From YouTube: ROS 2 Security Working Group (11 Apr 2023)
C: Sorry about that. So, welcome all to the April meeting. It's good to have you all here. Let me share the agenda in the chat, so we all have it.
C: This is the regular link where we plan our meetings, for all of you who are new to the group today. It's always the same link, but that is where you come and see what we're going to discuss that day, for the next meeting, and you can propose any topics you like: anything that you've been working on, any sort of topic that is relevant to the group that you'd like to bring up.

C: Next time. So if everybody is okay with it, if there is no specific opposition, then we consider them approved.
B: A very quick update on that subject, because at the last working group, which I was not here for, apparently the advice for us was to open up a REP, an enhancement proposal. So we did that. Unfortunately, no one from OSRF or OSRC has reviewed it. So I don't know if it's going to... The freeze was yesterday, so I actually don't know if it's going to make it to Iron or not. I asked the guys at Intrinsic whether they will consider it, but they're not responding to my message.

B: So, but there's really no update from our side other than we opened the REP, as requested.

B: I'm gonna... I think I referenced them as well, the developers, and they just didn't answer my message.
D: I'll just reread the REP and I can give my approval, but I don't have merge privileges.
B: Bigger company, just being instead.
D: I see, I see, yeah, just a minute, assistant.

D: Was this announced also in the ROS Discourse web forum? Usually a lot of REPs are announced there to get attention. I know Tully is kind of the same with making sure that was like those from.
B: I just realized I was not on the March security working group meeting, and I'm realizing that in February we had opened up a fix for the chain of trust vulnerability. If you remember, it's just saying that it's already...
D: Is anyone familiar with the security ramifications of using dev containers, or maybe just Docker in general? I'm trying to get back into... setup, and I'd like to see how feasible rootless containers are for... I think there's some fairly heavy-handed permissions or resource requirements that would be needed for optimal, like, ROS use cases like shared memory access or inter-process communications.
B: Yes, all that works. Docker containers, intra-process, will always work for the shared memory mechanisms there. There are some caveats.

B: First of all, you need to run the Docker containers with the host IPC mode or the shared IPC mode, so that they share the memory-mapped files, and then there is one caveat. That is, if you run all your containers with root permissions, the files that they will create will be owned by the root user and group. And then, if you go in your host and launch a subscriber, you will not be able to receive data, because you will not have permission. It will...

B: You know, decide that it needs to communicate through shared memory, because, you know, it can access the shared memory, but then it will not have access, and that's something that we plan on fixing: you know, try to see if we have the correct permissions to open the file, and else, you know, fall back to UDP.
D: And that's general? If I was using multiple DDS participants on a single host across different Unix users...
B: Exactly, yes. It's something that we plan on fixing at some point between here and June, I guess, because it's really a matter of, you know, trying to access the file and then, if we don't have the right permission, instead of using shared memory, then fall back to UDP if possible.
D: Another issue I remember is, like, if you're trying to be conservative in your network access, like let's say you want to use a software-defined network to isolate all the containers.

D: It defaults to the bridge or something, yeah, and then what it's going to do is all the containers might spawn... I forget the exact setup, but there's an issue based on how the GUID is generated, yeah, that.
B: No, but it's actually the same thing, right, because it will try to access the shared memory file. It's not there. Then it will fall back to UDP, so it's actually the same fix, but the problem is that if you do, yeah, the host is identified by the hash on the interfaces. Oh, okay, that's why.

B: When you share, you know, the network of the host with all the containers, and all of them being there on the same device, then you need to do the IPC shared or host between them for communication to work right now, yeah, yeah. Other than that, everything works out, and with security as well. I mean, the guys, they are deploying with security, with SROS and containers everywhere.
E: Yeah, I know some people prefer it, because it doesn't need the daemon; it's not rootless, or it does not require root. So we're doing a little bit of work trying to work with people here doing deployments and working with containers, and I know a few people have mentioned the preference, in part because they don't feel comfortable running a daemon. Just curious to see if anyone else had used it.
D: I haven't used Podman, but there's also, I think, aside from Podman and Docker, there's another alternative that I think one of the most active ROS users in the community kind of favors. Forget what it's called, with Skype C or something.

D: But it's another rootless alternative and it's interchangeable, in that you can, like, I guess like Podman, you can use Docker images, but then the runtime is, like, managed by their own.

D: So it's, I think, what a lot of people are just going to go into the flow, but yeah. It's kind of annoying that, you know, Docker rootless isn't quite as simple, or it's not default, and there's a lot of, like, legacy images and stuff like that that kind of assume root.

D: The ROS images right now are kind of like, they don't change the user or anything, and if we did that, it would probably break a lot of things. If you're using kind of like official library images in Podman, do you have to add more layers in the directive to kind of downgrade the user, or does Podman kind of seamlessly use the root account in the container that's not really root outside the runtime?
E: Yeah, to be honest, I haven't dived deeply into it, and I'm not building a robotics application. I just, from initial conversations with people, they had mentioned the possibility of using it rather than going with Docker. So I don't have experience personally with deploying, like everyone else, an application with it or running it with Podman, but I do, like, anecdotally, I've heard of people using it.
D: Yeah, the dev container stuff is mainly just for development. I have yet to catch up on the Kubernetes activity. On the ROS Discourse, it seems like there's an active sub-community that is interested in orchestrating ROS-based applications using Kubernetes. Yeah, pretty tricky, because, isn't it... doesn't, like, the default Kubernetes network driver not support UDP multicasting? Is that like a barrier for discovery?
B: Yep, that's actually part of the reason why we have the DDS Router. It's exactly for that, well, it started for the cloud use case of DDS. I'm not the expert here in that, but that's what we are using on the Kubernetes deployments.

B: It works with ROS too, as well. We have some clients using it with ROS 2, all right, yeah, but basically, anyway, once you enable ROS 2 security, it's in that point-to-point communication anyway.
D: The DDS standard does support multicast with security, and that, like, it keeps multiple cache keys.
B: Difficult to configure, yeah, right, yeah, I understand that part, yeah. Yeah, it's kind of difficult to configure that, so the DDS Router does not support security, actually. Then, when you use security, what we would recommend is probably the TCP transport as well. Yes, and then it becomes, you know, some configuration nightmare on the Fast DDS side. That's actually one of the things that we are exploring right now.

B: You know, what are the possibilities to go with end-to-end encryption on the way to the cloud in an easy manner, so to say, because the problem is that you cannot put a relay, like the router, in the middle with security enabled, because actually in the DDS Security standard the discovery is completely encrypted. Also, the RTPS header is also encrypted, so you cannot route it, right.
D: In addition to the read and write permission, there's also a relay permission in the DDS Security spec, specifically being able to read the data but not modify it.
B: The problem is, for the difficult man algorithm, the packets there on the specification... it's specific. You know, it explicitly says that the complete RTPS datagram is encrypted, so you cannot see the RTPS header, and thus the router cannot route it to wherever it needs to go, right. You need to know where it goes when you send it, so it's meant so that part of the security handshake you need to do peer-to-peer directly. You cannot have anyone in...
D: How about if the customer or the user, if the use case was lax enough, could they get away with changing the governance configuration to have the discovery traffic unencrypted, but still have the... no.
B: No, everything except for that. That's the thing that the spec is very specific about. You know, we could have some extension to disable that encryption, right, on the PF changes there, but then, you know, kind of a security vulnerability. That's why it's the other way it could be done. We just don't have it from the specification; it just didn't consider it.

B: And then the only thing you can do right now with Fast DDS is set initial peers, right, that there is, we say them, TCP transport, because we support the service name indication annotations on the TCP transport. So then, what you can do is, on the cloud, you can deploy a server or service entry point, you know, that has many different services behind, and then you communicate.

B: You only need to know about the entry point, and then you specify to which server you want to communicate, which service you want to communicate with, by the name, right, instead of, you know, needing to know where every node on the cloud is. You know where the entry point to the cloud is, and then from there, with the service name.
D: Is the router fairly dynamic? Because, like, this is something you could do for multi-robot systems, where... because it seems like ROS has always had, like, sort of difficulty in coordinating or formulating multi-robot systems.
B: The thing is, for that you would need one DDS participant to communicate externally and one DDS participant for the internal topics, right, and that translates into different contexts. So, principally, it could be done. You could have a context that you use, you know, and then the entities in that context you use to communicate with the outside, or also with the outside, and then you could have a context which is only for the local area network communications.
D: Yeah, and then they could be put across different domains. I recall something that might have been in the works of the OMG group, was like domain names or domain tags.
B: Okay, domain tags, yeah, it's on the RTPS specification, but it's not in the other, the DDS spec, or something about that. If I'm not mistaken, I think there is nothing about the domain tags on the DDS specification. It's only on the... The RTPS specification already supports, certainly, the domain tag, but it's not clear how DDS should use that.
D: Maybe we can adjourn, but maybe we'll just remember, if you guys want to review and approve the REP 2015, and maybe they'll get the others.