From YouTube: Kubernetes SIG Security Community Gathering 20201005
A
So it looks like we've got a lot of people filtering in. We'll give it one more minute and then we'll say hi.
All right, hey, so thank you all for coming to Kubernetes SIG Security community gathering. I think the first thing that we all do is go around the room and give everybody a chance to say hello, introduce yourself real briefly and talk about, you know, what is your involvement with Kubernetes? What would you like to see from this SIG?
So I will get started with that. Hey, I'm Tabitha Sable. Use she and they to address me. My involvement with Kubernetes security is that I have had a good time with giving some presentations, doing some community outreach, talking about things at, you know, conferences, on Twitter, things like that. And what I really want to see from this SIG is to provide a home inside Kubernetes for the community, which already exists, to achieve its goals.
D
Thank you. And my son, who was using this for school, has his name on it, so I will put money on it. And hi, my name is Ian Coldwater and I am the new co-chair of Kubernetes security with Tabitha, who just spoke. My pronouns are they/them.
E
Hey everyone, Brad Eastman. Similar to Tabitha, I think, in terms of community involvement and talks and all that good stuff. It's great seeing a lot of faces. Hope to get to meet you in person someday very soon, but only when it's safe.
I just want to be a part of this sort of now and early, but realistically, in a couple months, I'll probably, hopefully, have a little bit more time to dedicate, so just want to get my feet in and, you know, be a part of it as early as I can, but time involvement starting around the new year, probably. So, just meeting all of you.
F
Hello, everyone. Yeah, hi. So yeah, my name is Peter Benjamin, my pronouns are he or they, and I'm a former, I'm a co-lead of the former SIG Doc Security that has now joined this SIG Security group. So I'm really looking forward to kind of improve the community in this area.
G
Sorry, I was on mute. I actually work with Benjamin. Hello, Benjamin, and the Peter Benjamin. Anyway, this caught my eye just in the last day, and so I'm not sure exactly what I'll, you know, be able to contribute. I have a lot of background in security, cryptography, network security, and so I'm hoping to be a contributing member of this community here.
I
Evening, all. So, I'm Rory McCune, I'm a security consultant, pen tester. I've done a lot of work in containers over the last couple of years. I guess for this, my primary focus is, there's a kind of suggested subproject around a hardening guide, and that's been kind of like where I was expecting to kind of like fully put most of my effort anyway.
B
Hi, my name is Tahir. I guess my pronouns are he/him or, you know, whatever, I'm not picky.
I am coming to this from the perspective that I'm on the GKE security team. So I'd like to get involved with upstream security as well, and I believe I would be becoming an associate member of the PSC very soon. So that's kind of going to be my big contribution to security.
J
Hi, Patrick Romberg, he/him. I'm also on the GKE security team, but I'm coming at it from a background of analysis and tooling, and in fact, hopefully getting in today before the freeze is KEP 1933, which is in response to last summer's audit stuff.
K
Yeah, my name is Matt, he/him, and I'm coming to this, I guess what I'm hoping to get out of it is to help build the community. You know, help provide, you know, general, like, you know, support and organization, as it makes sense. I have a lot of security expertise. Relatively new to the Kubernetes ecosystem, but I've been around security for a long time, so hoping to provide expertise as I can.
L
Hi there, I'm Tim Bannister. My pronouns are part of speech. That's all important right now. I'm an infrastructure consultant in the United Kingdom and I also contribute to SIG Docs, and if you're looking at an issue against the website repo saying we should document how to do this securely, there's like a reasonable chance I filed it.
M
Hey everybody, I'm Duffie Cooley, he/him. I do a lot of public speaking and actually also help a lot of people out kind of in time, within the Kubernetes Slack and within the community in general, helping people understand the security service of Kubernetes and containers and all those things. I'll probably continue to do that stuff. So I'm very interested in helping sort of an advocacy role, making sure that people understand what we're doing here and that kind of help people consume it, however that works out.
N
Hey everyone, Mike Foster, he/him. I've been in Kubernetes for a little over four years now, recently just kind of making more of a jump into security, basically just whole life cycle security, so looking to be more involved in the community, learn from you guys, work with documentation, work with community involvement, different CNCF objectives and certifications as well.
A
Thank you very much. Joyce.
P
Hi, my name is Joyce. My pronouns are her. I started getting involved with the Kubernetes community a couple weeks ago. I started getting interested in security a few months ago, so I'm just here to get involved and learn stuff.
Q
Hey, my name is Abaya and my pronouns are he and her, I mean he and him. So I just joined the Amazon EKS team a couple of months ago and I'm just a starting engineer, like at the bottom of the ladder. So security has always been one of my passions, so I did the CEH, Certified Ethical Hacker, certification, as well as a couple of internships in the security field.
So I want to, you know, apply that security to the Kubernetes ecosystem and kind of get involved and learn a lot of stuff from the experts. So that's why I'm here, yeah.
R
Hello, I'm Ann Bertuccio. I use she and her, and I'm a manager of the security program within Google's open source office. So I kind of come in and out upstream, bounce around, do various things with the upstream security community. I would really like to see the work and ideas that have happened in this group, and that will happen in this group, reach places outside of security. So I think the Kubernetes community is enormous. There's brilliant people here and I want to make sure that work reaches far and wide.
C
Hi, I'm Aaron. Last year I helped lead the third-party audit that kind of started the conversation around should SIG Security exist. So I guess my initial hopes for this are around merging the greater security community that I owe a lot to with the Kubernetes community, which is newer to me. I've only been around for a couple of years.
S
Hi, I am a PM on the GKE security analyst team. I'm hoping just to elevate the awareness of GKE's, of Kubernetes security, I should say, and see how SIG Security evolves.
U
Hi, Tim Allclair, he/him. I've been involved in Kubernetes security for about five years and I'm also a co-chair on SIG Auth, so I hope to kind of bridge some of the gap between SIG Auth and security, and I also participate in the Product Security Committee. So I'm really excited about getting more involvement with that process. I think I'll talk about that a little more later. And yeah, pretty excited what this community can offer.
V
Hey, my name is, so I have been involved with security during, it's been over five, six years, and then I took a detour in my career. Now I do Kubernetes. I've been involved in the community for over a couple, I should say around a couple of years, and my primary focus is to contribute to docs, community environment, and learn and see how I can contribute back to SIG Security.
W
Hello, I'm Theo Comas, he/him. I've been involved with Kubernetes security for about three, four years in my job of, I'm leaving the security team in a software company using Kubernetes in a fintech product, and I would like to get involved more with the SIG in terms of outreach, advocacy and whatever I can help to provide an additional perspective to the problems that the SIG is trying to solve.
Y
Hi, hello, everyone. My name is, you can just miss him, and I have Kubernetes release manager associates in SIG Release, and currently I have under my charge a tiny project to disclose, to include CVE information, and there it is. That's fine.
A
Let's see, we've got "see chat for intro" for Blake. We'll circle back to that. We know.
Z
Hi, this is Winong. I'm from AKS, and I am involved in many security features indicate, so just trying to see what we can contribute to the.
AA
Hey, I'm Micah. I'm an engineer working in kas. I'm also on the Product Security Committee.
Glad to see everybody here for this. I'm very much looking to get involved in the release side of things, or the security release side of things, and coordination with the PSC and then the release procedures.
AB
Utkarsh, yes, hello. I am Utkarsh, a 20 year undergraduate student, and I'm a Debian core developer and I help maintain, I mean, I help triage issues and fix CVEs for Kubernetes downstream, that is, in Debian. And I'm here to hang around, know more about upstream therapy, and maybe help bridge the upstream and downstream maintenance.
AC
Hi, I'm CJ Cullen, he/him, working at Google on GKE, member of the Product Security Committee. Similar to what Tim kind of already mentioned, I'm excited to elevate some of the, you know, non-sensitive stuff that we deal with and some of the decisions about how our process works, handling that in a more community-driven way.
AD
Hi, I'm Craig. My pronouns are he/him, and I'm also on the PSC, informally on the security audit working group. Share some of the same goals as some of the other PSC and security audit members that have already shared.
AE
Hi, I'm Joel Smith. I work for Red Hat, Kubernetes developer, and also work on, sorry, the Product Security Committee, and I also worked with Craig on the security audit working group, on the first audit. So yeah, that's about it for me.
A
All right, thank you all very much for sharing what has brought you here and what we can have some ideas for moving forward with. And can you talk a bit about sort of the history of how we got here and say hello to everybody for us?
D
Sure. Hello, everybody, welcome to the SIG Security community kickoff meeting. SIG Security is a brand new SIG, and because it is a brand new SIG, we are wanting to get lots of input from the community about what they want it to be and how people want to be involved. So thank all of you for coming and for getting to share and do cool stuff with us.
SIG Security started out as the security audit working group, and then I think, as people got done with the third-party security audit, they realized that there were other things that might be useful to be done with Kubernetes security and wrote a charter up for it and got it approved as an official SIG.
At this point, the founding chairs of SIG Security have decided that they want to open it up to be more of a community effort and have given the chairship to us, and so Tabby and I are the chairs, basically as community builders, to help build community around this and to make it into the more open community effort that I think we want it to be. So yep, that's how we got here.
SIG Security is responsible for, what the current status of those things are, and because the charter is a document that is open to being revised as people decide what they want this thing to be, then we want to talk about the areas of interest that people have expressed and discuss how people want to be involved and what we want that to look like. So from here, I'm going to hand it back to Tabby to talk about the current status of things. All right.
A
So we have the charter, which talks about scope and areas of responsibility around vulnerability management process, like collaborating with the PSC, collaborating with, you know, with the community around there; with dealing with documentation horizontally, cross-cutting documentation for security-related documentation that deals with, you know, areas across SIGs; dealing with the ongoing responsibilities for the security audit. It'll be good to have a regular security audit.
You know, regular third-party security audit of Kubernetes, and so having a home for that in a SIG is part of what's in these areas of responsibilities; and doing more community outreach and making sure that within the upstream Kubernetes community, that there is, like, within the project, that there's a place for the wonderful existing Kubernetes security community to have a home that's officially within the project. A lot of the community spaces right now are outside of Kubernetes as a project, and so, you know, part of this.
This area of responsibility is to provide a home for that. So that's what's in the charter as far as where our responsibilities are now, but, you know, let's talk more about the areas that we have established interest around. Ian, do you want to take that?
D
The areas of interest, as far as I can tell, and people can feel free to jump in after this if I have missed anything, that people have expressed interest in SIG Security doing or doing themselves are improvements to tooling; improvements to docs, which may be the purview of formerly known as SIG Security Docs, which I believe has a home in us now; in advocacy and community building, which can look like outreach to the external security community. Tabby, you might want to mute that really loud mechanical keyboard.
Please and thank you. I love you, though. The external community that around security, internally within Kubernetes to different SIGs, as well as the PSC, flow bridges between those, and as Ann said, reaching far and wide, I'm talking about Kubernetes security hardening to everybody. Next up was actually the hardening guide, which I think Rory expressed interest in, and I think there was general expressed interest.
Also, building bridges between upstream and downstream security, hardening and maintenance. People also expressed interest in learning and in sort of general hackery things, whatever that might look like, and that I'm up for interesting ideas for, and yep, and that, and exists, and in being involved in existing subprojects such as the security audit. Is there anything that I'm missing? People can feel free to holler. I will stop talking for a minute, and if we know that those are the case, how do people?
L
Ian, there is a thing that I think we might mention, the upcoming security qualification. That's sort of a side interest of mine. Is anyone else interested in that?
E
Yes, I can get anybody who wants to, to talk to the right folks. I can get you in touch with them, if that's something you want, or if you want to talk about, like, outreach to the community to get ready for, to prepare for it. I know it's not officially announced and I'm going to defer to those official folks when they do that. But if you want, I can put you in touch with folks.
M
There is actually a prep channel already in Kube Slack for that.
D
Okay, so I think there was going to be a part in here where people talked about the existing things that were happening and about their part in it, which I think got skipped over, where I think people were going to talk from and about the PSC and from and about the security audit. So I'm actually going to go back in the agenda to that, because that was going to happen, if people want to do that.
A
Yeah, Tim, would you like to talk about the PSC outreach aspect of things?
U
So primarily that means these days that we triage vulnerability reports coming in through the HackerOne bug bounty. I'll add links to all these things afterwards, but yeah. So the PSC members.
We have like a one-week kind of on-call rotation where we're responsible for sort of doing an initial assessment of the vulnerabilities, and if they look legitimate, we then typically pull in some subject matter experts from the community, and depending on the severity we'll take different paths to respond to them and kind of ultimately make sure that that gets patched in a way that is the safest for the community.
So the Product Security Committee by necessity needs to be a sort of small closed group when we're triaging vulnerabilities before they go public, but we'd really want to get more community involvement around all of the pieces of the vulnerability management process that don't need to be private.
So that includes kind of things like defining the scope of the bug bounty, defining timelines for vulnerability response. So, for instance, how much time we give the distributors list that gets sort of a pre-notification of embargoed issues, how far in advance we give those notifications, how we might handle critical versus low severity issues differently.
All these sorts of questions that have sort of been decided by the PSC by default in the past, and we'd really like to get more involvement from people who are actually affected by the decisions we make around these. Yeah. Are there any questions about that? Do the other PSC members have anything to add?
AE
All right, I have one thing to add. Another interest that PSC has is finding a community of people who are willing to help us handle some of the lower severity ones. Did you mention that? Maybe you did. Anyway, that's something that's interesting to the PSC, too, is just to provide a larger community of people who can help with ones that don't need to be handled necessarily in private.
A
All right, thank you very much. If anybody has anything else to say about Product Security Committee outreach, otherwise I will ask Aaron. Do you wanna talk at all about the third-party security audit?
C
Sure, I'd love to. So a year ago, a little more than a year ago, actually, at this point, we ran a third-party security audit of the Kubernetes code base.
We went through the process of writing an RFP, selecting a vendor, getting funding and then helping guide those auditors through the complexities of the Kubernetes project itself and introducing them to all of the right people to get the data they needed to build out the threat model, to do the rapid risk assessments and then to actually audit the code. That resulted in a handful of interesting code bugs, but also some larger, systemic, more complex issues that we couldn't just patch, like call a CVE and patch, and we tried, with some success and some not success, to get those ideas out into the community and ask for help addressing those systemic issues.
We are ready to do it again. We've written the RFP for the next iteration. We're looking to be a little more open. We sort of knew what we were doing last time, but by and large didn't know what it would be like to run an audit against Kubernetes. We're a little more confident this time.
So we want to open it up to the RFP publicly and just invite any vendor to write a proposal to be the next auditor for Kubernetes, and once we kick that off very soon, then it will go through the same process again, the guiding them through all the different aspects of the code base and introducing them to the right people. I'm looking for, I think we can use more help this time. That's one of the reasons that kind of called the question.
Should there be a larger security? There's a, it was a very insular group last time we did this, and we were still trying to strike the balance between closed, secret, kind of like the PSC, because we did end up handling a lot of pre-disclosure vulnerabilities, and getting more community involvement.
A
All right, thank you very much, and do you want to kind of go through some of these identified areas of interest and open it up to everybody to talk about, you know, what they think they could do around that area?
D
Yes. What I am doing right this second, I'm putting this in the notes and everybody can look at it, is making a spreadsheet that basically is like, please, I know everybody wrote their name on this document, but if you want to add yourself and your contact info and like what you want to be involved to this spreadsheet. Doesn't have to be right.
It is, and let me know if that doesn't work. So while we're all talking, feel free to add yourself to that, because that might help automate this a little bit. If we were in a physical room, I would probably do breakout rooms at this point to be like, okay, you know, of these areas of interest, what do people want to be involved in? But because I think there's some overlap, and because I think we have 23 minutes, I'm not entirely sure how to virtually do that.
So, generally speaking, again, areas of interest are improvements to documentation and tooling, community building and advocacy, both externally and internally, bridge building with other SIGs and the PSC, bridge building between upstream and downstream, and security audit, and general learning and goodness. So I think, Peter, are you online?
Do you want to speak to what was SIG Doc Security for a minute and talk about how people can get involved with documentation stuff? And while I take that minute to figure out how to organize this into something like breakouts.
F
We identified there's a need in the community that security docs obviously have room for improvement, and so that SIG was born out of that discovery and out of that need about a year ago, I'd say, and I was the co-lead of that SIG with my friend Seth McCombs and.
For, obviously, for various reasons, between the pandemic and a few other things, life changes, we were not able to make as much progress as we would have liked, and so I'm really excited about this SIG, as there is a renewed of focus and interest on this area as well, and in terms of the process.
I don't know if I've thought, like, I don't know if there is a clear process as of yet, so I'm looking for, you know, collaborators, contributors to help us figure out what that looks like, define a process.
A
Thank you for sharing a little bit around that, Peter. Can you tell us, like, what is the current formal status of SIG Security Docs? Is that a SIG? Has that been rolled up into something else?
F
Yeah, so in the early forming stages of this SIG Security, Seth and myself were approached by, you know, the former chairs, who have handed off chairship to you, Tabitha and Ian, and they gauged our interest, if we wanted to join SIG Security as part of, kind of like a sub, you know, subproject.
Project, exactly, and so yeah, Seth and I at the time agreed that that would be the best home for this effort moving forward.
C
I don't want to interrupt if we can stay on this topic, but I'd like to add to the agenda. I have just kind of logistical questions about how subprojects work, and I don't fully understand it. So if we could maybe add that to the agenda, that would be useful to me.
Well, if we're gonna break out into breakouts, which is where I kind of see this going, and we're going to be discussing these individual focus areas that we've talked about, I foresee some of the questions being like the operating mechanisms for these groups, like how are we going to go about achieving our goals?
What is that going to look like mechanically? And I feel like a lot of the questions in a lot of those breakouts will be kind of the same, and maybe we could address them before we break out. I'm open to being wrong here, but that's something I kind of predict.
D
Tabby, do you want to speak to that for a minute? Also, do you technically know how to make breakout rooms, because I'm not actually sure that I do.
A
Yeah, technically subgroups have a lot of flexibility to define their own working conditions. So, you know, some subgroups will have their own separate meetings that have their own separate schedule and, you know, take care of their things that way and then just come and report progress back at generalized SIG meetings.
You know, others may be able to work completely independently and asynchronously, you know, by doing Git commits or whatever. So subgroups can really do whichever one of those two things is most effective for them. So for, like, the security audit, you know, it seems that having a subgroup that meets regularly and basically acts like a tiny SIG would be the way to go, but for other subgroups, like the, you know, inclusion of the former SIG Security Docs as a subgroup.
You know, it consists mostly of a place to put the list of people who can approve PRs to different parts of different Git repos, and, you know, the actual operation of that subgroup can take place totally without meetings. So I think that somewhere on that gamut, whatever works best for the people in a different subgroup is going to be just fine.
So we can go from the interest that is being expressed here that people are putting into the spreadsheet, and I would expect to distill a list of potential subgroups out of there based on talking to the people that have those interests and, you know, which ones have somebody who wants to sign up to be a tech lead and make that subgroup happen. And then, you know, for those people, happy to provide, you know, resources to make that happen. Ian, more to say on that?
D
Yeah, okay, so just a couple of procedural things, more than more to say on that in particular, but to go off of the thing you just said: A, it seems like, and hey, we're new to this, like, that we had to set breakout rooms as a setting in advance that we did not do, because we did not know that.
That was a thing that we had to do. So, since we are all new and learning together, just gonna own that. So it seems like breakouts are not going to be a thing we're going to do. However, things that I would like to know include, because I would like for people to be able to, and next time we know that that's a thing that we have to set, so next time.
That is going to be a thing that we set, and we hope that you come back, but like, how do people want this group to meet as a larger thing? Do people want this group to meet at all? Do people want this group to have meetings that are bi-weekly or weekly? Do people want this thing to have office hours, or do they want it to be like a Discord server? Like, what are people looking for? And that's the thing.
I think that I would like to know for just future planning, and also who is interested in being tech leads or, like, playing more of an involved role, like who has the bandwidth and the interest for that.
I would also like to know that, because that would be useful to know in terms of figuring out how we are going to scope this thing, because these areas of interest, ultimately what the idea is that they become, is that they, our charter, reflects what community interest and involvement is going to be, and the membership in also reflects what community and interest and involvement is going to be, and that's up to everybody. It isn't up to us. I think that it's up to all of you. So what are people interested in?
V
Up, so, why, this is Avita here. I would, I have some bandwidth to do some other docs-related work, so I could step up as a lead. I haven't done that before. This is the first time I'm doing so. Yes, I would take any advice and stuff, but yes, sign me up for that.
L
One thing I got reminded of by a SIG Docs chair is that you can have tech leads, but you can also have, I think they're called admin leads, like you can appoint people who are like, these people are going to help with the chopping water and carrying wood sort of tasks, and if we want to do that, and if anyone's got the cycles or the inclination to do that, it could be really useful with a group of this size.
Whatever the group wants, really. It's a fairly broad definition of, like, essentially the permissions model lets you say you can have an admin person, another tech lead, then we're doing more, like, organizing meetings.
D
I'm going to throw the question also back to what do, literally, logistically, what do people want this group to look like? Because, as said co-chair, it's actually really important to know if people don't want to have meetings at all, so that we stop bothering you about going. So if people would like to just, you know, you can throw into the chat if you don't want to speak up, like that's okay, but I would really, really like to know what kind of interest and/or bandwidth people have in, like, what they want.
C
I can speak to that. I don't want to feel like I'm talking too much, but I will contribute my opinion and we can feel like a straw man. I like the idea of the larger group meeting about twice a month.
I would probably, depending on the state of our subproject, change our individual meeting cadence based off of how much work we have to do. So, there's probably a long period of time where I can just alternate weeks, like I have a subproject on every other week, and then I have a larger SIG meeting every other week, and that cadence would work really well for me personally.
A
Anybody else? You know, if we assumed, for the sake of argument, that we were all going to be in the same place at the same time two weeks from now, is like, how many people would absolutely love that? How many people would find that that wouldn't, like, help them contribute to Kubernetes at all?
And we have all the flexibility to get ourselves together in whatever way and to whatever extent is going to work for everybody. This could be completely asynchronous. We could have a meeting.
D
I am seeing both people saying two weeks out loud and people writing monthly in the chat, although I have definitely not heard from everybody and would love to hear from more people so that we have more of a representative idea of what it is that people are thinking. And again, like, this doesn't have to be a huge deal. You can totally just, like, type a number into the chat if you want to. What I would like.
It seems like some people like monthly. What I think I would personally like to propose, and I would like to see how people feel about this, is that, even if it becomes monthly, because I think there is some interest in subprojects and some coalescing that needs to be done, and maybe a breakout room radio button that needs to happen in order to help that along, that our next meeting be in two weeks, and then after that it might go to monthly, depending on what the subprojects do.
But I think that will give us a couple of weeks to, like, get those subprojects and who wants to be involved in them kind of together, and if they aren't totally together, then we don't have to wait a month in order for those breakout rooms to happen. Does that work for people? That gives folks a little bit of time to, like, talk to their friends and convince them to come to the next meeting to go to the breakout room also.
B
I had a question about that that may feed into the cadence. Is SIG Security going to start having issues assigned to it that it owns? If so, some cadence needs to be set up for sweeping the backlog.
A
It will end up having issues naturally assigned to it, based on what the subgroups that emerge own, and so, you know, depending on what subgroups there are, then yeah, a subgroup that has a lot of issues assigned to it will, you know, naturally need to establish its own cadence to do that, which wouldn't necessarily require getting everybody in the SIG into a room, but it's a good point, and yeah.
D
And we're all starting and learning this together, you know, so we really appreciate the input from people who have experience with the way that other SIGs do things, because we have, this is the first time we're chairing, so.
U
I just wanted to share a couple things that I feel like have worked well from SIG Auth with respect to community meetings. One is that we never, where we try not to make final decisions in the meeting. We recognize that people have conflicts and sometimes the time zone doesn't work for folks, and so not everyone can always be at the meeting. So when a decision is made, we always follow up with.
An email to the mailing list asking for more feedback, or sometimes just right on the PR, if that's what we're discussing. So, I feel like that's worked well. Also just having the meeting time as something that, when issues do come up, for instance, if there's a PR that is getting a lot of discussion on it, sometimes it can be really helpful to just have a place to go.
Have that higher bandwidth communication, and so if someone is seeing some issue that they want to discuss, or maybe something that you just want to get more feedback on, they can just add that to the agenda for SIG Auth, and then we will address that in the bi-weekly meeting, and the chairs sometimes do a little curation of that.
But I've found that very helpful for getting my own PRs and proposals through.
D
Just as procedural chair things, generally speaking, and you can raise your hand or react or whatever you want, or stick in a Y in the chat, does this time work for people for meetings, generally speaking? Is this an okay time to say that we want to reconvene?
Okay, I would like to propose, because I want to be respectful of everybody's time, and we have three minutes left, I believe, on the calendar, that we meet here again in two weeks, that the folks who expressed areas of interest, and if this isn't currently reflected in the agenda doc, I am happy to help reflect it, that those folks who have expressed similar interests talk to one another, if possible.
I will harass you in exactly two weeks, same place and time, to go into a breakout room and talk amongst yourselves, and then I think we can kind of figure out how to divide up work from there, if that works for folks. I really want to express a lot of appreciation for all of you and the fact that you took time out of your day to come here. Honestly, thank you so much. Yeah, thank you. You all are awesome.
A
Yeah, if SIG Security becomes the greatest thing, that will be because it's a space for all of these people to express their awesomeness. So thank you all for your faith, to invest an hour in coming and talking to us. Go and make group DMs on Kubernetes Slack or whatever is the easiest way for you all to get in touch with each other, and we will have some more procedural help in place, like in terms of breakout rooms and things like that, for everybody to get together in a fortnight.