Hello. Hey, Mark. How are you doing? Oh, good. I'm trying to figure out how to two-time the meetings now. It would be ugly. Yeah, I think this is going to be a short meeting today. I don't think we have anything on the agenda.

Everyone, I'm going to post the meeting notes. So go ahead and fill in attendance. I think that this meeting today should be a pretty short one. We don't have much on the agenda. So I think what we're going to do is just do check-ins. I see a couple of new people here, so we can do some introductions and then we just go around on a couple of things. Magno, do you want to put down a quick announcement of the blog? Is that out yet?

Sorry, I don't know. It should be. I was away, so it should be released at 8 p.m. PT and 11 a.m. EDT, I think. Oh, it's 8 p.m.? I thought it was 8 a.m. for some reason. Oh, it's out. It's out. Yeah. Sorry, sorry. Yeah, it's 8 a.m. Let me see. Thanks, Matt, for helping with this work.

So yeah, I'm going to start off by just going around. Before that, just the usual: this is a recorded meeting. This is a CNCF meeting, so the usual CNCF guidelines apply. All right, so just going around. Let's see. No updates. Marlo, you have a question about SMI?

Sorry, I was finding my mute button. Yeah, so summarily, I've been going to the SMI community meetings, which also coincide with these ones. They're every other week. SMI is Service Mesh Interface. The reason they're interesting is that everyone is running their own service meshes, and Istio seems to be riveted in various places. If you're trying to run a particular version of Istio, you often can't, because it's riveted to various products. So I'm pushing for SMI in Kubeflow, but when I went and looked at the SMI adapter, it was version 1.3.1, which is not current Istio. Kubeflow is currently updating to 1.9.
And the SMI community is updating their adapter to 1.9, which makes it easier to do that sort of port and potentially run whatever service mesh you want to run. And there's still the authentication piece that Istio has. So SMI has a new issue open. I don't really know where in the community to ask; I've put it in chat. They're trying to figure out what the interest is in separating out the security of Istio, or of a service mesh, versus the functionality. So if anyone would like to go and add things to the ticket or express interest, that would be helpful, especially since I would like to see those two pieces separated.

Just a quick clarification: is this SMI working group a CNCF working group?

It is a CNCF working group. SMI-IO. It was initially being pushed by Linkerd; their interest fell off, and so the majority of the people currently working there are Open Service Mesh.

Okay. So you're specifically looking for authentication contributions, right?

Either contributions, or to help them go forward with this particular GitHub issue and what they're supposed to do there. Part of it is they don't really know how, because they're not security people, so they don't know what that looks like.

Yeah, I see a couple of mentions of SPIFFE. I think quite a few people within our community are involved with that.

Yeah, and they currently do not work with SPIFFE/SPIRE or the SMI. So if we want that there, there needs to be a little bit of work.

Okay. I think we usually have a couple of folks on the call that are involved with SPIFFE/SPIRE. I think what I can do is maybe tag a couple of them on the issue, and then they can follow up there as well.

And Brandon, I'm interested in working on that, so I'll add stuff to GitHub as well.

Awesome. And if you know anyone working on other service meshes who is interested in contributing, that would also be useful, because I don't want it to become an echo chamber.

Awesome. Thanks, Manu.
Let's see. Martin, talk about issue 256.

Yes, but first a little context. I have been looking into the security assessment working group and the issues that the working group has created. One of them was about getting more reviewers for security assessments. When I read it, I remembered one old issue that seems to have been closed during a period of a couple of months when I was not able to attend the meetings. I just wanted to bring the discussion to the table and hear the opinion of the different people here.

The issue is about the idea of having a more low-level role in the assessments. My idea was to be able to advertise the security assessments towards more junior developers and people who are new to security. I'm not sure if there are any in the group; that was one of my assumptions, because I don't know how experienced the people who join the meetings are. But my idea was to somehow make it more accessible to people with maybe no or a little security experience, and I see it as a way to get more people involved in the security assessments.

I called this role something like a trainee, or I don't know if you should call it an intern or something, but the idea is to have someone from the other reviewers who is willing to answer your questions if you have more questions, because when you don't know much about security, you will need to ask somebody who is more knowledgeable. I expect that this role will be an optional role, and if somebody wants to volunteer in that role, you should find a sponsor, a mentor who is willing to help you in the assessment. If there's somebody who is taking that responsibility, then you can become a trainee or something.
And after you have successfully finished a couple of those, or one or two, you can join as a full reviewer.

Yeah, I think that's... I see you've already also posted inside issue 47, which is about getting new reviewers. I think we talked a little bit about this a while back, like you said. What we did last time was we said, okay, here's a review channel; you can stick your head in, you can listen to the meetings even if you're not participating, but at least see how it goes. It sounds like what you are proposing is something a bit more directed, a cross-section of mentorship and maybe some resources as well.

Yeah. I don't expect to... yeah, it will be useful to get somebody to point you to the right resources.

Right. So, as I said, I bring this up because I know it was discussed a while back, but again, I didn't have the opportunity to join for a while. Is this something that you think you'd be able to propose, like a proposal saying maybe we have a mentor role and then an observer role?

Well, yeah, but the issue is closed, and I just want to hear others' opinions before proposing that. That was my idea, because I looked back into the discussion at the meeting when it was closed, and I think one of the SIG chairs had mentioned that it's probably better to promote joining as a regular reviewer instead of joining as an observer or trainee, or however we are going to call it. But my point is, because we don't know how experienced the developers are here on this channel, on each of the reviews there could be...
There could be developers who are experienced and know what they're doing, but you can also end up in the situation where you have a couple of trainees, let's say, or a couple of people who are not actually knowledgeable enough. And this would be a way to start a little more... to be more confident in what you're doing. Become more confident.

Any comments, suggestions?

I'll chime in, because I was on this ticket. I think initially the observer role and kind of internship was all wrapped up in the notion of doing an assessment, versus what we currently have as a review, where we're essentially passively ingesting materials and then engaging in a conversation about the design. I don't think the skill bar is as high, versus when you're engaging in an assessment. You're naturally, just human nature, putting yourself in a more defensive position as the project, so you want folks who can go toe to toe with the developers on particular issues, whether they're friendly suggestions or actual criticisms. The skill requirements are higher. So I don't know if there's really a place for it in the new process for reviewing, because that to me seems like a more passive role.

Yeah, probably I have to read a little bit more about the new process first, but I'll read more about the new process and see if there is a place for something like this or not.

I guess just to punctuate that: the bar for reviewers should allow pretty much anyone who has an interest to productively participate without any real training or mentorship, I guess is my point.

So to also add to that...
I think a while ago we were talking about this issue where we had a bunch of different things that required people, and then we had a bunch of new people that came in, and there wasn't a good way to match people; a lot of people commented, like, what should we do? We were also considering a new member process where they'll fill out a form to say, okay, are they experienced in security, what are they looking to do, and hopefully we can have a list of people from there, and then we can say, okay, yeah, you should check out being, in this case, an observer in a review.

Yep, I understand your point, and as I said, I will read again on your process and familiarize myself with it. We'll see, and I'll comment if I have something. Thank you.

All right. So moving along. Next we have... I'm going to pronounce this wrong. It's not in newness.

Thanks. Yeah, no worries. So yeah, actually I'm a new contributor. I just checked out one of the messages on LinkedIn. I'm a bit involved with the Kubernetes community, making pull requests, participating in release strategies and stuff. I hopped on to the security group, and I'm finding my way through the good first issues. I guess that was just the topic being discussed by Martin; maybe I can be a test subject for this experiment. So yeah, really looking forward to participating and attending meetings and contributing my way. Thanks.

Awesome. Welcome. Let's see. Okay, Michael, do you want to take the mic to talk about the blog post?

Sure. Yeah, no problem. So I added the blog post to the chat there. I just released it today, a few hours ago.
This is the blog post announcing the Cloud Native Security Day for KubeCon EU 2021, which is going to happen on May 4 this year. We announced that we're going to have a CTF, and also that we're going to have a live stream during the CTF where we're going to invite some guest interviewers. For example, some names that are already confirmed are Liz Rice, Brad Geesaman, Tabitha Sable, Rory McCune and David McKay. Those are people who are knowledgeable about Kubernetes, cloud native and security, and we're going to invite them to talk about the challenges during the CTF and how they would go about solving them, and ask about any tools or anything that they would use to solve those challenges, without giving too much away. So we already have that booked during the event on the Twitch stream, on the Cloud Native Foundation stream on Twitch, and we have two separate time slots where we're going to do that. And at the end, I just mentioned the prize that we got, from that second one, about the security team and everything; Brandon has a picture there holding the prize. Do you have the trophy there, Brandon?

Yeah, one second. Yeah, sure, I would like to see it. But yeah, so that's what we have for now. And I think Andy has some updates for the CTF as well.

Oh, nice. Looks pretty. It's my fingerprints. Yeah, it's really heavy. I think this thing's like two pounds or something. So yeah, we're working on the challenge, and I'll let Andy talk about that.

Awesome. So yeah, since we're talking about this, maybe we'll come back to you, Robert, later for the Custodian review. Andy, do you want to talk about the CTF? That's a cool thing.

Thanks, Magno. Yeah, congratulations on the security prize as well; it's a testament to all the effort that a lot of people put in, so good work. We're well underway with preparation.
We have a little bit of marketing blurb to give you a taster: "Delve deeper into the dark and mysterious world of Kubernetes security. Exploit a supply chain attack, of course, and start your journey deep inside the target infrastructure. Exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way." So we have a theme where we're modeling it on what's happened, of course, in the major kind of internet-melting security problems we've seen in the last four or so months. But we're still in the weeds of defining these scenarios. So if anybody has something that they think would be a great learning outcome for attendees, or that they think is a particularly difficult thing to do... Because really the scope here is all the way from beginners; I guess the second part of the marketing blurb is "everybody is welcome, from beginner to hardened veteran." Really we want a learning path taking people from relatively easy stuff at the beginning that's maybe self-evident, through to something at the end that is pièce de résistance kind of territory. So we welcome any contribution if anybody has something in particular that they think would be useful. And please do join the day as well if you want to play on the fourth of May. Thank you.

Awesome. Thanks, Andy. All right. And Robert, to talk about the Custodian review.

Yeah, I see Kapil is on, so he can jump in as well. Custodian is now re-engaged and finishing what was started under the assessment framework. The question is, they've done a ton of work putting together their document under that initial framework; now that we're under the new framework, what kind of a reset do we need to do? And then we would need a couple more reviewers, because all the folks who were available may or may not be available, so we need some additional reviewers to sign on.
So Brandon, what is your suggestion on next steps for them?

So, how many reviewers do you have signed up right now?

Well, right now, as far as I know, it's just me, because they just re-engaged last week, or a couple weeks ago. Liz on the Custodian side started reviewing the Google Doc from 2020, so in the last couple weeks they've finished reviewing that Google Doc, but all of the commitments we had on the ticket go back to July of last year, so I'm presuming nobody is currently actively signed on as a reviewer. But if anybody on this call who was signed on wants to chime in and say yes, they're still on, or comment on the ticket, either way.

Can you paste the link to the ticket again in the chat, so that folks on this call can take a look at it? But yeah, I think this may also be a good opportunity for those that are new and want to check it out. Usually we have maybe three to four reviewers. But depending on the amount of interest that we get, maybe we can test out some of these new learning systems that we want to take a look at as well.

This should be a good one for those who are interested to start, because Kapil and team have done a really thorough job on their self-assessment Google Doc. So it's got a lot of detail in there. It's been thoroughly reviewed by other folks initially; I think Justin was on a couple of calls with Kapil and myself early on, so it's a fairly mature document at this point.

I'm going to also mark the issue as "needs help" so that we can... One thing that I think you could do is send it to the SIG Security mailing list. We got quite a lot of response from that when we did it for the whitepaper and the security map, so that could be a place to try and reach out.

Okay, will do. Yeah. And so, just so I understand the new process...
Really the next step is we just need to translate their self-assessment doc into the markdown document that you guys have defined. Is that correct?

I think there shouldn't be that much. I think it's just a small renaming of sections, and then there are one or two sections which are in addition to that, but other than that I don't think there's too much that should be changed.

Okay. Yep.

If you find there's too much work, I think it's because this is kind of the transition process; this was defined before. You can use the old template as well. But if you can use the new one, that would be better; if it's too much effort, then don't worry about it.

Okay, I think that's probably just a function of how many volunteers we get, and if we break it up into small enough parts, hopefully it won't be too much. Again, I think all the source material that we need is there for sure. They've done a good job on the Custodian side, giving us lots of good data. So now it's just massaging it into this new format.

Okay. Awesome. Thanks, Robert. And next we have Frederick.

I just wanted to make a minor mention of the CNCF TOC mailing list. I put a link in the documents. In short, one of the things that we could help give guidance on for projects is how to help with vulnerability metrics, because what's happening is that many of the metrics they're using are not really usable, like saying "here are all vulnerabilities of Kubernetes since the start of time" versus "here's how many we've discovered in a given period of time, here's how many we fixed in a given period of time."
And the general state of health would be useful, but even that still misses the mark. So it would be good to get a few people who are experienced in how to set up this messaging, so that we could make sure that the information that is relevant and useful for developers gets pushed out, but also in a way that doesn't make it look to the community that things are much more dire than they actually are. I put a link to the mailing list thread, specifically to the message from Liz Rice that called it out, but there's a whole thread there that's been going on for a while that it would be good to get some people to weigh in on. Other than that, I just wanted to raise that.

Awesome. Yeah, that's an interesting topic of discussion. I think we had super also come a couple weeks back to talk about the new system.

Yeah, I mean, I think this is a general thing about vulnerability management across the board, right? I hold my hands up here; I work for Snyk, and that vulnerability data is coming from us. I've seen that thread. I don't really want to wade into it, because it's full of controversy, but also some of that stuff is presentational, to do with how the Linux Foundation is consuming the data coming back from Snyk. So yeah.

The information I think is good; we need to have more of this type of information out. But I think there are multiple audiences, and so if we were to have some guidance that we can present to projects, like, here's how you tell your developers what the stats are, like we're seeing more vulnerabilities come in...
Best case scenario, you can link them to actual commits, though I don't know how feasible that is. But at the same time, here's how your message to your community has to cover actual impact, and here's a mitigation to the impact, to get that transparency.

Well, yeah, I mean, if you're consuming Snyk through the Snyk UI, you get a whole bunch more remediation stuff in there, right, and you get a lot more detail on the prioritization stuff. I'll say I haven't looked too much at how the Linux Foundation stuff is presenting it, other than following that thread. I know there are also discussions going on between the Linux Foundation and us about how they could better present that data.

Yeah, and it's just guidance, I think, is the primary thing. There's no perfect answer, so anything that can help them towards not only better messaging but also more meaningful data, because it's clear there's some very rich data there. And if it's locked away behind poorly designed... and I'm not suggesting that the guys who designed the actual metrics... the presentation of the metrics is just poorly designed, and a poorly designed presentation of the metrics can sometimes be worse than none.

Yeah, yeah. Snyk's position is that we would agree with that. I mean, we're not in the... it's consuming us downstream.
So, exactly. So yeah, if you have any resources or anything like that, you can point towards this to say, hey, here are some recommendations on ways you can get more meaningful input, because at the end of the day metrics are about changing behaviors, and they can change them positively and negatively. What I worry about is that the current setup may have more negative impact than positive impact and is not actionable. If you can get down to the point where they're actionable, or tell the story in a clearer way, like if we're seeing over time more vulnerabilities that the code scanner itself is catching in the actual commits, then this tells a story, and there are multiple interpretations of it, but it's more detailed than, you know, we're flying blind, versus the current set of metrics, where it's hard to tell how useful they are. So anyway, I just wanted to make sure that this is something that we can get some people on, if it's something you're all interested in. It's an area where I think we can, with a little bit of effort, provide some decent guidance that helps move the needle towards a better place.

Oh, sorry, just quick logistics. Are you there?

I'm here, Brandon.

Yeah, I messaged you on the side. I actually have to drop. Can you take over for the presentation?

Sure, one second.

Sorry, I have to drop, urgent. Okay, no discussion. Sorry about this.

No, thank you. Thank you, Brandon. So we can continue, folks. Any other comments on the vulnerabilities and metrics? Hello, can you guys hear me? I think the lack of an answer is the answer. Thank you. Okay. Do we have any actions on this vulnerability conversation that we need to take up as a team?

I mean, if you want to have a conversation, I'm happy to jump in. I think vulnerability management and assessment is not a dark art, but it's certainly...
It's a difficult job, because it requires so much knowledge of what those security things are. And yeah, I'm happy to jump in and provide a perspective, if that's the conversation.

So should we set up an offline conversation, like a small working group, to talk about vulnerability management then? Is that the action? I'll make a note of that.

Okay, I'm happy to take part in that discussion from a Snyk perspective.

Sure, I'll include you. I don't know who was described earlier, who was taking notes?

Me.

Okay, we can add that to the notes; that'd be great.

I'd be happy to provide information from a consumer's perspective as well.

This is Frederick Kautz. I can help as well.

Hang on, wait a second, I need to catch up here.

No problem. I'm adding the names here, so you can get those from there. We've got Magno, Andrew, volunteering there. Frederick as well. Great. We went from no one to a good eight, nine individuals.

Yeah, that's a pretty good sized small working group, and there could be some good deliverable that comes out of that that we can publish as well. Matt, I also just put a note in the chat, if you can add it in as well.

Yeah, I'm getting there. I'm just catching up. Right, I think I've captured everyone.

Wonderful. And do we need to create an issue for this?

I think it'll be good to have an issue so we can track progress.

I'll create an issue. So do we have any other topics for today to discuss? Does anyone have any additional comments or items?

This is fine. I did have a question. So I was trying to finish going through the Cloud Native Security whitepaper document. I noticed, I mean, it's trivial I think, but I just bring it up to see what other individuals' thoughts are. As I was going through the document, I noticed there's a slight flow break in the topics. As an example, I noticed how we have static code analysis and DAST somewhere further down on the list.
I think it was part of the distribution, or even just general recall, but it was after building an image. I was just wondering, should we have it more tailored towards what a normal pipeline would be, so when you're reading this you understand at what junction they should introduce static code analysis and DAST versus, you know, you now have an image, the static test, all the different stages, just to make it a little bit better aligned?

Yeah, that makes sense. But as you're aware, we are doing a retrospective right now, and we are gathering feedback on what we can improve in the paper. So if you would like to send that feedback to the person who's collecting it... Pushkar Joglekar is his name; I can put his name here. So if you provide the feedback, then I think in the next version we can take that up and update the paper, because there's more work to be done, obviously. That was done on a very short timeline, and we just published the paper because we wanted to announce it at KubeCon and have something out there. But of course there's a lot to cloud native security; you can write books on it, right? There's a lot of scope for improvement there. So there is a blog post as well, and there's a survey being sent out by Pushkar, who will be gathering all the feedback, and then we can consolidate all the feedback and release the next version when we have all the updates.

Thank you.

No worries at all. Any other topics that we want to bring up today? Sorry, I kind of had to jump in, so I'm not very prepared with the agenda items. But I thought we had a very small agenda today, and the conversation was great. So thank you all for attending today, if you don't have any other items to address. We'll talk to you next week. Have a great day.