From YouTube: CNCF SIG-Security Meeting - 2019-08-28
B
Three BEC cents for first meeting and I'd still will look for another scribe. Ash, awesome, alright, we're good there. So if you are new to the meeting today, we have minutes, and I will go through and around our entire list of folks here and invite anybody who has any check-ins from their other working groups or just general later activities, working group activities, like activities to check in, and I use the attendance list in our minutes to go through that.
B
So if you want to be called upon, add your name there. If you don't want to be called upon, all right. I'll go ahead and kick that off. So this past week we, the co-chairs, been working on getting things set up for KubeCon North America. We have, you know, the sort of standard sessions that we normally been doing, the intro and deep dive.
B
You know, we're looking at having Sarah Allen, you know, go through our intro in this section, in this iteration, and we've had a lot of success in recruiting new members through these sessions, so they're, you know, very valuable, and that would be in addition to our dedicated day. So, you know, the intros is related outreach, and we're gonna be focusing the efforts of our deep dive this time in giving the first view of kind of the cloud native security landscape. That's what we're targeting for the deep dive, so very excited about that.
B
C
B
C
What if it's the other way around, and how does that change the way we manage security? And it's not just a cloud native thing, of course, but it's a good heuristic for thinking through some of the security issues that we face, which, in less than the standards, where tends to be relegated to a conversation around the supply chain, and I think that's kind of a lame way of looking at this, that the problem really is deeper than that.
C
The connectivity to the repos and in the public communities is more direct than that, and the other thing, it's kind of related to that, is the dual responsibilities that employees have to their, what we call the day job, in this community, and the open source community don't always, you know, offer and operate in a congruent way, and that's something that we could probably address in a longer term in this group. So both these topics are outside the scope of KubeCon and so on, but might be worth, you know, a recurring reset.
B
B
Know, I don't know what the right forum is, but, you know, I do know that if that forum exists in, you know, directly in this sort of a forum, that we, you know, we anchor in a bias that is, you know, completely embedded in that open source environment, whereas, you know, a lot of the, you know, the interests are not necessarily, you know, purely open source.
B
B
B
D
So quick update on SIG Security Day, from what I know. I missed our call yesterday, but the website is officially done. That's pretty exciting, and we've got the minimum requirements for sponsorship covered, but, you know, the more the merrier means we get more bells and whistles and have more fun. As far as the supply chain ticket update, John, and sorry, Jonathan Meadows and Santiago met just before this and weren't able to make it today, and they tossed around a couple of ideas.
D
E
F
Learn: I guess for me, I don't have anything particular to, so I don't have any particular update for this group, but I could again say that I'm working on Clair, and that's a security vulnerability scanner for Docker images, and yep, I'm adding support for Photon OS, and if somebody has experience with it, I will be glad to chat with you and speak about this issue.
F
A
Hey everyone, I will try to keep this as quick as possible. I joined Sysdig a couple weeks ago. I'm going to be working on Falco a lot, which means I'm going to want to get involved with security, so nice to meet everyone. I'm here to help. Let me know what I can do to make easier, and in general, I'm just excited about security and Kubernetes. So I imagine we'll see a lot of issues and commentary for me starting to pop up around the Kubernetes ecosystem.
A
Regarding security in general, Falco is going to be the one thing that I am focusing on making as upstream as possible. I wrote a blog. It came out yesterday. There's a link in the notes there if folks want to get involved. That has all of the, that's like the source of truth, with pointers to all of the resources if you want to start joining Falco calls, and again, having sponsorship here from the SIG would be helpful.
A
As far as Kubernetes concretely is concerned, we have a branch that we're working on, 682 in Falco, that deals with pod security policy in Kubernetes, using Falco as sort of a controller or an operator to enforce PSP. So if you're interested in that, feel free to check it out. The question I have for the SIG is: if we wanted to propose a change, what is the best way to go about bringing that up in this forum, in this video a.
B
So real quick, and if this goes long, a bunch of the agenda, you know, SIG Security is CNCF and Kubernetes. So we explicitly do not, you know, focus explicitly Kubernetes, where we roll up, you know, Kubernetes and all of the related cloud native ecosystem. So the CNCF adopted the Kubernetes SIG terminology when we landed the working group. We went from CNCF working groups, which did, you know, have a little bit more of a mental separation from Kubernetes SIGs. Now we are CNCF SIGs.
B
A
B
You know, the policy working group that joined us, and that is an overlap between the Kubernetes policy working group and, you know, our efforts, so we bridge to those working groups and, you know, have a number of the Kubernetes things that we actively track and, you know, have readouts and report-outs from. But, you know, we are, you know, partnering with those sorts of SIGs. There's no oversight or, you know, we're CNCF. Anything that's Kubernetes related is independent. Okay.
G
A
The only other update I have is, and this is yet to be fleshed out, this is the reason I asked about proposing changes, starting to think about and talk about adding secure to a number of cloud native CNCF tools such as kops, kubicorn, kubeadm, clusterctl, kubespray, you, and what that looks like and what that means for everyone. So starting to come up on my end with, if, in a perfect world, we have secure, what would that imply and how would the SIG advertise that? Great.
B
Yeah, secure by default or secure default would absolutely be something that, you know, we as a SIG are focused on and interested in advocating for, and exploring the techniques where we collectively can, you know, establish a good baseline, not, you know, OpenShift it and leave it, "Oh, the vendors will figure it out," and, you know, that'll be all roses at the end of the rainbow, but, you know, advocating for how we, you know, align security as the default up front. Okay, no.
J
Couples, can you hear me? Yes, okay, all right, sorry, my, yeah, my browser crashed again, so I'm calling in, yeah. So this week we've been doing quite a lot with in-toto. We have some exciting things to talk about, but I won't kind of steal Santiago's thunder on that, but some other big adoption things going on there, so expect to hear more soon. You know.
B
I
This is just my second time joining one of these calls, some Jill, still kind of figuring out how we can integrate with the group, but I work for NCC Group and I run a practice there that's focused on containerization and orchestration stuff, so you'll see me, see kind of our team members that are jumping on this call, trying to fit in and see where we might be able to help, you know, really wherever you guys need, you know, some open source projects, whatever we can do.
B
I
Yeah, that's a good question, is like, by day, you know, as somebody mentioned before, what we normally do is security audits, but kind of our goal is to go out in the community and see where we can't start doing some influencing of making things secure by default, and how can we lock things down in the beginning? So that's kind of why we're here now. Great.
B
Well, I mean, you know, one way for you to drive that influence is, you know, also to see the assessment process that we're doing, so participating in that, you know, sharing your insight into that process, you know, that we're leveraging to support the TOC of the cloud computing foundation, you know, is one of those directions. So if you want to sort of short-circuit some things, there's a great opportunity to leverage your skillset and influence how we're communicating to projects coming into the CNCF.
I
B
K
Hi, so I work on the Open Policy Agent. Last week I was at the Open Source Summit presenting OPA and Kubernetes, of course, and so just, Justin, I'll be looking at the OPA assessment doc and hopefully have all the issues addressed by tonight. So I just wanted to know what's the process for next week, so the TOC update about this assessment, so I don't have any idea about that yet. Yeah.
J
I don't think we do either, right? We proposed this, and this will be the first time we're going through and providing this, but I imagine it'll be something like a one-ish minute, one presentation with one slide or so, and I think it will be someone from SIG Security presenting and just basically summarizing what's in the document that has our findings, like our summary of it. Okay.
J
You so are, it's important to do both documents, because they both may be looked at. Well, one that we produce is the one that I think we'll be presenting effectively to the TOC to say this is what we thought, and then, if you disagree with anything we're saying, then saying that in, you know, like making that clear, so that we're kind of in consensus about this live is good too. Oh, so.
J
G
Tada, hey, this is the first time in this group, the Year, briefly about myself, of a long Cisco. I led a project in OpenStack as a PTL. I ran an orchestration project, but my current interests, then some of the initiative that we are doing, essentially bootstrapping an effort, are on security and cloud native enrollment, and this will involve things around audit, compliance, security component orchestration. I'm here to kind of see how things are, introduce myself.
B
L
L
I'm also joining here for the first time, and I'm curious about the things that are going on in this group. Right now I'm a PhD student in Max Planck Institute for Software Systems in Germany, and my interests are in system security. I came to know about this group while talking to Justin at USENIX Security a couple of weeks ago.
L
So I've done some work on designing policy compliance solutions for database-backed applications and also for some distributed applications, primarily confidentiality policies and stuff, and kind of curious about what needs to be done as the general landscape of application programming model, sort of evenly hardware changes, particularly in the data center environment, like the serverless computing and all these things. Oh, it's going to change.
L
You know, what we need to do in terms of also ensuring security while these applications are being designed. So, and also I'm curious about what are the policies that really people need to, you need to enforce in the systems and to protect data. So that's one of the things that I'm interested in, and more recently I've also been working, doing some work on side channels, specifically looking at that word side channels in the cloud. So yeah, and here I'm trying to understand mostly about the policies and stuff which are worrying about this meeting.
F
Who, me? Yeah, I think I did before. Oh.
M
A lot recently are known for mobile app dependencies, so, you know, Ruby, Python, NPM packages, things like that, and we have in the neighborhood of like 1,400 repositories, like we're pretty prolific and creating 10, because we have a lot of churn in our projects, and so I've been thinking about a lot, it's thinking a lot about how to outsource, manage those at scale and keep on top of upgrading and making sure things are deployed in timely fashion, that kind of thing. So I can go into that more detail.
B
B
O
O
B
H
Can we minimize our footprint of what we ship inside of these container images so that Falco doesn't become a point of attack, especially since we run Falco as privileged container as well? So I've been working on that. I've had some pretty good results, gotten our container images down to about 3.6 percent of what they were, so like 750 megs 226 megs. But you can imagine that all for everything that we've been able to work out. So that's been my primary focus, as well as the SIG Security Day, but Emily's already updated us on that.
P
H
B
N
B
Perfect, we got through attendance right at the half hour. Wonderful. All right, so Robert, I have a follow-up on our agenda from Envoy last week, but maybe, you know, better if we kick things off with the Kubernetes policy working group efforts and connecting the dots there to, you know, what the policy working group as it relates to CNCF is doing. Well speaking.
O
O
So my particular focus of the last month or so has been stretching out this discussion on formal verification policy, and that's in the PR here this week. The specific use cases there are many and varied. It'd benefit from more feedback, but the one that's kind of the low-hanging fruit and obvious, because it's already been done in the public, is kind of replicating something like a Zelkova zero source entry capability for Kubernetes, so it could easily be expanded beyond just proven use the project into validating other policies. For me, so that's, that's.
O
B
And just for our context, since, you know, is from Kubernetes SIG, you know, I'd love to see a little bit more alignment and support from that SIG. Is that something that you think you can, you know, bring to this PR? Is Hannibal gonna, you know, I see him mentioned, but I don't see him as a reviewer or plus-oneing things there. I.
B
Again, thank you. Midnight join us, you know, I don't necessarily expect, you know, to come present show, like happy to have you proxy that and represent the efforts there, but, you know, since, you know, he's been spearheading that effort, I just wanted to, you know, sanity check that we're all, you know, in line, and, you know, that those efforts, you know, from that working group are, you know, supporting these efforts.
O
O
O
B
B
O
D
O
One-time event and then be lined up on an extended period of time, that all of these types of issues that we see coming, they remind us that the assessment really is just a point of time that has a very short shelf life. And then, if we don't have some sort of defined routine for the freshmen on some.
O
Say the concrete, the fact of that was this issue that I've been putting thoughts around, what should be the formal life cycle, the official life cycle assessment, so yearly, the review, right, every two years, should be, really what's the thinking there, she reduced risk assessment, the prioritization. I've dumped my thoughts into the issue, and I think I put a markdown document attached to that. That's just like my straw man. Please, everybody should tell me, feel free to suggest.
B
And the sort of preventative behavior is moving away from, you know, relying on those formal definitions to, you know, just observing behavior, so I'm intrigued in that, you know, in the change of how we're defending ourselves and how we're assessing, you know, the threats in the system, if that influences, you know, should influence our behavior on, you know, assessments and, you know, deep analysis.
B
O
O
And, you know, so the consumer of this information are our security assessments. My use the assessment as an excuse analysis. So that's true. I think just putting a tag on it that says, hey, this is a shelf life. Life is, I'm not saying we have to use a definition, but just noting that when we publish this.
B
B
Bridge Foundry, of rails, foundry, and so many other, you know, foundries, communities of practice efforts, and, you know, through that experience, Sarah's had a lot of success in making sure that everyone has a good understanding of what are the various formal roles. You know, one of the roles that we are exploring as a formal role for this particular group, since we meet every week, is the role of a meeting facilitator.
B
So, you know, that's something that, you know, I've one of the major contributors to, and, you know, leading up those efforts, it's something that I enjoy a lot, but, you know, it is, you know, a solid hour and a half block that, you know, I have to make sure that I protect to make sure that we, you know, go through and, you know, run a good meeting, everyone is, you know, filtered, and, you know, we have a good use of time.
B
B
G
J
B
Or so, maybe a little bit longer, as a working group, and were ratified as a SIG earlier this year, and our size and responsibilities are continuing to grow, and, you know, our current co-chairs are definitely, you know, putting in a lot of work. We typically, you know, work on security anywhere between, you know, three to ten hours a week, and, you know, the meeting block at times, you know, becomes a bit of a challenge, so.
G
B
So if you haven't seen our, you know, our roles document and some of the interesting details in it, we're leveraging GitHub settings to, you know, to leverage a bit more deeply, you know, the assignment of capabilities, and, you know, have, you know, documented in the settings YAML file in the .github directory some of the capabilities, and we have details in the document as well.
B
This enables us to, you know, assign specific privileges to, you know, triage team, to our security assessment team and security reviewers, and, you know, right now we have Sarah, myself and JJ as our meeting facilitators, and, you know, we're defining, you know, the folks that, you know, have the context to, you know, run these meetings as, you know, someone who has, you know, one of the other roles. So, you know, if you are currently in an existing team, you know, that would be.
B
You know, kind of an easy on road to, you know, taking up this meeting facilitator role if you're interested, and it as well, you know, we define, you know, an opportunity, it's sort of opt-in, if an individual, you know, has, you know, made significant contributions, and that, you know, addresses individuals like Jerry Jennings, who, you know, done a lot of work with the working group, worked on landscape, landed, you know, that major effort around the landscape, but, you know, that work existed before the other definition of these current roles.
B
All right, facilitation role is meeting facilitators, and, you know, at a high level it's, you know, agenda and, you know, going through our weekly cadence, getting everybody introduced, getting check-ins from partner working groups and going through the agenda, and looking for folks that have regular attendance, and you participated as a scribe, yeah, but you're basically, you're familiar with our, you know, normal process, and we want to make sure that you're, you know, if you're stepping up to join and participate in this.
B
J
J
So the preparing meeting notes with template and agenda, the agenda preparation part is a little something that I think the chairs probably should be doing, except for in extreme circumstances. Yep, certainly adjusting the agenda on the fly as somebody discusses something makes sense, but in general the rest of it is just kind of run a meeting, and I think that, you know, I'd be happy to do, and I'm sure a lot of us could do that very well. This.
B
Is a great call out there, Justin. You know, we almost, you know, I was advocating for breaking out that particular capacity into a separate role, and, you know, in the end we opted in this initial proposal to keep it as simple as possible, and, you know, a singular role, but I agree that expectation, especially in the near term, you know, both Sarah and I have been, you know, working at techniques to make sure that the, you know, setup time in getting meetings.
B
You know, lined up, and the week over week, you know, running and planning of meetings is, you know, something we're planning out over a longer period of time and certain teeing up in this document. So I agree with that assessment. You know, we will need to continue to drive that, and, you know, there's.
B
There, you know, we're exploring some additional roles that could potentially take on some of the project management sort of capacities, but there aren't any real project managers, like there's no, you know, folks waiting roles, so, you know, defining those ahead of time before we have, you know, actual folks that are participating in this SIG, you know, looking for those sorts of responsibilities, you know, seems premature.
B
Great, so in September, you know, we're gonna explore piloting some of this meeting facilitation just to get a better sense of that, and then after September we're going to explore, you know, what, you know, a more formal schedule. So, you know, Justin, you know, if there's a week in September that you're particularly interested in, you're raising your hand for, that you don't have other responsibilities.
B
J
B
Great. I think as it stands, you know, the rules of engagement may not quite be met since you're brand new, so we're gonna have to, you know, test that water. But, you know, awesome, appreciate that, and I know you're very experienced and, you know, doing this sort of open source, so I will coordinate with you too and the chairs to make sure that we do the, you know, testing process the right way, and appreciate that. Yeah.
K
B
O
We could take it offline, but I think there was some discussion on the Slack channel about firming up, but the next assessment is, what the schedule looks like, who's involved. Happy to take that offline. I think folks want to participate, absolutely travel and speak for myself. So if there's any noted, that's.
J
J
J
Maybe my audio is bad here, because I'm all called in in this weird way. Do you want to just bless where we're at, like what we're planning on for the assessments, like where we're at and what would be next? Oh well.
O
O
H
You know, for security assessment, it's Chris. Chris isn't familiar with the assessment process, so would someone mind dropping a link into that so that we can, I'm guessing that we should be ready within a couple of weeks, but I want Chris to make the decision. So we need to know what all that entails.