From YouTube: CHAOSS Risk Working Group 8-5-21
A: We had at some point put the link to the spreadsheet where we had all of our ideas.

B: Sean, if the presentation is highly likely to be accepted, I suggest that we spend the limited time here basically trying to collect some brainstorm ideas of points that are important to include.

B: Then you or somebody else can try to turn it into a first cut, and then we can beat on it either offline or in another meeting. But you know, since we don't meet that often, it won't take long for us to suddenly run out of time.
B: A place to put this, a Google Doc or something else where we can just note down our, you know, suggestions, put things down. And Sean, I'm assuming that you're going to take lead on turning it into a presentation and come up with a first cut, and then come back and we'll beat on you. I mean the presentation.

A: Yes, I'll, I will be drafting it and, okay, getting, I'll.
A: I mean, I grabbed it. These are the, so what we have, our previous discussions, and that's linked in this other Google Doc, and I'll bring over the panel. That blue is the panel idea we're going to focus on, right? No.

B: A panel is easy. You show up, you talk, unless somebody is presenting, and even if you're going to present, usually panels, you have like a five minute talk just presenting your own view, and presumably people can present their own views in five minutes easily enough. Now, I think the issue here is this broader metrics talk, because you're in many ways trying to represent this group, right?
A: So yeah, I'll open up Kate's document, which I have now, and I pasted a link, and from that link I think I can paste the abstract.

A: So these are the notes that led to the abstract, and I had, and basically above this line is largely what was submitted as a panel instead of a talk, but the final narrative of it is just refined. It's just there's editing that I did just to make it sound a little more perfect.

A: Awesome, and so we should talk about how we want to talk about this, and if we want to do it as a group presentation. I kind of, okay, I don't know, how do people feel about that?
E: Yeah, I think it's only been set up to accept one presenter actually right now, but I think us presenting, you can only go. You can give us credit when you, you know, what is the risk working group, if you want to? I don't think we need to be standing on stage, though.

A: So I think nominally we want to communicate the complexity, and I think that's partly visual, of what dependencies are and how they can come into existence in various ways. Like, as we work through with the Google Summer of Code students to be calculating libyears, there are libraries that say it has to be less than or equal to a version or greater than a version. And what do you say the libyear is on that? I mean, most package managers will just use the highest level version that it allows.
B: Well, sort of. There's actually not choices that you're making. If I depend on, let's walk, rose, we're going into the weeds, but this is probably important, since it's kind of central to the dependency issue, is the versioning. I mean, libyears is supposed, I'm interpreting libyears as what are the versions that you're using versus the version you should use, and that's the definition, but unless you have a good reason otherwise, what you should be using is the current version.

B: As you know, allowing it more likely involves some code changes, so you can, or must, or as updates to the more recent version, but it's perfectly reasonable for a system to, because of the set of dependencies. In fact, that is the problem, because the set of dependencies you use, some of them are forcing the use of old versions, and the point of measurement, not just libyears, but measurement in general, is to alert you of that state so that you can.

B: Decisions, because I view measurements as, the point, measurement isn't for amusement, it's to help you make better decisions.
A: Right, right, and then I mean the complexities that we've identified, just maybe the focus should be. We had like a few minutes of, we had these discussions, a solicitation of other experiences that other people have had in trying to resolve these challenges, and our proposed minimum viable metrics, and why we think those are the minimum viable metrics.

C: Yeah, I'm also just kind of thinking, what do you, so you mentioned in the beginning, what you want to get out of it is for people to recognize the complexity of this, but there's a second part: that you want them to help with this. Or do you want them to test it? Do you want them to challenge it? Do you want them to present their own ideas? Like, what is the ideal outcome from sharing this information?

C: I was just pushing on it just in terms of the thing that we're trying to convey is that there's a rapid acceleration of this as an issue. So we as a community need to take an approach, or just like, take some kind of recognition for this being a problem and to start to explore ways to turn this into something that's manageable versus untenable.
A: Right, and I think then that sort of leads in naturally to the minimum viable metric idea, where we have this core set of things that we think can be measured consistently and would provide a shared sort of reference point.

A: And there's, and there is not a clear, there's been, we've started a few conversations, but we haven't, there's not a clear differentiation between like security work and understanding dependencies. Security work: dependencies surely affect security work, but security work encompasses more than dependencies. Is that fair?

A: Right, yeah, yeah, absolutely, and I think dependencies influence, or they're an input to, analysis of system security, whereas I don't know that security concerns, I suppose, are an input into how we evaluate dependency metrics. Like, libyear has a meaning to somebody when the libraries they're using are so outdated there are clear and present security risks.
B: Well, I know this is as broad as you can make it, but I mean there are actually official definitions of risk. I'll have to jump up, jump one for you, but let's see here, define risk, and typically it's defined in terms of probability and impact. Yep.

B: Okay, whoops.

B: We got two of those. What? Okay, so you want ro. What is wrong, yeah? I wouldn't do that first, by the way. I would, you know, what the heck is, what is, yeah.

A: Yeah, yeah, I'm just. I think there's also this: how embedded are different risks in my organization? Like, I can identify, there's a project-by-project mindset about risk, but there's also an OSPO mindset about risk, and those are two very different things, and I think there's a third emerging mindset about dependencies and risk inside of corporations that are not traditionally open source contributors, but they're just like insurance companies or, I think.
E: Insurance is the right word, insurance, because I'm seeing a lot of resonance on insurance happening in supply chain now, so maybe work on the word insurance here. But you know, I'm seeing a lot of discussion too that we need a way for consumers to understand what's really happening, and you know, who can actually tell consumers whether something is secure or not in the dependencies and so forth. So some of these are factors that will eventually be used in insurance discussions, I think. Like, what is the, what is a Consumer Reports happening for security, yeah?

E: Like, can you trust this or not? That type of thing. It's more than safety, but yeah, it's less stringent than safety, but I think we're going to start to see, you know, have people made a conscious effort, and we're starting to see criteria where I think people like Consumer Reports and other groups are going to focus on some metrics to look at and compare across products so that they can give a read for security. They can give a read for other things.
A: Yeah, and I've actually given a couple of talks to, research to, the insurance industry, and they're very wildly regulated, like there's no consistency across state lines.

A: Yeah, and they do things that are, they interpret. I mean, like so, for example, we're not supposed to use things like credit score to determine insurability in some states, but they not only do that all the time, but they also look at your Facebook profile and your Twitter feed. Like, insurance companies are incorporating those things inside, so from a risk perspective.

A: What do we create? There's a potential we measure something that ends up undermining a piece of software that's just fine.
B: And you know, the DoD has a reason to worry about risks. You said, I really, you're being a little facetious there, Sofia, no, no, Sophia, I'd say everything. I know you didn't actually mean that, but I think what I tell people is: if it's currently happening, it's no longer a risk, it's a problem, and you have to solve problems, but now it's not a risk anymore. It's already happened. The point of risk management is to identify and eliminate them before they become problems.

B: Seem to think that, oh, I now have a problem, that's a risk. No, no! The risk was that you failed to think about risks, and now you have a problem because you didn't anticipate the obvious in many cases. So, but I think that's the, I realize you were being facetious, but I really do think that this proactiveness of looking ahead is kind of the key to thinking about risks. The whole point of thinking about risks is so you can be proactive and fix things before they become problems.
C: Yeah, also, I'm just like, I guess for me, part of my, like, the stickiness is that I used to work on risk models from a business investment standpoint. Everything was quantified to a dollar amount, like an.

C: Like, yeah, it's like if something could go wrong, it's just, it's gonna cost more money to deal with it, so everything gets a dollar amount associated with it, whereas in the context of open source, yes, there is funds flowing, but that isn't actually how you're equating things. So I'm just kind of trying to wonder what is the singular currency that things get equated back to. It's not, if it's not always, it's dollars, still those dollars.
E: Yeah, like so, you will find articles out there, from the cost of SolarWinds and things like that, you know, where serve hundreds of millions of dollars type of deal, where they have made the estimate of how much it took to resolve some of that, and that's all supply chain issues that have happened in different ways, and you know, they had dependencies and the dependencies were corrupted.

C: So I guess then it's really changing the view of who's accountable for paying for that problem. That's different, whereas in an organization you're assuming all risk of that, because you've made that choice, whereas in an open source supply chain there isn't as clear of a delineation of accountability, of who pays for the resolution. No.
B: Yeah, now I will say that a lot of people, it is a big struggle to do that estimate of the, I mean, you know, mathematically it's easy! You multiply the probability by the loss if it occurs, you know, there's your expected value, right? We're done. I've even got some books about this. If you give me a moment, I can dredge them up where they do.

B: There's actually been some interesting models that do this, but regardless of that, even if you don't know or can't justify it, knowing that there is going to be a potential expected cost. Now there are some nuances we may or may not want to talk about. One is that for a lot of organizations, those who bear the costs are not the ones who are making money.

B: Basically, you know, users are the ones who end up with the costs. Does that mean the money flows up to the developers? Well, no, and so the developer's not expecting to have any cost. You know, oh, I put a buffer overflow in, am I expected to get sued? Probably not.
B: Now you have a different conversation, right, right, but yeah, absolutely, well. The good news is that's not limited to open source. Most of the proprietary or closed source licenses also disclaim anything, so, see, we know there's no need to do any work, because the costs are entirely borne by the customers.

A: To the problem solved, so if there's a process for us to follow here, to make sure that, you know, this comes off to communicate a really complex series of conversations.
A: I've been frantically texting my wife for 15 minutes, could you get my charger from the car, but our children are active, so, like, they're just in the restaurant, but Lord knows what's going on. What I was saying is I could put together like a draft organization of what the presentation structure of the session might look like, and then share that with this group, and we could go back and forth asynchronously with it, maybe even create a temporary Slack channel for this discussion.

A: I don't know if that, I don't know if it's like another Slack channel, no, no Slack channel. How do people prefer to edit or ping each other on these Google Docs?
B: Yeah, you can tag the person in the doc, although really I'm expecting, Sean, I'm guessing that you're going to be creating an early draft deck, and then I would propose working off that. I mean, right now I think we're brainstorming, we're trying to get the, keep some key points. You're gonna go off, create a magic version, and then absolutely, you know, announce it to everybody.

B: I will note that mailing lists are probably the better way. It's very hard for me to track 3,000 Slack channels.

B: Yes, search for me, attracts 3,000 emails. Oh well, it's easier than 3,000 Slack channels, because email actually.
A: Yeah, all right, like yeah, I'll use. No, then, since there seems to be some preference there, and all in some of the other folks like Mike, Mark, I can't remember his name, from Microsoft, as well as Dwayne from Indeed, discussion, because I think they gave some really important contributions to what we all ended up presenting here.
B: So Sean, here's what I would suggest: you're gonna take this doc that we wrote, where you're gonna create a slide deck from it, announce on the mailing list, "I got a slide deck," include the URL so we can go see it. If you want particular people to work on sections within the Google Doc, you can just say, you know, highlight with a comment, say @somebody, and that will kind of assign, hey, look at this, please do this, what's wrong with that. Okay, and that way we don't.

B: We don't have to try to do the minute, you know, tweaking with any mailing list, which doesn't make any sense, but the general announcement of, hey, I got a first cut, and I would try to get that done. If, you know, I'm happy to schedule your time, but you know, I would suggest trying to get that done soonish, yeah.

B: Because whatever you come up with as a first cut, once you have some structure, we can make a lot, make progress on.
A: Okay, and I do, I think, is it all right, or does it seem overkill, to try to also have a corresponding sort of, to keep the elevator pitch in front of us so that as we go through and make the edits that the?

A: Yeah, yeah, I agree. That's, today's Wednesday, I, Thursday, yeah. I certainly have a few other tasks like this that need to get taken care of, so this will be right in my wheelhouse of things I'm doing this weekend, and I'll get it up early next week.
A: Okay, that is what I will do. We're at Simon for the third time this summer, I'm randomly in Illinois between Chicago and my home during this 2pm Thursday call, and there's absolutely no coordination or conspiracy here. So I do not believe I have any travel plan for the remainder of the year until I get to OSS Summit North America, assuming I'm allowed to go. I think I will be, though I think it's easier for me than a corporate person.
A: Yeah, well, what I can tell you as a survivor of the Delta variant, being the hotbed of that here in Missouri, is you're tired for two days, you have some intestinal difficulty, and then it's over. Like, if you're vaccinated, it's just an inconvenience, no more or less than the flu, but I guess they hear their. You know, if there's new variants that get worse, then that's a different problem.
A: Yeah, I hear ya. Well, thanks for a great meeting for the Risk Working Group. I think I let us go over time by only one minute today, which is, I think, a record. So I will see you all, you'll hear from me early next week, and we will talk again two weeks from today, whenever that might, I guess, four plus four, teams on the 18th of August.