From YouTube: CHAOSS Risk Working Group December 1, 2022
Description
Links to minutes from this meeting are on https://chaoss.community/participate.
A: This will be our last risk meeting for this year, and CHAOSS is taking time off until early January, just for our mental well-being, as it were, to try to give people some holiday time and whatnot. One of the things I brought up to the top, because we didn't get to it last time, was that I had a conversation with David Wheeler at the member summit, and I thought, you know, like, and this is part of what we've talked about before on this group.

A: What is our intersection with OSSF, or, or they call it somewhere else, something else, OSSF, they call it OSSF, but I've heard it called, like, something not entirely acronymic, any... Open SSF, OpenSSF, that's the, yeah!

A: Thank you, Renisha. I knew there was, like, another thing that David called it, but I can't remember what it was. And the idea of just, you know, trying to identify what are the concerns that people have around risk in their environments right now, without the assumption that, I mean, perhaps with some questions being directly about security, but I...

A: Think security is, of course, getting a lot of attention right now, but there are also other risk factors, and trying to get some kind of a survey of people put together. My thought was a contributor survey and maybe separately an OSPO survey, and this is just riffing off a brief conversation that David and I had the last time. But, I mean, like, the Linux Foundation has done surveys of its membership before and made them widely available, and they have teams of people, like in the Linux research group, whom I think would help us put this together. Yeah, but I don't know if others think this is a good idea or if this is just crap David Wheeler and I talked about.
B: Oh, I mean, I'd love to get a sense for what your goals would be for these things. I run a lot of surveys, and I'm also very cognizant of survey fatigue that's happening, especially now that there is an LF Research group and there are more surveys, there's just more surveys in general, so I don't want to necessarily add to the fire.

B: If it's separate from that, then I would love to work with the LF, just because they'll have a better sense of scheduling as well as potentially aligned initiatives.
A: Yeah, I think reaching out to Hillary and seeing if that's aligned with anything she's working on is a reasonable first step. I think, when does the annual TODO Group survey go out? Is that already done for, like, the next 12 months already?
B: I think it just won't work for you; it's an internal link because that was attached to my thing. So there we go.

B: I posted the wrong one. It looks like I found the recruiting email. The last time I reviewed it, there were no risk questions; they seem to be more focused on maturity, function, priority goals and, like, organizational context. So, like, I'm curious again, like, I feel like I want to come back to the original question, which is, when you chatted about this with David, was there a specific goal you were trying to achieve through a survey?
A: Yeah, the goal that we were trying to achieve is, like we talked about, you know, the OpenSSF has a very specific focus, and there are many other flavors of risk, and because of the software supply chain security concerns, security as a risk factor has gotten a lot of public attention, and I...

A: Think we've done good work in this group, particularly around our identification of different dependencies and licensing risks, that we've characterized the other kinds of risks that exist in open source work.

A: Well, I think the intention from my perspective is to see if there perhaps exists a resource, in which case we wouldn't need to do a survey, or if there's another survey that we can tack on to where we can get some feedback from people. And probably, as I think about it, I put contributors on there, but I'm probably, I...

A: Think in my own mind more concerned with, you know, what are the concerns that OSPOs have with regards to risk, and what are the concerns that, and I think I would separate OSPOs and really LF members, who are a combination of people with different levels of leadership and responsibility and people with a contributing focus.

A: So, like, what are their concerns about risk in general? Because I think the firms producing technology, and producing open source as part of their business model, have different interests than a firm that might consume a lot of open source, which is where I think there are an increasing number of OSPOs. So I think the idea of an OSPO, this is just my perception and tell me if I'm off, I suppose I think originated from technology companies who produce a lot of open source software, and I...
C: I can only speak from the perspective of working at a place that is, we're not, we don't produce a lot of projects that are open source, but we use a lot of open source packages and platforms in building, and frequently the questions we get with regards to open source metrics are around, should I, how can I evaluate this?

C: This thing, should I, you know, should I adopt it? Can you recommend some guardrails or, you know, metrics I should look out for? Should I move away from this thing because it might be deprecated? And we are very interested in these sorts of risk metrics from the perspective of, this is something that is maintainable and I can rely on for the long term.
B: So that does seem aligned to what the risk dashboard is trying to achieve. I will say, having been to a couple of their meetings, it is really trying to center on security, which I know, at the beginning, there was some debate of a broader interpretation of risk versus just security, and the broader interpretation would include more of the...

B: How is this being maintained? Metrics in terms of, say, population, distribution, retention, growth, and kind of understanding the health of the community versus just the health of the project, and, I mean, they're interrelated, clearly, but the metrics that I saw that were bubbling toward the top of that were some of the more established security-focused ones, like Scorecard, Best Practices.

B: There's, like, a light version of that, but I almost think that that's, I mean, that's aligned to the OpenSSF a bit more, is to have more of a security lens, where I think, in terms of the questions you listed, I wrote those in the notes, Renisha. I do think that their goal is to help people make those calls in terms of, see...

B: Looking at the security badging program, there were more assessment questions that related to practices that were supported by the community versus the current state of that project, because there was a big debate of, this seems more project-centric versus version-centric. So, is this version...

B: Secure is a different question than, is this project actively using best practices, and so it's more geared toward the sort of long-term evaluation of whether or not this project is going to keep working for you, versus whether or not this package is working for you, kind of thing. So I think in that regard we are going to have more overlap with that group, if those are the focus areas that we settle in on. Sean, I know you're looking at the older doc; they were working from a mock-up.
C: You're looking for the dashboard, right? I think it's metrics.openssf.org. Thank you, yeah. Thank you.
B: It isn't, it doesn't. That was one of the pieces of feedback I gave to them last week or two weeks ago, because, like, I looked at the Kubernetes dashboard. One thing is recorded monthly, and one of them is recorded in 2017, so clearly not up to date, because that was the data that it had access to.

B: I feel like, Sean, the more you're talking about this, the more I see some overlap with the meeting we had a few hours ago with the OSPO, because if it is OSPO-centric, in terms of how OSPOs are thinking about risk, Renisha, we just have the newly formed OSPO working group, which we're trying to have more connectivity between the TODO Group and I...

B: Think that working group was created mostly as a way to figure out how to work with the TODO Group as well, in terms of creating things that were useful for us both, but as well as how do we work between CHAOSS and TODO, and one of the things that we came to was trying to understand how we can sort of socialize ideas and get feedback from the TODO community, as a way to see if our proposals are actually applicable to a...

B: Broad audience versus just the people that join our meetings. So I think, I don't know, Sean, I feel like this would fit in that category of, coming back to your first question of how to get more questions or feedback, like I think, if anything, we could try to, we haven't really developed a mechanism yet, we were mostly talking about ways to do that, and I think this...

B: Specifically because I do think, in terms of the relationship to OSPOs and risk assessments, the OpenSSF one, I think, I mean, I've been joining some of their calls, but I think at this point they have a pretty clear directive, and I think we're there to get feedback on metrics, so I'm happy to keep doing that.

B: Microsoft, GitHub, Amazon, but, like, mostly people from OSPOs. But I know, like, Ashley Wolf from GitHub does do a lot of TODO Group work, so she was kind of serving as our TODO Group liaison in terms of sharing a little bit more about their structure, and ways and groups that are easier to engage with, versus just, like, posting in the general Slack of 1,800 people.

B: Yes, those are three different things that they've created: their Scorecard, the Best Practices badge program, and project criticality, which were three separate initiatives that came through the OpenSSF, as far as I understand it.
A: One way to think about this relation, so getting the, so this, I guess, let me stay on one topic at a time: getting feedback from the OSPO working groups around risk-related things, I think, you know, like I suggested in the OSPO meeting, we just want to get a general idea of what their concerns are and what they're trying to measure right now. But now, sitting in the risk meeting, I...

A: Make, I mean, they've done it already.

A: Sharing something like, here's an example of the OpenSSF dashboard for security, and here are some examples of CHAOSS metrics that address things like licensing and dependencies.

A: So maybe there would be a question like, if you had this, yeah, like, if you had this, and then if you had licenses, SBOMs and other things, which of those things are the most valuable to you?
C: This is a lot of information on the dashboard; it's great, but someone who sees it is just going to say, yes, I find all of it useful. And maybe understanding what they're using it for can help us figure out the gaps. So, you know, you have a question about maybe longevity, long-term worth, is the project still active? That's, like, one of the things they want to track. How would you do that with this dashboard, and which metrics would they pull out, and maybe what else is missing?

C: Maybe it shows, I think it showed monthly cadence for that first bar, but maybe they wanted something a little bit more, the yearly cadence or something like that. But I think talking through their use cases of questions they want to answer, tied to the metrics: can you get that from the metrics that are available? What else would you like to see to answer that question? That would build a complete picture, I think, for us.
B: You can look at how they're counting it, but it's a very myopic view of how to count it, and it's like, if that really is the most important thing for you, of whether or not this project is being actively maintained, then you subtract a few more things. And so I think I kind of like the idea of instead focusing it on, like, the actual thing you're trying to address from a risk perspective, versus the dashboard, which I think is just kind of, like, it's...

B: I mean, I also see this missing things as well, or things that we don't really care about. Like, do we care about watchers? No, it's just that that was just part of the criticality score, because that's looking at industry relevance, not necessarily, like, relevance to you. And so I think that this kind of, I like that they're trying to reuse things that they've already made and that people use already.

B: So I think I like the idea of maybe starting with those questions, and then I think, at least in our last meeting, we were talking about how we would approach a risk model, and I think that is more aligned to the model, like, the more well-rounded view of what risk is, regardless of what metrics we have already: how we start framing risk and the questions that we would want to know.

B: I have a big slide in there that's just, like, this is not a security talk. I'm mostly, there's enough material around security assessments and topics that are focused on security, that this is meant to address the other elements of risk associated with using and engaging in open source. So.
A: I'm just noticing Manisha's post from seven minutes ago about the, so is OpenSSF, so the Best Practices, Core Infrastructure program.
C: You had questions about what were the best practice badging, that second section, that's...
A: Because I did, I went through the CNCF best practices badge for Augur, like, years ago. Yeah, okay, it's now OpenSSF Best Practices, passing. So I did this in 20... you know, geez, three years ago, when it was called something else.

A: Of these specific categories, but you can see, you know, where we're badged at passing.

A: And there are, in my work with Augur, I can say, like, when a company gives me 10,000 repos or 3,000 repos or whatever to scan, very, very few projects have been through this badging program, like, the percentage is less than one percent of any given firm's projects of concern.

A: So it's not a criticism. It's just, this looks great, but the number of projects that have been badged is very small.

A: Okay, well, it's about twice what it was the last time I looked; it's 5,285 total projects that have gone through it. Which is, you know, obviously not a...
C: Question: as, like, a project maintainer or contributor, owner, what do I get out of silver, gold, I forget the other tier, badge?
A: Does that give me more adopters? It's a signal that you care about security, so I'll be curious if the badge, oh yeah, so, like, I never even noticed that this changed to OpenSSF Best Practices, but yeah, we have the badge in our README, so it...

A: It gives me, I suppose it gives somebody who might consider using this project some level that at least the project maintainers care enough about getting the badge. I don't know what it means beyond that, because the percentage of projects badged is relatively small. So I think it's a good thing that a project is badged if it is, but in most cases the project maintainers don't go through the, and it takes, like, two hours to go through the form.
B: I mean, I think from the case of the company evaluation, I think seeing a signal that the maintainer cares is typically positive, in the sense of, I feel like even in risk we had looked at other indicators that things were being well maintained, like, how quickly are bugs or defects being resolved, because we couldn't look at security. So we were looking at more action-based indicators, versus this is more of an activity-based indicator.

B: I guess that's not really a great way to split them, but more like, this is something that maintainers can proactively do to showcase their commitment to ensuring that this project is up to best practice standards, however they are. I think the fact that it isn't renewed, or needed to be renewed, is somewhat, like, it's one of those things where, like, maybe this passed five years ago, but is it still passing? Like, I...

B: Don't quite know what that process is, so I think that's my skepticism toward it, because I think as an original signal it makes sense to me, but all these other metrics are based on real-time data, in a way that can help you make an assessment based on what's happening right now in the current group of people.
A: So I don't know, I'm not, like, in my mind, I'm like, okay, these are very useful in some way. We should catalog them as JSON risk factors in CHAOSS, or have pointers to these tools in CHAOSS, perhaps in the form, for example, of a metric that talks about the project criticality, the Best Practices badge, which we actually do have a metric for. It's just not called the OSSF Best Practices badge anymore. And point people to OSSF Scorecard and have, like...

A: So, since we're kind of a taxonomy of metrics, it might make sense to reference these things that OpenSSF has developed as useful indicators, like a kind of an endorsement, like, this, you know, if you're evaluating risk, and we've already done this for the Best Practices program, we have a metric for that. These are some other things that would be useful for you to understand, and then somebody who's looking for an overall taxonomy, which is, you know, kind of what CHAOSS has been and, I think, continues to be.
B: I mean, I don't think it's a bad thing to have cross-referenced existing tooling and approaches. I think something like risk is very subjective, so having general tools available is just one point of commonality. I think the flavor that we would add is that this is just one example and that you might want to tweak these things to your own cases. I do think...

B: Think that's, I mean, that's how they describe it. It's just, it's a tool, so you can use the tool, but you can also make it work for you in ways that, I think, I'm not sure how many people actually take that next step. I think a lot of people probably just start with what's in there, because it's a starting point.

B: Well, I think it's separate from, say, the goal of that dashboard, which again is, if we think about it as helping someone make a call in the moment, but I think, I don't know, I think coming back to what we would want to do within CHAOSS, I'd love to have a broader view with it, because I don't think that there are more risks and considerations that haven't been showcased in there. Oh.
A: Yeah, no, like, I think the things that we, like I said earlier, I think the ones that come to mind are licensing and the production of an SBOM, and there's one other one. Oh, dependencies, and other work we did around dependencies I still think is pretty relevant. So.
B: I mean, just to go off of the Linus session in Dublin, his biggest concern with the Linux kernel is that there's going to be a toxic personality that kicks out a bunch of people based on their actions alone. I'm not sure how you quantify that, but just thinking about what potentially could cause this project to fail, and that was the thing that he was primarily concerned about.

B: But it's just an example of, like, that's not something that's in here, and it's not necessarily something that you're going to see in any of these types of dashboards. Like, you can see that they have a code of conduct. I think that's in, I'm assuming that's one of the best practices ones. It...

B: You could say, like, retention or, what's the word, exfiltration, people, and people leave, yeah.
A: There's a lot missing in, I agree, and we're at the end of time and I have to go teach a class, so.

A: Yeah, well, if, if I may, I'll decide to reach out to David and Hillary and the working group for OSPOs and see if, sort of, start to frame these questions asynchronously, right? Sure. And you're all welcome to do that as well. I'm just stating my intention, but if someone else does, that's perfectly...
B: In this forum, so I have a session next week. That's assuming a much smaller event, so I'm hoping that people just tell me what they think afterward, yeah.