►
From YouTube: CHAOSS Risk Working Group November 3, 2022
Description
Links to minutes from this meeting are on https://chaoss.community/participate.
A
I'm,
not
a
person
in
the
world.
Welcome
to
the
risk
working
gear
meeting
we
forgot
to
start
recording
I
forgot
to
start
recording.
So
here
we
go.
We've
been
discussing
some
of
the
really
amazing
insights
that
emerged
last
week
when
David
and
Johan
and
I
were
in
Sweden
at
a
naspocon
event
and
I.
Think
where
we
are
now
in
the
agenda
is
discussing
just
kind
of
a
if
there
are
I
think
the
to
do.
A
I
see
from
last
week,
which
I
wasn't
here
till
know
to
do,
is
to
look
at
other
risk
metrics
and
see
where
folks
think
metrics
need
to
be
developed,
and
it
seems
like
a
brief
overview
of
the
GTI
and
tooling
versus
application.
Discussions
might
be
helpful,
I
don't
know
if
Sophia,
if
you're,
comfortable
or
renisha,
if
you're
comfortable
helping
us.
B
A
B
Found
it
yeah
and
it
okay
yeah,
and
that
next
line
is
absolutely
wrong.
Okay,
we
are
okay
by
Tool
chain.
We
mean
tools
like
GCC
and
I
want
to
make
very,
very
clear.
It's
important
to
be
clear
on
this
point:
okay,
the
gnu
tools
are
not
moving
into
the
LF,
so
all
the
tools
are,
let's
see,
are
not
moving
into
the
LF
okay.
B
Instead
of
the
the
support
LF
is
preparing
to
support.
B
Yeah
you
know
and
heart
and
on
hardening
it
you
know
you
know.
So.
Basically,
let's
say
you
make
a
change
to
GCC.
Okay,
you
are
going
to
propose
a
change,
but
you
want
to
now
run
a
whole
bunch
of
tests
on
a
whole
bunch
of
different
platforms.
Okay,
you.
B
Sure
that
works
properly
and
so
on,
okay,
but
basically,
and
and
they
also
want
to
make
it
so
that's
much
harder
for
attackers
to
subvert
this
stuff,
okay
and
so
basically,.
A
Is
this
getting
into
the
runtime
executables
and
messing
with
them
or.
B
This
source
code,
no
problem-
no,
this
is
this,
is
think,
think,
build
and
test.
Okay,
okay
and,
by
the
way,
the
gnu
tools.
Folks,
typically,
don't
I
mean
they
don't.
Release
executables
or
probably
more
accurately,
to
say
is
that
a
lot
of
people
are
not
gonna,
just
download
from
the
gnu
folks
and
executable.
Okay
generally,
the
key
thing
that
they
release
that
most
people
grabs
are
the
source
code.
Like
you
want
that
source
code
well
tested,
you
want
the
infrastructure
hardened
against
attackers.
C
B
And
in
particular,
a
lot
of
them
are
more
used
to
a
mailing
list
based
infrastructure,
where
you
you
put
post
patches
and
stuff.
That's
what
the
limit
this
Colonel
has
been
doing
since
the
its
Inception,
and
so
we
already
have
a
you
know.
We
have
already
got
all
the
infrastructure
necessary
to
support
that.
So
we'll
wait
a
minute.
You
know
why
not
just
reuse
that,
and
the
short
answer
is
well.
You
could
but
there's
some
people
time,
and
we
need
to
pay
for
that
people
time
now.
I
do
want
to
be
clear.
B
B
Yeah,
it's
another
organization
that
it
would
be,
will
that
some
folks
would
like
to
be
move
to
instead
most
of
the
gnu
tool.
Actual
leaders
would
like
to
use
this
one
that
has
real
funding
and
so
on,
but
you
know
what
just
now
you
know
that
there
is
this
thing.
This
thing
called
GTI
and.
C
B
Yeah,
so
it's
Reviving
okay,
it
provides
a
more
robust
and
secure
infrastructure
for
these
projects.
Okay,
we
are
not
taking
over.
These
are
not
moving
from
gnu,
okay,
so.
B
A
Mean
and
what
about
tooling
versus
application?
Is
there
a
quick
summary
there
because
I
think
I
think
some
of
these
questions
might
lead
us
toward
what
we
want
to
work
on
and
I
know?
We
talked
about
maybe
two
months
ago
now,
working
more
closely
with
the
ossf
to
try
to
understand
how
we
complement
or
collaborate
with
each
other
and
I.
Think
I
was
supposed
to
be
there
at
a
meeting
and
I
did
I
didn't
get
there
I
don't
know
if
you
remember
that
David.
A
I
was
talking
more
like
a
few
months
ago.
We
talked
about
like
what
is
risk
and
what
is
ossf
and
I
actually
went
to
the
ossf
meetings
for
a
spell
at
OSS
Summit
North
America,
like
we
use
in
auger,
we
use
the
scorecard
it's
one
of
the
metrics.
That
auger
provides
because
it's
useful
and
it's
there.
B
B
That
certain
types
of
the
Supply
software
component
analysis
I
mean
they
do
various
things,
but
they
they
sell
SCA
tools
and
services
and
they
also
produce
an
annual
report
on
open
source
software.
Supply
chains.
A
B
And
I'll.
B
A
The
critique,
I
suppose
they're
the
kind
of
it's
a
critique,
but
the
focus
is
on
packages
in
the
application,
not
necessarily
whether
or
not
they're
used
in
the
package
in
the
application
right,
so
that
what.
B
A
C
In
Stockholm,
we
were
just
talking
about
in
our
current
knowledge
of
what
we
can
see
in
dependency,
analysis
tools
or
dependency
like
anytime,
you
say,
pull
all
the
packages
that
are
used
in
your
system
and
sort
of
commenting
on
where,
where
we
see
gaps
or
where
we
expect
there
to
be
gaps
just
as
a
way
to
see
to
discuss,
how
do
we
improve
what
data
we
can
gather
in
these
in
these
sorts
of
things?
But
we
didn't
really
have
any
solutions
coming
out
of
it.
C
We
were
just
sort
of
talking
in
general
about
where
we
would
like
to
see
more
information,
and
so
here
it
was
on
context
of
what's
in
use,
as
well
as
what
you
might
be
using
with
it,
which
isn't
necessarily
captured
in
that
dependency
chain.
B
B
A
B
Right:
okay,
around
the
run
time,
dependencies
of
an
application
versus
the
two,
the
tools
that
are
that
are
used,
otherwise
an
EG
to
build
or
test
it
or
test
or
distribute
it.
B
Okay,
I
think
State
restated
that
way
see
now.
If,
if
that's
what
you
mean,
I
totally
understand
what
you
mean
now
I
think
that's
fair,
although
there
is
work
going
on
right
now
to
extend
there's
nothing
that
prevents
you
know
s-bombs
from
including
that
information
that
said,
I
I
think
the
expectation
I,
don't
think
this
is
it's
wrong
to
have
done
it
that
way,
I
think
it's
quite
reasonable.
B
Let's
start
by
focusing
on
the
code
that's
running
on
your
system,
because,
while
it's
true
that
compilers,
for
example,
can
insert
vulnerabilities
unintentionally
or
intentionally
in
stuff,
they
generate
to
A
first
order.
Those
are
less
common
than
the
just
I've
got
a
dependency
I'm,
calling
it
directly
and
it
has
a
vulnerability.
So
it's
absolutely
true
that
people
are
working
on
this
there's
already
some
support
now
that
I
think
there
will
be
more
later,
but
I
think
it's
rightly
that's
a
second
order
effect.
C
The
last
point
was
I
shouldn't
be
under
this
bullet
because
it
was
separate
entirely
as
well.
The
system's
the
analysis,
too,.
A
C
C
I
think
again,
like
we
were
kind
of
running
the
gamut
more
here
in
a
way
that
I
think,
if
we
do,
we
could
always
get
broader,
as
the
group
and
I
think
if
we
want
to
focus
ourselves
a
bit
I,
I
kind
of
like
the
last
thing
that
we
were
talking
about
in
the
sense
of
actually
we'll
connect
you
to
the
first
thing
that
didn't
make
the
recording,
but
in
collaboration
with
the
risk
working
group
in
the
openssf.
That's
thinking
about
this
dashboard,
this
particular
group.
C
That's
what
we
need
is
a
set
of
metrics
that
has
a
well-rounded
view
of
risk
as
we
see
it
and
whether
or
not
that's
what
ends
up
going
to
the
dashboard
another
story,
but
at
least
what
provide
a
starting
point
or
a
point
of
discussion.
I
think
David,
I
love
that
you
raised
this
point
last
time.
It's
much
easier
to
react
to
something
than
it
is
to
create
something
organically
with
a
group
of
people.
C
So
I
could
see
this
group
in
a
position
to
create
something
to
react
to
in
terms
of
set
selecting
the
number
of
metrics
I.
Think
we
have
some
to
work
with
already,
but
I
know
we're
like.
Basically
almost
that
time
here,
I'm
going
to
be
to
our
next
meeting.
B
Like
they
wanted,
if,
if
if
this,
if
this
group
could
actually
move
that
quickly
to
create
a
starting,
a
starting
set
of
here's,
a
proposed
set
I
mean
if
you,
if
you
go,
look
I
actually
created
and
I,
you
should
have
already
gotten
a
copy
of
it,
but
a
you
know
some
ideas
for
the
dashboard,
some
metrics
and
so
on,
but
it
was
basically
hey:
hey,
let's
come
up
with
a
list
of
plausible
metrics,
let's
winnow
it
down
quickly
come
up
with
something
and
iterate
I
I
do
think
it'd
be
awesome
to
have
something
more
principled,
but
I.
B
I
think
that
the
dashboard
thing
is
going
to
be
one
of
those
things
where
Implement
best
you
can
and
then,
if
we
can
in
a
shorter
term
and
then,
if
we
can
make
it
more
principled,
focused
on
broader
issues
based
on
feedback.
That
would
be
awesome.
Well,.
A
B
I
think
I
mean
it's
scorecard,
they
already
know
that's
already
in
there,
I
know
about
that's
best
practices.
They
already
know
about
the
badge
they
already
know
about
that
yeah
I
did
mention
lib
years
and
also
chaos,
but
you
know
if
there's
other
things
and
ways
we
can
figure
things
out.
That'd
be
great.
A
Yeah
I
think
I
think
there
are,
and
maybe
that
that
should
be
our.
We
should
be
looking
at
okay,
they're
supposed
to
have
scorecard
plus
what
would
produce
a
useful
risk.
Metrics
model
and
that's
metrics
model
has
really
become
David.
The
word
that
we
use
for
dashboards.
So
if
you
imagine
that
every
use
case
may
have
its
own
dashboard,
so
you
end
up
with
infinite
dashboards.
A
Yeah,
it's
a
published.
It's
a
published
metric
auger
calculates
it.
We
haven't
it's
it's
figuring
out
how
to
promote
that
part
of
it.
A
I
guess
is
part
of
where
we're
going
we're
very
close
to
a
hosted
version
of
auger.
That
will
make
that
a
lot
easier
and
there's
also
a
hosted
I
think
this
may
have
come
up
in
the
community
meeting
Sophia
the
compass
dashboard,
that's
being
developed
in
by
Getty
that
will
work
on
any
open
source
project.
Have
you
heard
of
this.
C
A
Yeah,
what
they're
really
doing
are
they're
implementing
the
metrics
models
that
have
been
defined
so
far,
so
it's
a
way
different
ways
of
baking,
the
metrics
that
we
have
together
and
I
think
I.
Think
looking
at
that
and
looking
at
some
of
that
will
be
an
interesting
discussion
for
sure
and
I
apologize.
I
I
did
put
these
down
as
our
things
to
talk
about
next
time,
which
I
think
will
be
pretty
exciting
and
worthwhile.
Okay,
I
do
have
to
take
off
myself,
so
our
choices,
I.
A
Right
I
will
call.
Let
me
do
a
close
then
and
wish
you
all
farewell
see
you
in
two
weeks
thanks.
Everyone
I'll
probably
see
some
of
you
next
week.