From YouTube: Scorecards Biweekly Sync (August 11, 2022)

A: As if I added a few sections on top of project updates on the meeting agenda. I just want to let you know about that; I added that section just when I'm looking up.

B: Yeah, let's get started. Usually we do this by, you know, asking anyone who's new here to the meeting. So if folks are joining us for the first time who haven't introduced yourselves, please say hi and let us know what it is you're looking for.

C: Hello, my name is Scott Hissam. I'm with the Software Engineering Institute at Carnegie Mellon. I've been playing around with Scorecard now for a couple of weeks, looking for ways to get insight into the open source software practices being employed by teams. I was encouraged to check out Scorecard and want to find out what's been going on, what the plans are, and see about addressing issues over time.

B: I'm sorry, anybody else want to go?

C: Yeah, in fact, unless they've changed it, I just requested access.

B: I pasted the link in the Zoom chat. So that's a Google Group, and if you join that you should get access.

A: It's just that we don't have... none of us have permission, and then people in the next Foundation...

D: Well, I might, but I don't... you know what, I'm going to send that on to... can somebody send that request to Jay, the J Ben's story?

B: All right. So, oh yeah, I mean, this is to the best of my knowledge, I'm just reading it right now. So the Scorecard and Allstar team, you know, presented a bunch at Open Source Summit. I think there are videos that are uploaded there. I think they're talking about... I mean, what are the different talks here? I think some...

A: Of them, yeah, sure, right. Like, I just want to add to what you mentioned. We just wanted to highlight some of the talks that we presented at the OSS Summit, so that people who couldn't attend the OSS Summit get an opportunity to go see what Scorecard and Allstar are and how they are essentially helping the open source community. I just want to call that out so that it gives an opportunity for everybody to do that.

B: Yeah, thanks again. I think the other update we had is we have a new beta version of scorecard-action. What the beta release really does is it allows you to start displaying a Scorecard badge on your repository, so it's a way for you to basically say, this is the security score of your repository. The other thing that this action would do for you is it will start publishing your results, which are accessible through a REST API. So if you install this action, your Scorecard results will be accessible on a per-commit basis. So yeah, feel free to try it out. We should have a broad production version coming soon, but we have quite a few repositories using this already. We also have a v4.0 release.

A: I think, yeah, one of the critical reasons is Ethan and Laurent wanted the way in which we can have these jar files not be complained about. We added that update, so that was one of the primary reasons we released it. I think there are a bunch of things that people solved.

B: I think the other thing, besides this, is this is probably our first time trying out a SLSA release flow, so I think we're still trying to improve on it. But yeah, this release is released through a SLSA release workflow, so the artifacts here should be SLSA compliant. All right, so I think with that, if anyone else...

B: Oh yeah, I think we are still working on it. So, okay, yeah. We have a website coming out soon, so hopefully the next time we meet I should have a better update.

B: I think so. Usually we all see a lot of open items. So I think this was one of the debates we had long back: the open items are so many that we are unable to get to member updates. I don't know, I'm okay with going through the open items and then kind of going back and seeing if there... purpose and updates, if that works. So, folks, cool, we have a few opens. Should we quickly start going through them? Naveen, did you want to make an update on the Scorecard API results?

A: Yeah. So we recently made the API results available as part of the data that we are working on. One of the things that we could potentially also provide is to get the release information as part of the API, so essentially people utilizing the API should be able to say, hey, if I'm, for example, depending on Kubernetes, can I get Scorecard results for, say, 18.4 or any of those particular releases? Because it makes people think, okay, I'm using this particular version of... oh, this version of the dependency, I want to know the health of that repository at that moment in time, because it gives me a warm and fuzzy feeling, instead of me going on tip, because obviously I'm not going to be on tip every moment. That is my thought process in opening this request. I wanted to get people's thoughts, and that's the reason I'm going to pause right now and let others talk about it.

D: I'm okay, in principle, with caching things for performance, but I do worry that some of these things, some values, are not just based on hashes. Like branch protection: it may be off and then may be turned on. Or the best practices badge: maybe it wasn't there before and it is now. So I worry that if it's cached forever, you're going to eventually get old data. On the other hand, I understand you don't want to beat up systems; re-running every two seconds is ridiculous. So how long do we expect these to stay cached before the scan gets rerun?

A: It's a weekly scan, so we do have weekly scans to do that. So essentially it gives people an opportunity to say, hey, I want to have the latest, but I also want to go back in time. Because it gives people an opportunity to say, hey, I want these checks on this release, so that it gives me, as a consumer, essentially a way to know what it is at that point in time, on the release.

A: Right, okay. For the larger community, I just want to say we already added SHA. So essentially, you know, in our API result in the chat, they say, hey, you can go fetch by this commit, and get Scorecard results by a commit SHA to figure out what it is. What I'm suggesting is, along with this, also go fetch the latest release and add that as another option to say, hey, here's the release of that repository and what's the data it is. I do understand some of the checks aren't valid, like the branch protection stuff, but there are things that are still valid with that. That's my thought process.

E: Yeah, I mean, I think not doing this originally was just a limitation of, you know, time and effort to be able to implement it. So yeah, I think, as this was... you know, it's pretty clear that this would be better. It's just a question of: can we do this?

B: So Ethan, do you want to take the next one? I think it's talking about the action policy proposal.

G: Some other examples for groups that you could do are a deny list style or an allow list style, just as examples. Currently, GitHub only allows organizations, I believe, to set up allow list style policies, but those aren't really smart. They kind of just use glob matching, I believe, for the action, so this allows more specific version targeting. And, well, yeah, that's the gist of the configuration. And then also included in the proposal are examples of what the output might look like. So, if you wouldn't mind scrolling down a little, there's an example somewhere.

G: Oh yeah, there you go. So this is an example of what the output might look like when, in the first example, an action hits a deny rule. As you can see, it's not matched by any of the require or allow rules that came before, so it's denied. And then in the second example, a requirement is not met, so some proposals are given for how to meet that requirement for the rule. So in this case there are multiple actions that might satisfy the set of rules that match this repo here.

A: This is cool, I really like it. I have one question on this. This is very similar to any firewall policies. I could have different things, and most firewall policy examples on any cloud give you some kind of a number to say, hey, 1000, 1001, 1002, so ordering of which policy has to run would be a great addition to this, because of the order in which... because each one of them can step over each other. So that's one feedback on this. To essentially do that... if you don't mind, can you scroll up a little, back to the top of the policy?

B: Sure. While I do that, do you mind just repeating what your concern was? I just want to write it down.

A: Not as a concern. I just want to add a suggestion, which is to add a sorting order so that we can pick which policy has to run and in what order. That was my suggestion.

A: Now it makes sense. Okay. Or another tradition is to have a number, so essentially I don't have to... okay, if I open a PR, then I need to know where that needs to go. If that's a problem... and that's why people have numbers, to say, hey, this is the most critical thing that I want to run. That's why people usually tag PRs to the bottom, but in the future I could have a critical policy that needs to be on top, or something in between, and that becomes: have a number. That's a reason to do that, and that's why firewall policies usually come up with an ordering number.

F: Gotcha, yeah. So I like it, I like the direction. I think that there... so one thing with the proposal: we need to make it clear what the system is going to be doing by default, if it is default deny, for example, which, if we're talking about firewalls, is usually what happens. The priorities I agree with, if we can figure out how to group priorities: being able to specify that this is a critical priority versus, you know... I'm maybe trying to steer away from the arbitrary numbering systems that you might see in these priority lists.

G: Definitely, thanks for the suggestions, you two. Currently, how the group system works is you can reorganize the groups, so as soon as any single set of rules, or any single rule, is failing, it'll create an issue for it on the repo, assuming the issue action is selected within the configuration, and you're able to rearrange the different groups. So if you wanted, you could make one higher priority and that would show above in the issue, if that resolves that concern.

F: I would say that, I guess priority-wise, it should be explicit, as opposed to specified by ordering within the YAML configuration. That way you kind of get away from "well, I was adding some rules and I just wanted to make sure they were alphabetized," or something like that, right? Where the priority, you know, everything goes out of whack because someone had some understanding of the system that is not necessarily what the intent was, right? So being explicit with saying that this is a critical priority, or this is ranked X, is going to give you a clear output.

D: Do we have an organization who has volunteered to give this thing a try?

A: So I want to know, will we be having regex matching in some of these things? Because I wouldn't want to... I'm not saying you must have this, but I could say, like, all of the Scorecard repos, for example scorecard-*, which gets... I mean, if you think of an organization with a thousand repositories, then coming up with all these things would be a little harder. That's my two cents: having a regex would be helpful, and that could be an option to think about.

G: There's at least glob matching for action names, so you could just allow a broad set of actions. And by default it's not in allow list mode; it's in, I guess, a deny list mode, you could say. So how deny is applied is basically: it will go over each action and then run through all the rules with that action and check if the action should be denied, depending on whether it's specifically allowed by a rule before it hits a deny rule. But if it doesn't ever hit a deny rule, then it's allowed.

A: Cool, last feedback on this: I know there are people also looking at a way to do this. It would be great if, obviously... I see another... if we can do this together.

F: I think there's an opportunity for us to work on a lot of these things in tandem, but the idea is basically to ensure that if you've got dependencies in a repo that are maybe specified by file and not necessarily checked by some system, you can say, hey, this is supposed to be version blah. You know, make sure that all of the references to version blah are updated to that version, right?

A: This is what Envoy also does. Envoy proxy has something similar; they also have this. This is something similar. Even they use that.

G: Very neat, thanks for sharing. Yeah, that could make sense, to do some kind of collaboration on this, for sure.

F: Oh, some of my projects, as well as Knative, use it in a few places, so it'd be cool... like, we're all writing some of the same functionality, so maybe we can definitely collab on it.

G: Yeah, sounds great. Also, I got a question from Laura in chat, and the question was about pinning with hashes. Yeah, I just recently updated this to include support for that. So what will happen is, if you have a specific commit hash reference within your workflow for a specific action, Allstar will, at least with the current proposal, go over to that repo that the action's in and look at the releases to find one that corresponds to that hash, and then use the tag from that release to do the version check against the version specified in the configuration.

F: I have opinions. So I think it's partially there. There's subtext, I think, David, which is that the organization, the GitHub org owners, receive Dependabot alerts for all, or have the option to receive Dependabot alerts for all, repos within the organization. So I think it's, as you notice them, hopefully, you're kind of tackling them, and that's what I try to do for the Scorecard repos. I did some patching on some of the Scorecard web app stuff over the last few days, but I think that it should be explicit. I think it's assumed, all right, I assume it, but I think it should be made explicit that the maintainers of the repo should be patching.

A: I help out a lot with that. I spend my time trying to look at... there are certain things that are not okay. Let me unpack that a little bit. Some things which we haven't, because we have to upgrade to Go 1.18 or 1.19, because 1.17 is sunset, and we have some issues in solving that problem. If I fix that, the other Dependabot warnings should go away. But if you usually see scorecard-action and scorecard, I've been taking care of that. For some of the things that are still there, it's primarily because we haven't upgraded Go, but that's what needs to happen. I have a work-in-progress PR, but that PR had other problems. I should just pick that up and work through all that, and then, after that, the Scorecard Dependabot warnings should essentially go away. Yeah.

D: Yeah, so I don't think that's true for all of them. There's one... I don't want to point out details in this open call, but yeah, there's a recent one that I don't think is... it was just opened yesterday. So not having responded to it within one day is totally understandable, but...

F: Okay, so yeah, tag us offline if you want.

D: So I understand the other ones, but the one that was just pinged yesterday, it's a high one. I don't think the Go dependency is an issue in this case. Stuff and updates, and, you know, good luck, I'm totally sympathetic, but that other one I don't think is caught up in that. I think, yeah, I can be wrong. Yes.

A: Some of these things are indirect, so it looks like that, but it is... I just want to unpack that. But we will look at that. Any time like this, go ahead and, on that particular issue or any of that, you can put it on the radar, and one of us should be able to pick it up.

F: Yeah, we had mentioned the Go updates specifically. Part of the reason is the module resolution. So with indirect dependencies, there are a few that have done interesting things for their modules, which make the calculus unresolvable. In newer versions of Go that is less... frictionful, I don't know, words. But yeah, I can pick up the newest one; I'm looking at it now.

F: Yeah, I think the explanation too is important for the recording, because it is easy to look at a repo and see updates flying by and them not getting resolved, and be nervous about that, especially given what our project is, right.

B: Thanks, Stephen, for taking that up. Now, the next one: is this about getting the PR in, or was there a bigger discussion?

A: We need it in, because I just want to make sure that all of us... I don't think she's already part of the Scorecard repo. I just want to make sure, before I include her for having write access for markdowns, that this is open, we all agree to this, and then merge the PR in.

F: So I think that it's worthwhile to go back and revisit the discussion around the settings bot as well as CODEOWNERS and kind of how they interact there. I think there's one PR open for the web app to update the code owners that is invalid, because there's a manual process of actually adding the person to the repo as a collaborator or to a team. Really, we should be doing this on a team level, not an individual level. I think the problem that you run into when you do teams is that, for folks who can't introspect the teams, you don't necessarily know who to go to for support outside of them being automatically tagged on PRs. So I think, in addition to the teams, we can list out in comments who the members of those teams are, but I think it's important to use teams for scalability.

A: I agree, I totally agree on that. So if that's the way we want to go about doing it, I'm more than... like, should we create teams? Should we, as a workaround, create a docs team, add her to that, and then list those people who are the members? That is the process; we can do that.

F: So it's multiple groups involved, is the thing, right? So if she is not currently part of the org, then it's reach out to folks who have org admin.

F: That's out of the way. We already have teams: we have the scorecard team, we have scorecard admins and scorecard maintainers. I can help out with this as well. We can create a new docs maintainers team. What needs to be handled is the decision around using settings bot.

E: Does anybody on the scorecard maintainers have access to create teams? And also, for people that aren't already part of the org, what do we have to do to get them to be part of the org? Because using teams requires all of that.

F: You would ping someone who is kind of on the operations list for OpenSSF stuff, so one of the program managers can help out with adding folks to the... this is opening up a separate discussion, which, David, I will take offline with you, because you wanted help with some of this stuff and I have ideas. So, okay.

D: Awesome. Just a quick note: there's been some complications. One of our PMs, she's just going off on maternity leave; another is returning from leave. So the correct people to contact right now for OpenSSF, for any of those things, are either the jewelry person or Khalil White. Happy to post email addresses for both. Really, just email both and we will get that done, and if it doesn't get done quickly, nag and complain at us and we'll say sorry, we'll get it done. Yeah.

E: They also have to be added to the org, which comes with permissions. Like, I think you can actually create repos if you're an org member, right? Are we worried... are we okay with anybody that should be a part of a team also being part of the org?

D: I actually picked up the exciting and, well, I would say probably thankless task of trying to gather a little group to figure out what the permissions should be for the GitHub org, all the way across. I picked that up and then I decided to get COVID instead. Really a bad decision on my part, terrible decision, so I'll try to make better decisions in the future. I'm okay now, but just so you know, that is a job in the job jar, but it got pushed out a little bit, and we are going to get through that. The quick short answer for now: permissions, talk to Khalil and the jewelry person, email them. They'll try to get it done, and then we're going to work out a longer term, you know, trying to make the policies much simpler. But for now I think the key is just to figure out what needs to happen.

F: So I had mentioned this to Brian on a separate call, and it's related to your email, David, but out of scope for this call. What OpenSSF needs is the equivalent of the Kubernetes contributor experience, the CNCF TAG Contributor Strategy, and effectively that function of helping out with... so there was a separate subproject for GitHub administration that lives in Kubernetes within, say, contributor experience, right? I can help y'all work out the details for that, because I think, in addition to some of the mechanics of handling the GitHub stuff, there's also the contributor experience: how do I know where to go to get help? What's the map of what OpenSSF is, and how do I get plugged in? So that will be a thing that I think needs to start moving.

D: Can you send me just a quick email with a pointer? Because that's actually one of the questions: you know, CNCF has a huge amount of stuff, but I think the challenge is that CNCF is just so much larger than almost everything else, and there's a question about whether or not it's excessively heavyweight for what we're trying to accomplish. I wholeheartedly endorse it, and I think it's just a question of where it should live, and I think that's a question for this working group. If it's in this working group or if it's its own, then it's just a simple proposal to the TAC, and we've got a process for creating new working groups that involves, you know, having a few meetings, trying to pull some people together. So, Steve, I'd suggest getting started with that as soon as we can. Yeah.

F: Sounds great. And I think, you know, what I'll do is likely bring it to... because I think, David, where you found me was from the planning committee meetings via VM, right?

A: By then, can we... does anybody have... so the...

F: The actual answer to the question from the beginning, right: I believe I have access to create teams.

A: Right, I agree. So we shouldn't have a blocker for anybody... like, we don't have a blocker. That's all I want to do, so that we can move this.

F: I don't think there's a blocker, because we have done it in the past. I think the longer-tail exercise of auditing what the GitHub org settings are is out of scope for this discussion, so I think it's fine. What I would want to resolve on the maintainer level is making the decision around settings bot, because we can lay stuff down in CODEOWNERS, but if they're not reconciling and people are making changes outside of that, then we're kind of fighting ourselves.

A: Okay, and on that note, Stephen, right now I think only you have the owner privileges on those teams. Could you add another person?

A: Okay, perfect. Yeah, okay, because we tried to update and we didn't have permission, so probably you've changed that; we couldn't do that. Okay, that's good, thanks!

B: Yeah, before I move on, I just wanted to give a huge plus one to what Stephen said. I think we've had similar discussions multiple times before about, like, the contributor ladder, should we have the settings bot, and things like that. So it would be very helpful if OpenSSF has, like, organization-level instructions on how to do it. I think it would save us a lot of time. Cool, moving on to the next one. I think Laurent and Ethan, you added this. I'm assuming this is the Gradle binary exception thing, yeah?

G: Sure. So I believe the question here is: should there be a process by which Scorecard creates exceptions to the binary artifacts policy, based potentially on the results of an external action being run on a repository, or based on some kind of internal check? I think currently we were leaning towards having an external action and creating some kind of way for that external action to communicate with Scorecard, potentially so that other actions could do the same thing, through, what is it, check run annotations on GitHub. A verification requirement would be good for that, and yeah, happy to hear other thoughts about it.

G: The idea would be that we would... because someone in this issue was talking about verifying some type of binaries that were provided by Microsoft. I think they wanted to create an action for it, or some kind of check for it. So the idea here would be that on Scorecard's end we would interpret the results from that check using this format, but potentially other checks could return results in the same format, so that those could be used to create exceptions to the binary artifacts rule as well.

A: Perfect. I just want to make it explicit, saying that's what we're planning to do. And Ethan, on the second note, you said the action... are we proposing we create an action within the ossf org to do this, or what is your proposal?

G: Well, at the very least, it would be nice to have this system on Scorecard's end for confirming that binaries are valid, or at least receiving that result from an action. Whether we create an action... I guess we could create an action just to do that. I mean, that would help resolve the specific problem that someone was having who was using Scorecard and having problems with their Microsoft-signed binaries not being considered.

B: So yeah, I don't think I fully understand the proposition here. So are we saying we plan to provide an action that will run on the client's repository? And then what happens when somebody runs the Scorecard CLI on this repository?

G: Okay, yeah. So on Scorecard's end, the idea would be that it'll just look at the check runs for that repo and see if any have annotations that look like this format, where it says that those binary files are verified, so they can be exempted from the binary artifacts policy or check. And Laurent was talking about creating an action to help resolve someone's problem where they were not able to, or they were, verifying their Microsoft-signed binaries. This is a total...

F: So I think that, at least here, I would call out... I'm looking at this "verified: true" versus "false". I would call out explicitly that the file in question was exempted, as opposed to whether or not it's verified, because you could be kind of mixing the concerns of whether something was actually checked by the system and dubbed verified, or it was exempted, and we're flipping verified to choose a result.

G: Maybe. I mean, the idea here is that this data here... I don't know if I'm communicating this well, but basically an action that could be provided by a third party is running and providing this result. So the intention here was to make it so that that action could communicate to Scorecard which files it has verified. So, for example, if someone creates an action to verify Microsoft-signed binaries, this action would create the annotation that looks like this, saying whether it's been able to verify each specific binary file, binary executable file, and then Scorecard can look at whether it's been verified and then make its own determination about whether to exempt it from the binary artifacts policy or check.

B: I mean, this is my very high level commentary. Like, I think I get the direction, but I feel like the implementation is super specific and super niche. I think the general idea is yes, we should have Scorecard be more customizable, so that, let's say, a Microsoft repository can customize it for their use case. But I think the solution is a bit too specific for one exact use case, and it's not very scalable. Like what Stephen said: if tomorrow someone comes up and says, I don't care about verification, I care about ignoring binaries in a folder, or something of the sort, or any such case, I think it really doesn't scale that well. So I agree with the sentiment of it, but I don't agree with the solution.

G: Like, do you still like the idea of having actions or checks provide a result to Scorecard to help this policy out, or this check out?

B: A good thing about Scorecard is we basically say, give us a repository URL, go and run, right? And I mean, getting Scorecard adopted is itself a big hurdle. I think the more third-party integrations that we start expecting users to add, now we are basically saying, you want Scorecard to run better for you, install this option, right? And in my opinion, I don't think it scales well in the long term.

A: Ethan, I have an opinion. I certainly concur with your thought process, wherein it shouldn't be Scorecard's responsibility to run these checks, because that means we are bringing in these additional dependencies; rather, depend on these external actions to say, hey, these actions ran, so that we trust these actions to do the job instead of us doing the job. Which, for example, is the Gradle wrapper: Gradle is being utilized in hundreds of thousands of repositories. How do we verify the Gradle? How?

G: Awesome, thanks Naveen. Yeah, and for context: so there is currently an exception to the binary artifacts check which says that if a repo has the Gradle wrapper validation action currently enabled and passing on the latest commit, then Scorecard will ignore the gradle-wrapper.jar files, which apparently are required for people using Gradle. So that helps resolve some false positives with the Gradle wrapper. The idea here would be, yeah, I mean, maybe the interface could be changed, who knows? But the idea here is that, fundamentally, there should be some way for actions to communicate in a standardized way to Scorecard that they have verified files, because, well, yeah, the idea would be just to reduce false positives. And downstream, this helps out Allstar, because we have a binary artifacts policy that we would sometimes like to reduce the carve-outs for, because currently people have created exceptions, for example, for the gradle-wrapper.jar file, and that does reduce their security because they have no action checking it often enough.

B: So we have three minutes. I think I see the next item is maybe... So one quick thing, maybe David will probably know more about this. There's an end users group that's being created; I think there's a need for it coming up. I think that's a group for, you know, figuring out how usable our tools are, if I understand correctly. So maybe that's one place we can start asking these questions.

B: Right, cool. Final two minutes: I think this is Drago, who's talking about adding a binary authorization feature in Scorecard. Drago, you want to quickly talk about that?

C: I guess I'll introduce this idea for a feature. Today we have Scorecard policies that can enable or disable whether a certain check runs, and also you can kind of check whether that check's score meets a certain threshold. We have kind of hidden this, and there is a plan to do more settings-based policy. But in this feature request I'm kind of introducing an alternate design for how policies can look, and it's more of a settings-based policy. The idea is, like, what policy just means: how do we go from the data that Scorecard outputs to answering a yes or no question that a user of Scorecard may have? So that's the feature. I would particularly like people's feedback on point 3 in that feature, which is: if we were to do something that kind of looks at Scorecard data and then answers yes or no questions, where should that live? So that's what I wanted to talk about.

B: Please take a look at the issue before we continue the discussion. I just wanted to close the facilitator question. Jeff says he can translate... sorry.