►
B
D
A
A
A
A
E
E
So
you
know
it
does
seem
like
people
are,
are
in
the
very
least
interested
in
some
of
the
stuff
that
Fresca
does.
But
we
haven't
really
seen
a
lot
of
interest
when
it
came
when
it
comes
to
some.
You
know,
like
actual
folks,
with
Hands-On
keyboard
time
to
do
stuff,
like
you
know,
implement
the
pipeline
framework
or
help
out
with
the
pipeline
framework.
E
A
D
D
D
People
perceive
to
be
hard
and
like
there's
a
lot
of
value
in
that,
but
I'm
wondering
if
they're
like
how
practical
that
is
in
terms
of
like
it
will
and
see
any
Enterprise
really
take
this
thing
put
it
in
and,
like
you
said,
the
most
common
place
we've
seen
it
is
in
demos
like
it
and
but
maybe
that's
something
that
we
could
lean
into
like.
Can
we
try
and
leverage
this
in,
and
my
thought
was
like
with
the
the
expansion
of
the
side
positioning
group?
D
Yeah
so
so
like
that
was
just
some
of
my
ideas.
Coming
from,
like
my
my
bias,
perspective
of
VMware
I
have
to
to
figure
out
like.
Is
there
an
open
source
thing
from
VMware?
That
I
could
try
and
plug
in
here
to
justify
contributing
my
time
and
cartographer
is,
is
an
interesting,
open
source
project
from
my
perspective
that
that
I
would
be
curious
to
see
how
how
it
could
fit
in
here.
D
E
Cool
yeah
yeah.
No,
that
definitely
sounds
like
a
a
good
idea
there
and
let
me
actually
yeah
so
I
can
I
know
some
of
the
stuff
should
be
probably
recorded
in
the
GitHub
somewhere,
but
we
can
kind
of
put
it
in
here
and
then
maybe
open
up
a
PR
and
and
put
it
in
the
GitHub
as
well,
but
yeah
so
I
think
to
kind
of
go
through
at
a
high
level
again.
A
E
E
So
right,
like
the
the
way
that
we're
I
think
the
the
goal
here
is
to
cut
like
essentially
be
the
shining
example
right.
We
don't
want
to
say
we
don't
want
to
say
the
the
reference
example
or
anything
like
that,
but
we
want
to
say
hey.
It
should
be
one
of
the
things
that,
like
people
can
look
at
and
go.
Oh
they've
done
this,
and
regardless
of
whether
or
not
somebody
uses
Fresca
itself,
they
should
be
able
to
go
and
look
at
what
Fresco's
doing
and
saying.
B
E
So
I
believe
this
is
where
so
that
there's
there's
a
couple
of
things
here
in
parth
I.
Don't
remember
exactly
if,
if,
if
the
reason
why
we
didn't
include
it
in
three
is
because
we're
still
waiting
for
the
workload
identity,
piece
from
spiffy
Spire
to
get
merged
Upstream
into
the
into
tecton
attacked
on
chains
or
if
there
was
like
a
couple
of
other
small
little
things
that
like
there
was
some
uncertainty,
because
I
think
with
the
workload
identities
be
a
spiffy
Spire,
it
should
be
saucer,
3,
Brendan
parth.
F
Yes,
yeah,
it
was
the
just
waiting
on
the
Upstream
tecton
work
to
get
merged
and
then
there'd
be
salsa
three,
so
that
that
is
taking
much
longer
than
expected.
So
it's
been
there
for
about
a
year
now.
So
it's
been,
it's
been
yeah.
We
were
done.
We
were
done
with
that
work.
Last
last
I
think
February
March,
so
it's
been
literally
a
year
now
since
and
it
still
hasn't
been
merged.
F
So
that
is
the
the
non-falsifiable
provenance
piece
so
that,
in
terms
of
that,
you
know
you
can't
so
it
you
know
it
checks
to
see
if
the
results
being
passed
between
tasks
cannot
be
modified.
If
the
task
itself
task,
the
task
run
itself
cannot
be
modified,
all
those
kind
of
things.
So
it
does
a
lot
of
those
using
a
short-lived
certificate
certificates
from
spiffy
Spire.
It
checks
all
those
values
and
ensures
that,
at
the
end,
when
it
signs,
when
tecton
chains
does
the
signature
that
nothing
has
changed.
F
F
B
F
Think
it's
I'm,
not
sure
I
mean
I,
think
it's,
maybe
the
lack
of
understanding
in
terms
of
how
Aspire
expire
kind
of
integrates
and
works,
and
the
thing
is,
is
that
it's,
even
if
you
merge
it
if
it
gets
merged
into
tecton,
it's
still
going
to
go
into
an
alpha
release.
So
it's
not
going
to
be
used
by
it
in
general
by
the
the
public
anyways.
F
So
I
I'm,
not
sure
why
they're
they're,
still,
you
know
they're
very
picky
and
hesitant
on
merging
it
for
I,
don't
know
what
the
reason
is,
but
yeah,
because
it'll
go
behind
an
alpha
flag
anyways.
So
it's
not
like
it's
going
to
go
full
on
production
interact
on
even
if
it
gets
merged
into
the
code
base,
so
you
have
to
opt
for
it
physically.
You
know
like
manually,
you
have
to
opt
for
it
in
multiple.
You
know
put
multiple
Flags
in
and
also
of
course,
you
have
to
have
your
own
Spire
server
running.
F
E
B
A
E
B
F
C
C
E
Yeah
and
and
from
our
perspective
as
well
as
it
just
seems
like
there's
a
lot
of
folks
who
have
a
million
priorities
on
their
plate
and
it
this
is
just
a
little
bit
of
a
lower
priority
and
I
think
some
of
it
is
also
potentially
because
some
of
the
folks
who
are
a
bit
more
involved
level
down
on
the
techton
side
aren't
familiar
with
like
because
I
remember.
Some
of
the
conversations
recently
in
techcon
has
also
been.
Do
we
need
salsa?
E
Couldn't
we
just
have
like
a
thing
that
just
does
this,
and
it's
like
well,
sauce
is
the
you
know
is
an
emerging
standard.
We
should
probably
support
it.
So
I
I
know
that
there's
there's
it's
it's
less
about.
You
know
anybody
specifically,
you
know
avoiding
it
and
more
just
like
with
a
million
priorities.
F
Oh
yeah,
sorry
I,
just
posted
in
chat,
I,
think
Brad
posted
something
else
too,
but
the
the
pipeline
yeah
or
yeah
the
pipeline
PR's.
Basically
so
there's
a
bunch
of
them
that
closed
so
they're
yeah.
There
have
been
multiple
PR's
and
then
currently
the
one.
That's
open,
I
think
it's
it's
been
open
three
weeks
ago,
but
it
looks
like
like
a
person
from
Google
named
prakash
was
actually
working
on
it
and
on
our
behalf
and
he
seems
to
have
stopped
at.
E
E
I
think
on
on
that
front,
you
know
we.
We
would
still
also
be
interested.
You
know
not
necessarily
interested
in
dropping
tecton
but
interested
in
like
hey.
What
can
we
do
in
the
future
to
also
be
better
contributors
back
to
techton,
so
that
some
of
this
stuff
like
because
because
I
think
the
thing
with
one
of
the
other
things
I
think
actually
I
forgot
about
to
go
back
to
the
goals
prior
to
the
Fresca?
E
Is
one
of
the
goals
and
priorities
is
to
fill
in
the
gaps
that
any
that
the
tools
don't
do
themselves
right?
So
you
can
imagine
right.
Like
the
you
know,
some
of
the
you
know
these
tools
themselves,
don't
automatically
generate
s-bombs,
but
we
can
have
the
glue
code
for
Fresca
essentially
say:
You
must
generate
an
s-bomb
as
part
of
your
project
and
and
we
can
enforce
that
largely
at
an
interface
level
right.
E
D
So
one
of
the
things
I've
been
struggling
with-
and
this
is
more
like
internally-
trying
to
build
features
and
products
that
have
supply
chain
security
functionality
in
it
is
conveying
not
the
like
the
what
we're
going
to
solve
for
the
problem,
but
the
why
we're
solving
it
like.
Why
is
it
in
like
we
all
agree
here?
Social
insecurities
is
important
and
we
can
like
point
to
specific.
You
know,
incidents
or
attacks.
D
I
can't
like
figure
like
I,
can't
eloquently
describe
those
types
of
things,
but
that
resonates
with
the
people
I
talk
to
much
more
than
like.
We
want
to
get
to
salsa
level
four
and
they're
like
okay,
it's
a
it's
a
bunch
of
work
to
get
there
they're
like,
but
why
like?
Why
do
you
need
to
be
a
salsa
level,
four,
and
so
like
thinking
about
Fresca,
like
one
of
the
things
that
I
initially
wanted
to
do?
Looking
at
it
was
like
it's
it's
kind
of
it's.
D
It's
done
already
like
I,
can't
install
Fresca
and
then
demonstrate
a
supply
chain
compromise
and
then
like
make
some
change
to
Fresca
and
then
show
like
hey
now
we're
resilient
to
this
compromise
or
like
that
was
one
of
the
ideas
I
had
of
like.
Could
we
use
it
to
demonstrate
something
like
that
of
like
what
difference
does
this
make
and
so
like
I
think
we
could?
D
It
would
take
work
and
effort,
and
it
would
be
maybe
a
little
different
and
maybe
it
it
would
be
a
different
type
of
person
to
help
with
some
of
those
things
and
I
might
be
able
to
find
some
folks,
a
VMware
that
would
be
interested
in
helping
with
that
I.
Don't
know
if
that
makes
sense,
or
if
that
resonates
with
with
anyone
else
or.
E
We
gave
a
demo
myself
and
and
Tim
who's
not
on
this
call,
but
had
given
a
demo
when
we
were
still
at
City
at
supply
chain
security
con
a
few
years
ago.
I
think
it
was
in
LA
and
when
we
gave
that
demo
this
is
before
Fresco.
Our
demo
code
eventually
turned
into
what
what
Fresca
became,
and
it
was
with
a
lot
of
help
from
from
folks
on
this
call
like
like
Remy
and
and
Brendan
and
I.
E
It
says
goodbye
world,
that's
weird,
you
know
why
is
it
doing
that,
even
though
the
source
code
says
this,
but
it's
because
we
weren't
actually
tracking
stuff,
like
you
know,
even
just
doing
something
simple
like
salsa,
where
you
could
say
hey.
This
is
weird
the
the
thing
that
built.
This
is
not
the
same
thing
that
son
did
and
yeah
yeah
and
all
of
a
sudden,
hey,
I,
have
a
picture
as
to
what's
going
on
there
I
think
we
can
definitely
still
for
demo
purposes.
E
E
E
Yeah
I
think
that
that
would
be
what
you
said.
I
think
would
would
be
useful
because
I
think
so
so
yeah
I
think
that
would
be
useful.
I
think
the
other
thing
that
that
I
know
some
folks
have
said
is
is,
and
it's
something
that
we
should
just
sort
of
maybe
think
through
how
we
wanna
work
inside
this
hold
on
this
case.
E
I
think
one
of
the
other
things
that
that's
interesting
about
that
is
or
that's
a
bit
of
a
challenge.
Right
is
a
lot
of
folks
say
they
sort
of
I,
don't
want
to
say
frustrated
like
Fresca,
you
know
is
more
is
like
is
more
than
the
sum
of
its
parts
right,
because
it's
also
how
all
the
different
pieces
are
fit
together.
But
a
lot
of
folks,
you
know
who
I
know
have
talked
to
us
previously
about
Fresca
is
like
cool.
E
Can
I
just
drop
in
Jenkins
instead
of
tecton,
and
it
opens
up
an
interesting
challenge,
which
is
most
folks,
are
using
tecton,
I'm,
sorry,
Jenkins,
GitHub
actions,
a
few
others.
Some
folks
who
need
you
know
who
are
using
stuff
like
openshift,
obviously
are
using.
You
know,
techton
or
using
openshift
pipelines,
which
is
based
on
techcon.
E
You
know
a
few
other
folks,
obviously
using
using
techcon
in
lots
of
different
areas.
The
problem
that
we
keep
running
into,
though
right
is,
is
nobody
wants
to
move
off
of
their
CI
system
because
they
kind
of
view
their
seat
they're
like
well.
It
took
us
three
or
four
years
to
do
this,
especially
in
you
know,
I've
worked
at
enough
Banks
to
know
that
a
lot
of
the
Jenkins
setups
there
are,
you
know
it.
E
You
know
five
or
six
different
flavors
of
Pipeline
and
then
everything
else
just
is
the
inputs
into
those
in
those
things
which
is
sort
of
where
you
know,
Fresca
does
a
lot
of
this
stuff
as
well
I.
So
so
I
I
guess
that's
a
kind
of
another
open
question
which
is
you
know?
How
do
we
get
folks
to
either
like
I,
don't
want
to
say
people
should
be
moving
off
of
their
existing
CI
pipelines.
E
You
know
selenium
test
and
yeah
yeah,
it's
more
for
the
like.
No,
no
are
we
building
this
thing
securely
and
then
taking
that
secure,
artifact
now
go
do
whatever
else.
It
is
in
your
CI
to
to
to
sort
of
verify
that
it.
You
know
it
hits
whatever
else
you
need
in
your
process.
Could
tepton
still
do
that?
Absolutely,
but
you're,
not
you
know,
I
think
the
the
thing
that
I
want
we're
trying
to
I
think
drive
here.
E
Is
it's
more
about
that
building
of
the
artifact
and
the
thing
that
has
helped
me
a
lot
lately
in
some
of
the
conversations
we've
had
and
I
would
love
to
kind
of
get
some
feedback
on
this
is
we?
You
know
I've
been
sort
of
tell
when
I
talk
to
folks,
who
don't
understand
like
why,
like,
for
example,
why
is
salsa
doing?
Why
is
salsa
so
focused
on
the
build
right
now?
Why
are
they
not
focused
on
this?
That
and
the
other
thing,
and
it's
like
well?
E
No,
no
we
do
plan
to
the
problem
is
the
build,
is
the
piece
that
takes
a
bunch
of
untrusted
input
like
source
code
and
and
dependencies
and
then
packages
it
all
up
right.
You
know
whether
it's
compiles
builds
whatever
and
then
pushes
all
of
that
out
as
a
packaged.
Artifact
that
is
supposed
to
be
privileged
in
some
way
is
intended
to
run
in
other
environments.
E
D
It
reminds
me
of
the
the
incrementally
adopting
six
star
blog
of,
like
maybe
there's
something
similar
here
like
a
story
to
tell
in
terms
of
the
like
exactly
what
you
just
described.
It
like
you
don't
need
everything
to
be
inside
of
Fresca.
This
is
how
you
you
layer
it
together
and
Larry
is
a
weird
word
to
describe.
Well,
you
just
think
it's
not
really
hilarious
like
what
were
we
being
correct,
like
making
a
basket
or
something
you're
threading
these
different
things
through
in
different
directions,
foreign.
E
Believe
you
know,
I
don't
want
to
put
words
in
anybody's
mouth,
but
I
believe
that
some
of
the
folks
like
Brad
as
well,
are
not
you
know.
Fresca
is
not
as
big
high
of
a
priority
anymore
and
so
so
that
that's
just
something
else
that
we
just
need
to
kind
of
as
we're
kind
of
going
through,
which
is
also
one
of
the
other
reasons
why
we
want.
Obviously
more
contributors
is
not
that
like
hey,
we
don't
view
this
as
being
valuable.
E
It's
just
that
also
the
folks
who
still
do
find
it
valuable.
It's
just
hey
other
things
have
come
up
and
we
need
to
focus
a
little
bit
on
some
of
these
other
things
and
we
don't
want
to
just
sort
of
abandon
Fresca.
If
we
don't
have
to
we,
we
want
to
kind
of
see
who
else
in
the
community
could
help
out
there.
D
Yeah
I
threw
one
other
question
in
there
of
like
what
would
success.
Look
like
you
know,
as
as
we're
thinking
about
the
the
goals
and
the
direction
we
wanted
to
go
like
what
what
value
do
we
want
open,
ssf,
end
users
to
receive
from
the
project
such
that
that
it's
it's
worth
taking
the
time
to
continue
contributing
to
it.
E
You
know
really
pushing
you
know
stuff
like
in
Toto
and
some
of
the
other
pieces
to
show
like
yep.
None
of
this
steps
were
broken
here.
We
can
show
that,
yes,
it
was
that,
like
the
this
scanning
step,
led
to
this
step,
led
to
this
step,
led
to
this
step
led
to
this
step
and
there's,
like
you
know,
pretty
rigorous
guarantees
cryptographically,
you
know
signed
across
the
across
each
of
those
things.
E
I
think
that
was
was
one
of
the
things
that
we
would
love
to
see
and
then
the
other
thing
is
just
you
know.
You
know
we
would
love
to
see,
I
think
two
other
things.
One
is
obviously
some
adoption
of
Fresca.
Among
you
know
some
folks
and
I
know
that
you
know
what
we've
seen
thus
far,
which
is
has
has
actually
been
some
successes.
We
have
seen
some
folks
say:
hey.