From YouTube: Scorecards Biweekly Sync (August 25, 2022)

A: Yeah, and if you need access, where's...

B: There's a mailing list. So is that a Google Workspace account, CMU?

B: Okay, which list did you subscribe to?

B: Yeah, announce. We'll give it to you, I mean David will give it to you, but unannounced that...

A: All right, well, we're a few minutes after the hour, so we'll go ahead and get started with our agenda. First of all, I'd like to invite any new people that are here, haven't been here for a while, or haven't introduced themselves yet. If you'd like, go ahead and let us know who you are, where you're from, anything about you, or just introduce yourself.

A: Oh, looks like we're all regulars, so no new faces today. So we'll go ahead and continue on to project updates. We'll start with Azeem.

E: Hey folks, so yeah, I wanted to give an update on the upcoming launch. We are planning to do a Scorecard Action v2 launch on September 8th. So our tech writer, who's also the Scorecard doc maintainer, Cara, she's working with OpenSSF to get this blog out. So once we have a skeleton of the blog, I'll share it out with the rest of the Scorecard maintainers and we can all contribute to it and, you know, we can get this out.

E: So some of the staging sites and API have been available; feel free to use them. If you have any last-minute feedback, I'd be happy to incorporate that. I am trying to track the pending tasks that we may want to do before we actually launch this. I was hoping David could be here so I could catch him about the domain name changes, but he's not here; I'll try to catch him later. I'm working on making sure the API can have some throttling.

E: I have the endpoints and load enabled for the API. I can work on the throttling, probably over the weekend. Stephen, I know you're working on the installer tool.

B: Yeah, so the installer tool that was initially committed, I'm not sure if it ever worked, to be honest, but the last push gets it to a working state. It's not a perfect state, but you can now pick up that installer, and if you go to the command installer within Scorecard and just do a go run command, you know, installer main.go, it'll give you some options and you can either choose to install across all repositories within an org or to explicit repositories.

B: If you supply the owner flag as well as the repos, you can do individual repos, you can do a cluster of repos there. Eventually, what I'd like to do is, this is just to get it out of the door for v2, but eventually what I'll do is kind of up-level some of the logic that's in the entrypoint directory into just a main for the command line tool, and then the install can be a subcommand of that. That way, when we provide the container images, you can also opt to use a container image to do the installation of the action across...

E: The installer tool today, without doing a git checkout... I basically want to be in a state when they, let's say, read the blog post, they have maybe one or two commands that they run and can install it. I think that'll kind of help adoption. So I just wanted to understand.

B: Yeah, so at this point they would have to do a git checkout. There's no... So I mean in that case, what I can do is prioritize the work of turning that into a subcommand. That way, whatever we're publishing as containers, it'll automatically be out there. So you can opt to install, you know, from the repo, or you can opt to pull the container into the installation.

E: I'm okay with that, yeah. Anything that basically reduces the number of steps folks need to take to get this installed. Stephen, do you think, I mean, I'm not sure how much work it would be, so do you think this is doable, or is it...

B: It shouldn't be too bad. Let me just, I would want to make sure that, do you think feature work-wise we're done? Any changes to the entrypoint, or are we effectively done for this release?

E: ...That is, like, take a bunch of URLs and then, you know, run criticality score on it and dump it out. So they reached out to us and they asked if they can use the same infrastructure that Scorecard cron is using, and what they hope to do is kind of refactor the cron library so that it becomes a framework where you can say, here's my worker plugin, and you plug in either the Scorecard worker or the criticality score worker.

E: So just a heads-up that you might be seeing some PRs around that. It shouldn't be affecting any Scorecard cron job thing, or it shouldn't be affecting anything on our side. I think the only work we, as Scorecard maintainers, should be doing is reviewing the PRs. So just a heads-up on that.

E: ...for a while. I guess it's just that no one has prioritized to actually do it, but yeah, that should be what I think it should be. It's generic enough that any OpenSSF project can use it, and maybe with this criticality score push we can kind of get there.
A: All right, moving on. Caroline.

C: Hi, so I have been looking at issue 2092, looking at it with Saurabh, and so we're interested in taking this on. And just for some background, I've been looking around and trying to see the cron-related documentation, but it looks like in the CONTRIBUTING.md file there's a section heading but no information in there.

E: Yeah, I think that's my bad. If there are any specific questions, I can try and answer them here on the call. If not, you can find me on Slack and I can try and answer that. But yeah, you're right, we don't have a lot of docs on how the cron is set up.

D: Sorry, is there a specific reason... I appreciate you trying to take on this issue, but because the number of moving parts is really high, it's going to take a lot of hand-holding, in my opinion. You need a lot of setup with respect to the Pub/Sub worker.

B: Let me interject for a hot second. I think part of the mentoring through that should be, you know, Caroline, if you can take an action to document all the things that we're missing, right? Not actually do the documentation, but say, like, this is what I bumped into that I couldn't do, right? And that should firmly be on maintainers to help through the documentation process, so that it is easier for you to pick up without hand-holding.

C: Yeah, but overall, yeah, so this has been Saurabh and I just working on this together. I think Tripad, who I had been working with before, was also interested, so I think there's a bunch of eyes working on it. So we can continue chatting about whether or not it's the right fit, like, if this is the right first issue to work on or if there's something that would be better to ease into this.

E: Caroline, quick question. So you mentioned Sripa. Is he also part of, I think it is called, the gorge?

E: Yeah, I think maybe we can sync on Slack and probably figure out... There might be some overlap in how the release for Scorecard cron and the gauge tool works, and maybe we can figure out what might be the long-term thing, and in our next meeting we probably can have a plan that we propose to maintainers.

A: Cool. So moving on: bug bounty, Azeem.

E: Let's have a list of bugs and ask the community, hey, you know, come and fix these bugs, and there might be some rewards, either some swag that we give out, or maybe even monetary rewards, if needed. Just a way to get some more involvement, more diverse ideas on how Scorecard is doing. I don't know if any other open source project has done something like this, maybe Kubernetes, so I wanted to hear ideas.

B: So I like the idea of increasing the contributor base. I think one of the ways that we need to approach that is by understanding what our roadmap is, publicizing that, and providing opportunities, making sure that we're...

B: Actually, you know, to the previous issue that we were just talking about, 2092, make sure that it is in the chunks that are actually workable by new contributors, right? If you land on, you know, say you do some contribution work and close X amount of issues, or land in our releases page, that should be sufficient to get the swag, right, as opposed to it needs to be a bug.

B: I think the worry that I have with a bug bounty is that that's going to attract lots of maybe unwanted traffic, maybe more noise than signal. So I think the overall goal, or the overarching goal of increasing the contributor base, I think, is a solid one. I think scoping it to bug bounty is maybe not the best approach.

B: Yeah, I mean, if you think of something like, you know, Hacktoberfest, right? Hacktoberfest is what comes to mind when flagging something as, you know, good first issue or something. Hacktoberfest leads to the errant, you know, typo-fix PRs, or lots of traffic that is maybe not as high quality as it needs to be.

E: Yeah, I see the next one. Sorry, I think the next one is also me. Quickly, I stopped seeing the meeting recordings being uploaded on YouTube. That used to be a thing. Again, I don't know if anyone from OpenSSF or LF is here, but yeah, that's something that I don't see is happening right now. So I'll probably just plug this to David separately.

C: Yeah, if you...

B: If you don't mind, maybe sending an email out instead to operations at openssf.org. That way it hits everyone, because I know a few people may be on the way to vacation or coming back from vacation, so that's the list to hit everyone. And I would agree that, like, when did we have a drop-off in meeting recordings?

E: Actually, not so sure. I think it's been, maybe the last two or three meetings have not been recorded, but we used to have consistently recorded meetings uploaded. Okay.

B: Okay, maybe an integration dropped. Maybe it's not a human thing. I know in Kubernetes we're using this plugin that just fails all the time, so often it does require human intervention.
A: Do you want to talk about any of the changes to the design review that we had last session? Oh, sure, yeah. So there have been some changes to the action use policy for Allstar. A lot of the feedback has been integrated, including now priority is taken into account when evaluating the rules, so pretty much everything should be deterministic in how rules are evaluated now.

A: There were also some corresponding changes to how issues are handled in Allstar, so now they're edited if the notify reason changes. So that means, especially for this policy, it'll be helpful because you'll be able to keep updated about when there are changes to how well you're doing in regards to the organization's various rules.

B: Hey, so I know there was an issue that we opened a while back talking about what's next for Scorecard, and I think, you know, the short answer for me is I'm not quite sure, but I know that I signed up for being the release manager for Scorecard v5, and we may be approaching the point where we want to consider that. So I'm curious to get some thoughts from the team on timeline, as well as are there remaining, or you know...

D: Sorry, I think one of the things that, I don't know how I missed that, I've tagged a bunch of items specifically based on one of the universities' research findings, so I think that would be great to go into v5, if we are thinking of getting that. That was my take, Azeem. Sorry, all right, let me just go ahead.

E: Sure, yeah, so I just wanted to say I don't think we have any major, you know, blocking features to release v5. So I think it would be a great time to start thinking about a v5 release, and yeah, Stephen...

E: If you have, you know, ideas or feedback on what we should accomplish before that, or, like, if we should just concentrate on the release process, or should we target having some backward compatibility, whatever it is, I think we can look into it. But yeah, nothing blocking as such. I think we have a decent chunk of changes in there to start thinking about a v5 release.

B: Okay, yeah. The primary reason for me volunteering is to exercise our release process and try to see where the gaps are. I think there's also some opportunity to collapse some of the various environment variables and switches and levers and doodads that you have to pull to enable or disable certain features or formats. So I know that there's been some work into collapsing some of that stuff already, but it would be good to close out on that and decide.

B: What is the official feature set for v5? The changes that you had mentioned, the suggestions that were made for inclusion around the university work, do we have a tag for that, or do we have an umbrella issue that's tracking those requests?

E: Yeah, I'll put it in the meeting notes. I've tagged them all as score reporting.

B: Score reporting, okay. So I'll take anything that's in the score reporting label and I'll put that into the v5 milestone.

E: Okay, but yeah, I think it would be great if you could help us plan out a release process, or, like, if we even have a documented release process that we can all follow. Yeah.

B: Yeah, so I did some documentation work on basically what I grokked from conversations with y'all around the Scorecard Action stuff, but it would be great to get the full picture of, like, Scorecard, Scorecard Action, Scorecard web app, and any things that need to happen in between, like regenerating Swagger documentation, for example, right?

A: I don't see anything hanging on the agenda before we get to the end. I wanted to circle back with Scott: were you able to get access after you joined the dev group?

C: I already have one. I have a PR in action right now. So, oh great, so I'm working through it, and it's an update to the security policy scoring algorithm. Cool. You can look at it. Awesome. I forget the number here. It's...

C: So I've already made it through one pipeline. Now I'm working through comments, so all happy.
B: Very cool. Folks, I forgot to put this, but I'm tossing it on the agenda in the process. So the question: I know there have been questions in the past around having a bot account for Scorecard. Did we get an update? I know there were some things on that issue too. No, we...

D: Still didn't, we didn't get any update. I think I wrote to operations; I didn't get an update. Probably doing that again would be better, yeah. We still haven't gotten any update. Gotcha.

B: Got it, all right. So, one, password: we've got the bot account needs. There's also, did someone do the... We should maybe try to close out on the conversation around, there is the one that came up around a docs maintainer team, but also the overall settings bot plus CODEOWNERS situation. I know that we haven't merged those PRs yet. Do we want to take some time to chat about that?

E: I think docs maintainer, I see a Scorecard docs team, and Cara is probably part of it. I don't know who did that, maybe Naveen? I did that.

D: I did that. Sorry, like I mentioned in the previous Scorecard meeting agenda that I'm gonna take that, I did that. Cool.

E: Yeah, so I think that's taken care of. Let me just fix that. Oh yeah.

E: We should probably talk about the settings bot thing. I'm always a fan of having everything written in code rather than changing things in UI. I'm just not super familiar with what this settings bot is. Is this a trusted bot by GitHub? I don't know about that. So as long as we think we can trust this, I'm okay. I'm more than happy to have a settings file which kind of, you know...

B: Yes, it is a GitHub bot. It's under the auspice of Probot. It's used in several of my orgs, which include LF orgs or LF project orgs. I think it's fine to use here, and settings bot plus CODEOWNERS means that we're... so.

B: My worry with introducing a new team is that if we're not gonna enforce the fact that the team manages the repo, then at some point someone's going to change something and it'll fall out of sync, right? So having that enforced in both settings as well as CODEOWNERS would be good, and then every change becomes a PR instead, right?

D: I think I'm gonna ask questions here. Stephen, can you specifically mention which repositories are using it, what permission levels they are, who's maintaining that tool? It'd be nice to know about it, because that makes, to speak for myself, it makes me comfortable.

B: Oh yeah, for sure. And I think if there was a supply chain attack on that side, we would have multiple LF repos that we'd be worried about. So one, I'm gonna try to dig up the initial issue around this.

B: So I just popped that open, just popped it in chat, if you want to pull that one up.

B: Laurent, to answer your question from this issue, you know, the infrastructure is basically the GitHub Apps context. Folks have branch protection bypass? This is again something that can be enforced or reverted via that bot, and part of the reason that you install them together or use them together is that the settings are...

B: You basically have two levels of settings: one specifically that controls the .github folder, or more specifically .github/settings.yaml, and then another one that controls the rest of the repo. So one, you're ensuring that the... That's part of the reason that I created multiple teams to start, not just a maintainers team but an admins and a maintainers team.

B: The admins team would hold control over the settings configurations for the repos, where it would give us an opportunity to bring on triagers that don't have that level of merge access.

B: So, and then concrete usage is here, if you want to pull this up on screen.

B: Right, and then you'll see that there are two segments, one for the entire repo, which the steering committee has access over, and then, I mean really there's only one group of people reviewing for this repo, but you know, one, you'd set a CODEOWNERS explicitly for the settings.yaml and then one for the rest of the repo, however you want to carve that up.

D: Unless there's a pressing need, I am not in favor of this, because it's one bad thing that has to happen that can compromise stuff. That's my take. Again, it's only my take. I'm gonna state that it's not that we have hundreds of changes pretty often that we can look at it anytime. At least I can speak for myself: anytime, if I have to change any of the settings, I ping Slack saying, I think other maintainers have also done that, saying, hey.

B: So let me just note that the difference between those stances is that auditing the changes between, you know, figuring out exactly who said what on Slack, at what time, about what change, right, versus reviewing a PR log. I...
D: It's okay sometimes, right. Okay, because if they did, okay, sorry, I'm not gonna go down the line of doing that. I'm just trying to say, if we say we're gonna agree upon Kira being the gold standard for everything, I'm saying no, they might not be. So just so that we know that, and we're trying to mitigate those risks, and that's why I'm trying to play that.

B: Yeah, no, I completely understand. For what it's worth, I've been using this for a while with no issue. It was suggested to me by CNCF's CTO in the first place, so there's some prior art within LF projects for using it. If it's a decision that we don't want to go forward with this, then we need a process in place for auditing the way we are doing changes for GitHub settings, the process.

B: If we decide to use the bot, the process is as simple as reviewing commits to the settings.yaml.

B: It's not bypass unless you configure... This is also, you know, so Kubernetes will do this a slightly different way. We have Prow running, and there are various Prow plugins that ensure that, you know, branch protection is being enforced, for example, right? If you come from Kubernetes land, you get a lot of things out of the box by using one of their repos just by way of having Prow running in the background. For any other LF project, that is not necessarily the case unless they're taking advantage of Prow too. What's great about this is that if you're trying to figure out how your branch settings, or, you know, your branch protection settings are configured, that config is going to tell you exactly how they're configured. So you can go down to, like, this branches: protect. This is our default branch. This branch is protected. It requires X amount of reviews, yada yada. All the settings are included in settings.yaml.

B: No, settings bot doesn't do that. There are other bots. You know, there are bots like Mergify, for example, which you can configure to auto-merge the same way we could click auto-merge for a bunch of our PRs, or we might say, you know, Dependabot squash. You know, if we approve a request from Dependabot and say, like, squash and merge, it will take that as an approval. But settings bot doesn't do that.

F: Yeah, personally, I would also like to have a bot that is read-only and can post the settings somewhere, so it doesn't have to, like... I don't remember exactly how this bot works. I remember last time we had some comments; I don't know what those were. So I cannot really comment exactly.

B: But yeah, to answer the question, I'm looking at one of the notes that you left: having the bot have the ability to change branch protection, admin users. And, you know, theoretically, we are in a way third parties, right, to the overall org, right?

B: We don't have the same level of privileges, so that trust is delegated already. It's whether or not we want to manage it manually or not. And if it is a wider discussion about what the security implications are around settings bot, we can do that. We're kind of doing it right now, right?

B: But I endorse it, if only for the whole... if the settings are auditable and it takes the need for us to manage them actively, or figure out how they were done, when they were done, by who they were done, out of our hands.

D: So at least right now we have four maintainers. So you are in favor, again, your thought process?

E: Well, like I said, I mean, I can go either way. I'm always a fan of having things written down in code, but like I said, I am not super familiar with how you would trust something, or what might be the security implications here. But if folks think this is trustworthy, I think I'm happy to have the settings in code. I think that's always a good practice in my opinion, yeah. That's my view.

D: Okay. Laurent, do you want to... meeting space?

F: Yeah, I mean, I also like to have configuration as code, but to me I think we need to... I mean, I'd like to see a document that says these are the security risks and this is how the bot works. Right now, honestly, I don't remember anything about what that bot does, so I can't really say anything. For me, I would just delay it and write a doc and then maybe even run it by the TAC, because that's an OpenSSF project, so that the discussion is also, okay, yeah, you know, a broader discussion.

D: So sorry, I'm like, Stephen, could that be the next step? You write a doc and present it to the TAC and let them decide.

B: Yeah, that's totally fine. I think, as part of that, we had mentioned on the last call that I'm gonna be investigating some contributor experience, contributor strategy points, and this is definitely part of that, because I think ultimately, with any of these orgs' projects, the question becomes how do we manage things consistently over time, and really it's to not let the humans do it and to have it configured by app. So yeah.

B: This will be part of that proposal anyway, but yeah, that's completely fine. If we want to, I think, you know, to install it, even to get this bot installed, it would need permission from someone who is an org owner, so that would be a discussion that has to happen.
B: Sometimes I'm not able to show up to these meetings, so I've gotta get my licks in while I can. So one note about pull requests, and I would love to see, because I know that this is easily missed when you have elevated privileges, but I would strongly suggest we move towards pull requests coming in from individual forks, as opposed to branches.

B: On the upstream, I'm seeing a lot of, you know, username/feature-x, blah, right? And that leads to a bunch of... Right now, if I look at the Scorecard repo, we've got more than one page of stale branches around, and that doesn't need to exist. I think that we can de-cruft this repo a little bit if we stick to doing branches from forks instead, our PRs from forks.

D: There's a setting on that to delete branches after pull request merge. Unless for some branches we didn't open PRs, those are the leftovers, in my opinion, because by default those branches should get deleted after they get merged in.

D: Yeah. Okay, I'm going to talk about these for myself. I have pushed, but I haven't opened a PR, so probably those things. I'm not denying that we should not do from forks, but I just want to say what it is on that.

B: Yeah, yeah, I totally understand. It's a cleanliness thing, really, and especially if we scale up maintainers and stuff, we want to set the expectation to keep minimal branches, and branches that are useful, right? I don't see a good reason to track additional branches on the upstream unless we're working on or co-developing on some feature branch or something.

B: Yeah, it's very easy to overlook that, and I mean I have to train myself when I'm working on, like, a personal project or something to not necessarily keep long-lived branches around, and to try to work as if I was a contributor to the project without those elevated privileges. Yep.

B: Cool, cool. So, request: it seems like everyone is fine with that, hopefully. So, a request to the team: delete your stale branches.

A: Should we document this? And yeah, we absolutely...

A: Okay, all right, any other topics?

A: Speak now. Okay! Well, we'll call it early. Thank you, everyone, and we'll end with a facilitator transition. Who would like to facilitate next time?

D: Nobody else is thinking? I can take it if somebody else... I'd like others to pick it up.

A: Awesome. Well, again, thanks everybody for joining. Yep, see you on Slack, see you on GitHub issues, see you next meeting. Thanks! Thank you.