From YouTube: Supply Chain Integrity WG (July 5, 2023)
Description
Agenda: https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA
A: You might... that reminds me. I know someone had mentioned, and I tried to fix it in the calendar invite, that the meeting notes were old.

D: Yeah, because I'm looking at this one, but this might actually be old. It's... yeah, the calendar stuff is such a nightmare. Yeah.

E: So, happy quiet week for those in the US, some of whom are blessed with a three-day week and a four-day weekend. This is the way our work week should be designed, I think. When we come to redesign the U.S. work week, when I'm president, my starting point will be a three-day work week.

E: Okay, so please add yourself to the attendees list in the agenda document, and we will get started in about one minute. We'll start with welcoming new friends, and then we can work our way down the agenda. And I want to start off by actually saying thank you to Mr Liebman for chairing last time's meeting. I was out on vacation and it was extremely relaxing, and very nice to know that things were so superbly covered while I was gone.

E: Okay, 10:05. Well, it's something-oh-five depending on where you are. We're going to get started by welcoming new friends. This is a chance for anyone who's new to the group, if you wish to; there's no obligation. But if you wish to introduce yourself, say hi. It's always a little bit about what you're hoping to get from this group, who you work for, and if there's anything you'd like to add to the agenda while you're here. Go ahead, and I will pause and let any new friends introduce themselves.

E: That is just fine. If we don't have any new friends who want to introduce themselves, no problem, so we can get started with the agenda. I'm actually going to do a little bit of reordering here. Let's move GUAC up. I think we talked about this a little bit last time; I wasn't here. I'd love to get Mike, if you could, to give us a readout. So there are two parts to this, as I understand it. Like, part number one is, hey, there's donating, you know, the code in GUAC. Bringing GUAC into OpenSSF requires an LF legal review and trademarks and all kinds of legal stuff, just in terms of the mechanics of bringing in the [donation] and stuff at all, and I understand that's in process. One of the things I don't have a great understanding of at the moment is: is there stuff which this working group, the Supply Chain Integrity working group specifically, needs to do to bring GUAC in? Like, do we need to take a vote, or is that part taken care of?

D: I think that there's, like... I found myself a little confused in some of the documents, where it seems like they want you to say what working group you plan to fall under before you enter OpenSSF, but the way that it's kind of worded is like you need to go to the TAC first to get accepted, and then you go to a working group to then get in there. But the documentation says "what working group do you plan to be a part of", so I don't know if it's just like, you know, the idea is you go to a working group, they say "yeah, that seems pretty reasonable", and then you go to the TAC. The TAC then approves, and then you go to the working group for a final vote. I'm not 100% sure on that. I do believe that the idea is to get consensus from the working group that it is worthwhile to be accepted, but I'm not exactly sure what the exact timeline is there. Arno, do you have any sort of details?

F: Well, so, no, I think the reality is what you describe, and I don't think we have enough experience to know the exact process. I'm not surprised; the process has barely been used so far. It was developed about a year ago and we're still trying to, you know, figure out what it means. I think, you know, both cases can happen. Actually, you may face a case where somebody says "hey, we have this project, there's enough interest, we think it should come to OpenSSF, but we don't know where to go", and they go first to the TAC, and then the TAC might have recommendations on where to go. But I think in this case it makes sense to come with the recommendation from the working group, saying "this working group we talked to, they accept us, so this is the proposal that you put before the TAC".

E: Got it, that makes sense. So I think I recall some of this. You know, we had some similar ambiguity when S2C2F came in, and there was... I remember S2C2F was in high demand across a number of working groups, including End Users, I think maybe Best Practices, and Supply Chain Integrity, and so there was even contention for what working group that would end up in. It seems to me, as I understand it, and correct me if I'm wrong, like GUAC has a desire to join the SCI working group; it sees the greatest synergy there. You know, my take is yes, it seems to me to be a great fit. If I'm looking back at the vision doc, which we've been working on for the last six months, you know, one of the top-level elements of the vision was "upstream security practices universally evaluable by downstream automation". So it seems to me that GUAC is an example of that downstream automation looking to evaluate upstream security posture; that's the better part of what GUAC is doing. And so it seems to me that GUAC is a great fit within the SCI working group vision, but I'd love to hear from others if they have more on that, or objections, or ideas for where GUAC might alternatively belong in OpenSSF.

E: Okay, unless anyone's got objections, I'm going to note "no objections" in the notes, so we have an audit. We've got a plus one from Melba.

E: I mean, it feels to me like this isn't an especially controversial add. I think GUAC is a great fit into the portfolio, actually, and it's been really encouraging seeing the amount of traction that GUAC has in the community. Thank you, Arno.

E: So I think, you know, I will do another call for, you know, objections, comments, anything; I'll do that on the mailing list and in the Slack for completeness. But unless there are objections or strong feelings against this idea, I think we can consider that GUAC is a good fit for SCI. Oh no, go ahead! Yeah.
D: Yeah, so I mean, I think there's a lot of different groups that it could potentially fall under. So, for example, there is the... well, it depends on the scope a little bit. I think this one is probably the one where, like, if we have the Venn diagram, it overlaps with stuff under this group a little bit more than some of the other groups. But there is, like, the Securing Software Repos group, because, hey, that's kind of doing a lot of stuff on... There's also the Security Tooling group, for obvious reasons, but this particular tool feels a little bit broader than some of the security tools that they're kind of focused on, which are, at least from what I've seen, a little bit more on the actual active security scanning and that kind of thing. And then there's also potentially Securing Critical Projects, just because one of the pitches as well for GUAC is to have a public service eventually, similar to something like deps.dev, OSV, Sigstore itself, and those sorts of things. But it seemed like this group seemed to be where there was more overlap, in the sense of, like, the idea behind GUAC, right, is to sort of work with your SBOMs, work with SLSA attestations, potentially be used as a way to prove S2C2F conformance, you know, and things like that.

F: Thank you for entertaining my question, because I can tell you I understand the argument you made for each of those, but I think SCI is better than any one of those. Yeah, I think it's a great exercise because it makes me feel like, okay, this is not just a fluke; we're not saying "oh yeah, this one, why not". I actually think... I don't know how other people feel, but I think this is better. So thanks, yeah.

D: And we did a little bit of a road show to a couple of the other groups as well. I'm blanking on all of them, but we went to the End User working group and some others, just to kind of talk about what we're doing and just kind of, you know, feel out a little bit of this. And, you know, we know that also at some level there's a lot of overlap between the groups, but this one seemed to be the best fit.

E: That's awesome. Okay, so I think on this front there's next actions in two streams. Stream number one is Mike: I'm assuming you'll continue to press through the LF process, the trademark, IP, all that kind of stuff, and donating the code. I will, you know, cross the t's and dot the i's on just making sure that we've surveyed maximally for feedback and people's opinions on this. I'll go to the mailing list and Slack; I put in notes where we're at today with this group, but I want to make sure that we're maximally inclusive and really hear from everyone who has an opinion on this, so I'll take that up. And awesome, I mean, I think it'll be a great fit, and I mean, as you know, Mike, I'm a big fan of GUAC and I think it's got a wonderful future. So the next item I had on the agenda was: we have a quarterly review with the TAC next week. This has snuck up on us all.

E: Oops. And I'll probably use the same overall structure, and I'll share it out, but as I'm putting that draft together, are there any headlines or items which people want to make sure are included as we talk to the TAC? Melba, go ahead.

A: We need to put it in front of the TAC, and I do have a GitHub issue in the repo associated to that. So I think it's ready, I think, to review with the TAC.

E: Got it. And I sent the... so about a month ago, actually, before I went on vacation, I sent the snapshot of the vision document that we have to the TAC. I know at least one person looked at it, because Crow jumped into the document and added a couple of comments. Apart from that, I didn't get anything back from the TAC, but yes, I'd like to take that and put that probably up front in the deck as something that we want action from them on, which is a formal thumbs up that, you know, they've at least scanned the thing and they think it's reasonable, and then we can move forward under the aegis of TAC appreciation of that thing. On SLSA, I want to talk about, you know, 1.0, where we are; futures, which will be Build Level 4 and other tracks. So I think there's kind of a vertical and a horizontal expansion of SLSA which we can imagine over time. I think Chris kui is looking already at Build L4. We may even have a draft for what that may look like, or the beginnings of a PR, so I want to paint that picture for SLSA. For S2C2F, Jay...

G: The SIG and I have a discussion at the SIG as well to see exactly what kind of content goes in it, but I definitely would love a slide there, though, to put some input.

E: Got it, okay. GUAC, I have, I think, all the raw materials I need to work from, but Mike, I'll tag you in this slide so you can take a look at that as a GUAC rep.

E: The only other thing we might want to talk to the TAC about, about this working group, is FRSCA. Do we have anything we want to say? I confess, like, last time we spoke, Mike, I think we were struggling with resourcing, in terms of we had lots of ideas, but in terms of, like, hands on keyboards, people writing code, we were a little light on that front. Is that still the case?

D: A little bit. And after some conversations at stuff like the Open Source Summit and some other things, a lot of the feedback we had gotten, and this is just generally from folks who have been looking at FRSCA, and some of these folks have been on this call as well, is, you know, FRSCA is a pretty good, you know, example of an implementation of an architecture. But as far as, like, an actual tool that people would deploy and would want to use on a really kind of ongoing basis, that's probably not the case. And so, with that said, right, like, there could still be opportunities for FRSCA. You know, once every few weeks somebody pings me about, like, "hey, I was checking out this thing with FRSCA", but, like, we haven't really gotten a lot of traction on it, which, you know, I think a bunch of us would be interested in. But yeah, I don't think there's really been much movement on that end, you know, outside of obviously keeping things up to date and that sort of thing.

D: If you think about that, so I wouldn't say the basis... What I think, what I would imagine, is if we take the Sterling Toolchain as an architecture. The Sterling Toolchain, by "an architecture" I mean like an actual high-level design, right. You know, something like FRSCA could be an implementation of the build capability, right. It could be an implementation of that build capability, like an example implementation. And I think the things that, and this is actually some of the stuff that I was going to talk about in my thing after Melba's, which is, like, I think the need for something like FRSCA is a lot better when we have better APIs around how we build a lot of the stuff out. But I think it's still useful, because it's also the thing I've been using it for in the Sterling Toolchain.

E: Absolutely. And I mean, it kind of feels like, and some of this is, you know, work I have ongoing in the Google Open Source Security Team space as well, it's trying to think of what's that kind of concept-level articulation of the SDLC where you can say "okay, I want to, you know, plug in a different build here". We have a number of ideas of how you might run a toolchain left or right, but then, once you look at wanting to swap different technologies into each capability spot, that's when, to your point, we're like, "what are the APIs, and how do I discover this, also provenance, and where is this thing stored, and is it a sidecar", or, you know, we have all those types of problems, I think. So this is great. This gives me raw materials to do a FRSCA slide too. So hopefully by the end of tomorrow I'll circulate a draft deck; if folks could just look at that. Jay, I'll tag you in it as well for S2C2F content, and we can take forward the TAC review there. And with that, Melba, you're up. I know you've got to go at half past, so I want to give you your seven minutes.
A: I do, thank you. Let me share screen. So we already talked about the charter, but what I wanted to do was give an update on the repo. I did update the repo quite a bit: removing old branches, closing old issues. I did update the charter, and then there are new issues in here, and I've labeled some based off the Positioning SIG. I'm working with Jennifer Bligh to figure out how LF or OpenSSF could help us with some of the stuff, in terms of not necessarily identifying the content but helping with, like, editing and actually publishing, or setting up webinars, etc. But I did want to give a heads up on that. And for some reason, even though I was able to edit this two weeks ago, I cannot edit... I created this calendar invite, and I can't edit the calendar invite anymore, which is fantastic, so I can't fix that. But apparently one of the docs is not correct in the meeting invite, so I'll have to talk to operations to figure out why I can't edit my own calendar invite. But yeah, there are a few. This one is assigned to you and Jay, because I can't attend the TAC meetings; I always have a conflict. And then the rest are what we have and plan for the Positioning SIG coming up again. That's it.

E: That's great, thank you, Melba. And thanks, I mean, I appreciate the work that you've done with the branches and closing the old issues and doing the charter, and so on. It's valuable, but that goes unmentioned and doesn't get noticed too much, so thank you for that; it's definitely appreciated. And then, Jen Bly, in terms of, like, does Jennifer have resources to help with copy editing and, you know, building content, or is she just kind of an opener? Since I've come, say, how should I think about Jen's role?

A: ...an edit, and so she said that they were discussing having that talent on their staff, and they don't, in terms of video editing capability, so she's going to bring it up at the next staff meeting. On the side, we're going to have a conversation of what they could potentially help with. So I'm gonna talk to her about what we're looking to do, to see if they could assist, but I'm not sure as of yet.

E: Okay, taking a note of that, that's super helpful. Yeah, I mean, it seems to me that a big part of what OpenSSF needs to be doing is marketing itself, and awareness and advocacy, and if content production is not core to that, I don't know what it is, like. It feels to me that content production should almost be one of the core competencies of OpenSSF, in terms of across all modalities, or TikToks, or whatever. So I hope Jennifer manages to find skills that we can tap into, and that'll be kind of awesome to have that upgrade. Thanks, Melba.

E: Over to you. SCI API, I want to hear more.
D: Yeah, well, actually, right before that, I did want to also comment that, you know, I think the LF does seem pretty interested, from what I've been talking about, you know, also about the sort of, whether it's micro video content and yada yada, and I think they might even be willing, if we poke them, to maybe even pay just an external company to... You know, especially given that I believe some of it can be tied back to pulling in more end users as paying members, so I think that's a thing that they're looking for. But yeah, so anyway, one of the things I think that had got brought up, it's nothing necessarily we need to, you know, act on right now, but it's something that I believe some folks have been starting to talk about as far as the Sterling Toolchain and similar sorts of initiatives, and it's also been a bit of a concern, is a lot of folks are like, "hey, it's great that there's all this, you know, like SLSA, for example, has a provenance type, you know, a metadata document, but the thing that people are saying is, like, hey, depending on what builder I use, I have a different way of consuming it", and those sorts of things. And so I think folks have been starting to ask about stuff like, how do I consume this stuff? How do I start consuming these things from, like, a library perspective? Is there a consistent sort of API when we look at something like a Sterling Toolchain standpoint, of like the supply chain integrity piece, of like, hey, how do I know that I'm, you know, conformant with S2C2F in an automated way, and those sorts of things? And then also with stuff like GUAC coming down the line, GUAC wants to be able to just sort of say... I don't want to have to, you know, in GUAC, we don't want to have to create, like, well... Are there APIs around this? I know there's discussion about the same thing from the VEX standpoint: how do we distribute VEX. But one of the things, you know, so that's what I think folks are starting to talk about, and it's not necessarily a literal API at this very second, but, you know, some folks have been poking around with the idea of using stuff like OpenAPI.

F: Yeah, I was wondering, I mean, Mike, did you look into CDEvents? So CDEvents is kind of like... it's from a sister project of the Linux Foundation, the CD Foundation, which focuses on continuous delivery, and they have developed a specification for events related to the build and the continuous delivery. And they have actually started getting momentum among tool developers to get support for CDEvents built into the different tools.

D: Yes, and I think actually, yeah, that's definitely where I think it should end up, like, as far as the common language. But yeah, I have looked at it; in fact, I'm actually poking around with some of the stuff in there to sort of build POC tools that hopefully in the coming weeks or coming months I can demo to this group. It'll be an open source thing. But yeah, the idea would be, and I believe that also they want to do the same thing with Sterling, or hopefully with the Sterling Toolchain, is to sort of say: what if the API for all the security stuff was just CDEvents? So that you get in stuff like: somebody makes a commit, that's a CD event. You know, somebody runs a build, that's a CD event, and part of that CD event, of the output of that build, could be "here's a collection of metadata documents, and here are the metadata document types". So it should give you a SLSA document, and you can go and, you know, be like, okay, well, since I have a SLSA document ingester, I should just be able to pull anything using that, which I think is super valuable. And so yeah, definitely poking around with it. It probably needs a little bit, like, there's probably gonna need to be some changes, but yes, I'm very much looking forward to really diving in deep with that one.

D: Yeah, and for folks who aren't familiar, it's essentially like a subset of CloudEvents. So it's like CloudEvents that have a schema, you know, have been structured specifically for sort of SDLC-type events, so builds, commits, deployments, that kind of thing. And there's also discussion about either creating something like "security events", which would be itself a subset of CloudEvents, or saying that, within CDEvents themselves, there might be, like, a category of CD events being something like security events.

F: Of the names you mentioned, the problem is they often are specific to one programming language, and in this case, I think one of the biggest challenges we have with the Sterling Toolchain is to make something that's broadly applicable across all the different, you know, programming languages and environments. So I think this one has that advantage, but thanks.

E: One of the questions I had on this, Mike, was, I mean, so in talking with you, with Brandon and others, you know, one of the things we're looking at is, you know, hey, at a given point in the SDLC you want to, you know, gather intelligence about upstream, and that applies to artifacts. So, hey, I want to look at SLSA provenance or SBOM; I want to look at, you know, when this build occurred or what artifacts went into that build. Like, some of the things I may want to be interested in upstream of me include things like: a maintainer was added to this open source project. That's a relevant event to me, assessing security there. Or, you know, maybe it wasn't a maintainer added to the project, but maybe the email domain of one of the [maintainers] expired and was re-registered, right, which is some kind of identity takeover risk. Like, to see the events... does your consideration of this space, like, include those types of events as well? The kind of project-specific events rather than CD-specific events.
D: At a high level, yes. I think I also have some open questions as to whether or not, like... if you look at, since CDEvents itself is sort of a schema on top of CloudEvents, I would need to kind of take a closer look to see, would it support that? Because, like, you know, CloudEvents itself is supposed to be very, very broad. It's just kind of like any sort of event you might think of, which of course leads, you know... because there's the balance, right. If you go so broad, it becomes very difficult, because all the various tools will need to implement everything, you know, you lose a lot of the interop, because every single client will have to say "well, I support this type of message, but not that one", and so on and so forth, right. Whereas CDEvents, being a subset, okay, cool, this is a very structured set of like 10 things I support, or whatever. With that said, I think it's probably worthwhile to... and this is some stuff that I know that they're, I think, interested in. Last time I went to their group, which has been a while, but they're interested in some of it.

E: I'll take a closer look at CDEvents; I've not looked at it closely in a while. And I think, to you, I mean, your point is a good one, right, but I think, as in any other aspect, there's going to be some balance struck between syntax and semantics, right. Do we define an abstract syntax which can encode any possible event, but, like, that remains unspecified, or do we say we're gonna, you know, specify these 23, this enumeration of 23 known event types, and here's how they're described? And somewhere in there is a balance, and I don't know where CDEvents is today. I don't know enough about it, to be honest.

D: Yeah, and I think, because at the end of the day we do want to support all of that, right, and whether or not some of these things is like a subset of CDEvents or a sub... like, I imagine it would probably just be another type of CloudEvent. Whether or not it's a type of CD event or a type of CloudEvent is a different sort of story, right. I would say most likely it would probably be a CD event, and, you know, we might just say that, you know, here are categories of CD events. Because, like, the thing, right, that is, you know, the biggest challenge I think right now that we're running into with some of the SLSA tools is SLSA is very broad in how you might be able to build a SLSA builder, right. It's very broad; outside of just sort of saying "here is the structure of the document", the actual metadata document, there's not a lot in terms of, like, "here's how you should build it, here's how you should integrate it", blah blah. And so when it comes to, like, and then also when it comes to those builders, right, there's currently no standardization around distribution. You know, in certain cases the builder pushes it. You know, in the case of the GitHub stuff, the builder will push it as a part of the release; it'll push it as an artifact that is part of that release. In the case of Tekton, it can push it to the OCI image, it can push it to MongoDB and other document databases, it can push it as an annotation to the Kubernetes cluster. And at the end of the day, though, like, those are all sort of very different ways of doing it, and is there, like, something like... So it could get pushed to something as a CD event, or it could push the CD event to a log stream, and then, you know, subscribers on that log stream can then do whatever they want to it, right. I think there's a lot of... and once again, these also come with their own trade-offs, right: one is a little simpler, the other one, you know, requires somebody to have an event-based, you know, setup.

E: That makes sense. Is there anything that you'd like this group to help with, or dig into, or bring to next time's meeting, or bring to you on this?

D: I think the big things I would, you know, besides obviously I think some of the stuff that's happening in the Sterling Toolchain, which is trying to figure this out at a very, very, very broad level of, like, you know, with the idea of the CD... My understanding from the Sterling Toolchain side is, if we end up going this route, what would happen is the entire SDLC would have a set of CD events or similar. Not tracking what everybody downloads, but, like, okay, you know, okay, that becomes a CD event. Somebody pushing out their code becomes a CD event. The code getting, you know, built becomes a CD event, and all those, you know, things you described of, hey, a new person gets added to a project, it gets scanned, it generates an SBOM. All these things would probably be events. So I think the things that I know would help me with some of the stuff that we're looking at and doing is really trying to understand, like, what are the things that people are looking for here? Like, what are their big... what is the biggest concern? Like, even if it's, you know, I don't necessarily need to think that it has to be a particular event at this point. But if somebody said, "hey, my biggest issue is I don't know, like, from a supply chain integrity standpoint, like, oh, when I download a dependency I don't know where it came from", oh okay, cool, that's probably maybe the number one security, you know, event, or, you know, in terms of this particular group. When I look at, for example, SLSA and S2C2F, I'm looking at, like, how do I bridge the gap there, and some of it could be... if, you know, we start to talk about S2C2F and, having S2C2F, you know, being able to say "hey, the tools use something like CDEvents. Great, I can prove S2C2F conformance because I'm getting all the right events", right.
E
That
makes
sense.
Yeah
that's
interesting,
yes,
I
mean
until
like.
We
need
to
think
through,
like
kind
of
what
is
the
what's
the
attestation
format
first,
is
you
definitely
need
to
look
like
and
how
to
regenerate
that
automatically
and
whether
the
trust
anchors
need
to
be
for
the
for
that
attestation,
but
to
your
point,
like
you
could
imagine
you
know,
being
able
to
validate
the
correct
stream
of
events
happened?
It
wasn't
just
that
like
important
dependency,
but
then
I
saw
the
vulnerability
scan
happen.
Then
I
saw
the
s-bomb
being
stored.
E
H
Yeah,
when
I
think
to
the
challenge,
though,
I
see
the
other
side
of
this,
which
is
that
sure
we
want
to
have
the
attestations
and
someone
watching
and
make
sure
that
everything
happened
right.
But
the
other
side
is
that
we
actually
want
to
know
that
our
pipeline
isn't
vulnerable
to
someone
merging
a
merge
request
with
only
one
approver
on
it.
And
so
it's
not
enough
just
to
get
a
report
that
hey
someone
pushed
that
up
there,
and
there
was
only
one
approval
on
the
merge
request.
F
I
think
that's
true,
but
at
least
at
the
organization
level
you
can
then
enforce
some
policies
that
check
that
you
know
all
the
the
right
things
have
happened
in
the
right
order
and
so
on
so
yeah
it
may
not
scale
to
the
whole
industry.
You
still
ex
you
know,
depend
on
other
pieces
in
the
chain
to
to
do
the
right
thing
or
the
parties,
but
at
least
at
your
level
you
can
do
better
than
if
you
don't
have
that
kind
of
system.
So
yeah.
H
I
was
gonna,
say
it's
getting
the
vendor
buy-in
on
some
of
those
things
like.
Are
you
going
to
get
a
CD
event
out
of
git
lab
when
someone
does
a
merger
you're
going
to
get
a
CD
event
out
of
some
security
scanner
that
says,
hey
I
did
an
ingestion
on
this
open
source
thing
into
this
repo
here.
So
now
you
know,
that's
been
pulled
in
correctly.
It's
it's
gonna,
be
a
lot
of
work
to
make
that
happen.
E
I
I
agree:
I
mean
at
a
super
high
level
like
I,
began
to
conceptualize
this
as
kind
of
a
what
we
need
is
almost
a
supply
chain
control,
plane
right
where
hey
we
and
the
supply
chain
control
blend,
you
could
imagine
being
like
kind
of
there's
a
metadata
substrate
that
each
actor
in
a
supply
chain
is
publishing
data
into
that
substrate
and
then
at
any
point
in
the
supply
chain.
You
can
pull
data
from
the
metadata
substrate
and
evaluate
it.
For
some.
E
I want to continue the process to the right of this thing based on what I'm seeing in metadata today. And that metadata could be SLSA provenance or SBOMs or S2C2F attestations or the right sequence of CD events or whatever it may be. But at least conceptually having this idea that this is a supply chain control plane, in that, you know, there's a metadata substrate where each actor in the supply chain can push data in there, and it can also read data out in order to evaluate it and actuate policy. I say this at a very hand-wavy product management level; implementing it is a simple matter of coding.
D
Yeah, so yeah, that's actually one of the things that longer term we're looking to also bake into something like GUAC, right? So the idea would be...
D
The stream would obviously have to come in via some sort of event bus, but the idea would be that all of those... you know, where the idea is, GUAC would potentially be that data plane, or GUAC in a combination of things, because the thing that folks are looking at, right, is that you need to have, you know... One of the biggest questions that's been asked is, like, okay, where's the data, right? You know, if you don't have the data,
D
how are you making these supply chain decisions? And a lot of times, you know, the data doesn't exist, and so that's a big concern. And then in addition to that, yeah, the supply chain control plane, which my company is also working on, and I think the thing for it is we're looking, actually hoping, right, for the Sterling Toolchain to also describe the API of what this control plane might look like, and then, you know, different vendors could implement that the way they see fit.
D
The reason why I say that is just it's very difficult to, you know, today... Right, like the thing that you want is you want to have a unified view into this thing, right? You want to have a unified view and control against it, right?
D
The big question that people say is like, oh, I have an agent on every developer's workstation, but the policy that's baked into the agent is very different than the policy that happens at build time or ingestion time or runtime, and there's no, like, overarching policy that says, hey, in dev environments you should be doing this, in production environments you should be doing that, and, you know, on a developer's workstation
D
you should be doing this other thing. And so a lot of, all of that information gets lost, and the policy is often inconsistent. I didn't take up too much time, but yeah, I could absolutely, either me or one of my collaborators, I think they're familiar to most folks here, Santiago, the sort of lead of in-toto, is on that project, and a few other folks involved with GUAC, yeah. So it'd be great to get the feedback from this group and see how we can honestly just work with the community on this, because ultimately I think that would be our goal, to somehow contribute some features back to GUAC, or yeah, just some general work, probably with this community. I... So yeah, I can talk to one of them and see if we can line up some kind of demo or presentation or something.
E
That would be awesome. So what I'll do, I said, with your permission, is I will kind of propose an agenda item for this time, tag you in that, and if you can bring it next time, great; if you need another month or something, that's great, but I'd love to have you bring it to this group and let us all look at it. Thank you, yeah.
D
Yeah, so one of the things I actually wanted to also throw out there, as I know one of the biggest challenges, and I'd love to hear folks' thoughts, like Marcela and other people, is, like, one of the biggest challenges with something like this being a control plane is usually, I would say, most organizations... some, obviously very, very large organizations might have multiple SDLCs, but most organizations I think have one SDLC, whereas a lot of organizations can have multiple, for example, runtime environments with their own control planes and yada yada. So I'm curious.
D
You know, when it comes to something like this, it's like, when you think about a supply chain control plane, you're thinking about controlling from as far left of the developer as you can. In the case of open source, it's just where they push the code, but in the case of, like, an organization, an employee or whatever, you might even be controlling their workstation, and then as far right as potentially runtime, because you want to validate that the only things that are running in production environments are the things that went through your, you know, supply chain control plane. And so that's a whole lot of stuff, which I know is also one of the problems with a little bit of the Sterling Toolchain: if you look at it, right, the Sterling Toolchain is kind of, like, all software development from end to end, which is kind of a very broad scope. So I'm curious what folks' thoughts are on, like, do folks agree with that? Do folks think that's kind of like... if so, you know, is that something that people feel is a tractable, practical problem? Yeah.
E
You know, it feels to me, it feels to be very difficult, ambitious, but probably the right thing for us to be looking at. Like, it's not a problem that we're going to get a solution for this year or even next year, but I feel like at least if we can align today the people who are working in this area, aligning conceptually on, hey, we all have in our heads this similar kind of breakdown of the problem, where we think of, you know, a metadata fabric, we think of, you know, the SDLC looking like this.
E
We think of, you know, the need for a control plane, we think of, like, how do we evaluate and actuate policy, and how do we push that as far left as possible. At least if we agree and kind of can get alignment on the way to conceptualize the problem, at least that'll keep us moving in more or less the same direction, even as over the next two, three, five years it's going to take us to kind of more deeply specify this thing and work out all the kinks and figure out exactly what we need.
E
I feel like we're at the stage of, you know, gathering kind of broad alignment on what does this basically look like at a boxes-and-arrows level, right? And then, okay, once we're all agreed on what the boxes and arrows are, we can then begin to open each individual box, look at what needs to go inside there and what does the API need to look like, and so on.
E
So I think, you know, I agree with you that it feels massive, and yeah, not something which lends itself well to someone saying, oh well, I've got a two-pager on this, I have a solution already. But I feel like a two-pager on this is the shape of the problem, we're all roughly agreed on that, and we're all roughly agreed on the kinds of capabilities we need to bring to bear to work on this problem.
E
Now we can work it one by one, specifying this capability and going into the next level of detail. But I, yeah, I realize that I have a product person's bias, not a technology person's bias, or at least, you know, not a programmer's bias.
G
What would that look like? I mean, like, what would that look like from, like, how would we parse that out, I guess? God, this seems like a control plane would be like a very large endeavor to take over, especially when you need to have... you would need to first survey different orgs, different industries, different...
G
You know, who's doing what where, and then, like, decide, well, how, you know, how would we, as this...
G
I guess a middle, a place where people would come to get guidance or two lives, but considered a universal entity creating this. Wouldn't that look different for different organizations, for different industries? And then how would we tackle that broadly here?
E
So I guess I think of it at this level, Jay, right? That, like, I think that this diagram which I'm showing here, I hope you can see my screen, at a squint I think this is applicable to almost every organization. Like, I think every organization more or less has an SDLC which looks kind of like this, where you have upstream supply and you have a, you know, a process taking things from left to right over to production at the right. And I think every organization has, you know, some concept of source management.
E
Every organization has some concept of build or release management, or every organization of sufficient maturity. And I think once you have this idea of, hey, what does the supply chain control plane look like, you begin to do things like this, where, hey, you know, build produces signed provenance, pushes that into your metadata fabric, that then is verified and evaluated and actuated as policy at some point to the right. What does it...
G
Yeah, I agree, I agree with this. Like, but, for instance, right, we're getting ready to produce a follow-up paper for the White House to talk about where we're at now with the mobilization plan, right? For instance, now this control plane will look a lot different, or how you operate the control plane, I guess, or what type of controls you put around metadata and attestations will look a lot different in the federal government than it does in the private sector. How would...
G
How would we... I mean, we can articulate that, I guess, in block form. We could say that, right? But then, when we're doing stuff that we're asking, potentially going to be asking for funding, or potentially going to be asking for some level, or potentially be asking for participation in, we may not necessarily have a read on the right tools or technology that's required at that level to facilitate properly safeguarding the metadata and attestations for the public sector.
E
At least we can start to talk the same language about what role in the overall logical view these technologies are taking. So, I mean, I agree with you that I don't think... like, I don't want to get to the level, or I don't think we're near getting to the level, of having this diagram where each box has a product name or a technology name in it, because there's always going to be dozens of possibles in each box. But at least we can conceptualize: well, what are you using for release management? What are you using for ingestion management? Are you using this? Okay, great. So when you say you're using system X for ingestion control, I know that system X is reading the metadata from the supply chain, it's evaluating policies, it's actuating policies, it's then writing attestations about what it did to the control plane for subsequent downstream evaluation and so on. And it's kind of technology independent, but at least we can start talking about the capabilities in the same language, if that makes sense. Yeah.
E
Looking at some of your supply chain control plane concepts, supply chain control plane discussion in some kind of way, but it would be great to have you bring that and we could all take a look at it, and we can dive a little bit further into this. Before we break in the next few minutes, is there anything else anyone wants to bring up?