Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
CHAOSS / Risk Working Group / 9 Sep 2019
CHAOSS / Risk Working Group / 9 Sep 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CHAOSS.Risk.September.9.2019

Description

CHAOSS.Risk.September.9.2019

A

Go ahead, I am gonna, share a link that works and about its some of the work that Matt smelled. It ok, who actually coordinated on this quite a lot of weekend last week and it's it's working on one instance: the varsity, not another they're, exactly the same, so I think it's just a database thing that he's done differently. Okay, but I'll give you this league, this thing's.

B

Not working.

A

For me, and it's the example of just one and I'll share, so you can browse on your own arm, see my screen.

A

Okay, I see it but yep all right. So what Matt's done is for there's a group of 45 or so repos that are part of this effort project and there was a larger group of repos that are in test instance of otter that he's run auger. The auger has bomb over and I in there he's showing a couple of really I think important, interesting pieces of information.

A

One is I counted Forks by week, which this looks to me like he just might be wrong, but maybe he's doing wrong in points I doubt it's that low or he might not. You might not have a repo info. Actually that comes from a table that we might have populated in this database and then there's committers by week, which you can just see the number of people who are committing each week from 2015 through 2019 current time and then he's done a scanner that shows all the different licenses that are declared inside the product.

A

We're looking at with this. So for our tos effort shows, the total number of Forks is 1442 and it shows that its current status is CI, best practices, gold and that that status was last updated in Phoenix nation, February, 16 of 29. That's nice.

C

Yep.

A

There's a nice link to the best practices website which I walk IRAs with the other thing that he's done, that is really great. Is he's created a link for downloading a JSON version of the US bomb itself, so not sure.

A

It's I'm not sure I'm gonna sure difference between just because JSON is a lot work for Firefox.

C

From you just want to show that JSON file well.

A

Yeah but I want to show it made it in Firefox just a much better job.

A

Okay, chrome.

B

Distributive.

A

Law JSON structure, so you can see. So this is the idea to scan and then the idea that repo in our system- and it says total number files license clear- license files. There's 73 percent, license coverage in here and then this is uh weights great and yeah. Okay,.

C

They see.

A

Okay and then there's some license: information I, don't think that what I have right now, yet one who is going to provide a lot inventory of files, I think, but we have. We have a good deal of information about licenses creation packages and other basic s: pom s, P D, X D, that's in this in this file that can be downloaded directly from order.

C

So is that.

B

Is.

C

That a spam is it following s: PDX, it is supposed to be an SP x.

A

S Bob, yes, it is buddy, but one of the things that meant and I discussed- and you just may not have gotten to it. Yet it's including like there's that there was a full file that actually listed everything, including the contents of the package like the directory by directory contents. They see everything except relations, and this is like a lot. So it's I think it's a lot of useful information.

C

Yeah the relationships I, don't think those even need to be there. No, but but.

A

I think- and this is one of the questions that we had for for Jessica and Kate when they were I, missed him last time- is that I think in the conversations I've had with them? We talked about it, including more things but joy to get their feedback, so maybe I'll just send Kate early something both way out of the thing that works and.

C

Go from there I think so too, and I think they're, probably gonna care tremendously about how much.

C

Those specifications I just put in the chat and.

A

This yeah the specifications- these I, don't know the extent to it. I mean miners. Did you you know more than is the intent of the original Chuseok software was to provide a compliant document to these specifications right. So my sort of expectations that that is the case.

C

Yeah, the only reason that wouldn't be the case is if there were kind of changes that were being made to get it to work and auger. I can't imagine how those it'd be related, but there shouldn't be because I mean really literally.

A

There's a database be used as Postgres and it had the json data type so he's literally storing that JSON output from augur s bomb or formerly called designs. Okay,.

B

In.

A

That field, the only thing I can think of, is perhaps he hasn't yet completed. The act of making the entire s bomb, JSON, JSON fide okay and I- would need to talk to Matt about that. Okay, I can talk.

C

To I might see him this afternoon. Yeah yeah share this link with him. This this one's working and I have to talk to him.

A

About can you put that link in me badly yeah, we I had that link. Okay, I, don't like there's a separ is actually a separate instance, but for some reason and it's he.

C

And I just have to talk, I, don't know.

A

Where he's pulling the data from okay, I.

C

Don't I don't know that.

A

Yeah I see I set the pot because I think yeah I'm sure there's just something: someplace he'd put the data and I, don't know where that that is not enough database, where it's expecting it to be so. Okay, we'll figure that out, okay.

C

No, that's cool it's good stuff up there, yeah I hit you, though the forks by week looks funny. When you see fourteen hundred and forty two forks yeah.

A

No.

C

I think I think there's a I.

A

Know where that data comes from and I think a suspect, we just don't have the historical data gathering yeah I can look okay afterwards, the day yeah Matt, Snell and I used to set up a time to sort of figure out. What's going on. There is not working out, except for specific site which talks to a different data basically only got, except for a repose.

C

I'm kind of curious, so if I look at the risk metrics and the release.

C

This is under business, no I'll open factor, committers coverage license count okay, so this license count is in here yep.

A

I think s bomb as far as a metric that we released yeah.

C

Well, so actually license count license coverage licenses declared and Bill of Materials, so you have four of them in here in the in the file that you're showing Doran just in this interface that you're showing right here so I mean like you have license count on this page. Don't you have? We have license coverage license.

A

Declared I don't know, I mean what is license count I think we have an enumeration of all of the declared licenses yeah how many additional licenses did I suppose we could count that number I.

C

Think this is, we had this conversation earlier when I'm going what's the utility of license count, but it's there now is it.

A

Just it's.

C

Not a discrete field, it's just the list right. No, you just be like see that short name under licenses declared yeah. It would be counting those yeah right. That's my bot and then bill material, all right, so um cool.

A

He made a ton of progress and it's it's all in on earth. Now he and I have to first sort out deployment. Stop okay,.

C

So.

A

Like.

C

Why does it work around one and we should probably emit as far as a metric goes, we should probably release, makes me think for the risk for moving forward, articulate on transparency. The best practices tell me more about what you mean by that. Well so like, if I give you this list right here right, the actual metrics.

A

Looks a lot I'm trying to copy the link I'm sure my no longer sharing go.

C

You are still sharing a window. Is it the face? I see your ardor.

C

Everything and not really big cursor, okay.

A

Sorry I was in the wrong. I was also looking at it, but in a different browser and then see the green border around it. So I was like am I sharing so.

C

If we look at this, actually you provide committers mm-hmm, so you're actually hitting committers license count license coverage license, declared yep and then transparency, you actually that's scroll down a little tutorials yeah I was just saying that, looking at your interface to the auger interface or transparency, to go back to the metrics, yeah I think I'm, showing you metrics Dominic. No, no click on the metrics tab up at the top of this browser, this one there you go so under transparency, I think Bill of Materials. We should have CIA badge, no go back, go back.

A

Oh I see we should add.

C

Amen, we should add the CIA pads as isometric I agree for providing transparency like you've already done the work, it's kind of like what dawn is asking you to do with common right, like it's already done so yeah and I actually think we.

A

Have I think is I, think I. Think with the case of badging and I mean we didn't. We wanted to have a Congress I think we have a pretty good I. Remember I! Think we did a draft of it. Okay didn't release it because we hadn't had a chance to talk with date. Is a Dave Walker wheeler wheeler Dave wheeler, and we wanted to every wanted to yeah. We didn't write it out, and but we chose not to write it up, because we wouldn't we weren't able to circle back with Dave before okay before the.

C

Release and that should be a I think this should be on there I'm going to put a note, if you don't mind like put this on the roadmap.

A

Yeah, this should be the if I was to make a list of metrics in that are, should be on the roadmap. Certainly best CIA best practices should be there.

A

Tom, what else do you think like if you're looking at this list are there others that are that you think, would be good to make sure that we have sort of as part of the next release visitors? Don't.

B

Mean there's a lot actually like.

A

Lines of code issue average resolution time. You should open age, maybe issue valiums too. Clearly a lot of.

B

These we can actually already have the.

A

Data for.

B

And there's a lot there: I'd have to go through and look at yeah I.

A

Mean many of them don't have definitions yet, but I think I think we can go through and write out a lot of these.

C

So I mean.

A

I can.

C

You on the Hager roadmap is an awful factor on there.

A

Yeah it you know, on.

C

The on because I'm just thinking I mean if you would be the first working group I, think that would have one-to-one mapping straight correlation between what the work group, what the work group puts forward as metrics and what the tooling can deploy. You know what I mean, which would be fruitful yeah, which would be pretty cool, and then you would add CII, which you already have deployed and then.

C

So just look and see if elephant factors on there in the.

A

Park yeah I'm, looking at it right now, I don't have the word elephant hacker, okay on it, but I think there are places where.

B

When you measure the distribution right essentially, if the work.

A

Yeah I mean there's this group, we have measured elephant factor and I think we haven't deployed it. Yet is yeah elephant factor, others kind of elephant factor.

A

I'm going to add all risk metrics well.

C

That.

A

Would.

C

Also include test coverage.

A

You know the test, gardens and other testing ones. You in terms.

C

Of the test coverage was released by the risk working group in version one of the metrics.

A

Bridge.

A

There's another.

C

One that had tested.

A

It wasn't there hmm maybe.

A

I, don't see anything yeah, I guess code black city is.

A

Just one, but we can actually do that one so.

C

What, in terms of your Shawn, when you're looking at this list for you yeah, are there any and kind of in the augur space that appear to be more deployable than others, yeah.

A

Right so anything related to issues or code or code complexity. We have to finish and lines of code that we're working on that worker right now. That will gather that data. Well, let's just but let's put those two on the. If you are I mean and then anything related to issues, we have endpoints that you know, I would have to check what the endpoint does, but we can certainly the language declared is available. The language source proportion, it's a given of API call.

A

So there's a number of these that can be added, I mean maybe a name when is the next batch of releases or is it cosden yeah? So when does the draft due on that first of the year? Okay, so basically map all these augur. That's right! Yeah.

C

When I would I just in my list and list here, I put three just starting with three so on the the match on the Eiger roadmap is elephant factor and test coverage.

A

Yeah and I hadn't put complexity, cuz that comes for pretty okay. Is there another one that you wanted in there cute well I put lines of code: okay, good! That's! If we get code complexity, we get lines yep.

C

And so I'm thinking, can you see that document the working document you know the Google black air I just put it in the chat again.

A

Yes, okay, so.

C

This is completed in harder yep, and this is metric with no implementation.

A

Yep these three here at the bottom are on our roadmap and then why is it lines of code and code complexity? Actually all the ones are meeting on your list are in that and that go worker that were working on okay,.

C

So I guess the way I'm trying to write this ones is that these ones they're italics yeah. They need to have a metric written form and be deployed in higher right mm-hmm.

C

So that's why they appear in both lists right mmm and then there needs to be a metric made for the CI, a best practice best practice bed, because it's already completed an auger yeah.

A

And there's well there's a we listed it as a metric development. We've done no work on it, so if I was to think of.

A

Is it ready so code, complexity and lines of code are not defined, but they should be and the CII best practices bad should also be in. You know, in the next metrics release, yeah I'm completely the.

C

On board, then, for the version two, it would include three new metrics right, and the hope would be is that all of them are actually deployed in augur. Yeah.

A

It'd.

C

Be cool I think.

A

That's entirely lately: okay,.

C

Wait wait lately, actually all right, I'm, gonna drop off seven meeting at 1:30 yeah I do too tom. Is there anything that you wanted to add today.

B

Look look at the metrics. I was just curious if you guys had any plans to look at like mean time to repair a CDS identified for an open-source project. So from the time that the vulnerabilities identified to the time that the project's repaired I didn't know was that that's not a metric to come by, but I didn't know. If you guys had plans to look at that. The.

A

The issue open age is kind of our proxy for that so again, source when someone opens an issue. How long it takes that issue to get closed is a proxy for mean time to repair. I. Think the question is: are there? Are there things that open source projects that have to be repaired but never make it to an issue, I think so, and.

C

Those are things first, that are external, but that doesn't necessarily point to and publish the owner ability. No right.

A

Right now that yeah, the publishable vulnerabilities.

C

Nice it'd be nice. If the you could do a scan of the issue text to see if there's pointing to the NIST database, you know like somebody's like here. Is the publisher owner ability, know you've been right well and.

A

Github is getting better and better at making vulnerabilities.

A

They.

B

Are and that and I think they ought to open issues now to, depending on the the tool set, you can have the auto open, CBE issues for misc, but I didn't.

A

Yeah we are defended by and we use it keeps our requirements, files and everything up to date, like any security vulnerabilities that make it to github. We immediately get a pull request. We get a get over, you gives us I, think it does open an issue yeah. It opens an issue and then it gives me a button. I can click the Create a pull request to fix that yeah and yeah you. Usually it's not usually it's just literally updating one line in a required library file right.

B

Yeah, it's updating the version.

C

Why don't we clean? Maybe we can cause, we don't think I really have to. We.

B

Have to go yeah, let.

C

Me um for the next meeting: let's I'll take a look at. We can look at what might be available for that. Okay for that comment- and we could talk about this next time- yeah.

A

I, throw.

C

It on the dock kind of the meantime work to repair, okay, cool all right thanks.

A

Sam thanks Matt I will see you to weeks. Yeah, bye, okay, bye.