From YouTube: CHAOSS.Risk.WG.Sept.10.2020
A
So the risk question that we were taking a look at in D&I was with was in relation to dem speaker, demographics and attendee demographics and just trying to point organizers, event organizers to some standard language around the ethics of of how to handle that data. And so surprisingly, it sounds like Sophia. Maybe didn't find something, and nobody.
B
C
A
C
Well, if it's p, if it's personally identifying in person, if it's personal data, then in the you have the European GDPR, you have in the U.S. a number of very specific privacy laws, although in the U.S. it's a little more complicated.
C
D
I found interesting because, like you're reading, all these general processes- that's all coming out of one institution, but at least the language that I was reading was is designed to be more general because it's trying to apply to any type of research so like one that I really liked for this perspective- and I put it in the notes- was the informed consent template?
D
How do I paste this on mm-hmm? Oh sorry, I just did it.
B
D
I thought that was kind of a nice like if we didn't want to suggest anything to say, point to an established process and say here's just basically what you should consider before you collect information. But again it's like it's, not it's not the same case at all. It's just. I liked it as a starting template and it's the language is very broad because it is applying to both data collection and scientific experiments that might include bio specimens. So it's not just collection of your data.
D
It could be collection of your cells, because this is all research, so it's kind of fun to see that language in there. But it's again I think, there's a lot to build on so ideally, ideally it wouldn't be recolly reinventing the wheel. I think the one the think I wanted to bring up from the other meeting is. I did notice in the D&I working group page on GitHub.
D
It says explicitly that this task will not address data collection ethics, so we do state that so we're not at least we're not like we've kind of like paved the way to not be held liable for any of this, because we've actively claimed we're not addressing it. Yet that doesn't mean we shouldn't, but I don't know if necessarily where the right project goes. Looking through the open demographics site, that's linked to it. That's I guess we're referring to and they have a section on ethics.
D
That's currently blank, so it's clear that they think that that's something they might want to accomplish as a group.
D
So I I don't know like I I would be curious to maybe I don't know if I know anyone on it. I can look into that and just see if that's something that they started working on already, because I think ideally it would be a collaborative effort across many different open source organizations, because it's something that we all care about.
E
Yeah, it's and I I wonder if there is, I feel like we talked about this in the main meeting. There must be some open source project that has considered what its data collection, ethics are and and posted it David. I don't know if the Linux Foundation has thought about that at all. What about data collection, dna collection, ethics, like what do we store? What don't we store? Yes, there's a legal compliance component.
F
C
Yay, okay, so all right, so, first of all, there are some things I I mean a lot of. It gets pulled into the the legal side here and to be fair, I think legal is actually probably a little bit misleading because you know Mike Dolan and stephenslow are interested, not just in you know. What can? How close can we get but they're they're generally trying to keep things on the straight and narrow far away from wow?
C
You know how close can we get before we break the law yeah, so I think you're going to immediately see there is indeed a policy involving privacy. There's. A related policy involving specifically was a telemetry data, because that's where some of this really shows up in spades is when software starts monitoring itself, which and then self-reporting back, that's a particularly concerning case, and so they we have. The Linux Foundation. Has you know GDPR things and so on so yeah.
F
But the OpenSSF has actually got that project actually has a whole group working on identity, and it seems to me that that's potentially quite related here in terms of the constraints.
F
E
What what project is that? Is there a link for it?
C
Open Source Security Foundation, yes, but what you really want is the working group for developer identity on GitHub and I'm going to copy and paste that into these little notes. Right here, if I know where I'm putting yes all righty so all right, so I'm gonna stick in as e.
C
C
One thing I should note is that the OpenSSF I mean they have in theory established working groups, but they're still writing up what scope they're actually have so like the developer id is talking about. Well, maybe we broaden our scope radically and change it, and so they're still figuring out kind of what they're be they're doing, but it seems like it could be related.
C
D
C
E
C
C
E
So our goals are right now focused on I. I would not sure how to put this, but looking at sort of developer flow and approval and using tags to try to start to assess the process in projects to understand the degree or extent of quality that is is present or identifiable from the trace data that that can be drawn from the artifacts that are left behind in the process.
E
F
Can I let me try to up level it and see if I can do it right? Basically, this group is trying to focus on identifying elements that could be used for doing risk and assessment of project health as well as you know, can you trust this project? Does it have certain things? Are there indicators that we can find from the data that are risk, and so we've a set of metrics have already been defined, one of which is actually doesn't have a ci badge.
C
F
Because a lot of the things that we were caring about initially have been covered by that in some ways and by sub areas in there. And that is one.
F
Yeah, it is a defined metric and it is so there's some other areas around there we're looking at, but what we're looking at is, like you know, okay, if one of the things we started tackling a bit earlier, you know how: how long does it take for pull requests to get satisfied? Is a community responsive things like that?
F
That was one of the risk metrics that was emerged yeah and now we're sort of looking at you know. How well are they signaling communication between themselves, things like and that's where the tagging is coming in.
E
How is that gone? That was? This is really good. That was that's very good. We also, we also are concerned in about. We have a scope that is broader than that. That includes looking at tests, testing and test coverage kinds of metrics, as well as have already get released and have tools that give us some really good licensing metrics, so legal risk is covered. I think I think this flow is largely related to wanting to understand.
E
I think, safety, critical systems and how good their process is because there's a I suppose I don't know how to say this, but from Kate and the discussions that we've had. I think it's the concern for safety. Critical systems is process as an indicator. It's not necessarily the only indicator, but it's a significant indicator, and I think Sophia's interest is- is less from a safety critical system perspective, but more from a broader open source health perspective.
E
F
Yeah, sometimes open source is higher, it's just. They don't have ways of expressing it yet.
E
D
I mean, I think it. I think the up leveling point is it's all coming back to things that impact project health and that if we look at it from a risk lens, how do we reduce that to ensure the project continues to run smoothly, continues to grow and continues to mature and things that might interfere with? That are things that would slide on the approval process or the barrier to contribute, because it just takes too long to get a code contribution reviewed and into the system and so by better understanding.
D
My my focus I'm trying to solve this, both internally and externally, just to get a better visibility on approval change within projects to potentially identify if there are an excessive number of people involved or if there are people that are on list that are actually doing anything and should be removed and are they're just slowing the project down because they're getting cc'd and not participating.
D
So if we find a way to automatically flag how many people are actively contributing during the chain, then maybe we can find a way to either reduce the process and or proactively prune it so that people aren't still sitting in approval chains when they're not actually moving things along. If people move around they they contribute, then they move to other parts of the project, and that isn't an issue it's just.
D
If the records aren't kept up to date, then that can create lag and frustration and friction in the contribution flow and so we're thinking about it from the perspective of mostly the Kubernetes community, because that's the project, I'm working with the most right now, but I think it's an issue that could expand to more projects and just thinking about it from keeping contributors happy and reducing burnout by not making the contributor flow too cumbersome.
C
Okay, you I I just added a note to another OpenSSF working group, which I I wouldn't be surprised that there's a need for some liaison of some kind, because they're also interested in measuring. Although they're interested in measuring risk for security, specifically.
E
D
Yeah, so I followed that a little bit more turns out. It's one guy and there's no meetings. Oh my god.
E
It's so there's a but there's a bus factor right there.
D
D
But if you look at it for individual repositories, then individual repository owners can have more visibility in what's happening within their subwoofer, so that was probably the most structured part of it. After that, this suggestion was like. Oh, if you have ideas, just put them into the GitHub account sorry into the GitHub repo cause. He's got a GitHub repo and that's probably the best way to just like openly suggest commenting feedback for anyone that might be interested.
D
But it is sounds like it's very unstructured and it's given that a very limited support, then I don't know how quickly it's going to move forward, which is both good and bad because more time to think about it, but also there's only one guy.
D
Well, I think, there's a lot of cloning that happens, yeah so like. If you look at it all of the all of the tables have the same structure and they're all calling on the same the same APIs and even the company attribution is all coming out of the same JSON file. So it looks like it's just maintaining the one series of tables and whether or not they want to keep that and then once they have it, then they replicate it across those projects.
A
A
C
C
It's all right, the it's baptism by fire. I got it yeah yeah.
D
So I'm trying to serve as a little bit of a liaison for that effort, because I think CNCF projects have a lot of metrics that most other projects do not. So, I think they're less out of the scope of CHAOSS and the sense of trying to bring metrics and visibility to projects who don't have those resources where they do, even if the resource is just one guy.
D
But I still wanted to pay attention to what they're working on to see what we can learn from them as a metrics and dashboard solution, as well as how they're being used. So I think that in itself has been interesting.
D
In theory, def stats filters out bots and I know we do for our own data sets as well, so they're usually pretty well identifiable, at least that's the assumption. I don't actually know what that that script looks like okay.
E
So we have some to do on tagging and I mean I don't I mean I think handling like I don't. I don't know that. There's a working group, I I think the when it comes to the PII question. I think it could be considered a matter of risk.
E
E
Yeah yeah, I mean, and I think I think it's the IRB is interesting, because it's really about is, is the thing I'm doing going to affect somebody in a negative way or a positive way. So really it's about protecting a research subject, and I think this by the same token, protecting someone's identifiable information is it's a similar responsibility and I think particularly social science, IRBs ones that aren't grounded in medical IRB, probably have some really reusable parts.
D
I tend to agree I've also, through the help of some colleagues, have been trying to just get wind of other organizations that are thinking about this. So, like I found the responsible data group, they are seemingly a non-profit that thinks about this information and the responsible usage of data, but nothing focused specifically on our question in terms of say, like how open source communities and projects collect information about their user bases and portray that information out as as some sort of summary aggregate categorization.
D
So I'm just trying to to see what we can find in terms of other bodies of people that are thinking about this so potentially starting too broad for anything actionable immediately, but yeah I'm gonna keep asking around, because I seemingly have more people that I thought of that are in my network that care about ethics.
E
D
It wasn't even like it's not even GDPR, specifically, they just had like a laundry list of turns and expectations around what would go into ethics and ethics. Ethical considerations, it's like. Basically, if you wanted a huge, comprehensive dump over what all the terminology and things you should know in this topic are, let me see if I can find that and add it to them.
D
E
D
C
C
These are just general efforts to was related to this group. I think.
E
D
E
Well, probably for people like us who stumble stumble into it on a on a community call and realize it's something we actually have to deal with. If we're going to collect data.
E
E
There are the I'll just is there anything more that we want to discuss right now, or do we want to just do we want to discuss? Like is data collection? Ethics aren't really a metric? What do we? It's a cons? It's a concern that came up in the community called it's. It's a risk that open source projects you collect data take on. I I'm sorry if you please, for the for those reports, if you're, if you're going to say that someone having this event is following ethical guidelines for data collection, you have to have some way of measuring it, so it has to be a metric.
F
C
F
I
E
Yeah, I mean, I think in the case of the badging program, which is where this conversation originated. The the one of the concerns is people from underrepresented populations. If there's a small number of them filling out a survey at a medium-sized conference, they're, basically identifiable if they share their their background, what are their ways I mean? I don't know how to handle that, and I think what Sophia has been searching for is precedent for how that gets handled.
F
Yeah when we were having at least plumbers, we had a buff about the kernel, stats and some of the diversity stats in there, and the question was asked about. Well, you know you're, just a male, female and well the the challenge. Is we don't have ways for people to self-identify in a way that we they can trust responsibly?
F
It tends to be a one-on-one personal relationship perspective, and so you know I know, there's a couple of other well, you know basically non-binary sitting in in the community participating, but we didn't have a really good way of including them explicitly and they're such a small number compared to the larger scale. Four thousand having one or two doesn't really show up. You know statistic so to speak, so it's a it was something that was talked about affair about no good solution out there.
C
I will note that under the GDPR, a lot of that kind of data is considered especially sensitive, and you know, and and you you you have to have there- there's a signific there's a higher, it's called sensitive data and it's subject to all sorts of higher thresholds and unfortunately that includes racial ethnic origin.
C
F
Yeah, I think that's getting into the ethics that we're talking about here. The question is: how do you like you know? How can you classify a project in terms of its responsibility of behavior? I guess to Sophia's point. I just don't know if she's found anything on this stuff, where you know, if a project's busy collecting data about people, how can they assert how it's being handled and, what's being reported.
F
You know and the sense of you you're keeping it for your own demographic, you know purposes and for trying to improve certain characteristics or trying to do outreach, which are ethical in theory, practices. How? How do you make sure that it's not being it cannot be? You know the information cannot be scraped and then used for something. That's not.
D
These are the actual guidelines that we're taking around the consumption, handling and usage of the data, and I think ethically, you need some sort of privacy statement, so it's they're related, but not the same thing, and so within the scope of our working group and CHAOSS. Working groups are do the metrics that we encourage focus on ethics or the creation of a privacy policy.
F
I think more privacy policies where the the any f any any focus has been had until now. I don't I'm. You know, I think, there's elements of how the data is being used incorporated in that policy. Some of the policies, but I don't know if it's consistent.
D
Yeah, well, I know, for the most part, most most projects have some statements, sometimes at least the ones that have APIs where you can export the data like at least working with grammar labs and knowing the projects that we're going to be pulling from. Most of them do have some sort of data handling privacy policy, at least they the ones that they do. We have to put in our own privacy statement internally for documentation to recognize that we're complying with their handling.
E
Policies interesting, we talked on the on the main call and we've got about six minutes here about is, is the privacy policy the same thing as data ethics and data handling, concern. I I think those are two different things per the discussion we've had prior.
E
I
So I think the two questions so similar to how the the code of conduct is kind of a binary metric that you can say does this project have a code of conduct? Yes, no, you can say: does this project have a privacy policy?
I
Yes, no right and that's something we can measure, but then, when we look at the the ethical use of the data, that's almost that's an assessment of of how they're using their data, that's a little bit different than just whether or not they have a privacy policy.
E
Well- and I think actually at first, I thought Sophia was being possibly too rigorous. Thinking about it as an IRB concern, but in fact I think there is a desire for us to have some people in a project have access to the sensitive data. So they can understand where the project is at, but not publish.
E
Information that we derive from data that people use to when they share when they fill out surveys, if it identifies people so there are, there could be a levels of treatment I think which would which does become pretty similar to IRB, where, as a researcher, I know the identities of the people who, whose identities I obscure. When I write about them.
F
F
I'm just gonna also flag, there's just come out a blog from Mozilla on this type of topic.
F
I
I'm wondering I'm wondering if it might be as easy as just saying something to the of treating GDPR as the metric and saying is the project GDPR compliant? And then you have a checklist of all the things that make up GDPR.
D
D
E
F
And we know Emma too so.
F
E
I'm just making that understood. I would do the same, draw his attention to that, because one one thing we might want to do is invite Emma to talk.
E
We seem to all have some interest in this and about a minute left, so I could invite Emma to talk with us, the next time that we get together about this and, if she's not available, then we can find you know we meet every two weeks. I imagine we'll find some alignment she's in the Pacific time zone so this time isn't too terrible for her.
E
I think I don't actually know what anybody's life is like right now, but I will take the task of inviting her unless somebody else wants it. I'll always surrender work.
E
I'll I shouldn't even have my emails, not a hard task with with that. I think. Thank you all for a really lively discussion of things I didn't expect. I just I want to mention. I do owe from August sort of the the provenance and the sourcing of the community reports and how that works and explaining that, and so I will bring that with me to the next risk meeting.
C
Yeah, it was just a real, quick Sean before we go. The you've got a link off to the CHAOSS metrics v2 level of completeness is that the current spreadsheet, in terms of the kind of the status.
C
E
Yes, I think it's it's a pretty good. I mean it's a representation of working, how it's working. What am I trying to say so by the oh wait, a minute I went, I went to it and then I forgot that I'd stop screen sharing.
E
So when, when we're building metrics out which ultimately, we will begin to do again, but I'm sure there'll be some metrics that are drawn from the tagging and process practices that we're looking at, and I think there could be some metrics and risk under business risk, possibly or transparency possibly related to privacy.
E
So if we decide to work on it, then we would put it into it. We would create the metric title and then an in progress tag and, and then we have a new status called moved so like we could start working on this PII privacy practice metric and I'll. You know it could end up being more appropriate to a different group. I don't know which group that might be other than the common working group so, but we would still keep it.
E
It gives us a way to keep it in here for cross-referencing right, because we've we've grown as a project to having the number of things that we're working on across working groups. We need a way to track that, for example, risk is interested in certain things that evolution or value have defined or common has defined, and we can just link to their metric so that right we don't.
F
So one of the yeah actually since we're looking at this list right now on the business risk. One yeah I'd be interested having a bit of a discussion about that and talking about bill versus execution dependencies, because that would be useful for me for some discussions that are having on evolution of s.
C
C
Yeah I I I should mention that one of the reasons I'm asking is that I'm working with this newly forming Open Source Security Foundation and their interest there's a subgroup in there. That's interested it's it's badly named. They call it security threats, but I think they're really interested in a security. Metrics security focus metrics dashboard and I have alerted them to the existence of CHAOSS which they were unaware of, and now I'm alerting you about their existence, all right, I'm hoping to at least at least be aware.
C
Yes, and if you want to, if you're looking for a more ambiguous hard to figure out what in the world, they mean working group, don't bother, they've won.
C
I
C
This is a very very early we just got announced so they're still gathering people they just made their mailing list they're still working out some things, so I want to make sure that folks are aware of each other. I mean it's okay, that different groups do different things, that's fine or maybe take different approaches on the same thing. I just want to make sure people are aware of each other yeah.
E
Definitely all right! Well, we can cover that next time and thank you all for a really lively and wonderful discussion, and I will see you in a couple of weeks.