From YouTube: CHAOSS Risk Working Group November 17, 2022
Description
Links to minutes from this meeting are on https://chaoss.community/participate.
A: I always want to put an extra s in there: OSSF scorecard and dashboard summary, and what we would like to see in a risk metrics model. So metrics models are groupings of existing CHAOSS metrics in a single view, so that you can get that perspective on risk metrics. And so one question is, if we were to put together a sort of a panel of the key things that people look at when they're looking at risk, a metrics model?

A: Because I think something happens where you pop up as the host. Oh, okay.

B: All right, I'm failing to sneak in. Yeah, so I hear you're talking about scorecards and dashboards and so on. Right.

A: And so, just to... I'm gonna go back to the list, but I'll also share this link. The ones in green are the ones that we've already released, and I'll put this in chat so that people can browse that while I take notes over in the minutes.

A: These are the metrics that we have released that address various aspects of risk, and we're not constrained by the metrics that we've already created when we think about what we would want in a risk dashboard. And I think, I know, David, and that's why I was hoping you'd be here, there is also a dashboard effort underway within OSSF, and I don't know if there's a screenshot or a design for that that we might look at.

A: No, no! No! No! I'm asking if there is, like, a screenshot that we could look at for that OSSF dashboard. No.

A: That would be, I mean, like, we're not looking to... yeah. A prototype would be great, because...

B: I think it would, I mean, frankly, all right. Let me... I can do you better, because I can actually link you to the website. All right, so you had mentioned something else that you were going to bring up. Yeah, the CHAOSS list.

B: CHAOSS, which is that... can you throw that link in the list on the notes for today? I want to make sure that that actually gets into the thoughts document, so we actually have, like, bi-directional communication here.

A: Yeah, okay, the... now.

B: If you want, if you don't mind me stealing your screen for a moment, I...

A: Merry Blessing, just to give you a little bit of context, the OpenSSF, part of the Linux Foundation, is actively working on security topics, and those overlap to some extent with the work that we're doing in risk, and so David's going to share some of the work of that project within the Linux Foundation. Okay.

B: So, up, and I see Kate too, hi Kate. So yeah, okay, but I'm just... Merry Blessing, your screen is very dark, so I don't know what that background is.

B: Anyway, I just... yeah, I don't know if I've met... I just noticed you because most of you I recognize from many times, but Merry Blessing and Renisha, I don't think I do. So it's a pleasure to meet you.

B: Okay, well, it's an experience.

A: World is working on that part of the park, right.

B: Now, yeah, but I think, isn't it the condemned part of the park? No, no! It's the new part. Oh, the new park, all right. While I'm stalling, I think I have managed to find the share my screen button.

B: The eight gazillion windows and tabs and other nonsense. Okay, so what you're seeing here is a prototype. This is not a final work, but let me give you the context here: OpenSSF has various projects to try to get some metrics about open source software, with the goal of helping, well, at least two groups of people. One is "I'm thinking about bringing in this open source software, should I?" and the other is "I've already got this open source software in my stack somewhere, should I worry?" Okay?

B: So now we already have a project called Scorecards that tries to do a quick, you know, zero through ten estimation. And so if you just want the push-the-button, get-the-instant-metric estimation, yeah, it's only an estimate, but it's an estimate. It's also not visual. You know, I mean, zero to ten, I mean.

B: So what you're seeing right here is a prototype of, what's it, open source security metrics. Okay, it's a project of one of the OpenSSF working groups, and what you see in the first screen is "hey, what do you want to know about?", and then you type stuff in, okay, and then you can type in various searches. For simplicity I'm going to click on one that I already know about and I know exists, namely Kubernetes, which will basically just make a request for that particular package URL. Okay, you'll...

E: Are all of the metrics, I guess the security metrics, that could be searched for in that box part of the scorecard, or is the scorecard a subset, like...

B: It's its own thing. Scorecard is a separate project. Dashboard is an effort to combine various data sources, including Scorecards, including Best Practices, including something called Criticality, which really focuses on, you know, how busy it is, and, you know, just some other data as well as, for example, if there's a known security review, we pull that in. Okay. So this is the, you know, Scorecards is the "I need an answer and I want it in less than 30 seconds." Okay, Dashboard is the "I want a little more detail."

B: I have five minutes to 30 minutes; I don't have, you know, five years. Okay, so a little bit of a deep dive, but not too much, and this is primarily because of scaling. You know, if you only used one open source software project and it was super critical to your business, you could no doubt really go deep, but most projects use a lot, most organizations use a lot more than one open source software project.

B: So, you know, how do we get a little more detail than what Scorecards does? Scorecards does the quick and quick analysis. It's great for that, and, you know, works on anything on GitHub; we're hoping to eventually expand it beyond GitHub. But this is the slightly deeper dive. Okay, yeah.

B: I set the context, so, you know, a lot of people get confused between Scorecards and Dashboard, because in some sense they're kind of tackling a similar problem, but with a slightly different goal in mind. Okay, and Dashboard, the current draft one, loads in Scorecards as a key data source, and I would expect the final one to do that. So this is a prototype. It's not the final thing, but basically you enter in a package URL or a name, and it tells you a little bit about it.

B: You know, what is this thing? Well, Kubernetes is an open source project. Here's their standard description, license. This particular project, we don't know of any security reviews; that doesn't mean it doesn't exist, it just means that we, in our data set, don't have one. We actually have a related project called Security Reviews, which is basically a database of every security review of an open source software project...

B: ...we can find. Okay, okay, so if we knew one, it would be there. And then it basically tries to grab some numbers and some other data, with the goal here of trying to give, you know, some of the key data points, more than just a number, but not too deep. And that's going to be really the argument for Dashboard: how do we provide enough data to be interesting but not overwhelm people? And by risk we're looking at the security risk of this thing.

A: So, can I ask a question, David? Oh, I bet you can. So this clearly is useful for folks who are familiar with open source. When I talk with, for example, funders who are looking at funding critical infrastructure projects, and organizations that are not technology companies but use a lot of open source and want to understand these properties of the things in their world, there's a lower level of context and understanding about what all these things mean, and I'm wondering if it...

A: Oh, yes, yes, of course it does, yeah. Could there... you know, one suggestion I would have is if, behind each of these colored bars, there could be a context or an explanation of what it is that this represents and how open source companies or open source professionals interpret it, and I...

C: A Scorecard metric, you can go to the Scorecard repository and see how everything is defined. It doesn't quite have the next level of contextual details, but you can find how all these numbers are calculated. Whereas in this, I think I wouldn't want to mess up the UI, so either it's a hover-over or you have a documentation page. And then, if you do that, then you can build on the contextual component. So I didn't know what the plan was for...

B: Right, so let me respond in actually two different, I guess, frankly, oppositional, not oppositional, but... let me make a point and then exactly the opposite point. This will seem weird, but I think it'll make sense as soon as I say it. So the first part is, I actually completely agree with you: adding more information about what it means. I think a hover-over is actually perfect, maybe with a little indicator that there is a place to hover over. But, you know, discoverability of what it means...

B: ...I think is helpful. There was also the goal of this green/yellow/red stuff, which, even if you don't know what they are, if you see green, obviously it's probably better. It's not just green, it's green and X, so even if you're colorblind you can still see which ones are, you know, either "we don't know" or "that looks good" or "that looks not good."

B: So that's a little bit of an effort towards that, but I actually completely agree with you: having, you know, being able to hover or click or something else to explain not just what it's measuring but why it's important, I think would be... that's great feedback. Hey, you know what, I can do something really clever and amazing. You can even watch me do it, which is I'm gonna make a little... my notes for...

B: ...users who aren't as technical. Now that I've made that point, because I actually agree with you, you're going to have some users that are less technical. I did learn earlier this year, when I was invited to the White House, that was pretty cool. We didn't get to actually get in the White House, that was kind of a bummer, thanks, COVID.

B: Yes, you are exactly correct: Jim Zemlin flew out from California to DC to be in an in-person meeting at the White House, and then after he arrived they told him, nah, we take it back. So that was kind of lame. All right. But here's the thing: in the preps for that meeting we met with some of the support staff for the executive branch. I mean, bear...

B: Actually, Ukraine did impede follow-on work, because the U.S. government and the AU, you know, basically many countries suddenly got involved in things that weren't open source software security. Are we surprised? But getting back to my point, when we went to talk to several executive staff, I was prepared to give the explanation of what's open source software and, frankly, if necessary, what's software, because in the past I've had to do that, and...

B: ...and, you know, but when we went over and talked to some folks, we talked to one of the key people, support staff, who was clearly very heavily involved in this. You know, I won't give this person's name, although you can find it on the internet. Basically we're just, okay, trying to figure out, okay, hey, tell us a little bit of a background. "Well, I used to run the Chrome browser security group."

B: Okay, you know, instead of, hey, we have to explain software and open source software. Oh no, they have... you know. Now, this doesn't mean that every single person in the executive branch is out there writing code every day. That's not what I'm claiming, but what I'm claiming is that over the last few decades the expertise and knowledge in at least some parts of some governments has really increased, and I think I can make a good case as to why, which is: increasingly the world's depending on automation. Automation depends on software.

B: Software depends on open source software. That doesn't mean everybody gets it, but there are more people than you might think who have more knowledge than you might think, in even upper echelons of at least some governments. But, having said all that, your statement about, hey, helping folks who are less familiar with this, great idea, and I think a hover-over text or something similar is...

C: If you're looking at, like, I truncated it on my tiny window so I could do this side by side and explore. Oh.

B: Okay, yeah, all...

B: Yeah, what you're seeing is a quick whip-up using Grafana to yank in a whole bunch of data, but you're right, I mean, basically this is a quick whip-up, and the idea was basically, hey, can we come up with some... and I think the original notion was that we were going to try to, you know, make adjustments and changes to this to kind of figure out what we want. But after whipping this up, I think the realization was, oh, user interface is hard.

B: Maybe we should pick it up, which, I mean, that's actually not a surprise to anybody. Maybe we should bring in some people who are willing to dedicate the time to it. It's not even so much that it couldn't be done, it's just it takes a lot of time. It's...

B: Thank you. And if you want to say, hey, it's not perfect, yes, it's software, nothing's perfect, but I also agree with you that, you know, a lot of their stuff has far better UI experiences than software.

B: No, I think that's true too. So, in any case, my point here basically is, yeah, I'm sure the actual metrics will change, maybe presentation will change quite a bit, but the goal is to provide data. To give, for example, I mean, here's some wrap-ups here. Basically, oh, I think the problem here... okay, I know what the problem is here: it's a mock-up, yeah, it's a mock-up, and recently the Scorecards folks changed the API to acquire their data.

B: So some of the data we have is no longer up to date for Scorecards. They haven't changed the badge APIs, so that one's still valid, you know. And so basically what you're finding is, hey, Kubernetes is doing static analysis, but as far as we know they're not doing dynamic analysis, and we don't know if they're requiring 2FA. We just don't have that data.

B: So, you know, and so, hey, that suggests to me that they're doing some things well; there's some areas to be either improved or we don't know, and maybe that's something to investigate further. Okay, but they do have a vulnerability reporting process. They certainly do. They have folks who know how to design, they've got lots of contributors, and it's been around long enough, with lots of contributors, that it suggests that it's more likely to keep going.

B: Yeah, yeah, and to be fair, really, the goal was primarily security-related metrics, but, you know, acknowledging that, I mean, there are things that aren't strictly security that I think are helpful indicators. I would say sustainment being one, and Kate will probably appreciate this, but licensing: not so much which license you choose, but that you choose a license and tell people what it is. There's a non-trivial number of people who think they're releasing open source software who have not put in a license, and therefore, from a legal point of view...

B: It's way too dangerous. I mean, as far as most countries' law is concerned, you have not released open source software, because it does not meet the requirements. So...

B: Okay, Kate may disagree with me, but I'm gonna claim not. Okay. Now, for...

B: If there's no license statement about the software anywhere, then the default laws for your country kick in, which, in every country I'm aware of, is not open source software. There may be a country somewhere, but I doubt it. And so, you know, a lot of people think that, oh, if I post on the internet, laws don't apply. Boy, are you going to be surprised. And so, as a security indicator, the folks... there are a lot of folks who don't include licenses at the per-file level, and I...

B: ...you're not paying attention to the basics, and lots of other developers are not going to be willing to work with you. They're not going to be willing to contribute in...

B: ...to there. That's right, that's right. Hey, do you have a license file? I mean, technically you can put it in a README, but I think it's a terrible idea, because then it can't be found automatically. Put it in a license file, LICENSE.something or LICENSE with no extension, and now at least we know what the license is. It's really important to have a license.

B: It really is focusing on security. It's really focused on security risk, but bleeding into other areas, under the assumption, and I think this is an assumption, but I think it's a fair one, that what you're looking for is indicators, and, while licensing technically isn't a security measurement directly, it's an indicator of failure to pay attention and also a likelihood of causing systemic failure to the project. Well...

C: And therefore, at a security point, then we... I don't know, then I just feel like it has to be acknowledged that this is a security view of risk, because I think, from a company consumption perspective, if they're weighing whether or not to use something, I would say licensing risk might supersede it, depending on what they're using. Sure.

B: It's in the... they have a concise guide for evaluating open source software that they've released, and one of the points is licensing. You know, in particular, do they have a license statement at all or not? Because if they don't, oh my gosh. Now, you know, I'll totally agree with Kate that per-file licensing is much better, a big thing, but because so many projects don't do it, it's a little unfair. I won't say unfair.

B: Image, oh man, calling names, how's this: it is, it's a prototype, there we go. Yeah, as far as the metric goes, the one that worries us the most is no license at all, and then, yes, they will be much better if they have per-file.

C: I have another topic question here. Looking at it, I noticed it seems to be more project-operational versus individual-version answers.

B: Funny you should mention that. That's actually a significant discussion on the Dashboard thing, and the reality is that some metrics are per-version, some are per-project, some are even per-organization, because there's a number of organizations that have lots of projects and really your metrics are against the whole org. Right now we're having arguments about that, because, on the one hand, I think everybody wants everything, and, on the other hand, there is a need for a minimum viable product, project.

C: If there's this... because it does seem like some of these metrics are tied to a specific version, then, below, like, it could be... like I kind of visualize it: here's the project metric, and then version-specific metrics, where you could pick a version and then have it populate for that, and that way you're looking at the exact release you'd be using. But I feel like I would hate to see someone use this and then... I mean, you would hope they would recognize that different versions are in different places. Yeah.

B: That, I think, is very, very important, but it's not clear that we need to add to that space. And in fact, Brian Fox had an interesting presentation, Kate, I don't know if you saw it, I mean it's a Sonatype report.

B: You know, something like 95.5% of the vulnerable components that they're finding actually have a fixed version, if only they had updated to the fixed version instead. Yeah, and some versions may have different licenses, that's true, and again now the question is... and I think even at the file level right now we don't care what the license is. We just want to make sure that we know what it is and that it's an open source license, if you're claiming it's open source software, but, you know, like that.

B: We don't have any negative feelings about the GPL. If you're bringing in the Linux kernel, it's GPL version 2, that's fine! It's very clearly stated overall, and certain files actually have additional licenses. That's one of the fun things, so, you know, and that's an advantage of doing per-file. But the key thing really, I think, is it has a license at all. And I haven't seen what the numbers are now; I think it's gone down a little bit, but I think it's still a problem.

C: I've also seen, like, for lack of a better term, SBOMs for licenses, just in terms of, like, what's in use. You're not just listing all the software components, but specifically just what all the licenses are within whatever you're using. I...

B: I believe Kate can help you identify an SBOM that can include licensing material.

B: You need more than green, yellow, red, I think, here.

C: I got muted by the host. I was gonna say, I don't, again, don't want to overall... so I'm... really interesting, you're trying to get something that's easy to use and to view, but to your point on... this is only gonna... that.

C: ...information. I would love to see a source page, because there are so many other places that you can get more detailed information when you do need it, and so, like, versus bloating this dashboard, just say, hey, there are other things available to you, and just point to them. It gets super simple and it can be crowdsourced and updated. So, like, I would love to... like, I don't know, again, I don't know what this is going to look like, seems...

C: ...the bloat, because I think there's always going to be people that are like, what about this other thing, what about, like... but, like, I want to keep doing... to you right now, but saying, like, we have great other tools for this, so let's just say what this does and make sure that those tools are discoverable, so that you're not bloating. Yeah.

B: I don't think this is going to replace GrimoireLab, for example. I mean, this is, you know, trying to give that higher-level view for somebody who has a few minutes to spend, and, you know, linking off to things that give you more information, I think, is a great idea.

B: Well, all right, the dashboard itself doesn't exist. I think, you know, for the prototype, yeah, for the prototype I think you can actually ask for that data as a JSON file. I stopped sharing, but I guess I could go back and share again. I...

C: I don't know, I feel like there's, again, a huge proliferation of dashboards, so I like to see time periods very up front and center, just so, like, when people are looking at it, they know when this was taken, because if it's a snapshot from last year, maybe we need to look again, kind of thing, or, like, yeah.

B: I would expect it to be updated on a weekly or daily basis, and not... it could, in theory, do an instantaneous one but then cache it, but I think we're going to want to have it not old, for that very reason. Wait.

B: Mine. Yeah, yeah, now, to be fair, I think the recording here, it's not when it was acquired. This is when it acquired a passing badge from the OpenSSF Best Practices badge program, and it's a little bit of a mislead, because when the Best Practices badge program was created, we actually worked with a couple projects that we thought of as north stars. You know, basically, hey...

B: ...we need to be able to handle projects like this. And so we interacted with the Linux kernel, Kubernetes, curl, a couple other projects like that, to basically, you know, kind of make sure, you know, hey, you've... you know, we want to make sure the badging process appropriately handles your kind of project.

F: Point, yeah, it will expire, like, not so much expire, so much as if you've changed sites and things like that, it will fail. There's an automatic scanning going on for some of the properties. Okay.

B: But not for many, and so it's something we'd like to improve.

B: If you look at the Best Practices badge, though, it's very project-oriented, not version-oriented, so it's very much focused on things like: do you have static analysis tools? You know, are you using strong crypto in various ways? Do your people know how to develop secure software? Do you have 2FA tokens? And it's the sort of thing that once you get it, it's... I mean, it's possible to lose, but most of those are sustained; once you get to that point, they tend to sustain.

B: Yeah, and that's my intent, because, of course, you know, realistically most software is constantly coming up with new versions, and we don't want to have to... you want to make sure that they can be agile and keep making new versions and not have to fill in...

B: As... that's great, this one is, yeah, this one is very much focused at the project level. Whether or not the next iteration, as you will, or the official Dashboard first version will, I don't know.

B: That's one of the arguments. I think it would be okay for it not to have per-version, because, I mean, for the data for a version, there's already a lot of tools that will tell you, hey, you're behind, go update, and that, I think, for a lot of folks is the key measurement: is this known vulnerable or not? If it's not vulnerable, well, go update.

B: Yeah, so I guess... we're running out of time, so I guess I'm gonna appeal to everybody here, which is, you know, there's still decisions to be made in terms of which metrics. I mean, we showed this quick thing, but I think the argument now is trying to figure out which... you know, there are many ways you can measure stuff; which metrics matter that impact security? And obviously it doesn't have to be direct, it can be an indirect indicator. Indeed, they're all indirect indicators right now, nothing...

B: ...think, I don't know, I think you're the host, but it's fine. Okay, so maybe I should just ask: is there any... I think we're at time. So is there anything else that we need to deal with in these, the last few seconds?

C: ...conversations, there was sort of this: how much do we want to look more broadly at risk versus just security, knowing that this is focused more in security? Are there any other things that should be a part of that high-level view? And so I think I'm happy to spend a little bit of time offline to look at that, because I know you have a meeting tomorrow, so we're...

B: Well, I don't think we're... we're not violently opposed to a whole new metric or a few whole new metrics, if they add value. But I think the goal here is not to present someone with a thousand metrics. That's not the goal. The goal is trying to come up with that somewhere between: it's not just one metric, not a million. It's a relatively small set where I can get a quick... because no one number captures everything. Yeah, there...

C: ...were more on the list. Like, I feel like, looking at this, like, the big ones that are sort of missing to me, that I think were in that big list that you had drafted, are, like, the mean time to response rates or bug fix rates. And, not all, like... we already talked about this: not all security vulnerabilities are tagged or exposed, so looking at resolution rates around security issues specifically is sometimes untenable, but we could look at bug and fix and responsivity around bugs and issues as a way to indicate...

C: ...tends to release every five years metric. You have, did this again, in the active commits as part of Scorecard, but it doesn't have any sort of responsivity rate. It's just, is it active? And that could be, like, all commits on documentation. We actually don't know what the commits are for. So that's just one thought.

B: And so, basically, we're out right now appealing, for, you know, those of you, like you, Sophia, and, well, everybody here, basically: there's lots of metrics, of the ones that people have dreamed up, which ones are the most useful in terms of raising up and showing on a dashboard to help people make those "I need to make a decision, I have more than two seconds, I don't have a year" decisions.

C: Okay, well, thanks for sharing this. I appreciate the time.