From YouTube: CHAOSS Risk Working Group 9-16-21
Description
No description was provided for this meeting.
A: I can, and we are now recording for the Thursday, September 16th risk meeting. Things that are on the agenda today. I don't know if everybody was here when I shared the link, but I'll make sure I do that again. Right now.

A: A PowerPoint right now, but I can quickly upload it. I can quickly upload it to Google Drive. Okay.

A: Yeah, so I tried to, and yeah, so I, I tried to incorporate the feedback that I got early on. Yeah.

A: Yeah, but I was gonna.

B: Well, if we're, if we're just gonna see it, maybe that should happen after. Just let's, let's walk through, we, we have a little.

B: You can upload the, the improved deck.

A: Well, if you remember the film Fletch, David, and I refer to you because you're only the, probably only person on the call who's seen it, he talks about Harry S Truman. Just the S didn't actually stand for anything. That's fine! There.

A: You know, I'm trying to, like, act as an agent of the group. You know.

A: Yes, I suppose that becomes redundant. Doesn't it.

A: Know, right, okay, so the next thing is just kind of giving you the.

A: Okay, so these are just sort of laying out some really high level things, like what indicates dependency risk. How can we quantify them? What are the results of having measurements for things like, and I said this is like take- this is like.

C: I think, yeah, to even do that up here. We could, it's not pedantic when we're trying to, to provide it as a scope, which is one conversation. We were having a glossary of what it means to be a dependency and what it means to be risk, and because I think there you do want to sort of provide thousands of view before we provide where we focus, just to offer that out as context. So it's not being pedantic explaining how we scoped it.

C: It's like, I guess I want to say, defining dependency, but what does dependency mean in the context of open source? How are we thinking about what risk means?

F: This is in contradiction to what we have defined in our upstream dependencies, where we have defined transitive dependencies as indirect dependencies, that is, dependencies beyond first order dependencies. Yeah, oh.

A: All right, somebody have it handy.

A: All right, I'll, I'll make edits to that as becomes necessary.

A: So, but what I'm trying to illustrate with absolutely the wrong terminology is that you have your direct dependencies and then second and third order dependencies, which are transitive, and sometimes you have circular dependencies where this library, that's third order here or second order here, depends on, is a dependency for one of your first order dependencies.

F: Sean, can I propose something, an image I guess Sophia you lost and shared, where there were the blogs from some tech person showing the dependency on the, depending on one pillar of those. Do you remember that image.

A: Just gonna show your whole screen, so I have to go back and forth. If I go to the notes.

A: Yeah, if you want to send that to me, Bernad, let's put x case x, x, k, c, d.

A: So this is the overview and then I talk about libyears. So libyears is, you know. Each direct dependency has a number of libyears, and libyears are the cumulative age of all dependencies calculated using the difference between the release in use and the date of the most recent release, and then totaling them all up.

A: So I provide an example of one of the metrics that we use, and I use, I use the same visual to populate things like years, and then I go to a metric that we haven't discussed a lot except when Duane's been on the meetings. But it's a metric that matters a lot to him, and it's slightly different than libyears, because it's what he calls technical debt, and it's the cumulative age of all dependencies, calculating, calculating the difference between the current date and the date of the most recent release.

A: If you're not on the most recent release, is that right? That's right! The current date, right. So if, if they did the most recent release, if you're not on it, so- and he took me- it took him a minute to explain that to me. But let's say I'm using a 14-year-old library, I still have a 14-year-old technical debt if there's been a release, even if it was two months later than the release I'm using. That's like 13 years and 10 months.

C: I think the distinction is interesting in terms of explaining how, in any metric that we propose, you have to make it work for your own context, and that's an example, a team that is using something very similar but making it work for their specific need. I think the only concern I have with that is technical debt tends to have a broader interpretation.

C: That's used quite frequently. Maybe again, this is, I can't unlive the, the analyst days, but we use the tech, the term technical debt a lot to describe sort of the, the older skill sets and tech, like class of technologies that not only are getting outdated, but that you are, they're losing supportability from both the vendor as well as the staffing side. So.

B: Of technical debt was, is, basically is the analogy of a house. I'm going to intentionally do things that will cause some long-term costs in order to get the software done now, and I'm now going to have to go back and fix things later, just like. Ideally, you would do everything perfectly the first time.

B: In the same way that, ideally, whenever you see a house, you pull out your cash and you buy it. Since few people just pull out their cash and buy it, you're going to go into debt, and the goal is to pay it off in time so that you don't go into, you don't get in the situation where the debt gets worse over time. Right.

A: Is there, so there's two reasons. One, it, in the OSPO discussions that I've had, this? Is, libyear resonates less well than this particular metric, so Duane's not the only person that gets this, or what it is, in the, in a different way, and that's running an OSPO. So that's one reason. The other is there's a high degree of similarity between libyear and tech, and what we're calling technical debt, but which we'll call something else, and I think making sure that people recognize that, you know.

B: Or call it a different name. I think you ought to be careful. I, I'm fine with using different, different things, but naming is, although it's hard, is important.

A: I agree, and I won't, so the thing is these two things are very similar, and if you look at them uncarefully, as most people will, it's hard to tell the difference, and yeah, and so it's really a conversation about making sure that, one of the challenges in this space that we encountered was getting on the same page, that all the words that we were using meant the same thing to each of us, because there's a securities and vulnerabilities perspective, there's an OSPO perspective. There's a maintainer perspective.

A: Don't know what you're doing, yeah, yeah.

C: Yeah, I, I like that, because I, I think it is, it's talking about what we're trying to do as an organization and CHAOSS, and then also how we're taking a more general approach, because you have to make it work for you, right, like so acknowledging all the different personas and use cases, and this is an example where an OSPO interprets it this way or implements a similar metric to accomplish this purpose. And I think that's a really nice.

B: Don't think so. I, I, you know, I would just color in a couple of the intermediaries, because technically I'm thinking about this as an application level. In many, many circumstances, it's the application that decides exactly what versions. JavaScript, as always, a weird exception, but for most programming languages the application decides the version for each of the transitive dependencies.

A: Yeah, yeah, as opposed to, like, what, having you watch me make changes, because I realize my, my work is entertaining, but you can, you can. You can watch me on, what is that streaming service, stitch, Twitch, Twitch, you can watch me on Tw. You can watch me on Twitch later working.

A: Understand, so, so here I'd start, I've sort of started one, but the idea is from an hospital perspective. The question that's coming up is: this is great. Show me all this on a project by project basis, but I have 11,000 projects in my ecosystem, and that I'm using in one way or another in my enterprise, and it's really great to know all of this information one project at a time.

C: No, I mean, I think the, like the subtext is, it's always, though, like you need to weight this for your own context, but I mean we're constantly doing exercises like this. It's still huge, but in terms of what we care more or less about will change, depending on what's more important in that given moment. It could be, could discontinue a product, and maybe then we don't care as much about that dependency, or maybe something launches and now is a real product. And now we care a lot more about it than we did before.

A: So I'd like to know what other scenarios exist in the, in the lives of all of the people who, the three people who show up, that they want to see developed by us. You know, so I look at this a little bit as a perspective eliciting activity, and these, these won't be long. But I think there'll be questions about each of these things, because I, I think we haven't fully developed the common definition, and we certainly haven't had it widely accepted.

B: Now, you're not talking a lot about the other one that we created, just the list of the.

A: Yeah, you're right, you're right, and I think we can, you know, upstream dependencies- might be the, what we bring up before we get into the magic of libyears.

B: So that's kind of the point: there is, yes, it's gotta be slower than folks are just trying to make up stuff and quickly measure something. But the goal is to have a common definition.

A: Because I think, because I think the value that we bring is, is in many respects, it's the consistency. We may not have the right definition of a metric, but we have a consistent one, so that, when you're doing a metrics project, you're trying to find the key indicators in your environment, if you call it a commit, if you call it libyear, it, you may not have the right, perfect definition, but it's a consistent one.

A: All right, close enough- and we have like two minutes left, so where I went out for this was I was going to talk about our minimum viable metrics and the things that we're working on a little bit more, and I want to do a tool slide. I've got some of the tool slides from the presentation that we went through a while ago, and I think, if I recall, there's some pieces of this that weren't exactly right, but these are the key points that we talked about making, and so maybe this isn't the right graphic.

C: Remember this, I guess first question is why translations and the, in the subject.

C: Because I think there isn't enough context on what we've already thought about. So, if you, if you just start asking people's, are sharing, they're there, I don't know how many people learn new stuff versus saying, presenting either like this or slide 13, that have a lot more rigor in terms of fleshing out the.

C: Depending on where you want to route them, you could have a prompt on stakeholders. You could have a prompt on themes. You could have a prompt on categorization. Like, there's so many different areas that you could prompt. So I think somewhere in between slide 12 and 13, you have all the possible prompts that you could have, yeah.

A: And if it's a high, if it's a high, if it ends up being highly virtual in participation, then you know that whole thought could go out the window completely, yeah, and the rest of this. These are just from the last time I went through this with you, and I'm gonna make these more visual and add some description.

A: All right, yeah, yeah, you're right, so this is, so this, you know, looking at the different perspectives that each of these stakeholders take on, it is a, is one I think going through our minimum viable metrics in the discussion is, is there's a lot there where, which direct, I mean, so those two, looking at these different perspectives, acro, outside of our group, or looking at I.

B: Why do we care about metrics and why do we care about measuring, about defining them precisely.

C: I also think you could take some inspiration from what the blurb is and in the content overview, so you had presented sort of a higher level structure of what to measure, how to measure dependency risk, and then, in order to do that, you really have to understand your own context through the Goal Question Metric approach, and so I think you have all the pieces in here, but it's kind of, right now it's a story versus frame and something that's repeatable, yeah.

C: I think you could get value in structuring this and in an approach that can be repeated for other things, where here we're talking about the approach. We're talking about the approach, and we apply dependency risk analysis to that approach. But by laying it out as approach, then the approach itself is part of the content.

B: And I'll tell you what you don't have. Is there, there's all, more than a little detail in the definitions?

B: Think you also need to drill in, and here's what we did. We looked at this and we identified these variants, and you know, that's really the story of what this group has done, so tell it.