►
From YouTube: CNCF Security TAG Regular Meeting - 2021-08-11
Description
CNCF Security TAG Regular Meeting - 2021-08-11
A
A
We
also
have
an
issue
in
for
argo
to
complete
a
security
review
of
the
project.
Let's
see
here,
I
think
those
are
the
most
recent
issues
that
we
have.
There
are
several
other
issues
within
the
repository
when
the
triage
team
meets
again
we'll
go
through
and
provide
a
quick
update
on
all
of
those,
but
in
the
meantime
everyone
is
obviously
encouraged
to
go
through
and
provide
updates
or
provide
comments
on
things
that
are
of
interest
to
them.
C
C
The
initial
work
was
done
by
some
google
folks,
but
it's
now
part
of
the
open,
ssf
and
they're
looking
to
kind
of
get
increased
community
engagement
in
order
to
sort
of
you
know
make
sure
that
it's
not
just
google
is
working
on
it
and
there's
so
that
initial
meeting
went
fairly
well.
There
are
some
initial
folks
who
are
now
part
of
a
steering
committee.
I'm
part
of
now
that
that
that
initial
steering
committee,
it's
unclear
exactly
what
that's
gonna.
C
What's
that
gonna
look
like,
but
just
wanted
to
kind
of
bring
that
up
so
cncf
now
has
some
representation
there.
I'm
also
willing
to
hand
that
representation
off
to
to
somebody
else
as
well,
but
just
wanted
to
kind
of
bring
bring
that
up,
because
I
know
in
this
conversation
as
well
as
some
of
the
stuff
with
the
supply
chain
security
working
group.
There
were
some
concerns
originally
like.
C
C
Sure
so
there
is
an
open,
ssf
slack.
There
is
also
the
github
and
I
will
post
both
of
those
inside
the
meeting
notes
in
a
in
a
second
here
but
yeah.
The
the
there
is
the
github,
and
there
is
the
open,
ssf
slack
and
the
salsa
channel
in
that
slack.
That
seems
to
be
the
currently
the
best
way
to
get
engaged.
A
D
Yes,
can
you
hear
me?
I
was
trying
to
speak
earlier,
okay,
cool
all
right.
I
can
share
my
screen
if
people
are
interested
to
discuss
more
but
we'll
go
through
quickly,
both
the
issues
we
discussed
about
secure
by
default,
and
what
does
that
mean
to
the
community
maybe
two
three
meetings
ago
and
the
idea
was
to
break
out
for
a
dedicated
session
with
somebody
presenting
on
the
topic
and
using
that
as
a
baseline
for
the
discussion.
D
D
D
That
will
be
nine
months
more.
So
I
think
we
are
halfway
where
we
can
start
thinking
about
version
two.
We
have
had
good
feedback
from
the
survey.
We
have
made
a
lot
of
other
work
and
progress
on
map,
lexicon,
supply,
chain,
white
paper
policy,
white
paper,
service,
serverless
white
paper,
and
there
have
been
some
new
threats
that
have
come
into
the
community,
also,
which
have
gained
more
focus
like
supply,
chain,
ransomware
and
other
things.
So
with
all
of
that,
it
seemed
like
we
could
potentially
create
a
newer
version.
D
I
have
added
tentative
schedule
of
when
maybe
we
can
plan
on
getting
the
first
draft,
then
reviews
and
final
publishing
around
may.
So
I
am
assuming
all
the
people
who
sub
worked
on.
The
first
version
would
be
interested,
but
if
they,
if
you
weren't
part
of
that
and
want
to
contribute
to
version,
two
you're
also
welcome.
B
I
did
there
was
a
scheduling
conflict
and
we
weren't
able
to
put
on
our
usual
tuesday
meeting.
The
original
plan
was
to
conduct
the
meeting
tuesday
and
then
tuesday
of
next
week
would
pretty
much
be,
I
believe,
rob
and
brandon
putting
together
a
final
presentation
for
the
tag
security
team.
So
I'm
trying
to
see
if
we
can
get
a
meeting
going
before
end
of
week
to
keep
to
that
approximate
schedule.
If
not,
then
maybe
we'll
just
end
up
pushing
it
out
a
week
and
doing
our
final
meeting
this
coming
tuesday.
E
Oh
yes,
emily.
I
wanted
to
have
a
brief
conversation
here.
I've
tried
to
attend
apac
meetings
a
couple
of
times,
but
it
seems
like
the
meeting
doesn't
happen
and
when
I
reached
out
to
folks
in
apac
region,
they
said
they
attend
this
meeting,
so
I
still
think
we
should
have
that
meeting
because
that
we
could
potentially
get
more
participants
and
volunteers
in
that
region.
So
what
I'm
going
to
do
is
I'm
going
to
create
a
doodle?
I
know
there
are
some
conflicts
between
india,
time
versus
australia,
time
and
other
areas.
E
So
if
people
can
respond
back
to
that
doodle
and
provide
a
time
frame
that
works
for
them,
then
we
can
set
up
an
initial
meeting
and
discuss
initiatives
we
want
to
take
over
in
that
group
right
and
deliver
some
value
and
some
of
the
projects.
Out
of
that
I
know
it
makes
sense
to
have
overlap
right.
Sometimes
you
want
to
attend
u.s
meetings
as
well,
but
at
the
same
time
having
more
focused
discussions
and
work
projects
will
help
us
as
well.
E
A
A
Yeah,
so
the
micro
survey
was
a
request
from
the
cnc
app
to
put
together
a
focused
survey
on
cloud
native
security,
explicitly
so
separate
from
the
cloud
native
security
white
paper
and
getting
feedback
on
the
paper.
This
is
more
for
is
the
security
technical
advisory
group
visible
amongst
end
users
and
abundance
amongst
the
community,
so
do
people
know
that
we
exist?
A
If
you
haven't
responded
to
the
survey
or
you
haven't
retweeted
it
or
shared
it,
please
do
so
having
the
most
amount
of
feedback
on
that
survey
would
significantly
help
us.
We
also
have
use
cases
and
industry
types
within
our
repository
or
use
cases
and
personas
within
the
repository
that
are
in
strong
need
of
an
update,
and
we
could
potentially
use
the
results
of
the
micro
survey
and
the
cloud
native
security
paper
survey
to
help
finalize
that
or
update
it
and
drive
more
thoughtful
project
engagement
to
understand
who
we're
really
making
these
things
for.
D
A
It
was
sent
out
to
the
cloud
native
security
mailing
list
and
it
was
on
twitter
a
while.
I
believe
we
posted
it
in
the
channel,
but
I
cannot
recall
offhand.
We
can
certainly
repost
it
in
the
channel,
so
folks
are
aware
that
it
exists
and
if
you
are
not
part
of
the
cloud
native
security
mailing
list,
please
go
ahead
and
sign
up
for
that.