A
Hey everybody, give me one second to.

A
Feel free to put your name in attendance in the meeting notes, here.
D
Also, just as a reminder, we don't really still have much of an agenda. I think there's still a lot of discussion about, like, hey, where does FRSCA fit into some of the different initiatives that are coming out of OpenSSF, out of the Supply Chain Integrity Working Group. Oh, is that not the right link?
D
We can get started, so just as a reminder: this meeting is being recorded, it'll be uploaded to YouTube shortly after, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct. Cool. So there's not really much of... oh, so I saw this one piece of the agenda, and we can get into a few other things after. So there is a pull request.
D
Let's see! Oh yes, this is the switching to Policy Controller. Yeah, so I'm okay with, or sorry, I want to hand it over to you, Brandon, to explain a little bit about the problem while you're looking at it, and so on.
B
I figured since this was a double extra large PR, I should probably at least take a couple of minutes to give a quick rundown. Yeah, the big challenge I ran into with Kyverno a while back was that trying to do a kubectl apply with that no longer works, and they just, I think the size, their annotations grew a little too large. So it just doesn't work for that. I don't know what the process is to do an update. I know what the process is to deploy, which is:
B
Do a kubectl create. That'll work, but I don't think they've got documented, if you had an existing version of Kyverno installed, the right way you do it other than to delete and reinstall, which I'm not a big fan of for something that's enforcing your security. So the PR out there is switching to Policy Controller, that's under the Sigstore project, and since we're using cosign for it, it kind of felt like it made sense to use the same Sigstore project to sign and to verify the signatures.
C
So I haven't looked at the PR so far, I apologize if there's a stupid question, but does it also do what Kyverno is doing in terms of, you know, I think it could inspect attestations, right?
C
Okay, and I think Kyverno had the actual ability to parse through the actual attestation, right, to see if it contains specific fields and everything. Not sure if that's...
D
So I also wonder, because I know we had sort of discussed this sort of thing in the past, and I think when it comes to the policy stuff, that's probably one of the things that's most easily pluggable, potentially. I mean, I think that obviously comes with its own can of worms, plugging any of this sort of stuff, because you still have to, you know, go to the different...
D
Let's say languages, whatever. But I would also be curious just to kind of know, does it make sense for us, given that the folks on this call have a reasonable relationship with the Kyverno maintainers, just to kind of say, like, hey, look.
D
That's maybe a bit simpler, especially given that we're trying to make this whole thing as simple as humanly possible, but at least highlight to them, like, hey, here's an issue and we're not sure how other folks who are using this... I doubt that, at least long term, it's going to be sustainable to delete everything, including, you know, any security rules and whatever, and then say okay, we're going to redeploy everything every time we do an upgrade of the actual admission controller.
B
Yeah, they've got their install instructions and they have this called out for various things. So it seems like it's just part of their design; they're expecting everybody to go through that, and it's not necessarily the late part. But if you're installing with certain tools they have to set certain flags so it does create rather than apply, and I think it's just part of their design right now, yeah.
D
I know that there is a way using kubectl, right, where you can do the sort of in-place thing where you're not actually keeping track of the other, so the annotations don't actually get that large. It comes with its own set of trade-offs, right, where it's like what you're doing as opposed to a server-side apply or something like that.
B
And we can also change it to be the default, but we could also make it just an option. Let people pick which admission controller they want to use.

D
Yeah, yeah, obviously that complicates stuff for us if we build.
D
I mean, with that said, I think it's worthwhile, as we try to bring on more maintainers as well, just to kind of see what folks are, you know, because a lot of folks have also said, hey, why are you not using OPA? And, you know, hey, we actually tried to use OPA and there were some issues we ran into, like, to be clear:
D
There's certain things that work, certain things that didn't work, and so we were like, hey, Kyverno is just kind of the simpler option to start off with. So I think there's a lot of different ways for us to go with this. I'd just be interested in seeing what use cases there might be, and just sort of saying, hey, we're willing to go with whatever direction the users want, including multiple options.

D
We just also need to understand what those use cases are, as well as who is willing to actually help out here in implementing and maintaining it.
D
I think it's still worthwhile to also reach out to the Kyverno folks, just to say, hey, we're running into some issues. We're looking at a couple of different options, would love to chat through some of that.
D
A few of us are in the SLSA positioning group? This is... the SLSA positioning group is starting to try and write up some blog articles, as well as they've submitted some talks, or we've... I'm

D
also part of that group, but we've submitted some talks and so on. And one of the things that was brought up was maybe increased collaboration between FRSCA, SLSA and S2C2F, to sort of show what that full loop could look like. For folks who are not familiar with SLSA and S2C2F: SLSA is sort of a production-side attestation, right, saying, you know, we don't believe the build has been tampered.
D
So it's a provenance kind of attestation, and that's what FRSCA is trying to do. FRSCA is trying to say, hey, based on everything we see, we believe that the source code led to this artifact and we believe nothing's been tampered. Not that you didn't pull in a bad dependency per se, but that if you did pull in a bad dependency and you ran a scan, we actually believe that you ran a scan that included that, you know, bad dependency.
D
You know, scanning that bad dependency or whatever, as opposed to what we saw in a couple of CI compromises where it's like, actually, you didn't scan any of the right things. The scanner was pointed to something completely different, and it built something behind the scenes and deployed something that is different from what you actually thought you built and got the logs for, and so on, which is kind of more

D
what we saw with the SolarWinds attacks, where dependencies were swapped out right as the build process was happening. So that's on the production side. And then the idea would be, as S2C2F is being fleshed out as well, S2C2F is supposed to be more on the consumption side: what sorts of things can you do to protect when you're consuming software. So the consuming software might be, hey,
D
make sure that you are looking at these sorts of things, and so on. And so that's something that potentially FRSCA could also fit in, from when we are looking at pulling in source code and dependencies, so that we can say, hey, let's follow the S2C2F practices. That might be something like, ensure that all dependencies have SLSA attestations, or ensure that all dependencies have SBOMs, and so on and so forth, and then we can have FRSCA sort of implement those rules on the actual consumption side from the pipelines we build. And yeah.
D
So there's some discussion. So there's going to be some talks, some blog articles; just want to give folks a heads up. Also, for folks who... I know we all have way too many meetings, but if folks are interested, there is the S2C2F meeting, which I believe, Jay, is it every week or every other week?
E
S2C2F I believe is every week now, and I know we're thinking about moving to every other week. You know what, don't quote me on that. Give me one second, give me one second. I think it might be every other week. I know we had it every week and then I think we may have moved to Terraria. Give me one second.
D
Cool, and I just saw, at least, so I'm on Eastern time, so it's 3 P.M. Eastern Time on Tuesdays every other week, so it would be, for example, the 28th is one of those. And so there's some interesting work happening on that end around sort of best practices, and not just best practices but how practices were sort of like ingesting dependencies.
D
You know, the consumption of supply chain side, some of it focused obviously on runtime and that sort of thing, some of it also potentially could include other things like, you know, hey, when you're looking at actually ingesting software from the build side, what should that look like, and how can you protect against, you know, obviously downloading something from, like, malware.com or something like that.

D
I think encoding that into something like FRSCA would be potentially useful, or allowing folks to encode that easily in FRSCA would be useful, so that folks have that ability to not just secure the provenance of the build but also make sure that they're not ingesting something silly. All right, cool.
D
So that's some stuff that's going to be coming up. Trying to think what else there is. So next week... this week's meeting for the CNCF's, rather, for the KubeCon Security Village got pushed to next week, but we're going to be talking about some stuff to figure out, like, hey, you know, cloud native security is quite large, can we just make sure that, you know, if we could...
D
Could we demo FRSCA in there? I think you were even talking about that, John, which I think would be a really cool thing: to sort of sit somebody down, have them run their build through something like FRSCA and show them, hey, here's how you can generate SLSA attestations when you can't use something simple

D
like a GitHub thing, where you do want to have some of those additional security [measures] when you run it internally, and you want to be able to do stuff like, you know, SPIFFE/SPIRE workload identities, and eBPF, and all that good stuff.
D
Oh, so if folks know people who are looking to sort of contribute to a project, and it's not like your average Go project or, you know, normal source-code project, something that's more like using Kubernetes, using languages like you, we're definitely looking for more folks to sort of contribute.
D
And the same thing goes for folks who are looking, who might know people who can come in with, let's say, their use cases, so that we can better understand: are we building something that nobody's going to use? Are we building something that actually, you know, folks have seemed interested in?
D
You know, at CNSCon there were, especially at larger enterprises that can't just use something like GitHub Actions, and they expect to have something like a framework by which they can, or sorry, a set of standards and best practices and that sort of thing by which they sort of define their pipelines.

D
So, like the sort of thing where, you know, all Go pipelines must include this Veracode step or something like that, I don't know, and so they want to make sure that they can enforce that.
D
You know, folks seemed interested in that when it comes to FRSCA, because that sort of thing is not the easiest thing to sort of encode in a lot of the other CI tools, but a lot of folks obviously are still sort of using Jenkins and so on, and that sort of thing is not the easiest thing to move off of. So yeah, just kind of looking at also, you know.
D
Other folks have come to us with a couple of ideas around just saying, hey, does it make sense for FRSCA just to be the secure builder piece? As in, it's something that Jenkins, GitHub Actions and other things can call that just spins up a secure, isolated environment for running the build, and then once the build is done, you know, GitHub Actions or your Jenkins can do the other things like integration tests and yada yada, and so it would just be an API call to a separate system.

D
Some folks have just talked about that, but I think we're definitely looking for other folks to come in and provide their use cases. Okay.
A
Yep, okay, we can end early. See you all in a couple of weeks.