►
From YouTube: CHAOSS.Common.April.20.2019
Description
CHAOSS.Common.April.20.2019
A
So
Georg
is
recording
if
I
had
to
guess
somebody
who
pushed
the
button.
I
have
a
few
things
for
folks.
So,
let's
see
our
google
season
of
docks
was
not
accepted,
so
this
was
the
one
where
we
were
taking
a
look
Georg.
If
you
recall,
we
were
looking
at
trying
to
improve
documentation,
so
I
got
an
email,
and
this
is
the
first
year
on
the
pilot
program
for
Google
season
of
box
and
they
had
over
200
applications
and
they
accepted
55
zero
this
year,
so
I
think
they're
just
trying
to
run
it
tightly
so
anyway.
A
That
is
that
please
keep
them
a
google
Summer
of
Code
students
are
on
this
call.
So,
but
the
google
Summer
of
Code,
like
final
request
for
for
students
kind
of
to
fill
the
slots,
is
tomorrow
so
but
I
think
that's
fairly
well
moving
along
fairly
well.
So
that's
number
two
any
questions
on
the
Google
things
for
me.
So
far,
all
right,
I.
A
B
A
A
What
that
day
would
look
like
and
I,
don't
I,
don't
know
what
a
day
is:
I
don't
know
if
a
day
is
four
hours
or
a
day
is
eight
hours
and
so
more
to
come
a
little
bit
on
that.
So
just
putting
that
out
there
and
then
why
not
outreach
things
today
and
then
the
fourth
thing
was
the
community
bridge
application
that
was
in
and
I
took
all
the
feedback
from
Sarah
had
given
quite
a
bit
of
feedback
and
that.
A
Accepted
I
got
an
email
that
said
it's
accepted
more
to
come
shortly.
So
that's
good
and
I'll
share
that
with
everybody
once
we
get
officially
into
the
community
bridge
morgue
site,
so
slowly,
but
surely
moving
forward
on
that.
One
and
I
think
remember
how
I'm
I'm
really
not
100%
sure
what's
going
on
with
community
bridge,
but
hopefully
things
will
reveal
themselves
as
as
we
move
forward
with
that.
So
that's
good
news
and
then
my
fifth
thing
I,
don't
know
how
you're
doing
on
notes.
You
need
to
get
y'all
good
and
then
the
fifth
thing
was.
A
A
So
just
suffice
it
to
say
for
everybody:
who's,
not
helping
organize
we're
doing
a
chaos
con
in
San
Diego
the
day
before
the
opens
were
summit,
North
America
and
that's
it
so
we
just
have
to.
We
have
been
organizing
committee
just
willing
to
put
our
heads
together
to
think
about
what
that
day
would
look
like,
so
that's
it
so
we're
just
rying
to
find
a
time.
So
those
are
my
five
quick
hits
season
attacks,
summary
code,
Grace
Hopper,
the
other
one
community
bridge
and
the
chaos
condom.
A
This
seems
to
be
something
that
we're
doing
a
little
bit
more,
which
is
on
the
outreach
side
of
things
and
I'm
happy
to
keep
that
ball
rolling,
so
I
was
hoping
Sean
are
you
on
I'm
here,
Sean
is
here
so
I
was
hoping
Sean
that
my
one
agenda
item
is
that
you
could
give
people
kind
of
an
update
as
to
what's
happening
with
risk
these
days,
because
we've
had
fairly
small
group
of
people
and
it's
own.
It
feels
like
it's
starting
to
kind
of
get
some
momentum.
I
think
it
is
yeah.
D
Are
a
couple
of
threads
that
are
happening
with
risk
right
now
and
let
me
just
note
spring
yesterday:
the
the
first
thread
is:
we've
had
a
lot
of
expresar
security
safety,
critical
systems
and
how
we
address
those
questions
with
both
metrics
and
possibly
other
other
mechanisms.
Just
give
me
one,
since
there
is
there's
no
sir
yesterday
I
just
so
the
first.
The
first
thing
is
that
there
are
some
things
related
to
risk
that
are
interesting
both
to
other
working
groups,
so
understanding
the
sustainability
of
the
communities
is
something
risk
is
interested
in.
D
They
call
that
business.
You
know,
risk
the
risk
that
the
project
will
stop
to
stop
existing
and
then,
when
the
project
stops
existing
we
will
no
longer
have
support,
and
so
that's
a
concern
in
there's
also
sort
of
wish
to
explicitly
Express
in
some
way
projects
intended
support
window
for
a
particular
release.
So
in
some
cases
like
the
supper
project,
they
will
state
explicitly
how
long
the
release
is
going
to
be
supported
for,
and
there
are,
these
I
guess.
A
D
A
D
Yes,
so
thinking
about
it
so
to
find
them,
for
example,
at
hospital
or
analytical
Center
and
I'm,
using
open
source
and
I'm
choosing
the
open
source
packages.
Knowing
that
the
version
that
I
choose,
which
I
may
create
dependencies
on
will
be
supported
by
the
community
for
X
period
of
time.
Sustaining
that,
if
that
policy
explicitly
is
something
that
is
that's
a
great
interest
in
the
risk
in
the
risk
of
community.
How.
D
Data
in
some,
in
some
cases,
the
project's
state
that
somewhere,
but
not
in
a
specified
file,
so
one
of
the
recommendations
for
that
sort
of
metric
would
be
either
that
we
possibly
included
in
badging.
You
know
I'll
talk
about
badging
with
it.
In
the
end,
the
other
way
would
be
that
we
have
some
kind
of
filed
like
a
dot
support
file,
there's
nothing
that
would
indicate
the
general
support
horizon
policy
for
a
project.
So
when
there's
a
formal
release,
it's
going
to
be
supported
for
x
periods
of
periods
of
time.
I'm.
D
Yeah
and
I
and
I
think
so:
that's
that's
the
in
the
in
the
there's
a
producer,
there's
what
I
call
the
project
itself.
So
the
project
is
producing
software
or
one-dimension,
and
then
the
consumers
who
are
using
that
software
it
would
be
another
dimension
law.
In
some
cases,
many
cases
the
other
projects
or
the
places
that
are
open-source
workers
consumed,
is
in
other
open-source
projects,
but
there
are
in
the
medical
economy
and
in
safety
critical
systems.
There
are
end
users
that
are
corporations
to
incorporate
their
software
or
open-source
software
into
a
environment.
D
I
call
that
the
consumer
side
versus
the
producer
side-
another
word
that's
come
up
in
the
risk
discussion-
is
to
refer
that
as
operations.
So,
if
you
think
about
the
Equifax
breach
the
issue,
there
was
open
source
operations
and
a
disconnection
between
the
community
and
the
patch
of
struts,
so
knowing
helping
helping
organizations
that
are
not
open,
source
contributors
or
technology
companies
consume
open
source
in
a
way
where
they
have
some
mechanisms,
metrics
or
practices
that
they
can
use
to
understand
where
they
sit
with
regards
to
being
up-to-date
I
think
is
that's
a
conversation.
A
D
D
What
that
means,
and
then
how
we
interpret,
that
is
something
that
probably
has
to
be
negotiated
in
the
context
of
the
fact
that
there
are
frequent
new
releases
and
helping
to
educate
folks
who
are
not
open,
source
active
but
use
these.
These
are
products
on
how
to
keep
their
patching
current
so
that
they
are
that
that
the
procurement
question
isn't
really
relevant.
It's
I,
don't
think
the
procurement
question
is
relevant
for
them
for
the
money
folks
and
the
legal
folks
making
the
vacants
that
are
to
be
good
decisions
and
the
the
security
patching.
D
A
D
C
D
C
D
I
think
the
other
thing
is
giving
the
IT
folks
inside
of
those
organizations
tools
to
maintain
awareness,
and
there
are
vendors
like
Black
Duck,
who
do
things
like
this
already
and
then
we
kind
of
talked
about
open
source.
So
that's
kind
of
that
part
of
the
discussion.
Okay
and
then
I
mean
it
was
a
lot,
but
maybe
just
the
most
significant
other
discussion.
I
think
people
would
be
interested
in
is
for
safety
critical
systems.
D
Ecosystems
that
are
concerned
about
risk
are
handled
to
some
extent
by
badging,
which
is
already
part
of
the
Linux
Foundation's
a
separate
program
outside
of
chaos,
and
we
talked
about
yesterday
and
it's
come
up
before
Jessica.
It's
really
kind
of
kept
this.
This
separation
between
the
vehicle
consuming
and
producing
open
source
in
front
of
us
from
the
very
beginning
she's
with
the
Linux
Foundation
I,
don't
know
if
she's
on
the
coffee
as
I'm.
Looking
at
my
notes
so
that
so
the
badging
is
all
many
of
you
may
now
have
a
set
of
criteria.
D
To
silver
and
gold
there's
additional
boxes
that
you
need
to
check
off
and
for
risk
some
of
the
but
and
you
can
show
your
progress
towards
silver
or
gold
by
percentage
for
risk.
There
are
some
discreet
line
items
that
probably
we
would
say:
okay,
well
we're
gonna.
We
might
provide
a
metric
about
whether
this
line
item
is
checked
and
we
might
provide
a
very
piece
of
metric
definition
that
verifies
the
that
Fox
is
actually
checked.
You
know
it
me,
but
it
makes
sense
to
try
to
have.
A
Chaos
and
or
auger
ended,
or
room
or
lab,
try
to
go
through
the
badging
process.
Yeah,
okay,
I
think
I.
Think
that
would
make
it
ton
of
sense
right
well,
just
cuz.
It
would
do
a
couple
of
things
one.
It
was
obviously
like
set
us
up
against
the
badging
process
and
it
would
probably
help
reveal
like,
what's
in
the
badging
process,
yeah
for
sure
yeah.
D
And
there's
there's
I
think
there's
some
elements
in
the
badging
process.
We're
gonna
try
to
get
Devi
or
alcohol
okay
person
responsible
for
the
badging
program,
yes,
and
some
things
like
I
think
it
was.
Fifty
percent
of
code
needs
to
be
covered
by
testing,
there's
the
gold
badge
level
and
for
safety,
critical
systems,
that's
gotta,
be
a
hundred
percent
or
pretty
I
mean
pretty
darn
close
to
it.
Safety
do
critical
systems.
Are
they
generally
deterministic
in
the
sense
that
you
can
get
close
to
100
percent
coverage?
Okay,.
C
D
A
In
my
mind,
I,
don't
know
what
other
people
think,
but
because,
like
the
way
that
a
can
structure
for
the
cast
project
is
structured,
we
have
the
metrics
component,
which
is
kind
of
technology
agnostic
right
and
then
we
have
to
open-source
more
than
two
but
pieces
of
open-source
technology
that
play
a
role.
Obviously
in
the
deployment
of
those
metrics.
D
Have
to
deal
with
solve
software
specifically
in
under
the
Kaos
project,
the
work,
the
repositories
that
are
badged,
have
software,
so
I
think.
If
we
had
augur
and
more
lab,
which
are
the
two
active
piece
of
software
badged,
then
we
could
and
I
have
to
look
into
it.
I'm,
not
an
expert,
but
I
would
think
that
that
we
can
check
all
the
boxes
to
get
all
of
Kaos
badged.
If
the
pieces
of
us
that
were
software
were
patched,
it
seems
like.
D
B
Lot
of
the
projects
are
doing
that
hyper
nature
and
some
of
the
other
big
ones
is
they
get
a
badge
for
individual
sub
projects.
So
the
way
that
that
would
apply
to
us
is
grimlock
would
get
its
own
badge.
Karger
would
get
its
own
badge
and
then
we
as
Kaos
can
still-
or
you
know,
I-
don't
think
we
have
to
do
it
at
the
workgroup
level,
but
the
chaos
metric
side
can
get
its
own
batch.
B
So
we
have
three
badges
and
for
the
metric
side,
because
we
don't
have
a
software
artifacts,
some
of
the
metrics
just
don't
apply
and
we
can
just
say
not
applicable.
Okay,
there's
still
a
lot
of
good
criteria
that
are
about
the
governance
and
how
the
project
is
set
up.
That
I
know
we
do
a
lot
of
the
things
already,
but
there
might
be
a
few
criteria
that
we
can
actually
improve
on.
Okay,
so
do
you
think.
A
A
That
counts
it's
more
than
I've
done
so
so
maybe
we
can
put
like
the
first
or
the
first
small
note
in
the
notes,
I'm
sure
you're
doing
that.
But
yes,
there
it's
happening
and
in
really
again
from
my
perspective,
it's
two
things.
One
is
that
it
I
think
the
badging
is
important
for
the
projects
in
general
and
then,
if
risk
is
gonna,
be
using
anything
out
of
badging
I
think
this
will
shed
light
on.
What's
in
there
to
be
used,
so
I'd
be
cool
all
right,
great
anything
else.
Shawn
Grovyle.
D
D
So
if
we
start
just
do
things
like
provide
metrics
related
to
dependencies
and
security,
patching
and
process,
for
example,
we
can
either
give
a
false
sense
of
security
that
that
a
project
is
secure
or
we
can
motivate
people
to
sort
of
go
through
the
motions
of
checking
those
boxes.
So
there's
a
sir
and
understanding
that
if
we
create
metrics
and
risks
that
are
directly
related
to
security,
to
be
careful
about
just
not
motivating
behavior
that
doesn't
actually
improve
security,
say
that
again.
D
Well,
for
example,
if
we,
if
we
were
to
say
instrument
or
create
a
metric,
that
said
for
all
for
all
the
pull
requests
or
contributions
of
code
on
this
project
go
through
two
reviews
before
they're
merged
and
then
that
we
use
to
indicate
for
the
approxi
for
some
sense
of
oversight
and
process
existing
in
an
open-source
project
and
started
using
that
as
a
metric,
then
with
that
could
potentially
motivate
those
projects
to
simply
create
those
steps
in
their
repositories
and
about
really
doing
in
an
authentic
reviewing
nicely.
D
D
A
Good
well
are
the
I
think
you
did
post
it
I
think
we'll
start
recording
those
meetings.
If
that's
all
right
with
you,
I,
don't
think.
We've
been
yeah
lately,
yeah,
of
course,
okay,
someone's
good
anything
else,
Shawn,
no,
okay,
cool!
Thank
you.
That
was
that
was
good.
I
just
want
to
kind
of
get
that
yes,
I.
Think
all
groups
now
are
often
running.
We
have
no
more
capacity
for
any
other
groups.
So
that's
it!
You
know.
If
anybody
wants
a
metric
could
find
a
home
shall
be
no
more
working.
A
B
B
B
A
B
A
A
A
A
Be
there
next
week,
sorry
I
hit
I
had
a
final.
E
A
B
B
A
C
Silence
well,
I'll
speak
up
very
quickly
with
with
value
a
reminder
to
everybody
calls
every
Friday
morning.
We've
had
really
nice
turnout.
Last
week
we
had
a
new
person
turn
up
and
in
Johann
lineker
who's,
a
who's,
a
PhD
candidate
in
Sweden
who's,
looking
at
open
source
value,
he's
going
to
be
doctor
known
as
dr.
value
once
he
graduates.
D
C
We
are
getting
close
to
having
a
working
instance
of
value
metrics
based
on
auger,
very
excited
about
that.
Maybe
we'll
get
that
this
week
or
next
week,
and
the
only
thing
that
we're
doing
is,
you
are
thinking
a
little
bit
about
grants
and
I'm
doing
a
some
exploration
to
see
if
we
can
reach
out
and
get
some
grant
money
to
help
our
activity
with
the
value
group.
F
D
A
A
A
A
A
It's
not
critical
that
you
know
everything
that
you're
thinking
about
needs
to
be
released.
I,
think
the
goals
on
the
release
is
that
you
identify
the
focus
areas
with
the
goals,
questions
and
metrics
and
then
provide
details
on
the
metrics.
So
there's
detail
on
the
metrics
that
are
actually
being
released.
A
B
A
B
A
Okay,
cool
got
that
in
there
alright.
Well,
if
all
folks
are
good
I'm
good,
the
remaining
agenda
this
week
is
there
is
there's
no
evolution.
Meeting
this
week.
If
I
recall,
Kahneman
has
one
as
Don
pointed
out,
and
Andy
has
one
or
I
should
say
value
has
one
as
Andy
pointed
out,
okay,
cool
all
right.
If
there's
nothing
else,
I
am
good.
I
assume
everybody
else
is
good,
we're
good.
All
right
have
a
great
week.
Everybody
use
you
right.
Thank
you.