From YouTube: CHAOSS Risk Working Group April 27, 2023
Description
Minutes from this meeting can be found here: https://docs.google.com/document/d/1iqIMpLBwuKSnE0BbQTgbsb9Im87IoN7IUzukochClCw/edit?pli=1#
A: Not okay. I understand why you want it for these, but I would say contributors and maintainers for all three of these.

B: In these, all of these measures are kind of getting at the core of the community, like the elephant factor, committers and bus factor. And lately I've been struggling with how to actually count the number of maintainers in a community if there's no specific identification of them, say an OWNERS file or something like that. I think looking at the number of contributors is surprisingly misleading when there are many of them and only one maintainer, yeah.
A: Actually, in a way, yeah. Most projects... that's actually not very hard. Well, I guess step one: if there's only one person maintaining it, they're the maintainer, and that covers around half, more than half of all cases. And in general, if somebody was able to directly commit to the project, then therefore they are a maintainer.

A: You can estimate that there must be a maintainer because they're obviously not just somebody who's contributing on the side. That's assuming you're using GitHub or GitLab or something like that.

A: Right, merging into a main branch. Yeah, sorry, sorry, yeah, I mean committing into the main of the project, not to, say, their own fork or someone else's.

A: So basically, if you have commit access, you are not just contributing, you are a committer or a maintainer, and I often use the two words synonymously, even though anyone can, you know, make a copy and commit to their local copy. So...
B: I know, because everyone uses different terms. Like the picture do folks, they talk about onion analysis. It's basically that we're trying to identify the core of the thing, the percentage that's doing the top 50 or more.

A: I think the problem is that some people use "committers" and what they really mean is core committers. So if we just use "committers" in the keyword search, you can define it more generally, but I think the term is used loosely often enough that you're better off just doing the keyword search, accepting the more general term.
B: Finish your thoughts. Well, I was curious, because this is maybe a me problem, or a problem of the products I work with, but you can only see the access levels if you have write privileges; it says administrative privileges of that org, because I really need that for third-party work. You can actually see who has approval access within a project. It's like, if you're doing it for another project, then it's harder to, like, say you're trying to assess the risk of a project.

B: You can't actually see that, so then you're sort of left with approximations for just who's doing how much work. But the other problem is, maybe I'm just coming out of KubeCon and Kubernetes problems: 82 of their open pull requests are merged by a robot called CI robot.

B: So to actually figure out who's approving things to be merged, you have to go through the commit field of the payload, which is incredibly messy. So it's difficult for the average person to go in and figure out how many maintainers there are without looking at OWNERS files, but that's indicated by the project, not in general.
A: If they're using git, in which case it's likely that the merge is referring to another git commit where the actual change is taking place and the bot is just doing a merge commit. If they're not using git, then I don't know. I'm...

A: Yeah, right, there may be a better way to do what you're doing, because there's actually a number of workstreams like that, where some bot does a merge and it's actually bringing in two branches, and depending on the tool you're using, it may only show, like, the main line. It won't show the other one that the changes are coming from, so you basically have to turn on some options to show the full path there.

A: I have done more than a little code analyzing git data from git and other SCM tools. So you can feel sorry for me later.
A: Okay, yeah, yeah, yeah, but yeah, okay, I don't know all the data that is included within the GitHub event stream. But if nothing else you can identify, well, presuming you're getting the pull request, the merge ID, you can then ask GitHub, hey, given this merge ID... or, just frankly, I would just download the whole repo from GitHub and use git, because git actually can manage and display a whole lot of that stuff.

A: You know, "give me this, show me that": git has a format string that'll help you do all sorts of analysis if you're going to go down that path and dump it into a database, if you want to.

A: I agree, that is fine. Let's see here. And I guess for the OSI-approved licenses, I would say the same: rights, legal, law.
A: By the way, if you were to interact with me, you'll know I actually don't like the phrase "intellectual property," not because it's a problem among the lawyers; lawyers understand it. The problem is everybody else knows that property is a physical object, and I just... it just is not worth that fight. Just don't use the word, otherwise people... you know. As I said, the lawyers know what they mean. They have a very specific meaning. It's just not what...

A: They are synonyms. There is no difference, at least within the U.S. Okay, I'm not familiar with other jurisdictions, but within the U.S., if you say the word "property," it's just another word for the word "rights." That's all it means. Now, everybody else in the world, when you say "property," you're thinking about real estate or physical property. Okay.

A: But the thing is, your response is, I think, exactly how most non-lawyers respond. There is an assumption with the word "property" that it's a physical object, and that's just an implication in normal, non-specialized use of the English language, and I just have found that trying to get people to become lawyers is not worth the fight. If you want to be a lawyer, there are some awesome law schools. Go.
E: I would, if we go to line 58, "OSI approved licenses," yep, there I would propose deleting just the word "approved" and just using the word "acceptable."

A: Yep. Now, you know what this, however, suggests to me: we've been working very, very hard on very carefully defining certain things. Now, I'm working with the OpenSSF, so maybe I'm a little biased here, but it seems to me that there are metrics created by the OpenSSF that the CHAOSS folks can just reuse and declare victory on.
A: In which case, let's, let's now... SLSA. SLSA, I totally understand, was at 0.1. We're... In fact, I just came from an interview talking about the release of 1.0 recently, but it's released, so, you know, we can use it.

A: No, no, more in terms of currently, okay. The way it now works is they have what they call tiers. Okay, they have various levels and various groupings, and various levels within the groupings. Okay, the SLSA build...

A: Sure, what could possibly go wrong? I...

A: Okay, all right, I don't know why things got there, but okay. This is slsa.dev, and this is basically announcing the big new release, SLSA 1.0, okay, which is pretty recent.

A: Well, it's a spec, so... but it's open, okay, okay! So basically...

C: So this is like SPDX in that way. It's like...

A: I'll show you in a second what it's about, but basically the main thing that it's about is, in 1.0, they split. Originally...
A: What we were having trouble getting agreement on: we want to define these clearly, and it's hard to do it all at once, so they defined tracks, okay, and what's in 1.0 is the build track, levels one through three. Okay, and let me see if I go down, you know, let me just go down to this. I think this is a quick way of explaining it in one chart. Okay, so the SLSA build track has three levels besides level zero, which is, we, you know, okay. For Build L1...

A: You have to meet the little check marks, and these are basically requirements on your build platform. You know, basically, the build platform has to have certain characteristics, you have to follow a consistent build process, and you have to tell people how you are building this, which is what provenance is. At L1 there has to exist basic information about, you know, how you generate it. At level two, we have the ability to say, hey...

A: In all seriousness, there are a lot of projects which build under somebody's desk, and if that person dies, we can't build this software anymore. Yeah, that's bad, okay. And at level three, what's added is ways to make that unforgeable and isolated. Now, the isolation is not full network isolation. That's something called hermetic builds, which turn out to be harder than you might think. But the idea here is that one build shouldn't be influencing another build. If you rebuild something, it shouldn't be quietly and silently, you know, subverted because of some other build somewhere else.
A: As I said, this isn't... and the idea, and if you want, there's much more description about, you know, what are the threats they're worrying about, why these count, what threats these counter versus what they don't, right? Okay, and the idea here is, if you're, you know, if you're downloading the software straight as source code, then you don't care. But if you are like most people, you're downloading a pre-built package and using the pre-built package, you'd like to have some confidence that the pre-built package was built in a secure way.

A: A build process would be implementing this. Typically, a project itself would do it if you're on, like, npm or PyPI, but there are separate builders; particularly, system packages are often built that way, and that's fine too. You know, it's basically whoever is building the software is trying to implement this in a way that, you know, increases the likelihood that the package that you're using is what was generated from the...

A: You know what, I don't want to say that it's always bad to develop under your desk, but...

E: Is it tied to publicly available? Like, even on GitHub, you can keep the build private.
A: Well, the assumption with this is that you're going to distribute, you know, basically, "how did I build this thing?" Okay, so I mean, I won't say that it's required to use open source software, but it's much more focused on the... Now, I don't know if it requires public, come to think of it. Let's go back to that, because I think it says "distribute provenance"; it doesn't say... yeah, you're right, actually, come to think of it.

A: I've been only thinking about it in terms of open source components, but all it says is "distribute provenance." I...

A: Yeah. Originally, this was developed from what Google does internally. Google does a whole bunch of stuff when they build things, and they came up with a version, what we called 0.1, and then people beat it up. And basically, the good thing is that people actually were doing this. That is always a big plus; there are so many specs that no one's actually tried. The big negative is that it turns out not everyone's Google, and some things that Google finds easy to do are really hard for other organizations to do.
A: Because everybody, yeah, everybody, by the way, can be described that way. No matter what you do, you're going to make it work within your organization, and whenever a spec comes out that was developed, you know, from real-world experience, first of all, that's the way you want to do it, but there's always the challenge of, wait, what is really focused on that one organization versus what's more general. And so it's been over a year working out how to generalize it, and it's, and you know, I think any good spec process...

A: That right now, the only thing in SLSA is the build levels, but they have already said they plan to do that. We do have drafts of that material. So I think that, for CHAOSS's own sake, it would be wise to say, okay, this is the measure that is solid, we'll use that; the other measures, they're working on it.

A: Now the challenge will be measuring this. Let's see.
C: I'm looking at this spreadsheet too, and I'm trying to figure out: SLSA build levels, would that go under transparency, or...

E: So, like, is it... this is more on the process, but this section is more on the licensing.

E: I think it also goes to the transparency, because you are being transparent on the process of this, so it might go to the section 5, transparency.

A: We've got the best practices badge; we could add Scorecards and SLSA build levels. Scorecards is easy: there's a tool, there's a metric. SLSA build levels, that's much more of a... the project does work to implement them and then produces information that says, hey, I've got this build level. So it's a very different kind of measurement.

C: I'm just gonna say, like, let's make these priorities that we build on. I just changed Scorecards, and it's also build levels, in progress. Okay.
B: Mostly because I'm trying to figure out if I want to submit a CFP for OSS EU, and we're about to hit North America, but of course the CFP for the next one's already due May 2nd. I don't know if y'all were planning to go, but I was thinking about suggesting a risk metrics panel that, I don't know if it would be appropriate. I know OpenSSF has had their own days.

B: That might be distinct, so I don't know, I wouldn't want to conflict, or maybe we would pitch it as part of that. Davey, you might have a better sense of... I don't know if they had an open CFP last time for that event. So, but I thought it might be nice, instead of presenting on it, maybe having a discussion on it in that.

B: I mean, I can propose a talk if we're not really sure if folks are going to be there. I just think I'd rather do a panel, just because it's so context-driven when people define risk in their own ways. We can talk risk in general, like we do here, but I think I also find it valuable when we get people from specific areas that are more...