►
B
B
C
B
F
C
Okay,
so
I
rewrote
the
document.
It's
now
about
two
pages,
long,
more
or
less.
You
know
the
intro
two
paragraphs
here
are
just
an
introduction
to
the
why
we
built
Fresca.
So
a
lot
of
it
comes
down
to
you
know
there
was
a
lot
of
stuff
coming
out
about
supply
chain.
You
know
software
supply
chain
security.
You
know
about
two
years
ago
things
were,
you
know
we
had
the
solarwind
Sunburst
attack.
C
Cicd
systems
were
more
or
less
just
open
and
developers
could
just
run
whatever,
and
as
long
as
they
compiled,
that
sort
of
thing
would
go
into
production
and
people
were
saying-
hey.
That's
that's,
probably
not
not
a
a
great
idea,
especially
given
that
a
lot
of
these
systems.
You
know
it
was
very
easy
to
reveal
the
secret
keys
that
were
used
for
signing
and
all
that
that
good
stuff,
you
know,
then
the
second
paragraph
just
sort
of
says
Hey.
So
that's
why
we
built
Fresca.
C
C
You
know
like
spire
and
tecton,
and
and
all
these
other
things
that
that
could
make
a
secure
build
and
there
were
like
a
lot
of
demos
around
it,
but
nothing
that
really
sort
of
tied
all
those
pieces
together
and
so
Fresca
sort
of
emerged
out
of
that
of
hey.
Why
don't
we
actually
start
to
tie
all
those
pieces
together
into
one
more
like
cohesive
system,
so
that
you
know,
for
example,
right?
C
You
know
we
use
tecton
with
spiffy
Spire
in
order
to
we
use
tecton
with
spiffy
Spire
in
in
order
to
you
know,
apply
spiffy
workload,
identities
to
what's
actually
hap.
You
know
the
bills
that
are
actually
happening
within
tecton,
which
means
that
if
an
administrator
of
the
you
know
the
kubernetes
cluster,
that
tecton's
running
in
messes
with
some
of
the
jobs
or
something
else,
methods
with
some
of
the
jobs
that
are
running
you
know,
spiffy,
the
spiffy
identities
would
no
longer
be
valid.
C
Folks,
like
B,
Mitch
and
and
parth
know
a
lot
more
about
like
the
details,
exactly
how
that
works.
But
but
generally
you
know
those
workload
identities.
You
know
we
get
the
we
get
protection
against
stuff,
like
jobs,
trying
to
mess
with
other
jobs
because
of
you
know,
permissions
whatever
or
or
administrators
of
the
cluster,
or
you
know,
admins
of
like
Fresca
itself,
from
being
able
to
mess
with
jobs
that
are
running
within
Fresca
the
goal
of
Fresca.
C
C
C
C
We
want
to
you
know,
leverage
existing
tools
and
components,
and
then
we
want
to
have
Securities
enforced
by
Design
as
opposed
to
sort
of
opt-in,
which
is
the
way
that
it
works
with
a
lot
of
the
the
existing
systems
is,
it
was
very
much
an
opt-in.
Like
you
turn
on
this
security
scan.
You
turn
on
the
security
feature
you
you
know
as
opposed
to
the
goal.
You
know.
C
One
of
the
ideas
behind
Fresco
was
that
it
it's
there
to
it's
there
by
default
right,
and
so
it
does
this
by
being
primarily
two
things
right.
A
suite
of
build
pipeline
like
a
bunch
of
different
tools
that
are
configured
to
operate
securely
and
then
actually
probably
add
in
there
operate
securely
and
run,
builds
securely
right
and
then
it's
a
set
of
build
pipeline,
abstractions
and
definitions
with
security
guard
rails.
Ensuring
old,
builds,
follow
supply,
chain
security,
best
practices
right.
So
the
abstraction
here
is
hey.
C
I
have
a
go,
build
great,
you
have
a
go
build,
but
that
go.
Build
itself
consists
of
this.
You
know
a
go
security,
linting
staff,
a
a
you
know,
a
go
generate,
s-bomb,
step
and
and
so
on
right
and
what
is
Fresca
today.
So
Fresca
is
a
bunch
of
different
components.
Right,
like
it's
tecton
tecton
chains,
buyer
keeperno,
six-door,
Vault,
insert
manager
as
long
as
as
well
as
some
Q
code
that
helps
wrap
the
pieces
together.
C
This
allows
it
to
be
compliant
with
you
know:
salsa
and
the
cncf,
secure
software
Factory
reference
architecture,
and
then
tomorrow
you
know
the.
What
could
you
know
for
us
could
be
right?
Well,
Fresca,
you
know,
could
have
an
easier
deployment.
Fresco
could
have
a
better
pipeline
extractions.
Press
kit
could
have
us,
you
know
a
Fresca
CLI
tool.
That
makes
a
lot
of
this
sort
of
stuff
easier
to
do,
and
so
then
you
know
the
rest
is
just
kind
of
like
a
call
to
action,
just
sort
of
saying
hey.
Who
do
we
need?
C
Well,
we
mostly
need
two.
Two
main
two
sets
of
folks
like
one
is
Hands-On
keyboard
Engineers,
who
can
help
contribute
to
the
features
and
functionality
of
you
know,
Fresca
and
then
the
other
one
is
end
users
for
for
their
use,
cases
which
that
I
think
is
probably
maybe
the
more
important
one
to
sort
of
talk
through
here.
But
the
basic
idea
right
is,
we
kind
of
have
a
a
bit
of
a
a
scenario
where
you
know
when
talking
to
some
end
users.
They
have
found
value
in
Fresca.
C
That
seems
a
little
less
likely
at
this
point,
and
so
the
idea
is
like
we
need
to
just
kind
of
get
more
use
cases
from
folks
to
understand
like
hey.
What
are
the
concerns
that
they
have
with
their
build,
or
do
they
not
have
concerns
with
their
build
and
and
their
comfortable
sort
of
running?
You
know
Jenkins,
because
I
know,
one
of
the
things
in
some
of
the
conversations
I've
had
is
largely,
even
though
folks
do
think
that
build
security
is
important.
C
They
don't
believe
build
security
to
be
important
enough
to
really
make
the
changes
that
would
be
required
to
have
to
have
secure
bills
right-
and
this
includes
you
know
these.
This
is
also
some
of
the
feedback
folks
have
given
on
Fresca
is
just
hey.
It's
great
that
that
we
want
to
build
more
securely.
I,
don't
have
the
the
budget
to
do
so
so
anyway,
I
think
that's
kind
of
that.
That's
really
about
it.
There
I
just
wanted
to
kind
of
go
over
it.
One.
Last
time.
G
Awesome
I,
I,
love,
I,
love,
the
updates,
I
love
the
like
the
structure
and
the
flow
of
it.
Now
it's
it
got
me
thinking
about
a
couple
of
things
that
I
don't
I,
don't
know
that
they're
necessarily
it's
always
hard
with
things
like
this
right.
It's
like
you,
start
pulling
on
the
string
and
it's
like
a
tangled
mess
of
spaghetti
of
like
there's
so
much
more.
G
But
let
me
just
say
what
I'm
trying
to
say
the
the
Community
aspect
of
this
is
one
that
I
hadn't
thought
about
as
much
before
and
the
the
idea
of
like
what
Fresca
is
trying
to
achieve
or
I
think
was
it
like
when
we
start
talking
about
like
helping
people,
understand,
supply
chain,
security
and
learning
and
having
an
example
and
practicing
like
there's
a
lot
more.
We
could
do
in
that
space
without
changing
anything
about
Fresca
today,
like
just
using
Fresco.
G
Just
building
out
more
examples
and
I
think
that
that
is
like
a
really
big
opportunity
and
it's
a
slightly
different
type
of
opportunity
like
we
could.
We
can
solicit
different
people
to
come
and
contribute
to
that
like
I.
Look
at
just
as
an
example
chain,
Guard
Academy
right,
like
they
have
a
huge
library
of
things
for
people
to
help
like
learn
about
supply,
chain,
security
and
I.
G
Think
that
when
I
look
at
openssf-
and
this
is
kind
of
like
like
a
supply
chain-
Integrity
positioning
thought
process,
I'm
I'm
having
right
now,
which
is
which
is
the
like,
there's
so
many
Deep
In
The,
Weeds
working
groups
and
parts
of
this
of
life.
You
want
to
know
every
little
detail
of
salsa
and
you
want
to
help
design
and
build
the
next
version
of
the
spec.
That's
awesome!
You
should
absolutely
join
the
self-suspect
meeting
or
the
s2c2f
like
you're,
really
interested
in
how
to
secure
the
consume
open
source.
G
But
then
there's
like
there's
still.
A
lot
of
people
went
through
like
how
do
I
secure
software
supply
chain,
they're,
like
they
don't
even
know
or
to
Michael,
like
I
I
use
my
little
Psalm
Emoji.
We
think
it's
too
expensive
to
implement
a
secure
software
supply
chain
like
that.
Just
makes
me
cry
like
it
makes
me
so
sad
that
that
people-
people
like
put
that
second
so
like,
can
we
or
is
there
interest
in
building
a
community
around
secure
software
supply,
chain
practices
and
principles?
G
G
C
So
so
you
know
that
was
kind
of
one
of
the
reasons
for
you
know,
Fresca,
that
that
was
one
of
the
reasons
why
there
was
interest
in
Fresco
when
we
had
originally
contributed
right.
You
know
when
City
had
contributed
it
to
to
open.
Ssf
was
openssf
had
a
lot
of
stuff
like
salsa
and
and
some
of
these
other
like
things
around,
you
know,
security.
C
You
know,
supply
chain,
compromise
and
best
practices
and
those
sorts
of
things,
and
so
the
idea
was
Fresca
could
be
an
implementation
of
these
various
practices
and
and
to
be
clear,
I
think
this
is
still
an
indicator
of
other
concerns
that
that
we
have
as
well,
which
is
and
I
don't
want
to
be
all
Doom
and
Gloom
by
any
mean
I,
just
think
that
as
a
as
a
community,
we
just
need
to
do
a
better
job.
Is
a
lot
of
folks
are
like
hey
yep,
you
know,
there's
a
lot
of
best
practices.
C
I
must
be
doing
all
these
different
things,
but
if
you
talk
about
you
know
to
to
the
average
person-
and
you
say:
hey
I'm
already
thinking
about
SQL
injections,
I'm
already
thinking
about
all
these
different
things
and
now
you're
saying
I
need
to
think
about
the
secure
build.
You
know,
that's
not
going
to
happen.
C
So
that's
kind
of
I
think
the
the
thing
that's
sort
of
coming
out
of
a
lot
of
it,
which
is
just
it's
less
about
the
the
best
practices
and
it's
more
about.
How
do
you
make
those
best
practices,
just
something
that
the
other
person
doesn't
have
to
think
about
right?
You
know
the
idea
right
behind
something
like
a
Fresca
is
Fresca
is
just
you
just
say:
hey
I'm
a
go
build
and
we
just
build
it
securely.
We
get
your
gear
I
spawn.
C
D
So
I
had
a
different
comment,
which
is
you
know,
I
think
I
I
think
the
paper
looks
good
I
mean
overall
I
think
it.
It
covers
what
you
you
want,
and
so
you
know
I
think
that's
pretty
good.
The
the
the
the
the
comment
I
have
is
I
think
you
need
to
add
a
few
more
links.
It's
pretty
basic,
but
you
know
you
can't
expect
people
to
know
similarity
with
s2c2f
or
even
South.
D
Side
is
and
I
think
when
you
talk
about
the
build
part,
which
is
what
Fresca
is
is
focusing
on,
it
would
be
useful
to
refer
to
maybe
what's
in
salsa,
you
know
the
threat
model
with
the
pipeline
so
that
people
can
see
what
peace
you're
talking
about
in
the
supply
chain.
You
know
again,
if
we
are
talking
about
people
like
John
was
referring
to
where
you
know
they're,
not
necessarily
completely.
You
know,
embedded
into
this
as
we
are
and
they've
heard
about
supply,
chain
security
and
they're
like
okay.
D
D
C
E
E
C
E
C
C
D
Unfortunately,
that's
a
common
problem
that
you
find
in
the
course
you
know
a
lot
of
Open
Source
projects
that
are
looking
for
more
help.
There
is
no
magic
bullet,
I
think
he
you
know,
generally
speaking,
is
making
sure
people
know
about
it
and
that
you're
looking
for
help
and
I
think
as
you
get
more
users,
there's
a
at
least
a
portion
of
those
you
know
of
the
users
that
there
will
be
that
we
love
some
desires
that
are
not
met
and
maybe
they'll
be
able
to.
D
C
Well,
yeah
I
mean
I
think
that
still
ties
back
into
the
like
hey.
What
do
we
see?
I'm,
sorry,
Fresca,
being
right
and-
and
this
is
you
know
stuff-
that,
like
I
agree
with
with
what
Jonathan's
comments
that
he
made
was
it
yesterday
at
was
that
salsa?
But
one
of
the
meetings
there's
also
positioning
meeting
I
believe
which
is
just
you
know,
I
know,
there's
some
disagreement.
C
I
know
that
there's
some
folks
right,
like
there's
the
thing
I
noticed
about
Fresca
is
Fresca
seems
to
be
popular
as
a
learning
tool
among
large
Enterprises,
because
a
lot
of
large
Enterprises
say
hey
like
I'm
on
Jenkins,
but
I
know:
I
need
to
move
off
of
it
because
of
this
out
of
the
other
thing
or
I.
I'm
already
have
a
tecton,
but
I
have
no
idea
how
I'm
supposed
to
secure
it.
Oh
cool
I
can
look
at
some
of
this
stuff
and
hey
you're
using
kiverno,
but
I
could
probably
have
my
folks.
C
You
know
look
at
OPA
instead
of
right.
You
know
or
you're
looking
at
spiffy
Spire
I
can't
get
that
installed,
but
maybe
I
can
do
this
this
and
this
as
mitigating
controls
against
that
that
sort
of
process,
and
that
has
proven
to
be
valuable
for
some
folks
but
kind
of
moving
forward.
Like
hey,
is
there
what?
What
can
you
know?
What
do
I
think
the
thing
that
I'm
still
trying
to
kind
of
go
through
is
you
know
before
we
even
kind
of
get
contributions
like
hey
who's
using
Fresca
or
who?
C
C
C
You
know
like
I
I,
my
build
container
didn't
contain.
You
know
a
you
know,
vulnerabilities
that
my
you
know.
I
ran
my
build
like
I
want
to
run,
hermetic
builds,
but
I
don't
want
to
have
to
you
know,
do
a
ton
of
work
and
effort
to
to
make
that
hermetic
and
I
want
to
do
this.
That
and
the
other
thing
to
secure
those
things
and
like
you,
don't
necessarily
need
tecton
for
that
right.
You
just
need
to
have
do
a
whole
bunch
of
magic
with
stuff.
C
Like
you
know,
you
know,
I
mean
I,
remember
back
in
the
day
right
using
BSD
jails
and
those
sorts
of
things
of
why
you
would
you
know,
do
some
of
that
stuff.
But
you
know
some
folks
have
talked
about
that.
Some
folks
have
said:
hey.
You
know
we'd
love
to
see
Fresca
extend
into
other
parts
and
just
be
a
representative
example,
but
once
again,
I
think
I
I
would
love
to
hear
from
from
actual
potential
end
users
of
of
Fresca
or
or
what
they
would
love
to
see
from
from
Fresca.
G
G
But
if
nothing
else
we
could
like,
we
could
sit
down
and
try
and
like
interview
people
or
like
just
try
and
like
bring
it
up
with
everybody
and
be
those
I
I,
don't
feel
bad
about
doing
it
for
an
open
source
project.
I
feel
really
obnoxious.
If
I
was
like
pitching
my
proprietary
vendor
vendor
product
to
everybody
but,
like
you
know,
taking
Fresca
and
basically
just
pitching
it
to
yeah
like
because
I
definitely
hear
hear
your
point.
G
You
also
said
like
I
I
have
personally
I
will
admit:
I
have
not
opened
any
issues
or
submitted
any
code
to
Fresca
I've
I've
run
some
of
the
samples
and
demos
and
things
like
that.
But
I
think
that's
that's
the
direction
I'm
interested
in
separate
from
that
there
is
I've
been
spending
in
some
groups.
Internally
have
been
spending
some
time.
G
So
sign
me
up
and
also
the
other
thing
Michael
I'm
curious
for
for
your
perspective,
of
like
I
I
know
you
are.
You
have
a
lot
of
other
stuff
going
on
like
if
you
need
help
facilitating
this
meeting,
or
anything
else
like
I
can
help
with
that,
as
well,
too,
of
like
just
trying
to
help
keep
beating
the
drum
until
we
can
try
and
like
Drive
some,
hopefully,
some
some
organic
adoption
of
these
things.
D
G
G
C
Yeah
I
think
that's
useful
and
and
I
see
actually
rule
has
some
pretty
good
feedback
in
in
the
chat
as
well.
Around
sort
of
saying,
you
know,
I
think
I
think
that's
a
thing
that
you
know
so.
There's
two
separate
problems:
I
think
maybe
the
audience
within
here
has
been
very
focused
on
sort
of
thinking
about
it,
as
developers
and
and
I.
Think.
A
lot
of
it
is
because
openness
and
I
think
John
you
had
mentioned.
C
You
know
we
should
probably
talk
at
like
a
devops
day
or
something
like
that,
because
there's
going
to
be
a
set
of
folks
who
they
are
responsible
for
and
Enterprises
CI
CD
right,
you
know
they.
You
know
you
usually
don't
see
development
teams,
spinning
up
their
own
Jenkins
they're,
required
to
write
a
Jenkins
file
or
something
like
that,
but
they're
not
spinning
up
their
own
Jenkins.
C
They
might
need
to
write
like
their
own
GitHub
action
or
whatever,
but
they're
not
like
deploying
out
the
GitHub
themselves
and
and
so
on
and
I
think
that
sort
of
thing
you
know
finding
that
audience
as
well
is
going
to
be
useful
because
for
a
lot
of
those
folks
I
know
like
you
know,
and
a
lot
of
this
is
is
coming
from
my
biases,
having
lived
in
mostly
the
devops
workspace.
Most
of
my
career
is,
you
know.
C
Most
of
my
time
was
spent
with
stuff,
like
you
know,
puppet
and
Chef
and
ansible
and
terraform,
and
those
sorts
of
things
and
like
trying
to
make
sure
that
I
could
deploy
out.
You
know
tools
that
that
developers
would
then
use
to
run
CI
CD,
so
you
know
stuff
like
Jenkins
and
and
and
things
like
that,
and
then
also
configuring
Jenkins
to
be
secure
and
and
and
doing
all
that
work
and
I
know
like
if
I
had
something
like
Fresca
back
in
the
day.
C
C
You
know
I've
worked
at
places
that
have
had
to
you
know
they
manually
audit.
All
the
images
used
in
their
builds
like
every
you
know,
month
to
say,
hey.
You
got
to
update
that
right,
whereas
the
idea
behind
Fresca
right
is:
oh,
okay,
cool,
you
just
sort
of
add
some
of
that
into
policy,
and
it
goes
away
right.
Like
you
add
some
of
that
into
policy,
and
it
goes
oh
yeah,
you
can't
run
this
build
anymore.
C
You
know
because
you're
using
an
older
version
of
this,
this
build
tool
and
the
idea
would
be
Fresca
could
automatically
update
it
or
you
know
in
cases
where
it
can't.
You
know
it
would
just
tell
you
hey
this.
This
needs
to
be
updated,
or
this
needs
to
be
fixed
to
something
else,
and
so
the
idea
was
to
try
and
make
it
super
simple
for,
for
you
know,
developers
and
to
to
use
as
well
as
make
it
easier
for
devops
to
sort
of
build
and
operate
or
Implement
and
operate.
C
And
then
to
the
other
thing
you
had
mentioned,
yeah
I
think
it
still
would
be
useful
to
just
really
kind
of
dive
in
and
figure
out.
You
know
like
if
we
were
to
rebuild
this
again.
I
would
probably
have
taken
a
bit
of
a
different
direction
to
kind
of
Echo
a
little
bit
of
like
I.
Think
Fresca
itself
is
still
important.
I.
Just
think
that
one
of
the
things
is
perhaps
Fresca
is
a
solution
for
people.
It's
it's
a
solution.
C
That's
like
the
one
person
who
had
spoken
to
us
about
this
had
described
it
as
Fresca.
Is
the
concept
car
right?
It's
it.
You
know,
there's
a
ton
of
features
on
it
that
eventually
will
end
up
in
other
systems
further
down
the
line,
but
you
don't
have
many
people
buying
the
concept
car
right
you,
you
know
a
couple
of
the
things
might
end
up
in
something
like
a
Supercar
or
whatever
and
you're
gonna
have
a
handful
of
folks
who
want
that.
C
C
In
my
you
know,
my
existing
workflow
or
I
want
it
to
be
straightforward
and
simple
enough
that
I'm
not
Reinventing
the
my
entire
world
to
adopt
this,
this
random
thing,
whereas,
and
so
if
I
were
to
redo
it
again,
my
two
cents
is
I
would
focus
purely
on
the
build
piece
for
a
bit
right
and
say:
hey,
look,
there's
a
lot
of
steps
you
can
do.
Those
steps
are
going
to
be
potentially
insecure,
but
you
might
not
necessarily
care
right,
you
might
say,
hey
the
thing
that
generates
the
s-bomb.
C
The
compilation
step
the
step
that
takes
a
bunch
of
code
and
transforms
it
into
a
binary
package
that
I
want
to
make
sure,
is
super
secure
and
maybe
focus
more
on
something
that
could
integrate
with
Jenkins
and
all
these
other
tools
would
be
where
you
would
want
to
do
that,
and
so,
like
I
can
say,
like
literally
what
I
had
done
at
a
previous
job
was
I
built
a
a
build
system
that
could
only
run
three
things
right.
Oh
so
it
only
ran
a
build.
C
You
know
everything
was
super
isolated.
We
had
tons
of
network
controls
yayada,
and
so,
if
you
could
I
think
from
what
people
have
said
is
if
you
could
package
that
up
and
just
sort
of
say,
I
give
you
go
code
and
the
output
is
secure.
Go
you
know
as
a
secure
go
binary
that
that
would
be
great.
That
seems
to
be
the
thing
that
that
folks
say,
and
then
they
say
like
I,
would
love
to
be
able
to
do
that.
C
You
know
from
from
you
know
the
developer,
who
doesn't
have
to
think
about
it,
or
even
you
know,
you
know,
the
devops
person
now
doesn't
have
to
deploy
a
whole
new
CI
system.
You
know,
especially
if
you
have
Legacy
systems
with
you
know
thousands.
You
know.
I've
worked
at
places
that
had
tens
of
thousands
of
Jenkins
builds.
C
C
That
could
be
mostly
automated
dealing
with
the
the
knock-on
effects
of
moving
that
all
over
is
is
always
a
is
a
is
always
a
bit
of
a
mess
so
I
like
if
I
were
to
redo
it
again,
that's
I
think
how
I
would
probably
redo
it,
but
but
that's
just
my
my
two
cents,
so
I
would
love
to
hear
other
folks
feedback
and
I.
Think
Brendan
Mitchell
also
has
similar
thoughts
around
there
with
stuff
like
build
kit
and
and
so
on.
A
C
Yeah
yeah
no
problem
no
I
was
just
saying
like
I
was
just
saying
how
if
I
were
to
redo
this
again,
I
would
focus
more
just
purely
on
the
secure
build
element
and
make
that
more
integrated
with
whatever
somebody's
CI
system
is
I.
Think
the
the
idea
here
is
still
like
right.
Fresca
could
quite
easily
be
something
that
somebody
just
sort
of
calls
right.
Like
hey.
My
GitHub
action
calls
into
my
into
a
Fresca
and
it
runs
the
secure
builds
pieces.
C
You
know
the
other
stuff,
like
my
QA
and
everything
else
that
is
hooked
in
through
my
Jenkins
pipelines,
yeah
that
still
runs
through
Jenkins,
but
but
the
actual
sort
of
you
know
secure
elements
happen
within
us,
presca
I
think
is
still
potentially
you
know,
there's
still
some
value
there,
but
I
think
the
thing
that
that
the
core
piece
of
it
is
just
people
want
to
be
able
to
say:
hey,
I
just
ran
this
step
and
it
ran
it
securely.
I
did
not
have
to
think
about
how
to
run
it
securely
I.
C
Just
you
know,
and
it
plugged
into
my
existing
CI
system
right
I
was
able
to
just
sort
of
say,
as
opposed
to
saying,
hey
tecton
run
this
build
image,
and
this
build
command
right
and
thinking
that,
like,
oh
actually,
I
need
to
go
and
do
this
to
secure
it
and
I
need
to
run
this.
This
and
this
I
need
to
run
Spire
blah
blah
I
want
to
be
able
to
just
say,
hey
tecton,
can
you
call
to
the
secure,
build
piece.
A
C
Yeah
and
I
think
there's
there's
some
actually
some
interesting
folks
doing
some
work
on
that
now,
like,
for
example,
for
the
Knicks
and
Nyx
OS
stuff,
there's
trustex,
where
they
run
the
same
Nicks
they
run.
Various
Nix
builds
across
multiple
implementation,
well,
not
implementations,
and
that,
of
course
also
leads
to
other
things
of
like
because
it's
not
just
about
separate
trust
domains.
C
In
my
off
hours
is
just
the
you
know,
rebuilding
sort
of
what
I
had
built
at
another
place,
using
like
rust
and
just
sort
of
saying,
hey.
Let
me
create
something
that
uses
namespaces
isolates
everything
right
like
has
a
builder
that,
like
not
just
it
wouldn't
run
in
kubernetes.
The
idea
would
be
would
just
run
on
a
VM,
and
you
know
you
know
the
the
security
elements
there
are
still.
C
You
would
have
to
think
through
you.
You
still
have
to
think
through
stuff.
Like
you
know,
how
do
you
secure
the
VM
but
the,
but
the
basic
idea
right
would
be
hey
I,
deploy
out
this
super
simple
Bill,
like
this
super
simple
Builder,
that
it's
a
it's
a
system
that
only
builds
that's
all.
It
does,
and
you
just
sort
of
say,
hey
great,
like
like
just
to
kind
of
go
back
to
the
thing
I
built
previously.
C
Is
that
essentially
it
was
a
container
orchestrator
running
on
a
very
secure
server,
but
the
container
orchestrator
was
not
a
generalized
container.
Orchestrator
like
a
kubernetes
It
could
only
run
builds.
That's
it
that's
it.
It
could
run
those
three
steps
and
if
you
told
it
to
do
anything
else,
it
just
broke.
A
Yeah
I
also
looked
or
like
the
projects,
the
salsa
GitHub
generator
and
how
they've
designed
some
of
their
work
and
they've
moved
a
lot
of
that
efforts
directly
into
GitHub,
mostly
because
gaps
provided
some
Assurance
that's
there,
but
by
running
it
in
their
environment
within
VMS,
are
dedicated
to
just
things.
They're
working
within
the
pipeline.
G
We
can
create
attestations
out
with
this
build
or
like
we
can
create
an
s-bomb,
but
it's
like
it's
signed,
or
it's
not
signed,
or
it's
in
a
different
format
or
here's
an
entirely
new
framework
for
attestations,
that's
different
than
everything
else
that
exists
and
there's
like
folks
in
the
internal
Community
or
the
tough
Community
like
seeing
a
lot
of
these
things
and
we're
all
running
really
fast,
which
is
great,
but
sometimes
I,
always
ask
the
question
of
like.
Are
we
Running,
With
Scissors,
in
which
case
it's
like?
G
G
We
need
some,
and
it's
also
done
a
good
job
of
picking
I
think
in
Toto
for
that
model,
helping
to
demonstrate
that
and
and
the
requirements
of
compatibility
like
if
we
decided
we
wanted
to
to
introduce
a
new
build
tool,
and
this
is
that,
like
the
like,
the
the
the
the
push
in
the
pull
between
the
ideas
of
make
all
of
the
tools
that
people
use
in
their
CI,
CD
pipelines
more
secure.
So
there's
a
lot
of
tools,
people
use
in
their
CI
CD
pipelines
or
there's
the.
G
How
do
we
wrap
all
of
this
Tooling
in
a
way
such
that
we
can
up
level
the
attestations
or
the
the
security
in
a
way
that
offers
some
guarantees?
But
you
in
that
case
you're
always
playing
to
the
lowest
common
denominator.
You
never
have
the
specific
details
and
like,
and
even
with
the
salsa
in
the
build
provenance
like
you
have
to
draw
the
line
somewhere
between
what
you
require.
G
B
C
G
C
So
it
does
sound
like-
and
this
is
kind
of
I-
think
one
of
the
things
that
that
kind
of
came
out
of
our
you
know
when,
when
building
Fresca
internally,
what
was
sort
of
the
the
impetus
there
was?
Was
we,
you
know
we
pretty
much
were
given
wide
latitude
to
sort
of
say,
look
in
turn,
you
know,
there's
a
lot
of
stuff.
That's
going
on!
That's
a
huge
mess.
Can
you
show
people
like
what
is
that
that,
like
North
Star?
What
is
that?
C
C
You
know
security
teams
to
go
back
internally
to
say:
hey,
build
team
you're
not
doing
these
things
so
you're
not
like
there's
a
lot
of
questions
about
whether
or
not
this
thing
is
going
to
be
safe
or
secure,
and
so
that
was
then
used.
As
you
know,
a
mechanism
to
then
drive
some
of
the
change
that
was
required
internally
because
we
could
go
and
say
You're
vulnerable
to
you
know
like
without
spiffy
Spire
right
I
can
go.
You
know,
you're
an
admin
on
that
kubernetes
cluster.
C
Where
hey
like
we
were
looking
at
what
what
sorts
of
things
would
you
do
if
you
were
to
do
this
in
a
cloud
native,
build
capacity
right,
you
know
we
just
want
to
kind
of
you
run
a
building
kubernetes.
What
are
the
the
the
security
properties
you
want
to
have
there,
that
sort
of
stuff
kind
of
came
together
and,
and
so
I
think
that
that's
so
I
guess
the
the
idea
here
is
like
hey,
does
Fresca
still
remain,
like
I
think
the
open
questions
are
still
does.
C
Fresca
still
remain
as
that
that
that
sort
of
shining
example
not
really
sort
of
the
thing
that
that,
like
we
don't
expect
people
to
just
sort
of
take
it
right
like
and
just
sort
of
consume
it
wholesale.
Or
do
we
want
to
kind
of
focus
more
on
some
practical
elements
there
and
actually
one
of
the
people
I
wanted
to
get
some
input
from,
because
you
know
works
at
openssf.
E
C
H
H
Feedback
is
to
go
and
implement
the
stuff
yourself
and
like
go,
try
to
apply
it
to
an
actual
project,
and
then
you
learn
all
the
pain
points.
It's
like
you
only
learn
about
how
it
actually,
like
you
know,
rubber
meets
the
road
when
you're
actually
driving
the
car.
So
you
know
like
being
willing
to
you,
know
great.
H
You
can
Implement
these
things
and
come
up
with
these
ideas
but
like
if
you
and
you
can
have
all
this
infrastructure
but
like
you,
have
to
actually
go,
throw
it
at
some
projects
and
like
realize
what
the
pain
points
are,
so
that
you
can.
You
know
you
can
say
okay,
this
doesn't
work
like
this
is
not
even
possible
to
implement
something
like
that.
There's
some
specifications
that
I've
been
working
with
the
within
the
open,
SF
and
I'm,
like
you,
there's,
no
there's!
No
and
like
you
want
this
specification
field
to
get
filled
out.
H
Because
because
every
single,
if
you're,
publishing
an
s-bomb
and
you're
doing
it
in
a
way,
that's
like
normally
publishing
a
package,
every
single
s-bomb
will
be
published
at
a
different
URL
because
it's
versioned
right
like
so.
You
can't
give
a
URL
for
give
me
where
your
s-bombs
are,
because
that
doesn't
exist.
There's
no
single
URL
for
that
right.
H
C
Yeah
so
I,
actually
that
that
kind
of
brings
me
to
another
reason
the
why
we
had
built
Fresca.
The
way
we
had
was
to
also
sort
of
highlight
the
gaps,
right
was
to
say:
hey,
actually,
there's
a
bunch
of
open
questions
around
this
thing,
and
in
fact
we
can't
you
know,
do
some
of
the
things
that
we
want
to
do
in
the
space
like
comply
with
certain.
You
know,
standards
best
practices
until
we
have
an
answer
for
that
thing.
C
You
know
because
I
think
that
that's
that's
actually
a
really
great
point
right,
where
we
have
a
good
s-bomb
distribution
story
for
oci,
because
it's
just
simple
to
keep
it
inside
the
same
repo
that
we
keep
the
images
and
with
the
Manifest
and
everything
else
stuff
that
that
is.
Has
it
fully
been
released
yet
or
still
still,
but
anyway,
I
think
that
sort
of
stuff
it
has
been
also
super
valuable,
so
anyway,
I
I
will
I
know
we're
at
time.