Hey, good morning, Andy. Good. Good afternoon. Good morning. Yeah, that's right. That's right. All right about that. No, yes. Good day. It's perfectly appropriate. I should know by now. Oh, it's all right. I'm just, uh, bemoaning the loss of a day, you know, just one of those. I'm all too familiar with that recently. Hi, Alex. I think we're gonna get John today. John has, um... he was vaccinated, which is a good thing, he told me, but he's taken a bit of a knock from it. So I messaged him an hour ago about... great. Like, I'll run today if he can't make it. But he said you could make it, said you'd be fine. That's far more recent information than I had, then. Okay, hopefully he can show.

I was finally able to get my first shot on Tuesday. Awesome, whereabouts? I live in California, so I had... I did, I volunteered to get it, though. You can... I'm not officially able to get it for another... actually, yesterday they opened it up to everybody. So in the UK we're right now at ages 45 and above. Not so well under the bus, because of course... Fresh and useful. Yes. Yes. He's clearly 25. Um, that's crazy. Okay, so it's not even open to everybody in the UK? I don't know why, because we always hear about how advanced you guys were with the rollout. I figured it's been graded going down, so that all, um, all high-vulnerability... high vulnerability, that's not a threat assessment, um, all highly vulnerable people have been vaccinated, ages 18 and above, and then they just worked it down: care home workers, public... I'll say public servants, public-facing. Well, that's good. I'm just surprised that they aren't exposed to everybody now. We're having demand issues here. I mean, there's a few swaths of the population who don't want to get it. One of... so we've got a 90% vaccine uptake rate, which is insane.
That's super high. And, um, I don't know, one of my friends, um... well, a guy called Eric Johnson at SANS, who is in Iowa, said... oh, basically had no visibility of this when I was talking to him about it the other day. But we've had this, like, almost a vaccine war going on with, like, the UK and the European Union, and it's just been so uncouth, I think, is a gentle way of putting it. Right. Well, the US will very soon have a lot to just give out: here, take it, nobody wants it here. Uh, a third, uh, at the place I was volunteering on Tuesday, a third of people didn't show because of the news around Johnson & Johnson. So there's going to be a lot of people who are turned off. I mean, it just feels a little bit misleading, because statistically it's such a... it's a rounding error, but I appreciate the danger of giving it to everybody. But yeah, that is nuts.

All right. Maybe we won't get John after all. She's just probably plowing through this, or Emily. Emily would be another person to be useful, I think, ultimately, at this point. Uh, there's Emily. Look at that, summons, I invoked. Hi, Emily. I heard my name being called across the world. That's how Zoom works now, it's a new feature, just call out the people. I'm not surprised. How's it going? It's been a week. Alex is like, everything's great. Uh, I don't think we'll get John. Should we go through the comments today, Emily? How many weeks of open comment do we get for this piece? We only get two. Um, so next week, I think, is when it's supposed to be closed down, locked down for any further comments. Um, so let's go through the ones that we have outstanding that kind of need a group decision. Does somebody want to drive that? Yeah, I can. Okay, one moment to make this look professional. All right, sharing screen. So, first slide. All right, can you all see? Yep, we're good.
I'd like to try to make decisions relatively quickly on some of these things. That way we can get through them all, because I've got to get off in, like, 30 minutes. Yeah. Okay, great. Um, do we just want to go from the top down? Is there any particular...? I know Cole brought up the whole... there's a new commenter two days ago who had a bunch of controversial stuff. Um, but if people don't respond, for instance, you know, uh, Alex here brought up the whole, like, conflating of zero trust. I'm not personally... I don't think this is a decent suggestion. It's my thing here. Can I just end it? Let's not use zero trust in another... I don't think it adds anything. I don't think we need to coin another term. Can I just check? Yeah, it's not zero trust at all by commonly accepted definitions. Yeah, sorry. Sorry, Alex. Uh, all right. It is worth calling this the precent principle. So I'm looking for headings to put in my back pocket, and I'm translating it as... Oh boy. He's branding our paper. And he's starting, like, six startups there. I think the point we want to get... buzzword bingo. Let's get names to things. Uh, I think the point we want to get across for trust, we need data that can be as... Yeah, let's just, uh, no, let's not call it anything. Is that not okay, and move on? Yeah, okay. Sorry.

Uh, Emily, what about "this other document needs to be restructured"? Um, that's an action item after. Okay, I'll hold on to that. Uh, what do you think about this? I keep seeing it. I think it's a... "Add references to hardening techniques." Was this done? Is it in the appendix? Let's look. Let's go to the appendix. Um, let's see... there, appendix: containers, base container images.
It does not look like it. Um, I will make a comment and reach out to Mike. Okay, that needs to be resolved or we have to remove this sentence. Yes, yeah. Uh, let's resolve by next week, I guess, seven days. Yep, if it's not resolved by then, delete the sentence. Oh, also, just real quick, ping him on Slack, because I feel like... I hate these, uh, announcements. Hey. All right, cool.

Um, next. Alex, looks like... uh, okay, uh, personally identifying the trend. Oh, yeah, okay, so this was just in response to that comment about... I guess we can go with... Yeah, I feel like most people in our world probably know what PII and PHI stand for, but if we wanted to make sure we included the explanation, I just put it in there. Yep, include the explanation. If we reuse the abbreviation later throughout the document, we have to first introduce it. I don't believe we do. Uh, Simon, message him. It looks like it's further down, like next page. Yeah, great. Awesome. Thanks, Alex, for handling that. Yeah. Okay. Great.

Okay, these are the meaty ones. Alex, what do you got here? Um, so if you wanted to potentially split this between agent authentication versus human user authentication... and I was just saying, I think in the introduction, I'm not sure... Yeah, we're talking... it's a summary level. I'm not sure that distinction matters that much at this point in the document, but, you know, whatever we want to do. I wonder if the substance of this argument is that software entities should be required to mutually authenticate. That is not necessarily... I mean, there are authentication mechanisms other than mTLS, right? So I think we should keep it high level. If you are going too much into user authentication, service authentication, secure... other than, you know, we have to do a lot. Yeah. Yeah, I actually agree with your point here, and that's... I'm good with that. I think this is... should I put a comment?
Is it easier to do a quick rewrite and simply state that mutual authentication of identities should occur before interacting at any stage? That way we're not being explicit on user or software as independent entity objects. So just take out... Let me just make sure I know what you mean. But I don't think we use "secure authentication" such that it's just limited to mutual authentication. I believe we want to avoid weak authentication, right? So there are several weak authentications in both the user and service authentication spectrum. I mean, mTLS is a kind of secure authentication, but it's not necessarily the best authentication mechanism out there, right? So what do you think about the wording "strong"? "Strongly authenticate"? And then it's just lost. Yeah, I... I don't think anybody's... Unless we were going to go deep into what mutual authentication means later, I don't think it matters that much. We could just say "authenticate". Yeah, well, so the reason why I want to stick "mutual authentication" in is because there are still a lot of organizations that, like, they do authentication, but they do not do mutual authentication. And if we don't call that out as mutual authentication being encompassed within a secure authentication practice, they're going to continue to get away with it. I mean, they are anyway, unless they read the paper. But if there's a way that we can just slightly tweak that to include "mutual"... Emily, the following are the authentications we are discussing later, right? So one is SSH and another is token-based authentication. So they don't have to mutually authenticate. That is a challenge: like, a client doesn't have to authenticate the server there. Or, you know, in most cases the server is authenticating the client only. So that will be the challenge we might have: if we put in "mutual authentication", the following are the authentications, you know, we may have to rewrite those things, right?
So that's my thought. Is SSH... is the idea of mutual SSH authentication the acceptance of the ID, the fingerprint of the server you're connecting to? And is using TLS to authenticate with a token, saying that we've authenticated the server because we verified the TLS certificate, is that the level we're thinking, Emily? So, go ahead. Yeah. So that TLS itself doesn't have to be mTLS, right? It can be one-way TLS, and if it's one-way TLS the client is authenticating, but they're also verifying the certificate of the server. I guess we're going into the weeds straight away here, but I just don't quite understand. Also... I'll go ahead. Emily, I was going to say I want to avoid any presumption that one-way TLS is acceptable. There are occasions where it is, but there are a lot of instances, especially in the supply chain, where having two-way TLS is critical. And I'm not sure the best way to present those exceptions early on, right, because this particular paragraph is still our introduction. It's pretty... We're not getting too much into the weeds here. Right. I think we can keep it. In my opinion, we can keep it like that, but, you know, it's an interesting idea if you want to explain, you know, some of the authentication mechanisms we are... Yeah, that... Would it be easier to add a footnote to the end of that sentence and say this is further discussed for different areas later through the paper? I think the thing that just made it clear for me, Emily, is when you said specifically "in the supply chain", and then I've looked at the sentence and it has the final clause being "the supply chain". Maybe if we just refactor it: "For any stage of the supply chain, users and software entities should be required to mutually authenticate." Just move this. Yeah, it's just changing the object of the sentence. Well, I'm reframing it. I get your all's issues.
I don't think it matters. I don't think we're addressing Justin's comment at all, because Justin really doesn't care about the mutual aspect. And, go ahead. Yeah, please go ahead and make the change. He really just cares about the fact that we're using the term "user and software entities" as if it's the same. Yeah. Which, I would just go the cheat route and just take out "user and software" and just say "entities". But, uh, I also kind of agree with you, Alex, that in an introduction, who cares? We're not like... Unfortunately, Cole, I think it would be more confusing, in fact, to split it out into user authentication versus workload attestation. If anything, I would be like, why here? Let's do this later. Well, and I think we do make those distinctions pretty clearly in a lot of the recommendations later in the paper, so I don't know that it's worth muddying the waters in the introduction. I'm 100% with you. "For interacting at any stage"... I could write "prior to interaction". Sounds good. That's, uh, that's a politically... I should have probably commented on that, just said "nope". I think you can get it back. I was gonna say you can get it back with that button next to share. It's not gone forever. Does that work, with the footnote and the rewrite? Yeah, all right, let's accept it, mark it resolved and move on. Beautiful. Accept. Resolved. Okay, cool. Let's keep going.

Another Justin Cormack. I think it was a good idea to add something about verifying the signatures. Verifying the signatures: currently a lot more people sign Git commits than actually have any verification workflow, and while that has some benefits in forensic situations, it doesn't... That's a footnote later on. I wrote it. It's about merging. Where do you have that footnote? Yes, it's there. Okay, I'm just gonna say "addressed in footnote 17". Yeah, that's what it is. Yeah, so can we link back to that?
Uh, footnote 17 here, just to make it a little bit more explicit. Sure. Is it going to mess with things that we're doing, the actual footnote declaration later? Is that...? Well, we can add a footnote and copy and paste the same thing twice. Genius. All right. And then do you want it at the end of the page, or do we... I'll do it. You do it? That way you guys can move on. But I'm going to go ahead and end this. I think adding the footnote more than helps. Sounds good. Fun. Okay.

This is old. This is not from the review period, but that is probably not clear. What are you...? Uh, yeah, just cleared out. Alex added it, so it just needs resolved. Uh, yeah. Done. Perfect. 16. Okay, so are we also going to keep 18? Yeah, it's relevant. We'll just keep it twice. Okay, great. Um, I think we should, uh, change that sentence to the next page, right? Can you scroll up? Just... Richard, where? Yeah, we're two... I hope... a matter... that the heading is on one page and the content is on another page, right? So wait, I'm sorry, let's go down. Slow. Yeah, I think "Automated software security scanning and testing", the heading is on one page. If you're just above the footer, scroll. Oh, that's just... you're talking about here? Yeah, that gets fixed. It gets fixed, but... Yeah, you can't really do anything about it, unfortunately. It's Google Docs at their finest. Yeah.

Um, okay, we have this one that was just recently reopened three days ago. Okay, so it was resolved. Wow, he did not like that. I didn't read it that way. No need to reopen. Okay, closing again. There were suggested changes. Are we accepting them? From him? No, for this one right here, because they were linked. Oh, I thought this had to do with the Justin Cormack piece. Maybe. Well, let's just accept them. Okay, yeah, I'm good with... I saw this. Beautiful. I wonder... I was going to say "signed hash", but now that's a tautology. Sorry, carry on. All right, I think it can be... just read the last one.
Yeah, just read the last one. This proposed language... the document... should we wait for Robert to get back? Yeah, I think we are waiting on Robert. How do you, uh... if someone, three days ago... If someone can ping Robert to get the adjusted language, um, is he in here on Slack? I don't know, he authenticated with the Google Doc. So if you assign it to him... Yeah, he's here on Slack. Okay, cool. If he doesn't fix it, we're deleting the comment. Wait, is that... is it fixed? No, stand by, the text is red. We just put that. Yeah, that's the addressing that's coming, I believe. Oh, okay. Well, so it's from somebody else. Yeah, just resolve one, right, so he agrees. Alex... So it looks like this is still outstanding. I think Robert is outstanding, but Alex, I think he's okay to... Uh, he accepts.

But Cole has... What is this? Hold on, I need to read this. Mm-hmm. I'm 100% with Cole on that statement. I wonder if that flies in the face of the GitHub tokens, as somebody calls out in the next section, because that's exactly what, um, Alexander Bartman Beto says in the comment below, actually. It's the implication that it's an "admittedly less secure" option to frequently rotate access tokens. I think "less secure" is loaded, because that's comparing TLS to SSH. They both share some of the same ciphers anyway, and the access token can be scoped differently. So I think it's so complex, and people can argue from both sides. Maybe another option... Yeah, "admittedly less secure" is the passive-aggressive... Uh, on the end of that, "else use frequently rotated access tokens", um, "option of"... "Contested option of varying security concern is frequently rotated access"... Sounds so, uh, that's such a euphemism. Uh, it addresses it, and we're calling out that we know that there are politics in that. Sure. It's like Emacs versus vim. Yeah. Yep, I'm okay with this. I think this is great.
It's important to note the problem with tokens: exposing credentials to... "Out of band", I believe, is hyphenated. Maybe. No, we have to check on that. I think as soon as Andy finishes this, we accept them all and move on. Yeah, all this green and red is Christmas over here. Yeah, right. Okay.

So there's another mild contention here: "tokens should only be used if they're short-lived and issued out of band". Again, those GitHub personal access tokens... Yeah, not short-lived. In the next section we're, uh, "use of short-lived credentials", so we call... personal access token users, yeah. Do you think this wording, "should only be used", um, should stay or should change, Vinod? I think man-in-the-middle is just one of the many attacks, right? I think, yeah, actually, exposed to many other attacks, right? Yeah, yeah. So I added "tokens in this context should only be used if they are short-lived". So we're specifically talking about this area and not discussing them later on, right? Two items down we do have... I think, you know, it was just saying we have another recommendation that touches on this. I'm wondering if we need this paragraph here, or if we're... yeah, that is the gist of this section, or that paragraph: use short-lived, temporal credentials. Oh, it's so close. You're 100% right. More details in just 20 seconds of reading. Sound good? Looks great. Yep. All right, I accept all the things. Oh, man, gonna need to get OSHA in here for all this clicking. I'll get an injury. And then I'm gonna like his statement there. It should resolve both of those comments. Just mark them resolved. Done. If Cole gets upset, he can come back in a comment again.

Uh-oh. "Vendors should be required." "No reason why... I ask, is it present for moderate risk categories?" Um, I thought, uh, John did this. John, yeah, John split this out. So this is actually... That's fun. Yeah, fun. Bye, bye. I do wonder about that one.
Um, Justin is one of our... one of the two sign-off people on this. Okay, and, um, and he's, uh... I mean, just in case people don't know him, uh, he's the CTO of Docker, and he probably has a reasonable view on this. I don't know how we can actually enforce vendors to do this, and, uh, enforcing vendors to do something is not currently our problem. Yeah. And Justin's also our TOC liaison. So he's gonna review it again and double-check on his commentary, and if something's an issue, I'm sure I will hear about it. But I mean, is it wrong, though, Andy, to say that in high-security, high-risk categories you would require your vendors to provide you that SBOM? It's laudable, but only a Fortune One has the ability to do that, maybe. No, no, you can always ask, and they can say no. Yeah, you can say... They are asking their vendors to provide an SBOM, or "I provide a discount for the risk", and the U.S. government is bringing up, you know, the law. So, building... so I think that's true. Yeah, get more common, and just like everyone should provide. Cool, maybe more common soon.

More Justin comments. Uh, Alex, we have this whole section. Right, I think this is going to be, as soon as we update this graphic or do whatever we're going to do here, that's just going to all disappear. So I don't know that we need to spend a lot of time on it. Wait, what? What's wrong with the graphic? There's no commentary about something being wrong. That's not the graphic. We wanted to create a new graphic that illustrates, or that eliminates, this paragraph here. Yeah, I like the graphic. We like the graphic. Why didn't anybody tell me you wanted another one? So what is the ask? Nope. So it's moxie facts at work at gmail.com. Yeah, that's so annoying that it pulls your personal contacts rather than all the people who've been part of this document. Sorry, um, I will... Yeah, that's also not working. Fox, fox at work, at work at gmail.com, like that. Yep, add people to this discussion, send them an email.
All right, let's do that. Let's see if that works. There you go. Yay. So you want a graphic to replace all that text? Yeah, I thought that's what the above one was supposed to be. Well, let's just... you have build tools, you have the workers, the pipeline orchestrator is there, the build infrastructure, the source code repository, artifact repository and the signing infrastructure. I mean, it's a pretty big graphic that is shrunk down to be tiny. Right, right. Do they need labeling? That might be it, because I think the problem is this list here. I think we agreed that you can't label it, right? There's no way you'd have text the right size to do that. I guess you could put little numbers, and then we could have... You'd be surprised. I'll figure it out. I mean, but the key thing here, I think we discussed, is that, like, listing this just looks, um... it just, yeah, it felt like, well, why is the graphic even there if people have to read these two paragraphs and see how these pieces... Also, it's not clear at all how they communicate with each other. It's just a list. We could add anything to it. So I will, um, I will work on grouping, or making, identifying groups for each of the things, Alex. It just might not be today. I mean, you think that solves it? Um, and then we appreciate everything. There, it will disappear. Yep. Yeah, we won't need this.

Okay, I need to jump off. You all are doing great. Keep up the good work. Be aggressive. Thanks. Cheers, have a good day. Thanks a bunch, audience.
Uh, all right. This... yeah, this section caused me some, uh, sort of cognitive dissonance, because it's really focused on loading, and what this whole comment breaks down into is VMs versus containers. Yep. My instinct would actually be to defocus on VMs a bit, but there is this annoying middle ground where people want to refresh the whole build environment and have VM-based infrastructure we contain... So that's as far as I go. Yeah. Um, to Blake's main concern here: his issue was mostly the fact that we're conflating that images or stages and workers, context, um... The wording of this document is such that each stage is discarded. Well, each worker has a single stage, and that one-to-one, then discarding, relationship... it's practically untrue, frankly. It just costs a lot, doesn't it, in shipping data or in compute. So sure. I didn't... yeah, I should have waited earlier. I mean, I think we're putting it out there. There was the ideal, Andy, like that's the whole... Yeah, clearly in practice not easy to do, not likely to happen, but the idea is that this is what we'd recommend for the most secure of environments, right? Um, here we go. Let's... if we're not going to aggressively answer this one, I do kind of want to bring Blake back into this. Um, let me go ahead and message him, just real quick, and then let's move on to the next.

Robert van Voorhees. Ah, yeah. What do you, uh... I yet again brought him up here. Do we really need to expand on OpenSCAP? Pretty old school and standard. I just... we don't do that for any of the other tools, really. We don't go into what GitLab is. We don't, you know... Why would we do it for some tools and not others? The idea was that this is a tool that satisfies the need here. Here's the name of it. So do you think I should give him a couple more days? It's been four days. He's gotten the email. I think we still... we do it aggressively. I agree.
We haven't expounded on other things. Yeah, we don't... I don't see us needing to. All right. Justin: "citation needed". Uh, he thinks it's Wikipedia. Uh, so there is some evidence of this in, um, in Platform One, again, in the Iron Bank containers. Um, I can... I'll respond to him there. Okay, if you could. I wrote this section. Yeah. All right, pinged Blake. Thanks for handling that one, Andy. Let's keep going.

"Whole swaths of the document without any", um... This is rather old. Yeah, this is now two weeks old. I think this needs to clarify: are we talking about pinning? Should we change the heading? I feel like I remember us, in a working session, actually working on exactly this issue. So I'm not sure if we still had work to do or if we can just clear it out. "Recording hashes of any remote data for verification during the build process should be done, pinning specific versions." It's right there. I don't think we need to change the heading. I think that's ridiculous. "Updated vital bugs", blah blah blah. Yeah, I... does anybody else think we don't address pinning? Yeah, I think it's good. Good, done. Sorry, Cole, I don't think we need to update the heading. It doesn't make any sense. Uh, yeah, what's up with this? Vinod? Sorry, uh, you can close it. Uh, sorry, I had to jump out. Hey, good news, everybody. Blake says we can just approve everything. Thanks, Blake. Cool. Awesome. Vinod, that sounds aggressive.

All right, we're back to Justin Cormack. Um, "I don't like this term." Oh, I'm kind of with him. "Functionaries", what does that mean? Um, it's waiting for Justin's feedback for an automated process, right? So... Yeah. Yeah, I'm kind of with Justin. "The automated processes", though, definitely puts it in context. Um, I think "functionary" is unique to in-toto and frankly causes people... that keeps us in cognitive dissonance. Can we just say "signed by authorized entities", or something along that line, and replace it? Yeah.
Yeah, the magical entity. I mean, that's fine. Should I just replace this? And "an entity can be either a human or an automated process". Yeah, yeah. "Authorized entities" just solves it, I think. Yeah, "functionary" really languishes. Yeah, I don't like it much in in-toto either. I did just "entities". Look at that. I'm kind of with Justin on that. Uh, I don't know if Mike intends to update. I already went to Mike. Um, I'm going to keep that in there because it is supposed to replace "holder". Emily thinks that needs to be expanded, as of February 17th. I'm not sure if it's expanded or not. That's true. We don't know. Um, "any of the core concepts of supply chain security can be applied to", um... That I think is expanded here, right? We go through... Yeah, I think it might be. Check it. I like the word "nuanced". All right. Um, I think that's that.

Oh, damn. Um, I have barely looked at this. This is our... this has become a little bit of a vendor shoot-off, hasn't it? Uh, really? Yeah, but you can just... it didn't look like this when it began, and, uh, perhaps unsurprising. I think unavoidable. Yeah, the minimum we are doing for them, right? Like, we don't allow the vendor to be in the front pages. So true. Yeah. Yeah, it's also a snapshot in time. Good point. Yeah. Um, they're not actually aligned, though, I notice. Yeah, to be honest, it's so complicated. Someone does multiple things and they won't necessarily fit in one category. So... Oh, yeah, I feel like the formatting, if that's what you're worried about, uh, and this needs to all be done differently. I will reject myself. I mean, just in general, somebody get some fancier tables here. Um, but should we assign somebody to look at this and make sure it's consistent and makes sense? I did add some of them, but I will also check, double-check again.
I'm not sure if they are the original link. How does the CNCF do this so that it doesn't end up being... oh man, it's gonna need review, isn't it, because are they going to allow...? Are we gonna need to form a committee? Urgent committee formation. Uh, all right. I mean, I'm gonna ignore these for now. Who would own the whole part about open source tools? I can help. Yeah. I will help Andy, then, so Andy's the primary. Question... Well played, sir. Uh, yet again, uh, what is the... how would I actually... I guess this is a landscape review. Oh, yeah, sorry, I didn't realize. Mostly I just want to know what your email address is. Oh, um, just "subliminal", S. U. P. L. Limino, uh, okay. That's no good, at gmail. Uh, obviously that's not worked here, though, has it? Oh, yeah. No, no, but is that how it's... yes. Okay, as long as it's spelled. And then Vinod. Uh, do you want me to just do, uh, Vinod? Sorry, Vinod at what? Okay, you're just Vinod at awasploward. Yeah. Trick. Yeah, lucky. All right. Let's do this comment. Cool. Okay.

Um, I feel like this is solid. We went through all the major comments about the actual meat and potatoes. Um, Emily's got a little bit of work on the actual, uh, document, and then definitely something for what we just discussed here. Uh, does anybody else have anything to bring up, or do we get 15 minutes back on our Friday? I wonder, because I've been scant in attendance, what is the expectation of this group, and frankly, um, what can I pick up? Because I haven't picked up a number of things over the past few weeks. So, uh, like I said, right now it's still another week of comment. Um, I think, Andy, for your sake, anybody who you can get this in front of to give us more feedback... I am still, personally, I'm surprised nobody's called out any of the recommendations as off, or, you know... I like that Justin's really the first. And I mean, I guess there were a couple of others.
Uh, who gave kind of subjective comments. Uh, but I think we should look more for that at this point, rather than the whole, you know, "you didn't explain this enough" or "you didn't...". I would love to see: does this actually make sense? Are these consumable ideas? Are these like... could you take them? Um, yeah. Yeah, it's better to address them before publishing, otherwise there will be Twitter warfare. And I really do feel like the way we should think about this is, like, for some of us it's ironic, because it very well could be your boss is working on this, uh, but imagine that your boss stumbles upon this white paper, reads it, and, like, you know, sends it to you and says "go do this at our... at your company". Like, how many "what the fucks", "that will never happen here"? Would you have... yeah, my kind of thinking on this whole idea is like... We should probably have that conversation. "What the fucks" per paragraph? Yeah, yeah, exactly. I'll be honest, for a lot of this, uh, you know, we all know what the reality of working somewhere that isn't even close to this transition looks like. How do you make that incremental step based upon that? And I do think that there needs to be a secondary piece of work. I think the strong point that... Yeah, a blog post or something that makes the recommendation, and an adoption guide, ultimately. Yeah. Sorry. In that, uh, comment that's way up at the top, there's some link that she has to another document, and I think that was intended to be the starting of either an implementation guide or a series of blog posts or something. This one? Yeah. Um, I don't know that anyone's really done anything with it since she started it, but I think that's what it was meant to be. Oh, it's my favorite. It's just a bulleted list. Cool. I love it. The fox says... Yeah. Nice. Um, yeah, I do, uh, I should review this, because this is how I'd want to ingest it. I know I'm lazy.
I don't like words. So, okay, um, but yeah, other than that, Andy and Alex, I mean, uh, do you see anything that we need to put our effort into? Thankfully I can't draw, so I can't do that graphic. I mean, I think just getting a bigger audience is the way that we're going to make sure that we're on the right track here. But otherwise... This might be some self-aggrandizing, but it reads really well now. Um, I think it reads well. I do like our format for how we do the recommendations. I think it's easy to read. Um, you know, I know that there's a whole scrubbing aspect when they get the formatting, uh, and they make it more appealing, but I mean, this is solid. I think maybe it's also good to share the link with the people who have a bit controversial opinions or thoughts against the model, so we can capture them early. Yeah. I have a bunch of crusty DevOps people that I sent it to, after asking Emily. So I'm ready to get it torn apart. That's kind of my goal right now. But yeah, I mean... Oh, guys, even though they don't agree with most of the things we are saying, it is what it is, I guess.

Andy, it's 4:15. You can have a beer. Oh, yes. Yes. Uh, it's a local brewery, so it hasn't traveled far. I'm thinking of the planet at all times. I mean, this week. So I apologize, because I've stolen the 15 minutes from everybody. The last thing I wonder is, uh, I would have by default sent this to Maya at GitHub, but she is no longer there. Has this gone to anybody at Microsoft or GitHub who will have opinions? I guess if they're on the CNCF mailing list. Oh, that's true. It went to the Technical Oversight Committee, didn't it? It hit that as well. Maybe that's one for John. I'm sure he's got machinations and has already shared it with some open-source guys also. Like... Perfect. I am surprised at how few comments we've gotten on that, though. I think it's a monster, you know, it's a huge document.
I think it's That's why I told people I was like even if you just pick one section just pick a section I don't care. Just pick a section and don't do any more than that Yeah, you're gonna be a crowd day. Sorry. Yeah, and and is that like uh, is that maybe Something I mean yet again, that could be something the blog post tackles Uh, but I I I do kind of see the same thing Andy where I'd be like if somebody gave me 52 pages I'd probably also be like, well I better really care about software supply chain I'm not reading 52 pages of this on my own But that's uh, that's why maybe a condensed recommendation list would be good. Um, and even then for for The CNCF Maybe there needs to be a stronger. Please You know spend some time reading this and figuring it out But should we um, I know it went out on the mailing list should we just drop the link into some Slack channels and see that gather some other people I I wonder I I wonder if it's part of that presentation We can say we're looking for reviews on the build chain the recommendations code So and maybe people will just focus into a part that piques their interest Yeah, that would be that'd be just picking. Hey, you know Every single developer could learn something from reading the securing the source code I mean, that's that's the one I'm gonna go with in terms of being like, hey, here you go Don't worry about the securing materials piece, but yeah, I I think that's the way to do it Make it more approachable Also sounds less like, uh, you know, if you say tell people to just read it That's not actionable or really interesting read this whole document You know, but if you say hey, can you tell me whether or not you agree about the recommendations for securing source code or securing materials? That's much more actionable and much more like Okay Yeah, anybody anybody who wants to Uh to share I I did reach out to Emily to make sure that was okay It's not internal at all.
So cool We'll try to do that Andy maybe maybe a certain Uh employer, uh, we can we can put it in front of people from that that employer See if they have they have time on Fridays to do it. Yeah, right Um, yeah, I uh, yes. Yes, of course cool Awesome. Well that that look seven minutes seven minutes back in your life Excellent, much appreciated. Hey folks. Thanks for the nod. Thanks Andy. Have a good rest of your day. Have a great weekend. Cheers. Have a great weekend yourselves Thanks. Bye
