From YouTube: CHAOSS.Risk.April.20.2020
So this is the risk working group meeting on April 20th. We will meet again on April 27th, just to get back on cycle, and I guess I'll just add risk meeting dates because, as I went through rescheduling the risk meetings and their cycle with Easter Monday, we run up against the Monday of Memorial Day weekend in the US, and also Monday, July 6th, of July 4th weekend in the US, and I believe we run up against whatever Monday precedes whatever form the Open Source Summit North America takes. So there's a number of exceptions through the summer, for the time and the sort of sequence that we've chosen, and I thought it might be a good idea to think about, look at, consider maybe changing our cadence and try to avoid holidays. That might be the easiest thing to do. I will throw it open for...
Right now I'm just worried that that Wednesday is... I've got, right now, a... that time is looking like it's gonna work for the ELISA meeting, okay, and right now it's open, but I'm kind of worried the ELISA TSC is gonna maybe be ending up there. Okay, so that's kind of, on the other hand, would...

What I know... yeah, it might be, that's what I'm worrying about, 'cause basically we've got people from Israel, yeah, moved to a time in the week when they can meet, and so I could probably do the 8:00 a.m., but realistically Monday really is a better day for me, or Tuesday, for that matter.
And then I don't know, with that... If there's any updates you wanna share with the working groups about the CHAOSS community manager, Matt? At this time I'll drop out of sharing to keep the poll out.

What was the question? I'm sorry.

If you want to provide any risk working group updates regarding the community manager that we are recruiting to work with CHAOSS.
I don't know if that was Slack or something else, but... and then, so then, in the discussion of the 2020 goals: in the past we've discussed testing, safety-critical systems, the ELISA project, Yocto, medical devices and Automotive Grade Linux, and we reviewed the Yocto project dashboard last week, and I confess I haven't memorized it, so let me just share that briefly.
I'd say it's more like Debian-based, okay, except what it does is it lets people create their own distros. So they're like Debian: you know, there's Ubuntu and a whole bunch of other things that have been created from Debian. It's served as a fundament, like, you know, it's more about fundamental technology, putting pieces together that people can build things from. Okay.
It sounded like a maintenance guy who is kind of confused about what pipe to fix, but I'm not sure. So, testing safety-critical systems: I think it would be great if we could get a little bit concrete about what we want to do, and only because testing and safety-critical systems and medical devices and Automotive Grade Linux present not only metric definition challenges but also, in many cases, language-specific technical questions that need to be looked into more deeply, and so with that in mind...

Is... I mean, I think developing metrics for testing as a goal.
Well, I think there's tools like, code like MISRA and Coverity and things like that that are proprietary, so that is definitely an issue. I don't know if we can do too much there, but there's things like stress-ng that are open for, like, doing the external side of things, and there are things built into the new compiler that we could probably look at. Um, ng, next generation, okay.

Actually, stress-ng is dynamic, and the new compiler stuff is probably static. That's, like, bounds checking, and it's, well, less... you know, like negating warnings. But I think there's other static analysis techniques out there, mm-hmm, that are sort of executed through compilers, so they see... I just put static analysis as a general heading.
Yeah, they basically... MISRA is the standard and it's applied against C and so forth, and they've got a variety of instances. I suspect there's more merging things like static and dynamic analysis are, sort of, you know, language-independent techniques, and there's languages that are instances inside each of them that there's tools. I think probably the MISRA and the Coverity are both static checks. Okay, so maybe putting MISRA...
From your experience with the safety-critical systems, I can't seem to do this right, and Automotive Grade Linux, medical devices... Medical devices is where Jessica, I think, probably helps us a lot, if we can get her a little bit. Are there tools that are commonly in use in those projects already, or is that a critical gap?
One option is: we've just finished deciding in ELISA that we're gonna move our May workshop to be virtual, and the call for topics is open right now, and to present there, what might make some sense is to basically just have a Q&A session about, okay, what are risk metrics that people care about, and then see, sort of, what's the reaction we get from that community directly, as opposed to me proxying for them. But that way maybe, sort of, to talk about the risk.
I just pasted it out. We discussed this on Friday. We couldn't do this in Frankfurt, so we're gonna do virtual, yeah. Like, I can send a draft of it illustrating it with the topics of metrics, and put you... once you see, and then you may or may not want to subscribe to the mailing list for the discussions. We're trying to do this sort of like we did with the kernel community before we get to the Maintainer Summit: things get talked about on the mailing lists.
They're both static analysis techniques, and they tend to be part of quality management systems, which is one of the things the safety standards are calling for. Several of the standards call for: okay, what is the quality management that's in place for your system? So they wanna know some sort of QM is in place, and MISRA and Coverity, I sort of acknowledged... you know, MISRA scans, for various standards, are acknowledged... well, Coverity implements MISRA, okay, so MISRA scans are acknowledged as a way of demonstrating.
But certainly the, you know, how can we measure... what do I... I can probably get a separate discussion going in the Zephyr safety community on this effort. I could see if we can, you know, have you guys come and chat on the Zephyr Safety Committee one time and see if we can get, you know, what ideas two dozen brains there... but what metrics make sense to people that they want to start looking for. Yeah.
You'd hope they'd think what evidence today, what people want to be collecting as they go along to help prove out the case. I'm getting the safety, you know, experts sort of weighing in on that might be some interesting insights, hard to say, mm-hmm. And I'd say also in the dynamic analysis, sort of, um, is like the regression testing and all the testing that happens against the kernel, that any type of regression testing might be useful.
I think the question is that, when I look at the Yocto dashboard, I see kinds of the basic activity metrics that I see on Bitergia and Augur dashboards, and I guess exploring if there are metrics with the two Yocto people that you mentioned that could be added to these dashboards to provide greater utility. Yeah.
I'll just make that, at a certain level, as the other 2020 goals, and then I guess I'll ask... I guess I've been... I'll come back to my earlier question about licensing. We have released a number of licensing metrics: Committers, Best Practices Badge, Test Coverage, Licenses Declared, OSI Approved Licenses and License Coverage. I think we actually have some tooling around those that's pretty useful.
It does make sense. It's a question of, you know, do you have... it's part of the transparency, in some ways, in my mind: do you know which one you're actually using, and do we have coherency among sub-versions that are being used, especially in things like the container space? Mm-hmm.
And it becomes really clear when you look at the list of repositories in Census II that there are multiple ones, multiple libraries that are in the Census II share repositories, and so you have several instances of a repo, like a half-dozen repositories that exist more than once, because more than one library is in them.
Jessica and I discussed that it would be great to do some analysis by library, and I think that requires, sort of, a conversation about what the subparts... okay, Mark, yeah, how to count that and sort of indicate the hierarchy that really exists in these cases, because in the work that Matt and I and our teams have done with Libraries.io and library security managers it becomes...
You know, if it's göran solving it now, then it'd be good to know that, and if it isn't solving it now that we want... but if it's something that's a priority for understanding supply chain security, then it sounds like it might be worth looking into solving, and also trying to define metrics that are below the repository level.
The list of things that we've defined, in terms of licensing: I think we moved License Count, and we did some things with OSI Approved Licenses.
From the SPDX side, one of the things we've got here is a list of all the tools, and I was putting in from the open source tools. I had a whole... so there's a classic taxonomy here, and I've had a placeholder to see about whether or not it made sense to add Augur, but that sounds like it does. Yeah, go back up to the taxonomy; it's slower when I'm sharing, obviously, I believe.
This is for documents, so rather than a license list specifically. Okay, okay, and here's the classic taxonomy we're working towards: do you author during the build? No, but do you have author after creation, manual or audit tool? So the audit tool will be an aspect for you guys, from the DoSOCS, and then consume...
Give you a diff and analyze, be able to import documentation into one, transform, translate, merge into integration, so using the APIs and so forth, support using other tools by APIs, and so, for instance, here's FOSSology, right. But I was thinking, I think it might make sense, and I was thinking we had, since it was SPDX general, yes ma'am, as part of the risk metrics we could do it, so I put a template in here for you. Are you comfortable filling it out, Shawn?
I need to ask him about that. All right.
Multiple purposes, actually. This is being created as part of the NTIA work, so the healthcare folks and others who do proof of concepts: it's a set of resources for them to use and look at depending on what they want to try and do. Okay, we're working the SPDX website; I wanna make sure this is more visible there as well, so there's... and then we're doing gap analysis between SPDX and some of the other formats for exchanging software bill of materials information, and so this is another way of their ecosystem pages for those as well.