So I guess none of the chairs are here and we're all just kind of sitting on the call waiting for something to happen. Does that sound right to everyone else? Sounds about right. Mm-hmm. But I'm sure all of us can probably figure out how to run the call. Sounds like we have a volunteer. Should we wait a couple of minutes more? Mmm, no time. Well, we may be able to make it quick. Okay, we all have things to do too. That's true. I'll start getting the document together. It doesn't look like anyone had signed up to run the call this week either. Maybe we can... Do you want me to? No, it's not that useful. I was going to propose starting on the updates, but that's fine. If we don't have anyone to scribe or anywhere to put the scribe notes, it might also be slightly premature. Yeah, I can take scribe notes if you guys are going to drive the meeting. Okay, Ash here, great. Okay, so I guess maybe we will start with updates then. Is that okay? Works for me.

All right, I'll go first. I've been working on due diligence and other documents related to things with TUF and, to a much lesser extent, in-toto, which Santiago will talk about. I've been going through that part of the process, which isn't as well specified as I'd like, and what actually seems to happen in practice seems to be quite different from the documentation. So I'm hoping those sorts of things will settle over time. That's it for me. Next on the list.

So we just did our Falco incubation review with the CNCF yesterday. It looks like JJ and Dan are on the call now. Yeah. I'm sorry for the delay, my prior meeting got... but it looks like you're running the show. As part of our incubation review, Joe Beda is going to be looking at doing the due diligence, and then I think he's going to be reaching out to SIG Security and getting SIG Security's thoughts on the Falco presentation, or the proposal.
I'll drop a link as soon as I can in the... sorry, Ash, for messing you up, but I dropped a link in the document. I'll drop it in the chat as well for our proposal. I'd love to hear any of the community's thoughts or ideas around our proposal and the growth of the project and other things like that as well.

This is Emily, no real updates. We are still waiting on the floor plan for the room layout for SIG Security Day. Yeah, and registration is back open for that. So if you haven't gotten in, I suggest you do it ASAP. How many places have we got now? How much more? I think, depending on how many cleared off the wait list, I would probably say like 25, but I'll ask. 20 to 25 seems accurate. Michael, can you hear? Okay, don't leave me again. Yep, Dan.

So congratulations on a great presentation yesterday. I thought it went really well. Excited to have Joe and Gates there, and also really excited to see that this will kind of be one of the first proof points where the TOC is going through a process, looking to document the process and potentially engage and choose where to engage the SIGs. That's great. The sort of interesting discussion that we didn't have an opportunity to dive into yesterday at the TOC meeting was kind of the delta between OPA and the runtime policy interface. Is that something that you want to go into deeper? Yeah, I'd just love to get your thoughts on that and whether that's worth exploring or if that's just sort of an internal implementation detail that you view as something specific to Falco.
I think it's more just something that's specific to Falco. It's almost a way of creating an API for Falco and exposing it through what we call the runtime policy interface, and kind of creating this reference architecture API for Twistlock and Aqua and StackRox and Falco and Sysdig Secure and the three or four other projects, or products, in this space, so that there's a common API to configure each one of those tools. You can then start getting into this idea of having some hierarchical model around how you apply runtime policy inside of your cluster, and you have either a CRD or a Kubernetes API directly that you would hit to configure cluster-level policies, namespace-level policies, and deployment-level policies. That is more focused on configuring these underlying runtime engines than what OPA does, which is helping you make decisions as developers are interacting with Kubernetes and the cluster and deploying software and other things like that. So it's a little bit of a different space. Got it. Yeah, I'd be happy to talk about RPI and our thoughts and motivation on that in a future call. Yeah, I was going to ask you. I mean, it'll be good if we can open up an issue and pick a date when we can talk about it. I'm curious myself about it. Yeah. Okay. I dropped a link into the chat and I'll make sure that we add an item to the agenda. Appreciate it. Yeah, thanks.

All right. Back to updates, I guess. So we haven't set up an agenda for today's meeting. So we'll get the updates and then we'll keep the agenda open in terms of what people want to talk about, unless somebody already has an agenda planned. There was no discussion of the agenda before you got on the call. I think we were just starting to do the updates. So I think we want to run through those real quick. I have a potential major topic. If I can propose something, I'll hop on after the updates. All right. Okay.
I have an update about the supply chain security project. I made the first PR of the sources catalog. I think Brendan took a look at it, but I would like it if more people could look at it. Something else I also started digging into was the security hub from Falco, because I think some of the resources can be adopted or moved over or shared, or just general collaboration. I think it's a good idea to have a link between those projects. The link of the PR, if you can.

So who's next on the updates? Probably me. This is Amy. We have the updates for Security Day; Emily's already covered that, as you all know. That's pretty much it from my side. Awesome. Next one on the list.

For me, yes. I think Dan covered a little bit on RPI. We had a meeting with the TOC earlier today. Like what Dan said, we are working through a process in terms of how to engage with SIGs in project onboarding. So that's going to be an evolving process, but I think we are getting some clarity there. The other thing that came up was RPI, which I think could be... I'd be interested in learning a little bit more, and I think it's useful for the community, for the group, to know a little bit more about. Michael's taking the lead on that. So yeah, that's mostly what I had from my side on updates.

No updates from me this week. I just wanted to get some information about the OPA assessment PR. What's the status on that? It's been around 22 days since it was opened. Do we want to close on that? Are there more comments? So if you guys have any thoughts on that, that'll be really appreciated. Yep. I think I went over that a little bit and made a few comments, but nothing major. Yeah. I'd encourage everyone else to probably give it about a week, until next Wednesday, and then I would just close it. Sounds good. Thanks. Awesome. All right. So that's it.
So I was going to do a check-in, but I turned it into a general topic. Go for it. Go for it. Yeah, I think we're done with the check-in, so take it up, Dan.

Great. So coming out of this discussion with our TOC representative, Joe, and just beginning to explore what the interaction patterns and eventually potentially policy are that we'd want to see happen with the SIGs, I think a really useful thing to define is: what are the things that, if a TOC member like Joe were to ask for guidance, or ask whether they should engage with SIG Security, we would want to ask? If we had sort of pre-packaged three to five questions, let's start with three, three questions that we would want to ask a project to decide if we want to spend time with them, what would those questions be? That way, Joe's plugged in with us, so it's a natural fit, but assuming in the next iteration it's not Joe, it's someone that's not our TOC representative, we would still want that engagement, and we would have set an expectation that we're going to partner with our TOC members to deliver subject matter expertise and potentially engage folks in our processes, like the assessment. I just wanted to open the floor on that. First, I guess we could start with: is defining a few questions viable? Does anyone have any questions about the process or the interaction, or a proposal of what those questions may be?

Yeah. So I just threw into the channel, I'm sorry, into the Zoom chat, a link to the CNCF TOC's due diligence template.
It's my understanding that this whole document doesn't necessarily need to be filled out, but the reviewers use it as a thing to guide the questions that they ask to make sure that the project is of suitable completeness to be considered for the next level. So this might give you a good jumping-off point to think about what the questions from a security perspective are that we're most interested in, out of this long list.

Speaking of the due diligence template, is it documented how it is used within the process of reviewing, by the TOC? No, it's not. So this is essentially what Joe would then go and take and use to do research and to ask questions about Falco himself. Then he goes back to the TOC and says, yes, I believe that what Falco has proposed meets our criteria, and I've gone through and done the due diligence and I'm comfortable with the project. But I don't believe, and my understanding, Amy, correct me, is that the projects don't have to fill this out and answer all of these questions in order to be considered to move to the next level. This is just kind of guidance that's given to the reviewer. For incubation, I believe that's correct; for graduation, it's much more focused on being complete. Okay. I believe it would be good to have that. I don't have that bit of text saying that's what needs to happen somewhere. I may have missed it, but I recently read through most of those documents and I didn't find exactly what the purpose is.

And as someone who just went through being asked to go to, or asking to go to, incubation, I agree with that sentiment. It's hard to understand. And then, to Dan's point, which is a great reason for him to bring this up, it's like, when Joe goes and asks SIG Security to take a look, what does that mean? Right.
From SIG Security's perspective, I honestly don't feel like I have a good answer for that. I also feel we're in danger of running in circles, because my understanding is that the security assessment was serving a similar purpose, and it's documented that it should provide a recommendation. Right. Right. Yeah, that's a great point.

So the assessment process is applicable, and those are capabilities that we're bringing to these processes that haven't existed in the past. The thing that I don't want to do right now, especially since we have a volunteer group that is supporting this, is advocate for an explicit mandate. I think we're still in that discovery phase of how we work together, how we set expectations, how we deliver on resourcing, what happens when there are too many projects that exceed our volunteer capacity, how we deal with that, and what's the interplay between an assessment and a formal security audit. So there's a lot to sort of tease out. And I do think that one of the questions could be: have you signed up for a security assessment? Do you think that your team would benefit from an in-depth look in collaboration with SIG Security? Those are the sort of questions that we can put forth to Joe, and subsequently the TOC members, to begin to define what we expect and what we want in this engagement, and then you just sort of negotiate.

Yeah. So my understanding is each respective SIG would be asked to go and take a look at a project that falls under the purview of that SIG. So since Falco is a security tool, they're asking SIG Security.
Now, SIG Security would be asked to do an assessment on a tool that's not necessarily a security tool because they do the security assessments, right? But I think we could probably come up with a generic list of questions that the SIG should be asking, whether you're SIG Security or SIG, I don't know, Authorization, I can't think of another SIG name. Storage is a good example. So we have something in our sort of operating mindset to use as a counterpoint: storage and SIG Storage. Keycloak has a data storage that it relies on internally, and it's just a relational database. It doesn't have a storage abstraction. So that would be an issue. Yeah. Yeah. Yeah.

But I think we could ask questions around, like, does this project participate in the community? Are they bringing things forward? Is the project seen within SIG Security as a well-known project that's used? Is it technologically sound, by members of that respective group, right? Kind of more generic questions rather than explicit metrics. Yeah. These are not assessment-level questions. These are just engagement-level: should we engage, or, given that there's a security component to this, we would explicitly like to assess that, and think that this interacts with or conflicts with XYZ component in the ecosystem. Does that make sense?

I mean, part of the meta challenge that we're grappling with is the TOC is taking their process and trying to make it a bit formal along the way, right? So there's formalization that's happening at that level.
And we have been formalizing and making our own processes more robust, and now it's time to sort of negotiate some of that fit-up. It does make sense to me. I just think we can make the most out of the resources that we have in SIG Security so as to provide information that they can use to make their decisions. And I think we worked very hard in figuring out what the self-assessment should look like, so I think we can somewhat reuse some of that work. Yeah. And I think we should also continue to use this opportunity to formalize and grow understanding of how we schedule and fit in assessments, the full process.

So security assessments aren't required for incubation, but they're required for graduation. Is that right? Yes, that is correct. So what if we came up with, to Santiago's point that he just made, the 10 questions from a serious security assessment? There are obviously a lot more than 10, but what are the minimum things you need to do, from a security perspective, to move into incubation, right? That would be a very easy thing. And it doesn't have to be binding, but like, these are the minimum recommended best practices, and those kind of become the questions that we ask.

But I thought Dan's suggestion was more along the lines of basically baiting or inducing the projects to actually engage with us. So it should be like three questions that are interesting for them, so that they say, oh, maybe I should talk to these guys. And then we can go into the detail and give them the whole suite of questions.
But what are kind of the three questions that a project should ask themselves that make them realize that maybe they should talk to us? I actually don't know what those would be, but I think that could be interesting.

We can go down this path, but my view is that the point of the self-assessment and the other things around this was to get the information we need to do an assessment, to understand the security of the system. And I think that just going and trying to distill it down in a different way, especially if it's something we're trying to get some uniformity in across projects, may not make a lot of sense. That was one of the issues we realized when we started to put the assessment together: you're just going to have a very different security perspective depending on what the project is, because cloud native is so broad. So we can sort of try this, but the three questions I would list, if I had to list them, are: did you talk to the security group? Did you do a security self-assessment? What did the SIG Security group say in response in their review? But maybe that's just me.

I mean, yeah, I tend to agree. We've come up with this process that we think is a good one, and I think we need the TOC to agree with us that it's the right thing for projects to do. And it's not at the moment even compulsory for graduating projects. So at the moment it just seems a bit like they seemed to like it when we presented the OPA one, but I don't feel we've got formal buy-in for it at the moment. Which is what we're negotiating, right? And this is the opportunity to begin to negotiate and formalize that.
Up until this past year, there was kind of an open question of whether SIGs and working groups would even be a thing at the CNCF level, and there was sort of a minimizing of that. And now SIGs have kind of turned the corner, and they are serving as a density of subject matter expertise. The state of the universe and the system has evolved, so we can begin to help formalize and participate in that process.

Michael, I think there might be an interesting exploration for us to assess here, where Falco, given all of the work that you had to do with incubation, decided to make the choice of not doing the security assessment since it was not compulsory. Right. And if it were compulsory, would you have made the same decision? Probably not. Right. Yeah. I mean, we would have to do it if it was compulsory, right? Sure. And what were the factors that led you to make that decision? So that I'm not operating on assumptions. We just didn't have the bandwidth given the timeline of when our meeting was, and of course we're wanting to try and get the incubation vote done before KubeCon. So it's a timing thing. Yeah. Totally reasonable. Right.

Sorry. I think it says something. No, good. I don't mean this as, like, I'm not trying to fire a shot at Falco here. I'm trying to fire a shot at the TOC. Let me just say this ahead of time. But to me, if the TOC says, well, it just takes too long to figure out if something's secure and that's stopping us from putting things into the incubation phase...
That to me is a big problem and it's exactly the wrong message to send. I would think that if we're trying to get people like Falco and others to be more secure, and if the TOC cares at all about security, which is supposed to be something the projects aspire to, which I think is one of their goals, then instead they should really be pushing us to expeditiously do an assessment of Falco and viewing that as a way to get Falco in faster rather than slower. Yeah. I agree. Sort of a fast-track process, a carrot for projects who do it.

Yeah. And quite honestly, if they would have told us that the requirement to get in is to do the security assessment and then the three other criteria, like a healthy number of commits, three end users of the product in production of note, and I forget the other two requirements... I mean, if the security assessment was one of those things, we would have shifted time to go and do that. But the problem is that the requirements are somewhat big and opaque and opinionistic. So instead of spending time doing the security assessment, we spent time basically putting together a pitch deck, for lack of a better word, trying to make our case. You know what I mean? And if the requirements were much less opaque and opinionistic, then we could just make sure that we meet these very opinionated requirements. I don't have to spend time selling it and worry about it being a subjective process. When it's a subjective process, I'm going to go spend all my time making the sale versus making sure I hit the metrics. Right.

Which is kind of the jumping-off point for me, making sure that the TOC members are armed with the things that they need to ask, rather than it just being a subjective question that comes to us.
At a high level, it could be subjective or it could be formal. I would like to ensure that there's some level of consistency, some level of breadcrumbs that we leave for both the project and our members, and that we're evolving. We can change this over time, but we should be evolving that process rather than just having it be ad hoc. Yeah. Right.

And one other thing I want to just add in here: if you want to look at a project that took the exact opposite approach, you should look at in-toto. Within in-toto, we spent a tremendous amount of time doing the security assessment and going through that process in detail, and getting everybody in this group, I think, to be very excited about it, as evidenced by Santiago now going and doing all the software supply chain work here and all the other stuff like that. I think that project really went way above and beyond on the security side. But then when we went to present to the TOC, we spent a few days and put the deck together and did things like that, but we really got hammered, and it got added into Sandbox instead of incubation, where we had kind of thought we were going to be added. So far, the kind of message from the TOC is that the pitch deck is more important than substance. At least that's the message that I've heard, and I think it's the wrong message. Right on. Yeah. I guess I would put it a different way: making your case is more important than the objective data.

So some context on discussions that are going on around that: I mean, the TOC is well aware of the lack of clarity and the need to be providing clarity to intake projects, right?
One of the things that we were talking about earlier today was an iterative way to frame the questions so that the inputs that are given from SIG Security are relevant and useful for the TOC to make a decision. So it becomes a little bit more substance-driven than pitch-deck-driven, so to speak. So there is an awareness of that process, or lack of process, and an awareness of the need to gain more insights and information to make an informed decision. So it will be useful for us, like what Dan started mentioning, to frame those kinds of questions that both we should be asking the TOC and the TOC should be asking us, that are highly specific and highly relevant, coming from SIG Security, and that will be useful in evaluating the project. And there is a fair amount of understanding that it's going to be an evolving set of questions. It's not going to stop at three or five questions. But it'll be useful as a group for us to say, these are the things I think we should be evaluating as part of a security assessment, or of taking a security project into the CNCF, and this is our data-gathering process. Let's say, as simple as fitment: fitment in terms of what are the use cases that a project solves, how it solves those use cases, and how does the project fit into the landscape that we are thinking about. This as the input to the TOC itself would be super useful data for the TOC to make decisions. And I'd like us to hone in on that and add more to it as a group.

What about the non-security projects? You specifically said security projects there. But the non-security projects are also important because they're even less likely to think about security issues in many cases.
No, that's a great question, because the converse of that is, for one of the security projects that they were evaluating, it could be nice to get SIG Storage's input on it, to say: is the storage abstracted enough that you could swap out the storage, or is it so tightly contained that it's not, quote unquote, cloud native, right? So in a similar way, I think any of the non-security projects will have a component of security, all the way to the extent of, oh, this is Prometheus, it doesn't have security, or security is not its concern, and having that established itself will be useful. But I don't know how to... I mean, at this point I'm considering the amount of work that we have. I'll leave it up to the TOC to call it out, in terms of, this project looks and feels like something that I want input from security on, and then we'll take it up and say, okay, let's take a look at it, right? And if the project is proactive and wants to pass it by security to get inputs, which I would hope eventually we'd get to that state, then that'll be a super welcome change as well. But that's a good point, yeah, in terms of why non-security projects. I mean, it's obvious in terms of a security project, yes, it makes sense. For a non-security project it does make sense, but it becomes somewhat on a need basis. Does it make sense, Justin?

Well, Justin, since you're ambiguous, I'll jump in here. I want to say that, philosophically, I think all projects should have some security review. I think the days when we say that a project doesn't have to worry about security, I think that's a laughable statement, and I'm not trying to call Prometheus out by name, but I think it's laughable in 2019 for any project to say that security isn't a concern.
So even if all we say is, there are some rough edges, beware, don't use it in these terrible ways, or, for the thing you're likely to use it for, it's secure enough for these reasons, and you can do your own risk assessment and figure out if you need to be more concerned than we were when we did our assessment, I think that would be helpful. I agree.

How can we get those concerns to the TOC? It seems like they think of us in a similar way as storage, and we think we are more like a horizontal, I guess, in that it affects all projects and not just security projects. I guess storage is specifically engaged in storage-related projects. I think you can clearly say this is not a storage project for some of them. I'm pretty sure if we bring this up to the TOC, saying we want to take a smell test on every project that comes in, the TOC would happily say yes. Maybe we should, to cap this point. I think we should pitch in and give our thoughts on those projects. I'd be happy to bring it up, or if you want to bring it up with the TOC, that will be okay as well. I'm in the middle of a bunch of other discussions with them about the TUF things and stuff like that. That may muddy the water a bit. It's probably for one of the chairs to bring it up. I don't really care who. I'll drop a note. I'll keep the team informed.

Do we have any other topic that we want to cover? We can give 15 minutes back to everyone's life. Dan, any closing thoughts? Awesome. Thank you all. Cheers, everyone. Bye.