 Hello. I made it. Hello. Oh, you said you're going to be late. Well, it's, if everything is perfect, I get here. But I'm at the library. So if the room hadn't been open, then I wouldn't. So. Yeah. So Jonathan can't make his day. He's run off his feet with his new job. But he said he can do the 22nd. Right. So I think there's been some interesting stuff on this black channel that maybe. People can talk about. I'll use the. I didn't set up the notes ahead of time. I can do that. I just have to be a little quiet so I can scribe if you can. Do check-ins and call for agenda meeting agenda making. Happy new year. Yeah. I think we had a good relaxing time. I just put the notes in the slack in the chat. So there was a new proposed. Check-in format. I don't know if you saw that. You work chicken. While people are arriving, maybe we could, I will share. Maybe before check-ins. We could have a little chat about this. What do you think, Justin? Yeah, we could do that. Yeah, I think we did that. We kind of did that last time, didn't we? We got people to always at least tried to try to do that where we got people to add themselves to the check-in list if they want to be on it. So we didn't go through everyone. So I think at the bottom, there's like a specific suggestion here from Andy Raptet from Martin. We should also have project leads introduce themselves. Should we put new second? It's kind of. Yeah. Yeah, should be then separate. Sorry, I was just going to go on. I was going to say, should we separate the attendance? Or do you want to just do that on the fly? Sorry, I don't quite follow. Okay, Justin, you want to talk this over? And I just have to be a little quiet because I'm in the library. So last time I got yelled at by speaking too loudly, even though I'm in a room, apparently sound carried. So you want to talk to, you know, just talk this over and talk about how you might do it. And then. Yeah, so I think if we, yeah, and I think if we ask people to. Yeah, so any. 
Are we, are we kind of quarrel now? Let me just, are we reasonable? Yeah, okay. So, um, yeah, so, so, yeah, so rather than going through everybody, asking them in turn, if they've got updates, we're just going to go through the categories of. Um, asking people who are new to the group and had to introduce themselves and people who have specific updates. If you could, um, first of all, please, everyone who's here, please put your name down on the attendance list at the top of the meeting notes. The meeting notes are in the, um, in the chat or in the, um, I'll just make sure they're in the, um, in the Slack channel as well. Um, so, yeah, so first of all, please put your name down in the attendance list if you're, if you're here. Um, and please also, um, if you want to, if you're new and wants to an intro or if you've got specific updates, please, um, indicate next to your name that you've got an update or either update on you. Um, so just to introduce myself, I'm Justin Cormack. I'm facilitating this meeting. Um, I work in security at Docker and I'm a military project maintainer. Um, I don't have any other specific updates except to say that Jonathan Meadows was going to speak today, but unfortunately due to having a new job, he can't, but he will be rescheduling to talk on the 22nd about the, um, security training for keeping those of his work that he did, um, last year and which has been open source. And so it's going to introduce us to that. So, um, please come on on 22nd if you were hoping to get that today and you didn't. Um, um, Boleslaw, if you're new, you say you're new. You'd like to introduce yourself. Sure. Can you hear me? Yeah. I'm not sure if you can see me. That's all right. Uh, yeah. I'm black. I work at Red Hat. Uh, so while I was actually the guy, uh, coming with the Keycloak proposal to go into sandbox, which I guess it's a bit of a hold right now. But anyway, I'm, uh, because I'm my field is security within Red Hat middleware group. 
I want to engage, uh, anyway in this, in this SIG. So happy to be here. I managed to met some of you, uh, at the, uh, uh, KubeCon, uh, San Diego. It was awesome. Thanks. Excellent. Thank you. Yes. Um, what is actually the status of the Keycloak proposal? Status is because we didn't have, uh, the Keycloak proposal. Uh, uh, the PR was closed. Uh, it was kind of like driving. I do want to reapproach it again. Uh, I like to show that we, we address some of the feedback. But in any case, by the rules of the process. You need to have to assume to be free to see sponsor members. So, uh, you need to be, uh, finishing the duty end of January and there will be new elections soon. So I also think it's not the best moment to open it up. So I'll probably re-approach it February or March again. Okay. Yeah. Is there anyone else who's new? There's no one else who's marked themselves as new, but anyone else new who is here? Okay. Um, so, Sarah, you want to talk about US election security? So just a little update, which might be interesting to the group. I've been learning about US election security because I have a, I live in the US and vote and I'm a little concerned about, um, the fact that we don't have a process for that. Um, so there have, uh, I posted in the Slack channel, there was a hearing in November. Um, that I thought was pretty interesting. Um, there's a upcoming hearing tomorrow at I think 10 a.m. Eastern, um, which I'm planning to watch. Uh, so, and I'm curious if anyone happens to know how election security happens in other countries. Cause when I worked for the US government doing, um, digital innovation, we learned a lot from the UK and other countries who were doing stuff online and open source. So if anybody lives in another country and happens to know about this, um, I'm curious. So I'm mostly learning about this as a citizen. 
Um, but also, you know, I think voices are who are smart and knowledgeable seem to be few informant between in this area, which is frightening. Um, the UK doesn't do any electronic voting at all. We'll have manual counting still. Um, you could learn from this. Um, but, um, I actually did have a conversation by Indian voting where they're going to do some trials soon. And I know it's some people who are going to be building voting machines for the trials and I will find out more soon. And I can put you in touch with them. Oh, that'd be really interesting. I think we might be going back to paper at the recommendation is to go back to paper ballots with optical, um, um, recognition and then, um, manual checks. But the key thing is to have an artifact that's human readable by the voter. It seems. Yeah. I mean, the UK, we don't even do obstacle reading. It's all done by humans. Um, which is and, um, but, um, yeah, it's a, it's a, I think there's a lot of other country. I don't know if anyone has experience with other countries. I think there's a lot of other countries that I know. Yeah. It's a little challenging in the U S because like voting is a, um, state's rights thing, right? Like states have their own governments and it's sort of more like the EU structurally from a government structure perspective, right? Except that it happened so long ago. We feel like we're one country, but we're not legally. So it's a little complicated, but if anybody's interested in it, even just like learning about it, I'm learning about it and, um, just I'll, I'll post things when I learn about them. So just thought it might be of interest to the group. Oh, and then, um, it was kind of a long time open, but the intake process for security assessments PR got merged. So we have a formal, um, like kind of blessed guidelines about priority of, um, security assessments, but mostly things are, um, you know, kind of like the process itself of writing the self-assessment. 
It seems to be queuing things up gradually. So I'll add a link to that when there's a break in the note taking or anybody feel free to chime in. I think we are, we don't have a second note taker. So we'd love some help on the note taking. Um, if no one else has any comments on voting, um, um, Emily and Michael, you both said you want to talk about security day and other things. So maybe you could want to both talk about security day first. Oh, um, I'll talk about security day. Yeah. We can just kind of gather us together. Um, so we had a meeting yesterday. So we're starting off, kicking off weekly calls of the team leads and the SIG security assessments. And then we're going to be talking to the chair, JJ who's, um, who's working on it. And really all that we're trying to do right now is we're trying to get the CFP opened up. So we're working with the CNCF on that. Uh, and then the other thing is, uh, getting the website updated with content. Uh, one big question that we have, we have a lot of feedback from the retro, especially around format. Uh, and we need to, you know, we need to get the CFP updated. Um, because the space allocated to the program or to the event really will drive what we can do from a program perspective. So hopefully within the next couple of weeks, we can get that figured out, but the goal is to get the CFP kind of drafted and ready to go by next Tuesday. And then get the changes that we need to the website. Um, drafted and ready to go by hopefully next Tuesday. And then hopefully getting both of those published, uh, and out there. And then we can have a few of those, and we can get the CFP updated. Uh, so we can get the CFP to provide to the issue of the SIG security issue around this day and volunteer to help both in helping to organize the events and also reviewing. Um, reviewing the CFPs as well, uh, once, once we get those in. So thank you to the entire security group. Uh, most people who volunteer. 
And this is for Amsterdam or Selangor day? Yes. This is for Amsterdam. Yes. board. So you all can follow along as we work through our planning and for those of you that volunteered to help out with the organizational planning of it. Stay tuned, we will be working through what our schedule looks like and all the things that have to happen, okay? Yeah, and once we kind of figure out what are the dangling things that are left open, we can then better then start to see how much work we actually have to start pulling in additional volunteers. I know a lot of people volunteered to help, so thank you very much. Can we can we get a link to this this issue in the dock please? But Michael you also want to talk about Falco? Yes, the other thing was we've officially announced and some of you might have already seen it on the TLC mailing list and I'll let Chris chime in if she has anything else. Falco is officially in as part of the CNCF at the incubation level, so thank you for everyone who supported that and it's a very exciting time for the project and we're very excited for it. I'll just piggyback on that and say that from the security perspective, we kicked off the Falco assessment process this week, so I'm looking forward to getting that done. Cool. Chris, did you have anything to say about Falco? I think just echoing Ducey's sentiment here, just a lot of gratitude for everyone. We have a lot of work ahead of us for the project, just getting it to a healthy state. So if folks want to get involved, we're doing everything we can to make the process as open and it holds them as possible, so we love contributions from everyone here. What sort of contributions in particular are you looking for? I mean everything from helping out with the build infrastructure to writing software to just generally mangling things. 
One of the things we're working on right now is moving over to the CNCF Slack and we just need somebody to kind of help create some structure here and make this happen. So we do weekly calls every Wednesday morning and we would invite everyone here to come and join and just be involved. Yeah, and also one of the things that we're looking at is a lot of work around APIs and adding a lot of APIs into Falco and so if that's something that you have expertise in that would be another great thing to help out. Cool, thanks. Emily wants to talk about supply chain? Yeah, so there is an open PR to update the supply chain index and catalog and definitions. I'm working through that ticket right now, but I did want to highlight for everybody that the SIG security supply chain repo was actually called out in a medium article. I dropped that into the Slack channel, so that was a really big deal. Somebody is paying attention to some of the stuff that we're doing. So if anybody has questions, Santiago is kind of leading that effort, but there is a lot of things that are going on in supply chain. More people are paying attention to it, so I think in general we need help adding more events to that repository so people know what's going on, but also definitions of supply chain attack types. Those need to be fully flushed out. What's there is just an initial cut, so that's it. There was a conversation I saw about making it easier to kind of manage kind of sub-projects because it's in the main repo and we were being a bit not very good at merging things. I don't know what the whether there was any thoughts about how we should manage that. I was actually thinking that it would be great to make it. 
Once something is a sub-directory, we could say that that sub-directory has the owner and Brendan actually has a PR proposal out for making software support of that, but we already have that philosophically with the security assessments folder, and so that would just require adding something to governance that says that ongoing projects that have a sub-directory can with two-thirds chair approval or something, then be blessed. Santiago said he'd be happy to play that role on an ongoing basis to merge things or whatever. Emily, I don't know whether you want to participate in that, but we need a little tiny bit of process written up in my dreams that would be written up in a way that wasn't specific to the supply chain proposal so we could just do this whenever it seems fitting. That makes sense. Yeah, I think that would make life much easier for things that are, sorry, we don't bottleneck things. Does anybody feel inspired to write that up? I think if somebody put in a ticket to update that work because there is another, the roles and assessments guide for lead security reviewer and the dumb question phase also needs to be updated, so that's just general documentation updates. So if somebody were to submit a ticket for it, at least if we have some cycles, we can go ahead and update the documentation based off of the ticket. I'm happy to write one up specifically about ongoing projects. I don't know exactly what the, I'm not surprised. The documentation needs to be updated on security review rules, but I don't know the details there. So basically I'll volunteer to write a ticket that's specifically about project subfolder maintenance. Okay. And then maybe you could just file a ticket for the other thing. Yep. So just on the other thing, you mentioned the dumb question section of the security assessment lead. 
Since I'll be going through that with Falco, if there's particular information you wanted updated, assign that issue to me and I'll use myself as the guinea pig for that first rev of updates. That would be awesome. I don't know if I was busy doing the previous thing. What? Someone mentioned that there needs to be some clarity or some additions to the dumb question section of the security lead documentation. Okay. I'll write an action over that. That's literally where we're about to be for Falco. I'll volunteer to capture what we learn and put that in the documentation. Super, super. Really quick. Just a note on being inclusive and making sure that the SIG is catering to all. Is dumb the best word to use here? Definitely. Well, actually, it is, I would welcome another proposal. The idea is, this is, we don't know what your project is. You are describing it to us. So we are going to intentionally ask all of the questions that we think the rest of the reviewers will have. So it is a, you know, somebody wants to volunteer what that should be, but the whole goal of it is we are not asking security questions yet. We are asking clarifications. So, you know, could I suggest the word oblivious here? Or clarifying question. So why don't, yes. So Robert, why don't you take the ticket and we can argue about wording on the ticket. I mean, brainstorm wording on the ticket. I would love the idea to do something that Chris, I think you're, you're, you're objecting to the kind of the ADA connotation of dumb. Yeah. Just having some friends who are a little bit sensitive to that word. And I just think that we could, we could be a little more strategic about what our phrasing here. So, okay. Thank you, Michael. So the concern is that it's synonymous with not being able to speak, not that it is connoting lack of intelligence. Absolutely. Thank you. Just to go back in a couple of overlapping topics about the security day and the supply chain. 
And then I think there was some discussion a couple of sessions ago before the holiday break about doing kind of a red blue team exercise. So not sure if anyone's interested in kind of merging those three things together. So kind of a red, red blue supply chain attack exercise security day, but that would be something I'd be interested in, in making happen. Yeah, we're totally open to that. I think the only problem is space and room, and we got to get confirmation from the CNCF of how much room we have to figure out what we can actually do content-wise. Would the thing to do there be to submit a proposal in the CFP? Or is it it's going to be something that's done separately from that? I think it wouldn't hurt, and Emily, please chime in. I think it wouldn't hurt to submit it via the CFP. That way we at least have all the material there and we can show it to the CNCF as what we want to do and have all of the kind of abstract and what the content's going to look like. And then we can work with them to see if they can get a space or not. Yeah, so we would like it to go through the CFP. I think that there is a potential because there have been a few people mention like a capture the flag activity or something to that effect. And if we get multiple submissions for it, it should still be subject to like which one is the most robust or most relevant and go through the same kind of review process, but it is still like Microsoft contingent upon space availability. So having it go through the CFP provides that standard framework for evaluation against everybody of like submissions. Who is our point of contact at the CNCF for this? That's me. Sorry, just coming in off of mute. We're actually getting rolling on this one next week, which is why we're kind of in the space of like, no, we will work on this next week. We've got Megan Lean on our end as well. We'll be working on this. I mean, who at the CNCF like, are we working directly with any CNCF employees? Hi, this is Amy. 
Good to see you all. Oh, hey, Amy. Okay, that clarifies it for me. Thanks. Sorry. So I'd say if there were if there were overlapping proposals for that same kind of idea, whether capture the flag or red blue exercise, I'd love to merge that in and just make the best of all proposals and consolidate that into one. It doesn't have to be my idea, for example. Yeah. Like I said, we're totally open to it. We got to figure out space. We got to figure out what the content we have available, and then we're more than willing to see if we can pull it off. So it's not a no. It's a we don't know, I guess. We everyone likes the idea though. Yep, got it. So I just it's a meta CFP for anyone else who was thinking about it just either add on the Google doc or slack me and I'm happy to add support to your existing idea or you can collaborate and merge a bunch of ideas together and then submit a single CFP, whichever works for anyone interested. Thanks, Robert. New people. I missed Alexander Peters. Maybe you haven't. So would you like to say introduce yourself? Yeah, sorry. I was a bit late, so I couldn't join from the beginning. Hello. Yeah, I'm go back and engineer and I work on some admission control at the moment and also work with K rails a bit. And so that that's why I found this special interest group. And I mean, I've been working with Kubernetes for some years now, but it's not that I got so involved deeply. So that's why I joined today. And I'm interested to learn a bit more and contribute more in the future. So thanks a lot. Thank you. Robert tonic is much as new on one of us, but not on the other one. I thought probably you had introduced yourself before, but maybe I'm No, I hadn't yet. Oh, okay. Okay. Yeah. So I am a security engineer at Trail of Bits. I worked on the Kubernetes and Roku suspense. I had met, I believe Sarah at KubeCon just passing and she mentioned that I should probably hop in and see what's going on. So figured out go ahead and do that. Okay. 
Are you working on any of other security assessments per CNCF at all? Okay. That being said, I don't know if that will change in the future. I'm not really sure as far as well. There was some conversation, there was some discussion about the Kubernetes is one becoming an ongoing or kind of periodic thing just because it's such a large thing. I don't know that I'm not involved in those processes. So that would be my manager. Right. Well, welcome anyway. Thank you. Have we got anyone else who hasn't done an update who would like to look like Mark Underwood? Okay. Yes, Mark. Yes. Yes, big data. Mark is okay. Mark is read only. So the nature in the document, but there's going to be a June workshop in Washington DC which people will be invited to. Okay. And anyone from the other active project leads? Who's here? Policy? Where can we find details on this workshop in DC? He says we will be invited. So I think hopefully that's them. Let's just take a note and let's follow up. Sorry, he says he's read only in this meeting. So maybe we could put an action for Mark to follow up with details. And the agenda and we can follow up next week. Have we got anyone else from any of the other working groups? Eric is on. Yeah, I don't have any particular updates since we haven't met yet for the new year. Are you having a meeting this afternoon for people who are maybe new to the team? Yes. We are having the meeting at, let's see what time would that be, in three hours or so? I believe it's 3pm Pacific time. And we now have it in the README. We have an update to the README where we have ongoing projects. So we have the policy team. This is actually 4pm Pacific. Does it? Yeah, I think we, it's very confusing because of daylight savings. I think we should just pin on UTC. I agree. I have it is three o'clock Pacific on my calendar. Yeah. Let's could you go quick PR and that's what I will do right now. Thank you. 
From the cloud custodian discussion at Erica, are we going to tackle that's put you on the spot, but whether you were going to leave cloud custodian or? Yeah, I am up for it. I have still even looking, I haven't like gotten going on that really. But if you all will have me, I would be honored. Well, sorry, what is that? The cloud custodian project is for undergoing the security review for its inception into the CNCF. Is that correct? So it's not, it doesn't block inception, but we want to kick off us. We want to queue up the security review because that'll feed into the process. So they were going to do a self assessment and then we're going to assemble a security review team. So I think there's an issue for that. If somebody could let me dig it up unless somebody has a handy. Yeah. And my recollection is before the break, several folks, myself included volunteered to participate, but no one could, none of us have the time to be lead on cloud custodian. Though I assured Erica that I would certainly help as I go through the Falco lead process, I will dump all the knowledge, capture her way and help her through that process. But I think we were the, the, the gap was that no one had raised their hand as lead and Erica valiantly said that she would, she would consider that. I might be able to lead that. Essentially. That would, yeah. I think we want to have somebody on the team. I mean, Robert will have, there'll be continuity from other things, from other, we need to make sure we have the continuity on the process. So Erica would be great to have the policy, somebody who's actively involved in the policy subgroup involved. So yeah, Justin, maybe you and Erica can chat offline and figure that out. I linked to the issue in the chat. Okay. I just found it too and stuck it. And, Robert, could you link to the, wasn't there the process part for this that got merged or part of it? There's an outline in the documentation about the duty lead. Yes. I will bring it up. 
Broken link. I can fix that. So this has the like details on the security reviewer and then the process, which, you know, we're still in our first five assessments where every time we do assessment, we update the process a little bit, but we're getting two very detailed refinements, which is so exciting. So this is the overall outline. Cloud custodian might be unique in that not only is it raising its hands for an assessment, but I think the idea is that it's also kind of looking for a home, whereas, you know, OPA and others and Falco already have a long-term home. Cloud custodian might need policy workgroup to, for lack of a better word, own it going forward. So that's just another orthogonal to assessment, but just a topic. What do you mean by own it exactly? Well, that's a good question. There's folks from the custodian team on, they can probably speak to that, but my, from a couple of weeks ago when we had a session policy workgroup call, I think that's what the ask was, is that they've been maintaining the project, but they'd love to home it somewhere. So just to add some clarity, a high skill from the Cloud custodian project, we are looking to incubate within CNCF is what our goal is around the assessment process itself. Okay. And that we put as a prerequisite as part of the new incubation sandbox process was to go through the SIG security assessment is my understanding. Okay, maybe I got some wise cross. Yeah, I think that the, there is this sense that each of the SIGs like has a set of projects that are like kind of under their domain, right? And so all of the security and policy focused projects are sort of like under our umbrella as SIG security where we pay special attention to them. And yet we want to make sure that each of the projects has its own team that is active, kind of independent of the rotating leadership of the SIG. So I think that that's kind of consistent with what's going on with, you know, other projects. 
And I think part of the exciting thing that I've heard that Cloud custodian is going through is being like primarily single vendor supported to being much more of a like moving to CNCF is much more of a multi-vendor thing, which I think it sounds like it's been happening, right? And now it's more of a decision to bless that. Is that a good description of it, Capital? I would say that, you know, we are already multi-vendor per se. We have been for a while. I think the, I think it's more that we've grown past the original sponsorship of custodian was by Capital One and they're no longer an active maintainer. They don't have any active maintainers currently. So we're looking to say what's a good sort of home for the project long term for it to continue to grow. You know, we're up to like 230 contributors. We have multiple cloud providers contributing code. And so it's trying to find a good neutral home for increased collaboration and community. Super. I think I'm in a quiet enough space that I can share an update on the GSE meeting from yesterday that fits in. Yep. Yeah, go on. So I shared our update yesterday. You know, drove into assessments, shared out the definitions that we're working in the, oh dear, what is it? The supply chain security. Supply chain, not offline attacks. Supply chain attacks. And, you know, got some, you know, good feedback. You know, the text around kind of the annual cycles around reviewing projects. It was a bit unclear. So we got some feedback on that. We'll clarify that. And also, you know, those parts of, you know, our workflows are really sort of future looking, right? We're refining in the, you know, phase three and four. And, you know, that, how that really fits in, you know, next year and beyond, you know, kind of need next year and beyond. But, you know, our definition of how we'll pick that up, you know, looks like it needs a little bit of feedback we had because of some time on discussion around that. 
Then, you know, kind of the backdrop to that is today there are, you know, quite a number of new SIGs, right? We kind of went through this process when we went from being a working group to a SIG of, oh my goodness, like, like we should be doing as few as possible SIGs. And, you know, now we're kind of on the other end of the spectrum where there's definitely a proliferation of SIGs and, you know, the beginnings of, you know, a bit of a pushback from projects where, you know, now that there are so many SIGs, you know, finding that home and having to go around and, you know, figure out where you belong is a bit cumbersome. So, you know, it's a nice ask to begin to, you know, explore how we improve that process and streamline that, you know, find the right balance between, you know, delegating and, you know, supporting the groups that are coming in without the context of, you know, knowing how everything is operating where they should go. Then, what else? Oh, the community group, you know, near and dear to my heart, the Kubernetes terrorist who leads the Kubernetes community, I believe, has a proposal basically to do a broader community initiative inside the CNCS and kick off a SIG there. I was a part of creating the community committee inside of the Node.js Foundation, so that's something near and dear to my heart, so I'm really happy to see, you know, the end-user, you know, really get added to the matrix of the, you know, groups that we're serving. Happy to answer questions. I also linked the slides from yesterday's meeting to the meeting notes. Yeah, it's mostly a SIG discussion yesterday. Yeah, so, yeah, because there was a discussion about how, about this kind of loose loose affiliation of projects to SIGs, they were some discussion about some projects fitting in multiple places and having to be, having to be shared. Right. I don't think we have a kind of official list of which projects we consider we own. Yes, we do. Oh, do we? We absolutely have that. 
So the projects, the initiative started, the SIG initiative started out with Quinton and Alexis looking at all the CNCF projects and dividing them into areas. And then with the concept that every project would be kind of slotted in to one and only one SIG, even though that there is overlap, there would be ownership by one. That was the initial concept, so that the SIGs would span the full space of cloud native. And that's in the TOC we put somewhere. And so we have, I set a list of projects that are like our projects. And those are the projects that like, when the security assessment thing, we talk about security providers versus projects that, of course, every project should have, almost every project, except like a project that is purely like a library that's used in the context of another service or something, should have some security concerns. And then other things like, it's like, well, is that storage or runtime when it does a little of both. But the original concept was that everything would be owned by one and only one SIG. But then, of course, other SIGs would participate and we coordinate. And then as the, this has all evolved, you know, and then there's been rotations off of the TOC, there's, now it's an open question of like, well, that was the original concept. Is that how it's playing out? Is that really how what we want to do? And there's redundancy in, from my perspective, and what's some of the process stuff that's happening across SIGs. But the TOC is sort of reluctant to tell, to be too top down about how the SIG should run themselves, because we do kind of different things and, you know, want to have too much like, there's like, we want there to be like oversight without slow down. And how do we do that? Because the TOC has been a bottleneck for a lot of things and they're sensitive to that, which is great that they're sensitive to that. 
Yet there's a lot of new SIGs that are, that where individuals were recruited to lead a SIG, and they're like, okay, what do I do? And, you know, we're hearing crickets on that. So it's just, I think there's a little discussion about what is the role of the SIG versus the TOC? What's the delegation? You know, what, you know, what are the checks and balances with oversight? How do we communicate? And there's an openness to maybe that first list isn't the be all and end all. And so, so I think that that's just an ongoing discovery as these SIGs get stood up. But I think right now, the number of SIGs is fewer than that initial list. I think the one on that initial list that isn't a SIG yet is observability, where they're looking for people to lead that SIG. Because it's felt that that's important. Yet there isn't a SIG around that yet. But some of the other SIGs are like, well, we have this really giant space that's been handed to us. Could we decide a narrower space? And so that's, and then okay, what happens to everything outside that space if the leaders decide on a narrower space? Do we recruit newly like, you know, how is that? How do we divide up the space, right? And handle new projects coming in and sorting them and making it so that everybody isn't doing everything. And things are logically spread out across people for efficiency. So that's kind of what's going on. But the good news is, Amy has just set up like a, now we have a Slack channel for the SIG chairs to talk to each other and the TOC. And we had a nice meeting at KubeCon in San Diego where the SIG chairs got together and kind of like shared what we're doing. And we've decided we're going to do that every KubeCon. So this is I think a positive sign, right, that we're talking amongst ourselves and sharing what we're doing. 
And the storage SIG is coming up with like a due diligence process that they're kind of working on where one of the things that, you know, like we may not do, depending on the speed at which new projects come in, we may not want like have the bandwidth to do a full security assessment for each project. And so there's a smaller due diligence phase potentially, right? So maybe like some of the things we've batted around is maybe we require a self assessment and we fill out some kind of due diligence template, right? Which includes things that are not directly related to the security of the project, but might be more related to stuff that we don't typically weigh in on, which is like how Native is it? How useful is it? How needed is it by the community, right? Do we do that? Does the TOC do that? There is some kind of vetting of the needfulness of this project, which happens in some, you know, kind of informal mysterious way right now. So yeah, I think it would, I think it would definitely make sense for us to at least collect some opinions on needfulness and present them as a coherent thing to the CNC ever other than them having to, you know, in a fairly public to the way, you know, do you want to submit something about what you think is a good idea as a SIG security member? Because you have an opinion on this. I think it would make sense because... Yeah, I think that... Because we're the sort of people who know people who ourselves need these things, you know. Yeah, I think that, I think people, I think some of the challenge with people in this group that I've heard is sometimes people feel like they can't speak for their company and so we want to figure out how to frame the opinions so that they are, you know, so that that gets met in some way, right? And then I think people are comfortable asserting that things are needed if they have data about that, but then people are a little uncomfortable saying that things are not needed, right? 
And so we're just trying to figure out how we can do this in a way that is transparent and provides useful information, yet, you know, people feel comfortable saying honest things about whatever's going on. But yeah, I think that part of the point of the SIGs is that we gather, you know, experts in a domain and we can all chime in and the TOC some years has a bunch of security experts, some years doesn't and they can't always control the expertise across the TOC. I think they make an effort to, but because there's voting and there's, you know, there's like a lot of different things to kind of take into account. They don't always have expertise in every single area. Yeah, I mean, security is a very big area. There are lots of, it's a very broad thing that you may be, even if you are someone on the TOC with security expertise, there's still maybe things you don't know anything about in security or not enough to give you any useful analysis. Have we got anyone else who would like to say anything? Is there anyone at all who I have missed or didn't mark that they wanted to say something or suddenly thought of something they must say? Do we have a, are we queued up for next week? Because we were, we've kind of, we were going to have a presentation this week, January 15th was going to be a working meeting. I just wanted to, we don't have a meeting facilitator. Does anybody want to volunteer? Otherwise I'll rabble rouse. For those of you who are new, we have a role after you've been to a couple of meetings and served as a scribe a couple of times, then you too can be a meeting facilitator. And it's like super helpful to have members of the group volunteer to facilitate whatever, whatever's coming up. So, so I just wanted to make a plug for that. 
And you can, you too can read our exciting governance docs, which are a little lengthy, but the goal is to create enough process that people can just step in and do stuff without too much rigmarole, which seems to be working because we've got a lot of cool stuff going on. Sure, I'm happy to facilitate next week. This is juicy. Thank you, Michael. We can take that up offline about agenda items in advance. Okay. Yeah. If you ever want to have any other agenda items, please add them or open an issue or bring us or any of those things. I'm still trying to chase the one that I put down, but I haven't got in touch with Steven yet. So I'm trying to get them. Yeah. And usually what we do when we have a working meeting session is like Brendan and me and like other people who do a lot of GitHub stuff will go through and see if there are GitHub issues that just need a little discussion and then we can close them. Sometimes it's hard to take these things to a close with entirely async discussion. So, so yeah, sometimes they benefit from some live discussion to iron out the last little wrinkles and things or just to share some of the great work that's being done in terms of documenting practices. Okay, well, I think we're done then. Happy new year, everybody. Happy new year. Thank you. Happy new year. Happy new year.