From YouTube: CNCF Security TAG Regular Meeting 2021-11-17
B
It's annoying. Let's try.

B
In the meeting notes, please put your name in. We are looking for someone to help scribe, so if you can scribe, that would be awesome.

B
All right, so I'm going to start with the usual reminder. Hello everyone, a reminder that this meeting is being recorded. It will be posted to YouTube. Participation in these meetings is agreement to the CNCF and Cloud Native Security code of conduct, which can be found in the repos. I'll need one person to volunteer to scribe, just to take note of the action items and next steps, but everything's gonna be recorded. And for folks on the call, please include your name and your organization in the meeting notes. Cool.

B
I think this is gonna be a fairly short meeting. So before I go ahead, I see that Michael has an update. Does anyone else have any agenda items that they want to talk about today or introduce? Then I can add that to the agenda.

B
All right, if not, let's get started. It'll be a quick one today. Okay, so I don't think we have any new members. Let me just be sure. Yeah, I think I've seen everyone here before.

B
Okay, updates. No TOC meeting since, so we are good. So let's do a quick update on projects. So we have Michael. Do you wanna give an update on the SSF?

A
Sure, so the SSF, the white paper: the draft is done. We have a ticket open with the CNCF itself for some technical writers to clean some things up and produce a PDF out of it, so that we can then share it with the rest of the community for comment.

A
I don't know exactly how long that usually takes, but once that's done, we will be sharing the PDF with the rest of the community, and then probably in the next few weeks we're gonna start discussing, we're already discussing rather, next steps, right? Like once the draft is out, what are the next things for the group? Do we want to spin down the group, those sorts of things. Yeah, that's the update on that.

A
I also have a minor update, or a minor sort of question I guess, regarding some of the SLSA stuff that had come up in an OpenSSF meeting right before this, which is: they are looking at also doing their own sort of open source compromise list, similar to what we have here at the Security TAG, and they said, hey, we would rather not duplicate it, but they also noticed that it hasn't been updated in a while. So they're like, you know, should we keep ours up to date?

A
Should we just use... anyway, there's some conversation about how we want to do that, and obviously their list of compromises is a little bit more focused on how it affects the supply chain.

B
I think, you know, ours is currently community driven. I think if they do have cycles and wanna work together on this, we can hold something out. Maybe we can kind of change the templating a bit to add a few more details that they would like to encapsulate as well, but yeah, I think maybe we can set up a conversation with them and figure out how we can kind of combine these efforts.

A
Sure, sure, yeah, yep, sounds good, awesome.

B
Thanks, Michael. Okay, I think we have Pushkar. Do you want to give a quick update on the white paper?

C
Yes, can everyone hear me all right? Cool. So we just met before this meeting. We had about 12 people joining in, and there are 30-plus people who have shown interest in the linked issue, so things are looking great so far. We are going to decide and finalize the scope by the end of this year, and the idea is that each of the deliverables in the issue will become their own individual GitHub issues, and then people can assign them to themselves and start working on them.

C
Only one, maybe, quick question for Brandon, please: is the label for the issue right now still "proposal" and "long-term planning"? Should we maybe change that now, or is it still okay?

B
I can move that to a project. I think we've done the necessary steps to classify that as a project now.

C
Okay, cool, perfect! Thank you. So for folks who couldn't join the meeting, we'll have a recording uploaded soon, but if you have questions or want to know what's going on, keep track of the TAG Security white paper channel on Slack, and we'll keep updating that channel with the latest things going on.

B
Awesome. Can you post a link to the issue in the chat for those that may be interested?

B
Okay, cool. Do you have any updates from any other project groups? Audio, serverless security, panels, go to views controls, cloud native security map.

B
Okay, all right, I have some updates from some of these things. So audio is pretty much wrapping up. Sarah Allen is back in business, and she will be one of the first testers for the audio version of the white paper.

B
So that's what's going on with the audio. And also we have four security reviews. We have Argo, that's kicking off. I believe John Kinsella and Matthew Giassa will be the co-leads for that review.

B
Cool, if not, then we should be good with those updates. Frederick, I see your agenda item, we'll get to that shortly. Other check-ins should be good. So one thing that I was talking to, we're talking to the TOC: they brought up this project called Metarget ("meta-target" or "meh-target", we don't know how to pronounce it), but this is something that they highlighted to us that came in as a sandbox application, which is pretty interesting.

B
I think we want to kind of share this in the group, see whether folks find this interesting and want to contribute to this, and hopefully we will have a presentation soon where the maintainers can come and talk about the project a bit more. But essentially, it seems like, you know, the ability to do a single line to just install a vulnerable Kubernetes cluster that is vulnerable to the runc exploit, for example, right, and then you can play around with your CVEs from there.

B
Cool, if not, Frederick, do you want to talk a little bit about the SBOM stuff I see you have in the agenda?

D
So let me tell you what I did, in short. So I took two tools. One of them is for generating SBOMs in CycloneDX based off of Go code, and the second one was an SPDX tool which also generates an SPDX SBOM and which handles multiple languages, but I only focused on Go.

D
I ran them against the same project, then I did an analysis on the output, and the analysis resulted in two blog posts which are linked in the agenda. So if you are interested in knowing what an SBOM looks like and what type of information you may typically see, you can take a look at that. And one caveat is that both of these tools are still early in their development.

D
So there's a lot of growth here, and they also do not make full use of the specification, and in fact you may not even want to make full use of the specification because of the verbosity in some scenarios. So sometimes you may have to make decisions on what type of things you want or don't want within it, and these authors have had to make some decisions on that.

B
Awesome, thanks, Frederick. Do you want to post these links in the chat as well, so that folks can easily get them?

B
All right, if not, any other topics we want to pick up?

B
Oh, I noticed we have someone that joined. I'm not sure whether you're new, but did you want to introduce yourself, Altaz?

E
Hi everyone, Altaz here. So I was a part of this group a while back, but had to step away due to some other commitments, but I'm back in once again and I'm really looking forward to seeing what I can do to contribute. I extensively collaborate with a lot of other working groups, so yeah, kudos, well done to the work that's been done here. Thanks.

B
Awesome. And I'll just say, if you don't mind, would you mind mentioning some of the other working groups that you work with? Yeah.

E
Sure, so I do some stuff with The Open Group, some stuff with SAFECode. I did some stuff with IEEE, OASIS, Object Management Group, and it's interesting to see how each community is kind of doing things from their perspective, and I'm hoping that there might be opportunities to invite...

E
And, you know, to kind of look at what some other groups are doing and invite sort of participation, just to get some different perspectives on things. Now, so far, when I've had conversations and invited folks, or at least approached them, there's been tremendous openness and willingness, especially when we deal with cloud and security and things like that. So I think it'll be really helpful. And there are many, many use cases: zero trust and security and development and DevOps, and, you know.

B
Awesome, that's a long list of great groups to work with. Do you mind sharing... maybe I'll ping you. Are you on Slack? I can ping you after this. We do have a related groups page that lists members who are kind of like holding positions or, like, participants actively participating in other groups. So it's a good way for folks that, you know, may be interested in collaborations to come to the community, and then they can reach out to you as well.

E
Yeah, yeah, absolutely. Brandon, or someone, could you just put a link in the chat to today's agenda? Sorry, I was doing some stuff with NIST prior to this.

B
Right, welcome back, Altaz. Yeah, and thanks for adding the thing there. Cool. If not, I guess this will be a short meeting, since, you know, we kind of expect a lot more toward the end of the year. Most likely we will be canceling next week's meeting because of Thanksgiving, so the next meeting should be on the 1st of December. Any last-minute topics that we want to talk about? If not, we can close up the call.