Hello. So my name is Elio Castro. I'm working from CARIAD, a Volkswagen company, like chains always remember there, but we are basically the software division of the Volkswagen company there and I was talking about something that we have been talking in the Open Source Tooling Group about 80 years now. I think that since I joined it there this is basically the same talk that we evolve in from time to time there. Then I'm glad that Philippe passed to me. Philippe was not able to come here and then there you go. What are you talking about this? What is open source automation there? It's mostly automation. It's not only open source. It's exactly what everyone is doing. What are you talking about here now? It's about we're talking about tools. We're talking about trends. We're talking about insights. That's exactly the things that are happening right now. It's happening since long time, but it's happening again right now because it's changing all evolving there. It's all the time. So this whole credit goes to the Open Source Tooling Group because we've been working for a long time. This is not a work of one single hand. This is the work of several hands from several years. We are just improving what we're talking about. Okay. Why open source compliance tooling there? As I said that, it's dog-fooding, eating exactly what we do there. We've been doing there. This is as free as freedom. Never ask it anything about to anyone. Never actually try to sell anything. It's mostly because we have a necessity. We made it this and we created this time. Why that's exactly the right size enable with the key to right size automations for the OpenChain. The tools itself growing for a long time as independent tools there. We are separating things from the scanning part for cataloging and software, editage. Everything was growing independently, but why is growing this way? It's growing this way because at a certain point in the time, there's no tools available.
No commercial tools, no open source tools. It's basically a necessity that's starting to appear inside companies there. So this is started inside companies to be created there. And then the trends. So what is about in this range? So Philippe said to us, Philippe from ScanCode said that is supposed to be the third wave of this one. I disagree a little bit. So of course I remixed the talk about this. That is about another wave and another, another, another, next, next. Because one thing happens to the other. So the first one that I changed a little bit, that's because the first one is inner source. This happens inside the companies, doing a tool that doing necessities. You can look in for exactly the FOSSLight and SW360 born inside LG and Siemens, because they needed something that doesn't exist in the market. You can, you can think in about the scanning tools that at some point doesn't exist anywhere, but someone asked about what is having there, like a ScanCode or tools for orchestration like ORT that born inside here because doesn't have anything there. The second one was the commercial applications. You can see a lot of commercial tools that understand that necessity existed there and jump on those things and starting to provide SBOMs or some way to scanning, some way to catalog the software, good or bad, but that's it. The third wave was exactly when we started a few years ago talking about compliance and legal. Just remember this is before the whole talking about vulnerabilities scan, supply chain wars. This is the first thing that coming before. And the next wave is about application security there because the bridge is coming between the both two. So we can now see that compliance and legal tools crossing borders with application security and vulnerability tools and the resulting documents usually provide both information. So we have a single data. So that's something that is a trendy thing.
And the next one, security of course, SBOMs and everywhere and both for what? That's exactly a good question because most of the people are producing now because someone is requesting a document. Someone said to the someone that the SBOMs existing Bill of Materials, someone said the Bill of Materials can be software Bill of Materials. Someone said this could be a text document, but barely few people can actually connect everything as exactly what is in software Bill of Materials. What is the content of this? What is there? So there's a lot of things that few can process then there. Then license compliance is not yet solved. That's true because it will never be actually solved. Think about two groups of lawyers and try to make them agree with each other. It's obvious. It's different for everyone. It's the decisions is completely simple and different. So what happens there? We still a lot of work of automation to generate there. We don't have a requirements for a logical steps for automation. So everyone at this exactly moment right now, it's starting to write different pipelines away automations because people say, we've been using automation on let's say GitHub, GitLab, for a while everyone understand that's not true. We are basically right now cracking the code about what automation is for general things. Every time and every day even people say we are using Docker almost 10 years and still have people asking how to do something there inside automation. And we are at the same stage for the license because it's more complex than simple automating that build your code, generate a binary and release. So that's orchestration for many tools like ORT. We even need to orchestrate ORT inside the whole pipeline that using multiple tools. So that's the next step. Open data and data sharing will happen. And in two levels, it's not single open source like, oh, every data goes to open source everyone using the same.
No, because this is actually the difference between the open source tooling itself and the resulting data. The data is the thing that is proprietary from the company. This is the actually matters. The tool that you are using is irrelevant as long that the data is protected. But there's data that can be shared and common as open source. It doesn't matter which company you are. Everyone is still using the same glibc, the same zlib. zlib code is the same for everyone. So why companies think this is the proprietary data? It's an open source library. Everyone is using. Everyone is discounted. So that's the reason that existing projects like ClearlyDefined and OSSelot, we have a peer reviewed for plenty of people to do in this. Just to say, if anyone wants to interrupt me every time, please raise their hands and let's do it. So that's exactly the last sentence, as I said. Everyone wants this, but everyone wants to control it. Why? Why we want to control open source information that is available to everyone? You don't have this special in your case. And that is costly. It costs money. It costs time. And maybe you are just doing wrong. And that's the last point, centralized or decentralized. I can tell you later about that the probably going is like have a decentralized, centralized model. Yes, sound wrong, but I will explain this later then. Okay. So this is exactly very curious point. And nobody asked this before. This is a very good that Philippe put there. Software health quality sustainability is not there yet, but the moment that we start and everyone can answer there, the moment that we start to put in the legal information documents, they even not completely write other things. Someone jumps from your company says that, but can you see how is the quality development other things? This is the small question that is sounds completely disconnected, but lead to this. That's what will happen there. It's an is next trendy thing.
This is you coming to you doesn't ask that I can have a simple example for sustainability that comes from our industry in a special auto automotive. So that's one in Europe. We have one European law called the UNECE 155. It means that it's for security itself. We need to keep the software in house and provided during the time that the product is on the market. The product in the case of the car means that at any point any auditor want to comes to us there in the timeline of the car is the is available on the market. You have to have the source code. Then you can say, okay, but I'm using open source. I have a link it in my SBOM pointing to the internet there, the original codes. Is anyone here can guarantee that the same URL, the same website and the same source code will be in the next 10 years. That's in the internet. No, you can't. So it means that we need to take care about sustainability. We need to take care about what we have in control of everything there. This is something that will come to everyone. So FOSS UI web applications are still bad. Let me see. Yes, every single application that's we don't have a kind of counterparts. We don't have some kind of dashboard to control all the things. And we are replicating and duplicating our work in several places and tools still not even doing yet. So this is is a very key point that we need to do. This is analysis of build will display source only scans. That's that's a curious thing because right on the last two months, one word pops every time when this is talking about. Can you say what Shane? Yes, you see, this is the boring talk. Yep. But on this lowly analysis of the building manners, which think that your people are talking and asking about the last two months? Yeah. So yeah, the second thing is that everyone is asking. Oh, can you use AI to do that? Yeah, we we can't. Sorry, it's AI is limited even this today. No, this is.
And Philippe already explained it does talks about this a very detailed spot how actually this we can have limitation on the region of AI and you can have really, really bad understanding what is the result of this thing. So it's very dangerous now. And dependency track is not yet so favorable. And someone with his hands, but we have package managers. We understand package managers are the thing. Yes, we understand package managers. We can understand everything about Gradle builds or Python. But let's say that large companies like SpaceX using something called Bazel or Android is moving to Bazel. Bazel is mostly a completely new build system that doesn't have a formal package manager, meaning that we don't have an appropriate understanding of the back of the dependency. And if you use in C++ environment like 99% of the embedded world now Rust, of course, but no, we don't have it unless you actually spend time writing Conan packages that people sometimes don't like it. Or you have an artificial synthetic packages like SPDX, but we don't have dependency tracking there. There's a question that we need to do analysis of source codes. And we cannot go to the last level of binary parts because the binary lies to you. Doesn't matter what this you can go as far as possible in the binaries there. But you can have optimizations other things that not tells everything to you. We don't even don't tell exactly how actually your dependencies for build other things. And a very good example. And that's a very key important thing today about binaries is Docker. Docker itself you try to scan in the binary. And there's a lot of vendors and everyone says that you can do everything is scanning there and you can get information bill of materials. No, you can't. You can actually picking things from the outside.
There's we need to treat the Docker itself as the source origin like Dockerfile and analyze on top of other layers instead of going to the binary because the binary will give you the wrong answer for this one. We can lie a lot of this. So the things about is there is lonely. The dependencies moving. That's the binary together with the source code. Then you can have the results of these things. That's bring. Okay. Moving there. Best tools are free. Open source there. Yes. Well, it's it's not it's not because we are doing this tools. It's just because we started this tools and we know what they're actually doing. And this and it was never guided for a direct commercial interest. So we're actually thinking right. But it's hard. It's really, really hard. So we are doing exactly most of everything there. But this is the issues that it's far to be ready. We have duplications of the tools and we need a lot of work yet because just right now we are cracking everything. It's we simply don't know yet about everything. There's too much things that we didn't know until actually start to appear that companies needs or everyone needs. But we are getting there. So we have most of the things but still still not ready. We're far from there. So poor data quality. That's something that is everyone is suffering there. So yeah, vulnerability and package databases are the new rush. And everyone is trying to do in something. And this is exactly the dangerous problem. We are not guiding for anything because we are not having this anything. So everyone is trying whatever they think that they can do providing with same data, everything there. And simply we don't have the clear right answer. It's a dangerous moment about the poor data quality. The trends right now is how to refine this. So that's a say that's coming from this. One of the things this is created by nexB is Package URL that's automatically become adopted. And why for that?
It's because we really, really didn't have any way to express a proper way from the package. We created some crazy numbers about every company is trying to say, Oh, the version is this way or the other way. And nobody before that's coming with a simple solution for this. So now it's becoming a standard in the way that you can adopt it everywhere. And it's pretty much much simple there. But this is one of the things that explain the trends about exactly what we needed and goals there. Is it so badly needed? It's so simple. That's a small idea. And this is coming later. So this is coming. That's I ask it about when talking about this. Company is actually talking about projects for companies. Don't talk about components company. Don't talk about specific package theirs. This is just a part of entire project. That's a lot of information. But we don't have a way to actually single project ID. And this is actually something that we are asking there. Even that you consider that your company has some kind of different project. You every company has suppliers, suppliers has other suppliers. And we simply cannot tracking down this in simple way. So every single company creates their own method or some way or some product in database or even created for multiple different departments inside the company that don't talk with each other because companies are big. Then in the end, the projects are never had the same tracking number, same origin. So we need this there. And you need to create that. And Package URL provided the way to prove that components packages can be done in this way. So why not we just elevate this for the level of projects inside? So insights, share the data. This is pure Open Source Tooling Group. We always talk about sharing the data. We're not talking about sharing your company's secret data or confidential data. We're talking about sharing exactly what everyone's sharing is open source there.
The quality, coming back to the previous slide, the quality of the data, the quality of what you're producing, it comes from several factors, including the ones that's peer review. We cannot do it peer review inside your company because simply people don't care. If one is doing, why they are spending time with others to do it? So it means that you need to rely somewhere else or trust completely in one single peer review for yourself. And thinking about this is not a project that open source compliance is not appealing to a regular open source developers. It's appealing to basically companies. It means that the only way to actually have this peer review is with other companies, even your competitors. So what has prevented us to do it and to do in sharing data of the open source information there? So this is exactly what the things there is. If you want everyone wants to share the data and reuse the data, means ClearlyDefined or OSSelot, speed up, origin, license review. So who thinks that reducing times of lawyers costs is good? Everyone, right? And then avoiding redoing scans. So how much you can reduce about to avoiding a lot of things that you're redoing and redoing every time? Sometimes twice, three times in the same company. That's exactly the question. It's hard to overcome lawyer's objection to share a data. Yeah, this is our job. This is like even the guy that is frantic typing there. See, he is using ChatGPT. Yeah, okay. So the thing is that it's our job to actually go and try to explain and teach the lawyers about this detail. It's not easy. I've been doing a lot of times there. I finally reach our lawyers there and my company there. And I'm happy that one of them knows how to code and FreeBSD, so it helps a lot. But then how we can trust about the standard scan and curations. It's everything about peer review.
We're not talking that I would trust any information for the other company, but I can have in the several peer created reviews of several companies. And I can say that this looks like the same. This is something there. So we can actually start to trust better your code because several other people arrive on the same conclusion that you even being a different company. It means that you're not wrong about that, but while you're doing this correct there. And what the motivation and easy for public data sharing. Yes, it's pretty obvious there. Well, let's say that on the next slide, we're talking about one important thing. That's where we go there. But imagine that if everyone can actually make it this data, share it for the open source part. What can you do with this data? So we open the data there and then free as open license there and then open community created FOSS package has a knowledge base. Wait, we have a knowledge base. What is knowledge base can provide? Imagine that companies are asking about the snippet scan. And then usually there's several companies selling to you a snippet scan database. We do it better. And what happens if you actually have every single open source software that we use completely share it data and open theirs. Instantly in a matter of days, we could have the completely open source Internet's database in the some way completely ready to do a snippet scan without asking anyone. Every company builds thousands of softwares every day there. If you're doing one single time and then make it share it. We instantly can have an a secure peer reviewed snippet scan database everywhere for everyone. And you don't need any more redoing these things because it's the same software as long that you have the proper protocol that so. And then there's the last one thing there's centralized approach doesn't work. Yes, this is correct to be to share out of date and lack of trust centralized control. That's correct.
But as long that the information that is coming, it's shared there. We can replicate for everyone. It means that we just created a replication database that we can create can be provided. That's why is the model for decentralized centralized and works. So this is something that I added there's normalized normalized the data. And so it's been working in a white paper for a long time there and made the drafts available today about single source of truth. The data need to follow some standards, but we cannot simply go to XKCD and says, oh, I have a standard that we will make everything. Okay. And then you can create another standard in the pile of this. This doesn't work and the logical data should be common for everyone but agnostic. We cannot tell to the to the to company what to do, but you say that this is actually the type of data that you need to do how to do it. It's completely different. It's up to you. But we just say that this way. So this decentralizing the data at the point that you have a gateway, a common gateway that says we want to retrieve the packages. If you want to retrieve the packages from your Oracle database from your Postgres database for your object component or whatever system that's inside behind. You don't care. You ask it about getting information. And that's exactly what you want to get away from this. So we give the liberty for the side of development to choose exactly how we want to do it there. We will give the liberty for the owner of that how actually want to keep this on their side. We just say that this is the gateway use the gateway and then you choose this ones. We are not blocking. This is exactly one of the key points. This was difficult today. We're doing we're not blocking anyone to do it exactly what they want. And we're not blocking any existing application today to change it for a new standard. No. It's create a formalized gateway that is it's can be adaptable for anyone as long that everyone's communicate.
So every application can communicate to this gateway. It don't need to know anything about elsewhere. We don't need to even make all applications understand each other. It's it's a heavily complex thing. But it's the only way that you can create an official data lake for this. So license is different of security. This is the one problem that is we are in funding very well. So when we started this once the whole CVE and vulnerability scans and supply chain attacks other things didn't exist. We are talking both of legally parts and how actually you have legal part to deliver the product all things and then boom. Supply chain becomes a trendy thing and becomes the more important. And then suddenly that's things like OpenSSF become a big monster that eats everything. And then FOSS projects that's doing different documentation for this simply. It's not there yet. So we slowly have a lot of projects that work when it's completely vulnerability scan. We can see things like Dependency-Track. You can see things like a lot of databases for for vulnerability there. And we have CVE is two versions of CVE is nomenclatures. We still not enough for there because people simply not assigned numbers. There is still there a mess. And then is the same tools for everything. Every time is exactly we are doing exactly the same thing. But the users difference there. And then was the stock in the beginning. We have expectations of convergence when it happens. It's already happening there. But this is a chaotic part. And this is really simply cannot say when this actually we got in the right path. So this is until the advice to us post theirs handle both domains and adapt your language to its constituent persona. We're talking different for different people here. And it's difficult. It's really difficult because their division of every time for these things is very centered focus there. So every time some people talk it talks about their domain there and as a separate things.
And we saw that is already not anymore separated. We have everything related to project right now only the most important things is compliance license and now security there. But pretty sure that we something else will come in that when you crack at this once. So it's it's something difficult to do. So license compatibility. This is difficult. That's everyone knows about the matrix that's coming from there. That's matrix coming from OSADL matrix that's coming from license to be and that's flicked everything your mind. That's first of things. The interpretation of a license is already different for the companies. Every company takes the interpretation differently. Every lawyer team taking interpretation differently. And now we need tools that actually adapt interpretations of then of compatibility license. There's some clear cases that for example Eclipse Foundation showing exactly where Eclipse license is compatible with partial other things. But we are talking about 200 300 different licenses there. It simply cannot be passing not AI can do that. AI can create new license of course out of the box. But it's simply lawyers language there. That's need to be safe. How this actually adapted a simple example and how is public domain source code is per viewer here in North America and in European Union. It's completely different. They treat the code different. So it's in the Europe public public domain is basically a minefield. Here is completely accepted as use it and completely not. But there we go. It's it's simply there. So what you know this details about this explains mostly about how this things is done. So we have tools we have a common agreement for this and how it goes. We're trying to for on the open source tooling on FOSS then we're trying to talk in a way that you can make it this tools talking to each other there and starting to use in a common sense. But this is difficult.
And this is something that I honestly this my personal opinion there will hardly be achieved because it would be completely completely something related to the company this decisions. It will become your open source handbook and points. We have tools that can help you to get in there. But the exactly decisions about compatibility will come from your legal team. And inside snippet measure is exactly what I said before. If you actually this lot of database do you need this huge databases you need to pay there. You need to actually put in this time and cash to actually store huge amount of data. You know that is snippet database. It's a lot of big than simply license is coming there. And this is a big question there that some companies are completely fine to to to feel free and relax to pay in someone else to actually test your schools. But it's not true. We do. We never know about exactly this. So there we go this domains are abandoned by commercial vendors. So for example, everyone using the Snyk there and had spun off FossID to use their one. So Synopsys mostly abandoned Protex and it goes and goes and goes. We cannot. It's simple that one is becoming not viable in the commercial viability dies. The companies of course jump for the next trend next wave. And we becomes in their hands or there because open source. But then it comes the next question the preferred one AGI artificial general intelligence. We're not there and artificial general intelligence. But make snippets more relevant to use less at the same time because oh, I saw this I saw that they created snippet I saw this in their code it match looks like there. Can you honestly say let's simple things I as a long time developer there's a smaller 20 20 years working in open source. You I cannot say kind of someone come to you this is snippet code is problematic because these are that say how you can tell to me that the snippet code is problematic without telling me the origin and why it becomes this.
This is problematic and why actually you reusing this with this license is problematic. It simply don't tell you is the show you are you the show to you that you're using something and then it purely speculative you simply don't simply decided to do OK you are using this but we are fine. How you are fine or we are not fine because they're using GPL how you know usually we don't have this information that is not. Well for matter because it's different for everyone it's always different there. So code matching can can speed up the analysis yeah find the big rocks first we have some things like MatchCode that is appearing right now it's coming with vulnerable codes. And maybe this is could be a good idea to think about it create an a global matching snippet scan database that becoming open source standard. It's an idea. So SBOMs, SBOMs and everywhere that's mostly the bill of materials there that the quality not much. Yes sorry. Yeah this is mostly correct on this thing so yeah. It's responsible for the license back. Yeah but this is completely corrected the bad actors doesn't care about that. This is mostly and I raise another another problem on this case is specific. When it seems as this information is not completely reliable when they got this one you have you got the false sense of security there. And usually this information reach non-developer people first and they say OK we saw this one it's OK it's fine and let's go there. It's not it's not the technical guy is not the one that really developed the codes. And usually the let's be honest we are far far away from the developers on our companies when they reach the part of we are starting to do in the snippet scan or scan the code. We are the guys that are not the developers of the application and everything so it's it's a huge burden for us to actually go into understand everything. We need to understand the whole code of the company and of course this is impossible.
You can you can be the super programmer we never understand the entire code there doesn't exist this person doesn't exist. So this is the some point that we need to involve more people and and companies don't want to companies don't want to talk to the other why I want to waste time of my development team to do this analysis. And then it passed by there so this information is completely dangerous. It's your correct. Yeah. Yeah. I think we can do an a very interesting reference for this. An example how actually not the snippet itself but quality of code and and is evolved. It's a very good and bad example. It's a Linux kernel code since the beginning there because it hierarchy of how it goes. There's depending how the goals and the code and the layers are are merged up and up. People gets angry and angry and more angry until reached Linus Torvalds and angry to say it's about the how the things is completely sorry for the shit and goes goes down to fix theirs. So it's barely difficult to actually merge something that is really bad because has peer reviews by pyramid there. But it's it's a very hard case there nowadays today we cannot do in review code is too much is really too much and we don't have one single person to go in there. And that's why you're trying to automate and then it goes in this level. So going back to SBOMs. Yeah. That's, you know, we can create SBOM directly from repository from GitHub. We don't know about the data quality. Let's go in a different way. We can generate SBOM for almost every single commercial tool and FOSS compliance tools today. Every single one because companies saying to them, we need an SBOM. And everyone even don't understand exactly what they're producing are doing that. So if you go to your, let's say, your software package management repository, it generates for you their components and SBOM. And if you go to your software editor software or your proprietary scanner, it generates SBOMs.
You know that the quality of data is good because every single one tells to you that, oh, we generated that is very good. No, sorry, not it's 99% of the time the resulting SBOMs doesn't pass for even the SPDX or the CycloneDX validation methods. And why is that is because it's incomplete. It's because it's inaccurate because you don't have all the data there's no single application can produce all the data necessary to have a completely well formed SBOM. We need several steps. That's why automation there. So that's this is this is test actually existed two out of 50. This is made by Thomas team Bella two out of 50 plus software are effective and generate effective consuming SBOMs. It means that everyone is providing you today at least for more than 50 different applications. A bad SBOM. And that just says and the company says, we are conformant. We're generated SBOMs. Sorry. No, if you please tell me why you actually did they and then the answer that I don't know. Simple. That's so overengineer and under specification. This is a lot of talk that's just happened everywhere. And it says ignore the SPDX and CycloneDX feud and browse Package URL. This is pure Philippe idea there. But the thing is that I would say I will go there in the same way. Please ignore the fight between SBOM formats because the data to generate this format is the same. So make your data better. If you want to generate some output is up to you. But the data is the same for both is the same component is the same project is the same dependencies, everything. If you write an A, B or C format, who cares? The data is important. So if the SBOM is just a reporting format, but they need to fix. Yeah, exactly. And that's the key. Yeah. So this is one thing that is really we are really missing in the spines that we don't have a composition part. So it's it's okay for several tools writing the SBOMs part there.
But then after you get all the results, why not get a better composition of those ones? And then the thing is that no one actually says how this composition should be done. Let's say, for example, going back to the very, very far someone's light, eating our own dog food. Remember that today we have two ways to validate SPDX, as official SPDX. We have both Python and Java there. And both of them are not working exactly the same as each other. They're close enough. But then how do you tell which one is valid, because it's coming from the same. Yeah. So the thing is that it's becoming difficult there. We need to do validation. This is in my company. Now one thing is that we really go into the pipeline, and we say that when everyone provides an SPDX document, the first thing that they enter in the pipeline is a validation. If it's not valid, we block it, say goodbye, go back and make it right. Because this way we can actually guarantee it is at least valid. Again, pay attention to this. We validate and say we're improving the quality. We do not say that the information inside is right. We don't know how to say it. You can have an SBOM that is lying information. But the first starting point is there. Yes, this one is validated. It doesn't mean that the information is correct. So we still need to analyze this file later. One thing is to get the right file. The other thing is a really valid file. Different things. So, follow-up on collaborations and opportunities. Yeah, we need collaborations between all the open source tools that we're talking about today. And it's possible if you can talk with FOSSLight, because with the SW360 project the work is basically the same. It's a direct competitor of FOSSLight, but we're treating the same things. Same regular data. Other things, different approaches. So it's one kind of collaboration. 
We already talk on the open source tooling project there about flictosado where mine collaboration is goes to one single one. In fact, everyone is trying to do those things three times. Create a live inventory of FOSS tools and their capabilities. That's the one that we're trying to work on. If you ever want to watch the FOSSLight morning presentation, this is the famous map of all the open source tooling that we made a long time ago there. But we still don't have a live representation of this. We are lacking this, and I think we lack people to do that. Everyone is so busy. It's complex to do a shared approach. This has already started, and as a very, very good example I can go to the ORT community. If you look in there, for example, there's a shared approach on how to do the automation of ORT completely. It's public. They did it on GitLab. They did how to do it in GitHub. They showed how to do it in Jenkins. If you actually start to share more of this, it makes automation very easy for everyone and makes components part. We need to share there. These defined standards came up for tool-to-tool technical scan data sharing. This is a really key thing. This is, as I said before, a single source of truth, the one that we actually think of. Data exchange and create data. Please look at the ClearlyDefined and OSSelot projects. That's one idea. Again, we are not saying that everything is to be the de facto or become perfect there. But we pretty much have an understanding of how it goes. If you find something better, let's go there. But let's go with the common thing that everyone can share. Credits, of course. Special thanks to Philippe, because he was supposed to be here, but he was not able. He asked me to do the talk. The content is CC BY-SA, so you can reuse the content everywhere. This content has been shared and remixed forever over the last seven years there. It just improved. Seven years ago, we didn't have security vulnerabilities. 
Now it's trendy parts and it goes away. Thank you. I talk a lot. Sorry. Yeah.