►
From YouTube: CHAOSS.Risk.September.23.2019
Description
CHAOSS.Risk.September.23.2019
A
You're
now
recording
okay.
So
one
of
the
questions
that
we
have
that
I
think
we're
looking
for
some
help
from
Jessica
with
is
what
the
different,
whether
or
not
there
is
like.
We
have
one
kind
of
s
bomb:
that's
currently
an
auger
that
I
think
you've
seen
the
link
for
and
also
gave
us
some
really
helpful
feedback
on.
How
do
you
put
back
all
the
things
you
like
about
the
old
version
of
auger
and
the
auger
meeting
last
week?
A
But
but
we're
wondering
like
there
is
a
there-
is
a
complete
SPD
X
compliant
s
bomb
that
could
also
be
delivered.
I
think
and
the
question
and
I
think
that
we
have
is:
where
does
that
sit
in
terms
of
a
priority,
or
how
would
you
want
the
s
bomb
defined
and
that
may
be
met
remand
pretty?
Maybe
you
can
clarify
a
little
bit
what
I'm
trying
desperately
to
communicate?
A
C
Let
me
let
me
say
what
I
think
you're
saying,
and
then
you
tell
me
if
I'm
wrong:
okay,
so
in
the
the
s
phone
that
gets
generated
by
the
auger
tool.
Currently
you
are
asking
one
if
that
is
sufficient,
if
it
needs
more
information
and
if
it
needs
more
information
with
that,
what
form
that
information
needs
to
pick
so.
A
B
A
So
what
what
scene
this
was
you've
probably
seen
this
risk
page.
The
four
count
by
week
is
just
low
because
something
hasn't
been
run
against
this
database
yet,
but
the
download.
What
we
have
now
is
this
download
software
Bill
of
Materials
and
it's
a
standard
data
exchange
format
called
JSON,
so
I
guess
I,
guys
download
that
which
causes
me
to
download
it.
C
One
of
the
big
concerns
about
s
bomb
for
a
lot
of
the
people
who
are
in
that
conversation
or
just
in
generally,
is
they
don't
know
how
to
generate
one?
They
don't
they
don't
even
know
so
they're,
not
to
the
point
necessarily
of
asking
what
it
looks
like
or
having
opinions
on
what
it
should
or
shouldn't
look
like
they
just
can't.
C
They
can't
even
have
that
conversation
yet
because
they
don't
know
how
they're
supposed
to
make
one-
and
so
I
will
say
this
with
having
a
tool
like
this,
like
auger,
that
will
just
pop
up
in
the
s
bomb
I
think
is
such
a
leap
forward
for
most
people,
that
I
mean
whatever
you
give
them
at
this
point,
I'm
fine
with,
because
I
expect.
What
will
end
up
happening
is
that
you
will
have
feedback
and
you'll
have
people
who
are
like
ooh.
This
is
really
great
kid.
What
about
this?
We
do
that.
A
So,
thank
you.
That's
good!
That's
good.
To
hear
and
I
do
understand
those
kinds
of
conversations.
People
are
I
tell
my
suffering
students
this
all
the
time.
People
are
terrible
at
expressing
what
they
want
without
an
example
and
so
with
design.
You
can
work
up
examples
with
on
paper
and
start
to
do
things
I
think
what
we
have
right
now,
I
think
we're
pretty
confident
isn't
quite
enough.
It
includes
some
basic
packages,
services,
assertion,
information,
license
coverage,
things
like
that
and
the
enumeration
of
all
of
the
licenses
that
know
most
detects
in
the
scan.
A
A
It
just
tells
you
that
these
are
the
licenses
that
were
detected
in
this
package,
so
there
isn't
an
order
that
all
right
so
right
now
all
it
is,
is
really
and
that's
not
a
criticism.
That's
now
right
now,
it's
only
the
license
information
and
before
we
proceeded
to
start
to
add
other
things
that
are
part
of
the
SPD
expec.
We
thought
we
should
talk
it
through
in
this
meeting.
Yeah.
C
Okay,
okay,
I
guess,
I'm
a
little
bit
more
clear,
I.
Think
I'm,
where
you're
coming
from
so
the
to
two
things
on
the
licenses
declared
part
I.
Think
I
wouldn't
worry
so
much
about
this,
because
I
think
for
the
life
is
declared
from
a
legal
perspective
for
a
lot
of
these
folks.
It's
going
to
be.
Does
this
have
a
you
know,
one
of
the
types
of
licenses
that
I
know:
I
can't
use
because
that
license
has
restrictions
that
I
don't
want.
No.
C
A
So
essentially,
the
licenses
are
below
like
there's
an
enumeration
of
every
license.
That's
in
it
below
the
screen.
So
like
there's
a
GPL
dual
license:
public
I,
don't
know
what
license
are
public
domain
is
not
familiar
with
that
one
license.
She
files,
you
are
I,
don't
I,
don't
know
exactly
what
all
these
like.
Obviously
BSD
is
I
know
what
that
is.
So,
oh
yeah,
sorry.
A
C
E
C
Because
I
think
what
again
like,
if
I
was
let's
say,
we
actually
have
a
very
competent
open-source
office
at
one
of
these
companies
and
they
have
you
know
a
savvy
lawyer
who
said
like
here's,
the
list
of
ok
licenses
and
not
ok.
Licenses
I
can
essentially
take
my
list
of
organizations
acceptable
and
not
accessible.
License
doesn't
go
check
them
against
this
license.
Declare
box
if
I
want
to
use
a
package
and
I
know
that
I
can't
use
GPL
2.0
and
it's
you
know
this
says
it
doesn't
on
here.
A
C
B
C
A
city
exercise
soon
is
in
there
somewhere
and
sort
of
step
up
one
level
and
create
these
contexts
around
all
of
them,
which
is
fantastic
because
I
gotta
tell
you,
I've
described
some
of
these
tools
to
the
folks
that
I
work
with
on
like
the
global
product
security
officers,
and
they
like
the
idea
of
the
tools
they
do
not
like
the
idea
of
the
amount
of
time
it
would
take
them
to
learn
the
tools
and
then
to
deploy
them.
Yes,
oh
this
kind
of
thing
kept
a
lot
of
that
out.
The.
B
A
C
A
Thank
you,
yeah
and
kudos
to
Matt.
Snell
is
the
one
that's
really
kind
of
taking
the
G
Sox
scanners
and
put
it
into
a
page
that
integrates
it
with
the
other
things
that
we're
doing
and
I
think
one
question
from
a
I
guess:
sort
of
a
tooling.
So
one
of
the
things
we're
doing
is
we're
taking
some
of
the
metrics
that
we're
providing
that
are
in
the
tool
that
aren't
yet
defined
in
the
next
metrics
released
for
risk.
I
think
another
question
we
have
is,
and
this
is
where
Mets
know
I
don't
know
a
B.
A
You
can
use
chat,
but
I
think
it
would
be
helpful
to
know
like
what's
what's
the
level
of
so
it
sounds
like
it
would
be
cool
if
we
could
click
on
a
license
and
see
a
list
of
the
parts
of
the
program
or
the
files
and
the
program
or
the
package
that
include
that
license.
Yeah
I'm,
reasonably
confident,
that's
in
the
database
Matt
Snell.
Can
you
confirm
that
my
reasonable
certainty
has
a
merit.
D
A
A
D
As
far
as
finding
out
what
relations
the
like,
what
file
they're
found
and
I'm
pretty
sure,
there's
a
column
that
just
tells
you
what
file
that
was
found
and-
and
we
can
go
off
for
just
that
and
do
like
all
kinds
of
information
kind
of
scraping.
I'm
tell
you
where
what
where
this
license
is
kind
of
found.
But
I,
don't
know
what
the
best
way
to
implement
that.
C
And
what
you're
saying
I
like
the
Maps
idea
of
like
if
I
click,
if
I,
if
there
were
files
that
had
about
you
2.0
if
I,
could
click
Apache
and
it
gave
me
a
drop-down.
That
said,
you
know:
here's
here's,
the
five
or
six
packages
that
used
Apache
2.0,
something
as
simple
as
that
I
think
would
be
very
useful.
Well,.
A
C
A
Gonna
work
as
well,
but
a
downloadable
list
is
possible.
It's
also
possible
that
the
information
and
I'm
just
sort
of
discussing
design
possibilities-
and
that's
now
can
address
feasibility
or
what's
optimal.
But
one
possibility
is
that
you
would
just
download
a
list
of
the
files
where
it's
included
so
that
you
can
see
that
and
it
and.
F
A
Maybe
that
list
is
structured
by
directory,
so
it
becomes
fairly
clear
if
there's
a
particular
directory,
which
is
often
the
case
that
contains
files
with
that
license.
I
find
that
that
when
you
have
multiple
licenses
declared
often
it's
one
piece
of
the
whole
program
that
has
a
hundred
hundreds
or
maybe
a
dozen
dozen
to
it,
dozens
of
thousands
of
files
that
contain
that
license,
declaration
and
they're,
usually
under
one
part
of
the
system
not
like
peppered
throughout
it.
A
B
B
B
D
B
B
Has
included?
Are
you
familiar
with
TR
DL
TLDR
illegal,
so
the
idea
would
be
as
you
could-
click
on
Apache,
oh
it'll,
actually
take
you
to
the
TLDR
page
to
give
you
a
little
information
if
you'd
like
it
mm-hmm
and
then
under
note,
that
could
be
where
it
says.
You
know,
click
here
to
see
all
files
that
contain
this
license.
Yeah.
G
A
And-
and
it
sounds
like
like
the
way
I
would
do
it,
Matt
is
I,
would
I
would
look
at
all
the
files
and
then
maybe
at
the
top
I
would
show
a
listing
of
the
top-level
directory
where
those
files
are
found
within
the
package,
because
that
I
mean
you
can
problem.
People
can
figure
that
out
by
looking
at
it,
but
if
you
have
a
list
of
thousands
of
files,
it
would
be
helpful
to
know
what
what
what
top-level
some
directory
their
licenses
are.
D
A
I'll
brave
ysabellabrave
is
Shawn
today,
I
haven't
I,
haven't
looked
at
this
since
I
started
things
up
after
humility
the
other
day,
so
there
shouldn't
be
any
insights.
There
should
be
repose.
Yeah
looks
like
we
have
commit
counts
and
some
issue
counts
in
the
cases
where
there
aren't
issue
counts,
its
I
will
check
on
the
backend
to
see
if
that's
because
it's
not
done
counting
or
because
those
repositories
simply
aren't
using
github
issues.
Okay,.
C
C
A
C
E
C
E
A
See
so
I
think
yes,
this
needs
to
be
more
clear
because
these
look
like
it's
actually
a
year
month,
but
it
looks
like
only
when
I'm
reading
it.
My
first
impression
is
that
it's
like
seven
days
in
January
or
nine
days
in
January
that
we're
looking
at
yeah
that's
years
so
I,
don't
think
that's
very
clear.
C
A
A
A
I
will
go
get
that
connected
up
here
this
afternoon,
okay,
what's
going
on
just
double
check
that
the
facade
completed
successfully
and
that
that
one
weird
repo
that
we
were
looking
at
at
the
very
beginning,
I
think
that
just
has
that
and
I
forget
which
one
it
was
now,
but
I'll
just
make
sure
everything
finished
correctly
in
facade
it
looks
it
looks
like
it
did,
or
else
we
wouldn't
be
seeing
those
commits
totals
for
anything.
I
am.
C
On
the
question
on
the
f-bomb
sufficiency
for
a
lack
of
a
better
term,
the
one
thing
I
will
say
about
Estefan
that
everyone
sort
of
agrees
as
a
minimum
minimum
necessary
is
the
list
of
packages
that
are
given
package
includes.
So
it's
listed
dependencies
so
today,
except
that
that
is
not
currently
in
the
US
on
capability.
That
would
be
nice,
I
will
say:
I
wouldn't
I,
wouldn't
make
it
the
top
priority.
C
A
C
I
mean
for
visibility's
sake,
so
one
of
the
when
we
talk
about
summer
villa
materials
at
a
high
level
for
a
lot
of
folks.
What
they're
usually
talking
about
is
when
they
are
sold
a
product
like
a
software
product,
they
don't
normally
know
they
know
that
they're
buying
product
X,
but
they
don't
know
what
product
X
is
built
out
of,
and
so
they
want
to
know
what
it
is.
And
so
the
question
for
me
would
be:
does
this
s
some
capability
built
into
the
honor
tool
if
I
feed
it
product
X?
D
A
It's
pasta,
how
are
imported
libraries
treated
with
regards
to
licensing
and
it
was
a
question
from
that
German
pray,
probably
because
I,
don't
think
the
scanner.
So
this
game,
though,
sounds
like
the
scanner,
doesn't
pull
out
all
the
import
statements
explicitly
and
I'm
just
curious
about
I.
Don't
know
enough
about
how
important
SAR
treated
in
terms
of
what
the
license
is
underlying
a
package
are
so.
A
Do
an
import
like
something
like
I:
do
import
sci-fi
for
statistical
analysis?
That's
a
Python
library
that
gets
loaded
in
the
local
environment.
It's
not
part
of
what
I
am
distributing.
It's
just
part
of
the
environment
that
the
program
runs
in.
Is
that
considered
a
licensing
thing
or
a
dependency
thing,
or
both.
B
A
B
A
B
The
example
that
you
provided
right
that's
one
way
and
then
different
licenses
trigger
based
on
those
different
ways
of
importing
mm-hmm.
So
there
are
just
so
many
potential
cases.
That's
why
I
didn't
answer
this
really
squarely
right.
That's
all
that
you're
kind
of
always
one
case
away
from
breaking
situation
here,
yeah.
So
it's
a
bit
of
a
sticky
wicket
because
it
is.
C
C
A
It
is
on
the
augur
roadmap
to
include
functionality
similar
to
what
libraries
io
provides,
which
is
aimed
at
understanding
software
dependencies
and
up
streaming
downstream
dependencies,
and
that
is
those
are
cases
where
it's
basically
skiing
for
the
import
statements
and
the
number
of
places
that
a
package
is
used
in
other
packages.
Yeah.
C
People
will
start
to
understand
it
better,
but
I
think
I,
just
I
think
that
them,
the
metro
that
are
built
around
it,
are
so
important
that
I
want
to
make
sure
that
the
metrics
themselves
get
really
well
developed
so
that
we
have
the
capability
to
sort
of
like
we're
talking
about
a
few
minutes
ago,
of
being
able
to
contextualize
a
lot
of
these
tools
for
people
who,
frankly,
wouldn't
use
the
tools.
If
there
wasn't
something
like
this
to
help
them,
simplify
it
having
fun.
Yes,.
A
Yes,
I
think
so,
I
think
the
next
level
4s
mom
is
the
list
of
files
where
each
of
these
licenses
are
included
within
a
package.
I
think
that
sounds
like
the
next
thing
that
we
would
either
add
to
the
s-bahn
at
the
bottom
or
add.
That
is
a
link
in
the
note
as
met
described
or
do
both
I,
don't
know
what
do
you
think
mentor
and
Trey
should
we
do
both,
like
included
in
the
fullest
BOM
and
provide
a
list
with
a
link
for
in
terms
of
the
files
yeah?
A
C
A
B
A
B
A
B
A
B
A
B
A
Yeah,
just
in
the
repo
mat,
so
the
just
so
you
know
there
is
a
we
do.
We
can
use
that
tool.
I've
been
using
manually
upon
request
so
far,
but
tarp
is
building
a
worker
for
to
do
for
the
complexity.
It
provides
a
Kokomo
based
complexity,
score
for
each
file
in
a
repository
okay,
and
so
you
could
do
you
know,
like
some
kind
of
mean
or
average
and
I
could
give
you
like
one
projects
worth
of
that
data.
Just
you
kind
of
know
what
that.
B
C
B
C
It
not
yes,
evolution
evolution,
because
so
when
we
started
looking
at
some
of
the
results
that
we
were
seeing
from
the
census
project,
one
of
the
first
questions
out
of
everyone's
mouth
was:
when
was
the
last
time.
This
thing
was
updated,
Romans,
Oh,
awesome,
it
was
touched,
and
so
I
think
that,
having
that
somewhere
on
again
I'm
calling
them
the
home
pages,
like
the
the
auger
home
page
for
a
given
package,
would
also
be
really
great.
Yet.
A
B
C
B
This
is
just
kind
of
a
funny
thing
about
the
project
itself.
The
chaos
project
is
weird
of
the
metrics
that,
because
that
certain
times
they
could
sit
one
place
than
certain
times
they
could
sit
somewhere
else
right.
So,
like
yeah,
the
number
of
commits
you
could
look
at
it
from
the
perspective
of
trying
to
understand
how
much
growth
is
occurring
and
then
you
could
also
look
at
it
as
how
dead
is
this
project?