Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: They're in my queue and, yeah, anyway, introductions, anybody? Or we can just get started.

A: Awesome. Okay, so I hope everybody is seeing the meeting notes. They should be linked from the invite, sure. I think it's just an edit link. If you have any problems, let me know, but on the agenda for today: talk a little bit about the metrics at openssf.org, Security Insights from Luigi, who will join 15 or 20 minutes late, Amir.

A: If you have any updates from security reviews, happy to do that, happy to talk about Alpha-Omega and what's going on there, or just any questions. I mean, we had the White House meeting last week.

A: So if there are any questions and things that we can talk about, I'm sure we can have that as a discussion point, and just anything else, like, you know, especially for the new folks, happy to answer questions and talk about what we're doing and what we want to do and stuff like that.
B: So, Michael, I was thinking one thing, since there is a great opportunity for all of us that, you know, we have someone who attended the White House meeting, such as you. I was wondering, David, and David, I guess, yeah, sorry, I was not aware of that.
A: Yeah, absolutely, yeah, sure. So, David, I'll, like, tag team it with you. I thought the meeting went well. I thought most of the participants were focused on the right things. They had kind of insightful comments, kind of a common realization that the world depends on open source and they needed to be secure and trustworthy and resilient, and that there's no... I think the phrase "there was no silver bullet" was mentioned at least, like, six times during the meeting.

A: So I think that was encouraging, that there wasn't any talk about, you know, we should use less open source, or we should, like, do anything weirdly draconian, or, you know, anything completely, like, opposite the route that we've been going. I thought OpenSSF was mentioned, and, you know, both Jim and David and Brian, you know, talked a lot about, you know, the goals of OpenSSF and how it kind of blinds... David, feel free to kind of, yeah.
C: Yeah, sure, so I was there too. I thought there was a lot of useful comments. I threw in a link to a readout from the White House and I actually thought they did a fine job of summarizing.

C: You know, a multi-hour meeting, so basically three main topics kind of emerged: preventing security defects and vulnerabilities, improving the process for finding them, and shortening response time, because perfection's kind of hard.

C: I'm a big believer that, you know, it's going to be impossible to find humans that ever make mistakes, but instead of saying "gee, mistakes will happen, nothing will change," I think it's important to say "great, well, that's unfortunate. What can we learn? What can we do to make things better?" because I believe that there are always ways, you know, there are almost always ways to make better.

C: Certainly true in this case. Just from an LF perspective, Brian and I and Jim sat down and tried to work up some sort of summary.

C: OpenSSF was a really important part of that, but a whole lot of stuff that we've been talking about already, things like there needs to be funding for, well, we didn't call it Alpha-Omega, but I think Michael Scovetta saw our text and I think he had no trouble figuring out what we were talking about without using the words.

C: So, basically, you know, identify the critical software projects, really focus in on helping those, for the, a broader list of important... but you can't do everything, you know. What can we do with tooling to try to quickly find at least some of the more important vulnerabilities and get those fixed?

C: I mean, we talked about a number of other issues as well, but basically it would be awesome if some money popped out of that, I'm not sure, but if nothing else, if we can get more people to participate. The OpenSSF has a huge number of folks now involved and that's great. There's still some folks that we think should be involved that aren't yet, but we'd like them to be, so.

C: While we can't force anybody to be involved, we are trying to encourage them to be involved, and I think there is interest in either folks outside getting involved or folks who are involved being more so, and that's a very, very good thing. One last quick note that didn't come out in their summary is: we did talk about the need for this to be international.

C: It's not really a U.S.-only problem, and we actually got some pointers from the U.S. government because they have contacts with other governments and maybe trying to get more collaboration and such with many different governments, which would be, I think, a good thing, because it's not unique to... these are not issues unique to any one country.
A: And I guess the only thing, I'm fairly optimistic that this will be funded for real in the, you know, short to medium term. I think now is the right time, the realization's there. I think organizations are being pressured, particularly with the executive order, actually to be able to assert that all of this open source that they depend on, like, meets the bar, and an understanding that the bar is not, like, free of known CVEs.

A: So I'm, yeah, I'm optimistic, right. Oh, great news, thanks, yeah. Okay, to more mundane things, I guess. The metrics.openssf.org: we got that migrated over to the OpenSSF subscription, so that is now fully detached from, like, my work account. That's good. It was rebuilt, everything's been updated. We got the DNS moved over. It now... Scorecard v4 was released this morning.

A: Slowly, because I'm missing an index, and I just need to do that over the weekend and fix all that, but long term, though, I had a conversation with Jim Zemlin and Brian yesterday. I think that the right place for metrics.openssf.org to be is LFX Security as a platform, and for that platform to be expanded out to cover all of the projects. So directionally, like, I don't think we want to run our own infrastructure, especially for something like this, where we're just aggregating existing data sources.

A: I know there's active discussions going on on LFX Security on how to scale and financing and stuff like that. We'll cross that bridge, you know, when we get there, but I think directionally that's the right way to go for that. So the metrics site will probably live on for at least six months, maybe longer, depending on when that... when that shoot is good.
C: Yeah, I think the big challenge, and I presume you talked about this, is the whole, you know, originally LFX was more for LF projects. So how do we expand out so much more broadly? So glad to see the conversation happening, yep.
A: Cool. Security Insights: Luigi, not yet. How about security reviews, Amir? How are you?
D: Good, thank you. Had a good session with Dylan before our meeting. Big thanks to Dylan for helping fix some of the validator issues that we were having and just cleaning up the repo. A cool thing that Dylan did too, which we just tested, that seems to be working.

D: He split up the actions into kind of separate compartments, one of them being to automatically update that overview table as soon as a new security review is uploaded into the repo. So we tested that and that's working, and really just working to make the process easy, consistent, to drive more engagement and to make it easier for folks to share the work that they are doing.

D: Dylan, I know you typically have to leave a little early, but did I miss anything that you wanted?
E: No, no, that was great. I guess just for some updates, oh yeah, to what Amir just said. It's kind of confusing, the reason why I did this, but I had to separate the workflow, the GitHub workflow.

E: You know how you have that validator script running, Mike? So previously I just kind of tacked on a step to that to, like, generate an overview and stuff like that, but that only works on pushes, where the validator should be run on pushes and pull requests. After a while I couldn't figure out... that was the issue, because it does its own add, commit, push from the generate overview to, like, automatically recycle it.

E: So I can't do that on a pull request, because you can't, like, push to someone else's repo from your... if that makes sense. It's a very logistical thing, but so I did that and then I made some fixes to some of the reviews that were breaking the validator. One of them, I only realized until after I fixed them that you had already done it, like, so apologies.

E: So you scrapped yours there, but anyway, yeah, just logistical stuff, so that the build succeeds now, and just to make sure it stays consistent like that we're walking through. I was, like, discussing with Amir how to, like, to help us ensure that we are, like, trying to prevent that from staying tainted in the future by, like, submitting everything through PRs, even if it's...
E: Right, and all that kind of stuff, yeah, that's so.
E: Done, it's already... You can already look at the most recent commit. It says "updateoverview.md". That was not written by anyone; that was posted by the script upon a push by Amir, and it went through and it found anything that needed to be changed but the overview, and it changed it.
E: A good working draft, yeah. I'm not sure... the only thing I'm not sure about, because we haven't tested it yet, is because that only works on pushes, if that only works when Amir pushes because he's the admin, and he just made this push, or if, like, maybe someone help me out here, guys. So if I were to fork this repo, do I get all the actions, like, with it into my own little fork, and will that run in my own fork? I'm not sure.

E: If that's the case, then this just fully works. If not, it works when Amir posts something, I'm...
E: Right, but I disabled it on pull requests, only on push, yeah. So it's a weird thing, but regardless, it'll at least update as frequently as Amir makes a change, which is a lot more than not updating it, but yeah, ideally, yeah. So we're going to keep our eyes on that. I think it'll work still if someone else makes a change and pushes and then submits a PR, but yeah, I don't want to suck up too much time. That's...
D: But yeah, moving along nicely, and thanks to Dylan for helping with the back end stuff.
E: Very cool. Thanks for those reviews too, I think, Amir. I think, maybe it's just after our last meeting, but constantly turning in reviews there. So it's awesome stuff. It's definitely growing each meeting we got, so awesome, good work to you, Amir. Thank you.
C: The README, yeah.

E: All right, yeah, you only added just in the... okay.
E: Well, yeah, I still haven't gone through this old one and compared it to see if there was anything. Yeah, we kind of just left it up here to see if there was anything that, because this is actually, you know, this is a little prettier because it was manually done. So maybe, if there's, to get any inspiration from this, I haven't revisited that yet. I don't know if you guys have any questions.
E: No problem, I'll get on that right away. And does it sound like I have, you got permission to? Should we just delete this previous one, the overview of all reviews, and/or...
A: Cool, awesome. So no Luigi yet, so I'll wait on that for a little bit. Let's see, Alpha-Omega: I'm waiting to get job reqs finalized and sent out. I was hoping to have that done already.

A: It'll be really soon, so we're gonna be, I think, I think the initial highest head is six, though it might be five, but it'll wind up being a combination of: we need at least one security analyst, at least one top-tier engineer, who's gonna be, like, writing rules and doing things like that. A project manager and at least one product manager. A product manager would be overseeing the entire program, and the question is: do we need one for...

A: Can one split between Alpha and Omega, or do we need one for Alpha and one for Omega? So if you know any people, now is a great time to shoot me a note and we'll start chatting.

A: Obviously, once job descriptions are out, it'll be a little bit easier, but we're also looking for the right person to, you know, run this and kind of own this, kind of take ownership and be, like, the, you know, it's a startup, so it's like one of the first key hires in the startup. npm colors: I thought this was an interesting one just to touch on, because it was kind of an interesting attack, for those of you who aren't aware of it.

A: This was a little bit controversial, so I'll do my best to just, like, state the facts about this. This was a little over a week ago, maybe almost two weeks ago. The author, the maintainer of the npm colors package, which I think gets 20 million downloads, or 20 million or 4 million, it's a super popular npm package, sabotaged their own package, basically turned it into, it had to be, an infinite loop, and pushed a couple new versions in, and this is reportedly due to them being upset at not being compensated by commercial organizations that were using this package. They also deleted or published an empty version of faker and cleared out their GitHub repository for faker. So this is interesting because in most threat models we don't really...

A: You know, it's kind of akin to insider threat within the open source community. We usually, like, expect compromised accounts or fake stuff. David?
A: So yeah, so I mean some of the cleanup was a little bit awkward, and some stuff in the news on whether the right actions were taken, you know, within npm and GitHub and things like that. I think what's done is done. I think it's stable at this point, and the bad version of colors was removed from npm, I believe. Faker being empty is still there, but it was not malicious or destructive.
C: Yeah, my main comment was, which I mentioned earlier, you know, many folks, you know, a malicious developer is not a new construct. So I mean it is much less common, obviously, than the unintentional vulnerabilities by far, but it's certainly not new. I just put down at least two key things, you know, because in my mind, and I try to emphasize this also during that White House meeting, you know, the, you know.
C: One problem is that in general libraries shouldn't pin, particularly if you can only load one version, but even if you can't, that's a problem. But at least apps, if they do that, then this can counter that, because you don't just automatically load the... What happened is a lot of npm apps automatically load the latest version they've never tested, and all of a sudden, shocker of shockers.

C: You know, the latest version screws things up, and that can happen just unintentionally. Another thing that is: test before shipping. What an amazing construct. I think it's a good idea.
A: But I think the problem there is that, like, you know, in some ways, like, you could argue it was an attack, but it wasn't, like, you know, if the maintainer was really trying to make the, like, he would have, like, waited a bit, or exfiltrated variables, or, like, dumped memory, or, like, there's a ton of other things that could have been done that would have been malicious and would not have shown up through tests.
A: That turns malicious without, like, just kind of wakes up one day and becomes malicious, is really hard to defend against, and I agree that, like, pinning dependencies will keep you safe, but then, like, when do you ever update? Like, without any validation, like, you just defer updates until maybe someone else figures it out? You know, I don't know. This one kind of... the copycats to this attack frighten me more than most of the other ones out there.
C: I'm not revealing any state secrets, but at least for some folks, you know, for some organizations, particularly governments, I mean they're actually worried about militias and nation states, yeah.

C: Not just, I mean not just an individual, so the whole "hey, I'm worried about a malicious developer," again much rarer, but not a first. Yeah, you're right about the exfiltration not being discovered by testing, but I still think it's a good idea, because, oh definitely, even in fact, even if the testing only works against availability attacks as opposed to exfiltration attacks, they obviously can happen, and it does seem like a... I think it's always a good idea to test before you ship. I mean, I guess I'm kind of radical.
H: Against functionality, but what about acquiring information? I mean, if you are not doing anything malicious but just acquiring something that you are not supposed to, or a performance impact, I mean, answering in time depends on the time frame you want to answer. So, yes, and regarding the, I mean, as a developer, as an open source developer, you usually do it on your spare time.

H: If you are happy, it will... If you are lucky, you will get paid or any other source of income, but if you're talking about enterprises or states, they have more resources in terms of persons and time and money, and open source is based a lot on trust. So, yes, I'm with you, Michael.
C: Yeah, a little bit on that narrative, because we did a survey of open source developers and a little over half of the developers were specifically being paid to develop and maintain the open source software. Now, that does mean that a little under half aren't being, and therefore are volunteers as you described, but I don't want to leave this conversation thinking that everyone's a volunteer, because that's not true anymore. It hasn't... the Apache software, the Apache web server, they stopped being volunteers in the, I think, late 90s.
C: The problem with surveys, as anybody who's done a survey knows, is the survey is of those who respond to the stinking survey, which is a perennial problem. So this was actually a survey done by Harvard. What they did is they first went out with the list of critical projects they had done earlier and contacted them.

C: Specifically, they had a mailing list of those developers and contacted them first. However, because that's obviously a relatively narrow microcosm, they, you know, there was then a number of broad pushes to try to get...

C: I went on podcasts and, you know, basically trying to reach out through various blog posts and so on, to reach out to anyone who develops open source software. So it was really open to anyone who develops open source software, but there was a special push to emphasize the ones who were developing the software that really everybody depends on, yeah.
A: Cool, awesome. I think we're probably good on that topic. Luigi, hello. Oh, you're on mute.
G: Yes, I've written a YAML configuration with some regex. I need to add the description, for example, because now there is the schema, but there is no description for every voice or every input. I prefer to add the short description for everything, so people know why we have had a particular level, for example, and how to use it in the right way.

G: I have added some regex, just why not? It is a first version. It is just, where, I mean, it is a... The logic is that the user adds the input and this input is used by the Scorecard to add the missing information to solve false positives, for example, and of course we can improve the current schema. Especially, I would like to add something related to dependencies, slash BOM or SBOM.

G: I am not sure how to proceed now, because I mean there is that... this should be a sort of a human-readable file. But if we add the long list of dependencies, probably it's not sort of editable, so maybe we can find a good solution from user experience, because I am concerned about this point, honestly.

G: Maybe the standard is good, but if people don't start to use it, it is totally useless, and I am involved with the security.txt creator, EdOverflow. Why not? Because, well, our approach about methodology is similar to the security.txt, of course with more information, and I have seen that people start to comment on Slack. So probably this means that the project is becoming more mature.

G: We have a first draft. I have created on my GitHub a repo, but we can move under OpenSSF, so people can open issues, and especially I have written a first version, but it is not still the first version.

G: It is just a draft, but in this way people can open an issue and we can track them, the improvements that we can do before launching it, but we have a schema and...
G: Well, initially, our question was creating a file where some information, like the vulnerabilities crucial policy, can be added in the weapon and similar. But yes, I need to, I mean, this file can be scanned by the Scorecard. It's not the issue, and especially we can improve them.

G: The fields related to the CI and CD, because at the moment it is not mandatory. Probably cannot be mandatory if someone has not CI, especially for small open source projects, but I would like to have more information about CI. So if the Scorecard doesn't find the CI directly, because the CI is a very custom implementation, usually it can read the CI configuration and it can check if it is true, because the user needs to add the URL, and in this way we can create...

G: A YAML that can be used by the Scorecard, because for the Scorecard, I mean for the first implementation, I suppose that the most important features are reduce the false positives related to CI and reduce the false positives related to SECURITY.md or something similar like PDP, reduce the missing contact.

G: Because in this file you can add the contact, the owner of the project, and it can help also with the typosquatting, because if the user adds where a particular package is uploaded or shared, the user and the Scorecard or similar tool can say: okay, in this channel we have an official version.
G: I mean, yes, exactly. Sometimes you have a public CI, for example, if you are using a GitHub Action, you can say we are using the GitHub Action. The final user cannot see the result or the output of this CI, is not... the problem is normal.

G: If you have a file on your repo, you can, if you haven't, for any infrastructure configuration or particular environment setting, you cannot easily prove that you have a CI. At the same time, the Scorecard, I mean the OpenSSF dashboard, uses three colors: green, red and yellow. Maybe we can, when a project says that there is a CI but it cannot prove this...

G: We can use the yellow color or add the flag by saying the user says this, but we have no proof, so in the final counter we cannot, of course, increase the score for this information, but at the same time we can share with the final user this information.
A: Well, so, actually, the next thing, so Scorecards v4 switched from a pass/fail to a 0 to 10 scale, and as far as I can see, there's no, like, built-in what makes a pass, what makes a fail. You decide yourself, like: do you want nine or better to be a pass or fail?

A: So the idea of having, and I posted this into the meeting notes as an example from, I think this is left-pad. left-pad doesn't have a security policy, but if left-pad had a Security Insights file that said that my security policy is, I call it, you know, security-foo.md, then I would...
G: This is the... because at the moment you can just add the SECURITY.md empty and the Security Scorecard says that you have, so. The point is that sometimes it is helpful to have a link, so the user can read it, their search, for example, and the YAML file can add the Scorecard in this way. The point for me is now that, probably after that we agree on the first version of the schema, please dab it. You can open all the issues that you want, so I can implement them. Don't worry.
G: But we need to agree on the first version at the moment. I would like to keep the thing easy, because I'm really concerned that people can just not start to use it because it is too difficult.

G: At the same time, then we need to talk with the Scorecard team to say we would like to create this new standard with this information, like a sort of security.txt for weapon, and if you start to scan it, we can maybe spread better. Also for the Alpha-Omega, we could ask the maintainer to write this file. It can help them.

G: It cannot pass, and if we start to spread this standard in the popular projects, especially in the big corporate or popular open source projects or an entity, I suppose that people then follow, because if there is a standard, usually people like.
G: Yes, I would like to fix this with the first implementation, so having the right path, having the right URL that maybe the Scorecard cannot find, having the contact for the human, having some information on the CI with the URL, if you can prove it better, because so the Scorecard can improve it and the Scorecard needs just to implement this check. And again, David, sometimes, so maybe I don't remember everything that, yes, another point. Yes, please. Let me open issues in the repo for now, so I can update in a synchronous way.

G: I really need this, or just write on Slack, so discussion can receive other comments and we can find the best solution. Probably you are right. Our first draft document for this project is now not so aligned. I mean, it's aligned, but not well ordered, and probably I would like to rewrite it in Markdown, because some people, we can easily update it on GitHub.

G: I have just done a very quick copy-paste of some main paragraphs, but probably I need to rewrite it in Markdown on the repo, and I will add you as reviewer using it. So we can have also the review process and we can proceed in this way. So next steps probably are: formalize the CI check, or where people can put the URL for CI or something similar, and...
C: Back to them was that, okay, maybe you don't have as much confidence, but you've already got a 0-10 score. So maybe you give it a lower score if you can't find the tool, but there's a Security Insights that says that it is. The one thing I'm concerned, I raised this earlier and I'm not sure how to deal with it, is...

C: You know, I'm open to using this within the Best Practices badge, you know, in concept, but we're gonna have to find a way to get the information that the badge needs. So, for example, in many cases it needs not just where it is, but why does this meet the criteria, a justification, which is at least a URL and in many cases text, because this markdown text was with URLs allowed, and so that's going to be...
G: Yes, I mean, just about the badge, just to be sure if I have rightly understood the flow at the moment. You have an open source project and you want to obtain the badge. To obtain the badge you need to meet some requirements, right. Okay, these requirements can be checked by an automated tool like the Scorecard, a small...

C: Minority can, most cannot. The badge, early on, we identified... we tried to identify what was important and we found the vast majority were really not automatable. Therefore we emphasized what a human could respond to, whether or not it could be automated. If it can be automated, we try to automate it.
G: To be automatable, okay, so the point is, I have my open source project. I want... I meet the requirement for the badge, but I need to prove this because there are no automated scanners that can prove this for me. So I can add this information with URL, with tags, so we can define it to the YAML and then the scanner can...
G: One you talking about, okay, so the Scorecard doesn't need to use this information, just for human.
C: If you want to plug into the automated system of the badging system, you've got to provide the data that it needs, which is in many cases not just whether or not something is true or false. It needs to know whether or not something is true or false, and the justification for it. Okay.
G: A second question: the justification can be long, I suppose, sometimes, okay, and this is the point, the same challenge that I have, for example, for the third-party packages. We want to add the text directly in the YAML and it can be not so human friendly, then, or we want to ask the developer to write a text file, put where they want, to add the link to the YAML file.
C: I'm not sure I understand what you say, but I mean it's not hard to edit a YAML file, and although the text can be long for the justification, what we typically tell people is write a short justification with the URL that points off to the...

C: You could... there is actually a limit on it. I think it's like 64k, so it's not much of a limit, but it has to be UTF-8. There we go, so there are limits. But let's see here, are there other things, or is this the last topic, Mike?
A: I think that was the last topic. Wait, did I have something else? Oh, I just wanted to see if anybody thought that we should iterate again on the threats paper and actually put some time and cycles into a v-next. The paper's coming up on two years old now, so I don't know how much of the ecosystem has changed, but this is a, you know, couple dozen hours worth of work if we want to do it.
C: I suspect we've got other fish that are higher priority. So, let's see, you know what, I probably can... can I share my screen? You can try, I can try, alrighty. Did it work?

C: All right, so let's see here, I'm just going to go to... Oh, we can look at the Linux kernel. We can look at... I usually use the badge itself, because the badge itself also earns its own badge, because we're trying not to be hypocrites, and what you find is that there's a whole bunch of criteria that have to be met, with some cases they can be...
C: I did it, okay, all right. Let me quickly log in, because I'm trying to not... all right, let's see here, all right, we don't use a password, but still, yeah. Actually I'm not using a password, so I guess it doesn't matter, all right. Well, I did that anyway. So let me go back to the Microsoft Teams and click on share screen.

C: Okay, so if I look at its JSON format...
C: The page, yeah, although to be fair, I mean there are three tiers, and so you don't actually need to answer all questions, and the automation does help, all right. But here is, if you look at the JSON format, I'm using Firefox because it does a nice job of prettily showing JSON. For each of these there's a, you know, a status, basically a matter of met, and a justification.

C: Well, you don't have to add them all, but obviously the ones that are done means that we can try to kill this.

C: The ones that are done are ones that we can then automatically extract from also, and the reason to automatically extract is, you know, it's really not hard for a human to enter into a form for a single project. The real challenge has been, for example, the npm packages, where people like to package up is-odd and is-even, and answering a lot of questions for something that's one line long is a little more dubious.
C: Yep, yeah, so let's see here. So I will add a link as the sample and we can... I would be happy to talk about that as a, you know, a potential user, but we'll need to figure out how to make it provide data that we can actually directly use.
G: Because, for example, there are some inputs, or I mean data, that we already have in the current schema, and I don't know if we want to create a sort of duplicate. If...
C: We can create, we don't have to, but then we've gotta figure out what the mapping is, and obviously that adds additional complexity to the processing, because now it means you gotta look at multiple places, and for all of them, even if they're somewhere else, it's not a big deal, but it's not just "hey, is something present." For some of these it's "is it present and does it meet certain criteria?"
A: If I could make a recommendation, and I don't feel strongly either way, but I think we should be intentional about whether or not Security Insights kind of subsumes in some way the criteria from badge, or... because you could probably make similar arguments that, you know, the security policy should actually be defined within Security Insights and not within SECURITY.md, and I think that would be the wrong thing to go, that it would be wrong to do that for SECURITY.md, and not sure.
C: It's the connector, as you will.
A: Yeah, I'm just afraid of Security Insights becoming this enormous, complicated, never finished and never used tidbit of history. I'd much rather have something simple that is used in the next month, that we all try out, and then we iterate on it for 1.1 with the complaints of people that say, you know what, yes, we include the links to SECURITY.md, but, like, 40 of them are blank files, so.
C: Right, you know what, and it's perfectly reasonable, for example, for the Security Insights to only have a couple fields relevant to the badge, and then it just... it loads in Security Insights, looks at that if it exists, and loads in just those fields if they are present, and then uses only them, and that would be a perfectly fine way to use it.
C: Here's how to find the other direction, yeah. I was actually thinking the other direction. When you start a badge, let's say you're managing 100 npm packages, and you want a badge for each of them, being able to create a little Security Insights file that pre-fills in some information, and then you make a copy and say: hey, yeah, I do this because I do it the same way for all my projects.
A: Perfect. I have to run to another meeting. Thank you all very much. I really appreciate everybody's time. Great conversation today, enjoy the rest of your week. Everybody, thank you. So.