From YouTube: Pipeline Security team meeting AMER 2023-04-13
A
B
All right, hello there. This is the Pipeline Security Americas group call for April 13, 2023.
B
I have myself and Miranda. So we'll just take a look at the discussion topics in our agenda, these. Okay, so the first one is about the performance issues and unlocking the pipelines and artifacts. I don't know, Miranda, have you had a chance to, to add to that?
B
B
Let's, we just need to pick like one area to focus on. Like, I know secrets management can be very loaded, but I also think too, when we think about secrets management, like at least for me, I don't know about everyone else, I very much naturally like think about, like, vaults and, and actual secrets managers, but the way our category has been designed, it's not just the secrets managers, it's also the variables, it's also.
B
It's also CI job token. So I think, you know, we could, we could make a, a case for, you know, that we've accomplished our goal by having a quick win in any of those areas, because yeah, that was definitely a struggle for me.
B
Yeah, and so I was having this conversation with Jackie earlier today, and one of the things is it's not necessarily like, "Oh, GitHub is doing this one thing and therefore like we have to like do it or do it better." Like the specific thing, it's really about the problem that they're solving. So if there's like a problem that we can solve that maybe GitHub uses its actions to solve, but we're like, "Oh, here's like another way."
B
We can just do it internally to our product, based on what I'll say is probably more of like the GitLab versus GitHub philosophy around CI/CD, right? Like we, that totally be acceptable as well, as part of like the thinking.
B
But yeah, so I think that's, that's all I had around that. And then the other thing, and it feels a little scary to say we're gonna use AI and machine learning for secrets management.
B
But that is something to think about. I mean, honestly, we still own build artifacts, right? So if there's something that we think we can AI artifact arter, right, like.
A
B
Still own it, so we, we absolutely can put in ideas for gold artifacts as well. Like, you know, I'm thinking out loud, like maybe some sort of like easy, like search, sort mechanism or something. That, literally just thinking out loud.
A
Or like, you, you deleted this artifact, here's all of the ones that are like it. Yeah.
B
Like something like, you know, like, "Oh, did you, do you, did you mean to delete this one thing?" maybe. Or like, yeah, like maybe someone just seems like they're happily going along and just bulk deleting and bulk deleting and not necessarily like going through and seeing what they deleted, and maybe like, "Oh, are you sure you wanted to?" Leave guardrails.
B
B
Are done, I am, I feel like it's a little less scary to do it in Builder facts versus scenery.
A
A
Reads through your CI config and goes, "Hey, you use this 10 times. You want it to be a variable?"
B
Okay, I know. Okay, so Albert had done some work on 1Password.
B
I think this started with the quick wins. I know there was some, some stuff that he had put in there. So I know, like, he's definitely going more into the broader secrets manager, but yeah.
B
It looks like he's, he's, maybe there's something here that could also be done like incrementally. Like I looked, I looked at GitHub Secrets, because I was just curious, and then it like, it basically says it's just an encrypted variable. I'm like, okay, that's fine. I'm like, well, we encrypt variables too. But it had like kind of like the same disclaimers of like, "Oh, you know, like if you're not careful, someone can see."
A
B
Yeah, I, I was like reading it as like, looking at their documentation, and I was like, this sounds fishy. So yeah, like that could be like some sort of like interim thing that we offer, and so we have like a full-blown secrets manager.
B
B
Like I think there's like lessons to be learned with 1Password. Maybe some potential, like we could even do like our own, like prototyping and dogfooding, right? Like we all have 1Password. Yeah, true, right. So like there's stuff that like we could even do like internally as a team to dogfood.
B
I know OIDC is like super duper popular, yeah, but yeah, like there might be something else that we want to do, or some potential partnership or something. I don't know, I'm just once again thinking out loud, but yeah. Definitely some interesting work that Albert's done. I haven't had a lot of time to go in and like really think through it.
B
So it also looks like, I've been like doing this like deep cleaning and reorganizing.
B
It looks like at one point there was a discussion around using vaults or offering falls through, yeah, loud, like so. We wouldn't create our own, like we would just have like separate fault instances, but yeah. So it's interesting reading.
B
It looks like that, that path has been explored and it looks like it was found not viable, but there's definitely quite a bit of information in there as to like why they came to that conclusion. So good reading. Cool.
A
B
B
It was like, you know, here's the UIs, here how it's, how, here's how it works and here's how to like add people and limit their, their scope and stuff like that. So that was, it was really nice to have someone walk through it, because I know like there's documentation out there, but just actually seeing someone work through it. And like, I think there was like a, there was one moment in the demo where the guy was like, "Oops, this didn't get set up right."
B
So it's just, it's nice to see, right? Like here's someone who does it fairly frequently and can still mess it up a little bit, so like we're here. Yeah, like it doesn't feel so much more like, I don't know, like real human, and gives us more context too around like what might be things people forget, and then maybe we can like fine-tune their UI, right? Like there's no reason why we have to like redefine all of it, but maybe we can make it like, "Here's a gotcha."
B
Yep. So, and the last thing was deliverable issues while folks are on PTO. I know, especially like lately, as we mentioned the very beginning, lots of folks on PTO. It's been a little chaotic in that regard, and there's been a lot of holidays.
B
B
B
We have a situation where, like, our engineer's on PTO, but then when they return the maintainer's on PTO, and then the maintainer returns and like our DRI once again went on PTO, right? Like it happens, or there's public holiday for like three out of five days or something, yeah. And so I think, like, that's something like Max and I discussed a little bit in our one-on-ones, because we do have a couple of customers who are like, "Dude, you said that was gonna be done in like 15.8 and it's 15.11."
B
"What's going on?" Yeah, so, so yeah, I've had a few awkward phone calls, yeah. It would be good to just know like, if, you know, what we can do to kind of continue to move things along versus having a bunch of half-done things. We could have like some.
A
B
I just, I struggle, because in, from a planning perspective, we take into account people go on vacation, but it's still difficult, right? Like if we have issues, especially that have a higher weight, I think like those are the ones where it's like, "Oh no, is it going to get done?" A large.
B
B
B
But maybe more collaborative architecting.
B
B
I feel like to some of the back end stuff that we have, they're like, they're very specific. Exactly, that makes sense. Yeah, knowledge, yeah. I, like Albert's like very heavily like working on, like, the, the number calculation piece, and Eric's working on something that's really around the performance and like even has all these security issues. I don't know how he does it, right? But like, because like those are so different, yeah, it in some ways feel siloed.
B
So maybe there's something we can do around that. I don't know, I'm just thinking about ideas, because yeah, yeah, it would be great to get back on our deliverables train, yeah.
B
Cool. Did you have anything else you wanted to add to the agenda for discussion?
B
I didn't have anything else either. So I can go ahead and stop this recording and I'll get it posted.