From YouTube: CHAOSS.Risk.September.9.2019
Go ahead. I am gonna share a link that works, and about some of the work that Matt Snell, who actually coordinated on this quite a lot of weekend last week, and it's working on one instance, the varsity, not another. They're exactly the same, so I think it's just a database thing that he's done differently. Okay, but I'll give you this link, this thing's.

Okay, I see it, but yep, all right.

So what Matt's done is, for there's a group of 45 or so repos that are part of this effort project, and there was a larger group of repos that are in a test instance of Augur that he's run Augur. Augur has the BOM over, and in there he's showing a couple of really, I think, important, interesting pieces of information.

One is I counted forks by week, which this looks to me like he just might be wrong, but maybe he's doing wrong in points. I doubt it's that low, or he might not. You might not have a repo info. Actually that comes from a table that we might have populated in this database. And then there's committers by week, which you can just see the number of people who are committing each week from 2015 through 2019, current time. And then he's done a scanner that shows all the different licenses that are declared inside the product.

Okay, and then there's some license information. I don't think that what I have right now yet, one who is going to provide a lot inventory of files, I think, but we have. We have a good deal of information about licenses, creation, packages and other basics: POMs, SPDX, that's in this file that can be downloaded directly from Augur.

Bob, yes, it is, buddy, but one of the things that Matt and I discussed, and you just may not have gotten to it yet, it's including, like there's that there was a full file that actually listed everything, including the contents of the package, like the directory by directory contents. They see everything except relations, and this is like a lot. So it's, I think it's a lot of useful information.

I think, and this is one of the questions that we had for Jessica and Kate when they were, I missed them last time, is that I think in the conversations I've had with them we talked about it, including more things, but joy to get their feedback, so maybe I'll just send Kate early something both way out of the thing that works and.

Know where that data comes from, and I think, I suspect, we just don't have the historical data gathering. Yeah, I can look, okay, afterwards, the day. Yeah, Matt Snell and I used to set up a time to sort of figure out what's going on. There is not working out, except for specific site which talks to a different data, basically only got, except for a repose.

Well, so actually license count, license coverage, licenses declared and Bill of Materials, so you have four of them in here in the file that you're showing, Doran, just in this interface that you're showing right here. So I mean, like, you have license count on this page, don't you have? We have license coverage, license.

Why does it work around one, and we should probably emit, as far as a metric goes, we should probably release. Makes me think for the risk, for moving forward, articulate on transparency, the best practices. Tell me more about what you mean by that. Well, so like, if I give you this list right here, right, the actual metrics.

If we look at this, actually you provide committers, mm-hmm, so you're actually hitting committers, license count, license coverage, license declared, yep, and then transparency. You actually, that's, scroll down a little. Tutorials, yeah. I was just saying that, looking at your interface to the Augur interface, or transparency, to go back to the metrics. Yeah, I think I'm showing you metrics, Dominic. No, no, click on the metrics tab up at the top of this browser, this one, there you go. So under transparency, I think Bill of Materials. We should have CII badge. No, go back, go back.

Have, I think, is, I think, I think with the case of badging, and I mean we didn't. We wanted to have a Congress, I think we have a pretty good, I remember, I think we did a draft of it. Okay, didn't release it because we hadn't had a chance to talk with Dave. Is a Dave Walker, Wheeler, Wheeler, Dave Wheeler, and we wanted to, everyone wanted to, yeah. We didn't write it out, and, but we chose not to write it up, because we wouldn't, we weren't able to circle back with Dave before, okay, before the.

The, on, because I'm just thinking, I mean, if you would be the first working group, I think, that would have one-to-one mapping, straight correlation between what the work group, what the work group puts forward as metrics and what the tooling can deploy. You know what I mean, which would be fruitful, yeah, which would be pretty cool, and then you would add CII, which you already have deployed, and then.

It wasn't there, maybe.

Right, so anything related to issues or code or code complexity, we have to finish, and lines of code that we're working on, that worker, right now. That will gather that data. Well, let's just, but let's put those two on the. If you are, I mean, and then anything related to issues, we have endpoints that, you know, I would have to check what the endpoint does, but we can certainly, the language declared is available. The language source proportion, it's a given of API call.

So that's why they appear in both lists, right, and then there needs to be a metric made for the CII best practice, best practice badge, because it's already completed in Augur, yeah.

Look, look at the metrics. I was just curious if you guys had any plans to look at, like, mean time to repair CVEs identified for an open-source project. So from the time that the vulnerability's identified to the time that the project's repaired. I didn't know, was that, that's not a metric to come by, but I didn't know if you guys had plans to look at that. The.

The issue open age is kind of our proxy for that. So again, source, when someone opens an issue, how long it takes that issue to get closed is a proxy for mean time to repair. I think the question is: are there, are there things that open source projects that have to be repaired but never make it to an issue? I think so, and.

Yeah, we are Dependabot, and we use it, keeps our requirements files and everything up to date, like any security vulnerabilities that make it to GitHub, we immediately get a pull request. We get a, get over, you gives us, I think it does open an issue, yeah. It opens an issue and then it gives me a button I can click to create a pull request to fix that, yeah. And yeah, you, usually it's not, usually it's just literally updating one line in a required library file, right.

Me for the next meeting: let's, I'll take a look at, we can look at what might be available for that. Okay, for that comment, and we could talk about this next time, yeah.