A
Good, we'll give it about three minutes to get people on board, I know, because we have the two meetings. Yesterday, a lot of people were at the Tahoe Summit, and so most of them are traveling today, so I think it's going to be very, very light today, but I'm gonna bring it up and we can have a little bit of a discussion around this 3.0 section.
B
A
Who joins in, and I know that today this is going to be a really, really sort of light group, just because we've got pretty, I mean, most people are on traveling at this moment in time, but yeah. So it's really interesting. Right now we have been working on enabling security for the entire CNCF portfolio, and Argo got to 100 compliance on security through the metrics that we were using, but they didn't graduate from CNCF, because their threat model was insufficient, and what's really cool and fun about threat models.
A
Is that it's a manual process: you're just going in and trying to figure out exactly where potential unknown threats could be. So it very much is going to be a story narrative, because there's no automation in the process, and I think that this, this little thing, this whole thing is great. So this is the actual.
A
So this is one from a couple of years ago from Los Angeles. This is the latest one from Detroit two weeks ago, and if we get them graduated from CNCF, they said they're going to try to create Argo hats.
A
Is very motivating to me, so it's a cool story, but what it allows us to do is define and teach threat modeling for an open source ecosystem and explain to them that the way that they develop their architecture models has to be a, what we would call capital-V verifiable architecture model. So I don't need a, like, PNG of your architecture diagram. What I need are a bunch of connecting YAML files.
A
That show me what the true endpoints are that connect to what data stores that connect to what applications, and with that we have something that is what we define as interoperable, and there's a very small but potent potentiality that if we create threat modeling for Argo, so here's the issue: Argo just got turned down from CNCF graduation, and they've got a better threat model than some of the graduated projects, meaning that they've just, the CNCF has stepped up their expectations for security. That makes sense, great, but they're dealing with unknown expectations on that side.
A
B
A
Seen so good that it makes us redo the graduated projects, which submitted really, really, really limited threat model, because right now, some of the most, some of the graduated projects are genuinely the least secure. They are not enabled. I cannot communicate with them if I wanted to do a disclosed vulnerability or an undisclosed vulnerability, more, more likely, but yeah, I think it's gonna be a really cool story.
A
They're really responsive, and even if you put it out online or into, like, I would love a physical book, just because I've got all my silly little physical books over here, but explaining threat modeling, because it's the only process left in cyber security that is not ever going to be overwhelmed by automation. It is your last chance to identify as a human being thinking about the security of your system. How would another human being go about infiltrating it, because hackers are always smarter than us, right?
A
B
D
A human aspect that is the tricky aspect here is something that is hardly, you know, a capability can automate. Yeah, that's where the human aspect of this is interesting, and, and, well, when, from my point of view of content, but also, like, being able to help, like, with that threat modeling, as you say, and having, like, that case study. Oh, there, you know, the kind of, like, to tie in a story on that, yeah.
A
It's a case study, it'll be really valuable. The narrative makes a lot of sense from a story element, but it also lets us write a story that engineers can read and enjoy and then understand. These are the processes behind manual threat auditing, and you will die without it and I will die without it, because I can't run an ecosystem. I can't live on an ecosystem unless that ecosystem is self-aware, security speaking. So I guess we can keep this meeting.
A
I was hoping to keep this meeting, with the lack of attendance this week, to about 15 minutes, and I do have to say that on the rewards and incentives GitHub I have not made a huge amount of progress in the last two to three weeks, because I have been traveling almost full time, but I'll just put into our quick little notes here a link to the GitHub, and what I would ask right now. So Eric, I'm really curious for these rewards and incentives that we're sitting on right now.
A
It still looks like effectively a blank page, only because I haven't moved a lot of the recommendations into the GitHub, which I will do on Monday. But what I'm curious about is if you have any insight or limitations that you want to discuss in advance. These are the two things that I will, sort of the two moments of progress that we've had from these one through three, because my rewards has to coordinate with implementation. Otherwise it doesn't exist.
A
So I'm waiting from them, and I need to hear back from Eddie on my team about how MLH conversations went this last week, but again, MLH was at Tahoe, so we're not going to hear from them until about Tuesday next week. On the other side of that, we had a good-ish call with GitHub, and it was just myself and David Wheeler on the call. Other people were invited, but again, it's Linux Foundation of Open Source, right, so we showed up, and two things, I think, were important.
A
The number one table takeaway was that GitHub says badges are a waste of time. They don't have value and they're not worth implementing, and that's their view, and I didn't hear anything sideways from that. No one was interested in setting up another badge. However, I explained to them on the other side that we're not creating badges to get at the highest level.
A
So let me take one step back. At the highest level, for genuinely good security engineers who can patch within a language, we have about 1,000 of those on the entire globe.
A
It's all manual. What I'm trying to get GitHub to understand, and some of these other platforms, is that at the end of this rewards and incentives, what we need to do is to be able to have a badge, a recognition and identification of verification where, if someone submits a security patch or recommendation, I will take it right away. I'm trying to create an immune system where, typically, we've focused on the externalities of the central nervous system. Now we need an immune system, and CNC and CNCF in the central nervous system of this, of this process.
A
But with that said, today I was hoping to come back to you with about three hours of labor around 3.0 discussed, and I wasn't able to do that because I had to re-record my auto talk twice today. However, next week I have an entire week off and I've put Monday through Friday on this. So what I would ask from everyone on this call right now is that we're going to keep this short, we're going to drop it in three minutes, on the expectation that you can spend about 30 or 45 minutes next week.
A
It's been really hard to put together until we get the gap analysis done for implementation, but what I really encourage is, right now, think about what it could look like if we were leaning on things that have not existed yet. So badges do not work well. Verification through the Linux Foundation does work well, does result in batching, but does not have the ability to stamp someone with a "yes, I will take your PR now, I will take your patch immediately", and that kind of immune response is what I'm trying to get us.
A
A final verification for. So I guess I just talked for 10 minutes to tell you I'm very stressed about the three, the 3.0. I know that I've got about five to seven hours, probably, left on pulling this through, but if you can pay attention to the CNCF, no, or the OSSF Slack channel, I'm going to open up discussions there and on issues on GitHub in the next two to three work days.
A
Make sure you get your comments in, because that's how we're going to get this done. On the other side, for any of the other sections, we are sitting at, because of Thanksgiving, not having any live meetings before we have to compile this, and thank God it doesn't have to execute, but it still has to be compiled.
A
So I guess I'll leave that there, because we got two minutes. I'll open up the floor. If no one has anything substantially to add, I'm gonna say it's like after 6 p.m. on a Friday for me and I've had a hell week, so I'm gonna set this down for the weekend and come into it with full power on Monday, and I
A
Want you to look at the changes in the chain lock, changelog, and I'll summarize them inside of the Slack, but let's have a conversation on Slack around issues, updates, and make sure that, right now my only concern is that, like, I am the narrative force on 3.0, and I'm happy to be that, I've got lots of ideas, but my worry is that sometimes I'm not the smartest person in the room. Now, that's only like 20 to 40 percent of the time.
A
The majority of the time I put myself in rooms where people call me an expert, but this I'm not an expert in, because no one's done this before, and that's where I'm really struggling, because we, we have some badges, they're unsuccessful. We have some verifications, they're somewhat successful, so stop there. Eric, what was that say? What are your thoughts?
C
Yeah, I mean, it's, I've been in a room with you. I got lucky enough to meet you a couple weeks ago. I definitely, definitely think you, you fit the moniker for what you'd be given credit for, but, you know, I've been pretty busy on a lot of other tasks. We reordered internally, but things are quieting down.
C
So if you have explicit need, help above and beyond just kind of reviewing what you're putting together, but there's explicit areas you want some help researching or getting it, getting it up and going, and then you can send that to me separately, if you like. I'm happy to spend more time on this, because my calendar is freeing up a bit, so I've been trying to, trying to get to that point, but haven't, haven't got there until now, so whatever I can do to help, I'm happy to do it.
C
B
C
A
This is different. It has to be validated with Linux Foundation, right? I need someone who I can validate has sufficient security knowledge in a specific technical stack to be able to be securely aware that they're making a good patch. So what I was trying to explain to them was that they have a very feature mindset at GitHub, which I get, that's great, but that's the problem.
A
If you do not understand that it's not making a feature request, it's not submitting a PR that's like, here's a functionality you can or cannot take, right? There's not an arbitrary decision point. When someone is making a security request of an open source project, it has to be coming from a validated source in order for us to be able to ensure that a maintainer knows it's worth their time, and right now, no open source, no open source ecosystem has that verification in place.
A
We have a couple of known contributors who are very good in cyber security, who are validated by their name and handle only, which makes us particularly open to malicious injection at this time, because if there are seven very good contributors for cyber security, those seven personas are what I would target as an open source hacker in order to be able to have the highest surface area over an ecosystem, right? So we've created a fragility inside of the system that I'd like to remove with a surface area report of who is and who is not validated.
A
That is my end goal, and I know that I've said that for months and I have not created a real plan around it. The major blocker for that right now was deciding who our first persona would be and what our first training would be. We now know that that's going to be for appsec, which is fine, it's important, and it's also done, so.
A
That's also very important, but I need to look through the appsec education that exists, and my issue is that I've looked into it a little bit and I'm trying to create a generalizable persona of learner scales that isn't triaged only to appsec.
A
So that's where I'm going to have questions Monday and Tuesday of next week. I'm going to put them straight into that Slack. I'm gonna raise them as issues so everyone can see them on GitHub, and I'll put them into the Slack as well, and that's what I want. I just want a narrative communication around some of these. I just want a written record around some of the decision points, because three only gets enabled in year two and we're trying to enable year one right now.
A
So some of these things are subject to change, and we need to have those contingency plans in place, because December 1st we're submitting this and we need it to be actionable, and actionable with contingencies. I can write, I've written grants before, but I want to make sure that all opinions are encased in that, because we have a really unique opportunity for this year to budget to state that we might change our decisions moving forward, which I think is incredibly important for the rewards and incentives, because those are continuously changing within different ecosystems.
A
So I've taken up 20 minutes of everyone's time and I have absolutely nothing beyond adding in some additional, like, a link to a Google Doc on that. That's all I've done the last two days. But if, if, so, everyone on this call right now, if you can spend a good 15 minutes, just 15 minutes, because there aren't a lot of resources out there, 15 to 20 minutes, and go out and find independently for myself any of the security badges that you're aware of, any of the security certs.
A
That you're aware of that have one or multiple levels. I have my own list, but my concern is that I have not reached at all. So if you can send me any links, I'm happy for repeat links, that gives me a good idea of what's really out there, and I will add those in to the module one of the assistant state.
A
These the resources we're aware of. I'll make communication around GitHub around some of those limitations, because here's the interop that we're dealing with: a lot of the partnerships where we'll get the valuable training from our corporations, corporations who have no incentive to participate with us until they understand what the rewards and incentive structure is. So the cart-and-horse issue is becoming complicated, because they don't know why they would get involved unless they would have to pay someone at the end. And yes, to some degree, that's true.
A
You should hire people to do your labor, but we need to make clear to them is that the incentives are external to them, they're sitting in Linux Foundation, they're sitting on GitHub, but it will provide them security support. I'll leave it there because, y'all, it's like 6:30 in the UK and I have done a lot of other work this week and I'm a little frazzled, but all of next week I have the week off, which means I'm working on Linux Foundation, because you can't get fired from things.
B
Was gonna say, just before, really sorry, I literally just turned up, so I forgotten this meeting was there. So just as a quick recap, we're looking for appsec badges, appsec certs, you just want us to kind of put them in the Slack channel, right?
A
Yeah, so I'll start a quick little thread on the, like, stream one of the OSSF page and just say, all right, throw me any badges, certs that you're aware of, but they have to be, and this is the problem, so you're not going to find many, they have to be entirely, objectively open source. So it can't be, like, have this nice Google search, and if it is, do label it as such, and I think you're gonna find that there's almost nothing out there.
A
My final note here is, like, rewards and incentives is really about observability and verification, and I think that's where it's getting a little bit challenging, because I need to make sure that when I say verified, it's capital-V verified, but I think we've gotten to a very good place on the step two of this enablement, where you know what the platform looks like. We know, for example, that we're not going to hold certifications on the platform, we're going to hold them on the Linux Foundation platform.
A
With that in place, I can start to build this out, but I'm gonna keep this meeting short, because I am just, like, I've had a week, I've
B
A
A long week, and I've made a single-line contribution to section three, but Monday I'm gonna hit this, and what I'd love from you all is on that little thread on stream. I'll go ahead and put it in so we all know exactly where it is.
A
All right, so I put it straight in the stream one. I was like, last quick request, here's what you can get to me. Throw that to me and I will build a little, right, because we're basically doing a gap analysis of, like, why badges don't work and a gap analysis of why we have zero training. And then we have to go back to the federal government and say, like, thanks for asking us to coordinate resources.
A
But there are no resources to coordinate, so we're going to need more money for new resources, because we, we quite literally, in the gap analysis, have five courses that we can use openly and with open provenance. Five in the world, and that's sad.
A
So we're really gonna have to build out a lot of this from scratch. So if you have anything, and also do tell me if you find anything you think has been working particularly well in community groups. I'm going to put out another call on the Deborah Collective and say, like, all right, what's been working really well in your community groups, and Monday, Tuesday of next week fill out this checklist format for year one, but I'm, like, at the edge of what my mind can do for the week.
A
So I'll let you all go with 35 extra minutes, because I will not be productive on this call, but find me on GitHub, find me on the OSSF Slack, and help me with some of these resources. If, if they're, like, if they seem, if it's the first thing you find on the Google search or DuckDuckGo, that's fine. I just need to know that you're finding resources that I'm finding, or something else, as long as I know that I haven't missed anything. I think the answer is there's almost nothing valuable out there, and so we start from scratch a bit.
A
So everything, thank you so much for joining in on the call, and good, wait, is it good morning for you, or is it good afternoon still?
A
Well, thanks for joining in. I know this was, like, we knew no one was going to be on this call with the Tahoe trip, but join us on the Slack. Let's get this done async, and just a reminder to everyone on the call, like, December 1st this gets submitted, so see Rob's panicking, as he should, and I gotta get this section done. This section's on me, I know that, so, but throw me any resources you got and we'll be good to go.
B
A
We need to know what the platform looks like, and incentives and rewards, really, if I can just get best practices that are out there beyond what I know about, if there's anything flashy that I don't know about, I'd love to know now, because we have to wrap that around the object that we're producing for people to go get training around, and so far we don't have a single platform that's excited about partnering with us, because we only have ideas. We don't have architecture.
A
We have architecture and implementation plan, which we should have shortly. Partnerships are going to engage more fully. It is possible, and this is why we have to keep this a little bit fluid, it is possible, although this is corporation driven, not open source driven for sure, it's possible that these corporations are still going to want to have certifications that are valid only for their technical stacks, right?
A
That's why they put out this open source training, but we just have to make clear to them that if they provide a content or verification, it's open source and it's global, and that's the end of the story. Otherwise we can't use it. So it makes it pretty simple. All right. Well, thank you for letting me ramble for a half hour and stress myself out a little bit about what I have to get done, but it ain't getting done today.
A
It's getting done on Monday, so thank y'all so much, but check out the GitHub and check out on Monday around, like, morning time your time or early afternoon your time. If you come back to stream one, I'm gonna have a review, some issues that I've opened, get that discussion going, because there's only three or four points we have to clarify before I have to submit for year one.
A
So, but no one is on the call. Well, most of the people are on the call that are useful, and thank you for that. But some of the people that are on this call, who would have empathetical opinions to me, are not present. So I want to make sure that they have a voice, but for now, happy Friday. I will be in touch on Monday.