From YouTube: CNCF Envoy Community Meeting 2020-03-24
Description
CNCF Envoy Community Meeting 2020-03-24
https://docs.google.com/document/d/1Yc4zkV-A_cC_R3C0u6D15WQAsRSxADs8p2l8UMMa4P4/edit
The spreadsheet is at
https://docs.google.com/spreadsheets/d/1OYS9nU55ibLr4Z-io1esgKPO4FIoWsuOzKG60RxePO8/edit#gid=0
B: Let me, let me find it. I can drop it in the chat once it... yeah, one thing that would be helpful with his fix PR: I'm guessing for the last few months we've had quite a few regressions, so if you're able to actually run it locally and you want to fix some of the master regressions, that would be really useful.
C: I actually edited that a little bit and yeah, looks good. I think it's a really nice contribution. I think the IT area, where I spoke with Michael about, is that we would annotate repository_locations.bzl with where the dependencies are being used, and that will be, as he says, just metadata, which will be used by folks who are doing these updates in future, and that will obviously appear in the diff and GitHub to let us sort of get a better picture of...
C: You know how important this dependency update is, and if we can, I do like group these bumps, so that, you know, we can just deal with our, yeah, all those big old-time ones and test ones, just get them out of the way, and we can focus on those dependencies which are actually really interesting for Envoy's behavioral and security properties. Yeah, did.
C: Yeah, the thing is, if we scatter this, follow across the trick, I mean anything's put, it doesn't really matter, like with tooling we could always do this, but it'll be nice. It's not something... A single pane, I would like to keep maintaining some sort of single pane of repositories, and me it easily query that, yeah.
C: Yeah, it's very so query could do something like that. I want again, like I think I'm fit me with to she's a little more sophisticated, which actually includes this metadata and prints things out nicely and associates them with extension, and yeah, I think we would ultimately need something a bit more about Bazel query, or Bazel query is a building block for whatever you would build. Oh.
B: Sure, yeah, I guess I was just saying that I think whatever we should do, we should try to make it part of CI so that, for example, if a new piece of code uses an external dependency that we didn't know that it uses, we should make sure that the annotations are actually up to date. If it's done by hand, that seems very fragile.
C: Agree. I mean, right now that I had is that this is a to applying a build or test, and I don't think we can. We can possibly feet and further some of that through Bazel magic, but that's probably not too fragile. Like, you know, if dazzle is never going to appear as part of the data plane, for example, and yeah, rapid Grayson maze coming the data plane some of the time, maybe control plane the others, but there's relatively few external dependencies which straddle that line, and I think there's ones.
C: So yeah, so anyway, I think we can do a normal death, and then another thing I would like to see sort of out of it, something as macro-learns about today, but maybe our good friends at Red Hat like Kevin and some of Alcoa know about this. It's a CPE. So apparently, like all software has its own unique identifier. Just like CVEs usually identify exploits or vulnerabilities, CPEs uniquely identify products.
C: So if we could include the CPEs for external dependencies there, that would be a huge solid favor for at least us at Google, and I'm sure other folks would love to have that information as the tag-along, because it allows you to then knock back from, likely, a stable version and a CPE to, you know, known vulnerabilities and that kind of thing. Sorry.
C: This is something like a random repository maintained by a couple of people and there's no release process, and we just have some SHA there, and that doesn't really facilitate this kind of reasoning, I mean, particularly as we scale the number of dependencies. Ideally this can be done in a tool-based way or through, you know, standard notification mechanisms like GitHub release watchers and GitHub releases. There's this kind of thing, so this is kind of where I would like us to get towards.
C: If you just want to work on a rolling master as release candidate, you could do something like that with the right version history and so on, but I don't think many projects really practice that either, yeah. This is kind of like where I would propose we go, at least for those dependencies which are actually important to data plane behavior, yeah.
B: I mean, this sounds fantastic. I, I think that anything we do here would improve the security posture. My only concern is what I put into the GitHub issue, which is just that I want to make sure that if we specify these rules, or what we expect from other projects, you know, that actually makes sense and they're not just arbitrary, because it's like we can...
C: Again, if all they did was cut releases and maintained a version history between them, that to me is already very useful in being able to start to reason about history and being able to, you know... and the Sirian there just puts Fluvanna in the version history, I mean, you know, we want them to actually have actively maintained.
B: I am, I am a hundred percent for this. I just want to make sure that if we do this, we apply this across all projects, and by that I mean that we have a bunch of Google projects here, and Google's used to working from master, and, and, and like again, I mean, I think this is great. But if we're gonna apply this, like, we can't say that Google projects don't have to do this because they're used to going from master or something like that.
C: Places where we've told people to go cut a separate repository because we want to put in their main Envoy one, and that's basically where they are, and I think it would be nice if, if we could get something a bit more sword going on there. Agree, then there are some major ones which I think caught squats taken action, ing, better job on with cell and others like that, and you know, cell was kind of like, yeah, it exists internally at Google, and then we decided to open source.
B: And again, that, that sounds great. Like, I know that for some of these dependencies, without naming names, I know that some of them have been put into other repos to avoid our extensive code reviews, which, which kind of defeats the purpose of what we're trying to achieve. So, you know, like, we should just make sure that we write down what our expectations actually are there.
C: One of the nice things is, if we could do what you say at the beginning and start to associate directly the extensions with Paula trees, is those repositories which don't have released maturity, and we can tag that against a bit of metadata there, we can then automatically enforce that. Hey, you don't get famous, you know, are these super secure postures, because it turns out, you know, you're not practicing, you know, and...
B: Bit because every project pretty much has this problem, and it's even worse in other ecosystems. Like C++ isn't, I actually think, quite as bad, just in the sense that there's fewer dependencies; more software tends to be written either from the standard library. If you look at something like Go, it's basically like Node.js. I mean, it's like these projects pull in literally hundreds of nested dependencies, so keeping track of that is very complicated, but there, there is interest in trying to do better here.
B: So there is something called SIG Security, and sense you have, there are people that focus on both the security projects and just general security posture for the CNCF ecosystem. I doubt about this issue and I was told to basically open an, an issue against SIG Security, and one of the things that we might consider doing is you or I or both of us, we can go potentially present or talk about it at a SIG Security meeting, just to explain some of the problems that, that we're having and maybe see, I mean, I, again...
B: But, but in terms of near-term stuff, I mean, I, I love the idea of getting this spreadsheet built into some tool that's actually checked in CI, and like we can make sure that the annotations are correct on the extensions, and at least then it would allow us to understand, like, what do we depend on? What is it used by? You can imagine that now that we have all these annotations around, you know, is an extension like alpha? What is the extension security posture like? Maybe we have different rules around?
B: Cool, I don't think I had anything else, did that day. I won't have anything that they wanted to chat about.