From YouTube: ROS 2 Security Working Group (12 Jul 2022)
A
Okay, we're starting to record. Hi everyone, it's good to be here, to have you all at the security committee. So to get started, I just want to ask all of you to approve, agree to merge the last meeting minutes from June. They're already linked in the agenda and they've been pushed to GitHub.
A
Okay, sounds good. So with that, let me show you again the agenda link on the chat in case you don't have it at hand.
A
Basically, I proposed to discuss, to get back to discussing, the idea of collaborating on a paper on SROS 2 for the Journal of Open Source Software, which is something that we discussed back in April, I believe, in one of the meetings, and just throw it out there. I linked the requirements that they have for submissions.
D
D
So there's the paper that Victor, I, Gianluca and Mikael have submitted to IROS that was accepted. We just have a little bit of feedback, but there's just plenty of room for extensions. I think it honestly needs a bit more if we're gonna make a journal, so we'll have to put all our heads together to add more of a contribution to and act as a journal article in the paper does when there are submission on the.
D
They have some future work points that would be potentially worthwhile expanding, specifically like incorporating Canonical's work and the NoDL directly into the policy generation pipeline, or, I think, some of the more ephemeral bits, and I'm trying to tackle, like, if you really want to approach security from a more rigorous standpoint, addressing some of the ROS ecosystem's broader pitfalls or common design patterns that are sort of anti-patterns in security.
D
I'm particularly, like, transforms: if you have transforms, they have coming with the various sources levels of integrity or confidentiality, the alts or you just got submerged into one monolithic topic, and it'd be kind of hard to work with that if you had, like, some kind of security compliance restrictions you had to follow. But yeah, I think JOSS would be a great venue, particularly for our subject in, like, software engineering and open source.
A
Yeah, so looking at the approach that they take to accept papers was just, and really we seem to check all the boxes. With this, first, too, some of the authors have to be major contributors to the software you're presenting. They're usually very short papers.
A
I just shared a link to one about ros_control, and it really just presents the project, so it could be something similar. But it does seem like there has to be some connection to research, so something that can be easily applied in research efforts, which, I mean, there are many, many efforts from security for robotics in general. So that is something we can highlight, that SROS 2 can easily be used in a research setting.
A
D
I think JOSS would be good. Another one I've submitted to was RAS, the Robotic Automation Society journal, but I think that they prefer a little more, like, application based, so something less software and more something like a demo or an algorithm that you've applied.
D
So if we gathered maybe several use cases. So one thing is, in particular during ROSCon, we should try and reach out to see how much in the community have tried using SROS. Are they using Secure DDS of any applications? Are there any pitfalls? Sort of a survey. And if we get any industrial partners, that.
A
So yeah, basically two different directions we can take: just presenting the project like this, like the ros_control paper, will be very simple, just presentation of the software, versus, yeah, maybe including a demo, some code, to offer an example, promote research, etc.
A
But I guess I was thinking of this as a project that we could start working on immediately, yeah, before the word.
D
Yeah, if you want to start immediately, the survey route always takes a little bit longer. You know, you're reaching out to people, contacting, waiting to get feedback, whereas if you're writing about what you have, that's like, you can start immediately.
A
Okay, anyone else's feedback on, I mean, I haven't been reading papers in a long time now, so I'm not that experienced in choosing, I guess, a journal at the moment.
D
Yeah, I'd be, well, Roger, Adam, do you guys also have any experience in writing academic submissions or technical conferences?
B
Yeah, I will say I have not. I don't have a huge amount of experience there. I have contributed to some papers in the past and, I mean, honestly, I would be happy to try to help out over here. Despite having hung around here, I still feel like I don't have quite the innate domain knowledge that I would like to have, but if there's a way that I can contribute and help move it forward, I'd be happy to do so.
E
Yeah, I said, I don't really have that kind of experience. I'm here kind of from the DDS Security perspective, since I'm on that revision task force with Object Management Group, so wanting to see how the DDS Security specifications are used and what's working, what's not working.
B
B
It's government related, so I'm not sure how easy or difficult it would be to take direct contributions out of that, but there might at least be some feedback or things that would be interesting and potentially useful that I could go solicit, if we can, you know, focus that.
D
E
Yeah, I work for a company called Object Computing, and so we're the maintainers behind OpenDDS, open source DDS implementation, which includes DDS Security, and we're a member organization of the Object.
E
D
Has there been, it's been a while since I checked the RMW client layers, has there been an RMW implementation yet for OpenDDS?
E
There's some work in progress on it, but I don't think anything that anyone is using. I'd be happy to help revive efforts there.
D
I'm just like, you know, one thing we've always wrestled with, especially with Mikael, is getting the devil in the details with the specific format of the security credentials and enabling such features through the RMW layer. And then you try and test it, like: well, it works between vendor A and vendor A, and you try on vendor B and vendor B, and then vendor A and vendor B work, and then vendor B and vendor A doesn't work.
E
Right, so another hat that I wear is I'm involved in the OMG's DDS Foundation. So we're interested in getting those kinds of experiences of what's happening out in the world with the DDS implementations and helping out where we can.
D
I know there's a GitHub repo somewhere, maybe it's under the Object Management Group, but it's a collection of all the talker listener demos or whatever, but with all the various vendors. So it has like the mid files that you can make the demo application for every vendor, and then using the security credentials and kind of double check on whether, there's sort of a unit test with all the vendors, either intercompatible, but it hasn't been updated.
D
Yeah, last I checked it was last year, that seemed kind of dormant. Is that, is that.
E
A link in the chat. I think that it's probably something, as I was saying, like, it's good to collect feedback on it. Like if you'd like to see something tested there that's not, you can certainly put a message in that. You know, I don't know if issues are enabled on that GitHub repository, but there.
E
It looks like they are. If not, you could always, you know, reach out by email too, and we can get things updated in there.
D
So sorry, that was a little aside. So do we want to have any action items for working towards journal submission? Like I said, I think JOSS is fine, though I'll have to look at the fine print of what you were looking at.
A
Well, I think action items just yet. Basically, just taking this back up and see if we'll be interested in doing this. I think Journal of Open Source Software is kind of a low-hanging fruit, in that it will be a presentation of a software project that's already been done. There's not much more work than that involved, I think, and it is good to promote, I think, yeah, SROS 2.
C
So the goal may be to make a point how it's sitting, SROS 2, at the moment, something like that. That's your idea, Francia?
C
To say, and you know, give a statement of the position where SROS 2 is at the moment, something like that, because I was just reviewing the paper you shared in the chat, and for the, what's called, the ros_control, they were just doing this kind of summary and presentation of the packages and the functionality. You want to do something similar to SROS 2, that's the goal.
A
C
I think that could be interesting also because we can find the gap, identify in which direction we should go. That was the original goal of the paper we submitted at IROS, and I would love to continue the discussion also at ROSCon with other guys, as Ruffin was suggesting. I think it could be an interesting thing to do and a good starting point for other revolutions that SROS 2 actually is in need of.
D
C
Out of the, I missed the point, I don't know.
D
I just looked at the example of paper, ros_control, and it's like: okay, yeah, that's much shorter than I was thinking. Our current paper is longer than, it's just a conference paper. So maybe, do they have different tracks of the journal, like, what, based on. Are you just making an entry in the journal for a particular project versus.
D
D
I guess I'll just have to read some of the various options that JOSS has for submission.
A
Yeah, basically, the research component is mentioned in the requirement, but I guess, as I said, I'm not too sure, but I think this is the kind of software that could easily be applied in research, in research for robotic security of robots in ROS.
A
D
A
D
If we just want to follow ros_control's example, then yeah, the bar is, it's much more moderate.
D
So yeah, I'd start with starting a repo on the community working group, getting the LaTeX template out, and we can just start smashing pull requests on adding particular content.
D
I think we can pull a lot of the citations we've already kind of focused on from our existing SROS paper and.
D
Is that something, yeah, you'd be able to do, to open up a repo? The start, the LaTeX taper.
D
A
Again, it's the first time I'm, I guess, collaborating on a paper and like, oh, no GitHub repo.
B
B
It was interesting noticing in there, one point, they also commented that it's okay to have the repo, when you submit it, be on a branch that never gets merged to master. So I mean, theoretically, you could even just put that in a branch on the existing repo rather than spinning a new one up.
B
D
I guess, if that's what they want, then we can follow that. Are these submissions lively? Do they evolve? Do they have sort of a life cycle? People like periodically update that, like if it was an archive draft, or is this like a one-time submission and then it's dated and then, I'm just curious.
A
So, basically, the submission form here doesn't say anything about life cycle, like specific submission dates.
D
Yeah, it's an open journal, so it doesn't have like a periodic review cycle. But I was wondering if the submissions are treated as live documents, but I'm guessing they're probably just archived, and if you want to make a new revision, you just make a new submission.
D
A
Okay, sounds good, and I like all the other ideas as well, of gathering feedback from anyone who's using SROS 2 or has tried to use it or will want to use it. That can fit any other ideas and other projects, I think.
D
Sounds good. Any other agenda items?
A
D
Just as a general note, me and Gianluca are looking into methodologies for information flow control. So, you know, in SROS right now, and with Secure DDS, we pretty much have a means of enforcing access control, but from a confidentiality and integrity standpoint, when you want to get a little more advanced and use the access control to preserve or isolate and segment subsystems in your larger application, that can get a little bit difficult to manually audit or track down the implicit flows of information that go across your computation graph.
D
So we've been looking into sort of formal methods for information flow control, and we'll report back if that bears any fruit, but we're about knee deep in lambda calculus and fighting our way out through the weeds. So that's just something, that personal report. If any other people have, you know, certain subject areas in ROS and security you guys are also looking in, feel free to do a report. That's something that the navigation group does, like towards the end of every meeting.
B
Nothing that I am well versed enough to speak up on. You know, I know that we've got, you know, guys who are working on figuring out how to improve security and, you know, apply some of the SROS stuff to some vehicle applications, but I'm just not deep enough in the weeds to actually be able to talk intelligently about it.
E
I guess in a way I spoke on it a little bit before, so maybe out of order of what you planned for the agenda, but yeah, that's what I'm interested in: the applications of DDS Security, both, you know, as a spec and as software.
D
Related to a previous discussion we've had with the working group is particularly with the size of the computation graphs that we're dealing with in ROS. I think, from a DDS perspective, it's sort of been seen as abnormal, like how large our pub sub networks are. Another thing is how ROS topics manifest to DDS topics, or, like, you know, an action maps to two services and two topics, and each service also maps to two DDS topics. So you can see the combinatorics kind of explode.
D
One thing we encountered last year with SROS was, if you try to even, like, do the minimal navigation demo, you end up where the XML payload exceeds the size of the UDP packet. The XML sign token will exceed the size of a UDP packet, and so you can't necessarily transmit it over during the initial handshake.
D
For the discovery protocol, and that was a bit of a larger limit that I think is more with respect to necessarily the DDS aspect than ROS, and we've had to try a couple workarounds, so either by stripping the white spaces from the tokens before we apply the signature or allowing more use of liberal wildcards in terms of permission.
D
So, rather than being the minimal spanning, we kind of just, we use the POSIX expressions for prefix matching of namespaces in ROS rather than exact topic names. Were you made aware of that prior? Or I can also reference you to, I think, some earlier discussions on GitHub.
E
Yeah, if you have a link to those, that would be good. I'm aware, in the more general sense, of the issue with the very large XML permissions, you know, becoming a problem, and that is definitely something that the Object Management Group is looking at for future specifications. So I don't know if there's anything, you know, concrete for it yet.
D
Yeah, I think I was talking with Gerardo from RTI, we kind of came, and eProsima. We came up with kind of two potential ways: we could either, again, strip the white spaces or use a compression algorithm. You know, it's just a long string, so there's plenty of repeats, so you could sign the compressed binary and then send that over the wire, though I think that was a bit of a workaround and.
D
And it's no longer as transparent. The last, the one I kind of recommend, is if there's some way we can rearrange the protocol where the permission tokens are exchanged after a secure channel is established, rather than broadcasting them in that.
D
From a confidentiality standpoint, the broadcasting of one's own permissions can itself leak what your capabilities are within the network. So we have an earlier paper that I can post again on using this exact traffic to analyze Secure DDS networks, for, if you're an attacker, you're trying to prioritize which elements on the network you want to attack, even if everything's encrypted, you can use the permission tokens that are transmitted in clear text to piece together.
D
D
I think it might have been in the invite for this meeting. Click on your calendar, yeah. It's like a little description, yeah.
D
A
We can keep talking on the Matrix chats. If you get to send your email addresses, I guess, to share the reaper with you, or I could just make it public and share it. It's a link on the chat, I guess.
E
D
Okay, yeah, I guess I have to update that. There's someone else on, I'm not on my same computer. Someone else want to share the exact room link? So previously I thought communities were gonna be longer lived, so I had made, thank you. So that's matrix.io, so matrix.io is sort of the chat back end, and then various people can provide front ends, like the front-end client. The biggest one used to be called Riot, riot.iiio, and then they recently renamed themselves. What was the renaming? Element? Yes, so they renamed themselves to Element, and sort of all the means of orchestrating multiple rooms kind of got deprecated from, I guess, communities to whatever new, and I have to update all those links. Okay, thank you for the reminder.
D
All right, great, so go ahead and introduce yourself on the Matrix room, so I know your ID, and I'll drop also the link to the DDS Security paper in the discussion on tokens.
A
Okay, so we're almost at the end of the time. Yeah, please join the Matrix chat, Adam, and like, there's, I guess, the space where we can continue any conversations. Like everybody watching the group at least sometimes is in the chat.
A
Okay, so that's it! I will see you all, actually, usually in August the meeting is cancelled because it's a summer break, or at least that's what I've heard from past years, because a lot of people are on vacation and it's, yeah. We might take the summer break next month from the meetings.
B
I will just make note that I think I probably tend to miss about half of the meetings that are at this time. It's interesting because I've got client meetings where, alternating weeks, it starts at either 11 o'clock local time or 12 o'clock local time, and on the ones where the alternating weeks line up with the first and third, or whatever it is we're doing with this, I end up having to do that one instead. So it's kind of an unfortunate interplay between, you know, every other week versus second and.
B
B
Okay, so yeah, if I miss this time slot periodically, that's what's going on.
A
But yeah, we can also communicate on the Matrix chats very easily, I mean, more dynamically.