►
From YouTube: Supply Chain Integrity WG (July 5, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
B
B
C
A
D
A
A
A
B
C
E
E
Okay,
so
please
add
yourself
to
the
the
attendees
list
in
the
in
the
the
agenda
document
and
we
will
get
started
in
about
one
minute.
I
was
welcoming
new
friends,
and
then
we
can
work
our
way
down
the
agenda
and
I
want
to
start
off
by
actually
saying
thank
you
to
Mr
Liebman
for
sharing.
Last
last
time's
meeting
I
was
out
on
vacation
and
it
was
extremely
relaxing
and
very
nice
to
know
that
things
were
so
superbly
covered.
While
I
was
gone.
E
C
E
That
is
just
fine.
We
don't
have
any
new
friends.
I
want
to
introduce
themselves
no
problem,
so
we
can
get
started
with
the
agenda.
I'm
actually
going
to
do
a
little
bit
of
reordering
here.
Let's
move
guac
up
I
think
we
talked
about
this
a
little
bit
less
time.
I
wasn't
here,
I'd
love
to
get
Mike.
If
you
could
give
us
a
readout
one,
so
I
there
are
two
parts
to
this.
That
I
understand
it.
E
Like
part
number
one
is
hey,
there's
donating
what
you
know
the
best
code
in
guacam,
so
that
you're,
bringing
guac
into
ssf
requires
a
an
LF
legal
review
and
trademarks
and
all
kinds
of
legal
stuff.
Just
in
terms
of
the
mechanics
of
bringing
in
the
darkness
and
stuff
at
all
and
I.
Understand
that
that's
in
process,
one
of
the
things
I
I,
don't
have
a
great
understanding
for
at
the
moment
is:
is
there
stuff
which
this
working
group
supply
chain?
D
The
tack
then
approves,
and
then
you
go
to
the
working
group
for
a
final
vote.
I'm
not
100.
Sure
on
that.
I
do
believe
that
the
idea
is
to
get
consensus
from
the
working
group
that
it
is
worthwhile
to
be
accepted,
but
I'm
not
exactly
sure
what
the
the
exact
timeline
is
there
Arno
do
you
have
any
sort
of
details?
Well,.
F
So,
no
so
I
think
the
reality
is
what
you
describe
and
and
I
don't
think
we
have
enough
experience
to
know
the
exact
process.
I'm,
not
surprised
the
the
process
has
barely
been
used
so
far.
It
was
developed
about
a
year
ago
and
we're
still
trying
to
you
know
figure
out
what
it
means.
I
think
you
know
both
cases
can
happen.
Actually
you
may
face
a
case
where
somebody
says
hey:
we
have
this
project
there's
enough
interest.
F
We
think
it
should
come
to
open
ssf,
but
we
don't
know
where
to
go
and
they
go
first
to
the
attack
and
then
the
attack
might
have
recommendations
on
where
to
go,
but
I
think
in
this
case
it
makes
sense
to
come
with
the
recommendation.
With
the
from
the
working
group
saying
this
working
group.
We
talked
to,
they
accept
us.
So
this
is
the
proposal
that
you
put
before
the
attack.
E
Got
it
that
that
makes
sense,
so
I
think
I
recall
some
of
this.
You
know
we
have
some
similar
ambiguity
when
s2c2f
came
in
and
there
was
there
was
I
I.
Remember,
s2c2f
was
in
high
demand
across
a
number
of
working
groups,
including
end
users,
I
think
maybe
best
practices
and
supply
chain
Integrity,
and
so
there
was
there
was
even
contention
for
for
what
working
group
that
would
end
up
in.
E
It
seems
to
me
like,
as
I,
understand
it
in
my
correctly,
if
I'm
wrong,
like
work,
has
a
desire
to
to
join
the
sea
working
group
C,
it's
the
greatest
Synergy
there
I,
you
know
my
take
is
yes,
it
seems
to
me
to
be
a
great
fit
if
I'm
looking
back
at
their
Vision
doc,
which
we've
been
working
on
for
the
the
last
six
months.
You
know
one
of
the
you
know
one
of
the
top
level
elements
of
the
vision
was
Upstream
security
practices
universally
valuable
by
a
downstream
automation.
E
So
it
seems
to
me
that
guac
is
an
example
of
that
Downstream
automation,
looking
to
evaluate
Upstream
security
posture,
better
part
of
what
block
is
doing,
and
so
it
seems
to
me
that
the
guac
is
a
great
fit
within
the
SEI
working
in
group
Vision,
but
I'd
love
to
hear
from
from
others
if
they
have
more
on
that
or
objections
or
ideas
for
for
work.
What
might,
alternatively,
belong
in
over
ssf.
E
E
E
So
I
think
you
know,
I
will
do
another
call
for
you
know,
objections
comments,
anything
I'll
do
that
on
the
mailing
list
and
in
the
slack
for
completeness,
but
unless
there
are
objections
or
strong
feelings
against
this
idea,
I
think
we
can
consider
that
that
guac
is
a
good
fit
for
sea.
Oh
no!
Go
ahead!
Yeah.
F
D
Yeah
so
I
mean
I
think
there's
a
lot
of
different
groups
that
could
potentially
fall
under.
So,
for
example,
there
is
the
well,
it
depends
on
the
scope.
A
little
bit.
I
think
this
one
is
probably
the
one
where
it
like.
If
we
have
the
Venn
diagram,
it
overlaps
with
stuff
under
this
group
a
little
bit
more
than
some
of
the
other
groups.
But
there
is
like
the
securing
software
repos
group
because
hey
that's
kind
of
doing
a
lot
of
stuff
on
on.
D
F
Thank
you
for
entertaining
my
question
because
I
can
tell
you
I
I,
understand
the
argument
you
made
for
each
of
those,
but
I
think
SCI
is
better
than
any
one
of
those
yeah
I
think
it's
it's
a
great
exercise
because
it
makes
me
feel
like
okay.
This
is
not
just
a
fluke,
we're
not
saying
oh
yeah,
this
one.
Why
not
I
actually
think
I,
don't
know
how
other
feels,
but
other
people
feel,
but
I
think
this
is
better.
So
thanks,
yeah.
D
And-
and
we
did
a
little
bit
of
a
road
show
to
a
couple
of
the
other
groups
as
well:
I'm
blanking
on
all
of
them,
but
we
went
to
the
end
user,
working
group
and
some
others
just
to
kind
of
talk
about
what
we're
doing
and
just
kind
of
you
know
feel
out
a
little
bit
of
this,
and
you
know
we.
We
know
that
also
at
some
level
the
there's
a
lot
of
overlap
between
the
groups,
but
this
one
seemed
to
be
the
the
best
fit.
E
E
I
will
you
know,
cross
the
t's
and
Dot
the
eyes
on
just
making
sure
that
we've
surveyed
maximally
so
for
feedback
and
people's
opinions
on
this
I'll?
Go
to
the
mailing
list
and
slack
I
put
in
notes
where
we're
at
today
with
this
group,
but
I
want
to
make
sure
that
we're
maximally,
inclusive
and
really
hear
from
everyone
who
has
an
opinion
on
this
so
I'll.
E
Take
that
up
and
awesome
I
mean
I,
I
I
think
it
will
I
think
it'll
be
a
great
fit
and
I
mean,
as
you
know,
Mike
I'm,
a
big
four
fan
of
guac
and
I.
Think
it's
got
a
wonderful
future.
So
next
item
I
had
on
the
agenda
was
we
have
a?
We
have
a
quarterly
review
with
the
TAC
next
week.
This
is
snuck
up
on
us
all.
E
A
E
Got
it
and
I
sent
the
so
about
a
month
ago
we
actually
do
store,
went
on
vacation
I
sent
the
the
shot
of
the
kind
of
the
vision
document
that
we
have
to
the
attack.
I
know
at
least
one
person
looked
at
it
because
Crow
jumped
into
the
document
added
a
couple
of
comments.
Apart
from
that,
I
didn't
get
anything
back
from
the
tech,
but
yes,
I'd,
like
to
take
that,
and
and
and
put
that
probably
up
front
in
the
deck
is
something
that
we
want.
E
Action
from
them
on
is
is
formal
thumbs
up
that
you
know
they've
at
least
scanned
the
thing
and
they
think
it's
reasonable,
and
then
we
can
move
forward
under
the
Aegis
of
attack.
Appreciation
of
that
thing
on
salsa
I
want
to
talk
about.
You
know
1.0,
where
we
are
futures
which
will
be
build
level
four
and
other
tracks,
so
I
think
there's
there's
kind
of
a
vertical
and
a
horizontal
expansion
of
salsa,
which
we
can
imagine
over
time.
E
E
E
E
E
The
only
other
thing
we
we
might
want
to
talk
about
to
the
tech
with
about
this
working
group
is
Fresca.
Do
we
have
anything
we
want
to
say
I
had
I
confess
like
molestown,
we
spoke
Mike
I,
think
we
were
struggling
with
with
resourcing
in
terms
of
we
had
lots
of
ideas,
but
in
terms
of
like
hands
on
keyboards
people
writing
code.
We
were
a
little
late
on
that
front.
Is
that
still
the
case.
D
A
little
bit,
and
after
some
conversations
at
stuff
like
the
open
source,
Summit
and
some
other
things,
a
lot
of
the
feedback
we
had
gotten-
and
this
is
just
generally
from
folks
who
have
been
looking
at
Fresca
and-
and
these
are
folks,
some
of
the
folks
have
been
on
this
call
as
well
is,
is
you
know?
Fresca
is
a
pretty
good.
D
You
know,
example
of
an
implementation
of
an
architecture,
but
as
far
as
like
an
actual
tool
that
people
would
deploy
and
would
want
to
use
in
a
really
kind
of
ongoing
basis.
That's
probably
not
the
case,
and
so
with
that
said,
right
like
there
could
still
be
opportunities
for
Fresca.
You
know
once
every
few
weeks
somebody
pings
me
about
like
hey
I,
was
checking
out
this
thing
with
Fresca,
but,
like
we
haven't
really
gotten
a
lot
of
traction
on
it.
D
E
D
You
think
about
that,
so
I
wouldn't
say
the
basis.
What
I
think
is
what
I
would
imagine
is
if
we
take
the
Sterling
tool
chain
as
an
architecture.
The
Sterling
tool,
Chain
by
an
architecture
I
mean
like
an
actual
high
level
design
right.
You
know
something
like
Busca
could
be
an
implementation.
At
the
you
know
an
implementation
of
the
the
build
capability
right.
E
Absolutely
and
I
mean
it
kind
of
feels
like,
and
some
of
this
is
you
know,
work
I
have
ongoing
in
the
the
Google
open
source
security
team
space
as
well.
It's
trying
to
think
of
what
what's
yeah.
What's
what's
that
kind
of
concept
level
articulation
of
the
sdlc,
where
you
can
say
Okay
I,
want
to
you
know
plug
in
a
different
build
here.
E
We
have
a
number
of
ideas
of
how
you
might
run
a
tool
chain
left
or
right,
but
then,
once
you
look
at
wanting
to
swap
different
Technologies
into
each
capability
spot
and
that's
when
to
your
point,
we're
like
or
what
are
the
apis
and
how
do
I
discover
this
also
Providence,
and
where
is
this
thing
stored
and
is
it
aside
car
or
you
know,
we
have
all
those
types
of
problems,
I
think
so
this?
This
is
great.
E
This
gives
me
raw
materials
to
to
do
a
Fresca
slide
too,
so
in
hopefully
by
the
end
of
tomorrow.
I'll
circulate
a
draft
deck.
If
folks,
just
look
at
that,
Jay
I'll
tag
you
in
it
as
well
for
stc-12
Content,
and
we
can
take
forward
the
tech
review
there
and
with
that
Melba
you're
up
I
know.
You've
got
to
go
a
half
past,
so
I
want
to
give
you
your
seven
minutes.
I.
A
A
I
cannot
edit
and
I
created.
This
calendar.
Invite
I
can't
edit
the
calendar.
Invite
anymore,
which
is
fantastic,
so
I
can't
fix
that.
But
apparently
one
of
the
docs
is
is
not
correct
in
the
meeting.
Invite,
so
I'll
have
to
talk
to
operations,
to
figure
out
why
I
can't
edit
my
own
calendar,
invite
but
yeah
there.
There
are
a
few.
This
one
is
assigned
to
you
and
Jay,
because
I
can't
attend
the
tech
meetings.
A
E
That's
great,
thank
you.
Mother
and
thanks
I
mean
it's
I,
appreciate
the
work
that
you're
done,
creating
with
the
branches
and
closing
the
old
issues
and
doing
the
charter,
and
so
on.
It's
it's
valuable,
but
that
goes
unmentioned.
I,
don't
notice
too
much.
So
thank
you
for
that.
It's
definitely
appreciated
and
then
Jen
Bly
in
terms
of
like
does,
does
Jennifer,
have
resources
to
help
with
copy
editing,
and
you
know,
building
content
or
is
she
just
kind
of
opener
since
I've
come
say
how
should
I
think
about
Jen's
role.
A
C
C
A
A
An
edit,
and
so
she
said
that
they
were
discussing
having
that
talent
in
their
staff
and
they
don't
in
terms
of
video
editing
capability
so
that
she's
going
to
bring
it
up
at
the
next
staff
meeting
on
the
side.
We're
going
to
have
a
conversation
of
what
they
could
potentially
help
with.
So
I'm
gonna
talk
to
her
about
what
we're
looking
to
do
to
see
if
they
could
assist
but
I'm,
not
sure.
As
of
yet.
C
E
H
D
Yeah
well,
actually,
right
before
that,
I
did
what
I
also
comment
that
you
know
I
think
the
the
ls
does
seem
pretty
interested
from
what
I've
been
talking.
You
know
also
about
the
sort
of
whether
it's
micro,
video
content
and
yayada
and
I
think
they
might
even
be
willing
to
if
poking
them
to
maybe
even
pay.
Just
an
external
company
to.
B
D
You
know,
especially
given
that
I
believe
some
of
it
can
be
tied
back
to
pulling
in
more
end
users
as
paying
members,
so
I
think
that
that's
a
thing
that
that
they're
looking
for
but
yeah
so
anyway,
so
one
of
the
things
I
think
that
had
got
broadened
up
it's
nothing
necessarily.
We
need
to
you
know,
act
on
right
now,
but
it's
something
that
I
believe
some
folks
have
been
starting
to
talk
about.
D
D
Providence
type,
you
know
a
metadata
document,
but
the
thing
that
people
are
saying
is
like
hey,
depending
on
what
Builder
I
use,
I
have
a
different
way
of
consuming
it
and
and
those
sorts
of
things,
and
so
I
think
books
are
starting
to,
like
folks,
have
been
starting
to
ask
about
stuff
like
how
do
I
consume
this
stuff?
How
is
how
do
I
start
consuming
these
things?
From,
like
a
library
perspective?
D
Is
there
a
consistent
sort
of
apis
when
we
look
at
something
like
a
sterling
tool
chain,
standpoint
of
like
the
supply
chain,
Integrity
piece
of
like
Hey?
How
do
I
know
that
I'm?
You
know
you
know
conformant
with
S2
c2f
in
an
automated
way
and
and
those
sorts
of
things
and
then
also
with
stuff
like
guac
coming
down
the
line,
guac
wants
to
be
able
to
just
sort
of
say:
I
don't
want
to
have
to
you
know
in
guac.
We
don't
want
to
have
to
create
like
well.
D
D
F
Yeah
I
was
wondering
I
mean
Mike.
Did
you
look
into
CD
CD
events?
So
City
events
is
a
is
kind
of
like
a
it's
for
it's
from
the
a
sister
project,
the
Linux
Foundation,
the
CD
Foundation,
which
focuses
on
continuous
delivery,
and
they
have
developed
a
specification
for
events
related
to
to
to
the
the
build
and
the
continuous
delivery,
and
they
are
actually
started
getting
the
momentum
among
tool
developers
to
get
support
for
CD
events
built
into
the
different
tools.
D
You
know
somebody
runs
a
build,
that's
a
CD
event
and
part
of
that
CD
event
of
the
output
of
that
build
could
be
here's
a
collection
of
metadata
documents,
and
here
are
the
metadata
document
types.
So
it
should
give
you
a
salsa
document
and
you
can
go,
and
you
know
be
like
okay.
Well,
since
I
have
a
salsa
document,
ingester
I
should
just
be
able
to
pull
anything
using
that
which
I
think
is,
is
super
super
valuable
and
so
yeah
yeah
definitely
poking
around
with
it.
D
I
F
D
Yeah
and
for
folks
who
aren't
familiar,
it's
essentially
like
it's
like
a
subset
of
cloud
events.
So
it's
like
Cloud
events
that
have
a
scheme
you
know
have
been
structured
specifically
for
sort
of
sdlc
hype.
Events
so
builds
permits,
deployments
that
kind
of
thing
and
there's
also
discussion
about
either
to
create
something
like
security
events
or
to
like
which
would
be
itself
a
subset
of
cloud
events
or
to
say
that
CD
events
themselves,
there
might
be
a
like
a
category
of
CD
events
being
something
like
security
events.
F
D
F
F
Of
the
names
you
mentioned,
they're
your
the
problem
is,
they
often
are
specific
to
one
programming
language
and,
in
this
case,
I
think
one
of
the
biggest
challenge
we
have
with
the
Sterling
tool
journey
is
to
make
something-
that's
broadly
applicable
across
all
the
different.
You
know,
programming,
languages
and
environments.
So
I
think
this
one
is
that
Advantage,
but
thanks.
E
E
You
know,
gather
intelligence
about
upstream,
and
that
applies
to
artifacts,
so
hey
I
want
to
look
at
Salt's,
Providence
or
S
farm
I
want
to
look
at
you
know
when
this
build
occurred
or
what
artifacts
went
into
that
build
like
some
of
the
things
I
may
want
to
be
interested
in
Upstream
of
me
includes
things
like
I
maintain
was
added
to
this
open
source
project.
That's
a
relevant.
You
know
a
relevant
event
to
me.
Assessment
security.
E
There
or
you
know
maybe
a
maintainer
wasn't
out
of
the
project,
but
maybe
the
email
domain
of
one
of
the
exchange
expired
and
was
re-registered
right,
which
is
some
kind
of
identity.
Takeover
risk
like
to
see
the
events
or
does.
Does
your
consideration
of
this
space
like
include
those
type
of
events
as
well?
The
kind
of
Project
Specific
events
rather
than
CD
specific
events.
H
D
D
I
would
need
to
kind
of
take
a
closer
look
to
kind
of
see.
Would
it
support
that
because,
like
you
know,
Cloud
events
itself
is
supposed
to
be
very,
very
broad?
It's
just
kind
of
like
any
sort
of
event
you
might
think
of
which
of
course
leads.
You
know,
because
there's
there's
the
balance
right.
It's
if
you
go
so
broad,
it
becomes
very
difficult
because
all
the
various
tools
will
need
to
implement
all
you
know
every
you
know
you
lose.
E
D
Lot
of
the
interop,
because
every
single
client
will
have
to
say
well
I
support
this
type
of
message,
but
not
that
one
and
so
on
and
so
forth,
right,
whereas
CD
events
being
a
subset,
okay,
cool.
This
is
a
very
structured
set
of
like
10,
Things,
I
support
or
whatever
with
that
said,
I
think
it's
probably
worthwhile
to,
and
this
is
some
stuff
that
I
know
that
they're
I
think
interested.
D
E
Take
a
closer
look
at
CD
events:
I've
not
looked
at
it
closely
in
a
while
and
I.
Think
to
you
I
mean
your
point
is
a
good
one
right,
but
I
think
there's
a
in
any
other
aspect.
There's
going
to
be
some
balance
struck
between
syntax
and
semantics
right.
Do
we
Define
an
abstract
syntax
which
can
encode
any
possible
events
but
like
that
remains
unspecified,
or
do
we
say
we're
gonna?
E
D
Yeah
and
and
I
think,
because
at
the
end
of
the
day,
we
do
want
to
support
all
of
that
right
and
whether
or
not
some
of
these
things
is
like
a
subset
of
CD
events
or
a
sub
like
I.
Imagine,
it
would
probably
just
be
another
type
of
cloud
event.
Whether
or
not
it's
a
type
of
CD
event
or
a
type
of
cloud
event
is,
is
a
different
sort
of
story.
Right
I
would
say
most
likely.
D
It
would
probably
be
a
CD
event,
and
you
know
we
might
just
say
that
you
know
here
are
categories
of
CD
events,
because,
like
the
thing
right,
the
that
is,
you
know
the
biggest
challenge.
I
think
right
now
that
we're
running
into
with
some
of
the
salsa
tools
is
salsa.
There's
it's
very
Broad
in
how
you
might
be
able
to
build
this
to
build
a
salsa
Builder
right.
D
It's
very
broad,
there's
outside
of
just
sort
of
saying
here
is
the
structure
of
how
it
gets
built
of
the
the
document,
the
actual
metadata
document-
there's
not
a
lot
in
in
terms
of
like
here's,
how
you
should
build
it,
here's
how
you
should
integrate
it!
Blah
blah,
and,
and
so
when
it
comes
to
like
and
then
also
when
it
comes
to
those
Builders
right,
there's
currently
no
standardization
around
distribution.
You
know
in
certain
cases
the
Builder
pushes
it.
D
You
know
in
the
case
of
the
GitHub
stuff,
the
Builder
will
push
it
as
a
part
of
the
release,
we'll
push
it
as
an
artifact.
That
is
part
of
that
release.
In
the
case
of
tecton.
It
can
push
it
to
the
oci
image.
It
can
push
it
to
mongodb
and
other
document
databases.
It
can
push
it
as
an
annotation
to
to
the
kubernetes
cluster
and,
at
the
end
of
the
day,
though,
like
those
are
all
sort
of
very
different
ways
of
of
doing
it,
and
is
there
like
something
like?
D
D
So
it
could
get
pushed
to
something
as
a
CD
event,
or
it
could
push
the
CD
event
to
a
log
stream,
and
then
you
know
subscribers
on
that
log
screen
stream
can
then
push
do
whatever
they
want
to
it
right,
I
think,
there's
there's
a
lot
of,
and
once
again
these
also
come
with
their
own
trade-offs
right,
one
is
a
little
simpler.
The
other
one
you
know
requires
somebody
to
have
an
event
based.
You
know,
setup.
B
E
D
I
think
the
the
big
things
I
would,
you
know,
besides
obviously
I
think
some
of
the
stuff
that's
happening
in
the
Sterling
tool
chain,
which
is
trying
to
figure
this
out
at
a
very,
very,
very
broad
level
of,
like
you
know,
with
the
idea
of
the
city.
My
understanding
from
the
Sterling
tool
chain
side
is:
if
we
end
up
going
this
route,
what
would
happen
is
at
the
entire
sdlc
would
have
a
set
of
CD
events
or
similar.
D
D
Not
tracking
what
everybody
downloads,
but,
but
like
okay,
you
know,
okay,
that
that
gets
that
becomes
a
CD
event.
Somebody
pushing
out
their
code
becomes
a
CD
event.
They'll
go
the
code,
getting
put
you
know,
built
gets,
you
know,
becomes
a
CD
event
and,
and
all
those
you
know
things
you
described
of
hey
a
new
person
gets
added
to
a
project.
D
It
gets
scanned,
it
generates
an
s-bomb.
All
these
things
would
probably
be
events,
so
I
think
the
the
things
that
I
think
I
know
would
help
me
with
some
of
the
stuff
that
we're
looking
at
and
doing
is,
is
really
trying
to
understand
like
what
are
the
things
that
people
are
looking
for
for
here
like
like
what
are
their
big?
What
are
the?
What
is
the
biggest
concern
like?
Even
if
it's
you
know,
I,
don't
necessarily
need
to
think
that
it
has
to
be
a
particular
event
at
this
point.
D
But
if
somebody
said
hey,
my
biggest
issue
is
I.
Don't
know
like
from
a
supply
chain,
Integrity
standpoint
like
oh,
when
I
download
a
dependency
I,
don't
know
where
it
came
from.
Oh
okay,
cool,
that's
probably
maybe
the
number
one
security
you
know
event
or
you
know
in
in
terms
of
this
particular
group.
D
What
I
look
at,
for
example,
salsa
and
s2c2f
I'm,
looking
at
like
how
do
I
bridge
the
gap
there
and
some
of
it
could
be?
If
you
know
we
start
to
talk
about
s2c2f
and
S,
having
S2
c2f,
you
know
being
able
to
say
hey
the
tools
use
something
like
CD
events.
Great
I
can
prove
s2c2f
conformance
because
I'm
getting
all
the
right
events
right.
E
That
makes
sense.
Yeah
that's
interesting,
yes,
I
mean
until
like.
We
need
to
think
through,
like
kind
of
what
is
the
what's
the
attestation
format
first,
is
you
definitely
need
to
look
like
and
how
to
regenerate
that
automatically
and
whether
the
trust
anchors
need
to
be
for
the
for
that
attestation,
but
to
your
point,
like
you
could
imagine
you
know,
being
able
to
validate
the
correct
stream
of
events
happened?
It
wasn't
just
that
like
important
dependency,
but
then
I
saw
the
vulnerability
scan
happen.
Then
I
saw
the
s-bomb
being
stored.
E
H
Yeah,
when
I
think
to
the
challenge,
though,
I
see
the
other
side
of
this,
which
is
that
sure
we
want
to
have
the
attestations
and
someone
watching
and
make
sure
that
everything
happened
right.
But
the
other
side
is
that
we
actually
want
to
know
that
our
pipeline
isn't
vulnerable
to
someone
merging
a
merge
request
with
only
one
approver
on
it.
And
so
it's
not
enough
just
to
get
a
report
that
hey
someone
pushed
that
up
there,
and
there
was
only
one
approval
on
the
merge
request.
F
I
think
that's
true,
but
at
least
at
the
organization
level
you
can
then
enforce
some
policies
that
check
that
you
know
all
the
the
right
things
have
happened
in
the
right
order
and
so
on
so
yeah
it
may
not
scale
to
the
whole
industry.
You
still
ex
you
know,
depend
on
other
pieces
in
the
chain
to
to
do
the
right
thing
or
the
parties,
but
at
least
at
your
level
you
can
do
better
than
if
you
don't
have
that
kind
of
system.
So
yeah.
H
I
was
gonna,
say
it's
getting
the
vendor
buy-in
on
some
of
those
things
like.
Are
you
going
to
get
a
CD
event
out
of
git
lab
when
someone
does
a
merger
you're
going
to
get
a
CD
event
out
of
some
security
scanner
that
says,
hey
I
did
an
ingestion
on
this
open
source
thing
into
this
repo
here.
So
now
you
know,
that's
been
pulled
in
correctly.
It's
it's
gonna,
be
a
lot
of
work
to
make
that
happen.
E
I
I
agree:
I
mean
at
a
super
high
level
like
I,
began
to
conceptualize
this
as
kind
of
a
what
we
need
is
almost
a
supply
chain
control,
plane
right
where
hey
we
and
the
supply
chain
control
blend,
you
could
imagine
being
like
kind
of
there's
a
metadata
substrate
that
each
actor
in
a
supply
chain
is
publishing
data
into
that
substrate
and
then
at
any
point
in
the
supply
chain.
You
can
pull
data
from
the
metadata
substrate
and
evaluate
it.
For
some.
H
D
The
stream
would
obviously
have
to
come
in
via
some
sort
of
event
bus,
but
the
the
the
idea
would
be
that
all
of
those
you
know
where
the
idea
is
is
guac
would
potentially
be
that
data
plane
or
walk
in
a
combination
of
things,
because
the
thing
that
folks
are
looking
at
right
is
is
that
you
need
to
have
you
know
one
of
the
biggest
things
you
know.
One
of
the
biggest
questions
that's
been
asked
is
like
okay
where's,
the
data
right.
You
know,
if
you
don't
have
the
data.
D
How
are
you
making
these
supply
chain
decisions
and
a
lot
of
times?
You
know
the
data
doesn't
exist,
and
so
that's
a
big
concern
and
then
addition
to
that
yeah.
The
supply
chain
control
plane,
which
my
company
is
also
working
on
and
and
I,
think
the
thing
for
it
is
we're,
looking
actually
hoping
right
for
the
Sterling
tool
chain
to
also
describe
the
API
of
what
this
control
plane
might
look
like,
and
then
you
know,
different
vendors
could
Implement
that
the
way
they
see
fit.
D
D
The
big
question
that
people
say
is
like
oh
I'm
I
have
an
agent
on
there
on
every
developer's
workstation,
but
the
policy
that's
baked
into
the
agent
is
very
different
than
the
policy
that
happens
at
build
time
or
ingestion
time
or
run
time
and
there's
no
like
overall
arching
like
policy
that
says
hey
in
Dev
environments.
You
should
be
doing
this
in
production
environments.
You
should
be
doing
that
in
you
know,
on
a
developer's
workstation.
E
That
would
be
awesome,
so
what
I'll
do
I
said
with
your
permission,
is
I,
will
kind
of
propose
an
agenda
item
for
this
time.
Tag
you
in
that,
if
you
can
bring
it
next
time
great,
if
you
need
another
a
month
or
something
that
that's
great
but
I'd
love
to,
have
you
bring
it
to
this
group,
make
it
all
look
at
it.
Thank
you,
yeah.
D
Thoughts
like
Marcela
and
other
people
is
like
one
of
the
biggest
challenges
with
something
like
this
being
a
control,
plane
is
usually
I
would
say
most
organizations
some,
obviously
very,
very
large
organizations
might
have
multiple
sdlcs,
but
most
organizations
I
think
have
one
stlc,
whereas
a
lot
of
organizations
can
have
multiple,
for
example,
runtime
environments
with
their
own
control
planes
and
yada
yada.
So
I'm
curious.
D
You
know
when
it
comes
to
something
like
this.
It's
like
when
you
think
about,
like
a
supply
chain,
control,
plane,
you're
thinking
about
controlling
from
as
far
left
of
the
developer,
as
you
can
in
the
case
of
Open
Source,
it's
just
where
they
push
the
code,
but
in
the
case
of
like
an
organization,
an
employee
or
whatever,
you
might
even
be
controlling
their
their
workstation
and
then
as
far
right
as
potentially
run
time,
because
you
want
to
validate
that.
D
The
only
things
that
are
running
in
production
environments
are
the
things
that
went
through
your
you
know:
supply
chain,
control,
plane,
and
so
that's
a
whole
lot
of
stuff,
which
I
know
is
also
one
of
the
problems
with
a
little
bit
of
the
Sterling
tool
chain.
Is
that
if
you
look
at
it
right,
the
Sterling
tool
chain
is
kind
of,
like
all
software
development
from
end
to
end
is
is
kind
of
a
very
broad
scope,
so
I'm
curious.
What
folks
thoughts
are
on
like
do
folks
agree
with
that.
D
E
You
know
it
feels
to
me
it
feels
to
be
very
difficult,
ambitious,
but
probably
the
right
thing
for
us
to
be
looking
at,
like
it's,
not
a
problem
that
we're
going
to
get
a
solution
for
this
year
or
even
next
year,
but
I
feel
like
at
least
if
we
can
align
today
the
people
who
are
working
in
this
area
lying
conceptually
on
hey.
We
all
have
in
our
heads
this
similar
kind
of
breakdown,
the
problem
where
we
think
of
you
know
metadata
fabric.
We
think
of
you
know
the
sdlc
looking
like
this.
E
I
feel
like
we're
at
the
stage
of
you
know,
get
Gathering
kind
of
broad
alignment
on
what
is
this
basically
look
like
it
can
have
a
boxes
and
arrows
level
right
and
then
okay,
once
we're
all
agreed
on
what
the
boxes
and
arrows
are.
We
can
then
begin
to
open
each
individual
box
look
at
what
needs
to
go
inside
there
and
what
is
the
API
need
to
look
at
and
so
on.
E
So
I
think
you
know
I
agree
with
you
that
it
feels
massive
and
yeah,
not
something
which
which
lends
itself
well
to
someone
saying.
Oh
well,
I've
got
a
two-page
on
this.
I
have
a
solution
already,
but
I
I
feel
like
a
two-pager
on
this
is
the
shape
of
the
problem,
we're
all
roughly
agreed
on
that
and
we're
all
roughly
agreed
on
the
kinds
of
capabilities
we
need
to
bring
to
bear
to
work
on
this
problem.
G
What
would
that
look
like
I
mean
like
what
would
that
look
like
from
like
how
would
we
parse
that
out,
I
guess
God,
this
seems
like
a
control.
Plane
would
be
like
a
very
large
Endeavor
to
take
over,
especially
when
you
need
to
have
you
you
would
need
to.
You
would
need
this
first
survey
different
different
orgs,
different
Industries
different.
G
G
E
So
I
guess
I
I,
think
of
it
at
this
level,
Jay
right
that,
like
I,
think
that
this
diagram,
which
I'm
showing
here
I,
hope
you
can
see
my
screen
at
a
squint
I
think
this
is
applicable
to
almost
every
organization,
like
I,
think
every
organization
more
or
less
as
an
sdlc,
which
look
kind
of
like
this,
where
you
have
Upstream
Supply
and
you
have
a
you-
know
a
process
taking
things
from
left
to
right
over
to
production
at
the
right
and
I.
Think
every
organization
has
you
know
some
concept
of
source
management.
E
Every
organization
has
some
content
to
build
or
release
management
or
every
organization
of
sufficient
maturity
and
I.
Think
once
you
have
this
idea
of
hey,
what's
the
supply
chain
control
plane,
look
like
you
begin
to
do
things
like
this.
Where
hey
you
know,
build
produces
assigned
Providence
pushes
that
into
your
metadata
fabric.
That
then,
is
then
verified
and
evaluated
and
actuated
as
policy
at
some
point
to
the
right.
What
does
it.
G
How
would
we
are
I
mean
we
can
articulate
that
I,
guess
and
and
and
and
and
block
form?
We
could
say
that
right,
but
then,
when
we're
when
we're
doing
stuff,
that's
going
that
we're
asking
potentially
to
be
asking
for
funding
or
potentially
going
to
be
asking
for
some
level
or
potentially
be
asking
for
participation
in.
We
may
not
necessarily
have
a
read
on
the
right
tools
or
technology.
That's
required
at
that
level
to
facilitate
properly
safeguarding
the
metadata
and
attestations
for
the
public
sector.
E
E
At
least
we
can
start
to
talk
the
same
language
about
what
role
in
the
overall
logical
View,
and
these
Technologies
are
taking
so
I
mean
I,
agree
with
you
that
I
don't
think
like
I,
don't
want
to
get
to
the
level
or
I,
don't
think
we're
near
getting
to
the
level
of
having
this
diagram,
where
each
box
has
a
product
name
or
a
technology
name
in
it.
It's
because
there's
always
going
to
be
there's
always
going
to
be
dozens
of
possibles
in
each
boxes,
but
at
least
we
can
conceptualize.
E
Well,
what
are
you
using
for
release
management?
What
are
you
using
for
ingestion
management?
Are
you
using
this?
Okay,
great,
so
I
I,
when,
when
you
say
you're
using
system
X
for
ingestion
control,
I
know
that
system
X
is
reading
from
the
supply
chain,
the
metadata?
It's
evaluating
policies,
it's
actuating
policies.
It's
then
writing
attestation
about
what
it
did
to
the
control
plane
for
subsequent
Downstream
evaluation
and
so
on,
and
it's
kind
of
it's
technology
independent.
But
at
least
we
can
start
talking
about
the
capabilities
in
the
same
language.
If
that
makes
sense,
yeah.
E
Looking
at
some
of
your
supply
chain,
control,
plane,
Concepts
supply,
chain
control,
plane,
Dr
susian
in
some
kind
of
way,
but
it
would
be
great
to
have
you
bring
that
and
we
could
all
take
a
look
at
it
and
we
can
dive
a
little
bit
further
into
this
before
we
break
in
the
next
few
minutes.
Is
there
anything
else
anyone
wants
to
bring
up
foreign.