Anyone want to see the back of my monitor? Yeah, Anisha, I wasn't quite sure if you had a Stream Deck and that was like a different camera angle you had set up. I don't have a stand. This is like right behind the monitor. I see that. I can tell from there that the cables are plugged in. Your monitor wouldn't work otherwise. This is true. The cables are in a good state, nothing's peeled off. I guess everyone's looking at the document. Do any of you know if Jonathan is planning to join? Yeah, I just pinged him in internal chat; I'm not sure if he's at his PC. So he seems to be away, but I also pinged him there. So let's see. Okay. While we wait, how's everyone feeling in regards to where we're at? Maybe you go first since you're already on the microphone. Yeah, so sorry, I didn't have a chance to go through all the documents recently, but we still have some areas which need some more content regarding this. Okay, sorry, I think we have more content. Maybe I need to read the recent document. I'm not in a good state to comment now. We'll just continue going through the list. Alex, how are you? I'm all right. How's everybody else? So I think the first thing that I would point to is, we have sort of a philosophical discussion about the executive summary and whether or not it should be in bullet list form or paragraph form. So if we have feelings about that and come to a decision, basically all of those changes can either be accepted or rejected depending on which way we want to go with that. Which of the two are you inclined towards? What's your position, to start off? I think that, I don't know, I don't have a strong feeling on this. I think that it's probably easier to read in bullet form for someone who's interested in skimming this to get a summary of what the paper is about. But I don't know, I don't have strong opinions on this. I'm just sort of relaying the state of the field, I guess.
Yeah, perhaps there's a middle ground, a hybrid of the two: some bullet points, but just enough of both and not too much of either. Who else has opinions on this? Michael, Marina, face off, go. Yeah, I think we should decide who we are writing it for. If it's for C-level or executives in general, people at C-level or director level, then I think we should use more of a paragraph approach, right, a short executive summary which basically tells the problems that we are trying to address, and basically just says, okay, if you read this paper, you will have some information about it, because the focus should be on what problem we are trying to address. And then we kind of say, okay, if you're more interested, go ahead, read the paper, right? If our audience is more technical in nature, like an administrator, some sort of, I mean, you guys know what I'm talking about, right? There is a second tier that is more technical in nature. If we are trying to address them, then I'm in favor of including bullet points. This is my past experience, but yeah, this is my observation: we have to target the audience and then focus on either the problem for executives, or the solution kind of thing for the middle tier if the intent for the paper is to focus on the middle tier. Yeah, four points. I'm going to spitball here, but I presume people who come across the document on their own, either because they were Googling about cloud native security, or they follow the authors online, or they follow the Cloud Native Computing Foundation, are going to be somewhat technical. I'm trying to think, how would this arrive in the hands, or the eyes for that matter, of an executive or the C-level suite? Maybe through someone in the organization passing it on to them as part of the approval of something, or would those folks also possibly arrive at the document on their own?
Presumably it's going to be more like we have a bunch of different roles represented on the group that's produced this, more like our peers in other places, but I don't know. I think that the target of the rest of the document seems to mostly be engineers or people who would be making the technical decisions. So I actually think that bullets would be okay just to give a really quick summary you can skim through to the parts that matter to you, but I can see the argument for paragraphs as well. I don't have a strong preference, but I do like the idea of bullets as a summary. So my two cents on this is, I don't want to say it's completely bikeshedding, but I feel like, regardless of who's going to be reading it, if the content in the summary is at the level we want, I don't think it really matters. The substance matters more than the form. So right now, are the bullet points a suggestion to be added or a suggestion to be removed? It looks like to be removed. So it was originally written in bullet point form. And I think that the two people who have the strongest feelings about this are both not on the call, but Emily created a suggested version of it that incorporates all that same material into paragraph form, and then her suggested deletion of the bullets. So everything is still there in both forms. And if we can just decide which way we want to go, we can clear out all the suggestions, regardless of which direction. If we keep both it will be a duplicate. Okay. Yeah, I think that Emily's suggestions in the paragraphs are essentially rephrasing and duplicating what's in the bullet points. It's in a slightly shorter form. The bullet points may spell things out a little bit more. But yeah, they're pretty much duplicative of each other. Okay.
Yeah, my usual problem with anything written is that there are typically just too many words in it, even if it's a white paper. I like the bullet points, whichever way you vote it. So if I were inclining towards the bullet points, I wouldn't discard the other content; I would put it into an abstract that links to this document or something, or a little teaser. So I'll put a thread in Slack, and we can all chime in and vote, and then we can clear those suggestions out based on that. Sound good? Yeah, thanks for bringing this one up. Michael, what's up, how are you? All right, cool. Where's your mind at regarding the paper? Um, it's hard for me to really gauge. This is my first white paper I've participated in, so, since I was looking at it, I guess last I read it was around Sunday. I mean, largely I think we have a lot of the content. I think the things from my perspective are just a handful of, you know, oh, this content is still good but maybe it belongs in a different spot. Not really about the content, but I think in general the content seems good, the general flow of it seems good. I just think that in certain cases it can be a little confusing, and this is just more of a general thing, not any specific examples, but like, hey, does it make sense to provide this recommendation here or somewhere else? That was about it. I think it's a little bit of shuffling, perhaps. Yeah, okay. Yeah, and feel free, wherever you have an opinion, to do that. We still have time to do that. We're trying to almost get over the finish line, but after that point, once something is printed out or post-edited, it's harder, so right now is the time. I think things are meeting your expectations regarding what you had in mind when you came in?
Well, yeah, I mean, I definitely think so, and I also think that there's a lot of stuff in here that I myself had never considered, and I'm like, oh, that's actually good stuff I hadn't considered myself. Gotcha. I have Marina next on my list. Marina, how are you? Yeah, I didn't have a chance to go over the full document this past week, but I think that some of the sections near the end still have more comments, and stuff near the beginning that at some point we should go through, but I think overall the content is mostly in place. As everyone else has said, it's kind of a matter of making it flow correctly. So a fine-tooth comb, perhaps. It makes complete sense. Emily made the suggestion of having three people focus, with undivided attention, on making sure of that flow and a consistent narrative voice. If there are questions or comments that are left behind, that's also a good opportunity for the people taking that task to go through those. So if the team is a little bit blocked or unclear on how to answer something, we can leave it for those folks to make a determination, if they have interest in taking that up. I don't want to volunteer anyone for that. Thank you. Nisha? Yeah, so I filled in appendix one for containers. I think Faisal is the only one that gave feedback in that area. And I think Mike also needs to give feedback, and Andy Martin as well, but I haven't heard from those folks. Content is more or less in place; it probably needs to be made to flow. As usual, there may be some pushback against some of the recommendations that I have in there. So I would encourage folks to take a look. One more question I have about the document: is there a way to refer to other areas in the document, like internal links? Do we have that? We should have the ability to hyperlink sections, so let me go ahead and add a table of contents.
Any time that can give us some of the hyperlinks, and we could use that throughout the document. The CNCF team during the post-edit would make sure that, whatever the format, PDF or HTML, those links are followed. But they would need to know what we want linked, so yeah, thanks for bringing that up. On the appendix on containers, what kind of feedback are you looking for? Thank you for asking about that. The feedback: just in general, whether folks agree or disagree with the recommendations. Over my experience with talking to folks about this, there are some people who feel like it's going too far. You know, there are places where people say that this isn't an issue. So, for example, one of the recommendations I give is to pull by digest only and don't rely on the tags. So that may rub some folks the wrong way, I'm not sure, but this is to maintain build reproducibility and to be able to audit better. So yeah. Do we want to spend like five to ten minutes doing a group read-out of this, or do we want to go on to the list? What do folks want to do? Does anyone feel strongly about this, or do we want Nisha to put it in chat and we go back and revisit the section and do that? Yeah, as you say, do you want a thumbs up from people, or do you want perhaps other recommendations included, or perhaps a recommendation is too strong and should be generalized? Maybe easier. Maybe the place with the most contention is the multi-stage Docker builds, because there are recommendations online that say to leverage multi-stage Docker builds, and I've said if you're going to use multi-stage Docker builds, be careful and propagate, you know, environment variables, ARG build arguments, and the image digests that were used at each of the intermediate stages. Totally. It also feels like there's room to talk about buildpacks. Oh, buildpacks. The thing with buildpacks is that the build pipeline itself is managed by several suppliers.
And each of those suppliers may be doing different types of auditing on their build pipeline and the final buildpacks that they deliver, so that is going to be a harder thing to give recommendations on. So I expect that the suppliers of the buildpacks would follow the build worker recommendations previously listed and previously talked about in the white paper. Or perhaps less recommendation-specific, but maybe the OCI image spec. Like, Dockerfile doesn't do everything that the OCI image spec recommends around security, and I think that's what gave birth to Cloud Native Buildpacks. No, my understanding is that because Dockerfile is a leaky abstraction, it's difficult to update a container image built out of a Dockerfile, or it's difficult to keep track of what exactly happened. And I think the thing about buildpacks is that because of the buildpacks specification it is easy to rebase or update the lower-level dependencies when there happens to be an updated buildpack. But again, the update requires that you trust the whole build pipeline, including all of the build pipelines that other suppliers are providing. I'm not sure what the auditing aspect of it is. Perhaps I can put some information about it, if one were to use that framework to create buildpacks. Okay. Yeah, maybe there's a growing line of, well, an entirely first-party supply chain versus having first, second, third party and having multi-stage builds. Yeah, it's very difficult for an end user to glean any information about the supply chain in any of these situations. So it's especially hard for the Cloud Native Buildpacks folks to provide that information as well. That said, they're making improvements in the way they report these kinds of metadata and audit the pipelines.
So, I mean, that may change later. That's basically why I didn't put anything about that in there, because it's in progress. Well, and in general, there's great technology, but it's so hard to operationalize and consume. And that's a big thing of the paper, right? Like, are we meeting people where they're at? What can they make the most out of with their existing infrastructure tooling, versus steering them to use new breakthrough technologies that are not quite fully productionized, or not quite made easy for large enterprises and people who don't have a lot of technical staff? Cool. I'll pause there. Let's put this one... sorry, I muted myself. Nisha, let's put this one in the chat. Yeah, great discussion. I think that must have been fostered. I have a quick question for Nisha, sorry to interrupt. Nisha, have you written the section on generating an immutable SBOM, or is it someone else? Sorry, I didn't understand, can you repeat that? The section on generating an immutable SBOM. Is that something you have authored, or has someone else written that? Okay, but yeah, I think that's all fleshed out over there. They do mention the SBOM formats CycloneDX and SPDX. So yeah. Specifically with regards to containers and SBOMs, is there something you're looking for over there? There was a recommendation at the end saying that, you know, SPDX 3 is coming and everything like that, but from my understanding, SPDX 3 is not available yet. So I don't know who exactly wrote or suggested that, so I don't know if we should include something which is not available now. Is that something you have added, or is it someone else? Do you know? I remember putting that in a comment; I don't think it's in the document. It is in the document, as "SPDX 3 will include all SBOMs" using profiles and everything. Yeah, there is. Okay, well, I'll go move it. Yeah, yeah.
So it's kind of recommending one over another, but it's not really, I mean, please correct me if I'm wrong, like it says SPDX 3 is available now, or do you know when it is going to be released or anything like that? Yeah, it's not available now; they're still working on it. I don't really know when it's going to be available. But that's a good point that we shouldn't really put something in the document that isn't available, so I can correct that. Okay, thank you. Yeah, I will add a comment. Just want to make sure that I note that. Thank you. Next on the call, and Magno, I'd seen you on the call before, but going through the previous list of attendees. How are you? What's going on? Pretty good. So I didn't get a lot of chance to look at the document as a whole. I was kind of skimming through it. I did leave a couple of comments now about some of the pipeline stuff, but I think they're minor things. And I also mentioned that the end of the document still needs a little bit; it still has a bunch of things that need to be resolved. I think we'll get to that. But yeah, I think overall it's looking pretty good. The content makes sense. I did actually learn a fair bit as I was reading through some sections. So, yeah. Having two PhD students, or experts on the subject, say that they're learning, you don't hear much of that from people in the industry, so we're actually learning a lot from you guys, so thanks for being here and contributing. I'm happy to be here. Yeah, I'm just joining today. It has been a busy week for me, so I haven't had a chance to go through the document again this week. I should have some time this weekend and then Monday and Tuesday to go through and help out where I can. The weather is improving. I'd expect to be wakeboarding on the lake soon. Yeah, pretty soon, man. It's warming up. We've got to get rid of this rain, another 10 degrees and I'll be good. Nice, nice. Magno. Hi.
Yeah, I'm just listening. I need to go back to the document and read through it again. It's been a while. Also, I had a few sections under my name, so I'll just check if someone has picked those up; if not, then I'll work on them this weekend. Sweet. Cool. So, just to gather and collect thoughts: Alex, thanks for opening up the vote on the Slack channel. If folks could chime in there, that would be really good so we can get over that one and know which way to go. Next up would be, well, let's try to go through outstanding comments. We can do that: I can share my screen and we can work through this bottom-up, or we can divide and conquer. So, ahead of that, if you feel you have a particular inclination or feel very energized around tying this up, start to finish, it would be great to have you speak up or raise your hand. We're looking roughly for three people, could be more. I see Alex Floyd Marshall. Thank you. Well, hey, guys. I am curious, do we want folks who have already contributed to be one of these three reviewers, or should we get outsiders? Do we have outsiders is actually maybe the first question. Is there somebody we could rope into this? I'm thinking we could benefit from someone who hasn't been close to it and is looking at it with fresh eyes. Yeah, I probably have blinders. Okay, not to say Alex just volunteered and we're throwing that in the trash. I'm good if it's us initially. I do think it would be good to have outsiders as well read it, just to see. I mean, I think actually if we start today just identifying three people, and I'll gladly stand up to be one of those reviewers, I don't mind that at all, and just read it from top to bottom and make sure that it's sensible, I'm down for that, but I think we should in addition have people outside read it. And we will see: CNCF will give their editing team the paper and they are.
Even before that, what if we can get just one external person to read it now and give us really fast feedback, so that we can see if there's something completely lost on Alex, me, John, whoever ends up being one of the full readers? Is that possible? Like writers for different open source projects that might have the cycles today. Let me do that. Anyone else in mind? Feel free to also share with them. Yeah, I can maybe rope in a couple of folks; I could see if I could put this on the weekend reading list. Okay, fantastic. Yeah, and if you're taking this up, really look for that consistent narrative, that one voice. Make sure that expressions, jargon, tone, etc. are consistent. Marina, I've heard from you some things that made me think you'd want to take up part of that. I don't want to throw you at it, but are you happy to help out with that? Yeah. Awesome. And if there are any others, do not feel any restraint; we don't need to cap this at three. Three is a good working number, but feel free to reach out to these folks if you want to assist with that as well. Awesome, so we can check mark that one. What else? Let's go. Coming back, are we coming back to appendix one? Yeah. So, first off, before locking it to these three people, I think we're going to need to push out the schedule for a week, because there are plenty of comments, there's your appendix one, and there are some other things here and there that are not quite there, like, to Michael's point, reshuffling of things before the team of three do their run-through. Let's see, one sec. I'm not neglecting you. You're the first comment bottom-up. And we'll revisit this as part of the discussion. But that's okay. I mean, I'm just wondering whether I should stay on the meeting or go off and continue to work on it.
I need to do that because some of the stuff is in bullet points, like containers as build workers and the build scripts that use containers. Yeah. You know what, how about I do that: we can leave appendix one, and then I'll work on it some more, and maybe come back next week and take a look at it. Do you have any open questions for the team or requests for assistance that will equip you better to work on this, or do you feel pretty good about working on it some more? So I would like the folks who created the build workers stuff to take a look at containers as build workers. Other than that, I think I'm pretty okay with it. Mike expressed interest in looking at these recommendations. But yeah, maybe he'll get to it much later. No, actually, I should address Faisal's comment here. So Faisal asked whether we should include example Dockerfiles that follow these. What are the group's feelings about that? I think we can link a GitHub file right in the appendix, maybe something like that, hyperlinked to any open source GitHub projects that follow any of these recommendations. Yeah, the problem with examples that I see is that if we link it, then we need to make sure that they are up to date. And also people are just going to copy and use it, just like on GitHub and Stack Overflow. So we're kind of responsible for that recommendation, so I'm not sure if that would be a good idea. No, I was recommending more like creating a personal project. We can't guarantee someone won't change something in the future, right, so maybe we can have an example project or something, and they put that reference in, so you have a guarantee that you are not going to change anything, right? Wasn't there an effort, Vinod, to do exactly that as part of this white paper, to have something that we can point to as being like, this just takes our white paper and applies the practices that we recommend?
I do seem to recall that. I don't know if that effort got lost, but I remember we talked about it at least initially. Yeah, I don't know. It'd be a great proof of concept. I mean, I'm reading a passing reference to something like that in one of the sections, maybe the introduction or something, so I think it was definitely in mind when the project was started, but I haven't heard anything about it since. It's a great idea; we can host it in the SIG Security repo and make it like a companion reference or something like that. The challenge, like, we all think it's great, the challenge is getting someone to commit to do it and produce it and have someone else review it. Yeah, internal to the company we have examples. That's okay because we know what our pipeline looks like, and we're able to provide examples, but if you were to put something out there in the public, I don't really know how that information is going to be used or abused. I don't want to take responsibility for that. I had a bent on this, actually, when I first started getting involved here. It happened to correlate with the time when I hadn't visited Flask in years, and I wanted to see how the 2021 way of doing Flask development worked, and I was like, maybe I can use this. It's just a simple CRUD app; there's nothing special about it, and I was like, maybe I can use this to show off those pipeline pieces, the actual software supply chain features that I don't get to work with normally. You know, I could just take off. The cookiecutter already is containerized; the entire thing is very straightforward. It doesn't matter what the app does; the functionality doesn't matter. It's really, are we doing the proper things in the pipeline? The cookiecutter comes with all the unit testing.
What I would be adding would be the container-specific security, like signing, and then going through and showing the different configurations for working in GitHub. And I hate providing screenshots as documentation of that. Unfortunately, when we're talking about project-level things like this, how else would you demonstrate it unless you give somebody access to the project, which we're not going to do for everybody who reads the paper? And maybe this is a secondary blog post or something that comes out later. I don't think we should conflate that with the actual white paper; I don't think that's normal. Let's make it a stretch goal. If anyone has time, sanitize something and share it, be it a screenshot or an actual template; that would be awesome. I'll try to get something. You're the man. Thank you. Nisha, how are you feeling, do you have other open questions before we move further up? No, I think I'm good now. This is awesome, by the way. Thank you very much. So, what are we adding? So I'm going to drop. Thanks, everyone, for the conversation and support. Fantastic, and you know where to find us if anything comes up. I started a thread on the Slack channel and I tagged you on it. So feel free to comment there if you want to bounce ideas off someone, and we're looking for very specific feedback. Thanks. Take care, everyone. See you later. Faisal, this seems like a formatting comment. Let me think. I don't know if it's a good use of everyone's time that I just go comment by comment. But maybe we all want to break out and do that, like try to take five comments each, at least those that can be resolved. Some of them are going to be more than just clicking the checkbox, right, and might require some actual editing. Can I resolve my comments? Say that again. Can I resolve my comments? I mean, I will have to edit it, right?
Yes, the one I was discussing with Nisha about SPDX, right, so I put it as a comment; maybe I will go and edit it instead of leaving it as a comment. Go for it. Yeah, I can do that. Richard, would it be good, now that we mention SPDX, to do that sample in SPDX format? Yeah, probably, yeah. I don't see a problem with that. Because you're going to use that as a reference, right? Isn't that the whole idea? Can you repeat that, Richard, sorry? Sorry, let me just make sure I'm getting your request here. We do want to have an example with SPDX as the actual display format, so that we have something to refer to. Is that the question? So, sorry, I think it was before you joined. There were a couple of lines that were talking about SPDX 3, which is not ready yet, so it was kind of recommending SPDX over CycloneDX, saying that SPDX 3 in the future will have something like this. So I discussed with Nisha and she agreed that we can remove it because it's not the current state of SPDX. So that's what I was saying. Yeah, so that gets to the question of what we recommend. It's just like linking to a GitHub project at that point: if we specify a particular version or tool to go with, it dates us real fast. Right. Yeah. Whereas the whole idea that we're trying to get across is to use the general concept, and then, as of 2021 today, SPDX 3 is a good example of where you should strive to be. Is it fine to just get away with that, or are we copying it out? Not really, so SPDX 3 as a standard is not released yet, and they don't have plans to release it anytime soon. So I think that is the reason it's better to remove that particular line. It's just recommending one over another, saying that in the future it might happen, but we are not sure it is going to happen in the future standard. I think we shouldn't do that, right, unless it's there.
Yeah, okay. Yeah, I agree with that. Richard, to your question, yeah, that's what I was trying to hint at with not talking about SPDX 3, and thinking, well, what are the artifacts, if any, and what formats? It's one thing to show a sample config of a Dockerfile or a template of a Dockerfile, but an SPDX file is more something you can actually export, share, publish. And we don't need to do an end-to-end scenario for the paper, but maybe people don't know what an SPDX file is. Yeah. All right, do we have any actual artifacts as part of this paper where it shows even just an idea? I don't see any in the document, but I don't know if there are some referenced where it's like, this is what that SBOM looks like, or even just looking at the configuration settings. Yet again, I don't want this to be screenshot-documentation style, but it does help to paint the picture a little bit about what you would expect to see. We have hyperlinked both SPDX and CycloneDX in the footer, right, but those standards have both optional and mandatory things in the spec, so it is very difficult to put one form or another. That's my thought, like maybe we just direct the reader to go and read the spec and understand what is in the spec. I get it. I think both is probably good, right? A representation of what the practical implementation looks like, and then also go read up on the spec and why this matters. Yeah, we can definitely link something, I thought, yeah, but we need to. Yeah, same on the discussion with Nisha, you know, the OCI spec folks got together six years ago and saw a number of deficiencies in Docker images.
And in the runtime, and they proposed a better way of doing that, which has been somewhat realized through buildpacks, and as things continue to evolve, we want people to know of the better ways, right, or the place we're trying to arrive at. So, should we leave a conclusion like, hey, keep an eye on the development of these things that are still being advanced, like watch out for SPDX version 3, and in the near term Notary v2? I see question marks on people's faces, like, what's this guy talking about? Richard? No, sorry, I got distracted by something else, that was my question mark face. An email came across, I'm sorry, Andres. Should we leave forward-looking statements like, hey, keep your eye on this particular standard, there's a new revision underway that is going to...? My thoughts around that, right, are that we are betting on something we don't control and we can't guarantee. We don't know if Notary v2 will come out or SPDX 3 will come out, right, there are risks related to that. I don't know if we should direct somebody, saying watch out for this, but if there is some level of assurance that something will come out, yes, I think we should definitely have that. Otherwise I think it's better not to direct people in that direction. It's hard to sell a roadmap, right, because there are no guarantees for those things; there are so many factors that those projects may not get around to certain things. Let's hope not, but maybe say that there are active improvements, like the state of the art for software supply chain is evolving. I think it's fine to put in more. I mean, we are already mentioning a lot of current projects and standards like in-toto and Notary and TUF. And those things are going to change too as the paper evolves, or as time goes by.
So I don't know, I think it's fine to. I think if we're saying, you know, keep an eye out for this project to come out with this new feature or set of features, if anything that may provide a little extra push behind some of those projects, I would think. Totally. One thing I'm particularly energized about, that I don't feel I can actually write about because I don't know any implementation for it, is the use of secure enclaves or virtual secure enclaves, so you can sign and keys never leave the machine, and do multi-party secure computation of things and have any signature threshold you want. The different building blocks exist, like you have TEEs, you have BSE, and you could do those things type to runners, but I just don't know something to reference for it. So things will converge over time, but not quite there yet. And also we need to consider different kinds, right? I mean, if you guys noticed the recent sigstore, right, they have an approach without even focusing on long-lived private keys; they just use short-lived signing stuff and bind the signature to an identity of a developer or something like that. So there can be different methods and different ways to do the stuff. Yeah. And like with sigstore, I think you could really enhance that with multi-party computation, like no one really has the keys, because what sigstore places trust in is proof of you having your email. And I hope they built enough into Google auth that you can have MFA, but if someone has your email, I'm like, well, it's a public ledger, so if there's a compromise it's going to be pretty obvious, and there's a point in time. But you want to avoid getting to the compromise in the first place rather than saying, oh, it's all transparent, we know when it happens. Cool, so I'm rambling. We have five minutes to go.
I will push out the schedule for a week. So, while we haven't kicked off, like Richard, Alex, Marina, go and start familiarizing yourselves with the bulk of the content, as you might have been peeking into particular sections. As I said, I will try to get some tech writers who haven't seen this before. Richard, if you could reach out to your folks as well, that'd be awesome. Anything else before we go that anyone has? Yeah, so I have a thought on restricting the editing capability at this stage. I think we shouldn't allow some random anonymous people to come and edit, right? I think we are almost near to the completion phase, maybe. And I think I should also discuss with Jonathan, because I think he's the author of the document, right? Currently anyone with the link can edit; maybe we can restrict at this point to the working group members only, and if someone wants to have any access they can request the access or something, I don't know. Or, you know, maybe we can leave the comments and other things open for everybody with the link, but just not editing. It is very difficult to, you know, track who actually edited stuff and to find out the details, or at least for me; I don't know Google Docs that well, so I don't know, you guys' thoughts. Let me just say back to you what I think I understood you're saying: you would like to restrict access to the document to just those who have participated on it so far. You wouldn't like other people coming in at this point and doing any work. So, but no, when I talk about getting external folks to do this, I'm not saying they'd come in and put comments in our Google Doc. In fact, I would actually export a PDF and be like, hey, read this and tell me, does it make sense to you, are you offended, like give me your, you know, feedback. I'm not... I don't want... We can't do editing by committee. It's a public document now; anybody, I could just pass the link to anybody and they'd be in there on it, but I mean.
No, that's not... when I say have somebody external read it, it wouldn't be to find the grammar issues; it'd be, does this have, you know, a cohesive vision. I would want to do my initial review first, too. If I feel confused by it, clearly I'm not going to go and try to get somebody else to try to sit through it. Yeah, thanks. Sorry to interrupt. I think I didn't explain what I wanted to say clearly. Like, the current permission of the document, right: anyone with the link can go and add themselves as an editor. Okay, so that means anyone can come and join it, which makes it very difficult to keep track of who edited, and anonymous edits and things like that; there are so many problems like that. But, you know, I was just talking about that editing capability; we can still leave the comments and, you know, other options like commenter and viewer for the public, right? Like anyone can come and comment instead of editing the document. That's what I was thinking: should it be restricted, or should we just leave it as of now? So you're talking about Google Docs' lack of audit capabilities or tracing who changed something, and you feel there are particular sections of the text that you would like to remain as they are, and if someone changes them you would like to know who did that and why. Yeah, I mean, there can even be people who just find this link randomly, you know; they might be expecting that this is the initial stage of the document and they may come and add a whole bunch of things, like a hundred pages or something like that. That's what I was trying to avoid. Maybe we need to make sure that they will come through the Slack channels and meetings, or at least they will have some context before going and jumping into editing, right? So I think that's what I was trying to avoid: people, last minute, you know, coming in and editing a whole bunch of stuff.
So I think it's time to make a copy, but still, with the version control that exists we can roll back to the current state if we see changes introduced we don't like, and there will be the history of who did it. We can make the recommendation to Jonathan; I don't know if I have ownership of the doc to change the sharing rights. Yeah, I don't. So, and it's already late in the UK; I doubt we're going to grab him before Monday, though he might check Slack. Yeah, feel free to address that with him. I wouldn't tighten it too much; this is like an open collaborative knowledge production thing, but thank you. Oh, Jonathan, I'm sorry, we just summoned you. We were saying your name. Sometimes it works. What can I say? It's like, all you need to do is just shout in the Zoom; I'm always there, day or night. So, John, we were talking about the permission of the document at this stage, right? I was proposing, should we leave it as "edit for anyone with the link" at this point of this document? Because, you know, someone might find this link somewhere online or in their chat and they may be thinking that it might be the initial state of the document and come and add a bunch of things. Maybe we can add all the working group members as default editors, or if someone needs new editing permission we can invite them, we can add them, and leave the comments and the view public, right? So anyone can come and, you know, suggest something or things like that. That's what I was asking the working group members' opinion on. Yeah, any thoughts on that? I'm fine with that, but how have people seen this working in the past at this particular stage? When you were doing the other work, is that, you know, around this point, do you get to the same thing? It was pretty much kept under wraps, so those who didn't know that the work was going on, I don't know where they'd find the link, right.
I think our echo chamber of SIG Security is the extent that folks know about this; we haven't necessarily publicly advertised it. I think the concern comes from: we suggested running it by final readers and getting their input. I think there's value in that. At the same time, authors might want to protect the integrity of their content and not have someone with no context or familiarity come and scratch the text apart, right? So we want to have version control, understand why they did it, what is it that they're suggesting. But I think, to be on point, we can just tell people, hey, if you're going to make edits, don't make edits directly; leave comments, leave suggestions, or make a copy of the doc, work off that copy, and then we can compare one to the other. So there are workarounds. Richard, am I voicing the defense correctly? Am I not misrepresenting? No, I think, you know, that's in line with what I was imagining. Okay. So, how do you feel? So it's fine if we leave it open and make it very direct, anyone editing. How about we change the contributing piece? There's the contributing bold item; maybe we change the verbiage around that. Fair. And we're over time, but Jonathan, I can give you a run-through of what we did over the last hour. There are a few outstanding sections that still require work. We're going to continue pushing out the schedule a week, particularly the appendix on containers; glossaries and complete content need to be shuffled around. We did get three people to sign up, Marina, Richard, and Alex, to give it the start-through-finish comb and give it a consistent voice. I'm sorry, it's just dawned on me we're now late only. I was wondering if daylight savings got you on this one, John. The light bulb moment has just gone off. Sorry we're late. Hello, how are you doing? Did you have a good meeting?
We had an excellent meeting. Excellent. Time space is always eventually consistent across the mansion. There you go. There you go. Okay, apologies for that; I'm very fortunate. Well, the good news is I've got another hour with a couple of the teams, continue on, I guess. I'm sorry. And so let me change the contribution thing; that's fair enough. But how did you get on over the last hour? I'll let other folks speak to it. Right. Alex. I think we've done well. We have a poll in the Slack channel on whether to go bullet points or paragraphs for the executive summary, so feel free to chime in there, and that will resolve basically all of those suggestions and comments in the executive summary in one move once we make a decision on that. There's still quite a lot of comments in the doc. One of the things we were going to do, or I was going to do, is go through from sort of midway down and start finishing them off, or accepting and rejecting kind of en masse. Right. And we're each going to try to tackle a few of those, ideally five each, to divide and conquer and not leave it all on you. Yeah. Some of those comments require more than a check or an X. Yeah. Yeah. I think there were a couple where last week we were talking about actually adding data to the appendix, and one of the things that we suggested was, if there's a fairly significant chunk of additional content you want to write, okay, let's sort of update that document appropriately, but if you want to take it and add that massive additional content, take it to an appendix. If you can get that in time, great; if you don't, then, you know, it's perhaps for an additional version, or a reference to an external document, so that you don't end up, you know, rewriting half the document right in the middle of it at this point.
Yeah, one other thing that came up is we talked initially about providing resources and references to config files, manifests. With appendix one, that isn't containers, it talks about Dockerfiles. We had a discussion of whether buildpacks should fit in there, and there's some contention around, well, how effectively can you achieve reproducible results across multi-stage builds with either of these things. There's that part, but then the other part is, should we be providing a Dockerfile here, should we be providing an SPDX file to show what an actual SBOM is and provide the look and feel for it? Yeah, he's going to try to do that, best effort. It is a stretch assignment; we could create a repo under CNCF slash security for any material to the white paper. But yeah, we did mark it as, hey, we don't need to get to this; it'll be really nice to have. Yeah, material, right. I was just reading also through Emily's suggestions on the single-voice narrative. Was that discussed, about getting a couple of volunteers to go through? Yeah. Have we identified those volunteers? Yes. I know you mentioned... I'm sure, yeah, I volunteered to be one of the people. Yeah. Cool. Okay. Cool. All right. Good. Okay, cool. I guess it's already over time, right, so I'm going to go through the back end of the document and probably reach out to a couple of the other guys as well and usefully use the rest of that hour and update calendars and such. Okay. Yeah, overall everyone expressed feeling content with the state of things, like people are happy, content, and not content. Let me be... English is my second language, full disclosure. I think we have a huge amount of good detail in here; it just needs a chunk of polishing, I think, and editing. And I think we'll get there. Yeah. Okay, cool. Between reshuffling and, yeah, one or two passes. Yeah, that'll get us there.
Yeah, we got the softness, which... you don't want a super fluffy white paper with zero technical substance to it. Exactly. All right, good. This is the fastest meeting I've had all week. I hope the rest of your week goes as well. Indeed. All right. Anything else we need to cover? It sounds like you already have. Nope. All right. I know, how do we turn the white paper into like an ultimate hacking championship as an area? I don't know. I think, yeah, we'll have to figure it out. I think we have some scenarios on supply chain already that Andrew wrote. But yeah, we can think about it so that we can promote that as well during the city. Cool. Awesome. Aditya, from your perspective, how well does this stack rank against an academic paper? Does it meet, like, is the rigor enough, or do you think this would totally fall flat from peer-review scrutiny in academia? Aditya, or Marina. I actually don't know how that would work at all; I think Marina's probably a better person to answer that. I'm kind of new to the whole academic scene. Yeah, I think it's just a different format, really. But I think that, content-wise, it would be good. It's just the structure and format and all those things that are different, different styles. Yeah, we would need to repurpose it for that. Yeah, I think we need a lot more references to back up the paper for academia and stuff. Yeah, the content columns and have the little diagrams and paragraphs. That's pretty cool, getting the graphics in, right; that's pretty awesome. Yeah, totally. Cool. Catch you all next week, I guess, right? And perhaps more in the chat. All right, thanks everyone. Thanks. Thanks. No sweat about it. Hopefully the annoying part is not like the awkward social circle that I was doing. No, it's all good.
It's all good, because quite a few of us were stuck in another call actually, which was about similar sorts of topics. So we should have an hour to focus on this, which is quite decent. And I think a couple of people have actually reached out to me to say again that over the weekend they're going to be focusing on it, which is reasonable. So I think we've got a lot of good content in there; I do think it needs some pretty heavy editing. So we'll definitely shoot through that. So that's reasonable. Yeah, one thing I added, and hoped to see more of incorporated, is nascent and emerging technologies, but it seems the consensus was like, well, let's talk about tried and proven, and what's either openly available or commercially available. Like, we talked about virtual secure enclaves and using multi-party computation for signature thresholds, and all those things, like even talking about SPDX 3, Notary v2. But we did discuss that right at one of the early stages. And I think one of the things that we started to split out was, look, we can go into the future state, but then it gets into more of a debate and more of a sort of awareness campaign about some of the new technologies that are coming online, which would be good to do, right, and especially if we identify gaps in the current infrastructure. But I think one of the benefits of doing a paper like this is that, look, there isn't anywhere else where it actually strings together that level of advice and guidance that gives you that real clear kind of what to do just today, right? And I think that was, you know, a lot of us thought that, look, at least if we can focus on what we're trying to do today, or what's capable of being done just sort of on the edge, perhaps a little bit close to some new functionality but not bleeding edge, then at least we have an artifact that someone can pick up and actually use.
And then, you know, we do this and then perhaps we go on, you know, we want to do the architecture and implementation and such. We also have the ability to, you know, reference this article with that, right? You know, phase two of this could be fixing gap A, gap B, and doing some really cool sort of research-type capabilities. I think a lot of us are sort of chomping at the bit to really go out and get some of the new cool technology after completing this document. Yeah, it's a slippery slope with future areas, as by nature it's speculative, right? You're speculating on roadmaps and availability of things. Yeah, maybe there's like an addendum. I can try to take a stab at that, saying, hey, at the time of this writing there are proposals, right, there are RFCs. Yeah, a spec that was written six years ago, and a lot of those capabilities haven't been realized or quite manifested, but these are the things to watch over time, not an exclusive list. There are more, but from our vantage point in CNCF these are the projects that we track. It's reasonable, right? I mean, yeah, I think fair enough, as long as, you know, we caveat that with "at the moment" and dot dot dot, right? But I think that could be good to sort of seed some of those conversations. But I think that's definitely one where we were going to start opening up a lot of debate about how we can put this stuff together. Yeah. Yeah, we can then do that: software supply chain 2030, the future. So we're still going to be tackling this for a while, right? So it's a good start. All right, excellent. Cool, all right, well, thanks for sharing the call and going through it. I'll watch the video and spend some time with a couple of guys getting together and we'll go through this doc today. Fantastic. All right, man. Bye.