From YouTube: 2021-04-15 meeting
A
C
C
Okay, well, let's, let's dive right in, John.
D
D
Those secrets were almost certainly exposed to the attackers.
D
So I verified in OpenTelemetry Java that none of the jobs, job steps that have Codecov in them use any exposing environment secrets to the environment.
D
D
D
D
C
Yeah, I'm not sure if Travis CI was working that way. I feel like the secrets were, yeah, I don't remember now. It's.
A
D
D
D
D
Anyway, so do you have any other projects around that might have Codecov, something to take a look at, or someone might be able to publish things to your, I don't know, your Maven Central? Yeah, I guess I think that's probably the biggest thing is they, like, if you, for example, we do have GPG private keys in our secrets, so we can do signing, and if those got exposed, and obviously we would absolutely want to rotate those. But I don't think any of it appears to be relevant for OpenTelemetry.
D
D
So I, just as a note, I updated Spring Cloud Sleuth OTel yesterday to use 1.1. Definitely changed the API on the HTTP server tracer and client tracers.
D
The big thing was that most of the callback methods now take a span builder instead of a span, and span builder doesn't let you update the span name or add events, and those are two things that Sleuth needed to be able to do. So I had to change to just, to just override the top level, whatever the top level start span is, where I had, and then once the span had been created, I could pull it out of the context and then update those things, but it did.
D
I think the idea was that events occurred during the lifetime of the span, not when you're creating them. Like, events are things that happen during, they're events that happened during the span, and you wouldn't add them before you would start the span.
C
E
Unfortunately, because span name extractor is just, like, it's analogous to just passing the string with a span name in the previous tracer API, so the new API actually doesn't have anything right now for updating span names, events or links, and I, I think, if we even use links internally in some instrumentations in our generation.
D
So well, it's not when starting the span. It isn't when starting the span. That's the whole point: I had to put it in starting the span, so I could have the span completely started and then get the span and add events to it. Sleuth supports a method where you can provide arbitrary, like the end user can provide arbitrary updaters that will update the span data, like span names, and do things to the span, and so we needed a place to put that into the callbacks.
B
E
B
We didn't think that tracers, API or constructor could lead to their breakage, which most probably means that we will not think about it in the future as well. Whenever we change anything, we will not think about that, and that's true. I don't know off the top of my head what they actually used. We changed some util methods and bombs, they broke. So go ahead and if I click.
D
Put a link in there if you want to do that. There was also a weird thing on the client side that I didn't really understand that I will ask about also, but you can see here, so here's this, our span, this server request parser is something that the users can provide to extend instrumentation, and this is a thing that allows it to update events and span names and do all sorts of things like that.
D
D
So I, unfortunately, I had to call super to get the context and then get the span out of the context, which is a little bit, I mean it works, but it's a little glitchy, whereas previously there was a method that just had the span after it had been created. That was all that, for this is why this would.
D
Anyway, the other thing was this. Well, let me pick it up. I don't remember what it's called off the top of my head, so my client, yeah, there's net peer attributes, so the client tracer, HTTP client, sorry, HTTP, yeah, HTTP client tracer now requires these net peer attributes to be passed into them, but it was super unclear, like there's no documentation about what you're supposed to do with them or what they're supposed to be used for or why we now have to pass them in on the constructor.
B
So I'm thinking that, still, that we have probably to test our changes or our snapshots with the spring flows, and maybe we can start working backwards from there, you see, and start defining what parts of our APIs we at last should start stabilizing, because I totally understand merchants frustration that we, like, it's April already, and we talk about stability from at least autumn, like half a year already.
B
B
B
Well, not, I mean we, we had previous, what was the before tracers, what we had, then we had those specific tracers. Now we have instrumenters, so yeah, churn is very high.
D
C
Instrumenters, even within the tracers, so there were a couple of, we moved everything from passing around spans to everything passing around context, so that was a big great edge, and I think that's sort of what the latest one that John was dealing with was, now that everything is context based as opposed to span based.
C
B
B
B
D
D
D
Yeah, so materials, please reach out if you have questions. Their basis, I find it incredibly confusing, and their testing framework is even more confusing. So, okay, please.
D
D
So that's a little bit of a mess, but yeah, I'm happy to try to let you know what's going on or try to explain what I've figured out over the months that I've been putting in PRs to them.
E
Okay, thank you. I'd probably try doing anything with this tomorrow and in case of any.
B
B
C
C
That, yeah, so related to that, I saw a merchant posted in the Slack today about roadmap, sort of basically, you know, trying to get, I think, can we, can we even give an estimate at this point about getting to a one zero stable. And so I know that, just like we've discussed it in the past, and the big open question to me is still metrics and how metrics will potentially affect the API.
C
But at the same time, if we do with the instrumenters, if we do some prototyping and feel fairly confident that we've thought about metrics inside of that instrumenter API and that we won't have to break, you know, I mean the idea is with the start and end that we'll be able to handle metrics transparently inside of there, and we won't need extra surface, API surface.
C
B
C
It can. That's been the convention, even in the SDK side, is that as long as it doesn't expose any surface.
B
Okay, so it's not, it's not like API dependency. It's implementation dependency.
C
D
C
Okay, so it sounds like, I mean, I'll discuss also.
C
B
C
I, I have a good degree of confidence that we can do it with, you know, hiding metrics, and you know, the only thing we might, once we add metrics we might find, oh, we need to pass in, we need some overloads that pass in, you know, some metric dimensions or, you know, some extra metric extractor, but I think that's probably doable in a, you know, backwards-compatible way. And you're right, this is, that's key, that we should be able to prototype some basic metrics already.
B
Spring Sleuth currently doesn't use any metric-related data. Definitely.
B
My pull request about extension proof of concept suddenly stopped working on my machine as well. I am 100% sure that I got it working on my machine, but today it doesn't anymore. I don't understand why, so it's, yeah, classification legend is just, yeah, hey, that's class loading and how exactly Byte Buddy is using that. I felt that I started to understand that, but well, today everything fell apart.
C
Cool. I did want to call out a couple. Well, actually, if you haven't seen, we have, I don't even know how to get to it. Docs, contributing, writing instrumentation module.
C
Yes, this is an amazing doc for new contributors and not-new contributors. Goes through, you know, really detailed, how to write instrumentation, what all the different parts mean, explaining a lot of the magic that's in the instrumenter classes. So thank you, Matthias.
E
Well, what blog post, I don't have a, I don't have.
D
C
B
Think, yeah, so where to put that blog post, that's easy, we will find that out. But looking at that document, it may be, well, you just take that document, convert it into a blog post, put in a little bit of why should I care and a call to action, please contribute to instrumentations, and voilà, you have a blog post.
D
Also, if you want some help from the blog post person at Splunk, reach out to Courtney Dan, and she is very excited to write blog posts about OpenTelemetry. So if you give her content, she can turn it into something official.
C
Yeah, I've noticed in the instrumentation repo, right, we all kind of have our areas, like, honorable review all the library stuff and I'll review all the auto instrumentation stuff, and Matthias reviews just everything.
B
C
B
C
C
A
couple
of
bug
fixes
good
bug
fixes.
This
was
leading
to
stack
overflow,
which
is
pretty
bad.
This
was
leading
to
memory
problems.
We
were
adding
the
same
head,
the
trace
parent
header
over
and
over
and
over.
If
somebody
was
reusing,
the
request
object.
C
C
Let's, this one came up, interesting. We got a user-submitted security vulnerability against the Java agent because we used an older version of Netty, not the very latest version of Netty.
C
But what's interesting is we are using the latest version of gRPC, which is tied to the version of Netty that we're using. So we can't really bump the version of Netty on its own without gRPC, but the security vulnerability doesn't affect the way that gRPC uses Netty, and so there's no security vulnerability against gRPC Netty shaded.
C
So this sort of gets us, sort of works around. Now, when people run those automated security vulnerability scans, it shouldn't pop up. And Netty, we have it on the isolated agent class path, so it's not exposed to the application anyway. So it wasn't a real vulnerability, but it is important still, even if it's not a real vulnerability, to not have those show up in the scans, because people run those and then aren't sure what it means.
C
Generate, oh, this was cool too: more muzzle, more mature muzzle work, muzzle magic, mateish muzzle magic.
C
So the context store now, where, so you don't need to write all of these methods in your instrumentation modules anymore. Basically muzzle will automatically scan your advice usages and build this for you, so fewer things now that you can get wrong about muzzle. Still plenty of things you can get wrong, but, like, that was one of the main ones, another one of those main ones, along with the helper classes. The helper classes was the biggest pain. I was always breaking that.
C
Stop me if I skip over anything important. Ooh, library instrumentation, that's pretty cool for folks, and for Spring Cloud Sleuth also, I would imagine this will be really good. So now we have, like, gRPC.
C
The library instrumentation list is growing. We should maintain that list separately somewhere.
A
No, good call out. Yeah, I know, sorry, I was just thinking instrumentation, general term, right. Yeah, calling out library would be good. I don't know that it needs to be up in the doc site, though.
D
C
Yeah, oh yeah. We actually were discussing that earlier this week for the changelog. We're gonna break the changelog into two pieces, one targeting agent users and one targeting instrumentation, or no, I see, one targeting instrumentation users, which would include both library and agent, and one section that's targeting instrumentation authors.
C
In flight is adding instrumenter for, testing out instrumenter for messaging. Oh yeah, the changelog. I need to get, I'll get back to this today, finish that up for one one zero.
C
And that's it, folks. Anybody have any last thoughts?