Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
CHAOSS / Risk Working Group / 27 Apr 2020
CHAOSS / Risk Working Group / 27 Apr 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CHAOSS.Risk.April.27.2020

Description

CHAOSS.Risk.April.27.2020

A

Oh, this is the risk meeting for April 27 and then beginning on May 5th, we'll be meeting every Tuesday instead of Monday at 9 a.m. to avoid a serious, a series of holiday related conflicts throughout the summer.

A

Not that anyone's made. You name it sitting at home for the holidays, but we thought we would not work on them and we discussed last week also the focus on the hiring of the community manager. I think we have close to a hundred applications for that now is that, right now we have over well.

B

Over hundred you know, I mean keep in mind the high variation.

B

Yes.

A

And so our goals, you know we disgusted testing safety, critical systems, a list of the active project and got specific on some things. I think there was and I don't know. We probably couldn't get Dave wheeler for this meeting, but I believe there was a yeah.

C

We're reaching out see if we can get him on for the one on the fifth okay.

A

Ok, giving anyone in this business, so we can notice, is not enough time hmm so remind me Kate what we were going to talk to Dave about I I. Think it's the static analysis, dynamic analysis tool set.

C

Alissa.

A

What what no.

C

He's coming in from the CII side, the director for the CII and love that is supporting what sustainability, what is sustainability? What is you know what sorts of things should we be looking at tracking prospective.

A

So when it comes to actually sort of ordering the priorities for this this year, he will be very helpful input, that's kind of what I'm hoping all right, I.

C

Have my opinions as to each of us, but it might be good to get an understanding person of eyes too yeah.

B

Are.

D

There.

A

Other.

B

Projects that are kind of in risk space at all that I haven't was ever which one that.

C

First, going after safety, okay.

B

And then CII and then obviously SP DX and open J, I'm thinking yep any others that are kind of in that world to.

C

Zhen Zhen.

B

Zhen.

C

Is going after safety, the ones that are served on the risk world in my mind, are the ones are going after safety to some extent.

A

Virtualization yeah.

C

Their people are using hypervisors is a way of doing separation a little bit of that there. Oh the.

B

Is it a distinction like with Zephyr and then yeah risk is about the space in and then with like open chain, SP DX and see I I, it's about defining it for, like a better worth the standards.

A

When you think about risk.

B

Is that yeah.

C

It's and I'd say ELISA, is you know? How does you know police is about Linux and risk? Okay, you know a lot of the things in the safety standards called for you to understand the risks and mitigate Alliance there. Okay,.

B

Just to clarify them out, I'm, not sure what you mean by going after risk, cuz like Timmy's, N and Zephyr our projects that are developing things developing software, but the space is kind of the context that these projects work in is a risk related context. So that's just where these projects work, but something like SP DX.

B

It's about developing a standard by which you can get your bearings on risk.

D

I think SP DX has.

C

Got one of the variables or the variables we would want to consider for risk yeah and it's evolving to have more variables, we'll be wanting to consider for risk measured from it so, for instance, pedigree provenance, informations ie, where the code is flown from who's created it. What process is reused in the creation and so forth? All of those are things that might influence. Do your decision as to whether or not you want to use it so in some senses risk is you know what you know? What do we want to be?

C

What do we want to I'm actually I'm hoping that some of this may or may not influence some of what we end up putting into some of the SPD x3, for instance, for the you know, provenance and pedigree aspects?

C

What do we want to make sure that it's available to be tracked and used as a metric.

A

And from a CI CI CI concern is lighting security, supply chain security and transparency.

C

So.

A

There's the there's dimensions of just kind of knowing what's in the software dimensions,.

C

Adequate.

A

Testing for things that are safety, critical and dimensions of licensing that are related to provenance and pedigree, but also can be process implications for safety, critical kinds of systems. The.

C

Other side of it is like you know: do you know that an authorized person has built your image right? What the risk metric in my mind, okay, you know, are you using software from a place where there's you know what hasn't been tampered with.

A

So there's the possibility that I would deploy a piece of software. That's an open source project, but if it was one you'll pay someone who's not authorized, then potentially other did malware or whatever could be injected or not. Intestines.

A

I guess I think about over auto-grade linux, where some in your thought it'd be great idea, just throw some power window controls in there and they accidentally affect the braking system. Yeah.

C

Like I say, there's you know are the people who are doing creating the image that you're deploying do. They know what they're doing right, I.

D

Think.

C

Open chain and CII as well as now, some of the SPD x-step, are also heading towards that direction. You know: do we have a way of catching? You know open chains today, what they're doing with open source in general?

C

That's PDX right now is how do we start adding the information, so you can make a policy about something.

B

Can I ask a process question to you Kate, so we have, um we have open chain right and Toyota is a member. As an example. Toyota is a member of open chain. We have automotive grade Linux.

C

Which.

B

Toyota is also a member of a lot of next, so what so, from a kind of a process perspective when, as an example, an organization is thinking about risk and they have membership and a variety of these different kind of risk projects or risk related projects? How does that? How does that work so, like does? Does an organization contribute open chain hoping to see the way that work is specified kind of in the open chain space? Do they hope to see that work deployed in an automotive grade, Linux I'm.

D

A totally.

B

Thinking about this wrong, like is SPD X, just a tool process, sometimes I have a hard time like connecting all of these risk things. What.

C

You want in my head, okay,.

C

So I can't speak specifically for Toyota. Yes, I'm, not a toilet person right, but the way it comes across to me is they participate in various projects that are advancing their interests and, if they're carrying about a certain topic, they're going to try to participate in it. So.

D

For.

C

Instance, Toyota was one of the founders of Alisa safety-critical. They were also you know very strong. You know participant in automotive grade Linux yeah as part of the automotive grade Linux stuff. They were doing a fair amount of work. You know helping to promote open chain and they also promoted open chain into Alisa. Okay,.

D

So.

C

They act to that. They try to cross-pollinate yeah.

D

From.

C

Their interest because they see these things as being part of a solution.

C

That's up not how I read it. Okay, and so you know between us, PDX and open chain and between act right, automation of compliance, tooling, stuff, that's emerging, you know how do we get all of these tools to interact and communicate effectively? Well, that's kind of where some of these you know, standards like open chain and SP DX come in okay,.

B

Right so does does Zephyr it's a project track. What's going on in open chain, zephyros.

C

A project does not track what's going on in open chain, there's members in Zephyr who are members in open chain how much they cross pollinate and how much they pay attention is remember. My member specific.

C

You know yeah, there's, certainly various levels of engagement in various projects, depending on who the participants are, it's all people at the end of the day. hmm You know it's people in management objectives and you know, is there a KPI associated with something and that someone saw someone's motivation? Make things happen.

A

Here.

C

Actually act isn't a risk. Standard act will be a Ritz context, racing context. Okay, in your terms, it's trying to get the tooling to interact properly using the standards.

A

I'm also like when I see the SPD X open chain, ELISA s, I'd, SPD X, twice their integration I, mmm that's sort of the that's something to think about as we develop metrics and yeah.

C

These are all places that you know: I'd eat more than I'd, say SPX, open chain, an act or more than your triplet there, okay, okay, because it's you know what's lets the.

C

Act is when some of this stuff will be part of okay. What flows we want to put in place elites is just at least as specific to Linux and in terms of trying to figure out.

A

And then yeah so so-and-so act is like assembling, basically I, don't know pipelines yeah.

C

Act as well, what that is trying to do is form enough of a structure such that all the open source projects associated with these types of compliance. Workflows can have a place for prioritizing gaps being chilled between them, and you know we can identify what workflows are missing.

C

But you know the data that's going to come in is what we want to extend us PDX out to, for instance,.

B

So from your perspective, Kate huh I I mean I. Think I have a pretty good handle on SPD X. If there was an another.

C

I'm actually gonna challenge you on that. One Matt.

B

Feel.

C

Like you have on SPD x3.

B

Like what the goals of SPD X are just in the sense of providing a standard that can be exchanged to provide right things like pedigree and provenance but in terms of fields, know right.

C

So, what's happening right now is should be coming out this week, yeah.

D

We're.

C

In the last week of the public review period, it's been public all the way along, but nonetheless we're saying, ok line in the sand is out and then we're gonna be pretty active on 300 k3o is refactoring the specification to have the notion of a baseline, where there are certain fields that no matter which stories we want to tell are there, and then we have a licensing profile.

C

As well as some security profiles, as well as a pedigree provenance export so forth, okay.

B

So.

C

What we're trying to do is expand like we took a lesson from what came in from the Japanese and a lot of moments. I'd dspd, x-lite know this is what they considered the minimum viable in order to understand what they've got in their system.

C

Other people, don't even wanna, include- include licensing. They just want. Okay, I want to identify this object and I want to say its relationship to other objects. Okay,.

B

That's.

C

What's effectively going to go into base want to say, has it's been tampered with right and there's an element of integrity? Checking that needs to come into play, I think that's likely to be the base and then from that, what will probably end up doing is building up from there in terms of okay. Well, the automotive manufacturers, for instance, and people are doing, safety are going to need to know who did the builds?

C

What tools were used because that's part of the safety standards you know and having that evidence being able to be generated, as part of you know, satisfying the criteria.

D

So.

A

Is it can.

C

I understand.

A

Where this PDX right now is, excuse me I'm trying to sneeze it, it's really a an enumeration of the things that are in a package or set of packages, and it sounds like the processes that go along to assemble a package or set of packages are. This is that's the significant and add to the 3.0 version of the specification am I getting that right.

C

I'd say that's one of the dimensions of that: okay.

D

Like.

C

For instance, we still don't have a good safety story sitting there right, that's another dimension about not safety. Sorry, security story, s words Monday morning, the security. You know what vulnerabilities do you know about at a point in time? There's a risk story, yeah safe for me to deploy this or not. What follow are known- and you know from my understandings of talking to people over the last couple of years.

C

There is an insurance industry that cares about this sort of thing, and so, when people decide to deploy something, they may or may not get insurance, and they need to know the state of something and so being able to articulate. Oh well right now we have us like CPEs. We can go query the database, okay, you know what points, but we've got no way of recording what that's known at a point in time, right so adding that dimension.

C

This is what is known at this point in time is one of the things that you know as a clear direction. We have to go for risk.

B

Can I make a comment here, so it would probably try to think of how what you think the best approach is in terms of trying to gain understanding from these variety of communities. So I think I can jump on SPD X pretty quickly and get my bearings pretty fast on. What's going on, see I I I've had some familiarity with, and it sounds like it's kind of getting a reading.

B

So is there of that list of Zen and Zephyr and Lisa and act and open chain I? Think.

C

Open chain see Insp DX are you where the standards are being created will influence what we want to be looking at, for what can we put get make sure that gets caught in those standards? For one thing, and what can we extract out? It.

B

Would be worth my time to like participate in SPD X participate in participate in the sense of getting my bearings on how the work is being done in SPD, X, open chain and CII, because this may be some time I can afford. If we hire a community manager.

B

I know.

C

You mean yeah and I think having so we're, probably gonna be forming some workgroups in these areas on the SPD exercise to him. You know, that's I want to close this one and I want to quite frankly get some of the talk with like the reproducible builds in the compiler folk can get that side of it going so that we can get an articulation accurate, a fairly good agreement on these are the fields we will try to get build things to create. So the evidence is there.

C

The step of okay: well, if the evidence is there, what metrics are going to be necessary to look at so policies can get created. Okay, the creation, the policies is where open chain might span into okay,.

B

Well,.

C

So what I think with chaos here and the risk metrics? No, are we catching the right thing? So it's it's not a one-to-one tool and I think it's been real need that loop here.

B

Helped me a lot if I can kind of track. All of these things sure, personally, no.

C

No, no! It's okay! Matt! To spend more time with you.

A

Knowing where to go with with the risk working group, I think I think there's a dynamic and expanding universe of things to think about and they're, clearly more interconnected than then we've addressed them so far, I think it's really the end product and ensuring its assemblage and the safety checks that went into that assemblage that it seemed like they might be part of this same standard like when I read, SPD X to X I read a standard, that's largely an inventory what's there, and this sounds a lot more like an inventory and then the processes that get us to another packaged piece of software and then a separate process for deployment.

A

So it's it's almost sort of following risk across the entire software development lifecycle. If, if I think I'm here, if I'm hearing this correctly.

C

Yeah I think I.

C

Think it is a I think, there's a full set of information about life cycles that are coming into play and.

C

It's figuring out how we can get the information flowing automatically through the system, so the right decisions can be made in risking it mitigated and the you know where chaos is. Is you know what information can be used for policies.

A

And it it also sound, like I I'm sort of trying to see in a crystal ball here, but it seems like SP DX is going to have to incorporate either a series of embedded, schemas or possibly different schemas for different parts of this that have integration points, whereas right now, I can comprehend what SP DX is as a kind of an inventory or bill of material.

C

Want to turn off, recording I'll basically show you a quick video.