D: Hey guys, this is starting to look like familiar faces. Yeah.

C: Yeah, we'll give it another couple minutes and then maybe call it.

A: All right, at least Brad said that he was going to be 15 minutes late, so I'm guessing I have something going on that side.

C: Give me just a second here.

F: All right, I mean it does look like we have a bit of a quorum, so we can get started here.

C: A reminder: this meeting is being recorded; it'll be uploaded to YouTube shortly after.

F: For folks who are joining, feel free to go in there and put in your... put your...

C: We don't really have a lot on the agenda other than just kind of going through that document again, and let me actually pull that up.

F: And we can, because we do want to...
C: Kind of, you know, see if we can throw this out there, see if there are folks who are interested in certain elements of FRSCA, and if so, you know, if we can kind of get some folks to contribute. Just as a reminder, yeah, you know, I've been getting a lot of folks externally who seem interested in learning more about FRSCA, joining FRSCA, and, you know, I'm sure everybody's busy, so they've been unable to attend this meeting or look at the GitHub issues.
C: Okay, so I rewrote the document. It's now about two pages long, more or less. You know, the intro two paragraphs here are just an introduction to why we built FRSCA. So a lot of it comes down to, you know, there was a lot of stuff coming out about supply chain, you know, software supply chain security. You know, about two years ago things were, you know, we had the SolarWinds Sunburst attack.
C: That was still kind of, you know, that had blown up, we were having stuff like various other attacks throughout this time that were blowing up, and a lot of folks were like, hey, the build seems to be very important and nobody seems to be doing a lot around securing the build. A lot of talk about how a lot of folks see, you know...
C: CI/CD systems were more or less just open and developers could just run whatever, and as long as they compiled, that sort of thing would go into production, and people were saying, hey, that's probably not a great idea, especially given that in a lot of these systems, you know, it was very easy to reveal the secret keys that were used for signing and all that good stuff. You know, then the second paragraph just sort of says, hey, so that's why we built FRSCA.
C: You know, like SPIRE and Tekton and all these other things that could make a secure build, and there were like a lot of demos around it, but nothing that really sort of tied all those pieces together, and so FRSCA sort of emerged out of that, of hey, why don't we actually start to tie all those pieces together into one more cohesive system, so that, you know, for example, right?
C: You know, we use Tekton with SPIFFE/SPIRE in order to, you know, apply SPIFFE workload identities to what's actually happening, you know, the builds that are actually happening within Tekton, which means that if an administrator of the, you know, the Kubernetes cluster that Tekton's running in messes with some of the jobs or something else, messes with some of the jobs that are running, you know, the SPIFFE identities would no longer be valid.
C: Folks like B. Mitch and Parth know a lot more about the details, exactly how that works. But generally, you know, those workload identities, you know, we get protection against stuff like jobs trying to mess with other jobs because of, you know, permissions, whatever, or administrators of the cluster, or, you know, admins of like FRSCA itself, from being able to mess with jobs that are running within FRSCA. The goal of FRSCA...
C: You know, the high-level goal was, you know, we want to help secure the build process, right? That's really what the purpose was, right. We were looking at stuff like, you know, what was happening in SolarWinds and like, okay, what can we do to help secure the build process?
C: Not just from specifically the SolarWinds attack, but from all sorts of classes of attack, and in the architectural documents we get a little bit more into that, but basically the three high-level things are what we want to protect.
C: We want to make sure that only jobs that are running secure tasks, right, or secure sets of tasks are allowed to run, right. So if you were required to generate an SBOM, you don't get to deploy a pipeline...
C: ...that does not generate an SBOM, that kind of thing, and if you are required to run certain security scans, you are required to run certain security scans. Protect against administrators or operators within the build itself, as within FRSCA or, you know, the build system. And then finally, you know, have the ability to monitor and protect against threats inside the build itself, so stuff like the build trying to reach out to malware.com, that kind of thing. And so that's kind of like the high level there for FRSCA, and yeah.
C: So we are following sort of existing, you know, sort of framework, architecture standards and best practices framework.
C: We want to, you know, leverage existing tools and components, and then we want to have security enforced by design as opposed to sort of opt-in, which is the way that it works with a lot of the existing systems: it was very much an opt-in. Like you turn on this security scan, you turn on the security feature, you know, as opposed to the goal, you know.
C: One of the ideas behind FRSCA was that it's there by default, right, and so it does this by being primarily two things, right. A suite of build pipeline, like a bunch of different tools that are configured to operate securely, and then actually I'd probably add in there "operate securely and run builds securely," right, and then it's a set of build pipeline abstractions and definitions with security guardrails ensuring all builds follow supply chain security best practices, right. So the abstraction here is, hey...
C: I have a Go build. Great, you have a Go build, but that Go build itself consists of this, you know, a Go security linting step, a, you know, a Go generate-SBOM step, and so on, right. And what is FRSCA today? So FRSCA is a bunch of different components, right, like it's Tekton, Tekton Chains, Kyverno, Sigstore, Vault, cert-manager, as well as some glue code that helps wrap the pieces together.
C: This allows it to be compliant with, you know, SLSA and the CNCF Secure Software Factory reference architecture, and then tomorrow, you know, what could FRSCA be, right? Well, FRSCA, you know, could have an easier deployment. FRSCA could have better pipeline abstractions. FRSCA could have, you know, a FRSCA CLI tool that makes a lot of this sort of stuff easier to do, and so then, you know, the rest is just kind of like a call to action, just sort of saying, hey, who do we need?
C: Well, we mostly need two main sets of folks. One is hands-on-keyboard engineers who can help contribute to the features and functionality of, you know, FRSCA, and then the other one is end users, for their use cases, which I think is probably maybe the more important one to sort of talk through here. But the basic idea, right, is we kind of have a bit of a scenario where, you know, when talking to some end users, they have found value in FRSCA.
C: As an example, just sort of saying, hey, I looked up what you were doing with SPIFFE/SPIRE and blah blah, and that gave me an idea for my own internal implementation, which, hey, that's great. Or, you know, but if it comes down to, you know, do folks want to see FRSCA actually as a tool that they can deploy, or like a system that they can deploy...
C: That seems a little less likely at this point, and so the idea is like we need to just kind of get more use cases from folks to understand, like, hey, what are the concerns that they have with their build, or do they not have concerns with their build and they're comfortable sort of running, you know, Jenkins? Because I know one of the things in some of the conversations I've had is largely, even though folks do think that build security is important...
C: They don't believe build security to be important enough to really make the changes that would be required to have secure builds, right? And this includes, you know, this is also some of the feedback folks have given on FRSCA, is just, hey, it's great that we want to build more securely. I don't have the budget to do so. So anyway, I think that's kind of it. That's really about it there. I just wanted to kind of go over it one last time.
G: Awesome. I love the updates. I love the structure and the flow of it. Now it's got me thinking about a couple of things that I don't know that they're necessarily... it's always hard with things like this, right. It's like you start pulling on the string and it's like a tangled mess of spaghetti, of like there's so much more.
G: We could do, and like there's so... that's kind of where we started. I don't want to push back towards the direction of like longer or more content.
G: But let me just say what I'm trying to say: the community aspect of this is one that I hadn't thought about as much before, and the idea of like what FRSCA is trying to achieve, or I think, was it like when we start talking about like helping people understand supply chain security and learning and having an example and practicing, like there's a lot more we could do in that space without changing anything about FRSCA today, like just using FRSCA.
G: Just building out more examples, and I think that that is like a really big opportunity, and it's a slightly different type of opportunity, like we could... we can solicit different people to come and contribute to that. Like, I look at, just as an example, Chainguard Academy, right, like they have a huge library of things for people to help like learn about supply chain security, and I...
G: think that when I look at OpenSSF, and this is kind of like a supply chain integrity positioning thought process I'm having right now, which is the like, there's so many deep-in-the-weeds working groups and parts of this, of like, you want to know every little detail of SLSA and you want to help design and build the next version of the spec. That's awesome! You should absolutely join the SLSA spec meeting, or the S2C2F, like you're really interested in how to securely consume open source.
G: But then there's like there's still a lot of people who, when you go through, like, how do I secure the software supply chain, they're like they don't even know, or, to Michael, like I use my little Psalm emoji: we think it's too expensive to implement a secure software supply chain. Like that just makes me cry, like it makes me so sad that people put that second. So like, can we, or is there interest in building a community around secure software supply chain practices and principles?
G: And things like that, and is FRSCA... like there's the project, but is there a broader thing for the community there? Is there a place for that? Just a thought and an idea; curious for other folks to speak back.
C: So, you know, that was kind of one of the reasons for, you know, FRSCA; that was one of the reasons why there was interest in FRSCA when we had originally contributed it, right. You know, when Citi had contributed it to OpenSSF, OpenSSF had a lot of stuff like SLSA and some of these other like things around, you know, security.
C: You know, supply chain compromise and best practices and those sorts of things, and so the idea was FRSCA could be an implementation of these various practices. And to be clear, I think this is still an indicator of other concerns that we have as well, which is, and I don't want to be all doom and gloom by any means, I just think that as a community we just need to do a better job. A lot of folks are like, hey, yep, you know, there's a lot of best practices.
C: You still haven't done enough to convince me that I should be doing those things, which seems to be like outside of... like, if you talk about, you know, and I don't want to go down that rabbit hole, but if you talk about stuff like, hey, I'm building a cybersecurity product, absolutely, yeah, this is what I should be doing.
C: I must be doing all these different things. But if you talk to the average person and you say, hey, I'm already thinking about SQL injections, I'm already thinking about all these different things, and now you're saying I need to think about the secure build, you know, that's not going to happen.
C: So that's kind of, I think, the thing that's sort of coming out of a lot of it, which is just it's less about the best practices and it's more about how do you make those best practices just something that the other person doesn't have to think about, right? You know, the idea behind something like a FRSCA is FRSCA is just, you just say, hey, I'm a Go build, and we just build it securely. We get your gear I spawn.

C: Sorry, I don't know.
D: So I had a different comment, which is, you know, I think the paper looks good. I mean, overall I think it covers what you want, and so, you know, I think that's pretty good. The comment I have is I think you need to add a few more links. It's pretty basic, but, you know, you can't expect people to have familiarity with S2C2F or even what SLSA is, and I think when you talk about the build part, which is what FRSCA is focusing on, it would be useful to refer to maybe what's in SLSA, you know, the threat model with the pipeline, so that people can see what piece you're talking about in the supply chain. You know, again, if we are talking about people like John was referring to, where, you know, they're not necessarily completely, you know, embedded into this as we are, and they've heard about supply chain security and they're like, okay.
C: Yeah, that helps, yeah. I think, but yeah, I mean I think since this is sort of, you know, more or less, you know, with a few extra sort of links and maybe a clarification. Let me just put that as a comment.

C: So yeah, that makes sense, and then I think that still kind of ties into the next piece, which is just, okay, so let's say that we throw this out there.
C: The thing that, just to be clear, like, you know, that I'm still trying to kind of figure out is how do we begin to get folks in, right, contributing and that sort of thing, because, you know, I've had a lot of folks from across the gamut, right, multiple folks, not just yourself, John, from VMware, a few other folks from a bunch of different companies, like even, you know, MITRE and some other places.
C: But when it's come to sort of, say, okay, great, let's sit down and start contributing, there seems to be a lack of actual folks who, let's say, know a lot of the Kubernetes stuff or whatever. So yeah, I mean, if there's suggestions on how we might be able to do that and so on...
D: Unfortunately, that's a common problem that you find in, of course, you know, a lot of open source projects that are looking for more help. There is no magic bullet. I think, you know, generally speaking, it's making sure people know about it and that you're looking for help, and I think as you get more users, there's at least a portion of those users where there will be some desires that are not met, and maybe they'll be able to...
C: Well, yeah, I mean I think that still ties back into the, like, hey, what do we see... sorry, FRSCA being, right, and this is, you know, stuff that, like, I agree with Jonathan's comments that he made, was it yesterday, at, was that SLSA? But one of the meetings, there's also a positioning meeting, I believe, which is just, you know, I know there's some disagreement.
C: I know that there's some folks, right, like the thing I noticed about FRSCA is FRSCA seems to be popular as a learning tool among large enterprises, because a lot of large enterprises say, hey, like, I'm on Jenkins, but I know I need to move off of it because of this, that, or the other thing, or I already have a Tekton, but I have no idea how I'm supposed to secure it. Oh cool, I can look at some of this stuff, and hey, you're using Kyverno, but I could probably have my folks...
C: You know, look at OPA instead, right. You know, or you're looking at SPIFFE/SPIRE, I can't get that installed, but maybe I can do this, this and this as mitigating controls against that sort of process, and that has proven to be valuable for some folks. But kind of moving forward, like, hey, what can, you know... I think the thing that I'm still trying to kind of go through is, you know, before we even kind of get contributions, like, hey, who's using FRSCA, or who...
C: What do folks actually want to see out of FRSCA? And, you know, I think anything's on the table, right, up to and including, hey, maybe the existing FRSCA is just this thing we leave out there, and then we focus more on a different piece, right.
C: You know, like, my build container didn't contain, you know, vulnerabilities that my... you know, I ran my build, like I want to run hermetic builds, but I don't want to have to, you know, do a ton of work and effort to make that hermetic, and I want to do this, that and the other thing to secure those things, and like you don't necessarily need Tekton for that, right. You just need to do a whole bunch of magic with stuff.
C: Like, you know, I mean, I remember back in the day, right, using BSD jails and those sorts of things, of why you would, you know, do some of that stuff. But, you know, some folks have talked about that. Some folks have said, hey, you know, we'd love to see FRSCA extend into other parts and just be a representative example, but once again, I think I would love to hear from actual potential end users of FRSCA, or what they would love to see from FRSCA.
G: I think I heard one of the other groups is building an explicit course, training course, I don't know if it's S2C2F, of like to help folks understand better the framework and things like that. I'm wondering if there would be utility in like trying to have a formalized course with FRSCA, and if we could... we're kind of like, the timing is slightly off with like conferences, like it would be great to, and maybe the next target would be like KubeCon, which gives us some time, like KubeCon in the US, so like Chicago, to have an actual lab or whatever.
G: What do they call it normally, like a workshop-type event, where we could try and physically bring people together, and we can try and do an ad hoc version of this at the security village in KubeCon EU. But we've got like two weeks to prepare for it.
G: But if nothing else, we could sit down and try and like interview people, or like just try and like bring it up with everybody, and... I don't feel bad about doing it for an open source project. I'd feel really obnoxious if I was like pitching my proprietary vendor product to everybody, but, like, you know, taking FRSCA and basically just pitching it, yeah, like, because I definitely hear your point...
G: Michael, of like really hearing from end users, and I can talk for all the time that we have about like what I think they want, but that's very different than like actually hearing from them, and so it would be really interesting to have a way. And I'm saying all of this, I'm also willing to do some of the work on that, so I know...
G: You also said, like, I have personally, I will admit, I have not opened any issues or submitted any code to FRSCA. I've run some of the samples and demos and things like that. But I think that's the direction I'm interested in. Separate from that, I've been spending, in some groups internally, have been spending some time...
G: thinking about some of these other problems, which is the like abstracting some of the supply chain concerns from the build mechanism or the pipeline mechanism itself, of like how do we, you know, like the most obvious example, and there's some open source stuff around Cartographer, is the name of the open source project, of like how do you wrap something like Tekton, or wrap something like Jenkins, or wrap any CI/CD pipeline, and so I would love for that group to eventually try and contribute at least the ideas back here, but I think that having that run in the background while also getting more end users would be helpful.
G: So sign me up, and also the other thing, Michael, I'm curious for your perspective, of like I know you have a lot of other stuff going on, like if you need help facilitating this meeting or anything else, like I can help with that as well too, of like just trying to help keep beating the drum until we can try and like drive some, hopefully some organic adoption of these things.
C: Yeah, yeah, I think that could definitely help there, and I think would appreciate it.
G: Would we tell people to just go buy some vendor solution, and that triggered the thought in my head of, like, could FRSCA in some ways like help be a buyer's guide for people? Like Gartner has a whole new category they're building out for the cloud native security platforms or something like that, I forget exactly what it was called, but their cloud native application protection platforms, like to be a buyer's guide for like how do you talk to your vendors and not let them bamboozle you with, here's all these, like, Confluence... And I've started to see some pushback as well from people writing articles and things like that about, like, even the idea of secure builds, of like people aren't really going to try and attack your CI/CD systems, or like it's too expensive compared to all the other like low-hanging fruit, and I...
C: Yeah, I think that's useful, and I see actually Rule has some pretty good feedback in the chat as well, around sort of saying, you know, I think that's a thing that, you know, so there's two separate problems. I think maybe the audience within here has been very focused on sort of thinking about it as developers, and I think a lot of it is because of OpenSSF, and I think, John, you had mentioned...
C: You know, we should probably talk at like a DevOps Days or something like that, because there's going to be a set of folks who are responsible for an enterprise's CI/CD, right. You know, you usually don't see development teams spinning up their own Jenkins; they're required to write a Jenkinsfile or something like that, but they're not spinning up their own Jenkins.
C: They might need to write like their own GitHub Action or whatever, but they're not like deploying out the GitHub themselves, and so on, and I think that sort of thing, you know, finding that audience as well is going to be useful, because for a lot of those folks, I know, like, you know, and a lot of this is coming from my biases, having lived in mostly the DevOps workspace most of my career, is, you know...
C: Most of my time was spent with stuff like, you know, Puppet and Chef and Ansible and Terraform and those sorts of things, and like trying to make sure that I could deploy out, you know, tools that developers would then use to run CI/CD, so, you know, stuff like Jenkins and things like that, and then also configuring Jenkins to be secure and doing all that work, and I know, like, if I had something like FRSCA back in the day...
C: You know, I've worked at places that have had to, you know, they manually audit all the images used in their builds, like every, you know, month, to say, hey, you got to update that, right. Whereas the idea behind FRSCA, right, is: oh, okay, cool, you just sort of add some of that into policy and it goes away, right. Like you add some of that into policy and it goes, oh yeah, you can't run this build anymore.
C: You know, because you're using an older version of this build tool, and the idea would be FRSCA could automatically update it, or, you know, in cases where it can't, you know, it would just tell you, hey, this needs to be updated, or this needs to be fixed to something else. And so the idea was to try and make it super simple for, you know, developers to use, as well as make it easier for DevOps to sort of build and operate, or implement and operate.
C: And then to the other thing you had mentioned, yeah, I think it still would be useful to just really kind of dive in and figure out, you know, like if we were to rebuild this again. I would probably have taken a bit of a different direction, to kind of echo a little bit of, like, I think FRSCA itself is still important. I just think that one of the things is perhaps FRSCA is a solution for people. It's a solution...
C: That's like, the one person who had spoken to us about this had described it as, FRSCA is the concept car, right? You know, there's a ton of features on it that eventually will end up in other systems further down the line, but you don't have many people buying the concept car, right. You know, a couple of the things might end up in something like a supercar or whatever, and you're gonna have a handful of folks who want that.
C: In my, you know, my existing workflow, or I want it to be straightforward and simple enough that I'm not reinventing my entire world to adopt this random thing. Whereas, and so if I were to redo it again, my two cents is I would focus purely on the build piece for a bit, right, and say, hey, look, there's a lot of steps you can do. Those steps are going to be potentially insecure, but you might not necessarily care, right. You might say, hey, the thing that generates the SBOM...
C: The compilation step, the step that takes a bunch of code and transforms it into a binary package, that I want to make sure is super secure, and maybe focus more on something that could integrate with Jenkins and all these other tools would be where you would want to do that. And so, like, I can say, like literally what I had done at a previous job was I built a build system that could only run three things, right. So it only ran a build.
C: You could only read from one and output to the other, and then finally you had one that could only... and it had no access to the internet, and it literally only had like the build tool, that is literally it, and then the third one, which is essentially the same as the first, it just had a, you know, a publishing... it had the ability to publish to the package repository, and, you know, the various I...
C: You know, we had various IAM permissions, that those are the only three things it could do, and because of that, you know, we felt a lot more comfortable that the build itself wasn't compromised, right, or if the build was compromised, that it was an upstream dependency or malicious source or something like that, as opposed to the build system itself, because the build was happening within a hermetic sort of environment.
C: You know, everything was super isolated. We had tons of network controls, yada yada, and so, if you could, I think from what people have said is, if you could package that up and just sort of say, I give you Go code and the output is secure Go, you know, a secure Go binary, that would be great. That seems to be the thing that folks say, and then they say, like, I would love to be able to do that.
C: In my existing CI system, I like, I want to have Jenkins call, like I want to say, hey Jenkins, I want to have a step that calls the secure builder, or, as Rule said, like, hey, I want to have the ability to say, Azure DevOps, you know, here's my code, run it securely, right, and that's it, and take out the rest of it.
C: You know, from, you know, the developer, who doesn't have to think about it, or even, you know, the DevOps person now doesn't have to deploy a whole new CI system. You know, especially if you have legacy systems with, you know, thousands... You know, I've worked at places that had tens of thousands of Jenkins builds.
C: You know, now, as opposed to saying, hey, we need to migrate those tens of thousands of Jenkins builds to a new system, even if it is a relatively straightforward process...
C: That could be mostly automated, dealing with the knock-on effects of moving that all over is always a bit of a mess. So, like, if I were to redo it again, that's, I think, how I would probably redo it, but that's just my two cents, so I would love to hear other folks' feedback, and I think Brendan Mitchell also has similar thoughts around there, with stuff like BuildKit and so on.
C: Yeah, yeah, no problem. No, I was just saying how, if I were to redo this again, I would focus more just purely on the secure build element and make that more integrated with whatever somebody's CI system is. I think the idea here is still, like, right, FRSCA could quite easily be something that somebody just sort of calls, right. Like, hey, my GitHub Action calls into a FRSCA and it runs the secure build pieces.
C: You know, the other stuff, like my QA and everything else that is hooked in through my Jenkins pipelines, yeah, that still runs through Jenkins, but the actual sort of, you know, secure elements happen within a FRSCA, I think, is still potentially, you know, there's still some value there. But I think the thing that the core piece of it is, is just people want to be able to say, hey, I just ran this step and it ran it securely. I did not have to think about how to run it securely. I...
C: Just, you know, and it plugged into my existing CI system, right. I was able to just sort of say, as opposed to saying, hey Tekton, run this build image and this build command, right, and thinking that, like, oh actually, I need to go and do this to secure it, and I need to run this, this and this, I need to run SPIRE, blah blah. I want to be able to just say, hey Tekton, can you call to the secure build piece.
C: Yeah, and I think there's some actually some interesting folks doing some work on that now, like, for example, for the Nix and NixOS stuff, there's Trustix, where they run the same Nix... they run various Nix builds across multiple implementation, well, not implementations, and that, of course, also leads to other things of, like, because it's not just about separate trust domains.
C: It's also about, like, you probably want to say, hey, I ran this one on Debian, but I ran this one on, you know, like Red Hat, or, you know, Arch, or whatever, right, like you want to have it running on multiple different distributions and multiple different things, because you want to say, like, hey, great, like, yeah, I'm running different versions of those things because they're going to come in and, you know, if it turns out, you know, Debian version blah is compromised and you've just reproducibly...
C: You know, compromised your stuff. But yeah, I think that sort of stuff, I think, is really interesting, and I know, like, this is something that I've been poking around with.
C: In my off hours, is just, the, you know, rebuilding sort of what I had built at another place, using like Rust, and just sort of saying, hey, let me create something that uses namespaces, isolates everything, right, like has a builder that, like, not just... it wouldn't run in Kubernetes. The idea would be it would just run on a VM, and, you know, the security elements there are still...
C
You
would
have
to
think
through
you.
You
still
have
to
think
through
stuff.
Like
you
know,
how
do
you
secure
the
VM
but
the,
but
the
basic
idea
right
would
be
hey
I,
deploy
out
this
super
simple
Bill,
like
this
super
simple
Builder,
that
it's
a
it's
a
system
that
only
builds
that's
all.
It
does,
and
you
just
sort
of
say,
hey
great,
like
like
just
to
kind
of
go
back
to
the
thing
I
built
previously.
C
Is
that
essentially
it
was
a
container
orchestrator
running
on
a
very
secure
server,
but
the
container
orchestrator
was
not
a
generalized
container.
Orchestrator
like
a
kubernetes
It
could
only
run
builds.
That's
it
that's
it.
It
could
run
those
three
steps
and
if
you
told
it
to
do
anything
else,
it
just
broke.
A
Yeah
I
also
looked
or
like
the
projects,
the
salsa
GitHub
generator
and
how
they've
designed
some
of
their
work
and
they've
moved
a
lot
of
that
efforts
directly
into
GitHub,
mostly
because
gaps
provided
some
Assurance
that's
there,
but
by
running
it
in
their
environment
within
VMS,
are
dedicated
to
just
things.
They're
working
within
the
pipeline.
A
G
One
of
the
recurring
themes-
and
this
is
like
sometimes
I-
feel
too
much
like
preaching
to
the
choir
in
this
group
here,
but
like
one
of
the
recurring
themes,
I'm
seeing
more
and
more
often
as
Concepts
like
attestations,
get
broader
awareness
is
a
lot
of
people
are
running
towards
some
implementation
of,
like
hey
I,
mean
I
can
call
out
specific
people
if
we
want
to,
but
I,
don't
think
I
need
to
like.
G
We
can
create
attestations
out
with
this
build
or
like
we
can
create
an
s-bomb,
but
it's
like
it's
signed,
or
it's
not
signed,
or
it's
in
a
different
format
or
here's
an
entirely
new
framework
for
attestations,
that's
different
than
everything
else
that
exists
and
there's
like
folks
in
the
internal
Community
or
the
tough
Community
like
seeing
a
lot
of
these
things
and
we're
all
running
really
fast,
which
is
great,
but
sometimes
I,
always
ask
the
question
of
like.
Are
we
Running,
With
Scissors,
in
which
case
it's
like?
G
Maybe
less
grades
and
Fresca
can
be
really
helpful
at
showing
the
importance
of
of
the
interoperability
between
these
things.
I
feel
like.
We
need
to
create
these
attestations
in
a
consistent
way.
G
We
need
some,
and
it's
also
done
a
good
job
of
picking
I
think
in
Toto
for
that
model,
helping
to
demonstrate
that
and
and
the
requirements
of
compatibility
like
if
we
decided
we
wanted
to
to
introduce
a
new
build
tool,
and
this
is
that,
like
the
like,
the
the
the
the
push
in
the
pull
between
the
ideas
of
make
all
of
the
tools
that
people
use
in
their
CI,
CD
pipelines
more
secure.
So
there's
a
lot
of
tools,
people
use
in
their
CI
CD
pipelines
or
there's
the.
G
How
do
we
wrap
all
of
this
Tooling
in
a
way
such
that
we
can
up
level
the
attestations
or
the
the
security
in
a
way
that
offers
some
guarantees?
But
you
in
that
case
you're
always
playing
to
the
lowest
common
denominator.
You
never
have
the
specific
details
and
like,
and
even
with
the
salsa
in
the
build
provenance
like
you
have
to
draw
the
line
somewhere
between
what
you
require.
G
Everyone
to
report
out
versus
the
like
here
is
a
schema
that
people
can
Implement
in
in
the
way
that
they
choose
and
and
there's
still
a
like
a
downstream
effect
of
how
secure
the
supply
chain
is
because
of
what
someone
decides
to
put
there
having
Fresca
as
a
tool
to
like
sidestep
some
of
that
debate,
but
be
able
to
demonstrate
it
I
think
is,
is
helpful
of
like
hey
you,
and
this
probably
ties
back
into
like
the
education
piece
of.
G
Not
all
attestations
are
created,
equal,
not
all
s-bombs
are
created
equal,
not
all
Supply
chains
are
are
created
equal
and
how
do
we
help
people
understand
that
and
make
the
right
decisions
and
then
I
think
correspondingly
that
can
help
push
the
other
open
source
communities
and
vendors
and
things
implementing
Solutions
in
this
space
to
be
more
consistent
to
hopefully,
collaborate
more
like
this
is
super
idealistic.
G
It's
early
in
my
day.
Look
so
I
still
believe
this
stuff
at
the
end
of
the
day,
maybe
less
so
like
we
can
move
the
whole
industry
forward
towards
towards
that.
So
not
all
verifications
are
created.
Equal
I
see
a
question
mark
I.
Don't
think
that
they
are
depends
on
what
you're
verifying.
B
C
G
No,
that's
I.
I
completely
agree,
it's
like
you
know,
even
even
if
you
are
trying
to
measure
how
secure
your
supply
chain
is,
depending
on
how
you
measure
it
you're
going
to
get
different
results.
C
So
if
I
were
to
you
know,
since
we
have
like
seven
minutes
left
for
since
we
have
like
seven
minutes
left
if
I
had
to
take
some
of
the
takeaways
from
this
was
one
was,
you
know,
Ed
the
the
the
comments
in
here
just
sort
of
add
a
couple
of
links
as
well
as
just
sort
of
maybe
have
like
a
couple
more
sentences
just
about
what
the
build
itself
is
and
why
it's
important
to
sort
of
protect
and
then
next
steps.
C
So
it
does
sound
like-
and
this
is
kind
of
I-
think
one
of
the
things
that
that
kind
of
came
out
of
our
you
know
when,
when
building
Fresca
internally,
what
was
sort
of
the
the
impetus
there
was?
Was
we,
you
know
we
pretty
much
were
given
wide
latitude
to
sort
of
say,
look
in
turn,
you
know,
there's
a
lot
of
stuff.
That's
going
on!
That's
a
huge
mess.
Can
you
show
people
like
what
is
that
that,
like
North
Star?
What
is
that?
C
What
is
like
that
that
shining
example
of
what
it
could
look
like
right?
You
know
there's
lots
of
different
ways
it
could
look
like,
but
like
could
you
just
sort
of
just
go:
go
go
wild
with
it,
so
that,
like
one
of
the
reasons
was,
was
to
also
go
back,
and
some
of
this
was
then
taken
by.
C
You
know
security
teams
to
go
back
internally
to
say:
hey,
build
team
you're
not
doing
these
things
so
you're
not
like
there's
a
lot
of
questions
about
whether
or
not
this
thing
is
going
to
be
safe
or
secure,
and
so
that
was
then
used.
As
you
know,
a
mechanism
to
then
drive
some
of
the
change
that
was
required
internally
because
we
could
go
and
say
You're
vulnerable
to
you
know
like
without
spiffy
Spire
right
I
can
go.
You
know,
you're
an
admin
on
that
kubernetes
cluster.
C
You
can
go
and
mess
with
my
build
and
there's
very
little
I
can
see
about
you
know
that
would
tell
me
that
that
was
you
know
whether
or
not
that
happened
now
to
be
clear.
C
That's
specifically
for
kubernetes-based
sort
of
you
know:
tecton
build
systems,
whether
it's
you
know,
tecton
or
or
red,
hat
pipelines
or
or
similar
is
going
to
be
a
little
bit
different
with
some
of
the
different
build
systems,
that's
kind
of
where
some
of
that
came
out,
and
then
it
was
the
implementation
of
the
cncf
secure
software
Factory
reference
architecture
which
I
helped
lead
up
there.
C
Where
hey
like
we
were
looking
at
what
what
sorts
of
things
would
you
do
if
you
were
to
do
this
in
a
cloud
native,
build
capacity
right,
you
know
we
just
want
to
kind
of
you
run
a
building
kubernetes.
What
are
the
the
the
security
properties
you
want
to
have
there,
that
sort
of
stuff
kind
of
came
together
and,
and
so
I
think
that
that's
so
I
guess
the
the
idea
here
is
like
hey,
does
Fresca
still
remain,
like
I
think
the
open
questions
are
still
does.
C
Fresca
still
remain
as
that
that
that
sort
of
shining
example
not
really
sort
of
the
thing
that
that,
like
we
don't
expect
people
to
just
sort
of
take
it
right
like
and
just
sort
of
consume
it
wholesale.
Or
do
we
want
to
kind
of
focus
more
on
some
practical
elements
there
and
actually
one
of
the
people
I
wanted
to
get
some
input
from,
because
you
know
works
at
openssf.
E
C
Is
is
Jonathan
if
he
had
thoughts
on
like?
Where
would
where?
Where
do
you
think
we
could
get
the
most
lift
from
the
community
and
and
get
the
most
feedback
back
from
potential
sort
of
users.
F
H
Feedback
is
to
go
and
implement
the
stuff
yourself
and
like
go,
try
to
apply
it
to
an
actual
project,
and
then
you
learn
all
the
pain
points.
It's
like
you
only
learn
about
how
it
actually,
like
you
know,
rubber
meets
the
road
when
you're
actually
driving
the
car.
So
you
know
like
being
willing
to
you,
know
great.
H
You
can
Implement
these
things
and
come
up
with
these
ideas
but
like
if
you
and
you
can
have
all
this
infrastructure
but
like
you,
have
to
actually
go,
throw
it
at
some
projects
and
like
realize
what
the
pain
points
are,
so
that
you
can.
You
know
you
can
say
okay,
this
doesn't
work
like
this
is
not
even
possible
to
implement
something
like
that.
There's
some
specifications
that
I've
been
working
with
the
within
the
open,
SF
and
I'm,
like
you,
there's,
no
there's!
No
and
like
you
want
this
specification
field
to
get
filled
out.
H
Because
because
every
single,
if
you're,
publishing
an
s-bomb
and
you're
doing
it
in
a
way,
that's
like
normally
publishing
a
package,
every
single
s-bomb
will
be
published
at
a
different
URL
because
it's
versioned
right
like
so.
You
can't
give
a
URL
for
give
me
where
your
s-bombs
are,
because
that
doesn't
exist.
There's
no
single
URL
for
that
right.
H
C
Yeah
so
I,
actually
that
that
kind
of
brings
me
to
another
reason
the
why
we
had
built
Fresca.
The
way
we
had
was
to
also
sort
of
highlight
the
gaps,
right
was
to
say:
hey,
actually,
there's
a
bunch
of
open
questions
around
this
thing,
and
in
fact
we
can't
you
know,
do
some
of
the
things
that
we
want
to
do
in
the
space
like
comply
with
certain.
You
know,
standards
best
practices
until
we
have
an
answer
for
that
thing.
C
You
know
because
I
think
that
that's
that's
actually
a
really
great
point
right,
where
we
have
a
good
s-bomb
distribution
story
for
oci,
because
it's
just
simple
to
keep
it
inside
the
same
repo
that
we
keep
the
images
and
with
the
Manifest
and
everything
else
stuff
that
that
is.
Has
it
fully
been
released
yet
or
still
still,
but
anyway,
I
think
that
sort
of
stuff
it
has
been
also
super
valuable,
so
anyway,
I
I
will
I
know
we're
at
time.
C
So
I
will
finish
up
this
document.
I'm
gonna
probably
start
poking
folks
within
Fresca
chat
to
see
if
they
can
maybe
help
out
with
a
couple
of
things
here
and
there
provide
some
feedback
and
and
so
on.