Okay. And while we're getting started, thank you, Brandon and Dan and others, for reading our charter. It's very exciting. It says probably nothing that everybody hasn't read before, but we are going through the process of formalizing our governance docs according to how the TOC wanted to see them written. So there's a pull request out there for the charter that folks can take a look at, and I'm going to address the open questions and see if we can get that sent over to Liz this week.

Yeah, it's looking good, Sarah. Thanks for pulling that together. I personally feel like I've gone through that and written that and done that probably six, seven times in the last year and a half. But each time we iterate over it, it gets better and better. So, yeah, I'm really happy with how that's stepping up. But Dan, if you'll facilitate, I'm happy to scribe.

Okay, great. One of the scribes. We have somebody else too. Great. All right. So let's go ahead and get started. I know there was a bunch of activity last week, so we'll go into that. But let's go around the room and just check in. I've had a really, just insanely busy beginning of May, and my availability has been pretty challenged. So I really appreciate all of the effort that Sarah's been able to take up to drive things forward. It's been an opportune time for me to have that support, and I really appreciate it. Sarah, do you want to go next?

Sure. So I have mostly been doing this administration. I did go to the Internet Identity Workshop, which is why I missed our last session. There's a lot in the notes that would be interesting to folks here. There's a lot of talk about self-sovereign identity; this is the question of user identity.
And there was somebody there from the Linux Foundation who felt that using self-sovereign identity, because it allows you to just get an identity without implying that the user is bound to one or more companies, and the way they have these identity documents attached to your identity, kind of unlocks Git commit signing. So he's been working on, and I guess there's a group of people now working on, how we can, in a resilient way, sign commits and have a commit history that is verifiable. And so there's a group talking about that, which I think is very related to some of our work. We've talked about it being a dependency for in-toto; not necessarily a dependency, but one of those things it probably should be doing. And so anyhow, the Internet Identity stuff was pretty interesting, and I'll drop in the notes; they're very good about keeping notes. It's an unconference that happens twice a year.

And then Justin Cormack and I have been meeting to go through the in-toto assessment with the goal of writing up a summary, which then unearthed more open questions. And thank you, Brandon, who has joined our security assessment team and is helping us kick the tires and try to figure out how to articulate this format of what we want to say. And we just had a meeting with Santiago and Justin Kappos to go through the open questions that we unearthed. And so, on that security assessment team, I'll also let Justin Kappos talk about that. Even though we haven't been voted in as co-chairs, we're all acting as if; I mean, we're still the SAFE working group, I guess. Right. So I asked Justin if he would facilitate the security assessment. Awesome. He agreed to do that, but I wanted to bring that to the group and let people know that I asked him to step into that role. Great.
And then I opened up a bunch of issues with the kinds of things that we're doing that aren't PRs. That's kind of my lot. Wonderful. Robert, I think you're on the phone. What is it, star six to unmute? I can also unmute you. I'll skip over Robert for a second, and we'll go down to the next. Ash.

Hi, so I've been working on the OPA write-up assessment, and I submitted a draft for that. Justin had some questions, which I tried to cover in the doc itself. So if you guys have any questions, let me know, and let's go from there.

Great. We'll probably have a little bit more discussion on that as an agenda item. But I want to check, Ash: do you think we'll be ready for next week? Can I put it on the schedule? Yeah, we can put it on for next Wednesday. Yep. Awesome. Fantastic. Thank you. Yeah, sure. Justin.

Yeah, I've mostly been busy with the assessments that were discussed, both getting things together with OPA and also responding to the in-toto things. There has also been a bunch of standards discussion around things: how do you do specs? And also, the IEEE-ISTO standardization of Uptane is proceeding, which is a TUF variant. So I actually presented in their member meeting about some things related to that. So, yep.

Awesome. Thanks, Justin. Brandon. I also just put in a status for you, which is the whiteboard stuff that you did around the process, which I stuck into an open issue. So. Okay. Great. All right. So yeah, mostly I was at DockerCon and then we met up with Sarah, Justin Kappos and Santiago Torres. I can talk about the security assessment stuff, so pretty much whatever Sarah and Justin said just now. Great. Great. Okay. And Robert.

Hi, can you guys hear me now? Yes. Oh, fantastic. I'm in a pretty loud location, so I'll probably go on mute. You bet. Anyway.
I've just been reviewing the open docs and submitting some comments, as well as putting some thoughts on issues on how to structure the assessment review. And it was good meeting folks up in San Francisco. Right on. Yeah. I think that transitions into the opening session. Do you want to kick off some of that?

Well, actually, it wasn't at DockerCon, just the meetup at the bar after. So those who were actually at DockerCon would probably be better for that. Yeah. So I can share a little bit about DockerCon from my side. Netflix did one on what they use for security. Justin Kappos did one on the integrity pipeline, which you can probably talk more about. I did one on encrypted containers. And there were a couple of other security talks, tangentially around things like that. I spoke to a couple of people, and it seemed like there was a big theme around auditors not knowing how to do security audits for container platforms. Yeah, and so it seems like they spend a lot of time just trying to explain to them how it works and what they should be looking out for. And it's taking a lot out of them, because they keep changing auditors every time they do an audit. Yeah. But other than that, I think that's a good conference, and meeting up to get dinner was really great. I enjoyed that.

Right on. Was the security assessment challenge an end-user challenge? Or is that also, you know, Docker has a product offering around that. But are people doing that product offering and looking for independent solutions, even in the auditing challenges? Right, right. Docker's having it, or the folks in the Docker ecosystem? This one is, yeah, the people I believe that are behind on this are the people that are coming from the NIST side. Okay.
And it's not so much about the solutions they use; it's more how they audit the process, what evidence they need to collect. Right. Okay. These things are not clear to them, and so that's a huge learning curve for the auditors. Got it. Yeah. The ecosystem around NIST is an area where I'm particularly interested in finding collaborators. Was there anyone there that we could potentially invite to the SIG? Let me check through my contact list. I think there was someone that I talked to. One guy was from Equifax. Another one was from a company which is kind of like Venmo. And someone from FID, the other thing. Let me dig up those names and I'll send them a pointer to this as well. Great. Great. Yeah. Just looking for the right contacts that can carry back that challenge and see if we can partner with them to get them the insight that they're looking for and to help coalesce. So if NIST is coalescing around a standard and we're coalescing around some behavior, then we can share and compare notes and work toward that broader understanding of how we're solving this in the cloud-native ecosystem. Yeah. Sounds good.

Justin, anything else that you wanted to add about your sessions or about DockerCon? Anything else on DockerCon that you... Yeah. I attended the open source sessions, and that was a packed room. There were four different sessions about different open source solutions. We heard from Santiago about in-toto, and that was a great presentation. And OPA; I think that was the best explanation of what OPA does in policy that I've ever heard. Nice. So I think they've really come a long way and it's in more active use. So those were the two... There were two others. Brandon or Justin, do you remember what they were, or anybody else who was there? Well, one of them was supposed to be Justin Cormack, but he had to run, I think.
Oh, I know one. One of them that I thought was interesting is the fellow from Netflix is proposing that there be a security bounty where everybody gets together and creates an easy way for people to have some kind of hosted, containerized solution that people can hack at. So... Like a capture-the-flag for containers. Exactly. Nice. I'll dig up the link because I tweeted it. But that seemed like... I don't know if anybody else has any thoughts about that, but I thought that was neat. Yeah. I like that a lot. Yeah. His name is Michael Wardrop and his talk was also quite interesting for those who didn't attend it. So when they put the recordings up, I think it's probably worth a look. I think I was also muted before when you'd asked me about things with DockerCon. So I also talked to some people to tap them on the shoulder for future security assessments, and we'll see how that goes. But there are at least some people that seem quite interested in potentially participating. Wonderful. Great.

What do you think of the capture-the-flag container exercise? Is it going to bear any meaningful fruit worth our attention, or let it play out in the ecosystem? I think one thing that's hard to do is to set it up in a realistic enough way. And so I'll be very interested to see... I think it's good. I mean, I think it's a target people should shoot at, and it's sort of about time. But I also... let's say that someone goes and they set up Prometheus in a wildly insecure way, because maybe Prometheus doesn't think security is part of what their project is supposed to be doing for some reason. Then I don't think they're going to be paying out bug bounties for that, even though you may see insecure Prometheus setups all over the place. So I don't really know. It's a little tricky. Right. Yeah, what this could...
The opportunities for attack vectors are probably not necessarily straight down the middle, of course. And how this would differ from a research activity, a targeted research activity tied to a particular deployment environment. I think the potential variance in deployment environment is going to be the most compelling framing for this, and it's going to change the outcomes greatly based on how that's set up. How that would be set up in a neutral way would be challenging. And I'm not sure, for example, if Netflix would feel uncomfortable completely replicating their operating environment, right? And adding the layers that they would have to their environment. Yeah, so it's a question about whether it would be realistic. Right. However, Netflix might be interested in: oh, I have this set of dependencies, let me combine them together and point a whole bunch of hackers at it to see if they can find things, so that I at least know that those are vetted. So I think that was kind of the idea, to just take a bunch of things that are commonly used together in the wild, funded by companies that can either put in dollars for the bounties or engineers to help set up this infrastructure. And then they would have their dependencies a little pre-vetted. Of course, there was some discussion about, well, however you set up that container is then maybe different from... Yeah, yeah. I think that's the biggest challenge to getting this into a viable space where folks are like, okay, yeah, even just investing money into the bounty; I would see that as a gating challenge for establishing that. Yeah. Well, so we'll see what they do. So I think it's the kind of thing to keep an eye on.
So as people hear about it, great. Tech updates. Got it. So DockerCon, we're keeping it on our list of events to go into and draw in folks in the cloud-native ecosystem. How big was it this year? I'm asking this completely irrelevant to that last statement. About 3,000 people attended. Okay.

So then I thought I would talk a little bit about the security assessment. We talked about it, and Justin, please chime in. But basically what we kicked off is we have this team of four of us who are going to sort of tag-team this set of assessments. And we looked at: how many are we doing? Are we kicking off a process to do every project? That would be a lot of work. And so we looked at this set of them. SPIFFE, SPIRE, Open Policy Agent, Notary, TUF and Falco were the ones that were called out in the CNCF TOC docs around the security SIG. So these are the ones that they are calling out as ones that we need to be particularly mindful of. But it turns out that most of these have actually been waved through the process. Justin Kappos had already reviewed SPIFFE and SPIRE before we formalized the process, and really the process is based on his experience with those reviews. And then Notary and TUF have been through the auditing process, which is much more rigorous. And then we made this list of ones that are particular assessment candidates. Actually, OPA has already started now. And then maybe Falco, and Keycloak has expressed an interest in it. And Falco is another one where it's on the list and hasn't had an assessment. So what we were thinking is maybe we reach out to them, and if they're eager to do it, great, we start. If they're not, then we go to the next one on our list.
And our thinking is, Justin suggested that we would have a resilient group if we had ten security reviewers, which I think sounds great, because then no single person is overwhelmed with the amount of work it is. And any individual security review isn't that much work. It's a commitment, but for a very focused amount of time. And the idea being that we wanted to do a specific set of these before we reflected back on the process. So we're capturing all these process improvement ideas and suggestions. And in the notes I linked, I have a tag in GitHub called assessment-process, which is for all the different things that we've collected. And unless something's getting in our way, we're not going to actually make process improvements until we've done a set of these, and we've said six or eight. So it turns out with ten people and a particular rotation that Justin drew on the whiteboard, we can get through five assessments. So we kind of picked that number: we will do five assessments and then we'll have a retrospective. And so what I was thinking of doing is basically writing up our team currently and then allowing people to PR themselves in as volunteers as our team expands. And we want to make sure that every team of three for these next five has at least one person who's been involved in these assessments before, so one of this group of four of us, and at least one person who has done an audit before. Right. And those could be the same people or not. Because I think everybody except me has done audits before. I've been the recipient of audits many times. Got it.

Little point of process. Robert, when you get a second, would you mind muting your phone? Sorry, just waiting for a moment to step in there. Thank you so much. All right. Justin Kappos, did I miss anything? Do you want to chime in there? I think that sounds good.
I think one thing we also discussed a bit was how this process actually goes early on. Some of this we're inventing as we go, but there was at least a thought about timelines in terms of having someone who's the lead for it take a quick read over the document and try to get clarifications within a day or so. Ash, I think, probably got more clarifications from me than he expected. And I think it's also a little unrealistic, with what we were originally thinking, to think that us getting them feedback in two days means they're just going to be able to turn that around right away. But as long as our part of the process and our part of the delay isn't more than two weeks, I think that's pretty good. We're still getting people through this process pretty quickly, which is one of my bigger concerns: we don't want things to just drag on. Right.

And I also put it in the notes, and I made an issue template with a checklist of the things that we talked about. Awesome. So then we could just have this template and tick things off as we go through them. So, yeah. And so I thought we could use that for OPA and in-toto, and we can make sure for in-toto we're kind of back-checking, but we make sure we can help. Thanks.

Do we, and we probably don't know this, but do we have a sense of what the timeline for those ten projects might be? Sorry, we said five assessments. I think that, I mean, it depends a little bit on how quickly we get them, but I think it takes maybe three weeks of calendar time to do them. And I'm also very leery of having these happen in an overlapping way until we have a lot more certainty. And one thing really to Ash's credit is Ash has been very responsive. And I can certainly imagine a scenario where we go and start an assessment for a group and it takes them two weeks to do the stuff that Ash did in a few days.
So, I don't know, but at least for these initial projects, I hope we can pick people that will be receptive and get through this in a couple of months. So at a high level, it'll probably take us, in terms of runtime, through the end of the year. I hope not that long to do the five, but I could see it happening if we have a lot of delays. Right. Yeah, just to pad in some latency. So we have an opportunity to present some of our findings at KubeCon North America. Right. So that is running from November 18th through 21st. I think that would be a great opportunity to share out what we're doing by landing as many as possible. I think we should shoot for all five. We have two under our belt. So that would probably give us, being pessimistic, three new ones, two old ones, a body of five to choose from. And I think that's going to be really interesting and a great opportunity to potentially bring some of the projects on stage.

Can we get a spot during the keynote to talk about this? I was thinking the same thing. That would be really interesting, getting this to a level to land the keynote position. I would say that the biggest gate is going to be the TOC and their buy-in. So if we can get an intermediate presentation to the TOC that proves to them that we're delivering significant value, and have them be the champion for us being at KubeCon, then that's how I see us being able to get on the keynote stage. But I think the message is the right one, right? And the message would be: security is a first-class concern in cloud native, right?
I also think from their standpoint, if they're really trying to have this delegated model with these official groups, then they want to, I think, highlight that these groups are first-class delegated things. So I would think they should be very happy to have this happen. Yeah. Yeah, I think that's a great discussion to tee up now with Chris A and just align with him on what messages they're looking for at KubeCon North America. And I think there's something there that fits. In terms of expectations, I would expect it to be more of a 15-minute presentation than a longer thing. We'd get 15 minutes in the sun on the keynote stage and then probably the longer session where we do the deeper dive.

I also think that we still have some work to do on helping the TOC craft a message around this, right? Right. Because there are things, like I had a great conversation with Liz where there are things that people ask me and she's like, no, why would you be doing that? And I'm like, because people are asking me to do it, right? And they're not always voices from the TOC. Sometimes they're companies that are involved in the CNCF, what's called these end-user companies. And it's everything from a fairly naive stance of saying, oh, can I look to the CNCF to say, yes, this project's secure, right? Nobody wants to... yeah, it's a binary. That's the truth, right? All the way to the other end of the spectrum where it's just like, oh, well, we're just providing some information and we're not making any assurance. We're not saying anything, really. Other than, here are some docs, here are some pointers, you judge what you will, right?
And then most people are in the middle somewhere where it's like, well, as somebody goes from sandbox to incubation to graduation, they have a different level of maturity, and we are saying some stuff about that. But that middle ground, and articulating it, helping the TOC reason about what kinds of things, right, maybe what companies want to hear, what open source projects feel comfortable asserting, what would be the strongest thing that is reasonable for a foundation to assert. I think that's the kind of thing you want to go into a keynote with. Because I think right now there isn't a unified sense of what it is that the TOC wants to be able to assert about security this year. Right. I think what I've heard there is any sort of process that is better than where we're at right now. And I don't think anybody wants to keynote, yeah, now we have a not-sucky process. Right. So that's where it's really: can we work with Liz and Joe and prepare our materials such that there is alignment about what the TOC is comfortable asserting. And that's a sort of non-deterministic timeline, but the more that we are aligned, because we have stakeholders from a lot of different companies and a lot of different projects, the more that we can represent a diverse group of security experts who all think that this set of things is reasonable to say, then that can speed up that process.

This might be an opportunity to engage Sarah Conway, who runs marketing for the CNCF, aligning with whatever marketing message they're considering for 2019, 2020, and helping the TOC understand what their opportunities to influence that could be; that could be one of the ways that we get there. So, I think we need to get all this set up and stacked in the right way to land that for KubeCon in November.
I think we need to select the next project very carefully and look for something that's going to really... in-toto obviously has their act together. OPA is just such a well-known quantity in the ecosystem. I'm going to wade right into it: Prometheus. Well, I think they've already had it. Okay, yeah, they're graduated. But we do have to resolve that open question, right? I don't know if everybody's been on the Slack channel. Justin Cormack, do you want to talk a little bit about the Prometheus audit that you read?

Yeah, so most of the security audits have been relatively straightforward, and issues have been found and resolved. Prometheus was much more problematic than that, because it ended in an entire disagreement between the assessors and Prometheus about what the security scope for the project was. And the compromise has been a small documentation change, and all the findings from the report were otherwise rejected. And that's not terribly satisfactory, I don't think, because there shouldn't be such a gap between what a project thinks and what an external security assessor thinks. And it's definitely a surprise, potentially, for users. And I think we need to find out more about, I mean, we've certainly had some users surprised about this, but we shouldn't be going into security reviews with that much of a difference between expectations. And that's the key area with that one.

Yeah, I read that. It was very interesting. Thank you for pointing that out, by the way. I was actually pretty shocked. Was that review done before they received graduated status or after? Because it just kind of boggles my mind that the TOC would have voted to... I'm actually not 100% sure if it was before or after. I think it might have been before, but I couldn't confirm that right now.
I mean, Prometheus effectively, at least according to the assessment, which, albeit, was written by the Cure53 folks that did the... It was sort of their take on it, was basically: they have a very non-standard security model where they don't view security as their problem. That's effectively the one-line summary of what they said about Prometheus. So if we're making recommendations to the TOC, I would think we as a group would almost certainly have recommended, hey, there are some really serious problems with Prometheus from a security standpoint. I don't know, I mean, should they just have a big warning on the front page of the project when you install it? Should you have to use --insecure to add it to your Dockerfile? I don't know. Like a --insecure. So that seems like a political minefield. So maybe not that one.

Well, I think that we have to... Luckily, we wouldn't need to assess it for a year. Because the process that we've discussed, and it's not completely written down, I'm working on getting all the issues in, is that there would be an assessment from our group, which is not an audit. And then later, when they're in incubating stage, there would be an audit. And then we would do some kind of yearly refresh, which may be as simple as: hey, project, has anything changed? Please update your thing, accept pull request, right? It could be very minor, right? Or it could be like, oh my gosh, they've completely changed something, right? Let's have another review. And our focus would be to make sure that we've done that for all the things that provide security, and then maybe a few other projects that we think are big security influencers in some way, or set precedent in some way. And so we have another year. Right. That's good. Responsible for that. But I think it's a great test case, because part of this came up
because I was saying to Justin Cormack, well, how is it going to be; it's sort of an outlier case that we would really have a disagreement. I think maybe we would flag something that the project hadn't considered; maybe they'd go back and look at that and do some homework, or we'd say it's okay for sandbox, but they should really put it on their roadmap. And Justin was like, well, actually... And so I think that this is a great opportunity for us to highlight it, right? How do we think about this? And as Justin Kappos has pointed out, it's okay for us to be divided. It's okay for people within this group to say, well, actually, I think that's fine, as long as there's appropriate documentation, and for other people to say, no, that's not fine. But I think it would be great at this point, it might have to be after KubeCon, to schedule a discussion, right? Where everybody gets a chance to read this, and we say, okay, well, if we were faced with this, what do we think as a group, right? Or as individuals: what are the trade-offs, what are the ways to deal with this? Because I don't think Prometheus is alone amongst open source projects in having that stance. And personally, I think if you have a JSON parsing library, I'm not sure it needs to have that much in it, right? But if it's something that normally is running with an open connection to the internet, I have a different opinion. And so I think teasing that apart amongst ourselves and then coming up with something more nuanced, as-if, right, rather than calling out Prometheus specifically. And I think talking to users as well, because are people finding this a problem in practice or not? Are there common mitigations or not? Are people concerned or not?
These are kind of important questions as well: is there something else they're using to fix this problem in conjunction with Prometheus? Sarah, I just want to, for bookkeeping and follow-up, when you say after KubeCon, are you considering after KubeCon Barcelona in May? Yeah, I was just thinking that I think Barcelona is in two weeks. Right, right. Next week we're hearing from Ash, and then probably, so I'm just saying from a scheduling standpoint, early in June I think it would be good to give everybody a reminder to read this and then have a discussion. And maybe we can decide offline, kind of brainstorm how to frame that: do we invite some Prometheus users, or do we talk about it more in the abstract, and what's a good way to frame that? Right. So we end up with something that would help us deal with such a situation if it were to happen again with another project. Because that's what I want to have: that when we have completed all the security assessment docs and we've done five of these, any group of three experts could go through this without running into political landmines. Right. Or if they run into something, we would say, okay, well, if you run into something where you have a strong disagreement with the project, then this is what you do. You can talk to the co-chairs, or we bring it up in a group meeting, or we kind of navigate how we would handle such a situation. Because before we just say, oh, three random volunteers, go forth, follow these docs, it's good to think through, well, what if it didn't go smoothly? And I think that's a framing that we can bring to the Prometheus team. Justin Cormack, did you get a sense that the Prometheus team got super defensive? Are we going to have to talk them back off a cliff?
No, I don't think, I mean, I think the conversations happened largely in private, so I don't think we have to do it. But I don't think it was about being defensive. It was really just, I think they just don't want that to be in scope because they don't want to work on that problem. They want to work on the problem they're trying to solve, which is about using metrics effectively and not about securing metrics, I guess. But sometimes you can't work on one problem without working on another one. Right. Sometimes you can. I mean, I think, you know. That's a lot of possible resolutions. Sure. Okay. Yeah, so, you know, if, if we can have a conversation with the Prometheus team, just to discuss, you know, how would we handle it? What are some of the things that we're looking at, and have a conversation with them now? That would give them potentially a year before they're coming to us. Right. So we can have a, you know, initial conversation and, you know, have the shared outcome, you know, be, you know, what would you expect when it comes up to your time? And, you know, we can also look for opportunities in this because we have tended to index on groups that, you know, think of security first. We can, you know, use this as an opportunity to, you know, take the complete opposite tack where we have a group that is, like, not at all thinking of that and look at ways that we can, you know, in our, you know, that landscape view or, you know, is there tooling that, you know, can help them get to, you know, an expectation of security as a sensible default? Although I think that the other tack is to have that conversation in the abstract before we have it with Prometheus. Okay. Because I think that there, we should sketch out when, you know, like, we should, like, have the discussion of what, like, I think in-toto has done a good job of saying, here is a thing that we don't do. You know, you should do that before you use in-toto, right? Right.
And so, I think we should have a discussion of like, is that okay? You know, in that case, I think we're converging to it, that is okay, right? Like, so, could this be addressed with documentation or must they go build something? Or maybe our group knows something that could be a little more plug and play that we put front and center or could bundle with them or, like, I don't know what. And under what, what types of projects would we find this to be something important? But because I think that, like, talking about it more in the abstract, like, I'm at least interested in that conversation. Right. Right. Okay. I mean, I'm going to be from the same point of view that the security audit was basically a waste of money. Right. Right. And there's actually a cost to doing it this way. For sure. I have to practice it while we don't do security. Not our problem, right? Right. Okay. Thanks. For sure. Okay. That's exactly the kind of thing that I think these assessments can flesh out, right? Right. All right. So, again, I think that's going to, you know, we're going to have to just spend some time really sort of assessing the next assessment. Like, I think we need to invite Falco because they're on the CNCF. We can check in with Liz and see if she, that list was just, I don't think that list was come up with randomly. But they are like one of the things that were listed that the security, you know, shepherding. And to my knowledge they haven't done an audit or had an assessment. So I think an outreach to them because they're on the list, right? And, and then I think the other one is Keycloak, which seems like a, there's an incoming project that has requested an assessment. And so I think those seem like valid next ones, and then we just have to brainstorm what would be the fifth or the sixth, if it turns out Falco is not quite ready for one at this time. Right. We had Michael Ducy come and present back in April of 2018 on Falco.
We'll have to review that. Right. I'll drop the link into the chat. So yeah, carrying forward Falco, you know, would be, would be interesting. You know, I expect Falco and Keycloak, just by the name Keycloak sounds like they, you know, they're looking in the security space and they're going to have security mindedness front and center. So looking for the opportunities where, you know, folks, you know, may be delivering a solution that's not, you know, security centric, you know, would be good to begin to frame that discussion with Prometheus. But Falco, Falco makes a lot of sense. And, you know, I think that's a good place for us to start with the next, the next assessment. And, you know, I would expect that, you know, Falco, you know, we would have both in-toto, you know, the two assessments, in-toto and OPA, that we can package up into a presentation that we're sharing at the TOC meeting and, you know, potentially, you know, list out the shortlist of these five assessments. That would be, you know, something valuable for the TOC. Okay. So we have an action item over the coming week to kick off the presentation. You know, just given that future target of presenting to the TOC, what do you think if, you know, we anchor our, you know, on Barcelona around some of this, you know, assessment work rather than, you know, rehashing, you know, do you think that would be a good presentation to share, you know, in Barcelona and then, you know, follow up as part of the TOC meeting? So we're working out looking some of that. I mean, for the, so we have an intro presentation and we have a deep dive. And then Justin Cormack has another presentation about the security assessment process, which I don't know whether you're going to cover what you did before we, you served your process into this.
I haven't, I think, I mean, I'm, I can definitely, I can't remember exactly how it fits timing wise in terms of the, our sessions, because I can definitely refer to, I definitely want to validate a bit, but if there's, if I can point people at a session that's coming up or rather than one that just matters. Yeah, can you drop your session into the, it's two o'clock. But from a content perspective, I think that like, we can have the SIG talk more about like the meta process, right? Like how we're picking projects and like our security assessment team and kind of have a call for like, hey, if this is the kind of thing you do or want to learn how to do, come join our team. And then I think that we should, we need to mention like the policy work and the landscape work and the different projects for the like intro thing, I think. And then the deep dive, Justin Cappos is going to talk about, I guess, the security assessment stuff and Howard is going to present something about policy. Great. But we probably should come up with some slides soon. Right. And, you know, I would also, you know, take the opportunity to leverage some of the sort of shared content between the three, right? Absolutely. Like, I don't think we need to feel like we need to, you know, create, you know, unique novel content for each one when they're, you know, all engagement points. You know, this is one of the, you know, most visible activities that we have. And, you know, with that, the policy white paper. And, you know, if we have, you know, some, I think the other white paper is probably too early to even, you know, bring it into the discussion. You know, I think what we have is an outline. Right. I think we can refine a little bit. We're going to have a white paper that covers these things. Nice. Okay. Right. Like we, we have a very rough one that like, we're just going to, I'll need to chime in a little bit after we get this assessment stuff out of the, underway.
But, but yeah, we basically, where, if we can nail the charter this week, which I think we're on track for, at least our part of it will be, we'll be like, yeah, we're just responding to feedback. Then, JJ can, I can, can like kind of refocus on the white paper to the point of, and then we can, you know, get everybody's feedback on an outline. And that kind of scope, it addresses kind of, it's sort of analogous to the charter. And it's another way of looking at this bill for the group. I think it's more interesting to read. Okay. So you could tee up in, you know, we could talk to Sarah's point about the meta. And then, you know, you would be able to, we would be able to tee up, you know, if you want to, you know, deep dive into the actual output of the assessment and how that works, come to Justin's talk for that. That's great. So, you know, I think amongst the presentations, we're going to have, you know, a slide or so about, you know, our chartering as security and, you know, a brief mention of the history. We'll tee up the, the, the white paper. And, you know, I think we can have sort of in the intro, the same sort of rundown, charter, white paper, policy white paper, and then security assessment, and then, you know, go a little bit deeper in the deep dive. You go deeper in the policy, go deeper in the assessment. Same basics. It's definitely. Okay. I think we're probably out of time. Anything else that we, yes, we are at time. Thank you for the call out. Is there anything else that we should be discussing? Right, right. I think what we should do is go through our open issues and see if there's anything. You know what, this is a good opportunity for, you know, as we present the assessment, this could be a moment where we can call to action folks to, you know, to join us for these assessments. Yeah, exactly. Well, I think that like what I'd like is, and if anybody can help with this, and thanks Brandon for chiming in on the repo.
Like our repo and the issues list should be the place that people can say, I want to help with this. It should be really accessible for people to know what it is this group is doing, who is leading what, you know, what things are underway, and have things in a state where they don't have to be finished, but it has to be like, oh, I could review that, or this is not being worked on. Great. And so if we can think about ways that we can arrange the issues, they should be appropriately tagged, what have you, and linked from the README. I think that'd be great. Great. Yeah. Okay. That's a, that's a, you know, ending slide there. Right. Submit an issue in the repo. We'd love to have an assessment. We'd love to have you join us in our sessions. Cool. Great. Good stuff. All right. Well, we'll get you lined up for next week. Sarah, you mentioned someone else might have a presentation with that. I want to make sure I land that in the agenda. Well, so OPA is just, wait, no, sorry. Was there anything besides OPA? I think we need to get in-toto done. Okay. On the schedule that we think that we can achieve before we get talked to somebody else. Okay. 'Cause right now we have, we have not yet landed a single assessment. So let's not pipeline them at the risk of not effectively executing. So can we, can we stagger, you know, next week, OPA presentation, and so in-toto follow up, or do we have to do in-toto? I don't think we need to have any more meetings about in-toto. Okay. Like if it turns out that, you know, Liz and Joe open up a bunch of questions, it caused us to have like some new content this group hasn't discussed before, then maybe we'd schedule something. But right now I think that, you know, we'll just go through and we'll do an async, right? We'll have, you know, we'll have like little light sharing here as long as there isn't anything, anything that's radically new. But you know, that could come up.
But I think right now they've done the presentation at least once, probably a couple of times. And then we'll surf around on the overview, additional material. Great. All right. So OPA is, you know, the primary activity we'll be focusing our time on, and, you know, follow up discussion and making sure we have, you know, my worry was, you know, making sure we had enough time to provide feedback and, you know, do that during the session. Yeah. I think that we should be like, I think, at least for starters, we should give a whole session where the presentation is designed to kind of queue up the conversation. And everybody who's attending is encouraged to like, we hope that most, if not all of the group has read the, the doc, the write up before, so that we all have a fruitful conversation. Great. All right. We have a game plan. See you all, you know, this time, same time, next Wednesday, the 15th, right here. Bye. Thanks everybody. Take care. Okay.