From YouTube: ROS 2 Security Working Group (2020-05-26)
Description
Meeting notes: https://wiki.ros.org/ROS2/WorkingGroups/Security
B: Yeah, I think so. It's a follow-on to the discussions we had on the REPs. As you see the BGP stern, REP 2006, and there's a link in the next to just the comments on that, as well as just reviewing some other past meeting minutes, and that kind of spawned a big discussion on a couple of things. One of the first ones is: what's the overall process once a report has been received? So the VDP is largely geared towards the outside world: finding something with ROS.
C: Well, the biggest challenge that I see is, you know, compared to the VIN to where we actually have the ability to change things, right. The biggest challenge that ROS has is that it's a large community where we don't actually have access to a large number of the projects that are actually included in what was our scope, REP 2005, yeah.
E: Yeah, so, but one thing that we can keep in mind is that, similarly to Debian, ROS has, like, most of the ROS repositories under Open Robotics control, so making a new release with a patch can always be done, even if it's not back-merged upstream and really displaces a maintainer upstream. Not that it should be the default case, but for, like, critical things that cannot move forwards.
F: Totally agree with Mikael: we can always do the release, but I will say first, so we sort of have a little bit of experience, not obviously exactly with security stuff, but in terms of doing, like, ROS 1 releases, where parts of the sort of core stack aren't directly in control of Open Robotics. So it generally works out well for contacting the maintainer and having them do something there. Of course, you know, it just turns into a game of, like, herding cats and contacting all these people on the internet, but it actually works surprisingly well.
F: I think the challenge here, the additional challenge here, is to do it in a non-public way. So I don't have any particular recommendations, but, like, exactly what Mikael said, you know, we can always get stuff out. I suspect that for most things that they should, you know, that maintainers will respond. I also put this comment in REP 2006: you know, if they don't respond in a reasonable amount of time, that sort of seems to me grounds to kick them out of REP 2005.
E: I mean, it could become a thing, like we could also put that as a requirement: if you claim very chilling or something, you'll have to have at least one maintainer, like, I don't know, your maintainer tag should be a safe email address to contact on, like maybe it could be a thing we associate with the security part of the...
G: Plus one for adding it into the XML. Hi everyone, by the way, sorry I came late. So one thing that Chris mentioned that caught my attention is he mentioned that if they don't respond to security reports, they might be removed from REP 2005, and that implicitly indicates kind of like connecting, in this case, quality and security, which is something that, from my experience so far, is very painful. So it would be great if this can get to somewhere.
G: So can you actually confirm, Chris, that from Open Robotics' perspective, you are willing to make a relationship between REP 2005 and REP 2006? Which I know there's already a relationship, a stronger one in terms of quality, which traditionally is related to safety; code-wise, it is now going to have also a relationship to security?
F: Yeah, exactly, that's sort of my thinking. You know, I added some language in REP 2005 to say that these packages point to... so, right, right. Essentially, the chain is: REP 2004 more or less defines what the quality levels are; REP 2005 lists the packages that accept this quality level; and for REP 2006, REP 2005 points to REP 2006, as this is what we're gonna do for the vulnerability disclosure. So that's the chain I think is currently in place, or will be in place once we merge REP 2006, right, but...
G: I mean, I'm not arguing with what Kyle said. However, in my opinion, there is a difference between accepting that they need to comply with the VDP and basically admitting that that's everything a secured package needs to do, which I think it's not. I mean, besides answering to vulnerability reports, there's good security practices that essentially code should follow.
E: So maybe the link later would be done by linking REP 2005 to words of Rosco like process, because Orosco packages processes, and it's not only you should have static analysis, like you should at least pass our static analyzers, and things like that, so there could be a way to link what is in REP 2005 and what is the rust to recommend instead of tools to use.
B: To keep us moving along, I'm gonna capture that under some of the extra guidance that we need to provide. I think we agreed that there's a number of different security things, aside from just, you know, responding to vulns, that we need to do. I think I just want to bring us back to the idea that we get a report in, you know, we get an email in, somebody says there's a vuln. We've got to find the maintainer, and we talked a bit about that.
B: Then I think the next thing we've got to do is we've got to gather information, maybe before or after we find the maintainer, but whoever's triaging, there are some ideas on what information we want to try and get the first time around. Is there anything else that you want to add about that? Imagine the first report comes in. We find a maintainer, we get some more clarifying information. Is there something else that we need to do before we hand it off to the maintainer?
G: Exactly what I was going to say, exactly the same. We're working very actively on these guys; it's a pain in the ass. It's really a big pain, so if we can somehow, and Chris, probably, is the right guy to advise what they use internally at Open Robotics. But, for example, we use Docker; if they can provide us that Docker container, whatever it is, doesn't need to be Docker, can be a snap as well, but whatever, so that it's fast to reproduce the flaw, that would significantly accelerate.
A: But it seems to me like it might be kind of heavy-handed for just showing either the two lines of something we need to run, or the script, or something. Just that it can't just say "this exists"; it's ok, well, show us how to reproduce it. That's kind of how we work with the booty, with all the reports we get.
A: Of course, yeah, all right, I would hope you do that. You know, I mean, we kind of have no adverse encodes. There's only so many supported releases of ROS at one time. Then we know what version should be on there, but asking for a version number is kind of par for the course with CVE reporting.
B: So that sounds great. I think, if everybody's in agreement, what I'm gonna do is just start taking this, again the downstream process of how we process an inbound report. I'm gonna sketch that up into a Google Doc and then share it with you for comment, so that we can add in, you know, any more thoughts on how to reach maintainers, any thoughts on stuff we want to ask the reporter for, you know, and then anything else that we haven't covered, but it gets important.
B: I think there needs to be some assessment in there, and it all depends on the receiving team. So right now there's an email distribution set up for the alias, for the security reporting alias, and that'll come in. So a few folks at orl come in to Joe and myself, so in the ability that we're able to tell this is, you know, high-priority remote code execution versus, you know, this is just a low-priority border case.
G: If I can, you're right, so you're saying that this first interaction is gonna be done by Open Robotics, yourself as well as Joe. Is there any chance anyone else can participate to help with this first reviewing, or is this gonna be closed? And if so, because I don't think we have discussed this, right? Yeah.
B: Right now, it's just a matter of maintaining the alias, so the security... what is it? security at open robotics dot org is maintained by Chris. You know, he requested that and set up distributions. We wanted at least one or two folks outside of Open Robotics that were actively in the security working group. As far as the ongoing membership, we actually hadn't contemplated that.
F: That's totally right, and so I guess I would say I can add people as needed, but we should be careful about who we add in general. Basically, what I'm looking for from all of you is a recommendation on how we determine who should be added, and then a list of people who meet that requirement, who should be added essentially, right.
G: So on that I have actually a pretty strong opinion, which is that I don't think only one external organization should be added, because this can induce bias in many senses. So I personally would feel much more comfortable if, besides Canonical, there is someone else from other organizations and other persons. Particularly, I would very much encourage Ruffin White and Mikael Arguedas to be over there, because, frankly, they are the main guys behind SROS2.
G: If they want, of course, and also, frankly, I would also nominate myself from Alias Robotics, with lots of heavy lifting on robot vulnerabilities, and, as I said, I think it's best. I mean, I agree with the fact that not everyone can just join the security working group and right away get access to everything, but, yeah, I think that this is probably the best first approach. But of course this is just my biased feeling, yeah.
A: I think one thing we'd have to do is, and this is a good idea, especially someone like Ruffin or Mikael on this, or yourself. I think we should model this after the way the open source security, knowing this run by the person go, doesn't mean because we're the name Solar Designer works, and basically, if you're going to be on this list, you have to give back. We can't have free riders who are just there to get early information. We have to all contribute back.
E: That goes along with what I was about to say: I think there is quite some responsibility associated with it, and so it's also a matter of being willing to commit to actually, like, spend the time and effort to help triage and assess and everything. But I strongly agree that it was a bit of a surprise that the release was already made without, like, the rest of the working group, you know. So now we have people that receive these, and so I agree with Víctor.
E: It would be nice to discuss it early, and I wouldn't nominate myself, because I'm not sure I would commit to these tasks, but I would be very, very interested in having those organisations such as Alias that have been, I think, reporting almost and assessing the most robotics vulnerabilities overall, and so I'm strongly supportive of having such associations and groups in there. Sounds like a good idea now.
A: I think I want to keep this moving along a little bit today. Are we at the... do we think we're at the working group interaction with the public at this point, right, yeah.
B: Let me move on just to that, and I'll just take a quick comment on that. As we're going through the VDP, one of the questions was: we had added that paragraph in it that said we're gonna do best effort, even if it's not in scope; if you have questions or something like that, you want to reach out to us, then, you know, we want to encourage that. But then that came up with an issue.
B: How do we want the public to interact with this working group? And the thing is, right now I think we have a couple of different ways: we have the Matrix forum, which seems to be the most active place. We have the security working group meeting, which, you know, this meeting is open; they could join it if they want, although that may sidetrack us from our normal business. We have our public-facing GitHub repo, you know, Hank err, where we're putting more things in.
C: The wiki page could be as well; so far it has really just been where we put notes, which has been useful. I know a number of us have been editing those to make sure they reflect reality, and so that's been nice, but we could actually add a bit of a header to that page, and, you know, I don't really have strong feelings. The community doc does have all that stuff already, but it hasn't really been published that way, I guess, yeah.
E: It hasn't been really advertised, but I would cite for that, because the goal of that trini was actually to aggregate also all the various ways to contact, right, exactly, the group, and I would actually be against using the ROS wiki, because I see the ROS wiki as the ROS 1 wiki and I'm already, I have to go check for us in there. So I understand it's an easy way to extol stuff, but I would not advertise it, because I think it's gonna, like, disappear eventually, yeah.
G: Yeah, though one thing to highlight, guys, is that I think the real-time working group just had a request to create and copy our effort in a wiki, so especially Sid and Kyle, of course, and the rest of you guys from Canonical, I think it's been amazing what you've been doing in the wiki and it's inspiring other groups. So we should definitely keep up with that.
B: Alright, so then I think the only thing that we have to do to do that: I'll probably change the direction from the Open Robotics working groups page; right now that points to our wiki. So also, maybe we change it at that point to the community page, and then I'll try to just take a look at how to sync everything up on that. I need to add.
E: That we had a long discussion about this, the content of this tripe itself and the other episode she did with it. And so I'm just wondering if we want SROS2 to be complying with it, and if so, what are we aiming for, and can we lay out the groundwork so that we can claim a quality level? So the main question is, like: do we want SROS2 to declare a quality level, and based on that?
A: Cool, so then we can go back over some of our last action items. So, how will we handle errors if two nodes are trying to use mismatched DDS? Has anybody looked at this one, or remember the discussion we were having?
A: No, so I'm gonna go with: should we have a security workshop at ROSCon 2020?
G: Definitely would work; otherwise, if you guys want, regardless of whether it's this year or next year, one thing we could do as a group is maybe coordinate ourselves and just file a speech that's maybe a bit longer, but that joins together different organizations. From my past experience acting as a reviewer of ROSCon submissions, this was quite nicely considered, so this is also an idea, but nevertheless.