From YouTube: Scorecards Biweekly Sync (April 20, 2023)
A: All right, we're about two minutes in, so why don't we go ahead and get started? My name is Brian Russell. I am product manager on Google's open source security team. I work with a few different projects in the OpenSSF, including Scorecards. I'll be facilitating today, and I just want to thank you all for coming.

A: If you haven't attended one of these meetings before, there is a document attached to the meeting invite which will link you to the notes that you're seeing on screen and has a list of who's attending. If it's your first time attending, please add your name to the attendees, and if you've been before, hope that your name's there; go ahead and just make sure it's highlighted so that we can see you've attended, before we get into the main part of the agenda.

B: I'm new. Justin Abrams, and I want to talk about SBOM scorecard inclusion possibilities.

A: I think I recognize everyone else, but if there's anyone else, go ahead and introduce yourself right now. All right. Well, let's go ahead and just jump into the agenda. Say if there are any topics you don't see on here that you think should be added. I think our agenda's light enough today; you could just jump in quick to the doc and just add a topic towards the end.

D: So just project updates here. We had an issue updating to the latest Scorecard. It was using more memory than it used to, and it turns out the transport we're passing in was mostly for authentication, but we also have caching attached to it, and it was an old change. But Scorecard is now using that transport for tarball downloads, which is good so that it can download tarballs for private repositories, but it also means that our cache is overflowing.

B: That's mine. So I have a utility called SBOM Scorecard and, as the name implies, it scores SBOMs. I think that it may make sense to include that within the broader Security Scorecard. There's an issue about it, which is linked to the document. There was some interest, and I'm here to figure out what needs to happen to push that forward.

A: I guess, do you just have a sense of where things are at right now? Are there any significant concerns that you know would be helpful just to discuss in this meeting?

B: I don't have specific concerns. It's mostly a "how do I get from here to the destination." What do you want from me to make that happen? I'm happy to contribute code or whatever; I just need to know what you'd like.

E: Yeah, I'm checking out the issue right now. I think how something would be included would determine sort of where, so I'm just gonna flick through the issue real quick.

A: I mean, I would say already a good start, just having an issue open. Usually a lot of our discussion is just done on GitHub. I think generally when issues are open, we'd look at just a general criteria of, you know, does this really help advance Scorecards, and does it change anything fundamental about it? Based on what you've said, it doesn't sound like it's a major change to Scorecard itself. It's extending what it does and basically making it work better with SBOMs.

B: Yep, that's right, and a username Lawrence Simon suggested that I attend this meeting to discuss, to propose the idea.

F: Oh, go ahead. I think it was in this call. Last time we had this call, I believe it was, somebody brought up another tool that kind of had some similar overlap here, and we were gonna see if we could get people together to kind of see if there's opportunities for collaboration or if there was not significant overlap. It might be in the meeting notice, the minutes from last meeting, but I forget who the gentleman was. He'd been at a conference and kind of got... might have been Hipcheck.

A: Let's say a lot of times David does attend this meeting; couldn't make it today. I think that the best way to move it forward is just, I think, two things, one for this meeting. You could just maybe share a little bit more, Justin, about who you anticipate using the feature and what kind of core problem it solves. I think sure it's helpful just for the whole group.

B: Yes, so there's a lot of push to generate SBOMs, and I think that's well founded, but it turns out that the quality of SBOMs is questionable, and I have a large number of SBOMs that can kind of back that up. Some are not even spec compliant; some don't list the version of the package being used. Some don't say, like, what's the identifier for this piece of software, like how do I know that this is what it is? And so the intent of the SBOM Scorecard is simply to assign a grade to an SBOM and say, yeah, this does actually have the relevant pieces of information needed to have actionable insights, like if there's a security vulnerability, I would be able to tie that back to this piece of software. That's not great, or you don't have any package URLs here, so we don't know how to actually trace that back to any sort of known identifier of a repository, or we don't know how this SBOM was made.

F: I would definitely second that. We see a lot of issues around SBOM quality. I think it would be helpful to be able to have a project that scores that, and obviously that's useful standalone. It'll be interesting to see exactly what your vision for integrating that into the overall score is.

E: You linked... I think you said that for your two cents, you should put the SBOM along the artifact and not in source control, so I'm curious what role, or I guess how you would include it with Scorecard.

B: So it should be able to, like, if I had access to a GitHub API, I could look at the releases that have been made for a given project and see if there are SBOMs associated or, you know, attestations, like those sorts of artifacts that are included along with it. And I think that that is still within the realm of "give me your GitHub URL or your GitLab URL" and being able to infer it from that. I don't know if that's additional scope creep for the project that is not welcome.

E: So I think, based on what you just said, it definitely fits better with sort of the release check, which we have a check for, and not necessarily the binary artifact stage, which is the issue that was linked in the agenda. But yes, I'm trying to remember. I think we just check that there's a publishing workflow, although I might be confusing it with Packaging, but I think having an issue to discuss, or just changing the issue to mention the release workflow, would fit better with sort of the Scorecard frame, so that sounds reasonable for me.

A: Any other thoughts from anyone else on that? Does that make sense, what Spencer's suggesting?

B: Yeah, I think that... I'm very happy to build in functionality to say, is this an SBOM, yes or no, within the context of the SBOM Scorecard, and then we could just try files and see if they are in fact SBOMs that are known to the project.

E: I can include a link, but Google has a utility called OSV-Scanner, and they had this sort of "how do we determine what an SBOM is," and there's, you know, some naming conventions that people may or may not follow, and I'll link the issue and put it in the agenda.

A: Yeah, thanks for adding that, Spencer. So I would say, I think on the issue itself there's maybe a few things just to clarify, to add to it, basically feedback here. One is, let's maybe adjust where exactly this would... which check this would exactly be linked to, and then kind of just describe the general method that you're planning to find SBOMs and Metal. Otherwise, you know, I think what we could do is clarify a few of those things on the issue and then either we'll close it out on the issue or we can bring it back to the meeting if there's a lot of back and forth on it. Yeah, that should be a pretty good path forward. Thank you again just for bringing it to the group. I think that's an exciting extension. Other topics that folks want to bring up, or also last chance to chime in on this one.

G: And I do have a totally different topic that I wanted to talk about real quick, a last-minute proposal on the agenda, so I understand if you don't want it.

A: I'd say we're doing good on time. We've just got a few announcements at the end, and we definitely have time to take on another topic.

G: Okay, this one's really just more of a heads up, and if you don't mind, I'd like to share my screen real quickly here. Sure, so let's see here, let's see if I can manage to push the right button. I can push buttons. Let's see if I can push the right button.

G: All right, this horrible thing pretends to be my desktop. So basically, probe and I are going to be giving a brief overview on both the OpenSSF Best Practices Badge and Scorecard, and we're a little bit... both of us are kind of trying to do too many things, and so we're right now trying to wrap up the Scorecard presentation. This is not the final. This is the starter of it, though, but I just wanted to talk about some of the things that we intend to talk about and basically see if there's, you know, anything that, oh my gosh, you missed something important, or at least in particular missed something important or got something wrong. I'm not going to go through details, because I presume that all of us have some idea what Scorecard is, but hey, Scorecard automatically scores OSS with a bunch of checks, 0-10, you know, listing some of the sample checks, and it gives an aggregate score.

G: I intend to talk briefly about Sonatype's analysis. I think that's really interesting. So, you know, I mean, that's really Sonatype's analysis, not your own, but I think it's helpful to know that in particular, and you know that some of them, you know, that hey, it looked good overall and that those four in particular were interesting. I did, by the way, find it very, very interesting. I think nobody was surprised that code review and branch protection were important.

G: Yeah, I think we ought to mention that GitLab progress is ongoing. Milwaukee's been doing it as far as I know. That's not a secret, so I think we should, you know, both that it's happening and who's working it; improving automation in general, with better support for different kinds of pipelines, you know, better tool detection. I know that Amazon is funding that work. I know there's been talk about potential new metrics, you know, empty, and maybe I should even mention the SBOM, you know, SBOM Scorecards, as something that's a potential new metric, and some various cleanups. All right. And finally, this is my pitch about how to explain these two projects.

G: Okay, my pitch is that Best Practices Badge and Scorecard both work together, can work together. They take very different approaches to it. Scorecard, I mean, the big advantages of it is that projects don't need to do anything. You can just measure them and you can get quick results on any project. That's a real big plus. That contrasts pretty obviously with the badge, where it requires... Best Practices Badge requires project participation, generally about 20, 30 minutes. There is some automation, but a lot of it is, you know, it's still a form fill-in. What are the negatives, though? And I don't think these are killing; it's just I'm trying to do a contrast. The big challenge with Scorecard is the challenge for all tools, which is you've got false positives, false negatives. I think that's just, maybe I should even say, you know, like all tools right here. Like that, okay. You know, so detecting tools, detecting the CI system, you know, detecting a file is not, you know... the presence of a file does not mean that something useful is happening, necessarily; it's a good sign.

G: Currently, it always does GitHub; GitLab is coming, and going to report on things that are automatable. Best Practices Badge: it works with any forge and it can report on what's important, with the caveat that that requires you, an analysis, which is the challenge. So the theory here is they should work together like chocolate and peanut butter. Okay, so thoughts, comments? I think I'm trying to be fair to both sides, because I think each of them has their pluses and minuses.

A: I'll say personally, I think this is a really nice way of laying them both out. I'm wondering, just in this last comparison, if you were to say, you know, Scorecards is automated, Best Practices Badge is manual, if that would just immediately kind of get in people's heads. This is the significant part.

G: Yeah, this is part of a larger brief, where it talks a lot about it, and the problem is if I just say it's manual, it's not actually true, because there's something like a quarter or a third of them that actually are automated. The difference is, if there's no automation, in most cases you can override, unless the automation determines that the human claim is false. So there's automation to figure out the defaults, but to deal with the false positives and false negatives, in most cases humans can override.

A: Yeah, I would agree with that. I think that the mix of the two is just... I think, but maybe it didn't come through for me right away, that there is some automated and some manual for Best Practices, right.

G: And I didn't want to show that part because of limited time. I mean, if you want to talk with me offline, happy to do that, and sorry that we're not quite as far along on the actual slides, but we're getting there. But we're not very worried about this, because I think, you know, Scorecards are a known quantity, but we want to make sure that people who aren't aware of Scorecard will become aware and start using it.

A: We definitely all want that. When it comes to, again, who the audience is, this is, I think you said, for OpenSSF Day? Yeah, great.

G: So, okay, that's all I just wanted to give, you know, even though we're not quite as far along as we wanted to be, I wanted to share that now, so that if there's something wrong, and really, is there something important that I missed? And we need to clean up the slides and eliminate the dupes, but is there something that was really important that we didn't include?

G: Great, yeah, now, and to be fair, for the Best Practices Badge we have silver, we have gold, we encourage projects to get them, but the reality is we've been... this is not really Scorecards-relevant, but what the heck, you asked the question. For badging, we've been focusing our messages on getting people to the passing level. We do, for the ones that are important, we want them to go beyond, but the theory right now is that if you're not even at the passing level, you're probably the biggest risk. And you know, for the projects that are used everywhere and really security critical, absolutely we want to go higher, kernels and so on. But you know, if you don't have a way to report vulnerabilities and you don't have any tools and that sort of thing, we're more worried. So that's where we've been focusing our messaging anyway.

A: Other feedback? I think before we've got another presentation announcement that Spencer's adding right now. All right, Spencer, if you want to just give a quick note, then.

E: Oh yeah, just that David reminded me that this is a great forum to get feedback on, for something like a talk. So Davina and I are giving a brief talk on Sigstore and how Scorecard Action uses it, when we sort of crowdsource some Scorecard scores that feed into the API. So David jokes that his slides aren't done, but ours are even less finalized. But I'm looking at two weeks from now, and it's still before the conference, so I might bring that forward in next week's, or next, meeting.

A: I think that'd be great, and unless there's any other topics to add, we should talk about that next meeting, and see if I can get a volunteer for a facilitator unless we already have one. Nope, so this would be May 3rd, I believe... sorry, May 4th. Jeff, is that... are you?

D: Okay, I was looking at the READMEs or any generalized guidance for pulling in Scorecard data. I know we have the API, the REST API, and there is BigQuery. I don't know if that's available publicly. And then there's also deps.dev. I think it'd be nice to have like a comparison between the three, and if you're building an integration that needs to pull data, like which one is the one you should use. Or if anybody has anything to say about that right now, I'd appreciate it.

A: I would agree that the comparison would be good. You know, when each of these became available, they built on something that wasn't there before, so I think BigQuery was initially made publicly available. An API was built on top of that to make it easier to access, and since that time, deps.dev is a large consumer of that data. It started making a public API available for themselves as of just a few days ago. So I don't know if anyone has a strong feeling that they would like to be part of that evaluation. Otherwise, I will see if I can round up some participants, because I agree that's an important thing to do. I'll be asking around for some help.

D: Yeah, I was looking at some of the REST APIs on the README. I don't know if any of the others are, but yeah, right now for the GUAC project we're pulling in deps.dev, and yeah, I didn't know if it would make sense to do any of the other ones.

A: I'll give the disclaimer: deps.dev is a Google project, so it's not in the OpenSSF. I can speak just as being a little bit familiar with that project. My understanding is their API is open for use, and basically what you're using it for now would appear to fall within the terms of what is acceptable to use it for. I don't know if anyone else has other thoughts on that. I think a lot of this will come down to kind of just throwing some cons of each one.

E: Okay, well, I will add that deps.dev does filter some data out. So if you want the complete picture, definitely stick with BigQuery or the REST API. There's a couple of checks that were previously enabled in the cron job and are still being tweaked under our new GitHub approach, where the data were not... you know, it changes a lot week to week, and it may differ from what projects previously had, so just for all Scorecard works on figuring it out, deps.dev is hiding some of those values.

D: Yeah, and are there any plans to, like, merge the two? Like, I'd hate to build an integration on the REST API if tomorrow you say, just pull it from... back to that day.

A: So, at least to my knowledge, there is no plan to do that. I think doing an evaluation of all of the ways to access the data, though, is a start towards: does that even make sense? Is that something we should be talking about? So yeah, I will no doubt be maybe twisting some arms, seeing if I can get some help to build out that comparison.

C: No worries. I'm happy to facilitate the next meeting, so irrelevant to the discussion. I do have one minor one; I think it's a small note. You know, my employer, we talk a lot to GitLab, so we had another meeting last week where we talked to the chief product officer and some other folks, and so we made our desire to get them involved here very clear, and I know Azine and ragoff are on it. There's a public channel that they created specifically to support this activity. So if you need to reach out directly to, like, the GitLab leadership, his name is Sam White. He is the product manager in front of all their government stuff, so he's very much aware of this and created that Slack channel specifically to help this team out. So if there's anything you need from GitHub, I know you're already talking to them a little bit, but this would be another really good way to reach out and make any needs known.

A: All right, last call for any other topics.

G: So, if somebody has thoughts on that between now and next meeting, that would be awesome.

A: I will say I'm guessing I will not have that by next meeting, so I very much... if you have this already or could compile quick thoughts, you know, between now and then, it sounds like both David and all of the audience members in that presentation would appreciate it. All right, well, I think we've kind of covered everything at this point. Very, very, very last call for any last topics. We've got a facilitator for next time.