From YouTube: CHAOSS Weekly Community Call - 2-17-21
A
Welcome, everybody, to the CHAOSS community weekly call. It's kind of a weird day: everyone's, not everyone, a lot of people are freezing and no power. So we're really grateful for those of you who are able to show up. We have a little bit of a light agenda today, which is probably good, just so people don't feel like they're missing out if they're unable to make it, but we do have a few things to talk about.
A
So if you have not added your name to the agenda and you would like to do that, please feel free to do that on the minutes. I think Matt just posted them in the chat, and we will get started. Oh, one quick thing, I wanted to ask everyone how they feel about this. I think I emailed a few of you, but there's an option, I believe, in Zoom to save the chat.
A
I don't know if we want to enable that, if that would be invasive or feel weird to people, like they couldn't chat, but sometimes there are really good links that people post in the chat, and they get lost when we close our Zoom. So I don't know if people have feelings about that. What do you all think?
B
I don't know. I remember when we were on the UNO Zoom account I always had the chat, but I never did anything with it, so we were preserving it, but I never posted it or anything like that. So.
C
D
I have a question. In terms of the record of the video versus the chat, are they synced at all? Because I could see, like, if it is in line with the conversation, and you could see how the chats were supplementing what we were discussing. But if there's no relation, then, like, the links would provide insight, but the, like, random banter or, like, plus ones will have no context.
A
E
A
A
All right, let's move on. Thank you all for your input on that. I feel better. Okay. So the first thing on the agenda is the Google Season of Docs is open, and I know we have some people, I don't know if any of them are on this call, but I know that's been kind of floating around, so not sure what we want to chat about with that. But if anyone wants to jump in here.
B
So I think the question basically is: do we want to set up ourselves as our own organization for Season of Docs? This is season index, right? Yeah. And, or, the Linux Foundation always provides kind of an umbrella, and you can submit things via the Linux Foundation, and apparently we did it via the LF last year. Is that correct?
E
B
So it seemed like venue was kind of inclined to do our own organization, which I don't see any problem in doing that.
B
And we've done this, we had this same kind of conversation with Summer of Code too. You know what I mean? Like, do we submit as part of the LF or do we submit on our own? I think maybe one time we submitted as part of the LF. Georg, do you remember that? Like, really early, and I actually think it wasn't accepted, like the LF was not.
B
A
F
So one of the things I noticed is, talking with some of the other previous Google Summer of Code people, evidently Google likes it when you show a lot of cross collaborations on these different projects, with different groups here, in different groups there, and things of that nature. So in a way, having your own entity to do that and sit there and show, oh, also collaborating here, here and here, looks good, because they want to see that sweeping.
F
It's one of those things where, when people are coming forward and they're trying to figure out who you are and what you are and where they're going to be impacting and all that, you really do need your own brand for that, right? And so, and CHAOSS has a very particular thing that it's solving, and it's super important, and so having that established outside of it. I mean, if you sit there and think about it, would CNCF do it any other way? They wouldn't, right? They would be, they go in this CNC, CNC.
F
Sorry, so I think that it is appropriate to go in there and do that because, like I said, Google likes, I don't know about this other one, but I know that Google normally likes seeing that, and so that's actually what we're trying to do with our stuff too, with the IEEE, because IEEE is also gargantuan, and IEEE, you know, SA Open is yet another separate thing, and so we're just kind of like going.
F
A
A
That's all it takes, really, is just to put it in minutes and then you can pretty much just decide anything you want. Okay. So let's move on unless anybody has any final thoughts on that.
A
Nope? Okay, so the next one on the agenda is Outreachy. There is a March first deadline for the community sign up, and we do have some ideas, some concrete ideas for that, and I see Matt is giving myself and him an action item to just do this, so cool, we'll just do that. Is there any discussion we need to have around this?
B
I don't think so. I think you and I can just solicit the ideas. Just so everybody knows, we don't have the funds to pay, but we can still, I believe we can still apply, because Outreachy gets external support from organizations, and that external support can be used to support folks associated with projects, and where the projects don't necessarily have the funds. Does that make sense? So we can still apply, even though we don't outreaching.
A
I like that idea, and it looks like we're gonna focus centrally on the website audits for marketing, accessibility and inclusiveness, and I assume that, Kevin, you're cool with kind of leading that and being the mentor there, right?
G
I would envision that activity as having several mentors, though, because there are a couple different types of audits, and we have had some volunteers for some marketing people to kind of take lead on the marketing audit, and so on and so forth.
A
B
There's one other mentorship thing, just you can put it in the minutes, but here at the university, at my university, we do summer internship programs for students, high school students in the area, to participate in projects, and the university pays them. And so I, Vanad, I think it was Vanad and Matt, I kind of forget, or was it just you, Matt? I think it might have just been you, Matt, to kind of say, you know, put together a small.
B
You know, a couple paragraphs as to what the engagement might look like, and then those go onto the university website and they get sent out. So we may have some additional mentorship, and I think it was with respect to the D&I Badging program. Is that right, Matt?
A
I'm just curious: what, do we have a specific thing for them to work on? I'm just curious.
B
I think it was, okay, so the D&I Badging program is based on Arfon Smith's work when he was at GitHub in the Journal of Open Source Software. So the model that Arfon put together was kind of the model that we have implemented with D&I Badging, just because we really liked the openness and transparency of how JOSS, Journal of Open Source Software, was running.
B
JOSS has an automated tool called Whedon, get it, Joss Whedon. So one of the things we're doing is taking a look at how we can bring the work that's been done on Whedon into the D&I Badging program to help automate things where automation can occur. There's certainly still a need for a lot of human interaction and thoughtfulness, but there might be places where we can continue to automate. Did I get that right, Matt?
H
Yeah, we've already built out a lot of the proposal for it, looks like, but I'm excited to see how that turns out.
B
I did it a long time ago when I was involved with SPDX, and so it's, it can be tricky, right, because a lot of high school students are not really familiar with just what open source.
I
B
How it works, so a lot of time is actually spent just kind of introducing people to the community and getting them to understand the structure. So it takes a little while, but it does work out well, and it's just a really nice experience for a lot of people.
A
I really look forward to having them be a part of our community. I think that would be awesome, so yeah, that's exciting.
A
Okay, the next one is actually something Sean wanted to talk about, and he has had to step away for a minute. So.
A
Yeah, his chair cannot speak for him, sadly, so I will let him talk about this in a second. Just as a side note, Sean and I did have some great conversations about, we did a hackathon on Saturday, while he did the hackathon on Saturday, and it was pretty light turnout. But some great ideas came of that for the next hackathon that we're gonna do, and we are gonna do another one.
A
We're gonna do a series of these, some for the North American users, and then we're going to do an Asia Pacific one that's a little more friendly for that time zone as well. So we'll do a series of those as well, so those will be happening on like a Friday night, Central U.S. time, which will be like Saturday day for Asia Pacific.
A
So that's kind of the overall plan. I know that what Sean wanted to ask was to pose this question to the working groups, people who are on the call from the different working groups: if there are specific metrics that we want to capture data around, but we're not sure how, if they can think about that. Because that's, we want to kind of take those hackathons. I hate to steal Sean's thunder, don't tell them!
A
I'm telling you this, but we kind of want to take those hackathons and make them a little more purposeful and deliberate in our, like, what the goal is.
A
So we thought it would be great to have a purpose in that, helping the working groups kind of figure out or nail down some data that they were requiring, so kind of be, like, you know, not self-serving to CHAOSS, but also to help kind of bridge the gap between Augur and the metrics and what we're doing there, and then, you know, use the hackathon as a great venue for that.
A
B
I also think this is a really good call, what you're talking about, Elizabeth, just because we don't like to develop metrics in a methodological or technical vacuum.
H
So, as I went to the hackathon last Saturday, and I thought it was kind of, it was fun. We did have a light turnout, but like we had people, I think one person was interested in the Outreachy program, which is pretty cool, but it was something we ran into that I'd like to try and avoid in the future is that we had an install debugging session for most of the hackathon. So I just want to do something.
H
A
And that is perfect timing, Sean, because we were just talking about the Augur hackathon and kind of our plans, and Matt, to your, Matt Snell, to your point, Sean and I did talk about that, and so we have some ideas floating around, but I will let Sean kind of take this. Sorry, Sean, to put you right on this.
I
No, it's all right, sorry about that. My furnace died two weeks after I finished the garage because it's just, I'm lucky that way. So I'm just following the minutes here.
A
Yeah, so I had just brought up that we were looking to some guidance from the working groups as to some metrics that they would want some data around that we haven't really.
I
But the other thing that I've talked about is, the common experience I have in hackathons for Augur or other hackathons is there's this sort of level of getting your operating environment on your local machine prepared to actually do Python development and open source, in this case. And with different operating systems, there are C libraries and things like that that need often to be upgraded, versions of Python that need to be tuned, and we usually spend one to two hours of any hackathon, on Augur or otherwise.
I
Getting folks' environment set up. So Elizabeth and I think, when talking with Elizabeth, that this is an obstacle for open source software engagement, especially more diverse open source software engagement. So we discussed having, I don't know, sort of work-a-thon, hackathon-like tutorials, perhaps one focused on configuring Python for open source development on your local computer.
I
Another focused on the nuances of GitHub. I think most people understand the very high level functions of GitHub, but few have actually created a fork, merged it back in, worked with branches and had that experience, and sometimes when people get into that, it's an obstacle for going further. Another thing that we discussed was Jupyter notebooks. I think a lot of experimentation should be done in Jupyter notebooks, and it's a lower bar to entry for getting started, and since most of what we're doing on CHAOSS is actually working with data and producing metrics.
I
H
So I'm kind of thinking, hearing this and talking about it a little bit makes me think that we need some kind of design or concept focus hackathon as well. I mean, it doesn't necessarily have to be in code, because there's such an overhead to learning that, that schema, everything that's involved with algorithms takes a long time to learn. It took me who has.
H
I was just saying that if we could have something that's higher level and, like, easier to understand right off the bat, or at least we could get them started in an hour or less, I think that'd be very valuable, especially if our purpose is, like, onboarding. It's not necessarily to get, the way I see it, it shouldn't be necessarily to get things done for agar as much as it should be to show new people the project. I.
I
I agree, I agree. I think getting people involved in the technical parts of open source could be Augur, it could be femoral habit, but technology isn't what's important. I think bringing the working groups into hackathon environments where, essentially, we have people who understand a set of requirements that they want met, and using things like Jupyter notebooks and the data underlying GrimoireLab or Augur, we can start to actually implement some, you know, the combinations of metrics that are most often what people end up asking for.
I
So it's very rare that we have somebody ask us to write a Jupyter notebook or build a visualization of an individual CHAOSS metric. It's almost always a sort of symphony of different metrics that together tell a story. And so having the working groups there, not for the technical, like, you can sort of bail on the technical part at your leisure, but driving what we might build technically in the course of a hackathon from those requirements, from that design work that you described, I think that's exactly what we mean.
H
I'm totally popping off today, but I just also wanted to say that I think the biggest thing we can get, in my opinion, this is definitely an opinion thing, but the biggest thing that we can get from these hackathons for the working groups just to challenge the metrics and challenge how we measure them. I think that's a really important part of it.
I
I would, I think the other side of that coin is that sometimes it's hard to imagine what a metric actually is unless it's built, and I think there's this reiterative cycle that will happen where people have an idea for a metric, we show them what that metric looks like based on some collection of data, and then they're like, well, okay, what I really meant was X. So by being able to iterate, which we could do pretty quickly in Jupyter notebooks.
D
I must want to re-ask my question now because I think it seems like, before you got back, Sean, I was asking if future hackathons, we want to really build out around Augur, versus it sounds like what you've just been describing could be something a little bit more general, maybe wouldn't necessarily apply to Augur, in terms of future hackathons doesn't necessarily mean that you're going to be working directly with argo or on or using it, even in that context.
I
Yeah, I mean, I think so. So there's really three, four ways that we can get data. One is Augur has a set of tools and data that it's collected. GrimoireLab has a set of data it's collected, but there's also direct calls into the APIs of these platforms that could be used for generating metrics. And of course, then we can mine the git logs. So I think there's a lot of data sources, and I mean, I don't think these be tied directly to Augur.
I
C
I would propose that we bring one metric as a trial case from each working group and do the hackathon not tied to Augur, but as a data source collecting it and maybe trying it in Jupyter notebook to collect the ideas, how it's being implemented. And then we can formalize it in Augur or GrimoireLab as the outcome of the hackathon.
I
Yeah, yeah, it'll depend. I mean, yeah, I agree. It'll depend on the metrics. Some metrics require advanced data collection, others don't. It depends what kind of temporal processes, you know, what kind of temporal trends you want to show, but yeah.
I
I think I wouldn't exclude data sources. I would say we have Perceval is a powerful data source. We could gather a bunch of data around a metric from using Perceval. We could have a bunch of data in Augur. We could have a list of GitHub and GitLab APIs that deliver that data ready.
I
Yeah, GitHub Archive is a valid data source. It has, obviously, like all of the other public data sources, there are limits to it, but there's a lot there.
D
D
Well, and I can see other data sets as well, but I know we maintain a public version of the GitHub Archive. It is anonymized, and if you work with archive data, it's logs versus active commit streams. So it's a different kind of data source, so it might limit what you can look at, but it's great for sort of aggregate trends and sort of big questions like how many PRs are getting accepted and merged into projects on average.
D
D
D
Sort of a little lossy, so it doesn't have, say, like total number commits, but it'll track PRs, and then you can see how many commits are part of the PR, but it doesn't necessarily give you the complete picture of contributor activity. Okay.
E
C
One of the things I have observed in the open source is a lot of open source program used Jira, and we have not been able to look at that platform in any sense, or, like, I haven't come across in any of the CHAOSS discussion looking at the Jira in detail. Subject: here's my issue tracker though, isn't it.
E
I
G
G
And I wouldn't say a lot of projects use Jira, but there are a few notable Linux Foundation projects there even.
G
I
A
Okay, I'm gonna bring this conversation back around. So it sounds like we have a really good start for this kind of new path that we're going to take for these hackathons. So Sean, what would be the next steps for people on this call, if there are any?
I
I think the Asia Pacific call, the hackathon that's focused on the giddy worker that they want to build for Augur, that can stand alone. And I think when it comes to the working group focused requirements, you know, here's a set of metrics that we want to try to build out with tools.
I
I think we maybe make them more agnostic, and that the advanced work is making data available, making the location of data available from a number of different metric platforms.
I
Like, you know, GitHub Archive, here's your path; GitLab, GitHub API, here's your path; here's a personal data set we collected, or we collect with Perceval or whatever else GrimoireLab might recommend; here's an Augur database. We give people multiple options for engineering it and see what happens. You know, see how people want to build a metric out, and I'm totally open to saying, okay, we're not going to use any of those things, like some.
I
If somebody defines a data set, like they played, like a test data set that we want to build the metric from, I would be okay facilitating a hackathon car partnership with Georg or other folks from Bitergia or Google, or wherever, just focused on the metrics, because I think the focus on the metrics without caring about what technology we're using is how we get the working groups engaged and unders-, you know, helping us to build tools that more closely serve the needs of the community.
A
Okay, so I think we're good to move on then, unless anyone has any final thoughts for Sean or for anyone. Okay, cool. Let's move on, because we do have a few other things on the agenda here. So the next one is community reviews on the metrics are still ongoing. So if you've not had a chance to look at some of the metrics that have been released under this community review window, feel free to poke around and see what you think about them.
A
It does not have to be in the working group that you usually attend. It can be, you can offer your feedback on any of the metrics, so don't feel constrained by your imagination. It's all up to you. And I see that Georg has a big thanks, Ray, so Ray apparently has been doing some work. Even though he's on this call, we will give him a shout out. He.
B
A
B
Yeah, so I made a picture that solves everything, so you can look at my picture. So kind of in the same light as bringing tooling and metrics closer together.
B
B
What are the things that we actually want to ask questions against that dependency set, right? So I create, you know, a list of 20 packages that I care about as part of this dependency world that I live in, whether it's upstream or downstream.
B
I don't particularly care, and I'm just trying to listen to the conversation as to what people seem to be concerned about, and so licensing seems to be one of those things that people care about, vulnerabilities seems to be one thing that people particularly care about, and then there's this Tsunami security scanner. It's from Google, I'm not particularly familiar with what this is, so not looking at you, Sofia.
B
So I'm just trying to think through ways that we could, and this is obviously just Augur, I just threw that in there, just ways that we can start kind of thinking about architecture that might be useful once we start getting dependency data. And so, like, the manage project information, you know, package information, that was just the passing comment in the Asia Pacific call that you can start getting package level information, say, from the POM file and Maven, right, so you can.
I
B
And so it's just kind of keeping, like, if we're asking around, if we're asking for things like vulnerabilities, just kind of knowing what our technical limitations are in the project. If we're asking around things like security, again, I'm not quite sure what that is, with different from vulnerabilities, kind of thinking what would be required to even ask questions around security. So I don't know, I'm just trying to, you can all say this is the worst. The colors are horrible. The arrows are terrible.
B
D
I would love to ensure that we couch it with things that we can have influence over. Like, if you're reviewing someone's security architecture, that I wouldn't say we have any, I wouldn't want to say that we have expertise there. We're just trying to suggest things that can be measured objectively. So how you implement something can yield your overall security posture, like, I didn't set up any authentication, you are less secure, and that's a decision that you made, not something that we would look for, versus, say.
D
Vulnerability scanning is just something that would be more of an objective risk point versus, say, how you chose to implement something. So I just want to make sure that the things that we choose to measure sit in that objective category versus subjective implementation, because I don't want to become a security architect recommender.
J
J
Then we can now say: okay, as opposed to sometimes might be, this is the best practice, like a design pattern, this group of people are following this, and if you just report in a kind of summarized way, instead of being causing, like, cause and effect with things like that, which might resolve to the kind of things you mentioned.
B
B
There's kind of two parts to dependencies. One is, right, mapping: I got to figure out what I care about. This is only based on what I'm hearing. And then the second is, I want to ask questions against that suite of things that I care about, and the questions that always seem to be, that people seem to want to ask all the time, are around licensing, around vulnerabilities, and maybe those are the two biggest things.
I
And so, yeah, there's a lot. I mean, there's a lot of license scanning and other kind of vulnerable. We don't, nobody does security vulnerability testing, and the risk working group is having a pretty active discussion about how to incorporate that into the risk metrics right now. There.
I
Of things out there that are databases, there's the NIST database, but then there's also some tools that Google offers from.
I
That I just put in there, yeah. Yeah, so there's a lot to look at from a risk perspective, and this may be one of the things, because there are so many existing tools, that we could build a hackathon around. Not to make it about that, but there's enough different tools out there that we could actually get into it with software.
B
I
B
I
Give the risk group should be fun this week. I've talked to, I'm talking to four people from the group who have a lot of different pieces of software on the list, that I'm trying to consolidate that list, and I'm doing that in advance of the working group meeting, because there's so much about dependencies that's being talked about, the same seems to apply to software. I'd like to focus the discussion on where we work, but so.
B
Thursday, is the tooling in what you're talking about about determining dependencies, or is the tooling about it also asking questions against that list? Some of its security.
I
B
So maybe in an effort, like, you have a good handle on kind of, well no, but like you're in a good position to think through the available tooling, like, I think the conversations that come at you can maybe make sense right away. So if we're gonna start talking about this to a group that doesn't talk about dependencies and licensing and vulnerabilities on a day-to-day basis, maybe at some point we need to start kind of narrowing down the band of things that we're working with. So in the CHAOSS project.
B
We're always talking about just trying to move off zero, right? So we're just trying to improve transparency on a known set of dependencies in a particular case, and here are some tools that can help provide some transparency on that. Is physology scanner perfect? No, it certainly is not. Is OSV perfect? Probably not, no. But are they better than not asking questions, you know? So maybe part of the goal is to narrow this down, because I'm with you, I feel like oftentimes, whether it's the Asia Pacific call or the risk call.
I
D
Yeah, I mean, I really like your approach, because I think the trouble that we've been facing in the working group is trying to solve this problem theoretically and practically at the same time, and I think those are two very different questions. So I think we spent a lot of time trying to theoretically organize our thoughts, but now I think it's important to focus more on what's practically available. So I like the idea of going through, seeing the available tooling, the available data sets and what we could actually measure and achieve on a repeatable basis.
D
So I'm almost thinking of, say, that the scenario of bringing something like this to a hackathon would be to explore how feasible is it to measure something like this, I'm using the tools available to us. And then when we recommend, this is how you implement or measure something like this, we know it can be measurable, versus just saying, wouldn't it be nice if you could see this, which is where we kind of are now, whereas looking backwards from the tooling would be a little bit more practical on what's achievable now.
E
The approach that we'll be talking about is very quick and dirty, high level: just what's the activity level like. And I mean, that's a valid place to start. We don't have to bring in all of the complexity of vulnerabilities and whatnot if it's just, we just want to get started, and then we can add those later.
J
Gear, are you hoping to see a kind of discussion that relates the downstream loose in loose couple completion with the upstream, or just like they are tightly coupled that'll like give feedbacks on regular bezel truly strongly depends on the upstream.
J
B
Well, okay, I can. This is helpful, and sorry I keep bringing dependencies up like every time I appear on a screen, but this just has this feeling of one of those, like, shall go on forever in this, like, kind of cloudy space, and at some point I think it's good to kind of bring it down to earth somehow, and I don't know what that somehow might be, but.
A
A
We are almost out of time, so just wanted to mention two quick things that are still on the agenda. First is the Google Summer of Code. We are just finalizing the ideas, and there is a doc in the minutes, assuming that people can click on that and add their feedback. And then, is that all, Georg and Sean? Was there anything specific?
I
I've already added one of them, but we have to create actual GitHub issues in some repository before the 19th. Is that right?
I
I
E
I
So I'll finish flushing out the, let's, maybe you and Elizabeth and I should have a 10-minute conversation on the 18th at some point, just to make sure we know what the list is collectively.
E
A
And then one final just shout out to Sophia for being our newest panelist on CHAOSScast, because she was so amazing as a guest that we were like, please come be a panelist, because you are awesome and we love you, and she said yes. So congratulations to Sophia, and we look forward to having you again and again on CHAOSScast, because you really add a lot to the conversation. So thank you very much.