 Good day Ray. Oh, how are you? Pretty good. Yep. Pretty good. Is my audio coming through well enough? Yes. Thanks. Good day Brandon, Matt, Dan. Hello. Hello. Brandon, are you aware of the tracking issues where we said we would go through five assessments before we made it official? Yeah, let me put it up for a second. By the way, Matthew, thanks so much for helping to facilitate the meetings. If you want to take a break from it, I can facilitate some meetings as well, if you'd like. Thank you, Brandon. I'm happy to continue to do so so long as it's they're helpful when they're getting something done. If we feel it'd be better to sort of rotate it just so people see more than one face all the time. I'm happy to do that too. We'll just rotate every week or flip a coin at random based on who's free and that works fine by me either which way. I'd love to see someone else besides just myself come through and kind of ratify some of the facilitation process that you put in place. It's great to continue on. I'd love to see Brandon or someone else come in, go through the process, get feedback and kind of do some some better work there. Maybe I can prioritize this week now that we've got Harbor out the door or landing the facilitator guidelines and we can choose a meeting in the future that I mean, Brandon, it's good time for Brandon. I should put together the facilitator guidelines. I recall now it meant to put together a forward post and put that in the documentation still haven't done it. Actually, I'll supplement that, Dan. 
So if we have light for more an embedded security background and bit of pentesting that sort of stuff, if someone were to say do more than say facilitating but be able to provide some answers to the actual real questions, are there different meetings or leadership meetings or just reviews one should take part in so that rather than guide, you know, the facilitator or guide the meeting by a sort of a formula, actually have concrete answers to actual security slash leadership questions. What does one do take part in security reviews? Join some additional separate meetings that are destroyed from this or what's the way forward with that? So there are three other sort of primary workflows. The co-chairs meet regularly when everybody's healthy and available. We usually have a weekly cadence and we'll meet either Sunday evening or Monday evening and sort of coordinate at a high level and work towards any of our sort of longer term goals. Then the co-chairs and the tech leads just started last Wednesday, a bi-weekly meeting amongst ourselves and then there are the individual assessment flows. The formalization of our tech leads is, you know, something that just recently happened. So I think what the opportunity, you know, to sort of expand from, you know, those sort of existing pillars towards, you know, new activity streams would be if any of the chairs or the tech leads wanted to, you know, set up a breakout and, you know, Brandon's probably the best person to partner with on this and maybe go through, do some issue triage and, you know, work on that. You know, that's an area of need. There's no formal definition around that yet. It's largely been, you know, the tech leads stepping in and, you know, taking care of it and, you know, the co-chairs ratifying things and proposing things. So, you know, that's kind of the landscape and, you know, it's always great to, you know, get more help and, you know, the, you know, CNCF, chop wood, carry water.
Now, that's a great opportunity right there. I reached out to you specifically or Brandon, for example. I was thinking I could just reach out via Slack after this meeting and this resonates with the question another attendee had just the other week and that was how do we sort of join in, like, for example, on a review, even if we're just an observer so that way we can sort of learn at the first time and not ask silly questions or slow down other people by treating it like an academic training exercise rather than what it is a security review. Should I just reach out via Slack and take it from there? Just to get like the meeting invites, which ones are appropriate for me to join that sort of thing? Yeah, I would say also, like, I feel like we initially started kind of, the initial idea was most of the communication would be in the issues themselves, but it seems like over the course of the past year, there seems to be like a huge explosion of the number of issues. So it's becoming a bit difficult to track. I mean, a ton of people have different ideas and stuff like that. So yeah, maybe it sounds like, like, like we can do some maybe have a label on certain assessments. Yeah. And, you know, Brandon, just referring on our last, you know, tech leads and co-chair meeting, there's definitely an opportunity right now to ramp up our coordination with Amy and, you know, the CNCF team. And, you know, that area above me on just working out of issues, but, you know, tracing the issues that are outside of the, you know, security repo and building a bit more shared understanding and maybe a little bit of process around how we coordinate there. You know, it's an open opportunity that I feel like we're iterating towards, but we definitely don't have, you know, sort of shared understanding of, you know, how it works and how it should work really important. Gotcha. Well, at the very least, I'll definitely be reaching out to both of you via Slack afterwards to see you up again.
All right. So I think we have enough time for everyone to help on board with that critical mass. I'm just going to quickly go through the attendance and I'll just paste the attendance link here in the chats in case people that joined after I first pasted it did not see it. But there you can go in and put your name and there's instructions above. If there are any new attendees that haven't been on one of these calls before, please feel free to just put that in brackets beside your name and later on we'll open up a window for new attendees to introduce themselves. Okay. In terms of what we have here. You know what? I'll go through the new attendees at the end just because I see a lot of names popping up here. We'll go through SIGs first. Actually, first, I don't know why I always delays each time scribes. Is there anyone that would like to volunteer to be scribes or meeting minute takers for today? I think there's an update from a few people. Agreed. Yeah. Yeah. I was going to go with the Wallace Loffers since there's a SIG recommendation there and then just go through the rest in the order in which I see them. Okay. Oh, sorry, please go ahead. So, yesterday at the TOC meeting, it kind of changed a lot because there was a new sandbox proposal, which is kind of like another matter. And so I'm bringing it up partially because I have stuck at this because I proposed Keycloak. I want to kind of like take a sound aside the new sandbox proposal because, okay, let's assume for this proposal that I change submission of Keycloak from sandbox to incubation and then the change of the process doesn't apply. But in general, there is this requirement or strong suggestion to obtain a recommendation from SIGs when you apply to CNCF. I know the struggle because like SIG security, there is a certain bandwidth limitation to the proper project assessments and you do need to prioritize current CNCF projects while there is a steady flow of the requests on top of them.
So it's pretty much hard to do a proper assessment for anyone asking because they want to be considered for CNCF, which is kind of where Keycloak has been. So I kind of wonder like what does the SIG recommendation for TOC really mean? Does it mean because I made like a proper security assessment for Keycloak request with all the write-up and so on. But at the same time, there is nothing written there that that's exactly what this meant. And so I know it's bandwidth wise, it's hard to expect SIG security right now to do a proper assessment. At the same time, being realistic, is there any process towards actually having the recommendation and some software review or not? I'm kind of both asking for myself and stating the problem in general. Like it's not only about Keycloak, but it would be good for me to have an answer. Great. So let me separate a bit the sandbox proposal changes and Keycloak. Keycloak, Dex, and a couple other projects are in our queue. I've unfortunately, both of my co-chairs, Sarah Allen, is sick and JJ is stuck in India. So kind of at the top of the food chain, I have a bit of a leadership and bandwidth organizational challenge right now. So getting through that and I apologize for any delays that's created on your end. Brandon was with the new proposal, proposing that we potentially lighten up how we approach folks going into sandbox and make that much more of a self-assessment, less of a guided process. We have kind of one core well-oiled process with the security assessment, which is a different workflow, different concept than what you'll get with a formal security organization. We're not going through and going to provide you with penetration tests and all of the artifacts that you would get from a paid $20,000 investment into getting a proper security assessment.
What we provide is in a community of experts, we help you prepare in your journey through the CNCF to sort of partner, coordinate with all the other projects, and make sure that you have clear talking points and coordination points around your security parameters. So our security assessment is a bit of a different beast that has a similarly named referring to it, but having gone through and work with a number of projects, including security products, everyone's come through the security assessment journey and been wow, that was a journey, but also feeling way more prepared to address all of the concerns. That's my high-level thoughts on that. My blocker right now is really scheduling and getting you all into the hopper, and once we start the process, it's fairly labor-intensive, but we do have a well-established process that we'll guide you through, and a number of team members that are happy to sort of step in. So you're located at the top right now. That was not my question, so I do understand the current. I was looking at the current assessment process, and I did the proper application. I was looking at the previous one, so I do understand the difference between assessment and the output, and I'm kind of like, what's the security approach here? And I think that's a good approach. My question is, okay, say a project applies to incubation, let's not mess up with sandbox right now. So, and TOC wants, okay, we want SIG Security recommendation for this project. Does recommendation from SIG Security actually involve making a proper security assessment according to SIG Security assessment process, or is a review for recommendation a lighter one? Yes. By default, it's an assessment.
You would have to really convince one of the chairs that, one, we have sufficient context to accurately and fully communicate due diligence, and, you know, so, you know, the assessment process really serves as our indoctrination, and, you know, the best way that we currently have to work with you and distribute, you know, workload, and come to a shared understanding decision. Yeah, I want to add one more thing to this, which is that really, Zoom is having a lot of problems as I've been complaining about on the security and tech lead, so hopefully we can move to different conferencing in the future. But anyway, the thing I was going to say is that oftentimes the project gets a lot out of the assessment by going through the process with us, which can in some cases be things that we don't necessarily point out. So it's almost like, you know, you hear of the people that say, well, I went to the psychologist and they didn't really help me. All they did was have me talk, and then I helped myself. And, you know, so there is an aspect of that to it, too, where it's something where the process of you going through a process about reasoning about the things you have to to give us that information has, in many cases, caused projects to find serious security issues in things they're doing. Just to clear out, yeah, I totally recognize it. Like, even without getting to CNCF, I would love to get your assessment, well, assessment from security for the project. So I see all the values. What I'm raising is purely a process or bandwidth issue. So my concern is essentially following catch-22 situation, where to move forward with incubation process, let's say, I'm being asked by TOC to get a recommendation from security, which is a security assessment. But then SIG Security having a bandwidth capabilities, like it has, will struggle to actually process the assessment because there will be more priority, higher priority projects in the queue.
I don't current situation is special with COVID, no, no, no, deny, like, we just need to go past that. But in general, like, you know, when few projects apply, while you still have a backlog of our CNCF projects, which are higher importance, wouldn't it not put the new projects in a block position? If we run into that situation, then that's a situation that we'll have to deal with. We're not in that situation now, for sure. We had Harbor come along. I think they were the most recent project to do a self assessment. And they just powered through and completed everything. And, you know, we did an assessment of them in quite quick order. The projects that you might see in a queue, if you look online, a lot of those projects are have had situations where, for instance, they were very actively doing things. And then, you know, COVID hit and everybody started to do social distancing. And the person who was working on it all of a sudden had different priorities. And basically said, like, hey, from the project side, we can't do anything. I'm not aware of a project that is like waiting on us to do anything at this point. I think that was like, so Keycloak, initially, we started this process. And then there was a there was this change in the TOC's view on Keycloak initially as a sandbox. So I think we had a team together, then we decided to move the focus to, I think it was like a SPIFFE/SPIRE or cargo studio or something like that. Yeah, but then I think the thing was now with there was kind of like an influx of new projects. And then there was it wasn't quite clearly, to me, which projects were requested by the TOC to be reviewed by us. So I think there was kind of like a bit of miscommunication or these like delayed communication around that. Yeah, I think I think you answered my question. You know, I applied. I created the submission I think a month ago with the whole self assessment write up. I'm not complaining because I know the current struggle.
So, you know, I'll patiently wait. It's a bit exceptional, but I'm just kind of like raising the concern. Is it the proper approach? Okay, so with the new processes and absolutely ping ping us ping me on on Slack add something to the issue itself. If you're waiting on us and the TOC has approved it, then that's our fault. But my understanding is that that generally isn't the case. Yeah, there is a bit of, you know, I was, I recognize there was a bit of uncertainty. Like, are you supposed to come to TOC with recommendation? Or do I need to come to TOC and one of I need to have like at least one sponsor and then this sponsor needs to go to you kind of like, okay, please take a look at this project. If that's the case that, yeah, maybe I should take a step back and get someone from TOC to we approach you that, you know, people should be investigated. Because I kind of like went all in, I created issue there, I created, well, I created request there and I created request with security. So maybe that's the miscommunication and misunderstanding. Oh, good. You know, just sort of in the interest of, you know, looking toward the future, but you know, the in the next month, you know, how, how is your schedule and your team schedule looking now, does it look like, you know, that there's an opportunity, opportunity to work through the assessment process? Yeah, we can schedule you up. I can. Cool. Great. Well, I have to, you know, triage, you know, Keycloak, Dex and I think one more project in terms of, you know, what we begin to slot in and, you know, honestly showing up at meetings and advocating for your project and beginning to coordinate with our assessment leaders is the best way for me to, you know, to push that forward. So, you know, thank you for showing up. Thank you for, you know, sharing your experience and your concerns.
And, you know, I'll try to get that unblock and, you know, beyond that also be working with Amy to make sure that we're, you know, working out the kinks in this new pivot towards, you know, making sure that the things are, you know, since we're, you know, critical path now, you know, I need to make sure that we're, you know, aligning and communicating on those coordination points a bit more. Thanks for sharing this. Okay. Thank you. We'll move on to the next attendee with an update here and I believe that's Brandon. Good day, Brandon. Again. Hey, yeah, what I want to talk about is kind of where they kind of talked about it. But I created a PR to put on the README page some indication of how do I go about submitting a request for SIG review. But given that things have changed over the past two days, I think I probably have to review the band and we have to discuss it to really figure out how we want that process to be. Okay. Thank you, Brandon. I'd also like to say that if we are moving ahead with Keycloak, now that I'm like I see the issue, I'm looking at the issue here, we desperately need folks to volunteer to be security reviewers for Keycloak. So I will post the issue in our Slack right now, in our Slack channel, but I would greatly appreciate people reaching out and saying, yes, I can participate in this. You don't have to have done an assessment before to participate. But if you might be tapped to be the lead security reviewer, then you would have had to have done a prior assessment. So please volunteer. It's a good way to get some experience doing something that is obviously a really important part of our community and a really important part of judging the security of products and projects everywhere.
If the opportunity permits, could you please copy paste a hot link from Slack into the Zoom chat here just so people want to go straight to the, let's say, if you start a new thread on it, get a hot link to the thread, people can jump onto that from a link in the chat. Awesome. Thank you. I can't. I'm called in, unfortunately. Okay. I see one there. I believe Krishan Sharma provided one. Thank you, Krishan. Yeah, sure. I'm also trying to log in and trying to contribute, so it would be good for Steph for me as well. Thank you. Thank you. Okay. In that case, I'll move on to the next item. Let's see. Brandon, no update, no update, no update. We have Justin Cappos. Were you able to get in through Zoom or did they blacklist you for number 376? I don't really know what the problem is. Honestly, I registered Zoom SUPs as my username and some other things like that, but this same ID and everything works on every other Zoom call I get randomly invited to, which I get invited to them, I don't know, a couple times a day. So I don't really know why, but for the last two weeks, I've been unable to dial in. I am not installing and have never installed and will not install the Zoom client due to all the security issues and oversight they've had. And the error message seems to indicate there's some problem with the client, which is strange because it's obviously not installed. So I don't know what's going on, but I would, I had brought up the issue weeks ago, and there'd been a lot of, I think, positive mentions that we should maybe move away from Zoom. And I'd like to just renew that now that I am able to actually, in some limited form, be able to call in, but it's unfortunate not being able to see who's speaking or any, you know, or things like that, which I feel is a big hindrance. Right. Amy, have you first asked? I'm sorry about that, Nancy. Amy, have you had to reconfigure any of the sort of convenience links? No, you all are exactly as you were.
So I'm not really sure why that's actually going on, but I see questions in chat about alternatives to Zoom. So happy to be able to hear. Right. Yeah, I mean, you know, getting, getting to the alternative and working through all the issues, you know, I'm happy to have that be, you know, longer running workflow. You know, the easiest, you know, the easiest sort of incremental move right now is, you know, making sure that the web links work and have whatever password or whatever, you know, the new Zoom policies require, you know, connected up. So, you know, Justin, I think, you know, including a link to the, you know, web client and, you know, maybe a note as to why we recommend the web client, you know, will be great. And, you know, I'm happy this, this link is, you know, the, whatever, the meeting ID, main meeting, default meeting ID, I believe, you know, for security. So, you know, we can test it out at any point. I believe that, you know, it'll automatically get recorded and posted to YouTube when we do. So, there's that. But, you know, Justin, if you have time and want to test things out, I'm happy to hop on sometime later this week. Okay. Yeah, maybe we'll do that and try to see if we can figure out what the heck is going on with this. Right. Just get you, you know, logged in and figure out, you know, there's some really goofy steps that, you know, I was reading about in terms of logging on with the web client, where you have to sort of dodge and weave all the attempts that Zoom is trying to get you to shuttle you towards the desktop client. But it sounds like it's not that. I do all those meetings. So, in this case, all the time weaving ends up in an error code 3000. Okay, so put the issue, issue link and then now put it in the minutes on the running the Zoom in the VM. I'll add actually the other week I proposed putting together some images. 
It doesn't seem too hard to set it up in a Docker container for Linux, even though it's a graphical application Zoom, but then it's a container. So, Windows users, I think you can use Linux on Windows, but not Windows on Linux, but there's some headaches involved. And then I looked at VM based approaches and the only Windows VMs that I could find are like these Microsoft Edge ones that expire after 90 days and are more or less meant for Windows web app testing rather than recreating every X days as an instant messaging client thing. So, I don't know if it's violating the spirit of the license there. So, the ultimate solution I arrived at was Linux virtual machine and Linux in general without starting a flame war. So, if we wanted to prepackage them, that's I think the only medium I'd recommend because the second way of more than one image. Why is it Ubuntu? Why isn't it Fedora? Or can you help me debug products? No, no, we're not Zoom support. So, I'm happy to still put together a Linux VM image and maybe some, maybe like a Vagrant build script to recreate it if anyone thinks there's merit to that. Like as an interim slash stopgap solution. Well, throw this out there. Is it? So, go ahead. Could you say that I think anybody who's going to want to install the VM will probably just want to do their own OS install because it's like once you just do a basic install of a distro with a browser, then Zoom will probably just forcibly install that client and do everything for you. I think, I don't know, because like I would want to do it myself. I'm actually already running virtual machines for other things and I sort of don't have enough memory left to run to yet another virtual machine to just handle Zoom. So, like when I have to do that for WebEx, for instance, I have to shut down a bunch of other stuff and it's just a pain in the ass. So, I really don't want to be in that situation for Zoom if I can avoid it. I think of it.
I'm probably preaching to a rather elite audience of people are already aware of and concerned about the security implications. Chances are they can install VM storage back up or something. But I thought I'd throw it up. Would it be just busy workers? Is there any merit in throwing together, like maybe the term would be meta assessment, like some sort of short report that says, here's the clients we considered, here's the security, here's the usability, here's the practicality. And if we decide to move away from Zoom, we have that. Like, does that need to be formal or clinical? Should we make something like that or just say, no, let's just use tool XYZ, change our YouTube upload scripts and be done with it? No, I think there's merit in that. I think who I created a while ago that I think someone said that they had put in the chat there, talking about looking at alternatives to Zoom. That's exactly what we really should do. And so, anybody just kind of starting to add the things that they've noticed in their thoughts and because, you know, I'm also, some of the usability things, I'm not as certain, like if Google has a way to let you automatically record meetings. But I know that they've recently, with the way they're doing like the new Google Meet thing, they're making it a lot more like Zoom in terms of security and ease of access. And they don't require any browser support, I think, or anything other than your browser. They don't require you to install things unless maybe you do some kind of desktop sharing or something. I don't even know if then, if you need to. But you certainly don't need to for a normal call. Yeah, but some of the other offerings, you know, the pros and cons. And then one other thing is, if we're going to do that kind of comparison, are there any things that we have to sort of, for the sake of responsible disclosure, keep a lid on? 
Like, for example, if I just took a bunch of chat client apps right now and through ldd and strings and such had it and found certain library statically linked, that should never be statically linked. Can we put stuff out there? Or does that count as irresponsible or premature disclosure? Like, do we have to keep parts of this thing sort of non-public? I don't believe that's happened in the past with this group. And Dan, you can correct me as far as like, I don't think there's ever been an issue because it's always been known that this meeting is public and available and not necessarily like the place to bring up anything. Yeah, I see nodding. Yeah, I'm not worried about, well, I am worried about disclosure. I think it's an important consideration, but this forum is a public forum. And it should not be considered a, you know, a private forum where you can disclose, you know, any, you know, security concerns like that, and would advise anyone who has that to, you know, reach out to any of the chairs or the tech leads and, you know, schedule an offline conversation. Got it. I recall the topic along those lines popped up last time, just why I'm getting rid of it by the book. You bet. Back to you, Justin. Sorry, yeah. All done? All right. Thank you, Justin. All right. On the next update here, let's see, Justin. I have one from Mano Veliketti. If I got that correct, please correct me if I got that out. Yeah, Mano. Yeah. Do you have an update there on number 314? So, no, I just started scoping it out. I'll update the ticket with more information, but yeah, I've been away for a while. I just wanted to just talk to everyone quickly. I traveled out of the country and got stuck and recently came back, but I'll be joining the meetings more frequently. Good to be back. Okay. Thank you. All right. Now, I don't believe there are any updates, but we do have a few, I think, new attendees here. So, I'll just quickly call out your name.
If you don't want to be called out, you can just ping me or raise hand via chat or just quickly say no update via voice and we'll skip on to the next. So, first here I see in my list is Matt Hamilton. Good day, Matt. Hi. I'm Matt Hamilton. I am a principal security researcher at Soluble. Prior to Soluble, I worked at Bishop Fox as a penetration tester specializing in web applications and Kubernetes cluster security. I'm here just to watch and see what's going on. As it relates to this group, I recently disclosed a few issues to the Argo project and I'm currently working on disclosing issues to another CNCF project. But for now, before I get into it, I'm just here to watch. Welcome. Thanks for joining us. All right. And we have one more new attendee, Chen Zhiyi. Chen Zhiyi. This is Chen. I worked at Uber as a full-time software engineer. I mainly work on like the authentication and authorization solutions for internal Uber security. I joined Uber like one year ago. Before that, I worked at VMware. I worked at VMware as engineer. We provide our Kubernetes as solutions, which was named as Tanzu Mission Console. I'm kind of like a heads-up background, like Golang programming and Kubernetes and authentication. A long, long time ago, I worked at Samsung Smart TV, provided like a system-never security arm transfer for their Samsung Smart TV. But that's a really long time ago. So I'm joining this group and try to watch and learn how you guys deal with CNCF securities. Thank you, Chen. Okay. Moving along with the discussions here, I believe that covers check-ins and new attendees. I have this item here that was thrown under presentations, but I believe it may have already been covered by Bolesla. Is that correct? The title was... Yeah, I think I was on the... Yeah, I think we talked about that. Okay. So you've already covered a few items that had PRs noted with them, such as 314 and 376. So those are all done.
Are there any other PRs that anyone would like to bring up? So, Dan, I posted the issue on the third five assessments for you to get it. Thanks, Brandon. Yeah, I went through that. We could take a check off Harbor, thankfully. That was great. And we were perilously close to pushing past our initial five. I do feel like we could potentially short-circuit this. And with the proposal in place, it's a good time to advocate for the introduction of a security assessment as this is all changing. So why don't we add this as an item of discussion for next week's chair and tech lead meeting? And we'll talk through whether we want to push now and get the security in front of everybody. I think we're ready. So that's what I think. Does it work? Yep, it sounds good. Okay, with that then we've covered all. What's very good? No, I was just going to ask, is anyone that... I saw the issue with Parsec. Is there anyone from Parsec that's here? Or anyone that knows some of Parsec? I think it could be an interesting presentation for our coming meeting. Okay, I'll try and read it. The activity around it? That'd be fantastic, Brandon, if you could, you know, invite them. Yeah. Okay, with that. I believe Chase had a comment that he was trying to jump in on. That's very considering me. I wasn't pushing it. The gist is I was unclear if it was on the table for a smaller assessment or something slightly a kilter for application for sandbox or whatever versus, you know, pursuing graduation. It seems like the advantage of doing the same assessment early and late is not to compare. And maybe the detriment is that it's a little top-heavy slash maybe it's a different audience, the assessment, the bigger assessment, so to speak. I just wasn't sure where that landed. I read through the sandbox proposal stuff and it's kind of unclear to me what the whole thing is about, but that's sort of a question, sort of a statement.
Everyone's happy with the current security assessment and that's going to be the assessment that applies to sandboxing? Is that the end state? No. Well, you know, currently that's kind of, you know, the way that that's, you know, the vectors pointed. Brandon is proposing that we kind of ratchet down the approval and assessment team process with sandbox and turn that into a bit more of a self-assessment. You know, you've gotten a sense of the journey that you'll go through with assessment partners as you approach incubation or graduation. And, you know, we already have an expectation with the assessment that there's an annual renewal. So, you know, that's going to, you know, whenever you sort of get on the train, you're going to be, you know, kind of in a train workflow. So, you know, the delta that is, you know, kind of initial discussions on the table is, you know, what if we, you know, made, you know, the sandbox side of things just a little bit easier, you know, both on our side in terms of, you know, level of effort and then, you know, it's a bit more of a check-boxing exercise on, you know, the other team side. Though, you know, I think that if you're, you know, really, you know, stopping and thinking about it, it might be a little bit more than, you know, just a check box and we'll have to also see, you know, once we, you know, put out a proposal to do, you know, just on your own, you know, whether we actually are able to, you know, let folks, you know, work independently and not get pulled into, you know, basically, you know, having to allocate the level of time and effort that we'd have on a full system for, you know, one person. Yeah, and I think according to the new proposal, which I don't know when it's going to actually take effect or how many changes it's going to be, but with the new sandbox proposal, actually SIGs are not involved until the incubation process. 
So this definitely will make things simpler, at least for the sandboxing process, for us to not have the requirement and not have that kind of that huge hurdle to actually do assessment. Yeah, I'm not sure if anyone knows what kind of the timeline of that is or is it already in effect. Okay, thank you. Yeah, I mean, thoughts on that are essentially if there's no preview, so to speak, then they get pretty far down the line and get in the face with a 10 ton hammer. That's it. That's a negative. Yeah, right. And in another world in my life, we have two sort of assessments, one we call a security preview, where the P and review is product or process. I don't remember what the three P's are, but anyway, we have a security preview, and then we also have a security readiness review. Right. And readiness review is basically we're shooting you out the door, and you should have pen and paper and code review and all that jazz where I say preview could be partially conceptual, you know, there's at least POC, there's it's got legs, but whatever, but we kind of treat them, you know, one is more consultative and hey, by the way, you know, once you step into the ring, you're going to take a left jab and a right jab. So it makes sense to me to have the two things be related as one as part of the same continuum, but not the exact same thing. So that's just a thought. Okay, concluding that till our hard stop about nine minutes from now, it's an open floor. So anyone's free to chime in, I'll just throw one thing out there. And that was on the facilitator stuff. For now, how about whoever puts their name there before say, Tuesday evening, we'll just go with that. And I'll happily grab it. If I can, I'm usually able to reserve this time slot. And if not, I'll be sure to get down heads up the day before and that should cover our bases in the general sense. 
Because yeah, if other people want to step up and get to know this and be involved more, I don't want to impede new people from also taking a swing at it. Um, you know, Matthew, rather than putting in DMs, you know, it'd be more convenient for me if you dropped into security. That way, you know, if I don't happen to see, you know, the Slack notification, you know, maybe if Brandon's online or, you know, whoever else is available to facilitate, you know, that individual could raise their hand. Is that okay? Gotcha. I'll, I'll default to hold this time slot unless there's a major emergency. And other than that, I'll ping SIG Security. I'm generally able to set this time slot aside. Yeah, if you could open the PR and then we can try and follow your new guidelines to make sure it's consistent. Sure thing. Thank you. And I'll add that to the little updates to the readme markdown file on the roles page. I've been meaning to do that for a while now. I really should get around to that. Does anyone else have any topics they want to bring up in the seven minutes we have left? Okay, looks like that's a wrap. Have a great week everyone and stay healthy. All right. All right. Thank you. Thanks everyone. Have a good one.