A: So we don't really have any demos lined up for today. I contacted a few people and basically, yeah, there are just a couple of issues that I want to discuss and then go from there. And by the way, the Harbor team has been working on a book on Harbor. So we're working on the Chinese version first; it's with a publishing house that's very well respected in China and has a lot of reach in the open source community.

A: So the first one is, you know, we talked about this in the previous call. We want to enable a special class of robot accounts. We might call these service accounts or something else, that can be used by scanners like Aqua Security CSP. You know, there's a special class of scanners that can't leverage the current robot accounts.

A: So I just wanted to update everyone on the progress here. Basically, we had to work with Daniel Pacak from Aqua Security, and, you know, so we will create a solution around a special class of robot accounts with pull permissions, able to list the repositories, and scoped to the system level, so we have access to all the projects in Harbor. So this will be created possibly within the Interrogation Services or maybe under the system administration tab, only accessible to system admins.

A: So we had thought about possibly, you know, re-architecting the current robot accounts for this purpose, but it's a much larger body of work that we have to think about. So we're using JWTs as a token back end. We might look into something else that's more dynamic, so this is basically just a solution to hold us over until we can, you know, work on something that's more sustainable for the long term.

C: Yeah, I know we'll definitely be looking for some of your help as well here, Daniel, to help us kind of drive some of this, but I think that, you know, with a two, two and a half, two month release, like for development only, right, we'll have about two months. It should be doable. You know, Alex and you can work on which components you might be able to work on, and so, but I think it's doable. Like, I mean, it's a high priority item. It's important to you. It's important to us.

A: Okay, yeah, so we can chat offline. I'll draw up a simple PRD and go from there. So that's the first issue I want to talk about. The second one is, so you know, we came across this several times where, when we do an image scan, you get a severity of unknown, and right now these are being treated as the most critical vulnerabilities. So it's blocking pulls across the board, so whatever security, or whatever severity, you've configured in your deployment policy.

A: If there's any unknown, it's blocking the image pull completely, because it's treating it as critical or maybe even something higher than critical. And, you know, my first reaction was that it doesn't really make sense, or at least, if that's the behavior we want to go with, then we should change the word unknown to something else.

B: Yeah, I can comment on that because we discussed it with Stephen yesterday on Slack, and this is, I started thinking. Yes, I tend to agree that we should not block pulling images with the unknown severity, and this is not like, I would not consider this an anomaly of the scanner, you know, mapping the severity, the quantitative severity of a given vulnerability, but rather what typically happens is that the CVE identifier is reserved and then it gets updated.

B: So usually the high severity CVEs are getting updated very quickly, so it's very unlikely to get unknown severities, but there are cases where the scanner can detect it and it's not promptly updated, so we might end up with the unknown. So in a sense, you know, some companies might be really strict and say, all right, we don't allow unknown vulnerabilities, but some others simply say we don't care. So maybe we could also think about, like, a system level configuration which allows you to choose.

B: Do you want this unknown severity to block the pull or not? Because this would be, I would say, the most flexible approach. If not, I agree it should be treated as low severity. But the truth is, you don't really know; it can end up as high or low. Sometimes vendors do challenge the severity and say no, it should be higher, or it should be lower.

B: I hope it makes sense, but that's a very good point to discuss and think about how we should do that. In Trivy, for example, we couldn't decide, and that's why we let a user specify whether he wants to display unknown severities or only critical and high and medium, etc.

A: Got it, that makes sense. I guess, just speaking for Trivy alone, would it be fair to say that the most severe and most critical vulnerabilities are usually flagged down, and so the unknowns would more likely tend to be the less severe ones? Is that a generalization we're going to make here?

B: And as a workaround for those who use Harbor and Trivy now, there are environment variables which allow you to specify, like, a filter for which vulnerabilities you want the Trivy scanner to show. So if you change this, and by default we show all of that, like critical, high, medium, low and unknown. If you remove the unknown vulnerability from the list in your deployment, you won't be blocked simply by this case.

A: Yeah, I just think the word unknown is open to interpretation and sometimes, you know, I think it's incumbent on the scanner vendor to provide a better definition for it. So for me, as a user, if it's unknown, then I think it's sort of the failure of the scanner to properly identify the severity of the vulnerability, but, you know, I can also see the other argument that if something is unknown, then it's basically unsafe, right, from a security standpoint.

C: So the onus is on the folks that create the CVEs to basically say, hey, you know, use the proper scoring mechanism and score this. When the CVE is not scored, when the scanner cannot assess the score, in my mind, I don't consider that to be critical.

D: Misunderstanding the severity here, or no, it's used for our vulnerability check policy, as it says; no relation to the scanner anymore. I don't think you can set a different policy against the different scanners. This is the severity here we used to, you know, use in the interceptor of the vulnerability check. We interpret the unknown as the highest, not the scanners themselves.

C: Yeah, yeah, that's how we interpret the policy. That's what I meant, Stephen, that we could actually define how that policy is interpreted, and yeah, doing it per scanner doesn't make sense. You're right. This has to be on a global Harbor policy. Yeah, yeah, global.

E: But maybe, yeah, maybe that's part of the, you know, security policy per project level, right, when the project admin decides, I want to block all the critical, because different projects have different ideas regarding how they want to tighten the control or the level of security. So maybe, if we want anything to be configurable, in my opinion, we should put that at a project level.

D: But I want to mention, yeah, Daniel said, on Daniel Jiang's side, it's about, you know, there is an all-purpose proposal we are discussing. In that proposal, I think you can set your own severity policy, not just based on severity. You can focus on CVE or something else, but currently we only need to decide how we interpret the unknown, right? We do not need to support a self-defined policy, right?

E: It's not a self-defined policy, it's just adding more attributes to our existing policy, right? We have a policy that says to block severity at a certain level, and we just add another rule too.

D: Yeah, but first, for the other normal ones here we have the, you know, correct order of priority, right. I think only the uncertain ones, nobody knows how to integrate. You know, maybe we can add, you know, more configuration to let the user decide whether it's noise, or whether it can be ignored.

E: Yeah, that can be different per project, because we allow the admin to define it, right. Yeah, yeah, yeah, I think we already interpreted it; you can consider that, because it's unknown, and also to Harbor it is unknown. So I think if you want to make it more flexible to the user, let the user decide. That's where we should put this attribute in.

C: Yeah, if there's any telemetry on that, that'd be very good, because we can apply a similar policy here, right. So I know you let them decide, and that's what we could do here, but it'd be good to know, like, what do they usually decide? If 99% of them choose one thing, then maybe that's our cue for a sensible default. Yeah, by the way, do not violate Aqua's internal private data. Only answer if you can.

B: Yeah, and I will just share this privately with you, just as a hint for the design. I can definitely check, because indeed we don't have to reinvent the wheel here with the security practitioners that, you know, already, probably they dealt with unknown issues.

A: Okay, yep, so let's follow up here. The next one is, so sorry, Daniel, these are all security related, so I want to get these out of the way first. We found, I'm not sure if this is a bug or just a one-off, but there is unknown OS. I've come across these personally when I try to run Trivy on just some very standard Docker images that I pull from Docker Hub, so just running on my Mac.

B: On that, quickly, I'm like baking a PR for this; it was already opened a few minutes ago. Indeed, that was the issue in Trivy 0.6, so the version that we shipped with Harbor 2.0. Unfortunately, we had a bug for scratch images and slim images, basically all the images for which we cannot detect the underlying operating system or the package manager.

B: We were returning a non-zero exit code, right, instead of, like, displaying no vulnerabilities with some warning. It's fixed in Trivy 0.7, so I had to bump up the version of Trivy in the adapter in Harbor. So once we merge the PR, I'll link to this issue, hopefully in 2.0.1, there's gonna, well, not hopefully, it must go away, this error, because I know that scratch images are very popular and we also advise using as many minimal images as possible. So Trivy cannot fail here.

A: Got it, yeah. I think let's aim for that in 2.0.1, because, you know, a lot of people have downloaded 2.0 and we made Trivy the default scanner for Harbor. So I think people are going to use that scanning capability and are looking forward to it. So I think 2.0.1 is a good goal here.

A: Thank you. Next one, this came out of a complaint or a vulnerability that an open source user emailed about, which is, you know, there's a test button in a lot of places in Harbor, for example, when you're configuring a replication endpoint, when you're configuring a webhook. It might be something else that's escaping me right now, but essentially the test button is open to port scanning, so that's a security attack.

A: I'm not really sure of the extent of, you know, the damage they can do through port scanning, but, you know, we have consulted with internal security teams. We have interacted with the user and, you know, it feels like...

A: Technically, I guess the project shouldn't have the ability to do this, so I just want to see if anyone has any strong opinions on this, because, you know, internally we've pretty much come to the conclusion that at the very least we're gonna make it configurable, but most likely we'll just get rid of it, and then, if people feel very strongly about it where they want this feature, because I think there is utility in being able to hit the test button to see that your endpoint is being configured correctly.

B: That's interesting. I need to, like, think about it with, like, our security researchers team to see, because for me I somehow can feel what was the intention of someone who opened this or writes this issue, but on the other hand, I see, as you said, lots of benefits of, you know, we are integrating with registry endpoints, with scanner adapters.

E: Let me clarify, sorry, let me clarify. I think we should add more information in this issue, Alex. We are disabling testing, or you're saying we need to disable all test connections, but I believe the one that we received a complaint about is only webhook.

E: The reason is that the way webhook tests a connection is different from others. It's case by case, but the one for testing webhook can be leveraged as a port scanner, but for, like, replication, registry or scanner it is much, much lower risk, because it's essentially calling an HTTP API and waiting for a response, but for a webhook it just tries to establish a TCP connection.

A: Okay, the last one that I wanted to talk about is this tag retention. So basically, you know, the user...

A: It feels like he's a first-time user of the tag retention feature and he had configured some tag retention policies, and I guess the behavior was not what he expected, and so I double checked that, you know, there was not a bug. It's just, I can see his point that, you know, it's not very intuitive in terms of how the policies are being interpreted. So basically he had configured...

A: He had configured a policy to exclude a certain tag, so master, master with a wildcard, and because he had put this in the exclude, this was deleted, to his surprise, because he was interpreting the exclude as being, you know, these tags should be excluded from the tag retention policy altogether. So, you know, it took me a while to recall this, which speaks volumes about our design here. I think, basically, you exclude here...

A: So it's not excluded from tag retention execution; it's excluded from retention altogether, and so, you know, we had a little back and forth and he understands how it works, but he's not completely convinced that the language or the UI is, you know, the optimal design here. I think I agree with him.

A: I mean, only from tag retention. Is that there's no possibility that tag retention will be the image, right? So I don't know, I mean, I definitely see his confusion and I see his point, but, you know, while we were designing this feature, there had always been lots of discussions back and forth, and this was, at the time, it felt like the best way to do it.

A: Tag retention, so I don't know if Stephen or Daniel has any opinions, because I think we had lots of conversations on how we designed this.

F: Yeah, like maybe we can take a look offline on this issue. Yeah.

G: Yeah, so I'm going to give some update about the book that we're writing. We have been invited by a publisher in China to write a book on Harbor, because there's a huge demand in the community for a reference book, so some of our contributors and maintainers took up this task and started writing the content of the book.

G: So right now we are soliciting feedback from our users about Harbor and what they want to know, for example, maybe some unsaid secret or maybe some undocumented details.

G: So as long as the users are interested, then they can send us the feedback or emails about what they want to see in the book. Right now, so far, we have already got some feedback from the users about what they want to see, like the API and also, like, a few other things that I think are not only interesting to the authors that are writing the book, but also for our developers that can continue to improve or enhance the features of the project.

G: So it will be a reference book that hopefully will be helpful to the overall community, and I know that many users are highly anticipating this book. So if this goes properly, then we can translate it into English later. So that's the current status.

G: Yeah, I forgot to mention, it's based on 2.0. It will cover all the new features that we have, especially the most exciting, the OCI artifacts. So I think everybody will be interested in how we can make use of it. So that would be an interesting part of the book too, yeah.

C: Very nice, this is super exciting and obviously we can't wait to see it and possibly translate it into other languages as well. If you guys have the table of contents in English, we could definitely take a look at that and maybe suggest some of the additional areas that you might be able to cover, based on what you said earlier, Henry, but if it's in Chinese, obviously we can't comment on that.

C: All kidding aside, I have asked the school where my kids go, multiple years ago, like I think it was five years ago. I seriously asked them, Chinese should be an offered language here, you know, like the globalization of software. I wanted my kids to learn Chinese and they laughed at me, and I said, like, this is super important. Why should they learn Spanish?

A: Okay, so that's all I have for today. Does anyone have any questions, comments?

F: Sending all the messages, and so, yeah, people can join to do a vote for the graduation voting.

C: Can vote, so anybody that's using Harbor and has an opinion on Harbor's qualifications for graduation can vote now. We don't want to put any, like, you know, if someone thinks that Harbor should graduate in CNCF for whatever reason, because they like the functionality, because they're a user, because their organization uses it, because of any other reason, they can vote. It will be a non-binding vote, but it will be a show of support.

C: No, not the 15 people that are contributing to Harbor themselves, like, for example, you, Henry, me, Danielle, Daniel P, Daniel J, Stephen, like, we're not going to vote. It's okay, it's our project! So we're not.

C: Everybody, bye bye from me. Thank you, bye-bye.