From YouTube: CHAOSS Risk Working Group 5/19/22
Description
Links to minutes from this meeting are on https://chaoss.community/participate.
A: Hit the live transcript button, and welcome to the Risk meeting here on May 19th of the year 2022.

A: And first, we had a long discussion last time about legacy patch support that Lucas Guns led us through, and it required a lot of thought on my part, and I still am not sure where I land on what to do with that idea.

B: A little bit of remnants in that, but mostly I like, generally, what Tidelift is trying to do with these types of pieces, which is just kind of create more awareness of it. And so for me, I shoved it in the chat. I found it was like, oh, these are things that we're already talking about in Risk. It's always nice to see how someone else has approached the same problem.

B: Yeah, I was like, what is this? It is marketing, yes, they're trying to sell the tool to people, but on slide 12 of that deck that I linked, it's key factors when choosing open source packages that they had listed out. Things like: acceptable license; how much activity is happening; how responsive are maintainers; how established are documentation and policies; how welcoming is the community; number of disclosed vulnerabilities. So these are...

A: Yeah, that's why I realized if I disabled Privacy Badger, I might be better off.

B: Oh yeah, I mostly just wanted to raise it, because, again, I like seeing how other people approach the same kind of conversations, and this is just an example of that. And so in my head, this is sort of their risk model that they're coaching their customers through in terms of open source package selection.

B: I think responsiveness was an interesting one, because we did talk about that. I think, I want to say, there's another metric that is also looking at responsiveness in one of the other working groups, whereas ours was looking specifically at defect responsiveness, yeah.

E: Right, right. I mean, in the course on developing secure software, we list things to look for, but we're focused more on security.

E: You know, things like, are they active and such, but also things like, do they have a badge? Is it, you know, the whole idea of multiple, is it multiple people or an organization? I think that covers many grounds, because it's both sustainability and also, if somebody goes rogue, can somebody else do something or at least notice.

E: Yes, other than, gee, all my data has been exfiltrated, my bitcoins are gone. That's the incorrect mode of observation.

E: Yeah, I'm overall familiar. I mean, basically, they pay certain developers who have to sign a contract, and then various folks pay into Tidelift. So it's, I mean, I actually think they're interesting. It's a way to try to get money out to open source developers who might not otherwise.

B: So something like maintainer responsiveness is something that potentially they could be directly incentivizing, as Tidelift, with their lifters of projects that are within their purview.

E: Right. I mean, I have no, I have seen no moral objection to a reasonable contract: I will pay you X, you guarantee Y, as long as all parties are aware of the exchange, both parties are understanding of the exchange of dollars for services. Seems perfectly reasonable, but it is different. That's okay, different's okay! I would definitely worry about, is this, you know, do the people agreeing to it actually understand it? Are these reasonable requirements? At some point we have to let adults be adults, but...

A: When I hear service level agreement, I mean, I think that's why companies who create commercial versions of open source operating systems, for example, are paid a fair premium for the services they provide, because they have entire organizations that are able to ensure that service level agreement. I have a hard time trusting that any individual will always be able to fulfill a service level agreement.

E: I mean, Red Hat's probably one of the more capable, you know, open source players, but if you gave it something where, oh my gosh, you have to rewrite the kernel, I mean, there's a limit to what anyone can do. But that really comes back to my concern about, does the person who's agreeing to the SLA actually understand what they're agreeing to? I mean, I could...

E: I could agree to an SLA of two weeks for certain things, especially if there were exceptions for a grave illness or something like that. I mean, I would have to coordinate with folks, but how's... I don't... I haven't seen the specific text of their agreements. I know they exist, but I can imagine such an agreement would be possible. I just, you know, they would have to figure that out.

B: What behavior are you incentivizing by doing this, and could it have other ramifications for the project? Like, something I would think of immediately is, if you're getting paid to ensure that the product is up and running, then are you spending as much time as you should be on things like documentation and onboarding of new individuals to the project? So when you decide to step away... I don't know, like, it's just a question of what.

E: So it's a lot easier for a group to agree on that, and now you've got to get agreements between the people in the group, some kind of... but I mean, that's actually how organizations work too, so companies work too. So these are painful and awkward and normal problems.

E: It would be easy to keep it secret, but my guess is that they want to work with a whole bunch, and, as Benjamin Franklin observed, two can keep a secret if one is dead. So the more people...

E: Person he had a way with phrases, yeah. So basically, you know, it gets really, really hard to keep a secret the more people have to keep the secrets. My guess is that it's not worth it to them to try to keep that secret and...

E: Not worth it to try to tweak it for every single org, because the scalability gets awkward then.

A: There are some metric updates. We have some tasks, possibly, to update our metrics. I don't know if we have gotten our feedback yet; we did not get it as of the last time, and we still don't have it. I don't know who owns Risk as a review, but we have not been reviewed yet. So, as most of you know, we're going through older metrics and ensuring that they're up to date, current, look nice, or correct.

A: I think, absent Lucas being here, I don't really want to engage in the legacy patch support discussion.

B: Yeah, I kind of saw it as, like, an extrapolation of metrics that we already have in terms of just supportability, whether or not someone is actively supporting something or not. His case was particularly on versioning, so, like, supporting older versions.

B: And so sort of the question was, for a lot of legacy systems that depend on older versions, they're also depending on constant patching of those older versions, and essentially assessing just that portion of things versus overall patching support across all versions of a product or project. Rather, so I don't know if it made sense to have its own metric versus, if it's something that he thinks is really important to discuss, perhaps it's something where we describe how, basically, to use the metrics we already have to suffice for this case.

A: Yeah, and I think that's... I kind of landed in the same place, that I think we have metrics that can sufficiently answer the questions that he presented last time. Maybe, since he's not here, maybe table that. My next question would be, what are the components of risk in open source software? And it's a very significant topic right now that CHAOSS is well suited to help address, compared to the OSSF or the other organizations.

A: So it's kind of a big question, but where can CHAOSS's Risk Working Group prove to be most useful in the open source ecosystem? Is the continued definition of metrics the place? Is the development of metrics models or software components the place? I ask, I throw it to the crowd, and we have a nice crowd here.

A: And I'm biased, so I'm glad that you said that, Kate, and I didn't, because my sense is making the metrics that we do have related to risk visible and part of the community discussion and the awareness of people who work within CHAOSS and within this working group and beyond, making those more visible, I think, may be one really important piece of work that we can accomplish.

E: I have a crazy idea. It'll take me a moment. We can keep talking about some other things, but if you want to pursue the broader question, hey, what would be useful in the fundamentals course on how to develop software.

A: I can add that to the... it is, it should be in the chat, but let me add it again. I...

E: Going to do is, I'm going to add actually two links. Oh, how's this: I'll first add the actual link to the materials. So, boop, give me just a second. It's actually, you'll be shocked to know that the course materials are managed on GitHub.

E: Course material here, and sorry, I can only... okay, now what you're seeing here is an entire course just presented as text, as a big Markdown file. Okay, now, within that there is, should...

E: It is, because it's about 16 hours' worth of course. So, let's see here, so let me pop to the specific section that we actually care about, something about evaluating, open, or evaluation.

E: I may actually have to find the section here. Anyway, what I'm thinking of is, you know, when we talk about something else, while I go find the ref. But what I'm saying is, why don't we, in a moment, once I find the section of the document, I will pull out just that part. Maybe I can even copy and paste it in, and then we can talk about how metrics might be able to support those things. Does that sound like at least a reasonable area of discussion?

E: Give me a second, because I wasn't prepared to do this, so I'm doing this as quick as I can. Somebody stall for me, please. Yeah.

E: Let's see here, we actually... there's actually another one too. Now this one's even newer, oh, and it steals directly from the course. So, all right, so basically the Best Practices Working Group is taking... you know, note that it is actually taking that material and trying to turn it into a short document.

A: What I'll say about this document, just looking at it quickly, is it sounds like a process-focused checklist for evaluating risk associated with open source software in your stack. That is sort of an elaboration of how you might go about applying metrics; it's a manual to metric utilization and risk, perhaps.

E: If you have a metric and it doesn't support a decision, I don't care. I can count the number of e's in my dictionary. It's a metric, don't care, okay. So the problem, of course, is that we've got many, many decisions that right now have to be supported purely by manual approaches, because we don't have good automated metrics.

E: Yeah, I mean, it's messy because it's an early draft, but I think, you know, it is simple, and probably for our purposes it's a Google Doc, so it's easy to copy and paste into our notes.

E: You know, "proceed to manual review" doesn't really add any value, much value there. I mean, it could just have been in one line: look at their... get the scorecard value. All right, should it be added at all? I don't see how you can do that with a simple metric, believe it or not. Last commandment...

E: Last commit date. That is a ridiculously simple measure. It's not crazy!

E: It doesn't quite... it's deleted, but I will observe that there are other languages, particularly Rust and Ada and Fortran, which run just as fast as C and C++, and for a lot of folks it doesn't matter that much, and Go and Java are fine, but...

E: Yeah, they are working, they are moving towards Rust.

E: Here's one in C, here's one in some other language; the C one's more risky because you're going to have, you know, almost triple the number of vulnerabilities on average, because most vulnerabilities are caused by weaknesses in those languages. Now, if you don't have a choice, it does make your decision clear, right.

E: By the way, what happened to... what was deleted in your original? I'm curious how the C and C++ one wasn't actually deleted in the original. So what, or at least suggested deleted.

E: That's true, and you can create weird common blocks in Fortran, but typically when you're using Fortran you're not using one of those odd variants. Yeah, you're right, there are some, you know, if you use a modern Fortran and add the pointer stuff, but I'm sure it's somewhere. I don't think that's the usual case, but the problem isn't just pointers, it's the safety of them. Anyway, you know, my point earlier was review the last...

E: All right, review the last commit and its date, number one. I mean, the obvious metric is measure the date. If you don't want to measure language, that's fine. Let's move on to number four! I think we're... I don't want to get stuck on that. What I just want to do is look through this list and see if there are potential metrics that would support these kinds of questions. Does that make sense?

E: So your number four is: is there evidence that the developers work to make it secure? We already have the best practices badge, the scorecard, that's a different group.

E: So let's see here: use of tools, an assurance case. Does it have a security review?

E: Some of these are probably either they already exist, or it's a little tricky. Are there instructions on how to report vulnerabilities? You might be able to measure that, actually.

E: I would not run a project that way, but if people do, then using a GitHub issue is fine, but that means you have to tell the world it's okay to report a security vulnerability there. So what you're looking for is, are there various indicators in various documents that say: here's how to report a security vulnerability.

C: Yeah, so the CVE, the CNAs, have a process, and I think, trying to steer towards following what they... which is having an email ID at the minimum that is going to a secure group of people. And so I would basically take this from the CNA best practices, and I'm trying to line up with them where I can. I don't know if anyone in OpenSSF is trying to create yet something different. But...

E: There is a group within OpenSSF called the Vulnerability Disclosures Working Group, which has some practices that they suggest for reporting.

E: I'm not sure that's to the point where you can easily measure it, but maybe that's the thing to do, is make changes in what they say so that it's easier to do. But they do have, like, a template for, if you're an open source project, slap this sucker in. And Kate's right, usually the way is you tell people, if you find a security vulnerability, you send an email to this address. If you're a larger organization, it's probably secure or security at blah, blah, blah, blah, blah, and if you're an individual...

A: So it seems to me that... I requested edit access, or at least comment access, on this, but I'm seeing, I think you said this already, David, but there's cases where we could point to existing CHAOSS metrics. That would...

A: And there's other cases where... and then the other side, right, is there are places where we don't have metrics, and we would either... I think we can either cross-reference, for example, to something like the OSSF Scorecard, or put a metric that we don't think another working group inside the foundation is going to address onto our... the word "bucket list" came to mind, but that's not the right word.

A: The, you know, to-do list, I think, is better, yeah.

E: Yeah, so I mean, how's this: if you can skin that cat, there's a whole lot of people who want to hear about it. Oh, and Kate's already going to be excited, because number eight is about software licensing, because it does turn out that licensing matters. Okay, Kate, you might already know that.

E: Not convinced about the forks, but, because there's, you know, it depends on how the project works, and not everybody's underground. But if people make issues, that doesn't mean it's maintained, but it probably means it's used. That's fair.

A: No, and then there are projects that track downloads, and if you own or have rights on a project, you can see the number of clones, and if it's distributed, of course, through package managers. So there are different ways to get at it. But there's not a consistent way.

E: Yeah, and you always have these weird ones, like the number one, I believe, is it the MySQL database connector? It's one of the database connectors, I think it's MySQL within JavaScript, sounds...

D: So yeah, they...

E: Obviously terrible, don't waste your time. If it's looking, if you're unsure, but it's plausible, you know, there's your next step. But okay, yeah. So from that sense, yes, I'd agree with you. But more broadly, so you asked, hey, what could this group do, and I came up with a list of questions which would be awesome to have more and better metrics for.

A: Augur. Augur gathers the data. The question is, I can't remember if we created a metric for it off the top of my head, and since we're out of time I'll just take my action item and thank you all for a very productive Risk Working Group discussion.