So I'll give a brief on what happened in the TOC call yesterday. We just gave a status update to the TOC call, highlighting the members that we have and the affiliations they have, the activities that we are doing in terms of assessments, and then the governance structure that we've created and so on. So that's what happened yesterday, but it's too big a task for me to fill Dan's shoes. So I'm just going to yield to Cormack. Hey, Justin, welcome. Do you want to take over and run the meeting? Justin isn't lined up until next week. Okay. Okay, so I'll have to run this this time. All right, so let's do check-in. Justin, you seem to be first on my list anyway, but I seem to be picking up new [inaudible]. Okay. Who is that? Is that Justin Cappos and Santiago, or Justin Cormack? Who do you want to go first? Justin Cormack seems to be first on my list.

I don't have much to report. I've been on holiday, but I'm looking forward to working on the piece we're going to do with Santiago on supply chain security, which we're going to start this week, and which I'm looking forward to. But apart from that, I don't have much to report. Perfect.

The next on my list is Garotir. I don't know how you... Garotir. Garotir. Garotir. Oh, yeah, the R is part of my second name. So yeah, Garot, product, Snyk. This last week I've actually mainly been on holiday, which has been very nice, but it meant I did not do anything related to security of any stripe. Seems like a fun holiday, but obviously it was missing out on security. Yeah, it was nice to miss out on security for a week. Back to things now.

Joshua Lock. Yeah, I don't really have anything to share. I've just turned up this week because I'm interested in supply chain security and such. Perfect. More? Goldbug? Yeah, hi everyone. Nothing to share or report. I'm actually... I think it's the first or second time I'm joining you guys.
Yeah, but happy to learn and see how I can contribute, mostly around areas of identity and access, which is where I come from. Nice, nice, nice. Thanks, Densha.

So we've got confirmation this week that we have our sessions at KubeCon. So in addition to Security Day, we'll have the traditional sort of intro and deep dive sessions that we've been doing. And those are productive, you know, and many of you joined us following those sessions. So keep on plugging away at those. And I think we're going to try to take a slightly different tack this time around and actually present different things in the intro and the deep dive. So we'll work on that as it comes up to the event.

Hi. Kris, welcome. I think that's me. Yeah, yeah. Okay. Mostly just continuing our work on Falco and getting it ready for our goal of proposing it to get moved to incubation around October, once we hit our one-year mark. We've brought three different outside repositories into the GitHub org. And we're going to start putting together some demos of a couple of new tools, how to use Falco in Kubernetes, and what the end-to-end user story is going to look like. So if folks are interested in a demo, either here or just to check it out online, we're happy to help. The one action item I had from last week was to follow up regarding some questions about us here in the SIG. The person who has more information on that couldn't join the call today, I think. So we're going to push that one off until next week, and hopefully we'll have more information for folks then. Perfect. Yeah. Seems like that's something that we should consider for a demo in this group at some point. I would at least open an issue for that and see if we could slot it in at some point. Okay. If you create an issue, feel free to tag me, @kris-nova. And yeah, we can put some stuff together. Awesome.

Next up, Roger. Roger K. Oh, if you're speaking, you're on mute.
Yeah, just now talking, not just moving my lips. Yeah. We at SUSE are heads down in a release now. We're doing our gold master candidate this week. Talk about language that persists: "gold master" is about as relevant as dialing the phone these days, I think. But I think a big change in this release for us has been incorporating Cilium and moving to, you know, strong Kubernetes network security and security policies. And so I've been spending a lot of time playing evangelist in-house for that, and starting to do... I think that we'll probably focus on Kubernetes network security. Nice. Thank you.

Martin. Hello. For me, I don't have much to update. I'll continue my work on Clair. I already shared with you guys what the project is about: it's static analysis of containers for security vulnerabilities in them. But yeah, that's it for me. And also I'm interested in... I shared this in an issue, about the observer slash internal role in the security assessment. So I would be interested to discuss this topic. Oh, perfect. Yeah. Justin Cappos and Justin Cormack are your go-to people for that.

Jenkin, Jenkin. Joe. Do you want to go next? Yeah. Hi, that's me. It's my first time at this meeting. So I work at... Welcome. I work at ByteDance, and we're a heavy... I'm a Kubernetes user, adopting all of the other CNCF components such as [inaudible]. So I work on production and Kubernetes management. So I thought it'd be interesting and helpful for me to join the meeting to understand the roadmap for the community security features for those kinds of platforms. Perfect. Awesome. Yeah, if you've not counted yourself as a contributor, there is a GitHub README page for members. So if you want to go add yourself, then you can start contributing. Great. Thank you. Thank you. Hayden. Hey there.
I haven't been doing anything specifically related to the working group, but I work for TTS in the federal government, and I've been interested in hearing about the [inaudible] stuff. What's TTS? So TTS is the Technology Transformation Services. We run a lot of government-wide programs: search.gov and login.gov and cloud.gov, et cetera. And then we do a lot of work sort of modernizing technology with other agencies that we work with here. Yeah. Hi, Hayden. Hi. So reach out to me if you're interested in hearing more.

Mark, Mark Manning. Yeah. Good to have you here. Mark, do you want to go next? Mark M. Yeah. Can you hear me now? Yep. Yep. Sorry. So my name is Mark. I'm from NCC Group, and I'm still trying to determine where to kind of fit in and contribute. Some of my coworkers... doing security-related audits is usually our background. So we've been listening to your direction to go into some of the threat modeling projects that I think you're currently working on. We're going to see if we can contribute there. We're also doing some public fuzzing projects that we'd like some partnership on in the next couple of weeks. Anyway, if you're interested in that type of thing, please reach out. Yes, as a contributor, I'd suggest doing that. And while doing that, we haven't followed that before, but that's a thing in terms of which area you're interested in. If you could note that, it'll be helpful for the rest of the team to tag you.

So, Christian Lassina. Hi there. Can you hear me? Okay. There we go. Well, I'm just filling in for my colleague here, Ray, who usually attends this meeting. Actually, I did attend a couple of meetings ago, and the supply chain stuff actually caught my ear and raised a few ears on my company's team. So I wanted to see if there were any updates on that.
And otherwise I just wanted to keep Ray abreast of any updates in the SIG. Yep. Perfect. Yeah. Yeah. Thanks for joining. Thank you.

Jonathan Meadows. Hi, this is Jonathan Meadows. I put together a couple of my thoughts on the software supply chain and the SDLC work. It's really important to us, and I sent it through and had a quick chat with Santiago. So I'm really interested in this piece of the working group this week. Perfect. Thank you. Yeah.

Santiago and Cappos. Hello. So I'm Santiago, speaking through Justin's computer. Keep going. I'm trying to take the camera. Yeah. So I'm mostly interested in having this meeting move forward with the software supply chain security project that we've been talking about. And yeah, I'm really excited to hear what everybody thinks. And I'm hoping we leave the meeting with a specific path forward. Probably we can merge the proposal and start getting things going. Okay. Great.

And I guess my updates this week. So I had a chat with Sarah over the weekend, thank you, Sarah, for doing that, about some of the OPA assessment. We've had some back and forth on that. I found some folks that are actually real-world supply chain folks that deal with manufacturing and such, who are actually quite interested in using in-toto. So we'll see how that works in their process. So I guess one of the lessons from that is that if we build something good from a security standpoint, the real world and real people may actually want to apply it to whatever things they're doing in that case too. We finally just got the in-toto logo, I think, finally approved by Chris A. So we're going to have a new logo up soon. And securesystemslib is an official Debian package in unstable. And we should have in-toto and TUF in there, if not at the end of this week, then before the next meeting. Perfect. Thank you.
Brandon. Hi. Yeah. So I've mostly been on vacation as well last week. So not too much of an update on my side. Thanks. Thank you.

Ricardo. Yeah. Ricardo, and I work for Rakuten. This is the first time I've attended this meeting. Welcome. There's a couple of items on the agenda that Brandon actually put up, and I'm in contact with them. So I just want to hear about that. And yeah, hopefully I can learn something, and, you know, I'm glad to hear how I can contribute myself too. Thank you.

Mark. Mark. Everybody. I'll keep it short. So nothing new to report. I usually represent things going on with this today. I think there's a public document released on cyber resilience. It does occur to me we might be kind of slacking in our group in dealing with resilience issues. So maybe that's just a tip of the hat to that one. And a reminder, I also work at a fintech, so we're interested in supply chain related stuff. And, Justin, the people in the MRP world where I came from decades ago... I've been working with the software bill of materials, and that as a time-phased configuration management tool that they use for that. So when you figure that out, sell it to Boeing. That's it for me. Perfect. Thank you.

Christian. Christian. Hey, I'm Christian. I work for Google's cloud security team. Nothing big or new to report. We have an ongoing discussion internally about a machine-readable metadata format that captures some of the software supply chain stuff, mostly to figure out, if you find a security problem, whether you can trace that to affected end products, right? So I've asked them to bring that into shape so that maybe we can bring that to this group at some point. So I'm figuring out how to do that. Fantastic. Yeah. Thank you.

Sarah. Hello. I've been traveling. Can you hear me? Yep. Yep. Yep. I've been catching up on some GitHub PRs.
So I meant to reach out to the triage group and I didn't. I added that as an action item for this meeting. If anybody's up for doing a final review of the meeting facilitator role, we came up with some preconditions. So particularly people who have helped as scribes or played some kind of leadership role in the group, or newcomers, to review that. And it's already been approved in principle, but I added some kind of catch-up process things. So I would love somebody's review on that. Also, I caught up on the last action item on our side from the in-toto assessment. The discussion today is what we're doing as a SIG to kind of look at supply chain attacks in general, which Santiago is leading. And then we had this other action item: we recommended to the CNCF that perhaps they could identify a UX researcher to figure out, you know, whether there are speed bumps in the adoption of in-toto, or if the project should do something, if the focus should be on companies adopting, or perhaps there's some dependency that would be more fruitful for in-toto to spend effort on. So I added that to the notes. Feel free to click on the links and chime in or review or whatever. Oh, also I've been chatting with Jonathan Meadows about presenting next week about the security training he's got going on. So I think I'm going to pencil that in, because we haven't got a... I don't know if we finalized that, but I'm putting that into the planned meetings proposal. Perfect. Perfect. Perfect. Yeah. Should we get an issue for that? Or is that going to be tracked as a doc outside? Let me see if there's an issue for that. If not, I'll ask. Thank you.

Amy. She's having trouble coming off mute. Howdy. I am here to be able to help.
Questions around any of the Security Day stuff that's happening in San Diego, and any other kind of CNCF stuff running around. Hi. Thank you. Yeah. Yeah. So Security Day is going to be fun. I mean, a lot of the heavy lifting is done by Amy, Emily, and, for the most part, Michael Ducey. Michael Ducey, yeah, may not be on the call. Yep. So it might be useful, after we finish the rounds, for you to give a little bit of an update on that. So who else is there? There's a call-in user too. Yeah. Yeah. And a six five zero six four four four eight two seven eight. It's Emily Fox. I'm on the call. Sorry about that.

So, quick updates. The KubeCon notifications went out. So we're encouraging everybody to post on their various social media sites, and to send the KubeCon and CloudNativeCon talks that they can recycle to Security Day. So right now what we're trying to do is drive up CFP submissions and make people aware of it. There are still sponsorships available, which just means that we get a nicer Security Day. The website is available. It has all the content: talks, open spaces. Right now we're just trying to drive more CFP traffic so that there's more than just a couple to look at. We've got five that have been submitted and eight that were in draft as of yesterday. So we're hoping to get a lot more. If you know anybody in the security space that has a good idea, or you've overheard them talking about a really good thing relevant to cloud native security, encourage them to submit it as a CFP, or maybe do a co-presentation as well. That's all I have for updates. I would encourage some of the CNCF security projects to advertise this in their forum, in whatever form that they have. I know we have SPIFFE, and we have [inaudible] as well. So I think we should probably use those channels to advertise.
So I can personally reach out to both of them, and then give them an ask of promoting it within the community. Cool. So, a question about... I mean, it's already on the agenda, but regarding the SIG Security summit, is that an independent event? Or did you also get a pass? If you're a speaker at that event, can you get a pass to KubeCon? So I can speak to that right now. No. If that is an issue and you're an accepted speaker, reach out to me. Okay. Cool. Thank you. Thanks, Amy.

So, for this month, I think I'm going to try and facilitate. Sarah and Dan have been helping out facilitating this for quite some time. I'm still kind of fitting into their shoes, and each of their shoes is way bigger than mine. But I'm going to, as a catch-up, try to get the agenda squared away for the next meeting. For this meeting, I'd like to keep this as an open agenda, unless there is a prior agenda that's set already. Dan, if you can comment on it, that'll be useful. Good. So today we're slated to have a discussion around supply chain. Okay. Are you able to take that on today? Or, I know you're all fighting over Justin's computer. No, you're on. I've been relegated to the floor. Yeah.

So I'm authoring the proposal, and I think there was some hesitation by Justin Cormack about it. I also met with Jonathan. I think also Fox, I think it's Emily Fox, took a look at the meeting notes that we have prepared, and my understanding is that, timeline-wise, we can probably start the proposal as a repository in which we take the existing in-toto supply chain compromises list and start enriching it with content regarding certain types of compromises, and then organically grow it into a guide that people can actually refer to.
And eventually try to answer questions about what's the best way for users to consult this resource and use it to tighten their security process, which I think is the end goal. I don't know if I misquoted you, Justin Cormack. I don't know what you think. I mean, I think that sounds reasonable, I think. I think it would be helpful if we're clear up front about who the audience for this is, and what kind of maintenance we're going to do over it, whether this is a one-off thing or whether we're going to maintain it on an ongoing basis, and those kinds of practical things, and how long, you know, we can spend on it, and an outline of what we actually want to produce. Right. So I feel we can elaborate a little bit on the document that Jonathan and Emily already helped me prepare. But the audience, as far as I understand it, and the consensus is, we are trying to help developers, cloud native application developers and software engineers, to tighten their software supply chain in terms of security. So with that in mind, I think we pretty much want to compile a list of recommendations and case studies, and probably in the future things like scanning tools and things like this. My hope is that we can start with something small that doesn't require a lot of time, and as we see whether it has some success or not, we can increase the scope and the reach of the project. So, Santiago, you mentioned there was a document that you started. Is that something you want to share here? I think there was some interesting discussion on the thread, because originally it was focused on this catalog, and then there was some discussion about kind of taking slightly different approaches. And I'm just kind of curious where you're at with that. Right. This is a thing from [inaudible]. No, no.
Well, the catalog is something we would be moving over, because I think that will help us build a foundation. Oh, it's like a Google Doc. It's that Google Doc. Yeah. I posted it in the SIG Security chat. In the channel. Sorry, Slack or the chat channels. Yeah. Probably a reply to just the format. Because there... All right. So I'll post it in both places. I'll post it more obviously there, and I'll post it here. Thanks for getting him caught up. And then everybody can... So it's editable by everybody, just a word of warning. But basically the idea that I was having is we move the catalog over, and from the catalog we derive a list of priorities that we can write recommendations about. And the reason why I think the catalog is important, even if it's not completely comprehensive, is that I think it drives a sense of reality and a sense of urgency. And I think it will make people understand why software supply chain security is important and why they need to follow these practices, which I think is part of the battle that we're having: a lot of people are a little bit skeptical about this problem. I think a big bit of this is raising people's awareness of the actual issue. I think everyone on this call realizes it is an issue, but I wonder, and I get mixed feedback from others when I'm talking to people about supply chain security. And I think with that catalog that Santiago is proposing, and other examples of this issue, I think one outcome of this sort of mini project would be to focus on raising people's awareness. Then, based upon that, we can look at providing best practice guidance, focusing on an audience of software engineers and cloud native developers, that can actually fix that issue or start to mitigate some of those concerns. But to me, my personal thing would be awareness and then an ability to fix that. Yeah.
I think it's pretty good nowadays, at least in developer circles. One of the problems is we get these big splashy headlines that say there was a supply chain compromise, and then very little insight into what the compromise was, which is why the catalog will be so beneficial. And a lot of the supply chain compromises we're seeing, well, several of them, end up being, you know, rudimentary user blunders: we use the same password everywhere and it got scraped, and so I've got nine Ruby gems that are published under my account, or whatever. But then there are the problems which are different, and where it's easy to work on a technical solution beyond just telling everyone to use 2FA or whatever. So I think the catalog... that's why I'm really interested in the catalog: to try and get a better understanding of the variety of the attacks, and the different attacks beyond just account compromise. I also really liked the idea of having the catalog segregated into categories, right? Different types of threats. Then also, if it's listed chronologically, it sort of implies that we're trying to write down every single one there ever was, but putting them in categories makes it feel more like they are examples. And I don't necessarily want to sign up for keeping it fresh with every single possible thing that happened, but good examples of each category, I think, would be a great goal to have. Yeah, I agree, because then you can have examples of things that would mitigate that type of thing alongside the example, and things like that as well. Right. I like that idea. Really, I was just going through the doc. One quick thing that I would suggest, and I'll also leave a comment in the doc: document non-goals. I see that goals and activities are documented, but non-goals are not. Right. Yeah.
I think that's a valid point. And I think from the conversation we can pretty much extrapolate certain... But what I'm thinking is, I feel there's a little bit of consensus on: well, we will take this catalog, put it into categories, then use these categories to drive recommendations for best practices. And I feel that if we are in the same boat in that department, we could probably move on to a more formal proposal, in which we actually have a project that organically grows. It feels like I'm rushing, but I'm also a little bit afraid of circling a little bit too much on the issue and then eventually not having an actual thing we can contribute out there. Well, JJ wasn't here when we talked about this initially, but this was a proposal. We all agreed to do it. So this discussion is not a gate to any action. This is a discussion with the group to help the initiative move forward by pulling on the wisdom of the team here. So yeah, I think we're trying to refine and capture and help, but not to create any sort of gate here. And I love the idea of coming up with a first iteration that's small and tight and effective, even if it doesn't do everything we possibly want. And then we can add additional issues for improvements we'd like to implement. I mean, I think, yeah, if it's going to be for raising awareness as well, I think making it short and readable, so no more than, I don't know, six pages or something, that someone could circulate as a PDF, say, would actually be really helpful, rather than something that feels like a catalog: something that you could pass around to people and point them at, or email to them or whatever, that they could just read to understand the problem. Yeah.
If you can encourage a community to maintain a catalog, you can use that as a data source for other things. People who are talking about these things don't have to keep talking about the same compromise that was made in 2011. They can, you know, refer to something more recent in the same domain. Yeah. Right. That's my hope with organically growing a community. Like everybody can, I don't know, spend five minutes reading the news and then go, oh, well, I just found this software supply chain compromise, and I think it relates to this other one. Why don't we keep it around as a reference? Yeah. Yeah. It feels like this can help with wider education efforts of the group as well. Like not strictly related to supply chain compromise, but choosing, say, open source dependencies is obviously a problem, given that when RubyGems had multiple compromises a couple of weeks ago, it turned out that like 1200 people were downloading a gem that had only existed for a couple of weeks. I mean, you know, use this as motivation to drive other education efforts. Is motivation the main sticking point? Or is it just like knowing what the... Like the latter is, I guess, what I'm more interested in, especially since I think all of us here are sort of bought in, but I haven't gotten pushback so much as questions about knowing what the lowest-lift solve is for each sort of category, or each sort of... I'm thinking of it visually: what are the different segments of a delivery process that these attack, like what are all the attack vectors basically, and then what's the easiest mitigation for each. I feel that that's in scope. I feel that we probably would defer that a little bit for a second iteration, but some of them are immediate, right?
When we find a bunch of compromises of a certain nature, and we know what the solution is, we can pretty much point to the right place. I feel that the catalog will also help us prioritize which solutions we want to be more clear about and more upfront about integrating. So the question about the catalog that you're producing: it seems like a fairly moderately technical document that I'm assuming developers, and maybe managers, would use. Is it possible to also, I don't know whether this would be in scope, have kind of an executive-level something that executives could use? I think it cut off a little bit on my side. Could you repeat? So I'm just wondering what level of technicality the document would have. Is it going to be written very technically? Or is it going to be also accessible to business executives? What's the audience here? Just kind of getting into that. So my understanding, and I think we can also discuss this, was that we probably want to target a developer slash DevOps engineer audience. Those are the ones that can make the decisions. If you want to make a separate track in which we can also give them resources to convince their project managers or so, well, we can also do that, but I don't know how broad we want to be on this first iteration. Well, it sounded like, at the beginning, with the awareness goal, this is why everyone needs to be concerned about the supply chain. So it sounded like, from the way you were discussing it, Santiago, that maybe the first page or the first half page would be the kind of thing that you could give executives, right? Like this is why me as a developer, or my team, should be spending a little time on this, right? A copy-paste abstract. And then people who are actually going to do the mitigations can dig into the meat of it. Right. And then you can abstract, maybe.
Sorry, Jonathan, didn't hear you. Sorry, Dan. I think you start at that sort of security and engineering level and provide a reasonable amount of detail, so that then someone can abstract it and provide it to senior management. That would be a useful place to go in. And then you've got enough detail and you can subsequently abstract it. Because when I talk to a lot of people in different industries, within the financial industry, it's at that level that the awareness isn't quite universally distributed. And as long as you get that level of detail, then perhaps we could have one page where someone, even the other engineers, could abstract that up. Right. And now I think this is a great opportunity. You know, if we get the core resource to that level of utility, to delegate the extended activity to the CNCF, right? That translation to the business stakeholders seems like a great opportunity to partner with the broader CNCF, bring in some marketing and tech writer support, and extend the work. They can't do the technical efforts that we can provide, but they can do some of the polished translating and mapping back to that. That's a good point. I would also... I mean, crowdsourcing is a great way. It might also be useful for us to think through whether it has to go through a curation process, or if what gets submitted is what gets seen. In other words, is anyone concerned enough to raise their hand for "I'll moderate this so that there is a quality check", or do we just trust in terms of posting? Because I heard someone say that it'll be a nice way... I think it was Santiago.
So he was saying it'll be useful for somebody to come in and post the ones that they see online. So, yeah. What do you think? What are your thoughts on that? So I don't know how explicit or implicit this is, but my understanding is that I would be the one that will probably make sure that the project stays alive and that there are no unexpected changes that the community doesn't agree on. I don't mean to say I want to take care of it for life, but more like a guy that's keeping an eye on it and making sure that everybody is on board with the direction that this is going. Perfect. Okay. Yeah. And I also just posted in the notes and in the chat: this action item proposal came out of noticing that in-toto had collected this supply chain compromises list. So if people have enthusiasm to point out supply chain attacks that aren't on this list, right, we could use this where it is. The plan was to use that as a starting point, and then Santiago agreed to take the lead to curate it and drive the initiative forward as the benevolent dictator slash leader for the duration of the project, which is relatively short but important, and to corral a bunch of people who have enthusiastically agreed to help. Excellent. Excellent. Yeah. Thank you. Yeah. So the next step on this is, I mean, like I was saying, not to get ahead of ourselves, to get to the next stage of getting a proposal out. And we do have... I mean, I know I'm not on the laptop, but I think we have laid out a process for how to make this a project. So that has already happened. Yeah. Okay. The title still said proposal, but it was already labeled as a project.
So I think that, and sorry if our chair didn't communicate that well, but since I was able to join today, Santiago, maybe you can first chime in and say if you need anything to move forward. It sounds like you don't. And then I think a lot of people also came to this meeting because they're curious or interested, and we could use a little bit of time for people to chime in with questions or things they want to contribute effort to. Yep. Sorry, apologies for not being coordinated, but yeah, anybody who wants to chime in, cool. Otherwise, we could talk a little bit about whether Emily and Amy have anything they want to bring up to the team; Michael joined as well. Anything you want to talk about? Yeah, there was one thing that came out of the CNCF meeting yesterday, which was that Liz said she was going to ask all the SIGs to provide some kind of gap analysis or project analysis of the space at some point fairly soon. And so there will be a requirement for us to do that at some point soon. That'd be a formal ask. Correct. I think it's still in talks and discussions, but it sounded like it might happen fairly soon. Correct. Yeah, we need to follow through with Liz and Joe on that, because there is a whole bunch of qualification criteria. What if there is overlap? How much overlap is considered okay overlap? Those kinds of questions may arise in terms of picking and choosing different gaps. So we've got some clarity: we're talking about CNCF project gaps. Yeah. There was talk about gaps in the system in general that CNCF might help close. Yeah. So can you clarify a little bit? Because I unfortunately had to miss the meeting yesterday. Oh, okay. Yeah, let me summarize that for the benefit of the entire team.
So there is a thread that's going on. I think it's also an email thread, anyway, but Liz brought up a point about not randomly accepting projects into the CNCF, but being able to choose projects, or even to some extent go and look for projects, that actually fill in gaps in the CNCF landscape, what we consider as the landscape, right? So that translates to security as well. In terms of: what do we consider the landscape? Where are the gaps there? Are there any projects out there that fill the gaps? That is something Liz, and the TOC in general, encouraged us to consider. It is still very much a thought in progress, and I think there needs to be a little bit more definition or criteria in terms of how we go about looking at it, but I think it's a really good suggestion and idea. It works both ways, in terms of getting a landscape that's understandable, applicable and useful for the end users, and also being able to relate the projects within the scope of the landscape so that users can choose those projects for their benefit. So that was the context. Oh, thank you, JJ, for that summary. And I'm actually really excited to hear that being discussed at the TOC level, because I think a lot of the motivation, at least that I've heard individually from people, to come to this group is because they see a gap, right? Or they see issues or speed bumps, or they're building things themselves and they wonder, why am I building this? There ought to be a thing.
And why I'm really excited about this supply chain initiative that Santiago is spearheading is that it was precisely that kind of gap that led us to want to take a bottom-up approach on the supply chain thing. Because we agreed that, even though we're on some edges with in-toto, and we're like, well, we're not sure, you know, we totally respect that in-toto can't solve every single supply chain attack in the world. And then we're like, ooh, what happens when you get to the edge there? There are some things that aren't easy to, like, there may not be easily referenceable solutions there. So we've been doing that from a bottom-up approach, through the security assessments work, early days there. And so it's really, I think from my perspective, wonderful to hear the TOC talking about that as well. Absolutely. I think it is useful for the general sense of community, and security specifically, like you pointed out. In that spirit, I think if anybody has any opinions, thoughts and suggestions, whether you want to raise them here, or raise them as an issue with some proposed things, not projects in general, but things that we think are gaps, it will be useful to curate that information. Or if you want to reach out to me personally as well, that's fine too, or any one of us. I also want to point out, I think you mentioned you maybe weren't on a computer, JJ, that Aiden, who's new to the group, mentioned that he's worked on, I haven't had a chance to look at it, but maybe Aiden could, he had identified something that he's working on that we could talk about, whether that's appropriate for this group, or whether it's just a "hey, I'm working on this if anybody's interested." Sounds good, yeah. Let's do that. We have eight more minutes. Aiden? Yeah, sounds good. I'll be fast about it.
So I manage a number of large, well, a number of organizations with a large number of repositories, probably 1300, 1400, something like that. And a lot of them are not maintained, as you can imagine. And so I've been doing some work around automating the archiving of repositories, with the goal that, since they're on github.com, we use the relatively new github.com feature to automate pull requests for upgrading dependencies on JavaScript, Python, et cetera projects, which are most of the languages we use. So this is more application-level concerns, but it's something I've been thinking about at scale, and I've been working on an NPM package to do that automation. So if you're interested, I put the link in, I think, the agenda; I'll bring it down to the notes, but just reach out to me if you're interested in collaborating or using it. We're the only ones using it right now, so I'd be interested in getting someone else to try it. Happy to answer questions or cede the rest of the time. Perfect, yeah. That was useful. Thank you so much for that, and yeah, please do put it in the notes so that it's useful for others to track. And like I said, anybody who's joining and would like to contribute, let's just make sure you do a PR on the front page of the SIG Security GitHub, so that we'll be able to reach out to you for any help, or when you start contributing, we'll know who's who. Thank you. We also have an open pull request for a new members page, so if you're a new member, you can check out that PR and chime in while it's in process, and soon-ish we'll have a new members page. It has some pointers and tips about where to start working with the working group. Thank you so much. Yeah, I mean, if you have a few minutes, and if Amy and Emily have anything to talk about, or Michael, who joined.
So if you want to check in and give an update on SIG Security Day, that'll be useful. Yeah, I joined when Emily was actually giving an update, so I'm not sure what she had actually said. But sponsorship looks good. We need more CFP responses, but we're trying to get an engine going around that, and to get a program that's going to be better. Awesome. Next Friday, there was a question earlier in the chat around who people should reach out to about sponsorship. Me. Ping me over on Slack. Okay. Pretty easy to find. Just don't buy another diamond sponsorship. Hey, you know, if we can, the more the merrier, clearly. I know, but you're selling time on our agenda. No, I know, that's really the challenge. It's kind of like, oh, yikes. And being able to actually make sure that we've got space for everybody is going to be fun. So, yeah. And the channel dashboard isn't shared with everybody. Maybe a read-only version, if we could share it with everybody so that people can look up the status, would be good. I don't know if that's available. Which dashboard are we talking about? The Trello board. Oh, yeah. That was easy. I'll put it in the chat. Perfect. That's awesome. There it is. Cool. Anything from you, Dan, Sarah, or ways we can give back three minutes to the team? I had a question. Actually, I talked to a couple of people. They asked, on their talks, also at KubeCon, is that kind of a blocker for SIG Security Day, or are the two separate things? They are separate things. So you could submit the same talk to both. What do you mean, two separate things? I guess my thought is that you have to be registered for KubeCon to go to any of the day-zero events, and then these are just add-ons for that day, which cost a nominal fee, just to help us get the room and everything like that.
So you do have to be registered for KubeCon. If you got rejected from KubeCon, then I encourage you to submit your talk to Cloud Native Security Day. So what people have asked me is, if they have a talk that's accepted, or for example waitlisted for KubeCon, if that talk is included in KubeCon, does it mean that they can't present at SIG Security Day? I think it would happen. I would just submit, and we will solve this problem as it comes up. I would love this problem. Well, I don't know that we want to encourage everyone with a security-focused talk at KubeCon to also submit it to SIG Security Day. Well, people have already been notified. So people are either accepted, waitlisted or rejected at this point. Well, the question is if you were accepted, should you... no, the question was if you were waitlisted. Yeah. Oh, I'm sorry. If you're waitlisted and you're interested in possibly also speaking, or speaking instead, at SIG Security Day, please go ahead and submit. And then we can work with the CNCF people to make that decision on the back end, whether we slot it into SIG Security Day or whether they slot it into the main agenda. Right. Is that acceptable, Amy? Coming off mute, yes, that is absolutely acceptable. Please submit early and often, basically. If you're waitlisted, please submit. And then we can work it out. If you've got any other questions, we have a channel over on Slack for SIG Security events. You can also come to me, and I'm happy to help answer questions. Awesome. All right. Yep. That was useful. Thanks, team. See you all next week. All right. Good to see you all. Thanks to you. Thanks, all. Thank you.