►
From YouTube: Scorecards Biweekly Sync (August 25, 2022)
C
B
C
C
C
A
All
right
well
we're
a
few
minutes
after
the
hour,
so
we'll
go
ahead
and
get
started
with
our
agenda.
First
of
all,
like
to
invite
any
new
people
that
are
here
haven't
been
here
for
a
while
or
haven't
introduced
themselves.
Yet,
if
you'd
like
go
ahead-
and
let
us
know
who
you
are,
where
you're
from
anything
about
you
or
just
introduce
yourself.
A
E
Hey
folks
so
yeah
I
wanted
to
give
an
update
on
the
upcoming
launch.
We
have.
We
are
planning
to
do
a
scorecard
action,
v2
launch
on
september
8th,
so
our
tech
writer
who's
also
the
scorecard
doc
maintainer
cara.
She
is
she's
working
with
openssf
to
get
this
blog
out.
So
once
we
have
like
a
skeleton
of
the
blog
blog
and
share
it
out
with
the
rest
of
the
scorecard
maintainers
and
can
all
like
contribute
to
it
and,
like
you
know,
we
can
get
this
out.
E
So
some
of
the
staging
sites
and
api
have
been
available
feel
free
to
like
use
it.
If
you
have
any
last-minute
feedbacks
would
be
happy
to
incorporate
that.
I
am
trying
to
track
the
pending
tasks
that
we
may
want
to
do
before
we
actually
launch
this.
I
was
hoping
david
could
be
here,
so
I
could
like
catch
him
about
the
domain
name
changes,
but
he's
not
here
I'll
try
to
catch
him
later,
I'm
working
on
making
sure
the
api
can
have
some
throttling.
E
B
Yeah,
so
the
the
installer
tool
that
was
initially
committed,
I'm
not
sure
if
it
ever
worked
to
be
honest,
but
the
the
the
last
push
gets
it
to
a
working
state.
It's
not
a
perfect
state,
but
you
can
now
pick
up
that
installer
and
if
you
go
to
the
command
installer
within
square
card,
just
do
like
a
go
run
command.
You
know,
installer
main.go
it'll,
give
you
some
options
and
you
can
either
choose
to
install
across
each
across
all
repositories
within
an
org
or
or
to
explicit
repositories.
B
B
E
B
Yeah,
so
at
this
point
they
would
have
to
do
a
git
checkout,
there's,
no,
so
so
I
mean
in
in
that
case,
what
I
can
do
is
prioritize
the
work
of
turning
that
into
a
sub
command.
That
way,
whatever
we're
publishing
as
containers
it'll
automatically
be
out
there.
So
you
can,
you
can
opt
to.
You,
cannot
to
install
you
know
from
from
the
repo
or
you
can
opt
to
pull
the
container
into
the
installation.
That.
D
E
B
B
E
So
just
a
heads-up
that
you
might
be
seeing
some
pr's
around
that
it
shouldn't
be
affecting
any
scorecard
prawn,
job
thing
or
it
shouldn't
be
affecting
anything
on
our
side.
It's
it's.
I
think
the
only
work
vs
scorecard
maintainer
should
be
doing
is
like
reviewing
the
pr's.
So
just
a
heads
up
on
that.
E
B
C
Hi,
so
I
have
been
looking
at
issue
2092,
looking
at
it
with
sauro
and
so
we're
interested
in
taking
this
on
and
just
for
some
background.
I've
been
looking
around
and
trying
to
see
the
crown
related
documentation,
but
it
looks
like
in
the
contributing.md
file
there's
a
section
heading,
but
no
information
in
there.
E
D
D
B
Let
let
me
interject
for
a
hot
second.
I
think
you
know,
I
think
part
of
the
the
mentoring
through
that
should
be
like
you
know,
caroline,
if
he
can
take
an
action
to
document
all
the
things
that
we're
missing
all
right.
Not
not
not
actually
do
the
documentation
but
say
like
this
is
what
I
bumped
into
that
I
couldn't
do
right
and
that
and
that
that
should
firmly
be
on
maintainers
to
to
help
through
the
documentation
process,
so
that
it
is
easier
for
you
to
pick
up
without
handle.
C
Yeah
but
overall
yeah,
so
this
has
been
saurabh
and
I
just
working
on
this
together,
I
think
tripad
I
had
been
working
with
before
was
also
interested,
so
I
think,
there's
a
bunch
of
eyes
working
on
it,
so
we
can
continue
chatting
about
whether
or
not
it's
the
right
fit
for
like.
If
this
is
the
right
first
issue
to
work
on
or
if
there's
something
that
would
be
better
to
ease
into
this.
E
E
Yeah,
I
I
think
he
maybe
we
can
like
sink
on
slag
and,
like
probably
figure
out,
I
I
there
might
be
some
overlap
in
like
how
the
release
for
scorecard
tron
and
the
gauge
tool
does
and
like.
Maybe
you
can
figure
out
like
what?
What
might
be
the
long
term
thing
and
in
our
next
meeting
we
probably
can
have
a
plan
that
we
propose
to
maintainers.
E
Let's
have
a
list
of
bugs
and
like
ask
the
community,
hey
yeah,
you
know,
come
and
fix
these
bugs
and
there
might
be
some
rewards
either
some
swag
that
we
give
out,
or
maybe
even
like
monetary
reports,
if
needed,
just
a
way
to
like
get
some
more
involvement,
more
diverse
ideas
and
like
how
scorecard
is
doing.
I
don't
know
if
any
other
open
source
project
has
done
something
like
this,
maybe
like
kubernetes,
so
wanted
to
hear
ideas.
B
B
Actually,
you
know
to
the
previous
issue
that
we
were
just
talking
about
2092,
make
sure
that
it
is
in
in
the
chunks
that
are
actually
workable
by
new
contributors
right,
the
the
if
you,
if
you
land
on
you,
know,
say
you
do
some
some
contribution,
work
and
close.
You
know
x,
amount
of
issues
or
land
in
our
our
releases
page
that
that's
that
should
be
sufficient
to
get
the
swag
right
as
opposed
to
it
needs
to
be
a
bug.
B
I
think
the
worry
that
I
have
with
a
bug
bounty
is
that
that's
going
to
attract
lots
of
maybe
unwanted
traffic,
maybe
more
more
noise
than
signal.
So
so
I
I
think,
like
the
the
overall
goal
or
the
overarching
goal
of
interview,
you
know
increasing
the
contributor
base,
I
think,
is
a
solid
one.
I
think
the
scoping
it
to
bug
bounty
is
maybe
maybe
not
the
best
approach.
E
B
Yeah
I
mean,
if
you
think,
of
something
like
you
know,
hacktoberfest
right
and
then
hacktoberfest
is
what
comes
to
mind
when,
like
you
know
flagging
something,
as
you
know,
good
first
issue
or
something
hacktoberfest
leads
to
the
you
know
leads
to
the
the
errant.
You
know
typo
fixed
prs,
or
you
know
lots
of
traffic
that
is
maybe
not
as
high
quality
as
it
needs
to
be.
E
Yeah,
I
see
the
next
one.
Sorry
I
think
the
next
one
is
also
me.
I
quickly
I
I
stopped
seeing
the
meeting
recordings
being
uploaded
on
youtube.
That
used
to
be
a
thing
again.
I
don't
know
if
anyone
from
openness
is
f
or
lf
is
here
but
yeah.
That's
something
that
that
I
don't
see
is
happening
right
now.
So
I'll,
probably
just
like
plug
this
to
david
separately.
E
B
A
Do
you
want
to
do
you
want
to
talk
about
any
of
the
changes
to
the
design
review
that
we
had
last
last
session?
Oh
sure
yeah.
So
there
have
been
some
changes
to
the
action
use
policy
for
all
star,
though
a
lot
of
the
feedback
has
been
integrated,
including
now
priority
is
taken
into
account
when
evaluating
the
rules,
though
pretty
much
everything
should
be
deterministic
and
how
rules
are
evaluated
now.
C
A
There
were
also
some
corresponding
changes
to
how
issues
are
handled
in
all-star,
so
now
they're
edited
if
the,
if
the
notify
reason
changes.
So
that
means
especially
for
this
policy
it'll
be
helpful
because
you'll
be
able
to
keep
updated
about
when
there
are
changes
to
how
well
you're
doing
in
regards
to
the
organization's
various
rules.
A
B
Hey
so
I
know
there,
there
was
an
issue
that
we
opened
a
while
back
talking
about.
What's
next
for
scorecard
and-
and
I
think
you
know,
the
short
answer
for
me
is
I'm
I'm
not
quite
sure,
but
I
know
that
I
signed
up
for
being
the
release
manager
for
scorecard
v5,
and
we
may
be
approaching
the
point
where
we
want
to
consider
that.
So
I
you
know
curious
to
get
some
thoughts
from
the
team
on
on
timeline
as
well
as
are
there
remaining
or
you
know?
D
Sorry,
I
think
one
of
the
things
that
I
I
I
I
don't
know
how
I
missed
that
I've
seen
bunch
tagged
a
bunch
of
items
specifically
based
on
one
of
the
universities,
research
findings,
so
I
think
that
would
be
a
great
to
be
great
to
go
into
v5.
If
we
are
thinking
of
getting
that.
That
was
my
take
assume.
Sorry
all
right,
let
me
just
go
ahead.
E
E
If
you
have
you
know,
ideas
or
feedback
on
like
what
we
should
accomplish
before
that
or
like
you
know,
if
you
should
just
concentrate
on
release
process
or
should
we
target
having
some
word
compatibility
whatever
it
is,
but
I
think
we
can
look
into
it,
but
yeah
nothing
blocking
as
such.
I
think
we
have
a
decent
chunk
of
changes
in
there
to
start
thinking
about
rb5
release.
B
Okay
yeah,
I
I
the
primary
reason
for
me:
volunteering
is
to
exercise
our
release
process
and
and
see
and
try
to
see
where
the
gaps
are.
I
think
there's
also
some
opportunity
to
collapse,
some
of
the
various
environment,
variables
and
switches
and
levers
and
doodads
that
you
have
to
pull
to
enable
certain
or
enable
or
disable
certain
features
or
formats.
So
I
know
that
there's
been
some
work
into
collapsing,
some
of
that
stuff
already,
but
it
would
be
good
to
close
out
on
that
and
decide.
B
E
B
Yeah,
so
I
did
some
documentation
work
on
the
basically
what
I
grocked
from
conversations
with
y'all
around
the
scorecard
action
stuff,
but
it
would
be
great
to
get
the
full
picture
of
like
scorecard
to
score.
You
know
scorecard
scorecard
action
scorecard
web
app
any
and
any
things
that
need
to
happen
in
between,
like
regenerating
swagger
documentation,
for
example,
right.
A
C
D
C
C
B
D
B
It
got
it
all
right,
so
so
one
password
we've
got
the
bot
account
needs.
There's
also
did
someone
do
the
we
should
maybe
try
to
close
out
on
the
conversation
around.
There
is
the
one
that
came
up
around
a
doc,
docs
maintainer
team,
but
also
the
overall
settings
bot
plus
code
owners
situation.
I
know
that
we
haven't
merged
those
pr's.
Yet
do
we
want
to
take
some
time
to
chat
about
that.
E
B
E
Should
probably
talk
about
the
setting
spot
thing,
I'm
always
a
fan
of
having
everything
written
in
code
rather
than
changing
things
in
ui.
I
just
I'm
not
super
familiar
with
what
this
setting
spot
is.
Is
this
a
trusted
board
by
github?
I
I
don't
know
about
that.
So
as
long
as
we
think
we
can
trust
this,
I
I'm
okay,
I'm
more
than
happy
to
have
a
settings
file
which
kind
of
you
know.
B
B
My
worry
with
introducing
a
new
team
is
that,
if
we're
not
gonna
enforce
the
fact
that
the
team
manages
the
repo,
then
at
some
point
someone's
going
to
change
something
and
it'll
fall
out
of
sync
right,
so
so
having
that
enforced
in
in
both
settings
as
well
as
code
owners
would
be
good
and
then
every
and
then
every
change
becomes
a
pr.
Instead
right.
B
D
B
B
Laurenta
to
answer
your
question
from
this
issue,
you
know
the
infrastructure
is,
is
basically
the
github
apps
context.
Folks
have
branch
protection
bypass?
This
is
again
something
that
can
be
enforced
or
reverted
via
that
bot
and
and
part
of
the
reason
that
you
install
them
together
or
use
them
together.
Is
that
the
the
settings
are.
D
B
B
B
Right
and
then
you'll
see
that
there
are
two
segments,
one
for
the
entire
repo
which
the
steering
committee
has
has
access
over,
and
then
I
mean
really
there's
only
one
there,
one
group
of
people
reviewing
for
this
repo,
but
you
know
one:
you
you'd
set
a
code
owners
explicitly
for
for
the
settings.yaml
and
then
and
then
one
for
the
rest
of
the
repo.
However,
you
want
to
carve
that
up.
D
Unless
there's
a
pressing
need,
I
am
not
in
favor
of
this
because
it's
one
bad
thing
that
has
to
happen
that
can
compromise
stuff.
That's
my
take
again.
It's
only
my
take
I'm
gonna,
I'm
gonna
state
that
if
there's
it's
not
that
we
have
hundreds
of
changes
pretty
often
that
we
can
look
at
it
anytime.
At
least
I
can
speak
for
myself
anytime.
If
I
have
to
change
any
of
the
settings,
I
hate
wrapping
slack
saying
I
think
other
maintainers
have
also
done
that
saying:
hey.
D
B
B
D
B
C
D
B
B
D
It's
okay,
sometimes
right.
I
I
okay,
because
because
if
if
they
did,
okay,
sorry,
I'm
not
gonna,
I'm
not
gonna
go
down
the
tiny
of
doing
that.
I'm
I'm
just
trying
to
say
if
we
say
we're,
gonna
agree
upon
kira
being
the
gold
standard
for
everything
I'm
like
saying:
no,
they
might
not
be
so
just
so
that
we
know
that
and
we're
trying
to
mitigate
those
risks
and
that's
why
I'm
trying
to
play
that.
B
Yeah,
I
know
no,
I
completely
understand
I
completely
understand
for
for
what
it's
worth
I've
been
using
this
for
a
while
with
no
issue.
It
was
suggested
to
me
by
cncf's
cto
in
the
first
place
so
like
like
there's
some
there's
some
prior
art
within
lf
projects
for
using
it.
If
it's
a
decision
that
we
we
don't
want
to
go
forward
with
this,
then
we
need
a
process
in
place
for
auditing
the
way
we
are
doing
changes
for
github
settings
the
the
process.
B
F
F
B
F
B
It
it
it's
it's
not
bypass
unless
you
configure.
This
is
also
you
know,
so
so
kubernetes
will
do
this
a
slightly
different
way
like
we.
We
have
proud
running
and
they're
various
pro
plug-ins
that
ensure
that
you
know,
branch
protection
is
being
enforced,
for
example
right
for
you
know,
if
you,
if
you
come
from
kubernetes
land,
you
get
a
lot
of
things
out
of
the
box
by
using
one
of
their
repos
just
by
way
of
having
prow
running
in
the
background
for
any
other
lf
project.
B
That
is
not
necessarily
the
case
unless
they're
taking
advantage
of
crowd2
what's
great
about
this,
is
that
if
you're
trying
to
figure
out
how
your
branch
settings-
or
you
know
your
branch
protection
settings-
are
configured,
that
config
is
going
to
tell
you
exactly
how
they're
configured
so
you
can.
You
can
go
down
to
like
this
branches
protect.
This
is
our
default
branch.
This
is
the
you
know.
This
branch
is
protected.
It
requires
x,
amount
of
reviews,
yada
yada.
All
the
settings
are
included
in
settings.yemen.
B
Not
the
settings
no
setting
bot
doesn't
do
that.
There
are
other
bots.
There
are
other
bots
yeah
they're.
You
know
they're
they're
bots,
like
mergify,
for
example,
which
which
you
can
configure
to
auto
merge
the
same
way.
We
we
could.
We
click
auto,
merge
for
a
bunch
of
rpr's-
or
we
might
say
you
know,
depend
a
bot
squat.
You
know
if
we
approve
a
request
from
from
the
pandabot
and
say
like
squash
and
merge.
It
will
take
that
as
an
approval,
but
but
setting
spot
doesn't
do
that.
F
Yeah
personally,
I
would
also
like
to
have
like
a
bot
that
is
read-only
and
can
post
the
setting
somewhere,
so
it
doesn't
have
to
like.
I
don't
remember
exactly
how
this
bot
works.
I
remember
last
time
we
had
some
common
sense.
I
don't
know
what
what
those
were.
So
I
I
cannot
really
comment
exactly.
B
We
don't
have
the
same
level
of
privileges
so
so
that
trust
is
delegated
already
it's
it's
whether
or
not
we
want
to
manage
it
manually
or
not,
and
and
if
it
is
a
wider
discussion
about
what
the
security
implications
are
around
setting
spot,
we
can
do
that.
Then
we're
kind
of
doing
it
right
now,
right.
B
B
E
Well,
like
I
said
I
mean
I
can
go
either
way,
I'm
always
a
fan
of
like
having
things
written
down
in
code,
but,
like
I
said
I,
I
am
not
super
familiar
with
how
you
would
trust
something
or
like
what
might
be
the
security
implications
here.
But
if,
if
folks
think
this
is
trustworthy,
I
think
I'm
happy
to
have
the
settings
in
in
code
like,
I
think
that's,
that's
always
a
good
practice
in
my
opinion,
yeah.
That's
that's
my
view.
C
F
Yeah
I
mean
I
also
like
to
have
configure
score,
but
to
me
I
think
we
need
to
do.
I
mean
I'd
like
to
see
a
document
that
says
these
are
the
security
risks
and
this
is
how
the
bot
works
like
right.
Now,
honestly,
I
don't
remember
anything
about
what
that
bot
does.
So
I
can't
really
say
anything
my
for
me.
I
would
just
delay
it
and
write
a
doc
and
then
maybe
even
run
it
by
the
tack,
because
that's
an
open,
ssf
project
so
that
the
discussion
is
also
okay,
yeah.
You
know
a
broader
discussion.
C
D
B
C
E
B
On
on
the
upstream,
I'm
seeing
a
lot
of
you
know:
username
slash
future
x,
blah
right,
and
that
leads
to
a
bunch
of
right.
Now,
we've
you
know.
If
I
look
at
you
know,
scorecard
repo
we've
got
more
than
one
page
of
stale
branches
around
and-
and
that's
you
know,
and
that
doesn't
need
to
that-
doesn't
need
to
exist.
I
think
that
you
know
that
we
can
decraft
this
repo
a
little
bit
if
we,
if
we
stick
to
doing
branches
from
forks
instead,
our
pr
is
from
forks.
D
B
D
D
B
Yeah
yeah,
I
know
I
totally
understand
it's.
It's
it's
a
it's
a
it's
a
cleanliness
thing
really
and
especially
as
if,
if
we
scale
up
maintainers
and
stuff,
we
want
to
set
the
expectation
that
keep
minimal
branches
and
branches
that
are
useful
right
they're.
I
I
don't
see
a
good
reason
to
track
additional
branches
on
the
upstream
unless
we're
working
on
or
co-developing
on
some
future
branch
or
something.
B
Yeah,
it's
very
easy
to
overlook
that,
and-
and
I
mean
I-
I
have
to
train
myself
when
I'm
working
on
like
a
personal
project
or
something
to
not
necessarily
keep
long-lived
branches
around
and
assume
and
try
to
try
to
work
as
if
I
was
a
contributor
to
the
project.
Without
those
elevated
privileges,
yep.