►
From YouTube: Scorecards Biweekly Sync (June 1, 2023)
A
A
D
E
A
It
seems
like
it's
probably
close
to
a
quorum
to
get
going
so
I'll
kick
us
off,
so
hi
everybody,
I'm,
Jeremy,
Katz
I'm,
with
tidelift
I've
volunteered
to
be
the
facilitator
for
today.
At
the
end
of
this
meeting,
we'll
ask
for
somebody
to
facilitate
the
next
meeting
in
two
weeks.
So
you
too
can
do
this.
A
If
you
would
like
in
two
weeks,
I
think
that
if
there's
anybody,
who's
new
who
hasn't
joined
here
before
and
wants
to
do,
an
intro
feel
free
to
unmute
and
do
so.
F
F
Of
adding
some
things
to
the
minutes
that
we'd
like
to
talk
to
a
bit
later
and
so
yeah,
we
were
basically
a
team
that
we're
Google
employees
and
we
work
full-time
on
external
contributions,
so
basically
helping
other
projects
improve
their
supply
chain.
Security
and
scorecard
is
basically
the
tool
that
we
use
to
do
this,
so
our
work
is
both
trying
to
improve
scorecard
adoption
type.
The
scorecard
action,
for
example,
for
repositories
and
also
simply
suggesting
supply
chain
improvements
in
all
the
Myriad
ways.
A
H
Oh
thanks,
Jeremy
yep,
so
I'm
Josh,
Clements
I'm
I
work
on
an
osbo
at
Analog.
Devices
I
was
lucky
enough
to
stumble
into
the
open
ssf
day
at
open
source,
Summit
North
America.
This
is
past
month
and,
like
I,
made
the
mistake
of
telling
my
company
that
I
went
and
they're
like
cool
go.
Do
more
of
that
I
am
starting
to
see
some
familiar
faces,
since
I
am
doing
more
of
that,
but
I'm
still
going
to
continue
to
get
as
much
mileage
as
I
can
out
of
that
joke.
H
So
I
am
I'm
happy
to
be
here
specifically
we're
we're
looking
at
implementing
the
school
card
processes
at
at
ADI.
So
I
am
very
interested
in
what
we're
going
to
be
talking
about
here.
A
I
Yeah
I
do
that
on
there
I
wanted
to
give
an
FYI
to
everybody
to
check
the
or
the
scorecard
people
have
access
to
see
who
who
has
access
to
scorecard
and
the
other
GitHub
repos.
I
A
lot
of
people
are
taken
off
of
admin,
which
means
you
can
actually
see
what
the
collaborator
settings
are
on.
The
repos
I
think
scorecard
folks
added
your
own
admin.
Repo
I
had
to
have
an
All-Star
admin.
I
mean
admin,
team
added,
so
yeah,
just
an
FYI
to
double
check
that
any
GitHub
settings
and
permissions
are
correct.
The
right
people
have
access
that
they
should
have
or
shouldn't
have
yeah.
That's
it
for
that.
B
Yeah
thanks
Jeff,
the
scorecard
repo
I
think
had
a
team-based
approach
ahead
of
time.
So
I
don't
think
our
access
changed
much,
but
I
will
double
check.
A
Yeah
I
saw
some
of
that
I.
Don't
remember,
it
was
on
slack
or
email
because
they
kind
of
blend
together
some
days
for
other
open
ssf
projects.
So
good
call
out
thanks,
Joe
next
up
code
review,
proportional
exploring
changes.
J
Hi
this
this
is
me
so
the
pr
that
is
being
referred
to
is
here,
but
code
review
changed
to
leveled
scoring
last
year,
and
the
idea
is
that,
instead
of
having
kind
of
like
All
or
Nothing,
meaning
like
any
unreviewed
commits
or
pull
requests
that
are
immersion
to
main
kind
of
count
as
much
as
having
like
no
reviews
that
that's
what
level
scoring
meant,
we
would
just
kind
of
go
back
to
proportional
scoring,
meaning
like
the
number
of
unreviewed
PRS
that
you
have
is
proportional.
J
Your
score
is
proportional
to
the
inverse
of
that
more
the
more
reviewed
PRS.
You
have,
the
better
your
score
and
the
probably
the
the
only
change
now
from
status
quo
before
that
is
that
there's
only
activity
by
like
like
automated
activity,
we
just
kind
of
erase
that
there's
insufficient
data
to
give
a
scorecard
score.
So
I
think
most
leaders
like
maintainer
alignment
on
this,
but
or
like
on
on
the
general
approach
and
maybe
like
a
few
edge
cases
that
need
to
be
figured
out.
J
But
this
will
probably
this
will
probably
be
the
change
that
we
are
like
something
like
this
is
what
we
will
arrive
at
soon
after
this
PR
is
merged,
so.
J
To
give
that
as
a
heads
up
and
ask
if
anyone
has
any
comments
or
thoughts.
K
B
Foreign
I
think
my
opinion,
I
left
on
the
pr.
In
terms
of
you
know,
the
revert
is
good,
is
just
kind
of
one
of
those
edge
cases
you're
talking
about
so
yeah,
just
needing
consensus
between
you
and
I
and
then
Naveen
and
some
of
the
other
maintainers.
L
D
J
J
J
Like
the
percentage
of
reviewed.
B
J
Of
out
of
total
yeah,
it's
not
like
you
start
at
10
and
then
and
then
deduct
yeah.
D
B
Yeah
so
I
I'm
working
on
a
testing
tool
that
will
help
sort
of
run
scorecard
against
like
an
a
known
set
of
repos
and
then
with
a
proposed
change,
re-running
it
and
then
doing
a
comparison.
B
So
that's
something
I've
mentioned
probably
a
month
ago,
at
this
point,
I
I
have
a
design
document
that
I
I'm
working
on
and
will
be
bringing
towards
the
meeting
when
it's
ready.
It's
just
not
quite
there.
Yet.
A
K
Great
just
a
quick
update
in
anticipation
of
of
some
of
our
git
lab
support,
getting
closer
to
launching
I,
wanted
to
just
make
sure
that
the
message
of
what
we're
providing
connects
with
everyone
who
might
be
interested
so
I
wrote
a
short
Doc
I'm,
getting
some
feedback
first
from
folks
directly
involved
in
the
project
and
then
I'm
gonna
make
sure
to
share
that
out
with
the
broader
group.
K
I
want
to
let
everyone
know,
so
it
doesn't
feel
like
a
random
document
that
shows
up
at
some
point
and
then
I
also
just
wanted
to
say.
I
I
think
that
as
I
started
putting
this
together,
it
starts
opening
up
the
door
to
the
larger
conversation
of
how
we
want
to
version
different
releases.
I.
Don't
think
that's
really
in
scope
for
for
this,
but
I
think
it's
a
topic
for
the
future
too,
that
I'll
I'll
be
bringing
back.
A
F
Yeah,
so
that
is
what
it
sounds
like
one
thing
that,
like
we
think
that
would
be
pretty
good
for
scorecards
and
honestly
other
open
ssf
projects
as
well
would
be
having
a
contributor
ladder.
So
there's
already
an
open
issue
for
that,
and
so
we
actually
already
came
up
with
a
quick
draft
of
what
we
would
like
to
see.
I
don't
know,
and
it's
heavily
based
on
six
doors
ladder.
They
they
have
one.
F
So
we
made
some
changes
on
top
of
it,
but
something
just
to
to
check
out
and
I
shared
it
as
a
as
a
Google
doc.
Just
because
it's
like
for
this
sort
of
thing,
I
think
it's
been
easier
to
collaborate,
but
obviously,
if
everyone
prefers,
we
can
obviously
send
this
over
as
a
PR
instead,
and
the
dock
is
currently
written
like
as
a
like
overall
open,
ssf
contribution
ladder.
F
F
F
I,
my
intent
is
to
get
this
with,
as
with
whoever
wants
it.
So
if
there
is
appetite
in
with
the
open
ssf,
then
we'd
be
him
and
then
that'd
be
great,
and
if
not,
if,
where
people
want
to
do
it
different
ways.
F
E
I
think
it
makes
a
lot
of
sense.
I
would
suggest
somebody
either
yourself
or
somebody
here,
get
it
on
a
future
attack
agenda
or
or
go
ahead
and
open
an
issue
in
the
tax
repo
and
and
propose
this
for
for
a
attack
agenda.
Conversation
at
some
point.
I
I
I'll
make
some
comments,
but
one
thing
I
think
is
good,
given
that
I
was
just
messing
with
all
the
GitHub
teams
is
yeah
like
be
really
clear,
at
least
for
the
one
that
scorecard
adopts,
which
level
reflects
to
which
team
and
and
what
what
permissions
that
gives
you
I
do
see
that
there
are
some
like
defined
by
and
privileges
here.
So
that's
good,
so
yeah
I'd
be
explicit.
There.
I
I
And
one
kind
of
like
General
thing,
I'm
getting
as
I.
Look
here
not
specific
to
any
line
or
anything
is
you
know,
there's
three
main
levels
here:
Community
member
triage
or
maintainer.
I
I
You
know
the
the
pr
writer
can
can
care,
but
they
don't
actually
go
towards
like
the
approvals
needed
to
merge
a
PR,
so
I
honestly,
I
think
there's
like
should
be
two
levels
at
right,
access
or
right
and
above
one,
that's
like
the
probably
representative
of
the
current
maintainers
and
what
you
have
here
and
then
a
level
that
has
right
access
and
the
ability
to
approve,
review
and
approve
PRS,
but
not
necessarily
like
set
the
direction
of
the
project
or
be
a
core
maintainer.
I
So
that
might
be
a
tweak
to
to
do.
Here
is
kind
of
have
the
Community
member
contributor
level
as
the
lower
one.
The
middle
one
be.
Somebody
who
works
on
the
project
approves
PR's
messes
with
issues
and
then
the
the
maintainers
is
the
ones
that
set
the
direction.
F
I
mean
that
makes
perfect
sense.
Just
like
one
question,
though,
and
the
scorecard
maintainers
will
obviously
be
able
to
answer
this
better
than
I
could
also
Imagine
is
how
much
of
a
workload
is
just
handling
the
PRS
and
handling
the
issues
and
answering
all
the
issues,
because
the
triage
role
does
not
have
shall
we
say,
contents
right
permissions,
but
they
do
have
issues
right
permissions
and
that
they
can
close
or
reopen
issues
the
label
issues
they
can
label
PR's.
They
can
close
PRS
again
to
prove
them
or
merge
them,
but
they
can.
K
F
B
Foreign
yeah
so
like
we
get
a
lot
of
issues
and
more
issues
than
you
know,
we
can
work
on
so
just
triaging
in
general
would
help
and
a
lot
of
the
times
when
we
get
external
contributions,
it
you
know,
makes
sense
to
have
you
know
a
maintainer
have
the
final
say,
but
there's
a
lot
of
little
stuff
like
oh,
you
edited
this
readme
without
the
underlying
yaml
that
we
use
to
generate
it.
B
So,
like
there's
a
lot
of
first
past
review,
that
would
still
be
beneficial,
even
if
they,
the
review,
couldn't
make
it
all
the
way
through
or
like
be
good
enough.
It
would
still,
at
least
for
me,
take
some
cognitive
load
off,
but.
N
Another
point
that
I
I
see
is
like
the
three
Ager
could
be
kind
of
a
way
to
get
to
be
a
maintainer
so
you'll.
By
being
a
treasure,
you
will
like
you,
get
to
know
a
lot
of
issues.
Label
them
and
get
them
are
like
knowledge
of
the
the
the
repository
and
they'll
like
make
it
make
it
a
easier
path
to
become
a
maintainer
as
well.
It's
kind
of
in
the
middle
of
the
way.
A
In
some
cases,
it
certainly
is
the
unwramped
to
bigger
contributions
in
a
lot
of
other
cases.
They're
there
there
is
a
large
set
of
folks
out
in
the
world
who
actually
just
really
enjoy
doing
sort
of
that
triage
sort
of
that
that
grooming
of
kind
of
I
always
think
about
bugzilla
grooming
for
Mozilla
back
in
the
day,
or
you
know
that
there
was
actually
a
pretty
strong
community
of
folks
who
were
focused
purely
on
just
the
like
triage,
getting
rid
of
the
things
that
are
noise.
Saying
that
things
are.
A
You
know
out
of
scope
and
some
stuff
like
that
without
in
some
cases,
even
being
developers.
So,
like
that's
actually
one
of
the
nice
things
about
a
triage
role
in
my
experience,
but.
A
F
But
yeah
like
I,
mean
obviously
like
I'm.
This
is
very
much
a
draft.
Please
make
whatever
changes.
You
want
I
thought
in
the
comments.
Keith
danger
danger:
danger,
they're,
not
pronounce
that
sorry
said
something
about
like
trusted
reviewer,
and
that
is
also
a
bit
like
in
the
spirit
exactly
about
what
a
triager.
D
F
Be
is
you
know
they
can
take
exactly
that
first
pass
review
and
they
can
say.
O
F
This
looks
good,
but
then
exactly
maintainer
would
actually
need
to
go
and
actually
give
the
final
walk
clear.
So
that
is
very
much
the
spirit
of
triage
which,
by
the
way
is
a
word
I
am
absolutely
not
in
love
with.
So
if
anyone
has
a
better
name
than
triage
or
perhaps
trusted
reviewer,
that
would
be
great.
F
F
The
next
step
is
next
thing
that
we
have,
that
we
would
like
to
talk
about.
Is
the
scorecards
score
viewer?
That
is
that
you
see
that
co-monitor
is
suggesting
is
like
saying,
they'd
be
willing
to
donate
to
scorecards
scorecard.
Somebody
could
use
that
and
like.
That
is
something
that
we
would
really
like
to
see
happen,
and,
let's
put
it
this
way,
the
sooner
the
better
in
terms
that
the
sooner
it
gets
done,
the
fewer
badges.
F
We
then
need
to
modify
to
point
to
the
correct
URL,
so
I
mean
like,
as
everyone
says,
in
the
comments
like
it's,
it's
a
really
Nifty
tool
and
so
being
able
to
get
that
legibility
instead
of
the
current
Json
dump
that
you
get
from
the
the
badge
would
be
really
nice
and
the
sooner
we
get.
We
get
that
the
quicker
that
we
have
to
end
the
go
South
Korean
team
can
submit
a
bunch
of
PR's
helping
projects,
have
cleaner
badges.
F
Yeah,
okay
looks
perfect,
that's
really
happy
to
hear
and
now
I
think
Joe
was
going
to
just
talk
about
some
issues
that
we've
had
that
we'd
like
to
point
out.
L
One
quick
question
I
had
like:
if
the
people
working
on
the
monitor,
if
we're
just
waiting
for
them
to
send
a
PR,
is
it
clear
that
they
have
the
the
green
light
to
do
so
or
are
they
still
waiting
for?
Any
sort
of
confirmation
from
us
just
want
to
make
sure
that
it's
not
lost
on
their
side,
but
they
know
that
we're
ready
to
accept
it.
B
I
I
believe
I
left
an
ish
or
a
comment
saying:
go
ahead,
but
I
I
can
confirm
or
ping.
A
Yeah
also
I
just
got
a
text
and
need
to
go.
Do
a
kid
pickup.
So
could
someone
pick
up
a
facilitating
for
the
last
little
bit.
J
Yeah
yeah:
let's
do
the
priority
issues.
N
Okay
yeah
so,
as
Peter
said,
our
team
that
goes
substant
stream,
Works
simultaneous
recommend
them
score
cards
and
Skipper
and
security
enhancements,
and
we
have
like.
We
have
lots
of
feedbacks
and
like
contacts
with
flaws,
some
flaws
of
security
of,
and
we
for
the
next
month's
quieter.
Maybe
we
are
looking
forward
to
contribute
more
to
scorecard
to
help
the
two
enhance
and
like
be
like
better
to
the
maintainers
as
well.
N
So
we
have
came
up
with
a
list
of
like
issues
that
we
want
to
contribute
with
and
that
we
we
believe
like
there
might
be
priority
to
import
to
improve
the
satisfaction
of
the
maintenance
in
general,
so
like,
please
feel
free
to
take
a
look
and
give
some
any
tweaks
or
opinions
on
the
list.
I
brought
up
some
the
first
three
of
them
like
first
one
is
actually
the
the
topic
that
have
have
brought
up
at
the
beginning
of
the
meeting,
so
it
was
already
covered.
N
The
second
one
just
open
my
laptop
here,
because
I
can
see
on
the
screen
yeah
the
next
one
like
if
the
token
permissions
check
recently
there,
there
was
a
PR
that
made
the
job
level
rights
permissions
like
write,
content
permission,
not
decrease
the
score
of
a
project,
but
it
didn't
change
the
the
square
decreased
for
low
risk
permissions
So.
Currently,
the
high
risk
job
level.
Permissions
are
not
being
Point
punished,
but
the
low
risk
permissions
in
job
level
are
being
punished.
N
So
this
is
a
a
issue
that
described
that,
and
this
should
be
our
priority
to
to
solve
the
second
one
that
I
am
already
assigned
to
work
on
is
to
allow
unpin
dependencies,
while
the
the
action
is
called
only
with
read
permissions.
N
I
might
I
will
bring
up
the
discussion
on
the
issue
about
rather
not
punishing
at
all
or
like
decreasing
a
very
low
points.
For
example,
if
there
is
a
action
being
called
with
not
hash
pin
not
actual
an
action,
not
hash
pinned
but
call
with
with
permission,
if
we
can,
on
the
independencies
check,
decrease
the
score
like
for
I,
don't
know
half
a
point
or
0.1
I.
N
Don't
or
just
not
decreased
at
all,
I
I
will
bring
up
this
discussion,
but
I
I
think
this
should
be
straightforward
to
there's
a
lot
of
noise
from
the
maintenance,
not
nice,
but
like
disagreements
of
having
low
low
low
points
in
pin
dependencies
when
having
hash
pinned
on
action
that
have
only
read.
Permissions
doesn't
encourage
much
of
the
security.
So
that's
also
an
important
point.
N
Yeah,
that's
all
just
wanted
to
bring
this
list
and
make
sure
guys
can
follow.
Follow
up
with
this.
L
Quick
question
I
remember
there
was
there
was
some
maintainers
who
also
wanted,
who
didn't
see
the
value
of
scorecard
Beyond,
just
fixing
the
things
and
they
were
asking
for
PR
support
in
the
action.
I
was
just
wondering
if
this
is
still
something
that
you've
found
or
or
do
you
think
it's
not
something
we
need
to
prioritize.
O
Yeah
many
many
maintainers
are
really
interested
in
PR
support
because
they
don't
see
much
value
on
just
being
notified
about
the
score
decrease
after
the
the
pair
were
the
pair
was
merged,
so
they
are
really
interested
in
that.
It
is
also
in
our
priority
issues,
but
we
choose
to
prioritize
the
ones
that
are
affecting
their
scores
and
they
are
really
upset
about
it
yeah.
So
this
is
something
they
are
interested,
but
not
really
upset.
F
C
Next,
actually
can
I
make
like
just
one
more
Point
Pedro.
Would
it
be
is
for
like
if
we
raise
some
peers
like
to
solve
some
of
these
issues,
if
we
bring
it
here
to
discuss
first
or
like
discuss
after
we
create
a
beer,
so
we
can
have
like
a
review
or
discuss
some
points
during
the
meeting.
J
Yeah
like,
for
example,
for
the
token
permissions
one
it's
still
like,
maybe
like
which,
like
so
yeah
like
not
not
penalizing
I
I,
think
the
problem
is
like
accurately
defined,
but
maybe
like
there's
like
complexity
in
how
we
would
how
we
would
like
go
about
scoring
it
like.
J
Book
like
just
like
a
flat
flat
score
depending
on
whether
permissions
are
like
too
broadly
scoped
at
the
workflow
level
or
like
narrowly
scoped
at
the
job
level.
Yeah,
maybe
that
it
just
like
needs.
J
Like
an
an
opinionated
implementation
or
something
also
I,
feel
like
we're
pretty
flexible
with
like
scoring,
and
we
can
like
adjust
more
over
time
but
yeah,
maybe
it
just
like
needs
more
like
opinions
or
something
or
like
more
like,
like
just
like
a
a
opinionated
stance
on.
Why,
like
one
of
those,
is
superior
and
like
why-
and
it
should
just
like
be
in
the
issue
and
it's
like
gets
like
a
thumbs
up
and
then
it
can
be
implemented.
C
That
make
sense,
yeah
sure
so
we'll
describe
well
in
the
issues
and
bring
it
here
to
make
sure
if
it
does
not
like
receive
a
thumbs
up
they're
like
you're,
taking
a
look
at
it.
So
we
can
discuss
with
all
of
you
if
that's
like
okay
to
implement
or
if
we
should
do
some
fixes
in
the
in
the
idea,
cool.
J
Kind
of
like,
as
long
as
her
permission
is
at
at
a
at
a
job
level
like
and
it's
the
right
permission
it.
It
just
seems
like
not
not
as
not
as
bad,
because
people
will
need
need,
write
permissions
in
in
jobs,
but
we
should
just
like
discourage
top
top
level
write
permissions.
So.
D
J
Like
just
a
a
a
leveled
like
score,
makes
sense
to
me,
which
I
think
is
like
the
second
option
that
you've
that
you've
described
something
yeah
yeah.
L
I
have
a
quick
question
on
the
second
on
the
PIN
dependencies,
so
unprivileged
workflows,
so
basically
I
guess
the
only
contentious
issue.
There
is
like
pull
request.
L
So
if
you
get
a
pull
request
from
a
remote
report-
and
it's
read
by
default,
so
so
you're
safe,
but
sometimes
pull
requests
also
can
come
from
internal
contributors
and
doing
it
on
like
a
local
branch
on
the
same
repo.
So
are
we
going
to
force
people
to
also?
F
Exactly
yeah,
as
far
as
I
know,
there's
no
way
to
distinguish
if,
like
a
project,
forbids
branches
or
Branch
PR's.
Therefore,
yeah
like
pull
requests,
will
need
to
have
permissions
permissions
really
yeah
top
level.
F
And-
and
they
also
naturally
can't
have
secrets
either
because
contents
read
along
with
Secrets
also,
but
it
wouldn't
be
safe,
so
it
have
to
be
contents
read
and
the
job
can't
have
secrets.
G
It
appears
as
though
it's
pretty
unambiguous
to
determine
if
GitHub
actions
are
being
generated
in
that
way,
though,
certainly
that's
not
the
only
way
that
s-bombs
can
be
generated
so
there's
a
fairly
straightforward
way
to
Ensure
to
detect
whether
or
not
s-bombs
are
being
created,
which
is
one
of
the
two
proposed
criteria
that
we
judge
this
s-bomb
section
on
the
second
one
is
the
quality
of
those
s-bombs
which
requires
us
to
be
able
to
find
out
where
they
ended
up.
G
G
L
So
I
guess
I
might
be
repeating
what
we
said
at
the
previous
at
the
previous
meeting.
I
was
wondering:
how
do
we?
How
do
we
figure
out
if
it's,
if
the
project
is
a
library
and
therefore
has
so
sorry
if
the
project
is
a
is
an
application
and
therefore
needs
an
s-bomb,
because
I
think,
as
we
said
before,
like
libraries
do
not
need
an
s-bomb
I.
L
L
N
D
L
L
Okay,
so
that
that
would
be
the
use
case,
but
then
it's
it's
Like
My
worry
is
that
we're
gonna,
ask
let's
say:
there's
10
of
libraries
that
do
this.
How
do
we
like
for
libraries
that
don't
do
this?
Are
we
expecting
an
MTS
Bond
or
like
or
an
esbom
that
says,
I
don't
have
any?
Is
there
a
concept
of
MTS
bomb,
I?
Guess.
L
M
I
think
you
do
see
the
same
phenomenon
against
Python
and
and
even
Java,
to
some
extent
where
the
the
actual
determination
of
what
version
is
picked
is
dependent
on
all
the
other
dependencies
in
the
project,
and
then
package
manager
makes
the
best
choice
of
what
version
to
pick
beep.
You
know,
based
on
the
specified
versions.
M
I
think
it
might
might
be
some
opportunity
to
like
take
this
to
the
Cyclone,
DX
working
group
and
and
perhaps
spdx
and
see,
if
there's
maybe
a
different
specification
for
Library
bombs,
where
you
could
have
that
version
range
specified,
because
I
I
do
think.
There's
value
to
having
a
library,
s-bomb,
but
I
fully
get
the
point
that
that
does
not
specify
the
exact
version,
which
is
very
important
from
a
vulnerability
perspective,
especially.
G
L
L
A
broad
question
is,
is:
are
the
GitHub
release
assets
the
right
way
to
ask
people
to
put
their
s-bomb
or
not
because
a
lot
of
projects
upload
like
to
they
publish
to
say
the
npm
registry
and
it
looks
like
a
better
place
to
have
an
s-bomb-
is
over
there
because
that's
where
you
download
your
application
from
so
that's
where
also
npm
has
the
salsati
station
today.
So
if
there
were
any
kind
of
s-bomb,
would
it
would
it
be
more
like?
L
Would
it
make
more
sense
to
have
it
on
the
registries
rather
than
on
the
on
the
git?
On
the
on
the
repository
I
guess,
my
argument
is
more
like
my
gut
feeling.
Is
that
even
for
applications,
a
lot
of
people
do
not
consume
application
from
a
GitHub
project.
G
But
there's
a
difference
between
the
GitHub
repository,
the
git
repository,
which
I
do
not
think
should
have
the
s-bomb
versus
github's
release
notion
when
you
make
a
GitHub
release.
I
do
think
that
that
should
have
the
s-bomb
for
that
release,
but
I
will
take.
I
will
take
that
to
the
working
group
and
ask
them
if
they
have
guidance,
there's
nothing
to
say
that
you
so
in
one
of
the
libraries
that
I
maintain
I
upload
my
s-bomb
to
Maven
and
I.
Do
not
put
it
in
GitHub
releases
because.
K
G
L
Yeah
but
I
guess
it's
still
something
that
open
ssf
should
kind
of
see
what
to
prioritize,
because
if
the
consumption
happens
happens
at
you
know,
dbn
is
recompiling
everything
they
have
the
s-bomb
for
everything.
Container
images
know
what
they
are
compiling.
They
can
generate
an
S1
and
package
managers,
all
the
entry
pointers,
so
what
we
download.
L
So
if
the
end,
if
we
want
to
be
there
in
two
years
from
now
like
I,
think
the
open
ssf
should
take
a
call
to
say
that
we're
going
to
spend
and
prioritize
those
Avenues
rather
than
saying
put
it
in
your
GitHub
release,
assets
which
I'm
not
saying
is,
is
bad
per
se.
But
it's
it's
not
going
to
have
the
impact
that
we
could
have.
If,
if
we,
if.
L
If
we,
if
we
actually
prioritize
instead
of
just
saying,
let's
ask
everyone
to
to
write
an
s-bomb
which
you
know
nobody
is
going
to
do
and
who
is
going
to
consume
it
I
guess
the
consumption
problem
is.
My
question
is
like
today
on
salsa
we
ask
people
to
put
the
salsa
attestation
in
the
GitHub
release.
L
G
Download
something
from
apt
and
then
also
look
at
its
as
pump
to
validate
it
like
there's
a
there's,
a
whole
line
of
tooling.
That
will
need
to
be
built
to
facilitate
that
and
I'm,
not
saying
we
we
put
a
stake
in
the
ground
and
say:
GitHub
releases
are
the
only
way
that
you
can
ever
put
out
an
s-bomb
I'm,
just
saying
that
that's
a
like
there's
prior
art
people
do
that
today,
like
that's
the
that's
an
easy
place
to
start
and
if
we
want
to
go
through
and
do
more
with
the
package
managers
themselves.
D
G
But
I
I
will
go
to
the
the
two
working
groups
just
to
be
clear.
Those
are.
G
The
s-bomb
everywhere
group
and
the
repositories
group
and
I
will
I
will
ask
them.
Do
we
recommend
that
libraries
have
s-bombs?
What
do
we
do
about
unresolved
dependencies
and
is
GitHub
releases
the
correct
place
to
look
for
s-bombs,
or
should
it
be
in
the
package
repositories
or
both.
J
J
Exactly
I
believe
we
have
some
kind
of
or
sorry
no,
not
maybe
not,
packaging.
J
I
recall
we
we
do
do
some
kind
of
like
ecosystem,
specific
checks
or
or
like
we.
We
we
we
can
navigate
to
package
repositories
across
like
multiple
ecosystems.
I
think
this
is
just
when
you're
specifying
the
project
that
you
want
to
scan
as
like
a
in
the
CLI.
So
maybe
there's
like
you,
you
can
like
Implement,
One,
s-bomb
Source
and
then
leave
it
like
leave
it
open
in
the
architecture,
to
like
add
other
places,
to
search
for
S
bombs
or
something
in.
O
G
G
L
D
G
L
G
G
J
Okay
thanks
everyone
for
joining.
We
need
a
facilitator
for
next
week
next
week,
we'll
be
meeting
on
the
or
sorry
two
weeks
from
now
the
15th
of
June.
There
will
be
a
sink
yeah.
B
I
can
facilitate
Argo.