From YouTube: CHAOSS Risk Working Group 5-27-21
A
Oh, I'm beginning recording. Welcome to the risk meeting, May 27th, whatever year it happens to be. I think it's 21 still, but I need some evidence.
A
A
B
A
A
So I'm actually gonna like, and I just deleted everything.
A
Yeah, all right, I'm just, all right. Sorry, everybody! I I thought I did this at the end. I always do this at the end of the meeting, but apparently I didn't last time. Arfon, welcome. I will let you, Michael was here and I'm just, I wanted to respect your time and let you know today we're probably going to focus more pretty explicitly on our proposals for OSS Summit North America and OSPOCon.
C
A
Oh okay, all right, excellent, excellent! I I know, okay, great, perfect, that's that's good news, then.
D
A
I know, yeah, we've we've been having some good conversations with some of your friends over there get up. I.
A
You've been talking surveys, yeah, yeah, yeah, it's it's like rock star city over there, all right, so I'm gonna copy our notes from.
A
That has the talk ideas, so I went through like a fake creation for OSS Summit North America and really, at the end of the day, we need the people and the abstract and the title for each of these, and the rest of it is just filler, and and so these, we had this document and then the large. The more expansive set of notes that are available in.
A
In in the meeting minutes, so for regular talk idea, this this was really. This is focused on sort of the dependencies of risk that we encountered in the course of doing our work here and this complex matrix, and I think so, there's, that's one idea.
A
The other was sort of, there's no abstract yet for, not the best or only ideas, it's kind of like the David Wheeler idea, and then there was a type of dependencies idea, and then also something we call tooling salad, things that are kind of a, just a review of the different tools that could, this might be a separate talk.
A
A
Michael was here, I'm not here twice. I swear, I think Bernard's on vacation.
A
Appreciate that, tornadoes, we have a slight chance of tornadoes here today, so.
A
Should know more about that in a couple hours, so yeah, this was the. This is the link to the drafts.
A
A
Sophia, can you remind me which, which one of these ideas was the pen, was this? The panel discussion idea, like just to discuss the different types of dependencies that people encounter.
B
Maybe, I feel like in my head panels are served better when you're talking about your own unique experiences, yeah. So the idea that we're all dealing with dependencies in different kinds of roles, not just, say, software development.
A
A
Jeez, yeah, I like, yeah, I am not proposing an all-male panel. That's a meme, as I'm sure you're aware.
B
A
Yeah, well, yeah, and so the, like, people who I would love to have on this panel would be like you and Kate and Arfon and Dwayne O'Brien, like that would be like the dream team for a panel discussion, because you bring, you each have a very different perspective, and I'm sure I can talk Kate into it as long as she's not conflicted, I'm sure I can talk Kate into it. This is being recorded, so she can watch this later. Arfon, do you feel? Would you like to be on a panel?
D
So I I would love for that to be somebody from GitHub, I'm not sure honestly, like, I'm the right person, just because I think there's such relative depth, like elsewhere in the business there's folks that just like build products based on dependencies and like I I don't do that, even though, so so I'm I'm a little cautious, but only because I think there's people who are much better placed, so maybe if, if we can maybe as a like blood oath or something, I can go and like chase a couple of people after the call today, I have to go in like 18 minutes anyway.
F
D
Today, that's all right, man, I've been in many boring meetings today. This is not, awesome, but I'm about to go into another one. Maybe I could introduce. Maybe I could send a couple of emails, try and get some traction on this, because I would love for the to be somebody who's doing like some really deep, deep stuff like GitHub on this. So I think that's something.
A
Yeah, and we have until the 13th of June. Okay, so I mean technically, we have another meeting, but I don't want to wait until.
E
A
F
B
The title could be something like "what do dependencies mean for you", and then for different roles, for different companies or organizations, discussing the role of dependencies with, and I don't know, just like different ways that tracking, monitoring and knowing what they are impact the decisions you make, how this, how the data is used, where it comes from, like I just feel like. There's, there's so many different angles here.
B
A
Who, me? Yes, yeah, I can moderate for sure, I'm good at that actually, and for those, I just don't know, for those of you who don't know. Arfon is like the reason CHAOSS, or like help Matt and I conceptualize CHAOSS way before it actually became a thing, over dinner in 2015 in Copenhagen.
A
A
E
D
A
Yeah, yeah, so affordable panelists with responsibility for dependency management.
A
A
So with responsibility is like, like nobody's responsible for managing all the dependencies, right. The way I meant that was more like, well.
A
B
That, like out how, maybe that's our first opener for this panel, is just how broad is this. I'm trying to understand if there are clear delineations in ownership and responsibility, or how do you designate ownership and responsibility across something that is so complex, like it's, in its nature, is dependent on other teams, like, I think like when I look at a series of dependencies. Part of it is just, hey. Does anyone know someone on this team?
B
Because if we change this thing, they're going to lose part of the thing that they depend on, so like it's more about like internal, like seeing where we overlap with each other, but no one really is looking at it comprehensively, because it's just too big, yeah, at least that's our problem. Maybe if you're smaller, sorry, our friend, you're going to say something.
D
D
B
F
B
Of it, and depending on how much time you've allotted in your script, you can see more of it, but it's it's not particularly granular and how how things are associated, so there's some controls over how you can look at stuff. But it's just, it's almost too big, like I think, if you look.
F
B
Context of a project, then you can think about all the dependency against that project. But if you're looking at like the many-to-many problem, then that's untenable. So I would say that we do have some ability to look at figuring out all the things that are dependent on, independent of a thing, and then we can see as big as we allow for our script to handle. But it's it's just basically a huge graph, so it just keeps going out, yeah.
D
B
D
B
B
B
So, like I I don't know, I'd be curious to see how other companies have have tried to do this, whether or not there's some sort of, like we've talked a lot about SBOMs, but if there's some other kinds of template or, say, build requirements that you can use internally as your own system of record.
B
B
I'd also be interested to know the nuances of how information around dependencies is used outside of a corporate context, like I think one of the practical ones that we have is especially in open source and maybe in some more recent news. There's been things like like license changes where suddenly you have to realize, understand where, where and how things are entrenched in your systems, that so like, basically, an event could cause you to have to go.
B
B
Yeah, and I know there's some, at least I think OpenSSF has been thinking about this, but sort of large-scale many-to-many mappings to look at ecosystem concentration points and major vulnerabilities for maybe like for larger swaths of the industry. So knowing how like particularly popular projects that are cross-referenced in many places, that if there are issues with those they'd have a larger impact than other projects, so using sort of large-scale many-to-many mappings to identify major risk points throughout the open source supply chain.
B
A
B
Well, I mean, I think that it would. It would impact different people in different ways. So I think this is really calling out the need for our panelists to have a few different perspectives, because now I'm thinking about the OSI folks, or no, the sustained folks that were talking about this from a funding perspective. They look at who, who they're going to give money to and something like a comprehensive view of very entrenched projects that have large dependencies on them and that, say, have any sort of sustainability risks.
B
I want to say that the brick company was looking at that as well. We met with Emilia, yeah, but they were looking at it from a vulnerability analysis standpoint, but also because of that they were looking at comprehensive levels of multiple customers and all the things that they use. So they had a sort of objective third-party view of popular things and how often they were cited across different kinds of organizations.
B
I'll check with my PR team just to make sure nobody's going to get upset about it. Maybe.
B
Someone else again, who might have a better view of this. We have a team that maintains a couple of our data sets that might be interesting to pull in. I don't know if they'd want to participate, but I can always send out some feelers, because I'm I'm kind of like a, I'm more of a user than a builder internally of these kinds of things. I.
A
The monorail is, I've never heard of a monorepo, so I confess that just getting my head around that is, we can't hear your phone. I don't know.
D
No, no, I'm, I was pausing for a fact, the, I I know a lot about monorepos, because GitHub's not got very good support for them. So, but some, not like some companies with very large code bases. This is a deliberate decision they make because it reduces the integration costs of between engineering teams, right, because, basically, you run your tests and, like your dependency, they're all smashed into like basically the same repos that you just, like all the code that you depend on to deliver your client app or like.
D
A
A
Did we, I'm losing my mind here? Did we have a fourth person name? Oh, Dwayne? I would love to get Dwayne O'Brien. I don't know if he is, because he's definitely managing a unique challenge with heavy reliance on dependencies.
D
A
E
A
A
B
G
G
Decide what subtopic or or topic that this belongs under, which I listed in the chat, but it's also on that page. That's a question. They ask on the, when you submit your proposal, so.
A
Yeah, because they they've merged the events. Now I don't know if anybody else noticed, they used to be like a month apart and now, spokane was going to be in Seattle, and this was going to be in Ireland. Was it.
B
A
Dublin, yeah, so yeah, they've merged the events, so I think so. This is still a bit fluid. I think that I'm.
B
B
Yeah, but I do like the angle for dependability because I think there is sort of a, that angle to it, but I would say it's probably most relevant for OSPO, yeah. Okay, I see a doggy ear.
A
Who else would you be talking to, what call these again, key topic area.
D
A
E
D
A
A
D
A
Yeah, yeah, there's, it's screen.
A
And cool, all right, all right, talk to you later, our friend, yeah, see you, take care, bye.
B
B
If we were going to help you edit it, where should we do that? Oh.
A
Right, edit, edit it in this document here, you know, I just, the notes will help me remember what needs to be submitted.
A
Is the thing worth measuring, and I think this is another idea that we thought was possibly a panel, but we weren't sure, so this, all right, this one seems more instructively written.
A
A
Correct, yeah, it's really, it really is. I would, yeah, I think that's a really good summary, is that this is.
A
B
C
A
B
F
B
C
C
B
I have seen talks like that before, so that wouldn't necessarily be new, so I guess what about this is new. I guess it's more than to.
A
A
Took a lot of discussion to get us there, you know, we had. We have a group of, you know, a group of fairly experienced open source people.
B
B
I feel like the ideal format for a session like that would be a discussion, but that's not an option for this event, where it's like, there's partial presentation and then, if we're talking about how we achieved common language, then the hope is also, does. Is this common language resonating with you? Can we get feedback on that, because I think that would be a really productive session, or could be? I mean it could also blow things up, but it, if it's completely one-sided, then we don't get the reaction of.
B
A
A
You know, spend 10 minutes, like, you know, are we right? What is missing? How are we looking at this? What is, what is missing? What is not your same understanding? What requires further explanation, yeah, I feel like we could propose something like that or propose the talk as a talk and just do that.
B
B
A
A
I agree, I agree, I made a. I made a comment that I thought the risk group had a lot to share.
B
B
B
This could be a really fun interactive session, just trying to figure out how to how to split everything up and what are the common languages that we want to use, and then, on top of that, these are the the metrics that we recommended, but is that actually the most important for everyone here or are there others that could challenge it? So I would I would love to do that as a CHAOSScon session.
B
I think, assuming that's in person, and that gives us also more flexibility on timing, because we're not trying to meet the CFP deadline, but I think it might, I'm worried about it being generally helpful in sort of a one-to-many pre-recorded session. As a topic like this, yeah.
A
It would have to be very well produced to be, because it's it's a lot, so this would be, I'm just gonna say.
A
A
I don't know if you've seen this. It's like OBS.
A
A
It a couple of times, for course videos, I haven't tried it for something like this yet, but yeah, you can. You can spend a lot of time, energy producing things like this, so, but I do think that this one, if it's virtual, this will have to be really well produced.
B
A
F
A
I mean, I thought when we talked about the last time. Other people were like, yeah. This is kind of the inventory, so with nine minutes left, abstract.
A
A
A
B
I mean there's always a category of like what is. It is a, like a, in terms of the file type or category, but I don't even know if we want to get there in this, because I think that can be too broad.
B
But I was thinking of, so if the focus is on understanding the minimum viable metrics or product metrics. Sorry, I'm struggling with the word product here because we're not actually talking about a product, but metrics.
B
B
Is it on or of, are we talking about looking at transitive dependencies? We can talk about that idea of breadth and depth and then how we might use those kinds of contexts to assign relative, like, well, for, allow others to assign relative risk to what those things could mean. So basically saying these are the kind of kind of dependencies we're looking at, the kind of context and variables that can change how you measure them, and then what could those measurements mean for you? So basically, it's a little bit more of a practical approach.
B
B
That there are many people working on this problem of measurement and visibility, and maybe we we can give them a little credit on just saying exists. This is a very popular line of thinking. What we're trying to do is create, again, common language framework for an MVP of of this. So I think that that sounds like an interesting talk to me.
A
C
A
A
E
A
A
H
B
A
B
A
B
Well, I'd say maybe, given that we don't have everyone on the call today, we could pose this description back to listserv, okay, and just say we we put this together based on some of the conversations, I guess just summarizing what we covered today. We, these are the two talks that we're leaning towards submitting, these are the tentative speakers, panelists, the third one we might. We would consider, but I think I get my back recommendation. I think that better fits better and it's CHAOSScon, yeah.
C
B
Given that it's a little bit more free form and would benefit from a discussion, and then because I think that if we have our descriptions generally ready, it's easier for folks to say yay, nay, here's how I would tweak it, yep, versus, I don't want to assign anyone something and then they're like. I don't want to do that, but I'd rather be a volunteer, absolutely, dictatorship.
A
Yep, I agree, so I think, I think in very unconventional minutes and let's, if you do any editing, do it in the other document. This is just for the minutes.
A
Yeah, and so like. Basically, this is what we've discussed and it's just gonna not follow the standard format, and that's too bad straps.
A
A
G
The website says Hyatt Regency in Seattle, oh so, and and Matt submitted a thing because you could request a room from them straight up, from from the Linux Foundation, so he filled out a form to try to get us a room. So we could officially be a part of the conference after or before, so.
A
A
So I don't know where this is in a map. Anyway, we gotta go, but it's right there, right in the middle.
B
A
A
So, thank you all very much, appreciate everybody digging in and helping to flush out these ideas today, and I will talk to everyone soon. Happy.