►
From YouTube: Supply Chain Integrity WG (July 12, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
B
B
A
B
A
D
B
B
A
A
E
Yeah
I,
wasn't
there
I
didn't
read
the
I
did
read
the
notes
and
a
few
of
the
other
folks
who
were
there
largely
said,
like
the
supply
chain.
Integrity
stuff
is
good,
I,
think
the
which
is
one
of
the
comments
I
I
had
heard
from
folks,
but
it's
tangential
purely
to
this
is
they're
like
there's
so
much
stuff
in
the
open
ssf.
Now
that
they're,
really
it's
really
hard
to
sort
of
like
know
like
wait.
E
A
second
like
what
is
supply
chain
Integrity
working
group
working
on
that
makes
it
different
than
you
know
the
securing
you
know
critical
projects
working
group-
or
you
know
some
of
that
stuff,
which
I
think
is
that's
more
of
like
a
tack
problem
and
a
general
open,
ssf
problem
than
an
hour
problem.
Yeah.
A
A
There's
an
anonymous
wombat
and
then
Anonymous
Goose,
so
yeah
I
think
I
tried
to
read
through
the
notes,
but
it
didn't
really
say
anything.
It
just
said
you
know
the
FCI
working
group,
presentation
or
update,
and
then
I
gave
a
link
to
the
slides
which
we
read
ahead
of
time.
So
I
was
curious
about
the
any
of
the
conversations
that
were
happening
alive,
that
weren't
necessarily
captured
so,
but
it
seems,
like
you
know
they
weren't
anti.
What
we're
doing
otherwise
I
think
it
would
have
been
documented,
but
I
do
think.
A
There's
some
there's
some
working
groups
that
have
things
like
the
supply
chain
attack
framework
right.
Why
is
that
in
a
different
working
group?
Or
why
isn't
that
in
sci
working
group
right
so
that
that's
something
that
I've
been
noticing
like?
Okay,
well,
there's
a
whole
nother
group
that
has
supply
chain
attack
Frameworks
and
there
was
something
else
that
they
created.
That
said
supply
chain.
So
why
not
put
it
under
the
bigger
umbrella
of
supply,
chain,
integrity.
B
A
E
Or
yeah
I
was
actually
looking
to
maybe
get
a
call
with
omkar
just
to
kind
of
like
you
know.
This
is
just
more
of
like
from
a
personal
standpoint
of
like
hey,
you
know,
as
somebody
who
does
a
lot
of
stuff
in
the
openness
left.
Here's
just
some
general
thoughts,
here's
some
things,
I'm
saying
and
just
wanted
to
highlight
some
of
that,
but
yeah
I
think
the
the
main
things
are
great
like
which
I
think
is
is
something
I'm
hoping
comes
down.
Here
is
like
right.
E
E
E
Like
we
would
want,
at
some
level
the
attack
to
help
us
Define
our
scope,
right
like
we
want
to
Define
our
own
scope,
but
we
want
the
tech
to
at
least
say:
hey,
there's
a
little
bit
of
overlap
here
with
this
other
group,
and
that
makes
sense
just
stay
coordinated
with
that
group.
Right
like
that,
would
be
super
valuable
because
you
know,
as
we've
found
multiple
times
before
is
we
found
like
somebody
starts
doing
some
sort
of
threat
model
and
we're
like
wait
a
second.
E
A
A
A
A
So
it's
not
super
polished,
but
it's
better
than
us
doing
a
screen
share
right
and
recording
that
and
sending
it
off.
So
we
need
to
start
thinking
about
what
we
want.
I
know.
Institutional
trust
is
not
enough.
That
was
Marcella
that
wanted
to
work
through
that,
but
I'm
not
opposed
to
providing
feedback
for
either
of
these.
So
what
are
people's
thoughts
on
on
that.
E
E
Definitely,
we
should
have
some
of
these
things.
I
know
a
lot
of
folks
are
asking
for
something
like
some
webinars,
because
I
think
there's
like
a
little
bit
of
Beyond
The
Deep,
dive
and
salsa,
like
a
lot
of
folks,
are
asking
for
stuff,
like
they're,
really
asking
for
things
like
what
is
salsa.
Okay,
now
that
I
know
what
salsa
is.
Is
it
something
I
care
about
if
it
is
something
I
care
about?
Where
do
I
get
started
and
I
think
the
for
a
lot
of
folks?
E
E
I
think
over
time,
like
there's
a
separate
problem
in
some
of
the
things
that
I
think
we
had
discussed
as
well,
which
is
working
on
salsa
like
a
lot
of
folks.
There's
not
a
lot
of
tools
out
there
yet
right,
and
so
a
lot
of
folks
are
like
great.
But
how
do
I
do
this
on
Jenkins
right
and
the
problem
here
is,
like
you
know,
getting
a
bunch
of
volunteers
to
go
and
do
a
bunch
of
work
on
a
thing
that
maybe
they
don't
necessarily
really.
E
B
A
A
E
Yeah
yeah
so
well,
it's
so
there's
a
little
bit
of.
Why
do
I
care
about
salsa?
So
that's
one
thing
and
then
how
do
I
get
started
right?
Like
yeah,
you
know
a
basic
implementation
guide,
but
then
that
second
piece,
what
makes
it
that?
What
makes
that
a
little
complicated
is
everybody
has
different
needs
for
their
like
their
build
and
their
secure
build,
and
so
a
lot
of
folks
are
asking
stuff
like
hey
I
use
Jenkins.
E
How
do
I
do
this,
and
the
problem
that
we
found
is
even
though
a
lot
of
folks
are
asking
for
oh
we'd
love
to
have
a
salsa
implementation
guide
for
something
like
Jenkins.
You
know,
or
you
know,
team
City
great
who's
going
to
do
that
right,
like
a
lot
of
folks
right
now.
Are
you
know
if
there
is
somebody
in
the
community
who's
an
expert
in
Jenkins
and
would
be
willing
to
do
that
right?
E
E
A
A
So
we
could
potentially
do
it
internally.
We
can
do
like
LinkedIn.
We
can
do
the
any
any
slack
channel
on
open,
ssf
to
say,
hey
who's
interested
in
in
showing
this
off,
and
then
we
set
up
a
meeting
with
them
to
see.
If
it's
truly
what
we
think
it
is
right,
we
need
to
make
sure
they're
conforming
to
1.0
and
not
zero,
that
one
right
so
I
don't
know
what
thoughts
thoughts
on
the.
A
A
B
E
So
I
think
that
might
be
interesting
because
that's
actually
something
that
cncf
does
a
lot
with
their
like
people
will
often
record
videos
usually
for
stuff,
like
kubecon
of
like
what
are
like
the
latest
new
features
or
whatever
for
or
like
hey,
here's
a
new
project
and
what
what
is
the
scope
of
our
product?
What
is
our
goals
at
a
kind
of
like
you
know?
E
They
show
it
during
the
the
Keynotes
but
I
think
something
like
that
also
would
be
super
valuable,
just
to
kind
of
have
on
YouTube
as,
like
you
know,
for
folks
who
are
you
know
hey
once
again,
not
reading
or
whatever
or
just
you
know
like.
Where
do
I
get
start?
You
know
what
what
do
you
guys
do?
Oh,
okay,
cool!
You
know!
Here's!
Here's
that!
Here's
a
you
know
a
short
three
minute
YouTube
video
of
like
you
know
these
SEI
working
group.
E
A
A
So
what
else?
In
terms
of
because
the
use
cases?
What
we
want
to
be
careful
of
is
the
the
videos
not
being
too
long
so
are
we
gonna
have
to
break
it
up
into
different
stages?
It's
like
yes,
there's
a
how
to
get
started,
but
maybe
there's
a
how
to
get
started
a
b
and
c
for
each
of
these.
So
just
try
to
make
sure
that
we
again
think
of
the
micro
video
concept.
So
can
we
condense
the
how
to
get
started
in
five
minutes?
I'm,
not
sure
that
we
can.
A
B
A
E
A
E
E
It
is
sort
of
like
the
infrastructure
provider,
but
I
think
there's
going
to
be
so
actually
the
the
because
this
is
actually
something
that
came
up
a
few
times
in
some
of
the
conversations
is
that
like
there
is
some
overlap
between
producer
and
the
infrastructure
provider,
because
one
of
the
problems
is
like
hey.
If
you
have
a
company,
that's
not
going
to
be
using
a
service
like
so
they're,
not
going
to
be
using
GitHub
actions,
they're
going
to
be
using
their
own
thing,
then
they
are
both
producer
and
infrastructure
provider.
E
Unless
you
know,
depending
on
you
know
who
owns
the
stuff
internally,
you
know
you
might
have
a
different
department
owns
the
build
tool
itself
and
another
team
owns
the
usage
of
the
build
tool
because,
but
but
I
I
do
think
actually
at
some
level
actually
now
that
I
think
about
it,
the
infrastructure
provider,
because
the
infrastructure
provider
is
going
in
in
our
context,
right
I
believe,
is
not
just
purely
the
person
you
know.
So.
E
The
producer
in
this
context
is
the
person
who
is
writing
the
code
and
wants
to
use
a
salsa
build
right,
so
they
would
go
and
say:
okay,
I'm,
using
GitHub
actions
and
GitHub
actions
is,
is
also
conformant,
so
I
get
to
just
sort
of
use
that
and
I
get
salsa
provenance
right.
So
for
the
producer
and
there's
not
a
lot
of
stuff
there.
E
The
problem
comes
when
you
have
a
producer
who
also
runs
their
own
build
system
right,
so
I
think
that's
kind
of
where,
where
it
is
where
I
wouldn't
Focus
right
now,
at
least
on
the
infrastructure
provider,
who
is
the
like?
Okay,
you're
running
you
know,
you're
trying
to
develop
a
salsa
build
tool
as
a
service
like
I.
Don't
think
we
need
to
focus
too
much
on
that,
but
I
do
think
we
need
to
reach
out
to
folks
on
hey.
If
you
are,
you
know
running
a
build.
E
This
is
what
a
simple
build
looks
like
you
know
at
the
high
level
of
like
you
should
be:
securing
your
your
build
system,
whether
it
is
Jenkins
or
team,
City
or
GitHub
actions
or
whatever,
and
you
should
be
doing
these
things
and
then
you
should
be
generating
this
data
and
that's
kind
of
because
yeah
it's
gonna
be
super
easy.
If
it's
just
a
GitHub
actions
thing
right,
because
then
we
could
just
say
yeah,
you
use
GitHub
actions,
you
use
this
thing
and
you're
fine.
A
E
A
Right
now
we
know
we
can
do
a
salsa
build
with
GitHub
actions
right,
but
we
can't
just
go
Implement,
Jenkins
and
say
yeah.
We
can
do
a
salsa
build
with
Jenkins
I.
Don't
think
there
is
a
configuration
or
template
of
some
sort.
That
says,
if
you
use
this
you're
good
I
think
we
still
have
to
create
that
not
us,
but
in.
E
General,
yes,
yes,
yeah,
the
industry
or-
and
so
this
is
something
that
I
was
hoping
to
get
out
in
the
next
couple
of
weeks,
but
it
might
be
a
little
longer
now
was
so
I'm
working
on
a
tool
which
I
plan
to
open
source
that
would
just
sort
of
work
with
whatever
CI
tool
right,
which
would
split
up
CI
between
CI
and
the
build.
So
you
would
have
Jenkins
still
do
the
CI,
but
you
wouldn't
have
Jenkins
do
the
build.
E
E
Oh
sorry
go
ahead,
oh
so
yeah
because
I
think
the
thing
that
I
think
one
of
the
the
key
things
that
I
think
kind
of
comes
out
of
a
lot
of
the
the
issue
is
with
why
salsa
is
maybe
a
little
bit
more
complicated
for
certain
ecosystems
as
it
is
than
it
is
for
others
is
because
everybody
just
sort
of
loads
everything
into
just
purely
the
CI
and
like
okay,
my
you
know,
I
can't
move
off
of
Jenkins,
because
my
CI
system,
you
know
downloads
the
source
code
scans.
It
does
all
these
security
things.
E
So
that's
that's
one
of
the
the
key
goals.
I
have
and
I'm
mostly
done
with
something,
and
it's
also
mostly
done
with
something
that
would
allow
folks
to
plug
in
what
they
feel
is
comfortable,
whether
or
not
they
plug
in
a
container-based
build
or
they
plug
in
a
you
know,
secure
Enclave,
you
know
Intel
sgx,
you
know
super
secure,
build
or
they
plug
in.
You
know
just
a
VM
or
a
process
or
whatever.
E
E
So
if
they're,
like
hey
I,
want
to
add
this
new,
more
even
more
secure,
build,
great
salsa
consists
of
source
and
dependencies
as
inputs,
and
the
output
is
an
one
or
more
artifacts
and
a
salsa
attestation,
or
at
plus
other
things
like
an
s-bomb
or
whatever.
But
those
are
the
things
great.
As
long
as
I
have
an
API
like
as
long
as
you
sort
of
do
that
you
are
now
salsa
right
and,
and
then
it
becomes
whatever.
E
A
E
E
So
yeah
I
think
it.
It
does
two
things
one
is
you
need
to
sort
of
figure
out
like
if
you
use
a
service
or
something
like
that?
You
need
to
trust
with
you
know
which
service
do
I
trust
for
when
I'm
producing?
This
is
both
from
a
producer
and
a
consumer
standpoint
is
like
and
then
in
addition
that
you,
you
need
to
trust
whether
or
not
like
you
know,
especially
with
some
of
the
the
claims
of
like
hey
I,
ran
this
using
the
GitHub
actions,
Builder
great
well
when
I
consume
it.
E
Even
though
you're,
even
though
it's
salsa
I,
don't
trust
it.
You
know
or
whatever
right
I
think
that's.
Those
are
two
things
that
need
to
be
done
and
then
I
think
from
the
the
end
of
like
the
thing
I'm
building
as
well
is
like
yeah
different
folks
are
gonna,
say
different
things
right
where,
like
and
I,
think,
that's
kind
of.
Why?
E
When
thinking
about
the
build,
if
we
can
kind
of
keep
it
super
small
and
say
I
have
a
very
tiny
API,
that's
sort
of
like
a
Jenkins
itself,
but
all
it
can
do
is
run
salsa
builds.
So
you
don't
have
to
worry
about
like
well,
you
misconfigured
it,
and
so
it's
not
salsa
anymore.
It's
like
nope.
It
can
only
be
salsa
because
it's
only
configured
to
do
salsa.
So
if
you
tell
it
to
do
something
other
than
salsa,
it
just
won't
work
and
I.
Think
that
sort
of
thing
you
know
you
go
in.
E
You
say
great
now,
if
I
trust
that
you're
running
that
infrastructure
correctly
and
you're
not
lying
to
me
right,
because
anybody
could
lie
that
you
know
yeah
I'm
using
the
GitHub
actions
provider.
Are
you
really
or
are
you
using
something
that
looks
like
it
right?
It's
there's
lots
of
ways
to
sort
of
you
know
and
depending
on
you
know,
that's
where
some
of
the
other
trust
stuff,
like
the
anyway,
never
mind,
yeah
yeah,.
A
I
know
there's
a
institutional
trust
stuff
that
Marcelo
was
talking
about,
so
we
might
have
a
different
set
of
videos
about
trust
right,
and
so
we
can
handle
all
that.
But
at
least
you
know
we
might
say,
okay
for
this
demo
or
this
video,
you
have
to
assume
Trust
of
the
secure
Builder.
If
we're
gonna
use
your
ci2,
which
I
feel
like
by
the
time
we
do
release
this
video
it'll
be
available
so
that
we
could
show
something
like
this
off,
but
yeah
so
yeah.
This
is
some.
This
is
good
content.
A
A
E
We
might
wanna
like
at
a
very,
very
high
level,
just
sort
of
say:
yeah,
there's
also
going
to
be
VSA,
which
is
intended
to
be,
for
you
know,
consuming
elements
of
you
know
like
like
without
getting
into
too
many
details,
because
I
do
think
that
VSA
is
a
whole
other
set
of
things
that
take
some
time
to
to
rock
and
most
like
in,
and
the
other
problem,
too,
is
most
tools
right
now.
Don't
support
the
VSA.
A
E
E
That's
also
in
Toto
and
I
think
the
thing
that's
worth,
highlighting
at
least
on
a
high
level
is
we
don't
require
that
people
use
purely
in
total
attestations.
But
given
that
it's
the
thing,
it's
essentially
the
de
facto,
because
it's
what
we've
been
using,
that's
sort
of
where,
where
folks
have
been
focused
on
but
like
I,
think
it's
worth
at
least
highlighting
to
certain
folks,
like,
especially
if
you
have
large
organizations
that
are
like
look
I'm,
not
Distributing,
My,
Salsa
provenance
I'm
only
including
All,
My,
Salsa,
Providence,
internally
and
I'm.
E
A
E
E
What
is
the
subject
so
in
the
case
of
salsa
and
BSA,
it
would
be
like
here
is
the
thing
you
know:
here's
the
artifact
and
the
hash
of
the
artifact
that
I'm
talking
about
and
then
the
predicate.
In
this
case
the
predicate
would
be
either
VSA
or
salsa,
which
then
has
that
is
itself
like
a
specification
around.
Okay.
Here
are
the
the
the
the
keys
and
values
or
the
the
fields
of
the
document
of
that
I'm.
You
know
the
metadata
that
I'm
actually
expressing.
A
Okay
and
the
reason
why
I
ask
this
is
because
we
can
do
like
a
like
a
highlight
of
open,
ssf
yep
projects
to
do
the
verification
right,
and
so
we
can
do
a
quick
like
okay,
here,
six
store,
here's
in
Toto
and
then
we
have
salsa
prominence
right.
So
we
can
show
like
these
are
the
three
technologies
that
are
hooked
in
together
to
be
able
to
do
the
the
verifier,
so
that
could
be
kind
of
the
opening,
and
then
you
go
into
the
the
actual
use
case
scenario.
A
B
E
So
let's
just
assume
for
a
second
I.
Do
not
have
any
Builder
I
do
not
have
anything
I'm,
building
locally
right.
How
would
I
still
sort
of
generate
that
same
provenance
and
how
would
I
still
generate
it?
Just
let's
just
say
for
a
second
here
completely
manually,
so
that
somebody
who's
reading
through
this
goes
and
understands
the
concepts
of
like
oh
okay,
you're
filling
out
the
information
in
this
document,
then
you're
signing
that
document
and
then
you're
moving
that
document.
So
if
I'm
building
my
own
tool,
I
would
need
to
do
those
things.
E
I
would
need
to
pull
in
information
about
the
dependencies,
pull
in
information
about
the
source,
pull
in
information
about
the
build
command
and
then
run
that
in
a
secure
way
right
and
we're
not
going
to
talk
about
how
that
necessarily
gets
run
outside
of
like
here's,
maybe
a
shell
script,
just
to
kind
of
show
you
here's
it
actually
running
and
then
I
sign
that
document
and
then
I
publish
that
document.
So
somebody
who's
reading
through
this
can
go
and
understand.
Okay,
if
I
want
to
build
this
myself,
for
you
know
internal
CI
tool
X.
E
A
A
Yeah,
so
that
could
be
how
do
I
get
started?
Advanced,
basically
you're
rolling
up
your
sleeve
and
doing
it
all
on
your
own
okay,
so
I've
copied
that
and
I've
I
came
back
up
here,
because
I
was
thinking
well,
if
it's
just
salsa
in
this
part
and
again
this.
If
we
can
have
your
CI
tool,
we
can
mention
it
as
well.
A
If
there's
not
enough
for
the
opening,
we
can
also
talk
about
the
mobilization
plan
and
why
it's
also
or
or
link
back
to
the,
why
do
I
care
right,
but
I
do
think
we
should
have
like
a
opening
of
highlighting
something
at
the
beginning
to
set
the
stage
of
why
or
what
we're
we're
going
to
be
talking
about
Okay.
So
any
other
thoughts
from
folks
on
on
these
two
before
we
move
on
to
consumer.
C
No
one
thing
I
wanted
to
interject
on
Melba.
Is
you
know
you
you
keep
saying?
Oh?
Are
we
going
to
put
that
in
a
different
video?
A
lot
I
think
this
you
should.
You
know
you
should
kind
of
postpone
this
decision
process.
Look
at
the
kind
of
things
you
want
to
touch
on
and
then
maybe
it's
part
of
the
editing
afterwards.
A
Yeah,
no,
no,
that
that's
fair,
yeah
I
think
we're
we're
definitely
trying
to
keep
it
to
like
three
to
five
minutes.
We
want
these
to
be
micro,
videos,
so
I
think
yeah,
I
think
some
things
we
can
say
yeah.
This
has
to
be
a
different
video,
but
you,
you
know
you're
right,
like
some
of
this
stuff
right
here,
we
may
not
even
be
able
to
get
in
three
to
five.
A
D
C
B
E
E
So
you
end
up
with
both
the
long
form
content
for
folks
who
want
to
have
it
as
well
as
the
short
form
content
there,
so
that
you
know
you
get
it
in
multiple
different.
You
know
multiple
different
ways
where
it's
like
okay
yeah,
for
the
folks
who
just
want
to
bite
size
thing
great
here.
It
is
if,
for
folks
who
want
the
full
blast
of
like
here's,
an
hour-long
webinar
on
salsa,
you
can
also
consume
it
and
we
don't
have
to
let's
say,
remake
the
content
each
time
we
just
maybe
need
to.
E
E
A
Yeah
that
that's
a
good
point,
I'm
wondering
given
time
right.
I,
know
time
is
an
issue
if,
if
there's
like
an
hour-long,
video
and
I,
don't
know
that
we
even
have
a
time
to
do
an
hour-long
video
right.
We
we
have
three
minutes
like
okay.
Let's
just
do
this
little
piece
three
minutes,
but
to
like
set
up
the
whole
thing.
A
C
E
Yeah
and
I
think
this
is
is
highly
based
on
based
off
our
conversation
with
Jennifer
is
like.
If
openssf
could
provide
us
with
some
shares,
then
then
it
might
be
much
easier,
yeah
and
in
fact,
I
think
I,
probably
wanna.
If
we
could
get
an
editor
run,
the
idea
be
by
an
editor
and
say
hey.
We
would
love
to
sort
of
record
this
in
some
way
where
we
could
reuse
some
of
the
content
in
different
places
and
what's
the
best
way
to
do
that,
yeah.
A
Yeah
we
we
spoke
with
Jennifer
last
week,
they're
they're,
trying
to
hire
a
more
Advanced
video,
editing
person,
they're.
Even
thinking
about
you,
know
subcontracting
out
to
do
some
of
this
stuff,
including
like
webinars,
but
we
told
them.
We
don't
want
things
to
be.
We
don't
need
things
to
be
super
polished.
We
just
need
it
to
be
better
than
us
doing
a
screen
share,
and
so
she
thinks
that
they
would
be
able
to
help.
A
Yeah
and
I
as
I
posted
I
posted
this,
because
I
didn't
want
to
lose
sometimes
GitHub
or
reset
or
something
on
me
and
then
I
lose
everything
that
I
typed
up
so
I
posted
it
so
not
to
lose.
It
and
Josh
said
I
thought
about
this,
but
I
understand
why
we
need
to
postpone
it.
You
know:
should
we
focus
on
infrastructure,
infrastructure,
provider-centric
messaging?
To
start
it's
the
ideal
path
to
adoption
is
enabling
a
few
feature.
Your
existing,
tooling
and
infrastructure
has
implemented
so
thoughts
on
that.
D
A
C
B
B
A
E
Those
two
are
potentially
linked
because
the
producer
says:
hey:
I
want
to
provide
salsa
at
a
station,
so
I'm
gonna
either
build
infrastructure
or
use
an
infrastructure
provider
who
can
provide
salsa
attestations
and
then
a
consumer
is
going
to
say:
hey
I
want
to
use
salsa
I
mean
I,
want
to
use
salsa
backed
software,
so
I'm
going
to
go
and
pick
either
a
verification
service
or
a
verification
tool.
Most
likely.
You
know
to
sort
of
do
that
verification.
A
D
Yeah,
so
that's
the
consumer
role
itself
is
very
it's
awkwardly
defined
because
it's
the
part.
Reading
the
description
we've
got
a
party
that
uses
software
provided
by
producer
May
verify
Providence
for
the
software
they
consume.
We
delegate
yada
yada,
whereas
the
verifiers
saying
in
the
sample
case
it's
talking
about
business
software
ingestion
system
and
when
I
see
that
I'm
thinking.
Okay,
that's
that
kind
of
fits
it
on
that
one
side
to
me
when
I
look
at
that
example,
but.
A
D
B
D
B
A
New
project
right
think
of
a
brand
new
project.
It
doesn't
have
anything
right.
The
source
is
all
custom.
It's
not
relying
on
anything
outside
right
that
that
is
the
producer,
creating
that
software,
so
if
you,
if
it
doesn't
have
any
outside
dependencies
or
any
projects,
this
this
whole
process
could
be
the
producer
doing
this
to
generate
that
new
software.
B
C
D
C
A
Yeah
I
think
the
reason
why
it's
true
on
this
way
is
because
in
theory,
you
should
pull
your
dependencies
during
build,
not
necessarily
from
the
internet,
but
you
should
you:
shouldn't
necessarily
have
to
have
your
dependencies
in
the
source
file
sure,
but
you
wouldn't
actually
have
that
code
or
that
package
until
build
time.
I.
Think
that's
why
it's
built
this
way,
but.
C
D
D
A
B
A
A
A
B
C
I
can
always,
and
the
thing
is
the
thing
is
the
consumer
and
the
Very
fire
are
not
often,
you
know
exclusive
right.
It's
often
the
same
as
the
consumer.
You
want
the
consumer
to
act
as
the
fifth
guy
or
as
part
of
the
consumption
of
the
artifacts
they
want
to
use,
and
so
I
think
what
I
would
want
to
say.
But
the
consumer
is
mostly
already
addressed
in
the
verifier
part.