From YouTube: Scorecards Biweekly Sync (November 3, 2022)
A: I'll give it another minute to make sure people are coming in, or I'll jump in and start the meeting.

A: [inaudible] of Scorecard, welcome. We do see new faces here. It's a good opportunity, if you want to introduce yourselves.
B: Hey, I'm one of the new faces, Sarah Evans from Dell Technologies. One of my roles within the company is to help understand how my company can activate and contribute to the accomplishment of the Software Security Mobilization Plan. So one of the goals and work streams is around digital, risk-based metrics dashboards, and that's something that we're internally leaning into, how we can help contribute to that. So I'm attending this call for the first time to understand the role that this working group may play in helping to accomplish that mission with the Mobilization Plan.
A: Thank you. I think, if I'm not wrong, the rest of you have been in these meetings before. Next, I'm going to jump on to the project updates: Ryan Russell and I will be presenting at the Linux Foundation Member Summit, which is next Thursday.

A: The next item is Raghav. Raghav, you have an item regarding commit signing.
C: Hi, yeah, so we had a couple of open issues for Scorecard to check whether git commits are signed, and both of those issues are kind of from before the recent changes with SSH keys being usable for creating git signatures, so I just wanted to get people's thoughts on these two.

C: The first is that we have a Branch-Protection check, so there's a branch protection setting in GitHub where a maintainer can require a commit to be signed, so every commit that goes into a project, like on the default branches, would be required to have a signature with a real committer identity there. And then the other one is the other kind of way Scorecard could help, like some kind of identity check.

C: I think my view is, SSH commit signing is still fairly new and not a lot of people have adopted this yet. So it would be good for this check to be useful for maintainers and actionable, like if they don't know how to set up signing, to help them set that up. That's kind of what I see.
A: I want to comment on this. Obviously Raghav brought up the thing itself: there's not many of them utilizing SSH, like you mentioned. And obviously gitsign from the Sigstore community is also there. So if you add that to the process to include SSH and gitsign, and that.
C: Yeah, I guess we would accept any kind of signatures. From GitHub I've only seen GPG, SSH and, I think, S/MIME signatures.
A: Sigstore has come up with using a Sigstore identity to sign commits, but that root key is still not in GitHub's root keys. So essentially they don't consider them signed commits. That's something we probably should think about, how do we deal with that. Jeff, do you have a comment?
E: Yeah, I feel like this thing you're concerned about, that it's not widely used yet, is something that comes up with multiple checks in general, where we want to have different levels of, maybe not like score. I mean, clearly we have levels of score, but kind of what we consider requirements and will give you a bad score for, and then other checks for maybe going above and beyond, or maybe something that's optional.

E: So I think taking a step back and saying, is there a way we can categorize checks for things that maybe don't go into the primary score, or maybe there's a secondary score, or maybe there's an optional score with optional things enabled. And if we had that, then it would be super easy to throw something like this in, or anything else that's kind of experimental, and say, hey, this is something we're throwing in, we're going to start measuring it, we're going to start reporting it, but it's not going to affect people's score until we've seen how people react to it and then decided that it's something we want to make part of a requirement to achieve a high score.
C: Yeah, experimental scores would be good. I think there's also the structured results changes that could be there in the future that could help present something like this, and if we really don't want it anywhere near the scores at all, it could also just be in the raw results, where we present structured information about it.
E: Yeah, because one thing I think I would be worried about is, if we added it behind a flag and it didn't actually run unless you turned it on, then we wouldn't get any data. Nobody would run it and we wouldn't see what's going on.
D: Just one other thing, as we have a contributor working on GitLab support. For example, SSH key signing on GitLab is something that's being developed too, so I know, if signing commits is going to be a new check, you can already sign with GPG on GitLab and SSH support is coming too.
C: Yeah, I was looking not to identify answers yet, just to identify open questions, and it seems like one open question is what verification methods we accept for signatures. It sounds like at least three in GitHub and then maybe also gitsign, and maybe there's some more. So that's one thing I'm going to try to think about.
A: And on that note, you should probably ask the community for their opinion, because if you just jump on this, they usually have people asking similar questions and it'd be nice to get their opinion also on that, just to hear some thoughts, since they've really thought about these things.
A: Okay, I don't see any other agenda items. Does anyone else have anything that we want to discuss? It's open floor right now.
E: Did we want to spend some time talking about, you know, seeing if Sarah has any questions, as to whether Scorecard can work in dashboards, or...
B: Yeah, so I'm looking for... I don't know how familiar you are with the Software Security Mobilization Plan. I'm trying to get a link to it real quick so I can throw it in the chat, to kind of drive what I'm trying to accomplish.

B: There was a group of a lot of representatives from different companies that went to the White House and had this follow-up summit to one that was in January, which created this. This Mobilization Plan has three goals and, within each of those goals, I think a total of 10 work streams. Within goal one, there's the goal to secure OSS production, and if you go down and you look at... I can put this link in the chat.

B: Goal two is to establish a public, vendor-neutral, objective, metrics-based risk assessment dashboard for the top 10,000 or more components, and it references the Security Scorecards for that assessment. So one of the things that I'm interested in understanding a little bit more deeply, and hence my attending today, is, if my company wants to have some industry participation in helping to accomplish the goals of stream two, where can companies that are interested in participating in accomplishing this goal in stream two kind of lean in? So I wanted to attend the Security Scorecard meeting, since it was specifically hyperlinked and referenced in this plan, to kind of figure out and develop some relationships and networking, and to understand how one might accomplish this and get involved in accomplishing it.
E: ...that they say, hey, we should measure the posture of open source. So yeah, I think the vision there is that this tool that this group works on is going to power that dashboard. We're not working on the dashboard, and then, of course, they mentioned that the dashboard could pull in other things.

E: But, you know, so yeah, that's the point of Scorecards: to measure how reliable or secure a third-party open source project is, and then come up with one top-level score and multiple scores you can drill down into, for where it ranks in different areas.

E: And so if anybody wants to contribute on that, then this is the place. So it's here, it's Slack, and it's our GitHub repository, openssf/scorecard. I was going to say something else, but I forgot. Oh, the other thing: Scorecard kind of helps signing and SBOM indirectly. So we don't build tools to help make that easier, but the more Scorecard gets popular...
B: Do you know, has this team yet... I haven't gone back and looked at the agenda, I'm trying to get access to that... explored what that dashboard format might be, how it might formalize and take shape? Has that really been something discussed?
E: Yeah, we've mostly just been focused on the tool. There are some efforts like a website, and trying to get Scorecards to show up in other tools, like if you go to the Go package manager, you know, the package website...

E: What is it called, I forget. It'll show you the score. Or the other... sorry, I can't remember all the different websites, but we're trying to have a Scorecard website ourselves, and there's things like badges. We're doing a lot of things to try to get people to know about Scorecards, but we're not actually focused specifically on this dashboard that's called out in this plan. We hope to be the source of data, the primary source of data honestly, for that, and then they may pull in other sources that are not automatable. So the two things that are on that work stream are Scorecards and the CII Best Practices badge, which has been renamed.

E: The kind of difference between those is that the Best Practices badge is something that you attest to, and it's not necessarily something that can be proven or automated with code to measure whether you achieve the badge or not, and Scorecards tries to measure and rank everything that can be detected automatically.
A: ...that the CNCF team built. They came to CNCF and they took all the CNCF projects and took the Scorecard API and got a monitoring dashboard. It's an open source project, but they built it for CNCF and [inaudible] projects. Just wanted to answer your question, Sarah. It's not...
B: Okay, and I know I've worked with my colleague internally, who was deeply involved in the LF Edge website and something called Project Alvarium, which was doing some attestation and confidence scoring algorithms, and he combined the two to create a dashboard of sorts. And so I wonder what might be the next steps to activate taking the value that's in this Scorecard or the Best Practices and building out a dashboard, or if that's another... something like CLOMonitor.
A: I do... I don't know. David Wheeler, who works with OpenSSF, had mentioned the Linux Foundation is working on a similar dashboard effort.

A: Someone was supposed to come and talk to us in our Scorecards meeting, supposed to come and ask us, because they were trying to get data from Scorecard to pull into that. And the initial scope was, again, I could be wrong, the initial scope was only for the Linux Foundation, but then they decided it's essentially going to be for lots of other projects. And then another project, I don't know if you're aware, there's another OpenSSF project called...

A: It's called Criticality Score, which takes a thousand critical projects, like... it takes not just a thousand, it takes probably about the first hundred thousand and figures out what are the top 100,000 critical projects. This is something, if you're interested, if your team is interested in building a dashboard, specifically this data would be helpful, because this is calculating a criticality score based on a certain algorithm and metrics.
B: ...possible that kind of the dashboard functionality requires some additional conversations, perhaps with the team doing Criticality Score, David Wheeler, just kind of maybe getting those interested in helping to build a dashboard that pulls off the Scorecards, kind of trying to talk through what that...
E: You know, I think the answer might be, please, go ahead, and if you're interested, just try to lead an effort here, because maybe we have a gap where we need somebody to think, okay, let's do a dashboard, and we need to start off with analyzing, like, is there anything out there that we can use? Is anybody already working on it, and what can we adapt to kind of pull all this data in?
B: ...a gap, and I'm learning things, especially if I lean into some additional resources on my team who may have some ideas. Then we can see where that goes, yeah.
E: ...continue. I think it would be, yeah, I think it would be trying to drop in on some of the other working groups. This isn't actually a working group; this is a maintainer meeting for these projects. Working groups are kind of places where you would start, like, propose a new work effort, to try to say, hey, I want to start looking into these, is there anybody that wants to work with me? That kind of stuff. Is this working group a good home for this effort?

E: I work on the Securing Critical Projects working group. I can tell you we don't have anybody there looking at dashboards; we're more about criticality. Scorecards comes from the Best Practices group, I don't know, that one might be one to check out, and then there's a few... there seem to be new ones coming up pretty often, but they tend to have a GitHub repository with a README that kind of covers the efforts that they're working on at the moment, and then, of course, they'll all have Slack channels. So I'm sure it'll take a lot of time to try to go to every meeting, but it might be faster to just ask in each Slack channel for the working groups, or even #general in the OpenSSF, to see if anybody is working on dashboards for Scorecards and stuff like that.
B: Okay, I know Brian Behlendorf a while back had put together this possible alignment of those Mobilization Plan streams to working groups, and the one that was just a draft version suggested was to align with the Identifying Security Threats working group. Did you say that was one that you were on, or which one did you say you were on?
E: But yeah, long-term, thinking forward, as the Scorecards tool we absolutely want it to work and integrate with, and work well with, any kind of dashboard or any way that we can make this data visible. So if you end up coming up with some kind of existing software that you're looking to adapt and you need us to look and see how we can pipe our data in, or figure out how that can get integrated, yeah, we'll be happy to take a look.
B: I don't think so. I have got some really good information and made a couple of new contacts today, so I appreciate the conversation. I don't have anything further today.
A: Perfect. Okay, nothing else. We have time back for everybody. See you all in two weeks. Thank you.