From YouTube: CHAOSS Risk Working Group Meeting July 6, 2023
Description
Meeting summary is here: https://chaoss.discourse.group/t/risk-working-group-meeting-summary-july-6-2023/204
Meeting minutes are here: https://docs.google.com/document/d/1iqIMpLBwuKSnE0BbQTgbsb9Im87IoN7IUzukochClCw/edit?pli=1#heading=h.2q7ur1fn5iul
A
Putting captions on now, because you have to do that too. And so, good to see you, Kate. Gary, good to see you again. Hey there, hey there, Sophie, of course. So there's a few things we were talking about last time. I don't know where your item is in the agenda, Sophia, or if there's anything else that folks want to talk about. I wanted to bring up the OpenSSF risk dashboard effort, because that was brought to our attention by David Wheeler in the last meeting, and I know some of us are like, I've signed up to participate in that discussion, and I think Sophie is already participating in that discussion.
B
That's okay, it's two Fridays from now. Not this Friday but the following Friday, the one that I can't attend, they've set up a four hour meeting to basically use it as a working session to dig into all the details. So the background is: David put together a mock-up and was like, is this what you want? How do we iterate on this?

B
How do we design this for the right people? And then I missed a couple meetings, and I came back and they had brought in someone to actually do a user journey study and interview a bunch of people and say: how would you use this? What are you looking for? Trying to identify personas and use cases and how that would align. So, much more of a UX and design driven approach to building something like this, yeah.

B
They have been presenting the findings from those discussions and starting to sketch out what a design or approach would be, but then, at the end of the last meeting, there was sort of commentary around this isn't moving fast enough and they're expecting to see something coming out of it. And so the proposal was to set up a four hour meeting instead of one hour, which is usually the cadence, to basically work the mock-up based on the feedback and the things that we have.

B
I think that the goals are still a little bit murky, because they're trying to get something done quickly, and I think they did that approach, and then they did the design approach, and something in the middle is going to happen. But I just want to let you know that's what you're walking into and that's why it's so long; they're usually only an hour long.

B
I'm glad you'll be there, because I'll be at FOSSY, so I won't be able to participate, and I think we need someone with a metrics brain in there, because it was myself and Christine Abernathy that have at least some exposure to CHAOSS and metrics and stuff like that, and then David. But then it's other folks from the OpenSSF, so I think someone who's thinking more about application of metrics in practice would be functionally relevant to that conversation.

B
Just because there were some things that hadn't been considered, like looking at the metric trending over time and how that would be implemented in a dashboard. So yeah, I think they're gonna make something. It seems to still be very security oriented, with acknowledgment that they need to look at some other factors that are more community and population related.

B
You might get a little bit squeamish when you look at how they've actually started defining metrics. So I'm looking forward to other CHAOSS folks participating.
B
They haven't even selected metrics yet. So in the mock-up, Michael, who's been leading the design or sort of the research discussions, has suggested a few ideas or metrics concepts, not even specific metrics. So they haven't even gotten to the specific metric or definition yet. So I think that's where we could be most helpful, I think, just to say these are things that we already have, they've already been defined, and so we know it's possible. And so I think it sounds like they're almost there, but unfortunately I can't attend.

A
I'll be able to be there for a part of it, but I don't know if I can do four hours, because it's the day before my mom's 80th birthday celebration that I'm co-organizing with my siblings, and I'll be in Wisconsin. So, all right! Well, I don't know if I can drop four hours in the middle of the day and survive my family, but I'll do what I can.

A
I think everyone, if you don't know, metrics models are basically the grouping of metrics that are often used together by some practitioner in a way that makes sense. So most of our metrics models have arisen from how people look at collections of metrics together, and we try to keep it around five, give or take, metrics at the most in any given metrics model, just because we've tried it with more and it tends to get unwieldy.

A
These are the thoughts that we had last time around: well, what would be the introductory risk metrics models? And so the first one we discussed was how transparent a project is, and there are some sort of comments around there, and this would be a metric that doesn't exist yet, as far as I know. I mean, I can't claim to have committed all CHAOSS metrics to memory, but I'm pretty sure we have not created one about project transparency.

A
What we're talking about here, I think, is when companies decide to open source their project and then make it closed source. So I guess that particular little metric in there is: we discussed that as transparency and how it poses risk, and we're not sure how to measure that. I do think we have a release frequency metric, and I do think we have documentation oriented metrics.
B
So yeah, I think just to kind of explain this one. I agree with you, Kate, that there's sort of a few contexts on how we can think about transparency, and so we were trying to essentially suggest a few, depending on the nature of the project. Like maybe one would be, again, like documentation: is your governance model public, and sort of like, how do you make decisions in a project, and is all of that public?

C
So I would basically say that the risk that's there is the contribution policy: are you signing effectively a CLA such that the things are aggregated inside that account, so a company could basically take control of it, or are you basically letting people retain their copyrights? Because the copyright stuff de-risks, in my mind; basically, people retaining their own copyright, to me, distributed copyright, de-risks the licensing changing out from underneath you, because things going private again inside an organization is a function of, you know, do they have the power with their copyrights and the licensing to do so?

A
This risk isn't moving; it is a fast-moving ecosystem.

B
Here, because I was thinking about this from sort of the prominent use case of a license change, and the move that we see with a couple of organizations going to SSPL, which isn't a recognized open source license. But in the most recent case, I'm thinking about RHEL (we're in a recorded call, but it's a public event), what they did to essentially restrict their source code to paying customers only versus releasing it. But so far as it's been described, they're not in infringement of GPL, because they'll still submit their patches upstream, or I...

B
...guess initial changes upstream, or whatever. Like, I need to know the specifics of these licenses better, but from what I've read it seems like it isn't infringing upon the license, but there definitely seem to be things that are breaking as a result of it. And so that, in spirit, is the same sort of thing: taking something and closing the source, in a way, versus having that totally public source. But I think that's... it is a slightly nuanced thing, because it's not changing the license. It's just making the source code unavailable.

C
Well, it's not the source code, per se; the source code is still available with all the upstream projects. What's missing is the aggregation that they've done, yes, and that's where they've added value, okay. And so, basically, you know, I have not had a chance to study it. I have been traveling and I catch it across the feed and go, oh, that's going to make things interesting for a bit.

A
So what they've done is they're using a GPL project and they've added something to it? I guess I'm a little bit confused, because I thought that if I was using GPL and I modified it, I had to contribute that back upstream.

B
But I'm just thinking about it in terms of how we're setting up this metric. I don't even know, maybe this is a test case: what would have been the best indicator that something like that could have happened? And I think I keep coming back to Elephant Factor in terms of company control, in terms...

C
...of how many people. Yeah, I'm lining up with you there. It's a function of who has control, and I'd say, just, the more people that the control is distributed to, the lower the risk.
B
I agree, and so the other ones that we mentioned, that we talked about, could be suggestions for a deeper dive on this if you're very concerned or want to do something more robust. But I think if we need something that's a lightweight, single thing to point to, that would be what I'm gravitating toward.

C
The code is open source and they're keeping it open source. What they're doing, though, is they basically add patches. They curate, they lock in certain versions and everything else. So all the upstreams are still open source, but the instance that they're shipping may have certain patches applied to it, to fix bugs usually, and the question is what's happening there.

C
You know, best practice is, as soon as you apply it in your own thing, you want to put it upstream, so you don't have to keep maintaining those patches, right. They're saying they're going to do it, but it's happening at a different pace.

C
So it's a question of time scales, and, you know, what they're making available when. And like I say, I really haven't studied it in detail, but they add value, and that's why people are using them, and they're making all the stuff available to their customers, and everything will eventually be upstream. It's just a question of what time frame. Does that match your understanding, Sofia?

B
So I'm actually curious now if this is going to happen with other distros like OpenShift, which in theory has a similar model, except they've been lumping a lot more stuff into it. So it's not just one project anymore; it's not just a distribution of Kubernetes. It includes little things from the rest of the CNCF portfolio to offer more of a platform-based tool. But they've always generally kept OpenShift in an available format, because that has been their model of operation, and so I feel like it's...

A
This is sort of, like, mind-blowing for me.

C
Transparency also gets into the whole dependency information. You know, do you have everything you need to build it, is it reproducible? You know, I think there's other dimensions, and I'd be curious to hear what Dave Wheeler's perspective is on what transparency is, too.

A
So I guess some of what we just talked about gets to this whole point here about trying to assess this openness versus full openness, and the Elephant Factor. So is there, like, I guess, it sounds like Elephant Factor is a component of this, like it kind of comes into the foreground then, right?

C
Yeah, the review and approver list, and, like I say, does it need to go through a CLA, like, sorry, does it need to go through some sort of contributor agreement before it gets accepted into the code base? And, you know, is the final decision basically a corporation, or is it a community member that's making those decisions?

C
Is the policy visible? That's part of transparency too. Is it very clear how your contributions get accepted if you are not the organization, you know, if it's an organization that controls the main part of the code?

B
Well, I think it still fits under transparent governance. I think what we're talking about, and I guess coming back to the original question, is we're trying to describe this in general for cases that apply to both community-led and company-led projects. So in the case of a company-led project, then that's again like how you would get more visibility on the company's specific controls that could lead to more community-led versus company-led.
C
Like, so another example is Yocto, which was very much a company-led project by Intel at one point, and we've transitioned it over time to be much more community-led now. And, you know, the corporations have shifting priorities, right, and shifting strategies, and so the question is how resistant, you know, how much can the... which is Elephant Factor. How much can the project survive without, you know, if a company's strategy shifts, can the project still survive?

A
Yeah, I'm just trying to think through how to make these. This is a metric: Elephant Factor is a metric. So that's something that we can actually point to, along with some of these other items under here.

B
Well, I see the sort of specifics in contribution and control as like a sub-component of Elephant Factor, because you're looking at the percentage of contribution by one company. Then, if you're defining contribution as commits or PRs or reviewers, you're basically doing that. It's just, more, again, like, if you have a high... I guess you want a low Elephant Factor... if it's a small number of firms, or like, say, one, then that might be a case to review it from that lens. Or maybe, again, it's up to your risk.

D
Yeah, I think that there's got to be some room for interpretation, because I feel like it might be hitting bedrock to say that you can create a profile of a given company having such and such kind of reputation based on these metrics. It's very much based on governance policies they've made, or how they've changed a license, or something like that.

D
Those events would give an indication that if an Elephant Factor is very high and a specific company is one of the elephants, right, like, you might want to consider that differently if you're at one firm versus another. Even, like, there's a lot of angles to how you view a company in your risk profile, and I'm not sure that that's worth trying to specifically pinpoint, because it could be something that's so highly specific to your application or your team.

B
It does, and I think you could always go further. So I feel like I like coming back to this sort of: do you have XYZ documentation public, and what's the Elephant Factor, as sort of the main indicators. Yeah, and then after that you should probably know what that company is, if it's one, and then you take that in your own contextual direction.

B
Actually, skip to the next one and we'll come back to the start, to be honest, because I want to get Kate's opinion on this. Because we poked David, and it sounds like there's another paper coming, which we'll see when that happens.

B
But we were coming back to this idea of trying to figure out how to look at a project or package in relation to the ecosystem, as sort of part of an understanding of what it is. And we talked about the census report as one method for sort of scoring relevance or usage, based on the criteria that were outlined by those researchers.
B
And then this is the rabbit hole I went down: I found another paper that was looking at the npm package manager and looking at network robustness, and basically started testing the impact of removing a certain amount of nodes, and the connectedness of the nodes, on whether or not you were going to have failure in that one portion or across the entire project. So, basically, looking at the correlation of failure in specific nodes to functionality, or, I guess, what they had is...

B
The terminology was a little odd, and I was trying to put it in both, like, because there's research terms and math terms, but they're also talking about technical things, and some of the language overlaps in a funky way, and it's not the same thing. So I apologize, I'm struggling to talk about it, but I thought it was an interesting approach. And the more that I was reading, I was like, I...

B
...don't think that people can just do this, like, off the cuff, and so maybe this shouldn't be what we recommend. But I was basically just trying to find if there were existing mechanisms that people have looked at for sort of the role in the ecosystem, and this is one of the ones that came up, at least from a dependency perspective. And it also relied a lot on PageRank, and looking at the methodology behind PageRank as a way to rate connections within an ecosystem.

B
I guess what I was circling around is, I'm not really sure if we can recommend a metric for this, and that I think there are definitely considerations that you should have. But to be able to do this type of analysis for everything that you're considering just seems a bit cumbersome.

B
Actually, that paper goes into it a bit. They looked at it for a 10-year period, which I thought was fun, and so they looked at the evolution of adding and removing dependencies. And actually the number of dependencies is capping a bit, like it was growing more and now it's slowing down, but they tried to look at the evolution of it as well. It's not a very long paper, but it took me a while to read because of, again, the aforementioned terminology and tech overlap.

C
Well, like I say, what it meant to me is it's very much a packaging ecosystem thing. I thought your comment that things are starting to plateau, I found very fascinating. I think that's a growing awareness of the fact that having lots of dependencies, trimming it down, is important for reducing the attack surface on the security side, yeah.

C
So the question, well, so in some senses the ecosystem criticality score is, in some senses, like, you know, how much is it really pulling in from a dependency? What's your attack surface potential, to me, and can we basically do something about, you know, if it's got a very large, you know, the smaller number of dependencies, I...

B
They're just public data sets on BigQuery, and I don't have a BigQuery budget because I work at Google. I guess I shouldn't say that out loud, but I don't think that's...

B
So I guess for the ecosystem piece, because we have our dependency metrics, but I feel like the more that we're talking about it in this context, we might have meant something broader by ecosystem. And I think we come back to dependencies as like a volume or some sort of magnitude problem, where I almost think that the more we were talking about it, the sort of interplay between the project and the company is also part of that ecosystem conversation. Like, I think it's like...

B
If this is a project coming out of Red Hat, then to me that has a different flavor or role in the market than a project like Python, that's a language and community-led. Like, again, I guess you couldn't correlate languages to anything else, but I just think that there is nuance. Like, besides asking people to define what it is in the ecosystem, like, that's not really what metrics do, versus measuring it.
A
I mean, I think dependencies, anytime that you're reliant on a package manager to understand the dependencies, and usually we are, I think it gets pretty messy very quickly.

A
If you've jumped in on a discussion about a metrics model that we're talking about developing for the Risk Working Group, or as part of our work in the Risk Working Group, you can hear the things we were talking about, and if you have any thoughts on dependencies and how they might relate to providing an introductory model of risk...

E
Yeah, I listened to a lot of the discussion, but dependency, I haven't thought about that yet.

B
I guess maybe I don't want to put you on the spot, but I sort of do, because I feel like I get stuck in my own head and world a lot. So I feel like, if you heard the term ecosystem criticality, do you have any sort of immediate reactions or, like, thoughts on what that would mean for you in the case of evaluating a package or a project?

B
I think that's a fair reaction. There are actually multiple schools of thought across the research community as to how to actually define open source ecosystem, so that's a fairly relevant question to date. There are some that have looked at specific ecosystems, say within a foundation or, like, a defined community like the Python Foundation, the Apache Foundation, and looking at the interplay of community, project and collaboration happening in these spaces as sort of an ecosystem.

B
But there are others that are looking at open source ecosystems more broadly and using the definition from biology, that is sort of the definition of a living system, and has the ecological and biological components, as well as the concrete things. I'm just doing this really poorly right now, honestly, but essentially that it's not a stagnant system; it has living and evolving things in it that interact and interplay with each other. And so, in this particular thought, we were thinking about ecosystem to the broadest definition, but recognize that, I think...

B
It's really valid, feel free to say that, Victor, because I think, again, I get stuck in my own little world, where all the people around me talk about open source ecosystem, so, like, why wouldn't the rest of the world? But maybe then that term itself, Sean, we need to find something that's a little bit more... yeah.

B
Or maybe that'll help us narrow down what we should be looking at in terms of ecosystem. Like, I think when we originally talked about it, it was sort of trying to conceptualize the role of a project to the world of open source users, which is again incredibly broad and diverse. So I guess, if we look at an example like Linux versus Python, like, they serve different purposes.

B
They have different users, they have different roles in the technology stack, different communities, different types of projects that work with them. And so, like, I would say both of them are integral to their own communities, but maybe because they're so broad, like, that isn't the actual mesh we need. What we need is: some random package or version of something that we want to know, is this something that is going to be easily disrupted by another alternative in the market, and people will drop it and pick up something else?

B
I think, like, looking at the evolution of service meshes in the cloud native space, I think, I know, so... I feel like, to maybe narrow ecosystem, we could try to say within the technical sphere, maybe an awkward word, that's not even a good name for it, like a segment, or a tech segment, or infrastructure. It's like, how would you define a language versus an operating system versus a, like... is that a segment to you? Is that... it's not really industry.
E
So, yeah, so for me, Amazon has a first mover advantage in the public cloud. In a different sense, Google is strong in the description of that, so I think Google has done a great job building a really open source ecosystem.

E
So there's also, like, surrounding small animals trying to live together and then trying to help each other. So I think, yes, also, so still, a pumpkin like Google, and then later on IBM and everyone joined. So that's an ecosystem. That's basically building a system, an ecosystem so vast and so attractive to everybody, including the users who are not necessarily part of the ecosystem, to use this ecosystem, because that made Amazon have to basically join the whole open...

E
...plate, right. So that's a view of that ecosystem. So, okay.

B
Well, I think he was describing sort of his view of ecosystems. Like, I do agree that, I think, companies can be sort of the central player in an ecosystem as much as projects can. At least that's kind of how I was interpreting where you were going with that, Victor. We lost you again.

B
Yeah, I actually have a thing in mind that I'm trying to find, because I think it actually does both of the things, in terms of showcasing popular projects and frameworks as an ecosystem, as well as sort of the proprietary and vendor relationship to the ecosystem. Because I think what we're struggling with in general is, if we want to limit the ecosystem to something that is measurable, then we have to basically write that descriptively and without getting stuck in sort of a language that doesn't make sense in all contexts.

B
I agree, Victor, that I think that looking at companies, well, there's definitely an ecosystem effect of large players, from both what they've released as well as, like, I think, for me, it was always thinking about, like, the VMware ecosystem and looking at all of the products that worked with it and grew around it. And I think Linux kind of has had the same phenomena.

B
I'm sorry, I can't find this. I'm gonna find this one. Okay, I'm basically trying to find a Stack Overflow survey that actually showed the technology overlap of user respondents, and it essentially showed a natural grouping of technology classes and ecosystems, like the Node.js ecosystem versus the Python ecosystem and all the analytics tools that kind of grew up around Python. And I kind of like the way that it did that, and I...

B
I can try to see if there's an existing model. I think that the challenge inherently here is that, as we said with the comment on dependencies, it's always changing.

B
I was a market analyst evolving market categories and groupings and relationships, as defined by the nature of the product offering. So I was looking at, like, products as they were defined by vendors and then looking at sort of permutations and groupings around similar product functionality. Like, one example would be the DCIM market, which was the data center infrastructure monitoring tool set, which was a variety of things that were basically built around telemetry in a data center, but the functionality was incredibly broad, because you had supply chain monitoring tools to how-hot-is-my-rack tools, and they all kind of fit in this place, because it ended up being a combination of monitoring, inventory management, process control and a whole bunch of other things.

B
So, in terms of, say, looking at and defining that space, it was always moving because of what people offered, in a way that, like, if we try to do this to open source, I don't know if that's going to be a fruitful exercise. But I don't know, I feel like I'm struggling to even know how to limit this into a metric. So maybe it's something that we chew on and say, I think there's value in here, but I don't know how we would actually define it.
E
Maybe we can really use the analogies even further. I think there's things that probably won't need to be out of scope, like politics, right, relationships. So, just from an economics point of view, just like a company, right. So when does the company... what kind of metrics or symptoms do you see when the company is going to make major decisions that are going to have an impact on the ecosystem, right? So, just like a big animal.

E
If it has, like, a big fish, right, he has a lot of small fish surrounding him, and if he's benefiting from that, you know, getting all the surrounding, whatever nutrition you need, to really have a better life, then everything is cool. Just like a company, you know, when he's in the open source system making all the good money, all the stuff he's contributing is coming back and benefiting the company itself.

E
Everything is cool, but when a company starts to realize that it's more beneficial for him to eat the small fish beside him and then basically destroy the ecosystem, meaning that he's also... so, for example, an indicator is the company's, you know, revenue is not growing as much as expected. He might need to do something to, you know, earn more money, by even damaging the ecosystem, and that probably will... it will do that. So things like that could be indicators or metrics for...

B
Yeah, I love it, Victor, and it just blew it up in my head more, where I was like, you have to count politics. Not that that's, like, a PC topic for this forum, but just thinking about the geopolitical influence on open source right now, it's pretty major in terms of, say, separating out China-specific ecosystems because of concern from Western companies. Not to say that there aren't working and productive collaborative relationships at the community level, but the companies, they have their own political arena...

B
...that they're fighting with, from a regulatory and from a political aspect, that are influencing their decisions on what to do, what to adopt and who to work with. And we're seeing that explicitly in things like funding and sponsorship for specific countries right now, especially with conflicts going on. And at a certain point, like, we shouldn't have politics in a metric, but they do directly impact open source ecosystems, because people live in these worlds and are subject to these conflicts and these regulations.

B
So, oh my gosh, Sean, I almost, like, want to go full blitz, and instead of a metric, maybe we just have, like... and just as Victor was talking, I was seeing, like, a big undersea environment with fish in it and plants, and it's like, I don't know, I don't know how we can do this. Yeah, I don't know how to define this, Sean. Maybe we've picked something too big.

A
Yeah, I think I'm just going to make a note, another time anyway: a large undersea environment. You...

A
Yeah, I'm using CHAOSS data a lot right now to try to find these things. Dependencies is one; companies and individuals are another dimension. Yeah, it's finding the information and finding the things that seem to go together, not only in deployment and dependency, but, you know, how do things flow? You know, what are the marketplaces within this ecosystem?

A
You know, I think there's probably multiple ways to think about segmenting open source that contribute to whatever the market... whatever the, what's the word, segments in the market are.
B
Linux kernel versus a language, like, I'm assuming that there's some sort of technical or experience based compatibility. But then the question is, people that contribute to open source are most likely working on more than one project, potentially, and sort of how there's surveys that indicate that selection is very much based on more of, like, a community fit or an interest fit versus, say, like, a technical fit or functional fit.

B
Indeed, so yeah, there's always sort of the OpenShift and Bitergia analysis that happened. I think it was Brian and Miguel might have worked on it from Bitergia, but they had also done it earlier, where they're looking at the people overlap across the CNCF and OpenShift, and basically looking at the sort of the people that were working on things.

B
But if you look at sort of the CNCF, that is sort of a group of related technologies, so then you have the sort of functional relationship between the projects, but then underneath it there's sort of the community relationship. And so there's sort of the assumption that functionally you might work on these projects because there's alignment or dependency or interaction.

B
Are they coming together because of the functional comparison? And I think in my former market research days we only looked at the functional side of things, where now I'm curious to know, can we demonstrate that there is something else, from the community and social component, that drives more interconnection between these things, that can make them more of, like, a connected ecosystem versus a disparate ecosystem, because of the social community connections versus just the functional connections in the technology?

A
I mean, we do know, like, I did a paper in 2016 where we showed that people follow popular people; people follow users, like users who are followed a lot or starred a lot. If those people go to a new project, a lot of... not a lot, but some people will follow them. Like, if I go to a new project, maybe nobody follows me, but the people at the top of the rank on the platform, they do have people who follow them to new projects.

E
And that, definitely, people groups or clusters, starting from, like, the PayPal... I forgot what it's called, PayPal Mafia, I think it's called, you don't ask.

E
You know, the part of the PayPal, again, Mafia, and then, so, in that, yeah, even just in the past several months, I see that many of the projects, you can see that they started as everybody working on the same project, and so, for example, venture capital investment in one product, and then everybody started grouping, you know, clustered into one company sometimes, and that's also not very healthy sometimes.

E
I think it's okay, yeah! It's, what is called, Elon Musk is one also; they're very popular, the PayPal founders. So it is, yeah, yeah, they're successful, they're all coming from that one organization and started out to just, you know, found many, many other companies.

B
Yes, well, just that the transparency and interplay between community, people and company, it seems to also be coming into this sort of ecosystem metric. So maybe we use that section for providing more clarity on it, versus this actually being a metric, because I think this is such a, like... risk is always going to be such a big thing.

B
That is so contextually specific, and you could always look at more things, and so I think, perhaps, the ecosystem is just sort of a discussion on how to fine-tune the other metrics that we suggest.

B
One thought, thank...