From YouTube: CNCF SIG Security 2021-03-24
C
B
D
A
So go ahead and fill in attendance. I think that this meeting today should be a pretty short one. We don't have anything much on the journey, so I think what we're going to do is we are going to just do check-ins. I think I see a couple possibly new people here, so we can do some introductions and then.
E
A
A
Magna, do you have, do you want to put down a quick announcement of the block? Is that all good?
F
F
A
Thanks Matt for helping this work, so yeah, that's, I'm gonna start off with kind of just going around. Before that, just the usual. You know this is a recorded meeting. It's covered by CNCF, so the usual CNCF conduct guidelines apply. All right. So just going around, let's see, no updates, Marlo! You have a question about SMI.
E
Sorry, is finding my mute button. Yeah, so summarily I've been going to the SMI community meetings, which also coincide with these ones. So I'm here every other week and their meetings they were, so SMI is Service Mesh Interface, and the reason that they're interesting is that everyone is running their own service meshes and Istio seems to be riveted in various places, and if you're trying to run a particular version of Istio, you often can't because it's riveted to various products, and so I've been pushing for SMI in Kubeflow.
E
But when I went and looked at the SMI adapter, it was version one three one, which is not the current Istio, so Kubeflow is currently updating to one nine and the SMI community is updating to their adapter to one nine, which makes it easier to do that sort of port and potentially run whatever the service mesh you wanna run on, but there's still the authentication piece that Istio has. So SMI has a new Jira ticket open, and I they don't really know where the community to ask. I've put in chat where they're trying to figure out what the interest is in separating out the security part of Istio or service mesh versus the functionality.
A
A
A
Okay, so you're specifically looking for authentication contributions, right, usa.
E
A
Yeah, I see a couple mentions of spiffy swifty spy and I think quite a few people within our company involved with that, so yeah.
E
A
Okay, I think we usually have a couple of folks on the call that are involved with inspire.
G
E
All right, and if you know anyone interested also on other service meshes that are interested in contributing, that would also be useful because I don't want it to become an echo chamber.
A
Awesome, thanks father, let's see.
A
Next up, Martin gonna talk about issue 256.
C
Yes, but first little context, so I have been looking into security security assets, working group and the issues that the working group has created, and one of them was about getting more reviews for security assessments, and when I read it, I just remember the one old issue that was that seems to be closed.
C
C
How can I say, more low-level role into the assessments, and my idea was to to be able to advertise the security assessments towards more junior developers and people who, maybe I'm not sure if there are, if there are any in the group or if there are people who are new to security in this group. I'm not sure, and that was my one of my assumptions, that I don't know how how many, how experienced and who joins, who joins the meetings.
C
But my idea was to somehow make it more accessible to people with maybe no or a little security experience and, as I see it as a way to a way to get more people involved in the security assessments, and of course, I call that I called this role something like a trainee or I know if you should call it the intern or something. But the idea is to have someone.
C
My idea was to have someone from the other reviewers who is willing to answer your questions, if you have more questions, because when you don't know how much about security you need to ask somebody who is more knowledgeable, and I I expect I yeah, I expect that this role will be something like it's an optional role, and if somebody wants to volunteer in that role, you should find the sponsor.
C
You should find a mentor who is willing to help you in the assessment, and if there is somebody who is taking that responsibility, then you can be become a trainer or something. And after you have successfully finished a couple of those or I don't know how one or two you can. Even yeah you can join as a for yeah. It's a food reviewer.
A
Yeah, I think that's that's. I see you've already also posted inside the issue 447, which is bucketing new reviewers.
A
I think we we kind of talked about a little bit about this a while back, like you said, and I don't think we we've had kind of we. We had a couple people just like what we did last time was, we said: okay, here's a review channel. You know, you can, you can stick your head in. You can like listen to the meetings if you're not participating, but at least you know see how it goes.
A
C
C
A
Is this something that you think that you'll be able to kind of propose like if a proposal say like? Maybe you have a mental role and then observe it wrong?
C
Well, yeah, but the issue is closed and I just want to hear others' opinion before from proposing that. I mean that was my idea, because I looked back into the discussion when on the meeting when it was closed and I think it was done yeah. I know one of the SIG chairs had mentioned that, probably it's better to it's better to promote joining as a regular, the viewer instead of joining as observer or trainee, or how. However, we are going to call it.
C
But my point is because we don't know how experienced developers are here on this channel. There could be really on on each of the reviews there could be. There could be developers who are experienced and don't I mean, are not know what they're doing, but also you don't you. You can end up in the situation when you have a couple of trainees, let's say or a couple of people who don't who are not actually knowledgeable enough, and that will be a way this little role.
C
Will this role will be a way to start as a little more, if you're not sure, just start a little yeah.
B
I'll chime in because I was on the on this ticket. I I I think you know initially, the observer role and kind of internment was all kind of wrapped up into the notion of doing an assessment versus what we currently have as a review.
B
I think as a review, where we're essentially passively ingesting materials and then kind of engaging in a conversation about the design. I don't think it. I don't think the skill bar is as high versus when you're engaging in an assessment, you're you're kind of naturally you know just human nature, putting yourself in a more defensive position as the as the project. So you kind of want folks who can go to tech with the developers on particular issues, whether they're, you know, friendly suggestions or actual criticisms.
C
C
B
A
So so, to also kind of add, after that, I think, a while ago we were talking about yeah. We had this issue here. We had a bunch of different issues. We had a bunch of different things that required people, and then we had a bunch of new people that came in and then we couldn't really like there wasn't. There isn't a good way for people to match like a lot of people. Comments like what is that to work on what should we do?
A
A
What are they looking to do and you know hopefully you know we can have a list of people from there and then we can say: okay, yeah, you should check out, you know, be be a security. Maybe in this case, be a reveal mentor or be like be a observer in the review.
C
A
All right so moving along next, we have I'm going to pronounce this wrong. Slug newness.
I
Yeah, it's leading thanks, yeah no worries so yeah. Actually, I'm a new contributor, I just you know, checked out. I guess one of the messages on LinkedIn and I'm a bit involved with the Kubernetes community. You know making pull requests, participating, release, triages and stuff and yeah. I hopped on to the SIG Security, and you know I'm finding my way through the good first issues. I guess that was just a topic that was being discussed by Martin.
I
Maybe maybe I can be a test subject for this for this. You know this experiment, so yeah really looking forward to participate and attend meetings, and maybe you know, contribute my way yeah. So thanks awesome welcome.
A
All right, let's see: okay Magnolia, do you wanna take the mic to talk about the blog post?
F
Sure yeah no problem so yeah, I added the blog post to the chat there. We just released it today just a few hours ago. This is the blog post announcing the Cloud Native Security Day right for for the KubeCon EU 2021. That's gonna happen on May 4th this year and we announced about that we're going to have a CTF and also that we're going to have a live stream during the CTF, where we're going to invite some guest interviewers right.
F
So, for example, here some names that are already confirmed are Liz Rice, Brad Geesaman, Tabitha Sable and Rory McCune and David McKay. So those are people that are knowledgeable about Kubernetes, cloud native and security, and we're going to invite them to talk about the challenges during the CTF and how they would go about solving them and ask about any tools or anything that they would use to to solve those challenges without giving too much away.
F
So we already have that book during the during the event on on the Twitch stream on the Cloud Native Foundation stream on Twitch, and we have two separate time slots, so we're gonna do that and yeah at the end. I just mentioned about the the the prize that we we got from devsecond right about the security team and everything that that Brandon has a picture there holding the the prize. Do you have the trophy there Brandon yeah.
F
F
A
Awesome so so yeah since we're talking about this, maybe we'll we'll come back to you rather later for the for the Custodian. Andy, do you wanna talk about ceo?
J
Yeah sure thing, thanks Magno. Yeah, congratulations on the security prize as well, testament to all the effort that a lot of people put in, so good work. Yeah the we're well underway with preparation.
J
So we have a theme where the we're modeling it on what's happened, of course in in the major kind of internet melting security problems we've seen in the last four or so months, but we're still in the weeds of defining these scenarios. So if anybody has something that they think would be a great learning outcome for attendees or that they think is a particularly difficult thing to do, because really the scope here is all the way from beginners.
J
We look, I guess the second part of the marketing blurb is everybody is welcome from beginner to hardened veteran and really we want a learning path, taking people from relatively easy stuff at the beginning, that's maybe self-evident through to something at the end, that is a pièce de résistance kind of territory so welcome any contribution. If anybody has something in particular that they think would be useful and yeah, please do please do join the day as well. If you want to play on on the 4th of May, thank you.
A
All right and Robert to talk about Custodian review.
B
Yeah, and I think I see capillazone so he can, he can jump in as well. So Custodian is now re-engaged in finishing what started under the assessment framework.
B
So I guess the question is: they've done a ton of work, putting together the the their document under that initial framework. Are we now under the new framework where what kind of a reset do we need to do? And then you know we we would need a couple more reviewers, because all the folks who were available last year are, you know, may or may not be available. So we need some additional reviewers to sign on.
B
So Brandon, from from what is your suggestion on next step for for them?
A
So how many reviewers are there? Do you have signed up right now?
B
Well right now, as far as I know, it's just me because they they just re-engaged last week or well a couple weeks ago, Liz on the Custodian side started reviewing the Google Doc from 2020. So in the last couple weeks, they've finished reviewing that Google Doc, but all of the commitments we had on the ticket go back to you know July of last year. So I'm presuming I you know nobody is currently actively signed on as a reviewer.
B
A
Yeah, I think, can you clean paste the link to the the ticket again in the chat, so that folks in this call can take a look at that, but yeah? I think this may be also a good opportunity to kind of you know for those that are new and want to check it out. Usually we have maybe three to four reviewers, but you know, depending on the amount of interest that we get you know, maybe we can.
B
Well, this should be a good one for for those who are interested to start, because Kapil and team have done a really thorough job on their kind of self-assessment Google Doc. So it's got a lot of detail in there. It's been been thoroughly reviewed by other folks initially, so I think Justin was on a couple of calls with capilla myself early on. So it's it's a fairly mature document at this point.
A
Right, I'm gonna also mock that the one the the issue is, you know, needs help, and then we can so one thing that I think would be something that you could do is try and send the security mailing list an email. We got quite a lot of response from that, where we did it for the white paper and the security map, so that could be a place to to try and reach out.
B
A
Yep, I think there shouldn't be that much it's it's. I think it's small for renaming all sections and then there's like one or two sections which are in addition to that, but I think other than that. I don't think there's too much that should be changed.
A
Okay, yep! If it's too, if you find there's too much work, I think it's because this is kind of like the transition process like this was defined before. I think it would be fine to use the old template as well, but if you can use a new one that would be. That would be better. But if it's too much effort, then don't worry about it.
B
Okay, I think that's probably just a function of how many volunteers we get and if we can break it up into small enough parts, it should hopefully won't be too much. There's def again, I think all the source material that we need is there for sure, like I said, they've done a good job on the Custodian side, giving us lots of good data. So now it's just massaging it into this new format.
A
Okay, I think awesome thanks Robert and last of all, we have Frederick.
K
You know I just wanted to make a minor mention in the CNCF talk mailing list. I put a link in the mailing in the in the documents, but in short, one of the things that we could help give guidance on for projects is how to help with vulnerability with vulnerability.
K
Metrics, because, what's in the pack what's happening, is that many of the metrics are using are not really usable, like saying here are all the vulnerabilities of Kubernetes since the start of time versus here's how many we've discovered in a given period of time, here's how many we fixed in a given period of time, and the general state of health would be useful, but even that still misses the mark.
K
So it would be good to get a few people who are experienced and how to and how to set up this messaging so that we could make sure that the information that is relevant and useful for developers gets pushed out, but also in a way that doesn't make it look to the community that things are much more dire than they than they actually are.
K
So I put a link to the mailing thread or to the mailing list thread or specifically to the message that they called it out from from Liz Rice, but there's a whole thread there that that's been going on for a while. That would be good to get some people to weigh in on. Other than that, just wanted to raise that.
A
Awesome yeah, that's that's an interesting topic of discussion. I think we had Supra also come a couple weeks back to talk about the the the new system.
L
Yeah I mean I, I think this is a general thing about vulnerability management across the board. Right I mean I hold my hands up here. I work for Snyk and that that vulnerability data is coming from us. I've seen that thread. I don't really want to wade into it, because it's like full of controversy and but but also you know, some of the some of that stuff is presentational to do with how the Linux Foundation is consuming the data coming back from Snyk, so yeah.
K
Seeing more vulnerabilities come in best case scenario, you could link them to actual commits, though I don't know how feasible that is, but but, at the same time, here's how your message to your community has to actual actual impact and here's mitigation due to the impact and to get that transparency there well.
L
Yeah I mean, if you're, if you're, if you're consuming Snyk, you know it through the Snyk UI, you get a whole bunch more remediation stuff in there right and, and you get a lot more detail on the on the prioritization stuff. I have to say I haven't looked too much about the what the how the Linux Foundation stuff is is presenting it other than following that that thread. I know there are also discussions going on between the Linux Foundation and us about how they could better present that data.
K
Yeah and so if yeah and it's it's just guidance, I think, is the primary thing like there's no perfect answer so anything that can help them towards not only better messaging but also more meaningful data, because, like it's, it's clear, there's some very rich data that's there and if it's locked away and and behind poorly designed, and I'm not suggesting you guys are the guys who designed the the actual metrics that the presentation of the metrics is just a poorly designed presentation of the metrics can sometimes be worse than that yeah.
L
K
Yeah exactly so, if yeah, if you have any resources or anything like that, you can point towards this to say: hey here's some recommendations on ways you can get more meaningful input because, at the end of the day, metrics are about changing behaviors and they can change them positively and negatively.
K
And what I worry about is that this this type, the current setup, may have more negative impact than positive impact and is not actionable, and it can get down to the point where they're actionable or and helps tell the story in a more clear way like if we're seeing like over time that we're seeing more vulnerabilities that are directly like that, the code scanner itself is catching in the actual commits.
K
Then this this tells a story and there's multiple interpretations of it, but it's more detailed than you know we're flying blind and versus the current set of metrics, which it's hard to tell how how used how useful they are. So anyways yeah just wanted to make sure that this is something that we can get some people to. Possibly, if it's something you're all interested in that we can it's an area that I think we can.
K
We can provide with a little bit of effort to provide some decent guidance to help move the needle towards a better.
A
Place cool sorry, just quick logistics all right now, you're there.
A
H
H
K
I don't know, I think a lack of of answer is the answer.
H
Okay, how do we are there any actions on this vulnerability conversation that we need to take up as a.
J
Team I mean if people want to have a conversation, I'm happy to jump in. I I think it's vulnerability management and assessment is not a dark art, but it's certainly it's a difficult job because it requires so much knowledge of what those security things are and yeah. I I have to jump in and kind of provide a perspective.
J
If, if that's a conversation we want to have.
H
Sure Matt I'll include you, I don't know who was described earlier, who was taking notes.
L
K
Be great, have you if you'd like to add me as well I'd be happy to to provide information from a consumer's perspective as well. This is Frederick Kautz, K-A-U-T-Z.
M
H
Yeah that that's a pretty good sized small working group, and there could be some good deliverable that can come out of that, that we can publish as well so yeah.
M
Matt, I also just put a note on that on the chat, if you can add me as well.
L
H
Wonderful and do we need to create an issue for this? I think it'll be good to have an issue, so we can track progress so I'll create an.
H
M
Or agenda items, and this is biome, I did have a a question, so I was trying to finish up going through the native security map, vanilla document, and I noticed I mean it's, it's trivial I think, but I I'm gonna just bring it up to see what other individuals' thoughts are. So as as I was going through the document, I noticed there's a slight flow break on the topics. So as an example, I noticed how we have static code analysis and DAST somewhere very further down in the list.
M
I think it's part of I think it was part of distribution, even I'm just general recall, but it was after you know, building an image and I was just wondering: should we have it more tailored towards what our normal pipeline would be so when, when, as you're reading this they understand at what junction they should introduce a static code analysis and data versus you know, you now have an image. You now have a manifest. You know all the different stages and just to make it a little bit better.
H
Yeah, that makes sense, but as you're aware, we are doing your retrospective right now and we are gathering feedback on how what we can improve in the paper. So if you would like to send that feedback to the person who's gathering it, I I juggle is his name.
H
I can put his name here: he's gathering the feedback. So if you provide the feedback, then I think in the next version we can take that up, okay and update the paper, because there's more work to be done. Obviously that was done in a very short timeline and we just published the paper, because we wanted to announce that at the KubeCon and have something out there, but of course there's cloud native security. You can write books on it right, so there's a lot of a lot of scope for improvement there.
H
So there is a blog post as well and there's a survey being sent out by Pushkar who will be gathering all the feedback, and then we can consolidate all that feedback and release the next version when we have all the updates up.
H
Sorry, I kind of had to jump in so I'm not very prepared with the agenda items, but I thought we had very small agenda today, but the conversation was great. So thank you all for attending today. If you don't have any other items to address and we'll talk to you next week.