From YouTube: ROS 2 Security Working Group (14 Mar 2023)
A
That I have added, but feel free to bring up any other topics during the meeting; you're not required to propose them in the agenda in advance, although you're always welcome to. So one quick thing I wanted to discuss is a couple of ament wrappers that I've developed for integrating the use of Bandit, which is a Python code scanner. You may be familiar with it.
A
I'm gonna share it in the chat as well, both obviously open source projects. And then Semgrep is an engine that allows you to use a number of different rules on your code, and it supports different languages, including Python and C languages, XML, JSON. And so the proposal is to potentially add this to the list of ament lint wrappers, which I'm also sharing in the chat. You're probably familiar with this repository, and so this allows you to run this tooling very easily from the command line and also to just add them automatically in your CMake,
A
your CMakeLists, so that the tests run automatically when you test your projects. So yeah, right now about three of them related to security exist: cppcheck and IKOS and Cobra. I don't think IKOS and Cobra are actually included in ament right now, but you can find the cppcheck one in there.
A
So my first question will be if you agree that these wrappers are good to propose to live in the ament lint repository, and also if the group could take ownership, potentially. Of course, there's a proposal process for that. A request process for the group to sort of maintain and contribute to a project, if that is something of interest to you all as well. Yeah, that's what I wanted to share with you. Also feel free to review them. They sort of follow the format of, yeah, what already exists.
A
B
Do you have, when we're looking over the repo, do you have any examples that we can apply it to? It's like, this is the failure mode you see: you change the source code here, or check out this branch, apply the linter, and you'll see the effect that it has when you're applying it to an example source code.
A
I did not include a demo with them, but I guess, do you mean, like, part of the recommendation may be missing as to.
B
How, well, yeah, a demo is just like all I was looking at. Like, I wanted to see it running in action and see what kind of UI gets the feedback to the user, or what it reports. I'm not familiar with Bandit, so I'm just like approaching this from the blue.
A
Yeah, sure. I was mostly following the format of the cppcheck wrapper, for example. It doesn't include a demo, neither do the other two, like IKOS and Cobra, so I didn't. But it'll be interesting in a documentation page, probably, that we included.
A
So, do you have any thoughts on, should this, I mean, is this a good candidate for a project for the group to maintain, contribute to?
B
A
B
'd be really cool to get this upstream into the ament org, and it doesn't take too much maintenance to just keep it in support. It's like, it's just using existing libraries and binaries, right?
B
Were there any nuances you had to do when you were applying it that are specific to ROS, like tailoring the tool to navigate the ROS build space or build workspace, or was that fairly straightforward in terms of just like having it interpret the rest of the CMake of whatever the project it's ingesting?
A
It's pretty straightforward in terms of the command line. As a static analysis tool, it really just runs on all your code, your workspace. So the default behavior is, it runs recursively on your current directory, but it can be customized to exclude certain directories or just include some of them.
A
A
It seems that they all output an xUnit file, or are set up to, so you can easily output xUnit, I guess, so you can integrate the results of many different tools. At the moment, by default they output in XML, but they can do any other. See, if you look at main here, it's a two say itself any other formats, because I know SARIF is rather popular too, and for example, Semgrep does output SARIF natively, if you choose to.
A
But in this case, there's a whole, like, the main itself has a number of functions to transform the output into xUnit.
B
In the, for like Navigation2, yeah, we mainly use xUnit or JUnit, like the original Java XML test format, and that's because it's mainly what our CI platform kind of understands. Like CircleCI, you're just playing XML files, and it assumes that it's JUnit, and when it's not JUnit, it kind of gets angry at you.
B
I think Travis probably does a similar kind of ingestion for results, though I think they have like sort of a hybrid approach where they're both, like, tracking the stdout, stderr and return codes for all test processes. But yeah, it's kind of nice, because then you can just tell colcon, hey, put all your test results in this folder, and whatever linters you have, they all generate their files there.
B
And then, when you look at your CI results, it's been processed and curated; it'll have whatever excerpt extracted from the XML files. It makes it kind of easy to.
A
That makes sense, and probably something to improve already. For Bandit, for example, it does not have JUnit or xUnit native support, so integrating that sort of output option. For Semgrep, right now the default is JUnit. It does have JUnit output. So that's what it's done. But is there a difference, like a preference to use xUnit versus JUnit?
B
It's xUnit, or like the modern equivalent, JUnit. JUnit is like this undocumented kind of standard, and that's why it's all really weird and meta, but, don't quote me on that.
B
Is there, when I made a colcon extension, I submitted a ticket to the colcon org to formally request adoption. Is there something we need to continue there, so we could get some folks,
B
experts to review and bring in the repo?
A
Okay, so what do you suggest that I should request a review from directly?
B
I can drop a link to what I did with colcon, but there's the ament repo organization.
B
B
That's probably, that's weird. Yeah, maybe just open the ticket for ament lint. I'm guessing we'll eventually just merge it, we'll just bring open the repo rather than necessarily combining the code into the repo, but I'm not sure. Maybe, however they want to organize their source code.
A
Yeah, feel free to take a look, if you have any other comments on the wrappers themselves.
B
The testing of this, I think I'll try running it against nav2 and see what it generates. Probably a whole bunch of issues that we find in the Navigation2 repo.
A
It was great. Yeah, be good to have that, that's feedback on your usage.
A
D
B
Yeah, currently I don't know if we have another middleware, like RMW option, that has security features. I think there's talk of, I was just getting, a Zenoh RMW layer, which would be nice, and Zenoh supports security features, I'm using TLS, I think. So that would be a case where ROS 2 again could be helpful in terms of generalizing and generating the security artifact material for deployment. But yeah, that has sort of been the struggle, in that we've only had Secure DDS reference examples, and so I guess sros2 is still pretty heavily biased towards DDS and that.
C
B
B
Something there for Zenoh Ireland, yeah. Yeah, there's the Zenoh project, or z-e-n-o-h dot IO, that's their main website, and they're developed by the same kind of, they're sponsored by Eclipse and ZettaScale, the same folks behind Cyclone DDS. So just pasted it in the notes here. And so I think, if we, maybe on their Discourse, they have a Discord server which they've been using for development, and so maybe the most up-to-date commentary on those developments has been maybe posted there, I'm not sure.
B
Where else they've been publicly discussed. It's more like an ephemeral, it's like an idea everyone's had, but I'm not sure if it's been implemented yet. I haven't been keeping up on the state of the art of the other RMW layers. I thought we had one from Intel for whatever IoT middleware protocol Intel was kind of pushing a while ago, but I'm not sure if that went anywhere.
B
B
D
No, just, just out of curiosity. So I want to know the effort, what it takes to, yeah, modify as for us to support something different, basically.
B
Currently, because DDS permissions and all that stuff was heavily ingrained with XML, that's for us who uses sort of XML templates to generate the stuff. So when we're like doing translating ROS topics to DDS topics, then that's kind of a simple procedure with the XML template. With the templates, what you can do is that we can generate, like, from permissions that are expressed in XML to like JSON or to text or YAML.
B
You know, because that's just a simple text transform the XML schemas can handle. But it might also be worthwhile reevaluating our translation and generation templating stuff, if we want to make that just pure code rather than XML templates. But for now it's kind of been working because DDS is all XML. Okay, so that's, that's
B
what's doing most of the heavy work in terms of translating for the access control artifacts. For general crypto, like handling and generating key material, that's all pretty kind of agnostic, I mean. So if a Zenoh RMW comes along and they need TLS certificates, you know, that's something that's pretty easy to extend, that's ROS 2 already. It's just, we're just using Python crypto library. But that's about the state of it so far, but.
B
D
B
Well, I mean, each vendor is like, for the DDS vendors, they're all using, I think, OpenSSL, but they might build against different versions of OpenSSL, and they also might vendor that version of OpenSSL, like they're shipping OpenSSL binaries with their library. So it's not even maybe using the system's OpenSSL, which is all kind of care about. So like, I think Fast DDS and Cyclone, they build against the system OpenSSL.
B
RTI Connext will ship with its own version. But I mean, in terms of crypto, they're all using, like, you know, X.509 certs and PEM files. So that's not anything that's specific to the crypto library or whatnot.
D
But there is no other implementation which implements or utilizes another crypto library, or everything is based on OpenSSL?
B
There is the Korean DDS vendor that they've been, they haven't. Oh, they also have an RMW layer. So g, u, group grun grunge.cc.
B
B
So it's also on the ROS RMW repo list, so ROS 2 RMW.
B
That's the GurumDDS, and there are closed-source DDS vendors, so I'm not sure on what a secured crypto library.
B
D
B
The past month or so, I think. I think, to get to your point, if we ever get to something that's more exotic, like that's using dedicated devices for holding the key material, like enclaves or.
C
Well, to return to that, add to that, I think what we did with eProsima was the PKCS#11 addition to Fast DDS. So this allows you to use any sort of PKCS#11 backend, but I think the solution still did not get rid of OpenSSL, because I think they personally used OpenSSL there. But of course the crypto itself happens in whatever backend you choose. But yeah, so you can use an HSM or whatever I'm glad you want with.
C
Does include specification, or I'm sorry, does include description for PKCS#11 features, but Fast DDS is the only actual implementation that I'm aware of that actually implements.
B
The design PR that we got told to redirect elsewhere, but I'll wait to change the subject and until.