►
From YouTube: Scorecards Biweekly Sync (April 20, 2023)
A
A
All
right
we're
about
two
minutes
in
so
why
don't
we
go
ahead
and
get
started?
My
name
is
Brian
Russell
I
am
product
manager
on
Google's,
open
source
security,
team
I
work
with
a
few
different
projects
in
the
open
ssf,
including
scorecards
I'll,
be
facilitating
today
and
I
just
want
to.
Thank
you
all
for
coming.
A
If
you
haven't
attended
one
of
these
meetings
before
there
is
a
document
attached
to
the
meeting,
invite
which
will
link
you
to
the
notes
that
you're
seeing
on
screen
and
has
a
list
of
who's
attending,
it's
your
first
time
attending.
Please
add
your
name
to
the
attendees
and,
if
you've
been
before,
hope
that
your
name's
there
go
ahead
and
just
make
sure
it's
highlighted
so
that
we
can
see
you've
attended
before
we
get
into
the
main
part
of
the
agenda.
A
A
I
think
I
recognize
everyone
else,
but
if
there's
anyone
else
go
ahead
and
introduce
yourself
right
now
all
right.
Well,
let's
go
ahead
and
just
jump
into
the
agenda
say
if
there
are
any
topics
you
don't
see
on
here
that
you
think
should
be
added
I.
Think
our
agenda's
light
enough.
Today
you
could
just
jump
in
quick
to
the
dock
and
just
add
a
topic
towards
the
end,
but.
D
It
was
using
out
more
memory
than
than
we
it
used
to
and
it
turns
out
it's
the
transport
we're
passing
in
is
for
was
mostly
for
authentication,
but
it's
also
for
we
also
have
caching
attached
to
it,
and
it
was
an
old
change.
But
scorecard
is
now
using
that
transport
for
tarball
downloads,
which
is
good
so
that
it
can
download
tarballs
for
private
repositories,
but
it
also
means
that
our
cash
is
overflowing.
A
A
B
That's
mine,
so
I
have
a
utility
called
s-bomb
scorecard
and,
as
the
name
implies
it
scores.
S-Pops
I
think
that
it
it
may
make
sense
to
include
that
within
the
broader
security
scorecard
I've
like
there's
an
issue
about
it,
which
is
linked
to
the
document
it
is,
there
was
some
interest
and
I'm
here
to
figure
out
what
needs
to
happen
to
push
that
forward.
A
B
A
E
A
I
mean
I
would
say
already
a
good
start
just
having
an
issue
open.
Usually
a
lot
of
our
discussion
is
just
done
on
GitHub
I
think
you
know
generally
when
issues
are
open,
we'd,
look
or
just
a
general
criteria
of
you
know.
Does
this
really
help
Advance,
scorecards
and,
and
you
know,
does
it
change
anything
fundamental
about
it?
Based
on
what
you've
said
it
does
it
doesn't
sound
like
you
know
it's
it's
a
major
change
to
scorecard
itself.
It's
extending
what
it
does
and
basically
making
it
work
better
with
s
bomb.
F
Oh
go
ahead,
I
think
it
was
in
this
call.
Last
last
time
we
had
this
call
I
believe
it
was.
Somebody
brought
up
another
tool
that
kind
of
had
some
similar
overlap
here
and
we
were
gonna
see
if
we
could
get
people
together
to
kind
of
see
if
there's
opportunities
for
collaboration
or
if
there
was
not
significant
overlap,
it
might
be
in
the
the
meeting
notice.
The
minutes
from
last
meeting
but
I
forget
who
the
gentleman
was
he'd
been
at
a
conference
and
kind
of
got,
might
have
been
hip
check.
A
A
B
Some
are
not
even
spec
compliant
some
don't
list
the
version
of
the
package
being
used.
Some
don't
say
like
what
hat
like.
What's
the
identifier
for
this
piece
of
software
like
how
do
I
know
that
this
is
what
it
is,
and
so
the
intent
of
the
s-bomb
scorecard
is
simply
to
assign
a
grade
to
an
s-bomb
and
say
yeah.
This
does
actually
have
the
relevant
pieces
of
information
needed
to
have
actionable
insights
like
if
there's
a
security,
vulnerability.
I
would
be
able
to
tie
that
back
to
this
piece
of
software.
E
B
So
it
should
be
able
to
like,
if
I
had
access
to
a
GitHub,
API
I
could
look
at
the
releases
that
have
been
made
for
a
given
project
and
see
if
there
are
s-bombs
associated
or
you
know,
stations
like
those
sorts
of
artifacts
that
are
included
along
with
it
and
I
think
that
that
is
still
within
the
realm
of
give
me
your
GitHub
URL
or
your
gitlab
URL,
and
being
able
to
infer
it
from
that
I.
Don't
know
if
that's
additional
scope
creep
for
the
project.
That
is
not
welcome.
E
E
But
yes,
I'm,
trying
to
remember
I
think
we
just
checked
that
there's
a
publishing
workflow,
although
I,
might
be
confusing
with
Packaging,
but
it
I
think
having
an
issue
to
discuss
or
just
changing
the
issue.
To
mention
the
release.
Workflow
would
fit
better
with
sort
of
the
scorecard
frame
so
that
that
sounds
reasonable.
For
me,.
G
A
A
G
A
G
G
All
right,
this
horrible
thing
pretends
to
be
my
desktop,
so
basically,
probe
and
I
are
going
to
be
giving
a
brief
overview
on
both
the
opennesses
have
best
practices
badge
and
scorecard
and
we're
a
little
bit.
Both
of
us
are
kind
of
too
many
things
trying
to
do
too
many
things,
and
so
we're
right
now
trying
to
wrap
up
the
the
scorecard
presentation.
G
This
is
not
the
final.
This
is
the
starter
of
it
though,
but
I
just
wanted
to
talk
about
some
of
the
things
that
we
intend
to
talk
about
and
basically
see.
If
there's
you
know
anything
that,
oh
my
gosh,
you
messed
it.
You
missed
something
important,
or
at
least
in
particular,
missed
something
important
or
got
something
wrong:
I'm
not
going
to
go
through
details,
because
I
presume
that
all
of
us
have
some
idea.
What
scorecard
is,
but
hey,
there's
scorecard
automatically
scores
OSS
with
a
bunch
of
checks.
G
G
G
I
intend
to
talk
briefly
about
sonotypes
analysis.
I.
Think
that's
really
interesting.
So
you
know
I
mean
that's
really.
Sometimes
analysis,
not
your
own,
but
I
think
it's
helpful
to
know
that
in
particular-
and
you
know
that
some
of
them-
you
know
that
hey
it
looked
good
overall
and
that
those
four
in
particular
were
interesting.
I
did
by
the
way,
find
it
very,
very
interesting,
I
think
nobody
was
surprised
that
code,
review
and
Branch
protection
were
important.
G
G
G
If
yeah
I
I
think
we
ought
to
mentioned
that
get
lab
progress
is
ongoing,
Milwaukee's
been
doing
it
as
far
as
I
know.
That's
not
a
secret,
so
I
think
we
should.
You
know
both
both
that
it's
happening
and
who's
working
it
improving
Automation
in
general,
with
better
support
for
different
kinds
of
pipelines.
G
You
know
better
tool.
Detection
I
know
that
you
know
that's
that
Amazon
is
funding
that
work.
I
know,
there's
been
talk
about
potential
new
metrics,
you
know
you
know
empty
and
maybe
maybe
I
should
even
mention
the
s-bomb.
You
know
s-bomb
scorecards
as
something
that's
a
potential
new
metric
and
some
various
cleanups
all
right.
And
finally,
this
is
my
pitch
about
how
to
explain
these
two
projects.
G
Okay,
my
pitch
is
that
best
practices
badge
and
scorecard
both
work
together
can
work
together.
They
take
very
different
approaches
to
it
scorecard
I
mean
the
big
advantages
of
it.
Is
that
projects
don't
need
to
do
anything?
You
can
just
measure
them
and
you
can
get
quick
results
on
any
project.
That's
a
real
big
plus.
That
contrasts
pretty.
Obviously
the
badge
where
it
requires
best
practices
out
requires
project
participation,
Journal
about
20,
30
minutes.
G
There
is
some
automation,
but
a
lot
of
it
is
you
know
it's
still
a
form
fill
in
what
are
the
negatives
though,
and
I
don't
think
these
are
killing
it's
just
I'm
trying
to
do
a
contrast.
The
big
challenge
with
scorecard
is
the
challenge
for
all
tools,
which
is
you've,
got
false.
Pauses,
false
negatives,
I
think
that's
just
maybe
maybe
I
should
even
say.
You
know,
like
all
tools
right
here.
G
G
Currently,
it
always
does.
Github
gitlab
is
coming
and
going
report
on
things
that
are
automatable
best
practices
badge.
It
works
with
any
Forge
and
it
can
report
on
what's
important,
with
the
caveat
that
that
requires
you,
an
analysis
which
is
the
the
challenge.
So
the
theory
here
is
they
should
work
together
like
chocolate
and
peanut
butter,
okay,
so
thoughts,
comments,
I
I
think
this
I'm
trying
to
be
fair
to
both
to
both
sides,
because
I
think
each
of
them
has
their
pluses
and
minuses.
A
I'll
say
personally:
I
I
think
this
is
a
really
nice
way
of
laying
them
both
out
I'm
wondering
just
in
this
last
comparison.
If
you
were
to
say
you
know,
scorecards
is
automated
best
practices
badge
is
manual
if
that
would
just
immediately
kind
of
get
in
people's
heads.
This
is
this
is
the
significant.
G
Part
yeah:
this
is
part
of
a
larger
brief,
where
it
talks
a
lot
about
it,
and
the
problem
is
if
I
just
say
it's
manual.
It's
not
actually
true,
because
there's
something
like
a
quarter
or
a
third
of
them
that
actually
are
automated.
The
the
difference
is,
if
there's
no
Automation
in
most
cases
you
can
override,
unless
the
automation
determines
that
the
human
claim
is
false,
so
there's
automation
to
figure
out
the
defaults,
but
to
deal
with
the
false,
positive
and
false
negatives.
In
most
cases,
humans
can
override.
A
G
And
and
I
didn't
want
to
show
that
part
because
limited
time
I
mean
if
you
want
to
talk
with
me
offline
happy
to
do
that
and
sorry
that
we're
not
quite
as
far
along
on
the
actual
slides
but
we're
we're
getting
there.
But
we're
not
very
worried
about
this,
because
I
I
think
you
know.
Scorecards
are
known
quantity,
but
we
want
to
make
sure
that
people
who
aren't
aware
of
Scar
card
will
will
become
aware
and
start
using.
It.
G
So,
okay,
that
that
that's
all
I
just
wanted
to
give
you
know,
even
though
we're
not
quite
as
far
along
as
I,
want
as
we
wanted
to
be
I
wanted
to
share
that
now,
so
that
if
there's
some
something
wrong
and
really
is,
is
there
something
important
that
I
missed
and
we
need
to
clean
up
the
slides
and
eliminate
the
dupes?
But
is
there
something
that
was
really
important
that
we
didn't
include.
G
Great
yeah
yeah
now
and
to
be
fair
for
the
best
practices
badge.
We
have
silver.
We
have
gold,
we
encourage
projects
to
get
them,
but
the
reality
is
we've
been
from
a
this
is
not
really
a
scorecards
relevant,
but
what
the
heck?
You
asked
the
question
for
for
badging
we've
been
focusing
on
our
messages
focusing
on
getting
people
the
passing
level
we
do
for
the
ones
that
are
important.
G
We
want
them
to
go
beyond,
but
the
theory
right
now
is
that,
if
you're,
not
even
at
the
passing
level,
you're
probably
the
biggest
risk-
and
you
know
for
the
projects
that
are
used
everywhere
and
really
security
critical-
absolutely
we
want
to
go
higher,
kernels
and
so
on.
But
you
know
if
you
don't,
if
you
don't
have
a
way
to
report
vulnerabilities
and
you
don't
have
any
tools
and
that
sort
of
thing
we're
more
worried
foreign.
So
that's
where
we've
been
focusing
on
our
messaging
anyway,.
A
C
A
E
E
A
A
I
would
agree
that
the
comparison
would
be
good.
You
know
when
each
of
these
became
available
they
built
on
something
that
wasn't
there
before
so
I
think
bigquery
was
initially
made
publicly
available.
An
API
was
built
on
top
of
that
to
make
it
easier
to
access
and
since
that
time,
depths.dev
is
a
large
consumer
of
that
data.
It
started
making
a
public
API
available
for
themselves
as
of
just
a
few
days
ago.
A
A
D
D
A
I'll
give
the
disclaimer
Dev
is
a
Google
project,
so
it's
it's
not
in
the
openssf
I
I
can
speak
just
as
being
a
little
bit
familiar
with
that
project.
My
understanding
is,
their
API
is
open
for
use
and
basically
what
you're
using
it
for
now
would
appear
to
fall
within
the
terms
of
what
is
acceptable
to
use
it
for
I,
don't
know
if
anyone
else
has
other
thoughts
on
that
I
think.
A
lot
of
this
will
come
down
too,
to
kind
of
just
throw
some
cons
of
each
one.
E
E
There's
a
couple
checks
that
were
previously
enabled
in
the
Quran
job
and
are
still
being
tweaked
under
our
new
GitHub
approach,
where
the
data
were
not,
you
know
it
changes
a
lot
week
to
week
and
it
may
differ
from
what
projects
previously
had
so
just
for
all
scorecard
works
on
figuring
it
out.
Debs.Dev
is
hiding
some
of
those
values.
E
A
A
D
A
So,
at
least,
to
my
knowledge
there,
there
is
no
any
plan
to
do
that.
I
I
think
doing
an
evaluation
of
all
of
the
ways
to
access.
The
data,
though,
is
is
a
start
towards.
Does
that
even
make
sense?
Is
that
something
we
should
be
talking
about,
so
yeah
I
will
no
doubt
be
maybe
twisting
some
arms
seeing
if
I
can
get
some
get
some
help
to
build
out
that
comparison.
C
Quite
a
I
do
have
one
minor
one
I
think
it's
kind
of
it's
a
small
note.
You
know
my
employer.
We
talk
a
lot
to
gitlab,
so
we
had
another
meeting
last
week
where
we
talked
to
the
chief
product
officer
and
some
other
folks,
and
so
we
made
our
desire
to
get
them
involved
here.
Very
clear
and
I
know.
Azine
and
ragoff
are
on
it.
There's
a
public
channel
that
they
created
specifically
to
support
this
activity.
C
So
if
you
need
to
reach
out
directly
to
like
the
lab
leadership,
his
name
is
Sam
white.
He
is
the
manager
product
manager
in
front
of
all
their
government
stuff,
so
he's
very
much
aware
of
this
and
create
that
slash
data
specifically
to
help
this
team
out.
So
if
there's
anything,
you
need
from
GitHub
I
know
you're
already
talking
to
them
a
little
bit,
but
this
would
be
another
really
good
way
to
reach
out
and
make
any
needs
known.