From YouTube: CHAOSS.Risk.April.8.2019
A
D
B
D
C
Can press we can proceed with what we were doing? Okay, I'm just taking the time to update the our notice for next week, so, cool, this problem doesn't happen again; we're in the wrong Zoom, okay. So our agenda's in the minutes, which I posted, and this is our first official meeting, and I thought we kind of decided, as we launched this, that we'd talk about risk focus areas, how the working group works, our OSS in North America, so it proposal, and engaging volunteers. So, focus areas.
C
C
C
C
C
But I am okay.
E
A
B
C
A
C
C
E
A
The only thing that I've asked the other groups to do is, when you have metrics, so, for example, in this list here in the focus area list, so you obviously have potential metrics in there, say, like code complexity or test coverage; as you're adding them in your repository, can you always just ping me on those pull requests or those commits, so that I have some sort of marker to keep it up to date with the metrics repository?
A
Does that make sense? So obviously, in the risk workgroup you're going to be adding things, you're gonna have the focus areas with the particular metrics inside of each one of them, and the idea is to make sure that the metrics page is capturing the work that's being done in the working groups. I can do it manually. This is a little bit easier, workflow-wise, if you just ping me.
B
B
E
That's just the one, and I think I confirmed it. My this all semester is gonna have started by then, so unlikely; I will be there in spirit, that I will unlikely be there in person. Okay.
C
G
E
C
Our final agenda item was encouraging volunteers. I did, and I did send an invite to the individuals who expressed interest at our last, the Open Source Summit North America leadership, Open Source Leadership Summit, and I will send individual messages to those people again, because I, everybody likes to be invited twice if their inbox is like mine.
B
E
I, this is just general clarification on understanding, I guess. Okay, oh Simon, says a whole works, but when you say volunteers, what exactly, I mean, because I have people who probably want to come in and be like, I want X metric and Y metric and Z metric. So when you say volunteers, like, what are you actually looking for them? That's you saying.
C
What they want is volunteering, I think that's useful information, okay, volunteering their time to join these calls, and if they dependent, like, if they want something and they join the call, then they can be more certain we understand together what they want, and they may learn some things about other things they want, or how to maybe refine what they're asking for. So I think it even that their participation will advance whatever their other interests are, I think, in this area, yeah.
E
E
A
E
C
We will be. This group will be actually working on developing definitions of the metrics, okay, when it comes to equations, where that applies, that might be implemented in software, and this working group can decide how they might want to see work examples. So if you want, if we decide that we want to see them in Jupyter notebooks, because that's low-hanging fruit, we could decide to do that. If we decide that we prefer to see them in an Augur prototype, we can choose to do that.
C
A
Yeah, I mean, that one you think, yeah, I mean, I was gonna say, Sean kind of wears two hats on this call. Yeah, one is to develop the, is iam, saying, kind of that goal-question-metric approach, right, which I think you're familiar with, no, and then actually deploying them. Sean also wears the Augur hat, and there's a team of developers behind that, which is Sean and then many other people, and so when there's questions about, and same with the, but the folks at Bitergia, right. So there's the GrimoireLab.
A
There's two tools in CHAOSS. One is, there's three, there's, but the two tools that would be relevant here would be Augur, which is kind of Sean and the team that he has, and then there's the GrimoireLab deployment from an organization called Bitergia, which is Jesus and Daniel and Manrique, kind of a group of guys in, group of people in Spain who may be interested in helping with deployments as well around these areas.
E
Yes, the reason I asked again is, I think, Matt, you and I had a conversation about this when I first started joining the calls, about just me getting up to speed, about, like, some of these could, theoretically speaking, be done without software, like, provided that you could get the raw data, for example, of, like, average issue resolution time. So assuming that you could figure out some way to even manually be able to locate all.
E
You can be able to manually calculate the M the resolution time and then take the average; that doesn't necessarily need software, yet that obviously be way more convenient in an automated fashion, but trying to figure out, you know, when can people start using these, I guess, is the question. So is it, because I could almost see this is a staged process where we define what the metrics would be?
E
C
The impose, I think the implementation and the definition through what we learned by actually taking a look at it, and while that implementation work happens, I think we can, you know, forward and define focus a 5/5 additional metrics and go through the same cycle. So where it's possible to build something to see what, if what we have asked for is what we want, we should do that. Mm-hmm. I don't know what you think of that.
E
Now that sounds good. I think it's just some of the promise of this for some of the folks that I'm talking to you right now is this idea, frankly, being able to do it sooner rather than later. Yeah, especially for those who are in, like, contract negotiations or in the middle of development cycles, where they're trying to pick what open-source package to use, and if they had a little bit quicker access to say, like, okay, I can conceptually, I can understand.
E
I need to go figure out what the resolution times for all of these things are, but if there was a little bit more of, like, a guide of how that happened, that they could then be provided, that isn't necessarily software proper based, you know, it's just, it would be an interesting intermediate step, but I also don't know if it's worth the amount of work that might be involved to do that when just jumping straight to the software implementation, or what have you, is after and ultimately gives more value, are.
C
The, are the repository, so other repositories they want scanned publicly available, or are they behind the proprietary wall? And the reason I ask is because, if they have repositories that are public that they're interested in specific information about, I could go get those and use what we have to see if the information we're able to provide is useful, when you.
C
E
E
C
We might be able to help them. I mean, on occasion what we've done is just talked offline, or sort of on the side, with particular stakeholder while they explain their interests or needs, and tried to, and we provided little examples of, what about this? What about that? And that helps us refine both the metrics definitions and the software, mm-hmm, and then the software that we use to analyze things. So, and I'm comfortable, like, sometimes companies don't want those experiments happening in a public forum like this, so, right.
C
A
E
F
C
C
It's, let's, thank you for that courtesy. Eighty, we cannot tell you how helpful that is.
A
E
A
So this is, as you can see, risk, value, D&I, growth, maturity and decline, so, I mean, really just that risk tab would potentially be a home for the different focus areas and the subsequent metrics, mm-hmm. And so then it's fairly straightforward for Sean to just point her this tool at the repository of interest to build out those metrics, right.
E
Assuming that the back-end code has been defined and written to actually, like, go out and grab, yeah, okay, that make sense. I guess I'm trying to figure out, and I know I'm not explaining this particularly well, so I apologize, but the first question that anyone who's interested in this is going to ask me is, like, what do you want me to do next, and I'm trying to figure out exactly what I tell them. Like, if I tell them I need you to get me, like, what, if you're considering?
E
This is a terrible example, but that's the only thing I can think of at the moment, is that you're considering what SSL package to use, like if you're going to use OpenSSL or BoringSSL or whatever some of the other versions are, and they wanted to say, like, apply some of the current risk metrics that we have defined to the universe of SSL packages?
A
E
A
And then just tell us where you want to point. And now every metric, to Sean's point though, too, every metric may not be attainable from the repository, so some of the metrics, this has come the earlier conversation, some of the metrics might require a different style of data that isn't available from the trace data in the repository. Mm-hmm. Diversity and inclusion runs into this all the time, right. So the questions that they ask aren't necessarily from, you can't get it from GitHub trace data, right.
A
B
E
E
Okay, okay! Well, in that case, like, I know I've got at least three people, to the product officers a medical device companies, in one of them's with sort of, like, a best practices organization for healthcare, who I'd like to frankly just handle them the proposed risk level document and be like, these are the metrics that we're currently looking at for risk.
E
What do you think? And then, if they pretty much come back with, I'm expecting them to come back and say, like, these all sound good, maybe they'll add some, maybe they'll say I don't need these, but I'm relatively certain I gonna come back and be like, okay, yeah, like, you now what? And then I just see yours telling me that what I need to get from them is the packages that they would like to apply this to, and then we can. You.
E
F
F
A
A
C
A
B
B
D
B
B
C
B
A
G
B
B
It's table away from the meet, like, I could say, if you cut in an LTS, okay, thinking that, except for those ones, and there are security fixes that are fixed upstream, we want them backported into certain releases, and so I'm not quite sure, like, how current is a version of a code with the known security state. There's an element of risk in my mind, and I'm not quite sure how other to express that.
A
B
A
B
B
Yeah, backporting in Channel TSS, so all the stuff that Greg puts up in mainline, and then he backports them. You know, things go and put in me like that, he backports them into these supported releases, yeah, and releases, it's a point in time too, and so there may be people using them and there may be no bugs, but no one's really tracking that, so there's a lot of dimensions here, okay.
B
B
B
You know, so it's a question like, okay, this is security fixes up their mainline system in life. Okay, it gets ported it back into the back, pointing to the LTS, okay. Now your version of Android is used to being a certain version of the LTS kernel. How far out of date is it from that upstream and the security fixes that are known upstream in the version that Google has got on your phone today? Okay, you know.
B
A
E
Yeah, that, I mean, I know that that's a huge problem for, like, I think durable medical equipment is the official term, where they know that their several versions behind in their embedded XP version, for example. So that makes sense to me, like, that was a, that's still an issue with the WannaCry bug.
B
B
C
A
E
Matt and Sean, just for your own awareness, I think now that I sort of understand better precisely what you need for me, you're, like me from the people who I'm gonna try and pull in, I am gonna have some conversations with some folks this week, okay, on, and I'll provide them the risk, the high-level risk service areas document, and then, if they come back and say, yeah, these look good, just like, let's see it, let's see an example or whatever it looks, see a proof of concept.
A
D
A
D
C
E
I haven't seen the invite yet, so Sean, I assume, or somebody's gonna be sending out said than you. I can.