►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
Right,
while
people
are
rolling
in
feel
free
to
put
your
name
on
the
attendees
list
and
oops
feel
free
to
put
your
name
on
the
attendees
list
and
if
there's
anything
on
the
agenda
that
you
wanted
to
add,
feel
free
to.
A
B
B
Anyway,
so
just
as
a
reminder,
this
meeting
is
being
recorded,
it'll
be
uploaded
to
YouTube
shortly
thereafter
and
also
this
meeting.
Your
participation
in
this
meeting
is
an
agreement
to
abide
by
the
open,
ssf
code
of
conduct
all.
A
B
So
we
don't
have
much
of
a
an
agenda
today,
because
I
know
a
lot
of
stuff
has
been
happening
with
with
Thanksgiving
and
in
in
the
US
and
so
but
anyway,
before
kind
of
getting
into
the
one
agenda
item
which
is
on
the
Fresca
pipeline
framework
and
other
folks
feel
free
to
add
stuff
there
and
also
feel
free
to
add
your
attendance
to
the
to
the
document.
A
B
So
we
can
get
started
actually
before
getting
into
the
Fresco
pipeline
framework.
Was
there
anything
any
other
sort
of
agenda
items
or
anything
else
that
folks
wanted
to
sort
of
bring
up
any
updates
or
anything
like
that?.
B
So
we
can
get
into
it,
so
the
Fresca
pipeline
framework,
which
I'll
I'll
share
some
stuff
shortly.
That's
what
I'm
going
to
be
talking
about
at
the
open
source,
Summit
Japan
next
week.
B
There
is
we'll
be
talking
about
the
Fresca
pipeline
framework
and
give
me
a
second
just
to
pull
up
a
couple
of
the
diagrams
here.
Still
finishing.
A
B
And
once
again,
these
slides
are
still
in
their
work
in
progress,
so
so
don't
over
index
on
them
too
much.
But
the
so
one
of
the
big
things
that
we
had
sort
of
been
discussing
in
the
Fresca
group
was
the
need
to
make
the
pipelines
sort
of
easier.
B
So
as
a
reminder
to
folks
who
are
not
super
familiar
with
not
super
familiar
with
with
how
Fresca
is
doing
some
of
these
things
today
is
we
are
using
Q
to
deploy
out
to
the
underlying
tools
that
make
up
Fresca
right
things
like
the
supporting
tools,
like
you
know,
tecton
tecton
chains,
hashicorp,
Vault,
and
a
bunch
of
these
other
tools,
and
one
of
the
things
there
rate
is
that's
been
brought
up
a
few
times.
B
Is
you
know,
if
folks
have,
let's
say,
just
a
tecton
or
some
other
CI
setup?
It
can
often
be
very
difficult
to
orchestrate
multiple
sort
of
kubernetes
resources
at
the
same
time
when
you're
running
like
a
pipeline
or
you're
deploying
a
new
pipeline,
so
that
was
sort
of
where
this
this
pipeline
framework
came
into
to
play,
and
so
actually,
if
I
go
back
a
slide
and
I
apologize
for
the
color
scheme,
I'll
get
to
try
and
fix
that.
B
But
the
idea
here
is
is
right.
If
you
look
at
stuff
like
salsa,
there's
a
lot
of
stuff,
that
is
it,
there
are
different
responsibilities
for
the
different
groups
within
sorry.
There's
different
responsibilities
based
on
the
build
service
versus
what
the
actual
user-defined
build
pipeline
is,
and
actually
let
me
just
right
like
stuff.
That's
in
blue
right,
like
the
fact
that
you
have
a
scripted
build
is
part
of
the
end
users
build
responsibility.
B
You
know
a
build
service
is
part
of
the
build
service
responsibility,
but
certain
things
like
build
as
code
is
kind
of
a
combination
of
the
responsibilities,
because
it's
one
is
the
build
service
needs
to
actually
be
able
to
look
at
that.
Build
this,
that
build
pipeline
as
code
and
be
able
to
interpret
it.
B
But
the
actual
end
user
needs
to
know
like
how
to
actually
write
that
thing
and
the
same
thing
when
it
goes
to
sort
of
like
the
provenance
pieces
right.
These
are
shared
responsibilities
right
because
you
know
you
need
to
be
able
to
enable
sort
of
functionality
to
actually
you
need
to
use
something.
The
end
user
needs
to
be
able
to
use
a
tool
that
generates
provenance,
but
also
needs
to
ensure
that
that
the
the
build
service
needs
to
actually
then
build
that
Providence.
B
So
there's
a
bunch
of
different
shared
responsibilities
here,
which
then
leads
to
why
you
might
want
to
use
something
like
a
framework
that
can
help
sort
of
abstract
away
a
lot
of
that
other
stuff
right,
because
today,
when
you
know
one
of
the
things
that's
come
up,
a
few
times
was
just
sort
of
just
using
tecton,
normally
or
just
tecton.
Plus
tecton
chains
is
as
soon
as
you
start
to
include
other
third,
like
external
Services.
B
It's
up
to
the
the
end
user,
to
figure
out
how
that's
going
to
work
and
figure
out
how
that's
going
to
get
set
up
when
a
new
pipeline
is
is,
is
loaded
in,
and
so
that's
kind
of
where
you
know.
Something
like
a
pipeline
framework
would
would
help
out
here
right
where
you
imagine
you
know
Fresca.
The
whole
point
of
Fresca
is
Fresca
is
not
just
tecton,
plus
tecton
chains
and
and
plus
Vault.
B
It's
two
main
things:
it's
a
build
service
that
is
configured
to
be
secure
to
be
secure,
and
then
it's
also
a
set
of
these
abstractions
on
top
of
it,
so
that
when
you
run
your
builds
right,
the
stuff
that
is
under
the
end,
user's
responsibility
right,
the
developer,
who's
deploying
their
you
know
who
wants
to
run
their
code?
Can't
do
bad
things
like
they
can't,
let's
say,
say
hey
if
an
s-bomb
step
is
required
to
actually
generate
an
s-bomb
and
your
pipeline
does
not
generate
an
s-bomb.
That's
not
a
valid
Fresca
pipeline.
B
That's
the
sort
of
thing
that
we're
trying
to
kind
of
go
through
here,
and
so
you
know
from
kind
of
going
from
the
top
down
right.
The
the
idea
here
is
the
stuff.
That's
in
green
is
stuff.
That's
under
Fresca's
responsibility
right,
so
we
want
to
have
a
shared
library
of
functionality,
like
you
know,
stuff
that
that,
like
here,
are
abstractions
to
sort
of
enforce
the
use
of
different
security
tools
or
different
security.
B
You
know
different
security
steps,
different
security
tasks,
those
sorts
of
things
then
the
Fresca
config
itself
is
stuff
like
here
are
the
secure
defaults.
So
this
is
like
the
Baseline
and
so
the
Baseline.
You
know-
and
we're
still
sort
of
thinking
through
this,
as
as
a
team
here
and
and
we're
obviously
interested
in
getting
more
feedback,
more
contributions
and
so
on,
but
the
basic
idea
behind
it
is,
you
know
you
might
imagine
there
might
be
a
baseline
template.
Sorry,
no
sorry,
a
baseline
pipeline
right.
B
That
itself
is
not
a
full-fledged
pipeline,
but
it's
essentially,
you
know
an
abstraction
that
says
all
pipelines
must
have
a
source
pull-down
step.
You
know
a
security
linting
step,
a
build
step,
a
security
scanning
step,
an
s
bomb
step
and
a
publishing
step
like
something
like
that
and
then
okay
cool.
B
Well,
then,
if
you
use
any
tasks
that
are
correctly
tagged
or
correctly
signed
off,
as
being
you
know,
an
appropriate
s-bomb
step
in
appropriate,
you
know
source
code
ingestion
step
or
whatever
you
get
to
use
that
inside
of
your
your
pipeline,
and
so
then
like
for
organizations
right
and
and
for
folks
who've
worked
at
large
organizations.
B
You
probably
know
what
I'm
talking
about
here
right,
where
an
organization
might
want
to
have
some
level
of
constraints
and
policy
and
governance
right,
so
an
organization
might
say:
hey
our
company,
only
you
know
buy
policy
right
now.
We
only
are
a
python
and
go
shop
right.
We
don't
support
rust.
We
don't
support
these
other
things.
B
So
if
somebody
comes
in
with
a
bunch
of
rust
builds
sorry,
that's
not
a
valid
pipeline,
and
then
you
know
an
individual
Department
might
want
to
further
constrain
right
for
its
own
governance
and
its
own
policy
right,
a
department
might
say:
hey,
actually
we're
only.
B
You
know
our
department,
only
rights
go,
and
so,
if
somebody
comes
in
with
something
else,
even
something
like
python,
that's
allowed
at
the
organization
level,
we
still
don't
want
to
allow
that
within
our
department
and
then
some
simpler
things
are
just
things
like
right.
You
can
imagine
a
naming
scheme
right,
an
organization
might
say:
hey,
all
of
our
pipelines
should
be
prefixed
with
org
X
and
then
the
department
might
say.
Okay,
then,
after
that
initial
thing
should
be
Dash,
Department,
X
or
Department.
You
know
whatever
and
then
team
and
project
and
so
on.
B
But
then
you
know
an
individual
team
might
say:
hey
we're
actually
only
running
on
go
118
and
above
right
we
require
generics
or
whatever,
okay
cool.
Your
team
can
then
constrain
that
and
then
the
idea
here
is.
We
want
to
make
it
as
simple
as
possible
for
the
actual
developer
to
say:
hey
I
just
want
to
fill
out
a
very
basic
yaml,
a
very
basic
tumult,
whatever
config
and
just
have
something
like.
Where
does
my
code
live?
What
is
the
email
address
of
where
reports
and
yeah
yeah
I
should
go
to
you
know?
B
What's
the
team
name
or
whatever?
What's
the
project
name
and
what
should
the
you
know
the
resultant
artifact
be
named
right.
Imagine
you
know,
there's
five
or
six
things
and
then,
if
those
five
are
six
six
things
are
sort
of
defined.
B
You
just
get
a
pipeline,
that's
based
on
not
quite
inheritance,
but
is
a
combination
of
sort
of
inheritance
and
composition
of
all
the
configuration,
that's
above
it
right
and
so
the
project
so
for
for
the
end
user
right,
the
end
user
shouldn't
need
to
necessarily
modify
a
whole
bunch
of
stuff
themselves
and
in
fact
you
probably
want
to
constrain
it,
where
you
only
want
to
give
end
users
a
few
things
for
and
once
again
this
is
purely
for
the
the
secure
pipeline
right
like
this
is
not
saying
like
hey.
B
B
You
know
sorry,
that's
more
of
a
consumption
framework,
but,
like
the
you
know,
all
the
things
that
we
need
for
to
sort
of
show
some
of
the
stuff
like
we
want
to
make
sure
that
that
folks
can't
break
that,
and
one
of
the
things
that
we've
been
seeing
a
lot
of
is
folks
have
been
able
to
break
it.
B
Folks,
you
know,
all
it
takes
right
is
with
even
some
of
the
GitHub
stuff
right
is,
is
for,
and
you
know,
an
admin
on
the
project
to
just
sort
of
remove
something
or
change
something
and
then
you're
not
exactly
sure
anymore.
Like
is
this?
Actually,
you
know
well-formed
salsa
or
is
it
you
know
nah?
So
so
that's
some
some
things
there
and
then
the
stuff.
On
the
left
hand,
side
are
the
security
constraints
and
infrastructure
constraints.
So
these
are
things
like
just
at
the
org
level.
B
That
might
be
some
additional
things
that
an
individual
Department
might
not
necessarily
Define,
but
like
a
separate
Department
like
your
security,
you
know,
Department
might
Define
certain
things
like
hey.
All
tasks
must
be
signed
or
I
only
allow
images
like
if
you
define
an
image
in
a
task.
It
must
come
from
our
internal
registry,
not
an
external
registry
right.
Things
like
that
that
you
might
want
to
Define
have
defined
at
every
level,
and
the
same
thing
goes
with
like
infrastructure
right
where
you
might
say,
hey
look.
B
Your
task
seems
to
indicate
that
it's
asking
for
a
billion
dollars
worth
of
infrastructure
per
build,
we're
not
going
to
allow
that
that
kind
of
thing,
so
that's
kind
of
where
you
know
abstractly
what
we're
trying
to
do
with
this
this
pipeline
framework
and
then
what
it
actually
does
here
at
a
level
down
right
is.
B
The
idea
here
is
to
eventually
have
something
like
a
Fresca
CLI
tool
that
can
deploy
into
Fresca,
which
would
take
this
configuration,
and
you
know,
generate
the
Deployable
yaml
and
so
right
now
we're
doing
this
with
some
Q
Q
Lang
the
language.
So
we're
currently
doing
that
and
I'll
show
off
what
some
of
that
looks
like
in
a
couple
of
seconds
here.
B
But
the
main
thing
is,
we
are
trying
to
take
all
of
that
configuration
and,
once
again
the
stuff
that's
in
green
would
be
owned
by
or
sorry
it's
under
the
responsibility
of
Fresca
itself
and
the
stuff.
That's
in
Orange
is
the
sort
of
organization,
or
you
know,
the
the
user
of
Fresca,
the
deployer
of
Fresca's
responsibility
right
where
you
you
can
imagine
here.
B
You
know
once
again
there's
a
shared
library
and
framework
that
sort
of
says:
here's
how
you
write
pipelines
and
we
are
taking
the
opinionated
stance
here
of
you
know:
here's
the
right
way
to
deploy
pipelines
right,
there's
a
lot
of
ways
to
sort
of
say,
generally
hear
the
best
practices,
but
we
wanted
to
say
here's
how
those
best
practices
are
actually
implemented
in
something
like
Fresca,
and
so,
if
you
know,
if
folks
need
something
super
custom
yeah,
you
know
right
now.
B
B
I
just
have
a
go,
build
that
uses,
build
packs,
can
I
just
run
that
and
run
that
securely
and
the
idea
yeah,
you
know
the
the
goal
here
is
should
be
you
know
yes,
and
so
we
ingest
the
shortest
shared
library
and
framework,
and
then
you
have
the
stuff
like
the
organization
config
and
upwards,
and
then
you
also
have
you
know
this
idea
of
you
know
vendored
dependencies
where
those
vendor
dependencies
could
be.
B
You
know
stuff,
like
Upstream
techton
tasks
from
the
tecton
catalog,
that
you
just
sort
of
included
in
your
local
library
that
then
can
get
used
by
your
Q
code
once
again,
I'll
show
that
in
a
second
and
then
all
of
this
sort
of
gets
ingested
into
the
Fresca
tooling,
which
right
now
is
just
some
Q
scripts,
but
all
of
that
Q
can
then
generate
multiple
kubernetes
yamls
and
then
generate
automatically
from
a
single
sort
of
pipeline
definition
generate
stuff
like
the
tasks
the
pipelines
stuff.
B
Like
you
know,
key
Verno
policies,
config
Maps,
you
know
monitoring
Secrets,
all
that
good
stuff,
parth.
C
Yeah
so
quick
question
for
the
organizational
config
and
user
config.
So
is
that
going
to
be
in
queue
itself
or
is
that
something
going
to
be
something
easier
for
the
you
know
for
the
the
user
itself
to
write
you
know,
is
it
a
yaml
or
what
kind
of
format
is.
B
That
in
so
most
likely
at
least
for
now
the-
and
this
is
once
again-
this
is
just
purely
the
POC
I've
been
sort
of
writing
up
and
right
now,
we've
been
using
Q
for
the
organizational
config
as
well
as
the
user
config
most
likely.
We
want
to
move
to
something
like
we
want
to
make
sure
that
the
user
config
like
if
a
developer
comes
in
if
they
just
want
to
use
just
the
normal
go
pipeline
that
either
the
organization
has
defined
or
Fresca
has
defined
itself
like.
B
If
your
organization
says,
hey
we're
just
going
to
use
all
the
Fresca
defaults
and
there's
a
Fresca
default,
secure
go
pipeline
that
does
salsa
and
does
all
that
you
know
generates
s-bombs
and
all
that
good
stuff,
hey
great
you
know,
all
you
need
is
to
just
to
fill
in
some
yaml
tumult,
something
like
that,
probably
yaml,
just
to
be
clear,
I
just
you
know,
but
I'm
open
to
us.
You
know
I,
think
we're
open
to
other
options.
B
However,
if
you
have
other
things
like
hey,
I
have
a
custom
naming
scheme
that
I
want
it
to
be
generated
by
the
cube
right,
then
yeah
you
can
do
it
via.
Then
you
would
have
to
use
Q.
We
want
to
still
make
it
simple
right.
We
don't
want
to
say
like
because
we
want
to
say
that
the
Baseline
that's
defined
by
Fresca
is
rigorous
enough.
That,
yes,
you
still
need
to
learn.
B
Q
to,
let's
say,
make
something
super
custom,
but
you're
not
going
to
have
to
shoot
yourself
in
the
foot,
understanding
all
the
intricacies
and
and
whatever
for
Q
in
most
cases,
but
the
the
idea
here
should
be
that
we
make
stuff
as
simple
as
possible,
where
even
if
you
have
to
dive
into
queue,
it
shouldn't
be
that
that
complicated
Brennan.
D
D
Downstream
from
that
in
terms
of
an
image
controller,
or
something
like
that,
that's
looking
at
did
I
get
assigned
s-bomb
from
this,
so
I'm
wondering
and
we
can
serve
both
sides
of
that.
D
B
Yeah,
actually
that
that's
a
good
point,
so
one
of
the
things
here
and
I
know
I.
Have
it
up
in
this
sort
of
diagram
right
was
the
idea
would
be
to
do
it
at
both
levels.
Right
one?
Is
you
sort
of
enforce
policy
at
deploy
time?
Like
almost
you
know,
I
know
it's
not.
Actually,
when
you
do
the
Q
stuff,
you're
not
actually
compiling,
but
it's
sort
of
like
hey
at
build
time
of
the
policy
right
when
the
policy
gets
transformed
from
Q
into
the
result
in
yaml.
B
One
of
the
things
that
we
also
want
to
make
sure
of
is
we
want
to
make
sure
that
hey
that
config,
that
you're
generating
should
have
all
the
right
hooks
to
automatically
generate
the
runtime
admission
policy
as
well,
so
you
get
it
both
ways
right
where
one
is
hey
as
a
developer,
who's
just
sort
of
writing
some
stuff.
B
I
want
to
be
able
to
sort
of
deploy
something
well,
no
because
the
the
pipeline,
you
know
the
policies
for
those
pipelines
should
have
already
been
configured
and
it
should
notice
like
wait.
A
second.
This
pipeline
doesn't
match
the
emission
control
piece
and
gets
blocked
there.
So
it
is
also
a
defense
in
depth
approach.
Does
that
make
sense.
C
Does
that
also
apply
to
the
build
images,
and
so
so
forth?
Right
you
want
to
enforce
like
hey
the
images
that
I'm
using
for
the
build
are
also
signed,
maybe
contain
an
s-bomb,
have
attestations
and
so
forth
right.
So
it's
not
just
during
the
going
to
production
or
something,
but
it's
actually
doing
the
build.
Also.
B
Yeah
so
I
think
the
thing
would
be
like
there's
certain
things
we
can
do
with
q
and
like
this
is
the
same
thing.
I
think
with
you
know,
if
you
look
at
like
TF
lint
and
some
of
these
other
various
like
security
tools
for
for
linting
infrastructure
as
code,
you
still
want
to
have
like
runtime
policy,
but
you
also
want
to
have
almost
like
you
know,
build
time
policy
so
that
you
can
tell
the
developer.
Hey.
B
Look
because
I
like
what
you
know
I
know
somebody
who's
who's
run
into
the
into
this
a
million
times
with
stuff
like
terraform
right
you,
you
run
a
terraform
deploy
right
because
the
terraform
plan
worked
and
yayada,
but
the
deploy
somehow
it
triggers
some
sort
of
like
weird
constraint,
really
really
deep
in
and
it's
like.
Oh
it
turns
out,
the
runtime
policy
doesn't
allow
you
to
run
this
sort
of
thing,
and
so
that
sort
of
thing
is
is
kind
of
what
we're
also
trying
to
protect
against
is
is
yeah.
B
We
want
to
make
it
simple
right
and
then
in
fact,
we
probably
also
want
to
have
in
this
sort
of
Fresca
tooling
set.
Like
things
that
can
help
help,
do
it
for
you
right,
because
I
can
imagine
a
world
right
where,
when
you're
running
the
build
locally,
you
might
be
using.
You
know
the
latest,
for
you
know
the
latest
tag
okay
great,
but
when
using
the
latest
tag
we
might
have
some
tooling
that
says
well
hold
on.
That's
not
going
to
be
allowed.
B
You
need
to
pin
to
a
hash,
but
do
you
want
to
pin
to
the
hash
right
now
right
and
we'll
sort
of
take
that
latest
and
replace
it
with?
You
know
whatever
right,
which
I
know
comes
with
its
own?
You
know
set
of
things
like
if
you
haven't
actually
scanned
that
image
or
whatever,
but
like
these
are
the
sorts
of
things
I
think
would
be
useful
or
things
like
in
the
Fresca
tooling.
B
That
might
say,
hey
look,
you
know,
we
checked
those
images
and
those
images
aren't
signed
right
so
before
like
this
would
not
like.
If
you
go
to
deploy
this
in,
it's
not
going
to
run
because
when
it
the
next
time
it
runs,
you
know
kiverno
or
whatever
policy
is
going
to
go
and
block
it
from
from
running.
B
Does
that
X?
Does
that
make
sense.
B
So
it
it
so
there's
two
pieces
to
it.
One
is
like
the
runtime
policy
at
least
there's
two
pieces
to
it.
There's
stuff
that's
going
to
be
at
deploy
time
like
there's
going
to
be
certain
things
that
you
can
actually
say.
B
Hey
I
expect
all
tecton
tasks
that
get
uploaded
to
look
like
this
and
if
it
doesn't
have
like
a
hash
at
the
end,
it's
not
pinned
to
a
hash
or
whatever
then
I'm
not
going
to
let
it
through
and
then
there's
also
going
to
be
stuff
at
the
pipeline
run
as
well,
that
as
different
resources
get
spun
up,
it
might
say:
hey
like
like,
so
certain
things
might
not
get
caught
at
least
based
on
the
different
features
of
the
different
policy
engines
like
it
might
get
caught
at
different
levels.
B
But
one
of
the
things
like
that
I
can
imagine
is
you
know
at
least
right
now,
something
like
you
deploy
in
without
a
hash.
Oh,
that
gets
blocked
by
even
when
you
try
to
deploy
the
the
task
in
or
you
try
to
deploy
the
pipeline
in
right,
there's,
no
hash,
Associated
or
so
no
digest
associated
with
that
image
or
whatever
you
haven't
pinned
to
the
digest.
But
then
I
can
imagine
when
you
go
to
do
the
actual
at
runtime
like
there's
a
lot
of
stuff
in
kieverno.
B
That
just
makes
it
very
easy
to
say:
hey
was
this
signed
with
Sig
store?
You
know,
buy
a
key
that
I
trust
and
if
so,
you
know
let
it
through
if
there's
no
key
associated
with
it
or
if
it's
not
signed
with
a
key
I
trust.
Don't
allow
this.
You
know
container
to
run
and
that's
more
of
the
like
the
actual
sort
of
like
the
the
pipeline
run
piece
that
it
would
block
it
at.
E
E
I'm,
just
don't
know
enough.
The
the
actual
flow
here
end
to
end
I'm,
just
thinking
a
scenario
whereby
you
have
a
policy
version.
One
now
and
you
have
everything
in
everything
is
compliant,
and
then
you
change
that
policy
to
version
two
and
somebody
we
run
the
pipeline.
That
was
previously
run,
I,
don't
I'm
just
thinking
like
scenario
does
that
version
two
get
enforced
and
therefore
you
have
a
compliance
bill
that
is
up
to
today
to
the
latest
policy
yeah.
B
I
I
think
that's
kind
of
where
we
need
to
do
some
thoughts
of
thinking
around
it,
because
that
that
is
something
that
we've
also
been
thinking
is
something
like
a
versioned
like
a
version
of
Fresca
Pipeline,
and
the
version
Fresca
pipeline
is
the
versioning
is
also
associated
with
the
general
governance
and
and
policy.
So
you
could
go
back
and
say:
hey
like
we've,
you
know.
B
Yes,
we've
we've
deployed
you've
deployed
V2
of
the
policy,
but
you're
still
running
the
V1
Pipeline
and
there
might
be
something
along,
and
this
is
where
some
stuff,
like
runtime
authorization,
might
come
into
play
of
hey
if,
like
the
way
that
we
probably
want
to
do
it,
and
if
this
is
going
to
take
some
thinking
is,
do
it
sort
of
like
how
Google
does
their
binary
authorization?
B
You
know
against
the
new
policy,
and
so
you
know
you
might
get
an
alert
to
say
hey.
You
need
to
rerun
this
against
that
new
thing.
B
B
Yes
and
and
reproducible
builds
and
immutable
pipelines
yeah,
so
so
the
idea
here
is
yeah.
We
do
want
to
make
these
pipelines
themselves
immutable,
and
we
also
recognize
that
when
it
comes
to
some
of
this
stuff
like
when
it
comes
to
reproducible
and
I,
think
that's,
oh,
no!
That's
not
in
I!
Think
I
took
it
out
here
because
in
that
requirements
being
removed,
but
anyway
they
yeah
reproducible
builds
is
also
important.
The
problem
is,
you
know,
reproducible
builds
is,
is
more
on
the
end
user
to
sort
of
give
yeah.
B
It's
a
shared
problem
to
to
the
point
where,
like
you
want
to
make
sure
you
have
an
environment
that
could
run
a
reproducible
build
at
the
same
time,
the
majority
of
the
burden
is
on
the
end
user
to
make
sure
that
their
code
is,
you
know,
doesn't
have
a
lot
of
random
stuff
in
there
and
time
stamps
and
so
on,
but
yeah
that's
kind
of
like
once
again
that's
the
ideal
and
for
cases
where
that
that's
happening
already
stuff,
like
you
know,
Fresca
just
makes
it
easy
to
say
Yep.
B
This
is,
reproducible
and
I
can
provide
you
the
provenance
to
say
that,
like
look
like
it
ran
in
this
ecosystem.
So
if
you
run
it
somewhere
else,
you
can
all-
and
you
know
you
run
in
a
different
ecosystem
or
whatever
you
have
an
idea
of
like
hey
if
it
doesn't
reproduce
on
a
different
ecosystem.
Okay,
well,
either,
and
it's
still
running
the
same
stuff.
You
know
the
idea
behind
Fresca
as
well
is
to
say,
hey
well,
Fresca
is
doing
more
or
less
the
right
things.
B
B
Cool,
so
let
me
see,
and
so
now
let
me
show
a
little
bit
of
the
Q
stuff.
B
And
once
again,
this
is
all
very
much
like
POC
at
this
point,
so
it's
not
really
intended
to
be.
A
Whoops,
that
was
not
what
I
wanted
to
do.
B
So
a
lot
of
this
is
familiar
to
some
folks,
who've
already
been
working
with
Fresca,
who
have
used
the
like
examples
and
just
to
kind
of
give
it
an
idea
here
of
what
it
currently
looks
today.
Just
in
the
examples
folder
right
is
I
might
have
a
build
packs.
B
B
You
know
dot
yaml
so
like
the
buildpacks.yaml
as
the
pipeline
task,
but
it
actually
gets
referred
to
in
the
queue
and
then
like
the
inputs
for
for
the
actual
pipeline
are
a
combination
of
things
that
could
be
generated
right
like
defaults
right,
so
you
can
imagine
for,
like
the
end
user,
hey
I
can
maybe
use
the
defaults
right
like
if
I,
if
I
don't
care
about
where
some
of
the
stuff
goes
or
some
of
the
naming
I'm
just
gonna
use
use
the
defaults
here,
and
so
this
gets
pulled
in.
B
But
the
idea
here
as
well
is
there's
also
a
bunch
of
stuff
in
the
examples.q
which
are
other
helpers
right,
so
hey
the
repository
for
where
you're
pushing
the
image
right.
So,
given
that
a
lot
of
this
stuff
is
is
still
you
know,
Dev
we
push
to
ttl.sh
for
a
lot
of
our
testing
and
demos
and
Dev
work
right.
B
You
know
for
for
the
dev
version,
for
the
like,
you
know
local
Dev
version
of
Fresca
we
use
gidea
for
to
to
actually
you
know
include
code,
so,
instead
of
needing
access
to
git
or
whatever
we'll
go
out
and
we'll
essentially,
you
know
clone
down
to
a
local
repository
which
makes
it
easier
to
do
stuff
like
test
out
the
tecton
triggers
and
those
sorts
of
things,
and
you
know
stuff
like
that.
The
other
things
that
like
in
the
examples
here
right,
is,
if
I
look
at.
B
Right
so
we
have
like
a
gripe
task.
That's
defined
pretty
much
completely
here
inside
of
Q
right,
and
this
allows
us
to
sort
of
parameterize
it
in
good
ways.
It
allows
us
to
also
share
a
lot
of
the
data
across
multiple
things
so
stuff,
like
data,
that's
defined
in
one
pipeline
can
be
referred
to
in
a
task
can
be
referred
to
in
a
config
map
can
be
referred
to
in
a
policy,
and
it
makes
it
really
nice
because,
like
normally
you'd
have
to
go
in,
and
you
know
there
are
different
various
kubernetes
config.
B
You
know
tools
out
there,
but
I
found
this
one
to
be
very,
very
useful
and
very
very
it's
not
the
easiest
to
use.
But
for
this
particular
use
case,
it
seems
to
be
really
nice
in
being
able
to
share
that
that
you
know
be
able
to
refer
to
different
variables
in
different
places.
In
order
to
be
able
to
do
things
like
not
quite
inheritance
but
more
like
you
know,
you
can
sort
of
take
something
that
is
at
a
at
a
like.
That
is
just
a
set
of
constraints.
B
Right,
like
you
might
say,
hey.
This
is
an
integer
and
then
you
might
say
hey
the
constraint
is
this:
integer
should
be
over
18
and
then
the
final
actual
sort
of
data
could
be
something
like
35
and
it's
like.
Oh,
yes,
that
matches
the
schema,
we're
going
to
let
that
go
through,
and
so
what's
also
nice
about
it
as
well,
is
if
I
actually
look
at
some
of
the
other
helpers
we
have
here
right.
B
Is
we
one
of
the
nice
things
about
Q
is
Q
can
actually
just
by
Def?
You
know
as
table
Stakes
here
in
in
what
in
its
functionality
it
can
actually
enforce
the
constraints
on
kubernetes
resources
and
custom
resources,
so
you
can
actually
say
like
well,
this
should
be
a
pipeline
run,
and
so
all
of
our
pipeline
runs
should
fill
out
the
the
boilerplate
around
API
version,
metadata
kind,
Etc
right
and
integrate
with
whatever
else
is
passed
in
right.
So
if
somebody
tries
to
override
the
API
version,
doesn't
isn't
allowed.
B
B
And
so
the
thing
here
right
is
is
this
would
still
not
get,
would
not
go
through
on
kubernetes
kubernetes
would
say:
hey
you
didn't
match
the
custom
resource
definition,
but
often
when
you're
deploying
out
like
20
or
30
yamls
at
once,
it
gets
really
confusing
as
to
what
exactly
what
went
wrong
where
and
this
helps
out
there-
and
so
you
know,
I'm
able
to
put
you
know,
we're
sorry
we're
able
to
pull
in
kiverno,
custom
resources,
General,
kubernetes
resources,
techton
customer
resources
and
so
on,
and
so
anytime,
there's
a
new
custom
resource
that
we
might
want
to
add,
because
we've
included
a
new
tool
inside
of
inside
of
inside
of
Fresca
that
just
kind
of
comes
in
here
and
we
get
that,
like
schema,
validation,
included,
and
so
then,
when
we
start
to
look
at
like
what
this
might
look.
B
Like
in
the
future,
as
we
start
to
build
this
as
as
an
actual
Library,
you
might
imagine
hey
the
Baseline,
you
know
there
might
be
a
baseline.
The
Baseline
here
might
be,
and
once
again,
I'm
still
working
on
getting
the
actual
pipeline
set
up
the
pipeline
scaffolding
setup
here,
but
you
can
imagine
here
like
okay.
Well,
all
pipelines
must
include
these
inputs
right
and
this
hashtag
just
means
it's
also
closed.
So
this
could
be
like
hey.
B
These
are
the
only
inputs
allowed
into
a
pipeline
or
you
can
go,
and
you
know
if
I
had
it
something
like
this,
it
means
like
hey.
You
can
include
additional
inputs
if
you
wanted
to
as
well,
but
the
thing
that's
nice
here
is
like
okay,
cool
I
know
that
these
are
the
inputs
that
must
be.
You
know
that
these
are
the
only
outputs
that
are
allowed
right
and,
if
I
go
into,
what
like
a
build,
packs
might
look
like
here.
B
Right
is
hey
I'm,
importing
elements
of
the
other,
like
helper
libraries
to
now
Define
what
my
my
pipeline
is
going
to
look
like
right
and
so
I'm
able
to
go
in
and
say:
okay.
Well,
I'm
going
to
override
and
once
again
we're
still
don't
over
index
on
the
syntax
right
now
we're
still
working
on
on
what
the
you
know,
making
the
syntax
much
much
easier.
But
the
idea
here
is
okay
great.
B
We
want
to
change
the
name
of
the
image,
to
example,
build
packs
like
that's
what
we
want
to
fill
in
right,
and
you
know
we
have
some
additional
sort
of
things
that
we
just
want
to
kind
of
create
for
here
and
then
okay,
then
this
is
what
what
comes
out
of
there
and
if
I
wanted
to
do.
B
Right,
if
I
did
q
that
right,
if
it
would
give
me
errors
if
it
had
any
issues,
but
I
can
do
like
a
q
eval,
which
exports
out
the
the
the
Json
output
here.
I'm.
B
Sorry,
not
the
Json
output,
the
queue
output
that
are
that
qeval
will
tell
you
like
whether
or
not
there
are
any
values
that
haven't
been
actually
realized
by
you
know
are
like
do
you
still
have
an
empty
string
in
here
right
like
I
can
go,
and
you
know
if
I
were
to
let's
say
comment
about
this
and
just
do.
A
B
I
might
have
broken
something,
but
yeah
I'll
fix
that
in
a
little
bit.
But
the
basic
idea
behind
it
is
is
this
lets
you
sort
of
go
in
and.
A
B
B
I,
don't
remember
the
exact
command
off
the
top
of
my
head,
but
there's
ways
to
go
in
and
say
like:
okay
great
like
if
you
know
a
parameter
is
missing.
This
will
tell
you
and
and
and
we'll
help
out
here
and
so
the
idea
of
longer
term
rate
is
so
we
have
using
Q.
We
have
the
ability
to
then
take
all
of
this
data
and
convert
it
into
into
yaml,
and
so,
if
I.
A
B
Well,
actually,
I'm
not
going
to
run
that
right
now
because
it
takes
a
little
while,
but
we
can
convert
it
into
the
actual
yaml
using
sort
of
Q
as
well.
And
so
then
you
just
get
a
bunch
of
q
that
you
can
then
pipe
into
and
if
I
look
actually
over
here,
you'll
see
one
of
the
commands
we
run.
B
B
Can
run
something
like
this
right
and
so
the
the
Q
command
running
apply
turns
it
into
yaml,
and
then
we
can
pipe
that
into
Cube.
Ctl
apply
to
actually
deploy
out
into
the
the
the
thing
there.
So
if
I
actually
I
don't
know
if
this
will
work
actually,
if
I
share,
if
I
stop
sharing
this
and
I
move
over
to
my
original.
A
A
B
A
A
Oh
sorry,
equals
so
and
I
do
apply.
Whoops
I
have
to
actually
go
into
this
command.
B
E
A
B
Great
you
can
see
it
generated
all
this
sort
of
actual
kubernetes
HTML
from
just
the
configuration
that's
defined
here,
because
it's
able
to
import
in
all
the
extra
stuff,
like
the
you
know,
other
external
yamls,
the
other
Q
stuff
and
so
on,
and
so
what
this
really
allows
us
to
do
as
well,
which
is
also
one
of
the
key
one
of
the
other
key
things
we
want
to
get
out
of
this
is
we
want
to
make
it
super
simple,
so
that
if
somebody
does
go
to
a
V2
of
a
thing
right,
one
of
the
things
we've
seen
a
million
times
before?
B
Is
you
go
to?
You
know
V2
of
a
pipe
of
a
pipeline
definition
right,
because
everybody
must
have
you
know
an
s-bomb
and
blah
blah
and
you
go
and
you
say
well
great
now
we
want
to
have
a
new.
You
know
whatever
a
new
sort
of
security
step,
but
then
you
have
to
go
and
sort
of
update.
You
know
a
thousand
other
pipelines
to
now
include
that
other
step,
whereas
here
the
idea
is
like
okay.
B
Well
now
you
just
Define
it
one
place,
and
then
you
just
deploy
it
out
everywhere,
and
so
that's
anyway.
That's
kind
of
one
of
the
big
things
that
we're
I
think
we
want
to
work
on
starting
next
year
in
Earnest,
because
we
believe
that
sort
of
thing
to
be.
You
know
really
important,
because
we
we
think
that
at
least
right
now
is
is
we
have.
B
We
have
a
lot
of
good
stuff
inside
of
tecton
itself,
with
spiffy
Spire
with
Vault,
with
all
the
other
components
that
running
this
thing
securely.
The
thing
that
we
keep
hearing
is,
as
people
are
trying
to
poke
around
with
this
and
saying
like
Okay,
what
happens
when
we
actually
want
to
make
Fresca
into
something?
That's
releasable.
Well,
it's
not
very
easy
to
use
for
the
end
user
like
creating
a
pipeline
right
now
means
you
have
to
write
a
lot
of
cue
or
you
need
to
create
all
of
those
individual.
B
B
If
you're,
let's
say
you
know,
you
know
somebody
who's
managing
some
of
the
pipelines,
okay,
cool
yeah.
Now
you
need
to
dive
into
queue
a
little
bit.
You
need
to
modify
some
things
here
and
there,
but
we
provide
helper
libraries
and
we
provide
enough
there
so
that
you
don't
you
know
inadvertently
shoot
yourself
in
the
foot
and
then.
Finally,
if
you're
like
also
a
developer
on
Fresca
itself,
right
and
Fresca
now
wants
to
include
some
new.
Like
hey,
we've
discovered,
hey,
there's
this
great,
you
know
we
want
to
you
know.
B
So
I
know
I
just
talked
a
lot,
but
any
questions,
comments,
thoughts.
A
B
Talking
about
yeah,
if
there's
nothing
else,
I,
don't
know
if
anybody's
going
to
be
out,
does
anybody
be
out
in
Japan
next
week.
E
D
I'll,
be
there
it'd
actually
be
great
to
to
hang
out
and
talk
more
about
this
yeah.
B
E
E
A
B
There,
okay,
great
yeah
and,
and
then
I'm,
not
sure
yet
so
I
will
probably
not
be
able
to
also
attend
any
of
the
meetings
until
the
new
year,
just
because
I'm
also
going
to
be
visiting
the
In-laws
in
in
the
Philippines
as
well
after
Japan,
so
I
I
won't
be
around.
So
if
other
folks
wanted
to
still,
you
know,
join,
feel
free
to
to
the
you
know:
parth
Brendan
Etc.
B
If
anyone
to
facilitate
the
meeting
but
yeah
I'll,
probably
I,
think
it'll
be
I,
think
either
10
or
11
p.m.
Over
there.
So
it'll
be
a
little
late.
E
So
Maya
I
don't
know
whether
this
is
the
right
like
Forum
all
the
time.
Considering
the
time
we
have
about,
like
our
attempt
to
package
Fresca
using
Helm
and
probably
ask
Brandon
for
his
input,
because
it
I
mean
I
see
a
lot
of
his
work
in
there
in
the
current
Professor
kind
of
set
up
scripts
and
stuff
foreign.
D
E
E
These
are
the
steps
that
you
want
to
run
and,
from
my
perspective,
I'll
get
like
the
current
Fresco
I
mean
there
are
a
lot
of
scripts
and
stuff
right
which
which
works
perfectly
but
like,
when
you
hand
it
to
a
to
an
end
user,
or
that
there
could
be
a
lot
of
moving
pieces
right
that
you
know
somebody
thinks
certain
things
starting
to
break.
You
know
that
kind
of
thing,
so
I
was
wondering
whether
we
can
or
assured
package
it
like
with
the
harm
chain,
for
example,
which
is
more
like
a
KD.
E
You
know
Common
right
like
for
as
far
as
like
package,
packaging,
stuff
and
I
know.
There
are
a
lot
of
like
interdependencies
between
stuff
and
therefore
we
need
to
do
a
lot
of
like
equipped
exact.
You
know
patches
I'm,
just
wondering
you
know
trying
to
get
your
get
your
input
around
like
what
do
you
think
about
that?
That
idea
of
packages
using
harm,
and
do
you
see
that
working
or
what
are
the
things
that
you
know
if
you
were
to
go
that
path
to
be
aware
of.
E
Right
yeah,
what
one
thing
I'm
trying
to
kind
of
get
around
that
is
like
using
like
the
life
cycle
of
Hope,
and
but
you
know
you
don't
need
those
as
much
and
then
starting
to
thinking
about,
like
you
know,
do
we
need
something:
I've
got
a
controller
or
like
a
post
deployment
kind
of
like
a
crime
job
like
pod.
That
does
something
like
that.
But
it's
getting
you
know
a
bit
intrusive
right
to
do.
People's
kind
of
runtime.
D
Yeah
and
we've
done
a
lot
of
patching
in
there
just
so
that
we
can
use
fendering
rather
than
trying
to
pull
down
someone
rather
than
maintain
our
own
Fork,
of
whatever
the
Upstream
repo
has
on
something,
and
so
it
there's
a
lot
of
things
get
complicated
when
you
try
to
move
it
into
a
home
chart
which
is
designed
to
really
do
that
in
a
whole
different
way.
It's
designing.
D
You
pull
the
whole
thing
in
your
template
out
all
your
changes
in
there
and
right
pass
them
as
values
where
the
decisions
we
made
was
because
we
didn't
have
help,
so
it
might
completely
redesign
how
some
of
those
decisions
were
made.
If
you
had
the
helm,
had
the
templating
and
weren't
depending
on
having
the
Upstream
yaml
file
vendored
in,
as
is
without
modifying
it.
D
E
I
guess
I
I
rather
new
to
Fresca,
and
you
know
you
obviously
know
a
lot
more
like
the
intricacy
between
components.
I
I
would
definitely
take
your
your
input
as
to
what
is
this
even
possible
or,
like
you
know,
as
a
rabbit
hole
that
we
go
down
with
we've
had
more
or
like,
or
what
other
Alternatives
or
framework
that
we
should
be
looking
at.
D
D
A
D
A
B
I,
probably
won't
see
you
guys
tell
you
folks,
till
the
new
year,
but
yeah
I'll
be
I'll
still
be
around
on
slack.
If
folks
have
any
questions
or
thoughts
or
anything
like
that,
just
might
be
a
little
slow
to
respond
depending
on
what
time
it
is
enjoy.