►
From YouTube: Scorecards Biweekly Sync (July 13, 2023)
A
B
C
C
C
C
D
D
E
C
All
right
with
that,
we
can
jump
into
things,
so
it
doesn't
look
like
we
have
any
announcements.
I
did
miss
last
sync
I,
don't
see
it
scorecard.
Vae
11
came
out
a
little
bit
ago,
which
you
know
had
some
things
in
the
patch
notes,
but
leads
me
into
the
first
agenda
item
and
that
was
sort
of
a
change
in
how
two
of
the
checks
work,
where
sometime
between
V10
dot
I
think
it
was
four
and
v11.
C
There
was
a
change
in
a
check
that
for
gitlab
made
no
sense
so
gitlab
didn't
support
the
notion
of
GitHub
workloads,
understandably,
and
how
GitHub
token
permissions
work.
So
there
was
this
PR
that
basically
changed
it
to
say
that
if
you
don't
have
any
GitHub
workflow
files,
then
we're
going
to
return
a
minus
one
score
for
repositories
that
were
on
GitHub.
This
meant
that
the
score
now
dropped
from
a
10
to
a
negative
one.
C
Yeah
so
David
in
chat
says
that
we
say
the
score
is
zero
to
ten,
so
negative
one
doesn't
make
sense.
Traditionally,
we've
used
it
for
when,
like
we
either
don't
have
enough
information
to
score
a
particular
check
or
if
there's
some
sort
of
error
that
prevents
us
from
doing
the
analysis.
So
this
might
be.
A
C
C
A
C
Also
so
like
historically
when
it
was
just
GitHub,
it
was
how
trustworthy
is
your
GitHub
actions,
because,
like
people
still
used
Travis
or
Circle
Ci,
or
something
like
that
and
I,
don't
think
we
ever
like.
That
was
to
my
understanding,
not
the
part
of
the
check
because,
like
I
I'd
have
to
get
input
of
someone,
that's
been
on
the
project
a
little
bit
longer,
but
I'm
proceeding
under
the
basis
that
it
was
just
to
look
at
GitHub
actions.
G
Support
you
there
Spencer,
like
the
the
point,
is
to
check
to
see
if
you're
doing
something
wrong,
not
to
check
if
you're
doing
everything
right.
So
it's
it's
really
just
for
the
the
things
that
scorecard
knows
about.
Are
you
doing
anything
wrong,
so
yeah
somebody's
using
Travis
if
somebody's
using
whatever
CI
it,
wouldn't
give
you
a
bad
score,
but
it
also
wouldn't
give
you
you
know
and,
and
that's
just
the
the
extent
of
scorecard's
knowledge
and
then
it
would.
G
G
C
Yeah
and
the
way
scorecard
scores
right
now,
there's
not
sort
of
a
great
answer
of
what
happens
because,
like
the
aggregate
score
is
based
on
all
of
the
checks
and
if
we
continue
to
say
you
have
no
GitHub
workflows,
so
everything
is
a
10..
You
know
that
sort
of
vacuously,
true
that
will
sort
of
boost
up
your
score,
but,
as
jogo
mentioned
in
the
issue
thread,
if
you
say
you
know,
you
have
no
workflows.
I
can't
really
give
you
a
score
based
on
this,
then
that
inflates
the
weight
of
all
the
other
checks
as
well.
H
Yeah
I
was
immediate
reacting
to
the
hey.
We
tell
everybody
that
we
give
score
everything
zero
through
ten,
so
it
should
be
at
the
very
least.
We
should
fulfill
our
promises
and
score
it
0
through
10..
As
far
as
the
hey.
What
do
you
do
when
you
don't
know
I
mean
that's
always
been
a
challenge,
and
you
know
in
in
one
additional
Quirk
I
should
add.
Is
you
know
some
systems
may
use
multiples.
I
mean
I
will
point
out
the
best
practices
badge.
We
use
GitHub
actions
for
a
couple
things.
H
I
think
it's
defensible,
but
then
we
need
to
say:
hey
we
didn't
detect
it.
You
know
you
might
have
one.
We
just
don't
see.
One
see
I
see
a
CI
pipeline,
but
you
have
a
problem.
I
can
see
it.
You
know
a
certain
score
at
that
level
and
more
generally,
I
think
we
always
want
to
have
the
higher
level
description
in
the
scorecard,
the
more
General
description
and
then
within
the
scoring
in
more
details.
Hey
you've
got
a
pipeline.
It
has
these
kinds
of
problems
the
score,
because
you
know
hey.
H
C
A
J
H
J
But
if
an
expert
in
circle
CI
wants
to
come
in,
say,
here's
what
a
dangerous
workflow
looks
like
at
Circle,
Ci
or
I
think
some
of
the
gitlab
people
who
have
more
experience
with
that
would
be
like
this
is
what
a
dangerous
workflow
looks.
Dangerous
pipeline
looks
like
in
gitlab.
That's
certainly
with
a
scope
of
the
scorecard,
and
we
we
should
do
that
and
the
the
reason
I
believe
that
a
inconclusive
result
is
suitable
in
the
case
where
we
don't
find
workflows.
C
Yeah
I
think
that
argument
is
a
lot
easier.
Sorry
Pedro,
real
quick
if
we
had
structured
results
now
sort
of
thing
where,
if
we
could
say
this
is
the
GitHub
sort
of
check,
then
returning
minus
one
makes
sense.
I
I
think
you
know
you
bring
up
a
good
point
that
right
now
the
check
is
dangerous
workflow
and
we
can't
evaluate
it
in
the
sense
of
if
this
is
a
git
lab
or
a
GitHub
project
and
I.
Think.
H
C
I
Yeah
I
know,
and
but
just
like
giveaway,
like
raghav
mentioned
of
like
we
might
include
dangerous,
CI
CD
on
other
platforms,
the
minus
one
becomes
more
explainable
becomes
more
defensible.
Shall
we
say
in
in
that
regard,
because
then
it's
a
minus
one.
Now
and
then
we
add
information
on
Travis
in
tomorrow
and
then
the
minus
one
becomes
a
real
score.
I
That
is
more
natural.
Shall
we
say
than
you
get
a
10
out
of
10
and
then
we
add
Travis
tomorrow
and
your
10
out
of
10
becomes
a
zero
that
becomes
a
bit
that's
a
bit.
I
might
feel
a
bit
weirder.
Shall
we
say
in
terms
of
hey.
If
you
couldn't
judge
my
dangerous
workflow,
maybe
you
shouldn't
have
been
giving
you
the
points
all
along,
so
I,
don't
think
anyone's
going
to
be
currently
complaining
about
getting
a
10
out
of
10.
C
So
I
mean
it
sounds
like
there's
some
votes
both
for
and
against
I'd
be
curious
to
get
laurent's
opinion.
As
you
know,
we
work
towards
structured
results
on
if
we
just
maintain
the
status
quo
for
now
on
tens
and
then,
if
structured
results,
are
you
know
six
months
out?
Does
that
change
sort
of
the
discussion?
F
C
Know
a
point
boost
and
do
certain
repos
get
Point
boosts
for
either
choosing
to
or
choosing
not
to,
but
yeah.
Thank
you
for
those
that
left
comments
in
the
issues.
I
I
think
it's
hard
to
make
I
guess
a
conclusive
decision
with
only
two
maintainers,
but
thank
you.
Everyone
for
comments,
so
I'm
happy
to
move
on
to
the
next
issue.
Pedro.
I
If
that
has
happened,
one
solution
is
to
instead
of
looking
at
the
PRS
or
as
well
as
looking
at
the
PRS
is
looking.
If
the
project
has
the
dependabot
yaml
file
the
settings
file
for
the
pendabot,
but
that
file
isn't
strictly
required
for
the
pendabot
to
run.
You
only
need
that
the
depend
about
yaml
file.
If
the
project
wants
the
consistent,
frequent
dependabot
version
bump
PRS.
I
However,
a
project
might
not
want
that,
and
only
opt-in
for
what
they
call
the
dependabot
security
updates,
where
dependabot
will
send
a
PR
to
fix
dependencies
having
known
vulnerability,
and
if,
if
you
have
a
product,
only
opts
in
for
security
updates,
it
doesn't
need
a
depend
about
the
ammo
file.
So
the
question
that
ends
up
happening
here
in
this
issue,
especially
further
further
down,
is,
should
we
should
it
be
like?
A
H
I
Yeah,
the
the
current
setup
for
dependency
update
tool
is
the
second
one
of
looking
at
DRS
and
how
mistaken
it
only
looks
for
like.
Are
you
receiving
the
pendabot
update,
dependent
Bots,
for
example,
or
renovate
bot?
Whatever?
Are
you
receiving
those
PRS
I'm,
not
sure
if
it
looks
at
whether
they're
merged
or
not,
but
just
like?
Is
it?
Do
you
have
it?
I
So
we
don't
have
that
signal.
Unfortunately,
as
far
as
I
can
tell,
and
so
the
file
would
give
us
a
cheap
way
of
figuring
out
that
of
skipping
that
whole
thought
process,
but
it
also
is
forcing
people
to
accept
version
updates
instead
of
just
security
updates,
which
is
I
think
probably
closer
to
the
spirit
of
scorecard.
C
I
I
don't
think
it
has
to
be
an
either
or
kind
of
thing
where
a
project
can
just
sign
up
for
depend
about
security
updates
like
they're
doing
now,
and
we
do
attempt
to
look
for
it
in
recent
PRS.
It's
just
if
a
project
isn't
happy
that
you
know
hey
I
have
depend
about
installed,
they
can
go
out
and
create
I'm
curious
if
even
like
an
empty
dependabot.yaml
Works,
where
you
know
you
don't
sign
up
for
anything
but
I,
I.
Think
in
the
thread
I
can
change
my
tab
back
to
it.
C
I
was
sort
of
suggesting,
like
a
repository,
can
add
a
dependabot.yaml
to
say
yes,
I
am
actually
using
this
sort
of
thing,
so
I
I,
don't
know
if
too
much
is
required
to
be
changed
on
the
scorecard
side
other
for
other
than
the
issue.
You
mentioned
that
this
project
three
years
ago
used
depend
about
once
and
then
turned
it
off
sort
of
thing.
C
So,
at
least
to
me
what
makes
sense
is
some
sort
of
look
back
with
a
window
which
will
hopefully
get
rid
of
those
false
positives,
but
may
introduce
false
negatives,
in
which
case
the
solution
would
be
potentially
adding
an
extra
file,
which
kind
of
sucks
and
scorecard
has
this
problem
every
now
and
then,
where
we
don't
detect
everything
and
we're
working
towards
user
specified
remediations
or
like
saying
no,
no!
No!
This
is
why
that's
not
accurate,
but
we're
not
there
yet
so
in
the
meantime,
I
I
think
are
you
just
seeing.
I
I
C
I
think
that's
why
I
opened
the
check
doc?
Assuming
you
know,
the
docs
are
accurate,
which
they're
not
I,
guess
the
purpose
of
the
check
is
to
see
if
you
use
a
dependency
update
tool
and
If
part
of
this
says
out
of
date.
Dependencies
make
you
vulnerable
to
flaws
and
dependabot
is
giving
you
security
updates,
then,
to
me,
as
written,
requiring
a
file,
that's
not
necessary
for
what
the
tool
is
trying
to
check
wouldn't
be
necessary.
C
If
we
want
to
add
like
a
recommended
like
hey,
if
you're
using
this
but
you're,
not
we're
not
picking
it
up,
here's
something
you
can
do
as
a
hint
I
think
that
works,
but
I'd
be
curious.
If
someone
feels
strongly,
if
saying
you
know
the
point
of
a
dependency
update
tool,
isn't
just
for
security
updates,
but
also
blah
blah
blah.
H
I
I,
let
me
I
certainly
encourage
updating
in
general,
because
if
you
don't
update,
it
gets
harder
later
on
when
there
is
a
security
update
but
I'm
a
little
hesitant
to
press
the.
You
know,
please
keep
your
everything
updated
at
all
times,
because
there
are
cases
where
you
can't
update
I'm
thinking,
particularly
of
a
case
where
there's
some
software
components
that
we're
licensed
to
a
non-open
source
software
component.
C
H
H
Two
minds
on
this
I
do
think
in
general.
It's
wise
to
update
I
also
do
think
that
you
want
to
prioritize
the
important
ones
whatever
that
means
for
the
bigger
projects.
It's
a
little
over
Dependable
could
be
a
little
overwhelming
if
you
actually
enable
it
for
all
versions,
I'm
pretty
sure
we
only
enable
it
for
the
security
vulnerabilities,
for
example,
so
best
practices.
H
I
guess
we're
on
firm
ground
on
asking
people
to
you
know,
make
sure
you've
been
automated.
You
have
automated
enabling
of
security
vulnerabilities
and
you
know
encouraging.
You
know,
push
the
button
and
update
the
question
here
is:
should
we
broaden
that
to
just
you're
out
of
date
period
as
a
warning.
C
K
H
H
C
C
I
I
G
I
Ago
and
you
don't
have
the
dependent
body
ammo
file,
we
don't
know
if
this
thing's
still
running,
but
maybe
it
is
so
we'll
give
you
a
couple
of
points
we
kind
of
give
the.
If
they
don't
have
the
file
we
give
them
fewer
points
as
time
goes
on,
as
we
lose
confidence
that
they
actually
have
depend
about
turned
on,
like
it's
a
clunky.
A
I
I
That
I
yeah
I
have
no
idea,
but
I
wouldn't
be
surprised
if
what
it
means
is
that
it
runs
as
like.
It
runs
the
the
scan,
which
means
nothing,
but
if
you
have
the,
but
if
you
have
it
active
for
version
updates,
which
is
what
you
would
with
the
Dependable
with
the
yaml
file,
you
also
have
it
active
for
security
updates.
So
it
actually
might
be
that,
having
like
a
blank
file,
also
automatically
puts
you
in
for
security
updates
as
well,
but
haven't
texted.
It
so
can't
be
sure
foreign.
H
I
Yeah
so
I
mean
the
things
I
depend
about
is
a
specific
case
because
with
renovate
and
the
other
ones
they
are
like
config
as
code
like
renovate,
you
can
usually
identify,
and
actually
you
can't
actually
I'm
I'm
I'm
wrong
right
depend
about
it.
Renovate's
actually
activated
on
the
account,
not
on
the
that's
true,
never
mind.
We.
C
H
Okay,
but
you're
still
looking
for
it
and
again
you're
you're,
just
looking
for
evidence
right.
If
you
have
evidence
hooray,
you
get
some
points
so
we're
just
looking
I
mean
this
is
just
no
different
from
the
other
Checkers.
It's
you're.
Looking
for
evidence,
I
mean
same
for
gymnasium
on
the
get
lab
side
right,
I,
don't
know
if
that's
being
looked
for
today,
but
you
could
certainly
look
for
it
at
some
point.
C
H
J
H
H
I
think
the
the
coming
bound
to
the
brass
tacks,
though
the
whole
point
is
if
there
is
a
vulnerable
dependency,
we
want
there
to
be
automated
reporting
and,
ideally,
automated
repair
and
the
only
indicators
we
have
are
pull
request,
merge
requests
and
the
pre
and
a
yaml
file
which
may
have
to
be
more
than
empty.
Depending
on
the
results
of
your
tests.
The
empty
dependency
case
is
actually
easy
put
in
the
ammo
file.
H
I
C
But
you've
done
your
CI
CD
on
another
system
sort
of
thing,
and
it
would
be
easy
if
we
had
structured
results
because
we
could,
you
know,
say
not
applicable
or
something
like
that.
But
in
the
current
framework
like
does
it
make
a
difference
where,
like
a
gitlab,
repo
gets
a
minus
one,
a
GitHub
repo
gets
a
10.
But
what,
if
you
have
your
CI
in
a
different
system?.
L
C
C
L
L
The
score
yeah
I
think
even
for
gitlab
I'm,
not
sure
that
minus
one
makes
sense
because
minus
one
means
inconclusive,
which,
which
means
I,
think
we
we
don't
know,
I,
think
what
we're
looking
for
is
like
a
new
one
that
says
not
applicable,
which
is
basically
a
yeah.
So
I
guess
I.
Guess
that's
my
first
reaction
about
the
minus
one.
Maybe
it's
not
a
problem
in
practice
when
we
compute
the
score,
I
haven't
thought
enough
about
it
and
on
GitHub
yeah.
L
L
C
I
I
I
think
it's
something
you
know
before.
We
move
structured
results
to
a
release,
kind
of
thing
we
should
say
and
I
I
think
we'll
see
this
as
we
migrate
more
more
checks,
I
I
think
the
only
action
item
for
right
now
is
sort
of
getting
a
maintainer
majority
on
If.
Part
of
the
scoring
change
should
be
reverted
if
this
is
just
something
that
we're
going
to
deal
with
until
we
have
structured
results,
I
don't
think
that
has
to
be
right
in
this
meeting.
C
L
Yeah
sounds
good,
so
just
at
a
high
level,
I,
don't
think
waiting
for
structured
results
is
necessary,
because
anything
that
structured
result
does
is
really
just
reusing.
It's
reformatting
the
output,
but
it's
the
scoring
is
happening
independently
of
the
structured
results,
so
anything
that
any
scoring
we
would
change
I
think
wouldn't
affect
the
structured
result.
It's
just
that
the
scoring
will
happen
on
the
structured
result
instead
of
happening
on
the
Raw
results.
L
C
Yeah
I
mean
I
think
there's
some
interesting
like
major
version.
This
is
how
we
change
scorings,
like
does
it
make
sense
to
change
How
We
Do
scoring
significantly
in
the
middle
of
E4
like
right.
Now
we
have
zero
to
ten
with
a
minus
one
if
we're
not
applicable.
So,
at
least
in
my
mind,
as
long
as
we're
on
V4,
that's
sort
of
what
we're
sticking
to.
F
Yeah
I
thought
I'd
just
take
an
update
that
Steven
put
in
slack.
It's
also
generally
my
update
building
off
of
the
road
mapping,
I,
guess
presentation
or
what
I
I
talked
about
in
our
last
meeting,
for
just
what
at
least
at
Google,
we
were
committing
to
and
the
feedback
from
the
group
to
build
a
broader
Community
road
map,
I'm
gonna
be
chatting
with
Stephen
and
Adrian
Markham,
who,
if
you
haven't
met
yet
is
a
is
a
new
TPM
for
the
openssf.
F
So
if
you
remember
from
the
previous
meeting,
Stephen
volunteered
to
kind
of
walk
through
how
some
other
projects
built
up,
Community
road
maps
with
me-
and
so
we
delayed
that
a
little
bit-
and
it
just
happens-
that
patreon
is-
is
looking
at
a
very
similar
thing
across
a
lot
of
different
projects.
So
the
three
of
us
are
gonna,
just
have
a
discussion
about
what
that
can
look
like
and
then,
hopefully
for
next
meeting.
L
Time
zone
I
think
someone
said
they
would
share
a
doodle
or
or
something
equivalent.
I
was
I
just
wanted
to
to
follow
up
because
I
know
this
thing
just
slip
through
the
cracks
and
then
we're
going
to
forget.
But
just
I
was
just
curious.
If
anyone
has
updates
on
whether
something
was
shared
on
slack
or
anything,.