►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Deep Dive: SAFE BoF- Jeyappragash Jeyakeerthi, padme.io & Dan Shaw, danshaw, LLC
The charter of the working group is to reduce risk that applications expose end user data or allow other unintended access. Distributed deployments across heterogeneous infrastructure are increasingly common for cloud native applications. The working group sees common need patterns in cloud-native application architecture to improve the security of the systems. Without common ways to programatically ensure consistent policy, it is increasingly difficult to evaluate system architecture security at scale. We propose that the creation of open source libraries that enable interoperability across software and providers will enable the adoption of common protocols for access control. This will in turn accelerate the adoption of cloud-native application development models, as well as streamline operations for both cloud and traditional infrastructure.
To learn more: https://sched.co/GrdR
A
As
always,
you
know,
wonderful
to
sort
of
you
know,
grow
and
build
your
relationships
and
been
you
know,
find
new
new
folks
who
are
interested
in
collaborating
in
the
cloud
native
security
space,
so
yeah
thanks
for
joining
there.
Today's
session
we
went
through
on
Tuesday,
you
know
touching
on.
You
know
the
the
mission
and
objectives,
and
you
know
various
yeah
cornerstone
aspects
of
the
cig
and
why
we're
we're
here
today,
I
wanted
to
go
a
little
bit
deeper
into
a
couple
of
our.
A
You
know,
key
key
projects
that
we're
doing-
and
you
know,
I'm,
going
to
share
the
floor
with
Santiago
and
Gerry
Jennings,
who
are
gonna
share
some
of
the
the
work
outputs
that
we've
been
working
towards
as
a
group.
So
in
terms
of
our
key
working
group
initiatives,
we
have
three
major
initiatives
that
were
collaborating
on
right
now:
the
landscape.
So,
if
you
think
of
the
CNCs
landscape,
that's
definitely
an
inspiration,
though
you
know
we're
trying
to
get
that
out
of
that
pure
framing
around
your
projects
and
really
you
know,
distill
those.
A
You
know
the
concepts
down
into
something
that
we
can.
You
know
all
leverage,
even
if
you
aren't
directly
you
know
pulling
in
one
of
those.
You
know
particular
solutions.
You
know
the
cloud
native
security
landscape
is
more
than
just
the
the
projects,
so
you
know
we're
looking
for
the
best
ways
to
to
get
into
that
and
and
Jerry
well
we'll
put
a
go
deeper
into
that
discussion.
A
Then
you
know
one
of
the
great
things
that
we
have
as
a
working
group
is
relationships
with
folks
across
the
industry,
where
you
know
we
have
folks,
you
know
in
their
work
responsibilities.
Dealing
with
you
know
the
heavy
burden
of
compliance,
and
you
know
aligning
to
standards.
We
have
a
few
individuals
who
are
a
part
of
the
the
work
that's
going
on
and
NIST,
and
it's
really
fantastic
to
you
know
have
that
you
kind
of
that
leading
edge
vendor
perspective
of
the
cloud,
Davi
ecosystem
or
all
you're.
A
Looking
to
lift
our
infrastructure
into
you
know,
cloud
managed
space,
but
also
you
know
dealing
with
the
reality
of
you
know
many
institutions
that
have
a
significant
investment
into
infrastructure
that
they
they're
needing
needing
to
pull
forward,
and
you
know
last,
but
at
least
we
were
working
with
the
TOC
to
provide.
You
know
security,
audit
guidelines.
You
know
basically
the
first
passes.
A
It
relates
to
the
community
perspective
and
a
peer
review,
and
when,
when
a
project
comes
into
the
this,
the
CN
CF,
you
know
as
we
bring
bring
projects
into
in
more
of
a
graduation
phase.
They're,
you
know
or
there's
some
formal,
formal
security
work
that
that
happens,
but
the
safe
working
group
is
stepping
up
to
be.
They
are
first
and
foremost
the
community
with
the
community,
where
you
know,
if
you're
grappling
with
and
trying
to
understand,
you
know
where
you
fit
in
the
cloud
native
security
or
ecosystem,
we're.
A
You
know,
peers
that
are
working
together
and
you
know,
since
any
of
us
have
had
the
opportunity
to
sort
of
work
through
that
process,
we
can
be
of
assistance
to
you
know
the
the
projects
that
are
going
through.
That
process,
so
I'm
gonna
go
slightly
out
of
order,
since
we
have
Santiago
who
has
to
jump-
and
you
know
split
his
time
with
another
session-
that
this
is
happening
at
the
same
time.
So
I'm
actually
gonna
stop.
A
You
know
in
it
start
at
the
bottom
here
and
you
know,
work
through
some
of
those
issues
and
what
I
would
like
to
share
is
you
know
one
of
these
key
projects
that
we've
evaluated
inside
of
safe,
the
in
toto
project,
which
you
know
represents.
You
know
a
baseline
that
we're
working
on
the
security
audit
guidelines
from
a
prime
example
of
you
know,
peers
and
folks
in
the
security
space
that
are,
you
know,
looking
for
input
and
a
perfect
fit
for
us
as
a
community.
B
Basically
in
your
software
supply
chain,
you
would
usually
have
a
lot
of
good
point
solutions
that
protect
you
from
getting
compromised
on.
For
example,
a
version
control
system
or
you
have
a
secret
infrastructure
in
your
CI
system,
protects
your
secrets
from
being
leaked
or
you
have
a
binary
authorization
and
binary
signing
on
your
build
and
your
packaging
infrastructure.
But
there's
a
but
there's
a
whole
of
questions
that
aren't
answered
when
you
just
look
at
point
solution.
So
supply
chain
is
a
chain
and
chain
store
only
as
strong
as
their
weakest
link.
B
For
example,
if
you
have
a
checkout
face
on
the
version
control
system,
is
the
code
checked
out
checked
out
by
the
right
party
and
is
the
commits
sign,
or
is
that
tag
the
right
tag,
and
is
that
the
tag
that's
being
checked
in
into
the
CI
system
and
the
test
run
against?
Or
is
that
another
tag?
And
it's
not
the
same
tag
that's
being
used
in
the
build
system
and
it's
a
output
of
the
build
system,
the
one
that's
actually
packaged
into
a
into
a
package?
B
B
We
also
list
what
kind
of
artifacts
are
being
produced
by
each
of
the
steps,
and
then
we
interconnect
them
together.
In
the
example
that
I
just
told
we
kind
of
make
a
graph
that
shows
the
flow
between
every
single
actor
in
the
supply
chain.
And
finally,
we
sign
it.
So
you
know
the
actual
layout
is
the
one
produced
by
the
person
who
is
authorized
to
say
how
this
actual
piece
of
product
piece
of
software
should
be
produced
and
and
well
now
you
know
what
needs
to
happen.
On
the.
B
Finally,
you
can
get
all
this
lay
out
this
pieces
of
link
metadata
and
your
actual
final
product
in
some
sort
of
software
bill
of
materials
that
you
can
verify
before
you
actually
deploy
it
now,
I'm
not
going
to
go
into
much
detail
on.
How
does
the
syntax
work
it's
pretty
much
like
firewall
for
artifacts,
that's
cryptographically
strong!
It
can
actually
make
sure
that
every
single
artifact
goes
through
I.
Think
it's
more
descriptive
if
I
jump
into
a
demo
and
we
go
through
it.
Is
this
font
the
right
size
awesome?
C
B
B
Now
it
was
created
I'm,
going
to
jump
into
another
screen
and
I'm
going
to
show
you
pretty
much
what's
inside
of
it
it's
what
you
expect,
there's
steps
being
defined
in
a
list
there's
a
bunch
of
public
public
keys
that
are
used
to
authenticate
every
single
functionary
that
needs
to
perform
an
operation
in
the
supply
chain,
and
then
you
have
a
bunch
of
rules
firewall
that
essentially
describe
what
can
happen
when
the
supply
chain
is
performed.
Well,
it's
carried
out
in
this
case.
B
For
example,
there's
a
there's,
a
functionary,
Bob,
I'm,
sorry
I'm,
an
academic,
so
I
choose
Alison
Bob
for
all
of
my
examples.
Well
clone
a
repository
and
then
this
same
functionary
will
update
the
version
of
Fudo
py
artifact,
which
is
like
our
product.
Then
another
function
area,
which
is
our
pill
farm,
we'll
package
everything
into
a
tar.gz
file.
It
could
be
a
package,
it
could
be
a
container.
It
can
be
anything
that
you
would
like
to
use
which
it's
allowed
here
and
finally,
it
will
all
float
into
the
user.
B
Who
will
verify
that
everything
every
single
operation
that
was
performed
was
actually
performed
by
the
right
person
and
everything
happened
according
to
the
plan.
So
in
this
example,
we
cloned
the
clutter
repository.
This
is
the
first
step.
We
use
the
total
tooling
to
wrap
everything
in
the
execution
and
start
tracking
all
of
the
artifacts
that
started
floating
around
and
we
will
track
how
they
were
before
anything
happened
and
how
they
are
after
everything
happened.
B
The
next
step
was
Bob
will
update
the
version,
the
version
in
the
in
the
script
before
sending
it
over
to
the
packager.
We
will
wrap
the
same
in
this
case.
We've
wrapped
echo,
but
if
you
want
to
wrap
them
or
you
want
to
wrap
a
whole
IDE
or
like
your
image,
editor
anything
of
that
sort,
it
will
be
completely
agnostic
to
the
tool
and
it
will
track
the
changes.
I
want
to
stop
here
and
show
you
what
the
piece
of
link
metadata
looks
like.
If
we
look
at
the.
B
Functionary
Bob,
he
had
a
clump
piece
of
link
metadata
that
has
a
material
and
it's
hash
that
was
created
as
a
product.
Sorry,
as
another
material
is
a
product
of
food
up,
you
I
remember
this
hash
because
it
will
be
repeated
in
the
other
piece
of
link
metadata
that
I'm
going
to
show
right
now,
which
is.
B
Updating
the
version
this
is
being
recorded
and
updating
the
version
as
a
material,
and
then
a
different
hash
is
going
to
be
shown
as
a
product
of
the
updated
version
control.
The
version
of
the
of
the
software
then
we're
going
to
let
Carl
perform
the
shipping
and
the
packaging
of
our
demo
project,
and
if
we
actually
jump
into
into
this
piece
of
link
metadata,
you
will
notice
that
well,
it
is
there
and
that
there's
also
a
new
hash
for
a
for
the
tar
GC.
B
B
B
B
B
The
this
can't
stop,
for
example,
cases
that
we've
seen
like
Microsoft
by
accident,
published
development
version
of
their
software.
Well,
if
that,
if
that
wasn't
signed
by
the
right
person,
it
shouldn't
have
gone
through
every
single
operation
in
the
version
control
system
can
be
tracked.
This
way
and
you
can
actually
enforce
things
like-
is
every
single
commit
not
only
signed
by
the
right
person,
but
has
it
been
reviewed
by
someone?
There's
there
an
attestation
for
this,
or
is
the
CI
system
reporting
a
failure?
Why
is
the
software
being
shipped?
B
This
in
total
has
been
used
in
data
dock
to
supply
the
supply
chain
for
their
agent
integrations,
and
it's
actually
pretty
cool.
They
have
every
single
developer
has
a
Yubikey
and
they
sign
touching
the
juubi
key
and
whenever
you
get
the
software
or
any
any
type
of
agent
integration
that
you
use
will
be
authenticated
by
one
of
their
trusted
developers.
Using
a
hardware
token,
even
if
you
compromise
their
build
farm
or
you
compromise
their
delivery
infrastructure,
you're
sure
that
every
single
line
was
written
by
a
data
dog
developer.
A
Yeah
said
an
antenna
has
really
been.
You
know
one
of
those
those
perfect
use
cases
for
safe,
yes,
I
was
really
looking
forward
to
sharing
that,
and
you
know
it's
been
been.
This
collaboration
touch
point
with
the
TOC,
where
we're
learning
how
we
can
you
know,
add
value
and
support
the
needs
of
of
the
TOC.
D
Of
of
what
to
look
for
in
terms
of
security,
the
the
categories
that
are
there
now
are
very
broad.
They
did
change
them
in
the
last
few
months,
but
the
one
big
bucket
category
that
a
lot
of
the
security
related
projects
go
into
is
called
security
and
compliance,
and
it's
one
big
bucket
for
a
lot
of
things,
and
so
we
started
to
look
at
if
we
could
find
a
way
to
sensibly
redefine
what
some
categories
and
sub-categories
would
look
like.
D
That
would
give
people
a
better
sense
of
how,
in
practice,
you
actually
think
about
security
from
thinking
about
starting
to
build
an
app
to
actually
deploying
it
to
production.
So
there
is
an
open
github
issue
in
the
safe
working
group.
Github
repository
and
I
expect
that
by
the
end
of
this
week,
early
next
week,
I'm
actually
going
to
have
a
PR
up
with
the
draft
landscape
that
we've
been
working
on.
D
We
had
an
initial
draft.
I've
talked
about
it
at
several
safe
working
group
meetings
and
we've
gotten
feedback
I've
reached
out
to
people
in
some
of
the
sandbox
and
incubating
projects
and
CNC
F
and
gotten
some
feedback
from
them.
But
we're
at
a
point
where
we
really
want
to
start
to
hear
from
end
users,
and
so
we've
been
starting
to
think
about
formalizing,
the
draft,
adding
it
to
the
github
repository
and
maybe
starting
to
craft
a
survey
to
talk
to
the
CNC
F
end
user
community.
If
that's
possible
and
see,
does
this
resonate
with
them?
D
Are
there
holes
that
are
you
know
glaringly
obvious?
Are
there
things
that
just
aren't
worded
quite
realistically
for
how
things
are
being
done
in
practice
at
their
organizations
and
just
also
sort
of
just
to
ask
in
general
what
people
are
doing?
I
have
a
sense
of
it.
I
have
my
own
experience,
but
to
be
more
representative
of
what
goes
on
throughout
the
industry,
we'd
like
to
ask
people
directly.
So
that
being
said,
I'm
just
going
to
briefly
go
through
the
draft
document,
that's
available.
D
If
linked
in
the
github
issue,
I'm
in
the
process
of
moving
this
into
to
get
her
repository
itself.
It
starts
out
with
some
motivation
for
why
we
started
this
project
and
sort
of
our
reasoning
for
taking
the
tack
that
we've
taken
with
it.
We've
done
some
recent
work
to
sort
of
rework
the
categories
and
a
way
that
makes
sense,
but
let's
just
go
through
them
really
quickly.
So
the
first
phase
is
app
definition
and
development
and
there's
a
few
categories
in
there.
D
The
first
is
static
code
analysis,
which
is
like
just
actually
looking
at
the
code
and
doing
things
like
pen
testing
to
see
if
there's
vulnerabilities
in
the
code
itself.
The
second
is
dependency
analysis,
which
encompasses
both
things
like
image,
scan
scanning
and
checking
the
open,
the
operating
system,
open
source,
I,
almost
said
and
checking
you
know,
libraries
that
are
included
as
dependencies
to
make
sure
that
they're
all
up-to-date
and
don't
have
serious
vulnerabilities
and
there's
another
category
for
pipeline
security
testing.
D
The
second
category
is
pretty
broad
one,
so
I
I'm
kind
of
anticipating
some
more
feedback
around
this,
and
maybe
some
insight
into
how
to
break
it
down
better,
but
right
now
we're
calling
it
identity
and
access
control.
The
first
piece
is
identity
and
it's
things
like
LDAP
octa
spiffy,
so
encompassing
both
the
identity
of
humans
and
machines.
D
D
All
the
way
down
to
things
like
Network
policy
service
access,
which
is
really
focused
on
making
sure
that
the
machines
or
applications
or
services
that
are
deployed
only
access,
the
resources
that
they've
been
explicitly
privileged
to
and
I've.
We
originally
had
key
and
certificate
management
and
provisioning,
but
we've
moved
it
here,
because
the
keys
and
certificates
are
often
the
things
that
are
actually
providing
the
identity
to
the
applications
and
services
and
there's
things
like
key
rotation
and
things
like
that
that
come
into
play
that
aren't
just
happening
at
the
provisioning
stage.
D
D
D
We
have
automation
and
configuration
compliance,
so
things
that
just
check
that
you're
doing
what
you're
supposed
to
be
doing
secure
container
registries,
that
do
things
like
image
signing
and
the
last
category
is
runtime
observability
and
analysis.
So
there's
active
and
passive
protection
of
the
container
runtime,
any
kind
of
threat,
analytics
or
auditing
that
you
would
do,
and
real-time
monitoring
for
intrusion,
detection
and
so
on.
D
So
if
you're
interested
in
this
still
obviously
open
for
feedback
in
this
document,
we're
going
to
be
opening
up
a
PR
soon
with
the
this
initial
draft
and
crafting
survey
to
validate
its
contents,
so
I'd
be
happy
if
you
were
interested
to
get
involved
in
any
way.
At
this
point,
though,
I'd
like
to
just
ask
if
there
are
any
questions
that
people
have.
D
C
A
Yeah,
that
seems
to
be
a
split
we're
either
folks,
you
know
really
go
and
you
know
make
an
effort
to
protect
that
or
it's
wide
open
and
far
too
many
organizations
are
in.
You
know
wide
open.
Yes,
we're
protecting
from.
You
know
undesired
external
access,
but
you
know
not
necessarily
you
know
the
vector
where
you
know
that
it's
easiest
like
the
insider
is,
you
know
potentially
far
easier.
A
D
C
D
E
E
I
guess
that
lines
I'm
sure
people
heard
about
all
those
regulations
for
privacy,
I,
don't
know
I
mean
we
probably
won't
solve
whole
problem,
but
what
a
vehicle
thinking
to
look
at
those
regulations
and
translate
some
of
the
concept
into
something
that
we
should
support.
I'm,
not
an
expert
but
I.
Just
you
know
somebody.
E
D
D
F
D
If
that
could
be
one
of
the
sub
projects,
so
we
have
a
compliance
related
project
that
we
haven't
talked
about
yet,
but
I
think
you're
planning
to
talk
about
that
next,
so
whether
that
makes
sense
as
part
of
that
project
or
whether
we
would
maybe
even
have
an
additional
project
to
talk
about
privacy
as
a
standalone.
It
seems
to
me,
like
it
merits
its
own
discussion.
It.
A
A
You
know
early
discussions
in
organizations
and
then
you
know
privacy
is
that
you
know
the
bastard
stepchild
of
that
process
and
you
know
get
it
getting
to
that
stage
is
definitely
a
level
of
maturity
that
you
know
many
organizations
kind
of
hope
they
aspire
to
get
to
that.
At
that
point,
I
don't
know
if
we
can
find
an
owner
I'd
love
to
to
see
us
really
embrace
that
I.
D
G
Have
we
looked
into
threat,
modeling,
looking
into
ways
of
codifying
attack
graphs,
it's
very
like
an
organization
to
some
of
you
think
about
it.
Netflix
is
what
are
the
things
that
we're
trying
to
protect
and
how
an
attacker
might
move
to
our
environment
to
get
to
those
things,
and
then
that
can
inform
what
kind
of
obstacles
we
put
in
their
way.
What
kind
of
controls
we
put?
D
D
B
D
Like
it's
indicative
of
the
fact
that
we
probably
should
have
a
broader
discussion
about
it,
so
you
know
come
to
our
meetings
and
and
talk
about
it
more
with
us,
because
I
think
that
that's
great,
but
to
your
first
point,
the
threat
modeling
that
I
think
was
related
to
what
the
in
toto
group
had
going
right,
and
we
didn't
get
to
talk
about
that.
Much
and
maybe
Dan.
It
would
be
good
to
go
back
to
that
for
a
minute,
and
just
talk
about
that
aspect
of
you.
A
D
A
A
The
omnipresent
new
potential
vectors
that
we're
introducing
every
day
so
that
that's
a
really
interesting
lens
to
that
threat.
Modeling
of
you
know
there
are
a
certain
number
of
things
that
yes,
we
do
need
to
pay
attention
to,
but
you
know
I
think
we're
increasingly
getting
to
a
point
where
the
baseline
is
that
you're,
always
in
threat
and
mitigation
mode,
and
you
know
dealing
with
you-
know
permutations
and
unknowns,
and
there
there
isn't
a
static
list
of
you
know.
Just
just
one
can
I
hand
this
to
you.
A
You
know
just
wasn't
we
weren't
ready
for
it.
So
this
you
know
this
is
one
of
our
big
oceans
that
were
we're
boiling
and
already
here
you
know
each
time
you
kind
of
boil
things
down.
You
know
you
can
find
these.
These
category
is
that
you
know,
if
you
could,
you
know
deep
dive
into
that.
You
know
you
dude,
you
know
end
up
spending
a
considerable
amount
of
time
and
effort,
so
you
know
I'm
excited
to
get
to
that.
A
Get
to
that
part
of
the
other
security
landscape
and
yeah
I
think
it'll
inform
you
know
very,
very
much
the
the
the
other
components
of
of
what
we're
doing.
I
I
see
that
as
a
fantastic
opportunity-
and
you
know
if
you
have
folks
on
your
team
or
individuals
who
you
think
might
be
good
clobber
is
on
that
I'd
love
to
have
their
their
perspective.
A
G
A
A
The
the
reality
is,
you
know
everything
is
moving.
You
know
in
emerging
technologies
really
fast,
and
you
know
we're
desperately
trying
to
to
coalesce
in
the
line
around
and
figure
out
where
we
need
to
align,
and
you
know
for
me
you're
bringing
bringing
standards
and
standards
iodization
into
you
know.
What
we're
doing
is
is
a
great
way
that,
at
the
very
least
keep
that
as
an
objective.
You
know
we
in
in
some
cases
you
have
no
longer,
you
know
want
to
prioritize.
A
But
you
know
those
even
beyond
the
work
that
we
do
in
open
source
and
reference
implementations
when
we
can
actually
get
things
to
level
of
you
know
putting
into
the
standard,
then
you
know
the
entire
ecosystem
benefits
and
we
can.
We
can
bring
that
out.
You
know
from
from
the
the
feedback
that
we've
gotten
from
our
members
that
are
involved
in
the
standards
process.
Folks
in
standards
world
have,
you
know
kind
of
the
opposite
challenge
that
we
have
in
the
CTF.
They
need
vendors.
A
A
You
know
institutional
folks,
and
you
know
folks
in
the
in
you
know
the
the
research
world,
and
so
you
know,
beginning
to
distill
down
what
are
you
have
some
of
those
those
compliance,
compliance
efforts
that
you
know
folks
need
to
be
a
lining
to
and
how
we
can
feed
those
back
out.
You
know
one
of
the
big
things
that
the
CN
CF
continuous
assert
is
that
it's
not
a
standards
body
and
I
rolled
my
eyes.
A
You
know
every
time
I
hear
that
too,
because
you
know
we
are
getting
to
a
point
where
they're
some
of
the
projects
and
some
of
the
things
are
at
this.
You
know
reference
level
and
you
know
if
we
don't,
if
you
don't,
you
know,
do
they
put
the
additional
pressure
of
you
know
lining
the
the
understanding
that
we're
doing
and
this
cloud
ecosystem
back
out
to
that
world.
Then
you
know
my
biggest
concern.
A
So
you
know
in
particular,
we
have
our
individuals
that
are
working
with
with
NIST
and
then
Andrew
Weiss
who's
spearheading.
This
effort
is
at
docker
and
Andrew
heads
up
the
the
government
services
group
for
for
docker.
So
you
know
the
the
institutional
folks
have
to
deal
with.
You
know
these
standards
every
day,
and
you
know
it's
been
great
to
to
bring
that
perspective.
In
this
ball,
so
that's
the
high-level
discussion
of
what
what
I
have
to
share
today
with
everybody
I'm
happen
to
open
the
floor
to
any
other
topics
of
discussion.
A
I
invite
everyone
to
join
us.
We
meet
every
Friday
at
11
a.m.
Pacific
time
and
you
can
find
links
to
our
zoom
and
github
on
CN
security
and
a
security
repo
and
safe,
and
you
know
on
the
cloud
native
slack:
we
have
the
safe,
WG,
Kat
and
Sarah
Allen.
They
are
following
our
discussion
around
the
intro
has
created
a
mailing
list,
so
I'll
I'll
share
some
of
that
tomorrow.
In
the
in
the
session
tomorrow,
we're
gonna
have
a
fairly
light
duty
session.
A
A
lot
of
people
are
gonna,
be
travelling
and
won't
be
around,
but
you
know:
we've
had
so
many
great
discussions
this
week.
I
wanted
to.
You
know
at
least
get
together.
You
know
capture
some
of
the
action
items
and
you
know
get
those
while
they're
still
fresh
in
our
minds
before
we,
you
know
get
back
at
it.
F
A
Have
not
so
the
what's
happening
right
now
with
with
what's
begun
to
be
called
cigs?
Is
you
know
the
TOC
as
they
were
ratifying
us?
You
know
decided
that
in
order
to
sort
of
scale
themselves,
they
needed
to,
you
know,
really
understand
how
they
were
delegating
Authority,
and
you
know
that's
kicked
off
an
entire
discussion
and
process.
So
you
know
we're
very
much
the
guinea
pig
in
that
process,
and
you
know
it's
been
good.
It's
been,
you
know
a
constructive
discussion
about
now
where
things
are
going
forward.
A
A
If
you
go
to
the
the
repo
you
know,
all
our
meeting
notes
are
published
and
and
with
the
recordings
of
our
sessions
are
published
in
Docs,
so
just
scroll
down
to
the
bottom
and
clicked
it
through
to
the
meeting
notes
and
you'll,
be
able
to
link
from
there
to
the
categories
and
SIG's
discussions
and
calls
for
feedback.
That's
happening
right
now.
Yeah
we're
checking
out-
and
you
know,
especially
if
you're
thinking
about
exploring
you
know
any
other
working
groups
or
you
know
plugging
in
there.