►
From YouTube: CNCF TOC Meeting 2022-03-01
Description
CNCF TOC Meeting 2022-03-01
C
C
And
this
is
our
agenda
today
happy
to
be
able
to
take
other
items
as
well.
I
know
that
a
few
of
the
tags
aren't
presenting
today,
so
we
may
have
more
time
and
app
delivery
is
my
first
one
that
I'm
not
sure
about.
I'm
happy
to
be
able
to
like
have
somebody
mute
and
tell
me
things
from
tag
app
delivery.
C
D
Yeah
we've
had
a
lot
going
on
over
the
last
month,
or
so
one
of
the
things
that
we're
working
on
is
is
sort
of
a
pr
campaign
for
our
tag,
because
we
feel
like
we
have
a
lot
of
really
good
stuff.
We
have
how-to
documents,
we
have
templates
and
we
get
the
feeling
that
people
don't
really
know
that
we
have
them
and
we
also
need
people
to
help
us
continue
to
grow,
that
and
and
create
more
great
resources.
D
So
a
few
people,
so
catherine
paganini
in
particular
and
carolyn
bunslick,
have
been
working
on
a
blog
post
that
we're
going
to
outline
all
of
the
stuff
that
we've
done
and
then
we're
going
to
start
doing
some
more
to
promote
some
of
those
individual
resources
that
we've
been
putting
together.
So
look
for
that.
Coming
soon.
D
On
the
governance
side,
we've
had
there's
a
pr
out
there
to
add
values
to
some
of
the
governance
templates
and
to
add
a
readme
template.
That's
pending
tfc
wrap
approval,
we're
still
waiting
for
our
new
reps
to
be
assigned
because
we
had
sod
and
elena.
So
that
is
that's
just
on
hold
until
we
get
new
tag.
Reps
assigned
so
we'll,
hopefully
make
some
progress
on
that
one
and
then,
before
the
next
meeting
for
the
contributor
growth
working
group,
the
they've
been
working
on
a
really
kind
of
a
new
way
for
doing
the
templates.
D
So
for
the
templates,
what
we
had
been
doing
were
embedding
comments
in
the
markdown
files
and
we
were
getting
the
impression
that
people
didn't
really
notice
those
and
weren't
really
seeing
them.
So,
rather
than
embedding
the
comments
within
the
within
the
files,
we're
going
to
create
some
more
robust
how-to
pages
for
each
of
the
templates,
so
we're
working
that,
in
particular
on
the
the
readme
reviewing
dot.
Sorry,
the
reviewing
template
for
review.
D
I
see
a
comment
from
from
dims
about
unblocking.
I
think
you
actually
reviewed
that
that
template
and
said
it
was
good
but
you're,
not
our
official
rep.
So
we
weren't
sure
if
that
was
if
that
was
good.
So
if
we
can,
if
we
can
call
that
good
based
on
your
review,
I
think
we
can
get
that
one
merged.
I
think
they're,
I
think
they're
in
pretty
good
shape.
We.
C
C
C
E
D
I
will
I
will
do
that
today
or
tomorrow-
cool.
Thank
you,
oh
and
emily
said
that
they
would
take
a
look
at
it
today.
So
that's
good.
On
the
maintainer
circle
side,
paris
has
been
doing
some
great
planning,
so
she's
working
on
kind
of
a
six
month
plan
for
maintainer
circle,
so
those
are
also
looking
pretty
good.
D
We're
also
looking
at
adding
a
couple
of
things
to
the
contributor
strategy
tag,
so
one
is
mentorship,
so
this
is
something
that
a
few
people
have
already
been
working
on,
but
it
didn't
really
have
a
place
in
any
of
the
existing
tags.
So
I
think
we're
gonna
put
together
a
proposal
to
roll
this
into
the
internship
strategy
as
an
as
an
official
working
group,
to
give
it
a
little
bit
more
attention
and
structure.
So
look
for
that
coming
soon.
D
We
have
also
been
approached
by
a
group
who's
interested
in
doing
something
more
formal,
around
inclusiveness,
so
giving
a
place
for
women
non-binary
underrepresented
groups
to
have
a
place
where
they
can
work
together
on
things
like
talk
proposals
and
getting
visibility
and
conference
presentations
and
all
sorts
of
other
things.
So
we're
not
sure
exactly
what
that's
going
to
look
like,
but
we've
invited
them
to
discuss
it
at
our
next
tag.
Meeting
in
a
week
and
a
half
so
hopefully
you'll
be
seeing
that
as
well,
and
then
we
have
a
request
for
the
tsa.
D
D
We
leave
some
time
on
the
agenda
for
people
just
to
pop
in
and
ask
questions
or
they
can
reach
out
via
mailing
lists
or
or
on
slack.
So
we
really
want
to
encourage
you
to
make
sure
that
the
projects
know
that
we're
a
resource
for
them
and
we're
happy
to
help
them.
So
if
any
of
these
things
come
up
in
any
of
the
documents
that
you're
reviewing
or
the
discussions
you're
having
with
the
projects,
just
just
send
them
over
to
us
and
we'll
be
happy
to
help
any
questions
on
any
of
that.
E
D
C
What
what
I'm
thinking
about,
instead
of
being
able
to
say
at
sandbox
six
months
after
you've,
been
accepted,
the
sandbox,
where
you've
gotten
through
all
of
like
the
other
things
that
we
kind
of
like
the
onboarding
for
sandbox
projects,
has
a
lot
to
it.
I'd
rather
see
them
like
once
they've
gotten
kind
of
their
feet
into
them,
and
they
understand
like
what
all
of
the
pieces
are
then
being
able
to
come
and
actually
use
those
resources.
D
C
Can
script
these
things?
It's
fine,
yeah!
Okay,
all
right!
I
will
take
an
action
item
for
that
one
and
we'll
kind
of
like
I.
If
I
get
space
I
will
come
and
bring
it
to
your
next
contributor
strategy
meeting.
So
we
can
work
on
what
the
wording
needs
to
say.
Cool
yeah
that'd
be
great.
Thank
you
all
right,
awesome,
okay!
Yes,
that
is
fantastic!
Anything
else
on
the
contributor
strategy
side
of
the
house.
C
F
C
F
F
We
had
a
huge
influx
of
end
users,
which
is
super
nice.
I
we
still
don't
know
where
they
were
coming
from,
but
we
had
quite
the
influx,
so
that
was
good.
The
the
white
paper
is
still
a
little
bit
blocked
by
people
having
injuries
and
and
not
being
fully
fully
working.
No
other
updates.
As
of
right
now,.
G
Yeah
not
a
lot
of
updates
just
a
few,
so
we
had
a
few
presentations
from
from
a
couple
of
projects.
So
in
the
space
of
containers
and
runtimes,
we
do
have
a
presentation
in
our
next
meeting
from
enclave
era
containers.
This
is
a
take
on
confidential
computing
from
intel.
Then
the
dsx
team
so
excited
to
have
that
one
was
me,
is
a
web
assembly
wasn't
interpreter
and
we
reached
out
to
them,
and
hopefully
there
are
they'll,
have
a
presentation
in
our
in
our
meeting
and
in
terms
of
workloads.
G
This
project
allows
you
to
do
kubernetes
cluster
management
manage
workloads
across
multiple
kubernetes
clusters,
so
they
had
a
presentation
in
our
last
meeting
and
k
native
is
a
project
in
incubation
and
it's
out
for
vote.
I
believe
so
they
also
presented
in
in
our
meeting.
So
it's
glad
to
have
the
the
team
join
in
and
talk
about
the
progress
in
in
in
in
their
community
and
their
project,
and
also
we
have
qbert
and
incubations
out
for
vote,
and
basically
this
is
a
project
that
allows
you
to
run
kubernetes
virtual.
C
I
Hey,
hey
security
folks
have
been
treading
water
really
trying
to
stay
afloat,
with
the
very
unfortunate
set
of
events
and
tragic
events
that
have
been
going
on
on
top
of
well
recently.
As
you
are
well
aware,
we've
had
an
increased
number
of
vulnerabilities,
a
lot
of
incident
and
response
activities
and
in
our
respective
organizations,
but
despite
of
that,
well
we've
been
able
to
contribute
a
lot
of
what
we've
learned
and
capture
it
down.
Write
it
up
fee
updates
on
how
we've
revised
well,
our
outputs.
I
I
We've
done
a
follow-up
to
that
as
an
as
a
compliment
as
an
aide
to
help
folks
and
thinking
about
implementing
those
best
practices
how
to
go
about
it,
give
them
a
reference
to
sign
for
it,
the
corresponding
software
that
some
of
the
members
of
the
group
have
pieced
together
as
actual
reference
code,
is
going
to
be
donated
to
the
open
ssf
happy
to
share
a
link
to
that.
That's
under
the
github
of
github.com
secure
software
factory.
I
Moving
on
to
our
second
update
bullet
number
two,
we
have
also
produced
an
update,
we're
working
on
updating
the
the
cloud
native
security
white
paper.
We're
coming
up
pretty
close
on
on
having
that
completed.
That's
just
a
heads
up.
You
know
how
to
like
to
expect
it
and
help
circulate
it
create
awareness
of
it.
I
This
is
related
to
governance,
which
well
governance,
and
compliance
are
two
very
important
subjects
to
very
important
domains
that
go
hand
in
hand
with
security,
and
the
community
has
been
thinking
hard.
How
do
we
well
go
about
automating
much
in
the
spirit
of
like
reference,
architectures
and
securing
our
production
environment
securing
our
pipelines?
I
How
do
we
know
for
certain
that
our
governance
intent
our
policies
are
in
fact
being
met
and
that
we
can
reason
about
that
in
a
holistic
fashion?
We
can
reason
holistically
about
authorization.
We
can
reason
holistically
about
our
regulatory
objectives
and
that
in
turn
we
can
have
the
machine
be
interrogated
to
answer.
Questions
of
it
is
in
fact,
being
met
or
not.
I
We've
also
moving
away
from
this
update
on
to
the
next
one,
in
collaboration
with
other
groups,
kicked
off
the
global
security
vulnerability
summit.
I
haven't
personally
been
involved
in
this.
One
brandon
alum
is
here
with
us
today
has
and
can
speak
to
more
detail
to
that
the
guest
is
just
well.
What
do
you
have
here
in
the
bullet
points
facilitating
discussions,
gathering
the
community
to
tackle
vulnerability
management
and
how
to
aggregate
an
open
source
databases,
the
different
vulnerability
information,
brandon.
H
Yeah,
I
have
kind
of
been
been
working
on
this
a
bit
more.
Basically,
the
the
main
motivation
behind
this
is,
you
know,
with
things
like
cves
and
like
getting
those
registers
that
that's
out
of
many
problems,
two
which
kind
of
come
up.
One
of
them
is
like
there's
a
backup
cps
right
there,
a
lot
of
people
that
have
cvs
that
they
don't
necessarily
go
through
the
process
in
time,
and
there
is
kind
of
like
a
drift
between
what's
out
there
what's
in
the
cv
database.
H
So
one
of
the
things
that
we're
doing
is
to
bring
the
community
together
to
kind
of
discuss
about
things
figure
out.
What
is
a
solution
that
we
can
work
towards
in
the
future
or
some
areas
that
we
can
form
working
groups
around,
and
one
of
these
ideas
is
something
like
an
open
source
database
of
vulnerabilities,
something
like
gst,
something
along
the
lines
of
vex
the
vulnerability
exchange.
I
Yep,
well,
that's
your
update,
much
in
the
same
vein
as
as
I
open
up,
just
as
as
so
as
preoccupied
as
we
all
are.
I
would
remind
that
security
folks
are
are
out
in
the
forefront
of
a
lot
of
pressure.
Right
now
have
a
little
bit
mindfulness
and
compassion
of
these
folks
in
your
respective
teams
of
these
folks
in
our
ecosystem
that
have
a
lot
of
weight
on
their
shoulders
and
a
lot
of
pressure
right
now.
I
People
are
coming
to
us
on
well
helping
assess
their
security
postures
help
them
like
run
ramp
up
for
a
lot
of
cyber
activity
and
well
it's
it's
a
is
a
time
to
think
of
well
the
importance
and
relevance
of
security
so
just
to
bang
that
on
that,
a
little
bit
hoping
to
get
some
copy
there.
On
the
talk.
E
H
Yeah
so
back
a
couple
of
months,
emily
created
a
ticket
on
this,
and
we
saw
a
lot
of
people
that
were
interested
in
this
going
just
not
only
for
vendors
but,
like
you
know,
github
get
that
we're
gonna
get
a
couple
micro
folks.
Basically
there
is
a
lot
of
interest
to
discuss
about
this
topic,
so
on
that
front,
I
I
don't
think
we
are
too
worried
about
that
right.
H
Not
yet
we
are
going
to
so,
we
are
kind
of
like
figuring
out
the
logistics
of
the
event
within
this
week.
It
will
be
announced
next
week.
So
once
that's
out
we'll
start
outreach.
I
will
appreciate
if
there
are
anyone
that
you
you
can
think
of
that
may
be
interested
or
you
think
would
be
good
to
have
as
far
as
this
discussion,
please,
please
send
them
our
way.
E
Yeah,
I
think
so
far
people
have
been
aggregating
on
like
a
github
issue
of
some
kind,
and
everybody
was
saying
yes,
I'm
interested
kind
of
thing
there.
We
don't
know
where
to
send
people
to
at
this
point
right
like
so
when
you
have
the
logistics
figured
out.
I
think
you
know
the
date
time
emailing
list
or
something
like
that.
That
would
be
really
good.
H
Yeah,
so
just
just
a
heads
up
currently
being
discussed,
but
the
plan
is
to
host
this
during
alongside
the
open
source
summit,
which
is
in
june,
once
we
decide
everything
this
week
about
end
of
next
week
or
the
following
week.
The
website
should
be
up,
so
that
would
be
a
good
time
for
us
to
share
around
yeah.
H
I
This
is
a
finalized
details,
expect
to
hear
from
pushkar
most
likely,
who
conducts
a
lot
of
the
liaison
between
cncf
tax
security
and
kubernetes
security,
but
between
him
and
brandon.
Whatever
is
not
on
the
website,
they
they
should
provide
it
like
some
level
of
reach
out
and
additional
information.
Yeah.
C
J
From
a
from
a
tag
storage
point
of
view,
I've
put
the
link
in
there
for
the
for
the
project,
update
presentation
and
we
we
think
we're
done
from
from
a
due
diligence
review.
But
we
need
somebody
and
we
need
this-
the
sponsor
to
have
a
look
and
adjust
your
view
and
see
if
there's
there's
anything
else,
so
so
we're
kind
of
waiting
for
next
steps
from
from
toc
on
this
one,
but
then
it
should
be
able
to
go
for
for
a
db
process.
J
The
open
ebs
is
going
is
also
going
through
a
set
of
changes
there.
There
were
a
number
of
a
number
of
discussions
around
the
licensing
and
trademarks,
and
things
like
that
which
I
think,
which
have
now
been
completely
resolved
and
we've
had
a
discussion
with
the
team
last
week
around
next
steps
because
and
my
data,
who
used
to
be
the
the
owner
or
or
the
main
main
maintainer
of
the
open
ebs
project
has
been
acquired
by
datacore.
J
J
The
the
current
repos,
which
parts
of
the
projects
are
going
forward
and
and
things
like
that,
and
and
we
can
make
a
call
at
that
point
as
to
whether
we
want
to
progress
with
the
due
diligence
and
for
the
move
from
sandbox
to
incubation
and
so
I'll
reach
out
to
aaron.
Who
I
believe
is,
is
our
liaison
at
this
point
and
and
and
invite
you
to
that.
To
that
call
the
curve
storage
system,
I
believe
we
we
had
that.
I
gave
this
update
last
time,
but
just
double
checking.
J
If
there
was
anything
else
that
was
needed.
There
was
a
question
from
the
tlc
around
whether
it's,
whether
the
curve
search
system
should
move
forward
into
sandboxing,
and
our
recommendation
is
yes,
it
should
move
into
sandbox
in
terms
of
in
terms
of
the
the
white
papers
that
we've
been
working
on
the
climate
disaster
recovery,
that's
that's
completed
and
we
publish
that
in
our
repo
today.
J
J
C
C
C
We've
got
some
updates
in
here
that
did
not
make
it
into
the
deck
because
they
happened
in
like
the
minutes
before
we
have
both
cert
manager
and
kyverno
moving
into
sponsors,
both
dimms
and
ricardo
roca
have
taken
those
on.
So
thank
you
very
much.
Projects
moving
around
and
open
ebs
is
now
on
the
list
of
like
something
waiting
for
sponsors.
B
C
K
There
we
go;
no,
it
wasn't.
It
was
a
hardware,
it
was
a
hardware
problem.
So
yes,
so
we've
done
the
first
round.
I've
done
a
thorough
review
of
the
the
submission
and
have
given
the
first
round
of
feedback
to
the
captain
folks
and
they
are
working
on
adding
some
things
to
the
due
diligence
document
and
I'm
also
starting
to
gather
people
to
interview.
So
it's
in
progress.
Finally,.
C
K
native
k
native
is
currently
in
voting.
All
is
well
there
backstage.
Similarly,
in
voting,
I
do
not
have
dave
on
the
line
to
be
able
to
chat
about
artifact
hub
and
aaron
is
similar
than
not
here
so
key
club,
we'll
have
to
wait
until
next
time,
but
we
are
still
keeping
an
eye
on
them
and
yeah
spiffy
spire,
as
we
did
in
our
last
meeting,
they
are
justin.
Cormac
is
pairing
with
emily,
fox
and
dave.
So
that's
kind
of
our
update
from
all
of
that
questions
comments
anything
else.
C
C
C
Hold
on
I've
got
that
in
a
different
screen
in
here,
but
timing
for
that
one
is
going
to
be.
We
are
currently
in
our
qualification
period.
The
qualification
period
will
close
march
8th
at
noon,
pacific
and
then
from
there.
The
vote
will
open
and
we've
got
a
8th
through
the
15th
vote
and
that
vote
happens
through
the
toc
directly
right
now
we're
in
our
two-week
qualification
period
mandated
by
the
charter.
E
Sounds
good,
so
I
just
had
one
more
thing
crossed
my
mind
when
we
were
looking
through.
I
think
there
was
one
of
the
tags
had
a
request
for
additional
tls
roles
are
open
kind
of
thing.
I
forget
exactly
which
one
it
was
the
opportunities
of
our
next
one.
Eight
slide.
Eight,
I
think
yeah
see
there
the
last
one.
So
can
we
do
something
on
email
or
twitter,
or
something
like
that
too?
To
show
highlight
that
you
know
there
are
tags
that
are
looking
for
people.
C
Yeah
well,
I
believe
this
might
actually
have
been
an
old
update
as
well
from
tag
observability.
The
way
that
this
has
worked
in
the
past
is
people
have
have
stood
and
the
tags
have
basically
kind
of
like
decided
amongst
themselves
and
then
presented
at
toc.
But
there's
there's
really
nothing.
That
says
that
we
couldn't
actually
establish
more
policy
around
how
we
do
that
kind
of
outreach,
so
yeah
yeah,
no,
I'm
actually
gonna
pass
back
to
richie,
because
this
is
kind
of
like
that
area.
But
unless
there's
nothing
to
say
here.
C
G
G
J
C
J
C
C
C
A
So
we
just
went
through
the
maintainer
track
and
reviewed
it.
It
looks
like
almost
every
single
tag
has
a
submission
that
has
some
level
of
content
about.
What's
going
on
with
it,
it's
entirely
up
to
the
tags
and
whoever
is
presenting.
We
require
the
co-chairs
to
actually
do
the
submission,
but
it
can
really
be
anybody
from
the
tag
that
does
the
final
presentation
to
highlight
with
the
needs
of
the
group,
and
this
is
really
their
opportunity
and
platform
to
get
some
more
contributions.
A
So,
if
contributor
strategy
has
recommendations
to
kind
of
not
only
help
projects
but
potentially
help
tags
get
more
contributions
from
the
community
as
well
as
some
more
of
those
technical
leadership
roles,
because
that
is
something
that
is
always
problematic
in
open
source
communities,
especially
for
leading
these
projects
that
are
not
code,
they're,
not
hands-on,
keyboard
kind
of
work.
That
would
be
highly
recommended
and
might
be
something
that's
worth,
highlighting
to
kind
of
drive
more
of
that
community
involvement.
I
So
we
are
very
receptive
of
anyone
willing
to
avail
themselves
to
pitch
in
in
a
substantial
matter,
more
than
just
hey,
coming
to
passively
listen
on
a
meeting
and
get
the
updates
ways
that
they
can
actively
contribute
and
not
just
the
low-hanging
fruit
but
sure
they
can
start
there.
Certainly
like.
I
I
don't
want
to
discourage
that,
but
people
who
are
willing
to
take
an
issue
and
drive
it
from
the
onset
and
definition
of
that
problem
to
the
completion
of
whatever
that
work
stream
may
be
so
yeah
we're
attack
security,
and
I
would
say,
speaking
for
every
other
tag,
ways
that
we
can
send
the
message
that
hey,
we
are
actively
looking
for
more
participants.
More
contributors
would
would
like
go
long
ways
and
making
sure
that
sometimes
people
are
discouraged
by
either
bystander
effect
of
oh
they're.
I
A
So
I
just
want
to
add,
on
top
of
that,
this
has
been
a
systemic
problem,
especially
within
security,
tech
and
I'm
sure
other
tags
have
felt
it.
We've
tried
to
codify
set
a
little
bit
more
clarity
in
what
those
expectations
for
those
various
roles
within
the
security
tag
are
as
well
as
a
community
nomination
process.
Around
tech
leads
where
we've
tried
to
be
more
transparent
and
describing
the
the
values
and
the
work,
ethics
and
the
responsibilities
that
we're
kind
of
expecting
out
of
that
role.
A
F
G
Yeah,
so
one
question
that
I
have
for
the
new
toc
members
is:
I
think
that
the
tag
security
tag
is
actually
more
mature
than
some
of
the
other
tags,
and
I
see
a
lot
of
the
definitions
are
in
their
their
github
repo.
So
I
wonder
if
that
can
actually
be
something
that
could
be
transferred
over
to
the
toc
or
merge
with
some
of
the
stuff
in
the
in
the
tlc
repo
and
and
become
more
of
a
process
across
all
the
tags.
I
Yeah
we've
seen
some
some
response
from
folks
of
oh
I'm
asking
how
I
can
get
involved
and
you're
you're,
showing
me
this
long
text,
and
this
is
long
to
read
it.
It
kind
of
filters
out
people
who
are
actually
willing
to
learn
like
assimilate.
How
is
it
that
we
work?
So
it's
actually
been
really
fruitful.
I
know
like
well.
E
Yeah
one
way
to
look
at
this
address
is
like:
where
is
the
natural
pipeline
for
people
to
get
into
tags,
and
for
me
it
seems
like
it's.
The
projects
that
you
oversee
and
the
end
users
that
use
those
projects
right
so
having
good
lines
of
communication
with
those
two
groups
from
the
tags
seems
like
the
best
way
to,
because
they'll
be
naturally
affiliated
with
the
specific
tag
right.
That's
why
I
was
asking
about,
like?
Are
there
communication
mechanisms
that
you
all
are
using
or
finding
value
in
to
target
those
two
groups.
I
I
I
definitely
see
value.
I
know.
Contributor
strategy
has
codified
and
like
integrated
a
lot
of
long
term
discussions
around
the
subject,
they've
been
thinking
really
hard
and
long
about
it,
pointing
out
what
emily's
saying
in
the
chat
is
just
that
it
might
be
specific
to
to
security.
A
lot
of
the
folks
we
attract
are
security
professionals
that
may
not
necessarily
know
how
to
become
like
go
through
the
maintainer
ranks
of
a
project
and
they're
more
gravitating
towards
security
advisory.
I
So
I
don't
know
that
there's
certainly
there's
cross-pollination
and
like
similar
journeys
and
trajectories
of
people
coming
from
interest
of
a
project
or
a
community
day
or
kubecon
versus,
like
other
people
like
and
security,
going
from
infosec
to
cloud
native
and
up
level
of
leveling
their
skills.
We
might
have
like
different
funnels
there,
but
there's
there's
parallels
for
sure.
A
It
was
just
a
reiteration
of
what
andres
already
covered
the
security
tag.
It
there's
a
lot
of
work
that
can
potentially
be
reused
and
expanded
across
the
tags.
However,
we've
always
been
slightly
different
in
where
we're
getting
a
lot
of
our
con,
our
contributions
from
and
that's
because
during
cubecon-
and
we
talk
about
security
reviews,
there's
always
somebody
who's
had
perc7
is
like
you're
doing
security
reviews
at
like
volunteer
base.
That's
insane,
usually
it's
everybody's,
doing
security
audits
and
then
having
the
conversation
about
what
it
is
that
we're
actually
doing
within
the
group.
L
That
wasn't
that
was
it:
okay,
okay,
that
was
it
yeah
cause
like
I
don't
I
don't
think
you
know.
Security
reviewers
need
to
necessarily
come
through
normal
project
contribution
channels.
Obviously
it's
nice
when
they
do,
but
not
everybody
has
the
time
and
I've
been
in
a
couple
of
projects
where
we
just
got
basically
the
cncf
security
review
and
it
was
just
enormously
valuable
because
you
know
maintainer
time
is
so
scarce
and
they
don't
necessarily
have
time
to
look
for
every
possible
security
issue.
So
it's
just
terrifically
valuable
service.
I
E
Then
one
last
thing
that
I
had
was,
if
we
do
have
a
toc,
has
a
contributors.md
which
has
a
list
of
people
and
people
just
create
prs
for
themselves
in
there
to
add
themselves,
and
so
maybe
it
could
be.
We
can
reach
out
to
these
people
and
see
if
they
will,
they
want
to
associate
themselves
with
a
specific
tag
and
essentially
wind
down
this
contributors.md,
because
I
don't
think
it's
doing
much.
What
do
you
think?
What
do
you
all
think.
C
Amy,
I
mean
yes,
it
is
kind
of
a
historical
artifact.
That
part
is
true:
it
predates
all
of
the
tags
and
sigs
my
thinking
from
a
point
of
not
to
be
able
to
lose.
Any
of
that
is
to
be
able
to
kind
of
focus
on
like
I
think
it's
fine
to
be
able
to
have
that
list
of
toc
contributors,
but
I
think
it's
also
like,
maybe
being
able
to
have
like
the
tags,
have
their
own
contributor
lists
as
well
to
be
able
to
say
hey.
C
A
Actually
have
something
to
say
about
that,
so
there
we've,
we
within
security
tag,
have
had
extensive
conversations
about
our
contributor
and
our
member
list
and
the
value
that
it
is
providing
the
community
and
one
of
the
decisions
that
the
group
has
made
is
to
wipe
the
member
list
and
the
reason.
Why
is
because,
from
a
security
perspective
and
generally
from
a
community
perspective,
not
everybody
knows
how
to
do
a
commit
or
to
submit
a
pr,
and
there
are
a
lot
of
contributions
to
the
work
of
our
group
that
happen
outside
of
the
repository.
A
So
it's
one
of
those
that
we
want
the
work
of
the
group
to
be
able
to
speak
for
itself.
So
we've
we've
established
guidelines
associated
with
some
of
our
paper
publication
processes
around.
How
do
we
define
authorship,
contribute
contributions
and
reviewers,
making
sure
that
those
are
publicly
aware
making
sure
that
folks
are
tagging
themselves
on
the
issue
that
we're
tagging
them
with
their
github
handles
because
that's
an
easier
level
of
interaction
than
actually
doing
a
git
clone
on
the
repo?
So
we've
had
a
lot
of
discussions
about
it.
C
Maybe
I
don't
know
if
we're
there,
yet
simply
because
it
doesn't
sound
like
we
have
a
good
enough
mechanism
for
people
to
be
able
to
say.
Yes,
I'm
part
of
like
this
particular
tag
or
something,
and
there
isn't
a
way
to
be
able
to
like
kind
of
like
seamlessly,
like
kind
of
move
that
through
and
emily's
back
again
come
on
in.
A
So
there's
actually
an
open
issue
with
the
cncf
about
how
do
we
recognize
individuals
that
have
done
some
form
of
contribution
to
a
particular
group?
And
there
is
there-
was
some
initial
badging
associated
with
linkedin
profiles
for
folks
that
were
on
the
cfp
committee
or
the
program
committee
for
cloud
native
security
con,
and
we
were
looking
to
kind
of
tap
into
that
for
our
community
members
that
have
actually
participated
in
a
security
review
through
potentially
a
github
profile
badge
the
way
that
there's
the
arctic
vault
badging
associated
with
projects.
A
So
that's
an
open
ask
we've.
I
think
it's
been
almost
two
years
now
that
it's
been
open.
I'd
really
like
to
see
more
work
done
in
that
space
for
how
we
can
identify
individuals
that
have
done
a
contribution
either
currently
in
the
past
or
a
specific
style
of
contribution,
whereas
security
reviews
are
very
different
than
just
participation
in
the
group.
C
Actually
part
of
the
reason
that
I'm
holding
on
this
is
not
because
it's
a
good
idea
or
like
any
of
that,
I
know
that
dave
had
some
strong
feelings
about
how
this
should
actually
work
as
well.
So
my
feeling
is
that
we
don't
have
all
the
people
in
the
room
to
be
able
to
weigh
in
on
it.
I'm
perfectly
happy
to
be
able
to
take
this
like
a
an
agenda
item
on
a
further
meeting.
C
Okay.
So
what
do
you
mean?
Yeah?
It's
not
because
like
I
don't
think
that
we
don't
have
enough
people
here
for
like
this,
and
I
want
to
be
able
to
make
sure
that
we're
getting
the
voices
that
I
know
had
strong
opinions
about
it,
absolutely
both
okay,
I
will
put
it
on
a
future
agenda
item
and
that
sounds
perfectly
fine.