 Good morning. Is this thing on? It is. Brandon's going to lead the meeting. He'll be here shortly, I think. I'm going to just put the notes in the chat. No, sorry, I got some issues with your computer joining Zoom. I just put the notes in the chat so people could add themselves in attendance. Hi, long time no see. Hey, Justin, do you know if Santiago is able to join us today? Yeah, I'm not aware of Santiago being available or not today. There's a bunch of stuff going on, so it's kind of hectic. Okay, yep. Thanks for having me, sir. Yeah, in fact, I'm going to have to drop off in a few minutes myself anyway because of the conflict that I have, unfortunately. Okay. Maybe we should ask if Justin has any particular agenda items that he wants to speak to? I mean, I guess what I'll say is TUF is now up for vote for graduation. So, plus ones are appreciated. If anyone has a chance to vote on that, I will, I guess, post it in the, if I can find the link here, I'll post it in the... Yeah, I could put it in the meeting notes. I have a question that has reared up in my life recently, that is kind of TUF-adjacent, which is whether we know if, is anybody giving any thought to the signing disconnect between CRI-O land and Docker land? Oh, that's, that's something that I, within IBM we're discussing, especially now, since we have the predicament of having both solutions we have to look at. That, some trade-offs, I, I think, I'm not sure just in comments on the call. Can you, I just added myself as scribe, can you repeat the question? Because I wasn't thinking to write it down. The question was whether anybody is giving any thought or has any ideas about the disconnect in signing approaches between Docker land in TUF Notary and CRI-O land with GPG signing? Yeah, so I think that, yeah, go ahead, Justin. 
No, I was just gonna say that's like a long inflammatory discussion that I don't have a lot of time to get into, but we, this actually, if you're gonna be at KubeCon next week, we'd love to sit and, and have a chat with you about it. And we do talk about this. I, I am, I would love to. We are, you know, we went from our version three to version four in September, we went from Docker to CRI-O more, yeah, Docker to CRI-O, honestly, to be honest, more, more abruptly than I would have wished. I had an engineering schedule gun to my head that said, oh, you want to continue and deprecate Docker instead of dropping it wholesale. That's another four months, thanks. So things got kind of out of hand and we are now facing the idea that our private registry story is not terrific. And in moving ahead, you know, there are, there are really two three choices for us to work with. And one of them does what we need. The other one may be preferable in some ways, but doesn't. And would love to see, would love to discuss, see if there's a way forward. And yes, indeed, it's an inflammatory subject. So I will be. Okay, sounds good. So we'll, let's, yeah, let's talk. I'll, I'll send you a private message here with my. Yeah, Roger, which company or organization will you form again? Tusa. Sorry? Tusa. Tusa, okay. Yeah. Yeah, I just said I've been interested in that as well. I think I guess like just in comment because I think there's some discussion going on the OCI weekly meetings sometimes. So, yeah. Okay. So, sorry for the door. Okay. Yeah. So if you, if anyone hasn't signed in yet, please add yourself to the Google Docs. And then I think we'll start off with the, just going around. So, let's start, we already talked, Justin, do you have anything else or was that, what's that? That's, that's I think the main thing. I guess there's a few other things related to TUF integration to Python and stuff with in-toto and things like that. 
But I, in the interest of time, I'll just leave those aside. Okay. All right. Nick, Sarah? I'll leave my, all my updates on the agenda. So, I put a bunch of things on the agenda in terms of like what's been going on at GitHub. I haven't been present at meetings, but I've been trying to be consistent about looking at GitHub PRs. Also, if somebody who's not Brendan can be subscribed because he's facilitating the meeting would be great to have another scribe. All right. Roger. Thank you, Ash. Is that unfortunately I'm on my phone, which makes that kind of a pain. So, do you want to give a brief kind of, oh, yeah, yeah, why have you been up to what? That was my hard describe. I, let's see. So, as I said, we've had a recent release. We are working through both some issues that Twistlock runs have turned up recently. And working on the internal negotiation between our corporate security engineering team and our containers team, which used to have two security guys embedded in it to figure out how we're going to work with them going forward. Now, at the same time, I talked about this a while back, but I would like to be able to be more involved in assessments. So, I will get on that now that the release that took a year and a quarter to get out the door is out and we're on a regular quarterly release cycle. I should be able to do that. Great. And if, since you'll be at KubeCon, I think we're going to, we're going to have an in-person meetup. So, we'll figure that out. Yeah, awesome. Thanks, Roger. Next is me. So, I think most of the stuff that I have is in the agenda. So, I have a request, so we created an issue for trying to organize an in-person meetup at KubeCon San Diego. So, if you're going to be there, do put a note in there that you're going to be there so that we can coordinate something maybe we'll have dinner on the Tuesday or something because I think Wednesday is the KubeCon party and then Monday is the speakers event. Yeah. 
So, if you could, I put the link into the issue in the agenda so if you'll be there, let us know. All right. Anjo, and Anjo. Hi, thanks. So, this is only my second time. Unfortunately, it was a few months because I had a meeting. So, I worked at Intel Labs in the data center security team and we're interested in all sorts of security questions around cloud data centers. And in particular, I'm working on functionalized server security and compartmentalization of, you know, security sensitive things. Just here to listen in and see what problems are. Oh, yeah. Great. Thanks, Anjo. Frederick. Hello. So, I'm new to this particular community looking to learn what you all are doing and eventually I, in the future time, I'd like to talk about potentially some integrations I've been looking at with SPIFFE, SPIRE and Open Policy Agent together and to see if it makes any sense to try to integrate any of that stuff in to some of the stuff that's still we're all working on here. But I want to learn first before I propose anything. So, I don't have anything else. If you're working, what are you working on right now? Okay. So, I work on two things. One of them is I work on, I'm the co-founder and maintainer of Network Service Mesh and I also work at a healthcare company that does artificial intelligence, but we do all of our work on Kubernetes. And so, we have PII and potentially PHI that we have to defend. So, the second reason I'm here is to try to work out like, what are the best strats or what are people doing now? Like, what's coming down the pipeline so that I can make sure that we integrate our stuff into it and mitigate the threats as well. So, I'm not looking for support in this area. I have groups I can approach and pay, but I do want to know what's coming down the pipeline, which I believe this is the appropriate group. Okay, great. Welcome, Patrick. Thank you. All right, Martin. Martin, we can hear you. Oh, it's typed in no updates. Oh. No, it's in the note. 
All right, Amy, I just saw you all at KubeCon. So, I'm guessing no updates as well. Okay. Very no updates, no updates from Ash. Michael. Hi, all. So, we've got the cloud native security day or the sixth security day on Monday. I'm going to say the last time I know got a registration count of last week before we closed it, we were at 175. So, we should have a pretty good turnout there. We worked with Emily from the CNCF to figure out what we're going to do from a space perspective. And we actually have four separate rooms for breakout room for the open spaces. And then we have the main ballroom where the talks will be held. And then we can do two open spaces in that space as well. So, we have a nice set of area for us to all spread out. And then we can have these conversations without having to talk over one another and everything like that. So, pretty excited about that. And the CNCF has been extremely helpful in getting those things ready. On the Falco side, we're expecting that a vote gets called today for considering Falco for incubation. We've went through all the due diligence. And that is an email that was sent recently to the TOC mailing list around Falco and the growth of the project over the last year. So, we're looking forward to that. So, if you see that come across, then you have thoughts. Please, plus one it if you can. For sure you support otherwise. And then the Falco team has an offsite. I'm actually out in Reno getting ready to head over to Tahoe to have an offsite before KubeCon where we're going to do some planning. And then also, Sarah, I know you asked about the security assessment. So, I'll make sure that I bring that up with the rest of the team and get that on our plan for the next quarter or so. And we should hopefully get that done now that we're through incubation. Great. That's all from me. All right. No updates from Ben. Christian. Find the unmute button. 
I talked to the team that is working on our internal role recommender, which is something that came up in last week's call that people want to know how they can do least privilege and ask them if they could give us a presentation. They're not quite ready to do that. But at some point we might be able to give a presentation here. Okay. Yeah, sounds good. But I'll write that down as a note in the future meetings. Yeah, exactly. If you guys want to look at it, it's called role recommender, I think. So, if you look for Google role recommender or something, you will be able to find it. It's in public data at the moment. But it's not a secret I can talk about. All right. Great. All right. Then no updates. So, I think that's it for send-ups. Let me just check with the mock. Hey, no updates. I'm just going to mention the NIST adversarial terminology report that I think it's probably closing for comment this week. But something we might think about is automating the machine, either machine learning based or manual test automation as part of one of our recommendations down the road. It's sort of a framework for doing that in that NIST paper. No other updates. Do you think it would be something that you could talk about like one of the sessions in the future? Sure. Sure, if there's interest, it's kind of in the weeds, but yeah, I could give an overview. All right. Awesome. All right. I think that's it for send-ups, check-ins, sake-off policy workgroup. Any workgroups or updates? All right. That's the medium of this done. So, first thing on the agenda, I think we have a PR purchase on the update of the code of conduct. I think Sarah just merged this in. Yeah, I can go over it if I think this is it. Sure, because I think Emily drafted this. 
This came up in conversation and Emily took the lead on writing down what, you know, sort of basically like we do go through these security assessments and how we wanted to write down what we many of us feel is that, of course, we would be careful with draft information and we talked about it in meetings, but we didn't really have it written down. So, one aspect of it that came up was talking about just sort of how we deal with the group in general. And so, we decided to add to our code of conduct that she originally talked about like ethical conduct and then various folks chimed in. Thank you for how do we word that, right? And what does that mean exactly? And we are all here. Most of us are here because our company is paying our salary to participate in this. So, we, you know, we are benefiting our company in some way, but what we decided to do is point to the mission and charter, which talks about making cloud native security like reducing risk in general. And that we, everything we do is open source. And it's designed to be for the equal benefit of the whole community. So, sure, we, you know, if we can benefit our companies to be more safe, that is great, but that, you know, the information is for us all. Are there any questions about that? So, then the other part of it is, you know, also kind of an important detail where the draft assessments really clearly are some stuff that we have questions about. And just because there's a question doesn't mean it's a problem. And just because there's an assertion in a draft assessment doesn't mean it's true. And so, we want the security reviewers and the people doing self-assessments to feel comfortable like, you know, discussing things, asserting things, and then coming to a conclusion about whether something is worrisome or not and fact checking as part of the process. And so, I think it's really great to have that written down. 
And then there's another kind of assertion that we've talked about where the assessments are to help people evaluate whether this project is right for them and their risk profile. It's not an assertion of like, yay, secure, not secure, right? Security is not binary. It depends on context. So, yeah, so I wanted everybody to be aware of these. And as newcomers come into the group, if people have confusions about what exactly we're doing here, that hopefully will help. Great. Many questions on that. I guess, is there something that the CNCF kind of would also want to say about that eventually, about, you know, how often these things are reviewed? Does it, like, does that actually provide, like, what does the security assessment kind of provide for the CNCF project? I remember we were talking about that at some point. So, we do have a, it's actually on my machine to make it a PR. We have an issue about the talks about how we are, like, sort of the process for going through security reviews. And it might be good if I can, I'll look for it and add it to the agenda if we have time to go through that, because I think it'd be good to chat about it if it hasn't been talked about. But basically, we're committed to doing annual reviews, which could be as easy as an asynchronous, hey, has anything changed? No, the feature set's identical. Here's the progress. Then one of the reasons we're trying to be rigorous about having actual GitHub issues for everything that's raised in the assessment is that if there are no new features in a year, we could just go through the open issues and be like, oh, these are resolved. We have nothing new here, and we don't have to do a full assessment. And that over time, as things graduate, you know, I think a lot of projects will end up with it just being like a quick check-in rather than as significant as a first review. All right, cool. Okay, let's move on to the next item, which is the supply chain catalog. 
I think I want to talk a little bit about this, but I don't think Santiago is around. So I've reviewed the Misha on my screen. So I've reviewed the files that he's put in. I think everything looks good so far. Is there anything else that we're waiting on this? Or I suppose you just added some comments here. Well, yeah, I just went through it and found some broken links. That's really a minor. But yeah, maybe you can show in the view. Like if you view the root README. Oh, sorry, wrong button. Actually, maybe, I don't know if there's a button to open it so that the links work. Yeah, I don't know how that works. So does anyone know if we can just go into the, I guess I can go into the branch. Give me a second. I think it's this one. Yes, yeah. So this is where it will be. And so one of the things that I think is really neat about this is that it came out of the security assessment for in-toto. There was great discussion of like, they're not saying that they do every single possible thing in the whole software supply chain. And there are things that are outside of the scope of what in-toto does. And they had collected all of these compromises. And so there's enthusiasm from various people in the group to catalog the compromises and determine whether there are gaps of things that or what the gaps are. And also kind of develop vocabulary around these kind of threats because there are different classes of threats here. And so there's a catalog here and this is a first step. And then the idea is that we would generate additional information for that root README if we go back to that, Brendan. Where there's like on mitigating vulnerabilities is like not much information. And we're not going to hold the pull request until that's filled out, even though there's been some discussion. There's some ideas so that Santiago can submit the compromise catalog. And then others can chime in with additional information or, you know, categorizing this. 
And so I think this is kind of like an exciting addition to our repository and creates a way for, you know, us to kind of knowledge share across the group. All right. Let me start the sharing. Any questions on supply chain stuff? Okay. So I found the other, what's it, the issue for the security assessment guidelines, if you want me to dive into that. Okay. Yeah. Let's go into that. So here we have, this is as a doc that Liz and Joe reviewed and it was kind of, you know, and came out of a bunch of discussions with the, like how does the TOC's directives, right, map to what we're doing. And so we already had this security assessment facilitator. And then we have an assessment queue, which is actually called an assessment matrix right now. One of the things that I've been meaning to like write up or talk about is some of the stuff in here is a little like redundant with stuff that's inside the issue. So I was thinking maybe if we don't have, like, either we should track the project contacts here or in the issue right now, we're doing it in both. And so we should figure that out. But maybe somebody can make a note of that as an action item to sort that out. And then I'm the named chair who provides official oversight of the security assessment initiative so that my responsibility is that if there's any questions about prioritization or process that need to be raised to the TOC level, I would bring that up in meetings with Joe and Liz and also kind of provide a little oversight. And so what I've been doing is if I'm actually a security reviewer, I tap JJ to be the person who does the like sort of chair review. But generally there's like sort of an extra process review that happens to make sure that we're communicating effectively the different things. And then we set up these preconditions that either the project is a CNCF project or there's some kind of assertion that this project is cloud native. 
And so that we don't get caught into the weeds of reviewing every security related thing in the world. And then the key precondition is that the project itself wants to be involved and has identified the project lead in a written self assessment. And there's some discussion about like on one of the issues about how much should the TOC be encouraging projects to do this, and should they have said that Falco should have done the assessment before incubation and so forth. And I think one of the things that we've talked a little sort of more in smaller groups about is that we really want to be confident that we can execute on an assessment. And like our target is I think Justin, I don't know if Justin's still here. He's been very focused on keeping our target at three weeks, which we haven't yet achieved. So we want to be able to say, okay, project, if you prepare a self assessment, as soon as that hits the ground, as long as we know it's coming and you're in the queue, we can go start to finish three weeks or whatever it is, right? If it ends up being three and a half weeks or four weeks, we just need it to be a bounded amount of time. And so we're still in the phase where we kind of want projects that are willing to make up the process with us, right? And, you know, we have two so far that have done that. And once we get through five, then we can kind of move towards kind of more, you know, kind of more at a heartbeat of having people come through the system. So priorities, we came up with these kind of four priorities, right? So top priority is sort of happens rarely, but the TOC can at any time say, I want SIG Security to do a review of this particular project, or I think you should adjust your priority queue. That they won't interrupt an ongoing assessment. So whatever the TOC says we should do, we would never interrupt an ongoing assessment. We finish it according to our process. If it were to be paused, right, then we might take the next thing in the queue. 
And so any TOC request would be next in the queue, whatever that is. And then we have the next priority is anything that we reviewed before, if it needs attention, we make sure that we do that in a timely manner. And that one of the things that we talked about very early on is if something's already been audited, that it would be this assessment is less important than something that hasn't been assessed or audited. However, within a year of the audit, we do want to go through an assessment because what we're finding is that it provides a different kind of value than an audit. And they're intended in some future date when we get this whole, you know, when we prime the pump and get the system going, normally we anticipate there would be an assessment early in the sort of sandbox incubation stage. And then the audit would happen in the incubation stage. And then the assessment information would be a good thing to give the auditors to, you know, to get, to kick off the process. But, you know, it'll be like things happen in order because audits existed before assessments. And then, so then there's the, where we are at now is that like most of our attention is CNCF projects that request a review, right? And so, or, you know, I wanted to kind of add in anybody in the SIG if you're like, hey, here's a CNCF project, which would be great to review. Like, you know, now is a good time to kind of informally encourage people to participate with us because it is like a little more of a, you know, process that projects have to be willing to, you know, kind of work with us to define the process, which could be exciting to some. I think some of the security related process have been, you know, they've been really great to work with and have been willing to contribute because they're members of the group. 
And that generally, if something is further, you know, in its higher, like more mature graduation stage that like, you know, graduated projects would take precedence over incubation, incubation projects would take precedence over sandbox in general. And then non-CNCF projects that request a review or are invited, right? So we, all of our projects, like just because it's not a CNCF project doesn't mean it isn't important to our cloud native ecosystem. And that at our discretion, we can say, okay, here's something that's important to the ecosystem. Maybe it's a dependency of a lot of our projects. Maybe it's something that everybody deploys and just, you know, happened to be a mature project, not related to the CNCF. Then we, you know, could definitely evaluate those as well. And then here's the note that people questioned, there was a question about, which is that the we'll review assessed projects annually. Well, it seems like we've so far been successfully completing 80% of the work in three weeks now. So I'm just wondering if there's something that we have to consider for in the case where the TOC wants us to do something, but the project is not ready to do an assessment? Well, I think that's where the, if the project hasn't done an assessment we don't start. They could be at the top of our queue, but it's like waiting on them. And then we'll start another thing. Right, so if we don't have any, like right now, we don't have a project to assess, right? So we're anticipating that Falco comes in. But if, you know, depending on Falco's timing, which Michael's going to let us know, or the Falco team's going to let us know, like if they say, okay, we're going to be ready at the end of January and another project that's further down on the list says, hey, I've got my self-assessment ready. We could fit it in there. And so the more we get into the swing of this, we should be able to make that kind of easier to project manage, I think. Any other questions, observations? 
Okay. Could you put the link to the document if you're ready? I did. I didn't title it. Here it's this one. Oops, this was supposed to be down here, sorry. So we already talked about the TUF stuff. So if there's some more questions on that, I think I'm going to spend a little bit of time. Sarah, do you want to go? I think I'm going through these slides really briefly. Yes, that would be great. Okay, let me share my screen. All right. So Sarah and I will be doing the session on the SIG Security intro next week. So we've been working on the slides. I think most of it seems to be kind of just updating whatever that was already there, originally put together by Sarah, Dan and JJ, and making updates to it. So I think most of the overview and things like that hasn't changed. I think, Sarah, you've been updating the timeline. Yeah, I was kind of curious what people thought should be significant. The timeline didn't have anything from the last six months. I was looking at squishing this more so that there would be a couple of sort of more options, maybe putting the whole SAFE era into one little arrow and then giving more space for our different things. So basically, I was thinking like, there's the assessments, there's the policy teams, what's that thing? So I think perhaps more than asserting, we began doing assessments. The thing that I would consider to be at this level of completion and relevance is completing the assessment process. That is an epic amount of work that we went through and created and the individual assessments are less relevant, I think, compared to that work and highlighting that here. I like that. So we also have a couple of things, like the policy stuff, the CNCF security day, the supply chain catalog. I'm not sure how we can categorize that. I think the supply chain catalog is also worthy of mention. Is somebody taking notes on this? I'm going to change this to anybody can comment right now so that I can drop it in. 
I'm taking notes on the PowerPoint side as well. Okay, super. I think the other thing that is maybe worth noting and I think also because this is the intro session to have people come in is when we started having meeting facilitators and the roles for members to get involved. Because we had the initial governance in May when we were kind of accepted as a SIG. And then I think there was August, September kind of broadening of the roles for the SIG, which I think is a nice welcoming thing to say. Yeah, maybe we can add like a few like a hundred member mark or something if we have something 50 member mark. I think we're at 53 still. Oh, look at this. Nice chart. Yeah, before I get to that, I guess anything else. Yeah, I wrote a nice bash one-liner for that. Nice. Can you check that in? Yeah, it's not the best code. Just want to put it out there. Pull request there for. Yeah, so yeah, I basically did like a small graph from like member growth for every month, which I think happens to kind of coincide with like every KubeCon. You get to spike. So yeah, hopefully after this we'll see another spike over there. Nice. Yeah, and you know, I think that maps all the way back to the beginning because like the very beginning was kind of an initial sort of explosion out of KubeCon. Yeah. After this was. Or CloudNativeCon. Right. So we're not Kubernetes centric. Yeah, so I wasn't sure I may have jumped forward a bit too fast. But then you had the things that we had ideas of here. Oh yeah, maybe the landscape actually when the draft landscape got in, I think that's like there have been some good PRs by the way, people who might be interested in participating asynchronously. There's some good discussion around nudging the categories around. And I think that that's kind of a good aspect of our process to, you know, it was very controversial. We decided to just do something and get it in there. And then we've had time to kind of, we jiggered the categories as we learn together. 
So displaying a start to end timeline with a high level overview. I think makes sense for the introduction. You may not need to you know, in subsequent slides, as you sort of, you know, add landscape and other things like that. You may want to just sort of add a list of those and, you know, types on them rather than trying to make the metaphor of this timeline. You know, hang everything off of. Yeah, I just think we should have significant like I'm not right now the timeline shows. We have a lot of stuff about how the group is organized, which I think was appropriate for, you know, our first year where, you know, the content was less surfaced. It was more about getting the group together. Do I keep going, Brendan? Yeah. So I think this is the landscape side. I probably have to go update this again. And then the categories. So this is, I think pretty much the same as the last time, security assessments, updated to have these completed. I guess I can probably add the Falco stuff. I think it's pretty much, we're pretty confident about that that's being the next one, right? Yeah. And might be good to in this intro, like explain the, if it's not coming, like the explain that we, that we're the process where we're, we don't pick up an assessment to the self assessment and that we would welcome projects that are interested in helping, you know, participating because I think that we're consistently gated on the self assessment starting. And so this might be just a good place to describe that, you know. Right. So that people know that they're getting into, like this is like a, you know, a welcoming come join us in process definition a little bit. Rather than an all out, please come be reviewed by us. It's going to be a process. We've got it totally down, right? So should we, should we, I'm thinking whether we should add like a couple of points to say, like, here's generally what the process looks like. Oh yeah. Yeah, maybe go over that outline. 
And there's actually a open PR with the life cycle. Is Justin still here? No, I don't think so. Good question about the emojis, like, why is the thinking face? Oh, I guess it was like when it was still not completed. So I guess we can remove it. We can make that a smiley emoji. Yeah, that's what I thought, right? It's a happy process. It needs to have like the, like, high five. We'll, we'll, we'll put the chocolate. Yeah, leave them. See who notices. It should be fun. Or no, this is like all ready for your, you to think about. I think, yeah, I guess on this side, well, we can also talk a little bit about, I don't know where we were on having kind of like apprenticeship or like the interns or observers. I think we decided that they were additional reviewers. Okay. That's, I sense that's not very defining. I guess we'll leave that on. Maybe we can try to get that defined. Okay. Because yeah, the reviewer has some, you know, like we, or maybe we can just talk about it. Because I think it's sort of like, it's in the words, but not particularly clear where, you know, the security, to be a security reviewer, you must have been a security reviewer, right? Like there's like this little bit of a chicken and egg thing that we resolve by saying, well, if you don't have, like we just try to make sure that we have at least, you know, in our group of three, that we have a certain set of experience. And then we can have additional reviewers, you know, the team can be bigger than that. And so I think that that would be a good thing to talk about. You know, maybe link to the criteria for security reviewer, but okay. Because yeah, I think people, there's lots of people who would like to get this experience. And this, you know, cube counts a great time to let people know that's a thing. Yeah, I think there was some concerns about that. And the requirements were a bit specific, a bit strict, I think. 
Especially for those that don't generally work in the have to do security reviews or audits. So I think, well, so far, while it's hard to get the team together, we seem to have quite a few volunteers with experience. And then I think the high bar of experience is mitigated by allowing people to gain the experience through doing these reviews. So, so we decided to sort of, like they, it's actually an open issue on the assessment process that we're going to officially look at that after we've done five. Okay. I think that it could be a lot that we can think for the security reviewer thing. When you have three experienced security reviewers or you will tell me what number is needed, you can just allow for one observer or no observer, but like an intern or something like this. So I think it's not so complicated to define something like this. And it's maybe good to discuss a little more in the future. Yeah, Martin, I remember we were having the discussions about this the last time, right? No, yeah, I don't mean now. I don't mean future after, you know, when there were, when there are other assessments coming, it's good to invite others. That's what I meant. I think we are going to be out of time soon. So I'm just going to go to the next few slides. So this slide I put in, I haven't put in details yet, I got to take that out from the slide. I think I want to mention the CNCF security day over here just put the public information that Amy sent me. I think it'd be great to take some photos on Monday and stick in. That's a great idea. So we should try to think about, I meant to mention that, is Michael still here? Amy, like please help us remember to take photos, day of Monday. Yeah, we'll see what we can do as far as being able to get something to you quickly. But we... No, but I mean just like us all to take photos for you, Brandon. Also, do we have like a hashtag? CN security, is that what we're going with? Craspandas. Craspandas. Oh! No, it doesn't. No, secret agents. 
Yeah, when do we get the stickers for our logo? Do we have that? I mean, I would just go with CNCF security, don't use a dash, because that breaks some hashtagging. It works on some platforms, among others. All right. Play it simple. Yeah. And also at the slide over here for the supply chain stuff, I'm hoping that we can merge this before we talk about it. I think that... Yeah, Santiago said that we're working on time. I caught those broken links at the last minute, but he's psyched to try to get that merged in this week. So at the slide here to kind of talk a little bit, I crawled through the bunch of meeting notes to find kind of a few topics that we have. I'm not sure whether this is something that we... If you guys remember anything else to add to it, whether we're going to present it in a different way. Well, I think it would be good to link to, now we have in our issue template for people to propose a presentation. So we could link to that issue template somehow. And so, and maybe we didn't do as many presentations in the last six months, or like in the last, since last KubeCon, as we did before that. So it might be good to maybe even go back a ways and highlight some of the presentations that we've done in before that. And I have like a whole list because we were going to do that microsite that isn't done yet. I keep planning to do it. And now I have to watch the impeachment hearing. So sticking up a lot of my time. Lessons in American democracy. Yeah, if you have done this, I think it'll be really helpful. I was basically reading through every meeting and trying to figure out which ones are presentations and which ones one. I will find it. There, I have profound respect for your priorities. I think what's up, it's just like coming up over here. We just got to change this a little bit. I guess we will add the microsite since that's what seems to be coming up next, right? 
Yeah, so like I think the white paper is, so there's like this new thing that's come up from the TOC. I mean, it's not really that new, but for a long time, there's been discussions about instead of just prioritizing whoever comes to the TOC to prioritize what gaps there actually are. And a bunch of our charter is actually about addressing gaps in the landscape. And so that might be a good thing to kind of add in here, even though it's like, we haven't really figured out a methodology to do it. Like if that's some of the discussion that I think we have to have come later. But I do think like the supply chain thing is a good example of like sort of just discovering a gap, articulating it, and then we have a process like I wouldn't expect. I wouldn't be surprised if we find or create a project based on the gaps in the supply chain landscape, right? Or find something that's missing, right? And the sort of like the threat modeling is like kind of an educational gap that we're all talking about a little bit. So maybe we can just put that in as like identified gaps in the landscape. So this is interesting, because I think there was issues that were open that really talked about, will SIG Security back up a particular project? Because it thinks that it's a good security project. Because I'm not sure whether there's a distinction between backing up a particular project or just like saying that, okay, here's a gap and I think we need to do something about this particular issue. So I think that like... That's the one. I think this is a bigger conversation, right? And because I think that like we do want to do... Dan, are you meant to be muted? Can I...? Oh, I think she's in a little bit over. Do it, do it. Can I mute him? I'm sorry. Yes, please. Okay, I can't, I don't think I have control of that. Yeah. All right, now he's muted. So I think that like there's been a lot of enthusiasm for best practices, right? 
And the line between promoting a project and saying it's the best practice to use a project is a little bit blurry to me. But we don't want to like exclude the option that there may be other ways to do something, right? And so I think that's just... We have to kind of work through when, you know, we want to promote something as a best practice but not... But like somehow figure out how to welcome other approaches to whatever the best practices are that we state, right? So I think we'll have to work through that as we figure out things that we want to advise that people do. So I'm not married to this, but one approach to take with that is to point to one of the NIST... I know Justin doesn't like this, but one of the NIST topics, and then you can list the projects after that and that way you're not identifying a particular solution. Yeah, I think we can dedicate some time, especially to this. I think that's... This topic has been a couple of years ago. Yeah, maybe we can schedule a topic post-KubeCon so that people know what's coming up. Ooh, nice. What do you think? Right, yeah, riding that wave of activation and participation. Good. Come show us your things. Good. Yeah, so maybe we can chat about that, Brendan. Yeah. Before, offline of this meeting, we'll coordinate how to invite people to give presentations, and maybe we can work on having some agenda items immediately after KubeCon so people have... And you know that things are more structured when we are likely to have a large influx of new people. Yeah, I agree. Yeah, let's chat about that offline. I think we are almost out of time as well. Yeah, so I guess before we end the call, is there anything that anyone wants to bring it for, like, if we want to talk about... I guess we don't have a meeting next week, right? We should make sure that we cancel it. Amy, can you take it off the agenda? Yep, doing so now. Because we usually don't have one during KubeCon. Thank you. 
So, how are we going to think about dinner next week in person? Is there... Yeah, that's the issue. If you could comment on it, we should... I'm thinking it's going to be both likely on Tuesday because there's other stuff on the other days. So, Amy, are you going to comment on the Slack channel? The final decision is made. What's the plan then? So, let me paste the issue to you and then put your name down just so that we have something to look back on too. I'm afraid it may get lost in the Slack channel. Yeah, I'll post something in the channel and then we can follow up on that in the issue. Okay. All right, then I think we are just 2pm up. So, thank you, everyone. Thanks, everybody. You're welcome. Thanks, Brandon. Okay, bye-bye. Thanks, everybody.