.

C
This is maybe a JSON file. This is the metadata we spoke about, the document creation information, and the packages included. It includes this package with SPDX ID, the download location and all these things.

C
Can you see this now?

E
Yes, yes, yes.

C
Okay! So these are the fields we were talking about in the SPDX specification. It includes the metadata about the document itself and the software that is created, and after this there is a packages object which includes an array of all packages, or a list of four packages. It includes a package name and then an SPDX ID for this, the download location and files analyzed. Okay. So anyone have questions for now?

C
Okay, so we can start another investigation that we made, which is talking about SBOM generation tools. What are the tools used to generate these SBOMs? So SBOMs are aimed to include all packages. So if it's a big project like Jenkins X, it may contain hundreds or thousands of lines of code or of documents, so it has to be generated automatically inside your CI/CD. So we searched for several open source tools to generate SBOMs.

C
The list of all tools we investigated is written inside this other blog post by Jenkins X, and we settled down on using these three tools. First of all, Anchore Syft. Syft is a CLI tool developed by Anchore to generate SBOMs from different artifacts. It can generate SBOMs from Docker images, file systems and also binaries.

C
It supports creating SBOMs in SPDX or CycloneDX and JSON format. We mentioned earlier that for Jenkins X we settled on using SPDX, so Syft was a very good choice for us. After that we decided to use ORAS.

C
If you created an SBOM for container images, you also need to store it inside the same artifact repository you are using, and this is not possible in the usual case, because they are documents, not OCI images, and a hack for this would be to build a local image and store the SBOM inside it. But with ORAS; ORAS is a CNCF sandbox project.

C
It supports storing those documents, or any non-binary file, in the final layer of an OCI image, and also it's a good use case for our SBOMs, which can be generated and stored in the same place we are releasing the Docker images. So when we create a Docker image, we create the SBOM for it and store it in another OCI image with ORAS, and we push them together.

C
The last tool we use for SBOMs is Grype. Grype is another tool developed by Anchore and it's used for vulnerability detection from SBOMs. So how are we gonna use SBOMs? You generate this, and it has all the packages you use, but how can you detect the vulnerabilities and how can you use this in supply chain security? This is done by Grype. It scans the generated SBOMs from container images and other file systems.

C
This is Jenkins X's jx3 pipeline catalog. In this pipeline catalog we include tasks that may be useful for our users to include in their pipeline system. So if we go first to the supply-chain-security folder, we have this task.yaml. With this task.yaml we have two steps. Maybe that will not shift.

C
Okay, so we added another step. We added the other step to install Syft, to generate the SBOM documents from Syft, and we use ORAS to push it to the container registry you are using. On the user side, you can reference these documents like here. So this is how our users are going to use this step using the jx3 pipeline catalog.

C
We are referring to their pipeline in the jx3 pipeline catalog, this release.yaml, which is a pipeline that runs when a release is triggered. So you go inside the steps. This is the steps field: tasks, then steps, with "uses". You check the image: we use jenkins-x/jx3-pipeline-catalog, and you refer to the path of this task, tasks/supply-chain-security, and then refer to the name of the task itself that will load Syft with this.

C
You can download this to your image, to your pipeline. And upload binaries: for Jenkins X, upload binaries is using GoReleaser. So another thing we want to talk about, for our own SBOM generation, we are using GoReleaser, which is this .goreleaser.yml, and here we specify the SBOMs to generate from archive artifacts. So with GoReleaser, it's by default supporting generating SBOMs, but it also requires Syft to be installed.

C
So if you can generate SBOMs this way from GoReleaser, it specifies that it uses Syft as a default, and you only need to define the artifact type you want to generate SBOMs from. After this, as I mentioned, we added another step to the pipeline catalogue to use ORAS, which enables us to push the SBOMs created with this, the archive SBOMs, to the container registry.

C
So if you use this, you can push it directly to the container registry you are using. At the end, we are using Grype to scan the generated SBOMs and detect the vulnerable dependencies.

C
This is still our work in progress, because we still didn't create a catalog task for it, but it's on its way.

C
So an example for this will be like this. This is an SBOM example generated for Jenkins X and it's using the SPDX version. If you want to know more about the SPDX specifications, we also attached the link for this, SPDX version 2.2. Okay, and if you go back to the SBOM of Jenkins X, refer to this link to view the full SBOM, and it appears here; it will download this document for you. See, this is a very big document that cannot be human readable. It has to be machine readable to generate automatic checks, which is also detected by Grype.

C
Okay, here in scanning SBOMs, we use Grype. This is an example of commands to check the SBOMs from Jenkins X. If we pass it to Grype, it will emit for you the vulnerable packages that are detected, with the library and the installed version and where it's fixed, but not... This is just a note that this is an issue with Grype itself, because it was mentioning our own version. We were not using this one, the path to go-client. So Jenkins X doesn't have vulnerabilities. Apart from Grype, Jenkins X is using Dependabot to detect the vulnerabilities in its dependencies. So this is another layer of security added to Jenkins X to enable more vulnerability detection.

C
Future work up to this stage is: create a pipeline catalog task to scan SBOMs with Grype, generate SBOMs for Docker images and upload them using ORAS.

C
For now also Jenkins X is at SLSA level one, and we hope to achieve SLSA level two by the end of this year, maybe. So Tekton integration, in fact Tekton Chains integration, will enable us to reach SLSA level 2. The last thing we need to do for now is an approximate implementation of the CNCF Secure Software Factory using Jenkins X.

C
With this reference implementation, we enable our users to check if they are really SLSA ready, or they are able to set up Jenkins X with it, and that's it. For now, we are ready to hear your questions and comments.

B
Why SPDX over CycloneDX, particularly?

C
It's actually because it's more verbose for us, and it includes... a comparison is made in the blog post, but in a short answer: it's more verbose for us and more suitable for our use case, because the package information and file information is more acceptable to Grype and great for vulnerability detection.

D
So, you know, the reason we did that was because Syft by default creates, you know, an SBOM in, you know, the SPDX JSON format. So since we are very new to this, we wanted to, you know, stick to the defaults, and then we can see. Okay, so if we want to go to, say, CycloneDX in the future, we can also do that, but that's the reason. Cool.

B
Get SBOMs out of our Black Duck scans, so I appreciate what you guys have gone through and done already. It's pretty awesome. Thank you.

C
Yes. We aim to, maybe after we are finished with the future work, get back to you with another presentation about how we integrated with Tekton Chains.

F
I think I was asked if I could share more detail, right. I was asked if I could share more details around what we do internally at Google compared to SLSA, and I looked into that internally. I can't share more details. I can't share the schema. What I can say is that what you're seeing in SLSA is very, very much aligned with what we do internally at Google, albeit with a different schema.

F
Sure. So, to be clear, this is intended to be a discussion and conversation. This is not a presentation; I don't have anything prepared. There is a link in the agenda back to a Slack message that kind of brought this onto the agenda, as well as an OSS project that I think is related.

F
So I think, broadly speaking, we're seeing developing industry alignment around SLSA as a standard for supply chain provenance, and I thought it would be good for this SIG to kick off a conversation around supply chain maturity. So SLSA covers, you know, the inputs that go into generating your artifacts. There's also significant conversation around things like vulnerabilities that are in those artifacts and tracing those sorts of things with SBOMs, but there are other aspects of your supply chain that are not today captured by SLSA. As an example of this:

F
What's your test coverage? Do you have a test coverage, a code coverage standard, that no artifact goes to production without a code coverage of X percent, as an example, or other kinds of gates that may need to be passed? Does your supply chain include red/green testing? Do you have a canary analysis service that looks at a new canary? Does it provide automatic rollback if there are new problems that surface in production, as part of your automated rollout, or is manual intervention required?

F
There are all sorts of maturity levels, and I would like to propose that, just as we have an industry effort around aligning on SLSA, we have an industry effort to align on supply chain maturity more broadly. Just for fun.

F
That is, of course, going to be called the Code Health Project Score, which abbreviates as CHPS, so that we will have chips and salsa. And having said that, I'm sure this proposal will get significant uptick in endorsement and excitement from everyone in the room. By way of prior art, I will lean on some of my internal Google experience. You've heard me before talk about the Google SRE book.

F
Where we talk about some of this, we have all sorts of project health metrics that we watch that help us gauge the health and maturity of a project, and certainly there are aspects of that that, you know, Google would bring to this conversation if people are interested in this. So that's kind of my introduction. I'm interested in hearing from others, yeah, you know, getting a sense of the level of interest.

E
So I think you bring up a great point. I think that SLSA does not cover everything, and so I think one of the things that we're actually looking at in the FRSCA project is basically having a runtime attestation also created. So, for example, as the build is getting built out, right, can you know exactly what the process is, what the syscalls are that are getting run as the actual artifact is getting run, right? So is it reaching out to the internet?

E
Do you expect it to reach out to the internet, right? So capturing that kind of information kind of gives you... you can go creating a separate, you know, creating a separate attestation that's separate from SLSA. You have a SLSA attestation, and at the same time you have like a runtime attestation getting generated, and you can go back to it and refer. Maybe you can create policies based off that newly generated attestation. So that's that.

E
The other thing we're looking into is having that visibility at the runtime for the build, right, so that you can know if it's reaching out to the internet. You know, if it's reaching out to malware.com for some, whatever, reason, right, you don't expect that to happen. Then can you have a record of that happening, and you can go trace it back.

F
Sorry, struggling with my mute there. Yes, these are the kinds of metrics that we're thinking about that go beyond just the supply chain, from the supply chain all the way through to operations.

E
Yeah, I think looking into, like, eBPF, utilizing eBPF to capture those kinds of logs and creating a predicate, you know, like a new type of predicate aside from SLSA, that people can standardize and people can use and start capturing that kind of information also.

G
Listening to this, the examples that you gave, David, I would call policies. That's what I've been calling them internally, around like what it means to be production ready and pass. The thing that you mentioned feels like an accessory metric to prove your SLSA level, and so there's like an interesting hierarchy of: the "validate that you really didn't contact the internet" feels underneath the SLSA "please don't contact the internet to be SLSA 4".

F
Yeah, Justin, at Google, depending on the project involved, these may or may not be policies. We start with them as measures and metrics, and so you can imagine that one project might be satisfied with a project health score of two, whereas some other project might need to be at five or seven or whatever it is. And we've sort of got a whole lot of different metrics, and different projects decide which metrics are relevant to them and thereby decide which policies they want to see enforced.

E
And I agree with what you were saying, Justin. Like, it is definitely an indicator of how far you are on the SLSA scale, right, and I think it's one of those things that gives you more information so you can make better informed decisions, like: hey, yes, I am at SLSA level four, because my runtime attestation is also proving that, you know, I am at that level.

F
CHPS, Code Health Project Score, but that's really because we want chips and salsa, or salsa and chips, depending on your point of view. Yep.

F
Absolutely. CHPS: we do this kind of thing in some of our Google Cloud products. Absolutely. So as a simple example of that: can any single engineer access user data in this application, or does user data require multiple approvals in order to gain access? Just like you would have in SLSA: does a PR require approval, require multiple approvals? Same sorts of measures.

A
Yeah, an example from past experiences: this was how the events discussions started, like a few years ago, under SIG Interoperability. A few people who were interested to work on events in a more focused manner created the work stream under the SIG Interoperability. So that is an option which we have a previous experience with.

A
So if you want, David, and if others are interested, you could, you know, form a work stream under the Supply Chain SIG, then you work with these things and over time it could, you know, turn into its own project or whatever, like how CDEvents was created. So we just, you know, lead the topic and then we help you get going.

F
Okay, so I think what I'm gonna do for now is just put in the agenda a call to action. Anyone who's interested can contact me on Slack and we'll look to sort of get a first meeting of interested parties and figure out how we want to proceed, or for that matter if we want to proceed, frankly.

A
Yeah, we have some, like Justin, Ankit, Parth and Brett, so you have four contributors already signed up.

A
Okay, maybe we should capture this in our document, so I can type: please ping David on Slack to get involved in the further discussions.

F
Actually, critical item I just realized: I failed to disclose that the CHPS name came from Billy Lynch. It wasn't mine. That's critical. I can't take credit for the future.

A
Okay, so we have some more minutes if anyone wants to bring up a topic out of, you know, what we were hearing in these discussions, the Jenkins X presentation, the CHPS discussion. Please, we have some more time to have the topic discussed.

G
I have a, maybe more tactical, question, which is: I'm the author of an open source library and I'm interested in facilitating a more supply-chain-friendly open source ecosystem, and so I know that in a containerized world you can upload additional metadata, which is like your SBOM, onto the container artifact itself. In a world where we distribute things like JARs...

C
So, what we reached for this investigation is that SBOMs are not always considered as metadata; it's just a whole new document. Maybe, I don't know if it can actually be uploaded with the image layer as a separate document, but if it's metadata it can be stored in the same image. But it's not specifically admitted that it's just a whole separate document that we want to be uploaded in the same artifact repository. Okay. So it's not just metadata.

C
It can be considered as a JSON file. Actually the SPDX solution we have is the SPDX JSON format, so we checked and we searched for open source tools. ORAS is actually a tool used by Microsoft, which is, as we spoke about earlier, a CNCF sandbox project, and we tried it with another document, and it worked for us.

C
So this is why we didn't store it in metadata format, because it's a separate document, and also, if you want to upload different formats of the same SBOM, how can you do this as metadata? If we decided to generate the SPDX and CycloneDX and SWID tag, I think storing them as metadata may be a blocker for us. I don't know if this has another workaround or another solution, but this is the solution we feel is more convenient for our use case.

F
In Tekton Chains, you can choose your storage medium, so there are different options: for storing in a database, for storing in Grafeas using the Grafeas open source library, so, for example, on Google Cloud Platform that enables you to store in something called Artifact Analysis.

F
You can also store alongside the artifact for Docker containers and OCI bundles. You can store the information in the Tekton cluster. Typically, there are a bunch of options there in Chains, with the exception of OCI bundles, to store alongside the artifact itself; those are artifact-agnostic, they're simply storage locations. The approach we're doing on Google Cloud Platform is that this information should all be centralized, and therefore it's in the Artifact Analysis API.

F
One of the things to consider in this space is who has access to write to that storage or delete, which gets to issues of faking the information and/or repudiating it.

A
Sure. Okay, I'll take this as a no. So before we end our meeting today: as you know, we meet every second and fourth Thursday. Our next meeting will happen on August 8th, and I see, Parth, you added the first presentation to our presentation backlog.

A
So we will have that presentation from you, your demo, perhaps, Parth, if things stay as is. So please everyone join us on September 8th for that presentation and demo as well, and reach out to David if you want to get involved in this CHPS work as well. But thanks everyone for joining today, and we see each other in two weeks. A nice rest of your day.