►
From YouTube: CHAOSS Risk Working Group December 1, 2022
Description
Links to minutes from this meeting are on https://chaoss.community/participate.
B
Oh
I
mean
I'd
love
to
get
a
sense
for
what
your
goals
would
be
for
these
things,
I
I
run
a
lot
of
surveys
and
I'm.
Also
very
cognizant
of
survey
fatigue.
That's
happening
especially
now
that
there
is
an
LF
research
group
and
there
are
more
surveys,
there's
just
more
surveys
in
general,
so
I
don't
want
to
necessarily
add
to
the
fire.
B
B
A
A
B
A
B
B
B
You
I
posted
the
wrong
one.
It
looks
like
I
found
the
recruiting
email,
the
last
time,
I
reviewed
it.
There
were
no
risk.
Questions
like
they
seem
to
be
more
focused
on
maturity,
function,
priority
goals
and
like
organizational
context,
so
like
I,
don't
like
I'm
curious
again,
like
I
feel
like
I,
want
to
come
back
to
the
original
question,
which
is
when
you
chat
about
this
with
David.
Was
there
a
specific
goal,
you're
trying
to
achieve
through
a
survey.
A
Yeah
I
am
the
go.
The
goal
that
we
were
trying
to
achieve
is
like
we
we
talked
about.
You
know
the
open
ssf.
It
has
a
very
specific
focus
and
that
there
are
many
other
flavors
of
risk
and
because
of
the
software
supply
chain,
security
concerns
security,
as
a
risk
factor
has
gotten
a
lot
of
public
attention
and
I.
A
Well,
I
think
my
the
intention
from
my
perspective
is
to
to
see
if
there
perhaps
exists
a
resource,
in
which
case
we
wouldn't
need
to
do
a
survey
or,
if
there's
another
survey,
that
we
can
tack
on
to
where
we
can
get
some
feedback
from
people
and
and
probably
as
I,
think
about
it.
I
put
contributors
on
there,
but
I'm
I'm,
probably
I.
A
Think
in
my
own
mind
more
concerned
with
you
know
what
are
the
concerns
that
ospo's
have
with
regards
to
risk
and
what
are
the
concerns
that
and
I
think
I
would
separate.
Ospo's
and
really
LF
members,
who
are
a
combination
of
people
with
different
levels
of
leadership
and
responsibility
and
people
with
contributing
focus,
is.
A
So
like
what
are
their
concerns
about
risk
in
general,
because
I
think
the
the
firms
producing
technology
and
producing
open
source
is
part
of
their
business
model
have
different
interests
than
a
firm
that
might
consume
a
lot
of
open
source,
which
is
where
I
think
there
are
an
increasing
number
of
hospitals,
so
I
think
the
idea
of
an
ospo.
This
is
just
my
perception
and
tell
me
if
I'm
off,
I,
suppose
I
think
originated
from
technology
companies
who
produce
a
lot
of
Open,
Source
software
and
I.
C
I
can
only
speak
from
the
perspective
of
working
at
a
place.
That
is
we're
not.
We
don't
produce
a
lot
of
projects
that
are
open
source,
but
we
use
a
lot
of
Open
Source
packages
and
platforms
and
building
and
frequently
the
questions
we
get
with.
Regards
to
open
source
metrics
are
around
should
I.
How
can
I
evaluate
this?
C
This
thing
should
I,
you
know,
should
I
adopt
it.
Can
you
recommend
some
guard
rails
or
you
know,
metrics
I
should
look
out
for,
should
I
move
away
from
this
thing
because
it
might
be
deprecated
and
we
are
very
interested
in
these
sorts
of
risk.
Metrics
from
a
perspective
of
this
is
something
that
is
maintainable
and
I
can
rely
on
for
the
long
term.
B
So
that
does
seem
a
line
to
what
the
wrist
dashboard
is
trying
to
achieve.
I
will
say
having
been
to
a
couple
of
their
meetings,
it
is
really
trying
to
Center
on
security,
which
I
know.
At
the
beginning,
there
was
some
debate
of
a
broader
interpretation
of
risk
versus
just
security,
and
the
broader
interpretation
would
include
more
of
the.
B
Some
of
there's,
like
a
light
version
of
that,
but
I
almost
think
that
that's
it's
I
mean
that's
aligned
to
the
open
ssf
a
bit
more
is
to
have
more
of
a
security
lens
where
I
think
in
terms
of
the
questions
you
listed,
I
wrote
those
in
the
notes.
Renisha
I
do
think
that
their
goal
is
to
help
people
make
those
calls
in
terms
of
see.
B
Secure
is
a
different
question
than
is
this
project
actively
using
best
practices,
and
so
it's
more
geared
toward
the
sort
of
long-term
evaluation
of
whether
or
not
this
project
is
going
to
keep
working
for
you
versus
whether
or
not
this
package
is
working
for
you
kind
of
thing,
so
I
think
in
that
regard,
we
are
going
to
have
more
overlap
with
that
group.
If
those
are
the
focus
areas
that
we
settle
in
on
Sean
I
know
you're
looking
at
the
older
doc,
they
were
working
from
a
mock-up.
B
B
A
C
B
It
isn't
it
doesn't.
I
was
one
of
the
pieces
of
feedback
I
gave
to
them
last
week
or
two
weeks
ago,
because
they're
one
of
the
like
I,
looked
at
the
kubernetes
dashboard.
One
thing
is
recorded
monthly
and
a
lot.
One
of
them
is
recorded
in
2017.,
so
clearly
not
up
to
date
by
this,
because
that
was
the
data
that
it
had
access
to.
A
B
I
feel
like
Sean,
the
more
you're
talking
about
this.
The
more
I
see
some
overlap
with
the
meeting
we
had
a
few
hours
ago
with
the
ospo,
because
if
it
is
osmocentric
in
terms
of
how
osmospher
thinking
about
risk
renisha,
we
just
have
the
newly
formed,
also
working
group,
which
we're
trying
to
have
more
connectivity
between
the
to-do
group
and
I.
B
Think
that
that
working
group
was
created
mostly
as
a
way
to
figure
out
how
to
work
with
the
to-do
group
as
well
in
terms
of
creating
things
that
were
both
useful
for
us
both.
But
as
well
as
how
do
we
work
with
to
do
between
chaos
and
to
do
and
on
the
things
that
we
came
to
was
trying
to
understand
how
we
can
sort
of
socialize
ideas
and
get
feedback
from
the
to-do
Community
as
a
way
to
that?
If
our
proposals
are
actually
applicable
to.
C
B
Broad
audience
versus
just
the
people
that
join
our
meetings,
so
I
think
I,
don't
know.
Sean
I
feel
like
this
would
put
in
that
category
of
whether
or
not
like,
coming
back
to
your
first
question
of
how
to
get
more
questions
or
feedback
like
I.
Think,
if
anything
we
could
try
to,
we
haven't
really
developed
a
mechanism.
Yet
we
were
mostly
talking
about
ways
to
do
that
and
I
think
this.
B
Microsoft
GitHub
Amazon,
but
like
mostly
people
from
hospitals
but
I,
know
like
Ashley
Wolf
from
GitHub
does
do
a
lot
of
to-do
group
work,
so
she
was
kind
of
serving,
as
our
to-do
group
liaison
in
terms
of
saying,
sharing
a
little
bit
more
about
their
structure
and
ways
and
groups
that
are
easy,
like
more
easier
to
engage
with
versus.
Just
like
posting
in
the
General's
lack
of
1800
people.
C
B
B
A
A
A
One
way
to
think
about
this
relation,
so
getting
the
so
this
I
guess,
let
me
stay
on
one
Topic
at
a
time:
getting
feedback
from
diaspo
working
groups
around
risk
related
things,
I
think
you
know,
like
I,
suggested
in
the
aspo
meeting.
We
we
just
want
to
get
a
general
idea
of
what
their
concerns
are
and
what
they're
trying
to
measure
right
now,
but
now
sitting
in
the
risk
meeting.
I.
A
A
A
B
C
This
is
a
lot
of
information
on
the
dashboard
it's
great,
but
someone
who
sees
is
just
going
to
say
yes,
I,
find
all
of
it
useful
and
maybe
understanding
what
they're
using
get
for
can
help
us
figure
out
the
gaps.
So
you
know
you
have
a
question
about
maybe
longevity
long
term
worth
is
the
project
still
active?
That's
like
one
of
the
the
things
they
want
to
attract.
How
would
you
do
that
with
this
dashboard
and
which
metrics
would
they
pull
out
and
maybe
what
else
is
missing?
C
Maybe
it
shows
I
think
it
showed
monthly
Cadence
for
that
first
bar,
but
maybe
they
wanted
something
a
little
bit
more,
the
yearly
Cadence
or
something
like
that,
but
I
think
talking
through
their
use
cases
of
questions
they
want
to
answer
tied
to
the
metrics.
Can
you
get
that
from
the
metrics
that
are
available?
What
else
would
you
like
to
see
to
answer
that
question?
Would
build
a
complete
picture,
I
think
for
us.
B
You
can
look
at
how
they're
counting
it,
but
it's
a
very
myopic
view
of
how
to
count
it
and
it's
like
if
you,
if
that
really
is
the
most
important
thing
for
you
of
whether
or
not
this
project
is
being
actively
maintained,
then
you
subtract
a
few
more
things
and
so
I
think
I
kind
of
like
the
idea
of
instead
focusing
it
on
like
the
the
actual.
The
thing
you're
trying
to
address
from
a
risk
perspective
versus
the
dashboard
I
think
is,
is
just
kind
of
like
it's.
B
B
I
mean
I.
Also
see
this
missing
things
as
well
or
things
that
we
don't
really
care
about.
Like
do
we
care
about
Watchers?
No,
it's
just
that
was
just
part
of
the
the
criticality
score,
because
that's
looking
at
industry
relevance
not
necessarily
like
relevance
to
you
and
so
I
think
that
this
kind
of
I,
like
that
they're
trying
to
reuse
things
that
they've
already
made
and
that
people
use
already.
B
So
I
think
I,
like
the
idea
of
maybe
starting
with
those
questions
and
then
I
think
I
know
strong.
At
least
in
our
last
meeting.
We
were
talking
about
how
we
would
approach
a
risk
model
and
I.
Think
that
is,
is
more
aligned
to
the
model.
Like
the
more
well-rounded
view
of
what
risk
is,
regardless
of
what
metrics
we
have
already,
how
we
start
framing
risk
and
the
questions
that
we
would
want
to
know.
B
A
A
A
A
A
A
C
B
I
mean
I
think
from
The
Case
of
the
company
evaluation
I
think
seeing
a
signal
that
the
maintainer
cares
is
typically
positive
in
the
sense
of
I
feel
like
even
unrest.
We
had
looked
at
other
indicators
that
things
were
being
well
maintained
like
how
quickly
our
bugs
or
defects
being
resolved,
because
we
couldn't
look
at
security,
so
we
were
looking
at
more
action-based
indicators
versus
this
is
more
activity-based
indicator.
B
I,
guess:
that's
not
really
a
great
way
to
split
them,
but
more
like
this
is
something
that
maintainers
can
proactively
do
to
Showcase
their
commitment
to
ensuring
that
this
project
is
up
to
best
practice
standards.
However,
they
are
I.
Think
the
fact
that
it
isn't
renewed
or
needed
to
be
renewed
is
somewhat
like
it's
one
of
those
things
where,
like
maybe
this
past
five
years
ago,
but
is
it
still
passing
like
I?
B
Don't
quite
know
what
that
process
is
so
I
think
that's
my
that's
my
skepticism
toward
it,
because
I
think
as
an
original
signal.
It
makes
sense
to
me,
but
these
other
all
these
other
metrics
are
based
on
real-time
data
in
a
way
that
can
help
you
make
an
assessment
based
on
what's
happening
right
now
in
the
current
group
of
people.
A
C
A
So
so
I
don't
know
I'm
not
like,
in
my
mind,
I'm
like
okay.
These
are
very
useful
in
some
way.
We
should
catalog
them
as
a
Json
risk
factors
and
Chaos,
or
have
pointers
to
these
tools
in
chaos,
perhaps
in
the
form,
for
example,
of
a
metric
that
talks
about
the
project
criticality,
the
best
practices
badge
which
we
actually
do
have
a
metric
for.
It's
just
not
called
the
ossf
best
practices,
badge
anymore
and
and
point
people
to
ossf
scorecard
and
have
like.
A
So
since
we're
kind
of
a
taxonomy
of
metrics,
it
might
make
sense
to
reference
these
things
that
OS,
open
ssf
has
developed
as
as
useful
indicators
like
a
kind
of
a
endorsement
like
this.
You
know
if
you're
evaluating
risk
the
and
we've
already
done
this
for
the
best
practices
program.
We
have
a
metric
for
that.
These
are
some
other
things
that
would
be
useful
for
you
to
understand,
and
then
somebody
who's.
Looking
for
an
overall
taxonomy,
which
is
you
know,
kind
of
what
chaos
has
been
and
I
think
continues
to
be.
B
I
mean
I,
don't
think
it's
a
bad
thing
to
have
cross-referenced
existing,
tooling
and
approaches.
I
think
something
like
Risk
is
very
subjective.
So
having
General
tools
available
is
just
one
point
of
commonality.
I
think
the
flavor
that
we
would
add
is
that
this
is
just
one
example
and
that
you
might
want
to
tweak
these
things
to
your
own
cases.
I
do
think.
B
Think
that's
I
mean
that's
how
they
describe
it.
It's
just
it's
a
tool,
so
you
can
use
the
tool,
but
you
can
also
make
it
work
for
you
in
ways
that
I
think
I'm
not
sure
how
many
people
actually
take
that
next
step.
I
think
a
lot
of
people
probably
just
start
with.
What's
in
there,
because
it's
a
starting
point.
B
B
Well,
I
think
is
separate
from
say
the
goal
of
that
dashboard,
which
again
is
if
we
think
about
it
as
helping
someone
make
a
call
in
the
moment,
but
I
think
I,
don't
know,
I
think
coming
back
to
what
we
would
want
to
do
within
chaos.
I'd
love
to
have
a
broader
view
with
it,
because
I
don't
think
that
there
are
more
risks
and
considerations
that
haven't
been
showcased
in
there.
Oh.
A
B
I
mean
just
to
go
off
of
the
Lioness
and
Center
Station
in
Dublin.
Why
is
this
biggest
concern
with
the
Linux
kernel?
Is
that
there's
going
to
be
a
toxic
personality
that
kicks
out
a
bunch
of
people
based
on
their
actions
alone?
I'm,
not
sure
how
you
quantify
that,
but
just
thinking
about
what
potentially
could
cause
this
project
to
fail,
and
that
was
the
thing
that
he
was
primarily
concerned
about.