►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
B
30
to
like
10
p.m,
one
day,
but
not
all
of
it
was
the
the
workshop
like
the
last
like
you
know,
between
like
six
and
ten
p.m
was
like
dinner
and
and
but
we
were
still
chatting
over,
like
you
know,
a
lot
of
stuff,
so
that
was
one
day
and
then
the
next
day
it
was
like
10
a.m.
To
what
was
it?
It
was
still
like:
10
10
a.m,
to
like
6
p.m,
or
so
that's.
B
C
Yeah
and
while
we're
waiting
some
more
for
some
more
folks
feel
free
to
add
your.
D
A
All
right
for
folks
who
are
joining
now
just
feel
free
to
put
attendance
in
a
meeting.
B
All
right,
we
can
sort.
C
Of
just
a
reminder,
one
more
time,
if
folks
best
folks
for
joining
in
feel.
C
Here
and
let
me
also
make
sure
I
have
the
Fresco.
A
Pipeline
Library,
stuff,
open.
C
B
So
we
can
get
started
so
just
as
a
reminder
to
folks.
This
meeting
is
being
recorded,
it'll
be
uploaded
to
YouTube.
Shortly
after
and
also
your
participation
in
this
meeting
is
an
agreement
to
abide
by
the
open,
ssf
code.
C
Agenda
is
there
anybody
who
is
new
to.
F
I
could
start.
This
is
my
first
meeting
so
hey
I'm,
Zach,
zacchianish,
I'm
part
of
IBM
working
with
Brandon
on
the
city
project
and
see
some
other
city
folks
on
here
as
well,
so
nice
to
meet
you
nice
to.
A
All
right,
so
we
can
get
into
it.
B
So
I
know
there's
been
you
know
between
like
I
guess,
beginning
of
December
till
now,
there's
been
a
lot
of
different.
You
know,
planning
meetings
and
yeah
yeah
that
folks
have
been
sort
of
pulled
into
so
I
know.
We
haven't
had
too
much
regular
attendance
to
this
meeting
but
hoping
moving
forward.
We
can.
We
can
do
that,
so
the
agenda
item
I
have
for
this
week,
but
also
open
to
other
agenda
items.
B
If
folks
have
anything
is
kind
of
talking
over
a
little
bit
of
the
high
level
2023
roadmap
items
that
we
wanted
to
sort
of
focus
on,
and
some
of
this
is
is
in
line.
C
With
with,
with.
B
Like
the
Sterling
tool
chain,
integration
coming
from
the
governing
board-
and
actually
some
of
the
folks
over
at
City
might
have
some
more
Insight
onto
some
of
that,
because
I
know
that
John
is,
is
heavily
invested
in
the
Sterling
tool
chain.
Stuff!
That's
coming
out
of
openssf
cool!
So
before
getting
into
like
details
on
the
roadmap,
does
anybody
have
any
sort
of
General
questions
comments?
Anything
like
that.
G
G
G
A
G
B
Hey,
that's
something
that
we're
looking
to
actually
catch
the
stuff
like
walk
is
to
say:
hey
somebody
updated
a
release
without
actually
updating
the
version
number
or
the
hash.
You
know
or-
or
you
know,
yeah
pretty
much
that
sort
of
thing,
because
it
is
quite
annoying
cool,
yeah
yeah
that
that
sounds
good
and
actually
one
of
the
I
know.
B
One
of
the
ticket
items
we
have
is
well
not
quite
that,
but
related,
which
is
one
of
the
things
I
think
we
would
like
to
see
for
2023
is
a
is
a
better
way
of
updating
the
hashes
of
images
as
things
get
updated
for,
like
pipelines
and
for
tasks
and
so
on.
I
know
that
doesn't
really
affect
this
thing,
because
this
was
sort
of
a
version
like
the
the
hash
change
without
the
version
actually
changing.
B
Is
gonna
do
so
the
other
big
one
actually
before
getting
into
pipeline
framework
and
Library,
which
I
think
is
going
to
be?
The
big
ticket
item
I
wanted
to
talk
briefly
a
bit
about
some
of
the
talks
and
the
Sterling
tool
chain
stuff
for
folks
who
are
maybe
not
super
familiar.
B
So
salsa
is
looking
to
give
a
couple
of
talks
and
they're
viewing
sort
of
Fresca,
given
that's
part
of
the
supply
chain,
Integrity
working
group,
as
kind
of
like
a
a
sort
of
key
piece
of
of
some
of
that
so
they're
looking
to
give
some
talk
to
open
source,
Summit
and
some
other
places
soon
like
something
like
because
there's
also
the
well
Jay's
dot
here
today,
but
there's
the
S2
c2f
right,
which
is
this
standard,
that's
similar
to
salsa,
but
it's
more
on
the
consumption
side.
B
So
it's
more
like
here
is
a
set
of
standards
and
policies
for
consuming
artifacts,
whereas
salsa
is
more
of
here's,
a
set
of
standards
and
policies
and
whatever
for
producing
artifacts
and
so
they're
looking
to
sort
of
combine
where
we
can
right,
s2c2f,
salsa
and
then
Fresca
as
sort
of
a
way
of
doing
it
and
start
giving
talks
around
that
and
so
they're
interested
in
folks
who
might
be
willing
to
to
help
out
with
that
as
well
as
just
folks
who
maybe
just
want
to
get
involved.
B
So
just
keep
that
in
mind
so
that
the
idea
here
would
be
I
you
might
think
through
is
like
Fresca
might
be
a
thing
that,
let's
say,
consumes
as
to
c2f
like
artifacts
that
are
compliant
with
it
like
dependencies
and
whatnot,
does
a
bunch
of
building
and
then
produces
salsa
compliant
artifacts
on
the
outside.
So
that's
that's
something!
B
That's
kind
of,
and
that's
also
a
big
push
as
part
of
the
salsa
1.0
release,
as
well
as
part
of
some
of
the
guidance
coming
from
the
governing
board
and
the
tech
which
is
just
like
hey.
We
want
to
start
showing
off
actual
implementation
stuff
on
some
of
these
things
and
actually
those
implementation
things
being
part
of
the
open
ssf
itself.
So
this
is
stuff,
like
Fresca
being
potentially
a
secure,
build
tool
that
people
can
use.
B
So
that's
actually
also
another
thing
for
potentially
maybe
having
actually
a
release
this
year
might
be
nice
to,
even
if
it's
like
a
Beta
release
and
not
a
full
like
1.0
sort
of
hard
and
release
I
think
we're
looking
to
kind
of
have
something
like
a
pretty
soon,
at
least
maybe
have
something
like
a
v0.1,
because
another
thing
that
came
up
in
a
couple
of
other
General
open
ssf
meetings
is
people
are
sort
of
looking
at
Fresca
and
going
well.
Is
there
a
release
of
this
thing?
B
How
do
I
actually
do
this?
Even
if
it's
you
know,
even
if
we
say
it's
an
alpha
release,
it's
not
intended
for
production.
B
People
just
don't
know
how
to
look
at
it
yet
so
that
that's
another
thing
that
I
think
we
want
to
kind
of
get
done
this
year
is
start
creating
something
like
a
release
process
tied
to
that
I
think
is
the
dependabot
ability
to
update
versions
of
things
and
that's
both
on
the
components
we're
actually
pushing
out.
I
know
that
Tim
has
done
some
work
on
the
vendor
me
stuff,
which
then
I
know
is
now
part
of
the
the
build
Tech
work
itself.
B
So
I'd
be
curious.
If
folks
have
any
thoughts
on
that.
B
Do
people
think
that
we
are,
we
will
be
in
some
some
some
kind
of
releasable
State
in
let's
say
the
like
the
by
the
summer,
like
not
necessarily
saying
production
release
but
being
able
to
kind
of
say
you
run
this
command
and
you
can
deploy
at
least
the
standard
Fresca,
not
necessarily
a
highly
customizable
one,
but
by
by
the
summer.
E
Yeah
I
think
the
the
issue
with
Frisk
has
always
been.
What
exactly
is
a
release
of
Fresca
exactly
because
the
the
way
that
we
put
it
the
way
that
it's
set
up
on
GitHub
right
now
is
really
more
for
users
of
Fresca
to
get
it
running
or
sorry
developers
of
Fresca
to
get
it
running
as
opposed
to
what
somebody
would
actually
consume.
E
So
I
think.
If,
if
we,
you
know,
maybe
sought
a
demo
of
some
of
the
stuff
that
Sonny's
been
working
on
in
terms
of
you
know
splitting
out
splitting
it
splitting
up
Fresca
into
effectively
the
two
distinct
kinds
of
clusters
and
what
would
be
a
more
representative
environment
than
releasing
the
actual
pipeline
piece
of
Fresca
I.
Think
is
something
that
we
could
definitely
do
by
Summer.
E
Releasing
what
we
have
right
now,
I'm,
not
even
sure,
is
a
is
a
thing
that
we
would
want
want
to
do
because
I,
don't
think,
that's
really
how
folks
would
even
use
it
if
that
makes
any
sense.
B
Yeah,
so
that
that
definitely
makes
sense
and
I
think
so
it's
as
as
a
big
goal
there
I
think
is.
We
need
to
first,
you
know,
defining
what
a
release
of
Fresca
even
is
I
think
is
something
that
we'd
want
to
do
and
I
think
yeah.
B
We
would
be
interested
in
seeing
a
demo
from
from
sunny
on
some
of
the
stuff
he's
been
working
on,
because
I
think
you
know
kind
of
going
back
to
sort
of
the
principles
in
the
in
the
readme
right
like
Fresca
is
you
know
a
set
of
components
that
are
open
source
components
that
are
configured
to
operate
securely
right
with
you
know,
recognizing
that
secured
you
know.
Security
means
lots
of
different
things,
but
just
generally
like
in
the
general
sort
of
sense
of
like
yeah.
B
You
know
maybe
not
being
able
to
compromise
everything,
and-
and
also
we
do
have
some
folks
who
are
working
on
a
threat
model
on
Fresca
soon,
but
I
think
that
sort
of
thing
is
is
something
that
were
interested
in,
maybe
locking
down
a
bit
more
to
say,
yep
and
that's
the
principles.
And
then
this
is
how
we're
actually
hitting
you
know
the
sort
of
goals
defined
there
and
then
separately
the
you
know,
Fresca
being
like
a
space,
an
easy
set
of
abstractions
that
as
an
end
user
right.
B
B
Is
the
key
Verno
policy
that
I'm
associating
with
this
build
and
here's
the
you
know
here
is
some
information
regarding,
like
you
know
the
what's,
it
called
secrets
and
and
config
maps,
and
and
all
that
good
stuff
like
it,
should
just
be
something
that
is
kind
of
like
all
one
holistic
package,
while
remaining
relatively
flexible.
So,
if
folks
need
to
add
and
change
stuff,
they
should
be
able
to.
F
B
Yeah
so
I
think
that
actually
ties
literally
into
the
next
thing
I
wanted
to
talk
about,
which
is
the
sort
of
Fresca
pipeline
at
framework
and
Library,
and
so
give
me
one
second
and
I'll
share
my
screen,
and
a
lot
of
this
is
obviously
built
on
the
work
that
that
Brad
has
mostly
done
and
so
there's
two
pieces.
B
One
is
we
want
to
make
that
that
command
line
wrapper
as
simple
as
possible
right,
because
we
don't
want
to
end
up
creating
something
that
becomes
so
tied
into
how
how
a
lot
of
that
sort
of
stuff
works.
So
that's
kind
of
where
the
cue
stuff
comes
in
and
I'll
show
off
the
queue
stuff,
and
then
we
can
talk
a
little
bit
about
how
that
might
interact.
A
Me
share
my
screen
here
this
one.
Yes,.
A
Okay
actually
delete
this
for
now,
because
it's
not
working.
B
And
just
as
an
FYI,
the
folks
also
from
Q
are
interested
in,
maybe
in
the
next
couple
weeks,
maybe
showing
up
to
the
next
meeting
or
something
like
that,
because
they're
very
interested
in
in
seeing
what
they
could
also
do
to
see
how
like
what
are
we
struggling
with
and
so
on.
But
let
me
just
show
you
like
what
this
might
look
like,
potentially
as
an
end
user.
Once
again,
this
is
purely
a
POC.
This
is
not
intended
to
be.
B
So
you
might
imagine
somebody
has
you
know
a
project
that
looks
like
this
right,
where
in
fact,
I
shouldn't
be
expand.
This
a
little
bit
where
you
know
they
just
say
like
hey
my
project
name.
Is
this
my
build
type?
B
Is
this
let's
say
and
here's
where
my
repository
lives
and
they
want
to
be
able
to
go
and
deploy
a
Fresca,
Pipeline
and
everything
else
like
the
policies
associated
with
that
pipeline,
yeah
they're,
like
I'm,
an
end
user
I,
don't
care
right,
I,
just
I
I
like
if
my
org
has
a
bunch
of
stuff,
that's
great
I
just
want
to
use
that
stuff
and
as
folks
who've
known
you
know,
who've
worked
at
like
very
large
Enterprises
before
usually
it's
like,
you
must
follow
all
the
rules,
and
you
must
know
what
all
those
rules
are
and
Implement
all
the
rules
yourself,
and
so
that's
kind
of
where
this
comes
in,
and
this
is
also
where
something
like
this
would
probably
be
wrapped
by
the
command
line
tool,
but
for
now
we're
just
using
Q
directly
just
to
kind
of
show
off
some
stuff.
B
B
B
And
the
thing
that's
you
know
you
can
do
is
at
every
level.
You
can
sort
of
say.
Let's
say
at
the
org
level,
the
org
has
a
set
of
constraints
and
then
a
department
in
an
org
can
have
a
set
of
constraints
and
once
again
this
is
all
very
flexible
to
whatever
the
end
user
needs,
but
we'll
obviously
have
some
defaults
here.
But
the
basic
idea
is
like:
if
a
department
has
additional
constraints,
those
constraints
have
to
be
additional,
like
a
department
can't
say
as
an
example
and
I'll
show
this
in
a
second
like.
B
If,
let's
say
the
org
says,
we
only
support
python
go
and
rust.
If
somebody
comes
in
with
C
plus
plus
a
department
says:
hey,
we
support,
C
plus
plus
sorry
the
org
doesn't
support
C
plus
plus.
We
don't
allow
that
right
and
and
that's
kind
of
a
simple
example,
but
you
could
imagine
like
policy,
and
you
could
imagine
naming
schemes
and
all
that
sort
of
stuff
being
generated
here
so
you'll
see
here
at
the
team
level,
There's
a
constraint
on
build
type
to
go
and
build
packs.
B
So
that
means,
if
I
switch
this
to
go
and
run
the
same
thing.
You
know
it
now
gets
the
go
pipeline
associated
with
the
project.
But
if
I
go
in
and
I
were
to
say,
like
I,
don't
know,
I
want
to
use
the
python
Builder,
and
this
is
also
where
the
command
line
would
come
in
to
help
with
some
of
the
error
handling,
but
pretty
much.
This
is
just
saying:
hey.
B
There
is
a
conflict
here,
because
you
set
up
a
constraint
that
says
either
build
packs
or
go,
and
you
gave
me
python
right
and
the
command
line
here
would
create
better
end
user
sort
of
error
messages.
But
this
this
is
kind
of
the
thing
that
you
know
is
is
allowed
and
what
is
it
isn't
allowed
right,
and
so
the
other
thing
here
right
is
so.
If
I
push
this
back
to
build
packs-
and
let's
say
you
know-
I
removed
build
tax.
That
would
no
longer
work
as
well.
B
The
other
things
here
are,
you
know
you
can
potentially
inject
additional
sort
of
constraints
or
whatever
additional
resources
into
the
kubernetes
that
we're
using
for
Q,
also
via
the
same
sort
of
mechanism.
So
here
we've
just
decide
defined.
A
almost
like
Q
doesn't
have
functions,
but
something
similar
to
a
function
in
Q
that
allows
us
to
say:
hey,
I
want
to
create
a
policy,
a
key
verto
policy
in
this
case
it's
a
giverno
image
policy
and
it's
called
baz
and
I'm.
B
But
if
you
look
up
here
and
if
I
go
over
here,
there
is
sort
of
it
generated
the
the
this
policy
here
and
if
I
were
to
create
a
new
policy
and
so
on
that
that
could
go
in
there
as
well,
and
also
you
can
see
here,
there's
like
a
couple
of
extra
sort
of
values
here,
like
the
team
right
and
the
department
has
its
own
sort
of
value
and
then
the
org
here
has
a
bunch
of
information
on
its
constraints.
B
So
here
there's
a
bunch
of
policies
that
are
associated
with
at
the
org
level,
but
because
we
don't
restrict
it
at
the
lower
levels.
We
can
say
Okay
a
department
is
allowed
to
create
additional
policies,
but
they
can't
delete
the
orgs
policies
right.
They
could
say
hey,
we
are,
you
know
we
have
additional
stuff
and
so
on
and
then
over
here
here's
the
like
complete
list
of
allowed
builds.
B
This
will
work,
but
as
soon
as
I
were
to
go
and
change
this
to
python,
it's
going
to
go
and
say
hey.
This
is
not
an
element
of
the
it's
pretty
much
just
sort
of
saying
hey.
This
is
not
an
element
of
that
that
list
so
there's
no,
even
though
it's
technically
allowed.
B
There
is
nothing
at
the
org
level
to
actually
support
that.
So
that's
another
sort
of
thing
there.
In
addition
to
that,
we
can
set
up
stuff
like
naming
schemes
as
part
of
this,
so
that
you
know
an
individual
organization
can
come
in
and
say
great.
All
of
my
images
that
are
built
should
look
in
the
form
of
org--department-team
Dash
project
and,
if
I
look
at
this
here,
you
can
see
it
creates
images
in
that
sort
of
form
here
of
like
ttl.sh,
which
is
the
default
as
part
which
I'll
show
you.
B
What
that
looks
like
in
the
library
in
a
second,
but
it's
org
x,
dash
Department,
Y,
dash
team,
Z,
Dash
Foo
right
and
where
Foo
only
had
to
say,
what's
my
project
name
Foo
and
you
know
some
of
us
who've
worked
in
banks
have
known
like.
Sometimes
there
is
a
naming
scheme
out
there,
you're
not
told
what
that
naming
scheme
is,
and
you
just
kind
of
have
somebody
go
and
say
like
no.
B
No
you
have
to
it
is
you
know
the
first
letter
of
of
the
office
you
work
out
of
plus
the
you
know
and
there's
a
lot
of
this
sort
of
stuff,
whereas
here
the
idea
is
like
we
want
to
make
that
auto-generated,
where
somebody
can
Define
that
policy
and
the
you
know
this
automatically
fills
in
the
blanks
for
you,
and
so
a
lot
of
this
stuff
right
is
is
built
on
top
of
of
what
Brad
had
built
and
also
once
again,
a
lot
of
things.
B
I'm
doing
in
here
are
probably
not
two
best
practices
I'm
still
trying
to
figure
some
of
that
out
myself,
but
to
now
go
to
into
sort
of
this
is
what
like
live.
Configuration
might
look
like
right,
so
this
is
what
you
know.
An
actual
organization's
configuration
might
look
like
okay,
what
about
the
actual
like
helper
functions
and
the
library
piece
of
it?
B
Well,
that's
where
you
know,
and
I'm
trying
to
kind
of
emulate
go
style
packaging
for
now,
but
obviously
this
could
change
or
whatever,
but
we
have
stuff
like
here
is
the
build
tax
pipeline
right
and
a
lot
of
this
stuff.
For
folks
who
are
not
super
familiar
with
q
and
I'm
not
going
to
get
too
deep
into
it,
is
you
can
import
stuff
into
queue
directly?
B
So
if
you
have
some
yaml,
you
could
just
do
Q
import
that
yaml
and
it
will
convert
it
into
queue
and
then
using
some
of
the
other
Q
functions.
You
can
actually
turn
some
of
these
things
into
automatically
into
schemas,
so
it
can,
let's
say
for
example,
say
well.
This
is
a
string.
I
know
this
is
a
string,
so
you
know
I
can
just
sort
of
create
a
schema
out
of
that.
B
You
know.
There's
some
things
in
here,
just
to
kind
of
give
you
an
idea
of,
like
this
defaults
to
the
example
build
packs,
but
anybody
can
put
in
any
string
right.
So
if
somebody
does
not
put
in
the
name
of
an
image,
it's
a
falsely
example
build
packs
stuff
like
that,
and
then
the
other
thing
here.
That's
kind
of
neat
about
how
you
could
do
this
in
queue.
Is
you
can
test
a
lot
of
stuff
in
queue
by
just
sort
of
creating
of
you
know
a
folder
called
test.
B
Let's
say
part
of
the
same
package
and
you
just
if
you
would
think
Paula
in
here
you
would
then
you.
A
Can
then
test
it
test
that
out
so
catalog
pipelines
build
packs
test?
So
if
I
were
to
do
qeval.
B
It
you
know
if,
let's
say
I
change
this
from
this
to
let's
say
a
number:
it
will
now.
C
Actually,
it's
I
think
I
need
to
do
to
apply
here.
Yeah.
B
Here
we
go
found
in
in
want,
you
know
so,
and
some
in
once
again
the
the
I
one
thing
I
will
say
is
the
error.
Messages
in
queue
are
not
great
here,
but
anyway,
if
I
go
over
to
the
go
one
here,
this
is
what
the
go
one
looks
like
and
then
the
other
thing
that
we're
trying
to
kind
of
start
to
Define
is
we're
trying
to
Define
like
standards.
B
So
if
I
go
over
to
the
Fresca
package
or
on
the
Fresca
pipeline
package,
here
you
can
see
we
can
define
a.
We
can
define
a
pipeline
any
way
we
want
right.
So
in
this
we
can
define
a
pipeline
and
if
I
look
at
the
pipeline
for
a
second,
a
pipeline
is
a
set
of
tasks
assigned
in
a
certain.
B
You
know,
structure
and
the
tasks
are
some
pre-built
tasks,
plus
some
build
tasks,
plus
some
post
build
tasks
and
for
right
now,
I've
left
it
pretty
simple
here,
where
the
only
requirement
is
that
all
all
pipelines
must
start
with
the
official
Fresca
clone
task
right
or
a
subset
of
that
test.
B
Sorry,
a
a
sort
of
not
a
subset,
but
a
further
constraint
of
that
task.
Right.
It
has
to
like
match
the
Fresca
clone
task
schema,
and
so
you
might
imagine
right,
like
as
we're
building
something
out
a
secure
pipeline
task
or
sorry
secure
pipeline
might
include
tasks
that
hit
certain
requirements
like
you
must
include
an
s-bomb
generation
task.
B
You
must
include,
you
know
a
secure,
publishing
task
and
whatever
right,
but
because
of
this,
this
sort
of
makes
it
very
easy
for
folks
who
are,
let's
say,
building
their
own
pipelines
to
sort
of
generate
whatever
they
want.
So,
if
I
look
here
right,
a
a
pipeline
input
is
relatively
simple
and
once
again
for
most
folks,
they
don't
have
to
look
at
this.
B
This
is
mostly
for
folks
who
are
developing
on
Fresca
itself
or
for
people
who
want
to
generate
some
custom
pipeline
type
for
their
specific
need,
but
the
inputs
here
are
just
like
they
look.
You
know
like
you
would
call
a
function
or
something
and
just
sort
of
say
hey.
This
is
a
test
pipeline
test
image,
yeah.
B
There's
a
bunch
of
stuff
that
it
it
it
deploys
and,
and
so
on
so
actually
before
kind
of
continuing
do
folks
wanted
to
kind
of
like
is
there
anything
does
this
seem
like
what
we
should
be
doing?
Do
folks
have
kind
of
a
different
opinion
curious
to
hear
like
feedback?
If
this
seems
like
something
we
should
be
focused
on.
G
I
think
the
general
idea
is
good.
The
part
that
I
struggle
with
is
basically
redefining
the
whole
test
catalog
and
that
kind
of
stuff,
and
how
do
you?
B
Yeah
I
I
think
on
that
front
we're
trying
to
kind
of
figure
out
as
much
as
possible.
We
want
to
just
sort
of
pull
stuff
directly
from
tecton,
but
we
also
like
some
of
the
stuff
that
I
think
we've
been
noticing
is.
We
might
not
want
to
just
pull
whatever
from
tecton
if,
if
some
of
the
folks
will
just
sort
of
update
a
thing
and
not
do
the
release
and
and
some
of
the
other
stuff
there
I
think
like
I
think
we
might
want
to
do
something
like
that,
but
there's
two
pieces.
B
One
is
obviously
we
need
more
support
on
this,
because
I
think
this
is
beyond
just
like,
like
two
or
three
of
us
kind
of
like
maintaining
that
catalog
I
think
we
would
need
to
have
something
a
bit
more
robust,
but
I
think
we
would
also
want
to
make
sure
that
you
know
we
would
obviously
want
to
coordinate
with
the
tecton
folks
to
say:
hey
look.
B
We
noticed
this
issue
with
the
thing
and
we
want
to
include
it
or
not
include
or
whatever,
but
the
other
thing
I
think
that
might
be
useful
from
the
Fresca
side
is
I.
Think
our
catalog,
if
we
had
one,
would
be
significantly
smaller
right.
We
just
sort
of
say
yep
because
of
how
things
are
looking
right
like
we
are
going
to
support,
you
know:
go
we're
going
to
support
python.
If
somebody
wants
to
add
let's
say:
Java
support.
B
Okay,
great,
you
can
add
Java
support,
but
I
think
the
other
thing
too,
is
we're
not
looking
to
kind
of
support
like
every
different
thing
under
the
sun.
We're
looking
to
say
here
is
like
a
secure
clone
task
right
and
so
we're
not
going
to
support
every
cloning
task,
where
this
is
just
going
to
support
this
secure
one
and
if
folks
want
to
come
in
and
build
their
own,
we
can
definitely
do
that
and
I
think
some
of
the
other
stuff
that
kind
of
makes
this
nice
is.
B
We
can
Define
right
like
we
can
Define
what
a
Fresca
task
is,
and
once
again
this
is
obviously
just
super.
You
know
trivial.
This
is
just
based
on
like
how
we
import
from
you
know
for
folks
who
are
also
not
super
familiar
with
q.
B
Q
can
automatically
support
sorry,
kubernetes
resources
and
custom
resources,
so
you
can
just
actually
include
custom
resources
like
you
would,
let's
say
a
go
package
and
it
automatically
is
able
to.
Then
you
can
then
feed
in
and
it
can
match
against
that
schema.
So
you
know
you
can
go
and
say
hey.
This
is
what
you
know
just
as
an
example.
B
This
is
what
a
pipeline
you
know
a
tecton
pipeline
task
looks
like
and
if
somebody
were
to
come
in
and
put
in
a
value
that
doesn't
match
a
pipeline,
you
know
a
tecton
pipeline
task
that
is
no
longer
valid
and
when
you
know
quote-unquote
compile
that
kind
of
thing
yeah,
you
would
get
an
error
out
of
that,
but
because
of
that,
it
lets
us
go
back
and
generate
stuff
like
like.
B
This
is
what
a
Fresca
task
looks
like,
and
a
Fresca
task
could
potentially
consist
of
these
particular
things,
and
so
you
must,
in
order
to
be
a
a
task.
You
must
have
these
things,
and
so
some
of
the
things
that
we
might
be
able
to
do,
for
example,
is
say:
all
tasks
must
have
images
with
pin
hashes.
We
do
not
allow
folks
to
just
sort
of
pin
to
a
tag
you
must
pin
to
a
hash
and
we
can
actually
enforce
that
at
this
level.
B
So,
if
somebody
comes
in
with
hey,
I
want
to
generate
a
new
Fresca
task
and
they
just
pin
via
the
you
know
the
version.
Sorry
that
doesn't
you
know
that
doesn't
match
the
constraints.
It
won't
work.
B
E
Sorry
I
couldn't
find
my
mute
button.
Yeah,
so
Brad
I
hear
the
concern.
Is
there?
Is
there
a
different
approach?
You
would
take
or
any
way
to
avoid
that
issue
because
yeah
I
know
you
don't
want
to
be.
It's
definitely
a
risk.
G
G
You
know
a
process
say
at
you
know
at
the
time
that
we
produce
the
frisker
release
whatever
that
is
to
for
us
to
automatically
do
that
right,
based
on
which
version
of
that
get
clone
test
that
we're
using
and
then
also
to
I.
Think
Mike
talked
about
it
a
little
bit,
but
at
least
having
a
mechanism
for
other
people
to
add
their
their
own
particular
flavor,
of
whatever
task
that
is
right
to
get
clone
task
or
whatever,
and
making
that
easy.
G
I
will
say
that
some
of
the
newer
versions,
the
new
version
of
Q,
is
going
to
make
it
a
little
bit
easier
to
determine
what
gets
evaluated
during
when
you're
doing
the
queue
evaluation
and
not
be
so
strictly
hierarchical
and
further
going
to
doing
it.
Doing
the
evaluation
within
go
sort
of
opens
some
more
doors
on
what?
What
sort
of
labors
of
the
constraints
that
you
want
to
pull
in
and
you
want?
You
won't
be
sort
of
stuck
to
this.
G
You
know
you
have
to
have
you
know
certain
constraints
at
the
the
top
level
directory
some
at
the
mid-level
directory,
and
then
you
know
some
of
the
lower
level
directory.
You
can
sort
of
pull
in
sort
of
mix-ins
as
it
will
from
you
know,
you
could
have
like
command
line
options
say
I
want
to
include
you
know
some.
You
know
host
builds
test
like
this
or
some
constraint
like
that,
and
it
would.
G
B
Sounds
great
because
I
know
one
of
the
things
based
on
I
know.
B
You
know
I
think
that
that'll
help
out
and
then
also
yeah,
there's
a
lot
of
yeah.
Do
you
know
if,
when
they're
supposed
to
release,
that
is,
it
is
Q
0.5
or
something?
Because
I
saw
a
couple
of.
G
Them
yeah
I
was
hoping
it
was
going
to
be
soon.
There's
a
community
call
next
Tuesday
I
believe
so
I'm
hoping
to
get
some
more
details
about
that.
It
sounded
like
it
was
close
at
the
last
Community
call,
which
was
late,
ish,
November,
I,
think.
D
B
Yeah,
the
other
thing
I
did
like,
and-
and
maybe
even
the
mix-ins
would
probably
help
here
with
some
of
the
testing
to
be
able
to
sort
of
mock
stuff
out
and
and
and
so
on,
is
is
I.
Do
like
sort
of
like
the
the
the
idea
of,
if,
if
you
can
sort
of
verify
like
because,
like
one
of
the
other
things
that
that
is
very
confusing
about
Q
is
like
sometimes
it
can
be
very
difficult
to
know
like.
B
Why
am
I
not
getting
concrete
values
for
everything,
and
this
sort
of
thing
helps
out
with
some
of
those
tests.
It's
still
not
perfect,
but
yeah,
but
as
an
example
here
for
like
the
like
a
pipeline,
you
know
somebody
who
wants
to
just
include
the
Fresca
build
tax
task
into
their
pipeline.
B
It's
just
as
something
something
as
simple
as
hey:
I
have
a
list
of
build
tasks
and
I
just
include
this
one,
and
because
this
one,
you
know
because
this
Fresca
build
test
task,
is
an
official
task
right
like
it
meets
that
those
constraints
defined
by
the
Fresca
task.
Yep
that's
valid
right,
and
so,
if
somebody
were
to
come
in
with
like
a
task
that
you
know
doesn't
meet
those
requirements,
it
wouldn't
work
which
is
which
is
great,
yeah
I.
Think
the
the
concerns
from
our
end
is
is
always
like.
B
B
You
know
I
think
because
from
from
our
end
from
folks
who
seem
to
be,
you
know
reaching
out
in
the
the
slack
chat
or
or
even
just
you
know,
asking
to
have
some
some
chats
about
some
stuff
who
are
looking
at
this.
You
know
they
did
say:
hey
like
nobody
wants
to
move
off
of
their
CI
system
right,
because
everybody
has
too
much
complexity
there,
but
a
lot
of
folks
are
looking
at
something
like
a
Fresca
as
either
for
Greenfield
environments
of
like
great
I.
B
Don't
need
to
use
the
old
stuff,
and
this
thing
just
generates
us
bombs
for
me
and
and
handles
a
lot
of
the
the
heavy
security
stuff.
That's
that's
pretty
big
and
then
the
other
thing
I
think
folks
are
have
been
interested
in
is
also
sort
of
just
sort
of
that
General
easy
button
and
the
ability
here
right
where
I
don't
think
we
want
to
push
for
this
right,
but
some
folks
have
said:
hey
could
I
make
this
just
take
over
the
build
scan
Etc
tests,
but
Mike
Jenkins
still
handles
the
QA
pipeline
right.
B
I
think
folks
have
sort
of
seemed
interested
in
doing
that,
and
it's
not
necessarily
that
I
recommend
it.
But
if
that's
the
way
folks
are
going
to
go,
that
might
still
be
relatively
reasonable,
because
I
think
the
thing
that
folks
are
recognizing
is
if
they
have
to
generate
s-bombs
on
their
own
and
enforce
that
and
do
all
the
various
security
scans
and
make
sure
that
the
s-bombs
get
published
all
the
right
places
and
the
things
have
the
salsa
attestations
and
so
on.
I
think
they've.
E
The
other
question
I
have
on
on
this
whole
thing
is:
who
exactly
is
the
user
for
something
like
the
command
line
like
who's
doing
it,
because
I
think
the
the
one
thing
I
want
to
make
sure
that
we're
that
we're
that
we're
clearing
is
I,
don't
imagine
or
again
well.
This
is
this
is
a
question.
It's
a
poorly
phrased
question,
but
you
know
I,
don't
imagine.
E
A
developer
is
likely
to
be
using
a
cue
like
a
Fresca
command
line
that
frequently
or
if
they
are
or
probably
missing,
something
or
or
probably
targeting
the
wrong
level.
E
G
G
It
more
as
a
sort
of
onboarding
the
the
project
or
whatever,
to
the
build
infrastructure
right.
So
more
of
a
more
of
a
one-time
thing
to
say:
okay,
this
is
my
project.
I
want
you
to
set
up
a
pipeline
to
monitor
it
and
build
it
when
it
changes
through
it
and
not
necessarily
having
the
developer
initiating
the
the
pipelines
themselves
after
they
make
changes
to
their
project
right.
Does
that
make
sense?
G
E
G
The
the
pipeline
in
the
the
overall
Factory,
if
you
will
right
for
their
particular
project
and
then
after
that,
it's
you
know,
maybe
some
if
there's
monitoring
or
you
know
other
interrogation
right
tools
that
you
want
to
do
sort
of
like
the
the
tecton
CLI
stuff
right
right.
E
To
a
certain
extent,
yeah
I
guess
my
my
question.
That
was
even
even
in
a
place
like
not
to
list
any
specific
tools
that
anybody's
using
but,
like
you
know,
even
in
somewhere,
it's
more
like
city,
you
there's
I,
think
oftentimes
you're
likely
to
still
have
even
another
more
abstracted
interface
or
way
to
submit
requests
that
folks
typically
use.
E
So
it
seemed
likely
to
me
that
this
would
still
kind
of
even
still
be
abstracted
away
from
the
onboarding
stuff,
because
that
would
you'd
be
four
and
cities
not
alone
in
this.
A
lot
of
folks
have
a
thing
that
they
have
to
use
to
onboard
do
stuff.
You
know
like
when
I
want
to
submit
a
request
for
something
I
go
to
this
site
and
I
fill
in
some
things,
and
then
that
submits
a
ticket
and
on
the
back
end
it
might
even
just
call
this,
but
I
I
can't
find
that
many
folks.
E
Yet
who
would
actually
hit
the
butt
like
press,
the
buttons
directly?
It
seems
like
often
there's
still
going
to
be
a
thing
in
front
of
it,
which
that
might
be
too
pedantic
of
a
distinction,
but
I
didn't
imagine.
E
Yet,
even
in
that
case
that
it
would
be
very
often
that
someone
would
actually
run
it
as
a
Dev
or
I
couldn't
find
it,
but
again
I
could
be
missing
something
I'm,
not
speaking
to
the
same
kind
of
folks
that
you're
speaking
to
so
I
I
still
think,
like
I
still
think
that
this
is
incredibly
valuable
even
for
that
activity,
because
that
part
is
still
really
hard.
E
B
Yeah
yeah,
I
I
think,
like
whatever
the
command
line
tool
ends
up
being
it's
more
of
the
API
into
Fresca,
even
if
it's
the
deployment
API.
In
addition
to
other
things
as
well,
I
think
one
of
the
things
that
that
I
know
folks
have
expressed
concern
about
right
is
devs,
do
not
want
a
difference
between
what
they're
running
locally
and
what
they're
running
in
CI
as
much
as
is
possible
Right,
because
they
they
don't
want
to
kind
of
find
out
like
wait.
B
B
How
is
this
my
fault,
you
know,
there's
that
sort
of
thing
seeing
and
and
so
I
know
one
of
the
things
that
that,
like
if
I
look
at
tools
like
Co
and
some
of
the
other
ones
right
is
a
lot
of
devs
are
very
interested
in
that
ability
to
just
sort
of
say,
great
I
run
this
once
it's
the
same
thing
that
runs
in
the
actual,
build
and
yayada,
and
so
like
I'm,
almost
getting
100
of
the
identical
stuff
between
the
two.
B
That's
just
not
you
know
once
again
I'm
not
saying
that.
There's
a
easy
way
to
do
this,
but
I
know
some
folks
have
have
discussed
like.
Could
you
run
the
same,
builds
that
are
running
in
Fresca
as
a
full-fledged
thing?
Could
you
run
that
locally
and
I
mean
the
answer?
To
some
extent,
is
yes,
if
you
have
mini
Cube
and
yeah,
but
could
we
make
that
also
easy,
so
that
folks
know
that,
like
you
know
before
they
get
to
the
full-fledged
Fresca
that
actually
the
way
they've
structured?
B
This
thing
the
s-bomb
stuff
is
going
to
fail
because
not
because,
like
the
s-bomb
step
is
broken,
but
because
the
way
they've
developed
their
code,
it
just
makes
the
the
s-bomb
stuff
break
or
whatever
I
think
that
that's
something
that
we
we
need
to
kind
of
figure
out
to
make
it
as
easy
as
possible,
because
yeah
I
think
to
Tim's
Point.
Nobody
actually
wants
to
use
any
tool
right,
like
no
tool,
is
better
than
a
tool,
because
now
it's
another
thing
I
need
to
think
about.
B
But
if
so,
if
you
can
sort
of
say
hey
as
a
developer,
I
don't
need
to
touch
this,
except
in
this
case.
I
think
they'd
be
much
happier,
and
that
includes
developers
who
are
working
on
building
out
Fresca
itself
right,
like
I,
think
we
can
imagine,
there's
probably
from
an
API
standpoint
folks
who
are
building
out
a
Fresca
deployment
and
building
out
their
own
stuff.
B
They're
going
to
want
to
be
able
to
say,
hey,
you
know,
Fresca
new
Pipeline
and
it
generates
a
new
pipeline
in
the
catalog
or
Fresca
new
task
and
and
generates
a
task
that
automatically
hits
all
the
basics
and
then
using
a
couple
of
you
know.
Usually
a
couple
of
basic
commands
can,
let's
say
generate
one
that
you
know
includes
this
command
or
that
command
without
actually
having
to
go
into
the
queue
itself.
I
I
I
was
wondering,
as
you
kind
of
as
folks
kind
of
asked,
these
questions
right
and
the
target
audience,
and
all
that
I
mean
this
is
a
very
implementation,
specific
kind
of
question
and
I
guess
highly
dependent
on
now
that
CI
engine
is
tagged
on.
Is
that?
Can
we
build
some
of
those
things
to
a
native
kind
of
CLD,
so,
like
I,
mean
there's
nothing
too
new
to
learn,
but
then
I.
B
Yeah
so
I
know
a
while
back.
We
looked
at
both
operators
and
controllers,
as
potentially
some
way
to
do
this
and
I
know.
One
of
the
problems
became
like
when
you
have
a
bunch
of
custom
resource
definitions
with
them
themselves,
their
own
operators
and
controllers,
and
then
you
have
another
one
that
tries
to
like.
B
E
Yeah,
but,
but
to
that
point,
I
think
back
from
the
back
to
kind
of
the
beginning
of
the
conversation
like
what
exactly
is
a
Fresca
release,
I
think
in
doing
a
lot
of
the
work
we
did
realize
that
things
like
you
know,
cert
manager,
evolved
and
a
lot
of
the
key
management
pieces
are
probably
not
part
of
a
Fresca
deployment,
given
that
they
likely
have
that
already.
E
Somehow
you
know
so
so
you
can,
you
know
people
might
want
to
use
KMS
or
or
or
maybe
they
already
have
their
vault,
and
it's
not
not
likely
something
that
they're
going
to
want
out
of
the
box
anyway.
That
is
where
a
lot
of
the
complications
were,
because
even
you
know,
Brendan's
probably
familiar
with
this
too
right,
like
installing
cert
manager
in
abstracting
away,
like
the
install
of
a
lot
of
those
other
components
through
your
own.
E
Forces
you
to
try
to
reinvent
how
they
do
the
install
and
that's
not
really
something
that
you
really
want
to
be
touching,
but
the
other
pieces
are
far
more
far
simpler,
so
it
might
be,
it
might
be,
it
might
be
doable
if
you
can,
like
I
said,
and
it's
probably
worth
following
up
on
the
next
one.
E
If
Sonny
gives
a
demo
on
what
he's
been
doing,
but
like
yeah,
cleaving,
Fresca
kind
of
in
half
and
saying
the
deployment,
the
Deployable
piece
is
the
top
part
pipeline
Spire
Asian
things
like
that
like
that,
that
might
be,
that
might
be
doable.
It
might
be
worth
revisiting.
E
G
So
another
thing
is
that
I
think
I
think
there
was
some
initial
hope
that
dagger
was
going
to
be
sort
of
that.
That
thing
that
you're
talking
about
Sonny,
where
they're
going
to
have
some
sort
of
abstract
sort
of
build
pipeline
definition
and
then
from
from
that
be
able
to
generate
that
for
different
sorts
of
environments.
G
Whether
that's
you
know
GitHub
or
you
know,
tecton
or
whatever,
but
it
I
I
think
there's
still
a
lot
of
value
to
be
gained
from
or
gems
that
they
have
in
in
how
they've
done
things,
but
they
basically
set
up
their
own
sort
of
build
infrastructure
that
they
that
they
use
right
to
do
their
builds,
and
they
can.
They
can
sort
of
wedge
that
inside
of
inside
of
tech,
it
can
run
inside
of
tecton.
It
can
run
inside
of
GitHub
actions.
They
can
run
inside
of
of
other
things,
but
it's
it.
G
B
Yeah,
the
the
dagger
stuff
is,
is
pretty
interesting.
What
they've
been
doing,
but
I
also
know
that,
like
they've
actually
been
trying
to
take
a
step
away
from
Q,
because
I
think
they
recognize
that
at
least
for
what
they
were
trying
to
do.
B
It's
quite
difficult
to
kind
of
get
some
of
the
stuff
done,
and
so
they've
switched
to
sort
of
more
like
here's,
how
to
build
pipelines
using
let's
say
a
python
API
or
go
API,
and
that
kind
of
thing
I
know
that
what
they've
set
up,
which
is
which
is
interesting,
is
they're
using
graphql
behind
the
scenes
as
their
actual
model,
so
that
you
can
say
like
hey.
This
is
a
this
sort
of
command
or
whatever
and
then
based
on
different
contexts.
B
It
could
say
well,
I,
know
locally
I,
just
run
this
command
or
locally
I
run
this
command
in
a
container
remotely
I
run
this
command
in
a
VM
or
whatever,
or
you
know,
I
I
think
there's
some
interesting
stuff
that
they've
done
there
I
think.
The
the
challenges,
though,
is
how
do
you
like
guarantee
that's
done
safely
and
securely
is,
is
a
whole
other
thing.
I
think
from
a
Simplicity
standpoint
that
I
think
they've
gotten
that
thing
and
I
think
that
would
be
something
interesting
to
maybe
see.
B
If
there's
some
overlap,
some
areas
we
can
collaborate
on,
because
I
think
they've
they've
done
some
interesting
stuff
there
and
they've
solved
like
the
Simplicity
problem
right.
Oh
hey,
I
ran
this
locally
and
I
ran
it
externally
and
it
runs
the
same.
B
The
problem
is
just
yeah,
but
can
you
define
a
set
of
constraints,
and
can
you
sort
of
say
that
no
a
developer
can't
come
in
and
just
say,
run
RMR
slash
on.
You
know
the
CI
box,
like
that's
what
I
I
couldn't
seem
to
find
there,
whereas
I
I
think
with
what
we're
trying
to
do
with
Fresca
is
like
the
idea
should
be
yes,
this
should
be
a
secure,
build
that
that
matches
all
that.
H
D
H
I
think
we
can
have
that
as
part
of
the
you
know,
the
pr
like
have
an
automated
check
to
see
that
it
evaluates
to
the
Fresco
policies
under
Fresca
task
and
matches
everything,
and
then
it's
allowed
in
kind
of
thing,
so
as
you're
building
it
out
via
the
CI,
then
once
you
push
it
in
it
kind
of
double
checks
that
everything
looks
good
in
terms
of
it
matches
the
policies
that
have
been
set
up
or
the
you
know
what
the
Fresca
task
defines
definition.
H
H
H
B
Yeah
and
I
I
think
one
of
the
things
we'd
also
want
to
kind
of
figure
out
soon
is
maybe
via
a
survey
or
some
sort
of
marketing
Outreach
through
the
openssf
like
are
folks
sort
of
you
know
how
how
interested
are
folks
in
something
like
Fresca
is
Fresca
always
going
to
just
be
more
of
like
a
hey
here's
a
POC
around
some
of
the
stuff,
but
are
folks
actually
interested
in
using
Fresca
as
an
actual
tool
for
secure
builds.
B
You
know
because
I
I
know
from
the
salsa
side,
and
some
other
sides,
like
a
lot
of
folks,
are
very
interested
in
what
Fresca
is
attempting
to
do,
but
I
think
when
it
comes
to
you
know,
who
are
the
actual
folks
who
are
potentially
adopters
of
Fresca
I,
think
we'd
be
interested
in
seeing
some
more
of
that.
So
if,
if
folks
know
folks
who
are
interested
or
whatever,
we
definitely
also
want
to
hear
some
more
feedback
from
them.
I
I
I
mean
yeah,
their
definition
of
what
I
want
may
be
different
than
this
and
the
definition
of
security
in
a
way
what
they
want
to
control
may
be
different
as
well
like,
although
fundamentally
yeah,
you're
cloning,
a
thing
that
can
be
common
enough
for
everybody
but
like
beyond
that,
yeah
I
can
see
some.
You
know,
preferences
difference.
B
Right
cool,
any
other
questions,
thoughts.
Things
folks
wanted
to
bring
up.
H
But
I
just
want
to
give
an
update
for
the
tecton
stuff.
It
is
moving
forward,
so
this
guy
named
prakash
he's
pushing
the
PRS
forward
for
us
on
the
techton
side
on
the
Techno
pipelines
and
chains
for
the
Spire
work,
so
that
is
moving
along.
This
is
taking
a
long
time
still
yeah.
There's
a
lot
a
lot
of
comments
and
everything
so
yeah.
B
I
wonder
if
that's
something
we
can
bring
up
to
some
of
the
CD
Foundation,
because
at
this
point
it's
it's
actually
over
like
it's
over
a
year
since
this
work
started,
and
there
was
a
lot
of
pushback
from
the
tecton
side
on
on
on
some
of
this
so
yeah.
Let
me
reach
out
to
some
of
the
folks
on
on
that
on
the
techton
site,
as
well,
just
kind
of
say,
hey
look,
I
know
David
was
like
yeah.
This
is
definitely
a
priority
and
I
know
that
it's
moving
along,
but
it's
like.
B
H
That
is
also
going
to
be
released
as
an
alpha
right,
so
it's
not
like
it's
enabled
by
default.
You
have
to
fit
like
actually
enable
it
and
set
it
up
and
so
forth.
So
it's
not
like
it's
going
to
break
functionality
out
of
the
box
or
something
so
yeah.
It's
not
it's
not
going
to
be
a
full-fledged
release
of
it.
Anyways
until
it's
been
tested
and
all
that
kind
of
stuff
trying
to
lose
that
Alpha.
So.
H
But
yeah
so
that's
moving
along
and
then
the
runtime
attestations
I
think
Brad
attended
it
last
time,
yeah
we're
going
to
do
the
the
we're
gonna
push
the
attestation
forward.
So
there's
a
meeting
after
this
for
the
Toto
and
we're
going
to
push
the
runtime
out
of
stations
in
into
as
a
0.1,
so
I'm
gonna
get
that
push
forward,
and
then
we
can
always
make
revisions
on
it
as
we
as
we
see,
fits
at
the
same
time.