From YouTube: CHAOSS Risk Working Group 4-15-21
A: Welcome to the April 15, 2021 Risk Working Group meeting. We have some metrics in progress after a long time, kind of working our way towards a clear picture of what the dependency picture would be. I think we've identified some MVPs, and that is largely what I think we're looking to work on today. But before I just kick off going item by item, I thought I would ask if there is anything anyone wants to bring forward as an agenda item that is not enumerated.

B: Oh, I didn't have one, and I didn't turn off my mute button. In the community call this week you had brought up if you want to do a dependency session at one of the upcoming OSS or OSPO Con, whatever they're calling it.

A: The MVPs: these are the MVPs that we identified, and these alone, in addition to performing, pushing forward some of the licensing work that is already published in the metrics realm, these kinds of things, even if we aren't fully developed with the metrics, I think they constitute a pretty complete picture of a first order of things that we might, that any OSPO would need to do. Comments on that reflection?
C: Okay, okay, so I mean I will describe it as a possible measure, metric, but I mean it doesn't have to be, but basically, ratio of unknown, well, ratio of unknown or not, or no license versus total.

C: You know, total packages.

C: Yeah, I wouldn't call this known versus unknown. Maybe we can call this the unknown rate, unknown license ratio.

C: Okay, I can't explain it either, but it does seem to be working. So, let's move on, okay. So basically I realize this is something different, but no, but to me, if we're going to do license metrics, that's the one that worries me most. An uncommon metric license might be fine, but unknown, or no, or no lice-, or maybe non-stated, unknown or no, I guess not stated, or.

A: So this would be, in the case of an example over here, so this is Zephyr. That would, this be like the "no assertion"?

C: I don't remember what "no assertion" is. What are we looking at here?

A: This is Zephyr's risk.

A: OS health is Augur, and anybody that asks for an instance gets one. I currently have four instances down because I upgraded the server and something went horribly wrong, but I'm downloading the data and we'll have it back up shortly. Okay.

C: Large number of, that's a ridiculously.
A: Yeah, and that's actually, because that's so like normal scans, the files. You're saying there could be a license declaration within a directory that would cover the directory.

C: Well, it doesn't. The question is: can you find the license that applies? It doesn't necessarily have to be with any file, but you need to be able to justify. Okay, so we're drilling in very deeply, right, very deeply here. I mean we can come back to this. I mean the question is, what does "no assertion" mean?

C: One group uses, and I'll note that one group uses "no assertion" to mean they're, they, you know, to mean they don't know: there's a license, but they don't know which, what to allocate it to.

C: There's a license, but it doesn't have an SPDX ID. They use "none" when there is no license info at all.

C: And I wouldn't be at all surprised if that other thing that you're pointing to, can you, or is that OSPO com.

C: I know. I'm saying unknown and unlicensed, and unlicensed, okay, really is a different measure than the uncommon.

C: All right, I think the theory here was that if you didn't know what.

C: Yeah, I mean we could say, we could split this out further: not licensed at all; it's got a license, but we're not sure what it is; and then uncommon. All those are risks. Different levels of risk, really.

C: Well, that's not really true, because you may know for sure.

C: Okay, no license ratio. I've got that already.

C: Thought, yeah, I don't think so. It's not, do we.

A: I've been doing, ironically, I've been doing a bunch of dependency updates with Augur and resolving the various things that stop working when we upgrade to the latest dependencies. So maybe just a byproduct of that, shocked. If it's not working on the spdf just yesterday and there's some compiles that no longer work.

A: So that was, so. The idea was to give some, to have some talks at OSPOCon, and I suggested that we had done a lot of work on licensing and that would be one talk. I think the work related to dependencies is more, even more current and significant, and what would we cover, or what would we collectively want to cover in an OSPOCon talk about dependencies?

A: And then I pointed us to, we had identified seven useful minimum viable product memory rates that we could develop, but we've also had much richer discussions. So there's like three categories: licensing, we kind of have done that. There's the minimum viable product for dependency checking, and then there's all of the discussion that we have had on the complexity of dependencies and how to measure them and how they work.
G: One of the things we might want to do is just do a cross-check against, is risk. So since we risk things, Synopsys's open source risk report came out this week. Oh, have you seen that yet? I have not. Okay, I'll put the link to it. I know David and I've seen it because I've been playing, but what they did is they've got a nice little graphic at the start that basically puts what they consider the risk factors in place, and that is licensing and vulnerabilities.

G: So licensing made its way back onto the reports again, which was sort of amusing for me.

G: Well, what I was just going to do is, I have the report up in front of me. I was just going to quickly do a quick walk-through with people.

G: Right, exactly, and then they sort of talk about licenses and they talk about the bill of materials as well as the static code analysis. So what I thought was interesting is they actually broke it down by sector. Yeah, this one's fun. I like that. I've not seen this before, open source by sector, that was cool.

C: Actually, if you can go back, go back before you hit the license, if you go back up a little bit, let's see, no, the previous, let's see, look, lodash, I think, is, whoops, on the vulnerability ones, not that one, now, the first top ten vulnerabilities, yeah, one they don't identify.

C: Yeah, lodash, the funny thing about that one is that this is lodash, has a vulnerability. It was fixed in 2019. The vulnerability was found in 29 of the 2019 audits. It was also found in 29 of the 2020 audits, which means basically nobody is updating their vulnerable components.

A: Yeah, there's actually, I know I've encountered this with Augur, that there are a plethora of libraries that depend on that version of lodash, and the updating of the dependencies has been.

G: You know, you can read that, but the fact that it was interesting is, after many years of Synopsys not talking about licensing at all, because of the SBOMs starting to come in we're starting to see them put that back in their reports as a risk factor, and it was actually improving. Percentage of codebase with licensing conflicts has gone down over time.

G: Thank you. Anyhow, with no license or custom license, and that's when they started looking at that here.

A: Yeah, so I'll mention, while we talk about this, that we have potential, there are three students who've expressed an interest and have been working with the hackathons and workshops that I've been doing for Augur, in working with the Risk Working Group to develop these metrics that we've been talking about. Cool, and so we may be able to really get to some of the detail that's not possible on a report of this level and start talking about specific issues and concerns.
A: Repos, so I don't know what this restarted in ideas page. Thank you, whoever did that. So, panel discussion.

A: So if we talk about dependencies and we propose a panel discussion for OSPOCon, which I think, you know, that's an excellent idea, I would really like to ask like Sophia and Arpan and Ape and David and now anyone else is interested. But I think you've each brought different perspectives on this. And if nobody asked questions, you would spend an hour disagreeing with each other, and I think that.

A: And one of our GSoC proposals actually did a really nice job of summarizing the different types of dependencies that exist. I don't know if I'm allowed to share that or not, I don't know.

A: So, oh yeah, oh yeah, I'm not sharing anymore. So let me find it, and there are some other agenda items. And don't we want to, I think we've, so do we think there's three talks, one about licensing, one about our minimum viable products and one about like a panel, or do we want to just shoot for one or two, or just one?

A: Does anyone have a sense of whether it's going to be.

A: Like, yeah, I know Europe has been a little bit. Oh.

G: Yeah, I've got some back-back. Sorry.

A: This actually doesn't disclose who it is, so they explain the direct dependencies, for institute dependencies, interdependent dependencies.

B: If, because like, because we were spending so much time noodling on how to define each of these elements, if this was another proposal, because then it's, if these are known concepts and discussed in that way in another form, that's confirmation for us that we're picking the right terms and then using them in the right way. If they're building it off of our own notes, then that's not really confirmation, but has its own bias.

A: Yeah, so I don't know if the students on this call can make any comments about where the material's from, and if it's, I assume, I honestly assume it's sort of derived from reviewing our notes and participating in their meetings. But I don't know that.

E: Since the GSoC is not officially announced, I am not commenting on it.

A: Yeah, and I don't know, I don't know what the copyright provisions are around sharing, but it's a nice summary and we have it in our pocket. I don't know if it's appropriate. Can anybody advise me on the appropriateness of sharing those three pages of the proposal, because I think they are very helpful?

G: Sharing within the work, sharing within the project, I think is expected. Okay, is my read on it. So maybe emailing us a PDF or something like that, or putting a link to the PDF and some, you know.
C: First, there's something weird going on here: that ratio of uncommon metric is wiggled around here somehow.

B: Yeah, I mean, I think examples are always fun. So if we want to pick a project, it has to be a messy project or a big one with many arms. But if we're going to be presenting on these kinds of dependencies and give examples, then it would make sense to be consistent in that. So if we pick a project and then attempt to measure all of these kinds of dependencies and basically put our metrics to the test, that could be kind of a real-world scenario.

B: Who can say how these things are being addressed and/or treated, because then there's sort of the risk level. So the story is, we can measure all these things, but what elements make it more or less risky to the sustainability of the project, to the users, the project contributors? And then you have a story, but we don't have a story unless we have that view being expressed.

A: But I've been talking with some of the Automotive Grade Linux folks lately, and I think they have a story. I know Zephyr has a story. I think UNICEF has a story as well.

A: Wow, so there's definitely stories we can tell along these lines, and it's just, I suppose, maybe, we have seven minutes left. I don't know if we're getting a conclusion, but maybe an agenda item for next week is to sort of try to. Maybe our homework is to try to determine.

A: Yeah, I become kind of a statistician in terms of telling the story, except for projects I've worked a lot with, like Zephyr, bull zappers, you know, and Automotive Grade Linux and a few others, and in those cases. But I've worked on a lot of cases with companies that have a lot of, like thousands of projects, and then those become less stories that are understandable and more like executive level.

I: Are interested in, like, undocumented dependencies, so like clone detection in projects, so where you've got, there's a dependency, but it's not expressed anywhere. I ask because actually I've been doing some work on that recently, using the special type, like content hashes like ssd, to go look for sequences of code that, you know, you've got a dependency like in the source code, but it's just not actually expressed formally, but it is in there. Well, I.
C: So I would not call it on, whereas an undocumented dependency is the code's getting pulled in, say, at runtime, but your tools can't tell. Maybe, for example, at runtime it figures out a name and then starts calling it, but there's no way your tools could figure that one out. As far as the vendoring stuff goes, there are some companies that should do that. I believe that Sonatype can actually manage to do that.

C: I do, I think Vendett is right. I was thinking, I'd forgotten that, like when we think about dependencies in this sense we're thinking about resolving dependencies, and, you know, build time, that kind of thing. But I'm just, especially when you start to think about understanding what code you have in your stack, and so like license compliance and all that kind of thing, it's sort of understanding the origin of the code and rendering workflows, I think.

A: Standalone is that it's something, maybe somebody's injected some kind of vulnerability into a build process, and so it's basically a snippet of code that exists. So that's like a security version of this, but another one would be: I copied in jQuery 1.7 and I stripped out all the headers, and now it's in my software. Now I have code vendored, but sort of by hand, and I was just thinking about those kinds of dependencies.

G: If he's speaking, he's speaking muted. Then, while we're waiting for him, I just want to bring up the concept of a build dependency: you're depending on a certain compiler, and that's not necessarily documented in your dependency trees, but you're not going to compile unless you're using GCC, something like that.

C: Well, in fact, that's an active topic right now, where the Linux kernel is talking about supporting Rust, but there are architectures which the Rust compiler doesn't support.

G: So it was a dependency up till this point that it must be GCC. Zephyr is going through the same sort of journey as well.

A: To do so, and maybe we'll try to lead with making some decisions, and if anyone wants to start the application process, feel free to reach out to those in this group and start it up between now and two weeks from now. But we'll try to get, maybe, trying to get that fleshed out and submitted in our next media internet meeting, and possibly even get to some metrics, who knows.

A: And this is the end of the recording and the end of the meeting, and I will not stop sharing my receptor in the screen to figure out what to stop. On mr record.