►
From YouTube: CHAOSS.Risk.May.22.2020
Description
CHAOSS.Risk.May.22.2020
A
A
D
A
C
And
it's
not
and
it's
asking
for
an
s
bomb,
but
that's
about
it.
It's
a
binary,
and
so
I
think,
there's
a
questionnaire,
a
self-assessment
and
I
think
the
I
think
just
basically
the
same
way
with
ci
we
trigger
off
of
the
questionnaire
there.
I
think
just
triggering
off
that
has,
you
know,
has
the
has
the
participant
self-certified,
but
it's
at
a
company
level,
not
at
a
project
level.
A
A
C
A
E
C
A
C
C
You
know,
we've
got
metrics
in
other
areas
which
are
talking
about
you
know,
is
it
dominated
by
one
big
company
or
not,
and
things
like
that,
and
you
know,
maybe
a
nuance
in
that
area
might
be.
Is
the
company?
Does
a
company
have
a
history
of
knowing
what
to
do
about
open
source?
I.E
an
open
chain
might
be
a
way
of
assessing
that.
F
Yep,
so
on
that
question,
one
of
the
things
we
do
in
the
chaos
project
is,
we
simply
try
to
articulate
work.
That
is
already
being
done
like
capture
that
so,
for
example,
you
had
mentioned
like
determining
whether
or
not
an
upstream
vendor
has
maybe
an
ospo.
I
don't
know
if
that's
actually
what's
looked
at,
but
something
along
those
lines,
and
I
mean
we
do
develop
metrics
that
already
exist,
but
haven't
been
articulated
yep.
C
F
C
Yeah-
and
so
you
know,
is
the
right
level
of
discipline
in
place
that
they
can
generate
that
and
for
large
companies.
It
takes
a
lot
amount
of
effort
to
finally
get
to
the
stage
where
they
can
generate
that
and
we're
going
to
be
seeing
more
push
coming
in
that
we're
going
to
want
to
be
seeing
these
software
build
materials
you're
going
to
be
seeing.
C
F
F
So
we
do
in
the
chaos
project
we
we
do
have
the
metric
around
the
spdx
document
is
an
important
thing
to
look
for
which
I
know
it's
kind
of
related.
I
think
it
is
every
yeah.
Okay,
it's
an
s-bomb,
yes,
and
then
I
mean,
maybe
you
had
mentioned
training
as
well.
Is
there
a
formal
way
that
within
open
chain
that
training
is
understood,
yeah.
C
A
A
C
F
E
F
A
F
Are
certified?
No,
it
was
so
like,
for
example,
with
in
in
risk
one
of
the
things
that
one
of
the
metrics
that
we
have
is
osi
approved
licenses
right
right.
So
a
measure
of
osi
approved
licenses
right-
and
I
mean
osi-
obviously,
is
a
organization
that
that
sets
kind
of
these
standards
or
sets
this
approval
process
is
kind
of
a
gold
standard
as
to
what
licenses
are
right
and
we
have
a
metric
that
measures
that
like
do.
F
You
refer
to
the
osi
light,
or
do
you,
how
are
the
osi
licenses
represented
and
with
training
I
mean.
One
of
the
things
we
could
do
is
basically
saying.
Listen.
Open
chain
is
the
the
place
to
go
when
it
comes
to
internally
training,
your
developers
and
your
managers
around
open
source.
I
see
so
we
could
direct
people
towards
open
chain
when
it
comes
to
yeah.
The
metric
would
be
have
you
a
determination
of
engagement
with
the
open
chain,
training,
material.
A
And
would
we
rep
so
that's,
I
guess,
does
that
get
to
a
metric
and
is
the
metric
tied
to
a
company,
or
is
it
tied
to
an
affiliation
for
an
individual
developer
or
a
percentage
of
developers
from
companies
that
have
had
the
training
yep?
I'm
just
trying
to
I'm
trying,
I'm
just
you
know,
trying
to
figure
out
okay.
What
is
the
metric
we
operationalize
here.
F
D
B
C
F
F
C
C
F
C
C
C
C
A
C
C
A
B
C
C
F
C
I
was
looking
at
all
the
people's
faces.
That's
the
thing
as
opposed
to
that,
and
so
I
seem
to
have
the
ability
to
go
back
and
forth
between
the
tags
or
not.
I
may
rejoin
it's
a
bit,
weird,
okay,
I'm
thinking
the
other
thing.
I
was
wondering
if
we
could
squeeze
into
the
agenda
for
today
by
the
way
yeah.
E
A
C
A
C
C
C
C
C
So
you
know
I
did
a
first
pass
of
just
starting
to
assign
that
type
of
you
know
the
type
to
it
to
see.
If
I
could
get
some
sort
of
insight
and
there's
certain
ones
that
I
just
don't
quite
understand
like
you
know
what
css
here
and
you
know
life
cycle
rotten
that
one
I
thought
was
pretty
interesting
from
many
perspectives
and
then
I
didn't
understand
the
sig
slash
and
whether
that
it's
likely
a
classification.
C
A
A
You
know,
there's
there's
been
no
there's
been
no
attempt
in
what
I
sent
you
to
sort
of
identify
a
number
of
repositories
using
each
of
these
right,
so
it
could
be
that
a
very
active
repository
is
using
lifecycle,
rotten
like
that,
could
be
the
linux
kernel
or
or
some
something
else.
That's
very
large.
A
C
Yeah
but,
like
you
know,
help
wanted
okay
to
test.
That's
basically
saying
there's
an
action
to
be
taken
and
we
want
someone
to
take
an
action
and
then
the
classifications
are
effectively
okay.
How
do
we
prioritize
what
we're
working
on
and
then
you
know,
an
affirmation
in
some
sense
could
be
a
solicitation.
Well,
it's
it's.
It's
usually
signaling
the
state.
I
think
it's
test
and
it's
simply
no
further
actions
done
for
the
negation
like
won't
fix
and
so
forth.
I
mean
serve
the
end
of
the
workflow.
In
my
mind,.
C
A
A
C
C
Okay,
you
know
this
thing's
like
update
bot,
which
I
sort
of
said:
that's
a
process
check
and
cla
is
being
signed
and
then
sometimes
this
is
a
process
check
kind
of
how
I
it
sort
of
looked
to
me.
But,
like
you
know
pr
action
merged.
Well,
yeah.
Someone
wanted
something
to
do
and
kind
question
that
one
you
know
is
I'm
not
quite
sure
where
it
goes
now.
I
think
about
it,
but
like
kind
flake,
you
know
there
could
be
classifications,
it's
hard
to
say
rgw.
C
C
A
E
A
But
that's
that's
actually,
there's
a
lot
more
tagging
in
issues
actually
than
there
is
in
pull
requests
in
terms
of
like
the
like
the
number
of
different
tags
added
to
an
issue
they
tend
to
be
I
mean
the
numbers
are
significantly
higher.
If
you
look
at
the
there
should
be
another
spreadsheet,
that's
called
polar
crosstags
and
that
folder
I
shared
and.
C
Those,
I
would
say
could
mostly
be,
would
probably
have
more
of
the
solicitation
of
classification
as
opposed
to
issues,
and
I
find
it
interesting
that
the
top
ones
are
looks
good
to
me
and
yes,
which
are
effectively
affirmations
right
right.
You
know,
you
know,
are
approved
and
the
two
to
me
and
then
the
other
one
is
a
cla
check
that
came
here.
Okay,
this
is
you
know,
because
that's
not
going
to
be
showing
up
in
a
workflow
generally,
but
it's
something
that's
necessary
on
the
process
side.
C
C
A
A
C
A
C
C
A
A
Yeah
and
I'm
just
wondering
if
so,
there's
the
what
are
the
tags
that
are
used
a
lot,
but
then
maybe
there's
our
subjective,
because
what
I
think
we're
gonna
see
is
like
some
of
these
tags
are
just
gonna
end
up
in
a
cluster
of
the
the
highest
tags
like
they'll.
Be
will
end
up
classif,
you
know
ultimately
classifying
them.
Some
ways
in
in
the
like,
looks
good
to
me
as
an
affirmation,
there's
probably
a
bunch
of
different
ways
that
that's
essentially
said
right,
yeah
in
a
tag,
and
so
we
can.
A
We
can
map
similar
tags
at
some
point
so
that
they
fall
into
the
same
micro
category.
Maybe
we
would
call
that
and
we
can
be.
You
know
we
can
begin
with
just
this
list
of
the
top
200
and
how
they're
classified
I'm
really
curious
about
things
like
life
cycle,
rotten
and
like
v4
and
css.
Are
I'm
really
curious?
What
that
all
means?
And
if
there's
just
like
one
giant
repository
that
uses
it
all
the
time
or
if
it's
actually
spread
across.
A
Making
a
comment
just
in
the
I
put
your
I
put
your
category,
including
I
added
other,
under
implementation
in
the
doc
that
has
started,
and
I
also
made
a
comment:
how
many
different
repos
are
using
each
of
the
tags
in
the
top
200?
In
other
words,
are
they
are
they
are?
This?
Is
the
top
200
skewed
heavily
towards
extremely
active
repos,
and
is
there
another
cut
that
we
want
to
make
it
popular
words.
A
A
C
C
You
know
in
the
top
twenty
you
probably
got
the
bulk
of
them
yeah,
but
where
our
reasonable
cut
points
would
be
another
question
too
yeah.
If
you
could
equally
well
just
say,
take
the
top
50
and
say:
okay,
you
know,
but
I
I
am
curious
as
to
of
those
top
200
how
many
which
projects
are
doing
it.
Are
we
having
a
dominant.
A
Thing:
yeah,
yeah,
that's
that's
my
first.
You
know
it's
like.
I
think.
As
I
look
at
these,
I
should
have
thought
of
that.
Actually,
when
we
gen
when
I
generated
the
list,
I
could
have
run
that
query
to
show
how
many
different
repos
are
using
them,
but
I'm
curious
about
that
I'll.
Throw
that
into
the
same
share.
Do
you.
C
A
A
C
C
You
don't
really
need
to
log
in
and
then
just
set
up
an
email
account
potentially
subtract
things,
but
you
can
look
at
the
the
repos
and
histories
yeah.
If
you
go
to
community,
you
go
to
develop
release
the
tech
and
all
our
minutes
are
visible
online
and
we've
just
finished
having
a
workshop
on
monday
through
wednesday,
and
the
sessions
from
that
are
all
gonna
have
been
were
all
recorded.
Everyone
agreed
to
let
them
be
recorded,
so
we've
got
them
recorded,
and
so
you
can
you'll
be
able
to
get
a
pretty
good
overview.
A
C
I
think
it's
just
nice.
I
think
I
think
quite
frankly,
it's
just
now,
I'm
seeing
it
again.
Okay,
I
think
it's
my
thing
so
yeah
lisa.
So
if
you
scroll
down
on
this
one,
you
scroll
down
this
page,
which
one
oh
you're
in
maine.
No,
you
don't
want
the
main
one.
You
want
the
davell
one.
The
community
takes
you
right
to.
A
A
C
E
C
Other
side
is,
we
could
tape
it
all
that
was
the
upside
yeah
and
so
in
the
next
time,
yep
the
next
couple
days.
The
links
will
be
available,
so
people
can
figure
out
what's
going
on,
but
I'd
say
watch
the
newcomers.
If
you
want
to
understand
what
we're
doing
with
elisa
once
the
lens
is
posted
and
I
just
go
to
release
yeah.
I
don't
think
we'll
update
that
blog,
we'll
just
put
a
new
blog
out
with
the
links
and
everything
and,
in
fact.
C
C
A
A
C
A
B
So
what
we
did
was
we
took
a
lot
of
time
to
well.
I
took
I
took
about
most
of
yesterday
to
automate
the
process,
and
now
it
doesn't
work
so
monolithically
it
can
it's
like
kind
of
search
for
repositories
and
all
the
stuff
that
should
have
been
automated
before
it
is
now
automated.
So
we
should
be
getting
it
put
it
as
a
worker
and
august
soon,
so
that
people
can
do
it
themselves
without
doing
all
the
work.