From YouTube: ROS 2 Security Working Group (2021-02-09)
Description
Meeting minutes: https://github.com/ros-security/community/tree/master/meetings
A: And record it. So, first question: just like to get approval on the working group meeting minutes for our last meeting, which was the demo by Marco. Does anybody have any remaining comments or concerns about that?

A: All right, thank you. Next thing we had on the agenda: Ted was going to give us an update on the launch secure features. I know he's been doing some work on that. So it's all yours, yeah.

C: So, instead of adding the launch secure functionality directly into ros launch, they decided that, rather than introduce the dependency on NoDL and kind of, you know, clutch this whole new argument and SROS dependency and key generation code into the ros2 launch stack, they would create an extension system for ros2 launch where you could add arbitrary flags to it and with that inject code into the ros launch stack. I was expecting this to be a much longer term project, but Jeff Briggs banged it out, got it done, and currently has a pull request up for the extension system to launch_ros, which is the package that implements ros2 launch.

C: Along with that there is the separate package, ros2launch_security, that's the proof of concept. It's my original implementation of the secure flag as a standalone package that injects itself using their plug-in system.

C: And yeah, currently there's a pull request up on launch_ros for the extension system. We'd like to get that reviewed and merged in so that we can create this ros2 launch security package on our own. Do you have links, Ted? Yeah, let me gather them.

D: While he's doing that, Roger, I know that you've been working on some designs for ros2 launch itself. I don't know if this slots into anything you're wanting to do, but it really does open up a whole slate of new possibilities.

E: Yeah, I actually, I definitely want to take a look at this and see where that is. I actually think I'm getting fairly close. I'm getting the stuff I've done ready. I've gotten through the hairiest bits; I'm just trying to tie up some use cases and got a couple of little things to add.

C: Yeah, so the first one is this pull request from Jeff Briggs, and once again, if we could get some reviews on this going, that would be very appreciated.

C: And the implementation, we probably are going to look at re-implementing here, just cleaning up the repo, since this was a proof of concept Jeff banged out. But if you guys want to see the security extension.

C: That's it on the update to the launch_ros secure extension. I, I.

C: Sure, and yeah, that's it.

A: All right, so the other thing that I had on the agenda was just to follow up on the demos that we had the last two meetings. We went through MoveIt and then the Robotics Middleware Framework, and, you know, all that was just to look for a good use case or multiple use cases on implementing security on a real-world system.

A: Two reasons: one, just to get some good proof of concept, some demo that we could show folks how it's done; and another thing, if I understand it right, was for us to actually prove out and try out and experiment and do more work with the security options, get more granular with permissions and things like that. And then, for my part, as we were talking about both MoveIt and RMF, we hit opportunities,

A: I think, to explore some of the features that we really want to dig into a little bit more. So my curiosity is where, where do we go from here? And one of the options is to look into this a little bit more and, you know, pick some work to do with MoveIt or RMF. We could also look at just exploring some other frameworks.

A: You know, if there's something else that's come up since then. But with that, I'll throw it out to the group. What do you think? Where do you want to go from?

F: So on the RMF side, we do, we are going to need security, so we do have cycles to spare on this. So from our side, well, we will be spending time on having secure ROS running along with Adam.

A: Yeah, I get the feeling that the whole certificate chains and hierarchies also fits in with your concerns about hardware, you know, when introducing bogus hardware or some hardware goes missing, or you lose control of it. I understood that right?

F: Something that, so regarding third-party hardware, one of our concerns is if there's ways to somehow certify certain levels of security on third-party systems. Once you get into multiple robot systems, it becomes, and then we're also talking about, like, multiple vendors, so it becomes, I feel like it becomes very tricky.

A: So this is interesting. I'll throw the same question out to the group in a very different way here. It feels like the RMF use case has a lot to do with implementing a solid certificate hierarchy: so the idea of having a CA or multiple CAs, intermediate CAs that are trusted, trying to revoke them, the idea of maybe even, you know, ceding some of that to a vendor or middlewares, and so on.

A: So there's a lot to explore there. I'll contrast that a lot with what seems to be the issue with MoveIt, where they are looking to do a lot more of the granularity of allowing certain nodes to do certain things: have read-only, have permissions for debugging certain nodes without, you know, other. So it's a lot more in writing the actual policy files.

A: So I think, you know, just thinking this through, it seems like it makes sense to potentially work both use cases with just a different focus on two different areas that I think we want to spend more time on. So, any reaction to that?

A: So does anybody have any suggestions on that? You know, again going back to where we want to go from here. Do we need to table this until our next meeting? Do we, you know, have some cycles to spend on, you know, working on RMF or working on MoveIt?

A: So I know for myself, you know, I'm digging a bit into MoveIt. MoveIt's pretty easy; it ended up pretty easy to set up, so now I want to start digging into applying some of the security features there, and I actually do have potential meetings set up with Henning, probably later on next week. So.

F: I was thinking maybe I can try to come up with, like, a concrete list of issues, and then maybe we can discuss either in a separate meeting or maybe the next meeting. Yeah.

A: That, so, that actually, okay, thanks Kyle, that helps. So let's proceed this way then: Marco, if I can ask you to tease out some more of the use cases, and then we'll put that on the agenda for our next meeting to actually look at what things you need help with, any problems you've encountered, or where you want to go from there, and maybe we can prioritize there. Yeah, we'll be able to prioritize. I'm going to do the same with Henning, MoveIt, and see. He.

A: He actually, after our meeting, he reached out and said he had thought of some more specific things they wanted to do, so I'll reach back out to him and gather that and bring that to the next meeting as well.

A: All right, so moving on, the only other thing that I had on the agenda is, we did have our open quality issues. This is a discussion we've had towards the last half of last year. I did capture them in a kind of rough summary form in our meeting minutes and I'm just gonna leave them there, just to, you know, keep them in front of us. We wanted to keep them in front of us to see if we could continue making some progress.

A: I don't know, a lot of them were related to documentation, if you recall, so I don't know if anybody's had a chance to review them, or if you have any comments, or anything has changed since the last time we looked at them.

A: Yeah, we had an issue with, before we could declare a higher quality level, we needed our dependencies, which includes rclpy, which I think was high.

A: All right, so let's just keep that in mind. If you have an opportunity to work on that, that'd be great as well. And then we only had two action items that were still left on the list. One had to do with our test failures, and one of them was actually on, mine was to draft guidance for vendors on creating a vulnerability disclosure policy. Simply haven't worked on that because I haven't seen a lot of, I'll, have a need for it.

A: So it is, it's based on MITRE and related documents, but basically the original document was written so that the public, anyone pen testing against ROS or anything like that, would actually have a place where they could find a little bit of information about how to submit a vulnerability. So it's written for the non-ROS community, the external community, to just give guidance on how to report a vulnerability. Yeah, and Kyle linked to that, the REP, and that was, we had worked on that before you joined the group. I.

A: All right, so if nobody has anything else, then I'll go ahead and call it, and we will see you next time, and Marco and I will try to gather some more detailed requirements about MoveIt and RMF and go from there. If you have anything, of course, you know, always drop it in Matrix at any time.