From YouTube: CHAOSS Risk Working Group 7-22-21
B: I'm looking forward to joining.

B: Excellent. So, FYI, I have discovered that the Communications of the ACM, which is, I would say, one of the most important academic computing, well, software journals, basically, in their July edition has an article. It's a viewpoint, but, you know: "Why Computing Students Should Contribute to Open Source Software Projects." Oh wow, who wrote that? Diomidis Spinellis, my apologies if I'm mispronouncing. No.

A: I don't know, but yeah, I use open source in all my classes, yeah.

B: Well, I, for one of my classes, they have a project; they're not required to release it as open source. However, most of them just make a game and whatever, but a couple say, "I don't want to make a game. I want to change the world and prove it in some way," and I say fine.

B: You can do a special project, but you gotta release this as open source, because it's gonna take me more time to review that, and if I'm going to put in that time, I want to help the world too, yeah. Just your company.
B: So yeah, so we're, by the, for folks who are joining us, just FYI, in the Communications of the ACM, which is a very important academic software journal, they have a viewpoint article, "Why Computing Students Should Contribute to Open Source Software Projects."

B: I think there's a long list of reasons to be involved in open source projects. To be honest, one of the main ones, I think, more broadly, is connection to reality.

B: That I can actually speak to; I'm gonna name names and tell all. But there was a, after the Unix source code stopped being so widely available, there was a series of many, many years where the operating system research community couldn't see and certainly couldn't publish code, and increasingly they focused on stuff that was, frankly, not all that important.

B: This is a time when you would find hundreds of articles about scheduling algorithms, and while they're important, 99.9% of the time they're not important, and they couldn't talk about the stuff that was actually important because the academics had no idea.

B: They couldn't see what actual systems look like, and then, when the Linux kernel and, to a lesser extent, the BSDs became available, all of a sudden they could talk about real-world things, yeah, and it really, there were some really bizarre things that got into fads because of their disconnect with what was actually important. And you can see.
A: Yeah, that's, I mean, I know that I was, I inserted myself into some Linux kernel security stuff between my alma mater, the University of Minnesota, and the LF recently, very quietly, in the background.

A: Yeah, no, and I think, yeah, and I think you had a lot of well-meaning people who just effed up at the University of Minnesota, and I think what happens in some situations where you try to introduce students to the real world is they don't understand the context at all, because it's so new to them.

B: I wrote the primary, I mean, people edited; you know, Mike Dolan signed it and sent it to them. I mean, he more than signed; he actually had some great comments. If you get involved in research, it's particularly experimentation.

B: May I urge you to read the Menlo Report. It is thin, thin, thin, it's very few pages, but it basically, it's August 2012, the ethical principles guiding information and communications technology research. So basically, don't experiment on people without their permission, etc.

B: Menlo Report, yeah. Now there is a URL for this stuff. So let's see here, Menlo Report.

G: I'm sorry, so I'm thinking of it in terms of a deceptive study, like where you don't tell the participant what you're doing, otherwise how they are going to, otherwise the, like, maintainer will be cautious of the things they are doing. Yeah.

B: If you're curious why, and you may smile, but in the U.S., my apologies, I don't know where you are living, but in the U.S. there have been some extremely harmful experiments done on people in the U.S., particularly medical communities. In the past there were a number of men who were intentionally infected with a venereal disease and left untreated.

B: Yeah, so there have been some extremely awful things that have been done in the name of science, and, you know, there have to be limits to it, and so, you know, people have studied this. There are, you know, there are, and if you get money in the U.S., you're actually required by the federal funding to obey certain rules that are based on that, and there's actually more general reports.

B: The fundamental, the Menlo Report is specifically on security; there's a more general report, the Belmont Report, which is more general ethics in scientific experiments, so when humans are involved. So yeah, anyway.
A: I put a, I put up, I put a Google link to, I downloaded a copy using my ACM credentials of the PDF and put it in my Google Drive and put a link in the agenda, if anybody wants the original PDF of that article that you are referencing.

A: It's, as an academic, I have what's called fair use.

A: Yeah, no, I, well, let's not talk about me, although my personal story involves building a substantial system for a major academic publisher at one point, and I can promise you they have way too much of our money.

A: I tend to taunt them with my use of links to my own articles that they say I'm not supposed to post, and I'm just basically daring them to come after me.

A: Want to take five minutes and just quickly review it before we ask for, now, to do that, or do you think it's, like, super ready to go? We should just have an ad.

A: If we feel good about the metric, then we let it out and let the review process do its job. So all right, I'll set a five-minute timer in my head. It's 2:11 and I'll read it.

A: Uncertain, it looks like, so execution dependency is defining build, test and runtime dependencies, yes, as separate concepts, sort of conceptually, and then the language runtime dependencies are going into the detail of that specific type of dependency, which has some important differences from development dependencies.
B: And I would, it's, I would assume that runtime, for example, is a subset of all the execution dependencies, say during, you know, during production use.

A: Bless you. Apparently you have pollen in your area.

B: It's true. It'll be there tomorrow, too.

B: I understand them. Okay.

B: So, for example, re is a package within Python. When you install Python, you get re. If you import re, it doesn't need to, you don't need to install any third-party libraries. It's just part of the set. It's true for C also; C includes standard I/O, which, you know.

B: Built-in libraries, and they're typically implemented separately, sort of, but, you know, the syntax is no different than anything else, but you don't have to install anything separate.

A: So, Bob, this could, so let me ask, and I know we've discussed this before, but really this is, so inventory of the specific major and minor release of the language will give us that dependency.

B: Often, but though, absolutely that's not true in all cases, yeah, yeah, and different ecosystems are quite different in that respect. For example, typically in a Ruby project it would be recorded, because the tools kind of encourage that, but again it's ecosystem-specific.

B: You know, they still think that, because.

D: I'll make sure I understand this. The language's built-in libraries count, so we're counting those as dependencies, even though we assume that they're all present, because then, if you're using Python, then is it only a dependency if you import it into that particular script, or is it? Are you just assuming that there's dependencies on things? You want to count the entire Python library? You only want to count the ones you're actually importing? Do we care? Are we saying count the ones that you're importing for your script?

B: There might be, because of transitive dependencies, true, yeah. So I would say that languages' built-in libraries are execution dependencies but are not counted, simply because you typically just record that you depend on the language.
A: Yeah, but I mean with Python, and especially PyPI has been under attack, a DDoS attack, for a while now, and Python major releases do matter, and minor releases end up mattering a lot for right stuff, so knowing the version of Python, major and minor, ends up being kind of important for Python developers.

G: So a question for all of you is, like, are these the infrastructure libraries or these, like? Because for this metric we are excluding the infrastructure libraries as dependencies. So are these language built-in libraries in fact part of infrastructure, or are they, like, separate libraries which are used in the program?

A: And I think a record of the particular, especially for languages like Python that have different package managers and have different groups that release it, knowing which one can be helpful for understanding different problems that you might encounter.

D: Yeah, I guess the major/minor release piece, I guess I'm struggling with that, because I'm thinking about versions as a layer of context on dependencies versus the count of dependencies. You're counting the number of versions.

D: Yeah, make it actionable, or knowing, okay, what, where do I have the most dependency, or what thing am I dependent on the most, or what is the most out of date, or kind of like identifying what is a higher or lower level risk, and to do that, that's sort of part of the filters that we have here in terms of trends over time, number of versions for each dependency, multiple references, direct, flat, basically all the context that you can use to better enumerate risk versus just a count.

B: And you know what I, how is this, instead of just eliminating them, why don't we list these as categories of, these aren't really the parameters.

B: Yeah, the language and language implementation, major/minor, is a different kind of thing, although you could say, does it include the minor? You know.

A: I'm wondering if it's like, when we talk about infrastructure dependencies, I wonder if it falls into the same category as something like a Docker version, or I need a certain database installed, like if these would be pieces of software or languages loaded at the operating system level that are just assumed to be there when we do this other counting work. Sophia, what do you think?

D: I'm not sure. I feel like it, it isn't saying that this is, to me this isn't part of infrastructure. It's still language, okay, but it's, I am agreeing with David that it's kind of, it's not like the rest of the things. I'm kind of, if I remove all the things that we have written, they're, I'm looking at them holistically, they're all things that we can count and definitive categories of things to count.

B: Yeah, I tried to tweak it to deal with that, but that problem still exists. It's not really a count. It's really its own thing. I think one of the challenges is, if you later on, I think the reason it's important is: let's say that you wanted to count the built-in libraries and the other kinds of runtime dependencies.

B: Okay, not knowing the specific version number of the language, of the language implementation, makes it hard to do that. Basically, because typically you omit certain information; that's not so bad as long as you have this other piece, but if you have neither set, then some kinds of analysis get really hard.
A: But having deployed front ends with Node, I can tell you one of those downsides is stability, so do we include this or.

A: We could add it under implement, like the implementation.

G: At the bottom of this implementation, sorry, at the bottom of parameter, we can create a note of this as a separate bulleted point that.

B: At run time, some, often, language.

B: But you know what, that's a good point. Do we need as a parameter the version numbers? Not just the names.

H: So the only thing I would say is you're saying direct dependencies. You say, you know, our project goes A and C service, self-explanatory, but the transitive one you could say, I think it might be useful to say, you know, C is a transitive dependency of our project, or something like that, or to make that explicit.

G: So, in the transitive dependency, I have explained this in an example. I'm highlighting this, for example, this portion. If you go to the very top of the parameters, I have selected a paragraph.

B: I'm gonna do a Google, I'm going to do a quick Google search here: flat depend, flat dash dependencies. As an npm, resolve all the project's flat dependencies. Interesting.

B: All right. Okay, assuming you already know what it is, how does npm3 define, decide how to install flat versus nested?

A: Flat dependency is, I think that what they're defining is direct dependencies is what they're calling flat.

D: Yeah, that would make sense to me if it's, like, mathematically, instead of saying I depend on function x, you define function x like so. It's basically listing everything in itself versus linking it out to separate things. So it can be the same dependency; you can just explicitly have it spelled out in it versus linking to it.

B: In other words, it's how you organize the naming, and I don't think we care about. I don't.

H: Are we, yeah, and is everyone comfortable with, quite frankly, transitive being considered a nested dependency? So that's the other term that gets thrown around.

B: I certainly, I know I have heard the term many times. I prefer transitive because I think that's clearer.

B: It's usually a synonym of nested; it can be, it can be talking about the naming construct instead of whether or not they're transitive. That's one of the reasons I prefer transitive, because some people mean other things.

B: I can't, I'm only joking, but I'm not the first to say this, because in fact I think the Devil's Dictionary did that hundreds of years ago. So, let's see here, circular dependencies are dependencies which, when traced, end up back at themselves, can end up back to themselves. Can we define that? Where do we define these things, so under filters or elsewhere?

B: Okay, yeah, depend, dependencies.

B: Where, if traced, eventually lead back to themselves.

B: That's a good definition. Okay, yeah, and I think, basically, we, I think we should assume that in systems that allow this, a dependency is only counted once.

B: Okay, as declared in the source code and/or packet, and/or package.

B: What would you call the package managers and our package manager configuration?
A: Yeah, actually, there's a, the, Augur followed this model as well, but down here at the bottom, the libraries.io has something called Bibliothecary, which I'm not sure what that word means, but it actually will scan all of the different ways that dependencies can be identified in different languages, and there's like four different ways in Python, yeah, and they address them all. So I think that was a nice advance from the previous work I'd seen that they did.

E: Here, or do we want to? I think this looks good. If you all are okay, then I can proceed with the release of this metric.

B: So it's not really a filter so much as a parameter. Do you get the, you know, you do get the specific versions, and how do you count them?

G: So, looking at this, I think we just keep the first parameter, trend over time, and delete all five, because we have already explained them in the parameters, like we.

B: Other, the other two, the, of the version stuff, that's, first of all, I don't. Does anybody care about multiple references to the same dependency?

B: Yeah, okay, all right, so, okay, I guess I can see if filters really, more information, but this, the other question still is more than just number of versions for each dependency. I'm thinking that actually also, maybe that's okay as a filter, but I think it also goes up as a parameter. Do you get.

B: Of that is used for each, are dependencies, right.

B: I mean, at least it's noting that, but we're still not figuring out whether or not do we count different versions of a dependency once or multiple times, I think.

G: If I end it at the bottom, multiple versions of same library.

H: Yeah, and I don't have a good stat for you, sorry David, but it's a pretty common pattern.
B
H
A
A
All
right
so
we're
at
time-
and
this
is
great-
that
we
can
release
a
metric.
I
feel
like
a
very
productive
working
meeting.
I
I
have,
unfortunately,
neither
of
the
proposals
that
we
made
for
open
source
summit
were
accepted
and
I
believe
I
am
responsible
for
that
because
when
I
went
back
and
looked,
I
pasted
the
wrong
description.
I
reversed
the
descriptions
that
I
pasted.
Oh.
B
A
B
I
I
will
quickly
note
that,
although
we
don't
know
the
answers
yet,
I'm
on
the
program
committee
for
the
linux
security
summit
and
we
had
a
crazy
large
number
of
submissions,
and
so
you
could
have
done
everything
right
and
still
not
been
accepted,
simple,
because
there's
just
so
much
and
something
had
to
get
dropped.
So.
A
A
Okay,
I
will
I
will.
I
will
send.
A
A
A
Yeah,
okay,
I
will
send
that
to
you
today,
meaning
like.
H
H
Yeah,
it's
fine.
I
could
say
you
know,
understanding
where
the
dependabilities
are
and
risk
and
so
forth
can
potentially
fit
under
the
dependability
track.
But,
okay,
I
don't
know
if
I'll
have
any
openings
there
and
I'll
see
if
there's
maybe
on
the
wild
card
or
something
like
that.
D
It
was
due
last
week
and
I
like
started
one
and
then
never
did
it,
and
I
was
like.
I
already
have
four
talks.
This
fall.
Do
I
really
want
another
one,
but
it's
it's
focused
on
financial
services.
I
was
partially
interested
in
it
because
there's
one
in
new
york
and
it'd
be
nice
for
me
to
meet
some
local
folks.
H
D
This
space,
but
if
I
did
end
up
submitting
a
talk,
it
probably
would
be
more
on
the
risk
side
just
because
I
think
there's
more
interest
in
financial
services
and
risk
management
in
open
source.
I
just
feel
like
that.
Topic
is
more
appealing
than
not
just.
How
do
you
understand
communities
through
metrics,
which
is
kind
of
what
my
other
topics
have
been
so
I'll?
Let
you
know
if
I
do,
if
there's
opportunity
for
a
panel
or
something
like
that,
I'll
reach
out
to
this
group,
I
don't
actually
really
know
I
haven't
again.
A
And
if,
if,
if
you
do
want
to
admit
I'll,
tell
you
this
if
you
want
to,
I
used
to
live
in
philly,
if
you
want
to
meet
fintech
people
in
new
york,
the
r
user
group
there
has
all
of
the
hedge
fund
people
and
the
quants
that
are
on
wall
street,
that
just
flock
to
it.
It's
like
150
people
every
month.
I
don't.
D
A
Right:
yeah,
yeah,
yeah;
okay,
thank
you
all
for
a
very
productive
meeting,
vernad
thanks
for
throwing
out
the
release
process
for
this
metric
and
we'll
pick
a
metric
and
run
with
it.
Next
time.