From YouTube: Kubernetes SIG Security 20220224
Description: No description was provided for this meeting.
A: I'm Tabitha, I'm one of the co-chairs, and I like to hack things and make friends and hack things with my friends, and that's primarily what I do here: help us all to hold this space together, so that we can help each other to improve the security of Kubernetes as a project, Kubernetes as a software artifact that we ship, and make scaffolding so that users can keep themselves safer.
A: We'll do lightweight introductions around, whether you have been here a lot or you're brand new, if you want to speak up. And after everybody has said hello that wants to, then we'll move on to talking about things. Hello.
C: All right, I'll go. I'm Rey, I was the 1.23 release lead. I'm also the subproject owner for the third-party audits for security. Also the SIG Docs co-chair.
E: Seems like folks are just jumping in, so I will. Hi, I'm Mala Dewberry, I hail from the Boston area. I am also super curious about Kubernetes security, and I'm just super happy and excited to be here and to learn from you folks. Thank you.
F: Hey, I'm Rory, I work for Aqua. I do theatre security stuff in a variety of places.
G: Hi, I'm Mohit, I do Kubernetes stuff at F-Secure.
I: I'm Eric, I am a dev advocate at Snyk and a Docker Captain, and I do all sorts of stuff.
K: Hello, I am a security engineer at a French company.
M: I am Frederick Ehim. I am working on zero trust strategy over at Anthem, and I also participate in the security TAG at the CNCF.
A: I think that's actually darn near everybody, so usually we hear from folks about what has been going on in the subgroups. Rey, would you like to tell us about the audit?
C: Yeah, so I wasn't here for the last meeting, but I did put in the notes that it was announced that the RFP decision, the vendor announcement, is now public. So NCC Group is the vendor for the 2021, now 2022, third-party security audits. I did put a link to that decision in the docs. There are a few other things as well. So one thing is: I would talk to ContribEx marketing about publishing a blog to the contributor site that the security audits will take place this year. A few things about this: I would prefer to have any communication about a third-party security audit start from the project itself, instead of the vendor. So maybe we could publish this to the contributor site, a blog that a security audit will take place this year, highlighting the scope of the audit, putting a link to the RFP and links to the vendor announcement as well, and also put in additional announcements, just because we would probably need to round up some subject matter experts beyond specific domains within the scope of the audits. So I'll probably announce this as well at the chairs and tech leads meeting and the March Kubernetes community meeting. The community meeting has started back up again; the first one in six months was this past February, so I'll make another announcement in March.
A: Yeah, same there. Does anybody have further things that they want to say or that they'd like to ask about with the audit, or we'll move on to the next group.
A: All right. Docs: no news from docs right now. Tooling: Pushkar.
D: Yes, a couple of updates. We got some very good feedback from SIG K8s Infra, SIG Testing, and SIG Docs on the KEP. Looks like there is an alternative design coming in, which will merge a couple of approaches that we have been discussing. So I have some updates to make on the PR, and once those are in, I think we should be able to merge it with the implementable tag, if I'm understanding the KEP process. Implementable, yes. And then, after that, we can start implementing it with a set of GitHub issues, and then there will be a good opportunity for everyone to contribute. So look out for that in the next meeting. Yes, really looking forward to this, let's see how it goes. Second one is: we have a new contributor who submitted a PR just last night on a good first issue of basically having a .gitignore file for our repo, kubernetes/sig-security. So it looks good to me. I just need an approve from the sig-security-leads alias, so that would be the chairs, and then we'll have that merged and we'll have one happy new contributor.
A: Awesome, thank you for calling that out. We will have a look at that at our soonest opportunity.
D: Maybe I'll go next, but before I go next, somebody please ask me a question on SIG Security Tooling, because this is something I'm trying out: instead of saying "if you have any questions", I just want to end it by asking someone to ask me a question.
B: I love this. I just wanted to say that first. Okay, what would you like to say to new contributors who are wondering how to plug in to efforts like security tooling?
D: Yes, so if you want to get started on what we are doing, I think the best thing is getting on the sig-security-tooling Slack right now and just looking at stuff that's being discussed, see if anything interests you, and always ask a question, and be sure, as a guarantee from my side, that you would always get a kind and reasonable response. So start with the question, expect a good response, and then we can go from there.
E: Is Slack also a good place, like, are there pinned links to other docs and stuff to get kind of a history on what the progression has been?
D: Yes, there are a few pinned Slack messages on the channel. There is a lot of good info on the meeting minutes page, the first page of meeting minutes. So there are some links to the last talk we had for security, some links to the project tracker that we have, so that will give a good idea about what's going on in all the different subprojects.
B: Awesome, thank you. Slack is also a good place, for the sig-security-docs channel and just the plain sig-security channel in Kubernetes Slack. There's lots of good stuff there too, and good people there. Awesome, thanks.
D: Okay, so next one is security self-assessments, so we are very close. I have the HackMD ready to submit a PR for Cluster API, but before that I just realized we need to do some prerequisites, so I thought it might be good to discuss it in the meeting today. So typically, for folks who are new or unaware of how subprojects work, there is a huge sigs.yaml file in k/community that tracks all the subprojects across different SIGs, and if you want a new subproject, you update that, and then that allows everyone to review whether the subproject is needed, and then the subproject gets added. So because this was really our first assessment, we didn't officially create a subproject, but now that it's pretty much done and we've gone through the entire process of a full assessment, more or less, it made sense to me to maybe officially have a subproject called sig-security-assess, and then that would also allow us to have a directory in our k/sig-security repo, similar to the other subprojects.
B: Not actually commenting upon the idea itself, but I think "assessments" might be clearer, or "self-assessments" or something like that, rather than "assess", because (a) it is a bad homonym and (b), just generally, I think it is less clear as to what it would be. So that's only a name comment, not an idea comment, but just that on top.
D: Yeah, fair point. TAG Security has moved on to "reviews" instead of "assessments", just for the sake of it being smaller and shorter. So we could also try that.
B: I wonder if "self" ought to be in it, because otherwise it sounds like we're assessing it. I think, maybe.
D: When an assessment happens, there is a conflict of interest disclosure that's written down, where it's basically assumed that somebody who is reviewing it does not belong to the same company as the project, or doesn't have a significant stake in what they are reviewing and in it getting better. And the other piece was: because we are under the same project umbrella, both the SIGs are still Kubernetes.
A: Yeah, I think that makes sense, like, whatever works and is good and clear to people. To kind of add a little bit to this,
A: my point of view on this is that I love the way that we as a SIG, which is literally a special interest group, it is a group of people who share a special interest. That's us. We're here because we care, we're here because we can be.
A: I love that as a SIG, there was a need for help with doing a self-assessment with this project, with Cluster API, and we said, cool, that is a thing that we can help with.
A: We will help with that, and now, since that seems to (a) have gone well, (b) have a well of future interest, and (c) now have a historical example that people can follow to try to make the next one easier and better than this first one was, I like that as a process for the genesis of a subproject. The subproject grows from the fact that it is needed; the subproject exists because it exists. Y'all have been doing the work, and since the work is good and since the work is ongoing, then I think it makes sense to reflect that in the Kubernetes management structure, so that way you all can get the credit that you deserve for the work that you have been doing.
A: One thing that is needed for a subproject (I'm going to use the Kubernetes word, even though I don't especially like it): it will need a subproject owner. I like to say we'll need a subproject leader. Right now, we've got Pushkar doing tooling, we've got Rey with the audit group,
A: we've got Savitha with docs, so I think that could be a good opportunity for somebody who wants to try to lead something and has not necessarily led something before, because we already did it self-organizing. So this is a place where somebody can step up if they are interested in doing it, and know that there are a lot of more experienced folks who have your back and want to see you win at that. So that's that.
D: And shout out any questions that you have now; we're happy to discuss it. Also, if you are not sure whether this is a good time and place to discuss, and want to discuss something in private, how the whole process was, what it would entail being a subproject owner, I'm sure me, Rey, Savitha, either of us and the chairs would be happy to answer that and also guide you in the beginning if you need help. So please do it. We would rather have four owners for four subprojects versus either one of us just doing double duty, because it gives an opportunity for folks to assume that leadership role.
D: Yeah, I definitely think that's worth discussing, so happy to chat with you later.
D: Yeah, I agree. So for now, it looks like, as a next step based on the discussion, it might be worth starting to create PRs for creation of the subproject, and based on what I hear, maybe in a week or so we can decide what the OWNERS file would look like based on who wants to own that subproject. And then once the subproject is created, the directory in our repo is created, and the OWNERS file is created, I'll follow it up with a PR of the self-assessment. Does that sound good to everyone?
A: All right, I mean, I'm here for all of us. So here is a thing which I put on the agenda: kubectl debug node. So kubectl debug is the CLI part of ephemeral containers, and you can say, you know, kubectl debug pod, and you pass some arguments, and then it adds an ephemeral container into that pod, and it does the thing that you wanted. And as part of that, they also added this kubectl debug node, which is a friendly wrapper around the fact that you can do node maintenance by running a super powerful pod that doesn't really have containment.
A: You know, because a container is really only a container in our mind, and so you can run containers that let you do essentially everything that you could do by SSHing into the node, and that is a way that some folks prefer to do it when they have to manually touch things on the node. And so it's a friendly wrapper around that, so you don't have to go and copy-paste.
A: If you have a writable hostPath mount of /, you can go and become anything you want on the node. You know, you can overwrite the shadow file to change root's password, or any number of other things that mean that you can do anything that you want on the node. But the exact details of how the kubectl debug node container is implemented has caused some confusion for some folks, and so I basically just wanted to bring that to everyone's attention.
A: These are its limitations; it could be taken to SIG CLI and asked how they would feel about, say, also adding a privileged security context to that pod, to make it more like what other folks would expect, based on the way that it's described. There's a lot of things that could be done here, and mostly I wanted to bring it to everyone's attention and see what happened when I did. So I'm gonna throw this ball out into the room and see where it bounces.
L: So I'm familiar with kubectl debug and then using a container that gets added to an existing pod, and then you have to basically delete the pod to get rid of that container. From what I can tell, you can even copy and share process namespaces. When you do debug node, does it create the pod for you, or do you still have to pick a pod? Because I don't see where that's documented. Maybe I'm missing something.
A: It creates a pod for you. I think the exact detail of that is not well spelled out, but when you do kubectl debug node whatever, then it's very similar to if you did kubectl run and you passed some arguments to include certain hostPath mounts and certain host namespaces and things like that, and then, when you're done with that session...
L: I guess container images based on what you wanted to put into that pod at the time that you executed this command. I mean, it may be that you have, you know, a container that initializes, does what it needs to automatically, and then it's done, or you can have one that you want to go into, you know, exec into or something. Is that what we're talking about here? Is it similar to that?
A: Yeah, it's exactly like that, you know, except that instead of making those choices about how you want to interact with the processes and resources inside of a workload pod, you are making those choices about how you want to interact with the resources and processes as viewed from the host. So, like, you can kubectl debug node and pass in your favorite OS base image.
A: So yeah, if anybody has any thoughts about that, now is our time for this. Otherwise I'll also bring it up in Slack. You know, this is a thing where it could be improved in any number of ways, based on how folks feel about it and who wants to go and talk with SIG Node, talk with SIG CLI.
B: For the record, if you are somebody who can't make it to this meeting and is watching this recording later, or if you are somebody who is at this meeting and is an introvert or needs a little bit of extra time to process things, it is always okay and good and encouraged to bring comments, thoughts, questions, whatever ideas and dislikes, because not everybody needs to be put on the spot all the time. So always feel free to come do that. That is always a good thing to do.
K: Just have a question, Tabitha. With this functionality, with kubectl debug node, do you have to choose one node, or can you just, like...
K: Yeah, okay, because I use a small shell tool by kvaps on GitHub, which was named kubectl-node-shell, which is a small script, and I modified it to, like, pop onto a random node if you have something, right, to create a pod. And it was very interesting that it's now integrated into kubectl directly. So.
A: Slightly different interface, slightly different user stories, but yeah, very similar, a lot of inspiration there, as far as I know.
H: Thanks. I know we spoke before about adding a list of RBAC verbs for things that are, like, I know Rory and I mentioned the node proxy and so on, and possibly collecting a list of "hey, these are super dangerous permissions to be giving out". Is this something that we should possibly consider for that as well? In terms of, I'd have no idea how the RBAC for this is going to work yet, but do we need to be...
A: For that particular question, (a) this is the place to bring up the question of whether we should go to a bigger scope. This is exactly the place to bring up that question, so thank you for that. And for this particular feature, they talk about that in pretty good detail in the KEP, where kubectl debug node specifically is not really part of the API in a first-class way.
A: It's a convenience wrapper around the fact that if you create a pod, you can bypass the scheduler by putting the correct annotation for the pod that you want to target and so on, and they call those things out in the KEP where this was added: that because this is built out of those same lower-level pieces that already existed, it was believed it did not entail any additional RBAC, additional warnings.
H: Makes sense. I guess I had images of it being implemented differently, and I should have read the KEP better. I just had an image of, like, "debug" suddenly becoming a verb and being thrown about quite happily, rather than, as you say, just a convenience wrapper around creating something that you could do anyway.
A: Well, and like, what I'm saying here is based on my understanding of it, which is based on, you know, I spent an hour or so familiarizing myself with it in between reading the issue and deciding that it was a good thing to bring here for community involvement and consumption. So, you know, I'm not a deep expert on this either, but that's my understanding of it, and so, like, to really get the details of it...
A: All right, Rory, tell us about container scanning. What did you find here?
F: This is just one I actually got from an ex-colleague of mine who's a pen tester, and he said, "I was doing container vulnerability scanning on this image, Grafana, which is based on Grafana 8.3.4. Why am I not seeing Grafana 8.3.4 CVEs come back from the scanner?" I was like, oh, good question. Why? And I just stuck around, and this is where I am so far. It's like I'm having a look at it.
F: Basically, so container vulnerability scanners and SBOM tools tend to build up a list of packages based on either operating system packages, so like Alpine packages, Debian, and then also programming language packages: Ruby, go.mod, wherever else. If a piece of software is not installed using either of those two mechanisms, how do they tell what the software is and what version it is? And the answer seems to be: there is no good way of doing that.
F: So, for example, Grafana is a Go program. The things that are in its go.mod file can be scanned for; Grafana itself doesn't turn up. So it means that if people are building up a library of all the programs installed in their environment and they're relying on SBOM tooling, they're going to miss the things that are the main programs inside the various container images, and they can manually add that, but they have to know there's a problem. They have to know it's missing.
F: I had a little look around to see if this is... This is obviously, like all things, this has come up before, and I asked Teppei, who writes Trivy, and he said yep, he's raised it before, and there's a lot of discussion, which I put in that HackMD, going back to 2020 of people looking at things. There's also an idea that in the OCI image spec you can add annotations, and there is an annotation for software version.
F: So in theory someone could add the annotation for software version and say, I'll record the package name and the version in annotations, and then the scanning tools need to know that that's there, and everyone needs to know to do it. So it's just one of those things where it's like, oh, this is weird, I don't know how this works, and I thought it might be interesting for people because it was interesting to me. I was like,
F: oh, I don't understand quite how that works, and let me look. And so, as I always do, to HackMD, to say this is what I found so far. If anyone has other ideas, very interested to hear them, because I've not yet found a good answer, and I'm sure someone else must be working on this and actually have a better answer than what I've got so far.
A: I'd encourage you, Frederick, to speak up. Oh.
M: So there's a couple of things, though this will only help you with Go, but the new Go 1.18 that's due out, estimated at the end of this month, is going to start recording a lot of information about what packages go into a Go application inside of metadata, for anything that you build. So it'll actually list all of your modules and everything that was used and all of their sub-dependencies, including their hashed versions, at least from when I last
M: checked into it, and embed them into it, so you could actually look at the exact things that were brought in, and you should also be able to tell whether or not those things were modified, because it actually ties it to the git version that's there, and it'll look to see if there is anything that's been modified in that as well.
M: To give you a little bit more insight as well, on the second one, one thing I was curious about with one of your comments was: you did a scan on it, and it sounded like your final binary itself you were able to... yeah.
F: It'll find the modules inside because it could look inside the Go binary, but what it won't find is the version of Grafana, because the only place that exists is in the tag, and tags are not things that anyone would rely on, because tags are mutable state. But inside the binary it records all its modules, but it doesn't record the version of what I'll call the main program. I'm just calling it that; I can't think of a better term. There must be a better term.
F: The thing that's the main program, the thing that is, like, the top level. It has all the modules, but it doesn't have: what is the version of that top-level thing? That's the bit I can't find, like, a standard way of recording.
F: And also, if Go has a solution, then other ecosystems can maybe think about that, because you can say, here's how Go solved this problem. Generically, if it's like any programming language, I was thinking OCI annotations is not a bad way, but the question would be how we... it would need to be publicized that this was something people should do, because obviously I haven't. If we're talking about container image scanning, the one thing that's common should be the OCI spec, more or less.
M: Well, if you want to, I'm happy to look into this with you as well, because I'm very curious.
D: One thing I've seen, and that has its own disadvantages, is some scanners do binary analysis, where they try to look for words instead of some structured way of getting information. So when you do, like, a hex analysis on the text, you'll find something like "grafana" written somewhere, because it's obviously...
F: Yeah, I think you're right. I heard that some scanner did that scanning. I was like, yeah, and it's just, I can see why they did that, because there isn't a standard way, and if I'm a programmer and I'm told to solve the problem, yep, that's an answer, but it's not a good way. It's just the only way that's available. So yeah, that makes sense.
A: Well, and within the world of vulnerability scanners there's the CPE database, this structured naming convention of company name, colon, software application package, colon, version numbers, and you see that as a standardized reference for software packages in things like OpenVAS tests, in things like Nessus tests, whatever. But then that isn't a complete solution either, because that is essentially saying we will establish a central, authoritative database of every piece of software.
A: Yeah, but this feels like a thing where, for the use case of container image scanning, something could emerge as a de facto standard, could emerge as a convention. Like, I don't know, if certain build tools started shipping a feature to make it easier, or even to automatically inject those annotations, then more people would be injecting those annotations without even necessarily knowing to put effort into it, or if certain container vulnerability scanning tools started...
F: I have a Slack... okay, I found some stuff, but it might seem like, if they've got Slack, there might be somewhere to ask. But it's a tricky one, because I was like, this doesn't belong to any one project or group. It's kind of SBOM-y, it's kind of container vulnerability scanning, but it's not like I could say it's definitely this person, they're the right person.
F: That's the way the tooling's being built. Like, if I'm a consumer, I'm not sure the message I'm hearing right now is "these things are just a first pass, please don't rely on them for being complete, you need to go and add stuff". I think a lot of tools are being sold as: run this, create an SBOM, boom, you've got an SBOM. Well...
A: Yeah, you have an SBOM, and so yeah, if the message there is missing of: you have an SBOM, it is as trustworthy as the information and heuristics that went into its creation. Like, yeah, I don't know, I have a math degree, and so I think that about literally everything, but not everybody has that point of view.
F: Yeah, I think that's it, because I think it's like this little black box at the moment. People say, oh, I've just been told that I run this thing and it generates the SBOM, and then I assign it to my package and I distribute it, and then everyone has SBOMs; we have SBOMs everywhere. But it's like you just hit the nail on the head: they're only as reliable as the techniques that were used to generate them, and those techniques are not, as in this case, they're not going to be perfect, or they're very unlikely to be.
A: And, like, that's okay. Like, if everybody had SBOMs that were accurate but incomplete, then the world is a better place than nobody having SBOMs. But depending on how you want to consume those SBOMs, if you want to use those SBOMs for things where they are only useful if they are guaranteed complete, then that's like a far more difficult bar for an SBOM to cross.
M: But even if you do it at build time, there's also a difference between the build tool itself giving you that information versus the build orchestrator trying to give you the information. So the build tool will give you more information than the build orchestrator, and the build orchestrator will give you more information than doing a post-build scan. So there are different levels at which you have to ask: where was this thing generated?
M: Yeah, that's why, like, if the Go build tool gives me the information, in Go 1.18, if I'm thinking properly there, then I'm expecting that to be very high quality, versus doing a scan after the fact. That's not to say that scans after the fact are not useful, because even if you have the information from a build tool, as a consumer or as QA, I can use those to validate the SBOMs, and if it's putting out different information, then at least it gives me something to go and inspect.
M: But I would definitely look at where the source is, who is producing the information, and how close it is to the initial source of the inputs.
M: Don't ignore the environment, like, I can then create a macro for main that replaces main with something else. Your build system looks fantastic; you get an SBOM that has nothing to do with what's actually running.
A: Maybe that isn't what you want, but it gets into a place of having far lower signal-to-noise ratios, like what Pushkar was saying before. And so it's like, for these package managers, the OS package manager, the language runtime package manager when it exists, then at least you know that those data are of a certain level of quality, because they're how the packages got there, or they're
A: how the packages got built in at build time. But just to stir the pot a little bit: you know, I make a container image, I do an OS install using apt or apk or whatever of some software package, sudo, and then drop in, in another layer, a sudo binary that is a completely different version, like with a back door in it, or an older version with a vulnerability, or whatever. These tools
A: don't know that, because these tools know what they know, and what they know is what the package manager says, and the package manager says it's a good version. And I don't say that to prove that these tools are useless, but I really just say that to stir the pot a little more: using tools that are imperfect is necessary, that's how we move the world forward, but also, if we don't understand what's imperfect about them, then we can hurt ourselves.
B: Just one last thing: every SIG every year gets to do an annual report in Kubernetes land, talking about how the year went, projects that we're working on, just sort of talking about the state of the SIG, and the deadline for that one is coming up, so Tabitha and I are going to be working on that, and I just wanted to give everybody the heads up that we're doing that.
B: Also, we're going to be releasing it for comment probably around the weekend, so just a heads up on that, we're going to be doing that. If you have thoughts or comments about it or ideas, we would love to hear about them, and that's about it.
A: It's a very good time. It's a lot of difficult, like, emotional work of, like, what is the SIG? Well, like, how do we speak positively about the way that we create this space for ourselves, and then what we do to improve the world by having this space? So, like.
B: Yeah, well, Tabby is speaking for herself, because it's just had me saying this and me being like, of course we speak positively, it's amazing, OMG, and then we go back and forth about it. So if people have thoughts about stuff like that and want to contribute to that process, we're gonna be navel-gazing a bunch in the next few days. We would love to hear it. Big puffy hearts to everybody.
I: Yeah, related, kind of. So KubeCon Valencia is gonna be the first one I get to attend in person. It looks like a 90% chance I'll be able to travel for it. Fingers crossed for you. What are we doing related to that? Do we have a session for our SIG? How does this work? I've never been to a KubeCon in person before, so.
A: If anybody is not familiar with that acronym, thank you, thank you. And in general it is good form for a SIG to respond to that CFP at least once a year, and generally every KubeCon, to have a "hey, this is us, this is what we do, this is what's been going on, here's how you can come in and be friends with us if that's interesting to you" kind of session. And we have one of those proposals in; we have not yet heard back on that proposal.
A: Generally, the acceptance rate for the maintainer track CFP is very high, because that's why they have the maintainer track: to make room for as many projects, however you want to define project, as possible to share themselves with the audience at KubeCon. So that's one thing that we have which has definite plans.
B: Just to be a... but also because it's true: the maintainer track acceptance rate used to be much higher, and now it is high for SIGs. However, if you are a non-SIG CNCF project who is submitting to the maintainer track, of which there are more all the time, it is not necessarily as high, depending on where you are in the CNCF process.
A: And there has been a process change around that recently, where I think that sandbox projects no longer are allowed to submit to the maintainer track. I don't remember the details, because I read them but I did not study them, because they did not affect me directly anyway.
A: Yeah, I mean, any last thoughts? Anything that somebody wished they had brought up? Slack is open 24/7, but this is our space.
A: Yeah, thank you so much, as always. It's great to see you, and yeah, Slack is open 24 hours, and otherwise we'll see you later. Have...