Welcome, everyone. Do we know who the meeting facilitator for this week is? It's me. Okay, great. I'm just going to give people a few more minutes to come on. It's a very small group so far. Hey, Jenny. Hey. How are you? Good. How are you? Good. So if you haven't already put yourself in the agenda to indicate that you've attended, please do that now. I just put the link to the meeting minutes in the chat. I also still need two people to volunteer as scribes, so if you're interested and willing to do that, please add yourself to the doc as well. I'll scribe, but I'm going to have to drop off early, so we definitely need another. So a second scribe is critical. Can anyone else who's here volunteer to be the second scribe, especially for the latter part of the meeting? Thank you, Ash. All right, so we should probably get started. I think everybody is busy adding themselves to the attendance, but if you haven't yet, please do. Are we still going around to do stand-up so everyone has a chance to say what's going on with them? My understanding is that the policy hasn't officially changed yet, but there's a desire to do so. Yeah, I saw some conversations about that, but we're still going to do it today. Yeah, we'll still do it today. Like Justin said, there's a conversation; I think we need to decide on that soon. All right, well, Justin, you're at the top of the attendance list. Do you want to give your update? Sure. I presented TUF for graduation at the TOC meeting yesterday. There were actually surprisingly many questions about in-toto related to that. I'm also going to be giving a talk at a Kubernetes meetup in New York City about SIG Security later this month. I don't yet really know what I'll say other than the sorts of things that were said during the intro and deep-dive SIG Security sessions at the last big CNCF event. So if anyone has suggestions, feel free to reach out to me and I can try to work them into my talk. Sounds good. Brandon, you're next.
Hi, yeah, so last week I was just going through a bunch of issues and PRs. I identified two of them which seem like they're probably ready. If we have some time today we can discuss them a little bit and maybe we can start merging them in. Also, I opened a proposal to update the initial landing page. I want to get some feedback on what we think is important information. Right now the meeting times and meeting links are all buried behind the member list, so they're hard to get to. So if we have time as well, I'd like to get some feedback on that. Okay, if you want to just add those items to the end of the agenda, it'll be easier to track that we want to be sure to talk about those. All right. Thank you. Bruce. Hi there. Yeah, my name is Bruce McAfee; I work at Trend Micro. I am a dev manager, so I run a couple of teams that do container security, one for static Docker image scanning and one for container runtime protection. Trend Micro is just interested in getting involved with CNCF a little more, so we'd just like to know what initiatives are out there and contribute if we can. All right, thank you. I'm the next person, and I don't have anything significant to update. It's been a little bit since I've been able to attend, and I'm in the process of changing my role so that I'll have more time to attend regularly. So it's a little bit slow going, but hopefully soon that'll start to flip for me. Mark, you're up next. Hi, everybody. Nothing too much new here. I'm going to promote my talk; I'll put this into the chat. I'm going to be in Washington, unless my company talks me out of going, to talk about DevSecOps and in particular the use of ontologies to support that. I only mention it in this context because I steal some good ideas from other people in this meeting. So that's it for me. Thank you. Martin, do you have an update?
Hello. Well, I don't have any updates, but I want to bring up two topics; I have issues about them. The first one is that I didn't understand something: in the beginning you mentioned that you will do something in a different way, but it's not yet decided. Does that mean... is that for the check-ins? Yeah, so there's been some discussion about whether we should still go around to everybody who's attending and do stand-up the way that we're doing right now. Okay, yeah, that's one of the topics. And the other one is that I've shown interest before in the assessments, in participating in an assessment. I saw that in one PR, which is already merged, I am one of the volunteers for the Falco assessment. If there is any information, I don't know, deadlines or when we are going to start and so on, it would be interesting for me. Is that not available in the issue itself? I don't see any... I see to-dos, but I don't see any deadlines or any information on when we are going to start. If I were you, I might just add a comment to that effect to the issue to see if the people who are following have any information about that. I just wanted to use this opportunity in case there is somebody here who knows in person. Sure, I'll take a look at it and follow up with any additional information that I can get from there. This is JJ. Thank you. Right, and I think in general we're basically ready to start, but I think we're also still trying to get the full cadre of people from RN to do the assessment on our side. So I can prod and try to make that happen a little faster, but those on the call that are interested should also jump in. Did we get... go ahead... our feedback from the TOC about this yet?
I think my understanding is that Sarah's reaching out to Liz and others, but when we were given an initial list of projects to look at, Falco was on it. So I think it would be very strange for them to say "here's the list of five projects we want you to look at," and then for us to come and say "okay, well, we're starting on the third project from that list," and then for them to say "whoa, what's going on here?" So I feel like we're very safe in going ahead and progressing. All right, yeah, sounds good. All right, JJ, you're next. Yeah, so I don't have much of an update. SIG Security Day: I think we've got a decent number of submissions and we are going through the review of the talks, so it should get announced soon. The CFP closed as of Monday, I think, so there are no more submissions left. As far as this topic is concerned, I just wanted to bring it to the team's attention that there has been some confusion in terms of how we pick up projects for review, and we are seeking clarification from Joe and Liz on that, to basically have clear guidelines on how we pick projects. Mainly, for projects that are already in CNCF it's pretty clear; for the ones that are coming into CNCF, should it go to the TOC first before it comes to us, or are we okay just picking it up without the TOC asking us to? It's a question that we want to get clarification on for the rest of the team. And there is work with Howard on trying to get the policy working group's artifacts into our repo, so I'll work with them offline to basically merge all of those docs in, so it'll be useful for the rest of the team to be able to discover those docs in our repo.
There's an existing PR that I'm working on that I think Sarah commented on. I'll be working on that, and I'd be happy if people jump in and comment on it as well if they have any comments. So that's about it from me. Okay, thank you. Ash, you're next. So I'm working with Justin, Robert and Sarah on the review comments for the OPA assessment, and we plan to get it in this Friday. So yeah, we've been working on those comments. That's it. Okay, thank you. TK. I don't have anything new. Thanks. Okay, Amy, the next one on the list is... sorry, coming off of mute. Hi. Yep. Yep, just tapping in to be able to, you know, watch over stuff here. I'm the program manager at CNCF, so that's why I don't say very much. I've been like, "hi, hello, friends." That's okay, I'll take it. Good fun, thank you. Robert. Hi, yes, I'm participating in the OPA comments and helping close that out as best I can, and I opened the issue for starting the Falco assessment, recognizing that we're still waiting on guidance from the TOC and whatnot, but at least we have something to track status. Okay, that's the end of the attendance list in the document, so if I didn't call your name, please add yourself to the doc; I linked to it in the chat. Does anybody else have an update that they would like to give? I had a quick question about the Falco assessment. Go ahead. So should we just add ourselves as reviewers, or is there a set number of reviewers already for each project? I don't think there's a set number. If Justin's on the call, or Brandon, I think you had an opinion on kind of a target number. Yeah, we'd like there to be four-ish reviewers. So if we had a situation where there are three who really know a project well and have done assessments before, we'd probably go ahead, and if we have people that want to learn and cut their teeth, then having five or maybe even six is sort of okay. But at least right now we're looking at something on the order of four.
Okay, all right. Do you count the leader of the assessment in this number? Yes. Okay, thank you. Because currently I don't have a lot of experience with Falco specifically, but I am in the assessment. Is that a problem? Or I could spend time to get in and get to know the project, and that's why I'm asking about the start of the assessment. But if that's a problem, I don't know. I'll speak from my perspective, since the only experience I had with Falco prior to reviewing the code was just, you know, Sysdig, and in general just some kind of webinar exposure to it. So I'm happy to have anyone who has the security background and is willing to spend a little bit of time coming up to speed on the project, either by my methodology, code review, or by operationally installing it and playing around with it, just to get a bit of that. That said, I'm attending a Sysdig training event Thursday in San Francisco. I'm happy to give a dump, and I can contribute it here or contribute it somewhere offline for those who want to review that material, so that might also be a useful resource. That will be awesome. Yeah, let's hold off on any further Falco questions, because we do have an agenda item for it later, so if there's more that needs to be discussed, we can talk about it when we get to that. The next item on the agenda is to do a check-in with any partner SIGs or working groups that are here today. So is anybody here from Kubernetes SIG Auth who would like to give an update? Or the policy working group, the security audit working group, or the NIST big data working group? That's a new one, from NIST. Okay, can you give a quick update on policy? Sure. I think I did early on in the call, I don't know. I think there is a PR that's pending. I'm sorry, I just went.
Yeah, so there's a PR that's pending that I'm reviewing, and then I'm going to work with Howard to merge all the artifacts that they have in Google Docs into our repo so that they're discoverable by people. They've done some really good work in terms of producing a policy white paper. There is also compliance tooling that they are trying to work on, which I think would benefit a lot from some of us getting involved in it. So that's the current state, and I'll keep you posted; watch out for issues on GitHub. There is a call today at four, I believe four Pacific. All right, anything else from SIGs or other working groups? Sounds like no. So the next thing is something that came up in the last meeting, I think, about the subject matter expert page. Issue 115 discusses it, and it looks like we may need a volunteer to take the lead on it. I don't know if anybody else has more context for what in particular the discussion needs to be about today, but if anybody does... I wasn't at the last meeting, so I don't know what in particular needs to be followed up on, just that it looks like it needs a volunteer. So I'm going to take that as nobody's quite sure what's needed there. Maybe it's something that Sarah is doing. JJ, I don't know if you know; you also created the issue. I am on the phone, so I wasn't commenting much, but if you can paste the issue, then I'll comment on it after the call. Okay, I just pasted it in the chat. Yeah, thanks, Jerry. Thank you. All right, the next item that's on the agenda is to follow up on some PRs. So the first one is number 246, which is the use cases for the platform implementer persona. Yeah, so there were two PRs that I found which seemed mostly completed; I think we just want an additional set of eyes. So the first one is for the... actually, maybe I'll share my screen and then we can just accept it. Okay. All right, do you see the issue? Yep.
Okay, so this one was for the cloud platform implementer persona. I think this is owned by Christian Kemper. I don't think he's on the call today, though. It looks good; I reviewed it, and it was good. JJ, also because you're the owner of the file, if you have any comments on it, or if people on this call want to review it... I'm thinking that maybe we can look at trying to merge this soon, because it's been open for a while and I don't think there are any additional unresolved comments on this. So I'm just going to paste the link in the chat so that people can add their review if they want. Yeah, so this basically came from a discussion within Google and also within a few other organizations. This platform implementer is really in charge of setting up all the cloud native platforms, and then each individual cluster has its own operators. So Christian did add one of these, and also, based on his feedback from speaking to a few internal folks at Google, I think it is pretty much similar to the rest of the document, with a focus on really creating the high-level policies for every individual cluster. Okay, so do we have the process documented for how things get approved and merged? Yeah, I believe the process is the LGTM, and then one of the owners of the file also reviews it. So I think the owner of this file is JJ. Yeah, I can take a look at it after this call, but the general thing is, if there are enough reviews and we have addressed the comments on it, I would just wait for a day, and this is good work, so I would just push it and merge it. And when you're okay, let me know if you expect comments from any specific person; then we can try to tag them and see if we could get comments, but otherwise I would just go ahead and merge it. Okay, yeah, I'll let you take a look through it, and then maybe just put a comment that if they can look at it, then we can merge it.
Okay, so if you want to add any other comments on this, it's a good idea to look at it in the next day, it sounds like, before it gets merged. Yeah, I'll budget until the end of the week so we don't have to rush. Okay, and the same for the other issue, 236. Yeah, this one is pretty much... this one has a few unresolved comments, though. But I think the author... I've tried to ping him once or twice, but he doesn't seem to be responding to that. Is the author on the call? I think it's Aaron. Let's see, on the attendee list I don't think he's here. So yeah, I think the general consensus the last time we discussed this is that a lot of the changes are good and I think we should keep it. So maybe the thing we should do now is we can probably merge this, and then I'll create a new PR from this. With some of the changes? Yeah, with some of the changes, and then pull out the discussion from that, because if Aaron isn't in to modify the branch, I don't think we can actually make changes to it. Do you want to create a separate PR that's based off of this with the changes that you were suggesting for people to review, since it looks like it's been kind of a while and Aaron hasn't come back to editing? I'll do that. I'll create a new PR and then we'll just take the description from that. JJ, is there a way to close the existing PR? I don't know if that's something on me. I think I can do that; I have the triage role, so I can do stuff with PRs. Yeah, that sounds good. I think it probably makes sense given the length of time. I don't know if anybody disagrees; please speak up. But given the amount of time that it's been and that Aaron hasn't come back in to edit it, we just copy it into another branch and make the edits that we want. Sounds good, and if you're unable to do that you can just escalate to the chairs to go and close it. I'm sure we can close it.
And then maybe it makes sense to just touch base again on this one at the next meeting, so that if people want to provide feedback on the PR that you open, there's an opportunity for them to get that link at the meeting and add their comments, rather than getting this merged in the next couple of days. Does that make sense? Yeah, sounds good. Okay, thank you very much. So I think that takes care of the follow-up that we need to do for PRs at this meeting, unless anybody else is aware of something that's worth discussing. All right, so the next item is feedback on the SIG's README. Yeah, that's me again. Okay. Yeah, so I was thinking about just reorganizing the README page, if you have any feedback. The main things I was thinking about are to move the meeting times up and provide the link to the meeting documents with the meeting time, and also to add a new section for new members, because we have the new addition of the new members page, so I think we can also add that in. Sorry, I was just going to say I wonder if it would help to have an index, even. Yeah, that's a good idea; let me write that down. So I created an issue; let me put it in the doc, so if there's any feedback on this we can add it to the issue. It's issue 271. Okay. Yeah, that's all that I have for that. Brandon, this is Dan.
Yeah, I created most of that README, and I wonder, now that we're on a regular cadence and we have kind of a core meeting doc, how useful it is to maintain that list of meeting dates. As we were establishing ourselves and trying to align folks to our cadence, I thought that was really important, and it was one of the ways that I would signal that we're having a meeting, or we're not having a meeting, you know, let's go to the line there. But now that we're a fully realized CNCF SIG, we meet every week at this time and these are the meeting notes, so that section where we maintain the history of our meetings may not have the same meaning now. Yeah, I always support your monthly PRs to add the funny meetings. There's also a way in Markdown where you can make a collapsible section, so if you felt like there was any value in having the links to individual meetings, you could make it collapsible, so at least it's not taking up so much of the README. Nice. Yeah, but at this point I actually question whether it's useful to anybody, or useful to anybody that is going back and trying to get a sense of whether we met or not on a particular date. Like, I struggle to see a utility for that list of dates. Yeah, awesome. This is Amy; I'll step in for a moment here. It's sometimes helpful to be able to find things from much further back; say, three years from now we might actually want some of this information. I can't come up with a reason exactly right now, but I also can't see a reason to get rid of it if we already have it. Which is why it's stuck around. I definitely agree on the utility of our archived minutes; that's something I'll lay down on and defend. So the utility that that link provides today is that it links back to, on this day, here are the minutes associated with that.
I think the question is how available does this need to be when you're trying to find the current meeting minutes, correct? Right, definitely. Okay, then I'm going to track my comments about, like, we should... we'll figure it out, right? And I think we can take care of most of that with what Brandon is proposing, of like, here's the meeting time and date and minutes, and moving that up. Yeah, that makes sense, okay. I agree with this; we don't need to paste a link for every single meeting. It doesn't make sense; it just requires work. So there's the issue that's linked in the meeting minutes if you want to add more comments on that. If you have other ideas about a good way to organize it, please feel free to add your thoughts on that issue, and at some point we'll turn that into a PR. The last item that we have on the agenda is about the Falco security assessment. There's some conversation that started about that a little bit ago, if we want to pick it up. I'm not sure what specifically we want to cover about that, but I'll leave that to the people who would like to talk about it. I don't have a particular... I didn't put the agenda item on, but I'm happy to just brief. There hasn't been much change from last week, other than, as I noted, we created an issue to track status, and Kristen, or Chris Nova, replied that she is in contact with the team to try to assess when they would be ready and propose a date to start, but we don't have that date as of yet. Anybody else have anything that they want to talk about? Questions, thoughts?
Yeah, I just wanted to, since I caught the tail end of the check-ins discussion around prioritization and guidance from the TOC: at present the guidance from our TOC representatives is, you know, keep on going, document your process, and no objections. So they're not blocking us, but we haven't yet fully ratified the coordinated expression of how we manage and triage that. But, steady state, everyone's happy with that, and the only sort of overarching guidance that we have there is a preference for CNCF projects. So, Dan, this did come up in discussions with the Falco team and may be relevant to other project teams as we go forward. It was kind of the ask of whether the assessment was required by CNCF or the TOC, and I guess the answer is currently no. Do you have any visibility as to whether that will change, or is that the intent? Right, so I think we may be conflating two different types of security assessments and how the TOC is going to manage that, right. At a certain level there's a full compliance security review that projects have to go through. The assessment is not a replacement for that, though, as we've set it up, we do think that it is an on-ramp to that which could be useful. It's definitely not established as a gate to that assessment. We have presented it as an accelerator, as a help, and we bring our subject matter expertise to help ensure that we are supporting a secure cloud native ecosystem. Great, thanks for the clarification. I think we've kind of reached the end of the agenda, unless anybody else has an item that they wanted to talk about today. Is there anything else that we should cover today? Well, I've brought this up before, and I hope that I am not annoying or something, but I saw that I'm in as a security reviewer of Falco.
I'm listed as a security reviewer in one of the PRs which was merged, and in this PR the idea of an observer or intern role was removed. It's hard to say, but we discussed that it's a useful thing to have, and I wanted to ask, maybe broadly again: do you guys think this is a good idea, to have such a role? And if so, can we discuss this a little more, or can we at least speak about it? Or maybe you think that we don't have a good security assessment workflow yet, so maybe it's hard to have good documentation about this right now. So I think we have an issue open discussing that, right? Which one was that? Yeah, there is 256, but I just wanted to ask because there are two or three people whose reactions I saw. I wanted to ask maybe Dan or somebody from the chairs, somebody else besides the people who comment on the issue. Let me understand the question a little bit: is it to create an extra role? Sorry, I didn't catch the question. The question is that there is no explanation: do we have something like an intern role? Do we expect the people in the security assessments to be security engineers with a lot of experience, or is there the idea that there will be somebody who is basically an intern in the security assessment? Yeah, so I assume that you're talking about something that's similar to the guide that we have for security assessment, right? Well, basically it's a simple document, or a simple section in one of the documents, explaining what is expected from an intern in the security assessment; this would be great. Because I don't know: do we have such a role, and if so, what are the expectations? So role clarification itself we are working through, to create a little bit more clarity, create a few more roles, considering the amount of work that's coming our way.
It'll be useful to partition work. So the short answer to that is it's a work in progress, so we'd be happy to hear your inputs and feedback in terms of how to structure that, and we'd be happy to collaborate on that. But if there isn't already an issue, I'll open an issue to say what we are thinking about in terms of roles between Dan, Sarah and myself. There is already an open issue. I just want... okay, if there is a discussion which is maybe outside of the issue or somewhere else, I will be glad to participate. Yeah, okay, let me pull you in. So we haven't had an outside discussion yet, but it is an ongoing discussion on that issue itself. But let's collaborate on that to create a little bit more clarity on that role; I'd be happy to take the help on that. Thank you. So there is an assessments directory in the repository, and in the README in that directory there's a process that talks about each security assessment having a project lead and security reviewers and other members of the SIG participating. And "security reviewers" links to another document that defines that role and the required qualifications, so that may be a useful resource too. Which isn't to say that that's a static document; I think if there are things that merit revising in it, that's something that the group would be open to. Yeah, and the issues are the right way to work through that.
Martin, this is Dan. There's something that you may be encountering here, where the assessment team is still getting up to speed and sort of hitting the rhythm, and hasn't gotten to the optimal state. And the delta between an observer and an intern, for me as an engineering manager, is vast. An observer is an individual that is going to watch; they're going to learn and they're going to be autonomous. An intern is someone who is basically apprenticing to learn an effort, and if you have an intern, or someone who is coming and joining and learning the system, then the core working team has to make a commitment to ensure that individual is doing effective work, and they have to kind of double their efforts doing the assessment, working through that, and making sure that the new individual is getting up to speed. So conflating those two concepts may be slowing down this discussion. It would be useful to understand, maybe, and to clarify what we expect more: do we expect observers or interns? So yeah, that's a big question, and we can comment on that on the issue. Great. I think there's going to be more willingness right now to embrace observers, someone who's going to participate, but starting with that observer state could be a great way to then get invited to participate and have someone take on a mentorship capacity to ensure that the new participant is able to be effective in learning. I agree. Are there any other things that we should talk about related to this recent topic, or do we have any other topics that we want to talk about before we get off the call? I want to talk about... go ahead. I just have a very basic question on this. I've been looking at this and hearing all these comments and analysis and all those things. The question that I have in my mind is: at the end of the security assessment, on completion rather, what would they do with that? What is the actual benefit out of that thing, and what's the motivation for them to go through this? I didn't mean to silence everybody, but I'm just basically asking. Let's say I'm an ABC company and I'm working on some security product, and I do have a serious interest in being compliant with cloud native applications and so forth. I go through this, and is there a certificate that is going to be issued that is going to be recognizable in the industry community in some way? Or is it some sort of parametric measure, for example, that okay, well, if you pass this one then you go to the next stage, and then you go to the next stage, and so forth? I mean, it's not clear to me exactly against what we are assessing this. So I'm just noticing that Justin isn't on the call anymore. TK, I feel like he probably is the person who is best suited to respond to this question, so it might be worth waiting until next week to raise it when he's on the call, because he's officially the facilitator for these security assessments. Okay. It might be that there's not much of an answer right now, because he's not here and neither is Justin Cormack, who's listed as one of the security reviewers, so we just may not have the expertise on this call to answer. Well, yeah, I'll just touch on it at the high level. We're serving the CNCF in that sort of official capacity; we're an expertise body and not an issuing body or an entity that can back and validate things at a certain level. So the CNCF does have some programs through which it is able to provide attestation about the state of its projects, and anything at the level of certification, producing a document or having an outcome in that capacity, would have to be through the CNCF. And what is that CNCF mechanism? So if I want to get a certificate for my project, what is that mechanism? Oh, god, the gold/silver status of the projects? Right. Yeah, I mean, you can become a member of the CNCF with your project, so this is project-based and not corporate-based. And I don't know that, beyond the Kubernetes certification, right, the Kubernetes certification project that the CNCF has developed, there are any other certification and attestation products. Yeah, so, go ahead. Oh, I'm sorry, I just... that was a good question, but on the follow-up, what I was thinking is: so that means there was no actual agreement through our TOC, for example, with the CNCF that our security assessment will be somehow linked with those certification processes that CNCF follows at this point. I mean, we are doing these things on our own and the CNCF has not quite either blessed us or... No, no, it's just that that's an all sort of business step that you're reaching for. I don't think it is something that this SIG will ever be doing, and that would be a program of the CNCF. Okay. But I would just say that I think it's important to make that clear, because as folks go through the process, or choose not to go through the process... I mean, OPA just went through the process. I'm not sure if they were aware that there was no expectation that the assessment was a requirement of the CNCF or was going to be required at some point. And then similarly Falco, like I said, has asked similar questions. So I certainly don't want to mislead anyone if they're asking whether it's going to be required, or what the benefit to them of doing it is. I don't... I'm not hearing that there is a particular benefit to doing it. Oh, and I'm not asserting that at all. What I'm saying is that we're not going to be providing a security attestation from a working group. But we do give a report to the TOC, correct? Because that's what... There's a report, there's guidance, there's an advisory. But an attestation, an official seal and an approval, that's something that a working group is not authorized even to provide; that's going to be tied to programs that the CNCF provides. But then wouldn't you agree that at least we, being an authorized working group on security under CNCF, should be aiming, or at some point, I don't know when, should be aiming to become some sort of accreditation-type body which either endorses certain guidelines or provides some sort of certification as such on behalf of CNCF, so that there is motivation in the industry to participate in this type of assessment process or to be evaluated through our process? The first part, yes, the first part, like ratifying the criteria, yes. Becoming an entity that does that work, that's work that... I fundamentally believe that individuals participating in that should get compensated for that work, and that we should not have that be a product of an expert forum like this. You're absolutely right, actually. The last part, the comment that you just made, that was actually on my mind; I was wondering about, even on this security assessment, 80 hours, 40 hours, whatever, for the lead or the assessors and such, how is that being motivated and who would be providing those? I'd like to speak to that, because as someone who's volunteered without any expectation of compensation, knowing that it would require, having paid for security reviews in the past
having been compensated for security reviews in the past knowing the amount of work soberly involved I felt that it was an important contribution to the open source community so my expectation was far more motivated around putting forth a process that was part of the cncf uh community as securing the infrastructure and the and the projects that cncf puts their name behind that the community puts their faith in based on that open source model so open source not just being code but open source being processed being being uh confidence being due diligence etc whereas today yes I can I can take my commercial product and I can go hire a firm to do code reviews and security designer use or to write code or to review code etc but I can also choose open source and I can choose to a community that vets that open source so I my my expectation was that the assessment work we are doing if not a you know a seal of approval or a you know a tangible certificate was at least going to mature into a cncf process that would give the community reasonable expectation that just the project had been reviewed by the community to consume that information on their own as educated users whether that was sufficient and they desired some other total view by commerciality or if that was now the project now that's that's a good point but I think the demarcation line over there is the on the open source you may not necessarily have a serious commitment to take some responsibility of endorsing something on behalf of certain uh thing I could be wrong but I think there is you know without being compensated the volunteer probably may not be in that position to make that kind of commitment I mean I mean kudos to you and and many others you know I have volunteered also myself and many things but but I kind of stand to feel that it is difficult to enforce is a time commitment or an effort commitment with a specific hard date to get something done on on those type of things but it's a very good noble 
effort there is no question but I'm not taking any credits away from the folks that are want to do it and also participate I'm just wondering what we should be doing in here I think what I'm hearing from Dan is that we don't have a we are not making commitment but we're encouraging I guess to we're supporting open source so like these are open that we can provide an open source assurance we are providing support and guidance on the required journey and we're you know working now with this the TOC to you know to spine and structure better those expectations you know and the the full CNCF products have certain security requirements those who have gone through that process have seen that and especially the the triangulations of individuals that are in our community who happen to also be security experts you know they understand that the the you know commercial security assessment and the ecosystem participation and involvement that is intrinsic and open source you know don't necessarily overlap and you know I see the effort that we're putting in place you know serving that gap that is open source and supporting a secure by default community and helping ensure that those individuals you know have actually vetted understand what the challenges are and understand you know they're connecting into an ecosystem and are not like most commercial efforts you know a isolated island but wouldn't it be easier though to as an open source community as you said to establish or create among us a set of clear guidelines for the people to be compliant and then living up to them how they assess themselves against that so that's really in my thinking I feel that's what we're working towards you know since this is you know an evolving ecosystem I don't know that is well-defined and as we've collaborated with other more institutional bodies you know I've that that personal assessment has only been reinforced and you know that goes back to my defense work in the early 2000s. 
So Tika I would compare this to say the CII initiative so they they publish a set of guidelines for their badging program bronze silver gold and it's completely voluntary for the projects to fill things out and and submit you know whether they're in compliance or not and whereas I see the assessment process here is taking that one step further to have an independent body review information submitted by the project and then actually check is that information accurate as a crack was a complete just just as a a checksum to that on a couple of the projects that had submitted CII submissions I just did a naive cross check to what they had submitted and for the most part everything was fine but I found some omissions things that were submitted that weren't actually present by by accident or by omission and and some things that were in fact incorrect so I think self-assessment is is and having a guideline like the CII has is a useful prerequisite but I think having an active assessment adds value above and beyond that and whether that's compensated or volunteer or or not I think it for it to have any benefit and I'm speaking in the benefit the kind of the practical benefit Dan of you know a project has limited cycles there may be a commercial entity behind it there may be project manager behind it they've got to make a time between do we allocate resources to this thing or not and if they don't have a concrete connection to the CNCF to do this thing it might be a theoretical value in the security sense but is it a practical value if they then also have to go through some other process that's all I that's data points I'm getting from actual conversation um I'll just I'll just submit that to the to the group and you know I think it's an important discussion to carry forward true and I think we're reaching to the end obviously just quickly though and whenever you do something as an independent body you it's not a casual thing so I think there is a responsibility of liability 
as well I mean you take some certain kind of responsibility to stand behind that statement of assessment and and like it's not clear to me uh how we are doing it that's all I agree and I think that that is you know in part uh you know also driving efforts like the subject matter expert uh initiative where we're you know establishing some of that authority right it sounds like we could maybe continue this at the next meeting sounds like there's a lot of stuff to talk about here um but we are past time now so thank you everybody for joining today I don't know if you had you said you had a closing comment you wanted to say oh I just wanted to thank you Jeremy great to see you and uh great job thanks everybody see you next time dance comment yeah thanks bye