From YouTube: CHAOSS Risk Working Group 6-24-21
A
You know, there's various criteria, you know, you know. Is there dependability, reliability? Is there any? You know, how flaky is the project? In some ways it's a functionality, and you know, to the extent that we have the reliability aspect kicking in, yeah, okay, that could be coming in from testing. You might be able to add elements of that from testing as well. I don't know, but you know, can you trust it to stay up and do what it says it's going to do?
A
Relevant all respect: just, can you put the link to the slides in here, into the chat, again? Because I came in late, I'm afraid, and then I'll keep an eye, I'll try to help too, while we see if we can get.
F
I'm not sure if this fits in in this slide, but I think that lack of diversity in the contribution team is an issue, because if you have people from underrepresented backgrounds, they're going to be more easily able to identify abuse vectors that could potentially harm users of your software. So I don't know if that fits in here. That's maybe people, maybe under people, just like lack of diversity.
C
Unfortunately, I know no Norwegian, so I have nothing useful to cut reply. I'm excited, yeah, so, okay.
A
But it's also, you know, it's also unique identity aspects, and you.
A
Security, licensing, export, provenance. Provenance is missing because that's not really people, it's more who's had it. It could be people, but.
G
Did you guys see Sean's message in the chat around security, to look at slide eight? Okay, jump to slide eight. Oh okay, which one? I think all of these petals are a little bit more developed.
D
I feel like I still would see compliance as an additional, more than I look at it. I do think that makes the privacy comment a little bit more ambiguous as to which does it sit within. Like, if we're thinking about GDPR compliance, there are strong privacy implications for that, but as well as security, but I would see it as in terms of the body that you're trying to be compliant with, for lack of a better term, and security, or securing the user information.
E
I mean, maybe compliance is compliance with the rules that you are governed by, regardless of domain, and so in the context of GDPR, compliance includes whatever GDPR requires. You can have security outside of compliance. I guess you could have privacy outside of compliance. Yeah, I'm sure you do, yeah.
C
And you can have insecurity and no privacy with compliance. It very much depends on what you're complying, or claim you're complying, to.
C
Critical infrastructure is not a new construct. This goes out.
C
Yeah, if you don't mind, I actually started to jump ahead to slide eight, category of risks, and you know, it's an incredible eye chart. There's no way you can fit that much in a slide, and I didn't see, granted, I can't see all of the slide, I didn't see what to me is the most important risk from a security perspective, which is depending on a version of software with known vulnerabilities. I mean, I would probably, you know, from a security perspective, that's number one.
C
The other ones are awful important too. Depending on your uses, you know, inadequate tests and incompatible licenses are a big deal too, but there's no way you can include everything.
D
So I almost see this as like a two by two, where we have all the categories in the left hand column, and then across the top we could say these are the stakeholders that this would be of greatest importance to, or just like whose number one priority is this, and recognizing the variance across all the categories.
C
Yeah, it's just, there's just no way you're gonna put all this on a slide or two. I think you're gonna have to pick and choose, and I'm very concerned that what to me is the most important is on the slide. So, but I think we're gonna have to pick and choose what are the top things. Like, you know, I would think those risk categories are probably the key things, and maybe a bullet on the right for each one.
C
You know, like for security, you know, does it have known vulnerabilities, and maybe secondarily, are they, you know, adequately tested? Or maybe put that in its own category of quality or reliability.
B
Can you hear me now? Yeah, I can hear you. Okay, I mean, yeah. I said several things in chat, but you know, I tried to decide, you know, if I was concerned. If I tried to do this in a document, I would end up with just another 40 page document that somebody was going to have to navigate, and I was trying to bring it up a level. What I could do between now and the next time we meet is, and what we could, you know.
G
I just think it would be useful here to talk about what the, like, the point of the presentation is, like the argument, and to start there rather than diving into.
C
Okay, so I made a quick attempt. You don't have to accept it, just a shot at it, on slide 11. I have no religion about any of this. Oh good, all right! Well, so, on slide 11, what I did is I just stole a few of the categories, you know, like licensing, I just said security.
C
You know, and just a few questions: what's, you know, major topics, simple questions, who asked those questions, that third column? I think that in many cases multiple people will ask those questions. So maybe we can just say, if you care about X, here's some things you might try to answer to help you answer that high level issue.
C
Instead of trying to make that three columns, and, you know, endless, we've got to find a way to boil this down.
C
And you know, I don't mind matrices, I've created many in my time. But if the goal here is a presentation, then it's just not, that's going to be overwhelming. Yeah.
B
At this point, I mean, ultimately, I think some kind of white paper, obviously some metrics, and a presentation, I think, will be helpful. But yeah, those are my thoughts, are that we have just discussed a lot of things that have become currently very visible, and I think this group has a lot to share but hasn't put it in a communicable form yet. So that's kind of where we're going, at least that's the idea that I have, and if you think we should step back from that idea and lower the ambition level.
G
I still am struggling with, like, what are the broad, the breadth of general learnings, and I think that should be slide two or three. You know, I'm saying, like, we should start with them, and that's a conversation that I think would be valuable for us to have right now.
B
If, and let me share another link, this is, you've seen this before. This is our link that basically lists the software tools, the interested parties, the organizations that are also working on this problem, like OSSF, OWASP, OSS-Fuzz. Google just released deps.dev. There's, obviously, libraries.io that became a company there.
B
So there's been a lot of people working in this space from different perspectives, and we've taken, yes, so, okay, some kind of coherent understanding of all of the things that are related to critical infrastructure risk. Not so much a library, but to try to, because I've seen connections, for example, between test coverage and safety critical systems, and through all of these, dependencies seems to be a very common thread. And there are different dependency technologies, different organizations looking at dependencies that take different perspectives, and I don't think there's a place that sort of explains the strengths and limitations of each perspective. And it takes enough brain power just to be involved in one.
B
So it's kind of, that's. So the goal is, I think, to, you know, the purpose in my head, and maybe somebody can help me out and suggest a better purpose, is to make all of these interconnected things, and you know, artifacts, organizations that people are using to address these concerns, sort of coherent in a general sense. And I'm curious, Michael hasn't said much, but I know you focus on a lot of these.
E
And each sub area is a microcosm of complexity, and it just kind of keeps going down and down. If the goal is kind of a coherent story of, like, you know, zoom out, 50,000 feet or 500 miles, and look at the major ways that different aspects of the ecosystem interrelate with each other, like, I think there's value in that.
E
I think there's value in going down to kind of every level, because I think the biggest problem is that all these things have been created and evolved kind of in isolation. So there's really no, like, it.
E
You're kind of seeing the end product of just natural kind of evolution here. The actual audience for, I would go back to, like, the actual audience. What are they coming with? What do they need to know? Like, what are the three things that they can take away?
C
I have a pitch for you, Michael, because I think you're right, the, hey, you need a short list. So let me, this doesn't mean it's right, but let me throw this on the table here. Number one: increasingly, software is being made of reused components from elsewhere.
C
You know, increasingly, as soon as you open up software, it's in fact mostly from other places. Therefore dependencies matter for almost any -ility, or anything that you care about for software is probably affected by that, because that's what most software is, and CHAOSS is really trying to focus on how to measure this to make decisions.
C
So then the question is: what are the decisions you're trying to make? Presumably you're trying to answer questions like: is this secure enough (security)? Is this safe enough (safety)? Is it reliable enough? Let's talk about testing. And so you end up with, how do I measure this for my dependencies, because they are increasingly impacting the systems I either build or rely on.
C
But I think that, for the purposes of CHAOSS, where they're trying to do measurements, there have been some efforts to try to even just simply measure how many dependencies you have, and I think that has some interest. But I think for most people, whether or not that's 100 or 200, it doesn't matter. What matters is:
C
Is my result secure? And the answer is, well, except for these three, where there's a security disaster, or, you know, from a safety perspective, you can't trust this thing at all, or whatever, you know. So I think you really, you have to end up measuring multiple -ilities, if you will, because most people have multiple -ilities they care about.
E
Other times I may be using something that is not secure, and my result is unsecured. How do I build a trustworthy machine from untrustworthy parts? And I guess: can I measure whether or not I've succeeded in that without setting the bar to, if anything that I use anywhere in my transitive graph has any vulnerabilities, then stop the world, because my thing is vulnerable? Because it's not. How do you?
C
Needing to, well, I think you end up with a combination of both, and now we're getting a security discussion. Whereas, you know, one, you try to devise your software so that a vulnerability is not the end of the world, or a mistake is not the end of the world: hardening and least privilege. And the other part is, and this is where CHAOSS I think comes in, is the.
C
How do I measure what I have so I can force more rapid updates? Because I can turn on that light faster and say: hey, update. Because, you know, if it's a vulnerable component, but wait five minutes and it's updated, maybe that doesn't matter so much. Yep.
E
Yep, yep, and I think the analog for that exists in licensing. So people choose how to integrate. I may be completely wrong in this assertion, but I think that people choose how they integrate with things like GPL components in a way that is compliant with licensing, because they're mitigating licensing risk, you know. So they may choose a different integration story, you know, as a result. Or, you know, or testing.
C
Yeah, and also I would try to word this carefully, because for a lot of people, having a GPL program is, that's great, love it. So, you know, it really depends on both the licenses you're combining and what are you intending to produce and the licensing of that, you know. Oh, I think the majority of TVs have Linux kernels in them. GPL, not a problem.
E
So that actually reminded, so back to the flower diagram on slide two. I think the overlay of this is kind of the evolving threat landscape in each, or sorry, let's just say the evolving world we live in and how things change. You know, there are more attackers doing more interesting things. There's fewer borders. There's a whole bunch of different trajectories that evolve this over time and the importance of each one. So.
E
I did, yeah. Anytime we can use words like landscape, that, no. So, like, you know, let's say, like the move to IoT or just cloud infrastructure, or, you know, things like that, introduce risk in some areas and reduce risk in other areas. Things like, you know, more critical infrastructure using open source software, because that's just how they have to do it, is different than it was 20 years ago.
E
Right, probably. And, you know, testing: there's more of a, you know, micro, you know, very, very small components that get glued together, so the testing is different because there is no end to end until you assemble them all together. So as technology evolves, the relative importance of each of these, and the threats against security or testing or, you know, licensing, changes.
B
Let's get, I, we only have a few minutes left, and I really, I've been so grateful you tolerated my mobileness here, and I think, for me, it's been a very helpful discussion. I hope for you it's oriented some things. In our next session, let's return to developing the metrics that we're here for, and I'll take another shot at this and email it around over the course of the next week, probably in both narrative and PowerPoint form. My one question.
B
Was, it's: is this.
B
Tragically, tragically, lost my thoughts. Oh, I know what my thought was. Here's my question. I've heard a lot of talk lately about the risks of open source software, and in my personal experience and opinion, I don't see it as being any lower or higher than proprietary software, and there seems to be an assumption in the public discourse that it is. And just at a very high level.
B
Right, when we talk about critical infrastructure, is open source really any more vulnerable than proprietary software? Really, I question that. And, but, not if you could stop recording, then people might feel more free to answer.