From YouTube: Package: Think BIG (with the Secure group) 04-08-20
A
But yeah, go ahead, record. Thank you, everyone, for joining. This is our monthly Think BIG session for Package, and today we have a few extra people from the Secure team joining us as well. So today will be going to be agenda and it looks like Ian has the first item. Do you want, hopefully, his audio's working.
B
If you remember way back to January, so we have Nicole and Kyle and Fabian and Philippe, which is even more people than I thought, so I'm even more excited now. A little bit, we're going to dive into some places where Secure in Package and kind of overlap, and I'm really glad to see what they are. But first I, of course, selfishly want to talk about research, so we're gonna admit that first. First big thing the dog to be done.
B
The survey, then we all works on that is out in the wild. Users are actually filling it out, we're starting to get responses. It's a little bit slow, which a lot of us have kind of been considering with respondents in general, but luckily it's moving forward and I think it's going to be in the newsletter in April, which will really help us get some results. I would really like to wrap it up by the end of April.
B
The other big news for research is we just completed today the solution validation for the new container registry UI. I'm really excited about that. I think Nico is also pretty excited to be able to ramp up that UI. So here's a quick overview. We had six interviews. Twelve unique insights came out of these interviews and overall, the solution is validated. Almost all the data we presented, all of the ideas we've put forward, were immediately and pretty and neatly understood by our users.
B
That's really, really powerful. Special thanks to David drom Nico and they all came in very last-minute for interviews and observed. So they got some face time with our users to see how they'll actually think about it. I'm always excited to see that. I hope they enjoyed that as well. Some high-level insights: the left-side navigation that I proposed was really well received.
B
We had changed the dialogue from this package to say package and registries and then add additionally the package registry and container registry. Without even being prompted, almost all of the users piped up and said this makes so much more sense, it would be easier to find my container registries because of it. That's a really big thing: that's the global, or the global project navigation, so making a change like that requires some solid validation. The merge requests and the pipeline and the commit data were all also really positively received.
B
We had a little bit of confusion and how they're implemented in the UI, but I got really great feedback, but the idea of us including that is going to enable our users. Several of them even said, my first step when I'm troubleshooting a tag-related issue is that I'm gonna go try to find where it came from, and so you just connected me right away. So we're really gonna impact users that are having issues and be able to move forward.
B
This is a big prop to Nico. He proposed that we split the image repository and the list of tags inside of that image repository. Users loved it. They thought it made total sense. Their ability, differentiated details of the image repository from the tags themselves, really helped them kind of filter out what was going on where they were having a struggle before. This next insight is the one that made me laugh the hardest.
B
None of our users use the same language twice: images, containers and tags all got interchanged, and the one that gets me is everything is an image. You see the image, the most recently published images, and then you see the bunch of images that have other tags, and then you load the image repository of you and those are all images too. So everything is an image. They also like to call them containers, and then they quickly switch back to images. So my takeaway is to our users.
B
Inside of the tag, and basically just said, there was a warning flag and then a message and said: hey, we think we found something, here you go. No user was even confused by that, they weren't thrown off by it. It made total sense to them. One even said to like, oh duh, this is exactly what it should be, kind of moments, which is perfect, is that's why we're talking to everyone on Secure. So we have some user validation that this connection really does make sense.
B
I'm really excited. The next step for the container UI is to partner with Nico in the front end and figure out how we're going to break it apart, work through some technical restrictions and really start improving that experience for our users. And with a very long-winded hit, a hope, review. I think soon has the next point.
A
C
C
So right now we're trying to work through people not knowing that they're, or knowing if they are, are not scanning their images, and I don't know if you've had a chance to talk with the compliance group at all, but the compliance group, for some companies, they need to have specific measures in place such as: are you doing these certain security scans, or are you doing security scans, to be able to pass compliance audits? So this isn't just a security thing.
C
C
C
Yeah, this one is make explicit on the security configuration page which, if I wander over here and go to configuration and pop that in a new tab, you know, make it clear that you've got this stuff turned on. But, as you can see, it's kind of nestled over, over in here, so I was wondering, is that anything anyone has ever mentioned to any of y'all, like being able to maybe put this little, you know, you've got container scanning on or not yet configured, maybe right where they're storing their items.
D
C
C
If I pop into here right now, we tell you kind of, here's your component and if it's got vulnerabilities or not, so that's sort of what I'm seeing in my head. But that's just because this exists. This obviously maybe isn't the best way to do that. But you know, it's like, here's your component and here's your vulnerabilities for it, and that might be interesting if that was something I.
B
Everyone see my nice little design? Yep, yep. What we pose, this is actually when the test came from. So it's a really great example. This is a specific tag existing inside an image repository in the container registry. At the base default list view, which kind of looks like this, we just give a warning flag. The idea was that we would give a tooltip.
B
They came up and said, you know, vulnerability detected, where I'm not quite sure what the language would be, but we would want to stay consistent with what you all are using, and then, if a user expanded the details, we give them kind of a synopsis of whatever that vulnerability was and then direct them to the scanning page. All the users felt really comfortable. Two of them even said that if we included more information than that it was just kind of busy the page, it felt natural for them to go to the Secure area.
B
I think we could. This is the proposed kind of container registry page, which is the one that you had pulled up before. We could show and say that this image repository, maybe using an icon, or not quite sure how we could show this image repository is getting scanned, and so they can look at the individual tags and know that they're either, you know, maybe when we say a past, everything is good, or we only when there's a warning. You know, something like that.
B
C
One of the two engineers can probably answer this better than me, but my understanding is, if I include it in something that I'm going to do as part of my project pipeline, then it's gonna get scanned. So if there were something that was not included, it wouldn't be, and then there's also a catch right now of we can't scan multiple images at once, but we do have a patch that are coming for that.
C
However, there are discussions of some of the open source tooling components going down to Core, but that would only be the scans themselves. Any of our stuff, like we have something, suggested solutions, where, when we find your image is an older image, we're like, hey, you should update this new image, click this and we'll make the MR for you. A lot of that functionality is going to remain in pagers, but there's, there's a stroke on there, because the datas is tbp.
G
C
A
C
A
C
C
So right now we have dependency vulnerability information reported on certain package managers and we also have license information reported on certain package managers. Again, we're running them right now via pipelines, but I think we had, there's a backlog issue somewhere, Philippe, you might, you might recall it better than me, but I think we're thinking.
B
So that's something that they do want to see in our UI. So that can be a great place of connection. I've also heard from DevOps engineers with the focus on Package say that they'd like to know, they'd like to be able to blacklist, that's a bad phrase. They would like to have a list that you cannot use of packages and to scan that automatically as we.
B
C
B
A
Okay, yeah, I think there's some crossover for us too, because we hear some of that block. We called a block list and we were calling it approved and banned. So, so I like your terminology better, and we have some crossover there, because we have this category, the dependency firewall, and we hear people want to add these block lists, so that, that could be a future area for crossover as well. I was hoping we could also review Kyle's issue about update, auto-updating when there are vulnerabilities detected. I thought that was a really cool issue too.
D
Yeah, sure, this is, so, this is just based on the upcoming suggested solution feature that we have in this will affect container scanning. Again, that's the prerequisite of it, being that it's configured correctly, but if it is, this will then be seen. These results can be seen on the dashboard, on the security dashboard at both.
D
The group and project level, and it'll automatically create an auto-fix merge request with the fix by our new GitLab security, but actually, so the suggestion that we were making here that relates to this is, and it's still a question. I did put some early ideation based on what Ian was testing, is on where the tags are is showing that vulnerabilities have been detected and suggested which requests with solutions exist.
D
So if they click that they would land on the merge request list with a, with the label, either this or the author, which would be to GitLab security by, and this would be the list of those automatically created fixes that are ready for them. This is important because these merge requests are getting created and we want to have these call to actions. We are available, so the other call-to-action that we would see is gonna be on the security dashboard and there really isn't another place that this is yet.
D
So we want to get better at communicating when you submerge request exists, because we're not, at the moment we don't have email sent or we're not sending other alerts or to-dos or anything. So this would be the only one, and if this was valuable, if Facebook, based on what you also know, user research, I'd imagine it might be that, hopefully there's a call to action. We get them to those merge requests to look at this merge request and, and start acting on them.
C
A
I had a question about, because I think we talked about kicking off automated merge requests when the package or the image has been updated upstream as well. So, if you're pulling an image, like, and there it changed on whatever, wherever you're pulling from upstream, automatically submit a merge request to rebuild it. Could we piggyback off of that functionality for it, for our own purposes, for those sorts of changes?
C
Possibly, so the way that we're doing it right now is obviously when we detect it in the pipeline, we create the MR using the bot, but I would definitely, I'll try and hunt down a couple of the bot issues and everything if you all want to like, follow along and make recommendations to make it a little bit more generic. So you can re-leverage that bot for updates, and you know, what we're doing, that would be awesome. I.
A
Know Nick brought that up a few months ago actually, and we were talking about using Renovate bot or something like that, auto update npm packages, so that would be really cool if we could see that through. How, how is the best way for us? Is it the best way to jump into that issue that we're looking at now?
C
That was security by, I don't, and then also there's another group working on a bot to make API keys. So there's a channel and Slack, can I find it, if I can't find it, project access tokens, and they're also planning to use a bot, so at least I, if you all haven't created a bot before, we're hanging out in that channel to watch that experience and learn from that experience. When we go make our bot, hopefully it goes a little smoother.
A
And just to quickly on some of that earlier suggestions we made about just having whether or not container scanning is turned on or, and having the vulnerability, even just that the little warning symbol. What's the complexity of implementing that on the, on our container registry? Is that something that's relatively straightforward to add because it exists somewhere else, or is it a bit more complicated?
C
Slightly more complicated. That enabled and not, I think it's not that complicated. You can just re-leverage the same query we're using to populate that right now, but the, if our particular one has a vulnerability, we'd probably want to create an issue and have that discussed, because right now we use JSON artifacts to store a lot of our data, and so it's not like a straightforward API or anything at this point.
F
I'm wondering, where do you think is the, the right place to make users aware of, you know, this type of scanning and these other types of possible features that go along with it, if they start using a container registry, and you know, they're on that registry list page and maybe none of those things are turned on yet, so they don't see the vulnerability warning flag, like where would be the right place to add that information? That's not like in a nagging way of like, hey, there's this thing, I mean.
C
My honest opinion is, like, if there were a small area of extras, I have no idea what it would be called, we can figure that out, but like in extras, anything that is related to, but not directly. Just give a quick, like, summary of yes, no, like you were saying, keep it really simple: don't try and necessarily sell them on it or anything, just be like, hey, here's extra features related to dependencies.
C
C
Also getting out of the product, and I think that could also dovetail into that work where we're showing our users, here's some value that you have that you haven't leveraged yet, and then be able to send them to additional information on just the little yes, those, because I'm a feeling across the different stages, there's a ton of things that are interrelated and it's just like, you're not, you're not using it. Did you know that it's an option you've paid for what.
F
C
Right now, I'd say docs, until we get Kyle's modification to make our configuration page friendlier. Once we've, once we've made the page a little friendlier I think we could send it them there, but right now, like, you can't directly click to turn it on. You have to update your settings, YAML, and so it would be frustrating and not valuable to send them to that page today, but give us a little bit and my opinion of that would flip.
H
H
We have a lot of customers asking for more security commands extra and the recurrent topic is we don't want you mind being bored at any point. You notice servers to be deployed and not being accessible by anyone. You want to fight on to run and Edie one, and only way to do both things and this context.
H
So there are, like, Grafeas or Kritis that could be used for binary authorization, so that we can sign the image and that's metadata to be image directly, like a number of critical vulnerabilities, for example, and proven to deploy based on that. We could reduce that vui directly back in the register. If I had the opportunity to see that an image has been created by a pipeline, it's signed, the signature is the right one, on here is all the metadata that we have added during that pipeline run.
H
C
H
C
C
H
C
Just trying to think if there should be a way, like, let's say we put up a rule that says you can only have the images that are already in here, you can already have the packages that are already in here, yeah. Would it be valuable for a developer to be able to request something and have that workflow go to someone and be like, somebody's requested this, we're not giving it to them yet, but they've requested it, do you want to approve it?
H
C
So there is a workflow, and maybe if we did that workflow that would be and value-add. So it's like we've restricted, so they can only have these, but they could put in some kind of request that goes to user XYZ or something. I'm just trying to think about, like, the whole workflow of, like, it would be frustrating to someone to be like, well, these are my only options, but I need X and I can't find it.
C
H
My wildest dreams, we would have a team, like the vulnerability research thing that we have in Secure, auditing all the packages. The top 100 packages, for example, for npm, for a revealer and other for their languages, put a stamp on it, like it's good to go, it's green, and automatically for package managers so, or package registries and GitLab with this packages, and there would be pre-approved, and you could change that. You could approve more packages by an, but at least you would have, at least that is GitLab approved.
H
I know it's a lot of work, but if you think about how we would do that, it's a lot of work at the beginning, because we would have to assess a lot of packages at once, but once we have done that we only have to assess their, does the diffs between the versions. It's not too much work, I think, and there's a lot of value. We wanted to do that in journalism, because we had a lot of customers asking for this kind of data and there's value beyond this.
H
We can actually sell that service, could be bought off into metal or whatever, but there is valuable is having someone that is able to say it's good to go, and imagine that all of our customers are doing that currently one by one, and if we have customer A, B, C, A is going to do an assessment, B's need to do the same assessment and C is going to do the same. We're replicating this, I thought, by the number of customers that we have. Doesn't make any sense to me.
H
So we think could have something that could be centralized and maybe customers could contribute in some way that they could add some more packages to be stopped, Android or something, that could have some value as well. But if we think about all this chain and we switch gears mahat under the container or a topic inland area and the package, the way we consume package, it's already what Sonatype is providing, the Nexus, it's ready, but Artifactory is providing. I can't wait to have agates on dependencies and all the components that you are using.
H
So we need to get better on this. Right now it's not, because we're just saying there is something that might be wrong with your package, but there is nothing preventing you from using that package. We can bypass that very easy. The same goes for the continent. Imagining the Arts and I know it's reek of it, so maybe we should can be posed to recording just for one minute, because we have a security issue that I would like to mention.
C
B
They would like for their DevOps team to be able to say, hey, all of the organization use this base image and things like that, and be able to clearly indicate what they say is approved and safe and ready to use and what could possibly still be vulnerable. So you can look at that from both directions.
A
I was just had a clarification question, because some of what we were talking about is signing packages, like using content trust or, or Notary, and it's happening within the organ, in our customer's organization, and then we also mentioned maybe GitLab would sign off and approve and provide certain approved images or packages as well. Is that, is it two-sided, is a GitLab says these are, these are GitLab verified images that you could use to get started building a Ruby app or doing, or building an o tab, and then separately.
C
C
You know, internally, we might say enough for other ones. Separately of this is preferential versus sign-off. On separate runs of this is the GitLab official image, if you want to do the official thing the official way, so I think there's, there's all different kinds of sign-offs and we'd have to eventually dig into the nuance of that, because some companies are gonna kick like, say: I want all three.
C
These are gonna be like, just, I don't want vulnerabilities, another ones are gonna be like, no, I need to use only official whatever, so, depending on the customer, depending on their intended purpose, I think it's going to be like, does the internet say it's bad versus does get website, this is a hundred percent the thing I should be using.
A
Okay, yeah, because I do hear often about, like, I just heard yesterday from, on Twitter's, people are asking about implementing TUF for PyPI, which book it's like their version of content signing, so I do hear that often. It's kind of been pushing us towards inner sourcing versus open sourcing, and so instead of saying these are, like, these are approved images that have been verified by GitLab, we would empower our customers to do that themselves. We would, they would say these are the approved images to peruse throughout the company. I.
C
C
C
I may have a team and I may want to say: I approve these, or I may be like, I'm installing Omnibus and I only want to use ones that GitLab signed off on in order to do my, how many of us, so I think we have to have all the flavors unfortunately, and we can start with one and then as we hear feedback, we can decide what to do next.
C
I think that gets into compliance, because you know, let's put the GitLab signing ones off as like over here and let's just do the sign verification is here. That's probably a good starter, because a lot of companies may be like, how do I know I got the right one, and I think that would help use them. Quick.
E
Quick interjection, you're running up on time, we're coming pretty close to the end, and there are a few other comments in the document, in the agenda. I don't know if people feel like it's worth covering the rest of those comments, or they just want to start to get out wrapping up by the right. Well, this conversation, thank you so much! That's it for me.
I
Was just a comment on you need to sign container images, so that's something that we can look in future, using either Notary or content trust from, on Docker, but now is not really possible because we can through something like freezing tags, and we won't be able to do that and really whoever might like a lot of ice for the photon registry. So that's postponed, I think. I think it would be useful to tweet the comment from Miko. So the last one.
G
C
So the answer is that API is gonna be, it's complicated and it's not necessarily gonna get you exactly what you want. / thank / everything, but I think creating, I see kind of three, one. Really quick win one, potentially soon quick thing is: first, can we just tell people, figure out where to tell people, like, you are scanning your images in this project or not? It might be really quick and easy. It shouldn't be hard, and I think the next thing is: let's have an issue where we discuss.
C
How do we get any of the scan information that we have or any of the vuln information we have exposed in, like the cool thing that the users were seeing, you know, work that into there, and I know Kyle's got that one mock, and like discuss, like, what do we, maybe we need to do to make that easier on y'all, or what can you all do with what we've got today, and, and take that as our next one.
G
Will it be valuable, for example, since it seems from the documentation what we can do is that to hit the API for the project, filter for container registry? If there is any entry, put a banner and say, hey, something here went wrong: go to your security dashboard and check. This could be a first step meeting.
C
J
C
J
C
That's definitely step one, and then step two is let's figure out how to get some vuln information that's not misleading, and I can create those two issues on my back line unless y'all want to do it there, and we could just have that discussion of how do we give you that, or how do we make that available to y'all to pull well.
A
We have the issue Kyle created. We could take that, it's just a question of, I think we could prioritize it. It might give us some, like, I mean I could ask the TA sure that's the team, but it might give us a fret. We might have a fresh set of eyes and we might look at it differently or think about the problem a little bit differently and that could be nice.
B
All right, and take this little bit of a pause just a few minutes before we wrap up, and pride myself on wrapping up on time. This is maybe the second time that's ever happens, but thank you so much, all of our wonderful guests, for coming and talking with us during our Think BIG. I hope you found it to be valuable and we'll get some new features and new experiences for our users that they will like and appreciate.
B
I know on our side that we've heard that they really want to see more how stable house take us to cure my packages in containers. So this is a good conversation. This was the first time that we're testing whether having someone from another stage come and join the Think BIG is a productive endeavor. So, of course, I will be creating a retro issue, waited everyone that I know. What's your favorite thing in the world to do, but a lot of good couple of questions about, was this helpful?
B
Would you want to do it again, stuff like that, to see if we should, you know, make this a regular breakfast or if this is a 1-1 good time, and that's all we need. Unless anyone has any final thoughts to share, I just want to say one last time, thank you all so much. I always appreciate you coming and talking about users and experiences and ways that we can enable them better.