C: Zach says he's reinstalling Zoom, so he'll be here in a minute, and there are links to the notes doc, if you all want to add your information in the attendees section.
B: Oh, we have a pretty sparse agenda, though the item that is on it I'm excited about. So if any folks have anything else they want to cover, updates or anything today, feel free to drop something in the notes. I also don't see action items from last meeting, which I had to miss, unfortunately, so if there were action items, also drop those in the agenda. Otherwise we can maybe have a short meeting.
B: Well, following the same heuristic that I use when I'm making popcorn in the microwave, I think it's time to get started. So first off on our agenda is a demo slash, I guess, just general discussion around a project called RSTUF, or "our stuff". I'm sure Kairo is going to tell us how it's canonically pronounced, but basically this is sort of like, almost, you know, a service that runs TUF for you, which I think might be of interest to a lot of folks in this group who are interested in maybe adding something like TUF to their package repositories but are worried about sort of the maintenance and management burdens of that. So, Kairo.
A: So, the usual question: you can see my screen, right? Yeah, yeah, okay, yeah. First, thank you for the invite; it's great to be here. I want to share this project. Its name is Repository Service for TUF, but we call it RSTUF, or "our stuff", or "R-S-TUF"; we are playing with that. So it's nice.
A: The idea of this project is secure content download, but we'll go into more detail. So I work at VMware, I'm an open source engineer at the OSPO, and today what I plan to do here is give an introduction, a bit about TUF and the motivation for this project, and then I'll walk through the project, the design and details. I will also share use cases for RSTUF and, time permitting, we'll go for the RSTUF demo, and I want to talk about the project in general. So let's get started.
A: Yeah, I will try to give an introduction, at a very high level, about TUF, The Update Framework. I'm not an expert in TUF; I'm approaching TUF at a very specific level and on a specific path. So that's why I'm comfortable talking about TUF here: we have a lot of TUF experts here on this call. So in the end, if someone has some specific question, maybe we can open it up for that, and I know that there are some folks here that can help me with that.
A: So The Update Framework is hosted by the Linux Foundation; it's part of the CNCF, and this project starts with the specification, which is a really mature specification, and TUF is used by large companies like Google, Amazon, Datadog, Sigstore.
A: How does TUF do it? It's by the metadata structure that contains roles and delegations that have the signatures there, and, for example, for these roles we have the timestamp that gives the freshness. We have the snapshot that guarantees that the repository metadata is consistent, and also TUF helps to reduce the impact if one of the keys of the roles is compromised, and allows very quick recovery from that.
A: When we talk about the signature, the verification policy needs to be highlighted here, because it verifies that the signature is from an authorized entity and also whether the signature is still valid. But I don't want to go too much into detail here about TUF. We can cover it more at the end if someone wants to discuss this, and there is a lot of good documentation and presentations and blog posts where you can get more about TUF.
A: To explain the motivation for the project I need to share my journey with TUF. So when I first joined the project I felt very lost about the name "framework". When I went to the website, I said, where can I get it and download it and use it, apply it in my environment? And then it took me a while to understand that the "framework" in TUF was in the specification, which is very good, and also in the libraries that help people to implement it.
A: So I had a friend. I was already contributing to python-tuf, had joined the community, and the friend asked me how they could protect their clients, because they have this idea of downloading packages for the clients. Actually, they have a system update; the platform has a kind of live update, but he was really looking for how to protect this. Then I shared that with them. It's a really small company, and he tried to go to the specification and try to implement it.
A: He made a project plan for the company and it was just rejected by the manager, because they would need a lot of people to do this, about a year to do this, to implement everything. So I was also a bit frustrated with the situation. I said okay. Then I started contributing to PyPI, the PEP 458. I have a pull request there that implements TUF in PyPI. When I was working on that I said, well, this is great: the design of PEP 458 together with TUF, it's amazing. It could be used by more people.
A: More people could have this benefit of PEP 458 and TUF in an easy way to start, and I started this in April, designing how it could be done and also to be able to test some things related to it. It's not good to use that for this, but yeah, I was starting some design for PEP 458 as well, and I started this project in parallel just to be able to exercise some situations that PyPI could have in deploying TUF, and later I...
A: I don't know if he is here, but Jussi gave a talk at the Open Source Summit and it was really something that motivated me. Actually, I felt represented there, because what he shared was exactly my thinking: that repositories are more alike than they are different, and a lot of problems are shared by the repositories. So that's when I came up with this idea. So what is RSTUF? That's how it started: we try to implement the repository with the TUF design, the metadata from TUF, as a service, simple like that.
A: But of course implementing this is not easy. We are facing this challenge now. And what are the outcomes of this project? Actually, it's to enable corporations, projects, teams, small or large, to implement TUF to secure their content delivery. It will be helping software supply chain security in general, in my opinion. And another thing is about helping the TUF community, because we always, when you talk about repositories...
A: We don't have a really open design, implemented in a way where we can receive some ideas on what is a good way to implement TUF. And we can also contribute back to the library, saying: look, we need to change this; or even to the specification, saying we are facing this kind of problem in large deployments, at scale, how can we implement it better? So this is the whole idea. So I'll talk about the RSTUF design. The goal here for RSTUF is to be easy to integrate.
A: So we want RSTUF to integrate itself alongside the current artifact production system. So it doesn't matter how you generate the artifacts, but basically it will cover CI/CD and an existing distribution platform that can just call RSTUF to say: look, I have a new target for the metadata.
A: Please add it. And the mechanism behind that, the management of the TUF metadata, will be done by RSTUF, and we also don't want to change the way that people expose their repository. It doesn't matter if the artifact, in the end, is in a web server, JFrog Artifactory, Docker Hub, a registry, because we don't take care of this layer. We just take care of the TUF metadata.
A: Here is the TUF metadata design, but it's not the goal here to go deep on that. So the repository and the metadata are based on PEP 458, which, when I saw it, I felt could be useful for many people. The way that this is designed, RSTUF uses python-tuf. python-tuf now has very modern and reliable metadata management for TUF, and really we want to implement PEP 458 and PEP 480.
A: That is the end-to-end signing on top of RSTUF, and we have a lot of ideas; every time I discuss it with someone we come up with ideas. So about the service design, because we are saying that we provide it as a service: to deploy RSTUF we provide containers and images to make it easy to deploy. We provide a management CLI to manage RSTUF and the metadata in some flows.
A: We provide an API integration, which means that CI/CD can be integrated, or any kind of artifact management or distribution system. And because of that design we can deploy RSTUF at the edge, in clouds, private or public, and one thing that I need to highlight here is, yeah, we also have the scale to support very active repositories. It means you could have multiple workers, which are the components of RSTUF. I will cover these components.
A: The worker is where the knowledge about managing the metadata lives, and the worker also does the integration. Because we have the metadata, we need to store the metadata in some place. So now it supports a local file system, but we want to support SaaS as well.
A: For example, object storage, so it means that the metadata can be in object storage. And also the key storage interface, because that design of the metadata requires some online keys, and those online keys now can be installed in the local file system. But this we use more for developing; we want, for the first release, to also support at least one or two SaaS key management services. So it means that those online keys could be in that place.
A: So what you see on the left, or on the right, in this diagram is that you have the two services; they are not really part of the CI/CD or your build system, actually, they go along with that, and the integration is done by API. So you see also the storage service and the key service, which is where the worker will be operating on the metadata, the physical metadata.
A: So, as you see also, the API doesn't have knowledge about the...
A: The worker actually consumes from this broker and does the task, so that way you can scale and have multiple workers managing that metadata. And the metadata storage needs to be exposed, because we know that the metadata for TUF needs to be exposed along with the artifacts, the packages or whatever. So, talking about the command line.
A: So if you have one key compromised, how do I rotate the key? You can use the CLI to do this kind of operation. And one thing that was also very difficult for people when I presented TUF: how do I create the first, initial metadata? I need to create a script; how do I do the ceremony? So we are creating a ceremony process inside the CLI to make it easy for whoever wants to implement RSTUF with TUF metadata. So yeah, I'll give two use cases.
A: The first one is the CI integration, and our demo will be on top of that as well. So usually how it works: you have your build system, the CI/CD, so you just integrate it into your CD using the REST API and the token, and when you have a new release, you say to RSTUF, here's information about my new package, and it will manage it in the metadata.
A: The same, I'll give an example like PyPI. Imagine that on PyPI you push, you send, you publish some new package. It uses twine or something like that. It goes to the distribution platform, and this goes to the storage, where you can download the artifact, so in that layer also you add the calls to the API.
A: You can integrate this API with the web UI if you want, or depending on how your process is. So I'll give the demonstration, basically in the first scenario, where I will have a CI running. The CI will run the checks, after which my CD will ask me for approval to approve the new release, and the new release goes with the new artifact and also the TUF metadata will be updated. So what will I be using in that demonstration here?
A: My RSTUF is deployed in the cloud. Also the metadata is stored in the cloud. It's just a web server that has access to my storage. Git will be my GitHub here, and for actions, my CI/CD, I will be using GitHub Actions, and the repository where my artifacts are stored will be GitHub, really simple; this will be my personal GitHub account. So yeah, so here's the deployment. I deployed using Kubernetes, but it could be something simpler or more complex. This is the API, the metadata that is exposed.
A: Yeah, so the Kubernetes, and here is the metadata, the JSON files of the metadata. So the next step, I'm showing a bit of the CLI, I'm generating a token. So here again I'm generating a token to integrate with GitHub Actions. I generate a token with just the right scope, so GitHub will be able just to add a target.
A: And here I'm doing the integration. I'm adding the token to GitHub Actions in my secrets. I'm not showing the pipeline now, but I'll show it later when it runs, so I show it all at once. So here someone is releasing a new version of a package. I created a demo package here, so how it's done: I just push a new tag and it will trigger my CI/CD.
A: Okay, when it's pushed to my CI/CD, my CI will have the building part. Then later I will be asked to approve the new release. So now it's waiting for my approval; yeah, I approved this, and it will take the CD that will run together with RSTUF. Sorry for that.
A: Yeah, so here it is: where is my integration? My CI. You see that it's just calling my RSTUF in the cloud, giving the token, then adding the information about the targets that goes to the metadata. So imagine, in my metadata you can see also that it was added: the new demo package release.
A: And next, on the page, you can see the releases as well. So next, what I did: I created a simple client. Imagine that this could be apt, I'm doing an apt download, or it could be pip download, something. So I'm downloading...
A: ...the latest version from my repository here. You see that I don't really need the... I'm not taking care of the file, but I'm taking care only of the metadata. The file is still in GitHub Packages or GitHub Releases.
A: So then I'll make the demonstration a bit more interesting. I'm simulating a tampered version. Imagine that someone found that he has access to create releases in the GitHub web page, but of course it will not trigger my CI/CD, so he is creating a fake release. Here, let's say someone is going there and adding a higher version of the package, and it was not... sorry, the screens are switching, yeah. He created the tampered one, added a malicious package and published the release.
A: So it means that in my repository, in the GitHub releases, he was able to add something, but not in my TUF metadata, because he didn't use my CI with my credentials or whatever. And then I simulate with the same download that it will fail, because it is not able to find the package in the metadata with the correct signature, only on the releases page.
A: Where you can find out more: we are in Slack, we have a Slack channel in the CNCF Slack. We also have the documentation that is available, but if you have a really specific use case, I would love to talk more with you, understand more whether the API, the flows, everything fits for you, or if you have some kind of feedback or ideas on how you can play with RSTUF. You can deploy it using Docker; I'll leave here the link where you have the instructions on how to deploy it.
A: The images are available in the GitHub registry, but I would also like to say, if you don't want to deploy it but you want to just start checking it out, I have a deployment in the cloud. I can generate a token for someone; just ask me, reach out to me and I'll give you a token that you can play with. I have the API available together with the metadata.
B: I'd be more mad if we had more on the agenda; that was awesome. Thank you so much, Kairo. Open the floor to questions, if anyone has any.
B: Okay, I do have one, which is: a lot of the sort of example deployments and demos that you talked about using CI were using sort of more symmetric auth options. I was wondering whether you had considered anything like support for, for instance, GitHub Actions has an OAuth identity associated with each job that runs, and using that sort of thing for authentication is something you've considered? Is that on the roadmap? Feel free to tell me that doesn't make any sense also, yeah.
A: No, actually I discussed it before with some folks, and actually, should this authentication and authorization even be in RSTUF, right? Because I don't care about that. So we have in the roadmap, you can see it there, a feature that is the possibility for someone that deploys it to disable the authentication and authorization, because probably you want to use something more powerful in front, like an API gateway or SSO authentication; you have a complex setup, so yeah. This will be there for people, to be used by someone that is very small and wants to have a minimum authentication and authorization, to be honest.
B: Cool, that makes sense, yeah, and I can see opportunities, and I know many of the folks working on this are acquainted with Sigstore, so for potential integration there, that's one nice way to sort of turn these GitHub OIDC identities into signatures that you can verify externally. I just joined the Slack channel on the CNCF, so happy to follow up there and discuss further. Yeah, Jason, is that a question?
C: Yeah, I had a quick question, maybe a clarification. One of the demos you showed kind of separately deals with the metadata; I think the demo pip command is pulling down metadata, but not the actual package itself. I don't know if that's something unique to RSTUF or TUF in general, but you mentioned it several times.
A: Yeah, okay, yeah, it's not unique. If you see python-tuf, the ngclient, actually you say where your artifact is, and the TUF metadata just takes care of the path plus the package, so we will retrieve it for you, or... Did I say something wrong here, Jussi? Or, look, as everyone could...
D: I think, if I may add something, I think... oh Jussi, you raised your hand formally. I just... you want to say something? Go.
D: No, I think it's specific to TUF to separate the artifacts and the metadata, and RSTUF probably amplifies this by having a completely separate service that only takes care of the metadata and proper APIs. So the PR that Kairo talked about initially on Warehouse, the PyPI code, basically does the whole metadata handling and artifact handling in the same code base, but with RSTUF you have a clearer separation of those things.
F: I had a question that kind of relates to the earlier authentication thing, and that's just a bit broader. The problem with any kind of automated and online signing of anything, kind of, is that you need...
A: To be honest, not much, but it's something that... I don't have the answer, because actually maybe I didn't think about that yet, because I don't know if it should be in a layer before sending it to RSTUF, because it depends on which kind of repository, a bit, you know, or how you provide... I mean, I see it more as a flow before you release something, like the same way that I do the approval, say: okay, here I approved the demo package version 1.0.3, so.
F: I got it. I mean, of course, that then means that the CI system is now even more critical, because you're going to trust the CI system, so it's kind of like, if you had your checks behind the wall, on the RSTUF side, then they might kind of be less susceptible to, you know, the CI system being broken into, but it's not an easy issue. So yeah, it's fine.
A: Yeah, also for a distribution system, let's think about PyPI, it would be more internal, also a step right before adding a package. So it's a bit hard to incorporate, or also noise.
A: Actually, you define it in your client. Let's say that you are changing apt to work with it, or let's say that you are changing pip to work with the TUF metadata and also the pypi.org repository where the packages are, right. So when you create your client, your pip, in that pip you put this information. Of course you have: where is my repository for the artifacts, and where is my address for my metadata. I don't know if I answered well.
B: No, if you're... if you don't mind, I can take a stab. So I think here, right, the important thing is that when you ask TUF to resolve basically a package by its name, that package name has to be canonical, and what you get out of that is like a cryptographic hash of that package, which is nice because that's going to be safe.
B: So as long as the thing you ultimately get matches that hash, I think you're in good shape, and you can do that either indirectly by a convention where I take this package name that I just looked up in TUF and I just hit, you know, pypi.org/packages/..., you know, etc., the same package name.
B: If you just do exactly that, you should wind up in the same place. I've seen other repositories either propose or actually sort of cut out this middle step and say: okay, you're going to look up the hash here, and then we have this sort of content-addressable store where you're just going to query, you know, data.repository.com for the hash and then get that artifact directly. So I think those are two ways you can.
F: Well, I was going to mention that this is kind of related to the whole target discovery aspect of TUF that isn't really there. A lot of people are finding that out kind of the hard way, that TUF doesn't provide this kind of idea of looking for something. Like you mentioned, you need to know the exact identifier for whatever you're looking for; as long as you know that, then it works, but it's just a method of downloading things, not for searching for, you know, packages.
C: A quick question in terms of the presentation you just gave: is it possible for you to share a link to that, or share it with this group?
B: All right, well, thanks again, Kairo, that was super interesting. Yeah, I think it's really promising, because I personally am excited about TUF as a sort of mechanism to be put in place on a lot of repositories, and I think we've heard over and over again that there are a lot of hurdles to actually rolling that out. So if we can reduce those, all the better. Okay, there's not a lot added to the agenda.
B: Someone suggested to me that, since this is perhaps the first time that many folks in this room were able to make it, we could start with, I guess... but what we get... we could sort of welcome everyone with a little bit of background on this group, what we've been up to so far, how it works, etc., in case this is your first time at this meeting. I'm happy to attempt to give a summary of the history that is totally unprepared.
B: So if I get anything wrong or I'm missing anything, feel free to add it in the chat or holler. So this is the OpenSSF Securing Software Repositories Working Group. What does that mean? It means that we get a bunch of people in a room and talk a lot about how to make, you know, package managers and repositories more secure, specifically focusing on the repository angle.
B: So, you know, I think things like PyPI, Maven Central. We have representation from Cargo, OS package managers; I think someone from Gentoo has hung out every once in a while. Some more experimental stuff, which is cool, someone like Nix, or there are folks working on WebAssembly packages, or I guess modules is the actual name for that, but any case where you're distributing software. And one other potential use case is sort of the ML...
B: ...community has their analogs of these repositories as well, and so everyone in this room wants to make those safer. I think the best way we can do that is to sort of not, in a vacuum, you know, all in parallel, kind of try to figure everything out, but sort of learn from the best examples of other folks. I...
B: ...think to that end, I don't know that this group can or should take credit, but during its lifetime we have seen some really cool proposals and implementations of security features.
B: What that could look like: I believe in npm there was an RFC for package signing that actually looked a little bit like what was in the example, where you have the CI system do the signing and not the maintainers themselves. That proposal for npm was merged recently, and I believe that effort, you know, is underway; I don't have the details of development there. So cool stuff like that, learning from other repositories. Yeah, in terms of logistics, we have this meeting.
B: It's going to be every four weeks; there's another meeting on the alternate two weeks. So two weeks from now there will be an Asia-Pacific-friendly meeting time, so very, very, very late for folks in EMEA time zones, not... yeah, and so they're all recorded.
B: If you have anything you want to say, feel free to drop stuff in the notes and someone can read something for you, but there's also a lot of asynchronous communication. A lot of that happens in Slack, on the OpenSSF Slack, in the securing software repositories working group channel, or maybe it's wg-securing-software-repositories.
B: Something like that, you'll find it, and then there's an email list too, which I believe is... I can drop a link in the chat here. Less traffic on the email list, though it's encouraged, if you're interested in participating in conversations. Yeah, I think that covers a lot of what we've done. Check the meeting minutes. We have...
B: ...167 pages of meeting minutes, so if you're looking for some nice beach reading, take a gander at those, but feel free to ask too if you have questions and you don't want to read through 167 pages, if we've ever covered something before. What are our... oh, there's a charter; the charter is linked from the Slack channel.
B: Nothing in this group is going to be binding on anyone, but it might represent sort of collective wisdom, and that's kind of, I think, the most realistic work output that directly comes out of this group, but I think many of the folks involved who do represent actual package repositories are doing way cooler and really tangible work outputs, which we love to hear about. All right. Thanks for letting me ramble. Anyone else who's been here for a while have anything they want to add, or any newcomers have any questions?
I: Yeah, I just want to give a quick update on the survey that we did for the package managers. I linked in the notes kind of like a few takeaways that I put together based on the survey results.
I: If anyone wants a bit of background... Sorry.
I: Yeah, so I think a while back one of the things we decided to do is to kind of get a general sense of where package managers were with their supply chain security and security stories in general.
I: You know, this covers like integrity, the code signing stuff, malicious packages, authentication and MFA, all the way to like security testing for your infrastructure and supply chain security for like the binaries you release as part of your infrastructure. So part of this was to understand where package managers are, and also to kind of drill down, like, what are areas in which multiple package managers are looking for capabilities but don't really have a solution, and hopefully the group can come together to kind of develop the solutions together, or create shared solutions for certain problems, or just to have a dialogue around all this, right.
I: So the survey we basically sent out was like: oh, are you protecting keys? Do you have MFA? What kind of MFA do you have, or if you don't, are you interested, or is this something that you're not looking to implement at all? And basically we sent this out to a bunch of package managers.
I: We got back about 11, including, you know, the main languages, the popular languages, so we had like PyPI, RubyGems, npm, different flavors of Java and many more. So the doc that I have in there is kind of like the summary of results, at least my interpretation of it. I'm not sure how I can best share the actual data with folks. I can export the spreadsheet, but that's not super readable.
I: But let me do that, and I'll edit the notes as well.
I: Yeah, I think my hope here is to get a little bit more feedback, see whether we can get a bunch of takeaways, and maybe have this be put on, like, maybe be in the GitHub repository, and then we can possibly have a blog post about this.
B: Cool, thanks, Brandon, and sorry, I didn't mean to cut you off. I didn't see it at the bottom of the notes. There's one more item: Joshua, can I ask you to give just an announcement? Sure.
J: Yeah, I just wanted to share that PackagingCon, which had its first instance in 2021, is going to happen again in 2023. So just a heads up when you're planning 2023 talks, I guess.
B: Yeah, and I encourage you to look at the website. I believe it still has the program from 2021; a lot of, I presume to most of the folks in this room, very, very interesting content, cool stuff around, you know, package managers, package repositories generally and specifically on security, so check those out. I think they're all recorded and available online too.
G: Yes, they are, yeah. I'm on the organizing committee for PackagingCon, if anybody wants to help. Yeah, the CFP should be coming up, probably in the next two to three weeks. That's what we're aiming for.
B: Oh, very cool, appreciate your work, Chang, and anyone else on the organizing committee putting that together. Yeah, you're welcome. All right. Well, then, I think we can call it a wrap for today. Thanks again, Kairo, for swinging by; that was a cool demo. You know, hopefully we can see further collaboration and use of that project in the future.