From YouTube: CHAOSS Risk Working Group April 13 2023
Description
Minutes from this meeting can be found here: https://docs.google.com/document/d/1iqIMpLBwuKSnE0BbQTgbsb9Im87IoN7IUzukochClCw/edit?pli=1#
A: Okay, this is the group meeting for April 13th, 2023, not 2013. I'm a decade behind. Yeah, go ahead and start with the announcements.
B: Yeah, no, it is that we finally have a deps.dev API, so I was pretty happy to see this launch, because this was one of the first things that I heard as feedback from the community: like, it's a really cool UI, but can you just give me an API? And I passed along comments from this group, from Dwayne, from folks that I spoke with, and they did it.

B: So that always makes me happy, when clearly they listened and offered that up to the community. So I'm excited to see how people use it and see how helpful it is, and hopefully it means that there are others that are going through and trying to aggregate this information on their own who don't need to anymore. It's already there.
A: Yeah, so I actually went through, and this is part of the note that I posted in the risk channel in Slack, and yeah, I was pretty pumped, I could say.
A: One of the things it does is it shows the CD Easter packages, and there's a clear navigation from the package manager to the GitHub repository or other repository, which hasn't really existed anywhere in a clean and easy-to-use way before. And it runs OpenSSF Scorecard as well. I was pretty excited to see that. If you hit this, you can see it's...

A: The Scorecard data for React, which is awesome. I don't know how often it's run, but one thing Augur does right now is we run the Scorecard; now we could just call this API instead. I also like its enumeration of the dependencies in a project and the versions. That's also something we manually scan for now, and we wouldn't need to anymore. And you can get really detailed information on specific package versions, whether it's the default, I think it was. Was it this one or this one?
B: I think it's impossible to actually have everything, because everything is growing, and there's probably some mathematical equation that talks about how much we can aggregate in a constantly growing set of information. I don't know, David, I feel like you might know such things, but I feel like that's impossible. I don't know.
A: And that's important.

C: That is important. It's a well-known problem with the CVE. I mean, to be fair, historically with the CVEs the assumption was that humans would read them, because there were only a few dozen a year. Yeah, that failed, and so there are options for recording information for mechanical mapping.

C: But a lot of people don't use them. Some people use something called a CPE identifier, but most projects don't have a CPE identifier, so OpenSSF has a project called OSV which actually tries to connect between vulnerability reports like CVEs and specific projects, so that you can mechanically map them.
A: Well, what was just very timely and interesting to me is that Matt and I were actually having a conversation about libraries.io recently, and why people do or don't use it, and he turned me on to it, and so I did a little bit of looking around. And I think you've mentioned this before, David. That's the NVD database.

A: Okay, yeah, and so I was actually playing with this API yesterday, but I didn't actually open up...
C: Right, I mean, lots of people look at the NVD, and, hey, I'm glad it's there. My concern with the NVD has always been this: please, we need clear, mechanical mapping from a vulnerability report to the software that's vulnerable, every time. If it's not there, I don't care, please throw it away.

C: Tell me when you're ready to tell me about a vulnerability. "There's a vulnerability in there somewhere, but I don't know where it is" doesn't make any sense at the scale of today's world. And the sad thing is that they're doing almost all the work except this little piece.
C: Yeah, what we want to do is the other way: here's a package, where is its source repository? Because a single source repo can show up in many, many different package repositories, but you should have a one-way link from a given package repository back to a specific source repository.
C: I'm sorry, well, okay! Well, it's actually broader than that. If you get a CVE, what you get is a text description of the program that's vulnerable. Now, what you might get is a CPE ID.

C: I'm a big fan of package IDs for this purpose. They're not perfect, they've got problems, but they're the closest we've got, because then they can say things like: in Maven, this specific name has that vulnerability.

C: Now we're talking. Okay.
C: Maven, this particular package name, this particular version. They are working on version ranges; that's the big weakness of package IDs right now, but at least they've got a way to uniquely identify a package, a compiled package, and not just a source repo.

C: You'd have to hunt. I mean, very, very few open source software projects have CPEs. OpenSSL does. I know some big ones do.
C: Well, right, I mean, pretty much every system. So what you're going to have is Fedora's repos and RHEL's repos and Debian's repos and Ubuntu's repos, so OpenSSL is going to be packaged in a lot of different repositories. It's true for most system software, actually.
C: Well, that's why you need something like package IDs, because what a package ID is is a package URL. I'm sorry, I misspoke: package IDs, I mean package URLs. Now, package URLs are URLs that refer uniquely to a particular package, and so you can distinguish: do you mean the npm one? Do you mean the Fedora one? What are we talking about?
C: The OpenSSL that you're familiar with is written in C. It's not going to be all by itself in npm, right? That's JavaScript. The odds are excellent that the npm module called openssl is a shim that then calls the actual OpenSSL, and that matters, because it's quite possible for, say, a JavaScript interface to have a vulnerability and not the underlying program. Yeah, okay, and so you need to be able to distinguish between those cases.

C: Right, you have to know what the CPE is before you can search for it. I mean, that stands to reason. Yeah.
A: Okay, so when I just asked for low vulnerabilities and limited my search more, I got some descriptions.

C: Right, right, well, but the thing is, remember this was designed originally for all software, proprietary or open source or closed source. So most closed source folks, they're not going to release their code, so that wouldn't have made any sense to them. They want to know what program, what is the executable, that has the vulnerability, what we would call a package.

A: Yeah, yeah, and under a different having.
C: Well, and I would say it's not that the NVD doesn't scale. Okay, I would say, yeah, the NVD is of some use. It reports vulnerabilities, known vulnerabilities.

C: Yeah, the naming authority for CPEs. I think there used to be somebody else, but imagine that: congratulations, here's the job. Every time you've got a vulnerability, you need to assign a CPE to whatever it is that's vulnerable. Yeah, there's several million. Oh, and by the way, you have no money.

C: So what I tell people over and over again, because I used to work with the government, is you have to remember: NIST is not a money source, it's a money sink. Someone has to pay them to do stuff. That's not necessarily a bad thing, and it has some good people, and they've got some good support people.
A: Okay, well, what's really interesting to me about both of these things: deps.dev, even though it's not complete, does cover some very large package managers and gives a lot of useful information. It seems to imply that it will provide vulnerability information in some places, but I haven't looked at it close enough to know if that's clear. This NVD database seems hard to connect directly to a piece of software and, as you mentioned, Dave, it doesn't.

A: There's a lot of open source software, actually, that has CPEs, Sophia. I guess I'm just curious, to expand the available data in the deps.dev API, might there be some... I guess I might ask someday if the code for creating that database would be open sourced; then it could be expanded.
B: That was the second most interesting thing to bring up from when I talked to folks about it, mostly because it's kind of listed as an open source support tool, but not actually open sourced, in the sense that it is a closed model. It's not a collaborative model, and so I think it's worth raising again. I've brought it up before. I'm just kind of curious to hear if that has any place in the roadmap.
A: I think the thing that they've done that is really powerful is getting to these... I think it's this one.
C: By the way, yeah, I don't want... My goal is not to derail anything, but specific to that problem, it's a well-known big problem. I and many other people actually signed a petition, and I just included the petition in the notes here.

C: Also, we actually talk about what to do in those cases too, but it's a signed petition by folks, analytics foundation and OWASP and lots and lots of other folks. Okay, so they're aware of the problem. I mean, we've got SPDX and Red and various, you know, ION Channel and Oracle, and OWASP and the Linux Foundation and the Mayo Clinic, among a whole bunch of people.
C: Whoops, I just... it's...

C: Basically the problem is we can't map anything. We've got this big vulnerability database that can't be used because it can't be automated, and everybody agrees that naming is hard, and we propose... Yes, we admit the problem, and we specifically recommend purls, and we have some suggestions, and for hardware we suggested GTINs and GMNs. That probably doesn't matter to you, but basically, instead of noodling on the problem forever and having nothing useful.
B: Well, I'm just kind of curious in terms of: if the petition is closed, then if there's something... I feel like there are potentially more folks that would agree and either promote and/or continue the conversation. Is there any avenue for that, or is this just sort of "if we know the people that are interested in changing this, we know where to find them" kind of thing?
C: I don't... if you can think of another way to cause action, please do it. You don't need my permission. This particular petition, I mean, I'm a cosigner of it. This particular petition was born out of a frustration that we keep telling the US government, specifically the US government, that you're doing a lot of stuff. It's almost useful. If only you would do this one thing, it would be useful, but you won't do the thing that makes it useful. Okay, and part of the argument was: it's really hard.
C: Okay, that's why they created the CPE process. If you identify things... All right, I got that it's hard. This is the best available solution. It's not perfect; use it anyway. And so you have a whole bunch of people, they know us, wrote this letter, you signed it, you sent it in, they're aware of it. Nothing's changed, and in the end only government employees get to make the decision of what the government does.
A: What would be the first one, and then the second thing is: are there some things that OpenSSF... what might be the right way to collaborate with OpenSSF to enable some of the things that they're doing to also be formalized as metrics, or work that they do could be referred to and constructed within a metric and then somehow connected to the toolset that we're using? So, for example, okay.
C: So I can quickly respond, because I'm deeply involved in all those things. I mean, I'm at almost every OpenSSF meeting, I'm certainly at every dashboard meeting, almost every Scorecards meeting, I lead the Best Practices Badge, so... Yeah, I know you're super involved. I'm all involved in this stuff, and I'm here too.
C: So I have opinions about this, and that doesn't mean you have to agree with me, but let me try, at least how I've been operating. Obviously the Scorecard has tried to identify some very simple heuristics. They scale from zero to ten and measure that. Okay, the dashboard is a broader effort to take metrics of different kinds and present them to users to help them figure out what's the risk level, things like: hey, do you have recent contributions?
C: The long-term goal is that the dashboard will be the point where that data is tucked in, where it brings in Scorecards and the Best Practices badge and lots of other data to help people make decisions. Okay. Now, how does that relate to this group and CHAOSS in general? Okay, my view is that CHAOSS in general, especially this risk working group, basically does deep dives to help identify some potentially useful metric. Okay, you drill in, try to figure out exactly how to measure it. Where are the problems with measurements?
C: How can we try to counter some of those problems? No matter what you do, any metric can be gamed, and there's always the risk, in particular if you only have one metric, of driving the project to the metric instead of what's actually important, but you can make better and worse metrics. And so the goal, at least the hope, is that CHAOSS, this group in particular, has a better metric. The dashboard folks are going to grab whatever metrics they can find, absolutely. I've told them.
C: I've pointed them at CHAOSS a number of times. I believe they are planning to reuse some CHAOSS metrics. I don't... right now they aren't using some of the tools like Augur and so on, but I think they are thinking about it. Right now they're just trying to come up with some basic evolutionary prototype that they can use, and basically what they're planning to do is: we're gonna define a whole bunch of metrics, implement it, try it out, repeat, repeat many times.
C: So basically there's a dashboard project, I guess, where basically they're taking that as their first step, and the plan is they're going to start... for various reasons, they want to start over. Okay, and so they're re-implementing a whole new dashboard, but they're going to use the current prototype as basically the first version. What they had was kind of a throwaway prototype. Okay, we learned some stuff. Now let's make an evolutionary prototype, and so on. Oh yeah, if you go to metrics.openssf.org.
C: Hopefully it's still up. Yeah, well, okay, I think their certificate expired. Yep, yeah, go ahead, accept the risk.
A: Yeah, I think that there is... there might be... sometimes at the server level they block HTTP requests, so it could even be their server. Oh, there we...
C: Go. There we go. Yeah, yeah, I think it shuts down after being up for a while.

C: There's that, it says HTTPS, interesting. Oh yeah, it's just an old cert. That's the problem! Yeah! We need to turn... well, yeah. The problem is we're not really being serious about updating this, because it's about to go away. Yeah, so this version was basically a Grafana instance; all the work's actually being done by... okay.
A: Yeah, we certainly have... the CHAOSS tooling has most of that available as well. So there's a way to collaborate there. We are out of time, and I have to teach a class in nine, eight, nine and a half minutes. So, okay, take care. I think next time, hopefully, we can all still be here, and we can work on a metric model together, and if there's... when is the dashboard meeting for OpenSSF?