►
From YouTube: ROS 2 Security Working Group (2020-11-10)
Description
Meeting notes: https://wiki.ros.org/ROS2/WorkingGroups/Security
A
Should
be
being
recorded
now
so
the
agenda
I'll
supposed
to
link
to
that
again,
just
so
that
everybody
has
it.
I
added
a
few
things
to
the
agenda.
Yeah
feel
free
to
just
shout
out.
If
there's
something
else,
you
want
to
talk
about.
There's
one
bug
report
that
was
filed
against
destroys2.
A
I
don't
know
if
everybody
saw
that
I
think
mikael
was
working,
that
one
miguel.
Are
you
good?
Do
you
have
what
you
need,
or
do
you
need
anything
else
from
the
group.
B
No,
it's
good.
It's
it's
fixed,
just
waiting
for
release
on
their
side.
A
Okay,
all
right
thanks
so
much
for
handling
that
so
the
next
thing
I
just
wanted
to
cover.
Briefly,
if
you
recall
this
summer,
we
had
talked
about
the
vault
remediation
procedure
and
we've
gone
through
a
a
document,
a
google
doc
and
made
some
comments
on
it
and
reviewed
it,
and
that
sat
for
a
while.
I
actually
had
the
opportunity
to
work
through
a
vole.
This
is,
it
was
actually
in
raw's
one,
but
it
was
a
cve.
A
It
was
a
integer
overflow
issue
in
raw's
com
and
raw's
one
and
I
figured
it'd,
be
a
good
opportunity
to
try
out
the
procedure
and
everything
seemed
to
work.
Fine,
not
a
lot
of
urgency,
as
you
can
imagine,
but
it
just
you
know,
given
the
way
the
community
works,
it
was
real
easy
to
kind
of
work
through.
So
I
took
all
that
fed
that
back
into
the
document
that
we
would
work
with
and
then
posted
a
pull
request
up
to
the
community
page.
A
So
if
you
have
a
few
minutes,
if
you
can
take
a
look
at
that
pull
request
and
add
any
comments
on
it,
and
my
thinking
was
that
we
would
end
up
just
leaving
it
on
the
community
page
and
link
to
it
or
the
community's
github
site
link
to
it
as
we
need
to.
I
don't
think
it
needs
to
be
much
more
public
than
that
right
now,
but
again,
that's
primarily
as
a
tool
for
the
folks
that
are
on
the
security
distribution
list
for
how
to
how
to
handle
their
reports
when
they
come
in.
A
All
right
I'll
take
that
as
no
and
move
on
and
again
yeah.
If
you
get
a
chance
to
review
that
it'd
be
great
to
see
if
you
any
feedback
you
have
so.
The
next
thing
that
I
had
added
to
the
agenda
was
the
ongoing
discussion
about
how
to
configure
bras
without
a
file
system.
In
particular,
you
know
from
from
our
standpoint
it
was
the
security
bits,
as
we
were
talking
about
it
last
time
around.
A
A
A
I
think
people
are
open
to
it,
but
I
don't
see
anybody
actually
wanting
to
push
it
forward.
So
I'm
looking
for
you
to
say
where,
where
you
want
to
go
from
here,
do
you
want
me
to
set
up
a
meeting
with
the
folks
we've
gathered,
which
would
probably
mostly
just
be
the
security
working
group?
A
No,
so
I've
reached
out
to
them
in
their
was
it
they
have
a
slack
channel.
I
got
one
person
that
was
interested
from
ipresima,
but
I
haven't
followed
up
with
that.
I
was
looking
for
trolling
for
some
more
folks
to
get
interested
and
posted
out
the
discourse
who.
B
D
So
sorry,
yeah
yeah,
I
think
I
think
francisca
the
one
who
is
who
is.
D
With
all
these
issues,
I
mean
for
what
I
know,
because
I
I
was,
I
was
talking
with
them
after
our
last
meeting
and
for
what
they
told
me.
They
are
indeed
interested
in
collaboration
or
in
at
least
in
having
some
some
medium
in
order
to
exchange
some
impressions
about
about
the
issue
and
on
helping
us
figure
out
what
are
the
possibilities,
so
I
don't
know
if
you
said
are
looking
for
anyone
else
who
may
be
interested
or
not,
but
if
there
is,
if
no
one
else
seems
to
be
really.
D
A
And
the
the
post
was
actually
the
micro
raws,
so
the
raw's
embedded
working
group
just
points
everything
to
the
to
the
micro
raw
slack
channel.
So
that's
where
I
kind
of
called
out
for
folks
so
I'll
go
ahead
and
just
follow
up
on
this
course
and
just
call
for
dates.
If
that
works
with
everybody
and
try
to
coordinate
something.
A
B
I
think,
if
that,
when
that
meeting
is,
is
set,
it
would
be
good
to
also
like
update
the
discourse
thread.
It's
it's
still
a
pretty
niche
issue
because,
like
basically,
the
original
report
was
also
from
the
micro
rust
folks,
and
so
so
I
think,
like
the
two
main
parties
involved
in
this
would
be
the
security
working
open,
the
embedded
one,
but
if
we
actually
make
a
meeting
would
be
good
to
like
give
it
more
visibility
and
discourse.
B
A
All
right
so
I'll
do
that
I'll
schedule
that
out
and
then,
if
you
see
it,
show
up
on
discourse,
if
you
can,
you
know
do
anything
to
promote
it.
That'd
be
great
I'll
schedule
that,
probably
for
about
two
weeks
out
or
so
to
just
to
make
sure
in
case
yeah,
so
we've
got
time
coordinated.
A
E
E
But
we
know
that-
and
you
know
that's
a
necessary
workaround
to
you-
know,
get
launch
secure
up
and
running.
C
Are
there
any
active
links
to
that
like
agenda?
It
just
doesn't
have
link
anything.
B
I
guess
what
topic
that's
not
in
there,
and
I
don't
know
if
it
was
discussed
last
meeting
because
I
missed
it-
was
about
the
permissions
file
and
the
size
of
the
permissions
file.
I
remember,
like
kyle
mentioned,
that
he
would
like
take
an
action
item
and
like
and
pratify
or
uglify.
I
don't
know
what
would
be
the
right
word
with
the
xml
files
and
the
sine
xml
files.
I
haven't
seen
any
issue
on
extras
2,
for
that.
A
So
it
was
not
discussed
unless
I
missed
it,
as
I
was
paying
attention
at
our
last
meeting.
I
didn't
know
that
kyle
has
done
any
work
on
it
and
he's
been
kind
of
busy
just
keeping
keeping
up
after
joe
left.
So
I
can
follow
up
with
him
about
that.
Anybody
else
have
any
other
thoughts
about.
A
You
know:
compressing
the
not
compressing
but
amplifying
the
permissions
files
and
whatnot.
C
I
I
just
scream
inside
I
wish
we
didn't
have
to
do
it.
B
No-
and
so
I
I
considered
like
I
mean
I,
especially
if
katie's
busy,
we
don't
necessarily
like-
have
to
get
him
involved
like
in
a
sense
that,
like
it
seems
like
a
very
simple
thing
to
do,
I
guess
the
only
question
that
would
be
like
around
that
is
like.
Do
we
actually
compress
every
s
like
compress
amplify
every
s9
sign
file,
or
do
we
want
to
have
this
like,
especially
for
permissions
file?
B
Basically,
do
we
want
to
have
specific
logic
in
the
code
to
apply
this
or
we
can
do
it
in
a
generic
way,
because
we
have
basically
one
code
pass
for
all
xml
files
that
get
signed,
they're
generated.
C
With
with.
D
C
But
actually
it
might
be
easier
to
do
in
python,
but
yeah
it's.
It's
certainly
can
be
kept
to
the
left
very
last
stages
and
then
optional
by
the
user.
I.
B
I
would
do
on
by
default,
but
apply
it
only
to
the
signed
files
and
not
the
xml
files,
and
I
would
assume
that
if
users
want
to
check
what's
in
their
keystore
or
whatever,
they
would
just
look
at
the
xml
files,
because
it's
just
like
you
would
have
like,
I
don't
know-
color
like
syntax,
highlighting
and
whatever,
which
you
wouldn't
have
on
the
p7s
file.
B
B
B
A
Okay,
so
I
got
that
I
got
you
down
as
the
as
an
action
item
there
to
open
the
issue.
Did
I
get
that.
A
Okay,
all
right
thanks
does
anybody.
C
B
A
couple
of
things
I
haven't
tried
recently,
but
that
I
would
be
pretty
interested
in,
is
getting
estrus
2,
2
and
like
getting
the
quality
level
stuff
going
and
another
thing
that,
like
kyle,
has
been
working
on
a
bit
back
was
to
like
stabilize
a
bit
the
api
to
like
basically
actually
follow
sender
with
a
major
version
for
for
extras
2,
because
that's
also
like
related
to
what
the
quality
levels
require
and
so
basically
decide
what
api
you
want
to
expose
in
galactic
and
and
kind
of.
C
So
the
our
current
consumer
republic,
api
is
most
likely
going
to
be
or
the
soonest
one
is
the
launch
stuff.
B
Yeah,
actually
it's
a
non-steph,
maybe
that's
another
action.
I
like
another
discussion
item
but
like
the
changes
are
unnecessary
for
that
have
been
merged
and
released
in
rowing,
so
they
will
make
it
into
galactic,
even
if
we
do
nothing,
but
it's
still
like
we're
at
0.10
right
now,.
C
B
I
think
it
was
rcl
and
I
mean
both
but
like
one
being
like
an
implication
for
the
other.
I
think
also
python
stack
didn't
get
like
much
love
in
general,
but
also
the
quality
level
stuff.
And-
and
so
I
don't
know
if
that
moved
recently,
because
I
didn't-
I
didn't
look
more
closely,
but
I
think
one
like
in
general,
we
have
like
few
users
and
most
of
our
users
are
getting
confused
because
we
have
little
documentations
and
not
that
many
tutorials.
B
So,
regardless
of
what
like
quality
level,
we
could
claim
at
the
end
of
the
day.
It
would
be
good
if
we,
if
we
could
like
make
progress
in
the
overall
area
of
like
documenting
our
code
and
and
like
all
these
parts
of
the
quality
levels
that
were
very
low
on.
C
I
think
presently
we
showcase
the
entire
cli
surface.
Is
there
something
specific
users
are
looking
for.
B
No,
I
think
it's
more
like,
like
in
general,
when
people
want
to
say:
okay,
let's
go
like
closer
to
see
how
it
works
and,
like
our
code,
doesn't
have
comments
in
it
like
our
features
are
not
very
well
documented.
We
we
have
like
a
simple
tutorial
that
kind
of
like
covers
here
most
of
the
cli.
I
don't
think
it
covers,
like
basically
runtime
introspection
of
a
system
that
gives
you
the
list
of
topics
or
anything,
and
I
think
it's
mostly
on
purpose
is
because
we're
not
very
satisfied
with
it.
B
B
It's
more
about
like
the
the
code.
The
code
itself
like
there
are
a
lot
of
things
that,
like
we
said,
we
would
do
and
then
like
didn't
have
time
to
do.
We
wanted
to
like
modernize
a
bit
the
code
like
properly
use
typing
my
pi
everywhere
using
pass
leave
everywhere
and
right
now,
we've
been
doing
small
incremental
changes,
which
is
like
progress,
but
we
didn't
make
like
as
much
progress
as
we
hoped
to
do
for
foxy
and
I
think
expected
to
do
by
galactic.
A
Can
you
think
of
any
way
that
we
can
just
build
that
punch
list?
It
sounds
like
you're
thinking
like
a
number
of
small
things,
as
opposed
to
you
know
one
or
two
large
things.
B
Yeah,
so
for
the
quality
level
itself,
there
is
an
issue
that
I
put
together
in
before
foxy
that
was
listed
listing
basically
what
we
were
complying
with
and
what
we
were.
Not.
I
just
drop
it
in
the
chat
right
here.
B
B
I
think
we
can
do
better,
not
only
for
like
that
specific
quality
level
claiming
thing,
but
just
in
general
it
would
be
good
and
then
I
think
we
could
collect
issues
for
smaller
things
like
yeah,
improving
like
giving
types
in
function,
signatures
or
migrating
to
password,
or
things
like
that.
We
could
collect
like
small
issues.
For
that,
I
don't
think
we
have
them
like.
We
have
some
for
this.
C
So
some
of
this
documentation
is
not
just
a
user
facing
tutorials.
It's
like
the
sphynx
docs
for
the
public
api.
B
B
The
the
missing,
like
the
the
main
part,
is
having
dog
blocks
for
all
our
functions,
explaining
what
they
do,
what
they
can
raise.
These
kind
of
things.
A
Would
it
be
worth
it
to
capture
that
as
part
of
the
notes
just
so
we
have
it
in
front
of
us
when
we,
you
know
when
we
meet
once
every
two
weeks
or
so?
A
B
I
think
I
think
having
them
as
like,
pending
pending
action
items
or
like
in
the
notes.
I
think
it's
a
it's
a
good
it's
a
good
way
because,
like
I
have
the
feeling
that
since
foxy,
everyone
involved
in
the
working
room
has
been
like
pretty
busy
and
so,
except
from
like
looking
at
the
agenda
and
attending
meetings.
We
have
like
fairly
little
time
to
to
work
on
things.
So
that's
a
good
way
to
keep
it
at
the
front
of
our
mind,
for
whenever
we
have
time.
A
Yeah.
Okay,
so
let
me
let
me
take
a
note,
then
I'll
I'll
take
the
stuff.
That's
in
the
quality
evaluations.
You
did
that
that
issue
and
I'll
roll
that
into
the
notes
with
the
action
items,
somehow
just
keep
it
in
front
of
us.
Every
time
we
meet
yeah
and
then
you
know,
when
we
have
a
few
minutes
extra,
we
could
talk.
Try
it.
You
know,
check
off
things
bit
by
bit.
So
are
there.
A
Yeah,
are
there
any
larger
things
I
know
last,
you
know
for
foxy,
there's
a
huge
re-engineering
for
the
enclave
issues.
There's
nothing
like
that
pending
for
g-turtle
right.
B
B
But
I'm
also
like
not
not
looking
at
the
signs
as
closely
as
before.
I
think,
like
the
only
couple
things
that
have
changed
is
like,
for
example,
I
merged
and
released
a
new
version
of
his
wrestler
enrolling
to
take
the
fact
that
the
parameter
event
topics
became
an
absolute
topic,
but
other
than
like
small
changes
like
that
in
like
common
interfaces,
I
I
didn't
see
anything
significant.
That
would
impact
the
security
side.
C
There
is
some
stuff,
like
maybe
like
we're
reaching
out
to
embedded
for
file
systemless
security
access.
One
thing
is,
we
may
wanna
cross
pollinate
a
little
bit
more
with
the
middleware
working
group
and
see
if
we
can
root
out
this
kind
of
paradigm
of
of
global
parameter
spaces
and
event,
topics
and
see
how
we
can
keep
the
computation
graph
still
a
little
bit
more
minimal.
C
B
Yeah,
I
guess
part
of
the
thing
is
that,
like
one
of
the,
like
part
of
the
reason
for
that
was
like
on
the
discord
thread
where
we
discussed
this?
Basically,
the
thing
we
were
complaining
about
were
qualified
as
bugs
that
should
be
fixed
in
roster.
B
But
I
don't
know
if
there
is
anyone
like
on
the
roster
core
side
of
things
working
to
address
those
we're
talking
about
like
service
clients
and
servers,
for
example,
as
well,
where,
like
nodes
need
like
parameters
like
access
to
every
parameter
service
in
both
direction,
and
things
like
that,
and
so
maybe
one
thing
we
could
do
is
try
to,
like.
B
C
C
So
maybe,
if
we
come
up
with
another
classic
robot
example
an
implementation
and
demonstrate
you
know
it's
it's
sort
of
impossible
to
isolate
these
two
subsystems
sufficiently.
Given
these
crosstalk
potential
and
requirements
inherent
of
the
current
setup
that
might
help
drive
home
the
what
needs
to
sort
of
be
solved
and
give
a
realistic
example
on
yeah.
If,
if
we
came
up
with
an
implementation,
it
would
solve
for
that.
B
Yeah
for
sure
I
loved
I
love
demonstrators
like
that's
just
the
best
way
to
like
and
dog
fooding
as
well,
and
just
to
see
like
how
our
own
system
works.
I
don't
know,
do
you
have
any
like
any?
I
know
you've
been
looking
at
ottawa
or
like
do
you
have
any
project
or
like
idea
of
demonstrators
that
we
could
do
in
simulation
that
could
allow
us
to
explore
all
these
aspects.
C
Yeah,
I've
been,
I
mean,
iterating
with
ottawa,
but
it's
their
whole
style.
Their
whole
stack
has
sort
of
been
in
flux
where
it's
sort
of
it's
sort
of
compatible
with
foxy
but
still
is
tied
to
dashing
and
the
lgb
simulator
is
changing
their
bridge
interfaces.
They
have
like
two
bridges,
one,
that's
shipped
by
lgb
and
one
that's
built
on
the
c-sharp
wrapper
of
art.
You
know
for
rcl
that
hasn't
been
open
source.
So
it's
it's
been
really
hard
to
get
the
entire
stack
running
for
like
say
their
demo.
B
Yeah,
that's
tricky,
I
don't
know
if
anyone
is
involved
with
other
working
groups
like
maybe,
if,
like
I
know
like
movie
two,
for
example,
I
had
been
trying
to
like
keep
up
with
recent
raster
releases.
Maybe
we
could
explore
a
manipulation
aspect,
something
that
has
like
navigation
and
manipulation
that
would
give
us
a
pretty
decent
sized
graph
to
explore.
C
Yeah
that
that
may
be
a
good
avenue,
they
have
a
certainly
a
complex
and
rich
enough
graph
and
it'd
still
be
sort
of
self-contained.
A
little
less
open
scope
is
autonomous,
driving,
but
more
well-defined.
Like
pick
and
place,
it
might
be
more
relatable
to
other
revises
that
commonly
use
ross
and
are
developers.
A
B
Yeah-
maybe
I
don't
know
if
it's
something
like
because
like
I
would,
I
would
love
to
work
on
this,
but
I
I
am
struggling
to
find
time
to
just
like
keep
up
with
maintenance.
B
But
is
it
something
that
like
as
as
a
working
group,
we
would
like
to
like
work
on
and
we
could
like
split
in
like
milestones
or
like
small
bits
and
pieces
here
and
there
to
have
maybe
a
demonstrator
like
not
for
roswell
this
year,
but
maybe
for
a
conference
or
for
an
online
workshop
or
something
like,
maybe
maybe
setting
a
goal
with
like
a
specific
place
to
demonstrate.
It
would
help
us
move
forward
on
that
front.
A
My
gut
feel
is
that
that
there's
a
good
chance
you'd
get
some
interest
out
of
the
movement
folks
and
the
reason
I
say
that
is
because
we've
seen
from
that
we've
seen
a
lot
of
interest
in
just
in
that
area
and
security
in
general.
I
think
I
think
they're
more
ready
for
it,
probably
than
the
auto
wear
is
so
so
I
wonder
if
that's
an
opportunity
for
a
collaboration
right,
that's
some
sort
of
joint
project.
Again,
I
think
they're
being
pushed
by
corporate
implementations
that
are
saying
hey.
We
want
to
see
security.
D
A
D
C
Move
it
is
that's
during
the
manipulation
working
group
is
that
correct
looks
like
the
next
one
is.
D
A
A
A
And
see
if
I
can
do
some
exploring
of
that.
So
if
we
do
the
idea
of
creating
a
demo,
a
use
case
somehow
related
to
move,
it
could
be
pretty
interesting.
So.
B
B
My
mic:
okay,
yeah
one
thing
that
just
popped
into
my
mind.
I
know
we
are
over
time,
so
I'll
be
very
short,
but
one
thing
I
explored
and
that
we
never
got
like
past.
The
prototype
stage
was
to
expose
the
ability
to
separately
like
sign
or
encrypt
different
topics
and
and
that's
something-
that's
currently
not
possible
in
stress
2
in
astros
2
right
now,
it's
just
like
encrypt
all
and
in
this
kind
of
application,
where
you
have
control
and
like
move
it
and
manipulators,
and
things
like
that.
B
A
Project,
that's
interesting,
cool
all
right,
so
I'm
going
to
try
and
capture
all
that
in
the
notes
and
then
I'll
push
that
out
to
you
and
as
michael
mentioned
we're
at
time.
So
I
guess
I'll
just
say:
hopefully
I'll
see
you
all
at
ross
world
on.
Was
it
thursday,
so
yeah.
Unless
anybody
else
does
anybody
else
have
anything
to
add
before
we
close.
C
There's
a
quick
comment
on
what
mako
said.
In
addition
to
extending
the
flexibility
of
sawing
in
the
crypt,
it
may
be
also
worth
exploring
different
setups
for
the
pki
or
the
the
certificate
authority,
so
that
we're
like
we
were
like
earlier.
C
We
had
this
idea
of
like
where
you
have
the
vendor
and
oem
key
material,
and
then
you
might
have
the
user,
and
then
you
might
have
some
overlap
in
the
graph
and
where
they
both
have
access
to,
but
you
can
still
separate
based
on
how
you're
muxing
your
certificate
authorities.
A
A
All
right
so
that'll
say
thanks
a
lot
for
joining
and
I'll
piss.
The
meeting
minutes
up
and
I'll
see
y'all
at
our
next
meeting
or
on
thursday.