From YouTube: CHAOSS Risk Working Group 4/7/22
Description
Links to minutes from this meeting are on https://chaoss.community/participate.
A
You don't... there you go. Welcome to the Risk meeting, April 7th, 2022. I was not here at the last Risk Working Group meeting. I was in Spain at the peturgia anniversary and working on CHAOSS software stuff.
C
Sean might have been blacked out that whole week. Sorry, this is on the recording now, but you were also in the other meeting and I took you. You might have been in, like, a state of mind, or maybe black has a hard time, but, like, you weren't... you were present, but you weren't retaining. It's like your RAM was turned off.
A
Well, yeah, that would have been the day that I had just arrived, so that would have been, like, at the very, very end of my ability to pay attention. So I do remember. I guess I do remember some of this. I just wasn't sure, because it looked very similar to the meeting before that, if it was, yeah. I was in this discussion. In fact, we met March 10th. I made a comment, all right.
A
Well, I guess I was here at the last meeting, David, but I have limited recollection of that, and now that Sophia says I was there, I do remember being on a bunch of calls late at night, the Thursday I arrived in Spain, so this must have been one of them. But I think, you know, I was up a lot the night before on a plane, and I was just trying to stay awake until sundown, and I guess I accomplished that a little too well, so.
E
Interestingly, I'm usually the person who talks about z-scores, but I don't think I was at that last night. No.
E
Was David.
F
Was not there, it was... what does that mean, so we.
C
And then this didn't make... I don't know, I just... any time there are similarly minded metrics out there, it's nice to discuss them and know how ours are either related, similar, and/or different. So we were mostly just discussing what we thought went into them, but without actual specifics. If you know how it's calculated, that might be nice. No, I don't know if that was sort of a proprietary thing or something that can be shared.
E
I'm pretty sure Harvard used it. I actually would... I actually went to some folks within my previous company, where we have, like, PhDs in statistics.
E
It was helpful, just, hey, down the road, you know, walk down the hallway here, you've got a PhD in stats, who actually said that for the application that they were using it for, it was a perfectly reasonable measure.
A
Right, no, I mean.
E
Now, there's two solutions to that: one is admit you don't know and move on, which is originally how I was going to do the analysis. Harvard said, you know, that's an important problem, so we're going to use the SCA vendors to tell us what's actually in applications that people use, pay to analyze, and use, and then that's what the z-score came from. The problem...
E
There is really, then, what's this... I don't know who can... most projects are not gonna be able to do this metric? Then I'm trying to figure out what you're trying to accomplish with this metric, who's using this and why. I'm already skeptical, sorry, I'm poking in, and I wasn't here.
E
Okay, now I was actually... I actually developed what we called the Census 2 strategy, so.
E
It's actually a public... that's actually a published document by IDA, my name's, you know, I wrote it, where we attempted to do measurements like this. Harvard then used that and other stuff built on things, and then that's where the actual Census 2 came from. We did some prototyping, we didn't try to use SCA data, we did, we turned, you know, and we had problems and challenges.
E
We solved them. Turns out, by the way, doing this downstream dependency, ignoring SCA data, is non-trivial. There's a whole bunch of ways to do the matrix calculation to do the total of dependency, and most of them...
E
We don't know how long they take, because we stopped after a week. So you have to be really, really careful about the order of operations, where technically it doesn't matter, but it sure does if you'd like to be there for the results.
E
We went all the way down the rabbit hole. We actually got these counts and then we sorted them by the counts. The good news was, if you are very careful about order of operations, you can actually achieve them well, and you also have to have data sets. One of the problems was that libraries.io isn't as maintained as needed. Harvard had this trouble as well.
E
Yeah, they have deps.dev, yeah, pretty.
E
Right, right. I don't... they may have a BigTable interface, although those tend to be expensive, but here's my point.
E
Static analysis call through... well, and you know what, the static analysis is still irrelevant, because, you know, let's say that C is dependent on, but never used by, something called... that brings in A. That actually doesn't matter, because if C becomes unavailable or is subverted, you're still doomed.
E
Okay, yeah, I'm not communicating clearly, you're asking questions.
E
Communication problems, welcome to humans, right. All right, okay, so maybe I was trying to be a little too short. Okay, at my previous employer, I did do this count. The way we did this was we downloaded from libraries.io all the data of every package and what its declared dependencies were, and by declared I mean statically. In other words, somewhere it says it includes the other thing.
E
Okay, then you can do the raw counts of things like how many other packages directly or indirectly bring in this one, and if you do it transitively, it's basically a big matrix operation, and the mathematicians will tell you that, although matrix operations are actually ordered, there's a lot of ways you can do them. But as soon as you talk about how long it'll take a computer to run, it matters how you do it. Okay, so it's total. If the answer...
E
Yeah, right, okay, now, so, but we did the analysis of counting the... now we wrote a paper, we talked about the necessity of doing it in certain orders. I keep emphasizing that because it's an easy...
E
The problem with that approach, and we documented this as well, is you don't know if anybody depends on A or B or C. A depends on B, B depends on C, okay. That means that your downstream dependencies for C are B and A, okay, because A and B depend on C. But what that doesn't tell you is: does anyone actually use A or B or C?
A
Okay, but what would you... what did you do for... well.
E
Okay, what's my brain, yeah.
E
Yeah, okay, now let's go to the real world. It turns out that no one actually uses A or B or C, no one, so your counts are misleading when compared to the real world. It's true that A and B and C are in the database, but people stopped using A a long time ago, they stopped using B and no one else uses B, or maybe a lot of people use B and C, but again no one uses... nobody brings in B. Nobody brings in anything that uses B anymore.
A
But what I think... so I'm thinking of it from an... so the Census 2 report was a sort of an ecosystem-level report, where in fact it could be in a package manager but never used by any software in the world. That's right, and so, if I'm in an OSPO, I'm not going to be scoping in things that none of my projects use.
A
Well, it's... I'm just thinking of it. So from the perspective of an OSPO, though, we're not looking at the whole, like, everything in a package manager, for example. That's not the scope of the analysis. It's: here are my repos, now go look at the package manager and find out what is dependent on my packages. If I'm looking at downstream dependency, what other things are dependent or import?
A
Or a community manager, so anyone who wants to understand, yeah.
A
I have a project, and I have packages that I distribute, but you're... what is the scope of my... who's importing me? And so, if I go, I guess, like, if I go and look at a package management database like libraries.io or something similar, and I don't see anybody using me as a dependency, then I would know that I've got no exposure whatsoever.
A
So if I start with the package manager, then I don't know the impact. I'm just kind of back to... I wonder if our problem is the same as David's, because if I've got a package that I'm distributing, I am kind of assuming that it's being used somewhere.
E
Okay, React may actually be a bad example, but okay.
E
Right, we notice that. That said, now I suspect... actually, this is a bad example, because I bet, if I looked at a database, I'll find a whole bunch of dependencies on it in the public database. But let me go with this, even though I think it's not quite accurate. There are going to be some big packages that are widely used but are, in fact, at the top level. It's not that anything else in the public database depends on them.
E
Developers depend on them, but nothing in the public database depends on them. React, I'm not sure, is actually a valid top level, but it's that kind of thing where developers will know right away. Oh yeah: either you use it or you've certainly heard of React and Vue. Okay, you've probably heard about many other high-level tools that you use directly, but it's not necessarily something the database would have a "hey, everybody uses me", because in fact the users are outside the repo database.
E
Would have this, maybe.
D
If we add this as another section to this document, like who the metric is for or might benefit.
E
Well, it's not really that, yeah, that deploy packages to determine, and why they want to know. They want to know because they want to know which packages are especially important to them, right, to their organization.
C
I mean, just, like, in a practical example, I was working with a project that was interested in knowing what versions were still being used for things, to know what things to prioritize support for, or which one of the things they could actually spin down. But that was not a dependency, that's more of a use. So I think.
E
Okay, so let me keep going, because I think now my question is getting an answer, at least in my brain. You know, an OSPO is going to have an advantage over somebody using libraries.io, because they won't just have, oh look, here's data from the public database about stuff in the package manager. They can know, hey.
E
These are the projects that my organization develops, and therefore we don't just see the public repository, but here's all the stuff we depend on internally for all our projects, here's all the projects that we use and contribute to, and so you're going beyond just what's in the repo database. That was my concern, and also the concern of Harvard was that if you only look at the repo database, you don't get how you get there.
E
If that makes any sense, you have the interconnections within the public package repository, but not what parts of that lead you there. But an OSPO could have that additional data set, and in fact they might want to know it for their sets, and who cares what anybody else... you know, I'm company X and, yeah, we're the only ones that use this package, but everything depends on it.
E
Yeah, I had an interesting conversation with a guy talking about a fintech organization, and the way they use some systems is well different, but they basically have standardized on certain activities and certain processes leading to certain tools in a way that probably no one else does, but it's critically important to them, and noticing that, wow, every project uses X.
A
That's the high-velocity training, no?
E
No, no, no, no, no, actually, not that part, but a lot more of their mundane stuff. But my point, though, was that I think this is true for many orgs. You know, you've got a lot of specialized stuff that you use in house, and you probably, over time, have developed a way of doing things that has led you to depend on certain packages in a way that maybe is different for everybody else. But for you this thing matters.
A
I'm in the downs... do you see the screen I'm sharing?
A
Most of the libraries.io-style analysis that I've seen does not look at container-level distribution, more of a container-level package. It just looks at, you know, things similar to what deps.dev looks at and what the Census 2 report looks at, which are packages that are imported or used by other pieces of software, right. Am I getting that right, or did I go out of bounds again?
C
I feel like it might be just really dependent on the company. I mean, I'm thinking about this in the construct of what I know about what we do, and it's... I think that everyone's going to do it a little bit differently in terms of what you rely on as external imports versus what you copy internally, and then when you choose to re-pull, re-mirror, or pull straight from the package manager in an active build.
C
This will just, like, okay, so you depend on a third-party package. You either call it directly or you can mirror it into something else and then call that, and then potentially now there's two versions of the same thing, and this one can keep evolving, and this is a version at a particular point in time, and then, depending on what you need in relation to that, if it's the third party, then you might actually end up calling a package manager for an embedded dependency within the thing that you're calling.
C
So I don't know... this isn't really, like, necessary to write out in such detail. I'm just trying to recognize that if we're actually going to explicitly try to define it, it's going to be either we have to say super general or we have to pick something very specific, because it's going to look a little bit different in practice in every organization, I have to imagine.
C
Not an actual measure of usage, so we were looking at one that was basically just like this lumpy chart. That was just like, any time you're going through a build cycle, it's going to make a bunch of calls, but that's not actually a level of usage. You have to look at that over time to see, is this shrinking, but you're generally going to get a seasonality of calls or downloads that are potentially all coming from the same person or implementation, so the raw count doesn't mean anything.
E
Note that this is not simply download counts. I'm going to write this in implementation, and then if we move it somewhere else, that's great. Unfortunately, download counts can be misleading.
E
You go, yes, boy, we've seen that in spades, but not only does it get it... you know, the most important factor for that download count is, as far as I can tell, how many people cache it. Well, it's basically a measure of who caches.
C
I've been doing a lot of random queries of known bots against GitHub Archive, and the activity per bot is growing exponentially, where the activity per all actors is holding steady, and so, depending on how you're accounting and what you're counting, unless, you know, you're filtering out all automated activity, it's just going to become increasingly more skewed to just activity counts, not human-driven activity counts, because we can't tell the difference.
A
I mean, yeah, it's not derailed, it's just my brain went off in another direction, trying to contemplate all that and the appropriate workarounds for it.
C
So actually, I want to put this question to David, because this is what we had discussed as well, in terms of the broader, like, who is using this, and why are we even thinking about it? Because.
C
It is kind of like a really "it depends" whether or not this number means anything to you and how you counted it, but we're also thinking about it in the construct of creating a better, more comprehensive view of dependencies in a risk... sorry, in a metric model versus.
C
Metrics would involve defining a few different kinds of metrics in their own dependencies, of which having the inverse of upstream makes sense, to have both sides of the tree, depending on how you're looking at a single point thing. You have the things it depends on and the things that depend on it, which gives you a more well-rounded view of all the different ways that things can depend on each other.
C
And so, if we were going to try to pursue a metrics model in the realm of dependencies, then it would most likely include this, in which case we have to define it, and so I think we would have gotten to this point even if we didn't start with it, but you can just feel free to disagree if you think that wouldn't have been covered in that kind of thing.
E
I'm gonna push back slightly against a phrase, just because I don't like the phrase, but more because I'm afraid of over-complicating things, which is easy enough to do. Metrics model makes me think of complicated things and...
E
Yeah, exactly. I think all we need to do is answer the question. You know, instead of "here's a metric", it's a "what is this metric useful for" and then "here's a metric", as long as the metric has a use. If that's not your use, you ignore it. If you say, hey, I have this problem, well, here's a metric for you that'll help you. You know, if that's what you mean by a metrics model.
A
The metrics models are really simple: accumulations of CHAOSS metrics into forms that OSPOs, community managers, other people engaged in the project would ordinarily use. So I know of several different companies that use Augur, there's different sorts of dashboard thingies that they use, and all we're trying to do is define those types of things as metrics models.
A
Then do I... certainly I care about upstream dependencies, because that lets me know about what things that I depend on I'm potentially vulnerable to, because they're out of date or whatever, but downstream is sort of... it's like any company that produces open source software that other people use would have also this downstream concern, I would think, yeah.
E
And I can see two different things: one is an OSPO. You know, you're trying to keep track of all the open source, you know, because you're worried about basically what's showing up in the projects that your organization... yeah, the.
E
One is a financial, you know, know the importance of impact. It's 0.3.
E
If they're questioning who uses me in the great grand world, I can see why you want it, I don't know how you get it.
C
You can use them, but I think it's, to your point, it's severely... it depends on the model you set up, because I can't think of an example where there's more active downstream collaboration, but it's done through a very curated community. So there is a feedback mechanism from, right, the however many vendor products that are dependent on a particular architectural change. You might know what project I'm talking about right now, but this is the sense of, like, there has...
C
There has to be some sort of mechanism to understand what's in use and how it's being used. So if there are any sort of major changes to the technical architecture of the project that have supply chain issues or downline issues, then you need to have a better understanding of how things are being used and what's being used, and so it might have to be more informal. Like, the problem is, I feel like most of the real applications of this are direct contacts.
C
How this is being used, like, we're going through this on other projects right now and predominantly relying on surveys, just because we don't really understand usage once it gets... like, again, like, you can tell whether or not there is or is not usage, which is binary, not a volumetric component. So to have any sort of nuance of what components of the project are more useful, to be prioritized or not, we're mostly leaning on surveys as a way to provide open feedback to areas of focus.
E
But let me go back to your earlier point about... you've got an established community in at least some cases. In that case, I think you do... you know, as long as you're able to scope it out to a cooperative community, or, you know, then you're okay. It's that general world class, that's hard, yeah.
E
I added a link to the sample code that we did, so.