►
From YouTube: ROS 2 Security Working Group (2020-03-10)
Description
Meeting notes: http://wiki.ros.org/ROS2/WorkingGroups/Security
A
B
And
relatively
long
discussion
me
and
me
Kyle,
first
kind
of
came
up
with
that
idea
of
like
transitioning
using
namespaces
and
their
names
to
help
int
Co
and
what
context
load,
but
as
William
down
lik
down
below
it
kind
of
points
out
that
that
that
relationship
is
kind
of
non-existent,
that
that
that
contexts
are
sort
of
allocated
over
to
nodes.
And
then
the
context
remains
ignorant
or
unaware
what
namespaces
the
notes
are
under
or
whatnot.
So
that
relationship
breaks
down.
If
you
have
multiple
contexts.
But
let's.
C
B
So
maybe
get
to
that,
but
the
as
far
they'd
start
that
from
this
section
header,
you
can
kind
of
see
the
general
gist
and
that
I
contexts
are
something
that
you
would
be
allocated
like.
You
might
have
multiple
contexts,
instances
per
process
and
like
it
could
be
the
case
that
your
processes
may
be
a
bridging
process.
It.
B
So
that's
that's
sort
of
been
resolved,
but
then
the
choice,
unlike
how
the
user,
you
know
context,
is
a
collection
of
permissions
and
so
how
you,
the
user,
wants
to
change
the
fidelity
or
the
granularity
of
how
those
permissions
get
distributed
is
sort
of
up
to
them.
You
know
they
could
have
a
every
process
that
they
launched
its
its
own
context.
So
maybe
they
configure
the
launch
file.
So,
even
that,
if
you
have
multiple
talkers
with
different
names
with
you,
multiple
talkers,
they
load
different
contexts.
That's
or
they
could
have
it.
B
C
there's
the
other
design,
doc
that
touches
on
context
and
so
access
control.
Some
of
the
adjacent
changes
we've
done
that
you
see
and
the
policy
schema,
is
that
we've
introduced
its
context
of
this.
These
tags
of
contexts
in
the
policy
document
that
the
context
really
just
encapsulates
profiles
and
then
we've
added
a
ability
to
have
a
metadata
tag
that
might
help
users
that
would
be
like
where
you
describe
and
like
maybe
what
domain
this
particular
profile
could
be
attributed
to.
The
profiles
could
be
a
treated
multi,
bridging
case
and
the
wrong
link.
B
B
Then
we
change
like
the
environment,
variable
it's
not
no
directory
its
context
directory,
so
that
allows
you
to
have
like
these
different
levels
of
control
and
what
gets
loaded
at
runtime.
You
specify
the
same
kind
of
security
root
directory,
which
would
point
where
you
have
all
the
contexts
and
your
file
system
and
then
at
runtime.
You
would
use
like
a
context
argument:
raus
argh.
You
specify
the
fully
qualified
context
path.
What
want
what
the
particular
security
attributes!
B
B
Yep,
okay
and
then
we've
had
some
discussion
on
whether
the
lookup
strategy
is
still
meaningful,
like
the
the
whole
idea
of
having
exact
or
prefix
lookup
strategies.
That
kind
of
is
helpful
when
the
RCL
was
looking
up.
These
no
directories
based
on
its
node
name
and
the
node
name
could
be
dynamic.
It
had
some
garbage
at
the
very
end,
like
you
know,
the
ross
tooling
right
in
order
present
unique
yeah
in
order
they
had
them
in
unique.
B
D
B
So
if
you,
if
you
had
one
context
in
particular
context,
path
and
your
context
directory
or
your
root
directory-
and
you
told
launch
to
have
these
two
processes,
these
two
single
node
processes
to
load
the
same
context
that
would
work,
it
was
just
the
the
context
instances
within
each
process.
We
just
haven't
happened
to
spin
up
participe
Deus
participants
with
the
same
privileges
once
to.
D
C
Is
the
same
thing
as
if
you're
running
tutorials,
today
she's
running
tutorials,
both
of
them
are
going
to
use
the
same
identity
and
the
same
set
of
Commission
files,
and
so
on
should
like
today's
it'll
be
the
same
thing.
That's
a
new
thing
with
lounge,
like
all
launch,
does,
is
like
pass
it
to
the
Susie.
The
key
table
saying
hey
use
that
command
line
argument
and
what
the
command
line
argument
is
says:
go
in
that
directory
to
pick
up
your
stuff,
and
so
they
would
both
be
using
the
same
set
of
permissions
in
the
cages.
C
A
B
C
Situation,
wait
was
also
where,
until
so
I'm
I
was
also
like
in
favor
of
getting
rid
of
it,
mostly
because
it
also
introduces
the
dependency
on
a
package
that
is
not
necessary.
Is
that,
like
foolproof,
let's
say,
and
so
I
I
never
did
the
package
itself,
but
like
I
know,
at
least
like
they've,
had
like
a
lot
of
warnings
and
you're
like
raising
some
flags
in
some
tools,
so.
B
D
B
All
right
in
the
design,
doc,
I
also
added
some
examples-
are
like
these
kind
of
relationships.
How
the
subscriber
variables
and
runtime
arts
exist
all
right
and
then
the
meat
of
the
document,
the
boss
to
security
context.
Yeah
we
touched
on
the
introduction
and
the
concepts
is
some
slight
changes
of
the
police
board
like
I'm.
Anything
like
that,
just
to
make
sure
that
everything's
might
be
flat
and
like
yeah.
B
Yes,
we
certificate
is
already
name
contact
and
we
kind
of
divide,
our
all
the
context
or
in
the
context
is
context
folder.
So
that's
probably
where
you
would
set
your
your
route
and
that's
environment
variable
is
to
the
there's
key
store
private,
where
you
put
all
the
private
material
that
you
maybe
want
to
redact
after
you
publish
or
two
artists,
then
you
have
to
public.
If
you
could
just
leave
in
place.
One
thing
is
we.
B
B
At
runtime,
so
this
is
what
I
think
we
still
haven't
reached
a
consensus
or
a
debate,
so
I
was
still
leaning
towards
that
II.
If
you
make
an
element
in
a
Russ
lunch
file
and
you
specify
the
context
as
unqualified,
so
it's
just
like
context
equals
food,
not
/foo,
just
food.
What
does
that
get
resolved
to
I
was
thinking.
It
might
be
helpful
if
that
gets
resolved
to
with
you
scope
of
the
name,
the
name
space
in
the
scope
of
the
file
of
the
lunch
file.
B
That
way
you
can
allow
to
nest
certain
launch
files
and
certain
you
know,
node
specific
processes,
you
launch
are
still
loading
your
own
kind
of
unique
context,
because
the
namespace
still
lends
it.
The
hierarchy
of
the
namespace
still
lends
itself
well
and
having
a
means
of
separating
context,
so
they
don't
collide
with
each
other.
You
need
some
way
of
organizing
all
your
context
within
your
within
your
context
route.
So
they
don't
overlap.
B
Simple
means
is
to
kind
of
associate
with
a
relative
namespace.
The
other
thing
is
that
you
menu
when
you
have
to
move
you
change
your
namespace
of
a
node
I
get
design
time.
You
say:
I'm,
gonna
change
the
push
namespace
in
my
launch
file.
That's
going
to
change
the
inherit
permissions
that
that
node
is
going
to
require
so
to
kind
of
make
that
relationship
clear
of
this
inner
dependency.
B
That
would
might
help
to
explain
that
oh
you're
gonna
also
have
to
change
the
context
path,
but
this
is
just
more
of
a
convention
that
maybe
Ross
launched
with
help
afford.
By
doing
this,
introspective
launch
run
because,
like
our
CL
is
not
going
to
be
aware
of
namespaces
or
node
names,
so
Solange
could
resolve
what
relative
context
paths
get
mapped
to
you
where
it
provides
the
context
arc
through
the
process.
D
That
seems
to
work
hand
in
hand
with
Ted.
Are
you
darn
it?
That
seems
to
go
hand
in
hand
with
the
investigation
we've
been
doing
and
tying
no
DL
Ross
launch
right
where
if
we
can
get
the
context,
paths
like
we're
gonna
we're
gonna
need
that
at
some
point
in
order
to
actually
make
any
sort
of
key
story,
and
so
you,
you
and
Ted
should
probably
talk
about
where
that
actually
ends
up
going
in
I
think
we
can
probably
work
together
on
that.
D
C
C
And
if
you
make
it
absolute,
so
if
you
write
a
reading,
slash
it
gonna
be
absolute
and
if
you
use
kind
of
like
in
rows,
one
likes
to
make
it
too
private.
What
we
call
private
in
verse,
one
which
is
data
using
a
tilde,
then
it's
gonna
be
like
node
name,
space,
fully
expanded
flesh,
Pradesh
topic
name.
D
B
B
B
So
this
is
why
I
was
thinking
that,
let's
say
the
case,
the
user
doesn't
push
the
namespace,
he
doesn't
provide
a
they
don't
provide
a
node
namespace
attribute
a
name
attribute
context,
but
the
heart
code
is
ham.
Then
maybe
the
context
did
resolve
to
him
and
I
think
this
is
where
we
were
kind
of
circling
back
like
oh,
maybe
it
makes
sense
to
have
context
default,
node
name
then.
C
B
You
had
by
default
all
these
nodes
without
any
they're
all
just
hanging
out
in
the
root
namespace
at
least
they
wouldn't
by
default
load,
try
and
load
all
the
same
context,
but
that's
like
the
behavior,
whether
we
want
it
or
not,
whether
they
provide
a
bar
as
a
namespace
and
default
of
our
hand.
They
specify
a
node
name.
Obviously
the
hard
code
doesn't
matter
if
they
specify
a
fully
qualified
name
space,
the
push
namespace
doesn't
matter,
they
specify
a
node
context,
then
the
node
name,
wouldn't
matter
they
specify
a
fully-qualified
context.
B
B
Why
I
was
thinking
and
just
maybe
using
the
scope
of
whatever
node
element
was
specified
in
that
way,
it
would
still
be
pushing
push
bowl
within
the
composable
launch
file,
but
still
kind
of
a
very
regular
pattern,
and
the
idea
is
like
maybe
once
we
get
also
a
composable
know,
are
composable
tags.
So,
like
you,
you
specify
a
container
in
your
launch
file
and
then
you
attach
nodes
to
the
container.
C
D
The
that
does
that
imply
that
there
is
no
just
just
to
clarify
that
I
mean
that
all
sounds
neat.
Does
that
imply
that
there's
no
way
to
actually
do
the
absolute
context
then,
like
that
example,
you
had
there
were
none
of
the
other
items
matter.
Often,
or
am
I
misunderstanding,
what
you
were
saying
there.
B
Is
being
able
to
specify
the
fully
qualified
context
path
in
the
launc
file?
I,
don't
think
it's
an
issue
in
in
any
regards,
because
that
can
be
straightforwardly
just
passed.
Rcl
you
had
the
context
there's
Ross
launched
in
if
it's
fully
qualified
they
wouldn't
have
to
have
any
kind
of
resolving
at
all.
Okay,
so
those
things
where
it's,
where
that's
relative,
we're
like
there
isn't
a
leading
slash.
A
A
question
for
for
everybody,
though,
we've
gone
over
on
this
topic,
we
can
keep
going
on
if
people
are,
if
we,
if
we
want
to
extend
the
meeting
by
a
few
minutes
today,
they're
okay
with
that
cuz,
this
seems
pretty
interesting.
Yep,
okay,.
B
A
B
B
D
B
D
B
D
Have
one
question
that
does
relate
to
that:
I
lost
it,
but
where
you
were
talking
about
how
the
environment
variable
interacts
with
oh
here
we
go
they
and
in
Ross
to
DDS
security.
How
the
environment
variable
interacts
with
the
with
the
command
line
flag.
I
want
to
clarify
these.
Does
the
specifying
the
environment
variable
override
the
context
given
into
the
CLI
or.
D
B
And
then,
and
then
that
allows
you
to
specify
there's
context
if
you
specify
the
route,
but
if
you
specify,
if
you,
if
you
export
the
route
and
you
specify
a
context
but
you've
also
expects
exported
the
Confraternity
in
the
context
directory,
which
is
not
it's
not
fully
qualified
by
context,
but
is
a
file
system
path.
So
if
you
specify
that
that
overrides
everything
that
allows
you
to
like
I
want
to
run
this
whole
launch
file
under
this
one
context,
because
I'm
debugging,
the
country,
okay,.
B
Well,
well,
whether
I
think
Ross
launch
picks
up
in
the
environment.
Variable
I,
don't
think
it
matters
I
think
it
would
yeah
Russ
launch
could
be
ignorant
of
what
the
security
context
directory
is
secure,
collects
root.
Is
it
just
passes
what
it
resolves
to
the
context,
but
RC
always
ignore
the
context.
Argot
context,
Directory
environment
variable
is
that
right.
D
So
my
point
is,
that
seems
a
little
backwards
to
me
like,
like
I,
would
want
them
local
change
to
be
the
one
that
affects
everything
else
and
the
context
seems
most
local
to
me,
except
for
the
fact
that
I
think
in
most
cases
that's
actually
going
to
be
hidden
by
Russ
launch.
Is
that
correct
and
and
what
the
user
is
actually
setting?
Is
the
context
directory
to
do
this.
B
Yeah
I
think
this
is
really
similar
to
like
we
had
with
aq
passing
the
Q
West
options
is
like
this
ambiguity
on
these
levels.
I
think
it's
still
necessary
in
that.
Like
you
know
you,
you
said
the
you
said
the
route,
so
you
can
change
what
key
story
you
want.
You
can
set
the
Arg
to
specify
what
context
you
want
and
then
you
can
override
all
of
that
using
an
environment
variable
that
so.
C
Does
what
I
have
today
as
well,
which
is
kind
of
what
we
have
today,
because
same
thing
that
today
default?
The
change
of
context
was
like
impossible
to
decide
something
at
the
scale
of
a
large
file
or
an
entire
system,
and
so
the
only
way
to
actually
do
that
was
to
do
that
with
the
override
environment.
Variable
and
yes,
Kyle,
as
you
said,
like
the
command
line
argument,
is
what
lounge
is
gonna,
be
using
to
pass
things
down.
C
D
B
B
B
C
This
one
is
harder,
but
Russian
we
can
discuss
it
offline,
but
we
need
to
go
back
to
what
we
were
doing
and
we
were
like
passing
discovery
data,
because
we
need
a
way
to
specify
in
a
policy
file
or
purely
D
s
topic
and
not
the
rest
of
it,
because
apparently
this
is
a
purely
dias
topic.
It's
not
mango.
B
B
C
A
E
Sure,
real,
quick
just
a
few
seconds
actually
so
that
happened
last
week
was
a
pretty
nice
experience.
I
must
say
we
had
a
full
room
in
the
first
session,
which
would
be
organized
and
then
the
second
one
we
held
disseminated,
and
it's
also
quite
filled
that
we
had
praying
nine
speakers.
We've
managed
to
get
some
recordings.
E
E
Pretty
nice
experience
and
I
look
forward
to
you.
Do
it
again,
maybe
next
time
we
can
join
together,
most
of
us,
hopefully
with
with
more
time
this
this
time.
Actually
we
were
quite
late
ourselves,
but
nevertheless,
let's
see
what
comes
afterwards
so
yeah
feel
free
to
reach
out
if
there's
something
that's
mistaken
or
any
follow-ups
happy
to
do
so
another
than
that
yeah.
E
The
overall
positive
input
we
got
from
it
is
that
there
is
lots
of
interest
in
the
community
and
the
robotics
community
for
security.
Several
groups,
companies
and
individuals
approached
and
asked
about
the
status
of
support
for
security,
both
at
the
communication
systems
level
in
verse.
Two
so
I
forwarded
them
to
the
ongoing
discussions
and
notes
we've
been
putting
together
in
the
meetings
and
minutes.
E
A
We
can't
Michael
because
I'm
saying
your
name
wrong.
Tell
us
about
the
get
some
comments
about
static,
now's
tools
for
Faraz.
You
know
I
think
I
mentioned
earlier.
We
are
using
Coverity
to
cover
a
lot
of
the
Raw's
packages,
but
there's
a
lot
of
things
like
python,
black,
etc.
We
should
totally
work
that
stuff
into
our
into
our
CI
CD.
But
I
spoke
for
you.
So
let
you
speak
for
yourself.
Yeah.
C
E
That's
a
super
nice
interesting,
totally
supported.
Actually
I
may
be
directed
to
you
Joe,
you
mentioned
you
guys
are
using
Coverity
I
have
not
write
that
one
I
actually
just
recently
noted
that
it
is
available
for
open
source
project.
It
wasn't
aware
of
that.
I
thought
it
was
just
aa
proprietary
tool
that
you
could
use
used
by
by
licensing
it.
Do
you
guys
have
an
intuition
on
what's
on
bits?
Essentially,
how
does
it
compare
to
other
existing
open
source
tools.
A
You
know
I
find
that
it
keeps
state
DEP,
so,
okay,
so
the
open
source.
One.
That's
that
you
can
say
that
the
open
source
dekes
there's
a
cloud
one.
You
can
use
this
free
for
open
source
projects
and
that's
very
nice.
We
have
the
on-prem
version
because
we
want
to
work
it
into
our
CI
CD
and
you
just
use.
We
want
that
a
little
easier
use
of
it.
It
I
like
that.
It
keeps
state
I,
think
it
does
that
better
than
other
tools
out
there.
A
It
is
not
perfect
like
it
doesn't,
handle
go
right
now,
but
I
think
it
does
a
very
good
job
at
see.
It
does
okay
at
Python,
but
it's
one
of
the
better
tools
that
when
we
did
a
competitive
analysis
last
year
and
that's
what
we
ended
up
with
it
is
the
on
frame
one.
It's
like
it's
reasonably
priced
about,
$1,200,
a
named
user,
I
think
or
maybe
$2,000
a
named
user.
It's
not
in
pot,
it's
not
prohibitive,
but
it's
not
free.
C
And
so
just
to
jump
in
real,
quick,
we
don't
necessary
have
to
like
free
disguises
now
I
just
wanted
to
like
sleep.
It's
like
is
the
ID
and
see
if
there
was
interest
and
then,
if
you
want,
we
can
actually
say
that
either
a
different
like
channel
for
like
discussing
and
putting
resources
in
together
on
like
experience
or
we
can
just
discuss
it
on
matrix
and
just
come
up
with
like
a
list
of
things,
we
could
do
either
at
the
I
men's
league
level,
which
is
adding
different
intervals.
C
A
D
Already
in
order
to
go
over
again
but
III,
agree,
I,
think
good,
I
I
think
there
are
definitely
written
blenders
to
be
written.
A
couple
of
tools,
Victor
mentioned
on
the
quality
levels.
Pr
I
had
never
heard
him
so
I
very
curious
to
write.
I
meant
linters
for
that
we
did
one
for
my
PI
and
it's
not
too
bad,
but
yeah
I.
Think
let's
carry
on
this
conversation
matrix
so
cool,
okay,.
B
B
C
B
E
Are
they're
working,
yeah
they're,
the
sauce
I
know,
I
did
participate
in
few
meetings
and
I
think
I'm
Dre
I
mentioned
also
in
this
course
that
they
had
a
preliminary
port
of
arrows
choose
this
to
his
group
in
in
Portugal,
are
supporting
and
creating
I,
don't
know
beyond
that
line
of
work.
If
there's
much
more
going
on
also
I
do
recall
that
I
think
they
were
requesting
for
a
new
lead,
so
yeah
I.
D
D
Keep
this
quick,
sorry
for
running
over
I
just
wanted
to.
Let
everyone
know
that
that,
as
of
just
a
couple
days
ago,
where
were
the
official
that
the
working
group
is
the
official
maintainer
of
the
s2
project,
we're
still
we're
still
working
out
the
you
know
the
organizational
aspects
of
that,
but
expect
to
see
some
some
coming
chatter
in
matrix.
Regarding
that
right,
but
I
guess
that's
all
I
really
need
to
say,
but
that's
awesome.