Counting down for CRA - updates and expectations
Formal Metadata
Number of Parts | 131
License | CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers | 10.5446/69415 (DOI)
Transcript: English (auto-generated)
00:04
First of all, disclaimer, we are lawyers, so if your company is, you know, struggling with it, have questions about CRA, don't take our talk as a legal advice, you know, talk to a proper lawyer, but today we're just going to talk about, like, in the community's point of view.
00:26
So, first of all, what is CRA, well, the Cyber Resilience Act, but what is Cyber Resilience Act? So, it actually has been, well, like, we have been discussing about it for years now, because it has been proposed in fall 2022, and so the version that has been proposed
00:47
is actually quite different from what the version has been, you know, voted on earlier this year, and so you may think that, oh yeah, do we have to change things immediately right now? Well, it actually takes some time for it to be adopted by the council,
01:03
and we are thinking it may be, like, something from three to five years, but why we're talking about it is because it's always good to be prepared and understand what's going on. So, because the CRA is a European legislation, so it's like other European legislation,
01:22
the aim of it is to try to protect all the consumers in the EU, or generally, like, European consumers, and also it's trying to protect the European industry. So, although at the beginning, when CRA got proposed, there was some kind of misunderstanding about open source,
01:42
for example, there was some misunderstanding that, oh, is open source software just kind of some American companies try to, like, make more money and, like, you know, use it as a gimmick and things like that. So, because we are, like, an open source community, we understand what open source is, we have already, like, you know, have a lot of discussion with the EU parliament members
02:04
and trying to convey to them, like, what open source really is, and we have overcome that. So, like I said before, the text that got proposed is very different from what the text has been voted on. So, yeah, like, the PSF and also other organisations, we have tried very hard to make sure that the, you know,
02:26
the version that got finalised won't have a chilling effect on the community. We love our community, we want to protect it. And so, what we're trying to do is, like, to change what, you know, what we kind of, you know,
02:46
kind of confusing, like, you know, kind of combining. So, for example, if you are providing open source software, it's kind of not separate from any, like, selling software. So, it's not very good because, for example, like, if you are an open source maintainer, right,
03:05
you're providing open source code to other people to use for free, and it could actually give you extra liability for it with the old text. So, it's kind of something that we kind of want to change that.
03:22
So, now with the new text, so what has changed? So, there's actually a new term that has been created. So, this is open source steward. So, what is open source steward? It's a cool name, but, so what it means is just that, like, this actually is a term for entities
03:42
that are, like, providing the open source software, open source code, not for selling, it's for free. So, there's, like, no, you know, contract or money that, like, you know, there's no buying and selling kind of involved.
04:02
So, it kind of makes it different from, you know, selling a software. So, this is kind of one of the things in the CRA that's kind of, like, trying to... Page 76. Page 76 if you have to, you can flip it to page 76 if you have the CRA with you right now.
04:22
I recommend it if you are suffering with jet lag, having trouble sleeping, it's quite, there's many more pages. Yeah, so, under that, so, a lot of non-profit open source organization, including the PSF, but also our friends like Rust Software Foundation, Eclipse Foundation and Apache Software Foundation,
04:43
we will probably fall under this open source steward term, which is a good thing because with this new text and it kind of shows that now the legislation actually understands how open source works
05:02
and it also values the open source community and open source software is actually a very beneficial thing for the whole ecosystem, for the industry, so it's good. And this is page 10, if you now flip through page 10, if you're having problems sleeping.
05:25
And now, because of that, the development and the supply of open source software has been separated and so, but does it mean that, like, oh, you can only do either one of them?
05:41
No, actually there are actually organizations or entities that are doing both. For example, I guess everybody knows what GitHub is. So, for example, GitHub, you know, people will be uploading, you know, their open source software, open source code on GitHub, they may even like have their release, you know, put it on GitHub.
06:02
Those, if it's like a public repository, it's open for all, you don't have to sign a contract or buy something from GitHub to use it, then that is the steward part, it's the development of the software. But if your company actually is using some service that GitHub provides, you have a contract with them that like you're paying for them, for the service,
06:23
then that is a supply of some software that GitHub provides. So GitHub is doing both and so it's like kind of not mutually exclusive, you can only do one of them. So this is a screen caption that I got from the presentation that was done at FOSDEM this year
06:43
from the European Parliament members. So it's kind of very nice because it's kind of like a flow chart, you can see where the activity that you're doing is in scope of the CRA. So any activity could be the activity that you do like as a hobby
07:00
or if this is the activity that you do in your company so you can see whether it's in scope. If it's in scope, is it a manufacturer, does it fall under the umbrella of manufacturer or does it fall under the umbrella of the open source software steward part? So now I would move on to let Deb tell you a little bit about Python and open source.
07:24
Yeah, so as Chuck said, the open source steward category, which is a brand new legal definition, separates the activity of developing software and just offering it for free and supplying software under contractual obligation where money changes hands.
07:42
So CPython and PyPI, no one's ever paid for Python or a package, right? So we fall squarely into that open source steward definition, which is great because it comes with a much lighter touch obligation. So, hold on, I want to make sure I have my notes.
08:03
Well, so in short, we have to have a public cybersecurity policy which would be willing to cooperate with market surveillance authorities and be reasonably responsive to industry and vulnerability reports, incident and vulnerability reports.
08:20
And so this is pretty light touch. This is stuff that we're mostly doing anyway. We're just kind of working on professionalizing a little bit how we do that and making it more clear and transparent. So the Python industry on the other hand, so how many people work at a company that writes Python?
08:42
And they pay you with money? And you get customers? Right, okay, so you will fall into that supply side and will be subject to all the much larger list of obligations. We're very keenly aware of that. And so we're working to make sure that we're providing the tools
09:04
that you need to kind of like, hey, what's going on with Python? Do you have a software bill of materials? We do now. So like all the kinds of questions that like the consumers of Python are going to have, we're trying to kind of set up so we have one answer to the questions that you'll likely have
09:22
as you work through your company's compliance with the CRA. So Python and cybersecurity, like we have been looking at this topic like kind of the entire industry has been looking at cybersecurity since Log4j happened.
09:41
Very kind of famous, whoops, where people had to go to the White House and talk about what are you all doing over there about security and open source? Lots of interest, lots of excitement. It means that there was also some dollars for cybersecurity. So we were able to hire Seth and Mike to work at the PSF.
10:03
They're great. They're not here so you can clap or not, they won't know. Okay, I'll tell them you clapped. So Seth was hired as like a security developer in residence to look at the entire ecosystem, both sides of the house,
10:21
CPython and PyPI and kind of look at like where is there room for improvement, where is the low hanging fruit and then what do we need to put in place to kind of like build out an even better, more long lasting approach to security. Mike, who likes to call himself the code gardener, works on the PyPI side of the house and so he's tasked
10:42
with looking at the kinds of things that we get a lot like on the PyPI side. There's like name squatting, there's like people putting up junk or spam or viruses and things like that, like things that we don't want on PyPI. So he's looking at handling all of those kinds of requests
11:04
and issues and then to the degree that it's possible, automating or making it shorter to deal with each of the types of issues, the ones that we get more often. So the other thing is that we are now a CVE Numbering Authority.
11:21
So that means instead of either tweeting or sending a note to like our entire board or grousing about a security vulnerability on LinkedIn, you actually go to a specific place and officially log your vulnerabilities and then we log them.
11:40
You can also see if it's already been logged, which is a great idea because we don't need multiples of the same report. And so this is like an index that is like industry wide. Anyone can take a look at it, it's public and anyone can interact with it and make decisions based on what's going on with the vulnerabilities this week. So if your company, for instance, you see like whoo, shoot,
12:03
we use that library all the time. Maybe we want to put that launch a week out until we get to apply a patch, now you can have that information. And so common vulnerability exposures, it's just like these can be any kinds of things just to say we haven't been getting
12:20
like zillions of them before. Like in the last year we've gotten like 12 credible reports. But as Python's use and popularity increases and I don't know who writes viruses and stuff like that has more to do, they must be increasing as well. Like we expect to see more activity.
12:42
There's also a little bit of a thing where if you don't give people a place to report, then it's like cool, no reports. That's not, that doesn't mean no problems. So we may see a little bit of an uptick now that we have said here's where you do the reports. Another thing, so we're doing this at Python.
13:03
Seth has been scrupulously documenting his processes. So like if you work in another foundation or another code base or on one of the larger libraries and you're like how can we become a CNA and make sure that people know where to report vulnerabilities to us, he documented that whole process
13:21
so anyone else in the open source ecosystem can use that as like a roadmap. So let's see. So what about Python companies? Like I said, we welcome your vulnerability reports. We welcome your patches if you have them. We'd certainly like to have that kind of relationship.
13:43
And you know, and we're aware that your burden under the CRA as a company is going to be higher. And so we welcome your input on how we can make the interface with the security procedures that we have at Python more usable for you. What we don't welcome is making 4,000 different security
14:03
procedures for each company. So input and then we will put it into the overall solution. We also, speaking of open source collaboration, so a lot of the entities that we worked with on changing the text for the CRA to something
14:22
that was more favorable for open source communities were like, okay, well the thing passed, now what? So we joined a working group. It's housed at the Eclipse Foundation. It has all of our buddies like you said, Apache Software Foundation, Rust.
14:40
There's like 17 in there. I'm not going to list them all. But we're going to be working on open source cybersecurity specifications. So instead of having a bespoke special thing that you do with Python and then a different thing you do at Rust and then yet a different thing that you do when you go over to Apache, you will have like hopefully kind of common things like, oh, I plug in and I use
15:03
this API to query the vulnerability database and then I do this and it's like the same approximate functions within each part of the ecosystem so that everyone's kind of expecting the same thing. One of the things that I think can cause security to sort of fail
15:23
is if you like are looking for a step and it's not there. So like if everything is as expected you're less likely to be like, whoops, never thought of looking there. So we're working to kind of create common best practices across the industry with our colleagues at other orgs.
15:43
We're going to continue working on legislation. Open Forum Europe did a fantastic job herding all the cats and making sure that an open source voice was part of the parliamentarian process to get the language changed in the CRA. We're going to be continuing to work with them on issues
16:01
that affect open source in Europe. And so there's already a couple things. There's a NIST which is an updated bill to look at how cyber incident reporting happens. We're going to be, we're talking with them about some, there's like a recurring conversation about standards essential patents and whether that could create a chilling effect on open source usage
16:23
and things like that. So, you know, maybe a future talk will be one of those topics or maybe we'll manage to get them to stop legislating bad ideas. We'll be back. The other thing that we're doing is we co-founded the Open Policy Alliance
16:41
which is housed at the Open Source Initiative. This is a US initiative to look at US policy. One of the things you may not know is that Europe and US like kind of pay attention to each other's legislation on certain things. Some stuff they're like, no, no, no, they're doing it wrong. We're not interested. But like it turns out that US politicians
17:01
and European politicians share a generally shallow understanding of software and so they're happy to copy each other's work on a lot of these things. So, on the Open Policy Alliance, we've already worked with our colleagues over there to respond to CIRCIA
17:20
which is a cyber incident reporting kind of, it's draft legislation. It has a lot of gaps. Anyway, we are making sure that there is a voice for open source community-driven projects to be heard and make sure that legislation doesn't happen without our input.
17:42
So, community support. Are we at you now? Yes, OK. I was like, oh, I feel like I'm talking. Cool, yeah. Thank you. Thank you for talking for so many explanations. So, yeah, first of all, community support, we are here together as a community. Like that's why people love Python.
18:00
We have a very good community. So, how we can support each other and help each other to overcome this crucial change. So, individuals, there are some recommendations. So, I guess all of us here are Python users or to be Python users. So, I know that is a very common thing for developers
18:21
to not care about security because it's not that fun. You know, it's not like, oh, I'm writing some code. But start to create a culture of security, especially like in your organization that you're working in. Have someone to be the champion to like be the person who, you know, are the expert, a little expert of security and take care of like make sure that the team is using
18:42
like best practices and also configuration and set up all the tools that can help you and the company. For maintainers, so we are here to help. As the Python Software Foundation, we really want to help all our like, you know, Python package maintainers to kind of fulfill their role
19:01
in making sure that, you know, to like fulfill the CRA and like to make sure that the library is secure for the users. But we don't have a secure plan that we can announce to you yet. But if you are a package maintainer, if you have any ideas that like how we can help to, you know, like loosen your burden,
19:20
then please contact us. You can always email us, email the board or like, you know, just let us know. We are happy to think about like, you know, keep the conversation. I would also just add that we're not expecting every package maintainer to become a security expert. So we're looking at tooling and solutions that you can just kind of drop in.
19:42
So like we're not going to be doing a boot camp that everyone on PyPI has to attend. It's going to be more like please download this thing and add reproducibility. Please, we're trying to make it super, super easy type of thing. Or like a documentation and they just follow the steps and then you're good.
20:00
So another thing that you could do at the moment, because, you know, that is the future, but at the moment you can already start doing some measures to help secure your project. For example, you know, find a trusted platform to publish your software, you know, like, you know, GitHub, the famous one, and of course there's others like GitLab, Google Cloud Build and ActiveState.
20:23
Don't go to like set up your own. It's a bit, you know, tricky. Also, enable private vulnerability reporting. Like we are already doing it for CPython. So create a security policy so when the users like kind of discover a problem,
20:40
they know what to do. Also, PyPI blog, now there's like lots of great content in it. You know, there's like new feature, new tools that you can use like, you know, have a look there. Also, well, Seth is very happy for you to get involved and talk to him about it. So that's his email. So if you have questions, you can ask him.
21:02
And also, like Deb just mentioned, now we are a CNA, now we have, we can issue the CVEs. So all of those like logs, like what happened in the past, like whether the version you're using is affected. All of this information is actually put in an advisory database. So all the information now like we are kind of compatible
21:23
with the open source vulnerability database, so OSV. It's a machine readable format, so it's very easy if you want to automate some of your pipeline. So that's the way to go for you. So last, I will let Deb tell you how to support us, support the PSF.
21:42
Okay. So security work is expensive. It turns out they have a lot of options that are not working for a nonprofit, like good security experts. So if you work at a company that part of your business relies on Python and PyPI being like a safe place that's responsive
22:04
to the changing security landscape, you should consider sponsoring the PSF. We would love that. We have a lot of different options, like you don't necessarily have to be like a Google or Bloomberg level sponsor. We have some more modest options for you.
22:23
And I hear that folks that sponsor have an easier time finding Python developers for their Python openings. So there's a little sugar in there for you as well. And then, you know, of course if you're not in a place to do that right now, like feel free to, you know, think about it,
22:41
share this opportunity with other people, and do all of the things that Chuck mentioned about staying in touch, and especially like following the PyPI blog. Yeah. Stay connected is what I said. Whoops. But I think we're at the end. We didn't talk about the clock, but this is, that's the clock.
23:02
Yeah. Have you seen that clock? Nope. It's here. It's here. We used the clock. Yeah, you need to go and see. That's the astronomical clock in front. Yeah. All right. Thank you. We're going to let people clap. We have five minutes. Perfect. Yeah.
23:20
Questions? We have five minutes for questions. And then, of course, this is how you get in touch with Shukri online if you want to ask a question later or a question that you don't want to ask in front of the group because, you know, security. All right. Everyone feels like they know everything
23:41
they need to know about the CRA? Okay. I thought they just needed a nudge. Hello? Yeah. I would like to ask about, because you said that if you just publish a library, let's say, on GitHub, you don't take any money for it, that you are not covered by this regulation.
24:02
But if you are a company that does sell some Python product and you use this library that someone else published as a dependency, then are you also liable for the content of that library that you used?
24:21
Are you taking money for packaging that library with a product? Well, just for the purpose of the question, let's say that I am taking money for it. Yeah. Yeah, you should, if you're taking money for something, you should probably know what's in it. And I say that generally, but also the CRA wants you to do that too. And so it really does separate the activities of supplying software,
24:46
like with a contractual obligation, and just developing and just throwing it over the fence for free. So the act of supplying with a contract for money invokes that liability. So I would say if you are using and depending on a library
25:03
that's on PyPI, you should make friends with the author and maintainer of that library. Make sure that you're helping them stay up to date and stay responsive on security stuff. Again, not legal advice, just kind of like what I would do if I were in your position. Okay, thank you.
25:25
So with things like the trusted publishing, the things that maintainers need to do to adopt best security practices, and I know that individually they're easy, but there is, it's difficult for,
25:41
most maintainers just want to write cool Python things. Yeah. Is there any work to lower the bar to just make it obvious, easy templates, that kind of thing? That's definitely the kind of thing that we're considering when we're looking at the PyPI side. So, because it's just such a vast breadth of different sizes of projects
26:03
with different levels of maintainership and different levels of responsiveness. And so templates are one of those types of things that we're definitely considering. If you have something in mind for a package or a couple of packages that you run that you'd like to suggest that you think would help people get to,
26:20
like easily get to another place, email me or email Seth or email us both if you like and say like, hey, this seems like a pain in the butt, if you all made it easier, like I would do it. And we'll see if we can build it. Thanks. Thank you. Hi, thanks so much for your talk. I've got two questions, but please feel free to ignore one
26:42
if we're caught on time. So one is, like you said, like the main consideration is does money exchange hands? Yeah. Like if you're a supplier. Are there accommodations for startups, independent developers that just don't have the money to, you know, to invest in that security apparatus?
27:01
Yeah, and that is unfortunate. I do think that one of the things that is like an outfall of the CRA is that smaller entities might want to like coalesce and share some of that liability in common. Again, that's like a recommendation for a for-profit, but it is tricky.
27:21
And so, and there may be emerging, again, this is like, woo, looking at the future. There may be emerging like some kinds of best practices for startups to like, you know, keep their stuff on the development side until like they hit a certain spot and then can, you know, and feel like they have enough,
27:41
you know, kind of resources to contend with the liability that is incurred on the supply side. Thank you. I know you're not a lawyer, but do you know how they define money changes hands? Like for example, if someone gives you a $1 donation on GitHub,
28:01
does that mean that you're being paid and now you have to do all the heavy lifting? I mean, so that probably gets to the larger legal question of liability. So like if I was paying you like half a million dollars a year to manage my Red Hat instance, and then you screwed it up, like what liability, like what do you owe me?
28:20
Probably at least like some large percentage of my half million dollars back. If you gave me a dollar and I gave you maybe only like 75 cents worth of value, then the liability might be a lot less. Again, not a lawyer, but I think there might be some kind of idea there on, you know,
28:41
like having the liability be like commensurate with like what the service is. So like, you know, and then... Also, I guess the question does... Yeah, I also wouldn't run a million dollar business on a $1 contract. No, I meant also like are donations considered money change exchange? No, not unless they are like managed and specific,
29:04
like and then they're not really donations. Like if I said like, you can have the Python for like $2,000, wink, wink, as a donation, then, you know, eventually that would like kind of bubble up and it would be like, hey, that's not really a donation anymore. So it is a little bit new territory
29:21
and there is some idea, like one of the questions that we grappled with was like what is a nonprofit, which is why we ended up with the activity thing instead. There was a pretty problematic and they were like, well, nonprofits just have to like spend more money than they bring in every year. I don't know if you understand how salaries
29:40
or budgets work, but a nonprofit that spends more money than it brings in every year is not going to last very long. So this was like an actual proposal in, you know, like, oh, we can fix your open source nonprofit problem, you just have to lose money every year. I'm like, no, that's not going to work.
30:00
So that's why the better conversation evolved around separating the activity of supply and development. We surely must be at the end of our time. We'll be on the hall and... Yeah, or e-mail. Thank you so much.