From YouTube: Scorecards Biweekly Sync (May 5, 2022)
A: Hi everyone who's joining. This is the Scorecard and Allstar biweekly sync.
A: All right, I'll say it again for those who just joined: I'm presenting the meeting notes, and you can find the link in the calendar invite. You can pull those up, or you can just follow along and view through the presentation. Feel free to add yourself as an attendee if you'd like. And seeing that it's almost five after, I'll go ahead and start the agenda.
C: I do, and recently I went to an East Portland conference and gave a presentation trying to promote OpenSSF Scorecards for use at the hackathon, so people who are building cryptocurrency and crypto-network-related projects might have some indicator of the risk they're including in their project when they're finalized with their project, and they might want to start thinking about the security concerns of what they were working on.
A: Awesome, thanks John, that's really cool to hear, getting new people into Scorecard. Welcome. Anyone else?
D: I am Nusrat, I am a PhD student at NC State University, and recently I am working on a project where I am especially looking into the npm and PyPI ecosystems and trying to see what Scorecard does on those packages and how many checks are actually feasible for npm or PyPI, stuff like that. So this is my first time joining the meeting. Nice to meet you all.
E: I just joined Cisco and I'm catching up on the Scorecard stuff. Nice to meet you.
F: Yeah, hi all. I am also from NC State University, and I am working along with Nusrat on a research paper promoting the use of the Scorecards tool. We're trying to develop a case study about how Scorecards can actually be used in real life on projects, along with collecting data for the npm and PyPI ecosystems.
A: Welcome Parth, yeah, good to have you, and I'm excited to see the research that you all do.
G: Hey everybody, I'm CRob. I get the great pleasure to work with the Developer Best Practices working group, the Vulnerability Disclosures working group, the OpenSSF Technical Advisory Committee and the governing board's Public Policy Committee, and I saw the invite to the mailing list and I just wanted to poke my head in and see all the awesome stuff going on here in the Scorecard team.
A: All right, well, great to see all the new faces. I think we're gonna have an exciting meeting today.
A: Talking about our mission. Also on the announcements, I just threw some things up there for major project updates for Scorecard and Allstar. Laurent and I did a presentation this morning about how we contribute to and maintain those projects, and you can click that and see it. You might have to register, and apologies for that. If you want to wait, that'll get posted to YouTube at a later date.
A: Also, just as a warning of an upcoming session: Stephen and I are going to present Scorecards and Allstar at OpenSSF Day at the Open Source Summit, as well as we'll talk about maybe some other stuff like the CII badge, and so yeah, you can see the information for that there as well.
A: If anybody else has anything, feel free to mention that or bring that up as an announcement. I don't see any other major announcement-level updates on the agenda, so I think we'll go ahead and move to the meat of our meeting: the mission and vision working time, and for that I'll hand it over to Brian.
I: Great, first of all, thank you all for joining. I put out a message in the chat, and I wanted to make sure that anybody who was interested in mission or vision writing for these projects got involved. If you know of anyone that you think would be interested and you don't see here... I highly doubt, unless we're really efficient, that we're gonna get a finalized mission and vision by the end of this meeting.
I: So, just to recap where this started a few weeks ago: I kicked off the topic of wanting to create mission and vision statements for both Scorecards and for Allstar.
I: These are useful in a few different contexts, but if they're done well, I think they can help people that are curious about the project really get a sense of what we're working towards. So anybody that is either joining a meeting or curious about the project should be able to, at a glance, get a better sense of where things are going, and then also for existing members as we're making decisions.
I: So up till this point there have been two separate mission and vision statements opened as GitHub issues, for both Scorecard and Allstar.
I: I think, rather than try to do both at once, we can start with Scorecards and, time permitting, we could talk about Allstar. There's been related discussion about how coupled some of these things should be. I think we can have that discussion as a result of what we arrive at for the mission and vision of both of these.
I: I wanted to first just give an opportunity for people in this group to talk about what qualities they would view as useful for a mission and a vision. I think, without some shared criteria for how we want to evaluate it, it would make consensus just that much tougher for everybody in the group, so I thought that we could take...
I: ...just maybe five minutes, and if people have different ideas on what they would see as useful, feel free to raise your hands. And then, I'm not sure if we have a designated note taker, but maybe we could get a volunteer to start recording in the meeting notes doc, and actually, before we go further, if I could get a volunteer right now, that would be great.
A: Actually, I might... Brian, do you want to present and I'll do the notes?

I: We could do that. I'm not sure if Azeem is on the call, if he's still able to be a note taker. I know at some point he said he might be able to, and I'm not sure if that was for a future session or for this one.
M: Hey folks, can you hear me? Yes, yeah, yeah, oh okay, yeah! I can be the note taker. Okay.
M: Do you want the notes in the GitHub issue directly, or do you want this? Why don't we...
I: If you want to just project the notes while we have this discussion. Feel free to put a hand up. Just to start off, I would say for me, having a mission that helps us prioritize decisions: if we're reading a statement and not feeling like we can derive from that, I would say that's a criterion for me. And I would also say, from a vision standpoint, giving a clear sense of what a successful future looks like is something that I would be looking for. So I'm gonna...
K: Yeah, so I was going to suggest that I think alignment... and you see this all over the place with working groups and their sub-projects, or projects, or whatever they may be defined as in the respective community, but a lack of necessary alignment between the owning group and the project itself, right. So I think it would be valuable if we worked backwards.
K: So Scorecard is a project of the Best Practices working group, right. So what I'm gonna do is just dump the best practices part of the README into the notes, and it's going to be messy for now. But that includes a vision, right. That includes Scorecard, right, and then are we also aligning to what we've already stated on our...
I: Great, I don't see any other hands up at the moment, so I think maybe, Stephen, if you want to just call attention to some of what you're putting in there, like the vision as it stands, right.
K: Yeah, I broke out of the bullets just because I knew it was going to be messier, so yeah. So the vision for the Best Practices working group is to make it easy for developers to adopt best practices, things to identifying good practices, requirements, so on and so forth.
K: Helping maintainers to learn, and these are bolded: identify, learn, and providing tools to help developers adopt, right, so Scorecard falls into the adoption criteria, and then further in that README you can see...
K: Let me scroll down, so for Scorecard what it mentions is: purpose, adopt; automate analysis and trust decisions on the security posture of open source projects is what we've got listed today. So we should work from that. I just pasted that into the notes as well, and I'll scrub anything that is not directly Scorecard-related in a second.
K: Yeah, sure, it's the README of the Best Practices working group, I'll just rush that at the top. That's perfect.
I: And I guess too, along with the example that we have here, I wasn't sure, Stephen, just given your work with some of the other groups, what some of your underlying criteria would be to assess: this is a good vision versus not, this is a good mission versus not.
K: Yeah, I mean, I often start with the maintainers and try to better understand what they're trying to achieve with the project, right. So part of the reason I started contributing here was that this is a useful tool to me, right, as a maintainer of multiple GitHub orgs.
K: It's good to know, like anything that you can manage to automate away, right, or provide some sort of programmatic analysis to, is a little better off than having to kind of hammer away at it manually, right. So being able to run a tool like Scorecard or Scorecard Action across multiple repos and get some sane data out of that without having to do the guesswork that you often do, right. After a while you build up this context with your individual projects and you go, well...
K: I know kubernetes/release, for example, is going to be... that's the place where I put all the release engineering tooling, and I know that that's the most important one for me, so it's going to be the best maintained, and then all the other subprojects that we maintain kind of fall below that bar, right. So being able to run something like Scorecard and immediately get ideas like, hey...
K: We need an automated process for enabling branch protection, or the folks who are doing... we noticed this repo does not have... or we're not doing reviews, our reviews aren't required for this repo, right. So for Kubernetes, for example, a lot of these things that we would get out of a Scorecard report are already enforced, right, but for a more casual maintainer, being able to leverage...
K: ...stand on the shoulders of giants and leverage best practices from people who are doing the work in the industry is really, really valuable.
G: I agree with you, Stephen. This is CRob, and the nomenclature we have: identify, learn and adopt. Because I posted a link; we have a beautiful diagram that kind of shows how the projects within the group are structured, and yeah, the Scorecard piece we thought was really great underneath the identify... that did not work. That makes me sad.
K: Do we have something that extends even further out from... I think it would be curious too, and this is not a huge question necessarily, but OpenSSF-wide, is there a map like this for projects and working groups?
G: I have an unsanctioned one that I've been trying to get the TAC to devote a little time to, to do a reference architecture for the whole foundation, so yeah, I would love to have that, to be able to show the relationships and hyperlink between the different efforts and show where the synergies are. Let me see if I can find that other diagram just to give you a straw-man idea of it, yeah.
K: That'd be awesome, because I think that also is a point to build contribution ladders around, to motivate contributors to know where to go. Agreed.
A: It's not a singular flow of best practices that are identified from the working group. I don't know if that should be part of the vision or the goal here, but maybe something to call out that we... I think we do. I mean, anytime we find something that we think could be automatable, maybe it's a best practice that's known and we just haven't really thought about how we can automate it yet. But anytime we find something like that...
K: Go to Godfrey, I saw your hand up.
N: Yeah, I just wanted to say that, as a user of Scorecards, the main benefit that we have been getting out of it is to identify the current state of the repository security posture.
N: So it had been helping us to identify so many different things that we didn't know about, and it has been saving a lot of time for us, rather than just trying to identify different things by looking at the different parts of the source code. Just running Scorecards gives us a better view of all the different things where we are failing to provide enough security, and then fixing those and identifying new ones.
D: I will add one short thing along with all those lines: I think I see Scorecards also applicable from a user's perspective, who doesn't know security or who doesn't develop software. Since Scorecard is automatic, they can run it and they can get an idea about a project's security posture. And when I was looking into different security frameworks proposed by different organizations, you will see that there are hundreds of best practices or security practices, and they are just telling us: this is what you should do, but very little...
D: We know about how we should do it or how we can automate it, and that's where I think it's at a good value there. Even if you are not from a security background, you can get an idea. I think that's the point.

I: And I was also just gonna say, I think we're starting to get into more of what we would like to see content-wise in the Scorecard mission and vision, and I think, as we're going along... let's... I think we've gotten a good set of the previous work on the table.
I: So I think this is a good time to start going into that, and I think what was just said is a great piece of content to be considered, and unless anyone else has any other general criteria, maybe we can shift gears a little bit into more of that content piece. I'm actually going to copy and paste over what I started out as a draft example from the GitHub issue, as something that I think we could start incorporating pieces into that you might see as missing, or see if it covers what's already there.
K: Would it make sense for us to break out into another document, just to keep the meetings clean?

I: I think it could, or we could keep it here and then copy and paste it at the end just so we're... I agree. We don't want this big chunk of meeting notes right there.
B: I have a few points. So yeah, I'm working with IBM and I'm part of the compliance team, so we have different business units and they have different ways of doing their auditing and doing the compliance thing, checking the stored expert as per standard or not, so they have their different measurements of looking for their reports and code and everything. And this is where I see the Scorecard as the centralized location where I can see the numbers given to all what we are working on and what this number is given to.
K: I would say that sounds like a goal. That's not something that we necessarily do today, right, so that's actually great as something that we'd want to steer towards, right. The aggregate of all of these results is not something that we actively present; these are kind of ad hoc processes, right.
B: Yes, but yeah, it helps. We are running some of it internally in IBM and putting some score points for each open source project we're using, and it's a really nice picture of how it is. It is helpful for us, because each team has a different way of doing these vulnerability checks for audit and other stuff, and this also helps in it. For us, it's really good for us.
K: Do you have a... and in the interest of not veering too far off the working session, if you are willing to share some of that criteria, I think it'd be interesting to have a use case to build around too.
C: So here goes this highlighted section. Vision: provide visibility of the security posture of open source projects. Mission: build a tool that unifies the measurement of security posture for open source projects. And for me, vision is why we do what we do, and mission is what we're doing to make that vision a reality, and the strategy is kind of how we get there, which wasn't requested to provide, but I just thought it might be nice as an additional afterthought. But yeah, I didn't really want to post that in the GitHub issue.
I: So I think there's a lot of different ways to say the main piece of what we want Scorecards to start being and already has been becoming. I guess we've got a couple of drafts there. Are there aspects that people like or think we should be incorporating? Are there things that don't make sense? If you've got another alternate draft, I think it'd be a good time to pop that in, but I think looking for things that work and looking for things that don't, and when people call it out, just explaining what aspect of it feels like it's not helping us, or helps us see something more clearly or have more of a clear purpose, I think that would be great in the feedback.
K: That's stated within the Best Practices working group README. I listed that at the bottom under "help build a community". I realized it was not an answer.
G: Well, and that's, at least with the initial proposal that the team had posted where you're talking about the secure development, at least that puts a little bit of a qualifier on it. I don't know what all the checks are that Scorecard goes out and looks at, but if it's primarily around software development practices, perhaps you could adjust that, but you're going to want to probably define what you mean by security posture.
K: I think some of this goes to... it's a bit all over the map, right. There are various components. Some are looking at the presentation mechanisms, right. So if you look at something like CII Best Practices or the OpenSSF Best Practices badge, right. Then there are components that are specific to, I guess, the human interaction, community health. So again, I think the OpenSSF Best Practices badge falls into that as well, as like...
K: Do you have a security policy defined, right? Then there's mention of checks for how we are processing things within the pre-submit environment, right. So are we doing code reviews? Are we looking at the part of the pipeline before code is merged? There's after code is merged. There is the code resting in the repository.
K: I think there are a lot of different vectors that... I do agree that it would be useful to try to distill that into various targets, right. Like, I mean, if you think of CHAOSS, CHAOSS has a working group, Risk, right. They have some definitions there too.
M: So I just wanted to drop an opinion on the security posture thing. This is something I saw on some other tools also. I think other tools use this term called security hygiene, which is basically just like what Stephen was saying.
M: I think we are trying to measure everything, not just static code analysis, but also what kind of code review process does this follow, what kind of best practices does this project follow? I don't have a clear definition, but I guess that's what we are trying to imply here when we say security posture. A term that can be misinterpreted, and I like...
A: Yeah, I think there's some... yeah, with just "assess", there's some unsaid part that the project is building a tool. So yeah, that's a good point. Do we need to say that in the mission or the vision, that there is a tool that you run, or is it just assumed that this project is producing a code base?
C: Well, I feel like there's more than just a code base, right, like you want user adoption, so it's not just about contributing code, you're also cultivating a community that uses the product. So there's like a product; it's implemented in code, but the intention is for it to be useful outside of the confines of its own little binary or source code platform. So yeah, that's why I thought so, I think.
K: Yeah, so I think we're speaking to... I mean, looking at the checks, I'll just read them out really quickly for people who don't have it at hand: binary artifacts, branch protection, CI tests, CII best practices, code review, contributors, dependency update tool, fuzzing, maintained, packaging, pinned dependencies, static analysis tools, security policy, signed releases, token permissions and vulnerabilities.
K: So much of what the current checks are: we're looking at security from the lens of community health. There's so many things here that say, like, is your project maintained? Should I even risk ingesting it, right? And a lot of these are: are the contributors from diverse companies or affiliations, right? Have you done the due diligence to fill out something that would allow you to be badged, right?
K: Are you protecting those assets before they get merged into the main line, right? So many of these things are about community health, right, so are the words that are on the paper right now reflective of that?
I: Something that's standing out to me is that it seems like we've got kind of similar statements, both from the common working group, whose vision I think is a little bit broader, but we could also derive similar things for us from that, and we've got a couple of drafts that are both citing security posture, which seems like it can mean different things. I'm wondering what people think about a vision and a mission for Scorecards that is going to roll up to more of that common purpose, but is going to have just a little bit more specificity about Scorecards itself. Like maybe, instead of using the term security posture, we take within that things that are more specific to Scorecards, as a way to basically say we're united in this bigger vision, but as it applies to Scorecards there's a few more specifics here that we could use.
I: But in my mind, that's one way of structuring it: that we could have the common piece that, just looking at it, it does look like we could be working within, but taking it one level more specific and cross-linking back to it to say it's highly related to this.
I: I just wanted to see what people thought of that approach. I think, from that standpoint too, if we were to put a few more specifics around which aspects of security posture we're talking about, and we plug that into one of these drafts, I'm wondering if that might be sufficient to get us to a little bit more of a specific place, and then we could get into the surrounding language. But to me it seems like that's...
K: Yeah, I think we also started with something we haven't really dug into, which are the user personas, right. We heard from developers of Scorecards, we heard from maintainers of Scorecard, we heard from users of Scorecard, right. I think building around what each of those personas is trying to achieve makes a lot of sense too, right, and can also inform the maintainers on how to proceed. Like, we have lots of discussions around: should we include this check?
K: What should it look like, right? And there's not really a framework to process that, right, but being able to have that: does this align with our mission statement, right, and making sure that the mission statement is incorporating the viewpoints of that developer, that contributor, that...
I: So I just want to see, Stephen, if I was understanding correctly. I think I was hearing a suggestion, or almost a motion, to spend some time focusing first on defining those personas, such that we can then revisit a mission and a vision statement with a little bit more of a way to measure if these are meeting all the goals of those individual personas.
I: So basically, table mission and vision for a little bit and spend some time, whether that's with time remaining or a separate GitHub offline discussion, around what all of those personas are.
K: Yeah, I think that would be useful, and it will go to inform, even ahead of crystallizing mission and vision, the decisions that we make as maintainers, right. I think what happens with fledgling projects, not saying that that is what this is right now, is that you have a core group of maintainers, you're writing some code, you get it done, you ship it, you're like, cool, all right.
K: We wrote some stuff, and eventually, and we're kind of moving into the eventually, where the decisions that we make are gonna reverberate for a while, right. So deciding to merge this piece of code, knowing that maybe it doesn't align to something, right, we haven't defined what that something is.
A: Jeff, yeah, I think I agree. I think, with the mission, it's build something, write some code, build it, ship it. I think the vision is where we... yeah, we definitely should capture not just that we envision that this perfect tool exists, but also how people will use it and in what ways.
A: So not just that it's accessible and understandable, but... I mean, I guess "understandable" kind of implies that a user could use it and get benefit from it. But yeah, a little bit more on what the state of the world is and how we intend those different personas to interact with what we do in the vision. I agree.
K: So I'll give an example, and I'll try to do the story style. As a leader in an open source program office, I would love to have a tool to automate some of the process and procedure in assessing the posture and the safety of releasing open source software, right.
K: If this is something I could eventually roll into my pipeline at Cisco and say: run Scorecard before you even file this request to open source a project; you run Scorecard on it and you tell me what you get, and if it is under this, then go look at the remediation steps and then we'll come back and have a conversation. Being able to bring a tool into the process for the sake of compliance, it would be huge.
I: So with just about 10 minutes left, I'm thinking just in terms of where we go from here. I'm going to put out an idea and, unless there's concern, I think we could go with it, which is: let's start a related issue around different personas as a GitHub issue related to this. Let's get some of those on paper. I think it's worth having an additional discussion around that at a future meeting, and from there I think that gets back to what I was originally hoping to get, which is criteria to assess if we're on the right track with the mission and vision. So I think all of these make sense, but yeah, I guess my proposal would be...
I: We can start a new GitHub issue specifically around creating personas for Scorecards and then make that known to the group, whoever's here and on Slack, to add different cases that they might have in mind, and then at a future meeting let's go through some of those cases, and whatever we can't cover offline we'll do in a meeting.
M: Brian, just to clarify, these are follow-up action items? I think I see we have two action items. One is, like you said, the whole personas thing: I guess we want to list out the different personas, figure out who we want to prioritize, or who are our...
M: ...primary personas that we want to target. And I guess the other action item is this thing you mentioned: have specific wording, or a specific mission and vision which is Scorecard-specific, but also figure out how it rolls up to the Best Practices working group mission and vision. Are these the two action items we have?
A: Not just distilling it to prioritized personas, but let's just take every possible user story and try to list it, and try to define the persona by the user story that Stephen mentioned, where it's like "as a ..., I will want to do this for this". And I think, because a lot of people have different ideas on what a consumer versus a user means, if we have every suggestion as a user story, then it makes it clear, and then with the vision, then we can try to cut...
A: ...come up with a short vision that will cover all the user stories. And I think, just interpolating for Allstar here, I think we'll have the same discussion on what is a posture, so we can have just a single discussion there, but for the user stories, that'll be completely different, so I can have a similar issue for Allstar to put user stories there as well, bring personas.
K: And in addition, I want to make sure that we're not doing this in isolation, right. I think that, given we kind of have this co-community call between the projects where we've already identified that we need to establish definitions for common terms, right, that suggests that it is working-group level, cross-working-group level, TAC level, right. So let's make sure that, as we move down the line with this, we're also bubbling this up to higher bodies.
I: I think that makes sense. With regard to kicking off the personas issue, I do think having a format for how these issues should be written would be really helpful, just so that we can compare them quickly. I was gonna ask Stephen if he would volunteer to kick off.
I: Well, I think at this point we've got clear next steps, and thanks to Azeem for putting those down. Unless there's any parting pieces on the mission and vision, I think if there were any other topics I'll hand it back to Jeff.
A: Yeah, we did want to reserve the whole meeting for this, but with a few minutes left we do have one topic. How to go for it, I think, hopefully we can target that. Godfrey, early on, do I discuss this?
N: Yeah, so I do have a few questions about the vulnerability scanning check on the Scorecards. I'm not sure if it is actually scanning, like, PyPI files or any other files from different... and then grabbing the vulnerabilities from there, or is it something like just the commit from the repository where it is running on?
M: Yeah, it's the second one. We basically look at the commit on which you want to find the vulnerability, and then we look up the OSV database and see if this commit has a reported vulnerability, whether it's open or closed, and that's what we report back.
M: Third-party dependency, you mean like transitive dependencies for the project? We...
M: ...are exploring it, but we don't have a clear picture as to where this should fit, whether it should be a Scorecard check or whether it should be an Allstar policy. We are exploring how to have transitive dependencies, but we don't have a clear picture of when it will be delivered, or rather, where it will fit in.
K: Ahead, this is a great example of: if you ask a maintainer a question, like, can we point to... here is what we were trying to do with that, right. So I think I had mentioned on a previous call that there are certain things that we shouldn't try to build or over-rotate on, and I think one of them is presenting vulnerability information from... instead of populating...
A: Awesome, thanks for that. Parth, did you want to discuss something? We have a minute or two.
F: Before I begin, I want to ensure that I do not eat into the mission and vision meeting time, so if there were more for that... yeah, given two minutes for this particular thing. It's related to our research case study, in which our goal is to get the Scorecard scores for almost all of the existing packages that are there in npm and the GitHub repository corresponding to each package.
F: We ourselves have mapped the GitHub repositories, and in order for your cron scheduler job to pick up those repositories for further scanning, we found out that there was a list of GitHub repositories that needs to be added to the existing set.
F: So I raised a PR yesterday which included the additional GitHub repositories that we found, that we believe would be important to a lot of people. In that PR I was actually requesting what additionally I need to do from my end, because I ensured that I did follow the documentation...
F: ...to achieve the goal of merging that PR successfully, but I am failing in that issue, like I am failing in running that command successfully, and if I get that command to run successfully, then I think you guys can merge that successfully, so it gets picked up in your cron scheduler too, yeah.
M: Yeah, I can give you a very quick overview of what's happening there. So the command that I'm asking you to run, which is `make add-projects`, is a validation command. So if you're failing it, that's because the URLs are not properly formatted. So the idea is either you delete those URLs or fix them, so that the command passes. So it's basically our validation to get it working, but yeah, we can take it on Slack if you're having issues there.
A: Okay, sure, all right, so we're right at the end, and facilitator rotation: I see we have Naveen signed up for next week. Hopefully he'll be here, so we're good to go. Thanks everyone for attending, see you in two weeks. Thanks everyone, later folks.