From YouTube: CHAOSS Risk Working Group 4-29-21
A: All right, so welcome to the Risk meeting, Thursday, April 29th, 2021. Hello, Sophia, welcome. Just getting started, so you missed nothing, or I guess you missed the banter prior to the actual meeting. I...

A: Okay, now I'm hearing phantom music too, like a lot, and it's like when I'm not on a call. A lot of times, unless I'm writing, a lot of the work I do, I can do it listening to music, especially the technical work. And so I was like, have I just been listening to so much more music during the pandemic that I have this problem that I'm hearing ghost music, or is this a thing? Is this like an affliction?

A: My personal affliction was that I listened to the Genesis song Abacab, which you may or may not recall or know about, but it's very addictive. It's like an earworm, and it was in my head for two days after I heard it. I could go nowhere without being triggered to hear Abacab. So I'm not sure my first, but I know Dwayne. Oh, David, you're here, perfect. All right, so here's the... I was talking to Dwayne O'Brien at Indeed about... We were like, okay.

A: Yeah, well, so what I was expecting or hoping to find was an open source tool that would scan multiple languages for their various types of dependencies and how they could be embedded. You know, Dwayne and I both thought, well, surely somebody has done that before, and we thought maybe we misunderstood some of what you were trying to explain about the existing tool sets, or maybe we weren't asking the question clearly enough about what kind of tools we desire.

C: Today, perhaps tomorrow, never mind, omnipotent. So, but the ones that I found were specific to specific language sets. So if you were going to do it for multiple language sets, what you have to do is install and run multiple tools: one that tells you about the totals for Ruby, one for the totals of Python, one for the totals of JavaScript.

C: I'm almost using those interchangeably, so Node slash JavaScript, right? So yeah. So I think, if you want to summarize it across multiple ecosystems, sounds like a good idea. Yeah, right now! Well, yeah! I don't think there's... well! You know what I mean. We can go look at this at, but I...

A: So that's okay. We can search for multiple tools. We can search like libyear for Ruby, libyear for Python, libyear for JavaScript.

C: Don't be too impressed, my all, if you found more than one, oh yeah.

C: The only approach, you know, the tools are ecosystem specific.

C: So to do totals across ecosystems. Oh, I'm trying to.

A: Yeah, but I've done like... when I find a tool, I don't rewrite it. Like, we count labor hours and total lines of code and language distribution in Augur using a Go tool. You know, we just wrapped it in Python and call it from Python. That's perfect!

A: I think we would, from a tooling perspective, just do the same thing here: okay, somebody's built these tools and we'll go through and run each of them for each repo and gather some of that data, so that we can start looking at, okay. That is what Dwayne and I wanted to clarify. Thank you.

B: Might be coming, but it's from where it's recorded. So I'm not going to say.

D: Yeah, okay, but.

B: It's more that I'd say, like, the Debrix tool, which they're potentially going to open source parts of it, like they think.

B: Yeah, so they built this giant model that ingests open source vulnerabilities and various categories of vulnerabilities and risks and models them to help people understand all the various types of issues and things to track on the projects they use, and one of the things that they mention is, say, age of license. So I know that there are aggregator tools like that that have this as a piece of it, but I haven't seen a lot where it's its own thing versus being part of a bigger tool.

A: Of course, yeah, I sort of get that. I do get it, I mean, and once you have a tool and you've built the... there's a lot that goes into doing this work, so it's not like they won't have jobs if they open source it.

A: So the use case, all right, so I'm typing this because it's easier for me, so I wanted to make it in the minutes. But so what Dwayne and I are trying to do is accumulate these dependencies for as many languages as we can across some collection of repositories. So we're not thinking about this at the repository level, we're thinking about it as, like, an OSPO, and I have a thousand repositories that I'm looking over.

A: I would like to know, of all those repositories, what are the five dependencies I have that are the oldest across that collection, and to ask the question that way, because then I can start to think about where am I going to direct my resources. And I think anyone that's managing a product portfolio or a project portfolio in an open source company probably has some of the same questions, like in my product line.

A: Yeah, there's a lot of that. So the next thing I had on the agenda is, I mean, I think this group has done a lot of thinking about, well, dependencies, vulnerabilities, and so I think we have some things that we could contribute to either or both OSPOCon and what I understand to be Open Source Summit Europe in Seattle for this year. They have the same deadline in June, so.
A: The deadlines are both June 13th, I think.

H: Yeah, like they have given those lists of options, like maybe community or, you know, different lists of options, so they're saying if you feel it, my talk is matching between two or three, just pick one, because reviewers are aware of it. That's what they have mentioned in that, okay.

A: Does anybody want to try to, like, work on something? I think dependencies probably has a couple of flavors. Like, if I go back through our notes, I think there's our discussion of these different...

A: And then this needs and motivations work. You know, there's just a lot of context that we can put around these questions, and we've identified personas and developers and questions, and so I think some of this could be aggregated, like, help other people sort through what was even for us.

B: It's just because I know that the issues that I deal with, right, are different, yeah. I'm coming in from a different scale and history, where maybe we have issues and things that are pressing for us that are less relevant to other kinds of companies, or maybe just the priorities are in different places. So I'm happy to support it. I don't think I should drive it, just because it's hard to figure out what bias I'm coming in from.

A: I'll say I had Moderna and I was knocked out for 36 hours on the second shot. Like, okay, I didn't... I wasn't sick. I was just... I felt like I weighed 10,000 pounds, like I was just physically immobile, like I just felt so heavy. I just felt like I couldn't lift my body, but I didn't feel anything else. It's just really.

A: It's okay. I would say this is open to all and.

B: Gonna have an idea that fear may not be realizable by the time we give the talk. So this is the caveat, but I think what would be interesting is we kind of spent a lot of the upper time providing more of an exhaustive framework and view of things, and now we've been kind of working through how, if and how we would measure things, and then I think there's always the third piece, which is what is the relative impact of measuring that thing?

B: So not that we can actually provide a view. Can you give me those three again? They're sort of like what to measure, how to measure it, and what does that measurement mean? View that I think it would be fascinating if we could kind of present that process with, at the end, saying now that we've done that for three things?

B: What did that actually change, or could change, for someone? Like, because you're able to say if you focus on something like libyears, that you're reducing risk by finding things that are outdated, not supported, or areas of investment, so kind of like connecting that back to what you would do with it. But I think, because kind of the hardest part is all the things together.

B: I feel like it's sort of, because it's such an overwhelming space, that I think there could be value in kind of that progression of how to isolate something, how to actually find out how to measure it, and then how do you apply that measurement over time? And is this actually a thing you should be measuring?

C: Yeah, if somebody had pointed a gun at me and said, hey David, you've got to present on this, I would probably present on something I would call... my initial thought is I'd call it a metric sampler. No claim that this is the full set of all metrics that you would want, but here are some metrics you might want to think about. Metrics sampler, you know.

C: So basically, you know, not trying to claim it's the best or the only, but here are some, and then we don't need to make the argument why these are the best, because, frankly, I'm not so sure we have no idea.

C: I keep mentioning, you know, because I'm trying to get people to talk to each other: LFX is working on LFX Insights, which is more metrics; OpenSSF.org is also working on metrics. So everybody has different focuses, and of course we've got the GitHub, GitLab statistics. What.

A: Oh okay, oh, okay, good, all right! All right, yeah, other groups: LFX and science metrics. I think that we've been to the metrics OSS site before, and, of course, at least right now GitHub lets me see things in a repo, which is great, super useful.

A: If I'm running a repo or a small set of repos... and where obviously it becomes bigger, I mean the reason we build tools and we try to define these metrics is because most of us are thinking across this large collection of repositories of some shape and size, and the tools don't go far enough for that large review.

H: You know, going to Sophia's perspective on these like five points: what is it that we want to measure, how to measure, and what we take away? I feel like in this group we are at this stage, what to measure. The stage... I'm still feeling like we are trying to explore what the major... the how is not even started, I guess. Maybe Sean has started in Augur, I don't know. Yeah, I mean, I think, from this group's perspective, I feel like we are still at what to measure.
A: So I think we got that far, and how to measure it, those are kind of some... that is some of Dwayne's and my question at the beginning, which is really very much about how to measure it. Like, okay, as a practical matter, we want to actually do this because we have one, possibly two or possibly zero, we don't know yet, Google Summer of Code students who will be focused on building the...

A: How for this working group, or at least building like examples of things that we would like that don't yet exist, and so I think we have... so we potentially will have some resources that we need.

A: Yeah, yeah, we say this over and over again, and I think it takes people new to CHAOSS a little while to understand what we mean by that. Context is a squishy word. It's not very specific, but it's basically this: the group of stuff that you're working with these metrics, you'll interpret them based on what you know about that collection of stuff and the people around it.

C: I don't think context is wrong, but it is awful squishy, yeah. Would purpose be clearer? Do you mean something.

A: That's fair, I agree. I think when I... actually, so sometimes to figure out what the goals and priorities are, I have a bunch of questions, like, does... My first question is, okay, libyear. This looks really promising as a metric that will tell me something in a kind of an aggregated way, so I don't have to deal with all of the detail, and so if I run libyear against everything, do I get that insight? Like, does it help me make priorities?

A: Does it help me see big differences between parts of my world, that, you know, okay, there's obviously some correction required on this dependency, or this repo has a lot of old stuff, we should probably deal with that. I will, or do I not get that?

C: Right, I think it very much does depend on, again, your goal. I think, for a developer, just the libyear count isn't enough. You know what I... when I'm a developer, you know what I look at is I drill one level down. Short: tell me what's oldest. Yeah, so you still get from the libyears, it's just that one level down, whereas if I were not developing, I just want to get a sense of how bad they are. I might look at the sort, or I might look at the number, but.

A: Okay, we're 30 minutes after. These are some really great ideas and we have some time, and we have like five... I guess four. I mean, I think these are four ways of possibly shaping and shuffling different ideas, but maybe as an action item I can take, and maybe even, if you want to join me, maybe you and I can arrive at a sort of a set of two or three paragraphs to orient specific talks.

E: Yeah, okay.

B: But I'm really bad at titles, but I'm calling it A Beginner's Guide to Open Source Analytics. I also proposed it to ATO, but basically just like, I'm an analyst, I started working with open source data maybe about a year ago, and here's all the weirdness that I found. You can't just treat this like any other operational data. There's a lot of funkiness, like I'm working with a data set right now that has three different versions and none of them agree.

C: Hey Sophia, a quick suggestion: don't call it open source data. For a lot of folks, that means data that's available to the public, possibly for a fee. Open source software data, open for software.

B: That's great feedback, thanks, because I also had a section in there on just sort of the ethical implications of using this data, which is assuming that it's open source does not imply just kind of public for use. But that's still in this segment versus talking about something totally different. So.

B: Not into sort of the reuse of it, where your sort of platform agreement of how, say, GitHub is collecting, using your information, but that's kind of where the policy stops. So depending on how you extract that information, how you use it, and essentially it's kind of a call to action to what we did as a CHAOSS project to develop more of an explicit guide on data handling policies around how we treat your information, because a lot of projects don't do that.

B: And so I think it's more just to point out the ambiguity that this is not stated anywhere, and that just because there isn't a policy doesn't mean there shouldn't be. We're not talking about risk anymore. So I wanna. No.

A: Around the use of this data, it's not well enough reasoned about as often, yeah.

A: I understand that completely. So all right, we've got some great talk ideas. We did a great talk about ethics, third week in a row. I have been involved in one of those so far.

H: Less intense than the other two. Sean, for the talk we need just an abstract for the talk, so.
A: I think our goal for the next meeting is just one paragraph, like just to essentially flesh out, or maybe it's an outline, but this is to flesh out some pieces, either one of these ideas as they are or pieces that we reinterpret in different ways. If we each give it like an hour, I think we can reason through this between now and over the next two weeks. I think we can find the time. So we have 13 minutes left, and yeah. So Yash is new.

A: He hasn't been to this working group before, but I've been in four other working groups where he's presented this, and so I'm going to brief this discussion by saying that our idea is that each repository inside of CHAOSS would have a contributing document and a code of conduct document, but that those two documents would point to a standard CHAOSS document for each of those two things, and then the README could potentially be different for each working group, but we'd like it to follow a common structure, and this is the structure.

A: Okay, Yash, did you want to say anything else about it? No, no, thanks a lot. All right, yeah, and I'm sorry. I sort of... we've had long conversations in a few working groups about this, and so I just didn't want to go down that road again, because from my own experience with it, I thought I could summarize it more effectively than just repeating the conversation. So that's what I did.

A: No, that's... I appreciate that. I just want to make sure it wasn't also an additional agenda item, so we had some metrics that we were working out.

A: Look, apparently we had some discussion about the dependency session at OSPOCon last time that I'll just, like, carry up here. Tab.

H: Over, yeah, that's the notes. What I recalled from the last meeting, Matt proposed that we should have.

A: At top, I think there's still talks. I spoke, okay, all right, and you know, I think the last meeting was maybe the one where, I don't know, I was... there was some home discombobulation, so I maybe missed this.

A: Yeah, these are all really good points. I don't think a panel is a bad idea or wrong at all. I also think we have a lot that we've muddled through that can be shared, and I don't necessarily think that, like, the muddling and the demodeling that we did is something that... I think it would be helpful to a lot of people if we just shared that, yeah, and some of the other ideas, I think, are really strong as well, so.

B: Okay, that's where the panel shines, is that you have people from different backgrounds that can show you how these things mean very different things for different people, whereas I think a regular presentation is better suited to establish "this is the framework" or "this is how we try to organize this hairy mass of tangled ideas," so that hopefully you have some more to start with, or maybe you throw it out and start again, but like, it can be a hard discussion to begin, right.

A: Yeah, that's a really good way of... I'm never going to put it quite that well, actually. So, and I think David's proposed talk is somewhere in the middle of that. The sampler is kind of like somewhere in between a panel and a defined talk. It's like explicitly undefined, perhaps inviting discussion at the end.

B: Was gonna say I've been on one where this one poor guy just really didn't interject well, and I just felt bad because the rest of the three people were very comfortable just jumping in and sharing things, and he just sat there and didn't say anything the whole time. So I just feel like it's also, if you don't have the level of rapport with people and you're not comfortable just, yeah. Now it doesn't.

A: You know, because the other two panelists are probably just so engaged in their own perspectives that they didn't even notice until after the talk that the third person never said a word, you know, because when you're up there in the spotlight you're like... you're not that helpful. I think it's helpful, facilitator. So, and oh, see, there's always DevStats.

C: No research, well, okay, the Linux Foundation has hired a research person, her name's Hillary, and I know that we're also bringing in somebody else who is specifically, I'm told, has some background in DevOps and metrics in measurement, but that's not public yet, so I can't identify the person.