Hey, Michael. Hey, how's it going? It's going okay. I, uh, I came into this like two minutes early, and I noticed that the recording button is just always on. Like, sitting here thinking, like, is Emily getting this video of me and just posting it on the internet? "Mr. Julian dawdling on Zoom for two minutes." Going through some of the edits now. "State of the art" is separated by hyphens. Who... I will be back in a second. I'm just gonna pour myself a little bit more coffee. Not a problem. Make sure to clock out. Hey, Alex. Can you actually hear Alex? I think you're on mute. Oh, there you go. Hey, Alex. I'm like, we're gonna need a higher definition camera so that we can further evaluate the shelf behind you for what's on there, book-wise and board game-wise, of course. Oh, I see you have Terra Mystica down in the far right. That's a good one. I guess this is... This is it. I can't hear you. You do now? Whoops. No, I muted myself. Oops. Sorry about that. Um, yeah, no, uh, yeah, Terra Mystica is a good one. That's one of my favorites. Yeah. The successor is better. Oh, yeah, yeah, I haven't been able to find it in stock anymore. Project... it's literally the name of our Wi-Fi at our household. My wife and I love it, like, we played it too much. Anyway, okay, enough with the CNCF board game working group. Back. I'll just go ahead and share my screen. We'll start going through edits. This is the last week, am I right on this? Alex, this is the final week. Yeah, and therefore, yeah, this is it, I believe. Cool. Okay. I figured that's why Cole went through and, I don't know if you've seen, it's like, uh, there's many, many, many grammatical... Yeah, I learned what's hyphenated. I do not. Is it okay? Can I contest this very first comment? Is "high profile" really hyphenated?
Can I really? Can I just Google that and just be like, yeah, look? I had to do it for "state of the art." I was like, no, there's no way. Okay, so "high profile." No, okay. "High profile," "high" is... oh no. My life is shattered. I mean, I'm okay with that. And Alex, your comment... He was deleting it and I didn't realize. Yeah, he literally hyphenated a bunch of stuff, so... Yeah, things that I guess he got out of his dictionary at the source. All right. "Other parts of the doc, we use a space instead of a hyphen for key rotation." Yeah, I never... Is "key rotation" hyphenated? Don't tell me that one. Google doesn't think it is. I don't think it is. It wouldn't make sense. Yeah, no, no, not at all. Nope. Sorry, sorry, Cole. We're just checking the SEO, right? Like, maybe we need to check in the Cambridge dictionary or something. Yeah, but you're in the UK. Please, please tell us about the correct English. We need that. It's not ours either. All right. "It's further hard these materials that is suggested that source materials..." and I have fun. Sure. Yeah, that comment stays for now. Okay. "Supply chain security is a developing..." over NASA. I love the use of the word NASA. It's so good. "Where existing information is often focused on singular independent..." I'm okay with that. I mean, I think this is a little bit too... Yeah. You wouldn't know that this refers to supply chain security. So I can buy Cole's change. And so you, Alex, Alex, could you have the ability to just, if you want, if you see something that Cole says like that, especially grammatical things or clarity sort of stuff, why don't we just accept them? I actually don't have the ability to accept anymore. I'm not on the editors list. So... Can I just change that for you? So Alex, are you agreeing that that needs to be deleted? Yes. Yeah, I'm saying I think we should just drop that. I do kind of then wonder about the ominous "a more holistic approach is needed" comment.
I mean, I think that's the kind of summary of the entire paper, but I'm good with it. Yeah, I guess it says that right after. That's the paper. It's a holistic approach to software supply chain security. Keen and with... "Additionally, anyone with an interest in supply chain security can further..." Okay, cool. I think John's good. John would be angry about the loss of the flowery language. I did reach out to Mike and he said that he'd be on top of this, so he said he'd have time middle of this week. I'll reach out to him again, and if not, we'll just... Well, we'll just, inside of our... generalize it. "For example, some security breaches." Yeah, let's take out "might." We don't want to say "might." The entire... "Gaining access," yep, "gaining" over "getting," sure. "Additional" for "another," yeah, yep. Yep, agreed, Alex. That's a great space. Mm-hmm. Mm-hmm. "Additional" other threat... Excellent. All right. This is recent. "Build really to continuous integration, continuous delivery steps should all be automated through a pipeline." Oh, by the way, John is gonna join here in a minute. He's just wrangling. Hey, Tim, I didn't see you join. Snuck in there. Hey. "This recommendation feels like a summary of much of the rest of the paper beyond the source code section. Do we need this here?" I do agree, and I think we said this too. Yeah, yeah, I mean, the entire thing is about pipeline defined as code. So yeah, I one hundred percent agree. Personally, I think we could drop this recommendation because we're gonna talk about this in so many other ways. But... and it's brought up in the introduction. I mean, it's literally highlighted, if you didn't read anything. Yeah, no, and it has nothing to do with source code. Why is it in this source code section? I 100% agree. I don't know what this is.
It almost feels like these are separate comments. I think that that is Cole assuming we're keeping that recommendation, saying it shouldn't just be for high... Everybody should be automating, and then, sure. I think Emily was just responding to Cole. So two questions, I guess, that we have there. One is, are we keeping this one? And the second is, if we keep it, do we change the... No, I mean, I'm gonna recommend to delete it. Uh, just real quick. So the reason why I had written that, and I maybe put it in the wrong spot, there was... Emily said it wasn't clear whether or not we were making an actual recommendation to automate all steps as part of the build, and making sure that that was clear to folks. God damn it. No, I know it's... you wrote it. I mean, that I would delete it. I'm just kidding. No, no, no, no, no. To be clear, like, I might not have put that in the right place, but if you go back in the Slack a little bit... One of... I do remember this from last... this was last week, right? You wrote it, like, partially on the call. Yeah, yeah, where Emily was just essentially saying that she felt that, and I sort of agreed, where the idea is we should be definitely recommending that all steps as part of a build should be automated, outside of, like, any manual sign-offs, code reviews, those sorts of things. You know, the thing that we wanted to sort of... if you wanted a specific example that she called out, it was: we don't want to do manual hash validation, like somebody going and saying, yep, this checksum relates to that one. Yeah, that's good. We want to make sure that all that sort of stuff is automated. Yeah, the only thing is that that goes above all the sections. Like, it doesn't fit into source code, right? That's kind of my... I think that's what we're saying here, Mike. I totally agree. I totally agree. And I think that Emily has a good point. But where does that go? If you all are... I'll look and see if I can find a better spot for it.
I feel like we get close to saying exactly this in the introduction. Maybe we need to spell it out more, and then we definitely have some other places where we get close to it and maybe need to spell it out more. So let me see if I can find a better spot for it and I'll move it, and then somebody can sign off on where I've moved it to. Okay, but I won't waste the rest of our time on this call trying to find that spot. She did a footnote fix. Perfect. I think she's fixed this, more or less. I think they're still kind of redundant, but I think it works. So... "Is and not is not considered except for contributions of that potential cause creators are advised." Okay, okay. I'll take it. This is similar to, like, the code owners use, of the code owners project, or... which is, I think, further down, right? Yeah. Yeah, to find individuals. It's this. Yeah, that's what you're saying. Yeah, the exact same. It's just... Yeah, maybe it's more granular. I'm not sure. All right. And footnote. Cool, I think I'll take that. You got a good LGTM from Cole there. "Third-party artifacts, open-source libraries, and any other dependencies should be verified as part of the continuous integration pipeline." Just don't go check something. Yep. Yeah, I can agree. Anybody? Nope. All right, now more grammar policing with Cole. "A generated SBOM provides that." Yeah, that's fine. I think speaking in the present rather than... mm-hmm. Yeah, that's fine. "Can" to "ensure," ooh, okay. "Before allowing software dependencies into the system, they should be scanned and evaluated to ensure the level of the vulnerabilities they bring..." Well, that's an interesting one. I'm gonna give the floor to Vinod. "Level of vulnerabilities" is a question. We do know that there are cases where you can have contextual levels of vulnerabilities, right?
You can have no vulnerabilities that you're accepting in your environment. It doesn't make sense even without the word "level of." And I'm just kidding, putting Vinod on the spot. Tim, Mike, any... Alex, do you have any? So he's asking to remove "the level of vulnerability." Yeah, essentially, say ensure the vulnerabilities themselves are within risk limits, not "the level of," as if there is, like, a threshold. Which I think, in some cases, there is a threshold of vulnerabilities that you can allow. I mean, I think it sounds like saying basically the same thing with fewer words. "Vulnerabilities they bring in are within the risk limits" is the same thing as saying the level of them is acceptable. That makes sense. That's fine. I'm maybe reading into it too much. Delete. There's a bunch of these where I just moved the link from the text down here. Yeah, got it. Cool. I see it. Let's see. I didn't actually take a minute to look at this. Oh, that looks good. You can kind of see it makes it significantly clearer. Good job, Emily. I would never do that. My... the letters would run off the page. Are we just gonna ignore Justin Cormack's...? Oh, I guess Cole got to it. Oh. "Removing components," there you are. Yeah, I'm staying out of this. Yeah, I'm on the thought that if it doesn't need to be there, it shouldn't be there. And there's threats that we don't know about, things, and if they're not there, we don't have to worry about those threats. Right. Yeah, that was also my line, and that is a hill I'm willing to die on. Honestly, you know, one of the big things that people bring up about, for example, like unikernels, right? Like, oh, unikernels are safe because if you don't allow networking or whatever... Like, you can't compromise the network if you don't allow networking. You can't compromise, like, a text editor if you don't have the text editor installed on there, right?
Yeah, I think the point where we talk about the attack vector of automated attacks, mitigating that makes it valid. Right, so we found it mitigates automated attacks by removing components that those automated attacks rely on; therefore, it makes an effective control. Okay, so how many people's responses does it take to overwrite one comment from Justin Cormack? I think everybody's kind of in unison here. Well, there's this guy, I think, but when I read his comment, I wasn't sure that he was actually disagreeing with... Yeah, and they do do that at the Iron Bank. I can show y'all documentation about minimizing it and pulling stuff out. That's true. Yeah, I mean, I think from the arguments, for the variety of voices here, I'm good with checking this and keeping it in. Yeah, I think it can reopen if it... it's just, it's the last week. I'm gonna say, I'm just gonna put "enough evidence provided, statement will stay." Sorry, Justin. You'll receive the airplane... All of a sudden Docker stops working for me. The Docker... don't have this UBI concept. You've been rate-limited. That's fine. Awesome, Alex, I see the links are going out of the footnote. Cole, you missed us going over your grammar fixings. Oh, I'm sorry. Something got messed up in the doc and I think I made some changes that I didn't want to, so I apologize if there's some issues. No, it's fine so far. Everything's been good. Especially ruining my life with "high-profile." All right, delete link. Yeah, this is all good, Alex. If this is the bulk of this, we're in a good place. Okay, we have these two as well. Nobody's responded to those. I guess it's actually this week, so this is fresh. "Encrypt artifacts before distribution." "Might be worth laying out use cases where encryption of container images is likely to be relevant. Standard practice for most containerized environments is to not store secrets in the image."
Yep. "So whilst ensuring integrity is important, confidentiality of the image is less of a concern." Yeah, so this is saying we are recommending, in high security environments, to client-side encrypt the actual image. Is that the debate up here? Yeah, does that do anything? I mean, I kind of agree with them. Yeah, it's a base image that doesn't have secrets, and so why does that matter? I've never seen an image encrypted. I don't know that that gives you any sort of, like, verification, right? If you want to hide the materials of the image, well, yeah, sure, encrypt it, but does that increase your security? Yeah, and is it something you'd recommend to be a common practice? Probably not. I think if you want to verify it, right, you verify the hash of... or the SHA sum of that image or artifact, and then you know it's what you know it is. Encryption is to keep it secret. Yeah. ...if it's secret. Does anybody know who originally wrote this assurance, or know the tricks inside of Google Docs to see that? It sounds like it may have come from... I feel like I remember this being a Brandon Lum addition, but I am not sure of that. Okay. From the Deode team, did they have any use case? Oh, yeah. So let's look at the language of it, right? "The contents of the artifact can be protected by encrypting it." So that doesn't increase security of it. "This ensures the contents of the artifact remain confidential in transit and at rest until it's consumed." Are we trying to write a paper about keeping things confidential? Right, right. This might be... you're 100% correct. This would be, like, if confidentiality was your utmost concern, this is certainly a recommendation, but are we doing... right? Are we talking about keeping everything as confidential as possible? I don't think so.
No, that's extraneous, and it's out of scope for this paper, in my opinion. Anybody on the call speak up in favor of keeping this in? Just gone. We'll go ahead. "Only authorized..." Yes. Yeah, we do, because this makes no sense in context. Is that correct? Right, it's "allow the viewing of or use of an artifact to be tied to a key held from particular distribution infrastructure." At that point we have nothing in the encryption section, which means the entire section goes away. Mm-hmm. Okay, I'm gonna make a comment then, just to... Man, I can't type this one. Yeah, we talk about signing a lot, right? We don't talk about encryption. Okay. We're back to Alex's link footnoting. So rewarding to click the check mark. Thank you, Alex. That was really fun the other day. I'm glad you guys joined my Twitch stream. I think that you should give permission to Alex to... I think so too. Okay, okay. And we're already down to the glossary. I know you had... you set up, Alex, a separate message in the Slack channel about the glossary. Yeah, I summarized it here, but basically I think that... So there's a lot of gaps in the glossary. Most of these terms we either use once or not at all, and I'm not really sure why we need to define them here. My suggestion is just dump the glossary rather than waste time trying to finish it. I'm 100% with you. Is it normal to have a glossary in a tech paper like this, unless it's for terms that exist nowhere else? Do our users have Google? They sure do. Yeah, can we just put... I mean, yeah. Yeah, we've got pretty good footnotes, I think, and we expand things inside the paper, and our end users have access to reference materials. I agree, and we don't need to define personas. If you can't effectively recognize the personas that are part of the software supply chain work, probably not a good paper for you. Yeah, I think it was a really good exercise to organize this paper, right?
So, just literally, all this... Does anybody see anything worth keeping in the software sources and software groups? Alex, hi yet again. I think, yeah, software groups, I believe we had a discussion in the beginning, like, on first party, second party, third party, to make it to see if all people don't understand, like... You know, if somebody Googles it, and it's again the SCM and I'll be the first party... Right, right. I totally agree. Is this something new we're defining, software groups? Does this exist anywhere in literature? Maybe as an appendix. Those exact terms are... More important thing, are we gonna be setting down... are we gonna define this in this paper? And then what's funny is we'll define it, but we won't reference it anywhere. Do we reference...? Like, we explain about procuring and everything, so that's why we decided to explain it a little bit more. But I don't know if it's the standard terms used or someone in the group defined all these terms. So maybe... Yeah, we change it into a footnote. Yeah, we could just... wait, what if we just add it into the... There are no other appendix items, are there? Nope, there's just the glossary and the container one. Should we do an appendix for software groups? Yeah, I don't know what kind of header this is. Looks like title. Yeah, it's good stuff. It seems like it is definition. Right, so we need to definitely talk about it. All right. Let's get back up. Do you think sources and groups I should keep? Yeah, yeah, I think so as well. Set them about the proper titles. Get rid of that. I also like Cole's idea, Alex. Footnote, right? Like, that might help while reading this, some of the terminologies, right? It's probably worth us checking whether or not we actually reference them. And should it be, instead of "software groups," should it be "software..."?
"Software context," "software..." Doesn't matter. I'm gonna mark that as resolved. Alex, is that good? No, we still didn't get... trying to join. Message in here in a second. All right. So can we recommend just for... This all goes? Yeah. Yeah, all right. Let's just, to cover ourselves, look for the word "glossary." Make sure... Oh, let's see. "...paper leverages several..." Yeah, that's... Oh, that's now in our appendix, right? Right. Oh, look, no more reference to glossary. There's no glossary anymore. All right, okay. So what's going on with this? Is this gonna become its own separate document? Is that the idea? I think Alex or somebody mentioned to put it in the landscape, or... I don't know who. Yeah, the suggestion is to move... So I put this in this other document that Emily has that is gonna turn into the evaluation framework. But the suggestion is to eventually merge it all into the cloud native security map. That is already underway. Yeah. Should I call anyone to even look at these comments, or do you think those should be considered as part of that discussion? And I think if you will remove it, I think it's better. Like, so let me move from this to the... Best in suggestion for it, you know, the container industry and things. I have not spent any time looking at the appendix for this, containers. Alex, I just looked at it an hour or so ago, so that was my first time reading through this section. I don't want to read it with you on the call. That's not fun. Um, do you find it useful, Cole? No, I find what useful? I'm sorry, that wasn't Cole, that was Alex who was talking. I'm sorry, Alex. Did you find reading this actually helpful, the base container images appendix? I think there's some material in here that we don't have in other places that probably will be useful to people, so I think it's worth keeping the appendix. Do we actually call out the appendix in the paper? "For appendix C..." That's within that product. That's within that paper. "Tilt some techniques to harden these capabilities."
See... Should I specify this to be "Appendix, Section 1, Container Base Images," and that's it? Mm-hmm. So really very few references to use the appendix. All right, I'll spend a little bit of time going through Appendix 1 and seeing... and Alex, I'll click the checkmark a million times. I might ask John to just give you the ability to go approve your changes. It's just... I trust your grammar there. Anything else anybody sees? Let's see. I can try to give you all back 25 minutes of your life. Just want to clarify for it: so we are moving that table from this paper, right? Like, yeah, yeah. Yeah, who's facilitating that? I left it in there only because when I copied and pasted it over, the comments didn't come with it. So if any of those comments left in that table are things we want to deal with, someone needs to go add an equivalent comment in the new document. So somebody wants to just take a look at those and say, oh, yeah, this is still open for discussion, and then make a note of that in the new document. Then we can clear it out. But I didn't want to delete it permanently and lose all those comments if they were still things that we cared about. Can we set a deadline for, like, end of day Monday for getting the comments out of here, cleared, and deleting this entire section? If you want, I can Slack... I can ping everybody who has a comment, the most recent commenter. Alex, I mean, you know, there's not that many people. It looks like mostly... Yeah, it looks like mostly Magnolil Logan is the only one who really needs to go in and make sure they get ported over. But I'm gonna ping you as well because I think making sure this paper gets the goods put over correctly is good. Yeah, I don't know. That's another... That's kind of an Emily question, the prior art. I assume, I mean, it's just like a references section, ultimately. Okay, I'll ping Emily and ask her as well in the channel. What is this section referred to as by us?
This is the "open source tools and projects" map thing. All right. Cool. In terms of... Let's see. Emily had a bunch of items that need going over. Yeah, shared responsibility, existing corrections need resolving, that regarding the automated assurance... add "moderate" and close it. Yeah, that's what we just talked about. HQs... Yep, we kind of tackled all those. Yep, okay. I truly think, getting through this, Alex, if we get through the appendix on containers and we make sure that it's relevant to the rest of the paper... And Alex, if you can... this is probably the last of the actual meat and potatoes in the paper that needs to be satisfied. I'm gonna go ahead and hit "contain" on this. I'm gonna ping Mike and... privately and just be like, hey, can you do a review of the appendix? I mean, I don't see anything else for us to work towards. Do we need this as well? This needs to be satisfied. Yeah. Accept it, sure. Awesome, okay. Yeah, yeah, this is really close. I mean, cool. Let's... I'll try to get through the container appendix part today. Everybody else, 20 minutes back in your life. I'll work via Emily and John in terms of if we need to have anything ad hoc, and tell them. But this is likely close to being pushed off. That's pretty cool. Yeah, it's awesome. Super exciting. So, cool, everybody. Thank you so much for all the work you've done. Thank you for the reviewing. Anything you see, see something, say something, just put it in the doc. We can still review comments. It's not published yet. And thanks a bunch. Have a great weekend.