From YouTube: CHAOSS.Risk.August.12.2019

A
Recording. Okay, so the first item today is just sort of the update on the implementation of risk metrics and Augur, and this is probably all of yours' first look at the new Augur front-end, which is running on my machine right now. I haven't fully deployed it anywhere yet, but I will today be gone. You can see the total number of current forks; there's some activity metrics, which we've talked about as being interesting from a risk assessment.
C
Never exists: okay, whatever ever is it, the only, the only argument, I think, for licenses concluded: if you ran two scanners, crossed it, and came up with MIT for the same light or for the same file? I see, and are you heavily some confidence that found the exact same thing? Maybe we should just go ahead and conclude, yeah.
A
Well, I think, you know, if they're it, Matt, I mean Matt Snell. Are there other scanners that are easily plugged in? That, I don't know what easily means, but if DoSOCS could run a different scanner and produce that data, then getting the data from two scanners is then something we have infrastructure to display, if we wanted to decide that, whereas in the past I don't think you had a way to sort of automatically reconcile all that FOSSology.
C
Then there's another, there's actually another scanner that I like quite a bit: it's ScanCode, which is not part of FOSSology, but it's the nexB tool.
B
The only difference that I've ever seen that actually has anything to do with the file, but no mice or not, as if it's declared in, like, the header of the doc, of the file. That's all I can, the only difference I really noticed, but I don't know if that's actually a, like, correlation-causation kind of thing. So.
B
Also, about the Nomos scanner thing: it looks like Nomos is, like, integrated. It's the only scanner for DoSOCS right now; there's, like, I'm the configure finding, like, scan and Nomos path and stuff like that. So we need to actually integrate a new scanner or system that will, on, use multiple scanners in a certain way, like.
A
Thanks, yeah, this is probably everyone's first look at it. It's actually one of my first looks at something that's useful in it. So there's a lot of work happening on this part right now. When it comes to FOSSology, I know we're using DoSOCS and we're familiar with it. Is it, I guess, as a question, like, in terms of scanning, what is the trade-off for the sort of the decision process?
A
FOSSology acts as a standalone app that assembles these different scanners; is, is the aim thing of using DoSOCS to provide similar information with a separate subset of scanners, or just in terms of positioning the risk metrics that we're providing with this kind of scanning? I'm, I'm curious, Matt and Jessica, what, I mean, and not you, you know, I'm just curious what both of you think in terms of the utility of adding additional scanners to DoSOCS and what the trade-off of FOSSology is. I.
D
Would, so I'm not as familiar with all of the scanners as you all are. In fact, like, I don't know what is covered by one scanner, not covered by another, I think. For me, the big focus is on, for the risk metrics that we agreed to target for, like, this first release or whatever, whatever scanners, we need to make sure that we have those metrics available in, through the Augur site or through whatever, you know. I have worked, I can people to get to them. Yep.
C
Jessica, for you, like, you know Nomos can capture quite a bit. We found it to be kind of the best scanner, at least back in the day when we were first doing this with DoSOCS, but it certainly does miss cases that other scanners can pick up, so the fidelity of the data will improve with additional scanners. So you, the question for you is, like, Nomos obviously provides more than nothing.
D
It was, the way, the way that I'm looking at this is almost like a return-on-investment type, saying, obviously I'm not the one having to figure out how to use all these scanners and integrate them into the back-end service, and so for me, if there are scanners that are provided that can provide useful information but they're a pain in the ass to configure.
A
Well, all the license ones are available. Committers, we have the data; elephant factor, we have the data, so it's just implementing the APIs. We did the license ones first because, frankly, they were the easiest APIs to write, all right. Elephant factor and committers will be pretty straightforward as well. Bill of Materials, although I have some questions about, like.
D
I mean, the way that we're looking at this right now, probably suppose ad nauseam, but, you know, essentially, if we can have people who are identifying software packages that they're gonna use in their own internal products, for whatever reason, I mean, at that point, that, you know, they should be keeping track of their own software bill of materials as they build it. But it sounds like this could also be used to develop a very comprehensive dependency tree. It'll.
D
So, for a lot of the things we're looking at, including the CI badge, the CHAOSS metrics themselves, you know, the basic idea is that people would come with, with a fully fleshed-out software Bill of Materials, but that, for one thing, that's not an easy question for a lot of organizations still; they're either stuck with commercial tools that are very expensive or they just don't have access to anything. And so, if this works, and this is it, and I guess the next question I would have is, like, what?
C
Just 'cause you're not gonna ask people to go to a web interface when you're doing nightly builds, so DoSOCS is built so that it could be part of an automated build system, and it's those SPDX documents that are really what we're intended to capture the data from that nightly build, because then they're pointing to us like a, we can't, those are way easier to scan and do something, because they're, they're finalized documents, so, and.
A
So the question is, one thing the database could do is, if the scan is different, then DoSOCS enters a new record, and so we could produce a sort of a change record over time on multiple DoSOCS scans with the database data. One question I have is: is it sensible to also produce the, to share through Augur a link or some form of this actual, I think it's a text file, that is the, the Bill of Materials that is printed out in the example? Is that right, Matt Snow, that this is a text file?
D
If it's, I, I mean, if it's not valid, heroes can be created using this school than one, I think you can still have, so have the stopper bilham knows build materials metric be, like, a yes-or-no question, is, in, you know, that does this, or did this organization, or did whoever came up with this piece of software compile their own software bill of materials? And it's, so here's where you find it, or something, but I, I!
D
Think if you can generate it, then the question of whether or not one exists becomes less of a priority, because then you can just, if the answer's no, you can just make it, or you can just make it anyway and then compare the two or something like that. But I didn't, I mean, I'm just, I'm actually really, like, I'm really excited.
D
Are we to the point with at least the seven metrics we've identified, we're, maybe not right at this moment, but when the website goes live or after CHAOSScon, where, if I come to the Augur website with my list of, let's say, four open source software packages that I want to get metrics on, can I essentially feed package one to Augur and have it populate the metrics? Are we not there yet? You have.
A
I haven't, everything has been scanned at this point from repo lists that people provide. It's, it's not out of the question that I would, I would say it's, it's certainly on our path to allow people to put in a repo URL and do all of the work of generating all of the Augur statistics. The trick there is that people kind of have to host their own version of Augur, because that kind of exposes our hosting environment to an unbounded, right, set of possible load, right.
A
I have no, I mean, there was nothing on here that, the only one that is gonna require a little dancing is test coverage, so we're just gonna have to make a decision about which languages we want to attack first, because test coverage is, it's, those kinds of tools are different by, like, by a computing language. So, all.
D
Okay, well, be funding, so I got a couple things, and this was all going to come together, hopefully. I don't know how much we've talked about the Census II project, but this is where the Linux Foundation is working with Harvard to identify the world's most used open-source based on data that we're gathering from a whole variety of sources, and we've started identifying, like, the top 100, 200 open source packages that we have been able to pull out, and one of the things that we talked about recently on that is.
D
We would like to be able to have some kind of way to make essentially value judgments on how healthy that open source software is. Well, that's the CHAOSS project, yeah, and, from my perspective, that's risk, and so, for example, at one point, like, I think the Linux Foundation is probably going to want to take the, the Census II results and then essentially plug them into Augur, so that we would have all of those really pauses that all of them, the metrics available for each of those packages.
A
That's easy: if you have those, if you have those repositories, we can just do that. What we don't, I think the piece that you're, like, so one of the things that the CHAOSS project has been clear about is not deciding for people what is a healthy or not healthy project, and Augur has the, is, is taking a stance that we're implementing the agnostic CHAOSS metrics, but we wanna.
A
This fall is a way of saying similarity between different projects in terms of the number of committers, the number of issues, different statistics that make the project similar statistically, and then you're looking at the relative, you know, measurement on things like commits, committers, elephant factor within that set. I think, and I think that's how, you know, you're probably gonna have to try to draw conclusions about health level, because, I, you know, for a lot of, a lot of products are just different than, you know, so different than each other. It.
D
Well, and I think for right now, like, we, there's a steering committee associated with the Census II project that I think would probably be the ones sort of coming up with the parameters for project health, etc. That are my concern, or the thing that I'm focused on right now, is just having the, the metrics available.
D
Yeah, inside, I think the way that I'm looking at this is, it, you know, if we, if the Linux Foundation, through the Census II project, ends up, let's call it sponsoring, it's not the right term, but I think it sort of gets at what I'm getting at. If we sponsor the CHAOSS project applying the metrics to these, these 100, 200 projects that we identify, that's going to be a pretty robust set, especially because, you know, where we are, that's based on a large data pool about what isn't the world's most open source.
D
But the question for me then becomes, with the way that we're envisioning some of the security tooling that we're looking at working, we do have a capability, or we are going to want a capability, where people can come to the project with a list and somehow, with the minimum amount of effort possible, be able to feed repositories to it and get back the metrics, and so I think.
D
Know, but I mean, I, I think, you know, we, we already started, be using, like, the OpenSSL one, even just beyond the idea of being like, here's an example of what the CHAOSS metrics can provide, like the OpenSSL one ended up back answering a question that our CEO had online, who's been working on OpenSSL recently; we're like, oh well, like, well, we just happen to have this information available. We're able to tell him just based on that.
D
So, you know, I think there's a value to the Linux Foundation outside of even just the project in and of itself. So I think that that's a conversation that we're very willing to have. I think it's just, for us, we need to figure out what exactly that's gonna mean and how exactly that would work. Okay, I.
A
Think David Wheeler, actually, you know, David Wheeler talks very effectively, but he did mention, if we wanted to host an Augur instance, that he could possibly throw some hardware at it, and I have, I haven't pursued that because we haven't had a need to. But if, if this kind of Linux Foundation ranked-in infrastructure is something you're looking at, David may, in fact, if you made it, be able to ask him, and he may be able to say yeah, because it doesn't take a, it doesn't take, you know, it's not a giant resource hog.
A
About keeping the projects updated, from anytime from daily overnight or weekly overnight, you're gonna go get the new pulls from each repository and calculate the statistics again. So there's a, this kind of a cyclical, depending how often, you know, you do it; the more often you do it, the lower the load is when you do do it, but I suspect we all have hardware that sits twiddling its thumbs at night. Yeah.
D
Yeah, I think it's dual, I think it, I don't think it's gonna be an impossible lift, or even necessarily a hugely difficult lift, to figure out how to, had a, host something like that. Just 'cause, like I said, like, I think the value's been made pretty clear to me, to my boss, so that, that's how the problem, I, I, I think, again, it just comes down to this question of exactly how that would work, like, you know, is it, are you gonna? It doesn't make sense.
D
I think it's, there might need to be some kind of plug-and-play capability that we can control, or somebody can control, where, you know, if we do want to scan a new repository, I don't have to email, your email, Matt or somebody. You know, I can just point the tool at that repository, yeah.
A
I think, I think what, what we probably, I mean. That's, those are things that are on our roadmap. I think when it comes to actually putting this live in a production environment, I want to make sure that we have a person who understands what's happening and, and can just sort of administer it, right, so, and then provide feedback. You know, we've gotten a couple of folks using it pretty heavily and we're getting pretty regular feedback and making adjustments based on that, but I think, yes, it's like a, it's like any software service.
A
We haven't packaged it yet, and I think, you know, that would be maybe somewhere where you have someone at the Linux Foundation who has expertise in packaging something for distribution to a server, which would put it in the ordinary file directory structures that people expect things to be in; then I think it's probably easier for infrastructure folks to, to manage. Certainly developers can install it and run it, but I think what you're talking about is actually making it a piece of infrastructure, yeah, and, and it's, that's something, that's something to do. We just haven't.
D
Well, I think for now, I'm just, something to keep in mind, like, I think that's gonna be our end goal or something like that. I don't know exactly how it relates to CommunityBridge, but it, you know, I think we, we certainly have, with the community, there's platform folks who are very good at the, point infrastructure in the way that you're describing, and so probably that's working with this foundation would, yeah, yeah, yeah, and so I think we can, we can certainly manage that. It's just gonna be a question of what is it possible?
D
It sounds like the answer is yes, we're just not quite to that point yet, which is fine, right, and so I think, you know, I, I dunno, pretty much for a guarantee that at some point we are going to want to take the Census II package lists that we come up with and run that through Augur, and then, where that, where that result of that sit, you know, that's not decided yet, but I assume somewhere at the LF, and then just on a more ongoing basis, so that people can use this as a.
C
Then, then, just, just, how about this? Suffice it to say that the SPDX spec is super, duper long and complicated, a lot of, like, detail in it, and what you're looking at here is relationships between elements, the, within an SPDX document. It gets really, really detailed. So it's great information, but DoSOCS can't do, like, this kind of stuff yet. Okay, just, it's more of an FYI, yeah.
D
Yeah, no, I, I think that's fine, and actually this is, I don't know, I'm sure it's come up in conversation, to what extent y'all are aware of the software bill of materials multi-stakeholder process, what's happening at the NTIA. Okay, essentially it's just the kind of, States government, I mean, I, I mean, back when I worked with Congress, got really tired of everyone talking about how impossible it was to deploy software bill of materials, and we essentially told them to suck it up and go figure it out, and so the NTIA process is them figuring it out, and that's ongoing, but I think the bottom line that's coming out of that is people are trying not to let perfect be the enemy of the good, and they're just looking for.
D
And so, and I think that's what I mean when I say, like, I, I'm not bothered by the fact that it doesn't produce a full SPDX, is affected. It gets even that.
D
Which is, I get, and, like, I, just, I, I think even providing, let's call it, the basic, like, building blocks of this, of the spec, I think is, it even gets a lot of companies who, all right? Let me put it this way. My experience with a lot of companies, especially companies who aren't software companies by trade, like they, they still think of themselves as manufacturing physical products, even though what they really do is stick software in physical products.
D
They all might have to think about, you know, do I want to use SPDX or do I want to use some other format? They just want to be like, I want to generate an SBOM. Where is the button that I press to generate an SBOM? And it seems like this, it's them much closer to that, and a lot of the other tools that I've seen, which is, I think, the difference between.
C
You are, you following the old census model, like the 2016 stuff that came out of the CII census, sir, yeah.
D
Well, what I'll do, we have? Actually, this is gonna sound super strange. If we're, if, let's say it's a, if the risk part of the call is done.
B
I've got the beginnings of what you're talking about, setting up infrastructure and being able to scan mass amounts and, like, print mass amounts. I've got the beginnings of that infrastructure under scanner tools. I can go, do a link to that too, but it's got a bunch of the, like, beginnings of something that would be larger infrastructure.