Any volunteer bribes. We are going to have a working session to just carry over things that we didn't get to last time. We have a bunch of, a little backlog of activities. Apologies for not getting through all the PRs, but, as some of you have seen on Slack, we're still working through scaling our GitHub processes so that we can be responsive as a group. So please add yourself to the attendance. I will drop the meeting notes in the chat. I have some volunteers to take notes. For those of you who are new, we have two people take notes so that you don't have to worry about catching every word; it's more just the important things: people mention links in the chat, we have kind of reminders of things, and we capture action items. We have two people so people can help each other: one person can feel free to talk, and the other person can write down what they say. Thank you, Jerry and Nadir, if I'm pronouncing your name right. So, since we have a lot of things to chat about and we've got a big set of people here, why don't we just launch into check-ins. Also, for the new folks: at almost every meeting, except when we have a presentation (sometimes we skip it, but at least every other week), we try to have check-ins, sort of like an agile stand-up where you can share what's been going on with you, particularly security-related things. It's also a place where, if you're involved in other groups or you just hear about interesting things going on with security, feel free to share, because we all like to hear about it; many of us work in different domains. So my name is Sarah Allen. I'll kick it off. I'm one of the co-chairs of the CNCF Special Interest Group on Security. Thank you for coming. As of two weeks ago we got voted in as an official SIG of the CNCF, so some of our processes we are still wrangling, and we favor action in getting things done.
So what might look less organized to some of you who might be newer to agile process is actually an intentional open source process. We welcome anyone. If you see something that looks odd or is misspelled or you think could be more clear, please make a PR, or open an issue if it's just like, this is confusing, and it's in the repo, what the heck's going on here. Because we aspire to make it so that this meeting is optional, particularly to be friendly to people in other time zones, but also, as our group grows, we can't scale to have everybody present all the time. And we really, really value the people who are scrubbing in and doing deep dives on various things. We would like to grow to the point where everybody doesn't have to be in every meeting to know what's going on, but we're not quite there yet. So please shout out, ask questions. Thank you, Michael, for calling me out for not being responsive. Yeah, that is never intentional, and we want to be intentional about being inclusive. So my big contribution for the last week is that I broke out a couple of extra chats. There is now a channel on Slack to coordinate the microsite that Michael's volunteered to do, and he can talk a little bit more about that. And also I got as far as opening up some new issues to help with our triage. I didn't get to the point of actually doing PRs, so feel free to jump into the triage channel if you have good GitHub fu and would like to help with just logistics, because we would be accelerated if we did that. So that's my check-in. Let's just go down the list as in the attendance. Lots, would you chime in?

Of course. Hi, my name is Lots. I work as a platform engineer for a small FinTech startup, and at the moment I'm basically here to listen and learn and formulate questions that I might have. So I'm the big peeker for everything that's going on. Thank you.

Michael. Which one? Oh, Michael Hausenblas.
I'm looking after continuous security at AWS. Excellent. And you want to talk about the microsite? Just so people who may not be following it... Oh, why don't I add that to the agenda. Good idea. And then next up is Daniel.

Hi, my name is Daniel, I'm in Europe. I'm a security engineer, and hopefully in a week or two I'll help with the security assessment of Falco. I already spoke to Justin Cappos.

Jerry, welcome back. Hello. It's been a few meetings since I've been able to join. Glad to be back. Not a whole lot to report. I've just been working hard on a project for my company. I work as an engineering manager at CyberArk. So yeah, happy to be back and able to help more. Thanks, Jerry. Nadir?

Nadir. Hi. Can you pronounce your name again, please? I think I pronounced it right, so it's fine. Billy. So I'm a field engineer at VMware. Most recently we've been doing some stuff upstream in Kubernetes around security, CIS benchmarks; I've been chatting a lot with Liz recently, so that's why I'm here essentially. Great.

Amy. I'm going to unmute and I'll turn on my camera so you can see my lovely house painting project behind me. I am the program manager at CNCF, and my focus right now is being able to help build out SIGs, and security is part of that. So hello, friends. Thank you, Amy. Amy's been working behind the scenes to help us glue together our processes. All the things. Yeah. Great.

Hey, Smart. Yeah, just working here to meet other smart people and know what's going on in the security world. My day job involves working in San Francisco on security products, and I like to play around with open source security projects. The one I'm currently working and playing around with is by Aqua. So, looking to hear more from other people. Super.

Yes. Can you hear me? Yeah. Okay. All right. I don't have a lot to report. I missed, I guess, two meetings because somehow I fell through the calendar invite.
I wasn't sure if everybody was on vacation or what was happening, but glad to be back. So I'm going to try to catch up as much as I can on this and hopefully update later. Well, you didn't miss a lot. We've been doing a lot of logistics, and hopefully that's reflected in the repo. Thank you. Glad you're back. Sorry for this process. Justin?

Hi. I've been working a lot wrapping things up with a couple of different assessments from both directions, as everybody I think is aware. And I am at escar actually right now, so I'm only going to be in a little part of this meeting; it's an automotive conference. I'm talking with some of the folks that are using the automotive version of TUF. So I will be mostly out, but wanted to at least say hi. Great. I just put an agenda item at the top that includes you, so we'll get to that. Brandon?

Hey. Brandon. I'm at IBM Research, a software engineer working on security. I guess maybe this weekend and next week I'm really going to be preparing for KubeCon China. So if you're going to be there, let me know; I think we can try and figure out something we can put on, like we did at DockerCon. I think that'd be nice. So yeah, if you're at this meeting and you're going to be there, try to put your names in the agenda. I'll also make an issue for that. Brandon, if there isn't one already? Yeah, I'll get on that. And yeah, paste it in so that people who are remote can join in later.

Hello. Hello everyone. I'm one of the maintainers of Falco, and we're working, as you probably already know, on the security assessment. Since I'm at a conference now, Velocity in San Jose, I thought I would come in and say hello, but I'm probably not able to stay the whole time in this chat. Anyway, thanks for checking in.

And then I think Mark Underwood stepped in above, but I missed you in the check-ins, Mark. Yeah, I think that's interesting to read about. Xavier Stevens, if I'm saying that right.
Xavier, yeah. I'm a systems engineer with some security background. Currently working on closed source stuff, so I can contribute general knowledge. Yeah, I know how that goes.

Michael Ducy. Hi, I'm one of the Falco leads. I realized I didn't open an issue on the SIG Security day, but I've talked some more with our internal marketing team, so we should probably get on a call, Sarah, with them and start ironing that out. That would be great. So yeah, open up an issue. If I'm unresponsive, DM me anytime; I'm more responsive to direct at-mentions.

So let's dive in. Anybody who's new, PR yourself as a member; your participation either here or via GitHub counts you as a member. I wanted to do a quick update. We synced up with Liz on the TOC. I let her know that the in-toto assessment is ready; we're just wrangling the documents and dotting our i's and crossing our t's, and she would like to queue up a presentation of the assessment process before queuing up the in-toto presentation that includes our assessment. We've got to check with the schedule, but Justin, I wanted to see if you were up for participating in or giving that presentation, which she said maybe on the 24th, but we can work on the schedule outline offline. Yeah, I guess that would be fine. We are slated right now to give a talk in the CNCF TOC meeting on the ninth, on July 9. Okay, then the 24th works to describe all that; that would be perfect. Then they'll hear an overview of the process before hearing the outcome of the process. I think I can make it work. It doesn't really work, but I can make it work. Thank you. And then have someone else get all the credit. Okay.
Yeah, I think any of us who've been involved can probably give the presentation, but since you're stepping up to be the facilitator, it would be great if you got some of the glory for all this hard work. Fabulous. So then I wanted to make sure that we have time for the roadmap. I sort of sought some advice, and Dan and JJ and I met... Can I say one more thing while we're on the assessment? Please.

So we are about to finish in-toto, and really the OPA assessment is also done; I'm just waiting on them to confirm that what we've written is okay. So both of those processes are basically complete, which means that it's time to start the process anew with other projects. We've had a few projects mentioned, and I want to know from the Falco folks, since they're here: this is a project that we're interested in doing an assessment for, and you seem quite interested in having an assessment done. Do you feel that in something like a few weeks you would be ready with the assessment document? Or do you feel it's going to take a month or more, and therefore we might talk with another community?

Hmm. I'm thinking it's going to be a month or more, just given my gut feeling on where we're at with workload for Leo and Lorenzo right now, and finding them time; and then we have two weeks where we have the Cure53 people, which was something that we kind of already had in flight, for them to do the security audit. But I'll let you chime in, since it's your time; I'm guessing it's going to be a month or more.

If you're having a Cure53 assessment done already, it makes what we're doing less helpful. It's still useful, it's still a good step, it's still interesting information that other people can look at in a much easier and broader way than what they'll get out of Cure53.
But presumably their process will include a lot of this stuff, even if it's not documented in the same way. Like, we had a Cure53 assessment of TUF done, and the report was basically: here are the security issues, and oh yeah, the design. They always have to say they found something, but it was like, well, we found a part of the spec that someone might have implemented wrong, but no one actually did, and yeah, the design looks solid. That was basically what they said. So that doesn't really help people understand when they should use TUF, or how they should use it, or what TUF protects against and so on, which is what we're doing. Yeah, okay.

Yeah, and if you think both are useful exercises, we're happy to do both. Just to give you a little bit of history: we saw that OPA, when they did their presentation around moving into incubation, had a security assessment done. This was back in February, I want to say, on one of the TOC calls. So I had reached out to Chris to inquire about the security audit that they had done through Cure53, and we kind of spun up that process. And now, based upon Cure53's schedule, they're finally able to get us in their queue. So this was something that we've had in flight for several months now at this point.

Yeah, in a perfect world we'd have the assessment done first, because we could also tell them, like, these are the three things we want to make sure you look at. Okay. And they're a great team and maybe they'll see that also, but at least having outside people that know the cloud native space, maybe in a different way, with a slightly different perspective, might also help them to steer their efforts better. Okay. I understand also that if this is going to happen in two weeks and you're on their calendar, then that's where you are. Yeah. Okay.
Well, let us know if you want to delay the security assessment then, and anything we need to do around that. Or the Cure53 audit? No, the assessment. Yeah, we're ready when you're ready, I think, but just let us know when that is, so we get the team together and get the people spun up. Okay. So the self-assessment that you prepare kicks off our process, and right now we would rather not do two in parallel. So if you're going to be ready sooner, then we've got you queued up, earmarked to have the opportunity next. But if it's going to be a while, then we'll put somebody else in the middle. So just let me and Leo confirm with Lorenzo, and we'll have an answer for you. Okay.

And then is anybody on from a candidate project that wants to be next? We've had a few other projects that have been talked about, but does anyone want to speak up for a project? Just for context, I'm going to share my screen so that people can follow along with GitHub. We're tracking this set of assessments here. Can we see that now? No. So here, can you see issue 167? Yeah. So OPA and in-toto are basically done; Falco, Keycloak and Harbor are, I think, the other projects that we had been eyeing. So is anyone from Keycloak or Harbor on? Not directly, but I could put you in touch with those people. Yeah, I think we have an email thread. So I think Keycloak... I'm in touch with Harbor. Justin, are you already in touch with Harbor? I'm not. I will volunteer. We're also trying to spread out who leads what and who does what. I will volunteer to be involved in the Harbor assessment. We want people to do two of these. And then I guess try to wrangle people for Falco, Keycloak, Harbor, elsewhere. So there are going to start to be emails or discussions here about who, and we've already had some people that have been kind enough, like Daniel has been kind enough, to volunteer to participate in the Falco assessment and so on.
So we can start getting those teams together. We have a Keycloak... Oh, so they're the kind of in progress. Okay, yeah. Do we want to add names to this ticket, or where do we want to put those? I think that's up to you, Justin, to determine. Fine. So if people want to just chime in on this issue, then we don't have to spend time chattering about GitHub IDs; it would be great to just say, hi, I volunteer. And Michael, if you wouldn't mind, I don't know your GitHub ID, say that you'll follow up on the Falco scheduling; that would be great. Thanks, Sarah.

We have the responsibilities of individuals that are involved in assessments documented. So what we have, in security assessments, we have the guide... there we go, back here. Sorry. So we have the project lead, which is the person from the project. We have a bad link, but it is in the directory, I think. If somebody in the meeting would fix that or file a bug, that would be great, so I won't forget, or at least put it in the notes. I don't know if you can see the broken link there, but the project lead is the person from the project who self-identifies and says, I will be the security point person for the security assessment. And then the security reviewers: this is what we drafted as their qualifications. And then the process identifies one lead reviewer, which is somebody who has done a security review before. So we're bootstrapping this by having a bunch of us do the first two reviews, and then the idea is that somebody who was on the team that did the first two reviews is then the lead on one of the next reviews, and then we rotate until we have a big team that has this experience. Does that answer your question, Jerry? It's Emily, actually, but yeah. Sorry. I just wanted to make sure that that was already covered.
I know that there's still an outstanding pull request for an update to the security assessment data gathering ticket format that we have, but I wasn't sure where we were at with getting that stuff kicked off. Yeah, so I think that what is not documented is what we were just talking about, which is how people say, I would like to help. Right now we're tracking which assessments are queued up here, but we haven't yet identified exactly how we say who is working on one thing and manage that. So I'm looking to Justin to codify that, but if there are any suggestions... It's just a logistical comment on the pull request; I put two things in there as examples: I volunteered myself for something and explained what role I'd have, and I listed that someone else expressed interest in there. So feel free to do the same. I think we don't have to worry; we're going to end up with somewhere between six to eight little comments under here, so it's not going to be hard for us to aggregate. If we had a thousand people wanting to chime in, we might need a more formal voting process or something, but yeah, just pop into the issue and add a comment. And is this the issue you're talking about, issue 176? Pull request 182? 167? No, sorry, not the pull request, but the issue. Oh, I see. Okay. So this is the issue, issue 167. Okay. So, chiming in here to say who's willing to help. So I volunteered, and I volunteered someone else who reached out to me, and then I'm imagining that others, like Brandon, will go and just comment on there also and say, hey, I want to be on Keycloak, and whatever else. All right, sounds great. Does that answer your question, Emily? Yeah, I'll probably submit another ticket and pull request to update some of the docs then. That'd be great. Thank you.
Beginner eyes, or fresher eyes, are super helpful. And I did it. Sorry, I was just going to say I logged an issue for the broken links. Thanks. It's linked to in the notes. All right. Other comments or questions on security assessments?

So now back to our agenda. The TOC updates, security assessments. Now on to the roadmap, back to some logistical process stuff. I don't think I heard Robert here; Robert had some very nice suggestions on the roadmap, which actually raised the question of how we are wrangling this roadmap. This is still the SAFE working group roadmap that we put together a year ago, when we were just trying to discover the landscape and put clearer definitions on what we mean by cloud native security. From that we now have the personas and use cases in the repo, we have some draft categories with the landscape, we have had intermittent active discussions about different ways to ratify those, and we had a number of presentations. We'll talk a little bit about the microsite, which is going to surface some of the work that this group has done over the last year and a half. So actually these sections are really done. And then I think we have much crisper ideas about what to do that overlaps with sections three and four. Since originally putting together this very high level roadmap, we then also defined this governance process, and I want to go through it at a high level and chat about some ideas that JJ and Dan and I had about how to move forward with the roadmap, following this process that we defined. So, the process that we defined: when JJ and Dan and I started this, we really wanted it to be an opportunity for us all to discover what the common best practices are and discover where there are differences, without being contentious.
So we wanted to not dictate; any one of us could have written a security white paper, but we all acknowledge that there may be differing opinions amongst the group, and we wanted to not get embroiled in some of the things that we'd seen happen in other working groups, which is prolonged discussions about what's correct. So instead we said, whenever anything's different, when there's debate, we will invite people who have problems and challenges or solutions to present to us and tease out what is actually happening. We wanted to allow what's important to come from the group itself. With that in mind, Rachel Myers and JJ worked together on this governance model, where we define this process, where the idea is that anyone in the group can create an issue. The intent, which we have followed, not rigorously, but which we'd like to follow more rigorously in the future, is that in that issue you outline the problem to be solved, what the impact of us as a group solving that issue would be, and what the scope of the work to figure this out is. And then, rather than just working on it, bring it to the group and be like, okay, I'd like to collaborate on this. Then we can talk about it, where we can say, this isn't really a cloud native thing, it's an interesting security thing but not us, right, or we can say, oh, a whole bunch of people are interested in this, let's have it be a group thing.
The key thing that we wanted to make sure that we do is to have a definition of done: how do we know that this thing is done? We sort of discovered this over time, like, okay, we're going to do this landscape thing, but when do we check it in, and who's the arbiter of this group? Having done some of these activities, we realized that the more we can say upfront, I'm volunteering to do a thing, and this is how it comes to a close, even if what I'm doing is the first phase of a thing or a draft of a thing or whatever, the more people can independently go forth with a small group. And then, as we have formalized our group as part of the CNCF, now as co-chairs we're really representatives of the TOC, where we are looking to do the work of technical oversight of the cloud native foundation projects. So we want to have that trickle down. It's a two-way authority: they're delegating things to us and asking us to shepherd this understanding of cloud native security, and also we communicate with our TOC liaisons, and then they decide when things need to be brought up to the wider TOC. What I'm seeing with the Technical Oversight Committee meetings, which I think is really great, is that a lot of people are participating in those meetings, because they're a great forum to learn about different projects and what's going on in the cloud native community. So it's not just this group of people that's the Technical Oversight Committee, but that forum of having a clearing house for what is hot and what is important and what is critical to get done to grow the cloud native ecosystem.
So then we have this process where, okay, a chair or technical lead... right now we don't have any technical leads, but we wanted to bootstrap this process, so all the co-chairs are acting as technical leads right now. One of us will take responsibility, which means that we're double-checking that, once started, this thing is going to finish, or, along with whoever takes this initiative, taking responsibility if it's languishing: we either recruit new people to take it over or decide we're going to just close it for now, make it inactive, so that the group is actually working on things that everybody's working on and there isn't a lot of clutter, which there is right now, but that's why we're trying to follow the process more. So then there's a proposal, and then we either accept it or close it. We could refine this a little more, like maybe things can float as proposals for a while, maybe we queue them up. The idea is really that we have these proposals, and then we as a group decide how to queue things up in the roadmap. There are a lot of things that are work in progress right now that aren't necessarily visible to the whole group; we've been talking a lot about security assessments, but that's not the only thing going on. There are a lot of things that have less structure to them. So we thought we could follow this structure and catalog what's happening, and then as a group we can say, okay, there are other proposals; maybe there's something that was started last year that's languishing that is less important than some new proposal, or what have you, and create more visibility and organize it in a roadmap. And then I've talked a little bit about active projects, right; we're trying to formalize how we track these things and make it visible.
And then generally we keep working on things until there's consensus. Like I talked about, we wrote down a process for a vote, but generally we've been able to resolve objections and so forth without doing that kind of formal vote, because, particularly in the domain of security, I think it's high value to explain. If there's a dissenting voice that feels like things should be different, I think it's upon us to explain why that's not a security flaw in everything we're doing, that somebody is dissenting; but generally coming to agreement on how to explain a difference has historically resolved differences. We have the vote here just in case something comes up and we can't come to agreement. So that's the process. Let me just pause a minute to see if there are questions about this process, or comments.

So, Sarah, are these proposals basically proposals for security solutions, or are these actually identifying some security issues that we need to address as part of the milestones on the roadmap? These are basically anything that is the work of the group, right. So every issue... basically, the proposal that JJ came up with, that I really liked, is that an item on the roadmap should be a proposal, or a request for a proposal: if we don't have a proposal now and we're like, we've talked about doing this, we really want to do it, but we don't have a proposal, then it would be, at this point in the roadmap we would like a proposal to do this, whatever it is. And there might be some things that are proposals that don't make it onto the roadmap because we don't have bandwidth for them.
And then, as we get further through the roadmap, that gives space for these proposals, because as a group we want to make sure that we either have a structure, like the security assessments, where we're like, okay, we don't need the whole group to meet and review every security assessment; we have a process where we make sure that there's a subgroup reviewing each one and everybody has an opportunity to review. Some things can go under that kind of structure, but other things that are less repeatable, maybe we feel like we need to have working group meetings, and so there's a certain throughput that we have the opportunity for, unless we can create a structure around it. Does that make sense?

So this probably leads me to believe that we are also adjusting the scope of this whole SIG as we consider the different proposals, right? The scope is not hard-bounded at this very moment. Is that true? So yes, the scope is really defined in our charter, right, which we can amend if it's not quite correct, but we went through a bunch of wordsmithing on this, and it is very broad. The charter is basically like, we want to make things safe in cloud-native land, to be very precise, right. So we could all work full time on this and never be done. So yeah, the scope is really broad, but we want to sequence things so we're completing stuff.

So let me give you an example that I came across; I posted it, I think, to the community a couple of weeks ago, or maybe a week ago, about the edge, which is on many people's minds but has not been quite an established platform at this moment, if I may say so. And I know in the LF, meaning the Linux Foundation, there is a project called LF Edge.
I was trying to bring that to our attention, but when I talked to some of their reps at a conference recently, they indicated that they have not actually addressed the security issue of the edge. And since they are kind of a sister organization, I guess, within the CNCF, or within the LF, the Linux Foundation, I wonder if more people here would consider bringing the security issue of the edge into this scope at some time in the future, in the roadmap or something, or is this totally inappropriate? I was trying to get some feeling from the community here to see if this is something we should be considering or should not be considering.

So I think that would be a really interesting topic to talk about. There are a couple of different ways to approach that kind of question, and I'm going to treat it as a category, because we're focusing on process this week. We have some activities, like we want to make a general white paper on cloud native security, and we've said that we define that as inclusive of privacy and policy and a number of concerns which all affect security, right, but are sort of separate domains. In the process of that white paper we hope to more clearly describe what we mean by cloud native security, and that will help with those bounds. So it could fall into there, where we're like, let's have a paragraph on the edge and what it means, and we can discuss whether it's included or excluded. So some questions like that could be addressed within something we're already planning on doing. The other thing is we can just have a proposal for a discussion, or a proposal for a presentation, where one of these edge vendors, or somebody who has a deployment, a cloud deployment that includes edge concerns, gives a presentation on what they're doing.
And then we as a community learn more about what we as an industry mean by edge, because on that particular issue, I have heard it defined as cloud, and this is the first time I've actually heard it defined as not cloud. So I think it deserves its own sort of exploration. But we as a community need to allocate some time periodically to, like, what are the bounds of what we mean by cloud native, which we spent a lot of time on to come up with this charter, but I think that the cloud is still evolving. Does that answer your question enough for now? Yeah, I think I get the sentiment here. I think that's a valid comment there, because I don't think the world knows exactly where the cloud ends and where the edge begins. So it's kind of one of those things, but I wonder, would it be appropriate for us to connect with this edge community within the Linux Foundation and ask them if they would be interested in providing some presentation to our sessions or anything like that? How do you feel about it? Well, I think that that's where what I want to do with this roadmap exercise is get more visibility into what's our backlog. And I know we have a couple of, like, you know, somebody who attended QCon volunteered to present their deployment as a use case. That's the only one springing to mind, but I want to make sure that we would be able to say, we're going to have a gap in our meeting agenda in August or something, whereas right now, right this second, we don't have that forecast, because we're in the middle of it, we haven't formalized our roadmap and taken a look at it. So I think for the particular outreach, let's wait a few weeks until we have our 2019 mapped out, and then we can be like, where are the gaps, and then we can discuss, like, does it feel like we should have a breakout group for that? Or do we want to queue it up for when there's a hole in the presentation schedule? Does that make sense?
Yes, sounds good. Okay, great, and thanks for bringing that up to us. So, basically, the idea is that we refactor this roadmap so that we start with a PR or Google Doc that is a list of proposals, where we dig through our open issues that Brandon has so nicely curated and labeled, and we figure out which ones are actually in progress from people who've been around for a while, and we make sure that they're in this proposal format. And then we're like, this is what our roadmap would be if we didn't intervene, because this is what people are already working on, and then have a discussion, so that we are starting from creating visibility into what people are working on. And then there might be some things that people want to put more effort into if they actually knew they were happening, and then other things which, you know, seem urgent. And then we can also talk about, like, do we want to make sure we have a presentation once a month, or, you know, do we want to have more breakout meetings if there's more that people have enthusiasm for doing that doesn't fit in a weekly meeting cadence. I mean, we already have a breakout group for policy that we're working on having better cross-timing and communication about. And then with that, I was thinking that maybe we refactor this so that at the bottom there's a list of accomplishments, so that we have a little history of, like, oh, look at what we've already done, so that new folks can see that we've done some things. And then as we go through the roadmap in the future, we'll be able to take things and move them from the roadmap into the accomplishments, and we'll have kind of a running thing. What do people think? Do you think that would work? Do you have better ideas or suggestions?
It sounds like you're wanting to turn the roadmap into a project schedule that we can track epics and initiatives on, the work that the group is working on, and then show completion against those items, right? Yeah, pretty much, and also just make the roadmap more concrete, right, but it's okay if the roadmap has things that aren't yet written up as issues, right. But that it would evolve into something that creates transparency, that isn't just a static roadmap that becomes obsolete until we have a meeting about it. Got it. Is there a vetting process for items that become issues, and do we need to evaluate getting them onto the roadmap? Um, I think what I'm proposing is that this moment in time, this next few weeks of time, is when we actually create a process for vetting things. We have a process defined, right, but we haven't really exercised it. We've done it informally, we'll talk about things and be like, oh yeah, let's do that. Um, and then those things have issues, but we did not go out sort of strictly following, you know, where I had it up before, the governance process, and as reflected in, like, if you look at the issues, they don't all have the things that are described here, which has caused, like, some of them are just old, from before this existed, right, and some of them we just didn't do. And then we've run into, like, okay, so how are we wrapping this thing up, right, awkwardness. And so, basically, it would be like, let's reverse engineer and make sure that everything in process is actually following our documented process. And then sort of see where we're at, and also we'll loop in Liz and Joe, who are the TOC liaisons, so that if the TOC wants to say, okay, this is what you're doing, wait a second, what about this thing, right, so that everybody, the group and the TOC, can all give feedback and see what we're planning.
And then we can also, if there's a lot of enthusiasm, like I said, for things that don't fit in our roadmap, then we can talk about rejiggering our structure to make that work. Does that make sense? I'm game for that. Awesome. Other folks? So then I propose the next step is that me or somebody opens an issue for refactoring, just refactoring the roadmap to have what's done. I don't know who's been around for a while and can help with that, you know, but we have an issue to say that we're going to do that. And then the triage team, which anybody is welcome to join that channel and help. The next step is to actually document this triage role. So I think I put this as the next item, yeah. So we have a little logistical challenge, where what we want to do, what we just talked about doing, which we think is really important, is that we would have people who tag issues and basically clean up the GitHub issues and look at things that are coming in and make comments and kind of help with the influx of issues and PRs, and review things and tag things and curate them in advance of meetings, and kind of raise things to be talked about. So Brandon volunteered to do that generally, and Justin's focusing on things that are related to the security assessment, and Howard is focusing on things related to policy. So we have that in theory. And the idea is that they would, by their role, we thought we could actually have a GitHub permission that allowed that level of authority, right, without full access to the repo. Turns out that's not really a thing. So what we have is, me and JJ and Dan, who just ought to be on this list, are admins of the repo. And then Justin, Brandon, and Howard have full write access, which is more than their roles, right, allow for, but then I propose that we just, let's trust them. And if somebody in this triage role ends up doing something,
if they're a bad actor, we'll just remove them. Those of you who know GitHub also realize that anybody with push access can actually make themselves an admin and do things. But we have enough people who have, you know, copies of this thing that I think, I tend to like to run open source with, sort of, if somebody's been active, you extend trust, and then you can always revoke it. So that seems to, I said that many, many weeks ago and nobody's objected, so I'm going with that. So, but I would like to actually, we're having this, I don't know why Howard can't actually do labels, so we're in a little bit of debugging this thing, and so I want to write down what this triage role is. Until we actually write it down and practice it a little while and make sure that GitHub has all the things hooked up, not to broaden it, but then what we could do is, you know, create more compartments where other people sort of shepherd other parts of what we're doing. And then I went ahead, when we were very involved in sort of setting up the security assessment process, and I created this template. So in GitHub, you can create a template for an issue type. What's nice about this is it automatically assigns the label. So if we have a type of issue that we know that people make, and I think I wrote up an issue that we should have a proposal one, right, so proposals are supposed to have XYZ, we make a little template, people remember to fill in those things, and it automatically gets labeled proposal. So then we sort of streamline this thing. And then, unfortunately, because we have only one of these, when you go and you create a new issue here, it's sort of an unanticipated UI thing, so right now if you create a new issue, it's sort of like, oh, all I can do is a security assessment. I didn't quite realize it was going to show up this way.
But the idea is, in the future we would have a security assessment type of issue, we'd have a proposal type of issue, which hopefully we can link to the process MD, and we could have a presentation one, like if you want to propose a presentation. And those can be streamlined in terms of creating tags. So that's just kind of where we are. It would be great if anybody feels like submitting templates and helping us to, you know, just set up the workflow in GitHub, so that's kind of slowing us down a little bit, and I just ask everybody's patience; hopefully we can sort that out within the next week. And not everybody lives and breathes GitHub, so I wanted to go through that, especially because we're sort of partially implemented in the GitHub workflow here. Any questions about that? No question is dumb here. If you have a question, probably somebody else is wondering about it, so please ask questions if you just have GitHub questions about how we're using this tool. So, um, Michael, can I tap you to talk about the microsite? You have volunteered to spearhead this, and it will use our new triage approach idea. Right. So I'm trying to summarize it, because we don't really have a lot of time, but the biggest ask, I guess, is to the CNCF around the infrastructure bit, at least that is what I plan to look after in the first place. There are obviously a lot of, you know, content related issues, and I encourage everyone who wants to contribute to that to jump on the, let me look it up, what is it called, the security-web channel. So we have a dedicated channel there, and if you want to, you know, help out or whatever, please jump on that channel. And I guess the infrastructure bit is straightforward once we have decided where we want to do it, right, like the actual place, like Netlify, for example. There are other things like picking the right Hugo template and whatnot.
But I guess for now, if I understood you correctly, we want to focus on the content and get something minimal up and running soon, or maybe up until next week, and then build it out from there. Did I capture that correctly, our most recent discussion? So we've got a whole bunch of questions open to the CNCF about, like, where does this go, and do you have any guidelines, and what's the URL, and all those things, and different people are answering those or finding the right people, and help desk and whatever. So that's going to take a week or two. And in parallel, the idea is we would start this repo with the presentations that we've had, which will be on YouTube and will have transcripts. And so in this thread there's some ideas about, like, well, what if we have the YAML metadata on the transcripts and, you know, pointed to the video this way. And then Michael and I are both familiar with this static site generator tool called Hugo, so we can kind of play around with putting in the metadata so we have some indexes. And then we have a volunteer, whose email I have to track down, who comes more from the marketing, curating words side of the house, who I hope will help us with basically taking content from here. I figure we have a lot of content here and in our charter. We have a lot of words that we need to make into, like, we could just dig some of this out. My dream is that day to day we can just edit markdown in the repo and those edits show up on the website as appropriate. And that does work, yeah, you can exactly do that. So I think the only thing we really need to decide, and I don't know if we want to do that now or probably in that dedicated channel there, is where do we do it, like in a branch on that repo or a new repo?
And where do we run it, like, for example, Netlify, and if we don't have a beautiful URL right now, it has some Netlify temporary URL, that's also fine; at least it's something that we can look at and say, yeah, that's how it's supposed to be, and then we could take it from there. At least that would be my suggestion, that we have something that people can look at and say, yep, that's nice, or something's missing. So the idea is that this subgroup that Michael has volunteered to lead would kind of work on its own and get to some proposal and bring it back to the working group for feedback, and then anybody can chime in asynchronously for feedback in the meantime. But in the end that group would come up with some sort of plan with checkpoints, right, so we want to have Liz and Joe approve something, but not every PR, right. So the group, and the group might just be Michael and me, but everybody's welcome, come on in, the water's fun. And then the other kind of triage related thing, Michael, is that the issue that has all the checkboxes, Michael would turn into sub-issues with the label, and then volunteer to curate, because there's going to be lots of little issues once we get into making a website, right, and those we should just label all the same, so that they're sort of separate from other things like security assessment things, which are a very different character of issue. So that we'll have, basically, sub-teams working on labels of these bigger projects or ongoing things. Like, having a web presence and a microsite will, like the security assessments, periodically have some work associated with it, but unlike the security assessments, which regularly have big bursts of work, we anticipate the microsite will have a big burst of work and then not much work until somebody gets enthusiastic about creating a new section.
And in case people are wondering why we are using labels there, very simply, because GitHub doesn't allow us to, you know, divide a certain issue into certain tasks, so you can't, like in Jira or whatever, have an umbrella issue that has all these tasks. So that's why we're using labels there. That's the reason. Alright, so we have a last few minutes. Let me see what else there is. We didn't get to the container security book. Do you want to just mention that, and people can chime in? It was on Slack a while ago. Yeah, I started the whole thing, and if you want to take a look at it, it's essentially community driven and, you know, feel free; a couple of folks have commented on that. I just put it here on Slack and linked from it, and if you would add a link to the notes, people can chime in on that. Just have a look at it and maybe raise issues on GitHub, that would be appreciated, and we can talk about it next week. And I also wanted to call out for volunteers, like, in my dreams I would have a lead who would curate this new roadmap that is a set of proposals and bring it back to the group. So if there is somebody who is willing or excited to do that. You know, there's a lot of curation and listing, ideally somebody who's been around for a little while, but it's sort of digging through the proposals, and I'm happy to work with that person. If you're new to the work, just DM me. It would be great to have a little more bandwidth to put together that set of things and also just have another perspective. But the idea is that's not a decider group; it's just curating things, and then anybody who has an issue. Another thing, if anybody has GitHub foo: I am trying to figure out how to assign, I don't know the GitHub rules-wise, I can assign issues to some people and not others.
It doesn't seem to be restricted to people with write access to the repo, and so I'm mystified how you get on that list. So, you can only assign people who are members of the CNCF organization. Oh, so there's people who are org members and repo members. Yeah. So there might be some way to add somebody as a repo member, like maybe if I add them with read access. So I'm going to play around a little bit more, because I'd like to be able to assign issues to people without giving them full write access, so that we can be a little more like, yes, go forth, new person, and do a thing, without, like, oh yes, and you can accidentally obliterate our whole repo. Like, you know, maybe it's a collaborator; in the settings of the repo, you can add people as collaborators and give them that level of access. Okay, cool. So, okay, it's 11 o'clock. Thank you all for your patience with this bookkeeping meeting. I really appreciate the feedback, and we'll see if we can queue up more of a meeting next time. We're going to take offline a bunch of different ideas that have been proposed for things. So we'll try to get that set up before next week so people know in advance what we're doing at this meeting. So I appreciate everybody's patience and participation in curating the repo, and hang in there, and anybody who can scrub in in the next week, huge help. Thanks, everybody. Thank you.