E
Can probably get started here. Just a reminder, this meeting is being recorded; it'll be uploaded to YouTube at some point afterwards, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct. If folks have agenda items that they wanted to add, feel free to add it to the FRSCA community notes here, and yeah, we can get started.

Next thing, so the big thing I think I wanted to sort of... out is just... the only agenda item I have. So I'm... My priorities have shifted a little bit, so I don't have as much time to focus on FRSCA, at least for the next several months, and so looking for...

You know, to see if there's other folks who want to volunteer or contribute to FRSCA, or what folks want to kind of see out of FRSCA, and then we can kind of go and maybe reach out to some of the folks from the OpenSSF and see if there's folks who are interested in, you know, volunteering, maintaining FRSCA and so on, because, you know, we keep hearing... I keep seeing FRSCA in demos and FRSCA in presentations around some stuff.

So, you know, it does seem like people are, at the very least, interested in some of the stuff that FRSCA does. But we haven't really seen a lot of interest when it comes to some... you know, like actual folks with hands-on keyboard time to do stuff, like, you know, implement the pipeline framework or help out with the pipeline framework.

You know, keep things updated and maintained, and all that good stuff, so yeah, that's my spiel there. So if folks know people who want to contribute or maintain the project and would be interested to, you know, definitely... like I know

a few of us are listed as maintainers on there, but I just want to kind of, you know, see if there's additional folks out there who are interested, or if there's things that we can do to help attract those folks, that would be great, because yeah, if folks find FRSCA useful, they would love to kind of keep it going.

D
Yeah, I think that's my main area of question, like, or uncertainty, I guess, is like how can we make FRSCA useful?

You know, initially I had heard, and some of this may be misperception or like a misunderstanding on my part of the intent, so feel free to correct me if I'm wrong, but I had seen, you know, FRSCA described as maybe the only, you know, reference implementation of the Secure Software Factory, and I was wondering if, like, expanding that, like, with the intent of allowing end users to adopt FRSCA or the ideas and techniques out of the box for their own supply chains.

Whether this is open source projects, or maybe not as much open source projects, more focused on like enterprise customers, because it does a lot of things that are like next level, right? Like it does things that are hard.

People perceive to be hard, and like there's a lot of value in that, but I'm wondering, like, how practical that is in terms of, like, will I see any enterprise really take this thing, put it in, and, like you said, the most common place we've seen it is in demos, but maybe that's something that we could lean into, like, can we try and leverage this, and my thought was like with the expansion of the side positioning group?

Yeah, so like that was just some of my ideas, coming from, like, my biased perspective of VMware. I have to figure out, like, is there an open source thing from VMware that I could try and plug in here to justify contributing my time, and Cartographer is an interesting open source project from my perspective that I would be curious to see how it could fit in here.

At the same time, I want to make sure that long term it makes sense, that the project is going to keep going in a way that the community finds useful. So.

E
Cool, yeah. No, that definitely sounds like a good idea there, and let me actually... yeah, so I know some of the stuff should probably be recorded in the GitHub somewhere, but we can kind of put it in here and then maybe open up a PR and put it in the GitHub as well, but yeah, so I think to kind of go through at a high level again.

Based on some conversations we had, and I think I'm paraphrasing from the readme a little bit, but so like FRSCA is two things, right.

You know, FRSCA is a... what do we call it, hold on? Let me bring this up in the GitHub.

So I'm just gonna post it. Actually, this is in...

So it's two things, and I posted this both in the document there. So FRSCA is a suite of build pipeline, signing, visibility, identity, I should say policy, etc. tools, designed, configured to operate securely. So that means, you know, it's the infrastructure.

It's a set of build pipeline abstractions and definitions with security guardrails ensuring all builds follow supply chain best practices, and then this is, you know, the software, right, where, you know, there's two pieces: one is, hey, we've configured a bunch of tools to operate securely, right, like, you know, this is stuff like Tekton, Tekton Chains, SPIFFE, SPIRE, Vault, etc., and then it's about some software that we're writing ourselves to help ensure that the operation of those tools is done in a way, in service of operating secure builds, right, and separately.

How does it do this? Well, it's an implementation of the CNCF Secure Software Factory ref arch.

A
You know, plans to follow other frameworks as well, like... was it the SSDF, S2C2F, etc.

E
So, right, like the way that we're... I think the goal here is to, like, essentially be the shining example, right. We don't want to say the reference example or anything like that, but we want to say, hey, it should be one of the things that people can look at and go, oh, they've done this, and regardless of whether or not somebody uses FRSCA itself, they should be able to go and look at what FRSCA's doing and saying.

So I believe this is where... so there's a couple of things here. Parth, I don't remember exactly if the reason why we didn't include it in three is because we're still waiting for the workload identity piece from SPIFFE/SPIRE to get merged upstream into Tekton and Tekton Chains, or if there was, like, a couple of other small little things that, like, there was some uncertainty, because I think with the workload identities via SPIFFE/SPIRE, it should be SLSA 3, Brendan, Parth.

F
Yes, yeah, it was just waiting on the upstream Tekton work to get merged, and then there'd be SLSA three, so that is taking much longer than expected. So it's been there for about a year now. So it's been, yeah. We were done with that work last, I think, February, March, so it's been literally a year now since, and it still hasn't been merged.

So that is the non-falsifiable provenance piece, so that, in terms of that, you know, it checks to see if the results being passed between tasks cannot be modified, if the task run itself cannot be modified, all those kind of things. So it does a lot of those using short-lived certificates from SPIFFE/SPIRE. It checks all those values and ensures that, at the end, when Tekton Chains does the signature, nothing has changed.

So there's still two open PRs, I believe, that still have to be merged on the Tekton side, and then another PR still on the Chains side. Yes, and it's just... I'm pretty sure the work has stagnated again. So.

I think it's... I'm not sure, I mean, I think it's maybe the lack of understanding in terms of how SPIRE kind of integrates and works, and the thing is that, even if it gets merged into Tekton, it's still going to go into an alpha release. So it's not going to be used in general by the public anyways.

So I'm not sure why they're still, you know, they're very picky and hesitant on merging it. I don't know what the reason is, but yeah, because it'll go behind an alpha flag anyways. So it's not like it's going to go full-on production in Tekton even if it gets merged into the code base, so you have to opt for it physically, you know, like manually, you have to opt for it in multiple... you know, put multiple flags in, and also, of course, you have to have your own SPIRE server running.

Otherwise it won't work. So there's a lot of things you have to do in order for it to actually function. So it's not breaking any existing Tekton functionality. So I'm not sure.

E
Yeah, there's a couple of things there, and, you know, we don't have all the background into all the stuff with Tekton, and from our perspective the Tekton stuff has been notoriously difficult to get involved in. They have... whereas here we might be like, hey, if you contribute and attend a few meetings for FRSCA, you can join, you become a FRSCA maintainer; I believe it's like you need to show like a year's worth of significant work on Tekton to even be considered, and it kind of leads to, I

think, a lot of confusion on that. There's been, you know, concerns that it's mostly, you know... and it's not necessarily... None of this is to knock any of the actual people working on the project.

Just to be clear, it's just that I believe Tekton is mostly, you know, some folks from IBM, Red Hat, Google who have been working on it, and a lot of folks in the community who are not part of those companies have found it a little difficult to kind of get a bit more involved, and so things that don't fall under the, you know...

Some of the priorities they already have listed become sort of like... they get put on the back burner a little bit, at least what we've discovered from our perspective.

E
Yeah, and from our perspective as well, it just seems like there's a lot of folks who have a million priorities on their plate, and this is just a little bit of a lower priority, and I think some of it is also potentially because some of the folks who are a bit more involved, a level down on the Tekton side, aren't familiar with, like... because I remember some of the conversations recently in Tekton have also been: do we need SLSA?

Couldn't we just have, like, a thing that just does this? And it's like, well, SLSA is, you know, an emerging standard, we should probably support it. So I know that it's less about, you know, anybody specifically, you know, avoiding it, and more just, like, with a million priorities.

F
Oh yeah, sorry, I just posted in chat. I think Brad posted something else too, but the pipeline, yeah, or yeah, the pipeline PRs. Basically, so there's a bunch of them that closed, so they're, yeah. There have been multiple PRs, and then currently the one that's open, I think it's been open three weeks ago, but it looks like a person from Google named Prakash was actually working on it on our behalf, and he seems to have stopped at...

E
I think on that front, you know, we would still also be interested, you know, not necessarily interested in dropping Tekton, but interested in, like, hey, what can we do in the future to also be better contributors back to Tekton, so that some of this stuff... because I think the thing with... one of the other things I think actually I forgot about, to go back to the goals prior to the FRSCA?

Is one of the goals and priorities is to fill in the gaps that the tools don't do themselves, right? So you can imagine, right, like, you know, some of these tools themselves don't automatically generate SBOMs, but we can have the glue code for FRSCA essentially say: you must generate an SBOM as part of your project, and we can enforce that largely at an interface level, right.

You know, people could probably still find ways to work around it, but as long as you're not, like, being very obviously malicious, you would automatically get an SBOM, and so I think some of those things are also in there as well, of like, if there's a feature missing in Tekton, and we can work around it.

We can put that in FRSCA and then try and still push that as an upstream thing back into Tekton and similar tools, like whether it's like OPA or Kyverno or, you know, Vault or whatever.

So I guess actually one of the things that it might be worthwhile is: do folks think that something like a FRSCA road show, or a FRSCA, like, you know, something like a big sort of blog or something like that, really sort of describing what FRSCA is and why we believe it to be important, might be useful to folks, so that when folks kind of go, say, hey, I keep hearing about this FRSCA thing.

But then I look at the project and I just see a whole bunch of stuff in there and I don't know where to get started. Does it make sense to have something like that too? I don't know.

D
So
one
of
the
things
I've
been
struggling
with-
and
this
is
more
like
internally-
trying
to
build
features
and
products
that
have
supply
chain
security
functionality
in
it
is
conveying
not
the
like
the
what
we're
going
to
solve
for
the
problem,
but
the
why
we're
solving
it
like.
Why
is
it
in
like
we
all
agree
here?
Social
insecurities
is
important
and
we
can
like
point
to
specific.
You
know,
incidents
or
attacks.
D
So
you
know
we
have
the
whole
catalog
of
supply
chain
compromises,
but
just
like
security
is
still
a
hard
sell
in
a
lot
of
places,
and
so
that,
like
the
easiest
fallback
for
us,
is
to
do
things
like
you
know,
Dora
metrics
or
something
else
like
how.
D
How
how
can
we
leverage
tooling
like
this,
to
decrease
the
the
number
of
visits
to
A
Change
review
board
for
an
organization
or
like
the
increase
in
developer
velocity
or
the
the
reduction
of
you
know,
patches
or
things
you
have
to
do
after
you've
released
software,
because
we
all
know
it's
more
expensive
to
fix
them
at
the
end,
like
those
those
types
of
thing
and
I'm,
not
a
product
manager.
D
I
can't
like
figure
like
I,
can't
eloquently
describe
those
types
of
things,
but
that
resonates
with
the
people
I
talk
to
much
more
than
like.
We
want
to
get
to
salsa
level
four
and
they're
like
okay,
it's
a
it's
a
bunch
of
work
to
get
there
they're
like,
but
why
like?
Why
do
you
need
to
be
a
salsa
level,
four,
and
so
like
thinking
about
Fresca,
like
one
of
the
things
that
I
initially
wanted
to
do?
Looking
at
it
was
like
it's
it's
kind
of
it's.
D
It's
done
already
like
I,
can't
install
Fresca
and
then
demonstrate
a
supply
chain
compromise
and
then
like
make
some
change
to
Fresca
and
then
show
like
hey
now
we're
resilient
to
this
compromise
or
like
that
was
one
of
the
ideas
I
had
of
like.
Could
we
use
it
to
demonstrate
something
like
that
of
like
what
difference
does
this
make
and
so
like
I
think
we
could?
D
It
would
take
work
and
effort,
and
it
would
be
maybe
a
little
different
and
maybe
it
it
would
be
a
different
type
of
person
to
help
with
some
of
those
things
and
I
might
be
able
to
find
some
folks,
a
VMware
that
would
be
interested
in
helping
with
that
I.
Don't
know
if
that
makes
sense,
or
if
that
resonates
with
with
anyone
else
or.
E
We gave a demo, myself and Tim, who's not on this call, but had given a demo when we were still at Citi, at Supply Chain Security Con a few years ago. I think it was in LA, and when we gave that demo, this is before FRSCA. Our demo code eventually turned into what FRSCA became, and it was with a lot of help from folks on this call like Remy and Brendan, and I

don't think Josh is on this call, but Josh was also helping out with a lot of it as well, and so one of the cool things that we got out of it was this sort of, like, we were able to build... like we built that demo that you, you know, you sort of said, which is like, hey, here's something I'm building, a hello world program, we compile it, we run it.

It says goodbye world, that's weird, you know, why is it doing that, even though the source code says this, but it's because we weren't actually tracking stuff, like, you know, even just doing something simple like SLSA, where you could say, hey, this is weird, the thing that built this is not the same thing that son did, and yeah, and all of a sudden, hey, I have a picture as to what's going on there. I think we can definitely still, for demo purposes.

I think it would not be that difficult to, like, create a fork of FRSCA and call it, like, you know, less secure FRSCA, where we don't actually make some of these things requirements, and we can turn off some of those knobs and be able to say, hey.

We ran this build, it's claiming to create... yeah, diet FRSCA. Actually, Fresca is already a diet soda, I think. I think it's already zero calories or something like that, but yeah, I think we can. We can probably do something like that, where, and let me actually put this in here, you...

A
Know, create demo.

E
Yeah, I think that would be, what you said, I think would be useful, because I think... so yeah, I think that would be useful. I think the other thing that I know some folks have said is, and it's something that we should just sort of maybe think through, how we wanna work inside this, hold on, this case.

I think one of the other things that's interesting about that, or that's a bit of a challenge, right, is a lot of folks say they sort of... I don't want to say frustrated, like FRSCA, you know, is more than the sum of its parts, right, because it's also how all the different pieces are fit together. But a lot of folks, you know, who I know have talked to us previously about FRSCA, is like, cool.

Can I just drop in Jenkins instead of Tekton, and it opens up an interesting challenge, which is most folks are using Tekton, I'm sorry, Jenkins, GitHub Actions, a few others. Some folks who, you know, who are using stuff like OpenShift, obviously are using, you know, Tekton, or using OpenShift Pipelines, which is based on Tekton.

You know, a few other folks, obviously, using Tekton in lots of different areas. The problem that we keep running into, though, right, is nobody wants to move off of their CI system, because they kind of view their CI... they're like, well, it took us three or four years to do this, especially in, you know, I've worked at enough banks to know that a lot of the Jenkins setups there are, you know, it...

They have a team of five or six folks whose entire job is to make sure that all the Jenkins pipelines all follow the right rules, as opposed to, you know, what you would imagine, is like you have a library of Jenkins pipelines and you just get to use those Jenkins pipelines, and so that sort of thing is a challenge to then tell people, actually, throw away all those years of effort, even though in many ways I think it's like moving from a very heavily manual process to something that just automatically takes care of all of it, and, you know, one day Sunny can tell you the stories of some of that sort of stuff, I'm... taking an environment that had, you know, something like, you know, three or four thousand pipelines that were all manually configured and transforming it into...

You know, five or six different flavors of pipeline, and then everything else just is the inputs into those things, which is sort of where, you know, FRSCA does a lot of this stuff as well. So I guess that's kind of another open question, which is, you know, how do we get folks to either, like... I don't want to say people should be moving off of their existing CI pipelines.

You know, Selenium tests and yeah, it's more for the, like, no, no, are we building this thing securely, and then taking that secure artifact, now go do whatever else it is in your CI to sort of verify that it, you know, it hits whatever else you need in your process. Could Tekton still do that? Absolutely, but you're not, you know... I think the thing that I want... we're trying to, I think, drive here

is it's more about that building of the artifact, and the thing that has helped me a lot lately in some of the conversations we've had, and I would love to kind of get some feedback on this, is we... you know, I've been sort of telling, when I talk to folks who don't understand, like, why, like, for example, why is SLSA doing... why is SLSA so focused on the build right now? Why are they not focused on this, that, and the other thing? And it's like, well...

No, no, we do plan to. The problem is the build is the piece that takes a bunch of untrusted input, like source code and dependencies, and then packages it all up, right, you know, whether it's compiles, builds, whatever, and then pushes all of that out as a packaged artifact that is supposed to be privileged in some way, is intended to run in other environments.

So it's that sort of transformation step, that's really where so much can go wrong, and so that stuff is where a lot can go wrong, and so that I think has helped out with, when folks say, hey, why is the build so important? Well, that's why, and it's why?

If you look at stuff like the Sunburst SolarWinds attack and so on, it's because, like, it's very difficult to see, like, well, no, my source code's fine, yeah, but your build system was compromised, which led to everything that was going through that build system, and it is that bottleneck where everything flows through that same system, but yeah, I don't know what the answer is to getting folks to move off of their Jenkins, or for situations where the SLSA, like, GitHub generator for GitHub Actions doesn't necessarily fit the bill and they need to run something else.

D
It reminds me of the "incrementally adopting Sigstore" blog, of, like, maybe there's something similar here, like a story to tell in terms of exactly what you just described. Like you don't need everything to be inside of FRSCA. This is how you layer it together, and layer is a weird word to describe... Well, you just think it's not really hilarious, like what were we... being correct, like making a basket or something, you're threading these different things through in different directions.

E
Yeah, cool. Anybody else have any thoughts on any of that, on any of the things that we can be doing there? I know also, just generally from the contributors who are big contributors to FRSCA, I know myself, I'm getting pulled away a little bit, so I don't have as much time hands-on keyboard to focus on FRSCA for a while, and I know Brendan as well, and I

believe, you know, I don't want to put words in anybody's mouth, but I believe that some of the folks like Brad as well are not, you know... FRSCA is not as high of a priority anymore, and so that's just something else that we just need to kind of, as we're kind of going through, which is also one of the other reasons why we want, obviously, more contributors. It's not that, like, hey, we don't view this as being valuable.

It's just that also the folks who still do find it valuable, it's just, hey, other things have come up and we need to focus a little bit on some of these other things, and we don't want to just sort of abandon FRSCA if we don't have to. We want to kind of see who else in the community could help out there.

D
Yeah, I threw one other question in there, of like, what would success look like? You know, as we're thinking about the goals and the direction we wanted to go, like what value do we want OpenSSF end users to receive from the project such that it's worth taking the time to continue contributing to it.

E
So there was two things that we were talking about earlier on, and there seemed to be some interest in from OpenSSF. One was potentially to have certain OpenSSF projects run as a rebuilder through something like FRSCA, where you can imagine, like, you know, just throwing it out there, like something like Sigstore or whatever could run through FRSCA to sort of say, hey.

You know, it doesn't necessarily, you know, whatever, just the basic thing right there being FRSCA can sort of show off stuff like, hey, and if we ran a FRSCA service under OpenSSF to rebuild certain open source, LF sorts of projects, and then we can show off stuff like, hey, here's what you kind of get out of this, and you get like complete transparency throughout everything, right, where you'd be able to see all the different workload identities.

You know, really pushing, you know, stuff like in-toto and some of the other pieces to show, like, yep, none of these steps were broken here. We can show that, yes, it was that, like, this scanning step led to this step, led to this step, led to this step, led to this step, and there's, like, you know, pretty rigorous guarantees, cryptographically, you know, signed across each of those things.

I think that was one of the things that we would love to see, and then the other thing is just, you know... we would love to see, I think, two other things. One is obviously some adoption of FRSCA among, you know, some folks, and I know that, you know, what we've seen thus far, which has actually been some successes. We have seen some folks say, hey.

You know, it's like, hey, we don't use Kyverno, we use OPA. Okay, cool, so that's how they do, you know, that sort of stuff, or hey, we don't use HashiCorp Vault, we use, like, AWS's Secrets Manager, but since you showed how all these different pieces work, it wouldn't be that difficult to go in and build our own sort of thing, which, you know, and the problem is a lot of those folks who are saying that are also, they're not really able to contribute back to open source.

So it's not the easiest thing to say, hey, now we have a plug-in that allows you to swap out, you know, HashiCorp Vault or Secrets Manager or whatever other tools are out there, or have a thing that says, like, hey, yeah, here's a way to easily sort of swap out Kyverno for OPA or whatever.

All right, so I believe that's it as far as the agenda.

Does anybody have anything else they want to bring up on this topic? Otherwise, maybe we can kind of just come away with, like, a little bit of a takeaway, of like, what is the next step to be, like, what are the things that we should try, as, you know, to sort of increase engagement and all that.

Right, so I added a takeaways there and also put in, you know, honor you mentioned you follow up with regarding Tekton.

Thanks, yeah, any help is appreciated. Cool, anybody else with anything that they wanted to... You know, so my takeaway was I was gonna write up a little bit of the what and why of FRSCA, and then we can kind of maybe go from there.

E
Anybody else has anything else? You know, also feel free to ping me if you think of something that you want to work on regarding FRSCA, or you have the time. Otherwise, yeah, we can end, like, 15 minutes or so early, and I'll see you all in two weeks.