From YouTube: Cartographer Office Hours - Feb 7, 2023
A
All right, hello and welcome. This is the first office hours for the Cartographer open source project in 2023, February 7th. You'll have to excuse me, I'm doing a little pinch hitting. I was not expecting to be running the meeting until a moment or two ago. The, we have our agenda in HackMD is available.
A
I'll drop the link into the recording, I'm not sure if, into the chat, I'm not sure if that'll show up in the recording or not. And I, yeah, in terms of the normal process, we'd be going through outstanding RFCs and then taking any discussion topics. Please, if you have anything that you'd like to talk about, drop things in the, as you can see, the RFCs list is currently empty.
A
A
I guess, oh goodness, it's been so long that I don't remember which. The, the long and short is that there is a challenge, it, for a Cartographer to determine, to link what has happened early in the supply chain with what happens.
B
A
In Kubernetes, of course, things are eventually consistent, and so we can give the guarantee: hey, if you make a change, eventually the system will become consistent with that change. It'll be reflected in the system. And in the domain that we're working in, in CI/CD,
A
We often want to give more information to users, such as, or, has your change gotten to, in this, in the supply chain process? Or: okay, right now something's delivered to prod, which chain, which change does that represent? And in order for a Cartographer to report that information, it either needs to rely on the components that are being stamped out being clever, or conscientious community members in reporting, hey, here's what I've done, or it needs to say, I'm not going to put new work into a component.
A
So if we think of each resource that's stamped out as a, as a step or a stage or a component, I'm not going to put a new change for a stage until that stage reports that it's either healthy or not healthy. So you may remember that last year, one of the improvements that we made was the healthiness feature, where users can tell us here's how to know if, if this stage has kind of reached a state of at rest. And so with that knowledge Cartographer then can say: oh, this is a,
A
This is a stage that's currently spinning. It's, it's not yet at rest, it's not in a good or a bad state, so I'm not going to update it with any new information. When that stage does reach a, an at rest, it either says yep, I'm good, or no, I'm bad. Then Cartographer can say: all right, great. That output is related to the input that I give it, and now I can read that, I can propagate it forward, and I can put the latest change that I would want to see.
A
I can update this object now. And so that's something that has, that's an RFC that's been in the, in the works for a while, and
A
A
A
Is that, that the proposal was written a while ago. So I personally tell you, I'm like sitting with bated breath, like, oh, when are we going to get to work on it?
A
I will pause there and, and actually ask the other Cartographer engineer, Sam: are there things that you think that we need to discuss today, I think, things that you would want to put in front of users?
C
Definitely one of the things that we've been looking at, you know, I mean, like, it's been quite a few months on our front. Certainly we've been getting a lot of feedback from, you know, users internally as well, and definitely one of the things that's been coming up is an issue of, like, scaling performance.
C
What happens when there's like hundreds of workloads, those sorts of things. And so, you know, we studied the metrics and we've definitely decided that, you know, we're gonna have to pretty much delve into enabling concurrency, and so we've been working, and I think if you've, like,
C
Think it's something that we're likely to be merging soon as well. And, you know, I think one of the things we've been cautious about is, like, if we, we enable Cartographer with aggressive concurrency limits out of the box, that, that might, you know, cause unexpected, like, peaks in the, in people's loads and everything. So I think we're going to kind of tune it down from
C
What's currently in the pull request right now, which I think is like 10. But these are all defaults anyway, and they're all overrideable, and, you know, I think, you know, that's, that's something that's kind of in front and center for me lately. Another one is: we've been looking at ways to try and avoid the kind of thrash that happens if Cartographer restarts for any reason, and, you know, we have like runnables being re-stamped. But that's very much like stuff that we've just been, like, actively investigating based on, you know, let's come back from like a lot of, you know, dogfooding and, you know, user feedback.
A
Yeah, so that, as I mentioned, those are two things that are currently in the works, under consideration. I'm trying to drop in the link for that second one that Sam just described.
A
Yeah, part of office hours is for us to mention here's what we've been working on, but then the other, larger part is to hear from our users what, what's been going on with them. What are the, what are the pain points that you're feeling? What are the things that you, would move the ball the most for you in terms of improving the product? Before I jump into any other, any other topics, let me make sure that we clear the board. Are there any thoughts or questions about artifact tracing?
B
I have one question around that. There are three RFCs in the RFC board on GitHub, and you mentioned the health rules based. Basically, like, is that the path that it seems we're going down from? Because there was correlation rules, there was based off of correlating outputs, and then there was the health rules. Has, like, that decision been made around health rules, or, just wondering, yeah.
A
Ultimately, the health rules is necessary. The other two are proposals that say: hey, given a, given its resource that works in XYZ ways, let's short-circuit the health rules path by leveraging this behavior. So essentially the artifact, the health rules is: given a generic controller, here's what we do. The others are: hey, what if we assume that things aren't generic, that they, that they adhere to an API or some behavior that we can rely upon,
A
Can we improve the performance of Cartographer? And so I like those other proposals and I'm happy to see them move forward, but ultimately I would, I would argue that artifact tracing either means yes, we're doing this health rules approach, or no, we're not taking health rules, like, no, like, ultimately I say: there's no health, there's no tracing without the health rules approach.
B
Okay, so the health rules is the generic approach, and then there's the, like, we have special casing for kpack to do certain things within Cartographer. We would have a special casing for things, possibly through the other two, that can short-circuit that to make it work better with different resources. But health rules is the generic one. Yeah, okay, cool.
A
And in terms of ordering and what work will, I would expect to get done, but expect the generic to happen first.
E
Yeah, so, we're not strictly related to tracing, but I know there was a roadmap document in the GitHub repo. I was wondering if it's possible, perhaps, to update it and include this information about the RFCs that will be done at some point, like the artifact tracing, just for, yeah, visibility and interesting information. Yeah.
A
Yeah, so we had a meeting with our PM just yesterday and I mentioned to them, you know, we've seen in the, in the Kubernetes Slack, you know, questions about, hey, what's, what's on the roadmap. And so I, I brought up to him, like, hey, I've kind of dropped in some of my thoughts at times and Rash has done the same.
A
Of course, the, you know, the, the product manager is the one, is generally the one who owns roadmaps. So yes, well, we hear you there. We will make sure to, to make that more available, make that more transparent.
A
A
All right, I'm going to take that as a good sign, but, but there aren't concerns, everybody's like, yeah, that's a great idea, just go do.
F
A
We had a Roman vote yesterday. Remember when I was two, just start slowly, make sure. And that would be, to be clear, that would be a default setting in the supply chain choreographer in TAP. Of course, in Cartographer, the setting would be whatever the
F
User wanted to use. Okay. Okay, might be interesting to think about where we went surface that setting, not just, you know, having it stored in a value Spa somewhere, but also being able to see that in the, in the actual UI, if anyone is, is in there, and having that understanding. Because maybe, you know, if something happens that, you know, they're above that threshold, whatever that happens to be set to, right, we probably would want some type of error,
F
You know, error handling around that as well, right.
A
I say that, that totally makes sense, but also I'd say that, that those are conversations that would happen separately from the, is right, we start off as like, hey, this is the office hours for the open source Cartographer stuff, and so those are just conversations for the VMware closed source products.
F
A
No worries, but none of us have been to one in a while, so you're in good company. Okay, I, I think that we, we give time for questions about the two RFCs that we put forward. John, I see here that you've dropped in a link.
A
I'm gonna follow this link myself, to artifact signatures, provenance attestations. Can you talk to, yeah, I'm gonna give you the floor.
G
G
If there are any current thoughts on, on these ideas in general. So a background from what I'm looking at: I'm working with the security tools group internally in thinking, but mostly on the, the upstream open source side. So I'm working with project Sigstore, looking at stuff with OpenSSF and some other areas with, like, SLSA compliance and things like that.
G
G
One of the things that we're trying really hard to avoid is having to build specific attestations for every single tool that exists, because there's just, there's too many of them, and our customers want to use all of them. So if we think of building a, a supply chain, supply chain with something like vulnerability scanning, we, we not only want to create a scan report as a part of the process to, you know, to do a vulnerability scan, but we also want to attest to that vulnerability scanning.
G
We want to say it was run by a version of this tool that we trust, it was run in an environment that was trusted. At the same time, we don't want to have to do that for Grype directly and Trivy directly and scanner XYZ directly. Is there a way that we can create a framework to, to allow this to happen that also corresponds with the model inside of Cartographer? The closest example, and, you know, Thomas brings this up, the closest parallel example would probably be Tekton and Tekton Chains.
G
This is where, the thing I'm most curious for, for other people's thoughts, because I don't know enough about this. So it's just like, Tekton is not a choreographer, it's an orchestrator. It understands what it's doing, and so for it to be able to add in the ability to attest to the specific actions that are taken by a, a Tekton pipeline is, is easier to understand and to do than maybe it will be for Cartographer.
G
But with all that said, I mostly don't know, and I'm curious to hear other, other folks' thoughts.
A
Good, I will, I will jump in and say that, I guess, start by, by emphasizing what you were saying at the end there, John. My, yeah, my default assumption, that I'm happy to have somebody push me off of, is that, at the end of the day, Cartographer is, by using custom resources as our primitive, Cartographer is unable to attest to anything beyond: hey, I, I created this object on the cluster. And, you know, the, at the, at the end, when, when it creates, for example, let's say you finish by creating some Knative app, the Cartographer could attest to: I created that object because, based on some objects that were put on the cluster originally, for example a workload, but then, after that, a number of other objects that I had stamped out, say a Flux.
A
Git repository object gave me information, and I, as Cartographer, just kind of have to trust it. Like, did that Flux Git repository give me the source code that is actually supposed to be there? Cartographer, I don't know there is a way that Cartographer can attest to anything beyond, like, I created this object and I trust
A
This object because that, that's, that's what my template has. The, now, one thing that could push it beyond is: if Cartographer specified some, if Cartographer specified a, an API for attestation of those individual pieces. So then we say: oh, we're not going to rely on, like, well, in other tools, like, we're going to become the tool that you have to report to. The, I think that is technically possible. I've always questioned if we are,
A
If the project is at a point where there's just, frankly, enough political capital to be able to impose that upon the components that we work with. Could we go to Flux and say, hey, we need you to provide some attestation information, and create a working group to, to do that?
A
That's not something that we've taken on yet. So I'll pause there, because I think that those are two, two claims that I'm interested in hearing other folks in the community respond to: one, that at current there's a lot of, there's a lot in attestation that Cartographer simply can't know, and two, if we wanted to know that, we would need to be creating APIs in partnership with those, those resources that are most often used in, in supply chains.
B
I mean, I, I will say, I think the same issue exists in Tekton Chains, though, because Tekton Chains, I can put whatever I want within a task. So yeah, I can say that I trust that task, but that's like me saying that I trust the YAML that I'm stamping out through Cartographer, through a cluster image template or a cluster source template. I think that this can be done once we have the tracing, the artifact tracing, because once we can know that input A caused output B, then we can actually start to attest.
B
E
Yeah, in Tekton there's this, yeah, basically for each task they consider the input that goes into the task, the result of the task, like the output that is produced, and what is the container image, or the details of the task. So just the specification; then the container image inside, when running, can do whatever.
E
But of course, that's very specific, tool specific. But in the final attestation, there's only input, output, and what was the specification of the step. So I guess in a similar way could work like that in Cartographer, where, instead of deploying container images, we stamp resources, and yeah, for that, we need that tracing, like knowing the inputs, the outputs and the template from which that output was produced, basically, after stamping the resource, if it makes sense.
A
Yeah, so I think that that is something that's definitely on our roadmap. The one piece that you mentioned that I think is a step beyond what we've planned so far, or thought through so far, is, you said, you know, Tekton Chains will capture what's the image that, that list of commands is running within. And I think the equivalent for Cartographer, because our, our primitive isn't a, an image, or it's neither the image nor that bash script,
A
It's really the cluster and the object, is: how do we capture the controllers that are, like, the controller version that's on the cluster, that is reconciling a given object that we stamp out? And I, it seems approachable from a high level, but I haven't thought through what would be necessary to capture that information.
A
Assume it, that it matters, if you, it would matter to someone at some point, if you're using Flux source controller version 24, version, versus version 27.
B
C
F
A
Yeah, so that brings up the, I, I often, I've been conceptualized objects and the reconciliation that's going on as, you know, the, there's the spec, there's the inputs that we know of, and then there are quote-unquote hidden inputs. And I use it, I use two examples, one that you just used, Scott, for kpack: there are just other objects on the cluster whose configuration impacts what will be, what will be the ultimate output on your kpack image object.
A
But similarly, if you just think of a Git repository object, you stamp it out, and you say: hey, here are the inputs that I'm going to give you, it's the name of a branch, it's the, it's the address of a repository. And the output of that object is going to depend not just on the version of Flux, but also, like, what are the input, like?
A
B
Specific, I think that it may just be worth saying we attest to the process of a supply chain: this is the input to a step, this is the output to a step, this is the stack of that step that existed, right? And then it's not the highest level of an attestation, or the lowest level, however we use the term, but it is attesting to what Cartographer is doing.
C
It's like, how much of a torch light do you want to shine on this? And if we just want to decide to solve what we know, and then, if, you know, it, because it kind of comes like a platform operator problem, right, then, right, how do you, how do you figure out, how do you fill in all these other empty bits of the Venn diagram, right? There's, like, some overlap between what Cartographer can attest and what these other components can attest, or could potentially attest,
C
I should say, right, that would make up, like, you know, if
E
Exactly, yeah, I agree, like, that the scope is important, because I would expect other tools to be responsible for part of it. Like, I would expect kpack to provide a full attestation with all information about the builders, the stack, all the buildpacks used and all of that, by itself, when producing the image. I have a resident issue in kpack, actually, I'm
E
Looking at an RFC for this SLSA provenance attestation there. So yeah, I agree that, yeah, we should limit the scope, like what Cartographer knows can be attested, but then specific tools like kpack then should do something themselves for all the details, if, if needed or if necessary. And I guess it's the same thing with Tekton Chains, or if we run the pack image, I don't think that the attestation contains all information about the builder and the buildpacks used.
E
C
I think it, right, there's a difficulty there too of, like, how do you bind the attestations that are occurring, right, in any given instance, right? If you, like, look at what's, what's currently deployed and what's currently running and what resources are stamped out and actually, like, you know, properly reconciled on a cluster, and then how can you then say, like, well, if I've given Cartographer's attestation, which only goes up to a certain border, and I had these other attestations on these other components which tell me about what happened internally, right, there still needs to be some kind of knowledge, right, of what, still, like, you know, what, what, what, what inputs relate to that attestation that, that thing's talking about. Otherwise it feels difficult to, like, actually draw a seal around all these things and say that these, you know, attestations can actually be collectively added together.
B
That's where I think possibly, sound like a solution there could be, just like we have, like, health rules in different fields within the templates themselves, we could add a field there. Just like we have the output field of where you're going to find the image on the stamped out resource: on what field in the resource can you find the, you know, link to the attestation. And within our attestation we could add a link there saying, you know, tool specific or step-specific annotation or internal annotation or whatever the field would be called within there, saying:
B
Okay, if you want to look at the attestation of Flux CD, this is, you know, where that is. If you want to look at kpack, this is where it is. Having that be optional makes it so we can support any CRD that doesn't do attestations, and if one does, we can, that way, easily enrich the Cartographer one simply by adding in an optional field in the, the templates themselves, possibly.
A
Yeah, I think that approach, that makes total sense to me. And that, I would say, Thomas, when I was, when you were describing the issue that you had opened on kpack, that is what I had envisioned would happen, was that on the kpack image object there would be some link to either an object on the cluster, or, or an object available publicly on the internet, or credentials, you know, something. Is, is, is the description that I just gave similar to what you had intended?
E
E
But then, if I'm a consumer and I got this OCI artifact, the image produced by kpack as part of the supply chain, then, like, independently I can verify the attestation regarding just the image, not the whole supply chain, but the image, about how it was built, all the materials that went into it, and the link to the GitHub repo from, yeah, where the source code comes from.
E
So there are these, these two different levels based on the, the specific need. And this, yeah, I like the proposal from Scott about having this link, also that you can navigate from the supply chain to the specific one if it exists, because it doesn't always make sense to have that at each step. But, for example, for kpack, yeah, there it really does make sense.
B
What I would expect kpack do in the end is they will use the cosign, like, they have cosign integration today, they'll use cosign attest and not just cosign sign, and then they will give us the image URI of the OCI artifact of the attestation as a field. Just like we have latest image, we'll have latest attestation, right, or whatever, or latest
E
B
A
Yes, so from the, in terms of the, there's a, there's a bit of a first mover question: you know, should Cartographer go out and create this attestation reader before we have an object example to, to read? I think the, the next thing I'd be most interested in is, one: are there examples already existing of Kubernetes resources where they, they do work and they are, and they have some sort of attestation currently? That prior work would be,
A
It would be super useful. And if we see, oh yeah, here are three examples and they all kind of work the same way, then Cartographer can be really comfortable just saying, like, great, we'll, we will make sure that we can read things formatted in, in this fashion.
A
If there are examples of that, I suspect we would probably want to talk with, for example, the kpack team and discuss, like, what do you envision building into your, building into your resources? Let us know, because we want to be able to read it and we want to be able to, to pass that on to our users to consume. But all of that makes, yeah, that all makes total sense to me.
B
The only one I know that does it today is Tekton, and the only one I know that doesn't do it in that world is Argo Workflows. So not a project to look at and a project to look at, because, and Tekton is used a lot within Carto, right. So there is the idea of how they do Chains, and looking at how Chains exports that information may be worth looking at when the RFC for kpack gets written as well, to model
B
After how Tekton Chains has done that, which is, in all the sessions I was at at KubeCon, whatever, it seems to be the standard that everyone is looking at for the implementation, or it's the example at least that's being thrown around a lot in the community around attestations today, in, you know, different tasks. So maybe worth looking at how they did it and modeling kpack off of how they did it, if it makes sense, and then utilizing that as well in Cartographer.
A
Yeah, that's cool. That sounds like some to-do items for our team, is to take a look at Tekton Chains and see, for example, I'm not clear, yeah, is the Chains, that, a totally separate object that refers to your pipeline runs, or do your pipeline runs refer to your Chains?
A
It's important for me to know. Cool, any other thoughts on this issue that Thomas hadrit had raised and John pointed us to?
G
This is super helpful to hear that conversation, so I appreciate the feedback from all of you, and feel free to reach out to you, I think, if there's anything I can do to help in the space. The, I think Thomas mentioned this, that the ITE-6, which is an internal proposal for in-toto for attestations, defines a pretty well, in general, format for capturing the attestations.
G
So, so, hopefully, that part is a solved problem, and there's a lot of tools that are starting to build in, in support for attesting to different statements, as they call them. And SBOMs are a good area where things like different tools that generate SBOMs will also attest to that, and also some of the, the vulnerability scanners. So there's, there's, I can point you at a quite a few different tools. And I think on the build front, this is where the SLSA provenance format is becoming
G
More, is kind of like the general standard for what that should look like. I think Co was planning on implementing something that would generate that. I don't know if they actually have or not, they might have been waiting for 1.0. But I can help find something that builds, and there's the, the SLSA GitHub generator that Thomas also linked to.
G
So that's a GitHub Actions version of something that describes that, that provenance as well. So on the, the lower level tooling front, I can help find anything that, that is generating those attestations.
A
That sounds great, yeah. We're happy to have you both kick off the discussion and to
A
Yeah, we, we will, I'll take you up on that, believe me. Thomas, I see, we've got just a couple more minutes, Thomas, I see you've dropped in Cartographer CLI. Talk to us about it.
E
Yes, so, yeah, there was a quick thought. A few months ago the Tanzu Community Edition project was retired, and I know that, like, several examples around Cartographer were using the Tanzu CLI that was distributed via the Tanzu Community Edition project. Of course, it's still possible: the, the framework and the CLI apps plug-in to work with Cartographer is there, can be built from source.
E
I was wondering, what do you think about considering a CLI for Cartographer, similar to what Carvel did last year, that the package management functionality was part of the Tanzu CLI, one of the plugins there, and now it's its own CLI that also evolved to have more functionality on the author, authoring side of packages, and the code base is still the foundation of the Tanzu CLI.
E
So it's not a duplication, but I guess it made a lot easier in the open source space to get more involvement and more, or simple onboarding experience, because, yeah, it was easy to download the CLI and get started with Carvel. So I was thinking, what about doing something similar in Cartographer? What are your opinions about that?
D
B
B
Has a dependency on the Tanzu config, but that should be easy to remove, I would think. They have the same issue in the package one, where they're depending on the framework.
D
Yeah, I would, I would definitely, I, I know that Gareth thought he might be able to make it today, but Gareth, our technical lead for our program, is also thinking along those lines, so there's a good chance, and definitely bring it up again, because I also wanted to add some extension points for people in the field. One of the things I would like is a way to get a, a reasonably well scrubbed copy of everything the workload isn't really responsible for.
D
E
E
Also something to bootstrap projects or new templates, and perhaps integrate the cartotest CLI in there, yeah. So yeah, yeah, it's interesting that, yeah, you're also thinking on those, yeah, along those lines, yeah.
D
E
B
D
D
B
B
Yeah, it's here, I'm sending the link now in the chat, that's the GitHub for it, and it's literally the easiest thing in the world. It's, it just spits out, in the end what it does is, for, like, if something is a string, it also spits out the type that it rep, like, the value is the type that that field expects to get.
A
All right, well, we are right at time. I want to say, one, a big thank you to Sam for just jumping in to take notes, I'd really appreciate it, yeah, it's great to have that record. Thank you as well to all of the, of the external folks that are coming to join this conversation. You know, as someone working on Cartographer day in and day out, every time we see you in the Slack channels making requests or asking what's going on,
A
You know, it's just like another reminder, like, hey, like, this is, this is something of value that's being put out into the world, and, and it's being used to create value for others, and that's just great. So thank you so much, and we will reward you by scheduling this again. We're gonna see you guys in a month. First.
D
A
I keep hearing people promoting the 13-month calendar that make all, every month 28 days. I'm like, it does sound really nice.