►
B
A
A
C
A
C
C
Off
and
all
right,
what
I
should
say
here
is
is
want
folks
to
interrupt
me.
So
please,
as
I'm
going
through
if
they're
things
that
are
not
clear.
Ask
questions,
also
I'm
going
to
be
leaning
on
folks
who,
like
you
know,
are
not
familiar
with,
let's
say
Fresca,
who
maybe
want
to
understand
more
details,
and
we
can
kind
of
go
in
there
and
there's
a
lot
of
other
things
like
if
there
are
things
here
around.
You
know
diagrams
or
anything
like
that.
C
We
have
built
out
a
bunch
of
diagrams
over
the
the
the
past
year
or
so
that
we
that
we've
done
this,
so
there's
definitely
a
lot
there
that
we
can
include
either
in
this
thing
or
link
to
it
or
whatever.
So
so,
there's
a
lot
of
stuff
that
that
is,
there
I
think
the
the
problem
has
been
that
we
just
haven't
organized
it
in
a
way
to
make
it
easily
consumable
for
somebody
who
is,
let's
say
new
and
who
just
wants
to
understand
it
cool.
C
A
C
One
of
the
things
that
sort
of
came
up
was
you
know
when
I,
you
know,
I
know
that
a
lot
of
folks
have
been
re-prioritized
or
you
know,
they're.
Just
a
lot
of
us
are
not
as
able
to
sort
of
commit
as
much
time
to
Fresca
lately
and
because
of
that,
Fresca
is
sort
of
just
you
know.
I,
don't
want
to
say
it's
it's
completely
abandoned,
but
but
it's
it's.
C
You
know
we
definitely
need
more
folks
on
it
in
order
to
ensure
the
health
of
it,
and
we
want
to
make
sure
that
it's
it's
you
know
as
several
different.
You
know,
organizations
several
different.
You
know,
groups
of
folks
who
maybe
want
to
contribute,
can
definitely
help
out
and
and
so
on.
Yeah
John
yeah,
it's
it's
stalled,
yeah,
that's
actually
a
good
good
good
word.
It's
it's
been
stalled,
so
that's
kind
of
the
the
high
level
goal
for
what
this.
C
C
You
know
we
see
a
lot
of.
We
see
a
lot
of
presentations
with
Fresca.
Actually
in
the
presentation
you
know
there
was
there
was
there
was
a
couple
from
I
think
oh
wasp
had
one
with
Cyclone,
DX
and
and
Fresca
was
in
there.
There
was
a
few
that
had
you
know
Fresca
in
there
and
lots
of
different
places,
and
the
the
thing
here
is
is
how
can
we
get
those
folks
who
are
talking
about
Fresca?
Can
we
get
some
of
those
folks
actually
in
here,
maybe
with
hands
on
keyboard?
C
Cool
so
the
high
level
and
I'm
not
going
to
read
through
everything
but
I'll,
just
kind
of
give
you
the
high
level
stuff
and
feel
free
to
add
comments
and
and
read
through
the
draft
of
this
thing,
as
and
and
yeah
feel
free
to
add
notes
in
here
and
comments
and
whatever,
especially
folks
who,
who
are
not
super
familiar
with
Fresca.
If
anything
is
not
clear,
please
please
add
something
there.
C
So,
just
as
a
reminder
here,
like
you
know
like
for
for
folks
like
Fresca,
is
you
know
it's
for
us
like?
The
big
thing
is
the
build
piece
of
supply
chain
security
is
one
of
the
most
critical
pieces,
at
least
in
our
opinion
right.
The
folks
who
are
working
on
Fresca
and
the
reason
being
right
is
you
take
a
bunch
of
untrusted
source
code,
often
untrusted
dependencies
and
so
on.
C
Do
a
bunch
of
compilation,
building
yayada
and
then
you
have
an
artifact
at
the
end,
and
if
that
build
process
is
gets
compromised,
you
pull
in
bad
source
code.
You
pull
in
bad
dependencies.
The
build
process
itself
is
compromised
in
something
like
a
Sunburst,
solar,
wind
style
attack
or
whatever
you
end
up
with
potentially
malicious
software,
and
not
just
malicious
software,
but
you
end
up
with
a
potentially
a
system
like
a
build
system,
a
CI
system
that
is
producing
only
malicious
software.
So
every
time
you
run
a
new,
build
you're
deploying
something
new.
C
You
know
you,
it's
not
just
a
one-time
pay.
Somebody
got
into
our
Network,
it's
they're.
Now
in
our
Network
they
have
access
to
our
build
system
and
they're
they're.
You
know
just
using
that
to
to
generate
all
sorts
of
bad
stuff
anyway.
Okay,
so
that's
why
we
are
looking
at
something
like
Fresca
like
there's,
there's
a
there's,
a
problem
there
Fresca
was
also
inspired
by
the
cncf
secure
software
Factory
reference
architecture,
which
is
you
know,
and
for
disclosure.
C
I
was
one
of
the
leads
on
that
project
at
the
cncf,
and
so
that
was
an
architecture
for
how
would
you
secure
a
build
at
a
high
level?
And
then
Fresca
is
an
is
an
implementation
of
that
architecture?
And
it's
trying
to
do
things
like
follow.
You
know,
security.
You
know
best
practices
that
are
established
through
things
like
salsa,
and
you
know
trying
to
follow
that
architecture.
C
C
Oh
I
yeah,
so
some
of
this
still
needs
to
be,
but
anyway
the
the
so.
The
goal
here
is
to
sort
of
enable
Security
on
the
build,
and
then
we
plan
to
do
that
by
following
a
couple
of
principles
right,
we
want
to
follow
existing
framework
architecture
standards
and
breast
best
practices.
These
are
things
like
you
know:
s2c2f
salsa.
C
And
you
know,
we
also
want
to
leverage
existing
and
tools
and
components
before
writing
our
own,
like
a
key
piece
of
Fresca
here,
is
we're
not
we're
not
trying
to
create
a
complete.
You
know,
let's
say
CI
system.
You
know
where
something
like
tecton
or
Jenkins
or
GitHub
actions.
We
don't
want
to
rewrite
that
sort
of
thing
from
scratch.
We
want
to
leverage
stuff
like
tecton,
to
build
out
a
system
like
this
right.
We
don't
want
to
write
our
own.
C
We
think
that
a
lot
of
these
tools
that
already
exist
they
just
need
to
have
some
additional
wrappers
around
them,
some
additional
supporting
components,
and
then
we
also
want
to
make
sure
that
security
is
enforced
by
Design
as
opposed
to
opt-in.
One
of
the
big
things
you
know
you
see
in
a
lot
of
build
systems
is
yeah.
If
somebody
adds
all
these
steps,
it
makes
the
build
more
secure,
but
in
a
lot
of
ways
the
the
build
systems
allow
them
to
leave
that
out.
C
They
can
just
sort
of
delete
those
steps
and
unless
you're
auditing,
that's
just
you
know,
those
steps
don't
run
you're.
Potentially
you
know
leaving
stuff
out,
and
so
then
the
the
basic
idea
right
is
to
say.
Actually
this
system
enforces
the
running
of
some
of
those
security
steps.
You
don't
get
to
opt
out.
It's
secure
by
Design
John.
A
D
Automated
then
remoted,
so
it's
just
reading
through
the
doc
I'm,
not
I'm,
not
sure
when
the
best
time
is
to
jump
in
with
my
feedback,
so
I'm
just
going
to
jump
in
now,
yeah
go
ahead.
So
a
lot
of
this
to
me
reads
like
a
set
of
like
architecture,
design,
principles
of
Fresca,
and
it's
it's
describe
to
me.
It's.
It
feels
like
it's
more
describing
how
is
Fresca
than
than
like
a,
and
maybe
this
is
just
a
separate
section
for
like
why
is
Fresca
and
I
think
there.
D
D
You
know
especially
like
demonstrating
here's
how
you
could
do
salsa,
3
on-prem
or
something
like
that
like
it's,
it's
it's
one
thing
to
do:
salsa,
3,
with
a
GitHub
actions
workflow
and
the
salsa
verifier,
and
all
that
sort
of
stuff.
It's
in
it's
very
different
to
do
this
in
a
large
Enterprise
in
your
own
data,
centers
and-
and
so
I
think,
like
that
to
me,
is
more
of
the
the
questions
I
have
and
the
like.
D
The
if
I'm
interested
enough
in
the
why
I'll
dive
in
more
into
the
how
and
the
like
the
exactly
what
is
a
I,
don't
know
if
that
makes
sense
and
I
don't
know.
If
that,
like
would
be
helpful
in
and
bring
more
people
or
I
think
it
also
could
help
with
the
like
the
the
positioning
working
group
in
terms
of
like.
Can
we
position
this
relative
to
salsa
and
also
us
to
SCF
or
whatever?
The
other
thing
is,
but
yeah.
C
No
no,
this
is
this
is
great
because,
once
again,
like
those
of
us
who've
been
deep
in
Fresca
are
like
hey.
We
think
that
this
is
cool,
because
we
think
that
you
know
there's
now
a
secure,
build
system,
but
I
think
the
you
know
the
problem
that
we've
had
is
like
yeah,
but
what
does
the
rest
of
the
world
want
like,
even
though
you
know
obviously
some
of
this
stuff?
C
And-
and
we
saw
this
with
the
announcement
that,
when
you
know
City
sort
of
had
contributed
this
to
the
open
ssf
we
saw
stuff
like
you
know,
hey,
you
know,
City
found
this
to
be
valuable
because
you
know
they're
seeing
how
this
sort
of
you
know
they
wanted
to
show
how
this
sort
of
thing
works
and
so
on.
But
but
how
could
the
rest
of
the
world
see
that
this
is?
Is
valuable
and
I?
Think
it
just.
You
know
what
is
I
think
that's
where
we're
trying
to
kind
of
figure.
C
That
out
is
like
what
are
really
the
needs
here
for
folks
like
and,
and
it's
also
something
that
we're
trying
to
kind
of
dive
into
a
little
bit
right.
Is
we
keep
seeing
Fresca
show
up
in
things,
but
we
don't
know
why,
like?
Why
are
our
folks
like
so,
for
example,
right
there's,
a
lot
of
folks
from
the
salsa
side
who
are
like
hey
Fresca?
Is
we
think,
a
big
potential
component
here
like
okay?
Well
well?
Why?
C
D
D
They
can
learn
from
it
and
they
can
learn
from
this
like
this
is
as
close
to
a
real
world
example
without
like
someone
open
sourcing,
their
entire
Enterprise
in
a
set
of
like
infrastructure
and
cicd
pipelines,
which
is
never
going
to
happen
to
to
like
getting
a
a
look
behind
the
curtain
and
so
I
think
that's
like
another
great
selling
point
of
of
this,
and
it's
once
again
like
this
is
super
awkward
for
me.
I'm,
not
a
product
manager.
I!
Don't
normally
speak
like
these
like
this.
C
A
E
Yeah
so
I
guess
a
couple
of
things
right,
so
I
I
can
take
that
city
has
a
an
idea
of
Fresca
and
it's
Houston
and
relevance
and
and
the
organization
I
mean
I
I
get
that
part,
but
but
I
think
when
it
comes
to
understanding,
especially
from
a
supply
chain,
Integrity
working
group
thought
process
and
how
we're
positioning.
That's,
who
c2f,
salsa
and
Fresca
together
and
putting
Fresca
in
that
in
that
mode.
The
the
relevance
is
in
the
the
tooling
around
securing
the
build
pipeline.
Now,
that's
at
a
that.
E
That's
at
a
a
conceptual
level
from
from
the
the
yourself
and
the
other
and
the
other
folks
in
the
car,
from
kasari
from
where
Fresca
originates.
What
was
the
original
intents
on
a
design
and
development
of
Fresca
and
then
let's
lead
with
that
lead
with
lead
with
the
original
intent
and
and
of
course,
since
this
is
towards
finding
individuals
to
contribute
and
put
hands
on
keyboard.
E
Let's
follow
that
up
with
a
call
to
action,
I
mean
there's
got
to
I
I,
don't
want
to
see
this
further
stalled
or
abandoned,
or
anything
like
that.
But
there
needs
to
be
a
call
to
action,
that's
rooted
in
originally.
It
was
designed
for
these
things,
and
this
is
the
relevance
because
of
the
work
that
we're
doing
on
these
two
items
right.
So
if
we're
positioning
it
next
to
salsa
and
s2c2f,
and
we're
saying
that
these
Frameworks
are
Frameworks
that
we're
marching
into
the
future
with
this
is
going
to
Aid
those.
E
By
being
that
that
middle
piece
that
says
these
pipelines
can
be
secured
using
Fresca.
And
this
is
why
now
I'm
not
saying
that
there's
not
going
to
be
other
tools
that
get
developed
or
that
have
not
been
or
that
are
already
developed.
That
do
the
same
thing.
But
what
I'm
saying
is
if,
if
the,
if
this
is
the
anchor
to
those
two
Frameworks
that
we're
sitting
here,
marching
towards
legitimate
specification,
then
then
let's
do
that
and
let's
be
let
that
be.
The
stake
that
we're
driving
into
the
ground
I
mean
I.
E
E
If
it
is,
we
use
it
if
it's
not,
we
use
a
different
tool,
but
the
first
thought
should
be:
is
this
applicable,
but
that
can
only
happen
once
that
that
real
printing
together
occurs
and
then
by
and
then
by.
Then
you
get
the
people
with
the
Hands-On
keyboard,
they
come
and
say:
hey,
let's,
let's
go
in
and
let's
build
this
out
right
I
mean
that's,
that's
my
two
cents
on
it
anyways
trying
to
think
you
know,
building
up
inside
to
say,
hey!
C
Oh
yeah,
no,
that
was
super
useful
and
I
I.
Think
yeah
if
I
were
to
take
a
step
back
to
kind
of
talk
a
little
bit
of
where
Fresca
came
from
and
and
once
again
you
know
like
I
think
this
is
useful
because,
as
somebody
who's
been
so
deep
in
Fresca,
it's
like
I
forget
that
not
everybody
understands
where
it
came
from,
and
then
also
that
helps
me
understand
like
what
was
yeah.
What
was
the
original
reason
why
we
created
it?
It's
funny.
C
C
If
you
start
to
add
in
these
additional
pieces
right,
you
know,
if
you
add,
in
tecton,
plus
tecton
chains,
plus
key
Verno,
as
as
policy
management
plus,
you
know
some
of
these
other
pieces.
That
sort
of
thing
would
then
get
caught
right,
because
we're
actually
looking
at
you
know
is
this
thing
signed.
Is
this
thing
approved
for
use
and
then
you
start
to
see
stuff
like
wait
a
second.
C
This
hasn't
been
approved
for
use
and
stuff,
like
that,
so
that's
kind
of
where
that
originally
came
from
as
an
initial
demo
and
then
enough
people
at
that
that
conference
were
like
hey.
Is
that
an
actual
thing
that
we
can
use
and
start
looking
at?
And
so
that's
kind
of
where
Fresca
came
out
of
that
was
a
bunch
of
people
started
asking
for
the
that
demo
code
started
asking
for
like?
B
Yeah
I
don't
mean
to
derail
you,
but
you
know
I,
think.
One
thing
that
seems
to
be
you
know,
source
of
confusion
to
me,
is
that
Tech
time
is
not
a
build
system
right,
it's
a
workflow
framework.
Essentially,
and
it's
it's
a
bit
like
what
you
know.
We
have
GitHub
actions
and
you
can
do
all
sorts
of
things
with
it,
and
so
you
know
you
need
to
go
an
extra
step
to
actually
build
a
build
system
with
it.
B
That
would
be
secure
and
you
know,
comply
with
with
salsa
I,
always
think
as
Fresca
as
some
kind
of
a
simple
implementation
of
salsa,
and
you
know
I'm
careful
not
to
say
a
reference
because,
at
least
for
me
reference
implementation
as
a
very
specific
meaning,
but
I
think
it
can
be
presented
as
a
sample
implementation.
This
is
an
example
of
how
you
can
Implement
salsa.
C
As
a
as
a
note
is
each
of
the
individual
components
are
designed
for
flexibility,
whereas
presca
is
designed
for
security
right
so
like
stuff,
like
kiverno,
tecton,
tecton
chains
and
so
on.
Are
each
designed
hey
because
there's
lots
of
different
use
cases.
Busca
is
designed
for
a
specific
use
case
which
is
secure
build.
C
We
want
to
provide
some
flexibility
within
that
use
case,
but
we
don't
want
to
say
Fresca
should
you
know,
whereas
tecton
can
be
used
for
all
sorts
of
different
things
and
key
Verno
right
kiverno
can
be
used
for
all
sorts
of
different
things.
We
don't
want
to
say
that
kiverno,
you
know
nobody's
going
to
say:
kuberno
is
designed
purely
for
enforcing
policy
on
the
build.
No
it's
enforced
for
policy
on
all
these
different
elements
in
kubernetes,
whereas
kiverno
inside
of
Fresca
is
intended
purely
for
the
build
and
I
I.
C
Think
I
like
that
I
I,
like
that
a
lot
as
well
as
just
that
sort
of
you
know.
Obviously
you
need
to
Workshop
it
a
little
bit,
but
that
sort
of
this
idea
of
that
you
know
all
these
different
things
we
have
are
designed
for
flexibility
on
their
own,
but
within
Fresca
it's
Fresca
itself
is
designed
for
security
and
that's
kind
of
where
yeah.
D
C
C
You
know
what
they
need
at
the
same
time,
the
more
flexibility,
the
more
areas
where
we're
not
getting
across
the
security
thing
that
we
want
to
get
across,
but
I
I
know.
That's
also
one
of
the
reasons
why
the
Sterling
tool
chain
there's
been
so
many
discussions
and
and
and
I
would
say
arguments
but
but
he
did
heated
debate
about
like
what
does
that
actually
mean
in
this
context,
so
I'm
interested
in
in
folks
thoughts
on
that.
D
C
C
The
idea
here
is
Fresca
comes
in
as
a
way
of
saying
you
have.
You
know
you
have
your
build
needs.
You
want
to
be
able
to
kind
of
come
in
and
you
want
to
layer
on.
You
want
to
layer
on
these
other
pieces
like
S2,
c2f
and
salsa
to
kind
of
say
now.
This
is
what
that
like.
This
is
what
the
the
example
of
that
thing
looks
like
I.
Think
this
sort
of
thing
is
is
something
that
is
yeah.
C
C
First
is
why
is
Fresca
right?
What
was
the
reasoning
behind
building
this
out
and
you
know,
and
then
the
second
piece
is,
you
know
what
is
Fresca
today
and
then
what
is
Prescott
tomorrow,
I
think
is,
is
kind
of
a
thing
that
we're
trying
to
get
out.
There
is
like
hey.
This
is
like
we
built
out
Fresca
to
do
this
stuff.
This
is
what
Fresca
has
become
today:
we're
looking
to
evolve
Fresca
over
time
into
whatever
folks
need
Brendan.
C
We
have
a
way
to
sort
of
enforce
that
are
these
things
compliant
with
s2c2f,
right
and
assuming
they
are
okay,
you're
allowed
to
now
build,
but
the
idea
would
be
that.
Actually
you
know
this
sort
of
stuff
is
not
compliant
with
the
organization's
policy
or
whatever
you're
not
allowed
to
build
now.
I
think
that
the
I
think
the
problem
here
with
some
of
that
is
is
that
interesting
work
for
a
contributor,
I,
don't
know.
C
Yeah,
so
that's
actually
a
thing
as
John
had
mentioned
like
yeah.
These
are
things
I,
think
that,
like
this
is
maybe
something
that
we
can
ask
others
to
to
help
out
with
is
like
developing
some
of
these
policies
and
just
hey
this
just
fits
in
right.
Do
you
have
a
policy
that
you
know
looks
for
openss,
scorecard
and
and
I
think
that
there's
going
to
be
a
set
of
folks,
I
think
this
is
the
thing
that
John
had
mentioned
as
well.
C
There's
going
to
be
a
set
of
folks
who
might
find
that
work
interesting
who
are
along
the
lines
of
like
devsecops,
devops
sorts
of
folks
and
then
you're
going
to
have
folks
who
are
going
to
say
I,
don't
want
to
do
that.
I
would
much
rather
I,
be
the
one
who
wants
to
let's
say,
write
up
the
CLI
tool
that
takes
those
policies
and
applies
them
or
whatever,
like
I,
want
to
write
that
like
and
I
I
think
that
might
be
something
at
the
same
time.
C
I
also
I
also
recognize
the
chance
that
a
lot
of
folks
are
like
this
is
why
the
McKenzies
of
the
world
get
paid.
All
this
money
to
do
the
you
know
and
I
know
not
just
you
know
McKenzie,
but,
like
all
the
the
consultancies
of
the
world,
get
paid
all
the
money
to
go
in
and
do
a
lot
of
that
like
glue
work
that
that
a
lot
of
other
folks
don't
want
to
do.
F
John
the
reason
I'll
just
finish
my
point
and
then
we'll
pass
over
John
the
the
reason
that
it
gets.
My
attention
is
that
the
typical
way
that
I
feel
like
I've
seen
these
set
up
when
you're
trying
to
do
some
kind
of
artifact
ingestion
is
that
you're
spinning
up
a
whole
artifactory
server.
That's
going
through
that,
there's
a
process
to
ingesting
data
into
that
Art,
Factory
server
and
then
you're
limiting
network
connectivity
from
your
build
server
to
only
talk
to
that
Art,
Factory
server
and
so
I'm.
D
I
do
think
that
there's,
like
maybe
there's
already
a
missing
piece
as
I
like
think
through
this,
this
three
Circles
of
like
the
fourth
circle
of
the
actual
application
you're
trying
to
put
through
this,
because
that
includes
the
dependencies,
the
code
that
you
write,
there's
a
draft
blog
article
for
salsa,
explaining
the
separation
of
like
source
and
build
and
I
think
about
that
when
I,
when
I
think
about
Fresca
as
well.
In
terms
of
like
no
matter
how
good
your
supply
chain
is
in
your
pipelines
and
everything
else
like.
D
C
Yeah
so
yeah
I
think
to
provide
a
little
bit
of
context
there,
also
on
the
build
versus
Source
stuff.
Given
that
I'm
the
one
who
also
wrote
that
as
well,
is
yeah
I
think
the
thing
is
into
I
think
it
also
maybe
addresses
a
little
bit
of
Brendan's.
Point
is:
maybe
the
focus
just
needs
to
be
on
that
interface
and
making
that
interface
really
clear.
C
So
the
idea
should
be
the
interface
is
like
kiverno
might
just
be,
like
hey
I'm,
expecting
everything
that
comes
in
like
like
I'm
gonna
pull
something
from
this
network
location,
but
in
order
to
ensure
that
it
is
S2,
c2f
compliant
I'm,
expecting
it
to
be
signed
with
this
key
or
something
like
that
or
I'm.
Expecting
this
metadata
to
come
along
with
all
the
artifacts,
because
once
again,
I
think
the
idea
here
is,
is
we
don't
want
to
have?
C
We
don't
want
to
have
where
it
doesn't
make
sense
Fresca
to,
in
addition,
take
on
all
this
extra
stuff,
but
you
want
to
essentially
in
the
zero
trust
sense.
Re-Verify
right,
like
you,
want
to
just
say:
hey
I'm,
expecting
this
thing
to
have
this
identity
and
if
I
try
to
pull
these
artifacts
down
and
all
of
a
sudden,
it
doesn't
have
those
identities
associated
with
it.
Then
we're
just
going
to
fail
the
build
and
just
sort
of
say:
hey,
look,
I'm
expecting
an
s2c2f
compliant
artifact
and
I'm.
C
Not
getting
that
and
that's
that's
just
it.
The
other
thing
I
think
which
is
just
if
Fresca
is
successful.
I
think
one
of
the
things
that
has
been
brought
up
by
a
few
folks
is
folks
have
said
not
necessarily
that
Fresca
itself
is
a
is
the
Sterling
tool
Chain
by
any
means,
but
they
could
see
something
like
Fresca
fitting
in
to
a
build
element
of
that
Sterling
tool
chain
right
where
you
might
say
a
Fresca
compliant
sorry,
a
S2,
c2f
compliant
artifact
server
is
one
piece.
C
C
F
I'm
kind
of
leaning
towards
the
ladder,
because,
when
I
think
of
the
former
trying
to
set
up
some
kind
of
interface
of
here's,
just
how
you
request
any
invest2,
c2f
compliant
artifact,
immediately
thinking
that
that
means
that
we're
going
to
have
some
kind
of
network
proxy
in
there.
And
you
say
all
the
requests
have
to
go
through
the
network
proxy
and
then
that
proxy
has
to
do
all
that
validation
for
the
Upstream
go
Library
the
Upstream
pip
Library,
the
Upstream
npm
library,
and
there
there
are
too
many
others.
F
It's
going
to
be
an
unlimited
process
that
you
get
into,
and
so
it
feels
a
whole
lot
better.
If
we
say
here's,
just
what
an
artifact
repository
looks
like
and
we
spin
up
the
secure,
build
server,
someone
else,
spins
up
the
secure
artifact
server
and
it's
up
to
the
end
user
to
make
sure
that
the
build
server
can
only
talk
to
the
artifact
server.
C
Also
externally,
like
you
know,
there's
there's
going
to
be
certain
elements
that
are
that
are
applicable
purely
to
the
build
but
like
once
again,
I
can
imagine
a
world
that
says
that
something
has
signed
off,
that
a
that
an
artifact
is
s2c2f
compliant
and
then
the
idea
would
be
that
Fresca
just
goes
and
says:
Fresca
has
been
told,
s2c2f
compliant
artifacts
are
signed
with
this
key.
Let's
just
keep
it
simple
for
now:
Okay
cool,
so
anytime
it
downloads
dependency.
C
It
should
be
validating
that
it's
been
signed
with
that
key
and
assuming
it
has
been,
then
we
assume
it's
s2c2f
compliant,
and
so
that
means
like
hey.
If
you
know
something
tries
to
and
and
I
know,
there's
like
you
know
once
again,
I
think
the
idea
here
is,
is
you
know
it?
It's
always
going
to
be
I,
think
a
combination
of
network
controls
and
then
what
happens?
If
you
know
DNS
has
been
messed
with
and
you're
now
pointing
to
something
else.
F
C
Oh
yeah
yeah,
so
so
so
once
again,
I
think
the
the
idea
here
is
not
to
necessarily
put
the
burden
on
Fresca
to
do
it
as
much
as
like
I
guess,
maybe
enable
it
right
like
the
idea
here
is
to
say:
if
you
have
s2c2f,
you
should
be
able
to
have
the
capability
to
well
yeah
I.
Actually
so
so
I
I
would
just
maybe
I
think
I
I
get
your
point.
C
I
think
maybe
table
that
for
now
and
say
hey
if
we
ever
get
to
that,
we
can
have
the
discussion
but
I
think
if
we
are
having
that
discussion,
we've
already
solved
a
million
other
problems
and
and
because
I
can
imagine
you
know
that
sort
of
thing
once
again
is
just
something
like
the
Sterling
tool
chain.
Right
where
you
know
Fresca
is,
is
perhaps
aware
of
hey
when
I
downloaded
depend
or
or
a
Fresca
step
right
like
a
Fresca,
build
step
could
be
aware.
C
Like
you
know,
this
is
the
the
the
secure
S2,
c2f,
compliant
or
s2c2f
aware
build
steps
so
up
for
Pep,
and
so
it
knows
when
I
download
it
takes
in.
Let's
say
you
know
an
identifier
for
where
you
know
what
sort
of
identity
should
be
signing
all
these
things
and
anyway,
I
don't
want
to
go
too
deep
into
the
rabbit
hole
there,
but
I
I
think
that
that's
that's!
That's
Still
Still
valuable!
There.
F
Yeah,
it's
I
I
realize
it's
a
huge
rabbit
hole
and
that's
where
I'm
trying
to
say,
let's,
let's
not
jump
into
that
rabbit
hole
just
yet
seeing
how
complicated
it
is
and
Jay
feel
free
to
jump
in
if
we're
over
conflating
some
of
the
challenges
here.
But
when
I
look
at
the
last
picture,
we
were
looking
at
I'm
thinking.
Fresco
might
not
be
in
the
middle
of
the
picture.
It
might
just
be
on
the
left
side
of
the
picture
and
that's
that's
all.
E
No
no
I
mean
like
like
first
of
all,
I
love,
I
love.
The
conversation
I
mean
I,
love
the
the
back
and
forth
and
I
love.
The
Forward
Thinking
thought
about
this
too,
and
and
I'm
getting
I,
get
to
learn
something
because
that
first
glance
of
Fresca
when
I
when
I
looked
into
Fresca
and
of
course,
I've
been
coming
to
memes,
but
when
I
went
on
to
the
to
the
to
the
website
and
I
really
read
into
it.
E
I
looked
at
this
as
being
sort
of
like
the
the
you
know
you
you
start
off
with
with
f2c2f
and
you're
in
and
you're,
injecting
and
you're
you're.
No,
you
got
the
dependency
management
and
you're
really
trying
to
verify
that.
You
know
the
place
where
you're
getting
stuff
from
is
is
a
good
place
and
you
you
know,
you're
going
through
all
those
steps.
You
know
I
mean
and
then
you
go
into
the
build
Pipeline
and
then
it's
about
securing
that
build
pipeline
in
such
a
way
that
it
does
those
checks.
E
It
says
upon
entering
the
bill
pipeline.
These
things
need
to
be
verified
all
the
way
throughout.
Until
the
end
of
that
build
pipeline,
where
you
get
into
the
salsa
territory,
where
it
might
do
an
additional
check
to
say
okay
now
that
you're
getting
ready
to
go
into
this,
are
these
things
ready
to
go
in
front
of
salsa
for
sausage
right,
so
that
that's
so
that
was
my
thought
upon
and
and
of
course,
using
that
as
an
automated
tool.
E
That
does
that
right,
you
got
to
build
those
parameters,
but
that
was
my
thought
about
Fresca
originally,
so
I
looked
at
that
as
going
from
end
to
end
in
the
bill.
Probably
that's
why
and
that's
why
I
originally
said:
look
if,
if
we're,
if
we're
we're
positioning
these
three
together
and
I'm,
looking
at
this
saying,
I
think
that's
phenomenal.
E
Let's
do
it,
but
let's
be
Concrete
in
that,
because
in
my
mind,
only
through
that
are
you
going
to
get
both
people
who
want
to
improve
upon
it
and
those
same
people
will
generally
become
the
adopters
right,
so
so
that
that
would
that
would
that
was
my
my
hell.
You
could
build
training
around
this
right,
so
you
can
build
a
training
environment
where
you
have
like
right
now.
We're
developing
training
for
us
to
c2f,
so
you
can
build
that
training.
E
On
that
end,
you
could
build
training
around
how
to
use
Fresca
to
do
those
checks.
You
could
build
training
around
how
to
do
those
checks
at
the
end,
you
could
build
training
around
how
to
then
conduct
you
know,
do
salsa
at
the
end.
Right
so
I
mean
like
that
was
that's
my
mindset
when
I
think
about
this
at
a
macro
level,
but
this
conversation
says
well.
Maybe
you
know.
E
Maybe
it
is
more
towards
the
front
until
we
and
I
say
maybe
towards
the
front
until
we
completely
develop
the
back,
because
we're
still
looking
at
it's
also
1.0
and
and
we're
still
looking
at
source
Integrity
in
salsa
as
well.
So
salsa
is
going
to
eventually
cover
Source
Integrity.
Well,
what
does
that
look
like
against
fresca
at
that
point
right
because
now
we're
back
to
the
left
side
again.
C
Yeah
yeah
that
that
definitely
makes
sense
so
I
think,
since
we
have
10
minutes,
left
I
think
the
the
question
I
have
is
just
what
do
you
think
since
I'm
I'm
gonna
lead
the
charge
on
this?
What
what
do
you
think
I
should
do?
What
do
folks
think
I
should
do
to
kind
of
do
this?
Do
they
think
that
I,
you
know,
should
I
rewrite
this
article
to
focus
a
little
bit
more
on
the?
Why
is
Fresca
what
like?
C
E
Well,
I
I
definitely
think
well.
I.
Definitely
think
that
this
we
we
think
about
what
we
want
to
do
here
and
then
we
bring
it
back
before
the
positioning
before
the
positioning
group.
So
positioning
group
can
help
write
this
stuff
out.
I
mean
like
I,
I
I
mean
I
I
use,
let's
use
all
the
features
right,
all
the
features
of
the
working
group
and
and
but
but
ultimately,
you
know
what
was
the
original
intent
and
then
what
is
our
thoughts
for
scale?
Where
are
our
scale
of
what
are
our
thoughts
on
scaling
right?
E
E
You
know
you
got
I
mean
I,
hate,
saying
hearts
and
minds,
but
you
got
to
get
into
the
hearts
and
minds,
but
that
can
only
be
done
through
those
that
that
are
passionate
about
s2c2f,
passionate
about
salsa
and,
of
course,
if
the
ultimate
vision
is
to
have
Fresca
as
that
third
piece
right
in
the
middle.
That
does
that
in
the
end
that
ties
it
all
together,
then
let
that
be
the
vision,
let
that
be
the
passion
and
then
let
those
that
are
on
both
sides
and
then
we
can
say
hey.
E
We
got
engineers
in
this
or
we
got
Engineers
now
or
come
in,
let's
put
our
hands
on
it
and
let's
build
out
these
things,
both
in
concept
and
design
for
what
it
is
and
then,
let's
think
about
what
it
can
be.
Let's
think
about
how
this
scale's
going
forward.
Let
that
imagination
run
wild,
but
that
could
only
happen
when
you're,
when
you're
tight-knit
on
on
an
original
intent,
which
is
which.
E
Saying
all
this
stuff
and
I
guess
in
my
mind
of
an
article,
that's
probably
something
I
would
want
to
read,
not
being
a
Hands-On
keyboard
person,
but
knows
a
lot
of
Hands-On
keyboard
people.
That
would
be
something
I
want
to
read
to
say
hey.
This
is
what
we're
trying
to
do.
You
think
you
want
to
come
in
and
and
put
your
hands
on
and
touch
it
a
little
bit.
E
You
know,
I
mean
and
and
they'll
be
more
willing
to
do
that,
based
on
an
intent
rather
than
me
saying,
hey,
there's
this
cool
thing
Fresca,
it's
supposed
to
be
real
good
for
supply
chain
security.
Maybe
we
ought
to
give
it
a
look.
No,
no!
No!
That's
not
just
be
very
exact
in
our
approach
and
and
I.
Think
that
that's
what
that's
what
my
mindset
is
saying.
F
F
I'd
I'd
love
to
use
a
perpetual
motion
machine
to
solve
the
world
energy
problems.
That
would
be
awesome
and
we
can
probably
get
a
whole
bunch
go
behind
that
solution
say
that's
a
great
thing
to
implement,
but
at
the
end
of
the
day,
if
you
can't
build
it,
then
it
doesn't
help
us
and
so
I
want
to
make
sure
that
what
we're
proposing
we
can
actually
create,
and
so
we
have
some
kind
of
rough
idea.
What
the
design
would
look
like
and
then
go
out
and
get
some
people
do
it.
C
Yeah
yeah,
that
makes
sense
and
I
think
the
you
know,
I
know
we
we
and
I
know
down
here
I
kind
of
had
some
of
the
stuff
that
I
think
it
was
what
was
sort
of
the
goal
like
a
bit
more
of
the
concrete.
What
what
are
what
is
Fresca
trying
to
do
and
to
kind
of
just
and
feel
free
to
read
through
some
of
it
down
there,
but
the
the
idea
of
right
was
to
be
an
implementation
of
the
secure
software
Factory
reference
architecture
which
like
to
be
clear
here.
C
It
just
means
hey
we
want
to.
We
want
to
secure
the
build.
We
want
to
be
able
to
run
a
secure,
build
where
we're
protected
against
classes
of
attacks,
and
you
know
I'm
not
going
to
go
too
deep
into
what
those
class
of
attacks
are.
But
basically
it's
like
you
want
to
protect
against
developers,
not
running
the
right
steps
like
if
you
should
be
running
an
Xbox.
C
If
you
should
be
generating
an
s-bomb,
it
automatically
generates
an
s
bomb,
and
if
you
try
to
work
around
that,
it
doesn't
work
right,
like
that's
the
sort
of
thing
there,
the
the
second
piece
being
hey,
you
want
to
protect
against
work
attacks
against
the
the
actual
orchestration
of
workloads
right.
You
know
this
is
stuff
like
Smithy
Spire
right,
where
you
want
to
make
sure
that
hey.
C
If,
if
a,
if
a
administrator
on
the
your
kubernetes
cluster
or
your
infrastructure,
tries
to
mess
with
the
builds,
it
should
get
caught
right
and
then
finally,
you
want
to
have
something
like
ebpf
style
stuff
to
essentially
make
sure
that
the
workloads
as
they're
running
are
they
doing
something
very
obviously
suspicious
right,
I
think
those
are
kind
of
the
three
high-level
practical
things
we
want
to
do
and
then
well,
how
do
we
achieve
that?
Well,
we
could
follow
salsa.
C
C
They
they
want
two
things
right:
they
want
the
flexibility
when
they
need
it
and
they
don't
want
to
do
the
thing
if
they
don't
have
to
right.
They
want
to
write
the
code.
If
you
tell
them
like
you
know,
one
of
the
problems
with
some
of
the
secure
build
stuff
is,
if
you
tell
a
developer,
oh,
you
need
to
generate
an
s-bomb
and
they're
like
how
do
I
do
that
now.
You're
telling
me
I
need
to
learn
this
new
tool
about
generating
s-bombs
and
that's
kind
of
I.
C
D
D
You're,
like
you're,
getting
very,
very
close
to
an
area
of
thought,
I've
been
having
lately,
which
is
the
like
the
unspoken
problem
with
supply
chain
security
is
it's
still
security
and
like
security,
never
gets
prioritized
and
never
gets
funded.
All
like
all
these
other
problems
that
the
rest
of
the
security
world
has
known
for
so
long
and
they
they've,
like
they've,
been
they've
gotten
through
the
hype
cycle
that
like
and
now
I
think
we're
starting
to
get
to
that
point.
D
At
the
same
time,
doing
everything
you
just
described
for
the
developers
without
them
having
to
think
about
it
can
deliver
a
whole
different
set
of
business
value
for
organizations
where
they
like.
They
need
to
understand
that
better
and
I've
been
trying
to
think
about
this
for
our
our
supply
chain
working
group
as
well
too,
of,
like
you
know,
can
you
get
to
production
faster
because
of
this?
Like?
Can
you
write
code
faster
iterate
on
your
Clips,
faster.
C
Oh
yeah,
yeah.
Sorry,
sorry,
the
thing
that
immediately
comes
to
mind
that
I
think
we
had
as
one
of
a
core
goal
or
as
a
secondary
goal
here
is
like
folks,
should
think
of
this,
like
libraries
and
Frameworks
in
the
software
sense.
Right,
like
you
know
you,
when
somebody
uses
react
right,
they
know
they
have
to
like
understand,
react
but
they're
not
going
in
and
having
to
understand
all
the
different
elements
of
the
Dom
react
handles
that
right.
C
React
is
handling
the
Dom,
the
the
actual
Dom
for
you
or
or
you
know,
whatever
you're
using
it's
like
hey,
it's
an
abstraction
here.
It's
handling
all
that
for
you
and
so
the
it's
the
same
thing.
When
a
developer
comes
in
and
says
I
don't
want
to
have
to
think
about
s-bomb
great
you
don't
we've
thought
about
s-bomb.
C
C
There
is
Fresca
itself,
which
is
a
suite
of
build
tools,
configured
to
operate
securely
right,
and
then
there
is
something
that
you
want
to
layer
on
top
of
Fresca
to
make
sure
that
what
is
actually
being
run
inside
of
Fresca
is
also
meets.
Those
security
needs
right.
Like
I,
anybody
can
generate
an
s-bomb.
C
The
problem
is:
can
you
generate
an
s-bomb
in
a
way
that
you
are
convinced
that
that
s-bomb,
you
know
like
if
I
generate
an
s-bomb
on
my
local
workstation
I
could
send
you
whatever
and-
and
you
know,
you'd
have
no
idea,
but
if
I
generate
an
s-bomb
in
a
secure,
build
system.
You're
like
great
I,
am
pretty
sure
in
the
very
least
that
that
s-bomb
hasn't
been
compromised
right,
that
that
s-bomb
wasn't
generated
by
something
malicious.
It
was
generated
by
this
source.
D
So
yeah
100
agree
with
all
that,
but
for
for
me,
I'm
trying
to
think
of
this
like
I,
like
the
library
analogy,
but
rather
than
a
library
for
an
s-bomb
or
the
specific,
like
tool.
Think
of
it
as
a
library
for
your
Change
review
board,
you
don't
have
to
spend
as
much
time
sitting
around
waiting
for
some
manual
approval
here
is
the
attestation
and
the
proof
that,
like
your
organization,
can
trust
this
and
push
it
to
prod
or
whatever
else
you
need
to
do.
C
Yep
and
so
I
know
we're
at
time
and
I
don't
want
to
hold
people.
I
can
stay
on
for
a
few
more
minutes
if
folks
wanted
to
chat
but
but
feel
free
to
to
drop
off.
If
anybody
has,
if,
if
anybody
needs
to
but
yeah
I
mean
I,
think
the
thing
for
me
and
I
I
100
agree
there
right
because,
as
somebody
who's
worked
in
Banks
before
right,
the
problem
is
always
the
Change
review
board.
C
Here's
generally,
probably
what
supply
chain
security
looks
like
from
an
end-to-end
standpoint
like
you
want
to
secure
developer
writing
code
through
to
production,
there's
a
lot
of
different
tools.
There
Fresca
fits
in,
let's
say
a
build
element,
but
there's
also
something
that's
at
the
top,
which
is
the
holistic
sort
of
policy
that
the
organization
comes
in
and
says
what
should
be
of
you
know
what
should
happen
before
this
thing
ends
up
in
production
right
or
actually,
as
it
goes
through
each
stage
and
gets
gated
right.
The
same
way.
C
You
want
to
say,
like
a
developer,
should
not
be
able
to
download
malware
directly
to
their
Workstation,
write
some
code
and
then
push
that
code
out
to
you
know
something
right.
That's
not
the
the
the
the
bill
doesn't
take
care
of
that,
but
there
should
be
something
that
goes
and
says:
hey
I
noticed
you,
you
did
something
really
weird
or
I
noticed
that
your
laptop
somehow
is
logged
in
at
like
3
A.M
halfway
across
the
world.
C
What's
going
on,
you
know,
like
there's
those
sorts
of
things
that
I
think
organizations
want
to
have
and
the
way
that
they're
currently
doing
it
is
via
manual
workflows,
right,
they're,
just
kind
of
coming
in
and
saying
hey
is
this
thing
like?
Did
this
go
through
this
approval?
Did
this
person
you
know
check
all
the
boxes?
Do
you
have
the
IP
addresses
for
the
firewall
rules
in
this
document?
C
Anyway,
I
know
we're
at
time,
but
I
I
definitely
get
a
ping.
A
bunch
of
you
on
on,
on
slack
with
additional
questions,
I
think
I'm
gonna
continue
to
write
up
some
of
this
stuff.
Please
please,
please
folks,
add
comments
to
this
document.
Add
things
including
I,
would
totally
rewrite
it.
Focusing
on
this.
That
is
totally
okay.