From YouTube: sig-auth bi-weekly meeting 20200520
A: I guess, has everyone on the call seen or read the charter already, or do you want the pitch, like the presentation of what the charter is? I have skimmed it and just kind of a little bit of sketching a couple days ago.
B: Essentially, the idea started right after Jay and I gave a talk at last KubeCon about the audit. We positioned the presentation very much as a call to action. We were asking the community to help get involved and facilitate addressing not just, like, the one-off bugs that we found, but the more systemic issues that were spotlighted by the audit, and instead of getting, like, a couple people,
B: we got dozens of people who wanted to contribute to the security of Kubernetes, and the working group just did not have the framework or the manpower to channel that in a good way. And then that idea developed, talking to Tim and others about how we could channel all that energy productively, and what aspects of Kubernetes security weren't being addressed in a cohesive way by the current organization, and from that came the idea of sig-security, which, we're learning, was not an original thought, but one that keeps coming up again and again.
B: So the goal is to form a group of people that would act as the umbrella organization for the working group as it currently sits, which is centered around just running audits and getting that feedback back to the community. And then, under that new umbrella, we would have room for other initiatives, things that are spun out of the audits, as well as other tasks that exist.
C: Came up, we've often had cases where lots of people expressed an interest, like, "hey, hope this gets done," or "hey, it'd be really cool, I would use this if it existed," but those people often aren't there one month, two months, three months later. The people that expressed interest, I'm curious, are they still engaged? Are they still trying to push forward on this of their own volition, or are they...
A: I would caveat that with, a few of them have been helping out, or a few people who aren't involved in sig-auth or the working group have been helping out with developing the charter. That's cold water, I'm not sure who else has participated in that. And then the other thing I would add is, we're sort of talking about seeding sig-security with existing projects.
A: So the three: you already talked about the audit working group, but there's also the security process working group, which isn't actually a thing, but basically the public parts of the Product Security Committee, and Micah has expressed interest in kind of leading that effort. And then the third project that would come under the umbrella is the security docs, which is currently a sub-project of sig-docs and would move to sig-security, and so there's already people who are involved in that project. That would, yeah.
D: A little bit there, so one of the things that's exciting for the folks that were working on security documentation out of sig-docs is, honestly, that if they are looking at a security audience, looking for writers, it's a whole lot easier to find, and to lead, writers from a security...
D: The thing that gets held up, like, time and time again by companies as what their standard is gonna be for how to harden a Kubernetes cluster, and I think we all might have different opinions, more complex opinions, about the benchmark, but the two people leading the benchmark work, you know, Liz and Rory,
D: don't have a whole lot of leverage to push back and say, "Listen, the open source project is actually a lot more mature than a lot of things that get benchmarks for it." And similarly, for them that was huge, also because, again, they could marshal people a lot more easily. They could find people to help collaborate on the benchmark and marshal those people a lot more easily from within the Kubernetes org than from within the CIS org, and CIS is a web app.
D: I think that's partly what I wanted to contribute to the pitch, as it were: there's excitement, and people want to participate on security, on security process, or on improving security in the product, or around giving people more guidance and more kinds of docs about how to do security, or about responding, about doing what's done on the Slack channel and on the mailing list, by doing that kind of outreach. And so that's
D: a big part of our focus for creating a security sig. It's basically one of those "if you build it, they will come." We already know the common response to calls to action, but if you build it, they will come, so let's give them a framework from within which to come and support.
B: So to summarise what David already said: the 15 people, or 20, 25 people, they came initially, some of them stuck around, but also as we've started this conversation, other, more established contributors to the project have also shown up with context they'd like under the umbrella. I think it's kind of two products; you're worried about what if we build it and then no one comes?
C: Doers, I don't know, like a more polite way. Definitely don't phrase it as doers, or, no, a more polite way to say it, but I think those are the kinds of people we want to collect, and I don't know, that's why I was asking. So, you know, a movement of docs from one state to another, it's not a net gain, but I wouldn't, you know, if it existed? Okay, but the other people coming in to work on the benchmarks, right.
D: So what I was gonna hit was, it seemed like your first question was about will they stay, and your second question was, like, you know, listen, if you're just shuffling things around, where's the gain? It's kind of like you're moving some leaders from one place to another and giving them a place where they have better access to the people, like attracting people to collaborate on a CIS benchmark.
D: Kubernetes, at least at this point, can attract people a lot more, you know, kind of attract and gather people who want to work on a benchmark a lot more easily than the CIS can, and really, since the CIS's way of doing it has such a high barrier to entry; just to get set up, you have to go and get an account on their platform, and their platform's a pain in the butt, and we've got something that's a lot more scalable, I mean.
B: We have the human power. We've actually also got a different, my new interest since we started talking about sig-security. What I was saying before we got in that channel was, we've all pretty early identified that we had to find our place in between, say, sig-auth and CNCF sig-security, in a way where the lines are clean and helpful. Mike introduced an early requirement, which was he didn't want to go to two meetings. I did reject that, but other than that, I do think...
A: Maybe it'd be helpful just to kind of picture or describe, from the point of view of someone sitting in an existing sig, like, sig-auth has its components and sig-node has the kubelet and sig-scheduling has whatever, like, from the point of view of one of those owners, because I agree with Mike, I don't want to go to another meeting. Like, what? What are the...
A: What are the points of engagement? Like, when would I reach out to this group of people, when would those people reach out to me, like, what would be helpful? How would the groups help each other, and how will the groups, not getting in each other's way, but sort of, like, put checks on each other, and so...
B: My vision for that is that the group doesn't put out any code, at least initially. I can't think of an argument currently for software, maybe glue code someday in the future, but I don't see that. The biggest value, I think, is going to be the sig-security group reaching out to sig-node and sig-auth and other component owners to say they identified systemic issues across the board, and these are the kinds of changes we need to implement across multiple sigs, here's why, etc.
A: Same way: prioritization of horizontals like that, like, yeah, I mean, I'm just trying to... usually when things like that happen, nobody disagrees that, like, the current state is not ideal, and it comes down to, like, priority, like, well, this thing's on fire and that thing's on fire and here's a slow-burning fire that's been there for five years, like, how do these things prioritize against it? And so, when a horizontal is like, "we've identified this and we should improve it," how does that work if, like, there aren't bodies to improve it in most sigs?
B: We have none of which I've moved, awesome, great, basically, yeah. So one of the things that's absent is someone to drive it, like, actually every day, turned out to be like everything: these are important things to do, and if there is a body of people who want to contribute, there's no umbrella for them to say, like, "I'm...
B: ...looking at these horizontals holistically, let me go submit individual PRs to individual components to start moving it." Like, I don't know where that person comes from right now; they don't have a place to be. I guess you could be a self-starter and just, like, look at the list and start submitting KEPs and pull requests, but most people don't work that way. Most people need someone to tell them what to do. Okay, at least that's my philosophy, I would say; if there's a counterpoint, MJ, feel free.
D: I think I can't disagree with her, and I think that's where it is. I think it's literally having someone to help do that. I don't know what else to call it except for that PM-type role, like, define what is it we need to get done? Who wants to work on it? Is it still moving?
D: If it's not moving, can we find someone else who can keep it moving, and humans to talk to about what it should look like, so that when we are presenting, when we are kicking in a pull request, it's not in a vacuum. You're getting, you know, sig-auth who's getting something that they've heard about, and, like, by the time that somebody's writing code, I...
A: I honestly think that this is where, like, I think there's some value in just having a sig called sig-security with a regular meeting schedule that people can show up to and say, "I'm interested in security, I'm kind of new to Kubernetes, like, I want to contribute, help me get started." And it might be hard, it's gonna be harder for that person to pick a random issue on GitHub and go into that.
A: It's gonna be harder for them to start showing up to sig-node and try and navigate sig-node and also figure out where the security holes are. And yeah, I think that even if they're not contributing directly through sig-security, but sort of, like, show up to sig-security, figure out the path forward, and then get sort of directed to, "okay, now you're gonna work on this, but in order to make progress, you need to go and show up at sig-node and work with the sig-node maintainers to kind of get this through," I think.
B: I'd add that a meeting you show up to every week, where we, you know, present the list of stuff that we're, course almost, if you want to call them that, or systemic security issues that we want to address, to be like, "who can pick this up and run with it?" Well, and that there's gonna be people who have been in the project for a while there, and I mean to be like, "oh, you got to talk to Jordan for that, Mike for that," because they definitely can help you drive that. I, yeah.
A: But, like, this thing, and that's like, I need to agree, it's like, alright, well, now I need to present to two meetings, like, it, the leaders together, and reading this, it seems like basically everything this does is going to touch, like, be cross-sig, which I cringe at, just like, I... cross-sig, like, the more nodes there are in the mesh, the harder everything is, but at the same time, like, this is very cross-cutting, so I'm just trying to picture what it would actually look like in practice.
B: There's no operating mechanism for what to do with the findings other than the bugs, like, we found bugs and we push the bugs at people. But if it's an ongoing project, like, we copy-paste code all over the place, like, who's gonna... I'm sorry, I really have to run. Okay. If you want a big follow-up with me, I'm sorry that this timeslot got cannibalized by my other job. Hit me up. I'm definitely available to keep working on this, I can.
A: Speaking to the docs, like, the different areas, like, handling vulnerability reports, and, like, yes, that is a thing that needs to be done, and we could do a better job at documenting, like, how do you harden clusters, and how do you do stuff across components, like, what does it look like holistically? Yes, that is a thing that needs to be done. And taking the things that were found from the audit and staying on top of, like, are they getting attention? And, like, I
A: don't disagree that those are things that need to be done. It's hard for me to see why those are, like, sig level, especially if there's no code ownership and basically all of the work is in sort of organizing and collaborating with others. Things like that sound like a working group to me. I also look at sort of the overhead that comes with a sig, like, you need structural overhead, and you need two sig meetings, instead of just, "here's some project and work that needs to be done, let's do the work."
A: It's like you need, I don't know, so just, like, I don't disagree with the areas that need attention, I'm just trying to figure out the most efficient way to organize that. Just to clarify, are you objecting to, like, the follow-ups on it being, or this kind of security horizontals as being part of the charter, or are you objecting to kind of the whole...
A: ...all of these things being tied together into a sig at all? I have a hard time understanding what it means for, I think I made that comment, for, like, advocacy to be in scope. Like, normally, right, sigs are like sig-node, like, "we own the kubelet. If you want to change the kubelet, you gotta talk to sig-node," and, like, say sig-auth, like, "we own the authentication, authorizers," like, for this, it's like...
A: It owns more policies, I think, than code, but it does have, like, distinct artifacts that it owns, and so at least there it's like, well, this markdown document and this CI test enforce these invariants on our API, and sig-architecture owns those, and if you want to change that policy or you want to break those invariants, like, you got to go.
A: And sig-architecture is sort of explicitly not an umbrella but sort of a meeting-point sig, like, if this sig had some ideas and kind of came up with some best practices, and this one had some, like, that's a point where we share those and try to get consistency across things. So I'm not sure I would treat sig-architecture as normative for other sigs. As a counterpoint, I would look at, like, sig-usability as a sig I struggle to understand the purpose of, or, like, what do they...
D: I mean, so we know that we haven't written this, and Aaron may have misstated a little bit. We do envision that we're going to own code. We don't envision that we're going to own cluster code. As an example, we're not going to write our own, you know, we don't envision that we're going to be owning an admission controller or two or such, but we do, like,
D: we know that we'll own code to help manage, triage, and test the vulnerabilities that come in. We know that, like, there's a whole bunch right now, we'll get stung in the PSC, as I understand; to the extent that it's automated, it's someone will have a tool they paid for themselves, yeah. Examples of code that I could see us owning as we get motion, as we get more mature:
D: we end up with, you know, a testing suite. I'm sorry, just kind of throwing out, wondering, you know, as we get more mature and we end up saying, okay, we've done enough audits to know that we should be fuzzing, so we've got a fuzzing framework set up, here's its configuration, here are the tests, here are the inputs that go into that fuzzing framework.
A: I look at the security process stuff, that seems like a chunk of work that, you know, could get going and operate, and yeah, it doesn't need me to do it. Like the horizontal documentation, like, that seems super useful. The efforts to improve security-related default settings is probably the one that I have the hardest time envisioning how that...
A: Yeah, so of the things that are listed in scope, the security process, having a dedicated group to work on that sounds good; horizontal security documentation, having a dedicated group to work on that seems good. The next one, I'm fuzzy on what it would actually look like to have a dedicated group working on that, given most of the work would be in individual sigs.
D: Can I speak to that example? So we have the audit. The audit results that we got back came in basically two forms: one would be vulnerabilities that were clearly a CVE. You run it through the PSC, and, you know, it'll get addressed that way. And then there were other findings that were less "okay, that's a clear to-do item," you know, "what do I do?" So the one there was, "hey, we've got code all over Kubernetes that creates TLS connections."
D: Was that out of the Trail of Bits one? It was actually two firms, oddly, but yeah. It was Trail of Bits. Atredis, Trail of Bits wrote that, I think Trail of Bits wrote that one, and Atredis might have also written it as well. That, like, you've got a ton of places where you're doing, where you are, where you shouldn't, TLS connections, and some of them,
D: like, just people are writing code, but I realize the code's already there, there's not a common library. You know, that needs someone to, I'm trying to put it in words there, that needs someone to say, "okay, there's a thing that needs doing. We got to figure out what needs doing, what's the scope of that, and then who can we talk to?" Like, is that going to hit four sigs, and if so, some...
C: An objective, it would be an anti-goal, but it ends up frequently in cases where code ownership isn't clear, right? And so in areas today where code ownership isn't clear between, say, API machinery and auth, or CLI and API machinery, you can end up in cases where the two sigs are like, "don't do that," "yeah, guys, like, but I really want to do this," and how...
C: If sig A owns a library and sig B uses the library, and so who's right about what that library should do, or there's a different stance on how an objective works out, right? Like, it's very important to you but it's not important to me, or the other way around, very important to me and not important to you, and some of the phrasing here doesn't make it obvious what sig-security's role in that situation would be.
D: Very, very, very few information security professionals have gotten into Kubernetes yet, and more of them are going to be coming, and honestly, part of our thought here was to give them a way in which to contribute, rather than to either walk in and say, "this is too complex," and walk back out, or to walk in and just start, you know, and I don't know what the other one would be, or otherwise they ask. It was kind of, give them an avenue. I
D: don't imagine, like, I haven't imagined that sig-security would somehow own those decisions; it doesn't make any sense, and honestly, anybody who's done the CISO role or any kind of security management role knows you don't get to do anything by fiat. You can try, you know, you can be given the authority to do something by fiat, but people will go around you; like, people find a way to evade. So, yeah, I guess what...
A: There was one that identified that you could, the kubelet and the API server let you turn on any cipher that Go supports, basically. So by default we use the default Go ciphers, which, like, turn off really awful ones, but, like, we surfaced whatever ciphers the Go standard library supports and you can enable any one, and that got flagged in the security audit because a cluster administrator could opt in to using ciphers that were considered insecure. And so there's been a couple...
D: In a lot of ways, I mean, Jordan, I think in a lot of ways a sig would serve to slow that person down, like, somebody comes in and says, "we have to change that. We have to make it so that that non-default value isn't even an option. We can't allow someone to," you know, "we're selling a gun, but you can't allow anyone to point it at their foot."
D: You know, and I think that, and, you know, I could be speaking out of turn and I could be totally wrong, but my thought is that we'd say, "listen, we have enough experience knowing that when you take functionality away from people, that will often cause them to just stay behind on an unsupported version just to maintain the functionality they were using."
D: So, you know, I'd recommend, if you're really excited, I'd recommend that you push for us to put in a message that says, you know, put something in documentation that says you really might not want to do this because of X; put something, potentially, if you really feel strongly about it, in the code that says, "you're doing X, you can do X, you may not want to do X because of blah blah blah," but that way you're not taking anything away from anybody.
A: sig-security is saying, like, "here are best practices, and we've decided this is our goal, and now we're gonna kind of spawn 10 issues and fan out contributions to sigs," and that's where, like, by the time the individual sigs, who own the code, get involved, it's like the task is clear.
A: The vision has been set, like, "this is what we need to do," and this is kind of where it's actually like, do I need to go to another meeting? Like, if the sig-security meetings are where these discussions are happening and we're saying, like, does this make sense, is this a thing that needs to be done or not, I mean, does it need to be done, and how high priority is it?
A: If that's where those discussions are happening, then it's generally better to be involved earlier on to kind of say, "all right, well, that's important, that's not so important." But at the same time, like, if the folks who are really enthusiastic about this but maybe don't have all the context of, like, "we do this for compatibility," or "we do this to give people options, let's set good defaults," or whatever it is, if they don't have that context and they're sort of off in sig-security saying, like, "best practices, like, clearly we shouldn't allow these things,
A: these are terrible ideas, people shouldn't be doing this," and then the first time people who have more context on the individual areas get involved is once they've sort of been given their marching orders and headed out to contribute, like, a PR shows up breaking compatibility in order to serve best practices. Like, yeah, I'm just trying to envision how these interactions are gonna go and is this structure the best way to do it. Can I jump in here? I agree with all of your concerns.
A: I think that sig-security should not be making these decisions. Like, sig-security might say, "okay, this has been identified as a concern, figure out who owns that code and go and have a conversation with them," and so people shouldn't need to come to sig-security to make decisions, I mean. Maybe if you want to come and advocate for, like, you know, if, say, sig-auth says, "okay, we have this new thing and it really needs to be documented as a best practice,"
A: then maybe you could come to sig-security and say, "we want to add this to the benchmark," or whatever. But for, like, the things you were just talking about, Jordan, I think someone from sig-security should go to the respective sig that owns the piece; in this case, I think it would be maybe API machinery or sig-auth, and if they get that answer, like, "this is for compatibility," then we say, "okay, now we have the answer."
C: There are likely to be lots of opinions there. That actually seems like a really good idea for a general working group to me, right? Like, I think about who I want to be involved: I would want someone from API machinery who understands exposure on the server and what options there are to prevent it. I would want someone from sig-node who understands stuff that I don't understand, the
C: with magic APIs, but... and then I'd want, you know, someone from, that makes sense, right? And it's like, let's say I want these people together; do I think all those people are joining your sig, or do I think I would want to create a working group for the purpose, where people from those sigs are requested?
A: The thing with a working group is, the way the governance documents are written today is that they do not own any artifacts and they're temporary. That was part of the original motivation for transferring the audit working group to the sig, is that they want the audit to be, you know, like, a recurring, regular thing, and so it doesn't make sense for a working group to own that indefinitely.
D: The way our working group worked is that it did have, or does have, a weekly meeting, but the hardening guide won't need a weekly meeting, you know, for that effort. For that effort, to the extent that you get on Zoom or on the phone, you got to think it's only, you know, once a month, to shout at each other, emergency.
D: I think, if you don't, just practically for this, and I'm really hoping I'm not shooting myself in the foot, but I think from a practical perspective, if you don't get Liz and Rory involved in that group, if you don't get the existing CIS leads involved in that group, you're going to keep ending up in the situation we have now, where, you know, where...
A: Have today, yeah, so we have sigs today, I think sig-UI got disbanded, but they used to do this. Sig-docs does this occasionally, sig-release does this, where they will have an ambassador that shows up to another sig meeting or send something to the mailing list, like, "FYI, this is something you need to be aware of." The way I would like to see this working is that sig-security owns the hardening guide and they send ambassadors to various sigs. So, like, "hey, sig-node, we've written up the node section of the hardening guide.
A: We'd really like you to take a look at it, and we'd love your feedback on it." It should, in my opinion, not be sig-node's responsibility to show up to sig-security with suggestions or, like, their piece of the hardening guide; it should go the other direction. But also, since we're almost out of time...
A: And there's a little bit of, like, that's kind of more of a PM role, perhaps. Another source for these kinds of things would be a vulnerability that comes into the Product Security Committee, where we say we can't really fix this in private, or it's not a big enough issue to deal with as a vulnerability; we're just trying to punt it to the public forum.
A: I said those three, those first three, well, they're not the first three, but those three areas, like the vulnerability response, managing the audit stuff, and putting together hardening guides, those seem very focused, and I agree there's a big need for those things. I look at the overhead of a sig and I'm not sure it's worth it, but if I'm not the one funding and running the meetings and other people want to, I don't particularly object.
C: I'd say that, personally, given a name of sig-security, anyone on the outside and most people on the inside would be very surprised if a sig-security lacked the authority to make a change. Even after we complete this, it's still going to be very surprising to people if that continues to remain the case. It...
A: ...people to the project, and I think that there's value in having sig-security be an entry point for those people, and it's going to be the responsibility of the sig-security chairs or owners to say, like, "we're super excited that you're interested in this. You should start showing up to sig-node because they're the ones that own this code," and I think there's value in having that kind of routing.