From YouTube: CNCF SIG-Security Meeting - 2018-10-12
A
Entering the week, I have news on the job front that I will probably show next week, but the search is done, not just before and beyond that. Coming live from no just interactive, and we're doing a big collaboration event. So I stole a conference room and I'm hosting from here. I wasn't... let's see who's up next. Jerry, once again? Sure.
G
Hello, everybody. I don't have too much to say, except that I did touch base with my co-lead this week, and he and I are both kind of thinking about taking a step back to reflect on all the comments that we've received about the suggested security subcategories and giving it another look. So hopefully we'll be able to do that in the next week, before the next meeting.
H
Back safe and catching up on things, and I did review the governance PR and I love it. I have a few minor tweaks and some stuff I want to get back and propose some specific words on, but it is just really great to see that coming together. I think the one thing that I don't know whether people want to add is: are we gonna talk about the governance system, or not?
I
I'll also still wait for some additional feedback on the compliance scoping doc. That's out there, and I've been putting together some additional suggestions in there that I had today, namely around IETF and other standards bodies, and how they can potentially relate to some of the CNCF project landscape. So I'm thinking SPIFFE, TUF, and how potentially those can be proposed to those bodies if warranted. And then also, Dan, I sent you the intros to dr.
A
B
I
A
C
Martin
welcome
hello.
Thank
you.
This
is
it's
my
first
time
on
a
call
I've
been
lurking
on
the
repo
for
a
few
weeks
now,
geez
myself,
I'm
Angie,
Martin
I
have
a
policy
called
control
plane
in
London
and
we're
focused
on
ultimately
container
and
Cuban
acid
security
engineering.
But
it's
basically
that
narrow
scope
is
almost
wider
when
you
consider
house
containing
get
P
pipeline,
etc.
C
So
we're
just
basically
doing
dev
SEC
ops
with
containers
focus
and
we've
been
working
with
Santiago
for
the
past
few
months
for
now
boiling
in
toto
with
with
a
web
facing
customer
anyway,
and
that
sort
of
bring
some
commercial
requirements
back
down
and
in
lovely
time,
everything's
going
very
nicely.
So
hello
I'm
very
pleased
to
be
here
and
hope.
You
awesome
welcome
and
Erica
I.
J
The thing, though, that I've been thinking and wondering about, in particular for the Kubernetes case, is how to both deal with concurrency, or concurrent events in distributed systems, and whether it makes sense to have, like, full gates at certain points, or what does that mean when there are multiple timelines of the truth going on, and especially also what that means for, more like, attributing actions to any one individual. Should we look at ways of extending that, thinking about it more comprehensively?
E
Hello, yeah. For most of this week, I just did the CNCF presentation, pretty much, and I reviewed a little bit of the governance documents, mostly for inspiration, because we're also starting to, like, get a more formal process for, like, building our in-toto standards and contribution guidelines and...
G
I don't think that there's anything new this week I'm looking for feedback on, but one of the things that I'm gonna be thinking about and reflecting on in the next week is whether the subcategories are well named, and I suspect that it would be helpful to get the perspectives of people who come from different backgrounds on that.

I mean, that could potentially use improvements too; that's all part of what I'll be looking at in the next week. So I would say that if you feel like you could offer an interesting perspective on that, or even if, you know, you're not sure if your perspective would be interesting, I would still like to hear from you. That's questions, yeah.
E
No, look good, nope, good, okay, great. Take it away. So just to give some context, I tried to... my understanding from what you mentioned last week is that the CNCF application process was changing into a presentation, and this presentation was kind of the first draft to see exactly how they may look. So I tried to pretty much take a look at the existing TOC guidelines for applications.
I tried to massage it into something that was a presentable form, and I also took some content that I had. There's gonna be a little demo about the Python reference implementation. But let's see, let's see how this whole thing works out. So yeah, I think everyone here already knows that I'm all about in-toto and, like, I would say, no longer just the lead designer of this solution, and I'm going to talk about how it matches the cloud native landscape and how it's very necessary for securing the next generation issues now.
Well, the application, we need in the description, so I just put it as it's lying there: in-toto is a framework to secure supply chains in and out of the cloud. Most of the current cloud native deployments use, like, very diverse, very configurable graphs of nodes that interact with each other, and most of them perform operations on artifacts to either do quality assurance, like a vulnerability scanner, or transformation, say a Dockerfile or a regular build or a linting or anything like this.
Now, something that I wanted to do is to give a little bit more background as to what this means in terms of the description, and I'm going to use a very, like, idealized supply chain, and I'm going to walk through exactly how things can break in this context. Now all of you may, like, laugh about how simple this is, but it's pretty much, like, a very vanilla application that you may check into GitHub. You may be using a build system.
You can also, even though there's point solutions we've worked on in this (I made some), just to, like, increase the security of parts: there's a metadata store you can use today, and most of you guys are still familiar with TUF, which is a solution that takes care of what would be this, which is the last mile of software delivery. It has pretty much resulted in securing many things that you guys are, like, familiar with.
You may recognize it all going there, and yeah, like, all of this is good news if you secure individual aspects, but the complete problem is not fixed. There's gaps between steps, which is how these nodes interact together, and there's also a matter of compliance: you can sometimes, even though the step exists, you really are not listening to what, for example, security scanners are telling you. So what in-toto is all about is to secure the complete supply chain. In toto, it means "as a whole" in Latin, and it is not a coincidence.
Well, you really want to do a holistic, complete, thorough verification of the supply chain as a whole. In key points, this means that we want to verify all the defined steps of the software supply chain. We want to verify, or rather define, who is able to enter to perform operations in the supply chain, and which operations, and then guarantee that everything happens according to how this definition is done and in no other way. So to do this, we pretty much use two things: the layout and attestations in the form of link metadata. Now, the layout.
Here's, like, a toy version of it. It's pretty much: what steps exist in the toy example that I showed before? Well, we have a version control system, a CI system, we had a build server, and we have a packager. It also tells you who's able to do what; for example, Bob should be able to interact with our version control system, and Dave, who is the owner of Travis, is the one that's performing the build, and Carl and Erin will be the ones that build and package the final application.
We also have, in the layout, a series of rules that define how these artifacts interrelate to each other, to make sure that all of the artifact flow is done properly. In this case, we know that the sources that were created by Bob, and no one else, are the ones that we need to either check down the CI system, and the ones that are needed to be sent over to the build server, and what Carl built is what it's...
The only thing, only what Carl built, is going to go into the packaging infrastructure, and it also has a signature to authenticate who created this layout. In this case, we know that Alice is the owner, or the CISO of the company, and she's the one that says exactly how the software is built, and that's why we have her signature in the layout file.
The counterpart of the layout file, the other yellow piece of metadata, is what we call links, and links are essentially attestations that each of the actors that were selected in the layout create every time they perform an operation. For example, Bob created the source code, or checked out source code. He will report in a link what was in the version control system. In this case, you will see in the bottom left that it says foo and the secure hash of foo.
So that's what we're going to use to link things together, and finally, once we have all of the links and the layout and the final product, we bundle all of it together and send it to the user. This can be a package manager. This can be an admission controller in the case of cloud, or it can be just a general audit scanner that you can put inside of your container orchestrator to, like, continuously verify that all of your images were produced properly.
E
So, basically, the layout, as I said, is essentially a policy that you define for your supply chain, and everything connects together. In this case, the key points to consider: steps, which are what are the steps to perform; functionaries, which are the people that operate on this supply chain; and a series of rules that link the steps together. There's also other useful information, like an expiration date. You may want your layout to expire, so you can keep the policy fresh.
Every couple of months, for example, and of course it has a signature of the whole thing, so you know the layout is trusted, that the right person created the layout. Inside of the layout, you find something that are called steps, or step definitions. They essentially describe who is able to perform the step, and it contains a series of rules that will limit and interconnect steps together. For example, this is, like, an exactly simple rule. It says, create to not be Y.
A docker build step is actually building a docker image with this tag, in this case. Of course, for the version control system, there's no foo and then there's a foo, and you want to, like, ensure that this happens. Another example of an artifact rule is, for example, match, which is what you use to link steps together. Match, in this case, is matching foo that was created in the tag release step there. So, for example, this was done in the build step.
Another, like, interesting element inside of the layout is what we call inspections. So far, we only know who did what and how the artifacts interconnect together. For example, you may want to know if your CI system doesn't have any instance of the word "warning" inside of it, or if you are running a vulnerability scanner and you want to, like, verifiably ensure that there's no CVEs with a CVE (and I forgot the acronym) score higher than 7.
You can pass these signed push certificates forward, and you can use them to, for example, enforce that only certain people merged into master, or that no people that are not allowed into the project created any commits, or that no commits are inside. That's the kind of information that you would verify using an inspection. Now we're going to the fun part, the demo.
Let me try to do another shuffle. Does this work? Awesome. Is this one size good? Looked a little small. Better, better, awesome, okay! So in this demo we're essentially going to follow what I did for the presentation. I'll essentially use the in-toto Python implementation to create a layout, we'll see the layout together, and then we're going to simulate a lot of functionaries acting through the supply chain until we have the application step, and we can verify, and we can see that everything is verified properly.
So remember, Alice is the one that creates a layout; she's a project owner. I made a helper script just to...
Now I created a layout file. Just to give a little bit of, like, a quick guide on what's on it: you can see there's a bunch of rules in it that are connecting all the steps together, there's a bunch of public keys of the functionaries that are saved into the layout, and if you see there's a key ID field here, that key ID is the one that we put on the steps. For example, this is a step, and that's how we tell that, for example, this packaging step...
Check out the repository and then create the signed attestation of that specific checkout. So in this case we created this piece of link metadata when we ran git checkout; that created an attestation of the operation that we performed. These attestations, these pieces of link metadata, are what we're going to use later to essentially build this graph and verify that everything is proper.
Now, as you guys see, this new piece of link metadata will be created by recording both states. It originally had the secure hash of foo that was checked out in the version control system, and then, as a product, it recorded the new secure hash of foo. This is how we're going to start tracking artifacts as they move. Now we're going to move to the last step in the supply chain, which is Carl.
Yeah, now it actually ran. The clone step, but the step I performed says the repository existed because I didn't clean up properly, so the step was failing. We can actually see that the return value is now zero. Did you check out the final product? The old version of the link metadata had, as a return value, 128, which meant the step had failed.
E
No, we'll use the latest... revocation using expiration dates, but we don't have an explicit mechanism. Something that I'll talk a little bit about in the roadmap is that Notary and TUF, for example, are great additions for handling namespacing of the metadata for projects and for explicitly revoking certain, like, namespaces within the supply chain, without rotating the whole layout, for example. Right, this.
B
Yeah, there's... within this, currently in-toto doesn't have a separate time server component. But if you shipped and verified in-toto metadata from a TUF repository or a Notary repository, then you automatically get that. So it's not sort of, like, hoisted into the system as a separable thing; in-toto in general assumes that you have this. It does... there are ways, like, you can do key and link revocation and stuff like that in in-toto, but no, there isn't a separate, explicit time server like there is with Notary, yeah.
E
Something to add to that is that TUF and in-toto are very, like, metadata-friendly to each other. One of the integrations that we have right now, they're actually using TUF and in-toto together, and we're thinking of standardizing that mechanism. That's a way to just, like, get the complete supply chain security out of the box.
I
So this is good stuff. Thanks for taking the time to share this. Is there using in-toto to validate referential integrity between artifacts? So you mentioned that artifacts can really be anything from binaries to source code packages and whatnot. But let's say I have some sort of artifact that's maybe an attestation artifact in the context of risk management. How can I validate that that artifact is, you know, from what it says it's from?
E
Let me see if I understood your question properly. Something that we do have is the concept of sub-layouts, so you can essentially have part of your supply chain steps be part of a third-party supply chain. Say that you're using a couple of Debian packages in your docker build; you can verify that those Debian packages themselves were made on a proper supply chain layout that follows the best practices and everything within it.
B
I think there's another component to that that kind of comes up here, which is that you can also interrelate aspects of how your other things got built and how they work together. So, for instance, if you're saying, you know, the library that I'm using here should be built by the same compiler as the main project, or something like that, you know, you can also validate, can verify all those sorts of things that happen. So all those sorts of things like this, you can imagine expressing, are expressible in in-toto.
J
Another question, real quick, related: how to sort of verify the information flows are secure? So what is, I mean, especially in situations where the system is running on itself or triggering the other actions, is there a way we can kind of incorporate and have a, you know, have a security model, a proven security model?
E
So something that we do have in the metadata right now, it's kind of like a vaguer structure, is environment information, an environment dictionary that you can expect. Something that we've been, like, tinkering with, and we don't have, like, anything formal at this point, is to, for example, have TPM attestations inside of the environment dictionary about the whole host: file system integrity, you see, maybe secure boot or something. I don't know if this answers your question, or did I call in on another line.
B
I will quickly say that we have a very detailed analysis, like, on the level of what we did for TUF, talking about why in-toto is secure, including, you know, link metadata tampering and layout tampering and other things like that, and in what scenarios it loses security and to what degree. So I think that is probably closer to the answer to your question, and we can talk more about that later, but I think Santiago...
E
So, roadmap things that we're working a lot on now, getting out: it's trying to formalize, say, like, governance documents, which is, like, how to attract the whole community, how to get changes in. I've been trying to get the... I'm thinking of, like, adding code covenants or, like, a default code of conduct for this. We're also working on cloud native enhancements. We don't have the specification of a URI artifact definition, but it's pretty much just something we need to formalize.
Also, something that we're working on is: we want to integrate in-toto on top of TUF in a more formal way, and probably even launch a service using TUF or Notary to provide layout registration and namespacing of the layouts. You could essentially, like, have Let's Encrypt, but for your artifact layouts. And then, this is something that I haven't shared with the team, but continuous metadata verification. You could use it in the cloud; that's a container, not only an admission controller, but as a continuous verification. Anytime...
You revoke a piece of link metadata, you could pull a container out, and you could revoke a piece of link metadata if, for example, you're redoing a CVE scanning and finding that there's a vulnerability of a certain severity, and we revoke the metadata, and it comes as a consequence, essentially, for any unsafe image, from the cloud. I know there's similar solutions today, but this begins, like, a very, like, simple, elegant, automatic way to do things on your cloud native.
Also thinking of adding security enhancements and formalizing them: TPM support. We already support YubiKeys using GPG signatures, but we probably want to do something a little bit more, like, on a general grade, not only of the, like, RFC 4880. We also want to have host attestations, which is something that I just, like, mentioned, using, like, the DNS to authenticate the whole host and provide a read on the boxes for building and performing steps, and SGX cloud builders would be something that I've worked on.
E
Sorry, and well, we have a couple of integrations going there. Oh, there's really a lot of work. There's VSS px, already a Peter, we're only the same, like, supply chain, environment authentication, artifact Nimoy station, 12 native, our artifact recording is 40s. Then these are, like, the big integrations that we have right now. We have, on the bottom right there, a very homebrew project that are over you releasing into a metadata. Andrew here may recognize the logo of his company here, and music. We also are...
We are taking care of the producer setup, which is the thing that I spoke about, and I already... I'm an Arch developer, dude, by the way, I use Arch, and we also are working with RFPs to, like, fix this, the security model, and to provide us with a transport that can help us provide more cloud native metadata transfer between, like, all of the, like, super convoluted distributed systems that are in the cloud. There's also other people that are interested. We have some talks with Docker.
We have some integration with helpin to see open build system. I also worked with the variant people, and I don't know each other well. We spoke with gov, ready and repeater. I know the developer of repeater; he wants to, like, say we merge the metadata, but there's so much going on, that's, like, there's only so many things you can focus on at the same time. All the information that is required as part of the application: we have a tentative sponsorship from Alexis Richardson, like, no... Yet we would like to join an incubation.
We have in-toto, the entire project, sponsor... I really don't know exactly what this was. I don't know if I have to say, and I said Jeff probably knows better, and the license is Apache. Actually, I got all the signatures to relicense as Apache, so Monday we will... we used to be MIT. We have all of this code repository spirits puzzle. Only the ones that have a star are not Apache, but they can be changed later, actually, yeah. And then dependency license is, I think, this is just, like, formalisms that we need to go through.
Go through. There's a bunch of dependencies and different components of what we've released. These are our communication channels. You can always join IRC; I'll be there, the CocoaPods developers. You can join our mailing list, and you can, I don't know how it works on Slack, but we're also there. We have a couple of websites up. You can use our tool to create your layouts today. We actually updated it to the latest specifications a week ago, and we'll usually release blog posts about in-toto in our collab...
Laughs website. We have this release cadence. We are very, like, committed to semantic versioning, I think when people don't do it. We do release candidates monthly or sometimes even faster, depending if it's batteries yet with a major feature at the same time, and we still don't know when to release the major version, so we cannot say, like, a timeline for each major version to be released.
A
Really, Christian will put this into the minutes if you just...
So right before folks drop, I want to make sure I, like, take the time to sort of see if we can do some triangulation. Andrew, in the SAFE compliance work that we're, you know, currently scoping, is there anything that we can kind of leverage in in-toto to inform where we're going with that compliance journey, and you provide additional feedback to the TOC, to Lexus and akin?
So next week we'll have Andrew and we'll kick off some of the discussion around the SAFE compliance scoping. You know, once again, we're still working on the security landscape for the CNCF landscape, in association with the CNCF landscape, and if you have some time over the weekend or next week to review both those documents, I'd appreciate the attention there. Santiago and...
And Justin, thank you so much for joining us today. This was fantastic, and I can allow a little bit of overflow time if folks have a little bit more discussion that they wanted to have around this, but I want to make sure we wrap up for anyone who has to drop. Are there any further questions that, you know, folks would like to get into before we wrap up there?
F
Because, Marc, I just put this on the agenda for a future conversation, because I think it needs more than three minutes. But this issue of metadata management is a thorny one, and the FSIA group, which is a finance project supported by DHS, is trying to use a metadata model to, you know, follow provenance for data, and you've got the same set of issues there. How do you map from these domain-specific models for what's in the metadata to things that are interoperable with other tools, like even in the NIST stack?
How do you, you know, map to other things like threat representations, the difference between a policy and an attribute, and even the name of an application that might show up on an alert? So I think it's not a fair thing to ask this project to address that, but maybe there's some, you know, groundbreaking stuff we can do by trying to inject some kind of model-based representation at the ground floor of a project like this, right.
B
So, we've actually thought about the specific issue in a couple of different contexts. A lot in our philosophy with this, to this point, is that these models and these base... having these general abstractions, are not yet defined and rich and sort of static enough that, in our opinion, it makes sense at this time to invest an enormous amount of effort in them.
So instead, what we're focused on is that the actual metadata and the actual cryptographically verifiable aspects of this are all produced in a way that is verifiable and non-modifiable, and so on, across these different contexts. And then, you know, if something like that has a richer model, like, for instance, courteous from Google has a richer model for some of these aspects of things in the cloud, then that layer sits perfectly well on top of what we're doing, and now we've provided the metadata they can actually trust.
J
We're hitting this in Kubernetes quite directly, where there's no standardized place to store metadata and it's kind of spread out, and that makes interoperability very difficult. There are, like, annotations on the objects themselves, but those have no access control separate from the objects themselves, so that one's a very complicated one, in that there needs to be kind of almost field-specific access policies per thing, which gets that multidimensionality that is very difficult to handle, and what you want to know, if you have a solution.
F
I mean, this is one of those interdisciplinary problems, right, because the modeling folks have solutions for this. You know, you could argue that schema.org, out of Google's, may be a better representation that you could do reasoning with than the traditional security models that we inherit from Active Directory. But, you know, there's a lot of work to do to make the connections there.