►
From YouTube: Scorecards Biweekly Sync (June 1, 2023)
A
D
E
A
It
seems
like
it's
probably
close
to
a
quorum
to
get
going
so
I'll
kick
us
off,
so
hi
everybody,
I'm,
Jeremy,
Katz
I'm,
with
tidelift
I've
volunteered
to
be
the
facilitator
for
today.
At
the
end
of
this
meeting,
we'll
ask
for
somebody
to
facilitate
the
next
meeting
in
two
weeks.
So
you
too
can
do
this.
F
Of
adding
some
things
to
the
minutes
that
we'd
like
to
talk
to
a
bit
later
and
so
yeah,
we
were
basically
a
team
that
we're
Google
employees
and
we
work
full-time
on
external
contributions,
so
basically
helping
other
projects
improve
their
supply
chain.
Security
and
scorecard
is
basically
the
tool
that
we
use
to
do
this,
so
our
work
is
both
trying
to
improve
scorecard
adoption
type.
The
scorecard
action,
for
example,
for
repositories
and
also
simply
suggesting
supply
chain
improvements
in
all
the
Myriad
ways.
A
H
Oh
thanks,
Jeremy
yep,
so
I'm
Josh,
Clements
I'm
I
work
on
an
osbo
at
Analog.
Devices
I
was
lucky
enough
to
stumble
into
the
open
ssf
day
at
open
source,
Summit
North
America.
This
is
past
month
and,
like
I,
made
the
mistake
of
telling
my
company
that
I
went
and
they're
like
cool
go.
Do
more
of
that
I
am
starting
to
see
some
familiar
faces,
since
I
am
doing
more
of
that,
but
I'm
still
going
to
continue
to
get
as
much
mileage
as
I
can
out
of
that
joke.
H
A
I
A
lot
of
people
are
taken
off
of
admin,
which
means
you
can
actually
see
what
the
collaborator
settings
are
on.
The
repos
I
think
scorecard
folks
added
your
own
admin.
Repo
I
had
to
have
an
All-Star
admin.
I
mean
admin,
team
added,
so
yeah,
just
an
FYI
to
double
check
that
any
GitHub
settings
and
permissions
are
correct.
The
right
people
have
access
that
they
should
have
or
shouldn't
have
yeah.
That's
it
for
that.
B
A
J
Your
score
is
proportional
to
the
inverse
of
that
more
the
more
reviewed
PRS.
You
have,
the
better
your
score
and
the
probably
the
the
only
change
now
from
status
quo
before
that
is
that
there's
only
activity
by
like
like
automated
activity,
we
just
kind
of
erase
that
there's
insufficient
data
to
give
a
scorecard
score.
So
I
think
most
leaders
like
maintainer
alignment
on
this,
but
or
like
on
on
the
general
approach
and
maybe
like
a
few
edge
cases
that
need
to
be
figured
out.
K
B
L
D
J
J
B
D
B
K
I
want
to
let
everyone
know,
so
it
doesn't
feel
like
a
random
document
that
shows
up
at
some
point
and
then
I
also
just
wanted
to
say.
I
I
think
that
as
I
started
putting
this
together,
it
starts
opening
up
the
door
to
the
larger
conversation
of
how
we
want
to
version
different
releases.
I.
Don't
think
that's
really
in
scope
for
for
this,
but
I
think
it's
a
topic
for
the
future
too,
that
I'll
I'll
be
bringing
back.
A
F
Yeah,
so
that
is
what
it
sounds
like
one
thing
that,
like
we
think
that
would
be
pretty
good
for
scorecards
and
honestly
other
open
ssf
projects
as
well
would
be
having
a
contributor
ladder.
So
there's
already
an
open
issue
for
that,
and
so
we
actually
already
came
up
with
a
quick
draft
of
what
we
would
like
to
see.
I
don't
know,
and
it's
heavily
based
on
six
doors
ladder.
They
they
have
one.
F
So
we
made
some
changes
on
top
of
it,
but
something
just
to
to
check
out
and
I
shared
it
as
a
as
a
Google
doc.
Just
because
it's
like
for
this
sort
of
thing,
I
think
it's
been
easier
to
collaborate,
but
obviously,
if
everyone
prefers,
we
can
obviously
send
this
over
as
a
PR
instead,
and
the
dock
is
currently
written
like
as
a
like
overall
open,
ssf
contribution
ladder.
F
F
F
E
I
I
I'll
make
some
comments,
but
one
thing
I
think
is
good,
given
that
I
was
just
messing
with
all
the
GitHub
teams
is
yeah
like
be
really
clear,
at
least
for
the
one
that
scorecard
adopts,
which
level
reflects
to
which
team
and
and
what
what
permissions
that
gives
you
I
do
see
that
there
are
some
like
defined
by
and
privileges
here.
So
that's
good,
so
yeah
I'd
be
explicit.
There.
I
I
I
F
I
mean
that
makes
perfect
sense.
Just
like
one
question,
though,
and
the
scorecard
maintainers
will
obviously
be
able
to
answer
this
better
than
I
could
also
Imagine
is
how
much
of
a
workload
is
just
handling
the
PRS
and
handling
the
issues
and
answering
all
the
issues,
because
the
triage
role
does
not
have
shall
we
say,
contents
right
permissions,
but
they
do
have
issues
right
permissions
and
that
they
can
close
or
reopen
issues
the
label
issues
they
can
label
PR's.
They
can
close
PRS
again
to
prove
them
or
merge
them,
but
they
can.
K
F
B
N
Another
point
that
I
I
see
is
like
the
three
Ager
could
be
kind
of
a
way
to
get
to
be
a
maintainer
so
you'll.
By
being
a
treasure,
you
will
like
you,
get
to
know
a
lot
of
issues.
Label
them
and
get
them
are
like
knowledge
of
the
the
the
repository
and
they'll
like
make
it
make
it
a
easier
path
to
become
a
maintainer
as
well.
It's
kind
of
in
the
middle
of
the
way.
A
In
some
cases,
it
certainly
is
the
unwramped
to
bigger
contributions
in
a
lot
of
other
cases.
They're
there
there
is
a
large
set
of
folks
out
in
the
world
who
actually
just
really
enjoy
doing
sort
of
that
triage
sort
of
that
that
grooming
of
kind
of
I
always
think
about
bugzilla
grooming
for
Mozilla
back
in
the
day,
or
you
know
that
there
was
actually
a
pretty
strong
community
of
folks
who
were
focused
purely
on
just
the
like
triage,
getting
rid
of
the
things
that
are
noise.
Saying
that
things
are.
A
A
F
But
yeah
like
I,
mean
obviously
like
I'm.
This
is
very
much
a
draft.
Please
make
whatever
changes.
You
want
I
thought
in
the
comments.
Keith
danger
danger:
danger,
they're,
not
pronounce
that
sorry
said
something
about
like
trusted
reviewer,
and
that
is
also
a
bit
like
in
the
spirit
exactly
about
what
a
triager.
D
O
F
This
looks
good,
but
then
exactly
maintainer
would
actually
need
to
go
and
actually
give
the
final
walk
clear.
So
that
is
very
much
the
spirit
of
triage
which,
by
the
way
is
a
word
I
am
absolutely
not
in
love
with.
So
if
anyone
has
a
better
name
than
triage
or
perhaps
trusted
reviewer,
that
would
be
great.
F
F
The
next
step
is
next
thing
that
we
have,
that
we
would
like
to
talk
about.
Is
the
scorecards
score
viewer?
That
is
that
you
see
that
co-monitor
is
suggesting
is
like
saying,
they'd
be
willing
to
donate
to
scorecards
scorecard.
Somebody
could
use
that
and
like.
That
is
something
that
we
would
really
like
to
see
happen,
and,
let's
put
it
this
way,
the
sooner
the
better
in
terms
that
the
sooner
it
gets
done,
the
fewer
badges.
F
We
then
need
to
modify
to
point
to
the
correct
URL,
so
I
mean
like,
as
everyone
says,
in
the
comments
like
it's,
it's
a
really
Nifty
tool
and
so
being
able
to
get
that
legibility
instead
of
the
current
Json
dump
that
you
get
from
the
the
badge
would
be
really
nice
and
the
sooner
we
get.
We
get
that
the
quicker
that
we
have
to
end
the
go
South
Korean
team
can
submit
a
bunch
of
PR's
helping
projects,
have
cleaner
badges.
L
One
quick
question
I
had
like:
if
the
people
working
on
the
monitor,
if
we're
just
waiting
for
them
to
send
a
PR,
is
it
clear
that
they
have
the
the
green
light
to
do
so
or
are
they
still
waiting
for?
Any
sort
of
confirmation
from
us
just
want
to
make
sure
that
it's
not
lost
on
their
side,
but
they
know
that
we're
ready
to
accept
it.
A
N
Okay
yeah
so,
as
Peter
said,
our
team
that
goes
substant
stream,
Works
simultaneous
recommend
them
score
cards
and
Skipper
and
security
enhancements,
and
we
have
like.
We
have
lots
of
feedbacks
and
like
contacts
with
flaws,
some
flaws
of
security
of,
and
we
for
the
next
month's
quieter.
Maybe
we
are
looking
forward
to
contribute
more
to
scorecard
to
help
the
two
enhance
and
like
be
like
better
to
the
maintainers
as
well.
N
So
we
have
came
up
with
a
list
of
like
issues
that
we
want
to
contribute
with
and
that
we
we
believe
like
there
might
be
priority
to
import
to
improve
the
satisfaction
of
the
maintenance
in
general,
so
like,
please
feel
free
to
take
a
look
and
give
some
any
tweaks
or
opinions
on
the
list.
I
brought
up
some
the
first
three
of
them
like
first
one
is
actually
the
the
topic
that
have
have
brought
up
at
the
beginning
of
the
meeting,
so
it
was
already
covered.
N
The
second
one
just
open
my
laptop
here,
because
I
can
see
on
the
screen
yeah
the
next
one
like
if
the
token
permissions
check
recently
there,
there
was
a
PR
that
made
the
job
level
rights
permissions
like
write,
content
permission,
not
decrease
the
score
of
a
project,
but
it
didn't
change
the
the
square
decreased
for
low
risk
permissions
So.
Currently,
the
high
risk
job
level.
Permissions
are
not
being
Point
punished,
but
the
low
risk
permissions
in
job
level
are
being
punished.
N
I
might
I
will
bring
up
the
discussion
on
the
issue
about
rather
not
punishing
at
all
or
like
decreasing
a
very
low
points.
For
example,
if
there
is
a
action
being
called
with
not
hash
pin
not
actual
an
action,
not
hash
pinned
but
call
with
with
permission,
if
we
can,
on
the
independencies
check,
decrease
the
score
like
for
I,
don't
know
half
a
point
or
0.1
I.
N
Don't
or
just
not
decreased
at
all,
I
I
will
bring
up
this
discussion,
but
I
I
think
this
should
be
straightforward
to
there's
a
lot
of
noise
from
the
maintenance,
not
nice,
but
like
disagreements
of
having
low
low
low
points
in
pin
dependencies
when
having
hash
pinned
on
action
that
have
only
read.
Permissions
doesn't
encourage
much
of
the
security.
So
that's
also
an
important
point.
N
L
Quick
question
I
remember
there
was
there
was
some
maintainers
who
also
wanted,
who
didn't
see
the
value
of
scorecard
Beyond,
just
fixing
the
things
and
they
were
asking
for
PR
support
in
the
action.
I
was
just
wondering
if
this
is
still
something
that
you've
found
or
or
do
you
think
it's
not
something
we
need
to
prioritize.
O
Yeah
many
many
maintainers
are
really
interested
in
PR
support
because
they
don't
see
much
value
on
just
being
notified
about
the
score
decrease
after
the
the
pair
were
the
pair
was
merged,
so
they
are
really
interested
in
that.
It
is
also
in
our
priority
issues,
but
we
choose
to
prioritize
the
ones
that
are
affecting
their
scores
and
they
are
really
upset
about
it
yeah.
So
this
is
something
they
are
interested,
but
not
really
upset.
F
C
J
J
Like
an
an
opinionated
implementation
or
something
also
I,
feel
like
we're
pretty
flexible
with
like
scoring,
and
we
can
like
adjust
more
over
time
but
yeah,
maybe
it
just
like
needs
more
like
opinions
or
something
or
like
more
like,
like
just
like
a
a
opinionated
stance
on.
Why,
like
one
of
those,
is
superior
and
like
why-
and
it
should
just
like
be
in
the
issue
and
it's
like
gets
like
a
thumbs
up
and
then
it
can
be
implemented.
C
J
D
L
L
F
L
So
I
guess
I
might
be
repeating
what
we
said
at
the
previous
at
the
previous
meeting.
I
was
wondering:
how
do
we?
How
do
we
figure
out
if
it's,
if
the
project
is
a
library
and
therefore
has
so
sorry
if
the
project
is
a
is
an
application
and
therefore
needs
an
s-bomb,
because
I
think,
as
we
said
before,
like
libraries
do
not
need
an
s-bomb
I.
L
L
N
D
L
L
Okay,
so
that
that
would
be
the
use
case,
but
then
it's
it's
Like
My
worry
is
that
we're
gonna,
ask
let's
say:
there's
10
of
libraries
that
do
this.
How
do
we
like
for
libraries
that
don't
do
this?
Are
we
expecting
an
MTS
Bond
or
like
or
an
esbom
that
says,
I
don't
have
any?
Is
there
a
concept
of
MTS
bomb,
I?
Guess.
L
M
I
think
you
do
see
the
same
phenomenon
against
Python
and
and
even
Java,
to
some
extent
where
the
the
actual
determination
of
what
version
is
picked
is
dependent
on
all
the
other
dependencies
in
the
project,
and
then
package
manager
makes
the
best
choice
of
what
version
to
pick
beep.
You
know,
based
on
the
specified
versions.
M
I
think
it
might
might
be
some
opportunity
to
like
take
this
to
the
Cyclone,
DX
working
group
and
and
perhaps
spdx
and
see,
if
there's
maybe
a
different
specification
for
Library
bombs,
where
you
could
have
that
version
range
specified,
because
I
I
do
think.
There's
value
to
having
a
library,
s-bomb,
but
I
fully
get
the
point
that
that
does
not
specify
the
exact
version,
which
is
very
important
from
a
vulnerability
perspective,
especially.
G
L
L
A
broad
question
is,
is:
are
the
GitHub
release
assets
the
right
way
to
ask
people
to
put
their
s-bomb
or
not
because
a
lot
of
projects
upload
like
to
they
publish
to
say
the
npm
registry
and
it
looks
like
a
better
place
to
have
an
s-bomb-
is
over
there
because
that's
where
you
download
your
application
from
so
that's
where
also
npm
has
the
salsati
station
today.
So
if
there
were
any
kind
of
s-bomb,
would
it
would
it
be
more
like?
L
G
But
there's
a
difference
between
the
GitHub
repository,
the
git
repository,
which
I
do
not
think
should
have
the
s-bomb
versus
github's
release
notion
when
you
make
a
GitHub
release.
I
do
think
that
that
should
have
the
s-bomb
for
that
release,
but
I
will
take.
I
will
take
that
to
the
working
group
and
ask
them
if
they
have
guidance,
there's
nothing
to
say
that
you
so
in
one
of
the
libraries
that
I
maintain
I
upload
my
s-bomb
to
Maven
and
I.
Do
not
put
it
in
GitHub
releases
because.
K
G
L
Yeah
but
I
guess
it's
still
something
that
open
ssf
should
kind
of
see
what
to
prioritize,
because
if
the
consumption
happens
happens
at
you
know,
dbn
is
recompiling
everything
they
have
the
s-bomb
for
everything.
Container
images
know
what
they
are
compiling.
They
can
generate
an
S1
and
package
managers,
all
the
entry
pointers,
so
what
we
download.
L
So
if
the
end,
if
we
want
to
be
there
in
two
years
from
now
like
I,
think
the
open
ssf
should
take
a
call
to
say
that
we're
going
to
spend
and
prioritize
those
Avenues
rather
than
saying
put
it
in
your
GitHub
release,
assets
which
I'm
not
saying
is,
is
bad
per
se.
But
it's
it's
not
going
to
have
the
impact
that
we
could
have.
If,
if
we,
if.
L
If
we,
if
we
actually
prioritize
instead
of
just
saying,
let's
ask
everyone
to
to
write
an
s-bomb
which
you
know
nobody
is
going
to
do
and
who
is
going
to
consume
it
I
guess
the
consumption
problem
is.
My
question
is
like
today
on
salsa
we
ask
people
to
put
the
salsa
attestation
in
the
GitHub
release.
L
G
Download
something
from
apt
and
then
also
look
at
its
as
pump
to
validate
it
like
there's
a
there's,
a
whole
line
of
tooling.
That
will
need
to
be
built
to
facilitate
that
and
I'm,
not
saying
we
we
put
a
stake
in
the
ground
and
say:
GitHub
releases
are
the
only
way
that
you
can
ever
put
out
an
s-bomb
I'm,
just
saying
that
that's
a
like
there's
prior
art
people
do
that
today,
like
that's
the
that's
an
easy
place
to
start
and
if
we
want
to
go
through
and
do
more
with
the
package
managers
themselves.
D
G
J
J
I
recall
we
we
do
do
some
kind
of
like
ecosystem,
specific
checks
or
or
like
we.
We
we
we
can
navigate
to
package
repositories
across
like
multiple
ecosystems.
I
think
this
is
just
when
you're
specifying
the
project
that
you
want
to
scan
as
like
a
in
the
CLI.
So
maybe
there's
like
you,
you
can
like
Implement,
One,
s-bomb
Source
and
then
leave
it
like
leave
it
open
in
the
architecture,
to
like
add
other
places,
to
search
for
S
bombs
or
something
in.