From YouTube: 2019.08.12 - Weekly Secure stage meeting
Description
Weekly meeting of GitLab employees in the Secure stage.
B: You had a good weekend, yeah? So we'll go ahead and we'll kick things off, as we have been doing recently, by going through some announcements. Olivier is not here at the moment, so I'll go ahead and cover his points. The group/project organization work that he is doing, as far as organizing issues around projects and groups: please take a look at what he has posted within the announcements section. Also, label migrations are now done; you can see the MR that he's posted there.
B: From my perspective, things worth celebrating: we had two P1 S1 bugs against the security dashboard. Those got closed out this past week with the final MRs going through. So that is good to see; I'm grateful for that. Let's make sure that we poke at it in production and see whether it behaves as we expect. And the final note from me is that last Thursday there was a brown-bag session on CD and code freeze. We will do it as requested from that session.
B: There will be a follow-on one aiming for later this week, so we can continue that conversation. It is uploaded. Please note it is set to private; that means you need to be a... so you can't just be on your personal account to see it. With that being said, let's go ahead and dive in on the agenda, unless there are any questions on those announcements.
B: Okay, so Victor pinged me before this meeting, saying he wasn't feeling well and wasn't going to make this particular meeting, so I will cover for him. We're doing a lot of work around fingerprints, and he's got a lot of questions here around how we're dealing with regressions. I will not read everything that he has posted, but I'll throw it up here for feedback, commentary and questions.
D: Since I have the one comment on there, I will just verbalize that. So, yeah, we need to figure this out, because any time we update a project fingerprint, which is calculated from a variety of unique fields, including line number and things, it will change, and every feedback associated with that vulnerability, like a dismissal or an issue, will disappear. Short term, there's a reason we have the outlet designation on interactive vulnerabilities, so, at least in my opinion, we can probably just lose that feedback. But long term...
D: That's not a good strategy, and so we should come up with a migration plan. I think I filed an issue about this, like Thursday, but we should look at some kind of strategy, kind of like a green/blue strategy, where we give you an old fingerprint and a new fingerprint and provide some mechanism for updating them within the core app when there are analyzer changes. I'll try and find that issue and tag it here, but I do think this is something that we probably should have a longer meeting and discussion about.
B: My assignment on this item is to go ahead and start a conversation with PM about it. If we're going to be introducing changes that will lead to the perception of data loss, we need to start communicating that out, and so I want to make sure that we don't surprise people and therefore get some negative feedback cycle coming in our direction. So I heard a need for a longer conversation. We don't have everybody present for that conversation. I think PM...
D: No, kind of. It's something that we are considering, but it's not directly related.
D: The thing with first-class vulnerabilities is we're kind of coming down with what an MVC for that would look like, because this is an epic-level task. It has a lot of components across all of our issues, for lack of a better word, so I think it's worth considering, but it wouldn't quite change things, because even when there are first-class vulnerabilities, there are still going to be occurrences or findings, and those are what we need to uniquely identify. So that includes line number, for one.
Alright
I'll
keep
going
is
apparently
I
am
the
stand
and
presenter
for
every
single
item
on
the
agenda
today.
Alright
Tom,
it's
there
is
an
item
from
him
that
is
worth
that.
We
need
to
be
paying
attention
to,
because
this
will
have
impacts
on
us.
So
there's
a
request
to
graph
QL
put
graph
QL
on
all
our
api's
or,
as
I,
would
put
in
my
head
last
night
graph,
QL,
all
the
things.
B: We need to pay attention to this and we need to start thinking through what the impacts might be. Please contribute to this particular MR and think through where those impacts might be to delivery. I am NOT reading this as a commitment that we have yet; however, it has been deemed that having a stable GraphQL API is a differentiator for GitLab. So, I don't know that... My impression of this is that this is coming. It's a question of when, but we need to make sure that we have...
C: All right, a sort of quick question: do you know at what level this is coming in? I mean, just to kind of gauge how much of a company-wide commitment it is. Is it an initiative just from front end, or is it coming from the director of front end, in terms of beyond that? Just an engineering director? I don't know.
B: All right, I'm gonna keep moving on. All right, from Olivier: this is something that was beginning to be discussed Friday. There is now an epic that has been stood up to introduce application limits throughout the back end, and so that is an epic, and then there are going to be issues that are spun off on a per-stage level.
B: We need to participate in this one, because what this is trying to address is one of the underlying pain points that has introduced the on-call rotation for backend engineers. So what we want to do is, and everyone can read this, make sure that a single action, whether it is unintentional or malicious, doesn't effectively DDoS us or DoS ourselves. So what application limits we can introduce in Secure features is an important conversation.
B: All right, we're a quiet bunch this morning. Who'll rescue me this morning?
C: Oh, I just looked at this real quick. I guess there was a comment made about making... maybe this is a confidential issue, which makes sense, since we're pretty much listing what we know would probably, you know, in terms of hitting an endpoint or doing something too often. So I think that was a good point to bring up. It is confidential.
B: All right, next one. Speaking of on-call rotation, schedules are open for the rest of the year. Please volunteer. The way that this is working is that the EM that is assigned to be the coordinator for a given month, prior to the month starting, is looking and making sure that the on-call rotation is filled for that month, and if not, the coordinator is filling up the schedule. So please volunteer, as it is much better than having a shift assigned.
B: So, Jim, calling that out in case you were not aware of it, and this is just for backend engineers that have been here over three months. I will call out, though, that the schedule goes through December, so everyone on this call and in this stage will be... every backend engineer that is in this section, on this call, that knows of this meeting today, qualifies for this before the end of the year.
B: I am not aware of one, but that is a good question. I will tell you what my expectation is. My expectation is that when an escalation comes to you, and there is, it seems to me, an escalation path and responsibilities that have been outlined within the handbook for those individuals that happen to be on call at the time, as to what they are expected to do and how they're expected to make themselves available...
B: ...experts for the area that's causing the impacts. So I'm not anticipating this as someone that will be put on the hook unless they have direct expert knowledge on what they are dealing with. I'm expecting it to be more of an identification and routing function than anything else. That's my expectation. I need to do more reading on the subject area myself, so I am speaking at the boundaries of my knowledge, but that is a good question as far as level-setting expectations.
B: Alright, last item. So this was mentioned during the brown-bag session last week, and now there's an issue to help collect them. I'm looking for reference issues that have known implementation times, and the times that I'm looking for are put in the issues themselves. So what this is to do is to help with sizing during a backlog grooming exercise, so we can get to a relative grooming...
B: We can get to a relative sizing cadence to aid with this particular part of that exercise. If any of you know of issues that meet these particular sizes, please contribute; that would be very beneficial. And that's the entire agenda for today. Does anyone have any late additions, questions, comments, criticisms, concerns or complaints, other than that those are not in alphabetical order?