From YouTube: CHAOSS Risk Working Group 8-19-21
A: So this one here, this dependency, "how many times is a single dependency referenced," is one that OSPOs care a lot about. So if I have, let's say I have 11,000 projects in my ecosystem, which is a real example, and each of them has a dependency, it would be good to know which of those dependencies are most prevalent in that ecosystem of 11,000 projects. In other words, not just by individual project, which we can get at the repository level, but also across an ecosystem.

A: So it would be kind of a derivative of... like, it might include, for example, how many projects is it a dependency for, and of those projects, how many files in that project is it used in, and so we could sort of rank order which dependencies we depend on the most in our ecosystem.
C: So I think what you're talking around is something that we maybe talked about a few meetings ago. I think it was the last one, which was trying to figure out how to add or encourage context in these metrics, or as a metric that would capture context, whether or not it was either repetition of the same thing, where you know that that thing has a greater impact to your code than something else, or what area of the code is it? Are you dependent on?

C: I saw all of that as sort of add-on metrics to the core metric. Yeah, I'm not quite sure what the best format for something like that would be, because I don't like sharing, like, six contextually additional metrics, isn't like, if it's all kind of building on the same concept, versus metrics that help to provide more context around the central dependency metric and understanding. Now you counted your dependencies, how do you know which one of them you should actually care about, or address first, or know about more?

A: We would use, for example, an aggregation of the existing metric, downstream dependencies, that we just released to get to that end point.
B: And one challenge here is who is the "we". So you mentioned OSPOs; for a given organization this can be useful, but it's really for that one organization. Obviously different organizations will have different ones.

B: This one you're talking about requires looking across all projects for some set, whereas Libyears really isn't. It's a very, very... it's not counting existence. It's actually drilling into timeliness.

B: So, if we're looking for something different, I think Libyears is much more different than trying to enumerate. Now, as far as going back to this thing, "dependencies relied on," which is really actually the other direction. It's not so much dependencies. It's dependents.

D: Our question is what projects and libraries does my project depend on, in that I got a list, and a filter can be, okay, from this list, how many, which one is very critical to me, on which my ten or thousand projects depend. So it's just a filter to that existing metric, okay.

B: Yeah, now, if you want to look at things further, you can look at the Census II preliminary work and the Harvard work where they've done this. Although the challenge there is "important to who," so, for example, for Harvard they've been actually working for years with SCA supply... I don't know, suppliers, tool makers, who are trying to filter out, you know, that top level to figure out what's important and then go backwards, right.

B: To do, by the way.

A: Okay, so going back to this list here, this might be a derivative, a filter on number one, yeah.
B: Well, if it's only within a project, I don't care. I don't see why I care. I don't care. Let me just start with the strong statement. Let's see if I can buy it after we talk, but let's say, okay, library A is used in B and C, and D uses B and C, okay. So that means that library A is brought in twice.

B: Care in a broad cosmic sense of something can matter, because B and C might bring in different versions, but for the most part I just want to make sure that project A is doing a decent job, and if the real problem is I'm not keeping them up to date, I mean, you know, but you know, if there's a vulnerability in A, then there's a vulnerability in A and it doesn't matter how many times I brought it in. I still have a problem.

B: But how many times across an organization or an ecosystem something is used can matter, but then we have the additional complications, and Sophia, I know we've talked about this before, where it's not just really "is someone using it." It is "is someone bringing it in," but is anyone using that thing?

B: You know, because if B uses A but no one uses B, we still don't care. Or people used to use B, but now they don't anymore. Or, even more common situation, B used to depend on A, but the current version of B stopped using A a long time ago, and so, if you ignore versions, yes, there was a dependency. But as soon as you look at versions, you know, we just don't care anymore.

A: Yeah, now I'm so confused. So if you...
B: I think, and there's only limited time, so I think we want to emphasize metrics that are especially useful for whatever our stakeholders are, and now we're asking who the stakeholders are. But that does seem like the right question to ask. You know, what are the important metrics? Well, I don't know, what are you trying to measure? If it doesn't... my theory is, if you're not driving a decision, let's stop, I don't care, you know. If a metric reveals some fact about the universe...

B: Facts of the universe are easy to create, right? Any... you can always create another fact. You know, I ate this breakfast today. Another fact has been added to the universe and no one cares.

B: I see the company use case, and certainly the LF and the OpenSSF, they want to identify critical projects, and actually the US government too.

B: Right, but you know, in that case, critical projects, what they depend on is actually a very small part, possibly an irrelevant part. What matters is the use case, and then you work backwards.

B: Now the problem is, if you identify critical, you know, at any management for a golf course, that's just the same as a nuclear weapon. No, it's not. We all know better, but they're trying to make things simple. I think that's a mistake on their part, but that's okay. I mean, I understand why they did it, but you know, I think it is fair to say that it's much more than just "lots of people use it"; it's the context of use.

B: You know, what's it being used for, what does it do, and that's a whole lot more than just counting up. I don't see being able to do that. I think the metric supports, once you figure out where you start, but that's why Harvard, for example, is going to SCAs, because you don't know where the top is just tracking dependency trails.

A: So if I'm looking at this, Libyears of dependencies seems like it, or downstream dependencies seem...

D: No, it was not limited to the counts. The question in that was like, what are the libraries and codes and versions I'm dependent on; it's not just about the counts.
B: The first question is how many people, without stats classes, know what a median is. I know it's the line in the road, right.

C: Actually, I'm working on a metrics presentation right now and we lean to use median on all of them talking about open source, because the distribution can be so wild. So if you're showing an average, the recommendation is to also show the distribution. If you're only picking one number, it should be median.

B: Yeah, although, to be fair, I actually argue often for average for the same reason. Here's the problem, Sophia. Let's... if you take a set, and it's not normal, but it's tailed, which is often the problem, the average will tell you. Let's say that you have 50 zeros and a 300, okay, the median is zero.

B: Right, that's right, but I'm arguing for an average instead of the median specifically because it warns you. And now, if you get three numbers, I would put both median and average, and when there's a big difference, I worry, because that tells me, do I have a big tail up at the two? But that's why she said...

B: Right, right, whereas I think for Libyears, the advantage of average is, if there's a couple that keep getting older and older, you start to notice it. True.

B: You want... exactly, exactly my point for that. You want it skewed for big numbers, and you know, maybe there's a justification. I work on a project where we intentionally use an older version because they switched to a proprietary license and the older version's just fine. It's used during tests. It's not during production, don't care, so.
C: Let me know if my background noise gets too crazy. There's something crazy happening in my street right now, which is why my cat is monitoring it. He's just, like, staring out the window, but if it gets too loud, let me know and I'll move to a different room.

A: I have my noise suppression set to medium, for what it's worth.

A: So I think I'm hearing Libyears would be a good metric to spend some time working on.

B: So, you know, basically reasonable benefit, small amount of input. You know, cost benefit is justifiable. Now, you know, the nod has the good point that there are many different potential stakeholders here. So, you know, I'm assuming this is much more that I'm a project, give me some metrics to kind of... either I'm a project, or I'm thinking about... I'm someone outside thinking of using a project, give me some quick stats to give me an idea of, you know, of the risk of this thing.

B: Cox paper, let's see, 2015, I will copy and paste the URL.

A: I mean there are two questions that... I mean, age in time, like Libyears obviously implies time, and that's an important question. But there are some libraries, the most recent example I can think of is Unicorn, that had its last release in 2019 and just did its current release, so that would show up as two Libyears old, but it's really only one release behind, right.

B: Oh okay! Well, first of all, I have snuck into our notes the link to the research paper, and I guess I should probably also link to the website, right. That.

B: Okay, here's the problem: most recent is not always the version you want to be using. Let's see here, so they went...
C: There's a research paper that I can try to track down that actually shows a very nice statistical confirmation that the newest one is not the most stable. They do, like, look over long-term projects that say which version is actually the most stable on average, and it's usually not the most. So we can reference third-party research if we want to, and because "best" is subjective, but it isn't in the context of what you're talking about, right.

B: Yeah, the problem, of course, you know, there's multitudinous problems. I mentioned the other way. You know, what I have done when I would use this is I assume that the best is the most current release unless told otherwise.

B: Yes, yes, totally get... well, welcome to Windows and welcome to a lot of software long before Windows and the iPhone, which have the same problem. You never, you know, never download the newest version of the software, well.

A: Like anything in the machine learning ecosystem, the latest release is usually not the best, because it's incompatible with a lot of other things, including operating system libraries that are available. So, for example, even with something like TensorFlow, which is widely used, the appropriate best release on Ubuntu is different than the appropriate best release for a Mac.

B: It's an utter disregard for the needs of users, who, by the way, have probably spent hundreds of billions of dollars upgrading.

D: Yeah, please! Yes, I was thinking keeping the question is: what is the age of your recent dependent? What is the age of your dependency? Then in the description we can cover these averages, total, each, or recent age things in the description, right.
A: Yeah, I use it. Yeah, I use it with my children, but only because they can't figure out what I mean and I get to move the definition as I choose.

A: I like "current stable." I like that idea a lot, because, for example, in PyPI they actually will label them. If you just scan the PyPI directory, sometimes the most recent release has an rc1, rc2 after it. So that's not what you want, right. So if you look for the most current stable release, I think that is a good way of putting it. And just to remind, so there's seven minutes. Let's see if we can...

D: If we are adding a note with the median, then average needs a note too, but these are the common, like, understandable terms for media issues with the median and average.

C: So I guess, so if more numbers is better, because then, if you're tracking three metrics versus one, you can get a sense immediately what's happening. Yeah, your total is massive and then your average is tiny. But then your total is massive and your average is low. That means a lot of them are old, versus one of them is very old.

B: Why is it using, you know, version 0.1 of that?

B: Yeah, now, I will say that the OpenSSF folks, they've been having discussions and it's not clear, and I went back to the folks who wrote the paper and they also didn't have a good idea of... you give me a number is one thing, but what's the right number? You know, do I want less than a year total? Do I want less than two months average?

A: I didn't write "smaller is better." I didn't include the "smaller is better," but I did say that the objective is Libyears is a good heuristic for choosing what dependencies to look more closely at, right. You know, I have...

A: If I have, like, an 11,000 project ecosystem, Libyears is an excellent heuristic for the dependencies in that ecosystem, so that I know where to look first, the older ones. That's one heuristic that I would use, because, obviously, I can't closely examine every dependency routinely. I need to pick the most important things, right.
C: Anything in typical project governance literature, documentation, commitment, that would prescribe any sort of commitment around backwards compatibility, versus just assumed that the technical committee makes a decision per the evolution of the project? As in, is there any commitment to backwards compatibility that can be attributed to a certain kind of project?

C: Yeah, so it's just, it was... that's fine, then, which is kind of what I assumed. I just know that in the context of companies and products there are sometimes certain things that have explicit statements that say this will always be backwards compatible because...

B: I will argue it's one of the reasons why so many people use it. Yeah, it... basically people are... well, they have made it very clear it's safe to build applications here, and in fact I would argue even further, that's why the container ecosystem has grown so well, because, you know, lots of things can break, but we know the kernel interface is safe, and so...

C: For project cases I was thinking, what are the things that would make this number less of an issue, and it could say the project is the latest kernel and they've committed to make sure that nothing is breaking? I mean, you're still risking the vulnerability piece or other issues developing, but you're never having that backwards compatibility issue that's going to increase with anything.

B: That's right, and you end up with situations where entire ecosystems cannot change again because of the... well, "all we have to do is change simultaneously." Oh, no one can do that, right.

A: So one question... we're at two minutes over, and it's partly my responsibility too.

A: Okay, yeah, yeah. I noticed.

A: Okay, perfect, so we'll move this, so the meeting two weeks from now we won't have, which will probably be convenient because I believe that will be the week coming off Labor Day anyway, but we'll meet next week.

B: Okay, and I would suggest, as a homework assignment, at least go read that paper from the other Eric, okay, you know. Obviously, you know, things have changed a little bit since, and not everybody does what the paper says, but I think it's useful context anyway.