 Hi, this is Anil Bhatia and today we have with us once again, Keri Stewart, senior director of strategic programs at Linux Foundation. The NCC group recently evaluated, you know, ZIFRS security. Can you talk about, you know, what kind of, what was the outcome of that evaluation and, you know, what's going on in the whole community based on that? Sure, happy to. We're very thankful for the NCC group for the work that they did and helping us to get Zephyr hardened further. In some senses, when it first hit us, it was sort of like, okay, they're taking it seriously now. Awesome. And the reason they were doing this is because their customers are asking for it. You know, they've got, you know, people who are very interested in Zephyr and so they would decided to invest the research, the time during the research to see what they could find. And the fact that we're good enough to critique now is a nice positive for the project. No question. What it did, up till this point, we had been getting some, you know, vulnerabilities that researchers had noticed in certain areas and they'd tell us about we'd issued CDEs. So we had a process down. But suddenly being hit with the whole bulk of those like that, it was like, okay, time to up our game, guys. And so what we've done is we really didn't, we found out we didn't have a good way of letting people who have products with Zephyr based on them know about our vulnerabilities and what we wanted to be able to do is make it clear that if people have products and they have them out in the market and that they want to know if there's a vulnerability, we just added a new web page so they know how to register and they can let us know to contact them. The challenge of embedded is you don't quite know where the software is. We've got a lot of people downloading Zephyr, we've got a lot of people using Zephyr. We're seeing, you know, people upstreaming things all the time but we don't know where the products are. You know, it's all word of mouth to a large extent. There's no tracers or anything else. You don't want to do that in an embedded space on IoT. Battery life is important. And so it's pretty key for figuring out how do we let people who want to be notified know. And we'd registered as a CNA, you know, with MITRE several years ago now and we've been, we can assign CVE numbers in the project. But what we didn't have was a good way of reaching out to people beyond our membership under embargo so that we can let, give them time to mediate any issues that we're fixing. So we've changing our policies. It's gone from a 60-day embargo window to a 90-day embargo window. The first 30 days, we're working internally to get the team to fix the issues and then we've got a 60-day window for our people who do products to basically remediate in the field if necessary. So, you know, joining, you know, getting ourselves useful for product makers was one of the big focuses this year. Since Zephyr's LTS release was made last year, can you talk about, you know, the new releases, especially from the security perspective, because I think the latest version is what, 2.3.0? Yeah, 2.3.0. And then we also have 1.14.2. 1.14 is our LTS, our LTS-1, as we say, and we put an update out to it with the security fixes. And, you know, a long-term stable like the Linux kernel does is has security fixes and bug fixes backported into it so that people can build products on it and keep it active over time without as much change in the interfaces and everything else that we're doing in the mainline development tree. And what we've just done with the 2.3. And so 2.3.0 has a lot of new features in it and we've got all these vulnerabilities remediated. And we... And there's a really good blog post I'll highly recommend you to take a look at to find the details. Carl was the release manager this year and he did an awesome job for this release of documenting, you know, some of the new features and there's a lot more coming up down the road. So the community right now is working. We've adopted new set of coding guidelines for the project. And we will be working on that so we can get ourselves ready for going after safety certifications next year. So there's a lot of motion. There's a lot of code in motion right now but there's a lot of new features being added every day. It's great. We talked about the tech part of Zephyr. I also talked a bit about the community side of it. Can you talk about how the community is growing new use cases? We've just added two new members into Zephyr. We've got Teenage Engineering has just joined us and Laird Connectivity has just joined us. And it's really, you know, cool to start seeing these products coming out from these, you know, some rather interesting technologies and products that are showing up. And so I'm really looking forward to being able to have blog posts about them. One of them I just learned about earlier this week from Laird Connectivity is basically a device, a small device running Zephyr that you can use for basically monitoring distance without recording other information. So in our days of COVID we need to start figuring out technology assists to help us keep the risk down and so Laird Connectivity has a new device. You should be seeing a blog post about that or at least some links very shortly. And there's also two other devices that are with Zephyr that are out there. So Intolinium has a device that you basically put on your shoe for in the factories that's doing the distancing. And then the other one that's there is the Distancer from Vitech. So we're seeing, you know, a lot of innovation happening very quickly in Zephyr and that's really a Zephyr's strength is it's got a very solid code base and there's another innovation on top. Yeah, I mean, I think because of COVID-19 a lot of, you know, a lot of how do I say it? It is creating a new set of challenges and then suddenly we are trying to solve those problems using it. But what is interesting is that once we are through when I have no idea the cases are going up and the governments are like trying to say that nothing is happening. But whenever a lot of solutions that come out at this time are going to change the way we build things around it because suddenly we have a lot of limitations, we have a lot of restrictions, we have to do away with whatever we have resources we have and also because of remote working, you cannot go to your data center, you cannot go to a factory even if the people are. So it's going to change a lot of things. So what do you think will the role, you know, Zephyr based or other ideas or what role is going to be the embedded or edge competing is going to play in the way we build our infrastructure and use these technologies? Well, I think they offer interesting opportunities. Some of the technologies that are being looked at for monitoring for instance are have we have to distance monitoring, contact tracing, things like that. We can either do it very manually or we can start to take advantage of the technology infrastructures to do so. But people may not want to have a device effectively monitoring them all the time and every signal around them. They may just want to know exactly where they are. So that's potentially some degree of control over what's being sent into the tracing and tracking. That's one of those these sorts of technologies I think will be helping us improve things over time. I think they offer there's a lot of knowledge that we're getting out of these and we can optimize information and the RTOS and the sensors are discrete functionality and are improving how do we look at things. Those are sort of what's immediately on the top of my mind right now. I think if I think a little bit longer I'll come up with a lot of other things but that's a good question. We really our video conferencing technologies right now are going to improve by the end of the year. There's no question of it. One of the things that was served kind of fun is I was May and I were chatting with a company that's going to be having a virtual conference virtual trade show floor and how we're going to set up virtual booths and talking about Zephyr and then start getting these types of interactions happening that we used to have in person but at least do it in a more safe way until we get better solutions out there for the virus. There are so many innovative people in the community or I mean not in the world that they will be doing a lot of things. Now there are a lot of people who are Zephyr member but they're also a lot they're using the project but you're not even aware of them. So how yeah so while they can freely use the project but when it comes to security how do you ensure that irrespective of if somebody is a member or interacting with you or not to make sure that whatever devices they're running on safer are still secure. We've got a lot of testing we do a lot of testing with Zephyr there's a tremendous amount of test infrastructure there's you know the whole regression infrastructure we work to various thresholds of quality levels and we've got a lot of expertise publicly documented all of our best practices so we're confident enough and we want to be critiqued if we're wrong tell us you know the security team is top notch group of people I'm really so proud to be able to work with them they do a really good job of caring about the issues as well as finding them and debugging them and making sure anything that comes up gets solved. You know in that sense there's a lot of really great people working on Zephyr and it makes it a really fun community to work with no question. In fact it's growing fast actually we're now over 700 contributors into the project based on the stats from last week and it's like wow it's moving and people are finding it useful for what they want to do and they care about security and they know we care about security and if they have products and they don't want to be visible any other way then just please register on the page that lets us know about them and that they've got a public product out there that it uses Zephyr and we'll cross check with them and then we'll add them to the list so they can be notified about the embargoes. Thank you so much for taking your time out and talking to me today about these projects.