From YouTube: CHAOSS.Risk.May.22.2020
A
Okay, so this is the Risk working group meeting for May 22nd, and this is the agenda that we have, which I'm sharing, and right now we want to discuss just SPDX changes. We have a... there's a scanner in Augur that follows the three... which spec does it follow? Matt Snell.
B
The... it was the latest SPDX once we built it. So let me look that up.
A
And then, if we look at OpenChain, I'm just getting my head around it a little bit, and is that where we should be thinking about risk metrics when it comes to OpenChain? You know, what kinds of things are... are they like? I listened to one call, but I didn't make a connection yet, so.
C
And it's not... and it's asking for an SBOM, but that's about it. It's a binary, and so I think there's a questionnaire, a self-assessment, and I think, basically the same way as with CII, we trigger off of the questionnaire there. I think just triggering off that: has the participant self-certified? But it's at a company level, not at a project level.
A
You know, people... So how does a... yes, do you? Does anyone have a thought? I'm trying, in my head, I'm wrestling with: how do we crosswalk company? Is there a way, or is it useful from a metric perspective, to crosswalk company certifications with OpenChain and particular projects?
C
You know, we've got metrics in other areas which are talking about, you know, is it dominated by one big company or not, and things like that, and, you know, maybe a nuance in that area might be: is the company... does a company have a history of knowing what to do about open source? I.e., OpenChain might be a way of assessing that.
F
Yep, so on that question, one of the things we do in the CHAOSS project is we simply try to articulate work that is already being done, like capture that. So, for example, you had mentioned determining whether or not an upstream vendor has maybe an OSPO. I don't know if that's actually what's looked at, but something along those lines, and I mean we do develop metrics that already exist but haven't been articulated, yep.
C
Yeah, and so, you know, is the right level of discipline in place that they can generate that? And for large companies, it takes a large amount of effort to finally get to the stage where they can generate that, and we're going to be seeing more push coming in that we're going to want to be seeing these software bills of materials, you're going to be seeing.
C
Okay, and there's proofs of concept going on exchanging SBOMs right now in that area, so we're gonna see... I think automotive needs it as well, and it's coming in from the security side, but it's valid in a bunch of other spaces too.
F
So we do, in the CHAOSS project, we do have the metric around the SPDX document being an important thing to look for, which I know is kind of related. I think it is... every... yeah. Okay, it's an SBOM, yes, and then, I mean, maybe you had mentioned training as well. Is there a formal way within OpenChain that training is understood? Yeah.
C
And so there's... one of the criteria is that a certain portion of a company, you know, of the developers that are working with the software, have taken this training.
F
Okay, in OpenChain, is there a determination of whether or not that has happened, or is it kind of done in good faith?
F
Are certified? No, it was so, like, for example, within Risk, one of the things that... one of the metrics that we have is OSI-approved licenses, right, right. So a measure of OSI-approved licenses, right, and I mean OSI, obviously, is an organization that sets kind of these standards, or sets this approval process, is kind of a gold standard as to what licenses are right, and we have a metric that measures that, like, do...
F
You refer to the OSI list, or do you... how are the OSI licenses represented? And with training, I mean, one of the things we could do is basically saying: listen, OpenChain is the place to go when it comes to internally training your developers and your managers around open source. I see, so we could direct people towards OpenChain when it comes to... yeah. The metric would be: have you a determination of engagement with the OpenChain training material?
A
And would we rep... so that's, I guess, does that get to a metric, and is the metric tied to a company, or is it tied to an affiliation for an individual developer, or a percentage of developers from companies that have had the training? Yep. I'm just trying to... I'm trying, I'm just, you know, trying to figure out, okay, what is the metric we operationalize here?
B
I've got a question about this, just clarification, so we have this kind of metric that kind of measures: are you participating, kind of? Are you doing this right? So are we looking to validate that in any way, or are we just saying this is a good way to... something to look at?
F
I think it's just the latter. It's kind of like the CII, yeah, not quite, I think, as badged as CII, but yeah.
C
Well, the number of... so I would say, be the number of participant companies in the project that have adhered to the...
C
Well, yeah, the example is you've got, you know, you've got a bunch of... okay. You've got some domain. I'll give specifics if you're not recording, but right now you have some...
C
Well, they're not real, so SPDX-approved licenses just means they've been added to the SPDX list. Okay, and...
C
We have things like... we have licenses on that list that are part of the free soft... the FSF-approved list that are not OSI-approved. Okay, there's also licenses that are commonly found that are not OSI-approved.
B
That, well, all the DoSOCS licenses and all the licenses we show are kind of... the ideas are pulled from the SPDX list. So I figure that's how we... we don't have any ones that aren't on that list, I should say.
F
The upper left corner, do you have... switch to screen sharing? I do, but I believe, because I see his screen.
C
I was looking at all the people's faces. That's the thing, as opposed to that, and so I seem to have the ability to go back and forth between the tags or not. I may rejoin, it's a bit weird, okay. I'm thinking the other thing I was wondering if we could squeeze into the agenda for today, by the way, yeah.
C
Did spend some time going through and doing a classification exercise on the tags, and I wanted to sort of see if what I was doing made some sense.
A
I think Matt has to make you, or I can make you, co-host, maybe. Okay, I cannot make Kate co-host, but Matt can. You...
C
So, you know, I did a first pass of just starting to assign that type of... you know, the type to it, to see if I could get some sort of insight, and there's certain ones that I just don't quite understand, like, you know, what "css" is here, and, you know, "lifecycle/rotten", that one I thought was pretty interesting from many perspectives, and then I didn't understand the "sig/" and whether it's likely a classification.
A
You know, there's been no attempt in what I sent you to sort of identify a number of repositories using each of these, right, so it could be that a very active repository is using "lifecycle/rotten", like that could be the Linux kernel or something else that's very large.
C
Yeah, but, like, you know, "help wanted", "okay to test". That's basically saying there's an action to be taken and we want someone to take an action, and then the classifications are effectively, okay, how do we prioritize what we're working on, and then, you know, an affirmation in some sense could be a solicitation. Well, it's... it's usually signaling the state. I think it's "test", and it's simply no further actions done for the negation, like "won't fix" and so forth. I mean, sort of the end of the workflow, in my mind.
C
Yeah, "sig" usually means special interest group. I just understand how it's related to this label, yeah, you know, there's also, like, you know, teams, "team/plug-ins", "team/..." you know, "che qe", that type of one.
C
Okay, you know, things like "update bot", which I sort of said: that's a process check, and CLA is being signed, and then sometimes this is a process check, kind of how it sort of looked to me. But, like, you know, "pr action merged", well, yeah. Someone wanted something to do, and "kind question", that one, you know, I'm not quite sure where it goes now, I think about it, but like "kind flake", you know, there could be classifications, it's hard to say, "rgw".
C
I had no clue, you know, and then the teams and kinds, like, say, likely their classifications, but wasn't feeling "ack", you know, affirmations and so forth, so I figured taking a look at the top 200. I haven't finished them all, obviously, but that gives us a reasonable... because there's a long tail here.
C
So the question is: where does one sort of drop it? You know, stop it off, but I want to see, you know, can we get some degree of coverage for some basic typing as a way of starting to build up a metric on the labels? The label usage in the project.
A
And I think we can, like, one way to proceed is to suggest in the metric that that tag... I mean, I think the list you're working with is the issues... the issue tag list. Okay.
A
But that's actually... there's a lot more tagging in issues, actually, than there is in pull requests, in terms of, like, the number of different tags added to an issue. They tend to be... I mean, the numbers are significantly higher. If you look at the... there should be another spreadsheet that's called "polar crosstags" in that folder I shared, and...
C
Those, I would say, could mostly be... would probably have more of the solicitation of classification, as opposed to issues, and I find it interesting that the top ones are "looks good to me" and "yes", which are effectively affirmations, right, right. You know, "are approved", and the two to me, and then the other one is a CLA check that came here. Okay, this is, you know, because that's not going to be showing up in a workflow generally, but it's something that's necessary on the process side.
C
You know, I guess that's an open question: how many of these were generated by bots.
A
I think there's a way that we can determine that, because the person, the bot, has an identity when they add the tag, and I think there's some kind of practice around labeling bots.
A
Work, at least as a starting point.
A
I think work... I mean, I think it's about workflow, it could... Some tags are about newcomer interests, like there's some repositories that have things like "good issue for newcomers" or "good first issue". Obviously, that's not showing up as a highly used tag, but...
A
Yeah, and I'm just wondering if... so, there's the "what are the tags that are used a lot", but then maybe there's our subjective, because what I think we're gonna see is, like, some of these tags are just gonna end up in a cluster of the highest tags, like they'll... we'll end up classifying them, ultimately, some ways, like "looks good to me" as an affirmation. There's probably a bunch of different ways that that's essentially said, right, yeah, in a tag, and so we can...
A
We can map similar tags at some point so that they fall into the same micro category, maybe we would call that, and we can... you know, we can begin with just this list of the top 200 and how they're classified. I'm really curious about things like "lifecycle/rotten" and, like, "v4" and "css". I'm really curious what that all means, and if there's just, like, one giant repository that uses it all the time, or if it's actually spread across.
C
Yeah, I still have a few more to make a full pass at, but I wanted to sort of do a cross check that I was sort of aiming in a reasonable direction with you guys before I... and we can take it down more if you think it's useful, but I figure...
A
Making a comment just in the... I put your category, including, I added "other", under implementation in the doc that has started, and I also made a comment: how many different repos are using each of the tags in the top 200? In other words, are they... is the top 200 skewed heavily towards extremely active repos, and is there another cut that we want to make? In popular words.
A
Yeah, no, and I made... Yeah, no, and this is, I think this is super helpful, like I think it'll be useful for people to see what kinds of tags are being used and that reduced... that somebody's done this work, and I think we can, you know, there's ways that we could have...
C
Tags, like I said, you see co-occurring, are you thinking, like, patterns, like, okay, "cla there", "cla not", things like that, related, or...
C
You know, in the top twenty you probably got the bulk of them, yeah, but where our reasonable cut points would be is another question too, yeah. You could equally well just say take the top 50 and say, okay, you know, but I am curious as to, of those top 200, how many... which projects are doing it. Are we having a dominant...
A
Thing: yeah, yeah, that's my first... you know, it's like, I think, as I look at these, I should have thought of that, actually, when I generated the list, I could have run that query to show how many different repos are using them, but I'm curious about that. I'll throw that into the same share. Do you...
A
Things out, but I looked at membership and I looked at "join ELISA", and maybe that wasn't...
C
You don't really need to log in, and then just set up an email account, potentially subtract things, but you can look at the repos and histories, yeah. If you go to Community, you go to Develop, Release, the Tech, and all our minutes are visible online, and we've just finished having a workshop on Monday through Wednesday, and the sessions from that are all gonna have been... were all recorded. Everyone agreed to let them be recorded, so we've got them recorded, and so you'll be able to get a pretty good overview.
A
Oh, I wonder if it's... so when I change tabs, I wonder if it's not showing the tab change.
C
I think it's just nice. I think, quite frankly, it's just now I'm seeing it again. Okay, I think it's my thing, so yeah, ELISA. So if you scroll down on this one, you scroll down this page, which one, oh, you're in Main. No, you don't want the Main one. You want the Devel one. The Community takes you right to...
C
The other side is we could tape it all, that was the upside, yeah, and so in the next time, yep, the next couple of days, the links will be available, so people can figure out what's going on, but I'd say watch the newcomers if you want to understand what we're doing with ELISA. Once the links are posted... and I just go to Release, yeah. I don't think we'll update that blog, we'll just put a new blog out with the links and everything and, in fact...
C
Which is our notes? We did all our notes publicly as well, and they'll be having the links to everything. Okay, ELISA.
C
Yeah, see if I can get... if I can call it up fast enough or not, it's just being a bit slow.
C
Yeah, it's open to everyone, like I say, we try to keep this project as transparent as we can. There's nothing new, there's not too much that's... other than the board minutes, they're confidential.
A
Yeah, Matt Snell, do you want to say anything about the change, the updates that you made to the Augur SPDX?
B
So what we did was we took a lot of time to, well, I took about most of yesterday to automate the process, and now it doesn't work so monolithically, it can... it's like, kind of, search for repositories, and all the stuff that should have been automated before is now automated. So we should be getting it put in as a worker in Augur soon, so that people can do it themselves without doing all the work.
A
Yeah, no, I'm very, very, very happy. I haven't tested it yet, but I'm really excited about it. Well then, don't be excited yet, yeah, I mean, so. Is it... is it in the worker directory of an Augur branch, or is it in the augur-spdx project?
B
It is under, I think it's called augur-jenkins-spdx-matt or augur-jenkins-matt-spdx. I just tested it with the Jenkins stuff that you copied for me. Okay, so that's...
B
Yeah, okay, and also the updates to the config, because I added a couple of things that you can customize, yeah, and I messaged Carter this morning, actually, well, David reached out to me and said "I can help you make that a worker." So I'm talking to him probably next week too.
C
That was the source of the Zoom bombing I saw recently. Oh really? Annotations, yeah, someone didn't lock it down and had an open call. Oh.
C
Drawing obscene... well, there's, like, body parts and actions on it, let's put it that way.
B
By the way, Matt.
F
Do you think you can hang around for just a moment? Yeah, you got to be really quick, I have a 10 o'clock that I have to prepare for. What's up, okay.