From YouTube: CNCF SIG Security 2020-06-24

B
I'm actually able to connect this way. Amy, yeah, I had a meet all the settings, because she's like, no, there's... I'm not blocking anybody, but apparently that fixed it for some weird reason.

A
Okay, so we're gonna go ahead and get started. So as a reminder, please add yourself to the attendance list that is below on the meeting notes. If you have any updates or no updates, be sure to put that in parentheses after your name. If you have any special issues or tickets you'd like to address, also put them next to your name. We don't have a robust agenda for today's meeting, so it will likely go pretty quickly.

C
So this is the new kind of lightweight process that sandbox is, you know. Projects should be able to get in the sandbox if they're appropriate and fulfill the right requirements much more easily, so there could well be more coming up. I think caboose also applied, but had some minor Tony calluses, probably come up for a reapplication soon, but it's very good that we've got three. You know, three more security projects in the CNCF, which is very great news.

E
Alright, hello everybody, let's see here. Let me just share my screen, right. There is a flurry of some activity; I'm trying to, like, my computers, but having anyone near me. I was having major technical issues here. Let's see here, if I can go here, alright, alright. If everyone can hear me, I think we had some folks coming in here, and I think I just want to just, like, leave it open, as long as everybody is good with what it is here. I don't know what the right format is.

E
So I think we already reviewed some stuff that was put in there, and I'm just assuming that everyone was good with what he had suggested. I think it was the first six, and so then there's some... if everyone's good with that, we're just gonna say that's good. I don't know how to mark it here, just say it's...

E
So I think maybe let's do... the first thing is whoever added stuff from the last time, just walk it through, because I'm gonna assume everything was... everyone was good with what happened (laughs) last week, and they were just walk through what's here. And I think the question had been, well, you know, are there recommendations that can fit, that don't fit within this, and rather you just have the discussion out in the open. So maybe we just start with the items. Who added these items here? I think we did, so, Santiago.

B
What are you saying in... I wanted to make... I wanted to also ask about the categorization of recommended and mandatory, because when I went to look at this, I actually had an older version of this document somehow, and I was looking through some of the things before that were listed as mandatory or recommended, and I tried to use my intuition about what was meant by this in assigning those labels down below.

But my general intuition is that things that are important for security and not onerous would tend to receive the mandatory label, and things that were either onerous, or maybe, you know, like, one could see not using in certain circumstances, would receive the recommended label. Is that the right way of thinking about it?

E
You know, that's a good question. I think with all these things, it's not a clear state machine. That's... I don't really know. I think... what's your best, sorry, what's your best guess? I think everyone kind of has their own thing. I think unless there's a... the way, I trust your judgment on this one. I think there isn't one; there wasn't a hardened definition.

B
So these basic steps here, 151 and 152, basically deal with the process of getting information about what has actually happened when you make your software. So the first one, 151, basically says as you're going through the process of making your software, you should keep a cryptographically signed record of this. In other words, it shouldn't be like golden plates fall from the sky that contained my software.

B
So the idea here is that 151 kind of gives you the ability, when something goes wrong, to figure out what went wrong, and to know that in a state where an attacker may have had access to some of your signing keys. And 152 is a process where you actually verify this automatically before you release your software, which I kind of hesitated on. I don't know if others have thoughts on whether that should be a mandatory or recommended step. It's not a crazy hard step, but I also didn't want to kind of over...

E
Yeah, I would love some concurrence. I've been pushing, sort of on the side, with the folks, but with here and then the finance groups of a financial company that's doing this, that this is a mandatory thing, but I think everyone here has to agree to it. This is the reason why I was very much advocating Justin's and Santiago's involvement, that this is an area I feel we really should lean into, but I think the group needs to get concurrence.

F
Yeah, I'll say on my side, I was hesitant to put it as mandatory, mostly because I wanted to be unbiased, and somebody could work some days. So to me, it's easy to go and say, hey, you should really do this, everybody should do it, but I don't know if somebody who's an outsider, in a different niche of the security space, sees things differently. So I didn't feel that I was, like, right making that call. I would...

B
Referring to... actually, that's a great transition, hold on. So I'm gonna... so I have, because we seem to get consensus, at least loose consensus. We could always revisit this, but just for the moment, the votes are tilting towards mandatory, so I'm going to move it to mandatory for a moment, and we can come back and change that. That's actually 153, what I... or is it one... yeah, one fifty-three? Yes.

I
We've given a lot of latitude in this space over the past decade to, like, the general affordance for legacy IT systems and processes, and yeah, so pull a band-aid off. This document will exist, you know, 5, 10, about 20 years. So if we're going to set it in the right direction, we should probably, you know, go ahead and go all the way to mandatory. Could you touch... no, foundational to actually being able to say anything about the, you know, the quality of your stack?

J
I actually like the mandatory on this one as well, because the analogy is RPMs right now, or they'd be in packages, if you were... and, you know, we can download these from different repos, but then you have the option to omit the hash checks, if you will. But with containers, it becomes even more important, because arguably your developers could be pulling containers in so many different places, and there's absolutely no way to keep track of that. That's right, I agree as well, and so...

A
Somebody that's implemented STIGs in the past: when we're going through and reviewing a STIG to make a determination about what will or will not occur, obviously the mandatory items have to exist, but typically the recommendations never do, and even so, when we go through and have assessments, we have to provide reasonable justification for any mandatory items that cannot be configured due to a technical limitation of the environment or some other fancy reason, and recommendations.

B
That's good to know. So yeah, these I feel very, very, very comfortable with mandatory on all the things marked mandatory, and I'm kind of thinking these need to possibly change. But let me talk through these steps. So, alright, we already talked about signing the container registry, so 154 is provide replay protection. Basically, what you want to do is you want to make it so that a bad guy who breaks into your registry can't go and cause you to install valid but outdated images.

B
If a registry is broken into, you want it to have a mechanism for getting back to a secure state, so that, basically, you don't end up in the situation that... I'm not going to name individual Linux distributions or organizations, because there's a lot of them I can name, and I don't want to pick on anybody unfairly. But it's very common that, after a compromise, the people say, oh well, key... our key X got compromised, that you trusted, so we're gonna give you a new key to trust, and it's key Y, and the way you know key Y is good is because it's signed with key X, that was compromised. So the big problem there is obviously that the bad guys have key X as well, so they could sign and do whatever they wanted and give you any new key.

B
So you have to hope you happen to randomly get it from the right party, and so having a mechanism to actually go and securely recover from a compromise is really, really, really important as well. And then the final step, 156, is basically when a registry is broken into, the damage from such an attack should be limited. So even if I go and I break into a registry, I shouldn't be able to, like, produce arbitrary images that are trusted by people coming to that registry.

I shouldn't be able to just, like, cause people coming to me to just install anything I say, which I think is super self-explanatory as to why that's mandatory and why that's important, but it's something that, surprisingly, isn't always universal. So I would... does anybody have any questions about those before we talk about recommended, mandatory, anything like that?

E
I do... I don't know if this... I brought this up last time, and I don't know if it's getting too pedantic, but I am trying to structure it so that the language looks like it's testable and automatable. So the 155, I'm not really clear how someone, like, evaluates, yes, this passes, and then what's the remediation? Like, I see, this is mine.

K
These things don't all have to be supported out of the box by $distribution exactly to be able to deploy it. You know, if somebody wasn't running a distribution at all, but just downloading the binaries from upstream and building their own deployment tooling around it, for example, they would get nothing out of the box. They would have to build everything, but as long as they built it in line with all of the mandatory items on the STIG, then they would be in the clear. So that could be a differentiator for different distributions.

C
But I think, I mean, what's in the scope of a given distribution is very variable, and, like, both of these things are outside... I mean, Kubernetes per se doesn't have a registry, so I think a lot of these things, you're going to have to be... I mean, you're gonna have... the scope, however you define it, will be outside some people's products, right?

G
If you're going after, I'm gonna be STIG certified and I'm gonna be published on DISA, then yeah, those things have to be part of your product. Those have to be included in order to pass that STIG certification, all those requirements, so yeah. It's a very careful selection here of what needs to be, as far as mandatory, in that particular list, as far as STIG certifications go.

D
So, sorry, I hate him. This might be too early to ask a question as a new member, but I just wanted to check, from your perspective, is there any kind of priority list from DoD where they care about a specific category of threats more compared to others? Because that could allow us to decide better, from DoD's perspective, what would be mandatory for them versus recommended? No.

E
They actually did not, so they had a list I shared in kind of the Dex... I think there's links to those in the doc that you can find in the Slack channel, but they actually did not want to limit the scope of suggestions that were not... and a lot of those things are just sort of what you would expect to see. So I think their goal is not, because it becomes sort of a paradox if they say, well, these are things that we think are important, and they miss something. So that's sort of funny.

E
They end up hardening their own blind spots, versus they're saying we want the recommendation for a secure container, and then it's sort of DevOps to deploy that, the whole build, the whole thing, and what is the recommendation. And so I think that's the spirit in which to take it, is if they had to automate a checklist that's secure, and then the use cases... this thing is securing nuclear weapons. So if you guys have had your sort of disposal, you know that the recommendations here are things that people who are designing, deploying sort of software...

B
My proposed rating for these two... we can argue if that's the wrong direction to go, but I do think you really do care. You don't want somebody to make arbitrary... you know, you want to be able to recover, as if someone is able to get in, recover in a secure way, rather than just hope and rely they get the right key somehow. I think you don't want them to replay old, vulnerable versions of things. Both of those I think would be...

A
Perhaps this'll help. When we go through and we make a determination about whether or not we find a particular application, software, product, whatever it is, as acceptable for an operational deployment, the things that we look at are: we assign security controls to this thing because it needs to be secured, and then we make a determination about the security controls that were assigned: were they met? Are they operating as intended? And the ones that were not met...

...that we said were mandatory, is the fact that they're not met and the justification provided enough, like, compensated for in a manner that it buys down the risk of this particular threat, and this particular likelihood, from bringing down everything? So, like, in the context of some of these things that we're talking about being mandatory, if somebody had a very good reason that they couldn't implement it, does this threat, the likelihood of that threat being able to execute, the fact that this thing is not mandatory...

Is that considered acceptable to us? So the concept of threat and risk all happens after the security controls, and those mandatory or those recommended things, are applied to an information system. So what we're trying to do is we're trying to create a baseline for, like, this is what we want everyone to strive towards, and there are some things that realistically, they gotta happen...

...no matter what, unless, like, you have this really crazy edge case where performance is a huge deal and you've got nanoseconds of response, and implementing this mandatory thing means that we lose that time, and that's really where the difference is. We want stuff that's mandatory because we want that 80 to 90 percent of folks that aren't those edge cases, no kidding, to actually do it, and the ones where we really need to have that consideration about threat and risk.

E
Yeah, yeah, I agree. I think the other thing also is, you know, we remove, or we envision that it's not... even though we're not recommending a specific implementation, the spirit of this is much, if not all, of this is an automated check. That's why I keep kind of pushing back, like, if it's automating, they said this is a way to do it.

This is how you attest, but then you kind of take that, oh well, this is, you know, it's fuzzy, or it's gonna take a long time to implement, and then we compromise, like, like Emily said, you know, speed for security. But the closer it looks like, well, I can just check for this, and if it fails, here's the remediation, I think that helps in relation to that.

That's so, for example, again, not sure if it's nitpicking, but, you know, if it's just because the metadata is signed, that, you know, alone doesn't check for replay. So it could be mandatory is "signed", and then recommended is it's checking against a manifest of the latest date, or something like that. That's kind of where I see an example like that alone doesn't really technically stop or even check for a replay; it's just, like you said, you could have a signed, outdated image and you're not checking for it.

B
Any feedback like that, or things like that, I'm really happy to go and work with you to tweak this. I feel like we may or may not need to wordsmith it in this meeting. I want to make sure we're not just kind of monopolizing.

E
And then, if things that don't fit... even though we had this, this was just a way to get us going, 'cause I knew it was kind of hard when it was vague. You know, when I mentioned this last time, and then Nicolas, he just said, you know what, while the recommendation is just as they can't, nothing can be mandated, they're open, have language and sure people understand it, pull, and then this also extended later in the dialogue, run, hey, if somebody has a reference design architecture, and I know I...

I think last... I think Emily says she's working on an effort to do that. I think we should just include it. Like, the worst they can do is say they don't pull it into their final STIG at this point, but at least it's in the repo, and they know this is a point of view of the CNCF SIG, and whether to take it or not, they don't. But I don't know if that's... if there's an existing artifact already around reference design, I don't see a downside of including it outside of this spreadsheet.

So as an example, even though we want to be vendor agnostic, they're open to open source products, so if, for the items over here, we had a reference document, again, it doesn't have to, you know, boil the ocean, it could just talk a little bit about how in-toto does that, and same with any other thing, like...

I don't want us to be limited... this, I limited scope because it would have helped us move faster, but if you're hitting up against the form factor that isn't allowing you to communicate, we can certainly have a .md file that we push into our thing and let them hash out whether they include it or not. I don't want us to limit ourselves on this form factor. It's one kind of gather, there's a best practice you feel we should include, it gets pushed in, and then let them sort it out.

I
Tim, I have one last level sort of request for you. You know, as you land the plane with this, you know, one of the things that I'd like to see, TV here D, you know, serving in the capacity with the CNCF, is, you know, how we participate in sustaining these relationships. We have a number of working groups and seek representation from folks like misc, and, you know, I've tried to, you know, maintain those relationships over time.

So, you know, I'd love to, you know, I don't know if we sync up offline and, you know, you discuss the final artifacts, or if in this sort of markdown you just, you know, point, here's, you know, here are the relevant working groups, you know, and, you know, what we're working on, please come and, you know, both share and request feedback. Yeah.

E
No, I'm glad to do that. I think we should have a README about the org, reference implementation, or any other things, because, you know, this is their form factors, so the more that we define it... and I'd have said, and they are open to it, just haven't had time to get organized around it to start doing briefings. So they have briefings with them, and they said that he invited me to present in the business.

What I would like to do is find a couple of projects. The only one that I'm not familiar with, that he's 44 minute, that he said that's a good candidate, for example, is the in-toto, TUF, and then just bring the team on and then in a brief, and that's to, you know, 100 or so folks within the DoD, and anybody else has an open source project. I think that's a good way to do that.

So, how about you and I sync offline about those? But as I said, that's kind of the spirit that we wanted to do it. Here's this thing, let's expand the scope by briefing them so they're aware of what it is, and then that way they know about the project, and then the working groups. And it's just a beast, as you probably know, the number of people who are involved on their side, and I think the more surface area we can present for them to grab...

I
I'm confident that an in-toto, TUF, you know, kind of overview is something that we could, you know, pretend to the land, you know, early, and then, you know, that would be a builder into, you know, probably the subsequent touch point would be, you know, when we feel comfortable just to begin sharing the landscape work that Justin and Brandon are working on. You know, and bringing it all and actually going, doing some foot work, and sharing that out. Yeah.

B
Just want to say one quick thing. So I had been thinking about going and trying to see, like, what we could do off the shelf to actually put together something that had all the record... all the mandatory requirements here. I'm also very likely to be teaching a class in the fall where I can potentially get a bunch of students to do that, so we can get, for people that don't have this, to understand what the usability or other problems might be.

D
And then, just also, it's seven in here, yeah, great idea. I was planning to, but as part of your curriculum, I believe you will have some kind of blueprint or reference architecture, or some kind of references for the developers or people or organizations who are trying to build something in Kubernetes as well. Maybe they can use, you know, other guides as reference when it comes to security, with controls and stuff, yeah.

B
Okay, and I just want to say that, when looking at this from this context, there's some items here that I also will have to discuss, like, just sort of like, for instance, just wrote, 35 says log everything, log everything is stored outside of the cluster, including Kubernetes events. Like, I don't know how to test something like that. You know what I mean? Oh, like, how do you...

E
So here was my thought, which I think came from last week: I think we do our thing to set the example, as already seeded with Nikolas and company, hey, some of these things up at the top don't seem like they fit, and the suggestion was, okay, let's not bog down the suggestions, and maybe it's another pass within, you know, the DoD, to, like, make this truly... like, this came back from some news, Nicholas sort of saying we really need to make this look more automated, to test for its success and whether it's remediated. So I think we just focus on our stuff, like the CNCF stuff, and say this is what we've come up with, and then use that to guide, and then get done.

E
So the last thing is, you know, Friday it's gonna be locked and I'm gonna push it. What's the approval process, so I can say this that I'm submitting has the blessing of the SIG? Like, at this point, if there are just changes that Justin makes, or anybody else kind of does, can we re-assume, you know, that's fine by whatever? Is there, as Friday's approved, or, like, what's the thing? Like, everyone's kind of looked at it in its current state, and I'm assuming everyone, the consensus, no one's raising anything.

A
Right, so quick reminder: if you have comments on any part of the document, please comment on the ticket, on the document, or in the DoD deck channel. Make sure you call attention to Tim so he can see it. Alright. Next, I got Mark Underwood added something last minute, Metron, Mark. Are you ready to talk about this? Yeah.

E
Sure, absolutely. So we are beginning to allow time from the Linux Foundation side a way to make the recurring meetings, the committees', the Zooms, use a single sign-on for security, and I wanted to kind of raise this if there are any objections. The date hasn't been set, but we are gonna send out a notification next week, mid next week, that these are gonna start being rolled out for certain types of access. So I guess this team doesn't use, for example, the mailing list, but a lot of other programs... that's the one.

N
One note, Tim: we've actually turned the authentication off on this particular meeting just for Justin Kappos this time, and it seems to be working. So, Justin, this is probably something you want to be interested in, yeah.

A
We need to ensure that all of the products that we're looking at using, whatever they are, are fully accessible to a diverse community, so provided that it works for Justin. We need to make sure that we're meeting the accessibility requirements, as well as making it very easy for anybody that goes to a conference or has a colleague that mentioned us to them; they can very easily get in and have conversations without jumping through a whole bunch of hoops, creating a bunch of different accounts. So that is my primary concern. How...

A
I'd recommend reaching out to a couple of other SIGs and letting them know that you're looking for individuals that have potential accessibility problems, or think about it from the perspective of somebody that is brand-new to open source software, has a security background, and has never done development in their life. How would they participate or observe these kinds of activities? Yeah.

E
The only thing I can, you know, is we looked at what happens to have China access, but we are using standard SSO design patterns, so I think the only thing that I could think of is, if there's something particular about the browser, something's happening on the DOM, something's in the meeting, perhaps even at the network level, that happened with Justin, and those are the things that we're just... I think we're gonna... we can't a priori figure out all the unknown edge cases.

A
So that's everything we have on the agenda this week right now. We do not have a facilitator for next week, so if you are interested in facilitating, go ahead and drop it in the channel, and one of the technical leads or chairs will reach out to you. And if you have any proposed agenda topics, you can still comment on them in the meeting notes for the next meetings. So thank you, everybody, for participating. We look forward to seeing you next time. Thank...