Good day, everyone. Hey, good morning. Just want to confirm, is my mic coming through loud and clear? Yeah, for the most part. Thank you. Hey, hello, everybody. Good morning. So I just put the link to the attendance list for today into the group chat. So everyone can just check in the attendance there. Let us know if you have an update or not. If you're new or haven't joined these meetings before, you can just put no update next to your name in the attendance if you don't want to be pinged during the check-ins. Otherwise, if you're new or if you have something to bring up during the check-ins, feel free to mention that in the brackets to the right of your name in the attendance list. I'm not the only one. Good day to your, I guess, newest and youngest member field. Chase, we're able to hear your audio, by the way. Yeah, there's a hot mic. That happens a lot in this climate. Yeah, I'd be almost more surprised not to see it at this point, frankly. OK, I think we've got a few minutes to, we've already given enough time to hit critical mass. So could I request any scribes, any volunteers, to take meeting minutes today? Let's see from. I'll do it. The link for attendance here, I'll paste. Oh, thank you. This is Vinay. Yeah. Vinay, all right. Great. Yeah. Thank you, Vinay. And do we have a second? We've got Vinay. And if anyone else wants to also take meeting minutes as best as you can, so much the better. Thank you. And sorry, Matthew, did you want me to take it in the notes in your table, right? If you find it's more helpful or if it works for you, great if it's slowing down or impeding note-taking. Feel free to just put them serial underneath. It's kind of an experiment right now, just because if we have two scribes, that might be easier to do it side by side instead of two serialized documents. But whatever works best for you. Sounds good. Thank you. Got your attendance check-in. Just see if anyone has any updates. 
So the points I have here, I have Michael, Michael, and noted Harbor. Will you be doing the presentation today, Michael? Yeah, so it's not necessarily a presentation, but we'll talk about the Harbor items. I mean, I have a presentation ready if you guys want to know more about Harbor, so that's not a problem. But I want to know what we need to do to figure out how to initiate the review from SIG Security for Harbor's graduation bid. So if we have a lot of content ready for you guys, if you also want me to present, I can also have a PowerPoint deck. Sure. There's only one or two other updates and I believe it's one or two new members. So if it's all good with you, I'll just power through those other check-ins there and introduce the new members if they want. And then we'll go on to your update and then segue straight into your presentation if that works. Well, one thing I do want to mention here, so sorry, this is Justin Cappos. I'm the security assessment facilitator. Are we doing this? Are any of the chairs or anybody, I guess, Dan's on the call here, are we doing effectively an assessment as part of this or for Harbor or are we just, are we going through a different process? It sounds like Michael is way-finding and we're pre-assessment, correct me if I'm wrong, Michael. Yeah, I mean, I looked at the process that was on the ticket, sorry, on the issue type for the security assessment. So I was here maybe three weeks ago, so we talked about that at that time. We produced a documentation that was asked by SIG Security and I guess now we're at the point where you guys can ask clarifying questions. You can do the initial review and this discussion and then someone, I assume, will be assigned to do a deep dive into Harbor. So we haven't gotten to that, who that person is yet. And I don't know what needs to happen before that happens, but from a Harbor standpoint, I'm OK to follow whatever process works for you. 
Yeah, it's just the reason why I'm bringing this up is because we, as far as I can tell, we don't have an issue for this. There's nothing in our queue to do an assessment. And I think it'd be great to hear about all of this and everything, but I also want to make sure that if because we're going to have to get a team together that's going to have to go through a bunch of this process and maybe Dan just posted something that made it clear that I'm wrong about this. No, no, there's just a recently created issue. So just looking at it. Got it. OK, so like the one issue hasn't been ingested yet. Got it. OK, so once we have like our leading security reviewer, our other security reviewers, all these other people, then we're going to have to go through a process that is going to have some similarities with what you're proposing to do today. So I'm just saying that I'm more bringing this up because I think it'd be very understandable if three weeks from now we asked you to go through effectively the same talk you went through today with some minor tweaks and you were like, hey, I think it'd be a very understandable reaction to be like, hey, we went through basically the same thing before. But the fact is that since we haven't had a chance to go through the document, we don't have lead security reviewers. We haven't done any of this stuff. We're sort of not prepared to ingest this presentation, have the intelligent questions and things that we'll need to have for that. So I'm very fond of being kind of an intro and for you to talk as much as you want. But we might need an additional step later and that we wouldn't need had this been done the other order. So where is Harbor in the queue that you have right now adjusting today? So yeah. So there is a queue with security assessment queue. We have SPIFFE/SPIRE, Cloud Custodian, in progress. A lot of this has changed slightly with the coronavirus changes that have happened recently. 
We have Dragonfly and Falco that are technically further along. But once again, they may or may not be actually ready to progress. And in fact, you can go. I'll post this in chat in case anyone is interested. OK, thank you. So Dan just sent you a link to our queue. In a normal non-coronavirus, everything proceeding normally, everyone around sort of world, it's probably fairly likely that we would, in fact, have already completed the assessments that are in progress. And then you would go into the state where you're either in the block state because we don't have the right reviewers or whatever else, or you would be in the backlog. So it feels like you're trying to do this quickly, which obviously something that we would like to have happen too. And once it's to a state where there's nothing blocking, it moves into either backlog or in progress, depending on what's happening. But I think it should be a fairly, to give a more realistic answer, it should be a fairly fast process once we've identified the people and done everything else. But somehow I missed this initial issue. And so I haven't been aware, I haven't been wrangling people. Maybe that's part of what we can do on this call, too. If you'd like, is that after we have our facilitator go through and run the normal meeting, we could have a really brief Harbor presentation, maybe like 15 minutes or so, just to give a flavor of the project. And then we can try to wrangle people to participate in the security assessment. And then the expectation would be in three, four weeks-ish, we might have you go through and do the actual real presentation. Yeah, absolutely. I wish I had known that, because I was here on the first week of March, I will put it in the queue right away, or at least create the issue then. We waited to create the issue until we completed the entire document that you guys were asking for. Justin, this is just a quick clarification. 
So this is Harbor trying to get a recommendation from SIG Security for graduation. And I think we spoke about this couple of weeks ago. There's a distinction between that process and the security assessment process. And what I understood from Erica and Justin Cormack was that this is supposed to be a very lightweight process. So the project wouldn't necessarily go through the entire exhaustive security assessment. That's what I understood last time. So I'm just a bit confused. There's no official requirement present from Security for projects to go through security assessment for any particular status, because we haven't. SIG Security has not made that requirement yet. But obviously, I mean, Harbor has said it would like to get through this process, and it would make sense to do it before graduation as part of the due diligence if they want to. If they don't want to, they could go ahead and try and get a graduation without doing that. I think there's an option. But I mean, I think it would, I mean, I still see it as being a valuable thing to do for the graduation process, if not required. I agree. I think it's going to be the most effective way for us to provide that due diligence and the most comprehensive way. But if Michael, if that ends up slowing or blocking your timeline, please feel free to identify that. And we will look for ways to unblock it with the consideration that JJ's sick and stuck in India, Sarah's sick and stuck in Boston. I'm doing OK now. Everyone's dealing with uncertainty and crisis. So we're not going to try to get in the way of things. But everyone's dealing with a Black Swan event that is making everything a bit harder. Yeah, I mean, I understand all the different things are happening. Ultimately, Harbor needs a thumbs up from SIG Security for graduation. So whatever documentation or whatever process you guys want to follow in order for you guys to give the thumbs up, we can do that. 
I think it would be very useful for you guys to go through your SIG Security items now. And then maybe after that, give me a few minutes to talk about what we've done for Harbor. And maybe that will make it clearer in terms of what process you feel should we follow to move to that. Thumbs up or thumbs down type of thing. OK, that's good. So just in business surrounding here, is it mandatory that if a project needs to be moved to a graduation, it has to go through our SIG Security assessment? If so, do we have a clear cut requirement? What are what the process should look like so that vendors or solution providers who are trying to come in, they have a clear understanding that OK, I have like 10 steps that I have to strictly follow, whether it meets all the 10 or it didn't meet it. So is it something transparent to the vendor or the solution provider or who is building or engineers to? So I'll assume you mean me when you say Justin with this. So the short answer for what you're asking is no. It's not formally required. And in fact, we have intentionally in many cases here decided not to make a lot of this super, super formal at this point. Because we're still going through a process where we're trying to figure out what the formal process should precisely be. And so these first five security assessments that we're doing where there's a lot more latitude with the people doing the assessments than is likely to be the case for assessments that come later in the process. Because we don't want the last thing we want is there to be a bad process or a useless process or an onerous process for no good reason. So you're correct in saying if there's a one would be correcting and criticizing the process for not being formally specified. But I feel like that's a necessity at this point in order to stop us from being unnecessarily bureaucratic. So yeah, I'll say that. 
And then the chairs, I will also just say that they definitely have the latitude to look at a situation with something like Harbor and say, hey, this assessment process is going on too long and we can't get the right people and whatever else. And we don't think that's the right way to go. So but in my role, I'm just trying to get the people together to do the best assessments we can. And really, I think the end goal of where everyone realizes everyone seems to think we should be in the not too distant future is to really try to have everything have an assessment. So I would definitely agree that we should be looking at projects that are going to graduate and especially things that would have serious security ramifications if there's a problem and probably be weighing in with our thoughts as a group. Sure. Thank you. OK, with that said, then I believe we'll just wrap up the check-ins and then we'll set aside with 10, 15 minutes. Be good, Michael, for the presentation you have in mind or will that be deferred to another time? No, 10 minutes should be fine. Depending on the Q&A that you guys have, I think we should be good. 10, 15 minutes is great. Great. So I'll set a hard stop afterwards or 15 minutes for that and then we can wrap up with any PRs that require check-ins or chair approval. OK, so the only thing I have, I think as an extra update, we have a new member today, Payam. Do you want to take a second to introduce yourself? Sure. Good morning, everyone. My name is Payam. I come from the USB world as well as Enterprise World. I've done a lot of advanced networking and security with an infrastructure and application. And recently I'm the senior SaaS security architect at Infoblox, which is a EDA-based company. Yeah, I'm usually around. So if you guys need anything or have any questions, hit me up. Thank you. Thank you, Payam. And welcome. All right, then. 
Onto presentations, unless there's any topics anyone wants to bring in for check-in, I don't see any written down in the attendance. Hi, Jess. I want very small things, Justin. Go back there. I've agreed to do the TOC diligence for SPIFFE/SPIRE projects, so I'm going to be getting through that starting shortly. I think there's a one minor thing to wrap up in security, but otherwise it's ready for TOC diligence. OK. Thank you, Justin. All right, with that said, ask the mic your way, Michael. All right, cool. Let me share my screen as well. But essentially, let me give you, start a little bit, to talk about Harbor. So Harbor is a registry that's been incubating in CNCF for about a year and a half right now. And it started at VMware and donated to CNCF about 19 months ago. Excuse me. When we look at the Harbor from a high-level standpoint, it is really an artifact repository for all your cloud-native assets. So we enable users to secure their images with role-based access control. We enable users to scan images for vulnerabilities. And then we can sign images as trusted. We use Notary for the signing of the images. And then for the scanning for vulnerabilities, up to the current version of Harbor, we have been shipping with Clair as the built-in batteries included of a vulnerability scanner. But with our previous release, Harbor 1.10, we added an extensible framework to be able to support any pluggable scanner out there. So we started supporting Anchore Enterprise and Engine, as well as Trivy. And with the next release of Harbor that's coming up in April of 2020, we will ship with Trivy as the built-in batteries included vulnerability scanner. When we look at the key areas that Harbor enables, we enable security and compliance, performance, interoperability, to provide our users a consistent image management for Kubernetes. Kind of looking at, and I guess this works better if it's in present mode. Sorry about that, folks. 
When we're looking at why should people run their own registry? We have a few reasons. When you're looking at it from a security and compliance perspective, which is something that's very important to you, we enable them to have a comprehensive policy that can be applied across all the projects and all the images that they have under management. We enable them to have registry and data ownership, because you can install Harbor within your own data center or in the public cloud, but within your own account. And we enable you to have identity federation with built-in multi-tenancy. So you can have multiple federated identities brought into Harbor where Harbor owns the RBAC of the users, but you get to define the identity. So you can bring your LDAP accounts or your Active Directory accounts. Then kind of looking at some of the features that enable this, we have vulnerability scanning, like I mentioned earlier, using today Clair, Anchore, Trivy, DoSec. And really, yesterday, we started talking with Sysdig and the Sysdig vulnerability scanner will be enabled into Harbor within the next few weeks as well. We have the concept of CVE exceptions. We allow a user to define exceptions for CVEs. So for example, a CVE was published yesterday and you haven't been able to patch all your images yet. Should you block your images from being pulled to a Kubernetes cluster? Maybe you want to add an exception that's time-bombed for the next two weeks so it gives you enough time to fix and patch your applications. We do image signing with Notary. We enable you to define quotas so you can control how much storage is being used. We have retention policies so you can expire images that are based on your compliance policy of your organization. And like I mentioned earlier, we have OIDC and LDAP integration using our RBAC and CLI secrets. And the last thing, and this is kind of the multi-tenancy thing, is we allow you to isolate projects where the entire policy is applied on a per-project basis. 
So you can create a project for Pepsi and a project for Coke. Each of them have their own images and the developers and operators of these two projects can operate independently. At the infrastructure side, we allow you to deploy Harbor on an infrastructure whether it's private, public, hosted or edge. We allow you to have data locality so you can own your data and we're both Kubernetes and Docker compliant. At the scalability and control perspective, as a user you wanna have control access, you wanna control the access to your artifacts and you wanna replicate resources based on business needs. So Harbor enables that by allowing you to not only have your artifacts to sit on your own infrastructure, but allows you to replicate to and from Harbor by enabling you to create replication adapters to another Harbor instance, Docker registry, Docker Hub, Huawei Cloud, AWS, Azure, GCP, Alibaba Cloud and we're expanding that list pretty much with every release. So Harbor can plug and play with pretty much any other registry out there and we can push and pull from those registries to basically create what your Harbor environment looks like. And from an automation extensibility standpoint, as a user when you're looking at the registry, you wanna basically install a registry that's plug and play with a lot of the existing investments that you have in infrastructure and services. And some of those things we already talked about, right? The identity federation, that's a big part of that. We have integration with syslog. We have webhooks, so you can do CI/CD integration. We have full REST API that basically has 100% compatibility with all the actions you have in Harbor and we also have robot accounts for automation. This is kind of our architecture slide. You can see some components are Harbor and some of them are not, are basically dependent components. For example, we depend on, we have Postgres as our SQL database. We support block file and object storage. 
We have Redis for our key value storage. We have ChartMuseum for Helm support. However, with Harbor 2.0 that ships next month, we're gonna be full OCI compliant. So you can see ChartMuseum being phased out and OCI is how we're gonna manage all our artifacts. So we'll be able to manage CNAB bundles, OPAs, Helm charts, container images, operators, all of them from Harbor as OCI compliant files. And then we have Notary for signing. The replication providers on the right is what I mentioned and then the scan providers today. This slide was created a few months ago and now we have DoSec and Sysdig will also be added here as well. I don't wanna go too much into the Harbor project overview but we have lots of users, lots of product implementations, lots of contributing organizations. And if you kind of look at this, this is kind of our money slide where over 10,000 GitHub stars or close to 10,000 GitHub stars, 170 contributors, more than 10 maintainers, lots of Twitter followers, lots of blogs and webinars and action happening. And you can see that the project is in healthy state from the number of contributions and that steady stream of contributions over time. The extensibility I mentioned earlier on pluggable scanners, we have a fairly simple API that allows any other company to come in and implement it so that we enable our customers and our users to use a scanner of choice. If someone has made an investment in Aqua or Anchore or any other company, they can plug in their own scanner so they can integrate with the rest of their processes. We're gonna go through the roadmap that way into the interest of time, we have a tremendous number of customers that are using Harbor in production and we have a lot of those testimonials in the document that we have prepared for you. So one last thing I wanna show you is the CNCF survey results that came in 2019. You can see that Harbor is being used almost by a lot of, I believe there were 137 responses. 
Harbor is used almost like 30%, 35% in production by those users. So there's a tremendous customer base within the CNCF ecosystem already. Let me exit this really quickly and I'm gonna go to the... This is the issue that I filed on your repo. So I may have mistakenly this, I put project security lead, I put the security lead from the Harbor project. I'm assuming lead security reviewer, someone from your SIG, but we've created the draft document for this review and we've already done the TOC presentation in November of 2019. But kind of looking here at the document that we prepared for you. This is a document you guys can comment on it or read it. And you can see that I tried to create a good timeline of everything that you might have an interest in. We'll have overview background goals and history of Harbor, intended use cases, we'll have project design, run operations, configuration setup, compliance, then we'll have the security analysis vectors that you guys wanted, our security development practices that we have, roadmap as well as some items in the appendix. In addition to this, and this is reference in a couple of areas, we have the full blown document that we have used in our PR for Harbor graduation that has, it's like a 30 plus page document without pictures. With pictures is a lot bigger that contains the entire due diligence for Harbor. And this is also linked from your document, but this is the, like if you sometimes have linked to this, that includes all sorts of items here. Having said that, Harbor has undergone two security penetration reviews so far. One was in August of 2019 by VMware. So VMware paid and hired two, well, they're on a payroll, but we used two security engineers that basically battle tested Harbor. Then we went and got a CNCF sponsored review by Cure53. They identified about six issues. We fixed them all in the next subsequent review of Harbor. And so undergone two pen tests so far. 
The second one by Cure53 was across 20 days. That's it. Did you guys have any other questions? I'll, I want to stay within my 10 minutes here. I think Michael is very distant. I've got a question about Notary. What types of authentication and encryption are being used with that today? And do you plan on using things like GPG in the future to sign images as well? Or is it just all gonna be Notary? So today's just Notary, but with one of the things that we're looking into, Notary has one big limitation. Like once you sign an image, the URI of the image is embedded into that signature. So the image now is not portable. Or if you port it, then you're losing the ability to enforce the signing. So Notary v2 has requirements, including the ones from Harbor to make the signatures portable. So we haven't really looked into a different solution for signing today, but we're open if you guys have a specific recommendation that might work better for us to investigate it. Yeah, I think from a user perspective, I think what's being asked is looking into GPG signing of the images as well and having that support. Okay. Yeah, so we'll go through and I think it might be a good idea. Cameron, if you have interest, maybe you can join the assessment team. I can. Okay. One other thing I'd like to do is, I think one thing that's slightly off here a little bit on the issue that was opened. So first of all, so if Cameron, if you wanna go ahead and add yourself to the issue, you can just edit the issue at the top and say that you're willing to be, I guess, either an additional security reviewer or a lead security reviewer potentially, although this lead security reviewer folks are people that have done an assessment before. The TOC presentation that we're talking about here is actually the presentation of the completed assessment. So I'm gonna uncheck that box here. Yeah, no problem, Justin. All right. 
And I also, I'd be happy to be a security reviewer for the project, but the harder part has been recently getting someone who's able to lead. Is someone else on the call here has participated in this assessment and willing to do so? So I put my name there. I participated on a recent assessment, but not as a reviewer, but as the author of the assessment of the self-assessment. I can be part of the reviewer process. This is how I want to end here. Okay. So everyone I think should feel free to go in and add themselves here. Do you all have access or am I the only one who can edit this? I think everyone should be able to go in and edit this. Yeah, I was able to edit it and I'm assuming everybody should. Maybe it's just mine that hasn't. I will take a look. Okay, but what we'll do is we should all go through and edit this and add in ourselves if we're willing to be reviewers and then we'll have to go and see who's technically allowed. We have in the past had situations where we've kind of loosened it a little bit. So we'll have to discuss with the chairs and others and see what makes sense, like who's technically qualified and who isn't. But we should be able to hopefully get the team together fairly soon. And then once that happens, then the rest of the process should go fairly quickly. Especially given that you've provided a lot of information and it'll obviously take us a while to look through it and make sure that it's like, we're not missing something important, but in general, the place that's taken the longest time has been the organization doing the initial assessment in a reasonable way. Or at least that's been one of the biggest blockers. So the fact that you've already taken a good stab at it probably will make this process a lot faster. Yeah, sounds good. That's reasonable to me. And by the way, on the GPG signing, I want to add one more thing. 
We're a CNCF project and one of the key principles of CNCF is that if there is a CNCF project out there that potentially you can manage and build better synergies with, it's preferred. So with Notary being another CNCF project that's basically part of the reason why we chose that as a project for doing our signatures, but we were looking to GPG as well. The last thing and there's something I forgot to mention earlier, in addition to the security reviews you had with the pen testing, we also have a pretty well-defined security policy from Harbor that other projects have emulated as well and that's been battle tested we've issued like six or seven advisories already. We have a distributor's list. We have a good way for security researchers to find vulnerabilities and contact us and a few of them have used it already. So we've kind of ironed out that process months ago and it's been working very well for us. I don't know how important it is to you guys, but that's working very well. Great. So I want to call out everyone's been helpful and sort of piling on to enabling process and clarifying and making sure that the learning from Michael in facilitating the security assessment are well-documented and efficient. There's only one I call out, beyond the security assessment is that Harbor is in the process of graduating and Michael correct me if I'm wrong, you've already received due diligence from SIG Storage and SIG Runtime. Yeah, absolutely. So SIG Runtime gave a thumbs up for graduation. SIG Storage, everything was okay except one item and I'll explain it here. It probably doesn't affect you guys. Harbor has many components and if you saw in our architecture diagram, two of them was a Helm chart as well as the, sorry, two of them were Postgres database as well as the Redis. When we deploy Harbor out of the box using our Helm chart, we install a single instance of Redis and a single instance of Postgres. 
And the reason why we don't install them as HAs because there's lots of Helm charts out there available if you wanted to install it yourself either using the Redis operator or a Redis Helm chart and install it in an HA, we didn't feel like it was worthwhile for us to duplicate that investment. SIG Storage, some members felt that that was a blocker to them and some members said that's exactly how you should proceed. Batteries included a single instance but there are readily available Helm charts for doing an HA deployment. So SIG Storage did not give a recommendation for graduation because of that, they said up to the TOC to figure out if this is a blocker or not. But ultimately everything else was good storage except this one point. You got it. So the thing I want to clarify is that due diligence, those processes still largely ad hoc. SIG Security is one of the, we were the sort of original guinea pig of the SIG process. We've been around for the longest and have our own internal processes that we're formalizing and since we've been guinea pigging for so long, we do tend to reflect back into, all right, we're improving the process as we go along and inviting folks to participate in that. So as we kick this off, kick off the assessment, I think it'd be worthwhile for Michael and Justin and I'll invite Sarah if she's well enough to participate to just have a quick breakout meeting to level set on due diligence, manage expectations around the security assessment, length of time on that. And then subsequent to the assessment, we're gonna have an additional step as chairs to move forward or not on our due diligence and our recommendation to the TOC. Sounds good. Justin, I'll ping you offline. That way as you guys finalize the list of reviewers and reviewer helpers, then we can figure out next steps. Maybe we can create a small working group on Slack. 
Sure, yeah, and I will also say that we won't be, like we certainly out of the assessment wouldn't make a real negative recommendation for lacking something like we're choosing, signature algorithm X over CNCF project Y unless there's some major security reason to make that change. So we're not, it sounds like maybe some of the process you've seen other places where that's not our goal here. Our goal is really to just do a security threat assessment and to be as neutral about it as we can. Yeah, absolutely. And by the way, we like the process that we went through with you guys a lot as well because as I was going through the checklist and trying to think about this from a security standpoint, we didn't identify a CVE in Harbor by going through it. So, and we're using it. I didn't call it out in the document to see if you guys see it as well. This is more of a catch the bug type of thing. I'm just kidding. We'll talk about it when we actually meet, but I'll tell you what we identified and how, but when you read my document, you will see it and you will ask and then I'll tell you, yes, we're fixing this and it'll be there in two weeks. Great. Nice. Okay. Thank you, Michael. All right, just going in here. We do not have any issues or PRs for discussion or any noted as requiring chair approval. Are there any PRs that anyone would like to bring up at this time? Okay, great. I'll get it. Oh, I sorry. So, before we get to Dan, I just really quickly say I just reposted the link to the issue here for anyone who had volunteered or was potentially interested in being a security reviewer. Please go and edit the area at the top and add your name and you'll see my name there. That's all. Is it constructive or okay if someone just added on just as say an observer, just engage in the discussions and see how it's done so they could maybe contribute to this one? Yeah, that's perfectly fine. Okay, thank you. Sorry, Justin, where are we going? Where do I add my name, for example? 
Oh, into the document? Search for my name where it says one more additional reviewers, one or more additional reviewers, which is near the top. Justin, are you gonna be the lead security reviewer because for you, I will probably put your name up on the previous item as the lead security review, right? And then everybody else would add themselves as additional. Well, one of the potential problems with that is we kind of need to get more people to do that and I've done that before, so we're trying to rotate that role out too. If push comes to shove, things may have to happen, but ideally we would have someone else play that role. Got it. I don't have permissions to edit that. Yeah, I think that's the problem. So please go ahead and just add comments underneath. If you have comments underneath, then go ahead and do that and then I will add you. Awesome, thank you. And then the one thing that's there is, there's that sign off by two chairs on reviewer conflicts. I'm assuming none of you guys, whoever decides to do the review does not have a conflict with Harbor or VMware, right? Yeah, what will happen is, is that we all have to post a little statement in, basically saying we don't and then... Ah, okay, got it, got it. So it'll just be, you'll see a bunch of comments underneath there that say, no, you don't have any of these kind of conflicts. Got it, got it. Okay, I guess back to you, Dan. I have a question. I think we're going into Zoom limbo, can you hear me? Yep, your audio is coming through. Okay. So as we're going into the next month or so, this morning with Liz and Justin Cormack, our TOC liaison, we had a couple of items for feedback to the TOC, specifically, we're looking for, we're talking about Harbor as graduating. Earlier in the ingest process, we have projects coming in at Sandbox or incubating. 
So we're looking for more clarity on how we direct folks coming in, whether we encourage folks to start with just Sandbox and not push ahead, to incubating, or when it is appropriate for a new project coming into CNCF to peg in. A lot of that at work is getting put onto the things now. We're happy to do that, but we need guidance and we're particularly interested in looking for a robust, no, like how do we rapidly get folks to a decision point. As I'm looking at April, we're talking about potentially having a theme and might end up with all the craziness of coronavirus and COVID-19 fun. It might be more reasonable to peg it into May, but going through a thematic set of meetings where we're inviting projects CNCF and not around identity and really shipping from having ad hoc projects come and present as it rises to, in a particular period, we're diving deep on a topic and coalescing some of our context and information around that. So considering identity, if you, for that, I think we're going to be able to do that. For that initial wave and if you have any suggestions for projects or folks that you'd like to hear from, very interested in getting feedback on that. I'll create an issue around it. Okay, thank you, Dan. So it doesn't appear that there's any PRs beyond for discussion or anything requiring chair approval. So at this point, let's just open the floor. If anyone has any questions or wants to address people on the call, now's your chance. So follow this is Underwood, following up on Dan's solicitation there. So do we have an official liaison with distributed identity foundation? No, we don't. So Sarah's also been engaged in Boston and had plugged into that, but we definitely do not have someone on the inside of security that is interested in engaging there. 
There's a bit of a, you know, interesting sort of philosophical journey that I expect there where, you know, a lot of the larger sort of corporate, you know, side of things are less interesting. So, you know, finding sponsorship, you know, from a major corporation that is going to enable that is, you know, maybe not going to happen. So, you know, if you find somebody that's interested in and joining and participating, I'd love to, you know, to have, you know, more engagement and a counterbalance to, you know, our large corporate members. Got it. So I'll put this in the notes so that our note taker doesn't have to fill this out. So I only attended one meeting, but it's a Microsoft guy leading it. And he's extremely disciplined, almost to the brink of hostility to managing the time when they meet for an hour. They get a lot done in an hour. It is kind of blockchain centric, but they're holding that implementation design stuff at bay at this point, then trying to work on a spec, which I think is going to be fruitful at some point. The NIST people are interested in this from a federation point of view. So I mentioned the liaison thing to them, which basically just meant they put it in the notes. That somebody thought that might be a good idea. Nothing official was set up, but, you know, I think it looks like this would be one of the useful things. And not because of who they are, but because of the people that are running the show. So I'll put in the notes. Great. Thank you, Mark. Yeah, I put a note for you to do that, Mark. Thank you for that. I'm curious. Do you consider like I'm, I'm from VMware. And if I joined at the Harbor assessment, do you consider this is a conflict because Harbor is like, not a VMware project with the CNCF project? I don't know. Just curious. So we expect out the conflicts of our bag. It's in the security reviewer under the assessment guide. 
I think it's specified that that's a soft conflict. I believe that basically you just have to say that you're from VMware, but you don't directly work on the project and you would still be able to do the review. Thank you. Yeah. I believe the only blocker that a soft conflict is, is that you can't be a lead reviewer. It's my understanding. Yep. I think that's right. So is that a common criteria soft versus hard conflicts, hard conflicts, it's a no go versus soft just has to be noted or documented in events. Yeah. So, so we defined this in the, the assessment guide. I'm going to paste a link in. Thinking through it. So basically, I think we defined that hard conflicts. You can't be a lead reviewer, but soft conflicts, you can be a regular reviewer. Sorry for. Sorry, sorry, sorry. Okay. How complex you can be review or soft conflicts you can be a lead, you, you can't be a lead review. But you can be a regular versus lead reviewer on a soft conflict. Yes. Yeah. All right. We still have four or five minutes before hard stop. Are there any other topics anyone wants to raise? Okay. Thanks everyone for joining today. Stay healthy and have a great day. Thank you all. Thank you. Thank you for allowing us to come and talk to you guys. Have a great day. Good to have you. Okay. Thank you. Very interesting. Thanks everybody.