Dan, if you don't mind, can we spend a couple of minutes early to talk a little bit about the Harbor review and then I'll jump off, as I have a conflicting meeting. If that's okay, sorry to be hijacking part of the agenda. You're on mute. Hi, Michael. I'll take your answer on mute and I'll just say you said yes. You bet, I need to get everybody set up here and point me in the right direction, but yes, we get everything set up today. Michael, while I'm getting things configured, why don't you sort of tee up where you are and if you have any additional action items coming out of the assessment, and then I can fill in the blanks on our end. Yeah, so essentially we have a PR that's basically ready and we want the leadership from the security SIG to take a look at that and approve it. All the reviewers need to also approve it as well, and that's really the last step in basically completing the Harbor assessment. So I'm gonna put the PR... I'm putting it in chat here; if you can add it to the agenda, that'd be great. Great. But essentially it includes three things. The PR includes a couple of images, it includes the assessment in Markdown, which has been reviewed, and 400-plus comments, if not more, were addressed and updated as part of this. So now it's the final thing. And then the last thing is the actual README, which is the assessment from the team of reviewers like Andres, Justin, Chase, Vinay, Robert and Martin as well. So this is really the last step. So we're asking you, Dan, specifically to take a look at that. You'll need to read the 40-page document. That's gonna take a while, but read the assessment, and if you agree with it just approve the PR so we can merge it in. And once we do that, then the actual assessment of Harbor is complete and we can submit the formulation up to the CNCF TOC for proceeding with the Harbor graduation. When you say read the assessment, just to clarify, you mean read the summary? Yeah, read the summary, the README document in there.
I believe that's the last step, but does anybody else have any other things that they think that we should be doing? No, just from a procedure perspective we are pretty much done once it's finally approved and merged in. So I think we're good. I think we need at least one chair approval, right? Right, yeah. And that'll, you know, at present that'll fall on me. You know, so. Dan, you broke up a little bit. I don't know if anybody else could hear you. Dealing with me, unfortunately, for better or worse, and my being a bit overloaded. Great, Michael, well, thank you so much. I appreciate your patience and, you know, I'm gonna try to, you know, get that pushed out and, you know, wrapped up. And do you think you might be able to... it's only a one-page document. Do you think you might be able to read it today? I'm gonna try. Okay, all right, thank you. Yeah, just basically, I'm also being asked by the TOC in terms of when one would be able to line this up, and I'm hoping to get it, and Amye is on the call too. So I think the next step for Harbor is basically to put it up for a public vote. So, you know, trying to line up everything. Thank you, appreciate it. Thank you all. Amye's been poking at me too. Thank you. Thank you so much. Now that Michael mentions that, one question. Yes. As part of the bid for graduation, Michael has been requested by the TOC to produce a one- or two-liner from the SIG on the SIG's position. That obviously factors in the assessment, but I'm not sure whether I should be doing that since I led the assessment. Michael has asked me to fill out this document that has a template that the TOC created, or if that should be a chair on behalf of the SIG. The question is who the person should be and if I should represent the SIG in saying, like, here are concerns, or there are no concerns and we're fine, whichever. I know typically the SIG does not get involved in saying yes, you should graduate or not, but it sounds like they're expressly asking for that.
Yeah, so essentially just to give a little more context. So the TOC is basically telling you, you looked at Harbor from a security standpoint. Do you feel it has what it takes to support its bid towards graduation? That's essentially the question that's being asked. And which is above and beyond the assessment process, right, sort of outside of our sort of standard processing and standard workflows of the assessment. Yeah, and you could actually reference the assessment and say, hey, we saw Harbor. There's a few areas that we think Harbor can improve. Here they are. We don't see any major concerns, or we see major concerns, up to you, whatever you want to say. I'm going with what the assessment writes, right? And then say, given the assessment and the time we spent with Harbor, we see XYZ, either support for graduation or not. I had a... Is that the usual case for other projects? Is there a precedent for any other projects? We are the first project that's trying to graduate that has been pushed through this process. Helm, that started its graduation bid after Harbor, was not asked to go through this process. Harbor has been the first project that has been asked to go through four SIGs, and every SIG put us through the wringer. Nobody as much as you guys, but I loved it. I'm not gonna complain, it was great. You guys put the screws on me on this. So, but it was very valuable and it was a great exercise. But given that this is the first time we're doing this, you know, all the other SIGs either gave positive or neutral recommendations. So, be aware that whatever recommendation you make is not gonna be taken lightly by the TOC, but also make a recommendation that you feel comfortable with, right? Given the knowledge you have on Harbor and the things that we did during the review. But Dan, are you gonna provide that recommendation or do you wanna delegate that to Andres as the leader and the guy that worked with Harbor so far? You know, it's gonna be on me.
So, I'll be drawing on Justin and Andres in terms of, you know, their input. Since the bulk of, you know, my recommendation is going to be, you know, based on our assessment process. But, you know, this is on me with the support of my co-chairs. Okay, so I'll send you a Slack message on the CNCF Slack with the two things, the PR that you need to approve and then write the documentation. If you can get them done today, it will be incredible for us. It will kind of line up our timelines for moving Harbor ahead. Hey, Mike, this is Vinay here. I just thought about something. Maybe, you know, maybe it's a precedent we could set, and eating our own dog food from a best practices perspective. What are your thoughts on, you know, leveraging... Have we done anything, you know, from a vulnerability perspective and all that? I had this thought while going through the assessment, but, you know, you said that the artifacts are like some container images, et cetera, right? You know, have they gone through some kind of vulnerability scanning, and do we know what the posture is? Do we understand the vulnerabilities that exist? How... what are the severities and how should we perceive those? And then it can only strengthen the argument that it's gone through a very good, rigorous process as well and add to that. Any thoughts on that? So, there's a couple of different things that I'll try to outline one by one. So, Harbor went through complete vulnerability testing by VMware in August of 2019. After that, in October of 2019, CNCF paid Cure53 and they spent two weeks on Harbor doing vulnerability and penetration testing. And in both cases, we found a couple of issues. I think in the second case, it was three critical vulnerabilities. Sorry, one critical, three high; we fixed them right away.
Then we had one of our customers, a Singapore government agency, that chartered their own third-party security testing company, and they did an in-depth security vulnerability test on Harbor. No issues were found. There were no critical issues. And there's one issue that they want us to fix, which is a feature request that will enhance security, but not a gap, not a vulnerability per se. It's a feature request. And then we've talked to Chris at CNCF, potentially down the line, maybe a month or two from now, who can use the SIG Security assessment that we created, that 30-page document that has a lot of insight and a lot of details, and give it to a pen tester and tell them, given this heavy knowledge of Harbor, can you identify any ways you can break Harbor? Blast radius and all that stuff. Now, I don't want to make our graduation be tied to that. We already did three pen tests on Harbor and they were very extensive. But we want to do one more because now we have a document that helps kind of give someone... Basically, it's a hacking blueprint. If you wanted to hack Harbor, here are all the things that you protect and here's everything that you should really worry about. And the way I phrased it to Chris is, we have this document. Can we identify angles to attack Harbor using this assessment, right? So we're giving you the... We're not giving the keys to the kingdom, but we're giving you the blueprint of the kingdom. Can you figure out how to open some doors? I really, really don't want to say in the assessment, go ahead and do this before you graduate. That would really cripple us, right? That's something that we want to do because we think it's the right thing over time, but we already have three pen tests.
If I can just make a historical comment, separate from any concerns specifically about Harbor: when this whole SIG Security assessment process was beginning, there was some pretty extensive discussion, and you can probably find it if you scroll down in the notes, about what the purpose of the SIG Security assessment was. And at that time, as I recall, the drift of the conversation was that we're not here to say this product is secure, because first off, that's not our job. And second off, that is such a temporally local state, even if it were to be true. But rather, the purpose of this assessment was to gauge more administrative information about a project: whether it has an approach to security that seems like it will allow it to continue to adapt into the future, whether it seems to have been designed and implemented with thought given to security concerns, and so on. And so if that is really the charter of this assessment process, then whether or not you go and do another pen test based on the process isn't really part of the scope, but the fact that you want to is certainly a good sign. Anybody else who was there at that time want to comment on that, or alternately, Dan, do you wanna put on your hat and speak to that? That's correct. And Matthew, I know we do need to let you go. So in terms of where we net out, I do think we want to encourage a continued follow-on assessment, but we're not going to have a recommendation that should be gating for graduation. Right? I believe that's where we are collectively aligned. So part of our posture is making sure, and to Matthew's point, making sure that we're supporting the community and that projects like Harbor basically have a partner in the CNCF to navigate the complex security landscape and deliver the best possible cloud native experience. Sounds good. Thank you. Well, I look forward to it, Dan. Thank you, Michael. For the PR and writing some of the details. Shouldn't take too long, but thank you for your time.
I'll send you the... I already sent you the message on Slack. Thank you all for your time on Harbor. Really appreciate it. I don't know if I'm gonna attend any more security meetings, maybe not for a while, but I really enjoyed your insight and thoughtfulness on both questions and design and recommendations. Appreciate it. We'll see you in the TOC meeting. All right, take care. All right, thank you. Matthew, is it gonna... take over for Phil then? Thanks, Dan. Is my audio coming through? Great, thank you. Pardon, everyone, I had to reinstall Zoom. That was a fun experiment at the last minute, unfortunately, in a VM. Yay. What... where did we leave off? Were we... we already finished the check-in, and do we have any SIGs or working groups that need to check in? We didn't. So Mark, from what I saw, has a check-in, and honestly, I was trying... we had a 20-minute "get Michael out the door to his double booking." So we also do need to kind of bootstrap and get scribes embedded in the process. So, you know, we should call that out as well. Sure, while we're on that topic then, is there anyone that would like to volunteer to take meeting minutes or take the role of a scribe today? Is it just free-form note-taking with the general gist? That's just however it best feels to be done. Okay, thank you. Chase, all right, we got at least one for now. All right, so I'll move on then to the check-in there and just see who has updates. I'll start with the SIGs and working groups, and I think the one we have is Mark. So Mark, good day. So this I'll keep short. Phase two of the big data working group, of which the security subgroup is the relevant piece here, is trying to formulate its next iteration, which is a three-year project. And the piece of this that I'm trying to help them formulate is supporting analytics as a service for computer security. Now, what that is is gathering telemetry from products like, say, Prometheus as a good use case, that is coming through in aggregate, i.e.
transformed by some algorithm. We used to call it ETL, but let's call it fancy: it might have gone through some machine learning, and maybe you're getting aggregate results as opposed to individual data points. But we're trying to abstract this into a different kind of interface. So we're looking for some use cases and then to partner with an open source tool that would let us build a working platform that people could use for testing the reference architecture for that project. So I'll just leave it at this, as there are two calls here. One is to help us formulate the use cases from a computer security point of view, privacy as well. And then secondarily, some volunteers to help us stand up a suitable test environment that works with that. And we had separately planned to bring the Cloudmesh team to do a presentation here, but that's an academic liaison and they're in finals, believe it or not, at this point at Indiana University. So we'll have to reschedule that until that's all over with. So that's it for now. Really no immediate action items, but looking for volunteers to help us shape this program, which I think would be pretty novel for security products. End of story. Thank you, Mark. Sorry, please go ahead. The obvious question is, how does one reach out to volunteer? Yeah, I'll put my contact information into the chat; just ping me, that'll get you there. Thank you very much. Super. Thanks all. Are there any questions or comments for Mark? Okay, thank you, Mark. Okay, moving ahead on the agenda. I don't see any updates. So if anyone was missed and had an update or didn't get a chance to put your name here in the attendance, I'll make sure to double back at the end of the meeting. I don't see any presentations or PRs slated. So I suspect this will be a bit shorter than usual. So I'd like to just throw one out there, off-the-cuff sort of thing. And it was one that Justin Cappos brought up, and it was issue 376, with respect to just the security posture of Zoom.
So I'm not gonna go into the broader topic of one versus another, how we do our whole workflow for uploading videos to YouTube. But I was wondering if it'd be appropriate to put up maybe some instructions on how to spin up a VM or container for both Windows host OSes and Linux host OSes. So if people feel that that's appropriate, here's a way you can containerize it and/or throw it in a VM and just get it going really quickly. I tried out that Microsoft Internet Explorer test virtual machine image, but I don't know that the licensing for it is such that we can officially recommend "download this 90-day free VM and use it for all of our official correspondence." I suspect that's going against the spirit of why it's being released. Does anyone have any strong opinions for or against if we threw together a few ways for people to continue to use Zoom but in a container? I think that would at least tackle part of what was brought up in Justin's PR. Can you post a link to that PR in the chat if you have it? Cause I did a cursory search and didn't find it. Here, let's see if I... sure, here, it's number 376. It should be, I think, third or fourth from the top of the issues. Here, let me get that now. Oh, I got it. I don't know how I missed it. Oh, good. Yeah, that's the ticket though. So I don't think that what I'm proposing addresses what Justin brought up; it's in the same spirit though. Here's how you throw it in a VM. And I'm wondering if sending that out, if other people want to use it as appropriate, or does that inadvertently make a statement, if at all politicized? Like, is that something we'd want to steer away from, by making a statement saying, you know, we only trust this if it's in a VM? No, I think it has... you know, you could think of the VM as being a cyber range, you know, a low-budget cyber range. So if it's framed in that way, that's not a bad thing.
I mean, on the other hand, in the apparently 20 days since Justin opened this issue, the news has been all filled with other similar tools having similar problems, which kind of makes it look more like it's just whoever people are focusing on finding issues in at the time, and that this sort of software, which is complicated by its very nature and rushed to market by the forces that make it happen, will all be kind of bad, and that therefore singling out Zoom specifically may not actually be as good of an idea as it may have seemed 20 days ago. Dave, you go. True, I don't intend to say it's singled out, and I'm not playing with anyone here, but since it's the de facto tool we're all using, I figured maybe if I put a certain spin on it saying, hey, here's how you can deploy quickly in a VM or a container for whatever reasons there may be. Like, rather than qualifying it, just present it as: here, so you can get it going pretty quickly if you want to containerize it, because, say, one is paranoid like me and runs everything in an isolated sandbox or something. I guess if I take the qualification out and don't try and specify why I'm doing it, just saying here it is, I figured that would be appropriate without making it look like security is taking a particular stance on it. I thought that might be the happy medium. If this is a choice you wish to make, here is a method that has been used successfully, kind of thing. Right. All yours. Okay. Yeah, I like this. Like, I mean, there are people that run Chrome or Firefox in a VM, right? So I don't think it's out of the ordinary for someone in the security kind of space to create the script. Just as long as it's not... we don't say that it's not secure, therefore you should do this, just like it's bad. Okay. I feel that aligns with what I'm going at: don't say why, but just say here's a nice little thing for convenience.
And then I'm sure anyone that has any preexisting stance or opinion can go for what they want. That way we don't look like we're being mean to them and not to every other provider. Chase, you had a comment that I wanted to jump in on. Yeah, yeah. I mean, no objection, but that's all sort of adjacent. So I think the original ticket, and I was trying to see if Justin is on this call; he's not. So that's unfortunate. Some small amount of background color on Zoom first. About two years ago, we moved to Zoom internally where I work for a few things, partially because they have reasonable Linux support and we have a pretty hardcore contingent of "I won't ever install anything not Debian" users. And we picked apart their clients and came up with just all kinds of ungodly problems, mostly surrounding embedded libraries that were years and years old. And then kind of the fallout from that. And of course you can use the browser version or whatever, but long story short, a couple of years ago, we prodded them with a pretty sharp stick, and we're small potatoes, but have some notoriety. And so nobody wants to see their name in lights next to ours in a bad way. And we worked with them to fix those things. And then about a year later, we did another audit and it was the exact same shit, right? So they fixed the point-in-time stuff, but it's their release process, what have you, that has the issue. There's no addressing it without working at their company and fixing CI or something. So they just don't have their shit together, to be perfectly honest. And it is what it is. And right now we're working on an internal recommendation for our people and our stuff, because we have folks all over the globe, a bunch of affiliates, all that. And we're essentially recommending that no one discuss anything sensitive over Zoom. We're not outright banning the clients, although that is the de facto. So I don't know that it's a case where it's a bunch of equals.
I think Zoom in particular got wide adoption and a lot of cool features by cutting some corners. It's pretty obvious from a long-term mitigation with them and partnership in other places. And I can't share all that, but let me just say it's a mess. And I don't know what prevents us from using another tool. And I don't... it's fine. I have dispensation to use it for this either way, but if we were gonna move away from it, that seems like sort of what the task is getting at. And I guess we could just say no and that's okay. But I worry about incomplete guidance, right? Like here's how you run something in a VM or whatever, no rationale as to why. In general, bad information is almost always worse, or in general, incomplete information is almost always worse than no information when it comes to security, because people start making assumptions. So that's the thing I was gonna say. Thank you. I don't wanna mangle Justin's and Dan's words, but at least know that some of the reasons were that we already have the whole end-to-end workflow in place. So the meetings are scheduled, they're automatically recorded and then uploaded to YouTube. And then I think the bigger thing is that the CNCF essentially chooses the tool, and that propagates down to all of the other SIGs and working groups. And I think one of the points Justin brought up is, since we're SIG Security, maybe we should try and push this change back upstream and see if we can propagate and spread that out based on a strong enough case. I think some of that might be in the ticket, but I'd have to read it, but that's as far as my review was on the topic. So there's at least a reason why we're using it, but I mean, whether it's the right one, it is what it is. So the issue that Justin created already sort of establishes enough of the context of, like, hey, SIG Security is worried about this thing.
Matthew, what you're proposing is to lay out how you're potentially addressing, not Justin's broader suggestion to move away from the tool, but how to bring the tool... basically protect ourselves a bit with some unknowns. That provides some context, but it won't actually get us to the next resolution point in terms of finding that resolution point. Cool, my goodness, like we're kind of in one of those scenarios where the current solution is suboptimal, but there's no breakout, better solution that is going to come in and do everything that we need. So we're still iterating towards what could be a recommendation to the CNCF on a path forward. So documenting how we're protecting ourselves, dealing with the situation at present and doing what we can to move things forward. Meeting with the tech leads, I pushed back on switching over to Hangouts because I've had some issues where, since it's so tied to Google Calendar, if the person that created the calendar event isn't on the call, that means that you've got to scramble and set up an entirely new meeting. So Hangouts is a great sort of semi-stable default when it's a small contingent of folks and very consistent participation, but we have an ongoing weekly meeting where we have folks coming in, coming out, different facilitators, different coordinators, different situations every week, and replicating that is going to be a fair amount of effort. I have one thing to add on a related tool. The feature is quite a ways out, so I don't anticipate seeing it until at least a couple of years from now, but I think Signal is considering doing peer-to-peer distributed encrypted conversations and whatnot. So that'll be pretty interesting to see which way that goes.
If they could decouple it a little bit from having to have a phone or an account with it, then it might modernize secure communication somewhat similar to Pretty Good Privacy, or PGP, years back: just set up public/private keys, each conversation, and then renew them, and you can't ask for much more, and you take out the central servers, but again, it's way out there. I might contribute to it if I feel so qualified and so inclined. I'd just like to make a pitch, right. So we have our forum, but as a SIG, it's sort of a group in the CNCF. One of our duties is also to be transparent and share the work that we do. And the way we've got everything lined up is we've got recordings and that gets published out to YouTube. So peer-to-peer, the challenge with peer-to-peer is it ends up making that distribution and transparency opportunity a bit more challenging. I run a meetup here in San Francisco and we were sheltering in place and couldn't run our normal meetup, and we did it virtually. And we had the jankiest system set up with OBS and we ended up having to sort out who's running the Zoom client for everybody and who's doing the OBS stream out to YouTube. It was a mess. Sounds fun. I think your audio cut out for... I don't hear your audio coming through, Dan. Is it just me? No, I don't hear it. Yeah, sorry, Dan. For about the past 15 seconds, it does not appear that you're muted, but we don't hear any audio from you. Maybe it's the mic or something. Is that directed to me? There you go. Now we hear your voice. We lost you a few seconds ago. I lost my headset. So I was trying to wrap up. Move on. So I don't know what got dropped, sorry. Okay, so here's that. Here I wanted to bring up the ad hoc... Oh, sorry, go ahead, Chase. I was just gonna reflect back. You were talking about kind of the pitfalls of trying the peer-to-peer route; that was sort of the last bit that we heard, I believe, so. Oh, so my closing comment is convenience is killing us. Could I say one last thing?
And I'm sorry for talking so much before we move on. So maybe the only real concern I have here is if we were really to discover something that was a zero-day, right? And it's for some product that's out there in the wild in a bunch of places. This is not a medium that I would feel comfortable disclosing it in. So my thought is, instead of documenting how to make this a little safer, let's just document what happens when we... because all of this should be considered public, it all gets uploaded, whatever, whatever. Maybe let's just document what we do in the case of non-public information and non-public disclosure. I think that might be the better compromise, I don't know. I like that position, Chase, because this is broadcast to YouTube every week. So this is not a forum for any responsible disclosure. On a related note, I've had this question for a while and I've been meaning to ask it. As a tame example, my five-year-old decided to make a little cameo not too long ago on the video stream. Who do we reach out to if we wanted to, say, cut or edit the YouTube videos that get auto-uploaded to the CNCF's page? Just if we need to, you know, we realize, oh, this probably shouldn't be in the recording going on YouTube. Yep, got you. It's cool. Thank you. Sorry, your audio is coming through, like, modulated, like half a second of audio, half a second mute, like something's gating or square-waving the audio. At least for me, if Mike is muted. Okay. If folks didn't get that, it's Amye who would be the person. Thank you. Okay, there's no more PRs on the list. I'll just double-check in case anything's been added to the agenda, but no presentations, no additional PRs. So with that being the case... I thought Robert had a working group comment that... Yeah, I just... I think I missed the earlier opportunity, but we did have our eight o'clock meeting this morning.
We talked about a policy violation CRD proposal for capturing, whether it's, you know, something like OPA or Kyverno or even, you know, Falco or others that want to capture a standardized format of a policy violation. There's been a proposal to make a CRD for that. And then we just briefly kind of touched base with the Gatekeeper folks, who had a version of this conversation, and we discussed kind of the pros and cons of CRDs versus native support. And essentially we're going to follow up, if anyone's interested, at the SIG-Auth meeting next at 11; they're going to talk about dynamic audit. So I think that will overlap as well. So we're, at some point, maybe we'll try to collect all these threads into a coherent proposal, but we're still trying to figure out if that's even possible. That was it. And just to clarify one thing, SIG-Auth is CNCF SIG-Auth or is that still Kubernetes? I think this is the Kubernetes SIG-Auth. Okay. Yeah, Kubernetes SIG-Auth, they're 11 o'clock to noon today, so right after this. And they have two discussions about the dynamic audit proxy webhook design and dynamic webhook sinks with static policy. So there could be overlap. With that, we've got everything on the formal agenda out of the way. I'm just going to open the floor, and if there's anyone that I haven't called out or neglected to, or if there are any new attendees today that'd like to introduce yourselves, now's your chance. Okay, looks like we're good for today then. Have a great rest of the day, everyone, and pardon my delay earlier today. All good. Thanks. Thanks, Matthew, thanks, everyone. Take care. Bye-bye.