From YouTube: CHAOSS Risk Working Group 6-10-21
A: Now, the next... does anyone else have any other? What I was thinking we could start doing is actually working on the metrics for risk.
B: Doing well, how are you doing? I'm feeling overwhelmed. But why, Dave... why, David, there's...
A: I've heard of it, but I don't honestly know with certainty what it is like. I know it's Google's.
D: It's an aggregate dependency mapper, so instead of looking at any of the ones that are focused on specific package managers, it combines them, and it combines them with vulnerability reporting. So I've known about it for a while, but I couldn't talk about it until now. When we were, like, maybe two months ago, we were talking about available tools. Oh.
B: I was thinking of the CHAOSS working group notes, but I mean that was...
G: Sophia, I have a couple of questions on that one, on deps.dev, because as soon as I saw it I dropped the link in our team chat, because we, you know, are so deep in some of this analysis as well, and it covers some of the ground that Libraries.io covered, but different ground, and some of the ground some other tools cover, and different ground.
G: Okay, and it was interesting to me to see it launch with sort of limited package support, given there's a number of tools out there that have already sort of covered the ground of unpacking these package manifests and sort of drilling into it. So is there anything you can say to that, or any insight you can give us there?
D: Not that that's helpful. When I've interacted with that team... I wasn't a part of this project. I met with them a few times just to get a sense of what they were building; what they ended up building wasn't even the same thing that I saw four months ago. I think they were kind of just playing around with what the white space was. I know they've been working on it for a long time, so I know they're trying to get as much in there as possible.
D: So there are some that were just easier to hook in than others that were not, but in terms of the level of comprehensiveness and what was left out and why, I'm not... I can ask if there are specific things on the roadmap. I don't know what's in play.
D: We had some positivity in the sense that there was a lot of consensus that dependency mapping is hard: being able to enumerate the extended list of dependency trees and transitive dependencies. And so there was positivity in response to trying to make that more accessible, or just calling into question the importance of it and mechanisms to do it, even if this isn't necessarily a tool to do it with. So, in that sense, there was a positive reaction.
D: I must also note, on the PR team, I'm assuming they know more than I do. But I do know this is a fairly long time coming. They've been building this thing for a few years, so I'm guessing that they have more to come. I still don't quite know what the scary little creature mascot means, but I didn't want to ask that as well, because I'm just curious.
D: Yeah, but I will ask about APIs, because I think that's relevant to trying to understand the extensibility of what they built. But just ping me if you have other questions, and I can see what we're allowed to talk about at this stage. I mean, I'm assuming now it's a public project, so they should be more forthcoming with information.
A: Yeah, I don't see how to get to the GitHub repository. Weird.
B: I know what's amusing is, if you basically... they've yanked in the OpenSSF Scorecard and, of course...
B: Notice, oh look, CII Best Practices is on there. Oh, is it? Awesome. Oh yeah, but if it's there, so you know if you... here, let me paste in a link to the Kubernetes data. I think that's a useful sample example.
B: Finds now whether... well, well, if you click on it, it has a list. So.
B: Yeah, yeah, they're all... it looks like everything, I mean I'd have to read through, but it looks like it's all within the Docker image, and you know that actually now, see, I'm not so sure the Elasticsearch isn't pinned, but the ones where there's a variable...
A: Well, that's exciting. I mean it's certainly another place to look, and there is some really interesting analysis here.
D: Talking about scary graphs, yeah, do I get there?
D: Shoot, I found it before. There's a way to visualize this as a graph when you're in the dependencies. If you click on... scroll up to the top bar, dependencies, you're viewing it as a table; you can also view it as a graph. It's a bit terrifying, and it reminds me... oh wow, terrifying view, but what we had initially, for those that are relatively new...
B: Yeah, yep, I would call it terrifying, I would call it incomprehensible. The word used second, yeah. Oh, and I will say now, although it's not exactly the same view, we... I tried to do...
B: I mean at that point you really end up with just making a list, yeah, like this, a simple text list, which is okay. I mean it works, but you...
D: Let's just say I did like how they also have forward and backward in terms of dependencies and dependents, where a lot of... I haven't really seen a lot of dependency analysis that also has a few.
B: But you know they show the graphs. As far as I can tell, showing the graphs is to show "wow, we have a lot of data", you know. The analysis is: you focus on specific things and then you use code to find the patterns. You don't actually try to look at these graphs for insight. I just don't think people can do that.
E: But what is a filter?
A: Yeah, okay, anything else we need to probably talk about there? No, I thought today maybe we could work a little bit on some of our metrics and... So, if I'm remembering from our discussions, I think maybe there is some translation that didn't get carried over from our minimum viable product. So we have repository dependency enumeration and we have upstream.
A: Are we just... are we keeping separate metrics for upstream and downstream? Because I know we have them, but I remember a discussion where we talked about just having "dependencies", and upstream and downstream would be a filter on it, and it would just be one metric. Does anyone want to... what do people think?
A: So we have in our minimum viable product: we have dependency enumeration, range, Libraries.io, known vulnerabilities, scorecards, etc. But when we... and I remember saying that, I remember a conversation about dependencies being just dependencies, with upstream and downstream being filters on dependencies.
D: So I think that it's a different kind of risk communication and choice in terms of how you would use that information, so I feel like that warrants it being separate.
A: I certainly understand... I understand, like, so dependencies are places upstream and dependents are places downstream? Or can you have upstream dependents and dependencies? Because it feels like dependents and dependencies are opposite sides of the same direction, of the same flow, or opposite streams of the same flow, and it feels like "dependents and dependencies" is the same as "upstream and downstream". Is that right? So I'm a little confused.
A: Yeah, that's... so I added... I made this "downstream code dependencies" with "dependents" in parentheses, and then I made this "upstream code dependencies" with "dependencies" in parentheses, but those two could be just "dependents" and "dependencies", and we could be specific in the description about the inclusion of upstream and downstream. That's the same thing.
H: I think, going back to David's analogy of the river, I think upstream and downstream are pretty well understood. I'll give you... if I just did a quick search, you see lots of people asking "what is the difference between upstream and downstream dependencies?" So I guess there's some confusion, so maybe how you have "upstream code dependencies (dependencies)" and then "downstream code dependencies (dependents)", yeah.
B: In fact, the old versions of the Forth programming language, they would... you could have any... the variables, they didn't care after the first.
D: Yeah, I mean I don't know if we want to get rid of it permanently, but it's not going to be released by it. So we might want to not say "defined as" but say we've, like, scoped that as a separate metric to be assessed at a later... something, a way to allude to it, because I think that statement is still relevant: to say that we're not looking at the infrastructure dependencies and we consider that a separate category.
A: You know, Fortran compiler, so there's all these dependencies on compilers that haven't been updated yet, so I can run my software on any version of Ubuntu or Fedora, but there's sort of an implicit lag, because I use machine learning in the Python upgrade, but that is also tied to the Linux platform, because Ubuntu still doesn't distribute Python 3.9 on its long-term support platforms, because TensorFlow and PyTorch and all those other libraries don't yet support Python 3.9.
A: Although that seems to be changing in the past few weeks, I think very, very soon. Do you see my point? Like, it's... I can always run it on the Linux versions, but there's an explicit Python requirement that has to be in a certain range, like, forever. Right now it's up to three, where you support up through 3.8.x, and once PyTorch and TensorFlow support 3.9, we'll support 3.9.
B: All right, so, but see, it's not even clear that... so much interpretive language, it's really the runtime. Are we including the runtime?
B: Less so for Python. There are significant... see, Python's the most popular, but it's certainly not the only one; same for Ruby. There's a most common implementation, but there are others. That's not true for some other languages, though. You know, there are languages, C being one, for example, where you absolutely might use different compilers.
A: Okay, C, yes. C is an example where, if I can't find a distribution for the combination of different dependencies I have, oftentimes PyPI is going to pull down the source code for that library and compile it in C during my install. So things that are compiled in C do seem to... they exist in that form, so that you can overcome other dependencies. It seems... is that fair?
B: Language libraries, just like Python has a "batteries included" construct, right. So you know, if you import a library, technically that's a dependency, right, but if you're importing re in Python, right...
B: By implication, it would freeze not just the runtime but also the libraries from the language, yeah. So if you tell it you're going to run in Python 3.8 and you use venv or something else to switch to that, rbenv in the Ruby world, that'll switch both the runtime and the default language libraries.
B: Those... those are called virtual environments. I will...
B: In Python, I will give you a link in there. Okay, typically controlled, typically, often controlled by virtual environments.
B: The selection of it, though, is absolutely controlled, e.g. v-e-n-v in Python? Okay, then there's tools like rbenv, and there's two of them in Ruby. Of course, there's 11 in the R world.
B: That's right, so rbenv in Ruby.
G: So, to follow up, I am not currently aware, even these things aside (Sean, I think I'm answering your question here), of a standard way that this information is included as part of a project, right. Like, there's not a correlating manifest that is typically shipped in a project that you can inspect and get this information. You can get at it on an environment-by-environment basis, but, like, not that I've encountered. And Sophia, this is sort of related to the conversation... oh, that's...
B: That is a language-specific question, right. I... you know, so, for example, in Ruby it's actually pretty straightforward: you're supposed to put that in .ruby-version, a file, and then you're done. Typically that's referenced from the file called Gemfile, which is your list; it's the unlocked list of libraries, or Gemfile.lock, which is the locked list.
B: And then you're done, so there... so within the Ruby ecosystem.
B: And it kind of makes sense that it would be language-specific. I think we could make a very good case that languages which don't have such a system should start... should switch and start having one, exactly.
G: And this is sort of the, like... I don't think it's that different from package manifests, that are all language-specific anyway, but the conventions have converged across language ecosystems that you include them in the repo, right. One of the things that we did to get at some of this information, for the purposes of Mariner and doing our own analysis, is, for the Python project, we have...
G: You know, a script that you can run in the environment that just exports some of those standard variables, and then, like, a custom little bit of code to consume them. But in terms of trying to figure out how to stack the importance of those against the importance of package-level dependencies that are included all over the place...
A: Yeah, well, and PyPI actually has started to increase the logic for its refusal to compile incompatible libraries or dependencies. It used to just compile it straight up with no questions, and over the last six months to a year, and especially in the last six weeks, about four to six weeks, I've seen my PyPI build failures increase dramatically. So they're starting to break more and more stuff if you have incompatible libraries in your build, right, which is nice.
A: Right, sometimes I wonder, honestly, it's like... and I have no way to, like, dig deep and check that. But sometimes I do wonder.
G: Yeah, I was going to tap Sophia on the shoulder there, because we had a conversation a while back that was a little related to this, and one of the things that we're going to do but haven't done yet is attempt to crawl through the container registry that we have and see what we can get out of that. It's going to give us some of these things, but it's obviously not going to give us everything. And Sophia, I didn't know if you had any other insights.
D: No, yeah, I'm just trying to think of other ways that we can generalize this, because I feel like we are getting really specific, but it's hard to not get specific when things are not organized or architected in the same way. And of course, as we're talking about PyPI, I went back to the infrastructure comment, because they had a major outage this week because of Fastly, so PyPI's infrastructure was down. So yeah, is...
D: Yeah, I was trying to remember that, Duane, because we were talking about other ways where these kinds of things might be enumerated, and it might involve going a level below. I mean, you're talking about container registries versus just things that are declared.
A: Okay, which...
A: Transitive, two-plus, is indirect, so it's, like, everything your direct dependencies depend on. And I guess the second one, number two, would be: I have a dependency that's direct, and it has these other dependencies that my main program doesn't have, and those would be the second-order dependencies, and presumably you could have third-, fourth-, fifth-order. I think you get over 90% of what you're needing to get from the first two orders.
A: It's a little like, "I hope you're good at algebra, right, you're good at abstract thinking and math, right." Well, because this is abstract thinking, and if you, you know, you're not really smart at math, maybe you won't get it, I don't know. So it does... look, it's hard to understand. I agree with you. I was trying to agree with you and be funny at the same time; I failed on one of those counts. No.
A: Tree, exactly, I think show the tree. I'm just making a comment because technically we're a minute over, but I think we've done a good job of this; this metric is nearly ready to go. Does anyone want to take it, to do... to flesh it out?
A: I'm in the Slack. I don't know, Arfan and Duane, are you in the CHAOSS...
A: Australia, all right, and I'll invite you to the Slack in general, Duane. If you just... I should just use your Indeed address, or is there a different address you prefer?
F: Just put in the... in.
C: Then why don't you just add once.
G: Yeah, also, guys.