►
From YouTube: CHAOSS.Risk.WG.Sept.10.2020
Description
CHAOSS.Risk.WG.Sept.10.2020
A
So
the
risk
question
that
we
were
taking
a
look
at
in
dni
was
with
was
in
relation
to
dem
speaker,
demographics
and
attendee
demographics
and
just
trying
to
point
organizers,
event
organizers
to
some
standard
language
around
the
ethics
of
of
how
to
handle
that
data.
And
so
surprisingly,
it
sounds
like
sophia.
Maybe
didn't
find
something,
and
nobody.
B
C
A
C
B
D
I
thought
that
was
kind
of
a
nice
like
if
we
didn't
want
to
suggest
anything
to
say,
point
to
an
established
process
and
say
here's
just
basically
what
you
should
consider
before
you
collect
information.
But
again
it's
like
it's,
not
it's
not
the
same
case
at
all.
It's
just.
I
liked
it
as
a
starting
template
and
it's
the
language
is
very
broad
because
it
is
applying
to
both
data
collection
and
scientific
experiments
that
might
include
bio
specimens.
So
it's
not
just
collection
of
your
data.
D
It
could
be
collection
of
your
cells,
because
this
is
all
research,
so
it's
kind
of
fun
to
see
that
language
in
there.
But
it's
again
I
think,
there's
a
lot
to
build
on
so
ideally,
ideally
it
wouldn't
be
recolly
reinventing
the
wheel.
I
think
the
one
the
think
I
wanted
to
bring
up
from
the
other
meeting
is.
I
did
notice
in
the
dni
working
group
page
on
github.
D
It
says
explicitly
that
this
task
will
not
address
data
collection
ethics,
so
we
do
state
that
so
we're
not
at
least
we're
not
like
we've
kind
of
like
paved
the
way
to
not
be
held
liable
for
any
of
this,
because
we've
actively
claimed
we're
not
addressing
it.
Yet
that
doesn't
mean
we
shouldn't,
but
I
don't
know
if
necessarily
where
the
right
project
goes.
Looking
through
the
open
demographics
site,
that's
linked
to
it.
That's
I
guess
we're
referring
to
and
they
have
a
section
on
ethics.
D
So
I
I
don't
know
like
I
I
would
be
curious
to
maybe
I
don't
know
if
I
know
anyone
on
it.
I
can
look
into
that
and
just
see
if
that's
something
that
they
started
working
on
already,
because
I
think
ideally
it
would
be
a
collaborative
effort
across
many
different
open
source
organizations,
because
it's
something
that
we
all
care
about.
E
Yeah,
it's
and
I
I
wonder
if
there
is,
I
feel
like
we
talked
about
this
in
the
main
meeting.
There
must
be
some
open
source
project
that
has
considered
what
its
data
collection,
ethics
are
and
and
posted
it
david.
I
don't
know
if
the
linux
foundation
has
thought
about
that
at
all.
What
about
data
collection,
dna
collection,
ethics,
like
what
do
we
store?
What
don't
we
store?
Yes,
there's
a
legal
compliance
component.
F
C
Yay,
okay,
so
all
right,
so,
first
of
all,
there
are
some
things
I
I
mean
a
lot
of.
It
gets
pulled
into
the
the
legal
side
here
and
to
be
fair,
I
think
legal
is
actually
probably
a
little
bit
misleading
because
you
know
mike
dolan
and
stephenslow
are
interested,
not
just
in
you
know.
What
can?
How
close
can
we
get
but
they're
they're
generally
trying
to
keep
things
on
the
straight
and
narrow
far
away
from
wow?
C
You
know
how
close
can
we
get
before
we
break
the
law
yeah,
so
I
think
you're
going
to
immediately
see
there
is
indeed
a
policy
involving
privacy.
There's.
A
related
policy
involving
specifically
was
a
telemetry
data,
because
that's
where
some
of
this
really
shows
up
in
spades
is
when
software
starts
monitoring
itself,
which
and
then
self-reporting
back,
that's
a
particularly
concerning
case,
and
so
they
we
have.
The
linux
foundation.
Has
you
know
gdpr
things
and
so
on
so
yeah.
F
C
C
One
thing
I
should
note
is
that
the
open
ssf
I
mean
they
have
in
theory
established
working
groups,
but
they're
still
writing
up
what
scope
they're
actually
have
so
like
the
developer
id
is
talking
about.
Well,
maybe
we
broaden
our
scope
radically
and
change
it,
and
so
they're
still
figuring
out
kind
of
what
they're
be
they're
doing,
but
it
seems
like
it
could
be
related.
C
D
C
E
C
C
E
So
our
goals
are
right
now
focused
on
I.
I
would
not
sure
how
to
put
this,
but
looking
at
sort
of
developer
flow
and
approval
and
using
tags
to
try
to
start
to
assess
the
process
in
projects
to
understand
the
degree
or
extent
of
quality
that
is
is
present
or
identifiable
from
the
trace
data
that
that
can
be
drawn
from
the
artifacts
that
are
left
behind
in
the
process.
E
F
Can
I
let
me
try
to
up
level
it
and
see
if
I
can
do
it
right?
Basically,
this
group
is
trying
to
focus
on
identifying
elements
that
could
be
used
for
doing
risk
and
assessment
of
project
health
as
well
as
you
know,
can
you
trust
this
project?
Does
it
have
certain
things?
Are
there
indicators
that
we
can
find
from
the
data
that
are
risk,
and
so
we've
a
set
of
metrics
have
already
been
defined,
one
of
which
is
actually
doesn't
have
a
ci
badge.
C
F
F
Yeah,
it
is
a
defined
metric
and
it
is
so
there's
some
other
areas
around
there
we're
looking
at,
but
what
we're
looking
at
is,
like
you
know,
okay,
if
one
of
the
things
we
started
tackling
a
bit
earlier,
you
know
how:
how
long
does
it
take
for
pull
requests
to
get
satisfied?
Is
a
community
responsive
things
like
that?
F
E
How
is
that
gone?
That
was?
This
is
really
good.
That
was
that's
very
good.
We
also,
we
also
are
concerned
in
about.
We
have
a
scope
that
is
broader
than
that.
That
includes
looking
at
tests,
testing
and
test
coverage
kinds
of
metrics,
as
well
as
have
already
get
released
and
have
tools
that
give
us
some
really
good
licensing
metrics,
so
legal
risk
is
covered.
I
think
I
think
this
flow
is
largely
related
to
wanting
to
understand.
E
I
think,
safety,
critical
systems
and
how
good
their
process
is
because
there's
a
I
suppose
I
don't
know
how
to
say
this,
but
from
kate
and
the
discussions
that
we've
had.
I
think
it's
the
concern
for
safety.
Critical
systems
is
process
as
an
indicator.
It's
not
necessarily
the
only
indicator,
but
it's
a
significant
indicator,
and
I
think
sophia's
interest
is-
is
less
from
a
safety
critical
system
perspective,
but
more
from
a
broader
open
source
health
perspective.
E
E
D
I
mean,
I
think
it.
I
think
the
up
leveling
point
is
it's
all
coming
back
to
things
that
impact
project
health
and
that
if
we
look
at
it
from
a
risk
lens,
how
do
we
reduce
that
to
ensure
the
project
continues
to
run
smoothly,
continues
to
grow
and
continues
to
mature
and
things
that
might
interfere
with?
That
are
things
that
would
slide
on
the
approval
process
or
the
barrier
to
contribute,
because
it
just
takes
too
long
to
get
a
code
contribution
reviewed
and
into
the
system
and
so
by
better
understanding.
D
So
if
we
find
a
way
to
automatically
flag
how
many
people
are
actively
contributing
during
the
chain,
then
maybe
we
can
find
a
way
to
either
reduce
the
process
and
or
proactively
prune
it
so
that
people
aren't
still
sitting
in
approval
chains
when
they're
not
actually
moving
things
along.
If
people
move
around
they
they
contribute,
then
they
move
to
other
parts
of
the
project,
and
that
isn't
an
issue
it's
just.
C
D
D
D
But
if
you
look
at
it
for
individual
repositories,
then
individual
repository
owners
can
have
more
visibility
in
what's
happening
within
their
subwoofer,
so
that
was
probably
the
most
structured
part
of
it.
After
that,
this
suggestion
was
like.
Oh,
if
you
have
ideas,
just
put
them
into
the
github
account
sorry
into
the
github
repo
cause.
He's
got
a
github
repo
and
that's
probably
the
best
way
to
just
like
openly
suggest
commenting
feedback
for
anyone
that
might
be
interested.
D
Well,
I
think,
there's
a
lot
of
cloning
that
happens,
yeah
so
like.
If
you
look
at
it
all
of
the
all
of
the
tables
have
the
same
structure
and
they're
all
calling
on
the
same
the
same
apis
and
even
the
company
attribution
is
all
coming
out
of
the
same
json
file.
So
it
looks
like
it's
just
maintaining
the
one
series
of
tables
and
whether
or
not
they
want
to
keep
that
and
then
once
they
have
it,
then
they
replicate
it
across
those
projects.
A
A
C
D
So
I'm
trying
to
serve
as
a
little
bit
of
a
liaison
for
that
effort,
because
I
think
cncf
projects
have
a
lot
of
metrics
that
most
other
projects
do
not.
So,
I
think
they're
less
out
of
the
scope
of
chaos
and
the
sense
of
trying
to
bring
metrics
and
visibility
to
projects
who
don't
have
those
resources
where
they
do,
even
if
the
resource
is
just
one
guy.
D
D
E
E
Yeah
yeah,
I
mean,
and
I
think
I
think
it's
the
irb
is
interesting,
because
it's
really
about
is,
is
the
thing
I'm
doing
going
to
affect
somebody
in
a
negative
way
or
a
positive
way.
So
really
it's
about
protecting
a
research
subject,
and
I
think
this
by
the
same
token,
protecting
someone's
identifiable
information
is
it's
a
similar
responsibility
and
I
think
particularly
social
science,
irbs
ones
that
aren't
grounded
in
medical
irb,
probably
have
some
really
reusable
parts.
D
I
tend
to
agree
I've
also,
through
the
help
of
some
colleagues,
have
been
trying
to
just
get
wind
of
other
organizations
that
are
thinking
about
this.
So,
like
I
found
the
responsible
data
group,
they
are
seemingly
a
non-profit
that
thinks
about
this
information
and
the
responsible
usage
of
data,
but
nothing
focused
specifically
on
our
question
in
terms
of
say,
like
how
open
source
communities
and
projects
collect
information
about
their
user
bases
and
portray
that
information
out
as
as
some
sort
of
summary
aggregate
categorization.
E
D
It
wasn't
even
like
it's
not
even
gdpr,
specifically,
they
just
had
like
a
laundry
list
of
turns
and
expectations
around
what
would
go
into
ethics
and
ethics.
Ethical
considerations,
it's
like.
Basically,
if
you
wanted
a
huge,
comprehensive
dump
over
what
all
the
terminology
and
things
you
should
know
in
this
topic
are,
let
me
see
if
I
can
find
that
and
add
it
to
them.
E
D
C
E
E
E
E
E
There
are
the
I'll
just
is
there
anything
more
that
we
want
to
discuss
right
now,
or
do
we
want
to
just
do
we
want
to
discuss?
Like
is
data
collection?
Ethics
aren't
really
a
metric?
What
do
we?
It's
a
cons?
It's
a
concern
that
came
up
in
the
community
called
it's.
It's
a
risk
that
open
source
projects
you
collect
data
take
on.
F
C
F
I
E
Yeah,
I
mean,
I
think
in
the
case
of
the
badging
program,
which
is
where
this
conversation
originated.
The
the
one
of
the
concerns
is
people
from
underrepresented
populations.
If
there's
a
small
number
of
them
filling
out
a
survey
at
a
medium-sized
conference,
they're,
basically
identifiable
if
they
share
their
their
background,
what
are
their
ways
I
mean?
I
don't
know
how
to
handle
that,
and
I
think
what
sophia
has
been
searching
for
is
precedent
for
how
that
gets
handled.
F
Yeah
when
we
were
having
at
least
plumbers,
we
had
a
buff
about
the
kernel,
stats
and
some
of
the
diversity
stats
in
there,
and
the
question
was
asked
about.
Well,
you
know
you're,
just
a
male,
female
and
well
the
the
challenge.
Is
we
don't
have
ways
for
people
to
self-identify
in
a
way
that
we
they
can
trust
responsibly?
F
It
tends
to
be
a
one-on-one
personal
relationship
perspective,
and
so
you
know
I
know,
there's
a
couple
of
other
well,
you
know
basically
non-binary
sitting
in
in
the
community
participating,
but
we
didn't
have
a
really
good
way
of
including
them
explicitly
and
they're
such
a
small
number
compared
to
the
larger
scale.
Four
thousand
having
one
or
two
doesn't
really
show
up.
You
know
statistic
so
to
speak,
so
it's
a
it
was
something
that
was
talked
about
affair
about
no
good
solution
out
there.
C
F
Yeah,
I
think
that's
getting
into
the
ethics
that
we're
talking
about
here.
The
question
is:
how
do
you
like
you
know?
How
can
you
classify
a
project
in
terms
of
its
responsibility
of
behavior?
I
guess
to
sophia's
point.
I
just
don't
know
if
she's
found
anything
on
this
stuff,
where
you
know,
if
a
project's
busy
collecting
data
about
people,
how
can
they
assert
how
it's
being
handled
and,
what's
being
reported.
F
You
know
and
the
sense
of
you
you're
keeping
it
for
your
own
demographic,
you
know
purposes
and
for
trying
to
improve
certain
characteristics
or
trying
to
do
outreach,
which
are
ethical
in
theory,
practices.
How?
How
do
you
make
sure
that
it's
not
being
it
cannot
be?
You
know
the
information
cannot
be
scraped
and
then
used
for
something.
That's
not.
D
These
are
the
actual
guidelines
that
we're
taking
around
the
consumption,
handling
and
usage
of
the
data,
and
I
think
ethically,
you
need
some
sort
of
privacy
statement,
so
it's
they're
related,
but
not
the
same
thing,
and
so
within
the
scope
of
our
working
group
and
chaos.
Working
groups
are
do
the
metrics
that
we
encourage
focus
on
ethics
or
the
creation
of
a
privacy
policy.
F
D
Yeah,
well,
I
know,
for
the
most
part,
most
most
projects
have
some
statements,
sometimes
at
least
the
ones
that
have
apis
where
you
can
export
the
data
like
at
least
working
with
grammar
labs
and
knowing
the
projects
that
we're
going
to
be
pulling
from.
Most
of
them
do
have
some
sort
of
data
handling
privacy
policy,
at
least
they
the
ones
that
they
do.
We
have
to
put
in
our
own
privacy
statement
internally
for
documentation
to
recognize
that
we're
complying
with
their
handling.
E
I
E
Well-
and
I
think
actually
at
first,
I
thought
sophia
was
being
possibly
too
rigorous.
Thinking
about
it
as
an
irb
concern,
but
in
fact
I
think
there
is
a
desire
for
us
to
have
some
people
in
a
project
have
access
to
the
sensitive
data.
So
they
can
understand
where
the
project
is
at,
but
not
publish.
E
Information
that
we
derive
from
data
that
people
use
to
when
they
share
when
they
fill
out
surveys,
if
it
identifies
people
so
there
are,
there
could
be
a
levels
of
treatment
I
think
which
would
which
does
become
pretty
similar
to
irb,
where,
as
a
researcher,
I
know
the
identities
of
the
people
who,
whose
identities
I
obscure.
When
I
write
about
them,.
F
F
I
D
D
E
F
E
E
We
seem
to
all
have
some
interest
in
this
and
about
a
minute
left,
so
I
could
invite
emma
to
talk
with
us,
the
next
time
that
we
get
together
about
this
and,
if
she's
not
available,
then
we
can
find
you
know
we
meet
every
two
weeks.
I
imagine
we'll
find
some
alignment
she's
in
the
pacific
time
zone
so
this
time
isn't
too
terrible
for
her.
E
E
I'll
I
shouldn't
even
have
my
emails,
not
a
hard
task
with
with
that.
I
think.
Thank
you
all
for
a
really
lively
discussion
of
things
I
didn't
expect.
I
just
I
want
to
mention.
I
do
owe
from
august
sort
of
the
the
provenance
and
the
sourcing
of
the
community
reports
and
how
that
works
and
explaining
that,
and
so
I
will
bring
that
with
me
to
the
next
risk
meeting.
C
C
E
E
So
if
we
decide
to
work
on
it,
then
we
would
put
it
into
it.
We
would
create
the
metric
title
and
then
an
in
progress
tag
and,
and
then
we
have
a
new
status
called
moved
so
like
we
could
start
working
on
this
pii
privacy
practice
metric
and
I'll.
You
know
it
could
end
up
being
more
appropriate
to
a
different
group.
I
don't
know
which
group
that
might
be
other
than
the
common
working
group
so,
but
we
would
still
keep
it.
E
It
gives
us
a
way
to
keep
it
in
here
for
cross-referencing
right,
because
we've
we've
grown
as
a
project
to
having
the
number
of
things
that
we're
working
on
across
working
groups.
We
need
a
way
to
track
that,
for
example,
risk
is
interested
in
certain
things
that
evolution
or
value
have
defined
or
common
has
defined,
and
we
can
just
link
to
their
metric
so
that
right
we
don't.
F
So
one
of
the
yeah
actually
since
we're
looking
at
this
list
right
now
on
the
business
risk.
One
yeah
I'd
be
interested
having
a
bit
of
a
discussion
about
that
and
talking
about
bill
versus
execution
dependencies,
because
that
would
be
useful
for
me
for
some
discussions
that
are
having
on
evolution
of
s.
C
C
Yeah
I
I
I
should
mention
that
one
of
the
reasons
I'm
asking
is
that
I'm
working
with
this
newly
forming
open
source
security
foundation
and
their
interest
there's
a
subgroup
in
there.
That's
interested
it's
it's
badly
named.
They
call
it
security
threats,
but
I
think
they're
really
interested
in
a
security.
Metrics
security
focus
metrics
dashboard
and
I
have
alerted
them
to
the
existence
of
chaos
which
they
were
unaware
of,
and
now
I'm
alerting
you
about
their
existence,
all
right,
I'm
hoping
to
at
least
at
least
be
aware.
C
I
C
This
is
a
very
very
early
we
just
got
announced
so
they're
still
gathering
people
they
just
made
their
mailing
list
they're
still
working
out
some
things,
so
I
want
to
make
sure
that
folks
are
aware
of
each
other.
I
mean
it's
okay,
that
different
groups
do
different
things,
that's
fine
or
maybe
take
different
approaches
on
the
same
thing.
I
just
want
to
make
sure
people
are
aware
of
each
other
yeah.