I will, I will also help if possible, but I'm not going to put my name under the scribes thing. Okay, great. I think that makes sense for our first meeting. And I still will look for another scribe. Ash, awesome. Alright, we're good there. So if you are new to the meeting today, we have minutes and I will go through and around our entire list of folks here and invite anybody who has any check ins from their other working groups or just general related activities, working group activities, activities to check in and I use the attendance list and in our minutes to go through that. So if you want to be called upon add your name there if you don't want to be called upon. Alright, I'll go ahead and kick that off. So this past week we, the co chairs have been working on getting things set up for KubeCon North America, we have, you know, the sort of standard sessions that we've normally been doing the intro and deep dive. You know, we're looking at having Sarah Allen, you know, go through our intro in this section in this iteration and we've had a lot of success in recruiting new members, you know, through these sessions. So they're very valuable and that will be in addition to our dedicated day. So, you know, the intros is related to outreach and we're going to be focusing the efforts of our deep dive this time in giving the first view of kind of the cloud native security landscape. And, you know, that's what we're targeting for the deep dive. So very excited about that. Next. Mark, very calming looking away. 
Hey, no news here I just wanted to put out an unwritten blog post thought which is that the design pattern for open source might turn the software development process upside down where we used to have 80% of the code written in house and 20% sitting in open source and five years from now what if it's the other way around and how does that change the way we manage security and it's not just a cloud native thing of course but it's a good heuristic for thinking through some of the security issues that we face which in most of the standards work tends to be relegated to conversation around the supply chain and I think that's kind of a lame way of looking at this that the problem really is deeper than that the connectivity to the repos and in the public communities is more direct than that and the other thing is is kind of related to that is the dual responsibilities that employees have to their what we call the day job in this community and the open source community don't always, you know, offer and operate in a congruent way, and that's something that we could probably address in a longer term in this group so both these topics are outside the scope of KubeCon so on but might be worth, you know, a recurring reset, you know, once in a while where we, you know, circle back in and cover this. Nice. Yeah, and beyond that Mark I'd love to see, you know, us explore that possibly in a forum that is outside of, you know, the 501(c)(6) initiatives that are directed towards and sort of built to influence the adoption of open source tech and kind of flip the table toward the needs of actually the companies. There's corporate interest there that, you know, actually have a meaningful place. Yeah. So when you say outside, what are you thinking? I don't know. 
I don't know what the right forum is, but, you know, I do know that if that forum exists in, you know, in directly in this sort of a forum that we, you know, we anchor in a bias that is, you know, completely embedded in that open source environment, whereas, you know, a lot of the, you know, the interest are not necessarily, you know, purely open source. It's just, you know, the fact that as you mentioned, we've moved from COTS to open source and there's a big, big difference in, you know, what we're thinking in, you know, and, you know, I agree that we aren't actually really dealing with that problem or that opportunity. Right. Great. Well, I do think that the anchor that we have for this forum for this SIG is the supply chain, but I do invite, you know, opportunities to, you know, look beyond the supply chain and look at the problem in a deeper capacity. Emily? So quick update on SIG Security Day from what I know I missed our call yesterday, but the website is officially done. That's pretty exciting. And we've got the minimum requirements for sponsorship covered, but, you know, the more the merrier means we get more bells and whistles and have more fun. As far as the supply chain ticket update, Jonathan Meadows and Santiago met just before this and weren't able to make it today. And they tossed around a couple of ideas. They've got a note stock going between them that I've reviewed and I'm working with them to try to get the ticket updated. That way we can continue to move forward. Their goal is to actually do a more formal kickoff and engagement in this meeting next week. That's all I have. Excellent. Thank you. Hillary? Yes, I joined for the first time with this group just a couple of weeks ago. So still, still pretty new and I was gone for a couple of weeks on vacation. So I'm pretty much just catching up. So no updates. Welcome back, Martin. Hi again for me. 
I don't have anything particular to, I don't have any particular as an update for this group but I could again say that I'm working on Clair and that's a security vulnerability scanner for Docker images. And yep, I'm adding support for Photon OS and if somebody has experience with it, I will be glad to chat with you and speak about this issue. Awesome. Martin, remind me again, is that for Docker Inc.? It's not, no. I'm working at VMware. Okay. Thank you. John? Sorry about that. I'm kind of finding the mute button. Nothing to note at this time. Thank you. Chris. Hey everyone. I will try to keep this as quick as possible. Just a couple weeks ago, I'm going to be working on Falco a lot, which means I'm going to want to get involved with security. So nice to meet everyone. I'm here to help let me know what I can do to make everyone's life easier. And in general, I'm just excited about security and Kubernetes. So I imagine we'll see a lot of issues and commentary from me starting to pop up around the Kubernetes ecosystem regarding security. In general, Falco is going to be the one thing that I am focusing on making as upstream as possible. I wrote a blog. It came out yesterday. There's a link in the notes there. If folks want to get involved, that has all of the, that's like the source of truth with pointers to all of the resources if you want to start joining Falco calls. So that's a great sponsorship here from the SIG would be helpful. As far as Kubernetes concretely is concerned, we have a branch that we're working on 682 in Falco that deals with pod security policy in Kubernetes, using Falco as sort of a controller or an operator to enforce PSP. So if you're interested in that, feel free to check it out. The question I have for the SIG is, if we wanted to propose a change, what is the best way to go about bringing that up in this forum, this video a change to implementing a new API in the Kubernetes. Okay, so real quick. 
And if this goes along, I'll put a bunch of the agenda. SIG Security is CNCF and not Kubernetes. So we explicitly do not focus explicitly on Kubernetes where we roll up, you know, Kubernetes and all of the related cloud native ecosystem. So the CNCF adopted the Kubernetes SIG terminology when we landed the working group, we went from CNCF working groups, which did, you know, have a little bit more of a mental separation from the Kubernetes SIGs. Now we are CNCF SIGs. So this is the safe, secure access for everyone working group, ratified and moving forward as SIG Security and the CNCF. So what is our involvement with Kubernetes then? Do we go through SIG Auth or how is that relationship handled? That relationship is partner. We have the policy working group that joined us and that is an overlap between the Kubernetes policy working group and our efforts. So we bridge to those working groups and, you know, have a number of the Kubernetes SIGs that we actively track and, you know, have readouts and report outs from. But, you know, we are, you know, partnering with those sorts of SIGs. There's no oversight or, you know, we're CNCF. Anything that's Kubernetes related is independent. Okay, cool. That answers a lot of my questions. Thank you for clarifying, Dan. Okay, the only other update I have is, and this is, this is yet to be fleshed out. This is the reason I asked about proposing changes. Starting to think about and talk about adding --secure to a number of cloud native CNCF tools such as kops, kubicorn, kubeadm, clusterctl, kubespray, you name it. And what that looks like and what that means for everyone. So starting to come up on my end was, if in a perfect world we had --secure, what would that imply and how would the SIG advertise that? Great. 
Yeah, so a secure by default or a secure default would absolutely be something that, you know, we as a SIG are focused on and interested in advocating for and exploring the techniques where we collectively can and can, you know, establish a good baseline, not, you know, open shift it and leave it to, oh, the vendors will figure it out. And, you know, that'll be all, you know, roses at the end of the rainbow. But, you know, advocating for how we, you know, align security as the default upfront. Okay. Awesome. No more updates. Justin? Can you hear me? Yes. Okay. All right. Sorry. My, yeah, my browser crashed again. So I'm calling in. Yeah, so this week, we've been doing quite a lot with in-toto. We have some exciting things to talk about, but I won't kind of steal Santiago's thunder on that, but some other big, big options that have been going on there. So expect to hear more soon. If you don't, if you haven't heard already. Excellent. Mark Vanney. Hey, this is just my second time joining one of these calls, so I'm still still kind of figuring out how we can integrate with the group, but I work for NCC Group and I run a practice there. That's focused on containerization and orchestration stuff. So you'll see kind of our team members that are jumping on this call trying to fit in and see where we might be able to help. You know, really wherever you guys need, what, you know, some open source projects, whatever, whatever we can do. So it's kind of my, my goal in a couple weeks here. Great. Do you have a heading of what sort of activities, you know, we have the security, you know, assessment groups, or, you know, more sort of policy, you know, directed efforts where we're influencing things like, you know, Chris is discussing, you know, any sort of bearings there yet. Yeah, yeah, that's a great question because like by, by day, you know, as somebody mentioned before, what we normally do is security audits. 
But kind of our goal is to go out in the community and see where we can start doing some influencing of making things secure by default and how can we lock things down in the beginning. So that's kind of why we're here now. Great. Well, I mean, you know, one way for you to drive that influence is, you know, also to see the assessment process that we're doing. So participating in that, you know, sharing your insight into that process, you know, that we're leveraging to support the, the TOC of the Cloud Native Computing Foundation, you know, is one of those directions. So if you want to sort of short circuit some things, there's a great opportunity to leverage your skill set and influence how we're, how we're communicating to projects coming into the CNCF. And, you know, then there's individuals like Mark Underwood and myself, who, you know, are here more for, you know, making sure that that adoption, you know, in the end, you know, aligns with our broader corporate needs and, you know, establishing the right practices to make that successful. Perfect. That's great to hear. I've got a couple of my teammates that are kind of watching your audit process now. So that's great to hear that you're in tune. Thanks a lot. Great. Ash. Hi, so I work on the Open Policy Agents. So last week I was at the Open Source Summit presenting OPA and Kubernetes, of course. And so, Justin, I'll be looking at the OPA assessment doc and hopefully have all the issues addressed by tonight. So what's the, I just wanted to know what's the process for next week. So the TOC update to about this assessment. So I don't have any idea about that yet. Yeah, I don't think we do either. We propose this and this will be the first time we're going through and providing this, but I imagine it'll be something like a one-ish minute one presentation with one slide or so. 
And I think it will be someone from security presenting and just basically summarizing what's in the document that has our findings, like our summary of it. Okay, but you still want me to update the OPA assessment doc, right? I want you, so it's important to do both documents because they both may be looked at. The one that we produce is the one that I think will be presenting effectively to the TOC to say this is what we thought. And then if you disagree with anything we're saying, then saying that in making that clear so that we're kind of in consensus about this slide is good too. Oh, so you want me to look at your recommendation doc, not the assessment doc, is it? Yeah, it's the one and a half pages document that has some comments and stuff like that in it. Okay, sounds good. I'll look at it tonight. Great, thanks. Siddharth? Hey, this is Sridharth. This is the first time in this group, last year. Briefly about myself. I have a long Cisco career. I led a project in OpenStack as a PTL, ran an orchestration project, but my current interest in some of the initiative that we are doing essentially bootstrapping an effort around security and cloud native environment. This will involve things around audit compliance, security, component orchestration. I'm here to kind of see how things are, introduce myself and also help out as we move on. Great, thank you Sriram. Asa? Hi. I'm also joining here for the first time. And I'm curious about the things that are going on in this group. I'm right now, I'm a PhD student in Max Planck Institute for Software Systems in Germany. And my interests are in system security. I came to know about this group while talking to Justin at USENIX Security a couple of weeks ago. I've done some work on designing policy compliance solutions for database-backed applications and also for some distributed applications, primarily confidentiality policies and stuff. 
I'm kind of curious about what needs to be done as the general landscape of application, programming model, sort of even the hardware changes, particularly in the data center environment like the serverless computing and all these things, how it's going to change. What we need to do in terms of also ensuring security while these applications are being designed. And also I'm curious about what are the policies that really people need to enforce in their systems and to protect data. So that's one of the things that I'm interested in and that I've worked on and will be working on. And more recently I've also been working, doing some work on side channels, specifically looking at network side channels in the cloud. So, yeah. And here I'm trying to understand mostly about the policies and stuff which I've been hearing about this meeting. Great. Welcome, Asta. Martin, I'm going to call on you to pick on you a bit and then ask you to move. You're fine, you're fine. And I forgot, I'm sorry if I was too loud. You're fine. Would you like to introduce yourself? Who, me? Yeah. I think I did before. Oh, sorry, Martin. Yes, you did. Okay, please mute. Aiden. Hey there. Can you hear me okay? Yes. This is, yeah, so it was my first time attending. I got invited by Sarah Allen, a co-worker. I work at the Technology Transformation Services in the federal government in the U.S. And basically in the team that is involved with, you know, all cross cutting technology for organizations. It's, you know, 300 ish technologists. And so we run bug bounty program and, you know, something that I've been thinking about a lot recently are, you know, vulnerable app dependencies. So, you know, Ruby, Python, you know, NPM packages, things like that. And we have in the neighborhood of like 1400 repositories, like we're pretty prolific and creating 10 because we have a lot of churn in our projects. 
And so I've been thinking about a lot, thinking a lot about how to sort of manage those at scale and keep on top of upgrading and making sure things are deployed in timely fashion and that kind of thing. So I can go into that more detail, if we like, but or if we reach out to me directly, but that's what I'm thinking about a lot right now. Awesome. I didn't have lines closely with the, you know, what Mark mentioned earlier, and, you know, abandonment of open source, a lot of pain there. Robert. Hi, yeah, I posted a link on the notes, but I've been working on the formal verification discussion policy workgroup so anyone interested please feedback and or collaboration is welcome. And love to see any input from the team. We're going to circle back once we get through check ins and, you know, make sure we give some of that some more time to that, because I want to make sure that that we're tuned in and supporting those efforts, especially since you know, we don't have, you know, direct attendance, but some of the members there. Awesome. Hi, I'm Michael Ducey. I'm one of the leads on the Falco project along with Chris. Main thing I've been focused on over the last week, which I'm going to write some design docs and the blog post about shortly is slimming down our container images and making sure that we only ship what we need. And like, really thinking about, can we minimize our footprint of what we ship inside of these container images so that Falco doesn't become a point of attack, especially since we run Falco as a privileged container as well. So I've been working on that. I've had some pretty good results, gotten our container images down to about 3.6% of what they were. So that's been my primary focus, as well as the security day. But Emily's already updated us on that. Great. Wei? Hi, this is Wei. I started to join this meeting several weeks, 13, several weeks ago. So I'm still new to the DC. 
And I work at Alibaba from China. And my interest focus on the community security and the service mesh security. This week, I don't have some specific, some special update relevant to the DC. And it's midnight here. So good evening, everyone. Well, it's midnight. Good morning, I guess. So, you know, at 3am, we go clubbing. That's that's that. All right. Let's see. I have a couple folks in this list. Sivi, do you want to check in and see you on the attendance list or to do anybody else? Hey, this is me. I'm in the car right now and driving so I won't be able to contribute as much. Oh, good. Thanks for joining us. Okay, anybody else that I missed. Through attendance right at the half hour. Wonderful. All right, so Robert, I have a follow up on our agenda on Envoy last week, but maybe, you know, we better if we kick things off with the Kubernetes policy working group efforts and connecting connecting the dots there to what the the policy working group as it relates to CNCF is doing. Speaking broadly for the policy working group, essentially the discussions have been reviewing latest updates and network security issues. We sometimes talk about pods, good stuff, but again, we kind of defer that to just an update from SIG Auth. We've had the Gatekeeper folks on talking about OPA. So my particular focus of the last month or so has been fleshing out this discussion on formal verification around policy and that's in the PR here. This week, the specific use cases there are many and varied and could benefit from more feedback, but the one that's kind of the low-hanging fruit and obvious because it's already been done in the public clouds. It's kind of replicating something like a Zelkova or Tiros or SecGuru capability for Kubernetes. Though it could easily be expanded beyond just Kubernetes project and into validating other policies. 
So that's that's the discussion I've been screaming has come to some concrete decision is a strong word that we focus on those those specific tools and trying to replicate that and open source CNCF. Great. And, you know, just for our context, since, you know, this is an effort from Kubernetes SIG, you know, is I'd love to see a little bit more alignment and support from that SIG is that something that you think you can, you know, bring bring to this PR is kind of, you know, I see him mentioned, but I don't see him as a reviewer or +1'ing things there. I don't know if you can attend this all in the sense of time zone. I can certainly discuss whether review and or contribute more to this. Is that what you were asking for? Yeah, I don't. Yeah, to your point. And again, thank you for staying up to midnight to join us. You know, I don't necessarily expect, you know, to come present show like happy to have you proxy that and represent the efforts there. But, you know, since, you know, he has been spearheading that that effort, I just want to, you know, sanity check that we're all, you know, in line and, you know, that those efforts, you know, from that that working group are, you know, supporting the these efforts to PR PR PR participation from the Kubernetes SIG is all I'm asking for. Great. I think best vehicle for that is in the next call. And we and we actually reduce the cadence down to every two weeks instead of every week. But I'll put on the agenda to kind of discuss alignment. Great. Let's get some feedback. Great. Like, you know, I'm happy to see us carry that forward. You know, I just like, you know, some of that alignment, you know, up front. So, you know, we're, we're all walking together. Thank you. So I have an agenda item, you know, to continue discussion around Envoy. I know we packed it in at the very end of of of a couple weeks ago, after our presentation use case presentation. Do you want to, you know, dive further into that. 
I don't have any particular tactical updates on what the solution is effective and how things are going in the field. My point from the previous discussion just was essentially these assessments shouldn't be interpreted as a as a one time event that can then be lined up on an extended period of time. I think that all of these types of issues that we see coming across a lot of the day remind us that the assessment really is just a point in time that has a very short shelf life, and that if we don't have some sort of defined routine for freshmen on some I think we do everyone in the service. So the concrete effect of that was this issue that I've been putting thoughts around what should be the formal life cycle, the official life cycle of an assessment. So do you review it yearly? Do we review it every two years? Should we review it every week? What's the thinking there? Should we do some sort of risk assessment with prioritization? I've dumped my thoughts into the issue. And I think I put a markdown document attached to that. But that's just my straw man, please, everybody should comment and feel free to suggest alternative theories or reject anything I've said. And so much of the sort of preventative behavior is moving away from, you know, relying on those formal definitions to, you know, just observing behavior. So I'm intrigued in that, you know, in the change of how we're defending ourselves and how we're assessing, you know, the threats in the system. If that influences, you know, should influence our behavior on, you know, assessments and, you know, deep analysis, you know, of these things, you know, in general, I, you know, I think we probably want the, you know, desire to ramp up. But, you know, the trend is, you know, we don't have time increasingly to do that heavy hands on work. Yeah, I think I think the flip side of that is someone might take these assessments. So, you know, it might say, okay, you guys did an OPA assessment three years ago. 
OPA is 100% certified. I can just drop it in, no concerns. And I don't have to do any heavy lifting. I'm just checking on OPA. Yeah, yeah. Right. And, you know, so the consumer of this information, our security assessments might use the assessment as an excuse not to do any further analysis. So that's, I think, just putting a tag on it that says, hey, this is a shelf life. What that shelf life is, I'm not saying we have to use a particular definition, but just noting that when we publish these, hey, this really shouldn't be on a certain date. Okay, so a bit more tactical from an organizational perspective. Sarah Allen has been spearheading, you know, has an incredible background as CEO of the Bridge Foundry of Rails Foundry and so many other, you know, foundries, communities of practice efforts. And, you know, through that experience, you know, Sarah's had a lot of success in making sure that everyone has a good understanding of what are the various formal roles. You know, one of the roles that we are exploring as a formal role for this particular group since we meet every week is the role of a meeting facilitator. So, you know, that's something that, you know, I've been one of the major contributors to and, you know, leading up those efforts, something that I enjoy a lot. But, you know, it is, you know, a solid hour and a half block that, you know, I have to make sure that I protect to make sure that we go through and, you know, run a good meeting. Everyone is, you know, feels heard and, you know, we have a good use of time. So, you know, one of the things that we've been exploring is, you know, what are the, you know, the kind of ladder to get there and how do we delegate that role and begin to, you know, formalize some more of the roles related to, you know, continue to support this as we, you know, we grow. You know, we've basically doubled in size since we were formally ratified. 
We've been going now for about a year and a half or so, maybe a little bit longer as a working group. And, you know, we're ratified, as I said earlier this year, and our, you know, size and responsibilities are continuing to grow and, you know, our current co-chairs are definitely, you know, putting in a lot of work. We typically, you know, work on security anywhere between, you know, three to 10 hours a week. And, you know, the meeting block at times, you know, becomes a bit of a challenge. So, Sarah has the pull request 255 and pull this up. So, if you haven't seen our, you know, our roles document and some of the interesting details in it. You know, we were leveraging GitHub settings to, you know, to leverage a bit more deeply, you know, the assignment of capabilities and, you know, have, you know, documented in the settings YAML file in the .github directory. And, you know, some of the capabilities and we have, you know, details in the document as well. This enables us to, you know, assign specific privileges to, you know, triage team to our security assessment team and security reviewers. And, you know, right now we have, you know, Sarah, myself and JJ as our meeting facilitators and, you know, we're defining, you know, the folks that, you know, have the context to, you know, run these meetings as, you know, someone who has, you know, one of the other roles. So, you know, if you are currently in an existing team, you know, that would be, you know, kind of an easy on-ramp to, you know, taking up this meeting facilitator role if you're interested. And as well, you know, we've defined, you know, an opportunity to sort of opt in if an individual, you know, has, you know, made significant contributions and that, you know, addresses individuals like Jerry Jennings who, you know, have done a lot of work with the working group, you know, worked on landscape, landed, you know, that major effort around the landscape. 
But, you know, that work existed before, you know, the definition of these current roles. That meeting facilitator, just pull that up in the next section. All right. Facilitation roles to the meeting facilitators and, you know, at a high level, it's, you know, agenda and are, you know, going through our weekly cadence, getting everybody introduced, getting check-ins from partner working groups and, you know, going through the agenda. And, you know, looking for folks that have regular attendance and you participated. You're basically, you know, familiar with our, you know, normal process and, you know, we want to make sure that you're, you know, if you're stepping up to join and participate in this particular role, you're well supported and, you know, you have a successful meeting and everyone else that's joining also does too. So, a pause now for feedback and, you know, I'd like to hear if that's interesting, especially, let's see, Justin and anyone else who has an existing role that's, you know, defined. Yeah, I mean, I'd be happy to do this. I've kind of like impromptu done this a few times when people have been late to join or whatever else. I think part of it that, so the preparing meeting notes with template and agenda, the agenda preparation part is a little something that I think the chairs probably should be doing except for an extreme circumstance. Certainly adjusting the agenda on the fly as somebody discusses something makes sense, but in general the rest of it is just kind of run a meeting and I think that, you know, I'd be happy to do it and I'm sure a lot of us could do that very well. That's a great, you know, call out there, Justin. You know, we, you know, almost, you know, I was advocating for breaking out that particular capacity into a separate role. And, you know, in the end we opted in this initial proposal to keep it as simple as possible and, you know, a singular role. 
But I agree that that expectation, especially in the near term, you know, both Sarah and I have been, you know, working at techniques to make sure that the, you know, set up time in getting meetings, you know, lined up in the week over week, you know, running and planning of meetings is, you know, something we're, we're, you know, planning out over a longer period of time and sort of team up in this document. So I agree with that assessment, you know, you know, we'll need to continue to drive that and, you know, there's, you know, we're exploring some additional roles that could potentially take on some of the project management sort of capacities, but there's no, there aren't any real project managers, like there's no, you know, folks waiting, you know, to take on, you know, set roles. So, you know, defining those ahead of time before we have, you know, actual folks that are participating in this thing, you know, looking for those sorts of responsibilities, you know, seems premature. Great. So in September, you know, we're going to explore piloting, piloting some of this meeting facilitation just to get a better sense of that. And then after September, we're going to explore, you know, what, what, you know, a more formal schedule. So, you know, Justin, you know, if there's a week in September that you're particularly interested in, you know, raising your hand for that you don't have other responsibilities, you know, as a presenter in probably be better. Then, you know, we'd love to sort of work with, with folks who want to explore, you know, doing this, this new role and get everyone signed up. Would the idea be that one of the existing chairs would also be on the call, perhaps to see how well this goes? That's right. 
In September, you know, the expectation is, you know, barring, extending, extenuating circumstances that, you know, every week, you know, the, you know, there would be a chair present and in general, you know, we would expect, you know, chairs to be present, you know, both JJ and Sarah are traveling today. I should call that out, but yes. Yeah, I don't have a problem with it. And, and right now it looks like most of September would be open if we want to pick a date, we can also do this asynchronously off the call. Great. Cool. Well, you know, maybe I'll wait a week and, you know, get everything set up in the first week in September and, you know, pencil you in for that second week. Does anyone else want to raise their hand to explore this role in September? Me. Hi, Chris. Yeah. I'll be happy to lead a few meetings. I'm not going to commit to doing every one of them, but I'm here to help. Okay, great. I think as it stands, they, you know, the rules of engagement may not quite be met since you're brand new, you know, so we're going to have to, you know, test that water. But, you know, awesome. Appreciate that. And I know you're very experienced in, you know, doing this sort of open source. So I will coordinate with you to, and the chairs to make sure that we do the, you know, test and process the right way. And appreciate that. Yeah, totally. Okay. And anybody else that covers the folks that are on this call that are, you know, meet the criteria, fun bit of internal process, but yeah, the, the week to week running and making sure that we have good solid meetings and good context on challenges. Great. Well, that brings me to the end of my agenda for the day. Any final words? Otherwise, we'll give you five more minutes back in your Wednesday. Well, we can take it offline, but I think there was some discussion on the slack channel about firming up what the next assessment is schedule looks like who's involved. So happy to take that offline. 
But I think folks who want to participate have some travel and commitments in September, October speaking for myself. No, that's a great topic. Do you want to, do you want to just, since you have it up, do you want to just discuss where we're at and what we think the options are. Yeah. I mean, that'll drive the agenda. So, you know, for the future sessions so great to align on that. Sorry, so was that an ask to me? Maybe my audio is bad here. I'm all called in this weird way. Do you want to just bless the where we're at, like what we're planning on for the assessments, like where we're at and what would be next. Oh, well, I mean, I think I'm asking the same thing but just looking at the assessment matrix that I put together. The discussion was Keycloak was supposed to be next at some point. There was a comment by Brandon some, some week or two ago about maybe Keycloak is not going to be. Falco is listed after Keycloak. There's actually a typo on this matrix. I'll fix that. After that, I think it was pretty much open ended. I've been in contact with some of the folks in the same, but we haven't discussed ready also schedule. So, yeah, I think it's really just is Keycloak next. Yes, no. If not, can Falco go in its place. And for both of those who have to firm up commitments from the volunteers. So, you know, bringing in, you know, feedback from our TOC representatives, you know, definitely a present preference to CNCF projects. So, you know, if if we use that as, you know, primary decision making lens, I think that would, you know, support your proposal that Falco go ahead of Keycloak in prioritization. And since we have some Falco folks is that is there a schedule time when you guys have a mile for when you might be available for that. Ready for that. Sorry, I was on the other line. Can you repeat the question? Yeah, if we if we slot you in as the next assessment project. 
Are you guys ready or not do you have any kind of sense of timeline when you might be for assessment of moving to incubation or what are we know for security assessment. Chris, Chris isn't familiar with the assessment process. So would someone mind dropping a link into that so that we can. I'm guessing that we should be ready within a couple of weeks, but I want Chris to make the decision. So we need to know what all that entails. So if you can get Chris, or maybe we can take it offline and we can talk about what all it entails and how much level effort on our part, it's going to take. Then we can see whether or not we were running or not. As an action item, should we follow up with a sigvi email after you're we figure out what all this is going to entail and we get a plan together. Yeah, I mean, I can, I can send out an email. I'll just volunteer the coordinate. This is Robert. Since I have Michael's email, Chris, I can get your email and then who else should I CC on the discussion. The SIG Security mailing list. Okay, perfect. Thank you, Robert. And yeah, I think taking that offline and preparing everybody and you know, then we'll align on getting the agenda and scheduling it out probably sometime in September. But I'm guessing it's going to work for us but let us just kind of come for a team. Great. Yeah, you know, no, no, no rush, no pressure. And you know, if the timing doesn't work out Michael and Chris, you know, we'll work with you to schedule at the next useful opportunity. Okay. All right. Thanks everyone. Have a great week and see you next week. Thanks, Dan. Thanks all.