From YouTube: CHAOSS Risk Working Group 3-18-21
A: So let me know when you hit record. I did. So welcome to the risk meeting, March 18th 2021, starting up by looking at issues and pull requests. We've got one from Matt Snell there, just a little formatting change and I think a couple of files on the OSI license list.

A: I see no reason not to merge this pull request. It looks just like making what we're doing, what this metric is, a bit more clear.

B: If it's a big change, we go back out for review, but grammar things or small edits don't necessarily need to do that.

A: All right, so we merge that pull request; that should help our pull request merge statistics, already got one down. Current state of risk metrics. This is that spreadsheet, this one here. Were there no issues that needed attention? No, they were all, they were all like... the release notes was the last one and the others are, I think, related really to the work that we're working on. Okay, dependency, and I don't want to use...

A: So the current state of the risk metrics is we kind of have this.

A: I put the wrong link in here. Current, yeah. That is the current state in a sense, but, you know, this is, you know, really? This would be, I would call it... this is badly worded, and this is like current risk metric MVPs, most...

B: Minimum viable product. Sean, that link is to the... that, should... that link is to the metrics spreadsheet, right? I know, and so I'm going to replace it with the correct link to this. Okay. Well, I had put it in there to the metric spreadsheet so that we could talk through... Oh, okay, the risk metrics you're subtly deleting.

C: Okay, sorry, all right, and so very casually removing my item. So, so what I... so we also have...
A: Our MVP spreadsheet, which I think is closely related, so let's go in that order. The MVP spreadsheet's kind of a list of what we've been working on. So this spreadsheet is our overall list of metrics that we're working on under risk, and there's a number of them, and so in an effort to focus then... so why don't I... do you want to walk through this one, Matt?

B: Okay, so there were a couple things that I wanted to bring up on this. So one was, see, rows 29 and 31, number of dependencies in the libya one. We had started by putting those in business risk, but we've also now created focus areas around dependencies. So I was wondering if those are better suited to be...

E: One of the things I'm almost wondering... yeah. So if we go... yeah, I'll move it to dependencies since we've got somewhere.

F: Upstream dependency, but we have put it in the downstream dependency project section.

E: Okay, then, if you want to just say dependency risk assessment and just...

G: Where is dependency risk assessment, line 70? He did it.

B: Dependency risk assessment, right. So now this is better because I think we have one focus area for dependency concerns. Yes, yucky clean. I agree.

E: Okay, I see what you're saying about the, your comments in there. I think the dimension...

E: License fragmentation or something like that as a way of summarizing it is in my head right now. Sorry, I just need to get a little bit of food. I've not eaten yet.

E: I said, so, like, Steve Winslow's been, has got a nice little hack project that he's been working on with, inside CMake and Zephyr, to automatically generate the bill of materials of the binary for Zephyr down to the source file level.

E: It's true, the licensing side of it, which is a risk as well. So there's some interesting discussions going on on the fact that CISOs don't talk to OSPOs right now very well, and so, David, that's something that you and I need to chat about.
K: The list of people who don't talk to each other is long and painful. Indeed, so, so I had a proposed re-title, which is long. Maybe we don't need all of it, but, you know.

K: Of packages with unknown or uncommon licenses. I mean, you could claim that if it's unknown we'll assume it's uncommon, but, you know, it's basically how many packages do we need to worry about the licensing.

E: Sure, yeah, Kate, I'm sorry! Let me talk through a little bit with you. Sure. I wouldn't say that they're unknown, but it is, I'd say, not common. Well...

K: Okay, all right, so how's this. If, if it is, if the license is unknown...

K: ...right thing to measure. We think the right thing to measure is number of packages with uncommon licenses, and if it's SPDX, if the license is SPDX registered, it's considered common. If we can't figure out what the license is at all, we're going to assume it's uncommon, and the notion here is higher number equals bigger.

E: I apologize, all right. You know, when we start seeing uncommon licenses or things like that, I consider it risky, more risky.

E: If there's, you know, things that are sort of like, you know, "copyright Intel, all rights reserved" type of deal, or, you know, company or copyright. "Indeed, all rights reserved", right. That would be something I would consider a risk factor in an open source project, although would that be an uncommon license? Actually not common, but, like, I mean, like, Indeed's license, not, not copyright mindset. My dad speak.

E: Okay, thank you, all right.
J: All right, so, so for, so for some additional context, like part of, part of one of the things I've had to do recently with our SCA tool is take this giant bucket of these "licenses need review" licenses and manually go through and figure out what, what they're meant to be. Yeah, and I don't know what's typical for SCA vendors who provide this information, but that number was quite large when I first saw it, where it could figure it out. No, we...

I: Just, and I think it's, looking at their website, it seems like this is something that you could easily check for both, either registered in SPDX, as well as whether or not it's recognized by the OSI.

K: Be a different number, I don't...

E: I know, so that, that the way it's there is useful to me.

B: Made... so then, if, if we include the FSF approved licenses similar to the OSI approved licenses, does, does row 61, the one that started out as SPDX approved licenses that has slowly morphed into number of packages with uncommon license, do we roll that back?

E: So like when you went... when, when Sean was just showing us the example of the OSI one. Yeah, Sean can find...

G: That, right, probably, but...

E: The one, you know, would be removing from that set that, that Sean's bringing up in Jason. Yeah, those that are on the SPDX list and the ones that are not there, you know, are fragments or things like that. There'd be a lot of LicenseRefs and things that you need further investigation, and so I think higher number is, you know... Oh.
K: By the way, FYI, and I see a similar comment, the, the CII Best Practices badge. If you go look at what does it mean to be FLOSS? Basically, the license must be approved in one of the following lists: OSI, FSF, Debian main, or good license by Fedora.

A: And Alyssa wrote in chat those plus or minus the Fedora one, right. Oh no, she wrote the Fedora one as well.

H: That's... sorry, I know I'm just jumping in and I'm learning a lot from you all, but those, those were the foundations for the Indeed FOSS Contributor Fund, and, and I come off, and I come from the OpenStreetMap space, where the ODbL license, like, isn't on a lot of the lists, but, well...

E: Like I say, if you want to add on the list, it's easy enough to add, just open, for, you know, I'd pull up the polar question, I'm happy to coach you. If you want to have some licenses added, no problem, it's just they need to be common and they need to be in use, right. You know, we're not trying to... we're trying to make it easy for people as opposed to proliferate it so big that it's a pain.

B: That's totally fine, but I didn't even get there yet. So, so we do have the OSI approved licenses. We have a second metric which is FSF approved licenses, done, and, and, and then the next... How about this? Let me phrase it this way. What is the next metric in the line of metrics that we should think about?

K: Right, but we don't need to name it specifically. Our, our notion here is it's the unknown.

E: Maybe any... yeah, we, we can say they're not registered, but basically we can be explicit that we're using the SPDX list, as presence on the SPDX list, as an indication of a common license. That's fine, that can be found in open source, which is the definition for the logic list. That's criteria. Thank you.
K: Let's say that I've got CC ND, okay, Creative Commons, No Derivatives. It's not open source, it is a... it is a common license. Would you include it in the count? Yep, you would? Yes, it's...

K: Well, let's, in fact we can type it for you. So I think it comes down to... I don't see. Oh, you don't! Okay, I don't have the actual... What is the...

B: Currently, are you in the right tab? Look at the tabs at the bottom.

K: I think number of, number of files with... is what we're, you know.

E: Like, say, if what they've got is they've got those that are and aren't already in the counts and they've got a percentage, and so the ones where the percentage is low? That's when it's in, you know, like, say, if they're, if it's not sitting in high 90s, that's an indicator to look at it.

E: There's actually spreadsheets because we've been trying to get the Fedora ones all moved into a common base, and Fedora is not specific. In a few cases, it causes problems.

E: They just refer to things as BSD or BSD-like in a few places. Oh.