►
From YouTube: CHAOSS Risk Working Group April 27, 2023
Description
Minutes from this meeting can be found here: https://docs.google.com/document/d/1iqIMpLBwuKSnE0BbQTgbsb9Im87IoN7IUzukochClCw/edit?pli=1#
D
A
A
B
B
B
In
these,
all
of
these
measures
are
kind
of
getting
at
the
core
of
the
community,
like
that's,
not
elephant,
background
committers
and
bus
factor,
and
lately
I've
been
struggling
with
how
to
actually
count
the
number
of
maintainers
in
a
community.
If
there's
no
specific
identification
of
them,
then
say
an
owner's
file
or
something
like
that
where
I
think
looking
at
the
number
of
contributors,
but
surprisingly
misleading
when
there
are
many
of
them
and
only
one
maintainer
yeah.
A
Actually,
in
a
way
yeah
most
projects-
that's
actually
not
very
hard.
Well,
I,
I,
guess
a
step
one
if
there's
only
one
person
maintaining
it
they're
the
maintainer
and
that
covers
half
around
half
the
cases
more
than
half
of
all
cases
and
in
general.
If
somebody
was
able
to
directly
commit
to
the
project,
then
therefore
they
are
a
main
they're.
A
D
A
E
A
B
A
B
A
I
think
the
problem
is
that
some
people
use
the
committers
and
what
they
really
mean
is
core
committers.
So
if
we
just
use
committers
in
the
keyword
search,
you
can
Define
it
more
generally,
but
I
I
think
the
term
is
used
often
enough.
Loosely
that
you're
better
off
just
doing
the
search
for
the
keyword,
search,
accepting
the
more
general
term.
D
D
B
Finish
your
thoughts
well
as
I
was
curious,
because
this
is
maybe
a
me
problem
or
the
products
I
work
with
problem,
but
you
can
only
see
that
the
access
levels,
if
you
have
work
privileges,
it
says
administrative
privileges
of
that
org,
because
I
really
need
for
third-party
work.
You
can
actually
see
who
has
approval
access
within
a
project.
It's
like
you're
doing
it
for
other
project.
Then
you
it's
harder
to
like,
say
you're,
trying
to
assess
the
risk
of
a
project.
B
So
you
actually
figure
out
who's
approving
things
to
be
merged.
You
have
to
go
through
the
Comet
Field
of
the
payload,
which
is
incredibly
messy.
So
it's
difficult
for
the
average
person
to
go
in
and
figure
out
how
many
maintainers
are
there
without
looking
at
owner's
files,
but
that's
indicative
by
the
project,
not
with
General.
A
B
A
A
Yeah
right
there
may
be
a
better
way
to
do
what
you're
doing,
because
there's
there's
actually
a
number
of
work
streams
like
that,
where
you
do
where
some
bot
doesn't
merge
and
it's
actually
bringing
in
two
branches
and
depending
on
the
tool
you're
using
it,
may
only
show
like
the
main
line.
It
won't
show
the
other
one
that
James
is
coming
from,
so
you
basically
have
to
turn
on
some
options
to
show
the
full
path
there.
A
B
A
Okay,
yeah
yeah
yeah,
but
yeah,
okay,
I,
don't
know
all
the
data
that
that
is
included
within
the
Getty
vet
GitHub
event
stream.
But
if
nothing
else
you
can
identify
well
presuming
it's
you're,
getting
the
pull
request,
the
the
merge
ID
you
can
then
ask
GitHub,
hey,
given
this
merge,
ID
or
just
frankly,
I
would
just
download
the
whole
repo
from
get
GitHub
and
use
get
because
get
actually
can
manage
and
display
a
whole
lot
of
that
stuff.
A
B
A
By
the
way,
if
you,
if
you
were
to
interact
with
me,
you'll
know
I,
actually
don't
like
the
phrase
intellectual
property,
not
because
it's
a
problem
among
the
lawyers
lawyers
understand
it.
The
problem
is
everybody
else
knows
that
property
is
a
physical
object
and
I.
Just
it
just
is
not
worth
that
fight.
Just
don't
use
the
word
otherwise
people.
You
know.
As
I
said,
the
lawyers
know
what
they
mean.
They
have
a
very
specific
meaning.
It's
just
not
what.
A
A
They
are
synonyms.
There
is
no
difference,
at
least
within
the
U.S.
Okay,
I'm
not
familiar
with
other
jurisdictions,
but
within
the
U.S,
if
you
say
the
word
property
as
just
another
word
for
the
word
rights.
That's
all
it
means
now
everybody
else
in
the
world
when
you
say
property,
you're
thinking
about
real
estate
or
physical
property.
Okay,.
E
E
A
But
but
the
thing
is,
your
response
is
I,
think
exactly
how
most
non-lawyers
respond.
There
is
an
assumption
with
the
word
property.
That's
a
physical
object
and
that's
just
an
implication
in
normal
non-specialized
use
of
the
English
language
and
I
just
have
found
that
it
is
trying
to
get
people
to
become
lawyers
is
not
worth
the
fight.
If
you
want
to
be
a
lawyer,
there's
some
awesome
law.
Schools
go.
E
A
B
B
A
E
B
A
E
A
E
A
C
A
C
E
C
A
Yep
now
you
know
what
this,
however,
suggests
to
me:
we've
been
working
very,
very
hard
on
very
carefully
defining
certain
things:
Mary
now
I'm
working
with
the
open
ssf,
so
maybe
I'm
a
little
biased
here.
But
it
seems
to
me
that
there
are
metrics
created
by
the
openssf
that
the
chaos
folks
can
just
reuse
and
declare
Victory
on.
A
A
A
A
A
D
D
A
What
we're
having
trouble
getting
agreement?
We
we
want
to
Define
these
clearly,
it's
hard
to
do
it
all
at
once,
so
the
defined
tracks,
okay
and
I'm
I
and
what's
for
in
1.0,
is
build
tracks,
one
through
three.
Okay,
and
let
me
see
if
I
go
down,
you
know.
Let
me
just
go
down
to
this.
I
think
this
is
a
quick
way
of
explaining
it
in
one
chart.
Okay,
so
the
build
salsa
build
track
has
three
levels
besides
level
zero,
which
is
we,
you
know,
okay
for
build
one.
A
You
have
to
meet
the
little
check
marks
and
these
are
basically
requirements
on
your
build
processing
platform.
You
know,
basically,
the
build
platform
has
to
have
certain
characteristics.
You
have
to
follow
a
consistent,
build
process
and
you'd
have
to
tell
people.
How
are
you
building
this,
which
is
what
providence
is
at
L1?
There
has
to
exist
basic
information
about.
You
know
the
pro
how
you
generate
at
level
two.
We
have
the
ability
to
say
hey.
A
In
all
services,
there's
a
lot
of
projects
which
build
under
somebody's
desk
and
if
that
person
dies,
we
can't
build
this
offer
anymore.
Yeah,
that's
bad,
okay
and
at
level
three
what's
ages
is
ways
to
make
that
unforgeable
and
isolated.
Now
the
isolation
is
not
full
Network
isolation.
That's
something
called
hermetic
builds,
which
turn
out
to
be
harder
than
you
might
think.
But
the
idea
here
is
that
one
build
shouldn't
be
influencing
another
build.
If
you
rebuild
something
it
shouldn't
be
quietly
and
silently,
you
know
subverted
because
of
some
other
build
somewhere
else.
E
A
Said
this
isn't
a
and
the
idea,
and
if
you
want
there's
much
more
description
about
you
know
what
what
are
the
threats
they're
worrying
about?
Why
these
count?
What
threats
do
these
counter
versus
what
they
don't
right?
Okay
and
the
idea
here,
is,
if
you're
you
know,
if
you're
downloading
the
software
straight
As
source
code,
then
you
don't
care,
but
if
you
are
like
most
people,
you're
downloading
a
pre-built
package
and
using
the
pre-built
package,
you'd
like
to
have
some
confidence
that
the
pre-built
package
was
built
in
a
in
a
secure
way.
C
A
A
build
process
would
be
implementing
this.
Typically,
a
project
itself
would
do
it
on
if
you're
on,
like
npm
or
Pi
Pi,
but
if
you're
a
separate.
If
you
know
Bill,
there
are
separate
Builders,
particularly
system
packages
are
often
built.
That
way,
and
that's
fine
too,
you
know
it's
basically,
whoever
is
building
the
software
is
trying
to
implement
this
in
a
way
that
you
know
increases
the
likelihood
that
what
the
package
that
you're
using
is
what
was
generated
from
the.
C
A
A
Well,
the
Assumption
with
this
is
that
you're
going
to
distribute.
You
know
how,
basically,
how
did
I
build
this
thing?
Okay,
so
I
I
mean
I,
won't
say
that
it's
required
to
use
the
open
source
software,
but
it's
much
more
focused
on
the
now
I.
Don't
know
if
it
requires
public
come
to
think
of
it.
Let's
go
back
to
that,
because
I
think
it
says,
distribute
provenance,
it
doesn't
say
yeah
you're
right
actually
come
to
think
of
it.
A
E
A
Yeah
it
come
to
originally,
this
was
developed
from
what
Google
does
internally
Google
does
a
whole
bunch
of
stuff
when
they
build
things
and
they
came
up
with
a
version,
what
we
called
0.1
and
then
people
beat
it
up
and
basically
basically
the
the
good
thing
is
that
people
actually
were
doing
this.
That
is
always
a
big
plus
there's
so
many
specs
that
no
one's
actually
tried.
The
big
negative
is
that
it
turns
out
not
everyone's
Google
and
some
things
that
Google
finds
easy
to
do
are
really
hard
for
other
organizations
to
do.
C
A
A
Because
everybody
yeah
everybody
by
the
way
can
be
described
that
way,
no
matter
what
you
do,
you're
going
to
make
it
work
within
your
organization
and
whenever
a
spec
comes
out
that
was
developed
by
you
know
from
Real
World
Experience.
First
of
all,
that's
the
way
you
want
to
do
it,
but
there's
always
the
challenge
of
weight.
What
is
really
focused
on
that
one
organization
versus
what's
more
General,
and
so
it's
been
over
a
year
working
out
how
to
generalize
it
and-
and
it's
and
you
know,
I-
think
any
good
spec
process.
A
C
A
C
A
That
right
now,
the
only
thing
in
salsa
is
these
is
the
build
levels,
but
they
have
already
said
they
plan
to
do
that.
We
do
have
drafts
of
that
material.
So
I
think
that
for
for
Chaos's
own
sake,
it
would
be
wise
to
say
okay.
This
is
the
measure
that
is
solid,
we'll
use
that
the
other
measures
they're
working
on
it.
A
B
A
A
A
Minute
got
the
best
breakfast
badge
we
could
add
scorecards
and
salsa
build
levels.
Scorecards
is
easy,
there's
a
tool.
There's
a
metric
salsa
build
levels.
It's
that's
much
more
of
a
the
project,
does
work
to
implement
them
and
then
produces
information
that
says:
hey
I've
got
this
build
level.
So
it's
a
very
different
kind
of
measurement.
E
A
C
B
That
might
be
distinct,
so
I
don't
know,
I
wouldn't
want
to
conflict,
or
maybe
we
would
pinch
it
as
part
of
that
Davey.
You
might
have
a
better
sense
of
I,
don't
know
if
they
have
an
open
cfp
last
time
for
for
that
event,
so,
but
I
thought
it
might
be
nice
just
to
instead
of
presenting
on
it,
maybe
having
a
discussion
on
it
in
that.
C
D
C
B
Mean
I
can
propose
a
talk
if
we're
not
really
sure
if
folks
are
going
to
be
there.
I
just
think
I'd
rather
do
a
pick
just
because
it's
so
context,
driven
when
people
Define
risk
in
their
own
ways
where
we
can
talk
risk
in
general,
like
we
do
here,
but
I
think
I
also
find
it
valuable
when
we
get
people
from
specific
areas
that
are
more.