By the way, what mic are you using? It's really clear. That's SM57. Oh, okay. I have one of those actually. I just can't be bothered to connect it to my laptop. Yeah, it's a bit of a hassle. Yeah. Once you've got it set up, it's like, Yeah. mic stand fixed there, always there. Alright, let me put the meeting notes in the chat. So if you've been signed in. Hello, everyone. Hello. Love your background, by the way. Is that the, it looks like the fields are Amsterdam. I think that's where I found it on Unsplash. It was a good site to get free-to-use images. End up being good for Zoom backgrounds. Awesome. All right. So for those who joined, I put in the meeting link in the chat. Please. Go in and put your attendance in. If we could, if anyone wants to volunteer for scribe. Okay, let me put it in again. Paul, are you on the line? Yeah, we just had an internal meeting. He might be running a few minutes late. I'll ping him and see where he's at. This is Mark here from Arm. Okay. Hey, Mark. Hello. Hi. He mentioned that he's having trouble logging in. Which is not new. Yeah, I think you need an account, but it's, you don't have to. There's no password. Okay. So I guess since we are waiting for Paul to do, to connect to Zoom, um, that's, um, but you're some check-ins. I think we have a couple of new folks at the call. So if you want to do an introduction, that would be great. Um, please. Okay. This is Mark here. Mark me. I'm joining from Arm. I'm part of the, uh, software ecosystem development group at Arm. And I'm working with a number of collaborators in the industry around the project that's going to be pitched today. Paul is our technical lead on that project. Project's called Parsec. Justin Cormack is quite familiar with that project having, uh, been part of the founding group at Docker where. I originally started as well. So I've been at Arm for about five weeks now. And I have a very good experience with this. 
I was at Docker working alongside Justin, uh, in a business development role. So happy to be here. And I actually hope to attend these sessions a little more in the future. Thank you. Well, thank you. So Wayne Haber. Um, in on one of the security teams at GitLab. And actually similar to Mark, this is, this is one of my, this is my first meeting and I plan to attend future ones. I'm just, GitLab is really happy to take advantage of CNCF initiatives and we wanna give back as well. So I'm just kind of listening in today to learn. Great, thanks, Wayne. Guess I'll go next. I'm Jonathan Altman from Capital One. I am here to start getting up to speed on the security SIG and largely under the guise of working on Cloud Custodian. Awesome. Are you working, I think there was something on security assessments with that, but I'm not sure if it's just in cat boxes on, yeah. Yeah, still in the process. Okay, yeah, we'll figure it out. I know. Eventually. Yeah, and specifically one of the things I'm trying to work on is nailing down that security assessment documentation. Okay, yeah, great. I think Justin is overseeing that, but he has issues with joining Zoom or something again, so. Yes, I'm dialed in, so I would be muted. Okay. Did we have Howard yet? I'm gonna post in the meeting notes again for those that just joined in. Please put your name on the attendance and we're doing check-ins right now, so if you're new and want to introduce yourself, feel free to go ahead and thank you, Vinay, for volunteering to write for us. By the way, Mark, do you have a copy of the slides you think you'll be able to start off? I'll show you a little bit more for Howard. Yeah, that's a good question. I think there were some last-minute edits that Paul has. If not, I think the GitHub page has a lot of information as well. We could pull that up if it helps. Let me take a quick look here and see what I got. So next week is also gonna be a working session. 
I think we are gonna be talking about the security landscape too, and if you have any topics that you wanna discuss, just add them to the next week's agenda. I'm just coordinating with Paul. I might try to share the presentation and he'll dial in by phone. He's having a hard time. I guess the meeting's not letting him join in is what he's getting as a message. So he'll try dialing in, and if he does, we'll be able to run the slide deck from my PC. Okay. Is it trying to get in, but through the web client? I know Capos has had issues with the latest changes. So do you recommend that he downloads the client itself as opposed to trying to run from the web? I do. If you're okay with the security considerations that installing the Zoom client entails, that will definitely give you the best experience. And we do use that across the team too. That's what I had to do, Mark. This is Reid. I had to go through the web client. So Arm's in the midst of adopting Zoom for a lot of our activities and we're mid changeover. So the logins become a problem. But I could get in through the web client. Google Meet slash Hangouts is doing great, by the way. So I think I know there's been a lot of interest by different people to explore other options. So if anyone has time to start that process, I forget who it was who volunteered to do a little bit of a dive. Do you have another instance where it would have been nice to do that? Yeah, I think the only requirement for us is it has to have some YouTube upload integration or some process to do that. I was able to confirm with Amy, actually it's our favorite rabbit hole. So I was able to confirm with Amy that they're actually uploading the videos after they're just grabbing the recording and uploading it rather than the real-time streaming that the Node.js Foundation does. So all we need is an artifact, actually, that Amy can grab and upload to YouTube. Yeah, and it looks like Google Hangouts slash Meet has exactly the same thing. 
You said it has a functionality to do that as well. So I don't see a real, yeah. So I think we would be sad if we went with that option, although people have other suggestions, we could certainly do some quick assessment and pick something better. Possible feedback on using some of the Google tools is that some participants from some organizations may have trouble participating with that on their corporate accounts slash corporate laptops. Yeah, I mentioned this last, this underwent, I mentioned this last time that finance people are gonna block it because of DLP. So I don't think Google's the best option for this. I like the platform myself, but... Okay, well, we can have that discussion on the issue tracker. We need to do more than just, it shouldn't be one person pushing something, we should really try to lay out the pros and cons and like to collectively come to a reasoned decision about what to do, of which, I mean, an option is to stay where we are, but obviously it's frustrating for me to call in and try to attend a presentation that I'm not gonna be able to see the slides on. Yeah, I'll put the issue in the chat. Thanks Brandon. Go do the work. Yeah, he's trying to dial in now. He just sent me the deck. He's a bit disappointed, he's got animations and a slide deck. We're gonna have to figure out how to cue him up so we're in sync as he's talking through this. So Paul is suggesting that we consider rescheduling because his mobile device doesn't have enough power and he's gonna have to use his phone in an environment that's a little bit noisy. All this working from home, right? He's a bit, he's struggling right now trying to get everything lined up. He sent me the deck, but I haven't received it yet. So I don't know if it's too big, but he's frantically trying to set everything up. All those animations? Who knows? Wanted to make a good impression, see? 
All right, yeah, let's try reschedule this and then maybe we can try and work out the kinks of this before the next meeting. Okay, so I think we will convert this session to a working session. I know we didn't really have that much planned yet. So one thing I think can probably talk about is eating at you on the call. I was not sure whether maybe we can show a little bit about the security landscape stuff. On here, can you hear me okay? Yep, perfect. You want to pull that up or? Yeah, I can put that, just give me a second. I see someone joined, I'm not sure whether that's Paul. And I can add the link to the issue or kick up. Let me share my screen. And here, I can share the link on the issue as well too. All right. So this issue is on security landscape iteration two, security landscape two. So this is something that we started working on a while ago and more recently, after getting through some of the security assessments and sandbox projects, we decided to kind of jumpstart this again. So Justin, Yiling and myself are looking at security landscape too. And the idea here is to create a security landscape which we feel would provide more ease of use than what we have today. Today we have this of categories, we should say that okay, here are some things that like authorization, logging, monitoring. But it doesn't really provide many actionable items that people can use it and then apply it to their own security solutioning or their own architecture. So the idea here is to create somewhat of a set of processes that will map onto projects in the CNCF security landscape. And one example that we started with here is being able to do it on applications. So how do you create a cognitive application? So this goes to the pipeline flag. Okay, developers commit code for the threats while the preventions and mitigations and so on, right? And the other part of it that we think that is also equally important is how do you express this information? 
How do you make it easily digestible and interpretable? And so as part of this work is kind of creating an interface which makes it easy to navigate these items. So I have to download this, right? So you didn't put together this mock up and PowerPoint of example of what the landscape would look like. Do you want to take it from here? Yeah, you have to, did you download it? Yeah, I think this is it, right? Oops, okay. So this pretty much was trying to get an idea on when you said you wanted that to be interactive on what you mean, right? So that this is a prototype, I did that quickly in PowerPoint to show that that's kind of the user experience. Only the first two boxes clickable based on from the PowerPoint you have, Brandon. Okay. And if you click on that box, like click for more details and that shows up in that. And then if you click on the close box or you click on code review, you will go to code review. Cool, okay. So here if you go to code review and it will pop up the code review box, if you click on for more details it will pop up the detail for the code review. And so that's, I was wanting to make sure with a prototype that's the kind of user experience you're looking for and the interactiveness. Right, I think this is what we had in mind. So this is great. And I never knew you could do a lot of this in PowerPoint. The animation and transition in however is an easy quick way to kind of get a prototyping together and you don't have to mess with or designing it or all yet in web. You can even do a video clip within PowerPoint. I did one of my class project video via PowerPoint since I don't have those, you know, cause million dollar type of video editing stuff. All right, yeah. So this is great. I think it kind of like shows what kind of is envisioned by the landscape. And I think this is probably a good time to get some feedback from everyone about what do you think about this? 
What are some things that you think I would say, so number one, the clicking user experience, right? Second of it, you kind of have to do thing about how dynamic this is because building something like this pop a box and hiding and moving it based on where you click in a static HTML is not that hard. But if you're like all the boxes or this material gonna be changed frequently, then you will have to want to design a web app that is data driven and have a design agree funds separately from there. And then wherever data you plug in, there's much more upfront development. But then for the longer run, if you expect to like, for example, quickly add another box in this floor as an example, then you don't need to deal with the front end side of it. You can just add the data in the behind the scene. And then all of the data correlated for the pop up that it will show up and then also correlate to when you click for more details that pop up to show up. So I saw your PowerPoint and it was just have, I took this particular one to just show the clicking and interactiveness. But if you want to take this and make it into a fully functioning website, you kind of have to think about on, okay, how you plan to use it and how you plan to update it because it may be worthwhile to invest upfront on that development, separating your front end and your back end and have a data source, then start with like a static pages, then you later have to make a lot of changes. Just to, for example, I changed one data point or a single word, right? Yeah. Yeah, I agree on that. Especially when we start adding more boxes to the processes and having kind of more complex processes. Like, I think one thing that Justin was saying is that sometimes you could have loops for things that you have to do iteratively run. So having also that like, how do you kind of go back and forth? Like everything fits on the screen, I see here. How do you go back and forth? 
Between the processes, would there kind of just be a sliding window or something like that? I think that's something also that we can think about. So are there any thoughts on kind of this landscape versus the traditional several categories and projects on those categories? How big do you think this is going to be? I mean, how many things are there? What does it look like from a sort of top level view? Because I'm kind of curious as to how navigable and understanding of it is once it's all done rather than a piece of it. So initially when we were kind of putting out the content, I think we came up with a few ideas, right? So I think there would be a couple. So I think there's two parts of it. One of it is there will be a couple processes, like how do you set up the infrastructure securely? And then one is how do you develop the app securely? And then one is maybe logging and monitoring and things like that. So one of it is that generally the processes would be categorized enough that you could probably zoom in and zoom out on different hierarchies. Another thing that we talked about is also being able to filter by a certain role. For example, if a particular role, say I'm a developer, I'm going to hit the filter by only developer roles and what it's going to do is just going to show me everything that's relevant to a developer. And then if I'm an operator, I'm only going to be able to see things that are relevant to operators. So I think the navigation is going to be a challenge. I don't think we have a good idea on what it's going to look like yet, just because it's hard to visualize. But I think that's definitely something that we will have to work on. Operator view, is that more of a challenge than a challenge? I think it's more of a challenge than a challenge. Operator view, is that more the CD aspect, the deployment aspect and then the post deployment steps? Yeah, exactly. 
So that would kind of be like a configuration of the cluster, configuration of a monitoring of the views and the cluster. I mean, these are not like we haven't really written down like what we think would be the filters and what they would look like. So I think a lot of this is still open to feedback, you know, whatever people would find useful. I will say that at a high level, our goal here is to organize this by the steps that are occurring in a normal like application deployment lifetime. And so if there's things that we're missing there or things that need to be expanded on or done differently there, that would be really helpful to see because that sort of like the organizing principle is to put things that way because then it's very easy to tell where security systems go because it either are or aren't used at different steps. So yeah. Yeah, and if you have any other comments we'll link the issue and feel free to comment on that. But Paul, I see you've managed to finally make it. Hi Brandon. I am so sorry to everyone for the hassle. I have no idea what happened but pretty much every way I tried to get into the Zoom meeting despite having joined this meeting before, despite having the clients on my machine, it was not letting me in. The route that eventually worked was signing in with Facebook, believe it or not. So it eventually let me in as a Facebook user but no other process worked. We have this problem but this is the first time that I've heard of it being like this direct. So, oh. But I am here. I know there has been talk of rescheduling because things were getting to truly desperate measures and I thought there was just no way for me to realistically do this and I hate messing people around but if you do still have space in the schedule I think I am now good to go. How long are you gonna take for this? I think it's kind of a matter of whether we can fit it in within half an hour and have time for questions. 
So it would probably be a stretch to do it within half an hour and have time for questions. I can try to speed up through some parts of it. We can give it a go and see how we go. Can I leave that up to you as chair? Yeah, I think it's probably gonna be better if we schedule another time, especially I think. I'm not sure if some people on the call that would have wanted to see the presentation have jumped off. Oh, I see, right, okay. Yes, in that case, no worries. I would be available next week if we can punt it to next week if there's nothing else. Yeah, I think next week should be fine. I don't think there's anything in the schedule right now, but I'll just check on that after this. Agreed on that quick. All right, so I think let's see whether there's any other issues to talk about. I think Emily and I were looking at some issues and marked some issues in GitHub to follow some of the good things that we feel like new members could take a look at. I think we will cover that in the next working session. I don't think that's really it. So I think if we understand any other things that people wanna talk about, we can probably end this call here today. All right, cool. So it seems that everyone gets half an hour back. Thank you, everybody. You're welcome. Thank you. Take care. Bye. Thank you. Bye-bye.