►
From YouTube: ROS 2 Security Working Group (11 Apr 2023)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
C
C
A
B
A
very
quick
update
on
that
subject
because
on
the
last
working
group
that
I
was
not
here,
but
apparently
it
was
advice
for
us
to
open
up
a
request,
enhancement
proposal.
So
we
did
that.
Unfortunately,
no
one
from
osrf
or
osir
C
have
reviewed
it.
So
I,
don't
know
if
it's
going
to
freeze
was
yesterday,
so
I
actually
don't
know
if
it's
going
to
make
it
to
iron
or
not.
I
asked
the
guys
at
intrinsic
whether
they
will
consider
it
but
they're
not
responding
to
my
message.
D
B
D
B
A
B
B
D
A
B
C
A
C
D
B
B
B
First
of
all,
you
need
to
run
the
docker
containers
with
with
the
host
IPC
mode
or
the
shared
IPC
mode,
so
that
so
they
shared
a
memory
map
files,
and
then
there
is
one
caveat.
That
is,
if
you
run
all
your
containers
with
root
permissions,
the
files
that
they
will
create
will
have
a
root
broadcast
users
group.
And
then,
if
you
go
in
your
host
and
launch
a
subscriber,
you
will
not
be
able
to
receive
data,
because
you
will
not
have
permission
it
will
it
will.
B
You
know,
decide
that
it
needs
to
communicate
through
share
memory,
because
you
know
it
can
access
the
share
memory,
but
then
it
will.
It
will
not
have
access
and
that's
something
that
we
plan
on
fixing.
You
know
try
to
see
if
we
have
the
correct
permissions
to
open
the
file,
and
else
you
know
fall
back
to
the
UDP.
B
D
B
Exactly
yes,
you
can
it's
something
that
we
plan
on
fixing
at
some
at
some
point
between
here
and
June,
I!
Guess
because
it
it's
really
a
matter
of
you
know,
trying
to
access
the
file
and
then,
if
it
you
know,
doesn't
if
we
don't
have
the
right
permission.
So,
instead
of
you
know,
using
share
memory
then
fall
back
to
GDP
if
possible.
A
B
D
B
No,
but
it's
it's
actually
the
same
things
right,
because
it
will
try
to
access
to
the
share
memory
file.
It's
not
there.
Then
it
will
fall
back
to
share
members
into
the
unity,
so
it's
actually
the
same
fix,
but
the
problem
is
that
if
you,
if
you
do
yeah,
the
host
is
identified
by
the
the
hash
on
the
interfaces
on
the
on
the
interfaces.
Oh,
okay,
that's
why?
B
B
E
Yeah
I
know
some
people
prefer,
because
it
doesn't
need
to
the
demon,
is
not
rootless
or
is
it
does
not
require
root.
So
we're
doing
a
little
bit
of
work,
trying
to
work
with
people
here
doing
deployments
and
working
with
containers
and
I
know
a
few
people
have
mentioned
the
preference
trees
in
part
one
because
of
just
because
they
don't
feel
comfortable
running
a
demo
just
because
curious
to
see
if
anyone
else
had
used
it.
D
D
D
The
Ross
images
right
now
are
kind
of
like
they
don't
change
the
user
or
anything,
and
if
we
did
that,
probably
break
a
lot
of
things.
If
you're,
using
kind
of
like
official
Library
images
in
podman,
do
you
have
to
add
more
layers
in
the
directive
to
kind
of
downgrade
the
the
user
or
this
podman
kind
of
seamlessly
use
the
root
account
in
the
container?
That's
not
really
rude
outside
the
runtime.
E
Yeah,
to
be
honest,
I
haven't
dived
deeply
in
it
and
I'm
not
building
a
robotics
application,
I
just
from
initial
conversations
with
people
that
they
had
mentioned,
like
the
possibility
of
using
it
rather
than
than
that,
going
with
Docker.
So
I
don't
have
experience
a
person
if
deploying
like
everyone
else,
application
with
or
running
it
with
podman,
but
I
do
like
anecdotally,
I've
heard
people
using
it.
D
Yeah,
the
dev
container
stuff
is
mainly
just
for
development.
I
have
yet
to
catch
up
on
the
kubernet
activity.
On
the
the
Ross
discourse,
it
seems
like
there's
a
lot
of
there's
a
active
sub
community
that
are
interested
in
orchestrating
raw
space
applications
using
kubernetes
yeah,
pretty
pretty
tricky,
because
because
isn't
it
doesn't
like
the
default
kubernet
network
drivers
not
support
UDP
multicasting.
Is
that
like
a
barrier
for
discovery.
B
B
D
B
Difficult
to
configure
yeah
right,
yeah
I,
understand
that
part
yeah
yeah,
it's
kind
of
difficult
to
configure
that
so
the
DDS
router
does
not
super
security.
Actually,
then,
when
you
use
security,
then
what
we
would
recommend
is
probably
htcp
transport
as
well.
Yes,
and
then
it
becomes.
You
know
some
configuration
Nightmare
on
the
fastidious
side.
That's
actually
one
of
the
things
that
we
are
exploring
right
now.
B
You
know
what
what
are
the
possibilities
to
to
go
with
end-to-end
encryption
on
the
way
to
the
cloud
in
in
an
easy
manner,
so
to
say,
because
the
problem
is
that
you
cannot
put
a
relay
like
the
router
in
the
middle,
which
enables
security
because
actually
the
DDS
security
standard,
the
discovery
is
completely
encrypted.
Also
they
are
the
rtjs
feather
is
also
encrypted,
so
you
cannot
route
it
right.
B
The
problem
is
for
the
difficult
man
algorithm
the
packets
there
on
the
specification.
It's
a
specific.
You
know
it
explicitly
says
that
the
complete
rtps
datagram
is
encrypted,
so
you
cannot
see
the
RCBS
header
and
thus
the
router
cannot
route
it
to
wherever
it
needs
to
go
right.
You
need
to
know
where
it
goes.
When
you
send
it,
so
it's
meant
so
that
part
of
the
security
handshake
you
you
need
to
do
it
to
do
it
peer-to-peer
directly.
You
cannot
have
anyone
and.
A
B
No
everything,
except
for
that,
that's
the
thing
that
the
spec
is
very
specific
about
it.
You
know
if
we
we
could
have
some.
You
know
extension
to
disable
that
encryption
right
of
the
on
the
PF
changes
there,
but
then
you
know
kind
of
a
security
vulnerability.
That's
why
it's
the
other
way
it
could
be
done.
We
just
don't
have
it
from
the
specification,
it
just
didn't!
Consider
it.
B
A
B
And
then
the
only
thing
you
can
do
right
now
with
fastidious
is
set
initial
tips
right
that
there
is,
we
say
them,
TCP
transport,
because
we
support
the
service
name,
indication
annotations
on
on
the
TCP
transport.
So
then,
what
you
can
do
is
on
the
on
the
cloud
you
can
deploy
a
server
or
service
entry
point.
You
know
that
has
many
different
Services
behind
and
then
you
communicate.
B
You
only
need
to
know
about
the
entry
point
and
then
you
specify
to
which
server
you
want
to
communicate,
which
service
you
want
to
communicate
with
the
name
right
instead
of
you
know
needing
to
know
where
every
node
on
the
cloud
is.
You
know
where
the
entry
point
to
the
to
the
cloud
is
and
then
from
there
with
the
with
the
service
name.
D
B
The
thing
is
for
that.
You
would
need
one
DDS
participant
to
communicate
externally
and
one
DDS
participant
for
the
internal
topics
right
and
that
translate
into
different
contexts
so,
principally,
could
be
done.
You
could
have
a
context
that
you
use
you
know
and
then
the
entities
in
that
context
you
use
to
communicate
with
the
outside
or
also
with
the
outside,
and
then
you
could
have
a
context
which
is
only
for
the
local
area
network
communications.
D
B
Okay,
the
main
things
yeah
it's
on
the
r2b
as
a
specification,
but
it's
not
the
other
yes
inspect,
or
something
about
that.
Yes,
I'm,
not
mistaken,
so
I
think
there
is
nothing
about
the
main
tax
on
the
VBS
specification.
It's
only
on
their.
The
rtps
specification
already
supports,
certainly
not
over
intact,
but
it's
not
clear
how
DDS
should
use
that.