►
From YouTube: Scorecards Biweekly Sync (August 11, 2022)
A
B
B
C
Hello,
my
name
is
Scott
hissam
I'm,
with
the
software
engineering
Institute
at
Carnegie,
Mellon
I've
been
playing
around
with
the
scorecard
now
for
a
couple
weeks.
Looking
for
ways
to
get
insight
into
open
source
software
practices
being
employed
by
teams
and
I
was
encouraged
to
check
out
the
scorecard
and
want
to
find
out
what's
been
going
on
what
the
plans
are
and
see
about
addressing
issues
over
time
over.
B
A
E
B
B
A
D
A
C
A
B
All
right
so
oh
yeah
I
mean
this
is
to
the
best
of
my
knowledge,
I'm,
just
reading
it
right
now.
So
so
the
scorecard
and
All-Star
team,
you
know
presented
a
bunch
of
Open,
Source,
Summits
I
think
there
are
videos
that
are
uploaded
there.
I
think
they're
talking
about
and
I
mean
what
what
are
the
different
talks
here.
I
think
some.
A
Of
them
yeah
sure
right,
yeah,
like
just
want
to
add
to
what.
As
you
mentioned,
we
just.
We
just
wanted
to
highlight
some
of
the
talks
that
we
presented
at
the
Osa
Summit,
so
that
people
who
couldn't
attend
the
Ursa
Summit
get
an
opportunity
to
go
see
about
what
scorecard
and
All-Star
is
and
how
it
is
essentially
helping
the
open
source.
Community
I
just
want
to
call
that
that
so
that
it
gives
an
opportunity
for
everybody
to
do
that.
B
A
Think
and
yeah,
one
of
the
one
of
the
critical
reasons
is
Ethan
and
Lauren
wanted
is
the
is
the
wave
in
which
we
can
have
these
jar
files
not
be
complained.
We
added
that
update.
You
can
added
that
update,
so
that
was
one
of
the
primary
reason
we
released.
It
I
think
that
there
are
a
bunch
of
bunch
of
bunch
of
things
that
people
solved.
A
B
I
think
the
other
thing
this
besides
is
this
is
probably
our
first
time
trying
out
a
salsa
release
flow,
so
I
think
we're
still
trying
to
improve
on
it,
but
yeah
with
this
release
is
released
to
a
salsa
release
workflow,
so
the
artifacts
here
should
be
salsa
compliant
all
right.
So
I
think
with
that.
If
anyone
else.
B
A
B
I
think
so
I
I
I,
usually
we
all
see
a
lot
of
open
items.
So
I
think
this
was
one
of
the
debits
we
had
long
back
to
like
the
the
open
items
are
so
so
many
that
we
are
unable
to
get
to.
Member
updates.
I,
don't
know
I'm,
okay
with
going
through
the
open
items
and
then
like
kind
of
going
back
and
seeing
if
there.
C
F
B
A
D
I'm,
okay,
in
principle
of
caching,
things
for
for
performance,
but
I
do
worry
that
some
of
these
things,
some
values
are
not
just
based
on
hashes
like
Branch
protection,
I
mean
you
may
be
off
and
then
may
turn
on
or
best
practices
badge.
Maybe
it
wasn't
there
before
it
is
now
and
yet
so
I
mean
I
mean
there.
There's
a
I
worry
if
it's.
If
it's
cash
forever,
you're
gonna
eventually
get
old
data.
D
A
It's
a
buy
it's
a
weekly
scan,
so
we
do
have
weekly
scans
to
do
that.
So
essentially
it
gives
the
people
an
opportunity
to
say:
hey.
I
want
to
have
the
latest,
but
I
also
want
to
go
back
in
time
and
because
I
gives
you
know,
people
an
opportunity
to
say:
hey
I
want
probably
these
checks
on
this
release
so
that
it
gives
me
it
gives
me
essentially
seeing
a
consumer
of
to
know
what
it
is
on
that
on
the
point
of
time,
on
the
release
so.
D
A
F
A
Right:
okay,
two
for
the
larger
Community
I,
just
want
to
say
we
already
added
shot.
So
we
should
essentially,
you
know
in
our
API
result
in
the
chat
they
say
Hey,
you
can
go
fetch
by
this
commit
and
to
get
scorecard
results
by
a
commit
chart
to
figure
out
what
it
is
and
what
I'm
suggesting
is
along
with
this
also
go
fetch
the
latest
release
and
add
that,
as
as
another
option
to
say,
hey
here's
on
the
release
of
that
repositories.
What's
the
date
it
is
I,
do
understand.
A
E
A
C
G
G
G
Some
other
examples
for
groups
that
you
could
do
are
you
could
do
a
deny
list
style
or
an
allow
list
Style
just
as
examples
currently,
GitHub
only
allows
organizations
to
I
believe
set
up
allowless
style
policies,
but
those
aren't
really
smart.
They
kind
of
just
use
glove
matching,
I
believe
for
the
action,
so
this
allows
more
specific
version
targeting
and
well
yeah.
That's
the
gist
of
the
configuration
and
then
also
including
the
proposal
are
examples
of
what
the
output
might
look
like.
So,
if
you
wouldn't
mind
scrolling
down
a
little
there's
an
example
somewhere.
G
Oh
yeah,
there
you
go
so
this
is
an
example
of
what
the
output
might
look
like
when,
in
the
first
example
an
action
hits
a
deny
rule.
So,
as
you
can
see,
it's
not
matched
by
any
of
the
require
or
allow
rules
that
came
before
so
it's
denied
and
then
in
the
second
example,
and
a
requirement
is
not
met,
so
some
proposals
are
given
for
how
to
meet
that
requirement
for
the
role.
So
in
this
case
there
are
multiple
actions
that
might
satisfy
the
set
of
rules
that
match
this
repo
here.
G
A
A
I
could
have
different
things,
and
most
of
the
firewall
policy
example
on
any
Cloud
gives
you
some
kind
of
a
number
to
say:
hey
thousand
thousand
one
thousand
two
so
ordering
of
which
policy
has
to
run
would
be
a
great
addition
to
this
day
because
they
order
in
which,
because
each
one
of
them,
one
of
them,
can
step
over
each
other.
So
that's
one
feedback
on
this.
To
essentially
do
that,
as
if
you
don't
mind,
can
you
scroll
up
a
little
back
to
the
top
of
the
policy.
B
A
A
C
A
A
This
is
the
most
critical
thing
that
I
want
to
run
and
that's
why
people
usually
tag
PRS
to
the
bottom,
but
but
the
future
I
could
have
a
critical
policy
that
needs
to
be
on
top
or
something
in
between
that
becomes
have
a
number.
That's
that's
a
reason
to
do
that,
and
that's
why
five
hour
policies
usually
come
up
with
a
ordering
number.
A
F
G
Definitely
thanks
for
the
suggestions
you
too
currently
how
the
group
system
works.
Is
you
can
reorganize
the
groups
so
as
soon
as
any
single
set
of
rules
is
or
any
single
rule
is
failing,
it'll
create
an
issue
for
it
on
the
repo
assuming
the
issue,
action
is
selected
within
the
configuration
and
you're
able
to
rearrange
the
different
groups.
So
if
you
wanted,
you
could
make
one
higher
priority
and
that
would
show
above
in
the
issue,
if
that
resolves,
that
concern
I
I.
F
Would
say
that
the
the
I
guess
priority
wise.
It
should
be
explicit
as
expect
as
opposed
to
specified
by
ordering
within
the
yaml
configuration
that
way.
You
you
kind
of
get
away
from
well.
I
was
I,
was
adding
some
rules
and
I
just
wanted
to
make
sure
they
were
alphabetized
or
something
like
that
right.
F
Where
the
priority
you
know
everything
goes
out
of
whack,
because
someone
had
some
understanding
of
the
system.
That
is
not
necessarily
what
the
intent
was
right.
So
being
explicit
with
saying
that
this
is
a
critical
priority,
or
this
is
ranked
X
right
is
going
to
give.
You
is
going
to
give
you
a
clear
output.
C
D
A
So
I
want
to
know,
I'll
be
having
like
regex
match
and
some
of
these
things,
because,
like
I,
would
I
wouldn't
want
to
like
another
I'm,
not
saying
this,
you
must
have,
but
I
can
be
like
all
of
scorecard
repost
like
examples
scorecard,
Dash
or
Star,
which
gets
initially
mean
because,
if
think
of
an
organization,
the
Thousand
reposites
then
coming
up
with
all
these
things
would
be
a
little
harder.
That's
my
two
cents
on
the
having
a
regex
would
be
helpful
and
that
could
be
an
option
to
think
abroad.
B
A
G
G
There's
at
least
glob
matching
for
Action
names,
so
you
could
just
allow
a
broad
set
of
actions,
and
by
default
it's
not
in
allow
us
mode,
it's
in
I,
guess
a
denialist
mode.
You
could
say
so
until
how
the
deny
how
deny
is
applied
is
basically,
it
will
go
over
each
action
and
then
run
through
all
the
rules
with
set
action
and
check
if
the
action
should
be
denied,
depending
on
what
they're,
specifically
Allowed
by
a
rule
before
it
hits
a
deny
rule.
But
if
it
doesn't
ever
hit
a
deny
rule,
then
it's
allowed.
A
C
F
Think
there's
an
opportunity
for
us
to
work
on
a
lot
of
these
things
in
tandem,
but
the
the
idea
is
basically
to
ensure
that
if
you've
got
dependencies
in
a
in
a
repo
that
are
maybe
specified
by
file
and
and
not
necessarily
like
checked
by
some
system
that
you
can
say
hey,
this
is
supposed
to
be
version
blah.
Don't
you
know
like
make
sure
that
all
of
the
references
to
version
blah
are
updated
to
that
version.
Right.
A
G
F
G
G
What
will
happen
is
All-Star
will,
at
least
with
the
current
proposal,
it'll
go
over
to
that
repo,
that
the
action's
in
and
it'll
look
at
the
releases
to
find
one
that
corresponds
to
that
hash
and
then
use
the
tag
from
that
release.
To
do
the
version
check
with
the
version
specified
at
the
in
the
configuration.
B
F
B
B
B
B
F
F
F
C
A
A
We
have
some
issues
in
solving
that
problem.
If
I
fix
that
other
goal,
other
depending
about
running,
should
go
away,
but
if
you,
if
you
usually
see
scorecard
actions
and
scorecard
I
I've,
been
taking
care
of
that
on
that,
but
for
some
of
the
things
that
are
still
there,
it's
primarily
because
we
haven't
upgraded
goal,
but
that's
what
needs
to
happen.
I
have
a
work
in
progress
PR,
but
that
PR
had
other
problems.
A
F
D
D
D
D
So
so
I
understand
the
other
ones,
but
the
one
that
was
just
pinged
yesterday,
it's
it's
a
it's
a
high
one.
I,
don't
think
it
hasn't
it
I,
don't
think
the
go.
Dependency
is
an
issue
in
this
case
stuff
and
updates,
and
you
know
good
luck,
I
I'm
totally
sympathetic,
but
that
other
one
I
don't
think
is
caught
up
in
that
I.
Think
yeah
I
can
be
wrong.
Yes,.
F
F
There
are
yeah
there
so
that
so
with
indirect
dependencies,
there
are
a
few
that
have
done
interesting
things
for
their
modules,
which
make
the
calculus
unresolvable.
So
it
in
newer
versions
of
go.
That
is
less
friction.
Full
I,
don't
know
words,
but
yeah
I
I,
you
know
either
I
I
can
I
can
pick
up
the
the
newest
one
I'm
looking
at
it
now.
D
D
A
We
need
to
we
need
it
in
my
car
because
we
like
I
just
want
to
make
sure
that
we
all
of
us
like
I,
don't
think
she's
already
part
of
the
scorecard
repo
I
just
want
to
make
sure
before
I
I
include
her
to
the
for
having
right
access
for
markdowns
that
this
is
open.
We
all
agree
to
this
and
then
merge
the
PRN.
A
F
So
I
think
I,
I,
I,
I,
I,
I,
I
I
think
that
it's
worthwhile
to
to
go
back
and
and
revisit
the
discussion
around
the
settings
bot
as
well
as
code
owners
and
kind
of
how
they
interact
there.
I
I
think
there's
one
PR
open
for
web
app
to
update
the
code
owners.
That
is
invalid
because
there's
a
manual
process
of
actually
adding
the
person
to
the
repo
as
a
collaborator
or
or
to
a
team.
Really
we
should
be
doing
this
on
a
team
level,
not
individual
level.
F
A
I
I
agree:
I
totally
agree
on
that.
So,
if
that's
the
that's
the
way,
we
want
to
go
about
doing
it,
I'm
I'm
more
than
like,
should
we
create
teams,
and
should
we
create,
like
call
walk
around,
create
a
docs
team?
Add
her
to
that
and
then
list
those
people
who
are
those
members?
That
is
the
process.
We
can
do
that.
F
A
F
That's
that's
out
of
the
way
we
already
have
teams.
We
have
the
scorecard
team,
we
have
scorecard
admins
and
scorecard
maintainers.
We
can
create
a
I,
can
help
out
with
this
as
well.
We
can
create
a
new
docs
maintainers
team,
the
the
what
needs
to
be
handled
is
the
decision
around
using
settings
spot.
E
F
You
say
so
you
would
ping
someone
who
is
kind
of
like
on
the
operations
list
for
FNS
stuff,
so
one
of
the
program
editors
can
help
out
with
adding
folks
to
the
this
is
this
is
opening
up
a
separate
discussion
which
David
I
will
take
offline
with
you,
because
you
wanted
help
with
some
of
this
stuff
and
I
have
ideas.
So,
okay,.
D
Awesome
just
just
a
quick
note:
there's
been
some
some
complications.
What
one
of
our
PMS
she's
just
going
off
on
maternity
leave!
Another
is
returning
from
leave,
so
the
correct
people
to
contact
right
now
for
openness,
except
for
any
of
those
things,
are
either
jewelry
person
or
Khalil
white
happy
to
post
email
addresses
for
both
we
really
just
email,
both
and-
and
we
will
get
that
done
and
if
it
doesn't
get
done,
quick
and
negative
and
complain
at
us
and
we'll
we'll
say
sorry
we'll
get
it
done.
Yeah.
E
D
I
I
actually
picked
up
the
the
the
exciting
and
well
I
would
say,
probably
thankless
task
of
trying
to
gather
a
little
group
of
to
figure
out
what
the
permission
should
be
for
the
GitHub
org.
All
the
way
across
I
I
picked
that
up
and
then
I
decided
to
get
coveted
instead
really
a
bad
decision
on
my
part,
terrible
decision,
so
I'll
I'll
try
to
make
better
decisions
in
the
future.
D
I'm,
okay,
now,
but
just
so
that
is
a
that
is
a
a
job
in
the
job
jar,
but
it
got
pushed
out
a
little
bit
and
we
we
are
gonna,
get
through
that
right.
The
quick
short
answers
for
now
permissions
talk
to
Khalil
and
our
jewelry
email
them.
They'll
get
they'll,
try
to
get
it
done
and
then
we're
gonna
work
out
a
longer
term.
F
F
So
I
I
had
mentioned
this
to
Brian
on
a
separate
call
and-
and
it's
related
to
your
your
your
email,
David,
but
out
of
scope
for
this
call,
the
what
open
ssf
needs
is
a
the
equivalent
of
the
the
kubernetes
contributor
experience,
the
cncf
tag,
contributor
strategy
and
effectively
that
that
function
of
helping
out
with
like
so
there
was
a
separate
sub
project
for
GitHub
Administration.
That
lives
in
in,
like
in
in
kubernetes
and
within,
say,
contributor.
Experience
right.
F
I
can
help
y'all
work
out
the
details
for
that,
because
I
I
think
I
think
in
addition
to
kind
of
some
of
the
mechanical
of
of
like
handling
the
the
GitHub
stuff,
there's
also
the
the
contributor
experience
how
how
do
I
know
where
to
go
to
get
help?
What
are
what's
the
the
map
of
of
what
openssf
is
and
and
how
do
I
get
plugged
in
so
I?
Will
that
will
be
my
that
will
be
a
thing
that
I
I
think
needs
to
start
moving.
D
Can
you
can
you
send
me
a
just
a
quick
email
with
with
a
pointer,
because
that's
actually
one
of
the
questions
is,
you
know,
cncf
has
a
huge
amount
of
stuff,
but
I
think
the
challenge
is
that
it's
you
know.
Cncf
is
just
so
much
larger
than
almost
everything
else
and
there's
a
question
about
whether
or
not
it's
excessively
heavyweight
for
what
we're
trying
to
accomplish
I
wholeheartedly.
C
Endorse
it
and
and
I
think
it's
just
a
question
of
where
should
it
live
and
I
think
that's
a
question
for
this
work
group?
If
it's
in
this
work
group
or
if
it's
its
own,
then
it's
just
a
simple
proposal
to
the
attack
and
we've
got
a
process
for
creating
new
working
groups
that
involve
you
know,
have
a
few
meetings
try
to
pull
some
people
together,
so
so
Steve
and
I
I'd
suggest
getting
started
with
that
as
soon
as
soon
as
we
can
yeah.
C
A
F
A
F
A
B
Yeah
before
I
move
on
just
wanted
to
give
a
huge
question
to
what
Stephen
said.
I
think
we've
had
similar
discussions
multiple
times
before
about
like
contributor
ladder.
Should
we
have
the
settings
spot
and
things
like
that
so
would
be
very
helpful
to
open.
Ssf
has
like
an
organization
level
instructions
of
how
to
do
it.
I
think
it
save
us
a
lot
of
time,
cool
moving
on
to
the
next
one,
I
I
think
Lawrence
and
Ethan.
You
added
this
I'm
assuming
this
is
the
Gradle
binary
exception
thing
yeah.
G
Sure
so
I
believe
the
question
here
is:
should
there
be
a
process
by
which
scorecard
creates
exceptions
to
the
binary
artifacts
policy
based
on
potentially
they're
the
results
of
an
external
action
being
run
on
a
repository
or
based
on
some
kind
of
internal
check,
I
think.
Currently,
we
were
leaning
towards
having
an
external
action
and
creating
some
kind
of
way
for
that
external
action
to
communicate
with
scorecard,
potentially
so
that
other
actions
could
do
the
same
thing
through.
What
is
it
check
run
annotations
on
GitHub.
A
G
The
idea
would
be
that
we
would,
because
someone
in
this
issue
was
talking
about
verifying
some
type
of
binaries
that
were
provided
by
Microsoft
I,
think
they
wanted
to
create
an
action
for
it,
I
think
or
some
kind
of
check
for
it.
So
the
idea
here
would
be
that
on
scorecards
end,
we
would
interpret
the
results
from
that
check
using
this
format,
but
potentially
other
checks
could
return
results
in
the
same
format,
so
that
those
could
be
used
to
create
exceptions
to
the
binary
artifacts
rule
as
well.
A
G
Well,
at
the
very
least,
it
would
be
nice
to
have
this
system
on
scorecards
end
for
confirming
that
binaries
are
valid,
or
at
least
receiving
that
result
from
an
action
whether
we
create
an
action
I
guess
we
could
create
an
action
just
to
do
that,
I
mean
that
would
help
resolve
the
specific
problem
that
someone
was
having
who
was
using
scorecard
for
I'm
just
having
problems
with
their
Microsoft
signed.
Binary
is
not
being
considered.
B
G
Okay
yeah
so
on
scorecard,
then
the
idea
would
be
that
it'll.
Just
look
at
the
check,
runs
for
that
repo
and
see,
if
any,
have
annotations
that
look
like
this
format,
where
it
says
that
those
binary
files
are
verified,
so
they
can
be
Exempted
from
the
binary
artifacts
policy
or
check
and
Laurent
was
talking
about
creating
an
action
to
help
resolve
someone's
problem
where
they
were
not
able
to,
or
they
were
verifying
their
Microsoft
sign
binaries.
This
is
a
total.
F
So
so
I
think
that
you
know
I
I,
think
at
least
here
I
would
I
would
call
out
that
I'm
looking
at
this
verified,
true
versus
false
I,
would
I
would
call
out
explicitly
that
the
that
the
file
in
question
was
Exempted
as
opposed
to
whether
or
not
it's
verified,
because
it
could.
You
could
be
kind
of
mixing
the
concerns
of
whether
something
was
actually
checked
by
the
system
and
dubbed
verified,
or
it
was
Exempted
and
and
we're
switching
and
we're
flipping
verified
to
choose
a
result.
G
Maybe
I
mean
the
idea
here
is
that
when
this
is
this
data
here,
I
don't
know
if
I'm
communicating
this
well,
but
basically
an
action
that
could
be
provided
by
a
third
party
is
running
and
providing
this
result.
So
the
the
intention
here
was
to
make
it
so
that
that
action
could
communicate
to
scorecard
which
files
it
has
verified.
So,
for
example,
if
someone
creates
an
action
to
verify
Microsoft
sign
binaries,
for
example,
this
action
would
create
The
annotation.
B
G
C
B
Of
the
like
a
a
good
thing
about
scorecard
is
we
basically
say
give
us
a
repository.
Url
go
and
run
right
like
I
and
I
mean
getting
scorecard
adopted,
is
itself
a
pretty
like
it's
a
big
hurdle,
I
think
the
more
third-party
Integrations
that
we
start
expecting
users
to
add.
Now
we
are
basically
saying
you
want
scorecard
to
run
better
for
you
install
this
option
right
like
and
it
doesn't,
in
my
opinion,
I
I,
don't
think
it
scales
well
in
the
long
term
story.
G
A
Enough
Ethan
I
have
an
opinion.
I
certainly
concur
with
your
thought
process
is
wherein
it
shouldn't
be
school
cards,
responsibility
to
run
these
checks,
because
that
means
we
are
bringing
these
additional
dependencies
rather
depend
on
these
external
actions
to
say:
hey
these
actions,
Ran
So,
that
we
trust
these
actions
to
the
job
instead
of
us
doing
the
job,
which,
for
example,
is
the
greatest
rapper
which
Gradle
is
there,
this
is,
is
being
utilized
in
hundreds
of
thousands
repositories.
How
do
we
verify
the
Gradle?
How?
A
G
Awesome
thanks
nivian,
yeah
and
for
context.
So
there
is
currently
an
exception
to
the
binary
artifacts
check
which
says
that
if
a
repo
has
the
Gradle
wrapper,
validation,
action
currently
enabled
and
passing
on
the
latest,
commit
then
scorecard
will
ignore
the
Gradle
rapper.jar
files,
which
apparently
are
required
for
people
using
Gradle,
so
that
helps
resolve
some
false
positives
with
Gradle
wrapper.
The
idea
here
would
be
yeah
I
mean.
Maybe
the
interface
could
be
changed.
Who
knows?
G
But
the
idea
here
is
that,
fundamentally,
there
should
be
some
way
for
actions
to
communicate
in
a
standard
standardized
way
to
score
a
card
that
they
have
verified
files
because
well
yeah.
The
idea
would
be
just
to
reduce
false
positives
and
Downstream.
This
helps
out
all
star
because
we
have
a
binary
artifacts
policy
that
sometimes
that
we
would
like
to
reduce
the
carve
outs
for
because
currently
people
have
created
exceptions,
for
example,
for
the
Gradle
wrapper.jar
file,
and
that
does
reduce
their
security
because
they
have
no
action,
checking
it
often
enough.
G
C
B
So
one
quick
thing-
maybe
David
probably
will
know
more
about
this.
There's
end
users,
group,
that's
being
created,
I,
think
there's
a
need
for
it
coming
up.
I
think!
That's!
That's
a
group,
for
you
know
figuring
out
how
usable
our
tools
are
if
I
understand
correctly.
So
maybe
that's
that's
one
place.
We
can
start
asking
these
questions.
E
B
C
The
idea
is
like
what
policy
just
means:
how
do
we
go
from
the
data?
That's
core
card
outputs
to
answering
a
yes
or
no
question
that
a
user
of
scorecard
may
have
so
that
that's
the
feature
I
I
would
particularly
like
like
people's
feedback
on
like
kind
of
0.3
in
that
in
that
feature,
which
is
if
we
were
to
do
something
that
kind
of
looks
at
scorecard
data
and
then
answers
yes
or
no
questions.
Where
should
that
live
so
that
that's
what
I
wanted
to
talk
about.