And Brandon, how are you? Good, good. Did you move? Yeah, I did. Quite a while, actually, last year. This is the first time I'm seeing a new space. It's probably my camera being, like, different. Like, my camera being turned, usually, like, that way. I love the Star Wars story. Yeah, I used to use my MacBook, but I got, like, a camera on my display, so it's easier. Maybe that's why it looks different. Yeah. But that's the same room when I've been for last four months, I guess. Yeah, so I'll need, like, a five minutes for update on that, on that item. Okay. Are you, is this something that you're, I know, like, Vinay Arjun created that issue. Are you working with him or is this something that you're kind of just picked up? No, I just picked up. I'm working on it because if I see, like, lots of intersection. I've been, like, talking about that Scorecard from SSF. For a while. Yeah. It seems to be like this is what we need to start with the easiest one. Yeah, that's, we'll, we'll have some discussion around that. After we cover the main, we have one main topic today, so I'm, I'm not worried about. Yeah, yeah, so it's, it's not like, if you have time, I can give an update and ask a few questions, sir. Because I need to figure out where to find the date, some data. Okay. Since it's a short one, maybe we'll just do it and start then. Yep. Again, do it this way. Everyone, I'm going to paste the link to the meeting notes in the chat. Please go in and put your name down. We'll give it a couple, couple of minutes. Andrews to see the weather's nice out for you. That's right. Oh, that's in your office, man. Is that the Vega mansion? Is that the, the West Wing? Public space. I'd wear sunglasses when he takes meetings now. That's how it is, man. I like it. It's a good move. I haven't left this basement about six months. I don't even know what sun looks like. All right, so a couple of things. We'll wait a couple more minutes. 
Okay, so I'm going to paste the link to the meeting notes again. There we go. And let's get started. So, I see we have a new scribe bot. Tim is testing a new scribe bot for us. Let's see how that works. So, before we start again, just quick reminder. This is under the adhering to the code of conduct for CNCF, so the general rules and guidelines apply. And of course, again, this meeting is recorded and will be published to you later. So today we have one main agenda item. We'll be going through some of the work that we've done for the cloud native security map, which is a branch of the cloud native security. But before that, let's go to, let's kind of do a check in. Let's see here. So, I think we have a couple updates. Tim, are you there do you want to talk a little bit about the transcription service that you're testing. Thanks Brandon. Several months back, I had heard you guys were, you know, having someone take notes and then upload it and there was a GitHub issue related. How can you simplify that. So I went back into my basement and started to evaluate how can we, you know, enable that. And so I'm now testing something that I wanted to then show back and then get feedback on and so essentially what it would do is it would do a transcription. It records the video. It allows you to search snippets of the actual transcription. You can see the screen transcription play real time. You can highlight it. And then as you if you highlight it then it can pull those highlights, believe together. So I wanted to kind of like test that out and then see what the value, you know, was is it useful to save you guys time and what the use cases were and stuff like that. Oh, this is awesome. I'm looking at it right now. Oh, are you okay cool. Yeah, I'll actually a little bit of an agenda. Okay, thanks Brandon. Yeah, so, you know, just testing it out I vetted it out on some of my own meetings but figured you guys have been the first one that kind of raised your hand. 
I raised your hand that said this is something that would be helpful because it did a couple of things of my understands right (a) it may lessen the load on a potential scribe, (b) we may it may we may try to help automate the pushing of it from one place to either YouTube or we already have the recording and then you can just link to it automatically I need to flesh out your workflows for that. At some point would like to learn a little bit more what like what's the why you record them what's the biggest pain around them what's the biggest benefit you want to get out for it for your community stuff like that so I can get beyond oh it's just transcript I want to get at the, the why like what why it matters to you guys I can really hone this down. Yeah, I think it's kind of the main two things is one like getting someone to kind of take some scribe, scribing some notes during the meeting. We used to have an issue with getting consistent scribes. Another one is actually being able to search through and find the things within like past meetings. Okay, great. Perfect use case is what I was thinking. Yeah, I think the biggest the biggest value from for me, when I go through meetings which I do not attend. It is an easy way to distill what's been happening what's important because you can just go through like one hour of reporting sometimes yeah. Okay, cool. Tim will it make Andre's jokes funnier. That's the question. Do we have that out on we've added that to the platform. If you wanted to fake it you could highlight it and then say it's funny and then vote on it I think there's a way to use comic sans that's the question. Brandon Wander may ask he direct. Okay, unfortunately, no. The real test is will will be able to parse the gibberish or not. Yeah, I mean people talking at the same time. Yeah, so actually that is interesting we, we did test the ability to do speaker identification. Does it. 
Well, rather than relying on AI, it actually just looks at who's physically speaking, and then pulls that track and then as the title so I think it's been pretty good about the overlapping and then speaker assignment because it's not trying to use an AI tool we looked at a bunch of ways to do with AI it just that's a very hard problem to solve. Let's run it for GPT-3 to get like really distilled notes of that. Yes, yes that's another one that I'm looking at see how do we do the note the note taking solution on that is is tough but we're thinking maybe if it's people highlight stuff that might be a way to get something with a little bit higher fidelity. And if you look into the who's I think it's in the chat, maybe maybe it's only the admin can see it but I think when we add them in. This is the moderator then you can see so in real time people can actually look at this and if there's something interesting they can literally highlight the transcript. Okay yeah I think I think we have to play around with this. Cool. All right thanks everybody. All right. Let's see no updates. So I think before we jump to our main agenda item. I think either I wanted to give an update on issue 496. Yeah, I've been looking into issue 496 on GitHub which is project to create an automated security framework to evaluate CNCF projects. It seems like from the notes and some offline discussion. There, there is a tool already from Open Source Security Foundation called Scorecard which is basically pull all their required data and do specific checks this could be extended but I think it's at this point it's pretty comprehensive. So compared to what we can build from scratch so rather than building something it's better to reuse it. They tried to do run it basically through some number of open source repositories not CNCF related just run them and there is some public data but it. 
It's been updated for a while so my initial thoughts was just to kind of use it and create a pipeline, but to fit a pipeline with the data. I need to get this repository is like CNCF repositories. Any good source of this like does anybody know where to get it. I thought maybe to use I don't know cloud native security landscape, but I don't know if it has like direct links to repos. Have you seen the Linux Foundation security dashboard. Yeah, yeah I think I've seen it I don't remember if it has like links to repositories or it has a links to the project itself like I think the one I've seen has like links to projects. So I looking for something similar to that I said this, I think it was something a little bit different. A little bit different in terms of the project might have a multiple repositories right. So if you want to do this, which we want to include. And what would be the source of this data right because if you look into CNCF landscape there is like hundreds of projects, and if each of them have like few repositories it's like a few hundreds so I thought there might be data already somewhere that's pre populated. And the same like when you guys working on security related a landscape it is also links to projects, but if we can use it as a starting point for getting links to repositories that matter, then we can include it and I can just basically feed all this data and kind of experimented with the dashboards with this data but it's, it's kind of pretty interesting information in there, in terms of like, I know, 99% of not signing at all, like, nothing. And don't care much so probably can look into this data in future and see what we can improve and working with CNCF on that. So what I hear is, it's like a best practices badge app that rather than being a self assertion of sure we signed this thing or we don't sign this thing it's actually a tool that does automated checks for a rubric of security things. 
And yeah and provide like basically information in terms of if you don't have it what you can do to enable this using like let's say GitHub. Okay. Yeah, that's interesting. So, I think and like the scope of everything an assessment entails. It could help alleviate part of it, but it's not going to be the entire assessment right because the focus of the audits and assessments are less. Well, we do do a number of checks of yes the project follow secure development practices but it's more about, hey, this are the set of considerations once you deploy this at runtime, depending how you set it up. No software is going to be intrinsically secure. And these are the compensating mechanisms or the compensating controls you should enable or the questions you should be asking of how this project interoperates with other things in the ecosystem. It does do anything related to audit for sure. So it does specific checks I can send a link to a to a chat. You guys can click on it. And it's basically simple things that you can derive and understand from any GitHub repository like has nothing to do with audit it just like maybe one part of it do you follow the best security practices for for open source that's recommended. So it does one that things, but it gives a pretty good overview in terms of how their projects being run in terms of following these best practices. So it's like does not require doing manual things so I remember we had a discussion here one day about check for security policy. So like one of the checks implemented by the tool is checking for security policy. What is signed inside that policy is completely different like this is something that needs to be reviewed by human, but at least you can use it as an easy way to understand whether there is some scene or not. Yeah, whether that's something is make sense it's much more complicated or implement automatically. 
It would be interesting to test of take like the security policy for the project like I presume this is going to look for like a SECURITY.md file and the repository and some projects might have it and the GOVERNANCE.md or might have it somewhere else. Yeah, so it's it's it's pretty easy to extend in terms of like what to what this tool needs to check like we can easily add like whatever checks the need on top of it but at this point I feel what they have is enough for like initial run and understanding where we are and implementing all this automation and kind of have this comprehensive view the only the only question would be like where to get data for this is it like manual still work needs to be done or something that's already exist. So if you ever come across like list of repositories for specific projects. Please go to that ticket and put it there and I'll take care of it. Yeah, the the other challenge of considering we're doing the Buildpacks assessment right now is projects that have a spec and have a runtime implementation. SPIFFE is another example, like, you're going to run this against SPIFFE and it's not going to pass any of the checks, because it's just standards, right. Yeah, yeah, absolutely. Yeah, that's why I'm talking about what repositories matter like SPIFFE itself has like bunch of projects. And this projects a matter for for these rather than just SPIFFE that's just basically contains bunch of md files. Totally. Yeah, it sounds it can be useful. It'd be a matter of well, what's the, what's, how do we amass the activation energy required for either us to introduce it as a soft requirement and assessments for the TOC to ask during sandbox and take or incubation due diligence, or something that yeah becomes a mandate at a higher level. 
Yeah, maybe since they have also like need to collect like from the projects not just like projects usually contains bunch of repositories so maybe since you have need to collect also like what repositories are really matter from this project or not like there would be like 10 for 20 or 30 under one project but only like 5% of them really matters. Totally. It would also be good to, to help maintainers understand what is it that they get in return, other than just additional friction and having to put in this thing and take, take Sigstore like it's it's having a lot of traction considering how relatively short time it's been since it was open sourced, but it solves a real problem, a real pain point for how to sign releases so it looks like a new project is onboarded every day, because people understand what they get out of Sigstore and the transparency ledger out of Rekor. More than well we're bringing in more more overhead around checks and policies but it's not really alleviating any of our pain points and it's more for others. Awesome. Cameron, did you want to add something I thought I saw you wanting to say something just now. No, no. All right. Thanks, Eli, if you could kind of maybe put down your asks in the issue. So that, you know, those are not part of this meeting can do that. And maybe, you know, probably after we get some feedback we can also lie interested, you know, we can bring this to TOC see whether they can help with this. Cool. So, make that back to the meeting notes. We have no other updates today so we're going to go straight ahead to our main agenda item. And thanks Alex for helping describe. All right, so today we wanted to give a sneak preview into the work that we've been doing with the cloud native security map. To provide a little bit background for those who are not familiar with this project. This is based on the great work done with the cloud native security white paper. So, the idea the white paper is a cave. 
It was a way to cover the different concepts of cloud native security, and to introduce those concepts. When we were doing the white paper intentionally left it on a very high level, we didn't want to include any projects we didn't want to be have any things implementation specific. And so, one of the things that we want to do with that is to provide a document that has also a bit more of a practitioner's perspective to it. This was initially called the landscape right landscape where we had a bunch of projects a bunch of categories. But we figured out that, you know, having a bunch of categories and having a bunch of projects doesn't isn't really that helpful. It's very difficult for someone to go in and figure out what other projects that they need to do something. So we started off the cloud native security map. And so So this is what we have now so this we started this a while ago, a little bit was like content creation, but the idea is, you know, we have to create a website or results that people could navigate easily. So the idea is this the cloud native security map. And the idea is you could go into like different sections of it to check out, you know, what's relevant to you or can just go through the document. So the idea is, for example, if you go to distribute and say artifacts and images and sign trust and integrity. Right. So what we have here is kind of like the general concept this is from the white paper. So on top of that, what's being added to this website is one of the sub projects. So the idea is you could link to different projects which may be relevant let's say, as a practitioner you say I'll know if the men signing trust integrity. Okay, then now I can take a look at these projects which are relevant to me. And on top of that we also have these examples added to kind of illustrate, you know, what are the type of controls you want to, you want to do, you know, what may be a way that you implement that. Right. 
So for example, I was signed the image manifest with the trust. You want to attach metadata for the image such as an SBOM to it. And they can make policy decisions on it. So it's like more, more implementation examples of implementation steps to implement a security control. We intend to intentionally say upfront that it's not a checklist, because obviously different different organizations have different requirements. It's different, but this is kind of general guide into what what are some things that you could do. So the initial scope of this really was to to go one step further to say that okay, now I'm looking at signing trust integrity. I in the distribute stage, right, technically, whenever I perform a task like signing. I want to perform a verification on the runtime. Right. So there is also a section for example, I think it's here where it's something like that image trust and content production. The idea is that we would have some additional links over here. This is still something that not part of the initial prototype but there will have been links here to say like, okay, if you're into my thing, signing trust integrity. What are the some of the other areas that you may want to consider next or you may want to think about when you're implementing this. So, yeah, the initial goal was to have kind of like a visual map of it right so this is a initial prototype where it's kind of the sidebar. It's a more of a traditional document. So, what we are doing now is we are taking all the content that the committee has worked on, and we are putting in this website. So, and I'm going to paste it in here, so that everyone can take a look as well. But the idea is, you know, we would populate all these things. We are all not all the content and this is final we are still reviewing it and making sure that, you know, the projects we put in there. 
Kind of projects with a certain quality right we don't want to put we want to make sure that, you know, some of these projects are not, you know, somebody's weekend project, for example, that isn't being made today at all. So that's what this what this document is really about. We are still developing this. We still need a bit more content. So if you hit this contribute button here, you'll see we have a list of contributors here. And there are some of the some things that we still need help on. We are still building up the site. So if you're interested in like development, you can put your comment, put a comment on this issue. As you can see, you know, things like highlight the links. So that you can still do better than the website. If not other than that we still have some gaps in content that we want to help fill. So the idea we're looking for projects examples and links because you know the general concept of all being taken from the white paper. So the way you can do that is a mountain has set this up really nicely for us is that you can just all the different topics that you see here, actually map on to a markdown file on GitHub. Right. So, let's say if you hit like code review here. So this is part of the website that's being deployed and then you have. This is a code review page. So if I modify something and add projects here it would show up on the website itself. So, for example, like go back here. They contribute. So I say I want to add something to on the modify. For review page. Maybe get up. So this is just quick example you just create a PR for this and say update code review. So what happens is, we will review all the changes that are being done here. And you know, once this is much in the bottle pick it up and then it will update the website automatically. So this is the quick update for the security map any comments question but looking for a lot of feedback on what are some things that we can do do better. 
What are some things that people want to see on the website as well. And then a quick question and this may have been answered already I only just managed to join this meeting from another meeting. We are in the project section and we are only listing out the open source projects not the commercial ones that we put in the original doc. Yeah, so right now you don't see it here but that's actually invisible commands the commercial projects. I'm still evaluating what we want to do with the commercial projects I think that is, is a little bit of a sensitive topic. I appreciate that I mean, I guess from the Snyk perspectives kind of a difficult one I mean like we look at that section we're looking at now right the Snyk CLI is open source but clearly it's got a service on the back end right. Yeah, so. I think, I think there, there, there will be room probably to have some have some projects be commercial in specific cases I think I was having conversation with with Matt plan and then he said something like, you know for availability for the DDoS protection for example. You're not going to find a solution which isn't commercial. Yeah. Yeah. So I think we are so in those discussions. It's not off the table. I think if we think that there is value in it. I think we should put it there. I think also, you know, a lot of a lot of these concepts also some of them translate to, you know, coffee just right so if this is something that's already ended up at the cloud. The best, the best action forward for a developer would be probably to use the cloud service instead of trying to grow their own service anyway. Matt that that is still kind of the topic of discussion right now. Yeah, so we will see where we are on that but right now we are still, we're going to put everything over first and then we're going to figure it out. And then we have to probably talk to the TOC about this as well. 
One sounds like the discussion to be had is whether the map is exclusively open source or not, because if it's cloud native it should be a matter of answering is this solution cloud native or not. And point it out, we can draw a distinction, put a caveat of hey, these are commercial solutions that might have some open source or are built around open source. And we can yes put like open source solutions first or like add an appendix that well helps people and shed light of, hey, this is the software that exists that is cloud native whether it's open source or not. Yeah, I think we will have like a huge disclaimer somewhere and we don't we don't necessarily but not necessarily saying that these are like to go to commercial projects and also like the process of which these commercial projects should show up here is by basically whoever wants to come in and add at the project right I think we need to have some problems around it. As long as we have that we should be given enough information for people to make a decision. Okay. So, Yeah, one one added thought there is, if someone has a problem and they're looking for a solution. They might ask themselves well does matter to me that it's open source or not sure preferably it should be, but if I'm trying to solve for something and I'm not aware that I'd be hard. I would have to have lived under a rock not to know that Snyk is out there and it's great. But in case I didn't know it's like, oh, let me let me go click on this thing and I can consume it as a service. The Linux Foundation's own scanning stuff is Snyk in the back end. Yeah, I think this is like a problem that also like Linux Foundation realizes right right and that's just a reason for the LFX Security thing which is like people don't necessarily have a like smaller organizations so necessarily have a way to figure out why and how they should handle the risk of open source projects. 
Yeah, so I mean if that is clearly defined and I'm sorry to interrupt you but if it's like basically there are the projects out there from an open source perspective that may handle the situation but then also here's commercial ones that may handle, you know, those as well. I think it's it's almost like an à la carte menu you look at and you choose the one that's going to be the best solution for you and here's the ones that are kind of on this list. But it's the hard thing is if it's just going to be a set of tools. We're not making any back to square one again. Exactly. We're not like SIG Security should be the one saying these are the things that we think are the top three or something like that. And I know that's going to be really hard to do. Yeah, that sounds like a fun. You know that that's that's taking that fight even deeper but I hear you but at the end of the day like if we have a distinction is all I'm saying open source projects versus commercial. They have the decision to go, I where they need to at the end of the day everybody's happy I think but if we don't if we disclaimer don't have that. It's, I think it's, it's not serving the community well. The other thing when we talk about community. It's largely people who do open source and they're often just heads down maintaining their project. And they might have not used Snyk because they think well, we might we don't have the budget for this. Sure, it's a great enterprise product but we can't afford it ourselves. I saw that Snyk is great for open source projects, and a lot of people don't know that hey, if you're open source. Yeah, exactly. So, um, make people aware of that. 
What if it's a scenario beyond the people in the community but if it's something where somebody is looking at the security map as an entry way in, you know where you know look a lot of a lot of people know what cloud native is right but there's folks that obviously are trying to get immersed in this with what this is the entry way and are we saying, you know, we have we're saying we're only going to limit it to one or the other that's, that's the thing that I'm kind of like, let's Well, I think there's an interesting point here about, you know, there's, there's probably, you know, certain certain aspects of security tooling where there may be a benefit to you paying for something right where there's a deeper. There's a, you know, because it costs, you know, it costs a vendor money to actually build up databases and stuff, you know, there's a probably a class of things like scanning Kubernetes YAML right for common mistakes where in some ways the value that you're going to get from a commercial offering in that space is going to be very similar to the value you're going to get from open source offerings in the space right because everybody's going to come up with basically the same, the same stuff. But then there are other areas of security where you might benefit from someone having a deeper, you know, and I'm not saying this from the Snyk perspective I mean I'm thinking about things like runtime as well you know stuff where there is more, more complicated, you know, data involved. Yeah, it does. It does sound like kind of, I think we have to figure out what is the goal of how we're going to do some projects and really how far we can take it between like, how usable it is to, you know, trying to avoid like the king One thing I was going to say is that I think that if you're doing, if we do commercial, then we have to be very clear with their criteria, because every vendor will want on the list. They will want to be on categories as they can be. 
And so we need to have like clear written criteria so there's no questions or favoritism or anything like that. And everyone's clear is like, yes, you're in these categories for these things and here's how you get there. So because otherwise I can see this being like, you know, every single vendor who does cloud native is going to want to be in every single category. And that's just going to reduce the value because then it was like, well, everyone's everywhere. Yeah, I think we want this document to be useful. And we need to make sure that we, you know, we have it in a place that like people can look at this and clearly know what are the things that they have on the on the list here, but I'm sorry, Ash, go ahead. No, I already makes a good point like having a clear defined criteria for both the open source as well as the commercial projects, make it as transparent as possible. So there's no questions about it. I think that's something they're going to work on. Yeah, and actually going to be working on that like having a proper gating criteria for both the commercial and the open source. Yeah. So an important thing as well is I think we also need to define the different types of users that we need to target like as a developer, I can this certainly helps but if I'm the architect of a system or I'm info sector trying to come up with a compliance strategy around how to enable developers to do their work, or if I'm on the operation side and various roles there as well, like these security checks may turn into checkbox do you have something there and there may be a whole set of things that they want to focus on there, the fact that you're using Dependabot or something else that they don't really care which one you use as long as you use an approved one, and they have other things that they want to focus their time on so I think we should come up with some with some users that we want to target as part of the as part of the map. 
I want to cover some of the comments in the chat. I want to take some good questions as well. I like this actually asking about, what does the CNCF do for the other landscape in terms of projects, and I think that's, that's actually a good question. Do we have anyone. They include everything, everything. Okay. It's more like an astral map of the universe than a landscape. Yeah, Tim did you say you're working on some. Yeah. This is actually useful and it's good timing because I'm trying to figure out what the roadmap is for things that we provide to open source through LFX and I think in some ways there we can abstract away sort of the decisions are like, you know, for as someone mentioned already we use Snyk and we're looking at other commercial but then we've already done the pre vetting, and people won't have the question will this be expensive because it'll be done through LFX. So what would be helpful for me is as I build the roadmap is to understand well, what are the problems you want to solve and then we'll go off and figure out with your guidance like check out these vendors and then we're going through with the vendors and like, okay, we want this available for open source we wanted to, you know, go through our control panel the LFX project control center. We want to make sure it's still usable for developers and then someone mentioned you know the personas want to vet that out. So what would be helpful, I think is you started to do it a little bit with the examples was sort of like I started by, what's the type of vulnerabilities that people care about that we will then say okay we're going to find what the right tooling is. And then what we can do is we can then abstract away some of that and put into LFX, and then people won't have to go through. They can still use their own choice but we'll have vetted it out it'll be easier to instrument based on your projects the cost will be covered if you're a member of the. 
I mean all those things we can kind of take the lift off of the project TSCs. But I don't know the scope of the kinds of problems, how far people want to go, like for example, I saw here listed was SAST, but the people want to consider DAST but then now you've got to develop the run be able to run the runtime and then you've got to be dramatic this part of your CI/CD. And, you know, we're not able to generalize that completely and not everything has a runtime and so I sort of paused on do I really want to go down that path like I think I can share my roadmap or we can start with like what are the set of problems you want to solve like I started to look at what was the low-hanging fruit, like dependency scanning checking for the vulnerability database of things that are known. Like kind of basic basic stuff and I'm trying to get a feel how far this roadmap goes that we want to try to do. I think an interesting place to go to as well as you know the infrastructure side. So being able to run for example like CIS benchmark so like some kind of compliance scans against infrastructure. Yeah, I mean there's going to be a whole different thing and then it's going to open up a lot of costs of which I don't know whether it's going to be sustainable to manage as well. Yeah, so I think those are the things that I want to kind of get a feel for from this group since we're literally talking about it. And then things kind of can scan off like I was just meeting with like I guess CNCF uses Sourcegraph and I met with the CTO yesterday and we're like, it seems like, you know, someone else would have they wanted a project one have tighter controls over what security concerns they had rather than just relying on a black quasi black box, you know, volume database, they build their own patterns and we use that so I think that that's kind of where I would like to.
I'd like to, I like to hear and I can share like these are the problems I'm thinking of solving but then we can go off and take your suggestions on you know do we want to have a way so that OSS-Fuzz is really easy you just put in your repo set it up and then it'll run like that. And then you can go into your recommendations on, but whether it's open source or commercial. But but I'm at a phase where I'm literally was working yesterday on with the roadmap of problems we wanted to solve and I'd love your, your input how wide or how deep. Do we need to go is it more shallow and what's the most common. You raise a great point I think framing it at what are the set of problems is the most useful and making it a scenario driven like as technologists we're often subject to like marketing myopia. And we forget that people don't don't want the quarter inch drill, they don't care about the features on the drill. They care about a quarter inch hole. So what are the tools and yeah obviously you might want to ask well, what's the difference between a regular drill and electrical drill or like a hammer drill. Right. So depending on the trolley, like the material you're drilling through you might use one of the other right. Exactly. Sounds like the decision making criteria rather than being an exhaustive list of all the software that whether it's open source is like hey if if this is your risk profile and these are the requirements of your organization. Right, you should consider software that checks this this list. Exactly. And that's what I love to hear where how far we is the interest like you can go through the whole supply chain up to you know do people care about the binaries about the packages do they want to have a hash insurance, you know signature, all the way up to, you know, the commits like there's so many different ways you could go.
I'd love to kind of like put that in and I can either next time, share this is the things that I put you guys and say yeah we don't care about this or you know go into the supply chain all that packages is not interesting, but we only care about x, you know that that that I think would help us frame the scope of the problem. Yeah, I think that's great Tim do maybe do you want to present a little bit of what you have one of the sessions. Yeah, sure. I'll try to do it either maybe next week I mean I'm literally in the middle of like putting it it'll be very like half baked because I'm kind of keep the funnel open, but maybe this would be a good time for me to actually get it out of my head and in front of experienced practitioners that would be awesome. I think that I think that's that's something that we all couldn't be excited about awesome great super. I see Dan pop just dropped and I was ready to deliver a joke. Don't make that get in your way man bad for him. This is your show. This is what I heard from my daughter the other day, do you know why the computer married the Wi-Fi. Why, they had a good connection. Dad jokes. Yeah, you know the describe me I think that's that's a good action item to highlight. I think it made it made the cut. It made the cut. We'll see. Alright, so what I guess we don't have anything else on today's agenda. How do you want to do a shout out on Cloud Native Security Day Andrews how's that going I'll be registration so open. Is registration still open for Cloud Native Security Day. Yeah. I think there might even be a day of the event. Not exactly sure but yeah, it's it's trending up asymptotically we have a bunch of people signed up and we have a great content line lined up. Most of the recordings are due this week. So I know folks are working on that. I'm working along with a tie on doing the opening and closing. I know we have of the program committee but yeah, pretty much about smooth sailing. Awesome. Yeah.
KubeCon talks were also due Monday at midnight so I hope for this present thing, you got your talks in. Awesome. Any other thoughts going around if not weekend. Okay, awesome. Have a good week and see you next week. There's hope.