If there's anyone that... this is having a hiccup there. So I have a question about Chris A mentioning a security review group. Is that us? Are we a security review group now? That was Kubernetes. So the group that Chris was mentioning is a Kubernetes SIG. Ah, okay. Not a CNCF SIG. Right. Security reviewers that help with the assessments. Yeah. But that's normally referred to... we're trying to be consistent in our language of referring to it as assessments. Yeah. And that was really why I paid special attention to it. It's like, what security...? No, it's the Kubernetes one. And like we've done with the policy group and other groups, we want to establish and maintain a relationship, especially with Kubernetes as one of the key projects in the CNCF; we want to make sure that we stay aligned with that. That's my objective. My concern was that we've discussed a lot about the security assessment, and that is not my primary security. And so if we are becoming a security review group, just stop. Got it. Right. Yep. No, we're not. Okay.

All right. So I'm back this week chairing, and I'll be chairing the meetings throughout August, still chairing the group. I've been tied up with some work stuff, and as soon as we moved this to 10 a.m. Pacific time, the hordes came and that became a really tough time for me. So I've been on late duty during meeting times the last month or so, and I really appreciate Sarah carrying everything forward. Excuse me today if I'm connecting context and getting back up to speed. Please smack me around and we'll get everything back on track. All right.
So let's go and do check-ins. I can do that as my check-in and I will hand it off next to Justin. Okay. Great. So this week we agreed to have in-toto join us as a sandbox project. I think there still might be a step or so to have that happen, but they've already asked us to transfer domains and do other stuff like that. So I guess that means they're pretty confident it's going to go through. There's been some discussion about Notary on the list, which I don't know if that's already on the agenda. If it's not, then I'd like to just say a word or two here, and we can decide if other people want to chime in. But I think that's on the agenda. So maybe you can do it then. Okay. All right. So we'll talk about that in a minute. And I'd also like to make a quick recommendation here as part of the check-in, which is that for the security assessments we're doing, we have some kind of forcing-function date, like a date on which there's going to be a one-slide presentation to the TOC, because we're in a state where we've got assessments that are basically done and just need there to be a forcing function to cause the last couple of hours of work to happen. And by the way, I'm pointing the finger squarely at myself, and a little less squarely at the OPA folks there, but we really just need to round that off, and having some kind of forcing function I think is a necessity, because we haven't been able to make it happen otherwise. I love that idea. By the way, Justin, for in-toto, did you mean incubating or sandbox? No, there was some resistance to having it go immediately into incubating. There's a thought that our adoption and governance, those two things, can be improved. And we didn't know what the vote would be if we pushed for incubation, but we basically knew it would pass in sandbox.
And we've also been encouraged that we are very likely to transition to incubating before KubeCon in November, assuming that we actually document our governance and adoption in the way we should have, probably before we put our proposal in. So since we don't have a formal process on that... on what? On landing a meeting with the TOC. Well, I think we don't. However, we have documented that we may do security assessments that are not a priority for the TOC, because the TOC hasn't prioritized something and we think some projects would benefit the membership and the community if we did a security assessment of a particular project; they may not. And particularly we're thinking about, when I remember the conversation, it was like for the annual updates, there are going to be some activities where it's just not going to matter. And they're going to be like, we're busy this month, right? And they don't need a presentation. But I really think that putting a date on the ending of it... it was a forcing function for in-toto, particularly in getting me to finalize things, but also just, I think for everybody: oh, there's a meeting coming up, everybody get your stuff in, we want this to be landed before the meeting, or whatever. That really helps. I don't really like management by meeting, but I think a date is effective. The other thing is I think having that date will help people self-identify, like, oh, I have a vacation those two weeks, right? Sure. And so I wonder, Justin, if you could just do a PR proposing where in the process we would set that date and how we would document it. And then I think it's non-controversial. And then we could run it by the TOC and say, hey, do you want a presentation?
And I think even if it's not in the main TOC meeting, having there at least be us going to Liz or Joe or something like that and having to say something, I think that feels stronger than just some arbitrary date. Oh, I like that. So we would always present to Liz and Joe and sometimes to the whole TOC. Right. Yeah. So Sarah, before you jumped in, I was going to propose that Justin kick off an email to Liz and Joe to propose a date and cc the chairs, just to get that process started. Particularly for OPA, and for the process in general. For the next step, since we don't have that, and we want to get that started, let's ask for a meeting, with the intent of getting the meeting together, giving them the opportunity to land that in the TOC, or, if they can't pull it all the way into the TOC based on their schedule, to engage with them. Can we not do this through GitHub issues? This is JJ. Sorry, I joined a little bit late. So I think we eventually will be able to do it through GitHub issues, but ultimately we need to force a meeting with the TOC representatives and get through to the TOC. So until we have the process with the TOC, and we're PRing something to a TOC meeting, my big takeaway is that the forcing function needs to be a little bit more of a completion to the TOC and a final readout there, and not just "we're signed off, we're done," and it stays in security. Yeah. And I think the key thing is that we're not forcing a meeting upon them.
We are giving them an opportunity to hear our findings or choose to hear them asynchronously. And we're not asking if Joe and Liz would... that we would appreciate a live review with Joe and Liz, and how do they want to handle that? Yep. But I think particularly there's the process, right, that we want to propose going forward. And then there's, hey, we're almost done with the OPA assessment, do you want to hear it at the TOC? Or how do you want to handle that? Yep. And I think they emailed because we don't have a process and we're about to wrap up an assessment. I like that suggestion from Dan. Great. All right. I'll work on it and send it off. JJ, does that make sense to you? Yeah. All right. Let's continue the check-ins. We've got a number of folks still to go. Daniel. Hi. So I just came back from a vacation and I'm still catching up with what happened and with the Kubernetes review. So from now on, I'm going to go ahead and do that. Yeah. Excellent. Mark. Good to see you. Hey, everybody. Underwood with Synchrony and NIST and whatever else. Nothing really fancy this week. We're in the middle of a summer-long project to try to figure out how to build models that work with the MITRE ATT&CK framework. So people that are in the ontology space might be interested, probably next calendar year, probably end of next semester, because I have an academic helping me with that. And that's the story. Good to know. Thanks, Mark. Jonathan. I presented the attack trees and threat model stuff that we've been working on to the financial services group and discussed with Cheryl where to host that in the interim. So we're looking at putting that in the financial services bucket. And also discussed some of the security training material that we'd put together, and did a bit of a demonstration on that.
Also had a conversation with Clyde Seepersad from the Linux Foundation. He's interested in putting together some container security training. And I suggested he reach out to this forum to make that request and perhaps get people involved, if that is really where he's looking to go. So I think he'll be in touch. Training on behalf of whom? The Linux Foundation. Yeah, the Linux Foundation itself. I think they're looking at putting together an additional container security training session on edX or something along those lines. Any sort of constraints on the containers and what container tech? Very little initial information. I just asked him, but I think it sounds like something that should be going towards the security SIG. So maybe put something formal together and send an email to the chairs and perhaps present it in this meeting. But it sounded like it was a similar intent to... I know that Michael was putting together a book, and there have been conversations about doing some additional training material. Sounds very similar. So perhaps they can connect the two together. Great. Thank you. Xavier. Yeah, I'm Xavier from VMware. I'm just here as an observer today. I've missed the last couple of meetings, but I heard there was a good presentation from Trail of Bits a week or two ago. Great. Yeah. I created a PR for issue 226. That is the new members page. So feel free to take a look whenever you folks have time. Awesome. Thank you. Hillary. Hey guys, my name is Hillary Bunson, director of products at StackRox, and this is my first time attending these meetings. So just looking for ways to get involved. Excellent. Welcome. Thank you. Brandon. Hey, so over the past week I opened the PR for the conflict of interest for security assessments. I think there was some discussion, just in a few letters.
So I put it on the agenda. Other than that, that's my check-in. Thank you. Awesome. Thanks. Ash. I have nothing to update this week. I just had a clarifying question about the assessment matrix. If we have interest in adding ourselves as a reviewer to that matrix for certain projects, should we just open a new pull request? Or is there a different way to do that? I think that's the current way to do it. We have an issue. So I would say comment on the issue and then open a PR. That's currently how we're doing it. Okay. So there's no ordering to this, right? These projects aren't in any specific order of the next review. It's just random, I'm guessing. So we do have some estimates on what the next projects are. I think Keycloak is the next one. Okay. And after that, it's going to be Falco, depending on the readiness, but I think currently that's what we understand. I think it's a little random right now because we're testing the process, and we are expecting that our TOC liaisons are going to give us some better, more precise guidance about prioritization. Sounds good. Okay. Thank you. Christian. I finally made some progress on 165, I think the issue was. I have a pull request in. I got some comments back, and I'm meeting with somebody in that role at Google on Friday who can give me some insight into that. So this is the use cases for the platform, in case people are not familiar with the numbers. Yeah. Sorry, I was muted. I've been traveling, so I have been a little bit absent, catching up on PRs, and I really appreciate Dan stepping in to facilitate this month. There was one other thing that I've forgotten, but I think it will come up. Awesome. Martin. Hello, it's me again.
I'm a more recent observer, but in future, when I finish with some other projects, I'll be glad to join and help with whatever I can. Great. Yeah. Just, as we saw with the security assessments, raise your hand, and even if there's an area where there isn't currently organized activity, if you're like, there's a space in here that I'd like to explore, and you want to raise your hand for that, please don't limit yourself to only the current structure that we have. Thank you. Gareth. Not directly on the thing, but it might be interesting once I can get some things ramped up. I've been doing a lot of work this week on researching serverless security. So I'm going to try and write up a bunch of stuff that I can share more broadly. More related to the SIG, I've been getting involved in setting up the app delivery SIG, which has now got a charter up in front of the TOC, and some conversations around that. After some conversations, I explicitly added the security SIG in reference to that. One of the things that that SIG is interested in doing is providing advice and guidance on development practices. It would be very bad if the CNCF-branded advice and guidance was fundamentally insecure. This SIG obviously has a whole bunch of people that would act as a really good review of some of that guidance. So I added something to that charter conversation. And that also kicked off the conversation I posted to the TOC list; I think Sarah responded as well, about where we're publishing things. And I think both this SIG and the proposed app delivery one will be doing so.
It's probably worth having some standards and guidance around just being upfront about who we work for and who we are and our biases. They exist. That's fine. We're all trying to make things better at the same time as getting paid by someone. But actually, the more I think we can be transparent about that, the better. So yeah, there's a conversation going on on the TOC mailing list about that at the moment. Great. If I could just go back to the serverless thing, it sounds like you've got a fairly broad scope, connecting the dots between serverless and security. Are you also engaged in the serverless working group, or is that still a thing? I'm not personally involved. And I'm not sure. Short version: it's relatively discrete research I was doing for work. I'm going to try to get a bunch of it published in a public forum. Okay. Great. Yeah. I'd love to connect the dots to that effort with serverless as well. Unfortunately it dropped a bit off my radar personally, to even share back what's going on there and manage expectations on the other end. But of course there's the security lens. It'd be great if we could connect that back to that group as well, like you're doing with the app group, so the security context would roll into that as well. Just more work. Thanks. Good. Amy. Yeah, I can be super fast. Working on the CFP for the events work coming through; that is the October, sorry, November event. I also added a note to the Notary project piece down at the bottom that directly references Liz Rice's comments about us doing an annual review for Notary.
And then after that, I think people will have much more information. So, happy to take that as we get to that agenda item. Great. Cool. Thank you. JJ. Yeah, I don't have much to update this week. But I expect us to have somewhat of a traction on the CNCF security day at KubeCon. Michael's leading the effort; I'm kind of helping out on that. So we'll probably have some updates for next week. Great. I don't see Michael checked in. Did you see him on the list? So we'll throw him into the fire here. Michael, do you want to check in? Yeah, sure. So JJ, Amy and I met yesterday. We decided to push the date of the CFP back a little bit, because Amy, I'm sorry, Emily from the CNCF was on vacation and we weren't able to get out the CFP as quickly as we wanted to. There were a few other outstanding issues that we needed to resolve as a team. So I think we're going to have it close the Friday after the KubeCon schedule is announced. And that way we give people the opportunity to recycle talks. That's worked really well for the Cloud Native Rejects conference. So we're just trying to emulate what that successful conference is already doing. And then Amy is also going to work with the people in the CNCF to get the website up for the event as well, so we can start promoting it a little bit more. Still working on that. Okay. Great. Continue. Sorry. And then outside of that, I've just been in Minneapolis over the last couple of days and did a security workshop on Falco, which had about 80 people in it. So pretty well attended. That's it for me. Great. So I think there are a few other folks; I want to wrap up by the half hour here. Anyone else who wants to hop in and do a check-in? If not, we'll move forward with the agenda. All right. So let's go ahead and get into it.
So we have three topics that we're going to cover: the TOC call, the Notary project, and security assessments conflict of interest. Ash is adding furiously to that. I guess we're taking notes. Sorry. So, the TOC call. Unfortunately I couldn't make the call yesterday. Was anyone able to join there, and would you be willing to recap the events? Anything exciting happen? Did we all miss it? I was on the call yesterday. I think the main things that I'd say are relevant: they talked about the co-located events. So the CNCF security day was part of that. And then they talked about in-toto status in terms of sandboxing and probably moving to incubating soon. I think Alexis and Michelle, who sponsored that. And then we had quite a bit of discussion around the Notary stuff, which I guess we can talk more about in the next part. Yeah, I think that was the relevant stuff for the SIG. Well, what about the app delivery one? I think the big thing was the discussion of that. Gareth, were you on the call? I wasn't on the call, unfortunately. But yeah, Brandon, I'm just curious, maybe about SIG process. Was there anything broadly about SIGs? So we talked about the SIG stuff. I think they mentioned that there was going to be one more SIG that someone was going to look at, which I think is the app delivery stuff that you just talked about, but no one from the SIGs was on the call. So we just kind of glossed past that topic. This is Amy. I can speak to some of this. App delivery is currently taking another three to four weeks or so to finalize. And out of that call, the serverless working group will likely be under app delivery.
The reason I'm saying likely is because, again, it's not all approved, but that's kind of where we're moving from there. If you'd like, I am happy to post these slides into the meeting notes. Would that be helpful? That would. Cool. Let me just do so. Cool. Other notes in here around Notary. Was that the primary reason to have the TOC call on today's agenda? No, that was just a separate thing. I just missed the meeting, and so I wanted to... Yeah. We reported on the TOC meeting. So that's just a normal thing. Got it. Okay. Yeah. There are slides. Everything that was talked about is listed in the slides. Yeah. Happy to help. Great. Thank you. I'll just be continuing on my exploration of the serverless group. Yes. Are you engaged with Gareth in the app delivery group as well? I am. At this point in time, I'm more engaging with Alexis and Michelle to kind of get the charter together. But if there's anything really particular, we can take it offline. Okay. Yeah. So I've been working on a couple of things there, and I lost that pulse. But it sounds like they're also just kind of finding their way in the world right now. So that's all I wanted: to see who the folks are that can be sharing that context out, and whether we had any mechanism to support the work that Gareth was doing to make sure we connect the folks that are making any recommendations on security. Yeah.
And I can just chime in a little bit, since I was involved in the serverless working group. When we all decided that we wanted a CloudEvents standard or specification, because we don't do standards, the serverless working group decided that that would be the main thing the serverless working group did. And so for a long time, it was just a thing that the serverless working group was doing. And so I made some comments on the app delivery proposal that my expectation was that the serverless working group would then be part of app delivery, right? It would be subsumed by, or a subsidiary of, or something. And so I think that's still being considered; it's still being discussed exactly how that works. But Gareth has come in over the last few weeks, and it's in the notes, and sort of chimed in on how we would work together.
And I think it's very exciting to me to hear that the app people do want to make sure that there are security recommendations in the app things. Got it. Great. Well, I'm going to pull up this next one so we can all view it: "Proposal: archive Notary project". It sounds like there's a lot more context around Notary to carry forward from the TOC. Does anyone want to frame this and help us go through it? I think there's a couple of ways to look at it, and I'm trying to be... given this is a recorded call that's going to end up on YouTube, I'll say it this way. So I think Charles Richard, who I don't know, has looked at some statistics and I think extrapolated quite a bit from them in a way that, at least from my perspective, is a reason why you don't just look at statistics. Because the view is that rkt as a project... Chuck Zavoda? Yeah, I don't know who he is. But the view is that rkt as a project hadn't been actively maintained; it had a bunch of open security issues, it had a bunch of problems with it. So Notary, if you look at certain statistics, isn't of course anywhere near as bad as rkt, but looks closer to rkt than to Kubernetes or other very healthy, active projects. But I think that doesn't really tell the right story, as a couple of people argued below, including myself. When you have a project that's security sensitive and is very stable, we do not add features and things to TUF very frequently; we do this very conservatively, make changes to the TUF spec. And so as a result, projects like Notary also tend to be very conservative about code changes and the things they add. And I think that, just my personal opinion on this, things are being a bit conflated here; the original poster put a little too much emphasis on that, as myself, Santiago, Justin Cormack and I think someone else also posted
below. Ironically, Notary is being used in production by IBM and Red Hat, so it's a little odd to say things like Docker's not supporting it or whatever else, because obviously they're using it in production. It's probably somewhere around 80% of the TUF use in the cloud that is via the Notary project. So it's a very, very widely used piece of software that hasn't needed to change drastically, and I think that the tea leaves are being misread for that reason. Yeah, and so is there maybe a statistic missing, right, which is use of the project? If you just measure contribution, there could be a project that is not used by anybody with lots of contribution, lots of churn going on; that doesn't help anybody, right? And this is kind of at the opposite side of the spectrum, where there is a lot of use but the project is mature enough that you don't have to have work at the level of churn, right? There may be ongoing maintenance work; maybe there needs to be a maintenance mode. Maintenance is kind of a bad word in circles, but maintenance is the right thing; they need to address CVEs. So, ironically, the person that opened this was, I think, from Red Hat. So we actually use Notary; IBM uses Notary. The only thing that I think there are some issues with, which I think Justin has mentioned they're working on fixing, is kind of moving out some of the inactive maintainers to make room for new ones. So currently at IBM what we do is we actually maintain our patches on Notary. But I don't think this warrants archiving the project, like that. The usage is so wide that I don't think archiving it would be the right thing. The person who did the original posting also suggested that, well, maybe it should be moving to graduation. And I think we spent maybe too much time talking about the archiving part of it, right, and questioning it, but then you
know, also said, well, why is it incubating, right? And so I'd be curious for the Notary people, and it might be that you're doing exactly that, which is making sure that you have enough active maintainers and have your governance in order before moving towards graduation, but I'm just curious if those in the know could chime in on that. I'm close to the know, but I'm not really in the know. I think that is part of it. There's this sort of supply chain thing that everybody wants to make sure works well, and a lot of people are viewing this as a good opportunity to fix it. So I think that's also made Notary, along with some of the OCI stuff that was mentioned, a little more conservative about things. Personally, I would like to see more of IBM's involvement, and the sort of fork that's there, I'd like to see a lot of those changes make their way over into Notary. But I also understand that there are a bunch of different reasons and views about how this should all work. But it's certainly a project that has a lot of use, has a lot of importance. Martin, can you go ahead? I'm sorry. Sorry. Thank you. Okay. Yeah, but just to finish my sentence, it's a project that I don't think has a desperate need for features from most of the adopters, but like I said, it would in some ways be nice to have some of the things that IBM has added be more widely available to other adopters, of which there are quite a few if you go to the Notary adopters list or the TUF one. Yeah. And maybe we can open another conversation with Justin Cormack as well, and then maybe look through the factors. Yeah. In my sense, we probably don't have to do much about it. I think the thing that's really relevant here to the security group is that we want to be a voice to perhaps say that feature addition rate is not necessarily a great metric for "is
this a good security project," especially for security, right? Because we're spending so much time aligning on spec and validating together that we are in fact producing something that's secure. Inherently, the nature of security projects means that we try not to move things a lot, because that's how you introduce vulnerabilities. Exactly. Yeah. So I think we just, as a community, should make sure that that voice is represented in meetings. So if you are on a TOC call and no one else speaks up, then that's your moment to step in and shine and say the SIG Security party line, if you so feel inclined. Great. So a couple of things here. Since I tend to enjoy the people and politics side of things, I would chalk a lot of this up to the fact that collectively in the CNCF we have rkt and other projects that we're evaluating for archival; we've been struggling with an extensive backlog of projects, and this is probably just caught in the net of folks looking at what's out there and poking at it. So I don't know that we necessarily need to read too much into the fact that this was called out, but I do think it's a great opportunity to do as Justin said: emphasize our support for this project, and in general for the fact that good security projects are going to be less churning once they get to a point of stability, by the nature of how they work. So one thing I'll add to that: as far as Notary is concerned, I agree with the general sentiment that it is a used project and should be cared for. But generalizing that security projects in general will have slow churn might be incorrect in the future. I think more and more it's going to be the faster you do patches and the faster you
notice, how the security is going to get maintained. And I don't want us to make a general statement of, like, if it's a highly secure product it doesn't have much. I think that people are trying to assert the negative, which is just because it's not changing often, it's bad. Let's just focus on that rather than generalizing that all security projects would basically be changing this, right? So I just wanted to throw it out there. Yeah, when we make a statement we do have to be sensitive.

Well, I think that actually this might be an opportunity for us. It's come up; maybe Brandon or somebody else can spot it, or Robert if he's on the call. We had some different GitHub issues where people have recommended that we have, like, guidelines as a SIG, like security guidelines, and maybe this is the first one, right? We were like, well, maybe those will come out of the assessments, and we sort of were reluctant to just have that be like, yeah, let's just come up with a bunch of security guidelines out of thin air, and there's a lot of prior work here. But maybe we could write this down. We have our cloud native security philosophy, right? And part of that philosophy is that one should be thoughtful about metrics, and that sometimes volume of change is not an indicator of success. And a way to word it, as for a security project: volume of change may or may not be correlated with success, like frequency of change, rate of change, may or may not be correlated with awesomeness. And if we can capture these things, then if something like this were to happen again we can just link to it, and then we don't have to be keeping as much of an eye out, because everybody will know this is our stance as a SIG. We can just write it up as a simple statement, and then maybe over time we have a few of them. Great. You
know, which ties into where I wanted to go with this particular issue and see if we could drive it to closure. One is, this is a proposal to archive a project that we care about, that we have folks that are involved in, but we actually don't have an explicit say in the archival of. So one of the actions that we can take is that we recommend no action. If that was tied to a more formal PR and a statement that we're having, maybe as a component that we'd like to include in the white paper, JJ, then that could be really compelling. And I don't know if we need to extend what we do with this particular PR to another repo. That's my open question: where would we sort of...

Yeah, I think being a voice in the process of archival is a good idea, especially if you're gonna be a voice in the process of incubation. Even... did we get a new job? No, I think we just said that, in general, it's been talked about that when a project moves from one stage to another we might weigh in.

Isn't one of the other topics supply chain security, and putting additional focus as a SIG on supply chain security, and potentially how we could use in-toto and Notary? Perhaps provide some guidance on how they'd be used, in addition to "we shouldn't archive it." Perhaps, "this is why we shouldn't archive it, this is where it's used, this is how important it is to the SDLC and supply chain security: Notary and in-toto."

Yeah, I would definitely like to see that. I think the next topic on the agenda may be related, with regard to recusing oneself, and since we do have members of that project represented here and taking on key responsibilities, we need to make sure we balance that, right? But definitely it's a project that we supported in their life cycle, and I want us to continue to support that and make sure that you
know, we're helping. The best way for us to do that, Jonathan, would be to surface some of these use cases at IBM, Red Hat and others, of how it's being done, rather than advocating directly for the project, right? Let's be a supportive channel for real world usage.

Regarding real world usage of this, because I haven't worked with Notary yet: is it somehow monitored by maintainers for outdated dependencies, vulnerabilities, or maybe it's part of, like, I don't know, a fuzzing community, for example what Google is doing for some open source projects? If it is, maybe this is one of the cases to, like, keep it: okay, this is still keeping a high quality of code and a high standard of QA in general.

We do this for TUF and we do it for in-toto. I don't recall what tooling, like how the Notary folks handle this. I just know we get blasted a lot and I tend to tune this out. I think that would be a good question. If I were you, just ping Justin Cormack on Slack and ask him, but I don't know the answer offhand.

Okay, maybe we should shift to the next topic so that we have 10 minutes for it, because I think this has been a good conversation, and other than potentially making a PR, if somebody's inspired to summarize our philosophy to the repo, I don't think we have more to do on this, right?

Yeah, I'd like to drive that. Since the big context security discussion, I'd love to not just leave it hanging. So JJ, if you can take an action to PR something in, and then we'll follow up next week with an action to carry it through to a PR on another repo, the extra repo, once we have it. Okay, I'll take a stab at it. Yeah, great.

All right, next is the conflict of interest item. Brendan, you have point on this. You want to set this up? Yeah, let me share my screen. So we talked about conflict of interest a while back, there is the issue open, and I finally got around to writing something for it. So
I've added a section on conflict of interest to the security reviewer guide. Basically what I've done is, I borrowed some language from Sarah's contribution for the TOC to basically talk about why we need this conflict of interest consideration, and I've taken an initial draft of what the conflict of interest should look like. So I kind of classified it into two types of conflicts: one would be hard conflicts, and soft conflicts. Hard conflicts would mean that the reviewer would not be able to review this project at all, and soft conflicts would be the reviewer will not be able to be a project lead for the review but will be able to be a regular reviewer. So right now what I have here is, it's a hard conflict if you're the maintainer of the project, or your direct reports up and down are maintainers of the project, or you're being paid to work on the project. And then for soft conflicts, this seems to be up for discussion. So over here what I've written down is things like if you are not necessarily working on the project but it's under the same company, or maybe you use the project in your deployments and so on but you're not necessarily working on it, or if your friends are maintainers, and so on. So the idea here really was to make sure we don't exclude too many people from being able to do the reviews.

I think this, in my opinion, depends on how much power the project lead has in terms of determining the outcome of the review. So along these lines, I think there was also a point that was brought up about what's being practiced in academia, which is you can't be in the same part of the company or organization, and then that made me think about, what about projects with open governance? How do you determine whether someone is affiliated with the project or not?

I think you ask the reviewers to make it clear. I mean, that's effectively what we do in academia: we have to also say things in addition to who we publish with, or things like that,
that are measurable. We also have to say, oh yeah, I have a close personal relationship with this person because they were my office mate, or I roomed with them in grad school, or I hate their guts and so I can't be impartial.

Can you scroll down? Because I think there's one, the personal financial interest that's direct. I don't mean like you invested in the Dow Jones Industrial Average and the company is a listed company there, but I mean if you're somebody who owns a bunch of stock in a company, or you were in some role like that, that I feel starts to maybe cross a line.

Yeah, so I was thinking about this in terms of, I think Sarah brought up a point also, like if you are an employee of Google, would that be a conflict of interest with Kubernetes? And I'm assuming most Google employees own Google stock, right?

Or, I mean it more like, if I have Google stock and I don't work for Google, doesn't mean that I'm partial to Kubernetes. Like maybe, because maybe Kubernetes and Google are entwined in their success. In that particular instance, I wouldn't have thought of it as being a conflict of interest, right? But that's where the CNCF is working really hard to have the projects... there's been discussion on the TOC about the projects being real open source projects, right? The aspiration is that every project is a real open source project that is not controlled by a company. And so if we believe that's true, then just because you have a financial interest in the company that was the primary sponsor of this project doesn't mean you necessarily have a financial interest, you know what I mean? I think we just have to somehow tease that apart. And we could start with, I like the way that Justin starts with it: if you think you might have a conflict, say so. But I think that we could just make it be really
clear and say if you own stock in any sponsor of the project, then say so, right? But it does seem like a little much, because most people... maybe say if it's a public company it doesn't matter, but for a private company, then if you own over X percent. I think there's a standard that people use, like if you own more than 10 percent of a private company, that's a trigger, right? So it's easier if you don't... like, now I have to check my portfolio.

I think it's also different if it's a project that is what a company is about, right? So if an open source project fails for Google, it probably doesn't sway our ad business at all, and I work for Google in case people don't know. But one of these smaller open source projects, where it's a company that is funded on supporting this open source project, and you have stock in that company, and you fail to disclose a security problem because of that, because it would tank the company, I think that is a harder thing. It probably also violates various financial guidelines, right? So we don't have to worry about that too much. It's insider trading at that point, I think, right?

But at some future point, it could be that... imagine a future where Google is dominant in cloud and gets the majority of its revenue from cloud, and Kubernetes is a big part of that, and a negative review... I think disclosure at that point is okay. I think you have to disclose if you write blog entries about Google, right, if you own stock and things like that. So I see that, yeah.

And I think the employee disclosure makes that clear enough. I think we can't figure out all of the possible situations, and what I think is, maybe just straight say, we can write clearly for some situations when there is a problem, but besides that, just write it clearly
that it will be discussed case by case. So I think it's a good idea to write every single situation in this paper. Yeah.

So I was trying to find what a good balance for that was. I think one of the things that Sarah wrote for the TOC regarding conflict of interest is, you don't want it to be that undefined such that a chair or assessment lead can intentionally block someone from performing a review.

Yeah, and I think particularly it came up because last week I was saying that Brandon shouldn't lead the Falco assessment, and then when Gareth posted on the list for the TOC, I thought about it and I was like, I actually personally think there's no conflict of interest. And was I just, one, overburdening other people, because Brandon was willing to do it, and two, like with the serverless working group, would some other chair make a different assessment? And here am I, like, Brandon's done some work on this, and, I mean, it's just sort of arbitrary. I don't want to be making arbitrary judgments here, and neither do I want to be having a big meeting about it. And generally this group, I think wisely, is just like, well, when there's doubt let's just not, but then that can slow us down in stupid ways. So that was really the genesis of this: let's just write it down so that most of the time we can just be like, okay, check, we're just following the rules, because we just want to do the right thing.

Are we saying soft conflicts need to be disclosed and hard conflicts disqualify you from doing a review? Yeah, that's what the text says. Okay, okay, I didn't read the whole thing yet. Is something that right there? The deltas are there, but if you go back and read the document, that's... yeah, I've shown it there. Right, so the practical point is that, from this reading, then Brandon could lead Falco... well, no, you wouldn't lead Falco, but you could be on the group. Yeah.
Right. Well, there's Kiko, but I got the point. Okay. Oh, sorry, got confused. I think the information, and then having the chairs make a decision in coordination with everybody, seems like the thing we all seem to think is a good idea, so maybe we can move forward with that. Yeah, like that. Yep.

And I'm very happy with the direction here. The only thing I want to call out is, it seems like we don't have a process proposed yet for how we would handle an exception where someone maybe has a soft conflict of interest and we wanted to sort of collectively recognize, yes, that is a known, but given some extenuating circumstance it is in the group's best interest that we move things forward and attach additional scrutiny to the effort.

Well, I think maybe Brandon can just clarify here, but I think the intent is, so we could just say that the soft conflicts, right now we're saying it can be documented, but maybe we say that after the review team is determined and these things are declared, then one of the chairs says okay, approve, and the chairs are always responsible for talking to each other and getting feedback from the group or the TOC if we feel like the guidelines aren't clear or something.

Yeah, maybe I'll write a paragraph or two just to document this sample process and see how many chairs need to approve this. Yeah, make it part of the template. Excellent, super, thank you so much. Thanks. It's time for us to wrap it up. Thanks everybody, and I'll be taking over chairing next week, so if you have any suggestions for that... we have a proposed presentation for next week with Sarah, and make sure we have that presentation lined up. Okay, thanks everyone.