From YouTube: ROS 2 Security Working Group (2020-06-09)
Description
Meeting notes: https://wiki.ros.org/ROS2/WorkingGroups/Security
A
So I don't see, I don't see McHale on the call, so, well, but maybe we can cover that ourselves. For SROS2 we're looking for quality level 2 compliance with REP 2004. Has everybody visited that GitHub link, our quality level I...

C
But I do think it's something we do need to move toward. I actually want to talk about documentation, though. Like, with that, what does that actually look like for us? Does that look like a bunch of markdown files in the SROS2 repo, or actual documentation in the ROS index, like, what, yeah.
B
Specific tutorials. There's no, there's no documentation specific for any SROS2 package, so it's always like, where do we decide to host it? Close to the source code, or close to where everything else for ROS 2 is hosted? And then I think Kyle brought up earlier on the discourse thread, like, how are we gonna version? Yeah.

B
I think Navigation2 too, so we could look at how the Navigation2 folks have been doing that. I kind of like the idea of hosting the docs close to the source, 'cause then, like, you know, someone comes back and says "how does Dashing work?" and we can just point them at the dashing branch. Yeah, that's, that's true. I...
C
I mean, I don't think the documentation for SROS2 would be anything near the documentation for Navigation, but given that they have another repo for the documentation, I assume that they can still do, you know, branches that actually match up with the branches. But would that satisfy your desire to be able to point people to previous versions of documentation, or do you actually have a preference for having the documentation in the same repo?

B
You know, our documentation footprint is probably pretty small. We don't need, like, fancy figures and GIFs and whatnot, so no, I think keeping the docs close. Then one thing, maybe we could do this, like, be a little more succinct. Do we need, like, three forks or three pages for Windows, Mac and Linux? Maybe we could kind of unify it; it makes it a little easier to maintain and edit, stuff to do.
C
But it's still a question of where the exported docs live. I mean, Jeremy, I think you're right, I think we can have some sort of tutorials on the ROS index, but then any sort of API documentation, you know, that type of thing, we need to decide where that type of thing lives, and I don't think there's clear guidance for that yet. Should we start a discourse thread about this and actually ask for advice? We're not gonna be the only ones with these questions.

A
And hopefully we're soliciting as much help from the community for these tutorials as well. I mean, just thinking about what sort of sparked this, the SROS2 level 2 compliance, right. That's, that's gonna... it's gonna be a significant amount of work, so, well, I'll, forget I... I think no one person can probably do all that mitigation. So maybe before our next meeting we can break that, what that work is, down into chunks and even get volunteers to start contributing to that.

A
Okay, so for the next call we'll have some action items, then we can get people to volunteer for those. Okay, Sid, that's like what, CPEs for all ROS active releases.
E
Yes, we just wanted to mention we've requested and received CPEs for the ROS releases, and you may wonder what the heck that means. So CPEs are Common Platform Enumerations, that's what it stands for. Essentially it's a unique identifier for ROS that you can file CVEs against, and also in the whole security content automation it becomes a primary key for ROS software. So eventually you could do something like: how would you discover whether or not ROS is installed? How would you discover which version of ROS is installed? Things like that all tie back to CPEs.

E
We did it, I filed for the CPEs just because we need one to tie the CIS security benchmarks to, and also because I wanted to tie our vuln report CVEs, to be able to tie CVEs to specific identifiers, and that way you can query them back and forth. So those are out there. They're documented in the vuln reports handling thing, and yeah, we'll start using them. I think the only one that probably would use them more than anyone else is Alias, because I think they have reported some CVEs.

E
You know how we track things, so there's one over there. If you see, I filed them as: the vendor is Open Robotics and the software is Robot Operating System. As I described it to NIST, that's what they chose, and then for version, which is version 1 and version 2, and then Melodic, the named versions, as the distributions.
E
I'll just mention these: as I was going through, and you know, when I had the discussions with Alias Robotics about the VDP, I went back through some old notes, and we had lots of ideas on things that we could do. So now, as I'm going through them, I wonder if there are things that we actually want to do. The first one was to create the internal vuln process.

E
What we do, I see as more important, and that's the linked Word doc, and for that, rather than discuss that here, I think it would take a lot of time to discuss it here. I'd just ask if you can read through that and see if that makes sense as the way that the community will handle CVEs when they're reported to us. So that's a draft document out there for your comment. Think of it as a whiteboard.
F
Joe, so I think it was myself in one of the past meetings who kind of, like, suggested this. My intention was that it would be very helpful to at least have a series of use cases considering real robots and how security essentially has been implemented on them, adding value, so that we can somehow reason about different processes. So my idea originally was to select a number of different use cases.

F
So I guess, I guess the rationale is, ROS is essentially a framework, right, and for many out there it might be difficult to see the impact of a vulnerability on one of the ROS components. So having kind of, like, well-defined use cases with actual results might actually help very much to picture the value of why people should be using SROS2 versus not using it at all.
A
Obviously it would help people to have some cases to look at, and then I read the link you pointed to for VDPs for robotics, and this strikes a chord with me. Have you looked at the SSVC from CERT? It's sort of a more, I'll say, use-case based, I'll say, system-owner based approach to security, as opposed to the security, say, a group like MITRE, assigning a severity.

A
So you have the user, or the operator, having input on how you respond to security vulnerabilities. But it might be worth reading that, or folks have a chance after this call to read both of these links. We can talk about it again later, but yeah, you're definitely applying a risk framework that is unique to robotics.

A
Things that are moving around, things that can have an effect in the physical world, that I think should be something we do with all of our vulnerabilities. I mean, you could probably learn some things from other folks in cyber-physical, you know, like SCADA and industrial IoT as well. This isn't something we should have to come up with entirely on our own.
F
Right, thank you for that. I'll go through that. So my main objective in bringing this in is because we've been internally doing lots of thinking about, essentially, what do we extend within the supply chain, and also one question that was raised internally is: where does the ROS security working group extend, in terms of, are we the defenders, are we researchers? If we are getting reports, probably not? How are we going to essentially interact with upstream vendors, downstream vendors? So it does feel like the supply chain with ROS is going to be very, very difficult.

F
So essentially these are some thoughts, but I do really think we should probably consider these for iterations on the VDP, so I just wanted to ask for input on how the rest of the group sees this thing. The link that you just shared, Joe, is a great one, so I'll go through that. Any further input is gonna be very helpful.
A
Talking about the template, sorry, I probably jumped ahead of that. Sid, you put that one in there, do you care to...

E
You know, just as we're going along, we were debating on, well, what do we do for... what do we do, and this is similar, I think, to Victor's comments: what do we do when somebody reports a vuln and it's not a ROS vuln, it's a robot vuln or a vendor-specific vuln? And then that evolved into, hey, maybe we should help...

E
...robotics firms create their own full disclosure policy, given that a lot of the firms are new to the space. So the thought was, I think, that we were going to create some sort of templates that, you know, hey, you know, Bossa Nova, maybe they're large, but someone like that can just simply apply it as how to get involved and get their specific implementations reported.
G
Yeah, my feeling is that maybe we could just, like, if we provide a longer VDP, kind of like the thought process, like just give some guidelines of, like, that's how we came up with ours, and then people can use that as a reference to guide how they want to do theirs. But I'm not sure we could give different feedback to different vendors. I mean, I don't know how much more than some people would know about that.

H
Would it maybe be worth, you know, just because, I mean, if we've literally just gone through the process of developing this one ourselves, wouldn't it make most sense to say: okay, this one is the template, and maybe we can just go through and annotate it, if you're trying to do your own. These may be our particular areas where you might choose to do something different, and this is the reason why we chose to go this way for ours.

A
If we offer it up, like, we've done this, it's finished, there's a lot of, a lot of robotics companies who are now taking security seriously, and this is a framework you can use for creating your own. So we can put it up on our wiki. I...

A
...think that's a lot, a lot of value, plus we can all be speaking the same language when we're coordinating, because I think what we'll see, honestly, are a lot of the vulnerabilities, not really... the ones that are gonna be catchy won't be from the ROS packages themselves, but actually from the applications people have built on top of it. You know, like your first-time configuration client and things like that. It's around that we're gonna see the vulnerabilities and things like that.
G
Cross-reference, basically. Like, right now the information in ROS 2 is kind of distributed in two places. There is a REP that says, hey, these are the things you should do to claim the quality level, and then there is a developer guide that says, in the case of ROS 2 core, this metric we apply to that specific criteria is this one. And so right now...

G
...the list that I copied from the REPs, basically, in the issue, and then I tick boxes and put rationale. Makes the way... I wonder, we could take them, and then I made just a table below to have, like, an easier-to-read version of it. But I didn't cross-reference that with, like, the ROS 2 core, where they say they want to have at least 90 percent coverage, which is something we don't. But I ticked the box for coverage because we do have coverage testing, we just don't match the number.
C
Yeah, thank you, and we are in a bit of a unique situation where we're maintaining a core package, so getting to quality level 2 does entail two different things: both checking quality level 2 as well as actually adhering to the core standards for quality level 2, which is... it's interesting, and...

G
Then we can justify, we can say, like, okay, I mean, we can say we claim this level because we have everything, and the only thing we can't prove is because our dependencies can't prove it, but, like, we can still justify it, I mean. Maybe it's not a very valid level 2, but we can still, like, make it.

G
Yeah, for sure, what I mean is, I get it, it doesn't have to impact the rest of the work too much. I think, like, adding documentation is still a little thing, and the fact that we don't have one is kind of a shame, but this way we have another incentive to add one, which is just to claim the numbers. I mean, it's better than no incentive, so that's there, I think, so that they do it all.