 All right, so we've got a short time here, so we'll just get started. So this year we got a new logo. For long time ago, we did have logo back with Novel, and we dropped them. That didn't come out with when we came out of Novel. And we kind of picked up the mascot, which we inherited from Immunix a long time ago, and we're kind of using that. But that's not the best logo for desktops and stuff, and Noah Wiley did some work, and we got a nice new logo out of it, and so we're all happy with that. We transitioned from Launchpad to GitLab. The transition between from BZR to Git was a bit of a pain, but not too bad. We still are stuck on Launchpad for some of the bugs and translations, but mostly we're on GitLab now. We also transitioned from our custom MediWiki, MediaWiki, whatever, to the GitLab Wiki. That was a bit of a pain. There was a whole bunch of scripts written to and conversions done to convert MediaWiki down to the GitLab markdown, and there's still several things broken from that. We're slowly working our way through and finding them, but what can you do? With that, we also did the work to get the CII Best Practice badge for AppArmor. A lot of that came from actually moving to GitLab, because then we automatically picked up HTTPS and several other things that it's needed for it, and then it was mostly just updating documentation and a few other, making sure our license is all complied and everything was in place. So it's a really good plug for the CII Best Practices project should be on there if they can. Upstreaming. We upstreamed everything this year, finished upstreaming except for the Mbuntu Delta, except for the AFUNIX Fine Grain Mediation. That's waiting and getting a little bit of revision as we are now also working on fine grain network mediation, and so we want to make sure everything works together and is nice with it. So we did get a few other things up there, though. We got the SECIDs up, finally, support for SECIDs, which is a precursor for networking, but it's also allowed us to get an audit filter support for an audit rule filtering. So we just support the subject role right now, but hey, that's great. We did get the base socket mediation in in 4.17, so this isn't fine grain network mediation. This is just, no, you can't use packet, AF packet, stuff like that. We picked up a little bit of IMA integration, and there are plans for more, so right now we can do some profile attachment based on the IMA measurement. So you can't, you can't transition to this. You can't run this executable, basically, or you can run this executable, but you'll get different confinement based on whether the IMA signature matches or not. And we, with that, we also improved some of the attachment resolution, so it doesn't really change anything except for the fact in the past that when we had a conflict, you would just be denied, right? And that's still the case, but we have a smaller window on what those conflicts are. And we picked up a no-new-proofs subset test, which doesn't get us all the way on supporting no-new-proofs the way we want, but it lets us track when no-new-proofs was set so that we can say, yes, this set of policy is a subset of that policy, and so we can always maintain that no-new-proofs guarantee and still do certain policy transitions without breaking things. 414 we had of a bit of a hiccup or a flame, maybe. So this delayed a few things and a few plans, and it enabled us, actually it was good in a way, because it enabled us to focus on some things that had been really hurting and needing attention for a long time. So we got a bit of a new direction out of this and paused some of the upstream stuff that we wanted to do, and so what happened with 414 is we first tried pushing the networking socket mediation patch, and it broke some kernel devs. So what happened here is, app armor originally, what was going on in user space is, we had basically two modes. You could, as a distro, pin your policy to a specific ABI, or you could have it open in, say, a dev mode type thing, so if your kernel ABI would be used and anything missing in policy would get denied, and then you could get those back as bug reports and throw stuff in. Hello, breaking kernel devs. So this is, to fix this, we needed to change some things, and there's a whole bunch of ancillary work around this. So basically all we had to do from this point of view is policy now gets the ABI that it was written for attached to it. It's not a big deal, you know, that's great and everything, but what else do we have to actually do to fix some other problems around this? Well, we had a single policy binary policy cache, and so if you were switching kernels, that had to be invalidated and then recompiled, and we're doing that at boot time, which is a real problem. It was a lot of issues, especially, well, I mean, we could do some NET RAM FS policy and stuff, but it was a pain in the butt, right? And we're working towards being able to do more of that. So what we did is we now have basically a per kernel policy cache, so you can install these things, you can actually pre-ship the policies with each kernel if you want as a distro, and to also support that, we now also support policy cache overlays, and so you could have a local cache for local changes and have an RO image that you're shipping stuff in as well. That's the big stuff that's actually landed. We have a whole bunch of stuff that's work in progress right now. So we've done a whole bunch of internal cleanups, reworking the early policy load. One of the goals is to be able to get system D directly calling into libapp armor to load it, instead of doing the extra call out to the parser right now to do it. Making it easier to put policy in NET RAM FS. We've got fine-grade network mediation coming with support for IP tables and stuff. There's a certain little mount rework going around that's requiring some work, and there is also work on missing mediation like keys and eye octals. We are also doing a whole bunch of work around improving our internal auditing, so we want to get our audit data structures off the stack, and then we also want to be able to do some additional caching and grouping, and a large part of this comes to our complain or learning mode stuff. So we can generate a flood of logs, and so part of that is we want to be able to reduce those, we want to be able to group them, again reducing amount of data being done, and we also want to be able to selectively say, are we going to actually send this to the audit subsystem, or are we going to allow a daemon to register and send it directly to that daemon? Again, it's not going to audit subsystem at all. We're getting it out of the way. We do have some further attachment conditionals we're playing with, so we have the IMA that I mentioned, but there's also some stuff around users that a lot of people really want for some role-based policy stuff. There's extended conditionals and extra permissions breaking things down better. They're actually broken down in the kernel, but they're not in user space, and so getting that impedance mismatch fixed. Then there's a whole bunch of work around policy namespaces, so internally scope and view work, that's again to help, that's the last piece we need to finish up, well not the last piece, but one of the big pieces that we have to finish up before we can open our policy to users and applications so that they can load their own policy. That's the goal anyways, and delegation, we keep starting on it and it never gets done, which is the last big piece of our mediation model that just hasn't hit yet, but we have been working on it. That's it for the year. Hope that's fit, yeah, not too bad. Any questions? All right.