So, if you haven't heard of Ortelius before, we are a unified catalog of what I'd like to call supply chain evidence. We're an incubating project at the CD Foundation and, you know, our mission really is to make supply chain and microservices a lot easier. We're just going to go through this agenda. We have some time to really dig in to some of the work that we're doing. I'm Tracy Ragan. I would call myself the community organizer. I'm going to cover working groups, the recognition program, and what we call our summit. Steve Taylor is going to review some of the architecture that we're working on. And then we're going to introduce Andy Block and the Emporous project; we did an announcement yesterday about the Emporous project becoming a sub-project of Ortelius. So, Ortelius is all about gathering data around supply chain evidence. You know, ultimately our dream is to have so much data that we can actually start doing some intelligence processing. You can't do AI without data, so we can never build an AI system around DevOps without data. So, we want to pull the data in so that this kind of information can start being leveraged and used to build smarter systems. And what happens is that we're pulling the data in from every workflow, and in a microservices environment, every container has a workflow. So, because we're decoupling what we have done in the past from a model of the microservice architecture, this kind of data becomes even more distributed and locked in these containers. Ortelius addresses this log visibility. It really addresses the question that 65 to 80 percent of the companies are asking, and that is: show me the logs, show me the SBOM, show me the CVEs. I need to have this data exposed. We would love to have more people as contributors. We'd love to have more enterprise companies telling us what they are facing when it comes to finding this data and putting it to work. So, become a contributor.
If you've ever thought about joining an open source community, I can tell you Ortelius is a fun one to join. We have a really, really great time. And it really will help you improve your coding skills. We're doing microservices. We're doing blockchain. It helps you build your brand. Simon Safter, who is a CDF contributor. Sasha Wharton hadn't done anything in open source, and there he is up there. He'll tell you how much he's learned through this process. We do have a recognition program; Garima Bajpai, who is at the conference, built this for us. We have three groups. We have ambassadors, we have champions, and we have the all-important legend. Ambassadors are individuals who do outreach for us. Champions are contributors, and legends are awarded for work in both. And we have our leaderboard: Brad McCoy, Utkarsh Sharma, and Sergio Canales. They are all on the leaderboard for champions and legends. Every six months, we do this crazy thing. It's really cheesy. It is fun. It's called our visionary summit. And we do have some amazing presentations, so I don't want to say it's too cheesy. But we do it on Twitch. We play games. We show videos of aliens. So we make it as fun as possible, and we do lightning talks. We first start with our beer and donuts. And the beer and donuts means we have people from all over the world, so for some it's at night, and some people are in the morning. We do our awards, and then we have keynotes that speak live. And then after that, we jump over to Twitch, and we show all of our recordings, and we play games, and we have a great time. So if you've never presented before, this is a really good place to learn to present. If you have some really important stuff that you want to get out, something on your mind, it's a good place to present. If you've learned something that you want to share, this is a good place to present.
And one of the things is that, even though it's, like Tracy says, cheesy, it helps when you are able to show recordings of yourself giving these 10-minute lightning talks. We post them out to YouTube and stuff like that. We were able to actually take one of our members who did a lightning talk, and then the following year they were able to present at KubeCon. And that actually helped them get their KubeCon spot, by having that out there underneath an open source project. So it's one of those things: just come and hang out. It's super simple. I mean, I'll say it right now, I'm newer to this community. In my short time working with Tracy, Steve, and the entire community, it's certainly a unique community in a good way, in a very good way. And especially if you're getting into open source and you're just getting off the ground, it's a good opportunity to use this as a venue to build your brand.

Yeah, we are one of the only open source communities at the CDF that's not being run by what I call a giant. It's not a Google project. It's not a Netflix project. It is truly a community project. And we have people from South Africa, from Chile, from Guyana, from Pakistan, from India, from Turkey, from Australia and New Zealand. So we really are a diverse community. There are challenges in doing that because of the time zones, but we do the best that we can to accommodate everyone. So it's an interesting community to be in because of the fact that we really are a true open source organization that we built from a grassroots perspective. And we've taken people that have never done a Git commit and been able to work with them and help build out our developer guides and stuff like that to actually help them do their first commit. And even if it's just for a documentation change, you'd be surprised at how terrified people are to commit something and do their first PR. It is one of the scariest things in the world to some of these folks.
And we'll help walk you through doing that. And our kind of philosophy is: you can't break it. So don't worry about it. We can always undo something. And people even fail fast. Yeah, fail fast. Hey Steve, I'm gonna hand this over to you.

All right, I got my, okay. I'm gonna put this over here, Beth for Sasha. I may get feedback when we turn this one off. So one of the things that we have here for the architecture is our current architecture, if I can zoom in on this. So one of the things with Ortelius is the original architecture. It ended up being a monolith that we started with, basically a Java application running in Tomcat. And as we got new requirements from our community, those new features were actually put into microservices. And we did it for two purposes. One, to move away from the monolith into the microservice world for maintenance. The second part was the smaller pieces, the smaller microservices, gave the developers a confined area to work on without being overly complicated at that level. So that's where we originally started out. And this is kind of like the architecture diagram of what we have going on in the monolith. So it's a monolith plus, I think, like eight microservices at this point. We did get a grant from Ripple. And let me see if I can find the next page. So we did get a grant from Ripple, and it's the XRPL project. So our new release is gonna be based on blockchain, and you actually use the ledger part of the blockchain. And the reason why that's important is because we wanna keep track of everything in an immutable fashion. So every time we create a new build and you create a new Docker image, for example, all the metadata around that has to be immutable. And we're gonna push that into the blockchain and see, from a historical perspective, what was happening in your organization.
As part of that, we're actually gonna use NFT.Storage, which is IPFS under the covers, and Filecoin to do long-term persistence of all this metadata. One of the challenging things that we ran across is the amount of redundant data that's out there. If you think about an SBOM, if you look at an SBOM, every single package in the SBOM references a license file. It also includes the whole license file in the SBOM. So instead of duplicating that into storage, we've gone through a normalization process so that we're only gonna store things once as part of that process. And with Emporous, we're gonna be taking those schemas that we have and pushing them into the Emporous registry at that level as well. So because we got this grant, we actually have bounties out there. Tracy said we have our recognition program, but also we have some money floating around. It wasn't a lot, it was $75,000, but we were one of the first organizations within the Linux Foundation to get into what's called the GitHub Sponsorship Program. So GitHub actually allows you to now pay people through their interface. And you'll see, it's confusing; it just went GA less than a month ago, but we were part of the beta program for it. The terminology is very confusing, so just reach out to me. They have a sponsorship program, but they look at it from both sides, whether you're a project sponsoring somebody or a developer sponsoring a project. So the terminology gets mixed in their world and it's a little bit tricky to get set up, but we are able to pay people throughout the world. So we're actually paying folks in South Africa, Ghana, Pakistan and stuff like that, and in the States. Behind the scenes, it uses Stripe for the payment as part of the process. So if you go out to our repo, the way we've organized everything in Ortelius is the Ortelius repo, the main repo, is where we have all of our issues.
So if you're looking for something, look in that repository. And you can see here, we've actually tagged things for a bounty. Basically, we've broken it down, and the bounty is in 15-minute increments, and we'll say, okay, this is gonna take two hours, so it's a bounty of eight. And that's gonna be equivalent to, I can't remember, I think it's $55 an hour or $65 an hour that you get paid. Not bad. But we go through it and do that, and as part of the process, after the PR gets reviewed and merged, the team signs off on whether you get paid or not. So it's not up to me, it's up to the team to decide whether you get paid as part of that process. So check that out. And we're constantly adding stuff to that, so it will change as we go through and keep on doing the development. And as part of that, we're going to be bringing in, like I said, the Emporous sub-project, and Andy is gonna talk to you about exactly what that is and some of the vision that we have between Ortelius and Emporous. All yours, Andy.

All right, all yours. All right, everyone. So we know that Ortelius is really meant to be able to collect all of our supply chain assets, but one of the hardest parts, you know, you talk about data. First of all, we have this large amount of data, but where is that data coming from? How do we discover it? Where is it? How do we relate to it? Is it manual? Do we need to actually perform some manual actions to collect this data? Or can we provide or make use of a facility to help us better organize and understand what's in our entire supply chain ecosystem? And that's really what the Emporous project is meant to do: to help satisfy not only this use case, but to provide a way to organize different, disparate types of data. And this project makes use of a concept called OCI artifacts. How many of you have ever heard of OCI artifacts? Raise your hand. All right, we'll have a little bit of a 101 really fast. No problem.
How many of you use container images? Did you know that you can put other things in a container registry like Docker Hub and Quay and GitHub Container Registry aside from container images? And what can you put in there? Helm charts, Wasm modules, even binary files. Anything. So what we're doing is we're tapping into that ecosystem and being able to store and add metadata to these artifacts and then aggregate the data together. And this project started out of a bunch of us at Red Hat (Red Hat is here). And we wanted to provide a capability for the community because Red Hat, being good stewards in the community, we wanna be able to make it easier to find data. Data is the hardest thing out there. Aside from just collecting it, how do we actually make use of it? I do a lot of work in the supply chain space, and right now SBOMs are all the thing. But how do you actually use an SBOM? Nobody really knows it; we don't know how to make it. How do you use it? Using it is the hardest part. What Emporous provides us an opportunity to do is to add additional metadata to various parts of our supply chain assets, everything from SBOMs to container images; anything that you have as part of your secure software supply chain, you can add associations to it through metadata that's stored on these artifacts. And Emporous provides a number of capabilities to help you understand where they come from and what's part of them. So some of the capabilities that are provided by Emporous are the ability to make use of enhanced metadata. I wanna go ahead and tag some specific information on my artifacts, so if I have a container image, I might wanna add a couple of additional values. In the OCI community, these are enabled through annotations. So like Helm charts have annotations, Kubernetes manifests have annotations, you can put annotations on these OCI artifacts, and then Emporous will make use of the existing Docker API.
I know Docker, not everyone uses Docker, right? Docker, you could use CRI-O, you could use anything you want, but in the end, they're still using the Docker API. Docker created the V2 API many years ago. And the work that not only myself but others in the community have done around OCI has been really focused on how we make life easier when working with OCI artifacts. OCI artifacts is still very, very young, so it's coming along. There's a new specification in OCI that's actually gonna make it a little easier to work with artifacts. It's currently in release candidate; hopefully it'll get to a GA soon. The community has a lot of good ambitions. There's some controversy, so we're just going over and dotting the i's and crossing the t's. In addition, instead of having to talk to all your different disparate sources for your supply chain assets, Emporous makes use of a single API that you can call, and it's able to understand all these different disparate components. And that makes it easier for you to manage your entire software supply chain. The relationships are very important, so it understands through these annotations all the different relationships that you have within your different supply chain assets. Does an SBOM relate to a container image? Does one relate to the other? What Emporous provides is that single API for you to then manage your entire fleet of software assets. And really, the most important thing is just providing visibility. I work with organizations across the globe and I work with individuals, not only from deep in the tech, but also at the C level. And as much as I love tech, the C levels don't necessarily love to see all the ones and zeros. They want to see pretty pictures. And what this will provide is the ability to provide new understanding about what's in your entire software supply chain.
So this is just a brief introduction of what Emporous can at least provide from its inherent capabilities. And by joining the Ortelius project, we're able to join forces to provide new sets of capabilities to make your software supply chain provenance even stronger. Any questions? I know obviously we kind of flew through that, but at least those on the Emporous project are thrilled to be able to join this community. In just our short amount of time we've been welcomed with open arms. Honestly, it's kind of scary, but in a good way. I love when the community is just open to seeing new contributions, new ways of working, and just being able to see how we can work together to really emphasize the security and capabilities that we're able to provide. So thanks again, Tracy, Steve, and the entire community. You guys joined our community calls and it's like, oh my goodness gracious. You're excited. That's a good thing. That's a good thing. Really appreciate it, and thank you very much. Looking forward to a lot of fun together. Any quick questions about Emporous? Yeah, sure.

Is it a federated type of viewpoint, or is it more like Docker Hub, a single type of access point?

So you will go through a single point to start out with, but it can go ahead and talk to other components because you add the additional metadata of where that source happens to be located.

Got it.

So I can say, okay, my collection is gonna be stored within Docker Hub, for example. It can talk to Quay, it can go ahead and talk to other APIs. Obviously it's something you can communicate with, but aside from that, yes.

Got it. I have a set of some other objects. I have that set of things. How do I get that into Emporous? Or what is the best way?

So we have a binary that allows you to use that to create this, what we have right now called the collection, which allows you to create these relationships to these different components.
So we have a CLI-based tool that helps build that graph out.

So if I go by my thing, maybe the CLI tool will kind of convert it into...

Exactly, and that's how we currently have it. And we're obviously very, very new. This is a very new project. And we're looking at new use cases, especially around the work that you have all done here as part of this, being able to see how we can take the work that we've done thus far and really start to broaden its sets of capabilities. Right now, it's simply a command line tool that helps build that out. I always struggle, because everything is compared to Kubernetes. I love Kubernetes. Kubernetes is kind of the bread and butter of distributed computing today, but many organizations I work with don't have Kubernetes. But what do they typically have, though? Most people, most organizations, have a container registry of some sort, whether it be a dedicated one, either Harbor, Quay, you name it, or they're gonna use a tool like JFrog Artifactory or Nexus that has that capability built in. They can usually enable that, and they can then make use of these OCI artifacts. Because most container registries today support OCI artifacts. I can't think of any that don't support it in some form or another. Some do only allow certain types of OCI artifacts. For example, Quay.io only accepts, I think, five or six different types. I think there was a sort of thing. It still is. So Quay.io is still limited; if you have the on-premise version, you can customize it. Docker Hub's the same way, it only has a certain set as well. But the idea is that, making use of these OCI artifacts, I see it actually expanding to be more mainstream. No, please.

And I think of this the wrong way, we have processes on the board. Yeah. Something that models a VM, something that models a process running on that VM, something that models an application running on that VM, something that models a user, and so on and so forth.
Would that be the right data to store in Emporous or not?

No, no, right now we're just focused on files, so certain files, so it could be like an SBOM, for example, it could be a container image, and then being able to associate metadata to that. That could be something down the road that we could look into, but right now that's not what the current capabilities are. Yes. So nothing's inherent to it, but you can apply the same type of modeling to it. So looking at SLSA, not only SLSA, but in-toto attestations, that's another thing you can apply to some of this metadata.

Yeah, so think of it as a place that we'll be able to take the supply chain information that we gather and put it somewhere so we can then query it down the road. We just wanna provide a way that you can then expand it later on. You build this collection, and then from that you're able to associate all your different components that are part of your software supply chain. So like in the ArcGIS world, one of the important parts is the provenance, the signatures, all that information that you want to be able to use. So when you do download an artifact, you can look at it and do the verification at that point. So you have to know where things came from, how they're signed, those types of things, so you can actually do something with it. Once again, we're just getting started. We're excited about it because we did the first step by joining the Ortelius community. We're able to reach the next level for us to expand. We have a lot of ideas, but we haven't gotten a chance to actually execute upon them, and by joining forces, we're able to see some of the work that you have done in the community thus far and see how we can supercharge each other's initiatives. So reach out to me. I'm happy to answer anything.
If you wanna obviously go through more of the community channel, even better, so we can have the entire community part of it, but at least reach out to me if you ever wanna have a chat.

So in Ortelius, our main programming language, with the new blockchain stuff I was talking about that we're gonna be implementing, is Go. We did try Python, but a lot of the libraries that we needed around IPFS just didn't exist and we didn't feel like rewriting them. So we actually did a pivot over to Golang. Like I said, the front end is gonna be Svelte or Riot.js, one of those two frameworks that we're gonna be using for the front end part. So mainly JavaScript. We do have a bunch of DevOps pieces. So we have all our GitHub Actions, our Docker stuff. Like I said earlier in one of my other sessions, we run everything on Azure Kubernetes. We have documentation and testing that needs to happen. And you guys are Golang as well. We're Golang based. You're Golang as well. So if you don't have any experience in Golang, reach out to us, we'll help teach you. Sasha, who's on the Zoom from South Africa, he's been doing a bunch of our DevOps stuff around Terraform, our Helm charts, things like that. Sasha built out Ortelius in a box. So how do you get up and going, running on Kind or Killercoda, on those fronts? So we're looking at taking, now it's official, we're gonna be working on standing up Emporous as well under one of those platforms so people can kick the tires and help us contribute. It will not be long before you can get your hands on it. I promise. We promise.

So is the blockchain gonna?

Yeah, so in Ortelius, everything is a pointer, basically. There are very few artifacts that we actually do store. So when we talk about a version of a component, a version of a component could reference a Docker image. It could reference a JAR file or WAR file. That's often in Artifactory, for example.
Because of that model, we can just point to other things. And one of the things we'd be pointing to is the OCI registry on where to find things. And that's the beauty of it: we're not trying to reinvent the wheel, but we wanna put all the links together to let you navigate how something, this artifact, what do you know about it? Well, I know it's sitting over in Emporous, and I know the signature is in in-toto. And it was signed over there, or the provenance is coming from this Git repo in this build system. So all that information is being linked together so you can actually navigate and do something with it. Now that's where the fun part comes from. Once we get this basic data collection out there at scale, now we can start doing OPA and AI against all that data to make decisions and make the DevOps process intelligent. So right now, the DevOps pipeline is not very smart. You say go, it says, okay, I'll go. We gotta put the checks and balances in place to make it intelligent and allow it to get to the point where it can actually self-heal when a pipeline breaks. How do I go, I went through Argo, I got to the point where it failed on the blue-green, now what do we do from there? Who do I talk to? Do we let it sit there in the blue status for a couple of hours, or do we need to back this thing out really quick? That type of thing, those types of scenarios will come about with the data that we're collecting and being able to act upon them automatically. Any questions? I know we're kind of just rambling here. That's me. And rambling's a good thing though. It gives food for thought, right? Yeah. Okay, so I'm gonna see how many developers join. You know you want to, we have candy. So like Tracy said, we have our visionary summit coming up the 16th, or seventeenth? A week from Friday. A week from Friday.
So you can actually find us on Twitch, or just go out to the, like I was saying in one of our previous meetings, all of our meetings and stuff are out on the CDF events calendar. So if you go out to the CDF website and you go to the shared calendar, you'll see all of our meeting time slots out there. So for Ortelius, today, what was today, Tuesday? Yeah. Today we had our outreach meeting. Oh yeah, that was yesterday. So yesterday we had our outreach meeting. We're supposed to have an architecture meeting this Thursday, but I'm flying. So we may postpone that. Otherwise, Utkarsh from India will run that one. And then the following Monday, we're gonna have our general meeting for Ortelius. And then you guys are on Wednesdays. Yeah, we're Wednesday at 2 p.m. Eastern. Yeah. So we're gonna be working with the Emporous group as well, getting everything restructured. We try to be time zone friendly. For a point, we did have Australia on Thursday afternoons here in the States. And we're gonna come back after this whole thing here at OpenSSF and Open Source Summit and talk to Brad, who's down in Australia, to see if we can get that meeting back up and going again. So we try to be time zone friendly. We are in Discord versus Slack. So take that; we find it a lot easier to communicate on Discord. Anything else I forgot? All right, well thank you all for coming. Like I said, I expect about a dozen people to be added to the repo here with their permissions. So please come join us. And if you have any questions, we'll be around to chat about the project. Anything else? Thank you.