From YouTube: sig-auth bi-weekly meeting 20200722
A: Yeah, so I think I personally would be happy in either of these, or technically the third option, which James suggested, which was in both places. I know I would feel like there needs to be a pretty strong reason if you want to specify the same thing in multiple places and you take the minimum or something; it's a little hard to reason about.
C: So today, if a signer sees a request for a cert and it has its own duration configured, so it says issue certs for a year, and it's written to the existing API, and then in the next release we add a way for a client to say, "I would like a cert valid for..." It sounded like what you were suggesting is, if the signer tries to issue that cert for a year, we would reject that issuance, and that's not backwards compatible. Well...
C: Basically, if we only have the spec and the signer aspects, then you have to bake all policy that knows about particular requesters into the signer. That was my only thinking of letting that be part of the approval process: the approver seems more likely to be doing things specific to the requester, since it's presumably making sure the requester should be allowed to have this cert. So I...

C: After another duration, and not after, whatever, yeah, like.

C: I mean, the flags that we pass to the signer today are duration flags, because that's how it makes sense to express how long you want to issue certs for, like how long they should be valid. I think something similar from the client's perspective makes sense. That also, from a client's perspective, lets them formulate the CSR they're going to request and not have to tweak it to, like, bump the time every time they submit that request.
G: Yeah, there we go. I might think about a shadow now. Hi, I'm Jay Beale. I'm one of the leads of the security audit working group, and I'm here to talk to you all about our request to turn into a SIG Security. So what you're... this is perfect. I can share my screen or, if you want to keep the charter up, that'd be perfect. Which would you like? What do you want me to share?

G: Isn't that great for the recording, you know, to where he's talking. Thanks, Ed. So I'm here to basically talk about... I think you are probably familiar with the third-party security audit working group. We ran the first security audit of Kubernetes, and that included building up a threat model. So a number of people on this call donated their time and helped with that threat model, and we really appreciate it.

G: We found a lot out of doing the security audits, and we realized that there was more. There was certainly more for us to do, more to be done outside of just carrying in bugs and saying, hey, these are vulnerabilities that can go into the, you know, the PSC, you'll start managing, announcing and fixing.

G: So we've had wider conversations and had a good number of people join in, and a lot of that energy started when we gave a talk at KubeCon, and we just had a lot of security folks who were saying, like, how do I get involved? You know, how do I get involved if I'm not looking to write code right now? So, as we talked, we have a pretty wide group and there's a...
G: A letter attached, and it kind of just talks about some of the different... Some of them are people outside of the folks that have been on the security audit working group to start, who've, you know, signed the letter and are part of this effort. So I'm just gonna kind of tell you a little bit. I know you can all read, but I'm gonna tell you a little bit about...

G: What's in this charter, and then let us discuss. So we've talked... we actually have four members of the Product Security Committee who have helped build this charter, and so we've had a lot of talks about what we can take on to do, either for or with the PSC. And so part of the early conversations was the public bugs, the ones that aren't embargoed. We can help with that. We can help set how the private fix and release process is set up.

G: What's the criteria and the process for supporting any sub-projects? The examples we decided there were dashboard and the ingress, the nginx ingress, and the kops installer. The next part of this is actually the biggest, and the thing I'd like to really share is the idea of our proposal for SIG Security, which is very focused on cross-cutting, not focused on code ownership. So, security community management, outreach: the idea is, we've talked to, you know, some of the folks who we talked to...

G: Sorry, I'm just apparently nervous. So one of the things we want to do is help handle the questions that come in from any experienced users, whether that's directly in the SIGs or serving as a kind of, you know, cache for the... okay, before you go in and ask those questions of the SIGs that have to answer them.
G: The security audit is... that kind of activity brings a lot of interest from traditional InfoSec people, and so our hope is that we can basically give them a place to talk, a place to ask questions, to get routed to SIGs, or to help with the things that aren't specifically writing code or writing docs. So I think that's honestly one of the biggest parts of this: that outreach work and community management.

G: Let's see the next couple. So, horizontal security documentation. This is something that I'm really proud of, that I'm really excited about, and there are two things in here that are really important. One is the threat model; it's basically keeping that threat modeling process going. And the other is basically security...

G: You see, I asked; they're really excited about doing that through GitHub and doing that in the Kubernetes project, and thus giving the Kubernetes project a lot more ability to influence the CIS guide, because if there is an official Kubernetes guide, then the CIS guide will definitely be... wow, to reuse a word, influenced. So we'd... Also, there were a couple of folks who were working on the security docs sub-project under SIG Docs.

G: It was starting to sputter out a little bit, and they were really excited actually about making this a sub-project of SIG Security, because in their mind it's a heck of a lot easier to find security people who can write than to find documentation people who have security as a subject matter expertise. And so that's the other big part of that horizontal security documentation. And then the last part's the security audit that we've been doing already, and basically we're...
G: You know, kind of the influence that community at large. They're still learning and they're still trying to figure out how they can help; they're also trying to figure out how they can wrap their brain around it, and I think the Kubernetes project is going to see a ton of them coming, as, you know, a lot of the good talks happen at the mainstream security conferences. So that's...

G: Do, hopefully, a little bit better than just posting on your mailing list, "Come help." You know, come on, talk to the group. So you've got a couple of people here besides me who worked on this charter. One's Micah, and Tim's been here as well. I think the other thing I want to highlight is people have asked, well, wait, if there's another SIG, is that another meeting that the people at SIG Auth have to go to? And I...

G: We wanted to be really clear that, no, you don't have to come to our meetings; we're not getting another meeting. Our job will be to come to you. Our job will be to come to you if somebody starts a conversation about making a different default in code, and that's... it's time for us to go and talk to SIG Auth about, you know, the arguments pro and against.

G: I think I didn't cover the scope section; I think it's actually really important. So, first and foremost, we don't expect to own any of the Kubernetes project... sorry, any of the code that goes into a running cluster. If we have code, it may be for helping manage the vulnerability announcements management process; it might be, but it's not going to be code that goes in a cluster.

G: Sorry, it's not gonna be code that's required in order to run a cluster. Another example would be that if we were to, say, create a scoring, a benchmarking tool that checked against the Kubernetes hardening guide: you know, these are the things you've got, these are the things that you don't have. That would be code we might own. I think that Tim, Micah can talk to you about some of the other examples.
G: Okay, really happy to stop monologuing.

A: So I see that, like, out of scope is cloud-provider-specific or distribution-specific hardening guides. I guess, like, as an individual, you know, if I was running Kubernetes and I wanted to make sure my Kubernetes was hardened, like, I could certainly follow a guide and try to look very carefully, make sure... you know, let's pretend I don't want to buy something, I just want to run it, right.

A: How would I know that I was successful in my hardening? Like, part of the reason people lean on this bit right here is it's someone else's problem; I paid them to assure you that the hardening has been done. So, like, I understand that you guys don't want to own code. Would you... is, like, I don't know, test harness code, does that count as code? Could you have, like, a "run this little suite against your cluster and it will echo back," if you want? I think.
G: That's likely the kind of code we would want, more that we would want to own. I think that in getting the benchmarks that have happened outside with CIS or with other groups to, you know, actually have something in the Kubernetes project, I think that it's very naturally gonna be that there's open source code to check against a doc, and, you know, I think an easy way to say it...

G: Tool for checking, you know, one of the open source tools for checking against that benchmark. Not to sign her up for more work, but I think that the folks that are writing a hardening guide are maybe especially interested in there being a tool. I know that I'll be very interested. I wrote CIS's original Linux and UNIX auditing tools that audited each of the Unixes. This was a long time ago.

G: There's a certain extent to which I can speak for a group and a certain extent to which, you know, you have to realize you get into my personal opinion. So I want to now say that we're headed a bit into my personal opinion, and I may be pretty outspoken at times, but I don't want to make any promises for anyone in that way. So I would say... So you've got... If you had cloud provider... can wait.
C: It was hard for me to tell sort of how deep that was intended to be. Like, is that down to sort of the operating system level, like, if you're running this operating system, you really need to set this control and turn off this thing and turn on this networking thing and turn off that firewall thing? Like, are you envisioning something all the way down to the OS level? I don't know, yeah.
G: I mean, I want to say I don't imagine that. However, if I think about... I'm just trying to come up with a good example, but, you know, if you get into admission control and there are settings you're suggesting, you'll start to get into... you may end up outside of Kubernetes. An example... you know, I'm trying to think of a decent example, kind of like the...

G: I have that this is my opinion; Tim or Micah, please correct. Yeah, no, like, you've just named a couple really clear ones that I think make it into any hardening guide, right. So it's hard to talk about... I mean, in my mind it's hard to talk about hardening Kubernetes without ending up in kind of a full gamut of, you know, the pod security policy, of admission control in general, and so, yeah.

G: If there's an OS setting or a container runtime setting that has to be set in order to permit admission control, and some, you know, somewhat granular admission control recommendations, then yeah, I think we have to comment on it. I think we'd have to write a how-to on it.
C: There are sort of three different types of settings that could kind of come into play there. One is what David just mentioned: it's like there's a feature that Kubernetes can take advantage of if it's enabled in the kernel. So we might say, like, you know, you can choose between SELinux or AppArmor.

C: You know, if you have user namespaces enabled... and we don't do anything with it, unfortunately, but maybe something. So this kind of, like, features we can take advantage of. Then there's features that kind of have more interaction or implications with Kubernetes. I can't remember exactly what it was, but there was a recent vulnerability around IPv6.
C: Also, as a more meta comment, this is a proposal around starting up a kind of new sub-community to talk about these sorts of questions and to figure these things out, and so I imagine, like, that'll be part of SIG Security's sub-project... sorry, the security docs sub-project, is defining what's in scope for the docs. So we're sort of laying out kind of the broad scope here, but then I would expect a lot more discussion to happen.

C: Yeah, I think the thing I'm trying to figure out is, if this is a SIG that is primarily oriented around, like, discussion and best practices and communication and, like, documenting hardening guides and coming up with maybe tests to verify you follow the hardening guide, but it doesn't actually own the code that a lot of those things depend on, I'm just trying to imagine how those discussions... like, if a discussion happens and consensus emerges, but then, like, at what point are the various teams, SIG Node or SIG Auth or API Machinery...?

C: No, not to discourage the goal. Okay, I think the things that are called out here are things that have either been neglected or haven't been coordinated well. I'm just trying to think practically, like, what would this look like? Would it look like: here's a list of topics we want to tackle, and we'll set up a particular meeting where we're gonna talk through this and make sure the right people are there as part of that?

C: But what I want to avoid is, like, SIG Security becoming... like, someone assumes, oh, but we talked about it in SIG Security and no one voiced opposition, so everybody must agree, like, this is the way, and then, like, all the various people who are actually responsible for making it happen are like, wait, what? I didn't even know this meeting was happening.
G: I would say so. Tim, I hope you'll help me out here if I flounder in this question, but in my mind, until the relevant SIGs that own the code are involved in the conversation, the conversation isn't finished, right. It's kind of the... some part of this is, listen, every bit of, like, we've looked at two hardening guides, who've written the Kubernetes official... you know, we think we should bring to the official Kubernetes hardening guide that you should do X. Well, gosh.

G: You know that one of the very next questions that anybody'd have is, well, why isn't this the default? And, you know, of course, part of what we're gonna do is say, dude, changing defaults is a lot harder than you think. But another part is, it's time for us to come to each of the relevant SIGs and say, this is what's getting talked about, this is what's happening, the hardening guides.

G: You know, what's the first... what do you see is, you know, what's going to break? And we try to do that when people try to set that setting. You know, we've seen... we can think of this, but you're right, as you say, you're writing the... you're writing code and planning the code, and then, second, hey.

G: Man, I think we can save you a lot of effort. I think we can save you a lot of, you know... like, imagine that conversation's finished, but what's come out of that conversation is: you can't do that, it will break X. Once that's been done, we could handle that question; like, we can handle that debate six months later, when somebody, new people, look at it and say, but why aren't you doing X? It's, you know, SIG Auth told us this, because I know that's...
C: Two things I'd like to add to that. One, Jay mentioned this earlier, but we really see it as part of the responsibility of SIG Security to reach out to the other SIGs, and so to show up at SIG Node and say, like, hey, we're working on this hardening guide; here's some of the things that we've thought of. Like, is there stuff we're missing? Are there issues with this? And get input from the other SIG communities. And then the other piece of it is just kind of from a pragmatic standpoint.

C: These discussions are already happening, and they're happening outside of the Kubernetes community today. They're happening well outside of the, you know, SIG community, Kubernetes' broader community; but, like, this is already happening through the CIS project and in kind of, like, hallway tracks and other discussions. There isn't a clear gathering point for these within the Kubernetes community, and so the idea is to kind of bring that into the sort of official Kubernetes community structure, and then also encourage that outreach to the other SIGs through that process.

C: One thought I just had that, Micah, doesn't need to go in the charter or anything, but just a way of thinking about it: if there's a change that someone wants to propose, like, actually going through the KEP process, at least in the, like, "this is what I want to do and why" part. Like, there's a lot of stuff in that template; like, don't worry about the rest of the template, but this is what I want to do and why, and identifying the SIG or SIGs that would be involved in that.

C: That would probably be a good thing to get used to doing, especially for something like SIG Security, which is almost exclusively in that sort of communication and coordination role, and what that lets us do is avoid sort of lengthy discussions and debates and consensus building before the actual stakeholders are really involved. So it identifies, like, what do you want? Why do you want to do it? Who are the things that need to be involved? And it, like...

C: Writing is a really good exercise to make sure you figure out what you really mean, and it also gives us sort of a place of record where, if what you want to do and why isn't gonna work, we can document that and then decline the KEP, like, "that's not something we really do." It's technically part of the KEP process, but I think that would be really useful, to sort of get a written history of here are things people wanted to do and why, and why it was declined.
G: I think it's really great. It also means that, you know, that caching function to it... it also means that when the third KEP comes in on very much the same thing... I swear, as you get more InfoSec people coming to the project, you're gonna get a bunch of repeats, and you can say, you know, let's reference this one. Yeah.
C: So my feedback on this is that I think these areas are underserved today; I'm happy to see someone paying attention to them. I know how much overhead there is in sort of a SIG structure, and so one of the questions that I asked the folks proposing this was: are you concerned about that overhead? As long as the people who would be bearing the brunt of that overhead feel like it's worth...

C: ...it, I don't particularly object, but I just wanted to call that out as a consideration. And then the other thing that I think there will be some confusion over is just the name. I think people will associate SIG Security with, like, this SIG has the final say on everything security related, like they can, you know, dictate whatever. And I see that it's baked into the charter, like, it's clear, but people won't read the charter; they'll hear, oh, SIG Security said this isn't okay, therefore... So it...
G: So I will promise you both that I will write something... that I will submit a pull request on our README, should we be accepted, that specifically says that we're not the decision-making body and talks about the SIGs in the governance structure, because we may often be, for security, the first place people go when they have something to say, and that means we're going to be...

G: That means that we're gonna have an education mission, and part of it, like, we're gonna have an education mission to tell them, well, hey, this is what the KEP is, this is what the KEP process is, here's how you can create a KEP, here's how you can look at the ones that already exist, so you're not necessarily suggesting something that's already been done without reading everything that's gone into why, or why that's not happening. And trying to remember what the... that was.

G: Kind of a two-part... there were kind of two parts to the overhead of managing a SIG. So I can speak for the people who are involved in this, especially for the leads on the security audit working group. Our working group has been a heck of a lot of work, and we're really... and we are, so... we feel like we have a pretty good picture of that overhead and are willing to do it.

G: The nice, the cool thing's been... but there's been enough energy that has come out of the community so far that we're not short on people who want to help and who are willing to help shoulder that overhead. There's one thing I didn't speak about here. It's not really all that written into our charter, but it's implied, and that was in... can we scroll up just slightly?

G: That's in that security community management and that security outreach, and what's called outreach. That's part of what we're gonna... part of what we'll be seeing is some of the incoming conversations with people who aren't looking to immediately contribute to the project, but at least want to get a conversation started about...

G: You know, whether it's been the most recent vulnerability in Kubernetes or some other security matter. And, you know, at one point we had in our charter, like, okay, we'll take... We just cleared it out of the bullets to make it shorter, but, you know, we'll take incoming questions from press and public about Kubernetes security, and, you know, obviously a lot of those go to the PSC.

G: But, you know, one of the people who's on the charter... he was on SIG Auth... who's signed the letter and worked on the charter here is Ian, who's just really clear with us and said: listen, if you think you can walk away from having to be an incoming channel for press or public questions...

G: Yeah, you're probably... you know, we're probably wrong. And part of what they said was, you know, right now on security, the reporters basically call the people on the PSC who were part of announcing a vulnerability, or they call the three or four people they know. And so Ian is part of our group, and Ian's handling, I would say, Ian's kind of, like, a ton of the incoming public and press inquiries. So maybe this will help spread that effort around.
B: Well, I'll say I was glad to see that the charter was very clear that ownership for the code stayed with the SIGs, that they'd be contacted about the security documentation, that you would find them. That's all good. Had one minor comment about the out-of-scope section: I would really like to see, for each of the things that are out of scope, who actually owns them. Sure, you did it for some of them, but not for all, and if we don't have owners for things that are out of scope, I would worry about scope creep.
G: That... I think one thing I'm noting is there's not... perhaps when we copied this from Google Drive to GitHub, to markdown, we didn't end up indenting some of these bullets that are indented editing in Google Drive. So, like, the embargoed vulnerability management, bug bounties, submission triage, non-public vulnerability collection, disclosure: those are all meant to be indented under the bullet of "private vulnerability response" that ends with a colon.

G: So it's meant to be a list, and I think that's our... I'm just gonna call that our typo, in not indenting it. And then I think the only other things that don't have something listed, we'd better fix that. So, any projects outside of the Kubernetes project: maybe we're referring that to CNCF SIG Security. Or cloud-provider-specific or distributor-specific hardening guides: we talked about how that's soft, but that would probably be CIS or, you know, see your distributor or cloud provider. And then recommendations, endorsements being out of scope.
A: Since we only have a few minutes left, is there, from any of the SIG leads or really anyone on the call, are there any concerns about just moving forward? I think we've talked about it in the past some. I think I generally agree with Jordan that this is a good idea and someone should hopefully own this. I am wary about the name.
C: Both documenting it and acting on it, so making sure that, not only as a document of the... like, if decisions need to be made, it needs to go through this process, like, you need to propose a specific thing and get the right groups involved, but then actually sticking to that and saying, like, if someone wants to make a proposal, that's great; like, we can help you find the right people to get involved and start working through that. So, yeah, and it sounds like the people leading this are committed to doing that.

C: I know, I mean, I don't think that belongs in the charter. The charter is clear about, like, this is what this group does, and this is what it doesn't do. I think going through the proposal, motivation and relevancy bits of the KEP template would be a great way to, like, execute that: redirecting a specific proposal to the right groups. But that doesn't belong in the charter; that's an implementation detail.
G: I think we can create some documentation that even takes an example. I'm not promising to do that right now, but I think that we can absolutely create some documentation that creates an example, because that's gonna save us a lot of effort and also, I hope, continue to develop the trust that it sounds like you're expressing for our work during... Oh.