►
From YouTube: Scorecards Biweekly Sync (April 7, 2022)
C
E
E
A
E
C
Cool
all
right,
so
it
is
three
past
four.
If
you
were
in
the
u.s
eastern
hello,
hello,
everyone
today
is
april
7th.
This
is
one
of
the
bi-weekly
meetings
of
the
scorecards
and
all-star
projects.
This
is
a
meeting
that
will
be
recorded
and
available
on
the
internet
later.
So
please
be
mindful
of
what
you
say
and
do
please
be
sure
to
adhere
to
the
open,
ssf
code
of
conduct,
which
you
know
essentially
amounts
to
be
kind.
Be
awesome.
C
People
be
excellent
to
each
other,
so
yeah,
let's,
let's
jump
into
it.
We
have
a
standing
agenda
which
I
see
some
people
are
commenting
on
we're
moving
some
things
around
jeff.
Let
me
pull
your
update
down
and
okay.
You
already
did
that
cool
all
right,
let's
jump
in
if
there
are,
if
there
are
any
new
folks,
I
would
love
if
you
took
some
time
to
introduce
yourself
to
the
group
and
what
you're
looking
to
do
here.
C
G
G
C
Yeah,
I
think
we
we
we
still
need
to
massage
this
a
little
bit.
I
would
say
that
project
updates
really
fall
into
everything,
that's
being
filled
out
under
open
issues
and
one-off
discussions
in
terms
of
announcements.
I
think
you
know
announcements
will
hit
when
we're
either
getting
close
to
a
release
or
or
releasing
so
we
can
probably
skip
this
section
in
terms
of
road
map
updates,
we'll
we'll
talk
about
that
in
brian
section,
around
mission
and
vision
updates.
So
with
that
said,
sorry
jeff
are
you
about.
G
G
I
mean
I
did
do
a
release
of
all
star
last
week
or
the
week
before.
It's
the
first
release
we've
made
because
it's
typically
just
used
by
people
as
an
app,
and
I
I
have
a
proposal
for
release
process
for
like
a
cadence.
That's
not
been
adopted
yet
so
they're
caught
that's
their
issues.
If
anybody
has
comments
on
that,
but
we'll
we'll
be
making
issues
on
a
rig,
I
mean
sorry
releases
on
a
regular
basis
at
some
point
cool.
So
there
is
a
v2.
C
C
J
J
A
C
E
F
A
F
C
F
E
F
C
E
C
C
All
right,
so
I
don't
have
it's
not.
I
don't
think
it's
a
it's
a
here
announcement
specifically,
but
I
do
want
to
mention
that
which
is
kind
of
cool
we're.
So,
on
the
on
the
kubernetes
side,
we
just
landed
some
improvements
in
our
image
promotion
process
that
will
start
signing
all
the
container
images.
So.
E
C
Hoping
with
the
next,
the
kubernetes
124
release
coming
out-
and
you
know
optimistically
two
weeks
or
less
than
two
weeks
that
those
images
will
be
signed
by
our
image
promoter
and
then
and
then
we'll
start
going
into
the
the
the
fun
stuff
of
trust
delegation
for
separate
teams
and
stuff.
But
yeah
not
really
relevant
to
here.
But
I
did
want
to
mention
it
since
you're
all
hip
and
hip
about
security.
C
So
there's
some
consistencies,
but
they're
not
you
know
so
we're
personally,
not
using
we're
personally,
not
using
the
you
know
scorecard
or
our
all-star
right
now,
outside
of
like
things
that
I
have
run
on
my
local,
we
are
we've
enabled
we
we
have
an
actually.
No.
We
have
enabled
code,
ql
and
and
scorecard
for
the
for
k
release
which
is,
is
you
know
where
we
do
a
lot
of
our?
We
do
a
lot
of
our
release.
C
Engineering
work,
so
there
is
a
we
are
using
the
scorecard
action
here.
As
you
can
see
from
security,
there
are
tons
of
fun
things
to
clean
up,
which
I
won't
click
into,
but
they're
they're
mainly
around
pin
dependencies.
So
there
are
some
some
questions
about
independencies
that
I
think
will
come
with
some
of
the
some
of
the
notes
that
jordan
left
in
slack,
which
I
transposed
into
a
github
issue
for
tracking
but
really
around.
C
A
C
So
in
instances
where
they
may
flag
something
like
from
from
base
image,
that's
parameterized
right,
so
I
think
there's
some
maybe
work
to
be
done
to
recognize
when,
when
images
are
because
we
build
multiple
variants
for
for
all
of
these
images,
so
so
I
think
there
are
some
there's
some
work
to
be
done
to
like
be
like
os
codename
to
to
build
out
this
right.
So
this
is
never
going
to
be
pinned
to
an
exact.
You
know
it's
an
exact
version
and
and
digest.
I
I
I
C
So
I'm
gonna,
I'm
gonna,
pause,
really
quick
and
just
mention
that
that
is
a
similar
to
like
the
hack,
folder
third
party
is
in
google
ism,
and
so
it's
not
necessarily
a
best
practice.
It
is
something
that
has
kind
of
like
spread
into
the
ecosystem
as
a
result
of
usage
in
google.
I'm
just
going
to
call
that
out.
I.
C
That's
a
great
question
and
I
I
don't
think
it
has
an
easy
answer,
because
I
think
it's
going
to
depend
on
the
use
case.
There
is,
I
think
you
know
it
would
be
worthwhile
to
review
the
so
google
has
a
playbook
if
you
will
for
releasing
open
source
code
right,
and
I
think
some
of
it
goes
into
what
to
do
when
you're
dealing
with
third-party
code
right.
C
I
I
believe
one
of
them
is
one
of
the
in
this
case,
the
product
that
I'm
talking
about
is
the
ide
for
for
flutter,
the
intellij
ide,
and
one
of
those
binaries
is
license
a
licensed
binary.
So
I'm
not
sure
how
to
deal
with
that
one,
but
basically,
from
the
chromium
perspective.
The
way
they
do
it
is
they
they
have
something
called
ct.
I
C
So
I
just
linked
in
the
notes
the
the
preparing
for
an
open
source
release,
the
third-party
component
section
from
the
google
open
source
documents.
I'm
not
sure
that
everything
that
you
need
is
going
to
be
there,
because
I
know
that
some
of
that
some
of
that's
also
like
internal
specific,
may,
have
internal
specific
links.
I
C
So
kubernetes
does
some
stuff
like
this
too.
We
have
a
vendor
so
for
core
kubernetes
that
there
is
a
vendor
folder
and
we
do
track.
Is
this?
You
know
if
there
are
forbidden
if
they're
forbidden
dependencies
for
licensing
reasons,
maybe
we
do
track
that
I
can.
I
can
dig
up
links
to
that,
but
yeah
I
would.
C
Right
yeah,
I
think
I
think
the
answer
is.
It
depends
right
there.
You
know
there
are
some
instances
where
you
know
the
dependencies
I'm
usually
looking
at
can
can
be
shipped
in
in
containers.
Basically
right
so,
and
usually
it's
around,
like
tooling
and
and
darcy's
saying
I
know
of
many
bad
practices.
E
E
C
Right
so
that's
a
situation
where
I'm
I'm
probably
going
to
try
to
stick
all
of
that
stuff
in
a
container.
So
it's
not
considered
a
dependency
right
and
pull
the
container
do
that
check
in
in
ci.
Instead,
I
think
I
think
it
it
could
be
worthwhile,
and
maybe
this
is
not
the
time
to
do
it,
but
to
have
a
discussion
on
what
are
the
bad
practices,
and
maybe
we
can
use
that
to
inform
what
what
the
the
better
practices
are
right.
C
G
C
G
Yeah,
so
the
second
discussion,
I
think,
is
okay,
so
I
asked
what's
the
what's
the
best
practice,
and
maybe
we
don't
know
the
best
practice,
but
the
the
the
next
step
is
okay.
Let's
say
I
do
need
binaries.
Let's
say
I'm
following
best
practices,
my
own
best
practice
on
those.
How
do
I
tell
all
star
and
or
score
cards
to
ignore
those
so
for
all
star?
G
G
Clearly
you
know,
as
with
all
software,
we
can
make
it
better
and
have
a
a
list
to
opt
out
whether
it's
you
list
the
files,
maybe
list
the
files
in
the
hashes.
Maybe
you
you
put
a
dot
something
file
like
is
recommended
there.
I
think
all
of
those
are
potential
potential
solutions,
and
I
have
this
issue
here
where
we
can
discuss
it
so
feel
free
to
drop.
Your
suggestions
go
fredo.
There.
C
G
That
in
a
file
yeah,
if
you
have
a
file
with
the
list,
you
get
you
you
have.
You
have
that
list
there
to
kind
of
know
exactly
where
all
the
binary
artifacts
are
in
your
repo,
because
if
they're
not
in
that
list,
then
you'd
be
getting
an
all-star
alert,
but
secondary
to
this
is
that
we
could
do
the
filtering
on
the
all-star
side.
But
we
are
running
the
scorecard
check
underneath
and
I
created
a
second
issue
in
the
scorecard
repo
is,
should
scorecard.
G
Be
able
to
also
have
this
option,
you
know
it
wouldn't
be
on
for
the
for
the
public
results,
because
this
would
be
like
if
you're
running
scorecard
on
your
own
repo,
and
you
want
to
you
know
what
to
ignore
another
option.
I'm
proposing
here
is
that
there
are
certain
well-known
artifacts
that
like,
for
example,
the
gradle
wrapper
here
on
their
own
by
their
own
admission,
there's
2.8
million
github
repos,
with
this
binary
checked
in,
and
there
are
recommended
security
best
practices
like
they,
they
say
on
their
page.
G
This
is
a
vulnerability
like
this
is
a
potential
you
know
vector
of
attack.
You
should
be
doing
these
checks
and
validations
in
your
repo.
If
you
actually
check
this
in
should
scorecards
be
able
to,
you
know,
opt
this
out
specifically
like
this
is
well
known,
binary
or,
and
and
or
should
it
and
if
it
does,
should
it
also
only
allow
you
to
give
you
a
passing
score
if
you
are
also
following
the
best
practices
for
that
particular
binary.
C
Yeah,
I
think
I
think
my
concern
with
all
of
these
things.
Checks
in
general
is
like.
Where
is
like
what
is
the
good
stopping
point
right
for
us
to
like,
like
where
where's
our
responsibility?
Stop,
and
you
know
so
so
there
is
an
element
of
it
like
where
I
feel
hey
like
don't
do
bad
things
to
your
repo
and
and
if
you're,
maintaining
a
repo
you
should
be
in
charge
of
that
largely.
C
I
think
there
are
things
that
we
can
report
on,
but
the
second
we
get
into,
I
think
the
second
we
get
into
here's
this
very
specific
file
right
for
this
ecosystem
that
does
foo
barbaz,
make
sure
it's
not
checked
in
right.
Then
we,
we
sort
of
assume
the
responsibility
of
enumerating
those
files
for
multiple
ecosystems
right,
and
we
spend
the
time
on
trying
to
do
the
enumeration
instead
of
improving
the
checks,
so
I'm
personally
negative,
I'm
personally
negative
one
to
to
specific
files.
H
Yeah
just
to
add
to
this,
I
think
we
had
a
very
similar
discussion
with
oss,
first
and
cluster
first
light
here,
where
you
can't
pin
those
dependencies,
so
they
wanted
an
exception.
I
think
the
outcome
of
that
discussion
was
very
similar.
That
scorecard
should
still
be
probably
be
complaining
about
that,
but
something
like
all
star
or
someone
like
a
client
level
policy
can
say
that
we
don't
care
about
this
scorecard
complaining
about.
C
E
But
by
the
way
the
same
thing
happens,
for
I
think
many
of
these
other
things
yeah.
I
I
actually
I'm
actually
thinking,
and
I
don't
think
anybody
has
necessarily
agreed
to
that,
but
I
think
in
the
long
term
it
would
be
useful
to
have
two
scores.
The
you
know
here
is,
I
accept
all
the
claims
from
the
project
and
the
other
is
I'm
going
to
ignore
the
ignore
files
and
everything
else
and
just
here's
the
raw
score
and
the
the
one
is
basically
more
useful,
the
developers
of
the
project.
C
Yeah
and
I'm
I'm
kind
of
yeah.
I
think
I
think
this
comes
up
for
for
all
of
our
checks,
some
of
the
stuff
that
jordan
logged
in
that
and
that
in
the
slack,
chat
and
issue
reflects
it
as
well,
and
I
think
that
david
you
had,
you
had
filed
something
way
back
about
modifying
scores
based
on
our
tolerance
right.
E
Most
of
our
vulnerabilities
are
of
the
unintentional
kind
and
we're
just
trying
to
steer
developers
who
aren't
aware
of
good
practices
to
do
good
practices
if
you've
got
malicious
developers,
then
yeah,
but
this
this
scorecard
is
not
going
to
find
malicious
code
subtly
hidden
in
inside
there.
That's
just
not
what
it's
good
for.
I
C
Yeah
for
sure,
so
I
think
you
know,
if
you
look
at
the
you
know
like
the
the
hardened
security
steps
for
like
step
security
where,
by
default,
the
policy
will
give
you
audit
and
then
it's
your
responsibility
to
switch
to
block
when
you're
ready.
If
you
look
at
you
know
from
the
all-star
perspective,
you've
got
you've
got
a
few
different
paths.
C
You
can
go
down
right,
you
know,
one
being
you
know,
one
being
log,
you
know
log
issue
or
you
know,
fix
and
and
fix
for
for
the
most
part,
I
think,
is
not
implemented
for
for
many
of
the
the
reporting
pieces.
But
that's
you
know,
I
think
I
think
the
the
permissive
versus
you
know,
full
full-on
block
makes
a
lot
of
sense
right.
I
think
that
we
have
enough
of
the
levers
already
open
to
say
like
this
is
an
exception
right
for
for
several
of
those
checks.
M
H
Yeah,
so
just
to
clarify,
I
mean
laurent
is
working
on
this
feature
where
we'll
just
dump
out
the
true
raw
facts
from
scorecard.
So
basically
you
can
apply
your
own
policy
and
get
whatever
kind
of
change
score
that
you
want.
So
that
way,
you'll
have
your
opinionated
score,
but
you'll
also
have
a
score
from
scorecard.
E
C
Cool,
so
it
sounds
like
we.
We've
got
some
things
in
flight,
some
things
that
still
need
discussion
again.
I
would.
I
would
request
that
anyone
who's
interested
in
working
on
this
or
chatting
about
this
hit
the
issues
on
you
know
on
the
respective
repos
anything
we
need
to
cover
before
we
move
on
to
the
next
topic.
B
C
So
so
yeah,
so
the
idea
would
be
that
we,
you
know
one.
We
produced
the
the
raw
public
score
like
this
is
the
expectation
if,
if
you
had
no
exceptions
to
the
default
policy
right
and
then
there's
another
scenario
where
you'd
produce
the
I've
customized,
this
scorecard
check
and
I
want
to
do
xyz,
I'm
okay
with
certain
things
being
wrong
or
not
to
the
expected
intentions
of
the
default
public
policy
and
have
a
score.
That's
derived
off
of
that
right
so
like
how
to
tweak
the
like.
C
We
want
to
enable
that
and
then
you
know
and
and
then
also
figure
out
like
how
does
the
score
change
based
on
based
on
those
changes
right
if
you've
done
something
that
is
completely
you
know,
I
don't
know
you
decide
that
zero
maintainers
is
okay
for
your
maintainers
check
or
something
like
that
right,
that's
something
that
we
should
still
like:
whoa
whoa,
whoa,
whoa,
whoa
whoa.
I.
C
B
C
A
C
In
so
far
like,
even
with
the
you
know,
even
with
the
you
know,
grading
with
a
curve,
if
you're
still
coming
in
under
a
certain
value,
we
should
say:
hey,
listen,
I
I
know
you
said
this,
but
are
you
sure
and
how
that
works
we
can
discuss,
but
but
yeah
I
would.
I
would
suggest,
leaving
comments
on
these
issues
if
you're
interested
in
that
too.
E
E
E
All
right,
so
I
was
going
to
propose,
but
before
doing
that,
wanted
to
you
know,
raise
the
issue
if
somebody's
already
done
this,
but
earlier
today
there
there's
an
open
ssf
governing
board
meeting
new
rep.
There
is
jonathan
hunt
who
works
for
get
lab
and
right
now,
scorecards
only
works
on
get
hub.
I
I
mean
I've
been
trying
to
convince
try
to
make
adjustments
to
the
scorecards
text
to
at
least
it
isn't
locked
to
get
up,
but
it
only
actually
generates
anything
useful
on
github.
So
I'd
like
to
contact.
C
C
E
C
So,
let's
so,
let's
based
on
that
you're
using
get
and
and
then
I
think
that
you
know
we
we're
going
to
encounter
the
same
problem
that
we
do
with
just
the
the
idea
of
like
I,
like
I
spend
enough
time
working
on
like
these
different
things
that
are
are
like
you
can
stick
a
lot
of
things
into
the
box
and
the
the
the
thing
that
gets.
The
most
support
is
the
the
thing
that
people
have
the
most
context
on
right.
C
So
I
think
that,
because
we
are
on
you
know,
because
we
are
on
github,
we
are
going
to
have
a
natural
bias
to
building
things
for
github.
That's
not
to
say
that
should
be
the
only
thing
that
we
should
do,
but
at
the
same
time,
if
we
are
going
to
build
support
in
certain
vectors
for
git
lab,
then
we
would
would
request
that
we
have.
We
have
support
from
git
lab
in
terms
of
like
not
just
not
just
like.
Yes,
you
should
do
it,
but
also
you
know,
personnel
to
help
out
with
that.
E
I
I
got
that
yeah,
so
I,
but
I
I
think
basically
is
before
I
went
anywhere
because
I
I
was
going
to,
but
I
was
going
to
suggest
I
mean
I
can
go,
send
any.
I
have
the
ability
to
send
an
email,
but
basically
tell
jonathan
hunt,
hey
you
know.
Scorecards
right
now
really
looks
you
know
it
looks
for
data
on
github.
E
C
Exactly
yeah,
so
I
think
you
know
using
making
sure
that
we're
using
you
know-
and
this
goes
into
for
the
for
the
maintainers
who've-
been
having
this
discussion.
What
do
we
do
with
all
of
the
clients?
You
know
the
you
know.
All
of
our
clients
are
maybe
like
not
consistently
written
and
there's
an
opportunity
for
like
here's.
What
the
interface
looks
like
for
this
client
go,
build,
they
go
build.
The
the
gitlab
version
go,
build
the
x
provider
version
of
it
right.
E
C
So
I
yeah,
I
definitely.
I
definitely
agree
I
just
I.
You
know.
I
know
that
because
I've,
you
know
seen
it
in
kubernetes,
you
know,
but
we've
had
like
dex
vulnerabilities,
for
example,
because
we've
got
all
these
plug-ins.
You
know
we
had.
We
had
one
that
you
know
around,
like
xml
validation
for
the
samwell
plug-in
and
and
I'm
like
cool
I'll
help
patch
the
vulnerability.
C
So
as
long
as
we
are,
you
know,
as
long
as
we
can
move
forward
with,
like
you
know
the
promise
that
we
will,
we
will
try
to
deliver
generic
enough
interfaces
for
people
to
implement
on
top
of-
and
you
know
you
know
married
with,
can
we
bring
people
who
have
expertise
of
this
to
help
maintain
it
as
well?
And
I
think
we've
potentially
got
a
good
plan.
E
H
Yeah,
I
I
just
want
to
chime
in,
I
think
what
stephen
said.
Basically,
we
have
interface
which,
which
will
let
us
integrate
with
git
lab.
I
just
don't
think
we
are
focusing
on
it
right
now,
because
you're
just
shot
on
resources,
so
yeah
it'll
be
very,
very
helpful.
If,
if
you
could
get
us
in
touch
with
gitlab
or
someone
from
get
lab,
who's
interested
in
you
know
contributing
here,
we
can
even
look
into
like
adding
them
as
maintainers
if
they
have
contributed
enough.
So
yeah
right.
E
C
So
yeah,
let
me
so
I
think
what
we
should
do
and
I
meant
to
mention
to
the
maintainers.
If
I
haven't
already,
is
that
we
set
up
a
group
for
for
the
project
specific
maintainers.
I
don't
know
if
that
needs
to
be
on.
You
know
if
it's
on
google
groups
or
we
do
it
on
lists
or
groups
that
I
o
or
something
but
like
you
should
be
able
to
send
a
note
to
to
score.
You
know
scorecard
maintainers
and
get
a
response,
especially
as
it
relates
to.
C
So
we
do
have
the
mailing
list
just
to
be
clear.
We
do
have
the
mailing
list
today
for,
like,
I
think,
the
scorecard
scorecard
dev
right.
You
can
use
that
will
hit
everyone
who's
subscribing,
but
like
very
specifically.
If
you
want
to
reach
maintainers,
we
don't
have
a
maintainer
specific
list.
Okay
right
and
we
can,
we
can
out
of
band,
give
you
the
maintainer
addresses
if
you
want
to
keep
the
the
scope
smaller
for
the
meantime,.
K
C
C
Sweet
okay,
so
we
talked
about
the
bad
practices.
Stuff
briefly,
are
all
sources
hosts
and
artifacts
treated
equally
at
the
moment,
I
don't
think
they
are,
and
I
think
it
goes
back
to
that
whole
we
ish
ish
right.
I
think
it's
going
to
depend
on
what
we
have
most
experience
with
and
what
we've
built
right.
C
So
one
of
the
the
issues
that
are
currently
open
from
from
jordan
or
for
me
you
know
proxying
jordan,
is-
is
that
there's
lots
of
experience
on
the
on
the
npm
side
there
right
and
there
is
a
plan
to
publish
best
practices
for
npm
package
management
right.
So
that's
one
example
of
like
once
that
guidance
is
out.
That's
something
that
we
could
integrate
into.
You
know
our
our
systems
right,
the
okay
sequel.
I
might
not
get.
D
A
C
C
J
C
All
right
moving
down
the
list
from
alan
is
there
a
thought
about
stirring
attestations,
certain
checks
being
run
out
of
band
without
needing
manual
overrides
to
bring
the
score
up
great
question?
I
don't
know
that
we
have
an
answer.
The
who
is
who
is
attesting
and
do
we.
You
trust
that
attestation.
L
Yeah,
it's
just
so.
We
have
a
couple
open
source
operating
system
projects
and
I
was
running
the
scorecard
on
them.
I'm
not
too
happy
with
the
results.
So
I'm
like
working
on
some
fixes,
but
there's
some
that
I
I
have
to
get
into
how
the
scores
are
being
created,
but
without
knowing
all
the
details.
Yet
I
was
just
trying
to
figure
out
if
there's
a
way
in
our
other
pipelines
to
bring
like
a
attribute
file.
E
L
L
We
have
partners,
we
work
with
and
they
are
throwing
issues
at
us
that
we
know
we've
solved
already
and
so
there's
a
lot
of
background
noise
that,
while
the
raw
score
is
good
to
know
about
it,
still
causes
churn
on
the
teams
to
to
research
something
or
to
review
a
ticket
that
came
in
that
says,
hey
you
says:
you're
not
doing
any
ci
checks.
We
don't
like
that.
So
what
are
you
going
to
do
about
it
like?
No,
we
do
ci
checks.
C
So
that's
one
thing
to
consider:
if
they're,
if
they're
running
local
checks
versus
against
your
repo,
the
I
think
there
is
a
yeah
there
is
like
what
is
the
remediation
path
for
any
one
check
right,
if
you,
if
you
have,
if
you
have
done
the
right
things
and
your
score
does
not
go
up,
then
that
is
that's
our
problem
right.
That
means
that
we're
not
you
know.
That
means
that
we're
not
exposing
enough
information
for
that
remediation
to
be
counted
right.
C
Okay,
so
so
I
think,
but
but
it's
hard
to
it's
hard
to
generalize
any
one
specific
case
right,
so
it'd
be
helpful
like
when
you
run
into
those
to
file
issues
or
so
look
for
existing
issues,
because
I
think
a
lot
of
these
things
are
are
a
lot
of
these.
Things
are
captured
in
the
repo
and
maybe-
and
maybe
we
haven't
gotten
to
it-
and
maybe
it's
a
great
opportunity
for
you
to
come
in
and
contribute
to
that.
E
E
C
Yeah,
so
I
I
think
that
you
know
for
as
much
as
you're
willing
to
share
like
you
know,
I'm
I'm
sensitive
to
the
sensitivity
as
much
as
you're
willing
to
share
to
you
know,
provide
provide
data
for
us
to
improve
that'd,
be
awesome.
I
you
know
I
when,
when
I
hear
this,
I
think
of
you
know
like
container
image
scanning,
for
example
right.
C
If
you
look
at
trivia,
there
is
a
there's,
a
flag
that
is
ignore,
unfixed
right,
so
so
there
are
instances
where
you
will
have
there's
a
report
of
a
cv
and
you're
like
yes,
I
know
it
exists.
This
is
bad.
I
would
like
to
fix
it,
but
there's
no
upstream
fix
for
it
right.
So
there's
a
scenario
where
you'll
run
the
report
for
your
container
image
scanning
and
you'll
get
a
dump
of
all
these
cves
that
you
actually
can't
fix,
because
they're
not
fixed
on
the
operating
system
level.
Right.
C
So
that's
why
that
flag
exists
and
I'm
sure
that
there
are
scenarios
just
like
that
within
you
know,
within
our
code
that
we
need
to
that.
We
need
to
to
kind
of
guard
against
so
yeah.
Any
any
data
that
you
can
can
provide
from
the
real
world
would
be
super
helpful,
not
to
say
we
don't
live
in
the
real.
A
C
E
C
E
C
G
C
M
M
M
Not
at
all,
you
know
it's
not
ranked
on
importance.
It
was
just
ranked
on
who
opened
the
dock
first,
so
a
quick
plug
following
up
on
on
something
that
I
talked
about
in
our
last
meeting,
which
is
we
have
a
general
need,
as
our
group
is
growing,
to
kind
of
formalize
a
mission
and
vision
just
to
be
clear
on
where
this
project
is
is
going.
M
I
think
these
apply
to
both
all-star
and
scorecards,
so,
if
you're
interested
in
helping
craft,
what
those
are
going
to
look
like,
I
opened
up
a
couple
of
issues
on
each
project
that
are
linked
in
this
doc
tag
yourself
there
if
you're
interested
we'll
kind
of
work
on
the
right
format
to
do
this
kind
of
joint
writing.
I
think
we'll
see
how
far
the
github
issue
can
take
us,
but
we
may
have
you
know
kind
of
a
special
one-off
meeting
for
anyone,
that's
interested
in
writing.