B
We chatted, IBM slash BoxBoat, right, acquired. I feel graced by your presence here. I'm wondering how many PRs you're opening up during the meeting.
A
Nothing currently. I'm, I'm poking at trust. The problem that I'm currently encountering is I'm working with OpenRewrite, and OpenRewrite doesn't have a good way of globally filtering, and the thing that I need to deal with is, I don't want to generate pull requests if the change is only going to be made against, I don't want to make a change if it's only getting made against tests. Right, you want to make it if it's only.
A
It was going to run against tests and production code, and so I'm trying to, I'm chewing on a problem with the Moderne team about trying to add a feature that lets you filter out, says: if this change is going to make a change to production code, you can also change tests, but if you're only going to change tests, don't change anything. Yep, yep, yeah, so yeah. Once we get that figured out, we can do more pull request generation.
C
My agenda item is only going to be a few minutes, just sort of, and actually it's, it's great that we have Jonathan on, because I might have some questions, because I, I don't know, Jonathan, what, what, how deep you are in, in the Sterling toolchain conversations, but that's been coming up a lot with regards to also FRSCA. Nope. Oh okay, no problem. I only know, I mean, I know that, actually I know some of the folks on this call. I know Jonathan Meadows is in some of those conversations.
C
Okay, we can probably get started here. Just as a reminder, this meeting is being recorded, it'll be uploaded to YouTube shortly after, and your participation in this meeting is an agreement to abide by the OpenSSF code of conduct. Before getting started with any agenda items, is there anybody new to the meeting who wants to introduce themselves?
E
Hi, I'm John from VMware. I've worked with many of the folks on this call in other supply chain related working groups, or things like that. There is a proliferation of them, so super interested to learn more about this and see if there's anywhere I can help out.
C
All right, so we can get into the, get into it. So the only agenda item for today was, so just as a reminder for some of the stuff that we're looking to, to get done for the, the upcoming year.
C
For, for folks who, who are new or who haven't attended the last couple of meetings, one of the things is, we want to kind of integrate that pipeline framework using CUE. I was supposed to have, actually, actually we got a shout out, I believe, was it last week? Is that right, Brad? Yeah.
C
I was supposed to have a, a meeting with, with, what's his name, Paul, right, that's his name. I was supposed to have a meeting with Paul on Monday, but I had a fever, so I couldn't, so I pushed it back to Friday, but he could be having a meeting with him to see if there are some ways we can kind of collaborate a little bit. There's definitely areas we need to.
C
You know, there's, I'm not an expert in CUE, and we would love to kind of like see if they can help us out a little bit with, with some of that. So that's one of the big things. Another big thing is just, which is, a lot of this comes from the last meeting, is stuff like the release, you know, what it, what even is a release of FRSCA look like? You know, are we talking about a Helm chart? Are we talking about some other sort of releasable thing?
C
Are we talking about, you know, a self-deployable set of VMs? I don't know, like what, what would it, something like a release of FRSCA look like? So just as a reminder, those are some things that we're still trying to kind of figure out. We'll probably, you know, I don't know. I know a lot of folks here.
C
I have a lot of other priorities, so like some of these features are maybe not the number one thing, so just, but I know those are some things we're trying to kind of figure out, and that's why I'm gonna reach out to the CUE folks. Internally at Kusari, we're working on some potentially deployable things, and, and if it makes sense we're going to, definitely going to open source it. We're working on a few things on that front, and then, cool.
C
So, so that's that. So the only thing, and this is just from my end, just some follow-ups from Cloud Native Security Con. So I was at the OpenSSF booth for a few hours talking to folks about stuff like SLSA, about stuff like, you know, some of the, some of the various projects that we're working on the OpenSSF, as well as FRSCA, and so there was some interesting things there.
C
So, just as a reminder, right, like, you know, I don't want to say that, that, that, that FRSCA is dead by any means. But obviously there is a lot of concern from folks about, like, hey, how do I adopt FRSCA when I could just adopt something, let's say GitHub Actions, or, or how would I move off of a Jenkins?
C
There seemed to be increasing interest from folks around that, like, quote-unquote Easy Button. You know, a lot of folks are like, hey, yeah, I have a Jenkins, but thinking about how I have that Jenkins run a secure build, you know, develop, you know, integrate with, let's say, Scorecard, integrate with SLSA, integrate with generating an SBOM, integrate with various, like, SCA scans or whatever, is, is a nightmare, managing it at a much larger scale, and so there was interesting, there was some interest at potentially something like.
C
If, you know, Jenkins could trigger FRSCA, where FRSCA just does the secure pieces of the build, there seemed to be some interest there, or the same thing from the GitHub side, like if GitHub could trigger the secure side of the build via something like FRSCA. I, once again, I don't know.
C
The governing board voted on a new direction of the OpenSSF for 2023, and that direction included this idea of trying to have an end-to-end toolchain from, let's say, development through to production, a set of tools configured in a particular way that you think could, you know, secure the SDLC, secure the supply chain, secure, you know, general, whatever, like just secure, I take, right.
C
I recognize that that's, that's a very, very large ask, but there's definitely areas where I can imagine, if somebody were to come in and say, well, we use VS Code plus these plugins configured these ways and we think it's pretty reasonable.
C
It's not necessarily something that could be used out of the box per se, but maybe gets folks much, much closer there, which seems to be a, a big open question, because a lot of folks really are not familiar with a lot of, you know, organizations are really struggling to kind of have that secure, general SDLC flow. Even if it's not perfect, you know, even just, so some of the basics of, like, hey.
C
How do we prevent developers from just downloading random malware off the internet, right, that sort of thing, and, and in ways that are not like lock everything down and then nobody gets anything done.
C
I think that's kind of the balance that folks are trying to kind of make, and then also, you know, some of the stuff that we're seeing already in the open source space is, we are starting to see.
C
I saw a couple of projects, I can't remember any of them off the top of my head, that are trying to do, like, open source SCA, whereas before we mostly saw only closed source, and so there's some folks that do seem interested in just at least showing that, as, you know, what we're calling, not, not a, once again, it's like a demonstrative example. It's not intended to be the only example. It's not intended to be also just purely the, you know, like, it's supposed to be something that, hey.
C
So there was some, before actually I move any further, any questions on that? And once again, this is my understanding of this. I know this is very, very early. I know there's some conversations between folks like Brian Behlendorf and, and Jonathan Meadows and, and, and some of the folks in the TAC and.
C
Okay, if there's no questions on that, what are the things that Brian had brought up at Cloud Native Security Con is, he thought that, in the very least, what the approach that FRSCA has taken, right, which is FRSCA, you know, is not just some Go code or something like that. It's not just a tool we wrote ourselves. It's, we took a bunch of different open source tools off the shelf and then developed a bunch of configuration to help tie it all together.
C
Now, great, like some of this glue code is, you know, not exactly the most, it's brittle, right, you know, it's, it's not the, it's not the most, anyway. He had brought up that he thought that that was a pretty reasonable, like, approach to the problem, and he might look at something like FRSCA, at least the approach that FRSCA has taken, as a similar approach for something like the Sterling toolchain, and, you know, how do we go and sort of say.
C
Like, the, you know, the, at least in my opinion, I think the key piece here for something like this early toolchain is not necessarily what tools we're using per se. It's the glue code that ties all the things together to make it easy to use, right, because, you know, today I, you know, we can all say, like, okay, yeah, you should be using VS Code, these plugins, you should be using.
C
You know, Sigstore, and, and be signing in these ways, and you should be, you know, you should have an admission controller that checks for these things, yeah, yeah, but like actually tying it all together, so that you don't constantly go, wait a second, why is it not working, or, or why, why did this admission, you know, policy fail? I thought I was using the right key, or whatever. Making sure that all those things are tied together.
C
Well is really the hard part. The thing that I had brought up to, to Brian, which is, I think one of the big challenges within our group here is that using, writing the glue code, and writing, whether that glue code is stuff like CUE or whether it is, like, we write some Go code to help tie it together.
C
Writing that glue code is not the, the cool thing, right, like most, most devs, when they kind of look at, like, what they want to work on from an open source perspective, they're not thinking, like, yeah, I want to write a bunch of glue code to integrate a bunch of tools I didn't write together. They're mostly thinking about, hey, I want to, I want to work on Sigstore because I want to work on the, the future of signing, I want to work on.
C
You know, I want to work on, you know, this admission controller because it's like I'm protecting, you know, Kubernetes, I want to work on this, this and this, whereas some of these other things, like, for example, FRSCA is like, hey, if it was a, its own CI tool written in Go, Rust, Python, whatever, people might be a little bit more interested, but given that it's its own little thing and it's like.
C
Oh sorry, it's, it's all like a set of things combined together and it's all tied together with glue code, and it's like that sort of thing, I, I, which I totally get, is not the most, for a lot of folks is not necessarily the most interesting thing.
F
A lot of time on building FRSCA. I mean, I agree in the sense that I don't find it, not that I don't find it not interesting. I mean, I do a lot of integration in my career, but yeah, I would agree that before four more senior devs.
E
I, I do think there are some genre of people that, that really enjoy this stuff, though. If you were to take this and present at, like, a, maybe like a DevOpsDays or something instead of a cloud native something, like, you might have a ton of people that were super excited to get involved, and that's one of the difficulties with the cloud native community, is it's, it is heavily biased towards building, you know, people who build new stuff, and they're less interested in, like, to me this.
E
This work is super important, though, because it's like, no matter how cool a Sigstore is, if you can't use it, if it doesn't integrate with all the other stuff out there, it is still, it's worthless, and so I, I think a lot of us represent companies or interests of, like, people want to use everything, like, no matter what tool or integration we build, we'll go and, and take it to a customer, and they will say, well, here's this other thing you've never heard of before.
E
How does this fit in and how does this plug in? So I, I don't know, maybe we're all here because we're interested, but.
F
I think if we approach, like, the folks working more on, like, an infrastructure side, maybe, I mean, that's more, you know, close to what, what the expertise are, right, like say, a cluster admin, I mean, they're gonna work on, like, install various controller for various reasons, like, you know, storage, load balancer, scaler, although scale, you know, that kind of thing, and, you know, deploying, like, the, like a controller, and, you know, tying all these, like, secret management system together for, like, a secure build system, I think maybe closer.
C
Yeah, yeah, that, that makes sense, that I, I actually hadn't considered that, and I think that you, you brought up a good point there, John, about, hey, maybe bringing in a different audience into the conversation might help out as well, because once again, I, my background is in that DevOps space, and so for me, I find this interesting. I find it challenging, and I find that some of the elements of, of it are, can be a bit frustrating, like, for example, creating a, a generic enough interface into something like FRSCA.
C
That most folks can just use, it is, is an interesting challenge that often gets very frustrating because of the way that Kubernetes and, and, and a lot of those, those components work, but, but I think you bring up a, a very good point there, and it's probably worthwhile to reach out to some of those folks and, and see if we can show off some of this stuff, because I, I do think one of the other things that was brought up at Cloud Native Security
C
Con was, a few folks reached out to me and they're just like, oh, you're doing stuff with, you know, FRSCA and advice, but they asked me what FRSCA was, and I said, oh well, FRSCA is stuff like, it's cert-manager and it's, you know, Tekton and Tekton Chains and, and it's SPIFFE/SPIRE that are integrated in together and yeah, yeah, and they said, oh yeah, like that takes forever to set up, and I said, oh well, we actually have it pretty.
C
Well, you know, at least with some of the stuff that we're building, and plus, you know, obviously, the Makefile, like at least from a dev perspective, it's actually pretty trivial to get spun up. It's not perfect, but it's, it's pretty easy to get spun up, and they didn't believe me. They're like, it takes us so long to get.
C
You know, and I said, if you're talking about an existing environment, yes, integrating, like integrating, let's say, FRSCA with your existing SPIRE is probably a headache, but if you're using a SPIRE specifically for FRSCA, it's not that bad. If you're, you know, if you're using a whole new cert-manager and yeah, yeah, it's not that bad, but a lot of folks I think weren't actually all that convinced, because I think they, they are so used to the pain of trying to integrate all this stuff.
C
So I also wonder at some point if it doesn't make sense to have a little bit of that flashy demo that, you know, just to show, like, I, I get that with some of this, it's, it's not the easiest, because it's like it takes 15 minutes to set up. Maybe we show off a demo and fast forward up to where we can start using it, but showing that, like, hey, here is, you know, like here's the Makefile, or here's a Helm chart, or here's.
C
You know, some script that can automatically install everything, I think would be, would be useful.
C
So yeah, that, so I have a follow-up to reach out to the DevOpsDays folks, see if they would be interested in some of the stuff that we're doing with FRSCA. One of the other follow-ups, which I'm still trying to figure out more from, from the TAC, is what, what is the status of the Sterling toolchain and what, where are those conversations going to start to happen? So how can we be, like this, you know, the folks who are contributors and maintainers of FRSCA, how can they.
C
How can we get a bit more involved and, and see what we can, we can do on that front, because I, you know, once again, like, I don't, like, you know, I don't want this to die in the vine if possible, and then to be clear, it could just be, end up being like, hey, this is a reasonable example and, and that's all it is, or it could be something that's a bit more.
C
You know, a bit more impactful to certain folks, and I'd be interested in kind of figuring some of that out. Once again, I think a lot of the feedback.
C
I've gotten from folks at places like CNSCon were that moving off, like, if it's a greenfield environment, and a few folks had reached out to me about greenfield environments, and they said, yeah, if it's a greenfield environment, for us is great, right, because I get to just start using something new and I can use this. If I already have 10,000 builds in Jenkins, how do I move off of those 10,000 builds?
C
The thing that I found interesting, though, is in those conversations with folks, and these are folks mostly in very, very large banks like Citi, but this is, these are folks what other banks, as well as very, folks who work at very, very large organizations, some of them with three letters, and the folks who were there were also saying that for them, you know, they have a big.
C
They have a big issue, which is also one of the common issues that FRSCA is trying to solve, which is, they have, let's say, a Jenkins, that Jenkins has 10,000 or several thousand jobs that are all manually configured in some way, even if they are, like, Jenkinsfiles, they're 10,000 Jenkinsfiles, and anytime they have to go and say, okay, well, we have this new security scan that needs to be integrated, great, now we need to change 10,000 Jenkinsfiles, whereas FRSCA, right, is one of the things that's trying to say.
C
This is what is not allowed, and here is a security scan that needs to be run across all jobs, or here's all, a security scan that needs to be run across all jobs that are tagged with Go or pipeline or Python, or that are tagged with, you know, sensitive, or whatever. I think those sorts of things are, are things that are, are still valuable, and I wonder if there are areas that we can still help enable those folks, or, you know, once again, I don't want us to get into the, the job of saying, hey, here's how you would move off of a Jenkins or whatever. I
C
Don't want to do that, but I do think that there might be some value there where it might be like, hey, we can't, let's say, help you out in all those places, but we can help you out with the secure piece, right, where, when you run your secure Jenkins step of, like, I want to build, generate an SBOM, generate SLSA, you know, yeah, yeah, great, we, we, you know, it calls out to something like a FRSCA. Maybe that's valuable.
C
Maybe it's not, but I think it's worthwhile to reach out to a few folks, and I was gonna reach out to a few, the folks from the CNSCon and see if they wanted to maybe join one of these meetings and kind of talk through some of their use cases and, and we can kind of go through.
C
Okay, so that's that, and before getting to the KubeCon EU Security Village, one quick thing, because I forgot, I was talking to one of the SPIRE maintainers who is working right now on doing, so, the work that, that Parth and, and Brendan Lum worked on for now over a year, trying to get some of that stuff migrate, integrated into, getting SPIRE integrated into Chains.
C
There's some work that's actually been done from the other way, so to have SPIRE, sorry, sorry, so I should say to have Chains integrate with SPIRE, so that Chains can actually, you know, attest a SPIRE and pull stuff out of, you know, you know what I mean, the, there's.
C
Some, one of the maintainers, Daniel, over at CNSCon was talking about how they've been working on some stuff from the other way around, of having SPIRE be able to provide credentials for Chains to use, as, I believe that was the, the case, but to, to just sort of do it the other way around, anyway.
C
That seemed interesting, and, and they wanted to also maybe, once we have a better sort of thing there, like maybe in the fall or whatever, give a demo at, at KubeCon, showing off sort of integration, the two-way integration between Chains and SPIRE and SPIRE into Chains, so that we could use the secrets coming from the, the short-lived secrets coming from SPIRE, and then also show it the other way around, to show that Chains can sort of say, hey, I noticed that this build got compromised, yeah, yeah.
D
So wait, maybe I don't understand, like, how does that, what does that mean, other way around? Like, I
D
Think some of the work that, you know, bmh did also, like, in terms of getting it, so it does get credentials so that it can't authenticate into, like, let's say, Vault or something.
C
Was different, I believe. This is to give SPIRE, to give, I, I don't remember if it was with something like a, a trusted timestamping service or what, but there was a way to sort of integrate the other way around. I, I'll have to, I'll have to ping David, it, and, sorry, Daniel, and, and have him maybe talk a little bit about what they've been working on.
B
Have to ask Dave. Yeah, I think the other way you could, the other way you could take this, you could take SPIRE with its OIDC topology in there and use that with something like the Sigstore design, where Sigstore authenticates, you've got this SPIRE identity and uses that for pushing stuff up to Fulcio and all that, yeah.
C
Yeah, I mean, I think either way, I'll ask Daniel, because he's been working on some cool stuff, a SPIRE, I'll, I'll ask him what that, actually, what that means, because once again, I'm not a SPIRE expert, so I, I might be misrepresenting what he, he told me and I don't want to do that. Cool. So next up on the agenda is the KubeCon EU Security Village.
E
Yeah, so I put this on there. I don't know if anybody here is involved in that or not, I don't know if you are, but the idea, rather than having a co-located security day at KubeCon, is going to be this Security Village throughout the entire length of the, the conference, and have a dedicated space because of the size of the convention center, which is awesome.
E
I, I was thinking that having some sort of, like, hands-on lab that would deal with FRSCA would be super interesting to folks who are there. It's something that we could, you know, from the sound of it, mostly just run on people's laptops when they show up and be able to kind of walk through it. I think it would be a great way to get some user feedback about this as well, of like a little bit, like, deeper conversations of what about this works for you, what about
E
It doesn't work for you, and that could easily feed into something like the Sterling toolchain or something else. I'm also selfishly looking for a way to, like, to fund and justify my own trip there. So I'm, I'm very interested in, and, you know, what we could do to, to help out. Another, TAG Security folks are, are heavily involved in that, so.
C
Yeah, I could provide a little input there, and once again, this is where I, I've been pushing on OpenSSF and CNCF and, and the related orgs to, to be a bit more cooperative. The volunteers obviously are, I just know that I, I always find it funny that, like, oh, OpenSSF has to pay for its own way to, to, to, to KubeCon and, and stuff like that.
C
So I know that, so there's a couple of follow-up talks, I believe either later today or tomorrow, I'll have to check my schedule, on some of the village stuff. So right now the Village, we have, TAG Security has a reasonable amount of space in a big hallway between two major areas.
C
I'm not sure if folks are familiar with that, that space, but pretty much the space is kind of really spread out. It's almost like a college campus a little bit, that's how, like, the, the conference center is set up, and so we're in a large, heavily trafficked area, and so there's a couple things. One is, TAG Security will have, you know, their own track that they get to put on as they see fit. So that would be stuff mostly related to things like, you know.
C
The Secure Software Factory reference architecture, which of course FRSCA is a, an implementation of, there is a, you know, stuff like the, the white paper and all that good stuff, and so then there is also going to be, like, a whole bunch of booths that they're setting up in a village similar to something like DEF CON, or was it DEF CON or Black Hat, one of the.
C
Whichever is the one that, with the villages, they're gonna have stuff set up like that, and the idea here would be that TAG Security can put on stuff like, you know, larger scale things. So this is stuff like, you know, hey, come join us as we hack into Kubernetes, or come join us as we show, you know, like a hands-on demo of, like, preventing, you know, attacks using an admission controller or, or, you know, those sorts of things, and so that's an area where something like FRSCA could come in, right.
C
I think that kind of probably makes a lot of sense. That's something I could probably bring up to that, to the group, to sort of say, hey, we're doing this stuff with the Secure Software Factory. If we're already going to be talking about that, it'd be great to be able to say, hey, there's, there's, it's not under the CNCF, but it's under the LF umbrella.
C
This thing called FRSCA, would folks want to actually see how this works and, and, and how it's important and what sorts of things it does in a very hands-on way, and also, you know, something that, you know, based on what we currently have now with the Makefile and everything else, people can get this up and running on their local laptops, as long as they have enough memory, within, you know, like 10 minutes or so, right, which, which could be really cool. Yeah, thanks for the suggestion there, yeah.
E
And I, I don't know if the Security Village conversations already have enough folks or not, but I'm happy to join those calls if, if I can help.
C
Sure, I'll ask. I guess I, I would just say feel free to go into TAG Security and just ask and say, hey, I hear there's a bunch of stuff with, you know, I hear there's a bunch of stuff with this, whatever, like it, or, you know, are folks interested in, in, you know, more folk, you know, whatever, anyway, sorry.
C
Yeah, that's a good suggestion. Also, as a reminder, so Open Source Summit, this call for papers is closed, but I believe soon OpenSSF Days call for papers is going to open up. They just need to get the TAC to, to agree on something, I don't know what, but they, they need to get the TAC to agree on something, and then once they do, it'll, that, that should go live, anyway.
C
Yeah, if there's nothing else, does anybody else have any other agenda items, anything else they wanted to bring up?
C
Yeah, if there's nothing else, then I'll see you all in two weeks.