CHAOSS Risk Working Group, 18 Nov 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: CHAOSS.Risk.November.18.2019

Description

CHAOSS.Risk.November.18.2019

A

Hello and welcome to the risk to talk so so there's a translate document in physiology. Do you know about this? No I, don't can you so apparently there's a document or a tool in Physiology you're, taking a look right now, you're sharing you're.

B

A

B

Yeah I sure AM, oh well, I'll pull that off. So.

A

So the you are essentially gonna. Do it translate what comes out of us, ology and I? Think it translate to the s translations to the SPD excellest, okay,.

C

A

Not familiar with this, and if it's not on the list, then there's a no assertion. Declaration.

B

Okay, so we just changed it to no assertion instead of no warranty yeah.

A

B

I can do that quickly. Okay,.

A

But again, you'll have to look for this translate list like it takes. You know how pathology the scanners, don't always out, give you the results in SPD, X or yeah.

C

A

Just translating those like, if you have a BSD 3 clause, oops just using this translate tool or documented Russia what it is to see if this is actually an SPD X license. Okay,.

B

And we right now, we just put it up against the list of SPD X licenses, my short name, okay,.

D

B

I'll see I'll, look at that now. You.

A

Look around I'm, not I'm, not familiar with it myself.

E

Okay, all right.

F

The next item on the agenda.

F

F

Looking at and that you distribute ES bombing implementation as well, so well, that's what you just did and I suppose what we should do next is just review the spreadsheet and we're at.

A

There so the f-bomb implementation is now the SPD X implementation. Is that correct? Yes,.

F

B

We have another- the name SPD X document, pretty much everywhere now and I just got it to it actually took a couple characters and that was it, but I got a pretty print JSON. So it looks better lot better than just one line. Now: okay, a.

A

F

Things yeah I know: it's not my fault, it's the terminology. I did not do that on purpose, so the those of you playing along with the home game whole game means that yellow is these. Are things with focus England, so CI a best practices badge?

F

We have a pretty good definition for that that we're moving through average issue resolution time edition volume are two metrics that we're looking to define, as is code complexity and I. Believe I have beat two dates to draft issue volume. An average issue resolution time is.

A

Ci best practice is done. Is it in a pull request? Yeah.

B

Well, I, we I've been looking at that poll request and it looks like it's all done. It just needs to be populated, so I can fix the front end, which would take about five minutes. No.

A

I'm talking about actually issuing.

F

B

I fixed it, since we talked about it, I think the only issue is GCO, which.

B

F

So you know that's good, okay, so I'm gonna jump over to our four requests, which you can see that I'm doing actually, since I'm sharing the screen.

F

And that updated this to include the content of the full breast.

B

Reduction older one I have my most recent one that has actually, that might be the one with all the changes. My bed, this.

F

Should be like, if your, if your four pieces not been blown away, this just updates with yeah.

B

Okay, gotcha yeah.

F

One of those things that you come to really comprehend the hard way when you delete.

C

Your fourth before they pull request is merged which have done.

F

Man is this: the I mean I think this is in.

A

Pretty good, pretty good shape, yeah, it's missing one. So a couple things one.

A

Get rid of the so scroll up, get rid of the the numbers before like description and objectives. Okay got it and then does this currently have a question associated with it. I.

F

B

No I, don't think I have any questions in there.

A

F

You have a Google Doc.

A

F

Like we're in this way, if.

A

We can just work on this. I'll drop it in that's, okay,.

F

B

Is a Google Doc, a lot of the most recent updates are done in markdown, so it have to be transferred back to the Google Doc yeah.

A

It's just so much easier if we work in a Google Doc, there's our sources over there.

F

All right, I just shared the Google Doc, that knows of the issue that you're seeing so.

A

So there needs to be a question here.

A

Just a single question. You know gold question metric.

A

Yeah, this is a really old.

A

F

Maybe the Google app isn't to do is take the pull request. Can you do that, bring it over I sure? Can technology.

F

A

You know that's way better. There we go who's. Okay, this is what we wanted yep alright. So then we need somebody put the name CIA best practices metric here.

A

So Matt, could you, with the name of the metric.

F

A

Best practices.

F

Is it best practices, Maj or best practices? Oh, it is best, it is, it is the batch. Is it I guess if you wanted to get the most descriptive thing, be the same best practice badge status is that's exactly what this is well.

B

It includes more than the status aw. Oh sorry, I was muted, I was saying, compliance was mine,.

A

B

Is badge and so okay.

A

Does this have a question associated with it? What does his.

F

Badge status was the current badge progress level for this project. There can there are there's badged, silver and gold, okay.

A

All right implementation, visualization, probably three of those tools providing the metric exam data collection strategies, I, don't.

B

Necessarily say the badge status, because it does have a lot more to do than just the budge right.

F

B

Just change it then: okay.

C

F

Badge is the prize that people are looking for, though, but I'm cool with changing it, because I'll dive in evolution.

A

Okay, so let's take a look at the description there. We fast I.

B

Think Kevin had actually contributed this from the CIA website when he looked over the original Google Doc. Okay,.

A

Matt, are you okay, with this objective.

B

That looks fine to me.

G

A

All right, so one of the things we've talked about is so what Matt? What is yes,.

B

Under implementation, that's where I get a little more granular and explain how do you do it? It get requests to get the information from their API. Okay,.

G

A

Been rid of these okay just only because it might be right right now.

A

But to provide insight into.

B

We can refer to them to the API is documentation, if that would make it more high-level, probably.

A

So yeah, why don't you do that? If you could include that and.

F

That we were committing to current location is yeah.

A

We've been trying to back away from putting like source code of any sort into these metrics.

A

Just for that very reason,.

A

I'm gonna have the same response to some of the stuff. That's in data collection strategies.

B

That's five about as granular as it gets and there's just some sample data, but I understand what you mean. Yeah.

A

So I don't know if there's another way.

A

Kind of like what you're doing right now, if there's any way to represent the.

B

Data collection strategies I honestly think that I could go into the API documentation as well. Okay,.

A

So let me if you could almost just repeat that line you know again: CCI is documentation strategies.

A

Tools providing the metric, a org, does or more lab do any CIA stuff.

E

Okay, not yet not.

F

Yet exactly yeah and it's not hard once you guys dig it realize it's.

E

B

A

A

They're much cleaned up very much.

F

Matt, if you update your fork with that, we can potentially accept that today.

A

Were there any other comments from people on the line Georg did you have.

E

I'm, proposing right now changed to, rather than have the your l2 for the API to have the actual work linked to it. Okay, I think.

A

We'll have the same issue below yeah.

E

That's what I'm proposing? Okay, that's fine! Just to clean up even more yep.

A

A

And then I guess Kevin or Kevin Matt you had said: Kevin had pulled some of this stuff, you think from the CIA. He.

B

Was oh today from the Google Doc, and he had said he's mentioned in a comment that summer that I think it was only the description. The objectives were from CIA.

A

So I think if we had this text, we might want to indicate that it's from CII.

B

Yeah I found it I'll put it in the chat it's on the front page. So.

A

B

A

I think we should.

A

Something like, as.

A

Something like that: how do you do this.

D

By doing it right, yeah yep, that's it right! There all right.

A

Just to give credit where credit's due that's all.

B

E

Do we need the explanation of how the criteria worked in the second paragraph.

A

Like what what's the the.

E

Whole thing met unmet and a unknown future like.

A

Do we even need it is your question? Yes, probably not I'd.

B

Say that was good going data collection strategies if they actually have a place in the document, because.

C

That's the kind of stuff that you're looking at when you're looking at.

B

The actual data.

A

So if it was gonna move, so that would be the description at that point, just a way for open source projects yeah to show that they follow best. But that's the that's the description, fair enough and then.

A

This, what you're talking about Matt I, just put it down below? mmm Yes, actually, that's fine! That's a fine level of detail without getting.

A

Super crazy is that all so where'd you get that so. Did you write that no.

B

I think that's the other. It's part of the top session that Kevin got.

E

It sounds very much like it's from there. Please I, just I added another I.

B

Had in the child, I have I had the link to the front page where you can find all those all that text. Basically, we've made a couple edits to it, but I mean.

A

I'm totally happy just reusing that text. It makes all the sense of the world, but no.

A

Okay, any other comments.

A

Mark this one done.

B

Okay, I'm gonna go ahead and copy it over them. Yeah.

A

And then issue it as a pull request and actually hold on before you do that this is gonna, be bad.

C

A

See what I did is the title has to be I go, and maybe we call it core infrastructure initiative.

A

Just see what I did man got.

B

A

A

Hey that's the first to be released metric from risk well for this release. Yeah for this release, yeah.

E

Very much not for putting this together in fluent enough thanks.

A

A

Hey and actually with B and I earlier today, there were two. So that's three today total productive, a very productive name.

A

So Shawn are there.

F

A

That are on this list very kind of there.

F

Are others on the list, but none that are in the position of having a full request? Okay, prepared thinking back to the.

B

Before request is submitted by the way is updated.

F

B

You put it in the minutes.

F

So, are we all good accepting this over glass I am.

G

C

C

C

Chose the dynamic.

F

E

So before we move on to the next item on the agenda yeah, we have a guest Nick from the open source initiative on the call Rina, because I invited him for the item on open source metric. Yes, Oh si all status I.

G

Charge hi everyone, hi, Nick and Nick. Thank.

C

F

For thank you for having.

G

F

Thanks for taking the time to come, come on every two weeks, we were always here.

G

Yes, I believe I met. Many of you, kids call Vancouver last year likely.

A

E

Yeah I remember that.

E

G

G

E

An introduction saying that Nick and I Patrick and Daniel, we talked at the all things open conference about the idea of having a metric and open-source metric around whether projects have OSI approved licenses, and the idea is to then also have some shared marketing around this metric between OSI and chaos, because Osias interested in well obviously promoting that project is open source much of licenses and for us we talked about this two weeks ago. It seems to be fairly easy to Internet I. Think.

A

Matt, did it didn't you Matt.

B

Yeah I can show guys I know if you want yeah.

A

You do need to do that. Can you see the screen well.

G

Yeah I can see it. Okay, so I guess the main motivation behind it is they're. Probably you guys are aware. There have been a few companies, they have created known, OSI, compatible licenses, yep.

F

So open source pretend yeah.

G

Exactly, and so this is, this metric will be a way to reaffirm they're all projects have an OSI approved lastness and that they are compatible. If we give something that it's not compatible with dk, this can cause legal problems or whoever is distributed, is or where is releasing these other software. So this is I, think it's a trivial change, but an important one as well and I added a few links for you guys and number five to eighteen number. Five I know you guys are using in acts so the website.

G

We also provide an API in case. You guys want to look at that or, if you guys want to perhaps study, clearly define I'm, not sure if you heard of that yeah, it's a very promising project, it's quite new, but it's growing a lot, and perhaps you might want to check that as well and see that can help the chaos team.

G

So I just put that up. There clearly.

A

G

Excuse me: when does early defined? Do oh, so we had some merit aid metadata to different projects with all kinds of information away from lessons. What kind of lessons does they have and also security related metadata everything that the name kind of defines? What is it we're trying to clearly define projects or a piece of code and make sure that that code is secure, that he has an OSI proof, glasses and other other types of metrics?

G

So this might be a nice way for the Cales team, who collaborates with clearly define and see if there is a way for or for collaboration, is.

A

There, an API yeah.

G

It's very a guy trading. If you go to I, have to link there yeah.

E

G

Oh, you know you can look around. The the person behind is is Carol Smith from Microsoft's, okay,.

F

G

Also, though, a cyborg, and if you guys want to talk with her, feel free to ask me and I'll get you guys in touch.

A

So clearly defined it provides license. Information did.

G

You say: nauseous license information, all kinds of metadata, you know around projects, but.

A

Also, security information, yeah.

G

A

Yeah I mean that would be great because in the I can tell you in the chaos project. If somebody else has done the work, is it yeah we're happy to use it? So if that's a way to bring it forward.

G

To people great and we're happy to collaborate, so yeah I, I, actually don't know much about the clearly fine. All we know is that Carol Smith she's behind that yeah him. She knows all about it. They also have a very good collaboration with github, yep and you're working on on adding that kind of metadata to all projects. Here, anyway, anyways thanks for hearing you guys yeah.

F

So, did you see your screen yeah yeah.

G

You see their screen shared.

F

So there's there's already data: oh yeah.

G

Nice so 99 the family 7%. These.

F

Are these are project on this ever project, which tends to be license where yeah.

B

This one is reals rails, it is no.

F

B

This one is a smaller project. I think this one is either that for reals reals, though.

G

B

Onto a bunch of different projects, and normally they have upwards of ninety percent, which is good, mm-hmm I've, really seen a lot to have lower than ninety percent. That kind of that that spread of where they kind of lie on the spectrum is also very important to.

G

Me yeah. Thank you very much for implementing there. We really appreciate.

A

B

A

Man, I have a one question and then I come in. So is this showing the OSI approved licenses for.

A

So if a project had one license identified and it was OSI, then it would say a hundred percent all right.

B

Yes, I think it has to be taken into factor with license coverage as well. Yeah.

A

Okay, I see yeah I can see that. Why so why?

A

Why would on the upper one? Why would light files with the declared license bee7bea, four thirty and the total for the percent OSI be seven thousand. Fifty two.

F

There are three not OSI, Russo 77049 plus three is 70/50.

A

F

A

The above on the above box, though, license coverage, I think.

B

That's probably that there are some some of the no assertion kind.

E

B

Kind of show up is the license, but don't show up is anything specific and there's more than that show up in the no assertion category. In the end, okay, one of the big plans I have for the, but both us I approved and the license count, is information on where you're going to be able to find the files which I think is very valuable, like it.

E

Tells you what.

B

The percentage is, but it doesn't tell you right now where those files are what the license is related are so I'm plenty to do that as well. Yeah, nice.

A

So does does clearly-defined show that does it show the license coverage you might have to look at that a little bit Matt yeah, yeah, well, yeah.

G

So clearly defines a really big project, I'm happy to connect you with Carol, but she knows more.

E

G

I'm I'm actually putting it, but if you, if you look at it, yeah yeah.

A

We'll take a look at it: Thanks.

G

I just wanted to bring you bring this to your attention. Yeah and I also want to apologize Patrick here. Why don't you come to this meeting well, I believe he's traveling back from Europe today, so he wasn't able to.

G

E

One of the links that you should make is also that the Oh sighs providing and Jason you know we have an API for a very long time and.

G

Our licenses here, OSI approved you're, listen here, but I think it's similar to speed. X, I I couldn't see I, don't know much about speed. X I heard about it. First I, don't know what what are the differences, but if you guys are using speed ax, please do go ahead and continue using that yeah.

A

We are using it it's a pretty good way of kind of representing data. Yeah.

G

I just wanted to bring your attention to this, but and we're always happy to collaborate. Yeah.

A

So mad I might might be worth just checking out the kind of data that's in the API.

B

Okay, I can do that today. Yeah get back to you guys I'm.

A

Curious I have a couple of curiosities. One is what's the scanner that's behind clearly-defined how current is the day so.

G

Clearly, the fine is a really big project. I think we received like half a million dollars around this project. I, don't I, don't know how how it works, but I know there are many companies involved, so Microsoft's give her.

G

Facebook is also looking into their Google Amazon. So we have a lot of traction and, but to be honest, I had to study this as well. Okay,.

B

E

Data maybe can see kilt Smith has time to talk with us. Yeah just join one of our list meetings, yeah.

G

I, don't want you deviate from your meeting, so I'll just put this as a test for myself. Will you put you guys in touch with Carol and see if she can provide an overview of clearly define I?

G

Don't want to disturb you guys because.

F

Yeah, it would be I, think, is there? Is it all API based so we're using pathologies are from the scanner from pathology, yeah.

E

F

This information out and I can see that you're using a Mac odontology.

F

So I mean I: did it I'm trying to think about if there's an API, that's reasonably current for a reasonably broad number of projects and I suspect that's where an API might be limited so like if I want to scan any repository? Your problem in that persisting games hurry it github this way, although, if github does it then.

D

There's less reason, trust this game, more evil itself, yeah.

G

I believe it's. The idea here is to have a really strong partnership with all those big companies Microsoft's. He have a Facebook, Amazon Google, and so it would be very up-to-date, the all the metadata around it. Okay.

E

A source of data, including our tools, I, think.

F

Connecting with Carol would be great, a great stuff that would be awesome. It could be inside the context of this discussion, nor we could set up a separate time, dependent, yeah, yeah yeah, be a benefit to the kiosk. I mean yeah if her schedule fit one of our meetings but I.

A

Think we can schedule, especially as long so.

F

Perfect I wouldn't.

A

Suggest from this discussion.

E

A

Hearing back yeah so.

E

A

I was gonna say that we should probably just have another metric, which is OSI coverage.

E

So yeah I think we can create a separate metric right now. The pull request 61 is proposing it as a filter, but I agree. We can have its own derived metric, basically because I think it has enough importance that it's not it's more than a filter. Yeah.

A

That's what I was I didn't know. It was proposed as a filter, but I thought it was pretty important not to get it out in front of people. I think.

G

The way that Matt's implemented it was it looked really nice. The percentage yeah.

A

So that's why it was looking at you, Matt I, think actually putting that forward. Really pretty straightforward. Yeah.

G

G

Matt's implemented that right did I.

D

Get any what's there.

G

To Matt's yeah.

D

G

D

The same last week, all the MATLAB right, okay, yeah.

G

E

Charlie, so when you take a look and the chat is that's how I had thought okay, they could do it, but I a much better approach would be to have the open source metric, be a separate measure. Yeah.

A

I, like that idea, great Matt I can work on that with you.

B

Sounds good also.

E

B

A just for context, this is a clearly defined API call it's really fast on and on everything, NPM and their licenses. If you go under curations, it's just all their licenses declared from the NPM repositories. It's pretty nice.

A

See that yeah all right.

C

A

Cool all right so I'm gonna add this in the list, though,.

F

What do we call this open source metric, /, open source initiative, OSI license metric? Isn't that what this is yeah.

A

E

I, don't know what do you think Nick we've been calling it the open source metric I, see it I.

G

Think I'll ask Patrick about it. If it's too big, we can have just OSI approved yeah.

A

That would yeah. We like we like metrics that have clearly understood names. Oh the.

D

F

A

Might be a little grandiose.

F

Although when you need this little chaos project unnecessary one metric, there's the whole thing, yeah.

G

I think, whatever you guys think is good hmm I. Just.

A

G

A spreadsheet, I called.

A

It OSI approved, licensed metric or OSI approved licenses, messy.

G

F

Okay, give me an having nasally things today.

E

Okay, well, thank you very much for joining us today. Nick Thank, You Jorge, oh yeah, one that you add or bring up for discuss with us.

G

Thank you for having me I'll. Let Patrick know about this. I apologize again and I'll reach out to Carole you'll, see it'll, be great. She killed a special meeting with you Thanks great. Thank you. Thank you. Everyone, oh I, think.

E

A

I did we have any other? That was great.

F

There was I was jumping to something else, but we find my your place. Yeah.

A

Any Oh start code complexity metric was that it yeah.

D

A

We're working on that.

F

Won't even help you with that man like we could, we could probably like I mean actually I can show you what some again.

A

These metrics are at this point: they're they're meant to be fairly easy to put forward. Yeah I mean uh ya, know yeah, like what is code complexity? Why do we want it? Why do we care about code complexity?

A

Whatever ya? Do it I mean that's a yeah? That would be pretty want me to take that one. Yes, I'm gonna put your name on the alright. Thank you, sir may I have another. That's right! Code, complexity, CH, don't forget the new template, I.

F

Thought you guys are cleaning up. All example is well.

A

Yeah I mean we're running a new one, just used. You know, yeah I made sure easily separate and I've already cleaned up all the templates they're all done. Yeah and I cleaned up evolution. So there are no extras. Are they.

F

All done it wasn't, although all the old templates are gone, Thank, You, Carter,.

F

And I think that that was the last material item, because there's still there's still testing metrics that were in the business of developing but I'm still in the discovery phase. On that terms, it's technically how to climb that.

A

Mountain well actually to me this would be great, because I think a couple of things would be to new meant. One metric got done. New metrics are on the table. Yeah. Then we have this I. Think Matt. You should check out clearly defined and see. What's in there yeah is it sounded like there were a few things that might actually be revealing for risk. Yeah.

B

Cuz the security like vulnerability, resolution and stuff like that is really important right now, yeah.

A

B

To measure that, if.

A

That's in there, but then also to Shawn's point like what the coverage is yeah on.

D

F

That's yeah and that's really that's more of a technical question. You.

D

F

We continue to invest in doing this. There's some things. The.

A

Man, I would kind of put that in your camp to to come on just take a look at what's in clearly-defined, got it cool I.

F

Think I mean looking at the results of the API.

D

F

They do not have same level of brand Larry.

F

We got out of file level and a lot of github hashes here mm-hmm, so maybe that is the I guess that is the file level, possibly, but a.

B

Lot of the granularity I found with some core requests or.

F

Use a yeah there's a spiderweb in this API. That I mean we should look at the docs. Maybe maybe you can find the docs before you dive into hard Matt yeah.

B

I have the docs open well, I can prepare some kind of quick notes. Show everybody next time so.

A

And then Sean, can you take a look at the poll Rick what's outstanding on risk they're just up there.

F

Yeah it started to do that. Actually, I mean.

A

They should be in this tumbler third, encourage merge, merge, merge.

F

Yeah I think you're right, I think that's where I was headed. When we last, we started eyes to find that I'll share my screen again, so we can process these together. I believe you that you're doing it I mean it's just you know, observe.

A

You doing you know it's a it.

F

A

Like it's off, starting with software bill of materials that actually has to be renamed, I. Think at this point, yeah.

F

D

Know I'm gonna, I'm gonna start at the bottom I'll.

F

Speed test coverage merge, pull request.

A

Because these are just formatting changes, alright yep, that's it I mean and I may have removed, like some of the girls now yada yeah yeah. This.

F

All looks good me, I mean these are the kinds of things that coups. Thank you for the pop-up calendar.

A

These are really the like. The Sol's are really like, really normal.

A

And if we have to do little changes of the end, we can yeah I think.

F

And making the content consistent across all of the Technic light. He is deep technical izing, a phrase it is. It is now its copyright, Jean Goggins training up, actually use the technical izing, the only dollar you can sure it's on to make money. So.

A

This week, I'm gonna go through I'll, go through all the repositories again I'm, just gonna kind of make sure that everybody's alright.

D

So this one I'm not gonna verse because I think well Matt. You want me to merge this and I've changed the other later well,.

A

We I mean I just take a look at the files changed really fast, because there's we gotta change this just to be like yeah really.

F

This one outstanding, unless you want to merge it so that other people can edit this it's up for you if you want. Basically, if we keep.

A

This for requests I'll edit it okay, well because it just needs to be changed over to SP DX, okay,.

F

Open sourcing here we and that one that we're gonna make a new metric, making new metric right, close.

C

It what's your call great funny more at all, no I'm all for.

E

Kids, we have it on the metrics repo in the governance Rico. So there's a proposal to also put on the working group so either I mean.

E

If you want to see how it looks, metrics people and does it show all these different ways of contributing? No, that's just the template file and will only show community groups, because that's the only one with the bad.

F

Okay, then that's perfect I was worried when I saw all those things with the very end of be concerned enough. We would be displaying like 12 different ways to fund us, and all that would do is confuse people, but that that's.

D

Not what's happening that.

F

I mean I think it's good for those more review so.

E

F

E

To give refresh you don't have to sponsor button at the top there. Do you see that the hard sponsor.

E

Yeah and so now, people can go and sponsor on community bridge.

A

And that to everything, I mean, like a class project, saw just everything show.

C

Me four dollars.

F

That's excellent thanks for doing your no won't come. My pleasure, hey I! Think that concludes the agenda. That I had that we hadn't prepared. There are not there any of the topics that people would like to bring up at this minute. All right, I think. As long I'll see y'all overcome a week on risk and earlier I'll see.

A