From YouTube: Scorecards Biweekly Sync (February 24, 2022)
B
C
A
F
I
think
yours
is
making
some
noise
here
or
something.
Oh,
this
one's
something
sure.
F
E
All
right,
I
guess
we
can
get
started.
Are
there
any
new
folks
that
want
to
introduce
themselves
on
the
call?
Maybe
before
we
get
started
so
you're.
A
I
am
working
with
the
security
compliance
team
as
a
dev
engineer
and
that's
a
new
role
for
me
and
before
that
I
was
working
as
a
infrastructure
site
fabric
side
and
I
have
around
16
17
years
of
experience
before
that
I
was
in
india
for
for
ten
labs,
arona
and
vyasart
for
telecom
site.
I
was
working
with
them
and
then
this
is
my
new
and
I
was
very
keen
to
start
with
this
open
source
things
and
work
with
the
security
side,
and
I
got
this
opportunity
here
in
ibm
to
start
with
open
source.
A
A
E
Cool
thanks
any
anyone
else
wants
to
go.
I
know
veron
has
a
demo
coming
up.
So
if
anyone,
apart
from
what
wants
to
go.
E
Yeah,
I
think
I
I
don't
see
any
new
folks.
Actually
what
do
you
want
to
get
started?
So
varun
has
a
demo
for
us
about
step
security.
D
D
So
let
me
actually
just
start
the
you
know
demo
and
I
think
things
will
become
clearer.
So
what
we'll
do
is
we'll
use
this
github
actions
workflow.
You
know
as
something
that
you
know
that
that
we'll
sort
of
try
and
secure
and
as
next
steps-
you
know-
I
just
pasted
it
here-
and
I
click
on
secure
workflow,
and
I
mean
this
is
a
different
system,
but
what
it
essentially
does
is
it
adds
this
step
to
the
workflow,
which
is
you
know,
which
is
the
hardened
runner
and.
H
Hey
faroon,
would
you
mind
just
stepping
back
for
a
second
and
kind
of
like
setting
context
for
people
about
what
step
runner
is
before
we
get
into
exactly
the
implementation
details.
D
Sure
sure,
let's,
let's
just
commit
the
switch,
starts
to
run
so
we'll
save
some
time.
So
what
this
says
you
know
this
is
like.
I
said
it's,
it's
essentially
a
purpose-built
agent
for
build
servers.
So
when
you
add
it,
what
it
does
is
that
you
know
it's
essentially
for
security
monitoring
of
the
build
server
and
you
know
in
order
to
both
prevent
and
detect.
D
You
know
security
issues
that
are
targeting
the
build
server.
You
know,
for
example,
things
like
the
code
called
breach
where
credentials
were
exfiltrated
and
so
on
and
actually
I'll
cover
that
as
part
of
the
demo.
D
So
what
it
does
isn't
here
is
that
you
know
in
this
in
this
step
it
installs
this
agent,
so
typically
actions.
You
know
they've
done
some
some
stuff.
Instead,
this
actually
downloads
and
installs
an
agent
onto
the
ubuntu
vm,
which
is
you
know,
which
is
running
this
particular
build,
and
then
it
starts
to
monitor
outbound
traffic
and
file.
You
know
file
changes
and
processes
and
so
on
and
once
the
the
workflow
is
complete
you
can
you
know
you
there's
a
link
here,
so
you
can
click
on
that
and
you
get
sort
of
these
security
insights.
D
You
know,
so
it's,
for
example,
telling
that
when
the
actions
checkout
step
was
run,
you
know
this
was
the
process
that
was
called,
and
this
was
the
outbound
call
that
was
made.
And
then
you
know
when
you
ran,
let's
say
upload
coverage
to
code
cop.
Then
it
you
know,
call
this
process
and
then
it
you
know,
call
these
outbound
endpoints.
D
D
So
earlier
the
egress
policy
was
ordered.
Now
it's
changed
to
block
and
you
know
to
these
endpoints.
So
let
me
actually
go
and
quickly
simulate.
Some
of
the
you
know
some
of
the
previous
attacks.
So
what
we'll
do
is
one
will
simulate
dns
exfiltration,
you
know,
which
was
something
that
happened
in
the
dependency
confusion
attack.
So
let's
see
so
in
here
it's
just
going
to
do
an
ns,
lookup,
so
I'll
copy
this
and
you
know
just
like
in
an
actual
scenario.
This
would
have
happened.
D
D
Right,
so
that's
so
I
just
set
all
of
these
things
up
and
I'll
just
run
this
again.
E
What
what
so
just
just
quickly
in
interest
of
time,
so
while
the
build
runs,
maybe
we
can
in
parallel,
take
questions
it
works
out,
because
I
mean,
if
I
understand,
I
think
at
least
I
get
the
gist
of
what
the
tool
is
doing.
So
I
just
wanted
to
see
if
folks
have
any
questions.
H
So
I
you
know,
I'm
fairly
new
to
github
actions,
because
I
spend
a
bunch
of
time
in
kubernetes
and
they've
got
their
own
doodad
for
that.
But
so
I
you
know
so
we're
we've
got
the
we've
got
the
scorecard
action
right
now.
What
I
see
is
kind
of
a
common
pattern
is,
is
essentially
having
multiple
directories
that
that
execute
different
actions.
So
I
see
the
there's
a
a
note
to
discuss
donating
the
project
to
open
ssf
like
is
that
something
like
curious
about
opinions
like?
E
D
I
mean
so
the
intent
of
you
know
this
would
be
to
to
run
it
actually
as
part
of
some
of
the
existing
workflows.
So
let's
say
there
is
a
publishing
workflow.
You
know
which
is
publishing.
You
know
an
npm
package
or
a
docker
image.
D
So
you
know,
whereas
the
scorecard
action
runs
as
a
separate
workflow
and
you
know
analyzes
the
repository
for
various
different
issues.
This
one
will
not
necessarily
execute
as
a
separate
workflow
but
will
get
added
to
existing
workflows
as
the
first
step.
So
then
it
can
monitor
that
you
know
each
of
those
workflows
did
that
answer.
H
Your
question
so
sorry
I
was
referring
more
in,
like
as
we
start,
the
donation,
the
potential
donation
discussion
more
like
a
code
organization,
standpoint
right,
so
I
linked
an
example
for
code
ql,
the
codeql
action,
a
lot
of
those
like
each
of
those
directories
like
so
analyze,
auto
build
pr
checks.
All
of
those
are
separate
actions
right
so
like
if
it
were
to
be
donated.
I
I
don't
know
what
the
process
is
for
that
but
like
if
it
were
to
be
donated
like
would
that
be
a
consideration
like
could?
J
I
want
to
take
a
step
stab
in
this.
I
don't
know
whether
baron
has
the
thought
process.
We
multiple
things
obviously
can
be
done.
Whether
scorecards
can
check
other
actions
out
of
our
scan
and
say
hey.
You
should
probably
use
the
hardened
runner
and
set
permissions
said
outbound
traffic,
that's
something
that
schoolcat
can
recommend.
J
If
it's
contributed
to
osf
my
twitter,
my
two
cents-
I
don't
know
where
does
it
feel
the
thought
process.
D
I
think
the
question
is
around
the
repository
and
I
think
it
would
make
sense
to
have
it
in
a
separate
repository.
You
know
something
like
ossf
slash
hardened
runner,
because
it
does
something
different
from
school,
so
otherwise
people
might
get
confused
between.
You
know
what
scorecard
does
versus
what
a
hardware,
but
I
don't.
J
H
K
D
K
Oh
no,
I
just
wanted
to
say
that
I
guess
there
are
ways
to
infiltrate
the
token
through
the
github
api,
but
so
basically
to
make
it
even
harder.
You'd
have
to
hook
into
the
the
cause.
You
know
before
it's
even
doing
the
tls.
Unless
you
want
to
man
in
the
middle
of
the
tls
connection
like
if
I
have
the
secret,
I
can
basically
send
it
to
a.
K
D
D
But
essentially
the
whole
idea
is
you
know,
once
you
have
an
agent
running
on
the
ubuntu
vm,
then
you
know
you
can
just
do
a
lot
of
more
stuff
in
the
future
right
now
it
only
does
based
on
you
know,
domains
and
endpoints
not
used
not
not
at
an
http
level,
but
I
think
that's
something
that
can
be.
You
know
done
in
the
future.
C
Yeah,
so
this
is
interesting
stuff
and
I
think
it's
really
valuable
to
be
able
to
obviously
watch
and
especially
you
know,
policy
have
policies
around
outbound
end
coins
during
the
build
process.
So
I
think
the
hardened
server
or
the
hardened
runners
is
generally
a
great
idea.
I'm
wondering
how
does
it
connect
with
scorecards?
C
I
mean.
Why
is
it?
Why
are
we
bringing
it
to
this
particular
working
group
if
the
goal
is
to
get
it
into
the
open
ssf
which
it
sounds
like
this
is
probably
a
good
fit
for
an
open,
ssf
project
looking
at
just
a
quick
overview
of
what
it
does
it,
it
almost
seems
like
it
might
be
a
benefit
for
tooling
or
well.
C
I
don't
know
whether
I
don't
want
the
project
to
get
held
up
in
entering
open
ssf
through
some
procedural
sort
of
thing
right
and
if
there's
a
better
place
to
present
it
such
that
it
can
get
streamlined
through
the
process
more
effectively.
H
Yeah,
so
I
would
say
that
you
know,
probably
I'm
I'm
sure
we
haven't
documented
somewhere
what
the
actual
process
is,
but
I
believe
it
is.
It
would
be
going
through
the
the
attack
for
approval,
so
the
technical
advice.
C
For
the
council,
yeah
and
I've
been
on
several
tech
calls,
and
it
certainly
will
end
up.
There
wasn't
sure
what
the
process
was
before
it
gets
to
the
tech,
whether
it
goes
through
a
working
group
and
if
so,
which
working
group
makes
the
most
sense
to
make
this
move
most
smoothly.
I
So
that's
where
I
think
the
parent
working
group
for
this
one
is,
I
think,
best
practices
right.
We
can
go
there,
but
it's
good
to
understand
like
what's
the
purpose
or
like
do
we
fit
it
out?
Do
we
see
this
fitting
as
a
right
project
for
open
ssl,
and
there
are
some
key
things
which
I
definitely
like
about
the
project?
I
It's
the
remediation
aspects
like
it
doesn't
need
to
be
part
of
scorecard,
but
it
can
actually
plug
in
pretty
well,
which
is
more
around
automatic
remediation
of
ci
cd
workflows
in
some
way
and
scorecards
could
get
a
recommendation
around
it,
which
I
think
it
does.
But
this
is
more
like
an
automatic
remediation
project
that
I
see
evolving.
H
K
G
K
Today,
allow
you
to
set
up
firewall
rules
on
the
on
the
runners
that
they
have
on
the
github
hosted
runners,
probably
not
public,
github,
okay,
because
because
in
the
best
practice
group
there
are
several
faults
from
github.
So
I
guess
they
would
ask
the
question
like
hey.
Why
do
we
need
this?
So
I
think
if
github
doesn't
have
even
this
ability,
that's
pretty
valuable
for
someone
who
wants
to
add
networking
firewall
to
their
runners.
E
So
in
interest
of
time,
I
think
maybe
we
can
move
on
to
the
other
topics.
I
just
I,
I
think
the
stiffens
sorry
yeah
steven's
feedback
on
like
whether
to
integrate
this
with
scorecards
or
not,
is
definitely
pretty
interesting.
Maybe
we
should
take
this
offline,
like
have
a
github
issue
where
we
can
discuss
this,
because
there
is
some
slight
overlap,
so
that
is
actually
one
of
the
reasons
scorecards.
I
even
recommend
step
security.
There
is.
E
G
H
Like
I
know,
I
just
hardened
this
repo,
but
I
did
I
do
this
or
like
we
bumped
this
version
of
go,
and
now
we
have
to
do
blah
like
did
I
do
it
for
all
of
my
repo,
so
the
reason
I
was
suggesting
code
organization
doesn't
necessarily
need
to
be
underscore
card,
but
knowing
that
the
actions
that
open
ssf
produces
flow
through
a
similar
build
process,
build
and
publish
process
right
so
like
if
we.
E
Yeah
yeah
plus
one,
I
think
the
another
consideration
which
is
on
similar
side
is
like
as
open
as
this.
We
should
also
be
mindful
about
how
many
different
actions
we
ask
folks
to
keep
installing.
So,
if
it's
possible
for
us
that
we
see
a
path
to
kind
of
merging
it
and
going
forward
as
a
single
tool
that
definitely
would
be
ideal
so
yeah.
I
think
we
should
definitely
take
this
offline
and
have
a
broader
discussion
there
before
we
move
on.
Does
anyone
have
any
other
questions.
A
Yeah,
just
to
just
yeah
just
to
yeah,
does
it
takes?
Does
it
take
lfs
guitar,
also
in
consideration
any
any
something?
Some
if
we
put
large
data
in
that
that
also
covers,
while
checking
this
runner.
H
Yeah,
I
think
it
would
be
like
trying
to
understand
what
the
use
case
would
be
there
so
like
how
many
repos
are
you
managing
that
have
lfs
enabled?
Are
you
like?
What's
the
like
kind
of
like?
What's
the
what's
the
tie-in
between
the
the
large
files
and
and
the
runner,
I
think
you
know
in
some
scenarios
where
we're,
maybe
not
necessarily
checking,
for
you
know,
say
like
an
all-star
check
for
like
binary
artifacts
right,
maybe
someone's
committed
something,
that's
that's
huge,
that's
sensitive
and
they
shouldn't
have
right.
H
E
Cool
should
we
move
on
to
updates.
Maybe
I
think
I
mean
I
guess.
J
Sorry
yeah
so
updates
by
just
two
weeks.
One
of
the
things
that
we're
doing
is
scorecard
actions
is
primarily
on
shell
script
and
we're
having
a
bunch
of
issues,
especially
writing
tests
that
I
pretty
much
put
in
most
of
that
to
go,
and
thanks
to
raw
and
rawness
cleaning
it
up,
hopefully,
for
some
of
the
things
that
I'm
missing.
That
second
thing
is:
our
bills
are
sequential
one
of
the
things
I
did
is
paralyze
the
belt
down.
You
have
about
30
to
35
items
going
concurrently.
J
I
know
it's,
but
we
are
almost
a
mono
repo.
So
that's
a
reason
on
that.
So
another
one
thing
is
scorecard:
wii
food
v4.1.0
was
released,
bunch
of
updates.
J
That's
one
thing,
and
there
was
a
couple
of
dangling
items
thanks
to
steven.
We
also
addressed
different
about
dependable
volume
issues.
That
was
complaining,
though
it's
not
an
actually
an
issue
issue,
but
because
we
want
to
take
care
of
that
last
last
one
is
we
have
code
coverage
code
cop
installed
across
the
whole
organization.
J
Now
the
good
thing
is
anytime.
There's
a
pr
that
comes
in
the
code
card
will
comment
on
things
that
that
does
not
have
unit
test
or
coverage.
So
that's
a
good
thing
and
we
also
have
good
car
on
scorecards
action.
That's
my
update.
Thank
you.
H
H
Should
do
it?
Okay,
okay,
cool
coco,
I'll
I'll!
Add
that
to
the
contributor?
Yes,
maintainer,
docs
punch
list.
Yes,
so
let
me
let
me
share
my
screen
and
I'll,
because
we
can
do
updates
via
the
project
board
as
well.
So
I'll
walk
you
through
some
of
the
stuff
that
I
did
recently.
H
Yes,
cool
awesome,
all
right
cool,
so
here
is
project
board.
So
one
of
the
things
that
I
do
whenever
I
get
access
to
organization-
or
I
have
access
to
repo
as
I
try
to
create
a
project
board
github
makes
this
pretty
easy.
There's
just
some
things
to
keep
in
mind.
H
I
know
some
folks
were
mentioning
that
github
is
not
necessarily
their
their
day-to-day,
so
they're
not
familiar
with
some
of
this,
so
I'll
I'll
do
the
the
eli
five
right
so
within
so
once
you
have
access
to
an
organization
depending
on
how
the
organization
is
configured,
you
may
so
an
org
admin
can
kind
of
flip
the
switch
on
whether
or
not
users
can
create
project
boards,
as
well
as
repos
and
various
other
things.
H
So
github
is
kind
of
like
two
project
flows,
one
that's
in
beta
right
now
and
another
one
that
has
been
out
for
a
bit.
So
you
can
see
that
there
are
a
few.
H
A
few
project
boards
are
ready.
A
few
are
private,
but
the
scorecard
one
is
not
so
I
will
talk
about
this
real
quick.
So
when
you
create
a
new
project
board,
you
have
the
and
I'll
create
a
test
and
then
delete
that
just
for
the
sake
of
like
cool.
C
H
Project
right
and
description,
the
visibility
of
it.
So
there's
a
cool
piece
around
project
template
and
you
can
choose.
If
you
want
the
you
can
choose
what
you
want.
The
kind
of
automation
flow
to
be
so
this
the
the
scorecards
one
right
now
is
configured
as
automated
kanban,
with
reviews,
so
it'll
set
up
five
columns
or
five
or
so
columns
right,
four
or
five,
and
they
are
to
do
in
progress,
review
and
progress,
review,
approved,
reviewer,
approved
and
done
right.
So
there
are
two
kinds
of
project
boards
within
github.
H
One
is
a
one:
is
an
org
level
project
board
the
other
one
is
a
repo
level
project
board
right.
So
the
the
repo
level
project
board
is
is
kind
of
nice
because
I
think
it
will
automatically
pull
things
into
the
project
board.
H
However,
what
you
get
out
of
an
org
level
project
board
is
that
I
can
go
to
the
configuration
and
settings,
and
so
when
I
can
set
visibility
across
the
org,
I
can
set
default
org
member
permissions,
but
I
can
also
set
linked
repositories
right
so
right
now
I've
got
the
scorecard
scorecard
action
scorecard
web,
app
and
and
all
star
in
here
right.
I
added
all
star
just
to
bubble
up
some
things
that
maybe
cross
cross
project.
H
You
can
also
configure
collaborators
teams.
So
if
you
have
access
to
do
this,
you
can
also
create
teams.
I
created
some
initial
teams
for
scorecard
a
parent
team
that
we
can
assign.
So
when
you
look
at
teams,
you
can
see
that
youtube.
H
If
you
go
to
repositories,
you
can
see
that
that
team
has
access
to
triage
things
on
the
scorecard
repository,
so
I
don't
have
access
to
the
other
scorecard
repos
or
else
I
would
add
them
here
too,
but
that
allows
us
to
default
permissions
for
someone
who
gets
added
to
the
scorecard
team.
So,
like
you
do
some
work,
you
use
triage
work.
You
do
some
review.
You
do
some
approvals.
Eventually,
you
get
that
triage
hat
and
we'll
work
out
what
the
contributor
ladder
looks
like
and
then
from
there
you
know,
we'd.
H
Add
you
to
one
of
these
teams
and
then
the
teams
are
turtles.
We've.
You
know
I've
nested,
a
scorecard
admins
team
and
scorecard
maintainers
team
and
you'll
see
that
if
we
look
at
the
repository
again
this
this
team
has
admin
privileges
and
then
this
maintainers
team
has
maintained
privileges
right.
So
that's
teams,
what's
cool
about
teams
is
that
you
can
also
assign
them
to
project
boards.
H
So
you'll
see
that
the
scorecard
parent
team
has
read
access
and
you
should
probably
just
bump
that
to
right,
scorecard
admin
scorecard
maintainers
admin
and
write
respectively,
right
so
back
to
the
board
any
questions
on
that
before
I
continue.
H
Cool
all
right,
so,
by
default,
when
these
project
boards
get
created,
you
you
get
that
to
do
in
progress,
review
and
progress,
review,
approved
and
then
done
right,
and
you
can
see
that
each
of
these
has
like
a
little
automated
as
blah
right.
So
you
can
hit
the
manage
automation
and
then
configure
how
things
move
through
the
board
right
or
how
they
move
into
that
column
or
out
of
that
column.
What
the
exit
criteria
is,
but
the
entry
criteria
is
at
least
so.
H
What
I
usually
do
with
these
boards
is,
I
also
add
a
backlog,
and
I
reconfigure
so
that
to
do
by
default
is
automated
as
to
do
I
configure
the
backlog
one
to
be
to
do
instead,
because
to
do
you
want
to
be
kind
of
like
these
are
things
that
we're
focused
on
and
and
backlogged
this,
like
we
gotta,
look
at
it,
we
gotta
treat
ourselves
right.
H
So
to
start,
I
grabbed
everything
that
was
in
these
repos,
I
just
tossed
them
in
the
backlog
right
and
I
left
a
few
undone
so
that
we
could
do
this
on
the
call
too
right
so
we'll
see,
things
are
in
scores.
Scores
this
is
scorecard
actions.
I
can
just
drag
and
drop
things
and
we'll
do
some
of
those.
H
H
So
if
I'm,
when
I
get
to
github,
whenever
I
get
to
github
one
of
the
first
things
I
do
is
I
go
to
my
created
and
I
might
sort
by
you
know
recently
updated
see
if
there's
any
progress
on
some
of
these
things
that
I'm
doing
and
then
I'll
try
to
hit
them
from
top
to
bottom,
then
I'll
hit
my
usually
like.
I
get
little
like
very
little
focus
time,
so
I'll
try
to
push
like
if
there
are
updates
to
my
personal
prs
I'll
try
to
push
those
along
before
I
go
into
assigned.
H
Review
requested
and
then
I'll
jump
over
to
mentioned
right,
so
you
know
so
that's
my
workflow
at
least
for
github.
I
don't
really
use
the
the
inbox
because
it
doesn't
have
some
of
the
filtering
that
I
want,
but
from
the
project
board,
you
do
have
this
filter
cards
option
right,
so
something
else
that
I
did
was
I
renamed
the
milestones
from
milestone
v
whatever
to
just
the
whatever
right,
so
I
can
choose
to
so.
H
The
things
that
are
going
to
do
right
now
are
milestone
colon
v4
right,
and
you
can
see
that
it's.
It
will
filter
everything
out
of
the
board
outside
of
just
p4
and
then
I
can
also
do
v5
you'll
see
that
all
the
v5
stuff
is
in
the
to-do
column.
H
Some
of
it
may
be
in
progress
again.
I
didn't
make
assumptions
about
what
the
progress
was
until
we
chatted
about
it
right,
something
great
you
can
do
is
so
anyone
has
access
to
this
board.
They
can
go
to
this
board
and
say
hey.
I
want
to
know
what
is
you
know?
I
think
I
think
it's
space
right.
H
I
want
to
know:
what's
health
wanted
boom
right
and
you
get
an
idea
of
what
what
you
know
where
it's
at
you
know
if
you're,
maybe
a
newer
contributor,
you
want
to
look
at
good
first
issue
and
I
can
drop
this
label
here
right,
really
cool
good
first
issue,
maybe
I
know
I'm
going
to
be
able
to
write
the
code
quickly
and
it's
something
that's
in
the
current
milestone,
so
I'm
like
cool,
maybe
I'll
I'll,
grab
this
right.
Maybe
I
want
to
go
a
little
slower.
Ask
some
questions.
H
Maybe
I'll
grab
something
that's
in
here
right.
Let's
say
this:
handle
copyright
and
handle
copyright
dates
and
headers.
That's
that's
in
progress
because
we
started
to
chat
about
that.
So
rob's,
going
to
work
on
that
right,
so
milestones
are
things
that
you
can
do.
You
can
also
do
you
can
search
by
assignees
so
and
that's
just
going
to
be
your
github
username.
H
If
I
can
spell
my
name
correctly
right
and
I
can
see,
I've
got
some
things
in
progress.
I
can
also
do
there
are
a
few
keywords
for
no.
I
think
you
can
do
no
milestone
right.
So
these
are
things
that
are
not
milestone.
You
can
see
that
there
are
a
few
things
in
progress,
review
and
progress
so
as
they
move
through
your
pr
workflow
for
the
vr,
specifically
right
as
they
move
through
workflows.
H
If
the
pr
is
approved
and
it's
on
the
board,
it'll
it'll
slide
over
right,
it'll
slide
over
to
review
reviewer
approved
right,
so
reviewer
approved,
might
not
even
be
super
useful
to
us,
because
we,
you
know
we're
we're
doing
the
you
know
it's.
We
might
click
auto
merge
on
the
on
the
pr,
so
they're
gonna
pretty
quickly
move
out
of
this
column,
and
it's
done
right
if
they're,
if
they're
tests
are
passing
the
you
can
also
do
so.
Ideally
we
have
things
that
are
milestones
assigned
right.
H
So
one
of
the
first
things
I
would
do
if
we're
kind
of
doing
like
sprint
planning
as
it
were,
is
check
out.
You
know
one
drain
the
drain,
the
existing
milestone
or
drain
the
previous
milestone,
so
we've
got
a
v4
milestone
as
well
as
a
v5
milestone.
We
should
ideally
drain
the
v4
one
before
we
and
close
that
out
before
we
head
to
v5,
but
you'll
you'll
see
that
a
lot
of
these
have
no
assignee
right.
So
if
people
are
working
on
them,
we
should
get
them
assigned
now.
H
Tricky
thing
about
assigning
people
in
in
github
is
that
sometimes
you
need
to
be
an
org
member
to
have
that
assignment
right.
So
that's
something
to
consider
too
and
that
I
think
that's,
maybe
a
larger
discussion
in
terms
of
how
we
handle
org
membership
for
open
ssf.
So
any
questions
on
that
stuff.
C
C
I
had
a
minor
problem
where,
when
I
went
to
look
at
it
because
github
automatically
for
some
reason
dumped
me
into
a
beta
view
of
projects-
and
it
showed
there
were
no
project
boards-
there
was
a
drop
down
in
the
upper
left
right
yeah
and
then
I
said
that
and
it
showed
up.
So
if
you're
not
seeing
it
try
the
other
option.
K
Okay,
I
found
it.
I
found
it.
H
H
Chatting
about
this
settings
like
ammo
right
so
the
settings.yaml
separate
discussion,
but
you
can
see
ben
vicki.
This
may
look
familiar
since
I
did
it
on
the
to
do
group
stuff
too,
but
you
can
see
that,
like
we
have
the
collaborators
listed,
and
this
is
just
this
is
just
a
list
of
the
current
collaborators,
not
not
to
say
that,
like
those
like
all
the
people
listed
need
the
permissions
that
they
have.
H
So
we
should
just
discuss
that,
but
there's
also
a
team
section
right
where
you
can
assign
permissions
by
team,
so
preferably
you're,
doing
a
permission
assignment
via
team
and
for
for
you
to
be
a
part
of
a
team,
you
need
to
be
an
org
member.
H
So
for
a
few
of
you
who
are
maintainers
but
not
org,
members
they're,
you,
you
don't
have
access
to
like
write
on
the
board,
so
we
should
fix
org
membership
as
well,
and
then
this
listing
right
here,
if
we're
running
you
know,
if
we're
running
scorecard
against
ourselves,
we're
you
know
we're
not
doing
a
good
job
because
we've
got
our
right.
Rather,
if
we
had
all-star
enabled
right
it
would
it
would
flag
you
for
having
outside
collaborators
here
right.
E
J
H
Let's
maybe
make
sure
that
we
get
into
discussions
for
like
definitely
for
rob
so
yeah,
it's
something
to
walk
away
with
around
the
copyright
stuff
and
then
go
into
maintainer
discussions.
E
Agree
sure
yeah,
you
can
do
that.
Do
you
wanna
leave
that
I
think
you
have
context
about
the
copyright
header
discussion.
H
Sure
yeah,
so
I
I
pretty
much
always
preface
these
discussions
with.
I
am
not
a
lawyer,
but
based
on
some
of
the
feedback
that
we
we
got
here.
I
think
the
the
question
comes
up
pretty
often
like
you
know
what
what
do
I
do?
I'm
gonna
share
my
screen
again.
So
here
is
a
discussion
that
popped
up
on
one
of
the
issues
and
the
question
was
around
like
hey:
well,
what
should
we
do
with
copyright
headers
right?
So
currently
we
have
it's.
H
You
know
copyright
year
score
security,
scorecard
authors
for
generated
files
in
in
for
generated
files
in
general,
but
specifically
in
in
in
in
go.
They
we
don't
care
to
list
the
year.
So
the
question
overall
is:
do
we
care
to
list
the
year
at
all?
Do
we
need
to?
Is
there
right?
You.
H
So
boom
there's
the
answer
so
and
then
you
know,
and
then
I
I
think,
a
larger
organizational
question
is
we
have
multiple
projects
here
right
so
like
for
an
example,
I
was
working
on
a
pr
and
I
was
pushing.
I
was
refactoring
some
packages
in
scorecard
for
the
sake
of
testing
them
out
in
all-star,
so
I
actually
started
the
refactor.
I
basically
copied
a
bunch
of
stuff
and
started
the
refactor
in
all-star
and
then
just
kept
on
trying
like
that.
H
What
I
realized,
as
a
result
of
that
is
a
few
of
the
files
that
I
created
had
all-star
authors
on
it
instead
right
so
given
you
know
using
as
as
usual,
using
kubernetes
as
an
example,
kubernetes
authors
is
kind
of
like
across
the
board
for
the
project
right,
the
it's
there's,
no
there's.
No
differentiation
between
you
know
some
projects
or
sigs.
You
know
it's
not
kubernetes,
release,
authors
or
anything
like
that.
It's
just
kubernetes
authors
right!
So
the
question
is:
are
we
fine
with
continuing
to
so?
H
E
H
Cool
yeah,
that
sounds
great
absolutely
so.
A
H
A
Yeah
and
sorry
for
it
yeah
so
the
date
the
year
we
need
to
maintain.
You
want
to
say
that.
H
Don't
need
to
continue
so
yeah.
So
concretely,
you
know
just
listing
this
here.
Concretely.
What
you
you
you'll
want
to
do
is,
I
believe
we
also
have
a
check
in
the
repo
that's
using
ad
license
so
ad
license.
As
far
as
I
know,
and
I've
only
used
it
a
few
times
at
this
point
you
can
specify,
I
think,
if
you
do
like
dash
c
for
ad
license,
you
can
specify
exactly
who
the
copyright
holder
is
right.
So
you
do
like
an
ad
license.
H
That's
the
scorecard
authors
right
and
I
I
think
it
has
support
for
not
including
the
date.
So
as
far
as
I
know,
the
existing
behavior
is
that
it.
If
a
copyright
header
already
exists
on
a
file,
it
will
not
try
to
modify
it.
I'm
not
sure
if
there
is
an
edit
option
for
that,
but
that's
something
worth
checking
out.
H
If
the
edit
option
does
not
exist
so
you're
going
to
do
a
few
things
right,
you're
going
to
ensure
that
there
are
headers
on
all
of
the
files
which
I
mean
our
rci
cd
should
already
be
doing
that
and
then
you'll
want
to
check
the
the
workflows
for
the
ad
license
check
itself,
because,
basically,
what
the
adolescence
check
is
doing
is
it's
like
it's
pulling
the
content,
it's
pulling
the
the
ad
license
tool,
it's
running
it
against
the
repo
and
then
it's
doing
a
get
diff
dash
exit
code
right.
H
So
if
it,
if
the
exit
code
is
zero,
that
basically
means
there
was
no
diff.
So
a
it's.
A
test
pass
right.
So
you'll
want
to
edit
that
command
to
to
to
ensure
that
we're
using
the
right.
The
copyright
holder,
okay,.
J
Was
done
with
this
bad,
like
you
should
be
able
to
look
at
like
I
can
point
you
a
couple
of
couple
of
pieces
of
code
where
it
is
so
that
right,
there's
a
workflow
file
that
does
that
so
yeah.
So
that's
yeah
right,
so
you
should
be
so
if
you
go
modify
those
things
and
then
grab
and
replace
without
the
date
it
should.
Probably.
H
H
J
H
J
Yep,
that's
that's
where
it
is
sorry
if
you,
if
you
want
to
look
at
that.
H
Yeah,
so
I
would
drop
the
we
should
we,
we
should
include
the
the
the
the
shell
scripts
test
data.
H
H
You
can
you
can,
if
you
specify,
I
think,
do
I
have
it
on
this
computer
yeah.
If
you
specify
dash
s
it'll
give
you
the
sp
x,
identifier,.
J
Ticket
circuit
item,
so
that
we
don't
want
zara
to
actually
overload.
H
Yeah
yeah,
so
I
mean
well
here's
the
thing,
because
you're
going
to
be
doing
the
greps
anyway
it
you
know
this
is
you
know
the
adding
the
spdx
for
new
files
is
just
adding
the
dashes
flag
somewhere
right
and
if
you're
gonna
be
doing
the
graphs
anyway,
you
might
as
well
add
the
spdx
identifiers
right
yeah.
So
so,
just
to
start
just
to
start.
A
Okay,
I
may
need
more
information,
while
doing
it
I'll
ask
you
yeah.
A
E
A
C
J
If
you
read
through
the
makefile,
the
makefile,
that's
all
the
targets
so
like
as
eve,
and
I
have
spent
too
much
time
on
a
big
file
trying
to
address
everything.
So
you
can,
you
can
read
through
the
makefile.
Also
has
decent
number
of
comments.
So,
if
you
don't
make
help,
it
should
give
you
all
the
stuff
that
requires.
H
For
for
context,
for
for
folks
I'll
do
another
screen
share
and
show
it
off
real,
quick,
the
I
think
it's
release
at
least
details.
Oh.
K
H
Yeah,
so
it's
it's
not
everywhere,
but
for
the
newer
repos,
what
I'll
do
is
I'll
have
this
one
has
like
a
baseline
mage
file
and
it's
just
doing
the
the
execute
of
the
main,
but
the
the
mage
file
itself
is
basically
it's
meant
to
replace,
make
a
make
file
right.
So
you
can
what's
great
about
it.
Is
you
can
write
the
same
way?
You
normally
would,
if
you're,
if
you're,
normally
writing
and
go,
but
I
am
so
like
and
then
you
can,
you
can
build
up.
H
You
know
libraries,
you
can
build
a
separate
package
for
it,
which
is
pretty
cool
check
for
dependencies
and
stuff
like
that.
So.
E
Yeah,
that's
pretty
cool.
We
should
probably
consider
it
actually
at
some
point,
because
that
makefile
seems
to
be
just
keep
growing
and
growing.
Yeah.
E
Cool
we
have
about
seven
minutes.
I
I
quickly
wanted
to
see
folks
folks
want
to
discuss
the
v5
milestone.
I
just
want
to
get
some
consensus
on.
If
people
are
folks
things
can
I
can
I
yeah
there?
Is
there.
J
L
So
appreciate
checking
in
I
I
saw
on
the
agenda.
We
were
going
to
just
give
a
couple
of
updates
on
the
scorecards.dev
site,
but
I
also
joined
a
couple
of
minutes
late,
so
I
I
didn't
didn't
want
to
rehash
something
if
it
already
come
up.
E
Yeah
right,
I
know
it
sorry,
I
can
quickly
get
the
contacts,
so
I
was
hoping
david
wheeler
could
join
us
today.
So
we
we're
kind
of
waiting
on
david
to
kind
of
unlock
us
on
getting
us
the
domain
so
yeah.
So
that
was
the
only
thing
to
discuss
about
the
cycle.
J
E
Yeah,
we
are
not
blocked
on
it
as
such.
That's
why
I
didn't
want
to
like
also
ping
david.
I
know
he's
kind
of
on
vacation
and
not
really
responding
to
me
email,
so
yeah.
I
can
get
him
talk
to
him
some
other
time
cool.
Should
we
discuss
with
myself
yeah.
H
So
I
I
think
the
the
first
thing
I'll
mention
about
v5
is
that
so
so
one
we
should.
We
should
walk
into
ideally
we're
walking
into
to
v5
with
you
know,
with
a
release
process
documented
and
all
of
the
maintainers,
with
the
appropriate
access
to
the
repos
and
stuff
like.
C
E
Yeah,
I
I
I
definitely
like
the
idea
of
having
a
well-defined
release
process
for
v5.
I
I
just
wanted
to,
like
you,
know,
open
up
the
board
and
ask
folks
if
this
seems
too
much
work
for
wifi
or
if
people
want
to
hide
more
things
on
it.
Like
you
mentioned
the
release
process,
you
know
if
it
looks
good,
we
should
probably
they
can
create
a
milestone,
agree
on
it
and
then
kind
of
start
working
on
it.
E
H
We've
got
the
milestone
open.
What
I
would
say
is
that
I
think
being
able
to
set
a
date
for
it.
If
we
know
when
v5
is
going
to
be,
then
we'll
we'll
get
a
better
idea
of
capacity.
E
H
Also
in
as
part
of
the
the
process,
I
would
like
to
do
some
configuration
around
like
release
notes,
because
we
can,
I
think,
in
terms
of
I
think
I
think,
it's
possible
for
me
to
just
template
again
floating
over
to
kubernetes
repo,
but
we
have
a
so
for
kubernetes.
We
have
a
release,
notes
tool.
So
when
I'm,
when
I'm
creating
a
release,
I
basically
run.
I
do
the
auto
generation
of
the
github
notes.
H
First, because it gives you some nice doodads, like the contributors list and the changelog, but for the release notes tool in Kubernetes, you can specify, like, from SHA to SHA, and if you're tagging, you know. So we're using kind labels in Kubernetes at least, right.
H
So it's looking for these kind labels, but I think you can specify what labels a thing has, and maybe what we can do is do auto-assignment of the labels based on the conventional commit emojis, or use the emojis to filter things into these buckets, right. So I'm able to look at, like, you know, so to kind of do the side by side.
H
Right, of, you know, one example of Kubernetes release notes, and this is actually what we use for the changelog itself on Kubernetes, right. So if we look at the Scorecard changelog for 4.1, this is good because we're doing squashes, so it's kind of like a singular idea, but the reason we prefer these for Kubernetes at least is there's no guarantee.
H
So basically what's happening in this template is the same questions we'd ask, the same questions we asked kind of for the issue template for OpenSSF. The only change is that, well, one, there's the slash commands for the kinds and areas, but also there's a code fence block that says "release note", right, so.
C
H
So if I say "release note none", you know, if I label something as release-note-none, I can just write "none" into this block and the bots will figure out that it's no release note. But if there's content in the code fence, when I run the tool against the PR it will pull that content out. So this gives maintainers an opportunity to write something that is reasonable, like something that people need to know, like.
G
E
Sorry, now I just want to say, yeah, I mean Scorecard has been looking for something like this for a long time. I mean we've been kind of struggling with, you know, how to do these neat release notes and also automate it in a nice way. So if you don't mind, if you could document this for us, like something we can follow as a process, that'll be very, very helpful.
E
I mean I'm completely on board with following such a process if it makes our releases easier, but I think we all need a way, like a document to go to and say, hey, this is what we need to start doing from now on, yeah.
H
Is that because, I'm sure that, like, one, not everyone has access to do a release, and two, so like, yeah, that's, you know, so one of the things on my list is ensuring that I have access to each of the Scorecard repos. And I know there's also discussion about maybe or maybe not what happens with the cron stuff, like, do we want it to continue being in the repo.
E
E
Easier, but yeah, let us know if we can help you, or if you need any kind of permissions or anything of the sort to do this year, like it'll be very useful to kind of have this process set up for at least a few Scorecard repos that we have, like scorecard actions or even scorecard, just to start with.
H
Yeah, so I think, going back to the board real quick. So if we can do this, so if the teams, if you can add the parent team as triage for all of the Scorecard repos, and then also add the admin team as admins and then the maintainers team as maintain, that'll give me access.
E
Okay, I can do that right now. Let me just do it right now, once this meeting is done.
C
E
I think I'm good. It sounds like the consistency seems to be... most people probably don't have any comments on the stuff already there. We can add an extra issue there talking about how we also want to have a well-defined release process, and maybe that should be good to go for v5.
H
All right, cool. We should also make a decision about semver, only because I've seen some things pop up recently, it'd be nice. So again with Kubernetes, like, you can flag, you know, if you have an OWNERS file, you can label things automatically.
H
So there's certain instances where we may label certain directories as, like, API changes, right. So at the point where something triggers an API change, we should say, like, hey, this is, you know, because we let out the logging in 4.1, but that's really a breaking change for people, so that should have been a five, you know, release.
E
Yeah, yeah, that makes sense. We should probably put out some docs, like Lauren said, saying maybe we don't have, or at least we don't support, breaking changes or backward-compatible changes in using Scorecard as a library, or we should actually make.
H
We should do it, we should do it, yeah, because I think, you know, whenever you see a semver-compliant tag, the immediate assumption, and maybe it's the wrong assumption, but the immediate assumption is that the repo is actually adhering to semver, right. So we should strive for that if we're going to use some.