B: Finish getting my coffee here.

A: Had two layers. First, oh God, the one in the middle, Winnipeg, wasn't bad at all, because I was looking at it saying: okay, where do I gotta go from, like, what gate am I landing at, do I have to go to... I was looking it up in the little app and it was like gate 11 to gate 11. Like, oh, same plane. So I just got off real quick, used the bathroom, grabbed a sandwich, got right back in line and got back on again. So that wasn't bad at all, and then customs in Toronto. Again, yeah, Ken Houston, doing all my customs check there, because they do it: the US side is in the Toronto airport.
C: Still nothing. I already told some of the folks yesterday, like, I'm pretty much calling this the last meeting. I'm gonna, like, unless somebody kind of comes in and picks it up, you know, I don't think this is a good use of everybody's time. We have the same sort of three conversations every two weeks. So, you know, some interesting stuff from Open Source Summit. It was apparent once again: a bunch of people are looking at FRSCA, but nobody is really talking about it, contributing to it, even discussing their use cases. A lot of folks sound like the ones who are doing that are at large enterprises; they're not at liberty to actually talk about FRSCA, which is a disappointment. But, you know, I just wanna, I'm not gonna call out names, but, you know, there's a lot of folks who are saying we should still work on FRSCA, but they themselves are not contributing time or resources to FRSCA. So, yeah, I'm willing to call it a wash and move on to other things.

C: Yeah, yeah, no, yeah, same. I mean, like, I'm not gonna say hey, let's all abandon it, but I don't think the, even the every-other-week sort of meeting. Some folks are asking for, you know: hey, has FRSCA thought about going in a different direction? And I think, you know, we're more than comfortable with going in a different direction, but we need folks to actually show up and help steer what that direction might be. But, yeah, at least until then.
A: So before we make that jump, Sonny, I see you showed up. What direction would you like to see us take this, or are you just attending to see where we're at? Well.
C: Well, no, I mean, you still want to hear your personal opinion. I know you've, yeah, spoken to me a few times about it, and I think, actually, I think we're all on the same page that people are not moving off their CI systems. And to be clear, I think that, like, folks who have used, like, I don't know if they're allowed to disclose, but, like, there was a company at Open Source Summit that had said: yeah, we've been looking at using FRSCA. Not FRSCA itself, but we looked at FRSCA and we looked at the architecture. We tried to follow the architecture for what we were building internally, and so, like, because we couldn't, you know, we had all this legacy stuff, so we couldn't immediately shift over to SPIFFE, SPIRE and all these other things, but we still had a lot of other stuff that was able to help us hit those same sort of boxes. And that was super useful, so that was interesting. The other thing, I know you and I had sort of talked about this as well, and a few other folks, is like: does it make more sense for it to be something like a secure builder, whatever that may be, that that secure builder can plug into your Tektons, your Jenkins, your whatevers, and it being sort of a secure build step that itself takes care of the SLSA and everything else? And then we say: hey, look, we're not here to secure CI, we're here to secure specifically the build. You know, specifically packaging, and maybe a couple other things like generating of SBOM, and, you know, that builder, right, like, based on the SLSA spec, that should be fine as long as that builder itself is not under, like, can't be influenced by the build. As long as that builder can't be influenced by the build and, you know, we have reasonable security controls around it. You know, whether it's like, I think some of the discussions being brought up are, you know, long term, sure, something like a trusted execution environment, yeah, yeah, but in the short term, maybe something like a micro VM, something like Firecracker, something like, you know, Kata Containers, something like, I don't know, like, there's a bunch of different options out there. But anyway, once again, I guess what is the...

C: Yeah, yeah, so Nitro Enclave is similar to, like, the trusted execution environment, SGX, and some of these other things that AMD and Intel have. So that's the thing there, right, is all of them are kind of, and this is, like, some of the conversations I've been having, is a lot of them are, like, the documentation, like, there's not really abstract libraries for, like, here's how you run in the trusted execution environment. It's like: oh, here's a 500-page spec doc, read through how the hardware works and, you know, learn what registers you need to be... you know, like, there's that sort of thing, and, like, there's a couple of libraries that are at the low level that say, you know, yeah, here's how to set stuff up, but it's not really, like, an abstract "here's how you run, you know, a VM", right. That's where stuff like Project Oak, which is something that's being built out by Google, does this; this is where some of the confidential container stuff comes in, and so on. And so I think, like, that sort of, and every time I've had the conversations with the Confidential Containers and some other folks, it always feels like between 6 and 18 months off. You know, and I think it is coming, just to be clear, but with that, you know, comes a lot of other things, right. Like, running in a trusted execution environment is significantly slower than running outside, but, for example, for most folks I think, for, like, hey, here's, like, the core piece of my, you know, my business, I want to make sure it runs securely, I'm okay with, let's say, it taking twice as long to build, right. Because they were saying, like, I mean, it depends, but people were saying it's anywhere from 40% slower, you know, in sort of these sorts of use cases, to, you know, 4x slower, and it depends, right. Like, if you're talking about hey, this build takes an hour, okay, one to four hours, a little ridiculous. Hey, if a build takes five minutes, five to, you know, 20 minutes is still bad, but, like, if you're talking about: I ran this build in our CI system, cool, it's good, let's do the official build, and then that takes 20 minutes, yeah, it's probably okay. And I'm sure that'll improve over time as well, but, yeah, at least for right now. I think, you know, and this is some of the conversations, you know, I had with Brendan as well, is like: does it make sense? Does it make a lot of sense just to kind of maybe take a step back and keep it simple and just sort of say there's a lot of stuff from the perspective of Firecracker and other micro VMs and similar sorts of things, and just sort of, like, I think the thing that people, more, if we take a step back, I think the thing that folks are looking for is that abstraction. And, yeah, the abstraction eventually one day could be, you know, it abstracts away the trusted execution environment and so on, but it could just also be, for a short period of time, it abstracts away some controls and some, like, stuff around running in a container with no network access, right. Like, I think that's at least the feeling I get, but anyway, I know I also cut off Sunny there.
D: I will say, for FRSCA, I mean, you hit the point, and we talk about it multiple times, right: it is the adoption, and people need to get out of their CI. And I also feel like, the more I work with, like, GitHub Actions nowadays, like, unless you're, like, an enterprise, your bank, you can't use GitHub. A lot of people get that checkbox checked already, like, there's not much of an incentive for them to, hey, I'm gonna build this system just to get yourselves a three, for example. And then for the bank, I mean, you know how it is. You never get them to get, you know, adoption in a short period of time for something like FRSCA, and by the time they adopt it, maybe all the other CI/CD systems that they are using right now would have that capability. Yeah, that's how it'll get. It's difficult. It's... but I do say.
C: If the, we know, and we know this, right, if the way that people have built their CI systems weren't done at least with some of the initial stuff done right in the first place, like, if you've completely coupled your build into the CI system, you've done it wrong. But also, like, I recognize that that makes it much harder to also move off, and I think a lot of folks have coupled a lot of the way that they're, you know, yeah.
D: As well, I mean, you're talking about the, like, well, some organization, you have an entire team, like, running that CI system for you, and, you know, what do you expect them to kind of move up? What are they going to do, right? For the security concern, I mean, just, you know, for those executives, you know, in those organizations, I don't think the incentive is, you know, strong enough to take those actions. They could, but, you know, it's going to take ages and a lot of effort, and that needs to be, yeah.
C: Yeah, yeah, and I think, you know, and I think it's one of the... It would not surprise me if making Jenkins more modular and componentized was not a priority for that, because, hey, by making it easier to get off of, you know, I... You know, because I think when it comes to a lot of the stuff, I know, like, there's a lot of great plugins for Jenkins, but it all feels very much, like, based on, and to be clear here, you know, are still there today, and, you know, that's why I think, like, for newer sorts of systems I would recommend highly against folks using Jenkins. But, you know, I know that sort of thing was also discussed, like, literally at Open Source Summit during the panel, someone, you know, was like: hey, this FRSCA thing, you're telling me I need to use Tekton, Tekton Chains, all these different components. Isn't there just, like, a GitHub Action or, like, a Jenkins plugin? And I was like, well, okay, hold on, take a step back. You know, yes, like, the idea here is not to say that FRSCA is something that is easy to adopt and just for everybody. The other thing that folks had suggested at Open Source Summit is, if we did want to push this, and OpenSSF seemed to be open to the idea of running FRSCA as a component in the cloud, let's say, and start rebuilding, like, start rebuilding, let's say, I don't know, Sigstore or whatever, using something like FRSCA, to sort of be like: hey, here is a FRSCA that is built in a super secure, I'm sorry, here's a, you know, a Sigstore, here's a Linux kernel, here's a whatever, built in a super secure environment. So that's one thing. The other thing was a lot of folks were just sort of saying: yep, can we just get a secure builder? I think, you know, what are the problems with even getting a Jenkins plugin for SLSA? Is you can get Jenkins one, and probably Jenkins... Oh, sorry, that's SLSA one, and probably SLSA two in Jenkins using a plugin, but once you get to SLSA three, most likely not, because of all sorts of ways that, like, how Jenkins's internals worked, making it very difficult to make the provenance something that is only being read in by the control plane. And, you know, there's probably a bunch of stuff there. So I think that sort of thing is maybe something that we, you know... I know something I'm looking at is this idea of: can we just create a secure build abstraction and right now fill it in with something like a container that is, you know, minimal, with some security controls to ensure that, you know, hey, like, the build piece itself is not network..., like, you know, you can't use the network, and just sort of saying, yeah, it's not going to be for every single build. If you're, you know, if you're using an npm build that in the middle of the normal build reaches out to the internet to pull down, I don't know, graphics or something like that, sorry, that's not gonna work. Please make that part of, like, the separate pull-down source and dependency step, not part of the actual packaging step. Because a lot of folks, I know, like, the problem has been, like, they don't have a good way of splitting up source and dependencies, the build, and the packaging.
C: Anything else, any other thoughts? If folks were to say, like, just hypothetically, let's say we were to start moving in that direction of a secure builder. Do folks think that that's something reasonable? Do folks think, like, there's enough secure build tools out there that we should just sort of adopt? Because I'm also like, if somebody can point me in the direction of something that is generic and extensible...
A: That, sorry, does this, but it's been on my list. It's been a long to-do list of mine to do, but I've got my ideas for how I'd do it. I know you've got some different ideas for how you want to do it, and maybe it's the case of everybody throws something out and we see what spaghetti sticks on the wall.
C: But I do think that, I do wonder if, if at some level there is something akin to a, okay, the secure build abstraction interface, right, or something like that, you know, where the idea here is, like, what are, or even just, like, to take a step back, not talking about a 10-page white paper, but, like, if I were to write up, like, two pages of: if I'm a build, what are the things I'm most concerned with? And a lot of it is: I'm most concerned with pulling down source and dependencies in a way that is isolated and secure, and that whatever is doing that has been, what's the word, minimized, or, sorry, I've had too much coffee. This one, you're...

C: No, no, so actually the thing I'm trying to say is, when constructing something that is hermetic, right, you want to say the build itself should be hermetic, like, the actual packaging, building step, right, that I think needs to be hermetic. The problem is, how do you make it hermetic, right? How do you give something, how do you give a build all of its source and dependencies? And there's a couple of different ways of...
A: I had gone through some of that before and, yeah, one of the challenges when I started recording all the network traffic was: great, you record everything you did in one place, but now, when you replay it somewhere else, how do you know the thing to record in the first place was actually good and you didn't record a malicious build?
C: Yeah, yeah, so on that front I'm a little less worried. Like, I think as time goes on and we build more controls, and, like, this is where I think, you know, once again, I think SLSA, where SLSA came up with a really good idea, right, was separate out build security from what you're actually pulling in as source and dependencies, right. Because, like, yes, source and dependencies means that the build could be potentially building something malicious, but at least you can, like, if you know that your build security is pretty good, you know that it wasn't, like, a SolarWinds of somebody compromised the build system and is now re..., you know, I mean, like, if you can start to isolate the different pieces and say: hey, we did a bunch of testing on the source, so we know it's not the source. We did a bunch of tests, you know, we did a bunch of controls on the build, so we're pretty sure it's not the build, but the dependencies we don't do a whole lot on, so let's really look at the dependencies. That seems to be the most likely culprit. That's not to say, obviously, right, like, any of these things, right, you know, state actors and all that, you know, they'll find a way, but, you know, the idea here, at least making it much more expensive and then also making it easier to know what's the thing I should be looking at when something does go wrong, I think is good. But, like, to kind of go back to the thing I had built when I worked at a hedge fund was: we didn't trust Kubernetes, and I know I've talked to most folks about this, right. We didn't trust Kubernetes. This is before Kubernetes had a lot of security features, and a lot of folks are still like: don't trust Kubernetes, and a lot of folks are still learning the containers. The container in and of itself is not a security boundary, yada, yada, yada.
C: ...else is going on. Have you ever seen the, that, that it's not really a vulnerability per se? It's just an issue with how Linux handles shell, and if you run a container via the shell, the container can send commands back up to the shell. Pretty much there's, like, a way that you can, when exiting from a container, and this is just, like, you talk about, like, Linux namespaces and all that good stuff, so not running on a container runtime. So this is stuff like systemd-nspawn and that kind of thing. If you, let's say, run that container via a shell, the problem is the output gets, you can send output back as the exit. So you can pretty much say, like, I can't remember exactly how this worked, but you could pipe... So you could go in, like, you know, and some folks had done that sort of stuff as ways of, because, like, if you were running the systemd-nspawn containers as root, and, you know, yada, you could do a whole bunch of stuff there. It's not just systemd-nspawn, but just anything that used just namespaces and that sort of thing, because when you did, what's it like...

C: And a center, yeah, yeah, the, if the container itself, if the namespace, whatever process was in there, returned something, it gets executed in the shell, which was really weird, and it was one of those things where they're just like: yeah, like, based on the way all this works in Linux, it's just, it's not fixable, because it's just a, like, a key... You know, but anyway, the way that we had built a lot of the stuff at the hedge fund was: you had one container, or one systemd-nspawn container, that downloaded source and dependencies, and, to be clear, the source and dependencies were all content addressable through a nice little thing called Nix, but I think that sort of thing is, you know, neither here nor there, we could do whatever. But it had a write-only sort of file system that it would write everything to a... we would write everything to, like, a mount, and then that container only had, essentially, you know, Perl or whatever, right. It didn't have anything, you know, it had a couple of tools to just download the source and dependencies. It had no binaries for GCC, libc, you know, nothing that could run the actual compilation. Okay, it had a lot more build tools on there, but those build tools, like, but it did not have access to the network, and then we were also using eBPF-style monitoring to say, like, hey, make sure that even if it tries to make a syscall to the network, don't just deny it, record that, because I want to know that the build tool tried to, like, reach out to the internet. We did some stuff there. We ran the build. It then wrote the output to a separate mount, and, oh, the other thing I should have said, like, and I'll, sorry, I'll finish it and then I'll go back. And then the final thing it did was this: the third thing would go and publish the package, but the thing was the first step, right. We had actually a trusted control plane, where the trusted control plane was: the output of the first thing got recorded and signed and then uploaded to our Merkle tree. The second thing got built and, you know, signed, got uploaded to a Merkle tree. The third thing, the package actually got signed off by the actual packaging, yeah, sorry, not the package, the upload sort of thing, and then got pushed out, and then that also got recorded. And if at any point the hashes didn't line up, you, something was wrong. The Merkle tree wouldn't resolve correctly and you knew, like, hey, somebody built something, and, yeah. Anyway, I'm not saying that that sort of thing is something that is important for everybody, but I think, like, a simple thing that does that, maybe, is reasonable enough. I don't know if Buildpacks can do that, or something else like that that can just sort of make that multi-step thing where, like, once again, the idea here being there's a trusted control plane being this build orchestration, right, but the build orchestration is super simple, right. That code can be audited. It's probably going to be...
A: I don't want to know how many lines of code something like BuildKit is today. Depends on what you define as your orchestration layer and BuildKit itself.
A: ...own leaning is that maybe it would go toward, like, a rootless container environment, and you would basically spin up, inside of a container, another container runtime doing whatever your build stuff is. So it's, like, isolation inside of whatever the CI isolation is, but that gets complicated really quickly.
C: Yeah, yeah, and I think that's kind of why I want us to, like, if we were to kind of go along with this, I would much rather focus on, or at least at the beginning, just sort of saying: what does a secure build generally look like, and, like, you know, come up with some ideas. Because, like, once again, my idea, like, that sort of three-stage thing, is one idea; there's other ones. And just kind of go through what some of that might look like at an abstraction layer and say: okay, great, this seems like the most extensible and easiest one to implement, let's go, and then, like, we can actually look at the different potential implementations. Because, yeah, I was also looking at, you know, running nested containers, right, or, you know, because I think folks are gonna want that more than they're gonna want Jenkins calls out to some other service which runs that particular build, like, it's...
C: Yes, so there's a couple of things there, right. So the isolated, ephemeral requirements coming from SLSA is largely just: different builds can't affect each other in time or space, right. You know, like, they can't, you know, two concurrent builds can't, you know, affect each other's resources, and, yeah, yeah, and then, you know, which is, like, the thing that...
C: So you talk about, like, the actual isolated build itself.
A: You know, I'd have to go look through all the requirements again, but I'm just kind of thinking through them and just, I'm trying to go through the scenario in my head of saying: are we forced down the path that, if you built a secure builder that could run in a CI environment, are we forced into a nested container scenario, or is there some kind of design that could be set up where you're still SLSA compliant and running everything in there just like a Java build or something else? There's Albert and Jerry?
C: I think leads up to a lot of folks to just be like: great, I could do something that follows the letter of the law but maybe not the spirit of the law, which is stuff I'm dealing with a lot. But the thing is, they call it the trusted control plane, or, you know, the trusted build control plane, and the idea here is just: can you, if you were to call that nested container the trusted control plane, great. If you were to call something else the trusted control plane... but the properties of the trusted control plane are pretty much: the trusted control plane is the thing that orchestrates the builds and makes sure that the builds are isolated from each other. So if that parent container is, you know, if that top-level container is the trusted control plane, it itself gets spun up and you're doing the right things from, let's say, a security perspective, to make sure that every time you spin... because this is also another thing that SLSA can't handle right now, is a lot of folks would argue it's now a new hosted builder every single time that container spins up, which, you know, just to be clear, I'm trying to, for, like, something like a SLSA 1.1, could get them to sort of clarify some of those things, so that folks recognize that the software itself can, like, can hit, let's say, some of the SLSA conformance without the runtime piece, and then you could say the runtime of the, you know, control plane here is, like, that attestation that's because it's being run by, you know, let's say, my secure Jenkins or whatever. Because you still obviously want to have, like, you're still going to need to have at some level, if you're, let's say, running it through Jenkins, if Jenkins has access to the underlying resources, Jenkins will have access to, at some level, mess with whatever's happening, which is also why something like the nested container stuff... You know, I think that if you do the right things from, like, a, you know, Jenkins even doesn't have root access necessarily on some of the resources, you might be okay. You know, I don't know, but anyway, I think the nested container thing is something to look at. You know, I think the other option, right, you know, and this is the thing I was saying before, is, and it's less ideal, because people are not going to want to run a persistent thing that just runs orchestrated builds, but, you know, you could have a very thin API, right, that all it does is it listens to these things and then runs those things in the isolated network, in the, you know, super contained thing. That obviously comes with, like, now you've taken something that's just, like, a couple of containers and now you've said: no, now it's a full API.
A: There's already a client running that packages up all of the context, the build context, ships it off to the container server to build it. It takes the whole context and everything else, does its whole build, and spits back: okay, here's your container image. So it's already built into the architecture, a lot of what's going on; you'd just be potentially hijacking some of that to say: hey, you know, instead of sending your context off to the Docker engine to build, send it off to the secure build engine to build.
C: Yeah, so this is actually something that I've been trying to also read up on, and some folks might know more than, you know, probably know more than me, and is, I was looking at, because with containerd you could have plugins that are supposed to help with potentially this sort of scenario. Like, that's why I was looking at, like, you can, you know, the Kata Containers, right? There is, like, a Kata plugin for some of these things. The problem is I've never been able to get any of them to work right, partially because I believe a lot of the stuff like Kata Containers just do not work on Mac, right. Like, even if you had, like, Lima and Colima, they're like: no, no, we are expecting certain key things at the x86_64 level, not at the, you know, ARM, you know, kind of architecture level.

C: Yeah, yeah, no, no, no! No! No! No! No, just to be clear, I've actually been joking with some folks about, you know, you know, nowadays, with how things have been going, everybody has an EXT... Sorry, everybody has a Linux distribution. But I do think it's worth exploring more. I do wonder...

C: It sounds to me, and, once again, I don't want to take this meeting up. You know, like, I'd much rather just sort of say... Well, no, I know I'm willing to take this literal time right now, but I mean, if we were to kind of go back, I would much rather, let's say, get a group of five or six like-minded individuals and sit down and just, like, sketch out what this thing might look like, if folks were, like, interested, right. Like, if folks were not interested, I could go and just sort of hack on it myself and do it, but I would like, you know, five or six folks who are hands-on-keyboard sorts of folks who can kind of come in and say: hey, here's the thing that we looked at, you know, here's what we think needs to happen, and then maybe try to pull in, you know, like, I spoke to the Project Oak folks a couple of weeks ago. They seem very interested in this use case. The problem is, you know, with what they're trying to do, they're very much like: no, no, we're 100% secure, we're doing everything in the trusted execution environment. The problem is getting a Linux kernel running in the trusted execution environment is very non-trivial, but they're doing actually a lot of cool stuff where they're, and this is something that I think we should also consider just from the conceptual level, they're doing this thing of, like, very minimal BIOS, very minimal firmware, very minimal, like, bootloader, very minimal kernel, and then those things begin to load, like, they're like: we're willing to take the performance cost of, like, running lots of things that just sort of call each other, and each one has a little bit more and a little bit more and a little bit more, in exchange for, like, ridiculous amounts of security. And so they have something they call, like, the stage zero bootloader or something like that, which is, like, hyper minimal, and, like, some of these things, like, can't even call, like, a, you know... I can't remember, you know, it's like some of these are, like, ring negative five or whatever it is. It's like some of these things, like, the way that they work, it can only run, like, at very, very specific areas, but, like, a lot of this stuff, it's like it can't call directly into a Linux kernel and load a Linux kernel. It's like, because there's just not enough there, so you have to do all this different stuff and then it can go in and load.

C: If we think about it and say: hey, what is, like, what are we trying to do? Well, as much as we can, we want to sort of make it so this is not a generic, like, the key thing here, and I think it's, like, if I were to, and I'm gonna just start writing up some stuff in a Google Doc and then share it with folks here and probably share it with some other folks, is, and, to be clear, like, from the five or six people who we're gonna bring in, we get to decide either... Not, like, somebody come in from the outside and be like: yeah, but have you thought about this use case? That's not within the scope of what we originally thought of. Like, no, sorry, the thing I wanted to bring up was: I do think we want to state, like, some key principles, the key principles being: this is not a generic workload orchestrator. That is, like, very key here, right. Like, maybe, if you squint, oh sure, it could probably run things other than secure builds. I don't care; the intention here, it is going to be keyed into running secure builds, that's it, and running secure builds that can be SLSA compliant, and, you know, I think a few other things, like, hit it, generate...

C: Yeah, for us right now, I think GUAC is, most of Kusari and whatnot are still very, very focused on GUAC, but we're hoping in the coming months, once that begins to blow up a little bit more and we get more maintainers, you know, contributors and maintainers to GUAC, we'll have more time to focus on stuff like secure build. Because, you know, a lot of folks are still like: hey, FRSCA itself maybe was not the thing, but, you know, a lot of folks are still asking for, you know, Open Source Summit, right. A ton of folks were like: okay, cool, but I don't want to use, like, I don't want to use SaaS. Great, so you didn't want to use the GitHub stuff. Is there something else that is as simple as the GitHub stuff? And I like that, you know, the idea of that reusable workflow that they have, and I also think that there's areas where whatever this builder could be, could be that, like, mythical, you know, SLSA four plus kind of thing, where it is hermetic, it is, you know, reproducible, once we bring that back in. And one of the things I need to, because I just saw some stuff come up...
A
I was very confused there for a second, because when you first said it, I was assuming that it was SLSA applied to some, no, no, project becoming submodules or something like that, and I was not following at all until I realized, now you're talking about SLSA itself; they're just trying to split up.
C
C
I just really, maybe it's just me who's been traumatized by submodules in the past.
A
They can be a bit of a pain. It depends on how you use them. Yeah, I try to get away from them when I can.
C
A
C
Yeah, yeah, I know. Actually, in a very previous life, and they might have fixed this, but we had a spiraling submodule problem. I don't know if you've ever seen this, where you have a git submodule that called a git submodule, that called a git submodule that called the first git submodule, but an older version of the git submodule.
C
What the heck is going on here? And it was like it just kept recursively calling it, like it kept going back and back in time, and it also led to all sorts of other issues, right, because, like, oh, we were using it for stuff like Ansible and Chef. So we were like, wait a second, why are we using the Chef thing? Like, we fixed that bug, what's going on? And we found out that, like, no, no, you don't understand, like this
C
this, like, Chef cookbook or module or whatever, Chef module, called this older Chef module, which called an older version of the first submodule, which had the bug in it, and you're like, anyway. That's, and maybe people can use it correctly, but I've, I've.
C
B
C
It, you know, I'm just going to take a look, and, you know, like the idea here. I'm going to take a look at, I know it's completely unrelated to FRSCA, but.
C
Like, looking at the submodule, right, the idea behind a git submodule is you also want to pull down the history of that thing that you're pulling in, right? It is like you're pulling in a separate git tree, and you're sort of conceptually saying that my git tree has this pointer to this other git tree, right? And so, if we're just saying pulling in the content, why are we not just then vendoring that content and saying, but anyway, I'll take a closer look here.
B
C
The website is the canonical representation of the SLSA spec, which is a problem for a few different reasons, and it's the same thing that we're obviously dealing with in the SPDX 3 stuff: we're trying to push, like, you want to update the website so people can see the draft immediately. At the same time, like, a release of 1.0 is probably the thing where you can vendor that.
C
But when everybody's making a minor update here and there, it's a little bit harder, because you just want to be like, hey, I want to pull whatever's on main. No, I'm pretty sure you could probably just do that as part of the build, as opposed to doing the git submodules. You just say, and I think the thing too is they're trying to avoid the thing of people having to pull down, like, when I do a git clone,
C
they just want to pull down multiple repos at the same time, while also still being able to kind of, I don't know, I don't know. I'm gonna have to read up on this a little bit more. It feels like a whole lot of stuff to fix a very simple problem that, yeah, anyway. So anyway, I know, Brendan,
C
you said, you know, you'll look at this in much more detail in three months, but is it all right if, like, let's say a handful of us started poking around with stuff on a Google doc and just sort of shared it with you to get your feedback?
C
A
And when you say end it, this is the official ending? We're going to go into the calendar and pull this?
C
C
Yep, at least for now. I'm just gonna say: hey, look, this is, it's not really worth the folks' time, because we've been having the same five conversations. And it's not to say that we're suspending it, but we're gonna reevaluate and bring it back, maybe, in the future.
A
I would just say the meeting isn't needed. Yes, the project is still going to continue, async. Yep, I think that's something OpenSSF doesn't do well, which is to bring a project on and just say, look, the project can do its thing. They.
C
Yeah, it was funny, because when we first started the meeting it took me like a month and a half to get OpenSSF to actually correctly create the meeting, and it'll be funny if they push back against, like, canceling the meeting. But yeah, so I mean, with some of that said, like, you know, a bunch of the folks at OpenSSF, like David Wheeler and Jonathan Weisich, have all sort of expressed interest in helping with something like FRSCA. I think they've all sort of said:
C
hey, look, this is something I can push asynchronously. I just don't have a ton of time. It is running something like, you know, Sigstore or whatever inside of FRSCA, to build it, to show it could be SLSA level three and yada yada, but we'd also need, I think, you know, a handful of extra hands on keyboard here, and I know, as we can see, a bunch of the other maintainers of FRSCA, you know, are unable to actually join, you know, on a regular basis, and yeah, yada. So.