From YouTube: Supply Chain Integrity WG (February 16, 2022)
A: People, one more call to sign in, and the agenda is here if you want it; I dropped it in again.
C: Sorry, I was talking away and I'm on mute, of course.
C: Good day, everyone. I think the readme topic is taken care of. In our previous meeting, which was about a month ago, we had discussed a readme and I'd gotten some feedback from folks. I incorporated that feedback and submitted a pull request, and it was accepted by David Wheeler. So we do have an updated one there. If there are any more comments on it, we can still make changes, but at least the changes we discussed a month ago have been incorporated.
A: All right, well, we're good there then. Cool, all right. And then your other topic is... move to the next, yeah. Yeah, awesome then. All right, we can start out with a presentation from Cole. Is Cole on yet? I saw Mikhail was here.
E: No worries. All right, so my name is Mikhail. I see a lot of familiar faces on here, so I'm assuming some of you know me; most of you are probably more familiar with my co-worker Cole. Cole and I started TestifySec late last year to tackle the supply chain problem in a way we think is fitting.
E: We recently released our open source project, Witness, late last month or early this month, and Cole asked me to just come on and tell you all a little bit about it. As I said, my name is Mikhail. I've been a software engineer for about 12 years in a variety of different industries; I wore a lot of different hats before all this and found a liking for the high-compliance stuff and the supply chain security side.
E: Late last year, with my work at BoxBoat and the US Air Force Platform One, BoxBoat got acquired by IBM; I jumped ship and started TestifySec with Cole. So, Witness. I'm sure I'm preaching to the choir here in a supply chain working group, so I'm sorry if this is all low level, or I guess high level, for you guys. Witness is an open source pluggable framework for supply chain security. It collects information about what happened, where it happened, how it happened and who did it.
E: We are big on using open source specs and standards so we can interact with other projects, and I'll go over a few of the projects that we work with. First off is in-toto. I'm sure many people here are familiar with in-toto. Witness is actually an in-toto implementation: we took the spec, we used the work that has been done in ITE-6, which is doing more of a generalized metadata format, and we ran with that as our spec, and this, I think, is really good.
E: I mean, Tekton Chains uses in-toto attestations; there's a bunch of producers of these attestations. So I think, by contributing and committing to that one spec, it helps out everyone and it ensures that whatever policy engine or whatever attestation store anyone wants to use, we can play nicely with it. We also contribute openly to the in-toto project; Cole and I have both contributed specifically to in-toto-golang. The next one that we work a lot with is the SPIFFE/SPIRE project.
E: We use this for keyless signatures and the attestation abilities it gives us. Specifically, this is really good for machine identity. Cosign and the work over there that Sigstore is doing is a lot better for more of the human identity and keyless part of it, but for running in a CI/CD process, we really felt like, especially for some of our on-prem customers.
E: And finally, we use OPA's Rego policy language for our embedded policy language, and this gives us a lot of capabilities, different things that we can do and enforce at policy enforcement time. To give an idea of the holistic overview of what we're doing here, again probably not news to anyone here who's familiar with in-toto or any of the work going into this: we can pull different attestations from, say, a cloud instance metadata server and verify the cryptographic document that it provides us.
E: So we can get information about what cloud infrastructure this ran on. We can do that with TPMs for bare metal. We can also look at CI/CD provider JWTs and verify those to ensure that this ran on the specific GitLab project, for instance, or GitHub project that we expected it to. And then we also record file metadata, source files, all those types of materials. Then Witness can execute, trace and observe a program that you choose.
E: These are flat files, but as mentioned, since they are in-toto attestations, we can play very nicely with the Sigstore Rekor project. An example of what a high-level architecture of this could look like in a CI/CD platform is: at each step, we can collect different attestations and store those back into Rekor. So from the commit step, if you have smart cards in a corporate infrastructure, any sort of SAST scans, building, testing, all those analytics can be bundled up in Rekor. And then we have a project we're currently working on called Judge, which is kind of like an admission controller in the Kubernetes sense, or not specific to Kubernetes, but that executes these policies that can be created out of band from this process. So in a more corporate environment, maybe you have a CISO who wants to say that these things have to happen before this can go into production.
E: But what we're doing in this particular demo is building two Java projects, one that has a known vulnerable version of Log4j (the stuff that happened late last year) and one that doesn't, and we're going to store the attestations for both of those artifacts in a local Rekor instance I'm running. I'm going to show how we can then use the Rekor indexing to find affected artifacts that we know have these super vulnerable packages in them as dependencies, and then create policy to prevent that from executing in production.
E: And you can see, I get a return saying I have a jar with this name and this hash. If I just... So this is what our policy looks like. It defines which attestations, excuse me, we expect to be in that collection, and then the embedded Rego is here, and this allows us to do a little bit more robust policy enforcement.
E: So if I just base64-decode that real quick: for this specific demo, I'm just hard coding that if there's a dependency that was picked up through our Maven attestor, which read the pom.xml, recorded all the project information and recorded the dependencies that were tracked there, go ahead and deny that due to the vulnerable Log4j, and that's the message that will get presented to the user at verification time. This is not exactly a great example of a policy you might want to write.
E: And if I run my verify script, which I'll show real quick, it just runs witness verify on my jars. So this will automatically talk to Rekor and pull the relevant attestations.
E: I run it once on my non-vulnerable package and it passes the policy, and then my second one fails the policy, and it tells me it's because of that vulnerable Log4j. So this is where we're going with this. We are trying to make this play nicely with all these open source specs. It really benefits the community more when we can all talk in the same language. Say you want to use a different policy enforcement tool that's not witness verify.
E: We are still just in-toto attestations at the end of the day, and we use tools that we're familiar with; OPA's Rego is fairly popular at this point, so it's not hard to write these policies. The only thing that Witness constrains on is that we just have a return value called deny that is an array of strings.
E: All right, I don't hear any questions, so this is our GitHub link. Feel free to check us out, find bugs, tell us about it. Tell us what you like, what you don't like. We live in open source, so we really love the feedback, positive or negative.
H: Actually, I do have, hopefully, a quick question. I'm just curious a little bit more about what exactly you are storing in Rekor.
E: So our payloads are wrapped in signed DSSE envelopes, so the entire payload is base64 encoded. So if I just... sorry, I've got to...
E: There we go, better. So this is what we're storing in Rekor. Rekor has an attestation store available to it, so it's dependent on file size. We do some tracing, or can do some tracing (it didn't happen here), that will quickly blow up our attestation file size. I've run tracing on the Linux kernel, which is upwards of 300 megs. That's not going to go in a public Rekor instance, right? I don't have a rig, sorry. So yeah, that's what it looks like to get stored in Rekor.
E: And I guess I can show a little bit more about what these attestations look like. So these are the in-toto subjects. The subjects are what Rekor itself will index on, and it is the high-level way to describe what an in-toto statement is about. Right now, we're appending which attestation generated the subject and then a descriptor of the subject itself.
E: So our products are anything that changed during the command that we witnessed, and materials would be source files; materials don't typically record subjects currently. And then the other interesting one here would be our Maven attestor, which logs the dependencies that we care about, and that's how we do that reverse searching for dependencies in the Rekor instance. The attestations themselves are just JSON documents with the type information as well as the attestation body itself, so for our Maven one we just recorded the pom.xml. For materials, we record the file hashes of the files that existed on disk before the command. The command attestation records the command that ran itself, and its standard out and standard error. There is tracing stuff we can do with Linux's strace; currently, our ptrace, sorry, not strace. We use ptrace because, if you own the process, you can do it unprivileged. You don't need to have full root privileges like eBPF or anything. And then products are any files that changed or were created while that command ran.
J: Thank you. I was wondering, to what extent does the software search the path to find what has changed? Is it only within the working directory when the command is run, or is it the whole system?
E: So right now it is the working directory. You can specify a directory at runtime if you need something that's outside of your working directory. For our tracing stuff, what we do is look at every file, regardless of path, that the process opens and record hashes at that point, so we do some stuff outside the working directory, but our primary collection is in the working directory.
E: Yeah, and that is something we're also working on refining, but we invested a little bit into the tracing capabilities for that, especially when we're talking about, say, C things that may pull in your usr include folders that are not going to be in your working directory. But we still want to record that those got read in during the compilation process.
K: I wanted to understand better the terminology of product, or what product is. By way of apology, I'm sorry that this is indirectly self-promoting an article I wrote a while ago, where I talked about transformation as one of the operations on assets, and I wanted to make sure I understood what product was or how it works.
E: So the terminology we're using here, I think, is consistent with the in-toto terminology, but I've boiled it down to an artifact, which is any general something, and which usually comprises materials and products. Materials are, in this case...
F: I can talk a little bit about it. Overall, there's not a lot of mystery to the term choice. It's just that input and output is an incredibly overloaded term in software, and there's also, you will actually notice this happening a lot when people say, well, is the compiler an input to the build, or is it?
F: What is it? And, metaphorically speaking, we borrowed the terms materials and products from regular supply chain operations, where you take, say, some metal and a hammer, and then you hit it, and then you get a box out of this. The hammer would be your compiler, which is not exactly a material. It's something that you're using as a tool, so you can distinguish it as not being an input, but rather something that is used to operate. We usually record this thing as part of the environment information.
F: It can be either which container was this running in, which compiler was used, or the combination of those two. But the things that were actually inputted, essentially as a raw material to produce something, can be files, can be a network API call response, things of this nature: a virus list, device definitions, I don't know, a linting policy, I think things like that.
A: There's comments here. Yeah, it just seems like a comment, not a question. Cool, all right, up next we have Michael.
H: You're here, Michael? Yep, yep, I'm here. Hello. So yeah, the topic quickly for today: I know we had discussed this briefly back in January, but we wanted to reiterate our intention to contribute the SSF to this working group. As a reminder, the SSF is an implementation of a SLSA-compliant build system. It is using...
H: It is following the best practices as defined by the CNCF paper, and it also is an implementation of the reference architecture that's still in draft form coming out of the CNCF, and so we wanted to bring up that it is our intention to contribute that. I know there was some discussion about just making sure that folks knew and that it was brought to this group officially.
H: Do you want me to bring anything else up on that? Do you want me to bring up the repo or anything?
L: While you do that, let me see if I can ask you to multitask. I think, if the goal is to bring it in, the key for me is, I don't think we want to make it like this is the one true way to do things. Oh.
H: Yeah, yeah, to clarify here: we view this as maybe a little bit more than a prototype implementation.
H: We think that in most use cases this is something that folks might look at, build on top of, and that sort of thing, and also I think it's a useful learning tool, because one of the big things that has come out of a lot of the discussions is people are looking at all the different pieces, like, hey, I'm signing stuff, but then how do I build it securely? And I have a pipeline, but where do I sign it?
L: Is "worked example" decent? Because I understand you're worried: the word "prototype" often suggests it's not really ready for use, and I don't think you mean that, but "worked example" to me implies it's not the only way, but it is a way that works. And if you've got a better phrase, that's great. I just think we need to somehow move between a prototype you don't want to use and the one true way; I think those are the poles we were trying to avoid.
M: I think we should change the name. I like David's comments about it being a worked example, but we definitely were focusing on the implementation with Michael's team, as opposed to the naming, so we're definitely up for any suggestions about the name. But, David, to your point, I do like the idea that it's a worked example. I think that highlights what we're trying to do here, right?
H: Yeah, yeah, that's a point to address there, which is, a lot of this work had come out of, like, hey, the CNCF was creating the Secure Software Factory reference architecture, and this is an example of that reference architecture implemented, but obviously we don't want to have it confused with that directly. We want it to be like...
H: So two by default, quite easily three if we start to include the SPIFFE/SPIRE integration work, which I know still hasn't been fully pushed upstream yet, but with the SPIFFE/SPIRE work that we have in there, we think that we're pretty much hitting SLSA 3, outside of anything that's specific to the code repos, like two-person code review; there's currently nothing in there that can validate two-person code review inside of this. And then also, you know, we are...
H: We have built out a couple of examples of even SLSA 4, right, showing, hey, if you are using tools like, whether it's Bazel or Nix or in certain cases Buildpacks and all these other things, if you're using those things and you're getting reproducible builds, then you might be as high as SLSA level 4.
B: Another thing I wanted to mention: I'm pretty excited about this project because it's a great end-to-end reference implementation, and this will be one of the starting examples of this work, and we should be encouraging more of these examples in the community. So definitely very excited to have it part of the Supply Chain working group.
H: Yep, so I know we have the demos, but I just want to run through a couple of the diagrams at a high level of what a secure software factory is. So, ideally, the secure software factory is more or less a hardened CI/CD system plus some associated tooling; it exists in a larger set of tools that would include your artifacts, your source code control and how you're handling identity and those sorts of things. Some of this might be a little tiny here.
H: Okay, cool, let me see if I can, because I know... let's see, is this better?
H: Yes, okay, cool. Let me just talk through this a little bit. I know it's a lot of stuff on a page right now, but the basic idea is, what we're calling the secure software factory, name pending, the idea behind a lot of it is: how do we build a CI/CD system such that we're doing all the right sorts of things, such that we're hitting...
H: ...the SLSA requirements, we're hitting the various supply chain best practices from various groups like CNCF and so on. And so the idea is, we need to have some sort of build system, something that runs your pipelines and so on, and whatever is running those pipelines needs to be done in a secure way, making sure that the right identities are performing the right sorts of actions so that you can't spoof builds and that sort of thing. We also want to make sure whatever we're building, like...
H: However we're building it, the images that are the base images for the things that we're building, is that going through admission control? In this case, we're using Tekton as one of the tools, and for Tekton, the images that Tekton is using for the builds, are those approved images coming from us, are they defined by the right...
H: ...folks, do they have the right attestations associated with them? And then from the SPIFFE/SPIRE standpoint, are we attesting to both the nodes and the workloads? Are we confident that nobody has come in and spoofed a build and pretended, yeah, yeah, this is your build? These are the sorts of things that are pretty big concerns, and so using the secure software factory, we've begun to tie all these pieces together.
H: All right, and let me move on to the next diagram here, and let me also do this again. So this is more or less what a build potentially looks like at a very simple level. You have something that is looking at what the pipeline is doing; in this case...
H: ...in the case of the current implementation, it's using Tekton Chains, and it records everything that the individual build steps, or sorry, build tasks, are doing, and then all of the metadata associated with those tasks is being uploaded to a metadata store, in this particular case.
H: Right now we're pushing everything to OCI, but you could just as easily push it to another Tekton Chains backing store, and we also have some thoughts around some other things as well. But the basic idea is just: you're running through a normal pipeline and it's recording everything and then uploading all the attestations associated with that to the metadata store, and assuming that you're following all the right best practices that are tied together through the software factory...
H: ...we can make at least some, hopefully, assumptions, or not assumptions, but we have increased confidence that what's going in here has not been compromised in some way, or we can at least know where to look. And yeah, the rest is a little lower level, but yeah.
H: So that's pretty much it at the high level there, and I can put in the notes for the meeting a pointer to one of the previous meetings where we had given a little demo and a deep dive of this. Any questions?
F: I may have a question that may have been asked like 20 times before. In terms of this reference architecture: does it exist as a batteries-included, plug-and-play thing that I can just deploy, or is this just the document?
H: Oh, no. So yeah, once again, we're going to change the name to make sure that it's not confused. There is a Secure Software Factory reference architecture document, and let me make sure I share my screen here just so... There is the reference architecture document, which is being prepared for KubeCon Valencia to be released there, but this is a reference implementation based on what's described in that document. So that document is very high level.
H: It just says you need to have key distribution, and you need to sign your artifacts, you should be following best practices like securing your builds, making sure that you're not giving secrets directly into the build. Those are things that you see in SLSA, and then this specific thing is an actual code implementation of that, and so right now it's using a bunch of different tools.
H: Some of those tools could probably be swapped out with some additional features. Right now it's using Kyverno as the admission controller, but we've also seen some proofs of concept of just saying, hey, yeah, we can swap out Kyverno with OPA Gatekeeper, whatever. So it is actually a soup-to-nuts example. I wouldn't say it's necessarily hardened for production use cases, or for anybody to just take the whole thing, but we do think it's in a good spot.
H: It's something that, from a dev perspective, you just run a single command and it sets everything up for you, as long as you have minikube installed, or you can point it to a Kubernetes cluster, and it installs all the tools. It itself is trying to follow supply chain best practices.
H: If I just go in, whoops, not there, here: we're actually vendoring the tools as well, and we're hash-validating, and where applicable, if the tools themselves, for example Tekton, Tekton signs all of its releases and pushes the attestations back to Rekor, we actually validate all of those things when we update. So we're still trying to also, where possible, follow all the supply chain best practices in developing the secure software factory.
F: So that takes me to my follow-up question. It's almost like we practiced this. Could it be possible to think about a future in which we have somewhat of a bootstrapping tool that verifies the supply chain of the supply chain verification framework before deployment?
H: Yeah, yeah, so that's actually something that we are looking to do. So to some extent it is the bottom turtle problem: how recursive...
H: We would love to be able to sign the releases here and in those releases have an SBOM of, hey, we're using this version of, let's say, Tekton, this version of Kyverno, those sorts of things, and we can push that out to wherever and then have folks validate that. And we are trying to keep things as simple as possible to try and limit that, because obviously things can get quite complicated, and the more complicated it is, the harder it is to reason about what it might actually be doing at install time. But we are trying to do that sort of thing.
F: Yeah, I agree. This was more of an academic-thought type of question, but it would be interesting to see what can be done in that regard, right.
M: Yeah, we've got a couple of things that we're looking at in the area centrally. It may be good to catch up about it. I mean things like where you can validate the efficacy of those controls, and something you can execute locally or get people to embed within their supply chains. Certainly something we're thinking about.
F: Yeah, this sounds super interesting, and I think part of what I'm trying to get at is, this could also be something that a supply chain monitor could essentially pre-compute for somebody, and then we can... yeah.
C: Before we do that, John, sorry to interrupt, did I miss what the next step was for the secure software factory? So I think they're making a proposal that it join OpenSSF and become part of this working group. Is there... we talked about maybe renaming.
H: Yeah, no, I definitely think I agree with you, Dan. If folks have thoughts, I'm definitely down to brainstorm; I'm not great at naming things either, hence why I originally called it Secure Software Factory. It's like, oh yeah, it's an implementation of the Secure Software Factory reference architecture; okay, just call it Secure Software Factory, yeah!
H: I think I've created a couple of really bad names that involve, like, starting with a G and calling it generic something, and it's GUAC or something like that. But I think I'm open to better names.
M: I guess the bigger next step is just confirmation from the working group that this is of interest and we're happy to accept it as a working group worked example, or whatever the working group wants to refer to it as.
A: There's some logistical things about which repo to put it under, that kind of stuff too. Do you have thoughts there, Michael, like which GitHub org or anything?
H: Yeah, no, I don't really care. I think it can fall under the OpenSSF org as OpenSSF. If, for some reason, that can't be and we need to have a different thing, it can fall under a different thing.
A: Well, yeah, that works. You can put it in that org. I think the general guidance is, yeah, that's easiest. If you think you're going to have a million small repos or something like that, for samples, blah blah blah, etc., then it makes sense to keep a separate org. We have one like that.
L: Okay, so I think there's two steps. One: accept into the working group, yes or no; we want to get a consensus of the group. Step two: it sounds like there's some questions, like where to put the repo; maybe it needs a rename; maybe we need to figure out how to refer to it. But as long as there's a general agreement, we can work it out. So I think step one is, is it accepted into this working group, and then step two, oh, the naming fun. I don't think anybody...
C: So what is our process for accepting new projects into the working group? I don't know that we've been formal about that, and maybe we don't need to be, but...
L: Yeah, I think in general it's been much more of a, hey, do they agree or disagree, and try to get a majority consensus. I don't think we need to do vote tallies. Excuse me; as far as I know, it's not more than that, but it does need to be that the group looked at it and decided, yes, we agreed to accept it.
L: You're the lead. Why don't you call for objections and approvals? I suspect you're getting a whole lot of approvals.
L: Okay, and we all just need to figure out how to describe it. Yeah, a brainstorming doc for the name. That sounds like a good idea.
L: Somebody want to make a doc and put a link to that doc in the notes for today? We could also send out the request on the mailing list.
C: Do you have a... Michael or Jonathan, do you guys have a time frame? So if we said we'd discuss and finalize the name and any remaining details at our next meeting, then...
M: Yep, I mean, obviously, with being a major bank, it's taken some time to get to this point, just getting through all our internal policies, but we are at the end of that. We have the appropriate sign-off to do that. It's really just, yep, we're pretty much good to go, frankly.
L: Yeah, and what I would say is, let's strive for it within two weeks, and if the bikeshedding just takes a little extra time, it's okay. But I do agree, let's shoot for it, and if we don't quite get it, we'll at least hopefully have made some progress down to a short list.
G: I feel like I've been in a hole the last two months, ever since the new year, just doing work-related things very specific to work, and it's basically detached signatures and a process for a user experience for reviewing code from a secure code review perspective: having some kind of interface, and attesting, signing that review and publishing it. I'm trying to get him into the in-toto spec space and guide him in that direction, but he has a lot of momentum.
G: He has a lot of cool involvement with people from the Sequoia project, which is basically the people rewriting GnuPG, or the OpenPGP spec, in Rust. And yeah, I just think it would be cool to introduce him to you all, and I don't know if this is the right working group or if there's a better working group. I can make a mailing list mail too, but I just want to talk to humans first before doing that.
G: So if any of you all have pointers for me, that would be great, and I can walk through what the project is doing if you guys want, or take it out of band.
G: Right, so it's basically just a secure code review: you perform a secure code review on a code base, or on some section of code in a code base, and then you sign that review and publish that signed attestation somewhere, and so it's really similar to the in-toto process. So I'm trying to guide him to build that out as part of the experience, as part of his little open source project.
G: But I also think there's other people in the OpenSSF group who are interested in standardizing secure code review as part of the SDLC pipeline, so yeah, that's a shout-out to find those interested people. And also he just wants to talk to you all and be like, hey, I'm working on this thing, this is a huge problem. He's actually outsourcing people to do code reviews, like his friends and colleagues.
G
We have a little group and he plucks people from that group to review code bases and whatnot, and so it's kind of turning into a code review factory, a secure code review factory, and I think there's definitely a place for it in the supply chain factory space here.
L
If I can jump in real quick, John, I think there's several folks who'd be interested in this. Obviously this group's interested in integrity. The Security Threats group is including signing things. The Security Threats group is trying to just capture a little database.
L
I
don't
want
you
to
recall
data
of
all
the
reviews
of
open
source
projects
we
can
find
so
at
least
getting
the
work
that
he's
done
recorded.
There
would
be
awesome.
They've
already
got
little
forms
you
can
fill
out
the
alpha
omega
phi.
Where
is
that
sorry,
security
threats?
Working
group
mike
scaveta
leads
that-
and
you
know,
as
far
as
the
doing
audits
of
project
alpha
omega,
which
is
about
to
have
a
web,
its
webinar
also
is
doing,
but
it's
doing
its
own
thing.
G
Yeah, yeah, yeah. I just don't know what meeting he should come talk to first. I guess he's asking me, he's like, which one? And I'm like, honestly, they're all kind of similar and they're all kind of different. I'm bad; like, maybe two months ago I'd be like, this one, but then I feel like I've dropped off the face of the planet for you guys for the last two months, and I'm like, I don't know anymore.
G
I have a whole, like, a dream world where OpenSSF only uses open source software, but that's more radical than I want to pitch to you all formally. I'll just pitch it informally, but I think it would be cool to do that. But that's separate, you know, diagonal to our dreams and real.
J
And I'll back up your informal pitch. The SPDX working group has had great success with using Jitsi, which is, yeah.
G
This is amazing, that's what we use. We use Matrix for chatting, Element, and we used to see... and I'm really down with that, but maybe we can make Sebastian V and you work on a proposal to formalize around the tooling we use, because it's cool, and it defines us in some ways.
G
Great, yeah, yeah. I'll have them post up a line in the next agenda being like, hey, please reserve 15 minutes for Lance Vick and he can talk about this gist, or "jist", however you pronounce it in the English language, and the motivations behind it, and he'll talk about cargo-crev stuff too, because we've been in this story since event-stream really woke us, eventually shook us hard at BitGo.
G
We were very scared, and we were all part of that group that was like, okay, we have to do something, and so we spread our wings and we're in different places now, and he's in a really cool place, and the Alpha-Omega people, I think, would really like to talk with him because he's basically doing the alpha part as a contractor for various organizations in the cryptocurrency space, yeah.
K
I wanted to place into the recording, because the chat doesn't show up in the recording: I think your friend should look at in-toto attestation issue number 77. So that's it.
G
Yeah, if you see my comment in his gist, I have that issue there. I'm like, you should look at this, because they're talking specifically about this policy format for secure code reviews. So that ball is rolling and I'm getting that on his radar. So I appreciate you commenting on that, though, because I did some digging and I'm like, oh, they've been here before, here's... let's do this. I want to steal other people's work here.
J
And it's nice how open source software got a slow start with the remote video conferencing and stuff, and now it's overtaken, so yeah, at least as I see it.
G
They have waiting rooms now, all kinds of good candy for us, and I don't know, there's other things like Google is another system that is pretty proprietary, and we use all their products for organization.
G
Yeah, there's open, there's open collaborative software for e-notes and...
J
I don't think that the chat is recorded, so I shall put my Matrix address in there and you can contact me whenever you want.
L
I will quickly note that the LF is, I believe, working... the tools folks are working on setting up a Matrix service, so that may be available soon. I haven't checked through the details, but if you want to use a different tool, or tool sets, that's great, but you've got to propose it. We've got to get other folks on board. And with that, I've got to run to another meeting, so take...
J
Yeah, I think it's just as well that Element have put a lot of effort into making the interface feel familiar for those who are used to those platforms.
J
Quaternion, it's the KDE Matrix client.
J
Cool. It doesn't look nearly as pretty as FluffyChat and the others, but it works, and it works very reliably.
G
Yes, yes, yeah, yeah. I guess it's been a while since I used KDE platforms. Anyways, I'll reach out to you on Matrix. I'm sadly there, so we'll be donald.
G
All right, hop up to another meeting, so good meeting you, and see you on the interwebs. Likewise, goodbye.