►
From YouTube: Scorecards Biweekly Sync (November 3, 2022)
A
A
A
A
B
Hey
I'm,
one
of
the
new
faces
Sarah
Evans
from
Dell
Technologies.
One
of
my
roles
within
the
company
is
to
help
understand
how
my
company
can
activate
and
contribute
to
the
accomplishment
of
the
software
security
mobilization
plan.
So
one
of
the
goals
and
work
streams
is
around
digital
digital,
risk-based,
metrics
dashboards,
and
that's
that's
something
that
we're
internally
leaning
into
how
we
can
help
contribute
to
that
so
I'm
attending.
A
A
C
Hi
yeah,
so
we
we
had
a
couple
of
open,
open
issues
for
score
scorecard
to
check
whether
git
commits
are
signed
and
both
of
those
issues
are
kind
of
like
pre
pre.
The
recent
changes
with
SSH
Keys
being
being
useful
for
creating
good
signatures,
so
I
I
just
wanted
to
get
people's
thoughts
on
these
two.
C
D
B
C
I
think
my
my
view
is
like
SSH,
commit
signing,
is
still
fairly
new
and
not
a
lot
of
people
have
adopted
this
yet.
So
it
would
be
good
for,
for
this
check
to
be
useful
for
like
maintainers
and
actionable
like
if
they
don't
know
how
to
set
up
signing
over
to
like
help
them
set
that
up
that
that's
kind
of
what
I
see.
A
I'm
gonna
I
want
to
comment
on
this.
Obviously
rag
upgrade
the
thing
itself.
There's
not
many
of
them
are
utilizing
SSH,
like
you
mentioned
so
so
you
mentioned
it's
gonna
and
obviously
the
git
sign
from
the
six
total
communities
also
there.
So
if
you
attack
process
to
include
SSH
and
the
git
sign,
and
that.
A
The
get
the
six
store
has
came
has
come
up
with
a
using
six
dollar
identity
to
sign
comments,
but
that,
but
that
root
key
is
not
still
in
github's
rookie.
So
essentially
they
don't
consider
it
as
sign
comments,
that's
something
we
probably
should
think
about
what
how
do
we
deal
with
that
Jeff?
Do
you
have
a
comment.
E
Yeah
I
feel
like
this
is
that
you
know
you're
you're
concerned
about
it's
not
widely
used.
Yet
is
something
that
comes
up
with
multiple
checks
in
general,
where
you
know
we
want
to
have
different
levels
of
maybe
not
like
score.
I
mean
clearly
like
there's.
We
have
levels
of
score,
but
kind
of
you
know
what
we
consider
requirements
and
we'll
give
you
a
bad
score
for
and
then
other
checks
for,
maybe
maybe
like
going
above
and
beyond,
or
maybe
something
that's
optional.
E
This
is
something
we're
throwing
in
we're
going
to
start
measuring
it
we're
going
to
start
reporting
it,
but
it's
not
going
to
affect
people's
score
until
we've
seen.
You
know
how
people
react
to
it
and
then
decided
that
it's
something
we
want
to
kind
of
make
part
of
some
a
requirement
to
achieve
a
high
score.
A
C
Yeah,
like
experimental
scores,
would
be
good,
I.
Think
there's
also
like
the
the
structured
results
changes
that
may
that
could
be
there
in
the
future.
That
could
help
like
present
something
like
this,
and
if
we
really
really
don't
want
it
like
anywhere
near
the
scores
at
all,
it
could
also
just
be
in
the
in
the
Raw
results
where,
where
we
like
present
structured
information
about.
E
D
B
D
A
C
Yeah
I
was
looking
for
kind
of
like
to
to
not
identify
answers
yet
just
like
to
identify
open
questions,
and
it
seems
like
one
open
question,
is
what
verification
methods
do
we
accept
for
like
signatures
like
it
sounds
like
at
least
like
three
in
GitHub
and
then
maybe
also
get
signed?
Maybe
there's
some
more.
So
that's
like
one
thing,
I'm
going
to
try
to
think
about.
C
A
And
on
that
note,
you
should
probably
explore
Community
as
their
opinion,
because
yeah
I,
if
you
just
jump
on
this,
like
they
usually
have
people
asking
similar
questions
and
it'd-
be
nice
to
get
their
opinion.
Also
on
that
just
to
hear
some
thoughts
on
that
they've
really
thought
about
these
things.
D
C
A
E
B
B
There
was
a
a
group
of
a
lot
of
representatives
from
different
companies
that
went
to
the
White
House
and
had
this
follow-up
Summit
to
one
that
was
in
January
that
created
this.
This
mobilization
planet
has
three
goals
and,
within
each
of
those
goals,
I
think
a
total
of
10
work
streams
within
goal,
one
there's
the
goal
to
secure
OSS
production
and
if
you
go
down
and
you
look
at
I-
can
put
this
link
in
the
chat
button.
B
Goal
two
is
to
establish
a
public
vendor
neutral,
objective,
metrics-based,
risk
assessment,
dashboard
for
the
top
of
10,
000
or
more
components,
and
you
know
it
references
the
security
scorecards
for
that
assessment.
So
one
of
the
things
that
I'm
interested
in
understanding
a
little
bit
more
deeply
and
that's
hence
my
attending
today
is
if
my
company
wants
to
have
some
industry
participation
in
helping
to
accomplish
the
goals
of
the
stream
too.
E
E
And
so
you
know
if,
if
anybody
wants
to
contribute
on
that,
then
then
this
is
the
place.
So
here
it's
here,
it's
slack,
it's
our
and
it's
our
GitHub
repository
the
openssf,
slash
scorecard
I
was
going
to
say
something
else,
but
I
forgot.
Oh
the
other
things,
so
you
know
scorecard
kind
of
helps,
signing
and
s-bomb
indirectly.
So
we
don't.
We
don't
build
tools
to
help
make
that
easier,
but
we
it
the
more
scorecard,
gets
popular.
B
E
E
What
is
it
called
I
forget,
it'll,
show
you
the
score
or
the
other
sorry
I'm,
not
I'm,
I
can't
remember
all
the
different
websites,
but
and
and
we're
trying
to
have
like
a
scorecard
website
ourself,
but
there's
things
like
badges,
we're
doing
a
lot
of
things
to
try
to
get
people
to
know
about
scorecards,
but
we're
not
actually
focused
specifically
on
this.
This
dashboard,
that's
called
out
on
this
in
this.
E
The
kind
of
difference
between
those
is
the
best
practices
badge
is
something
that
you
attest
to,
and
it's
not
necessarily
something
that
can
be
proven
or
automated.
With
code
to
measure
the
whether
you
achieve
the
badge
or
not
and
scorecards,
tries
to
measure
and
and
rank
everything
that
can
be
detected
automatically.
D
A
That
that
the
cncf
Team
build
they
came
to
cncf
and
they
took
they
took
the
CNT
of
all
projects
and
took
scorecard
API
and
got
a
monitoring
dashboard.
This
is
just
for
it's
an
open
source
project
so,
but
they
built
it
for
cncf
and
explanation
projects
just
wanted
to
answer
your
question
Sarah.
It's
not.
B
Okay
and
I
know
I've
worked
with
my
colleague
internally,
who
was
deeply
involved
in
the
LF
Edge
website
and
something
called
project
alvarium,
which
was
doing
some
attestation
and
confident
scoring
algorithms,
and
he
combined
the
two
to
create
a
dashboard
of
sorts
and
so
I
wonder
you
know
what
might
be
that
the
next
steps
to
activate
taking
you
know
the
value.
That's
in
this
work
hard
or
the
best
practices
and
building
out
a
dashboard
or
if
that's
another.
You
know
something
like
a
clo
monitor.
A
Someone
was
supposed
to
come
and
talk
to
us
in
our
scorecards
meeting
supposed
to
come
and
ask
us
because
they
were
trying
to
get
data
from
scorecard
to
go.
Pull
into
that
and
initial
scope
was
again.
It
could
be
wrong.
The
initial
scope
was
only
for
the
Linux
Foundation,
but
then
they
decided
it's
essentially
going
to
be
for
lots
of
other
projects
until
another.
Another
project
I,
don't
know
if
you're
aware,
there's
another
open,
SSL
project
called
it's
called.
A
It's
called
criticality
score,
which
takes
a
thousand
critical
projects
like
that
takes
not
just
thousand
that
it
takes
probably
about
first
hundred
thousand
figures
out
what
are
the
top
100
000
critical
projects?
This
is
something
if
you're
interested
in
if
your
team
is
interested
in
building
a
dashboard.
Would
specifically
this
data
would
be
helpful,
because
this
is
calculating
criticality
score
based
on
certain
algorithm
and
metrics.
E
B
Possible
that
kind
of
the
dashboard
functionality
wrote
requires
some
additional
conversations,
perhaps
with
the
team
doing
criticality
score.
David
wheeler,
just
kind
of
maybe
getting
getting
those
interested
in
helping
to
build
a
dashboard
that
pulls
off
the
scorecards
kind
of
trying
to
talk
through
what
that
I.
E
You
know,
I
think
the
answer
might
be,
please,
you
know
go
ahead
and
if
you
know
if,
if
you're
interested
just
try
to
try
to
lead
an
effort
here,
because
maybe
we
have
a
gap
where
we
need
somebody
to
think
okay,
let's,
let's
pick,
let's
do
a
dashboard
and
we
need
to
start
off
with
analyzing
like
is
there
anything
out
there
that
we
can
use?
Is
anybody
already
working
on
it
and
what
can
we?
What
can
we
adapt
to
kind
of
pulling
all
this
data
in.
E
Continue
I
think
it
would
be
yeah
I
think
it
would
be
trying
to
drop
in
on
some
of
the
other
working
groups.
This
isn't
actually
a
working
group.
This
is
a
maintainer
meeting
for
these
projects.
Working
groups
are
kind
of
places
where
you
would
start
like
propose
a
new
work
effort
to
try
to
say:
hey,
like
I,
want
to
start
looking
into
these.
Is
there
anybody
that
wants
to
work
with
me.
That
kind
of
stuff
is
this?
Is
this
working
group
a
good
home
for
this
effort?
E
I
work
on
the
securing
critical
projects
working
group
I
can
tell
you,
we
don't
have
anybody
there.
Looking
at
dashboards,
we're
more
about
criticality
in
the
this
scorecards
comes
from
the
best
practices
group
I,
don't
know
you
know
that
one
might
be
one
to
check
out
and
then
there's
a
few
there's.
There
seems
to
be
new
ones
coming
up
pretty
often,
but
they
tend
to
have
you
know
they
tend
to
have
like
a
GitHub
repository
with
the
readme.
E
That
kind
of
covers
their
efforts
that
they're
working
on
at
the
moment
and
then,
of
course
they
all
have
they'll
have
slack
channels.
So
if
I'm
sure
it'll
take
a
lot
of
time
to
try
to
go
to
Every
meeting,
but
it
might
be
faster
to
just
can
ask
in
each
slack
channel
for
the
working
groups
or
even
General
in
the
open
ssf
to
see.
Is
anybody
working
on
dashboards
for
scorecards
and
stuff
like
that.
B
Okay,
I
know
Brian
bellendorf
a
while
back
had
put
together
this
possible
alignment
for
those
mobilization
plan
streams
to
working
groups
and
the
one
he
the
one
that
was
just
draft
version
suggested
was
to
align
with
the
identifying
security
threats
working
group.
Did
you
say
that
was
one
that
you
were
on
or
which
one
did
you
say
you
were
on.
B
E
But
yeah
long-term
thinking
forward,
like
we
absolutely
like
as
the
scorecards
tool,
we
want
it
to
work
and
integrate
with,
and
you
know,
work
well
with
any
kind
of
dashboard
or
the
way
that
we
can
make
that
this
data
visible.
So
if
you
end
up
coming
up
with,
you
know
some
kind
of
existing
software
that
you're
looking
to
adapt
and
you
need
us
to
look
and
see
how
we
can
pipe
our
data
in
or
figure
it
out.
How
that
can
can
get
integrated.
Yeah
we'll
be
happy
to
take
a
look.