From YouTube: CNCF SIG-Security Meeting - 2019-06-12
A
Any volunteers bribe we are gonna have a working session to just carry over things that we didn't get to do last time, bunch of it'll backlog of activities. Apologies for not getting through all the PRs, but we're, some of you have seen on Slack, still working through scaling our GitHub processes so that we can be responsive as a group, and so, so yeah. So please add yourself to the attendance. I will drop the meeting notes in the chat.
B
A
Have some volunteers to take notes? We have two, for those of you who are new. We have two people take notes so that you don't have to worry about catching every word; they're more just the important things, our people mentioned links in the chat, that we have kind of reminders of things and capture action items.
A
But then we have two people, so people can help each other, and one person can feel free to talk and then the other person can write down what they say. Thank you, Gerry, and not here if I'm pronouncing your name right. So let's just, since we have a lot of things to chat about and we've got a big set of people here, why don't we just launch into check-in?
A
So we also, for the new folks, we an almost every meeting, except when we have like a presentation, sometimes we skip it, but at least every other week we try to have it, check-ins, where we, it's sort of like an agile stand-up, where you can share what's been going on with you, particularly security-related things.
A
It's also a place where, you know, if you're involved in other groups, or you just hear about interesting things going on with security, feel free to share, because we all like to hear about, where many of us work in different domains or just your different things. So my name is Sarah Allen. I'll kick it off. I'm one of the co-chairs of the NCS special interest group on security. Thank you for coming. We are, as of two weeks ago, we got voted in as an official SIG to the scenes.
A
A
A
So there is now a channel on Slack for, to coordinate the microsite that Michael's volunteered to do, and he can talk a little bit more about that. And also I got as far as opening up some new issues to help with our triage. I didn't get a point to actually doing PR, so feel free to jump into the triage channel if you have good GitHub foo and would like to help with just some logistics, because we could, we would be accelerated if you did that. So that's some. That's my jacket.
C
E
F
G
A
H
H
I
A
J
A
L
Brandon. I'm in IBM Research as a software engineer, working on security-related stuff. I guess, maybe like this weekend, next week, I'm really gonna be preparing on China. So if you're gonna be dead, let me know. I think we can try and figure out something become me put in there like we did it. I think that'd be nice, so.
N
O
O
P
A
So yeah, so you know, but I'm new here, take me out on that I'm unresponsive. DM me anytime, I'm more responsive to director at mentions.
A
So, so let's dive in. So anybody who's new, PR yourself as a member. Your participation, either here or by a GitHub account to as a member. And then I wanted to do a quick update. We synced up with Liz on the TOC. I get, I let her know that the in-toto assessment is, like, it's ready, just like wrangling the documents and checking our eyes and dotting our T's, and she would like to queue up a presentation of the assessment process before queuing up the in-toto presentation that includes our assessment, and so she's.
A
K
A
J
A
Yeah, I think, you know, any of us who've been involved can probably give the presentation, but it, since you're stepping up to be the facilitator role, it would be great if you got some of the glory for all this hard work. Fabulous. So then I wanted to make sure that have time for the roadmap I'm going. So we had, I sort of sought some advice, and Dan and JJ and I met. Who, you didn't put yourself.
K
Oh, can I say one more thing while we're on the assessment, please? So we are about to finish the in-toto, and really the OPA assessment is also done. I'm just sort of waiting on them to confirm that what we've written is OK, and so both of those processes are basically complete, which means that it's time to start the process anew with other projects. And we've had a few projects mentioned, and I want to know from the Falco folks, since they're here.
K
This is a project that very interested in doing an assessment for it. So you seem quite interested in having an assessment on. Or do you feel that in something like a few weeks you would be ready with the assessment document, or do you feel it's going to take a month or more and therefore we might talk with another community?
P
I'm thinking it's going to be a month or more, just given my gut feeling on where we're at with workload for Leo and Lorenzo right now and finding them time, and then we have two weeks where we have the Cure53 people in, which was something that we kind of already had in flight for them to do the security on it. Mm-hmm. But I'm thinking it, Leo, I'll let you chime in since it's your time, but I'm guessing it's gonna be a month or more.
K
If you're having a Cure53 assessment already done, it makes what we're doing less helpful. It's still useful, it's still a good step. It's still interesting information that other people can look at in a much easier and broader way than what they'll get out of Cure53, but presumably their process will include a lot of this stuff, even if it's not documented we're gonna see based on it. You know, like we had a Cure53 assessment of TUF done, and they basically said, you know.
K
The report was basically, here are the security issues and, oh yeah, the design, which was, you know, they always have to say they found something, but it was like, well, we found a part of the spec that someone might have implemented wrong, but no one actually did, and yeah, the design looks solid. That was basically what they said. You know, so that doesn't really help people understand when they should use, tell for how they should use it, or what TUF protects against and so on, which is what we're doing. Yeah.
P
P
We saw that OPA, when they did their presentation around moving into incubation, that they had a security assessment done, and this was back in February, I want to say, on one of the talk halls, and so I had reached out to Chris to inquire about the security audit that they had done through Cure53, and, and we kind of spun up that process, and now, based upon Cure53 scheduled, they're finally able to get us in there, get us in there q, so we, this was something that we've had in flight for several months now.
K
You know, they're a great team and maybe they'll see that also, but at least having outside people that know the cloud native space, maybe in a different way and a slightly different perspective, might also help them to steer their efforts better. Okay, I understand. Also, if, if this is gonna happen in two weeks and you're on their calendar, then that's where you are. Yeah, yeah, okay, well.
K
A
Self assessment that you prepare, that kicks off our process, and right now we would rather not do two in parallel. So if you're gonna be ready sooner, right, then we can, we want to, we've got you queued up. We earmarked you to be had the opportunity next, but if you're like, it's gonna be a while, then we'll put somebody else in the middle. So let.
K
A
K
A
K
Not, I will volunteer. So we're also trying to spread out who leads what and who does what. I will volunteer to be involved in the Harbor assessment. We want people to do to these, and then I guess, yeah, we'll try to wrangle people for Falco, Keycloak, Harbor, elsewhere. So there's gonna start to be emails or discussions here about who, and we've already had.
K
K
A
A
We have a bad link, but it is in the directory, I think. So we have the project lead, who's the person from the project. If somebody in the meeting would fix that or write a bug, that would be great, that I won't forget, or at least put in the notes on the broken link there. But the project lead is the person from the project who identifies and self-identifies and says, I will be the security point person for this security assessment, and then the security reviewers are.
A
This is like what we drafted as what their qualifications are, and then the process identifies there's one lead reviewer, which is somebody who has done a security review before, and we are, so we're bootstrapping this by having a bunch of us do the first two reviews, and then the idea is that somebody who was in that team of four that they did the first two reviews is then the lead one of the next reviews, and then we rotate until we have a big team that has done, had this experience. Does that answer your question?
A
Q
A
So I think that what is not documented is what we were just talking about, which is like, how do people say, I would like to help, and how do we, you know, like right now we are tracking which assessments are queued up here, but we don't have yet identified like exactly how do we say who is working on what thing and manage that. So I'm looking to like kind of Justin to codify that, but I think he, you know, like if there's any suggestions, you know, about like, where do we, like, it's just a logistical.
K
Right, I, just a comment on the pull request, and I put two things in there as examples. I volunteered myself for something, explain what role I'd have, and I also listed that someone else expressed interest in there, so feel free to do the same. I think we don't have to worry. You know, we're, we're gonna end up with somewhere between six to eight little comments under here, and so it's not gonna be hard for us to aggregate.
K
A
K
E
A
R
A
So on the roadmap, back to of some logistical process, though I don't think I heard Robert here, Robert did some very nice suggestions on the roadmap, which actually then kind of caused the lake. How are we wrangling this? This roadmap is still be safe working group roadmap that we put together over a year ago, when we were just kind of trying to discover the landscape and discover what it is, like put more clear definitions about.
A
A
We have had intermittent active discussions at different ways to ratify those, and we had a number of presentations that will talk a little bit about the microsites, which is going to surface some of the work that this group has done over the last year and a half, and so actually these sections are really done, and then we, I think we have a lot more crisp ideas about what to do. That is, you know, kind of overlapping with sections 3 & 4, and since originally putting together this work, this very I roadmap.
A
We then also defined this governance process, and I want to kind of go through it at a high level and sort of chat about some ideas that JJ and Dan and I had about like how to move forward with the roadmap following this process that we defined. So the process that we defined. So when JJ and Dan and I started this, we really wanted it to be an opportunity for us all to discover what our common best practices and discover where there are differences without being contentious. So we wanted to not dictate like any.
A
One of us could have like whipped out a security white paper, but none of, we all acknowledge that there may be differing opinions amongst the group and wanted to not get embroiled and some of the things that we'd seen happen in other working groups, which is prolonged discussions about what's correct. So instead we said, well, whenever anything's different, we will weather when there's debate.
A
We will invite people who have problems and challenges or solutions to present to us and kind of tease out what is actually happening, and that we wanted to allow the what's important to come from the group itself. And so it's really this kind of allowing what's important to come from the group itself led Rachel Meyers and JJ work together on this governance model, where we define this process, where the idea is that anyone in the group can create an issue, and the intent, which we have followed not rigorously.
A
Is that, but we'd like to follow more rigorously in the future, is that that issue where you outline the problem to be solved and what's going to be an impact of our as a group solving that problem, and what's the scope of the work to figure this out, and then, rather than just working on it, to bring it to the group and be like, okay, I, I'd like to collaborate on this. And then we can talk about it.
A
Where we can say like, this is a really a cloud native thing, it's an interesting security thing, but not us, right, or we can say like, oh, a whole bunch of people are interested in this, and let's have it be a group thing. And, and so, and the key thing that we wanted to make sure that we do is to have a definition of done. How do we know that this thing is done? And we, you know, we sort of discovered this over time, or we're like, okay, we're going to this landscape thing, like.
A
Like representatives of the TOC, where we are looking to do the work of technical oversight of the cloud native foundation projects, and so we want to kind of, we want to have to kind of trickle down that, you know, sort of, it's a two-way authority. It's both there kind of ask delegating things to us and asking us to shepherd this understanding of cloud native security, and then also we act.
A
You know, make it inactive so that the group is actually working on things that everybody is working on and there isn't a lot of clutter, which there is right now, but that's why we're trying to follow process more. And so then there's a proposal, and then we either accept it or close it, and I think we could refine this a little more to be like, well, maybe things can float as proposals for a while, right?
A
Maybe we queue them up, and so the idea is really that, like, we have these proposals and then we as a group decide to how to queue things up in the roadmap, and then there's a lot of things that are work in progress right now that aren't necessarily visible to the whole group. We've been talking a lot about security assessments, but that's not the only thing going on, and then other things have less structure to them.
A
So we thought we could follow this structure and catalog what's happening, and then, as a group, we can say, okay, there's other proposals, maybe there's something that was started last year that's languishing, that is less important than some new proposal or, or what have you, and create more visibility and organize it in a roadmap. And so then I sort of talked a little bit about this. An active projects, right, to just, you know, like we're trying to formalize how we track these things, make it visible, and then, and that generally we, we should.
A
We keep working on things until there's consensus, like I talked about, like, you know, we wrote down a process for a vote, but generally we've been able to come to against, like we've been with resolve objections so forth without doing that kind of a formal vote, because, particularly in the domain of security, I think it's high. You need to explain if there's a dissenting voice that feels like things should be different. I think it's upon us to explain why that's not a security flaw in everything we're doing that.
A
J
A
Are these are basically anything that is like the work of the group, right, like if it is? This would be, I think so, that's also every issue that is, yeah, so I had no, like anything that's on the road. So basically the proposal that JJ came up with that I really liked is that anything on the roadmap should be a proposal or a request for a proposal. But if we don't have a proposal now, we're like, we've talked about doing this, we really want to do it.
A
We don't have a proposal, then it would be like, we, at this point in the roadmap, we would like a proposal to do this, whatever it is. And then there may be some things that are proposals that don't make it onto the roadmap, because we don't have bandwidth for it, and then we can, as we get further through the roadmap, then that gives space for these proposals, because we don't, we as a group, we want to make sure that we have.
A
We either have a structure like the security assessments where we're like, okay, we don't need the whole group to meet and review every security assessment. We have a process where we make sure that there's a subgroup that's reviewing each other and everybody has an opportunity for to review. Some things can go under that kind of a structure, but then other things that are less repeatable.
J
A
J
Yeah, so let me give you an example that I came across, and I was, I post that, I think, to the community a couple of weeks ago or maybe a week ago, about the edge. That is being, you know, on many people's mind, but has not been quite an established platform at this moment, if I say so, and I know in the LF, meaning Linux Foundation, that has the project LF Edge, and I was trying to bring that to our attention.
J
But when I talked to some of their reps in a conference recently, they have indicated that they have not actually addressed the security issue of the edge, and since they are ours, you know, kind of a sister organization, I guess, within the CNCF, LF, its foundation, I wonder if there is, you know, more people here would consider bringing in the security issue of the edge in this scope in some time in the future, the roadmap or something, or is this totally inappropriate? I was trying to get some.
A
And in the process of that white paper, we hope to more clearly describe what we mean by cloud native security, and that will help with those bounds. So it could fall into there, where we're like, let's have a paragraph on the edge and what does it mean, and we can discuss whether it's included or excluded, right. So some of questions like that could be addressed within something we're planning on doing, and the other thing is.
A
We could just have a proposal for a discussion, like, or a proposal for a presentation, where we say, so one of these edge vendors or somebody who has a deployment, which is a cloud deployment that includes edge concerns, gives a presentation of what they're talking about, and then we as a community learn more about what we, as an industry, mean by edge, because I, that's that particular issue. I have heard it defined as cloud, and this is the first time I've actually heard of defined.
A
J
I think I get the sentiment here. If that's that setting you're valid, you know, just valid, I guess, comment there, because I don't think the world knows exactly where the cloud ends and where the edge begins. So it's kind of one of those things, but would it be appropriate for us to connect with this edge community? We didn't learn Linux Foundation and ask them if they would be interested in providing some presentation to our sessions or anything. How do you feel about it? Well.
A
I think that that's where, like, what, what, what I want to do with this roadmap exercise is get more visibility into, like, what's our backlog. And I know we have a couple of likes, you know, somebody who attended to come volunteered to present their deployment as a use case. That's the only ones bringing to mine, but I want to make sure that we don't have that. We would be able to say we're going to have a gap in our meeting agenda in August or something, whereas right now, right this.
A
Second, we don't have that forecast, because we're in the mid the week, we don't haven't formalized our roadmap and taking a look at it. So I think the particular outreach, let's wait a few weeks until we have like our 2019 mapped out, and then we can be like, where are the gaps, and then we can discuss like, is, does it feel like we should have a breakout for that, or do we want to queue it up for when there's a hole in the presentation schedule? Does it make sense? Yeah, it sounds good.
A
They actually knew they were happening, and then other things which, you know, like seem urgent, and then we can also talk about like, do we want to make sure we have a presentation once a month, or, you know, do we want to have more breakout meetings if there's more that people have enthusiasm for doing that don't fit, you know, weekly meeting kings, I mean.
Q
A
Pretty much, and also just make roadmap more concrete, right, it's, but it's okay if the roadmap has things that aren't yet written up as issues, right, but that it would evolve into something that creates transparency, that isn't just a static roadmap that becomes obsolete until we have a meeting about it.
Q
A
Think what, what I'm proposing is that this moment in time, this next and weeks of time, the thing where we actually create a process for vetting things and we followed the prep. We have a process to find, right, but we haven't really exercised it. We've done it informally, we'll talk about things, they'll be like, oh yeah.
A
Let's do that, and then they, those things have issues, but we, we've not, we're not sort of strictly following this, like, you know, the, where I had it before, they're like the governance process, and as reflected in, like, if you look at the issues, they don't all have the things that are described here, which is caused like, some of them, they're just old, before this existed, right, and some of them we just didn't do, and then we've run into like, okay.
A
So how are we wrapping this thing up, right, awkwardness, and so basically it would be like, let's reverse engineer and make sure that everything in process, like, is actually following our document process, and then sort of see where we're at, and also be, we'll loop in Liz and Joe, who are TOC liaisons, so that if the TOC wants to say, okay, this is what you're doing, wait a second.
A
What about this thing, right, so that, you know, everybody in the group and the TOC can all give feedback and see what we're planning, and then we can also, like, if there's a lot of enthusiasm, like I said, that for things that don't in our roadmap, then we can talk about rejiggering our structure to make that work. Alright.
A
A
A
Maybe somebody who's been around for a while can help that, you know, but we have an issue to say that we're going to do that, and then that the triage team, which anybody who's welcome to join that channel and help, the next step is to actually document this triage role. So we're actually, like, this is, I think I put this at the next, yeah. So we have, we have a little logistical challenge where what we want to do.
A
That, generally, and Justin's focusing on things that are related to the security assessment, and Howard is focusing on things related to policy, and so we have, in theory, and that the idea is that they would, by their role, we thought we could actually have a GitHub permission that allowed that level of authority, right, without full access to the repo. Turns out it's not really a thing. So, so what we have is I'm, ultra Soros, me and JJ, and on a Dan is just a, ought to be on this list.
A
Are admins of the repo, and then Justin, Brandon and Howard have full write access, which is more than their roles we allow for, but then I propose that we just, like, let's trust them, and if, like, somebody in this triage role ends up doing something, if they're bad actor, we'll just remove them. Those of you who know GitHub also realize that anybody with which access can actually make themselves an admin and do whole script things, but, but we have enough people would like.
A
A
So, but I would like to actually, we're having this logistic, I don't know why Howard can't actually do labels, so we're in a little bit of like debugging this thing, and then so I want to like write down what this triage role is. Until we actually write it down and practice a little while, make sure that GitHub, but, like all the things are hooked up, not to broaden it.
A
But then what we could, you know, like if we, what we could do is, you know, like create more compartments where other people sort of shepherd other parts of what we're doing. And then I went ahead, when we were very involved in like sort of setting up the security assessment process, and I created this, this template. So in GitHub you can create a template for an issue type. What's nice about this is it automatically assigns the label.
A
So if we have a type of issue that we know that people make these, like, and I think I wrote up an issue that we should have a proposal one, right. So proposals are supposed to have XYZ. We make a little template. People remember to fill in those things. It automatically gets a label proposal. So then we sort of kind of streamlined this thing, and then unfortunate, because we have only one of these, when you go and you create a new issue here, which I didn't, is sort of an unanticipated UI thing.
A
So right now, if you create a new issue, it's sort of like, oh, all I can do as a security assessment. I didn't quite realize it was going to show up this way, but the idea is you could, like, in the future we would have like a security assessment type of issue, we'd have a proposal type of issue, which hopefully we can link to the process MD, and we could have like a presentation, like if you want to propose a presentation, and that, and those can be streamlined in terms of creating tags.
A
So, so that's, that's just kind of where we are. If, it would be great if anybody who feels like submitting templates and helping us do, you know, just kind of set up the workflow and GitHub. So that's kind of slowing us down a little bit, and just ask everybody's patience. Hopefully we can sort that out within the next week. Does that all make sense to everybody? I don't know, and like not everybody is like lives and briefs kit helps, so I wanted to kind of go through that, especially because we're sort of partially implemented GitHub workflow.
A
D
So I'm trying to summarize it because we don't really have a lot of time, but the, the, the biggest ask, I guess, is towards CNCF around the infrastructure, but at least that is what, what I plan to look after in the first place. Like there are obviously a lot of, you know, content-related issues, and I encourage everyone who wants to contribute to that to jump on D. Let me look it up. What is it called, the.
D
Once we have decided where we want to do it, right, like the, the actual place, like Netlify, for example, other things like picking the right Hugo template and, but I guess for now, if I understood, if cook your gonna focus on the content and get something many more up and running soon, maybe up until next week, and then build it out from there. Did I capture that correctly, our most recent discussion? Yeah, so.
A
We're gonna kind of like, we've got a whole bunch of questions up into the CNCF about like, where does this go, and do you have any guidelines, and what's the URL, and like all those things, I, like different people were answering those, will finding the people, right, helpdesk and whatever, so they'll, that's like gonna take a week or two, and in parallel they, so the idea is we would start this repo with the presentations that we've have.
A
We, well, they'll be on YouTube, we'll have trans, and so there's some that, you know, in this thread there's like some ideas about like, well, what if we had like the YAML metadata on the transcripts and, you know, pointing to the video this way, and then Michael, you know, Michael and I are both familiar with this tool, static site generator called Hugo, that, you know, like just let it play around with putting the metadata.
A
So we have some indexes, and then we, we have a volunteer that I have to track down their email, who comes more from the marketing, curating words side of the house, who I think, who I hope will help us with kind of like, you know, basically taking content from, I figure we, we have a lot of content here and our term. We have a lot of words that we need to make into like, like we could just dick some of this like in.
D
Does work very, like, yeah, you can expect to do that. So I think the only thing we really need to decide, I don't know if we wanted about an hour, probably that dedicated Chandler, and where did we do it, like in a branch on that repo or a new repo, and where do we run it, like, for example, Netlify, and if we don't have a beautiful URL right now, you know, it has some Netlify whatever temporary URL.
D
That's also fine. At least it's something that we can look at and say, yeah, that's, that's how it's supposed to be, and then we could take it from there. At least that would be my, my suggestion. We have something, at least people can look at it and say, yep, that's nice, or something's missing, right.
A
A
A
It will, like, like the assert security assessments, will periodically have some work associated with them. But, but unlike the security assessments, which regularly have big bursts of work, I anticipate the microsite will have a big burst of work and then like not much work until somebody gets enthusiastic about creating a new section, I mean.
D
People are wondering what we were using labels. They're very simple, because GitHub doesn't allow us to, you know, divide a certain issue into certain tasks, so we, you know, then it is not you come like in Jira or whatever, I have an umbrella issue that has all these tasks. So that's why we use some labels there. That's the reason.
A
D
D
A
I also wanted to call out for volunteers who might, who want, like if, if I could, in my dreams, I would have a lead who would curate this new roadmap that is a set of proposals and bring it back to the group. So if there is somebody who is willing or excited to do that sub curation and listing, ideally somebody who's been around for a little while, but, you know, like it's, it's sort of digging through the proposals, and, and I'm happy to work with that person. If you're in you were.
A
Just DM me, because like I could just, it would be great to have a little more bandwidth to put together that set of things and also just have another perspective. But then the idea is that's not a decider group. That is just like curating things, and then anybody who has an issue. Another thing that, if anybody has GitHub foo, I am trying to figure out how to assign what other. I don't know that GitHub rules-wise I can assign issues to some people and not others.
A
A
Though members, yeah, okay, so there might be some way to add somebody as a repo member, like maybe if I add them as read access. So I'm gonna play around a little bit more, because I'd like to be able to assign issues to people without giving them a full write access, so that we can be a little more like, yes, so forth new person and do a thing, without like, oh yes, and you can accidentally obliterate our whole repo. Like, you know, a.
E
A
Cool, so, okay, so it's 11 o'clock. Thank you all for your patience with this bookkeeping meeting, really appreciate feedback, and, and we'll see it like, we try to cue up more of a meeting next time. We have a offline. A bunch of different ideas have been proposed for things, so, so we'll try to get that set up before next week, so people know in advance what we're doing at this meeting. So appreciate everybody's patience and participation in curating the repo, and hang in there, and anybody who can scrub it in the next week.