From YouTube: CNCF Security TAG Meeting 2021-05-12
B
Yeah, that sounds good. Let me at the naming item first, it will probably be.
B
At some point, oh I'm sweet yeah. We have our agenda for agenda today. Andres has been on me about this, so maybe you know at some point. If we will do a CNCF, you know we do a stand-up comedy it's actually music session, maybe and maybe.
B
All right, I think we have more people joining in, is gonna post. This we do need one or two scraps. So if anyone wants to sign up, that would be great.
B
Okay, I just saw someone adding an item. Oh I see multiple people adding items yeah if you could be your name. It's like that'd be great.
B
Okay, so I think we have a good number of people in here already so just to start off again, this meeting is is being recorded and you know all the usual CNCF TOC, oh sorry, guidelines and and call the contact apply so hi everyone, and I think we we may have like a couple new faces here from KubeCon, so hi my name is Brandon and I think maybe we can do kind of like a a check-in big go by so I'm gonna post the the document link.
B
These are the minutes of the meeting. What I should do is you should ensure that you have your name down in the attendance and if you you have update, you can just put something there cool, so we're going to start with just brief. Check-ins looks like the first item here is Andrew.
C
Yes, indeed, thank you very much to everybody who played contributed, arranged facilitated all the meetings for KubeCon CTF. It went down acceptably nothing burned. Apart from perhaps the major silicon we had two and a half thousand VMs over the course. Today.
C
Nobody got all the flags and I will run through the whole thing end to end on on Dave McKay's raw code clustered thing tomorrow. So probably a bit of timing in the speed runs trying to get through a demo. Everything was a little bit compressed in terms of time, so I will do it at a more verbose attempt tomorrow.
B
Awesome, could you post a link to that or like some schedule in the chat and then we'll put in the doc awesome so before we start with Rob? I see you have an item there, but I think we already have an agenda item for it right. So we will. We will get to that.
B
All right, I guess if and if you, if you want also all your mic, isn't working just feel free to like put it in the chat to just have a child, don't say hi all right. So, let's get started with the agenda. We have a very packed agenda. We have like seven items or something so we're gonna first check in with the the the sick working groups APAC getting so from the apex side. Do we have any updates all from the policy book group and I win this counter box.
D
Well then, just a quick five second update we, we did have a call this morning. 8 a.m. is our usual call time. We did discuss the the difference between the this TAG, security policy team and then there's a Kubernetes policy work group, so we're sorting out all that governance stuff. So, if anybody's interested feel free to review the Google Doc and the PR is listed on that Google Doc.
B
All right, so, let's get to the next item then, actually before there any any updates anyone from the apex site that's on today.
A
So welcome everybody to the Security TAG during KubeCon, it was announced that the SIGs would all be renamed to TAGs. A couple of quick notes about that. There is some legacy terminology within the repository that, as we have time and as people have energy, please go through and update it, but a couple of notes about those changes for informal and internal communications. It is requested that we can refer to ourselves as STAG, but for public awareness and events such as public content on the repo we refer to ourselves as Security TAG.
A
The reason for this is so that we do not confuse our audience or potential members and the public with Storage TAG, who also has rights to the same acronym. So just a quick update about that, and also there are going to be some more changes that are coming down associated with the administration of the TAG. The chairs have a little bit more work picked up for for us, but that's to help the CNCF serve us better.
B
Cool thanks, Emily and Daniel. Thank you for signing up and subscribe and helping us grab today. So the next item is on the triage team, and so this is. This is something that Emily I discussed a little bit before, and the idea is to get kind of reorganize how we are doing triage of the issues and kind of talk a little bit more about how we can continue this. So so, historically, it's been kind of enemy. Let me bring up the triage font. This is a.
B
So traditionally we had kind of a triage team which was pretty much jazz and teals, and the idea is, you know we had all these things that kept track of move things around and then try to figure it out. So I think there are.
B
There are two things that we we want to do here and maybe Emily can chime in, but I think the the two goals that we have is to one is to reorganize it so that it would work better with you know the roadmap of the roadmap bot that we have and the project spot that we have today and the other the other goal that we're trying to achieve is to get more people.
A
Yeah, so a lot of what's been going on is through the roadmap planning we discovered, as chairs and as tech leads, that we are leaving work on the table. We are not finding it, and a lot of that has to do with some of the great suggestions that are coming from the community are not getting the level of visibility that we would like them to, and that's because the TAG leadership team is a little bit short-staffed. We all have full-time jobs.
A
So what we're looking for is to expand that triage capability to the community a little bit more. There is a triage channel that we have it's like tag security triage, I believe, and we're looking to get more community involvement to help us look at some of these issues that we have coming up, determine whether or not they should go on the agenda for community discussion to see if they're worth pursuing or kind of ping. The chairs and the tech leads that hey this needs.
B
That will take a while for the muscle memory to go away, yeah yeah, so I I think that we will apologize is just like you know, going through the issues looking at things and using using judgment to kind of figure out whether this you know maybe needs a bit more review. Maybe it's good to merge and things like that, and also I think that we want to define this a little bit more, so that more members can come in as well.
A
So a lot of this for those of you that are new and you're, you kind of want to stretch in your professional chats. This is a good opportunity to like stretch into a little bit more of project management or open source management, because this is really the bread and butter of successful open source efforts is. How do we manage our issues and how do we put work on the docket to be performed?
A
This is also a good opportunity for you to have better visibility across all the streams of work that go on within the SIG and understanding kind of where that community direction is so, if you're looking more across cloud native security architectures into the next horizon of what is the community concerned about? This is a good opportunity to give you a certain level of visibility that you would not otherwise.
B
Get and so I guess, to wrap up if you're interested, we will put the link to the the channel and the chat and please join, and we will you know, start getting this getting this moving forward excited about all the issues that we have. We we we are in a unique situation. We have that we have a lot of issues compared to the compared to some other groups.
B
All right any questions about triage.
B
Okay, if not, let's move on to the next item, which is the very exciting supply chain document. Jonathan, are you.
A
So quick update on the supply chain document so we're waiting on final concurrence from Liz Rice, who is one of our top liaisons, so, typically with papers, we get our talk liaison concurrence before we contact the CNCF to do an official publication on it. So we are, I believe, all of the comments have been submitted and remediated or adjudicated so we're just waiting on final confirmation, and then we will fire it off to the CNCF.
A
So there are some references within that a lot of if you're familiar with the DoD software factory and some of that work that was presented in the community or some of the blogs and articles that already exist. A lot of the lessons learned in a lot of the core components of that have been pulled into the supply chain document and either expanded or abstracted for industry and public community, as well as government and academia. So there's a lot of crosstalk between them.
B
Yeah and I'm gonna drop a link to the draft and the the chat as well. So if you are, if you want to take a look through, this is this is public.
B
Cool, so looking forward to that and nixon to this, we have the nuts foundation energy meeting on critical infrastructure. Cole. Are you on.
F
Yeah yeah, I'm on so real quick. I had a really great call with Shulie Goodman of the Linux Foundation Energy, and you know talking about how you know: we've used identity in some of these infrastructure projects, so we are meeting next Thursday to discuss. You know how to secure critical infrastructure as it starts to move to more of a cloud native type of environment right all these.
F
These are all just like little IoT devices connected to pipelines, electrical grids et cetera, right, so pulled in some a couple members from the the SPIRE community. But if anyone.
F
In joining that, and maybe providing some input on how to move forward, send me a DM on on Slack and I'll get you an invite.
F
Articles about it right now with the Colonial Pipelines attack so trying to do something there with that with that incident.
B
Awesome, do you think you could kind of post the blocks and, if they're published, can you post a link to them with the in the chat post.
B
To what the blog that you talked about.
F
Oh yeah I'll throw a couple links in there. There's there's one guy Tom Aldrich, I think, is how you pronounce his name. But anyways he's got a pretty good one about some of the issues involved with security, OT networks and why they actually have to be connected to these admin networks.
A
There's a lot of really interesting, pre-existing knowledge in that space, as well just in general about SCADA systems, particularly the attacks that happened in the early 2000s and that are regularly ongoing. So if anybody is interested in researching or learning about that further, let me know I have access to a bunch of links and articles from work that I've done for a talk. I have coming up.
B
All right, so any any quick comments, any any more questions before we move forward.
F
I'll I'll just go ahead. Let me kill take this one.
D
So with the kind of the work that Cole and I have been doing on in-toto, we are trying to get things signed with short-lived keys and I guess I was just kind of looking for an appeal to anyone who may have experience with trusted time stamping and RFC 3161 and potentially implementing that. As far as I know, RFC 3161, which is trusted time stamping in the protocol. But it doesn't really specify any standard transports.
F
So I had a lot of context too. This is this is with our in-toto Golang fork. One of the issues that we have is with those short-lived keys. We need some way to assert that that we sign that metadata within the validity time of those keys. So I think, looking at RFC 3161 might be a way to do that. So looking for you know any input from the community on how to possibly handle some of those those things you know, I think TUF, is an additional way forward on that as well.
B
Yeah, I was thinking about just in capitals or Santiago, because they're working a lot on TUF.
A
Yeah, I mean I'm not either of them, but I do just do some work on TUF as well and it doesn't use the RFC.
C
Can provide a similar time stamping mechanism.
F
Yeah I mean, should we should we break this off? I mean I would like to kind of discuss this a little bit further. I know this media's kind of packed, I know Mikhail, would too is there? Can we can we link up in Slack and maybe find a time next week to go into a little bit more deeper technical discussion.
F
Great okay and just just hit me up in Slack if anyone else is interested in that and we'll find a time that works for everyone.
B
Yeah, I I also recommend just creating an issue for the discussion, just in case folks, that know on the call wanna also jump on okay, perfect. Also, I'm not sure whether this is relevant, but so I know six star has an implementation of for show which does like it's not really time stamping, but they they kind of mint, shot, dev keys for developers to sign artifacts, and things like that. I don't think it's direct information, RFC I'll put the link in the chat.
B
Okay, next on the agenda, we have top studio Robert, yes.
D
So a Cloud Custodian has been waiting for what I guess we'll call the joint review these days and leading up to this Kapil, I think, is on the call as well has provided us a very good, in-depth security overview Chase, who, I think is also on the call has been reviewing that as well and we have another volunteer Ricardo who I don't see on.
D
I think he's out of CERN, but Amy had asked kind of as a process point of order that they submit their incubation to cpr, which they have and to peel. You feel free to jump in if you want to give any color commentary around that. So that's.
E
Why they just put the world in the precove it didn't post covet, and this has all been going on pre-coded with the arts. So Ricardo is our top sponsor and we've been meeting with him regularly, but we're on our third process so to speak.
E
With regards to CNCF, I believe now the the talk sponsor has a lot of the due diligence effort and it's supposed to delegate back to sorry the TAG to try to keep all my names straight and my legs straight on meetings and so Robert's been leading a lot on from the same perspective and sorry TAG perspective, and now I'm trying to like like give a chance for those two to meet, but with regards to the meaning the presentation itself we're happy to get one we have given one almost 18 months ago.
B
So is this: are you putting it's called custody out for incubation or graduation.
B
Would I think this was, I think, based on what we talked about in the talk call, they will kind of determine what the ask is for the six, and so he I think that we can probably if he pings he like one of the the chess, I think maybe you can have a discussion of what is required. The review is definitely going to be like the base of the recommendations.
E
All right, sorry, so sorry, apologies, Ricardo is new to the talk so and this process is also new. So who is a good guide post for him that we can like to understand what the current process is and and the if he has questions per se, we've been trying to do our own research to help them in that process, so also trying to understand what the best way to go about it is.
A
So I want to disentangle stuff because of my brain they're, a little mixed. So there's two things going on: there's the PR for incubation, which requires a form of due diligence review, and then there is an existing issue within the TAG's repo to perform a security review of Cloud Custodian, that security review started pre pandemic and has been on hold, while we close out the build packs review, but traditionally in the TAG processes and within the talk processes.
E
Now that we've got this, we started this process to go in the sandbox and we're in sandbox and we've continued to try to engage. I think part of the delays have actually been on the project side. We have dedicated folks now that are engaged on that front and Robert's been great to work with from the six tag side, but the I think the question is is what is the question? The question is, I think, we're related to the presentation and dewey.
A
So traditionally, the presentation can happen at two points, just as a general awareness for the TAG members of what the project is and what it does with the security focus, but there's also generally one at the end of a joint review that goes through the joint review and highlights some of the key findings, discoveries and recommendations that come out of it.
A
But it's entirely on the project. Considering that we haven't completed the joint review for Cloud Custodian and you do have, it looks like some joint reviewers on the issue. If you want to do a refresher on what Cloud Custodian is because it's been 18 months and the world has almost fallen apart. In that time, we have new members. That would certainly be appreciated.
A
Yep and for presentations, because you already have an issue for the project, I would just recommend doing a comment on that with when you would like to do the presentation and then we can add it to the agenda.
E
Sounds good we'll look at the future agenda and see that where we can schedule.
B
Yeah- and I I think that probably another thing on top of that and Emily grabbed me if I wrong- is that I think, based on the content of the due diligence document, if Ricardo could tell the chairs like where that requires any action for us for the dtop, I think we can help.
E
Yeah so right now, from a dilemma's perspective with regards to the top DD, with regards to incubation, we're leading in through various user production users right now.
E
And maybe I need to re-review the current incubation spec with regards to DD as Emily suggested. These are two separate things with regards to a security, sorry, TAG, security review and the talk td, but there's a lot of overlap with regards to the talk sponsored doesn't delegating to the to the TAG with regards to that DD work, and it's a little bit unclear to me where.
D
So that's why I wanted to get this on the agenda. So what is our next step as the TAG reviewer.
A
So I've pinged Amy to provide some clarification about what those expectations look like. With regard to the TAG, the joint review and the due diligence, I can also mention about some general confusion with the talk sponsor about that process as well, because I think, I think we're all kind of like I don't know, and I can post back to the channel. I think I might not be on the channel for the assessment, but I can post back to the channel with what the recommendations come out with.
E
For the talk sponsor, I would highly recommend some form of mentoring like we're, trying to provide that, but, like I think, from a general health of the process itself, I think that would be useful.
B
Yeah, I think traditionally for the the due diligence side. We require a chair signal, so that is something that, like my perspective of it is you know, treat the the reviews review once it's done, then we can talk about due diligence and then due diligence is just going to draw on the content of the review and from the recommendation of the.
B
Thanks Robert and Phil, I think the last item that we have is on the policy. I think I run out yeah now.
G
They are looking for a wider feedback from the security team and the Security TAG. I should say so. If you could, please go through the table of contents and if you think there is something we need to add, or that is missing that will help build end-to-end policy management. White paper that'll be great. You can just comment in the paper itself and then we can discuss it in our working group session next time and appropriately. Add it into the sections, as well as the subsections.
B
How do we, how should we review this.
G
Right now, it's just table of contents right, if you think from a policy perspective and security, I mean. Obviously, this group is all about security and there are security policies as well as security controls in the policies that we need to address as well. We tried to incorporate that as detective controls, as well as enforcement controls, but if there is anything missing, we want to get a wider set of eyes on it and get your feedback as well.
B
Okay, so how? How would one provide feedback.
B
So do you have any other items to talk about today, any discussion, things that anyone wants to bring up.
A
Yes, I have another one that I forgot to mention earlier, so it was brought to our attention that our repository does not bear the correct IP license in accordance with the CNCF guidelines. Everybody loves license, so there is an active PR to change it from Apache 2.0 to Creative Commons BY 4.0.
E
Do you have any variants of Creative Commons which one are we talking about.
B
It's if you look in the PR there's it's it's in the. If it's PR number six one nine, I don't think anything.
B
It would be if anything like it's going from least restrictive to 619.
C
So can I make a call back real quick, sorry to be the guy at the end, with the Cloud Custodian thing, I think I've put a few things together for myself, so I just want to reflect it back with which is when we spoke with Ricardo yesterday he seemed unclear that we had dueling documents. We have the kind of historic Cloud Custodian assessment from the TAG and then there's the incubation documentation, and I don't think that he was kind of understanding the distinction there, either that we've defined here.
C
But if I understand correctly, the incubation process needs a TOC sign off and there's discretion there for them to like whether or not to request some level formal assessment or whatever and separately, the kind of long drag for the Cloud Custodian review that could that may or may not happen. Is that correct, depending on sort of what the purview is of the TOC person to sign off so.
E
Thank you for bringing that up. I have a lot of confusion here as well at least regards to the talking commission requests. I try to normalize to what was already there for the sorry, the most recent request. What was already there as far as incubating as far as the talk, my understanding is for a security-related project that it is necessary and I'm just stating this for feedback as well, because I also want to get clarity on this also unclear, based on what historical versus current.
A
Yep, so a couple of things we're going to assist Ricardo, we're being tagged. Security in some capacity is going to reach out and ensure that they have the right partnership to move forward. As far as that presentation goes, let's go ahead and get that on the books. That way it can be done, and you can have that part of the incubation requirements checked off and then the next question is really around that due diligence document.
E
Itself, there's not a whole lot. That's changed in the last 18 months as far as focus area coverage, etc. So I understand it's definitely useful to re-present it for our current audience but content-wise. I don't know that, there's a whole lot, that's changed, or even and user production. Usage-wise though there's all I mean it's grown, but like from a baseline of incubation or research from a tech security perspective, the family.
B
I think perhaps for that we can bundle together that presentation, which would be kind of a short reintroduction, together with the security review kind of results, and then that could be considered as the presentation for the project.
B
I mean it's part of the review process right, so no matter what is going to happen, so I don't think we're doing anything like like extra and like there isn't really additional agenda.
D
Yep, I'm I'm gonna just continue. Reading the Google Doc and and the Markdown format- and you know answer questions if I can ask questions if I can and then Emily Amy I'm gonna be waiting for the official green light.
B
Awesome so we've made it to the end of our long agenda today. So is there anything else that we want to talk about?
A
So I have another request for everyone. If you could take some time and look through the repo find anything that's outstanding, such as the SIG to TAG and open a PR on it. That would be lovely as well as review some of the ongoing issues that we have. There was a lot of interest in completing some of them. We want to be able to queue up next big projects moving forward and there's a lot of open PRs and the tech leads, and the co-chairs are not the only ones that enjoy reviewing them.
A
I'm sure you all would love to review them and provide your two cents. You are part of this community. We want to hear your voices and we want to know what it is that you all want and where you want to move to, and one of the best ways to do. That is to be able to contribute through comments on PRs, as well as generating PRs yourselves.
B
Awesome all right, if not it's good, to see everyone after KubeCon and we'll see you next week have a good.