From YouTube: CNCF SIG Security 2021-04-21

A: Hi everyone. For those that just joined, I'm putting in the Google doc. Please feel free to go in and put your name down. If you have any updates or you want to share with the group, just write something in parentheses beside your name.

A: If there is anyone that can help us scribe, it doesn't have to be too detailed, kind of just take notes on what sounds like action items, that would be appreciated. Thank you again, Alex.

A: I pasted in the notes again. Please put your name in the attendance and, if you have any updates, put a reference beside it. Today we have a pretty packed agenda. We have several discussion topics and several new issues and updates on certain projects.

A: So let's get started. We're going to do a round of check-in. So let's see, no updates. Oh, before we get started, this meeting is recorded and it follows the CNCF code of conduct guidelines, so standard rules apply. Going through, I see people filling in the list, so I will make sure I swing back to do another check. Diego, you have an update on the Cloud Native Security Map.

A: I didn't really have an agenda item on this, right, so we can talk about it then, or do you have something else that's not on the agenda? No! No, but I can talk about it.

A: I mean, I think we're already on the agenda, right, so we'll look at that later. Okay, yeah! Okay! Don't worry about that! Now, then, all right, next up: PCI Council update.

B: Hey guys, this will be really fast. I just missed a few meetings back. The PCI Council is writing a container security best practices document. For payment, PCI is the Payment Card Industry, so finance-centric, but this is really just best practices for containers, so I'm going to steal stuff from our own white papers and so on. So if people want to be party to that and help me write paragraphs for that, I'm mainly looking at the CI/CD aspects of this.

A: Awesome, and if you have any links, please add them to the document and chat.

E: The stuff in, I actually had two of them. So Lexicon is going forward, doing it. The team is doing a great job of providing some of those definitions for terms. Not quite ready for everyone to start reviewing it yet, but they're getting closer. The other one was a quick update on Security Pals. They've reached out to Crossplane and Artifact Hub at a minimum, those two, but I believe there's a third one that I'm probably forgetting about, starting conversations.

A: Awesome. Is there any ask for any volunteers or any ways to contribute there?

E: So the Security Pals is just limited to the three projects currently and the few individuals that we have working on it. This is to test our engagement early with sandbox projects to determine their appetite for completing a self-assessment.

A: Cool, all right. Tim, do you want to talk a little bit about the automatic scribe?

G: Okay, cool, so I just put the link in there and I'd love for people to just see how it works. I think we're getting pretty close and you can do it asynchronously.

G: You have to do it now. Pretty close to, like, starting to implement this so that you'd be able to access this, the scribe, the search. I think one of the cool features people are playing around with: if you add "+1" it automatically captures that snippet and puts it in the side, but we don't need to spend time on it right now.

A: Awesome, thanks Tim. Yeah, it's a really cool thing. I think one of the nice features, if you go to the site, is that if someone in the chat said, like, "+1 something" or like this, it will kind of try and detect what's important and action items.

A: Yeah, cool, thanks Tim. Going through the updates here, Roberts is going to be joining late; we can put him on the agenda later. Ruggery, okay, so your update was covered by Emily. That's all good! We had the TOC meeting on Tuesday; Andres and I kind of represent the SIG, and they were talking about incubation processes, and the main part of it is, yeah, they're making the TOC sponsor own the entire incubation process.

C: Yeah, sorry, I was just typing, pasting the PR in chat for those interested in the details, but the gist of it is the TOC is trying to streamline the incubation process by appointing a designated TOC sponsor upfront. So rather than a project going over the due diligence requirements and chasing different SIGs and filling out the doc ahead of time, they would first find someone in the TOC to sponsor the project and hand-hold them and direct them throughout the process.

C: So from a security perspective, we would typically either hear from, well, from this point on we would be hearing from the TOC liaison or from the TOC sponsor for the project, if we have a project in the pipeline, we need a security review or we need a recommendation, rather than some project we might have not heard of coming to present to us first to try to get buy-in for us to try to go sell it to the TOC. So that's the summary of it.

A: Awesome, yeah, and I think, like, we were having some conversations on the call about what is really requested of the SIG, and I think this acknowledges that SIG Security is kind of a special case, in which our recommendation is kind of a little bit different from the other SIGs. It's not just whether it's within the ecosystem and it's good technology, but even for the non-security projects we do also need to provide higher federation of that.

E: And to quickly add on to that, that was a topic of conversation today with the TOC liaisons, Liz and Justin: that they're looking at ways in which we can highlight the security of projects regardless of the stage that they're at, and what mechanisms we can engage with them, either asynchronously or synchronously, to improve their overall security posture.

C: Yeah, and well, the other thing is, it was typically very consuming for the TOC to have the entire TOC on the call listening to a proposal to hear out things that they could have read through the README file of the project. So also moving away from presentation proposals and more like fleshed-out written proposals, but from a security standpoint.

C: We would still want to hear presentations throughout assessment processes, because it helps us inform the assessment and a lot of the scenarios in which a project might be the point. So, yeah. Well, this has yet to be merged. We'll learn more as this gets implemented and we go through it. Awesome, see how much changes.

A: Cool, all right, let's get to the agenda. So, quick announcement before we get to Tim, just since he has to leave a little early. So quick reminder: Cloud Native Security Day is May 4th.

A: There are discount coupons that have been sent out in the SIG mailing list. So if you are not yet subscribed to the SIG mailing list, please do so, yeah. So there's, I think, a 20% discount or something. Any additional notes of interest on that, Emily? Oh, that's pretty much it.

A: Awesome, all right, let's hit the Tim, then. So Tim presented a couple weeks back and this is a follow-up. I'm gonna pass it to you, Tim, to kind of do the introduction.

G: Okay, super, yeah, thanks. So it seemed like a good time. We were working on the white paper. I only read it like three weeks ago, so maybe some of the observations are not germane at this point, but I'm also coming up with the roadmap, and the way I kind of think about roadmaps...

G: ...is I like to write out, like, a blog that tells the overarching story, and then I figure out kind of what fits into it, and I figured this is a really good group for us to figure it out.

G: It just makes sense, and the difference at the time when I read it, but it's how I was starting up my blog and how I think through the roadmap, was getting a handle on the problem space and seeing, well, what seems to be the issues, what are our priorities, and then for this group, what should we try to solve for, or even can we solve for them? So that's what I wanted to get some feedback on really quickly.

G: So here's how I started. I was thinking, you know, at the time when I read it I was like, well, it would help to understand, when we talk about supply chain, where are the problems? Could we visualize it? I'm not saying this is the right way. I liked it because it was a good starting point. There's lots of different ways you could do it, but it does start to put into context, okay...

G: There are lots of pieces in a supply chain, and then what tend to be the attack vectors based on that, and then from there iterate, because I think last time we started to go down into the tooling, toolchain discussion. I thought, oh, it might be better to start, hey, let's frame it as what the problems are, and then we can iterate on tools or a list of tools, and that would be helpful for me too.

G: In my own mind, what is the range of the attack vectors? And so this is a bunch of different sources and just stuff that I threw in there, and this is where I could use some guidance, but you can kind of see just one bucket around code signing; that seems to be a bucket that stands alone. But there's a couple of different ways people access it, something that we would call, I think the term is pretty good, distribution vectors, which is how do they get the malware to be distributed?

G: This is the one which I was sort of pinging on a little bit, because it wasn't really covered in really great detail in many of the sources I've read, but what I've been thinking about a lot was, you know, the identity problem, which is, you know, a bad actor, unknown actor or, you know, a fraudulent actor, and kind of, like, how do they?

A: ...is kind of like the end goal.

G: Yeah, so the end goal was, I wanted to figure out what do we want to do in terms of approaches. Like, we already are planning on rolling out some kind of basic vulnerability detection that has dependency mapping. That seems to be kind of well defined, and I wanted to see what else is next, like the next thing that we know is going to be key: scanning for keys, and that sort of fits somewhere in CI, I suppose, kind of a sub-bullet.

G: But some of the things I was getting stuck on was, well, are people interested in, you know, DAST? There's a lot of complexity, because I started to go down the path of evaluating a DAST solution, but I was like, oh, but, you know, everybody's runtime is sort of different. Do people want to bother with instrumenting that, blah blah blah, SAST, fuzzing, and then I started exploring a solution around code search, which was more initially around improving productivity for developers.

G: So it's like, you know, imagine it's like Splunk or Google, but for your code, but I started to ask the creators of this tool, you know, is there a security application? Because I feel sometimes there's issues when you have sort of these vulnerability databases, whereas people who are close to the code may start to think through what the vulnerability patterns are. They may just want to do a fast search in real time or build out their own libraries on their own. So I want my end state...

G: ...is this, like: what do you guys think we should try to consider making a standard offering that's enabled through a security portal, for projects to ease the instrumentation and reporting? But before I could get to the tools I wanted to understand, well, what are meaningful problems, and then we can kind of say, well, yeah, let's try to explore these tools.

G: Host, that's correct, that's correct, and so the way we've been doing it is, and that's why the tooling discussion will be in fact valuable when we get there, and one of the things I had heard was: oh well, there's lots of different tools. I have to pick a tool. How do you get neutrality? So we're trying to take that out by saying: okay, we're going to vet vendor A, work out some arrangement, and a lot of times...

G: We have to make bespoke arrangements in terms of billing or integrations or the UX to solve for certain things. So, you know, the goal would be, okay, now you have a single control plane that you could then govern for a project, instrument your repos and, you know, kind of simplify and not have people have to go and search for a vendor and then do a POC and all this other stuff.

G: No, no, I definitely want to open up. I've tried to reach out to OpenSSF, and I couldn't get clearly how far along the tools were, whether we should do it or not, and so I figured let me triangulate by having, you know, a different set of practitioners, some that you guys might be neutral on, whether it's from OpenSSF or commercial versus they're doing it. And that way I can kind of harmonize between the two.

I: Yeah, so they are going beyond SCA and the vulnerability, right, so they are also considering other attributes about open source libraries' security and risk. Like, they do have a package feed and a criticality score. There are multiple tools around there and they have a dashboard where they calculate all these metrics and give you some level of score for an open source package, right. So I think it's good to consider those tools, and some of these tools are not necessarily going to help that much with the supply chain problem.

I: It may help with the application security of the software, you know, building inside a company, not necessarily supply chain security specific, right, like SAST. It is not that practical to scan all the open source code through a SAST. Like, I don't know how many companies are doing that, and even, yeah. So SCA itself is kind of a limited approach for open source security, yeah.

G: Yeah, that's kind of what I've been sensing too, but I couldn't tell when I synced up with David what's the status on, you know, release, and is it working, and are the metrics well defined. So on the extreme, if everything from OpenSSF will fit all the needs and requirements from a group like this, then problem solved. If there's a gap and we need some commercial tool or other tool, then I would like to understand that. One example, for example, is fuzzing.

G: So when I would talk to them, they said, well, yeah, you know, OSS-Fuzz is available, but part of me was like, but even if it's available, how easy is it and how widespread is it used across projects? And so there we would be tackling, okay, maybe we have a control plane which makes it much easier for everyone to run code against OSS-Fuzz, if that isn't done, or, you know, helps them to record the output or select what library is used, like.

E: Is there a path or a mechanism by which, as the SIG discovers gaps in these particular areas, we're expected to engage with the foundation to highlight an overwhelming need in this particular area? We have a lot of projects ongoing. The supply chain paper is one of them. There's the map, and as some of the SIG leadership as well as a lot of the SIG members and the community members are discussing, like, the current state of things, another attack just happened.

E: What do we do? What are we recommending to people? We're slowly starting to realize key areas, such as the ones that you pointed out, for which there is a lack of tooling that's available to the community, and we're struggling with: where do we write all that down right now? That looks like cards in our repo, but is there a path by which we can engage and say, hey, we were doing X, Y and Z?

G: That's a super great question to which I don't have an answer, and given I don't have an answer, we could, you know, co-create it here. Like, you know, you guys are the most active; what's useful for you? I actually don't have a super great answer, and I think having a solution would be super. I don't have a prescription at this point. So what?

E: CNCF, I think you've got a couple of areas that are already here that are called out as potential problem cases. I think if it's intended to be our SIG ownership of those problem areas from a security focus, remember that that's kind of like how we're scoped, maybe having something akin to this listing in our repo, where we've particularly called out the problem space, and then just engaging with the foundation to be like, hey.

A: So I see. I know at least the TOC has asked us to kind of engage them with helping to identify, well, gaps in terms of open source projects. I think we have kind of that.

A: We should have a discussion there, and part of, you know, the landscape side, the security map, was to put together some data. So I think that what you laid out here, Tim, is probably a good start as well.

A: Kind of have a discussion around this, but so I just want to understand, so you, that's...

A: I think that, like, two different discussion points. One of them is discussing what are some things that we need to do to enable, like maybe invest in a new project, to enable the security community as a whole, and this specific problem that we are looking at here is: how do I increase the security of open source projects by providing a service, right? Just to make sure that I'm not mixing up?

G: Yeah, that sounds right. You know, and I tried, so this one I started from scratch, but then we did that whole exercise for the DoD and I reached back to them and said, hey, what's the published outcome for what you guys did? They haven't gotten back to me, the two folks that are working on it. So, you know, we could always... You know, I like the format that we did last time too, as a spreadsheet, and, you know, that was super valuable.

G: So I'm pretty open, and I'm hearing the two things. One is what's the list that you guys are like. This one's probably not a very great list, because I just pulled it out of my whatever, kind of like jamming through it just to give a context, but you guys probably know a lot more, and then, like you said: where do we go to find it? So I'm open to what they think the right form factor is, meaning, you know, I like the idea of a repo.

G: And in some ways, you've actually stated the sub-problem which we're trying to solve, which is how do we make it super easy? How do we make it for those that are on skeleton crews to still have some level of security assurance? And so that's, like, the higher order bit question is, okay, what's the scope of the problems, which I'm turning to you guys as practitioners for what it is, and then the product aspect is, okay, how do we enable it for the persona of someone who doesn't really have time?

C: Yeah, and, like, take fuzzing, for example. I've seen maintainers of the fuzzing projects or the creators of a fuzzing tool approach CNCF projects and say, hey, we'll help you implement fuzzing, and maintainers have actually not taken those offers, even though they're getting it from the expert, and a lot of it is, well...

C: So if it were something similar to the CNCF service desk model, where the LF is going to make a person available to work with maintainers and help them expedite all the due diligence to be able to, like... the problem is not really technology, right. It's putting it, yeah, going back to your diagram, that even the system design stage and making sure that, well, yes, there's this thing we can consume as a service, great tooling, but making sure you can hand-hold the project maintainers and make it, and even do it for them.

C: Just do that augmentation for them, so that it's not additional overhead where they don't understand the implications of, well, how's this going to change our build pipeline, how's this going to change the threat model of our project, like, this is going to uncover stuff that we're not ready to talk about at this point, etcetera, etcetera.

A: From you, yeah, I was thinking about fuzzing as well. I was thinking about, you know, the kind of domain knowledge that you would need to know to implement a fuzzer, yeah, adapt your application, but, like, if it's a service-based model, you know, at all, yeah, it could be, even if it's just open source tooling, right; it doesn't have to be a service. We could just, like, oh, we do a security process for you, we'll write a CI/CD pipeline for you or something like that.

C: Like, you even take running the web infrastructure for the web pages of the projects; maintainers are not doing that, and there's been, like, some shuffling on the CNCF side, where the people that helped put up Netlify and do the load balancing and do Cloudflare for this project have moved on, and now, like, maintainers are scrambling because they haven't dealt with this stuff before.

G: I'd love to hear those use cases on the deployment side, and maybe that's something that we, you know, we just iterated on this, so I just wanted to kick it off. It seems like there's some things I don't have answers on, like where we go to put those in there. I'll take my lead from you guys. I think it's whatever is the least friction for you, that gives lowest friction and highest fidelity.

G: All right, well, that's it for me. Maybe what we do is I kind of jump to another meeting, but I think we framed it, and then let's see what maybe happens in the next week or two on thoughts that come out. We also have the Slack in terms of what you guys want to do in terms of the repo location, like where the discussion and the things go, and I think that seems like a good starting point. Does that sound good?

A: Yep, thanks so much, Tim.

A: Thank you, yeah, and also, I think I will open up an issue for the point that Emily brought up, which is, like, kind of looking at gaps, right. I think I...

A: Great, great, awesome, so I think that's all right, and then let me open this, I'll open the issue so that we can at least get the thread going for this, and next on the agenda items is you, Emily? So, oh yeah.

E: Yes, all right, let me go up and figure out what I'm talking about. Meeting summaries first and foremost. So for those of you that probably already know, and those of you that don't, SIG Security is considered a global group, a global community spanning multiple time zones, and as a result of that expansion and community interest, we do have an APAC region meeting that occurs where they have lots of conversations. They are active community members and they are engaged in these discussions.

E: So in an effort to ensure that the work that they're doing as part of the SIG is included in our discussions, I have made an adjustment to the meeting template to include a review, as part of the attendance, of the notes that came from the last meeting, and this is going to be reflected both for the APAC region as well as this region.

E: So that's the first item, and then the second one is inclusive language changes. This is issue number 478. It was originally brought up by Andres, and I wanted to bring this back to the community as something that I think we can actually get taken care of. So this is regarding the use of non-inclusive terms within our repository.

E: We do have a few of them, to include the branching schema which we employ within the SIG. So what this is, is it would entail somebody going through, probably grepping through all of our files, doing changes to some of the terminology, as well as a decision point in which we switch over from the master branch over to main.

A: This is awesome, and I think that also, I'll just look at the issue. There's a link and, you know, there's a whole discussion thread on two things that can help with this as well.

J: In terms of the inclusive naming, I mean, it was in the New York Times recently in terms of, like, the crew that put that all together and stuff like that. I think it's an amazing initiative for all of us here, so kind of like putting my two cents in here, even though it's unsolicited, but it's a really amazing initiative. They've done a bunch of projects, so I think it would be awesome. Whatever I can do to contribute, I'm going to do here.

A: Cool, and we have our last agenda item for today, which is project criteria for the SIG project, the Cloud Native Security Map. Diego, yeah.

D: No, I cannot share right now, anyway, permissions. Thank you, okay. So the thing is that I think most of you know that we have been working for a while on the Cloud Native Security Map. I'm going to put in the chat the link of the issue.

D: There are regular releases, and there are active commits in the last six months, and it's a priority if it can be a CNCF project or Linux Foundation relationship. So this is a discussion for the rest of the group of what is appropriate, any other suggestion, what is important, but the goal is to always provide good quality projects so that people trust this resource.

A: Do you have a list that you can maybe share on the screen?

D: But this is the start of the essential elements, but that's why we wanted to bring it forward, if somebody has some objection, suggestions or indications of a good reference for starting to filter projects.

A: So part of this is kind of, I think we were discussing this, though, is...

A: You know, why is this guy's project in but not mine, and I think the idea is to make it as objective as possible and to have criteria that I think cover all the bases that people should care about. I think we haven't really decided on exactly what the... we have this scott criteria, but I think, like, maybe there is also consideration to, like, the... wait.

E: But it's not necessarily the vendor independence portion of a given project, but more about the project continuity success. That's, I believe, the right way to say that: if somebody inadvertently becomes unavailable, will they still be successful?

E: I think walking that line between allowing users to be more informed versus actually providing a grade is very tricky. I think that a lot of it has to do with how we present or how we label some of that.

E: So if the intent is to allow a user to make a more informed decision about this, being 100% transparent and kind of the things that we would be concerned with were we evaluating the project, I think is very important. As far as more than one contributor, I would make the recommendation that it should be more than two, first off, because they could...

E: You can have two people and they could be doing awesome and amazing work, but they can also just go to the same company together, or abandon the project together, or leave that one person overwhelmed with the massive amount of things. To that end, I think that we should be very clear and upfront about what kind of those expectations are, and cite that principle that Rory eloquently stated for us, the lottery one, as kind of the reasoning for why we're looking at that particularly.

D: Sounds good, yeah, we were just putting this up for debate to make a richer decision.

A: We were also, I think, thinking about, you know, whether we should just, you either make it or you don't, you're under this or not, or we have, like, multiple categories of projects. Like, you know, obviously, a project with like 12,000 stars, a CNCF graduated project, and then, yeah, a project that's much smaller, right; do you want to make the distinction between those two things? And then that also becomes tricky.

H: I think I recall in the CNCF broad-based landscape there's something about, you know, open source projects with 300 or more stars, which I assume is sort of being used as a proxy for: if you've got 300 or more stars, there's at least a few people using your project.

E: Yeah, the other problem with the specific GitHub stars is that it quickly becomes a popularity contest, and we would like to avoid that at all costs. So it's a good idea, and if we figure out a way to do a somewhat accurate measurement about the use of a project across industry, that would go a long way to helping them in seeking incubation and graduation criteria, because that highlights project maturity.

E: So I think that was more about what we're looking for is, like, what is the project maturity? How do we quantify that as something, and maybe that's not necessarily fixing a numerical value for assignment but showcasing where that falls on that chasm chart? Is it early adopter? Is it innovation? Is it, like?

L: Where is container images, that Docker Hub? No, I know how that, because Justin Cormack was talking about it today on Twitter, but yeah, I don't think, for where it's not a Docker image, I don't know if they've got that.

J: One I just put in channel, Brendan, is one that's fairly good at a high level; it's not going to go in depth, right, in terms of just understanding contributors, contributions, commits, repositories, that type of thing. I just found out about this like two weeks ago, and, you know, it's pretty incredible. You can kind of see an overview of each one of the underlying projects.

J: How many lines of code are there, but, like, again, it doesn't stick to a specific criteria, but I would assume that the upper line of these, of okay, X amount of lines of code, X amount of contributors, would be something that precludes them or adds them to whatever thing we have here, and again, I think this is beta, but it's been super useful in some of the recent pursuits I'm...

C: You know, an often overlooked file, but a great indicator of the project health, is the ADOPTERS file. If there are public adopters, it's one to look at, and encouraging people to do that. Yes, for security projects there's a lot of organizations that won't publicly state "this is what we do", but, well, there's other signs of evidence whether a product is well adopted or not, versus a developer spun up 200,000 bucks to go do a git clone from this thing.

D: I think that's what all these things make it a little bit difficult to make a clear cut quickly.

A: Cool. A couple minutes left; any other topics that people want to bring up, any other things that people want to maybe suggest for next week's meeting, and next week is, next week we do not have a... wait.