From YouTube: ROS 2 Security Working Group (11 Jan 2022)
A
So, first of all, we have the minutes for the last meeting, the December meeting. That's, that are on GitHub, and the review would be much appreciated, and nothing comes up. This is going to be merged very quickly.
A
Right, next on the agenda, so more administrative tasks: we have a few membership requests, and that's great, because during the last meeting I did make a call for you guys to apply as a formal member of this working group, and fortunately none of you did apply for an approval position, and that's what I'm actually looking for, another approver.
A
So as per the current rule, only approvers can vote for new members and new projects for the working group. So what I'm gonna do: first of all, I'm gonna accept Michael Miguel, a request to downgrade his membership.
B
I was, I think I skimmed the governance and it's like: okay, it's a reviewer or nothing, but I forgot that there was an approver.
A
Yeah, if you could update your request, just to ask for approver and then.
A
You and me, and with this new approval board, we will be able to, want to, make decisions about the request.
A
Project under the working group umbrella, but before coming to that, there is also an open request for updating the template for proposing projects to the working group.
C
So one quick comment regarding the new instruction. So I did review Florencia's pull request. I'm fully okay with it. The requirements specified may make sense for, I guess, most of the projects, and those are already set and were set in the past. I'm just saying this so scotty in particular has no issues whatsoever with meeting these requirements, but in the future we may have like some contributions that may not actually fit right away with this one.
C
So do we have any mechanism to, in a way, bypass this if appropriate, or we will just do things based on a case basis? I'm asking this because in the past we raised some contributions that I think weren't even evaluated upon this requirement. So I'm just wondering how are we going to proceed with this. But anyhow, maybe let me take a step back on this and just, let's play by ear.
C
I guess, because, yeah, those were past requirements, now we have, or past attempts. Now we have new ones, so yeah, I'll update it. Nevertheless, I'll update it according to this and I'll ping the group back, okay.
A
All right, please do so. Just for a bit of context: the requirements we are talking are technical requirements, such as that the proposed project has linters enabled, that it does, it runs colcon test successfully, and that it has a test coverage greater than 50 percent.
D
The changes that we propose, that I propose, to the template only have to do with the extent of what the support of the security working work is expected, just to have more clarity upfront, and also the perfect state. The time that it is being proposed to the group, et cetera, just supposed to build on the description section, a little bit more detail.
C
It's totally okay, yeah, I mean, I think so. Jeremy just hit the point I was wondering, which is things like colcon test. colcon test is not something that's gonna work right away with skappy and skype extensions, because skype is an external project which is not ROS integrated, but it's a tool that's going to be helpful for assessing ROS 2 package security, so an overall computational graph security. So things like those, I guess, need to be discussed now on a case-by-case basis. As you said, yeah, that's.
B
I mean, if it's a native Python module, colcon should be able to pick up on whatever test scaffolding is available for that language.
A
All right, next and last administrative topic: to explicit the rules for downgrading a member. So I did not put that in text, but I did put some thoughts in it. I've also been looking for common.
A
In open source projects, and I couldn't really find one. It seems to be, again, a case-by-case basis. What I would propose, and I will open a request so that we can all discuss it again.
A
I would simply propose that we look at formally downgrading approvers, because that's the really blocking membership position. So any approval that does not show any activity for three months will be notified formally on GitHub, through an issue, that is facing a downgrading, and if there is no answer by one more month, then it will be, that person will be automatically downgraded to the lowest membership. Member.
A
To literally erase someone from the membership, but maybe there is a case for it, although again, remember, it's the lowest level and that does not imply any voting weight. As for the new memberships and whatnot, and of course, another mechanism would be just as Mikhail did.
B
Straight ways: I've started, yeah, the, well. We already have the Navigation2 sort of demo for the security working group that I linked to earlier. I started before holiday break on a replication for MoveIt tutorials.
B
It's like you could do the MoveIt tutorials, enabling security, that I had a lot of nuances and top, like the graph interface is a lot more messy or non-explicit and for MoveIt than it is for the navigation stack. So even I wasn't able to get it completely working using a minimal access control policy.
B
Of course you can disable access control and just use, you know, over-the-wire encryption, but I was trying to go the full gamut, and I don't think our tooling is there yet, specifically like the discovery, like it can't, it's not picking up on actions or some parameter topics, so definitely a barrier there.
A
Right, if, before entering the technical details, I'd like to have a more general discussion about what are our objectives with this project and what the implementation could look like. And let me just throw a couple ideas in the air.
A
This will be very compelling because we can showcase the security features both in simulation and on an actual platform. The platform is, well, it's not cheap, but it's fairly inexpensive.
A
So what can we expect in locking down this platform? First, to lock down a lot of the roscore command nodes?
A
One last thing to add, and then I'll give you the floor. There is ROSCon at the end of the year. It would be super cool if we set this as our deadline for this project. Not only could we showcase the TurtleBot 4 with security enabled, but we could even imagine organizing, if we have time, organizing a small hackathon, capture-the-flag-like event during ROSCon, so basically plug your TurtleBot 4 to the wider internet and ask for people to try and hack it or whatnot.
C
I mean, I think it's a good idea overall, like the plan is interesting, marketing-wise. However, I think the feasibility of going for such a new platform is, I think, risky. Like in the past, we worked in past workshops, we gave in past ROSCons about security around the TurtleBot
C
3, which is kind of like rock solid in terms of both simulation and hardware, and I think, like, most of the people or groups have a TurtleBot 3 around, and if not, I'm sure everyone can help just sending one. But I'm just afraid that, when is the hardware supposed to arrive to people, Jeremy, is it in May or like summer? And there's still uncertainty because of the silicon issues. That's right! So I'm a bit. That's my only concern, but I think it's nice.
C
On the other hand, as far as I know, I think that the deal is that our robot is shipping it with an area for either using a Raspberry Pi or different SBCs, single board computers. So maybe we could work on top of something else and then hook it if hardware arrives.
A
Now, that's right, that's a very legit concern. We could always fall back to the TurtleBot 3 because, as you mentioned, it is already fairly spread around the world.
C
I mean, the core, the core ROS 2 packages for the robot itself should be significantly different, right, because one is for the drivers that correspond with the boards from ROBOTIS, the Korean company behind the TurtleBot 3, whereas the new rust drivers would need to be produced by iRobot, I guess, or maybe embed as part of the hardware.
C
I don't really know. I mean, I think as part of the marketing they did, they said that it was going to publish ROS 2 topics directly, so maybe even the drivers aren't like open source. I don't know, I haven't looked at it, but I'm guessing that the core drivers will differ, but you're right about the fact that navigation is navigation and that should remain as is.
C
But I guess if we were to make like a CTF, the attack vectors should consider, like, the whole spectrum, including, of course, the drivers of the robot.
B
I'm thinking for the, yeah. If we cut, we should play around with considering what kind of a capture flag scenarios we could play with. One is, I'm thinking, like, you have the classic robot running ROS or clear text, but behind some kind of NAT, and so then you kind of get people used to the idea of like, well, if you're able to punch a hole through the NAT to like some other embedded device.
B
That's a relay for you to affect the computation graph. Another one I was thinking is kind of a little more playful, in that we kind of ratchet the difficulty, where the goal is like to disable the robot via some of the clear text topics in ROS, and then as they show, they demonstrate that, hey, we've disabled with this topic, and then we then introduce SROS and secure that particular topic. And then it goes the next bed up.
A
Well, put on a halt because of the pandemic. Of course, what we had envisioned was that you would have a private network on which the robot is connected, it is fully secured with SROS 2, and basically, you have x amount of time to try and hack it.
A
The robot would perform a repetitive task and your goal is to stop that. That's, or stop the robot in any way possibly, and as time passes, you would somewhat decrease the difficulty so that it's still in your.
C
That's pretty awesome, that's super! So if you guys can share that so that we can have a look, that would be cool. I mean, what one like on cts. I also did like past work. Like a few years ago, we launched this robotics CTF, RCTF. Again, I can try and find it. It's disclosed in elias's GitHub repo, here's the link, and there is, if you search around in the repositories, you'll find like different scenarios.
C
So we didn't really like broke our minds. What we did is essentially something based on Docker. So each scenario or its stage is a Docker container, and the way to solve it is essentially to crack it. It's robotic-centric, and it also allows you to like run it either in the cloud, and we had like some infrastructure to deploy different containers, or you can run it locally, just with your usual tools. This is something that worked in the past.
C
We didn't maintain it farther because of the resources it took and because there wasn't really so many people like willing to hack robots in the past. Maybe things change right now, but the odds are that, like really, we need to do lots of work to raise awareness, I think, still.
C
But if you guys have something around these lines, we can give it a try and maybe grouply try to disseminate it. But yeah, just sharing my past experience was that contributions were very limited, not because fantastic, don't really like robots. They do, just because, I guess, unfamiliarity with ROS and yeah.
B
Yeah, I think that sounds pretty fun, and the one bit is, after doing the security workshop at ROSCon, I would ask if there was other venues that we'd also mind. Like there's a very small subset of ROS users at ROSCon, even though, like, sraz is all about ROS. There's not so many security mindset people attending ROSCon. I mean, there's a lot of industrial engineers and maybe some academics. You know, they're doing stuff about.
B
I think that's good for the educational. If we want to have that, either the hackathon or like a capture the flag event, that might be a good.
B
We might want to go to like a pure security conference instead.
A
But all right, see you later ignore. So, yes, the definition again, we need to set this up and showcasing it. That was gone first or worse. Word we'll see how everything goes. Well, it makes sense because that's ROS, right, but then, yeah, nothing prevents us from widening the audience.
D
So we should think about like the profile of ROS developers attending a conference, and then are they going to stop to care about some security stuff? Maybe another option is to, I don't know how a capture the flag for robotics would look like, but some of them, I know they're just online. So maybe another option is to keep it online for a few weeks, months before ROSCon, and then have everyone participating and then show the results on ROSCon itself, or even have it also available at ROSCon.
A
Absolutely, and that's what I was mentioning earlier. If we can have it in simulation as well, with, you know, simple Docker images to ship, then we can ship it publicly ahead of time and have people train on this simulation, on those images, and then the actual competition would be held during ROSCon. And, of course, the profile of the typical ROSCon attendee is not pen testing or security experts. So this competition, I believe, should be somehow posted on internet.
A
So, yes, the competition should be hosted online as well, but those are technical details, if I may say so, and I do have a couple ideas of how to do that. But I don't want to say anything yet because I need to discuss with these people first and see if we can get some partners and sponsors on board, but yeah.
D
So I think, just to throw an idea out there: from Open Robotics, we're working on this multi-platform framework called RMF, and we're very interested in security. So maybe this is an opportunity to have. I think it would be very interesting if you can have a look. Let me find, just for the guys who haven't seen it.
D
We have a bunch of scenarios already with a bunch of robots, so I think it's very interesting. If we could do the, and maybe we can even have some resources from the Open Robotics site, so we have scenarios with like different, like hotels full of robots and airports and whatnot.
D
So I think that would be sort of fun if you could play around with those scenarios and have people like hack the robots in an airport, or you can have different levels, like the airport, or you can have another level that is the hospital or whatever, yeah. I think, just as an option.
B
How far are they, at least with the simulation assets? There's one thing that kind of took a long time for TurtleBot 3 to kind of get released, as the Gazebo plug-ins, and then a lot of the times they're fairly slow and releasing into the next distribution.
B
So having at least rolling binaries would help simplify a lot of stuff.
A
All right, then, what I'm gonna do with that, I'm gonna they prove the ideas into a Google document. I'm gonna share it with the working group and we can continue the discussion offline on this document, and I do hope that you're gonna help in shaping this document and shaping this idea so that I can start knocking on those as soon as possible and that we can actually start working on implementing this reference robot as well.
A
All right, then, let's call it, let's call it the meeting.