From YouTube: CHAOSS Risk Working Group 2-4-21
A: The insufficiency of numbers, and we talked about minimum viable product for dependency metrics, and so Matt Germonprez had a to-do to organize and bring additional clarity. I didn't do my to-do, if I had one, so I won't throw any shade. Here's some good links from the dependency. We talked about the GitHub OSS Scorecard, and I'm getting a chat message.

D: In, yeah, so just a little bit of background here. I've been working in the risk repository lately, just to try to clean up cold issues and any pull requests that might have been outstanding, and one of the things I came across, this is how issues are, they're kind of useful, was somebody had posted a Packagephobia link?

D: I have no idea what it is, but it might be worth checking out, because it looked like it was associated with dependencies, and so I just, I roll it in, as is worth taking a look, or if somebody had seen it.

G: You paste the link in there, yeah. I will, yes, and then the chat, or the, or there, even better.

A: So there's, we have some number of dependabilities, another number of dependencies. Excuse me. And then there was also some... We sort of, we framed out these dependency-oriented focus areas, and so I wonder if, if we want to maybe make our mission going forward to fill in this grid under six, seven and eight and let that atrophy out through the rest of the focus areas. After a little bit of work, maybe we can revisit what the right set of focus areas is for risk.

A: But it seems from the discussions that dependency is a place that we want to focus in right now, and we have these three general focus areas that we defined, and we listed a bunch of metrics at the dependency risk in downstream project level.

A: That, all right, so maybe, I mean, isn't the first place that we, that people look, is then, given these definitions, is the upstream dependency count.

G: Yeah, and I would separate direct versus indirect, because those are two very, very different measures.

G: Basically, you have to go. My only successes have been... If I have problems with my indirect dependencies, you now have to track backwards to find out what the heck's going on and talk to them, that up potential or upstream or potential upstream. I, by the way, have had some successes, but you know I, I, for a trivial example, went upstream. They included the universe at runtime, even though almost everything was only dependent on for testing, and it bloated up everything.

F: The other question is, I don't think I see it here in the list, is that build dependencies, supply chain? Do we want to start? Do we want to potentially have those listed too?

G: Maybe, maybe we should start by just differentiating these. You know, direct versus indirect, static versus dynamic, build, tests. I would separate test from build: build, test, runtime.

D: Me? I was just, I thought you were kind of leading things house. You can delete mine if you'd like.

F: So direct and indirect, static and dynamic.

G: Good, what can I say? Well, yeah, you don't have to agree with me, by the way.

G: Yeah, the ones you say, I directly depend on, are your direct dependencies. Everything that they depend on transitively are the indirect ones. Turtles all the way down there, though, right? I mean, well, not, not all the way down there. Eventually, somebody doesn't bring in a library else. There are eventually programs that don't bring other libraries in, okay.

A: Okay, thank you for clarifying the transitive part of that, and so, with the 11 minutes that we have left, I might, I might suggest we just spend some time working on this metric and trying to flesh it out, but I'll take other suggestions.

G: You know, if I depend on PostgreSQL, that's very, very different than depending on is-odd, but I'd like to think this still has value, even though that's a problem, because clearly I'm going to have to deal with different groups for every different project if there's an issue. So I, I, I'd like to think that there's going to be an obvious problem with this, and I still think it's okay. Comments?

A: I was thinking, when you mentioned Postgres, I was thinking, is there a difference between platforms, things that are in essential parts of the infrastructure, and the, the other things? So I look at operating systems and databases, and even things like Kubernetes, as sort of essential pieces of infrastructure.

A: I may not import them directly, but I may not be able to deploy without them, so those are almost, they're kind of, I mean, I may not even import Postgres as a database directly. It's just sort of implied by my use of it and my calling of libraries that connect my application to it, right?

E: All right, I'll, I'll chime in with maybe an opinion here, and in the, in the most loving and kind way possible: you are pointed in the way of madness.

E: I think, I think the more you can constrain this definition to what you are talking about, and, and avoid talking about infrastructure as dependency. Like, upstream dependency has, has a particular connotation when you're talking about code, and if you, you can, you can handle infrastructure dependencies and kind of these bigger questions in, and maybe, a different metric, and, and just focus in on, on maybe the historical way we think about it with code. Otherwise you will wind up with everything is a dependency.

C: Well, I, I feel like, going to your, your point of it being trying to limit the scope of what's included in this specific metric, where we went back to the original spreadsheet, I think we had something like infrastructure feasibility in there, where we're segmenting that as a separate category of dependencies versus just what's needed to test, build, run a piece of software.

C: When we assume there's always going to be infrastructure dependencies, it has to run on something, it has to be compatible with it. So I think, just for the sake of keeping this more actionable, narrowing it to just the software piece in this particular metric, and then say use another metric as a way to... If you do want to, say, track your dependencies on specific pieces of infrastructure and infrastructure software, then you measure that separately from the code dependencies in the software package that you're looking at currently.

G: Now that, now that I agree with, and I think what we should do is try to figure out what are we trying to do with this metric, and hopefully that will help us, you know, figure that out. So, you know, I'm coming at this with a security bent, and so I'm worried about what I depend on and what's going to be subverted, and so for me I don't care if it's, if you call it infrastructure or whatever; if it's subverted, I got a problem.

C: No, I, I think it is. I think it's like the "can we use it in, in a sentence," like "I'm going to use this metric when I evaluate whether to install this or use this project in my X product." Yes, so I guess the question is: is using the project too generic to narrow down this distinction?

A: So I created an upstream infrastructure dependency metric, if you, if you're staring at your screen like a football game, and you saw that. I think, I think things that are infrastructure dependencies we might want to think about over there, because often those are, they're not as explicitly stated in the code, and you know the code doesn't say it, it's the readme that tells you you need Postgres and a certain version of the Linux kernel and what other, other operating system libraries are required.

G: So maybe, maybe this should be just language-level upstream dependency count. I think package level. No, 'cause system packages are packages.

G: Dependencies... what worries me is this: is this narrowing means we're ignoring a lot of the stuff that's really important, that can hurt you, from the point of view of, you know, again, I'm focusing on from a security perspective.

E: I, I, I just don't see how we can apply one metric that accounts for both is-odd and Postgres. I think you have to treat them a little differently, right? We can, and I don't think it means ignoring the second one in favor of the first one. It just means, if you try to talk about everything with the same metric, again, you're going to wind up in the, in the "everything, everything is a sandwich, everything is a taco" kind of, kind of world.

G: I would probably, but so.

H: How about we keep it broad and explain it in the filters, like package dependency or software dependency or system dependency, in the filters option? In that, in this way, we capture the dependency in general, and then we have a specific section for each. I know.

A: Some people have to go at the bottom of the hour, and that seems like it was a pretty hard cutoff, but I'm creating container-level packages.

B: But keep going.

A: No, you raise, you raise good questions, and I, I think it's like, when do we put the bot, I mean, when do we define the boundaries? It's sometimes, maybe it's easier to define the boundaries a little too unrealistically, as a practical matter, just to get something defined, and then deal with the complexity later. I've seen it happen both ways on CHAOSS; the metrics that people end up using, I think, are often the ones that start more atomic.

G: If, if we're going to do that, then, though, I think it's important that the names clearly identify where they are. So, for example, if upstream, in the upstream dependencies, what we really mean is upstream language-specific dependencies, language- or package-level dependencies, you know, upstream package-level dependencies.

G: Why don't you say it that way? Something like that, where it's, it's, because if you say upstream dependency count, dependency means you depend on it, that's what it means. So if we actually have a subset, then the name should say that, because right now, that's what I, I, I would assume: that a dependency is a dependency.

D: So you're working, so in, in this case, you would have, you know, upstream blank dependency count.

G: Yeah, so how, okay, let me, upstream, you know, how about, let's see here, upstream...

D: I will start just creating the really rough templates for each one of these and then kind of get it updated here in the spreadsheet.

A: Yeah, I think maybe, I mean, because when you get into, like, upstream package version dependency count there, I think, when you're talking about version-level dependencies, that's...

G: Okay, what's the difference between the package level and the container? Sorry? Okay, sorry, sorry, yeah, but by the way, although, I'm sorry to, I didn't mean to slow things down, I'm actually happier that this, that the, we now have multiple metrics that are a lot clearer; we're starting to clarify what we're measuring.

A: Well, when it comes to, I think, at deployment, so there's, there's developer, and this is where the, there's like a matrix of development dependencies and container and infrastructure, and depending how I'm doing my development I may depend on, like, if I look at the infrastructure overall, containers may just go inside that, but Docker deployments and distribution is becoming more and more common. So at some point does, do containers become their own set of special-case dependencies that people need to care about?

G: Os, having, I don't know, having had to do all these things.

G: I, I, I mean the commands obviously are different. There's some different files.

G: Right, I got that, yeah, for, for one project I'm on, we're full, we're definitely DevOps, but what that means is: oh, if it's a dev problem, it's your problem! If it's an ops problem, it's still your problem, yeah, yeah, yeah.

G: Yeah, okay, so.

G: Obviously, are a thing, so are not containers a thing? I mean, from the point of view of what software do I depend on and, if subverted, what, a? What makes me toast? I'm not sure it matters, yeah.

A: I think, I think it's, I'm also... I also, of course, think about the provenance of the information that I'm going to use to understand the scope in each case, and the language-level dependency count. There's, there's a particular set of definable methods that I might use, even possibly definable pieces of software that I'm going to use, to understand language-level dependencies that are different than how I might understand infrastructure dependencies, and I think infrastructure dependencies are often not explicitly stated in the package itself.

G: Yeah, but by the way, I, I have had some success in identifying OSes, less success than one would hope. I'll give away the, the technique: look at the test system. What OS does the test request require?

A: I think, I think this is good, you're right.

G: Yep, I probably do, it's... It's the cheap brand. My cell phone doesn't work in the basement because there's no cell.