From YouTube: CHAOSS Asia-Pacific Community Call 2-10-21
A
B
Yeah, Matt's sharing his screen, though, in the Zoom call. So maybe we can work from that.
A
A
All right, I can see it, and so we wanted to highlight some of the working group efforts from the risk working group here, partly because I think the central focus of the risk working group has pivoted a little bit towards understanding both upstream and downstream software dependencies.
A
These are, upstream would be libraries that we depend on. Is that right? I always get that mixed up. Basically, libraries that your project depends on, and understanding an enumeration of what those libraries are, what other software is it that your software depends on, and getting an understanding of the health and sustainability of those dependencies, as well as the nested depth of those dependencies, so it sort of turtles all the way down.
C
Yeah, so I just, I thought maybe, you know, we talked about this in this call before, and just whether or not dependencies are an issue for folks, say, at Huawei or on this call. So is tracking upstream and downstream dependencies something that you necessarily care about? And that was going to kind of lead into this next issue on the agenda and how much we want to work on that here.
C
D
Okay, for dependency, I guess, there's a bunch of, currently we saw if there's any CVE issue.
D
We need to upgrade the third party's dependencies, and I saw a lot of requests recently, and especially even for my experience is that look that we get the feedback and need to check the third dependency, and even it could be more complicated because we have open source project and we got issue which is complaining about to the CVE, but it looked like there's a dependence, dependency.
D
So the Chinese part is we need to hunt down all, we need to manage the, to find out the key, the third part which we need to fix. So I think this could be.
D
A dependency management issue: it's really like GitHub provide this kind of service. The, it's looked like that there's a robot will check your, the project's dependency and they will inform you if there's any security issues, habits, and in most cases we just need to upgrade the third parties, but we need to get, to get the information and do the actions.
D
So, from my perspective, I think the metrics here could be how much CVE issue we found and how many projects could be affected, will be affected, and later on, how much projects upgrade the dependencies. So this is a roughly I have. I'm sorry, I didn't join the work group meeting, so I'm not sure you guys already know about that or if there's, or some solutions, yeah. No. This is this.
C
Is, this is great, and this is partly why we have the Asia Pacific call, to help kind of bridge between conversations that may be occurring in one place, just so we're all on the same page. So CVEs have come up and I think they've, Sean, can you speak a little bit to the CVE discussions that have been occurring at all in the risk working group? Remind me what CVE is, the.
A
Vulnerabilities, yeah, yeah. So, and this really dovetails with some of the work that's being done in security, right.
A
And I don't know if getting does this, but GitHub provides a lot of that information now automatically. They scan your repository and identify vulnerabilities that exist in your code automatically for you, but knowing the vulnerabilities that exist is something that we would integrate with the dependencies analysis.
A
So if, for example, we understood the dependencies that are declared in a piece of software, or at a certain version, which they often are because people declare the version that they've compiled it successfully with, then, and, a sort of an add-on to the identification of these dependencies would be to compare them against a vulnerabilities database and report not only what your dependencies are, but also what the security vulnerabilities associated with those dependencies are, and that would be a reference to the NIST database that Matt alluded to.
C
So I know that if I share my screen here again, let's see how to do this again.
C
So Willem, can you see that? Yeah, okay. In the risk working group these are, so this is the spreadsheet that we use to kind of track metrics that we've been developing. I think maybe you've seen this before. Maybe not.
C
C
That would be at least how we've categorized it in the past. You can see that we have, actually, known vulnerabilities is probably the metric that you're talking about, which would be associated with CVEs, you know, reported CVEs. So this is something that we could start working on kind of here, articulating what this metric would mean, like, how do we identify vulnerabilities in software. And then we have software vulnerabilities?
C
A
I think software vulnerabilities might be things that are not necessarily part of a security vulnerability, or a security vulnerability that's been identified that hasn't yet made this database or wasn't judged to be significant enough for the database, but might apply to a particular use case. So the company is.
A
B
Could it, hey Sean, could it be something like one of your files has the password in it and has been checked into GitHub? Yes.
E
B
A
That would be, that'd be an example, although GitHub now complete, after the Stack Exchange debacle in 2019 GitHub now automatically erases, basically invalidates every token that you check into a public repository.
C
C
C
Okay, who had mentioned this? So, I'm sorry, Sophia, okay, Sophie Vargas, gotcha. Okay, let me do a little bit of searching here, but I think there's something that Google is trying to do to improve the findability of CVEs. I think right now your desire to have them and the ability to find them is far away. I think it's not, and so I think Google's trying to bridge that gap, and it might be something that, Sean, like Augur kind of puts on a road map down the road.
C
If it can be improved, you know. Yeah, all right, cool. I'll do a little bit of searching here in just a second.
C
E
Hey Mike, yeah, I'm sorry about my in night, I mean that my internet is not so good enough. So I think in dependence area we should matrix from three aspect: one is a vulnerability and the second is license. You know, the, we want to, because the dependency they have, this have several levels, several ways: one integrate open source software component, integrate in another component, so about the two license we must to.
E
We want to check the compatibility of the two licenses and the further software licenses and the sound software licenses between them. You know, I think it's difficult for us to do this, because, I don't know, I think there is no, and there's not any truth about the license compatibility. And the third is a life cycle of the, of the life circle of the component.
E
You know, the, because the bottle, the bottle, the photo like the software, the age of the soviet is very old, so the up relax they like the owners. You know, owners one one, only one honors, so in the inside of the component.
E
Maybe this is the commitment released several years ago and we don't know is there anybody to maintain the software in overseas community. I think we want to, I think we can matrix the life cycle, the age of the each lay of the dependency, yeah.
C
So a couple of comments, and maybe a question too. So, license compatibility. So we do have metrics right now and tooling that can, not perfectly, but identify the licenses that are evident in known pieces of software, right. So it doesn't necessarily tell you issues of compatibility, but it tells you what licenses are present.
E
E
I think we can metrics the fair, the fair license and the component license, but some licenses they told us you needed to use the advertisement in it and distribute when you distribute. Some licenses ask your master to put the mining, yeah, yeah, yeah, it's not a compatibility, yeah. I think if the dependencies, the further government and the strong complement, they integrate each other, I think the best company competing, sorry, competitive, compatibility is the issue, I think, yeah, is.
C
C
C
B
I have, I have. I just need to find it because it's been a couple years now, but Phil Haack, who used to work at Microsoft and then worked at GitHub, developed a really great tool, but I have to find it. So let me search on that for a minute, because.
C
D
And you have, actually, we have three catalog license, so the catalog A we can use this freely, just like a previous, the BSD, MIT, the permissive license. The catalog B is more like we cannot change the code, but we can use the binary things, such as Eclipse license or Mozilla license, for the LGPL.
D
Cannot include that's dependency in, you know, release. So, as I mentioned, and we try to figure it out, but normally we have a long list of the software, the third party dependencies, and we go through, and, but I didn't find those automatic tools to do that. But we can use the dependency management to generate the third-party dependency and then we can inspect the dependency list.
D
So in this way we can tell if this subtractive dependency is good to go or if we need to remove it.
C
Okay, so what you hit, excuse me, so what you had described as kind of a useless, not a, you know, not a useless, but a use list that you can use, and it sounded like it was basically just moving from permissive to copyleft, and if it's permissive, it's okay, and if it's copyleft, yeah, yeah, but then maybe less so.
D
Yeah, yeah, the perspective we have is, we, because Apache Software Foundation's project to use the rpg license, yeah, it's a permit, this permissive license. We need to make sure the downstream users can still use this permissive software. But if we, if the projectors use a gpr.
D
It could be much easier for them to choose the third party dependency. The license compatibility should be more easier, but for the permissive project we need to be careful.
C
Okay, so I know that Augur right now, one of the parts that is in Augur is kind of an SPDX plug-in and it can do, it could do discovery, kind of what you're talking about, Willem. So it could do discovery of known packages, but it couldn't answer questions of compatibility, to what King is talking about.
A
D
Yeah, I just like, at least like this than the blacklist, so sure, so, if there's some license we are not allowed to use, maybe the two can sense the warning message or just complaining about that.
C
Yeah, so we've actually, so yes, there would have to be some tooling that would be built around the output.
C
That would actually warn you that there's something wrong or something to take a closer look at, but I know that the component that's in Augur, the SPDX component, can, at least was originally built to kind of do that, to not only do the scans, but then like stop a build process or provide an email that says there's an issue with a particular license. So this is something that we could take a look at, but again that won't do compatibility checking.
C
B
Great tool, though, if you're looking to figure out what kind of license you want to apply to your software package, but yeah, it doesn't really help the other way.
B
C
It doesn't seem like such an overwhelming tool to think about compatibility checking anyway. Okay, so we do have metrics that are based on licensing already, so we have already built those and, like I said, tooling is moving that way as well.
C
I do have one question, so this is my question then, I guess, and we can talk about age of components too. How, at Huawei, how are you able to build your dependency structure? This is a challenge. So how do you know what upstream packages you are depending on? Like, how are you able to do that discovery process?
E
Yeah, you know, for example, the different languages have different tools of the dependency. You know, for example, my member example is Maven. Maven has a POM, POM file, so we can analyze it and it is, we will analyze the component and we can see which government, okay.
E
Yes, after we know each component we can, from the community, find out the license of the component, and we have what vulnerability the database and to announce the, our product, what vulnerability you have mentioned, yeah.
C
Okay, so in that case, just pulling off of the POM file, yeah, and then kind of assembling a list and then doing license and vulnerability, or essentially building the dependency tree and then from there you could ask questions. Okay, yes. Are there other situations where you don't have a POM file and you're able to do this?
D
But you may need to use the make file to go through the dependency. I think we need to have a matter that is to describe, or just help us to imagine, to know about the third part dependency, and then, if there's one validity issue come out, we can go through them and look it up, and I think we are.
D
I try to build in these kinds of tools, but this really depends, it's a language specifically.
D
C
D
Yeah, it could be better if we have a net rebuild, but you couldn't say, I'm not sure if we already have that, but currently I can see, I got some measures from my colleagues and they just inform us there's a one, valid quantity issues and we need to upgrade the third-party dependency.
D
So I think we just built the channel, but it's more like a human work, not the automatic tools.
E
F
A
The different articulation of the same basic questions. Okay, that, you know, we, all of the, all of this is sort of under the broad umbrella of dependencies and vulnerabilities work, which is, so, I do think it's related. I think it's articulated a little bit different, and maybe some of the inner sourcing oriented concerns are a little bit different.
A
But you know, licensing has long been considered a risk, and knowing the licensing of your dependencies is a natural.
A
We've looked at a number of pieces of software that do the discovery, and so we haven't gotten into that concrete piece of how, so I would put that under the heading of how are we going to identify these things? And you know, Augur has some ways of doing it, but you know, this is one of the tricks with dependencies in our discussions and one of the reasons our discussion of them went on for a couple months.
C
A
Yeah, oh us is absolutely part of our, I've attended a couple of their working group meetings. Oast has definitely come up.
A
A
You know, including things like libyear, you know, like how old is my oldest dependency. So oasp is, I would cons, I think the work that they are doing is a subset of where we will eventually end up, and we will in all likelihood unapologetically leverage some of the work that they're doing and build CHAOSS metrics around them.
C
A
The, under external resources on this page are some of the tools that we've talked about, like olo. Where is this? On the right hand, like, scroll down under project classification, if you keep going there's a heading called external resources, and, I don't see it, but, scroll up, it's above leaders.
A
Like I mentioned earlier, does some notifications now. Jenkins, olo, olo's the one that Dave Wheeler's talked about a good deal, so there's a lot of tool building happening in this space.
A
I think one of my concerns, which I've expressed, is that a lot of the tool building in this space is venture capital led, and there's, oddly, not enough, not a lot of robust open source projects outside of GitHub that are really looking at this vulnerability space, and so I think there's a real important building piece that CHAOSS and other enterprises like Augur can contribute to, your bit or GrimoireLab, to build tools that are more open source.
A
And I say that because of all the things that we've built and that GrimoireLab has built, this is not the hardest technical hill to climb.
A
C
Is, so is there some way that in the CHAOSS project we can actually start making this happen, not only from a metrics perspective? Because we can define the metrics, right, like we need to understand vulnerabilities and upstream dependencies, we need to understand licenses, and we need to understand the compatibility of licenses. We can develop those metrics, but at some point we need to start thinking about how those metrics are put into place. You know, just like the classic things we always talk about, right, like metrics by themselves are interesting but not terribly deployable.
A
I think one way to do it would be to, you know, there's, I guess, there's three options, four options maybe. Option one would be we get some financial support for GrimoireLab to try to implement a pilot of this. We get a financial support for Augur to implement a pilot of something like this, and I mentioned financial support only because, although it's a lower level of difficulty, it's going to require a pretty committed developer for whoever does it.
A
A
A fourth option would be, is if a company wants to take this on as an open source endeavor, they could then open source it and we could leverage it, so there's ways to get this done. I mean, when I look at the Augur road map and when I talk to Georg about the GrimoireLab horizon, I mean, I think both of these projects.
A
So we need to think about how are we, if this is really important, and I think it is, we just need to start thinking about, okay, how do we scale CHAOSS and the software component of CHAOSS to address these concerns, and I think people like Dave Wheeler and Kate Stewart and Sophia Vargas would be good sounding boards to ask about this.
A
In terms, you know, Dave, Dave's advice has been, well, there's so much venture capital. I think Kate and Sophia are more interested in seeing something like this built, and Sophia, like you mentioned earlier, Google might be working on something, it's just not been clearly defined for us at this point.
A
So, like you, I mean, Google's kept a lot of stuff internal and I think they're starting to open source it. So maybe I could have a side conversation with Sophia about that. I can take that as a to-do, just to sort of check the pulse of David, Sophia and Kate about tool building in this space.
C
Yep. Elizabeth, do you have thoughts on this at all, or.
B
I'm just listening mostly, yeah. It's tricky to have that, those resources to develop something like that. I don't know, I think, yeah, I like the idea of just checking with others in the risk group to see what they think about that and if, you know, because we don't know what people are working on really, so.
C
Point, like, dependencies is the start and then enumerate, and to Willem's point, enumerating the CVEs, the licensing, and then also kind of the activity, just the liveliness of the projects that you're also relying on, even if their licenses are good and they have no vulnerabilities, just whether or not that project is sustainable, and so, like, the demand for this is just enormous.
C
Everybody talks about this, but somehow there seems to be a gap in the ability to get this into practice, like it still seems very manual sometimes, it still seems, and I don't understand why that's the case. I mean, I guess I don't mean to say, like, the gap is.
A
A
But the other piece is that doing this well requires maintenance of a data set, a curated data set, so we can start with NIST, but this won't be enough to capture vulnerabilities that are not in the security database. So there'll need to be an ongoing curation of a data set, which.
A
You know, it's something that could be a community effort, but then there's also, as Dave Wheeler's mentioned, this ethic in the security community, where there's very lot of thought that goes into when do you make the, when do you make the existence of the vulnerability visibly, visible publicly, because there's a tendency in the security community to want to have it fixed before, or want to know what the fix is before you announce it publicly. Not that people don't know about it, but there's this gatekeeping of when you make it available.
B
C
Made, so how do we, based on what Willem and King have brought up and based on what's going on in the risk working group, and we have two minutes to figure this out, how do we road map a solution to this?
D
Right, I don't think, though, we can come out to the solution right away, but I think this could be a interesting topic for the people to join, and I think this could be a bridge to help us to outstand the issues and find out the good solution, and we can see a lot of other projects also interesting about that.
D
How about we start the conversation and to find out if we can integrate, and from my experience, I work on the application integration business for a while, and I think, if we can talk about, can come out API or some things, we can work together, and I think maybe the matrix could be a good thing for the dashboard and it could be used internally and to help the hospital or the medical team to know about the situation.
D
And if we can connect to the other open source projects or some kind of database.
D
Maybe we can get it running and have a general idea of this kind of thing. So I think this topic could be open for a while, but we need to get awareness of the others. Maybe they can help us, or maybe we can build the tool ourselves, or to help others, but I think this could be a, it could be a good business, especially for the security company.
E
E
Here, can you see my screen? Yes, okay, you can see, okay, this is a, the license list, so I, now I focus on the license risk these days. You can see this, this table is a license list. I almost gather ser 70, 70.
F
E
Here, yeah, this is the SPDX, the standard license name here, and I separated it's each license into three, three, the demo, the green one is the right. You have the right to commercial use, distribute, modified kitchen and patent use and private use. The second one, the second demo, the sixth domain is blue. It means the obligation of the license. You know, you must open it, you know, disclose.
F
E
Note, notice, and the, this license is in the sas in the, you can say GPL 3.0, this license, you must open your software source code. And the last is the limitation of the license, in the right, right color, the abilities, trademarks, use and warranty. Yes, this is the license type. You can say it's a permissible, sas cup left and the copy, copyleft weak and properly left strong, and this is free, is maybe approved by FSF or OSI, you know, yeah. This is a list.
E
I wanted to develop a tools after the scan and told the each developer or maintenance of the repo what is your right, what's your obligation and what's your limitation, yeah. After I finish this table, I can communicate, dedicated to CHAOSS project. I think it can be reached the argo aguas matrix the truth, yeah. I can dedicate it to, yeah.