►
From YouTube: 2020.03.16 - Secure Brainstorming
Description
License Compliance in air-gapped networks
A
There
are
you,
my
name
is
Judah
perfectly
I'm,
a
distinguished
engineer
for
secure
and
they
found-
and
this
is
the
brainstorming
session
on
the
license-
compliance
topic
in
their
gaps.
Environments.
The
idea
here
today
is
to
see
if
we
can
find
some
new
ideas
to
get
license
from
clients
more
target
compliant,
which
is
not
the
case
as
of
today.
A
So
it's
nothing
that
has
been
documented
so
far
or
named
or
anything,
but
we
need
to
start
putting
names
on
different
phases
at
different
stages
of
what
license
compliance
is
doing,
because
we
have
this
false
feeling
that
license
findings
just
be
one
thing,
whereas
under
the
hood
it
actually
does
maybe
four
different
steps,
maybe
more
than
that.
Not
so
sure
about
that.
The
kind
of
things
that
we
should
discuss
today
and,
of
course
these
names
are
completely
work
in
progress-
feel
free
to
use
any
other
game,
but
we
we
need
to
start
somewhere.
A
B
For
I
think
for
Java
and
some
other
like
support
the
language
is
incest
and
everything
that
is
supported
on
drugs.
You
need
to
compile
the
project
because
you're
analyzing
the
charros
files,
so
you
will
need
to
download
the
dependencies
unless
the
customer
is
customizing
a
job
so
that
it
provided
appearances
beforehand
to
the
job
itself,
but
I
think
we.
We
focused
a
lot
on
these
four
license
complaints,
but
this
is
actually
something
that
we
would
have
to
support
for
all
other
category
features.
A
Yeah,
that's
basically
the
idea
behind
creating
the
stages
so
that
we
can
have
a
better
overview
of
what
we
can
share
between
the
different
categories
that
we
have
insecure,
there's.
Obviously,
some
overlap
with
dependency
scanning,
where
we
do
exactly
the
same
fork
is
the
two
first
stages
where
we
analyze
in
the
node.
So
it's
the
first
stage
that
we
I
could
patent
on
a
single
stage.
B
B
Okay
I,
try
to
refrain
that.
So
when
you
want
to
generate
the
dependence
three
you
might
need
to
download
dependencies,
but
it's
not
obvious
always
the
case.
You
might
just
rely
on
some
manifest
file
which
is
available
locally,
but
in
case
you
need
to
download
them
and
the
problem
can
be
to
hold.
Are
you
able
to
reach
to
the
registries
or
not
and
the
case
when
you're
not
capable
because
you're
in
it
in
a
cave
environment?
This
is
something
this
is
a
problem
that
is
shared
with
the
other
categories.
B
A
Okay,
so
I
didn't,
and
we
obviously
won't
agree
on
that.
That's
why
I'm
saying
we
are.
There
is
some
overlap
between
license
compliance
and
different
scanning,
a
problem
such
as
you
said
when
we,
where
we
have
to
download
the
differences.
So
to
echo
my
comments
on
the
issue,
my
let
us
commence
because
I've
seen
what
Moe
did
in
the
past
weeks
wrong
vehicle
that
offline
registries.
C
A
C
This
problem
a
different
way
because,
like
okay,
so
if
we
like
level
set
where
we're
currently
at
the
current
assumption,
is
that,
in
order
to
determine
the
dependencies
and
versions
of
those
dependencies
and
then
also
any
software
licenses
associated
those
dependencies
says
we
have
to
install
packages.
That
is
the
current
direction
in
the
current
assumption,
whether
it's
pulling
it
from
public
registries
or
from
private
registries.
That's
the
baseline
assumption,
so
I'm
like
okay.
C
Well,
if
I'm
in
a
truly
air-gap
mode,
what
happens
in
a
world
where
I
can't
connect
outbound
network
connections,
so
I
started
with
a
different
starting
point
just
for
fun
as
an
experiment.
I'm
like
can
I
actually
build
an
offline
index
of
software
licenses
for
every
package,
slash
every
package
version
and
if
I
could?
What
would
that
look
like
how
much
disk
space
would
it
take.
C
So
if
I'm
in
a
like,
you
know
I'm
gonna,
say
era
gap
because
I
think
they're
realizing
it
means
different
things
to
different
people,
but
if
I'm
in
an
in
a
in
a
world
where
I
can't
make
out
connections
if
I
can
provide
you
with
an
environment,
in
this
case
a
docker
image
where,
in
that
environment,
in
already
knows
of
every
software
license
associated
with
every
public
package,
then
at
least
when
I
do
a
scan
of
that
project.
I
can
I
can
tell
okay
if
I
can
figure
out
what
dependencies
are.
C
What
we're
doing
is
we're
installing
the
packages
and
then
from
the
package
manager
tool.
We
ask
it.
Can
you
tell
me
what
packages
are
installed
and
what
versions
of
those
tools
and
that's
great,
because
the
package
managers
know
how
to
parse
the
manifest
file?
They
know
how
to
like
download
the
packages
they
can
as
their
schema
changes.
We
we
don't
have
to
deal
with
every
schema
change.
The
native
package
manager
can
do
that
across
different
major
versions
of
the
tooling.
Where
we
fall
apart
is
like
we
still
have
to
make
that
outbound
connection.
A
C
D
C
The
way
I
was
looking
at
this
problem
was
I
was
gonna,
do
a
code
to
walk
through
the
places
finder,
but
maybe
I'm
gonna
rewind
here
so
I'm
wanting
to
see
okay,
here's
here's
my
starting
point
can
I
just
use.
This
is
sort
of
like
my
whiteboard
for
now.
Okay,
so
assuming
that
I
can
determine
the
I,
can
parse
a
lock
file
right
I
mean
we've
got
Jim
file,
lock,
we've
got
pip
file
block
and
we've
got
Hamed
XML.
C
We've
got
some
lock
files
that
are
difficult
like
the
Gradle
ones,
I,
don't
know
what
to
do
there
exactly,
but
we
have
locked
files
and
for
the
most
part
we
know
how
to
parse,
lock
files
and
those
lock
files
gives
us
a
couple
pieces
of
information.
They
give
us
a
list
of
dependencies,
their
name
and
their
version
right
and
in
order
to
get
the
name
of
the
version
for
the
most
part
that
tells
us
what
dependencies
a
project
has.
C
What
it
doesn't
tell
us
is
like
what
is
the
software
license
associated
with
that
license
with
that
version
of
that
package,
name
and
version?
And
so
do
you
get
that
information?
We
ask
the
package
manager.
Can
you
tell
us,
in
the
case
of
gem
files
out
lock
in
the
actual
gemspec,
there
is
a
license
attribute
and
if
it's
defined
in
the
actual
license
attribute,
then
we
can
get
that
directly
from
disk.
If
it's
not,
then
we
have
to
do
an
API,
lookup
rubygems.org
and
there's
like
a
JSON
endpoint.
C
E
C
Why,
in
that
particular
case,
it
is
from
the
gem
spec.
There
is
an
additional
step,
so
the
API
would
match
the
gem
spec
itself,
but
the
the
thought
that
came
to
me
is
like
I'm
having
to
determine
this
every
single
time
that
I
install
rails
right
once
I've
installed
rails
once
rails,
50.0
and
I
determine
its
licenses.
C
Mit
do
can
I,
take
that
information
and
store
it
so
that
I
can
reuse
that
knowledge
for
future
scans
rather
than
having
to
recompute
it
every
time,
meaning
and
reinstalling
trails,
re
parsing,
the
rails,
gem
spec
file
and
re,
like
figuring
out
that
it's
MIT
the
way
I
looked
at
it's
like
okay,
yeah.
This
knowledge
exists.
What
if
I
were
to
build
an
offline
index
so
I
hadn't
index,
which,
let's
just
represent
as
a
CSV
file,
and
in
this
case
it's
just
the
package
name,
the
version
5.0
and
the
software
license
associated
with
it.
C
C
I
don't
have
to
go
reparse
the
gemspec
file,
because
I've
already
done
that
once
and
if
I
can
represent
this
information
in
a
small
enough
index
format
that
first
of
all
has
to
be
optimized
for
humans,
because
there's
going
to
be
errors
in
that
data,
so
humans
need
to
be
able
to
contribute,
and
then
second
optimize
for
machine.
So
we
can
actually
transport
it.
So
it's
small
enough
and
we
can
read
into
it
and
get
the
information
that
we
need
as
quickly
as
possible.
C
Then
I
save
myself
having
to
do
the
actual
package
install
step
plus
the
parsing
of
the
gem
specs
plus
determining
the
software
license
from
those
gem,
specs
and
I
can
enhance
on
like
today,
there's
actually
multiple
sources
of
information
for
this
license.
It
isn't
just
the
gem
spec,
but
we
can
also
actually
search
the
project
files
for
a
license
file
and
then
from
the
license
file
determine
what
the
license
is.
So
if
I
could
actually
take
that
parsing
and
that
knowledge,
instead
of
doing
it
at
scan
time,
do
an
offline
ahead
of
time.
C
In
this
index.
I
can
actually
improve
the
efficacy
of
that
index.
I
can
improve
the
scan
time
because
I
don't
have
to
download
packages.
I
don't
have
to
parse
those
packages.
I
just
take
the
data
that
I
have,
which
in
so
case
it's
just
the
gem
file,
lock
name
version,
go
look
it
up
in
the
index.
I'm
like
okay.
This
is
a
crazy
idea
mo.
Why
would
you
want
keep
like,
like
this
is
going
to
be
billions
of
bytes
of
data
right
to
store
this
much
information?
C
So
I
started
with
my
tracer
bullet
was
spandex,
so,
let's
just
take.
If
you
go
gem
install
spandex
today,
he
will
need
a
ruby,
and
this
is
my
tracer
bullet.
It
is
not
beautiful
code,
but
it
is
free
and
it's
opening
up
there
and
one
of
the
things
I
want
to
do
is
I
want
to
be
able
to
track
all
the
network
calls
so
to
do
that.
I
have
all
Network
calls
going
through
a
single
HTTP
client
and
that
client
allows
me
to
log
all
traffic
to
a
log
file
that
I
specify
so
I'm.
C
C
Spandex
is
at
this
point:
it's
going
to
go
parse
that
lock
file.
It
is
going
to
take
each
version
of
each
like
it's
going
to
determine
each
gem.
That's
in
that
lock
file
take
the
name
and
version
it's
going
to
check
in
offline
index,
which
I
haven't
shown
you
yet
which
is
stored
on
disk
and
see
if
I
have
an
own
license
for
that
offline
index.
If
it
doesn't
have
an
own
license
in
the
offline
index,
it
then
makes
a
call
to
the
rubygems
API
to
look
up
the
license
for
that
gem
at
scan
time.
C
So
it's
using
its
going
to
pull
what
it
comes
from
like
the
local
offline
cache
and
then
fall
back
to
the
network
to
actually
determine
the
information
it
couldn't
find
locally.
So
if
we
look
at
the
HTTP
log
we
can
see
this
is
every
Network
request
that
went
out
to
do
this
scan
in
this
case
most
of
the
gems
or
MIT
licenses.
Why
did
I
choose
JSON
I?
Don't
know
that
was
the
existing
report.
Format
and
I
thought
I'll
just
play
along
in
hindsight.
C
I,
probably
would
have
done
a
line-by-line
report,
which
is
easier
parts,
but
that's
that's
again.
This
is
just
an
experiment.
This
was
not.
This
is
not
production.
Ready,
I,
don't
think,
but
you
can
see
here
are
the
licenses
that
we
were
able
to
determine.
So
in
many
cases
it
was
MIT
some
Apache
thrift
we
weren't
able
to
determine.
So
this
is
something
that
we'd
have
to
go.
Look
at
the
project
source
code
and
see.
Is
there
a
license
file?
Why
didn't
they
specify
it
in
the
gemspec?
C
E
C
C
C
And
now
I'm
gonna
do
a
diff,
so
you're
gonna,
see
like
we're.
Gonna
I
expect
to
see
that
the
live
that
JSON
is
going
to
have
a
more
comprehensive
list
of
software
licenses
because
they
was
able
to
make
Network
calls
in
the
places
where
I
couldn't
find
the
license
in
the
offline
index,
and
but
let's
see
what
the
difference
is
and
and
that
difference
is
going
to
be
as
good
as
my
offline
index
as
as
complete
as
that
offline
index
can
be
so
now.
If
we
do
them
do.
C
Please
tell
me
to
stop
talking
if
I
just
took
too
much
of
air
time
here.
Okay,
so
first
one
ace,
rails,
AP
pin
see
on
the
right
hand,
side
we
were
able
to
determine
MIT,
left
hand,
side,
nothing--,
Acme
client
both
hit
hit
right.
This
was
in
the
index,
yay
right
hand,
side,
Apollo,
upload
server.
We
have
it
on
the
if
we
were
able
to
make
outbound
calls,
but
we
didn't
in
the
air-gap
note,
but
we
did
have
a
hit
on
the
Santa.
We
had
a
mess
on
a
batch
loader.
C
It
actually
works
better
because
it's
going
to
pull
the
data
that
it
has
local
first,
if
it
doesn't
have
it,
then
it
goes
out
to
the
internet
to
get
the
missing
information
and
I
would
love
to
take
that
missing
information
and
feed
it
back
into
the
index
by
some
route.
I
haven't
figured
a
power
okay.
So
let's
look
at
this
completely
unbiased
index.
B
Allocation
with
a
state
statement
that
this
would
be
a
constantly
moving
target
because
we
are
constantly
raising
new
version,
the
labor
software.
So
we
constantly
have
to
keep
track
of
those
new
versions
to
add
them
to
the
offline
index,
which
means
we
need
to
have
a
high
frequency
update
of
this
offline
index
to
provide
random
data
for
customers.
Absolutely.
C
So
right
now,
my
high
frequency
of
offline
index
is
one
day
now
that
high
frequency,
like
you,
get
a
better
value,
meaning
you
get
more
cache
hits
the
more
frequent
you
update
that
index,
however,
for
any
cache
misses,
you
can
still
go
get
that
missing
information
by
making
outbound
Network
calls.
So
the
level
of
accuracy
in
the
report
doesn't
increase
or
decrease
that
much
for
live
mode
when
you're
when
you're,
you
know,
you're
not
updating
the
index
as
often
now
with
this
scenario,
where
I'm
using
Postgres
here.
C
So
what
I
found
is
like
on
rubygems,
they
have
nightly
backups
of
the
rubygems
database,
and
so
what
this
does
is
on
a
cron.
It
pulls
down
the
latest
nightly
backup
it.
You
know,
attaches
a
Postgres
connection
to
that
backup
and
Infectious
out
all
the
ruby
gems
from
the
ruby
gems
table
and
builds
an
offline
index.
That
is
looks
like
this.
C
I,
take
the
name
of
the
JAMA
sha-256,
so
that
take
the
first
two
characters,
and
this
gives
me
approximately
256
data
files
that
I
can
put
the
data
in.
So
this
is
it
that's
I
mean
this
isn't
optimized
for
human
consumption,
not
for
machines,
and
if
we
actually
check
to
see
how
much
space
on
disk
does
this
take.
So
far,
it's
not
a
complete
index.
So
it's
not
going
to
be
representative
of
all
of
rubygems.
So
in
this
case
it's
five
megabytes
and
the
number
of
items
in
the
index
is
not
comprehensive.
C
So
we've
got
approximately
140
mm
so
because
I'm
only
doing
nightly,
diffs
and
I've
only
been
doing
this
for
a
few
weeks.
That's
the
number
of
records
that
I
have
in
the
database,
but
what
I
came
to
the
realization
is
I,
don't
actually
need
to
index
every
single
version
of
every
single
gem
and
this
actually
works
better,
because
this
is
only
indexing.
The
latest
versions
of
published
gems,
because
the
mission
of
our
team
is
to
keep
you
up
to
date
right.
We
want
to
give
you
like
tools
to
say.
C
This
is
why
you
should
update
to
the
latest
version
of
this
gem,
because
these
are
the
vulnerabilities
associated
with
it.
So
if
you're
on
version,
0.10
of
hibernate,
you've
probably
got
so
many
vulnerabilities
that
you
know
me
telling
you,
the
software
license.
Yeah
it's
going
to
be
more
expensive
because,
like
not
having
that
in
the
index,
is
fine
because
I
in
an
ideal
world,
we
don't
have
many
people
using
older
versions.
So
I
don't
know
if
this
actually
ever
needs
to
be
a
complete
index.
Okay
mo
that's
great
for
Ruby.
C
What
about
what
about
Java
I,
don't
know
about
Java,
but
I
can
tell
you
like
parsing
pom
files
that,
on
that
XML
is
a
another
solved
problem
and
maven
central
does
provide
like
an
offline
archive
that
you
can
download
when
I
last
looked
at
it.
It
was
something
like
600
megabytes
and
then,
when
you
expand
that
it
was
like
a
couple
of
gigs
so
being
able
to
like
unpack
that
and
just
take
the
software
licenses.
C
C
If
we
actually
take
that
and
drop
it
even
further
message,
pack
or
even
just
ship,
a
sequel
like
database
or
even
I
mean
like
I,
didn't
even
compress
those
files,
and
you
saw
how
many
times
it
said,
MIT
and
there's
tons
of
duplication
in
those
text
files
that
a
good
compression
algorithm
would
be
able
to
highly
compress
those
data
directories,
but
I
didn't
focus
on
that
for
now.
So
what
I
did
focus
on
is
copying
what
you
call
it
copying
the
ruby
advisory
database
spandex
index
update.
C
So
this
is
just
gonna
pull
the
latest
index
via
get
so
in
essence,
when
you're
building
the
docker
image.
If
this
were
a
solution
like
an
offline
in
offline
index,
if
we'd
be
like
it's
gonna,
take
a
lot
of
work
to
actually
build
the
index
and
keep
it
up-to-date,
improve
the
efficacy
of
it
and
then
figure
out
what
an
optimized
machine
version
is
for
the
scanners
are.
If,
if
we
did
choose
to
build
those
offline
index
and
try
to
manage
it,
it's
it's
a
bit
of
work
right.
C
So
each
package
manager
is
going
to
be
different
and
maybe
that's
not
going
to
be
a
comprehensive
list.
Maybe
you
don't
do
this
for
all
package
managers?
Maybe
you
just
do
this
for
specific
ones
like
the
top
two
or
three
that
we
care
about
it
would
at
least
get
you.
Some
depends
on
like
licenses
for
those
truly
air-gap
scenario,
but
then
it
also
improves
as
your
scan
time,
because
you've
got
some
of
that
information
already
pre
computed
and
allows
you
to
fall
back
to
making
Network
calls
for
the
missing
information.
C
C
E
C
That's
better
to
do
ahead
of
time,
not
at
scan
time
so
like
for,
like
so
in
the
case
of
the
new
get
one
I'm
finding
like
the
original
pages.
There's
so
many
misses
because
they
changed
the
respect
that
I'm
just
recording
it
in
a
new
get
that
unknown
file,
and
so
this
files
like
these
are
all
the
ones
that
I
need
to
go
like
figure
out
by
pulling
down
the
source
code,
doing
an
offline
analysis
of
the
license
file
once
I
figured
that
out
once
put
it
into
the
index.
C
A
E
E
E
E
C
C
Okay,
so
here
was
an
example
of
the
Gradle
package,
manager'
class
in
license
finder.
You
can
see
it's
using
to
download
licenses
tasks
which
has
to
be
installed
as
part
of
your
Gradle
build,
and
so
the
catch
here
is
like
where
this
command
is
happening.
We
have
to
convince
it
to
get
that
information
from
a
private
source
rather
than
you
know
the
public
sources
right.
C
E
C
Not
a
Java
person
but
I.
Okay.
Let's
look
at
the
Gradle
example
engine
tier
so
in
cradle
you
can
specify
repositories
in
your
build.gradle
great
and
so
there's
some
default
ones
like
maven,
central
J,
Center
Isis,
and
you
can
put
more
than
one
in
here
so
I've
seen
that
in
the
documentation,
so
I
think
the
next
thing
is
just
saying:
okay,
private,
you
know
whatever
that
repo
location
is
and
then
a
hijacking
or
removing
these
for
the
private
scenarios,
so
I
believe
so.
C
Okay,
I,
don't
know
for
sure
that
needs
investigation
and
it's
also
going
to
be
dependent
on
each
package
managers
ability
to,
but
so
far
what
I've
seen
like
Ruby,
we
already
know
you
just
specify
the
source.
Let
me
change
that.
You
know
the
Gradle
one
here
you
can,
it
looks
like
you
can
specify
the
default
ones.
Maven
central
J,
Center
and
I
haven't
checked
to
see
how
to
do
the
private
ones
palm.
Let's
go
back
to
you.
B
B
Example
from
says
it
is
really
pointing
at
this
like,
if
you
are
setting
multiple
registry,
for
example,
with
fallbacks
this.
This
logic
is
including
to
the
package
manager,
and
we
will
have
to
replicate
that
one
on
our
side
in
the
license
scanner
in
the
way
to
find
which
registry
to
point
at
find
the
license.
Information.
B
Oh
I,
see
we're
saying,
and
this
is
joining
my
next
command
and
the
dark,
which
is
the
alternate
option,
is
we
already
know
that
we
will
need
to
download
the
dependencies
to
build
a
project
anyway,
unless
the
project
is
built
outside
of
gitlab,
which
I
think
is
maybe
a
use
case.
We
might
agree
to
not
support
from
now,
but
if
we
need
to
build
a
project
within
gitlab,
we
need
to
download
the
dependencies.
So
we
are.
A
B
A
Don't
have
that
locally
that
would
be
available
directly
on
the
network.
So
that's
the
only
drawback
that
I
see
in
this
offline
index.
I
think
that
it
is
great
I,
just
wonder
if
we,
if
we
will
be
in
a
position
where
we
never
had
access
to
develop,
I
mean
I,
understand
that
there's
a
performance
kit.
By
doing
this,
this
recurrence
registry
is.
B
Can
have
some
replicate
of
extra
of
to
be
created
three
with
some
local
features
like,
for
example,
the
Kitab
packages
features.
They
could
replicate
the
API
to
download
the
dependencies
when
it
comes
to
building
the
project,
but
it
might
not
replicate
the
may
be
a
custom
API
that
provides
license
informations
yeah.
This
is
something
that
we
pointed
buy
more
and
so
as
you're
saying
more,
when
you
are
installing
Python
dependencies.
What
you
install
locally
doesn't
include
license
information.
You
have
to
always
reach
out
to
the
Python
registered.
You
get
the
license.
Data,
oh
I,
please.
B
C
G
To
try
and
avoid
to
call
out
a
customer
name,
but
there's
one
Python
customer
we
have
who
one
of
their
complaints
they
had
with
us
frequently
was
that
they
pre
compiled
everything
before
they
put
it
on
their
get
lab
instance,
and
so
there
could
be
situations
where
we're
not
using
a
on
local
area
network
registry
because
we're
getting
precompiled
stuff.
But
in
that
case
like
are
we
gonna
just
choke
on
it
anyway,
because
it
doesn't
have
the
expected
little
text
files
and
things.
We
need
well.
C
C
G
On
the
other
hand,
if
somebody
is
choosing
not
to
use
the
scanners
if
we
keep
by
default
having
them
all
in
the
default
package,
our
default
package
gets
bigger
and
blow
tier
for
things
that
people
aren't
using
so
having
some
kind
of
option
to
say,
I
want
all
of
the
secure
docker
images
versus
the
base
ones
versus
whatever
would
make
some
customers
happy,
because
then
they
could
save
there.
How
much
they're,
downloading
and
scanning
that's.
C
C
We
can
actually
just
install
the
Deb
files
with
you
know
these
indexes
or
the
tools
as
part
of
the
scan
step
without
having
to
reach
out,
because
my
assumption
there
is
like
yes,
you
can,
but
you
still
need
to
be
able
to.
You
know,
touch
your
local
self
installation
of
gate.
Lab
I
mean
you'd,
be
able
to
access
the
any
packages
that
we
ship
as
part
of
the
get
left.
I'm.
G
G
You
know
like
so
there's
a
bunch
of
what
I
believe
to
be
very
reasonable
assumptions
that
we
should
list
out
so
that
somebody
could
tell
us
if
they're
they've
got
some
other
scenario,
but
I
think
that's
perfectly
reasonable.
To
say,
like
your
runners,
your
you
know
get
lab
instance,
your
code
etc.
You
it
whether
or
not
they're
in
that
same
spot,
you
need
to
be
able
to
call
them
within
your
cluster.
G
Don't
think
we
can
rely
on
cloning
or
forking,
though,
because
sometimes
these
customers
need
to
be
able
to
do
a
download
command
on
one
machine
and
then
drag
those
files
and
contents
over
to
the
git
lab
limited
connectivity
instance
can
before
they
hit
their.
So
could
they
do
that
on
just
a
regular
computer
like
request
a
fork
if.
A
G
G
A
G
D
That's
the
script
that
we're
talking
about
that
doesn't
essentially
like
a
doctor,
save
a
CP
docker
load
into
the
environment.
So
that's
what
we've
been
talking
about
for
the
air-gap
thing,
so
that's
we
have
an
established
process
for
doing
that.
We
just
need
to
figure
out
how
to
recommend
something
like
that
to
customers.
B
B
We
can
but
I
think
it's
it's
the
same
thing.
It's
like
what
is
your
company's
way
to
install
and
dependencies,
and
we
provides
the
dependencies
and
it's
its
regular
doctor
images,
whatever
they
way
to
install
the
other
Deker
images
in
their
company.
They
can't
just
do
the
same
way
for
our
Deker
images.
A
B
C
B
Then
it
could
be
a
fullback
calling
because
we
are
a
treasure
to
find
one
solution
for
all
languages,
and
this
might
not
be
the
best
approach.
Maybe
we
could
have
dedicated
solution
for
a
I
mean,
for
example,
Python.
If,
if
we
have
no
local
licensed
meta
data
for
Python,
maybe
we
could
bring
an
index
for
Python
dependencies,
so
we
could
just
do
this
result.
B
A
That's
the
main
concern
I
love.
This
idea
of
you
know
friend
indexes,
but
we
are
making
a
lot
of
assumptions
on
the
network.
What
we
want
to
see
that
running,
yeah
I
think
the
next
step
really
would
be
to
gather
all
the
customers,
requirements
and
information
so
that
we
have
a
better
value
of
what
is
really
available
inside
this
kind
of
network
if
we
have
really
or
even
justify
conserver
so.
G
G
Respond
better
when
you
make
a
proposal
and
they
can
respond,
whether
you
guessed
correctly
or
incorrectly,
for
whatever
reason:
I
that
just
seems
to
go
well,
so
I
think.
If
we
wrote
out
you
know,
we
believe
that
it
is
probable.
This
is
the
configuration
we
have
access
to
a
package
registry,
bla
bla
bla
like
if
we
wrote
that
out
as
a
unit
and
I
could
have
the
Tam's
and
stuff
share
that
with
the
customers.
I
believe
we
would
get
a
higher
percentage
of
feedback
than
if
we
just
asked
them
about
hey.
G
Could
you
tell
us
if
you
use
X,
Y
or
Z
I
have
no
idea
why
that
just
seems
to
get
better
results.
So
if
we
can
make
a
little
statement
where
y'all
could
tell
me
like
this,
is
our
preferred
way
that
we'd
like
to
see
them
set
up
and
then
I
can
make
a
statement
saying
we
currently
believe
that
and
then
I
could
get
that
kicked
out.
Then
we
can
get
feedback
saying
yay,
nay
and
I
could
like
finish
it
with.
G
I
think
in
the
investigation
issue
we
have
for
trying
to
figure
out
a
solution.
We
might
want
to
put
a
comment
with
that
as
well
as
maybe
make
a
call
out
to
it
up
in
the
description
and
just
say:
hey
we've
had
internal
discussions.
We
believe
that
it's
reasonable.
You
know,
based
on
talking
to
people,
that
the
environments
are
set
up
like
XYZ
and
that
updates
could
be
gotten
through
a
or
B.
G
You
know,
we'd
love
for
you
to
let
your
Tam's
know
or
let
us
know
through
whatever
means,
if
this
is
an
incorrect
assumption,
because
we're
gonna
be
prioritizing
currently
x
and
y.
Until
you
tell
us
otherwise
and
then
I
can
send
that
comment
around
to
everybody
and
then,
if
we
want
to
like
draft
kick
that
around
in
like
a
Google
Doc,
so
we
can
all
tweak
it
to
make
sure
it's
clear
before
it
gets
pasted
in
there
just
to
save
shenanigans.
We
can
always
do
that.
C
A
B
Writing
up
some
conclusions
to
make
sure
we
agree
on
what
has
been
said
here
and
I've,
a
quick
summary
of
what
we're
aiming
to
the
world,
to
what
they're
going
to
do
sorry.
So
our
index
has
high
I
meant
discussed
but
might
still
be
useful
for
language
and
package
management
that
can
get
the
license
in
a
tie.
We
look
at
registries
our
downloaded
dependencies,
but
the
primary
way
to
address
I
get
support
would
be
tall
or
licensed
finder
to
be
configured
to,
although
calling
local
registry
is
instead
of
public
once
we
agree
with
this.
Yes,.
G
G
See
that's
what
I
said
if
we
just
say
like
we
believe
this
is
acceptable
and
then
we
like
phrase
it
together
and
be
like
after
brainstorming
so
easy.
They
will.
Let
us
know
if
we
are
incorrect.
We
just
need
to
say
we
believe
X
based
on
our
discussions
and
I'm
sure
we
will
hear
otherwise.
If
otherwise
is
the
case,
but.
A
G
B
G
So
I'm
hoping
that
Mr
I
booped
David
this
morning
and
Sam
I'm,
hoping
that
Mr
gets
put
public.
So
we
can
just
point
to
the
user
documentation
because
I
have
a
public
definition
of
that
once
that
gets
merged
and
so
I
am
hoping
it
gets
merged
soon.
So
we
can
all
just
point
they're
constantly,
instead
of
reiterating
like
one
single
source
of
truth,
but
it
doesn't
mean
to
us
and
we
can
fixing
that
Mr
or
making
newmars
against
it.
But
I
want
to
have
one
single
source
of
truth.
Could.
G
Assume
that
there
okay,
is
a
for
the
primary
language.
We're
looking
at
that.
There's
gonna
be
a
registry
that
they're
maintaining
that
you
can
get
to.
With
the
caveat
it
probably
is
gonna
have
some
CA
username/password
nonsense
going
on
so
I,
don't
know
if
you
want
to
make
that
like
a
second
issue
to
follow
up
on,
but
that
is
highly
probable
that
that's
gonna
be
the
case.
G
B
G
H
B
B
G
H
A
G
C
A
So
we're
saying
if
python
is
the
priority
and
we
need
something
up
and
running
really
quick
I,
remember
that
one
of
the
customers
replaced
our
license.
Finder
and
I
reserved
like
this,
which
doesn't
seem
to
require
a
network
connection
or
not
one
in
the
person
show
that
it's
worth
trying
and
the
good
part.
Is
this
too,
as
a
that
is
compatible
with
licensed
finder,
so
we
would
be
able
to
get
rid
the
results
directly
into
into
the
passers.
The
only
issue
that
we
have
is
we
don't
have
a
way
to
tell
licensed,
find
our
lessons.
G
C
G
C
G
I
As
long
as
we're
brainstorming,
I'd
like
to
upload
Philippe's
comment
regarding
having
a
repo
and
then
updating
from
the
repo
like
having
the
index
and
everything
because
I
think
good
lab,
we
offer
this
working
functionality
where
you
can
mirror
a
fork.
So
if
we're
okay
with
getting
stuff
from
the
internet
temporarily
like
intermittently,
then
if
we,
if
we
give
the
client
a
fork
of
our
index,
then
what
can
happen
is
we
can
create
a
CI
pipeline
on
their
side
that
they
can
intermittently
pull
the
fork
and
then
create
a
Mars?
I
I
C
A
All
right
that
was
great.
Thank
you,
everyone,
so
next
step
I'm
going
to
issue,
and
we
will
ask
the
customer
see
if
it's
a
good
fit
or
not.
I
will
probably
start
with
the
Google
Docs,
as
as
you
advice,
Nico,
so
that
we
can
share
before
recommending
all
right
thanks
everyone,
the
good
rest
of
your
day.