From YouTube: CNCF SIG Security 2020-05-06

C: Brendan, do you? Are you aware of the tracking issues, where we said we would go through five assessments before we made it official?

D: By the way, I know Matthew, thanks so much for helping to facilitate the meetings. If you want to take a break from it, I can foster the meetings as well, if you'd like.

A: Thank you, Brandon. I'm happy to continue to do so, so long as they're helpful, when they're getting something done. If we feel it'd be better to sort of rotate it, just so people see more than one face all the time, I'm happy to do that too. We'll just rotate every week or flip a coin at random based on who's free, and that works fine by me either way.

C: I'd love to see, you know, someone else besides just myself come through and kind of ratify some of the facilitation process that you put in place. So I think that's, you know, it's great to continue on. I'd love to, you know, see, you know, Brandon or someone else, you know, come in, go through the process, get feedback and kind of do some better work there.

C: Maybe I can prioritize this week, now that we've got Harbor out the door, landing the facilitator guidelines, and we can, you know, choose a meeting in the future that, my friends, it's a good time for men.

A: I should put together the facilitator guidelines. I recall now I meant to put together a pull request and put that in the documentation; still haven't done it. Actually, supplement that, Dan: so, for example, for more embedded security background and a bit of pen testing, that sort of stuff, if someone were to, say, do more than, say, facilitating, but be able to provide some answers to the actual real questions.

A: Are there different meetings or leadership meetings, or just reviews, one should take part in so that, rather than guide, you know, the facilitator role, guide the meeting by sort of a formula, actually have concrete answers to actual security slash leadership questions?

C: So there are three other sort of primary workflows: the co-chairs meet regularly when everybody's healthy and available.

C: We usually have a weekly cadence and we'll meet either Sunday evening or Monday evening, and sort of coordinate at a high level and work towards any of our sort of longer-term goals.

C: Then the co-chairs and the tech leads just started last Wednesday a bi-weekly meeting amongst ourselves, and then there are the individual assessment flows. The formalization of our tech leads is, you know, something that just recently happened. So I think what the opportunity, you know, to sort of expand from, you know, those sort of existing pillars towards, you know, new activity streams would be, if any of the chairs or the tech leads wanted to,

C: You know, set up a breakout, and, you know, Brent is probably the best person to partner with on this, and maybe go through, do some issue triage and, you know, work on that. You know, that's an area of need; there's no formal definition around that yet. It's largely been, you know, the tech lead stepping in and, you know, taking care of it, and, you know, the co-chairs ratifying things and proposing things.

A: I reach out to you specifically, or Brandon, for example? I was thinking I could just reach out via Slack after this meeting, and this resonates with the question another attendee had just the other week, and that was: how do we sort of join in, like, for example, on a review, even if we're just an observer? So that way we can sort of learn it the first time and not ask silly questions or slow down other people by treating it like an academic training exercise rather than what it is, a security review.

D: Yeah, I would say also, like, I feel like we initially started, kind of the initial idea was most of the communication would be in the issues themselves, but it seems like over the course of the past year there seems to be, like, a huge explosion of the number of issues, so it's becoming a bit difficult to track. I mean, a ton of people have different ideas and stuff like that, so yeah, maybe it sounds like we can do some, maybe have a label on certain assessments.

C: Yeah, and, you know, Brandon just ripping on our last, you know, tech lead and co-chair meeting.

C: There's definitely an opportunity right now to sort of ramp up our coordination with Amy and, you know, the CNCF team, and, you know, that area, you know, above me on, you know, just working out of issues, but, you know, tracing the issues, issues that are outside of the, you know, security repo, and building a bit more shared understanding, and maybe a little bit of process around how we coordinate there.

C: You know, it's an open opportunity that I feel like we're iterating towards, but we definitely don't have, you know, sort of a shared understanding of, you know, how it works and how it should work moving forward.

A: Yeah, sure. Well, at the very least, I'll definitely be reaching out to both of you via Slack afterwards to tee up again. All right, so I think we have enough time for everyone to hop on board. We've got critical mass. I'm just going to quickly go through the attendance, and I'll just paste the attendance link here in the chat in case people joined after I first pasted.

A: Okay, in terms of what we have here, you know what, I'll go through the new attendees at the end, just because I see a lot of names popping up here. We'll go through SIGs first, actually, for, I don't know why I always delay each time. Scribes: is there anyone that would like to volunteer to be scribes or meeting minute takers for today?

D: I think there's an update from a few people.

A: Agreed, yeah, yeah. I was going to go with the bullets, since there's a SIG recommendation there, and then just go through the rest in the order in which I see them.

F: Oh, sorry, please go ahead. So yesterday at the TOC meeting it kind of changed a lot, because there is a new sandbox proposal, which is kind of like another matter, and so I'm bringing it up partially because I have stacked this, because I proposed Keycloak.

F: I want to kind of, like, take aside the new sandbox proposal, because, okay, let's assume for this purpose that I change the submission of Keycloak from sandbox to incubation, and then the change of the process doesn't apply.

F: But in general there is this requirement, or strong suggestion, to obtain a recommendation from a SIG when you apply to CNCF. I know the struggle because, like, SIG Security, there is a certain bandwidth limitation to the proper project assessments, and you do need to prioritize current projects,

F: While there is a steady flow of requests on top of those. So it's pretty much hard to do a proper assessment for anyone asking because they want to be considered for CNCF, which is kind of where Keycloak has been. So I kind of wonder, like, what does the SIG recommendation for TOC really mean?

F: Does it mean, because I made, like, a proper security assessment request for Keycloak with the whole write-up, but so long, but at the same time there is nothing written there that that's exactly what is meant, and so I know, bandwidth-wise, it's hard to expect security right now to do a proper assessment.

F: At the same time, you know, being realistic, is there any process towards actually having the recommendation and some software review, or not?

C: Great, so let me separate a bit the, you know, the sandbox proposal changes and Keycloak. You know, Keycloak, Dex and a couple other projects are in our queue. You know, unfortunately, both of my co-chairs, Sarah Allen is sick and JJ is stuck in India, so, you know, kind of at the top of the food chain,

C: I have a bit of a, you know, leadership and bandwidth organizational challenge right now, so getting through that, and I apologize, you know, for any delays that that's created on your end. You know, where Brandon was with the new proposal, you know, proposing that we, you know, potentially lighten up how we approach folks going into sandbox, and, you know, make that, you know, much more of a self-assessment, you know, less of a guided process.

C: We have, you know, kind of one core, you know, well-oiled process with the security assessment, which is a different workflow, different concept than, you know, what you'll get with a formal security organization. We're not going through and going to provide you with, you know, penetration tests and, you know, all of the artifacts that you would get from, you know, a paid, you know, twenty thousand dollar investment into, you know, getting a proper security assessment.

C: You know, what we provide is, you know, in a community of experts, we help you prepare in your journey through the CNCF to, you know, sort of partner, coordinate with all the other projects, and make sure that you have clear talking points and coordination points around your security parameters. So it's a bit, you know, our security assessments are a bit of a different beast.

C: You know, that has, you know, a similarly, you know, named, you know, referring to it, but, you know, having gone through and, you know, worked with, you know, a number of projects, including, you know, security products, everyone's come through the security assessment journey and been like, wow, that was a journey, but also, you know, feeling way more prepared to, you know, address all of the concerns. So, you know, that's my high level.

C: Thoughts on that. You know, my blocker right now is, you know, really scheduling and, you know, getting you all into the, you know, the hopper, and once we start the process, you know, it's fairly, it's, well, it's very labor intensive, but, you know, we do.

C: A well-established process that, you know, we'll guide you through, and a number of team members that are happy to sort of step in, so you're slated at the top right now.

F: I guess that was not my question, so I do understand. Currently, I was looking at the current assessment process and I did the proper application; I was looking at the previous one, so I do understand the difference between assessment and all that, you know, kind of like what's the basic security approach here, and I think that's a good approach. My question is: okay, say a project applies to incubation, let's not mess up with sandbox right now, so, and TOC was okay, and we want SIG Security recommendation for this project.

C: Default, it's an assessment. You know, you would have to really convince one of the chairs that we have sufficient context to, you know, accurately and fully communicate due diligence, and, you know, so.

G: Yeah, I want to add one more thing to this, which is that, really composting? Yes, Zoom is having a lot of problems, as I've been complaining about on the security and tech lead.

G: Hopefully we can move to different conferencing in the future, but anyway, the thing I was going to say is that oftentimes the project gets a lot out of the assessment by going through the process with us, which can in some cases be things that we don't necessarily point out.

G: So it's almost like, you know, you hear of the people that say, well, I went to the psychologist and it didn't really help me; all they did was have me talk, and then I helped myself, and, you know, so there is an aspect of that to it too, where it's something where the process of you going through a process about reasoning about the things you have to give us, that information has, in many cases, caused projects to find serious security issues in things they're doing.

F: Just to clear out, yeah, I totally recognize it, and, like, even without getting to CNCF, I would love to get your assessment, well, assessment from security for the project, so I'm not, quite, I see all the values. What I'm raising is purely a process or bandwidth issue.

F: So my concern is essentially the following catch-22 situation: where, to move forward with the incubation process, let's say I'm being asked by TOC to get a recommendation from SIG Security, which is a security assessment, but then SIG Security, having bandwidth capabilities like it has, will struggle to actually process the assessment, because there will be higher priority projects in the queue. I know the current situation is special. We've covered, no, no, no, deny, like.

G: If you look online, a lot of those projects have had situations where, for instance, they were very actively doing things and then, you know, COVID hit and everybody started to do social distancing, and the person who was working on it all of a sudden had different priorities and basically said, like, hey, from the project side, we can't do anything. I'm not aware of a project that is, like, waiting on us to do anything at this point.

D: I think that was, like, so Keycloak, initially we started this process and then there was this change in the TOC's view on Keycloak, initially as a sandbox, so I think we had a team together. Then we decided to move the focus to,

D: There was kind of, like, an influx of new projects, and then there was, it wasn't quite clear to me which projects were requested by the TOC to be reviewed by us. So I think that was kind of, like, a bit of miscommunication.

F: Yeah, I think you answered my questions. You know, I applied, I created the submission, I think, a month ago, with the whole surface, this one write-up. I'm not complaining, because I know the current struggles, so, you know, I'll patiently wait.

F: It's a bit exceptional, but, yeah, just kind of, like, raising the concern: is it the proper approach? Okay, so.

F: Yeah, there is a bit of, you know, there's, I recognize there's a bit of uncertainty, like, are you supposed to come to TOC with a recommendation, or do I need to come to TOC, and one of, I need to have, like, at least one sponsor, and then this sponsor needs to go to you, kind of, like, okay, please take a look at this project?

C: Oh, good. You know, just sort of in the interest of, you know, looking toward the, you know, the future, bundle, you know, the, in the next month, you know, how's your schedule and your team schedule looking now? Does it look like, you know, there's an opportune opportunity to work through the assessment process?

C: I come from school, great. Well, I have to, you know, triage, you know, Keycloak, Dex, and I think one more project, in terms of, you know, what we begin to slot in, and, you know, honestly, showing up at meetings and, you know, advocating for your project and, you know, beginning to coordinate with our assessment leaders is the best way for me to, you know, push that forward. So, you know, thank you for showing up.

C: Thank you for, you know, sharing your experience and your concerns, and, you know, I'll try to get that unblocked, and, you know, beyond that, also be working with Amy to make sure that we're, you know, working out the kinks in this new pivot towards, you know, making sure that the things are, you know, since we're, you know, critical path now, you know, I need to make sure that we're, you know, aligning and communicating on those coordination points a bit more.

D: Hey, yeah, what I wanted to talk about is, kind of, we already kind of talked about it, but I created a PR to put on the README page some indication of how do I go about submitting a request for SIG review, but given that things have changed over the past two days, I think I, prior to review, and then we have to discuss it to really figure out what we want their process to be.

G: Okay, thank you, Brandon. I'd also like to say that, if we are moving ahead with Keycloak now, that I'm, like, I see the issue, I'm looking at the issue here, we desperately need folks to volunteer to be security reviewers for Keycloak.

G: So I will post the issue in our Slack right now, in our Slack channel, but I would greatly appreciate people reaching out and saying, yes, I can participate in this.

G: You don't have to have done an assessment before to participate, but if you might be tapped to be the lead security reviewer, then you would have had to have done a prior assessment. So, you know, please volunteer; it's a good way to get some experience doing something, you know, that, you know, is obviously a really important part of our community and a really important part of judging the security of products and projects everywhere.

G: I'm, yeah, I'm called in, unfortunately.

B: Yeah, sure, I'm also trying to log in and trying to contribute, so it would be a good first step for me as well. Thank you.

A: Thank you. Okay, in that case, I'll move on to the next item. See, Brandon, no update, no update, no update. We have Justin Cappos. Were you able to get in through Zoom, or did they blacklist you for number 376?

G: I don't really know what the problem is. Honestly, I registered, like, "zoom sucks" as my username and some other things like that, but this same ID and everything works on every other Zoom call I get randomly invited to, which I get invited to them, I don't know, a couple times a day, so I don't really know why.

G: So I don't know what's going on, but I would, I had brought up the issue weeks ago and there'd been a lot of, I think, positive mentions that we should maybe move away from Zoom, and I'd like to just renew that now that I am able to actually, in some limited form, be able to call in, but it's unfortunate not being able to see who's speaking or any, you know, or things like that, which I feel is a big hindrance.

C: Right, I was gonna, have one, Amy? Have you, first, got, I'm sorry about that, Amy? Have you had to reconfigure any of the sort of convenience links? No.

H: Exactly as you were, so I'm not really sure why that's actually going on. But I see questions in chat about alternatives to Zoom, so happy to be able to hear.

C: Right, yeah, I mean, you know, getting to the alternative and working through all the issues, you know, I'm happy to have that be, you know, a longer-running workflow. You know, the easiest sort of incremental move right now is, you know, making sure that the web links work and have whatever password or whatever, you know, the new Zoom policies require.

C: You know, connect it up, so, you know, Justin, I think, you know, including a link to the, you know, web client, and, you know, maybe a note as to why we recommend the web client, you know, will be great, and, you know, I'm happy, this link is, you know, the, whatever is the meeting ID, main meeting, default meeting ID?

C: I believe, you know, for security, so, you know, we can test it out at any point. I believe that, you know, it'll automatically get recorded and posted to YouTube when we do, so there's that. But, you know, Justin, if you have time, wanna test things out, I'm happy to hop on sometime later this week.

G: Okay, yeah, maybe we'll do that and try to see if we can figure out what the heck is going on with this.

C: Right, just get you, you know, logged in and figure out, you know, there's some really goofy steps that, you know, I was reading about in terms of logging on with the web client, where you have to sort of dodge and weave all the attempts that Zoom is trying to get you, to shuttle you towards the desktop client.

C: But it sounds like it's not that that's involving these.

A: It doesn't seem too hard to set it up in a Docker container for Linux, even though it's a graphical application, Zoom. But then it's a container, so Windows users, well, I think you can use Linux on Windows, but not Windows on Linux, but there's some headaches involved. And then I looked at VM-based approaches, and the only Windows VMs that I could find are, like, these Microsoft Edge ones that expire after 90 days and are more or less meant for Windows web app testing, rather than recreating every x days as an instant messaging client thing.

A: So I don't know if it's violating the spirit of the license there. So the ultimate solution I arrived at was a Linux virtual machine, and Linux in general, without starting a flame war. So if we wanted to prepackage them, that's, I think, the only medium I'd recommend, because the second we have more than one image: why is it Ubuntu? Why isn't it Fedora? Or can you help me debug problem XYZ? No, no! We're not Zoom support. So I'm happy to still put together a Linux

A: VM image, and maybe some, maybe, like, a Vagrant build script to recreate it, if anyone thinks there's merit to that, like, as an interim stopgap solution. Oh, throw that.

G: I think anybody who's gonna want to install the VM will probably just want to do their own OS install, because it's like, once you just do a basic install of a distro with a browser, then Zoom will probably just forcibly install that client and do everything for you.

G: I think, I don't know, I don't, because, like, I would want to do it myself. I'm actually already running virtual machines for other things, and I sort of don't have enough memory left to run yet another virtual machine to just handle Zoom. So, like, when I have to do that for WebEx, for instance, I have to shut down a bunch of other stuff, and it's just a pain in the ass.

A: Would it be just busy work, or is there any merit in throwing together, like, a, maybe the term would be meta-assessment, like some sort of short report that says: here's the clients we considered, here's the security, here's the usability, here's the practicality, and if we decide to move away from Zoom we have that? Like, does that need to be formal or clinical? Should we make something like that, or just say: no, let's just use tool XYZ, change our YouTube upload scripts and be done with it?

G: No, I think there's merit in that. I think I created a while ago, that I think someone said that they had put in the chat there, talking about looking at alternatives to Zoom. That's exactly what we really should do, and so, you know, anybody just kind of starting to add the things that they've noticed and their thoughts, and because, you know, I'm also, some of the usability things I'm not as certain, like,

G: If Google has a way to let you automatically record meetings. But I know that they've recently, with the way they're doing, like, the new Google Meet thing, they're making it a lot more like Zoom in terms of security and ease of access, and they don't require any browser support, I think, or anything other than your browser. They don't require you to install things, unless maybe you do some kind of desktop sharing or something, I don't even know.

G: If, then, if you need to, but you certainly don't need to for a normal call. Yeah, but some of the other offerings, you know, the pros and cons.

A: And then one other thing is: if we're going to do that kind of comparison, are there any things that we have to, sort of, for the sake of responsible disclosure, keep a lid on? Like, for example, if I just took a bunch of chat client apps right now and threw ldd and strings and such at it and found a certain library statically linked that should never be statically linked, can we put stuff out there?

C: Yeah, I'm not worried about, well, I am worried about disclosure. I think it's an important consideration, but this forum is a public forum, and it should not be considered a, you know, a private forum where you can disclose, you know, any, you know, security concerns like that, and I would advise anyone who has that to, you know, reach out to any of the chairs or the tech leads and, you know, schedule an offline conversation.

I: So, no, I just started scoping it out. I'll update the ticket with more information, but, yeah, I've been away for a while. I just want to just talk to everyone quickly. I traveled out of the country and got stuck and recently came back, but I'll be joining the meetings more frequently.

A: Okay, thank you. All right, now I don't believe there are any updates, but we do have a few, I think, new attendees here, so I'll just quickly call out your name. If you don't want to be called out, you can just ping me or raise hand via chat, or just quickly say no update via voice, and we'll skip on to the next. So first here I see in my list is Matt Hamilton. Good day, Matt.

J: I joined Uber, like, one year ago. Before that I worked at VMware. I worked at VMware as an engineer. We provided our Kubernetes solutions, which was named as Tanzu Mission Control. Like you, I'm kind of, like, a healthy background, like, a Golang programming and Kubernetes and authentication.

J: Long, long time ago I worked at Samsung Smart TV, provided, like, a system, never security and hostile for the, on, for their Samsung Smart TV, but that's a really long time ago. So I joined this group and try to watch and learn how you guys are dealing with CNCF for securities.

A: The title was, it too: let's see.

D: So, Dan, I posted the issue on the first five assessments for you to get it.

C: Thanks, Brandon. Yeah, I went through that; we could check off Harbor. Thankfully that was great, and, you know, we are perilously close to, you know, pushing past our initial five. Yeah, I do feel like we could potentially short-circuit this, and, you know, with the proposal in place, you know, it's a good time to, you know, advocate for, you know, the introduction of a security assessment, you know, as this is all changing. So, you know, why don't we add this

C: As, you know, an item, a discussion for next week's chair and tech lead meeting, and, you know, we'll talk through, you know, whether we want to push now and, you know, get security, you know, in front of everybody. No, I think we're ready. So, you know, that's what I think. Good work, yep. That sounds good.

D: No, I was just gonna ask: is anyone, that I saw the issue with Parsec. Is there anyone from Parsec that's here, or anyone that knows some of the Parsec tech? I think it could be an interesting presentation for upcoming meetings.

K: I was unclear if it was on the table for a smaller assessment or something slightly akilter for application for sandbox or whatever, versus, you know, pursuing graduation. So it seems like the advantage of doing the same assessment early and late is nice to compare, and maybe the detriment is that it's a little top-heavy slash,

K: Maybe it's a different audience, the assessment, the bigger assessment, so to speak. I just wasn't sure where that landed. I read through the sandbox proposal stuff and it's kind of unclear to me what the whole thing is about, but that's sort of a question, sort of a statement: everyone's happy with the current security assessment, and that's going to be the assessment that applies to sandboxing. Is that the end state?

C: You know, you've, you know, gotten a sense of the journey that you'll go through with assessment partners as you approach incubation or graduation, and, you know, we already have an expectation with the assessment that there's an annual renewal. So, you know, that's gonna, you know, what, whenever you sort of get on the train, you're going to be, you know, kind of in a trained workflow. So, you know, the delta that is, you know, kind of in these initial discussions on the table

C: Is, you know, what if we, you know, made, you know, the sandbox side of things just a little bit easier, you know, both on our side in terms of, you know, level of effort, and then, you know, it's a bit more of a check-boxing exercise on, you know, the other team side. Though, you know, I think that if you're, you know, really, you know, stopping and thinking about it,

C: It might be a little bit more than, you know, just a checkpoint and a checkbox, and we'll have to also see, you know, once we put out a proposal to do, you know, just, you're on your own, you know, how, whether we actually are able to, you know, let folks, you know, work independently and not get pulled into, you know, basically, you know, having to allocate the level of time and effort that we'd have on a full assessment.

D: Yeah, and I think, according to the new proposal, which I don't know when it's gonna actually take effect or how many changes are gonna be, but with the new sandbox proposal, actually, SIGs are not involved until the incubation process, so this definitely will make things simpler, at least for the sandboxing process, for us to not have the requirement and not have that kind of, that, the huge hotel, I want to actually do assessment. Yeah, I'm not sure.

K: Okay, thank you. Yeah, I mean, thoughts on that are essentially: if there's no preview, so to speak, then they get pretty far down the line and get hit in the face with a 10-ton hammer. That's a negative, right? And in another world in my life we have two sorts of assessments, one we call a security preview, where the P in preview is product or process.

K: I don't remember what the three Ps are, but anyway, we have a security preview, and then we also have a security readiness review, right? And readiness reviews, basically, we're shooting you out the door, and you should have pen to paper and code review and all that jazz, whereas a preview could be partially conceptual. You know, there's at least a PoC, there's, it's got legs, but whatever, but we kind of treat them.

A: Thought, fantastic. Okay, concluding that, until our hard stop about nine minutes from now, it's an open floor, so anyone's free to chime in. I'll just throw one thing out there, and that was on the facilitator stuff: for now, how about whoever puts their name there before, say, Tuesday evening, we'll just go with that, and I'll happily grab it.

C: You know, Matthew, rather than putting it in DMs, you know, it'd be more convenient for me if you dropped it into SIG Security. That way, you know, if I don't happen to see, you know, the Slack notification, you know, maybe if Brandon's online or, you know, whoever else is available to facilitate, you know, that individual could raise their hand.

A: Gotcha, I'll default to the oldest time slot unless there's a major emergency, and other than that I'll ping SIG Security to give a heads-up. I'm generally able to set this time slot aside.

D: Yeah, if you could open the PR, and then at least we can try and follow your new guidelines to make sure it's consistent.

A: Okay, and I'll add that to the little updates to the README markdown file on the roles page. I've been meaning to do that for a while now; I really should get around to that.