All right, we'll give it a couple of minutes. I'm going to be the facilitator today. It's funny you put that in there, Dan. I was actually thinking about Sarah. I was wondering what's going on with Sarah. I think I'm going to be in a moment. I think I'm going to be. By the way, Danny, you sound like you're underwater. Yeah, your voice is really low. Ran out of battery on one, and then you put it in the other. Yeah, sometimes you get the thought that it just connects to the one, and then if you take it out and put it in, it detects like it kind of resets. Yeah. All right. I think we'll go ahead and get started. I'm going to be the facilitator today. Let's make sure everybody puts their name in the attendance in the meeting notes, in the Google Doc. If you don't have the link, it's in the chat. Just going to go down the agenda. I guess Brandon is going to be the scribe today. Let's see. Anything specifically that anybody wanted to talk about and looks like Dan, you've got an update on Sarah. We can go ahead and start with that. Yeah. Anybody? I can. You sound a little bit like you're still underwater maybe a little bit, but I can make out what you're saying. I reconnected, disconnected, reconnected. Sounds like it didn't do much to improve the situation. I'll keep it brief. So I had the opportunity to have Sarah this week. She is still pretty much in sort of rest mode, heavy mental lifting. And she's a programmer or programmer. So that's her core work is largely out of the question. And she's been kind of re-adapting her day-to-day to focus on more physical activity and sort of managing general health through that and getting in. She's still in Boston, still working through it. But overall, good spirits and doing OK. Good. Well, I'm rooting for. That's hard to go through. Change. Good. Thanks for the update on that. That's awesome. Yeah, thank you. It's like everybody's getting their attendance in there. Looks like there's not seeing any other updates. 
So a quick update actually. That's a small one. So we've been chatting with Amy and getting transcriptions of the meetings. So I think the idea is Zoom has this really nice transcript, which tells you per user transcription. So it has the name as well as what people are saying. So it's likely that we'll try and figure out a way that we can add this to the repo. And then basically the job of the scribe is going to become more of like a action items note taker. And just like big agenda items. So I think the scribe is going to be simplified a lot more in the future. And also I think even also created the PR to add the scribe role into as one of the roles. And then she's done a good job in describing what it will be. OK, so yeah, thanks for that update, Brandon. No other updates from anybody else. I did want to see if there was any other updates on any issues or PRs that anybody wants to discuss. Kind of the ongoing one that we've been discussing the past few weeks has been around the DevSecOps, the DoD stuff. Any updates there that want to be, anybody want to share? I think there was something on the hands on security testing for security assessments. I think Matt put in something there. OK. I'm not sure whether he's on the call. Maybe we can talk a bit of that. Yeah, I'm here, but I don't know if there's anything to discuss. There was one person who commented on the ticket that they were able to participate in that group. And I think we're still waiting for one more person to make that three. I know of one person who I can drag into it if nobody else signs up to get us to three, but I don't want to rope people in if I don't have to, if we can get one more person. Sorry, I missed the thread. What do you need, Matt? There's a GitHub ticket in SIG Security to find people to volunteer during SIG Security reviews to perform hands-on light penetration testing of applications. 
And so we're looking for people to volunteer for that group to, again, it's going to be basically no more additional time or anything than the regular SIG Security reviews. But this is just volunteering for the hands-on part of it. And we need three people in that group to start that. We have two. Yeah, you know, I'd be interested, but I hate to be somebody who doesn't show up because of a scheduled meeting and the day job. And then, you know, it's one short. So I think I'm a bad choice. We don't get it. If we don't get anyone soon, then I'll rope some people in. Okay. Yeah, likewise, ping me if you have trouble and maybe I can get somebody else from my organization who's not over-committed to do it. Okay. A great experience for a junior person. Yep. Yeah, no, that's, that is awesome. Yeah, if you have the time and you've got the talent to be able to contribute there, that's awesome. I'm just going through the issues list right now. Looks like that there have been any recent updates. Any of those? Okay. Did we have any, let's see. What's on our presentation list for upcoming presentations? I see from seven days ago, there was this check-off. Yeah, we have check-off currently planned for next week. Oh, that's next week. Okay. Yep. Oh yeah, July, July, got it. Okay. Excellent. Look at that. This is Vinay here. If we have a presentation next week, is that going to take the whole time? There was something that I've been working on in terms of a reference architecture for DevSecOps and CI/CD that I've been wanting to bring. So hopefully it's close to where I wanted that it captures the entire ecosystem, et cetera, that I'd like to present. Is that a possibility or I can always wait for two weeks out? I think it would be better if we do it two weeks out and then at least we have time for question and comments for both the presentations. Thanks. Any other issues that we might want to talk about? Today, are any new ones that you might want to bring up? 
So I think, I don't know if we reached this part of the schedule yet, but I added an item there to talk briefly about Sandbox project security assessments. And the basic thing I wanted to discuss with this is one thing that occurred fairly recently is we had, when the Sandbox process changed, it's now a very lightweight process where a bunch of projects basically just get tossed into one box by the TOC. And what it used to be is it used to be a slower process where we would actually weigh in before a project made it into Sandbox and that's now changed. But what's happened is that we had a bunch of projects that were looking for security assessments and now all of those projects that we're trying to like at the process of entering into Sandbox and looking for security assessment effectively had their assessment closed. And first of all, I want to say like my personal opinion and then we as a group should maybe discuss and decide if we want something different. But in my view, we absolutely should be promoting that projects that are in Sandbox received a security assessment. My view is that projects that are going up for incubation or going up for graduation are probably more important to review and so would have higher priority but we're not at a state now where we're so overwhelmed that we can't do more assessments. And certainly any project that goes up for incubation should have already had a security assessment from our group. So I think that we should make sure that the message that we're giving is clear that we do want projects when they enter in Sandbox to be ready or be prepared or be thinking about starting that process really as soon as they can. It's not something that they need to wait until they do incubation review or graduation review to do. So I made that statement as a statement of fact but I just wanna say that's my opinion and I'm curious if any others agree or disagree. No, absolutely. 
I think that just because projects are not, I mean, because there's no necessary sort of dealings before Sandbox, I think it's very important that at Sandbox projects do present to SIG Security and to introduce themselves when they've joined if they haven't before. And the assessment is valuable for them and joining Sandbox is a good point to start thinking about these things if they haven't thought about them before or get extra help. Now they've joined the community and I think it will be really good to engage with all, especially the security projects but also other projects that at this point when they've now they've joined. Justin, what do you think about having it not be a gate but an invitation? Does that change in your mind? So once a group was in the Sandbox they could get accepted into Sandbox rather than in incubation and graduation we're proposing more of a gate to acceptance but in Sandbox what we could consider doing is not saying in order to join you have to do the thing but like as you're joining come start your journey. I think that's effectively what we have now because we're not a gating function to entrance into Sandbox anymore and we weren't really a gating function before this in practice. So effectively the reality is that the earliest we can do something is encourage projects that are in Sandbox to come to us ahead of time rather than waiting until incubation which is what I'm proposing. So we're aligned, great. Who's making those invitations to whoever's in Sandbox? There hasn't been a formal process for this yet because it's just sort of happened. The changes happened recently. The thing that has happened also recently that I wanted to be sure we're not doing which is I think some projects were getting the message that they didn't need to worry about an assessment because they'd made it into Sandbox. 
And that I think happened in part because some tickets were being closed for projects that had made it in because originally the ticket was opened as in order to get into Sandbox, do this like you need to do this assessment but it shouldn't be a even though that's no longer a gating mechanism, closing that ticket is I think the wrong way to say it. It's the way to say, hey, you should now start doing this because you're in Sandbox. Yeah, I agree with that. I think also like it seems like the, at least the document that talks about the new Sandbox process seems to indicate that really what it is, it's an incubation incubator. So it's getting projects really to hit the incubation. But we're on that actually. So I had a chat with the checkup speaker and he mentioned that they are also actually trying to move to incubation. So I'll drop him a message to open a security assessment. I think that should, I'm not sure where they are on timeline but I think they'll talk about that next week a little bit. And there's a comment in the chat about Cloud Custodian and wanting to move forward with the assessment as well. Yes, we should reopen the issue there. Absolutely, very strongly supportive of that. And we have the capacity now to be doing more than we are. And we'd like to, and actually, as we do more of these, we end up getting more capacity usually because new reviewers become experienced and are ready to go. So we could easily be doing more than just the one assessment we have in the process now. At least for Custodian, I think there was a bandwidth issue on the project side, but that has been resolved. So we have capacity now. We're actively working on it. Awesome. Any more to discuss on the security assessments? Vinay, you wanted to talk about the DevSecOps reference presenting that on July 15th. Yeah, I can wait for two weeks out, Cameron. All right, rather prefer to, it's not 100% as yet. Just a few more things I'd like to add before I present it. Sure, yeah. Thank you. 
There's a question from Mark Underwood about, there's anybody that's working with the OpenTelemetry group and certainly not. Well, I may dip my toes in there. Here's why it's of interest to me. The mapping of the semantics that that protocol, air quotes protocol is using, don't map very cleanly to the security world, then it has things like buckets and triggers and that sort of thing from the IT world more abstractly. So I'm trying to figure out a way that we can do this as we consider what we would like to see for telemetry coming from open source projects. That's it. Okay. Is that something that you want to explore yourself, Mark? With that to you. Yeah, I can't really commit anyone else here to it. I, it seems like a natural connection, but maybe the more sensible thing is to, let the people that have more bandwidth to pursue this, to get in the weeds with the Prometheus people and see where that fits into the projects that come through here. But those of you that are doing the reviews, are you poking around to see what kind of telemetry is coming out of the projects that come to you? Obviously you must, right? So authentication, failures, things like that. Maybe I'm wording the question poorly. Do you know anyone that's part of the OpenTelemetry group? That you think would, do you think that it'll be interesting to maybe see whether we can do a, whether they can come here and present a bit of what they have? I could ask him, sir. That'd be a really good start, actually. Okay. They might need us more than the other way around, I think. That's just not somewhere, I guess. Yeah. Okay, we'll do. I'll put that in the notes. All right, thanks. Is there any current assessments going on now that we need some help with currently? See, we've got Keycloak. We've got Quay. We've got Cloud Native Buildpacks. Has some of these already begun or what's the status with some of those? Do we need more help on any of those? From the assessment process? Yeah, exactly. 
But what we're waiting on is, we're always, as far as I'm aware, always blocked on projects. I don't think there's an assessment that's going on now where we just haven't been able to get the team together. But that being said, if anybody on this call thinks I'm wrong or thinks, well, that's sort of true, but the team wasn't really together and so we didn't get things together from our side. Then please let me know and I will push and put that together. But I think we've been fortunate that we have a pretty good group of people that all are excited to do these things now. So as far as I'm aware, there isn't a holdup on our end. All three of those are applying for incubation. Okay. So it's probably worth at least asking them again at this point if they're registered before incubation. Definitely a good point there. Maybe we can reach out to each one of those projects and kind of see where things are sitting. So we can re-engage and get those finished up. Is the goal that we've finished those before they meet the incubation? I think at least from our perspective and the community we've been talking about here is we believe that, you know, like we're advising the TOC. So it's not our place to say to the TOC like you shouldn't put a project in this place because we haven't done our role. But the process is supposed to be that every project goes through our process that needs to be as deemed by the TOC. So the TOC gets more complete information about what they need to do. Like so they can make the most informed decision effectively. That's right. Yeah, in my mind I, yeah, making sure that those are done before incubation is achieved is, that'd be, you know, an important milestone, especially for giving that information back to the TOC. Okay. Any other issues that need to be discussed? Not seeing anything else in the agenda and nothing else from the attendance list? Anything else that anybody wanted to discuss? Otherwise, I think we're done. I think you can call it. 
I think you can call it. All right. I will be sending out a, anyone who's interested in Cloud Custodian participating in that assessment, please mention it. There are people who signed up, but this was a long time ago and a lot of those people, like for instance, Sarah Allen have had things happen and their ability to participate has perhaps changed. So it's almost like it's a fresh assessment we're being asked to do and please comment on there. Okay. Yes, and we have already created things like the Cloud Custodian Slack assessment room and other things like that, but we'll also have to shift that around and invite all the right people and things like that. So please do comment on the issue which was posted, I think in the channel here or we'll be in the notes. Cool. Well, everybody have a great Fourth of July weekend and we'll see you back here next week. Thanks as well. Thanks everyone. Thanks Cameron. You're welcome. Thanks everyone. Thanks Cameron.