From YouTube: CNCF SIG Security 2020-09-23
C: Brandon, do you have Justin's slide set? Are you going to present?
A: Actually, I'm going to present them, and I put them in. I copied it and pasted the template, which is a little different from what you all have been doing for a slide, so you might have to update the little blurb I put in there, but I pasted in a link to the slides and then I can also present.
A: Yeah, and what I'm gonna try to do is keep it to like 20 minutes or less and just zip through things and then hold questions, because I don't know what people are going to want more and less about. Except, I mean, Brandon, please interrupt me if I get anything wrong early or leave anything important out, because I took Justin's slides and then added some links and pictures and diagrams.
C: Okay, so for everyone, make sure that you add yourself to the attendance list. If you're a new member or if you have an update, provide your name and we will do a quick round robin on updates before we get to our presentation. Let's go ahead and get started, then. Ash, do you have an update?
E: Yeah, I just had a quick update on the Keycloak assessment, so the PR's open for reviews and suggestions. So if you all are interested in adding your comments, please do so. I'm gonna paste the PR link in the chat for those interested, and yeah, feel free to add your comments. That's pretty much it, that's my update.
C: All right, who else? I have a reminder for everybody to submit CFPs for Cloud Native Security Day North America 2020; links are available in the past meeting notes. All right, who's next? Brandon, no updates? No other updates from anybody? Any new members?
A: Can you see "A Perspective on Security Assessments"? Yup. All right, so Justin Cappos prepared most of these slides, but it's one o'clock in the morning in Shanghai, so I added a little bit of color and links and diagrams and my thoughts to the slides and volunteered to give the presentation. Brandon has also been part of the team from the beginning and pre-reviewed the slides and might chime in.
A: This is supposed to sort of set everybody's context about what the heck these security assessments were intended to be and where we are now, and then there'll be a discussion which Emily will facilitate.
A: So this is from the README: security assessments are a collaborative process for the benefit of the cloud native projects themselves and prospective users, by creating a consistent overview of the project and its risk profile. Justin is the security assessment facilitator, which means he runs the process. I am a co-chair; for each ongoing project at SIG Security we have a co-chair representative, so I'm responsible for communicating to the TOC and the outside world who has any concerns about this, and escalating things up or down.
A: You know, I don't want to really say up or down, but across to the broader organization and to the review team, and vice versa. I'm also responsible for reviewing every one, or generally being the go-to chair for a review of security assessments, although JJ has done a couple, either when I served as a reviewer or was on a leave of absence this summer. So, the history of the process: in early 2019, we were getting requests from the TOC for evaluating projects, primarily ones that had not yet come to the CNCF, and Justin Cappos,
A: who had done this as a TOC contributor previously (he'd actually done it, I think, for SPIFFE and SPIRE, maybe another), did a first cut at what our process could be, that any number of people could follow, and so we generally thought this was a good idea. We liked his process, but the PR, you know, got into the weeds for many months.
A: While there were many ideas that would be improvements to that, we put those on the table and said that we would do five reviews and then review what works and what doesn't. So we merged the PR in early May with a number of open issues, and I linked to the ones that were open at that time in case anybody's curious. And then in May, Justin reviewed what we were doing at the KubeCon session, and then up to now we have four completed and a couple in progress.
A: So even though we haven't finished five, we think it's long overdue to do our first-five process improvement thing. So this is the sort of very cheat-sheet view of the process. We identify the team: both the project lead, and SIG Security has a few reviewers.
A: The project lead provides a draft document, what we call a self-evaluation, and there's an outline for that. There's a naive question phase, where the lead security reviewer or their delegate asks clarifying questions so that we have a complete artifact, and then the security review team does a close read, asks questions, typically comments in the Google Doc, and requests
A: revisions, usually like "more detail on this item", "confused by that", and there's a back and forth with the project lead. And then there's a presentation and discussion at the SIG Security meeting, usually some further revision, and we do a summary assessment, where it takes a bit of work to get an overview of this thing on one slide. That seems to have value to the TOC, because for every one of these we've actually done a presentation, and that seems to go over well.
A: So, to get unstuck, we all met together at DockerCon in 2019, where most of us who were kind of scrubbing in on this process happened to be, and we came up with this timeline. So one of Justin's key concerns, which I thought was really good, is that these things shouldn't stretch on and take forever; somebody signs up as a reviewer,
A: and we should be able to say it's going to take this much calendar time and this many hours to get this done, and maybe it's a little more at the beginning, but we should be able to get a reproducible process. So we realized later that "dumb questions" was an inappropriate way to phrase this, but the idea being we'd spend a couple of days just asking these naive questions of, like, wait,
A: how are we going to make this work without incredibly detailed documentation that we can't agree on? So what we decided to do is we would start with the four of us, who were then Justin Cormack, who's also on the call (hi Justin), Justin Cappos, who actually recused himself from the very first security assessment because it was in-toto, which he's a contributor to, and then Brandon Lum and myself were the team. And then the idea being, all these little thoughts were at every step; like, the rows are different security reviews, and we would ensure that at least one person was consistent from a prior review.
A: So we could get to the point where a future requirement of security assessments is that you've participated in a prior assessment. But how do you bootstrap that? So one of the things that I'm super excited about is we did a really good job with this, I think, and I'm of course speaking from the perspective of having participated in almost every review, so I'm really interested in hearing other people's thoughts on how it went for them.
A: So you can see in the darker colors the first four of us and how we participated in different reviews, and then we had sort of a challenge as we broadened the number of reviews and we had multiple reviews kind of starting
A: at the same time. And I remembered that Robert was participating in an earlier review, but he might have been shadowing; but in any case, we did do a good job of having consistency, and we decided that if you were a project lead, you really got the review process and then you could lead a review. And it's exciting that Ash, who I think is also here today (yes, I heard you announce yourself), is, you know, leading a review now.
A: So I'm going to go through these quickly and then we can come back for any questions or points of discussion. So then, Justin, I'll just go over this according to what I've heard from Justin and what's written on the slide. So Justin's reporting: what seems to be working is that the completed assessments are valuable to the projects. It scales fairly well, and it seems like the review is not too burdensome for the reviewers, both the project and the assessors.
A: The security reviewers get to explain issues in their own words, so that you get the sort of perspective on security from different voices. What's not working so well is project and reviewers tend to drop in and drop out. He has a question about TOC requirements, which I'll address later in the presentation, and assessments vary in the level of detail and the type. So some things go more into threat modeling, some have more user guidance review.
A: There's been some that have had a lightweight code review, so there's variability, which he saw as something that's not working. I'm not sure that's a problem, but that's just me, that's my view. I generally plus-one all of Justin's comments on
A: what's working. I've also participated in hearing from the TOC on each one of these and gotten positive feedback, both during the meetings where these things are presented and offline; people have mentioned it to me. I find that the consistent assessment outline means that doing a second or third review as a security reviewer makes it much easier to just go through and do the review. Also, when I go back and think, oh my gosh, what was that project exactly?
A: How would I describe it to somebody? It makes reference really easy, because I can go right to the section. I don't know whether it'll be interesting to see whether other people read many reviews besides the co-chairs of SIG Security, but one of the things that's working is we've had, and you know at the very beginning we were like, well, will people really want to do this? Will this be a burden? People do this for their jobs; will they want to volunteer?
A: So there's been a nice number of interested and qualified reviewers, so that's been good to see, and then the project board I'll talk about in a minute.
A: I think it has really worked for me in terms of helping that communication outward and inward. So, not working so much: the lack of clarity between the security assessment and the CNCF due diligence. Some of that has been that their process has evolved, so we've kind of had to absorb a little bit of evolution there.
A: That hasn't always felt so great to the projects, but we're working on it and I'll talk about that more in a bit. And then the lack of consistent execution: sometimes it's individual people dropping in and out, as Justin mentioned, and sometimes there's been process confusion. One person is waiting for the other person to do something and we're just like, wait, it's been three weeks, what's going on? Or a month and a half. So I think there's been some improvements and there could be some more.
B: I wanted to just go ahead and, since one of his not-working points was that different assessments kind of looked a little bit different, I just wanted to point out that it's not that some assessments were lacking in certain areas. It's just that some projects kind of already had prior work done in certain areas, so they just had a much more extensive amount of content there. So I think it's kind of like every year.
B: I just want to point out that every assessment kind of met the bar of what we wanted to get out of our assessments; it's just that some of them went a bit further to kind of show a little bit more.
A: That's a good point, thanks. So I just want to point out, for people who haven't been here since the very beginning or maybe have forgotten because it's been so long, what we've done: even though we said we're going to hold all the process improvements to the end, certain things that were getting in our way we fixed. So the idea of having one of the reviewers,
A: typically the security review lead, review the self-assessment and really go through it in detail has really, I think, helped, because, one, you get this sort of unfiltered, unbiased, everybody-reads-the-same-thing for the review team, and it's also easier on people's time. The security assessment queue that I mentioned, I put a little picture of it here. Having a blocked column makes it clear which things are in the backlog, meaning they're
A: ones we don't have the bandwidth to do for whatever reason, because we've been trying to only have one in process at a time, but we sort of relaxed that lately; and which ones are blocked because they're missing a component, and typically this has been the self-assessment, which wasn't clear at the beginning, right? It wasn't clear that that would be the time-consuming bit, and I think there's process improvements
A: we could do for that as well. And then there's a done column, which I didn't illustrate because it's less exciting, although I'm super excited about it. And then the other thing we added was the intake process, which was kind of started before this assessment queue, because people were like, well, I don't want to do my self-eval
A: if I'm going to be sitting there waiting, you know. And what's going to decide what, if we have two projects ready at the same time and only one review team? Again, this is from when we felt like the review team was a scarce resource, and, right, I think things are a little different now, but it was a healthy process.
A: We talked it over with our TOC liaisons, then Joe Beda and Liz Rice, and with the different security reviewers, and then we presented this to the TOC writ large, and we sort of adopted this process, which is pretty straightforward.
A: It's just prioritization. Mostly we do it on our own, but if at any point the TOC is like, we really need this project to be assessed, they can preempt that and add it in the queue. So the idea is that the TOC won't interrupt a review in progress, but they can bump something up in the backlog.
A: So the other thing we improved is the conflict of interest guideline. We saw that there was a case where a whole project was stalled because we were like, is this a conflict of interest?
A: And, you know, should somebody recuse themselves? And then it was like, you know, no need to wait and kibitz about it while other things would move forward without discussion of something that was maybe as significant. So I wrote up something at the TOC level. Brandon did a nice PR. We actually still have an open issue where things need to be clarified.
A: I noticed some formatting errors this morning, so some of these improvements are very much still in process. And then the big question is, how does this fit in with the security assessment stages? So in the last, I don't know, about six months ago, the TOC did some work on really clarifying these stages.
A: So this was always documented, but there was a lot of confusion, and so there's this due diligence that the TOC, the Technical Oversight Committee, is responsible for: looking at the project and saying, should it be part of the CNCF? And so what they're communicating here is that the majority of their due diligence, the really thorough review, happens before incubation and there's a lower bar for sandbox, and this is a clarification that wasn't, or maybe it's not clear with
A: It seemed to be inconsistent for those of us who aren't in every TOC meeting, and so this clarified it for us a lot, which was great. But how does this relate to our assessments? Well, first, before we get to the assessments, the CNCF pays for a third-party security audit, which is like some traditional security audit, with penetration testing and code inspection and ticking all those boxes, during incubation as a prerequisite to graduation.
A: So that's important to know, that that takes place and has taken place for half a dozen projects, and there's an open issue: they're supposed to be listed in our repo and we've been working on finding them, collecting them. So what we've agreed on so far, last year with Chris A., who does a lot of the operations for CNCF,
A: is that when a new project requests an audit, he will tell them that they need to do their SIG Security assessment first, so that ends up being a feeder for the audit. It should make it so that the money spent on the audit can be more efficient, right, because they can take that as an input, and then it creates a little pipeline.
A: So the sort of proposal that some of us have talked about is that we could make it so that the self-assessment is a prerequisite for incubation. So during sandbox phase, all projects are required to do a self-assessment; that becomes a feeder for the assessment, which would then be something that is required at graduation, because it's a precondition to the audit, which is required for graduation. So that's the idea.
A: We have told our TOC liaisons and team that we're not going to propose this until after we do our process improvements after our first five. So while we've talked about this, the reason it isn't inked is because our precondition was five assessments and process improvements, and then this and some other things, whatever we determine. So I think that the chairs and the TLs basically are like, well, we're close enough: we've completed four, we have two in progress, it's long overdue.
B: That's kind of what the details are that the TOC is looking for from the SIG about the project, and we were looking at the questionnaire when we were creating the self-assessment as well, and also trying to see how we can map onto those details, so that it's not only a good document for assessment but also covers kind of the main points that the TOC is looking for in the project.
A: Yeah, that's a good point, Justin. We have projects, basically, for everybody who hasn't been in the weeds here: every project is kind of categorized with one SIG, and so.
A: Oh okay, yeah, so we get sort of assigned by the TOC. Here are the projects that SIG Security has some kind of oversight or participation with, and most of them are projects that serve a security purpose. What we need with the assessments, called the security providers, right, they provide some key aspect of security, and so we have prioritized those projects for assessments, both in terms of our outreach and in terms of what we focus on.
A: But we do think, we've said, that we want the assessments to be done ideally by all the projects, because all projects have a security aspect, right. It just might be, you know, we haven't had that experience yet, so it might be a little different. Maybe it's going to have a different template, maybe it's not, maybe it's just going to be a different shape.
A: We don't know, so I guess it'll be an open question whether the self-assessment will be required, or maybe that's at incubation, or, you know, we'll figure it out. Thanks, Justin.
A: Should I move on to Justin Cappos's final thoughts? So Justin Cappos, not present, says he's had a heavily weighted voice on how we got here, which has been wonderful, right, because he's driven us to actually do stuff, and many people have this experience. So he encourages SIG Security to form a small subgroup and actually revive, you know, do this formal revision of the process or propose revisions, and he can be available for questions and opinions and to participate.
C: 28 minutes, Brandon and Justin Cormack and Justin Cappos. If you're watching this later, for the presentation, I think it did an excellent job capturing a lot of the historical knowledge and context that we just don't have anywhere in the repo, and the small instances where it does exist would be very hard to find.
C: So we wanted to kind of bring this up and present it to everybody, because there's been a lot of questions about how we do these security evaluations or security assessments for the different projects that are presented to us, and we've gotten to the point, as Sarah had indicated, where we've done enough of them, and it's gone on long enough, that we feel like we have a much better understanding of where process improvements need to occur, whether or not we actually know what those improvements explicitly need to be.
C: We want to kind of queue up a working group, hopefully get volunteers from the community, and this is a great way to get involved if this is your first opportunity to start contributing to the SIG: to kind of look at the way that we've done things and the processes that we've had, and how we can improve them and make them better, not only for members of the SIG but also for the projects within the CNCF that are moving through these different cycles.
C: As Sarah had said in the slide deck, we talked an awful lot about self-assessments being at pre-incubation, some point at the sandboxing stage, which would be ideal and helpful for a lot of projects, because that self-assessment kind of gets them in more of the security development mindset about what it is that their project is doing and how it fits from a security perspective within the rest of the CNCF, as well as focusing on their own development practices.
C: So that's kind of the background for why we're having this conversation now and what the needs of the SIG actually are. So I want to kind of open it up to any questions that folks may have for the TLs or the co-chairs or anybody else with the history on this, and then hopefully we can start kind of teasing out the working group and a little bit more of the direction for that to take.
G: I can share the fresh experience from the Keycloak side. So in general it was good and worth doing; like, the outcome, I think, has a lot of value, even as reference material for the project, outside of getting the badge of, you know, getting the assessment. I think, on kind of what could be improved: it has been time intensive on the project side, and I was wondering, is it a barrier for some of the projects?
G: Then, you know, kind of like projects with a good community but more targeted contributions, so companies showing up contributing in future but not really stepping up to do something more, and then some projects which had really no one paid, like all of the maintainers are doing it as their evening or, kind of, being engaged outside of work. And it wasn't totally, like, a few days of real work to work on the self-assessment part.
G: So for instance, some projects which have this kind of, like, none of the maintainers being paid to work on the project, and they have aspirations for CNCF; and for them, I guess it would be a hard barrier to work on something like this outside of the working hours, and they could stall. So what was kind of, like, most of that: it would be worth having a kind of time frame, so it starts, it stops, and like we.
C: No, okay, so there's currently several issues. They are linked from the September 17th meeting, which, Brandon, I don't know if you've pulled them up yet, but we'd like to try to get a group of volunteers to kind of work on refining what this process looks like. So you've heard from the Keycloak assessment how that went. We have plenty of other videos on YouTube from other feedback sessions with other assessments that have been run, and we've also got.
B: Yeah, and just to kind of add on top of that, so I think what we're discussing is that we realize that there's going to be various aspects of ways you can improve the process, whether some of it is maybe redefining it, and some of it maybe making sure how to improve from the execution side. And from kind of this working group, we may split them into slightly smaller groups to focus on whatever people are interested in.
A: Yeah, I was thinking that the first step might be to just triage things into, like, there's a bucket of things that are "this isn't clear, I don't understand this, this doesn't make sense to me", right, that are more like, not "this doesn't make sense to me", but clearly it's not documented well in certain places; and then there's other issues which are in conflict with each other.
A: What do we think? And then, if that group can get aligned or not, right, at least tease apart the big questions and then present back to this group and say: okay, we considered A, B, C, D, E, F, and we think D and F are good big changes; or we considered all these things, and actually we fundamentally think it's reasonable with these tweaks, or whatever, right. And then go forth. And an important part of the process is having it all written down well, so that people don't get confused in the future.
C: Yeah, so I linked issue 167, which is the source issue to do that first-five improvements process. So it looks like there's quite a few people that are interested in contributing to this, which is excellent, happy to hear that. If you all can comment on the ticket, that way we know who's interested in joining this, and we'll also post it in the SIG Security channel as well for anybody that's not on the call today, to kind of start consolidating that. Sarah, do.
B: I think the last time I volunteered to kind of help with this.
D: The totally pragmatic question is: is this a nine-to-five Eastern time block kind of thing, or how do the meetings operate?
B: So, for the working group, at least what we've done with the other projects is, depending on the set of participants, we'll find a time that works for everyone.
C: Okay, so Brandon's gonna facilitate, with Justin and Sarah helping out, and if you can go ahead and comment on the issue 167, which is linked in the chat, that way.
C: Okay, that went really quick. Does anybody have anything else about the assessments process that they want to bring up right now?
B: I have a quick question for Justin, actually: are we seeing a need to present the assessment to the TOC?
F: Good question. I'm not sure at this point, but we should, quite possibly yes. Okay.
H: The next one that's likely going to be available is going to be probably later in October, I believe, yeah. Let me go back and look at a calendar here.
H: Yeah, if you wouldn't mind being able to put this into your normal updates. The next meeting where we have the SIG updates to the TOC is October 6th, and you are all about to get pings on "come update your slides", so yeah, that'd be super. Thank you, all right.
A: There's a one-slide summary; it's very challenging to get into that one slide, but the lead security reviewer is responsible for creating that slide, and then the presentation, like half the slide is the project saying their thing and half the slide is what the SIG says. So, depending on how much time we're allotted, one person might give the whole thing, but it's important that a person from the project and a person from the review team be there in case there's questions on either.
B: Yeah, let me try and find that slide so we can share that with you.
C: Okay, while Brandon tries to do that, did anybody have anything else they wanted to cover?
A: I have an announcement. Go ahead, Sarah. So we have nominated Emily as a new co-chair, and the current chairs, including Dan, whose official term has ended; we have a little, not quite, overlap. And the TOC liaisons have all approved this, and so the process is that two-thirds of the TOC needs to vote on any SIG chair. So the nomination has happened; it's linked in the notes and in the Slack channel. The TOC generally really likes it when the community says stuff.
A: So please, you know, specific comments are welcome, and chiming in on the thread. I think you might have to be a member, like sign up for the TOC list, to comment, but I just want to make sure everybody was aware that that's in process. Yeah, that's my announcement. Oh, and Dan's here. I did also want to say thank you, Dan. Dan was
A: one of the chairs of what was originally the SAFE working group, Secure Access For Everyone or something like that; I think we had different opinions about what the acronym stood for, and then it became SIG Security at CNCF. And Dan, it has been, I didn't know Dan when we started this process, so it's been wonderful getting to know you and working with you, and thank you so much.
H: Hey Emily, I will change the calendar invite to reflect the new passcode.