From YouTube: CNCF SIG-Security Meeting - 2019-05-29
B
C
A
F
G
G
A
Thanks Karthik, so, so yeah, we'll start with, I think that we don't have any big agenda items and we have a bunch of new people. So let's do our attendance stand-up, and that is where we each say our name and a little bit of who we are and kind of what we've done on security stuff or what might be relevant to the group, share something about the last week.
A
So I'll dig up a link and put it in the notes, but I'll just call on people, because I think the order is sometimes a little non-deterministic. So, and Justin, why don't I leave you for last, so you can close with the OPA stuff, and I'm going to pick Mark Underwood, 'cause you've been here before, and you can kind of, people can kind of hear how this attendance stand-up thing goes.
H
Hi. Oh, how are things, hello? As you said, my name is Zack. I work for a money company by Green, Energy, Fund and I've actually been sort of like, but they're, mostly assisting out in SIGs in Kubernetes, playing around Docs, and we have kind of a special interest in security in our company and working with Justin Cappos, and he suggested that I join, and here I am, so hello.
I
I
F
F
We had a lot of people coming up to us, talking to us about it, offered to contribute to the project and other things like that. So we really like to see that, we're, really feels like we're building a project that people are interested in and can contribute really greatly to the security community. Also really excited that SIG Security is finally becoming a real thing within the CNCF. I feel like it's something that we've needed for a long time. So that's also great to see, and I'll have my comments to that. Coc threat awesome.
A
F
Yeah, we're, we've already kind of agreed to with Cure53 around picking off the audit, the last two weeks, the security on it. That's a CNC I was funding the last two weeks of June, so whatever we need to do with the SIG Security group, I know Lorenzo and Leonardo, or are trying to put those things in place to do the assessment and other things like that as well. So let us know how we can be a bum or what we need to do. Brother, great.
A
J
This is my judge, my second color, so for the assessment, me, and there are two here, have been working on identifying the personas that needs to be in the assessment first before finding she really didn't want to open empty yes in the one that just in calcified would rather prefer oppa and we're trying to do the same thing. Then, when the says the word, the template, but what so we are just like putting all of that together and you know pernicious when we have like people that are really committing to be like that.
J
K
Time here and I'm glad to see a lot of places, we are deal together in Barcelona and as learning to was saying, we are working towards that security assessment. Falco one of the first week I was trying to get the place, is to obtain a channel box a challenge, since he has lack for skilled assessment. Since it's one of the bullet finds and then we Florence or already seen. We are working together to identify the person food that we need to involve on our side elements and outside for the assessment it speed. It's great.
L
G
Thank you very well, yeah. You bet, my name is Karthik. I work at Oracle. I have done a bunch of like random stuff around auth and different things, and did them up space. I've been talking about humanity, security, it's like different conferences, and kind of wanted to, you know, join this thing to actually help would like some of the core stuff in there. So, yes, just looking forward to interacting with everyone and taking this to cool new places. Great.
N
Gosh, yeah, Joshua. I awoke at VMware and the episode Technology Center, was AQ Khan last week and met some of the folks on the call, and just looking for ways that my team and I can contribute. So, and yeah, got a lot of experience in the episodes destroy space but not like in the open source cloud space. So looking forward.
N
M
P
P
A
B
Hot spot decided to drop me right when I started talking. Yeah, yes, so I'm the co-chair of the NIST Big Data Working Group, Security and Privacy subgroup. Interesting thing from last week I want to share with the group is we're going to be collaborating with the HL7, a security and privacy group, to produce a working document to crosswalk between these two standards bodies. So I don't have a suspect yet who's going to collaborate with me, but we're putting out a call to the big HL7 security subgroup.
B
Those of you not familiar with HL7, it's by, it's a kind of the electronic health record standard. In specifically, this is the FHIR interface, was their newest, newest technology. They have a premature methodology for things ranging from provenance to authentication to governance around data sharing that's highly granular, so looking forward to that, and I'll, and I'll share back to this group as we move along with that. We're going to see the new faces by the way hit the Betty.
A
Great, and we've got drop a link to that. If it hasn't already gotten into the notes, is there.
A
D
Hi, I'm Emily Fox. I work for the National Security Agency. I head up, Justin Cormack on Twitter after his presentation at KubeCon, because a lot of the stuff that you guys are currently working on are figuring out, except that I'm already doing, so I thought I would chime in and it's this where I can, along with your processes. So that's about it. Fabulous.
A
E
Sure, I can do that. Okay, so I'm Justin Cappos. I'm a professor at NYU. I'm also like the creator and maintainer of TUF and one of the co-creators of in-toto and a bunch of other stuff like this, and I think the assessment process that we have largely came out of an assessment that I did for SPIFFE and SPIRE, so I've been doing these kinds of assessments in part.
E
In my role at the university, working with a lot of startups and groups like this over the last, I don't know, like probably six, seven years, and taking ideas from that and experience from other people in the group, we wanted to have a more standardized method for doing this as part of the CAF process. So I will post a couple of documents here into the, into the chat part of this. So Emily, apologies for this, I'll send them to you in a moment as well, but the documents I'm posting here are two example.
E
Now you see my inability to multitask effectively, this, okay, so effectively. The process itself that we go through is that the, the project comes to us almost to have, sorry, so the goal of what we're trying to do is we want there to be an assessment, and the assessment is not meant to be the same as like a code audit. The assessment is meant to be an examination to understand things like: are they solving a problem in a meaningful way?
E
Are they likely to have major security holes in the way that they're solving things, is there, you know, in you risk the project's take on by using the software, and, and so on. So it's meant to be not, not like a code audit, but it probably can find problems. It's sort of the high level, design level, and can be used later on, so we can point out to auditors or others.
E
These are areas we think are especially important to focus on, and also gives a little bit of high-level context to someone who wants to protect, perhaps use the project, so that they have some understanding of the potential risks or other security mechanisms that are needed, or, you know, more than just you would get from a marketing blurb from projects like, hey, we secure X. Well, what, what do you mean by secure? You know, that's a very loaded word. So, as part of this process, we've gone through and done a few different assessments.
E
E
This is a document that's written by the project themselves, that is sort of their initial gathering of information that we need in order to do a meaningful assessment, and this gathering of information explains all the types of high-level things I mentioned before, and it also describes just sort of the project's view of itself, its practices, how people are supposed to operate the project and use it in native context, and, and also things around, you know, for instance, the development and security issue reporting mechanisms and stuff like that for the project.
E
So as a result of doing this assessment, they go, they provide that, they provided to whoever's leading the security assessment. In this case it was, it was me, and then I respond with what we call the dumb question phase, and the dumb question phase is really just trying to get clarifications in the document.
E
So that a reader that isn't as up to speed on the project, or maybe is up to speed in every case with security, has an actual understanding about what the project's trying to say and what the project is and, and, you know, what the document means. So it's in part, it's, you know, it's some low level stuff like getting people to define terms, but it's also getting them to be just a lot clearer about what they mean as they talk through different aspects of what their project does.
E
Following this, the group of security assessors, which we had, I think, four participate in this one, we went through and we did a pretty deep dive into the document. I think we say it takes about ten hours to do for an assessor. In my experience, it was very slightly more than that, but not substantially more. I'd actually expected, leading it,
E
it would take me a lot more, but it maybe was fifteen hours or something like that, and based on that, we try to get that document to be clarified in all the potential security issues and things like that, for them to revise the document in a, in a meaningful way that explains their view on what the project security is. Following that process, we also, as the SIG Security like sub team that's doing the assessment, write up a document that's about a page.
E
You see, there's a document that's a little more than a page I also sent that goes through and basically describes what we believe the project security sure is, and, you know, like sort of what are the benefits, what are the things to look at, and if someone like the TOC were going to go and do an assessment, what would the TOC perhaps want to, or start an audit, well, what would the TOC want the auditors to explore and what priority would they have for them, and so on?
E
And as these, this one and the in-toto assessment, I think the in-toto assessment's in a very similar state where we're just waiting right now for, I don't know what, but the OPA assessment has been passed back to the OPA team. They're going to look over our assessment, maybe have some comments or questions or things that they'd like us to, to talk about here. There are a few, I see there are a few comments and things in here as well for areas that we need to address.
Q
Q
C
Q
Q
E
Them as well, but there are a pool of assessors. There is another team, that's Trail of Bits and another security consultancy that I don't recall the name of, but it starts with an A, and so they're colloquially, their assessments are colloquially being called Trail of whatever the A name is. So there are two assessor groups now: Cure53 as a single entity, and the Trail of Bits plus the other group, and you.
A
E
You know, there's some value in, in having that context, especially for projects that aren't, or for people that are trying to decide what projects they might want to adopt and don't want to read through a bunch of like, oh, we found a buffer overflow here and we found this issue there, many of which have already been fixed.
E
D
Different question, and it might not have been clear to me on this site and going through some of the docs. The security assessment is more of the review of the proposal template that they're filling out, submitting an issue to get for, and that's intended to be prior to incubation, prior to entrance into the incubation phase. Those hands, yeah. Is that correct?
A
Is that the TOC will ask us to assess some projects that have, that they are, that have been proposed to the CNCF, say it's the NCA, whatever level, and then once we've done an assessment, we would, we do it annually. We would only use the like sort of sandbox to incubation or incubation to graduation if, if there were some things flagged that we said, well, we'd expect this to be fixed in certain amount of time or something. Then the TOC might ask us to take another look at it, regardless of the annual review cycle.
D
A
D
J
E
A
D
That's more what I was asking. It's like: how young is this process? Where does it need to go? Do you have stuff already written down and documented? A lot of what you guys are saying are things like, it kind of gets that, but I wasn't sure it's written down and being addressed and being adhered to in any of the doc, so.
A
So yeah, so just as CSIS in history, we have, we have formalized the process as a SIG that was gone through by individuals at request of the TOC last year. So like, so basically the TOC tapped, you know, like Justin Cappos and Justin Cormack, said, hey, can you take a look at these project, the security profile of these projects for us, right, and then, and then we at, we thought, well, we wanted to do that.
A
And then the idea is that we will add new people into the group and we will have a different group of three or four do the assets'. So we don't wear out our first four people, all right, the next few, so that we end up cycling in and expanding to a team of ten to, so that we have bandwidth to do these different assessments without bringing people out all.
A
And thanks for asking, kind of forgot some of the new people might not realize. Yes, we just started this, and but it's a, yeah, and I think that the key thing is to kind of attempt to reiterate the point of this, is that the, it's really so that people consuming these projects might like even know: do I want to read the audit of this?
A
What, what things would I look at, like first I can figure out whether this project is at a stage and this product does what I think it does or might hope it does, or maybe it doesn't, before I would dive deeper into it. So the assumption isn't that somebody looks at our assessment and says: oh, now I know enough to use this project and integrate it and deploy to production.
M
I don't know if you, it was mentioned, but is there a plan to include like security best practices in the industry? So, for example, how developers are developing particular application and their assessment, meaning scanning for code vulnerabilities in CI/CD process, or if it has like a user facing interface, going through OS checklist, for example like Application Security Verification Standard, or something like that. So.
A
We have, we have sort of, we asked people right now to kind of report on their, where they are on the CII best practices list, and then we're really looking to the, right now it's this self-assessment, because we are not, we don't have, believed that we have enough context to put forth all of the best practices. We have a new group with a lot of different opinions and we don't want to sort of set the bar for documentation weirdly high, so that it's too hard to get through.
E
I think a way to say it is, is that, like, what Sarah said is basically right. We want it to be something like a week or two of effort for the projects, like all told, like and one engine, one to two engineer weeks of effort to get them through this, through our assessment, and so we do recommend exactly the types of things that you say here, but there's not in this assessment process, there's not like a real forcing function other than tell us where you're at with CII best practices.
E
We are also, as a group, there's substantial interests for creating a bunch of tooling and other things that makes it easier for us to have sort of best practices for projects overall and, and, you know, perhaps do scanning and other things of, of cloud native software, but that's something that is, is not something that has any flesh to it right now. It's just to think an idea that several new group had that I imagine, though, will pursue and flesh out over the next few months also.
A
A couple of other people have volunteered to help triage these things so that, but it really helps to have other people chime in in terms of, you know, kind of putting flesh on the bones of the future stuff, and so we kind of queue up things that people are interested in working on on the future through GitHub issues. So definitely welcome, and if you see, if you've read through the issues and you don't, and you see, and you have a question or concern or something you think we should explore that's not an issue, just write.
A
A
We are, it's the sort of leading vetting of the format that we're still going through, and so we've gotten to it. So basically, to answer Justin's question of where we are, is the process was a little interrupted by travel, but basically we want to, the, the summary to include links to the issues rather than actually having any issues in the summary, because there's a bunch of things that we've gone back and forth and we're like, they're not things that would, they're just FYI, these are things that need to be done.
A
A
A
We have a yellow assessment tag, and you'll see that we have two in process, in-toto and Open Policy Agent, and then this shows that in-toto is, you know, like it's actually, they're both nine out of twelve check boxes through the process, so this provides it visibility. So if you're, you know, you're the project or you're interested in where we are in the process, you can be like, oh look, they're kind of here in the process, and then they're, the Slack channel is listed in here.
A
You know, this is our assessment of the project right now, it's, this is what we think it is and there's some open questions and we're editing it. So, you know, there's already people who've, you know, jumped in in our various Slack channels, and, and so it's a, the kind of thing where, if you're very interested, you are welcome. But if you just want the results, wait a week or so and it'll be easier to consume. Does that make sense?
A
What we've come up with as a way, like this, the TOC request is like a one slide summary, and then we've come to the, this is kind of a short form of the one-page, one to two-page document that Justin went through, and so we checked in with everybody that like, and it's just on me, I was gonna run this by Liz and Joe Beda, who are TOC liaisons, to ask them like,
A
is this the format that you want, so that, while we're going through, and you know, you notice, there's like in X companies and N issues, and there are links here that don't go anywhere. So those are the last things that we're doing, because we kind of made up part of this questions after the initial write-up from in-toto. So, so that's why that the data is a little like backfilling, based on what we question as we came up late in the game.
A
So, so yeah, so I don't know if anybody has questions or comments on, or a wrap with this.
A
And so the idea is that, typically, the assessment will happen before the project gives a presentation to the CNCF, and then the, ideally the project would be giving a presentation and include this slide that the project would communicate. I think in a rare instance, we would, well, we hope, I don't know, we have different thoughts on whether it's rare, but in some instances we may have a disagreement with the project, in which case the project, you know, like, then there would be a different kind of discussion.
M
A
So, but basically the idea that this is something that ideally we would, and the project would come to an agreement that, like, this is kind of what we all think that the project security profile is, and then, then it's something that is at the TOC's option presented live, or it could be, certainly if it's part of an annual review or something that is kind of not queued up for a presentation, or the scene, the TOC is pretty busy, then be an async review, so that Joe and, and this will kind of coordinate.
A
Exactly, so basically we're like, oh, there's this thing that we haven't done yet that we're expecting to, we're expecting that in-toto will do. But we don't really know whether it's going to be, make sense for projects that have already, that are already like deep in the CNCF, and it may be more like real, providing information that hasn't particularly been requested. And then, you know, like it's sort of like.
A
A
E
I don't have anything really pressing. I guess there been, I guess, I think Emily just posted a question, if we want to discuss that. So: do we have a maturity measurement indicator for consistency, or is this gut? Wide range of adopters to me seems it could be Kubernetes size of adoptions or Telepresence size. What is a wide range? I think.
E
So this is, I think, in area that we had discussed and debated a lot. I was actually pretty opposed to having anything related to adoption in here, because I think it is hard to quantify it and it's hard in some cases to get really meaningful, accurate numbers about this. So I don't really know what to do in this case.
E
I would be very happy for one of the other assessors to propose text for this part of the assessment document, and we could discuss this, but I wrote draft text as I was just trying to capture everyone's thoughts, and that was the closest I could get to being specific, which you'll notice is exceedingly bei. Yeah.
D
D
If you look at the three ways of DevOps, are they stuck in the first way, trying to figure out what their product or services are they all the way in the experimentation, rapid deployment, automation, fail fast and all that stuff, not maybe a better thing if we're trying to provide maturity of a particular product, because I as a customer trying to research and do all these things may have higher confidence in an application that has a higher maturity in their development cycle and not necessarily care so much about user adoption. I.
A
Guess I'd be interested in you talking a little bit more about this development cycle maturity, the three stages that I may not be familiar, the specific three stages, but when I'm evaluating adopting a prod, whether it's used indicates a certain kind of maturity. You could have something that has very mature software development practices, where it too presents itself as having good documents, and, you know, like all sorts of things that make it seem really polished, but it's never actually been used in production, and that doesn't.
A
D
And, and that's part of the struggle is, when you start talking about maturity, either development or end user adoption, it's always like a snapshot in time from when the record is being written, so I think if you were to include it, no matter what, definitely publish the scale at which you're providing that ranking value, if you're going to do one, the other, or both of them. It just depends, because anybody can go to GitHub, see how many stars and sorts and like active YouTube community there is, but that's not hard.
D
A
A
A
For me, a big differentiator, whereas, like, OPA is used by, you know, you know, like X, would be, I'm guessing, right, dozens or maybe hundreds, I don't know, but it's at least dozens, which is very different from three, and but you might look at it and say, well, those three that, you know, that are being, you, you know, you have to dive in there, right. Like dozens doesn't, it doesn't, it just means like, do I look at this more? It's not supposed to be a yes, no, but anyhow. This is.
D
A
I think, yeah, actually the point about having a date on the something, it's really important. So thank you, and that's actually in my doc, so I won't fix that. So Justin, a, we only have a few more minutes and I wanted to check in with Dan to see if he has anything, or JJ, in terms of forward-looking stuff before next meeting. Excellent. Dan or JJ, do you want to chime in a little, anything on anything we need to cover in terms of plans for the future?
R
Yeah, I'd love to see us get back on track with the, the white paper. You know, that, that's the biggest sort of tracking now that were landed. We have the opportunity to request those resources, and we were, you know, blocked by formal ratification to line that up, so.
A
Yeah, I'm gonna, I'm gonna follow on that with Chris, and actually maybe we could, let's, let's talk a little bit, I think we need to like it. We should queue up a meeting in the upcoming weeks to go over the roadmap. So we've had, we've had a bunch of sort of small group conversations about the roadmap and in corralling that GitHub issues, and so maybe that might be a great thing to queue up for a future meeting. JJ, is there anything you want to touch on? Nice.
F
A
JJ, so let's, I mean, so let's not dive into the white paper. Let's queue up the roadmap discussion and as part of that figure out how we're going to corral the white paper project, but like take it offline because you've just got a few minutes, but thanks for mentioning those, that stuff. I should have, I didn't think to talk about the future. And is there any other last announcements? I think there, some people came in late, so I want to give a minute, if anybody has anything urgent or interesting.