From YouTube: Securing Software Repositories (July 13, 2022)

C: It's funny, Trishank, you talk about it being APAC-friendly. I would say it's more PAC-friendly than A-friendly.

C: So far I see more faces than names in the docs. Whoops, that's not what I wanted to do. Sorry, folks can check their name into the notes, so we know it's here if we need to ask them questions later. It's very helpful.

C: Yeah, there's some overlap there with the rather more cryptic one that I had, "heart for PyPI". Yours is probably better for future readers.

C: All right, let's kick it off! Dustin is out this week, so I'm filling in to chair. The first thing we'd like to do in these meetings is to welcome new faces. So if there's anybody who's new, or who's been here before but hasn't had a chance to introduce themselves, please raise your hand and introduce yourself.

A: I'll introduce myself. You know, Hall, I work for Lockheed Martin, and there's a little DevSecOps organization, and we're doing a lot of work with secure supply chain management and doing a lot of work with CycloneDX right now, and I figured we should be a little more involved here. So just listening in for the first time.

E: I'll reintroduce myself really quickly, because I don't think I've been active since one of the earlier first organization calls, but Tim, over with the Drupal Association and generally connected to sort of the PHP ecosystem in the area, and back to sort of listen in some more and maybe share a little bit about what we're working towards for our TUF implementation, which I'll probably just throw over in the chat as well.

D: Sure, why not, since this is my first APAC-friendly session. I am Trishank, I'm a staff security engineer here at Datadog, and I work on TUF and in-toto, SLSA, Sigstore, so nice to work with everyone else here.

C: All right, I should probably share my screen so you folks can see the notes as I move around them. So that's our welcomes. Thank you, everybody, for introducing yourselves, and hopefully I haven't missed anybody. I've got the first item I wanted to.

C: I don't know if you want to technically call this bragging, but I wanted to draw people's attention to something I failed to link to, which is the Ruby Shield announcement from Ruby Central, which is an organization that supports the development of Ruby and most particularly supports the RubyGems, Bundler and rubygems.org efforts. Ruby Shield is an announcement that Shopify will enter a partnership to provide engineering support, but also (and this is sort of like the fancy headline) a million dollars over four years in support as well, to help the organization to be able to plan reliably over a longer time frame.

C: Speaking for myself, I'm hopeful that this will start something of a wave for other ecosystems as well. You know, we all sort of struggle with having bandwidth to work on the many, many, many things that need to be done. So this was our photo, Shopify, and I'm hoping that other folks will step up in other communities as well to match that kind of a commitment.

C: Okay, all right, let's move on to a less cheerful topic. I don't know if anybody here today is a PyPI contributor; I'm having trouble seeing faces because of the way that screen share works on a tiny laptop screen. But of course, as many of us saw, there was some, I don't know, controversy about the announcement that PyPI made that they are introducing a policy of required MFA for anyone who is the, I think the term is maintainer in PyPI, of a package in the one percent of most downloaded packages. This is comparable to policies that are being rolled out by npm, where it's the top 500 packages, and RubyGems, where it's the top 100 packages that are being required. PyPI went with a percentage-based approach, which is interesting.

C: There were some folks who didn't like that, and it got a little heated in places. I think the point that David has added to the agenda is something I wanted to point out, which is that the OpenSSF Technical Advisory Council, committee, it changes depending on who you ask, has, you know, noticed this and is preparing sort of like a statement of support, basically saying we think that the MFA rollout is great.

E: Just as a clarifying question, I don't want to necessarily rehash the whole conversation on the comments of Y Combinator or anything like that, but it sounds like one of the objections is sort of some form of a slippery slope argument about increasing requirements. Is any of it just related to access to MFA devices, right? Is it the kind of thing where organizations like YubiKey or similar could be engaged with to be like, hey?

C: It's interesting you should say that. So I'm just going to steal David's thunder. I reckon there's two things here: one is PyPI did supply vouchers for MFA keys supplied by Google, the Titan keys, so they've got a few thousand of those available. In fact, they supply two keys at a time to ensure you have a backup key, which is very sensible.

C: We also, within the OpenSSF, had the Great MFA Distribution, where Google and GitHub respectively provided vouchers for a couple, I think it's a couple of thousand keys. Is that right, David?

B: Wait, well, for the Great MFA Distribution project, I think we had a thousand. We didn't distribute all of them, because not all projects wanted, or, you know, some projects don't have that many maintainers, but we did distribute a large number. A large number of keys.

C: Yeah, yeah, so I think, to your point, the... I'm sorry, time zones are fun. I think it's a great idea and I think we should encourage more of those distributions, especially amongst other ecosystems, to ensure that folks have that. So at the moment I can speak for RubyGems. We don't have WebAuthn support; it's something that we're working on.

C: So it's still TOTP, application-on-the-phone based, but for PyPI they already had WebAuthn support. So a lot of sense to have it powered by tokens. The next person on my list is Trishank.

D: Hi, thanks, yeah. This controversy is maybe surprising in some aspects. No, but at the risk of politicizing it a little bit, I feel it's a little bit like, kind of like vaccines. People don't like to be told what to do. Maybe this is a little bit like that. I don't want to speak for people who have objections to this requirement. Generally, I'm in favor of MFA. Personally, I don't think it's difficult to use.

D: I have one key for work, one key for my personal use, but I feel people feel like they're being told what to do, especially when they're volunteers. What they see, what they perceive (I'm guessing here, it's pure speculation on my part) is: they are doing this in their own personal time and they, I guess, don't appreciate, you know, being told, "oh hey, you're suddenly a critical open source project, we need you to do this, this and this." So I can see both sides. Sorry, go ahead.

C: I'm sorry, I was... the cat came in like ever reading.

D: Okay, so yeah, I can see both sides of the argument. Generally, I think I'm in favor of this, and, you know, we even wrote a paper that I think I mentioned before investigating the impact of policies like this, but one comment I want to make here, well, two actually. One is that, you know, if we have things like canary rollouts even for our software, maybe we should have canary rollouts for things as big and impactful as MFA.

D: Even if it's a few hundred people, I don't think we should underestimate the impact of, you know, turning it on at once, and I don't think that was the plan here. I don't think so, but, you know, maybe better communications there. Perhaps the other thing is, this is a bit of a crazy idea, but I've been thinking about this recently over the weekend.

D: Maybe at some point, and I think, yeah, just maybe a thing for the OpenSSF, is that it might be at some point worth thinking about adopting some of these critical but small and underfunded open source projects if the requirements become too much. For example. Again, that's a crazy, wild, left-field thought out there, but something I just wanted to mention anyway. Go ahead.

C: I think the Software Conservancy can do something like that, an adoption process, and David, I see you've got your hand up.

B: Yeah, my brain can only handle so many comments at one time, but let me, I'll quickly comment on the last. The underfunded projects, I mean absolutely, that's, I mean, Alpha-Omega in particular is specifically focused on these, that sort of thing, and other things and other folks are too. I think you're actually right. I mean, the original poster actually said that, you know, the one who got all this going, you know, actually said that, hey, 2FA is actually a perfectly reasonable requirement there.

B: That person's worry was very much the "hey, what else are you going to make me do," not the 2FA itself, and I will note I put in this list because I think a lot of these things are being seen in isolation. Well, PyPI, they really are trying to start small, because their goal is to do this across all of PyPI. The one percent means they're skipping the 99 they intend to get to.

B: If you look at the notes I included here, I think most folks are not aware. They only see one ecosystem. I mean this is, I think, there's a problem, the problem of the highly split up nature of most open source software communities. You know, the PyPI folks probably never hear about RubyGems, and in many ways vice versa, and so I think a lot of folks aren't aware that PyPI is doing something like this, RubyGems, npm.

C: So it's interesting. If I sort of follow those comments, I can't reject the argument that it's an imposition on maintainers out of hand, in the sense that it's like some sort of categorical or epistemically incorrect argument. If I'm fancy, the way I've been looking at this is as a utilitarian calculus.

C: So if you take a very unromantic utilitarian calculus view of the ethics of the situation, then unfortunately we have to, on the balance of rights and interests, I think I come down on the side of the users, which means enforcing MFA. There's also a related argument, which I think is technically separate, which is what obligations do maintainers have. Often missing from that conversation is also, like, what obligations do the repositories have and what is the contractual agreement between them? You know, from the maintainer's view it's like:

C: I gave a license which said I give you no guarantees or promises beyond that; you can use the software if you want. But the point is that, like, the repository arguably doesn't owe you anything either. It's still a volunteer service. It still has its own rights and ability to set terms of service.

B: I was going to try to respond. Remember my brain is limited, so I can't remember all the comments backwards, but I do think actually the, you know, "people don't want to be told what to do," I think, is absolutely at least... it's hard to summarize, you know, a massive discussion, because different people have different motivations, but I think that is at least one of the issues, and so I, and Jack, I agree with you.

B: There's trades, and different people with different situations that make this discussion more complex. That's it.

A: So I admittedly have missed a lot of this discussion, but reading Armin's post that was linked, his point isn't that MFA is a problem, in fact, and I wonder if he would have been less upset if we had made it clear we're starting with the one percent, but we will eventually be requiring this for everyone. Breaking up, Jacob, sorry. I wish I could do anything about that. Yeah, and the other thought is his objection.

A: Is your argument that there are more customers, there are more users than there are maintainers, and the consequences to users are much higher, also applies to SLAs and required maintenance, and globally burning out our maintainers is the correct thing to do for world health, but it's not a good policy for us to be pushing. And so, when you say you're so important that you no longer decide how you participate, that is a, if that is a problematic line according to Armin's logic.

A: I don't know how clear the original post was, but Armin is responding to the fact that he was declared a critical dependency. Yeah, he's pretty clear in his post that he's not responding to MFA as a particular demand. He agrees with that. He's responding to being declared critical and therefore having different rules.

G: Sorry, I was under the impression that the post, and it's interesting that we all actually picked up on different parts of the post, right, and I sort of almost read that post as sort of trying to talk about actually the fact that consumers of open source have sort of been ignoring the problem of vetting and reviewing dependencies, right, and sort of, instead of sort of blindly bumping versions up and just accepting whatever is in upstream.

G: There is no process or tooling to sort of actually do it intentionally and review, with how practical that is, et cetera, et cetera. We can sort of argue about that, but there's sort of an interesting argument of sort of shared load in this specific case, where whether the burden of that is disrepaired by the developers, as opposed to being shared by also consumers, right, and.

C: That would be the reference to cargo vet. I believe we actually, interestingly, the last session we had a presentation on coco, for folks who were unable to attend, it's worth... I believe we... recording up, worth tracking. Now, it's very interesting. I don't see them like... I think a lot of difficulties in discussions about security countermeasures or risk countermeasures tend to come down to people thinking that you can only have one. Like, it feels as though people feel that there's a limited number that, you know, you can use. I don't agree. I think cargo vet is a great idea. I'm looking forward to seeing how it goes in the Cargo ecosystem and, like, what dynamics arise and what works well and what doesn't, because off the top of my head it looks great, and I want to, you know,

C: a form that's somewhat compatible, so it's easy to do cross-ecosystem comparisons. I had a second point which has now escaped me. I'm sure it was great, but yeah. I think it's an interesting place. I guess what I was hoping to do today, except for myself with my original cryptic comment of, you know, "love for PyPI maintainers," was just to sort of say, like:

C: We're with you. Like, we think you're on the right track. There's reasons to discuss it and there are fair debates to be had, but, generally speaking, we're with you. Certainly those of us who are in RubyGems land obviously agree, and I know that folks in npm obviously agree, because we're all rolling out those similar policies.

C: I was surprised at first that PyPI seemed to cop so much when everyone else has sort of been allowed to slip past without too much controversy. Then I crunched the numbers and I realized it's an orders of magnitude thing. Like, for Ruby, it's about 100 dependencies, for npm it's 500, and for PyPI they're talking about 4,000 people. So it's a different order of magnitude.

C: Yeah, so it just shook out that way, and I think we'll face similar discussions. As we roll things out, we had someone in RubyGems who did show up to give feedback which was not in favor, I'll put it that way.

C: So I'm cognizant that we have other items on the agenda. Is there anything else we'd like to do with this? I don't think that we got to a sort of a consensus that we want to do anything like a statement or anything like that. I would propose that we be prepared to piggyback on the TAC statement.

B: What I hear is what I suggested, said: if you are interested in particular, you have some points you'd like to make, why don't you email Joshua Lock? I think that's who it is, right, Lock, directly if you need. I'll be happy to share offline the email if you don't already have that, and I'll just go that way, because then we don't have to try to do the back and forth stuff, because I think there's a goal of getting that something out sooner.

C: Yeah, I would like us to get that out sooner. Mostly, it would just be nice if we also said, you know, Technical Advisory Council and Securing Software Repos Working Group. Okay, so I'll... basically, I think once we have a draft we'll send it to the mailing list and if there's no particularly strong objection, we can add a name to that.

B: Okay, if you're gonna do that, Jack, I suggest you email monsieur losses of that. Yes, so that he's aware of that.

C: Can you send me that email then? I will indeed, yes. Sweet, okay, so the next on the agenda: Zach, on behalf of Sterling Green, talking about the glossary work that's been sort of in the works.

F: I have to unmute. Yeah, yeah, okay, cool, so yeah, so Sterling started this document a month or two ago.

F: Basically, with the goal of saying: we come to these meetings and then someone says repository and someone else says registry and someone says package and someone says artifact, and they all kind of mean similar things, but often not quite the same thing, and these are often quite different across ecosystems. And I think, if I can pick on Java for a moment, Sterling's particularly sensitive to it, because the Java ecosystem has a lot of terminology that's pretty unique to it and not shared with a lot of everyone else, whereas everyone else (and this is maybe better, maybe worse) uses the same words to mean very slightly different things.

F: But this is something I think that is worth addressing if we're gonna have productive conversations in this group, especially productive technical conversations in this group, and I think a good first step at this, as proposed by Sterling, is to basically, yeah, that is to basically allow people to comment from various repositories, send information to Sterling on, basically, what do we call these things in your ecosystem, and then hopefully we can at least have a table for translation, if not agree on some ecosystem-neutral terminology.

F: I see a comment in the doc about the sharing settings. I don't believe that I have access to expand those, but I will email Sterling and see if he can update the link sharing settings.

G: I think the only comment there would be that SLSA is sort of actually going through the same thing, also trying to figure out the correct terminology to use for the artifacts and other things, so it'd be sort of interesting if there is a bit of alignment there between the two, and reuse, to make sure that, so, 'cause that's also sort of an interesting part of all of that, right, and I'll link here at least the current version of that.

C: That would reveal that, where we work in different groups rather than being a hive mind. Okay, next is Tim, wanted to talk about the TUF implementation that's being funded by the Drupal Association.

E: Yeah, so I know in general the kind of scope and purpose of this sort of working group is less about specific tools and more about kind of policies, procedures and sort of sharing common problems, but I did want to just pass along, as something that folks might want to investigate, a new implementation we've been funding for sort of the server side of our kind of TUF signing process in the Drupal ecosystem.

E: We sort of centrally manage the packaging of all of our repositories and things like that, and so we're integrating our sort of TUF signing process into our packaging pipeline system, and it's been made generically to hopefully be useful in other use cases, and just in the interest of sharing I wanted to pass it on. So there's some useful material in the documentation page that I linked there, and in particular there's also a section linked off that first page called "TUF for humans," which might be useful if you're having conversations about sort of what that system is and why it's important and why you're implementing it within your own ecosystem.

C: Very cool, I'm glad to see this happening. I think TUF is a fantastic design, and we struggled to decide which sort of angle we wanted to follow in the work we're doing on RubyGems, as to where to prioritize stuff in the menu of possibilities and potential options.

E: Yeah, for us within the Drupal ecosystem specifically, we decided that, well actually, before we had decided on TUF specifically, we decided that something like TUF was going to be a hard requirement in terms of supply chain security before we implement automated updates or in-application module installers and things like that, within the software ecosystem in general. And so from there we were like, okay, what sort of minimum level of security practices do we want in place before we allow those sorts of software installation interactions in our systems, and, you know, we settled on deciding, okay, we want a robust implementation of TUF. And yeah, Trishank and I worked together early on in this process when we were first figuring out what to do, so.

C: Yeah, I'm really pleased to see this. I'm looking forward to TUF sort of rolling across multiple ecosystems.

C: It can be managed on your behalf by the Sigstore group, which have a pretty, a reasonably well-oiled key rotation sort of process now.

E: Yeah, I think we read some initial information about that, but I haven't revisited that in a while, so I think I should take another look for sure. It's...

A: Yeah, I think there's some initial design documentation for that, but it hasn't actually been used in practice yet, so if you're interested in being a test case for that, definitely let me know and we can chat about that.

E: Okay, sounds good. I may reach out on Slack afterwards.

C: Yeah, absolutely, okay. Well, thank you for that update. That was good. That was a great topic. I don't see any more topics on the agenda at this point. We have sort of three options here. One is someone else has something that's, you know, burning a hole in their head and that they need to share urgently.

C: If you do, put your hand up and we can talk about that now. If you don't, the next option is that we return to another agenda item, although I think we recently talked about PyPI, which is the obvious contender, and the last one is that we get back 25 minutes of our time.

C: Yeah, cool, in that case, thank you, everybody, for a great meeting today. The action items I'm taking is that I need to talk to Joshua Lock and to share with the mailing list when we have a draft statement, and to see if there are any hard objections to putting a name into it as a group.

C: So probably the problem is already on you. Yeah, you got the hard one. Okay, folks, have a great day or great evening. We'll see you again soon.