►
Description
In this call, MarkM and Mathieu deliver a new understanding about how Records and Tuples should be new language primitives, how this will interact with the evolution of SES to accommodate them, and the constraints on the design that are sufficient to preserve confinement invariants.
A
All
right
welcome
to
the
cess
meeting,
we're
resuming
our
conversation
on
records
and
tuples
and
we've
had
since
our.
Since
we
last
spoke.
We
we
were
stuck
on
the
matter
of
which
of
the
bad
options
we
were
on
the
table
and
on
the
work
side.
Mark
and
matthew
have
been
working
hard
to
figure
out
a
way
to
to
move
forward
so
mark.
Let's
take
it
away
so.
B
Okay,
so
I'll
get
I'll
I'll
actually
do
it
sort
of
from
my
subjective
point
of
view
on
the
record
now
and
then
and
then
we
can
proceed
from
there.
So
I
was
objecting
to
records
and
tuples
as
primitives
because
of
old
code
that
would
check
for
for
primitive
and
then
say.
Well,
if
it's
a
primitive,
it's
it's
fine.
There
can't
be
any
hidden
authority
here.
Let
it
through
and
matthew,
had
previously
raised
the
thing
about.
B
We
simply
stop
testing
for
deep
primitiveness
in
the
old
ways.
Part
of
the
records
and
tuples
proposal
is
to
provide
a
new
predicate,
which
is
needed
anyway,
for
is
this
deeply
primitive,
which
you
can't
tell
by
just
type
of
or
using
the
object,
constructor
so
every
place
that
that's
that
maintains
ses
needs
to
know.
If
something
is
primitive,
it
would
switch
to
the
new
primitive
and
only
after
it
successfully
switches
everything
over
to
the
new
primitive.
B
Would
we
stop
censoring
the
box
constructor,
and
at
that
point
we
can
accept
the
new
language
with
records
and
tuples
and
with
box
and
without
the
security
danger
so,
and
I
think
that
case
splitting
not
only
applied
one
of
the
things
I
was
very
worried
about
is
we
know
that
cess
essentially
has
been.
You
know.
The
core
assess
has
been
reinvented
several
times,
so
we
should
presume
today
that
it's
also
still
reinvented
several
times
by
people
out
there
in
the
wild
that
we
don't
know
about.
B
I
keep
coming
across
academic
papers
that
try
to
secure
javascript
and
that
rediscover
elements
of
sas
on
their
own
or
or
partially
cite
us
and
then
rediscover
other
things.
I
know
that
the
history
of
salesforce
was
caridi,
was
kind
of
reinventing
cess
just
from
the
enablers
in
javascript,
without
knowing
about
ocap
theory
just
from
from
what
it's,
what
it
seemed
like
was
possible.
B
So
the
reason
I'm
still
okay
under
that
scenario
is
anything
that
is
successfully
securing
javascript
in
assess
like
way,
must
already
have
a
white
listing
mechanism
like
this,
because
there's
enough
dangerous
other
things
that
come
in
that
need
to
be
removed
because
they're
not
on
the
white
list,
so
anything,
that's
that's
successfully.
Securing
javascript
in
a
cess-like
way
must
already
have
a
white
listing
mechanism
like
this.
So
I
think
the
same
case
splitting
applies.
C
C
C
Yeah
so
same
domain
iframe,
I'm
assuming
that
when
you
create
a
realm
in
same
domain
iframe,
I
don't
know
if
you're
censoring
all
the
apis,
all
the
globals
of
that
iframe
and
if
you
would
be
removing
the
box
constructor
in
them.
I
don't
know
if
you
ever
have
a
case
where
you
need
to
put
a
membrane
between
the
incubator,
realm
and
a
created
realm,
and
in
that
case,
is
it
possible
for
the
incubator
realm
to
create
boxes
and
pass
them
to
a
created
realm.
B
B
C
D
The
the
case
that
is
a
a
a
little
more
tricky
is
that,
assuming
that
you
could
access
the
box
prototype
method
from
the
other
rom
to
try
to
unbox
the
thing
on
the
other
end.
That
case
is
impossible,
because
when
you
create
a
membrane
and
you
try
to
access
the
box
in
one
side,
it
will
map
that
box
to
the
other
side.
So.
C
I
think
I
was
not
clear
enough
on
the
context
here.
I
I
entirely
agree.
So
this
is
what
this
is.
The
reason
I
I
said
to
be
entirely
safe.
Having
unbox
check
the
realm,
where
the
box
was
created
would
guarantee
that
the
multi-realm
use
case
like
that
would
never
be.
There
would
never
be
a
problem.
However,
this
is
a
contentious
point.
This
is
something
jordan
is
pushing
back
against
and
he
would
like
the
unbox
to
behave
to
not
do
a
realm
check.
C
D
Don't
think
so?
Okay,
I
don't
think
so
push
back
on
that
to
two
main
reasons:
the
the
one
what
you
mentioned
before,
like
we
are
in
that
scenario.
We
have
that
scenario
where,
if
the
thing
is
a
primitive,
we
don't
know
we
just
blindly
give
it
to
the
other
guy
and
the
other
guy
might
try
to
access
the
box
to
fail.
But
the
secondary
reason,
I
think,
is
more
important
is
to
have
some
coherence
with
the
shadow
realm.
D
D
Yeah
same
same
origin,
yeah,
okay,
yeah!
It's
just
that
you,
you
might
register
like
the
case
of
web
components
like
you
might
register
components
in
different
documents
and
you
might
be
able
to
instantiate
it
and
move
them
around.
But
when
you
move
them
around,
like
you
create
an
element
from
an
iframe
and
then
you
move
it
to
the
main
window,
and
this
element
now
will
do
some.
Creation
of
other
elements
is
no
longer
tied
to
the
old
iframe
anymore.
D
It's
remapped
to
the
iphone
that
received
the
thing.
So
there's
some
some
precedent
there
in
terms
of
oh,
you
must
have
the
thing
on
the
other
side
in
order
to
do
something
with
it,
which
I
think
is
fine,
but
the
the
fatal
one
is
like.
If
we
allow
that,
then
it's
just
simply
going
to
be
brock
and
foreshadow
shadow
realm,
because
in
the
shadow
round
you
never
will
be
able
to
do
that,
and
you
will
be
like
what's
going
on
here,
like
there's
a
reason
to
have
that.
D
D
B
B
So
if,
if
the
ability
to
unbox
is
local
to
a
protection
domain,
something
that's
seen
as
useful
that
you
can't
unbox
after
it's
passed
through
another
protection
domain,
then
if
we
put
the
unboxing
operation
on
the
constructor,
then
cess
can
treat
the
box
constructor
the
way
it
treats
the
date
constructor
or
the
function
constructor
as
local
to
a
compartment.
I
already
saw
on
the
thread
that
people
seem
to
that.
Mostly
people
seem
okay
with
box
dot
d
ref,
rather
than
putting
it
on
the
prototype.
People
seem
okay
with
that.
D
B
B
Within
one
realm,
but
between
different
compartments,
let's
take
the
the
date.
Constructor
is
the
the
simplest
clearest
example,
which
is
in
the
start.
Compartment
you've
got
a
fully
powerful
date,
constructor
that
still
has
date.now
on
it
as
a
static
in
other
compartments.
You
have
a
safe
date,
constructor
that
you
from
which
you
cannot
find
the
current
time.
However,
both
of
them
point
to
the
same
date,
dot
prototype
instance.
Instances
created
by
any
of
them
are
instances
that
inherit
from
the
same
date.prototype.
B
Furthermore,
the
construct,
the
the
the
inert
constructor
pattern
or
the
safe
constructor
pattern,
as
is
that
from
any
of
these
constructors,
if
you
say
date,
dot
prototype,
dot,
constructor,
the
shared
prototypes
dot,
constructor
property
only
points
back
at
the
safe
date,
so
I
so
the
the
and
and
and
for
some
things
like
function
where
there
is
no
safe
one
to
be
generally
shared,
because
the
entire
concept
of
function
is
specific
to
a
global.
Because
of
scoping,
we
put
a
inert.
B
B
They
can
have
different
dref
behaviors
as
statics
on
the
box
constructor,
but
box
dot.
Prototype
leads
to
the
same
shared
prototype
where
the
prototype
itself
has
no
draft
behavior.
So
it
should
have
no
draft
method
and
the
prototypes
dot.
Constructor
property
points
back
at
a
box,
constructor
that
is
safely
shared
and
the
only
way
to
make
it
safely
shared
across.
All
these
compartments
is
to
is,
for
its
dref
to
never
deref
anything,
because
it
has
to
be
shared
between
different
protection
domains.
D
B
But
if
you're
going
to
have
the
primitives
behavior
differ
between
realms,
then
it
then
people
will
come
to
expect
that
that
and
and
if
you're
doing
that,
in
a
way
that
people
can
use
that
to
treat
realms
as
a
protection
domain.
So
they
can
count
on
the
box
being
underefficable
from
within
a
non-origin
protection
domain.
B
C
I
mean
you
could
make
both
work,
but
conceptually
so
I
I
want
to
say
quickly,
I
I
agree
and
mark.
Actually
we
don't
you
don't
contradict
something
you
don't
reconstruct
something
we
agreed
upon
earlier
because
earlier,
when
we
discussed
this,
the
original
idea
was
to
have
books
being
equal
and
not
realm
specific
here
at
this
point,
since
they
would
only
be
able
to
contain
objects
they
to
do
to
perform
this
check.
C
B
Points
back
at
a
safe
date
that
everyone
shares
likewise
function.prototype.constructor
points
back
at
a
safe,
shareable
function,
constructor
and
the
function
constructor
is
in
order
to
be
safe
and
shareable.
That
one
has
to
only
throw
so
you
have
to
so.
The
constraint
is:
what
is
it
that
is
safe
and
compartment
independent
and
it's
okay?
If
it's
not
very
useful,
because
nobody
looks
up
the
useful
one
by
following
the
dot
constructor
property,
making
the
dot
constructor
property
lead
to
something
that's
much
less
useful.
B
B
Refuses
to
dereference
any
box,
and
as
I'm
saying
this,
I
realized
it
could
actually
be
more
permissive
than
that.
It
could
just
be
that
every
box
constructor
only
derefs
boxes,
that
it
constructs,
which
you
could
keep
track
of
with
a
weak
map
and
then
even
the
shared
one,
so
that
that's
a
possibility
for
making
it
more
permissive,
as
I'm
saying
this
out
loud,
I'm
uncomfortable
with
it,
but
even
if
it
can't
de-ref
anything,
nobody
will
care
because
nobody
finds
these
things
by
following
the
dot
constructor
property.
B
Oh,
the
object
wrapper.
That's
fine!
That's
fine,
leaving
leaving
the
the
value
of
on
the
prototype,
because
that
will
be
the
case
across.
Let's
bring
it
back
to
what
we're
generalizing
from.
If
you
create
an
object,
wrapper
on
a
primitive
in
one
realm,
including
an
object
wrapper
of
a
record
or
a
box,
and
you
pass
that
to
another
realm
and
in
the
other
realm
you,
you
do
a
box.prototype.valueof.call.
B
D
Yeah
nikola,
that's
what
what
I
was
saying
before,
like
in
a
real
case,
there's
another
way.
You
have
a
membrane
that
brings
some
guarantees
there.
You
will
never
be
able
to
get
your
hands
on
that
other
box,
prototype
or
box
method
from
the
other
from
the
other
name
in
space,
because
it
will
be
remapped
to
your
local
one
and
it
will
continue
to
throw.
E
What's
what
are
the
possibilities
of
iframe
based
systems,
not
sanitizing
the
global
as
well,
because
I
understand
you
know
the
separation
of
object
graph.
Does
that
pretty
much
always
go
hand
in
hand
with
reducing
access
to
powerful
things
like
date
and
fetch,
or
could
there
be
quite
legitimately,
people
that
are
purely
doing
object,
graph
separation,
but
no
other
security.
C
D
No,
I
I
think
I
would
say
that
keeping
the
separation
between
a
same
domain,
iframe
and
then
main
window
or
multiple
saying
the
mining
frame
is
very
very
hard.
We
haven't
found
very,
very
little
code
that
can
actually
keep
that
separation
very
clean,
and
the
objective
here
is
that
the
box
doesn't
introduce
a
new
thing
that
might
hinder
that.
D
But
again
it's
just
really
really
difficult
to
have
that
that
separation,
when
it
comes
to
errors
and
throws,
and
things
like
that,
like
people
do
crazy
things.
So
I
think
the
answer
to
that
is
we
don't
know
if
there
is
anything
out
there
in
the
world.
I
doubt
it
that
there
is
something
out
there
in
the
world
that
is
very
well
though,
and
implement,
and
then
that
has
a
clear
separation
and
it
never
leaks
anything,
and
it's
just
very
hard
to
think
about
something
like
that
in
a
same
domain
scenario,.
B
C
C
So
as
for
basically,
it
allows
you
to
pass
a
record
through
and
rely
on,
the
identity
of
the
of
the
record
through
basically
create
the
proxies
on
the
other
side
for
the
content
of
the
box
and
and
replace
them.
So
so
I
I
did
a
mental
exercise
like
few
days
ago,
and
I
looked
at
how
kerdi
and
implemented
ireland
I
it's
it's
beautiful
engineering,
it's
really
hard
to
understand
and
and
that
one
is
not.
C
I
I
looked
at
how
box
and
how
box
and
records
could
be
supported
through
that,
if
you
assume
identity
being
able
to
put
in
weak
map
and
assume
that
you
can
pass
them
through
and
and
it's
actually
fairly
easy
to
add
support
without
too
much
performance
impact.
You
can
just
pass
the
record
through
and
pass
instruction
on
on
on
for
each
content
of
the
box.
Basically,
a
deep.
C
But
since
you
don't
have
an
identity
to
do
that
again,
I'm
not
sure
what
you
can
do.
You
can't
put
those
symbols
in
in
there,
so
I'm
not
sure
how
you
can
easily
identify
where
the
holes
were
and
to
reconstruct
the
record.
On
the
other
side,
it
makes
it
really
much
harder
to
reason
about
for
the
memory.
D
I
I
I
thought
I
was
I
was
I
was
reading
your
comment.
I
was
trying
to
reason
about
this
clearly
more
advanced
mechanics
that
we
could
do
and
I
want
to
specify.
There
are
two
ways
in
which
I
see
using
records
in
a
in
a
membrane
on
top
of
of
a
shadow
realm.
The
first
one
is
to
use
it
as
an
internal
artifact
to
communicate
between
the
two
sides
of
the
membrane,
because
you
can
give
them
something
and
then
they
can
send
back
that
thing.
D
D
So
that's
just
a
very
clear
to
me
at
this
point
that
it
will
help
a
lot
right
now
we're
using
the
the
tracks
with
the
functions
and
the
callable
functions
that
put
something
in
memory
in
one
side
of
the
mem
and
the
membrane
and
on
the
other
side.
So
you
can
recollect
what
the
other
side
is
saying
about
the
objects
that
you
that
you
control,
so
we
could
do
a
lot
easier
with
boxes
through
records
on
on
the
internal
mechanics
of
the
membrane.
D
The
second
one
is:
how
can
we
efficiently
create
a
record
on
the
other
side
that
has
the
proper
boxes
and
where
those
boxes
will
have
a
proxy
of
the
value
on
the
other
side,
on
the
box
on
the
other
side,
and-
and
it
seems
that
the
the
ideas
that
you
brought
up
made
me
think
a
little
bit
more
and
the
way
we
do
it
for
objects.
Today
is
all
lazy.
D
So
I'm
just
going
to
give
you
I'm
going
to
give
the
other
side
a
reference
to
an
object,
I'm
giving
you
the
metadata
of
that
object
and
on
the
other
side,
you
create
a
proxy
and
if
the
other
side
ever
interact
with
that
proxy,
then
you
go
through
the
membrane
again
and
you
ask
what
exactly
is
the
other
side
trying
to
do
so
you
ask
for
that
particular
piece,
and
then
you
reconstruct
the
object
from
that
point
of
view.
In
the
case
of
the
record
we
could
we
could.
D
We
could
do
a
lot
better
by
saying
I'm
going
to
give
you
a
record,
you
must
do
something
on
the
other
side
to
reconstruct
the
record
on
the
other
side,
and
I
don't
have
to
do
any
ahead
of
time
processing
here.
I'm
just
going
to
give
you
the
record
on
the
other
side
will
say:
okay,
I
got
the
record.
Let
me
see
there
are
boxes
on
it.
Let
me
loop
through
those
boxes.
Let
me
ask
for
each
of
these
individual
boxes.
D
Can
you
give
me
a
proxy
of
what
is
inside
the
box
on
the
other
side,
and
is
it
single
pass?
If
we
have
the
mechanic,
the
mechanics
for
that,
it
would
be
a
single
pass
just
to
reconstruct
a
new
record
by
replacing
the
boxes
on
it,
and
if
we
can
optimize
that
in
the
engine
that
would
be
pretty
cool
because
you
just
simply
look
through
it
change
it
produce
a
new
record
with
the
new
boxes,
you're
done
and-
and
that
seems
very
elegant
to
me.
I
hope
I
hope
that
we
can
get
to
that
point.
B
So
after
this
conversation,
the
assumption
that
I'm
inclined
towards
is
that
until
we
tried
someone
should
try,
the
experiment
be
wonderful.
If
somebody
would
try
the
experiment,
but
I'm
not
volunteering,
to
write
a
a
membrane
on
top
of
a
callable
boundary
under
each
of
these
engineering
assumptions
and
seeing
how
much
pain
there
actually
is.
If
we
don't
allow
boxes
to
pass
through
the
caldwell
boundary,
but
so
first
of
all,
that
would
be
wonderful.
Somebody
did
that,
but
I'm
not
volunteering.
B
In
the
absence
of
anybody
trying
the
experiment,
I'm
not
inclined
to
introduce
a
hazard.
Even
if
I
agree
it's
not
a
vulnerability,
I'm
not
inclined
to
make
boxes
pass
through.
The
call
will
boundary
in
the
absence
of
an
experiment
showing
that
it's
substantially
more
painful,
to
construct
a
membrane.
D
So
I
pasted
it
in
the
link
there.
This
is,
in
my
opinion.
Obviously
I
have
worked
on
it.
In
my
opinion,
this
is
the
most
advanced
neo-membrane
implementation
that
we
have
done.
What
material?
What
you
we
saw
in
in
the
iran
is
kind
of
a
dummy
version
of
these,
and
if
you
spend
time
on
it-
and
we
have
a
few
folks,
rick
and
jd
and
myself
mostly
working
on
this
particular
file
this.
D
If
it
feels
to
me
that
with
the
identity
issue-
and
I
know
it
is
an
issue
because
daniel
raised
that
issue-
these
are
incoherence
between
what
the
requirement
tuple
will
will
do.
If
we
allow
boxes
to
be
passed
through
the
callable
membrane,
the
callable
boundary
versus
what
happened
with
the
functions
today
that
are
wrapped
and
then
when
they
come
back,
they
are
wrap
again.
So
they
don't
preserve
the
identity.
D
B
C
F
D
B
D
D
F
D
B
D
B
D
Which
is
using
the
the
new
predicate
to
check
if
the
thing
has
the
boxes
and
then
do
the
extra
exercise
of
reconstructing
a
record
that
has
different
boxes
on
it
and
having
the
proper
mapping
between
the
two
sides
of
the
membrane.
So
if
it
comes
back,
it
comes
back
at
the
arena
record,
not
as
the
record
on
the
other
side.
D
Yeah,
I
think
it's
going
to
just
be
a
problem
for
for
for
adoption
and
record
tuples.
If
you
just
simply
block
that,
I
I
don't
see
any
problem
with
letting
them
pass
through
the
callable
boundary,
and
I
see
some
benefits
that,
from
my
point
of
view,
are
important
for
implementation
of
membrane,
but
also
for
the
you
to
speed
up
the
process
of
of
of
communicating
between
the
two
sides
of
the
membrane
for
users.
C
D
And,
and
and
and
and
again
it's
you
you're,
so
it's
right,
it's
not
really
about
membranes,
it's
just
any
kind
of
protocol
that
you
want
to
implement
and
that's
why
I
was
talking
about
the
using
this
mechanism
as
an
artifact
to
do
the
communication
between
the
two
sides.
So
if
you
had
to
build
your
own,
let's
say
you,
you
have
a
plugin
system.
D
C
C
B
B
D
Sorry,
instead
of
that
thing
that
that
you
mentioned,
which
is
I
I
give
you
this
box
to
the
other
side,
you
send
me
back
whenever
you
want
to
do
an
operation.
On
top
of
that
update
you,
don't
you
don't
have
access
to
the
object?
You
only
have
access
to
the
record.
That
represents
the
object
internally
and,
and
so
you
do
operations
on
the
other
side
and
anytime
that
you
have
to
do
an
operation.
On
top
of
that
object,
you
send
me
that
object
back
and
I
unbox
it
and
use
it.
D
Do
the
operation,
whether
that's
a
get
or
a
set
or
where
it
has
or
a
defined
property
or
whatever
it
is,
and
I
return
the
result
back
that
that
simplifies
the
thing
right
now.
What
we
do
is
different.
We
give
you
a
function,
you
give
me
a
function
back.
That
function
has
no
identity.
I
need
to
call
it.
It
set
something
globally.
Yeah
on
the
scope.
I
take
that
thing
that
I
have
in
the
scope
and
I
use
it
as
the
mapping
between
the
function
and
the
identity
wrapping
that
function.
B
Okay,
so
let
me
just
make
sure
I'm
getting
the
punch
line
here
accurately
if
we
introduce
boxes
and
have
them
pass
through
the
cauldron
boundary,
as
we
talked
about
that
building
a
membrane
using
the
box
encoding
just
for
normal
objects
in
order
to
get
a
membrane
across
the
coral
boundary.
Using
this
as
the
encoding
for
communicating
across
the
coral
boundary
means
that,
for
normal
purposes,
membranes
become
much
cheaper
and
more
straightforward.
Even
when
there's
no
records
and
tuples
and
boxes
involved
in
what
we're
sending
across.
B
E
E
If
I
get
two
records
passed
across
a
callable
boundary,
they
have
boxes
in
them,
and
I
now
want
to
compare
if
they're
equal
engines
going
to
have
any
issues
with
the
fact
that
we're
trying
to
compare
things
as
in
like
could
either
side
of
this
different
realm,
be
in
a
different
address,
space
or
anything
and
they're,
going
to
be
confused.
Trying
to
compare
these
things
or
not,.
E
C
In
a
scary
dimension
like
we're
not
introducing
anything
new,
the
the
object.
Graphs
like
themselves
are
isolated
for
shadow
realm,
but
the
linkage
between
the
two
is
not
you
can
already
reference
indirectly,
through
a
wrapped
function,
an
object
from
one
side
to
another.
It's
just
you
have
that
you
have
that,
like
boundary
of
the
wrap
function
here,
the
boundary
would
be
different.
It
would
be
the
box.
E
D
E
If
boxes
can
go
across
a
callable
boundary
that
strengthens
the
argument
about
weak
maps,
because
one
objection
to
putting
them
in
a
weak
map
is
you
can
just
emulate
that,
because
you
can
unbox
the
box
use
a
like
a
finalization
registry
and
kind
of
emulate
weak
behavior.
But
if
the
other
side
can't
unbox
a
box,
the
only
way
they
can
hold
it
weekly
is
if
it's
natively
supported
directly.
E
F
Okay,
so
I
think
we
now
all
agree
that
record
support
doubles
and
boxes
can
be
primitives
and
the.
So
this
is
good.
We
didn't
really
talk
about
the
ability
of
putting
primitives
instead
of
boxes.
I
think
we
mostly
all
agree
that
we
can
disallow
primitives,
but
we
can
talk
about
this
again
if
needed,
we
are
still
discussing
about
what
to
do
with
boxes
that
cross
crosstalk
that
go
from
one
run
to
the
other
they
shouldn't
be
allowed
to
be.
B
F
C
D
I
think
the
going
in
in
the
opposite
direction
and
letting
records
to
be
unboxed
from
another
realm
will
again
just
get
a
different
set
of
people,
a
different
group
to
object
to
I'm
talking
specifically
about
google
positions
and
I'm
not
introducing
any
new
api
that
allow
this
kind
of
intertwined
object.
Graph
between
roms.
E
B
E
D
B
C
Exactly
yeah
and
that
that's
kind
of
was,
I
was
like
if
we
could
make
this
check
instead
of
being
from
where
the
box
functions
and
constructors
were
constructed.
But
if
we
could
make
those
sensitive
to
where
they're
called
from,
I
think
it
would
alleviate
all
the
problems,
but
that
would
be
probably
very
bad
in
a
lot
of
other
yeah.
That's.
E
B
A
Yeah
all
right.
Well,
I
think
that
that's
that's
that's
good
for
this
week.
I
think
this
is
excellent
progress
this
week
and
and
we
have
a
pretty
clear
idea
of
what
the
what
the,
what
the
next
actions
are
for
this
topic.
So
thank
you,
everyone
for
joining
us
for
this
meeting
this
week,
I'm
going
to
pause
about
stop,
recording.